Page 1 Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Application Guide For Lenovo Enterprise Network Operating System 8.4...
Page 2 Note: Before using this information and the product it supports, read the general information in the Safety information and Environmental Notices and User Guide documents on the Lenovo Documentation CD and the Warranty Information document that comes with the product. Third Edition (July 2017) © Copyright Lenovo 2017 Portions © Copyright IBM Corporation 2014. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS‐35F‐05925. Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.
Page 3: Table Of Contents
Browser‐Based Interface . . . . . . . . . . . . . . . . . . . . . . .31 Establishing a Connection . . . . . . . . . . . . . . . . . . . . . . . .32 Using the Chassis Management Module . . . . . . . . . . . . . . . .32 Factory‐Default vs. CMM‐Assigned IP Addresses . . . . . . . . . .32 Using Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . .33 Using Secure Shell. . . . . . . . . . . . . . . . . . . . . . . . . .33 Using SSH with Password Authentication . . . . . . . . . . . . .35 Using SSH with Public Key Authentication . . . . . . . . . . . . .35 Using a Web Browser . . . . . . . . . . . . . . . . . . . . . . . .36 Configuring HTTP Access to the BBI . . . . . . . . . . . . . . . .36 Configuring HTTPS Access to the BBI . . . . . . . . . . . . . . .37 BBI Summary . . . . . . . . . . . . . . . . . . . . . . . . . .38 Using Simple Network Management Protocol. . . . . . . . . . . . . .39 BOOTP/DHCP Client IP Address Services . . . . . . . . . . . . . . . . .40 Host Name Configuration . . . . . . . . . . . . . . . . . . . . . .40 SYSLOG Server . . . . . . . . . . . . . . . . . . . . . . . . . . .41 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . .41 Easy Connect Wizard . . . . . . . . . . . . . . . . . . . . . . . . . .42 Configuring the Easy Connect Wizard . . . . . . . . . . . . . . . . .42 Basic System Mode Configuration Example . . . . . . . . . . . . .43 Transparent Mode Configuration Example . . . . . . . . . . . . .44 Redundant Mode Configuration Example . . . . . . . . . . . . .45 Switch Login Levels . . . . . . . . . . . . . . . . . . . . . . . . . . .47 Administrator Password Recovery . . . . . . . . . . . . . . . . . . . .49 Secure FTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51 © Copyright Lenovo 2017...
Page 4 Boot Strict Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Acceptable Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 55 Configuring Strict Mode . . . . . . . . . . . . . . . . . . . . . . . 56 Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Configuring No‐Prompt Mode . . . . . . . . . . . . . . . . . . . . . . 57 Chapter 2. Initial Setup ..... 59 Information Needed for Setup . . . . . . . . . . . . . . . . . . . . . . 60 Default Setup Options . . . . . . . . . . . . . . . . . . . . . . . . .
Page 5 Chapter 5. Authentication & Authorization Protocols ..99 RADIUS Authentication and Authorization . . . . . . . . . . . . . . . 100 How RADIUS Authentication Works . . . . . . . . . . . . . . . . 100 Configuring RADIUS on the Switch . . . . . . . . . . . . . . . . . 101 RADIUS Authentication Features in Enterprise NOS . . . . . . . . . . 101 Switch User Accounts . . . . . . . . . . . . . . . . . . . . . . . 102 RADIUS Attributes for Enterprise NOS User Privileges . . . . . . . . 103 TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . 104 How TACACS+ Authentication Works. . . . . . . . . . . . . . . . 104 TACACS+ Authentication Features in Enterprise NOS . . . . . . . . . 105 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . 105 Backdoor . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Command Authorization and Logging . . . . . . . . . . . . . . . . 107 TACACS+ Password Change . . . . . . . . . . . . . . . . . . . . 109 Configuring TACACS+ Authentication on the Switch . . . . . . . . . 109 LDAP Authentication and Authorization . . . . . . . . . . . . . . . . 110 Configuring the LDAP Server. . . . . . . . . . . . . . . . . . . . 110 Configuring LDAP Authentication on the Switch . . . . . . . . . . . 111 © Copyright Lenovo 2017 Contents...
Page 6 Chapter 6. 802.1X Port-Based Network Access Control ..113 Extensible Authentication Protocol over LAN . . . . . . . . . . . . . . 114 EAPoL Authentication Process . . . . . . . . . . . . . . . . . . . 115 EAPoL Message Exchange . . . . . . . . . . . . . . . . . . . . . 116 EAPoL Port States . . . . . . . . . . . . . . . . . . . . . . . . 116 Guest VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Supported RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . 118 EAPoL Configuration Guidelines . . . . . . . . . . . . . . . . . . . . 120 Chapter 7. Access Control Lists....121 Summary of Packet Classifiers . . . . . . . . . . . . . . . . . . . . . ...
Page 7 Chapter 10. Spanning Tree Protocols....171 Spanning Tree Protocol Modes . . . . . . . . . . . . . . . . . . . . . 172 Global STP Control . . . . . . . . . . . . . . . . . . . . . . . . 172 PVRST Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Port States . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Bridge Protocol Data Units . . . . . . . . . . . . . . . . . . . . . 174 Determining the Path for Forwarding BPDUs . . . . . . . . . . . 174 Bridge Priority . . . . . . . . . . . . . . . . . . . . . . . . 174 Port Priority . . . . . . . . . . . . . . . . . . . . . . . . . 175 Root Guard . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Loop Guard. . . . . . . . . . . . . . . . . . . . . . . . . . 175 Port Path Cost. . . . . . . . . . . . . . . . . . . . . . . . . 176 Simple STP Configuration . . . . . . . . . . . . . . . . . . . . . 176 Per‐VLAN Spanning Tree Groups . . . . . . . . . . . . . . . . . . 178 Using Multiple STGs to Eliminate False Loops. . . . . . . . . . . 178 VLAN and STG Assignment . . . . . . . . . . . . . . . . . . 179 Manually Assigning STGs . . . . . . . . . . . . . . . . . . . 180 Guidelines for Creating VLANs . . . . . . . . . . . . . . . . . 180 Rules for VLAN Tagged Ports . . . . . . . . . . . . . . . . . . 180 Adding and Removing Ports from STGs . . . . . . . . . . . . . 181 Switch‐Centric Configuration . . . . . . . . . . . . . . . . . . 182 Configuring Multiple STGs . . . . . . . . . . . . . . . . . . . . . 183 © Copyright Lenovo 2017 Contents...
Page 8 Rapid Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . 185 Port States . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 RSTP Configuration Guidelines . . . . . . . . . . . . . . . . . . . 185 RSTP Configuration Example. . . . . . . . . . . . . . . . . . . . 186 Multiple Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . 187 MSTP Region. . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Common Internal Spanning Tree . . . . . . . . . . . . . . . . . . 187 MSTP Configuration Guidelines . . . . . . . . . . . . . . . . . . 188 MSTP Configuration Examples . . . . . . . . . . . . . . . . . . . 188 MSTP Configuration Example 1 . . . . . . . . . . . . . . . . . 188 MSTP Configuration Example 2 . . . . . . . . . . . . . . . . . 189 Port Type and Link Type . . . . . . . . . . . . . . . . . . . . . . . 191 Edge/Portfast Port . . . . . . . . . . . . . . . . . . . . . . . . 191 Link Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Chapter 11. Virtual Link Aggregation Groups ... . 193 VLAG Capacities . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 9 Configuring a Management IP Interface . . . . . . . . . . . . . . . 243 Additional Master Configuration . . . . . . . . . . . . . . . . . . 244 Viewing Stack Connections . . . . . . . . . . . . . . . . . . . 244 Binding Members to the Stack . . . . . . . . . . . . . . . . . . 245 Assigning a Stack Backup Switch . . . . . . . . . . . . . . . . 245 Managing a Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Connecting to Stack Switches via the Master . . . . . . . . . . . . . 246 Rebooting Stacked Switches via the Master . . . . . . . . . . . . . . 246 Rebooting Stacked Switches using the ISCLI . . . . . . . . . . . 246 Rebooting Stacked Switches using the BBI . . . . . . . . . . . . 247 Upgrading Software in a Stack . . . . . . . . . . . . . . . . . . . . . 248 New Hybrid Stack . . . . . . . . . . . . . . . . . . . . . . . . 248 Converting a EN4093R Stack to a Hybrid Stack . . . . . . . . . . . . 248 New Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 Replacing or Removing Stacked Switches . . . . . . . . . . . . . . . . 249 Removing a Switch from the Stack. . . . . . . . . . . . . . . . . . 249 Installing the New Switch or Healing the Topology . . . . . . . . . . 249 Binding the New Switch to the Stack. . . . . . . . . . . . . . . . . 251 Performing a Rolling Reload or Upgrade . . . . . . . . . . . . . . . 252 Starting a Rolling Reload . . . . . . . . . . . . . . . . . . . . 252 Starting a Rolling Upgrade . . . . . . . . . . . . . . . . . . . 252 Saving Syslog Messages . . . . . . . . . . . . . . . . . . . . . . 254 Flexible Port Mapping in Stacking . . . . . . . . . . . . . . . . . . . 256 ISCLI Stacking Commands. . . . . . . . . . . . . . . . . . . . . . . 258 © Copyright Lenovo 2017 Contents...
Page 10 Chapter 14. Virtualization ....259 Chapter 15. Virtual NICs ..... 261 vNIC IDs on the Switch . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 11 FCoE Example Configuration . . . . . . . . . . . . . . . . . . . . . 326 Chapter 18. Fibre Channel ....329 Ethernet vs. Fibre Channel . . . . . . . . . . . . . . . . . . . . . . . 330 Supported Switch Roles . . . . . . . . . . . . . . . . . . . . . . . . 331 NPV Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . 331 Full‐Fabric FC/FCoE Switch . . . . . . . . . . . . . . . . . . . . 332 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 © Copyright Lenovo 2017 Contents...
Page 12 Implementing Fibre Channel. . . . . . . . . . . . . . . . . . . . . . 333 Port Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . 333 Fibre Channel VLANs . . . . . . . . . . . . . . . . . . . . . . . 334 Port Membership . . . . . . . . . . . . . . . . . . . . . . . . . 334 Switching Mode . . . . . . . . . . . . . . . . . . . . . . . . . 335 NPV Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . 336 NPV Port Traffic Mapping . . . . . . . . . . . . . . . . . . . 336 NPV Disruptive Load‐Balancing . . . . . . . . . . . . . . . . 336 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . 337 Full Fabric Mode . . . . . . . . . . . . . . . . . . . . . . . . . 338 Full Fabric Zoning. . . . . . . . . . . . . . . . . . . . . . . 338 Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 E‐Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Optimized FCoE Traffic Flow . . . . . . . . . . . . . . . . . . 342 Storage Management Initiative Specification (SMI‐S) . . . . . . . . . 343 Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . 343 Fibre Channel Configuration . . . . . . . . . . . . . . . . . . . . . . 344 Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . ...
Page 13 BOOTP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . 399 BOOTP Relay Agent Configuration . . . . . . . . . . . . . . . . . 399 Domain‐Specific BOOTP Relay Agent Configuration. . . . . . . . . . 400 Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . 401 DHCP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . 401 DHCP Relay Agent Configuration. . . . . . . . . . . . . . . . . . 402 Chapter 24. Internet Protocol Version 6 ....403 IPv6 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . 404 IPv6 Address Format . . . . . . . . . . . . . . . . . . . . . . . . . 405 © Copyright Lenovo 2017 Contents...
Page 14 IPv6 Address Types . . . . . . . . . . . . . . . . . . . . . . . . . 406 Unicast Address . . . . . . . . . . . . . . . . . . . . . . . . . 406 Multicast Address . . . . . . . . . . . . . . . . . . . . . . . . 406 Anycast Address . . . . . . . . . . . . . . . . . . . . . . . . . 407 IPv6 Address Auto‐configuration. . . . . . . . . . . . . . . . . . . . 408 IPv6 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . 410 Host vs. Router . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Supported Applications . . . . . . . . . . . . . . . . . . . . . . . . 412 IPv6 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . 414 IPv6 Configuration Examples. . . . . . . . . . . . . . . . . . . . 414 IPv6 Configuration Example 1 . . . . . . . . . . . . . . . . . 414 IPv6 Configuration Example 2 . . . . . . . . . . . . . . . . . 415 Chapter 25. Using IPsec with IPv6 ....417 IPsec Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 15 Chapter 30. OSPF ......467 OSPFv2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 467 Types of OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . 468 Types of OSPF Routing Devices . . . . . . . . . . . . . . . . . . . 469 Neighbors and Adjacencies . . . . . . . . . . . . . . . . . . . . . 470 The Link‐State Database . . . . . . . . . . . . . . . . . . . . . . 470 The Shortest Path First Tree . . . . . . . . . . . . . . . . . . . . 471 Internal Versus External Routing . . . . . . . . . . . . . . . . . . 471 © Copyright Lenovo 2017 Contents...
Page 16 OSPFv2 Implementation in Enterprise NOS . . . . . . . . . . . . . . . 472 Configurable Parameters. . . . . . . . . . . . . . . . . . . . . . 472 Defining Areas . . . . . . . . . . . . . . . . . . . . . . . . . . 473 Assigning the Area Index . . . . . . . . . . . . . . . . . . . 473 Using the Area ID to Assign the OSPF Area Number. . . . . . . . 474 Attaching an Area to a Network. . . . . . . . . . . . . . . . . 474 Interface Cost . . . . . . . . . . . . . . . . . . . . . . . . . . 475 Electing the Designated Router and Backup . . . . . . . . . . . . . 475 Summarizing Routes . . . . . . . . . . . . . . . . . . . . . . . 475 Default Routes . . . . . . . . . . . . . . . . . . . . . . . . . . 476 Virtual Links . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 Router ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 478 Configuring Plain Text OSPF Passwords . . . . . . . . . . . . . 479 Configuring MD5 Authentication . . . . . . . . . . . . . . . . 480 Host Routes for Load Balancing. . . . . . . . . . . . . . . . . . . ...
Page 17 Manual Monitor Example . . . . . . . . . . . . . . . . . . . . . 522 Chapter 34. Virtual Router Redundancy Protocol ... 523 VRRP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 VRRP Components . . . . . . . . . . . . . . . . . . . . . . . . 524 Virtual Router. . . . . . . . . . . . . . . . . . . . . . . . . 524 Virtual Router MAC Address . . . . . . . . . . . . . . . . . . 524 Owners and Renters . . . . . . . . . . . . . . . . . . . . . . 524 Master and Backup Virtual Router . . . . . . . . . . . . . . . . 524 Virtual Interface Router . . . . . . . . . . . . . . . . . . . . 525 VRRP Operation . . . . . . . . . . . . . . . . . . . . . . . . . 525 Selecting the Master VRRP Router . . . . . . . . . . . . . . . . . . 525 © Copyright Lenovo 2017 Contents...
Page 18 Failover Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . 526 Active‐Active Redundancy . . . . . . . . . . . . . . . . . . . . . 527 Hot‐Standby Redundancy . . . . . . . . . . . . . . . . . . . . . 527 Virtual Router Group . . . . . . . . . . . . . . . . . . . . . . . 528 Enterprise NOS Extensions to VRRP . . . . . . . . . . . . . . . . . . 529 Virtual Router Deployment Considerations . . . . . . . . . . . . . . . 530 Assigning VRRP Virtual Router ID . . . . . . . . . . . . . . . . . 530 Configuring the Switch for Tracking. . . . . . . . . . . . . . . . . 530 High Availability Configurations . . . . . . . . . . . . . . . . . . . . 531 Active‐Active Configuration . . . . . . . . . . . . . . . . . . . . 531 Task 1: Configure CN4093 1 . . . . . . . . . . . . . . . . . . 532 Task 2: Configure CN4093 2 . . . . . . . . . . . . . . . . . . 533 Hot‐Standby Configuration . . . . . . . . . . . . . . . . . . . . 535 Task 1: Configure CN4093 1 . . . . . . . . . . . . . . . . . . 536 Task 2: Configure CN4093 2 . . . . . . . . . . . . . . . . . . 537 Part 7:.
Page 19 Part 8:. Monitoring ..... . . 595 Chapter 40. Remote Monitoring ....597 RMON Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 597 RMON Group 1–Statistics . . . . . . . . . . . . . . . . . . . . . . . 598 RMON Group 2–History. . . . . . . . . . . . . . . . . . . . . . . . 599 History MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . 599 Configuring RMON History . . . . . . . . . . . . . . . . . . . . 599 © Copyright Lenovo 2017 Contents...
Page 20 RMON Group 3–Alarms . . . . . . . . . . . . . . . . . . . . . . . 601 Alarm MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . 601 Configuring RMON Alarms . . . . . . . . . . . . . . . . . . . . 601 Alarm Example 1 . . . . . . . . . . . . . . . . . . . . . . . 601 Alarm Example 2 . . . . . . . . . . . . . . . . . . . . . . . 602 RMON Group 9–Events . . . . . . . . . . . . . . . . . . . . . . . . 603 Chapter 41. sFLOW ..... . . 605 sFlow Statistical Counters . . . . . . . . . . . . . . . . . . . . . . . ...
Page 21: Preface
Part 1: Getting Started This material is intended to help those new to Enterprise NOS products with the basics of switch management. This part includes the following chapters:  Chapter 1, “Switch Administration,” describes how to access the CN4093 in order to configure the switch and view switch information and statistics. This chapter discusses a variety of manual administration interfaces, including local management via the switch console, and remote administration via Telnet, a web browser or via SNMP.  Chapter 2, “Initial Setup,” describes how to use the built‐in Setup utility to perform first‐time configuration of the switch.  Chapter 3, “Switch Software Management,” describes how to update the N/OS software operating on the switch. Part 2: Securing the Switch  Chapter 4, “Securing Administration,” describes methods for changing the default switch passwords, using Secure Shell and Secure Copy for administration connections, configuring end‐user access control, and placing the switch in protected mode. Chapter 5, “Authentication & Authorization Protocols,” describes different  secure administration for remote administrators. This includes using Remote Authentication Dial‐in User Service (RADIUS), as well as TACACS+ and LDAP. © Copyright Lenovo 2017...
Page 22: Part 4: Advanced Switching Features
(STP) configures the network so that the switch selects the most efficient path when multiple paths exist. Also includes the Rapid Spanning Tree Protocol (RSTP), Per‐VLAN Rapid Spanning Tree Plus (PVRST+), and Multiple Spanning Tree Protocol (MSTP) extensions to STP.  Chapter 11, “Virtual Link Aggregation Groups,” describes using Virtual Link Aggregation Groups (vLAG) to form LAGs spanning multiple vLAG‐capable aggregator switches.  Chapter 12, “Quality of Service,” discusses Quality of Service (QoS) features, including IP filtering using Access Control Lists (ACLs), Differentiated Services, and IEEE 802.1p priority values. Part 4: Advanced Switching Features  Chapter 13, “Stacking,” describes how to implement the stacking feature in the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch. Chapter 14, “Virtualization,” provides an overview of allocating resources  based on the logical needs of the data center, rather than on the strict, physical nature of components.  Chapter 15, “Virtual NICs,” discusses using virtual NIC (vNIC) technology to divide NICs into multiple logical, independent instances.  Chapter 16, “VMready,” discusses virtual machine (VM) support on the CN4093. Chapter 17, “FCoE and CEE,” discusses using various Converged Enhanced  Ethernet (CEE) features such as Priority‐based Flow Control (PFC), Enhanced ...
Page 23: Part 5: Ip Routing
27, “Internet Group Management Protocol,” describes how the Enterprise NOS software implements IGMP Snooping or IGMP Relay to conserve bandwidth in a multicast‐switching environment.  Chapter 28, “Multicast Listener Discovery,” describes how Multicast Listener Discovery (MLD) is used with IPv6 to support host users requests for multicast data for a multicast group.  Chapter 29, “Border Gateway Protocol,” describes Border Gateway Protocol (BGP) concepts and features supported in Enterprise NOS.  Chapter 30, “OSPF,” describes key Open Shortest Path First (OSPF) concepts and their implemented in Enterprise NOS, and provides examples of how to configure your switch for OSPF support.  Chapter 31, “Protocol Independent Multicast,” describes how multicast routing can be efficiently accomplished using the Protocol Independent Multicast (PIM) feature. Part 6: High Availability Fundamentals  Chapter 32, “Basic Redundancy,” describes how the CN4093 supports redundancy through aggregation and Hotlinks.  Chapter 33, “Layer 2 Failover,” describes how the CN4093 supports high‐availability network topologies using Layer 2 Failover. © Copyright Lenovo 2017 Preface...
Page 24: Part 7: Network Management
 Chapter 34, “Virtual Router Redundancy Protocol,” describes how the CN4093 supports high‐availability network topologies using Virtual Router Redundancy Protocol (VRRP). Part 7: Network Management Chapter 35, “Link Layer Discovery Protocol,” describes how Link Layer  Discovery Protocol helps neighboring network devices learn about each others’ ports and capabilities.  Chapter 36, “Simple Network Management Protocol,” describes how to configure the switch for management through an SNMP client. Chapter 37, “Service Location Protocol,” describes the Service Location Protocol  (SLP) that allows the switch to provide dynamic directory services.  Chapter 38, “System License Keys,” describes how to manage Features on Demand (FoD) licenses and how to allocate bandwidth between physical ports within the installed licenses’ limitations. Part 8: Monitoring  Chapter 40, “Remote Monitoring,” describes how to configure the RMON agent on the switch, so that the switch can exchange network monitoring data.  Chapter 41, “sFLOW, described how to use the embedded sFlow agent for sampling network traffic and providing continuous monitoring information to a central sFlow analyzer.  Chapter 42, “Port Mirroring,” discusses tools how copy selected port traffic to a ...
Page 25: Additional References
Additional References Additional information about installing and configuring the CN4093 is available in the following guides:  Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Installation Guide  Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Command Reference for Lenovo Network Operating System 8.4  Lenovo Network Browser‐Based Interface Quick Guide © Copyright Lenovo 2017 Preface...
Page 26: Typographic Conventions
Typographic Conventions The following table describes the typographic styles used in this book. Table 1. Typographic Conventions Typeface or Meaning Example Symbol ABC123 This type is used for names of View the readme.txt file. commands, files, and directories used within the text. Main# It also depicts on‐screen computer output and prompts. ABC123 Main# sys This bold type appears in command examples. It shows text that must be typed in exactly as shown. <ABC123> This italicized type appears in To establish a Telnet session, command examples as a enter: host# telnet <IP address> parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, Read your User’s Guide ...
Page 28 CN4093 Application Guide for N/OS 8.4...
Page 29: Chapter 1. Switch Administration
Chapter 1. Switch Administration Your CN4093 10 Gb Converged Scalable Switch is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively. The extensive Enterprise NOS switching software included in the CN4093 provides a variety of options for accessing the switch to perform configuration, and to view switch information and statistics. This chapter discusses the various methods that can be used to administer the switch. © Copyright Lenovo 2017...
Page 30: Administration Interfaces
 The Flex System chassis management module tools for general chassis management  A built‐in, text‐based command‐line interface and menu system for access via serial‐port connection or an optional Telnet or SSH session  The built‐in Browser‐Based Interface (BBI) available using a standard web‐browser  SNMP support for access through network management software such as IBM Director. The specific interface chosen for an administrative session depends on user preferences, as well as the switch configuration and the available client tools. In all cases, administration requires that the switch hardware is properly installed and turned on. (see the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Installation Guide). Chassis Management Module The CN4093 10 Gb Converged Scalable Switch is an integral subsystem within the overall Lenovo Flex System. The Flex System chassis also includes a chassis management module (CMM) as the central element for overall chassis management and control. Using the tools available through the CMM, the administrator can configure many of the CN4093 features and can also access other CN4093 administration interfaces. For more information, see “Using the Chassis Management Module” on page Industry Standard Command Line Interface The Industry Standard Command Line Interface (ISCLI) provides a simple, direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance. You can establish a connection to the CLI in any of the following ways: ...
Page 31: Browser-Based Interface
Browser-Based Interface The Browser‐based Interface (BBI) provides access to the common configuration, management and operation features of the CN4093 through your Web browser. For more information, refer to the Enterprise NOS BBI Quick Guide. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 32: Establishing A Connection
 Out‐of‐band Management Port 1: 192.168.50.50/24 Remote access using the network requires the accessing terminal to have a valid, routable connection to the switch interface. The client IP address may be configured manually, or an IPv4 address can be provided automatically through the switch using a service such as DHCP or BOOTP relay (see “BOOTP/DHCP Client IP Address Services” on page 40), or an IPv6 address can be obtained using IPv6 stateless address configuration. Note: Throughout this manual, IP address is used in places where either an IPv4 or IPv6 address is allowed. IPv4 addresses are entered in dotted‐decimal notation (for example, 10.10.10.1), while IPv6 addresses are entered in hexadecimal notation (for example, 2001:db8:85a3::8a2e:370:7334). In places where only one type of address is allowed, IPv4 address or IPv6 address is specified. Using the Chassis Management Module The CN4093 is an integral subsystem within the overall Lenovo Flex System. The Flex System chassis includes a chassis management module (CMM) as the central element for overall chassis management and control. The CN4093 uses port 43 (MGT1) to communicate with the chassis management module(s). Even when the CN4093 is in a factory default configuration, you can use the 1Gb Ethernet port on each CMM to configure and manage the CN4093. For more information about using the chassis management module, see the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Installation Guide. Factory-Default vs. CMM-Assigned IP Addresses Each CN4093 must be assigned its own Internet Protocol version 4 (IPv4) address, which is used for communication with an SNMP network manager or other transmission control protocol/Internet Protocol (TCP/IP) applications (for example, BOOTP or TFTP). The factory‐default IPv4 address is 10.90.90.x, where x is based on the number of the bay into which the CN4093 is installed. For additional information, see the Installation Guide. The chassis management module assigns an IPv4 address of 192.168.70.1xx, where xx is also based on the number of the bay ...
Page 33: Using Telnet
CN 4093(config)# [no] access telnet enable Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the following Telnet command: telnet <switch IPv4 or IPv6 address> You will then be prompted to enter a password as explained “Switch Login Levels” on page Two attempts are allowed to log in to the switch. After the second unsuccessful attempt, the Telnet client is disconnected via TCP session closure. Using Secure Shell Although a remote network administrator can manage the configuration of a CN4093 via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure. The switch can do only one session of key/cipher generation at a time. Thus, a SSH/SCP client will not be able to login if the switch is doing key generation at that time. Similarly, the system will fail to do the key generation if a SSH/SCP client is logging in at that time. The supported SSH encryption and authentication methods are listed below.  Server Host Authentication: Client RSA‐authenticates the switch when starting each connection © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 34  Key Exchange: ecdh‐sha2‐nistp521, ecdh‐sha2‐nistp384, ecdh‐sha2‐nistp256, ecdh‐sha2‐nistp224, ecdh‐sha2‐nistp192, rsa2048‐sha256, rsa1024‐sha1, diffie‐hellman‐group‐exchange‐sha256, diffie‐hellman‐group‐exchange‐sha1, diffie‐hellman‐group14‐sha1, diffie‐hellman‐group1‐sha1  Encryption: aes128‐ctr, aes128‐cbc, rijndael128‐cbc, blowfish‐cbc,3des‐cbc, arcfour256, arcfour128, arcfour  MAC: hmac‐sha1, hmac‐sha1‐96, hmac‐md5, hmac‐md5‐96  User Authentication: Local password authentication, RADIUS, TACACS+ CN4093 Application Guide for N/OS 8.4...
Page 35: Using Ssh With Password Authentication
Port type ["DATA"/"MGT"]: mgt Address or name of remote host: 9.43.101.151 Source file name: 11.key Username of the public key: admin Confirm download operation (y/n) ? y Note: When prompted to input a username, a valid user account name must be entered. If no username is entered, the key is stored on the switch, and can be assigned to a user account later. Note: A user account can have up to 100 public keys set up on the switch. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 36: Using A Web Browser
3. Configure a maximum number of 3 failed public key authentication attempts before the system reverts to password‐based authentication: CN 4093(config)# ssh maxauthattempts 3 Once the public key is configured on the switch, the client can use SSH to login from a system where the private key pair is set up: ssh <switch IP address> Using a Web Browser The switch provides a Browser‐Based Interface (BBI) for accessing the common configuration, management and operation features of the CN4093 through your Web browser. You can access the BBI directly from an open Web browser window. Enter the URL using the IP address of the switch interface (for example, http://<IPv4 or IPv6 address>). When you first access the switch, you must enter the default username and password: USERID; PASSW0RD (with a zero). You are required to change the password after first login. Configuring HTTP Access to the BBI By default, BBI access via HTTP is disabled on the switch. To enable or disable HTTP access to the switch BBI, use the following commands: CN 4093(config)# access http enable (Enable HTTP access) ‐or‐ CN 4093(config)# no access http enable (Disable HTTP access) The default HTTP web server port to access the BBI is port 80. However, you can ...
Page 37: Configuring Https Access To The Bbi
Email (eg, email address) []: <email address> Confirm generating certificate? [y/n]: y Generating certificate. Please wait (approx 30 seconds) restarting SSL agent 4. Save the HTTPS certificate. The certificate is valid only until the switch is rebooted. To save the certificate so that it is retained beyond reboot or power cycles, use the following command: CN 4093(config)# access https save-certificate When a client (such as a web browser) connects to the switch, the client is asked to accept the certificate and verify that the fields match what is expected. Once BBI access is granted to the client, the BBI can be used as described in the Enterprise NOS BBI Quick Guide. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 38: Bbi Summary
BBI Summary The BBI is organized at a high level as follows: Context buttons—These buttons allow you to select the type of action you wish to perform. The Configuration button provides access to the configuration elements for the entire switch. The Statistics button provides access to the switch statistics and state information. The Dashboard button allows you to display the settings and operating status of a variety of switch features. Navigation Window—This window provides a menu list of switch features and functions:  System—this folder provides access to the configuration elements for the entire switch.  Switch Ports—Configure each of the physical ports on the switch. Port‐Based Port Mirroring—Configure port mirroring behavior.   Layer 2—Configure Layer 2 features for the switch.  RMON Menu—Configure Remote Monitoring features for the switch.  Layer 3—Configure Layer 3 features for the switch.  QoS—Configure Quality of Service features for the switch. Access Control—Configure Access Control Lists to filter IP packets.   Virtualization – Configure VMready for virtual machine (VM) support. For information on using the BBI, refer to the Enterprise NOS BBI Quick Guide. CN4093 Application Guide for N/OS 8.4...
Page 39: Using Simple Network Management Protocol
To access the SNMP agent on the CN4093, the read and write community strings on the SNMP manager should be configured to match those on the switch. The read and write community strings on the switch can be changed using the following commands: CN 4093(config)# snmp-server read-community <1‐32 characters> CN 4093(config)# snmp-server write-community <1‐32 characters> The SNMP manager should be able to reach any one of the IP interfaces on the switch. For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following commands: CN 4093(config)# snmp-server trap-source <trap source IP interface> CN 4093(config)# snmp-server host <IPv4 address> <trap host community string> For more information on SNMP usage and configuration, see “Simple Network Management Protocol” on page 555. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 40: Bootp/Dhcp Client Ip Address Services
BOOTP/DHCP Client IP Address Services For remote switch administration, the client terminal device must have a valid IP address on the same network as a switch interface. The IP address on the client device may be configured manually, or obtained automatically using IPv6 stateless address configuration, or an IPv4 address may obtained automatically via BOOTP or DHCP relay as discussed below. The CN4093 can function as a relay agent for Bootstrap Protocol (BOOTP) or DHCP. This allows clients to be assigned an IPv4 address for a finite lease period, reassigning freed addresses later to other clients. Acting as a relay agent, the switch can forward a client’s IPv4 address request to up to five BOOTP/DHCP servers. In addition to the five global BOOTP/DHCP servers, up to five domain‐specific BOOTP/DHCP servers can be configured for each of up to 10 VLANs. When a switch receives a BOOTP/DHCP request from a client seeking an IPv4 address, the switch acts as a proxy for the client. The request is forwarded as a UDP Unicast MAC layer message to the BOOTP/DHCP servers configured for the client’s VLAN, or to the global BOOTP/DHCP servers if no domain‐specific BOOTP/DHCP servers are configured for the client’s VLAN. The servers respond to the switch with a Unicast reply that contains the IPv4 default gateway and the IPv4 address for the client. The switch then forwards this reply back to the client. DHCP is described in RFC 2131, and the DHCP relay agent supported on the CN4093 is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. BOOTP and DHCP relay are collectively configured using the BOOTP commands and menus on the CN4093. Host Name Configuration The CN4093 supports DHCP host name configuration as described in RFC 2132, option 12. DHCP host name configuration is enabled by default. Host name can be manually configured using the following command: CN 4093(config)# hostname <name> If the host name is manually configured, the switch does not replace it with the ...
Page 41: Syslog Server
An untrusted interface is a port that is configured to receive packets from outside the network or firewall. A trusted interface receives packets only from within the network. By default, all DHCP ports are untrusted. The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and port number that correspond to the local untrusted interface on the switch; it does not contain information regarding hosts interconnected with a trusted interface. By default, DHCP snooping is disabled on all VLANs. You can enable DHCP snooping on one or more VLANs. You must enable DHCP snooping globally. To enable this feature, enter the following commands: CN 4093(config)# ip dhcp snooping vlan <vlan number(s)> CN 4093(config)# ip dhcp snooping Note: When you make a DHCP release from a client, the switch does not forward the Unicast DHCP release packet to the server, the entry is not removed from the DHCP snooping binding table, and the counter for Received Request packets does not increase even though the release packet does arrive at the switch. If you want the DHCP Renew/Release packet to be forwarded to the server and the corresponding entry removed from the DHCP snooping binding table, configure an interface IP address with the sam subnet in the same VLAN. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 42: Easy Connect Wizard
Easy Connect Wizard Lenovo EasyConnect (EZC) is a feature designed to simplify switch configuration. A set of predefined configurations can be applied on the switch via ISCLI. By launching the EZC Wizard, you are prompted for a minimal set of input and the tool automatically customizes the switch software. The EZC Wizard allows you to choose one of the following configuration modes: Basic System mode supports settings for hostname, static management port IP,  netmask, and gateway.  Transparent mode collects server and uplink port settings. vNIC groups are used to define the loop free domains. Note: You can either accept the static defaults or enter a different port list for uplink and/or server ports.  Redundant mode refers to VLAG settings. The EZC configuration will be applied immediately. Any existing configuration will be deleted, the current active or running configuration will not be merged or appended to the EZC configuration. For any custom settings that are not included in the predefined configuration sets, the user has to do it manually. Notes:  EZC is not available in stacking mode.  To support scripting, the feature also has a single‐line format. For more information, please refer to Lenovo Networking ISCLI Reference Guide. Note: To support scripting, the feature also has a single‐line format. For more information, please refer to Lenovo Networking ISCLI Reference Guide. Configuring the Easy Connect Wizard To launch the EZC Wizard, use the following command: CN 4093# easyconnect The wizard displays the available predefined configuration modes. You are ...
Page 43: Basic System Mode Configuration Example
Please enter "dhcp" for dhcp IP. Select management IP address (Current: 10.241.13.32)? Enter management netmask(Current: 255.255.255.128)? Enter management gateway:(Current: 10.241.13.1)? Pending switch port configuration: Hostname: host Management interface: Port: 10.241.13.32 Netmask: 255.255.255.128 Gateway: 10.241.13.1 Note: You can either accept the default values or enter new parameters. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 44: Transparent Mode Configuration Example
Transparent Mode Configuration Example This example shows the parameters available for configuration in Transparent mode: CN 4093# # easyconnect Configure Transparent mode (yes/no)? y Select Uplink Ports (Static Defaults: 17-24)? The following Uplink ports will be enabled: Uplink ports(1G/10G): 17-24 Select Server Ports (Static Defaults: 25-64)? The following Server ports will be enabled: Server ports(1G/10G): 25-64 Pending switch configuration:...
Page 45: Redundant Mode Configuration Example
TierID: vLAG Peer IP: 1.1.1.2 Uplink Ports: Downlink Ports: Disabled Ports: empty Hostname: Primary VLAG Management interface: 192.168.49.50 Netmask: 255.255.255.0 Gateway: 0.0.0.0 Confirm erasing current config to re-configure Easy Connect (yes/no)? © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 46 Notes:  If your selection for a port group contains ports of different speed, the selection is not valid, and you are guided to either select other ports or change the speed of the ports.  All unused port are configured as shut down in the configuration dump. You can either accept the static defaults or enter a different port list for ISL,  uplink, and/or downlink ports. CN4093 Application Guide for N/OS 8.4...
Page 47: Switch Login Levels
Table 3. User Access Levels ‐ Default Settings User Password Description and Tasks Performed Status Account user user The User has no direct responsibility for Disabled switch management. He or she can view all switch status information and statistics, but cannot make any configuration changes to the switch. oper oper The Operator manages all functions of the Disabled switch. The Operator can reset ports, except the management ports. admin admin The Administrator has complete access to all Enabled menus, information and configuration commands on the CN4093, including the ability to change both the user and administrator passwords. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 48 Note: Access to each user level (except admin account) can be disabled by setting the password to an empty value. To disable admin account, use the command: CN 4093(config)# no access user administrator-enable. Admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege. CN4093 Application Guide for N/OS 8.4...
Page 49: Administrator Password Recovery
R - Boot in recovery mode (xmodem download of images to recover switch) Q - Reboot E - Exit Please choose your menu option: c Currently using active configuration block Enter configuration block: a, b or f (active, backup or factory): f © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 50 5. Enter Q to reboot the switch: Boot Management Menu I - Change booting image C - Change configuration block R - Boot in recovery mode (xmodem download of images to recover switch) Q - Reboot E - Exit Please choose your menu option: q Resetting the board.
Page 51: Secure Ftp
Secure FTP Enterprise NOS supports Secure FTP (SFTP) to the switch. SFTP uses Secure Shell (SSH) to transfer files. SFTP encrypts both commands and data, and prevents passwords and sensitive information from being transmitted openly over the network. All file transfer commands include SFTP support along with FTP and TFTP support. SFTP is available through the menu‐based CLI, ISCLI, BBI, and SNMP. The following examples illustrate SFTP support for ISCLI commands: CN 4093# copy sftp {image1|image2|boot-image} [mgt-port|data-port] (Copy software image from SFTP server to the switch) CN 4093# copy sftp {ca-cert|host-cert|host-key} [mgt-port|data-port] (Copy HTTPS certificate or host key from SFTP server to the switch) © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 52: Boot Strict Mode
Boot Strict Mode The implementations specified in this section are compliant with National Institute of Standards and Technology (NIST) Special Publication (SP) 800‐131A. The CN4093 10 Gb Converged Scalable Switch can operate in two boot modes:  Compatibility mode (default): This is the default switch boot mode. This mode may use algorithms and key lengths that may not be allowed/acceptable by NIST SP 800‐131A specification. This mode is useful in maintaining compatibility with previous releases and in environments that have lesser data security requirements.  Strict mode: Encryption algorithms, protocols, and key lengths in strict mode are compliant with NIST SP 800‐131A specification. When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch. By default, HTTP, Telnet, and SNMPv1 and SNMPv2 are disabled on the CN4093. Before enabling strict mode, ensure the following:  The software version on all connected switches is Enterprise NOS 8.4.  NIST Strict compliance is enabled on the Chassis Management Module.  The supported protocol versions and cryptographic cipher suites between clients and servers are compatible. For example: if using SSH to connect to the switch, ensure that the SSH client supports SSHv2 and a strong cipher suite that is compliant with the NIST standard. Compliant Web server certificate is installed on the switch, if using BBI.   A new self‐signed certificate is generated for the switch (CN 4093(config)# access https generate-certificate). The new certificate is generated using 2048‐bit RSA key and SHA‐256 digest.  Protocols that are not NIST SP 800‐131A compliant must be disabled or not ...
Page 53 Secure NTP does not comply with Acceptable NIST SP 800-131A specification. When in strict mode, secure NTP is dis- abled. However, it can be enabled, if required. SHA-256 or higher RSA/DSA 2048 or higher © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 54 Table 4. Acceptable Protocols and Algorithms Protocol/Function Strict Mode Algorithm Compatibility Mode Algorithm SNMP SNMPv3 only SNMPv1, SNMPv2, SNMPv3 AES-128-CFB-128/SHA1 DES/MD5, AES-128-CFB-128/SHA1 Note: Following algorithms are accept- able if you choose to support old SNMPv3 factory default users: AES-128-CFB/SHA1 DES/MD5 AES-128-CFB-128/SHA1 SSH/SFTP Host Key SSH-RSA SSH-RSA Key Exchange...
Page 55: Acceptable Cipher Suites
AES_128_CBC SHA1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC012 ECDHE 3DES SHA1 SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0033 AES-128_CBC SHA1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0067 AES_128_CBC SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0016 3DES SHA1 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x002F AES_128_CBC SHA1 TLS_RSA_WITH_AES_128_CBC_SHA 0x003C AES_128_CBC SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 0x000A 3DES SHA1 SSL_RSA_WITH_3DES_EDE_CBC_SHA © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 56: Configuring Strict Mode
Configuring Strict Mode To change the switch mode to boot strict mode, use the following command: CN 4093(config)# [no] boot strict enable When strict mode is enabled, you will see the following message: Warning, security strict mode limits the cryptographic algorithms used by secure protocols on this switch. Please see the documentation for full details, and verify that peer devices support acceptable algorithms before enabling this mode.
Page 57: Configuring No-Prompt Mode
Configuring No-Prompt Mode If you expect to administer the switch using SNSC or another browser‐based interface, you need to turn off confirmation prompts. When CLI confirmation prompts are disabled, the switch will choose the default answer. To accomplish this, use one of the following commands: CN 4093(config)# [no] prompting Note: This command will disable CLI confirmation prompts for current and future sessions. CN 4093(config)# [no] terminal dont-ask Note: This command will disable CLI confirmation prompts for the current session only. It also takes precedence over the prompting command ‐ any settings configured through the prompting command will be disregarded for the duration of the current session. For more details, see the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Command Reference for Enterprise NOS 8.4. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 58 CN4093 Application Guide for N/OS 8.4...
Page 59: Chapter 2. Initial Setup
Chapter 2. Initial Setup To help with the initial process of configuring your switch, the Enterprise NOS software includes a Setup utility. The Setup utility prompts you step‐by‐step to enter all the necessary information for basic configuration of the switch. Setup can be activated manually from the command line interface any time after login: CN 4093(config)# setup © Copyright Lenovo 2017...
Page 60: Information Needed For Setup
Information Needed for Setup Setup requests the following information:  Basic system information Date & time  Whether to use Spanning Tree Group or not   Optional configuration for each port Speed, duplex, flow control, and negotiation mode (as appropriate)  Whether to use VLAN tagging or not (as appropriate)  Optional configuration for each VLAN  Name of VLAN  Which ports are included in the VLAN   Optional configuration of IP parameters IP address/mask and VLAN for each IP interface  IP addresses for default gateway  Whether IP forwarding is enabled or not  CN4093 Application Guide for N/OS 8.4...
Page 61: Default Setup Options
Enter login password: 2. Enter USERID as the default administrator and PASSW0RD (with a zero) as the default password. 3. Enter the following command at the prompt: CN 4093(config)# setup Stopping Setup To abort the Setup utility, press <Ctrl+C> during any Setup question. When you abort Setup, the system will prompt: Would you like to run from top again? [y/n] Enter n to abort Setup, or y to restart the Setup program at the beginning. Restarting Setup You can restart the Setup utility manually at any time by entering the following command at the administrator prompt: CN 4093(config)# setup © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 62: Setup Part 1: Basic System Configuration
Setup Part 1: Basic System Configuration When Setup is started, the system prompts: "Set Up" will walk you through the configuration of System Date and Time, Spanning Tree, Port Speed/Mode, VLANs, and IP interfaces. [type Ctrl-C to abort "Set Up"] 1. Enter y if you will be configuring VLANs. Otherwise enter n. If you decide not to configure VLANs during this session, you can configure them later using the configuration menus, or by restarting the Setup facility. For more information on configuring VLANs, see the Enterprise NOS Application Guide. Next, the Setup utility prompts you to input basic system information. 2.
Page 63 System clock set to 8:55:36 Wed Jan 28, 2012. 8. Turn BOOTP on or off at the prompt: BootP Option: Current BOOTP: disabled Enter new BOOTP [d/e]: Enter e to enable BOOTP, or enter d to disable BOOTP. 9. Turn Spanning Tree Protocol on or off at the prompt: Spanning Tree: Current Spanning Tree Group 1 setting: ON Turn Spanning Tree Group 1 OFF? [y/n] Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on. © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 64: Setup Part 2: Port Configuration
Setup Part 2: Port Configuration Note: When configuring port options for your switch, some prompts and options may be different. 1. Select whether you will configure VLANs and VLAN tagging for ports: Port Config: Will you configure VLANs and Tagging/Trunk-mode for ports? [y/n] If you wish to change settings for VLANs, enter y or enter n to skip VLAN configuration. Note: The sample screens that appear in this document might differ slightly from the screens displayed by your system. Screen content varies based on the type of chassis unit that you are using and the firmware versions and options that are installed. 2. Select the port to configure, or skip port configuration at the prompt: If you wish to change settings for individual ports, enter the number of the port you wish to configure. To skip port configuration, press <Enter> without specifying any port and go to “Setup Part 3: VLANs” on page 66. 3. Configure Gigabit Ethernet port flow parameters. The system prompts: Gig Link Configuration: Port Flow Control: Current Port EXT1 flow control setting: both...
Page 65 If you have selected to configure VLANs back in Part 1, the system prompts: Port Tagging/Trunk-mode config (Tagged/Trunk-mode port can be a member of multiple VLANs): Current Tagging/Trunk-mode support: disabled Enter new Tagging/Trunk-mode support [d/e]: Enter d to disable VLAN tagging for the port or enter e to enable VLAN tagging for the port. To keep the current setting, press <Enter>. 6. The system prompts you to configure the next port: Enter port (INTA1-C14, EXT1-22): When you are through configuring ports, press <Enter> without specifying any port. Otherwise, repeat the steps in this section. © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 66: Setup Part 3: Vlans
Setup Part 3: VLANs If you chose to skip VLANs configuration back in Part 2, skip to “Setup Part 4: IP Configuration” on page 1. Select the VLAN to configure, or skip VLAN configuration at the prompt: VLAN Config: Enter VLAN number from 2 to 4094, NULL at end: If you wish to change settings for individual VLANs, enter the number of the VLAN you wish to configure. To skip VLAN configuration, press <Enter> without typing a VLAN number and go to “Setup Part 4: IP Configuration” on page 2. Enter the new VLAN name at the prompt: Current VLAN name: VLAN 2 Enter new VLAN name: Entering a new VLAN name is optional. To use the pending new VLAN name, press <Enter>. 3. Enter the VLAN port numbers: Define Ports in VLAN: Current VLAN 2: empty Enter ports one per line, NULL at end:...
Page 67: Setup Part 4: Ip Configuration
2. For the specified IP interface, enter the IP address in IPv4 dotted decimal notation: Current IP address: 0.0.0.0 Enter new IP address: To keep the current setting, press <Enter>. 3. At the prompt, enter the IPv4 subnet mask in dotted decimal notation: Current subnet mask: 0.0.0.0 Enter new subnet mask: To keep the current setting, press <Enter>. 4. If configuring VLANs, specify a VLAN for the interface. This prompt appears if you selected to configure VLANs back in Part 1: Current VLAN: Enter new VLAN [1-4094]: Enter the number for the VLAN to which the interface belongs, or press <Enter> without specifying a VLAN number to accept the current setting. © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 68: Default Gateways
5. At the prompt, enter y to enable the IP interface or n to leave it disabled: Enable IP interface? [y/n] 6. The system prompts you to configure another interface: Enter interface number: (1-128) Repeat the steps in this section until all IP interfaces have been configured. When all interfaces have been configured, press <Enter> without specifying any interface number. Default Gateways 1. At the prompt, select an IP default gateway for configuration or skip default gateway configuration: IP default gateways: Enter default gateway number: (1-3, 4) Enter the number for the IP default gateway to be configured. To skip default gateway configuration, press <Enter> without typing a gateway number and go to “IP Routing” on page 2. At the prompt, enter the IPv4 address for the selected default gateway: Current IP address: 0.0.0.0 Enter new IP address: Enter the IPv4 address in dotted decimal notation, or press <Enter> without ...
Page 69: Ip Routing
IP Routing When IP interfaces are configured for the various IP subnets attached to your switch, IP routing between them can be performed entirely within the switch. This eliminates the need to send inter‐subnet communication to an external router device. Routing on more complex networks, where subnets may not have a direct presence on the CN4093, can be accomplished through configuring static routes or by letting the switch learn routes dynamically. This part of the Setup program prompts you to configure the various routing parameters. At the prompt, enable or disable forwarding for IP Routing: Enable IP forwarding? [y/n] Enter y to enable IP forwarding. To disable IP forwarding, enter n. To keep the current setting, press <Enter>. © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 70: Setup Part 5: Final Steps
Setup Part 5: Final Steps 1. When prompted, decide whether to restart Setup or continue: Would you like to run from top again? [y/n] Enter y to restart the Setup utility from the beginning or n to continue. 2. When prompted, decide whether you wish to review the configuration changes: Review the changes made? [y/n] Enter y to review the changes made during this session of the Setup utility. Enter n to continue without reviewing the changes. We recommend that you review the changes. 3. Next, decide whether to apply the changes at the prompt: Apply the changes? [y/n] Enter y to apply the changes or n to continue without applying. Changes are normally applied. 4. At the prompt, decide whether to make the changes permanent: Save changes to flash? [y/n] Enter y to save the changes to flash. Enter n to continue without saving the ...
Page 71: Optional Setup For Telnet Support
Optional Setup for Telnet Support Note: This step is optional. Perform this procedure only if you are planning on connecting to the CN4093 through a remote Telnet connection. 1. Telnet is enabled by default. To change the setting, use the following command: CN 4093(config)# no access telnet © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 72 CN4093 Application Guide for N/OS 8.4...
Page 73: Chapter 3. Switch Software Management
CAUTION: Although the typical upgrade process is all that is necessary in most cases, upgrading from (or reverting to) some versions of Lenovo Enterprise Network Operating System requires special steps prior to or after the software installation process. Please be sure to follow all applicable instructions in the release notes document for the specific software release to ensure that your switch continues to operate as expected after installing new software.
Page 74: Loading New Software To Your Switch
Loading New Software to Your Switch The CN4093 can store up to two different switch software images (called image1 and image2) as well as special boot software (called boot). When you load new software, you must specify where it is placed: either into image1, image2 or boot. For example, if your active image is currently loaded into image1, you would probably load the new image software into image2. This lets you test the new software and reload the original active image (stored in image1), if needed. CAUTION: When you upgrade the switch software image, always load the new boot image and the new software image before you reset the switch. If you do not load a new boot image, your switch might not boot properly (To recover, see “Recover from a Failed Image Upgrade using TFTP” on page 80 or “Recovering from a Failed Image Upgrade using XModem Download” on page 82). To load a new software image to your switch, you will need the following:  The image and boot software loaded on an FTP, SFTP or TFTP server on your net‐ work. Note: Be sure to download both the new boot file and the new image file. The hostname or IP address of the FTP, SFTP or TFTP server  Note: The DNS parameters must be configured if specifying hostnames.  The name of the new software image or boot file When the software requirements are met, use one of the following procedures to download the new software to your switch. You can use the ISCLI or the BBI to download and activate new software. Loading Software via the ISCLI 1.
Page 75: Loading Software Via Bbi
FTP server  TFTP server  SFTP server  Local computer After you log onto the BBI, perform the following steps to load a software image: 1. Click the Configure context tab in the toolbar. 2. In the Navigation Window, select System > Config/Image Control. The Switch Image and Configuration Management page appears. 3. If you are loading software from your computer (HTTP client), skip this step and go to the next. Otherwise, if you are loading software from an FTP, SFTP, or TFTP server, enter the server’s information in the FTP, SFTP, or TFTP Settings section. 4. In the Image Settings section, select the image version you want to replace (Image for Transfer).  If you are loading software from an FTP, SFTP, or TFTP server, enter the file name and click Get Image.  If you are loading software from your computer, click Browse. In the File Upload Dialog, select the file and click OK. Then click Download via  Browser. Once the image has loaded, the page refreshes to show the new software. © Copyright Lenovo 2017 Chapter 3: Switch Software Management...
Page 76: Updating Software On Vlag Switches
Updating Software on vLAG Switches When updating the software and boot images for switches configured with vLAG, first: Make sure that the spanning tree root switch is not one of the vLAG switches   Shut down of ports should done under the port configuration Follow the shut down order of the ports  a. ISL links b. vLAG links c. vLAG health check (MGT port) Then follow this procedure to update the software on vLAG switches: 1. On Switch 2 (the original Secondary switch), shut down all links ISL, vLAG links, and vLAG HC. This is equivalent to powering off Switch 2.  All the traffic will failover to Switch 1 (the original Primary switch.).  After the shutdown of links on Switch 2, there will be N‐S traffic loss of around ~0.16 seconds. 2. Upgrade Switch 2 with the new image. Use FTP, STFP, or TFTP to copy the new ENOS and boot images onto the switch. For more details, see “Loading New Software to Your Switch” on page  After Switch 2 comes up, vLAG HC will be up and vLAG mismatch will happen with vLAG ports down (since it is still Secondary).  The traffic will still be forwarding via Switch 1 (the original Primary switch). 3. On Switch 1 (the original Primary switch), shut down all links ISL, vLAG links, and vLAG HC. This is equivalent to powering off Switch 1 (the original Primary switch) ...
Page 77  Switch 1 will reassume the vLAG Primary role and Switch 2 will reassume the vLAG Secondary role. 6. Make sure that Switch 1 is now the vLAG primary switch and Switch 2 is now the vLAG secondary switch using the following command: CN 4093> show vlag information © Copyright Lenovo 2017 Chapter 3: Switch Software Management...
Page 78: The Boot Management Menu
The Boot Management Menu The Boot Management menu allows you to switch the software image, reset the switch to factory defaults, or to recover from a failed software download. You can interrupt the boot process and enter the Boot Management menu from the serial console port. When the system displays Memory Test, press <Shift+B>. The Boot Management menu appears. Boot Management Menu I - Change booting image C - Change configuration block R - Boot in recovery mode (tftp and xmodem download of images to recover switch) Q - Reboot E - Exit Please choose your menu option: The Boot Management menu allows you to perform the following actions: ...
Page 79: Boot Recovery Mode
X) Use xmodem 1K to serial download an image P) Physical presence (low security mode) R) Reboot E) Exit Option? : The Boot Recovery Mode menu allows you to perform the following actions: To recover from a failed software or boot image upgrade using TFTP, press T  and follow the screen prompts. For more details, see “Recover from a Failed Image Upgrade using TFTP” on page  To recover from a failed software or boot image upgrade using XModem download, press X and follow the screen prompts. For more details, see “Recovering from a Failed Image Upgrade using XModem Download” on page  To enable the loading of an unofficial image, press P and follow the screen prompts. For more details, see “Physical Presence” on page  To restart the boot process from the beginning, press R.  To exit Boot Recovery Mode menu, press E. The boot process continues. © Copyright Lenovo 2017 Chapter 3: Switch Software Management...
Page 80: Recover From A Failed Image Upgrade Using Tftp
Recover from a Failed Image Upgrade using TFTP Use the following procedure to recover from a failed image upgrade using TFTP: 1. Connect a PC to the console port of the switch. 2. Open a terminal emulator program that supports Telnet protocol (for example, HyperTerminal, SecureCRT or PuTTY) and input the proper host name (IP address) and port to connect to the console port of the switch. 3. Boot the switch and access the Boot Management menu by pressing <Shift+B> while the Memory Test is in progress and the dots are being displayed. 4. Enter Boot Recovery Mode by pressing R. The Recovery Mode menu will appear. 5. To start the recovery process using TFTP, press T. The following message will appear: Performing TFTP rescue. Please answer the following questions (enter 'q' to quit): 6. Enter the IP address of the management port: IP addr : 7.
Page 81 Please select one of the following options: T) Configure networking and tftp download an image X) Use xmodem 1K to serial download an image P) Physical presence (low security mode) R) Reboot E) Exit Option? : © Copyright Lenovo 2017 Chapter 3: Switch Software Management...
Page 82: Recovering From A Failed Image Upgrade Using Xmodem Download
Recovering from a Failed Image Upgrade using XModem Download Use the following procedure to recover from a failed image upgrade. 1. Connect a PC to the serial port of the switch. 2. Open a terminal emulator program that supports Xmodem download (for example, HyperTerminal, SecureCRT or PuTTY) and select the following serial port characteristics: Speed: 9600 bps  Data Bits: 8  Stop Bits: 1  Parity: None  Flow Control: None  3. Boot the switch and access the Boot Management menu by pressing <Shift+B> while the Memory Test is in progress and the dots are being displayed. 4. Enter Boot Recovery Mode by pressing R. The Recovery Mode menu will appear. 5. Press X for Xmodem download. You will see the following display: Running xmodem rescue..6. When you see the following message, change the Serial Port speed to 115200 bps: Change the baud rate to 115200 bps and hit the <ENTER> key before initiating the download.
Page 83 Please select one of the following options: T) Configure networking and tftp download an image X) Use xmodem 1K to serial download an image P) Physical presence (low security mode) R) Reboot E) Exit Option? : Boot image recovery is complete. © Copyright Lenovo 2017 Chapter 3: Switch Software Management...
Page 84: Physical Presence
Physical Presence Use the following procedure to enable the installation of unofficial images on the switch: 1. Connect a PC to the console port of the switch. 2. Open a terminal emulator program that supports Telnet protocol (for example, HyperTerminal, SecureCRT or PuTTY) and input the proper host name (IP address) and port to connect to the console port of the switch. 3. Boot the switch and access the Boot Management menu by pressing <Shift+B> while the Memory Test is in progress and the dots are being displayed. 4. Enter Boot Recovery Mode by pressing R. The Recovery Mode menu will appear. 5. To begin the Physical Presence procedure, press P. The following warning message will appear: WARNING: the following test is used to determine physical presence and if completed will put the switch in low security mode. 6. You will be prompted for confirmation: Do you wish to continue y/n? 7.
Page 86 CN4093 Application Guide for N/OS 8.4...
Page 87: Chapter 4. Securing Administration
Chapter 4. Securing Administration This chapter discusses different methods of securing local and remote administration on the CN4093 10 Gb Converged Scalable Switch (CN4093):  “Changing the Switch Passwords” on page 88  “Secure Shell and Secure Copy” on page 89  “End User Access Control” on page 94  “Protected Mode” on page 97 © Copyright Lenovo 2017...
Page 88: Changing The Switch Passwords
Changing the Switch Passwords It is recommended that you change the administrator and user passwords after initial configuration and as regularly as required under your network security policies. To change the administrator password, you must login using the administrator password. Note: If you download user and password information to a switch running a version of ENOS earlier than 8.4, or if you revert the switch to a version of ENOS earlier than 8.4, your passwords will not be transferred because the encryption algorithm changed. Changing the Default Administrator Password The administrator has complete access to all menus, information, and configuration commands, including the ability to change both the user and administrator passwords. The default administrator account is USERID. The default password for the administrator account is PASSW0RD (with a zero). To change the administrator password, use the following procedure: 1. Connect to the switch and log in as the administrator. 2. Use the following command to change the administrator password: CN 4093(config)# access user administrator-password <password> Changing the Default User Password The user login has limited control of the switch. Through a user account, you can ...
Page 89: Secure Shell And Secure Copy
 Determining the permitted actions and customizing service for individual administrators  Encryption of management messages Encrypting messages between the remote administrator and switch   Secure copy support The Enterprise NOS implementation of SSH supports both versions 1.5 and 2.0 and supports SSH clients version 1.5 ‐ 2.x. The following SSH clients have been tested:  SSH 1.2.23 and SSH 1.2.27 for Linux (freeware)  SecureCRT 3.0.2 and SecureCRT 3.0.3 for Windows NT (Van Dyke Technologies, Inc.)  F‐Secure SSH 1.1 for Windows (Data Fellows)  Putty SSH  Cygwin OpenSSH  Mac X OpenSSH  Solaris 8 OpenSSH  AxeSSH SSHPro  SSH Communications Vandyke SSH A  F‐Secure © Copyright Lenovo 2017 Chapter 4: Securing Administration...
Page 90: Configuring Ssh/Scp Features On The Switch
Configuring SSH/SCP Features on the Switch SSH and SCP are disabled by default. To change the setting, using the following procedures. Note: To use SCP, you must first enable SSH. To Enable or Disable the SSH Feature Begin a Telnet session from the console port and enter the following commands: CN 4093(config)# ssh enable (Turn SSH on) CN 4093(config)# no ssh enable (Turn SSH off) To Enable or Disable SCP Enter the following command to enable or disable SCP: CN 4093(config)# [no] ssh scp-enable Configuring the SCP Administrator Password To configure the SCP‐only administrator password, enter the following command ...
Page 91: To Copy The Switch Configuration File To The Scp Host
>> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg_apply >> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg_apply_save Example: >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply_save The CLI diff command is automatically executed at the end of putcfg to  notify the remote client of the difference between the new and the current configurations. putcfg_apply runs the apply command after the putcfg is done.  putcfg_apply_save saves the new configuration to the flash after  putcfg_apply is done.  The putcfg_apply and putcfg_apply_save commands are provided because extra apply and save commands are usually required after a putcfg; however, an SCP session is not in an interactive mode. © Copyright Lenovo 2017 Chapter 4: Securing Administration...
Page 92: To Copy The Switch Image And Boot Files To The Scp Host
To Copy the Switch Image and Boot Files to the SCP Host Syntax: >> scp [-4|-6] <username>@<switch IP address>:getimg1 <local filename> >> scp [-4|-6] <username>@<switch IP address>:getimg2 <local filename> >> scp [-4|-6] <username>@<switch IP address>:getboot <local filename> Example: >> scp scpadmin@205.178.15.157:getimg1 6.1.0_os.img To Load Switch Configuration Files from the SCP Host Syntax: >>...
Page 93: Ssh And Scp Encryption Of Management Messages
To configure RSA host key, first connect to the CN4093 through the console port (commands are not available via external Telnet connection), and enter the following command to generate it manually. CN 4093(config)# ssh generate-host-key (Generates the host key) When the switch reboots, it will retrieve the host key from the FLASH memory. Note: The switch will perform only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be able to log in if the switch is performing key generation at that time. Also, key generation will fail if an SSH/SCP client is logging in at that time. SSH/SCP Integration with RADIUS Authentication SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified RADIUS servers for authentication. The redirection is transparent to the SSH clients. SSH/SCP Integration with TACACS+ Authentication SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified TACACS+ servers for authentication. The redirection is transparent to the SSH clients. © Copyright Lenovo 2017 Chapter 4: Securing Administration...
Page 94: End User Access Control
End User Access Control Enterprise NOS allows an administrator to define end user accounts that permit end users to perform operation tasks via the switch CLI commands. Once end user accounts are configured and enabled, the switch requires username/password authentication. For example, an administrator can assign a user, who can then log into the switch and perform operational commands (effective only until the next switch reboot). Considerations for Configuring End User Accounts A maximum of 20 user IDs are supported on the switch.   Enterprise NOS supports end user support for Console, Telnet, BBI, and SSHv1/v2 access to the switch.  If RADIUS authentication is used, the user password on the Radius server will override the user password on the CN4093. Also note that the password change command modifies only the user switch password on the switch and has no effect on the user password on the Radius server. Radius authentication and user password cannot be used concurrently to access the switch.  Passwords can be up to 64 characters in length for Telnet, SSH, Console, and Web access. Strong Passwords The administrator can require use of Strong Passwords for users to access the CN4093. Strong Passwords enhance security because they make password guessing more difficult. The following rules apply when Strong Passwords are enabled: Minimum length: 8 characters; maximum length: 64 characters   Must contain at least one uppercase alphabet Must contain at least one lowercase alphabet ...
Page 95: User Access Control Menu
CN 4093# show access user uid 1 Enabling or Disabling a User An end user account must be enabled before the switch recognizes and permits login under the account. Once enabled, the switch requires any user to enter both username and password. CN 4093(config)# [no] access user 1 enable Locking Accounts To protect the switch from unauthorized access, the account lockout feature can be enabled. By default, account lockout is disabled. To enable this feature, ensure the strong password feature is enabled (See “Strong Passwords” on page 94). Then use the following command: CN 4093(config)# access user strong-password lockout After multiple failed login attempts, the switch locks the user account if lockout has been enabled on the switch. © Copyright Lenovo 2017 Chapter 4: Securing Administration...
Page 96: Re-Enabling Locked Accounts
Re-enabling Locked Accounts The administrator can re‐enable a locked account by reloading the switch or by using the following command: CN 4093(config)# access user strong-password clear local user lockout username <user name> However, the above command cannot be used to re‐enable an account disabled by the administrator. To re‐enable all locked accounts, use the following command: CN 4093(config)# access user strong-password clear local user lockout all Listing Current Users The show access user command displays defined user accounts and whether or not each user is currently logged into the switch. CN 4093# show access user Usernames: user - Enabled - offline...
Page 97: Protected Mode
Note: Before you turn Protected Mode on, make sure that external management (Telnet) access to one of the switch’s IP interfaces is enabled. Use the following command to turn Protected Mode on: CN 4093(config)# protected-mode enable If you lose access to the switch through the external ports, use the console port to connect directly to the switch, and configure an IP interface with Telnet access. Stacking Mode When the switch is in stacking mode, Protected Mode is automatically enabled for three of the four Protected Mode functions, and the following module functions are disabled:  External Ports (Enabled)  External management over all ports (Enabled)  Restore Factory Defaults Stack members and stack Master can get their IP addresses from the advanced management module (AMM). Stack can be managed using external ports or using the AMM management port. If required, the functionality of new static IP configuration can also be disabled by turning off Protected Mode (CN 4093(config)# no protected-mode enable) and turning it back on (CN 4093(config)# protected-mode enable). © Copyright Lenovo 2017 Chapter 4: Securing Administration...
Page 98 CN4093 Application Guide for N/OS 8.4...
Page 99: Chapter 5. Authentication & Authorization Protocols
Chapter 5. Authentication & Authorization Protocols Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured IPv4 management and device access:  “RADIUS Authentication and Authorization” on page 100  “TACACS+ Authentication” on page 104  “LDAP Authentication and Authorization” on page 110 Note: Enterprise NOS 8.4 does not support IPv6 for RADIUS, TACACS+, or LDAP. © Copyright Lenovo 2017...
Page 100: Radius Authentication And Authorization
RADIUS Authentication and Authorization Enterprise NOS supports the RADIUS (Remote Authentication Dial‐in User Service) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back‐end database server. A remote user (the remote administrator) interacts only with the RAS, not the back‐end server and database. RADIUS authentication consists of the following components:  A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866)  A centralized server that stores all the user authorization information A client, in this case, the switch  The CN4093—acting as the RADIUS client—communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back‐end RADIUS server. How RADIUS Authentication Works 1. Remote administrator connects to the switch and provides user name and password. 2. Using Authentication/Authorization protocol, the switch sends request to authentication server. 3. Authentication server checks the request against the user ID database. 4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access. CN4093 Application Guide for N/OS 8.4...
Page 101: Configuring Radius On The Switch
CN 4093(config)# radius-server retransmit 3 CN 4093(config)# radius-server timeout 5 RADIUS Authentication Features in Enterprise NOS Enterprise NOS supports the following RADIUS authentication features:  Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.  Allows a RADIUS secret password of up to 32 characters.  Supports secondary authentication server so that when the primary authentication server is unreachable, the switch can send client authentication requests to the secondary authentication server. Use the following command to show the currently active RADIUS authentication server: CN 4093# show radius-server © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 102: Switch User Accounts
 Supports user‐configurable RADIUS server retry and time‐out values: Time‐out value = 1‐10 seconds  Retries = 1‐3  The switch will time out if it does not receive a response from the RADIUS server within 1‐10 seconds. The switch automatically retries connecting to the RADIUS server 1‐3 times before it declares the server down.  Supports user‐configurable RADIUS application port. The default is UDP port 1645. UDP port 1812, based on RFC 2138, is also supported.  Allows network administrator to define privileges for one or more specific users to access the switch at the RADIUS user database. Switch User Accounts The user accounts listed in Table 7 can be defined in the RADIUS server dictionary file. Table 7. User Access Levels User Account Description and Tasks Performed Password user User The User has no direct responsibility for switch management. He/she can view all switch status information and statistics but cannot make any configuration changes to the switch. oper Operator In addition to User capabilities, the Operator has ...
Page 103: Radius Attributes For Enterprise Nos User Privileges
Irrespective of backdoor being enabled or not, you can always access the switch via the console port by using noradius as radius username. You can then enter the username and password configured on the switch. If you are trying to connect via SSH/Telnet/HTTP/HTTPS, there are two possibilities:  Backdoor is enabled: The switch acts like it is connecting via console.  Secure backdoor is enabled: You must enter the username: noradius. The switch checks if RADIUS server is reachable. If it is reachable, then you must authenticate via remote authentication server. Only if RADIUS server is not reachable, you will be prompted for local user/password to be authenticated against these local credentials. All user privileges, other than those assigned to the Administrator, have to be defined in the RADIUS dictionary. RADIUS attribute 6 which is built into all RADIUS servers defines the administrator. The file name of the dictionary is RADIUS vendor‐dependent. The following RADIUS attributes are defined for Enterprise NOS user privileges levels: Table 8. Enterprise NOS‐proprietary Attributes for RADIUS User Name/Access User-Service-Type Value User Vendor‐supplied Operator Vendor‐supplied Administrator (USERID) Vendor‐supplied © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 104: Tacacs+ Authentication
TACACS+ Authentication Enterprise NOS supports authentication, authorization, and accounting with networks using the Cisco Systems TACACS+ protocol. The CN4093 functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the CN4093 either through a data or management port. TACACS+ offers the following advantages over RADIUS:  TACACS+ uses TCP‐based connection‐oriented transport; whereas RADIUS is UDP‐based. TCP offers a connection‐oriented transport, while UDP offers best‐effort delivery. RADIUS requires additional programmable variables such as re‐transmit attempts and time‐outs to compensate for best‐effort transport, but it lacks the level of built‐in support that a TCP transport offers.  TACACS+ offers full packet encryption whereas RADIUS offers password‐only encryption in authentication requests.  TACACS+ separates authentication, authorization and accounting. How TACACS+ Authentication Works TACACS+ works much in the same way as RADIUS authentication as described on page 100. 1. Remote administrator connects to the switch and provides user name and password. 2. Using Authentication/Authorization protocol, the switch sends request to authentication server. 3. Authentication server checks the request against the user ID database. 4. Using TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access. During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command.f CN4093 Application Guide for N/OS 8.4...
Page 105: Tacacs+ Authentication Features In Enterprise Nos
CN 4093(config)# tacacs-server privilege-mapping Table 10. Alternate TACACS+ Authorization Levels Enterprise NOS User Access TACACS+ Level Level user 0–1 oper 6–8 admin (USERID) 14–15 You can customize the mapping between TACACS+ privilege levels and CN4093 management access levels. Use the following command to manually map each TACACS+ privilege level (0‐15) to a corresponding CN4093 management access level: CN 4093(config)# tacacs-server user-mapping If the remote user is successfully authenticated by the authentication server, the switch verifies the privileges of the remote user and authorizes the appropriate access. © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 106: Backdoor
Backdoor The administrator has an option to allow backdoor access via Telnet using the command: CN 4093(config)# tacacs-server backdoor The default value for Telnet access is disabled. The administrator also can enable secure backdoor to allow access if both the primary and the secondary TACACS+ servers fail to respond. The command for this is: CN 4093(config)# tacacs-server secure-backdoor Note: To obtain the TACACS+ backdoor password for your switch, contact your Service and Support line. Accounting Accounting is the action of recording a userʹs activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization is not performed via TACACS+, there are no TACACS+ accounting messages sent out. You can use TACACS+ to record and track software login access, configuration changes, and interactive commands. The CN4093 supports the following TACACS+ accounting attributes: protocol (console/telnet/ssh/http)   start_time  stop_time  elapsed_time  disc‐cause Note: When using the Browser‐Based Interface, the TACACS+ Accounting Stop records are sent only if the Quit button on the browser is clicked. CN4093 Application Guide for N/OS 8.4...
Page 107: Command Authorization And Logging
The following rules apply to TACACS+ command authorization and logging:  Only commands from a Console, Telnet, or SSH connection are sent for authori‐ zation and logging. SNMP, BBI, or file‐copy commands (for example, TFTP or sync) are not sent. Only leaf‐level commands are sent for authorization and logging. For example:  CN 4093(config)# is not sent, but the following command is sent: CN 4093(config)# tacacs-server command-logging  The full path of each command is sent for authorization and logging. For example: CN 4093(config)# tacacs-server command-logging  Command arguments are not sent for authorization.  Only executed commands are logged.  Invalid commands are checked by Enterprise NOS and are not sent for authori‐ zation or logging. © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 108  Authorization is performed on each leaf‐level command separately. If the user issues multiple commands at once, each command is sent separately as a full path.  Only the following global commands are sent for authorization and logging: diff  ping  revert  telnet  traceroute  CN4093 Application Guide for N/OS 8.4...
Page 109: Tacacs+ Password Change
CN 4093(config)# tacacs-server timeout 5 5. Configure custom privilege‐level mapping (optional). CN 4093(config)# tacacs-server user-mapping 2 user CN 4093(config)# tacacs-server user-mapping 3 user CN 4093(config)# tacacs-server user-mapping 4 user CN 4093(config)# tacacs-server user-mapping 5 oper © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 110: Ldap Authentication And Authorization
LDAP Authentication and Authorization Enterprise NOS supports the LDAP (Lightweight Directory Access Protocol) method to authenticate and authorize remote administrators to manage the switch. LDAP is based on a client/server model. The switch acts as a client to the LDAP server. A remote user (the remote administrator) interacts only with the switch, not the back‐end server and database. LDAP authentication consists of the following components: A protocol with a frame format that utilizes TCP over IP   A centralized server that stores all the user authorization information A client, in this case, the switch  Each entry in the LDAP server is referenced by its Distinguished Name (DN). The DN consists of the user‐account name concatenated with the LDAP domain name. If the user‐account name is John, the following is an example DN: uid=John,ou=people,dc=domain,dc=com Configuring the LDAP Server CN4093 user groups and user accounts must reside within the same domain. On the LDAP server, configure the domain to include CN4093 user groups and user accounts, as follows:  User Accounts: Use the uid attribute to define each individual user account.  User Groups: Use the members attribute in the groupOfNames object class to create the user groups. The first word of the common name for each user group must be equal to the user group names defined in the CN4093, as follows: admin (USERID)  oper  user ...
Page 111: Configuring Ldap Authentication On The Switch
3. If desired, you may change the default TCP port number used to listen to LDAP. The well‐known port for LDAP is 389. CN 4093(config)# ldap-server port <1‐65000> 4. Configure the number of retry attempts for contacting the LDAP server and the timeout period. CN 4093(config)# ldap-server retransmit 3 (number of server retries) CN 4093(config)# ldap-server timeout 10 (enter the timeout period in seconds) 5. You may change the default LDAP attribute (uid) or add a custom attribute. For instance, Microsoft’s Active Directory requires the cn (common name) attribute. CN 4093(config)# ldap-server attribute username <1‐128 alpha‐numeric characters> © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 112 CN4093 Application Guide for N/OS 8.4...
Page 113: Chapter 6. 802.1X Port-Based Network Access Control
Chapter 6. 802.1X Port-Based Network Access Control Port‐Based Network Access control provides a means of authenticating and authorizing devices attached to a LAN port that has point‐to‐point connection characteristics. It prevents access to ports that fail authentication and authorization. This feature provides security to ports of the CN4093 10 Gb Converged Scalable Switch (CN4093) that connect to blade servers. The following topics are discussed in this section:  “Extensible Authentication Protocol over LAN” on page 114  “EAPoL Authentication Process” on page 115  “EAPoL Port States” on page 116  “Guest VLAN” on page 117  “Supported RADIUS Attributes” on page 118  “EAPoL Configuration Guidelines” on page 120 © Copyright Lenovo 2017...
Page 114: Extensible Authentication Protocol Over Lan
Extensible Authentication Protocol over LAN Enterprise NOS can provide user‐level security for its ports using the IEEE 802.1X protocol, which is a more secure alternative to other methods of port‐based network access control. Any device attached to an 802.1X‐enabled port that fails authentication is prevented access to the network and denied services offered through that port. The 802.1X standard describes port‐based network access control using Extensible Authentication Protocol over LAN (EAPoL). EAPoL provides a means of authenticating and authorizing devices attached to a LAN port that has point‐to‐point connection characteristics and of preventing access to that port in cases of authentication and authorization failures. EAPoL is a client‐server protocol that has the following components: Supplicant or Client  The Supplicant is a device that requests network access and provides the required credentials (user name and password) to the Authenticator and the Authenticator Server.  Authenticator The Authenticator enforces authentication and controls access to the network. The Authenticator grants network access based on the information provided by the Supplicant and the response from the Authentication Server. The Authenticator acts as an intermediary between the Supplicant and the Authentication Server: requesting identity information from the client, forwarding that information to the Authentication Server for validation, relaying the server’s responses to the client, and authorizing network access based on the results of the authentication exchange. The CN4093 acts as an Authenticator.  Authentication Server The Authentication Server validates the credentials provided by the Supplicant to determine if the Authenticator should grant access to the network. The Authentication Server may be co‐located with the Authenticator. The CN4093 relies on external RADIUS servers for authentication. Upon a successful authentication of the client by the server, the 802.1X‐controlled port transitions from unauthorized to authorized state, and the client is allowed full access to services through the port. When the client sends an EAP‐Logoff ...
Page 115: Eapol Authentication Process
802.1x Client Server EAPOL IBM Switch RADIUS-EAP Authenticator Ethernet (RADIUS Client) UDP/IP Port Unauthorized EAPOL-Start EAP-Request (Credentials) EAP-Response (Credentials) Radius-Access-Request Radius-Access-Challenge EAP-Request (Credentials) EAP-Response (Credentials) Radius-Access-Request Radius-Access-Accept EAP-Success Port Authorized © Copyright Lenovo 2017 Chapter 6: 802.1X Port-Based Network Access Control...
Page 116: Eapol Message Exchange
EAPoL Message Exchange During authentication, EAPOL messages are exchanged between the client and the CN4093 authenticator, while RADIUS‐EAP messages are exchanged between the CN4093 authenticator and the RADIUS server. Authentication is initiated by one of the following methods:  The CN4093 authenticator sends an EAP‐Request/Identity packet to the client  The client sends an EAPOL‐Start frame to the CN4093 authenticator, which responds with an EAP‐Request/Identity frame. The client confirms its identity by sending an EAP‐Response/Identity frame to the CN4093 authenticator, which forwards the frame encapsulated in a RADIUS packet to the server. The RADIUS authentication server chooses an EAP‐supported authentication algorithm to verify the client’s identity, and sends an EAP‐Request packet to the client via the CN4093 authenticator. The client then replies to the RADIUS server with an EAP‐Response containing its credentials. Upon a successful authentication of the client by the server, the 802.1X‐controlled port transitions from unauthorized to authorized state, and the client is allowed full access to services through the controlled port. When the client later sends an EAPOL‐Logoff message to the CN4093 authenticator, the port transitions from authorized to unauthorized state. If a client that does not support 802.1X connects to an 802.1X‐controlled port, the CN4093 authenticator requests the clientʹs identity when it detects a change in the operational state of the port. The client does not respond to the request, and the port remains in the unauthorized state. Note: When an 802.1X‐enabled client connects to a port that is not 802.1X‐controlled, the client initiates the authentication process by sending an EAPOL‐Start frame. When no response is received, the client retransmits the request for a fixed number of times. If no response is received, the client assumes the port is in authorized state, and begins sending frames, even if the port is unauthorized. EAPoL Port States The state of the port determines whether the client is granted access to the network, as follows: ...
Page 117: Guest Vlan
Guest VLAN The guest VLAN provides limited access to unauthenticated ports. The guest VLAN can be configured using the following command: CN 4093(config)# dot1x guest-vlan ? Client ports that have not received an EAPOL response are placed into the Guest VLAN, if one is configured on the switch. Once the port is authenticated, it is moved from the Guest VLAN to its configured VLAN. When Guest VLAN enabled, the following considerations apply while a port is in the unauthenticated state:  The port is placed in the guest VLAN. The Port VLAN ID (PVID) is changed to the Guest VLAN ID.   Port tagging is disabled on the port. © Copyright Lenovo 2017 Chapter 6: 802.1X Port-Based Network Access Control...
Page 118: Supported Radius Attributes
Supported RADIUS Attributes The 802.1X Authenticator relies on external RADIUS servers for authentication with EAP. Table 11lists the RADIUS attributes that are supported as part of RADIUS‐EAP authentication based on the guidelines specified in Annex D of the 802.1X standard and RFC 3580. Table 11. Support for RADIUS Attributes # Attribute Attribute Value 1 User‐Name The value of the Type‐Data field 0‐1 from the supplicant’s EAP‐Response/Identity message. If the Identity is unknown (i.e. Type‐Data field is zero bytes in length), this attribute will have the same value as the Calling‐Station‐Id. 4 NAS‐IP‐Address IPv4 address of the authenticator used for Radius communication. 5 NAS‐Port Port number of the authenticator port to which the supplicant is attached. 24 State Server‐specific value. This is 0‐1 0‐1 0‐1 sent unmodified back to the ...
Page 119 80 Message‐ Always present whenever an Authenticator EAP‐Message attribute is also included. Used to integrity‐protect a packet. 87 NAS‐Port‐ID Name assigned to the authenticator port, e.g. Server1_Port3 Legend: RADIUS Packet Types: A‐R (Access‐Request), A‐A (Access‐Accept), A‐C (Access‐Challenge), A‐R (Access‐Reject) RADIUS Attribute Support: This attribute MUST NOT be present in a packet.   Zero or more instances of this attribute MAY be present in a packet. 0‐1 Zero or one instance of this attribute MAY be present in a packet.   Exactly one instance of this attribute MUST be present in a packet.  One or more of these attributes MUST be present. © Copyright Lenovo 2017 Chapter 6: 802.1X Port-Based Network Access Control...
Page 120: Eapol Configuration Guidelines
EAPoL Configuration Guidelines When configuring EAPoL, consider the following guidelines:  The 802.1X port‐based authentication is currently supported only in point‐to‐point configurations, that is, with a single supplicant connected to an 802.1X‐enabled switch port.  When 802.1X is enabled, a port has to be in the authorized state before any other Layer 2 feature can be operationally enabled. For example, the STG state of a port is operationally disabled while the port is in the unauthorized state.  The 802.1X supplicant capability is not supported. Therefore, none of its ports can successfully connect to an 802.1X‐enabled port of another device, such as another switch, that acts as an authenticator, unless access control on the remote port is disabled or is configured in forced‐authorized mode. For example, if a CN4093 is connected to another CN4093, and if 802.1X is enabled on both switches, the two connected ports must be configured in force‐authorized mode.  Unsupported 802.1X attributes include Service‐Type, Session‐Timeout, and Termination‐Action.  RADIUS accounting service for 802.1X‐authenticated devices or users is not currently supported.  Configuration changes performed using SNMP and the standard 802.1X MIB will take effect immediately. CN4093 Application Guide for N/OS 8.4...
Page 121: Chapter 7. Access Control Lists
ACLs are configured using the following CLI menu: CN 4093(config)# access-control list <IPv4 ACL number> IPv6 ACLs  Up to 128 ACLs are supported for networks that use IPv6 addressing. IPv6 ACLs are configured using the following CLI menu: CN 4093(config)# access-control list6 <IPv6 ACL number>  Management ACLs Up to 128 MACLs are supported. ACLs for the different types of management protocols (Telnet, HTTPS, etc.) provide greater granularity for securing management traffic. Management ACLs are configured using the following command: CN 4093(config)# access-control macl <MACL number>  VLAN Maps (VMaps) Up to 128 VLAN Maps are supported for attaching filters to VLANs rather than ports. See “VLAN Maps” on page 132 for details. CN 4093(config)# access-control vmap <vmap number> © Copyright Lenovo 2017...
Page 122: Summary Of Packet Classifiers
Summary of Packet Classifiers ACLs allow you to classify packets according to a variety of content in the packet header (such as the source address, destination address, source port number, destination port number, and others). Once classified, packet flows can be identified for more processing. Regular ACLs, and VMaps allow you to classify packets based on the following packet attributes:  Ethernet header options (for regular ACLs and VMaps only) Source MAC address  Destination MAC address  VLAN number and mask  Ethernet type (ARP, IPv4, MPLS, RARP, etc.)  Ethernet Priority (the IEEE 802.1p Priority)   IPv4 header options (for regular ACLs and VMaps only) Source IPv4 address and subnet mask  Destination IPv4 address and subnet mask  Type of Service value  IP protocol number or name as shown in Table  Table 12. Well‐Known Protocol Types Number Protocol Name icmp igmp ospf vrrp CN4093 Application Guide for N/OS 8.4...
Page 123 1985 hsrp gopher snmptrap TCP/UDP application destination port and mask as shown in Table  TCP/UDP flag value as shown in Table 14.  Table 14. Well‐Known TCP flag values Flag Value 0x0020 0x0010 0x0008 0x0004 0x0002 0x0001  Packet format (for regular ACLs and VMaps only) Ethernet format (eth2, SNAP, LLC)  Ethernet tagging format  IP format (IPv4)   Egress port packets (for all ACLs) © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 124: Summary Of Acl Actions
Summary of ACL Actions Once classified using ACLs, the identified packet flows can be processed differently. For each ACL, an action can be assigned. The action determines how the switch treats packets that match the classifiers assigned to the ACL. CN4093 ACL actions include the following:  Pass or Drop the packet  Re‐mark the packet with a new DiffServ Code Point (DSCP)  Re‐mark the 802.1p field  Set the COS queue Assigning Individual ACLs to a Port Once you configure an ACL, you must assign the ACL to the appropriate ports. Each port can accept multiple ACLs, and each ACL can be applied for multiple ports. ACLs can be assigned individually, or in groups. To assign an individual ACL to a port, use the following IP interface commands: CN 4093(config)# interface port <port> CN 4093(config-if)# access-control list <IPv4 ACL number> CN 4093(config-ip)# access-control list6 <IPv6 ACL number> When multiple ACLs are assigned to a port, higher‐priority ACLs are considered ...
Page 125: Acl Groups
DIP = 10.10.10.3 (255.255.255.0) Action = permit ACL Groups organize ACLs into traffic profiles that can be more easily assigned to ports. The CN4093 supports up to 256 ACL Groups. Note: ACL Groups are used for convenience in assigning multiple ACLs to ports. ACL Groups have no effect on the order in which ACLs are applied (see “ACL Order of Precedence” on page 124). All ACLs assigned to the port (whether individually assigned or part of an ACL Group) are considered as individual ACLs for the purposes of determining their order of precedence. Assigning ACL Groups to a Port To assign an ACL Group to a port, use the following commands: CN 4093(config)# interface port <port number> CN 4093(config-if)# access-control group <ACL group number> CN 4093(config-if)# exit © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 126: Acl Metering And Re-Marking
ACL Metering and Re-Marking You can define a profile for the aggregate traffic flowing through the switch by configuring a QoS meter (if desired) and assigning ACLs to ports. Note: When you add ACLs to a port, make sure they are ordered correctly in terms of precedence (see “ACL Order of Precedence” on page 124). Actions taken by an ACL are called In‐Profile actions. You can configure additional In‐Profile and Out‐of‐Profile actions on a port. Data traffic can be metered, and re‐marked to ensure that the traffic flow provides certain levels of service in terms of bandwidth for different types of network traffic. Metering QoS metering provides different levels of service to data streams through user‐configurable parameters. A meter is used to measure the traffic stream against a traffic profile which you create. Thus, creating meters yields In‐Profile and Out‐of‐Profile traffic for each ACL, as follows:  In‐Profile–If there is no meter configured or if the packet conforms to the meter, the packet is classified as In‐Profile.  Out‐of‐Profile–If a meter is configured and the packet does not conform to the meter (exceeds the committed rate or maximum burst rate of the meter), the packet is classified as Out‐of‐Profile. Using meters, you set a Committed Rate in Kbps (1000 bits per second in each Kbps). All traffic within this Committed Rate is In‐Profile. Additionally, you can set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period. These parameters define the In‐Profile traffic. Meters keep the sorted packets within certain parameters. You can configure a meter on an ACL, and perform actions on metered traffic, such as packet re‐marking. Re-Marking Re‐marking allows for the treatment of packets to be reset based on new network specifications or desired levels of service. You can configure the ACL to re‐mark a packet as follows:  Change the DSCP value of a packet, used to specify the service level that traffic should receive. ...
Page 127: Acl Port Mirroring
CN 4093(config)# access-control list <ACL number> mirror port <destination port> The ACL must be also assigned to it target ports as usual (see “Assigning Individual ACLs to a Port” on page 124, or “Assigning ACL Groups to a Port” on page 125). For VMaps (see “VLAN Maps” on page 132):  CN 4093(config)# access-control vmap <VMap number> mirror port <monitor destination port> Viewing ACL Statistics ACL statistics display how many packets have “hit” (matched) each ACL. Use ACL statistics to check filter performance or to debug the ACL filter configuration. You must enable statistics for each ACL that you wish to monitor: CN 4093(config)# access-control list <ACL number> statistics © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 128: Acl Logging
ACL Logging ACLs are generally used to enhance port security. Traffic that matches the characteristics (source addresses, destination addresses, packet type, etc.) specified by the ACLs on specific ports is subject to the actions (chiefly permit or deny) defined by those ACLs. Although switch statistics show the number of times particular ACLs are matched, the ACL logging feature can provide additional insight into actual traffic patterns on the switch, providing packet details in the system log for network debugging or security purposes. Enabling ACL Logging By default, ACL logging is disabled. Enable or disable ACL logging on a per‐ACL basis as follows: CN 4093(config)# [no] access-control list <IPv4 ACL number> log CN 4093(config)# [no] access-control list6 <IPv6 ACL number> log Logged Information When ACL logging is enabled on any particular ACL, the switch will collect information about packets that match the ACL. The information collected depends on the ACL type:  For IP‐based ACLs, information is collected regarding Source IP address  Destination IP address  TCP/UDP port number ...
Page 129: Rate Limiting Behavior
CN 4093(config)# access-control log rate-limit <1‐1000> Where the limit is specified in packets per second. Log Interval For each log‐enabled ACL, the first packet that matches the ACL initiates an immediate message in the system log. Beyond that, additional matches are subject to the log interval. By default, the switch will buffer ACL log messages for a period of 300 seconds. At the end of that interval, all messages in the buffer are written to the system log. The global interval value can be changed as follows: CN 4093(config)# access-control log interval <5‐600> Where the interval rate is specified in seconds. In any given interval, packets that have identical log information are condensed into a single message. However, the packet count shown in the ACL log message represents only the logged messages, which due to rate‐limiting, may be significantly less than the number of packets actually matched by the ACL. Also, the switch is limited to 64 different ACL log messages in any interval. Once the threshold is reached, the oldest message will be discarded in favor of the new message, and an overflow message will be added to the system log. ACL Logging Limitations ACL logging reserves packet queue 1 for internal use. Features that allow remapping packet queues (such as CoPP) may not behave as expected if other packet flows are reconfigured to use queue 1. © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 130: Acl Configuration Examples
ACL Configuration Examples ACL Example 1 Use this configuration to block traffic to a specific host. All traffic that ingresses on port EXT1 is denied if it is destined for the host at IP address 100.10.1.1. 1. Configure an Access Control List. CN 4093(config)# access-control list 1 ipv4 destination-ip-address 100.10.1.1 CN 4093(config)# access-control list 1 action deny 2. Add ACL 1 to port EXT1. CN 4093(config)# interface port EXT1 CN 4093(config-if)# access-control list 1 CN 4093(config-if)# exit ACL Example 2 Use this configuration to block traffic from a network destined for a specific host ...
Page 131: Acl Example 3
CN 4093(config)# access-control list 4 ipv4 source-ip-address 100.10.1.0 255.255.255.0 CN 4093(config)# access-control list 4 egress-port 3 CN 4093(config)# access-control list 4 action deny 2. Add ACL 4 to port EXT1. CN 4093(config)# interface port EXT1 CN 4093(config-if)# access-control list 4 CN 4093(config-if)# exit © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 132: Vlan Maps
VLAN Maps A VLAN map (VMAP) is an ACL that can be assigned to a VLAN or VM group rather than to a switch port as with regular ACLs. This is particularly useful in a virtualized environment where traffic filtering and metering policies must follow virtual machines (VMs) as they migrate between hypervisors. VMAPs are configured using the following ISCLI command path: CN 4093(config)# access-control vmap <VMAP ID (1‐128)> action Set filter action egress-port Set to filter for packets egressing this port ethernet Ethernet header options ipv4 IP version 4 header options meter ACL metering configuration mirror Mirror options packet-format Set to filter specific packet format types...
Page 133: Vmap Example
CN 4093(config)# access-control vmap 21 packet-format ethernet ethernet-type2 CN 4093(config)# access-control vmap 21 mirror port 4 CN 4093(config)# access-control vmap 21 action permit CN 4093(config)# vlan 3 CN 4093(config-vlan)# vmap 21 intports © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 134: Management Acls
Management ACLs Management ACLs (MACLs) filter inbound traffic (traffic heading toward the CPU). MACLs are applied switch‐wide. Traffic can be filtered based on the following:  IPv4 source address  IPv4 destination address  IPv4 protocols  TCP/UDP destination or source port Lower MACL numbers have higher priority. Up to 128 MACLs can be configured. Following is an example MACL configuration based on a destination IP address and a TCP‐UDP destination port: CN 4093(config)# access-control macl 1 ipv4 destination-ip-address 1.1.1.1 255.255.255.0 CN 4093(config)# access-control macl 1 tcp-udp destination-port 111 0xffff CN 4093(config)# access-control macl 1 statistics CN 4093(config)# access-control macl 1 action permit CN 4093(config)# access-control macl 1 enable Use the following command to view the MACL configuration: ...
Page 135: Part 3: Switch Basics
Part 3: Switch Basics This section discusses basic switching functions:  VLANs  Port Aggregation  Spanning Tree Protocols (Spanning Tree Groups, Rapid Spanning Tree Protocol and Multiple Spanning Tree Protocol)  Quality of Service © Copyright Lenovo 2017...
Page 136 CN4093 Application Guide for N/OS 8.4...
Page 137: Chapter 8. Vlans
Chapter 8. VLANs This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments. The following topics are discussed in this chapter:  “VLANs and Port VLAN ID Numbers” on page 139  “VLAN Tagging/Trunk Mode” on page 142  “VLAN Topologies and Design Considerations” on page 147  “Protocol‐Based VLANs” on page 150 “Private VLANs” on page 153  Note: Basic VLANs can be configured during initial switch configuration (see “Using the Setup Utility” in the CN4093 Enterprise NOS 8.4 Command Reference). More comprehensive VLAN configuration can be done from the Command Line Interface (see “VLAN Configuration” as well as “Port Configuration” in the CN4093 Enterprise NOS 8.4 Command Reference). © Copyright Lenovo 2017...
Page 138: Vlans Overview
VLANs Overview Setting up virtual LANs (VLANs) is a way to segment networks to increase network flexibility without changing the physical network topology. With network segmentation, each switch port connects to a segment that is a single broadcast domain. When a switch port is configured to be a member of a VLAN, it is added to a group of ports (workgroup) that belong to one broadcast domain. Ports are grouped into broadcast domains by assigning them to the same VLAN. Frames received in one VLAN can only be forwarded within that VLAN, and multicast, broadcast, and unknown unicast frames are flooded only to ports in the same VLAN. The CN4093 automatically supports jumbo frames. This default cannot be manually configured or disabled. The CN4093 10 Gb Converged Scalable Switch (CN4093) supports jumbo frames with a Maximum Transmission Unit (MTU) of 9,216 bytes. Within each frame, 18 bytes are reserved for the Ethernet header and CRC trailer. The remaining space in the frame (up to 9,198 bytes) comprise the packet, which includes the payload of up to 9,000 bytes and any additional overhead, such as 802.1q or VLAN tags. Jumbo frame support is automatic: it is enabled by default, requires no manual configuration, and cannot be manually disabled. Note: Jumbo frames are not supported for traffic sent to switch management interfaces. CN4093 Application Guide for N/OS 8.4...
Page 139: Vlans And Port Vlan Id Numbers
--------------------------- ------ --- ------------------------- Default VLAN INTA1-EXT22 VLAN 200 empty VLAN 300 empty 4095 Mgmt VLAN EXTM MGT1 Primary Secondary Type Ports vPorts ------- --------- --------------- --------------------- --------- Note: The sample screens that appear in this document might differ slightly from the screens displayed by your system. Screen content varies based on the type of blade chassis unit that you are using and the firmware versions and options that are installed. © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 140: Pvid/Native Vlan Numbers
PVID/Native VLAN Numbers Each port in the switch has a configurable default VLAN number, known as its PVID. By default, the PVID for all non‐management ports is set to 1, which correlates to the default VLAN ID. The PVID for each port can be configured to any VLAN number between 1 and 4094. Use the following CLI commands to view PVIDs:  Port information: CN 4093# show interface information (or) CN 4093# show interface trunk Alias Port Tag Type RMON Lrn Fld PVID DESCRIPTION VLAN(s) NVLAN ------- ---- --- ---------- ---- --- --- ------ -------------- ------ INTA1 Internal 4094...
Page 141 Port Configuration: Access mode port:  CN 4093(config)# interface port <port number> CN 4093(config-if)# switchport access vlan <VLAN ID> Trunk mode port:  CN 4093(config)# interface port <port number> CN 4093(config-if)# switchport trunk native vlan <VLAN ID> Each port on the switch can belong to one or more VLANs, and each VLAN can have any number of switch ports in its membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging enabled (see “VLAN Tagging/Trunk Mode” on page 142). © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 142: Vlan Tagging/Trunk Mode
VLAN Tagging/Trunk Mode Enterprise NOS software supports 802.1Q VLAN tagging, providing standards‐based VLAN support for Ethernet systems. Tagging places the VLAN identifier in the frame header of a packet, allowing each port to belong to multiple VLANs. When you add a port to multiple VLANs, you also must enable tagging on that port. Since tagging fundamentally changes the format of frames transmitted on a tagged port, you must carefully plan network designs to prevent tagged frames from being transmitted to devices that do not support 802.1Q VLAN tags, or devices where tagging is not enabled. Important terms used with the 802.1Q tagging feature are:  VLAN identifier (VID)—the 12‐bit portion of the VLAN tag in the frame header that identifies an explicit VLAN.  Port VLAN identifier (PVID)—a classification mechanism that associates a port with a specific VLAN. For example, a port with a PVID of 3 (PVID =3) assigns all untagged frames received on this port to VLAN 3. Any untagged frames received by the switch are classified with the PVID of the receiving port.  Tagged frame—a frame that carries VLAN tagging information in the header. This VLAN tagging information is a 32‐bit field (VLAN tag) in the frame header that identifies the frame as belonging to a specific VLAN. Untagged frames are marked (tagged) with this classification as they leave the switch through a port that is configured as a tagged port.  Untagged frame— a frame that does not carry any VLAN tagging information in the frame header.  Untagged member—a port that has been configured as an untagged member of a specific VLAN. When an untagged frame exits the switch through an untagged member port, the frame header remains unchanged. When a tagged frame exits the switch through an untagged member port, the tag is stripped and the tagged frame is changed to an untagged frame.  Tagged member—a port that has been configured as a tagged member of a specific VLAN. When an untagged frame exits the switch through a tagged member port, the frame header is modified to include the 32‐bit tag associated with the PVID. When a tagged frame exits the switch through a tagged member ...
Page 143 Port 1 Port 2 Port 3 Tagged member PVID = 2 of VLAN 2 Untagged packet 802.1Q Switch Data B efore Port 6 Port 7 Port 8 Untagged member of VLAN 2 BS45011A © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 144 As shown in Figure 4, the untagged packet is marked (tagged) as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2. The untagged packet remains unchanged as it leaves the switch through port 7, which is configured as an untagged member of VLAN 2. Figure 4. 802.1Q tagging (after port‐based VLAN assignment) Tagged member PVID = 2 Port 1 Port 2 Port 3 of VLAN 2 802.1Q Switch CRC* Data (*Recalculated) Port 6 Port 7 Port 8 8100 Priority VID = 2 Untagged memeber of VLAN 2 16 bits 3 bits...
Page 145 16 bits 3 bits 1 bit 12 bits Data After Outgoing untagged packet changed (tag removed) Priority - User_priority - Canonical format indicator - VLAN identifier BS45014A Note: Setting the configuration to factory default (CN 4093(config)# boot configuration-block factory) will reset all non‐management ports to VLAN 1. © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 146: Ingress Vlan Tagging
Ingress VLAN Tagging Tagging can be enabled on an ingress port. When a packet is received on an ingress port, and if ingress tagging is enabled on the port, a VLAN tag with the port PVID is inserted into the packet as the outer VLAN tag. Depending on the egress port setting (tagged or untagged), the outer tag of the packet is retained or removed when it leaves the egress port. Ingress VLAN tagging is used to tunnel packets through a public domain without altering the original 802.1Q status. When ingress tagging is enabled on a port, all packets, whether untagged or tagged, will be tagged again. As shown in Figure 7, when tagging is enabled on the egress port, the outer tag of the packet is retained when it leaves the egress port. If tagging is disabled on the egress port, the outer tag of the packet is removed when it leaves the egress port. Figure 7. 802.1Q tagging (after ingress tagging assignment) Untagged packet received on ingress port 802.1Q Switch Port 1 Port 2 Port 3 Tagged member PVID = 2 of VLAN 2 Untagged packet CRC* Data...
Page 147: Vlan Topologies And Design Considerations
CN 4093(config)# vlan <VLAN ID (1‐4094)> CN 4093(config-vlan)# management When using Spanning Tree, STG 2‐128 may contain only one VLAN unless  Multiple Spanning‐Tree Protocol (MSTP) mode is used. With MSTP mode, STG 1 to 32 can include multiple VLANs. VLAN Configuration Rules VLANs operate according to specific configuration rules. When creating VLANs, consider the following rules that determine how the configured VLAN reacts in any network topology:  All ports involved in aggregation and port mirroring must have the same VLAN configuration. If a port is on a LAG with a mirroring port, the VLAN configura‐ tion cannot be changed. For more information about aggregation, see “Configuring a Static LAG” on page 163.  If a port is configured for port mirroring, the port’s VLAN membership cannot be changed. For more information on configuring port mirroring, see “Port Mirroring” on page 607.  Management VLANs must contain the management port, and can include one or more internal ports (INTx). External ports (EXTx) cannot be members of any management VLAN. © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 148: Example: Multiple Vlans With Tagging Adapters
Example: Multiple VLANs with Tagging Adapters Figure 8. Multiple VLANs with VLAN‐Tagged Gigabit Adapters Server #1 Server #2 VLAN #3 VLAN #1, 2, 3 Switch Module Switch Module Shared Media Gigabit/Tagged adapter PC #1 PC #2 PC #3 PC #4 PC #5 VLAN #2 VLAN #2 VLAN #1 VLAN #3 VLAN #1 &...
Page 149 Component Description PC #4 A member of VLAN 3, this PC can only communicate with Server 1 and Server 2. The associated external switch port has tagging disabled. PC #5 A member of both VLAN 1 and VLAN 2, this PC has a VLAN‐tagging Gigabit Ethernet adapter installed. It can communicate with Server 2 and PC 3 via VLAN 1, and to Server 2, PC 1 and PC 2 via VLAN 2. The associated external switch port is a member of VLAN 1 and VLAN 2, and has tagging enabled. Note: VLAN tagging is required only on ports that are connected to other CN4093s or on ports that connect to tag‐capable end‐stations, such as servers with VLAN‐tagging adapters. © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 150: Protocol-Based Vlans
Protocol-Based VLANs Protocol‐based VLANs (PVLANs) allow you to segment network traffic according to the network protocols in use. Traffic for supported network protocols can be confined to a particular port‐based VLAN. You can give different priority levels to traffic generated by different network protocols. With PVLAN, the switch classifies incoming packets by Ethernet protocol of the packets, not by the configuration of the ingress port. When an untagged or priority‐tagged frame arrives at an ingress port, the protocol information carried in the frame is used to determine a VLAN to which the frame belongs. If a frame’s protocol is not recognized as a pre‐defined PVLAN type, the ingress port’s PVID is assigned to the frame. When a tagged frame arrives, the VLAN ID in the frame’s tag is used. Each VLAN can contain up to eight different PVLANs. You can configure separate PVLANs on different VLANs, with each PVLAN segmenting traffic for the same protocol type. For example, you can configure PVLAN 1 on VLAN 2 to segment IPv4 traffic, and PVLAN 8 on VLAN 100 to segment IPv4 traffic. To define a PVLAN on a VLAN, configure a PVLAN number (1‐8) and specify the frame type and the Ethernet type of the PVLAN protocol. You must assign at least one port to the PVLAN before it can function. Define the PVLAN frame type and Ethernet type as follows: Frame type—consists of one of the following values:  Ether2 (Ethernet II)  SNAP (Subnetwork Access Protocol)  LLC (Logical Link Control)   Ethernet type—consists of a 4‐digit (16 bit) hex value that defines the Ethernet type. You can use common Ethernet protocol values, or define your own values. Following are examples of common Ethernet protocol values: IPv4 = 0800  IPv6 = 86dd  ARP = 0806  Port-Based vs. Protocol-Based VLANs Each VLAN supports both port‐based and protocol‐based association, as follows: ...
Page 151: Pvlan Priority Levels
142. Untagged ports must have PVLAN tagging disabled. Tagged ports can have PVLAN tagging either enabled or disabled. PVLAN tagging has higher precedence than port‐based tagging. If a port is tag enabled, and the port is a member of a PVLAN, the PVLAN tags egress frames that match the PVLAN protocol. Use the tag‐pvlan command (vlan <x> protocol-vlan <x> tag-pvlan <x>) to define the complete list of tag‐enabled ports in the PVLAN. Note that all ports not included in the PVLAN tag list will have PVLAN tagging disabled. PVLAN Configuration Guidelines Consider the following guidelines when you configure protocol‐based VLANs:  Each port can support up to 8 VLAN protocols. The CN4093 can support up to 16 protocols simultaneously.   Each PVLAN must have at least one port assigned before it can be activated. The same port within a port‐based VLAN can belong to multiple PVLANs.   An untagged port can be a member of multiple PVLANs. A port cannot be a member of different VLANs with the same protocol  association. © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 152: Configuring Pvlan
Configuring PVLAN Follow this procedure to configure a Protocol‐based VLAN (PVLAN). 1. Configure VLAN tagging/trunk mode for ports. CN 4093(config)# interface port 1,2 CN 4093(config-if)# switchport mode trunk CN 4093(config-if)# exit 2. Create a VLAN and define the protocol type(s) supported by the VLAN. CN 4093(config)# vlan 2 CN 4093(config-vlan)# protocol-vlan 1 frame-type ether2 0800 3. Configure the priority value for the protocol. CN 4093(config-vlan)# protocol-vlan 1 priority 2 4. Add member ports for this PVLAN. CN 4093(config-vlan)# protocol-vlan 1 member 1,2 Note: If VLAN tagging is turned on and the port being added to the VLAN has a ...
Page 153: Private Vlans
 toward ports in the primary VLAN. Each Private VLAN can contain only one Isolated VLAN. Community VLAN—carries upstream traffic from ports in the community  VLAN to other ports in the same community, and to ports in the primary VLAN. Each Private VLAN can contain multiple community VLANs. After you define the primary VLAN and one or more secondary VLANs, you map the secondary VLAN(s) to the primary VLAN. Private VLAN Ports Private VLAN ports are defined as follows:  Promiscuous—A promiscuous port is a port that belongs to the primary VLAN. The promiscuous port can communicate with all the interfaces, including ports in the secondary VLANs (Isolated VLAN and Community VLANs).  Isolated—An isolated port is a host port that belongs to an isolated VLAN. Each isolated port has complete layer 2 separation from other ports within the same private VLAN (including other isolated ports), except for the promiscuous ports. Traffic sent to an isolated port is blocked by the Private VLAN, except the  traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.   Community—A community port is a host port that belongs to a community VLAN. Community ports can communicate with other ports in the same community VLAN, and with promiscuous ports. These interfaces are isolated at layer 2 from all other interfaces in other communities and from isolated ports within the Private VLAN. © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 154: Configuration Guidelines
Configuration Guidelines The following guidelines apply when configuring Private VLANs:  Management VLANs cannot be Private VLANs. Management ports cannot be members of a Private VLAN.  The default VLAN 1 cannot be a Private VLAN. IGMP Snooping must be disabled on Private VLANs.   All VLANs that comprise the Private VLAN must belong to the same Spanning Tree Group.  A VLAN pair is a primary VLAN and one associated secondary VLAN (isolated or community). The maximum number of VLAN pairs per port is 16. Configuration Example Follow this procedure to configure a Private VLAN. 1. Select a VLAN and define the Private VLAN type as primary. CN 4093(config)# vlan 700 CN 4093(config-vlan)# private-vlan primary CN 4093(config-vlan)# exit 2. Configure a promiscuous port for VLAN 700. CN 4093(config)# interface port 1 CN 4093(config-if)# switchport mode private-vlan CN 4093(config-if)# switchport private-vlan mapping 700 CN 4093(config-if)# exit 3.
Page 155 CN 4093(config)# interface port 3 CN 4093(config-if)# switchport mode private-vlan CN 4093(config-if)# switchport private-vlan host-association 700 702 CN 4093(config-if)# exit 6. Verify the configuration. CN 4093(config)# show vlan private-vlan Primary Secondary Type Ports ------- --------- --------------- --------------------------------- isolated community © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 156 CN4093 Application Guide for N/OS 8.4...
Page 157: Chapter 9. Ports And Link Aggregation (Lag)
Chapter 9. Ports and Link Aggregation (LAG) LAGs can provide super‐bandwidth, multi‐link connections between the CN4093 10 Gb Converged Scalable Switch (CN4093) and other LAG‐capable devices. A LAG is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. This chapter provides configuration background and examples for aggregating multiple ports together:  “Configuring Port Modes” on page 158  “Configuring QSFP+ Ports” on page 160  “Aggregation Overview” on page 161  “Static LAGs” on page 162 “Configurable LAG Hash Algorithm” on page 165   “Link Aggregation Control Protocol” on page 167 © Copyright Lenovo 2017...
Page 158: Configuring Port Modes
Configuring Port Modes The switch allows you to set the port mode. Select the port mode that fits your network configuration. Switch port modes are available based on the installation license. The following port modes are available: Base Port mode:  Fourteen 10Gb internal (1 port x 14 blade servers)  Eight 10Gb external  Upgrade 1 Port mode:  Twenty Eight 10Gb internal (2 ports x 14 blade servers)  Eight 10Gb external  Two 40Gb external  Upgrade 2 Port mode:  Forty Two 10Gb internal (3 ports x 14 Blade servers)  Fourteen 10Gb external  Two 40Gb external  Base Port mode is the default. To upgrade the port mode, you must obtain a software license key. The following command sequence is an example of how to upgrade the port mode (e.g. switch SN Y010CM2CN058): CN 4093# software-key Enter hostname or IP address of SFTP/TFTP server: 9.44.143.105 Enter name of file on SFTP/TFTP server: ibm_fod_0019_Y010CM2CN058_anyos_noarch.key...
Page 159 External EXT22 EXTM Mgmt 4095 EXTM 4095 MGT1 Mgmt 4095 MGT1 4095 * = PVID/Native-VLAN is tagged. # = PVID is ingress tagged. = Trunk mode NVLAN = Native-VLAN © Copyright Lenovo 2017 Chapter 9: Ports and Link Aggregation (LAG)
Page 160: Configuring Qsfp+ Ports
Configuring QSFP+ Ports QSFP+ ports support both 10GbE and 40GbE, as shown in Table 15. Table 15. QSFP+ Port Numbering Physical Port Number 40GbE mode 10GbE mode Port EXT3 Port EXT3 Ports EXT3‐EXT6 Port EXT7 Port EXT7 Ports EXT7‐EXT10 QSFP+ ports are available only when Upgrade 1 is installed (see “Configuring Port Modes” on page 158). The following procedure allows you to change the QSFP+ port mode. 1. Display the current port mode for the QSFP+ ports. CN 4093# show boot qsfp-port-modes QSFP ports booted configuration: Port EXT3, EXT4, EXT5, EXT6 - 10G Mode Port EXT7, EXT8, EXT9, EXT10 - 10G Mode QSFP ports saved configuration: Port EXT3, EXT4, EXT5, EXT6 - 10G Mode...
Page 161: Aggregation Overview
Aggregation Overview When using LAGs between two switches, as shown in Figure 9, you can create a virtual link between them, operating with combined throughput levels that depends on how many physical ports are included. Two types of aggregation are available: static LAGs and dynamic Link Aggregation Control Protocol (LACP) LAGs. Up to 52 LAGs of each type are supported, depending of the number and type of available ports. Each LAG can include up to 24 member ports. Figure 9. Link Aggregation Group (LAG) Switch 1 Switch 2 LAGs are also useful for connecting a CN4093 to third‐party devices that support link aggregation, such as Cisco routers and switches with EtherChannel technology (not ISL aggregation technology) and Sunʹs Quad Fast Ethernet Adapter. Static LAG technology is compatible with these devices when they are configured manually. LAG traffic is statistically distributed among the ports in a LAG, based on a variety of configurable options. Also, since each LAG is comprised of multiple physical links, the LAG is inherently fault tolerant. As long as one connection between the switches is available, the LAG remains active and statistical load balancing is maintained whenever a port in the LAG is lost or returned to service. © Copyright Lenovo 2017 Chapter 9: Ports and Link Aggregation (LAG)
Page 162: Static Lags
Static LAGs When you create and enable a static LAG, the LAG members (switch ports) take on certain settings necessary for correct operation of the aggregation feature. Before Configuring Static LAGs Before you configure your LAG, you must consider these settings, along with specific configuration rules, as follows:  Read the configuration rules provided in the section, “Static LAG Configuration Rules” on page 162.” Determine which switch ports are to become LAG members (the specific ports  making up the LAG).  Ensure that the chosen switch ports are set to enabled.  Ensure all member ports in a LAG have the same VLAN configuration.  Consider how the existing Spanning Tree will react to the new LAG configuration. See “Spanning Tree Protocols” on page 171 for configuration guidelines. Consider how existing VLANs will be affected by the addition of a LAG.  Static LAG Configuration Rules The aggregation feature operates according to specific configuration rules. When creating LAGs, consider the following rules that determine how a LAG reacts in any network topology:  All LAGs must originate from one network entity (a single device or multiple devices acting in a stack) and lead to one destination entity. For example, you cannot combine links from two different servers into one LAG.  Any physical switch port can belong to only one LAG.
Page 163: Configuring A Static Lag
 flow control). Configuring a Static LAG In the following example, three ports are aggregated between two switches. Figure 10. LAG Configuration Example Application Switch Application Switch LAG 3: Ports 2, 12, and 22 Lenovo Blade LAG 1: Ports EXT1, EXT2, and EXT3 Switch Lenovo Blade Chassis Prior to configuring each switch in the preceding example, you must connect to the appropriate switch’s Command Line Interface (CLI) as the administrator. Note: For details about accessing and using any of the menu commands described in this example, see the Enterprise NOS Command Reference. © Copyright Lenovo 2017...
Page 164 1. Connect the switch ports that will be members in the LAG. 2. Configure the LAG using these steps on the CN4093: a. Define a LAG. CN 4093(config)# portchannel 1 port ext1,ext2,ext3 (Add ports to LAG 1) CN 4093(config)# portchannel 1 enable b. Verify the configuration. CN 4093(config)# show portchannel information Examine the resulting information. If any settings are incorrect, make appropriate changes. 3. Repeat the process on the other switch. CN 4093(config)# portchannel 3 port 2,12,22 CN 4093(config)# portchannel 3 enable LAG 1 (on the CN4093) is now connected to LAG 3 on the Application Switch.
Page 165: Configurable Lag Hash Algorithm
CN 4093(config)# portchannel thash l3thash l3-source-ip-address Destination IP address (dip)  CN 4093(config)# portchannel thash l3thash l3-destination-ip-address Both source and destination IP address (enabled by default)  CN4093(config)# portchannel thash l3thash l3-source-destination-ip If Layer 2 hashing is preferred for Layer 3 traffic, disable the Layer 3 sip and dip hashing options and enable the useL2 option: CN 4093(config)# portchannel thash l3thash l3-use-l2-hash © Copyright Lenovo 2017 Chapter 9: Ports and Link Aggregation (LAG)
Page 166 Layer 3 traffic will then use Layer 2 options for hashing.  Ingress port number (disabled by default) CN 4093(config)# portchannel thash ingress Layer 4 port information (disabled by default)  CN 4093(config)# portchannel thash l4port When enabled, Layer 4 port information (TCP, UPD, etc.) is added to the hash if available. The L4port option is ignored when Layer 4 information is not included in the packet (such as for Layer 2 packets) or when the useL2 option is enabled. Note: For MPLS packets, Layer 4 port information is excluded from the hash calculation. Instead, other IP fields are used, along with the first two MPLS labels. The CN4093 supports the following FCoE hashing options: CN 4093(config)# portchannel thash fcoe cntag-id CN 4093(config)# portchannel thash fcoe destination-id CN 4093(config)# portchannel thash fcoe fabric-id CN 4093(config)# portchannel thash fcoe originator-id CN 4093(config)# portchannel thash fcoe responder-id CN 4093(config)# portchannel thash fcoe source-id...
Page 167: Link Aggregation Control Protocol
Admin key: a port’s admin key is an integer value (1 ‐ 65535) that you can configure in the CLI. Each CN4093 port that participates in the same LACP LAG must have the same admin key value. The admin key is locally significant, which means the partner switch does not need to use the same admin key value. For example, consider two switches, an Actor (the CN4093) and a Partner (another switch), as shown in Table Table 16. Actor vs. Partner LACP configuration Actor Switch Partner Switch 1 Port 38 (admin key = 100) Port 1 (admin key = 50) Port 39 (admin key = 100) Port 2 (admin key = 50) Port 40 (admin key = 100) Port 3 (admin key = 70) In the configuration shown in Table 16, Actor switch ports 38 and 39 aggregate to form an LACP LAG with Partner switch ports 1 and 2. Only ports with the same LAG ID are aggregated in the LAG. Actor switch port 40 is not aggregated in the LAG because it has a different LAG ID. Switch ports configured with the same admin key on the Actor switch but have a different LAG ID (due to Partner switch admin key configuration or due to partner switch MAC address being different) can be aggregated in another LAG i.e. Actor switch port 40 can be aggregated in another LAG with ports that have the same LAG ID as port 40. © Copyright Lenovo 2017 Chapter 9: Ports and Link Aggregation (LAG)
Page 168: Lacp Modes
To avoid the Actor switch ports (with the same admin key) from aggregating in another LAG, you can configure a LAG ID. Ports with the same admin key (although with different LAG IDs) compete to get aggregated in a LAG. The LAG ID for the LAG is decided based on the first port that is aggregated in the LAG. Ports with this LAG ID get aggregated and the other ports are placed in suspended mode. As per the configuration shown in Table 16, if port 38 gets aggregated first, then the LAG ID of port 38 would be the LAG ID of the LAG. Port 40 would be placed in suspended mode. When in suspended mode, a port transmits only LACP data units (LACPDUs) and discards all other traffic. A port may also be placed in suspended mode for the following reasons:  When LACP is configured on the port but it stops receiving LACPDUs from the partner switch.  When the port has a different LAG ID because of the partner switch MAC being different. For example: when a switch is connected to two partners. LAG ID can be configured using the following command: CN 4093(config)# portchannel <65‐128> lacp key <adminkey of the LAG> LACP provides for the controlled addition and removal of physical links for the link aggregation. LACP Modes Each port in the CN4093 can have one of the following LACP modes. off (default)  The user can configure this port in to a regular static LAG. active  The port is capable of forming a LACP LAG. This port sends LACPDU packets to partner system ports. passive  The port is capable of forming a LACP LAG. This port only responds to the LACPDU packets sent from a LACP active port.
Page 169: Lacp Individual
CN 4093(config-if)# no lacp suspend-individual This allows the selected ports to be treated as normal link‐up ports, which may forward data traffic according to STP, Hot Links or other applications, if they do not receive any LACPDUs. To configure the LACP individual setting for all the ports in a static LACP LAG, use the following commands: CN 4093(config-if)# interface portchannel lacp <LAG admin key> CN 4093(config-if)# [no] lacp suspend-individual Note: By default, ports are configured as below: external ports with lacp suspend-individual  internal ports with no lacp suspend-individual  © Copyright Lenovo 2017 Chapter 9: Ports and Link Aggregation (LAG)
Page 170: Configuring Lacp
Configuring LACP Use the following procedure to configure LACP for ports 7, 8 and 9 to participate in a single link aggregation. 1. Configure port parameters. All ports that participate in the LACP LAG must have the same settings, including VLAN membership. 2. Select the port range and define the admin key. Only ports with the same admin key can form a LACP LAG. CN 4093(config)# interface port 7-9 CN 4093(config-if)# lacp key 100 3. Set the LACP mode. CN 4093(config-if)# lacp mode active CN 4093(config-if)# exit 4. Optionally allow member ports to individually participate in normal data traffic if no LACPDUs are received. CN 4093(config-if)# no lacp suspend-individual CN 4093(config-if)# exit 5.
Page 171: Chapter 10. Spanning Tree Protocols
Chapter 10. Spanning Tree Protocols When multiple paths exist between two points on a network, Spanning Tree Protocol (STP), or one of its enhanced variants, can prevent broadcast loops and ensure that the CN4093 10 Gb Converged Scalable Switch (CN4093) uses only the most efficient network path. This chapter covers the following topics:  “Spanning Tree Protocol Modes” on page 172  “Global STP Control” on page 172  “PVRST Mode” on page 173  “Rapid Spanning Tree Protocol” on page 185  “Multiple Spanning Tree Protocol” on page 187 “Port Type and Link Type” on page 191  © Copyright Lenovo 2017...
Page 172: Spanning Tree Protocol Modes
Spanning Tree Protocol Modes Enterprise NOS 8.4 supports the following STP modes:  Rapid Spanning Tree Protocol (RSTP) IEEE 802.1D (2004) RSTP allows devices to detect and eliminate logical loops in a bridged or switched network. When multiple paths exist, STP configures the network so that only the most efficient path is used. If that path fails, STP automatically configures the best alternative active path on the network in order to sustain network operations. RSTP is an enhanced version of IEEE 802.1D (1998) STP, providing more rapid convergence of the Spanning Tree network path states on STG 1. See “Rapid Spanning Tree Protocol” on page 185 for details.  Per‐VLAN Rapid Spanning Tree (PVRST+) PVRST mode is based on RSTP to provide rapid Spanning Tree convergence, but supports instances of Spanning Tree, allowing one STG per VLAN. PVRST mode is compatible with Cisco R‐PVST/R‐PVST+ mode. PVRST is the default Spanning Tree mode on the CN4093. See “PVRST Mode” on page 173 for details.  Multiple Spanning Tree Protocol (MSTP) IEEE 802.1Q (2003) MSTP provides both rapid convergence and load balancing in a VLAN environment. MSTP allows multiple STGs, with multiple VLANs in each. See “Multiple Spanning Tree Protocol” on page 187 for details. Global STP Control By default, the Spanning Tree feature is globally enabled on the switch, and is set for PVRST mode. Spanning Tree (and thus any currently configured STP mode) can be globally disabled or re‐enabled using the following commands: (Globally disable Spanning Tree) CN 4093(config)# spanning-tree mode disable Spanning Tree can be re‐enabled by specifying the STP mode: ...
Page 173: Pvrst Mode
802.1Q tagging to differentiate STP BPDUs and is compatible with Cisco R‐PVST/R‐PVST+ modes. The relationship between ports, LAGs, VLANs and Spanning Trees is shown in Table Table 17. Ports, LAGs and VLANs Switch Element Belongs To Port LAG or one or more VLANs One or more VLANs VLAN (non‐default)  PVRST: One VLAN per STG  RSTP: All VLANs are in STG 1 MSTP: Multiple VLANs per STG  Port States The port state controls the forwarding and learning processes of Spanning Tree. In PVRST, the port state has been consolidated to the following: discarding, learning or forwarding. Due to the sequence involved in these STP states, considerable delays may occur while paths are being resolved. To mitigate delays, ports defined as edge ports (“Port Type and Link Type” on page 191) may bypass the discarding and learning states, and enter directly into the forwarding state. © Copyright Lenovo 2017 Chapter 10: Spanning Tree Protocols...
Page 174: Bridge Protocol Data Units
Bridge Protocol Data Units To create a Spanning Tree, the switch generates a configuration Bridge Protocol Data Unit (BPDU), which it then forwards out of its ports. All switches in the Layer 2 network participating in the Spanning Tree gather information about other switches in the network through an exchange of BPDUs. A bridge sends BPDU packets at a configurable regular interval (2 seconds by default). The BPDU is used to establish a path, much like a hello packet in IP routing. BPDUs contain information about the transmitting bridge and its ports, including bridge MAC addresses, bridge priority, port priority, and path cost. If the ports are tagged, each port sends out a special BPDU containing the tagged information. The generic action of a switch on receiving a BPDU is to compare the received BPDU to its own BPDU that it will transmit. If the priority of the received BPDU is better than its own priority, it will replace its BPDU with the received BPDU. Then, the switch adds its own bridge ID number and increments the path cost of the BPDU. The switch uses this information to block any necessary ports. Note: If STP is globally disabled, BPDUs from external devices will transit the switch transparently. If STP is globally enabled, for ports where STP is turned off, inbound BPDUs will instead be discarded. Determining the Path for Forwarding BPDUs When determining which port to use for forwarding and which port to block, the CN4093 uses information in the BPDU, including each bridge ID. A technique based on the “lowest root cost” is then computed to determine the most efficient path for forwarding. Bridge Priority The bridge priority parameter controls which bridge on the network is the STG root bridge. To make one switch become the root bridge, configure the bridge priority lower than all other switches and bridges on your network. The lower the value, the higher the bridge priority. Use the following command to configure the bridge priority: CN 4093(config)# spanning-tree stp <1‐128>...
Page 175: Port Priority
Loop Guard In general, STP resolves redundant network topologies into loop‐free topologies. The loop guard feature performs additional checking to detect loops that might not be found using Spanning Tree. STP loop guard ensures that a non‐designated port does not become a designated port. To globally enable loop guard, enter the following command: CN 4093(config)# spanning-tree loopguard Note: The global loop guard command will be effective on a port only if the port‐level loop guard command is set to default as shown below: CN 4093(config-if)# spanning-tree guard loop none To enable loop guard at the port level, enter the following command: CN 4093(config)# interface port <port alias or number> CN 4093(config-if)# spanning-tree guard loop The default state is “none”, i.e. disabled. © Copyright Lenovo 2017 Chapter 10: Spanning Tree Protocols...
Page 176: Port Path Cost
Port Path Cost The port path cost assigns lower values to high‐bandwidth ports, such as 10 Gigabit Ethernet, to encourage their use. The cost of a port also depends on whether the port operates at full‐duplex (lower cost) or half‐duplex (higher cost). For example, if a 100‐Mbps (Fast Ethernet) link has a “cost” of 10 in half‐duplex mode, it will have a cost of 5 in full‐duplex mode. The objective is to use the fastest links so that the route with the lowest cost is chosen. A value of 0 (the default) indicates that the default cost will be computed for an auto‐negotiated link or LAG speed. Use the following command to modify the port path cost: CN 4093(config)# interface port <port alias or number> CN 4093(config-if)# spanning-tree stp <1‐128> path-cost <path cost value> CN 4093(config-if)# exit The port path cost can be a value from 1 to 200000000. Specify 0 for automatic path cost. Simple STP Configuration Figure 11 depicts a simple topology using a switch‐to‐switch link between two switches (via either external ports or internal Inter‐Switch Links). Figure 11. Spanning Tree Blocking a Switch‐to‐Switch Link Enterprise Routing Switches Switch 1 Switch 2...
Page 177 Switches Switch 1 Switch 2 Restores Link Server Server Server Server In this example, port 10 on each switch is used for the switch‐to‐switch link. To ensure that the CN4093 switch‐to‐switch link is blocked during normal operation, the port path cost is set to a higher value than other paths in the network. To configure the port path cost on the switch‐to‐switch links in this example, use the following commands on each switch. CN 4093(config)# interface port 10 CN 4093(config-if)# spanning-tree stp 1 path-cost 60000 CN 4093(config-if)# exit © Copyright Lenovo 2017 Chapter 10: Spanning Tree Protocols...
Page 178: Per-Vlan Spanning Tree Groups
Per-VLAN Spanning Tree Groups PVRST mode supports a maximum of 128 STGs, with each STG acting as an independent, simultaneous instance of STP. Multiple STGs provide multiple data paths which can be used for load‐balancing and redundancy. To enable load balancing between two CN4093s using multiple STGs, configure each path with a different VLAN and then assign each VLAN to a separate STG. Since each STG is independent, they each send their own IEEE 802.1Q tagged Bridge Protocol Data Units (BPDUs). Each STG behaves as a bridge group and forms a loop‐free topology. The default STG 1 may contain multiple VLANs (typically until they can be assigned to another STG). STGs 2‐128 may contain only one VLAN each. Using Multiple STGs to Eliminate False Loops Figure 13 shows a simple example of why multiple STGs are needed. In the figure, two ports on a CN4093 are connected to two ports on an application switch. Each of the links is configured for a different VLAN, preventing a network loop. However, in the first network, since a single instance of Spanning Tree is running on all the ports of the CN4093, a physical loop is assumed to exist, and one of the VLANs is blocked, impacting connectivity even though no actual loop exists. Figure 13. Using Multiple Instances of Spanning Tree Group Switch 1 Switch 2 STG 1 STG 2 False VLAN 1 VLAN 30...
Page 179: Vlan And Stg Assignment
By default, all other STGs (STG 2 through 127) are enabled, though they initially include no member VLANs. VLANs must be assigned to STGs. By default, this is done automatically using VLAN Automatic STG Assignment (VASA), though it can also be done manually (see “Manually Assigning STGs” on page 180). When VASA is enabled (as by default), each time a new VLAN is configured, the switch will automatically assign that new VLAN to its own STG. Conversely, when a VLAN is deleted, if its STG is not associated with any other VLAN, the STG is returned to the available pool. The specific STG number to which the VLAN is assigned is based on the VLAN number itself. For low VLAN numbers (1 through 127), the switch will attempt to assign the VLAN to its matching STG number. For higher numbered VLANs, the STG assignment is based on a simple modulus calculation; the attempted STG number will “wrap around,” starting back at the top of STG list each time the end of the list is reached. However, if the attempted STG is already in use, the switch will select the next available STG. If an empty STG is not available when creating a new VLAN, the VLAN is automatically assigned to default STG 1. If ports are tagged, each tagged port sends out a special BPDU containing the tagged information. Also, when a tagged port belongs to more than one STG, the egress BPDUs are tagged to distinguish the BPDUs of one STG from those of another STG. VASA is enabled by default, but can be disabled or re‐enabled using the following command: CN 4093(config)# [no] spanning-tree stg-auto If VASA is disabled, when you create a new VLAN, that VLAN automatically belongs to default STG 1. To place the VLAN in a different STG, assign it manually. VASA applies only to PVRST mode and is ignored in RSTP and MSTP modes. © Copyright Lenovo 2017 Chapter 10: Spanning Tree Protocols...
Page 180: Manually Assigning Stgs
Manually Assigning STGs The administrator may manually assign VLANs to specific STGs, whether or not VASA is enabled. If no VLANs exist (other than default VLAN 1), see “Guidelines for Creating VLANs” on page 180 for information about creating VLANs and assigning ports to them. 2. Assign the VLAN to an STG using one of the following methods: From the global configuration mode:  CN 4093(config)# spanning-tree stp <1‐128> vlan <VLAN> Or from within the VLAN configuration mode:  CN 4093(config)# vlan <VLAN number> CN 4093(config-vlan)# stg <STG number> CN 4093(config-vlan)# exit When a VLAN is assigned to a new STG, the VLAN is automatically removed from its prior STG. Note: For proper operation with switches that use Cisco PVST+, it is recommended that you create a separate STG for each VLAN. Guidelines for Creating VLANs ...
Page 181: Adding And Removing Ports From Stgs
VLAN is 3. Confirm changing PVID/Native VLAn from 3 to 1 [y/n]:" y  When you remove a port from VLAN that belongs to an STG, that port will also be removed from the STG. However, if that port belongs to another VLAN in the same STG, the port remains in the STG. As an example, assume that port 2 belongs to only VLAN 2, and that VLAN 2 belongs to STG 2. When you remove port 2 from VLAN 2, the port is moved to default VLAN 1 and is removed from STG 2. However, if port 2 belongs to both VLAN 1 and VLAN 2, and both VLANs belong to STG 1, removing port 2 from VLAN 2 does not remove port 2 from STG 1, because the port is still a member of VLAN 1, which is still a member of STG 1.  An STG cannot be deleted, only disabled. If you disable the STG while it still contains VLAN members, Spanning Tree will be off on all ports belonging to that VLAN. The relationship between port, LAGs, VLANs and Spanning Trees is shown in Table 17 on page 173. © Copyright Lenovo 2017 Chapter 10: Spanning Tree Protocols...
Page 182: Switch-Centric Configuration
Switch-Centric Configuration PVRST is switch‐centric: STGs are enforced only on the switch where they are configured. The STG ID is not transmitted in the Spanning Tree BPDU. Each Spanning Tree decision is based entirely on the configuration of the particular switch. For example, in Figure 14, though VLAN 2 is shared by the Switch A and Switch B, each switch is responsible for the proper configuration of its own ports, VLANs, and STGs. Switch A identifies its own port 17 as part of VLAN 2 on STG 2, and the Switch B identifies its own port 8 as part of VLAN 2 on STG 2. Figure 14. Implementing Multiple Spanning Tree Groups Chassis Application Switch A Switch B STG 2 VLAN 2 STG 3 VLAN 3 STG 1 VLAN 1 Application Application Switch C Switch D The VLAN participation for each Spanning Tree Group in Figure 14 on page 182 is ...
Page 183: Configuring Multiple Stgs
CN 4093(config-vlan)# exit CN 4093(config)# interface port 8 CN 4093(config-if)# switchport mode trunk CN 4093(config-if)# exit If VASA is disabled, enter the following command: CN 4093(config)# spanning-tree stp 2 vlan 2 © Copyright Lenovo 2017 Chapter 10: Spanning Tree Protocols...
Page 184 VLAN 2 is automatically removed from STG 1. By default VLAN 1 remains in STG 1. 4. Configure the following on application switch C: Add port 8 to VLAN 3. Ports 1 and 2 are by default in VLAN 1 assigned to STG 1. CN 4093(config)# vlan 3 CN 4093(config-vlan)# stg 3 CN 4093(config-vlan)# exit CN 4093(config)# interface port 8 CN 4093(config-if)# switchport mode trunk CN 4093(config-if)# exit If VASA is disabled, enter the following command: CN 4093(config)# spanning-tree stp 3 vlan 3 VLAN 3 is automatically removed from STG 1. By default VLAN 1 remains in STG 1.
Page 185: Rapid Spanning Tree Protocol
IEEE 802.1D (2004), superseding the original STP standard. RSTP parameters apply only to Spanning Tree Group (STG) 1. The PVRST mode STGs 2‐128 are not used when the switch is placed in RSTP mode.RSTP is compatible with devices that run IEEE 802.1D (1998) Spanning Tree Protocol. If the switch detects IEEE 802.1D (1998) BPDUs, it responds with IEEE 802.1D (1998)‐compatible data units. RSTP is not compatible with Per‐VLAN Rapid Spanning Tree (PVRST) protocol. Note: In RSTP mode, Spanning Tree for the management ports is turned off by default. Port States RSTP port state controls are the same as for PVRST: discarding, learning and forwarding. Due to the sequence involved in these STP states, considerable delays may occur while paths are being resolved. To mitigate delays, ports defined as edge ports (“Port Type and Link Type” on page 191) may bypass the discarding and learning states, and enter directly into the forwarding state. RSTP Configuration Guidelines This section provides important information about configuring RSTP. When RSTP is turned on, the following occurs:  STP parameters apply only to STG 1.  Only STG 1 is available. All other STGs are turned off.  All VLANs, including management VLANs, are moved to STG 1. © Copyright Lenovo 2017 Chapter 10: Spanning Tree Protocols...
Page 186: Rstp Configuration Example
RSTP Configuration Example This section provides steps to configure RSTP. 1. Configure port and VLAN membership on the switch. 2. Set the Spanning Tree mode to Rapid Spanning Tree. CN 4093(config)# spanning-tree mode rstp 3. Configure RSTP parameters. CN 4093(config)# spanning-tree stp 1 bridge priority 8192 CN 4093(config)# spanning-tree stp 1 bridge hello-time 5 CN 4093(config)# spanning-tree stp 1 bridge forward-delay 20 CN 4093(config)# spanning-tree stp 1 bridge maximum-age 30 CN 4093(config)# no spanning-tree stp 1 enable 4.
Page 187: Multiple Spanning Tree Protocol
Type and Link Type” on page 191) bypass the Discarding and Learning states, and enter directly into the Forwarding state. Note: In MSTP mode, Spanning Tree for the management ports is turned off by default. MSTP Region A group of interconnected bridges that share the same attributes is called an MST region. Each bridge within the region must share the following attributes:  Alphanumeric name Revision number   VLAN‐to STG mapping scheme MSTP provides rapid re‐configuration, scalability and control due to the support of regions, and multiple Spanning‐Tree instances support within each region. Common Internal Spanning Tree The Common Internal Spanning Tree (CIST) provides a common form of Spanning Tree Protocol, with one Spanning‐Tree instance that can be used throughout the MSTP region. CIST allows the switch to interoperate with legacy equipment, including devices that run IEEE 802.1D (1998) STP. CIST allows the MSTP region to act as a virtual bridge to other bridges outside of the region, and provides a single Spanning‐Tree instance to interact with them. CIST port configuration includes Hello time, Edge port enable/disable, and Link Type. These parameters do not affect Spanning Tree Groups 1–32. They apply only when the CIST is used. © Copyright Lenovo 2017 Chapter 10: Spanning Tree Protocols...
Page 188: Mstp Configuration Guidelines
MSTP Configuration Guidelines This section provides important information about configuring Multiple Spanning Tree Groups: When MSTP is turned on, the switch automatically moves management VLAN  4095 to the CIST. When MSTP is turned off, the switch moves VLAN 4095 from the CIST to Spanning Tree Group 128.  When you enable MSTP, you must configure the Region Name. A default version number of 0 is configured automatically. Each bridge in the region must have the same name, version number and VLAN  mapping. MSTP Configuration Examples MSTP Configuration Example 1 This section provides steps to configure MSTP on the CN4093. 1. Configure port and VLAN membership on the switch. 2. Configure Multiple Spanning Tree region parameters and set the mode to MSTP. CN 4093(config)# spanning-tree mst configuration (Enter MST configuration mode) CN 4093(config-mst)# name <name> (Define the Region name) CN 4093(config-mst)# revision 100 (Define the Revision level) CN 4093(config-mst)# exit CN 4093(config)# spanning-tree mode mst (Set mode to Multiple Spanning Trees) 3.
Page 189: Mstp Configuration Example 2
CN 4093(config-if)# switchport mode trunk CN 4093(config-if)# exit 2. Configure MSTP: Spanning Tree mode, region name, and version. CN 4093(config)# spanning-tree mst configuration CN 4093(config-mst)# name MyRegion (Define the Region name) CN 4093(config-mst)# revision 100 (Define the Revision level) CN 4093(config-mst)# exit CN 4093(config)# spanning-tree mode mst (Set mode to Multiple Spanning Trees) © Copyright Lenovo 2017 Chapter 10: Spanning Tree Protocols...
Page 190 3. Map VLANs to MSTP instances: CN 4093(config)# spanning-tree mst configuration CN 4093(config-mst)# instance 1 vlan 1 CN 4093(config-mst)# instance 2 vlan 2 4. Configure port membership and define the STGs for VLAN 2. Add server ports 3, 4 and 5 to VLAN 2. Add uplink ports 19 and 20 to VLAN 2. Assign VLAN 2 to STG 2. CN 4093(config)# interface port 3,4,5,19,20 CN 4093(config-if)# switchport access vlan 2 CN 4093(config-if)# exit Note: Each STG is enabled by default. CN4093 Application Guide for N/OS 8.4...
Page 191: Port Type And Link Type
Link Type The link type determines how the port behaves in regard to Rapid Spanning Tree. Use the following commands to define the link type for the port: CN 4093(config)# interface port <port> CN 4093(config-if)# [no] spanning-tree link-type <type> CN 4093(config-if)# exit where type corresponds to the duplex mode of the port, as follows:  A full‐duplex link to another device (point‐to‐point) shared  A half‐duplex link is a shared segment and can contain more than one device. auto  The switch dynamically configures the link type. Note: Any STP port in full‐duplex mode can be manually configured as a shared port when connected to a non‐STP‐aware shared device (such as a typical Layer 2 switch) used to interconnect multiple STP‐aware devices. © Copyright Lenovo 2017 Chapter 10: Spanning Tree Protocols...
Page 192 CN4093 Application Guide for N/OS 8.4...
Page 193: Chapter 11. Virtual Link Aggregation Groups
Peers Layer STP blocks Links remain VLAGs implicit loops active Access Layer Servers As shown in the example, a switch in the access layer may be connected to more than one switch in the aggregation layer to provide for network redundancy. Typically, Spanning Tree Protocol (RSTP, PVRST, or MSTP—see “Spanning Tree Protocols” on page 171) is used to prevent broadcast loops, blocking redundant uplink paths. This has the unwanted consequence of reducing the available bandwidth between the layers by as much as 50%. In addition, STP may be slow to resolve topology changes that occur during a link failure, and can result in considerable MAC address flooding. Using Virtual Link Aggregation Groups (VLAGs), the redundant uplinks remain active, utilizing all available bandwidth. Two switches are paired into VLAG peers, and act as a single virtual entity for the purpose of establishing a multi‐port aggregation. Ports from both peers can be grouped into a VLAG and connected to the same LAG‐capable target device. From the perspective of the target device, the ports connected to the VLAG peers appear to be a single LAG connecting to a single logical device. The target device uses the configured Tier ID to identify the VLAG peers as this single logical device. It is important that you use a unique Tier ID for each VLAG pair you configure. The VLAG‐capable switches synchronize their logical view of the access layer port structure and internally prevent implicit loops. The VLAG topology also responds more quickly to link failure and does not result in unnecessary MAC flooding. VLAGs are also useful in multi‐layer environments for both uplink and downlink redundancy to any regular LAG‐capable device. For example: © Copyright Lenovo 2017...
Page 194 Figure 17. VLAG Application with Multiple Layers Layer 2/3 Border LACP-capable Routers VLAG 5 VLAG 6 Layer 2 Region VLAG with multiple levels Peers C VLAG 3 VLAG 3 VLAG 4 VLAG VLAG Peers A Peers B VLAG 1 VLAG 2 LACP-capable Switch LACP-capable Server Servers Wherever ports from both peered switches are aggregated to another device, the ...
Page 195 In addition, when used with VRRP, VLAGs can provide seamless active‐active failover for network links. For example: Figure 18. VLAG Application with VRRP VLAG Peers VRRP VRRP VLAG Master Backup Active Server Traffic Flows Note: VLAG is not compatible with UFP vPorts on the same ports. © Copyright Lenovo 2017 Chapter 11: Virtual Link Aggregation Groups...
Page 196: Vlag Capacities
VLAG Capacities Servers or switches that connect to the VLAG peers using a multi‐port VLAG are considered VLAG clients. VLAG clients are not required to be VLAG‐capable. The ports participating in the VLAG are configured as regular port LAGs on the VLAG client end. On the VLAG peers, the VLAGs are configured similarly to regular port LAGs, using many of the same features and rules. See “Ports and Link Aggregation (LAG)” on page 157 for general information concerning all port LAGs. Each VLAG begins as a regular port LAG on each VLAG‐peer switch. The VLAG may be either a static LAG (portchannel) or dynamic LACP LAG and consumes one slot from the overall port LAG capacity pool. The type of aggregation must match that used on VLAG client devices. Additional configuration is then required to implement the VLAG on both VLAG peer switches. You may configure up to 52 LAGs on the switch, with all types (regular or VLAG, static or LACP) sharing the same pool. The maximum number of configurable VLAG instances is as follows: With STP off: Maximum of 31 VLAG instances   With STP on: PVRST/MSTP with one VLAG instance per VLAN/STG: Maximum of 31  VLAG instances PVRST/MSTP with one VLAG instance belonging to multiple  VLANs/STGs: Maximum of 20 VLAG instances Note: VLAG is not supported in RSTP mode. Each type of aggregation can contain up to 24 member ports, depending on the port type and availability. CN4093 Application Guide for N/OS 8.4...
Page 197: Vlags Versus Port Lags
 A VLAG can consist of multiple ports on two VLAG peers, which are connected to one logical client device such as a server, switch or another VLAG device.  The participating ports on the client device are configured as a regular port LAG.  The VLAG peers must be the same model and run the same software version.  VLAG peers require a dedicated inter‐switch link (ISL) for synchronization. The ports used to create the ISL must have the following properties: ISL ports must have VLAN tagging turned on.  ISL ports must be configured for all VLAG VLANs.  ISL ports must be placed into a regular port LAG (dynamic or static).  A minimum of two ports on each switch are recommended for ISL use.  Dynamic routing protocols, such as OSPF, cannot terminate on VLAGs.   Routing over VLAGs is not supported. However, IP forwarding between subnets served by VLAGs can be accomplished using VRRP.  VLAGs are configured using additional commands.  It is recommended that end‐devices connected to VLAG switches use NICs with dual‐homing. This increases traffic efficiency, reduces ISL load and provides faster link failover. © Copyright Lenovo 2017 Chapter 11: Virtual Link Aggregation Groups...
Page 198: Configuring Vlags
Configuring VLAGs When configuring VLAG or making changes to your VLAG configuration, consider the following VLAG behavior:  When adding a static Mrouter on VLAG links, ensure that you also add it on the ISL link to avoid VLAG link failure. If the VLAG link fails, traffic cannot be recovered through the ISL. Also, make sure you add the same static entry on the peer VLAG switch for VLAG ports. When you enable VLAG on the switch, if a MSTP region mismatch is detected  with the VLAG peer, the ISL will shut down. In such a scenario, correct the region on the VLAG peer and manually enable the ISL.  If you have enabled VLAG on the switch, and you need to change the STP mode, ensure that you first disable VLAG and then change the STP mode. When VLAG is enabled, you may see two root ports on the secondary VLAG  switch. One of these will be the actual root port for the secondary VLAG switch and the other will be a root port synced with the primary VLAG switch.  The LACP key used must be unique for each VLAG in the entire topology.  The STG to VLAN mapping on both VLAG peers must be identical. The following parameters must be identically configured on the VLAG ports of both the VLAG peers:  VLANs Native VLAN tagging   Native VLAN/PVID STP mode   BPDU Guard setting STP port setting   MAC aging timers Static MAC entries ...
Page 199: Basic Vlag Configuration
Mgmt IP: 10.10.10.2/24 LACP 200 VLAN 4094 VLAG 1 VLAG 2 LACP 1000 LACP 2000 VLAN 100 VLAN 100 Client Switch Client Switch In this example, each client switch is connected to both VLAG peers. On each client switch, the ports connecting to the VLAG peers are configured as a dynamic LACP port LAG. The VLAG peer switches share a dedicated ISL for synchronizing VLAG information. On the individual VLAG peers, each port leading to a specific client switch (and part of the client switch’s port LAG) is configured as a VLAG. In the following example configuration, only the configuration for VLAG 1 on VLAG Peer 1 is shown. VLAG Peer 2 and all other VLAGs are configured in a similar fashion. © Copyright Lenovo 2017 Chapter 11: Virtual Link Aggregation Groups...
Page 200: Configure The Isl
Configure the ISL The ISL connecting the VLAG peers is shared by all their VLAGs. The ISL needs to be configured only once on each VLAG peer. 1. Configure STP if required. Use PVRST or MSTP mode only: CN 4093(config)# spanning-tree mode pvrst 2. Configure the ISL ports and place them into a LAG (dynamic or static): CN 4093(config)# interface port 1-2 CN 4093(config-if)# switchport mode trunk CN 4093(config-if)# lacp mode active CN 4093(config-if)# lacp key 200 CN 4093(config-if)# exit CN 4093(config)# vlag isl adminkey 200 Notes: ...
Page 201: Configure The Vlag
CN 4093(config-if)# lacp key 1000 CN 4093(config-if)# exit 3. Assign the LAG to the VLAG: CN 4093(config)# vlag adminkey 1000 enable 4. Continue by configuring all required VLAGs on VLAG Peer 1 and then repeat the configuration for VLAG Peer 2. For each corresponding VLAG on the peer, the port LAG type (dynamic or static), the port’s VLAN, and STP mode and ID must be the same as on VLAG Peer 1. 5. Enable VLAG globally. CN 4093(config)# vlag enable 6. Verify the completed configuration: CN 4093(config)# show vlag information © Copyright Lenovo 2017 Chapter 11: Virtual Link Aggregation Groups...
Page 202: Vlag Configuration - Vlans Mapped To Msti
VLAG Configuration - VLANs Mapped to MSTI Follow the steps in this section to configure VLAG in environments where the STP mode is MSTP and no previous VLAG was configured. Configure the ISL The ISL connecting the VLAG peers is shared by all their VLAGs. The ISL needs to be configured only once on each VLAG peer. Ensure you have the same region name, revision and VLAN‐to‐STG mapping on both VLAG switches. 1. Configure STP: CN 4093(config)# spanning-tree mode mst 2. Configure the ISL ports and place them into a portchannel (dynamic or static): CN 4093(config)# interface port 1-2 CN 4093(config-if)# switchport mode trunk CN 4093(config-if)# lacp mode active CN 4093(config-if)# lacp key 200 CN 4093(config-if)# exit CN 4093(config)# vlag isl adminkey 200 Note:...
Page 203: Configure The Vlag
CN 4093(config-if)# lacp key 1000 CN 4093(config-if)# exit CN 4093(config)# vlag adminkey 1000 enable 4. Enable VLAG: CN 4093(config)# vlag enable 5. Continue by configuring all required VLAGs on VLAG Peer 1, and then follow the steps for configuring VLAG Peer 2. For each corresponding VLAG on the peer, the port LAG type (dynamic or static), the port’s VLAN and STP mode and ID must be the same as on VLAG Peer 1. 6. Verify the completed configuration: CN 4093# show vlag information © Copyright Lenovo 2017 Chapter 11: Virtual Link Aggregation Groups...
Page 204: Configuring Health Check
Configuring Health Check We strongly recommend that you configure the CN4093 to check the health status of its VLAG peer. Although the operational status of the VLAG peer is generally determined via the ISL connection, configuring a network health check provides an alternate means to check peer status in case the ISL links fail. Use an independent link between the VLAG switches to configure health check. Note: Configuring health check on an ISL VLAN interface or on a VLAG data port may impact the accuracy of the health check status. 1. Configure a management interface for the switch. Note: If the switch does not have a dedicated management interface, configure a VLAN for the health check interface. The health check interface can be configured with an IPv4 or IPv6 address: CN 4093(config)# interface ip 127 CN 4093(config-ip-if)# ip address 10.10.10.1 255.255.255.0 CN 4093(config-ip-if)# enable CN 4093(config-ip-if)# exit Note: Configure a similar interface on VLAG Peer 2. For example, use IP address 10.10.10.2. 2. Specify the IPv4 or IPv6 address of the VLAG Peer: CN 4093(config)# vlag hlthchk peer-ip 10.10.10.2 Note: For VLAG Peer 2, the management interface would be configured as ...
Page 205: Vlags With Vrrp
CN 4093(config-router-ospf)# enable CN 4093(config-router-ospf)# exit Although OSPF is used in this example, static routing could also be deployed. For more information, see “OSPF” on page 467 or “Basic IP Routing” on page 393. 3. Configure a server‐facing interface. CN 4093(config)# interface ip 3 CN 4093(config-ip-if)# ip address 10.0.1.10 255.255.255.0 CN 4093(config-ip-if)# vlan 100 CN 4093(config-ip-if)# exit © Copyright Lenovo 2017 Chapter 11: Virtual Link Aggregation Groups...
Page 206 4. Turn on VRRP and configure the Virtual Interface Router. CN 4093(config)# router vrrp CN 4093(config-vrrp)# enable CN 4093(config-vrrp)# virtual-router 1 virtual-router-id 1 CN 4093(config-vrrp)# virtual-router 1 interface 3 CN 4093(config-vrrp)# virtual-router 1 address 10.0.1.100 CN 4093(config-vrrp)# virtual-router 1 enable 5. Set the priority of Virtual Router 1 to 101, so that it becomes the Master. CN 4093(config-vrrp)# virtual-router 1 priority 101 CN 4093(config-vrrp)# exit 6.
Page 207 CN 4093(config-if)# lacp key 1200 CN 4093(config-if)# exit 12. Assign the LAGs to the VLAGs: CN 4093(config)# vlag adminkey 1000 enable CN 4093(config)# vlag adminkey 1100 enable CN 4093(config)# vlag adminkey 1200 enable 13. Verify the completed configuration: CN 4093(config)# show vlag © Copyright Lenovo 2017 Chapter 11: Virtual Link Aggregation Groups...
Page 208: Configure Vlag Peer 2
Configure VLAG Peer 2 The VLAG peer (VLAG Peer 2) must be configured using the same ISL aggregation type (dynamic or static), the same VLAN and the same STP mode and Tier ID used on VLAG Switch 1. For each corresponding VLAG on the peer, the port LAG type (dynamic or static), VLAN and STP mode and ID must be the same as on VLAG Switch 1. 1. Configure VLAG tier ID and enable VLAG globally. CN 4093(config)# vlag tier-id 10 CN 4093(config)# vlag enable 2. Configure appropriate routing. CN 4093(config)# router ospf CN 4093(config-router-ospf)# area 1 area-id 0.0.0.1 CN 4093(config-router-ospf)# enable CN 4093(config-router-ospf)# exit Although OSPF is used in this example, static routing could also be deployed. 3. Configure a server‐facing interface. CN 4093(config)# interface ip 3 CN 4093(config-ip-if)# ip address 10.0.1.11 255.255.255.0 CN 4093(config-ip-if)# vlan 100...
Page 209 CN 4093(config)# interface ip 2 CN 4093(config-ip-if)# ip address 172.1.4.12 255.255.255.0 CN 4093(config-ip-if)# vlan 40 CN 4093(config-ip-if)# enable CN 4093(config-ip-if)# ip ospf area 1 CN 4093(config-ip-if)# ip ospf enable CN 4093(config-ip-if)# exit © Copyright Lenovo 2017 Chapter 11: Virtual Link Aggregation Groups...
Page 210 10. Place the VLAG port(s) in their port LAGs: CN 4093(config)# interface port 10 CN 4093(config-if)# lacp mode active CN 4093(config-if)# lacp key 1000 CN 4093(config-if)# exit CN 4093(config)# interface port 11 CN 4093(config-if)# lacp mode active CN 4093(config-if)# lacp key 1100 CN 4093(config-if)# exit CN 4093(config)# interface port 12 CN 4093(config-if)# lacp mode active CN 4093(config-if)# lacp key 1200 CN 4093(config-if)# exit...
Page 211: Two-Tier Vlags With Vrrp
1. vLAG VRRP Active (Full Active‐Active) mode In active mode, Layer 3 traffic is forwarded in all vLAG related VRRP domains. To enable vLAG VRRP active mode on a switch, use the following command: CN 4093(config)# vlag vrrp active Note: This is the default vLAG VRRP mode. 2. vLAG VRRP Passive (Half Active‐Active) mode In passive mode, Layer 3 traffic is forwarded in a vLAG related VRRP domain only if either the switch or its peer virtual router is the VRRP master. To enable vLAG VRRP passive mode on a switch, use the following command: CN 4093(config)# no vlag vrrp active To verify the currently configured vLAG VRRP mode you can use the following command: CN 4093(config)# show vlag vrrp © Copyright Lenovo 2017 Chapter 11: Virtual Link Aggregation Groups...
Page 212: Configuring Vlags In Multiple Layers
Configuring VLAGs in Multiple Layers Figure 21 shows an example of VLAG being used in a multi‐layer environment. Following are the configuration steps for the topology. Figure 21. VLAG in Multiple Layers Layer 2/3 Border LACP-capable Routers VLAG 5 VLAG 6 Layer 2 Region VLAG with multiple levels Peers C Switch A Switch B VLAG 3 VLAG 3 VLAG 4 VLAG VLAG Peers A Switch C...
Page 213 CN 4093(config-if)# switchport mode trunk CN 4093(config-if)# exit CN 4093(config)# interface port 6 CN 4093(config-if)# lacp key 500 CN 4093(config-if)# lacp mode active CN 4093(config-if)# exit CN 4093(config)# vlag adminkey 500 enable Repeat these steps on Switch B for ports connecting to Layer 2/3 router 2. © Copyright Lenovo 2017 Chapter 11: Virtual Link Aggregation Groups...
Page 214 5. Configure ports on Switch A connecting to downstream VLAG switches C and D. CN 4093(config)# vlan 20 CN 4093(config-vlan)# exit CN 4093(config)# interface port 10,11 CN 4093(config-if)# switchport mode trunk CN 4093(config-if)# lacp key 600 CN 4093(config-if)# lacp mode active CN 4093(config-if)# exit CN 4093(config)# vlag adminkey 600 enable Repeat these steps on Switch B for ports connecting to downstream VLAG switch C and D. 6.
Page 215: Chapter 12. Quality Of Service
By assigning QoS levels to traffic flows on your network, you can ensure that network resources are allocated where they are needed most. QoS features allow you to prioritize network traffic, thereby providing better service for selected applications. Figure 22 on page 215 shows the basic QoS model used by the CN4093 10 Gb Converged Scalable Switch. Figure 22. QoS Model Ports Perform Queue and Egress Ingress Classify Meter Actions Schedule Packets Traffic Drop/Pass/ Filter Meter Re-Mark Queue The CN4093 uses the Differentiated Services (DiffServ) architecture to provide QoS functions. DiffServ is described in IETF RFC 2474 and RFC 2475. With DiffServ, you can establish policies for directing traffic. A policy is a traffic‐controlling mechanism that monitors the characteristics of the traffic (for example, its source, destination, and protocol) and performs a controlling action on the traffic when certain characteristics are matched. © Copyright Lenovo 2017...
Page 216 The CN4093 can classify traffic by reading the DiffServ Code Point (DSCP) or IEEE 802.1p priority value, or by using filters to match specific criteria. When network traffic attributes match those specified in a traffic pattern, the policy instructs the CN4093 to perform specified actions on each packet that passes through it. The packets are assigned to different Class of Service (COS) queues and scheduled for transmission. The basic CN4093 QoS model works as follows:  Classify traffic: Read DSCP  Read 802.1p Priority  Match ACL filter parameters   Meter traffic: Define bandwidth and burst parameters  Select actions to perform on in‐profile and out‐of‐profile traffic  Perform actions:  Drop packets  Pass packets  Mark DSCP or 802.1p Priority  Set COS queue (with or without re‐marking)  Queue and schedule traffic:  Place packets in one of the available COS queues  Schedule transmission based on the COS queue weight  CN4093 Application Guide for N/OS 8.4...
Page 217: Using Acl Filters
Packet format—Ethernet format, tagging format, IPv4, IPv6  Egress port For ACL details, see “Access Control Lists” on page 121. Summary of ACL Actions Actions determine how the traffic is treated. The CN4093 QoS actions include the following:  Pass or Drop the packet  Re‐mark the packet with a new DiffServ Code Point (DSCP)  Re‐mark the 802.1p field  Set the COS queue ACL Metering and Re-Marking You can define a profile for the aggregate traffic flowing through the CN4093 by configuring a QoS meter (if desired) and assigning ACL Groups to ports. When you add ACL Groups to a port, make sure they are ordered correctly in terms of precedence. Actions taken by an ACL are called In‐Profile actions. You can configure additional In‐Profile and Out‐of‐Profile actions on a port. Data traffic can be metered, and re‐marked to ensure that the traffic flow provides certain levels of service in terms of bandwidth for different types of network traffic. © Copyright Lenovo 2017 Chapter 12: Quality of Service...
Page 218: Metering
Metering QoS metering provides different levels of service to data streams through user‐configurable parameters. A meter is used to measure the traffic stream against a traffic profile which you create. Thus, creating meters yields In‐Profile and Out‐of‐Profile traffic for each ACL, as follows:  In‐Profile–If there is no meter configured or if the packet conforms to the meter, the packet is classified as In‐Profile. Out‐of‐Profile–If a meter is configured and the packet does not conform to the  meter (exceeds the committed rate or maximum burst rate of the meter), the packet is classified as Out‐of‐Profile. Note: Metering is not supported for IPv6 ACLs. All traffic matching an IPv6 ACL is considered in‐profile for re‐marking purposes. Using meters, you set a Committed Rate in Kbps (1000 bits per second in each Kbps). All traffic within this Committed Rate is In‐Profile. Additionally, you can set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period. These parameters define the In‐Profile traffic. Meters keep the sorted packets within certain parameters. You can configure a meter on an ACL, and perform actions on metered traffic, such as packet re‐marking. Re-Marking Re‐marking allows for the treatment of packets to be reset based on new network specifications or desired levels of service. You can configure the ACL to re‐mark a packet as follows: Change the DSCP value of a packet, used to specify the service level traffic  should receive.  Change the 802.1p priority of a packet. CN4093 Application Guide for N/OS 8.4...
Page 219: Using Dscp Values To Provide Qos
Differentiated Services Concepts To differentiate between traffic flows, packets can be classified by their DSCP value. The Differentiated Services (DS) field in the IP header is an octet, and the first six bits, called the DS Code Point (DSCP), can provide QoS functions. Each packet carries its own QoS state in the DSCP. There are 64 possible DSCP values (0‐63). Figure 23. Layer 3 IPv4 Packet Version Length Offset Proto Data Length Differentiated Services Code Point (DSCP) unused The CN4093 can perform the following actions to the DSCP:  Read the DSCP value of ingress packets  Re‐mark the DSCP value to a new value  Map the DSCP value to an 802.1p priority Once the DSCP value is marked, the CN4093 can use it to direct traffic prioritization. © Copyright Lenovo 2017 Chapter 12: Quality of Service...
Page 220: Per-Hop Behavior
Per-Hop Behavior The DSCP value determines the Per Hop Behavior (PHB) of each packet. The PHB is the forwarding treatment given to packets at each hop. QoS policies are built by applying a set of rules to packets, based on the DSCP value, as they hop through the network. The CN4093 default settings are based on the following standard PHBs, as defined in the IEEE standards:  Expedited Forwarding (EF)—This PHB has the highest egress priority and lowest drop precedence level. EF traffic is forwarded ahead of all other traffic. EF PHB is described in RFC 2598.  Assured Forwarding (AF)—This PHB contains four service levels, each with a different drop precedence, as shown below. Routers use drop precedence to determine which packets to discard last when the network becomes congested. AF PHB is described in RFC 2597. Drop Precedence Class 1 Class 2 Class 3 Class 4 AF11 AF21 AF31 AF41 (DSCP 10) (DSCP 18) (DSCP 26) (DSCP 34) Medium AF12 AF22 AF32 AF42 (DSCP 12) (DSCP 20) (DSCP 28)
Page 221: Qos Levels
CN 4093(config)# show qos dscp Current DSCP Remarking Configuration: OFF DSCP New DSCP New 802.1p Prio -------- -------- --------------- Use the following command to turn on DSCP re‐marking globally: CN 4093(config)# qos dscp re-marking Then you must enable DSCP re‐marking on any port that you wish to perform this function. Note: If an ACL meter is configured for DSCP re‐marking, the meter function takes precedence over QoS re‐marking. © Copyright Lenovo 2017 Chapter 12: Quality of Service...
Page 222: Dscp Re-Marking Configuration Example 1
DSCP Re-Marking Configuration Example 1 The following example includes the basic steps for re‐marking DSCP value and mapping DSCP value to 802.1p. 1. Turn DSCP re‐marking on globally, and define the DSCP‐DSCP‐802.1p mapping. You can use the default mapping. CN 4093(config)# qos dscp re-marking CN 4093(config)# qos dscp dscp-mapping <DSCP value (0‐63)> <new value> CN 4093(config)# qos dscp dot1p-mapping <DSCP value (0‐63)> <802.1p value> 2. Enable DSCP re‐marking on a port. CN 4093(config)# interface port 1 CN 4093(config-if)# qos dscp re-marking CN 4093(config-if)# exit DSCP Re-Marking Configuration Example 2 The following example assigns strict priority to VoIP traffic and a lower priority to ...
Page 223 6. Assign strict priority to VoIP COS queue. CN 4093(config)# qos transmit-queue weight-cos 7 0 7. Map priority value to COS queue for non‐VoIP traffic. CN 4093(config)# qos transmit-queue mapping 1 1 8. Assign weight to the non‐VoIP COS queue. CN 4093(config)# qos transmit-queue weight-cos 1 2 © Copyright Lenovo 2017 Chapter 12: Quality of Service...
Page 224: Using 802.1P Priorities To Provide Qos
Using 802.1p Priorities to Provide QoS Enterprise NOS provides Quality of Service functions based on the priority bits in a packet’s VLAN header. (The priority bits are defined by the 802.1p standard within the IEEE 802.1q VLAN header.) The 802.1p bits, if present in the packet, specify the priority that should be given to packets during forwarding. Packets with a numerically higher (non‐zero) priority are given forwarding preference over packets with lower priority bit value. The IEEE 802.1p standard uses eight levels of priority (0‐7). Priority 7 is assigned to highest priority network traffic, such as OSPF or RIP routing table updates, priorities 5‐6 are assigned to delay‐sensitive applications such as voice and video, and lower priorities are assigned to standard applications. A value of 0 (zero) indicates a “best effort” traffic prioritization, and this is the default when traffic priority has not been configured on your network. The CN4093 can filter packets based on the 802.1p values, and it can assign or overwrite the 802.1p value in the packet. Figure 24. Layer 2 802.1q/802.1p VLAN Tagged Packet DMAC SMAC E Type Data Preamble Priority VLAN Identifier (VID) Ingress packets receive a priority value, as follows:  Tagged packets—CN4093 reads the 802.1p priority in the VLAN tag.  Untagged packets—CN4093 tags the packet and assigns an 802.1p priority, based on the port’s default priority. Egress packets are placed in a COS queue based on the priority value, and scheduled for transmission based on the scheduling weight of the COS queue.
Page 225: Queuing And Scheduling
CN 4093(config)# qos transmit-queue mapping <priority value (0‐7)> <COS queue (0‐7)> To set the COS queue scheduling weight, use the following command. CN 4093(config)# qos transmit-queue weight-cos <COSq number> <COSq weight (0‐15)> The scheduling weight can be set from 0 to 15. Weight values from 1 to 15 set the queue to use weighted round‐robin (WRR) scheduling, which distributes larger numbers of packets to queues with the highest weight values. For distribution purposes, each packet is counted the same, regardless of the packet’s size. A scheduling weight of 0 (zero) indicates strict priority. Traffic in strict priority queue has precedence over other all queues. If more than one queue is assigned a weight of 0, the strict queue with highest queue number will be served first. Once all traffic in strict queues is delivered, any remaining bandwidth will be allocated to the WRR queues, divided according to their weight values. Note: Use caution when assigning strict scheduling to queues. Heavy traffic in queues assigned with a weight of 0 can starve lower priority queues. For a scheduling method that uses a weighted deficit round‐robin (WDRR) algorithm, distributing packets with an awareness of packet size, see “Enhanced Transmission Selection” on page 352. © Copyright Lenovo 2017 Chapter 12: Quality of Service...
Page 226: Control Plane Protection
Control Plane Protection Control plane receives packets that are required for the internal protocol state machines. This type of traffic is usually received at low rate. However, in some situations such as DOS attacks, the switch may receive this traffic at a high rate. If the control plane protocols are unable to process the high rate of traffic, the switch may become unstable. The control plane receives packets that are channeled through protocol‐specific packet queues. Multiple protocols can be channeled through a common packet queue. However, one protocol cannot be channeled through multiple packet queues. These packet queues are applicable only to the packets received by the software and does not impact the regular switching or routing traffic. Packet queue with a higher number has higher priority. You can configure the bandwidth for each packet queue. Protocols that share a packet queue will also share the bandwidth. The following commands configure the control plane protection (CoPP) feature: Configure a queue for a protocol: CN 4093(config)# qos protocol-packet-control packet-queue-map <0‐47> <protocol> Set the bandwidth for the queue, in packets per second: CN 4093(config)# qos protocol-packet-control rate-limit-packet-queue <0‐47> <1‐10000>...
Page 227: Packet Drop Logging
Broadcast packets are received at rate higher than 200pps, hence are discarded on queue 5. To enable or disable packet drop logging, use the following commands: CN 4093(config)# [no] logging pdrop enable You can adjust the logging interval between 0 and 30 minutes using the following command: CN 4093(config)# logging pdrop interval <0-30> Setting the logging interval to 0 will log packet drops immediately (with up to 1 second delay), and will ignore further drops on the same queue during the next 2 minutes. Setting the logging interval to a greater value (1 – 30 minutes), regularly displays packet drop information at the designated time intervals. Once the packet drops stop, or if new packet drops are encountered only within 2 minutes after a syslog message, the switch does not display any more messages. © Copyright Lenovo 2017 Chapter 12: Quality of Service...
Page 228 CN4093 Application Guide for N/OS 8.4...
Page 230 CN4093 Application Guide for N/OS 8.4...
Page 231: Chapter 13. Stacking
Chapter 13. Stacking This chapter describes how to implement the stacking feature in the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch. The following concepts are covered:  “Stacking Overview” on page 232  “Stack Membership” on page 235  “Configuring a Stack” on page 240  “Managing a Stack” on page 246  “Upgrading Software in a Stack” on page 248  “Replacing or Removing Stacked Switches” on page 249  “ISCLI Stacking Commands” on page 258 © Copyright Lenovo 2017...
Page 232: Stacking Overview
Stacking Overview A hybrid stack is a group of eight switches: two CN4093 10 Gb Converged Scalable Switches and six EN4093R 10Gb Scalable Switches. A stack can also be formed with just two CN4093 10 Gb Converged Scalable Switches. A stack has the following properties, regardless of the number of switches included: The network views the stack as a single entity.   The stack can be accessed and managed as a whole using standard switch IP interfaces configured with IPv4 addresses.  The CLI for Individual Member switches is available via the Master switch serial console or using remote Telnet/SSH access to the Master.  Once the stacking links have been established (see the next section), the number of ports available in a stack equals the total number of remaining ports of all the switches that are part of the stack.  The number of available IP interfaces, VLANs, LAGs, LAG Links and other switch attributes are not aggregated among the switches in a stack. The totals for the stack as a whole are the same as for any single switch configured in stand‐alone mode. A maximum of 4095 VLANs are supported in stand‐alone mode, and a maximum of 1024 VLANs are supported in stacking mode. CN4093 Application Guide for N/OS 8.4...
Page 233: Stacking Requirements
 the stack LAG, you must first set the LACP port mode to off (CN 4093(config-if)# lacp mode off).  The cables used for connecting the switches in a stack carry low‐level, inter‐switch communications as well as cross‐stack data traffic critical to shared switching functions. Always maintain the stability of stack links to avoid internal stack reconfiguration. Stacking Limitations The CN4093 with ENOS 8.4 can operate in one of two modes:  Default mode, which is the regular stand‐alone (or non‐stacked) mode.  Stacking mode, in which multiple physical switches aggregate functions as a single switching device. When in stacking mode, the following stand‐alone features are not supported:  Border Gateway Protocol (BGP) Ethernet Operation, Administration and Maintenance (OAM)   Internet Group Management Protocol version 3 (IGMPv3) Internet Group Management Protocol (IGMP) Querier   Internet Group Management Protocol (IGMP) Relay Internet Key Exchange version 2 (IKEv2)  © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 234  IP Security (IPsec)  Internet Protocol version 6 (IPv6)  Loopback Interfaces  MAC address notification  Multicast Listener Discovery (MLD)  Network Configuration (NETCONF) Protocol  Open Shortest Path First (OSPF) Open Shortest Path First version 3 (OSPFv3)   Port flood blocking Protocol‐based VLANs   Router IDs Route maps   Routing Information Protocol (RIP) sFlow port monitoring   Spanning Tree Protocol (STP) Root Guard and Loop Guard Static MAC address adding   Static Multicast Routes Storm control   Switch Partition (SPAR) Uni‐Directional Link Detection (UDLD)  ...
Page 235: Stack Membership
Master  One switch controls the operation of the stack and is called the Master. The Master provides a single point to manage the stack. A stack must have one and only one Master. The firmware image, configuration information, and run‐time data are maintained by the Master and pushed to each switch in the stack as necessary. Member  Member switches provide additional port capacity to the stack. Members receive configuration changes, run‐time information, and software updates from the Master.  Backup One member switch can be designated as a Backup to the Master. The Backup takes over control of the stack if the Master fails. Configuration information and run‐time data are synchronized with the Master. The Master Switch An operational stack can have only one active Master at any given time. In a normal stack configuration, one switch is configured as a Master and all others are configured as Members. When adding new switches to an existing stack, the administrator must explicitly configure each new switch for its intended role as a Master (only when replacing a previous Master) or as a Member. All stack configuration procedures in this chapter depict proper role specification. However, there are scenarios when the two stacks (each having a Master switch) are interconnected through stacking links. When this occurs, one Master switch will automatically be chosen as the active Master for the entire stack. The selection process is designed to promote stable, predictable stack operation and minimize stack reboots and other disruptions. © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 236: Splitting And Merging One Stack
Splitting and Merging One Stack If stack links or Member switches fail, any Member which cannot access either the Master or Backup is considered isolated and will not process network traffic (see “No Backup” on page 239). Members which have access to a Master or Backup (or both), despite other link or Member failures, will continue to operate as part of their active stack. A Member that is isolated due to link failure resets itself. After it is up, if the link failure still exits, the Member stays in isolated state keeping all its data links disabled. Only the management and stacking links are enabled. If the Member was not configured when it went to isolated state, the Master pushes the configuration when the Member joins back the stack. If multiple stack links or stack Member switches fail, thereby separating the Master and Backup into separate sub‐stacks, the Backup automatically becomes an active Master for the partial stack in which it resides. Later, if the topology failures are corrected, the partial stacks will merge, and the two active Masters will come into contact. In this scenario, if both the (original) Master and the Backup (acting as Master) are in operation when the merger occurs, the original Master will reassert its role as active Master for the entire stack. If any configuration elements were changed and applied on the Backup during the time it acted as Master (and forwarded to its connected Members), the Backup and its affected Members will reboot and will be reconfigured by the returning Master before resuming their regular roles. Note: When the Backup becomes a Master, if NTP is enabled from the CMM, configuration changes are made to the Backup (acting as Master) by the CMM. Therefore, in the event of a subsequent merger, the aforementioned reboot and reconfiguration of the Backup and its affected Members will occur. However, if the original Master switch is disrupted (powered down or in the process of rebooting) when it is reconnected with the active stack, the Backup (acting as Master) will retain its acting Master status to avoid disruption to the functioning stack. The deferring Master will temporarily assume a role as Backup. If both the Master and Backup are rebooted, all member switches in the stack will also reboot. When the switches resume operation, they will assume their originally configured roles. If, while the stack is still split, the Backup (acting as Master) is explicitly reconfigured to become a regular Master, then when the split stacks are finally merged, the Master with the lowest MAC address will become the new active ...
Page 237: Merging Independent Stacks
Since up to 16 units can be attached to a stack, a merge between two 8 unit stack can be performed. The user will then have to choose which units will remain in the final stack and which will be eliminated, since only 8 of them can forward networking traffic, the rest having the data links disabled. Note: Do not merge hybrid stacks if the total number of CN4093 switches exceeds two units. Although all switches which are configured for stacking and joined by stacking links are recognized as potential stack participants by any operational Master switches, they are not brought into operation within the stack until explicitly assigned (or “bound”) to a specific Master switch. Consider two independent stacks, Stack A and Stack B, which are merged into one stacking topology. The stacks will behave independently until the switches in Stack B are bound to Master A (or vice versa). In this example, once the Stack B switches are bound to Master A, Master A will automatically reconfigure them to operate as Stack A Members, regardless of their original status within Stack B. However, for purposes of future Backup selection, reconfigured Masters retain their identity as configured Masters, even though they otherwise act as Members. In case the configured Master goes down and the Backup takes over as the new Master, these reconfigured Masters become the new Backup. When the original configured Master of the stack boots up again, it acts as a Member. This is one way to have multiple backups in a stack. © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 238: Backup Switch Selection
Backup Switch Selection An operational stack can have one optional Backup at any given time. Only the Backup specified in the active Master’s configuration is eligible to take over current stack control when the Master is rebooted or fails. The Master automatically synchronizes configuration settings with the specified Backup to facilitate the transfer of control functions. The Backup retains its status until one of the following occurs: The Backup switch is deleted using the following command from the Master:  CN 4093(config)# no stack backup  The Backup switch is changed using the following command from the Master: CN 4093(config)# stack backup <csnum 1‐8> Note: This will replace the current Backup switch with the configured switch specified through its csnum. Even if the new Backup switch is not attached to the stack when issuing the command, the current Backup switch will loose its role. When the configured switch is attached, the command will take effect and the switch will become the Backup. A new Master assumes operation as active Master in the stack and uses its own  configured Backup settings.  The active Master is rebooted with the boot configuration set to factory defaults (clearing the Backup setting). Master Failover When the Master switch is present, it controls the operation of the stack and pushes configuration information to the other switches in the stack. If the active Master fails, then the designated Backup (if one is defined in the Master’s configuration) becomes the new acting Master and the stack continues to operate ...
Page 239: No Backup
No Backup If a Backup is not configured on the active Master, or the specified Backup is not operating, then if the active Master fails, the stack will reboot without an active Master. When a group of stacked switches are rebooted without an active Master present, the switches are considered to be isolated. All isolated switches in the stack are placed in a INIT state until a Master appears. During this INIT period, all the network ports of these Member switches are placed into operator‐disabled state. Without the Master, a stack cannot respond correctly to networking events. Stack Member Identification Each switch in the stack has two numeric identifiers, as follows:  Attached Switch Number (asnum) An asnum is automatically assigned by the Master switch, based on each Member switch’s physical connection in relation to the Master. The asnum is mainly used as an internal ID by the Master switch and is not user‐configurable.  Configured Switch Number (csnum): The csnum is the logical switch ID assigned by the stack administrator. The csnum is used in most stacking‐related configuration commands and switch information output. It is also used as a port prefix to distinguish the relationship between the ports on different switches in the stack. It is recommended that asnum 1 and csnum 1 be used for identifying the Master switch. By default, csnum 1 is assigned to the Master. If csnum 1 is not available, the lowest available csnum is assigned to the Master. © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 240: Configuring A Stack
Configuring a Stack When stacking mode is enabled on the switch, the configuration is reset to factory default and the port numbering changes. When a switch mode is changed from stand‐alone to stack or from stack to stand‐alone, the active and backup configuration will be erased. We recommended that you save the configuration to an external device before changing the switch mode. Configuration Overview This section provides procedures for creating a stack of switches. The high‐level procedure is as follows: Configure the stack settings to be available after the next reboot:  Choose one Master switch for the entire stack.  Set all stack switches to stacking mode.  Configure the same stacking VLAN for all switches in the stack.  Configure the desired stacking interlinks.  Reboot the stack switches.   Configure the stack after the reboot: Bind Member switches to the Master.  Assign a Backup switch.  These tasks are covered in detail in the following sections. Best Configuration Practices The following are guidelines for building an effective switch stack:  Always connect the stack switches in a complete ring topology (see Figure 25 on page 242).
Page 241: Stacking Vlans
1. On each switch, enable stacking: CN 4093(config)# boot stack enable 2. On each switch, set the stacking membership mode. By default, each switch is set to Member mode. However, one switch must be set to Master mode. Use the following command on only the designated Master switch: CN 4093(config)# boot stack mode master Note: If any Member switches are incorrectly set to Master mode, use the mode member option to set them back to Member mode. 3. On each switch, configure the stacking VLAN (or use the default setting). Although any VLAN (except VLAN 1) may be defined for stack traffic, it is highly recommended that the default, VLAN 4090 as shown in the following example, be reserved for stacking. CN 4093(config)# boot stack vlan 4090 4. On each switch, designate the stacking links. © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 242 If using the 2 x 40Gb ports as stacking links, first convert the 40Gb ports from their default 4x10Gb mode of operation to 40Gb mode. See: “Configuring QSFP+ Ports” on page 160. Use the following command to specify the links to be used in the stacking LAG: CN 4093(config)# boot stack higig-trunk <list of port names or aliases> Note: Ports configured as Server ports for use with VMready cannot be designated as stacking links. 5. On each switch, perform a reboot: CN 4093(config)# reload 6. Physically connect the stack LAGs. To create the recommended topology, attach the two designated stacking links in a bidirectional ring. As shown in Figure 25, connect each switch in turn to the next, starting with the Master switch. To complete the ring, connect the last Member switch back to the Master. Figure 25. Example of Stacking Connections Master Switch Member Switches Switch connected in bidirectional Member ring topology Switch Member Switch...
Page 243: Configuring A Management Ip Interface
CN 4093(config-ip-if)# exit CN 4093(config)# ip gateway 3 mac <switch MAC address> address <gateway IPv4 address> enable To provide continuous Management IP reachability in the event of a Master node failover, an additional floating Management IP address can be set up on the management interface. The floating Management IP address will be used by the backup switch when taking over management from the failed master node. To configure the floating Management IP address, use the following command: CN 4093(config-if)# floating ip address <IPv4 address> <subnet mask> Note: The Management IP and floating Management IP addresses on the master switch, as well as the Management IP address on the backup switch, must be in the same subnet. Note: In case of a stack split, the floating IP cannot be used anymore due to duplicate IP address issue. © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 244: Additional Master Configuration
Additional Master Configuration Once the stack links are connected, access the internal management IP interface of the Master switch (assigned by the management system) and complete the configuration. Viewing Stack Connections To view information about the switches in a stack, execute the following command: CN 4093(config)# show stack switch Stack name: STK Local switch: csnum - 74:99:75:21:8c:00 UUID - 98c587636548429aba5010f8c62d4e27 Bay Number Switch Type - 14 (CN4093) Chassis Type - 6 (Flex Enterprise) Switch Mode (cfg) - Member (backup) Priority - 245...
Page 245: Binding Members To The Stack
CN 4093(config)# stack switch-number <csnum> bind <asnum (1‐16)> To remove a Member switch, execute the following command: CN 4093(config)# no stack switch-number <csnum> To bind all units of a stack, use the command: CN 4093(config)# stack bind The stack bind command automatically assigns switch numbers to all attached switches in the stack that do not yet have a number assigned. Assigning a Stack Backup Switch To define a Member switch as a Backup (optional) which will assume the Master role if the Master switch fails, execute the following command: CN 4093(config)# stack backup <csnum> ‐or‐ CN 4093(config)# stack bind © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 246: Managing A Stack
Managing a Stack The stack is managed primarily through the Master switch. The Master switch then pushes configuration changes and run‐time information to the Member switches. Use Telnet or the Browser‐Based Interface (BBI) to access the Master, as follows:  Use the management IP address assigned to the Master by the management system.  On any switch in the stack, connect to any port that is not part of an active LAG and is a member of a VLAN. To access the stack, use the IP address of any IP interface that is member of the VLAN. Connecting to Stack Switches via the Master From the Master switch, you can connect to any other switch in the stack directly from the ISCLI using the following command: CN 4093# connect <asnum (1‐16)> Rebooting Stacked Switches via the Master Rebooting Stacked Switches using the ISCLI The administrator can reboot individual switches in the stack, or the entire stack using the following commands: CN 4093(config)# reload (Reboot all switches in the stack) CN 4093(config)# reload master...
Page 247: Rebooting Stacked Switches Using The Bbi
The Configure > System > Config/Image Control window allows the administrator to perform a reboot of individual switches in the stack, or the entire stack. The following table describes the stacking Reboot buttons. Table 19. Stacking Boot Management buttons Field Description Reboot Stack Performs a software reboot/reset of all switches in the stack. The software image specified in the Image To Boot drop‐down list becomes the active image. Reboot Master Performs a software reboot/reset of the Master switch. The software image specified in the Image To Boot drop‐down list becomes the active image. Reboot Switches Performs a reboot/reset on selected switches in the stack. Select one or more switches in the drop‐down list, and click Reboot Switches. The software image specified in the Image To Boot drop‐down list becomes the active image. The Update Image/Cfg section of the window applies to the Master. When a new software image or configuration file is loaded, the file first loads onto the Master, and the Master pushes the file to all other switches in the stack, placing it in the same software or configuration bank as that on the Master. For example, if the new image is loaded into image 1 on the Master switch, the Master will push the same firmware to image 1 on each Member switch. © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 248: Upgrading Software In A Stack
Upgrading Software in a Stack New Hybrid Stack Use the following procedure to install software on switches that will be used to form a hybrid stack (two CN4093 and up to six EN4093R switches): 1. Install ENOS version 8.4 on each switch and reload the switch. Configure the switches to form a stack. See “Configuring a Stack” on page 240. 3. Reload the switches to establish the stack. Converting a EN4093R Stack to a Hybrid Stack Use the following procedure to install software on a stack of EN4093R switches that will be combined with CN4093 switches to form a hybrid stack (up to two CN4093 and up to six EN4093R switches): 1. Install ENOS version 8.4 on the Master EN4093R switch. 2. Install ENOS version 8.4 on each CN4093 switch. 3. Reload the switches. 4. Configure stacking on the CN4093 switch(es). The CN4093 must be configured as the Master of the hybrid stack. Reload the switch(es) to establish the stack. New Stack Use the following procedure to install software on two CN4093 switches that will be used to form a stack: 1.
Page 249: Replacing Or Removing Stacked Switches
3. Remove the stack link cables from the old switch only. 4. Disconnect all network cables from the old switch only. 5. Remove the old switch. Installing the New Switch or Healing the Topology If using a ring topology, but not installing a new switch for the one removed, close the ring by connecting the open stack links together, essentially bypassing the removed switch. Otherwise, if replacing the removed switch with a new unit, use the following procedure: Make sure the new switch meets the stacking requirements on page 233. 2. Place the new switch in its determined place according to the CN4093 10 Gb Converged Scalable Switch Installation Guide. 3. Connect to the ISCLI of the new switch (not the stack interface) 4. Enable stacking: CN 4093(config)# boot stack enable © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 250 5. Set the stacking mode. By default, each switch is set to Member mode. However, if the incoming switch has been used in another stacking configuration, it may be necessary to ensure the proper mode is set.  If replacing a Member or Backup switch: CN 4093(config)# boot stack mode member  If replacing a Master switch: CN 4093(config)# boot stack mode master 6. Configure the stacking VLAN on the new switch, or use the default setting. Although any VLAN may be defined for stack traffic, it is highly recommended that the default, VLAN 4090, be reserved for stacking, as shown in the following command. CN 4093(config)# boot stack vlan 4090 7. Designate the stacking links. Use the following command to specify the links to be used in the stacking LAG: CN 4093(config)# boot stack higig-trunk <list of external port s> 8.
Page 251: Binding The New Switch To The Stack
Note: If replacing the Master switch, be sure to log in to the stack interface (hosted temporarily on the Backup switch) rather than logging in directly to the newly installed Master. 2. From the stack interface, assign the csnum for the new switch. You can bind Member switches to a stack csnum using either the new switch’s asnum or MAC address: CN 4093(config)# stack switch-number <csnum> universal-unic-id <uuid> bay <Slot ID> ‐or‐ CN 4093(config)# stack switch-number <csnum> bind <asnum> ‐or‐ CN 4093(config)# stack bind Note: If replacing the Master switch, the Master will not assume control from the Backup unless the Backup is rebooted or fails. © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 252: Performing A Rolling Reload Or Upgrade
Performing a Rolling Reload or Upgrade You can perform a sequential reload or upgrade, otherwise known as a staggered or rolling reload or upgrade, to avoid the need for an overall outage. With a rolling reload or upgrade, some of the hardware stays up at all times. This approach differs from the traditional image upgrade that requires manual image downloads and install to individual switches, which then requires the entire logical switch reboot. After the firmware is copied to all members of the stack, the rolling reload or upgrade process automatically reboots all switches sequentially in the following order:  Backup switch Master switch   Configured stack members, from lowest to highest csnum Attached but not configured stack members, from lowest to highest asnum  During the rolling firmware reload or upgrade process, there will be continuous connectivity to the upstream network. From the point of view of the stack, it is as though a series of switch and uplink failures are occurring. When the design is cabled and configured properly, the environment redirects traffic. For detailed instructions on upgrading and rebooting, see Chapter 3, “Switch Software Management“. Starting a Rolling Reload To start a rolling reload, use the command: CN 4093(config)# reload staggered [delay <delay>] where delay is an integer from 2 to 20 representing the time delay in minutes ...
Page 253 To upgrade both the boot and the firmware images: 1. Load the boot image with a non‐staggered copy: CN 4093(config)# copy {tftp|ftp|sftp} boot-image {address <IP address>} {filename <image filename>} 2. Load the firmware image with a staggered copy: CN 4093(config)# copy {tftp|ftp|sftp} {image1|image2} {address <IP address>} {filename <image filename>} staggered-upgrade [delay <2‐20 minutes>] © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 254: Saving Syslog Messages
Saving Syslog Messages By default, syslog messages on each member of a stack are saved to flash memory on that stack member. You may want to preserve stacking‐related errors. To accomplish this, in console mode, use the following command: CN 4093(config)# [no] logging log stacking The master switch can display the syslog messages originated on any stack member as long as the specified stack element is currently an active member of the stack using the command: CN 4093(config)# show logging [swn <configured‐switch‐number>] [messages| |reverse|severity <0‐7>] where: <configured‐switch‐number> The configured switch number. If no number is supplied, the command applies to the master switch. messages shows last 2000 syslog messages. reverse shows syslog information in reverse priority order. severity <0‐7> shows messages of a specific severity level. For example, to retrieve the last 2000 syslog messages of severity 4 or greater from switch 3, enter: CN 4093(config)# show logging swn 3 severity 4 To retrieve the contents of the log files stored on flash on a specified switch in the ...
Page 255 CN 4093(config)# logging host <host instance> {address <IPv4 address>|address6 <IPv6 address>|facility <facility (0‐7)>|severity <severity (0‐7)>} where: <host instance> The host instance; either 1 or 2. <IPv4 address> The IPv4 address of the host being logged. <IPv6 address> The IPv6 address of the host being logged. <facility (0‐7)> The facility (0‐7) of the logs being written to external syslog servers. <severity (0‐7)> The severity (0‐7) of the logs being written to external syslog servers. To enable console output of syslog messages, use the command: CN 4093(config)# logging console severity <severity (0‐7)> where <severity> configures the severity of logs to be sent to the console. To configure the severity of syslogs written to flash, use the command: CN 4093(config)# logging buffer severity <severity (0‐7)> where <severity> configures the severity of logs to be written to flash. © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 256: Flexible Port Mapping In Stacking
Flexible Port Mapping in Stacking Flexible Port Mapping allows administrators to manually enable or disable specific switch ports within the limitations of the installed licenses’ bandwidth. For details, see “Flexible Port Mapping” on page 580. In stacking, there are no overall bandwidth restrictions. Instead, each switch in the stack that supports licensing has bandwidth restrictions determined by its license level. Commands associated with flexible port mapping can only be run from the master switch in the stack and can have an additional parameter: [no] boot port-map <csnum:port number or range>  Adds or removes ports of a stack switch to/from the port map by specifying the switch’s configured number and port number or range of ports. For example: CN 4093(config)# boot port-map 3:12 Adds port number 12 of stack configured switch number 3 to the port map. default boot port-map [<csnum>]  Resets the port map configuration to the default settings for the whole stack. If a configured switch number is specified, the command will reset the port map configuration only for the selected stack switch. CN4093 Application Guide for N/OS 8.4...
Page 257 3:21 3:22 3:23 3:24 3:25 3:26 3:27 3:28 3:29 3:30 3:31 3:32 3:33 3:34 3:35 3:36 3:37 3:38 3:39 3:40 3:41 3:42 3:43 3:44 3:45 3:49 3:53 3:54 3:55 3:56 3:57 3:58 3:59 3:60 3:61 3:62 3:63 3:64 Unmapped ports: © Copyright Lenovo 2017 Chapter 13: Stacking...
Page 258: Iscli Stacking Commands
ISCLI Stacking Commands Stacking‐related ISCLI commands are listed here. For details on specific commands, see the CN4093 10 Gb Converged Scalable Switch Command Reference. [no] boot stack enable  boot stack higig-trunk <port alias or number>  boot stack mode {master|member} [<asnum>|master|backup|all]  boot stack push-image {boot-image|image1|image2} <asnum>  boot stack vlan <VLAN ID>  connect <asnum>  copy log [swn <switch number>] stfp ...
Page 259: Chapter 14. Virtualization
For details on this feature, see “Ports and Link Aggregation (LAG)” on page 157.  Virtual Network Interface Card (vNIC) support Some NICs, such as the Emulex Virtual Fabric Adapter, can virtualize NIC resources, presenting multiple virtual NICs to the server’s OS or hypervisor. Each vNIC appears as a regular, independent NIC with some portion of the physical NIC’s overall bandwidth. ENOS 8.4 supports up to four vNICs over each internal switch port. For details on this feature, see “Virtual NICs” on page 261.  Virtual Link Aggregation Groups (VLAGs) With VLAGs, two switches can act as a single logical device for the purpose of establishing port LAGs. Active LAG links from one device can lead to both VLAG peer switches, providing enhanced redundancy, including active‐active VRRP configuration. For details on this feature, see “Virtual Link Aggregation Groups” on page 193  VMready The switch’s VMready software makes it virtualization aware. Servers that run hypervisor software with multiple instances of one or more operating systems can present each as an independent virtual machine (VM). With VMready, the switch automatically discovers virtual machines (VMs) connected to switch. For details on this feature, see “VMready” on page 279. Edge Virtual Bridging (QBG)  The 802.1Qbg/Edge Virtual Bridging (EVB) is an emerging IEEE standard for allowing networks to become virtual machine (VM)‐aware. EVB bridges the gap between physical and virtual network resources. For details on this feature, see “Edge Virtual Bridging” on page 349. © Copyright Lenovo 2017...
Page 260  Unified Fabric Port (UFP) An architecture that logically subdivides a high‐speed physical link connecting to a server NIC or to a Converged Network Adapter (CNA). UFP provides a switch fabric component to control the NIC. For details on this feature, see “Unified Fabric Port” on page 361. Enterprise NOS virtualization features provide a highly‐flexible framework for allocating and managing switch resources. CN4093 Application Guide for N/OS 8.4...
Page 261: Chapter 15. Virtual Nics
10 Gbps Link with VNIC Hypervisor Multiple Virtual Pipes Lenovo VNIC Switch 2 VNIC INTA1 VNIC VNIC A CN4093 with Enterprise NOS 8.4 supports the Emulex Virtual Fabric Adapter (VFA) 2‐port 10Gb LOM and Emulex Virtual Fabric Adapter (Fabric Mezz) for Lenovo Flex System to provide the following vNIC features: Up to four vNICs are supported on each internal switch port.   Each vNIC can accommodate one of the following traffic types: regular Ethernet, iSCSI or Fibre Channel over Ethernet (FCoE).  vNICs with traffic of the same type can be grouped together, along with regular internal ports, external uplink ports and LAGs, to define vNIC groups for enforcing communication boundaries.  In the case of a failure on the external uplink ports associated with a vNIC group, the switch can signal affected vNICs for failover while permitting other vNICs to continue operation.  Each vNIC can be allocated a symmetric percentage of the 10Gbps bandwidth on the link (from NIC to switch, and from switch to NIC).  The CN4093 can be used as the single point of vNIC configuration. © Copyright Lenovo 2017...
Page 262: Vnic Ids On The Switch
The following restriction applies to vNICs:  vNICs are not supported simultaneously with VM groups (see “VMready” on page 279) on the same switch ports. By default, vNICs are disabled. The administrator can enable vNICs and configure vNIC features on the switch using the standard management options such as the Enterprise NOS CLI, the ISCLI, and the Browser‐based Interface (BBI). To enable the vNIC feature on the switch, use the following command on the vNIC Configuration Menu: CN 4093(config)# vnic enable Note: The Emulex Virtual Fabric Adapter for Lenovo Flex System can also operate in Physical NIC (PNIC) mode, in which case vNIC features are non‐applicable. vNIC IDs on the Switch Enterprise NOS 8.4 supports up to four vNICs attached to each internal switch port. Each vNIC is provided its own independent virtual pipe on the port. On stand‐alone (non‐stacked) switches, each vNIC is identified by port and vNIC number: <port number or alias>.<vNIC pipe number (1‐4)> For example: INTA1.1, INTA1.2, INTA1.3, and INTA1.4 represent the vNICs on port INTA1. INTA2.1, INTA2.2, INTA2.3, and INTA2.4 represent the vNICs on port INTA2, etc. These vNIC IDs are used when adding vNICs to vNIC groups, and are shown in some configuration and information displays. Whenever switches are stacked, the switch csnum ID is also required: <switch csnum>:<port number or alias>.<vNIC pipe number (1‐4)> For example: 2:INTA2.3 refers to port INTA2, vNIC 3, switch number 2. Note: The configuration examples in this chapter depict stand‐alone (non‐stacked) port and vNIC designations. ...
Page 263: Vnic Interface Names On The Server
Emulex Virtual Fabric Adapter (Fabric Mezz), when replacing the LOM card: Table 21. vNIC ID Correlation PCIe NIC Port Switch Slot vNIC vNIC ID Function ID Pipe First ASIC Bay 1 INTAx.1 Bay 1 INTAx.2 Bay 1 INTAx.3 Bay 1 INTAx.4 Bay 2 INTAx.1 Bay 2 INTAx.2 Bay 2 INTAx.3 Bay 2 INTAx.4 © Copyright Lenovo 2017 Chapter 15: Virtual NICs...
Page 264 Table 22. vNIC ID Correlation PCIe NIC Port Switch Slot vNIC vNIC ID Function ID Pipe Second ASIC Bay 1 INTBx.1 Bay 1 INTBx.2 Bay 1 INTBx.3 Bay 1 INTBx.4 Bay 2 INTBx.1 Bay 2 INTBx.2 Bay 2 INTBx.3 Bay 2 INTBx.4 For Emulex Virtual Fabric Adapter (Fabric Mezz), when adding it with the LOM Card: Table 23. vNIC ID Correlation PCIe NIC Port Switch Slot vNIC vNIC ID...
Page 265 Table 24. vNIC ID Correlation PCIe NIC Port Switch Slot vNIC vNIC ID Function ID Pipe Bay 3 INTBx.4 Bay 4 INTBx.1 Bay 4 INTBx.2 Bay 4 INTBx.3 Bay 4 INTBx.4 In this, the x in the vNIC ID represents the internal switch port and its corresponding server node of the vNIC pipe. Each physical NIC port is connected to a different switch bay in the blade chassis. © Copyright Lenovo 2017 Chapter 15: Virtual NICs...
Page 266: Vnic Uplink Modes
vNIC Uplink Modes The switch supports two modes for configuring the vNIC uplinks: dedicated mode and shared mode. The default is the dedicated mode. To enable the shared mode, enter the following command: CN 4093(config)# vnic uplink-share In the dedicated mode, only one vNIC group is assigned to an uplink port. This port can be a regular port or a LAG port. The NIC places an outer tag on the vNIC group packets. This outer tag contains the vNIC group VLAN. The uplink NIC strips off the outer tag before sending out the packet. For details, see “vNIC Groups in Dedicated Mode” on page 270. In the shared mode, multiple vNIC groups can be assigned to an uplink port. This port can be a regular port or a LAG port. The vNIC groups share the uplink. You may assign a few vNIC groups to share an uplink and the other vNIC groups to have a single uplink each. In either case, the switch still operates in shared mode. As in the dedicated mode, the NIC places an outer tag on the vNIC group packets. This outer tag contains the vNIC group VLAN. The uplink NIC does not strip off the outer tag. The vNIC group tag defines the regular VLAN for the packet.This behavior is particularly useful in cases where the downstream server does not set any tag. Effectively, each vNIC group is a VLAN, which you can assign by configuring the VLAN to the vNIC group. You must enable the tag configuration on the uplink port. For details, see “vNIC Groups in Shared Mode” on page 271. CN4093 Application Guide for N/OS 8.4...
Page 267 Do not add a port or LAG to mul‐ Can add a port or LAG to multiple tiple vNIC groups that are vNIC groups that are enabled. enabled. Do not configure additional Can configure additional VLANs on VLANs on the uplink ports. the uplink ports. An uplink port can only be in one An uplink port can be in multiple STG. STGs. When you add a port to a vNIC When you add a port to a vNIC group, STP is automatically dis‐ group, STP is automatically disabled. abled. When you remove a port from a When you remove a port from a vNIC vNIC group, STP is automatically group, STP is automatically reset to reset to factory default. factory default. Failover An uplink up/event can trigger An uplink up/event can trigger the the failover state change only of failover state change of multiple vNIC one vNIC group. groups. © Copyright Lenovo 2017 Chapter 15: Virtual NICs...
Page 268: Vnic Bandwidth Metering
vNIC Bandwidth Metering Enterprise NOS 8.4 supports bandwidth metering for vNIC traffic. By default, each of the four vNICs on any given port is allowed an equal share (25%) of NIC capacity when enabled. However, you may configure the percentage of available switch port bandwidth permitted to each vNIC. vNIC bandwidth can be configured as a value from 1 to 100, with each unit representing 1% (or 100Mbps) of the 10Gbps link. By default, each vNICs enabled on a port is assigned 25 units (equal to 25% of the link, or 2.5Gbps). When traffic from the switch to the vNIC reaches its assigned bandwidth limit, the switch will drop packets egressing to the affected vNIC. Note: Bandwidth metering drops excess packets when configured limits are reached. Consider using the ETS feature in applications where packet loss is not desirable (see “Enhanced Transmission Selection” on page 352). To change the bandwidth allocation, use the following commands: CN 4093(config)# vnic port <port alias or number> index <vNIC number (1‐4)> CN 4093(vnic-config)# bandwidth <allocated percentage> Note: vNICs that are disabled are automatically allocated a bandwidth value of 0. A combined maximum of 100 units can be allocated among vNIC pipes enabled for any specific port (bandwidth values for disabled pipes are not counted). If more than 100 units are assigned to enabled pipes, an error will be reported when attempting to apply the configuration. The bandwidth metering configuration is automatically synchronized between the switch and vNICs for regular Ethernet and iSCSI traffic. Once configured on the switch, there is no need to manually configure vNIC bandwidth metering limits on the NIC. Note: FCoE vNIC does not use egress metering. ETS and PFC must be enabled to ensure lossless transmission for FCoE traffic. ETS does traffic shaping. You can ...
Page 269: Vnic Groups
External ports that are part of a LAG may not be individually added to a vNIC  group. Only one individual external port, one static LAG or one dynamic LAG (consisting of multiple external ports) may be added to any given vNIC group.  In dedicated mode, for any internal ports, external port or port LAG group connected to regular (non‐vNIC) devices: These elements can be placed in only one vNIC group (they cannot be  members of multiple vNIC groups). Once added to a vNIC group, the PVID for the element is automatically set to  use the vNIC group VLAN number, and PVID tagging on the element is automatically disabled.  By default, STP is disabled on any external port added to a vNIC group. STP can be re‐enabled on the port if desired.  Because regular, inner VLAN IDs are ignored by the switch for traffic in vNIC groups, following rules and restrictions apply: The inner VLAN tag may specify any VLAN ID in the full, supported range  (1 to 4095) and may even duplicate outer vNIC group VLAN IDs. However, in the shared mode, inner VLAN tag and the vNIC group VLAN ID should be the same. Per‐VLAN IGMP snooping is not supported in vNIC groups.  The inner VLAN tag is not processed in any way in vNIC groups: The inner  tag cannot be stripped or added on port egress, is not used to restrict multicast traffic, is not matched against ACL filters, and does not influence Layer 3 switching. © Copyright Lenovo 2017 Chapter 15: Virtual NICs...
Page 270: Vnic Groups In Dedicated Mode
Groups in Dedicated Mode The vNIC group VLAN ID is placed on all vNIC group packets as an “outer” tag. As shown in Figure 27, the outer vNIC group VLAN ID is placed on the packet in addition to any regular VLAN tag assigned by the network, server, or hypervisor. The outer vNIC group VLAN is used only between the CN4093 and the NIC. Figure 27. Outer and Inner VLAN Tags vNIC-Capable Server Ports with Lenovo Switch Ports without vNICs vNICs OS/Hypervisor Regular NIC attached outer Switching uses outer tag; Switch strips VLAN ID vNIC group VLAN ID...
Page 271: Vnic Groups In Shared Mode
Outer tag sets vNIC; Ignores regular VLAN outer tag NIC strips outer tag Inbound Packet Within the CN4093, all Layer 2 switching for packets within a vNIC group is based on the outer vNIC group VLAN. The CN4093 does not consider the regular, inner VLAN ID (if any) for any VLAN‐specific operation. The outer vNIC group VLAN is not removed by the switch before the packet egresses any internal port or external uplink port. For untagged packets sent by the server, the uplink NIC uses this outer tag to switch the packet to destined VLAN. The shared mode is useful is cases where the multiple vNIC groups need to share an uplink port. The vNIC group tag defines the user VLAN. Following is an use case: An ESX server is presented with eight vNICs (four from bay 7 and four from bay 9) used with four virtual switches of the ESX host and with no tagged port groups. A pair of odd/even vNICs is placed within each virtual switch. On the CN4093, four vNIC groups are created and the desired VLAN for each vNIC group is configured. For example, if vNIC group 1 on the CN4093 has four interfaces: 1.1, 2.1, 3.1, 4.1. vNIC group 1 is configured with VLAN 10. Packets coming from any VM connecting with the virtual switch that VMNIC 2 and 3 (vNIC 1.1, 2.1, 3.1, and 4.1 on bay 7 and bay 9) will be assigned with VLAN 10. These packets go out the uplink with VLAN 10 tag. The upstream switch sends these packets to the desired destination on VLAN 10. © Copyright Lenovo 2017 Chapter 15: Virtual NICs...
Page 272: Vnic Teaming Failover
Teaming Failover For NIC failover in a non‐virtualized environment, when a service group’s external uplink ports fail or are disconnected, the switch disables the affected group’s internal ports, causing the server to failover to the backup NIC and switch. However, in a virtualized environment, disabling the affected internal ports would disrupt all vNIC pipes on those ports, not just those that have lost their external uplinks (see Figure 29). Figure 29. Regular Failover in a Virtualized Environment Primary Lenovo Lenovo Switch Servers Virtual Hypervisor Pipes VNIC vSwitch VNIC VNIC VNIC VM 1 VNIC Group 1 VM 2 EXT1 INTA1 VNIC VNIC VNIC VNIC VNIC...
Page 273 VNIC Hypervisor Upon EXT1 link failure, the switch To Backup informs the server hypervisor for failover on affected VNICs only Switch By default, vNIC Teaming Failover is disabled on each vNIC group, but can be enabled or disabled independently for each vNIC group using the following commands: CN 4093(config)# vnic vnicgroup <group number> CN 4093(vnic-group-config)# failover © Copyright Lenovo 2017 Chapter 15: Virtual NICs...
Page 274: Vnic Configuration Example
Configuration Example Consider the following example configuration of vNICs for regular Ethernet traffic: Figure 31. Multiple vNIC Groups Lenovo Switch 1 Lenovo Servers VNIC VNIC VNIC OS or VNIC EXT1 INTA1 Hypervisor VNIC VNIC To Switch 2 VNIC VNIC Group 1 VNIC VNIC VLAN 1000 VNIC VNIC OS or VNIC...
Page 275 CN 4093(config)# vnic port INTA2 index 1 (Select vNIC 1 on the port) CN 4093(vnic-config)# enable (Enable the vNIC pipe) CN 4093(vnic-config)# exit CN 4093(config)# vnic port INTA2 index 2 (Select vNIC 2 on the port) CN 4093(vnic-config)# enable (Enable the vNIC pipe) CN 4093(vnic-config)# exit As a configuration shortcut, vNICs do not have to be explicitly enabled in this step. When a vNIC is added to the vNIC group (in the next step), the switch will prompt you to confirm automatically enabling the vNIC if it is not yet enabled (shown for INT3.2). Note: vNICs are not supported simultaneously on the same switch ports as VMready. © Copyright Lenovo 2017 Chapter 15: Virtual NICs...
Page 276 4. Add ports, LAGs and virtual pipes to their vNIC groups. CN 4093(config)# vnic vnicgroup 1 (Select vNIC group) CN 4093(vnic-group-config)# vlan 1000 (Specify the VLAN) CN 4093(vnic-group-config)# member INTA1.1 (Add vNIC pipes to the group) CN 4093(vnic-group-config)# member INTA2.1 CN 4093(vnic-group-config)# port INTA4 (Add non‐vNIC port to the group) CN 4093(vnic-group-config)# port EXT1 (Add uplink port to the group CN 4093(vnic-group-config)# failover (Enable vNIC failover for the group) CN 4093(vnic-group-config)# enable (Enable the vNIC group) CN 4093(vnic-group-config)# exit CN 4093(config)# vnic vnicgroup 2 CN 4093(vnic-group-config)# vlan 1774 CN 4093(vnic-group-config)# member INTA1.2...
Page 277: Vnics For Iscsi On Emulex Virtual Fabric Adapter
CN 4093(config)# vnic vnicgroup 1 (Select vNIC group) CN 4093(vnic-group-config)# vlan 1000 (Specify the VLAN) CN 4093(vnic-group-config)# member INTA1.2 (Add iSCSI vNIC pipes to the group) CN 4093(vnic-group-config)# member INTA2.2 CN 4093(vnic-group-config)# member INTA3.2 CN 4093(vnic-group-config)# port EXT1 (Add the uplink port to the group) CN 4093(vnic-group-config)# enable (Enable the vNIC group) CN 4093(vnic-group-config)# exit © Copyright Lenovo 2017 Chapter 15: Virtual NICs...
Page 278: Vnics For Fcoe Using The Emulex Vfa
FCoE Using the Emulex VFA Similar to the iSCSI application, when using the Emulex VFA for Lenovo chassis systems, FCoE traffic is expected to occur only on vNIC pipe 2. In this case, the additional vNIC configuration for FCoE support is minimal. Consider an example where the Fibre Channel network is connected to an FCoE Forwarder (FCF) bridge via bridge port EXT4, and to an ENode on port INT1. 1. The following steps are required as part of the regular FCoE configuration (see “FIP Snooping Configuration” on page 347): a. Disable the FIP Snooping automatic VLAN creation. b. Disable FIP Snooping on all external ports not used for FCoE. FIP snooping should be enabled only on ports connected to an FCF or ENode. c. Turn on CEE and FIP Snooping. d. Manually configure the FCoE ports and VLAN: enable VLAN tagging on all FCoE ports, and place FCoE ports into a supported VLAN. When CEE is turned on and the regular FCoE configuration is complete, FCoE traffic will be automatically assigned to PFC priority 3, and be initially allocated 50% of port bandwidth via ETS. The following steps are specific to vNIC configuration. 2. On the NIC, ensure that FCoE traffic occurs on vNIC pipe 2 only. Refer to your Emulex VFA documentation for details. 3. On the switch, enable the vNIC feature. CN 4093 # vnic enable 4.
Page 279: Chapter 16. Vmready
® and Kernel/Management Interfaces in a VMware environment. VEs may be placed into VM groups on the switch to define communication boundaries: VEs in the same VM group may communicate with each other, while VEs in different groups may not. VM groups also allow for configuring group‐level settings such as virtualization policies and ACLs. The administrator can also pre‐provision VEs by adding their MAC addresses (or their IPv4 address or VM name in a VMware environment) to a VM group. When a VE with a pre‐provisioned MAC address becomes connected to the switch, the switch will automatically apply the appropriate group membership configuration. The CN4093 with VMready also detects the migration of VEs across different ™ hypervisors. As VEs move, the CN4093 NMotion feature automatically moves the appropriate network configuration as well. NMotion gives the switch the ability to maintain assigned group membership and associated policies, even when a VE moves to a different port on the switch. VMready also works with VMware Virtual Center (vCenter) management software. Connecting with a vCenter allows the CN4093 to collect information about more distant VEs, synchronize switch and VE configuration, and extend migration properties. VE Capacity When VMready is enabled, the switch will automatically discover VEs that reside in hypervisors directly connected on the switch ports. Enterprise NOS 8.4 supports up to 4096 VEs. Once this limit is reached, the switch will reject additional VEs. Note: In rare situations, the switch may reject new VEs prior to reaching the supported limit. This can occur when the internal hash corresponding to the new VE is already in use. If this occurs, change the MAC address of the VE and retry the operation. The MAC address can usually be changed from the virtualization management server console (such as the VMware Virtual Center). © Copyright Lenovo 2017...
Page 280: Vm Group Types
VM Group Types VEs, as well as internal ports, external ports, static LAGs and LACP LAGs, can be placed into VM groups on the switch to define virtual communication boundaries. Elements in a given VM group are permitted to communicate with each other, while those in different groups are not. The elements within a VM group automatically share certain group‐level settings. Enterprise NOS 8.4 supports up to 4096 VM groups. There are two different types: Local VM groups are maintained locally on the switch. Their configuration is not  synchronized with hypervisors.  Distributed VM groups are automatically synchronized with a virtualization management server (see “Assigning a vCenter” on page 288). Each VM group type is covered in detail in the following sections. Local VM Groups The configuration for local VM groups is maintained on the switch (locally) and is not directly synchronized with hypervisors. Local VM groups may include only local elements: local switch ports and LAGs, and only those VEs connected to one of the switch ports or pre‐provisioned on the switch. Local VM groups support limited VE migration: as VMs and other VEs move to different hypervisors connected to different ports on the switch, the configuration of their group identity and features moves with them. However, VE migration to and from more distant hypervisors (those not connected to the CN4093, may require manual configuration when using local VM groups). Configuring a Local VM Group Local VM groups are configured in the VM Group command path: CN 4093(config)# virt vmgroup <VM group number> Use the following ISCLI configuration commands to assign group properties and ...
Page 281: Distributed Vm Groups
 local VM groups. If one is not explicitly configured, the switch will automatically assign the next unconfigured VLAN when a VE or port is added to the VM group. vmap: Each VM group may optionally be assigned a VLAN‐based ACL (see  “VLAN Maps” on page 291). vm: Add VMs.  VMs and other VEs are primarily specified by MAC address. They can also be specified by UUID or by the index number as shown in various VMready information output (see “VMready Information Displays” on page 293). vport: Add a virtual port.  Add a virtual port to the group. Distributed VM Groups Distributed VM groups allow configuration profiles to be synchronized between the CN4093 and associated hypervisors and VEs. This allows VE configuration to be centralized, and provides for more reliable VE migration across hypervisors. Using distributed VM groups requires a virtualization management server. The management server acts as a central point of access to configure and maintain multiple hypervisors and their VEs (VMs, virtual switches, and so on). The CN4093 must connect to a virtualization management server before distributed VM groups can be used. The switch uses this connection to collect configuration information about associated VEs, and can also automatically push configuration profiles to the virtualization management server, which in turn configures the hypervisors and VEs. See “Virtualization Management Servers” on page 288 for more information. © Copyright Lenovo 2017 Chapter 16: VMready...
Page 282: Vm Profiles
VM Profiles VM profiles are required for configuring distributed VM groups. They are not used with local VM groups. A VM profile defines the VLAN and virtual switch bandwidth shaping characteristics for the distributed VM group. The switch distributes these settings to the virtualization management server, which in turn distributes them to the appropriate hypervisors for VE members associated with the group. Creating VM profiles is a two part process. First, the VM profile is created as shown in the following command on the switch: CN 4093(config)# virt vmprofile <profile name> Next, the profile must be edited and configured using the following configuration commands: CN 4093(config)# virt vmprofile edit <profile name> ? eshaping <average bandwidth> <burst size> <peak> shaping <average bandwidth> <burst size> <peak> vlan <VLAN number> For virtual switch bandwidth shaping parameters, average and peak bandwidth are specified in kilobits per second (a value of 1000 represents 1 Mbps). Burst size is specified in kilobytes (a value of 1000 represents 1 MB). Note: The bandwidth shaping parameters in the VM profile are used by the hypervisor virtual switch software. To set bandwidth policies for individual VEs, ...
Page 283: Assigning Members
Lenovo_<VM profile name>_<index number> (for vDS profiles) Using the VM Group command path (CN 4093(config)# virt vmgroup <x> vm) to add a server host interface to a distributed VM group does not create a new port group on the virtual switch or move the host. Instead, because the host interface already has its own virtual switch port group on the hypervisor, the VM profile settings are applied to its existing port group. Note: When applying the distributed VM group configuration, the virtualization management server and associated hypervisors must take appropriate actions. If a hypervisor is unable to make requested changes, an error message will be displayed on the switch. Be sure to evaluate all error message and take the appropriate actions to be sure the expected changes are properly applied. Removing Member VEs Removing a VE from a distributed VM group on the switch will have the following effects on the hypervisor:  The VE will be moved to the Lenovo_Default (to the Lenovo_Default_<index number> in case of vDS) port group in VLAN 0 (zero). Traffic shaping will be disabled for the VE.   All other properties will be reset to default values inherited from the virtual switch. © Copyright Lenovo 2017 Chapter 16: VMready...
Page 284: Vmcheck
VMcheck The CN4093 primarily identifies virtual machines by their MAC addresses. An untrusted server or a VM could identify itself by a trusted MAC address leading to MAC spoofing attacks. Sometimes, MAC addresses get transferred to another VM, or they get duplicated. The VMcheck solution addresses these security concerns by validating the MAC addresses assigned to VMs. The switch periodically sends hello messages on server ports. These messages include the switch identifier and port number. The hypervisor listens to these messages on physical NICs and stores the information, which can be retrieved using the VMware Infrastructure Application Programming Interface (VI API). This information is used to validate VM MAC addresses. Two modes of validation are available: Basic and Advanced. Use the following command to select the validation mode or to disable validation: CN 4093(config)# [no] virt vmgroup <VM group number> validate {basic|advanced} Basic Validation This mode provides port‐based validation by identifying the port used by a hypervisor. It is suitable for environments in which MAC reassignment or duplication cannot occur. The switch, using the hello message information, identifies a hypervisor port. If the hypervisor port is found in the hello message information, it is deemed to be a trusted port. Basic validation should be enabled when:  A VM is added to a VM group, and the MAC address of the VM interface is in the Layer 2 table of the switch. A VM interface that belongs to a VM group experiences a “source miss” i.e. is  not able to learn new MAC address. A trusted port goes down. Port validation must be performed to ensure that the  port does not get connected to an untrusted source when it comes back up. Use the following command to set the action to be performed if the switch is unable to validate the VM MAC address: CN 4093(config)# virt vmcheck action basic {log|link} log - generates a log link - disables the port...
Page 285: Advanced Validation
<port number> command to mark port as untrusted CN 4093# no virt vmcheck acl [mac-address Delete ACL(s): all [<port number>]|port] ACLs/an ACL by MAC address ((optional) and port number) /all ACLs installed on a port © Copyright Lenovo 2017 Chapter 16: VMready...
Page 286: Virtual Distributed Switch
Virtual Distributed Switch A virtual Distributed Switch (vDS) allows the hypervisor’s NIC to be attached to the vDS instead of its own virtual switch. The vDS connects to the vCenter and spans across multiple hypervisors in a datacenter. The administrator can manage virtual machine networking for the entire data center from a single interface. The vDS enables centralized provisioning and administration of virtual machine networking in the data center using the VMware vCenter server. When a member is added to a distributed VM group, a distributed port group is created on the vDS. The member is then added to the distributed port group. Distributed port groups on a vDS are available to all hypervisors that are connected to the vDS. Members of a single distributed port group can communicate with each other. Note: vDS works with ESX 4.0 or higher versions. To add a vDS, use the command: CN 4093# virt vmware dvswitch add <datacenter name> <dvSwitch name> [<dvSwitch‐version>] Prerequisites Before adding a vDS on the CN4093, ensure the following: VMware vCenter is fully installed and configured and includes a “bladevm”  administration account and a valid SSL certificate.  A virtual distributed switch instance has been created on the vCenter. The vDS version must be higher or the same as the hypervisor version on the hosts.  At least two hypervisors are configured. Guidelines Before migrating VMs to a vDS, consider the following: At any one time, a VM NIC can be associated with only one virtual switch: to the  hypervisor’s virtual switch, or to the vDS. Management connection to the server must be ensured during the migration. ...
Page 287: Migrating To Vds
CN 4093# virt vmware dpg ? Add a port group to a dvSwitch Delete a port group from a dvSwitch update Update a port group on a dvSwitch vmac Change a VM NIC's port group © Copyright Lenovo 2017 Chapter 16: VMready...
Page 288: Virtualization Management Servers
Virtualization Management Servers The CN4093 can connect with a virtualization management server to collect configuration information about associated VEs. The switch can also automatically push VM group configuration profiles to the virtualization management server, which in turn configures the hypervisors and VEs, providing enhanced VE mobility. One virtual management server must be assigned on the switch before distributed VM groups may be used. Enterprise NOS 8.4 currently supports only the VMware Virtual Center (vCenter). Assigning a vCenter Assigning a vCenter to the switch requires the following:  The vCenter must have a valid IPv4 address which is accessible to the switch (IPv6 addressing is not supported for the vCenter).  A user account must be configured on the vCenter to provide access for the switch. The account must have (at a minimum) the following vCenter user privileges: Network  Host Network > Configuration  Virtual Machine > Modify Device Settings  Once vCenter requirements are met, the following configuration command can be used on the CN4093 to associate the vCenter with the switch: CN 4093(config)# virt vmware vcspec <vCenter IPv4 address> <username> [noauth] This command specifies the IPv4 address and account username that the switch will use for vCenter access. Once entered, the administrator will be prompted to enter the password for the specified vCenter account.
Page 289: Vcenter Scans
CN 4093(config)# no virt vmware vcspec Note: Without a valid vCenter assigned on the switch, any VE configuration changes must be manually synchronized. Deleting the assigned vCenter prevents synchronizing the configuration between the CN4093 and VEs. VEs already operating in distributed VM groups will continue to function as configured, but any changes made to any VM profile or distributed VM group on the switch will affect only switch operation; changes on the switch will not be reflected in the vCenter or on the VEs. Likewise, any changes made to VE configuration on the vCenter will no longer be reflected on the switch. Exporting Profiles VM profiles for discovered VEs in distributed VM groups are automatically synchronized with the virtual management server and the appropriate hypervisors. However, VM profiles can also be manually exported to specific hosts before individual VEs are defined on them. By exporting VM profiles to a specific host, BNT port groups will be available to the host’s internal virtual switches so that new VMs may be configured to use them. VM migration requires that the target hypervisor includes all the virtual switch port groups to which the VM connects on the source hypervisor. The VM profile export feature can be used to distribute the associated port groups to all the potential hosts for a given VM. A VM profile can be exported to a host using the following ISCLI privileged EXEC command: CN 4093# virt vmware export <VM profile name> <host list> <virtual switch name> © Copyright Lenovo 2017 Chapter 16: VMready...
Page 290: Vmware Operational Commands
The host list can include one or more target hosts, specified by host name, IPv4 address, or UUID, with each list item separated by a space. If the virtual switch name is omitted, the administrator will be prompted to select one from a list or to enter a new virtual switch name. Once executed, the requisite port group will be created on the specified virtual switch. If the specified virtual switch does not exist on the target host, it will be created with default properties, but with no uplink connection to a physical NIC (the administrator must assign uplinks using VMware management tools. VMware Operational Commands The CN4093 may be used as a central point of configuration for VMware virtual switches and port groups using the VMware operational menu, available with the following ISCLI privileged EXEC commands: CN 4093# virt vmware ? Distributed port group operations dvswitch VMWare dvSwitch operations export Create or update a vm profile on one host Add a port group to a host scan Perform a VM Agent scan operation now updpg...
Page 291: Vlan Maps
CN 4093(config)# vlan <VLAN ID> CN 4093(config-vlan)# [no] vmap <VMAP ID> [intports| extports]  For a VM group, use the global configuration mode: CN 4093(config)# [no] virt vmgroup <ID> vmap <VMAP ID> [intports|extports] Note: Each VMAP can be assigned to only one VLAN or VM group. However, each VLAN or VM group may have multiple VMAPs assigned to it. The optional intports or extports parameter can be specified to apply the action (to add or remove the VMAP) for either the internal ports or external ports only. If omitted, the operation will be applied to all ports in the associated VLAN or VM group. Note: VMAPs have a lower priority than port‐based ACLs. If both an ACL and a VMAP match a particular packet, both filter actions will be applied as long as there is no conflict. In the event of a conflict, the port ACL will take priority, though switch statistics will count matches for both the ACL and VMAP. © Copyright Lenovo 2017 Chapter 16: VMready...
Page 292: Vm Policy Bandwidth Control
VM Policy Bandwidth Control In a virtualized environment where VEs can migrate between hypervisors and thus move among different ports on the switch, traffic bandwidth policies must be attached to VEs, rather than to a specific switch port. VM Policy Bandwidth Control allows the administrator to specify the amount of data the switch will permit to flow to or from a particular VE, without defining a complicated matrix of ACLs or VMAPs for all port combinations where a VE may appear. VM Policy Bandwidth Control Commands VM Policy Bandwidth Control can be configured using the following configuration commands: CN 4093(config)# virt vmpolicy vmbwidth <VM MAC>|<index>|<UUID>| <IPv4 address>|<name> ? txrate <committed rate> <burst> [<ACL number>] (Set the VM to switch rate) rxrate <committed rate> <burst> (Set the VM received bandwidth) bwctrl (Enable bandwidth control) Bandwidth allocation can be defined either for transmit (TX) traffic or receive (RX) traffic. Because bandwidth allocation is specified from the perspective of the VE, ...
Page 293: Bandwidth Policies Vs. Bandwidth Shaping
0.0.0.0 00:00:00:00:11:11 UNKNOWN VMReady ports: INTA1-INTC14 Number of entries: 1 0.0.0.0 indicates IP address not yet available EVB Virtual Station Interface Information: Total number of VM Association entries : 0 Note: The Index numbers shown in the VE information displays can be used to specify a particular VE in configuration commands. © Copyright Lenovo 2017 Chapter 16: VMready...
Page 294: Vcenter Hypervisor Hosts
If a vCenter is available, more verbose information can be obtained using the following ISCLI privileged EXEC command: CN 4093# show virt vm -v Index MAC Address, Name (VM or Host), Port, Group Vswitch, IP Address @Host (VMs only) VLAN Port Group ----- ------------ ------------------ ----- ----- ---------- 00:50:56:9c:21:2f atom vSwitch0 172.16.46.15 @172.16.46.10 Eng_A 00:50:56:72:ec:86 172.16.46.50 vSwitch0 172.16.46.51 VMkernel...
Page 295: Vcenter Ves
CN 4093# show virt vmware vms UUID Name(s), IP Address ---------------------------------------------------------------------- 001cdf1d-863a-fa5e-58c0-d197ed3e3300 30vm1 001c1fba-5483-863f-de04-4953b5caa700 VM90 001c0441-c9ed-184c-7030-d6a6bc9b4d00 VM91 001cc06e-393b-a36b-2da9-c71098d9a700 vm_new 001c6384-f764-983c-83e3-e94fc78f2c00 sturgeon 001c7434-6bf9-52bd-c48c-a410da0c2300 VM70 001cad78-8a3c-9cbe-35f6-59ca5f392500 VM60 001cf762-a577-f42a-c6ea-090216c11800 30VM6 001c41f3-ccd8-94bb-1b94-6b94b03b9200 halibut, localhost.localdomain, 172.16.46.15 001cf17b-5581-ea80-c22c-3236b89ee900 30vm5 001c4312-a145-bf44-7edd-49b7a2fc3800 001caf40-a40a-de6f-7b44-9c496f123b00 30VM7 © Copyright Lenovo 2017 Chapter 16: VMready...
Page 296: Vcenter Ve Details
vCenter VE Details If a vCenter is available, the following ISCLI privileged EXEC command displays detailed information about a specific VE: CN 4093# show virt vmware showvm {<VM UUID>|<VM IPv4 address>|<VM name>} --------------------------------------------------------------------- MAC Address 00:50:56:9c:21:2f Port Type Virtual Machine VM vCenter Name halibut VM OS hostname localhost.localdomain VM IP Address 172.16.46.15 VM UUID 001c41f3-ccd8-94bb-1b94-6b94b03b9200 Current VM Host 172.16.46.10 Vswitch vSwitch0 Port Group BNT_Default...
Page 297: Vmready Configuration Example
CN 4093(config)# virt vmgroup 1 vm sierra CN 4093(config)# virt vmgroup 1 vm 00:50:56:4f:f2:00 CN 4093(config)# virt vmgroup 1 portchannel 1 When VMs are added, the internal server ports on which they appear are automatically added to the VM group. In this example, there is no need to manually add ports EXT1 and EXT2. 5. If necessary, enable VLAN tagging for the VM group: CN 4093(config)# virt vmgroup 1 tag Note: If the VM group contains ports which also exist in other VM groups, tagging should be enabled in both VM groups. In this example configuration, no ports exist in more than VM group. © Copyright Lenovo 2017 Chapter 16: VMready...
Page 298 CN4093 Application Guide for N/OS 8.4...
Page 299: Chapter 17. Fcoe And Cee
 “Converged Enhanced Ethernet” on page 302 Converged Enhanced Ethernet (CEE) refers to a set of IEEE standards developed primarily to enable FCoE, requiring enhancing the existing Ethernet standards to make them lossless on a per‐priority traffic basis, and providing a mechanism to carry converged (LAN/SAN/IPC) traffic on a single physical link. CEE features can also be utilized in traditional LAN (non‐FCoE) networks to provide lossless guarantees on a per‐priority basis, and to provide efficient bandwidth allocation. “Priority‐Based Flow Control” on page 312  Priority‐Based Flow Control (PFC) extends 802.3x standard flow control to allow the switch to pause traffic based on the 802.1p priority value in each packet’s VLAN tag. PFC is vital for FCoE environments, where SAN traffic must remain lossless and must be paused during congestion, while LAN traffic on the same links is delivered with “best effort” characteristics. “Enhanced Transmission Selection” on page 316  Enhanced Transmission Selection (ETS) provides a method for allocating link bandwidth based on the 802.1p priority value in each packet’s VLAN tag. Using ETS, different types of traffic (such as LAN, SAN, and management) that are sensitive to different handling criteria can be configured either for specific bandwidth characteristics, low‐latency, or best‐effort transmission, despite sharing converged links as in an FCoE environment. “Data Center Bridging Capability Exchange” on page 322  Data Center Bridging Capability Exchange Protocol (DCBX) allows neighboring network devices to exchange information about their capabilities. This is used between CEE‐capable devices for the purpose of discovering their peers, negotiating peer configurations, and detecting misconfigurations. © Copyright Lenovo 2017...
Page 300: Fibre Channel Over Ethernet
Figure 32. A Mixed Fibre Channel and FCoE Network FCoE Fibre 802.1p Priority & Usage EXT22 INTA1 Channel 3 FCoE Applications Switch 802.1p Priority & Usage Ethernet INTA2 EXT1 Business-Critical LAN Lenovo Chassis Servers In Figure 32 on page 300, the FCoE network is connected to the Fibre Channel network through an FCoE Forwarder (FCF). The FCF acts as a Fibre Channel gateway to and from the multi‐hop FCoE network. A full‐fabric FC/FCoE switch or a Fibre Channel Node Port Virtualized (NPV) switch may perform the FCF function. Although it may be possible to use an external FCF device, this chapter focuses on using the built‐in Fibre Channel features of the CN4093 itself. CN4093 Application Guide for N/OS 8.4...
Page 301: Fcoe Requirements
Automatic FCoE‐related ACLs are independent from ACLs used for typical Ethernet purposes. FCoE Requirements The following are required for implementing FCoE using the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch (CN4093) with ENOS 8.4 software:  The CN4093 must be connected to the Fibre Channel network using the switch’s built‐in Fibre Channel features (see “Fibre Channel” on page 329), or an external FCF device such as another CN4093 switch or a Lenovo RackSwitch G8264CS.  For each CN4093 internal port participating in FCoE, the connected server must use the supported Converged Network Adapter (CNA) and must have the FCoE license enabled (if applicable) on the CNA.  CEE must be turned on (see “Turning CEE On or Off” on page 302). When CEE is on, the DCBX, PFC, and ETS features are enabled and configured with default FCoE settings. These features may be reconfigured, but must remain enabled in order for FCoE to function. FIP snooping must be turned on (see “FCoE Initialization Protocol Snooping” on  page 305). When FIP snooping is turned on, the feature is enabled on all ports by default. The administrator can disable FIP snooping on individual ports that do not require FCoE, but FIP snooping must remain enabled on all FCoE ports in order for FCoE to function. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 302: Converged Enhanced Ethernet
Converged Enhanced Ethernet Converged Enhanced Ethernet (CEE) refers to a set of IEEE standards designed to allow different physical networks with different data handling requirements to be converged together, simplifying management, increasing efficiency and utilization, and leveraging legacy investments without sacrificing evolutionary growth. CEE standards were developed primarily to enable Fibre Channel traffic to be carried over Ethernet networks. This required enhancing the existing Ethernet standards to make them lossless on a per‐priority traffic basis, and to provide a mechanism to carry converged (LAN/SAN/IPC) traffic on a single physical link. Although CEE standards were designed with FCoE in mind, they are not limited to FCoE installations. CEE features can be utilized in traditional LAN (non‐FCoE) networks to provide lossless guarantees on a per‐priority basis, and to provide efficient bandwidth allocation based on application needs. Turning CEE On or Off By default on the CN4093, CEE is turned off. To turn CEE on or off, use the following ISCLI configuration mode commands: CN 4093(config)# [no] cee enable CAUTION: Turning CEE on will automatically change some 802.1p QoS and 802.3x standard flow control settings on the CN4093. Read the following material carefully to determine whether you will need to take action to reconfigure expected settings. It is recommended that you backup your configuration prior to turning CEE on. Viewing the file will allow you to manually re‐create the equivalent configuration once CEE is turned on, and will also allow you to recover your prior configuration if you need to turn CEE off. Effects on Link Layer Discovery Protocol When CEE is turned on, Link Layer Discovery Protocol (LLDP) is automatically ...
Page 303: Effects On 802.1P Quality Of Service
With CEE Off (default) With CEE On Priority COSq Weight Priority COSq PGID When CEE is on, the default ETS configuration also allocates a portion of link bandwidth to each PGID as shown in Table Table 28. Default ETS Bandwidth Allocation PGID Typical Use Bandwidth Latency‐sensitive LAN If the prior, non‐CEE configuration used 802.1p priority values for different purposes, or does not expect bandwidth allocation as shown in Table 28 on page 303, when CEE is turned on, the administrator should reconfigure ETS settings as appropriate. Each time CEE is turned on or off, the appropriate ETS or 802.1p QoS default settings shown in Table 27 on page 303 are restored, and any manual settings made to prior ETS or 802.1p QoS configurations are cleared. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 304: Effects On Flow Control
It is recommended that a configuration backup be made prior to turning CEE on or off. Viewing the configuration file will allow the administrator to manually re‐create the equivalent configuration under the new CEE mode, and will also allow for the recovery of the prior configuration if necessary. Effects on Flow Control When CEE is off (the default), 802.3x standard flow control is enabled on all switch ports by default. When CEE is turned on, standard flow control is disabled on all ports, and in its place, PFC (see “Priority‐Based Flow Control” on page 312) is enabled on all ports for 802.1p priority value 3. This default is chosen because priority value 3 is commonly used to identify FCoE traffic in a CEE environment and must be guaranteed lossless behavior. PFC is disabled for all other priority values. It is recommend that a configuration backup be made prior to turning CEE on or off. Viewing the configuration file will allow the administrator to manually re‐create the equivalent configuration under the new CEE mode, and will also allow for the recovery of the prior configuration if necessary. When CEE is on, PFC can be enabled only on priority value 3 and one other priority. If flow control is required on additional priorities on any given port, consider using standard flow control on that port, so that regardless of which priority traffic becomes congested, a flow control frame is generated. CN4093 Application Guide for N/OS 8.4...
Page 305: Fcoe Initialization Protocol Snooping
Using FIP snooping, the CN4093 examines the FIP frames normally exchanged between the FCF and ENodes to determine information about connected FCoE devices. This information is used to create narrowly tailored ACLs that permit expected FCoE traffic to and from confirmed Fibre Channel nodes, and deny all other undesirable FCoE or FIP traffic. FIP Snooping Requirements The following are required for implementing the FIP snooping bridge feature:  The CN4093 must be connected to the Fibre Channel network through a FCF such as a Lenovo Rackswitch G8264CS, another Lenovo CN4093 10Gb Converged Scalable Switch or a Cisco Nexus 5000 Series Switch.  For each CN4093 switch port participating in FCoE, the connected server must use a FCoE‐licensed Converged Network Adapter (CNA) and must have the FCoE license enabled (if applicable) on the CNA. CEE must be turned on (see “Turning CEE On or Off” on page 302). When CEE  is on, the DCBX, PFC and ETS features are enabled and configured with default FCoE settings. These features may be reconfigured, but must remain enabled for FCoE to function.  FIP snooping must be turned on (see “Global FIP Snooping Settings” on page 306). When FIP snooping is turned on, the feature is enabled on all ports by default. The administrator can disable FIP snooping on individual ports that do not require FCoE, but FIP snooping must remain enabled on all FCoE ports for FCoE to function. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 306: Port Aggregation
Port Aggregation Enterprise NOS 8.4 supports port aggregation for FCoE connections. Link Aggregation (LAGs) can be used for separate FCoE traffic, or for Ethernet and FCoE traffic. The ports can be grouped as static LAGS or dynamic LACP LAGs. Normal aggregation operations such as creating or enabling a LAG, and adding or removing member ports can be performed. When a port is added to a LAG, FCFs previously detected on the port will be deleted. The deleted FCF may be relearned later. However, this may cause flickering in the network traffic. It is recommended that any LAG changes are made prior to live FCoE traffic. Priority‐based Flow Control (PFC) and Data Center Bridging (DCBX) are configured on a per‐port basis. Each port in a LAG must have the same ETS, PFC and DCBX configuration. When a port ceases to be a LAG member, its configuration does not change. Note: If the ports chosen to be part of a certain LAG do not have the same PFC, ETS or DCBX configurations, the switch will display an error. Global FIP Snooping Settings By default, the FIP snooping feature is turned off for the CN4093. The following commands are used to turn the feature on or off: CN 4093(config)# [no] fcoe fips enable Note: FIP snooping requires CEE to be turned on (see “Turning CEE On or Off” on page 302). When FIP snooping is on, port participation may be configured on a port‐by‐port basis (see below). When FIP snooping is off, all FCoE‐related ACLs generated by the feature are removed from all switch ports. FIP Snooping for Specific Ports When FIP snooping is globally turned on, ports may be individually configured for ...
Page 307: Fips Lag Support On Server Ports
Enode. Similarly, any VN‐Port MACs are pinned on a port by port basis within a LAG. Regular (non‐FCoE) Ethernet traffic will continue to operate across the LAG normally (using any of the links based on balancing algorithm). This feature is automatically activated upon server‐port LAG mode detection by FIPS. Note: FCoE Fips must be enabled on FSB/FCF switch. Port FCF and ENode Detection When FIP snooping is enabled on a port, the port is placed in FCF auto‐detect mode by default. In this mode, the port assumes connection to an ENode unless FIP packets show the port is connected to an external FCF. Ports can also be specifically configured as to whether automatic FCF detection should be used, or whether the port is connected to an external FCF or ENode: CN 4093(config)# fcoe fips port <port alias, number, list, or range> fcf-mode {auto|on|off} When FCF mode is on, the port is assumed to be connected to a trusted external FCF, and only ACLs appropriate to FCFs will be installed on the port. When off, the port is assumed to be connected to an ENode, and only ACLs appropriate to ENodes will be installed. When the mode is changed (either through manual configuration or as a result of automatic detection), the appropriate ACLs are automatically added, removed, or changed to reflect the new FCF or ENode connection. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 308: Fcoe Connection Timeout
FCoE Connection Timeout FCoE‐related ACLs and VLANs are added, changed, and removed as FCoE device connection and disconnection are discovered. In addition, the administrator can enable or disable automatic removal of ACLs and VLANs for FCFs and other FCoE connections that timeout (fail or are disconnected) without FIP notification. By default, automatic removal of ACLs upon timeout is enabled. To change this function, use the following CLI command: CN 4093(config)# [no] fcoe fips timeout-acl FCoE ACL Rules When FIP Snooping is enabled on a port, the switch automatically installs the appropriate ACLs to enforce the following rules for FCoE traffic:  Ensure that FIP frames from ENodes may only be addressed to FCFs.  Flag important FIP packets for switch processing.  Ensure no end device uses an FCF MAC address as its source.  Each FCoE port is assumed to be connected to an ENode and include ENode‐specific ACLs installed, until the port is either detected or configured to be connected to an external FCF. Ports that are configured to have FIP snooping disabled will not have any FIP or  FCoE related ACLs installed.  Prevent transmission of all FCoE frames from an ENode prior to its successful completion of login (FLOGI) to the FCF.  After successful completion of FLOGI, ensure that the ENode uses only those FCoE source addresses assigned to it by the FCF.  After successful completion of FLOGI, ensure that all ENode FCoE source ...
Page 309: Fcoe Vlans
FIPS ACLs configured on this port: Ethertype 0x8914, action permit. dmac 00:00:18:01:00:XX, Ethertype 0x8914, action permit. For each ACL, the required traffic criteria are listed, along with the action taken (permit or deny) for matching traffic. ACLs are listed in order of precedence and evaluated in the order shown. The administrator can also view other FCoE information: CN 4093# show fcoe fips fcf (Show all detected FCFs) CN 4093# show fcoe fips fcoe (Show all FCoE connections) © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 310: Operational Commands
Operational Commands The administrator may use the operational commands to delete FIP‐related entries from the switch. To delete a specific FCF entry and all associated ACLs from the switch, use the following command: CN 4093# no fcoe fips fcf <FCF MAC address> [<VLAN number>] FIP Snooping Configuration In this example, as shown in Figure 32 on page 300, port INTA1 is connected to an ENode, and EXT22 is connected to the Fibre Channel network via an internal FCF (see“Fibre Channel” on page 329). FIP snooping can be configured on these ports using the following CLI commands: 1. Enable VLAN tagging on FCoE ports: CN 4093(config)# interface port INTA1, EXT22 (Select FCoE port) CN 4093(config-if)# switchport mode trunk (Enable VLAN tagging) CN 4093(config-if)# exit (Exit port configuration mode) 2.
Page 311 6. Enable FIP snooping on FCoE ports, and set the desired FCF mode: CN 4093(config)# fcoe fips port INTA1 enable (Enable FIPS on FCoE ports) CN 4093(config)# fcoe fips port INTA1 fcf-mode off (Set as ENode connection) CN 4093(config)# fcoe fips port EXT22 fcf-mode on (Set as FCF connection) Note: By default, FIP snooping is enabled on all ports and the FCF mode set for automatic detection. The configuration in this step is unnecessary if default settings have not been changed, and is shown merely as a manual configuration example. 7. Save the configuration. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 312: Priority-Based Flow Control
Priority-Based Flow Control Priority‐based Flow Control (PFC) is defined in IEEE 802.1Qbb. PFC extends the IEEE 802.3x standard flow control mechanism. Under standard flow control, when a port becomes busy, the switch manages congestion by pausing all the traffic on the port, regardless of the traffic type. PFC provides more granular flow control, allowing the switch to pause specified types of traffic on the port, while other traffic on the port continues. PFC pauses traffic based on 802.1p priority values in the VLAN tag. The administrator can assign different priority values to different types of traffic and then enable PFC for up to two specific priority values: priority value 3, and one other. The configuration can be applied on a port‐by‐port basis, or globally for all ports on the switch. Then, when traffic congestion occurs on a port (caused when ingress traffic exceeds internal buffer thresholds), only traffic with priority values where PFC is enabled is paused. Traffic with priority values where PFC is disabled proceeds without interruption but may be subject to loss if port ingress buffers become full. Although PFC is useful for a variety of applications, it is required for FCoE implementation where storage (SAN) and networking (LAN) traffic are converged on the same Ethernet links. Typical LAN traffic tolerates Ethernet packet loss that can occur from congestion or other factors, but SAN traffic must be lossless and requires flow control. For FCoE, standard flow control would pause both SAN and LAN traffic during congestion. While this approach would limit SAN traffic loss, it could degrade the performance of some LAN applications that expect to handle congestion by dropping traffic. PFC resolves these FCoE flow control issues. Different types of SAN and LAN traffic can be assigned different IEEE 802.1p priority values. PFC can then be enabled for priority values that represent SAN and LAN traffic that must be paused during congestion, and disabled for priority values that represent LAN traffic that is more loss‐tolerant. PFC requires CEE to be turned on (“Turning CEE On or Off” on page 302). When CEE is turned on, PFC is enabled on priority value 3 by default. Optionally, the administrator can also enable PFC on one other priority value, providing lossless handling for another traffic type, such as for a business‐critical LAN application. Note: For any given port, only one flow control method can be implemented at any given time: either PFC or standard IEEE 802.3x flow control. CN4093 Application Guide for N/OS 8.4...
Page 313: Global Vs. Port-By-Port Pfc Configuration
 PFC is not restricted to CEE and FCoE networks. In any LAN where traffic is separated into different priorities, PFC can be enabled on priority values for loss‐sensitive traffic. If all ports have the same priority definitions and utilize the same PFC strategy, PFC can be globally configured. If you want to enable PFC on a priority, do one of the following:  Create a separate priority group (see “Priority Groups” on page 317).  Move the priority to an existing priority group in which PFC is turned on. Since there are separate COS queue and ETS configurations, creating a distinct priority group is preferred. When configuring ETS and PFC on the switch, perform ETS configuration before performing PFC configuration. If two priorities are enabled on a port, the switch sends PFC frames for both priorities, even if only traffic tagged with one of the priorities is being received on that port. Note: When using global PFC configuration in conjunction with the ETS feature (see “Enhanced Transmission Selection” on page 316), ensure that only pause‐tolerant traffic (such as lossless FCoE traffic) is assigned priority values where PFC is enabled. Pausing other types of traffic can have adverse effects on LAN applications that expect uninterrupted traffic flow and tolerate dropping packets during congestion. Use PFC globally only if all priority values assigned for lossless traffic on one or more ports does not carry loss‐tolerant traffic on other ports. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 314: Pfc Configuration Example
PFC Configuration Example Note: DCBX may be configured to permit sharing or learning PFC configuration with or from external devices. This example assumes that PFC configuration is being performed manually. See “Data Center Bridging Capability Exchange” on page 322 for more information on DCBX. This example is consistent with the network shown in Figure 32 on page 300. In this example, the following topology is used. Table 29. Port‐Based PFC Configuration Switch 802.1p Usage Port Priority Setting EXT1 0‐2 Disabled (not used) Enabled Business‐critical LAN Enabled others (not used) Disabled EXT22 Fiber Channel network Enabled INTA1 FCoE Enabled others (not used) Disabled INTA2 0‐2...
Page 315 CN 4093(config)# cee port INTA2 pfc priority 4 description "Critical LAN" CN 4093(config)# cee port EXT1 pfc priority 4 enable( LAN priority) CN 4093(config)# cee port EXT1 pfc priority 4 description "Critical LAN" 4. Save the configuration. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 316: Enhanced Transmission Selection
Enhanced Transmission Selection Enhanced Transmission Selection (ETS) is defined in IEEE 802.1Qaz. ETS provides a method for allocating port bandwidth based on 802.1p priority values in the VLAN tag. Using ETS, different amounts of link bandwidth can specified for different traffic types (such as for LAN, SAN, and management). ETS is an essential component in a CEE environment that carries different types of traffic, each of which is sensitive to different handling criteria, such as Storage Area Networks (SANs) that are sensitive to packet loss, and LAN applications that may be latency‐sensitive. In a single converged link, such as when implementing FCoE, ETS allows SAN and LAN traffic to coexist without imposing contrary handling requirements upon each other. The ETS feature requires CEE to be turned on (see “Turning CEE On or Off” on page 302). 802.1p Priority Values Under the 802.1p standard, there are eight available priority values, with values numbered 0 through 7, which can be placed in the priority field of the 802.1Q VLAN tag: 16 bits 3 bits 12 bits Tag Protocol ID (0x8100) Priority C VLAN ID 15 16 Servers and other network devices may be configured to assign different priority values to packets belonging to different traffic types (such as SAN and LAN). ETS uses the assigned 802.1p priority values to identify different traffic types. The ...
Page 317: Priority Groups
Priority Groups For ETS use, each 801.2p priority value is assigned to a priority group which can then be allocated a specific portion of available link bandwidth. To configure a priority group, the following is required:  CEE must be turned on (“Turning CEE On or Off” on page 302) for the ETS feature to function.  A priority group must be assigned a priority group ID (PGID), one or more 802.1p priority values, and allocated link bandwidth greater than 0%. PGID Each priority group is identified with number (0 through 7, and 15) known as the PGID. PGID 0 through 7 may each be assigned a portion of the switch’s available bandwidth. PGID 8 through 14 are reserved as per the 802.1Qaz ETS standard. PGID 15 is a strict priority group. It is generally used for critical traffic, such as network management. Any traffic with priority values assigned to PGID 15 is permitted as much bandwidth as required, up to the maximum available on the switch. After serving PGID 15, any remaining link bandwidth is shared among the other groups, divided according to the configured bandwidth allocation settings. All 802.1p priority values assigned to a particular PGID should have similar traffic handling requirements. For example, PFC‐enabled traffic should not be grouped with non‐PFC traffic. Also, traffic of the same general type should be assigned to the same PGID. Splitting one type of traffic into multiple 802.1p priorities, and then assigning those priorities to different PGIDs may result in unexpected network behavior. Each 802.1p priority value may be assigned to only one PGID. However, each PGID may include multiple priority values. Up to eight PGIDs may be configured at any given time. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 318: Assigning Priority Values To A Priority Group
Assigning Priority Values to a Priority Group Each priority group may be configured from its corresponding ETS Priority Group, available using the following command: CN 4093(config)# cee global ets priority-group pgid <group number (0‐7, or 15)> priority <priority list> where priority list is one or more 802.1p priority values (with each separated by a comma). For example, to assign priority values 0 through 2: CN 4093(config)# cee global ets priority-group pgid <group number (0‐7, or 15)> priority 0,1,2 Note: Within any specific PGID, the PFC settings (see “Priority‐Based Flow Control” on page 312) should be the same (enabled or disabled) for all priority values within the group. PFC can be enabled only on priority value 3 and one other priority. If the PFC setting is inconsistent within a PGID, a warning message is reported when attempting to apply the configuration. When assigning priority values to a PGID, the specified priority value will be automatically removed from its old group and assigned to the new group when the configuration is applied.
Page 319: Allocating Bandwidth
Bandwidth allocation must be 0% for any PGID that has no assigned 802.1p pri‐  ority values.  Any PGID assigned one or more priority values must have a bandwidth allocation greater than 0%.  Total bandwidth allocation for groups 0 through 7 must equal exactly 100%. Increasing or reducing the bandwidth allocation of any PGID also requires adjusting the allocation of other PGIDs to compensate. If these conditions are not met, the switch will report an error when applying the configuration. Note: Actual bandwidth used by any specific PGID may vary from configured values by up to 10% of the available bandwidth in accordance with 802.1Qaz ETS standard. For example, a setting of 10% may be served anywhere from 0% to 20% of the available bandwidth at any given time. Unlimited Bandwidth for PGID 15 PGID 15 is permitted unlimited bandwidth and is generally intended for critical traffic (such as switch management). Traffic in this group is given highest priority and is served before the traffic in any other priority group. If PGID 15 has low traffic levels, most of the switch’s bandwidth will be available to serve priority groups 0 through 7. However, if PGID 15 consumes a larger part of the switch’s total bandwidth, the amount available to the other groups is reduced. Note: Consider traffic load when assigning priority values to PGID 15. Heavy traffic in this group may restrict the bandwidth available to other groups. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 320: Configuring Ets
Configuring ETS Consider an example consistent with that used for port‐based PFC configuration (on page 314): Table 30. ETS Configuration Priority Usage PGID Bandwidth LAN (best effort delivery) LAN (best effort delivery) LAN (best effort delivery) SAN (Fibre Channel over Ethernet, with PFC) Business Critical LAN (lossless Ethernet, with PFC) Latency‐sensitive LAN Latency‐sensitive LAN Network Management (strict) unlimited The example shown in Table 30 is only slightly different than the default configuration shown in Figure 33 on page 316. In this example, latency‐sensitive LAN traffic (802.1p priority 5 through 6) are moved from priority group 2 to priority group 3. This leaves Business Critical LAN traffic (802.1p priority 4) in priority group 2 by itself. Also, a new group for network management traffic has been assigned. Finally, the bandwidth allocation for priority groups 1, 2, and 3 are revised. Note: DCBX may be configured to permit sharing or learning PFC configuration with or from external devices. This example assumes that PFC configuration is being performed manually. See “Data Center Bridging Capability Exchange” on page 322 for more information on DCBX. CN4093 Application Guide for N/OS 8.4...
Page 321 10 pgid 1 bandwidth 20 pgid 2 bandwidth 30 pgid 3 bandwidth 40 (Configure link bandwidth restriction) 3. Configure the strict priority group with a description (optional) and a list of 802.1p priority values: CN 4093(config)# cee global ets priority-group pgid 15 priority 7 CN 4093(config)# cee global ets priority-group pgid 15 description "Network Management" Note: Priority group 15 is permitted unlimited bandwidth. As such, the commands for priority group 15 do not include bandwidth allocation. 4. Save the configuration. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 322: Data Center Bridging Capability Exchange
Data Center Bridging Capability Exchange Data Center Bridging Capability Exchange (DCBX) protocol is a vital element of CEE. DCBX allows peer CEE devices to exchange information about their advanced capabilities. Using DCBX, neighboring network devices discover their peers, negotiate peer configurations, and detect misconfigurations. DCBX provides two main functions on the CN4093: Peer information exchange  The switch uses DCBX to exchange information with connected CEE devices. For normal operation of any FCoE implementation on the CN4093, DCBX must remain enabled on all ports participating in FCoE.  Peer configuration negotiation DCBX also allows CEE devices to negotiate with each other for the purpose of automatically configuring advanced CEE features such as PFC, ETS, and (for some CNAs) FIP. The administrator can determine which CEE feature settings on the switch are communicated to and matched by CEE neighbors, and also which CEE feature settings on the switch may be configured by neighbor requirements. The DCBX feature requires CEE to be turned on (see “Turning CEE On or Off” on page 302). DCBX Settings When CEE is turned on, DCBX is enabled for peer information exchange on all ports. For configuration negotiation, the following default settings are configured:  Application Protocol: FCoE and FIP snooping is set for traffic with 802.1p priority 3  PFC: Enabled on 802.1p priority 3  Priority group 0 includes priority values 0 through 2, with bandwidth  allocation of 10% Priority group 1 includes priority value 3, with bandwidth allocation of 50% ...
Page 323: Enabling And Disabling Dcbx
Set this flag when required by the remote CEE peer for a particular feature as part of DCBX signaling and support. Although some devices may also expect this flag to indicate that the switch will accept overrides on feature settings, the CN4093 retains its configured settings. As a result, the administrator should configure the feature settings on the switch to match those expected by the remote CEE peer. These flags are available for the following CEE features: Application Protocol  DCBX exchanges information regarding FCoE and FIP snooping, including the 802.1p priority value used for FCoE traffic. The advertise flag is set or reset using the following command: CN 4093(config)# [no] cee port <port alias or number> dcbx app_proto advertise The willing flag is set or reset using the following command: CN 4093(config)# [no] cee port <port alias or number> dcbx app_proto willing © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 324: Configuring Dcbx
 DCBX exchanges information regarding whether PFC is enabled or disabled on the port. The advertise flag is set or reset using the following command: CN 4093(config)# [no] cee port <port alias or number> dcbx pfc advertise The willing flag is set or reset using the following command: CN 4093(config)# [no] cee port <port alias or number> dcbx pfc willing  DCBX exchanges information regarding ETS priority groups, including their 802.1p priority members and bandwidth allocation percentages. The advertise flag is set or reset using the following command: CN 4093(config)# [no] cee port <port alias or number> dcbx ets advertise The willing flag is set or reset using the following command: CN 4093(config)# [no] cee port <port alias or number> dcbx ets willing Configuring DCBX Consider an example consistent Figure 32 on page 300 and used with the previous ...
Page 325 CN 4093(config)# cee port EXT1 dcbx app_proto advertise CN 4093(config)# cee port EXT1 dcbx ets advertise CN 4093(config)# cee port EXT1 dcbx pfc advertise 4. Disable DCBX for each non‐CEE port as appropriate: CN 4093(config)# no cee port INTA3-INTC14,EXT2-EXT22 dcbx enable 5. Save the configuration. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 326: Fcoe Example Configuration
802.1p Priority & Usage EXT22 INTA1 Channel 3 FCoE Applications Switch 802.1p Priority & Usage Ethernet INTA2 EXT1 Business-Critical LAN Lenovo Chassis Servers In Figure 34 on page 326, a Fibre Channel network is connected to the CN4093 on port EXT22. The FCoE‐enabled CN4093 is internally connected to a blade server (ENode) through an FCoE‐enabled CNA on port INTA1. An internal FCF bridges the networks. 1. Configure FCoE ports as trunk ports and add them to FCoE VLAN for FCoE traffic and any Native VLAN (other than the FCoE VLAN) for FIP negotiation: CN 4093(config)# interface port INTA1 (Select FCoE ports) CN 4093(config-if)# switchport mode trunk (Enable VLAN tagging)
Page 327 10 pgid 1 bandwidth 20 pgid 2 bandwidth 30 pgid 3 bandwidth 40 (Configure link bandwidth restriction) 9. Configure the strict priority group with a description (optional) and a list of 802.1p priority values: CN 4093(config)# cee global ets priority-group pgid 15 priority 7 CN 4093(config)# cee global ets priority-group pgid 15 description "Network Management" Note: Priority group 15 is permitted unlimited bandwidth. As such, the commands for priority group 15 do not include bandwidth allocation. © Copyright Lenovo 2017 Chapter 17: FCoE and CEE...
Page 328 10. Enable desired DCBX configuration negotiation on FCoE ports: CN 4093(config)# cee port INTA1 dcbx enable CN 4093(config)# cee port INTA1 dcbx app_proto advertise CN 4093(config)# cee port INTA1 dcbx ets advertise CN 4093(config)# cee port INTA1 dcbx pfc advertise 11. Enable desired DCBX advertisements on other CEE ports: CN 4093(config)# cee port INTA2 dcbx enable CN 4093(config)# cee port INTA2 dcbx app_proto advertise CN 4093(config)# cee port INTA2 dcbx ets advertise CN 4093(config)# cee port INTA2 dcbx pfc advertise...
Page 330: Ethernet Vs. Fibre Channel
Ethernet vs. Fibre Channel As a converged switch, the CN4093 10 Gb Converged Scalable Switch provides simultaneous support of Ethernet and Fibre Channel networks. Ethernet is ubiquitous in modern networks. It is generally quick, easy, and inexpensive to implement. Ethernet is also flexible and dynamic by nature. Devices join and leave a well‐designed Ethernet network with little impact beyond their individual function. Because flux is the norm, Ethernet is classified as a “best effort” delivery protocol. This means that some loss of packets is acceptable, and that with multiple routes often available, packets in a stream may arrive at their destination out of sequence. Ethernet devices are expected to re‐request and resend lost packets, and reassemble data in the proper order at the destination. The Fibre Channel protocol adheres to a very different philosophy. Fibre Channel is most popular in storage networks end‐to‐end stability, reliability, and security are emphasized in favor over low cost and dynamic scalability. In Fibre Channel networks, the connecting ports must be fully authorized to communicate with their well‐defined neighbors. Bandwidth for properly connected devices is tuned to avoid loss due to congestion. Also, routes for traffic are converged in advance, ensuring that only one route is used by any given traffic stream so that packets arrive in their expected sequence. Ethernet and Fibre Channel networks are coming into contact with each other more frequently in modern networks. In some cases, legacy Fibre Channel devices are connected via Ethernet networks using Converged Enhanced Ethernet (CEE), a collection of recent Ethernet features designed to satisfy Fibre Channel delivery expectations. Although not the focus of this chapter, the CN4093 supports CEE and Fibre Channel over Ethernet (FCoE). For details, see “FCoE and CEE” on page 299. Another approach is to use converged switches such as the CN4093 to support direct connection to both Ethernet and Fibre Channel networks. This allows a “best of both worlds” approach, using ubiquitous Ethernet networks for regular traffic, and full connection to Fibre Channel networks for lossless applications and the legacy architecture of established Storage Area Networks. CN4093 Application Guide for N/OS 8.4...
Page 331: Supported Switch Roles
These functions are independent of each other, and can coexist or be used in combination on the switch. The CN4093 acts as a bridge between FCoE traffic and the Fibre Channel network. The switch performs Ethernet encapsulation for traffic heading to Ethernet ports, and performs decapsulation for traffic to Fibre Channel ports. FCoE features are covered in “FCoE and CEE” on page 299. These features can be used independently or in conjunction with NPV gateway and full fabric switch features. NPV Gateway As a Node Port Virtualized (NPV) gateway, the CN4093 can act as a Fibre Channel collector, connecting numerous Fibre Channel end‐point devices (known as nodes) for uplink to a Fibre Channel full fabric switch, performing stateless FC/FCoE encapsulation and decapsulation. This helps resolve a typical problem in Fibre Channel networks where port density is low on Director Class SAN switches, or considered too valuable to relegate to individual nodes. As an NPV gateway, the CN4093 acts as a proxy to the upstream full fabric switch on behalf of the connected nodes. The CN4093 supports standard Node Port Identifier Virtualization (NPIV) behavior. The NPV gateway allows concurrent logins from multiple node ports (and multiple server connections) to be forwarded upstream to the full‐fabric switch. The upstream switch provides full fabric services such as zoning enforcement, and makes all switching decisions. The gateway switch appears as a Fibre Channel end node to the full fabric switch, and acts as proxy for the full fabric switch to its connected node devices. When multiple uplink ports are available between the NPV gateway and the upstream switch, nodes are not ensured to be assigned the same uplink whenever they request a session. Only FCoE end nodes are allowed to be downstream connections. All Fibre Channel devices are connected to the full fabric FC switch. © Copyright Lenovo 2017 Chapter 18: Fibre Channel...
Page 332: Full-Fabric Fc/Fcoe Switch
Full-Fabric FC/FCoE Switch As a full fabric FC/FCoE switch, the CN4093 authenticates connecting neighbors, provides Fibre Channel IDs, enforces port security among zones, and informs neighboring devices of network changes. When acting as a full‐fabric switch, the CN4093 can be connected to NPV gateways or directly to Fibre Channel nodes. In full‐fabric mode, the CN4093 can be connected directly to another full fabric CN4093 or a Lenovo RackSwitch G8264CS through Fibre Channel ISL. For further details, see “E‐Ports” on page 341. Limitations In Enterprise NOS 8.4, CN4093 does not support the following Fibre Channel port types:  FL ports connecting storage fabric loop devices. CN4093 Application Guide for N/OS 8.4...
Page 333: Implementing Fibre Channel
Ethernet Ports (Internal) INTA1‐INTA14 (ports 1‐14), INTB1‐INTB14 (15‐28), INTC1‐INTC14 (29‐42) These standard 10Gb SFP+ Ethernet ports connect internally to servers in the system chassis.  Ethernet Ports (External EXT1‐EXT2 (ports 43‐44) These standard 10Gb SFP+ Ethernet ports provide external connectors. High‐Capacity Ethernet Ports (External)  EXT3‐EXT10 (ports 45‐52) These 40Gb QSFP+ Ethernet ports can be configured as either two 40Gb Ethernet ports (EXT3 and EXT7), or as four 10Gb Ethernet ports (EXT3‐EXT6, EXT7‐EXT10).  Omni Ports (External) EXT11‐EXT22 (ports 53‐64) These 10Gb SFP+ hybrid ports can be configured to operate either in Ethernet mode (the default) or in Fibre Channel mode for direct connection to Fibre Channel devices. All Ethernet ports (including the Omni Ports by default) can carry any Ethernet data traffic, including Fibre Channel over Ethernet (FCoE) traffic. When configured to operate in Fibre Channel mode, Omni Ports can be used as Fibre Channel downlinks (connected to Fibre Channel servers or storage devices) or as uplinks (connected to the data center SAN network). The Omni Port mode (Ethernet or Fibre Channel) can be changed only for pairs of ports. The following port pairs share the same mode: EXT11‐EXT12, EXT13‐EXT14, EXT15‐EXT16, EXT17‐EXT18, EXT19‐EXT20, EXT21‐EXT22. Any combination of the mentioned port pairs is allowed for converting into FC ports. Paired ports need not be connected to the same device and can even be used in different VLANs. The only required mutual attribute is the network type (Ethernet or Fibre Channel). © Copyright Lenovo 2017 Chapter 18: Fibre Channel...
Page 334: Fibre Channel Vlans
Fibre Channel configuration requires that at least one pair of Omni Ports be set to Fibre Channel mode. The mode for Omni Port pairs or ranges can be configured using the following privileged configuration command: CN 4093(config)# [no] system port <low port>-<high port> type fc Fibre Channel VLANs On the CN4093, each Fibre Channel network connected to the switch must be assigned its own VLAN. For each VLAN used with Fibre Channel, following properties must be defined:  VLAN number Switch role (NPV mode or full fabric mode)   Port membership Fibre Channel ports roles (as uplink ports or node connections)  The following commands are used to define a typical VLAN:  Set or delete a VLAN CN 4093(config)# [no] vlan <VLAN number> FCoE networks typically use VLAN 1002. If using a different VLAN for FCoE, be sure that any connected servers and FCoE bridge will support your selection. This command initiates VLAN configuration mode. All VLAN‐related Fibre Channel configuration is performed in this mode. Enable or disable the VLAN  CN 4093(config-vlan)# [no] shutdown Exit VLAN configuration mode ...
Page 335: Switching Mode
FCoE ports can have any native VLAN. A Fibre Channel VLAN must not be configured as the native VLAN of the FCoE ports. Switching Mode The switch’s role in the Fibre Channel network can be defined on a per‐VLAN basis. The administrator can specify one of the following modes:  NPV mode to uplink one or more nodes to a full fabric switch  Full fabric mode The CN4093 supports up to 12 Fibre Channel VLANs at any given time. Only one mode can be active on any specific VLAN at a given time, and only one VLAN can operate in full fabric mode. From within VLAN configuration mode, the following commands are used to specify the Fibre Channel mode:  To enable or disable NPV mode: CN 4093(config-vlan)# [no] npv enable  To enable or disable full fabric mode: CN 4093(config-vlan)# [no] fcf enable Note: Trunking must be enabled for FCoE Ports and these ports must be part of the Fibre Channel VLAN (NPV/FCF). © Copyright Lenovo 2017 Chapter 18: Fibre Channel...
Page 336: Npv Gateway
NPV Gateway As a Node Port Virtualized (NPV) gateway, the CN4093 can act as a Fibre Channel collector, connecting numerous Fibre Channel end‐point devices (known as nodes) for uplink to a Fibre Channel full fabric switch, performing stateless FC/FCoE encapsulation and decapsulation. For more details, see “NPV Gateway” on page 331. NPV Port Traffic Mapping Within each VLAN used with Fibre Channel, the physical ports may be used in the following roles: NPV External Interfaces  All NPV gateways on the CN4093 must connect to a full fabric switch. The NPV external interface map specifies which Fibre Channel port or ports (Omni Ports set to Fibre Channel mode) are used for this purpose within each Fibre Channel VLAN. At least one Fibre Channel port is required, though two are typically used in order to provide redundancy. The following VLAN configuration command is used to define or remove the uplink: CN 4093(config-vlan)# [no] npv traffic-map external-interface <ports>  Fibre Channel over Ethernet node Traffic from Ethernet ports which are properly configured to use CEE and FCoE (see “FCoE and CEE” on page 299) is permitted with no additional configuration.  Ethernet Traffic on regular (non‐FCoE) Ethernet ports will be blocked on Fibre Channel VLANs. NPV Disruptive Load-Balancing Every server connected to the NPV gateway logs into an upstream FC switch ...
Page 337: Limitations
The CLI for this option is: CN 4093(config-vlan)# [no] npv auto-disruptive-load-balance enable Note: This option triggers a disruptive load‐balance 60 seconds after the FC port came online. If any uplinks are flapping in the configured VLAN, the disruptive load‐balance will not be triggered. Note: The automated option will only take care of the imbalances caused by Fibre Channel uplinks flapping, not Enodes flapping. In the later case, manual load‐balance command should be used. Note: To check which VLANs are have automated disruptive load‐balancing enabled, use the following command: CN 4093(config-vlan)# show npv auto-disruptive-load-balance The load‐balancing is disruptive in nature as few devices are forced to logout and initiate a re‐login. The switch attempts to limit disruption by moving the fewest nodes necessary. Limitations Only Emulex CNAs participate in load‐balancing. FCoE targets (Ex: V7000) are not load‐balanced. Other CNAs (such as Qlogic) store FCF information and try to login to the same FCF (uplink), so they are not balanced. Servers with AIX Operating Systems also canʹt be load‐balanced for this reason. © Copyright Lenovo 2017 Chapter 18: Fibre Channel...
Page 338: Full Fabric Mode
Full Fabric Mode As a full fabric FC/FCoE switch, the CN4093 authenticates connecting neighbors, provides Fibre Channel IDs, enforces port security among zones, and informs neighboring devices of network changes. For more details, see “Full‐Fabric FC/FCoE Switch” on page 332. Full Fabric Zoning The CN4093 supports Fibre Channel zones and zonesets for VLANs operating in full fabric mode. In NPV gateway mode, zoning is controlled by the upstream full fabric switch and is not configurable in the NPV gateway VLAN. Zoning allows logical grouping of ports and storage devices within a storage area network. Zoning defines access control between groups of servers and storage devices. A SAN typically is divided into zones and zonesets, as described in the following sections. Zones A zone is a logical grouping of end nodes that are permitted to interact with each other. Zones can be grouped into a zonesets, which can be activated or deactivated as a single entity. A zone provides security by restricting access to only those devices that reside within the zone. Zoning also confines change notification floods within each zone. Each zone contains one or more servers and one or more storage devices. Ports and devices in a zone are called zone members. A zone contains one or more zone members. A device can belong to one or more zones. End nodes that are members of a zone can communicate with each other, but they are isolated from nodes in other zones of which they are not a member. Note: Only use the default zoneset with a limited number of FCoE connections or for testing purposes. If you need multiple FCoE connections, it is recommended that you configure well‐defined zoning. If no zone is configured for the device, it resides in the default zone. You can configure the default zone to permit or deny its member devices to communicate with each other. You can specify zone members based on any of the following criteria:  pWWN: The port World Wide Number is a unique ID represting a particular end node. The pWWN is a 64‐bit hexadecimal value (for example, ...
Page 339 Repeat for each alias as necessary. 2. For each desired zone: a. Name (or remove) the zone. CN 4093(config)# [no] zone name <zone name> b. Add (or remove) one or more members to the zone using either pWWNs, FC IDs, or FC Aliases CN 4093(config-zone)# [no] member pwwn <port World Wide Name> CN 4093(config-zone)# [no] member fcid <Fibre Channel ID> CN 4093(config-zone)# [no] member fcalias <device alias name> © Copyright Lenovo 2017 Chapter 18: Fibre Channel...
Page 340 Repeat as necessary for each member device. c. Exit from zone configuration: CN 4093(config-zone)# exit 3. For each desired zoneset: a. Name (or remove) the zoneset. CN 4093(config)# [no] zoneset name <zoneset name> b. Add (or remove) one or more member zones to the zoneset: CN 4093(config-zoneset)# [no] member <zone name> Repeat as necessary for each member zone. c. Exit from zoneset configuration: CN 4093(config-zone)# exit Activating Zoneset Fibre Channel is intended to operate with minimal disruption. To prevent the various synchronization events that would result if each stage of a live zoning configuration was applied, the cumulative configuration changes for zones and zoneset are held in reserve until explicitly activated by the administrator. When activated, the new zoneset will be synchronized throughout the Fibre Channel fabric for each modified zone. Fibre Channel traffic will be temporarily disrupted in modified zones as changes to the fabric are recognized by the connected devices. Until activation, the previously established zoneset will remain in effect. The basic zoneset commands are as follows: ...
Page 341: E-Ports
Configuration Configuration Zone Set State is Zone Set State is No change Deactivated. Activated or Deactivated. Zone Set State is Zone Set State is Zone Set gets the Adjacent Activated. Deactivated. Zone Set State (i.e., the Zone Set is activated). Zone Set gets the adjacent Zone Set. Adjacent Zone Set is equal to the Local Zone Set No change Adjacent and Local Zone Sets contain a Zone with ISL Isolated. the same name but different members. Adjacent Zone Set contains Zones that are not Zone Set State becomes included in the Local Zone Set, and/or Local Zone Activated. Set contains Zones that are not included in the Zone Set is the merge of the Adjacent Zone Set. local Zones plus the Adjacent Zones. E‐ports cannot be used to form stack LAG links. © Copyright Lenovo 2017 Chapter 18: Fibre Channel...
Page 342: Optimized Fcoe Traffic Flow
Limitations  Enterprise NOS supports ISL distance up to 3 kms. E‐ports can be configured only on Lenovo Flex System Fabric CN4093 10 Gb  Converged Scalable Switch and Lenovo RackSwitch G8264CS. E‐ports cannot interoperate with the switches from other vendors.  A maximum of eight switches are supported in a Fibre Channel fabric.  A maximum of four E‐ports can be configured on a switch. Optimized FCoE Traffic Flow To optimize FCoE traffic flow between FCoE enodes, optimized‐forwarding feature installs appropriate ACL entries for logged‐in nodes. Usually, any FC/FCoE traffic in full fabric mode should go through FC module for Zone check. We can achieve low latency if the Zone check is done on Ethernet switch module for FCoE‐FCoE traffic. Optimized feature is enabled by default in Full fabric mode, and is not applicable to NPV mode. Note: FCoE‐FC and FC‐FC traffic is not optimized. If needed, the administrator can disable optimized‐forwarding feature. Prior to that, disable FIP snooping. Use the following commands: CN 4093(config)# no fcoe fips enable CN 4093(config)# no fcoe optimized-forwarding enable To re‐enable optimized‐forwarding feature, use the following command sequence: CN 4093(config)# no fcoe fips enable...
Page 343: Storage Management Initiative Specification (Smi-S)
 Zoning updates  Create and destroy zone set, zone, and zone alias  Add/Remove zone to zone set, zone alias, or port WWN to zone and port WWN to zone alias  Activate and deactivate zoneset The IBM Director (includes Tivoli Storage Productivity Center (TPC)) is used to configure and administer the fibre channel fabric. Connection with the SMI‐S agent can be established via IPv4 or IPv6 management interface using HTTP/HTTPS. Use the following link: http://<Management IP address>:5988 (OR) https://<Management IP address>:5989 The namespace for the SMI‐S agent is root/interop. You will need to authenticate using the login and password configured for the switch. Restrictions The current implementation of SMI‐S does not support the following:  NPV mode  Zone configuration on the switch that uses FC IDs instead of port WWNs. Note: The CLI commands may be available, but the zone configuration will not be applied. © Copyright Lenovo 2017 Chapter 18: Fibre Channel...
Page 344: Fibre Channel Configuration
Example 1: NPV Gateway In this example, the CN4093 operates as an NPV gateway: Figure 35. Using the CN4093 as an NPV Gateway INTA1 FCoE EXT11 Storage Area Lenovo INTA2 FCoE Converged Network Switch INTA3 FCoE EXT12 INTA4 FCoE Full Fabric Switch Lenovo Chassis The switch connects to FCoE node ports to an external Fibre Channel full fabric switch. Because multiple nodes will share the CN4093 uplinks, the network must be configured as an NPV gateway. Note: Up to 12 Fibre Channel VLANs can be configured on the switch at any given time, any or all of which can be configured as NPV gateways. CN4093 Application Guide for N/OS 8.4...
Page 345 CN 4093(config-if)# exit 4. Specify a VLAN for this Fibre Channel network: CN 4093(config)# vlan 1002 5. Enable NPV mode on the VLAN: CN 4093(config-vlan)# npv enable 6. Specify which external ports are connected to the upstream Fibre Channel full fabric switch: CN 4093(config-vlan)# npv traffic-map external-interface ext11-ext12 CN 4093(config-vlan)# exit Note: Although this example depicts two Fibre Channel ports connected to the upstream device, this is done for the sake of network redundancy. Only one Fibre Channel port is actually required. 7. Remove unused ports—ports that are not part of the uplink to the Fibre Channel fabric—from the NPV VLAN. © Copyright Lenovo 2017 Chapter 18: Fibre Channel...
Page 346: Example 2: Full Fabric Fc/Fcoe Switch
FCoE Zone1 Converged Switch INTA7 FCoE Zone2 Fibre Channel EXT14 INTA8 FCoE Zone2 Server Zone1 Lenovo Chassis In this example network, the CN4093 acts as the full fabric switch for the Fibre Channel network in two zones. Note: Although up to 12 Fibre Channel VLANs can be configured on the switch at any given time, only one can operate in full fabric mode. The rest may be configured as NPV gateways. For instance, the full fabric configuration in this example can be used simultaneously with up to 11 NPV gateways configured as shown in the NPV example on page 346. 1. Specify which Omni Ports will be used for Fibre Channel devices: CN 4093(config)# system port ext13-ext14 type fc Note: On the CN4093, Fibre Channel devices can be connected only to Omni Ports. Omni Ports connected to FCoE devices are considered part of the Ethernet network and should be left to operate in Ethernet mode. 2. Enable tagging/trunk mode for internal ports participating in FCoE:...
Page 347 CN 4093(config-zone)# member pwwn 20:34:00:80:e5:18:b3:58 CN 4093(config-zone)# member pwwn 20:34:00:80:e5:28:31:13 CN 4093(config-zone)# exit CN 4093(config)# zoneset name City1 CN 4093(config-zoneset)# member Zone1 CN 4093(config-zoneset)# member Zone2 CN 4093(config-zoneset)# exit CN 4093(config)# zoneset activate name City1 © Copyright Lenovo 2017 Chapter 18: Fibre Channel...
Page 348: Fibre Channel Standard Protocols Supported
Fibre Channel Standard Protocols Supported Following table lists the standard FC protocols supported on the CN4093 10 Gb Converged Scalable Switch. Table 32. FC Protocols Supported Protocol Fibre Channel FCoE ∙ T11 FCoE Initialization Protocol (FIP) (FC‐BB‐5) Fibre Channel forwarding (FCF) Port Types Fibre Channel: F, NP, VF E (N/OS 7.8 onwards) Sixteen Buffer credits supported: Fabric Device Management Interface (FDMI) NPIV NPV Gateway Fabric Shortest Path First (FSPF) Port security Fibre Channel ping, debugging Fibre Channel Standards ∙ FC‐PH, Revision 4.3 (ANSI/INCITS 230‐1994) FC‐PH, Amendment 1 (ANSI/INCITS 230‐1994/AM1 1996) FC‐PH, Amendment 2 (ANSI/INCITS 230‐1994/AM2‐1999) FC‐PH‐2, Revision 7.4 (ANSI/INCITS 297‐1997) FC‐PH‐3, Revision 9.4 (ANSI/INCITS 303‐1998) FC‐PI, Revision 13 (ANSI/INCITS 352‐2002) FC‐PI‐2, Revision 10 (ANSI/INCITS 404‐2006) FC‐PI‐4, Revision 7.0 FC‐FS, Revision 1.9 (ANSI/INCITS 373‐2003) FC‐FS‐2, Revision 0.91 FC_FS_3 Revision 1.11 FC‐LS, Revision 1.2 FC‐SW‐2, Revision 5.3 (ANSI/INCITS 355‐2001) FC‐SW‐3, Revision 6.6 (ANSI/INCITS 384‐2004) FC‐SW‐5, Revision 8.5 (ANSI/INCITS 461‐2010) FC‐GS‐3, Revision 7.01 (ANSI/INCITS 348‐2001) FC‐GS‐4, Revision 7.91 (ANSI/INCITS 387‐2004) FC‐GS‐6 Revision 9.4 (ANSI/INCITS 463‐2010) FC‐BB‐5, Revision 2.0 for FCoE FCP, Revision 12 (ANSI/INCITS 269‐1996)
Page 349: Chapter 19. Edge Virtual Bridging
Enterprise NOS EVB features are compliant with the IEEE 802.1Qbg Authors Group Draft 0.2. For a list of documents on this feature, see: http://www.ieee802.org/1/pages/802.1bg.html. Enterprise NOS implementation of EVB supports the following protocols:  Virtual Ethernet Bridging (VEB) and Virtual Ethernet Port Aggregator (VEPA): VEB and VEPA are mechanisms for switching between VMs on the same hypervisor. VEB enables switching with the server, either in the software (vSwitch), or in the hardware (using single root I/O virtualization capable NICs). VEPA requires the edge switch to support “Reflective Relay”— an operation where the switch forwards a frame back to the port on which it arrived if the destination MAC address is on the same port.  Edge Control Protocol (ECP): ECP is a transport protocol that operates between two peers over an IEEE 802 LAN. ECP provides reliable, in‐order delivery of ULP (Upper Layer Protocol) PDUs (Protocol Data Units).  Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP): VDP allows hypervisors to advertise VSIs to the physical network. This protocol also allows centralized configuration of network policies that will persist with the VM, independent of its location. EVB Type‐Length‐Value (TLV): EVB TLV is a component of Link Layer  Discovery protocol (LLDP)‐based TLV used to discover and configure VEPA, ECP, and VDP. © Copyright Lenovo 2017 Chapter 19: Edge Virtual Bridging...
Page 350: Evb Operations Overview
EVB Operations Overview The ENOS includes a pre‐standards VSI Type Database (VSIDB) implemented through the System Networking Switch Center (SNSC), the Lenovo Flex System Manager (FSM), or the Lenovo System Networking Distributed Switch 5000V. The VSIDB is the central repository for defining sets of network policies that apply to VM network ports. You can configure only one VSIDB. Note: This document does not include the VSIDB configuration details. Please see the SNSC, FSM, or Lenovo System Networking Distributed Switch 5000V guide for details on how to configure VSIDB. The VSIDB operates in the following sequence: 1. Define VSI types in the VSIDB. The VSIDB exports the database when the CN4093 sends a request. 2. Create a VM. Specify VSI type for each VM interface. See the SNSC, FSM, or Lenovo System Networking Distributed Switch 5000V guide for details on how to specify the VSI type. The hypervisor sends a VSI ASSOCIATE, which contains the VSI type ID, to the switch port after the VM is started. The switch updates its configuration based on the requested VSI type. The switch configures the per‐VM bandwidth using the VMpolicy. The Enterprise NOS supports the following policies for VMs:  ACLs  Bandwidth metering VSIDB Synchronization The switch periodically checks for VSIDB changes based on the configured interval. You can configure this interval using the following command: CN 4093(config)# virt evb vsidb <number> CN 4093(conf-vsidb)# update-interval <time in seconds>...
Page 351: Vlan Behavior
If you delete a VLAN that has a VM associated with it, you will see a warning message similar to the following: Warning: Vlan 10 is used by VM and can’t be removed. The VMs will not get disassociated.If a VM is associated with a port, and you remove this port from a VLAN, you will see a warning message similar to the following: Warning: Port INTB1 in Vlan 10 is used by VM and can’t be removed. The VMs will not get disassociated. © Copyright Lenovo 2017 Chapter 19: Edge Virtual Bridging...
Page 352: Manual Reflective Relay
Manual Reflective Relay Reflective Relay (RR) is an operation where the switch forwards a frame back to the port on which it arrived if the destination MAC address is on the same port. When an EVB profile is configured on a port, RR is automatically enabled on the port after capability exchange with the peer, using the IEEE802.1QBG protocol. This is the usual mode of operation. When the switch interoperates with devices that do not support IEEE 802.1QBG protocols, RR can be manually configured using the following command: CN 4093(config-if)# reflective-relay force Manual RR and EVB profile cannot be configured on a port at the same time. Note: If a port is a member of an isolated VLAN, the manual reflective relay will not work. See “Private VLANs” on page 153 for more information on isolated VLANs. CN4093 Application Guide for N/OS 8.4...
Page 353: Evb Configuration
CN 4093(conf-vsidb)# protocol {http|https} (Select VSI database protocol; default is HTTP) CN 4093(conf-vsidb)# host 172.31.37.187 [data-port|extm-port|mgt-port] (Set VSI database Manager IP) CN 4093(conf-vsidb)# port 80 (Set VSI database Manager port) CN 4093(conf-vsidb)# filepath “vsidb” (Set VSI database document path) CN 4093(conf-vsidb)# filename “all.xml” (Set VSI database file name) CN 4093(conf-vsidb)# update-interval 30 (Set update interval in seconds) CN 4093(conf-vsidb)# exit © Copyright Lenovo 2017 Chapter 19: Edge Virtual Bridging...
Page 354 Note: When you connect to a SNSC VSIDB, the port/docpath configuration is as follows: HTTP:  Port: 40080  Docpath: snsc/rest/vsitypes  HTTPS:  Port: 40443  Docpath: snsc/rest/vsitypes  When you connect to a 5000v VSIDB, the port/docpath configuration is as follows:  Port: 80  Docpath: vsitypes CN4093 Application Guide for N/OS 8.4...
Page 355: Configuring Evb In Stacking Mode
An operational stack must contain one Master and one or more Members, as follows: Master  One switch controls the operation of the stack and is called the Master. The Master provides a single point to manage the stack. A stack must have one and only one Master. The firmware image, configuration information, and run‐time data are maintained by the Master and pushed to each switch in the stack as necessary. Member  Member switches provide additional port capacity to the stack. Members receive configuration changes, run‐time information, and software updates from the Master.  Backup One member switch can be designated as a Backup to the Master. The Backup takes over control of the stack if the Master fails. Configuration information and run‐time data are synchronized with the Master. For details on implementing the stacking feature, see “Stacking” on page 231. EVB can be configured on any port in the stack. Use the Master to configure EVB on a port in the stack. The port numbers in a stack use the following format: <switch number>:<port number> Configure VSIDB on a data or management port that resides on the Master. The Master process the EVB‐related information for all the switch ports in a stack. The Master performs the VSIDB synchronization (See “VSIDB Synchronization” on page 350). The Master synchronizes all EVB changes with the Backup. If the Master fails, the Backup takes over control of the stack. The VSI associations on the Master ports are lost. All other VSI associations remain unchanged. © Copyright Lenovo 2017 Chapter 19: Edge Virtual Bridging...
Page 356: Limitations
Limitations  If both ACL and egress bandwidth metering are enabled, traffic will first be matched with the ACL and will not be limited by bandwidth metering. ACLs based on a source MAC or VLAN must match the source MAC and VLAN  of the VM. If not, the policy will be ignored and you will see the following warning message: "vm: VSI Type ID 100 Associated mac 00:50:56:b6:c0:ff on port 6, ignore 1 mismatched ACL" Unsupported features The following features are not supported on ports configured with EVB:  LAG/VLAG  vNIC  VMready CN4093 Application Guide for N/OS 8.4...
Page 357: Chapter 20. Static Multicast Arp
Chapter 20. Static Multicast ARP The Microsoft Windows operating system includes the Network Load Balancing (NLB) technology that helps to balance incoming IP traffic among multi‐node clusters. In multicast mode, NLB uses a shared multicast MAC address with a unicast IP address. Since the address resolution protocol (ARP) can map an IP address to only one MAC address, port, and VLAN, the packet reaches only one of the servers (the one attached to the port on which the ARP was learnt). To avoid the ARP resolution, you must create a static ARP entry with multicast MAC address. You must also specify the list of ports through which the multicast packet must be sent out from the gateway or Layer 2/Layer 3 node. With these configurations, a packet with a unicast IPv4 destination address and multicast MAC address can be sent out as per the multicast MAC address configuration. NLB maps the unicast IP address and multicast MAC address as follows: Cluster multicast MAC address: 03‐BF‐W‐X‐Y‐Z; where W.X.Y.Z is the cluster unicast IP address. You must configure the static multicast ARP entry only at the Layer 2/Layer 3 or Router node, and not at the Layer 2‐only node. Enterprise NOS supports a maximum of 20 static multicast ARP entries. Note: If you use the ACL profile or IPMC‐OPT profile, an ACL entry is consumed for each Static Multicast ARP entry that you configure. Hence, you can configure a maximum of 640 ACL and multicast MAC entries together.The ACL entries have a higher priority. In the default profile, the number of static multicast ARP entries that you configure does not affect the total number of ACL entries. © Copyright Lenovo 2017 Chapter 20: Static Multicast ARP...
Page 358: Configuring Static Multicast Arp
Configuring Static Multicast ARP To configure multicast MAC ARP, you must perform the following steps:  Configure the static multicast forwarding database (FDB) entry: Since there is no port list specified for static multicast ARP, and the associated MAC address is multicast, you must specify a static multicast FDB entry for the cluster MAC address to limit the multicast domain. If there is no static multicast FDB entry defined for the cluster MAC address, traffic will not be forwarded. Use the following command: CN 4093(config)# mac-address-table multicast <cluster MAC address> <port(s)> Configure the static multicast ARP entry: Multicast ARP static entries should be  configured without specifying the list of ports to be used. Use the following command: CN 4093(config)# ip arp <destination unicast IP address> <destination multicast MAC address> vlan <cluster VLAN number> Configuration Example Consider the following example: Cluster unicast IP address: 10.10.10.42   Cluster multicast MAC address: 03:bf:0a:0a:0a:2a Cluster VLAN: 42   List of individual or port LAGs to which traffic should be forwarded: 54 and 56 Following are the steps to configure the static multicast ARP based on the given ...
Page 359 --------------- ----------------- ---- ---- 10.10.10.42 03:bf:0a:0a:0a:2a Total number of arp entries : 2 IP address Flags MAC address VLAN Age Port --------------- ----- ----------------- ---- --- ---- 10.10.10.1 fc:cf:62:9d:74:00 10.10.10.42 03:bf:0a:0a:0a:2a © Copyright Lenovo 2017 Chapter 20: Static Multicast ARP...
Page 360: Limitations
Limitations  You must configure the ARP only in the Layer 2/Layer 3 node or the router node but not in the Layer 2‐only node. Enterprise NOS cannot validate if the node is Layer 2‐only.  The packet is always forwarded to all the ports as specified in the Multicast MAC address configuration. If VLAN membership changes for the ports, you must update this static multicast MAC entry. If not, the ports, whose membership has changed, will report discards.  ACLs take precedence over static multicast ARP. If an ACL is configured to match and permit ingress of unicast traffic, the traffic will be forwarded based on the ACL rule, and the static multicast ARP will be ignored. CN4093 Application Guide for N/OS 8.4...
Page 361: Chapter 21. Unified Fabric Port
NIC Port Switch Port vPort Switch VNIC vPort OS or Hypervisor VNIC vPort vPort VNIC The UFP protocol has the following operation categories:  Channel Initialization: The server NIC and the switch port negotiate the number of channels and establish channel identifiers. Each UFP channel has a data component and a control component. The two components have the same UFP channel ID.  Channel Control: For an established channel, the switch can modify configurable channel properties by sending a control message on the UFP channel. While the channel ID is the same for the control and data components, the destination MAC address of the control message frame is a well‐known address 01-80-C2-00-00-03.  Discovery Capability: UFP can discover other ports that are UFP enabled. Once you enable UFP, you can check the information statistics for established channels. © Copyright Lenovo 2017 Chapter 21: Unified Fabric Port...
Page 362: Ufp Limitations
UFP Limitations The following limitations apply when configuring UFP:  FCoE must be configured only on vPort 2 of the physical NIC for Emulex CNA and on vPort 1 of the physical NIC for Qlogic CNA. For Emulex NIC CN4052, FCoE can be configured on vPort 2 or vPort 3.  UFP port in FCoE mode cannot operate with FIP auto‐VLAN feature.  VLANs that have member vPorts configured in trunk, access or auto modes cannot have member vPorts configured in tunnel mode or FCoE.  vPorts on a physical port must be members of separate VLANs.  VLANs 4002‐4009 are reserved for outer tagging.  A UFP‐enabled port with no vPorts configured cannot belong to the same VLAN as a UFP‐enabled port that has vPorts configured in trunk, access or auto modes.  UFP bandwidth is guaranteed lossless only for unicast traffic.  VMready is supported only on a vPort which is configure in auto‐VLAN mode. When a vPort is in auto‐VLAN mode, it can support up to 32 VMGroups.  EVB is supported only on a vPort which is configured in auto‐VLAN mode.  VMready and EVB cannot be configured on the same physical port.  UFP vPorts support up to 1024 VLANs in trunk and auto mode on the switch in standalone mode. Stacking switches have a limitation of 256 VLANs in both auto and trunk mode.  When CEE is turned on, FCoE vPort must be used for lossless priority traffic. For loss‐tolerant priority traffic, a non‐FCoE UFP vPort must be used. The lossless property of FCoE vPort is not guaranteed, if lossless and loss‐tolerant traffic are combined. When the vPort is enabled and the channel link state is up, the system does not  support changing vPort VLAN type from private/non‐private to ...
Page 363: Virtual Ports Modes
UFP vPort Mode The UFP mode is configured based on the type of switching domain (single VLAN or multiple VLANs) where the vPort is connected.  Use local domain data path types for trunk or access mode.  Use pass‐through domain data path types for tunnel mode. In tunnel mode, a vPort can belong to only one VLAN. Use the following command to configure UFP vPort mode: CN 4093(config)# ufp port <num> vport <num> CN 4093(config_ufp_vport)# network mode {access|trunk|auto|tunnel|fcoe} Notes:  Default mode is tunnel.  If LACP is down on a UFP port, the FCoE connections go down and are then reestablished by UFP. © Copyright Lenovo 2017 Chapter 21: Unified Fabric Port...
Page 364: Tunnel Mode
Use tunnel mode to send all VM data traffic to an upstream switch, for Layer 2 or Layer 3 processing, in one domain. In such cases, the UFP port or vPort must be in tunnel mode and the upstream switch port must be in 802.1Q trunk mode. Note: Two vPorts on a physical port cannot be members of the same VLAN. Figure 38. Packet pass‐through in Tunnel Mode Server vNICs vPorts Lenovo Switch Ports without vNICs OS/Hypervisor Regular NIC attaches UFP Switching uses outer tag; Switch strips VLAN ID Channel VLAN ID Ignores regular VLAN outer tag...
Page 365: Access Mode
Access Mode In access mode, a vPort carries packets with inner tags that belong to one VLAN. The vPort is associated with the VLAN defined by the command: CN 4093(config_ufp_vport)# network default-vlan <2‐4094> Note: VLANs 4002‐4009 are reserved for outer tagging. FCoE Mode FCoE traffic is carried by a vPort. The server‐side endpoint of this virtual port will be represented through a FC vHBA. Setting a virtual port in FCoE mode will enable Priority‐based Flow Control (PFC) on the physical port. A vPort configured in FCoE mode can only be attached to a Fibre Channel (FC) VLAN. A vPort in FCoE mode operates as a local domain data path type with packets being single tagged. Auto-VLAN Mode When a vPort is configured in auto‐VLAN mode, the vPort participates in VM discovery using VMready or 802.1Qbg. VLANs are dynamically provisioned based on VMready discovery or 802.1Qbg VM association. When a vPort operates in auto‐VLAN mode, it supports 32 VM groups. In the case of 802.1Qbg, when a vPort operates in auto‐VLAN mode, the maximum number of VLANs in the inner tag is 1024 when switch is configured in standalone mode. The vPort cannot be configured in Virtual Ethernet Port Aggregator (VEPA) mode. © Copyright Lenovo 2017 Chapter 21: Unified Fabric Port...
Page 366: Ufp Bandwidth Provisioning
UFP Bandwidth Provisioning UFP provides two modes of bandwidth provisioning for vPort: Enhanced Transmission Selection (ETS) mode and Strict Bandwidth Provisioning mode. Enhanced Transmission Selection mode Enhanced Transmission Selection (ETS) mode of bandwidth provisioning is useful when an end‐to‐end QoS framework for the entire data center, with bandwidth provisioning for different applications, is desired. ETS mode color marks traffic from point of origination to point of destination. It helps to couple QoS provisioning in the access layer with data center fabric. Note: ETS mode requires Converged Enhanced Ethernet (CEE) to be enabled globally. This mode functions with the ETS feature available on the CN4093. You must first define the ETS characteristics of the CN4093. Assign each vPort to the desired traffic class by assigning a system class priority. The Data Center Bridging Capabilities Exchange (DCBX) and UFP protocols propagate the configured parameters for the vPort to apply appropriate traffic coloring and shaping at the source. When operating in this mode, traffic scheduling and bandwidth allocation behavior on switch egress is driven by the ETS class of traffic. When two vPorts use the same traffic class configuration, the order in which switch schedules traffic at egress depends on the order the traffic arrives at egress buffer. Since bandwidth allocation is derived from traffic class rather than vNIC, switch egress doesn’t differentiate between different vPort traffics. In a virtualized environment, the hypervisor or guest VM may define its own traffic class priority. When configured this way, the priority defined by the OS or Hypervisor takes precedence over vPort‐configured priority. Use the following commands to configure ETS bandwidth provisioning: 1. Enable UFP ETS mode on a specific port: CN 4093(config)# ufp port <port alias or number> qos-mode ets 2.
Page 367: Ufp Strict Bandwidth Provisioning Mode
CN 4093(config)# ufp port <port alias or number> qos-mode bw 2. Configure the bandwidth settings for a specific vPort: CN 4093(config)# ufp port <port alias or number> vport <1‐8> CN 4093(config_ufp_vport)# qos bandwidth {max|min} <10‐100> min - Sets minimum guaranteed bandwidth max - Sets maximum allowed bandwidth Note: Total minimum guaranteed bandwidth of enabled vPorts on a physical switch port needs to be 100%. © Copyright Lenovo 2017 Chapter 21: Unified Fabric Port...
Page 368: Using Ufp With Other Cn4093 10 Gb Converged Scalable Switch Features
Using UFP with Other CN4093 10 Gb Converged Scalable Switch Features UFP works with other CN4093 features, as described with limitations and details. Layer 2 Failover UFP failover can be configured with auto‐monitoring or manual monitoring. In auto‐monitoring, a vPort is automatically associated with a Failover trigger if it has any VLAN in common with the monitor ports. Layer 2 failover is not supported on UFP ports in auto mode. For more information on failover, see “Layer 2 Failover” on page 515. For an example configuration, see “Example 8: Layer 2 Failover Configuration” on page 379. Increased VLAN Limits Configured with UFP and VLANs, a vPort can support up to 1024 VLANs. A UFP port supports 1024 VLANs on the switch in standalone mode. For more information on VLAN configuration, see “VLANs” on page 137. Private VLANs It supports the following Private VLAN modes in UFP vPorts:  Disabled Trunk   Promiscuous Host ...
Page 369: Vmready
Warns if no primary VLAN is associated with the secondary VLAN assigned  to a vPort. UFP with private VLANs is supported under the following limitations:  vPorts from the same physical port cannot belong to the same private VLAN domain.  vPorts cannot be configured with a primary VLAN as a default VLAN, only with secondary VLANs.  UFP ports cannot have switchport mode private‐VLAN enabled on them.  Private VLAN is supported only on vPorts configured with trunk or access mode.  UFP cannot be configured on promiscuous ports. For more information on private VLANs, see “Private VLANs” on page 153 . VMReady Configuring with UFP and VMReady, the CN4093 can support up to 32 VMGroups with UFP vPorts in auto mode. VMReady is supported only on a vPort which is configured in auto‐VLAN mode. For more information on VMReady, see “VMready” on page 279. 802.1Qbg Configured with Edge Virtual Bridging (EVB), UFP supports up to 1024 VLANs on a vPort. In Stacking mode, UFP supports up to 256 VLANs on a single vPort. EVB is supported only on a vPort which is configured in auto‐VLAN mode. For more information on EVB, see “Edge Virtual Bridging” on page 349. © Copyright Lenovo 2017 Chapter 21: Unified Fabric Port...
Page 370: Ufp Configuration Examples
UFP Configuration Examples Following is an example configuration of UFP vPorts in access mode. Example 1: Access Mode 1. Turn on UFP. CN4093(config)# ufp enable 2. Configure internal port as UFP. CN4093(config)# ufp port INTA1 enable Warning: "Tagging/Trunk-mode" is enabled on UFP port INTA1 3. Configure virtual port. CN4093(config)# ufp port INTA1 vport 1 4. Configure vPort access mode. CN4093(config_ufp_vport)# network mode access 5.
Page 371: Example 2: Trunk Mode
CN4093(config_ufp_vport)# exit 8. Configure internal port 2 as UFP. CN4093(config)# ufp port INTA2 enable Warning: "Tagging/Trunk-mode" is enabled on UFP port INTA2 9. Configure virtual port. CN4093(config)# ufp port INTA2 vport 3 10. Configure vPort trunk mode. CN4093(config_ufp_vport)# network mode trunk © Copyright Lenovo 2017 Chapter 21: Unified Fabric Port...
Page 372 11. Configure the vPort default VLAN. CN4093(config_ufp_vport)# network default-vlan 100 12. Optionally, you can disable tagging on the vPort. CN4093(config_ufp_vport)# no network default-tag 13. Specify QoS parameters for the vPort. CN4093(config_ufp_vport)# qos bandwidth min 15 (in percentage) CN4093(config_ufp_vport)# qos bandwidth max 95 (in percentage) 14. Enable vPort. CN4093(config_ufp_vport)# enable CN4093(config_ufp_vport)# exit 15. Enable tagging/trunk mode on external port 1. CN4093(config)# interface port EXT1 CN4093(config-if)# switchport mode trunk CN4093(config-if)# switchport trunk native vlan 100 CN4093(config-if)# switchport trunk allowed vlan add 200,300 CN4093(config-if)# exit...
Page 373: Example 3: Auto-Vlan Mode With Vmready
CN4093(config)# virt vmware vcspec 10.100.14.195 Administrator noauth 7cee7fa528e02aa036b6b6e6eb508952cdaed2acb702182cf62208fa72dec13fb19d6fec2 fac6598d19b 8f45acff3f6a1e237ae3c984709f874f61aecd2ede7a 10. Create a distributed VMGroup.. CN4093(config)# virt vmprofile “vlan 30” CN4093(config)# virt vmprofile edit “vlan 30” vlan 30 CN4093(config)# virt vmgroup 1 profile “vlan30” © Copyright Lenovo 2017 Chapter 21: Unified Fabric Port...
Page 374: Example 4: Auto-Vlan Mode With Edge Virtual Bridging
11. Verify the virtual machine settings. CN4093(config)# show virt vm 12. Add the virtual machine associated with the vPort to the VMGroup. CN4093(config)# virt vmgroup 1 vm 1 13. Verify the VMGroup associations. CN4093(config)# show virt vm Example 4: Auto-VLAN Mode with Edge Virtual Bridging Following is an example configuration of UFP vPorts in auto mode. 1. Turn on UFP. CN 4093(config)# ufp enable 2. Configure internal port 1 as UFP. CN4093(config)# ufp port INTA1 enable Warning: "Tagging/Trunk-mode"...
Page 375: Example 5: Tunnel Mode
CN4093(config)# ufp port INTA1 vport 1 4. Configure vPort tunnel mode. CN4093(config_ufp_vport)# network mode tunnel 5. Configure vPort default VLAN. CN4093(config_ufp_vport)# network default-vlan 4000 6. Specify the QoS parameters for the vPort. CN4093(config_ufp_vport)# qos bandwidth min 15 (in percentage) CN4093(config_ufp_vport)# qos bandwidth max 95 (in percentage) © Copyright Lenovo 2017 Chapter 21: Unified Fabric Port...
Page 376: Example 6: Fcoe Mode
7. Enable the vPort. CN4093(config_ufp_vport)# enable CN4093(config_ufp_vport)# exit 8. Configure tagging of ingress frames with the port’s VLAN ID on external port 1. CN4093(config)# interface port EXT1 CN4093(config-if)# tagpvid-ingress CN4093(config-if)# no vlan dot1q tag native CN4093(config-if)# switchport access vlan 4000 CN4093(config-if)# exit Example 6: FCoE Mode Following is an example configuration of UFP vPorts in FCoE mode. This example is consistent with the network shown in Figure 32 on page 300. 1. Enable CEE. CN4093(config)# cee enable 2.
Page 377 CN4093(config-vlan)# private-vlan community CN4093(config-vlan)# exit CN4093(config)# vlan 703 CN4093(config-vlan)# private-vlan community CN4093(config-vlan)# exit 4. Map secondary VLANs to primary VLAN. CN4093(config)# vlan 700-703 CN4093(config-vlan)# stg 1 CN4093(config-vlan)# exit CN4093(config)# vlan 700 CN4093(config-vlan)# private-vlan association 701,702,703 CN4093(config-vlan)# exit © Copyright Lenovo 2017 Chapter 21: Unified Fabric Port...
Page 378 5. Set up vPorts on ports 1 and 2. CN4093(config)# ufp port INTA1 enable CN4093(config)# ufp port INTA1 vport 1 CN4093(config-ufp-vport)# network private-vlan trunk CN4093(config-ufp-vport)# network default-vlan 100 CN4093(config-ufp-vport)# network mode trunk CN4093(config-ufp-vport)# enable CN4093(config-ufp-vport)# exit CN4093(config)# ufp port INTA2 enable CN4093(config)# ufp port INTA2 vport 1 CN4093(config-ufp-vport)# network private-vlan promiscuous CN4093(config-ufp-vport)# network default-vlan 200 CN4093(config-ufp-vport)# network mode trunk...
Page 379: Example 8: Layer 2 Failover Configuration
CN4093(config)# failover trigger 1 mmon control vmember INTA9.1, INTA10.2,INTA11.3 Note: If you try to add a physical port (that has vPorts configured) as a member of a trigger, you may see the following error message when you enable the trigger: CN4093(config)# failover trigger 1 ena Failover Error: trigger 1 physical port INTA9 has virtual ports. 3. Enable failover trigger: CN4093(config)# failover trigger 1 enable © Copyright Lenovo 2017 Chapter 21: Unified Fabric Port...
Page 380: Example 9: 8 Vports With Ets Bandwidth Provisioning Mode
Example 9: 8 vPorts with ETS bandwidth provisioning mode Follow this procedure to configure 8 vPorts for a single UFP port with ETS bandwidth provisioning mode. 1. Configure each individual vPort of a specific port: CN4093(config)# ufp port INTA10 vport 1 CN4093(config_ufp_vport)# network mode access CN4093(config_ufp_vport)# network default-vlan 101 CN4093(config_ufp_vport)# qos ets priority 0 CN4093(config_ufp_vport)# enable CN4093(config_ufp_vport)# exit CN4093(config)# ufp port INTA10 vport 2 CN4093(config_ufp_vport)# network mode fcoe CN4093(config_ufp_vport)# network default-vlan 1002 CN4093(config_ufp_vport)# qos ets priority 3...
Page 381 2. Configure ETS mode as the UFP QoS mode for port INTA10: CN4093(config)# ufp port INTA10 qos-mode ets 3. Enable UFP on port INTA10: CN4093(config)# ufp port INTA10 enable 4. Globally enable Converged Enhanced Ethernet (CEE): CN4093(config)# cee enable 5. Globally enable UFP: CN4093(config)# ufp enable © Copyright Lenovo 2017 Chapter 21: Unified Fabric Port...
Page 382 CN4093 Application Guide for N/OS 8.4...
Page 383: Chapter 22. Switch Partition
Chapter 22. Switch Partition Switch Partition (SPAR) enables consolidation of multiple network partitions within an embedded switch. SPARs divide the data plane of a physical switch into independent switching domains. Switch partitions are isolated from each other. Traffic originating in one SPAR stays local to that SPAR. Within a partitioned switch, traffic from one SPAR is never delivered to another SPAR. Traffic from one SPAR can, however, be delivered to another SPAR by traversing an upstream link and switch. Each individual SPAR requires exactly one uplink, which can be a port, a port channel, or an LACP group. Limiting SPAR connectivity to one external uplink prevents the creation of loops. SPAR operates as a Layer 2 broadcast network. Hosts on the same VLAN, attached to a SPAR, can communicate with each other and with the upstream switch. Hosts on the same VLAN, but attached to different SPARs, communicate via the upstream switch. © Copyright Lenovo 2017 Chapter 22: Switch Partition...
Page 384: Spar Processing Modes
SPAR Processing Modes SPAR operates in two processing modes. The default mode is pass‐through domain.  Local Domain: In local‐domain processing mode, VLAN classification and assignment is based on the user‐defined VLAN.  Pass‐through Domain: In pass‐through domain processing mode, VLAN classification and assignment is based on the outer tag, which contains the unique domain VLAN ID of the SPAR. The inner tag with the user‐defined VLAN remains unchanged. Local Domain Processing Each SPAR on a switch has a unique VLAN ID, which separates data between SPARs. If multiple networks share the uplink, the upstream switch port must be configured as a 802.1Q trunk port so it can process multiple VLAN traffic from a SPAR. The SPAR domain uses a single uplink port or LAG shared among all the VLANs. For link redundancy or greater bandwidth, the uplinks can be grouped as static or LACP LAG. If a VLAN is defined on multiple SPARs, the egress port mask is used to prevent communication between the SPARs in the same local domain VLAN. Since port membership of each SPAR is unique, the egress port mask ensures that different SPAR ports in the same local domain VLAN do not communicate with each other. In local domain processing, all SPAR ports must have the following settings:  Tagging/Trunk mode must be enabled.  Ingress VLAN tagging is disabled on all SPAR ports.  PVID/Native VLAN is based on any VLAN defined in SPAR. CN 4093(config)# interface port <num> CN 4093(config-if)# switchport trunk native vlan <VLAN number> CN4093 Application Guide for N/OS 8.4...
Page 385: Pass-Through Domain Processing
Pass‐through domain operates in Q‐In‐Q mode. Inside SPAR, different user‐defined VLAN traffic is classified into single S‐VLAN (service VLAN) associated with the SPAR. Although the uplink can be shared by multiple networks using the pass‐through domain, SPAR will not be server‐VLAN aware. Hence, multiple VLAN traffic will be mixed together in a single broadcast domain, that is, broadcast traffic on different VLANs from the upstream network will reach all servers attached to the SPAR pass‐through domain. The servers drop the packets if they do not belong to the desired VLAN. The pass‐through implementation uses ingress VLAN tagging, that is, tagpvid‐ingress is enabled on all SPAR ports. In pass‐through domain processing mode, all SPAR ports must have the following settings: PVID/Native VLAN tagging is disabled.   Ingress VLAN tagging is enabled on all SPAR ports. PVID/Native VLAN is based on the SPAR DVLAN.  CN 4093(config)# interface port <num> CN 4093(config-if)# switchport trunk native vlan <VLAN number> © Copyright Lenovo 2017 Chapter 22: Switch Partition...
Page 386: Limitations
Limitations The following limitations apply:  UFP and SPAR cannot be configured together.  LAGs must first be configured for SPAR before they can be used. Static or Link Aggregation Control Protocol (LACP) LAGs created on the global switch cannot reference any SPAR ports. Use the commands in the following menus to define LAGs in the SPAR context: CN 4093(config)# spar <num> CN 4093(config-spar)# uplink ? adminkey Set lacp trunk for uplink port Set external port for uplink PortChannel Set portchannel for uplink CN 4093(config)# portchannel ? <1-64> PortChannel group <65-128>...
Page 387: Unsupported Features
  Edge Virtual Bridging Fibre Channel over Ethernet (FCoE)   Hotlinks IGMP   Layer 3 Configuration Management VLAN   Private VLAN Protocol VLAN   sFlow Stacking   STP, RSTP, MRSTP, PVST   vLAG VMAP   VMready  VNIC © Copyright Lenovo 2017 Chapter 22: Switch Partition...
Page 388: Spar Vlan Management
SPAR VLAN Management SPAR VLANs use the same 4000 VLAN space available for other applications/features on the switch. The VLAN ID can be in the range of 2 ‐ 4094. VLAN 1 and the management VLAN 4095 are reserved for the global switch context. A VLAN assigned to a SPAR cannot be used for any other switch application. Similarly, VLAN used by any other switch application cannot be assigned to a SPAR. SPAR member ports cannot be members of any other VLAN. CN4093 Application Guide for N/OS 8.4...
Page 389: Example Configurations
CN 4093(config-spar)# domain default vlan 4081 5. Add ports INTA5 through INTA10 to SPAR 1. CN 4093(config-spar)# domain default member INTA5-INTA10 6. Enable SPAR 1. CN 4093(config-spar)# enable Local Domain Configuration This example demonstrates how to create a SPAR in local‐domain mode consisting of internal server ports INTA11‐INTA14 and a single uplink port, EXT 2. 1. Create SPAR 2. CN 4093(config)# spar 2 2. Add uplink port EXT 2 to SPAR 2. CN 4093(config-spar)# uplink port EXT2 © Copyright Lenovo 2017 Chapter 22: Switch Partition...
Page 390 3. Set the SPAR to local domain mode. CN 4093(config-spar)# domain mode local 4. Configure SPAR VLAN to 4082. CN 4093(config-spar)# domain default vlan 4082 5. Add server ports INTA11 through INTA14. CN 4093(config-spar)# domain default member INTA11-INTA14 6. Configure the VLANs for SPAR 2. Each SPAR has a set of local domains numbered 1 through 32, each of which identifies an allowed VLAN. The following steps create three local domains: VLAN, 10, 20, and 30 7. Create local domain 1, assign VLAN 10, and specify the SPAR ports that are members of the that VLAN. CN 4093(config-spar)# domain local 1 vlan 10 CN 4093(config-spar)# domain local 1 member INTA11-INTA14 CN 4093(config-spar)# domain local 1 enable 8.
Page 391: Part 5: Ip Routing
Part 5: IP Routing This section discusses Layer 3 switching functions. In addition to switching traffic at near line rates, the application switch can perform multi‐protocol routing. This section discusses basic routing and advanced routing protocols:  Basic Routing  Routing Information Protocol (RIP)  Internet Group Management Protocol (IGMP)  Border Gateway Protocol (BGP)  Open Shortest Path First (OSPF) © Copyright Lenovo 2017...
Page 392 CN4093 Application Guide for N/OS 8.4...
Page 393: Chapter 23. Basic Ip Routing
 Connects the server IP subnets to the rest of the backbone network.  Provides the ability to route IP traffic between multiple Virtual Local Area Networks (VLANs) configured on the switch. Routing Between IP Subnets The physical layout of most corporate networks has evolved over time. Classic hub/router topologies have given way to faster switched topologies, particularly now that switches are increasingly intelligent. The CN4093 is intelligent and fast enough to perform routing functions on par with wire‐speed Layer 2 switching. The combination of faster routing and switching in a single device provides another service—it allows you to build versatile topologies that account for legacy configurations. Consider an example in which a corporate campus has migrated from a router‐centric topology to a faster, more powerful, switch‐based topology. As is often the case, the legacy of network growth and redesign has left the system with a mix of illogically distributed subnets. This is a situation that switching alone cannot cure. Instead, the router is flooded with cross‐subnet communication. This compromises efficiency in two ways:  Routers can be slower than switches. The cross‐subnet side trip from the switch to the router and back again adds two hops for the data, slowing throughput con‐ siderably. Traffic to the router increases, increasing congestion.  Even if every end‐station could be moved to better logical subnets (a daunting task), competition for access to common server pools on different subnets still burdens the routers. This problem is solved by using CN4093s with built‐in IP routing capabilities. Cross‐subnet LAN traffic can now be routed within the switches with wire speed Layer 2 switching performance. This not only eases the load on the router but saves the network administrators from reconfiguring each and every end‐station with new IP addresses. © Copyright Lenovo 2017...
Page 394 Take a closer look at the CN4093 in the following configuration example: Figure 40. Switch‐Based Routing Topology First Floor Second Floor 10/100 Client Subnet 10/100 Client Subnet 100.20.10.2-254 131.15.15.2-254 10 Gbps Server Subnet: 206.30.15.2-254 Primary Default IF#2 IF#3 Router: 205.21.17.1 IF#4 IF#1 10 Gbps Secondary Default Router: 205.21.17.2 The CN4093 connects the Gigabit Ethernet and Fast Ethernet LAGs from various switched subnets throughout one building. Common servers are placed on another subnet attached to the switch. A primary and backup router are attached to the switch on yet another subnet. Without Layer 3 IP routing on the switch, cross‐subnet communication is relayed to the default gateway (in this case, the router) for the next level of routing ...
Page 395: Subnet Routing Example
CN 4093(config)# interface ip 3 (Select IP interface 3) CN 4093(config-ip-if)# ip address 131.15.15.1 255.255.255.0 enable CN 4093(config-ip-if)# exit CN 4093(config)# interface ip 4 (Select IP interface 4) CN 4093(config-ip-if)# ip address 206.30.15.1 255.255.255.0 enable CN 4093(config-ip-if)# exit © Copyright Lenovo 2017 Chapter 23: Basic IP Routing...
Page 396 3. Set each server and workstation’s default gateway to the appropriate switch IP interface (the one in the same subnet as the server or workstation). 4. Configure the default gateways to the routers’ addresses. Configuring the default gateways allows the switch to send outbound traffic to the routers: CN 4093(config)# ip gateway 1 address 205.21.17.1 enable CN 4093(config)# ip gateway 2 address 205.21.17.2 enable 5. Verify the configuration. CN 4093(config)# show interface ip Examine the resulting information. If any settings are incorrect, make the appropriate changes. CN4093 Application Guide for N/OS 8.4...
Page 397: Using Vlans To Segregate Broadcast Domains
CN 4093(config-if)# exit CN 4093(config)# vlan 3 CN 4093(config-vlan)# exit CN 4093(config)# interface port inet5a,int6a (Add ports to VLAN 3) CN 4093(config-if)# switchport mode trunk CN 4093(config-if)# switchport trunk allowed vlan add 3 CN 4093(config-if)# exit © Copyright Lenovo 2017 Chapter 23: Basic IP Routing...
Page 398 Each time you add a port to a VLAN, you may get the following prompt: Port 4 is an untagged port and its current PVID is 1. Confirm changing PVID from 1 to 2 [y/n]? Enter y to set the default Port VLAN ID (PVID) for the port. 3. Add each IP interface to the appropriate VLAN. Now that the ports are separated into three VLANs, the IP interface for each subnet must be placed in the appropriate VLAN. From Table 35, the settings are made as follows: CN 4093(config)# interface ip 1 (Select IP interface 1) CN 4093(config-ip-if)# vlan 2 (Add VLAN 2) CN 4093(config-vlan)# exit CN 4093(config)# interface ip 2 (Select IP interface 2) CN 4093(config-ip-if)# vlan 1...
Page 399: Bootp Relay Agent
BOOTP server IP addresses on the switch, and enable BOOTP relay on the interface(s) on which the BOOTP requests are received. Generally, you should configure the command on the switch IP interface that is closest to the client, so that the BOOTP server knows from which IP subnet the newly allocated IP address should come. Use the following commands to configure the switch as a BOOTP relay agent: CN 4093(config)# ip bootp-relay enable CN 4093(config)# ip bootp-relay server <1‐5> address <IPv4 address> Use the following command to enable the Relay functionality on an IP interface: CN 4093(config)# interface ip <interface number> CN 4093(config-ip-if)# relay CN 4093(config-ip-if)# exit © Copyright Lenovo 2017 Chapter 23: Basic IP Routing...
Page 400: Domain-Specific Bootp Relay Agent Configuration
Domain-Specific BOOTP Relay Agent Configuration Use the following commands to configure up to four domain‐specific BOOTP relay agents for each of up to 10 VLANs: CN 4093(config)# ip bootp-relay bcast-domain <1‐10> vlan <VLAN number> CN 4093(config)# ip bootp-relay bcast-domain <1‐10> server <1‐5> address <IPv4 address> CN 4093(config)# ip bootp-relay bcast-domain <1‐10> enable As with global relay agent servers, domain‐specific BOOTP/DHCP functionality may be assigned on a per‐interface basis. CN4093 Application Guide for N/OS 8.4...
Page 401: Dynamic Host Configuration Protocol
DHCP relay agent eliminates the need to have DHCP/BOOTP servers on every subnet. It allows the administrator to reduce the number of DHCP servers deployed on the network and to centralize them. Without the DHCP relay agent, there must be at least one DHCP server deployed at each subnet that has hosts needing to perform the DHCP request. Note: The switch accepts gateway configuration parameters if they were not configured manually. The switch ignores DHCP gateway parameters if the gateway is configured. DHCP Relay Agent DHCP is described in RFC 2131, and the DHCP relay agent supported on CN4093s is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. DHCP defines the methods through which clients can be assigned an IP address for a finite lease period and allowing reassignment of the IP address to another client later. Additionally, DHCP provides the mechanism for a client to gather other IP configuration parameters it needs to operate in the TCP/IP network. In the DHCP environment, the CN4093 acts as a relay agent. The DHCP relay feature enables the switch to forward a client request for an IP address to two BOOTP servers with IP addresses that have been configured on the switch. When a switch receives a UDP broadcast on port 67 from a DHCP client requesting an IP address, the switch acts as a proxy for the client, replacing the client source IP (SIP) and destination IP (DIP) addresses. The request is then forwarded as a UDP Unicast MAC layer message to two BOOTP servers whose IP addresses are configured on the switch. The servers respond as a UDP Unicast message back to the switch, with the default gateway and IP address for the client. The destination © Copyright Lenovo 2017 Chapter 23: Basic IP Routing...
Page 402: Dhcp Relay Agent Configuration
IP address in the server response represents the interface address on the switch that received the client request. This interface address tells the switch on which VLAN to send the server response to the client. DHCP Relay Agent Configuration To enable the CN4093 to be the BOOTP forwarder, you need to configure the DHCP/BOOTP server IP addresses on the switch. Generally, you should configure the switch IP interface on the client side to match the client’s subnet, and configure VLANs to separate client and server subnets. The DHCP server knows from which IP subnet the newly allocated IP address should come. The following figure shows a basic DHCP network example: Figure 42. DHCP Relay Agent Configuration Boston GbESM 20.1.1.1 DHCP Client DHCP Server In CN4093 implementation, there is no need for primary or secondary servers. The client request is forwarded to the BOOTP servers configured on the switch. The use of two servers provide failover redundancy. However, no health checking is supported. Use the following commands to configure the switch as a DHCP relay agent: CN 4093(config)# ip bootp-relay server 1 <IP address> CN 4093(config)# ip bootp-relay server 2 <IP address> CN 4093(config)# ip bootp-relay server 3 <IP address>...
Page 403: Chapter 24. Internet Protocol Version 6
 RFC 4835 RFC 2462 RFC 3413 RFC 4293 RFC 4861      RFC 2474  RFC 3414  RFC 4301  RFC 4862  RFC 2526  RFC 3484  RFC 4302  RFC 5095  RFC 2711  RFC 3602  RFC 4303  RFC 5114 This chapter describes the basic configuration of IPv6 addresses and how to manage the switch via IPv6 host management. © Copyright Lenovo 2017...
Page 404: Ipv6 Limitations
IPv6 Limitations The following IPv6 features are not supported in this release.  Dynamic Host Control Protocol for IPv6 (DHCPv6)  Border Gateway Protocol for IPv6 (BGP)  Routing Information Protocol for IPv6 (RIPng) Most other Enterprise NOS 8.4 features permit IP addresses to be configured using either IPv4 or IPv6 address formats. However, the following switch features support IPv4 only:  Default switch management IP address  Bootstrap Protocol (BOOTP) and DHCP  RADIUS, TACACS+ and LDAP  QoS metering and re‐marking ACLs for out‐profile traffic  VMware Virtual Center (vCenter) for VMready  Routing Information Protocol (RIP)  Internet Group Management Protocol (IGMP)  Border Gateway Protocol (BGP)  Virtual Router Redundancy Protocol (VRRP)  sFLOW CN4093 Application Guide for N/OS 8.4...
Page 405: Ipv6 Address Format
Each IPv6 address has two parts:  Subnet prefix representing the network to which the interface is connected  Local identifier, either derived from the MAC address or user‐configured The preferred hexadecimal format is as follows: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx Example IPv6 address: FEDC:BA98:7654:BA98:FEDC:1234:ABCD:5412 Some addresses can contain long sequences of zeros. A single contiguous sequence of zeros can be compressed to :: (two colons). For example, consider the following IPv6 address: FE80:0:0:0:2AA:FF:FA:4CA2 The address can be compressed as follows: FE80::2AA:FF:FA:4CA2 Unlike IPv4, a subnet mask is not used for IPv6 addresses. IPv6 uses the subnet prefix as the network identifier. The prefix is the part of the address that indicates the bits that have fixed values or are the bits of the subnet prefix. An IPv6 prefix is written in address/prefix‐length notation. For example, in the following address, 64 is the network prefix: 21DA:D300:0000:2F3C::/64 IPv6 addresses can be either user‐configured or automatically configured. Automatically configured addresses always have a 64‐bit subnet prefix and a 64‐bit interface identifier. In most implementations, the interface identifier is derived from the switchʹs MAC address, using a method called EUI‐64. Most Enterprise NOS 8.4 features permit IP addresses to be configured using either IPv4 or IPv6 address formats. Throughout this manual, IP address is used in places where either an IPv4 or IPv6 address is allowed. In places where only one type of address is allowed, the type (IPv4 or IPv6 is specified). © Copyright Lenovo 2017 Chapter 24: Internet Protocol Version 6...
Page 406: Ipv6 Address Types
IPv6 Address Types IPv6 supports three types of addresses: unicast (one‐to‐one), multicast (one‐to‐many), and anycast (one‐to‐nearest). Multicast addresses replace the use of broadcast addresses. Unicast Address Unicast is a communication between a single host and a single receiver. Packets sent to a unicast address are delivered to the interface identified by that address. IPv6 defines the following types of unicast address:  Global Unicast address: An address that can be reached and identified globally. Global Unicast addresses use the high‐order bit range up to FF00, therefore all non‐multicast and non‐link‐local addresses are considered to be global unicast. A manually configured IPv6 address must be fully specified. Auto‐configured IPv6 addresses are comprised of a prefix combined with the 64‐bit EUI. RFC 4291 defines the IPv6 addressing architecture. The interface ID must be unique within the same subnet.  Link‐local unicast address: An address used to communicate with a neighbor on the same link. Link‐local addresses use the format FE80::EUI Link‐local addresses are designed to be used for addressing on a single link for purposes such as automatic address configuration, neighbor discovery, or when no routers are present. Routers must not forward any packets with link‐local source or destination addresses to other links. Multicast Address Multicast is communication between a single host and multiple receivers. Packets are sent to all interfaces identified by that address. An interface may belong to any number of multicast groups. A multicast address (FF00 ‐ FFFF) is an identifier for a group interface. The multicast address most often encountered is a solicited‐node multicast address using prefix FF02::1:FF00:0000/104 with the low‐order 24 bits of the unicast or anycast address. The following well‐known multicast addresses are pre‐defined. The group IDs defined in this section are defined for explicit scope values, as follows: FF00:::::::0 through FF0F:::::::0 CN4093 Application Guide for N/OS 8.4...
Page 407: Anycast Address
Anycast Address Packets sent to an anycast address or list of addresses are delivered to the nearest interface identified by that address. Anycast is a communication between a single sender and a list of addresses. Anycast addresses are allocated from the unicast address space, using any of the defined unicast address formats. Thus, anycast addresses are syntactically indistinguishable from unicast addresses. When a unicast address is assigned to more than one interface, thus turning it into an anycast address, the nodes to which the address is assigned must be explicitly configured to know that it is an anycast address. © Copyright Lenovo 2017 Chapter 24: Internet Protocol Version 6...
Page 408: Ipv6 Address Auto-Configuration
IPv6 Address Auto-configuration IPv6 supports the following types of address auto‐configuration:  Stateful address configuration Address configuration is based on the use of a stateful address configuration protocol, such as DHCPv6, to obtain addresses and other configuration options. Stateless address configuration  Address configuration is based on the receipt of Router Advertisement messages that contain one or more Prefix Information options. Enterprise NOS 8.4 supports stateless address configuration. Stateless address configuration allows hosts on a link to configure themselves with link‐local addresses and with addresses derived from prefixes advertised by local routers. Even if no router is present, hosts on the same link can configure themselves with link‐local addresses and communicate without manual configuration. CN4093 Application Guide for N/OS 8.4...
Page 409: Ipv6 Interfaces
CN 4093(config-ip-if)# ipv6 secaddr6 <IPv6 address> CN 4093(config-ip-if)# exit You cannot configure an IPv4 address on an IPv6 management interface. Each interface can be configured with only one address type: either IPv4 or IPv6, but not both. When changing between IPv4 and IPv6 address formats, the prior address settings for the interface are discarded. Each IPv6 interface can belong to only one VLAN. Each VLAN can support only one IPv6 interface. Each VLAN can support multiple IPv4 interfaces. Interface 125/126 is reserved for IPv6 host support. This interface is included in management VLAN 4095. Use the following commands to configure the IPv6 gateway: CN 4093(config)# ip gateway6 1 address <IPv6 address> CN 4093(config)# ip gateway6 1 enable IPv6 gateway 1 is reserved for IPv6 data interfaces. IPv6 gateway 3 and 4 are the default IPv6 management gateways. © Copyright Lenovo 2017 Chapter 24: Internet Protocol Version 6...
Page 410: Neighbor Discovery
Neighbor Discovery The switch uses Neighbor Discovery protocol (ND) to gather information about other router and host nodes, including the IPv6 addresses. Host nodes use ND to configure their interfaces and perform health detection. ND allows each node to determine the link‐layer addresses of neighboring nodes, and to keep track of each neighbor’s information. A neighboring node is a host or a router that is linked directly to the switch. The switch supports Neighbor Discovery as described in RFC 4861. Neighbor Discover messages allow network nodes to exchange information, as follows:  Neighbor Solicitations allow a node to discover information about other nodes.  Neighbor Advertisements are sent in response to Neighbor Solicitations. The Neighbor Advertisement contains information required by nodes to determine the link‐layer address of the sender, and the sender’s role on the network. IPv6 hosts use Router Solicitations to discover IPv6 routers. When a router  receives a Router Solicitation, it responds immediately to the host.  Routers uses Router Advertisements to announce its presence on the network, and to provide its address prefix to neighbor devices. IPv6 hosts listen for Router Advertisements, and uses the information to build a list of default routers. Each host uses this information to perform autoconfiguration of IPv6 addresses.  Redirect messages are sent by IPv6 routers to inform hosts of a better first‐hop address for a specific destination. Redirect messages are only sent by routers for unicast traffic, are only unicast to originating hosts, and are only processed by hosts. ND configuration for various advertisements, flags, and interval settings is performed on a per‐interface basis using the following command path: CN 4093(config)# interface ip <interface number> CN 4093(config-ip-if)# [no] ipv6 nd ? CN 4093(config-ip-if)# exit To add or remove entries in the static neighbor cache, use the following command ...
Page 411: Host Vs. Router
Host vs. Router Each IPv6 interface can be configured as a router node or a host node, as follows:  A router node’s IP address is configured manually. Router nodes can send Router Advertisements.  A host node’s IP address is auto‐configured. Host nodes listen for Router Advertisements that convey information about devices on the network. Note: When IP forwarding is turned on, all IPv6 interfaces configured on the switch can forward packets. You can configure each IPv6 interface as either a host node or a router node. You can manually assign an IPv6 address to an interface in host mode, or the interface can be assigned an IPv6 address by an upstream router, using information from router advertisements to perform stateless auto‐configuration. To set an interface to host mode, use the following command: CN 4093(config)# interface ip <interface number> CN 4093(config-ip-if)# ip6host CN 4093(config-ip-if)# exit By default, host mode is enabled on the management interface, and disabled on data interfaces. The CN4093 supports up to 1156 IPv6 routes. © Copyright Lenovo 2017 Chapter 24: Internet Protocol Version 6...
Page 412: Supported Applications
Supported Applications The following applications have been enhanced to provide IPv6 support.  Ping The ping command supports IPv6 addresses. Use the following format to ping an IPv6 address: ping <host name>|<IPv6 address> [-n <tries (0‐4294967295)>] [-w <msec delay (0‐4294967295)>] [-l <length (0/32‐65500/2080)>] [-s <IP source>] [-v <TOS (0‐255)>] [-f] [-t] To ping a link‐local address (begins with FE80), provide an interface index, as follows: ping <IPv6 address>%<Interface index> [-n <tries (0‐4294967295)>] [-w <msec delay (0‐4294967295)>] [-l <length (0/32‐65500/2080)>] [-s <IP source>] [-v <TOS (0‐255)>] [-f] [-t] ...
Page 413  DNS client DNS commands support both IPv4 and IPv6 addresses. Link‐local addresses are not supported. Use the following command to specify the type of DNS query to be sent first: CN 4093(config)# ip dns ipv6 request-version {ipv4|ipv6} If you set the request version to ipv4, the DNS application sends an A query first, to resolve the hostname with an IPv4 address. If no A record is found for that hostname (no IPv4 address for that hostname) an AAAA query is sent to resolve the hostname with a IPv6 address. If you set the request version to ipv6, the DNS application sends an AAAA query first, to resolve the hostname with an IPv6 address. If no AAAA record is found for that hostname (no IPv6 address for that hostname) an A query is sent to resolve the hostname with an IPv4 address. © Copyright Lenovo 2017 Chapter 24: Internet Protocol Version 6...
Page 414: Ipv6 Configuration
IPv6 Configuration This section provides steps to configure IPv6 on the switch. Configuration Guidelines When you configure an interface for IPv6, consider the following guidelines:  Support for subnet router anycast addresses is not available. Interface 125/126 are reserved for IPv6 management.   A single interface can accept either IPv4 or IPv6 addresses, but not both IPv4 and IPv6 addresses.  A single interface can accept multiple IPv6 addresses.  A single interface can accept only one IPv4 address.  If you change the IPv6 address of a configured interface to an IPv4 address, all IPv6 settings are deleted.  A single VLAN can support only one IPv6 interface.  Health checks are not supported for IPv6 gateways.  IPv6 interfaces support Path MTU Discovery. The CPU’s MTU is fixed at 1500 bytes. Support for jumbo frames (1,500 to 9,216 byte MTUs) is limited. Any jumbo  frames intended for the CPU must be fragmented by the remote node. The switch can re‐assemble fragmented packets up to 9k. It can also fragment and transmit jumbo packets received from higher layers. IPv6 Configuration Examples IPv6 Configuration Example 1 The following example uses IPv6 host mode to autoconfigure an IPv6 address for the interface. By default, the interface is assigned to VLAN 1.
Page 415: Ipv6 Configuration Example 2
CN 4093(config)# ip gateway6 1 address 2001:BA98:7654:BA98:FEDC:1234: ABCD:5412 CN 4093(config)# ip gateway6 1 enable 3. Configure Router advertisements for the interface (optional) CN 4093(config)# interface ip 3 CN 4093(config-ip-if)# no ipv6 nd suppress-ra 4. Verify the configuration. CN 4093(config-ip-if)# show layer3 © Copyright Lenovo 2017 Chapter 24: Internet Protocol Version 6...
Page 416 CN4093 Application Guide for N/OS 8.4...
Page 417: Chapter 25. Using Ipsec With Ipv6
Chapter 25. Using IPsec with IPv6 Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. Since IPsec was implemented in conjunction with IPv6, all implementations of IPv6 must contain IPsec. To support the National Institute of Standards and Technology (NIST) recommendations for IPv6 implementations, Enterprise NOS IPv6 feature compliance has been extended to include the following IETF RFCs, with an emphasis on IP Security (IPsec) and Internet Key Exchange version 2, and authentication/confidentiality for OSPFv3:  RFC 4301 for IPv6 security RFC 4302 for the IPv6 Authentication Header   RFCs 2404, 2410, 2451, 3602, and 4303 for IPv6 Encapsulating Security Payload (ESP), including NULL encryption, CBC‐mode 3DES and AES ciphers, and HMAC‐SHA‐1‐96.  RFCs 4306, 4307, 4718, and 4835 for IKEv2 and cryptography  RFC 4552 for OSPFv3 IPv6 authentication  RFC 5114 for Diffie‐Hellman groups Note: This implementation of IPsec supports DH groups 1, 2, 5, 14, and 24. The following topics are discussed in this chapter: “IPsec Protocols” on page 418   “Using IPsec with the CN4093” on page 419 © Copyright Lenovo 2017...
Page 418: Ipsec Protocols
IPsec Protocols The Enterprise NOS implementation of IPsec supports the following protocols:  Authentication Header (AH) AHs provide connectionless integrity and data origin authentication for IP packets, and provide protection against replay attacks. In IPv6, the AH protects the AH itself, the Destination Options extension header after the AH, and the IP payload. It also protects the fixed IPv6 header and all extension headers before the AH, except for the mutable fields DSCP, ECN, Flow Label, and Hop Limit. AH is defined in RFC 4302.  Encapsulating Security Payload (ESP) ESPs provide confidentiality, data origin authentication, integrity, an anti‐replay service (a form of partial sequence integrity), and some traffic flow confidentiality. ESPs may be applied alone or in combination with an AH. ESP is defined in RFC 4303.  Internet Key Exchange Version 2 (IKEv2) IKEv2 is used for mutual authentication between two network elements. An IKE establishes a security association (SA) that includes shared secret information to efficiently establish SAs for ESPs and AHs, and a set of cryptographic algorithms to be used by the SAs to protect the associated traffic. IKEv2 is defined in RFC 4306. Using IKEv2 as the foundation, IPsec supports ESP for encryption and/or authentication, and/or AH for authentication of the remote partner. Both ESP and AH rely on security associations. A security association (SA) is the bundle of algorithms and parameters (such as keys) that encrypt and authenticate a particular flow in one direction. CN4093 Application Guide for N/OS 8.4...
Page 419: Using Ipsec With The Cn4093
Using IPsec with the CN4093 IPsec supports the fragmentation and reassembly of IP packets that occurs when data goes to and comes from an external device. The Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch acts as an end node that processes any fragmentation and reassembly of packets but does not forward the IPsec traffic. The IKEv2 key must be authenticated before you can use IPsec. The security protocol for the session key is either ESP or AH. Outgoing packets are labeled with the SA SPI (Security Parameter Index), which the remote device will use in its verification and decryption process. Every outgoing IPv6 packet is checked against the IPsec policies in force. For each outbound packet, after the packet is encrypted, the software compares the packet size with the MTU size that it either obtains from the default minimum maximum transmission unit (MTU) size (1500) or from path MTU discovery. If the packet size is larger than the MTU size, the receiver drops the packet and sends a message containing the MTU size to the sender. The sender then fragments the packet into smaller pieces and retransmits them using the correct MTU size. The maximum traffic load for each IPSec packet is limited to the following:  IKEv2 SAs: 5  IPsec SAs: 10 (5 SAs in each direction) SPDs: 20 (10 policies in each direction)  IPsec is implemented as a software cryptography engine designed for handling control traffic, such as network management. IPsec is not designed for handling data traffic, such as a VPN. © Copyright Lenovo 2017 Chapter 25: Using IPsec with IPv6...
Page 420: Setting Up Authentication
Setting up Authentication Before you can use IPsec, you need to have key policy authentication in place. There are two types of key policy authentication: Preshared key (default)  The parties agree on a shared, secret key that is used for authentication in an IPsec policy. During security negotiation, information is encrypted before transmission by using a session key created by using a Diffie‐Hellman calculation and the shared, secret key. Information is decrypted on the receiving end using the same key. One IPsec peer authenticates the other peerʹs packet by decryption and verification of the hash inside the packet (the hash inside the packet is a hash of the preshared key). If authentication fails, the packet is discarded. Digital certificate (using RSA algorithms)  The peer being validated must hold a digital certificate signed by a trusted Certificate Authority and the private key for that digital certificate. The side performing the authentication only needs a copy of the trusted certificate authorities digital certificate. During IKEv2 authentication, the side being validated sends a copy of the digital certificate and a hash value signed using the private key. The certificate can be either generated or imported. Note: During the IKEv2 negotiation phase, the digital certificate takes precedence over the preshared key. Creating an IKEv2 Proposal With IKEv2, a single policy can have multiple encryption and authentication types, as well as multiple integrity algorithms. To create an IKEv2 proposal: 1. Enter IKEv2 proposal mode. CN 4093(config)# ikev2 proposal 2. Set the DES encryption algorithm. CN 4093(config-ikev2-prop)# encryption {3des|aes-cbc|des} (default: 3des) 3.
Page 421: Importing An Ikev2 Digital Certificate
Organizational Unit Name (eg, section) []: <org. unit> Common Name (eg, YOUR name) []: <name> Email (eg, email address) []: <email address> Confirm Generate CSR? [y/n]: y ..........+++ ....+++ Cert Req generated successfully © Copyright Lenovo 2017 Chapter 25: Using IPsec with IPv6...
Page 422 [pem-format|txt-format] CN 4093> show https host-csr txt-format Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=Cali, L=Santa Barbara, O=Lenovo, OU=Sales, CN=www.zagat.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit):...
Page 423: Generating An Ikev2 Digital Certificate
Confirm generat‘eywing certificate? [y/n]: y Generating certificate. Please wait (approx 30 seconds) restarting SSL agent 2. Save the HTTPS certificate. The certificate is valid only until the switch is rebooted. To save the certificate so that it is retained beyond reboot or power cycles, use the following command: CN 4093(config)# access https save-certificate 3. Enable IKEv2 RSA‐signature authentication: CN 4093(config)# access https enable © Copyright Lenovo 2017 Chapter 25: Using IPsec with IPv6...
Page 424: Enabling Ikev2 Preshared Key Authentication
Enabling IKEv2 Preshared Key Authentication To set up IKEv2 preshared key authentication: 1. Enter the local preshared key. CN 4093(config)# ikev2 preshare-key local <preshared key, a string of 1‐256 chars> 2. If asymmetric authentication is supported, enter the remote key: CN 4093(config)# ikev2 preshare-key remote <preshared key> <IPv6 host> where the following parameters are used:  preshared key A string of 1‐256 characters IPv6 host An IPv6‐format host, such as “3000::1”  3. Set up the IKEv2 identification type by entering one of the following commands: CN 4093(config)# ikev2 identity local address (use an IPv6 address) CN 4093(config)# ikev2 identity local email <email address> CN 4093(config)# ikev2 identity local fqdn <domain name>...
Page 425  apply the selector to any type of traffic proto/icmp type|any only apply the selector only to ICMP traffic of the  specified type (an integer from 1‐255) or to any ICMP traffic proto/tcp  only apply the selector to TCP traffic  source IP address|any the source IP address in IPv6 format or “any” source  destination IP address|any the destination IP address in IPv6 format or “any” destination prefix length (Optional) the length of the destination IPv6  prefix; an integer from 1‐128 Permitted traffic that matches the policy in force is encrypted, while denied traffic that matches the policy in force is dropped. Traffic that does not match the policy bypasses IPsec and passes through clear (unencrypted). 4. Choose whether to use a manual or a dynamic policy. © Copyright Lenovo 2017 Chapter 25: Using IPsec with IPv6...
Page 426: Using A Manual Key Policy
Using a Manual Key Policy A manual policy involves configuring policy and manual SA entries for local and remote peers. To configure a manual key policy, you need:  The IP address of the peer in IPv6 format (for example, “3000::1”).  Inbound/Outbound session keys for the security protocols. You can then assign the policy to an interface. The peer represents the other end of the security association. The security protocol for the session key can be either ESP or AH. To create and configure a manual policy: 1. Enter a manual policy to configure. CN 4093(config)# ipsec manual-policy <policy number> 2. Configure the policy. CN 4093(config-ipsec-manual)#peer <peer’s IPv6 address> CN 4093(config-ipsec-manual)#traffic-selector <IPsec traffic selector> CN 4093(config-ipsec-manual)#transform-set <IPsec transform set> CN 4093(config-ipsec-manual)#in-ah auth-key <inbound AH IPsec key> CN 4093(config-ipsec-manual)#in-ah auth-spi <inbound AH IPsec SPI> CN 4093(config-ipsec-manual)#in-esp cipher-key <inbound ESP cipher key>...
Page 427 Note: When configuring a manual policy ESP, the ESP authenticator key is optional. 3. After you configure the IPSec policy, you need to apply it to the interface to enforce the security policies on that interface and save it to keep it in place after a reboot. To accomplish this, enter: CN 4093(config-ip)# interface ip <IP interface number, 1‐128> CN 4093(config-ip-if)# address <IPv6 address> CN 4093(config-ip-if)# ipsec manual-policy <policy index, 1‐10> CN 4093(config-ip-if)# enable (enable the IP interface) CN 4093# write (save the current configuration) © Copyright Lenovo 2017 Chapter 25: Using IPsec with IPv6...
Page 428: Using A Dynamic Key Policy
Using a Dynamic Key Policy When you use a dynamic key policy, the first packet triggers IKE and sets the IPsec SA and IKEv2 SA. The initial packet negotiation also determines the lifetime of the algorithm, or how long it stays in effect. When the key expires, a new key is automatically created. This helps prevent break‐ins. To configure a dynamic key policy: 1. Choose a dynamic policy to configure. CN 4093(config)# ipsec dynamic-policy <policy number> 2. Configure the policy. CN 4093(config-ipsec-dynamic)# peer <peer’s IPv6 address> CN 4093(config-ipsec-dynamic)# traffic-selector <index of traffic selector> CN 4093(config-ipsec-dynamic)# transform-set <index of transform set> CN 4093(config-ipsec-dynamic)# sa-lifetime <SA lifetime, in seconds> CN 4093(config-ipsec-dynamic)# pfs enable|disable where the following parameters are used: ...
Page 429: Chapter 26. Routing Information Protocol
Chapter 26. Routing Information Protocol In a routed environment, routers communicate with one another to keep track of available routes. Routers can learn about available routes dynamically using the Routing Information Protocol (RIP). Enterprise NOS software supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2) for exchanging TCP/IPv4 route information with other routers. Note: Enterprise NOS 8.4 does not support IPv6 for RIP. Distance Vector Protocol RIP is known as a distance vector protocol. The vector is the network number and next hop, and the distance is the cost associated with the network number. RIP identifies network reachability based on metric, and metric is defined as hop count. One hop is considered to be the distance from one switch to the next, which typically is 1. When a switch receives a routing update that contains a new or changed destination network entry, the switch adds 1 to the metric value indicated in the update and enters the network in the routing table. The IPv4 address of the sender is used as the next hop. Stability RIP includes a number of other stability features that are common to many routing protocols. For example, RIP implements the split horizon and hold‐down mechanisms to prevent incorrect routing information from being propagated. RIP prevents routing loops from continuing indefinitely by limiting the number of hops allowed in a path from the source to a destination. The maximum number of hops in a path is 15. The network destination network is considered unreachable if increasing the metric value by 1 causes the metric to be 16 (that is infinity). This limits the maximum diameter of a RIP network to less than 16 hops. RIP is often used in stub networks and in small autonomous systems that do not have many redundant paths. © Copyright Lenovo 2017...
Page 430: Routing Updates
Routing Updates RIP sends routing‐update messages at regular intervals and when the network topology changes. Each router “advertises” routing information by sending a routing information update every 30 seconds. If a router doesn’t receive an update from another router for 180 seconds, those routes provided by that router are declared invalid. The routes are removed from the routing table, but they remain in the RIP routes table. After another 120 seconds without receiving an update for those routes, the routes are removed from regular updates. When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route. The metric value for the path is increased by 1, and the sender is indicated as the next hop. RIP routers maintain only the best route (the route with the lowest metric value) to a destination. For more information see The Configuration Menu, Routing Information Protocol Configuration in the Enterprise NOS Command Reference. RIPv1 RIP version 1 uses broadcast User Datagram Protocol (UDP) data packets for the regular routing updates. The main disadvantage is that the routing updates do not carry subnet mask information. Hence, the router cannot determine whether the route is a subnet route or a host route. It is of limited usage after the introduction of RIPv2. For more information about RIPv1 and RIPv2, refer to RFC 1058 and RFC 2453. RIPv2 RIPv2 is the most popular and preferred configuration for most networks. RIPv2 expands the amount of useful information carried in RIP messages and provides a measure of security. For a detailed explanation of RIPv2, refer to RFC 1723 and RFC 2453. RIPv2 improves efficiency by using multicast UDP (address 224.0.0.9) data packets for regular routing updates. Subnet mask information is provided in the routing updates. A security option is added for authenticating routing updates, by using a shared password. Enterprise NOS supports using clear password for RIPv2. RIPv2 in RIPv1 Compatibility Mode Enterprise NOS allows you to configure RIPv2 in RIPv1compatibility mode, for using both RIPv2 and RIPv1 routers within a network. In this mode, the regular routing updates use broadcast UDP data packet to allow RIPv1 routers to receive those packets. With RIPv1 routers as recipients, the routing updates have to carry ...
Page 431: Rip Features
Enterprise NOS provides the following features to support RIPv1 and RIPv2: Poison Reverse Simple split horizon in RIP omits routes learned from one neighbor in updates sent to that neighbor. That is the most common configuration used in RIP, with the Poison Reverse feature disabled. Split horizon with poisoned reverse enabled includes such routes in updates, but sets their metrics to 16. The disadvantage of using this feature is the increase of size in the routing updates. Triggered Updates Triggered updates are an attempt to speed up convergence. When Triggered Updates is enabled, whenever a router changes the metric for a route, it sends update messages almost immediately, without waiting for the regular update interval. It is recommended to enable Triggered Updates. Multicast RIPv2 messages use IPv4 multicast address (224.0.0.9) for periodic updates. Multicast RIPv2 updates are not processed by RIPv1 routers. IGMP is not needed since these are inter‐router messages which are not forwarded. To configure RIPv2 in RIPv1 compatibility mode, set multicast to disable, and set version to both. Default Route The RIP router can listen and supply a default route, usually represented as IPv4 0.0.0.0 in the routing table. When a router does not have an explicit route to a destination network in its routing table, it uses the default route to forward those packets. Metric The metric field contains a configurable value between 1 and 15 (inclusive) which specifies the current metric for the interface. The metric value typically indicates the total number of hops to the destination. The metric value of 16 represents an unreachable destination. © Copyright Lenovo 2017 Chapter 26: Routing Information Protocol...
Page 432: Authentication
Authentication RIPv2 authentication uses plain text password for authentication. If configured using Authentication password, then it is necessary to enter an authentication key value. The following method is used to authenticate a RIP message:  If the router is not configured to authenticate RIPv2 messages, then RIPv1 and unauthenticated RIPv2 messages are accepted; authenticated RIPv2 messages are discarded.  If the router is configured to authenticate RIPv2 messages, then RIPv1 and RIPv2 messages which pass authentication testing are accepted; unauthenticated and failed authentication RIPv2 messages are discarded. For maximum security, RIPv1 messages are ignored when authentication is enabled (interface ip <x>/ ip rip auth type/password); otherwise, the routing information from authenticated messages is propagated by RIPv1 routers in an unauthenticated manner. CN4093 Application Guide for N/OS 8.4...
Page 433: Rip Configuration Example
CN 4093(config-router-rip)# enable CN 4093(config-router-rip)# exit CN 4093# interface ip 2 CN 4093(config-ip-if)# ip rip enable CN 4093(config-ip-if)# exit CN 4093# interface ip 3 CN 4093(config-ip-if)# ip rip enable CN 4093(config-ip-if)# exit © Copyright Lenovo 2017 Chapter 26: Routing Information Protocol...
Page 434 Use the following command to check the current valid routes in the routing table of the switch: CN 4093# show ip route For those RIP learnt routes within the garbage collection period, that are routes phasing out of the routing table with metric 16, use the following command: CN 4093# show ip rip routes Locally configured static routes do not appear in the RIP Routes table. CN4093 Application Guide for N/OS 8.4...
Page 435: Chapter 27. Internet Group Management Protocol
Chapter 27. Internet Group Management Protocol Internet Group Management Protocol (IGMP) is used by IPv4 Multicast routers to learn about the existence of host group members on their directly attached subnet (see RFC 2236). The IPv4 Multicast routers get this information by broadcasting IGMP Membership Queries and listening for IPv4 hosts reporting their host group memberships. This process is used to set up a client/server relationship between an IPv4 Multicast source that provides the data streams and the clients that want to receive the data. The CN4093 10 Gb Converged Scalable Switch (CN4093) can perform IGMP Snooping, or act as an IGMP Relay (proxy) device. Note: Enterprise NOS 8.4 does not support IPv6 for IGMP. The following topics are discussed in this chapter:  “IGMP Snooping” on page 436 “IGMP Querier” on page 442   “Additional IGMP Features” on page 443 © Copyright Lenovo 2017...
Page 436: Igmp Snooping
IGMP Snooping IGMP Snooping allows the switch to forward multicast traffic only to those ports that request it. IGMP Snooping prevents multicast traffic from being flooded to all ports. The switch learns which server hosts are interested in receiving multicast traffic, and forwards it only to ports connected to those servers. IGMP Snooping conserves bandwidth. With IGMP Snooping, the switch learns which ports are interested in receiving multicast data, and forwards multicast data only to those ports. In this way, other ports are not burdened with unwanted multicast traffic. The switch can sense IGMP Membership Reports from attached clients and act as a proxy to set up a dedicated path between the requesting host and a local IPv4 Multicast router. After the pathway is established, the switch blocks the IPv4 Multicast stream from flowing through any port that does not connect to a host member, thus conserving bandwidth. The client‐server path is set up as follows:  An IPv4 Multicast Router (Mrouter) sends Membership Queries to the switch, which forwards them to all ports in a given VLAN. Hosts that want to receive the multicast data stream send Membership Reports to  the switch, which sends a proxy Membership Report to the Mrouter. The switch sets up a path between the Mrouter and the host, and blocks all other  ports from receiving the multicast.  Periodically, the Mrouter sends Membership Queries to ensure that the host wants to continue receiving the multicast. If a host fails to respond with a Membership Report, the Mrouter stops sending the multicast to that path. The host can send an IGMP Leave packet to the switch, which responds with an  IGMP Groups Specific Query in order to check if there are other clients that want to receive the multicast traffic for the group referenced in the Leave packet. If an IGMP Report is not received, the group is deleted from the port and the multicast path is terminated. The switch then sends a Proxy Leave packet to the Mrouter in order to update it. If the FastLeave option is enabled on a VLAN, the multicast path is terminated immediately and the Leave packet is directly forwarded to the Mrouter. CN4093 Application Guide for N/OS 8.4...
Page 437: Igmp Groups
CN 4093(config)# no ip igmp snoop igmpv3 exclude By default, the CN4093 snoops the first eight sources listed in the IGMPv3 Group Record. Use the following command to change the number of snooping sources: CN 4093(config)# ip igmp snoop igmpv3 sources <1‐64> IGMPv3 Snooping is compatible with IGMPv1 and IGMPv2 Snooping. You can disable snooping on version 1 and version 2 reports, using the following command: CN 4093(config)# no ip igmp snoop igmpv3 v1v2 © Copyright Lenovo 2017 Chapter 27: Internet Group Management Protocol...
Page 438: Igmp Snooping Configuration Example
IGMP Snooping Configuration Example This section provides steps to configure IGMP Snooping on the CN4093, using the Command‐Line Interface (CLI). 1. Configure port and VLAN membership on the switch. 2. Add VLANs to IGMP Snooping and enable IGMP Snooping. CN 4093(config)# ip igmp snoop vlan 1 CN 4093(config)# ip igmp snoop enable 3. Enable IGMPv3 Snooping (optional). CN 4093(config)# ip igmp snoop igmpv3 enable 4. Enable IGMP. CN 4093(config)# ip igmp enable (Turn on IGMP) 5.
Page 439: Static Multicast Router
Static Multicast Router A static multicast router (Mrouter) can be configured for a particular port on a particular VLAN. A total of 128 static Mrouters can be configured on the CN4093. Both internal and external ports can accept a static Mrouter. Note: When static Mrouters are used, the switch will continue learning dynamic Mrouters via IGMP snooping. However, dynamic Mrouters may not replace static Mrouters. If a dynamic Mrouter has the same port and VLAN combination as a static Mrouter, the dynamic Mrouter will not be learned. Following is an example of configuring a static multicast router: 1. For each Mrouter, configure a port, VLAN, and IGMP version of the multicast router. CN 4093(config)# ip igmp mrouter EXT5 1 2 2. Verify the configuration. CN 4093(config)# show ip igmp mrouter © Copyright Lenovo 2017 Chapter 27: Internet Group Management Protocol...
Page 440: Igmp Relay
IGMP Relay The CN4093 can act as an IGMP Relay (or IGMP Proxy) device that relays IGMP multicast messages and traffic between an Mrouter and end stations. IGMP Relay allows the CN4093 to participate in network multicasts with no configuration of the various multicast routing protocols, so you can deploy it in the network with minimal effort. To an IGMP host connected to the CN4093, IGMP Relay appears to be an IGMP multicast router (Mrouter). IGMP Relay sends Membership Queries to hosts, which respond by sending an IGMP response message. A host can also send an unsolicited Join message to the IGMP Relay. To a multicast router, IGMP Relay appears as a host. The Mrouter sends IGMP host queries to IGMP Relay, and IGMP Relay responds by forwarding IGMP host reports and unsolicited join messages from its attached hosts. IGMP Relay also forwards multicast traffic between the Mrouter and end stations, similar to IGMP Snooping. You can configure up to two Mrouters to use with IGMP Relay. One Mrouter acts as the primary Mrouter, and one is the backup Mrouter. The CN4093 uses ICMP health checks to determine if the primary and backup mrouters are reachable. Configuration Guidelines Consider the following guidelines when you configure IGMP Relay: IGMP Relay is supported in stand‐alone (non‐stacking) mode only.   IGMP Relay and IGMP Snooping/Querier are mutually exclusive—if you enable IGMP Relay, you must turn off IGMP Snooping/Querier.  Add VLANs to the IGMP Relay list, using the following command: CN 4093(config)# ip igmp relay vlan <VLAN ID>  If IGMP hosts reside on different VLANs, you must: Disable IGMP flooding.  CN 4093(config)# vlan <VLAN ID>...
Page 441: Igmp Relay Configuration Example
CN 4093(config)# ip igmp relay mrouter 2 enable 4. Add VLANs to the downstream network and enable IGMP Relay CN 4093(config)# ip igmp relay vlan 2 CN 4093(config)# ip igmp relay vlan 3 CN 4093(config)# ip igmp relay enable © Copyright Lenovo 2017 Chapter 27: Internet Group Management Protocol...
Page 442: Igmp Querier
IGMP Querier IGMP Querier allows the switch to perform the multicast router (Mrouter) role and provide Mrouter discovery when the network or virtual LAN (VLAN) does not have a router. When the IGMP Querier feature is enabled on a VLAN, the switch participates in the Querier election process and has the possibility to be elected as Querier for the VLAN. The IGMP querier periodically broadcasts IGMP Queries and listens for hosts to respond with IGMP Reports indicating their IGMP group memberships. If multiple Mrouters exist on a given network, the Mrouters elect one as the querier, which performs all periodic membership queries. The election process can be based on IPv4 address or MAC address. Note: When IGMP Querier is enabled on a VLAN, the switch performs the role of IGMP querier only if it meets the IGMP querier election criteria. IGMP Querier Configuration Example Follow this procedure to configure IGMP Querier. 1. Enable IGMP and configure the source IPv4 address for IGMP Querier on a VLAN. CN 4093(config)# ip igmp enable CN 4093(config)# ip igmp querier vlan 2 source-ip 10.10.10.1 2. Enable IGMP Querier on the VLAN. CN 4093(config)# ip igmp querier vlan 2 enable 3.
Page 443: Additional Igmp Features
 “FastLeave” on page 443  “IGMP Filtering” on page 443 FastLeave In normal IGMP operation, when the switch receives an IGMPv2 leave message, it sends a Group‐Specific Query to determine if any other devices in the same group (and on the same port) are still interested in the specified multicast group traffic. The switch removes the affiliated port from that particular group, if it does not receive an IGMP Membership Report within the query‐response‐interval. With FastLeave enabled on the VLAN, a port can be removed immediately from the port list of the group entry when the IGMP Leave message is received, unless a multicast router was learned on the port. Enable FastLeave only on VLANs that have only one host connected to each physical port. IGMP Filtering With IGMP Filtering, you can allow or deny a port to learn certain IGMP or IPMC groups. This allows you to restrict users from receiving certain multicast traffic. If access to a multicast group is denied, IGMP Membership Reports from the port are dropped, and the port is not allowed to receive IPv4 multicast traffic from that group. If access to the multicast group is allowed, Membership Reports from the port are forwarded for normal processing. To configure IGMP Filtering, you must globally enable IGMP filtering, define an IGMP filter, assign the filter to a port, and enable IGMP Filtering on the port. To define an IGMP filter, you must configure a range of IPv4 multicast groups, choose whether the filter will allow or deny multicast traffic for groups within the range, and enable the filter. © Copyright Lenovo 2017 Chapter 27: Internet Group Management Protocol...
Page 444: Configuring The Range
Configuring the Range Each IGMP Filter allows you to set a start and end point that defines the range of IPv4 addresses upon which the filter takes action. Each IPv4 address in the range must be between 224.0.0.0 and 239.255.255.255. Configuring the Action Each IGMP filter can allow or deny IPv4 multicasts to the range of IPv4 addresses configured. If you configure the filter to deny IPv4 multicasts, then IGMP Membership Reports from multicast groups within the range are dropped. You can configure a secondary filter to allow IPv4 multicasts to a small range of addresses within a larger range that a primary filter is configured to deny. The two filters work together to allow IPv4 multicasts to a small subset of addresses within the larger range of addresses. Note: Lower‐numbered filters take precedence over higher‐number filters. For example, the action defined for IGMP Filter 1 supersedes the action defined for IGMP Filter 2. IGMP Filtering Configuration Example 1. Enable IGMP filtering on the switch. CN 4093(config) ip igmp filtering 2. Define an IGMP filter with IPv4 information. CN 4093(config) ip igmp profile 1 range 225.0.0.0 226.0.0.0 CN 4093(config) ip igmp profile 1 action deny CN 4093(config)
Page 445: Chapter 28. Multicast Listener Discovery
Chapter 28. Multicast Listener Discovery Multicast Listener Discovery (MLD) is an IPv6 protocol that a host uses to request multicast data for a multicast group. An IPv6 router uses MLD to discover the presence of multicast listeners (nodes that want to receive multicast packets) on its directly attached links, and to discover specifically the multicast addresses that are of interest to those neighboring nodes. MLD version 1 is derived from Internet Group Management Protocol version 2 (IGMPv2) and MLDv2 is derived from IGMPv3. MLD uses ICMPv6 (IP Protocol 58) message types. See RFC 2710 and RFC 3810 for details. MLDv2 protocol, when compared to MLDv1, adds support for source filtering— the ability for a node to report interest in listening to packets only from specific source addresses, or from all but specific source addresses, sent to a particular multicast address. MLDv2 is interoperable with MLDv1. See RFC 3569 for details on Source‐Specific Multicast (SSM). The following topics are discussed in this chapter:  “MLD Terms” on page 446  “How MLD Works” on page 447  “MLD Capacity and Default Values” on page 450  “Configuring MLD” on page 451 © Copyright Lenovo 2017...
Page 446: Mld Terms
MLD Terms Following are the commonly used MLD terms:  Multicast traffic: Flow of data from one source to multiple destinations.  Group: A multicast stream to which a host can join.  Multicast Router (Mrouter): A router configured to make routing decisions for multicast traffic. The router identifies the type of packet received (unicast or multicast) and forwards the packet to the intended destination.  Querier: An Mrouter that sends periodic query messages. Only one Mrouter on the subnet can be elected as the Querier.  Multicast Listener Query: Messages sent by the Querier. There are three types of queries: General Query: Sent periodically to learn multicast address listeners from an  attached link. CN4093 uses these queries to build and refresh the Multicast Address Listener state. General Queries are sent to the link‐scope all‐nodes multicast address (FF02::1), with a multicast address field of 0, and a maximum response delay of query response interval. Multicast Address Specific Query: Sent to learn if a specific multicast address  has any listeners on an attached link. The multicast address field is set to the IPv6 multicast address. Multicast Address and Source Specific Query: Sent to learn if, for a specified  multicast address, there are nodes still listening to a specific set of sources. Supported only in MLDv2. Note: Multicast Address Specific Queries and Multicast Address and Source Specific Queries are sent only in response to State Change Reports, and never in response to Current State Reports. Multicast Listener Report: Sent by a host when it joins a multicast group, or in  response to a Multicast Listener Query sent by the Querier. Hosts use these reports to indicate their current multicast listening state, or changes in the multicast listening state of their interfaces. These reports are of two types: Current State Report: Contains the current Multicast Address Listening State ...
Page 447: How Mld Works
Hosts respond to these queries by reporting their per‐interface Multicast Address Listening state, through Current State Report messages sent to a specific multicast address that all MLD routers on the link listen to.  If the listening state of a host changes, the host immediately reports these changes through a State Change Report message.  The Querier sends a Multicast Address Specific Query to verify if hosts are listening to a specified multicast address or not. Similarly, if MLDv2 is configured, the Querier sends a Multicast Address and Source Specific Query to verify, for a specified multicast address, if hosts are listening to a specific set of sources, or not. MLDv2 listener report messages consists of Multicast Address Records: INCLUDE: to receive packets from source specified in the MLDv2 message  EXCLUDE: to receive packets from all sources except the ones specified in the  MLDv2 message A host can send a State Change Report to indicate its desire to stop listening to a  particular multicast address (or source in MLDv2). The Querier then sends a multicast address specific query to verify if there are other listeners of the multicast address. If there aren’t any, the Mrouter deletes the multicast address from its Multicast Address Listener state and stops sending multicast traffic. Similarly in MLDv2, the Mrouter sends a Multicast Address and Source Specific Query to verify if, for a specified multicast address, there are hosts still listening to a specific set of sources. CN4093 supports MLD versions 1 and 2. Note: MLDv2 operates in version 1 compatibility mode when, in a specific network, not all hosts are configured with MLDv2. © Copyright Lenovo 2017 Chapter 28: Multicast Listener Discovery...
Page 448: How Flooding Impacts Mld
How Flooding Impacts MLD When flood option is disabled, the unknown multicast traffic is discarded if no Mrouters are learned on the switch. You can set the flooding behavior by configuring the flood and cpu options. You can optimize the flooding to ensure that unknown IP multicast (IPMC) data packets are not dropped during the learning phase. The flooding options include: flood: Enable hardware flooding in VLAN for the unregistered IPMC; This  option is enabled by default. cpu: Enable sending unregistered IPMC to the Mrouter ports. However, during  the learning period, there will be some packet loss. The cpu option is enabled by default. You must ensure that the flood and optflood options are disabled. optflood: Enable optimized flooding to allow sending the unregistered IPMC  to the Mrouter ports without having any packet loss during the learning period; This option is disabled by default; When optflood is enabled, the flood and cpu settings are ignored. The flooding parameters must be configured per VLAN. Enter the following command to set the flood or cpu options: CN 4093(config)# vlan <VLAN ID> CN 4093(config-vlan)# [no] flood CN 4093(config-vlan)# [no] cpu CN 4093(config-vlan)# [no] optflood MLD Querier An Mrouter acts as a Querier and periodically (at short query intervals) sends ...
Page 449: Dynamic Mrouters
Dynamic Mrouters The switch learns Mrouters on the ingress VLANs of the MLD‐enabled interface. All report or done messages are forwarded to these Mrouters. By default, the option of dynamically learning Mrouters is disabled. To enable it, use the following command: CN 4093(config)# interface ip <interface number> CN 4093(config-ip-if)# ipv6 mld dmrtr enable © Copyright Lenovo 2017 Chapter 28: Multicast Listener Discovery...
Page 450: Mld Capacity And Default Values
MLD Capacity and Default Values Table 36 lists the maximum and minimum values of the CN4093 variables. Table 36. CN4093 Capacity Table Variable Maximum Value IPv6 Multicast Entries IPv6 Interfaces for MLD Table 37 lists the default settings for MLD features and variables. Table 37. MLD Timers and Default Values Field Default Value Robustness Variable (RV) Query Interval (QI) 125 seconds Query Response Interval (QRI) 10 seconds Multicast Address Listeners Interval 260 seconds [derived: RV*QI+QRI] (MALI) Other Querier Present Interval [OQPT] 255 seconds [derived: RV*QI + ½ QRI] Start up Query Interval [SQI] 31.25 seconds [derived: ¼ * QI] Startup Query Count [SQC] 2 [derived: RV] Last Listener Query Interval [LLQI] 1 second Last Listener Query Count [LLQC] 2 [derived: RV] Last Listener Query Time [LLQT] 2 seconds [derived: LLQI * LLQT]...
Page 451: Configuring Mld
CN 4093(config-ip-if)# ipv6 mld robust <1‐10> (Robustness) CN 4093(config-ip-if)# ipv6 mld qri <1‐256> (In seconds) CN 4093(config-ip-if)# ipv6 mld qintrval <1‐608> (In seconds) CN 4093(config-ip-if)# ipv6 mld llistnr <1‐32> (In seconds) © Copyright Lenovo 2017 Chapter 28: Multicast Listener Discovery...
Page 452 CN4093 Application Guide for N/OS 8.4...
Page 453: Chapter 29. Border Gateway Protocol
CN4093 10 Gb Converged Scalable Switches (CN4093s) can advertise their IP interfaces and IPv4 addresses using BGP and take BGP feeds from as many as BGP router peers. This allows more resilience and flexibility in balancing traffic from the Internet. Note: Enterprise NOS 8.4 does not support IPv6 for BGP. The following topics are discussed in this section:  “Internal Routing Versus External Routing” on page 454  “Forming BGP Peer Routers” on page 455  “What is a Route Map?” on page 456  “Aggregating Routes” on page 459  “Redistributing Routes” on page 459  “BGP Attributes” on page 460  “Selecting Route Paths in BGP” on page 461  “BGP Failover Configuration” on page 462  “Default Redistribution and Route Aggregation Example” on page 464 © Copyright Lenovo 2017...
Page 454: Internal Routing Versus External Routing
Internal Routing Versus External Routing To ensure effective processing of network traffic, every router on your network needs to know how to send a packet (directly or indirectly) to any other location/destination in your network. This is referred to as internal routing and can be done with static routes or using active, internal dynamic routing protocols, such as RIP, RIPv2, and OSPF. Static routes should have a higher degree of precedence than dynamic routing protocols. If the destination route is not in the route cache, then the packets are forwarded to the default gateway which may be incorrect if a dynamic routing protocol is enabled. It is also useful to tell routers outside your network (upstream providers or peers) about the routes you can access in your network. External networks (those outside your own) that are under the same administrative control are referred to as autonomous systems (AS). Sharing of routing information between autonomous systems is known as external routing. External BGP (eBGP) is used to exchange routes between different autonomous systems whereas internal BGP (iBGP) is used to exchange routes within the same autonomous system. An iBGP is a type of internal routing protocol you can use to do active routing inside your network. It also carries AS path information, which is important when you are an ISP or doing BGP transit. The iBGP peers have to maintain reciprocal sessions to every other iBGP router in the same AS (in a full‐mesh manner) in order to propagate route information throughout the AS. If the iBGP session shown between the two routers in AS 20 was not present (as indicated in Figure 43), the top router would not learn the route to AS 50, and the bottom router would not learn the route to AS 11, even though the two AS 20 routers are connected via the Flex System and the Application Switch. Figure 43. iBGP and eBGP AS 11 AS 20 ISP A iBGP eBGP Internet...
Page 455: Forming Bgp Peer Routers
Forming BGP Peer Routers Two BGP routers become peers or neighbors once you establish a TCP connection between them. For each new route, if a peer is interested in that route (for example, if a peer would like to receive your static routes and the new route is static), an update message is sent to that peer containing the new route. For each route removed from the route table, if the route has already been sent to a peer, an update message containing the route to withdraw is sent to that peer. For each Internet host, you must be able to send a packet to that host, and that host has to have a path back to you. This means that whoever provides Internet connectivity to that host must have a path to you. Ultimately, this means that they must “hear a route” which covers the section of the IPv4 space you are using; otherwise, you will not have connectivity to the host in question. © Copyright Lenovo 2017 Chapter 29: Border Gateway Protocol...
Page 456: What Is A Route Map
What is a Route Map? A route map is used to control and modify routing information. Route maps define conditions for redistributing routes from one routing protocol to another or controlling routing information when injecting it in and out of BGP. For example, a route map is used to set a preference value for a specific route from a peer router and another preference value for all other routes learned via the same peer router. For example, the following commands are used to define a route map: CN 4093(config)# route-map <map number> (Select a route map) CN 4093(config-route-map)# ? (List available commands) A route map allows you to match attributes, such as metric, network address, and AS number. It also allows users to overwrite the local preference metric and to append the AS number in the AS route. See “BGP Failover Configuration” on page 462. Enterprise NOS allows you to configure 32 route maps. Each route map can have up to eight access lists. Each access list consists of a network filter. A network filter defines an IPv4 address and subnet mask of the network that you want to include in the filter. Figure 44 illustrates the relationship between route maps, access lists and network filters. Figure 44. Distributing Network Filters in Access Lists and Route Maps Route Maps Network Filter (rmap) (nwf) Access Lists (alist) Route Map 1...
Page 457: Incoming And Outgoing Route Maps
2. (Optional) Define the criteria for the access list and enable it. Specify the access list and associate the network filter number configured in Step 1. CN 4093(config)# route-map 1 CN 4093(config-route-map)# access-list 1 match-address 1 CN 4093(config-route-map)# access-list 1 metric <metric value> CN 4093(config-route-map)# access-list 1 action deny CN 4093(config-route-map)# access-list 1 enable © Copyright Lenovo 2017 Chapter 29: Border Gateway Protocol...
Page 458 Steps 2 and 3 are optional, depending on the criteria that you want to match. In Step 2, the network filter number is used to match the subnets defined in the network filter. In Step 3, the autonomous system number is used to match the subnets. Or, you can use both (Step 2 and Step 3) criteria: access list (network filter) and access path (AS filter) to configure the route maps. 3. (Optional) Configure the attributes in the AS filter menu. CN 4093(config-route-map)# as-path-list 1 as 1 CN 4093(config-route-map)# as-path-list 1 action deny CN 4093(config-route-map)# as-path-list 1 enable 4. Set up the BGP attributes. If you want to overwrite the attributes that the peer router is sending, then define the following BGP attributes:  Specify up to 32 AS numbers that you want to prepend to a matched route and the local preference for the matched route.  Specify the metric [Multi Exit Discriminator (MED)] for the matched route. CN 4093(config-route-map)# as-path-preference <AS number> [<AS number>] ... CN 4093(config-route-map)# local-preference <local preference value> CN 4093(config-route-map)# metric <metric value>...
Page 459: Aggregating Routes
464. Redistributing Routes In addition to running multiple routing protocols simultaneously, Enterprise NOS software can redistribute information from one routing protocol to another. For example, you can instruct the switch to use BGP to re‐advertise static routes. This applies to all of the IP‐based routing protocols. You can also conditionally control the redistribution of routes between routing domains by defining a method known as route maps between the two domains. For more information on route maps, see “What is a Route Map?” on page 456. Redistributing routes is another way of providing policy control over whether to export OSPF routes, fixed routes, and static routes. For an example configuration, see “Default Redistribution and Route Aggregation Example” on page 464. Default routes can be configured using the following methods: Import   Originate—The router sends a default route to peers if it does not have any default routes in its routing table.  Redistribute—Default routes are either configured through the default gateway or learned via other protocols and redistributed to peer routers. If the default routes are from the default gateway, enable the static routes because default routes from the default gateway are static routes. Similarly, if the routes are learned from another routing protocol, make sure you enable that protocol for redistribution.  None © Copyright Lenovo 2017 Chapter 29: Border Gateway Protocol...
Page 460: Bgp Attributes
BGP Attributes The following two BGP attributes are discussed in this section: Local preference and metric (Multi‐Exit Discriminator). Local Preference Attribute When there are multiple paths to the same destination, the local preference attribute indicates the preferred path. The path with the higher preference is preferred (the default value of the local preference attribute is 100). Unlike the weight attribute, which is only relevant to the local router, the local preference attribute is part of the routing update and is exchanged among routers in the same The local preference attribute can be set in one of two ways:  Using the BGP default local preference method, affecting the outbound direction only. CN 4093(config)# router bgp CN 4093(config_router_bgp)# local-preference <0-4294967294> CN 4093(config_router_bgp)# exit  Using the route map local preference method, which affects both inbound and outbound directions. CN 4093(config)# route-map 1 CN 4093(config_route_map)# local-preference <0-4294967294> CN 4093(config_route_map)# enabled CN 4093(config_router_map)# exit CN 4093(config)# router bgp CN 4093(config_router_bgp)# neighbor {<number>/group <number>} route-map ...
Page 461: Selecting Route Paths In Bgp
Selecting Route Paths in BGP BGP selects only one path as the best path. It does not rely on metric attributes to determine the best path. When the same network is learned via more than one BGP peer, BGP uses its policy for selecting the best route to that network. The BGP implementation on the CN4093 uses the following criteria to select a path when the same route is received from multiple peers. 1. Local fixed and static routes are preferred over learned routes. 2. With iBGP peers, routes with higher local preference values are selected. 3. In the case of multiple routes of equal preference, the route with lower AS path weight is selected. AS path weight = 128 x AS path length (number of autonomous systems traversed). 4. In the case of equal weight and routes learned from peers that reside in the same AS, the lower metric is selected. Note: A route with a metric is preferred over a route without a metric. 5. The lower cost to the next hop of routes is selected. 6. In the case of equal cost, the eBGP route is preferred over iBGP. 7. If all routes have same route type (eBGP or iBGP), the route with the lower router ID is selected. When the path is selected, BGP puts the selected path in its routing table and propagates the path to its neighbors. © Copyright Lenovo 2017 Chapter 29: Border Gateway Protocol...
Page 462: Bgp Failover Configuration
BGP Failover Configuration Use the following example to create redundant default gateways for a CN4093 at a Web Host/ISP site, eliminating the possibility, should one gateway go down, that requests will be forwarded to an upstream router unknown to the switch. As shown in Figure 45, the switch is connected to ISP 1 and ISP 2. The customer negotiates with both ISPs to allow the switch to use their peer routers as default gateways. The ISP peer routers will then need to announce themselves as default gateways to the CN4093. Figure 45. BGP Failover Configuration Example ISP 1 ISP 2 Peer 1 Router Peer 2 Router AS 100 AS 200 (Primary) (Secondary) IP:200.200.200.2 IP:210.210.210.2 GbE Switch Module announces routes with Default gateway, Metric = AS path metric of “3”...
Page 463 CN 4093(config-router-bgp)# neighbor 1 remote-address 200.200.200.2 CN 4093(config-router-bgp)# neighbor 1 remote-as 100 CN 4093(config-router-bgp)# no neighbor 1 shutdown CN 4093(config-router-bgp)# neighbor 2 remote-address 210.210.210.2 CN 4093(config-router-bgp)# neighbor 2 remote-as 200 CN 4093(config-router-bgp)# no neighbor 2 shutdown © Copyright Lenovo 2017 Chapter 29: Border Gateway Protocol...
Page 464: Default Redistribution And Route Aggregation Example
Default Redistribution and Route Aggregation Example This example shows you how to configure the switch to redistribute information from one routing protocol to another and create an aggregate route entry in the BGP routing table to minimize the size of the routing table. As illustrated in Figure 46, you have two peer routers: an internal and an external peer router. Configure the CN4093 to redistribute the default routes from AS 200 to AS 135. At the same time, configure for route aggregation to allow you to condense the number of routes traversing from AS 135 to AS 200. Figure 46. Route Aggregation and Default Route Redistribution Aggregate routes 135.0.0.0/8 traversing from AS 135 to AS 200 AS 135 AS 200 Internal peer router 1 10.1.1.4 20.20.20.135 External peer router 2 20.20.20.2 135.110.0.0/16 Switch Module...
Page 465 5. Configure aggregation policy control. Configure the routes that you want aggregated. CN 4093(config-router-bgp)# aggregate-address 1 135.0.0.0 255.0.0.0 CN 4093(config-router-bgp)# aggregate-address 1 enable © Copyright Lenovo 2017 Chapter 29: Border Gateway Protocol...
Page 466 CN4093 Application Guide for N/OS 8.4...
Page 467: Chapter 30. Ospf
 “OSPFv2 Overview” on page 467. This section provides information on OSPFv2 concepts, such as types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing.  “OSPFv2 Implementation in Enterprise NOS” on page 472. This section describes how OSPFv2 is implemented in Enterprise NOS, such as configuration parameters, electing the designated router, summarizing routes, defining route maps and so forth. “OSPFv2 Configuration Examples” on page 483. This section provides  step‐by‐step instructions on configuring different OSPFv2 examples: Creating a simple OSPF domain  Creating virtual links  Summarizing routes   “OSPFv3 Implementation in Enterprise NOS” on page 491. This section describes differences and additional features found in OSPFv3. OSPFv2 Overview OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. All routing devices maintain link information in their own Link State Database (LSDB). The LSDB for all routing devices within an area is identical but is not exchanged between different areas. Only routing updates are exchanged between areas, thereby significantly reducing the overhead for maintaining routing information on a large, dynamic network. © Copyright Lenovo 2017...
Page 468: Types Of Ospf Areas
Types of OSPF Areas An AS can be broken into logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. As shown in Figure 47, OSPF defines the following types of areas: Stub Area—an area that is connected to only one other area. External route  information is not distributed into stub areas.  Not‐So‐Stubby‐Area (NSSA)—similar to a stub area with additional capabilities. Routes originating from within the NSSA can be propagated to adjacent transit and backbone areas. External routes from outside the AS can be advertised within the NSSA but can be configured to not be distributed into other areas.  Transit Area—an area that carries data traffic which neither originates nor terminates in the area itself. Figure 47. OSPF Area Types Backbone Area 0 (Also a Transit Area) Internal LSA Virtual Routes Link Stub Area Transit Area Not-So-Stubby Area No External Routes from Backbone...
Page 469: Types Of Ospf Routing Devices
 Area Border Router (ABR)—a router that has interfaces in multiple areas. ABRs maintain one LSDB for each connected area and disseminate routing information between areas. Autonomous System Boundary Router (ASBR)—a router that acts as a gateway  between the OSPF domain and non‐OSPF domains, such as RIP, BGP, and static routes. Figure 48. OSPF Domain and an Autonomous System OSPF Autonomous System Backbone Area 3 Area 0 Inter-Area Routes External (Summary Routes) ASBR Routes Internal ASBR Router Area 1 Area 2 © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 470: Neighbors And Adjacencies
Neighbors and Adjacencies In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each others’ health. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces. All routing devices that share a common network segment, appear in the same area, and have the same health parameters (hello and dead intervals) and authentication parameters respond to each other’s hello packets and become neighbors. Neighbors continue to send periodic hello packets to advertise their health to neighbors. In turn, they listen to hello packets to determine the health of their neighbors and to establish contact with new neighbors. The hello process is used for electing one of the neighbors as the area’s Designated Router (DR) and one as the area’s Backup Designated Router (BDR). The DR is adjacent to all other neighbors and acts as the central contact for database exchanges. Each neighbor sends its database information to the DR, which relays the information to the other neighbors. The BDR is adjacent to all other neighbors (including the DR). Each neighbor sends its database information to the BDR just as with the DR, but the BDR merely stores this data and does not distribute it. If the DR fails, the BDR will take over the task of distributing database information to the other neighbors. The Link-State Database OSPF is a link‐state routing protocol. A link represents an interface (or routable path) from the routing device. By establishing an adjacency with the DR, each routing device in an OSPF area maintains an identical Link‐State Database (LSDB) describing the network topology for its area. Each routing device transmits a Link‐State Advertisement (LSA) on each of its active interfaces. LSAs are entered into the LSDB of each routing device. OSPF uses flooding to distribute LSAs between routing devices. Interfaces may also be passive. Passive interfaces send LSAs to active interfaces, but do not receive LSAs, hello packets, or any other OSPF protocol information from active interfaces. Passive interfaces behave as stub networks, allowing OSPF routing devices to be aware of devices that do otherwise participate in OSPF (either because they do not support it, or because the administrator chooses to restrict OSPF traffic exchange or transit). When LSAs result in changes to the routing device’s LSDB, the routing device forwards the changes to the adjacent neighbors (the DR and BDR) for distribution to the other neighbors. OSPF routing updates occur only when changes occur, instead of periodically. For ...
Page 471: The Shortest Path First Tree
The Shortest Path First Tree The routing devices use a link‐state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination. The cost of an individual interface in OSPF is an indication of the overhead required to send packets across it. The cost is inversely proportional to the bandwidth of the interface. A lower cost indicates a higher bandwidth. Internal Versus External Routing To ensure effective processing of network traffic, every routing device on your network needs to know how to send a packet (directly or indirectly) to any other location/destination in your network. This is referred to as internal routing and can be done with static routes or using active internal routing protocols, such as OSPF, RIP, or RIPv2. It is also useful to tell routers outside your network (upstream providers or peers) about the routes you have access to in your network. Sharing of routing information between autonomous systems is known as external routing. Typically, an AS will have one or more border routers (peer routers that exchange routes with other OSPF networks) as well as an internal routing system enabling every router in that AS to reach every other router and destination within that AS. When a routing device advertises routes to boundary routers on other autonomous systems, it is effectively committing to carry data to the IP space represented in the route being advertised. For example, if the routing device advertises 192.204.4.0/24, it is declaring that if another router sends data destined for any address in the 192.204.4.0/24 range, it will carry that data to its destination. © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 472: Ospfv2 Implementation In Enterprise Nos
OSPFv2 Implementation in Enterprise NOS Enterprise NOS supports a single instance of OSPF and up to 2K routes on the network. The following sections describe OSPF implementation in Enterprise NOS:  “Configurable Parameters” on page 472 “Defining Areas” on page 473   “Interface Cost” on page 475 “Electing the Designated Router and Backup” on page 475   “Summarizing Routes” on page 475 “Default Routes” on page 476   “Virtual Links” on page 477 “Router ID” on page 477   “Authentication” on page 478 Configurable Parameters In Enterprise NOS, OSPF parameters can be configured through the Command Line Interfaces (CLI/ISCLI), Browser‐Based Interface (BBI), or through SNMP. For more information, see “Switch Administration” on page 29.” The CLI supports the following parameters: interface output cost, interface ...
Page 473: Defining Areas
The aindex <area index> option is actually just an arbitrary index (0‐2) used only by the CN4093. This index does not necessarily represent the OSPF area number, though for configuration simplicity, it should where possible. For example, both of the following sets of commands define OSPF area 0 (the backbone) and area 1 because that information is held in the area ID portion of the command. However, the first set of commands is easier to maintain because the arbitrary area indexes agree with the area IDs:  Area index and area ID agree area 0 area-id 0.0.0.0 (Use index 0 to set area 0 in ID octet format) area 1 area-id 0.0.0.1 (Use index 1 to set area 1 in ID octet format) Area index set to an arbitrary value  area 1 area-id 0.0.0.0 (Use index 1 to set area 0 in ID octet format) area 2 area-id 0.0.0.1 (Use index 2 to set area 1 in ID octet format) © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 474: Using The Area Id To Assign The Ospf Area Number
Using the Area ID to Assign the OSPF Area Number The OSPF area number is defined in the areaid <IP address> option. The octet format is used to be compatible with two different systems of notation used by other OSPF network vendors. There are two valid ways to designate an area ID:  Single Number Most common OSPF vendors express the area ID number as a single number. For example, the Cisco IOS‐based router command “network 1.1.1.0 0.0.0.255 area 1” defines the area number simply as “area 1.” Multi‐octet (IP address): Placing the area number in the last octet (0.0.0.n)  Some OSPF vendors express the area ID number in multi‐octet format. For example, “area 0.0.0.2” represents OSPF area 2 and can be specified directly on the CN4093 as “area-id 0.0.0.2”. On the CN4093, using the last octet in the area ID, “area 1” is equivalent to “area-id 0.0.0.1”. Note: Although both types of area ID formats are supported, be sure that the area IDs are in the same format throughout an area. Attaching an Area to a Network Once an OSPF area has been defined, it must be associated with a network. To ...
Page 475: Interface Cost
CN 4093(config-ip-if)# exit Summarizing Routes Route summarization condenses routing information. Without summarization, each routing device in an OSPF network would retain a route to every subnet in the network. With summarization, routing devices can reduce some sets of routes to a single advertisement, reducing both the load on the routing device and the perceived complexity of the network. The importance of route summarization increases with network size. Summary routes can be defined for up to 16 IP address ranges using the following command: CN 4093(config)# router ospf CN 4093(config-router-ospf)# area-range <range number> address <IP address> <mask> where <range number> is a number 1 to 16, <IPv4 address> is the base IP address for the range, and <subnet mask> is the IPv4 address mask for the range. For a detailed configuration example, see “Example 3: Summarizing Routes” on page 488. Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Enterprise NOS” on page 491). © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 476: Default Routes
Default Routes When an OSPF routing device encounters traffic for a destination address it does not recognize, it forwards that traffic along the default route. Typically, the default route leads upstream toward the backbone until it reaches the intended area or an external router. Each CN4093 acting as an ABR automatically inserts a default route into each attached area. In simple OSPF stub areas or NSSAs with only one ABR leading upstream (see Area 1 in Figure 49), any traffic for IP address destinations outside the area is forwarded to the switch’s IP interface, and then into the connected transit area (usually the backbone). Since this is automatic, no further configuration is required for such areas. Figure 49. Injecting Default Routes Backbone Stub Area Stub Area Metric: Metric: Area 0 Area 2 Area 1 IF 1 IF 2 Priority Priority default route Default default route route Metric: ASBR to...
Page 477: Virtual Links
For a detailed configuration example on Virtual Links, see “Example 2: Virtual Links” on page 485. Router ID Routing devices in OSPF areas are identified by a router ID, expressed in IP address format. The router ID is not required to be part of any IP interface range or in any OSPF area, and may even use the CN4093 loopback interface (see “Loopback Interfaces in OSPF” on page 481). The router ID can be configured in one of the following two ways:  Dynamically (the default)—OSPF protocol configures the router ID as the lowest IP loopback interface IP address, if available, or else the lowest IP interface IP address, if available. Once dynamically configured, the router ID does not nor‐ mally undergo further updates.  Statically—Use the following command to manually configure the router ID: CN 4093(config-router-ospf)# ip router-id <IPv4 address> To change the router ID from static to dynamic, set the router ID to 0.0.0.0, save the configuration, and reboot the CN4093. To view the router ID, enter: CN 4093(config-router-ospf)# show ip ospf © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 478: Authentication
Authentication OSPF protocol exchanges can be authenticated so that only trusted routing devices can participate. This ensures less processing on routing devices that are not listening to OSPF packets. OSPF allows packet authentication and uses IP multicast when sending and receiving packets. Routers participate in routing domains based on pre‐defined passwords. Enterprise NOS supports simple password (type 1 plain text passwords) and MD5 cryptographic authentication. This type of authentication allows a password to be configured per area. We strongly recommend that you implement MD5 cryptographic authentication as a best practice. Figure shows authentication configured for area 0 with the password test. Simple authentication is also configured for the virtual link between area 2 and area 0. Area 1 is not configured for OSPF authentication. Figure 50. OSPF Authentication Area 0 Area 1 Simple authentication key=test Application Switch 2 IF 1 IF 2 Switch 3 Application IF 4 Switch 1 Application IF 3 Switch 5...
Page 479: Configuring Plain Text Ospf Passwords
CN 4093(config)# interface ip 3 CN 4093(config-ip-if)# ip ospf key test CN 4093(config-ip-if)# exit 3. Enable OSPF authentication for Area 2 on switch 4. CN 4093(config)# router ospf CN 4093(config-router-ospf)# area 2 authentication-type password 4. Configure a simple text password up to eight characters for the virtual link between Area 2 and Area 0 on switches 2 and 4. CN 4093(config-router-ospf)# area-virtual-link 1 key IBM © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 480: Configuring Md5 Authentication
Configuring MD5 Authentication Use the following commands to configure MD5 authentication on the switches shown in Figure 1. Enable OSPF MD5 authentication for Area 0 on switches 1, 2, and 3. CN 4093(config-router-ospf)# area 0 authentication-type md5 2. Configure MD5 key ID for Area 0 on switches 1, 2, and 3. CN 4093(config-router-ospf)# message-digest-key 1 md5-key test CN 4093(config-router-ospf)# exit 3. Assign MD5 key ID to OSPF interfaces on switches 1, 2, and 3. CN 4093(config)# interface ip 1 CN 4093(config-ip-if)# ip ospf message-digest-key 1 CN 4093(config-ip-if)# exit CN 4093(config)# interface ip 2 CN 4093(config-ip-if)# ip ospf message-digest-key 1 CN 4093(config-ip-if)# exit...
Page 481: Host Routes For Load Balancing
If redundant routes via multiple routing processes (such as OSPF, RIP, BGP, or static routes) exist on your network, the switch defaults to the OSPF‐derived route. Loopback Interfaces in OSPF Because loopback interfaces are always available on the switch, loopback interfaces may present an advantage when used as the router ID. If dynamic router ID selection is used (see “Router ID” on page 477), loopback interfaces can be used to force router ID selection. If a loopback interface is configured, its IP address is automatically selected as the router ID, even if other IP interfaces have lower IP addresses. If more than one loopback interface is configured, the lowest loopback interface IP address is selected. Loopback interfaces can be advertised into the OSPF domain by specifying an OSPF host route with the loopback interface IP address. To enable OSPF on an existing loopback interface: CN 4093(config)# interface loopback <1‐5> CN 4093(config-ip-loopback)# ip ospf area <area ID> enable CN 4093(config-ip-loopback)# exit © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 482: Ospf Features Not Supported
OSPF Features Not Supported The following OSPF features are not supported in this release:  Summarizing external routes  Filtering OSPF routes  Using OSPF to forward multicast routes  Configuring OSPF on non‐broadcast multi‐access networks (such as frame relay, X.25, or ATM) CN4093 Application Guide for N/OS 8.4...
Page 483: Ospfv2 Configuration Examples
Example 1: Simple OSPF Domain In this example, two OSPF areas are defined—one area is the backbone and the other is a stub area. A stub area does not allow advertisements of external routes, thus reducing the size of the database. Instead, a default summary route of IP address 0.0.0.0 is automatically inserted into the stub area. Any traffic for IP address destinations outside the stub area will be forwarded to the stub area’s IP interface, and then into the backbone. Figure 51. A Simple OSPF Domain Backbone Stub Area Area 0 Area 1 (0.0.0.0) (0.0.0.1) IF 1 IF 2 10.10.7.1 10.10.12.1 Network Network 10.10.7.0/24 10.10.12.0/24 © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 484 Follow this procedure to configure OSPF support as shown in Figure 1. Configure IP interfaces on each network that will be attached to OSPF areas. In this example, two IP interfaces are needed:  Interface 1 for the backbone network on 10.10.7.0/24  Interface 2 for the stub area network on 10.10.12.0/24 CN 4093(config)# interface ip 1 CN 4093(config-ip-if)# ip address 10.10.7.1 255.255.255.0 enable CN 4093(config-ip-if)# exit CN 4093(config)# interface ip 2 CN 4093(config-ip-if)# ip address 10.10.12.1 255.255.255.0 enable CN 4093(config-ip-if)# exit Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Enterprise NOS” on page 491).
Page 485: Example 2: Virtual Links
CN 4093(config)# ip router-id 10.10.10.1 3. Enable OSPF. CN 4093(config)# router ospf CN 4093(config-router-ospf)# enable 4. Define the backbone. CN 4093(config-router-ospf)# area 0 area-id 0.0.0.0 CN 4093(config-router-ospf)# area 0 type transit CN 4093(config-router-ospf)# area 0 enable © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 486: Configuring Ospf For A Virtual Link On Switch #2
5. Define the transit area. The area that contains the virtual link must be configured as a transit area. CN 4093(config-router-ospf)# area 1 area-id 0.0.0.1 CN 4093(config-router-ospf)# area 1 type transit CN 4093(config-router-ospf)# area 1 enable CN 4093(config-router-ospf)# exit 6. Attach the network interface to the backbone. CN 4093(config)# interface ip 1 CN 4093(config-ip-if)# ip ospf area 0 CN 4093(config-ip-if)# ip ospf enable CN 4093(config-ip-if)# exit 7.
Page 487 CN 4093(config-ip-if)# ip ospf area 1 CN 4093(config-ip-if)# ip ospf enable CN 4093(config-ip-if)# exit 8. Attach the network interface to the stub area. CN 4093(config)# interface ip 2 CN 4093(config-ip-if)# ip ospf area 2 CN 4093(config-ip-if)# ip ospf enable CN 4093(config-ip-if)# exit © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 488: Other Virtual Link Options
9. Configure the virtual link. The nbr router ID configured in this step must be the same as the router ID that was configured for switch #1 in Step 2 on page 485. CN 4093(config)# router ospf CN 4093(config-router-ospf)# area-virtual-link 1 area 1 CN 4093(config-router-ospf)# area-virtual-link 1 neighbor-router 10.10.10.1 CN 4093(config-router-ospf)# area-virtual-link 1 enable Other Virtual Link Options  You can use redundant paths by configuring multiple virtual links.  Only the endpoints of the virtual link are configured. The virtual link path may traverse multiple routers in an area as long as there is a routable path between the endpoints. Example 3: Summarizing Routes By default, ABRs advertise all the network addresses from one area into another ...
Page 489 CN 4093(config-ip-if)# ip ospf enable CN 4093(config-ip-if)# exit 7. Configure route summarization by specifying the starting address and mask of the range of addresses to be summarized. CN 4093(config)# router ospf CN 4093(config-router-ospf)# area-range 1 address 36.128.192.0 255.255.192.0 CN 4093(config-router-ospf)# area-range 1 area 1 CN 4093(config-router-ospf)# area-range 1 enable CN 4093(config-router-ospf)# exit © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 490: Verifying Ospf Configuration
8. Use the hide command to prevent a range of addresses from advertising to the backbone. CN 4093(config)# router ospf CN 4093(config-router-ospf)# area-range 2 address 36.128.200.0 255.255.255.0 CN 4093(config-router-ospf)# area-range 2 area 1 CN 4093(config-router-ospf)# area-range 2 hide CN 4093(config-router-ospf)# exit Verifying OSPF Configuration Use the following commands to verify the OSPF configuration on your switch: show ip ospf  show ip ospf neighbor ...
Page 491: Ospfv3 Implementation In Enterprise Nos
CN 4093(config)# interface ip <Interface number> (Configure OSPFv3) CN 4093(config-ip-if)# ipv6 ospf ? (OSPFv3 interface config) CN 4093# show ipv6 ospf ? (Show OSPFv3 information) OSPFv3 Identifies Neighbors by Router ID Where OSPFv2 uses a mix of IPv4 interface addresses and Router IDs to identify neighbors, depending on their type, OSPFv3 configuration consistently uses a Router ID to identify all neighbors. Although Router IDs are written in dotted decimal notation, and may even be based on IPv4 addresses from an original OSPFv2 network configuration, it is important to realize that Router IDs are not IP addresses in OSPFv3, and can be assigned independently of IP address space. However, maintaining Router IDs consistent with any legacy OSPFv2 IPv4 addressing allows for easier implementation of both protocols. © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 492: Other Internal Improvements
Other Internal Improvements OSPFv3 has numerous improvements that increase the protocol efficiency in addition to supporting IPv6 addressing. These improvements change some of the behaviors in the OSPFv3 network and may affect topology consideration, but have little direct impact on configuration. For example:  Addressing fields have been removed from Router and Network LSAs.  Flexible treatment of unknown LSA types to make integration of OSPFv3 easier.  Interface network type can be specified using the command: ipv6 ospf network {broadcast| CN 4093(config-ip-if)# |non-broadcast|point-to-multipoint|point-to-point}  For an interface network type that is not broadcast or NBMA, link LSA suppression can be enabled so link LSA is not originated for the interface. Use ipv6 ospf linklsasuppress the command: CN 4093(config-ip-if)# OSPFv3 Limitations Enterprise NOS 8.4 does not currently support the following OSPFv3 features:  Multiple instances of OSPFv3 on one IPv6 link. OSPFv3 Configuration Example The following example depicts the OSPFv3 equivalent configuration of “Example 3: Summarizing Routes” on page 488 for OSPFv2.
Page 493 CN 4093(config-ip-if)# ipv6 ospf area 0 CN 4093(config-ip-if)# ipv6 ospf enable CN 4093(config-ip-if)# exit The ipv6 command path is used instead of the OSPFv2 ip command path 6. Attach the network interface to the stub area. CN 4093(config)# interface ip 4 CN 4093(config-ip-if)# ipv6 ospf area 1 CN 4093(config-ip-if)# ipv6 ospf enable CN 4093(config-ip-if)# exit The ipv6 command path is used instead of the OSPFv2 ip command path. © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 494 7. Configure route summarization by specifying the starting address and prefix length of the range of addresses to be summarized. CN 4093(config)# ipv6 router ospf CN 4093(config-router-ospf3)# area-range 1 address 36:0:0:0:0:0:0:0 32 CN 4093(config-router-ospf3)# area-range 1 area 0 CN 4093(config-router-ospf3)# area-range 1 enable This differs from OSPFv2 only in that the OSPFv3 command path is used, and the address and prefix are specified in IPv6 format. 8. Use the hide command to prevent a range of addresses from advertising to the backbone. CN 4093(config-router-ospf)# area-range 2 address 36:0:0:0:0:0:0:0 8 CN 4093(config-router-ospf)# area-range 2 area 0 CN 4093(config-router-ospf)# area-range 2 hide CN 4093(config-router-ospf)# exit This differs from OSPFv2 only in that the OSPFv3 command path is used, and the ...
Page 495: Neighbor Configuration Example
CN 4093(config-router-ospf3)# area 0 type transit CN 4093(config-router-ospf3)# area 0 enable 4. Configure neighbor entry: CN 4093(config-router-ospf3)# neighbor 1 address fe80:0:0:0:dceb:ff:fe00:9 CN 4093(config-router-ospf3)# neighbor 1 interface 10 CN 4093(config-router-ospf3)# neighbor 1 priority 1 CN 4093(config-router-ospf3)# neighbor 1 enable © Copyright Lenovo 2017 Chapter 30: OSPF...
Page 496 CN4093 Application Guide for N/OS 8.4...
Page 497: Chapter 31. Protocol Independent Multicast
“Additional Sparse Mode Settings” on page 502 “Using PIM with Other Features” on page 504   “PIM Configuration Examples” on page 505 PIM Overview PIM is designed for efficiently routing multicast traffic across one or more IPv4 domains. This has benefits for application such as IP television, collaboration, education, and software delivery, where a single source must deliver content (a multicast) to a group of receivers that span both wide‐area and inter‐domain networks. Instead of sending a separate copy of content to each receiver, a multicast derives efficiency by sending only a single copy of content toward its intended receivers. This single copy only becomes duplicated when it reaches the target domain that includes multiple receivers, or when it reaches a necessary bifurcation point leading to different receiver domains. PIM is used by multicast source stations, client receivers, and intermediary routers and switches, to build and maintain efficient multicast routing trees. PIM is protocol independent; It collects routing information using the existing unicast routing functions underlying the IPv4 network, but does not rely on any particular unicast protocol. For PIM to function, a Layer 3 routing protocol (such as BGP, OSPF, RIP, or static routes) must first be configured on the switch. PIM‐SM is a reverse‐path routing mechanism. Client receiver stations advertise their willingness to join a multicast group. The local routing and switching devices collect multicast routing information and forward the request toward the station that will provide the multicast content. When the join requests reach the sending station, the multicast data is sent toward the receivers, flowing in the opposite direction of the original join requests. Some routing and switching devices perform special PIM‐SM functions. Within each receiver domain, one router is elected as the Designated Router (DR) for handling multicasts for the domain. DRs forward information to a similar device, the Rendezvous Point (RP), which holds the root tree for the particular multicast group. © Copyright Lenovo 2017...
Page 498: Supported Pim Modes And Features
Receiver join requests as well as sender multicast content initially converge at the RP, which generates and distributes multicast routing data for the DRs along the delivery path. As the multicast content flows, DRs use the routing tree information obtained from the RP to optimize the paths both to and from send and receive stations, bypassing the RP for the remainder of content transactions if a more efficient route is available. DRs continue to share routing information with the RP, modifying the multicast routing tree when new receivers join, or pruning the tree when all the receivers in any particular domain are no longer part of the multicast group. Supported PIM Modes and Features For each interface attached to a PIM network component, PIM can be configured to operate either in PIM Sparse Mode (PIM‐SM) or PIM Dense Mode (PIM‐DM).  PIM‐SM is used in networks where multicast senders and receivers comprise a relatively small (sparse) portion of the overall network. PIM‐SM uses a more complex process than PIM‐DM for collecting and optimizing multicast routes, but minimizes impact on other IP services and is more commonly used.  PIM‐DM is used where multicast devices are a relatively large (dense) portion of the network, with very frequent (or constant) multicast traffic. PIM‐DM requires less configuration on the switch than PIM‐SM, but uses broadcasts that can consume more bandwidth in establishing and optimizing routes. The following PIM modes and features are not currently supported in Enterprise NOS 8.4: Hybrid Sparse‐Dense Mode (PIM‐SM/DM). Sparse Mode and Dense Mode may  be configured on separate IP interfaces on the switch, but are not currently supported simultaneously on the same IP interface.  PIM Source‐Specific Multicast (PIM‐SSM)  Anycast RP  PIM RP filters  Only configuration via the switch ISCLI is supported. PIM configuration is currently not available using the menu‐based CLI, the BBI, or via SNMP.
Page 499: Basic Pim Settings
CN 4093(config)# [no] ip pim enable Defining a PIM Network Component The CN4093 can be attached to a maximum of two independent PIM network components. Each component represents a different PIM network, and can be defined for either PIM‐SM or PIM‐DM operation. Basic PIM component configuration is performed using the following commands: CN 4093(config)# ip pim component <1‐2> CN 4093(config-ip-pim-comp)# mode {sparse|dense} CN 4093(config-ip-pim-comp)# exit The sparse option will place the component in Sparse Mode (PIM‐SM). The dense option will place the component in Dense Mode (PIM‐DM). By default, PIM component 1 is configured for Sparse Mode. PIM component 2 is non configured by default. Note: A component using PIM‐SM must also be configured with a dynamic or static Rendezvous Point (see “Specifying the Rendezvous Point” on page 502). © Copyright Lenovo 2017 Chapter 31: Protocol Independent Multicast...
Page 500: Defining An Ip Interface For Pim Use
Defining an IP Interface for PIM Use Each network attached to an IP interface on the switch may be assigned one of the available PIM components. The same PIM component can be assigned to multiple IP interfaces. The interfaces may belong to the same VLAN, but each interface can belong to only one VLAN. To define an IP interface for use with PIM, first configured the interface with an IPv4 address and VLAN as follows: CN 4093(config)# interface ip <Interface number> CN 4093(config-ip-if)# ip address <IPv4 address> <IPv4 mask> CN 4093(config-ip-if)# vlan <VLAN number> CN 4093(config-ip-if)# enable Note: The PIM feature currently supports only one VLAN for each IP interface. Configurations where different interfaces on different VLANs share IP addresses are not supported. Next, PIM must be enabled on the interface, and the PIM network component ID must be specified: CN 4093(config-ip-if)# ip pim enable CN 4093(config-ip-if)# ip pim component-id <1‐2>...
Page 501 To remove a PIM neighbor from the accepted list, use the following command. CN 4093(config-ip-if)# ip pim neighbor-addr <neighbor IPv4 address> deny CN 4093(config-ip-if)# exit You can view configured PIM neighbor filters globally or for a specific IP interface using the following commands: CN 4093(config)# show ip pim neighbor-filters CN 4093(config)# show ip pim interface <Interface number> neighbor-filters © Copyright Lenovo 2017 Chapter 31: Protocol Independent Multicast...
Page 502: Additional Sparse Mode Settings
Additional Sparse Mode Settings Specifying the Rendezvous Point Using PIM‐SM, at least one PIM‐capable router must be a candidate for use as a Rendezvous Point (RP) for any given multicast group. If desired, the CN4093 can act as an RP candidate. To assign a configured switch IP interface as a candidate, use the following procedure. 1. Select the PIM component that will represent the RP candidate: CN 4093(config)# ip pim component <1‐2> 2. Configure the IPv4 address of the switch interface which will be advertised as a candidate RP for the specified multicast group: CN 4093(config-ip-pim-comp)# rp-candidate rp-address <group address> <group address mask> <candidate IPv4 address> The switch interface will participate in the election of the RP that occurs on the Bootstrap Router, or BSR (see “Specifying a Bootstrap Router” on page 503). Alternately, if no election is desired, the switch can provide a static RP, specified using the following command: CN 4093(config-ip-pim-comp)# rp-static rp-address <group address> <group address mask>...
Page 503: Specifying A Bootstrap Router
Specifying a Bootstrap Router Using PIM‐SM, a Bootstrap Router (BSR) is a PIM‐capable router that hosts the election of the RP from available candidate routers. For each PIM‐enabled IP interface, the administrator can set the preference level for which the local interface becomes the BSR: CN 4093(config)# interface ip <Interface number> CN 4093(config-ip-if)# ip pim cbsr-preference <0 to 255> CN 4093(config-ip-if)# exit A value of 255 highly prefers the local interface as a BSR. A value of ‐1 indicates that the PIM CBSR preference is not configured on the local interface. © Copyright Lenovo 2017 Chapter 31: Protocol Independent Multicast...
Page 504: Using Pim With Other Features
Using PIM with Other Features PIM with ACLs or VMAPs If using ACLs or VMAPs, be sure to permit traffic for local hosts and routers. PIM with IGMP If using IGMP (see “Internet Group Management Protocol” on page 435):  IGMP static joins can be configured with a PIM‐SM or PIM‐DM multicast group IPv4 address. Using the ISCLI: CN 4093(config)# ip mroute <multicast group IPv4 address> <VLAN> <port>  IGMP Query is disabled by default. If IGMP Querier is needed with PIM, be sure to enable the IGMP Query feature globally, as well as on each VLAN where it is needed. If the switch is connected to multicast receivers and/or hosts, be sure to enable  IGMP snooping globally, as well as on each VLAN where PIM receivers are attached. CN4093 Application Guide for N/OS 8.4...
Page 505: Pim Configuration Examples
The IP interface represents the PIM network being connected to the switch. The IPv4 addresses in the defined range must not be included in another IP interface on the switch under a different VLAN. 4. Enable PIM on the IP interface and assign the PIM component: CN 4093(config-ip-if)# ip pim enable CN 4093(config-ip-if)# ip pim component-id 1 Note: Because, PIM component 1 is assigned to the interface by default, the component-id command is needed only if the setting has been previously changed. 5. Set the Bootstrap Router (BSR) preference: CN 4093(config-ip-if)# ip pim cbsr-preference 135 CN 4093(config-ip-if)# exit © Copyright Lenovo 2017 Chapter 31: Protocol Independent Multicast...
Page 506: Example 2: Pim-Sm With Static Rp
Figure 55. Network with both PIM‐DM and PIM‐SM Components PIM-SM PIM-DM Multicast Multicast 225.1.0.0/16 239.1.0.0/16 PIM Enabled Lenovo Switch IP Interface 11 IP Interface 22 IP 10.10.1.1 IP 10.10.1.2 VLAN 101 VLAN 102 Component 1 Component 2 Media Servers CN4093 Application Guide for N/OS 8.4...
Page 507 CN 4093(config)# ip pim pmbr enable CN 4093(config)# interface ip 22 CN 4093(config-ip-if)# ip pim border-bit CN 4093(config-ip-if)# exit CN 4093(config)# interface ip 11 CN 4093(config-ip-if)# ip pim border-bit CN 4093(config-ip-if)# exit Note: For PIM Dense Mode, the DR, RP, and BSR settings do not apply. © Copyright Lenovo 2017 Chapter 31: Protocol Independent Multicast...
Page 508 CN4093 Application Guide for N/OS 8.4...
Page 509: Part 6: High Availability Fundamentals
Part 6: High Availability Fundamentals Internet traffic consists of myriad services and applications which use the Internet Protocol (IP) for data delivery. However, IP is not optimized for all the various applications. High Availability goes beyond IP and makes intelligent switching decisions to provide redundant network configurations. © Copyright Lenovo 2017...
Page 510 CN4093 Application Guide for N/OS 8.4...
Page 511: Chapter 32. Basic Redundancy
Enterprise NOS 8.4 includes various features for providing basic link or device redundancy:  “Aggregation for Link Redundancy” on page 511  “Hot Links” on page 512 Aggregation for Link Redundancy Multiple switch ports can be combined together to form robust, high‐bandwidth LAGs to other devices. Since LAGs are comprised of multiple physical links, the LAG is inherently fault tolerant. As long as one connection between the switches is available, the LAG remains active. In Figure 56, four ports are aggregated together between the switch and the enterprise routing device. Connectivity is maintained as long as one of the links remains active. The links to the server are also aggregated, allowing the secondary NIC to take over in the event that the primary NIC link fails. Figure 56. Aggregating Ports for Link Redundancy Enterprise Server Routing Switch NIC 1 Internet NIC 2 For more information about aggregation, see “Ports and Link Aggregation (LAG)” on page 157. © Copyright Lenovo 2017...
Page 512: Hot Links
Hot Links Hot Links provides basic link redundancy with fast recovery. Hot Links consists of up to 200 triggers. A trigger consists of a pair of layer 2 interfaces, each containing an individual port, LAG, or LACP adminkey. One interface is the Master, and the other is a Backup. While the Master interface is set to the active state and forwards traffic, the Backup interface is set to the standby state and blocks traffic until the Master interface fails. If the Master interface fails, the Backup interface is set to active and forwards traffic. Once the Master interface is restored, it transitions to the standby state and blocks traffic until the Backup interface fails. You may select a physical port, static LAG, or an LACP adminkey as a Hot Link interface. Only external uplink ports can be members of a Hot Links trigger interface. Forward Delay The Forward Delay timer allows Hot Links to monitor the Master and Backup interfaces for link stability before selecting one interface to transition to the active state. Before the transition occurs, the interface must maintain a stable link for the duration of the Forward Delay interval. For example, if you set the Forward delay timer to 10 seconds using the command: CN 4093(config)# hotlinks trigger <x> forward-delay 10 the switch will select an interface to become active only if a link remained stable for the duration of the Forward Delay period. If the link is unstable, the Forward Delay period starts again. Preemption You can configure the Master interface to resume the active state whenever it becomes available. With Hot Links preemption enabled, the Master interface transitions to the active state immediately upon recovery. The Backup interface immediately transitions to the standby state. If Forward Delay is enabled, the transition occurs when an interface has maintained link stability for the duration of the Forward Delay period. FDB Update Use the FDB update option to notify other devices on the network about updates to ...
Page 513: Configuration Guidelines
Configuring Hot Links Use the following commands to configure Hot Links. CN 4093(config)# hotlinks trigger 1 enable (Enable Hot Links Trigger 1) CN 4093(config)# hotlinks trigger 1 master port 38 (Add port to Master interface) CN 4093(config)# hotlinks trigger 1 backup port 39 (Add port to Backup interface) CN 4093(config)# hotlinks enable (Turn on Hot Links) © Copyright Lenovo 2017 Chapter 32: Basic Redundancy...
Page 514 CN4093 Application Guide for N/OS 8.4...
Page 515: Chapter 33. Layer 2 Failover
Chapter 33. Layer 2 Failover The primary application for Layer 2 Failover is to support Network Adapter Teaming. With Network Adapter Teaming, all the NICs on each server share the same IP address, and are configured into a team. One NIC is the primary link, and the other is a standby link.For more details, refer to the documentation for your Ethernet adapter. Note: Only two links per server blade can be used for Layer 2 LAG Failover (one primary and one backup). Network Adapter Teaming allows only one backup NIC for each server blade. © Copyright Lenovo 2017...
Page 516: Auto Monitoring Lag Links
Auto Monitoring LAG Links Layer 2 Failover can be enabled on any LAG in the CN4093, including LACP LAGs. LAGs can be added to failover trigger groups. Then, if some specified number of trigger links fail, the switch disables all the internal ports in the switch (unless VLAN Monitor is turned on). When the internal ports are disabled, it causes the NIC team on the affected server blades to failover from the primary to the backup NIC. This process is called a failover event. When the appropriate number of links in a trigger group return to service, the switch enables the internal ports. This causes the NIC team on the affected server blades to fail back to the primary switch (unless Auto‐Fallback is disabled on the NIC team). The backup switch processes traffic until the primary switch’s internal links come up, which can take up to five seconds. VLAN Monitor The VLAN Monitor allows Layer 2 Failover to discern different VLANs. With VLAN Monitor turned on:  If enough links in a trigger fail (see “Setting the Failover Limit” on page 518), the switch disables all internal ports that reside in the same VLAN membership as the LAG(s) in the trigger.  When enough links in the trigger return to service, the switch enables the internal ports that reside in the same VLAN membership as the LAG(s) in the trigger. If you turn off the VLAN Monitor (CN 4093# no failover vlan), only one failover trigger is allowed. When a link failure occurs on the trigger, the switch disables all internal server‐blade ports. Auto Monitor Configurations Figure 57 is an example of Layer 2 Failover. One CN4093 is the primary and the other is used as a backup. In this example, all external ports on the primary switch ...
Page 517 Trigger 2 Server 2 Internet Server 3 Trigger 1 Server 4 Switch 2 Enterprise Trigger 2 Routing Switch VLAN 1: VLAN 2: VLAN Monitor = On Figure 59 shows a configuration with two LAGs. VLAN Monitor is turned off, so only one Failover Trigger is configured on each switch. Switch 1 is the primary switch for Server 1 and Server 2. Switch 2 is the primary switch for Server 3 and Server 4. STP is turned off. If all links in trigger 1 go down, switch 1 disables all internal links to server blades. © Copyright Lenovo 2017 Chapter 33: Layer 2 Failover...
Page 518: Setting The Failover Limit
Figure 59. Two LAGs, one Failover Trigger Trigger 1 Switch 1 Server 1 Server 2 Internet Server 3 Trigger 1 Server 4 Switch 2 Enterprise Routing Switch VLAN 1: VLAN 2: VLAN Monitor = Off Setting the Failover Limit The failover limit lets you specify the minimum number of operational links required within each trigger before the trigger initiates a failover event. For example, if the limit is two, a failover event occurs when the number of operational links in the trigger is two or fewer. When you set the limit to zero, the switch triggers a failover event only when no links in the trigger are operational. CN4093 Application Guide for N/OS 8.4...
Page 519: Manually Monitoring Port Links
Control Port State A control port is considered Operational if the monitor trigger is up. As long as the trigger is up, the port is considered operational from a teaming perspective, even if the port itself is actually in the Down state, Blocking state (if STP is enabled on the port), or Not Aggregated state (if part of an LACP LAG). A control port is considered to have failed only if the monitor trigger is in the Down state. To view the state of any port, use one of the following commands: CN 4093# show interface link (View port link status) CN 4093# show interface port <x> spanning-tree stp <x> (View port STP status) CN 4093# show lacp information (View port LACP status) © Copyright Lenovo 2017 Chapter 33: Layer 2 Failover...
Page 520: L2 Failover With Other Features
L2 Failover with Other Features L2 Failover works together with Link Aggregation Control Protocol (LACP) and with Spanning Tree Protocol (STP), as described in the next sections. LACP Link Aggregation Control Protocol allows the switch to form dynamic LAGs. You can use the admin key to add up to two LACP LAGs to a failover trigger using automatic monitoring. When you add an admin key to a trigger, any LACP LAG with that admin key becomes a member of the trigger. Note: If you change the LACP system priority on an LACP aggregation, the failover trigger goes down. Spanning Tree Protocol If Spanning Tree Protocol (STP) is enabled on the ports in a failover trigger, the switch monitors the port STP state rather than the link state. A port failure results when STP is not in a Forwarding state (such as Learning, Discarding or No Link). The switch automatically disables the appropriate internal ports, based on the VLAN monitor. When the switch determines that ports in the trigger are in STP Forwarding state, then it automatically enables the appropriate internal ports, based on the VLAN monitor. The switch fails back to normal operation. CN4093 Application Guide for N/OS 8.4...
Page 521: Configuration Guidelines
All external ports in all static or LACP LAGs added to any specific failover trigger must belong to the same VLAN. A maximum of two LACP keys can be added per trigger.   When VLAN Monitor is on, the following additional guidelines apply: All external ports in all static or LACP LAGs added to a specific failover  trigger must belong to the same VLAN and have the same PVID. Different triggers are not permitted to operate on the same VLAN.  Different triggers are not permitted to operate on the same internal port.  For each port in each LAG in a specific failover trigger, the trigger will  monitor the STP state on only the default PVID. Manual Monitor Guidelines  A Manual Monitor can monitor only external ports. Any specific failover trigger can monitor external ports only, static LAGs only, or  LACP LAGs only. The different types cannot be combined in the same trigger.  A maximum of two LACP keys can be added per trigger.  Management ports, FC ports and stacking ports cannot be monitored.  Control ports for different triggers must not overlap. Monitor ports may overlap. © Copyright Lenovo 2017 Chapter 33: Layer 2 Failover...
Page 522: Configuring Layer 2 Failover
Configuring Layer 2 Failover Auto Monitor Example The following procedure pertains to the configuration shown in Figure 1. Configure Network Adapter Teaming on the servers. 2. Define a LAG on the CN4093. CN 4093(config)# portchannel 1 port EXT1,EXT2,EXT3 enable 3. Configure Failover parameters. CN 4093(config)# failover trigger 1 enable CN 4093(config)# failover trigger 1 limit <0‐1024> CN 4093(config)# failover trigger 1 amon portchannel 1 4.
Page 523: Chapter 34. Virtual Router Redundancy Protocol
“Enterprise NOS Extensions to VRRP” on page 529. This section describes VRRP enhancements implemented in Enterprise NOS.  “Virtual Router Deployment Considerations” on page 530. This section describes issues to consider when deploying virtual routers.  “High Availability Configurations” on page 531. This section discusses the more useful and easily deployed redundant configurations. “Active‐Active Configuration” on page 531  “Hot‐Standby Configuration” on page 535  VRRP Overview In a high‐availability network topology, no device can create a single point‐of‐failure for the network or force a single point‐of‐failure to any other part of the network. This means that your network will remain in service despite the failure of any single device. To achieve this usually requires redundancy for all vital network components. VRRP enables redundant router configurations within a LAN, providing alternate router paths for a host to eliminate single points‐of‐failure within a network. Each participating VRRP‐capable routing device is configured with the same virtual router IPv4 address and ID number. One of the virtual routers is elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IPv4 address. If the master fails, one of the backup virtual routers will take control of the virtual router IPv4 address and actively process traffic addressed to it. With VRRP, Virtual Interface Routers (VIR) allow two VRRP routers to share an IP interface across the routers. VIRs provide a single Destination IPv4 (DIP) address for upstream routers to reach various servers, and provide a virtual default Gateway for the server blades. © Copyright Lenovo 2017...
Page 524: Vrrp Components
VRRP Components Each physical router running VRRP is known as a VRRP router. Virtual Router Two or more VRRP routers can be configured to form a virtual router (RFC 2338). Each VRRP router may participate in one or more virtual routers. Each virtual router consists of a user‐configured virtual router identifier (VRID) and an IPv4 address. Virtual Router MAC Address The VRID is used to build the virtual router MAC Address. The five highest‐order octets of the virtual router MAC Address are the standard MAC prefix (00‐00‐5E‐00‐01) defined in RFC 2338. The VRID is used to form the lowest‐order octet. Owners and Renters Only one of the VRRP routers in a virtual router may be configured as the IPv4 address owner. This router has the virtual router’s IPv4 address as its real interface address. This router responds to packets addressed to the virtual router’s IPv4 address for ICMP pings, TCP connections, and so on. There is no requirement for any VRRP router to be the IPv4 address owner. Most VRRP installations choose not to implement an IPv4 address owner. For the purposes of this chapter, VRRP routers that are not the IPv4 address owner are called renters. Master and Backup Virtual Router Within each virtual router, one VRRP router is selected to be the virtual router master. See “Selecting the Master VRRP Router” on page 525 for an explanation of the selection process. Note: If the IPv4 address owner is available, it will always become the virtual router master. The virtual router master forwards packets sent to the virtual router. It also ...
Page 525: Virtual Interface Router
Selecting the Master VRRP Router Each VRRP router is configured with a priority between 1–254. A bidding process determines which VRRP router is or becomes the master—the VRRP router with the highest priority. The master periodically sends advertisements to an IPv4 multicast address. As long as the backups receive these advertisements, they remain in the backup state. If a backup does not receive an advertisement for three advertisement intervals, it initiates a bidding process to determine which VRRP router has the highest priority and takes over as master. In addition to the three advertisement intervals, a manually set holdoff time can further delay the backups from assuming the master status. If, at any time, a backup determines that it has higher priority than the current master does, it can preempt the master and become the master itself, unless configured not to do so. In preemption, the backup assumes the role of master and begins to send its own advertisements. The current master sees that the backup has higher priority and will stop functioning as the master. A backup router can stop receiving advertisements for one of two reasons—the master can be down, or all communications links between the master and the backup can be down. If the master has failed, it is clearly desirable for the backup (or one of the backups, if there is more than one) to become the master. Note: If the master is healthy but communication between the master and the backup has failed, there will then be two masters within the virtual router. To prevent this from happening, configure redundant links to be used between the switches that form a virtual router. © Copyright Lenovo 2017 Chapter 34: Virtual Router Redundancy Protocol...
Page 526: Failover Methods
Failover Methods With service availability becoming a major concern on the Internet, service providers are increasingly deploying Internet traffic control devices, such as application switches, in redundant configurations. Traditionally, these configurations have been hot‐standby configurations, where one switch is active and the other is in a standby mode. A non‐VRRP hot‐standby configuration is shown in the figure below: Figure 60. A Non‐VRRP, Hot‐Standby Configuration Intranet Clients Primary Switch IP: 200.200.200.100 Internet Servers NFS Server Client Switches Secondary Switch IP: 200.200.200.101 While hot‐standby configurations increase site availability by removing single points‐of‐failure, service providers increasingly view them as an inefficient use of network resources because one functional application switch sits by idly until a failure calls it into action. Service providers now demand that vendorsʹ equipment support redundant configurations where all devices can process traffic when they are healthy, increasing site throughput and decreasing user response times when no device has failed. Enterprise NOS high availability configurations are based on VRRP. The implementation of VRRP includes proprietary extensions. The Enterprise NOS implementation of VRRP supports the following modes of high availability: Active‐Active—based on proprietary Enterprise NOS extensions to VRRP  ...
Page 527: Active-Active Redundancy
Active (subnet B and D) Hot-Standby Redundancy The primary application for VRRP‐based hot‐standby is to support Server Load Balancing when you have configured Network Adapter Teaming on your server blades. With Network Adapter Teaming, the NICs on each server share the same IPv4 address, and are configured into a team. One NIC is the primary link, and the others are backup links. For more details, refer to the relevant network adapter documentation. The hot‐standby model is shown in Figure Figure 62. Hot‐Standby Redundancy Active 10.10.10.1 Clients Switch 1 Interswitch Servers Link Enterprise Switch 2 Routing Switch 10.10.10.2 Standby Backup Link © Copyright Lenovo 2017 Chapter 34: Virtual Router Redundancy Protocol...
Page 528: Virtual Router Group
Virtual Router Group The virtual router group ties all virtual routers on the switch together as a single entity. By definition, hot‐standby requires that all virtual routers failover as a group, and not individually. As members of a group, all virtual routers on the switch (and therefore the switch itself), are in either a master or standby state. The virtual router group cannot be used for active‐active configurations or any other configuration that require shared interfaces. A VRRP group has the following characteristics:  When enabled, all virtual routers behave as one entity, and all group settings override any individual virtual router settings.  All individual virtual routers, once the VRRP group is enabled, assume the group’s tracking and priority.  When one member of a VRRP group fails, the priority of the group decreases, and the state of the entire switch changes from Master to Standby. Each VRRP advertisement can include up to 128 addresses. All virtual routers are advertised within the same packet, conserving processing and buffering resources. CN4093 Application Guide for N/OS 8.4...
Page 529: Enterprise Nos Extensions To Vrrp
VRRP routerʹs priority in virtual interface routers. Number of active ports on the same Helps elect the virtual routers with the VLAN most available ports as the master. This parameter influences the VRRP routerʹs tracking-priority-increment priority in virtual interface routers. ports Note: In a hot‐standby configuration, only external ports are tracked. Number of virtual routers in master Useful for ensuring that traffic for any mode on the switch particular client/server pair is handled by the same switch, increasing routing tracking-priority-increment efficiency. This parameter influences the virtual-routers VRRP routerʹs priority in virtual interface routers. Each tracked parameter has a user‐configurable weight associated with it. As the count associated with each tracked item increases (or decreases), so does the VRRP routerʹs priority, subject to the weighting associated with each tracked item. If the priority level of a standby is greater than that of the current master, then the standby can assume the role of the master. See “Configuring the Switch for Tracking” on page 530 for an example on how to configure the switch for tracking VRRP priority. © Copyright Lenovo 2017 Chapter 34: Virtual Router Redundancy Protocol...
Page 530: Virtual Router Deployment Considerations
Virtual Router Deployment Considerations Assigning VRRP Virtual Router ID During the software upgrade process, VRRP virtual router IDs will be automatically assigned if failover is enabled on the switch. When configuring virtual routers at any point after upgrade, virtual router ID numbers must be assigned. The virtual router ID may be configured as any number between 1 and 255. Use the following commands to configure the virtual router ID: CN 4093(config)# router vrrp CN 4093(config-vrrp)# virtual-router 1 virtual-router-id <1‐255> Configuring the Switch for Tracking Tracking configuration largely depends on user preferences and network environment. Consider the configuration shown in Figure 61 on page 527. Assume the following behavior on the network:  Switch 1 is the master router upon initialization. If switch 1 is the master and it has one fewer active servers than switch 2, then  switch 1 remains the master. This behavior is preferred because running one server down is less disruptive than bringing a new master online and severing all active connections in the ...
Page 531: High Availability Configurations
NIC 2: 10.0.2.4/24 L2 Switch VIR 1: 192.168.1.200 (Backup) VIR 2: 192.168.2.200 (Master) Although this example shows only two switches, there is no limit on the number of switches used in a redundant configuration. It is possible to implement an active‐active configuration across all the VRRP‐capable switches in a LAN. Each VRRP‐capable switch in an active‐active configuration is autonomous. Switches in a virtual router need not be identically configured. In the scenario illustrated in Figure 63, traffic destined for IPv4 address 10.0.1.1 is forwarded through the Layer 2 switch at the top of the drawing, and ingresses CN4093 1 on port EXT1. Return traffic uses default gateway 1 (192.168.1.1). If the link between CN4093 1 and the Layer 2 switch fails, CN4093 2 becomes the Master because it has a higher priority. Traffic is forwarded to CN4093 2, which forwards it to CN4093 1 through port EXT4. Return traffic uses default gateway 2 (192.168.2.1) and is forwarded through the Layer 2 switch at the bottom of the drawing. To implement the active‐active example, perform the following switch configuration. © Copyright Lenovo 2017 Chapter 34: Virtual Router Redundancy Protocol...
Page 532: Task 1: Configure Cn4093 1
Task 1: Configure CN4093 1 1. Configure client and server interfaces. CN 4093(config)# interface ip 1 CN 4093(config-ip-if)# ip address 192.168.1.100 255.255.255.0 CN 4093(config-ip-if)# vlan 10 CN 4093(config-ip-if)# enable CN 4093(config-ip-if)# exit CN 4093(config)# interface ip 2 CN 4093(config-ip-if)# ip address 192.168.2.101 255.255.255.0 CN 4093(config-ip-if)# vlan 20 CN 4093(config-ip-if)# enable CN 4093(config-ip-if)# exit CN 4093(config)# interface ip 3...
Page 533: Task 2: Configure Cn4093 2
CN 4093(config-ip-if)# exit 2. Configure the default gateways. Each default gateway points to a Layer 3 router. CN 4093(config)# ip gateway 1 address 192.168.2.1 CN 4093(config)# ip gateway 1 enable CN 4093(config)# ip gateway 2 address 192.168.1.1 CN 4093(config)# ip gateway 2 enable © Copyright Lenovo 2017 Chapter 34: Virtual Router Redundancy Protocol...
Page 534 3. Turn on VRRP and configure two Virtual Interface Routers. CN 4093(config)# router vrrp CN 4093(config-vrrp)# enable CN 4093(config-vrrp)# virtual-router 1 virtual-router-id 1 CN 4093(config-vrrp)# virtual-router 1 interface 1 CN 4093(config-vrrp)# virtual-router 1 address 192.168.1.200 CN 4093(config-vrrp)# virtual-router 1 enable CN 4093(config-vrrp)# virtual-router 2 virtual-router-id 2 CN 4093(config-vrrp)# virtual-router 2 interface 2 CN 4093(config-vrrp)# virtual-router 2 address 192.168.2.200 CN 4093(config-vrrp)# virtual-router 2 enable 4.
Page 535: Hot-Standby Configuration
Switch 2 NIC 1 IP = 10.0.1.2 Enterprise Server 2 Routing Switch IF 1: 174.14.20.111 IF 2: 10.1.1.111 = Active Links VIR 1: 174.14.20.100 VIR 2: 10.1.1.100 = Standby Links © Copyright Lenovo 2017 Chapter 34: Virtual Router Redundancy Protocol...
Page 536: Task 1: Configure Cn4093 1
Task 1: Configure CN4093 1 1. On CN4093 1, configure the interfaces for clients (174.14.20.110) and servers (10.1.1.110). CN 4093(config)# interface ip 1 CN 4093(config-ip-if)# ip address 174.14.20.110 (Define IPv4 address for interface 1) CN 4093(config-ip-if)# enable CN 4093(config-ip-if)# exit CN 4093(config)# interface ip 2 CN 4093(config-ip-if)# ip address 10.1.1.110 (Define IPv4 address for interface 2) CN 4093(config-ip-if)# enable CN 4093(config-ip-if)# exit 2.
Page 537: Task 2: Configure Cn4093 2
4. Configure VRRP Group parameters. Use the default VRRP priority of 100, so that this switch is the Standby. CN 4093(config-vrrp)# group enable (Enable Virtual Router Group) CN 4093(config-vrrp)# group virtual-router-id 1 (Set Virtual Router ID for Group) CN 4093(config-vrrp)# group interface 1 (Set interface for Group) CN 4093(config-vrrp)# group track ports (Enable tracking on ports) 5. Turn off Spanning Tree Protocol globally. . CN 4093(config)# spanning-tree mode disable © Copyright Lenovo 2017 Chapter 34: Virtual Router Redundancy Protocol...
Page 538 CN4093 Application Guide for N/OS 8.4...
Page 540 CN4093 Application Guide for N/OS 8.4...
Page 541: Chapter 35. Link Layer Discovery Protocol
Chapter 35. Link Layer Discovery Protocol The Enterprise NOS software support Link Layer Discovery Protocol (LLDP). This chapter discusses the use and configuration of LLDP on the switch:  “LLDP Overview” on page 542  “Enabling or Disabling LLDP” on page 543  “LLDP Transmit Features” on page 544  “LLDP Receive Features” on page 549  “LLDP Example Configuration” on page 553 © Copyright Lenovo 2017...
Page 542: Lldp Overview
LLDP Overview Link Layer Discovery Protocol (LLDP) is an IEEE 802.1AB‐2005 standard for discovering and managing network devices. LLDP uses Layer 2 (the data link layer), and allows network management applications to extend their awareness of the network by discovering devices that are direct neighbors of already known devices. With LLDP, the CN4093 can advertise the presence of its ports, their major capabilities, and their current status to other LLDP stations in the same LAN. LLDP transmissions occur on ports at regular intervals or whenever there is a relevant change to their status. The switch can also receive LLDP information advertised from adjacent LLDP‐capable network devices. In addition to discovery of network resources, and notification of network changes, LLDP can help administrators quickly recognize a variety of common network configuration problems, such as unintended VLAN exclusions or mis‐matched port aggregation membership. The LLDP transmit function and receive function can be independently configured on a per‐port basis. The administrator can allow any given port to transmit only, receive only, or both transmit and receive LLDP information. The LLDP information to be distributed by the CN4093 ports, and that which has been collected from other LLDP stations, is stored in the switch’s Management Information Base (MIB). Network Management Systems (NMS) can use Simple Network Management Protocol (SNMP) to access this MIB information. LLDP‐related MIB information is read‐only. Changes, either to the local switch LLDP information or to the remotely received LLDP information, are flagged within the MIB for convenient tracking by SNMP‐based management systems. For LLDP to provide expected benefits, all network devices that support LLDP should be consistent in their LLDP configuration. LLDP - Stacking Mode In stacking mode, LLDP can be configured only on the ports that are not used to create the stack. The LLDP configuration menus on the stacking ports are disabled. When configuring LLDP on a port, use the correct port syntax. See example of port syntax on page 241. CN4093 Application Guide for N/OS 8.4...
Page 543: Enabling Or Disabling Lldp
CN 4093(config-if)# no lldp admin-status (Exit port mode) CN 4093(config-if)# exit To view the LLDP transmit and receive status, use the following commands: CN 4093(config)# show lldp port (status of all ports) CN 4093(config)# show interface port <n> lldp (status of selected port) © Copyright Lenovo 2017 Chapter 35: Link Layer Discovery Protocol...
Page 544: Lldp Transmit Features
LLDP Transmit Features Numerous LLDP transmit options are available, including scheduled and minimum transmit interval, expiration on remote systems, SNMP trap notification, and the types of information permitted to be shared. Note: In stacking mode, only the stack Master transmits LLDP information for all the ports in a stack. The stack MAC address is used as the source address in the LLDP packets. Scheduled Interval The CN4093 can be configured to transmit LLDP information to neighboring devices once each 5 to 32768 seconds. The scheduled interval is global; the same interval value applies to all LLDP transmit‐enabled ports. However, to help balance LLDP transmissions and keep them from being sent simultaneously on all ports, each port maintains its own interval clock, based on its own initialization or reset time. This allows switch‐wide LLDP transmissions to be spread out over time, though individual ports comply with the configured interval. The global transmit interval can be configured using the following command: CN 4093(config)# lldp refresh-interval <interval> where interval is the number of seconds between LLDP transmissions. The range is 5 to 32768. The default is 30 seconds. Minimum Interval In addition to sending LLDP information at scheduled intervals, LLDP information is also sent when the CN4093 detects relevant changes to its configuration or status (such as when ports are enabled or disabled). To prevent the CN4093 from sending multiple LLDP packets in rapid succession when port status is in flux, a transmit delay timer can be configured. The transmit delay timer represents the minimum time permitted between successive LLDP transmissions on a port. Any interval‐driven or change‐driven updates will be consolidated until the configured transmit delay expires. The minimum transmit interval can be configured using the following command: CN 4093(config)# lldp transmission-delay <interval> where interval is the minimum number of seconds permitted between successive ...
Page 545: Time-To-Live For Transmitted Information
CN 4093(config-if)# exit In addition to sending LLDP information at scheduled intervals, LLDP information is also sent when the CN4093 detects relevant changes to its configuration or status (such as when ports are enabled or disabled). To prevent the CN4093 from sending multiple trap notifications in rapid succession when port status is in flux, a global trap delay timer can be configured. The trap delay timer represents the minimum time permitted between successive trap notifications on any port. Any interval‐driven or change‐driven trap notices from the port will be consolidated until the configured trap delay expires. The minimum trap notification interval can be configured using the following command: CN 4093(config)# lldp trap-notification-interval <interval> where interval is the minimum number of seconds permitted between successive LLDP transmissions on any port. The range is 1 to 3600. The default is 5 seconds. If SNMP trap notification is enabled, the notification messages can also appear in the system log. This is enabled by default. To change whether the SNMP trap notifications for LLDP events appear in the system log, use the following commands: CN 4093(config)# [no] logging log lldp © Copyright Lenovo 2017 Chapter 35: Link Layer Discovery Protocol...
Page 546: Changing The Lldp Transmit State
Changing the LLDP Transmit State When the port is disabled, or when LLDP transmit is turned off for the port using the admstat command’s rx_only or disabled options (see “Transmit and Receive Control” on page 543), a final LLDP packet is transmitted with a time‐to‐live value of 0. Neighbors that receive this packet will remove the LLDP information associated with the CN4093 port from their MIB. In addition, if LLDP is fully disabled on a port (using admstat disabled) and later re‐enabled, the CN4093 will temporarily delay resuming LLDP transmissions on the port in order to allow the port LLDP information to stabilize. The reinitialization delay interval can be globally configured for all ports using the following command: CN 4093(config)# lldp reinit-delay <interval> where interval is the number of seconds to wait before resuming LLDP transmissions. The range is between 1 and 10. The default is 2 seconds. CN4093 Application Guide for N/OS 8.4...
Page 547: Types Of Information Transmitted
Disabled portprot IEEE 802.1 Port and Protocol VLAN ID Disabled vlanname IEEE 802.1 VLAN Name Disabled protid IEEE 802.1 Protocol Identity Disabled macphy IEEE 802.3 MAC/PHY Disabled Configuration/Status, including the auto‐negotiation, duplex, and speed status of the port. powermdi IEEE 802.3 Power via MDI, indicating the Disabled capabilities and status of devices that require or provide power over twisted‐pair copper links. linkaggr IEEE 802.3 Link Aggregation status for Disabled the port. framesz IEEE 802.3 Maximum Frame Size for the Disabled port. © Copyright Lenovo 2017 Chapter 35: Link Layer Discovery Protocol...
Page 548 Table 39. LLDP Optional Information Types (continued) Type Description Default dcbx Data Center Bridging Capability Enabled Exchange Protocol (DCBX) for the port. Select all optional LLDP information for Disabled inclusion or exclusion. CN4093 Application Guide for N/OS 8.4...
Page 549: Lldp Receive Features
The CN4093 stores the collected LLDP information in the MIB. Each remote LLDP‐capable device is responsible for transmitting regular LLDP updates. If the received updates contain LLDP information changes (to port state, configuration, LLDP MIB structures, deletion), the switch will set a change flag within the MIB for convenient notification to SNMP‐based management systems. Note: In stacking mode, both the Master and the Backup receive LLDP information for all the ports in a stack and update the LLDP table. The Master and Backup switches synchronize the LLDP tables. Viewing Remote Device Information LLDP information collected from neighboring systems can be viewed in numerous ways:  Using a centrally‐connected LLDP analysis server Using an SNMP agent to examine the CN4093 MIB   Using the CN4093 Browser‐Based Interface (BBI) Using CLI or isCLI commands on the CN4093  Using the isCLI the following command displays remote LLDP information: CN 4093(config)# show lldp remote-device [<index number>] © Copyright Lenovo 2017 Chapter 35: Link Layer Discovery Protocol...
Page 550 Port Id : 23 Port Description : EXT7 System Name System Description : Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch, Enterprise NOS: version 8.4, boot image: version 6.9.1.14 System Capabilities Supported : bridge, router System Capabilities Enabled...
Page 551 : 56 Port Description : EXT14 System Name : CFC System Description : Lenovo Flex System CN4093 10Gb Converged Scalable Switch, Lenovo Networking OS: version 7.8.0.48, Boot image: version 7.8.0.48 System Capabilities Supported : bridge, router System Capabilities Enabled : bridge, router...
Page 552: Time-To-Live For Received Information
Time-to-Live for Received Information Each remote device LLDP packet includes an expiration time. If the switch port does not receive an LLDP update from the remote device before the time‐to‐live clock expires, the switch will consider the remote information to be invalid, and will remove all associated information from the MIB. Remote devices can also intentionally set their LLDP time‐to‐live to 0, indicating to the switch that the LLDP information is invalid and should be immediately removed. CN4093 Application Guide for N/OS 8.4...
Page 553: Lldp Example Configuration
CN 4093(config)# logging log lldp 5. Verify the configuration settings: CN 4093(config)# show lldp 6. View remote device information as needed. CN 4093(config)# show lldp remote-device CN 4093(config)# show lldp remote-device <index number> CN 4093(config)# show lldp remote-devices detail © Copyright Lenovo 2017 Chapter 35: Link Layer Discovery Protocol...
Page 554 CN4093 Application Guide for N/OS 8.4...
Page 555: Chapter 36. Simple Network Management Protocol
Chapter 36. Simple Network Management Protocol Enterprise NOS provides Simple Network Management Protocol (SNMP) version 1, version 2 and version 3 support for access through any network management software, such as Lenovo Director. © Copyright Lenovo 2017...
Page 556: Snmp Version 1
SNMP Version 1 To access the SNMP agent on the CN4093, the read and write community strings on the SNMP manager should be configured to match those on the switch. The read and write community strings on the switch can be changed using the following commands: CN 4093(config)# snmp-server read-community <1‐32 characters> ‐and‐ CN 4093(config)# snmp-server write-community <1‐32 characters> The SNMP manager should be able to reach the management interface or any one of the IP interfaces on the switch. For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following command: CN 4093(config)# snmp-server trap-source <trap source IP interface> CN 4093(config)# snmp-server host <IPv4 address> <trap host community string> Note: You can use a loopback interface to set the source IP address for SNMP traps. Use the following command to apply a configured loopback interface: snmp-server trap-source loopback CN 4093(config)# <1‐5>...
Page 557: Snmp Version 3
User 2 name is adminsha (password adminsha). The authentication used is SHA; the privacy protocol used is DES.  User 3 name is mmv3_mgr (password mmv3_mgr). The authentication used is MD5; the privacy protocol used is DES. User 3 with the default password is used for EHCM level 1 access. For EHCM level 2 and level 3 access, the CMM generates a random password. EHCM level 2 uses MD5 authentication and DES privacy protocol. EHCM level 3 uses SHA authentication and AES‐128 privacy protocol  User 4 name is adminshaaes (password Edpq132x!#9Zpx432w). Authentication used is SHA. Privacy protocol used is AES‐128. In boot strict mode (See “Boot Strict Mode” on page 52), Enterprise NOS has two SNMPv3 users:  User 1 name is mmv3_mgr (password mmv3_mgr). Authentication used is SHA. Privacy protocol used is AES‐128.  User 2 name is adminshaaes (password Edpq132x!#9Zpx432w). Authentication used is SHA. Privacy protocol used is AES‐128. Up to 17 SNMP users can be configured on the switch. To modify an SNMP user, enter the following commands: CN 4093(config)# snmp-server user <1‐17> name <1‐32 characters> © Copyright Lenovo 2017 Chapter 36: Simple Network Management Protocol...
Page 558: User Configuration Example
Users can be configured to use the authentication/privacy options. The CN4093 support two authentication algorithms: MD5 and SHA, as specified in the following command: CN 4093(config)# snmp-server user <1‐17> authentication-protocol {md5|sha authentication-password ‐or‐ CN 4093(config)# snmp-server user <1‐17> authentication-protocol none User Configuration Example 1. To configure a user with name “admin,” authentication type MD5, and authentication password of “admin,” privacy option DES with privacy password of “admin,” use the following ISCLI commands. CN 4093(config)# snmp-server user 5 name admin CN 4093(config)# snmp-server user 5 authentication-protocol md5 authentication-password Changing authentication password;...
Page 559: View-Based Configurations
(L3 statistics) CN 4093(config)# snmp-server view 10 name usr CN 4093(config)# snmp-server view 10 tree 1.3.6.1.4.1.1872.2.5.2.3 (L3 information) CN 4093(config)# snmp-server view 11 name usr CN 4093(config)# snmp-server view 11 tree 1.3.6.1.4.1.1872.2.5.3.3 © Copyright Lenovo 2017 Chapter 36: Simple Network Management Protocol...
Page 560  Switch Oper equivalent (Configure the user) CN 4093(config)# snmp-server user 5 name usr (Configure access group 3) CN 4093(config)# snmp-server access 4 name opergrp CN 4093(config)# snmp-server access 4 read-view oper CN 4093(config)# snmp-server access 4 write-view oper CN 4093(config)# snmp-server access 4 notify-view oper (Assign oper to access group 4) CN 4093(config)# snmp-server group 4 user-name oper CN 4093(config)# snmp-server group 4 group-name opergrp (Create views for oper)
Page 561: Secure Audit Logging
(security and information event management) SIEM tools like Qradar. Security audit logging refers to the following event types: NTP Server/DHCP server configuration changes   Switch management IP address changes  OSPF/BGP/RIP authentication changes  Software Resource alert :ARP Table/IP table/Route table/OSPF table full  L3 Link down/up Note: Audit logging is enabled by default and cannot be disabled. The audit logs are accessed remotely via SNMPv3 hosts. Use the following commands to locally manage the logs: CN 4093(config)# show sal reverse (Display most recent logs first) CN 4093(config)# clear sal (Clear audit logs) © Copyright Lenovo 2017 Chapter 36: Simple Network Management Protocol...
Page 562: Configuring Snmp Trap Hosts
Configuring SNMP Trap Hosts Follow these instructions to configure SNMP trap hosts. SNMPv1 Trap Host Configuration 1. Configure a user with no authentication and password. CN 4093(config)# snmp-server user 10 name v1trap 2. Configure an access group and group table entries for the user. Use the following menu to specify which traps can be received by the user: CN 4093(config)# snmp-server access <user number> In the following example the user will receive the traps sent by the switch. CN 4093(config)# snmp-server access 10 (Access group to view SNMPv1 traps) name v1trap security snmpv1 notify-view iso CN 4093(config)# snmp-server group 10 (Assign user to the access group) security snmpv1 user-name v1trap group-name v1trap...
Page 563: Snmpv2 Trap Host Configuration
CN 4093(config)# snmp-server target-parameters 10 user-name v2trap CN 4093(config)# snmp-server target-parameters 10 security snmpv2 CN 4093(config)# snmp-server community 10 index v2trap CN 4093(config)# snmp-server community 10 user-name v2trap Note: Enterprise NOS 8.4 supports only IPv4 addresses for SNMPv1 and SNMP v2 trap hosts. © Copyright Lenovo 2017 Chapter 36: Simple Network Management Protocol...
Page 564: Snmpv3 Trap Host Configuration
SNMPv3 Trap Host Configuration To configure a user for SNMPv3 traps, you can choose to send the traps with both privacy and authentication, with authentication only, or without privacy or authentication. This is configured in the access table using the following commands: CN 4093(config)# snmp-server access <1‐32> level CN 4093(config)# snmp-server target-parameters <1‐16> Configure the user in the user table accordingly. It is not necessary to configure the community table for SNMPv3 traps because the community string is not used by SNMPv3. The following example shows how to configure a SNMPv3 user v3trap with authentication only: CN 4093(config)# snmp-server user 11 name v3trap CN 4093(config)# snmp-server user 11 authentication-protocol md5 authentication-password Changing authentication password; validation required: Enter current admin password: <admin. password>...
Page 565: Snmp Mibs
 rfc2037.mib  rfc2233.mib  rfc2465.mib  rfc2571.mib  rfc2572.mib  rfc2573.mib  rfc2574.mib  rfc2575.mib  rfc2576.mib  rfc3176.mib  The following Fibre Channel/FCoE MIBs are supported: ibm-nos-fc-fcoe.mib  fc_fe_exp.mib  fcmgmt.mib  stack_rfc2837.mib  © Copyright Lenovo 2017 Chapter 36: Simple Network Management Protocol...
Page 566 The Enterprise NOS SNMP agent supports the following generic traps as defined in RFC 1215:  ColdStart  WarmStart  LinkDown  LinkUp  AuthenticationFailure The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493:  NewRoot TopologyChange  The following are the enterprise SNMP traps supported in Enterprise NOS: Table 40. Enterprise NOS‐Supported Enterprise SNMP Traps Trap Name Description altSwLoginFailure Signifies that someone failed to enter a valid username/password combination. altSwTrapDisplayString specifies whether the login attempt was from CONSOLE or TELNET. In case of TELNET login it also specifies the IP address of the host from which the attempt was made. altSwValidLogin Signifies that a user login has occurred. altSwApplyComplete Signifies that new configuration has ...
Page 567 Signifies that the Master interface is not active. altSwHotlinksBackupUp Signifies that the Backup interface is active. altSwHotlinksBackupDn Signifies that the Backup interface is not active. altSwHotlinksNone Signifies that there are no active interfaces. altSwStgBlockingState Signifies port state has changed to blocking state. altSwTeamingCtrlUp Signifies that the teaming is up. altSwTeamingCtrlDown Signifies that the teaming control is down. altSwTeamingCtrlDownTearDown Signifies that the teaming control is Blked down but teardown is blocked. altSwTeamingCtrlError Signifies error, action is undefined. altSwLACPPortBlocked Signifies that LACP is operationally down on a port, and traffic is blocked on the port. © Copyright Lenovo 2017 Chapter 36: Simple Network Management Protocol...
Page 568 Table 40. Enterprise NOS‐Supported Enterprise SNMP Traps (continued) Trap Name Description altSwLACPPortUnblocked Signifies that LACP is operationally up on a port, and traffic is no longer blocked on the port. altSwLFDPortErrdisabled Signifies that a port is error‐disabled due to excessive link flaps. altSwVlagInstanceUp Signifies that VLAG instance is up identified in the trap message. altSwVlagInstanceRemoteUp Signifies that VLAG is down but instance on the remote instance is altSwVlagInstanceLocalUp Signifies that VLAG is down but local instance is up. altSwVlagInstanceDown Signifies that VLAG instance is down identified in the trap message. altSwVlagIslUp Signifies that connection between VLAG switches is up. altSwVlagIslDown Signifies that connection between VLAG switches is down. altSwDefGwUp Signifies that the default gateway is alive. ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable. The range for ipCurCfgGwIndex is from 1 to ipGatewayTableMax. ...
Page 569 Signifies that the default gateway is alive but not in service. ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable. The range for ipCurCfgGwIndex is from 1 to ipGatewayTableMax. ipCurCfgGwAddr is the IP address of the default gateway. altSwVrrpNewMaster Indicates that the sending agent has transitioned to “Master” state. vrrpCurCfgVirtRtrIndx is the VRRP virtual router table index referenced in vrrpCurCfgVirtRtrTable. The range is from 1 to vrrpVirtRtrTableMaxSize. vrrpCurCfgVirtRtrAddr is the VRRP virtual router IP address. altSwVrrpNewBackup Indicates that the sending agent has transitioned to “Backup” state. vrrpCurCfgVirtRtrIndx is the VRRP virtual router table index referenced in vrrpCurCfgVirtRtrTable. The range is from 1 to vrrpVirtRtrTableMaxSize. vrrpCurCfgVirtRtrAddr is the VRRP virtual router IP address. © Copyright Lenovo 2017 Chapter 36: Simple Network Management Protocol...
Page 570 Table 40. Enterprise NOS‐Supported Enterprise SNMP Traps (continued) Trap Name Description altSwVrrpAuthFailure Signifies that a packet has been received from a router whose authentication key or authentication type conflicts with this routerʹs authentication key or authentication type. Implementation of this trap is optional. vrrpCurCfgIfIndx is the VRRP interface index. This is equivalent to ifIndex in RFC 1213 mib. The range is from 1 to vrrpIfTableMaxSize. vrrpCurCfgIfPasswd is the password for authentication. It is a DisplayString of 0 to 7 characters. altSwNtpNotServer Signifies that the primary or secondary NTP server cannot be reached. altSwNTPUpdateClock Signifies that the system clock is updated with NTP server. altSwECMPGatewayUp Signifies that the ECMP gateway is altSwECMPGatewayDown Signifies that the ECMP gateway is down. altSwOspfRouteUpdated Signifies that an OSPF route update message was received. altSwTempExceedThreshold Signifies that the switch temperature has exceeded ...
Page 571 Signifies that a new switch of different type has attempted to join the stack. altSwStackImageSlotMismatch Signifies that the slot of the boot image of a newly attached switch does not match that of the master. altSwStackImageVersMismatch Signifies that the version of the boot image of a newly attached switch does not match that of the master. altSwStackBootCfgMismatch Signifies that the booted config of a newly attached switch does not match that of the master. altSwStackNvramMasterJoin Signifies that a switch which was configured as a master in NVRAM has attached to the stack. altSwStackForceDetach Signifies that the master has sent a FORCE DETACH message to a member. altVMGroupVMotion Signifies that a virtual machine has moved from a port to another. altVMGroupVMOnline Signifies that an advance provisioned virtual machine has came online. © Copyright Lenovo 2017 Chapter 36: Simple Network Management Protocol...
Page 572 Table 40. Enterprise NOS‐Supported Enterprise SNMP Traps (continued) Trap Name Description altVMGroupVMVlanChange Signifies that a virtual machine has entered a VLAN, or changed the VLAN. vmCheckSpoofedvm Signifies that a spoofed VM MAC was found. CN4093 Application Guide for N/OS 8.4...
Page 573: Switch Images And Configuration Files
1.3.6.1.4.1872.2.5.1.1.7.1.0 agTransferImage 1.3.6.1.4.1872.2.5.1.1.7.2.0 agTransferImageFileName 1.3.6.1.4.1872.2.5.1.1.7.3.0 agTransferCfgFileName 1.3.6.1.4.1872.2.5.1.1.7.4.0 agTransferDumpFileName 1.3.6.1.4.1872.2.5.1.1.7.5.0 agTransferAction 1.3.6.1.4.1872.2.5.1.1.7.6.0 agTransferLastActionStatus 1.3.6.1.4.1872.2.5.1.1.7.7.0 agTransferUserName 1.3.6.1.4.1872.2.5.1.1.7.9.0 agTransferPassword 1.3.6.1.4.1.1872.2.5.1.1.7.10.0 agTransferTSDumpFileName 1.3.6.1.4.1.1872.2.5.1.1.7.11.0 The following SNMP actions can be performed using the MIBs listed in Table 41.  Load a new Switch image (boot or running) from a FTP/TFTP/SFTP server  Load a previously saved switch configuration from a FTP/TFTP/SFTP server  Save the switch configuration to a FTP/TFTP/SFTP server  Save a switch dump to a FTP/TFTP/SFTP server © Copyright Lenovo 2017 Chapter 36: Simple Network Management Protocol...
Page 574: Loading A New Switch Image
Loading a New Switch Image To load a new switch image with the name “MyNewImage-1.img” into image2, follow the steps below. This example shows an FTP/TFTP/SFTP server at IPv4 address 192.168.10.10, though IPv6 is also supported. 1. Set the FTP/TFTP/SFTP server address where the switch image resides: Set agTransferServer.0 "192.168.10.10" 2. Set the area where the new image will be loaded: Set agTransferImage.0 "image2" 3. Set the name of the image: Set agTransferImageFileName.0 "MyNewImage-1.img" 4. If you are using an SFTP/FTP server, enter a username: Set agTransferUserName.0 "MyName" 5. If you are using an SFTP/FTP server, enter a password: Set agTransferPassword.0 "MyPassword" 6. Initiate the transfer. To transfer a switch image, enter 2 (gtimg): Set agTransferAction.0 "2" Loading a Saved Switch Configuration To load a saved switch configuration with the name “MyRunningConfig.cfg” into ...
Page 575: Saving The Switch Configuration
Saving a Switch Dump To save a switch dump to a FTP/TFTP/SFTP server, follow the steps below. This example shows an FTP/TFTP/SFTP server at 192.168.10.10, though IPv6 is also supported. 1. Set the FTP/TFTP/SFTP server address where the configuration will be saved: Set agTransferServer.0 "192.168.10.10" 2. Set the name of dump file: Set agTransferDumpFileName.0 "MyDumpFile.dmp" 3. If you are using an SFTP/FTP server, enter a username: Set agTransferUserName.0 "MyName" 4. If you are using an SFTP/FTP server, enter a password: Set agTransferPassword.0 "MyPassword" 5. Initiate the transfer. To save a dump file, enter 5: Set agTransferAction.0 "5" © Copyright Lenovo 2017 Chapter 36: Simple Network Management Protocol...
Page 576 CN4093 Application Guide for N/OS 8.4...
Page 577: Chapter 37. Service Location Protocol
 Service Agent (SA) provides service registration and service advertisement. Note: In this release, SA supports UA/DA on Linux with SLPv2 support.  Directory Agent (DA) collects service information from Service Agents to provide a repository of service information in order to centralize it for efficient access by User Agents. There can only be one Directory Agent present per given host. The Directory Agent acts as an intermediate tier in the SLP architecture, placed between the User Agents and the Service Agents, so they communicate only with the Directory Agent instead of with each other. This eliminates a large portion of the multicast request or reply traffic on the network, and it protects the Service Agents from being overwhelmed by too many service requests. Services are described by the configuration of attributes associated with a type of service. A User Agent can select an appropriate service by specifying the attributes that it needs in a service request message. When service replies are returned, they contain a Uniform Resource Locator (URL) pointing to the service desired, and other information, such as server load, needed by the User Agent. For more details on SLP configuration, see the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Command Reference for Enterprise NOS 8.4. Active DA Discovery When a Service Agent or User Agent initializes, it can perform Active Directory Agent Discovery using a multicast service request and specifies the special, reserved service type (service:directory-agent). Active DA Discovery is achieved through the same mechanism as any other discovery using SLP. The Directory Agent replies with unicast service replies, which provides the URLs and attributes of the requested service. © Copyright Lenovo 2017 Chapter 37: Service Location Protocol...
Page 578: Chapter 38. System License Keys
Chapter 38. System License Keys License keys determine the number of available ports on the CN4093. Each switch comes with basic license that provides the use of a limited number of physical ports. On top of the basic license, optional upgrade licenses can be installed to expand the number of available ports. Obtaining Activation Keys The upgrade licenses can be acquired using the Lenovo System x Features on Demand (FoD) website: http://www.ibm.com/systems/x/fod/ You can also use the website to review and manage licenses, and to obtain additional help if required. Note: An IBM ID and password are required to log into the FoD website. If you do not yet have an IBM ID, you can register at the website. Activation keys are provided as files that must be uploaded to the CN4093. To acquire an activation key, use the FoD website to purchase an Authorization Code. You will need to provide the unique ID (UID) of the specific CN4093 where the key will be installed. The UID is the last 12 characters of the CN4093 serial number. This serial number is located on the Part Number (PN) label and is also displayed during successful login to the device. When available, download the activation key file from the FoD site. Installing Activation Keys Once FoD activation key files have been acquired, they must be installed on the CN4093. The following example depicts use of the CN4093 Command Line Interface (CLI), but other device interfaces (such as SNMP) may also be used. To install activation keys, complete the following steps: a. Log in to the CN4093. b. At the CLI prompt, enter the following commands: CN4093> enable CN4093# configure terminal CN4093(config)# software-key CN4093(config)# enakey addr <server IP address>...
Page 579: Transferring Activation Keys
This will cause ports that are not in the default port-map to lose their configuration. Please backup your configuration or enter a valid license key so the configuration will not be altered. When the trial license expires, all features enabled by the key are disabled, configuration files (active and backup) are deleted and the switch revert to the default port‐map. To prevent this, either install a regular upgrade license to overwrite the trial key or manually remove the trial key. Once a trial key is installed, it cannot be reused. © Copyright Lenovo 2017 Chapter 38: System License Keys...
Page 580: Flexible Port Mapping
Flexible Port Mapping Flexible Port Mapping allows administrators to manually enable or disable specific switch ports within the limitations of the installed licenses’ bandwidth. For instance, the FlexSystem may include two compute nodes and a single QSFP+ uplink, while the current license has the INTA1 – INTA14 and EXT1 – EXT10 Ethernet ports enabled by default. To make best use of the available resources, the administrator decides to activate internal ports INTB1, INTB2, INTC1 and INTC2 to provide redundant connections for the two compute nodes and to enable the high speed QSFP+ EXT3 port for the uplink. The total bandwidth required for this operation amounts to 80 Gbps (40 Gbps for the four additional 10 Gbps internal ports and 40 Gbps for the additional external QSFP+ port). The administrator decides to allocate this bandwidth by deactivating 6 internal and 2 external 10 Gbps ports. To implement the above scenario, follow these steps: a. Deactivate the ports required to clear the 80 Gbps required bandwidth: CN4093(config)# no boot port-map INTA9 CN4093(config)# no boot port-map INTA10 CN4093(config)# no boot port-map INTA11 CN4093(config)# no boot port-map INTA12 CN4093(config)# no boot port-map INTA13 CN4093(config)# no boot port-map INTA14 CN4093(config)# no boot port-map EXT9 CN4093(config)# no boot port-map EXT10...
Page 581: Chapter 39. Secure Input/Output Module
Chapter 39. Secure Input/Output Module The Secure Input/Output Module (SIOM) enables you to determine which protocols can be enabled. The SIOM only allows secured traffic and secured authentication management. The following topics are discussed in this chapter: “SIOM Overview” on page 582   “Creating a Policy Setting” on page 586 “Managing User Accounts” on page 589   “Implementing Secure LDAP (LDAPS)” on page 591 “SIOM Dependencies” on page 594  © Copyright Lenovo 2017...
Page 582: Siom Overview
SIOM Overview In networking solutions, a new approach about adopting a security level on Input/Output modules has been developed. This security level encompasses secured authentication management and only allows secure traffic and protocols. IOMs can be classified into two security categories: Legacy Input/Output Modules (LIOMs)  LIOMs are not capable of provisioning any security policy setting. All IOMs developed before the SIOM feature was introduced are of type LIOM. Secure Input/Output Modules (SIOMs)  SIOMs have security characteristics that allow them to integrate the network assigned security policy. For IOM to be in SIOM mode, both the IOM and the CMM (Chassis Management Module) containing it must be running SIOM‐capable software, and the IOM must have SIOM enabled. In all other cases, the IOM operates in LIOM mode. When the IOM is in SIOM mode, the security characteristics configured on the CMM are sent to the IOM. These characteristics can be divided into the following categories:  Policy setting  User Account Management  Secure LDAP (LDAPS) authentication To see whether SIOM is enabled on the IOM, use the following command: CN 4093(config)# show boot siom Current SIOM setting: disabled Saved SIOM setting: disabled This shows both the current SIOM setting and the saved setting that will be applied ...
Page 583: Switch Access In Siom Mode
In stacking mode, configuring SIOM is only supported on the Master switch. Hence, the command: CN 4093# [no] boot siom enable is only supported on the Master switch. On stack member switches, SIOM is configured by the Master switch, and the member switches automatically inherit the Master switch SIOM setting. When upgrading to SIOM‐capable software:  The Master, Backup, and member switches need to be rebooted for SIOM to take effect. When SIOM is enabled on the Master, it is applied on all stack members  automatically.  If a new switch with a different boot SIOM configuration is attached to the stack, the switch will inherit the boot SIOM configuration from the Master and will automatically reboot. When two stacks are joined, the selected Master for the two stacks will push its  own boot SIOM configuration, and the added members will automatically reboot.  There will be no changes in the SIOM policy on members if the stack is split. Note: Lenovo recommends using staggered upgrade. In this case, the upgrade will take more time, depending on how large the stack setup is, but the traffic loss will be minimal. © Copyright Lenovo 2017 Chapter 39: Secure Input/Output Module...
Page 584 Overall, in a stacking mode, it takes longer (about 9 minutes) to reload SIOM‐enabled software than a non‐SIOM enabled software. If staggered‐upgrade procedure is used, this duration increases according to the number of switches in the stack. The process of upgrading from non‐SIOM enabled software to SIOM‐enabled software takes about 15 minutes. If a staggered‐upgrade procedure is used, this duration increases according to the number of switches in the stack. If the Master switch gets rebooted, the Backup switch becomes the Master (operation called Master failover) and it will be SIOM provisioned. If the SIOM provisioning occurs for the first time on this switch, it will also reboot for the LIOM to SIOM transition. The new Master will reboot only after the Backup switch (original Master) rejoins the stack. CN4093 Application Guide for ENOS 8.4...
Page 585: Siom Feature Considerations
SIOM Feature Considerations SIOM has two aspects which must be accomplished on the switch:  The provisioning process which supplies all the necessary settings for the secure Ethernet connection for management and for the secure protocols enabled on the switch.  The protocols enabled during the functioning of a switch in SIOM. Switch boots up with all operational (data) ports disabled. Although the management ports are enabled, they canʹt be used by admin to set up the switch until the configuration is applied. Internal management port is used by the CMM during the provisioning to exchange information with IOM. At the end of provisioning, when SIOM is enabled, the rest of the operational ports come up and the switch will be fully functional. When in SIOM mode, the PKI system of switch cannot be controlled. The user cannot import his own certificate. All certificates are provisioned by CMM. © Copyright Lenovo 2017 Chapter 39: Secure Input/Output Module...
Page 586: Creating A Policy Setting
Creating a Policy Setting The policy setting can be either secure (IOM is in secure mode) or legacy (IOM is in legacy mode). In secure mode, only communication protocols that are deemed secure can be used; most protocols that are not deemed secure are disabled. In legacy mode setting, all protocols are allowed (LIOM behavior). To display the current policy setting, enter: CN 4093(config)# show boot security-policy Note: Security policy can be applied only from CMM. You must reboot the IOM for a new policy setting to be applied. Protocols Affected by the Policy Setting This section explains which protocols can and cannot operate in secure mode on the CN4093 10 Gb Converged Scalable Switch. Insecure Protocols When you are in Secure Mode, the following protocols are deemed “insecure” and are disabled:  HTTP  LDAP Client  SNMPv1  SNMPv2  Telnet (server and client)  FTP (server and client) ...
Page 587: Secure Protocols
IPSec The default state for these protocols in Secure Mode, whether enabled or disabled, is the same as in Legacy Mode. The following protocols are deemed “secure” but are not currently supported by the CN4093: EAPoL   S/MIME   SNMPv3 Manager TCP command secure mode (Port 6091)  Insecure Protocols Unaffected by SIOM The following protocols are deemed “insecure” but can be enabled in all Security Policy Modes:  Ping  Ping IPv6  Traceroute  Traceroute IPv6  TFTP IPv6 © Copyright Lenovo 2017 Chapter 39: Secure Input/Output Module...
Page 588  SNMPv3 IPv6  bootp Notes:  Telnet IPv6 and TFTP IPv6 are disabled in Secure Mode.  TFTP IPv6 is allowed in Secure Mode for signed image transfers only. CN4093 Application Guide for ENOS 8.4...
Page 589: Managing User Accounts
 snmp-server read-community-additional  snmp-server target-address  snmp-server target-parameters  snmp-server user  snmp-server version  snmp-server view  snmp-server write-community  snmp-server write-community-additional  show snmp-server v3  © Copyright Lenovo 2017 Chapter 39: Secure Input/Output Module...
Page 590 For more information about these commands, see the Lenovo ISCLI—Industry Standard CLI Command Reference for the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch. CN4093 Application Guide for ENOS 8.4...
Page 591: Implementing Secure Ldap (Ldaps)
CN 4093(config)# ldap-server host {1-4} <IP address or hostname> 4. You may change the default TCP port number used to listen to LDAPS (optional). The well‐known port for LDAP is 636. CN 4093(config)# ldap-server port <1‐65000> 5. Configure the Security Mode: CN 4093(config)# ldap-server security {clear|ldaps|mutual|starttls} where: Parameter Description clear Cleartext Mode (no security) ldaps LDAPS Mode mutual Mutual authentication in Transport Layer Security (TLS) starttls Secure LDAP via StartTLS without cleartext fallback © Copyright Lenovo 2017 Chapter 39: Secure Input/Output Module...
Page 592: Disabling Ldaps
6. Configure the distinguished name (DN) and password (optional). CN 4093(config)# ldap-server binddn dn “<distinguished name> “ CN 4093(config)# ldap-server binddn key “<password> “ If this is not configured, the switch will use user‐provided login credentials to bind. A DN will then be constructed from the userʹs login credentials and then used in the initial BIND attempt. 7. Configure the root DN: CN 4093(config)# ldap-server basedn <root DN name> 8. Configure the user search attribute (optional): CN 4093(config)# ldap-server attribute username <search attribute> If no user search attribute is specified, the default is uid. 9. Configure the group search attribute (optional): CN 4093(config)# ldap-server attribute group <search attribute> If no group search attribute is specified, the default is memberOf.
Page 593: Syslogs And Ldaps
Syslogs and LDAPS Syslogs are displayed for the following error conditions: Password change required on first login  Password expired  Username or password invalid  Account temporarily locked  Unknown/no reason given  © Copyright Lenovo 2017 Chapter 39: Secure Input/Output Module...
Page 594: Siom Dependencies
SIOM Dependencies The following points are relevant to SIOM:  The CMM has a Certificate Authority (CA) capable of signing the certificates involved for authenticating the IOM in the SSL and TLS processes and protocols. The correctness of the configuration depends upon the settings on the CMM.  This is especially important for NTP and LDAP, which ensure switch operability. For example, if the LDAP client is configured incorrectly, the switch cannot be managed.  The Enhanced Configuration and Management (EHCM) module configures the NTP client. Therefore, the NTP client is dependent upon the ECHM module being enabled and functional.  Some protocols cannot be changed from enabled to disabled without restarting the switch. The IOM may reboot when switching between the SIOM and LIOM. CN4093 Application Guide for ENOS 8.4...
Page 595: Part 8: Monitoring
Part 8: Monitoring The ability to monitor traffic passing through the CN4093 can be invaluable for troubleshooting some types of networking problems. This sections cover the following monitoring features:  Remote Monitoring (RMON)  sFLOW  Port Mirroring © Copyright Lenovo 2017...
Page 596 CN4093 Application Guide for N/OS 8.4...
Page 597: Chapter 40. Remote Monitoring
Chapter 40. Remote Monitoring Remote Monitoring (RMON) allows network devices to exchange network monitoring data. RMON performs the following major functions:  Gathers cumulative statistics for Ethernet interfaces  Tracks a history of statistics for Ethernet interfaces  Creates and triggers alarms for user‐defined events RMON Overview The RMON MIB provides an interface between the RMON agent on the switch and an RMON management application. The RMON MIB is described in RFC 1757. The RMON standard defines objects that are suitable for the management of Ethernet networks. The RMON agent continuously collects statistics and proactively monitors switch performance. RMON allows you to monitor traffic flowing through the switch. The switch supports the following RMON Groups, as described in RFC 1757:  RMON Group 1–Statistics  RMON Group 2–History  RMON Group 3–Alarms  RMON Group 9–Events © Copyright Lenovo 2017...
Page 598: Rmon Group 1-Statistics
RMON Group 1–Statistics The switch supports collection of Ethernet statistics as outlined in the RMON statistics MIB, in reference to etherStatsTable. RMON statistics are sampled every second, and new data overwrites any old data on a given port. Note: RMON port statistics must be enabled for the port before you can view RMON statistics. To configure RMON Statistics: 1. Enable RMON on each port where you wish to collect RMON statistics. CN 4093(config)# interface port 23 CN 4093(config-if)# rmon 2. View RMON statistics for the port. CN 4093(config-if)# show interface port 23 rmon-counters ------------------------------------------------------------------ RMON statistics for port 23: etherStatsDropEvents: etherStatsOctets: 7305626 etherStatsPkts: 48686 etherStatsBroadcastPkts: 4380 etherStatsMulticastPkts:...
Page 599: Rmon Group 2-History
CN 4093(config)# rmon history 1 interface-oid 1.3.6.1.2.1.2.2.1.1.<x> CN 4093(config)# rmon history 1 requested-buckets 30 CN 4093(config)# rmon history 1 polling-interval 120 CN 4093(config)# rmon history 1 owner "rmon port 1 history" where <x> is the number of the port to monitor. For example, the full OID for port 1 would be: 1.3.6.1.2.1.2.2.1.1.1 © Copyright Lenovo 2017 Chapter 40: Remote Monitoring...
Page 600 3. View RMON history for the port. CN 4093(config)# show rmon history RMON History group configuration: Index IFOID Interval Rbnum Gbnum ----- ----------------------- -------- ----- ----- 1.3.6.1.2.1.2.2.1.1.1 Index Owner ----- ---------------------------------------------- rmon port 1 history CN4093 Application Guide for N/OS 8.4...
Page 601: Rmon Group 3-Alarms
CN 4093(config)# rmon alarm 1 alarm-type rising CN 4093(config)# rmon alarm 1 rising-crossing-index 100 CN 4093(config)# rmon alarm 1 interval 3600 CN 4093(config)# rmon alarm 1 rising-limit 2000000000 CN 4093(config)# rmon alarm 1 owner "Alarm for ifInOctets" © Copyright Lenovo 2017 Chapter 40: Remote Monitoring...
Page 602: Alarm Example 2
Alarm Example 2 This example configuration creates an RMON alarm that checks icmpInEchos on the switch once every minute. If the statistic exceeds 200 within a 60 second interval, an alarm is generated that triggers event index 5. Configure the RMON Alarm parameters to track ICMP messages. CN 4093(config)# rmon alarm 1 oid 1.3.6.1.2.1.5.8.0 CN 4093(config)# rmon alarm 1 alarm-type rising CN 4093(config)# rmon alarm 1 rising-crossing-index 110 CN 4093(config)# rmon alarm 1 interval-time 60 CN 4093(config)# rmon alarm 1 rising-limit 200 CN 4093(config)# rmon alarm 1 sample delta CN 4093(config)# rmon alarm 1 owner "Alarm for icmpInEchos"...
Page 603: Rmon Group 9-Events
<event number> RMON events use SNMP and system logs to send notifications. Therefore, an SNMP trap host must be configured for trap event notification to work properly. RMON uses a syslog host to send syslog messages. Therefore, an existing syslog host must be configured for event log notification to work properly. Each log event generates a system log message of type RMON that corresponds to the event. For example, to configure the RMON event parameters. CN 4093(config)# rmon event 110 type log CN 4093(config)# rmon event 110 description "SYSLOG_this_alarm" CN 4093(config)# rmon event 110 owner "log icmpInEchos alarm" This configuration creates an RMON event that sends a syslog message each time it is triggered by an alarm. © Copyright Lenovo 2017 Chapter 40: Remote Monitoring...
Page 604 CN4093 Application Guide for N/OS 8.4...
Page 605: Chapter 41. Sflow
Statistical Counters The CN4093 can be configured to send network statistics to an sFlow analyzer at regular intervals. For each port, a polling interval of 5 to 60 seconds can be configured, or 0 (the default) to disable this feature. When polling is enabled, at the end of each configured polling interval, the CN4093 reports general port statistics and port Ethernet statistics. sFlow Network Sampling In addition to statistical counters, the CN4093 can be configured to collect periodic samples of the traffic data received on each port. For each sample, 128 bytes are copied, UDP‐encapsulated, and sent to the configured sFlow analyzer. For each port, the sFlow sampling rate can be configured to occur once each 256 to 65536 packets, or 0 to disable (the default). A sampling rate of 256 means that one sample will be taken for approximately every 256 packets received on the port. The sampling rate is statistical, however. It is possible to have slightly more or fewer samples sent to the analyzer for any specific group of packets (especially under low traffic conditions). The actual sample rate becomes most accurate over time, and under higher traffic flow. sFlow sampling has the following restrictions:  Sample Rate—The fastest sFlow sample rate is 1 out of every 256 packets.  ACLs—sFlow sampling is performed before ACLs are processed. For ports configured both with sFlow sampling and one or more ACLs, sampling will occur regardless of the action of the ACL. Port Mirroring—sFlow sampling will not occur on mirrored traffic. If sFlow  sampling is enabled on a port that is configured as a port monitor, the mirrored traffic will not be sampled. Note: Although sFlow sampling is not generally a CPU‐intensive operation, configuring fast sampling rates (such as once every 256 packets) on ports under heavy traffic loads can cause switch CPU utilization to reach maximum. Use larger rate values for ports that experience heavy traffic. © Copyright Lenovo 2017...
Page 606: Sflow Example Configuration
sFlow Example Configuration 1. Specify the location of the sFlow analyzer (the server and optional port to which the sFlow information will be sent): CN 4093(config)# sflow server <IPv4 address>(sFlow server address) CN 4093(config)# sflow port <service port> (Set the optional service port) CN 4093(config)# sflow enable (Enable sFlow features) By default, the switch uses established sFlow service port 6343. To disable sFlow features across all ports, use the following command: CN 4093(config)# no sflow enable 2. On a per‐port basis, define the statistics polling rate: CN 4093(config)# interface port <port> CN 4093(config-if)# sflow polling <polling rate>(Statistics polling rate) Specify a polling rate between 5 and 60 seconds, or 0 to disable. By default, polling ...
Page 607: Chapter 42. Port Mirroring
Mirrored Ports Monitor Port Ingress Connected to Both Traffic sniffer device Specified traffic is copied and forwarded to Monitor Port In standalone (non‐stacking) mode, the CN4093 supports two monitor ports with two‐way mirroring, or four monitor ports with one‐way mirroring. In stacking mode, one monitor port with two‐way mirroring, or two monitor ports with one‐way mirroring is supported. Each monitor port can receive mirrored traffic from any number of target ports. Enterprise NOS does not support “one to many” or “many to many” mirroring models where traffic from a specific port traffic is copied to multiple monitor ports. For example, port EXT1 traffic cannot be monitored by both port EXT3 and EXT4 at the same time, nor can port EXT2 ingress traffic be monitored by a different port than its egress traffic. Ingress and egress traffic is duplicated and sent to the monitor port after processing. Note: The CN4093 10 Gb Converged Scalable Switch (CN4093) cannot mirror LACPDU packets. Also, traffic on management VLANs is not mirrored to the external ports. © Copyright Lenovo 2017...
Page 608: Port Mirroring Behavior
Port Mirroring Behavior This section describes the composition of monitored packets in the CN4093, based on the configuration of the ports.  Packets mirrored at port egress are mirrored prior to VLAN tag processing and may have a different PVID than packets that egress the port toward their actual network destination.  Packets mirrored at port ingress are not modified. Configuring Port Mirroring The following procedure may be used to configure port mirroring for the example shown in Figure 65 on page 607: 1. Specify the monitoring port, the mirroring port(s), and the port‐mirror direction. CN 4093(config)# port-mirroring monitor-port EXT3 mirroring-port EXT1 in CN 4093(config)# port-mirroring monitor-port EXT3 mirroring-port EXT2 both 2. Enable port mirroring. CN 4093(config)# port-mirroring enable 3.
Page 610 CN4093 Application Guide for N/OS 8.4...
Page 611: Appendix A. Glossary
Priority In VRRP, the value given to a Virtual Router to determine its ranking with its peer(s). Minimum value is 1 and maximum value is 254. Default is 100. A higher number will win out for master designation. Proto (Protocol) The protocol of a frame. Can be any value represented by a 8‐bit value in the IP header adherent to the IP specification (for example, TCP, UDP, OSPF, ICMP, and so on.) The source IP address of a frame. SPort The source port (application socket: for example, HTTP‐80/HTTPS‐443/DNS‐53). Tracking In VRRP, a method to increase the priority of a virtual router and thus master designation (with preemption enabled). Tracking can be very valuable in an active/active configuration. You can track the following:  Active IP interfaces on the Web switch (increments priority by 2 for each)  Active ports on the same VLAN (increments priority by 2 for each)  Number of virtual routers in master mode on the switch Virtual Interface Router. A VRRP address is an IP interface address shared between two or more virtual routers. Virtual Router A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface. This is one of the IP interfaces that the switch is assigned. All IP interfaces on the CN4093s must be in a VLAN. If there is more than one VLAN defined on the Web switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member. © Copyright Lenovo 2017...
Page 612 VRID Virtual Router Identifier. In VRRP, a numeric ID is used by each virtual router to create its MAC address and identify its peer for which it is sharing this VRRP address. The VRRP MAC address as defined in the RFC is 00‐00‐5E‐00‐01‐<VRID>. If you have a VRRP address that two switches are sharing, then the VRID number needs to be identical on both switches so each virtual router on each switch knows with whom to share. VRRP Virtual Router Redundancy Protocol. A protocol that acts very similarly to Ciscoʹs proprietary HSRP address sharing protocol. The reason for both of these protocols is so devices have a next hop or default gateway that is always available. Two or more devices sharing an IP interface are either advertising or listening for advertisements. These advertisements are sent via a broadcast message to an address such as 224.0.0.18. With VRRP, one switch is considered the master and the other the backup. The master is always advertising via the broadcasts. The backup switch is always listening for the broadcasts. Should the master stop advertising, the backup will take over ownership of the VRRP IP and MAC addresses as defined by the specification. The switch announces this change in ownership to the devices around it by way of a Gratuitous ARP, and advertisements. If the backup switch didnʹt do the Gratuitous ARP the Layer 2 devices attached to the switch would not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338. CN4093 Application Guide for N/OS 8.4...
Page 613: Appendix B. Getting Help And Technical Assistance
Check all cables to make sure that they are connected.  Check the power switches to make sure that the system and any optional devices are turned on.  Check for updated software, firmware, and operating‐system device drivers for your Lenovo product. The Lenovo Warranty terms and conditions state that you, the owner of the Lenovo product, are responsible for maintaining and updating all software and firmware for the product (unless it is covered by an additional maintenance contract). Your service technician will request that you upgrade your software and firmware if the problem has a documented solution within a software upgrade.  If you have installed new hardware or software in your environment, check the IBM ServerProven website to make sure that the hardware and software is supported by your product.  Go to the IBM Support portal to check for information to help you solve the problem.  Gather the following information to provide to the service technician. This data will help the service technician quickly provide a solution to your problem and ensure that you receive the level of service for which you might have contracted. Hardware and Software Maintenance agreement contract numbers, if  applicable Machine type number (Lenovo 4‐digit machine identifier)  Model number  Serial number  Current system UEFI and firmware levels  Other pertinent information such as error messages and logs  © Copyright Lenovo 2017...
Page 614  Start the process of determining a solution to your problem by making the pertinent information available to the service technicians. The IBM service technicians can start working on your solution as soon as you have completed and submitted an Electronic Service Request. You can solve many problems without outside assistance by following the troubleshooting procedures that Lenovo provides in the online help or in the Lenovo product documentation. The Lenovo product documentation also describes the diagnostic tests that you can perform. The documentation for most systems, operating systems, and programs contains troubleshooting procedures and explanations of error messages and error codes. If you suspect a software problem, see the documentation for the operating system or program. CN4093 Application Guide for N/OS 8.4...
Page 615: Appendix C. Notices
Lenovo may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: Lenovo (United States), Inc. 1009 Think Place ‐ Building One Morrisville, NC 27560 U.S.A. Attention: Lenovo Director of Licensing LENOVO PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON‐INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. The products described in this document are not intended for use in implantation or other life support applications where malfunction may result in injury or death to persons. The information contained in this document does not affect or change Lenovo product specifications or warranties. Nothing in this document shall operate as an express or implied license or indemnity under the intellectual property rights of Lenovo or third parties. All information contained in this document was obtained in specific environments and is presented as an illustration. The result obtained in other operating environments may vary. Lenovo may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Any references in this publication to non‐Lenovo Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this Lenovo product, and use of those Web sites is at your own risk. © Copyright Lenovo 2017...
Page 616 Any performance data contained herein was determined in a controlled environment. Therefore, the result obtained in other operating environments may vary significantly. Some measurements may have been made on development‐level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. CN4093 Application Guide for N/OS 8.4...
Page 617: Trademarks
Trademarks Lenovo, the Lenovo logo, Flex System, System x, NeXtScale System, and X‐Architecture are trademarks of Lenovo in the United States, other countries, or both. Intel and Intel Xeon are trademarks of Intel Corporation in the United States, other countries, or both. Internet Explorer, Microsoft, and Windows are trademarks of the Microsoft group of companies. Linux is a registered trademark of Linus Torvalds. Other company, product, or service names may be trademarks or service marks of others. © Copyright Lenovo 2017 Appendix C: Notices...
Page 618: Important Notes
Important Notes Processor speed indicates the internal clock speed of the microprocessor; other factors also affect application performance. CD or DVD drive speed is the variable read rate. Actual speeds vary and are often less than the possible maximum. When referring to processor storage, real and virtual storage, or channel volume, KB stands for 1 024 bytes, MB stands for 1 048 576 bytes, and GB stands for 1 073 741 824 bytes. When referring to hard disk drive capacity or communications volume, MB stands for 1 000 000 bytes, and GB stands for 1 000 000 000 bytes. Total user‐accessible capacity can vary depending on operating environments. Maximum internal hard disk drive capacities assume the replacement of any standard hard disk drives and population of all hard‐disk‐drive bays with the largest currently supported drives that are available from Lenovo. Maximum memory might require replacement of the standard memory with an optional memory module. Each solid‐state memory cell has an intrinsic, finite number of write cycles that the cell can incur. Therefore, a solid‐state device has a maximum number of write cycles that it can be subjected to, expressed as total bytes written (TBW). A device that has exceeded this limit might fail to respond to system‐generated commands or might be incapable of being written to. Lenovo is not responsible for replacement of a device that has exceeded its maximum guaranteed number of program/erase cycles, as documented in the Official Published Specifications for the device. Lenovo makes no representations or warranties with respect to non‐Lenovo products. Support (if any) for the non‐Lenovo products is provided by the third party, not Lenovo. Some software might differ from its retail version (if available) and might not include user manuals or all program functionality. CN4093 Application Guide for N/OS 8.4...
Page 619: Recycling Information
Recycling Information Lenovo encourages owners of information technology (IT) equipment to responsibly recycle their equipment when it is no longer needed. Lenovo offers a variety of programs and services to assist equipment owners in recycling their IT products. For information on recycling Lenovo products, go to: http://www.lenovo.com/recycling © Copyright Lenovo 2017 Appendix C: Notices...
Page 620: Particulate Contamination
Particulate Contamination Attention: Airborne particulates (including metal flakes or particles) and reactive gases acting alone or in combination with other environmental factors such as humidity or temperature might pose a risk to the device that is described in this document. Risks that are posed by the presence of excessive particulate levels or concentrations of harmful gases include damage that might cause the device to malfunction or cease functioning altogether. This specification sets forth limits for particulates and gases that are intended to avoid such damage. The limits must not be viewed or used as definitive limits, because numerous other factors, such as temperature or moisture content of the air, can influence the impact of particulates or environmental corrosives and gaseous contaminant transfer. In the absence of specific limits that are set forth in this document, you must implement practices that maintain particulate and gas levels that are consistent with the protection of human health and safety. If Lenovo determines that the levels of particulates or gases in your environment have caused damage to the device, Lenovo may condition provision of repair or replacement of devices or parts on implementation of appropriate remedial measures to mitigate such environmental contamination. Implementation of such remedial measures is a customer responsibility.. Contaminant Limits Particulate • The room air must be continuously filtered with 40% atmospheric dust spot efficiency (MERV 9) according to ASHRAE Standard 52.2 • Air that enters a data center must be filtered to 99.97% efficiency or greater, using high‐efficiency particulate air (HEPA) filters that meet MIL‐STD‐282. • The deliquescent relative humidity of the particulate contamination must be more than 60% • The room must be free of conductive contamination such as zinc whis‐ kers. Gaseous • Copper: Class G1 as per ANSI/ISA 71.04‐1985 • Silver: Corrosion rate of less than 300 Å in 30 days 1 ...
Page 621: Telecommunication Regulatory Statement
Telecommunication Regulatory Statement This product may not be certified in your country for connection by any means whatsoever to interfaces of public telecommunications networks. Further certification may be required by law prior to making any such connection. Contact a Lenovo representative or reseller for any questions. © Copyright Lenovo 2017 Appendix C: Notices...
Page 622: Electronic Emission Notices
Federal Communications Commission (FCC) Statement Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense. Properly shielded and grounded cables and connectors must be used to meet FCC emission limits. Lenovo is not responsible for any radio or television interference caused by using other than recommended cables and connectors or by unauthorized changes or modifications to this equipment. Unauthorized changes or modifications could void the user’s authority to operate the equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that might cause undesired operation. Industry Canada Class A Emission Compliance Statement This Class A digital apparatus complies with Canadian ICES‐003. Avis de Conformité à la Réglementation d'Industrie Canada Cet appareil numérique de la classe A est conforme à la norme NMB‐003 du ...
Page 623: European Union - Compliance To The Electromagnetic Compatibility Directive
Lenovo, Einsteinova 21, 851 01 Bratislava, Slovakia Warning: This is a Class A product. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures. Germany Class A Statement Deutschsprachiger EU Hinweis: Hinweis für Geräte der Klasse A EU‐Richtlinie zur Elektromagnetischen Verträglichkeit Dieses Produkt entspricht den Schutzanforderungen der EU‐Richtlinie 2014/30/EU (früher 2004/108/EC) zur Angleichung der Rechtsvorschriften über die elektromagnetische Verträglichkeit in den EU‐Mitgliedsstaaten und hält die Grenzwerte der Klasse A der Norm gemäß Richtlinie. Um dieses sicherzustellen, sind die Geräte wie in den Handbüchern beschrieben zu installieren und zu betreiben. Des Weiteren dürfen auch nur von der Lenovo empfohlene Kabel angeschlossen werden. Lenovo übernimmt keine Verantwortung für die Einhaltung der Schutzanforderungen, wenn das Produkt ohne Zustimmung der Lenovo verändert bzw. wenn Erweiterungskomponenten von Fremdherstellern ohne Empfehlung der Lenovo gesteckt/eingebaut werden. Deutschland: Einhaltung des Gesetzes über die elektromagnetische Verträglichkeit von Betriebsmittein Dieses Produkt entspricht dem „Gesetz über die elektromagnetische Verträglichkeit von Betriebsmitteln“ EMVG (früher „Gesetz über die elektromagnetische Verträglichkeit von Geräten“). Dies ist die Umsetzung der EU‐Richtlinie 2014/30/EU (früher 2004/108/EC) in der Bundesrepublik Deutschland. © Copyright Lenovo 2017 Appendix C: Notices...
Page 624: Japan Vcci Class A Statement
Zulassungsbescheinigung laut dem Deutschen Gesetz über die elektromagnetische Verträglichkeit von Betriebsmitteln, EMVG vom 20. Juli 2007 (früher Gesetz über die elektromagnetische Verträglichkeit von Geräten), bzw. der EMV EU Richtlinie 2014/30/EU (früher 2004/108/EC ), für Geräte der Klasse A. Dieses Gerät ist berechtigt, in Übereinstimmung mit dem Deutschen EMVG das EG‐Konformitätszeichen ‐ CE ‐ zu führen. Verantwortlich für die Konformitätserklärung nach Paragraf 5 des EMVG ist die Lenovo (Deutschland) GmbH, Meitnerstr. 9, D‐70563 Stuttgart. Informationen in Hinsicht EMVG Paragraf 4 Abs. (1) 4: Das Gerät erfüllt die Schutzanforderungen nach EN 55024 und EN 55022 Klasse Nach der EN 55022: „Dies ist eine Einrichtung der Klasse A. Diese Einrichtung kann im Wohnbereich Funkstörungen verursachen; in diesem Fall kann vom Betreiber verlangt werden, angemessene Maßnahmen durchzuführen und dafür aufzukommen.“ Nach dem EMVG: „Geräte dürfen an Orten, für die sie nicht ausreichend entstört sind, nur mit besonderer Genehmigung des Bundesministers für Post und Telekommunikation oder des Bundesamtes für Post und Telekommunikation betrieben werden. Die Genehmigung wird erteilt, wenn keine elektromagnetischen Störungen zu erwarten sind.“ (Auszug aus dem EMVG, Paragraph 3, Abs. 4). Dieses Genehmigungsverfahrenist nach Paragraph 9 EMVG in Verbindung mit der entsprechenden Kostenverordnung (Amtsblatt 14/93) kostenpflichtig. Anmerkung: Um die Einhaltung des EMVG sicherzustellen sind die Geräte, wie in den Handbüchern angegeben, zu installieren und zu betreiben. Japan VCCI Class A Statement This is a Class A product based on the standard of the Voluntary Control Council for Interference (VCCI). If this equipment is used in a domestic environment, radio interference may occur, in which case the user may be required to take corrective actions. CN4093 Application Guide for N/OS 8.4...
Page 625: Japan Electronics And Information Technology Industries Association
Japan Electronics and Information Technology Industries Association (JEITA) Confirmed Harmonics Guidelines (products less than or equal to 20 A per phase) Japan Electronics and Information Technology Industries Association (JEITA) Confirmed Harmonics Guidelines with Modifications (products greater than 20 A per phase). Korea Communications Commission (KCC) Statement This is electromagnetic wave compatibility equipment for business (Type A). Sellers and users need to pay attention to it. This is for any areas other than home. Russia Electromagnetic Interference (EMI) Class A statement People’s Republic of China Class A electronic emission statement Taiwan Class A compliance statement © Copyright Lenovo 2017 Appendix C: Notices...
Page 626 CN4093 Application Guide for N/OS 8.4...
Page 627: Index
VLANs 162 setup 64 configuring autonomous systems (AS) 471 BGP failover 462 DCBX 324 ETS 320 FIP snooping 310 bandwidth allocation 303 IP routing 395 BBI 30 OSPF 483 BBI. See Browser‐Based Interface PFC 314 Bootstrap Router, PIM 503 port aggregation 164 spanning tree groups 183 contamination, particulate and gaseous 620 Converged Enhanced Ethernet. See CEE. © Copyright Lenovo 2017 Index...
Page 628 FCF 278 Converged Network Adapter. See CNA. detection mode 307 FCoE 299 bridge module 278 CEE 301 Data Center Bridging Capability Exchange. See DCBX. CNA 301 date setup 62 ENodes 301 DCBX 299 FCF 278 default gateway 394 FIP snooping 299 configuration example 396 FLOGI 308 default password 47 point‐to‐point links 300 default route, OSPF 476 requirements 301 Dense Mode, PIM 498 SAN 300 Designated Router, PIM 497 topology 300...
Page 629 618 routing 393 notices 615 VLANs 137 IPSec maximum traffic load 419 IPsec 417 key policy 424 IPv6 addressing 403 ISL Aggregation 161 Isolated VLAN 153 Japan Class A electronic emission statement 624 Japan Electronics and Information Technology Indus‐ tries Association statement 625 JEITA statement 625 jumbo frames 138 © Copyright Lenovo 2017 : Index...
Page 630 ports configuration 64 OSPF for services 123 area types 468 monitoring 607 authentication 478 physical. See switch ports. configuration examples 483 preshared key 420 default route 476 enabling 424 external routes 482 priority groups 317 filtering criteria 122 priority value (802.1p) 224 host routes 481 Priority‐based Flow Control. See PFC. link state database 470 Private VLANs 153 neighbors 470 promiscuous port 153 overview 467 Protocol Independant Multicast (see PIM) 497 redistributing routes 459...
Page 631 524 Spanning‐Tree Protocol multiple instances 178 virtual link, OSPF 477 setup (on/off) 63 Virtual Local Area Networks. See VLANs. Sparse Mode, PIM 497 virtual NICs 261 virtual router group 528 SSH/SCP configuring 90 virtual router ID numbering 530 RSA host and server keys 93 Virtual Station Interface, See VSI. stacking 232 VLAN tagging starting switch setup 61 setup 65 Static ARP 357 stopping switch setup 61 © Copyright Lenovo 2017 : Index...
Page 632 VLANs 67 broadcast domains 137 configuration rules 162 default PVID 140 example showing multiple VLANs 148 FCoE 309 ID numbers 139 interface 67 IP interface configuration 398 multiple spanning trees 173 multiple VLANs 142 name setup 66 port members 141 PVID 140 routing 397 security 137 setup 66 Spanning‐Tree Protocol 173 tagging 65 topologies 147 vNICs 261 VRRP (Virtual Router Redundancy Protocol) active‐active redundancy 527...
Page 634 Part Number: 00MY375 Printed in USA (IP) P/N: 00MY375...

Lenovo Flex System Fabric CN4093 Application Manual

Chapter 1. Switch Administration

Chapter 2. Initial Setup

Chapter 3. Switch Software Management

Chapter 4. Securing Administration

Chapter 5. Authentication & Authorization Protocols

Chapter 6. 802.1X Port-Based Network Access Control

Chapter 7. Access Control Lists

Chapter 8. Vlans

Chapter 9. Ports and Link Aggregation (LAG)

Chapter 10. Spanning Tree Protocols

Chapter 11. Virtual Link Aggregation Groups

Chapter 12. Quality of Service

Chapter 13. Stacking

Quick Links

Related Manuals for Lenovo Flex System Fabric CN4093

Summary of Contents for Lenovo Flex System Fabric CN4093