Page 1 Lenovo RackSwitch G8264 Application Guide For Lenovo Enterprise Network Operating System 8.4...
Page 2 Note: Before using this information and the product it supports, read the general information in the Safety information and Environmental Notices and User Guide documents on the Lenovo Documentation CD and the Warranty Information document that comes with the product. Second Edition (July 2017) © Copyright Lenovo 2017 Portions © Copyright IBM Corporation 2014. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS‐35F‐05925. Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.
Page 3: Table Of Contents
DHCP SYSLOG Server. . . . . . . . . . . . . . . . . . . . . . . .45 Global BOOTP Relay Agent Configuration . . . . . . . . . . . . . . .45 Domain‐Specific BOOTP Relay Agent Configuration. . . . . . . . . . .46 DHCP Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . .46 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . .46 Easy Connect Wizard . . . . . . . . . . . . . . . . . . . . . . . . . .48 Configuring the Easy Connect Wizard . . . . . . . . . . . . . . . . .48 Basic System Mode Configuration Example . . . . . . . . . . . . .49 Transparent Mode Configuration Example . . . . . . . . . . . . .49 Redundant Mode Configuration Example . . . . . . . . . . . . .50 Switch Login Levels . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Administrator Password Recovery . . . . . . . . . . . . . . . . . . . .54 Setup vs. the Command Line . . . . . . . . . . . . . . . . . . . . . . .56 Idle Disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57 Boot Strict Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . .58 Acceptable Cipher Suites . . . . . . . . . . . . . . . . . . . . . . .61 Configuring Strict Mode . . . . . . . . . . . . . . . . . . . . . . .62 Configuring No‐Prompt Mode . . . . . . . . . . . . . . . . . . . .62 SSL/TLS Version Limitation . . . . . . . . . . . . . . . . . . . . .62 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62 Scripting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64 © Copyright Lenovo 2017...
Page 4 Chapter 2. Initial Setup ..... 65 Information Needed for Setup . . . . . . . . . . . . . . . . . . . . . . 66 Default Setup Options . . . . . . . . . . . . . . . . . . . . . . . . . 67 Setting the Management Interface Default IP Address . . . . . . . . . . . . 68 Stopping and Restarting Setup Manually . . . . . . . . . . . . . . . . . 69 Stopping Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Restarting Setup . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Setup Part 1: Basic System Configuration . . . . . . . . . . . . . . . . .
Page 5 Chapter 5. Authentication & Authorization Protocols ..105 RADIUS Authentication and Authorization . . . . . . . . . . . . . . . 106 How RADIUS Authentication Works . . . . . . . . . . . . . . . . 106 Configuring RADIUS on the Switch . . . . . . . . . . . . . . . . . 106 RADIUS Authentication Features in Enterprise NOS . . . . . . . . . . 108 Switch User Accounts . . . . . . . . . . . . . . . . . . . . . . . 108 RADIUS Attributes for Enterprise NOS User Privileges . . . . . . . . 109 TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . 110 How TACACS+ Authentication Works. . . . . . . . . . . . . . . . 110 TACACS+ Authentication Features in Enterprise NOS . . . . . . . . . 111 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . 111 Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Command Authorization and Logging . . . . . . . . . . . . . . . . 112 Configuring TACACS+ Authentication on the Switch . . . . . . . . . 113 LDAP Authentication and Authorization . . . . . . . . . . . . . . . . 114 Configuring the LDAP Server. . . . . . . . . . . . . . . . . . . . 114 Configuring LDAP Authentication on the Switch . . . . . . . . . . . 114 © Copyright Lenovo 2017 Contents...
Page 6 Chapter 6. 802.1X Port-Based Network Access Control ..117 Extensible Authentication Protocol over LAN . . . . . . . . . . . . . . 118 EAPoL Authentication Process . . . . . . . . . . . . . . . . . . . . . 119 EAPoL Message Exchange . . . . . . . . . . . . . . . . . . . . . . . 120 EAPoL Port States . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Guest VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Supported RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . 122 EAPoL Configuration Guidelines . . . . . . . . . . . . . . . . . . . . 124 Chapter 7. Access Control Lists....125 Summary of Packet Classifiers . . . . . . . . . . . . . . . . . . . . . ...
Page 7 Link Aggregation Control Protocol . . . . . . . . . . . . . . . . . . . 180 Static LACP LAGs. . . . . . . . . . . . . . . . . . . . . . . . . 181 LACP Port Modes . . . . . . . . . . . . . . . . . . . . . . . . . 182 LACP Individual . . . . . . . . . . . . . . . . . . . . . . . . . 182 LACP Minimum Links Option . . . . . . . . . . . . . . . . . . . 183 Configuring LACP . . . . . . . . . . . . . . . . . . . . . . . . 184 Configurable LAG Hash Algorithm . . . . . . . . . . . . . . . . . . . 185 Chapter 11. Spanning Tree Protocols....187 Spanning Tree Protocol Modes . . . . . . . . . . . . . . . . . . . . . 188 Global STP Control . . . . . . . . . . . . . . . . . . . . . . . . . . 189 © Copyright Lenovo 2017 Contents...
Page 8 PVRST Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Port States . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Bridge Protocol Data Units . . . . . . . . . . . . . . . . . . . . . 190 How BPDU Works . . . . . . . . . . . . . . . . . . . . . . 190 Determining the Path for Forwarding BPDUs . . . . . . . . . . . 190 Simple STP Configuration . . . . . . . . . . . . . . . . . . . . . 192 Per‐VLAN Spanning Tree Groups. . . . . . . . . . . . . . . . . . 194 Using Multiple STGs to Eliminate False Loops . . . . . . . . . . 194 VLANs and STG Assignment . . . . . . . . . . . . . . . . . . 196 Manually Assigning STGs . . . . . . . . . . . . . . . . . . . 197 Guidelines for Creating VLANs . . . . . . . . . . . . . . . . . 197 Rules for VLAN Tagged/Trunk Mode Ports. . . . . . . . . . . . 197 Adding and Removing Ports from STGs . . . . . . . . . . . . . 198 The Switch‐Centric Model . . . . . . . . . . . . . . . . . . . 199 Configuring Multiple STGs . . . . . . . . . . . . . . . . . . . . 200 Rapid Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . ...
Page 9 Chapter 15. OpenFlow ..... . 261 OpenFlow Overview . . . . . . . . . . . . . . . . . . . . . . . . . 262 Switch Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 OpenFlow Versions . . . . . . . . . . . . . . . . . . . . . . . . . . 264 OpenFlow Instance . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Flow Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Static Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Port Membership . . . . . . . . . . . . . . . . . . . . . . . . . 270 FDB Aging and ECMP with OpenFlow. . . . . . . . . . . . . . . . 271 Static Flow Examples . . . . . . . . . . . . . . . . . . . . . . . 271 Table‐Miss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Fail Secure Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Emergency Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 © Copyright Lenovo 2017 Contents...
Page 10 OpenFlow Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 OpenFlow Edge Ports . . . . . . . . . . . . . . . . . . . . . . . 278 Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . 279 Data Path ID . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 sFlow Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . 281 OpenFlow Groups . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Configuring OpenFlow . . . . . . . . . . . . . . . . . . . . . . . . 283 Configuration Example 1 ‐ OpenFlow Boot Profile . . . . . . . . . . . 283 Configuration Example 2 ‐ Default Boot Profile . . . . . . . . . . . . 286 Feature Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . 288 Chapter 16. Deployment Profiles ....289 Available Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 11 ..... . 341 VE Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 Defining Server Ports . . . . . . . . . . . . . . . . . . . . . . . . . 342 VM Group Types . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 Local VM Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 Distributed VM Groups . . . . . . . . . . . . . . . . . . . . . . . . 346 VM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 346 Initializing a Distributed VM Group . . . . . . . . . . . . . . . . . 347 Assigning Members . . . . . . . . . . . . . . . . . . . . . . . . 347 Synchronizing the Configuration . . . . . . . . . . . . . . . . . . 348 Removing Member VEs . . . . . . . . . . . . . . . . . . . . . . 348 VMcheck . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 Virtual Distributed Switch . . . . . . . . . . . . . . . . . . . . . . . 351 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Migrating to vDS . . . . . . . . . . . . . . . . . . . . . . . . . 352 Virtualization Management Servers . . . . . . . . . . . . . . . . . . . 353 Assigning a vCenter . . . . . . . . . . . . . . . . . . . . . . . . 353 vCenter Scans . . . . . . . . . . . . . . . . . . . . . . . . . . 354 Deleting the vCenter. . . . . . . . . . . . . . . . . . . . . . . . 354 Exporting Profiles . . . . . . . . . . . . . . . . . . . . . . . . . 355 VMware Operational Commands . . . . . . . . . . . . . . . . . . 355 © Copyright Lenovo 2017 Contents...
Page 12 Pre‐Provisioning VEs . . . . . . . . . . . . . . . . . . . . . . . . . 356 VLAN Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357 VM Policy Bandwidth Control . . . . . . . . . . . . . . . . . . . . . 358 VM Policy Bandwidth Control Commands . . . . . . . . . . . . . . 358 Bandwidth Policies vs. Bandwidth Shaping . . . . . . . . . . . . . 359 VMready Information Displays . . . . . . . . . . . . . . . . . . . . 360 Local VE Information . . . . . . . . . . . . . . . . . . . . . . . 360 vCenter Hypervisor Hosts . . . . . . . . . . . . . . . . . . . . . 361 vCenter VEs . . . . . . . . . . . . . . . . . . . . . . . . . . . 362 vCenter VE Details . . . . . . . . . . . . . . . . . . . . . . . . 363 vCenter Switchport Mapping Details . . . . . . . . . . . . . . . . 363 VMready Configuration Example. . . . . . . . . . . . . . . . . . . . 364 Chapter 21. FCoE and CEE ....365 Fibre Channel over Ethernet . . . . . . . . . . . . . . . . . . . . . . ...
Page 13 UFP vPort Mode . . . . . . . . . . . . . . . . . . . . . . . 413 Tunnel Mode . . . . . . . . . . . . . . . . . . . . . . . . . 413 802.1Q Trunk Mode . . . . . . . . . . . . . . . . . . . . . . 414 Access Mode . . . . . . . . . . . . . . . . . . . . . . . . . 414 FCoE Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 415 Auto‐VLAN Mode. . . . . . . . . . . . . . . . . . . . . . . 415 UFP Bandwidth Provisioning . . . . . . . . . . . . . . . . . . . . . 416 ETS Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 UFP Strict Bandwidth Provisioning Mode . . . . . . . . . . . . . . 418 Using UFP with Other RackSwitch G8264 Features . . . . . . . . . . . . 419 Layer 2 Failover. . . . . . . . . . . . . . . . . . . . . . . . . . 419 Increased VLAN Limits . . . . . . . . . . . . . . . . . . . . . . 419 Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . 419 VMReady . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 802.1Qbg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 UFP Configuration Examples. . . . . . . . . . . . . . . . . . . . . . 421 Example 1: Access Mode . . . . . . . . . . . . . . . . . . . . . . 421 Example 2: Trunk Mode . . . . . . . . . . . . . . . . . . . . . . 422 Example 3: Auto‐VLAN Mode . . . . . . . . . . . . . . . . . . . 424 Example 4: Tunnel Mode . . . . . . . . . . . . . . . . . . . . . . 424 Example 5: FCoE Mode . . . . . . . . . . . . . . . . . . . . . . 425 Example 6: Layer 2 Failover Configuration . . . . . . . . . . . . . . 426 © Copyright Lenovo 2017 Contents...
Page 14 Part 5: IP Routing......429 Chapter 26. Basic IP Routing ....431 IP Routing Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 15 Chapter 32. Internet Group Management Protocol ..493 IGMP Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 How IGMP Works . . . . . . . . . . . . . . . . . . . . . . . . . . 495 IGMP Capacity and Default Values . . . . . . . . . . . . . . . . . . . 496 IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . 498 IGMP Querier . . . . . . . . . . . . . . . . . . . . . . . . . . 498 Querier Election . . . . . . . . . . . . . . . . . . . . . . . . . 498 IGMP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . 499 IGMPv3 Snooping. . . . . . . . . . . . . . . . . . . . . . . . . 499 IGMP Snooping Configuration Guidelines . . . . . . . . . . . . . . 501 IGMP Snooping Configuration Example . . . . . . . . . . . . . . . 502 Advanced Configuration Example: IGMP Snooping . . . . . . . . . . 503 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . 504 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 504 Troubleshooting IGMP Snooping . . . . . . . . . . . . . . . . . . 508 © Copyright Lenovo 2017 Contents...
Page 16 IGMP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511 Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . 511 Configure IGMP Relay . . . . . . . . . . . . . . . . . . . . . . 512 Advanced Configuration Example: IGMP Relay . . . . . . . . . . . 513 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . 513 Configuration. . . . . . . . . . . . . . . . . . . . . . . . . 514 Troubleshooting IGMP Relay . . . . . . . . . . . . . . . . . . . . 517 Additional IGMP Features . . . . . . . . . . . . . . . . . . . . . . . 520 FastLeave . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520 IGMP Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . 520 Configuring the Range . . . . . . . . . . . . . . . . . . . . . 520 Configuring the Action . . . . . . . . . . . . . . . . . . . . 521 Configure IGMP Filtering . . . . . . . . . . . . . . . . . . . 521 Static Multicast Router. . . . . . . . . . . . . . . . . . . . . . . 521 Chapter 33. Multicast Listener Discovery ....523 MLD Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 17 Host Routes for Load Balancing . . . . . . . . . . . . . . . . . . . 567 Loopback Interfaces in OSPF . . . . . . . . . . . . . . . . . . . . 568 OSPF Features Not Supported in This Release. . . . . . . . . . . . . 568 OSPFv2 Configuration Examples . . . . . . . . . . . . . . . . . . . . 569 Example 1: Simple OSPF Domain . . . . . . . . . . . . . . . . . . 570 Example 2: Virtual Links . . . . . . . . . . . . . . . . . . . . . . 572 Configuring OSPF for a Virtual Link on Switch #1 . . . . . . . . . 572 Configuring OSPF for a Virtual Link on Switch #2 . . . . . . . . . 573 Other Virtual Link Options . . . . . . . . . . . . . . . . . . . 575 Example 3: Summarizing Routes . . . . . . . . . . . . . . . . . . 576 Verifying OSPF Configuration . . . . . . . . . . . . . . . . . . . 577 OSPFv3 Implementation in Enterprise NOS . . . . . . . . . . . . . . . 578 OSPFv3 Differences from OSPFv2 . . . . . . . . . . . . . . . . . . 578 OSPFv3 Requires IPv6 Interfaces . . . . . . . . . . . . . . . . 578 OSPFv3 Uses Independent Command Paths . . . . . . . . . . . 578 OSPFv3 Identifies Neighbors by Router ID . . . . . . . . . . . . 579 Other Internal Improvements . . . . . . . . . . . . . . . . . . 579 OSPFv3 Limitations . . . . . . . . . . . . . . . . . . . . . . . . 579 OSPFv3 Configuration Example. . . . . . . . . . . . . . . . . . . 579 Neighbor Configuration Example . . . . . . . . . . . . . . . . . . 581 © Copyright Lenovo 2017 Contents...
Page 18 Chapter 36. Protocol Independent Multicast... . . 583 PIM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584 Supported PIM Modes and Features . . . . . . . . . . . . . . . . . . 585 Basic PIM Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 586 Globally Enabling or Disabling the PIM Feature. . . . . . . . . . . . 586 Defining a PIM Network Component . . . . . . . . . . . . . . . . 586 Defining an IP Interface for PIM Use . . . . . . . . . . . . . . . . 586 PIM Neighbor Filters . . . . . . . . . . . . . . . . . . . . . . . 587 Additional Sparse Mode Settings . . . . . . . . . . . . . . . . . . . . 589 Specifying the Rendezvous Point . . . . . . . . . . . . . . . . . . 589 Influencing the Designated Router Selection . . . . . . . . . . . . . ...
Page 19 Time‐to‐Live for Transmitted Information . . . . . . . . . . . . . . 632 Trap Notifications . . . . . . . . . . . . . . . . . . . . . . . . . 632 Changing the LLDP Transmit State . . . . . . . . . . . . . . . . . 633 Types of Information Transmitted . . . . . . . . . . . . . . . . . . 633 LLDP Receive Features . . . . . . . . . . . . . . . . . . . . . . . . 635 Types of Information Received . . . . . . . . . . . . . . . . . . . 635 Viewing Remote Device Information . . . . . . . . . . . . . . . . 635 Time‐to‐Live for Received Information . . . . . . . . . . . . . . . . 637 LLDP Example Configuration . . . . . . . . . . . . . . . . . . . . . 639 Chapter 41. Simple Network Management Protocol ..641 SNMP Version 1 & Version 2 . . . . . . . . . . . . . . . . . . . . . . 641 SNMP Version 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 642 © Copyright Lenovo 2017 Contents...
Page 20 Configuring SNMP Trap Hosts . . . . . . . . . . . . . . . . . . . . . 644 SNMPv2 Trap Host Configuration . . . . . . . . . . . . . . . . . 645 SNMPv3 Trap Host Configuration . . . . . . . . . . . . . . . . . 646 SNMP MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647 Switch Images and Configuration Files . . . . . . . . . . . . . . . . . 655 Loading a New Switch Image . . . . . . . . . . . . . . . . . . . 656 Loading a Saved Switch Configuration . . . . . . . . . . . . . . . 656 Saving the Switch Configuration . . . . . . . . . . . . . . . . . . 657 Saving a Switch Dump . . . . . . . . . . . . . . . . . . . . . . 657 Chapter 42. Service Location Protocol ....659 Active DA Discovery . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 21 Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707 Important Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . 708 Recycling Information . . . . . . . . . . . . . . . . . . . . . . . . . 709 Particulate Contamination . . . . . . . . . . . . . . . . . . . . . . . 710 Telecommunication Regulatory Statement . . . . . . . . . . . . . . . . 711 Electronic Emission Notices . . . . . . . . . . . . . . . . . . . . . . 712 Federal Communications Commission (FCC) Statement . . . . . . . . 712 Industry Canada Class A Emission Compliance Statement . . . . . . . 712 Avis de Conformité à la Réglementation dʹIndustrie Canada . . . . . . 712 Australia and New Zealand Class A Statement . . . . . . . . . . . . 712 European Union ‐ Compliance to the Electromagnetic Compatibility Directive Germany Class A Compliance Statement . . . . . . . . . . . . . . . 713 Japan VCCI Class A Statement . . . . . . . . . . . . . . . . . . . 714 Japan Electronics and Information Technology Industries Association (JEITA) Statement . . . . . . . . . . . . . . . . . . . . . . . . . 714 Korea Communications Commission (KCC) Statement . . . . . . . . . 715 Russia Electromagnetic Interference (EMI) Class A statement . . . . . . . . 716 People’s Republic of China Class A electronic emission statement . . . . . . 717 Taiwan Class A compliance statement . . . . . . . . . . . . . . . . . . 718 © Copyright Lenovo 2017 Contents...
Page 22 G8264 Application Guide for ENOS 8.4...
Page 23: Preface
Preface This Application Guide describes how to configure and use the Lenovo Enterprise Network Operating System 8.4 software on the Lenovo RackSwitch G8264 (referred to as G8264 throughout this document). For documentation on installing the switch physically, see the Installation Guide for your G8264. © Copyright Lenovo 2016...
Page 24: Who Should Use This Guide
Who Should Use This Guide This guide is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, Spanning Tree Protocol, and SNMP configuration parameters. G8264 Application Guide for ENOS 8.4...
Page 25: What You'll Find In This Guide
5, “Authentication & Authorization Protocols,” describes different secure administration for remote administrators. This includes using Remote Authentication Dial‐in User Service (RADIUS), as well as TACACS+ and LDAP.  Chapter 6, “802.1X Port‐Based Network Access Control,” describes how to authenticate devices attached to a LAN port that has point‐to‐point connection characteristics. This feature prevents access to ports that fail authentication and authorization and provides security to ports of the G8264 that connect to blade servers.  Chapter 7, “Access Control Lists,” describes how to use filters to permit or deny specific types of traffic, based on a variety of source, destination, and packet attributes.  Chapter 8, “Secure Input/Output Module,” describes which protocols can be enabled. This feature allows secured traffic and secured authentication management. Part 3: Switch Basics Chapter 9, “VLANs,” describes how to configure Virtual Local Area Networks  (VLANs) for creating separate network segments, including how to use VLAN tagging for devices that use multiple VLANs. This chapter also describes Protocol‐based VLANs, and Private VLANs.  Chapter 10, “Ports and Link Aggregation,” describes how to group multiple physical ports together to aggregate the bandwidth between large‐scale network devices. © Copyright Lenovo 2016 Preface...
Page 26  Chapter 12, “Virtual Link Aggregation Groups,” describes using Virtual Link Aggregation Groups (VLAGs) to form LAGs spanning multiple VLAG‐capable aggregator switches.  Chapter 11, “Spanning Tree Protocols,” discusses how Spanning Tree Protocol (STP) configures the network so that the switch selects the most efficient path when multiple paths exist. Covers Rapid Spanning Tree Protocol (RSTP), Per‐VLAN Rapid Spanning Tree (PVRST), and Multiple Spanning Tree Protocol (MSTP).  Chapter 13, “Quality of Service,” discusses Quality of Service (QoS) features, including IP filtering using Access Control Lists (ACLs), Differentiated Services, and IEEE 802.1p priority values.  Chapter 14, “Precision Time Protocol,” describes the configuration of PTP for clock synchronization. Part 4: Advanced Switching Features  Chapter 15, “OpenFlow,” describes how to create an OpenFlow Switch instance on the RackSwitch G8264.  Chapter 16, “Deployment Profiles,” describes how the G8264 can operate in different modes for different deployment scenarios, adjusting switch capacity levels to optimize performance for different types of networks.  Chapter 17, “Virtualization,” provides an overview of allocating resources based on the logical needs of the data center, rather than on the strict, physical nature of components. ...
Page 27 33, “Multicast Listener Discovery,” describes how Multicast Listener Discovery (MLD) is used with IPv6 to support host users requests for multicast data for a multicast group.  Chapter 34, “Border Gateway Protocol,” describes Border Gateway Protocol (BGP) concepts and features supported in ENOS.  Chapter 35, “Open Shortest Path First,” describes key Open Shortest Path First (OSPF) concepts and their implemented in ENOS, and provides examples of how to configure your switch for OSPF support.  Chapter 36, “Protocol Independent Multicast,” describes how multicast routing can be efficiently accomplished using the Protocol Independent Multicast (PIM) feature. Part 6: High Availability Fundamentals  Chapter 37, “Basic Redundancy,” describes how the G8264 supports redundancy through stacking, LAGs, and hotlinks.  Chapter 38, “Layer 2 Failover,” describes how the G8264 supports high‐availability network topologies using Layer 2 Failover.  Chapter 39, “Virtual Router Redundancy Protocol,” describes how the G8264 supports high‐availability network topologies using Virtual Router Redundancy Protocol (VRRP). © Copyright Lenovo 2016 Preface...
Page 28  (SLP) that allows the switch to provide dynamic directory services. Chapter 43, “NETCONF,” describes how to manage the G8264 using Network  Configuration Protocol (NETCONF), a mechanism based on the Extensible Markup Language (XML). Part 8: Monitoring  Chapter 44, “Remote Monitoring,” describes how to configure the RMON agent on the switch, so that the switch can exchange network monitoring data. Chapter 45, “sFlow, described how to use the embedded sFlow agent for  sampling network traffic and providing continuous monitoring information to a central sFlow analyzer.  Chapter 46, “Port Mirroring,” discusses tools how copy selected port traffic to a monitor port for network analysis. Part 9: Appendices Appendix A, “Glossary,” describes common terms and concepts used  throughout this guide. Appendix A, “Getting help and technical assistance,” provides details on where  to go for additional information about Lenovo and Lenovo products.  Appendix B, “Notices,” contains safety and environmental notices. G8264 Application Guide for ENOS 8.4...
Page 29: Additional References
Additional References Additional information about installing and configuring the G8264 is available in the following guides:  Lenovo RackSwitch G8264 Installation Guide Lenovo RackSwitch G8264 ISCLI Command Reference for Lenovo Enterprise Network  Operating System 8.4  Lenovo RackSwitch G8264 Release Notes for Lenovo Enterprise Network Operating System 8.4 © Copyright Lenovo 2016 Preface...
Page 30: Typographic Conventions
Typographic Conventions The following table describes the typographic styles used in this book. Table 1. Typographic Conventions Typeface or Meaning Example Symbol ABC123 This type is used for names of View the readme.txt file. commands, files, and directories used within the text. Main# It also depicts on‐screen computer output and prompts. ABC123 Main# sys This bold type appears in command examples. It shows text that must be typed in exactly as shown. <ABC123> This italicized type appears in To establish a Telnet session, command examples as a enter: host# telnet <IP address> parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, Read your User’s Guide special terms, or words to be thoroughly.
Page 32 G8264 Application Guide for ENOS 8.4...
Page 33: Chapter 1. Switch Administration
Chapter 1. Switch Administration Your RackSwitch G8264 (G8264) is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively. The extensive Lenovo Enterprise Network Operating System switching software included in the G8264 provides a variety of options for accessing the switch to perform configuration, and to view switch information and statistics. This chapter discusses the various methods that can be used to administer the switch. © Copyright Lenovo 2016...
Page 34: Administration Interfaces
Enterprise NOS provides a variety of user‐interfaces for administration. These interfaces vary in character and in the methods used to access them: some are text‐based, and some are graphical; some are available by default, and some require configuration; some can be accessed by local connection to the switch, and others are accessed remotely using various client applications. For example, administration can be performed using any of the following:  A built‐in, text‐based command‐line interface and menu system for access via serial‐port connection or an optional Telnet or SSH session  The built‐in Browser‐Based Interface (BBI) available using a standard web‐browser  SNMP support for access through network management software such as IBM Director or HP OpenView The specific interface chosen for an administrative session depends on user preferences, as well as the switch configuration and the available client tools. In all cases, administration requires that the switch hardware is properly installed and turned on. (see the Lenovo RackSwitch G8264 Installation Guide). Command Line Interface The Industry Standard Command Line Interface (ISCLI) provides a simple, direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance. You can establish a connection to the ISCLI in any of the following ways: Serial connection via the serial port on the G8264 (this option is always available)   Telnet connection over the network  SSH connection over the network G8264 Application Guide for ENOS 8.4...
Page 35: Establishing A Connection
1. Log onto the switch. 2. Enter Global Configuration mode. RS G8264> enable RS G8264# configure terminal 3. Configure a management IP address and mask: RS G8264(config)# interface ip 128 RS G8264(configipif)# ip address <management interface IPv4 address> RS G8264(configipif)# ip netmask <IPv4 subnet mask> RS G8264(configipif)# enable RS G8264(configipif)# exit 4. Configure the appropriate default gateway. IP gateway 4 is required for IF 128. RS G8264(config)# ip gateway 4 address <default gateway IPv4 address> RS G8264(config)# ip gateway 4 enable © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 36: Using The Switch Data Ports
Once you configure a management IP address for your switch, you can connect to a management port and use the Telnet program from an external management station to access and control the switch. The management port provides out‐of‐band management. Using the Switch Data Ports You also can configure in‐band management through any of the switch data ports. To allow in‐band management, use the following procedure: 1. Log on to the switch. 2. Enter IP interface mode. RS G8264> enable RS G8264# configure terminal RS G8264(config)# interface ip <IP interface number> Note: Interface 128 is reserved for out‐of‐band management (see “Using the Switch Management Ports” on page 35). 3. Configure the management IP interface/mask. IPv4:  RS G8264(configipif)# ip address <management interface IPv4 address> RS G8264(configipif)# ip netmask <IPv4 subnet mask> IPv6:  RS G8264(configipif)# ipv6 address <management interface IPv6 address> RS G8264(configipif)# ipv6 prefixlen <IPv6 prefix length> 4. Configure the VLAN, and enable the interface. RS G8264(configipif)# vlan 1 RS G8264(configipif)# enable RS G8264(configipif)# exit...
Page 37: Using Telnet
SNMP‐based network management system or a Web browser. For more information, see the documents listed in “Additional References” on page 29. Using Telnet A Telnet connection offers the convenience of accessing the switch from a workstation connected to the network. Telnet access provides the same options for user and administrator access as those available through the console port. By default, Telnet access is enabled. Use the following commands to disable or re‐enable Telnet access: RS G8264(config)# [no] access telnet enable Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the following Telnet command: telnet <switch IPv4 or IPv6 address> You will then be prompted to enter a password as explained “Switch Login Levels” on page Two attempts are allowed to log in to the switch. After the second unsuccessful attempt, the Telnet client is disconnected via TCP session closure. Using Secure Shell Although a remote network administrator can manage the configuration of a G8264 via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 38: Using Ssh With Password Authentication
The supported SSH encryption and authentication methods are:  Server Host Authentication: Client RSA‐authenticates the switch when starting each connection  Key Exchange: ecdh‐sha2‐nistp521, ecdh‐sha2‐nistp384, ecdh‐sha2‐nistp256, ecdh‐sha2‐nistp224, ecdh‐sha2‐nistp192, rsa2048‐sha256, rsa1024‐sha1, diffie‐hellman‐group‐exchange‐sha256, diffie‐hellman‐group‐exchange‐sha1, diffie‐hellman‐group14‐sha1, diffie‐hellman‐group1‐sha1  Encryption: aes128‐ctr, aes128‐cbc, rijndael128‐cbc, blowfish‐cbc,3des‐cbc, arcfour256, arcfour128, arcfour  MAC: hmac‐sha1, hmac‐sha1‐96, hmac‐md5, hmac‐md5‐96 User Authentication: Local password authentication, public key authentication,  RADIUS, TACACS+ Lenovo Enterprise Network Operating System implements the SSH version 2.0 standard and is confirmed to work with SSH version 2.0‐compliant clients such as the following:  OpenSSH_5.4p1 for Linux Secure CRT Version 5.0.2 (build 1021)   Putty SSH release 0.60 Using SSH with Password Authentication By default, the SSH feature is disabled. Once the IP parameters are configured and the SSH service is enabled, you can access the command line interface using an SSH connection. To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IPv4 or IPv6 address: # ssh <switch IP address> You will then be prompted to enter a password as explained “Switch Login Levels” ...
Page 39: Using Ssh With Public Key Authentication
To set up public key authentication: 1. Enable SSH: RS G8264(config)# ssh enable 2. Import the public key file using SFTP or TFTP for the admin user account:: RS G8264(config)# copy {sftp|tftp} publickey Port type ["DATA"/"MGT"]: mgt Address or name of remote host: 9.43.101.151 Source file name: 11.key Username of the public key: admin Confirm download operation (y/n) ? y Notes: When prompted to input a username, a valid user account name must be  entered. If no username is entered, the key is stored on the switch, and can be assigned to a user account later.  A user account can have up to 100 public keys set up on the switch. 3. Configure a maximum number of 3 failed public key authentication attempts before the system reverts to password‐based authentication: RS G8264(config)# ssh maxauthattempts 3 Once the public key is configured on the switch, the client can use SSH to login from a system where the private key pair is set up: # ssh <switch IP address> © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 40: Using A Web Browser
Using a Web Browser The switch provides a Browser‐Based Interface (BBI) for accessing the common configuration, management, and operation features of the G8264 through your Web browser. By default, BBI access via HTTP is enabled on the switch. You can also access the BBI directly from an open Web browser window. Enter the URL using the IP address of the switch interface (for example, http://<IPv4 or IPv6 address>). Configuring HTTP Access to the BBI By default, BBI access via HTTP is enabled on the switch. To disable or re‐enable HTTP access to the switch BBI, use the following commands: (Enable HTTP access) RS G8264(config)# access http enable ‐or‐ (Disable HTTP access) RS G8264(config)# no access http enable The default HTTP web server port to access the BBI is port 80. However, you can change the default Web server port with the following command: RS G8264(config)# access http port <TCP port number> To access the BBI from a workstation, open a Web browser window and type in the URL using the IP address of the switch interface (for example, http://<IPv4 or IPv6 address>). Configuring HTTPS Access to the BBI The BBI can also be accessed via a secure HTTPS connection over management and ...
Page 41: Browser-Based Interface Summary
Browser-Based Interface Summary The BBI is organized at a high level as follows: Context buttons—These buttons allow you to select the type of action you wish to perform. The Configuration button provides access to the configuration elements for the entire switch. The Statistics button provides access to the switch statistics and state information. The Dashboard button allows you to display the settings and operating status of a variety of switch features. Navigation Window—Provides a menu of switch features and functions:  System—Provides access to the configuration elements for the entire switch. Switch Ports—Configure each of the physical ports on the switch.   Port‐Based Port Mirroring—Configure port mirroring behavior. Layer 2—Configure Layer 2 features for the switch.   RMON Menu—Configure Remote Monitoring features for the switch. Layer 3—Configure Layer 3 features for the switch.   QoS—Configure Quality of Service features for the switch. Access Control—Configure Access Control Lists to filter IP packets.   CEEConfigure Converged Enhanced Ethernet (CEE). FCoEConfigure FibreChannel over Ethernet (FCoE).   Virtualization—Configure vNICs and VMready for virtual machines (VMs). © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 42  Dove Gateway – Configure Distributed Overlay Virtual Ethernet. G8264 Application Guide for ENOS 8.4...
Page 43: Using Simple Network Management Protocol
RS G8264(config)# snmpserver readcommunity <1‐32 characters> ‐and‐ RS G8264(config)# snmpserver writecommunity <1‐32 characters> The SNMP manager must be able to reach any one of the IP interfaces on the switch. For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following commands: RS G8264(config)# snmpserver trapsource <trap source IP interface> RS G8264(config)# snmpserver host <IPv4 address> <trap host community string> To restrict SNMP access to specific IPv4 subnets, use the following commands: RS G8264(config)# access managementnetwork <IPv4 address> <subnet mask> snmpro ‐and‐ RS G8264(config)# access managementnetwork <IPv4 address> <subnet mask> snmprw For IPv6 networks, use: RS G8264(config)# access managementnetwork6 <IPv6 address> <IPv6 prefix length> snmpro ‐and‐ RS G8264(config)# access managementnetwork6 <IPv6 address> <IPv6 prefix length> snmprw Note: Subnets allowed for SNMP read‐only access must not overlap with subnets allowed for SNMP read‐write access. For more information on SNMP usage and configuration, see Chapter 41, “Simple Network Management Protocol.” © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 44: Bootp/Dhcp Client Ip Address Services
BOOTP/DHCP Client IP Address Services For remote switch administration, the client terminal device must have a valid IP address on the same network as a switch interface. The IP address on the client device may be configured manually, or obtained automatically using IPv6 stateless address configuration, or an IPv4 address may obtained automatically via BOOTP or DHCP relay as discussed in the next section. The G8264 can function as a relay agent for Bootstrap Protocol (BOOTP) or DHCP. This allows clients to be assigned an IPv4 address for a finite lease period, reassigning freed addresses later to other clients. Acting as a relay agent, the switch can forward a client’s IPv4 address request to up to five BOOTP/DHCP servers. In addition to the five global BOOTP/DHCP servers, up to five domain‐specific BOOTP/DHCP servers can be configured for each of up to 10 VLANs. When a switch receives a BOOTP/DHCP request from a client seeking an IPv4 address, the switch acts as a proxy for the client. The request is forwarded as a UDP Unicast MAC layer message to the BOOTP/DHCP servers configured for the client’s VLAN, or to the global BOOTP/DHCP servers if no domain‐specific BOOTP/DHCP servers are configured for the client’s VLAN. The servers respond to the switch with a Unicast reply that contains the IPv4 default gateway and the IPv4 address for the client. The switch then forwards this reply back to the client. DHCP is described in RFC 2131, and the DHCP relay agent supported on the G8264 is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. BOOTP and DHCP relay are collectively configured using the BOOTP commands and menus on the G8264. DHCP Host Name Configuration The G8264 supports DHCP host name configuration as described in RFC 2132, option 12. DHCP host name configuration is enabled by default. Host name can be manually configured using the following command: RS G8264(config)# hostname <name> If the host name is manually configured, the switch does not replace it with the ...
Page 45: Dhcp Syslog Server
Global BOOTP Relay Agent Configuration To enable the G8264 to be a BOOTP (or DHCP) forwarder, enable the BOOTP relay feature, configure up to four global BOOTP server IPv4 addresses on the switch, and enable BOOTP relay on the interface(s) on which the client requests are expected. Generally, it is best to configure BOOTP for the switch IP interface that is closest to the client, so that the BOOTP server knows from which IPv4 subnet the newly allocated IPv4 address will come. In the G8264 implementation, there are no primary or secondary BOOTP servers. The client request is forwarded to all the global BOOTP servers configured on the switch (if no domain‐specific servers are configured). The use of multiple servers provides failover redundancy. However, no health checking is supported. 1. Use the following commands to configure global BOOTP relay servers: RS G8264(config)# ip bootprelay enable RS G8264(config)# ip bootprelay server <1‐5> address <IPv4 address> 2. Enable BOOTP relay on the appropriate IP interfaces. BOOTP/DHCP Relay functionality may be assigned on a per‐interface basis using the following commands: RS G8264(config)# interface ip <interface number> RS G8264(configipif)# relay RS G8264(configipif)# exit © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 46: Domain-Specific Bootp Relay Agent Configuration
Domain-Specific BOOTP Relay Agent Configuration Use the following commands to configure up to five domain‐specific BOOTP relay agents for each of up to 10 VLANs: RS G8264(config)# ip bootprelay bcastdomain <1‐10> vlan <VLAN number> RS G8264(config)# ip bootprelay bcastdomain <1‐10> server <1‐5> address <IPv4 address> RS G8264(config)# ip bootprelay bcastdomain <1‐10> enable As with global relay agent servers, domain‐specific BOOTP/DHCP functionality may be assigned on a per‐interface basis (see Step 2 in page 45). DHCP Option 82 DHCP Option 82 provides a mechanism for generating IP addresses based on the client device’s location in the network. When you enable the DHCP relay agent option on the switch, it inserts the relay agent information option 82 in the packet, and sends a unicast BOOTP request packet to the DHCP server. The DHCP server uses the option 82 field to assign an IP address, and sends the packet, with the original option 82 field included, back to the relay agent. DHCP relay agent strips off the option 82 field in the packet and sends the packet to the DHCP client. Configuration of this feature is optional. The feature helps resolve several issues where untrusted hosts access the network. See RFC 3046 for details. Use the following commands to configure DHCP Option 82: RS G8264(config)# ip bootprelay information enable (Enable Option 82) RS G8264(config)# ip bootprelay enable (Enable DHCP relay) RS G8264(config)# ip bootprelay server <1‐5> address <IP address> DHCP Snooping DHCP snooping provides security by filtering untrusted DHCP packets and by building and maintaining a DHCP snooping binding table. This feature is ...
Page 47 Following is an example of DHCP snooping configuration, where the DHCP server and client are in VLAN 100, and the server connects using port 24. RS G8264(config)# ip dhcp snooping vlan 100 RS G8264(config)# ip dhcp snooping RS G8264(config)# interface port 24 RS G8264(configif)# ip dhcp snooping trust(Optional; Set port as trusted) RS G8264(configif)# ip dhcp snooping information optioninsert (Optional; add DHCP option 82) RS G8264(configif)# ip dhcp snooping limit rate 100 (Optional; Set DHCP packet rate) © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 48: Easy Connect Wizard
Easy Connect Wizard Lenovo EasyConnect (EZC) is a feature designed to simplify switch configuration. A set of predefined configurations can be applied on the switch via ISCLI. By launching the EZC Wizard, you are prompted for a minimal set of input and the tool automatically customizes the switch software. The EZC Wizard allows you to choose one of the following configuration modes: Basic System mode supports settings for hostname, static management port IP,  netmask, and gateway.  Transparent mode collects server and uplink port settings. vNIC groups are used to define the loop free domains. Note: You can either accept the static defaults or enter a different port list for uplink and/or server ports.  Redundant mode refers to VLAG settings. The EZC configuration will be applied immediately. Any existing configuration will be deleted, the current active or running configuration will not be merged or appended to the EZC configuration. For any custom settings that are not included in the predefined configuration sets, the user has to do it manually. Notes:  EZC is not available in stacking mode.  To support scripting, the feature also has a single‐line format. For more information, please refer to Lenovo Networking ISCLI Reference Guide. Configuring the Easy Connect Wizard To launch the EZC Wizard, use the following command: RS G8264# easyconnect The wizard displays the available predefined configuration modes. You are prompted to select one of the following options: ...
Page 49: Basic System Mode Configuration Example
Gateway: 10.241.13.1 Confirm erasing current config to reconfigure Easy Connect (yes/no)? Note: You can either accept the default values or enter new parameters. Transparent Mode Configuration Example This example shows the parameters available for configuration in Transparent mode: RS G8264# #easyconnect Configure Transparent mode (yes/no)? y Select Uplink Ports (Static Defaults: 1724)? The following Uplink ports will be enabled: Uplink ports(1G/10G): 1724 Select Server Ports (Static Defaults: 2564)? The following Server ports will be enabled: Server ports(1G/10G): 2564 Pending switch configuration: Uplink Ports: 1724 Server Ports: 2564 Disabled Ports: 1,5,9,13 Confirm erasing current config to reconfigure Easy Connect (yes/no)? Notes:  If your selection for a port group contains ports of different mode or speed, the selection is not valid and you are guided to either select other ports or change the speed of the ports. You can either accept the static defaults or enter a different port list for uplink  and/or server ports. © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 50: Redundant Mode Configuration Example
Redundant Mode Configuration Example This example shows the parameters available for configuration in Redundant mode: RS G8264# #easyconnect Configure Switch Redundant mode (yes/no)? y Note: It is recommended to select Basic system configuration in order to set the management IP address used for vLAG health check. Configure Basic system (yes/no)? y Configure this switch as vLAG Primary or Secondary Peer (primary/secondary)? prim Select ISL Ports (Static Defaults: 116)? The following ISL ports will be enabled: ISL ports(40G) : 116 Select vLAG TierID (Default: 101)? Select management IP address (Current: 192.168.49.50)? Enter management netmask (Current: 255.255.255.0)? Select Peer IP address for vLAG healthcheck (Default: 1.1.1.2)? Warning: vLAG healthcheck Peer IP is not reachable. Do you want to select another Peer IP (yes/no)? y Select Peer IP address for vLAG healthcheck (Default: 1.1.1.2)? Warning: vLAG healthcheck Peer IP is not reachable. Do you want to select another Peer IP (yes/no)? n Select Uplink Ports (Static Defaults: 1724)? The following Uplink ports will be enabled: Uplink ports(1G/10G): 1724 Select Downlink Ports (Static Defaults: 2564)? The following Downlink ports will be enabled: Downlink ports(1G/10G): 2564 G8264 Application Guide for ENOS 8.4...
Page 51 Please enter "none" for no hostname. Enter hostname(Default: Primary VLAG)? Please enter "none" for no gateway. Enter management gateway:(Default: 0.0.0.0)? Pending switch configuration: vLAG switch type: Primary ISL Ports: 116 vLAG TierID: 101 vLAG Peer IP: 1.1.1.2 Uplink Ports: 1724 Downlink Ports: 2564 Disabled Ports: empty Hostname: Primary VLAG Management interface: IP: 192.168.49.50 Netmask: 255.255.255.0 Gateway: 0.0.0.0 Confirm erasing current config to reconfigure Easy Connect (yes/no)? Notes:  If your selection for a port group contains ports of different speed, the selection is not valid, and you are guided to either select other ports or change the speed of the ports.  All unused port are configured as shut down in the configuration dump.  You can either accept the static defaults or enter a different port list for ISL, uplink, and/or downlink ports. © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 52: Switch Login Levels
Switch Login Levels To enable better switch management and user accountability, three levels or classes of user access have been implemented on the G8264. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:  User interaction with the switch is completely passive—nothing can be changed on the G8264. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.  Operators can only effect temporary changes on the G8264. These changes will be lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation.  Administrators are the only ones that may make permanent changes to the switch configuration—changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the G8264. Because administrators can also make temporary (operator‐level) changes as well, they must be aware of the interactions between temporary and permanent changes. Access to switch functions is controlled through the use of unique user names and passwords. Once you are connected to the switch via console, remote Telnet, or SSH, you are prompted to enter a password. The default user names/password for each access level are listed in the following table. Note: It is recommended that you change the default switch passwords after initial configuration and as regularly as required under your network security policies. Table 2. User Access Levels ‐ Default Settings User Password Description and Tasks Performed Status Account user...
Page 53 Note: Access to each user level (except admin account) can be disabled by setting the password to an empty value. To disable admin account, use the command no access user administratorenable. The Admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege. © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 54: Administrator Password Recovery
Administrator Password Recovery You can follow these steps to reset the password of the admin user to the default value: Note: Password recovery process involves reloading the switch. Make sure to save any recent switch configuration changes before performing these steps. 1. Connect to the switch using the console port. 2. Reload the switch. 3. When the system displays Memory Test, press <Shift + B>. The Boot Management menu appears: **** System Reset from boot iscli **** Disable the Transceivers ... Unmount the File System ... Unmounting filesystem Wait for umount to finish.Done Waiting for I2C Transactions to Finish ... UBoot 2009.06 (Aug 21 2015 12:35:27) MPC83XX Reset Status: CPU: e300c4, MPC8378A, Rev: 2.1 at 792 MHz, CSB: 396 MHz Board: Networking OS RackSwitch G8052 I2C: ready DRAM: 1 GB Memory Test ..4. Select C Change configuration block from the Boot menu by pressing C. Then press f: Boot Menu Mode Platform: Rack Switch G8052 (version 0.0.0.1) FLASH: 256 MB PCIE0: Link Boot Management Menu I Change booting image C Change configuration block R Boot in recovery mode (xmodem download of images to recover ...
Page 55 Switch>ena Enable privilege granted. Switch#configure terminal Enter configuration commands, one per line. End with Ctrl/Z. Switch(config)#copy activeconfig runningconfig adminpwbypass Loading to current configuration. 8. Use the show run command to confirm the configuration is recovered. Set the new admin and enable passwords. Save the running configuration to startup configuration. Switch(config)#password Changing admin password; validation required: Enter current local admin password: Enter new admin password (max 64 characters): Reenter new admin password: New admin password accepted. Password changed and applied, but not saved. Notifying administrator to save changes. Switch(config)#enable password ? WORD The UNENCRYPTED (cleartext) 'enable' password Switch(config)#enable password admin1 Switch(config)#copy runningconfig startupconfig Confirm saving to FLASH (y/n) ? y Copy running configuration to startup configuration Switch is currently set to use factory default config block on next boot. Do you want to change that to the active config block (y/n) ? y Next boot will use active config block. 9. Make sure the boot configuration‐block is active by using the show boot configurationblock command. If it’s not active, change the boot configuration‐block by executing the following command: Switch(config)#boot configurationblock active © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 56: Setup Vs. The Command Line
Setup vs. the Command Line Once the administrator password is verified, you are given complete access to the switch. If the switch is still set to its factory default configuration, you will need to run Setup (see Chapter 2, “Initial Setup”), a utility designed to help you through the first‐time configuration process. If the switch has already been configured, the command line is displayed instead. G8264 Application Guide for ENOS 8.4...
Page 57: Idle Disconnect
Idle Disconnect By default, the switch will disconnect your Telnet session after 10 minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 0 to 60 minutes, where 0 means the session will never timeout. Use the following command to set the idle timeout value: RS G8264(config)# system idle <0‐60> © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 58: Boot Strict Mode
Boot Strict Mode The implementations specified in this section are compliant with National Institute of Standards and Technology (NIST) Special Publication (SP) 800‐131A. The RackSwitch G8264 can operate in two boot modes:  Compatibility mode (default): This is the default switch boot mode. This mode may use algorithms and key lengths that may not be allowed/acceptable by NIST SP 800‐131A specification. This mode is useful in maintaining compatibility with previous releases and in environments that have lesser data security requirements.  Strict mode: Encryption algorithms, protocols, and key lengths in strict mode are compliant with NIST SP 800‐131A specification. When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch. Before enabling strict mode, ensure the following:  The software version on all connected switches is Enterprise NOS 8.4. The supported protocol versions and cryptographic cipher suites between  clients and servers are compatible. For example: if using SSH to connect to the switch, ensure that the SSH client supports SSHv2 and a strong cipher suite that is compliant with the NIST standard.  Compliant Web server certificate is installed on the switch, if using BBI. A new self‐signed certificate is generated for the switch  (RS G8264(config)# access https generatecertificate). The new certificate is generated using 2048‐bit RSA key and SHA‐256 digest.  Protocols that are not NIST SP 800‐131A compliant must be disabled or not used.  Only SSHv2 or higher is used.  The current configuration, if any, is saved in a location external to the switch. ...
Page 59 RADIUS does not comply with Acceptable NIST SP 800‐131A specification. When in strict mode, RADIUS is dis‐ abled. However, it can be enabled, if required. Random Number NIST SP 800‐90A AES CTR DRBG NIST SP 800‐90A AES CTR Generator DRBG Secure NTP Secure NTP does not comply with Acceptable NIST SP 800‐131A specification. When in strict mode, secure NTP is disabled. However, it can be enabled, if required. SHA‐256 or higher RSA/DSA 2048 or higher SNMP SNMPv3 only SNMPv1, SNMPv2, SNMPv3 AES‐128‐CFB‐128/SHA1 DES/MD5, AES‐128‐CFB‐128/SHA1 Note: Following algorithms are acceptable if you choose to support old SNMPv3 factory default users: AES‐128‐CFB/SHA1 DES/MD5 AES‐128‐CFB‐128/SHA1 © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 60 Table 3. Acceptable Protocols and Algorithms (continued) Protocol/Function Strict Mode Algorithm Compatibility Mode Algorithm SSH/SFTP Host Key SSH‐RSA SSH‐RSA Key Exchange ECDH‐SHA2‐NISTP521 ECDH‐SHA2‐NISTP521 ECDH‐SHA2‐NISTP384 ECDH‐SHA2‐NISTP384 ECDH‐SHA2‐NISTP256 ECDH‐SHA2‐NISTP256 ECDH‐SHA2‐NISTP224 ECDH‐SHA2‐NISTP224 RSA2048‐SHA256 ECDH‐SHA2‐NISTP192 DIFFIE‐HELLMAN‐GROUP‐EXCH RSA2048‐SHA256 ANGE‐SHA256 RSA1024‐SHA1 DIFFIE‐HELLMAN‐GROUP‐EXCH DIFFIE‐HELLMAN‐GROUP‐EX ANGE‐SHA1 CHANGE‐SHA256 DIFFIE‐HELLMAN‐GROUP‐EX CHANGE‐SHA1 DIFFIE‐HELLMAN‐GROUP14‐S DIFFIE‐HELLMAN‐GROUP1‐S Encryption AES128‐CTR AES128‐CTR AES128‐CBC AES128‐CBC 3DES‐CBC...
Page 61: Acceptable Cipher Suites
AES_128_ SHA1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC012 ECDHE 3DES SHA1 SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0033 AES128_ SHA1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0067 AES_128_ SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0016 3DES SHA1 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x002F AES_128_ SHA1 TLS_RSA_WITH_AES_128_CBC_SHA 0x003C AES_128_ SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 0x000A 3DES SHA1 SSL_RSA_WITH_3DES_EDE_CBC_SHA © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 62: Configuring Strict Mode
Configuring Strict Mode To change the switch mode to boot strict mode, use the following command: RS G8264(config)# [no] boot strict enable When strict mode is enabled, you will see the following message: Warning, security strict mode limits the cryptographic algorithms used by secure protocols on this switch. Please see the documentation for full details, and verify that peer devices support acceptable algorithms before enabling this mode. The mode change will take effect after reloading the switch and the configuration will be wiped during the reload. System will enter security strict mode with default factory configuration at next boot up. Do you want SNMPV3 support old default users in strict mode (y/n)? For SNMPv3 default users, see “SNMP Version 3” on page 642. When strict mode is disabled, the following message is displayed: Warning, disabling security strict mode. The mode change will take effect after reloading the switch. You must reboot the switch for the boot strict mode enable/disable to take effect. Configuring No-Prompt Mode If you expect to administer the switch using SNSC or another browser‐based interface, you need to turn off confirmation prompts. To accomplish this, use the command: RS G8264(config)# [no] terminal dontask In no‐prompt mode, confirmation prompts are disabled for this and future sessions. SSL/TLS Version Limitation Each of the following successive encryption protocol versions provide more security and less compatibility: SSLv3, TLS1.0, TLS1.1, TLS1.2. When negotiating the encryption protocol during the SSL handshake, the switch will accept, by default, the latest (and most secure) protocol version supported by the client equipment. To enforce a minimal level of security acceptable for the connections, use the following command: RS G8264(config)# ssl minimumversion {ssl|tls10|tls11|tls12} Limitations In Enterprise NOS 8.4, consider the following limitation/restrictions if you need to ...
Page 63  Power ITEs and High‐Availability features do not comply with NIST SP 800‐131A specification.  The G8264 will not discover Platform agents/Common agents that are not in strict mode. Web browsers that do not use TLS 1.2 cannot be used.   Limited functions of the switch managing Windows will be available. © Copyright Lenovo 2016 Chapter 1: Switch Administration...
Page 64: Scripting
Scripting You can create and execute local Python script on switches to create small programs that allow the switch to automatically provision itself, perform fault monitoring, upgrade the image files, or auto‐generate configuration file. You can use local scripts as a key part of your auto‐provisioning solutions. You can also manage scripts on the Lenovo RackSwitch G8264. You can implement version control systems, automatically generate alerts, create custom logging tools, and automate management of network devices. Using Python scripts, you can perform many functions that can be performed through the CLI. In addition to configuration, you can notify users by sending email or updating the SYSLOG. See the Lenovo Enterprise Network Operating System Python Programming Guide for the Lenovo RackSwitch G8264 for details on how to create and execute Python scripts. G8264 Application Guide for ENOS 8.4...
Page 65: Chapter 2. Initial Setup
Chapter 2. Initial Setup To help with the initial process of configuring your switch, the Lenovo Enterprise Network Operating System software includes a Setup utility. The Setup utility prompts you step‐by‐step to enter all the necessary information for basic configuration of the switch. Setup can be activated manually from the command line interface any time after login. © Copyright Lenovo 2016...
Page 66: Information Needed For Setup
Information Needed for Setup Setup requests the following information:  Basic system information Date & time  Whether to use Spanning Tree Group or not   Optional configuration for each port Speed, duplex, flow control, and negotiation mode (as appropriate)  Whether to use VLAN trunk mode/tagging or not (as appropriate)  Optional configuration for each VLAN  Name of VLAN  Which ports are included in the VLAN   Optional configuration of IP parameters IP address/mask and VLAN for each IP interface  IP addresses for default gateway  Whether IP forwarding is enabled or not  G8264 Application Guide for ENOS 8.4...
Page 67: Default Setup Options
Default Setup Options You need to run the Setup utility to change the factory default settings. To accomplish this: 1. Connect to the switch. After connecting, the login prompt appears. Enter Password: 2. Enter admin as the default administrator password. 3. Start the Setup utility: RS G8264# setup Follow the instructions provided by the Setup utility. © Copyright Lenovo 2016 Chapter 2: Initial Setup...
Page 68: Setting The Management Interface Default Ip Address
Setting the Management Interface Default IP Address To facilitate switch boot up, the in‐band and out‐of‐band management interfaces are configured with factory default IP addresses. These are as follows:  VLAN 1/ Interface 1: 192.168.49.50/24 Out‐of‐band Management Port 1: 192.168.50.50/24  If you configure static IP addresses or if DHCP/BOOTP addresses are assigned to these interfaces, the factory default IP addresses will not be applied. By default, DHCP and BOOTP are enabled on the management interfaces. If you add interface 1 to another VLAN and do not configure any IP address, the factory default IP address will be automatically assigned to the interface. We recommend that you disable the factory default IP address configuration after the switch boot up and configuration is complete. Use the following command: RS G8264(config)# no system default-ip [data|mgt] G8264 Application Guide for ENOS 8.4...
Page 69: Stopping And Restarting Setup Manually
Stopping and Restarting Setup Manually Follow these instructions to manually stop and start the Setup utility. Stopping Setup To abort the Setup utility, press <Ctrl‐C> during any Setup question. When you abort Setup, the system will prompt: Would you like to run from top again? [y/n] Enter n to abort Setup, or y to restart the Setup program at the beginning. Restarting Setup You can restart the Setup utility manually at any time by entering the following command at the administrator prompt: RS G8264(config)# setup © Copyright Lenovo 2016 Chapter 2: Initial Setup...
Page 70: Setup Part 1: Basic System Configuration
Setup Part 1: Basic System Configuration When Setup is started, the system prompts: "Set Up" will walk you through the configuration of System Date and Time, Spanning Tree, Port Speed/Mode, VLANs, and IP interfaces. [type CtrlC to abort "Set Up"] 1. Enter y if you will be configuring VLANs. Otherwise enter n. If you decide not to configure VLANs during this session, you can configure them later using the configuration menus, or by restarting the Setup facility. For more information on configuring VLANs, see the Lenovo Enterprise Network Operating System Application Guide. Next, the Setup utility prompts you to input basic system information. 2. Enter the year of the current date at the prompt: System Date: Enter year [2009]: Enter the four‐digits that represent the year. To keep the current year, press <Enter>. 3. Enter the month of the current system date at the prompt: System Date: Enter month [1]: Enter the month as a number from 1 to 12. To keep the current month, press <Enter>. 4. Enter the day of the current date at the prompt: Enter day [3]: Enter the date as a number from 1 to 31. To keep the current day, press <Enter>. The system displays the date and time settings: System clock set to 18:55:36 Wed Jan 28, 2009. 5. Enter the hour of the current system time at the prompt: System Time: Enter hour in 24hour format [18]: Enter the hour as a number from 00 to 23. To keep the current hour, press <Enter>.
Page 71 Enter the minute as a number from 00 to 59. To keep the current minute, press <Enter>. 7. Enter the seconds of the current time at the prompt: Enter seconds [37]: Enter the seconds as a number from 00 to 59. To keep the current second, press <Enter>. The system then displays the date and time settings: System clock set to 8:55:36 Wed Jan 28, 2009. 8. Turn Spanning Tree Protocol on or off at the prompt: Spanning Tree: Current Spanning Tree Group 1 setting: ON Turn Spanning Tree Group 1 OFF? [y/n] Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on. © Copyright Lenovo 2016 Chapter 2: Initial Setup...
Page 72: Setup Part 2: Port Configuration
Setup Part 2: Port Configuration Note: When configuring port options for your switch, some prompts and options may be different. 1. Select whether you will configure VLANs and VLAN trunk mode/tagging for ports: Port Config: Will you configure VLANs and VLAN Tagging/TrunkMode for ports? [y/n] If you wish to change settings for VLANs, enter y, or enter n to skip VLAN configuration. Note: The sample screens that appear in this document might differ slightly from the screens displayed by your system. Screen content varies based on the firmware versions and options that are installed. 2. Select the port to configure, or skip port configuration at the prompt: If you wish to change settings for individual ports, enter the number of the port you wish to configure. To skip port configuration, press <Enter> without specifying any port and go to “Setup Part 3: VLANs” on page 74. 3. Configure Gigabit Ethernet port flow parameters. The system prompts: Gig Link Configuration: Port Flow Control: Current Port EXT1 flow control setting: both Enter new value ["rx"/"tx"/"both"/"none"]: Enter rx to enable receive flow control, tx for transmit flow control, both to enable both, or none to turn flow control off for the port. To keep the current setting, press <Enter>. 4. Configure Gigabit Ethernet port autonegotiation mode. If you selected a port that has a Gigabit Ethernet connector, the system prompts: Port Auto Negotiation: Current Port autonegotiation: on Enter new value ["on"/"off"]: Enter on to enable port autonegotiation, off to disable it, or press <Enter> to keep ...
Page 73 Enter d to disable VLAN trunk mode/tagging for the port or enter e to enable VLAN tagging for the port. To keep the current setting, press <Enter>. 6. The system prompts you to configure the next port: Enter port (164): When you are through configuring ports, press <Enter> without specifying any port. Otherwise, repeat the steps in this section. © Copyright Lenovo 2016 Chapter 2: Initial Setup...
Page 74: Setup Part 3: Vlans
Setup Part 3: VLANs If you chose to skip VLANs configuration back in Part 2, skip to “Setup Part 4: IP Configuration” on page 1. Select the VLAN to configure, or skip VLAN configuration at the prompt: VLAN Config: Enter VLAN number from 2 to 4094, NULL at end: If you wish to change settings for individual VLANs, enter the number of the VLAN you wish to configure. To skip VLAN configuration, press <Enter> without typing a VLAN number and go to “Setup Part 4: IP Configuration” on page 2. Enter the new VLAN name at the prompt: Current VLAN name: VLAN 2 Enter new VLAN name: Entering a new VLAN name is optional. To use the pending new VLAN name, press <Enter>. 3. Enter the VLAN port numbers: Define Ports in VLAN: Current VLAN 2: empty Enter ports one per line, NULL at end: Enter each port, by port number or port alias, and confirm placement of the port into this VLAN. When you are finished adding ports to this VLAN, press <Enter> without specifying any port. 4. Configure Spanning Tree Group membership for the VLAN: Spanning Tree Group membership: Enter new Spanning Tree Group index [1255]: 5. The system prompts you to configure the next VLAN: VLAN Config: Enter VLAN number from 2 to 4094, NULL at end: Repeat the steps in this section until all VLANs have been configured. When all VLANs have been configured, press <Enter> without specifying any VLAN. G8264 Application Guide for ENOS 8.4...
Page 75: Setup Part 4: Ip Configuration
Up to 126 IP interfaces can be configured on the RackSwitch G8264 (G8264). The IP address assigned to each IP interface provides the switch with an IP presence on your network. No two IP interfaces can be on the same IP network. The interfaces can be used for connecting to the switch for remote configuration, and for routing between subnets and VLANs (if used). Note: IP interface 128 is reserved for out‐of‐band switch management. 1. Select the IP interface to configure, or skip interface configuration at the prompt: IP Config: IP interfaces: Enter interface number: (1126) If you wish to configure individual IP interfaces, enter the number of the IP interface you wish to configure. To skip IP interface configuration, press <Enter> without typing an interface number and go to “Default Gateways” on page 77. 2. For the specified IP interface, enter the IP address in IPv4 dotted decimal notation: Current IP address: 0.0.0.0 Enter new IP address: To keep the current setting, press <Enter>. 3. At the prompt, enter the IPv4 subnet mask in dotted decimal notation: Current subnet mask: 0.0.0.0 Enter new subnet mask: To keep the current setting, press <Enter>.If configuring VLANs, specify a VLAN for the interface. The following prompt appears if you selected to configure VLANs back in Part 1: Current VLAN: 1 Enter new VLAN [14094]: Enter the number for the VLAN to which the interface belongs, or press <Enter> without specifying a VLAN number to accept the current setting. © Copyright Lenovo 2016 Chapter 2: Initial Setup...
Page 76: Loopback Interfaces
4. At the prompt, enter y to enable the IP interface, or n to leave it disabled: Enable IP interface? [y/n] 5. The system prompts you to configure another interface: Enter interface number: (1126) Repeat the steps in this section until all IP interfaces have been configured. When all interfaces have been configured, press <Enter> without specifying any interface number. Loopback Interfaces A loopback interface provides an IP address, but is not otherwise associated with a physical port or network entity. Essentially, it is a virtual interface that is perceived as being “always available” for higher‐layer protocols to use and advertise to the network, regardless of other connectivity. Loopback interfaces improve switch access, increase reliability, security, and provide greater flexibility in Layer 3 network designs. They can be used for many different purposes, but are most commonly for management IP addresses, router IDs for various protocols, and persistent peer IDs for neighbor relationships. In Enterprise NOS 8.4, loopback interfaces have been expanded for use with routing protocols such as OSPF, PIM, and BGP. Loopback interfaces can also be specified as the source IP address for syslog, SNMP, RADIUS, TACACS+, NTP, and router IDs. Loopback interfaces must be configured before they can be used in other features. Up to five loopback interfaces are currently supported. They can be configured using the following commands: RS G8264(config)# interface loopback <1‐5> RS G8264(configiploopback)# [no] ip address <IPv4 address> <mask> enable RS G8264(configiploopback)# exit Using Loopback Interfaces for Source IP Addresses The switch can use loopback interfaces to set the source IP addresses for a variety of protocols. This assists in server security, as the server for each protocol can be ...
Page 77: Loopback Interface Limitations
Loopback interfaces cannot be assigned to a VLAN. Default Gateways To set up a default gateway: 1. At the prompt, select an IP default gateway for configuration, or skip default gateway configuration: IP default gateways: Enter default gateway number: (14) Enter the number for the IP default gateway to be configured. To skip default gateway configuration, press <Enter> without typing a gateway number and go to “IP Routing” on page 2. At the prompt, enter the IPv4 address for the selected default gateway: Current IP address: 0.0.0.0 Enter new IP address: Enter the IPv4 address in dotted decimal notation, or press <Enter> without specifying an address to accept the current setting. 3. At the prompt, enter y to enable the default gateway, or n to leave it disabled: Enable default gateway? [y/n] 4. The system prompts you to configure another default gateway: Enter default gateway number: (14) Repeat the steps in this section until all default gateways have been configured. When all default gateways have been configured, press <Enter> without specifying any number. IP Routing When IP interfaces are configured for the various IP subnets attached to your switch, IP routing between them can be performed entirely within the switch. This eliminates the need to send inter‐subnet communication to an external router © Copyright Lenovo 2016 Chapter 2: Initial Setup...
Page 78 device. Routing on more complex networks, where subnets may not have a direct presence on the G8264, can be accomplished through configuring static routes or by letting the switch learn routes dynamically. This part of the Setup program prompts you to configure the various routing parameters. At the prompt, enable or disable forwarding for IP Routing: Enable IP forwarding? [y/n] Enter y to enable IP forwarding. To disable IP forwarding, enter n. To keep the current setting, press <Enter>. G8264 Application Guide for ENOS 8.4...
Page 79: Setup Part 5: Final Steps
Setup Part 5: Final Steps 1. When prompted, decide whether to restart Setup or continue: Would you like to run from top again? [y/n] Enter y to restart the Setup utility from the beginning, or n to continue. 2. When prompted, decide whether you wish to review the configuration changes: Review the changes made? [y/n] Enter y to review the changes made during this session of the Setup utility. Enter n to continue without reviewing the changes. We recommend that you review the changes. 3. Next, decide whether to apply the changes at the prompt: Apply the changes? [y/n] Enter y to apply the changes, or n to continue without applying. Changes are normally applied. 4. At the prompt, decide whether to make the changes permanent: Save changes to flash? [y/n] Enter y to save the changes to flash. Enter n to continue without saving the changes. Changes are normally saved at this point. 5. If you do not apply or save the changes, the system prompts whether to abort them: Abort all changes? [y/n] Enter y to discard the changes. Enter n to return to the “Apply the changes?” prompt. Note: After initial configuration is complete, it is recommended that you change the default passwords. © Copyright Lenovo 2016 Chapter 2: Initial Setup...
Page 80: Optional Setup For Telnet Support
Optional Setup for Telnet Support Note: This step is optional. Perform this procedure only if you are planning on connecting to the G8264 through a remote Telnet connection. Telnet is enabled by default. To change the setting, use the following command: RS G8264(config)# no access telnet G8264 Application Guide for ENOS 8.4...
Page 81: Chapter 3. Switch Software Management
Chapter 3. Switch Software Management The switch software image is the executable code running on the G8264. A version of the image comes pre‐installed on the device. As new versions of the image are released, you can upgrade the software running on your switch. To get the latest version of software supported for your G8264, go to the following website: http://www.lenovo.com/support/ To determine the software version currently used on the switch, use the following switch command: RS G8264# show boot The typical upgrade process for the software image consists of the following steps:  Load a new software image and boot image onto an FTP, SFTP or TFTP server on your network. Transfer the new images to your switch.   Specify the new software image as the one which will be loaded into switch memory the next time a switch reset occurs.  Reset the switch. For instructions on the typical upgrade process using the ENOS ISCLI, USB, or BBI, see “Loading New Software to Your Switch” on page CAUTION: Although the typical upgrade process is all that is necessary in most cases, upgrading from (or reverting to) some versions of Lenovo Enterprise Network Operating System requires special steps prior to or after the software installation process. Please be sure to follow all applicable instructions in the release notes document for the specific software release to ensure that your switch continues to operate as expected after installing new software. © Copyright Lenovo 2016...
Page 82: Loading New Software To Your Switch
Loading New Software to Your Switch The G8264 can store up to two different switch software images (called image1 and image2) as well as special boot software (called boot). When you load new software, you must specify where it is placed: either into image1, image2, or boot. For example, if your active image is currently loaded into image1, you would probably load the new image software into image2. This lets you test the new software and reload the original active image (stored in image1), if needed. CAUTION: When you upgrade the switch software image, always load the new boot image and the new software image before you reset the switch. If you do not load a new boot image, your switch might not boot properly (To recover, see “Recovering from a Failed Software Upgrade” on page 88). To load a new software image to your switch, you will need the following:  The image and boot software loaded on an FTP, SFTP or TFTP server on your net‐ work. Note: Be sure to download both the new boot file and the new image file.  The hostname or IP address of the FTP, SFTP or TFTP server Note: The DNS parameters must be configured if specifying hostnames. The name of the new system image.  When the software requirements are met, use one of the following procedures to download the new software to your switch. You can use the ISCLI, USB, or the BBI to download and activate new software. Loading Software via the ISCLI 1. In Privileged EXEC mode, enter the following command: Router# copy {tftp|ftp|sftp} {image1|image2|bootimage} 2.
Page 83 5. The switch will prompt you to confirm your request. Once confirmed, the software will begin loading into the switch. 6. When loading is complete, use the following commands to enter Global Configuration mode to select which software image (image1 or image2) you want to run in switch memory for the next reboot: configure terminal Router# boot image {image1|image2} Router(config)# The system will then verify which image is set to be loaded at the next reset: Next boot will use switch software image1 instead of image2. 7. Reboot the switch to run the new software: reload Router(config)# The system prompts you to confirm your request. Once confirmed, the switch will reboot to use the new software. © Copyright Lenovo 2016 Chapter 3: Switch Software Management...
Page 84: Loading Software Via Bbi
Loading Software via BBI You can use the Browser‐Based Interface to load software onto the G8264. The software image to load can reside in one of the following locations: FTP server   TFTP server SFTP server   Local computer After you log onto the BBI, perform the following steps to load a software image: 1. Click the Configure context tab in the toolbar. 2. In the Navigation Window, select System > Config/Image Control. The Switch Image and Configuration Management page appears. 3. If you are loading software from your computer (HTTP client), skip this step and go to the next. Otherwise, if you are loading software from an FTP, SFTP, or TFTP server, enter the server’s information in the FTP, SFTP, or TFTP Settings section. 4. In the Image Settings section, select the image version you want to replace (Image for Transfer).  If you are loading software from an FTP, SFTP, or TFTP server, enter the file name and click Get Image. If you are loading software from your computer, click Browse.   In the File Upload Dialog, select the file and click OK. Then click Download via Browser. Once the image has loaded, the page refreshes to show the new software. G8264 Application Guide for ENOS 8.4...
Page 85: Updating Software On Vlag Switches
5. Shutdown all ports except the ISL ports and the health check port on Switch 2. Note: Do not save this configuration. 6. Reload Switch 2. Switch 1 will assume the vLAG primary role. Once Switch 2 has rebooted, it will assume its initial role as the secondary vLAG switch. Note: Make sure that Switch 1 is now the vLAG primary switch and Switch 2 is now the vLAG secondary switch. 7. Verify that all the vLAG clients have converged using the following command: RS G8264> show vlag information USB Options You can insert a USB drive into the USB port on the G8264 and use it to work with switch image and configuration files. You can boot the switch using files located on the USB drive, or copy files to and from the USB drive. Note: USB options are not available in stacking mode. To safely remove the USB drive, first use the following command to un‐mount the USB file system: system usbeject Command mode: Global configuration USB Boot USB Boot allows you to boot the switch with a software image file, boot file, or configuration file that resides on a USB drive inserted into the USB port. Use the following command to enable or disable USB Boot: [no] boot usbboot enable © Copyright Lenovo 2016 Chapter 3: Switch Software Management...
Page 86 Command mode: Global configuration When enabled, when the switch is reset/reloaded, it checks the USB port. If a USB drive is inserted into the port, the switch checks the root directory on the USB drive for software and image files. If a valid file is present, the switch loads the file and boots using the file. Note: The following file types are supported: FAT32, NTFS (read‐only), EXT2, and EXT3. The following list describes the valid file names, and describes the switch behavior when it recognizes them. The file names must be exactly as shown, or the switch will not recognize them. RSG8264_Boot.img  The switch replaces the current boot image with the new image, and boots with the new image. RSG8264_OS.img  The switch boots with the new software image. The existing images are not affected. RSG8264_replace1_OS.img  The switch replaces the current software image1 with the new image, and boots with the new image. RSG8264_replace1_OS.img takes precedence over RSG8264_OS.img. RSG8264_replace2_OS.img  The switch replaces the current software image2 with the new image, and boots with the new image. RSG8264_replace2_OS.img takes precedence over RSG8264_OS.img. RSG8264.cfg  The switch boots with the new configuration file. The existing configuration files (active and backup) are not affected. RSG8264_replace.cfg  The switch replaces the active configuration file with the new file, and boots with the new file. This file takes precedence over any other configuration files that may be present on the USB drive. If more than one valid file is present, the switch loads all valid files and boots with them. For example, you may simultaneously load a new boot file, image file, and configuration file from the USB drive. ...
Page 87: Usb Copy
USB Copy If a USB drive is inserted into the USB port, you can copy files from the switch to the USB drive, or from the USB drive to the switch. USB Copy is available only for software image 1 and the active configuration. Copy to USB Use the following command to copy a file from the switch to the USB drive (Privileged EXEC mode): usbcopy tousb <filename> {boot|image1|active|syslog|crashdump} In this example, the active configuration file is copied to a directory on the USB drive: G8264(config)# usbcopy tousb a_folder/myconfig.cfg active Copy from USB Use the following command to copy a file from the USB drive to the switch: usbcopy fromusb <filename> {boot|image1|active} In this example, the active configuration file is copied from a directory on the USB drive: G8264(config)# usbcopy fromusb a_folder/myconfig.cfg active The new file replaces the current file. Note: Do not use two consecutive dot characters ( .. ). Do not use a slash character ( / ) to begin a filename. © Copyright Lenovo 2016 Chapter 3: Switch Software Management...
Page 88: The Boot Management Menu
The Boot Management Menu The Boot Management menu allows you to switch the software image, reset the switch to factory defaults, or to recover from a failed software download. You can interrupt the boot process and enter the Boot Management menu from the serial console port. When the system displays Memory Test, press <Shift B>. The Boot Management menu appears. Resetting the System ... Memory Test ........ Boot Management Menu I Change booting image C Change configuration block R Boot in recovery mode (tftp and xmodem download of images to recover switch) Q Reboot E Exit Please choose your menu option: Current boot image is 1. Enter image to boot: 1 or 2: 2 Booting from image 2 The Boot Management menu allows you to perform the following actions: To change the booting image, press I and follow the screen prompts.   To change the configuration block, press C, and follow the screen prompts. To perform a TFTP/XModem download, press R and follow the screen prompts.   To reboot the switch, press Q. The booting process restarts. To exit the Boot Management menu, press E. The booting process continues.  Recovering from a Failed Software Upgrade Use the following procedure to recover from a failed software upgrade. 1.
Page 89 3. To access the Boot Management menu you must interrupt the boot process from the Console port. Boot the G8264, and when the system begins displaying Memory Test progress (a series of dots), press <Shift B>. The boot managment menu appears: Resetting the System ... Memory Test ........ Boot Management Menu I Change booting image C Change configuration block R Boot in recovery mode (tftp and xmodem download of images to recover switch) Q Reboot E Exit Please choose your menu option: 4. Select R for Boot in recovery mode. The following appears: Entering Rescue Mode. Please select one of the following options: T) Configure networking and tftp download an image X) Use xmodem 1K to serial download an image R) Reboot E) Exit  If you choose option X (Xmodem serial download), go to Step  If you choose option T (TFTP download), go to Step © Copyright Lenovo 2016 Chapter 3: Switch Software Management...
Page 90 5. Xmodem download: When you see the following message, change the Serial Port characteristics to 115200 bps: Change the baud rate to 115200 bps and hit the <ENTER> key before initiating the download. a. Press <Enter> to set the system into download accept mode. When the readiness meter displays (a series of “C” characters), start XModem on your terminal emulator. b. When you see the following message, change the Serial Port characteristics to 9600 bps: Change the baud rate back to 9600 bps, hit the <ESC> key. c. When you see the following prompt, enter the image number where you want to install the new software and press <Enter>: Install image as image 1 or 2 (hit return to just boot image): 1 d. The following message is displayed when the image download is complete. Continue to step 7. Entering Rescue Mode. Please select one of the following options: T) Configure networking and tftp download an image X) Use xmodem 1K to serial download an image R) Reboot E) Exit Option?: G8264 Application Guide for ENOS 8.4...
Page 91: Recovering From A Failed Boot Image
T) Configure networking and tftp download an image X) Use xmodem 1K to serial download an image R) Reboot E) Exit 7. Image recovery is complete. Perform one of the following steps:  Press r to reboot the switch. Press e to exit the Boot Management menu   Press the Escape key (<Esc>) to re‐display the Boot Management menu. Recovering from a Failed Boot Image Use the following procedure to recover from a failed boot image upgrade. 1. Connect a PC to the serial port of the switch. 2. Open a terminal emulator program that supports Xmodem download (for example, HyperTerminal, CRT, PuTTY) and select the following serial port characteristics:  Speed: 9600 bps  Data Bits: 8  Stop Bits: 1 © Copyright Lenovo 2016 Chapter 3: Switch Software Management...
Page 92  Parity: None  Flow Control: None 3. Boot the switch and access the Boot Management menu by pressing <Shift B> while the Memory Test is in progress and the dots are being displayed. 4. Select X for Xmodem download. The following appears: Perform xmodem download To download an image use 1K Xmodem at 115200 bps. 5. When you see the following message, change the Serial Port characteristics to 115200 bps: Change the baud rate to 115200 bps and hit the <ENTER> key before initiating the download. a. Press <Enter> to set the system into download accept mode. When the readiness meter displays (a series of “C” characters), start Xmodem on your terminal emulator.You will see a display similar to the following: Extracting images ... Do *NOT* power cycle the switch. **** RAMDISK **** UnProtected 38 sectors Erasing Flash......... done Erased 38 sectors Writing to Flash...9..8..7..6..5..4..3..2..1..done Protected 38 sectors **** KERNEL **** UnProtected 24 sectors Erasing Flash...... done Erased 24 sectors Writing to Flash...9..8..7..6..5..4..3..2..1..b. When you see the following message, change the Serial Port characteristics to 9600 bps: Change the baud rate back to 9600 bps, hit the <ESC> key. Boot image recovery is complete. G8264 Application Guide for ENOS 8.4...
Page 94 G8264 Application Guide for ENOS 8.4...
Page 95: Chapter 4. Securing Administration
Chapter 4. Securing Administration Secure switch management is needed for environments that perform significant management functions across the Internet. Common functions for secured management are described in the following sections:  “Secure Shell and Secure Copy” on page 96  “End User Access Control” on page 101 Note: SNMP read and write functions are enabled by default. For best security practices, if SNMP is not needed for your network, it is recommended that you disable these functions prior to connecting the switch to the network (see Chapter 41, “Simple Network Management Protocol). © Copyright Lenovo 2016...
Page 96: Secure Shell And Secure Copy
Identifying the administrator using Name/Password  Authentication of remote administrators  Authorization of remote administrators  Determining the permitted actions and customizing service for individual administrators  Encryption of management messages Encrypting messages between the remote administrator and switch   Secure copy support Lenovo Enterprise Network Operating System implements the SSH version 2.0 standard and is confirmed to work with SSH version 2.0‐compliant clients such as the following:  OpenSSH_5.4p1 for Linux  Secure CRT Version 5.0.2 (build 1021)  Putty SSH release 0.60 Configuring SSH/SCP Features on the Switch SSH and SCP features are disabled by default. To change the SSH/SCP settings, using the following procedures. Note: To use SCP, you must first enable SSH. To Enable or Disable the SSH Feature Begin a Telnet session from the console port and enter the following command:...
Page 97: To Enable Or Disable Scp Apply And Save
Using SSH and SCP Client Commands This section shows the format for using some client commands. The following examples use 205.178.15.157 as the IP address of a sample switch. To Log Into the Switch Syntax: >> ssh [4|6] <switch IP address> ‐or‐ >> ssh [4|6] <login name>@<switch IP address> Note: The 4 option (the default) specifies that an IPv4 switch address will be used. The 6 option specifies IPv6. Example: >> ssh scpadmin@205.178.15.157 To Copy the Switch Configuration File to the SCP Host Syntax: >> scp [4|6] <username>@<switch IP address>:getcfg <local filename> Example: >> scp scpadmin@205.178.15.157:getcfg ad4.cfg © Copyright Lenovo 2016 Chapter 4: Securing Administration...
Page 98: To Load A Switch Configuration File From The Scp Host
To Load a Switch Configuration File from the SCP Host Syntax: >> scp [4|6] <local filename> <username>@<switch IP address>:putcfg Example: >> scp ad4.cfg scpadmin@205.178.15.157:putcfg To Apply and Save the Configuration When loading a configuration file to the switch, the apply and save commands are still required for the configuration commands to take effect. The apply and save commands may be entered manually on the switch, or by using SCP commands. Syntax: >> scp [4|6] <local filename> <username>@<switch IP address>:putcfg_apply >> scp [4|6] <local filename> <username>@<switch IP address>:putcfg_apply_save Example: >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply_save  The CLI diff command is automatically executed at the end of putcfg to notify the remote client of the difference between the new and the current configurations. putcfg_apply runs the apply command after the putcfg is done.  putcfg_apply_save saves the new configuration to the flash after  putcfg_apply is done.  The putcfg_apply and putcfg_apply_save commands are provided ...
Page 99: To Load Switch Configuration Files From The Scp Host
 User Authentication: Local password authentication, RADIUS Generating RSA Host Key for SSH Access To support the SSH host feature, an RSA host key is required. The host key is 2048 bits and is used to identify the G8264. To configure RSA host key, first connect to the G8264 through the console port (commands are not available via external Telnet connection), and enter the following command to generate it manually. RS G8264(config)# ssh generatehostkey When the switch reboots, it will retrieve the host key from the FLASH memory. Note: The switch will perform only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be able to log in if the switch is performing key generation at that time. Also, key generation will fail if an SSH/SCP client is logging in at that time. SSH/SCP Integration with Radius Authentication SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified RADIUS servers for authentication. The redirection is transparent to the SSH clients. © Copyright Lenovo 2016 Chapter 4: Securing Administration...
Page 100: Ssh/Scp Integration With Tacacs+ Authentication
SSH/SCP Integration with TACACS+ Authentication SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified TACACS+ servers for authentication. The redirection is transparent to the SSH clients. G8264 Application Guide for ENOS 8.4...
Page 101: End User Access Control
 override the user password on the G8264. Also note that the password change command only modifies only the user password on the switch and has no effect on the user password on the Radius server. Radius authentication and user password cannot be used concurrently to access the switch.  Passwords for end users can be up to 128 characters in length for TACACS, RADIUS, Telnet, SSH, Console, and Web access. Strong Passwords The administrator can require use of Strong Passwords for users to access the G8264. Strong Passwords enhance security because they make password guessing more difficult. The following rules apply when Strong Passwords are enabled:  Minimum length: 8 characters; maximum length: 64 characters  Must contain at least one uppercase alphabet  Must contain at least one lowercase alphabet  Must contain at least one number  Must contain at least one special character: Supported special characters: ! “ # % & ‘ ( ) ; < = >> ? [\] * + , ‐ . / : ^ _ { | } ~  Cannot be same as the username When strong password is enabled, users can still access the switch using the old password but will be advised to change to a strong password at log‐in. Strong password requirement can be enabled using the following command: RS G8264(config)# access user strongpassword enable © Copyright Lenovo 2016 Chapter 4: Securing Administration...
Page 102: User Access Control
The administrator can choose the number of days allowed before each password expires. When a strong password expires, the user is allowed to log in one last time (last time) to change the password. A warning provides advance notice for users to change the password. User Access Control The end‐user access control commands allow you to configure end‐user accounts. Setting up User IDs Up to 20 user IDs can be configured. Use the following commands to define any user name and set the user password at the resulting prompts: RS G8264(config)# access user 1 name <1‐64 characters> RS G8264(config)# access user 1 password Changing user1 password; validation required: Enter current admin password: <current administrator password> Enter new user1 password: <new user password> Reenter new user1 password: <new user password> New user1 password accepted. Defining a User’s Access Level The end user is by default assigned to the user access level (also known as class of service, or COS). COS for all user accounts have global access to all resources except for User COS, which has access to view only resources that the user owns. For more information, see Table 8 on page 111. To change the user’s level, select one of the following options: RS G8264(config)# access user 1 level {user|operator|administrator} Validating a User’s Configuration show access user uid 1 RS G8264# ...
Page 103: Re-Enabling Locked Accounts
However, the above command cannot be used to re‐enable an account disabled by the administrator. To re‐enable all locked accounts, use the following command: RS G8264(config)# access user strongpassword clear local user lockout Listing Current Users The following command displays defined user accounts and whether or not each user is currently logged into the switch. RS G8264# show access user Usernames: user Enabled offline oper Disabled offline admin Always Enabled online 1 session Current User ID table: 1: name jane , ena, cos user , password valid, online 1 session 2: name john , ena, cos user , password valid, online 2 sessions Logging into an End User Account Once an end user account is configured and enabled, the user can login to the switch using the username/password combination. The level of switch access is determined by the COS established for the end user account. © Copyright Lenovo 2016 Chapter 4: Securing Administration...
Page 104 G8264 Application Guide for ENOS 8.4...
Page 105: Chapter 5. Authentication & Authorization Protocols
Chapter 5. Authentication & Authorization Protocols Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured IPv4 management and device access:  “RADIUS Authentication and Authorization” on page 106  “TACACS+ Authentication” on page 110  “LDAP Authentication and Authorization” on page 114 Note: Lenovo Enterprise Network Operating System 8.4 does not support IPv6 for RADIUS, TACACS+ or LDAP. © Copyright Lenovo 2016...
Page 106: Radius Authentication And Authorization
RADIUS Authentication and Authorization Enterprise NOS supports the RADIUS (Remote Authentication Dial‐in User Service) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back‐end database server. A remote user (the remote administrator) interacts only with the RAS, not the back‐end server and database. RADIUS authentication consists of the following components:  A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866) A centralized server that stores all the user authorization information   A client: in this case, the switch The G8264—acting as the RADIUS client—communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back‐end RADIUS server. How RADIUS Authentication Works The RADIUS authentication process follows these steps: 1. A remote administrator connects to the switch and provides a user name and password. 2. Using Authentication/Authorization protocol, the switch sends request to authentication server. 3. The authentication server checks the request against the user ID database. 4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access. Configuring RADIUS on the Switch Use the following procedure to configure Radius authentication on your switch. ...
Page 107 2. Configure the RADIUS secret. RS G8264(config)# radiusserver primaryhost 10.10.1.1 key <1‐32 character secret> RS G8264(config)# radiusserver secondaryhost 10.10.1.2 key <1‐32 character secret> 3. If desired, you may change the default UDP port number used to listen to RADIUS. The well‐known port for RADIUS is 1812. RS G8264(config)# radiusserver port <UDP port number> 4. Configure the number retry attempts for contacting the RADIUS server, and the timeout period. RS G8264(config)# radiusserver retransmit 3 RS G8264(config)# radiusserver timeout 5 © Copyright Lenovo 2016 Chapter 5: Authentication & Authorization Protocols...
Page 108: Radius Authentication Features In Enterprise Nos
RADIUS Authentication Features in Enterprise NOS ENOS supports the following RADIUS authentication features:  Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.  Allows RADIUS secret password up to 32 bytes and less than 16 octets. Supports secondary authentication server so that when the primary authentication  server is unreachable, the switch can send client authentication requests to the secondary authentication server. Use the following command to show the currently active RADIUS authentication server: RS G8264# show radiusserver  Supports user‐configurable RADIUS server retry and time‐out values: Time‐out value = 1‐10 seconds  Retries = 1‐3  The switch will time out if it does not receive a response from the RADIUS server in 1‐3 retries. The switch will also automatically retry connecting to the RADIUS server before it declares the server down. Supports user‐configurable RADIUS application port. The default is  1812/UDP‐based on RFC 2138. Port 1645 is also supported.  Allows network administrator to define privileges for one or more specific users to access the switch at the RADIUS user database. Switch User Accounts The user accounts listed in Table 6 can be defined in the RADIUS server dictionary file. Table 6.
Page 109: Radius Attributes For Enterprise Nos User Privileges
 Backdoor is enabled: The switch acts like it is connecting via console. Secure backdoor is enabled: You must enter the username: noradius. The switch  checks if RADIUS server is reachable. If it is reachable, then you must authenticate via remote authentication server. Only if RADIUS server is not reachable, you will be prompted for local user/password to be authenticated against these local credentials. All user privileges, other than those assigned to the Administrator, have to be defined in the RADIUS dictionary. RADIUS attribute 6 which is built into all RADIUS servers defines the administrator. The file name of the dictionary is RADIUS vendor‐dependent. The following RADIUS attributes are defined for G8264 user privileges levels: Table 7. Enterprise NOS‐proprietary Attributes for RADIUS User Name/Access User-Service-Type Value User Vendor‐supplied Operator Vendor‐supplied Admin Vendor‐supplied 6 © Copyright Lenovo 2016 Chapter 5: Authentication & Authorization Protocols...
Page 110: Tacacs+ Authentication
TACACS+ Authentication ENOS supports authentication and authorization with networks using the Cisco Systems TACACS+ protocol. The G8264 functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the G8264 either through a data port or management port. TACACS+ offers the following advantages over RADIUS:  TACACS+ uses TCP‐based connection‐oriented transport; whereas RADIUS is UDP‐based. TCP offers a connection‐oriented transport, while UDP offers best‐effort delivery. RADIUS requires additional programmable variables such as re‐transmit attempts and time‐outs to compensate for best‐effort transport, but it lacks the level of built‐in support that a TCP transport offers.  TACACS+ offers full packet encryption whereas RADIUS offers password‐only encryption in authentication requests.  TACACS+ separates authentication, authorization and accounting. How TACACS+ Authentication Works TACACS+ works much in the same way as RADIUS authentication as described on page 106. 1. Remote administrator connects to the switch and provides user name and password. 2. Using Authentication/Authorization protocol, the switch sends request to authentication server. 3. Authentication server checks the request against the user ID database. 4. Using TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access. During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command. ...
Page 111: Tacacs+ Authentication Features In Enterprise Nos
9. Use the following command to set the alternate TACACS+ authorization levels. RS G8264(config)# tacacsserver privilegemapping Table 9. Alternate TACACS+ Authorization Levels ENOS User Access Level TACACS+ level user 0 ‐ 1 oper 6 ‐ 8 admin 14 ‐ 15 If the remote user is successfully authenticated by the authentication server, the switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has an option to allow secure backdoor access via Telnet/SSH. Secure backdoor provides switch access when the TACACS+ servers cannot be reached. You always can access the switch via the console port, by using notacacs and the administrator password, whether secure backdoor is enabled or not. Note: To obtain the TACACS+ backdoor password for your G8264, contact Technical Support. © Copyright Lenovo 2016 Chapter 5: Authentication & Authorization Protocols...
Page 112: Accounting
Accounting Accounting is the action of recording a userʹs activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization is not performed via TACACS+, there are no TACACS+ accounting messages sent out. You can use TACACS+ to record and track software login access, configuration changes, and interactive commands. The G8264 supports the following TACACS+ accounting attributes:  protocol (console/Telnet/SSH/HTTP/HTTPS)  start_time  stop_time  elapsed_time  disc_cause Note: When using the Browser‐Based Interface, the TACACS+ Accounting Stop records are sent only if the Logout button on the browser is clicked. Command Authorization and Logging When TACACS+ Command Authorization is enabled, ENOS configuration commands are sent to the TACACS+ server for authorization. Use the following command to enable TACACS+ Command Authorization: RS G8264(config)# tacacsserver commandauthorization When TACACS+ Command Logging is enabled, ENOS configuration commands are logged on the TACACS+ server. Use the following command to enable TACACS+ Command Logging: RS G8264(config)# tacacsserver commandlogging The following examples illustrate the format of ENOS commands sent to the TACACS+ server: authorization request, cmd=shell, cmdarg=interface ip accounting request, cmd=shell, cmdarg=interface ip authorization request, cmd=shell, cmdarg=enable accounting request, cmd=shell, cmdarg=enable G8264 Application Guide for ENOS 8.4...
Page 113: Configuring Tacacs+ Authentication On The Switch
Note: You can use a configured loopback address as the source address so the TACACS+ server accepts requests only from the expected loopback address block. Use the following command to specify the loopback interface: RS G8264(config)# ip tacacs sourceinterface loopback <1‐5> 2. Configure the TACACS+ secret and second secret. RS G8264(config)# tacacsserver primaryhost 10.10.1.1 key <1‐32 character secret> RS G8264(config)# tacacsserver secondaryhost 10.10.1.2 key <1‐32 character secret> 3. If desired, you may change the default TCP port number used to listen to TACACS+. The well‐known port for TACACS+ is 49. RS G8264(config)# tacacsserver port <TCP port number> 4. Configure the number of retry attempts, and the timeout period. RS G8264(config)# tacacsserver retransmit 3 RS G8264(config)# tacacsserver timeout 5 © Copyright Lenovo 2016 Chapter 5: Authentication & Authorization Protocols...
Page 114: Ldap Authentication And Authorization
LDAP Authentication and Authorization ENOS supports the LDAP (Lightweight Directory Access Protocol) method to authenticate and authorize remote administrators to manage the switch. LDAP is based on a client/server model. The switch acts as a client to the LDAP server. A remote user (the remote administrator) interacts only with the switch, not the back‐end server and database. LDAP authentication consists of the following components: A protocol with a frame format that utilizes TCP over IP   A centralized server that stores all the user authorization information A client: in this case, the switch  Each entry in the LDAP server is referenced by its Distinguished Name (DN). The DN consists of the user‐account name concatenated with the LDAP domain name. If the user‐account name is John, the following is an example DN: uid=John,ou=people,dc=domain,dc=com Configuring the LDAP Server G8264 user groups and user accounts must reside within the same domain. On the LDAP server, configure the domain to include G8264 user groups and user accounts, as follows: User Accounts:  Use the uid attribute to define each individual user account. If a custom attribute is used to define individual users, it must also be configured on the switch. User Groups:  Use the members attribute in the groupOfNames object class to create the user groups. The first word of the common name for each user group must be equal to the user group names defined in the G8264, as follows: admin  oper  user ...
Page 115 The well‐known port for LDAP is 389. RS G8264(config)# ldapserver port <1‐65000> 4. Configure the number of retry attempts for contacting the LDAP server, and the timeout period. RS G8264(config)# ldapserver retransmit 3 RS G8264(config)# ldapserver timeout 10 5. You may change the default LDAP attribute (uid) or add a custom attribute. For instance, Microsoft’s Active Directory requires the cn attribute. RS G8264(config)# ldapserver attribute username <128 alpha‐numeric characters> © Copyright Lenovo 2016 Chapter 5: Authentication & Authorization Protocols...
Page 116 G8264 Application Guide for ENOS 8.4...
Page 117: Chapter 6. 802.1X Port-Based Network Access Control
Chapter 6. 802.1X Port-Based Network Access Control Port‐Based Network Access control provides a means of authenticating and authorizing devices attached to a LAN port that has point‐to‐point connection characteristics. It prevents access to ports that fail authentication and authorization. This feature provides security to ports of the RackSwitch G8264 (G8264) that connect to blade servers. The following topics are discussed in this section:  “Extensible Authentication Protocol over LAN” on page 118  “EAPoL Authentication Process” on page 119  “EAPoL Port States” on page 121  “Guest VLAN” on page 121  “Supported RADIUS Attributes” on page 122  “EAPoL Configuration Guidelines” on page 124 © Copyright Lenovo 2016...
Page 118: Extensible Authentication Protocol Over Lan
Extensible Authentication Protocol over LAN Lenovo Enterprise Network Operating System can provide user‐level security for its ports using the IEEE 802.1X protocol, which is a more secure alternative to other methods of port‐based network access control. Any device attached to an 802.1X‐enabled port that fails authentication is prevented access to the network and denied services offered through that port. The 802.1X standard describes port‐based network access control using Extensible Authentication Protocol over LAN (EAPoL). EAPoL provides a means of authenticating and authorizing devices attached to a LAN port that has point‐to‐point connection characteristics and of preventing access to that port in cases of authentication and authorization failures. EAPoL is a client‐server protocol that has the following components: Supplicant or Client  The Supplicant is a device that requests network access and provides the required credentials (user name and password) to the Authenticator and the Authenticator Server.  Authenticator The Authenticator enforces authentication and controls access to the network. The Authenticator grants network access based on the information provided by the Supplicant and the response from the Authentication Server. The Authenticator acts as an intermediary between the Supplicant and the Authentication Server: requesting identity information from the client, forwarding that information to the Authentication Server for validation, relaying the server’s responses to the client, and authorizing network access based on the results of the authentication exchange. The G8264 acts as an Authenticator.  Authentication Server The Authentication Server validates the credentials provided by the Supplicant to determine if the Authenticator ought to grant access to the network. The Authentication Server may be co‐located with the Authenticator. The G8264 relies on external RADIUS servers for authentication. Upon a successful authentication of the client by the server, the 802.1X‐controlled port transitions from unauthorized to authorized state, and the client is allowed ...
Page 119: Eapol Authentication Process
802.1x Client Server EAPOL Lenovo Switch RADIUS-EAP Authenticator Ethernet (RADIUS Client) UDP/IP Port Unauthorized EAPOL-Start EAP-Request (Credentials) EAP-Response (Credentials) Radius-Access-Request Radius-Access-Challenge EAP-Request (Credentials) EAP-Response (Credentials) Radius-Access-Request Radius-Access-Accept EAP-Success Port Authorized © Copyright Lenovo 2016 Chapter 6: 802.1X Port-Based Network Access Control...
Page 120: Eapol Message Exchange
EAPoL Message Exchange During authentication, EAPOL messages are exchanged between the client and the G8264 authenticator, while RADIUS‐EAP messages are exchanged between the G8264 authenticator and the RADIUS server. Authentication is initiated by one of the following methods:  The G8264 authenticator sends an EAP‐Request/Identity packet to the client  The client sends an EAPOL‐Start frame to the G8264 authenticator, which responds with an EAP‐Request/Identity frame. The client confirms its identity by sending an EAP‐Response/Identity frame to the G8264 authenticator, which forwards the frame encapsulated in a RADIUS packet to the server. The RADIUS authentication server chooses an EAP‐supported authentication algorithm to verify the client’s identity, and sends an EAP‐Request packet to the client via the G8264 authenticator. The client then replies to the RADIUS server with an EAP‐Response containing its credentials. Upon a successful authentication of the client by the server, the 802.1X‐controlled port transitions from unauthorized to authorized state, and the client is allowed full access to services through the controlled port. When the client later sends an EAPOL‐Logoff message to the G8264 authenticator, the port transitions from authorized to unauthorized state. If a client that does not support 802.1X connects to an 802.1X‐controlled port, the G8264 authenticator requests the clientʹs identity when it detects a change in the operational state of the port. The client does not respond to the request, and the port remains in the unauthorized state. Note: When an 802.1X‐enabled client connects to a port that is not 802.1X‐controlled, the client initiates the authentication process by sending an EAPOL‐Start frame. When no response is received, the client retransmits the request for a fixed number of times. If no response is received, the client assumes the port is in authorized state, and begins sending frames, even if the port is unauthorized. G8264 Application Guide for ENOS 8.4...
Page 121: Eapol Port States
When the client is successfully authenticated, the port transitions to the authorized state allowing all traffic to and from the client to flow normally.  Force Unauthorized You can configure this state that denies all access to the port.  Force Authorized You can configure this state that allows full access to the port. Use the 802.1X global configuration commands (dot1x) to configure 802.1X authentication for all ports in the switch. Use the 802.1X port commands to configure a single port. Guest VLAN The guest VLAN provides limited access to unauthenticated ports. The guest VLAN can be configured using the following commands: dot1x guestvlan ? RS G8264(config)# Client ports that have not received an EAPOL response are placed into the Guest VLAN, if one is configured on the switch. Once the port is authenticated, it is moved from the Guest VLAN to its configured VLAN. When Guest VLAN enabled, the following considerations apply while a port is in the unauthenticated state:  The port is placed in the guest VLAN.  The Port VLAN ID (PVID) is changed to the Guest VLAN ID.  Port tagging is disabled on the port. © Copyright Lenovo 2016 Chapter 6: 802.1X Port-Based Network Access Control...
Page 122: Supported Radius Attributes
Supported RADIUS Attributes The 802.1X Authenticator relies on external RADIUS servers for authentication with EAP. Table 10 lists the RADIUS attributes that are supported as part of RADIUS‐EAP authentication based on the guidelines specified in Annex D of the 802.1X standard and RFC 3580. Table 10. Support for RADIUS Attributes # Attribute Attribute Value A-R A-A A-C A-R 1 User‐Name The value of the Type‐Data field 0‐1 from the supplicant’s EAP‐Response/ Identity message. If the Identity is unknown (for example, Type‐Data field is zero bytes in length), this attribute will have the same value as the Calling‐Station‐Id. 4 NAS‐IP‐Address IPv4 address of the authenticator used for Radius communication. 5 NAS‐Port Port number of the authenticator port to which the supplicant is attached. 24 State Server‐specific value. This is sent ...
Page 123 80 Message‐ Always present whenever an Authenticator EAP‐Message attribute is also included. Used to integrity‐protect a packet. 87 NAS‐Port‐ID Name assigned to the authenticator port, e.g. Server1_Port3 Legend: RADIUS Packet Types: A‐R (Access‐Request), A‐A (Access‐Accept), A‐C (Access‐Challenge), A‐R (Access‐Reject) RADIUS Attribute Support:  This attribute MUST NOT be present in a packet. Zero or more instances of this attribute MAY be present in a packet.   0‐1 Zero or one instance of this attribute MAY be present in a packet. Exactly one instance of this attribute MUST be present in a packet.   One or more of these attributes MUST be present. © Copyright Lenovo 2016 Chapter 6: 802.1X Port-Based Network Access Control...
Page 124: Eapol Configuration Guidelines
EAPoL Configuration Guidelines When configuring EAPoL, consider the following guidelines:  The 802.1X port‐based authentication is currently supported only in point‐to‐point configurations, that is, with a single supplicant connected to an 802.1X‐enabled switch port.  When 802.1X is enabled, a port has to be in the authorized state before any other Layer 2 feature can be operationally enabled. For example, the STG state of a port is operationally disabled while the port is in the unauthorized state.  The 802.1X supplicant capability is not supported. Therefore, none of its ports can successfully connect to an 802.1X‐enabled port of another device, such as another switch, that acts as an authenticator, unless access control on the remote port is disabled or is configured in forced‐authorized mode. For example, if a G8264 is connected to another G8264, and if 802.1X is enabled on both switches, the two connected ports must be configured in force‐authorized mode.  Unsupported 802.1X attributes include Service‐Type, Session‐Timeout, and Termination‐Action.  RADIUS accounting service for 802.1X‐authenticated devices or users is not currently supported.  Configuration changes performed using SNMP and the standard 802.1X MIB will take effect immediately. G8264 Application Guide for ENOS 8.4...
Page 125: Chapter 7. Access Control Lists
Chapter 7. Access Control Lists Access Control Lists (ACLs) are filters that permit or deny traffic for security purposes. They can also be used with QoS to classify and segment traffic to provide different levels of service to different traffic types. Each filter defines the conditions that must match for inclusion in the filter, and also the actions that are performed when a match is made. Lenovo Enterprise Network Operating System 8.4 supports the following ACLs:  IPv4 ACLs Up to 256 ACLs are supported for networks that use IPv4 addressing. IPv4 ACLs are configured using the following ISCLI command path: RS G8264(config)# accesscontrol list <IPv4 ACL number> ? IPv6 ACLs  Up to 128 ACLs are supported for networks that use IPv6 addressing. IPv6 ACLs are configured using the following ISCLI command path: RS G8264(config)# accesscontrol list6 <IPv6 ACL number> ? Note: ACLs are not supported with IPv6 in Stacking mode. VLAN Maps (VMaps)  Up to 128 VLAN Maps are supported for attaching filters to VLANs rather than ports. See “VLAN Maps” on page 136 for details. Management ACLs (MACLs)  Up to 256 MACLs are supported for filtering traffic toward CPU. MACLs are configured using the following ISCLI command path: RS G8264(config)# accesscontrol macl <MACL number> ? © Copyright Lenovo 2016...
Page 126: Summary Of Packet Classifiers
Summary of Packet Classifiers ACLs allow you to classify packets according to a variety of content in the packet header (such as the source address, destination address, source port number, destination port number, and others). Once classified, packet flows can be identified for more processing. IPv4 ACLs, IPv6 ACLs, and VMaps allow you to classify packets based on the following packet attributes: Ethernet header options (for IPv4 ACLs and VMaps only)  Source MAC address  Destination MAC address  VLAN number and mask  Ethernet type (ARP, IP, IPv6, MPLS, RARP, etc.)  Ethernet Priority (the IEEE 802.1p Priority)  IPv4 header options (for IPv4 ACLs and VMaps only)  Source IPv4 address and subnet mask  Destination IPv4 address and subnet mask  Type of Service value  IP protocol number or name as shown in Table  Table 11. Well‐Known Protocol Types Number Protocol Name icmp igmp ospf vrrp IPv6 header options (for IPv6 ACLs only)
Page 127: Summary Of Acl Actions
0x0004 0x0002 0x0001  Packet format (for IPv4 ACLs and VMaps only) Ethernet format (eth2, SNAP, LLC)  Ethernet tagging format  IP format (IPv4, IPv6)   Egress port packets (for all ACLs) Summary of ACL Actions Once classified using ACLs, the identified packet flows can be processed differently. For each ACL, an action can be assigned. The action determines how the switch treats packets that match the classifiers assigned to the ACL. G8264 ACL actions include the following:  Pass or Drop the packet  Redirect the packet Re‐mark the packet with a new DiffServ Code Point (DSCP)   Re‐mark the 802.1p field  Set the COS queue © Copyright Lenovo 2016 Chapter 7: Access Control Lists...
Page 128: Assigning Individual Acls To A Port
Assigning Individual ACLs to a Port Once you configure an ACL, you must assign the ACL to the appropriate ports. Each port can accept multiple ACLs, and each ACL can be applied for multiple ports. ACLs can be assigned individually. To assign an individual ACLs to a port, use the following IP Interface Mode commands: RS G8264(config)# interface port <port> RS G8264(configif)# accesscontrol list <IPv4 ACL number> RS G8264(configif)# accesscontrol list6 <IPv6 ACL number> When multiple ACLs are assigned to a port, higher‐priority ACLs are considered first, and their action takes precedence over lower‐priority ACLs. ACL order of precedence is discussed in the next section. ACL Order of Precedence When multiple ACLs are assigned to a port, they are evaluated in numeric sequence, based on the ACL number. Lower‐numbered ACLs take precedence over higher‐numbered ACLs. For example, ACL 1 (if assigned to the port) is evaluated first and has top priority. If multiple ACLs match the port traffic, only the action of the one with the lowest ACL number is applied. The others are ignored. If no assigned ACL matches the port traffic, no ACL action is applied. ACL Metering and Re-Marking You can define a profile for the aggregate traffic flowing through the G8264 by configuring a QoS meter (if desired) and assigning ACLs to ports. Note: When you add ACLs to a port, make sure they are ordered correctly in terms of precedence (see “ACL Order of Precedence” on page 128).
Page 129: Metering
Metering QoS metering provides different levels of service to data streams through user‐configurable parameters. A meter is used to measure the traffic stream against a traffic profile which you create. Thus, creating meters yields In‐Profile and Out‐of‐Profile traffic for each ACL, as follows:  In‐Profile—If there is no meter configured or if the packet conforms to the meter, the packet is classified as In‐Profile.  Out‐of‐Profile—If a meter is configured and the packet does not conform to the meter (exceeds the committed rate or maximum burst rate of the meter), the packet is classified as Out‐of‐Profile. Using meters, you set a Committed Rate in Kbps (in multiples of 64 Mbps). All traffic within this Committed Rate is in‐profile. Additionally, you can set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period. These parameters define the In‐Profile traffic. Meters keep the sorted packets within certain parameters. You can configure a meter on an ACL, and perform actions on metered traffic, such as packet re‐marking. Re-Marking Re‐marking allows for the treatment of packets to be reset based on new network specifications or desired levels of service. You can configure the ACL to re‐mark a packet as follows:  Change the DSCP value of a packet, used to specify the service level that traffic receives.  Change the 802.1p priority of a packet. © Copyright Lenovo 2016 Chapter 7: Access Control Lists...
Page 130: Acl Port Mirroring
ACL Port Mirroring For IPv4 ACLs and VMaps, packets that match the filter can be mirrored to another switch port for network diagnosis and monitoring. The source port for the mirrored packets cannot be a portchannel, but may be a member of a portchannel. The destination port to which packets are mirrored must be a physical port. The action (permit, drop, etc.) of the ACL or VMap must be configured before assigning it to a port. Use the following commands to add mirroring to an ACL:  For IPv4 ACLs: RS G8264(config)# accesscontrol list <ACL number> mirror port <destination port> The ACL must be also assigned to it target ports as usual (see “Assigning Individual ACLs to a Port” on page 128).  For VMaps (see “VLAN Maps” on page 136): RS G8264(config)# accesscontrol vmap <VMap number> mirror port <monitor destination port> See the configuration example on page 137. Viewing ACL Statistics ACL statistics display how many packets have “hit” (matched) each ACL. Use ACL statistics to check filter performance or to debug the ACL filter configuration. You must enable statistics for each ACL that you wish to monitor: RS G8264(config)# accesscontrol list <ACL number> statistics G8264 Application Guide for ENOS 8.4...
Page 131: Acl Logging
Destination IP address  TCP/UDP port number  ACL action  Number of packets logged  For example: Sep 27 4:20:28 DUT3 NOTICE ACLLOG: %IP ACCESS LOG: list ACLIP12IN denied tcp 1.1.1.1 (0) > 200.0.1.2 (0), 150 packets.  For MAC‐based ACLs, information is collected regarding Source MAC address  Source IP address  Destination IP address  TCP/UDP port number  ACL action  Number of packets logged  For example: Sep 27 4:25:38 DUT3 NOTICE ACLLOG: %MAC ACCESS LOG: list ACLMAC12IN permitted tcp 1.1.1.2 (0) (12, 00:ff:d7:66:74:62) > 200.0.1.2 (0) (00:18:73:ee:a7:c6), 32 packets. © Copyright Lenovo 2016 Chapter 7: Access Control Lists...
Page 132: Rate Limiting Behavior
Rate Limiting Behavior Because ACL logging can be CPU‐intensive, logging is rate‐limited. By default, the switch will log only 10 matching packets per second. This pool is shared by all log‐enabled ACLs. The global rate limit can be changed as follows: RS G8264(config)# accesscontrol log ratelimit <1‐1000> Where the limit is specified in packets per second. Log Interval For each log‐enabled ACL, the first packet that matches the ACL initiates an immediate message in the system log. Beyond that, additional matches are subject to the log interval. By default, the switch will buffer ACL log messages for a period of 300 seconds. At the end of that interval, all messages in the buffer are written to the system log. The global interval value can be changed as follows: RS G8264(config)# accesscontrol log interval <5‐600> Where the interval rate is specified in seconds. In any given interval, packets that have identical log information are condensed into a single message. However, the packet count shown in the ACL log message represents only the logged messages, which due to rate‐limiting, may be significantly less than the number of packets actually matched by the ACL. Also, the switch is limited to 64 different ACL log messages in any interval. Once the threshold is reached, the oldest message will be discarded in favor of the new message, and an overflow message will be added to the system log. ACL Logging Limitations ACL logging reserves packet queue 1 for internal use. Features that allow remapping packet queues (such as CoPP) may not behave as expected if other packet flows are reconfigured to use queue 1. G8264 Application Guide for ENOS 8.4...
Page 133: Acl Configuration Examples
2. Add ACL 1 to port 1. RS G8264(config)# interface port 1 RS G8264(configif)# accesscontrol list 1 RS G8264(configif)# exit ACL Example 2 Use this configuration to block traffic from a network destined for a specific host address. All traffic that ingresses in port 2 with source IP from class 100.10.1.0/24 and destination IP 200.20.2.2 is denied. 1. Configure an Access Control List. RS G8264(config)# accesscontrol list 2 ipv4 sourceipaddress 100.10.1.0 255.255.255.0 RS G8264(config)# accesscontrol list 2 ipv4 destinationipaddress 200.20.2.2 255.255.255.255 RS G8264(config)# accesscontrol list 2 action deny 2. Add ACL 2 to port 2. RS G8264(config)# interface port 2 RS G8264(configif)# accesscontrol list 2 RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 7: Access Control Lists...
Page 134: Acl Example 3
ACL Example 3 Use this configuration to block traffic from a specific IPv6 source address. All traffic that ingresses in port 2 with source IP from class 2001:0:0:5:0:0:0:2/128 is denied. 1. Configure an Access Control List. RS G8264(config)# accesscontrol list6 3 ipv6 sourceaddress 2001:0:0:5:0:0:0:2 128 RS G8264(config)# accesscontrol list6 3 action deny 2. Add ACL 2 to port 2. RS G8264(config)# interface port 2 RS G8264(configif)# accesscontrol list6 3 RS G8264(configif)# exit ACL Example 4 Use this configuration to deny all ARP packets that ingress a port. 1. Configure an Access Control List. RS G8264(config)# accesscontrol list 2 ethernet ethernettype arp RS G8264(config)# accesscontrol list 2 action deny 2. Add ACL 2 to port EXT2. RS G8264(config)# interface port 2 RS G8264(configif)# accesscontrol list 2 RS G8264(configif)# exit ACL Example 5 Use the following configuration to permit access to hosts with destination MAC ...
Page 135: Acl Example 6
ACL Example 6 This configuration blocks traffic from a network that is destined for a specific egress port. All traffic that ingresses port 1 from the network 100.10.1.0/24 and is destined for port 3 is denied. 1. Configure an Access Control List. RS G8264(config)# accesscontrol list 4 ipv4 sourceipaddress 100.10.1.0 255.255.255.0 RS G8264(config)# accesscontrol list 4 egressport 3 RS G8264(config)# accesscontrol list 4 action deny 2. Add ACL 4 to port 1. RS G8264(config)# interface port 1 RS G8264(configif)# accesscontrol list 4 RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 7: Access Control Lists...
Page 136: Vlan Maps
VLAN Maps A VLAN map (VMap) is an ACL that can be assigned to a VLAN or VM group rather than to a switch port as with IPv4 ACLs. This is particularly useful in a virtualized environment where traffic filtering and metering policies must follow virtual machines (VMs) as they migrate between hypervisors. Note: VLAN maps for VM groups are not supported simultaneously on the same ports as vNICs (see Chapter 19, “Virtual NICs”). The G8264 supports up to 128 VMaps. Individual VMap filters are configured in the same fashion as IPv4 ACLs, except that VLANs cannot be specified as a filtering criteria (unnecessary, since the VMap are assigned to a specific VLAN or associated with a VM group VLAN). VMaps are configured using the following ISCLI configuration command path: RS G8264(config)# accesscontrol vmap <VMap ID> ? action Set filter action egressport Set to filter for packets egressing this port ethernet Ethernet header options ipv4 IP version 4 header options meter ACL metering configuration mirror Mirror options packetformat Set to filter specific packet format types remark ACL remark configuration statistics Enable access control list statistics tcpudp TCP and UDP filtering options Once a VMap filter is created, it can be assigned or removed using the following configuration commands:  For regular VLAN, use config‐vlan mode: RS G8264(config)# vlan <VLAN ID> RS G8264(configvlan)# [no] vmap <VMap ID> [serverports| nonserverports]  For a VM group (see “VM Group Types” on page 342), use the global configuration mode: RS G8264(config)# [no] virt vmgroup <ID> vmap <VMap ID> ...
Page 137 VMap Example In this example, EtherType 2 traffic from VLAN 3 server ports is mirrored to a network monitor on port 4. RS G8264(config)# accesscontrol vmap 21 packetformat ethernet ethernettype2 RS G8264(config)# accesscontrol vmap 21 mirror port 4 RS G8264(config)# accesscontrol vmap 21 action permit RS G8264(config)# vlan 3 RS G8264(configvlan)# vmap 21 serverports © Copyright Lenovo 2016 Chapter 7: Access Control Lists...
Page 138: Management Acls
Management ACLs Management ACLs (MACLs) filter inbound traffic i.e. traffic toward the CPU. MACLs are applied switch‐wide. Traffic can be filtered based on the following:  IPv4 source address IPv4 destination address   IPv4 protocols TCP/UDP destination or source port  Lower MACL numbers have higher priority. Following is an example MACL configuration based on a destination IP address and a TCP‐UDP destination port: RS G8264(config)# accesscontrol macl 1 ipv4 destinationipaddress 1.1.1.1 255.255.255.0 RS G8264(config)# accesscontrol macl 1 tcpudp destinationport 111 0xffff RS G8264(config)# accesscontrol macl 1 statistics RS G8264(config)# accesscontrol macl 1 action permit RS G8264(config)# accesscontrol macl 1 enable Use the following command to view the MACL configuration: RS G8264(config)# show accesscontrol macl 1 MACL 1 profile : Enabled IPv4 - DST IP : 1.1.1.1/255.255.255.0 TCP/UDP - DST Port...
Page 139: Using Storm Control Filters
The G8264 provides filters that can limit the number of the following packet types transmitted by switch ports:  Broadcast packets  Multicast packets  Unknown unicast packets (destination lookup failure) Unicast packets whose destination MAC address is not in the Forwarding Database are unknown unicasts. When an unknown unicast is encountered, the switch handles it like a broadcast packet and floods it to all other ports in the VLAN (broadcast domain). A high rate of unknown unicast traffic can have the same negative effects as a broadcast storm. Configure broadcast filters on each port that requires broadcast storm control. Set a threshold that defines the total number of broadcast packets transmitted (0‐2097151), in packets per second. When the threshold is reached, no more packets of the specified type are transmitted. To filter broadcast packets on a port, use the following commands: RS G8264(config)# interface port 1 RS G8264(configif)# stormcontrol broadcast level rate <packets per second> To filter multicast packets on a port, use the following commands: RS G8264(configif)# stormcontrol multicast level rate <packets per second> To filter unknown unicast packets on a port, use the following commands: RS G8264(configif)# stormcontrol unicast level rate <packets per second> RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 7: Access Control Lists...
Page 140 G8264 Application Guide for ENOS 8.4...
Page 141: Chapter 8. Secure Input/Output Module
Chapter 8. Secure Input/Output Module The Secure Input/Output Module (SIOM) enables you to determine which protocols can be enabled. The SIOM only allows secured traffic and secured authentication management. The following topics are discussed in this chapter: “SIOM Overview” on page 142   “Setting an SIOM Security Policy” on page 143 “Implementing Secure LDAP (LDAPS)” on page 146   “Using Cryptographic Mode” on page 149 © Copyright Lenovo 2016...
Page 142: Siom Overview
SIOM Overview A security policy is a set of rules to be enforced on the switch software. The SIOM contains the following sub‐features:  A Security Policy that can be enforced on the switch software  A Secure LDAP (LDAPS) implementation in addition to the current the LDAP feature Note: SIOM is supported in stacking mode. G8264 Application Guide for ENOS 8.4...
Page 143: Setting An Siom Security Policy
RS G8264(config)# boot securitypolicy securemode Note: The switch will remain in Legacy Mode until you reboot. To disable Secure Mode on the G8264, enter: RS G8264(config)# boot securitypolicy legacymode Note: The switch will remain in Secure Mode until you reboot. To display the running security policy, enter: RS G8264(config)# show boot securitypolicy Note: In stacking mode, the Master and the Backup switches control the security policy. Using Protocols With SIOM Some protocols can be used with SIOM. This section explains which protocols can and cannot operate with SIOM on the RackSwitch G8264. Insecure Protocols When you are in Secure Mode, the following protocols are deemed “insecure” and are disabled:  HTTP LDAP Client   SNMPv1 © Copyright Lenovo 2016 Chapter 8: Secure Input/Output Module...
Page 144: Secure Protocols
 SNMPv2  Telnet (server and client)  FTP (server and client)  Radius (client  TACACS+ (client)  TFTP Server Except for the TFTP server, these protocols cannot be enabled when the switch is operating in Secure Mode because the commands to enable or disable them disappear with SIOM enabled. The following protocols, although deemed “insecure” by SIOM, are enabled by default and can be disabled.  DHCP client  SysLog Note: Service Location Protocol (SLP) Discovery is also deemed “insecure” but is unaffected by Secure Mode. SLP has the same default settings as in Legacy Mode. If you can enable or disable SLP in Legacy Mode, you can enable or disable it the same way in Secure Mode. The following supported protocols are not enabled by default but can always be enabled in Secure Mode.  DNS Resolution  TFTP client (for signed items only, such as switch images) The following protocols, although deemed “insecure” and allowed by SIOM, are not supported by the G8264:   SMTP MIME   TCP command in secure mode (Port 6090) DHCPv6 client ...
Page 145: Insecure Protocols Unaffected By Siom
S/MIME  SNMPv3 Manager  TCP command secure mode (Port 6091) Insecure Protocols Unaffected by SIOM The following protocols are deemed “insecure” but can be enabled in all Security Policy Modes: Ping   Ping IPv6 Traceroute   Traceroute IPv6 TFTP IPv6   SNMPv3 IPv6 bootp  Notes:  Telnet IPv6 and TFTP IPv6 are disabled in Secure Mode. TFTP IPv6 is allowed in Secure Mode for signed image transfers only.  © Copyright Lenovo 2016 Chapter 8: Secure Input/Output Module...
Page 146: Implementing Secure Ldap (Ldaps)
Implementing Secure LDAP (LDAPS) Lightweight Directory Access Protocol (LDAP) is a protocol for accessing distributed directory information services over a network. Enterprise NOS uses LDAP for authentication and authorization. With an LDAP client enabled, the switch will authenticate a user and determine the user’s privilege level by checking with one or more directory servers instead of a local database of users. This prevents customers from having to configure local user accounts on multiple switches; they can maintain a centralized directory instead. As part of the SIOM, you can implement Secure Lightweight Directory Access Protocol (LDAPS) in addition to standard LDAP. Enabling LDAPS LDAPS is disabled by default. To enable LDAPS: 1. Turn LDAP authentication on: RS G8264(config)# ldapserver enable 2. Enable LDAP Enhanced Mode: RS G8264(config)# ldapserver mode enhanced This changes the ldapserver subcommands to support LDAPS. 3. Configure the IPv4 addresses of each LDAP server. Specify the interface port (optional). RS G8264(config)# ldapserver host {14} <IP address or hostname> mgtaport 4. You may change the default TCP port number used to listen to LDAPS (optional). The well‐known port for LDAP is 636. RS G8264(config)# ldapserver port <1‐65000> 5. Configure the Security Mode: RS G8264(config)# ldapserver security {clear|ldaps|mutual|starttls} where: Parameter Description clear...
Page 147: Disabling Ldaps
RS G8264(config)# ldapserver attribute group <search attribute> If no group search attribute is specified, the default is memberOf. 10. Configure the login permissions attribute: RS G8264(config)# ldapserver attribute loginpermission <attribute> Note: If no login permissions attribute is configured, LDAP client will not function. 11. Configure the group filter attribute (optional): RS G8264(config)# ldapserver groupfilter <filter attributes separated by comma> Note: The group filter string must contain no whitespace. If no group filter attribute is configured, no groups will be filtered and all groups will be considered in any search. 12. Enable DNS server verification: RS G8264(config)# ldapserver srv Disabling LDAPS To disable LDAPS, enter: RS G8264(config)# ldapserver security clear RS G8264(config)# ldapserver mode legacy For information about using LDAP in Legacy Mode, see “LDAP Authentication and Authorization” on page 114. © Copyright Lenovo 2016 Chapter 8: Secure Input/Output Module...
Page 148: Syslogs And Ldaps
Syslogs and LDAPS Syslogs are required for the following error conditions: Password change required on first login  Password expired  Username or password invalid  Account temporarily locked  Unknown/no reason given  G8264 Application Guide for ENOS 8.4...
Page 149: Using Cryptographic Mode
Using Cryptographic Mode The RackSwitch G8264 is able to change between Cryptographic Compatibility Mode and NIST SP 800‐131a Cryptographic Mode. In Cryptographic Mode, encryption key lengths must comply with NIST SP 800‐131a minimum requirements; only compliant encryption algorithms are allowed. To enable Cryptographic Mode: Note: You may want to save your configuration before enabling Cryptographic Mode, as this process will wipe out your configuration. 1. Set the boot mode: RS G8264(config)# boot strict enable 2. Reboot the switch. 3. Verify that the switch is operating in Cryptographic Mode: RS G8264# show boot strict Current strict settings: Strict Mode : enabled Old default Snmpv3 accounts support : no Strict settings saved: Strict Mode : enabled Old default Snmpv3 accounts support : no © Copyright Lenovo 2016 Chapter 8: Secure Input/Output Module...
Page 150 G8264 Application Guide for ENOS 8.4...
Page 151: Part 3: Switch Basics
Part 3: Switch Basics This section discusses basic switching functions:  VLANs  Port Aggregation  Spanning Tree Protocols (Spanning Tree Groups, Rapid Spanning Tree Protocol, and Multiple Spanning Tree Protocol)  Virtual Link Aggregation Groups  Quality of Service © Copyright Lenovo 2016...
Page 152 G8264 Application Guide for ENOS 8.4...
Page 153: Chapter 9. Vlans
Chapter 9. VLANs This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs commonly are used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments. The following topics are discussed in this chapter:  “VLANs and Port VLAN ID Numbers” on page 154  “VLAN Tagging/Trunk Mode” on page 156  “VLAN Topologies and Design Considerations” on page 161 This section discusses how you can connect users and segments to a host that supports many logical segments or subnets by using the flexibility of the multiple VLAN system.  “Protocol‐Based VLANs” on page 166 “Private VLANs” on page 169  Note: VLANs can be configured from the Command Line Interface (see “VLAN Configuration” as well as “Port Configuration” in the Command Reference). © Copyright Lenovo 2016...
Page 154: Vlans Overview
VLANs Overview Setting up virtual LANs (VLANs) is a way to segment networks to increase network flexibility without changing the physical network topology. With network segmentation, each switch port connects to a segment that is a single broadcast domain. When a switch port is configured to be a member of a VLAN, it is added to a group of ports (workgroup) that belong to one broadcast domain. Ports are grouped into broadcast domains by assigning them to the same VLAN. Frames received in one VLAN can only be forwarded within that VLAN, and multicast, broadcast, and unknown unicast frames are flooded only to ports in the same VLAN. The RackSwitch G8264 (G8264) supports jumbo frames with a Maximum Transmission Unit (MTU) of 9,216 bytes. Within each frame, 18 bytes are reserved for the Ethernet header and CRC trailer. The remaining space in the frame comprise the packet, which includes the payload and any additional overhead, such as 802.1q or VLAN tags. Jumbo frame support is automatic: it is enabled by default, requires no manual configuration, and cannot be manually disabled. VLANs and Port VLAN ID Numbers VLAN Numbers The G8264 supports up to 4095 VLANs per switch. Each can be identified with any number between 1 and 4094. VLAN 1 is the default VLAN for the data ports. VLAN 4095 is used by the management network, which includes the management port. Use the following command to view VLAN information: RS G8264# show vlan VLAN Name Status Ports 1 Default VLAN ena 164 2 VLAN 2 dis empty 4095 Mgmt VLAN ena MGMT G8264 Application Guide for ENOS 8.4...
Page 155: Pvid/Native Vlan Numbers
RS G8264# show interface trunk Alias Port Tag Type RMON Lrn Fld Openflow PVID DESCRIPTION VLAN(s) Trk NVLAN 1 1 n External d e e d 1 1 2 2 n External d e e d 1 1 3 3 n External d e e d 1 1 4 4 y External d e e d 1 1 64 64 n External d e e d 1 1 MGT 65 n Mgmt d e e d 4095 4095 * = PVID/NativeVLAN is tagged. # = PVID is ingress tagged. Trk = Trunk mode NVLAN = NativeVLAN Use the following command to set the port PVID/Native VLAN: Access Mode Port RS G8264(config)# interface port <port number> RS G8264(configif)# switchport access vlan <VLAN ID> For Trunk Mode Port RS G8264(config)# interface port <port number> RS G8264(configif)# switchport trunk native vlan <VLAN ID> Each port on the switch can belong to one or more VLANs, and each VLAN can have any number of switch ports in its membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging/trunk mode enabled (see “VLAN Tagging/Trunk Mode” on page 156). © Copyright Lenovo 2016 Chapter 9: VLANs...
Page 156: Vlan Tagging/Trunk Mode
VLAN Tagging/Trunk Mode Lenovo Enterprise Network Operating System software supports 802.1Q VLAN tagging, providing standards‐based VLAN support for Ethernet systems. Tagging places the VLAN identifier in the frame header of a packet, allowing each port to belong to multiple VLANs. When you add a port to multiple VLANs, you also must enable tagging on that port. Since tagging fundamentally changes the format of frames transmitted on a tagged port, you must carefully plan network designs to prevent tagged frames from being transmitted to devices that do not support 802.1Q VLAN tags, or devices where tagging is not enabled. Important terms used with the 802.1Q tagging feature are:  VLAN identifier (VID)—the 12‐bit portion of the VLAN tag in the frame header that identifies an explicit VLAN.  Port VLAN identifier (PVID)—a classification mechanism that associates a port with a specific VLAN. For example, a port with a PVID of 3 (PVID =3) assigns all untagged frames received on this port to VLAN 3. Any untagged frames received by the switch are classified with the PVID of the receiving port.  Tagged frame—a frame that carries VLAN tagging information in the header. This VLAN tagging information is a 32‐bit field (VLAN tag) in the frame header that identifies the frame as belonging to a specific VLAN. Untagged frames are marked (tagged) with this classification as they leave the switch through a port that is configured as a tagged port. Untagged frame— a frame that does not carry any VLAN tagging information  in the frame header. Untagged member—a port that has been configured as an untagged member of  a specific VLAN. When an untagged frame exits the switch through an untagged member port, the frame header remains unchanged. When a tagged frame exits the switch through an untagged member port, the tag is stripped and the tagged frame is changed to an untagged frame.  Tagged member—a port that has been configured as a tagged member of a specific VLAN. When an untagged frame exits the switch through a tagged member port, the frame header is modified to include the 32‐bit tag associated ...
Page 157 Figure 3. Port‐based VLAN assignment Port 1 Port 2 Port 3 Tagged member PVID = 2 of VLAN 2 Untagged packet 802.1Q Switch Data Before Port 6 Port 7 Port 8 Untagged member of VLAN 2 © Copyright Lenovo 2016 Chapter 9: VLANs...
Page 158 As shown in Figure 4, the untagged packet is marked (tagged) as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2. The untagged packet remains unchanged as it leaves the switch through port 7, which is configured as an untagged member of VLAN 2. Figure 4. 802.1Q tagging (after port‐based VLAN assignment) Tagged member PVID = 2 Port 1 Port 2 Port 3 of VLAN 2 802.1Q Switch CRC* Data (*Recalculated) Port 6 Port 7 Port 8 8100 Priority VID = 2 Untagged memeber of VLAN 2 16 bits 3 bits...
Page 159: Ingress Vlan Tagging
Outgoing untagged packet changed (tag removed) Priority - User_priority - Canonical format indicator - VLAN identifier BS45014A Ingress VLAN Tagging Tagging can be enabled on an ingress port. When a packet is received on an ingress port, and if ingress tagging is enabled on the port, a VLAN tag with the port PVID is inserted into the packet as the outer VLAN tag. Depending on the egress port setting (tagged or untagged), the outer tag of the packet is retained or removed when it leaves the egress port. Ingress VLAN tagging is used to tunnel packets through a public domain without altering the original 802.1Q status. When ingress tagging is enabled on a port, all packets, whether untagged or tagged, will be tagged again. As shown in Figure 7, when tagging is enabled on the egress port, the outer tag of the packet is retained when it leaves the egress port. If tagging is disabled on the egress port, the outer tag of the packet is removed when it leaves the egress port. © Copyright Lenovo 2016 Chapter 9: VLANs...
Page 160: Limitations
Figure 7. 802.1Q tagging (after ingress tagging assignment) Untagged packet received on ingress port 802.1Q Switch Port 1 Port 2 Port 3 Tagged member PVID = 2 of VLAN 2 Untagged packet CRC* Data CRC* Data Data After Before Port 6 Port 7 Port 8 Untagged member of VLAN 2 Data...
Page 161: Vlan Topologies And Design Considerations
VLAN Topologies and Design Considerations Note the following when working with VLAN topologies:  By default, the G8264 software is configured so that tagging/trunk mode is disabled on all ports. By default, the G8264 software is configured so that all data ports are members  of VLAN 1.  By default, the Enterprise NOS software is configured so that the management port is a member of VLAN 4095 (the management VLAN).  STG 256 is reserved for switch management.  When using Spanning Tree, STG 2‐256 may contain only one VLAN unless Multiple Spanning‐Tree Protocol (MSTP) mode is used. With MSTP mode, STG 1 to 32 can include multiple VLANs.  All ports involved in both aggregation and port mirroring must have the same VLAN configuration. If a port is on a LAG with a mirroring port, the VLAN configuration cannot be changed. For more information about aggregation, see Chapter 10, “Ports and Link Aggregation” and Chapter 46, “Port Mirroring.” © Copyright Lenovo 2016 Chapter 9: VLANs...
Page 162: Multiple Vlans With Tagging/Trunk Mode Adapters
Multiple VLANs with Tagging/Trunk Mode Adapters Figure 8 illustrates a network topology described in Note: on page 163 and the configuration example on page page 165. Figure 8. Multiple VLANs with VLAN‐Tagged Gigabit Adapters Enterprise Enterprise Routing Switch Routing Switch Server 1 Server 2 Server 3 Server 4 Server 5 VLAN 1 VLAN 1 VLAN 2 VLAN 3 VLAN 1, 2 The features of this VLAN are described in the following table. ...
Page 163 1, Server 2, switches and Server 5 via VLAN 1. They can communicate with Server 3 and Server 5 via VLAN 2. They can communicate with Server 4 via VLAN 3. Tagging/trunk mode on switch ports is enabled. Note: VLAN tagging/trunk mode is required only on ports that are connected to other switches or on ports that connect to tag‐capable end‐stations, such as servers with VLAN‐tagging/trunk mode adapters. To configure a specific VLAN on a trunk port, the following conditions must be met: The port must be in trunk mode.   The VLAN must be in the trunk’s allowed VLAN range. By default, the range includes all VLANs.  The VLAN must be un‐reserved.  The VLAN must be created. The order in which these conditions are met is not relevant. However, all conditions must be met collectively. When all the conditions are met, the VLAN is enabled on the port. If one of the conditions is broken, the VLAN is disabled. © Copyright Lenovo 2016 Chapter 9: VLANs...
Page 164 If a port’s native VLAN is a private VLAN and its allowed VLAN range contains only invalid VLANs (either reserved VLANs or VLANs the port cannot belong to), removing the private VLAN mapping from the port will add the port to default VLAN and add the default VLAN to the allowed VLAN range. When setting up multiple VLANs, ports configured in private VLAN mode are not added to private VLANs unless the private VLANs are also configured for those ports. G8264 Application Guide for ENOS 8.4...
Page 165: Vlan Configuration Example
RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlans 1,2 RS G8264(configif)# exit 2. Enable tagging/trunk mode on uplink ports that support multiple VLANs. RS G8264(config)# interface port 19 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan add 2,3 RS G8264(configif)# exit RS G8264(config)# interface port 20 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan add 2,3 RS G8264(configif)# exit 3. Configure server ports that belong to a single VLAN. RS G8264(config)# interface port 4 RS G8264(configif)# switchport access vlan 2 RS G8264(configif)# exit By default, all ports are members of VLAN 1, so configure only those ports that belong to other VLANs. © Copyright Lenovo 2016 Chapter 9: VLANs...
Page 166: Protocol-Based Vlans
Protocol-Based VLANs Protocol‐based VLANs (PVLANs) allow you to segment network traffic according to the network protocols in use. Traffic for supported network protocols can be confined to a particular port‐based VLAN. You can give different priority levels to traffic generated by different network protocols. With PVLAN, the switch classifies incoming packets by Ethernet protocol of the packets, not by the configuration of the ingress port. When an untagged or priority‐tagged frame arrives at an ingress port, the protocol information carried in the frame is used to determine a VLAN to which the frame belongs. If a frame’s protocol is not recognized as a pre‐defined PVLAN type, the ingress port’s PVID is assigned to the frame. When a tagged frame arrives, the VLAN ID in the frame’s tag is used. Each VLAN can contain up to eight different PVLANs. You can configure separate PVLANs on different VLANs, with each PVLAN segmenting traffic for the same protocol type. For example, you can configure PVLAN 1 on VLAN 2 to segment IPv4 traffic, and PVLAN 8 on VLAN 100 to segment IPv4 traffic. To define a PVLAN on a VLAN, configure a PVLAN number (1‐8) and specify the frame type and the Ethernet type of the PVLAN protocol. You must assign at least one port to the PVLAN before it can function. Define the PVLAN frame type and Ethernet type as follows: Frame type—consists of one of the following values:  Ether2 (Ethernet II)  SNAP (Subnetwork Access Protocol)  LLC (Logical Link Control)   Ethernet type—consists of a 4‐digit (16 bit) hex value that defines the Ethernet type. You can use common Ethernet protocol values, or define your own values. Following are examples of common Ethernet protocol values: IPv4 = 0800  IPv6 = 86dd  ARP = 0806  Port-Based vs. Protocol-Based VLANs Each VLAN supports both port‐based and protocol‐based association, as follows: ...
Page 167: Pvlan Priority Levels
PVLAN Tagging/Trunk Mode When PVLAN tagging is enabled, the switch tags frames that match the PVLAN protocol. For more information about tagging, see “VLAN Tagging/Trunk Mode” on page 156. Untagged ports must have PVLAN tagging disabled. Tagged ports can have PVLAN tagging either enabled or disabled. PVLAN tagging has higher precedence than port‐based tagging. If a port is tagging/trunk mode enabled, and the port is a member of a PVLAN, the PVLAN tags egress frames that match the PVLAN protocol. Use the tag list command (protocolvlan <x> tagpvlan) to define the complete list of tag‐enabled ports in the PVLAN. Note that all ports not included in the PVLAN tag list will have PVLAN tagging disabled. PVLAN Configuration Guidelines Consider the following guidelines when you configure protocol‐based VLANs:  Each port can support up to 16 VLAN protocols. The G8264 can support up to 16 protocols simultaneously.   Each PVLAN must have at least one port assigned before it can be activated. The same port within a port‐based VLAN can belong to multiple PVLANs.   An untagged port can be a member of multiple PVLANs. A port cannot be a member of different VLANs with the same protocol  association. © Copyright Lenovo 2016 Chapter 9: VLANs...
Page 168: Configuring Pvlan
Configuring PVLAN Follow this procedure to configure a Protocol‐based VLAN (PVLAN). 1. Configure VLAN tagging/trunk mode for ports. RS G8264(config)# interface port 1, 2 RS G8264(configif)# switchport mode trunk RS G8264(configif)# exit 2. Create a VLAN and define the protocol type(s) supported by the VLAN. RS G8264(config)# vlan 2 RS G8264(configvlan)# protocolvlan 1 frametype ether2 0800 3. Configure the priority value for the protocol. RS G8264(configvlan)# protocolvlan 1 priority 2 4. Add member ports for this PVLAN. RS G8264(configvlan)# protocolvlan 1 member 1, 2 Note: If VLAN tagging is turned on and the port being added to the VLAN has a different default VLAN (PVID/Native VLAN), you will be asked to confirm changing the PVID to the current VLAN. 5. Enable the PVLAN. RS G8264(configvlan)# protocolvlan 1 enable RS G8264(configvlan)# exit 6. Verify PVLAN operation. RS G8264(config)# show vlan VLAN Name Status Ports ...
Page 169: Private Vlans
 toward ports in the primary VLAN. Each Private VLAN configuration can contain only one isolated VLAN. Community VLAN—carries upstream traffic from ports in the community  VLAN to other ports in the same community, and to ports in the primary VLAN. Each Private VLAN configuration can contain multiple community VLANs. After you define the primary VLAN and one or more secondary VLANs, you map the secondary VLAN(s) to the primary VLAN. Private VLAN Ports Private VLAN ports are defined as follows:  Promiscuous—A promiscuous port is a port that belongs to the primary VLAN. The promiscuous port can communicate with all the interfaces, including ports in the secondary VLANs (Isolated VLAN and Community VLANs).  Isolated—An isolated port is a host port that belongs to an isolated VLAN. Each isolated port has complete layer 2 separation from other ports within the same private VLAN (including other isolated ports), except for the promiscuous ports. Traffic sent to an isolated port is blocked by the Private VLAN, except the  traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.  Community—A community port is a host port that belongs to a community  VLAN. Community ports can communicate with other ports in the same com‐ munity VLAN, and with promiscuous ports. These interfaces are isolated at layer 2 from all other interfaces in other communities and from isolated ports within the Private VLAN. © Copyright Lenovo 2016 Chapter 9: VLANs...
Page 170: Configuration Guidelines
Configuration Guidelines The following guidelines apply when configuring Private VLANs:  Management VLANs cannot be Private VLANs. Management ports cannot be members of a Private VLAN.  The default VLAN 1 cannot be a Private VLAN. IGMP Snooping must be disabled on Private VLANs.   All VLANs that comprise the Private VLAN must belong to the same Spanning Tree Group.  A VLAN pair consists of a primary VLAN and one associated secondary VLAN (isolated or community). The maximum number of VLAN pairs per port is 16. Configuration Example Follow this procedure to configure a Private VLAN. 1. Select a VLAN and define the Private VLAN type as primary. RS G8264(config)# vlan 700 RS G8264(configvlan)# privatevlan primary RS G8264(configvlan)# exit 2. Configure a promiscuous port for VLAN 700. RS G8264(config)# interface port 1 RS G8264(configif)# switchport mode privatevlan RS G8264(configif)# switchport privatevlan mapping 700 RS G8264(configif)# exit 3. Configure two secondary VLANs: isolated VLAN and community VLAN. RS G8264(config)# vlan 701 RS G8264(configvlan)# privatevlan isolated RS G8264(configvlan)# exit RS G8264(config)# vlan 702...
Page 171 5. Configure host ports for secondary VLANs. RS G8264(config)# interface port 2 RS G8264(configif)# switchport mode privatevlan RS G8264(configif)# switchport privatevlan hostassociation 700 701 RS G8264(configif)# exit RS G8264(config)# interface port 3 RS G8264(configif)# switchport mode privatevlan RS G8264(configif)# switchport privatevlan hostassociation 700 702 RS G8264(configif)# exit 6. Verify the configuration. RS G8264(config)# show vlan privatevlan Primary Secondary Type Ports 700 701 isolated 1 2 700 702 community 1 3 © Copyright Lenovo 2016 Chapter 9: VLANs...
Page 172 G8264 Application Guide for ENOS 8.4...
Page 173: Chapter 10. Ports And Link Aggregation
Chapter 10. Ports and Link Aggregation Link Aggregation (LAG) groups can provide super‐bandwidth, multi‐link connections between the G8264 and other LAG‐capable devices. A LAG is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. This chapter provides configuration background and examples for aggregating multiple ports together:  “Configuring QSFP+ Ports” on page 174  “Aggregation Overview” on page 176”  “Configuring a Static LAG” on page 178  “Configurable LAG Hash Algorithm” on page 185 “Link Aggregation Control Protocol” on page 180  © Copyright Lenovo 2016...
Page 174: Configuring Qsfp+ Ports
Configuring QSFP+ Ports QSFP+ ports support both 10GbE and 40GbE, as shown in Table 15. Table 15. QSFP+ Port Numbering Physical Port Number 40GbE mode 10GbE mode Port 1 Port 1 Ports 1-4 Port 5 Port 5 Ports 5-8 Port 9 Port 9 Ports 9-12 Port 13 Port 13 Ports 13-16 Use the following procedure to change the QSFP+ port mode. 1.
Page 175 Use the ‘no’ form of the command to reset a port to 10GbE mode. RS G8264(config)# no boot qsfp40Gports <port number or a range of ports> © Copyright Lenovo 2016 Chapter 10: Ports and Link Aggregation...
Page 176: Aggregation Overview
Aggregation Overview When using LAGs between two switches, as shown in Figure 9, you can create a virtual link between the switches, operating with combined throughput levels that depends on how many physical ports are included. Each G8264 supports up to 64 LAGs in stand‐alone (non‐stacking) mode, or 64 LAGs in stacking mode. Two LAG types are available: static LAGs (portchannel), and dynamic Link Aggregation Control Protocol (LACP) LAGs. Each type can contain up to 32 member ports, depending on the port type and availability. Figure 9. Port LAG Switch 1 Switch 2 LAGs are also useful for connecting a G8264 to third‐party devices that support link aggregation, such as Cisco routers and switches with EtherChannel technology (not ISL aggregation technology) and Sunʹs Quad Fast Ethernet Adapter. LAG technology is compatible with these devices when they are configured manually. LAG traffic is statistically distributed among the ports in a LAG, based on a variety of configurable options. Also, since each LAG is comprised of multiple physical links, the LAG is inherently fault tolerant. As long as one connection between the switches is available, the trunk remains active and statistical load balancing is maintained whenever a port in a LAG is lost or returned to service. G8264 Application Guide for ENOS 8.4...
Page 177: Static Lags
VLAGs (see Chapter 12, “Virtual Link Aggregation Groups). In such cases, links in a LAG are allowed to connect to multiple physical devices because they act as one logical device. Any physical switch port can belong to only one LAG.  ® ®  Aggregation from third‐party devices must comply with Cisco EtherChannel technology. All ports in a LAG must have the same link configuration (speed, duplex, flow  control), the same VLAN properties, and the same Spanning Tree, storm control, and ACL configuration. It is recommended that the ports in a LAG be members of the same VLAN.  Each LAG inherits its port configuration (speed, flow control, tagging) from the first member port. As additional ports are added to the LAG, their settings must be changed to match the LAG configuration.  When a port leaves a LAG, its configuration parameters are retained.  You cannot configure a LAG member as a monitor port in a port‐mirroring con‐ figuration.  LAGs cannot be monitored by a monitor port; however, LAG members can be monitored. © Copyright Lenovo 2016 Chapter 10: Ports and Link Aggregation...
Page 178: Configuring A Static Lag
LAG 3 LAG 3 combines Ports 2, 9, and 16 LAG 1 combines Ports 1, 11, and 18 LAG 1 Prior to configuring each switch in this example, you must connect to the appropriate switches as the administrator. Note: For details about accessing and using any of the commands described in this example, see the Lenovo RackSwitch G8264 ISCLI Reference. 1. Follow these steps on the G8264: a. Define a LAG. RS G8264(config)# portchannel 3 port 2,9,16 RS G8264(config)# portchannel 3 enable b. Verify the configuration. # show portchannel information Examine the resulting information. If any settings are incorrect, make appropriate changes. 2. Repeat the process on the other switch.
Page 179 4. Examine the aggregation information on each switch. # show portchannel information PortChannel 3: Enabled Protocol—Static port state: 2: STG 1 forwarding 9: STG 1 forwarding 16: STG 1 forwarding Information about each port in each configured LAG is displayed. Make sure that LAGs consist of the expected ports and that each port is in the expected state. The following restrictions apply:  Any physical switch port can belong to only one LAG.  Up to 32 ports can belong to the same LAG.  All ports in static LAGs must be have the same link configuration (speed, duplex, flow control). ® ®  Aggregation with third‐party devices must comply with Cisco EtherChannel technology. © Copyright Lenovo 2016 Chapter 10: Ports and Link Aggregation...
Page 180: Link Aggregation Control Protocol
Link Aggregation Control Protocol Link Aggregation Control Protocol (LACP) is an IEEE 802.3ad standard for grouping several physical ports into one logical port (known as a Link Aggregation group) with any device that supports the standard. Please refer to IEEE 802.3ad‐2002 for a full description of the standard. The 802.3ad standard allows standard Ethernet links to form a single Layer 2 link using Link Aggregation Control Protocol (LACP). Link aggregation is a method of grouping physical link segments of the same media type and speed in full duplex, and treating them as if they were part of a single, logical link segment. If a link in an LACP LAG fails, traffic is reassigned dynamically to the remaining link(s) of the dynamic LAG. Note: LACP implementation in the Lenovo Enterprise Network Operating System does not support the Churn machine, an option used to detect if the port is operable within a bounded time period between the actor and the partner. Only the Marker Responder is implemented, and there is no marker protocol generator. A port’s Link Aggregation Identifier (LAG ID) determines how the port can be aggregated. The Link Aggregation ID (LAG ID) is constructed mainly from the partner switch’s system ID and the port’s admin key, as follows:  System ID: an integer value based on the partner switch’s MAC address and the system priority assigned in the CLI.  Admin key: a port’s Admin key is an integer value (1‐65535) that you can configure in the CLI. Each switch port that participates in the same LACP LAG must have the same admin key value. The Admin key is local significant, which means the partner switch does not need to use the same Admin key value. For example, consider two switches, an Actor (the G8264) and a Partner (another switch), as shown in Table Table 16. Actor vs. Partner LACP configuration Actor Switch Partner Switch LACP LAG Port 7 (admin key = 100)
Page 181: Static Lacp Lags
Static LACP LAGs To prevent switch ports with the same admin key from forming multiple LAGs, you can configure the LACP LAG as static. In a static LACP LAG, ports with the same admin key, but with different LAG IDs, compete to get aggregated in a LAG. The LAG ID for the LAG is decided based on the first port that is aggregated in the group. Ports with this LAG ID get aggregated and the other ports are placed in suspended mode. As per the configuration shown in Table 16 on page 180, if port 7 gets aggregated first, then the LAG ID of port 7 would be the LAG ID of the LAG. Port 8 will join the LAG while ports 9 and 10 would be placed in suspended mode. When in suspended mode, a port transmits only LACP data units (LACPDUs) and discards all other traffic. A port may also be placed in suspended mode for the following reasons:  When LACP is configured on the port but it stops receiving LACPDUs from the partner switch.  When the port has a different LAG ID because of the partner switch MAC or port LACP key being different. For example: when a switch is connected to two partners. Static LACP LAGs are configured by associating the LACP admin key to a portchannel ID within a dedicated LACP portchannel group range: RS G8264(config)# portchannel lacp key <adminkey of the LAG> A single LAG can have a maximum of 32 active ports at a given time. © Copyright Lenovo 2016 Chapter 10: Ports and Link Aggregation...
Page 182: Lacp Port Modes
LACP Port Modes Up to 64 ports can be assigned to a single LAG, but only 32 ports can actively participate in the LAG at a given time.Each port on the switch can have one of the following LACP modes.  off (default) You can configure this port into a regular static LAG. active  The port is capable of forming an LACP LAG. This port sends LACPDU packets to partner system ports. passive  The port is capable of forming an LACP LAG. This port only responds to the LACPDU packets sent from an LACP active port. Each active LACP port transmits LACP data units (LACPDUs), while each passive LACP port listens for LACPDUs. During LACP negotiation, the admin key is exchanged. The LACP LAG is enabled as long as the information matches at both ends of the link. If the admin key value changes for a port at either end of the link, that port’s association with the LACP LAG is lost. When the system is initialized, all ports by default are in LACP off mode and are assigned unique admin keys. To make a group of ports aggregable, you assign them all the same admin key. You must set the port’s LACP mode to active to activate LACP negotiation. You can set other port’s LACP mode to passive to reduce the amount of LACPDU traffic at the initial LAG‐forming stage. Use the following command to check whether the ports are aggregated: RS G8264 # show lacp information Notes:  If you configure LACP on ports with 802.1X network access control, make sure the ports on both sides of the connection are properly configured for both LACP and 802.1X. IEEE 802.1x and LACP cannot both be enabled on port 1.  LACP Individual Ports with LACP enabled (active or passive) are prevented by default from ...
Page 183: Lacp Minimum Links Option
LACP Minimum Links Option For dynamic LAGs that require a guaranteed amount of bandwidth to be considered useful, you can specify the minimum number of links for the LAG. If the specified minimum number of ports is not available, the LAG link will not be established. If an active LACP LAG loses one or more component links, the LAG will be placed in the down state if the number of links falls to less than the specified minimum. By default, the minimum number of links is 1, meaning that LACP LAGs will remain operational as long as at least one link is available. The LACP minimum links setting can be configured as follows:  Interface (port) configuration mode: RS G8264(config)# interface port <port number or range> RS G8264(configif)# portchannel minlinks <minimum links> RS G8264(configif)# exit Portchannel configuration mode:  RS G8264(config)# interface portchannel lacp <LACP key> RS G8264(configPortChannel)# portchannel minlinks <minimum links> RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 10: Ports and Link Aggregation...
Page 184: Configuring Lacp
Configuring LACP Use the following procedure to configure LACP for ports 7, 8, 9 and 10 to participate in link aggregation. 1. Configure port parameters. All ports that participate in the LACP LAG must have the same settings, including VLAN membership. 2. Select the port range and define the admin key. Only ports with the same admin key can form an LACP LAG. RS G8264(config)# interface port 710 RS G8264(configif)# lacp key 100 3. Set the LACP mode. RS G8264(configif)# lacp mode active 4. Optionally allow member ports to individually participate in normal data traffic if no LACPDUs are received. RS G8264(configif)# no lacp suspendindividual RS G8264(configif)# exit 5. Set the link aggregation as static, by associating it with LAG ID 65: RS G8264(config)# portchannel 65 lacp key 100 G8264 Application Guide for ENOS 8.4...
Page 185: Configurable Lag Hash Algorithm
RS G8264(config)# portchannel thash l2thash l2destinationmacaddress  Layer 2 source and destination MAC address: RS G8264(config)# portchannel thash l2thash l2sourcedestinationmac Layer 3 IPv4/IPv6 source IP address:  RS G8264(config)# portchannel thash l3thash l3sourceipaddress Layer 3 IPv4/IPv6 destination IP address:  RS G8264(config)# portchannel thash l3thash l3destinationipaddress  Layer 3 source and destination IPv4/IPv6 address (the default): RS G8264(config)# portchannel thash l3thash l3sourcedestinationip  Layer 2 hash configuration: RS G8264(config)# portchannel thash l3thash l3usel2hash  Layer 4 port hash RS G8264(config)# portchannel thash l4port Ingress port hash  RS G8264(config)# portchannel thash ingress © Copyright Lenovo 2016 Chapter 10: Ports and Link Aggregation...
Page 186 G8264 Application Guide for ENOS 8.4...
Page 187: Chapter 11. Spanning Tree Protocols
Chapter 11. Spanning Tree Protocols When multiple paths exist between two points on a network, Spanning Tree Protocol (STP), or one of its enhanced variants, can prevent broadcast loops and ensure that the RackSwitch G8264 uses only the most efficient network path. This chapter covers the following topics: “Spanning Tree Protocol Modes” on page 188   “Global STP Control” on page 189 “PVRST Mode” on page 189   “Rapid Spanning Tree Protocol” on page 202 “Multiple Spanning Tree Protocol” on page 204   “Port Type and Link Type” on page 208 © Copyright Lenovo 2016...
Page 188: Spanning Tree Protocol Modes
Spanning Tree Protocol Modes Lenovo Enterprise Network Operating System 8.4 supports the following STP modes:  Rapid Spanning Tree Protocol (RSTP) IEEE 802.1D (2004) RSTP allows devices to detect and eliminate logical loops in a bridged or switched network. When multiple paths exist, STP configures the network so that only the most efficient path is used. If that path fails, STP automatically configures the best alternative active path on the network to sustain network operations. RSTP is an enhanced version of IEEE 802.1D (1998) STP, providing more rapid convergence of the Spanning Tree network path states on STG 1. See “Rapid Spanning Tree Protocol” on page 202 for details.  Per‐VLAN Rapid Spanning Tree (PVRST) PVRST mode is based on RSTP to provide rapid Spanning Tree convergence, but supports instances of Spanning Tree, allowing one STG per VLAN. PVRST mode is compatible with Cisco R‐PVST/R‐PVST+ mode. PVRST is the default Spanning Tree mode on the G8264. See “PVRST Mode” on page 189 for details. Multiple Spanning Tree Protocol (MSTP)  IEEE 802.1Q (2003) MSTP provides both rapid convergence and load balancing in a VLAN environment. MSTP allows multiple STGs, with multiple VLANs in each. See “Multiple Spanning Tree Protocol” on page 204 for details. G8264 Application Guide for ENOS 8.4...
Page 189: Global Stp Control
G8264. Using STP, network devices detect and eliminate logical loops in a bridged or switched network. When multiple paths exist, Spanning Tree configures the network so that a switch uses only the most efficient path. If that path fails, Spanning Tree automatically sets up another active path on the network to sustain network operations. ENOS PVRST mode is based on IEEE 802.1w RSTP. Like RSTP, PVRST mode provides rapid Spanning Tree convergence. However, PVRST mode is enhanced for multiple instances of Spanning Tree. In PVRST mode, each VLAN may be automatically or manually assigned to one of 255 available STGs. Each STG acts as an independent, simultaneous instance of STP. PVRST uses IEEE 802.1Q tagging to differentiate STP BPDUs and is compatible with Cisco R‐PVST/R‐PVST+ modes. The relationship between ports, LAGs, VLANs, and Spanning Trees is shown in Table Table 17. Ports, LAGs, and VLANs Switch Element Belongs To Port LAG or one or more VLANs One or more VLANs VLAN (non‐default)  PVRST: One VLAN per STG  RSTP: All VLANs are in STG 1  MSTP: Multiple VLANs per STG © Copyright Lenovo 2016 Chapter 11: Spanning Tree Protocols...
Page 190: Port States
Port States The port state controls the forwarding and learning processes of Spanning Tree. In PVRST, the port state has been consolidated to the following: discarding, learning, and forwarding. Due to the sequence involved in these STP states, considerable delays may occur while paths are being resolved. To mitigate delays, ports defined as edge ports (“Port Type and Link Type” on page 208) may bypass the discarding and learning states, and enter directly into the forwarding state. Bridge Protocol Data Units To create a Spanning Tree, the switch generates a configuration Bridge Protocol Data Unit (BPDU), which it then forwards out of its ports. All switches in the Layer 2 network participating in the Spanning Tree gather information about other switches in the network through an exchange of BPDUs. How BPDU Works A bridge sends BPDU packets at a configurable regular interval (2 seconds by default). The BPDU is used to establish a path, much like a hello packet in IP routing. BPDUs contain information about the transmitting bridge and its ports, including bridge MAC addresses, bridge priority, port priority, and path cost. If the ports are in trunk mode/tagged, each port sends out a special BPDU containing the tagged information. The generic action of a switch on receiving a BPDU is to compare the received BPDU to its own BPDU that it will transmit. If the priority of the received BPDU is better than its own priority, it will replace its BPDU with the received BPDU. Then, the switch adds its own bridge ID number and increments the path cost of the BPDU. The switch uses this information to block any necessary ports. Note: If STP is globally disabled, BPDUs from external devices will transit the switch transparently. If STP is globally enabled, for ports where STP is turned off, inbound BPDUs will instead be discarded. Determining the Path for Forwarding BPDUs When determining which port to use for forwarding and which port to block, the ...
Page 191 You can configure the root guard at the port level using the following commands: RS G8264(config)# interface port <port number> RS G8264(configif)# spanningtree guard root The default state is “none”, i.e. disabled. Loop Guard In general, STP resolves redundant network topologies into loop‐free topologies. The loop guard feature performs additional checking to detect loops that might not be found using Spanning Tree. STP loop guard ensures that a non‐designated port does not become a designated port. To globally enable loop guard, enter the following command: RS G8264(config)# spanningtree loopguard Note: The global loop guard command will be effective on a port only if the port‐level loop guard command is set to default as shown below: RS G8264(config)# interface port <port number> RS G8264(configif)# no spanningtree guard To enable loop guard at the port level, enter the following command: RS G8264(config)# interface port <port number> RS G8264(configif)# spanningtree guard loop The default state is “none” (disabled). © Copyright Lenovo 2016 Chapter 11: Spanning Tree Protocols...
Page 192: Simple Stp Configuration
RS G8264(configif)# spanningtree stp <STG number or range> pathcost <path cost value> RS G8264(configif)# exit The port path cost can be a value from 1 to 200000000. Specify 0 for automatic path cost. Simple STP Configuration Figure 11 depicts a simple topology using a switch‐to‐switch link between two G8264 1 and 2. Figure 11. Spanning Tree Blocking a Switch‐to‐Switch Link Enterprise Routing Switches Switch 1 Switch 2 Blocks Link Server Server Server Server To prevent a network loop among the switches, STP must block one of the links between them. In this case, it is desired that STP block the link between the Lenovo switches, and not one of the G8264 uplinks or the Enterprise switch LAG. During operation, if one G8264 experiences an uplink failure, STP will activate the Lenovo switch‐to‐switch link so that server traffic on the affected G8264 may pass through to the active uplink on the other G8264, as shown in Figure G8264 Application Guide for ENOS 8.4...
Page 193 Figure 12. Spanning Tree Restoring the Switch‐to‐Switch Link Enterprise Uplink Routing Failure Switches Switch 1 Switch 2 Restores Link Server Server Server Server In this example, port 10 on each G8264 is used for the switch‐to‐switch link. To ensure that the G8264 switch‐to‐switch link is blocked during normal operation, the port path cost is set to a higher value than other paths in the network. To configure the port path cost on the switch‐to‐switch links in this example, use the following commands on each G8264. RS G8264(config)# interface port 10 RS G8264(configif)# spanningtree stp 1 pathcost 60000 RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 11: Spanning Tree Protocols...
Page 194: Per-Vlan Spanning Tree Groups
Per-VLAN Spanning Tree Groups PVRST mode supports a maximum of 256 STGs, with each STG acting as an independent, simultaneous instance of STP. STG 256 can only be used for management traffic. Notes:  By default, a maximum number of 128 STGs is supported. To upgrade the value to 256, configure the switch accordingly and reboot. Make sure the PVRST switches are both booted with 128 STGs profile or 256 STGs profile.  For optimal performance, it is recommended to stay within a maximum of 10 interfaces or aggregated links (including vLAGs) with 4K MAC table entries when deploying 256 STP groups. Multiple STGs provide multiple data paths which can be used for load‐balancing and redundancy. To enable load balancing between two G8264s using multiple STGs, configure each path with a different VLAN and then assign each VLAN to a separate STG. Since each STG is independent, they each send their own IEEE 802.1Q tagged Bridge Protocol Data Units (BPDUs). Each STG behaves as a bridge group and forms a loop‐free topology. The default STG 1 may contain multiple VLANs (typically until they can be assigned to another STG). STGs 2‐256 may contain only one VLAN each. Using Multiple STGs to Eliminate False Loops Figure 13 shows a simple example of why multiple STGs are needed. In the figure, two ports on a G8264 are connected to two ports on an application switch. Each of the links is configured for a different VLAN, preventing a network loop. However, in the first network, since a single instance of Spanning Tree is running on all the ports of the G8264, a physical loop is assumed to exist, and one of the VLANs is blocked, impacting connectivity even though no actual loop exists. Figure 13. Using Multiple Instances of Spanning Tree Group Switch 1 Switch 2 STG 1...
Page 195 In the second network, the problem of improper link blocking is resolved when the VLANs are placed into different Spanning Tree Groups (STGs). Since each STG has its own independent instance of Spanning Tree, each STG is responsible only for the loops within its own VLAN. This eliminates the false loop, and allows both VLANs to forward packets between the switches at the same time. © Copyright Lenovo 2016 Chapter 11: Spanning Tree Protocols...
Page 196: Vlans And Stg Assignment
VLANs and STG Assignment In PVRST mode, up to 256 STGs are supported. Ports cannot be added directly to an STG. Instead, ports must be added as members of a VLAN, and the VLAN must then be assigned to the STG. STG 1 is the default STG. Although VLANs can be added to or deleted from default STG 1, the STG itself cannot be deleted from the system. By default, STG 1 is enabled and includes VLAN 1, which by default includes all switch ports (except for management VLANs and management ports) STG 256 is reserved for switch management. By default, STG 256 is disabled, but includes management VLAN 4095 and the management port. By default, all other STGs (STG 2 through 255) are enabled, though they initially include no member VLANs. VLANs must be assigned to STGs. By default, this is done automatically using VLAN Automatic STG Assignment (VASA), though it can also be done manually (see “Manually Assigning STGs” on page 197. When VASA is enabled (as by default), each time a new VLAN is configured, the switch will automatically assign that new VLAN to its own STG. Conversely, when a VLAN is deleted, if its STG is not associated with any other VLAN, the STG is returned to the available pool. The specific STG number to which the VLAN is assigned is based on the VLAN number itself. For low VLAN numbers (1 through 255), the switch will attempt to assign the VLAN to its matching STG number. For higher numbered VLANs, the STG assignment is based on a simple modulus calculation; the attempted STG number will “wrap around,” starting back at the top of STG list each time the end of the list is reached. However, if the attempted STG is already in use, the switch will select the next available STG. If an empty STG is not available when creating a new VLAN, the VLAN is automatically assigned to default STG 1. If ports are tagged, each tagged port sends out a special BPDU containing the tagged information. Also, when a tagged port belongs to more than one STG, the egress BPDUs are tagged to distinguish the BPDUs of one STG from those of another STG. VASA is enabled by default, but can be disabled or re‐enabled using the following commands: RS G8264(config)# [no] spanningtree stgauto If VASA is disabled, when you create a new VLAN, that VLAN automatically belongs to default STG 1. To place the VLAN in a different STG, assign it manually. VASA applies only to PVRST mode and is ignored in RSTP and MSTP modes.
Page 197: Manually Assigning Stgs
197. The VLAN is automatically removed from its old STG before being placed into the new STG.  Each VLANs must be contained within a single STG; a VLAN cannot span multiple STGs. By confining VLANs within a single STG, you avoid problems with Spanning Tree blocking ports and causing a loss of connectivity within the VLAN. When a VLAN spans multiple switches, it is recommended that the VLAN remain within the same STG (be assigned the same STG ID) across all the switches.  If ports are tagged, all aggregated ports can belong to multiple STGs.  A port cannot be directly added to an STG. The port must first be added to a VLAN, and that VLAN added to the desired STG. Rules for VLAN Tagged/Trunk Mode Ports The following rules apply to VLAN tagged ports:  Tagged/trunk mode ports can belong to more than one STG, but untagged/access mode ports can belong to only one STG.  When a tagged/trunk mode port belongs to more than one STG, the egress BPDUs are tagged to distinguish the BPDUs of one STG from those of another STG. © Copyright Lenovo 2016 Chapter 11: Spanning Tree Protocols...
Page 198: Adding And Removing Ports From Stgs
Adding and Removing Ports from STGs The following rules apply when you add ports to or remove ports from STGs: When you add a port to a VLAN that belongs to an STG, the port is also added  to that STG. However, if the port you are adding is an untagged port and is already a member of another STG, that port will be removed from its current STG and added to the new STG. An untagged port cannot belong to more than one STG. For example: Assume that VLAN 1 belongs to STG 1, and that port 1 is untagged and does not belong to any STG. When you add port 1 to VLAN 1, port 1 will automatically become part of STG 1. However, if port 5 is untagged and is a member of VLAN 3 in STG 2, then adding port 5 to VLAN 1 in STG 1 will change the port PVID from 3 to 1: "Port 5 is an UNTAGGED/Access Mode port and its PVID/NativeVLAN changed from 3 to 1. When you remove a port from VLAN that belongs to an STG, that port will also  be removed from the STG. However, if that port belongs to another VLAN in the same STG, the port remains in the STG. As an example, assume that port 2 belongs to only VLAN 2, and that VLAN 2 belongs to STG 2. When you remove port 2 from VLAN 2, the port is moved to default VLAN 1 and is removed from STG 2. However, if port 2 belongs to both VLAN 1 and VLAN 2, and both VLANs belong to STG 1, removing port 2 from VLAN 2 does not remove port 2 from STG 1 because the port is still a member of VLAN 1, which is still a member of STG 1.  An STG cannot be deleted, only disabled. If you disable the STG while it still contains VLAN members, Spanning Tree will be off on all ports belonging to that VLAN. The relationship between port, LAGs, VLANs, and Spanning Trees is shown in Table 17 on page 189. G8264 Application Guide for ENOS 8.4...
Page 199: The Switch-Centric Model
Application Switch C Switch D The VLAN participation for each Spanning Tree Group in Figure 14 on page 199 is as follows: VLAN 1 Participation  Assuming Switch B to be the root bridge, Switch B transmits the BPDU for STG 1 on ports 1 and 2. Switch C receives the BPDU on port 2, and Switch D receives the BPDU on port 1. Because there is a network loop between the switches in VLAN 1, either Switch D will block port 8 or Switch C will block port 1, depending on the information provided in the BPDU.  VLAN 2 Participation Switch B, the root bridge, generates a BPDU for STG 2 from port 8. Switch A receives this BPDU on port 17, which is assigned to VLAN 2, STG 2. Because switch B has no additional ports participating in STG 2, this BPDU is not forwarded to any additional ports and Switch B remains the designated root.  VLAN 3 Participation For VLAN 3, Switch A or Switch C may be the root bridge. If Switch A is the root bridge for VLAN 3, STG 3, then Switch A transmits the BPDU from port 18. Switch C receives this BPDU on port 8 and is identified as participating in VLAN 3, STG 3. Since Switch C has no additional ports participating in STG 3, this BPDU is not forwarded to any additional ports and Switch A remains the designated root. © Copyright Lenovo 2016 Chapter 11: Spanning Tree Protocols...
Page 200: Configuring Multiple Stgs
Configuring Multiple STGs This configuration shows how to configure the three instances of STGs on the switches A, B, C, and D illustrated in Figure 14 on page 199. Because VASA is enabled by default, each new VLAN is automatically assigned its own STG. 1. Set the Spanning Tree mode on each switch to PVRST. RS G8264(config)# spanningtree mode pvrst Note: PVRST is the default mode on the G8264. This step is not required unless the STP mode has been previously changed, and is shown here merely as an example of manual configuration. 2. Configure the following on Switch A: a. Enable VLAN 2 and VLAN 3. RS G8264(config)# vlan 2 RS G8264(configvlan)# exit RS G8264(config)# vlan 3 RS G8264(configvlan)# exit If VASA is disabled, enter the following commands: RS G8264(config)# spanningtree stp 2 vlan 2 RS G8264(config)# spanningtree stp 3 vlan 3 b. Add port 17 to VLAN 2, port 18 to VLAN 3. RS G8264(config)# interface port 17 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 2 RS G8264(configif)# exit RS G8264(config)# interface port 18...
Page 201 RS G8264(config)# spanningtree stp 2 vlan 2 b. VLAN 2 is automatically removed from STG 1. By default VLAN 1 remains in STG 1. 4. Configure the following on application switch C: a. Add port 8 to VLAN 3. Ports 1 and 2 are by default in VLAN 1 assigned to STG 1. RS G8264(config)# vlan 3 RS G8264(configvlan)# exit RS G8264(config)# interface port 8 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 3 RS G8264(configif)# exit If VASA is disabled, enter the following command: RS G8264(config)# spanningtree stp 3 vlan 3 b. VLAN 3 is automatically removed from STG 1. By default VLAN 1 remains in STG 1. 5. Switch D does not require any special configuration for multiple Spanning Trees. Switch D uses default STG 1 only. © Copyright Lenovo 2016 Chapter 11: Spanning Tree Protocols...
Page 202: Rapid Spanning Tree Protocol
Rapid Spanning Tree Protocol RSTP provides rapid convergence of the Spanning Tree and provides the fast re‐configuration critical for networks carrying delay‐sensitive traffic such as voice and video. RSTP significantly reduces the time to reconfigure the active topology of the network when changes occur to the physical topology or its configuration parameters. RSTP reduces the bridged‐LAN topology to a single Spanning Tree. RSTP was originally defined in IEEE 802.1w (2001) and was later incorporated into IEEE 802.1D (2004), superseding the original STP standard. RSTP parameters apply only to Spanning Tree Group (STG) 1. The PVRST mode STGs 2‐256 are not used when the switch is placed in RSTP mode. RSTP is compatible with devices that run IEEE 802.1D (1998) Spanning Tree Protocol. If the switch detects IEEE 802.1D (1998) BPDUs, it responds with IEEE 802.1D (1998)‐compatible data units. RSTP is not compatible with Per‐VLAN Rapid Spanning Tree (PVRST) protocol. Port States RSTP port state controls are the same as for PVRST: discarding, learning, and forwarding. Due to the sequence involved in these STP states, considerable delays may occur while paths are being resolved. To mitigate delays, ports defined as edge/portfast ports (“Port Type and Link Type” on page 208) may bypass the discarding and learning states, and enter directly into the forwarding state. RSTP Configuration Guidelines This section provides important information about configuring RSTP. When RSTP is turned on, the following occurs:  STP parameters apply only to STG 1.  Only STG 1 is available. All other STGs are turned off.  All VLANs, including management VLANs, are moved to STG 1. G8264 Application Guide for ENOS 8.4...
Page 203: Rstp Configuration Example
4. Configure port parameters: RS G8264(config)# interface port 3 RS G8264(config-if)# spanning-tree stp 1 priority 240 RS G8264(config-if)# spanning-tree stp 1 path-cost 500 RS G8264(config-if)# no spanning-tree stp 1 enable RS G8264(config-if)# exit © Copyright Lenovo 2016 Chapter 11: Spanning Tree Protocols...
Page 204: Multiple Spanning Tree Protocol
Multiple Spanning Tree Protocol Multiple Spanning Tree Protocol (MSTP) extends Rapid Spanning Tree Protocol (RSTP), allowing multiple Spanning Tree Groups (STGs) which may each include multiple VLANs. MSTP was originally defined in IEEE 802.1s (2002) and was later included in IEEE 802.1Q (2003). In MSTP mode, the G8264 supports up to 32 instances of Spanning Tree, corresponding to STGs 1‐32, with each STG acting as an independent, simultaneous instance of RSTP. MSTP allows frames assigned to different VLANs to follow separate paths, with each path based on an independent Spanning Tree instance. This approach provides multiple forwarding paths for data traffic, thereby enabling load‐balancing, and reducing the number of Spanning Tree instances required to support a large number of VLANs. Due to Spanning Tree’s sequence of discarding, learning, and forwarding, lengthy delays may occur while paths are being resolved. Ports defined as edge/portfast ports (“Port Type and Link Type” on page 208) bypass the Discarding and Learning states, and enter directly into the Forwarding state. Note: In MSTP mode, Spanning Tree for the management ports is turned off by default. MSTP Region A group of interconnected bridges that share the same attributes is called an MST region. Each bridge within the region must share the following attributes:  Alphanumeric name Revision number   VLAN‐to STG mapping scheme MSTP provides rapid re‐configuration, scalability and control due to the support of regions, and multiple Spanning‐Tree instances support within each region. Common Internal Spanning Tree The Common Internal Spanning Tree (CIST) or MST0 provides a common form of ...
Page 205: Mstp Configuration Guidelines
MSTP Configuration Examples The following section contains examples of how to configure multiple spanning trees. MSTP Example 1 This section provides steps to configure MSTP on the G8264. 1. Configure port and VLAN membership on the switch. 2. Configure Multiple Spanning Tree region parameters, and set the mode to MSTP. RS G8264(config)# spanningtree mst configuration (Enter MST configuration mode) RS G8264(configmst)# name <name> (Define the Region name) RS G8264(configmst)# revision <0 – 65535>(Define the Region revision number) RS G8264(configmst)# exit RS G8264(config)# spanningtree mode mst(Set mode to Multiple Spanning Trees) 3. Map VLANs to MSTP instances: RS G8264(config)# spanningtree mst configuration (Enter MST configuration mode) RS G8264(configmst)# instance <instance ID> vlan <vlan number or range> © Copyright Lenovo 2016 Chapter 11: Spanning Tree Protocols...
Page 206: Mstp Example 2
MSTP Example 2 This configuration shows how to configure MSTP Groups on the switch, as shown in Figure 14. Figure 15. Implementing Multiple Spanning Tree Groups Enterprise Enterprise Routing Switch Routing Switch MSTP Group 1 MSTP Group 2 Root Root Passing VLAN 1 Blocking VLAN 1 Blocking VLAN 2 Passing VLAN 2 Server 1 Server 2 Server 3 Server 4 VLAN 1 VLAN 1...
Page 207 3. Map VLANs to MSTP instances: RS G8264(config)# spanningtree mst configuration RS G8264(configmst)# instance 1 vlan 1 RS G8264(configmst)# instance 2 vlan 2 4. Configure port membership and define the STGs for VLAN 2. Add server ports 3 and 4 to VLAN 2. Uplink ports 19 and 20 are automatically added to VLAN 2. Assign VLAN 2 to STG 2. RS G8264(config)# interface port 3,4 RS G8264(configif)# switchport access vlan 2 RS G8264(configif)# exit Note: Each STG is enabled by default. © Copyright Lenovo 2016 Chapter 11: Spanning Tree Protocols...
Page 208: Port Type And Link Type
Port Type and Link Type The following port types and link types work with STP. Edge/Portfast Port A port that does not connect to a bridge is called an edge port. Since edge ports are assumed to be connected to non‐STP devices (such as directly to hosts or servers), they are placed in the forwarding state as soon as the link is up. Edge ports send BPDUs to upstream STP devices like normal STP ports, but do not receive BPDUs. If a port with edge enabled does receive a BPDU, it immediately begins working as a normal (non‐edge) port, and participates fully in Spanning Tree. Use the following commands to define or clear a port as an edge port: RS G8264(config)# interface port <port> RS G8264(configif)# [no] spanningtree portfast RS G8264(configif)# exit Link Type The link type determines how the port behaves in regard to Rapid Spanning Tree. Use the following commands to define the link type for the port: RS G8264(config)# interface port <port> RS G8264(configif)# [no] spanningtree linktype <type> RS G8264(configif)# exit where type corresponds to the duplex mode of the port, as follows:  A full‐duplex link to another device (point‐to‐point) shared  A half‐duplex link is a shared segment and can contain more than one device. auto ...
Page 209: Chapter 12. Virtual Link Aggregation Groups
Peers Layer STP blocks Links remain implicit loops VLAGs active Access Layer Servers As shown in the example, a switch in the access layer may be connected to more than one switch in the aggregation layer to provide for network redundancy. Typically, Spanning Tree Protocol (RSTP, PVRST, or MSTP—see Chapter 11, “Spanning Tree Protocols) is used to prevent broadcast loops, blocking redundant uplink paths. This has the unwanted consequence of reducing the available bandwidth between the layers by as much as 50%. In addition, STP may be slow to resolve topology changes that occur during a link failure, and can result in considerable MAC address flooding. Using Virtual Link Aggregation Groups (VLAGs), the redundant uplinks remain active, utilizing all available bandwidth. Two switches are paired into VLAG peers, and act as a single virtual entity for the purpose of establishing a multi‐port aggregation. Ports from both peers can be grouped into a VLAG and connected to the same LAG‐capable target device. From the perspective of the target device, the ports connected to the VLAG peers appear to be a single LAG connecting to a single logical device. The target device uses the configured Tier ID to identify the VLAG peers as this single logical device. It is important that you use a unique Tier ID for each VLAG pair you configure. The VLAG‐capable switches synchronize their logical view of the access layer port structure and internally prevent implicit loops. The VLAG topology also responds more quickly to link failure and does not result in unnecessary MAC flooding. VLAGs are also useful in multi‐layer environments for both uplink and downlink redundancy to any regular LAG‐capable device. For example: © Copyright Lenovo 2016...
Page 210 Figure 17. VLAG Application with Multiple Layers Layer 2/3 Border LACP-capable Routers VLAG 5 VLAG 6 Layer 2 Region VLAG with multiple levels Peers C VLAG 3 VLAG 3 VLAG 4 VLAG VLAG Peers A Peers B VLAG 1 VLAG 2 LACP-capable Switch LACP-capable Server Servers Wherever ports from both peered switches are aggregated to another device, the ...
Page 211 In addition, when used with VRRP, VLAGs can provide seamless active‐active failover for network links. For example Figure 18. VLAG Application with VRRP: VLAG Peers VRRP VRRP VLAG Master Backup Active Server Traffic Flows © Copyright Lenovo 2016 Chapter 12: Virtual Link Aggregation Groups...
Page 212: Vlag Capacities
VLAG Capacities Servers or switches that connect to the VLAG peers using a multi‐port VLAG are considered VLAG clients. VLAG clients are not required to be VLAG‐capable. The ports participating in the VLAG are configured as regular port LAGs on the VLAG client end. On the VLAG peers, the VLAGs are configured similarly to regular port LAGs, using many of the same features and rules. See Chapter 10, “Ports and Link Aggregation” for general information concerning all port LAGs. Each VLAG begins as a regular port LAG on each VLAG‐peer switch. The VLAG may be either a static LAG (portchannel) or dynamic LACP LAG, and consumes one slot from the overall port LAG capacity pool. The LAG type must match that used on VLAG client devices. Additional configuration is then required to implement the VLAG on both VLAG peer switches. You may configure up to 64 LAGs on the switch, with all types (regular or VLAG, static or LACP) sharing the same pool. The maximum number of supported VLAG instances is as follows: With STP off: Maximum of 52 VLAG instances   With STP on: PVRST/MSTP with one VLAG instance per VLAN/STG: Maximum of 52  VLAG instances PVRST/MSTP with one VLAG instance belonging to multiple  VLANs/STGs: Maximum of 20 VLAG instances Each LAG type can contain up to 32 member ports, depending on the port type and availability. VLAGs versus Port LAGs Though similar to regular port LAGs in many regards, VLAGs differ from regular port LAGs in a number of important ways: A VLAG can consist of multiple ports on two VLAG peers, which are connected  to one logical client device such as a server, switch, or another VLAG device.  The participating ports on the client device are configured as a regular port ...
Page 213  Routing over VLAGs is not supported. However, IP forwarding between subnets served by VLAGs can be accomplished using VRRP.  VLAGs are configured using additional commands.  It is recommended that end‐devices connected to VLAG switches use NICs with dual‐homing. This increases traffic efficiency, reduces ISL load, and provides faster link failover. © Copyright Lenovo 2016 Chapter 12: Virtual Link Aggregation Groups...
Page 214: Configuring Vlags
Configuring VLAGs When configuring VLAG or making changes to your VLAG configuration, consider the following VLAG behavior:  When adding a static Mrouter on VLAG links, ensure that you also add it on the ISL link to avoid VLAG link failure. If the VLAG link fails, traffic cannot be recovered through the ISL. Also ensure you add the same static entry on the peer VLAG switch for VLAG ports. If you have enabled VLAG on the switch, and you need to change the STP mode,  ensure that you first disable VLAG and then change the STP mode.  When VLAG is enabled, you may see two root ports on the secondary VLAG switch. One of these will be the actual root port for the secondary VLAG switch and the other will be a root port synced with the primary VLAG switch. The LACP key used must be unique for each VLAG in the entire topology.   The STG to VLAN mapping on both VLAG peers must be identical. The following parameters must be identically configured on the VLAG ports of both the VLAG peers:  VLANs  Native VLAN tagging  Native VLAN/PVID  STP mode  BPDU Guard setting  STP port setting  MAC aging timers  Static MAC entries  ACL configuration parameters ...
Page 215: Basic Vlag Configuration
In the following example configuration, only the configuration for VLAG 1 on VLAG Peer 1 is shown. VLAG Peer 2 and all other VLAGs are configured in a similar fashion. Configuring the ISL The ISL connecting the VLAG peers is shared by all their VLAGs. The ISL needs to be configured only once on each VLAG peer. 1. Configure STP if required. Use PVRST or MSTP mode only: RS G8264(config)# spanningtree mode pvrst 2. Configure the ISL ports and place them into a port LAG: RS G8264(config)# interface port 12 RS G8264(configif)# switchport mode trunk RS G8264(configif)# lacp mode active RS G8264(configif)# lacp key 200 RS G8264(configif)# exit RS G8264(config)# vlag isl adminkey 200 © Copyright Lenovo 2016 Chapter 12: Virtual Link Aggregation Groups...
Page 216: Configuring The Vlag
Notes:  In this case, a dynamic LAG is shown. A static LAG (portchannel) could be configured instead.  ISL ports and VLAG ports must be members of the same VLANs. 3. Configure VLAG Tier ID. This is used to identify the VLAG switch in a multi‐tier environment. RS G8264(config)# vlag tierid 10 4. Configure the ISL for the VLAG peer. Make sure you configure the VLAG peer (VLAG Peer 2) using the same ISL aggregation type (dynamic or static), the same VLAN for VLAG and VLAG ISL ports, and the same STP mode and tier ID used on VLAG Peer 1. Configuring the VLAG To configure the VLAG: 1. Configure the VLAN for VLAG 1 ports. Make sure members include the ISL and VLAG 1 ports. Once the VLAN is ready, the ISL ports are automatically added to it. RS G8264(config)# vlan 100 RS G8264(configvlan)# exit RS G8264(config)# interface port 8 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 100 RS G8264(configif)# exit Note: In MSTP mode, VLANs are automatically mapped to CIST. 2. Place the VLAG 1 port(s) in a port LAG: RS G8264(config)# interface port 8 RS G8264(configif)# lacp mode active RS G8264(configif)# lacp key 1000 RS G8264(configif)# exit...
Page 218: Vlag Configuration - Vlans Mapped To Msti
VLAG Configuration - VLANs Mapped to MSTI Follow the steps in this section to configure VLAG in environments where the STP mode is MSTP and no previous VLAG was configured. Configuring the ISL The ISL connecting the VLAG peers is shared by all their VLAGs. The ISL needs to be configured only once on each VLAG peer. Ensure you have the same region name, revision and VLAN‐to‐STG mapping on both VLAG switches. 1. Configure STP: RS G8264(config)# spanningtree mode mst 2. Configure the ISL ports and place them into a portchannel (dynamic or static): RS G8264(config)# interface port 12 RS G8264(configif)# switchport mode trunk RS G8264(configif)# lacp mode active RS G8264(configif)# lacp key 200 RS G8264(configif)# exit RS G8264(config)# vlag isl adminkey 200 Notes:  In this case, a dynamic LAG is shown. A static LAG (portchannel) could be configured instead.  ISL ports and VLAG ports must be members of the same VLANs. 3. Configure the VLAG Tier ID. This is used to identify the VLAG switch in a multi‐tier environment. ...
Page 219 5. Add VLAG ports to the VLAN. RS G8264(config)# interface port 12,8 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 100 RS G8264(configif)# exit 6. Enable VLAG. RS G8264(config)# vlag enable 7. Place the VLAG 1 ports in a port trunk group. RS G8264(config)# interface port 8 RS G8264(configif)# lacp mode active RS G8264(configif)# lacp key 1000 RS G8264(configif)# exit 8. Assign the trunk to the VLAG. RS G8264(config)# vlag adminkey 1000 enable 9. Continue by configuring all required VLAGs on VLAG Peer 1, then follow the steps for configuring VLAG Peer 2. © Copyright Lenovo 2016 Chapter 12: Virtual Link Aggregation Groups...
Page 220 10. Configure the VLAN for VLAG 2. RS G8264(config)# vlan 100 RS G8264(configvlan)# exit Note: The VLAN is automatically mapped to CIST. 11. Map the VLAN to an MSTI. RS G8264(config)# spanningtree mst 1 vlan 100 Note: At this point, traffic may be momentarily disrupted due to STP recalculation. 12. Disable VLAG. RS G8264(config)# no vlag enable Note: At this point, traffic may be momentarily disrupted due to STP recalculation. 13. Add VLAG ports to the VLAN. RS G8264(config)# interface port 12,8 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 100 RS G8264(configif)# exit 14. Enable VLAG. RS G8264(config)# vlag enable Note: At this point, traffic may be momentarily disrupted due to STP recalculation. On VLAG Peer 1: 15.
Page 221: Configuring Health Check
Note: If the switch does not have a dedicated management interface, configure a VLAN for the health check interface. The health check interface can be configured with an IPv4 address: RS G8264(config)# interface ip 128 RS G8264(configipif)# ip address 10.10.10.1 255.255.255.0 RS G8264(configipif)# enable RS G8264(configipif)# exit Note: Configure a similar interface on VLAG Peer 2. For example, use IP address 10.10.10.2. 2. Specify the IPv4 or IPv6 address of the VLAG Peer: RS G8264(config)# vlag hlthchk peerip 10.10.10.2 Note: For VLAG Peer 2, the management interface would be configured as 10.10.10.2, and the health check would be configured for 10.10.10.1, pointing back to VLAG Peer 1. VLAG supports either IPv4 or IPv6 health check addresses at one time. Configuring an IPv4 health check address, will set any IPv6 health check address in the VLAG to 0, and vice‐versa. You can still configure an IPv6 health check address in a profile that does not support IPv6. The local health check IP address cannot be configured manually. It is automatically configured within the same subnetwork as the peer’s VLAG health check IP address. © Copyright Lenovo 2016 Chapter 12: Virtual Link Aggregation Groups...
Page 222: Vlags With Vrrp
VLAGs with VRRP Note: In a multi‐layer environment, configure VRRP separately for each layer. We recommend that you configure VRRP only on the tier with uplinks. See “Configuring VLAGs in Multiple Layers” on page 229. VRRP (see Chapter 39, “Virtual Router Redundancy Protocol”) can be used in conjunction with VLAGs and LACP‐capable devices to provide seamless redundancy. Figure 20. Active‐Active Configuration using VRRP and VLAGs VRRP Master Server 1 VLAG Peer 1 Layer 3 VLAG 1 VIR: 10.0.1.100 Router 10.0.1.1 Server 2 VLAG 2 Internet 10.0.1.2 VLAG 3 Server 3 Layer 3 VRRP Backup 10.0.1.3...
Page 223 RS G8264(configif)# switchport access vlan 10 RS G8264(configif)# exit RS G8264(config)# interface port 2 RS G8264(configif)# switchport access vlan 20 RS G8264(configif)# exit 8. Configure the server ports. RS G8264(config)# interface port 10 RS G8264(configif)# switchport access vlan 100 RS G8264(configif)# exit RS G8264(config)# interface port 11 RS G8264(configif)# switchport access vlan 100 RS G8264(configif)# exit RS G8264(config)# interface port 12 RS G8264(configif)# switchport access vlan 100 RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 12: Virtual Link Aggregation Groups...
Page 224 9. Configure all VLANs including VLANs for the VLAGs. RS G8264(config)# vlan 10 RS G8264(configvlan)# exit RS G8264(config)# interface port 1 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan add 10 RS G8264(configif)# exit RS G8264(config)# vlan 20 RS G8264(configvlan)# exit RS G8264(config)# interface port 2 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan add 20 RS G8264(configif)# exit RS G8264(config)# vlan 100 RS G8264(configvlan)# exit RS G8264(config)# interface port 45 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 100 RS G8264(configif)# exit 10. Configure Internet‐facing interfaces. RS G8264(config)# interface ip 1 RS G8264(configipif)# ip address 172.1.1.10 255.255.255.0 RS G8264(configipif)# vlan 10...
Page 225: Task 2: Configure Vlag Peer 2
RS G8264(configipif)# vlan 100 RS G8264(configipif)# exit 4. Turn on VRRP and configure the Virtual Interface Router. RS G8264(config)# router vrrp RS G8264(configvrrp)# enable RS G8264(configvrrp)# virtualrouter 1 virtualrouterid 1 RS G8264(configvrrp)# virtualrouter 1 interface 3 RS G8264(configvrrp)# virtualrouter 1 address 10.0.1.100 RS G8264(configvrrp)# virtualrouter 1 enable 5. Configure the ISL ports and place them into a port LAG: RS G8264(config)# interface port 45 RS G8264(configif)# switchport mode trunk RS G8264(configif)# lacp mode active RS G8264(configif)# lacp key 2000 RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 12: Virtual Link Aggregation Groups...
Page 226 6. Configure the upstream ports. RS G8264(config)# interface port 1 RS G8264(configif)# switchport access vlan 30 RS G8264(configif)# exit RS G8264(config)# interface port 2 RS G8264(configif)# switchport access vlan 40 RS G8264(configif)# exit 7. Configure the server ports. RS G8264(config)# interface port 10 RS G8264(configif)# switchport access vlan 100 RS G8264(configif)# exit RS G8264(config)# interface port 11 RS G8264(configif)# switchport access vlan 100 RS G8264(configif)# exit RS G8264(config)# interface port 12 RS G8264(configif)# switchport access vlan 100 RS G8264(configif)# exit 8. Configure all VLANs including VLANs for the VLAGs. RS G8264(config)# vlan 30 RS G8264(configvlan)# exit RS G8264(config)# interface port 1 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan add 30...
Page 227 RS G8264(configif)# lacp key 1000 RS G8264(configif)# exit RS G8264(config)# interface port 11 RS G8264(configif)# lacp mode active RS G8264(configif)# lacp key 1100 RS G8264(configif)# exit RS G8264(config)# interface port 12 RS G8264(configif)# lacp mode active RS G8264(configif)# lacp key 1200 RS G8264(configif)# exit 11. Assign the LAGs to the VLAGs: RS G8264(config)# vlag adminkey 1000 enable RS G8264(config)# vlag adminkey 1100 enable RS G8264(config)# vlag adminkey 1200 enable 12. Verify the completed configuration: # show vlag information © Copyright Lenovo 2016 Chapter 12: Virtual Link Aggregation Groups...
Page 228: Two-Tier Vlags With Vrrp
Two-tier vLAGs with VRRP vLAG Active‐Active VRRP makes the secondary vLAG switch route Layer 3 traffic, thus reducing routing latency. If it is used in a two‐tier vLAG environment, there may be two VRRP master switches for one VRRP domain and their role will constantly flap. To prevent such occurrences, there are two vLAG VRRP modes: 1. vLAG VRRP Active (Full Active‐Active) mode In active mode, Layer 3 traffic is forwarded in all vLAG related VRRP domains. To enable vLAG VRRP active mode on a switch, use the following command: RS G8264(config)# vlag vrrp active Note: This is the default vLAG VRRP mode. 2. vLAG VRRP Passive (Half Active‐Active) mode In passive mode, Layer 3 traffic is forwarded in a vLAG related VRRP domain only if either the switch or its peer virtual router is the VRRP master. To enable vLAG VRRP passive mode on a switch, use the following command: RS G8264(config)# no vlag vrrp active To verify the currently configured vLAG VRRP mode you can use the following command: RS G8264(config)# show vlag vrrp G8264 Application Guide for ENOS 8.4...
Page 229: Vlag Peer Gateway
VLAG 4 VLAG VLAG Peers A Peers B Switch C Switch D Switch E Switch F VLAG 1 VLAG 2 LACP-capable Switch Switch G LACP-capable Server Servers Figure 21 shows an example of VLAG being used in a multi‐layer environment. Following are the configuration steps for the topology. © Copyright Lenovo 2016 Chapter 12: Virtual Link Aggregation Groups...
Page 230: Task 1: Configure Layer 2/3 Border Switches
Task 1: Configure Layer 2/3 border switches. Configure ports on border switch as follows: RS G8264(config)# interface port 1,2 RS G8264(configif)# lacp key 100 RS G8264(configif)# lacp mode active RS G8264(configif)# exit Repeat the previous steps for the second border switch. Task 2: Configure switches in the Layer 2 region. Consider the following:  ISL ports on switches A and B ‐ ports 1, 2  Ports connecting to Layer 2/3 ‐ ports 5, 6  Ports on switches A and B connecting to switches C and D: ports 10, 11  Ports on switch B connecting to switch E: ports 15, 16  Ports on switch B connecting to switch F: ports 17, 18 1. Configure VLAG tier ID and enable VLAG globally. RS G8264(config)# vlag tierid 10 RS G8264(config)# vlag enable 2.
Page 231 RS G8264(configif)# lacp mode active RS G8264(configif)# exit RS G8264(config)# vlag adminkey 600 enable Repeat these commands on Switch B for ports connecting to downstream VLAG switch C and D. 6. Configure ports on Switch B connecting to downstream switches E and F. RS G8264(config)# vlan 30 RS G8264(configvlan)# exit RS G8264(config)# interface port 1518 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 30 RS G8264(configif)# lacp key 700 RS G8264(configif)# lacp mode active RS G8264(configif)# exit 7. Configure ISL between switches C and D, and between E and F as shown in Step 1. 8. Configure the Switch G as shown in Step 2. © Copyright Lenovo 2016 Chapter 12: Virtual Link Aggregation Groups...
Page 232: Vlag With Pim
VLAG with PIM Protocol Independent Multicast (PIM) is designed for efficiently routing multicast traffic across one or more IPv4 domains. PIM is used by multicast source stations, client receivers, and intermediary routers and switches, to build and maintain efficient multicast routing trees. PIM is protocol independent; It collects routing information using the existing unicast routing functions underlying the IPv4 network, but does not rely on any particular unicast protocol. For PIM to function, a Layer 3 routing protocol (such as BGP, OSPF, RIP, or static routes) must first be configured on the switch. Lenovo Enterprise Network Operating System supports PIM in Sparse Mode (PIM‐SM) and Dense Mode (PIM‐DM). For more details on PIM, see Chapter 36, “Protocol Independent Multicast.” PIM, when configured in a VLAG topology, provides efficient multicast routing along with redundancy and failover. When the multicast source is located in the core L3 network, only the primary VLAG switch forwards multicast data packets to avoid duplicate packets reaching the access layer switch. The secondary VLAG switch is available as backup and forwards packets only when the primary VLAG switch is not available and during failover. When the multicast source is located in the L2 domain, behind the VLAG ports, either the primary or the secondary switch will forward the data traffic to the receiver, based on the shortest path detected by PIM. See Figure 19 on page 215 for a basic VLAG topology. For PIM to function in a VLAG topology, the following are required: IGMP (v1 or v2) must be configured on the VLAG switches.   A Layer 3 routing protocol (such as BGP, OSPF, RIP, or static routes) must be globally enabled and on VLAG‐associated IP interfaces for multicast routing.  The VLAG switches must be connected to upstream multicast routers.  The Rendezvous Point (RP) and/or the Bootstrap router (BSR) must be configured on the upstream router.  The multicast sources must be connected to the upstream router.
Page 233: Health Check
If the uplink to the secondary VLAG switch is down, the primary VLAG switch  forwards traffic to the receiver and to the secondary VLAG switch over the ISL. The secondary VLAG switch blocks traffic to the receiver so the receiver does not get double traffic. Both the VLAG switches will have multicast entries in the forward state. When the multicast source is connected to VLAG ports (layer 2 domain), traffic forwarded by the VLAG routers is managed as follows: IPMC traffic from the access switch can be hashed to any of the VLAG switches.  Consequently, both the primary and secondary VLAG switches must synchronize the (S,G) entries for faster failover.  The Rendezvous Point sends (S,G) entries to either the primary or secondary VLAG switch, depending on which provides the shortest path to the source. However, Register‐Stop messages are only sent to the primary VLAG switch. Based on the shortest path, one of the VLAG switches will forward traffic for a particular (S,G) entry to the receiver. For the VLAG multi‐tier topology, an additional L3 backup path to ISL is  supported. On the L3 backup interface, both L3 routing protocols and PIM must be enabled. Health Check In a VLAG with PIM topology, you must configure health check. See “Health Check” on page 233. When health check is configured, and the ISL is down, the primary VLAG switch forwards traffic to the receiver. The secondary VLAG switch ports will be errdisable state and will block traffic to the receiver. © Copyright Lenovo 2016 Chapter 12: Virtual Link Aggregation Groups...
Page 234 VLAG with IGMPv3 Consider the following when using VLAG with IGMPv3:  To maintain synchronization of the groups and sources states on the VLAG peers, traffic received on vLAG trunks is processed by the primary and then forwarded to the secondary. The secondary forwards the packets to the peer when it receives traffic on a vLAG and processes them when received from the peer. Traffic received on non‐vLAG ports but on an ISL VLAN is first processed by the  receiving vLAG switch and then forwarded to the peer, which will synchronize them on the ISL trunk.  The querier enabled option is supported. After querier election, when one of the peers is elected as querier, it will generate queries when required. When the secondary comes up after a reboot or ISL and health‐check fail, the  information on the primary will be considered valid and synchronized with the secondary.  PIM and IGMPv3 are not supported to work together on VLAG.  When configuring VLAG with IGMPv3, the same version of IGMP needs to be set on both VLAG switches.  The number of IGMPv3 groups with VLAG depends on the number of included and excluded sources.  The total number of supported groups is the same as the number of groups the switch can learn with VLAG disabled. All other scenarios will have a behavior similar to IGMPv2 on VLAG. G8264 Application Guide for ENOS 8.4...
Page 235: Chapter 13. Quality Of Service
Chapter 13. Quality of Service Quality of Service features allow you to allocate network resources to mission‐critical applications at the expense of applications that are less sensitive to such factors as time delays or network congestion. You can configure your network to prioritize specific types of traffic, ensuring that each type receives the appropriate Quality of Service (QoS) level. The following topics are discussed in this section:  “QoS Overview” on page 236  “Using ACL Filters” on page 237  “Using DSCP Values to Provide QoS” on page 239  “Using 802.1p Priority to Provide QoS” on page 245  “Queuing and Scheduling” on page 246  “Control Plane Protection” on page 246  “WRED with ECN” on page 248 © Copyright Lenovo 2016...
Page 236: Qos Overview
QoS Overview QoS helps you allocate guaranteed bandwidth to the critical applications, and limit bandwidth for less critical applications. Applications such as video and voice must have a certain amount of bandwidth to work correctly; using QoS, you can provide that bandwidth when necessary. Also, you can put a high priority on applications that are sensitive to timing out or that cannot tolerate delay, by assigning their traffic to a high‐priority queue. By assigning QoS levels to traffic flows on your network, you can ensure that network resources are allocated where they are needed most. QoS features allow you to prioritize network traffic, thereby providing better service for selected applications. Figure 22 shows the basic QoS model used by the switch. Figure 22. QoS Model Perform Queue and Egress Ingress Ports Classify Actions Schedule Packets Permit/Deny Queue Filter The basic QoS model works as follows: Classify traffic:  Read DSCP value.  Read 802.1p priority value.  Match ACL filter parameters.   Perform actions: Define bandwidth and burst parameters ...
Page 237: Using Acl Filters
The G8264 allows you to classify packets based on various parameters. For example:  Ethernet: source MAC, destination MAC, VLAN number/mask, Ethernet type, priority.  IPv4: Source IP address/mask, destination address/mask, type of service, IP pro‐ tocol number.  TCP/UPD: Source port, destination port, TCP flag.  Packet format For ACL details, see Chapter 7, “Access Control Lists.” Summary of ACL Actions The G8264 QoS actions include the Actions determine how the traffic is treated. following:  Pass or Drop  Redirect  Re‐mark a new DiffServ Code Point (DSCP)  Re‐mark the 802.1p field  Set the COS queue © Copyright Lenovo 2016 Chapter 13: Quality of Service...
Page 238: Acl Metering And Re-Marking
ACL Metering and Re-Marking You can define a profile for the aggregate traffic flowing through the G8264 by configuring a QoS meter (if desired) and assigning ACLs to ports. When you add ACLs to a port, make sure they are ordered correctly in terms of precedence. Actions taken by an ACL are called In‐Profile actions. You can configure additional In‐Profile and Out‐of‐Profile actions on a port. Data traffic can be metered, and re‐marked to ensure that the traffic flow provides certain levels of service in terms of bandwidth for different types of network traffic. Metering QoS metering provides different levels of service to data streams through user‐configurable parameters. A meter is used to measure the traffic stream against a traffic profile, which you create. Thus, creating meters yields In‐Profile and Out‐of‐Profile traffic for each ACL, as follows:  In‐Profile–If there is no meter configured or if the packet conforms to the meter, the packet is classified as In‐Profile.  Out‐of‐Profile–If a meter is configured and the packet does not conform to the meter (exceeds the committed rate or maximum burst rate of the meter), the packet is classified as Out‐of‐Profile. Using meters, you set a Committed Rate in Kbps (multiples of 64 Mbps). All traffic within this Committed Rate is In‐Profile. Additionally, you set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period. These parameters define the In‐Profile traffic. Meters keep the sorted packets within certain parameters. You can configure a meter on an ACL, and perform actions on metered traffic, such as packet re‐marking. Re-Marking Re‐marking allows for the treatment of packets to be reset based on new network specifications or desired levels of service. You can configure the ACL to re‐mark a packet as follows:  Change the DSCP value of a packet, used to specify the service level traffic receives.  Change the 802.1p priority of a packet. G8264 Application Guide for ENOS 8.4...
Page 239: Using Dscp Values To Provide Qos
(0‐63). Figure 23. Layer 3 IPv4 packet Version Length Offset Proto Data Length unused Differentiated Services Code Point (DSCP) The switch can perform the following actions to the DSCP: Read the DSCP value of ingress packets.   Re‐mark the DSCP value to a new value  Map the DSCP value to a Class of Service queue (COSq). The switch can use the DSCP value to direct traffic prioritization. With DiffServ, you can establish policies to direct traffic. A policy is a traffic‐controlling mechanism that monitors the characteristics of the traffic, (for example, its source, destination, and protocol) and performs a controlling action on the traffic when certain characteristics are matched. © Copyright Lenovo 2016 Chapter 13: Quality of Service...
Page 240 Trusted/Untrusted Ports By default, all ports on the G8264 are trusted. To configure untrusted ports, re‐mark the DSCP value of the incoming packet to a lower DSCP value using the following commands: RS G8264(config)# interface port 1 RS G8264(configif)# dscpmarking RS G8264(configif)# exit RS G8264(config)# qos dscp dscpmapping <DSCP value (0‐63)> <new value> RS G8264(config)# qos dscp remarking G8264 Application Guide for ENOS 8.4...
Page 241: Per Hop Behavior
Class 2 Class 3 Class 4 Precedence AF11 (DSCP 10) AF21 (DSCP 18) AF31 (DSCP 26) AF41 (DSCP 34) Medium AF12 (DSCP 12) AF22 (DSCP 20) AF32 (DSCP 28) AF42 (DSCP 36) High AF13 (DSCP 14) AF23 (DSCP 22) AF33 (DSCP 30) AF43 (DSCP 38)  Class Selector (CS)—This PHB has eight priority classes, with CS7 representing the highest priority, and CS0 representing the lowest priority, as shown in the following table. CS PHB is described in RFC 2474. Priority Class Selector DSCP Highest Lowest © Copyright Lenovo 2016 Chapter 13: Quality of Service...
Page 242: Qos Levels
QoS Levels Table 18 shows the default service levels provided by the switch, listed from highest to lowest importance: Table 18. Default QoS Service Levels Service Level Default PHB 802.1p Priority Critical Network Control Premium EF, CS5 Platinum AF41, AF42, AF43, CS4 Gold AF31, AF32, AF33, CS3 Silver AF21, AF22, AF23, CS2 Bronze AF11, AF12, AF13, CS1 Standard DF, CS0 DSCP Re-Marking and Mapping The switch can use the DSCP value of ingress packets to re‐mark the DSCP to a new value, and to set an 802.1p priority value. Use the following command to view the default settings. RS G8264# show qos dscp Current DSCP Remarking Configuration: OFF DSCP New DSCP New 802.1p Prio ...
Page 243: Dscp Re-Marking Configuration Examples
RS G8264(config)# accesscontrol list 2 tcpudp sourceport 5060 0xffff RS G8264(config)# accesscontrol list 2 meter committedrate 10000000 RS G8264(config)# accesscontrol list 2 meter enable RS G8264(config)# accesscontrol list 2 remark inprofile dscp 56 RS G8264(config)# accesscontrol list 2 remark dot1p 7 RS G8264(config)# accesscontrol list 2 action permit 2. Create an ACL to set a low priority to all other traffic. RS G8264(config)# accesscontrol list 3 action setpriority 1 RS G8264(config)# accesscontrol list 3 action permit 3. Apply the ACLs to a port and enable DSCP marking. RS G8264(config)# interface port 5 RS G8264(configif)# accesscontrol list 2 RS G8264(configif)# accesscontrol list 3 ethernet sourcemacaddress 00:00:00:00:00:00 00:00:00:00:00:00 RS G8264(configif)# dscpmarking RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 13: Quality of Service...
Page 244 4. Enable DSCP re‐marking globally. RS G8264(config)# qos dscp remarking 5. Assign the DSCP re‐mark value. RS G8264(config)# qos dscp dscpmapping 40 9 RS G8264(config)# qos dscp dscpmapping 46 9 6. Assign strict priority to VoIP COS queue. RS G8264(config)# qos transmitqueue weightcos 7 0 7. Map priority value to COS queue for non‐VoIP traffic. RS G8264(config)# qos transmitqueue mapping 1 1 8. Assign weight to the non‐VoIP COS queue. RS G8264(config)# qos transmitqueue weightcos 1 2 G8264 Application Guide for ENOS 8.4...
Page 245: Using 802.1P Priority To Provide Qos
Figure 24. Layer 2 802.1q/802.1p VLAN tagged packet DMAC SMAC E Type Data Preamble Priority VLAN Identifier (VID) Ingress packets receive a priority value, as follows:  Tagged packets—switch reads the 802.1p priority in the VLAN tag.  Untagged packets—switch tags the packet and assigns an 802.1p priority value, based on the port’s default 802.1p priority. Egress packets are placed in a COS queue based on the priority value, and scheduled for transmission based on the COS queue number. Higher COS queue numbers provide forwarding precedence To configure a port’s default 802.1p priority value, use the following commands: RS G8264(config)# interface port 1 RS G8264(configif)# dot1p <802.1p value (0‐7)> RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 13: Quality of Service...
Page 246: Queuing And Scheduling
Queuing and Scheduling The G8264 has 8 output Class of Service (COS) queues per port. If CEE is enabled, this is changed to 3 queues per port and ETS is then used to configure the scheduling in a manner different than what is described in this section. Each packet’s 802.1p priority determines its COS queue, except when an ACL action sets the COS queue of the packet. Notes:  In stacking mode, because one COS queue is reserved for internal use, the number of configurable COS queues is either 1 or 7.  When vNIC operations are enabled, the total number of COS queues available is 4. You can configure the following attributes for COS queues: Map 802.1p priority value to a COS queue   Define the scheduling weight of each COS queue You can map 802.1p priority value to a COS queue, as follows: RS G8264(config)# qos transmitqueue mapping <802.1p priority value (0‐7)> <COS queue (0‐7)> To set the COS queue scheduling weight, use the following command: RS G8264(config)# qos transmitqueue weightcos <COSq number> <COSq weight (0‐15)> Control Plane Protection Control plane receives packets that are required for the internal protocol state machines. This type of traffic is usually received at low rate. However, in some situations such as DOS attacks, the switch may receive this traffic at a high rate. If the control plane protocols are unable to process the high rate of traffic, the switch may become unstable. The control plane receives packets that are channeled through protocol‐specific packet queues. Multiple protocols can be channeled through a common packet ...
Page 247 Use the following commands to configure the control plane protection (CoPP) feature: RS G8264(config)# qos protocolpacketcontrol packetqueuemap <0‐47> <protocol> (Configure a queue for a protocol) RS G8264(config)# qos protocolpacketcontrol ratelimitpacketqueue <0‐47> <1‐10000> (Set the bandwidth for the queue, in packets per second) © Copyright Lenovo 2016 Chapter 13: Quality of Service...
Page 248: Wred With Ecn
WRED with ECN Weighted Random Early Detection (WRED) is a congestion avoidance algorithm that helps prevent a TCP collapse, where a congested port indiscriminately drops packets from all sessions. The transmitting hosts wait to retransmit resulting in a dramatic drop in throughput. Often times, this TCP collapse repeats in a cycle, which results in a saw‐tooth pattern of throughput. WRED selectively drops packets before the queue gets full, allowing majority of the traffic to flow smoothly. WRED discards packets based on the CoS queues. Packets marked with lower priorities are discarded first. Explicit Congestion Notification (ECN) is an extension to WRED. For packets that are ECN‐aware, the ECN bit is marked to signal impending congestion instead of dropping packets. The transmitting hosts then slow down sending packets. How WRED/ECN work together For implementing WRED, you must define a profile with minimum threshold, maximum threshold, and a maximum drop probability. The profiles can be defined on a port or a CoS. For implementing ECN, you require ECN‐specific field that has two bits—the ECN‐capable Transport (ECT) bit and the CE (Congestion Experienced) bit—in the IP header. ECN is identified and defined by the values in these bits in the Differentiated Services field of IP Header. Table 19 shows the combination values of the ECN bits. Table 19. ECN Bit Setting ECT Bit CE Bit Description Not ECN‐capable Endpoints of the transport protocol are ECN‐capable Endpoints of the transport protocol are ECN‐capable Congestion experienced G8264 Application Guide for ENOS 8.4...
Page 249: Configuring Wred/Ecn
Note: WRED/ECN can be configured only on physical ports and not on LAG. WRED and ECN are applicable only to unicast traffic. Consider the following guidelines for configuring WRED/ECN:  Profiles can be configured globally or per port. Global profiles are applicable to all ports. Always enable the global profile before applying the port‐level profile.  Note: You can enable the global profile and disable the port‐level profile. However, you must not enable the port‐level profile if the global profile is disabled.  WRED settings are dependent on Memory Management Unit (MMU) Settings. If you change the MMU setting, it could impact WRED functionality. You cannot enable WRED if you have QoS buffer settings such as Converged  Enhanced Ethernet (CEE), Priority‐based Flow Control (PFC), or Enhanced Transmission Selection (ETS).  The number of WRED profiles per‐port must match the total number of COS Queues configured in the system.  If you have configured a TCP profile and enabled ECN, ECN remarking happens only if all traffic experiencing congestion is TCP traffic. Configure a TCP profile only after enabling ECN on the interface.   You can apply TCP and non‐TCP profile configurations irrespective of ECN status (enabled/disabled). © Copyright Lenovo 2016 Chapter 13: Quality of Service...
Page 250: Wred/Ecn Configuration Example
WRED/ECN Configuration Example Follow these steps to enable WRED/ECN and configure a global and/or port‐level profile. If you configure global and port‐level profile, WRED/ECN uses the port‐level profile to make transmit/drop decisions when experiencing traffic congestion. Configure Global Profile for WRED 1. Enable WRED globally. RS G8264(config)# qos randomdetect enable 2. Enable a transmit queue. RS G8264(config)# qos randomdetect transmitqueue 0 enable 3. Configure WRED thresholds (minimum, maximum, and drop rate) for TCP traffic. RS G8264(config)# qos randomdetect transmitqueue 0 tcp minthreshold 1 maxthreshold 2 droprate 3 Note: Percentages are of Average Queue available in hardware and not percentages of traffic. 4. Configure WRED thresholds (minimum, maximum, and drop rate) for non‐TCP traffic. RS G8264(config)# qos randomdetect transmitqueue 0 nontcp minthreshold 4 maxthreshold 5 droprate 6 5. Select the port. RS G8264(config)# interface port 1 6. Enable WRED for the port. RS G8264(configif)# randomdetect enable RS G8264(configif)# exit Configure Port-level Profile for WRED...
Page 251: Configure Global Profile For Ecn
Configure Global Profile for ECN 1. Enable ECN globally. RS G8264(config)# qos randomdetect ecn enable 2. Enable a transmit queue. RS G8264(config)# qos randomdetect transmitqueue 0 enable 3. Configure ECN thresholds (minimum, maximum, and drop rate) for TCP traffic. RS G8264(config)# qos randomdetect transmitqueue 0 tcp minthreshold 1 maxthreshold 2 droprate 3 Note: Percentages are of Average Queue available in hardware and not percentages of traffic. 4. Select the port. RS G8264(config)# interface port 1 5. Enable ECN for the port. RS G8264(configif)# randomdetect ecn enable RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 13: Quality of Service...
Page 252: Configure Port-Level Profile For Ecn
Configure Port-level Profile for ECN 1. Enable ECN globally. RS G8264(config)# qos randomdetect ecn enable 2. Select the port. RS G8264(config)# interface port 1 3. Enable ECN for the port. RS G8264(configif)# randomdetect ecn enable 4. Enable a transmit queue. RS G8264(configif)# randomdetect transmitqueue 0 enable 5. Configure ECN thresholds (minimum, maximum, and drop rate) for TCP traffic. RS G8264(configif)# randomdetect transmitqueue 0 tcp minthreshold 11 maxthreshold 22 droprate 33 RS G8264(configif)# exit Note: Percentages are of Average Queue available in hardware and not percentages of traffic. Verify WRED/ECN Use the following command to view global WRED/ECN information: RS G8264(config)# show qos randomdetect Current wred and ecn configuration: Global ECN: Enable Global WRED: Enable TQ0:WREDTcpMinThrTcpMaxThrTcpDrateNonTcpMinThrNonTcpMaxThrNonTcpDrate Ena 10 20 30 10 20 30 TQ1:WREDTcpMinThrTcpMaxThrTcpDrateNonTcpMinThrNonTcpMaxThrNonTcpDrate...
Page 253 Use the following command to view port‐level WRED/ECN information: RS G8264(config)# show interface port 1 randomdetect Port: 1 ECN: Enable WRED: Enable TQ0:WREDTcpMinThrTcpMaxThrTcpDrateNonTcpMinThrNonTcpMaxThrNonTcpDrate Dis 0 0 0 0 0 0 TQ1:WREDTcpMinThrTcpMaxThrTcpDrateNonTcpMinThrNonTcpMaxThrNonTcpDrate Ena 4 5 6 1 2 3 TQ2:WREDTcpMinThrTcpMaxThrTcpDrateNonTcpMinThrNonTcpMaxThrNonTcpDrate Dis 0 0 0 0 0 0 TQ3:WREDTcpMinThrTcpMaxThrTcpDrateNonTcpMinThrNonTcpMaxThrNonTcpDrate Dis 0 0 0 0 0 0 TQ4:WREDTcpMinThrTcpMaxThrTcpDrateNonTcpMinThrNonTcpMaxThrNonTcpDrate Dis 0 0 0 0 0 0 TQ5:WREDTcpMinThrTcpMaxThrTcpDrateNonTcpMinThrNonTcpMaxThrNonTcpDrate Dis 0 0 0 0 0 0 TQ6:WREDTcpMinThrTcpMaxThrTcpDrateNonTcpMinThrNonTcpMaxThrNonTcpDrate Dis 0 0 0 0 0 0 TQ7:WREDTcpMinThrTcpMaxThrTcpDrateNonTcpMinThrNonTcpMaxThrNonTcpDrate Dis 0 0 0 0 0 0 © Copyright Lenovo 2016 Chapter 13: Quality of Service...
Page 254 G8264 Application Guide for ENOS 8.4...
Page 255: Chapter 14. Precision Time Protocol
 Boundary clock: A boundary clock connects to multiple networks. It synchro‐ nizes with the attached master clock and in turn acts as a master clock to all attached ordinary clocks. Boundary clocks help to reduce the effect of jitter in Ethernet‐based networks.  Transparent clock: A transparent clock listens for PTP packets and adjusts the cor‐ rection field in the PTP event packets as they pass the PTP device. Lenovo RackSwitch G8264 supports the configuration of ordinary clock and transparent clock. It cannot be a master clock as the switch does not participate in the master clock selection process. Note: Lenovo Enterprise Network Operating System does not support IPv6 for PTP. By default, PTP version 2 is installed on the switch but is globally disabled. Use the following command to globally enable PTP: RS G8264(config)# ptp {ordinary|transparent} enable PTP is configured on switch ports. In case of LAG ports, the PTP configuration must be the same on all ports participating in the same LAG. The switch uses only one port from a LAG (typically the one used by a multicast protocol) to forward PTP packets. By default, PTP is enabled on all the switch ports. To disable PTP on a port, use the following commands: RS G8264(config)# interface port <port number> RS G8264(configif)# no ptp Note: PTP cannot be enabled on management ports. © Copyright Lenovo 2016 Chapter 14: Precision Time Protocol...
Page 256 PTP packets have a Control Plane Protection (CoPP) queue of 36. You can change this CoPP priority using the following command: RS G8264(config)# qos protocolpacketcontrol packetqueuemap <0‐47> <protocol> You can modify the PTP queue rate using the following command: RS G8264(config)# qos protocolpacketcontrol ratelimitpacketqueue <0‐47> <1‐10000> G8264 Application Guide for ENOS 8.4...
Page 257: Ordinary Clock Mode
As an ordinary clock, the G8264 synchronizes with a single PTP domain. The switch uses a delay‐request mechanism to synchronize with the master clock. The switch uses a source IP address for the packets it generates. You can create a loopback interface for this purpose. By default, the switch uses the lowest interface in the VLAN from which the sync messages are received. To assign a loopback interface, use the following command: RS G8264(config)# ip ptp sourceinterface loopback <interface number> Note: If there are no interfaces on the switch that belong to the VLAN from which the sync messages are received, then the ordinary clock will not function. An error message will be generated. You can view this message using the RS G8264# show ptp command. Transparent Clock Mode When the G8264 is configured as a transparent clock, its time can be set manually or using any time protocol. You must configure PTPv2 for the transparent clock to function. The switch does not modify PTPv1 packets as they pass through the switch. As a transparent clock, the G8264 supports syntonization (synchronization of clock frequency but not time) and synchronization with multiple domains. Event packets received on all ports on the switch that have PTP enabled will be adjusted with the residence time. The switch sends all PTP packets to the multicast group address: 224.0.1.129. You can use Protocol Independent Multicast (PIM), Internet Group Management Protocol (IGMP), or any other multicast protocol to route the PTP packets. © Copyright Lenovo 2016 Chapter 14: Precision Time Protocol...
Page 258: Tracing Ptp Packets
Tracing PTP Packets PTP packets can be traced on the PTP ports. These packets can be identified by their destination IP address and UDP ports. The following table includes the IEEE standard specification: Table 20. IEEE Standard PTP Messages Message IP Address/UDP Port PTP‐primary: All PTP messages except 224.0.1.129 peer delay mechanism messages PTP‐pdelay: Peer delay mechanism 224.0.0.107 messages Event Messages: Sync, delay request, peer delay request, peer delay response General Messages: Announce, follow‐up, delay response, peer delay response follow‐up, management Viewing PTP Information The following table includes commands for viewing PTP information: Table 21. PTP Information Commands Command Description RS G8264(config)# show ptp Displays global PTP information RS G8264(config)# show Displays port information including interface port <port number>...
Page 260 G8264 Application Guide for ENOS 8.4...
Page 261: Chapter 15. Openflow
 “OpenFlow Versions” on page 264  “OpenFlow Instance” on page 265  “Flow Tables” on page 266  “Static Flows” on page 268  “Table‐Miss” on page 274  “Fail Secure Mode” on page 275  “Emergency Mode” on page 276  “OpenFlow Ports” on page 278  “sFlow Compatibility” on page 281  “OpenFlow Groups” on page 282  “Configuring OpenFlow” on page 283  “Feature Limitations” on page 288 © Copyright Lenovo 2016...
Page 262: Openflow Overview
OpenFlow Overview OpenFlow architecture consists of a control plane residing outside of the switch (typically on a server) and a data plane residing in the switch. The control plane is called OpenFlow controller. The data plane which resides in the switch consists of a set of flows which determine the forwarding of data packets. The OpenFlow protocol is described in the OpenFlow Switch Specification 1.0.0 and OpenFlow Switch Specification 1.3.1. An OpenFlow network consists of simple flow‐based switches in the data path, with a remote controller to manage all switches in the OpenFlow network. OpenFlow maintains a TCP channel for communication of flow management between the controller and the switch. All controller‐switch communication takes place over the switchʹs management network. G8264 Application Guide for ENOS 8.4...
Page 263: Switch Profiles
Switch Profiles The RackSwitch G8264 can be used for configuring OpenFlow and legacy switching features simultaneously. However, Layer 2 and Layer 3 switching features can be configured only on the ports that are not OpenFlow ports. Legacy switching ports and OpenFlow ports do not communicate with each other. Alternately, the switch can be configured as an OpenFlow‐only switch if you do not need to configure legacy switching features. Based on your requirement, select the switch boot profile using the following commands: OpenFlow‐only: RS G8264(config)# boot profile openflow  The switch will operate only in OpenFlow environment. None of the legacy switching features will be supported.  OpenFlow and Legacy Switching: RS G8264(config)# boot profile default Legacy switching features can be configured on the non‐OpenFlow ports. By default, the switch boots in this profile. Reload the switch to apply boot profile changes. © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 264: Openflow Versions
OpenFlow Versions The RackSwitch G8264 can be configured to run either version 1.0 or version 1.3 of the OpenFlow standard. By default, the switch uses OpenFlow 1.0. To shift between versions, use the following commands: RS G8264(config)# boot openflow v1  The switch will run OpenFlow 1.0 after reboot. This version does not support the use of MPLS‐based flows (See “Flow Tables” on page 266), groups, static portchannels, or static LACP LAGs in OpenFlow instances (see “Configuring OpenFlow” on page 283). RS G8264(config)# boot openflow v13  The switch will run OpenFlow 1.3 after reboot. This version does not support emergency flow tables (see “Emergency Mode” on page 276). OpenFlow 1.3 includes (but not limited to) the following key features:  Layer 3 MPLS  Static portchannels and static LACP LAGs  MAC address/IP address masking  Flexible Table Miss and Fail Secure  40Gb support  Static CLI for Flow Programming  OpenFlow Groups  FDB aging timer  OpenFlow 1.0 backwards compatibility G8264 Application Guide for ENOS 8.4...
Page 265: Openflow Instance
OpenFlow Instance The G8264 supports up to two instances of the OpenFlow protocol. Each instance appears as a switch to the controller. Instances on the same switch can be connected to different networks. Each instance maintains a separate TCP channel for communication of flow management between controller and switch. Each instance supports up to four controllers. However, only one controller per instance is active at any time. Global OpenFlow configuration applies to all instances. OpenFlow parameters for an instance can be configured using the command: RS G8264(config)# openflow instance <instance ID> OpenFlow ports cannot be shared between instances. © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 266: Flow Tables
Flow Tables A set of a flow identification condition and an action towards a flow is called flow entry, and the database that stores the entries is called the flow table. A flow is defined as all the packets matching a flow entry in an OpenFlow flow table. Each flow entry includes:  Qualifiers ‐ These are header fields that are matched with a packet.  Actions to be performed when a packet matches the qualifiers. The controller decides which flows to admit and the path their packets follow. The switch classifies the flows as ACL‐based, FDB‐based, or MPLS‐based. MPLS‐based flows are supported only in version 1.3 of the OpenFlow standard. When the switch operates in OpenFlow boot profile (See “Switch Profiles” on page 263), a maximum of 1000 ACL‐based flows, 4096 FDB multicast flows, 123904 FDB unicast flows, 1000 MPLS label pop flows, and 2000 MPLS label push flows are available. When the switch operates in default boot profile, a maximum of 750 ACL‐based flows, 4096 FDB multicast flows, 123904 FDB unicast flows, 1000 MPLS label pop flows, and 2000 MPLS label push flows are available. The instances share these flows dynamically. To guarantee a specific number of flows to an instance, use the following commands: OpenFlow boot profile:  RS G8264(config)# openflow instance <instance ID> RS G8264(configopenflowinstance)# maxflowacl <0‐1000> RS G8264(configopenflowinstance)# maxflowmcastfdb <0‐4096> RS G8264(configopenflowinstance)# maxflowucastfdb <0‐123904> RS G8264(configopenflowinstance)# maxflowmplspop <0‐1000> RS G8264(configopenflowinstance)# maxflowmplspush <0‐2000>  Default boot profile: RS G8264(config)# openflow instance <instance ID> RS G8264(configopenflowinstance)# maxflowacl <0‐750> ...
Page 267  Ether Type  VLAN TAG – Single VLAN tag – VLAN ID and Priority  IP address (source IP and destination IP)  IP Protocol  MPLS label (for OpenFlow 1.3)  DSCP bits  Layer 4 Port (TCP, UDP) ICMP code and type   If EtherType is ARP, the specified ARP type (request/reply) or SIP in the ARP payload can be used to match a packet. Once a packet arrives, the switch searches the flow table. When a flow entry is hit in the search, the packet is processed according to the action specified in the flow entry. © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 268: Static Flows
Static Flows You can configure static flow entries for OpenFlow instances. The switch forwards traffic based on these entries even if it is not connected to a controller. Up to 750 static ACL entries across all instances can be configured. An OpenFlow controller cannot modify or delete these entries. Static flow entries can replace entries installed by a controller. Static flow entries are not lost when the switch is reloaded. Static flow entries are based on the following qualifiers, actions, and options: Table 22. Static Flow Entry Qualifiers in OpenFlow 1.0 Qualifier Description ingress‐port port of the instance src‐mac source MAC address dst‐mac destination MAC address vlan‐id (0‐4095 + 65535 (untagged)) VLAN identifier vlan‐priority 802.1p(0‐7) src‐ip source IP address dst‐ip destination IP address src‐port Layer 4 source port (0‐65535) dst‐port Layer 4 destination port (0‐65535) ether‐type ʺarpʺ/ʺ0806ʺ or ʺipʺ/ʺ0800ʺ or (hex‐value < = 65535) protocol ʺtcpʺ or ʺudpʺ or 0‐255 IP TOS (0‐255) type ʺrequestʺ or ʺreplyʺ (can be set only if ether type is ARP) all qualifiers or any qualifier Table 23.
Page 269 MPLS label all qualifiers or any qualifier Table 24. Static Flow Entry Actions in OpenFlow 1.0 Action Description out‐put ʺallʺ,ʺin‐portʺ,ʺfloodʺ,ʺcontrollerʺ or a valid port set‐src‐mac change source MAC address set‐dst‐mac change destination MAC address strip‐vlan‐id strip VLAN set‐vlan‐id set VLAN ID set‐vlan‐priority set 802.1p priority (0‐7) set‐nw‐tos set IP TOS (0‐255) drop drop the packet Table 25. Static Flow Entry Actions in OpenFlow 1.3 Action Description output physical ports reserved ports: all, controller, in‐port output‐portchannel Logical ports: static LAG (portchannel) or static LACP © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 270: Port Membership
Table 25. Static Flow Entry Actions in OpenFlow 1.3 Action Description set‐eth‐src change source MAC address set‐eth‐dst change destination MAC address push‐vlan push a new VLAN tag, 0x8100 pop‐vlan pop the VLAN tag push‐mpls push a new MPLS tag, 0x8847 pop‐mpls pop MPLS tag, 0x0800 or 0x800 (IP Ethertype) set‐vlan‐vid set VLAN ID, <0‐4094> set‐vlan‐pcp set 802.1p priority (0‐7) set‐ip‐dscp Set IP DSCP (0‐63), 6 highest bits in TOS set‐mpls‐ttl set MPLS TTL set‐mpls‐label Set MPLS label, <1‐0xFFFFF> copy‐ttl‐out copy TTL outward ‐ from next‐to‐outermost to outer‐ most copy‐ttl‐in copy TTL inward ‐ from outermost to next‐to‐outer‐ most drop drop the packet Actions for static flows must be specified in the following order: set‐mpls‐ttl, copy‐ttl‐in, pop‐mpls, pop‐vlan, push‐mpls, push‐vlan, copy‐ttl‐out, set‐field, output. The set‐field action includes set‐eth‐src, set‐eth‐dst, set‐vlan‐vid, set‐vlan‐pcp, set‐ip‐dscp, set‐mpls‐label. They may be used in any order. The output action includes output and output‐portchannel. They may be used in ...
Page 271: Fdb Aging And Ecmp With Openflow
Static Flow Examples Following are examples of static flow entries for OpenFlow 1.0:  Basic ACL flow: RS G8264(configopenflowinstance)# statictable add index 1 match ingressport=1 actions output=10 priority 12345 Flow with multiple qualifiers and actions:  RS G8264(configopenflowinstance)# statictable add index 2 match vlanid=1,dstmac=00:00:00:00:00:01 actions setvlanpriority=3,output=20 priority 1000 Flow with action: output to controller:  RS G8264(configopenflowinstance)# statictable add index 3 match all actions output=controller options maxlen=65534 priority 1000 Static ACL flow entries can be deleted using the command: RS G8264(configopenflowinstance)# statictable remove index <index number> Following are examples of static flow entries for OpenFlow 1.3:  Basic ACL flow: RS G8264(configopenflowinstance)# statictable add index 1 match inport=41 actions output=50 priority 12345 Flow with multiple qualifiers and actions:  RS G8264(configopenflowinstance)# statictable add index 2 match vlanvid=1,ethdst=00:00:00:00:00:01 actions setvlanpcp=3,output=50 priority 1000 © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 272 Static ACL flow entries can be deleted using the command: RS G8264(configopenflowinstance)# statictable remove index <index number> Static flow table information can be viewed using the following commands: In OpenFlow version 1.0: RS G8264(configopenflowinstance)# show openflow table Openflow instance 1 is currently disabled Openflow Instance Id: 2 BASIC FLOW TABLE CONTROLLER ADDED FLOWS Flow:1 Filter Based, priority: 0, hardtimeout: 0, idletimeout: 0 cookie: 0x0 QUALIFIERS: ACTION: drop STATS: packets=0, bytes=0 Flow:2 Filter Based, priority:65535, hardtimeout: 0, idletimeout: 0 cookie: 0x0 QUALIFIERS: ethertype:0x88cc protocol: 0, tos: 0 srcip:0.0.0.0/32, dstip:0.0.0.0/32 srcport: 0, dstport: 0 ACTION: output:CONTROLLER [Max Len: 65535 / bytes (C/S)] STATS: packets=0, bytes=0 Flow:3 Filter Based, priority: 2, hardtimeout: 0, idletimeout: 0 cookie: 0x0 QUALIFIERS: ACTION: output:CONTROLLER [Max Len: 65535 / bytes (C/S)] STATS: packets=0, bytes=0 G8264 Application Guide for ENOS 8.4...
Page 273 In OpenFlow version 1.3: RS G8264(configopenflowinstance)# show openflow table Openflow instance 1 is currently disabled Openflow Instance Id: 2 CONTROLLER added FLOWs Flow 1, Filter Based, priority:1000, hardtimeout:0, idletimeout:0 cookie:0x0 QUALIFIERS: inport:PCH1 ethdst:01:00:08:00:00:03 vlanvid:1 Instruction: apply_action ACTION: output:18, PCH1, PCH66 STATS: packets=0, bytes=0 Flow 2, Filter Based, priority:2, hardtimeout:0, idletimeout:0 cookie:0x0 QUALIFIERS: Instruction: write_action ACTION: output:CONTROLLER [Max Len: 65535 / bytes (C/S)] STATS: packets=0, bytes=0 Flow 3, Filter Based, priority:65535, hardtimeout:0, idletimeout:0 cookie:0x0 QUALIFIERS: ethtype:0x88cc Instruction: write_action ACTION: output:CONTROLLER [Max Len: 65535 / bytes (C/S)] STATS: packets=0, bytes=0 Flow 4, Filter Based, priority:0, hardtimeout:0, idletimeout:0 cookie:0x0 QUALIFIERS: Instruction: empty ACTION: drop STATS: packets=0, bytes=0 © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 274 Table-Miss In OpenFlow 1.3, if a match is not found for an arriving packet, the packet is either dropped or sent to the controller. If sent to the controller, the controller decides which action(s) to perform on all packets from the same flow. The decision is then sent to the switch and cached as an entry in the switch instance’s flow table. If the controller decides to add the flow, it sends a flow add message to the switch. The switch then adds the flow in its flow table. The next arriving packet that belongs to the same flow is then forwarded at line‐rate through the switch without consulting the controller. By default, packets that don’t match any of the existing flow entries are dropped. To set up an OpenFlow instance to send non‐matching packets to the controller instead of dropping them, use the following commands: RS G8264(config)# openflow instance <instance ID> RS G8264(configopenflowinstance)# tablemiss controller G8264 Application Guide for ENOS 8.4...
Page 275: Fail Secure Mode
Fail Secure Mode In OpenFlow 1.3, if contact with all controllers is lost, the switch automatically enters a fail secure mode. In this mode, the switch continues to operate based on the existing flow entries until they expire (according to the configured flow timeout value), while packets and messages destined to the controllers are dropped. When a connection to a controller is reestablished, the controller has the option to either delete or keep any remaining flow entries. © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 276: Emergency Mode
Emergency Mode Note: Emergency Mode is supported only in version 1.0 of the OpenFlow standard. By default, Emergency mode is disabled. In this state, if the connection to the controller fails, the switch will behave as described in Fail Secure mode for Openflow 1.3. To enable Emergency mode, use the following command: RS G8264(config)# openflow instance <instance ID> RS G8264(configopenflowinstance)# emergency In Emergency mode enabled state, if the connection to the controller fails, the switch tries to establish connection with any of the other configured controllers. If it is unable to connect with any controller, it enters Emergency mode. It replaces the flow entries with the entries from the emergency flow table. The switch stays in the Emergency mode for the time configured as the Emergency timeout interval (default value is 30 seconds), after which the switch tries to establish connection with any configured controller.  If connection with a controller is established, the switch exits Emergency mode. Entries in the Emergency flow table are retained. If desired, the controller may delete all the emergency flow entries.  If connection with a controller is not established, the switch stays in Emergency mode and continues to forward packets based on the Emergency flows. It retries to establish a connection with a controller every time the Emergency timeout interval expires. Emergency mode can be activated or deactivated per instance. To activate Emergency mode on an instance, use the following command: RS G8264# openflow instance <instance ID> enteremergency To deactivate Emergency mode on an instance, use the following command: RS G8264# no openflow instance <instance ID> enteremergency G8264 Application Guide for ENOS 8.4...
Page 277 Openflow Instance Id: 1 BASIC FLOW TABLE Flow:1 FDB Based, priority: 1000, hardtimeout: 0 QUALIFIERS: dstmac:010203050600, vlanid: 100 ACTION: outport:21 Flow:2 Filter Based, priority:32768, hardtimeout: 0, idletimeout: 0 QUALIFIERS: vlanid: 100 dstmac:010203667600 ACTION: output:22 STATS: packets=0, bytes=0 EMERGENCY FLOW TABLE Flow:1 FDB Based, priority: 1000, hardtimeout: 0 QUALIFIERS: dstmac:010203660600, vlanid: 100 ACTION: outport:21 Flow:2 Filter Based, priority:32768, hardtimeout: 0, idletimeout: 0 QUALIFIERS: vlanid: 100 dstmac:010203660600 ACTION: output:22 Openflow Instance Id: 2 BASIC FLOW TABLE Flow:1 FDB Based, priority: 1000, hardtimeout: 0 QUALIFIERS: dstmac:015503119600, vlanid: 200 ACTION: outport:31 EMERGENCY FLOW TABLE Flow:1 FDB Based, priority: 1000, hardtimeout: 0 QUALIFIERS: dstmac:015503111600, vlanid: 200 ACTION: outport:31 © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 278: Openflow Ports
OpenFlow Ports When OpenFlow is enabled, all OpenFlow instance member ports become OpenFlow ports. OpenFlow ports have the following characteristics:  Learning is turned off. Flood blocking is turned on.   Spanning Tree Protocol (STP) is disabled. The switch communicates with OpenFlow controllers through controller management ports or through dedicated out‐of‐band management ports on the switch. All OpenFlow ports, except controller management ports, must be members of VLAN 1. Controller management ports can be members of any VLAN except VLAN 1. Note: When the switch operates in the default boot profile, we recommend that you use a non‐OpenFlow port to connect the switch with the controller. Use the following command to view port information: RS G8264(config)# show interface information For each OpenFlow instance, when you configure the controller IP address and port, the switch establishes a TCP connection with the controller for flow control and management. See Step 3 on page 283. The switch supports up to four controllers per instance. The default controller port is 6633 and is reachable via any in‐band port configured as management port or through dedicated out‐of‐band management port (MGT). The controller management ports must not be members of an OpenFlow instance. You can use a controller to manage and control multiple instances. Use the following command to configure a data port as a controller management port (available only in OpenFlow boot profile): RS G8264(config)# openflow mgmtport <port number> Note: In default boot profile, when you disable OpenFlow, the OpenFlow ports become legacy switch ports and are added to the default VLAN 1. OpenFlow Edge Ports You can configure a port as an OpenFlow edge port. Edge ports are connected to ...
Page 279: Link Aggregation
Link Aggregation In OpenFlow 1.3, port LAGs can be added to OpenFlow instances. A LAG aggregates its member ports to form a logical port with increased bandwidth. You can add an existing static LAG (portchannel) or static LACP LAG to an OpenFlow instance using the following commands: RS G8264(config)# openflow instance <instance ID> RS G8264(configopenflowinstance)# member portchannel <LAG ID> where the LAG ID (the logical port ID) is derived from the original LAG configuration, based on the LAG type:  Static LAG (portchannel) RS G8264(config)# portchannel <LAG ID> port <port list> Static LACP LAG  RS G8264(config)# portchannel <LAG ID> lacp key <LACP admin key> Note: For more information about configuring LAGs, see Chapter 10, “Ports and Link Aggregation.” Once added to the instance, the LAG ports inherit the OpenFlow data properties such as MAC learning turned off, flood blocking turned on, and STP disabled. The LAG link remains active as long as at least one member port is up. The LAG link speed is an aggregation of the speed of the individual member ports. If any port in the LAG goes down, the overall LAG link speed is decreased accordingly. To add a static LAG or static LACP LAG to the edge ports list, use the following command: RS G8264(configopenflowinstance)# edgeport portchannel <LAG ID> © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 280: Data Path Id
Data Path ID The data path ID—automatically computed—is a combination of two bytes of the instance ID and six bytes of the switch MAC address. Alternately, the data path ID can be manually configured using the following command. Each instance on the switch must have a unique data path ID: RS G8264(config)# openflow instance <instance ID> RS G8264(configopenflowinstance)# dpid <Data path ID> (Hex string starting with Note: If the data path ID is changed, the switch instance closes the active connection and reconnects with the modified data path ID. G8264 Application Guide for ENOS 8.4...
Page 281: Sflow Compatibility
Compatibility OpenFlow ports that are set for sFlow sampling will send incoming sample packets to both the sFlow server or analyzer and the OpenFlow controller as “packet‐in.” sFlow servers must be configured as reachable over a management port or a non‐OpenFlow data port. Unicast FDB flows support ingress and egress sampling. ACL‐based flows, multicast FDB‐based flows, packet‐in, send‐to‐controller, and mirror‐to‐controller flows support only ingress sampling. © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 282: Openflow Groups
OpenFlow Groups In OpenFlow 1.3, the RackSwitch G8264 supports OpenFlow groups based on the OpenFlow 1.3.1 specification. The following OpenFlow group features are supported:  Group types: ALL and INDIRECT  Up to 256 groups per instance  Group operations: ADD, MODIFY, and DELETE  Support for group multipart messages: group counter statistics, group description, and group features  Flows: ACL, MPLS, and FDB  Port types: Physical port, logical port (static portchannel or static LACP LAG) G8264 Application Guide for ENOS 8.4...
Page 283: Configuring Openflow
RS G8264(configopenflowinstance)# member <port number or range> In version 1.3 of the OpenFlow standard, you can also add static portchannels or static LACP LAGs to the instance: RS G8264(configopenflowinstance)# member portchannel <1‐128> 3. Configure a controller for the OpenFlow switch instance: RS G8264(configopenflowinstance)# controller <1‐4> address <IP address> [mgtport|dataport] RS G8264(configopenflowinstance)# controller <1‐4> port <1‐65535> 4. Enable the OpenFlow switch instance: RS G8264(configopenflowinstance)# enable The switch is ready to perform switching functions in an OpenFlow environment. 5. Verify OpenFlow configuration: RS G8264(config)# show openflow instance <instance ID> information Configuration Example 1 - OpenFlow Boot Profile The following example includes steps to configure an OpenFlow switch instance when the switch operates in OpenFlow boot profile. Configure OpenFlow instance 1, which connects with two controllers via in‐band management ports, and OpenFlow instance 2, which connects with two controllers via in‐band management ports. © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 284 1. Configure IP interface 128 for out‐of‐band connection: RS G8264(config)# interface ip 128 RS G8264(configipif)# ip address 172.20.100.1 255.255.0.0 enable RS G8264(configipif)# exit 2. Configure IP interface 1 for in‐band connection: RS G8264(config)# vlan 3000 RS G8264(configvlan)# exit RS G8264(config)# interface port 6 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 3000 RS G8264(configif)# exit RS G8264(config)# interface ip 1 RS G8264(configipif)# ip address 172.21.100.1 255.255.0.0 enable RS G8264(configipif)# vlan 3000 RS G8264(configipif)# exit 3. Configure IP interface 2 for in‐band connection: RS G8264(config)# vlan 4000 RS G8264(configvlan)# exit RS G8264(config)# interface port 6 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 4000 RS G8264(configif)# exit RS G8264(config)# interface ip 2...
Page 285 RS G8264(configopenflowinstance)# exit 10. Create OpenFlow switch instance 2 and add data ports: RS G8264(config)# openflow instance 2 (Create OpenFlow instance 2) RS G8264(configopenflowinstance)# member 26,27,2834 (Add dataports 26,27, and data port range 28 through 34 as members of OpenFlow instance 2) 11. Configure controller 2 IP address using in‐band management port: RS G8264(configopenflowinstance)# controller 2 address 172.21.100.73 dataport (Switch connects with controller 1 via the in‐band management port configured in Step 5; default controller port is used in this example) 12. Configure controller 2 IP address using in‐band management port: RS G8264(configopenflowinstance)# controller 2 address 172.22.100.73 dataport Switch connects with controller 2 via in‐band management port configured in Step 5; default controller port is used in this example) 13. Enable OpenFlow instance 2: RS G8264(configopenflowinstance)# enable 14. View OpenFlow Configuration: RS G8264(config)# show runningconfig © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 286: Configuration Example 2 - Default Boot Profile
Configuration Example 2 - Default Boot Profile The following example includes steps to configure an OpenFlow switch instance when the switch operates in Default boot profile. 1. Configure IP interface 128 for out‐of‐band connection: RS G8264(config)# interface ip 128 RS G8264(configipif)# ip address 172.20.100.1 255.255.0.0 enable RS G8264(configipif)# exit 2. Configure IP interface 1 for in‐band connection: RS G8264(config)# vlan 3000 RS G8264(configvlan)# exit RS G8264(config)# interface port 6 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan add 3000 RS G8264(configif)# exit RS G8264(config)# interface ip 1 RS G8264(configipif)# ip address 172.21.100.1 255.255.0.0 enable RS G8264(configipif)# vlan 3000 RS G8264(configipif)# exit 3. Configure IP interface 2 for in‐band connection: RS G8264(config)# vlan 4000 RS G8264(configvlan)# exit RS G8264(config)# interface port 6...
Page 287 9. Create OpenFlow switch instance 2 and add data ports: RS G8264(config)# openflow instance 2 (Create OpenFlow instance 2) RS G8264(configopenflowinstance)# member 26,27,2832 (Add data ports 26,27, and data port range 28 through 32 as members of OpenFlow instance 2) 10. Configure controller 1 IP address using in‐band management port: RS G8264(configopenflowinstance)# controller 1 address 172.21.100.73 dataport (Switch connects with controller 1 via the in‐band management port; default controller port is used in this example) 11. Configure controller 2 IP address using in‐band management port: RS G8264(configopenflowinstance)# controller 2 address 172.22.100.73 dataport Switch connects with controller 2 via in‐band management port; default controller port is used in this example) 12. Enable OpenFlow instance 2: RS G8264(configopenflowinstance)# enable RS G8264(configopenflowinstance)# exit View OpenFlow Configuration: RS G8264(config)# show runningconfig © Copyright Lenovo 2016 Chapter 15: OpenFlow...
Page 288: Feature Limitations
Feature Limitations When the switch is booted in the OpenFlow profile, it operates only in OpenFlow switch environment. None of the normal switching environment features are supported. If the switch is booted in default profile, normal switching environment features can be configured on the non‐OpenFlow ports. However, the following features are not supported:  ACLs  FCoE/CEE  Dynamic PBR  IPMC with IP options  IPv6  Management ACL  PVID  VLAG  VMap  VMready  vNIC G8264 Application Guide for ENOS 8.4...
Page 289: Chapter 16. Deployment Profiles
Chapter 16. Deployment Profiles The Enterprise NOS software for the Lenovo RackSwitch G8264 can be configured to operate in different modes for different deployment scenarios. Each deployment profile sets different capacity levels for basic switch resources, such as the number of IP Multicast (IPMC) entries and ACL entries, to optimize the switch for different types of networks. This chapter covers the following topics  “Available Profiles” on page 290  “Selecting Profiles” on page 291  “Automatic Configuration Changes” on page 292 © Copyright Lenovo 2016...
Page 290: Available Profiles
Available Profiles The following deployment profiles are currently available on the G8264:  Default Profile: This profile is recommended for general network usage. Switch resources are allocated to support a wide range of features such as IPv6, ACLs, and FCoE/CEE.  ACL Profile: This profile enables you to configure maximum number of ACLs. The IPv6, FCoE/CEE, and VMready features will not be supported. This profile also does not support the forwarding of IPMC packets with IP options. The properties of each mode are compared in the following table. Table 28. Deployment Mode Comparison Capacity, by Mode Switch Feature Default Openflow ACLs IPv6 Supported Not Supported Not Supported VMready Supported Not Supported Not Supported VMap Supported Not Supported Not Supported FCoE/CEE Supported Not Supported Not Supported Note: Throughout this guide, where feature capacities are listed, values reflect those of the Default profile only, unless otherwise noted.
Page 291: Selecting Profiles
Selecting Profiles To change the deployment profile, you must first select the new profile and then reboot the switch. Note: Before changing profiles, it is recommended that you save the active switch configuration to a backup file so that it may be restored later if desired. When you select a profile, you will see a warning message. For example, if you select the ACL profile, you will see the following message: Warning: Setting boot profile to "ACL" will cause FIPS, IPv6 and VM ACL configuration to be lost in next boot and error messages will be displayed when above configurations are restored. Next boot will use "ACL" profile. To view the current deployment profile, use the following command: RS G8264# show boot Use the following commands to change the deployment profile: RS G8264(config)# boot profile {default|openflow|acl} (Select deployment profile) RS G8264(config)# exit (To privileged EXEC mode) RS G8264# reload (Reboot the switch) When using a specialized profile, menus and commands are unavailable for features that are not supported under the profile. Such menus and commands will be available again only when a supporting profile is used. Note: Deployment profiles other than those listed in this section should be used only under the direction of your support personnel. © Copyright Lenovo 2016 Chapter 16: Deployment Profiles...
Page 292: Automatic Configuration Changes
Automatic Configuration Changes When a new profile is loaded, configuration settings for any unsupported features will be ignored. However, these settings are retained in memory until you change or save the current configuration under the new profile. Until then, you can return to the old profile with all prior configuration settings intact. Once you change or save the configuration under a new profile, any configuration settings related to unsupported features will be reset to their default values. At that point, you will have to reconfigure these settings or use a backup configuration if you reapply the old profile. For example, when using the ACL profile, because IPv6 is not supported in that mode, IPv6 settings will be excluded when the configuration is saved. Then, if returning to the Default profile, it will be necessary to reconfigure the IPv6 settings, or to use the backup configuration. G8264 Application Guide for ENOS 8.4...
Page 293: Chapter 17. Virtualization
With VLAGs, two switches can act as a single logical device for the purpose of establishing port aggregation. Active LAG links from one device can lead to both VLAG peer switches, providing enhanced redundancy, including active‐active VRRP configuration. For details on this feature, see Chapter 12, “Virtual Link Aggregation Groups.”  Stacking Multiple switches can be aggregated into a single super‐switch, combining port capacity while at the same time simplifying their management. Enterprise NOS 8.4 supports one stack with up to eight switches. For details on this feature, see Chapter 18, “Stacking.”  Virtual Network Interface Card (vNIC) support Some NICs, such as the Emulex Virtual Fabric Adapter, can virtualize NIC resources, presenting multiple virtual NICs to the server’s OS or hypervisor. Each vNIC appears as a regular, independent NIC with some portion of the physical NIC’s overall bandwidth. Enterprise NOS 8.4 supports up to four vNICs over each server‐side switch port. For details on this feature, see Chapter 19, “Virtual NICs”.  VMready The switch’s VMready software makes it virtualization aware. Servers that run hypervisor software with multiple instances of one or more operating systems can present each as an independent virtual machine (VM). With VMready, the switch automatically discovers virtual machines (VMs) connected to switch. For details on this feature, see Chapter 20, “VMready.”  Unified Fabric Port (UFP) An architecture that logically subdivides a high‐speed physical link connecting to a server NIC. UFP provides a switch fabric component to control the NIC. For details on this feature, see Chapter 25, “Unified Fabric Port”. © Copyright Lenovo 2016...
Page 294  Edge Virtual Bridging (EVB) An IEEE 802.1Qbg standard that simplifies network management by providing a standards‐based protocol that defines how virtual Ethernet bridges exchange configuration information. EVB bridges the gap between physical and virtual network resources by allowing networks to become virtual machine (VM)‐aware. For details on this feature, see Chapter 22, “Edge Virtual Bridging.” ENOS virtualization features provide a highly‐flexible framework for allocating and managing switch resources. G8264 Application Guide for ENOS 8.4...
Page 295: Chapter 18. Stacking
Chapter 18. Stacking This chapter describe how to implement the stacking feature in the Lenovo RackSwitch G8264. The following concepts are covered:  “Stacking Overview” on page 296  “Stack Membership” on page 298  “Configuring a Stack” on page 302  “Managing the Stack” on page 309  “Upgrading Software in an Existing Stack” on page 311  “Replacing or Removing Stacked Switches” on page 313 “Saving Syslog Messages” on page 317   “ISCLI Stacking Commands” on page 319 © Copyright Lenovo 2016...
Page 296: Stacking Overview
Stacking Overview A stack is a group of up to eight RackSwitch G8264 switches with Lenovo Enterprise Network Operating System that work together as a unified system. A stack has the following properties, regardless of the number of switches included:  The network views the stack as a single entity.  The stack can be accessed and managed as a whole using standard switch IP interfaces configured with IPv4 addresses.  The CLI for Individual Member switches is available via the Master switch serial console, or using remote Telnet/SSH access to the Master. Once the stacking links have been established (see the next section), the number  of ports available in a stack equals the total number of remaining ports of all the switches that are part of the stack.  The number of available IP interfaces, VLANs, LAGs, LAG Links, and other switch attributes are not aggregated among the switches in a stack. The totals for the stack as a whole are the same as for any single switch configured in stand‐alone mode. A maximum of 4095 VLANs are supported in stand‐alone mode, and a maximum of 2048 VLANs are supported in stacking mode. Stacking Requirements Before Enterprise NOS switches can form a stack, they must meet the following requirements:  All switches must be the same model (RackSwitch G8264).  Each switch must be installed with ENOS, version 8.4 or later. The same release version is not required, as the Master switch will push a firmware image to each differing switch which is part of the stack.  The recommended stacking topology is a bidirectional ring (see Figure 25 on page 304). To achieve this, two 10Gb or two 40 Gb Ethernet ports on each switch must be reserved for stacking. By default, 10Gb or 40Gb Ethernet ports 1 and 5 are used.
Page 297: Stacking Limitations
 OSPF and OSPFv3 Port flood blocking   Precision Time Protocol (PTP) Protocol‐based VLANs    Root Guard  Router IDs  Route maps  sFlow port monitoring  Static MAC address adding  Static multicast   Uni‐Directional Link Detection (UDLD)  Unified Fabric Port (UFP) VLAG   Virtual Router Redundancy Protocol (VRRP) Note: In stacking mode, switch menus and command for unsupported features may be unavailable, or may have no effect on switch operation. © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 298: Stack Membership
Stack Membership A stack contains up to eight switches, interconnected by a stack LAG in a local ring topology (see Figure 25 on page 304). With this topology, only a single stack link failure is allowed. An operational stack must contain one Master and one or more Members, as follows: Master  One switch controls the operation of the stack and is called the Master. The Master provides a single point to manage the stack. A stack must have one and only one Master. The firmware image, configuration information, and run‐time data are maintained by the Master and pushed to each switch in the stack as necessary. Member  Member switches provide additional port capacity to the stack. Members receive configuration changes, run‐time information, and software updates from the Master.  Backup One member switch can be designated as a Backup to the Master. The Backup takes over control of the stack if the Master fails. Configuration information and run‐time data are synchronized with the Master. The Master Switch An operational stack can have only one active Master at any given time. In a normal stack configuration, one switch is configured as a Master and all others are configured as Members. When adding new switches to an existing stack, the administrator must explicitly configure each new switch for its intended role as a Master (only when replacing a previous Master) or as a Member. All stack configuration procedures in this chapter depict proper role specification. However, although uncommon, there are scenarios in which a stack may temporarily have more than one Master switch. If this occurs, the switch with the lowestMAC address will be chosen as the active Master for the entire stack. The selection process is designed to promote stable, predictable stack operation and minimize stack reboots and other disruptions.
Page 299: Merging Independent Stacks
Master for the entire stack. Merging Independent Stacks If switches from different stacks are linked together in a stack topology without first reconfiguring their roles as recommended, it is possible that more than one switch in the stack might be configured as a Master. Although all switches which are configured for stacking and joined by stacking links are recognized as potential stack participants by any operational Master switches, they are not brought into operation within the stack until explicitly assigned (or “bound”) to a specific Master switch. Consider two independent stacks, Stack A and Stack B, which are merged into one stacking topology. The stacks will behave independently until the switches in Stack B are bound to Master A (or vice versa). In this example, once the Stack B switches are bound to Master A, Master A will automatically reconfigure them to operate as Stack A Members, regardless of their original status within Stack B. However, for purposes of future Backup selection, reconfigured Masters retain their identity as configured Masters, even though they otherwise act as Members. In case the configured Master goes down and the Backup takes over as the new Master, these reconfigured Masters become the new Backup. When the original configured Master of the stack boots up again, it acts as a Member. This is one way to have multiple backups in a stack. © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 300: Backup Switch Selection
Backup Switch Selection An operational stack can have one optional Backup at any given time. Only the Backup specified in the active Master’s configuration is eligible to take over current stack control when the Master is rebooted or fails. The Master automatically synchronizes configuration settings with the specified Backup to facilitate the transfer of control functions. The Backup retains its status until one of the following occurs: The Backup setting is deleted or changed using the following commands from  the active Master: RS G8264(config)# no stack backup ‐or‐ RS G8264(config)# stack backup <csnum 1‐8>  A new Master assumes operation as active Master in the stack, and uses its own configured Backup settings.  The active Master is rebooted with the boot configuration set to factory defaults (clearing the Backup setting). Master Failover When the Master switch is present, it controls the operation of the stack and pushes configuration information to the other switches in the stack. If the active Master fails, then the designated Backup (if one is defined in the Master’s configuration) becomes the new acting Master and the stack continues to operate normally. Secondary Backup When a Backup takes over stack control operations, if any other configured Masters (acting as Member switches) are available within the stack, the Backup will select one as a secondary Backup. The primary Backup automatically reconfigures the secondary Backup and specifies itself (the primary Backup) as the new Backup in case the secondary fails. This prevents the chain of stack control from migrating too far from the original Master and Backup configuration intended by the administrator. Master Recovery If the prior Master recovers in a functioning stack where the Backup has assumed ...
Page 301: No Backup
No Backup If a Backup is not configured on the active Master, or the specified Backup is not operating, then if the active Master fails, the stack will reboot without an active Master. When a group of stacked switches are rebooted without an active Master present, the switches are considered to be isolated. All isolated switches in the stack are placed in a WAITING state until a Master appears. During this WAITING period, all the ports, except the management port and stacking ports, of these Member switches are placed into operator‐disabled state. Without the Master, a stack cannot respond correctly to networking events. Stack Member Identification Each switch in the stack has two numeric identifiers, as follows:  Attached Switch Number (asnum) An asnum is automatically assigned by the Master switch, based on each Member switch’s physical connection in relation to the Master. The asnum is mainly used as an internal ID by the Master switch and is not user‐configurable. Configured Switch Number (csnum):  The csnum is the logical switch ID assigned by the stack administrator. The csnum is used in most stacking‐related configuration commands and switch information output. It is also used as a port prefix to distinguish the relationship between the ports on different switches in the stack. It is recommended that asnum 1 and csnum 1 be used for identifying the Master switch. By default, csnum 1 is assigned to the Master. If csnum 1 is not available, the lowest available csnum is assigned to the Master. © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 302: Configuring A Stack
Configuring a Stack Notes:  When stacking mode is enabled on the switch, the configuration is reset to factory default and the port numbering changes. When a switch mode is changed from standalone to stack or from stack to  standalone, the active and backup configuration will be erased. We recommended that you save the configuration to an external device before changing the switch mode. Configuration Overview This section provides procedures for creating a stack of switches. The high‐level procedure is as follows:  Configure the stack settings to be available after the next reboot: Choose one Master switch for the entire stack.  Set all stack switches to stacking mode.  Configure the same stacking VLAN for all switches in the stack.  Configure the desired stacking interlinks.  Configure a management interface.   Reboot the Master switch.  Configure the stack after the reboot: Bind Member switches to the Master.  Assign a Backup switch.  These tasks are covered in detail in the following sections. Best Configuration Practices The following are guidelines for building an effective switch stack: ...
Page 303: Stacking Vlans
Configuring Each Switch for the Stack To configure each switch for stacking, connect to each switch via its console or management interface and perform the following steps. Note: IPv6 is not supported in stacking mode. IP interfaces must use IPv4 addressing for proper stack configuration. 1. On each switch, enable stacking: RS G8264(config)# boot stack enable 2. On each switch, set the stacking membership mode. By default, each switch is set to Member mode. However, one switch must be set to Master mode. Use the following command on only the designated Master switch: RS G8264(config)# boot stack mode master Note: If any Member switches are incorrectly set to Master mode, use the mode member option to set them back to Member mode. 3. On each switch, configure the stacking VLAN (or use the default setting). Although any VLAN (except VLAN 1) may be defined for stack traffic, it is highly recommended that the default, VLAN 4090 as shown in the following example, be reserved for stacking. RS G8264(config)# boot stack vlan 4090 4. On each switch, designate the stacking links. If using the 2 x 40Gb ports as stacking links, first convert the 40Gb ports from their default 4x10Gb mode of operation to 40Gb mode. See: “Configuring QSFP+ Ports” on page 174. © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 304 To create the recommended topology, dedicate at least two 10Gb or 40Gb ports on each switch to stacking. By default, 10Gb or 40Gb Ethernet ports 1 and 5 are used. Use the following command to specify the links to be used in the stacking LAG: RS G8264(config)# boot stack higigtrunk <list of port names or aliases> Notes:  Ports configured as Server ports for use with VMready cannot be designated as stacking links.  You must configure all higig ports as 10Gb or 40 Gb ports. 5. On each switch, perform a reboot: RS G8264(config)# reload 6. Physically connect the stack LAGs. To create the recommended topology, attach the two designated stacking links in a bidirectional ring. As shown in Figure 25, connect each switch in turn to the next, starting with the Master switch. To complete the ring, connect the last Member switch back to the Master. Figure 25. Example of Stacking Connections Master Switch Member Switches Switch connected in bidirectional Member ring topology Switch Member Switch Note: The stacking feature is designed such that the stacking links in a ring topology do not result in broadcast loops. The stacking ring is thus valid (no ...
Page 305: Configuring A Management Ip Interface
Configuring a Management IP Interface For remote management, each switch in a stack can be configured with a management IP interface. To configure the interface, associate the desired IP address with the switch’s MAC address as follows: RS G8264(config)# interface ip 128 RS G8264(configipif)# mac <switch MAC address> ip address <IPv4 address> <subnet mask> RS G8264(configipif)# mac <switch MAC address> enable To provide continuous Management IP reachability in the event of Master node failover, an additional floating Management IP address can be set up on the management interfaces. The floating Management IP address will be used by the backup switch when taking over management from the failed master node. To configure the floating Management IP address, use the following command: RS G8264(config)# interface ip 128 RS G8264(configipif)# floating ip address <IPv4 address> <subnet mask> The Management IP and floating Management IP addresses on the master switch, as well as the Management IP address on the backup switch, must be in the same subnet. The gateway configuration for the management interface also works for the floating IP address. No additional gateway is required for the floating IP address. When a floating IP is defined, both the master and backup management interfaces must be defined. © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 306: Additional Master Configuration
Additional Master Configuration Once the stack links are connected, access the management IP interface of the Master switch (assigned by the management system) and complete the configuration. Viewing Stack Connections To view information about the switches in a stack, execute the following command: RS G8264(config)# show stack switch Stack name: GP_STK Local switch is the master. Local switch: csnum 2 MAC fc:cf:62:9d:4f:00 Switch Type 11 (G8264) Switch Mode (cfg) Master Priority 225 Stack MAC fc:cf:62:9d:4f:1f Master switch: csnum 2 MAC fc:cf:62:9d:4f:00 Backup switch: csnum 3 MAC 34:40:b5:3f:0b:00 Configured Switches: csnum MAC asnum C1 34:40:b5:3f:1d:00 A2 C2 fc:cf:62:9d:4f:00 A1 C3 34:40:b5:3f:0b:00 A5 C4 34:40:b5:41:76:00 A4 C5 34:40:b5:40:bc:00 A3 Attached Switches in Stack: asnum MAC csnum State A1 fc:cf:62:9d:4f:00 C2 IN_STACK A2 34:40:b5:3f:1d:00 C1 IN_STACK A3 34:40:b5:40:bc:00 C5 IN_STACK...
Page 307 C1 74:99:75:d1:fc:00 A1 C2 74:99:75:d0:99:00 A2 C3 74:99:75:d1:e9:00 A3 C4 00:00:00:00:00:00 C5 00:00:00:00:00:00 Attached Switches in Stack: asnum MAC csnum State A1 74:99:75:d1:fc:00 C1 IN_STACK A2 74:99:75:d0:99:00 C2 IN_STACK A3 74:99:75:d1:e9:00 C3 IN_STACK Stack Links: asnum Port csnum MAC Link A1 1:1 C1 74:99:75:d1:fc:00 up A1 1:5 C1 74:99:75:d1:fc:00 down A2 2:1 C2 74:99:75:d0:99:00 up A2 2:5 C2 74:99:75:d0:99:00 up A3 3:1 C3 74:99:75:d1:e9:00 down A3 3:5 C3 74:99:75:d1:e9:00 up Switch Firmware Versions: asnum csnum MAC S/W Version Serial # A1 C1 74:99:75:d1:fc:00 image1 8.4.0.1 Y010CM34L173 A2 C2 74:99:75:d0:99:00 image1 8.4.0.1 Y010CM34L184 A3 C3 74:99:75:d1:e9:00 image1 8.4.0.1 Y010CM34L196 RS G8264(config)# © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 308: Binding Members To The Stack
RS G8264(config)# show stack attachedswitches Attached Switches in Stack: asnum MAC csnum State A1 74:99:75:d1:fc:00 C1 IN_STACK A2 74:99:75:d0:99:00 C2 IN_STACK A3 74:99:75:d1:e9:00 C3 IN_STACK RS G8264(config)# Binding Members to the Stack You can bind Member switches to a stack csnum using either their asnum or MAC address : RS G8264(config)# stack switchnumber <csnum> mac <MAC address> ‐or‐ RS G8264(config)# stack switchnumber <csnum> bind <asnum> To remove a Member switch, execute the following command: RS G8264(config)# no stack switchnumber <csnum> To bind all units of a stack, use the command: RS G8264(config)# stack bind The stack bind command automatically assigns switch numbers to all attached switches in the stack that do not yet have a number assigned. Assigning a Stack Backup Switch To define a Member switch as a Backup (optional) which will assume the Master role if the Master switch fails, execute the following command: RS G8264(config)# stack backup <csnum> G8264 Application Guide for ENOS 8.4...
Page 309: Managing The Stack
Rebooting Stacked Switches using the BBI The Configure > System > Config/Image Control window allows the administrator to perform a reboot of individual switches in the stack, or the entire stack. The following table describes the stacking Reboot buttons. Table 29. Stacking Boot Management buttons Field Description Reboot Stack Performs a software reboot/reset of all switches in the stack. The software image specified in the Image To Boot drop‐down list becomes the active image. Reboot Master Performs a software reboot/reset of the Master switch. The software image specified in the Image To Boot drop‐down list becomes the active image. Reboot Switches Performs a reboot/reset on selected switches in the stack. Select one or more switches in the drop‐down list, and click Reboot Switches. The software image specified in the Image To Boot drop‐down list becomes the active image. The Update Image/Cfg section of the window applies to the Master. When a new software image or configuration file is loaded, the file first loads onto the Master, and the Master pushes the file to all other switches in the stack, placing it in the © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 310: Accessing The Member Switch Cli
Accessing the Member Switch CLI For easier administration, you can use the Master switch to access the CLI of any Member switch. Use this feature to display specific Member switch information such as log messages, system information, and statistics. Member CLI access is available regardless of whether the Member switch is operating in the attached state (prior to joining the stack), or in the active state (having received a configured switch number). Member CLI access is available even without an assigned IP address or a physical connection to the serial console on the Member. To use this feature, log in to the Master switch (via its local serial console or through a remote Telnet or SSH connection) and issue the following command: RS G8264# connect <asnum> where asnum is the attached switch number of the target Member switch. For example, to access the Member switch identified by attached switch number 3, enter the following command: RS G8264# connect 3 Connecting via DATA port. Connected to 127.117.210.5. Escape character is '^]'. Lenovo Networking Operating System RackSwitch G8264, Stack. Enter login username: Log in to the Member switch as usual. If the Member switch is in the active state (after successfully joining the stack), the prompt will include the Member’s configured switch number (csnum), which may be different from the assigned switch number (asnum): RS G82643> To return to the Master switch prompt, log out of the Member switch. G8264 Application Guide for ENOS 8.4...
Page 311: Upgrading Software In An Existing Stack
 From the ISCLI, use following command to verify the software push: RS G8264(config)# show stack pushstatus Image 1 transfer status info: Switch 00:16:60:f9:33:00: last receive successful Switch 00:17:ef:c3:fb:00: not received file not sent or transfer in progress Image 2 transfer status info: Switch 00:16:60:f9:33:00: last receive successful Switch 00:17:ef:c3:fb:00: last receive successful Boot image transfer status info: Switch 00:16:60:f9:33:00: last receive successful Switch 00:17:ef:c3:fb:00: last receive successful Config file transfer status info: Switch 00:16:60:f9:33:00: last receive successful Switch 00:17:ef:c3:fb:00: last receive successful 3. Reboot all switches in the stack. Use either the ISCLI or the BBI.  From the BBI, select Configure > System > Config/Image Control. Click Reboot Stack.  From the ISCLI, use the following command: RS G8264(config)# reload © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 312 4. Once the switches in the stack have rebooted, verify that all of them are using the same version of firmware. Use either the ISCLI or the BBI.  From the BBI, open Dashboard > Stacking > Stack Switches and view the Switch Firmware Versions Information from the Attached Switches in Stack.  From the ISCLI, use the following command: RS G8264(config)# show stack version Switch Firmware Versions: asnum csnum MAC S/W Version Serial # A1 C2 fc:cf:62:9d:4f:00 image1 8.4.0.1 US7042001C A2 C1 34:40:b5:3f:1d:00 image1 8.4.0.1 Y250VT215167 A3 C5 34:40:b5:40:bc:00 image1 8.4.0.1 Y250VT21S410 A4 C4 34:40:b5:41:76:00 image1 8.4.0.1 Y250VT21S409 A5 C3 34:40:b5:3f:0b:00 image1 8.4.0.1 Y250VT215168 G8264 Application Guide for ENOS 8.4...
Page 313: Replacing Or Removing Stacked Switches
2. If removing a Master switch, make sure that a Backup switch exists in the stack, then turn off the Master switch. This will force the Backup switch to assume Master operations for the stack. 3. Remove the stack link cables from the old switch only. 4. Disconnect all network cables from the old switch only. 5. Remove the old switch. Installing the New Switch or Healing the Topology If using a ring topology, but not installing a new switch for the one removed, close the ring by connecting the open stack links together, essentially bypassing the removed switch. Otherwise, if replacing the removed switch with a new unit, use the following procedure: Make sure the new switch meets the stacking requirements on page 296. 2. Place the new switch in its determined place according to the RackSwitch G8264 Installation Guide. 3. Connect to the ISCLI of the new switch (not the stack interface). 4. Enable stacking: RS G8264(config)# boot stack enable © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 314 5. Set the stacking mode. By default, each switch is set to Member mode. However, if the incoming switch has been used in another stacking configuration, it may be necessary to ensure the proper mode is set.  If replacing a Member or Backup switch: RS G8264(config)# boot stack mode member If replacing a Master switch:  RS G8264(config)# boot stack mode master 6. Configure the stacking VLAN on the new switch, or use the default setting. Although any VLAN may be defined for stack traffic, it is highly recommended that the default, VLAN 4090, be reserved for stacking, as shown in the following command. RS G8264(config)# boot stack vlan 4090 7. Designate the stacking links. It is recommended that you designate the same number of 10Gb or 40Gb ports for stacking as the switch being replaced. By default, 10Gb or 40Gb Ethernet ports 1 and 5 are used. At least one 10Gb or 40Gb port is required. Use the following command to specify the links to be used in the stacking LAG: RS G8264(config)# boot stack higigtrunk <list of port names or aliases> 8. Attach the required stack link cables to the designated stack links on the new switch. 9. Attach the desired network cables to the new switch. 10. Reboot the new switch: RS G8264(config)# reload When the new switch boots, it will join the existing stack. Wait for this process to complete. G8264 Application Guide for ENOS 8.4...
Page 315: Binding The New Switch To The Stack
Performing a Rolling Reload or Upgrade You can perform a sequential reload or upgrade, otherwise known as a staggered or rolling reload or upgrade, to avoid the need for an overall outage. With a rolling reload or upgrade, some of the hardware stays up at all times. This approach differs from the traditional image upgrade that requires manual image downloads and install to individual switches, which then requires the entire logical switch reboot. After the firmware is copied to all members of the stack, the rolling reload or upgrade process automatically reboots all switches sequentially in the following order: Backup switch   Master switch  Other stack members, from lowest to highest csnum During the rolling firmware reload or upgrade process, there will be continuous connectivity to the upstream network. From the point of view of the stack, it is as though a series of switch and uplink failures are occurring. When the design is cabled and configured properly, the environment redirects traffic. For detailed instructions on upgrading and rebooting, see Chapter 3, “Switch Software Management.” Starting a Rolling Reload To start a rolling reload, use the command: RS G8264(config)# reload staggered [delay <minutes>] where delay is an integer from 2 to 20 representing the time delay in minutes between switch reboots. The default value is one minute between switch reboots. © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 316: Starting A Rolling Upgrade
Starting a Rolling Upgrade To start a rolling upgrade, use the command: RS G8264(config)# copy {tftp|ftp|sftp} {image1|image2} {address <IP address>} {filename <image filename>} staggeredupgrade [delay <minutes>] where: tftp, ftp, sftp  is the protocol for copying image1, image2 is the image to which the firmware is being copied  address  is the IP address from which the firmware is being copied delay  is the delay between each reload, in minutes To upgrade both the boot and the firmware images: 1. Load the boot image with a non‐staggered copy: RS G8264(config)# copy {tftp|ftp|sftp} bootimage {address <IP address>} {filename <image filename>} 2. Load the firmware image with a staggered copy: RS G8264(config)# copy {tftp|ftp|sftp} {image1|image2} {address <IP address>} {filename <image filename>} staggeredupgrade [delay <minutes>] G8264 Application Guide for ENOS 8.4...
Page 317: Saving Syslog Messages
RS G8264(config)# show logging [swn <configured‐switch‐number>] [{messages | reverse | severity <0‐7>}] where: <configured‐switch‐number> The configured switch number. If no number is supplied, the command applies to the master switch. messages show last 2000 syslog messages reverse show syslog information in reverse priority order severity <0‐7> show messages of a specific severity level For example, to retrieve the last 2000 syslog messages of severity 4 or greater from switch 3, enter: RS G8052(config)# show logging swn 3 severity 4 To retrieve the contents of the log files stored on flash on a specified switch in the stack and copy that information to an external host using the specified protocol (SFTP or TFTP). In case the feature of saving log to flash is disabled, this command must be rejected. To copy syslog content to an external host using SFTP or TFTP, use the command: RS G8264(config)# copy log {swn <switch number>] stfp | {tftp [address <address>] [filename <file>] where: <switch number> The configured switch number. If no number is supplied, the command applies to the master switch. address The IP address of the TFTP host file The filename on the TFTP host © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 318 For example: RS G8264(config)# copy log tftp 192.168.1.85 // Copy logs from clients on the master RS G8264(config)# copy log swn 3 tftp 10.10.10.1 // Copy logs from stack member 3 To configure up to two external hosts to log stack errors, use the command: RS G8264(config)# logging host <host instance> {address <address> | facility <facility> | severity <severity> where <host instance> the host instance; either 1 or 2. <address> the IP address of the host being logged <facility> the facility (0‐7) of the logs being written to external syslog servers <severity> the severity (0‐7) of the logs being written to external syslog servers To enable console output of syslog messages, use the command: RS G8264(config)# logging console severity <severity> where <severity> configures the severity of logs to be sent to the console. To configure the severity of syslogs written to flash, use the command: RS G8264(config)# logging buffer severity <severity> where <severity> configures the severity of logs to be written to flash. G8264 Application Guide for ENOS 8.4...
Page 319: Iscli Stacking Commands
 show logging [swn <configured‐switch‐number>] [ { messages | reverse  | severity <0‐7>}] show stack attachedswitches  show stack backup  show stack dynamic  show stack link  show stack name  show stack pathmap [<csnum>]  show stack pushstatus  show stack switch  show stack switchnumber [<csnum>]  show stack version  stack backup <csnum>  stack name <word>  stack switchnumber <csnum> bind <asnum>  stack switchnumber <csnum> mac <MAC address>  © Copyright Lenovo 2016 Chapter 18: Stacking...
Page 320 G8264 Application Guide for ENOS 8.4...
Page 321: Chapter 19. Virtual Nics
VNIC Hypervisor Multiple Virtual Pipes Switch 2 VNIC VNIC VNIC VNIC A G8264 with Lenovo Enterprise Network Operating System 8.4 supports the Emulex Virtual Fabric Adapter (VFA) to provide the following vNIC features:  Up to four vNICs are supported on each server port. vNICs can be grouped together, along with regular server ports, uplink ports, or  LAGs, to define vNIC groups for enforcing communication boundaries.  In the case of a failure on the uplink ports associated with a vNIC group, the switch can signal affected vNICs for failover while permitting other vNICs to continue operation. Each vNIC can be independently allocated a symmetric percentage of the  10Gbps bandwidth on the link (from NIC to switch, and from switch to NIC). The G8264 can be used as the single point of vNIC configuration as long as the  Emulex NIC is working in Lenovo Virtual Fabric mode. The following restrictions apply to vNICs:  vNICs are not supported simultaneously with VM groups (see Chapter 20, “VMready”) on the same switch ports. By default, vNICs are disabled. As described in the following sections, the administrator must first define server ports prior to configuring and enabling vNICs as discussed in the rest of this section. © Copyright Lenovo 2016...
Page 322: Defining Server Ports
Defining Server Ports vNICs are supported only on ports connected to servers. Before you configure vNICs on a port, the port must first be defined as a server port using the following command: RS G8264(config)# system serverports port <port alias or number> Ports that are not defined as server ports are considered uplink ports and do not support vNICs. Enabling the vNIC Feature The vNIC feature can be globally enabled using the following command: RS G8264(config)# vnic enable G8264 Application Guide for ENOS 8.4...
Page 323: Vnic Ids
IDs on the Switch On the switch, each vNIC is identified by its port and vNIC number as follows: <port number or alias>.<vNIC pipe number (1‐4)> For example: 1.1, 1.2, 1.3, and 1.4 represent the vNICs on port 1. 2.1, 2.2, 2.3, and 2.4 represent the vNICs on port 2, etc. These vNIC IDs are used when adding vNICs to vNIC groups, and are shown in some configuration and information displays. vNIC Interface Names on the Server When running in virtualization mode, the Emulex Virtual Fabric Adapter presents eight vNICs to the OS or hypervisor (four for each of the two physical NIC ports). Each vNIC is identified in the OS or hypervisor with a different vNIC function number (0‐7). vNIC function numbers correlate to vNIC IDs on the switch as follows: Table 30. vNIC ID Correlation PCIe vNIC vNIC Function ID Port Pipe In this, the x in the vNIC ID represents the switch port to which the NIC port is connected. © Copyright Lenovo 2016 Chapter 19: Virtual NICs...
Page 324: Vnic Bandwidth Metering
Bandwidth Metering ENOS 8.4 supports bandwidth metering for vNIC traffic. By default, each of the four vNICs on any given port is allowed an equal share (25%) of NIC capacity when enabled. However, you may configure the percentage of available switch port bandwidth permitted to each vNIC. vNIC bandwidth can be configured as a value from 1 to 100, with each unit representing 1% (or 100Mbps) of the 10Gbps link. By default, each vNICs enabled on a port is assigned 25 units (equal to 25% of the link, or 2.5Gbps). When traffic from the switch to the vNIC reaches its assigned bandwidth limit, the switch will drop packets egressing to the affected vNIC. Likewise, if traffic from the vNIC to the switch reaches its limit, the NIC will drop egress of any further packets. When traffic falls to less than the configured thresholds, traffic resumes at its allowed rate. To change the bandwidth allocation, use the following commands: RS G8264(config)# vnic port <port alias or number> index <vNIC number (1‐4)> RS G8264(vnicconfig)# bandwidth <allocated percentage> Note: vNICs that are disabled are automatically allocated a bandwidth value of 0. A combined maximum of 100 units can be allocated among vNIC pipes enabled for any specific port (bandwidth values for disabled pipes are not counted). If more than 100 units are assigned to enabled pipes, an error will be reported when attempting to apply the configuration. The bandwidth metering configuration is synchronized between the switch and vNICs. Once configured on the switch, there is no need to manually configure vNIC bandwidth metering limits on the NIC as long as it is in Lenovo Virtual Fabric mode. G8264 Application Guide for ENOS 8.4...
Page 325: Vnic Uplink Modes
Uplink Modes The switch supports two modes for configuring the vNIC uplinks: dedicated mode and shared mode. The default is the dedicated mode. To enable the shared mode, enter the following command: RS G8264(config)# vnic uplinkshare In the dedicated mode, only one vNIC group is assigned to an uplink port. This port can be a regular port or a LAG port. The NIC places an outer tag on the vNIC group packets. This outer tag contains the vNIC group VLAN. The uplink NIC strips off the outer tag before sending out the packet. For details, see “vNIC Groups in Dedicated Mode” on page 329. In the shared mode, multiple vNIC groups can be assigned to an uplink port. This port can be a regular port or a LAG port. The vNIC groups share the uplink. You may assign a few vNIC groups to share an uplink and the other vNIC groups to have a single uplink each. In either case, the switch still operates in shared mode. As in the dedicated mode, the NIC places an outer tag on the vNIC group packets. This outer tag contains the vNIC group VLAN. The uplink NIC does not strip off the outer tag. The vNIC group tag defines the regular VLAN for the packet.This behavior is particularly useful in cases where the downstream server does not set any tag. Effectively, each vNIC group is a VLAN, which you can assign by configuring the VLAN to the vNIC group. You must enable the tag configuration on the uplink port. For details, see “vNIC Groups in Shared Mode” on page 329. © Copyright Lenovo 2016 Chapter 19: Virtual NICs...
Page 326 The following table compares the configurations of the two modes. Table 31. Comparison: Dedicated Mode vs. Shared Mode Configuration Dedicated Mode Shared Mode Area Port “tagpvid” must be disabled. “tagpvid” is user configurable. “pvid” = vNIC group VLAN. “pvid” is user configurable. “tag” is user configurable. “tag” must be enabled. Port can be added only to the Port can be added to multiple VLANs vNIC group VLAN. in addition to the vNIC group VLANs that are automatically config‐ ured. Inserts vNIC group VLAN in the Inserts regular VLAN in the outer outer tag of ingress packets. tag. VLAN tags are passed to and received from the uplink switch sim‐ ilar to vNIC ports. To handle untagged packets, con‐ figure the pvid/native VLAN of the uplink port to one of the vNIC group VLANs, and disable “tagpvid”. VLAN Add the port to a vNIC group Add the port to all vNIC group VLAN and delete it from any VLANs that are sharing the port. Do other VLAN when the vNIC not remove it from any other VLAN. group VLAN is enabled.
Page 327: Lacp Lags
LACP LAGs The uplink used by vNIC groups can be a regular port, static LAG, or a dynamic LAG. If you are using a dynamic LAG for the uplink, you must configure the same LACP admin key for the vNIC uplink ports you want to group as a LAG on the upstream switch. You cannot connect these vNIC uplink ports to multiple upstream switches unless these switches are a single logical switch from LAG perspective. Use the following commands to add the LACP LAG as the uplink for a vNIC group. RS G8264(config)# vnic vnicgroup <vNIC group number> RS G8264(vnicgroupconfig)# key <LACP admin key> © Copyright Lenovo 2016 Chapter 19: Virtual NICs...
Page 328: Vnic Groups
vNIC Groups vNICs can be grouped together, along with uplink ports and LAGs, as well as other ports that were defined as server ports but not connected to vNICs. Each vNIC group is essentially a separate virtual network within the switch. Elements within a vNIC group have a common logical function and can communicate with each other, while elements in different vNIC groups are separated. ENOS 8.4 supports up to 32 independent vNIC groups. The VLAN configured for the vNIC group will be automatically assigned to member vNICs, ports, and LAGs must not be manually configured for those elements. Note: Once a VLAN is assigned to a vNIC group, that VLAN is used only for vNIC purposes and is no longer available for configuration. Likewise, any VLAN configured for regular purposes cannot be configured as a vNIC group VLAN. Other vNIC group rules are as follows: vNIC groups may have one or more vNIC members. However, any given vNIC  can be a member of only one vNIC group.  All vNICs on a given port must belong to different vNIC groups.  Uplink ports which are part of a LAG may not be individually added to a vNIC group. Only one individual uplink port, one static LAG (consisting of multiple uplink ports), or one dynamic LAG may be added to any given vNIC group.  In dedicated mode, for any switch ports or port LAG connected to regular (non‐vNIC) devices: These elements can be placed in only one vNIC group (they cannot be  members of multiple vNIC groups). Once added to a vNIC group, the PVID for the element is automatically set to  use the vNIC group VLAN number, and PVID tagging on the element is automatically disabled. By default, STP is disabled on non‐server ports or LAGs added to a vNIC  group. STP cannot be re‐enabled on the port.  Because regular, inner VLAN IDs are ignored by the switch for traffic in vNIC groups, following rules and restrictions apply: The inner VLAN tag may specify any VLAN ID in the full, supported range (1 ...
Page 329: Vnic Groups In Dedicated Mode
Ignores regular VLAN strip outer tag Outbound Packet Switching uses outer tag; Switch retains Outer tag sets vNIC; Ignores regular VLAN outer tag NIC strips outer tag Inbound Packet Within the G8264, all Layer 2 switching for packets within a vNIC group is based on the outer vNIC group VLAN. The G8264 does not consider the regular, inner VLAN ID (if any) for any VLAN‐specific operation. © Copyright Lenovo 2016 Chapter 19: Virtual NICs...
Page 330 The outer vNIC group VLAN is not removed by the switch before the packet egresses any internal port or external uplink port. For untagged packets sent by the server, the uplink NIC uses this outer tag to switch the packet to destined VLAN. The shared mode is useful in cases where the multiple vNIC groups need to share an uplink port. The vNIC group tag defines the user VLAN. Following is an use case: An ESX server is presented with eight vNICs used with four virtual switches of the ESX host and with no tagged port groups. A pair of odd/even vNICs is placed within each virtual switch. On the G8264, four vNIC groups are created and the desired VLAN for each vNIC group is configured. For example, if vNIC group 1 on the G8264 has four interfaces: 1.1, 2.1, 3.1, 4.1. vNIC group 1 is configured with VLAN 10. Packets coming from any VM connecting with the virtual switch that VMNIC 2 and 3 will be assigned with VLAN 10. These packets go out the uplink with VLAN 10 tag. The upstream switch sends these packets to the desired destination on VLAN 10. G8264 Application Guide for ENOS 8.4...
Page 331: Vnic Teaming Failover
Port 2 Port 11 VNIC VNIC VNIC VNIC Hypervisor Port 1 link failure automatically disables associated server ports, To Backup prompting failover on all VMs Switch To avoid disrupting vNICs that have not lost their uplinks, ENOS 8.4 and the Emulex Virtual Fabric Adapter provide vNIC‐aware failover. When a vNIC group’s uplink ports fail, the switch cooperates with the affected NIC to prompt failover only on the appropriate vNICs. This allows the vNICs that are not affected by the failure to continue without disruption (see Figure 30 on page 332). © Copyright Lenovo 2016 Chapter 19: Virtual NICs...
Page 332 Figure 30. vNIC Failover Solution Primary Servers Switch Virtual Hypervisor Pipes VNIC vSwitch VNIC VNIC VNIC VM 1 VNIC Group 1 VM 2 Port 1 Port 10 VNIC VNIC VNIC VNIC VNIC vSwitch VNIC VNIC VNIC VM 3 VNIC Group 2 VM 4 Port 2 Port 11 VNIC...
Page 333: Vnic Configuration Example
Port Port Hypervisor To Switch 2 OS or Port Port Hypervisor To Switch 2 Figure 31 has the following vNIC network characteristics:  vNIC group 1 has an outer tag for VLAN 1000. The group is comprised of vNIC pipes 1.1 and 2.1, switch server port 4 (a non‐vNIC port), and uplink port 11.  vNIC group 2 has an outer tag for VLAN 1774. The group is comprised of vNIC pipes 1.2, 2.2 and 3.2, switch server port 5, and an uplink LAG of ports 13 and 14. vNIC failover is enabled for both vNIC groups.   vNIC bandwidth on port 1 is set to 60% for vNIC 1 and 40% for vNIC 2. Other enabled vNICs (2.1, 2.2, and 3.2) are permitted the default bandwidth of  25% (2.5Gbsp) on their respective ports. All remaining vNICs are disabled (by default) and are automatically allocated 0  bandwidth. © Copyright Lenovo 2016 Chapter 19: Virtual NICs...
Page 334 1. Define the server ports. RS G8264(config)# system serverports port 15 2. Configure the external LAG to be used with vNIC group 2. RS G8264(config)# portchannel 1 port 13,14 RS G8264(config)# portchannel 1 enable 3. Enable the vNIC feature on the switch. RS G8264(config)# vnic enable 4. Configure the virtual pipes for the vNICs attached to each server port: RS G8264(config)# vnic port 1 index 1 (Select vNIC 1 on the port) RS G8264(vnicconfig)# enable (Enable the vNIC pipe) RS G8264(vnicconfig)# bandwidth 60 (Allow 60% egress bandwidth) RS G8264(vnicconfig)# exit RS G8264(config)# vnic port 1 index 2 (Select vNIC 2 on the port) RS G8264(vnicconfig)# enable (Enable the vNIC pipe) RS G8264(vnicconfig)# bandwidth 40 (Allow 40% egress bandwidth) RS G8264(vnicconfig)# exit RS G8264(config)# vnic port 2 index 1 (Select vNIC 1 on the port) RS G8264(vnicconfig)# enable ...
Page 335 RS G8264(vnicgroupconfig)# member 1.2 RS G8264(vnicgroupconfig)# member 2.2 RS G8264(vnicgroupconfig)# member 3.2 vNIC 3.2 is not enabled. Confirm enabling vNIC3.2 [y/n]: y RS G8264(vnicgroupconfig)# port 5 RS G8264(vnicgroupconfig)# trunk 1 RS G8264(vnicgroupconfig)# failover RS G8264(vnicgroupconfig)# enable RS G8264(vnicgroupconfig)# exit Once VLAN 1000 and 1774 are configured for vNIC groups, they will not be available for configuration in the regular VLAN menus (RS G8264(config)# vlan <VLAN number>). Note: vNICs are not supported simultaneously on the same switch ports as VMready. 6. Save the configuration. © Copyright Lenovo 2016 Chapter 19: Virtual NICs...
Page 336: Vnics For Iscsi On Emulex Endeavor 2
vNICs for iSCSI on Emulex Endeavor 2 The ENOS vNIC feature works with standard network applications like iSCSI as previously described. However, the Emulex Endeavor 2 NIC expects iSCSI traffic to occur only on a single vNIC pipe. When using the Emulex Endeavor 2, only vNIC pipe 2 may participate in ISCSI. To configure the switch for this solution, place iSCSI traffic in its own vNIC group, comprised of the uplink port leading to the iSCSI target, and the related <port>.2 vNIC pipes connected to the participating servers. For example: 1. Define the server ports. RS G8264(config)# system serverports port 13 2. Enable the vNIC feature on the switch. RS G8264 # vnic enable 3. Configure the virtual pipes for the iSCSI vNICs attached to each server port: RS G8264(config)# vnic port 1 index 2 (Select vNIC 2 on the server port) RS G8264(vnic_config)# enable (Enable the vNIC pipe) RS G8264(vnic_config)# exit RS G8264(config)# vnic port 2 index 2 (Select vNIC 2 on the server port) RS G8264(vnic_config)# enable (Enable the vNIC pipe) RS G8264(vnic_config)# exit RS G8264(config)# vnic port 3 index 2 (Select vNIC 2 on the server port) RS G8264(vnic_config)# enable ...
Page 337: Vnics For Fcoe On Emulex Virtual Fabric Adapter
1. Disable FIP snooping automatic VLAN creation. RS G8264(config)# no fcoe fips automaticvlan 2. Turn CEE on. RS G8264(config)# cee enable Note: Turning CEE on will automatically change some 802.1p QoS and 802.3x standard flow control settings and menus (see “Turning CEE On or Off” on page 368). 3. Turn global FIP snooping on: RS G8264(config)# fcoe fips enable 4. Configure server ports to be used for FCoE. RS G8264(config)# system serverports port 1724 5. Enable VLAN tagging on FCoE ports. (Select FCoE ports) RS G8264(config)# interface port 1724,46 (Enable VLAN tagging) RS G8264(configif)# switchport mode trunk (Exit port configuration mode) RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 19: Virtual NICs...
Page 338 Note: If you are using Emulex CNA BE 2 ‐ FCoE mode, you must enable PVID tagging on the server ports. 6. Place FCoE ports into a VLAN supported by the FCF and CNAs (typically VLAN 1002): (Select a VLAN) RS G8264(config)# vlan 1002 (Exit VLAN configuration mode) RS G8264(configvlan)# exit (Add FCoE ports to the VLAN) RS G8264(config)# interface port 1724,46 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan add 1002 RS G8264(configif)# exit The following steps are specific to vNIC configuration. 7. On the NIC, ensure that FCoE traffic occurs on vNIC pipe 2 only. Refer to your Emulex Virtual Fabric Adapter documentation for details. 8. On the switch, enable the vNIC feature. RS G8264(config)# vnic enable 9. (Optional) Bandwidth metering: RS G8264(config)# vnic port 1724 index 1 (Select vNIC 1 on the ports) RS G8264(vnicconfig)# bandwidth 25 (Allow 25% egress bandwidth) RS G8264(vnicconfig)# enable (Enable the vNIC pipe) RS G8264(vnicconfig)# exit RS G8264(config)# vnic port 1724 index 3 (Select vNIC 3 on the ports) RS G8264(vnicconfig)# bandwidth 25 (Allow 25% egress bandwidth)
Page 339 RS G8264(vnicgroupconfig)# vlan 104 (Specify the VLAN) RS G8264(vnicgroupconfig)# member 17.4(Add FCoE vNIC pipes to the group) RS G8264(vnicgroupconfig)# member 18.4 RS G8264(vnicgroupconfig)# member 19.4 RS G8264(vnicgroupconfig)# member 20.4 RS G8264(vnicgroupconfig)# member 21.4 RS G8264(vnicgroupconfig)# member 22.4 RS G8264(vnicgroupconfig)# member 23.4 RS G8264(vnicgroupconfig)# member 24.4 RS G8264(vnicgroupconfig)# port 38 (Add the uplink port to the group) RS G8264(vnicgroupconfig)# failover (Configure failover) RS G8264(vnicgroupconfig)# enable (Enable the vNIC group) RS G8264(vnicgroupconfig)# exit Note: No additional configuration for vNIC pipes or vNIC groups is required for FCoE. However, for other networks connected to the switch, appropriate vNIC pipes and vNIC groups should be configured as normal, if desired. © Copyright Lenovo 2016 Chapter 19: Virtual NICs...
Page 340 G8264 Application Guide for ENOS 8.4...
Page 341: Chapter 20. Vmready
The Lenovo Enterprise Network Operating System 8.4 VMready feature supports up to 4096 VEs in a virtualized data center environment. The switch automatically discovers the VEs attached to switch ports, and distinguishes between regular VMs, Service Console Interfaces, and Kernel/Management Interfaces in a ® VMware environment. VEs may be placed into VM groups on the switch to define communication boundaries: VEs in the same VM group may communicate with each other, while VEs in different groups may not. VM groups also allow for configuring group‐level settings such as virtualization policies and ACLs. The administrator can also pre‐provision VEs by adding their MAC addresses (or their IPv4 address or VM name in a VMware environment) to a VM group. When a VE with a pre‐provisioned MAC address becomes connected to the switch, the switch will automatically apply the appropriate group membership configuration. The G8264 with VMready also detects the migration of VEs across different ™ hypervisors. As VEs move, the G8264 NMotion feature automatically moves the appropriate network configuration as well. NMotion gives the switch the ability to maintain assigned group membership and associated policies, even when a VE moves to a different port on the switch. VMready also works with VMware Virtual Center (vCenter) management software. Connecting with a vCenter allows the G8264 to collect information about more distant VEs, synchronize switch and VE configuration, and extend migration properties. Note: VM groups and policies, VE pre‐provisioning, and VE migration features are not supported simultaneously on the same ports as vNICs (see Chapter 19, “Virtual NICs”). © Copyright Lenovo 2016...
Page 342: Ve Capacity
VE Capacity When VMready is enabled, the switch will automatically discover VEs that reside in hypervisors directly connected on the switch ports. Enterprise NOS 8.4 supports up to 4096 VEs. Once this limit is reached, the switch will reject additional VEs. Note: In rare situations, the switch may reject new VEs prior to reaching the supported limit. This can occur when the internal hash corresponding to the new VE is already in use. If this occurs, change the MAC address of the VE and retry the operation. The MAC address can usually be changed from the virtualization management server console (such as the VMware Virtual Center). Defining Server Ports Before you configure VMready features, you must first define whether ports are connected to servers or are used as uplink ports. Use the following ISCLI configuration command to define a port as a server port: system serverports port RS G8264(config)# <port alias or number> Ports that are not defined as server ports are automatically considered uplink ports. VM Group Types VEs, as well as switch server ports, switch uplink ports, static LAGs, and LACP LAGs, can be placed into VM groups on the switch to define virtual communication boundaries. Elements in a given VM group are permitted to communicate with each other, while those in different groups are not. The elements within a VM group automatically share certain group‐level settings. ENOS 8.4 supports up to 4096 VM groups. There are two different types:  Local VM groups are maintained locally on the switch. Their configuration is not synchronized with hypervisors.  Distributed VM groups are automatically synchronized with a virtualization management server (see “Assigning a vCenter” on page 353). Each VM group type is covered in detail in the following sections.
Page 343: Local Vm Groups
Configuring a Local VM Group Use the following ISCLI configuration commands to assign group properties and membership: RS G8264(config)# virt vmgroup <VM group number> ? (Enable sending unregistered IPMC to CPU) flood (Enable flooding unregistered IPMC) key <LACP LAG key> (Add LACP LAG to group) optflood (Enable optimized flooding) port <port alias or number> (Add port member to group) portchannel <LAG number> (Add static LAG to group) profile <profile name> (Not used for local groups) stg <Spanning Tree group> (Add STG to group) (Set VLAN tagging on ports) validate <advanced|basic> (Validate mode for the group) vlan <VLAN number> (Specify the group VLAN) vm <MAC>|<index>|<UUID>|<IPv4 address>|<name>(Add VM member to group) vmap <VMAP number> [intports|extports](Specify VMAP number) vport (Add a virtual port to the group) © Copyright Lenovo 2016 Chapter 20: VMready...
Page 344 The following rules apply to the local VM group configuration commands: cpu: Enable sending unregistered IPMC to CPU.  flood: Enable flooding unregistered IPMC.  key: Add LACP LAGs to the group.  optflood: Enable optimized flooding to allow sending unregistered IPMC to  the Mrouter ports without having any packet loss during the learning period; This option is disabled by default; When optflood is enabled, the flood and cpu settings are ignored. port: Add switch server ports or switch uplink ports to the group. Note that  VM groups and vNICs (see Chapter 19, “Virtual NICs”) are not supported simultaneously on the same port. portchannel: Add static port LAGs to the group.  profile: The profile options are not applicable to local VM groups. Only  distributed VM groups may use VM profiles (see “VM Profiles” on page 346). stg: The group may be assigned to a Spanning‐Tree group for broadcast loop  control (see Chapter 11, “Spanning Tree Protocols”). tag: Enable VLAN tagging for the VM group. If the VM group contains ports  which also exist in other VM groups, enable tagging in both VM groups. validate: Set validation mode for the group.  vlan: Each VM group must have a unique VLAN number. This is required for  local VM groups. If one is not explicitly configured, the switch will automatically assign the next unconfigured VLAN when a VE or port is added to the VM group. vmap: Each VM group may optionally be assigned a VLAN‐based ACL (see  “VLAN Maps” on page 357).
Page 345 Use the no variant of the commands to remove or disable VM group configuration settings: no virt vmgroup RS G8264(config)# <VM group number> Note: Local VM groups are not supported simultaneously on the same ports as vNICs (see Chapter 19, “Virtual NICs”). © Copyright Lenovo 2016 Chapter 20: VMready...
Page 346: Distributed Vm Groups
Distributed VM Groups Distributed VM groups allow configuration profiles to be synchronized between the G8264 and associated hypervisors and VEs. This allows VE configuration to be centralized, and provides for more reliable VE migration across hypervisors. Using distributed VM groups requires a virtualization management server. The management server acts as a central point of access to configure and maintain multiple hypervisors and their VEs (VMs, virtual switches, and so on). The G8264 must connect to a virtualization management server before distributed VM groups can be used. The switch uses this connection to collect configuration information about associated VEs, and can also automatically push configuration profiles to the virtualization management server, which in turn configures the hypervisors and VEs. See “Virtualization Management Servers” on page 353 for more information. Note: Distributed VM groups are not supported simultaneously on the same ports as vNICs (see Chapter 19, “Virtual NICs”). VM Profiles VM profiles are required for configuring distributed VM groups. They are not used with local VM groups. A VM profile defines the VLAN and virtual switch bandwidth shaping characteristics for the distributed VM group. The switch distributes these settings to the virtualization management server, which in turn distributes them to the appropriate hypervisors for VE members associated with the group. Creating VM profiles is a two part process. First, the VM profile is created as shown in the following command on the switch: virt vmprofile RS G8264(config)# <profile name> Next, the profile must be edited and configured using the following configuration commands: RS G8264(config)# virt vmprofile edit <profile name> ? eshaping <average bandwidth> <burst size> <peak> shaping <average bandwidth> <burst size> <peak>...
Page 347: Initializing A Distributed Vm Group
Note: A VM profile is required before a distributed VM group may be configured. See “VM Profiles” on page 346 for details. Once a VM profile is available, a distributed VM group may be initialized using the following configuration command: RS G8264(config)# virt vmgroup <VM group number> profile <VM profile name> Only one VM profile can be assigned to a given distributed VM group. To change the VM profile, the old one must first be removed using the following ISCLI configuration command: RS G8264(config)# no virt vmgroup <VM group number> profile Note: The VM profile can be added only to an empty VM group (one that has no VLAN, VMs, or port members). Any VM group number currently configured for a local VM group (see “Local VM Groups” on page 343) cannot be converted and must be deleted before it can be used for a distributed VM group. Assigning Members VMs, ports, and LAGs may be added to the distributed VM group only after the VM profile is assigned. Group members are added, pre‐provisioned, or removed from distributed VM groups in the same manner as with local VM groups (“Local VM Groups” on page 343), with the following exceptions:  VMs: VMs and other VEs are not required to be local. Any VE known by the virtualization management server can be part of a distributed VM group.  The VM group vlan option (see page 344) cannot be used with distributed VM groups. For distributed VM groups, the VLAN is assigned in the VM profile. © Copyright Lenovo 2016 Chapter 20: VMready...
Page 348: Synchronizing The Configuration
Synchronizing the Configuration When the configuration for a distributed VM group is modified, the switch updates the assigned virtualization management server. The management server then distributes changes to the appropriate hypervisors. For VM membership changes, hypervisors modify their internal virtual switch port groups, adding or removing server port memberships to enforce the boundaries defined by the distributed VM groups. Virtual switch port groups created in this fashion can be identified in the virtual management server by the name of the VM profile, formatted as follows: Lenovo_<VM profile name> (or) Lenovo_<VM profile name> <index number> (for vDS) Adding a server host interface to a distributed VM group does not create a new port group on the virtual switch or move the host. Instead, because the host interface already has its own virtual switch port group on the hypervisor, the VM profile settings are applied to its existing port group. Note: When applying the distributed VM group configuration, the virtualization management server and associated hypervisors must take appropriate actions. If a hypervisor is unable to make requested changes, an error message will be displayed on the switch. Be sure to evaluate all error message and take the appropriate actions for the expected changes to apply. Removing Member VEs Removing a VE from a distributed VM group on the switch will have the following effects on the hypervisor:  The VE will be moved to the Lenovo_Default port group in VLAN 0 (zero).  Traffic shaping will be disabled for the VE.  All other properties will be reset to default values inherited from the virtual switch. G8264 Application Guide for ENOS 8.4...
Page 349: Vmcheck
API). This information is used to validate VM MAC addresses. Two modes of validation are available: Basic and Advanced. Use the following command to select the validation mode or to disable validation: RS G8264(config)# [no] virt vmgroup <VM group number> validate {basic|advanced} Basic Validation This mode provides port‐based validation by identifying the port used by a hypervisor. It is suitable for environments in which MAC reassignment or duplication cannot occur. The switch, using the hello message information, identifies a hypervisor port. If the hypervisor port is found in the hello message information, it is deemed to be a trusted port. Basic validation should be enabled when:  A VM is added to a VM group, and the MAC address of the VM interface is in the Layer 2 table of the switch.  A VM interface that belongs to a VM group experiences a “source miss” i.e. is not able to learn new MAC address.  A trusted port goes down. Port validation must be performed to ensure that the port does not get connected to an untrusted source when it comes back up. Use the following command to set the action to be performed if the switch is unable to validate the VM MAC address: RS G8264(config)# virt vmcheck action basic {log|link} log generates a log link disables the port © Copyright Lenovo 2016 Chapter 20: VMready...
Page 350 Advanced Validation This mode provides VM‐based validation by mapping a switch port to a VM MAC address. It is suitable for environments in which spoofing, MAC reassignment, or MAC duplication is possible. When the switch receives frames from a VM, it first validates the VM interface based on the VM MAC address, VM Universally Unique Identifier (UUID), Switch port, and Switch ID available in the hello message information. Only if all the four parameters are matched, the VM MAC address is considered valid. In advanced validation mode, if the VM MAC address validation fails, an ACL can be automatically created to drop the traffic received from the VM MAC address on the switch port. Use the following command to specify the number of ACLs to be automatically created for dropping traffic: RS G8264(config)# virt vmcheck acls max <1‐256> Use the following command to set the action to be performed if the switch is unable to validate the VM MAC address: RS G8264(config)# virt vmcheck action advanced {log|link|acl} Following are the other VMcheck commands: Table 32. VMcheck Commands Command Description RS G8264(config)# virt vmware hello {ena| Hello messages setting: hport <port number>|haddr|htimer} enable/add port/advertise this IP address in the hello messages instead of the default management IP address/set the timer to send the hello messages RS G8264(config)# no virt vmware hello Disable hello mes‐ {enable|hport <port number>} sages/remove port RS G8264(config)# [no] virt vmcheck ...
Page 351: Virtual Distributed Switch
Note: vDS works with ESX 4.0 or higher versions. To add a vDS, use the command: RS G8264# virt vmware dvswitch add <datacenter name> <dvSwitch name> [<dvSwitch‐version>] Prerequisites Before adding a vDS on the G8264, ensure the following: VMware vCenter is fully installed and configured and includes a “bladevm”  administration account and a valid SSL certificate.  A virtual distributed switch instance has been created on the vCenter. The vDS version must be higher or the same as the hypervisor version on the hosts.  At least two hypervisors are configured. Guidelines Before migrating VMs to a vDS, consider the following: At any one time, a VM NIC can be associated with only one virtual switch: to the  hypervisor’s virtual switch, or to the vDS. Management connection to the server must be ensured during the migration.  The connection is via the Service Console or the Kernel/Management Interface.  The vDS configuration and migration can be viewed in vCenter at the following locations: vDS: Home> Inventory > Networking  vDS Hosts: Home > Inventory > Networking > vDS > Hosts  Note: These changes will not be displayed in the running configuration on the G8264. © Copyright Lenovo 2016 Chapter 20: VMready...
Page 352: Migrating To Vds
Migrating to vDS You can migrate VMs to the vDS using vCenter. The migration may also be accomplished using the operational commands on the G8264 available in the following CLI menus: For VMware vDS operations: RS G8264# virt vmware dvswitch ? add Add a dvSwitch to a DataCenter addhost Add a host to a dvSwitch adduplnk Add a physical NIC to dvSwitch uplink ports del Remove a dvSwitch from a DataCenter remhost Remove a host from a dvSwitch remuplnk Remove a physical NIC from dvSwitch uplink ports For VMware distributed port group operations: RS G8264# virt vmware dpg ? add Add a port group to a dvSwitch del Delete a port group from a dvSwitch update Update a port group on a dvSwitch vmac Change a VM NIC's port group G8264 Application Guide for ENOS 8.4...
Page 353: Virtualization Management Servers
19, “Virtual NICs”), vCenter synchronization can provide additional information about VEs on vNIC and non‐vNIC ports. Assigning a vCenter Assigning a vCenter to the switch requires the following:  The vCenter must have a valid IPv4 address which is accessible to the switch (IPv6 addressing is not supported for the vCenter).  A user account must be configured on the vCenter to provide access for the switch. The account must have (at a minimum) the following vCenter user privi‐ leges: Network  Host Network > Configuration  Virtual Machine > Modify Device Settings  Once vCenter requirements are met, the following configuration command can be used on the G8264 to associate the vCenter with the switch: RS G8264(config)# virt vmware vcspec <vCenter IPv4 address> <username> [noauth] This command specifies the IPv4 address and account username that the switch will use for vCenter access. Once entered, the administrator will be prompted to enter the password for the specified vCenter account. The noauth option causes to the switch to ignores SSL certificate authentication. This is required when no authoritative SSL certificate is installed on the vCenter. Note: By default, the vCenter includes only a self‐signed SSL certificate. If using the default certificate, the noauth option is required. Once the vCenter configuration has been applied on the switch, the G8264 will connect to the vCenter to collect VE information. © Copyright Lenovo 2016 Chapter 20: VMready...
Page 354: Vcenter Scans
vCenter Scans Once the vCenter is assigned, the switch will periodically scan the vCenter to collect basic information about all the VEs in the datacenter, and more detailed information about the local VEs that the switch has discovered attached to its own ports. The switch completes a vCenter scan approximately every two minutes. Any major changes made through the vCenter may take up to two minutes to be reflected on the switch. However, you can force an immediate scan of the vCenter by using one of the following ISCLI privileged EXEC commands: RS G8264# virt vmware scan (Scan the vCenter) ‐or‐ RS G8264# show virt vm v r (Scan vCenter and display result) Deleting the vCenter To detach the vCenter from the switch, use the following configuration command: RS G8264(config)# no virt vmware vcspec Note: Without a valid vCenter assigned on the switch, any VE configuration changes must be manually synchronized. Deleting the assigned vCenter prevents synchronizing the configuration between the G8264 and VEs. VEs already operating in distributed VM groups will continue to function as configured, but any changes made to any VM profile or distributed VM group on the switch will affect only switch operation; changes on the switch will not be reflected in the vCenter or on the VEs. Likewise, any changes made to VE configuration on the vCenter will no longer be reflected on the switch. G8264 Application Guide for ENOS 8.4...
Page 355: Exporting Profiles
A VM profile can be exported to a host using the following ISCLI privileged EXEC command: RS G8264# virt vmware export <VM profile name> <host list> <virtual switch name> The host list can include one or more target hosts, specified by host name, IPv4 address, or UUID, with each list item separated by a space. Once executed, the requisite port group will be created on the specified virtual switch. If the specified virtual switch does not exist on the target host, the port group will not be created. VMware Operational Commands The G8264 may be used as a central point of configuration for VMware virtual switches and port groups using the following ISCLI privileged EXEC commands: RS G8264# virt vmware ? Distributed port group operations dvswitch VMWare dvSwitch operations export Create or update a vm profile on one host Add a port group to a host scan Perform a VM Agent scan operation now updpg Update a port group on a host vmacpg Change a vnic's port group Add a vswitch to a host © Copyright Lenovo 2016 Chapter 20: VMready...
Page 356: Pre-Provisioning Ves
Pre-Provisioning VEs VEs may be manually added to VM groups in advance of being detected on the switch ports. By pre‐provisioning the MAC address of VEs that are not yet active, the switch will be able to later recognize the VE when it becomes active on a switch port, and immediately assign the proper VM group properties without further configuration. Undiscovered VEs are added to or removed from VM groups using the following configuration commands: RS G8264(config)# [no] virt vmgroup <VM group number> vm <VE MAC address> For the pre‐provisioning of undiscovered VEs, a MAC address is required. Other identifying properties, such as IPv4 address or VM name permitted for known VEs, cannot be used for pre‐provisioning. Because VM groups are isolated from vNIC groups (see “LACP LAGs” on Note: page 327), pre‐provisioned VEs that appear on vNIC ports will not be added to the specified VM group upon discovery. G8264 Application Guide for ENOS 8.4...
Page 357: Vlan Maps
ipv4 IP version 4 header options meter ACL metering configuration mirror Mirror options packetformat Set to filter specific packet format types remark ACL remark configuration statistics Enable access control list statistics tcpudp TCP and UDP filtering options Once a VMAP filter is created, it can be assigned or removed using the following commands:  For regular VLANs, use config‐vlan mode: RS G8264(config)# vlan <VLAN ID> RS G8264(configvlan)# [no] vmap <VMAP ID> [serverports| nonserverports]  For a VM group, use the global configuration mode: RS G8264(config)# [no] virt vmgroup <ID> vmap <VMAP ID> [serverports|nonserverports] Note: Each VMAP can be assigned to only one VLAN or VM group. However, each VLAN or VM group may have multiple VMAPs assigned to it. The optional serverports or nonserverports parameter can be specified to apply the action (to add or remove the VMAP) for either the switch server ports (serverports) or switch uplink ports (nonserverports). If omitted, the operation will be applied to all ports in the associated VLAN or VM group. Note: VMAPs have a lower priority than port‐based ACLs. If both an ACL and a VMAP match a particular packet, both filter actions will be applied as long as there is no conflict. In the event of a conflict, the port ACL will take priority, though switch statistics will count matches for both the ACL and VMAP. © Copyright Lenovo 2016 Chapter 20: VMready...
Page 358: Vm Policy Bandwidth Control
VM Policy Bandwidth Control In a virtualized environment where VEs can migrate between hypervisors and thus move among different ports on the switch, traffic bandwidth policies must be attached to VEs, rather than to a specific switch port. VM Policy Bandwidth Control allows the administrator to specify the amount of data the switch will permit to flow from a particular VE, without defining a complicated matrix of ACLs or VMAPs for all port combinations where a VE may appear. VM Policy Bandwidth Control Commands VM Policy Bandwidth Control can be configured using the following configuration commands: RS G8264(config)# virt vmpolicy vmbwidth <VM MAC>|<index>|<UUID>| <IPv4 address>|<name>? txrate <committed rate> <burst> [<ACL number>] (Set the VM transmit bandwidth – ingress for switch) rxrate <committed rate> <burst> (Set the VM receive bandwidth – egress for switch) bwctrl (Enable bandwidth control) Bandwidth allocation can be defined for transmit (TX) traffic or receive (RX) traffic. Because bandwidth allocation is specified from the perspective of the VE, the switch command for TX Rate Control (txrate) sets the data rate to be sent from the VM to the switch, and the RX rate sets the data rate to be received by the VM from the switch. The committed rate is specified in multiples of 64 kbps, from 64 to 40,000,000. The maximum burst rate is specified as 32, 64, 128, 256, 1024, 2048, or 4096 kb. If both the committed rate and burst are set to 0, bandwidth control will be disabled. When txrate is specified, the switch automatically selects an available ACL for internal use with bandwidth control. Optionally, if automatic ACL selection is not desired, a specific ACL may be selected. If there are no unassigned ACLs available, txrate cannot be configured. G8264 Application Guide for ENOS 8.4...
Page 359: Bandwidth Policies Vs. Bandwidth Shaping
Bandwidth Policies vs. Bandwidth Shaping VM Profile Bandwidth Shaping differs from VM Policy Bandwidth Control. VM Profile Bandwidth Shaping (see “VM Profiles” on page 346) is configured per VM group and is enforced on the server by a virtual switch in the hypervisor. Shaping is unidirectional and limits traffic transmitted from the virtual switch to the G8264. Shaping is performed prior to transmit VM Policy Bandwidth Control. If the egress traffic for a virtual switch port group exceeds shaping parameters, the traffic is dropped by the virtual switch in the hypervisor. Shaping uses server CPU resources, but prevents extra traffic from consuming bandwidth between the server and the G8264. Shaping is not supported simultaneously on the same ports as vNICs. VM Policy Bandwidth Control is configured per VE, and can be set independently for transmit traffic. Bandwidth policies are enforced by the G8264. VE traffic that exceeds configured levels is dropped by the switch upon ingress. Setting txrate uses ACL resources on the switch. Bandwidth shaping and bandwidth policies can be used separately or in concert. © Copyright Lenovo 2016 Chapter 20: VMready...
Page 360: Vmready Information Displays
VMready Information Displays The G8264 can be used to display a variety of VMready information. Note: Some displays depict information collected from scans of a VMware vCenter and may not be available without a valid vCenter. If a vCenter is assigned (see “Assigning a vCenter” on page 353), scan information might not be available for up to two minutes after the switch boots or when VMready is first enabled. Also, any major changes made through the vCenter may take up to two minutes to be reflected on the switch unless you force an immediate vCenter scan (see “vCenter Scans” on page 354. Local VE Information A concise list of local VEs and pre‐provisioned VEs is available with the following ISCLI privileged EXEC command: RS G8264# show virt vm IP Address VMAC Address Index Port VM Group (Profile) Check status 0.0.0.0 00:50:56:55:47:0c 5 17.3 ~0.0.0.0 00:50:56:b3:1e:7b 2 17.3 1 test ~0.0.0.0 00:50:56:b3:1f:16 1 17.3 1 test ~0.0.0.0 00:50:56:b3:2c:b9 4 18 2 ~0.0.0.0 00:50:56:b3:5f:32 3 18 1 test ~0.0.0.0 00:50:56:b3:69:5a 0 19.3 1 test VMReady ports: 1721 Number of entries: 6 ~ indicates inactive VMs 0.0.0.0 indicates IP address not yet available Note: The Index numbers shown in the VE information displays can be used to specify a particular VE in configuration commands. G8264 Application Guide for ENOS 8.4...
Page 361: Vcenter Hypervisor Hosts
0 00:50:56:ba:1b:23 New Virtual Machine ST 1ST 1 100 vSwitch2 10.10.10.101 @10.241.5.49 100 Lenovo_vlan100 2 00:50:56:ba:25:8a VmForGaborII 26 vSwitch1 10.10.10.101 @10.241.5.49 0 IBM_Default 3 00:50:56:ba:1b:00 New Virtual Machine 2626 vSwitch1 0.0.0.0 @10.241.5.49 100 VM Network 2 3 of 3 entries printed 0.0.0.0 indicates IP Address is not available Use the "v r" options to refresh data before displaying results EVB Virtual Station Interface Information: Total number of VM Association entries : To view additional detail regarding any specific VE, see “vCenter Switchport Mapping Details” on page 363). vCenter Hypervisor Hosts If a vCenter is available, the following ISCLI privileged EXEC command displays the name and UUID of all VMware hosts, providing an essential overview of the data center: RS G8264# show virt vmware hosts UUID Name(s), IP Address 00a42681d0e55910a0bfbd23bd3f7800 172.16.41.30 002e063c153cdd118b32a78dd1909a00 172.16.46.10 00f1fe30143cdd1184f2a8ba2cd7ae00 172.16.44.50 0018938e143cdd119f7ad8defa4b8300 172.16.46.20 © Copyright Lenovo 2016 Chapter 20: VMready...
Page 362: Vcenter Ves
Using the following command, the administrator can view more detailed vCenter host information, including a list of virtual switches and their port groups, as well as details for all associated VEs: RS G8264# show virt vmware showhost {<UUID>|<IPv4 address>|<host name>} Vswitches available on the host: vSwitch0 Port Groups and their Vswitches on the host: Lenovo_Default vSwitch0 VM Network vSwitch0 Service Console vSwitch0 VMkernel vSwitch0 MAC Address 00:50:56:9c:21:2f Port 4 Type Virtual Machine VM vCenter Name halibut VM OS hostname localhost.localdomain VM IP Address 172.16.46.15 VM UUID 001c41f3ccd894bb1b946b94b03b9200 Current VM Host 172.16.46.10 Vswitch vSwitch0 Port Group Lenovo_Default VLAN ID 0 vCenter VEs If a vCenter is available, the following ISCLI privileged EXEC command displays a list of all known VEs: RS G8264# show virt vmware vms UUID Name(s), IP Address 001cdf1d863afa5e58c0d197ed3e3300 30vm1 001c1fba5483863fde044953b5caa700 VM90 001c0441c9ed184c7030d6a6bc9b4d00 VM91 001cc06e393ba36b2da9c71098d9a700 vm_new 001c6384f764983c83e3e94fc78f2c00 ...
Page 363: Vcenter Ve Details
VE Details If a vCenter is available, the following ISCLI privileged EXEC command displays detailed information about a specific VE: RS G8264# show virt vmware showvm {<VM UUID>|<VM IPv4 address>|<VM name>} MAC Address 00:50:56:9c:21:2f Port 4 Type Virtual Machine VM vCenter Name halibut VM OS hostname localhost.localdomain VM IP Address 172.16.46.15 VM UUID 001c41f3ccd894bb1b946b94b03b9200 Current VM Host 172.16.46.10 Vswitch vSwitch0 Port Group Lenovo_Default VLAN ID 0 vCenter Switchport Mapping Details If a vCenter is available, the following ISCLI privileged EXEC command displays detailed information about VE switchport mapping: RS G8264# show virt vmware switchportmapping ST 5 ==> 10.241.32.133 vmnic5 ST 5 ==> 10.241.32.133 vmnic5 23 ==> 10.241.32.131 vmnic3 © Copyright Lenovo 2016 Chapter 20: VMready...
Page 364: Vmready Configuration Example
VMready Configuration Example This example has the following characteristics:  A VMware vCenter is fully installed and configured prior to VMready configu‐ ration and includes a “bladevm” administration account and a valid SSL certifi‐ cate.  The distributed VM group model is used. The VM profile named “Finance” is configured for VLAN 30, and specifies  NIC‐to‐switch bandwidth shaping for 1Mbps average bandwidth, 2MB bursts, and 3Mbps maximum bandwidth. The VM group includes four discovered VMs on switch server ports 1 and 2, and  one static LAG (previously configured) that includes switch uplink ports 3 and 4. 1. Define the server ports. RS G8264(config)# system serverports port 12 2. Enable the VMready feature. RS G8264(config)# virt enable 3. Specify the VMware vCenter IPv4 address. RS G8264(config)# virt vmware vmware vcspec 172.16.100.1 bladevm When prompted, enter the user password that the switch must use for access to the vCenter. 4. Create the VM profile. RS G8264(config)# virt vmprofile Finance RS G8264(config)# virt vmprofile edit Finance vlan 30 RS G8264(config)# virt vmprofile edit Finance shaping 1000 2000 3000 5. Define the VM group. RS G8264(config)# virt vmgroup 1 profile Finance RS G8264(config)# virt vmgroup 1 vm arctic RS G8264(config)# virt vmgroup 1 vm monster...
Page 365: Chapter 21. Fcoe And Cee
 “Converged Enhanced Ethernet” on page 368 Converged Enhanced Ethernet (CEE) refers to a set of IEEE standards developed primarily to enable FCoE, requiring enhancing the existing Ethernet standards to make them lossless on a per‐priority traffic basis, and providing a mechanism to carry converged (LAN/SAN/IPC) traffic on a single physical link. CEE features can also be utilized in traditional LAN (non‐FCoE) networks to provide lossless guarantees on a per‐priority basis, and to provide efficient bandwidth allocation.  “Priority‐Based Flow Control” on page 377 Priority‐Based Flow Control (PFC) extends 802.3x standard flow control to allow the switch to pause traffic based on the 802.1p priority value in each packet’s VLAN tag. PFC is vital for FCoE environments, where SAN traffic must remain lossless and must be paused during congestion, while LAN traffic on the same links is delivered with “best effort” characteristics.  “Enhanced Transmission Selection” on page 381 Enhanced Transmission Selection (ETS) provides a method for allocating link bandwidth based on the 802.1p priority value in each packet’s VLAN tag. Using ETS, different types of traffic (such as LAN, SAN, and management) that are sensitive to different handling criteria can be configured either for specific bandwidth characteristics, low‐latency, or best‐effort transmission, despite sharing converged links as in an FCoE environment.  “Data Center Bridging Capability Exchange” on page 388 Data Center Bridging Capability Exchange Protocol (DCBX) allows neighboring network devices to exchange information about their capabilities. This is used between CEE‐capable devices for the purpose of discovering their peers, negotiating peer configurations, and detecting misconfigurations. © Copyright Lenovo 2016...
Page 366: Fibre Channel Over Ethernet
Fibre Channel over Ethernet Fibre Channel over Ethernet (FCoE) is an effort to converge two of the different physical networks in today’s data centers. It allows Fibre Channel traffic (such as that commonly used in Storage Area Networks, or SANs) to be transported without loss over 10Gb Ethernet links (typically used for high‐speed Local Area Networks, or LANs). This provides an evolutionary approach toward network consolidation, allowing Fibre Channel equipment and tools to be retained, while leveraging cheap, ubiquitous Ethernet networks for growth. With server virtualization, servers capable of hosting both Fibre Channel and Ethernet applications will provide advantages in server efficiency, particularly as FCoE‐enabled network adapters provide consolidated SAN and LAN traffic capabilities. The Lenovo RackSwitch G8264 with Lenovo Enterprise Network Operating System 8.4 software is compliant with the INCITS T11.3, FC‐BB‐5 FCoE specification, supporting up to 2048 FCoE connections. Note: The G8264 supports up to 2048 FCoE login sessions. The FCoE Topology In an end‐to‐end Fibre Channel network, switches and end devices generally establish trusted, point‐to‐point links. Fibre Channel switches validate end devices, enforce zoning configurations and device addressing, and prevent certain types of errors and attacks on the network. In a converged multi‐hop FCoE network where Fibre Channel devices are bridged to Ethernet devices, the direct point‐to‐point QoS capabilities normally provided by the Fibre Channel fabric may be lost in the transition between the different network types. The G8264 provides a solution to overcome this. Figure 32. A Mixed Fibre Channel and FCoE Network Fibre Channel Port 1 Port 2...
Page 367: Fcoe Requirements
FCoE traffic. Automatic FCoE‐related ACLs are independent from ACLs used for typical Ethernet purposes. FCoE Requirements The following are required for implementing FCoE using the Lenovo RackSwitch G8264 (G8264) with ENOS 8.4 software:  The G8264 must be connected to the Fibre Channel network using the switch’s built‐in Fibre Channel features (see Chapter 21, “Fibre Channel”) or an external FCF such as another G8264 or a Cisco Nexus 5000 Series Switch. For each G8264 port participating in FCoE, the connected server must use the  supported FCoE CNA. The QLogic CNA is currently the first CNA supported for this purpose. Also supported is the Emulex Virtual Fabric Adapter, which includes vNIC support (with some additional topology rules). CEE must be turned on (see “Turning CEE On or Off” on page 368). When CEE is  on, the DCBX, PFC, and ETS features are enabled and configured with default FCoE settings. These features may be reconfigured, but must remain enabled for FCoE to function. FIP snooping must be turned on (see “FCoE Initialization Protocol Snooping” on  page 371). When FIP snooping is turned on, the feature is enabled on all ports by default. The administrator can disable FIP snooping on individual ports that do not require FCoE, but FIP snooping must remain enabled on all FCoE ports for FCoE to function. © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 368: Converged Enhanced Ethernet
Converged Enhanced Ethernet Converged Enhanced Ethernet (CEE) refers to a set of IEEE standards designed to allow different physical networks with different data handling requirements to be converged together, simplifying management, increasing efficiency and utilization, and leveraging legacy investments without sacrificing evolutionary growth. CEE standards were developed primarily to enable Fibre Channel traffic to be carried over Ethernet networks. This required enhancing the existing Ethernet standards to make them lossless on a per‐priority traffic basis, and to provide a mechanism to carry converged (LAN/SAN/IPC) traffic on a single physical link. Although CEE standards were designed with FCoE in mind, they are not limited to FCoE installations. CEE features can be utilized in traditional LAN (non‐FCoE) networks to provide lossless guarantees on a per‐priority basis, and to provide efficient bandwidth allocation based on application needs. Turning CEE On or Off By default on the G8264, CEE is turned off. To turn CEE on or off, use the following CLI commands: RS G8264(config)# [no] cee enable CAUTION: Turning CEE on will automatically change some 802.1p QoS and 802.3x standard flow control settings on the G8264. Read the following material carefully to determine whether you will need to take action to reconfigure expected settings. It is recommended that you backup your configuration prior to turning CEE on. Viewing the file will allow you to manually re‐create the equivalent configuration once CEE is turned on, and will also allow you to recover your prior configuration if you need to turn CEE off. Effects on Link Layer Discovery Protocol When CEE is turned on, Link Layer Discovery Protocol (LLDP) is automatically turned on and enabled for receiving and transmitting DCBX information. LLDP ...
Page 369: Effects On 802.1P Quality Of Service
ETS Configuration With CEE Off (default) With CEE On Priority- COSq Weight Priority COSq PGID When CEE is on, the default ETS configuration also allocates a portion of link bandwidth to each PGID as shown in Table Table 34. Default ETS Bandwidth Allocation PGID Typical Use Bandwidth Latency‐sensitive If the prior, non‐CEE configuration used 802.1p priority values for different purposes, or does not expect bandwidth allocation as shown in Table 34 on page 369, when CEE is turned on, have the administrator reconfigure ETS settings as appropriate. © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 370: Effects On Flow Control
It is recommended that a configuration backup be made prior to turning CEE on or off. Viewing the configuration file will allow the administrator to manually re‐create the equivalent configuration under the new CEE mode, and will also allow for the recovery of the prior configuration if necessary. Effects on Flow Control When CEE is turned on, standard flow control is disabled on all ports, and in its place, PFC (see “Priority‐Based Flow Control” on page 377) is enabled on all ports for 802.1p priority value 3. This default is chosen because priority value 3 is commonly used to identify FCoE traffic in a CEE environment and must be guaranteed lossless behavior. PFC is disabled for all other priority values. Each time CEE is turned off, the prior 802.3x standard flow control settings will be restored (including any previous changes from the defaults). It is recommended that a configuration backup be made prior to turning CEE on or off. Viewing the configuration file will allow you to manually re‐create the equivalent configuration under the new CEE mode, and will also allow for the recovery of the prior configuration if necessary. When CEE is on, PFC can be enabled only on priority value 3 and one other priority. If flow control is required on additional priorities on any given port, consider using standard flow control on that port, so that regardless of which priority traffic becomes congested, a flow control frame is generated. G8264 Application Guide for ENOS 8.4...
Page 371: Fcoe Initialization Protocol Snooping
Global FIP Snooping Settings By default, the FIP snooping feature is turned off for the G8264. The following commands are used to turn the feature on or off: RS G8264(config)# [no] fcoe fips enable Note: FIP snooping requires CEE to be turned on (see “Turning CEE On or Off” on page 368). When FIP snooping is on, port participation may be configured on a port‐by‐port basis (see the next sections). When FIP snooping is off, all FCoE‐related ACLs generated by the feature are removed from all switch ports. FIP snooping configuration must be the same on all member ports in a LAG. If the configuration of a member port is changed, an error message, similar to the following, will be displayed. “FAIL: Trunk X FIP Snooping port Yand port Z need to have the same fcf mode config” The configuration changes are applied to all member ports in a LAG. FIP Snooping for Specific Ports When FIP snooping is globally turned on (see the previous section), ports may be individually configured for participation in FIP snooping and automatic ACL generation. By default, FIP snooping is enabled for each port. To change the setting for any specific port, use the following CLI commands: RS G8264(config)# [no] fcoe fips port <port alias, number, list, or range> enable © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 372: Port Fcf And Enode Detection
When FIP snooping is enabled on a port, FCoE‐related ACLs will be automatically configured. When FIP snooping is disabled on a port, all FCoE‐related ACLs on the port are removed, and the switch will enforce no FCoE‐related rules for traffic on the port. Port FCF and ENode Detection When FIP snooping is enabled on a port, the port is placed in FCF auto‐detect mode by default. In this mode, the port assumes connection to an ENode unless FIP packets show the port is connected to an FCF. Ports can also be specifically configured as to whether automatic FCF detection will be used, or whether the port is connected to an FCF or ENode: RS G8264(config)# fcoe fips port <port alias, number, list, or range> fcfmode {auto|on|off} When FCF mode is on, the port is assumed to be connected to a trusted FCF, and only ACLs appropriate to FCFs will be installed on the port. When off, the port is assumed to be connected to an ENode, and only ACLs appropriate to ENodes will be installed. When the mode is changed (either through manual configuration or as a result of automatic detection), the appropriate ACLs are automatically added, removed, or changed to reflect the new FCF or ENode connection. FCoE Connection Timeout FCoE‐related ACLs are added, changed, and removed as FCoE device connection and disconnection are discovered. In addition, the administrator can enable or disable automatic removal of ACLs for FCFs and other FCoE connections that timeout (fail or are disconnected) without FIP notification. By default, automatic removal of ACLs upon timeout is enabled. To change this function, use the following CLI command: RS G8264(config)# [no] fcoe fips timeoutacl G8264 Application Guide for ENOS 8.4...
Page 373: Fcoe Acl Rules
Initially, a basic set of FCoE‐related ACLs will be installed on all ports where FIP snooping is enabled. As the switch encounters FIP frames and learns about FCFs and ENodes that are attached or disconnect, ACLs are dynamically installed or expanded to provide appropriate security. When an FCoE connection logs out, or times out (if ACL timeout is enabled), the related ACLs will be automatically removed. FCoE‐related ACLs are independent of manually configured ACLs used for regular Ethernet purposes (see Chapter 7, “Access Control Lists”). FCoE ACLs generally have a higher priority over standard ACLs, and do not inhibit non‐FCoE and non‐FIP traffic. Optimized FCoE Traffic Flow To optimize the FCoE traffic flow, ACL entries are installed by default. Only FCoE to FCoE traffic is optimized. Traffic to and from Fibre Channel nodes is not optimized. If required, you can disable optimized traffic flow. However, you must first disable FIP snooping. Use the following commands: RS G8264(config)# no fcoe fips enable RS G8264(config)# no fcoe optimizedforwarding enable To re‐enable optimized traffic flow, use the following command sequence: RS G8264(config)# no fcoe fips enable RS G8264(config)# fcoe optimizedforwarding enable RS G8264(config)# fcoe fips enable © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 374: Fcoe Vlans
Optimized traffic flow is enabled for a single switch FCF as well as a stack. In a stack, one or more members may have optimized flow entries installed based on the configuration. You can view the installed optimized ACLs on the respective switches. Note: Optimized ACL entries cannot be installed on ports 53‐64, even when the ports are in FCoE mode. The following commands provide optimized traffic flow information:  To check the current state: RS G8264# show fcoe optimizedforwarding status To view a list of optimized ACLs:  RS G8264# show fcoe optimizedacls vlan <VLAN ID> FCoE VLANs FCoE packets to any FCF will be confined to the VLAN advertised by the FCF (typically VLAN 1002). The appropriate VLAN must be configured on the switch with member FCF ports and must be supported by the participating CNAs. You must manually configure the tag settings and the appropriate VLANs for the Enode ports. Note: If using an Emulex CNA, you must create the FCoE VLAN add the ENode and FCF ports to that VLAN using the CLI. The administrator must ensure that the VLAN configured for each FCF and its ENodes are supported by the participating FCF and ENode CNAs. Note: FCoE ports can have any native VLAN. Fibre Channel VLAN must not be configured as the native VLAN for FCoE ports. Viewing FIP Snooping Information ACLs automatically generated under FIP snooping are independent of regular, manually configure ACLs, and are not listed with regular ACLs in switch information and statistics output. Instead, FCoE ACLs are shown using the following CLI commands: RS G8264# show fcoe fips information (Show all FIP‐related information) RS G8264# show fcoe fips port <ports> information (Show FIP info for a selected port)
Page 375: Operational Commands
Operational Commands The administrator may use the operational commands to delete FIP‐related entries from the switch. To delete a specific FCF entry and all associated ACLs from the switch, use the following command: RS G8264# no fcoe fips fcf <FCF MAC address> [<VLAN number>] FIP Snooping Configuration In this example, as shown in Figure 32 on page 366, FCoE devices are connected to port 2 for the FCF device and port 3 for an ENode. You can configure FIP snooping on these ports using the following commands: 1. Enable VLAN tagging on the FCoE ports: ( RS G8264(config)# interface port 2,3 Select FCoE ports) ( RS G8264(configif)# switchport mode trunk Enable VLAN tagging) RS G8264(configif)# exit (Exit port configuration mode) Note: If you are using Emulex CNA BE 2 ‐ FCoE mode, you must enable PVID tagging on the Enode ports. © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 376 2. Place FCoE ports into a VLAN supported by the FCF and CNAs (typically VLAN 1002): RS G8264(config)# vlan 1002 (Select a VLAN) RS G8264(configvlan)# exit (Exit VLAN configuration mode) RS G8264(config)# interface port 2,3 (Add FCoE ports to the VLAN) RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan add 1002 RS G8264(configif)# exit Note: Placing ports into the VLAN (Step 2) after tagging is enabled (Step 1) helps to ensure that their port VLAN ID (PVID) is not accidentally changed. 3. Turn CEE on. RS G8264(config)# cee enable Note: Turning CEE on will automatically change some 802.1p QoS and 802.3x standard flow control settings and menus (see “Turning CEE On or Off” on page 368). 4. Turn global FIP snooping on: RS G8264(config)# fcoe fips enable 5. If using an Emulex CNA, disable automatic VLAN creation. RS G8264(config)# no fcoe fips automaticvlan 6.
Page 377: Priority-Based Flow Control
PFC pauses traffic based on 802.1p priority values in the VLAN tag. The administrator can assign different priority values to different types of traffic and then enable PFC for up to two specific priority values: priority value 3, and one other. The configuration can be applied globally for all ports on the switch. Then, when traffic congestion occurs on a port (caused when ingress traffic exceeds internal buffer thresholds), only traffic with priority values where PFC is enabled is paused. Traffic with priority values where PFC is disabled proceeds without interruption but may be subject to loss if port ingress buffers become full. Although PFC is useful for a variety of applications, it is required for FCoE implementation where storage (SAN) and networking (LAN) traffic are converged on the same Ethernet links. Typical LAN traffic tolerates Ethernet packet loss that can occur from congestion or other factors, but SAN traffic must be lossless and requires flow control. For FCoE, standard flow control would pause both SAN and LAN traffic during congestion. While this approach would limit SAN traffic loss, it could degrade the performance of some LAN applications that expect to handle congestion by dropping traffic. PFC resolves these FCoE flow control issues. Different types of SAN and LAN traffic can be assigned different IEEE 802.1p priority values. PFC can then be enabled for priority values that represent SAN and LAN traffic that must be paused during congestion, and disabled for priority values that represent LAN traffic that is more loss‐tolerant. PFC requires CEE to be turned on (“Turning CEE On or Off” on page 368). When CEE is turned on, PFC is enabled on priority value 3 by default. Optionally, the administrator can also enable PFC on one other priority value, providing lossless handling for another traffic type, such as for a business‐critical LAN application. Note: For any given port, only one flow control method can be implemented at any given time: either PFC or standard IEEE 802.3x flow control. © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 378: Global Vs. Port-By-Port Configuration
Global vs. Port-by-Port Configuration PFC requires CEE to be turned on (“Turning CEE On or Off” on page 368). When CEE is turned on, standard flow control is disabled on all ports, and PFC is enabled on all ports for 802.1p priority value 3. While CEE is turned on, PFC cannot be disabled for priority value 3. This default is chosen because priority value 3 is commonly used to identify FCoE traffic in a CEE environment and must be guaranteed lossless behavior. PFC is disabled for all other priority values by default, but can be enabled for one additional priority value. The administrator can also configure PFC on a port‐by‐port basis. The method used will typically depend on the following: Port‐by‐port PFC configuration is desirable in most mixed environments where  some G8264 ports are connected to CEE‐capable (FCoE) switches, gateways, and Converged Network Adapters (CNAs), and other G8264 ports are connected to non‐CEE Layer 2/Layer 3 switches, routers and Network Interface Cards (NICs).  Global PFC configuration is preferable in networks that implement end‐to‐end CEE devices. For example, if all ports are involved with FCoE and can use the same SAN and LAN priority value configuration with the same PFC settings, global configuration is easy and efficient. Global PFC configuration can also be used in some mixed environments where  traffic with PFC‐enabled priority values occurs only on ports connected to CEE devices, and not on any ports connected to non‐CEE devices. In such cases, PFC can be configured globally on specific priority values even though not all ports make use them. PFC is not restricted to CEE and FCoE networks. In any LAN where traffic is  separated into different priorities, PFC can be enabled on priority values for loss‐sensitive traffic. If all ports have the same priority definitions and utilize the same PFC strategy, PFC can be globally configured.  If you want to enable PFC on a priority, do one of the following: Create a separate PG (separate COS Q) (or)  Move the priority to the existing PG in which PFC is turned on. ...
Page 379: Pfc Configuration Example
Enabled others (not used) Disabled FCoE Enabled others (not used) Disabled 0‐2 Disabled (not used) Enabled Business‐critical LAN Enabled others (not used) Disabled In this example, PFC is to facilitate lossless traffic handling for FCoE (priority value 3) and a business‐critical LAN application (priority value 4). Assuming that CEE is off (the G8264 default), the example topology shown in the table above can be configured using the following commands: 1. Turn CEE on. RS G8264(config)# cee enable Note: Turning CEE on will automatically change some 802.1p QoS and 802.3x standard flow control settings and menus (see “Turning CEE On or Off” on page 368). © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 380 2. Enable PFC for the FCoE traffic. Note: PFC is enabled on priority 3 by default. If using the defaults, the manual configuration commands shown in this step are not necessary. RS G8264(config)# cee port 2 pfc priority 3 enable(Enable on FCoE priority) RS G8264(config)# cee port 2 pfc priority 3 description "FCoE" (Optional description) RS G8264(config)# cee port 3 pfc priority 3 enable(Enable on FCoE priority) RS G8264(config)# cee port 3 pfc priority 3 description "FCoE" (Optional description) 3. Enable PFC for the business‐critical LAN application: RS G8264(config)# cee port 1 pfc priority 4 enable(Enable on LAN priority) RS G8264(config)# cee port 1 pfc priority 4 description "Critical LAN" (Optional description) RS G8264(config)# cee port 4 pfc priority 4 enable( Enable on LAN priority) RS G8264(config)# cee port 4 pfc priority 4 description "Critical LAN" (Optional description) 4. Save the configuration. G8264 Application Guide for ENOS 8.4...
Page 381: Enhanced Transmission Selection
15 16 Servers and other network devices may be configured to assign different priority values to packets belonging to different traffic types (such as SAN and LAN). ETS uses the assigned 802.1p priority values to identify different traffic types. The various priority values are assigned to priority groups (PGID), and each priority group is assigned a portion of available link bandwidth. Priorities values within in any specific ETS priority group are expected to have similar traffic handling requirements with respect to latency and loss. 802.1p priority values may be assigned by the administrator for a variety of purposes. However, when CEE is turned on, the G8264 sets the initial default values for ETS configuration as follows: Figure 33. Default ETS Priority Groups 802.1p Bandwidth Typical Traffic Type PGID Priority Allocation Latency-Sensitive LAN Latency-Sensitive LAN Latency-Sensitive LAN Latency-Sensitive LAN © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 382: Priority Groups
In the assignment model shown in Figure 33 on page 381, priorities values 0 through 2 are assigned for regular Ethernet traffic, which has “best effort” transport characteristics. Because CEE and ETS features are generally associated with FCoE, Priority 3 is typically used to identify FCoE (SAN) traffic. Priorities 4‐7 are typically used for latency sensitive traffic and other important business applications. For example, priority 4 and 5 are often used for video and voice applications such as IPTV, Video on Demand (VoD), and Voice over IP (VoIP). Priority 6 and 7 are often used for traffic characterized with a “must get there” requirement, with priority 7 used for network control which is requires guaranteed delivery to support configuration and maintenance of the network infrastructure. Note: The default assignment of 802.1p priority values on the G8264 changes depending on whether CEE is on or off. See “Turning CEE On or Off” on page 368 for details. Priority Groups For ETS use, each 801.2p priority value is assigned to a priority group which can then be allocated a specific portion of available link bandwidth. To configure a priority group, the following is required:  CEE must be turned on (“Turning CEE On or Off” on page 368) for the ETS feature to function.  A priority group must be assigned a priority group ID (PGID), one or more 802.1p priority values, and allocated link bandwidth greater than 9%. PGID Each priority group is identified with number (0 through 7, and 15) known as the PGID. PGID 0 through 7 may each be assigned a portion of the switch’s available bandwidth. PGID 8 through 14 are reserved as per the 802.1Qaz ETS standard. PGID 15 is a strict priority group. It is generally used for critical traffic, such as network management. Any traffic with priority values assigned to PGID 15 is permitted as much bandwidth as required, up to the maximum available on the switch. After serving PGID 15, any remaining link bandwidth is shared among the ...
Page 383: Assigning Priority Values To A Priority Group
Each priority value must be assigned to a PGID. Priority values may not be deleted or unassigned. To remove a priority value from a PGID, it must be moved to another PGID. For PGIDs 0 through 7, bandwidth allocation can also be configured through the ETS Priority Group menu. See for “Allocating Bandwidth” on page 383 for details. Deleting a Priority Group A priority group is automatically deleted when it contains no associated priority values, and its bandwidth allocation is set to 0%. Note: The total bandwidth allocated to PGID 0 through 7 must equal exactly 100%. Reducing the bandwidth allocation of any group will require increasing the allocation to one or more of the other groups (see “Allocating Bandwidth” on page 383). Allocating Bandwidth Follow these guidelines when allocating bandwidth. Allocated Bandwidth for PGID 0 Through 7 You may allocate a portion of the switch’s available bandwidth to PGIDs 0 through 7. Available bandwidth is defined as the amount of link bandwidth that remains after priorities within PGID 15 are serviced (see “Unlimited Bandwidth for PGID © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 384: Configuring Ets
15” on page 384), and assuming that all PGIDs are fully subscribed. If any PGID does not fully consume its allocated bandwidth, the unused portion is made available to the other priority groups. Priority group bandwidth allocation can be configured using the following command: RS G8264(config)# cee global ets prioritygroup pgid <priority group number> bandwidth <bandwidth allocation> pgid <priority group number> bandwidth <bandwidth allocation> where bandwidth allocation represents the percentage of link bandwidth, specified as a number between 10 and 100, in 1% increments, or 0. The following bandwidth allocation rules apply: Bandwidth allocation must be 0% for any PGID that has no assigned 802.1p pri‐  ority values.  Any PGID assigned one or more priority values must have a bandwidth allocation greater than 9%.  Total bandwidth allocation for groups 0 through 7 must equal exactly 100%. Increasing or reducing the bandwidth allocation of any PGID also requires adjusting the allocation of other PGIDs to compensate. If these conditions are not met, the switch will report an error when applying the configuration. Note: Actual bandwidth used by any specific PGID may vary from configured values by up to 10% of the available bandwidth in accordance with 802.1Qaz ETS standard. For example, a setting of 10% may be served anywhere from 0% to 20% of the available bandwidth at any given time. Unlimited Bandwidth for PGID 15 PGID 15 is permitted unlimited bandwidth and is generally intended for critical traffic (such as switch management). Traffic in this group is given highest priority and is served before the traffic in any other priority group. If PGID 15 has low traffic levels, most of the switch’s bandwidth will be available to ...
Page 385 Latency‐sensitive LAN Network Management (strict) unlimited The example shown in Table 36 is only slightly different than the default configuration shown in Figure 33 on page 381. In this example, latency‐sensitive LAN traffic (802.1p priority 5 through 6) are moved from priority group 2 to priority group 3. This leaves Business Critical LAN traffic (802.1p priority 4) in priority group 2 by itself. Also, a new group for network management traffic has been assigned. Finally, the bandwidth allocation for priority groups 3, 4, and 5 are revised. Note: DCBX may be configured to permit sharing or learning PFC configuration with or from external devices. This example assumes that PFC configuration is being performed manually. See “Data Center Bridging Capability Exchange” on page 388 for more information on DCBX. This example can be configured using the following commands: 1. Turn CEE on. RS G8264(config)# cee enable Note: Turning CEE on will automatically change some 802.1p QoS and 802.3x standard flow control settings and menus (see “Turning CEE On or Off” on page 368). © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 386 2. Configure each allocated priority group with a description (optional), list of 802.1p priority values, and bandwidth allocation: RS G8264(config)# cee global ets prioritygroup pgid 0 priority 0,1,2 (Select a group for regular LAN, and set for 802.1p priorities 0, 1, and 2) RS G8264(config)# cee global ets prioritygroup pgid 0 description "Regular LAN" (Set a group description—optional) RS G8264(config)# cee global ets prioritygroup pgid 1 priority 3 (Select a group for SAN traffic, and set for 802.1p priority 3) RS G8264(config)# cee global ets prioritygroup pgid 1 description "SAN" (Set a group description—optional) RS G8264(config)# cee global ets prioritygroup pgid 2 priority 4 (Select a group for latency traffic, and set for 802.1p priority 4) RS G8264(config)# cee global ets prioritygroup pgid 2 description "BizCritical LAN" (Set a group description—optional) RS G8264(config)# cee global ets prioritygroup pgid 3 description "LatencySensitive LAN" (Set a group description—optional) RS G8264(config)# cee global ets prioritygroup pgid 3 priority 5,6 pgid 0 bandwidth 10 pgid 1 bandwidth 20 pgid 2 bandwidth 30 pgid 3 bandwidth 40 (Configure link bandwidth restriction) 3. Configure the strict priority group with a description (optional) and a list of 802.1p priority values: RS G8264(config)# cee global ets prioritygroup pgid 15 priority 7 (Select a group for strict traffic, and Set 802.1p priority 7) RS G8264(config)# cee global ets prioritygroup pgid 15 description ...
Page 387 To view the configuration, use the following command: RS G8264(config)# show cee global ets Current ETS Configuration: Number of COSq: 8 Current Mapping of 802.1p Priority to Priority Groups: Priority PGID COSq 0 0 0 1 0 0 2 0 0 3 1 1 4 2 2 5 3 3 6 3 3 7 15 7 Current Bandwidth Allocation to Priority Groups: PGID PG% Description 0 10 Regular LAN 1 20 SAN 2 30 BizCritical LAN 3 40 Latencysensitive LAN 15 Network Management © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 388: Data Center Bridging Capability Exchange
Data Center Bridging Capability Exchange Data Center Bridging Capability Exchange (DCBX) protocol is a vital element of CEE. DCBX allows peer CEE devices to exchange information about their advanced capabilities. Using DCBX, neighboring network devices discover their peers, negotiate peer configurations, and detect misconfigurations. DCBX provides two main functions on the G8264: Peer information exchange  The switch uses DCBX to exchange information with connected CEE devices. For normal operation of any FCoE implementation on the G8264, DCBX must remain enabled on all ports participating in FCoE.  Peer configuration negotiation DCBX also allows CEE devices to negotiate with each other for the purpose of automatically configuring advanced CEE features such as PFC, ETS, and (for some CNAs) FIP. The administrator can determine which CEE feature settings on the switch are communicated to and matched by CEE neighbors, and also which CEE feature settings on the switch may be configured by neighbor requirements. The DCBX feature requires CEE to be turned on (see “Turning CEE On or Off” on page 368). DCBX Settings When CEE is turned on, DCBX is enabled for peer information exchange on all ports. For configuration negotiation, the following default settings are configured:  Application Protocol: FCoE and FIP snooping is set for traffic with 802.1p priority 3  PFC: Enabled on 802.1p priority 3  Priority group 0 includes priority values 0 through 2, with bandwidth  allocation of 10% Priority group 1 includes priority value 3, with bandwidth allocation of 50% ...
Page 389: Enabling And Disabling Dcbx
Peer Configuration Negotiation CEE peer configuration negotiation can be set on a per‐port basis for a number of CEE features. For each supported feature, the administrator can configure two independent flags:  The advertise flag When this flag is set for a particular feature, the switch settings will be transmit to the remote CEE peer. If the peer is capable of the feature, and willing to accept the G8264 settings, it will be automatically reconfigured to match the switch.  The willing flag Set this flag when required by the remote CEE peer for a particular feature as part of DCBX signaling and support. Although some devices may also expect this flag to indicate that the switch will accept overrides on feature settings, the G8264 retains its configured settings. As a result, the administrator must configure the feature settings on the switch to match those expected by the remote CEE peer. These flags are available for the following CEE features: Application Protocol  DCBX exchanges information regarding FCoE and FIP snooping, including the 802.1p priority value used for FCoE traffic. The advertise flag is set or reset using the following command: RS G8264(config)# [no] cee port <port alias or number> dcbx app_proto advertise The willing flag is set or reset using the following command: RS G8264(config)# [no] cee port <port alias or number> dcbx app_proto willing © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 390: Configuring Dcbx
 DCBX exchanges information regarding whether PFC is enabled or disabled on the port. The advertise flag is set or reset using the following command: RS G8264(config)# [no] cee port <port alias or number> dcbx pfc advertise The willing flag is set or reset using the following command: RS G8264(config)# [no] cee port <port alias or number> dcbx pfc willing  DCBX exchanges information regarding ETS priority groups, including their 802.1p priority members and bandwidth allocation percentages. The advertise flag is set or reset using the following command: RS G8264(config)# [no] cee port <port alias or number> dcbx ets advertise The willing flag is set or reset using the following command: RS G8264(config)# [no] cee port <port alias or number> dcbx ets willing Configuring DCBX Consider an example consistent Figure 32 on page 366 and used with the previous FCoE examples in this chapter:  FCoE is used on ports 2 and 3. CEE features are also used with LANs on ports 1 and 4.   All other ports are disabled or are connected to regular (non‐CEE) LAN devices. In this example, the G8264 acts as the central point for CEE configuration. FCoE‐related ports will be configured for advertising CEE capabilities, but not to accept external configuration. Other LAN ports that use CEE features will also be configured to advertise feature settings to remote peers, but not to accept external configuration. DCBX will be disabled on all non‐CEE ports. This example can be configured using the following commands: 1. Turn CEE on. RS G8264(config)# cee enable Note: Turning CEE on will automatically change some 802.1p QoS and 802.3x standard flow control settings and menus (see “Turning CEE On or Off” on ...
Page 391 RS G8264(config)# cee port 3 dcbx enable RS G8264(config)# cee port 3 dcbx app_proto advertise RS G8264(config)# cee port 3 dcbx ets advertise RS G8264(config)# cee port 3 dcbx pfc advertise 3. Enable desired DCBX advertisements on other CEE ports: RS G8264(config)# cee port 1 dcbx enable RS G8264(config)# cee port 1 dcbx app_proto advertise RS G8264(config)# cee port 1 dcbx ets advertise RS G8264(config)# cee port 1 dcbx pfc advertise RS G8264(config)# cee port 4 dcbx enable RS G8264(config)# cee port 4 dcbx app_proto advertise RS G8264(config)# cee port 4 dcbx ets advertise RS G8264(config)# cee port 4 dcbx pfc advertise 4. Disable DCBX for each non‐CEE port as appropriate: RS G8264(config)# no cee port 564 dcbx enable 5. Save the configuration. © Copyright Lenovo 2016 Chapter 21: FCoE and CEE...
Page 392 G8264 Application Guide for ENOS 8.4...
Page 393: Chapter 22. Edge Virtual Bridging
Lenovo Enterprise Network Operating System EVB features are compliant with the IEEE 802.1Qbg Authors Group Draft 0.2. For a list of documents on this feature, see: http://www.ieee802.org/1/pages/802.1bg.html. The Lenovo RackSwitch G8264 performs the role of a 802.1Qbg bridge in an EVB environment. Enterprise NOS implementation of EVB supports the following protocols:  Virtual Ethernet Bridging (VEB) and Virtual Ethernet Port Aggregator (VEPA): VEB and VEPA are mechanisms for switching between VMs on the same hypervisor. VEB enables switching with the server, either in the software (vSwitch), or in the hardware (using single root I/O virtualization capable NICs). VEPA requires the edge switch to support “Reflective Relay”— an operation where the switch forwards a frame back to the port on which it arrived if the destination MAC address is on the same port.  Edge Control Protocol (ECP): ECP is a transport protocol that operates between two peers over an IEEE 802 LAN. ECP provides reliable, in‐order delivery of ULP (Upper Layer Protocol) PDUs (Protocol Data Units).  Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP): VDP allows hypervisors to advertise VSIs to the physical network. This protocol also allows centralized configuration of network policies that will persist with the VM, independent of its location. EVB Type‐Length‐Value (TLV): EVB TLV is a Link Layer Discovery protocol  (LLDP)‐based TLV used to discover and configure VEPA, ECP, and VDP. © Copyright Lenovo 2016 Chapter 22: Edge Virtual Bridging...
Page 394: Evb Operations Overview
EVB Operations Overview The ENOS includes a pre‐standards VSI Type Database (VSIDB) implemented through the System Networking Switch Center (SNSC), the IBM Flex System Manager (FSM), or the IBM System Networking Distributed Switch 5000V. The VSIDB is the central repository for defining sets of network policies that apply to VM network ports. You can configure only one VSIDB. Note: This document does not include the VSIDB configuration details. Please see the SNSC, FSM, or IBM System Networking Distributed Switch 5000V guide for details on how to configure VSIDB. The VSIDB operates in the following sequence: 1. Define VSI types in the VSIDB. The VSIDB exports the database when the G8264 metering sends a request. 2. Create a VM. Specify VSI type for each VM interface. See the SNSC, FSM, or IBM System Networking Distributed Switch 5000V guide for details on how to specify the VSI type. The hypervisor sends a VSI ASSOCIATE, which contains the VSI type ID, to the switch port after the VM is started. The switch updates its configuration based on the requested VSI type. The switch configures the per‐VM bandwidth using the VMpolicy. The ENOS supports the following policies for VMs:  ACLs  Bandwidth VSIDB Synchronization The switch periodically checks for VSIDB changes based on the configured interval. You can configure this interval using the following command: RS G8264(config)# virt evb vsidb <number> RS G8264(confvsidb)# [no] updateinterval <time in seconds> To disable periodic updates, use the “no updateinterval” command. If the switch finds that the VSIDB has changed, it updates the local VSIDB cache. When the cache is successfully updated, it sends a syslog message. After updating the local VSIDB cache, the switch disassociates any VM whose type ...
Page 395: Vlan Behavior
Dynamic VLAN information will not be displayed in the running configuration. However, the VLAN, port, and STP commands display the dynamic VLAN information with a “*”. If you configure any Layer 2/Layer 3 features on dynamically created VLANs, the VLAN information is displayed in the running configuration. Deleting a VLAN If you delete a VLAN that has a VM associated with it, you will see a warning message similar to the following: Warning: Vlan 10 is used by VM and can't be removed. The VMs will not get disassociated. If a VM is associated with a port, and you remove this port from a VLAN, you will see a warning message similar to the following: Warning: Port 23 in Vlan 10 is used by VM and can't be removed. The VMs will not get disassociated. Manual Reflective Relay Reflective Relay (RR) is an operation where the switch forwards a frame back to the port on which it arrived if the destination MAC address is on the same port. When an EVB profile is configured on a port, RR is automatically enabled on the port after capability exchange with the peer, using the IEEE802.1QBG protocol. This is the usual mode of operation. When the switch interoperates with devices that do not support IEEE 802.1QBG protocols, RR can be manually configured using the following command: RS G8264(configif)# reflectiverelay force Manual RR and EVB profile cannot be configured on a port at the same time. If a port belongs to an isolated VLAN, Manual RR will not work for the respective port. © Copyright Lenovo 2016 Chapter 22: Edge Virtual Bridging...
Page 396: Vsidb - Ipv6 Support
VSIDB - IPv6 Support The VSIDB manager can be configured with an IPv4 or IPv6 address. Use the following command to configure the VSIDB manager IP address: RS G8264(config)# virt evb vsidb 1 RS G8264(conf-vsidb)# host <IPv4 or IPv6 address> (Set VSI database Manager IP) G8264 Application Guide for ENOS 8.4...
Page 397: Evb Configuration
RS G8264(config)# virt evb profile 1 (Enter number from 1‐16) 2. Enable Reflective Relay. RS G8264(confevbprof)# reflectiverelay 3. Enable VSI discovery. RS G8264(confevbprof)# vsidiscovery RS G8264(conf-evbprof)# exit 4. Enable a server port. RS G8264(config)# system serverports port <port‐number> 5. Add EVB profile to port. RS G8264(config)# interface port 1 RS G8264(config-if)# evb profile 1 (Enter EVB profile RS G8264(configif)# exit 6. Configure ECP retransmission interval. RS G8264(config)# ecp retransmitinterval 8000 (Enter retransmission interval in milliseconds (100‐9000) © Copyright Lenovo 2016 Chapter 22: Edge Virtual Bridging...
Page 398 7. Set VSI database information. RS G8264(config)# virt evb vsidb 1 RS G8264(confvsidb)# protocol {http|https} (Select VSI database protocol; default is HTTP) RS G8264(confvsidb)# host 172.31.37.187 [dataport|mgtport] (Set VSI database Manager IP) RS G8264(confvsidb)# port 80 (Set VSI database Manager port) RS G8264(confvsidb)# filepath “vsidb” (Set VSI database document path) RS G8264(confvsidb)# filename “all.xml”(Set VSI database file name) RS G8264(confvsidb)# updateinterval 30(Set update interval in seconds) RS G8264(confvsidb)# exit Note: When you connect to an SNSC VSIDB, the port/docpath configuration is as follows: HTTP: Port: 40080   Docpath: snsc/rest/vsitypes HTTPS:  Port: 40443  Docpath: snsc/rest/vsitypes When you connect to a 5000v VSIDB, the port/docpath configuration is as follows:  Port: 80  Docpath: vsitypes 8.
Page 399: Limitations
Limitations  If both ACL and egress bandwidth metering are enabled, traffic will first be matched with the ACL and will not be limited by bandwidth metering. ACLs based on a source MAC or VLAN must match the source MAC and VLAN  of the VM. If not, the policy will be ignored and you will see the following warning message: "vm: VSI Type ID 100 Associated mac 00:50:56:b6:c0:ff on port 6, ignore 1 mismatched ACL" Unsupported features The following features are not supported with EVB:  LAG/VLAG  vNIC  Stacking © Copyright Lenovo 2016 Chapter 22: Edge Virtual Bridging...
Page 400 G8264 Application Guide for ENOS 8.4...
Page 401: Chapter 23. Static Multicast Arp
Chapter 23. Static Multicast ARP The Microsoft Windows operating system includes Network Load Balancing (NLB) technology that helps to balance incoming IP traffic among multi‐node clusters. In multicast mode, NLB uses a shared multicast MAC address with a unicast IP address. Since the address resolution protocol (ARP) can map an IP address to only one MAC address, port, and VLAN, the packet reaches only one of the servers (the one attached to the port on which the ARP was learnt). To avoid the ARP resolution, you must create a static ARP entry with multicast MAC address. You must also specify the list of ports through which the multicast packet must be sent out from the gateway or Layer 2/Layer 3 node. With these configurations, a packet with a unicast IPv4 destination address and multicast MAC address can be sent out as per the multicast MAC address configuration. NLB maps the unicast IP address and multicast MAC address as follows: Cluster multicast MAC address: 03‐BF‐W‐X‐Y‐Z; where W.X.Y.Z is the cluster unicast IP address. You must configure the static multicast ARP entry only at the Layer 2/Layer 3 or Router node, and not at the Layer 2‐only node. Lenovo Enterprise Network Operating System supports a maximum of 20 static multicast ARP entries. When the ARP table is full, an error message appears in the syslog. Note: If you use the ACL profile, an ACL entry is consumed for each Static Multicast ARP entry that you configure. Hence, you can configure a maximum of 896 ACLs and multicast MAC entries together when using the ACL profile.The ACL entries have a higher priority. In the default profile, the number of static multicast ARP entries that you configure does not affect the total number of ACL entries. © Copyright Lenovo 2016 Chapter 23: Static Multicast ARP...
Page 402: Configuring Static Multicast Arp
Configuring Static Multicast ARP To configure multicast MAC ARP, you must perform the following steps:  Configure the static multicast forwarding database (FDB) entry: Since there is no port list specified for static multicast ARP, and the associated MAC address is multicast, you must specify a static multicast FDB entry for the cluster MAC address to limit the multicast domain. If there is no static multicast FDB entry defined for the cluster MAC address, traffic will not be forwarded. Use the following command: RS G8264(config)# macaddresstable multicast <cluster MAC address> <port(s)>  Configure the static multicast ARP entry: Multicast ARP static entries should be configured without specifying the list of ports to be used. Use the following command: RS G8264(config)# ip arp <destination unicast IP address> <destination multicast MAC address> vlan <cluster VLAN number> Configuration Example Consider the following example:  Cluster unicast IP address: 10.10.10.42  Cluster multicast MAC address: 03:bf:0A:0A:0A:2A  Cluster VLAN: 42  List of individual or port LAGs to which traffic should be forwarded: 54 and 56 Following are the steps to configure the static multicast ARP based on the given example: 1. Configure the static multicast FDB entry. RS G8264(config)# macaddresstable multicast 03:bf:0A:0A:0A:2A 42 54,56 2.
Page 403  Verify static multicast ARP entry: RS G8264(config)# show ip arp Mgmt ARP entries: Total number of Mgmt arp entries : 2 IP address Flags MAC address VLAN Age Port 10.100.121.132 P 08:17:f4:62:64:fe 4095 MGT 10.100.121.1 00:22:00:ad:45:00 4095 1 MGT Data ARP entries: Current ARP configuration: rearp 5 Current static ARP: IP address MAC address Port VLAN 10.10.10.42 03:bf:0a:0a:0a:2a 42 Total number of arp entries : 2 IP address Flags MAC address VLAN Age Port 10.10.10.1 P 08:17:f4:62:64:00 42 10.10.10.42 P 03:bf:0a:0a:0a:2a 42 © Copyright Lenovo 2016 Chapter 23: Static Multicast ARP...
Page 404: Limitations
Limitations  You must configure the ARP only in the Layer 2/Layer 3 node or the router node but not in the Layer 2‐only node. Enterprise NOS cannot validate if the node is Layer 2‐only.  The packet is always forwarded to all the ports as specified in the Multicast MAC address configuration. If VLAN membership changes for the ports, you must update this static multicast MAC entry. If not, the ports, whose membership has changed, will report discards.  ACLs take precedence over static multicast ARP. If an ACL is configured to match and permit ingress of unicast traffic, the traffic will be forwarded based on the ACL rule, and the static multicast ARP will be ignored. G8264 Application Guide for ENOS 8.4...
Page 405: Chapter 24. Dynamic Arp Inspection
MAC address MC as the destination MAC address for traffic intended for Host B. Host C then intercepts that traffic. Because Host C knows the true MAC addresses associated with Host B, it forwards the intercepted traffic to that host by using the correct MAC address as the destination, keeping the appearance of regular behavior. Figure 34. ARP Cache Poisoning Host A Host B (IA, MA) (IB, MB) Host C (man-in-the-middle) (IC, MC) Understanding DAI Dynamic ARP Inspection is a security feature that lets the switch intercept and examine all ARP request and response packets in a subnet, discarding those packets with invalid IP to MAC address bindings. This capability protects the network from man‐in‐the‐middle attacks. A switch on which ARP Inspection is configured does the following:  Intercepts all ARP requests and responses on untrusted ports. Verifies that each of these intercepted packets has a valid IP/MAC/VLAN/port  binding before updating the local ARP cache or before forwarding the packet to the appropriate destination. © Copyright Lenovo 2016...
Page 406: Interface Trust States And Network Security
 Drops invalid ARP packets and sends a syslog message with details about each dropped packet. DAI determines the validity of an ARP packet based on valid IP‐to‐MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. As shown in Figure 35, if the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid. For hosts with statically configured IP addresses, static DHCP snooping binding entries can be configured with a big lease time. Figure 35. Dynamic ARP inspection at work Valid Packets Packets Packets DHCP Snooping/ Binding Invalid Packet Interface Trust States and Network Security DAI associates a trust state with each interface on the switch. In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. The trust state configuration should be done carefully: configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity. In Figure 36, assume that both Switch A and Switch B are running DAI on the VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A has the ...
Page 407 Port 1 Port 2 Port 2 Port 3 Port 3 Host 1 Host 2 If Switch A is not running DAI, Host 1 can easily poison the ARP caches of Switch B and Host 2, if the link between the switches is configured as trusted. This condition can occur even though Switch B is running DAI. The best option for the setup from Figure 36 is to have DAI running on both switches and to have the link between the switches configured as trusted. In cases in which some switches in a VLAN run DAI and other switches do not, configure the interfaces connecting such switches as untrusted. However, to validate the bindings of packets from switches where DAI is not configured, configure static DHCP snooping binding entries on the switch running DAI. When you cannot determine such bindings, isolate switches running DAI at Layer 3 from switches not running DAI. DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the network connected through a trusted interface from poisoning the caches of the hosts that are connected to a switch running DAI. © Copyright Lenovo 2016 Chapter 24: Dynamic ARP Inspection...
Page 408: Dai Configuration Guidelines And Restrictions
DAI Configuration Guidelines and Restrictions When configuring DAI, follow these guidelines and restrictions:  DAI is an ingress security feature; it does not perform any egress checking.  DAI is not effective for hosts connected to switches that do not support DAI or that do not have this feature enabled. Because man‐in‐the‐middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with DAI checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for DAI.  DAI depends on the entries in the DHCP snooping binding database to verify IP‐to‐MAC address bindings in incoming ARP requests and ARP responses.  For non‐DHCP environments, for each static IP address add a static DHCP Snooping binding entry with the biggest lease time in order not to expire.  Ports belonging to a port‐channel must have the same trust state. DAI Configuration Example Following is the configuration for the example in Figure SwitchA(config)# interface port 13 SwitchA(configif)# switchport access vlan 2 SwitchA(config)# interface port 12 SwitchA(configif)# ip arp inspection trust SwitchA(configif)# exit SwitchA(config)# interface port 3 SwitchA(configif)# no ip arp inspection trust SwitchA(configif)# exit SwitchA(config)# ip arp inspection vlan 2 SwitchB(config)# interface port 23 SwitchB(configif)# switchport access vlan 2 SwitchB(config)# interface port 2 SwitchB(configif)# ip arp inspection trust SwitchB(configif)# exit SwitchB(config)# interface port 3 SwitchB(configif)# no ip arp inspection trust SwitchB(configif)# exit...
Page 409 SwitchA# show ip dhcp snooping binding Output of show commands: SwitchA# show ip arp inspection vlan Vlan Configuration 2 Enabled SwitchA# show ip arp inspection interfaces Interface Trust State 1Trusted 2Trusted 3Untrusted 4Untrusted SwitchA# show ip arp inspection statistics Vlan ForwardedDropped 2 100 200 When Host 1 tries to send an ARP with an IP address of 1.1.1.3 that is not present in the DHCP Binding table, the packet is dropped and an error message similar to the following is logged: “Dec 16 21:00:10 192.168.49.50 NOTICE ARPInspection: Invalid ARP Request on port 3, VLAN 2 ([00:02:00:02:00:02/1.1.1.3/00:00:00:00:00:00/1.1.1.4])” © Copyright Lenovo 2016 Chapter 24: Dynamic ARP Inspection...
Page 410 G8264 Application Guide for ENOS 8.4...
Page 411: Chapter 25. Unified Fabric Port
VNIC NIC Port Switch Port vPort Switch VNIC OS or vPort Hypervisor VNIC vPort vPort VNIC The UFP protocol has the following operation categories:  Channel Initialization: The server NIC and the switch port negotiate the number of channels and establish channel identifiers. Each UFP channel has a data component and a control component. The two components have the same UFP channel ID.  Channel Control: For an established channel, the switch can modify channel properties by sending a control message on the UFP channel. While the channel ID is the same for the control and data components, the destination MAC address of the control message frame is a well‐known address.  Discovery Capability: UFP can discover other ports that are UFP enabled. Once you enable UFP, you can check the information statistics for established channels. © Copyright Lenovo 2016 Chapter 25: Unified Fabric Port...
Page 412: Ufp Limitations
UFP Limitations The following limitations apply when configuring UFP:  For Emulex NICs, FCoE must be configured only on vPort 2 of the physical NIC.  UFP port in FCoE mode cannot operate with FIP auto‐VLAN feature.  VLANs that have member vPorts configured in trunk‐, access‐, or auto‐modes cannot have member vPorts configured in tunnel mode or FCoE. vPorts on a physical port must be members of separate VLANs.   VLANs 4002‐4009 are reserved for outer tagging. VLAN translation is not applied on egress ports that have UFP enabled but no  vPorts configured in trunk‐, access‐, or auto‐modes.  UFP bandwidth is guaranteed lossless only for unicast traffic.  VMready is supported only on a vPort which is configured in auto‐VLAN mode. When a vPort is in auto‐VLAN mode, it can support up to 32 VMGroups.  EVB is supported only on a vPort which is configured in auto‐VLAN mode.  VMready and EVB cannot be configured on the same physical port.  UFP vPorts can support up to 1024 VLANs in trunk mode and auto mode.  UFP can be enabled only on ports connected to servers and defined as server ports  When CEE is turned on, FCoE vPort must be used for lossless priority traffic. For loss‐tolerant priority traffic, a non‐FCoE UFP vPort must be used. The lossless property of FCoE vPort is not guaranteed, if lossless and loss‐tolerant traffic are combined.  When the vPort is enabled and the channel link state is up, the system does not support changing vPort VLAN type from private/non‐private to non‐private/private. ...
Page 413: Virtual Ports Modes
UFP vPort Mode The UFP mode is configured based on the type of switching domain (single VLAN or multiple VLANs) where the vPort is connected.  Use local domain data path types for trunk or access mode.  Use pass‐through domain data path types for tunnel mode. In tunnel mode, a vPort can belong to only one VLAN. Use the following command to configure UFP vPort mode: RS G8264(config)# ufp port <num> vport <num> RS G8264(config_ufp_vport)# network mode {access|trunk|auto|tunnel|fcoe} Default mode is ‘tunnel’ Tunnel Mode In tunnel mode, a vPort can belong to only one VLAN. An outer tag with the vPort’s VLAN ID is inserted in packets that egress the vPort. The inner VLAN tag remains unchanged. The switch processes packets based on the outer tag. When all the ports or vPorts that belong to a particular VLAN are placed in tunnel mode, they belong to one pass‐through domain. Use tunnel mode to send all VM data traffic to an upstream switch, for Layer 2 or Layer 3 processing, in one domain. In such cases, the UFP port or vPort must be in tunnel mode and the upstream switch port must be in 802.1Q trunk mode. Note: Two vPorts on a physical port cannot be members of the same VLAN. © Copyright Lenovo 2016 Chapter 25: Unified Fabric Port...
Page 414: 802.1Q Trunk Mode
Figure 38. Packet pass‐through in Tunnel Mode Server vNICs vPorts Lenovo Switch Ports without vNICs OS/Hypervisor Regular NIC attaches UFP Switching uses outer tag; Switch strips VLAN ID Channel VLAN ID Ignores regular VLAN outer tag Outbound Packet Switching uses outer tag; Switch adds outer Outer tag sets vNIC;...
Page 415: Fcoe Mode
FCoE Mode FCoE traffic is carried by a vPort. The server‐side endpoint of this virtual port will be represented through a FC vHBA. Setting a virtual port in FCoE mode will enable Priority‐based Flow Control (PFC) on the physical port. A vPort configured in FCoE mode can only be attached to a Fibre Channel (FC) VLAN. Only vPort 2 on a physical port can be configured in FCoE mode. A vPort in FCoE mode operates as a local domain data path type with packets being single tagged. Auto-VLAN Mode When a vPort is configured in auto‐VLAN mode, the vPort participates in VM discovery using VMready or 802.1Qbg. VLANs are dynamically provisioned based on VMready discovery or 802.1Qbg VM association. When a vPort operates in auto‐VLAN mode, it supports 32 VM groups. In the case of 802.1Qbg, when a vPort operates in auto‐VLAN mode, the maximum number of VLANs in the inner tag are 1024. The vPort cannot be configured in Virtual Ethernet Port Aggregator (VEPA) mode. © Copyright Lenovo 2016 Chapter 25: Unified Fabric Port...
Page 416: Ufp Bandwidth Provisioning
UFP Bandwidth Provisioning UFP provides one two modes of bandwidth provisioning for vPort: ETS Mode and Strict Bandwidth Provisioning Mode. ETS Mode Enhanced Transmission Selection (ETS) mode of bandwidth provisioning is useful when an end‐to‐end QoS framework for the entire data center, with bandwidth provisioning for different applications, is desired. ETS mode color marks traffic from point of origination to point of destination. It helps to couple QoS provisioning in the access layer with data center fabric. This mode functions with the ETS feature available on the G8264. You must first define the ETS characteristics of the G8264. Assign each vNIC to desired traffic class by assigning a system class priority. The Data Center Bridging Capabilities Exchange (DCBX) and UFP protocols propagate the configured parameters for the vNIC to apply appropriate traffic coloring and shaping at the source. When operating in this mode, traffic scheduling and bandwidth allocation behavior on switch egress is driven by the ETS class of traffic. When two vNICs use the same traffic class configuration, the order in which switch schedules traffic at egress depends on the order the traffic arrives at egress buffer. Since bandwidth allocation is derived from traffic class rather than vNIC, switch egress doesn’t differentiate between different vNIC traffics. Use the following command to configure ETC bandwidth provisioning: RS G8264(config_ufp_vport)# qos ets {hostcontrol|priority} Note: CEE must be globally enabled before accessing QoS ETS Mode. These examples display currently configured QoS ETS settings: RS G8264(config_ufp_vport)# show ufp information qos UFP QOS: Port | Vport | Mode | Minbw% | Maxbw% | Prio | HstCtrl 33 | 1 | ETS | | | 0 | Dis | 2 | ETS | | | 1 | Dis | 3 | ETS | | | 2 | Dis | 4 | ETS | | | 3 | Dis | 5 | ETS | | | 4 | Dis | 6 | ETS | | | 5 | Dis | 7 | ETS | | | 6 | Dis | 8 | ETS | | | 7 | Dis ...
Page 417 QOS ETS mode configuration: Priority: 2 | Host Control: dis 33.4: Enabled EVB profile configuration: EVB profile disabled Network configuration: Defvlan 400, Mode trunk, Tagdef ena, Private VLAN disabled QOS ETS mode configuration: Priority: 3 | Host Control: dis 33.5: Enabled EVB profile configuration: EVB profile disabled Network configuration: Defvlan 500, Mode trunk, Tagdef ena, Private VLAN disabled QOS ETS mode configuration: Priority: 4 | Host Control: dis 33.6: Enabled EVB profile configuration: EVB profile disabled Network configuration: Defvlan 600, Mode trunk, Tagdef ena, Private VLAN disabled QOS ETS mode configuration: Priority: 5 | Host Control: dis 33.7: Enabled EVB profile configuration: EVB profile disabled Network configuration: Defvlan 700, Mode trunk, Tagdef ena, Private VLAN disabled QOS ETS mode configuration: Priority: 6 | Host Control: dis © Copyright Lenovo 2016 Chapter 25: Unified Fabric Port...
Page 418: Ufp Strict Bandwidth Provisioning Mode
UFP Strict Bandwidth Provisioning Mode Strict bandwidth provisioning mode configures the switch and NIC apply bidirectional bandwidth control on the vPort as per the defined configuration. By default, a bandwidth of 2.5 Gbps per vPort is guaranteed. If other vPorts are idle, the bandwidth of a vPort can be up to 10 Gbps. A minimum bandwidth of 1 Gbps is provisioned, which can be raised by 100 Mbps increments. The sum of the minimum bandwidth guaranteed for all vPorts together cannot exceed the capacity of the physical link. A vPort can also be configured with a maximum bandwidth. This mode works with the port scheduler to avoid unintended packet drops due to policing through EFP metering block. If flow control is enabled, the switch provides a no‐drop packet forwarding behavior, which improves end‐to‐end TCP‐throughput performance. Note: If a vPort is configured with low upper limit, it might lead to head‐of‐line congestion on the egress port. ETS mode is disabled when strict bandwidth provisioning mode is enabled. By default, uplink ports have a separate traffic class for storage traffic with guaranteed bandwidth. The rest of the bandwidth is shared equally among other traffic. Use the following command to configure strict bandwidth provisioning: RS G8264(config_ufp_vport)# qos bandwidth {max|min} <10‐100> min Set minimum guaranteed bandwidth max Set maximum allowed bandwidth G8264 Application Guide for ENOS 8.4...
Page 419: Using Ufp With Other Rackswitch G8264 Features
Using UFP with Other RackSwitch G8264 Features UFP works with other G8264 features, as described with limitations and details. Layer 2 Failover UFP failover can be configured with auto‐monitoring or manual monitoring. In auto‐monitoring, a vPort is automatically associated with a Failover trigger if it has any VLAN in common with the monitor ports. For more information on failover, see Chapter 38, “Layer 2 Failover.” For an example configuration, see “Example 6: Layer 2 Failover Configuration” on page 426. Increased VLAN Limits Configured with UFP and VLANs, a vPort can support maximum 1024 VLANs. A UFP port supports 1024 VLANs. For more information on VLAN configuration, see Chapter 9, “VLANs.” Private VLANs It supports the following Private VLAN modes in UFP vPorts:  Disabled  Trunk  Promiscuous  Host The following are the criteria of these Private VLAN modes:  Private‐VLAN mode is disabled: ...
Page 420: Vmready
 Private‐VLAN mode is promiscuous: Allows only primary VLAN.  There can be multiple Private VLAN domains.  The Private VLAN domains must be unique for vPorts belonging to the same  UFP port.  Private‐VLAN mode is host: Allows only ONE secondary VLAN. In the case of a vPort is in network trunk  mode, there will be multiple VLANs assigned to the vPort, but there will still be only ONE secondary VLAN. The other VLANs will not be private‐VLANs. Warns if no primary VLAN is associated with the secondary VLAN assigned  to a vPort. UFP with private VLANs is supported under the following limitations:  vPorts from the same physical port cannot belong to the same private VLAN domain. UFP ports cannot have switchport mode private‐VLAN enabled on them.   Private VLAN is supported only on vPorts configured with trunk or access mode.  UFP cannot be configured on promiscuous ports. For more information on private VLANs, see Chapter 9, “Private VLANs. VMReady Configuring with UFP and VMReady, the G8264 can support up to 32 VMGroups with UFP vPorts in auto‐mode. VMReady is supported only on a vPort which is configured in auto‐VLAN mode. For more information on VMReady, see Chapter 20, “VMready.” 802.1Qbg Configured with Edge Virtual Bridging (EVB), UFP supports up to 1024 VLANs on a vPort. EVB is supported only on a vPort which is configured in auto‐VLAN mode.
Page 421: Ufp Configuration Examples
1. Configure port 1 as server port: G8264(config)# system serverports port 1 2. Turn on UFP. G8264(config)# ufp enable 3. Configure port 1 as UFP. G8264(config)# ufp port 1 enable Warning: "Tagging/Trunkmode" is enabled on UFP port 1 4. Configure virtual port. G8264(config)# ufp port 1 vport 1 5. Configure vPort access mode. G8264(config_ufp_vport)# network mode access 6. Configure vPort default VLAN. G8264(config_ufp_vport)# network defaultvlan 100 7. Specify QoS parameters for the vPort. G8264(config_ufp_vport)# qos bandwidth min 25 (in percentage) G8264(config_ufp_vport)# qos bandwidth max 100 (in percentage) G8264(config_ufp_vport)# enable G8264(config_ufp_vport)# exit 8. Configure PVID/Native VLAN for port 2. G8264(config)# interface port 2 G8264(configif)# switchport mode access G8264(configif)# switchport access vlan 100 © Copyright Lenovo 2016 Chapter 25: Unified Fabric Port...
Page 422: Example 2: Trunk Mode
Example 2: Trunk Mode Following is an example configuration of UFP vPorts in trunk mode. 1. Configure port 1 as server port: G8264(config)# system serverports port 1 2. Turn on UFP. RS G8264(config)# ufp enable 3. Configure port 1 as UFP. G8264(config)# ufp port 1 enable Warning: "Tagging/Trunkmode" is enabled on UFP port 1 4. Configure virtual port. G8264(config)# ufp port 1 vport 1 5. Configure vPort trunk mode. G8264(config_ufp_vport)# network mode trunk 6. Configure vPort default VLAN. G8264(config_ufp_vport)# network defaultvlan 100 7. Specify QoS parameters for the vPort. G8264(config_ufp_vport)# qos bandwidth min 25 (in percentage) G8264(config_ufp_vport)# qos bandwidth max 100 (in percentage) 8. Enable the vPort. G8264(config_ufp_vport)# enable G8264(config_ufp_vport)# exit 9. Configure port 2 as UFP. G8264(config)# ufp port 2 enable Warning: "Tagging/Trunkmode" is enabled on UFP port 2 10. Configure virtual port. G8264(config)# ufp port 2 vport 3 G8264 Application Guide for ENOS 8.4...
Page 423 G8264(config_ufp_vport)# network defaultvlan 100 13. Ensure tagging is disabled on vPort. G8264(config_ufp_vport)# no network defaulttag 14. Specify QoS parameters for the vPort. G8264(config_ufp_vport)# qos bandwidth min 25 (in percentage) G8264(config_ufp_vport)# qos bandwidth max 100 (in percentage) 15. Enable the vPort. G8264(config_ufp_vport)# enable G8264(config_ufp_vport)# exit 16. Enable tagging/trunk mode on port 3. G8264(config)# interface port 3 G8264(configif)# switchport mode trunk G8264(configif)# switchport trunk native vlan 100 G8264(configif)# switchport trunk allowed vlan add 200,300 G8264(configif)# exit 17. Configure VLAN 200 parameters. G8264(config)# vlan 200 G8264(configvlan)# vmember 1.1 G8264(configvlan)# vmember 2.3 G8264(configvlan)# exit 18. Configure VLAN 300 parameters. G8264(config)# vlan 300 G8264(configvlan)# vmember 1.1 G8264(configvlan)# vmember 2.3 G8264(configvlan)# exit © Copyright Lenovo 2016 Chapter 25: Unified Fabric Port...
Page 424: Example 3: Auto-Vlan Mode
Example 3: Auto-VLAN Mode 1. Configure port 1 as server port: G8264(config)# system serverports port 1 2. Turn on UFP. RS G8264(config)# ufp enable 3. Configure port 1 as UFP. G8264(config)# ufp port 1 enable Warning: "Tagging/Trunkmode" is enabled on UFP port 1 4. Configure virtual port. G8264(config)# ufp port 1 vport 1 5. Configure vPort default VLAN. G8264(config_ufp_vport)# network defaultvlan 100 6. Configure vPort auto mode. G8264(config_ufp_vport)# network mode auto Note: VLAN is dynamically added by 802.1Qbg. 7. Specify QoS parameters for the vPort. G8264(config_ufp_vport)# qos bandwidth min 25 (in percentage) G8264(config_ufp_vport)# qos bandwidth max 100 (in percentage) 8. Enable the vPort. G8264(config_ufp_vport)# enable G8264(config_ufp_vport)# exit Example 4: Tunnel Mode Following is an example configuration of UFP vPorts in tunnel mode. 1. Configure port 1 as a UFP server port. G8264(config)# system serverports port 1 2.
Page 425: Example 5: Fcoe Mode
6. Configure vPort default VLAN. G8264(config_ufp_vport)# network defaultvlan 4000 7. Specify QoS parameters for the vPort. G8264(config_ufp_vport)# qos bandwidth min 25 (in percentage) G8264(config_ufp_vport)# qos bandwidth max 100 (in percentage) 8. Enable the vPort. G8264(config_ufp_vport)# enable G8264(config_ufp_vport)# exit 9. Configure tagging on port 2. Note: Port 2 must be an upstream port. G8264(config)# interface port 2 G8264(configif)# tagpvidingress G8264(configif)# no vlan dot1q tag native G8264(configif)# switchport access vlan 4000 G8264(configif)# exit Example 5: FCoE Mode Following is an example configuration of UFP vPorts in FCoE mode. 1. Enable CEE. Configure port 1 as a UFP server port. G8264(config)# system serverports port 1 2. Enable CEE. G8264(config)# cee enable © Copyright Lenovo 2016 Chapter 25: Unified Fabric Port...
Page 426: Example 6: Layer 2 Failover Configuration
3. Enable FIPs. G8264(config)# fcoe fips enable 4. Turn on UFP. RS G8264(config)# ufp enable 5. Configure port as UFP. G8264(config)# ufp port 1 enable Warning: "Tagging/Trunkmode" is enabled on UFP port 1 6. Configure virtual port. G8264(config)# ufp port 1 vport 2 7. Configure vPort FCoE mode. G8264(config_ufp_vport)# network mode fcoe 8. Configure vPort default VLAN. G8264(config_ufp_vport)# network defaultvlan 1102 9. Specify QoS parameters for the vPort. G8264(config_ufp_vport)# qos bandwidth min 25 (in percentage) G8264(config_ufp_vport)# qos bandwidth max 100 (in percentage) 10. Enable tagging/trunk mode on the port. Note: Port 2 is connected to the upstream FCF. G8264(config)# interface port 2 G8264(configif)# switchport mode trunk G8264(configif)# switchport trunk native vlan 1 G8264(configif)# switchport trunk allowed vlan add 1102 G8264(configif)# exit Example 6: Layer 2 Failover Configuration While configuring a failover trigger, you cannot use the member command for a physical port that has vPorts configured. Instead, you must use the vmember ...
Page 427 1. Enable failover globally: G8264(config)# failover enable 2. Configure trigger 1 and add monitor and control ports: G8264(config)# failover trigger 1 mmon monitor member 5 G8264(config)# failover trigger 1 mmon control member 8 G8264(config)# failover trigger 1 mmon control vmember 9.1,9.2,9.3,9.4 Note: If you try to add a physical port (that has vPorts configured) as a member of a trigger, you may see the following error message when you enable the trigger: G8264(config)# failover trigger 1 ena Failover Error: trigger 1 physical port 9 has virtual ports. 3. Enable failover trigger: G8264(config)# failover trigger 1 enable © Copyright Lenovo 2016 Chapter 25: Unified Fabric Port...
Page 428 G8264 Application Guide for ENOS 8.4...
Page 429: Part 5: Ip Routing
Part 5: IP Routing This section discusses Layer 3 switching functions. In addition to switching traffic at near line rates, the application switch can perform multi‐protocol routing. This section discusses basic routing and advanced routing protocols:  Basic IP Routing  Policy‐Based Routing  Routed Ports  Internet Protocol Version 6  IPsec with IPv6  Routing Information Protocol  Internet Group Management Protocol  Multicast Listener Discovery  Border Gateway Protocol  Open Shortest Path First  Protocol Independent Multicast © Copyright Lenovo 2016...
Page 430 G8264 Application Guide for ENOS 8.4...
Page 431: Chapter 26. Basic Ip Routing
Chapter 26. Basic IP Routing This chapter provides configuration background and examples for using the G8264 to perform IP routing functions. The following topics are addressed in this chapter:  “IP Routing Benefits” on page 432  “Routing Between IP Subnets” on page 432  “Example of Subnet Routing” on page 433  “ARP ‐ Local Proxy” on page 437  “ECMP Static Routes” on page 438  “Dynamic Host Configuration Protocol” on page 440 “DHCP Relay Agent” on page 441  © Copyright Lenovo 2016...
Page 432: Ip Routing Benefits
IP Routing Benefits The switch uses a combination of configurable IP switch interfaces and IP routing options. The switch IP routing capabilities provide the following benefits:  Connects the server IP subnets to the rest of the backbone network. Provides the ability to route IP traffic between multiple Virtual Local Area  Networks (VLANs) configured on the switch. Routing Between IP Subnets The physical layout of most corporate networks has evolved over time. Classic hub/router topologies have given way to faster switched topologies, particularly now that switches are increasingly intelligent. The G8264 is intelligent and fast enough to perform routing functions at wire speed. The combination of faster routing and switching in a single device allows you to build versatile topologies that account for legacy configurations. For example, consider a corporate campus that has migrated from a router‐centric topology to a faster, more powerful, switch‐based topology. As is often the case, the legacy of network growth and redesign has left the system with a mix of illogically distributed subnets. This is a situation that switching alone cannot cure. Instead, the router is flooded with cross‐subnet communication. This compromises efficiency in two ways:  Routers can be slower than switches. The cross‐subnet side trip from the switch to the router and back again adds two hops for the data, slowing throughput considerably.  Traffic to the router increases, increasing congestion. Even if every end‐station could be moved to better logical subnets (a daunting task), competition for access to common server pools on different subnets still burdens the routers. This problem is solved by using switches with built‐in IP routing capabilities. Cross‐subnet LAN traffic can now be routed within the switches with wire speed switching performance. This eases the load on the router and saves the network administrators from reconfiguring every end‐station with new IP addresses. G8264 Application Guide for ENOS 8.4...
Page 433: Example Of Subnet Routing
VLAN 2 VLAN 4 IF 3 VLAN 3 Server subnet 3: Server subnet 1: 206.30.15.2-254 100.20.10.2-254 Server subnet 2: 131.15.15.2-254 The switch connects the Gigabit Ethernet and Fast Ethernet LAGs from various switched subnets throughout one building. Common servers are placed on another subnet attached to the switch. A primary and backup router are attached to the switch on yet another subnet. Without Layer 3 IP routing on the switch, cross‐subnet communication is relayed to the default gateway (in this case, the router) for the next level of routing intelligence. The router fills in the necessary address information and sends the data back to the switch, which then relays the packet to the proper destination subnet using Layer 2 switching. With Layer 3 IP routing in place on the switch, routing between different IP subnets can be accomplished entirely within the switch. This leaves the routers free to handle inbound and outbound traffic for this group of subnets. © Copyright Lenovo 2016 Chapter 26: Basic IP Routing...
Page 434: Using Vlans To Segregate Broadcast Domains
Using VLANs to Segregate Broadcast Domains If you want to control the broadcasts on your network, use VLANs to create distinct broadcast domains. Create one VLAN for each server subnet, and one for the router. Configuration Example This section describes the steps used to configure the example topology shown in Figure 40 on page 433. 1. Assign an IP address (or document the existing one) for each router and each server. The following IP addresses are used: Table 37. Subnet Routing Example: IP Address Assignments Subnet Devices IP Addresses Default router 205.21.17.1 Web servers 100.20.10.2-254 Database servers 131.15.15.2-254 Terminal Servers 206.30.15.2-254 2. Assign an IP interface for each subnet attached to the switch. Since there are four IP subnets connected to the switch, four IP interfaces are ...
Page 435 RS G8264(configif)# switchport trunk allowed vlan 2 RS G8264(configif)# exit RS G8264(config)# vlan 3 RS G8264(configvlan)# exit RS G8264(config)# interface port 3,4 (Add ports to VLAN 3) RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 3 RS G8264(configif)# exit RS G8264(config)# vlan 4 RS G8264(configvlan)# exit RS G8264(config)# interface port 5,6 (Add ports to VLAN 4) RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 4 RS G8264(configif)# exit Each time you add a port to a VLAN, you may get the following prompt: Port 4 is an untagged port and its PVID is changed from 1 to 3. © Copyright Lenovo 2016 Chapter 26: Basic IP Routing...
Page 436 5. Assign a VLAN to each IP interface. Now that the ports are separated into VLANs, the VLANs are assigned to the appropriate IP interface for each subnet. From Table 39 on page 434, the settings are made as follows: RS G8264(config)# interface ip 1 (Select IP interface 1) RS G8264(configipif)# ip address 205.21.17.3 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# vlan 1 (Add VLAN 1) RS G8264(configipif)# enable RS G8264(configvlan)# exit RS G8264(config)# interface ip 2 (Select IP interface 2) RS G8264(configipif)# ip address 100.20.10.1 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# vlan 2 (Add VLAN 2) RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 3 (Select IP interface 3) RS G8264(configipif)# ip address 131.15.15.1 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# vlan 3 (Add VLAN 3)
Page 437: Arp - Local Proxy
ARP - Local Proxy An IP interface or a routed port that has local proxy ARP enabled allows the RackSwitch G8264 to respond to all ARP requests for IP addresses within the subnetwork, and to forward all traffic between hosts in the subnetwork. This feature is useful when hosts in a subnetwork are separated at Layer 2 with features such as Private VLAN. After responding to an ARP request, the G8264 sends an ARP request to the destination host for creating an ARP entry, if such an entry does not already exist in the ARP cache. If VRRP is enabled, the G8264 uses the virtual router MAC address of the master in the ARP response. If VRRP is not enabled, the G8264 uses the switch base MAC address. When local proxy ARP is enabled on an interface, ICMP redirects must be disabled globally. This feature can be enabled using the following commands: On an IP interface: RS G8264(config-ip-if)# ip local-proxy-arp On a routed port: RS G8264(config-if)# ip local-proxy-arp For more information on routed ports, see Chapter 28, “Routed Ports.” © Copyright Lenovo 2016 Chapter 26: Basic IP Routing...
Page 438: Ecmp Static Routes
ECMP Static Routes Equal‐Cost Multi‐Path (ECMP) is a forwarding mechanism that routes packets along multiple paths of equal cost. ECMP provides equally‐distributed link load sharing across the paths. The hashing algorithm used is based on the destination IP and source IP (DIPSIP) addresses or only on the source IP address (SIP). ECMP routes allow the switch to choose between several next hops toward a given destination. The switch performs periodic health checks (ping) on each ECMP gateway. If a gateway fails, it is removed from the routing table, and an SNMP trap is sent. OSPF Integration When a dynamic route is added through Open Shortest Path First (OSPF), the switch checks the route’s gateway against the ECMP static routes. If the gateway matches one of the single or ECMP static route destinations, then the OSPF route is added to the list of ECMP static routes. Traffic is load‐balanced across all of the available gateways. When the OSPF dynamic route times out, it is deleted from the list of ECMP static routes. ECMP Route Hashing You can configure the parameters used to perform ECMP route hashing, as follows: sip: Source IP address  dipsip: Source IP address and destination IP address (default)  Note: The sip and dipsip options enabled under ECMP route hashing or in port LAG hashing (portchannel thash) apply to both ECMP and LAG features (the enabled settings are cumulative). If unexpected ECMP route hashing occurs, disable the unwanted source or destination IP address option set in LAG hashing. Likewise, if unexpected LAG hashing occurs, disable any unwanted options set in ECMP route hashing. The ECMP hash setting applies to all ECMP routes. G8264 Application Guide for ENOS 8.4...
Page 439: Configuring Ecmp Static Routes
3. Select an ECMP hashing method (optional). RS G8264(config)# ip route ecmphash [sip|dipsip] You may add up to 32 gateways for each static route. Use the following commands to check the status of ECMP static routes: RS G8264(config)# show ip route static Current static routes: Destination Mask Gateway If ECMP 10.20.2.2 255.255.255.255 10.4.4.1 * 10.5.5.1 * 10.6.6.1 * ... 10.35.35.1 * ECMP healthcheck ping interval: 1 ECMP healthcheck retries number: 3 ECMP Hash Mechanism: dipsip Gateway healthcheck: enabled RS G8264(config)# show ip ecmp Current ecmp static routes: Destination Mask Gateway If GW Status 10.20.2.2 255.255.255.255 10.4.4.1 up 10.5.5.1 up 10.6.6.1 up ... 10.34.34.1 up 10.35.35.1 up © Copyright Lenovo 2016 Chapter 26: Basic IP Routing...
Page 440: Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol Dynamic Host Configuration Protocol (DHCP) is a transport protocol that provides a framework for automatically assigning IP addresses and configuration information to other IP hosts or clients in a large TCP/IP network. Without DHCP, the IP address must be entered manually for each network device. DHCP allows a network administrator to distribute IP addresses from a central point and automatically send a new IP address when a device is connected to a different place in the network. The switch accepts gateway configuration parameters if they have not been configured manually. The switch ignores DHCP gateway parameters if the gateway is configured. DHCP is an extension of another network IP management protocol, Bootstrap Protocol (BOOTP), with an additional capability of being able to allocate reusable network addresses and configuration parameters for client operation. Built on the client/server model, DHCP allows hosts or clients on an IP network to obtain their configurations from a DHCP server, thereby reducing network administration. The most significant configuration the client receives from the server is its required IP address; (other optional parameters include the “generic” file name to be booted, the address of the default gateway, and so forth). To enable DHCP on a switch interface, use the following command: RS G8264(config)# system dhcp G8264 Application Guide for ENOS 8.4...
Page 441: Dhcp Relay Agent
VLAN to send the server response to the client. To enable the G8264 to be the BOOTP forwarder, you need to configure the DHCP/BOOTP server IP addresses on the switch. Generally, it is best to configure the switch IP interface on the client side to match the client’s subnet, and configure VLANs to separate client and server subnets. The DHCP server knows from which IP subnet the newly allocated IP address will come. In G8264 implementation, there is no need for primary or secondary servers. The client request is forwarded to the BOOTP servers configured on the switch. The use of five servers provide failover redundancy. However, no health checking is supported. Use the following commands to configure the switch as a DHCP relay agent: RS G8264(config)# ip bootprelay server 1 <IP address> RS G8264(config)# ip bootprelay server 2 <IP address> RS G8264(config)# ip bootprelay server 3 <IP address> RS G8264(config)# ip bootprelay server 4 <IP address> RS G8264(config)# ip bootprelay server 5 <IP address> RS G8264(config)# ip bootprelay enable RS G8264(config)# show ip bootprelay Additionally, DHCP Relay functionality can be assigned on a per interface basis. Use the following commands to enable the Relay functionality: RS G8264(config)# interface ip <Interface number> RS G8264(configipif)# relay © Copyright Lenovo 2016 Chapter 26: Basic IP Routing...
Page 442 G8264 Application Guide for ENOS 8.4...
Page 443: Chapter 27. Policy-Based Routing
Chapter 27. Policy-Based Routing Policy‐based routing (PBR) allows the Lenovo RackSwitch G8264 to forward traffic based on defined policies rather than entries in the routing table. Such policies are defined based on the protocol, source IP, or other information present in a packet header. PBR provides a mechanism for applying the defined policies based on access control lists (ACLs), and marking packets with a type of service (ToS) to provide preferential treatment. PBR can be applied only to the ingress traffic. You can configure a PBR policy using route maps and apply the route map to an ingress interface. You need to specify the match (using ACLs) and set (using route maps) criteria in the policy. Based on the defined rules, an action is triggered. If no match is found, or the policy rule specifies that the packet be denied, the packet is routed based on an entry in the routing table. © Copyright Lenovo 2016...
Page 444: Pbr Policies And Acls
PBR Policies and ACLs Up to 256 ACLs can be configured for networks that use IPv4 addressing. Regular ACLs and PBR ACLs together cannot exceed the maximum ACLs supported. ACLs are prioritized based on the ACL number. Lower numbers have higher priority. You must configure regular ACLs with lower numbers and PBR ACLs with higher numbers. Note: You cannot apply an ACL directly to an interface and using a PBR policy at the same time. Applying PBR ACLs PBR ACLs must be applied to an IP interface that has a VLAN configured. In addition to the defined ACL rules, the Lenovo Enterprise Network Operating System uses the VLAN ID as a matching criterion. Traffic is filtered on a per‐VLAN basis rather than a per‐interface basis. If multiple IP interfaces have the same VLAN ID, route maps applied to each interface are used to filter traffic on the VLAN. For example: if interface IP 10 and interface IP 11 are members of VLAN 100; interface IP 10 uses PBR ACL 410 and interface IP 11 uses PBR ACL 411. Traffic on VLAN 100 will be filtered using PBR ACLs 410 and 411. Note: You cannot apply the PBR ACL to a Layer 2‐only port. G8264 Application Guide for ENOS 8.4...
Page 445: Configuring Route Maps
Source IP   Destination IP Protocol   TCP/UDP source port   TCP/UDP destination port If criteria other than the above are used in a PBR ACL, the switch will display an error message. If ingress packets do not meet any of the match criteria, or if a deny statement is configured in the ACL, then the packets are routed based on the entries in the routing table. Set Clauses When the match clause(s) is satisfied, one of the following set clauses can be used to specify the packet forwarding criteria:  Next hop IP address: This must be the IP address of an interface on the adjacent router. A remote router interface cannot be used to specify the next hop. Packets are forwarded to the next hop IP address. The PBR policy uses the next hops in the order you specify. If the first next hop is down, then the second next hop is used, and so on. If you specify the next hop addresses using separate statements, then the next hops are used in the order you specify, starting from top to down. A maximum of 64 unique next hops can be configured across all route maps. IP Differentiated Services Code Point (DSCP) value: A value used to set the  DSCP value of the matching packets. © Copyright Lenovo 2016 Chapter 27: Policy-Based Routing...
Page 446  IP precedence value: A value or keyword used to set the precedence value of the matching packets. You can use a combination of set commands. However, you cannot use the set commands for DSCP and precedence together in the same route map. Following are the basic steps and commands for configuring route maps. 1. Configure a route map. RS G8264(config)# routemap <route map number> 2. Define an access list statement and assign an ACL to the route map. RS G8264(configroutemap)# accesslist <1‐32> matchaccesscontrol <IP ACL number> 3. Enable the access list. RS G8264(configroutemap)# accesslist <1‐32> enable 4. Set next hop IP address i.e. IP address of an adjacent router. RS G8264(configroutemap)# set ip nexthop <IP address> [<nh2 IP address>] [<nh3 IP address>] [<nh4 IP address>] [accesslist {<access list ID>|<access list range>}] OR Set IP precedence value. RS G8264(configroutemap)# set ip precedence <value or keyword> [accesslist {<access list ID>|<access list range>}] OR Set IP DSCP value. RS G8264(configroutemap)# set ip dscp <value> [accesslist {<access list ID>|<access list range>}] 5.
Page 447: Configuring Health Check
(ARP) resolves the next hop IP address. The ARP re‐try interval is two minutes. Use the following command to configure health check: RS G8264(configroutemap)# set ip nexthop verifyavailability <next hop IP address> <priority> [icmp|arp] [interval] [retry] [accesslist {<access list ID>|<access list range>}] Default values: Protocol: ARP Interval: 2 seconds Retry: 3 times You must configure a separate statement for verifying health check of each next hop. A maximum of four health check statements can be included in a route map. Note: When you configure next hops using set ip nexthop command and health check using the set ip nexthop verifyavailability command in the same route map, only the health check statements will be considered. Following is an example of a route map health check statement: RS G8264(configroutemap)# set ip nexthop verifyavailability 12.1.1.1 10 icmp accesslist 4 Similarly, if there are inconsistent tracking parameters for a particular next hop IP address among multiple route maps, the route map with the lowest route map number is considered. Note: We strongly recommend that you configure health check if all or multiple next hops specified in the route map belong to the same Spanning Tree Group (STG). This is required in case of an STP topology change where all forwarding database (FDB) entries on all the ports in an STG are cleared. In such a scenario, the associated ARP entries are purged and the next hop specified in the PBR policy will not get resolved. When health check is configured, the PBR policy will route the traffic based on the second next hop that you have specified. © Copyright Lenovo 2016 Chapter 27: Policy-Based Routing...
Page 448: Example Pbr Configuration
Example PBR Configuration Note: Use only the ISCLI to configure PBR. Configurations using the BBI are not supported. Following is an example of configuring PBR to match packets with a destination network address of 3.0.0.0. The PBR is applied to ingress packets on the IP interface 11. The next hop IP address is configured as 5.5.5.5 or 10.10.10.10. 1. Configure an ACL and specify the match criteria. RS G8264(config)# accesscontrol list 100 action permit RS G8264(config)# accesscontrol list 100 ipv4 destinationipaddress 3.0.0.0 255.0.0.0 2. Configure a route map. RS G8264(config)# routemap 126 3. Apply the ACL to the route map. RS G8264(configroutemap)# accesslist 1 matchaccesscontrol 100 4. Set the next hop IP addresses. RS G8264(configroutemap)# set ip nexthop 5.5.5.5 10.10.10.10 RS G8264(configroutemap)# exit 5. Apply the route map to an IP interface that has a VLAN configured. RS G8264(config)# interface ip 11 RS G8264(configipif)# ip policy routemap 126 RS G8264(configipif)# exit RS G8264(config)# exit 6.
Page 449: Configuring Pbr With Other Features
Configuring PBR with other Features Consider the following PBR behavior when configured with the features given below:  DSCP: PBR ACLs can be used to remark an IP packet with a new precedence/DSCP value. PBR ACL remark statements have higher priority than the DSCP remark commands configured on ports.  Virtual Router Redundancy Protocol (VRRP): If PBR is enabled on a VRRP IP interface, the PBR becomes effective on the interface when the switch becomes the VRRP master on that IP interface.  Virtual Link Aggregation Group (VLAG): When configuring PBR on VLAG ports, you must configure the same PBR policy on both the VLAG peers. You cannot configure the next hop to be on a remote switch or on the VLAG ports. Unsupported Features PBR cannot be configured for:  Routed ports  Multicast traffic  IPv6 packets  Simple Network Management Protocol (SNMP)  Stacking  Virtual Network Interface Card (vNIC)  Loopback Interface © Copyright Lenovo 2016 Chapter 27: Policy-Based Routing...
Page 450: Dynamic Pbr (Multi-Tenant)
Dynamic PBR (Multi-Tenant) Dynamic Policy‐Based Routing enables simplified configuration of multi‐tenant networks. An IP interface can be set up as either a:  downlink to a specific tenant’s endpoint uplink for one or more tenants   link to a service network accessible to one or more tenants Traffic between different tenants is routed through their uplinks (firewall). Only intra‐tenant and service network traffic is routed locally. When configuring interface tenant settings, ACLs are dynamically generated to route data traffic correspondingly. Features and Limitations The following features and limitations apply to Dynamic Policy‐Based Routing:  If a tenant has two active uplinks, traffic will be load balanced across the two active next‐hop devices. Tenants must not use overlapping IP subnets.   If a tenant owns multiple subnets, data traffic between these subnets is not forwarded upstream. Instead, it is routed locally.  Dynamic PBR is not supported in IPv6 Tenant configuration is not supported on management interfaces   UFP and Dynamic PBR cannot be configured at the same time Support for up to:  30 tenants  2 uplinks per tenant  4 service networks ...
Page 451 RS G8264(configipif)# tenant tenantid 2 3. Set interface 8 as a common uplink for Tenants 1 and 2 RS G8264(configipif)# interface ip 8 RS G8264(configipif)# tenant uplink tenantid 1,2 4. Set up Tenant 3 with endpoints on interfaces 9 and 10 and uplinks on interfaces 11 and 12 RS G8264(configipif)# interface ip 9 RS G8264(configipif)# tenant tenantid 3 RS G8264(configipif)# interface ip 10 RS G8264(configipif)# tenant tenantid 3 RS G8264(configipif)# interface ip 11 RS G8264(configipif)# tenant uplink tenantid 3 RS G8264(configipif)# interface ip 12 RS G8264(configipif)# tenant uplink tenantid 3 5. Set interface 13 as a link to a service network available to Tenants 1 and 3 RS G8264(configipif)# interface ip 13 RS G8264(configipif)# tenant services tenantid 1,3 © Copyright Lenovo 2016 Chapter 27: Policy-Based Routing...
Page 452 G8264 Application Guide for ENOS 8.4...
Page 453: Chapter 28. Routed Ports
Chapter 28. Routed Ports By default, all ports on the Lenovo RackSwitch G8264 behave as switch ports, which are capable of performing Layer 2 switch functions, such as VLANs, STP, or bridging. Switch ports also provide a physical point of access for the switch IP interfaces, which can perform global Layer 3 functions, such as routing for BGP or OSPF. However, G8264 ports can also be configured as routed ports. Routed ports are configured with their own IP address belonging to a unique Layer 3 network, and behave similar to a port on a conventional router. Routed ports are typically used for connecting to a server or to a router. When a switch port is configured as a routed port, it forwards Layer 3 traffic and no longer performs Layer 2 switching functions. © Copyright Lenovo 2016...
Page 454: Overview
Overview A routed port has the following characteristics:  Does not participate in bridging.  Does not belong to any user‐configurable VLAN.  Does not implement any Layer 2 functionality, such as Spanning Tree Protocol (STP). Is always in a forwarding state.   Can participate in IPv4 routing. Can be configured with basic IP protocols, such as Internet Control Message  Protocol (ICMP), and with Layer 3 protocols, such as Protocol‐Independent Multicast (PIM), Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).  Can be configured with Internet Group Management Protocol (IGMP) querier and snooping functionality.  Layer 3 configuration is saved even when the interface is shutdown.  MAC address learning is always enabled.  Tagging and port VLAN ID (PVID) tagging is disabled. Flooding is disabled.   Bridge Protocol Data Unit (BPDU)‐guard is disabled. Link Aggregation Control Protocol (LACP) is disabled.   Multicast threshold is disabled. Static Multicast MAC and static unicast MAC can be configured.  Notes:  Ports on which LACP or portchannel is enabled cannot be changed to routed ports.
Page 455  All the Layer 2 configuration is lost. When a routed port is changed back to a switch port, the following changes take place:  All the IP configuration is lost.  The ARP entry corresponding to the IP address is lost. The switch port is added to the default VLAN and STG. In case of MSTP, it is  added to the CIST.  STP is turned on.  The switch port can participate in STG and VLAN flooding. Can participate in bridging.   LACP port attributes are set to default. Multicast threshold remains disabled.   BPDU guard remains disabled. IGMP configuration is lost.  Note: When you configure a routed port to back to a switch port, it does not restore the Layer 2 configuration it had before it was changed to a routed port. © Copyright Lenovo 2016 Chapter 28: Routed Ports...
Page 456: Configuring A Routed Port
Configuring a Routed Port Note: Use only the ISCLI to configure routed ports. Configurations using the BBI are not supported. Configurations made using SNMP cannot be saved or applied. Note: You cannot configure a management port to be a routed port. Following are the basic steps for configuring a routed port: 1. Enter the interface configuration mode for the port. RS G8264(config)# interface port <port number> Note: You must enter only one port number. If you need to change multiple ports to routed ports, repeat the configuration steps for each port. 2. Enable routing. RS G8264(configif)# no switchport 3. Assign an IP address. RS G8264(configif)# ip address <IP address> <Subnet Mask> enable 4. (Optional) Enable a Layer 3 routing protocol. RS G8264(configif)# ip {<ospf>|<pim>|<rip>} Note: Configure the Layer 3 routing protocol‐related parameters in the interface configuration mode. Configuring OSPF on Routed Ports The following OSPF configuration commands are supported on routed ports: RS G8264(configif)# ip ospf ? area Set area index cost Set interface cost deadinterval Set dead interval in seconds or milliseconds...
Page 457: Ospf Configuration Example
poison Enable poisoned reverse splithorizon Enable split horizon supply Enable supplying route updates triggered Enable triggered updates version RIP version See Chapter 31, “Routing Information Protocol,” for details on the RIP protocol and its configuration. RIP Configuration Example The following example includes steps for a basic RIP configuration on a routed port: RS G8264(config)# router rip RS G8264(configrouterrip)# enable RS G8264(config-router-rip)# exit RS G8264(config)# interface port 1 RS G8264(configif)# no switchport wait... RS G8264(configif)# ip address 11.1.12.1 255.255.255.0 enable wait... RS G8264(configif)# ip rip enable RS G8264(configif)# exit © Copyright Lenovo 2016 Chapter 28: Routed Ports...
Page 458: Configuring Pim On Routed Ports
Configuring PIM on Routed Ports The following PIM configuration commands are supported on routed ports: RS G8264(configif)# ip pim ? borderbit Set interface as border interface cbsrpreference Set preference for local interface as a candidate bootstrap router componentid Add interface to the component drpriority Set designated router priority for the router interface enable Enable PIM on this interface helloholdtime Set hello message holdtime for the interface hellointerval Set the frequency of PIM hello messages on the interface joinpruneinterval Set frequency of PIM Join or Prune interval landelay Set lan delay for the router interface lanprunedelay Enable lan delay advertisement on interface neighboraddr Neighbor address neighborfilter Enable neighbor filter overrideinterval Set override interval for router interface See Chapter 36, “Protocol Independent Multicast” for details on the PIM protocol and its configuration. PIM Configuration Example The following example includes the basic steps for configuring PIM on a routed port: RS G8264(config)# ip pim enable RS G8264(config)# interface port 26 RS G8264(configif)# no switchport wait... RS G8264(configif)# ip address 26.26.26.1 255.255.255.0 enable wait...
Page 459: Configuring Bgp On Routed Ports
The following BGP configurations are not supported on routed ports:  Update source ‐ configuring a local IP interface Configuring IGMP on Routed Ports IGMP querier and snooping can be configured on routed ports. For details, see Chapter 32, “Internet Group Management Protocol.” To configure IGMP snooping on a routed port, enter the following command in the Global Configuration mode: RS G8264(config)# ip igmp snoop port <routed port ID> To configure fastleave on routed ports, enter the following command in the Global Configuration mode: RS G8264(config)# ip igmp fastleave port <routed port ID> The following IGMP querier commands are supported on routed ports: RS G8264(config)# ip igmp querier port <routed port ID> ? electiontype Set IGMP querier type enable Turn IGMP Querier on maxresponse Set Queriers max response time queryinterval Set general query interval for IGMP Querier only robustness Set IGMP robustness sourceip Set source IP to be used for IGMP startupcount Set startupcount for IGMP startupinterval Set startup query interval for IGMP version Sets the operating version of the IGMP snooping switch © Copyright Lenovo 2016 Chapter 28: Routed Ports...
Page 460: Limitations
Limitations Following features/configurations are not supported on routed ports:  Subinterfaces  BPDU Guard  Broadcast Threshold  Multicast Threshold  Link Aggregation Control Protocol (LACP)  Static Aggregation  Fibre Channel over Ethernet (FCoE)  Converged Enhanced Ethernet (CEE)  IPv6  IP Security (IPsec)  Internet Key Exchange version 2 (IKEv2)  Virtual Router Redundancy Protocol (VRRP)  Policy‐based Routing (PBR)  Hotlinks  Failover  802.1X  Dynamic Host Configuration Protocol (DHCP)  BOOTP  Simple Network Management Protocol (SNMP) ...
Page 461: Chapter 29. Internet Protocol Version 6
 RFC 4301  RFC 4862 RFC 2526 RFC 3484 RFC 4302 RFC 5095      RFC 2711  RFC 3602  RFC 4303  RFC 5114  RFC 2740  RFC 3810  RFC 4306  RFC 5340  RFC 3289  RFC 3879  RFC 4307 This chapter describes the basic configuration of IPv6 addresses and how to manage the switch via IPv6 host management. © Copyright Lenovo 2016...
Page 462: Ipv6 Limitations
IPv6 Limitations The following IPv6 features are not supported in this release:  Dynamic Host Control Protocol for IPv6 (DHCPv6)  Border Gateway Protocol for IPv6 (BGP)  Routing Information Protocol for IPv6 (RIPng) Most other Lenovo Enterprise Network Operating System 8.4 features permit IP addresses to be configured using either IPv4 or IPv6 address formats. However, the following switch features support IPv4 only:  Bootstrap Protocol (BOOTP) and DHCP  RADIUS, TACACS+ and LDAP  Stacking  VMware Virtual Center (vCenter) for VMready  Routing Information Protocol (RIP) Border Gateway Protocol (BGP)   Protocol Independent Multicast (PIM) Virtual Router Redundancy Protocol (VRRP)   sFlow G8264 Application Guide for ENOS 8.4...
Page 463: Ipv6 Address Format
Each IPv6 address has two parts:  Subnet prefix representing the network to which the interface is connected  Local identifier, either derived from the MAC address or user‐configured The preferred hexadecimal format is as follows: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx Example IPv6 address: FEDC:BA98:7654:BA98:FEDC:1234:ABCD:5412 Some addresses can contain long sequences of zeros. A single contiguous sequence of zeros can be compressed to :: (two colons). For example, consider the following IPv6 address: FE80:0:0:0:2AA:FF:FA:4CA2 The address can be compressed as follows: FE80::2AA:FF:FA:4CA2 Unlike IPv4, a subnet mask is not used for IPv6 addresses. IPv6 uses the subnet prefix as the network identifier. The prefix is the part of the address that indicates the bits that have fixed values or are the bits of the subnet prefix. An IPv6 prefix is written in address/prefix‐length notation. For example, in the following address, 64 is the network prefix: 21DA:D300:0000:2F3C::/64 IPv6 addresses can be either user‐configured or automatically configured. Automatically configured addresses always have a 64‐bit subnet prefix and a 64‐bit interface identifier. In most implementations, the interface identifier is derived from the switchʹs MAC address, using a method called EUI‐64. Most Enterprise NOS 8.4 features permit IP addresses to be configured using either IPv4 or IPv6 address formats. Throughout this manual, IP address is used in places where either an IPv4 or IPv6 address is allowed. In places where only one type of address is allowed, the type (IPv4 or IPv6) is specified. © Copyright Lenovo 2016 Chapter 29: Internet Protocol Version 6...
Page 464: Ipv6 Address Types
IPv6 Address Types IPv6 supports three types of addresses: unicast (one‐to‐one), multicast (one‐to‐many), and anycast (one‐to‐nearest). Multicast addresses replace the use of broadcast addresses. Unicast Address Unicast is a communication between a single host and a single receiver. Packets sent to a unicast address are delivered to the interface identified by that address. IPv6 defines the following types of unicast address:  Global Unicast address: An address that can be reached and identified globally. Global Unicast addresses use the high‐order bit range up to FF00, therefore all non‐multicast and non‐link‐local addresses are considered to be global unicast. A manually configured IPv6 address must be fully specified. Autoconfigured IPv6 addresses are comprised of a prefix combined with the 64‐bit EUI. RFC 4291 defines the IPv6 addressing architecture. The interface ID must be unique within the same subnet.  Link‐local unicast address: An address used to communicate with a neighbor on the same link. Link‐local addresses use the format FE80::EUI Link‐local addresses are designed to be used for addressing on a single link for purposes such as automatic address configuration, neighbor discovery, or when no routers are present. Routers must not forward any packets with link‐local source or destination addresses to other links. Multicast Multicast is communication between a single host and multiple receivers. Packets are sent to all interfaces identified by that address. An interface may belong to any number of multicast groups. A multicast address (FF00 ‐ FFFF) is an identifier for a group interface. The multicast address most often encountered is a solicited‐node multicast address using prefix FF02::1:FF00:0000/104 with the low‐order 24 bits of the unicast or anycast address. The following well‐known multicast addresses are pre‐defined. The group IDs defined in this section are defined for explicit scope values, as follows: FF00:::::::0 through FF0F:::::::0 Anycast Packets sent to an anycast address or list of addresses are delivered to the nearest interface identified by that address. Anycast is a communication between a single ...
Page 466: Ipv6 Address Autoconfiguration
IPv6 Address Autoconfiguration IPv6 supports the following types of address autoconfiguration:  Stateful address configuration Address configuration is based on the use of a stateful address configuration protocol, such as DHCPv6, to obtain addresses and other configuration options. Stateless address configuration  Address configuration is based on the receipt of Router Advertisement messages that contain one or more Prefix Information options. ENOS 8.4 supports stateless address configuration. Stateless address configuration allows hosts on a link to configure themselves with link‐local addresses and with addresses derived from prefixes advertised by local routers. Even if no router is present, hosts on the same link can configure themselves with link‐local addresses and communicate without manual configuration. G8264 Application Guide for ENOS 8.4...
Page 467: Ipv6 Interfaces
You can manually configure two IPv6 addresses for each interface, as follows:  Initial IPv6 address is a global unicast or anycast address. RS G8264(config)# interface ip <interface number> RS G8264(configipif)# ipv6 address <IPv6 address> Note that you cannot configure both addresses as anycast. If you configure an anycast address on the interface you must also configure a global unicast address on that interface. Second IPv6 address can be a unicast or anycast address.  RS G8264(configipif)# ipv6 secaddr6 <IPv6 address> RS G8264(configipif)# exit You cannot configure an IPv4 address on an IPv6 management interface. Each interface can be configured with only one address type: either IPv4 or IPv6, but not both. When changing between IPv4 and IPv6 address formats, the prior address settings for the interface are discarded. Each IPv6 interface can belong to only one VLAN. Each VLAN can support only one IPv6 interface. Each VLAN can support multiple IPv4 interfaces. Use the following commands to configure the IPv6 gateway: RS G8264(config)# ip gateway6 1 address <IPv6 address> RS G8264(config)# ip gateway6 1 enable IPv6 gateway 1 is reserved for IPv6 data interfaces.IPv6 gateway 4 is the default IPv6 management gateway. © Copyright Lenovo 2016 Chapter 29: Internet Protocol Version 6...
Page 468: Neighbor Discovery
Neighbor Discovery The switch uses Neighbor Discovery protocol (ND) to gather information about other router and host nodes, including the IPv6 addresses. Host nodes use ND to configure their interfaces and perform health detection. ND allows each node to determine the link‐layer addresses of neighboring nodes and to keep track of each neighbor’s information. A neighboring node is a host or a router linked directly to the switch. The switch supports Neighbor Discovery as described in RFC 4861. Neighbor Discovery Overview Neighbor Discover messages allow network nodes to exchange information, as follows:  Neighbor Solicitations allow a node to discover information about other nodes. Neighbor Advertisements are sent in response to Neighbor Solicitations. The  Neighbor Advertisement contains information required by nodes to determine the link‐layer address of the sender, and the sender’s role on the network.  IPv6 hosts use Router Solicitations to discover IPv6 routers. When a router receives a Router Solicitation, it responds immediately to the host. Routers uses Router Advertisements to announce its presence on the network, and  to provide its address prefix to neighbor devices. IPv6 hosts listen for Router Advertisements, and uses the information to build a list of default routers. Each host uses this information to perform autoconfiguration of IPv6 addresses.  Redirect messages are sent by IPv6 routers to inform hosts of a better first‐hop address for a specific destination. Redirect messages are only sent by routers for unicast traffic, are only unicast to originating hosts, and are only processed by hosts. ND configuration for general advertisements, flags, and interval settings, as well as for defining prefix profiles for router advertisements, is performed on a per‐interface basis using the following commands: RS G8264(config)# interface ip <interface number> RS G8264(configipif)# [no] ipv6 nd ? RS G8264(configipif)# exit To add or remove entries in the static neighbor cache, use the following command: RS G8264(config)# [no] ip neighbors ?
Page 469: Host Vs. Router
To clear the neighbor cache counters, use the following command: RS G8264(config)# clear ipv6 neighbors counters Host vs. Router Each IPv6 interface can be configured as a router node or a host node, as follows:  A router node’s IP address is configured manually. Router nodes can send Router Advertisements.  A host node’s IP address can be autoconfigured. Host nodes listen for Router Advertisements that convey information about devices on the network. Note: When IP forwarding is turned on, all IPv6 interfaces configured on the switch can forward packets. You can configure each IPv6 interface as either a host node or a router node. You can manually assign an IPv6 address to an interface in host mode, or the interface can be assigned an IPv6 address by an upstream router, using information from router advertisements to perform stateless auto‐configuration. To set an interface to host mode, use the following command: RS G8264(config)# interface ip <interface number> RS G8264(configipif)# ip6host RS G8264(configipif)# exit The G8264 supports up to 1156 IPv6 routes. © Copyright Lenovo 2016 Chapter 29: Internet Protocol Version 6...
Page 470: Supported Applications
Supported Applications The following applications have been enhanced to provide IPv6 support.  Ping The ping command supports IPv6 addresses. Use the following format to ping an IPv6 address: ping <host name>|<IPv6 address> [n <tries (0‐4294967295)>] [w <msec delay (0‐4294967295)>] [l <length (0/32‐65500/2080)>] [s <IP source>] [v <TOS (0‐255)>] [f] [t] To ping a link‐local address (begins with FE80), provide an interface index, as follows: ping <IPv6 address>%<Interface index> [n <tries (0‐4294967295)>] [w <msec delay (0‐4294967295)>] [l <length (0/32‐65500/2080)>] [s <IP source>] [v <TOS (0‐255)>] [f] [t]  Traceroute The traceroute command supports IPv6 addresses (but not link‐local addresses). Use the following format to perform a traceroute to an IPv6 address: traceroute <host name>| <IPv6 address> [<max‐hops (1‐32)> [<msec delay (1‐4294967295)>]]  Telnet server The telnet command supports IPv6 addresses (but not link‐local addresses). Use the following format to Telnet into an IPv6 interface on the switch: telnet <host name>| <IPv6 address> [<port>] Telnet client  The telnet command supports IPv6 addresses (but not link‐local addresses). ...
Page 471: Configuration Guidelines
Configuration Guidelines When you configure an interface for IPv6, consider the following guidelines:  Support for subnet router anycast addresses is not available.  A single interface can accept either IPv4 or IPv6 addresses, but not both IPv4 and IPv6 addresses.  A single interface can accept multiple IPv6 addresses. A single interface can accept only one IPv4 address.   If you change the IPv6 address of a configured interface to an IPv4 address, all IPv6 settings are deleted.  A single VLAN can support only one IPv6 interface. Health checks are not supported for IPv6 gateways.   IPv6 interfaces support Path MTU Discovery. The CPU’s MTU is fixed at 1500 bytes.  Support for jumbo frames (1,500 to 9,216 byte MTUs) is limited. Any jumbo frames intended for the CPU must be fragmented by the remote node. The switch can re‐assemble fragmented packets up to 9k. It can also fragment and transmit jumbo packets received from higher layers. © Copyright Lenovo 2016 Chapter 29: Internet Protocol Version 6...
Page 472: Ipv6 Configuration Examples
IPv6 Configuration Examples This section provides steps to configure IPv6 on the switch. IPv6 Example 1 The following example uses IPv6 host mode to autoconfigure an IPv6 address for the interface. By default, the interface is assigned to VLAN 1. 1. Enable IPv6 host mode on an interface. RS G8264(config)# interface ip 2 RS G8264(configipif)# ip6host RS G8264(configipif)# enable RS G8264(configipif)# exit 2. Configure the IPv6 default gateway. RS G8264(config)# ip gateway6 1 address 2001:BA98:7654:BA98:FEDC:1234:ABCD:5412 RS G8264(config)# ip gateway6 1 enable 3. Verify the interface address. RS G8264(config)# show interface ip 2 IPv6 Example 2 Use the following example to manually configure IPv6 on an interface. 1. Assign an IPv6 address and prefix length to the interface. RS G8264(config)# interface ip 3 RS G8264(configipif)# ipv6 address 2001:BA98:7654:BA98:FEDC:1234:ABCD:5214 RS G8264(configipif)# ipv6 prefixlen 64 RS G8264(configipif)# ipv6 seccaddr6 2003::1 32...
Page 474 G8264 Application Guide for ENOS 8.4...
Page 475: Chapter 30. Ipsec With Ipv6
Since IPsec was implemented in conjunction with IPv6, all implementations of IPv6 must contain IPsec. To support the National Institute of Standards and Technology (NIST) recommendations for IPv6 implementations, Lenovo Enterprise Network Operating System IPv6 feature compliance has been extended to include the following IETF RFCs, with an emphasis on IP Security (IPsec), Internet Key Exchange version 2, and authentication/confidentiality for OSPFv3:  RFC 4301 for IPv6 security  RFC 4302 for the IPv6 Authentication Header  RFCs 2404, 2410, 2451, 3602, and 4303 for IPv6 Encapsulating Security Payload (ESP), including NULL encryption, CBC‐mode 3DES and AES ciphers, and HMAC‐SHA‐1‐96.  RFCs 4306, 4307, 4718, and 4835 for IKEv2 and cryptography  RFC 4552 for OSPFv3 IPv6 authentication  RFC 5114 for Diffie‐Hellman groups Note: This implementation of IPsec supports DH groups 1, 2, 5, 14, and 24. The following topics are discussed in this chapter:  “IPsec Protocols” on page 476  “Using IPsec with the Lenovo RackSwitch G8264” on page 477 © Copyright Lenovo 2016 Chapter 30: IPsec with IPv6...
Page 476: Ipsec Protocols
IPsec Protocols The Enterprise NOS implementation of IPsec supports the following protocols:  Authentication Header (AH) AHs provide connectionless integrity out and data origin authentication for IP packets. They also provide protection against replay attacks. In IPv6, the AH protects the AH itself, the Destination Options extension header after the AH, and the IP payload. It also protects the fixed IPv6 header and all extension headers before the AH, except for the mutable fields DSCP, ECN, Flow Label, and Hop Limit. AH is defined in RFC 4302.  Encapsulating Security Payload (ESP) ESPs provide confidentiality, data origin authentication, integrity, an anti‐replay service (a form of partial sequence integrity), and some traffic flow confidentiality. ESPs may be applied alone or in combination with an AH. ESP is defined in RFC 4303.  Internet Key Exchange Version 2 (IKEv2) IKEv2 is used for mutual authentication between two network elements. An IKE establishes a security association (SA) that includes shared secret information to efficiently establish SAs for ESPs and AHs, and a set of cryptographic algorithms to be used by the SAs to protect the associated traffic. IKEv2 is defined in RFC 4306. Using IKEv2 as the foundation, IPsec supports ESP for encryption and/or authentication, and/or AH for authentication of the remote partner. Both ESP and AH rely on security associations. A security association (SA) is the bundle of algorithms and parameters (such as keys) that encrypt and authenticate a particular flow in one direction. G8264 Application Guide for ENOS 8.4...
Page 477: Using Ipsec With The Lenovo Rackswitch G8264
Using IPsec with the Lenovo RackSwitch G8264 IPsec supports the fragmentation and reassembly of IP packets that occurs when data goes to and comes from an external device. The Lenovo RackSwitch G8264 acts as an end node that processes any fragmentation and reassembly of packets but does not forward the IPsec traffic. :You must authenticate the IKEv2 key following the directions in “Setting up Authentication” on page 477 before you can use IPsec. The security protocol for the session key is either ESP or AH. Outgoing packets are labeled with the SA SPI (Security Parameter Index), which the remote device will use in its verification and decryption process. Every outgoing IPv6 packet is checked against the IPsec policies in force. For each outbound packet, after the packet is encrypted, the software compares the packet size with the MTU size that it either obtains from the default minimum maximum transmission unit (MTU) size (1500) or from path MTU discovery. If the packet size is larger than the MTU size, the receiver drops the packet and sends a message containing the MTU size to the sender. The sender then fragments the packet into smaller pieces and retransmits them using the correct MTU size. The maximum traffic load for each IPsec packet is limited to the following:  IKEv2 SAs: 5  IPsec SAs: 10 (5 SAs in each direction)  SPDs: 20 (10 policies in each direction) IPsec is implemented as a software cryptography engine designed for handling control traffic, such as network management. IPsec is not designed for handling data traffic, such as a VPN. Setting up Authentication Before you can use IPsec, you need to have key policy authentication in place. There are two types of key policy authentication: Preshared key (default) ...
Page 478: Creating An Ikev2 Proposal
Note: During the IKEv2 negotiation phase, the digital certificate takes precedence over the preshared key. Creating an IKEv2 Proposal With IKEv2, a single policy can have multiple encryption and authentication types, as well as multiple integrity algorithms. To create an IKEv2 proposal: 1. Enter IKEv2 proposal mode. RS G8264(config)# ikev2 proposal 2. Set the DES encryption algorithm. RS G8264(config-ikev2-prop)# encryption 3des|aescbc (default: 3des) 3. Set the authentication integrity algorithm type. RS G8264(configikev2prop)# integrity sha1 (default: sha1 4. Set the Diffie‐Hellman group. RS G8264(config-ikev2-prop)# group 1|2|5|14|24 (default: 24) Importing an IKEv2 Digital Certificate To import an IKEv2 digital certificate for authentication: 1. Import the CA certificate file. RS G8264(config)# copy tftp cacert address <hostname or IPv4 address>...
Page 479: Generating A Certificate Signing Request
Generating a Certificate Signing Request Before a digital certificate can be signed by a Certificate Authority (CA), it needs to be created. The generation of a certificate involves creating a Certificate Signing Request (CSR). The CSR includes various information related to the device and a public key. The public key is included in the CSR file itself and the private key associated with the public key is generated separately and kept private. The CSR can then be exported to a remote device to be signed by a CA. 1. Create an HTTPS CSR defining the information you want to be used in the various fields: RS G8264(config)# access https generatecsr Country Name (2 letter code) []: <country code> State or Province Name (full name) []: <state> Locality Name (eg, city) []: <city> Organization Name (eg, company) []: <company> Organizational Unit Name (eg, section) []: <org. unit> Common Name (eg, YOUR name) []: <name> Email (eg, email address) []: <email address> Confirm Generate CSR? [y/n]: y ..........+++ ....+++ Cert Req generated successfully © Copyright Lenovo 2016 Chapter 30: IPsec with IPv6...
Page 480 2. To verify the CSR you can use the following command: show https hostcsr [pemformat|txtformat] RS G8264> show https hostcsr txtformat Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=Cali, L=Santa Barbara, O=Lenovo, OU=Sales, CN=www.zagat.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:b5:05:f6:d5:ad:ab:f2:1d:a9:57:c4:bc:84:1b: c6:bc:cd:04:95:ea:ad:ec:4a:44:3a:6e:42:9f:39: 96:14:11:a7:8e:3e:6f:da:9a:42:c6:c4:62:a1:33: 0e:a8:d3:6a:21:ce:f3:3c:4f:c1:8d:d1:e7:9e:c7: 29:04:ea:c6:7d:54:9a:4e:10:24:10:38:45:c6:4b: 13:19:f2:dd:8a:83:3f:5c:cf:8b:85:a7:2a:b0:eb: 7a:26:1f:4c:94:47:01:81:6a:59:d5:f5:d6:7e:3b: b5:bc:e4:3f:6d:dd:84:15:07:61:93:e0:d1:40:f8: 9d:15:d0:a6:e1:9b:a4:ab:85:b5:2b:f0:56:e9:ef: 36:43:2b:aa:be:1b:63:3c:fd:74:ab:78:76:53:12: e6:65:4c:0d:07:91:df:b3:91:96:f4:55:f7:37:73: 8c:f6:77:d7:9d:2b:a5:bd:17:3f:11:f2:85:4b:d6: b4:1d:3f:70:1f:13:bb:5e:2e:4c:a8:ad:6a:7f:11: 36:97:a6:25:0a:87:66:31:c9:92:59:03:31:5d:ff: df:c6:aa:93:7c:51:9f:8e:1b:6f:2a:be:c4:4c:66: d6:2c:4b:6d:e6:ae:4e:02:82:fc:fa:a1:de:3b:c9: 24:25:d5:6e:15:15:18:ce:9b:a6:98:ad:0c:32:1f: 94:01 Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 24:26:dd:96:49:47:9d:78:74:48:9b:63:4c:32:f0:78:da:7d: 82:c9:17:6d:7e:93:38:60:94:d5:02:c1:31:dc:42:69:f5:57: 46:a8:44:5a:99:ea:55:d3:99:bf:f0:48:3b:ef:60:fd:50:e6: 33:cd:89:86:d3:51:97:f2:d1:68:6f:88:8c:e7:0f:3e:19:2a: f4:ea:6b:dc:05:24:d7:98:cd:a3:d3:c3:ef:03:93:8b:3f:fe: 75:5e:67:f1:48:b6:20:a6:ff:ae:5a:25:41:7f:e4:c8:48:d4:...
Page 481 END CERTIFICATE REQUEST 3. Export the CSR file to an external server: RS G8264(config)# copy certrequest tftp Port type ["DATA"/"MGT"/"EXTM"]: <port type> Address or name of remote host: <hostname or IPv4 address> Destination file name: <path and filename on the remote server> Certificate request successfully tftp'd to... 4. Import the signed certificate from an external server: RS G8264(config)# copy sftp hostcertonly mgtport Address or name of remote host: 10.241.3.32 Enter SFTP server port [22]: Source file name: mars.crt User name: admin Password: Confirm download operation (y/n) ? y Connecting to 10.241.3.32...via port 22 SFTP: User platformlinux logged in. Download in progress SFTP: Read 985 bytes Certificate file download complete (985 bytes) Restart the HTTPS server manually to make the switch use the certificate 5. Reset HTTPS server. RS G8264(config)# no access https enable access https enable Generating certificate. Please wait (approx 30 seconds) © Copyright Lenovo 2016 Chapter 30: IPsec with IPv6...
Page 482: Generating An Ikev2 Digital Certificate
Generating an IKEv2 Digital Certificate To create an IKEv2 digital certificate for authentication: 1. Create an HTTPS certificate defining the information you want to be used in the various fields. RS G8264(config)# access https generatecertificate Country Name (2 letter code) [US]: State or Province Name (full name) [CA]: Locality Name (eg, city) [Santa Clara]: Organization Name (eg, company) [Lenovo]: Organizational Unit Name (eg, section) [Engineering]: Common Name (eg, YOUR name) [10.240.226.241]: Email (eg, email address) []: Confirm generat‘eywing certificate? [y/n]: y Generating certificate. Please wait (approx 30 seconds) restarting SSL agent 2. Save the HTTPS certificate. The certificate is valid only until the switch is rebooted. To save the certificate so that it is retained beyond reboot or power cycles, use the following command: RS G8264(config)# access https savecertificate 3. Enable IKEv2 RSA‐signature authentication: RS G8264(config)# access https enable Enabling IKEv2 Preshared Key Authentication To set up IKEv2 preshared key authentication: 1. Enter the local preshared key. RS G8264(config)# ikev2 presharekey local <preshared key, a string of 1‐256 chars>...
Page 483: Setting Up A Key Policy
RS G8264(config)# ipsec transformset tunnel|transport 3. To describe the packets to which this policy applies, create a traffic selector using the following command: RS G8264(config)# ipsec trafficselector <traffic selector number> permit|deny any|icmp <type|any> |tcp > <source IP address|any> <destination IP address|any> [<prefix length>] where the following parameters are used:  traffic selector number an integer from 1‐10 permit|deny  whether or not to permit IPsec encryption of traffic that meets the criteria specified in this command apply the selector to any type of traffic  icmp <type>|any  only apply the selector only to ICMP traffic of the specified type (an integer from 1‐255) or to any ICMP traffic  only apply the selector to TCP traffic source IP address|any the source IP address in IPv6 format or “any”  source © Copyright Lenovo 2016 Chapter 30: IPsec with IPv6...
Page 484: Using A Manual Key Policy
 destination IP address|any the destination IP address in IPv6 format or “any” destination  prefix length (Optional) the length of the destination IPv6 prefix; an integer from 1‐128 Permitted traffic that matches the policy in force is encrypted, while denied traffic that matches the policy in force is dropped. Traffic that does not match the policy bypasses IPsec and passes through clear (unencrypted). 4. Choose whether to use a manual or a dynamic policy. Using a Manual Key Policy A manual policy involves configuring policy and manual SA entries for local and remote peers. To configure a manual key policy, you need:  The IP address of the peer in IPv6 format (for example, “3000::1”).  Inbound/Outbound session keys for the security protocols. You can then assign the policy to an interface. The peer represents the other end of the security association. The security protocol for the session key can be either ESP or AH. To create and configure a manual policy: 1. Enter a manual policy to configure. RS G8264(config)#ipsec manualpolicy <policy number> 2. Configure the policy. RS G8264(configipsecmanual)#peer <peer’s IPv6 address> RS G8264(configipsecmanual)#trafficselector <IPsec traffic selector> RS G8264(configipsecmanual)#transformset <IPsec transform set> RS G8264(configipsecmanual)#inah authkey <inbound AH IPsec key>...
Page 485   The outbound ESP authenticator key code, in outbound ESP authenticator key hexadecimal Note: When configuring a manual policy ESP, the ESP authenticator key is optional.   If using third‐party switches, the IPsec manual policy session key must be of fixed length as follows: For AH key: SHA1 is 20 bytes; MD5 is 16 bytes  For ESP cipher key: 3DES is 24 bytes; AES‐cbc is 24 bytes; DES is 8 bytes  For ESP auth key: SHA1 is 20 bytes; MD5 is 16 bytes  3. After you configure the IPSec policy, you need to apply it to the interface to enforce the security policies on that interface and save it to keep it in place after a reboot. To accomplish this, enter: RS G8264(configip)#interface ip <IP interface number, 1‐128> RS G8264(configipif)#address <IPv6 address> RS G8264(configipif)#ipsec manualpolicy <policy index, 1‐10> RS G8264(configipif)#enable (enable the IP interface) RS G8264#write (save the current configuration) © Copyright Lenovo 2016 Chapter 30: IPsec with IPv6...
Page 486: Using A Dynamic Key Policy
Using a Dynamic Key Policy When you use a dynamic key policy, the first packet triggers IKE and sets the IPsec SA and IKEv2 SA. The initial packet negotiation also determines the lifetime of the algorithm, or how long it stays in effect. When the key expires, a new key is automatically created. This helps prevent break‐ins. To configure a dynamic key policy: 1. Choose a dynamic policy to configure. RS G8264(config)#ipsec dynamicpolicy <policy number> 2. Configure the policy. RS G8264(configipsecdynamic)#peer <peer’s IPv6 address> RS G8264(configipsecdynamic)#trafficselector <index of traffic selector> RS G8264(configipsecdynamic)#transformset <index of transform set> RS G8264(configipsecdynamic)#salifetime <SA lifetime, in seconds> RS G8264(configipsecdynamic)#pfs enable|disable where the following parameters are used:  peer’s IPv6 address The IPv6 address of the peer (for example, 3000::1) index of traffic‐selector A number from1‐10   index of transform‐set A number from1‐10  SA lifetime, in seconds The length of time the SA is to remain in effect; an integer from120‐86400 ...
Page 487: Chapter 31. Routing Information Protocol
Chapter 31. Routing Information Protocol In a routed environment, routers communicate with one another to keep track of available routes. Routers can learn about available routes dynamically using the Routing Information Protocol (RIP). Lenovo Enterprise Network Operating System software supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2) for exchanging TCP/IPv4 route information with other routers. Note: Enterprise NOS 8.4 does not support IPv6 for RIP. © Copyright Lenovo 2016...
Page 488: Distance Vector Protocol
When a switch receives a routing update that contains a new or changed destination network entry, the switch adds 1 to the metric value indicated in the update and enters the network in the routing table. The IPv4 address of the sender is used as the next hop. Stability RIP includes a number of other stability features that are common to many routing protocols. For example, RIP implements the split horizon and hold‐down mechanisms to prevent incorrect routing information from being propagated. RIP prevents routing loops from continuing indefinitely by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops in a path is 15. The network destination network is considered unreachable if increasing the metric value by 1 causes the metric to be 16 (that is infinity). This limits the maximum diameter of a RIP network to less than 16 hops. RIP is often used in stub networks and in small autonomous systems that do not have many redundant paths. Routing Updates RIP sends routing‐update messages at regular intervals and when the network topology changes. Each router “advertises” routing information by sending a routing information update every 30 seconds. If a router doesn’t receive an update from another router for 180 seconds, those routes provided by that router are declared invalid. The routes are removed from the routing table, but they remain in the RIP routes table. After another 120 seconds without receiving an update for those routes, the routes are removed from respective regular updates. When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route. The metric value for the path is increased by 1, and the sender is indicated as the next hop. RIP routers maintain only the best route (the route with the lowest metric value) to a destination. For more information, see the Configuration section, Routing Information Protocol Configuration in the Lenovo Enterprise Network Operating System Command Reference. G8264 Application Guide for ENOS 8.4...
Page 489: Ripv1
RIPv1 RIP version 1 use broadcast User Datagram Protocol (UDP) data packets for the regular routing updates. The main disadvantage is that the routing updates do not carry subnet mask information. Hence, the router cannot determine whether the route is a subnet route or a host route. It is of limited usage after the introduction of RIPv2. For more information about RIPv1 and RIPv2, refer to RFC 1058 and RFC 2453. RIPv2 RIPv2 is the most popular and preferred configuration for most networks. RIPv2 expands the amount of useful information carried in RIP messages and provides a measure of security. For a detailed explanation of RIPv2, refer to RFC 1723 and RFC 2453. RIPv2 improves efficiency by using multicast UDP (address 224.0.0.9) data packets for regular routing updates. Subnet mask information is provided in the routing updates. A security option is added for authenticating routing updates, by using a shared password. ENOS supports using clear password for RIPv2. RIPv2 in RIPv1 Compatibility Mode ENOS allows you to configure RIPv2 in RIPv1compatibility mode, for using both RIPv2 and RIPv1 routers within a network. In this mode, the regular routing updates use broadcast UDP data packet to allow RIPv1 routers to receive those packets. With RIPv1 routers as recipients, the routing updates have to carry natural or host mask. Hence, it is not a recommended configuration for most network topologies. Note: When using both RIPv1 and RIPv2 within a network, use a single subnet mask throughout the network. © Copyright Lenovo 2016 Chapter 31: Routing Information Protocol...
Page 490: Rip Features
RIP Features ENOS provides the following features to support RIPv1 and RIPv2:  Poison Simple split horizon in RIP scheme omits routes learned from one neighbor in updates sent to that neighbor. That is the most common configuration used in RIP, that is setting this Poison to DISABLE. Split horizon with poisoned reverse includes such routes in updates, but sets their metrics to 16. The disadvantage of using this feature is the increase of size in the routing updates. Triggered Updates  Triggered updates are an attempt to speed up convergence. When Triggered Updates is enabled, whenever a router changes the metric for a route, it sends update messages almost immediately, without waiting for the regular update interval. It is recommended to enable Triggered Updates.  Multicast RIPv2 messages use IPv4 multicast address (224.0.0.9) for periodic broadcasts. Multicast RIPv2 announcements are not processed by RIPv1 routers. IGMP is not needed since these are inter‐router messages which are not forwarded. To configure RIPv2 in RIPv1 compatibility mode, set multicast to disable, and set version to both.  Default The RIP router can listen and supply a default route, usually represented as IPv4 0.0.0.0 in the routing table. When a router does not have an explicit route to a destination network in its routing table, it uses the default route to forward those packets. Metric  The metric field contains a configurable value between 1 and 15 (inclusive) which specifies the current metric for the interface. The metric value typically indicates the total number of hops to the destination. The metric value of 16 represents an unreachable destination.  Authentication RIPv2 authentication uses plaintext password for authentication. If configured using Authentication password, then it is necessary to enter an authentication key value. The following method is used to authenticate an RIP message: ...
Page 491: Rip Configuration Example
>> (config)# interface port 3 >> (configif)# switchport mode trunk >> (configif)# switchport trunk allowed vlan add 3 >> (configif)# exit Port 3 is an UNTAGGED port and its current PVID is 1. Confirm changing PVID from 1 to 3 [y/n]: y 2. Add IP interfaces with IPv4 addresses to VLANs. >> # interface ip 2 >> (configipif)# enable >> (configipif)# ip address 102.1.1.1 >> (configipif)# vlan 2 >> (configipif)# exit >> # interface ip 3 >> (configipif)# enable >> (configipif)# ip address 103.1.1.1 >> (configipif)# vlan 3 3. Turn on RIP globally and enable RIP for each interface. >> # router rip >> (configrouterrip)# enable >> (configrouterrip)# exit >> # interface ip 2 >> (configipif)# ip rip enable >> (configipif)# exit >> # interface ip 3 >> (configipif)# ip rip enable >> (configipif)# exit Use the following command to check the current valid routes in the routing table of the switch: >> # show ip route © Copyright Lenovo 2016 Chapter 31: Routing Information Protocol...
Page 492 For those RIP routes learned within the garbage collection period, that are routes phasing out of the routing table with metric 16, use the following command: >> # show ip rip routes Locally configured static routes do not appear in the RIP Routes table. G8264 Application Guide for ENOS 8.4...
Page 493: Chapter 32. Internet Group Management Protocol
IPv4 multicast source that provides the data streams and the clients that want to receive the data. The switch supports three versions of IGMP:  IGMPv1: Defines the method for hosts to join a multicast group. However, this version does not define the method for hosts to leave a multicast group. See RFC 1112 for details.  IGMPv2: Adds the ability for a host to signal its desire to leave a multicast group. See RFC 2236 for details.  IGMPv3: Adds support for source filtering by which a host can report interest in receiving packets only from specific source addresses, or from all but specific source addresses, sent to a particular multicast address. See RFC 3376 for details. The G8264 can perform IGMP Snooping, and connect to static Mrouters. The G8264 can act as a Querier, and participate in the IGMP Querier election process. The following topics are discussed in this chapter:  “IGMP Terms” on page 494  “How IGMP Works” on page 495 “IGMP Capacity and Default Values” on page 496   “IGMP Snooping” on page 498 “IGMP Relay” on page 511   “Additional IGMP Features” on page 520 © Copyright Lenovo 2016...
Page 494: Igmp Terms
IGMP Terms The following are commonly used IGMP terms:  Multicast traffic: Flow of data from one source to multiple destinations.  Group: A multicast stream to which a host can join. Multicast groups have IP addresses in the range: 224.0.1.0 to 239.255.255.255.  IGMP Querier: A router or switch in the subnet that generates Membership Queries.  IGMP Snooper: A Layer 3 device that forwards multicast traffic only to hosts that are interested in receiving multicast data. This device can be a router or a Layer 3 switch.  Multicast Router: A router configured to make routing decisions for multicast traffic. The router identifies the type of packet received (unicast or multicast) and forwards the packet to the intended destination.  IGMP Proxy: A device that filters Join messages and Leave messages sent upstream to the Mrouter to reduce the load on the Mrouter.  Membership Report: A report sent by the host that indicates an interest in receiving multicast traffic from a multicast group.  Leave: A message sent by the host when it wants to leave a multicast group. FastLeave: A process by which the switch stops forwarding multicast traffic to a  port as soon as it receives a Leave message.  Membership Query: Message sent by the Querier to verify if hosts are listening to a group.  General Query: A Membership Query sent to all hosts. The Group address field for general queries is 0.0.0.0 and the destination address is 224.0.0.1.  Group‐specific Query: A Membership Query sent to all hosts in a multicast group. G8264 Application Guide for ENOS 8.4...
Page 495: How Igmp Works
 to continue receiving multicast traffic. If a host does not respond, the IGMP Snooper stops sending traffic to the host.  The host can initiate the Leave process by sending an IGMP Leave packet to the IGMP Snooper. When a host sends an IGMPv2 Leave packet, the IGMP Snooper queries to find  out if any other host connected to the port is interested in receiving the multicast traffic. If it does not receive a Join message in response, the IGMP Snooper removes the group entry and passes on the information to the Mrouter. The G8264 supports the following: IGMP version 1, 2, and 3   IGMP version 3 in stand‐alone (non‐stacking) mode only  128 static Mrouters and 128 dynamic Mrouters Note: Unknown multicast traffic is sent to all ports if the flood option is enabled and no Membership Report was learned for that specific IGMP group. If the flood option is disabled, unknown multicast traffic is discarded if no hosts or Mrouters are learned on a switch. To enable or disable IGMP flood, use the following command: # vlan <vlan ID> RS G8264(config) # [no] flood RS G8264(config-vlan) © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 496: Igmp Capacity And Default Values
IGMP Capacity and Default Values The following table lists the maximum and minimum values of the G8264 variables. Note: When having maximum number of IGMP entries installed, any received GMP Reports/Leaves are sent to mrouter (if it exists). Table 40. G8264 Capacity Table Variable Maximum IGMP Entries ‐ Snoop 3072 IGMP Entries ‐ Relay 1000 VLANs ‐ Snoop 1024 VLANs ‐ Relay Static Mrouters Dynamic Mrouters Number of IGMP Filters IPMC Groups (IGMP Relay) 1000 The following table lists the default settings for IGMP features and variables. Table 41. IGMP Default Configuration Settings Field Default Value Global IGMP State Disabled IGMP Querier Disabled IGMP Snooping Disabled IGMP Filtering Disabled IP Multicast (IPMC) Flood...
Page 497 Table 41. IGMP Default Configuration Settings (continued) Field Default Value IGMPv3 number of sources 8 (The switch processes only the first eight sources listed in the IGMPv3 group record.) Valid range: 1 ‐ 64 IGMPv3 ‐ allow v1v2 Snooping Enabled © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 498: Igmp Snooping
IGMP Snooping IGMP Snooping allows a switch to listen to the IGMP conversation between hosts and Mrouters. By default, a switch floods multicast traffic to all ports in a broadcast domain. With IGMP Snooping enabled, the switch learns the ports interested in receiving multicast data and forwards it only to those ports. IGMP Snooping conserves network resources. The switch can sense IGMP Membership Reports from attached hosts and acts as a proxy to set up a dedicated path between the requesting host and a local IPv4 Mrouter. After the path is established, the switch blocks the IPv4 multicast stream from flowing through any port that does not connect to a host member, thus conserving bandwidth. IGMP Querier For IGMP Snooping to function, you must have an Mrouter on the network that generates IGMP Query packets. Enabling the IGMP Querier feature on the switch allows it to participate in the Querier election process. If the switch is elected as the Querier, it will send IGMP Query packets for the LAN segment. Querier Election If multiple Mrouters exist on the network, only one can be elected as a Querier. The Mrouters elect the one with the lowest source IPv4 address or MAC address as the Querier. The Querier performs all periodic membership queries. All other Mrouters (non‐Queriers) do not send IGMP Query packets. Note: When IGMP Querier is enabled on a VLAN, the switch performs the role of an IGMP Querier only if it meets the IGMP Querier election criteria. Each time the Querier switch sends an IGMP Query packet, it initializes a general query timer. If a Querier receives a General Query packet from an Mrouter with a lower IP address or MAC address, it transitions to a non‐Querier state and initializes an other querier present timer. When this timer expires, the Mrouter transitions back to the Querier state and sends a General Query packet. Follow this procedure to configure IGMP Querier. 1. Enable IGMP and configure the source IPv4 address for IGMP Querier on a VLAN. RS G8264(config)# ip igmp enable RS G8264(config)# ip igmp querier vlan 2 sourceip 10.10.10.1 2. Enable IGMP Querier on the VLAN. RS G8264(config)# ip igmp querier vlan 2 enable 3.
Page 499: Igmp Groups
IGMPv3 includes new Membership Report messages that extend IGMP functionality. The switch provides snooping capability for all types of IGMPv3 Membership Reports. IGMPv3 is supported in stand‐alone (non‐stacking) mode only. IGMPv3 supports Source‐Specific Multicast (SSM). SSM identifies session traffic by both source and group addresses. The IGMPv3 implementation keeps records on the multicast hosts present in the network. If a host is already registered, when it receives a new IS_INC, TO_INC, IS_EXC, or TO_EXC report from same host, the switch makes the correct transition to new (port‐host‐group) registration based on the IGMPv3 RFC. The registrations of other hosts for the same group on the same port are not changed. The G8264 supports the following IGMPv3 filter modes:  INCLUDE mode: The host requests membership to a multicast group and pro‐ vides a list of IPv4 addresses from which it wants to receive traffic. EXCLUDE mode: The host requests membership to a multicast group and provides a  list of IPv4 addresses from which it does not want to receive traffic. This indicates that the host wants to receive traffic only from sources that are not part of the Exclude list. To disable snooping on EXCLUDE mode reports, use the following command: # RS G8264(config) no ip igmp snoop igmpv3 exclude By default, the G8264 snoops the first eight sources listed in the IGMPv3 Group Record. Use the following command to change the number of snooping sources: # RS G8264(config) ip igmp snoop igmpv3 sources <1‐64> © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 500 IGMPv3 Snooping is compatible with IGMPv1 and IGMPv2 Snooping. To disable snooping on version 1 and version 2 reports, use the following command: # RS G8264(config) no ip igmp snoop igmpv3 v1v2 G8264 Application Guide for ENOS 8.4...
Page 501: Igmp Snooping Configuration Guidelines
IGMP Snooping Configuration Guidelines Consider the following guidelines when you configure IGMP Snooping:  IGMP operation is independent of the routing method. You can use RIP, OSPF, or static routes for Layer 3 routing.  When multicast traffic flood is disabled, the multicast traffic sent by the multicast server is discarded if no hosts or Mrouters are learned on the switch.  The Mrouter periodically sends IGMP Queries. The switch learns the Mrouter on the port connected to the router when it sees  Query messages. The switch then floods the IGMP queries on all other ports including a LAG, if any. Multicast hosts send IGMP Reports as a reply to the IGMP Queries sent by the  Mrouter. The switch can also learn an Mrouter when it receives a PIM hello packet from  another device. However, an Mrouter learned from a PIM packet has a lower priority than an Mrouter learned from an IGMP Query. A switch overwrites an Mrouter learned from a PIM packet when it receives an IGMP Query on the same port.  A host sends an IGMP Leave message to its multicast group. The expiration timer for this group is updated to 10 seconds. The Layer 3 switch sends IGMP Group‐Specific Query to the host that had sent the Leave message. If the host does not respond with an IGMP Report during these 10 seconds, all the groups expire and the switch deletes the host from the IGMP groups table. The switch then proxies the IGMP Leave messages to the Mrouter. © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 502: Igmp Snooping Configuration Example
IGMP Snooping Configuration Example This section provides steps to configure IGMP Snooping on the G8264. 1. Configure port and VLAN membership on the switch. 2. Add VLANs to IGMP Snooping. RS G8264(config)# ip igmp snoop vlan 1 3. Enable IGMP Snooping. RS G8264(config)# ip igmp snoop enable 4. Enable IGMPv3 Snooping (optional). RS G8264(config)# ip igmp snoop igmpv3 enable 5. Enable the IGMP feature. RS G8264(config)# ip igmp enable 6. View dynamic IGMP information. RS G8264# show ip igmp groups Total entries: 5 Total IGMP groups: 2 Note: The <Total IGMP groups> number is computed as the number of unique (Group, Vlan) entries! Note: Local groups (224.0.0.x) are not snooped/relayed and will not appear. Source Group VLAN Port Version Mode Expires Fwd 10.1.1.1 232.1.1.1 2 4 V3 INC 4:16 Yes 10.1.1.5 232.1.1.1 2 4 V3 INC 4:16 Yes * 232.1.1.1 2 4 V3 INC No 10.10.10.43 235.0.0.1 9 1 V3 EXC 2:26 No * 235.0.0.1 9 1 V3 EXC Yes RS G8264# show ip igmp mrouter Total entries: 3 Total number of dynamic mrouters: 2 Total number of installed static mrouters: 1 SrcIP VLAN Port Version Expires MRT QRV QQIC ...
Page 503: Advanced Configuration Example: Igmp Snooping
VLANs 2,3 Multicast Server Devices in this topology are configured as follows:  STG2 includes VLAN2; STG3 includes VLAN3.  The multicast server sends IP multicast traffic for the following groups: VLAN 2, 225.10.0.11 – 225.10.0.12, Source: 22.10.0.11  VLAN 2, 225.10.0.13 – 225.10.0.15, Source: 22.10.0.13  VLAN 3, 230.0.2.1 – 230.0.2.2, Source: 22.10.0.1  VLAN 3, 230.0.2.3 – 230.0.2.5, Source: 22.10.0.3   The Mrouter sends IGMP Query packets in VLAN 2 and VLAN 3. The Mrouter’s IP address is 10.10.10.10. The multicast hosts send the following IGMP Reports:  IGMPv2 Report, VLAN 2, Group: 225.10.0.11, Source: *  IGMPv2 Report, VLAN 3, Group: 230.0.2.1, Source: *  IGMPv3 IS_INCLUDE Report, VLAN 2, Group: 225.10.0.13, Source: 22.10.0.13  IGMPv3 IS_INCLUDE Report, VLAN 3, Group: 230.0.2.3, Source: 22.10.0.3  © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 504: Prerequisites
 The hosts receive multicast traffic as follows: Host 1 receives multicast traffic for groups (*, 225.10.0.11), (22.10.0.13,  225.10.0.13) Host 2 receives multicast traffic for groups (*, 225.10.0.11), (*, 230.0.2.1),  (22.10.0.13, 225.10.0.13), (22.10.0.3, 230.0.2.3) Host 3 receives multicast traffic for groups (*, 230.0.2.1), (22.10.0.3, 230.0.2.3)   The Mrouter receives all the multicast traffic. Prerequisites Before you configure IGMP Snooping, ensure you have performed the following actions:  Configured VLANs.  Enabled IGMP.  Added VLANs to IGMP Snooping.  Configured a switch or Mrouter as the Querier.  Identified the IGMP version(s) you want to enable.  Disabled IGMP flooding. Configuration This section provides the configuration details of the switches shown in Figure Switch A Configuration 1. Configure VLANs and tagging. RS G8264(config)# interface port 15 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 2,3 RS G8264(configif)# exit 2.
Page 505 RS G8264(configipif)# vlan 2 RS G8264(configipif)# exit 3. Configure STP. Reset the ports to make the edge configuration operational. RS G8264(config)# interface port 5,6 RS G8264(configif)# spanningtree portfast RS G8264(configif)# shutdown RS G8264(configif)# no shutdown RS G8264(configif)# exit 4. Configure an LACP dynamic LAG (portchannel). RS G8264(config)# interface port 1,2 RS G8264(configif)# lacp key 300 RS G8264(configif)# lacp mode active RS G8264(configif)# exit 5. Configure a static LAG (portchannel). RS G8264(config)# portchannel 1 port 3,4 enable © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 506 6. Configure IGMP Snooping. RS G8264(config)# ip igmp enable RS G8264(config)# ip igmp snoop vlan 2,3 RS G8264(config)# ip igmp snoop sourceip 10.10.10.2 RS G8264(config)# ip igmp snoop igmpv3 enable RS G8264(config)# ip igmp snoop igmpv3 sources 64 RS G8264(config)# ip igmp snoop enable RS G8264(config)# vlan 2 RS G8264(configvlan)# no flood RS G8264(configvlan)# exit RS G8264(config)# vlan 3 RS G8264(configvlan)# no flood RS G8264(configvlan)# exit Switch C Configuration 1. Configure VLANs and tagging. RS G8264(config)# vlan 2,3 RS G8264(configvlan)# interface port 14,6 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 2,3 RS G8264(configif)# exit RS G8264(config)# interface port 5 RS G8264(configif)# switchport access vlan 3 2.
Page 507 6. Configure IGMP Snooping. RS G8264(config)# ip igmp enable RS G8264(config)# ip igmp snoop vlan 2,3 RS G8264(config)# ip igmp snoop sourceip 10.10.10.3 RS G8264(config)# ip igmp snoop igmpv3 enable RS G8264(config)# ip igmp snoop igmpv3 sources 64 RS G8264(config)# ip igmp snoop enable RS G8264(config)# vlan 2 RS G8264(configvlan)# no flood RS G8264(configvlan)# exit RS G8264(config)# vlan 3 RS G8264(configvlan)# no flood RS G8264(configvlan)# exit © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 508: Troubleshooting Igmp Snooping
Troubleshooting IGMP Snooping This section provides the steps to resolve common IGMP Snooping configuration issues. The topology described in Figure 41 is used as an example. Multicast traffic from non‐member groups reaches the host or Mrouter  Check if traffic is unregistered. For unregistered traffic, an IGMP entry is not  displayed in the IGMP groups table. RS G8264# show ip igmp groups Ensure IPMC flooding is disabled and CPU is enabled.  RS G8264(config)# vlan <vlan id> RS G8264(configvlan)# no flood RS G8264(configvlan)# cpu Check the egress port’s VLAN membership. The ports to which the hosts and  Mrouter are connected must be used only for VLAN 2 and VLAN 3. RS G8264# show vlan Note: To avoid such a scenario, disable IPMC flooding for all VLANs enabled on the switches (if this is an acceptable configuration). Check IGMP Reports on switches B and C for information about the IGMP  groups. RS G8264# show ip igmp groups If the non‐member IGMP groups are displayed in the table, close the application that may be sending the IGMP Reports for these groups. Identify the traffic source by using a sniffer on the hosts and reading the source IP/MAC address. If the source IP/MAC address is unknown, check the port statistics to find the ingress port. RS G8264# show interface port <port id> interfacecounters Ensure no static multicast MACs, static multicast groups, or static Mrouters ...
Page 509 Note: To clear all IGMP groups, use the following command: clear ip igmp groups RS G8264(config)# However, this will clear all the IGMP groups and will influence other hosts. Check if the multicast traffic reaches the switch. RS G8264# show ip igmp ipmcgrp If the multicast traffic group is not displayed in the table, check the link state, VLAN membership, and STP convergence. Ensure multicast server is sending all the multicast traffic.  Ensure no static multicast MACs, static multicast groups, or static multicast  routes are configured. IGMP queries sent by the Mrouter do not reach the host.  Ensure the Mrouter is learned on switches B and C.  RS G8264# show ip igmp mrouter If it is not learned on switch B but is learned on switch C, check the link state of the LAG, VLAN membership, and STP convergence. If it is not learned on any switch, ensure the multicast application is running and is sending correct IGMP Query packets. If it is learned on both switches, check the link state, VLAN membership, and STP port states for the ports connected to the hosts. © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 510  IGMP Reports/Leaves sent by the hosts do not reach the Mrouter Ensure IGMP Queries sent by the Mrouter reach the hosts.  Ensure the Mrouter is learned on both switches. Note that the Mrouter may  not be learned on switch B immediately after a LAG failover/failback. RS G8264# show ip igmp mrouter Ensure the host’s multicast application is started and is sending correct IGMP  Reports/Leaves. RS G8264# show ip igmp groups RS G8264# show ip igmp counters  A host receives multicast traffic from the incorrect VLAN Check port VLAN membership.  Check IGMP Reports sent by the host.  Check multicast data sent by the server.   The Mrouter is learned on the incorrect LAG Check link state. LAG 1 might be down or in STP discarding state.  Check STP convergence.  Check port VLAN membership.   Hosts receive multicast traffic at a lower rate than normal Note: This behavior is expected if IPMC flood is disabled and CPU is enabled. As soon as the IGMP/IPMC entries are installed on ASIC, the IPMC traffic recovers and is forwarded at line rate. This applies to unregistered IPMC traffic. Ensure a storm control is not configured on the LAGs. ...
Page 511: Igmp Relay
Configuration Guidelines Consider the following guidelines when you configure IGMP Relay:  IGMP Relay is supported in stand‐alone (non‐stacking) mode only.  IGMP Relay and IGMP Snooping are mutually exclusive—if you enable IGMP Relay, you must turn off IGMP Snooping/Querier. Add the upstream Mrouter VLAN to the IGMP Relay list, using the following  command: <VLAN number> RS G8264(config)# ip igmp relay vlan  If IGMP hosts reside on different VLANs, you must: Disable IGMP flooding.  RS G8264(config)# vlan <vlan id> RS G8264(configvlan)# no flood Ensure CPU forwarding is enabled; Ensure that multicast data is forwarded  across the VLANs. RS G8264(config)# vlan <vlan id> RS G8264(configvlan)# cpu © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 512: Configure Igmp Relay
Configure IGMP Relay Use the following procedure to configure IGMP Relay. 1. Configure IP interfaces with IPv4 addresses, and assign VLANs. RS G8264(config)# interface ip 2 RS G8264(configipif)# ip address 10.10.1.1 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# vlan 2 RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 3 RS G8264(configipif)# ip address 10.10.2.1 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# vlan 3 RS G8264(configipif)# enable RS G8264(configipif)# exit 2. Turn IGMP on. RS G8264(config)# ip igmp enable 3. Configure the upstream Mrouters with IPv4 addresses. RS G8264(config)# ip igmp relay mrouter 1 address 100.0.1.2 RS G8264(config)# ip igmp relay mrouter 1 enable RS G8264(config)# ip igmp relay mrouter 2 address 100.0.2.4 RS G8264(config)# ip igmp relay mrouter 2 enable 4.
Page 513: Advanced Configuration Example: Igmp Relay
Multicast Server Devices in this topology are configured as follows:  The IP address of Multicast Router 1 is 5.5.5.5  The IP address of Multicast Router 2 is 5.5.5.6  STG 2 includes VLAN2; STG 3 includes VLAN 3; STG 5 includes VLAN 5.  The multicast server sends IP multicast traffic for the following groups: VLAN 2, 225.10.0.11 – 225.10.0.15   The multicast hosts send the following IGMP Reports: Host 1: 225.10.0.11 – 225.10.0.12, VLAN 3  Host 2: 225.10.0.12 – 225.10.0.13, VLAN 2; 225.10.0.14 – 225.10.0.15, VLAN 3  Host 3: 225.10.0.13 – 225.10.0.14, VLAN 2   The Mrouter receives all the multicast traffic. Prerequisites Before you configure IGMP Relay, ensure you have performed the following actions:  Configured VLANs.  Enabled IGMP. © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 514: Configuration
 Disabled IGMP flooding.  Disabled IGMP Snooping. Configuration This section provides the configuration details of the switches in Figure Switch A Configuration 1. Configure a VLAN. RS G8264(config)# interface port 15 RS G8264(configif)# switchport access vlan 2 2. Configure an IP interface with IPv4 address, and assign a VLAN.. RS G8264(config)# interface ip 2 RS G8264(configipif)# ip address 2.2.2.10 enable RS G8264(configipif)# vlan 2 RS G8264(configipif)# exit 3. Assign a bridge priority lower than the default bridge priority to enable the switch to become the STP root in STG 2 and 3. RS G8264(config)# spanningtree stp 2 bridge priority 4096 4. Configure LACP dynamic LAGs (portchannels). RS G8264(config)# interface port 1,2 RS G8264(configif)# lacp key 100 RS G8264(configif)# lacp mode active RS G8264(configif)# exit RS G8264(config)# interface port 3,4 RS G8264(configif)# lacp key 200 RS G8264(configif)# lacp mode active...
Page 515 RS G8264(configipif)# exit RS G8264(config)# ip gateway 2 address 2.2.2.30 enable 3. Configure STP. RS G8264(config)# interface port 5,6 RS G8264(configif)# spanningtree portfast RS G8264(configif)# shutdown RS G8264(configif)# no shutdown RS G8264(configif)# exit 4. Configure an LACP dynamic LAG (portchannel). RS G8264(config)# interface port 1,2 RS G8264(configif)# lacp key 300 RS G8264(configif)# lacp mode active RS G8264(configif)# exit 5. Configure a static LAG (portchannel). RS G8264(config)# portchannel 1 port 3,4 enable © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 516 6. Configure IGMP Relay. RS G8264(config)# ip igmp enable RS G8264(config)# ip igmp relay vlan 2,3 RS G8264(config)# ip igmp relay mrouter 1 address 5.5.5.5 enable RS G8264(config)# ip igmp relay mrouter 2 address 5.5.5.6 enable RS G8264(config)# ip igmp relay enable RS G8264(config)# vlan 2 RS G8264(configvlan)# no flood RS G8264(configvlan)# exit RS G8264(config)# vlan 3 RS G8264(configvlan)# no flood RS G8264(configvlan)# exit Switch C Configuration 1. Configure VLANs. RS G8264(config)# vlan 2,3,5 RS G8264(configvlan)# interface port 15 RS G8264(configif)# switchport access vlan 2 RS G8264(configif)# interface port 6,7 RS G8264(configif)# switchport access vlan 5 RS G8264(configif)# exit 2.
Page 517: Troubleshooting Igmp Relay
RS G8264(config)# vlan 2 RS G8264(configvlan)# no flood RS G8264(configvlan)# exit RS G8264(config)# vlan 5 RS G8264(configvlan)# no flood RS G8264(configvlan)# exit Troubleshooting IGMP Relay This section provides the steps to resolve common IGMP Relay configuration issues. The topology described in Figure 42 is used as an example. Multicast traffic from non‐member groups reaches the hosts or the Mrouter  Ensure IPMC flood is disabled.  RS G8264(config)# vlan <vlan id> RS G8264(configvlan)# no flood Check the egress port’s VLAN membership. The ports to which the hosts and  Mrouter are connected must be used only for VLAN 2, VLAN 3, or VLAN 5. RS G8264(config)# show vlan © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 518 Note: To avoid such a scenario, disable IPMC flooding for all VLANs enabled on the switches (if this is an acceptable configuration). Check IGMP Reports on switches B and C for information about IGMP  groups. RS G8264(config)# show ip igmp groups If non‐member IGMP groups are displayed in the table, close the application that may be sending the IGMP Reports for these groups. Identify the traffic source by using a sniffer on the hosts and reading the source IP address/MAC address. If the source IP address/MAC address is unknown, check the port statistics to find the ingress port. RS G8264(config)# show interface port <port id> interfacecounters Ensure no static multicast MACs and static Mrouters are configured.   Not all multicast traffic reaches the appropriate receivers Ensure hosts are sending IGMP Reports for all the groups. Check the VLAN on which the groups are learned. RS G8264(config)# show ip igmp groups If some of the groups are not displayed, ensure the multicast application is running on the host device and the generated IGMP Reports are correct. Ensure the multicast traffic reaches the switch to which the host is connected.  Close the application sending the IGMP Reports. Clear the IGMP groups by flapping (disabling, then re‐enabling) the port. Note: To clear all IGMP groups, you can use the following command RS G8264(config)# clear ip igmp groups However, this will clear all the IGMP groups and will influence other hosts. Check if the multicast traffic reaches the switch. RS G8264(config)# show ip igmp ipmcgrp If the multicast traffic group is not displayed in the table, check the link state, VLAN membership, and STP convergence. Ensure the multicast server is sending all the multicast traffic. ...
Page 519 Reports/Leaves are not forwarded. Note that the Mrouter may not be reachable immediately after a LAG failover/failback. RS G8264(config)# show ip igmp groups Ensure the host’s multicast application is started and is sending correct IGMP  Reports/Leaves. RS G8264(config)# show ip igmp groups RS G8264(config)# show ip igmp counters  The Mrouter is reachable on the incorrect LAG Check link state. LAG 1 may be down or in STP discarding state.  Check STP convergence and port VLAN membership.  Check IP connectivity between the switch and the configured Mrouter  (primary or secondary).  Hosts receive multicast traffic at a lower rate than normal Ensure a multicast threshold is not configured on the LAGs.  RS G8264(config)# interface port <port id> RS G8264(configif)# no stormcontrol multicast Check link speeds and network congestion.  © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 520: Additional Igmp Features
Additional IGMP Features The following topics are discussed in this section:  “FastLeave” on page 520  “IGMP Filtering” on page 520  “Static Multicast Router” on page 521 FastLeave In normal IGMP operation, when the switch receives an IGMPv2 Leave message, it sends a Group‐Specific Query to determine if any other devices in the same group (and on the same port) are still interested in the specified multicast group traffic. The switch removes the affiliated port from that particular group, if the switch does not receive an IGMP Membership Report within the query‐response‐interval. With FastLeave enabled on the VLAN, a port can be removed immediately from the port list of the group entry when the IGMP Leave message is received. Note: Only IGMPv2 supports FastLeave. Enable FastLeave on ports that have only one host connected. If more than one host is connected to a port, you may lose some hosts unexpectedly. Use the following command to enable FastLeave. # RS G8264(config) ip igmp fastleave <VLAN number> IGMP Filtering With IGMP filtering, you can allow or deny certain IGMP groups to be learned on a port. If access to a multicast group is denied, IGMP Membership Reports from the port are dropped, and the port is not allowed to receive IPv4 multicast traffic from that group. If access to the multicast group is allowed, Membership Reports from the port are forwarded for normal processing. To configure IGMP filtering, you must globally enable IGMP filtering, define an IGMP filter, assign the filter to a port, and enable IGMP filtering on the port. To define an IGMP filter, you must configure a range of IPv4 multicast groups, choose ...
Page 521: Configuring The Action
RS G8264(config) ip igmp profile 1 enable 3. Assign the IGMP filter to a port. RS G8264(config) interface port 3 RS G8264(configif)# ip igmp profile 1 RS G8264(configif)# ip igmp filtering Static Multicast Router A static Mrouter can be configured for a particular port on a particular VLAN. A static Mrouter does not have to be learned through IGMP Snooping. Any data port can accept a static Mrouter. When you configure a static Mrouter on a VLAN, it replaces any dynamic Mrouters learned through IGMP Snooping. To configure a static multicast router 1. For each Mrouter, configure a port, VLAN, and IGMP version of the multicast router. RS G8264(config)# ip igmp mrouter 5 1 2 2. Verify the configuration. RS G8264(config)# show ip igmp mrouter © Copyright Lenovo 2016 Chapter 32: Internet Group Management Protocol...
Page 522 G8264 Application Guide for ENOS 8.4...
Page 523: Chapter 33. Multicast Listener Discovery
Chapter 33. Multicast Listener Discovery Multicast Listener Discovery (MLD) is an IPv6 protocol that a host uses to request multicast data for a multicast group. An IPv6 router uses MLD to discover the presence of multicast listeners (nodes that want to receive multicast packets) on its directly attached links, and to discover specifically the multicast addresses that are of interest to those neighboring nodes. MLD version 1 is derived from Internet Group Management Protocol version 2 (IGMPv2) and MLDv2 is derived from IGMPv3. MLD uses ICMPv6 (IP Protocol 58) message types. See RFC 2710 and RFC 3810 for details. MLDv2 protocol, when compared to MLDv1, adds support for source filtering— the ability for a node to report interest in listening to packets only from specific source addresses, or from all but specific source addresses, sent to a particular multicast address. MLDv2 is interoperable with MLDv1. See RFC 3569 for details on Source‐Specific Multicast (SSM). The following topics are discussed in this chapter:  “MLD Terms” on page 524  “How MLD Works” on page 525  “MLD Capacity and Default Values” on page 528  “Configuring MLD” on page 529 © Copyright Lenovo 2016...
Page 524: Mld Terms
MLD Terms Following are the commonly used MLD terms:  Multicast traffic: Flow of data from one source to multiple destinations.  Group: A multicast stream to which a host can join.  Multicast Router (Mrouter): A router configured to make routing decisions for multicast traffic. The router identifies the type of packet received (unicast or multicast) and forwards the packet to the intended destination.  Querier: An Mrouter that sends periodic query messages. Only one Mrouter on the subnet can be elected as the Querier.  Multicast Listener Query: Messages sent by the Querier. There are three types of queries: General Query: Sent periodically to learn multicast address listeners from an  attached link. G8264 uses these queries to build and refresh the Multicast Address Listener state. General Queries are sent to the link‐scope all‐nodes multicast address (FF02::1), with a multicast address field of 0, and a maximum response delay of query response interval. Multicast Address Specific Query: Sent to learn if a specific multicast address  has any listeners on an attached link. The multicast address field is set to the IPv6 multicast address. Multicast Address and Source Specific Query: Sent to learn if, for a specified  multicast address, there are nodes still listening to a specific set of sources. Supported only in MLDv2. Note: Multicast Address Specific Queries and Multicast Address and Source Specific Queries are sent only in response to State Change Reports, and never in response to Current State Reports.  Multicast Listener Report: Sent by a host when it joins a multicast group, or in response to a Multicast Listener Query sent by the Querier. Hosts use these reports to indicate their current multicast listening state, or changes in the multicast listening state of their interfaces. These reports are of two types: Current State Report: Contains the current Multicast Address Listening State ...
Page 525: How Mld Works
Hosts respond to these queries by reporting their per‐interface Multicast Address Listening state, through Current State Report messages sent to a specific multicast address that all MLD routers on the link listen to.  If the listening state of a host changes, the host immediately reports these changes through a State Change Report message.  The Querier sends a Multicast Address Specific Query to verify if hosts are listening to a specified multicast address or not. Similarly, if MLDv2 is configured, the Querier sends a Multicast Address and Source Specific Query to verify, for a specified multicast address, if hosts are listening to a specific set of sources, or not. MLDv2 listener report messages consists of Multicast Address Records: INCLUDE: to receive packets from source specified in the MLDv2 message  EXCLUDE: to receive packets from all sources except the ones specified in the  MLDv2 message A host can send a State Change Report to indicate its desire to stop listening to a  particular multicast address (or source in MLDv2). The Querier then sends a multicast address specific query to verify if there are other listeners of the multicast address. If there aren’t any, the Mrouter deletes the multicast address from its Multicast Address Listener state and stops sending multicast traffic. Similarly in MLDv2, the Mrouter sends a Multicast Address and Source Specific Query to verify if, for a specified multicast address, there are hosts still listening to a specific set of sources. G8264 supports MLD versions 1 and 2. Note: MLDv2 operates in version 1 compatibility mode when, in a specific network, not all hosts are configured with MLDv2. © Copyright Lenovo 2016 Chapter 33: Multicast Listener Discovery...
Page 526: How Flooding Impacts Mld
How Flooding Impacts MLD When flood option is disabled, the unknown multicast traffic is discarded if no Mrouters are learned on the switch. You can set the flooding behavior by configuring the flood and cpu options. You can optimize the flooding to ensure that unknown IP multicast (IPMC) data packets are not dropped during the learning phase. The flooding options include: flood: Enable hardware flooding in VLAN for the unregistered IPMC; This  option is enabled by default. cpu: Enable sending unregistered IPMC to the Mrouter ports. However, during  the learning period, there will be some packet loss. The cpu option is enabled by default. You must ensure that the flood and optflood options are disabled. optflood: Enable optimized flooding to allow sending the unregistered IPMC  to the Mrouter ports without having any packet loss during the learning period; This option is disabled by default; When optflood is enabled, the flood and cpu settings are ignored. The flooding parameters must be configured per VLAN. Enter the following command to set the flood or cpu option: RS G8264(config)# vlan <vlan number> RS G8264(configvlan)# [no] flood RS G8264(configvlan)# [no] cpu RS G8264(configvlan)# [no] optflood MLD Querier An Mrouter acts as a Querier and periodically (at short query intervals) sends query messages in the subnet. If there are multiple Mrouters in the subnet, only one can be the Querier. All Mrouters on the subnet listen to the messages sent by the multicast address listeners, and maintain the same multicast listening information state. All MLDv2 queries are sent with the FE80::/64 link‐local source address prefix. Querier Election Only one Mrouter can be the Querier per subnet. All other Mrouters will be ...
Page 527: Dynamic Mrouters
Dynamic Mrouters The switch learns Mrouters on the ingress VLANs of the MLD‐enabled interface. All report or done messages are forwarded to these Mrouters. By default, the option of dynamically learning Mrouters is disabled. To enable it, use the following command: RS G8264(config)# interface ip <interface number> RS G8264(configipif)# ipv6 mld dmrtr enable © Copyright Lenovo 2016 Chapter 33: Multicast Listener Discovery...
Page 528: Mld Capacity And Default Values
MLD Capacity and Default Values Table 42 lists the maximum and minimum values of the G8264 variables. Table 42. G8264 Capacity Table Variable Maximum Value IPv6 Multicast Entries IPv6 Interfaces for MLD Note: IGMP and MLD share the IPMC table. When the IPMC table is full, you cannot allocate additional IGMP/MLD groups. Table 43 lists the default settings for MLD features and variables. Table 43. MLD Timers and Default Values Field Default Value Robustness Variable (RV) Query Interval (QI) 125 seconds Query Response Interval (QRI) 10 seconds Multicast Address Listeners Interval 260 seconds [derived: RV*QI+QRI] (MALI) Other Querier Present Interval [OQPT] 255 seconds [derived: RV*QI + ½ QRI] Start up Query Interval [SQI] 31.25 seconds [derived: ¼ * QI] Startup Query Count [SQC] 2 [derived: RV] Last Listener Query Interval [LLQI] ...
Page 529: Configuring Mld
2. Create an IPv6 interface. RS G8264(config)# interface ip 2 RS G8264(configipif)# enable RS G8264(configipif)# ipv6 address 2002:1:0:0:0:0:0:3 RS G8264(configipif)# ipv6 prefixlen 64 3. Enable MLD on the IPv6 interface. RS G8264(configipif)# ipv6 mld enable 4. Configure the MLD parameters on the interface: version, robustness, query response interval, MLD query interval, and last listener query interval. RS G8264(configipif)# ipv6 mld version <1‐2> (MLD version) RS G8264(configipif)# ipv6 mld robust <1‐10> (Robustness) RS G8264(configipif)# ipv6 mld qri <1‐256> (In seconds) RS G8264(configipif)# ipv6 mld qintrval <1‐608> (In seconds) RS G8264(configipif)# ipv6 mld llistnr <1‐32> (In seconds) © Copyright Lenovo 2016 Chapter 33: Multicast Listener Discovery...
Page 530 G8264 Application Guide for ENOS 8.4...
Page 531: Chapter 34. Border Gateway Protocol
BGP and take BGP feeds from as many as 96 BGP router peers. This allows more resilience and flexibility in balancing traffic from the Internet. Note: Lenovo Enterprise Network Operating System 8.4 does not support IPv6 for BGP. The following topics are discussed in this section: “Internal Routing Versus External Routing” on page 532   “Forming BGP Peer Routers” on page 537  “Loopback Interfaces” on page 540  “What is a Route Map?” on page 540  “Aggregating Routes” on page 544  “Redistributing Routes” on page 544  “BGP Attributes” on page 546  “Selecting Route Paths in BGP” on page 548  “BGP Failover Configuration” on page 549  “Default Redistribution and Route Aggregation Example” on page 551 © Copyright Lenovo 2016...
Page 532: Internal Routing Versus External Routing
Internal Routing Versus External Routing To ensure effective processing of network traffic, every router on your network needs to know how to send a packet (directly or indirectly) to any other location/destination in your network. This is referred to as internal routing and can be done with static routes or using active, internal dynamic routing protocols, such as RIP, RIPv2, and OSPF. Static routes must have a higher degree of precedence than dynamic routing protocols. If the destination route is not in the route cache, the packets are forwarded to the default gateway which may be incorrect if a dynamic routing protocol is enabled. It is also useful to tell routers outside your network (upstream providers or peers) about the routes you can access in your network. External networks (those outside your own) that are under the same administrative control are referred to as autonomous systems (AS). Sharing of routing information between autonomous systems is known as external routing. External BGP (eBGP) is used to exchange routes between different autonomous systems whereas internal BGP (iBGP) is used to exchange routes within the same autonomous system. An iBGP is a type of internal routing protocol you can use to do active routing inside your network. It also carries AS path information, which is important when you are an ISP or doing BGP transit. The iBGP peers have to maintain reciprocal sessions to every other iBGP router in the same AS (in a full‐mesh manner) to propagate route information throughout the AS. If the iBGP session shown between the two routers in AS 20 was not present (as indicated in Figure 43), the top router would not learn the route to AS 50, and the bottom router would not learn the route to AS 11, even though the two AS 20 routers are connected via the RackSwitch G8264. Figure 43. iBGP and eBGP Internet Internet When there are many iBGP peers, having a full‐mesh configuration results in large number of sessions between the iBGP peers. In such situations, configuring a route reflector eliminates the full‐mesh configuration requirement, prevents route propagation loops, and provides better scalability to the peers. For details, see “Route Reflector” on page 533.
Page 533: Route Reflector
Typically, an AS has one or more border routers—peer routers that exchange routes with other ASs—and an internal routing scheme that enables routers in that AS to reach every other router and destination within that AS. When you advertise routes to border routers on other autonomous systems, you are effectively committing to carry data to the IPv4 space represented in the route being advertised. For example, if you advertise 192.204.4.0/24, you are declaring that if another router sends you data destined for any address in 192.204.4.0/24, you know how to carry that data to its destination. Route Reflector The Enterprise NOS implementation conforms to the BGP Route Reflection specification defined in RFC 4456. As per RFC 1771 specification, a route received from an iBGP peer cannot be advertised to another iBGP peer. This makes it mandatory to have full‐mesh iBGP sessions between all BGP routers within an AS. A route reflector—a BGP router— breaks this iBGP loop avoidance rule. It does not affect the eBGP behavior. A route reflector is a BGP speaker that advertises a route learnt from an iBGP peer to another iBGP peer. The advertised route is called the reflected route. A route reflector has two groups of internal peers: clients and non‐clients. A route reflector reflects between these groups and among the clients. The non‐client peers must be fully meshed. The route reflector and its clients form a cluster. When a route reflector receives a route from an iBGP peer, it selects the best path based on its path selection rule. It then does the following based on the type of peer it received the best path from:  A route received from a non‐client iBGP peer is reflected to all clients.  A route received from an iBGP client peer is reflected to all iBGP clients and iBGP non‐clients. © Copyright Lenovo 2016 Chapter 34: Border Gateway Protocol...
Page 534 In Figure 44, the G8264 is configured as a route reflector. All clients and non‐clients are in the same AS. Figure 44. iBGP Route Reflector Cluster RR Client RR Client iBGP iBGP Route Reflector iBGP iBGP iBGP RR Non-Client RR Non-Client The following attributes are used by the route reflector functionality:  ORIGINATOR ID: BGP identifier (BGP router ID) of the route originator in the local AS. If the route does not have the ORIGINATOR ID attribute (it has not been reflected before), the router ID of the iBGP peer from which the route has been received is copied into the Originator ID attribute.This attribute is never modified by subsequent route reflectors. A router that identifies its own ID as the ORIGINATOR ID, it ignores the route. CLUSTER LIST: Sequence of the CLUSTER ID (the router ID) values  representing the reflection path that the route has passed. The value configured with the clusterid command (or the router ID of the route reflector if the clusterid is not configured) is prepended to the Cluster list attribute. If a route reflector detects its own CLUSTER ID in the CLUSTER LIST, it ignores the route. Up to 10 CLUSTER IDs can be added to a CLUSTER LIST. G8264 Application Guide for ENOS 8.4...
Page 535: Configuring Route Reflection
RS G8264(config)# show ip bgp neighbor 2 information BGP Peer 2 Information: 2: 10.1.50.1 , version 0, TTL 255, TTL Security hops 0 Remote AS: 0, Local AS: 22, Link type: IBGP Remote router ID: 0.0.0.0, Local router ID: 9.9.9.9 nexthopself disabled RR client enabled BGP status: connect, Old status: connect Total received packets: 0, Total sent packets: 0 Received updates: 0, Sent updates: 0 Keepalive: 0, Holdtime: 0, MinAdvTime: 60 LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0) Established state transitions: 0 Once configured as a route reflector, the switch, by default, passes routes between clients. If required, you can disable this by using the following command: RS G8264(configrouterbgp)# no clienttoclient reflection You can view the route reflector BGP attributes attached to a BGP route using the following command: RS G8264(configrouterbgp)# show ip bgp information 5.0.0.0 255.255.255.0 BGP routing table entry for 5.0.0.0/255.255.255.0 Paths: (1 available, best #1) Multipath: eBGP Local 30.1.1.1 (metric 0) from 22.22.1.1(17.17.17.17) Origin: IGP, localpref 0, valid, internal, best Originator: 1.16.0.195 Cluster list: 17.17.17.17 © Copyright Lenovo 2016 Chapter 34: Border Gateway Protocol...
Page 536: Restrictions
You can view BGP advertised routes to a specific neighbor or to all neighbors using the command: [Prompt](config)# show ip bgp neighbor advertisedroutes Restrictions Consider the following restrictions when configuring route reflection functionality:  When a CLUSTER ID is changed, all iBGP sessions are restarted. When a route reflector client is enabled/disabled, the session is restarted.  G8264 Application Guide for ENOS 8.4...
Page 537: Forming Bgp Peer Routers
For each Internet host, you must be able to send a packet to that host, and that host has to have a path back to you. This means that whoever provides Internet connectivity to that host must have a path to you. Ultimately, this means that they must “hear a route” which covers the section of the IPv4 space you are using; otherwise, you will not have connectivity to the host in question. Static Peers You can configure BGP static peers by using the following commands: RS G8264(config)# router bgp RS G8264(configrouterbgp)# neighbor <1‐96> remoteaddress <IP address> RS G8264(configrouterbgp)# neighbor <1‐96> remoteas <1‐65535> RS G8264(configrouterbgp)# no neighbor <1‐96> shutdown Static peers always take precedence over dynamic peers. Consider the following:  If the remote address of an incoming BGP connection matches both a static peer address and an IP address from a dynamic group, the peer is configured statically and not dynamically.  If a new static peer is enabled while a dynamic peer for the same remote address exists, BGP automatically removes the dynamic peer.  If a new static peer is enabled when the maximum number of BGP peers were already configured, then BGP deletes the dynamic peer that was last created and adds the newly created static peer. A syslog will be generated for the peer that was deleted. © Copyright Lenovo 2016 Chapter 34: Border Gateway Protocol...
Page 538: Dynamic Peers
Dynamic Peers To configure dynamic peers, you must define a range of IP addresses for a group. BGP waits to receive an open message initiated from BGP speakers within that range. Dynamic peers are automatically created when a peer group member accepts the incoming BGP connection. Dynamic peers are passive. When they are not in the established state, they accept inbound connections but do not initiate outbound connections. You can configure up to 6 AS numbers per group. When the BGP speaker receives an open message from a dynamic peer, the AS number from the packet must match one of the remote AS numbers configured on the corresponding group. When you delete a remote AS number, all dynamic peers established from that remote AS will be deleted. You can define attributes for the dynamic peers only at the group level. You cannot configure attributes for any one dynamic peer. All static peer attributes, except the BGP passive mode, can also be configured for groups. To set the maximum number of dynamic peers for a group that can simultaneously be in an established state, enter the following command: RS G8264(configrouterbgp)# neighbor group <1‐8> listen limit <1‐96> If you reset this limit to a lower number, and if the dynamic peers already established for the group are higher than this new limit, then BGP deletes the last created dynamic peer(s) until the new limit is reached. Note: The maximum number of static and dynamic peers established simultaneously cannot exceed the maximum peers, i.e. 96, that the switch can support. If the maximum peers are established, no more dynamic peers will be enabled even if the maximum dynamic peers limit you had configured for the groups was not reached. Configuring Dynamic Peers Following are the basic commands for configuring dynamic peers: RS G8264(config)# router bgp RS G8264(configrouterbgp)# neighbor group <1‐8> listen range <IP address> <subnet mask> (Define IP address range) RS G8264(configrouterbgp)# neighbor group <1‐8> remoteas <1‐65535> alternateas <1‐65535> (Enter up to 5 ...
Page 539 The stop command interrupts the BGP connection until the peer tries to re‐establish the connection. Also, when a dynamic peer state changes from established to idle, BGP removes the dynamic peer. © Copyright Lenovo 2016 Chapter 34: Border Gateway Protocol...
Page 540: Loopback Interfaces
Loopback Interfaces In many networks, multiple connections may exist between network devices. In such environments, it may be useful to employ a loopback interface for a common BGP router address, rather than peering the switch to each individual interface. Note: To ensure that the loopback interface is reachable from peer devices, it must be advertised using an interior routing protocol (such as OSPF), or a static route must be configured on the peer. To configure an existing loopback interface for BGP neighbor, use the following commands: RS G8264(config)# router bgp RS G8264(configrouterbgp)# neighbor <#> updatesource loopback <1‐5> RS G8264(configrouterbgp)# exit What is a Route Map? A route map is used to control and modify routing information. Route maps define conditions for redistributing routes from one routing protocol to another or controlling routing information when injecting it in and out of BGP. For example, a route map is used to set a preference value for a specific route from a peer router and another preference value for all other routes learned via the same peer router. For example, the following command is used to enter the Route Map mode for defining a route map: RS G8264(config)# routemap <map number>(Select a route map) A route map allows you to match attributes, such as metric, network address, and AS number. It also allows users to overwrite the local preference metric and to append the AS number in the AS route. See “BGP Failover Configuration” on page 549. Enterprise NOS allows you to configure 255 route maps. Each route map can have up to 32 access lists. Each access list consists of a network filter. A network filter defines an IPv4 address and subnet mask of the network that you want to include in the filter. Figure 45 illustrates the relationship between route maps, access lists, ...
Page 541: Next Hop Peer Ip Address
Route Map 255 Next Hop Peer IP Address Next hop peer IP address can be configured only for route maps used in BGP. When a route map is applied on ingress, the next hop of learnt routes is replaced with peer IP address. When applied on egress, the next hop of the redistributed routes is replaced with the local IP address. RS G8264(config)# routemap <map number> RS G8264(configroutermap)# set ip nexthop <peer IP address> Incoming and Outgoing Route Maps You can have two types of route maps: incoming and outgoing. A BGP peer router can be configured to support up to eight route maps in the incoming route map list and outgoing route map list. If a route map is not configured in the incoming route map list, the router imports all BGP updates. If a route map is configured in the incoming route map list, the router ignores all unmatched incoming updates. If you set the action to deny, you must add another route map to permit all unmatched updates. Route maps in an outgoing route map list behave similar to route maps in an incoming route map list. If a route map is not configured in the outgoing route map list, all routes are advertised or permitted. If a route map in the outgoing route map list is set to permit, matched routes are advertised and unmatched routes are ignored. © Copyright Lenovo 2016 Chapter 34: Border Gateway Protocol...
Page 542: Precedence
Precedence You can set a priority to a route map by specifying a precedence value with the following command (Route Map mode): RS G8264(config)# routemap <map number>(Select a route map) RS G8264(configroutemap)# precedence <1‐255>(Specify a precedence) RS G8264(configroutemap)# exit The smaller the value the higher the precedence. If two route maps have the same precedence value, the smaller number has higher precedence. Configuration Overview To configure route maps, you need to do the following: 1. Define a network filter. RS G8264(config)# ip matchaddress 1 <IPv4 address> <IPv4 subnet mask> RS G8264(config)# ip matchaddress 1 enable Enter a filter number from 1 to 256. Specify the IPv4 address and subnet mask of the network that you want to match. Enable the network filter. You can distribute up to 256 network filters among 64 route maps each containing 32 access lists. Steps 2 and 3 are optional, depending on the criteria that you want to match. In Step 2, the network filter number is used to match the subnets defined in the network filter. In Step 3, the autonomous system number is used to match the subnets. Or, you can use both (Step 2 and Step 3) criteria: access list (network filter) and access path (AS filter) to configure the route maps. 2. (Optional) Define the criteria for the access list and enable it. Specify the access list and associate the network filter number configured in Step 1. RS G8264(config)# routemap 1 RS G8264(configroutemap)# accesslist 1 matchaddress 1 RS G8264(configroutemap)# accesslist 1 metric <metric value> RS G8264(configroutemap)# accesslist 1 action deny RS G8264(configroutemap)# accesslist 1 enable 3.
Page 543 RS G8264(configroutemap)# exit 6. Turn BGP on. RS G8264(config)# router bgp RS G8264(configrouterbgp)# enable 7. Assign the route map to a peer router. Select the peer router and then add the route map to the incoming route map list, RS G8264(configrouterbgp)# neighbor 1 routemap in <1‐255> or to the outgoing route map list. RS G8264(configrouterbgp)# neighbor 1 routemap out <1‐255 8. Exit Router BGP mode. RS G8264(configrouterbgp)# exit © Copyright Lenovo 2016 Chapter 34: Border Gateway Protocol...
Page 544: Aggregating Routes
Aggregating Routes Aggregation is the process of combining several different routes in such a way that a single route can be advertised, which minimizes the size of the routing table. You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by creating an aggregate entry in the BGP routing table. To define an aggregate route in the BGP routing table, use the following commands: RS G8264(config)# router bgp RS G8264(configrouterbgp)# aggregateaddress <1‐16> <IPv4 address> <mask> RS G8264(configrouterbgp)# aggregateaddress enable <1‐16> An example of creating a BGP aggregate route is shown in “Default Redistribution and Route Aggregation Example” on page 551. Redistributing Routes In addition to running multiple routing protocols simultaneously, ENOS software can redistribute information from one routing protocol to another. For example, you can instruct the switch to use BGP to re‐advertise static routes. This applies to all of the IP‐based routing protocols. You can also conditionally control the redistribution of routes between routing domains by defining a method known as route maps between the two domains. ...
Page 545: Bgp Communities
To remove configured communities on a routemap, use the following command: RS G8264(configroutemap)# no set community Prefixes with communities are propagated unchanged if there is no routemap that alters the community attribute and if the neighbor has community tags forwarding enabled. To enable or disable community tags forwarding for specific neighbors or neighbor groups, use the following commands: RS G8264(config)# router bgp RS G8264(configrouterbgp)# neighbor 5 sendcommunity RS G8264(configrouterbgp)# no neighbor 6 sendcommunity RS G8264(configrouterbgp)# neighbor group 1 sendcommunity RS G8264(configrouterbgp)# no neighbor group 2 sendcommunity © Copyright Lenovo 2016 Chapter 34: Border Gateway Protocol...
Page 546: Bgp Attributes
BGP Attributes The following BGP attributes are discussed in this section: Local preference, metric (Multi‐Exit Discriminator), and Next hop. Local Preference Attribute When there are multiple paths to the same destination, the local preference attribute indicates the preferred path. The path with the higher preference is preferred (the default value of the local preference attribute is 100). Unlike the weight attribute, which is only relevant to the local router, the local preference attribute is part of the routing update and is exchanged among routers in the same The local preference attribute can be set in one of two ways:  The following commands use the BGP default local preference method, affecting the outbound direction only. RS G8264(config)# router bgp RS G8264(config_router_bgp)# localpreference RS G8264(config_router_bgp)# exit  The following commands use the route map local preference method, which affects both inbound and outbound directions. RS G8264(config)# routemap 1 RS G8264(config_route_map)# localpreference RS G8264(config_router_map)# exit Metric (Multi-Exit Discriminator) Attribute...
Page 547: Next Hop Attribute
Next Hop Attribute BGP routing updates sent to a neighbor contain the next hop IP address used to reach a destination. In eBGP, the edge router, by default, sends its own IP address as the next hop address. However, this can sometimes cause routing path failures in Non‐Broadcast Multiaccess Networks (NBMA) and when the edge router sends iBGP updates. To avoid routing failures, you can manually configure the next hop IP address. In case of NBMA networks, you can configure the external BGP speaker to advertise its own IP address as the next hop. In case of iBGP updates, you can configure the edge iBGP router to send its IP address as the next hop. Next hop can be configured on a BGP peer or a peer group. Use the following commands:  Next Hop for a BGP Peer RS G8264(config)# router bgp RS G8264(configrouterbgp)# neighbor <number> nexthopself  Next Hop for a BGP Peer Group: RS G8264(config)# router bgp RS G8264(configrouterbgp)# neighbor group <number> nexthopself © Copyright Lenovo 2016 Chapter 34: Border Gateway Protocol...
Page 548: Selecting Route Paths In Bgp
Selecting Route Paths in BGP BGP selects only one path as the best path. It does not rely on metric attributes to determine the best path. When the same network is learned via more than one BGP peer, BGP uses its policy for selecting the best route to that network. The BGP implementation on the G8264 uses the following criteria to select a path when the same route is received from multiple peers. 1. Local fixed and static routes are preferred over learned routes. 2. With iBGP peers, routes with higher local preference values are selected. 3. In the case of multiple routes of equal preference, the route with lower AS path weight is selected. AS path weight = 128 x AS path length (number of autonomous systems traversed). 4. In the case of equal weight and routes learned from peers that reside in the same AS, the lower metric is selected. Note: A route with a metric is preferred over a route without a metric. 5. The lower cost to the next hop of routes is selected. 6. In the case of equal cost, the eBGP route is preferred over iBGP. 7. If all routes have same route type (eBGP or iBGP), the route with the lower router ID is selected. When the path is selected, BGP puts the selected path in its routing table and propagates the path to its neighbors. Equal Cost Multi-Path BGP can be configured to load balance the traffic over multiple paths if first six steps in path selection are identical and the next‐hop of the route differs. Multipath Relax BGP multipath relax functionality allows load balancing across routes with different autonomous system paths, but equal in length (same as‐path length). ...
Page 549: Bgp Failover Configuration
Figure 46. BGP Failover Configuration Example Switch IP: 200.200.200.1 IP: 210.210.210.1 BladeCenter Server 1 Server 2 IP: 200.200.200.10 IP: 200.200.200.11 On the G8264, one peer router (the secondary one) is configured with a longer AS path than the other, so that the peer with the shorter AS path will be seen by the switch as the primary default gateway. ISP 2, the secondary peer, is configured with a metric of “3,” thereby appearing to the switch to be three router hops away. 1. Define the VLANs. For simplicity, both default gateways are configured in the same VLAN in this example. The gateways could be in the same VLAN or different VLANs RS G8264(config)# vlan 1 © Copyright Lenovo 2016 Chapter 34: Border Gateway Protocol...
Page 550 2. Define the IP interfaces with IPv4 addresses. The switch will need an IP interface for each default gateway to which it will be connected. Each interface must be placed in the appropriate VLAN. These interfaces will be used as the primary and secondary default gateways for the switch. RS G8264(config)# interface ip 1 RS G8264(configipif)# ip address 200.200.200.1 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 2 RS G8264(configipif)# ip address 210.210.210.1 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# enable RS G8264(configipif)# exit 3. Enable IP forwarding. IP forwarding is turned on by default and is used for VLAN‐to‐VLAN (non‐BGP) routing. Make sure IP forwarding is on if the default gateways are on different subnets or if the switch is connected to different subnets and those subnets need to communicate through the switch (which they almost always do). RS G8264(config)# ip routing Note: To help eliminate the possibility for a Denial of Service (DoS) attack, the forwarding of directed broadcasts is disabled by default. 4. Configure BGP peer router 1 and 2 with IPv4 addresses. RS G8264(config)# router bgp RS G8264RS G8264(configrouterbgp)# neighbor 1 remoteaddress ...
Page 551: Default Redistribution And Route Aggregation Example
RS G8264(configrouterbgp)# as 135 RS G8264(configrouterbgp)# exit RS G8264(config)# ip routerid 10.1.1.135 3. Configure internal peer router 1 and external peer router 2 with IPv4 addresses. RS G8264(config)# router bgp RS G8264RS G8264(configrouterbgp)# neighbor 1 remoteaddress 10.1.1.4 RS G8264(configrouterbgp)# neighbor 1 remoteas 135 RS G8264(configrouterbgp)# no neighbor 1 shutdown RS G8264RS G8264(configrouterbgp)# neighbor 2 remoteaddress 20.20.20.2 RS G8264(configrouterbgp)# neighbor 2 remoteas 200 RS G8264(configrouterbgp)# no neighbor 2 shutdown 4. Configure redistribution for Peer 1. RS G8264(configrouterbgp)# neighbor 1 redistribute defaultaction redistribute RS G8264(configrouterbgp)# neighbor 1 redistribute fixed © Copyright Lenovo 2016 Chapter 34: Border Gateway Protocol...
Page 552 5. Configure aggregation policy control. Configure the IPv4 routes that you want aggregated. RS G8264(configrouterbgp)# aggregateaddress 1 135.0.0.0 255.0.0.0 RS G8264(configrouterbgp)# aggregateaddress 1 enable G8264 Application Guide for ENOS 8.4...
Page 553: Chapter 35. Open Shortest Path First
Chapter 35. Open Shortest Path First Lenovo Enterprise Network Operating System supports the Open Shortest Path First (OSPF) routing protocol. The Enterprise NOS implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583, and OSPF version 3 specifications in RFC 5340. The following sections discuss OSPF support for the RackSwitch G8264:  “OSPFv2 Overview” on page 554. This section provides information on OSPFv2 concepts, such as types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing.  “OSPFv2 Implementation in Enterprise NOS” on page 559. This section describes how OSPFv2 is implemented in ENOS, such as configuration parameters, electing the designated router, summarizing routes, defining route maps and so forth. “OSPFv2 Configuration Examples” on page 569. This section provides  step‐by‐step instructions on configuring different OSPFv2 examples: Creating a simple OSPF domain  Creating virtual links  Summarizing routes   “OSPFv3 Implementation in Enterprise NOS” on page 578. This section describes differences and additional features found in OSPFv3. © Copyright Lenovo 2016...
Page 554: Ospfv2 Overview
OSPFv2 Overview OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. All routing devices maintain link information in their own Link State Database (LSDB). OSPF allows networks to be grouped together into an area. The topology of an area is hidden from the rest of the AS, thereby reducing routing traffic. Routing within an area is determined only by the area’s own topology, thus protecting it from bad routing data. An area can be generalized as an IP subnetwork. The following sections describe key OSPF concepts. Types of OSPF Areas An AS can be broken into logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. As shown in Figure 48, OSPF defines the following types of areas: Stub Area—an area that is connected to only one other area. External route  information is not distributed into stub areas.  Not‐So‐Stubby‐Area (NSSA)—similar to a stub area with additional capabilities. Routes originating from within the NSSA can be propagated to adjacent transit and backbone areas. External routes from outside the AS can be advertised within the NSSA but can be configured to not be distributed into other areas.  Transit Area—an area that carries data traffic which neither originates nor terminates in the area itself. G8264 Application Guide for ENOS 8.4...
Page 555: Types Of Ospf Routing Devices
Connected to Backbone Boundary Router via Virtual Link Non-OSPF Area RIP/BGP AS Types of OSPF Routing Devices As shown in Figure 49, OSPF uses the following types of routing devices:  Internal Router (IR)—a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices within the local area.  Area Border Router (ABR)—a router that has interfaces in multiple areas. ABRs maintain one LSDB for each connected area and disseminate routing information between areas. Autonomous System Boundary Router (ASBR)—a router that acts as a gateway  between the OSPF domain and non‐OSPF domains, such as RIP, BGP, and static routes. © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 556: Neighbors And Adjacencies
Figure 49. OSPF Domain and an Autonomous System OSPF Autonomous System Backbone Area 3 Area 0 Inter-Area Routes External (Summary Routes) ASBR Routes Internal ASBR Router Area 1 Area 2 Neighbors and Adjacencies In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each others’ state. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces. All routing devices that share a common network segment, appear in the same area, and have the same health parameters (hello and dead intervals) and authentication parameters respond to each other’s hello packets and become neighbors. Neighbors continue to send periodic hello packets to advertise their health to neighbors. In turn, they listen to hello packets to determine the health of their neighbors and to establish contact with new neighbors. The hello process is used for electing one of the neighbors as the network segment’s Designated Router (DR) and one as the network segment’s Backup Designated Router (BDR). The DR is adjacent to all other neighbors on that specific network ...
Page 557 When LSAs result in changes to the routing device’s LSDB, the routing device forwards the changes to the adjacent neighbors (the DR and BDR) for distribution to the other neighbors. OSPF routing updates occur only when changes occur, instead of periodically. For each new route, if a neighbor is interested in that route (for example, if configured to receive static routes and the new route is indeed static), an update message containing the new route is sent to the adjacency. For each route removed from the route table, if the route has already been sent to a neighbor, an update message containing the route to withdraw is sent. © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 558: The Shortest Path First Tree
The Shortest Path First Tree The routing devices use a link‐state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination. The cost of an individual interface in OSPF is an indication of the overhead required to send packets across it. Internal Versus External Routing To ensure effective processing of network traffic, every routing device on your network needs to know how to send a packet (directly or indirectly) to any other location/destination in your network. This is referred to as internal routing and can be done with static routes or using active internal routing protocols, such as OSPF, RIP, or RIPv2. It is also useful to tell routers outside your network (upstream providers or peers) about the routes you have access to in your network. Sharing of routing information between autonomous systems is known as external routing. Typically, an AS will have one or more border routers (peer routers that exchange routes with other OSPF networks) as well as an internal routing system enabling every router in that AS to reach every other router and destination within that AS. When a routing device advertises routes to boundary routers on other autonomous systems, it is effectively committing to carry data to the IP space represented in the route being advertised. For example, if the routing device advertises 192.204.4.0/24, it is declaring that if another router sends data destined for any address in the 192.204.4.0/24 range, it will carry that data to its destination. G8264 Application Guide for ENOS 8.4...
Page 559: Ospfv2 Implementation In Enterprise Nos
“Authentication” on page 565 Configurable Parameters In ENOS, OSPF parameters can be configured through the Industry Standard Command Line Interfaces (ISCLI), Browser‐Based Interface (BBI), or through SNMP. For more information, see Chapter 1, “Switch Administration.” The ISCLI supports the following parameters: interface output cost, interface priority, dead and hello intervals, retransmission interval, and interface transmit delay. In addition to the preceding parameters, you can specify the following:  Shortest Path First (SPF) interval—Time interval between successive calculations of the shortest path tree using the Dijkstra’s algorithm. Stub area metric—A stub area can be configured to send a numeric metric value  such that all routes received via that stub area carry the configured metric to potentially influence routing decisions.  Default routes—Default routes with weight metrics can be manually injected into transit areas. This helps establish a preferred route when multiple routing devices exist between two areas. It also helps route traffic to external networks.  Passive—When enabled, the interface sends LSAs to upstream devices, but does not otherwise participate in OSPF protocol exchanges.  Point‐to‐Point—For LANs that have only two OSPF routing agents (the G8264 and one other device), this option allows the switch to significantly reduce the amount of routing information it must carry and manage. © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 560: Defining Areas
Defining Areas If you are configuring multiple areas in your OSPF domain, one of the areas must be designated as area 0, known as the backbone. The backbone is the central OSPF area and is usually physically connected to all other areas. The areas inject routing information into the backbone which, in turn, disseminates the information into other areas. Since the backbone connects the areas in your network, it must be a contiguous area. If the backbone is partitioned (possibly as a result of joining separate OSPF networks), parts of the AS will be unreachable, and you will need to configure virtual links to reconnect the partitioned areas (see “Virtual Links” on page 563). Up to 20 OSPF areas can be connected to the G8264 with ENOS software. To configure an area, the OSPF number must be defined and then attached to a network interface on the switch. The full process is explained in the following sections. An OSPF area is defined by assigning two pieces of information: an area index and an area ID. The commands to define and enable an OSPF area are as follows: RS G8264(config)# router ospf <area index> <n.n.n.n> RS G8264(configrouterospf)# area areaid <area index> RS G8264(configrouterospf)# area enable RS G8264(configrouterospf)# exit Note: The area option is an arbitrary index used only on the switch and does not represent the actual OSPF area number. The actual OSPF area number is defined in the area portion of the command as explained in the following sections. Assigning the Area Index The area <area index> option is actually just an arbitrary index (0‐19) used only by the G8264. This index number does not necessarily represent the OSPF area ...
Page 561: Using The Area Id To Assign The Ospf Area Number
For example, the following commands could be used to configure IP interface 14 to use 10.10.10.1 on the 10.10.10.0/24 network, to define OSPF area 1, and to attach the area to the network: RS G8264(config)# router ospf RS G8264(configrouterospf)# area 1 areaid 0.0.0.1 RS G8264(configrouterospf)# area 1 enable RS G8264(configrouterospf)# enable RS G8264(configrouterospf)# exit RS G8264(config)# interface ip 14 RS G8264(configipif)# ip address 10.10.10.1 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# enable RS G8264(configipif)# ip ospf area 1 RS G8264(configipif)# ip ospf enable Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Enterprise NOS” on page 578). © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 562: Interface Cost
Interface Cost The OSPF link‐state algorithm (Dijkstra’s algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. You can manually enter the cost for the output route with the following command (Interface IP mode): RS G8264(configipif)# ip ospf cost <cost value (1‐65535)> Electing the Designated Router and Backup In any broadcast type subnet, a Designated Router (DR) is elected as the central contact for database exchanges among neighbors. On subnets with more the one device, a Backup Designated Router (BDR) is elected in case the DR fails. DR and BDR elections are made through the hello process. The election can be influenced by assigning a priority value to the OSPF interfaces on the G8264. The command is as follows: RS G8264(configipif)# ip ospf priority <priority value (0‐255)> A priority value of 255 is the highest, and 1 is the lowest. A priority value of 0 specifies that the interface cannot be used as a DR or BDR. In case of a tie, the routing device with the highest router ID wins. Interfaces configured as passive do not participate in the DR or BDR election process: RS G8264(configipif)# ip ospf passiveinterface RS G8264(configipif)# exit Summarizing Routes Route summarization condenses routing information. Without summarization, each routing device in an OSPF network would retain a route to every subnet in the network. With summarization, routing devices can reduce some sets of routes to a single advertisement, reducing both the load on the routing device and the perceived complexity of the network. The importance of route summarization increases with network size. Summary routes can be defined for up to 16 IP address ranges using the following command: RS G8264(config)# router ospf RS G8264(configrouterospf)# arearange <range number> address <IP address> ...
Page 563: Default Routes
Each G8264 acting as an ABR automatically inserts a default route into stub and NSSA attached areas. In simple OSPF stub areas or NSSAs with only one ABR leading upstream (see Area 1 in Figure 50), any traffic for IP address destinations outside the area is forwarded to the switch’s IP interface, and then into the connected transit area (usually the backbone). Since this is automatic, no further configuration is required for such areas. Figure 50. Injecting Default Routes If the switch is in a transit area and has a configured default gateway, it can inject a default route into rest of the OSPF domain. Use the following command to configure the switch to inject OSPF default routes (Router OSPF mode): RS G8264(configrouterospf)# defaultinformation <metric value> <metric type (1 or 2)> In this command, <metric value> sets the priority for choosing this switch for default route. The value none sets no default and 1 sets the highest priority for default route. Metric type determines the method for influencing routing decisions for external routes. When the switch is configured to inject a default route, an AS‐external LSA with link state ID 0.0.0.0 is propagated throughout the OSPF routing domain. This LSA is sent with the configured metric value and metric type. The OSPF default route configuration can be removed with the command: RS G8264(configrouterospf)# no defaultinformation © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 564: Virtual Links
Virtual Links Usually, all areas in an OSPF AS are physically connected to the backbone. In some cases where this is not possible, you can use a virtual link. Virtual links are created to connect one area to the backbone through another non‐backbone area (see Figure 48 on page 555). The area which contains a virtual link must be a transit area and have full routing information. Virtual links cannot be configured inside a stub area or NSSA. The area type must be defined as transit using the following command: RS G8264(configrouterospf)# area <area index> type transit The virtual link must be configured on the routing devices at each endpoint of the virtual link, though they may traverse multiple routing devices. To configure a G8264 as one endpoint of a virtual link, use the following command: RS G8264(configrouterospf)# areavirtuallink <link number> neighborrouter <router ID> where <link number> is a value between 1 and 3, <area index> is the OSPF area index of the transit area, and <router ID> is the router ID of the virtual neighbor, the routing device at the target endpoint. Another router ID is needed when configuring a virtual link in the other direction. To provide the G8264 with a router ID, see the following section Router ID. For a detailed configuration example on Virtual Links, see “Example 2: Virtual Links” on page 572. Router ID Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP address format. The IP address of the router ID is not required to be included in any IP interface range or in any OSPF area, and may even use the G8264 loopback interface. The router ID can be configured in one of the following two ways:  Dynamically—OSPF protocol configures the lowest IP interface IP address as the router ID (loopback interface has priority over the IP interface). This is the default. ...
Page 565: Authentication
Authentication OSPF protocol exchanges can be authenticated so that only trusted routing devices can participate. This ensures less processing on routing devices that are not listening to OSPF packets. OSPF allows packet authentication and uses IP multicast when sending and receiving packets. Routers participate in routing domains based on pre‐defined passwords. ENOS supports simple password (type 1 plain text passwords) and MD5 cryptographic authentication. This type of authentication allows a password to be configured per interface. We strongly recommend that you implement MD5 cryptographic authentication as a best practice. Figure 51 shows authentication configured for area 0 with the password test. Simple authentication is also configured for the virtual link between area 2 and area 0. Area 1 is not configured for OSPF authentication. Figure 51. OSPF Authentication Switch 2 Switch 1 Switch 3 Switch 5 key=blade Switch 4 © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 566: Configuring Plain Text Ospf Passwords
Configuring Plain Text OSPF Passwords To configure simple plain text OSPF passwords on the switches shown in Figure 51 use the following commands: 1. Enable OSPF authentication for Area 0 on switches 1, 2, and 3. RS G8264(configrouterospf)# area 0 authenticationtype password RS G8264(configrouterospf)# exit 2. Configure a simple text password up to eight characters for each OSPF IP interface in Area 0 on switches 1, 2, and 3. RS G8264(config)# interface ip 1 RS G8264(configipif)# ip ospf key test RS G8264(configipif)# exit RS G8264(config)# interface ip 2 RS G8264(configipif)# ip ospf key test RS G8264(configipif)# exit RS G8264(config)# interface ip 3 RS G8264(configipif)# ip ospf key test RS G8264(configipif)# exit 3. Enable OSPF authentication for Area 2 on switch 4. RS G8264(config)# router ospf RS G8264(configrouterospf)# area 2 authenticationtype password 4.
Page 567: Host Routes For Load Balancing
RS G8264(configrouterospf)# areavirtuallink 1 messagedigestkey 2 RS G8264(configrouterospf)# exit Host Routes for Load Balancing ENOS implementation of OSPF includes host routes. Host routes are used for advertising network device IP addresses to external networks, accomplishing the following goals:  ABR Load Sharing As a form of load balancing, host routes can be used for dividing OSPF traffic among multiple ABRs. To accomplish this, each switch provides identical services but advertises a host route for a different IP address to the external network. If each IP address serves a different and equal portion of the external world, incoming traffic from the upstream router must be split evenly among ABRs.  ABR Failover Complementing ABR load sharing, identical host routes can be configured on each ABR. These host routes can be given different costs so that a different ABR is selected as the preferred route for each server and the others are available as backups for failover purposes.  Equal Cost Multipath (ECMP) With equal cost multipath, a router potentially has several available next hops towards any given destination. ECMP allows separate routes to be calculated for each IP Type of Service. All paths of equal cost to a given destination are calcu‐ lated, and the next hops for all equal‐cost paths are inserted into the routing table. © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 568: Loopback Interfaces In Ospf
Loopback Interfaces in OSPF A loopback interface is an IP interface which has an IP address, but is not associated with any particular physical port. The loopback interface is thus always available to the general network, regardless of which specific ports are in operation. Because loopback interfaces are always available on the switch, loopback interfaces may present an advantage when used as the router ID. If dynamic router ID selection is used (see “Router ID” on page 564) loopback interfaces can be used to force router ID selection. If a loopback interface is configured, its IP address is automatically selected as the router ID, even if other IP interfaces have lower IP addresses. If more than one loopback interface is configured, the lowest loopback interface IP address is selected. Loopback interfaces can be advertised into the OSPF domain by specifying an OSPF host route with the loopback interface IP address. To enable OSPF on an existing loopback interface: RS G8264(config)# interface loopback <1‐5> RS G8264(configiploopback)# ip ospf area <area ID> RS G8264(configiploopback)# ip ospf enable RS G8264(configiploopback)# exit OSPF Features Not Supported in This Release The following OSPF features are not supported in this release:  Summarizing external routes Filtering OSPF routes   Using OSPF to forward multicast routes Configuring OSPF on non‐broadcast multi‐access networks (such as frame relay, ...
Page 569: Ospfv2 Configuration Examples
OSPFv2 Configuration Examples A summary of the basic steps for configuring OSPF on the G8264 is listed here. Detailed instructions for each of the steps is covered in the following sections: 1. Configure IP interfaces. One IP interface is required for each desired network (range of IP addresses) being assigned to an OSPF area on the switch. 2. (Optional) Configure the router ID. 3. Enable OSPF on the switch. 4. Define the OSPF areas. 5. Configure OSPF interface parameters. IP interfaces are used for attaching networks to the various areas. 6. (Optional) Configure route summarization between OSPF areas. 7. (Optional) Configure virtual links. 8. (Optional) Configure host routes. © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 570: Example 1: Simple Ospf Domain
Example 1: Simple OSPF Domain In this example, two OSPF areas are defined—one area is the backbone and the other is a stub area. A stub area does not allow advertisements of external routes, thus reducing the size of the database. Instead, a default summary route of IP address 0.0.0.0 is automatically inserted into the stub area. Any traffic for IP address destinations outside the stub area will be forwarded to the stub area’s IP interface, and then into the backbone. Figure 52. A Simple OSPF Domain Network Network 10.10.12.0/24 10.10.7.0/24 Follow this procedure to configure OSPF support as shown in Figure 1. Configure IP interfaces on each network that will be attached to OSPF areas. In this example, two IP interfaces are needed:  Interface 1 for the backbone network on 10.10.7.0/24  Interface 2 for the stub area network on 10.10.12.0/24 RS G8264(config)# interface ip 1 RS G8264(configipif)# ip address 10.10.7.1 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 2 RS G8264(configipif)# ip address 10.10.12.1 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# enable RS G8264(configipif)# exit...
Page 571 4. Define the stub area. RS G8264(configrouterospf)# area 1 areaid 0.0.0.1 RS G8264(configrouterospf)# area 1 type stub RS G8264(configrouterospf)# area 1 enable RS G8264(configrouterospf)# exit 5. Attach the network interface to the backbone. RS G8264(config)# interface ip 1 RS G8264(configipif)# ip ospf area 0 RS G8264(configipif)# ip ospf enable RS G8264(configipif)# exit 6. Attach the network interface to the stub area. RS G8264(config)# interface ip 2 RS G8264(configipif)# ip ospf area 1 RS G8264(configipif)# ip ospf enable RS G8264(configipif)# exit © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 572: Example 2: Virtual Links
Example 2: Virtual Links In the example shown in Figure 53, area 2 is not physically connected to the backbone as is usually required. Instead, area 2 will be connected to the backbone via a virtual link through area 1. The virtual link must be configured at each endpoint. Figure 53. Configuring a Virtual Link Switch 1 Switch 1 Switch 2 Switch 2 Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Enterprise NOS” on page 578). Configuring OSPF for a Virtual Link on Switch #1 1. Configure IP interfaces on each network that will be attached to the switch. In this example, two IP interfaces are needed:  Interface 1 for the backbone network on 10.10.7.0/24 Interface 2 for the transit area network on 10.10.12.0/24 ...
Page 573: Configuring Ospf For A Virtual Link On Switch #2
RS G8264(configipif)# exit 8. Configure the virtual link. The nbr router ID configured in this step must be the same as the router ID that will be configured for Switch #2 in Step 2 on page 574. RS G8264(config)# router ospf RS G8264(configrouterospf)# areavirtuallink 1 area 1 RS G8264(configrouterospf)# areavirtuallink 1 neighborrouter 10.10.14.1 RS G8264(configrouterospf)# areavirtuallink 1 enable Configuring OSPF for a Virtual Link on Switch #2 1. Configure IP interfaces on each network that will be attached to OSPF areas. In this example, two IP interfaces are needed:  Interface 1 for the transit area network on 10.10.12.0/24 © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 574  Interface 2 for the stub area network on 10.10.24.0/24 RS G8264(config)# interface ip 1 RS G8264(configipif)# ip address 10.10.12.2 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# vlan 10 RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 2 RS G8264(configipif)# ip address 10.10.24.1 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# vlan 20 RS G8264(configipif)# enable RS G8264(configipif)# exit 2. Configure the router ID. A router ID is required when configuring virtual links. This router ID must be the same one specified as the target virtual neighbor (nbr) on switch 1 in Step 8 on page 573. RS G8264(config)# ip routerid 10.10.14.1 3. Enable OSPF. RS G8264(config)# router ospf RS G8264(configrouterospf)# enable 4.
Page 575: Other Virtual Link Options
RS G8264(configipif)# ip ospf area 2 RS G8264(configipif)# ip ospf enable RS G8264(configipif)# exit 9. Configure the virtual link. The nbr router ID configured in this step must be the same as the router ID that was configured for switch #1 in Step 2 on page 572. RS G8264(config)# router ospf RS G8264(configrouterospf)# areavirtuallink 1 area 1 RS G8264(configrouterospf)# areavirtuallink 1 neighborrouter 10.10.10.1 RS G8264(configrouterospf)# areavirtuallink 1 enable Other Virtual Link Options  You can use redundant paths by configuring multiple virtual links.  Only the endpoints of the virtual link are configured. The virtual link path may traverse multiple routers in an area as long as there is a routable path between the endpoints. © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 576: Example 3: Summarizing Routes
Example 3: Summarizing Routes By default, ABRs advertise all the network addresses from one area into another area. Route summarization can be used for consolidating advertised addresses and reducing the perceived complexity of the network. If network IP addresses in an area are assigned to a contiguous subnet range, you can configure the ABR to advertise a single summary route that includes all individual IP addresses within the area. The following example shows one summary route from area 1 (stub area) injected into area 0 (the backbone). The summary route consists of all IP addresses from 36.128.192.0 through 36.128.254.255 except for the routes in the range 36.128.200.0 through 36.128.200.255. Figure 54. Summarizing Routes Notes:  OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Enterprise NOS” on page 578).  You can specify a range of addresses to prevent advertising by using the hide option. In this example, routes in the range 36.128.200.0 through 36.128.200.255 are kept private. Use the following procedure to configure OSPF support as shown in Figure 1. Configure IP interfaces for each network which will be attached to OSPF areas. RS G8264(config)# interface ip 1 RS G8264(configipif)# ip address 10.10.7.1 RS G8264(configipif)# ip netmask 255.255.255.0 RS G8264(configipif)# vlan 10 RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 2 RS G8264(configipif)# ip address 36.128.192.1...
Page 577: Verifying Ospf Configuration
RS G8264(configrouterospf)# exit 8. Use the hide command to prevent a range of addresses from advertising to the backbone. RS G8264(config)# router ospf RS G8264(configrouterospf)# arearange 2 address 36.128.200.0 255.255.255.0 RS G8264(configrouterospf)# arearange 2 area 1 RS G8264(configrouterospf)# arearange 2 hide RS G8264(configrouterospf)# exit Verifying OSPF Configuration Use the following commands to verify the OSPF configuration on your switch: show ip ospf  show ip ospf neighbor  show ip ospf database databasesummary  show ip ospf routes  Refer to the Lenovo Enterprise Network Operating System Command Reference for information on the preceding commands. © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 578: Ospfv3 Implementation In Enterprise Nos
OSPFv3 Implementation in Enterprise NOS OSPF version 3 is based on OSPF version 2, but has been modified to support IPv6 addressing. In most other ways, OSPFv3 is similar to OSPFv2: They both have the same packet types and interfaces, and both use the same mechanisms for neighbor discovery, adjacency formation, LSA flooding, aging, and so on. The administrator must be familiar with the OSPFv2 concepts covered in the preceding sections of this chapter before implementing the OSPFv3 differences as described in the following sections. Although OSPFv2 and OSPFv3 are very similar, they represent independent features on the G8264. They are configured separately, and both can run in parallel on the switch with no relation to one another, serving different IPv6 and IPv4 traffic, respectively. The Enterprise NOS implementation conforms to the OSPF version 3 authentication/confidentiality specifications in RFC 4552. OSPFv3 Differences from OSPFv2 Note: When OSPFv3 is enabled, the OSPF backbone area (0.0.0.0) is created by default and is always active. OSPFv3 Requires IPv6 Interfaces OSPFv3 is designed to support IPv6 addresses. This requires IPv6 interfaces to be configured on the switch and assigned to OSPF areas, in much the same way IPv4 interfaces are assigned to areas in OSPFv2. This is the primary configuration difference between OSPFv3 and OSPFv2. See Chapter 29, “Internet Protocol Version 6,” for configuring IPv6 interfaces. OSPFv3 Uses Independent Command Paths Though OSPFv3 and OSPFv2 are very similar, they are configured independently. ...
Page 579: Ospfv3 Identifies Neighbors By Router Id
In this example, one summary route from area 1 (stub area) is injected into area 0 (the backbone). The summary route consists of all IP addresses from the 36::0/32 portion of the 36::0/56 network, except for the routes in the 36::0/8 range. Figure 55. Summarizing Routes Backbone Stub Area Area 0 Area 1 (0.0.0.0) (0.0.0.1) IF 3 IF 4 10::1 36::1 36::0/32 (- 36::0/8) Summary Route 10::0/56 36::0/56 Network Network © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 580 Note: You can specify a range of addresses to prevent advertising by using the hide option. In this example, routes in the 36::0/8 range are kept private. Use the following procedure to configure OSPFv3 support as shown in Figure 1. Configure IPv6 interfaces for each link which will be attached to OSPFv3 areas. RS G8264RS G8264(config)# interface ip 3 (configipif)# ipv6 address 10:0:0:0:0:0:0:1 RS G8264(configipif)# ipv6 prefixlen 56 RS G8264(configipif)# vlan 10 RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 4 RS G8264(configipif)# ip address 36:0:0:0:0:0:1 RS G8264(configipif)# ipv6 prefixlen 56 RS G8264(configipif)# vlan 20 RS G8264(configipif)# enable RS G8264(configipif)# exit This is equivalent to configuring the IP address and netmask for IPv4 interfaces. 2. Enable OSPFv3. RS G8264(config)# ipv6 router ospf RS G8264(configrouterospf3)# enable This is equivalent to the OSPFv2 enable option in the router ospf command path. 3. Define the backbone. RS G8264(configrouterospf3)# area 0 areaid 0.0.0.0 RS G8264(configrouterospf3)# area 0 type transit RS G8264(configrouterospf3)# area 0 enable...
Page 581: Neighbor Configuration Example
RS G8264(configipif)# enable RS G8264(configipif)# ipv6 ospf area 0 RS G8264(configipif)# ipv6 ospf retransmitinterval 5 RS G8264(configipif)# ipv6 ospf transmitdelay 1 RS G8264(configipif)# ipv6 ospf priority 1 RS G8264(configipif)# ipv6 ospf hellointerval 10 RS G8264(configipif)# ipv6 ospf deadinterval 40 RS G8264(configipif)# ipv6 ospf network pointtomultipoint RS G8264(configipif)# ipv6 ospf pollinterval 120 RS G8264(configipif)# ipv6 ospf enable RS G8264(configipif)# exit 2. Enable OSPFv3: RS G8264(config# ipv6 router ospf RS G8264(configrouterospf3)# routerid 12.12.12.12 RS G8264(configrouterospf3)# enable © Copyright Lenovo 2016 Chapter 35: Open Shortest Path First...
Page 582 3. Define the backbone. RS G8264(configrouterospf3)# area 0 areaid 0.0.0.0 RS G8264(configrouterospf3)# area 0 stabilityinterval 40 RS G8264(configrouterospf3)# area 0 defaultmetric 1 RS G8264(configrouterospf3)# area 0 defaultmetric type 1 RS G8264(configrouterospf3)# area 0 translationrole candidate RS G8264(configrouterospf3)# area 0 type transit RS G8264(configrouterospf3)# area 0 enable 4. Configure neighbor entry: RS G8264(configrouterospf3)# neighbor 1 address fe80:0:0:0:dceb:ff:fe00:9 RS G8264(configrouterospf3)# neighbor 1 interface 10 RS G8264(configrouterospf3)# neighbor 1 priority 1 RS G8264(configrouterospf3)# neighbor 1 enable G8264 Application Guide for ENOS 8.4...
Page 583: Chapter 36. Protocol Independent Multicast
Chapter 36. Protocol Independent Multicast Lenovo Enterprise Network Operating System supports Protocol Independent Multicast (PIM) in Sparse Mode (PIM‐SM) and Dense Mode (PIM‐DM). Note: Enterprise NOS 8.4 does not support IPv6 for PIM. The following sections discuss PIM support for the RackSwitch G8264:  “PIM Overview” on page 584  “Supported PIM Modes and Features” on page 585  “Basic PIM Settings” on page 586  “Additional Sparse Mode Settings” on page 589  “Using PIM with Other Features” on page 592  “PIM Configuration Examples” on page 593 © Copyright Lenovo 2016...
Page 584: Pim Overview
PIM Overview PIM is designed for efficiently routing multicast traffic across one or more IPv4 domains. This has benefits for application such as IP television, collaboration, education, and software delivery, where a single source must deliver content (a multicast) to a group of receivers that span both wide‐area and inter‐domain networks. Instead of sending a separate copy of content to each receiver, a multicast derives efficiency by sending only a single copy of content toward its intended receivers. This single copy only becomes duplicated when it reaches the target domain that includes multiple receivers, or when it reaches a necessary bifurcation point leading to different receiver domains. PIM is used by multicast source stations, client receivers, and intermediary routers and switches, to build and maintain efficient multicast routing trees. PIM is protocol independent; It collects routing information using the existing unicast routing functions underlying the IPv4 network, but does not rely on any particular unicast protocol. For PIM to function, a Layer 3 routing protocol (such as BGP, OSPF, RIP, or static routes) must first be configured on the switch. PIM‐SM is a reverse‐path routing mechanism. Client receiver stations advertise their willingness to join a multicast group. The local routing and switching devices collect multicast routing information and forward the request toward the station that will provide the multicast content. When the join requests reach the sending station, the multicast data is sent toward the receivers, flowing in the opposite direction of the original join requests. Some routing and switching devices perform special PIM‐SM functions. Within each receiver domain, one router is elected as the Designated Router (DR) for handling multicasts for the domain. DRs forward information to a similar device, the Rendezvous Point (RP), which holds the root tree for the particular multicast group. Receiver join requests as well as sender multicast content initially converge at the RP, which generates and distributes multicast routing data for the DRs along the delivery path. As the multicast content flows, DRs use the routing tree information obtained from the RP to optimize the paths both to and from send and receive stations, bypassing the RP for the remainder of content transactions if a more efficient route is available. DRs continue to share routing information with the RP, modifying the multicast routing tree when new receivers join, or pruning the tree when all the receivers in any particular domain are no longer part of the multicast group. G8264 Application Guide for ENOS 8.4...
Page 585: Supported Pim Modes And Features
Supported PIM Modes and Features For each interface attached to a PIM network component, PIM can be configured to operate either in PIM Sparse Mode (PIM‐SM) or PIM Dense Mode (PIM‐DM).  PIM‐SM is used in networks where multicast senders and receivers comprise a relatively small (sparse) portion of the overall network. PIM‐SM uses a more complex process than PIM‐DM for collecting and optimizing multicast routes, but minimizes impact on other IP services and is more commonly used. PIM‐DM is used where multicast devices are a relatively large (dense) portion of  the network, with very frequent (or constant) multicast traffic. PIM‐DM requires less configuration on the switch than PIM‐SM, but uses broadcasts that can consume more bandwidth in establishing and optimizing routes. The following PIM modes and features are not currently supported in ENOS 8.4:  Hybrid Sparse‐Dense Mode (PIM‐SM/DM). Sparse Mode and Dense Mode may be configured on separate IP interfaces on the switch, but are not currently supported simultaneously on the same IP interface.  PIM Source‐Specific Multicast (PIM‐SSM) Anycast RP   PIM RP filters Only configuration via the switch ISCLI is supported. PIM configuration is  currently not available using the menu‐based CLI, the BBI, or via SNMP. © Copyright Lenovo 2016 Chapter 36: Protocol Independent Multicast...
Page 586: Basic Pim Settings
Basic PIM Settings To use PIM the following is required:  The PIM feature must be enabled globally on the switch.  PIM network components and PIM modes must be defined.  IP interfaces must be configured for each PIM component.  PIM neighbor filters may be defined (optional).  If PIM‐SM is used, define additional parameters: Rendezvous Point  Designated Router preferences (optional)  Bootstrap Router preferences (optional)  Each of these tasks is covered in the following sections. Note: In ENOS 8.4, PIM can be configured through the ISCLI only. PIM configuration and information are not available using the menu‐based CLI, the BBI, or via SNMP. Globally Enabling or Disabling the PIM Feature By default, PIM is disabled on the switch. PIM can be globally enabled or disabled using the following commands: RS G8264(config)# [no] ip pim enable Defining a PIM Network Component The G8264 can be attached to a maximum of two independent PIM network ...
Page 587: Pim Neighbor Filters
By default, PIM component 1 is automatically assigned when PIM is enabled on the IP interface. Note: While PIM is enabled on the interface, the interface VLAN cannot be changed. To change the VLAN, first disable PIM on the interface. PIM Neighbor Filters The G8264 accepts connection to up to 24 PIM interfaces. By default, the switch accepts all PIM neighbors attached to the PIM‐enabled interfaces, up to the maximum number. Once the maximum is reached, the switch will deny further PIM neighbors. To ensure that only the appropriate PIM neighbors are accepted by the switch, the administrator can use PIM neighbor filters to specify which PIM neighbors may be accepted or denied on a per‐interface basis. To turn PIM neighbor filtering on or off for a particular IP interface, use the following commands: RS G8264(config)# interface ip <Interface number> RS G8264(configipif)# [no] ip pim neighborfilter When filtering is enabled, all PIM neighbor requests on the specified IP interface will be denied by default. To allow a specific PIM neighbor, use the following command: RS G8264(configipif)# ip pim neighboraddr <neighbor IPv4 address> allow To remove a PIM neighbor from the accepted list, use the following command. RS G8264(configipif)# ip pim neighboraddr <neighbor IPv4 address> deny RS G8264(configipif)# exit © Copyright Lenovo 2016 Chapter 36: Protocol Independent Multicast...
Page 588 You can view configured PIM neighbor filters globally or for a specific IP interface using the following commands: RS G8264(config)# show ip pim neighborfilters RS G8264(config)# show ip pim interface <Interface number> neighborfilters G8264 Application Guide for ENOS 8.4...
Page 589: Additional Sparse Mode Settings
RS G8264(configippimcomp)# rpcandidate holdtime <0‐255> RS G8264(configippimcomp)# exit Static RP If RP no election is desired, the switch can provide a static RP. Use the following commands: 1. Enable static RP configuration. RS G8264(config)# ip pim staticrp enable 2. Select the PIM component that will represent the RP candidate: RS G8264(config)# ip pim component <1‐2> 3. Configure the static IPv4 address. RS G8264(configippimcomp)# rpstatic rpaddress <group address> <group address mask> <static IPv4 address> Influencing the Designated Router Selection Using PIM‐SM, All PIM‐enabled IP interfaces are considered as potential Designate Routers (DR) for their domain. By default, the interface with the highest IP address on the domain is selected. However, if an interface is configured with a © Copyright Lenovo 2016 Chapter 36: Protocol Independent Multicast...
Page 590: Specifying A Bootstrap Router
DR priority value, it overrides the IP address selection process. If more than one interface on a domain is configured with a DR priority, the one with the highest number is selected. Use the following commands to configure the DR priority value (Interface IP mode): RS G8264(config)# interface ip <Interface number> RS G8264(configipif)# ip pim drpriority <value (0‐4294967294)> RS G8264(configipif)# exit Note: A value of 0 (zero) specifies that the G8264 will not act as the DR. This setting requires the G8264 to be connected to a peer that has a DR priority setting of 1 or higher to ensure that a DR will be present in the network. Specifying a Bootstrap Router Using PIM‐SM, a Bootstrap Router (BSR) is a PIM‐capable router that hosts the election of the RP from available candidate routers. For each PIM‐enabled IP interface, the administrator can set the preference level for which the local interface becomes the BSR: RS G8264(config)# interface ip <Interface number> RS G8264(configipif)# ip pim cbsrpreference <0 to 255> RS G8264(configipif)# exit A value of 255 highly prefers the local interface as a BSR. A value of ‐1 indicates that the PIM CBSR preference is not configured on the switch. Configuring a Loopback Interface Loopback interfaces can be used in PIM Sparse Mode for Rendezvous Points (RPs) and Bootstrap Routers (BSRs). For example:  As a static RP interface loopback 1 ip address 55.55.1.1 255.255.255.0 enable exit...
Page 591  As a candidate RP interface loopback 1 ip address 55.55.1.1 255.255.255.0 enable exit ip pim component 1 rpcandidate holdtime 60 rpcandidate rpaddress 224.0.0.0 240.0.0.0 55.55.1.1 interface loopback 1 ip pim enable exit  As a BSR interface loopback 1 ip address 55.55.1.1 255.255.255.0 enable exit interface loopback 1 ip pim enable ip pim cbsrpreference 2 exit © Copyright Lenovo 2016 Chapter 36: Protocol Independent Multicast...
Page 592: Using Pim With Other Features
Using PIM with Other Features PIM with ACLs or VMAPs If using ACLs or VMAPs, be sure to permit traffic for local hosts and routers. PIM with IGMP If using IGMP (see Chapter 32, “Internet Group Management Protocol”):  IGMP static joins can be configured with a PIM‐SM or PIM‐DM multicast group IPv4 address. Using the ISCLI: RS G8264(config)# ip mroute <multicast group IPv4 address> <VLAN> <port>  IGMP Querier is disabled by default. If IGMP Querier is needed with PIM, be sure to enable the IGMP Query feature globally, as well as on each VLAN where it is needed. If the switch is connected to multicast receivers and/or hosts, be sure to enable  IGMP snooping globally, as well as on each VLAN where PIM receivers are attached. PIM with VLAG If using VLAG, see “VLAG with PIM” on page 232. G8264 Application Guide for ENOS 8.4...
Page 593: Pim Configuration Examples
Note: Because, Sparse Mode is set by default for PIM component 1, the mode command is needed only if the mode has been previously changed. 3. Define an IP interface for use with PIM: RS G8264(config)# interface ip 111 RS G8264(configipif)# ip address 10.10.1.1 255.255.255.255 RS G8264(configipif)# vlan 11 RS G8264(configipif)# enable The IP interface represents the PIM network being connected to the switch. The IPv4 addresses in the defined range must not be included in another IP interface on the switch under a different VLAN. 4. Enable PIM on the IP interface and assign the PIM component: RS G8264(configipif)# ip pim enable RS G8264(configipif)# ip pim componentid 1 Note: Because, PIM component 1 is assigned to the interface by default, the componentid command is needed only if the setting has been previously changed. 5. Set the Bootstrap Router (BSR) preference: RS G8264(configipif)# ip pim cbsrpreference 135 RS G8264(configipif)# exit © Copyright Lenovo 2016 Chapter 36: Protocol Independent Multicast...
Page 594: Example 2: Pim-Sm With Static Rp
Example 2: PIM-SM with Static RP The following commands can be used to modify the prior example configuration to use a static RP: RS G8264(config)# ip pim staticrp enable RS G8264(config)# ip pim component 1 RS G8264(configippimcomp)# rpstatic rpaddress 225.1.0.0 255.255.0.0 10.10.1.1 RS G8264(configippimcomp)# exit Where 225.1.0.0 255.255.0.0 is the multicast group base address and mask, and 10.10.1.1 is the static RP address. Note: The same static RP address must be configured for all switches in the group. Example 3: PIM-DM This example configures PIM Dense Mode (PIM‐DM) on one IP interface. PIM‐DM can be configured independently, or it can be combined with the prior PIM‐SM examples (which are configured on a different PIM component) as shown in Figure Figure 56. Network with both PIM‐DM and PIM‐SM Components PIM-SM PIM-DM Multicast Multicast 225.1.0.0/16 239.1.0.0/16 PIM Enabled Switch IP Interface 11 IP Interface 22 IP 10.10.1.1...
Page 595 3. Define an IP interface for use with PIM: RS G8264(config)# interface ip 22 RS G8264(configipif)# ip address 10.10.2.1 255.255.255.255 RS G8264(configipif)# vlan 102 RS G8264(configipif)# enable 4. Enable PIM on the IP interface and assign the PIM component: RS G8264(configipif)# ip pim enable RS G8264(configipif)# ip pim componentid 2 RS G8264(configipif)# exit 5. (Optional) Configure PIM border router if the IPMC traffic is flowing between PIM domains: RS G8264(config)# ip pim pmbr enable RS G8264(config)# interface ip 22 RS G8264(configipif)# ip pim borderbit RS G8264(configipif)# exit Note: For PIM Dense Mode, the DR, RP, and BSR settings do not apply. © Copyright Lenovo 2016 Chapter 36: Protocol Independent Multicast...
Page 596 G8264 Application Guide for ENOS 8.4...
Page 597: Part 6: High Availability Fundamentals
Part 6: High Availability Fundamentals Internet traffic consists of myriad services and applications which use the Internet Protocol (IP) for data delivery. However, IP is not optimized for all the various applications. High Availability goes beyond IP and makes intelligent switching decisions to provide redundant network configurations. © Copyright Lenovo 2016...
Page 598 G8264 Application Guide for ENOS 8.4...
Page 599: Chapter 37. Basic Redundancy
Chapter 37. Basic Redundancy Lenovo Enterprise Network Operating System 8.4 includes various features for providing basic link or device redundancy:  “Aggregating for Link Redundancy” on page 600  “Virtual Link Aggregation” on page 600  “Hot Links” on page 601  “Stacking for High Availability Topologies” on page 603 © Copyright Lenovo 2016...
Page 600: Aggregating For Link Redundancy
Aggregating for Link Redundancy Multiple switch ports can be combined together to form robust, high‐bandwidth LAGs to other devices. Since LAGs are comprised of multiple physical links, the LAG is inherently fault tolerant. As long as one connection between the switches is available, the LAG remains active. In Figure 57, four ports are aggregated together between the switch and the enterprise routing device. Connectivity is maintained as long as one of the links remain active. The links to the server are also aggregated, allowing the secondary NIC to take over in the event that the primary NIC link fails. Figure 57. Aggregating Ports for Link Redundancy Enterprise Server Routing Switch NIC 1 NIC 2 Internet For more information on aggregation, see Chapter 10, “Ports and Link Aggregation.” Virtual Link Aggregation Using the VLAG feature, switches can be paired as VLAG peers. The peer switches appear to the connecting device as a single virtual entity for the purpose of establishing a multi‐port LAG. The VLAG‐capable switches synchronize their logical view of the access layer port structure and internally prevent implicit loops. The VLAG topology also responds more quickly to link failure and does not result in unnecessary MAC flooding. VLAGs are useful in multi‐layer environments for both uplink and downlink redundancy to any regular LAG‐capable device. They can also be used in for active‐active VRRP connections. For more information on VLAGs, see Chapter 12, “Virtual Link Aggregation ...
Page 601: Hot Links
You may select a physical port, static LAG, or an LACP adminkey as a Hot Link interface. Forward Delay The Forward Delay timer allows Hot Links to monitor the Master and Backup interfaces for link stability before selecting one interface to transition to the active state. Before the transition occurs, the interface must maintain a stable link for the duration of the Forward Delay interval. For example, if you set the Forward delay timer to 10 seconds, the switch will select an interface to become active only if a link remained stable for the duration of the Forward Delay period. If the link is unstable, the Forward Delay period starts again. Preemption You can configure the Master interface to resume the active state whenever it becomes available. With Hot Links preemption enabled, the Master interface transitions to the active state immediately upon recovery. The Backup interface immediately transitions to the standby state. If Forward Delay is enabled, the transition occurs when an interface has maintained link stability for the duration of the Forward Delay period. FDB Update Use the FDB update option to notify other devices on the network about updates to the Forwarding Database (FDB). When you enable FDB update, the switch sends multicasts of addresses in the forwarding database (FDB) over the active interface, so that other devices on the network can learn the new path. The Hot Links FBD update option uses the station update rate to determine the rate at which to send FDB packets. Configuration Guidelines The following configuration guidelines apply to Hot links:  When Hot Links is turned on, STP must be disabled on the hotlink ports. © Copyright Lenovo 2016 Chapter 37: Basic Redundancy...
Page 602: Configuring Hot Links
 A port that is a member of the Master interface cannot be a member of the Backup interface. A port that is a member of one Hot Links trigger cannot be a member of another Hot Links trigger.  An individual port that is configured as a Hot Link interface cannot be a member of a LAG. Configuring Hot Links Spanning Tree Protocol must be disabled on Hot Links ports. For instance, if Hot Links ports 1 and 2 belong to STGs 1 and 23, use the following commands to disable the STGs: RS G8264(config)# no span stp 1 enable RS G8264(config)# no span stp 23 enable Use the following commands to configure Hot Links. RS G8264(config)# [no] hotlinks bpdu (Enable or disable Hot Links BPDU flood) RS G8264(config)# [no] hotlinks enable (Enable or disable Hot Links globally) RS G8264(config)# [no] hotlinks fdbupdate (Enable or disable Hot Links FDB update) RS G8264(config)# hotlinks fdbupdaterate (Configure FDB update rate in packets per second) RS G8264(config)# hotlinks trigger 1 enable (Enable Hot Links Trigger 1) RS G8264(config)# hotlinks trigger 1 master port 1 (Add port to Master interface) RS G8264(config)# hotlinks trigger 1 backup port 2 (Add port to Backup interface) RS G8264(config)# hotlinks enable (Turn on Hot Links) G8264 Application Guide for ENOS 8.4...
Page 603: Stacking For High Availability Topologies
In Figure 58, a simple stack using two switches provides full redundancy in the event that either switch were to fail. As shown with the servers in the example, stacking permits ports within different physical switches to be aggregated together, further enhancing switch redundancy. Figure 58. High Availability Topology Using Stacking Enterprise Routing Switch Cross-Stack Server Stacked Switches NIC 1 NIC 2 Stack Internet Links Server NIC 1 NIC 2 Cross-Stack For more information on stacking, see Chapter 18, “Stacking”. © Copyright Lenovo 2016 Chapter 37: Basic Redundancy...
Page 604 G8264 Application Guide for ENOS 8.4...
Page 605: Chapter 38. Layer 2 Failover
Chapter 38. Layer 2 Failover The primary application for Layer 2 Failover is to support Network Adapter Teaming. With Network Adapter Teaming, all the NICs on each server share the same IP address, and are configured into a team. One NIC is the primary link, and the other is a standby link. For more details, refer to the documentation for your Ethernet adapter. Note: Only two links per server can be used for Layer 2 LAG Failover (one primary and one backup). Network Adapter Teaming allows only one backup NIC for each server blade. © Copyright Lenovo 2016...
Page 606: Monitoring Lag Links
Monitoring LAG Links Layer 2 Failover can be enabled on any LAG in the G8264, including LACP LAGs. LAGs can be added to failover trigger groups. Then, if some specified number of monitor links fail, the switch disables all the control ports in the switch. When the control ports are disabled, it causes the NIC team on the affected servers to failover from the primary to the backup NIC. This process is called a failover event. When the appropriate number of links in a monitor group return to service, the switch enables the control ports. This causes the NIC team on the affected servers to fail back to the primary switch (unless Auto‐Fallback is disabled on the NIC team). The backup switch processes traffic until the primary switch’s control links come up, which can take up to five seconds. Figure 59 is a simple example of Layer 2 Failover. One G8264 is the primary, and the other is used as a backup. In this example, all ports on the primary switch belong to a single LAG, with Layer 2 Failover enabled, and Failover Limit set to 2. If two or fewer links in trigger 1 remain active, the switch temporarily disables all control ports. This action causes a failover event on Server 1 and Server 2. Figure 59. Basic Layer 2 Failover Enterprise Primary Routing Switches Server 1 Switch Trigger 1 NIC 1 NIC 2 Backup Internet Server 2 Switch Trigger 1 NIC 1 NIC 2...
Page 607: Manually Monitoring Port Links
The switch automatically enables the control list items when the monitor list items return to service. Monitor Port State A monitor port is considered operational as long as the following conditions are true:  The port must be in the Link Up state.  If STP is enabled, the port must be in the Forwarding state.  If the port is part of an LACP LAG, the port must be in the Aggregated state. If any of these conditions is false, the monitor port is considered to have failed. Control Port State A control port is considered Operational if the monitor trigger is up. As long as the trigger is up, the port is considered operational from a teaming perspective, even if the port itself is actually in the Down state, Blocking state (if STP is enabled on the port), or Not Aggregated state (if part of an LACP LAG). A control port is considered to have failed only if the monitor trigger is in the Down state. To view the state of any port, use one of the following commands: >> # show interface link (View port link status) >> # show interface port <x> spanningtree stp <x> (View port STP status) >> # show lacp information (View port LACP status) © Copyright Lenovo 2016 Chapter 38: Layer 2 Failover...
Page 608: L2 Failover With Other Features
L2 Failover with Other Features L2 Failover works together with static LAGs, Link Aggregation Control Protocol (LACP), and with Spanning Tree Protocol (STP), as described in the next sections. Static LAGs When you add a portchannel (static LAG) to a failover trigger, any ports in that LAG become members of the trigger. You can add up to 64 static LAGs to a failover trigger, using manual monitoring. LACP Link Aggregation Control Protocol allows the switch to form dynamic LAGs. You can use the admin key to add up to 64 LACP LAGs to a failover trigger using automatic monitoring. When you add an admin key to a trigger, any LACP LAG with that admin key becomes a member of the trigger. Spanning Tree Protocol If Spanning Tree Protocol (STP) is enabled on the ports in a failover trigger, the switch monitors the port STP state rather than the link state. A port failure results when STP is not in a Forwarding state (such as Learning, Discarding, or No Link) in all the Spanning Tree Groups (STGs) to which the port belongs. The switch automatically disables the appropriate control ports. When the switch determines that ports in the trigger are in STP Forwarding state in any one of the STGs it belongs to, then it automatically enables the appropriate control ports. The switch fails back to normal operation. For example, if a monitor port is a member of STG1, STG2, and STG3, a failover will be triggered only if the port is not in a forwarding state in all the three STGs. When the port state in any of the three STGs changes to forwarding, then the control port is enabled and normal switch operation is resumed. G8264 Application Guide for ENOS 8.4...
Page 609: Configuration Guidelines
Configuration Guidelines This section provides important information about configuring Layer 2 Failover.  Any specific failover trigger can monitor ports only, static LAGs only, or LACP LAGs only. The different types cannot be combined in the same trigger. A maximum of 64 LACP keys can be added per trigger.   Management ports and stacking ports cannot be monitored. Control ports for different triggers must not overlap. Monitor ports may  overlap. Configuring Layer 2 Failover Use the following procedure to configure a Layer 2 Failover Manual Monitor. 1. Specify the links to monitor. >> # failover trigger 1 mmon monitor member 15 2. Specify the links to disable when the failover limit is reached. >> # failover trigger 1 mmon control member 610 3. Configure general Failover parameters. >> # failover enable >> # failover trigger 1 enable >> # failover trigger 1 limit 2 © Copyright Lenovo 2016 Chapter 38: Layer 2 Failover...
Page 610 G8264 Application Guide for ENOS 8.4...
Page 611: Chapter 39. Virtual Router Redundancy Protocol
Chapter 39. Virtual Router Redundancy Protocol The Lenovo RackSwitch G8264 (G8264) supports IPv4 high‐availability network topologies through an enhanced implementation of the Virtual Router Redundancy Protocol (VRRP). Note: Lenovo Enterprise Network Operating System 8.4 does not support IPv6 for VRRP. The following topics are discussed in this chapter:  “VRRP Overview” on page 612. This section discusses VRRP operation and Enterprise NOS redundancy configurations. “Failover Methods” on page 615. This section describes the three modes of high  availability.  “Enterprise NOS Extensions to VRRP” on page 616. This section describes VRRP enhancements implemented in ENOS.  “Virtual Router Deployment Considerations” on page 617. This section describes issues to consider when deploying virtual routers.  “High Availability Configurations” on page 619. This section discusses the more useful and easily deployed redundant configurations. © Copyright Lenovo 2016...
Page 612: Vrrp Overview
VRRP Overview In a high‐availability network topology, no device can create a single point‐of‐failure for the network or force a single point‐of‐failure to any other part of the network. This means that your network will remain in service despite the failure of any single device. To achieve this usually requires redundancy for all vital network components. VRRP enables redundant router configurations within a LAN, providing alternate router paths for a host to eliminate single points‐of‐failure within a network. Each participating VRRP‐capable routing device is configured with the same virtual router IPv4 address and ID number. One of the virtual routers is elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IPv4 address. If the master fails, one of the backup virtual routers will take control of the virtual router IPv4 address and actively process traffic addressed to it. With VRRP, Virtual Interface Routers (VIR) allow two VRRP routers to share an IP interface across the routers. VIRs provide a single Destination IPv4 (DIP) address for upstream routers to reach various servers, and provide a virtual default Gateway for the servers. VRRP Components Each physical router running VRRP is known as a VRRP router. Virtual Router Two or more VRRP routers can be configured to form a virtual router (RFC 2338). Each VRRP router may participate in one or more virtual routers. Each virtual router consists of a user‐configured virtual router identifier (VRID) and an IPv4 address. Virtual Router MAC Address The VRID is used to build the virtual router MAC Address. The five highest‐order octets of the virtual router MAC Address are the standard MAC prefix (00‐00‐5E‐00‐01) defined in RFC 2338. The VRID is used to form the lowest‐order octet. Owners and Renters Only one of the VRRP routers in a virtual router may be configured as the IPv4 address owner. This router has the virtual router’s IPv4 address as its real interface ...
Page 613: Master And Backup Virtual Router
Note: If the IPv4 address owner is available, it will always become the virtual router master. The virtual router master forwards packets sent to the virtual router. It also responds to Address Resolution Protocol (ARP) requests sent to the virtual routerʹs IPv4 address. Finally, the virtual router master sends out periodic advertisements to let other VRRP routers know it is alive and its priority. Within a virtual router, the VRRP routers not selected to be the master are known as virtual router backups. If the virtual router master fails, one of the virtual router backups becomes the master and assumes its responsibilities. Virtual Interface Router At Layer 3, a Virtual Interface Router (VIR) allows two VRRP routers to share an IP interface across the routers. VIRs provide a single Destination IPv4 (DIP) address for upstream routers to reach various destination networks, and provide a virtual default Gateway. Note: Every VIR must be assigned to an IP interface, and every IP interface must be assigned to a VLAN. If no port in a VLAN has link up, the IP interface of that VLAN is down, and if the IP interface of a VIR is down, that VIR goes into INIT state. VRRP Operation Only the virtual router master responds to ARP requests. Therefore, the upstream routers only forward packets destined to the master. The master also responds to ICMP ping requests. The backup does not forward any traffic, nor does it respond to ARP requests. If the master is not available, the backup becomes the master and takes over responsibility for packet forwarding and responding to ARP requests. © Copyright Lenovo 2016 Chapter 39: Virtual Router Redundancy Protocol...
Page 614: Selecting The Master Vrrp Router
Selecting the Master VRRP Router Each VRRP router is configured with a priority between 1–254. A bidding process determines which VRRP router is or becomes the master—the VRRP router with the highest priority. The master periodically sends advertisements to an IPv4 multicast address. As long as the backups receive these advertisements, they remain in the backup state. If a backup does not receive an advertisement for three advertisement intervals, it initiates a bidding process to determine which VRRP router has the highest priority and takes over as master. In addition to the three advertisement intervals, a manually set holdoff time can further delay the backups from assuming the master status. If, at any time, a backup determines that it has higher priority than the current master does, it can preempt the master and become the master itself, unless configured not to do so. In preemption, the backup assumes the role of master and begins to send its own advertisements. The current master sees that the backup has higher priority and will stop functioning as the master. A backup router can stop receiving advertisements for one of two reasons—the master can be down, or all communications links between the master and the backup can be down. If the master has failed, it is clearly desirable for the backup (or one of the backups, if there is more than one) to become the master. Note: If the master is healthy but communication between the master and the backup has failed, there will then be two masters within the virtual router. To prevent this from happening, configure redundant links to be used between the switches that form a virtual router. G8264 Application Guide for ENOS 8.4...
Page 615: Failover Methods
Routing Switch Switch 2 Active (subnet B and D) Virtual Router Group The virtual router group ties all virtual routers on the switch together as a single entity. As members of a group, all virtual routers on the switch (and therefore the switch itself), are in either a master or standby state. A VRRP group has the following characteristics: When enabled, all virtual routers behave as one entity, and all group settings  override any individual virtual router settings.  All individual virtual routers, once the VRRP group is enabled, assume the group’s tracking and priority.  When one member of a VRRP group fails, the priority of the group decreases, and the state of the entire switch changes from Master to Standby.  When VRRP group restrictions are enabled, advertisements for the group are sent and received only on VRRP group interface. Each VRRP advertisement can include up to 16 addresses. All virtual routers are advertised within the same packet, conserving processing and buffering resources. © Copyright Lenovo 2016 Chapter 39: Virtual Router Redundancy Protocol...
Page 616: Enterprise Nos Extensions To Vrrp
Enterprise NOS Extensions to VRRP This section describes VRRP enhancements that are implemented in ENOS. ENOS supports a tracking function that dynamically modifies the priority of a VRRP router, based on its current state. The objective of tracking is to have, whenever possible, the master bidding processes for various virtual routers in a LAN converge on the same switch. Tracking ensures that the selected switch is the one that offers optimal network performance. For tracking to have any effect on virtual router operation, preemption must be enabled. ENOS can track the attributes listed in Table 44 (Router VRRP mode): Table 44. VRRP Tracking Parameters Parameter Description Number of IP interfaces on the Helps elect the virtual routers with the switch that are active (“up”) most available routes as the master. (An IP interface is considered active when there trackingpriorityincrement is at least one active port on the same interfaces VLAN.) This parameter influences the VRRP routerʹs priority in virtual interface routers. Number of active ports on the same Helps elect the virtual routers with the VLAN most available ports as the master. This parameter influences the VRRP routerʹs trackingpriorityincrement priority in virtual interface routers. ports Number of virtual routers in master Useful for ensuring that traffic for any mode on the switch particular client/server pair is handled by ...
Page 617: Virtual Router Deployment Considerations
 Switch 1 is the master router upon initialization. If switch 1 is the master and it has one fewer active servers than switch 2, then  switch 1 remains the master. This behavior is preferred because running one server down is less disruptive than bringing a new master online and severing all active connections in the process.  If switch 1 is the master and it has two or more active servers fewer than switch 2, then switch 2 becomes the master.  If switch 2 is the master, it remains the master even if servers are restored on switch 1 such that it has one fewer or an equal number of servers.  If switch 2 is the master and it has one active server fewer than switch 1, then switch 1 becomes the master. You can implement this behavior by configuring the switch for tracking as follows: 1. Set the priority for switch 1 to 101. 2. Leave the priority for switch 2 at the default value of 100. 3. On both switches, enable tracking based on ports, interfaces, next hops, or virtual routers. You can choose any combination of tracking parameters, based on your network configuration. Note: There is no shortcut to setting tracking parameters. The goals must first be set and the outcomes of various configurations and scenarios analyzed to find settings that meet the goals. © Copyright Lenovo 2016 Chapter 39: Virtual Router Redundancy Protocol...
Page 618: Vrrp - Next Hop Tracking
VRRP - Next Hop Tracking VRRP can be configured to track next hops. A health check mechanism, using ICMP ping or ARP requests, is used to track the next hop. If the health check succeeds or fails, the priority of the virtual router, for which the next hop tracking was configured, changes based on the configured tracking‐priority‐increment value. A VRRP group’s priority is calculated as the sum of all priorities for all active next hops. If an active next hop belongs to two virtual routers, then that next‐hop’s priority is added twice. VRRP next hop tracking can be configured using the following commands:  Enable VRRP tracking on next hop: RS G8264(config)# virtual-router <x> track next-hops  Configure next hop IP address: RS G8264(config-vrrp)# virtual-router <x> next-hop <IP address> [ICMP|ARP] [<interval>] [<retries>] Default Values: Health check protocol: ICMP Interval: 2 seconds Retries: 3 Note: A maximum of four unique next‐hop IP addresses can be configured.
Page 619: High Availability Configurations
NIC 1: 10.0.1.4/24 L2 Switch VIR 1: 192.168.1.200 (Backup) NIC 2: 10.0.2.4/24 VIR 2: 192.168.2.200 (Master) Although this example shows only two switches, there is no limit on the number of switches used in a redundant configuration. It is possible to implement an active‐active configuration across all the VRRP‐capable switches in a LAN. Each VRRP‐capable switch in an active‐active configuration is autonomous. Switches in a virtual router need not be identically configured. In the scenario illustrated in Figure 61, traffic destined for IPv4 address 10.0.1.1 is forwarded through the Layer 2 switch at the top of the drawing, and ingresses G8264 1 on port 1. Return traffic uses default gateway 1 (192.168.1.1). If the link between G8264 1 and the Layer 2 switch fails, G8264 2 becomes the Master because it has a higher priority. Traffic is forwarded to G8264 2, which forwards it to G8264 1 through port 4. Return traffic uses default gateway 2 (192.168.2.1), and is forwarded through the Layer 2 switch at the bottom of the drawing. © Copyright Lenovo 2016 Chapter 39: Virtual Router Redundancy Protocol...
Page 620 To implement the active‐active example, perform the following switch configuration. Task 1: Configure G8264 1 1. Configure client and server interfaces. RS G8264(config)# interface ip 1 RS G8264(configipif)# ip address 192.168.1.100 255.255.255.0 RS G8264(configipif)# vlan 10 RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 2 RS G8264(configipif)# ip address 192.168.2.101 255.255.255.0 RS G8264(configipif)# vlan 20 RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 3 RS G8264(configipif)# ip address 10.0.1.100 255.255.255.0 RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 4 RS G8264(configipif)# ip address 10.0.2.101 255.255.255.0 RS G8264(configipif)# enable RS G8264(configipif)# exit 2.
Page 621 RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 3 RS G8264(configipif)# ip address 10.0.1.101 255.255.255.0 RS G8264(configipif)# enable RS G8264(configipif)# exit RS G8264(config)# interface ip 4 RS G8264(configipif)# ip address 10.0.2.100 255.255.255.0 RS G8264(configipif)# enable RS G8264(configipif)# exit 2. Configure the default gateways. Each default gateway points to a Layer 3 router. RS G8264(config)# ip gateway 1 address 192.168.2.1 RS G8264(config)# ip gateway 1 enable RS G8264(config)# ip gateway 2 address 192.168.1.1 RS G8264(config)# ip gateway 2 enable © Copyright Lenovo 2016 Chapter 39: Virtual Router Redundancy Protocol...
Page 622 3. Turn on VRRP and configure two Virtual Interface Routers. RS G8264(config)# router vrrp RS G8264(configvrrp)# enable RS G8264(configvrrp)# virtualrouter 1 virtualrouterid 1 RS G8264(configvrrp)# virtualrouter 1 interface 1 RS G8264(configvrrp)# virtualrouter 1 address 192.168.1.200 RS G8264(configvrrp)# virtualrouter 1 enable RS G8264(configvrrp)# virtualrouter 2 virtualrouterid 2 RS G8264(configvrrp)# virtualrouter 2 interface 2 RS G8264(configvrrp)# virtualrouter 2 address 192.168.2.200 RS G8264(configvrrp)# virtualrouter 2 enable 4. Enable tracking on ports. Set the priority of Virtual Router 2 to 101, so that it becomes the Master. RS G8264(configvrrp)# virtualrouter 1 track ports RS G8264(configvrrp)# virtualrouter 2 track ports RS G8264(configvrrp)# virtualrouter 2 priority 101 RS G8264(configvrrp)# exit 5. Configure ports. RS G8264(config)# vlan 10 RS G8264(configvlan)# exit RS G8264(config)# interface port 1 RS G8264(configif)# switchport mode trunk RS G8264(configif)# switchport trunk allowed vlan 10 RS G8264(configif)# exit...
Page 623: Vrrp High-Availability Using Vlags
VLAG 1 VIR: 10.0.1.100 Router 10.0.1.1 Server 2 VLAG 2 Internet 10.0.1.2 VLAG 3 Server 3 Layer 3 VRRP Backup 10.0.1.3 Router VLAG Peer 2 Network 10.0.1.0/24 VIR: 10.0.1.100 See “VLAGs with VRRP” on page 222 for a detailed configuration example. © Copyright Lenovo 2016 Chapter 39: Virtual Router Redundancy Protocol...
Page 624 G8264 Application Guide for ENOS 8.4...
Page 626 G8264 Application Guide for ENOS 8.4...
Page 627: Chapter 40. Link Layer Discovery Protocol
Chapter 40. Link Layer Discovery Protocol The Lenovo Enterprise Network Operating System software support Link Layer Discovery Protocol (LLDP). This chapter discusses the use and configuration of LLDP on the switch:  “LLDP Overview” on page 628  “Enabling or Disabling LLDP” on page 630  “LLDP Transmit Features” on page 631  “LLDP Receive Features” on page 635  “LLDP Example Configuration” on page 639 © Copyright Lenovo 2016...
Page 628: Lldp Overview
LLDP Overview Link Layer Discovery Protocol (LLDP) is an IEEE 802.1AB‐2005 standard for discovering and managing network devices. LLDP uses Layer 2 (the data link layer), and allows network management applications to extend their awareness of the network by discovering devices that are direct neighbors of already known devices. With LLDP, the G8264 can advertise the presence of its ports, their major capabilities, and their current status to other LLDP stations in the same LAN. LLDP transmissions occur on ports at regular intervals or whenever there is a relevant change to their status. The switch can also receive LLDP information advertised from adjacent LLDP‐capable network devices. In addition to discovery of network resources, and notification of network changes, LLDP can help administrators quickly recognize a variety of common network configuration problems, such as unintended VLAN exclusions or mis‐matched port aggregation membership. The LLDP transmit function and receive function can be independently configured on a per‐port basis. The administrator can allow any given port to transmit only, receive only, or both transmit and receive LLDP information. The LLDP information to be distributed by the G8264 ports, and that which has been collected from other LLDP stations, is stored in the switch’s Management Information Base (MIB). Network Management Systems (NMS) can use Simple Network Management Protocol (SNMP) to access this MIB information. LLDP‐related MIB information is read‐only. Changes, either to the local switch LLDP information or to the remotely received LLDP information, are flagged within the MIB for convenient tracking by SNMP‐based management systems. For LLDP to provide expected benefits, all network devices that support LLDP must be consistent in their LLDP configuration. G8264 Application Guide for ENOS 8.4...
Page 629: Lldp - Stacking Mode
LLDP - Stacking Mode In stacking mode, LLDP can be configured only on the ports that are not used to create the stack. The LLDP configuration menus on the stacking ports are disabled. When configuring LLDP on a port, use the correct port syntax. See “Rebooting Stacked Switches using the ISCLI” on page 309. © Copyright Lenovo 2016 Chapter 40: Link Layer Discovery Protocol...
Page 630: Enabling Or Disabling Lldp
Enabling or Disabling LLDP Follow the instructions in this section to enable and disable LLDP. Global LLDP Setting By default, LLDP is enabled on the G8264. To turn LLDP on or off, use the following command: RS G8264(config)# [no] lldp enable (Turn LLDP on or off globally) Transmit and Receive Control The G8264 can also be configured to transmit or receive LLDP information on a port‐by‐port basis. By default, when LLDP is globally enabled on the switch, G8264 ports transmit and receive LLDP information (see the tx_rx option in the following example). To change the LLDP transmit and receive state, the following commands are available: RS G8264(config)# interface port 1 (Select a switch port) RS G8264(configif)# lldp adminstatus tx_rx (Transmit and receive LLDP) RS G8264(configif)# lldp adminstatus tx_only (Only transmit LLDP) RS G8264(configif)# lldp adminstatus rx_only (Only receive LLDP)
Page 631: Lldp Transmit Features
Scheduled Interval The G8264 can be configured to transmit LLDP information to neighboring devices once each 5 to 32768 seconds. The scheduled interval is global; the same interval value applies to all LLDP transmit‐enabled ports. However, to help balance LLDP transmissions and keep them from being sent simultaneously on all ports, each port maintains its own interval clock, based on its own initialization or reset time. This allows switch‐wide LLDP transmissions to be spread out over time, though individual ports comply with the configured interval. The global transmit interval can be configured using the following command: RS G8264(config)# lldp refreshinterval <interval> where interval is the number of seconds between LLDP transmissions. The range is 5 to 32768. The default is 30 seconds. Minimum Interval In addition to sending LLDP information at scheduled intervals, LLDP information is also sent when the G8264 detects relevant changes to its configuration or status (such as when ports are enabled or disabled). To prevent the G8264 from sending multiple LLDP packets in rapid succession when port status is in flux, a transmit delay timer can be configured. The transmit delay timer represents the minimum time permitted between successive LLDP transmissions on a port. Any interval‐driven or change‐driven updates will be consolidated until the configured transmit delay expires. The minimum transmit interval can be configured using the following command: RS G8264(config)# lldp transmissiondelay <interval> where interval is the minimum number of seconds permitted between successive LLDP transmissions on any port. The range is 1 to one‐quarter of the scheduled transmit interval (lldp refreshinterval <value>), up to 8192. The default is 2 seconds. © Copyright Lenovo 2016 Chapter 40: Link Layer Discovery Protocol...
Page 632: Time-To-Live For Transmitted Information
Time-to-Live for Transmitted Information The transmitted LLDP information is held by remote systems for a limited time. A time‐to‐live parameter allows the switch to determine how long the transmitted data is held before it expires. The hold time is configured as a multiple of the configured transmission interval. RS G8264(config)# lldp holdtimemultiplier <multiplier> where multiplier is a value between 2 and 10. The default value is 4, meaning that remote systems will hold the port’s LLDP information for 4 x the 30‐second msgtxint value, or 120 seconds, before removing it from their MIB. Trap Notifications If SNMP is enabled on the G8264 (see “Using Simple Network Management Protocol” on page 43), each port can be configured to send SNMP trap notifications whenever LLDP transmissions are sent. By default, trap notification is disabled for each port. The trap notification state can be changed using the following commands (Interface Port mode): RS G8264(config)# interface port 1 RS G8264(configif)# [no] lldp trapnotification RS G8264(configif)# exit In addition to sending LLDP information at scheduled intervals, LLDP information is also sent when the G8264 detects relevant changes to its configuration or status (such as when ports are enabled or disabled). To prevent the G8264 from sending multiple trap notifications in rapid succession when port status is in flux, a global trap delay timer can be configured. The trap delay timer represents the minimum time permitted between successive trap notifications on any port. Any interval‐driven or change‐driven trap notices from the port will be consolidated until the configured trap delay expires. The minimum trap notification interval can be configured using the following command: RS G8264(config)# lldp trapnotificationinterval <interval> where interval is the minimum number of seconds permitted between successive LLDP transmissions on any port. The range is 1 to 3600. The default is 5 seconds.
Page 633: Changing The Lldp Transmit State
Table 45. LLDP Optional Information Types Type Description Default portdesc Port Description Enabled sysname System Name Enabled sysdescr System Description Enabled syscap System Capabilities Enabled mgmtaddr Management Address Enabled portvid IEEE 802.1 Port VLAN ID Disabled portprot IEEE 802.1 Port and Protocol VLAN ID Disabled vlanname IEEE 802.1 VLAN Name Disabled © Copyright Lenovo 2016 Chapter 40: Link Layer Discovery Protocol...
Page 634 Table 45. LLDP Optional Information Types (continued) Type Description Default protid IEEE 802.1 Protocol Identity Disabled macphy IEEE 802.3 MAC/PHY Disabled Configuration/Status, including the auto‐negotiation, duplex, and speed status of the port. powermdi IEEE 802.3 Power via MDI, indicating the Disabled capabilities and status of devices that require or provide power over twisted‐pair copper links. linkaggr IEEE 802.3 Link Aggregation status for Disabled the port. framesz IEEE 802.3 Maximum Frame Size for the Disabled port. Data Center Bridging Capability Enabled dcbx Exchange Protocol (DCBX) for the port. Select all optional LLDP information for Disabled inclusion or exclusion. G8264 Application Guide for ENOS 8.4...
Page 635: Lldp Receive Features
System Capabilities Supported/Enabled   Remote Management Address The G8264 stores the collected LLDP information in the MIB. Each remote LLDP‐capable device is responsible for transmitting regular LLDP updates. If the received updates contain LLDP information changes (to port state, configuration, LLDP MIB structures, deletion), the switch will set a change flag within the MIB for convenient notification to SNMP‐based management systems. Note: In stacking mode, both the Master and the Backup receive LLDP information for all the ports in a stack and update the LLDP table. The Master and Backup switches synchronize the LLDP tables. Viewing Remote Device Information LLDP information collected from neighboring systems can be viewed in numerous ways:  Using a centrally‐connected LLDP analysis server  Using an SNMP agent to examine the G8264 MIB  Using the G8264 Browser‐Based Interface (BBI)  Using commands on the G8264 The following command displays remote LLDP information: RS G8264(config)# show lldp remotedevice [<index number>] © Copyright Lenovo 2016 Chapter 40: Link Layer Discovery Protocol...
Page 636 RS G8264(config)# show lldp remotedevice 1 Local Port Alias: 3 Remote Device Index : 1 Remote Device TTL : 99 Remote Device RxChanges : false Chassis Type : Mac Address Chassis Id : 0018b1331d00 Port Type : Locally Assigned Port Id : 23 Port Description : 7 System Name : System Description: Lenovo Lenovo RackSwitch G8264, Lenovo Networking OS: version 8.4, Boot Image: version 8.4 System Capabilities Supported : bridge, router System Capabilities Enabled : bridge, router Remote Management Address: Subtype : IPv4 Address : 10.100.120.181 Interface Subtype : ifIndex Interface Number : 128 Object Identifier Note: Received LLDP information can change very quickly. When using show ...
Page 637: Time-To-Live For Received Information
: 2 Port Description : 2 System Name System Description : Lenovo Lenovo RackSwitch G8264, Lenovo Networking OS: version 8.4, Boot Image: version 6.9.1.14 System Capabilities Supported : bridge, router System Capabilities Enabled : bridge, router Remote Management Address: Subtype : IPv4 Address : 10.38.22.23 Interface Subtype : ifIndex Interface Number : 127 Object Identifier Total entries displayed: 2 Time-to-Live for Received Information Each remote device LLDP packet includes an expiration time. If the switch port does not receive an LLDP update from the remote device before the time‐to‐live clock expires, the switch will consider the remote information to be invalid, and will remove all associated information from the MIB. © Copyright Lenovo 2016 Chapter 40: Link Layer Discovery Protocol...
Page 638 Remote devices can also intentionally set their LLDP time‐to‐live to 0, indicating to the switch that the LLDP information is invalid and must be immediately removed. G8264 Application Guide for ENOS 8.4...
Page 639: Lldp Example Configuration
3. Set LLDP options for each port. RS G8264(config)# interface port <n> (Select a switch port) RS G8264(configif)# lldp adminstatus tx_rx(Transmit and receive LLDP) RS G8264(configif)# lldp trapnotification(Enable SNMP trap notifications) RS G8264(configif)# lldp tlv all (Transmit all optional information) RS G8264(configif)# exit 4. Enable syslog reporting. RS G8264(config)# logging log lldp 5. Verify the configuration settings: RS G8264(config)# show lldp 6. View remote device information as needed. RS G8264(config)# show lldp remotedevice RS G8264(config)# show lldp remotedevice <index number> RS G8264(config)# show lldp remotedevices detail © Copyright Lenovo 2016 Chapter 40: Link Layer Discovery Protocol...
Page 640 G8264 Application Guide for ENOS 8.4...
Page 641: Chapter 41. Simple Network Management Protocol
HP‐OpenView. Note: SNMP read and write functions are enabled by default. For best security practices, if SNMP is not needed for your network, it is recommended that you disable these functions prior to connecting the switch to the network. SNMP Version 1 & Version 2 To access the SNMP agent on the G8264, the read and write community strings on the SNMP manager must be configured to match those on the switch. The default read community string on the switch is public and the default write community string is private. The read and write community strings on the switch can be changed using the following commands on the CLI: RS G8264(config)# snmpserver readcommunity <1‐32 characters> ‐and‐ RS G8264(config)# snmpserver writecommunity <1‐32 characters> The SNMP manager must be able to reach the management interface or any one of the IP interfaces on the switch. For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following command: RS G8264(config)# snmpserver trapsource <trap source IP interface> RS G8264(config)# snmpserver host <IPv4 address> <trap host community string> Note: You can use a loopback interface to set the source IP address for SNMP traps. Use the following command to apply a configured loopback interface: RS G8264(config)# snmpserver trapsource loopback <1‐5> © Copyright Lenovo 2016...
Page 642: Snmp Version 3
SNMP Version 3 SNMP version 3 (SNMPv3) is an enhanced version of the Simple Network Management Protocol, approved by the Internet Engineering Steering Group in March, 2002. SNMPv3 contains additional security and authentication features that provide data origin authentication, data integrity checks, timeliness indicators and encryption to protect against threats such as masquerade, modification of information, message stream modification and disclosure. SNMPv3 allows clients to query the MIBs securely. SNMPv3 configuration is managed using the following command path menu: RS G8264(config)# snmpserver ? For more information on SNMP MIBs and the commands used to configure SNMP on the switch, see the Lenovo Enterprise Network Operating System 8.4 Command Reference. Default Configuration Enterprise NOS has three SNMPv3 users by default. All the three users have access to all the MIBs supported by the switch:  User 1 name is adminmd5 (password adminmd5). Authentication used is MD5. Privacy protocol used is DES. User 2 name is adminsha (password adminsha). Authentication used is SHA.  Privacy protocol used is DES.  User 3 name is adminshaaes (password Edpq132x!#9Zpx432w). Authentica‐ tion used is SHA. Privacy protocol used is AES‐128. In boot strict mode (See “Boot Strict Mode” on page 58), Enterprise NOS has one SNMPv3 user: User 1 name is adminshaaes (password Edpq132x!#9Zpx432w). Authentica‐  tion used is SHA. Privacy protocol used is AES‐128. Up to 17 SNMP users can be configured on the switch. To modify an SNMP user, enter the following commands: RS G8264(config)# snmpserver user <1‐17> name <1‐32 characters>...
Page 643 Changing privacy password; validation required: Enter current admin password: <admin. password> Enter new privacy password: <privacy password; Should be more than 18 characters> Reenter new privacy password: <privacy password> New privacy password accepted. 2. Configure a user access group, along with the views the group may access. Use the access table to configure the group’s access level. RS G8264(config)# snmpserver access 5 name admingrp RS G8264(config)# snmpserver access 5 level authpriv RS G8264(config)# snmpserver access 5 readview iso RS G8264(config)# snmpserver access 5 writeview iso RS G8264(config)# snmpserver access 5 notifyview iso Because the read view, write view, and notify view are all set to “iso,” the user type has access to all private and public MIBs. 3. Assign the user to the user group. Use the group table to link the user to a particular access group. RS G8264(config)# snmpserver group 5 username admin RS G8264(config)# snmpserver group 5 groupname admingrp © Copyright Lenovo 2016 Chapter 41: Simple Network Management Protocol...
Page 644: Configuring Snmp Trap Hosts
Configuring SNMP Trap Hosts Follow these instructions to configure SNMP trap hosts. SNMPv1 Trap Host 1. Configure a user with no authentication and password. RS G8264(config)# snmpserver user 10 name v1trap 2. Configure an access group and group table entries for the user. Use the following menu to specify which traps can be received by the user: RS G8264(config)# snmpserver access <user number> In the following example the user will receive the traps sent by the switch. RS G8264(config)# snmpserver access 10 (Access group to view SNMPv1 traps) name v1trap security snmpv1 notifyview iso RS G8264(config)# snmpserver group 10 (Assign user to the access group) security snmpv1 username v1trap groupname v1trap 3. Configure an entry in the notify table. RS G8264(config)# snmpserver notify 10 name v1trap RS G8264(config)# snmpserver notify 10 tag v1trap 4. Specify the IPv4 address and other trap parameters in the targetAddr and targetParam tables. Use the following commands to specify the user name associated with the targetParam table: RS G8264(config)# snmpserver targetaddress 10 name v1trap address ...
Page 645: Snmpv2 Trap Host Configuration
RS G8264(config)# snmpserver targetaddress 10 parametersname v2param RS G8264(config)# snmpserver targetparameters 10 name v2param RS G8264(config)# snmpserver targetparameters 10 message snmpv2c RS G8264(config)# snmpserver targetparameters 10 username v2trap RS G8264(config)# snmpserver targetparameters 10 security snmpv2 RS G8264(config)# snmpserver community 10 index v2trap RS G8264(config)# snmpserver community 10 username v2trap Note: ENOS 8.4 supports only IPv4 addresses for SNMPv1 and SNMPv2 trap hosts. © Copyright Lenovo 2016 Chapter 41: Simple Network Management Protocol...
Page 646: Snmpv3 Trap Host Configuration
SNMPv3 Trap Host Configuration To configure a user for SNMPv3 traps, you can choose to send the traps with both privacy and authentication, with authentication only, or without privacy or authentication. This is configured in the access table using the following commands: RS G8264(config)# snmpserver access <1‐32> level RS G8264(config)# snmpserver targetparameters <1‐16> level Configure the user in the user table accordingly. It is not necessary to configure the community table for SNMPv3 traps because the community string is not used by SNMPv3. The following example shows how to configure a SNMPv3 user v3trap with authentication only: RS G8264(config)# snmpserver user 11 name v3trap RS G8264(config)# snmpserver user 11 authenticationprotocol md5 authenticationpassword Changing authentication password; validation required: Enter current admin password: <admin. password> Enter new authentication password: <auth. password> Reenter new authentication password: <auth. password> New authentication password accepted. RS G8264(config)# snmpserver access 11 notifyview iso RS G8264(config)# snmpserver access 11 level authNopriv RS G8264(config)# snmpserver group 11 username v3trap RS G8264(config)# snmpserver group 11 groupname v3trap RS G8264(config)# snmpserver notify 11 name v3trap RS G8264(config)# snmpserver notify 11 tag v3trap RS G8264(config)# snmpserver targetaddress 11 name v3trap address ...
Page 647: Snmp Mibs
 rfc2575.mib  rfc2576.mib  rfc2790.mib  rfc3176.mib  rfc4133.mib  rfc4363.mib  The ENOS SNMP agent supports the following generic traps as defined in RFC 1215:  ColdStart  WarmStart  LinkDown  LinkUp AuthenticationFailure  The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493:  NewRoot  TopologyChange © Copyright Lenovo 2016 Chapter 41: Simple Network Management Protocol...
Page 648 The following are the enterprise SNMP traps supported in ENOS: Table 46. Enterprise NOS‐Supported Enterprise SNMP Traps Trap Name Description swLoginFailure Signifies that someone failed to enter a valid username/password combination. swTrapDisplayString specifies whether the login attempt was from CONSOLE or TELNET. In case of TELNET login it also specifies the IP address of the host from which the attempt was made. swValidLogin Signifies that a user login has occurred. swApplyComplete Signifies that new configuration has been applied. swSaveComplete Signifies that new configuration has been saved. swFwDownloadSucess Signifies that firmware has been downloaded to [image1|image2|boot image]. swFwDownloadFailure Signifies that firmware downloaded failed to [image1|image2|boot image]. swValidLogout Signifies that a user logout has occurred. swPrimaryPowerSupplyFailure Signifies that the primary power supply has failed.
Page 649 Signifies that the teaming is up. swTeamingCtrlDown Signifies that the teaming control is down. swTeamingCtrlDownTearDownBlked Signifies that the teaming control is down but teardown is blocked. swTeamingCtrlError Signifies error, action is undefined. swLACPPortBlocked Signifies that LACP is operationally down on a port, and traffic is blocked on the port. swLACPPortUnblocked Signifies that LACP is operationally up on a port, and traffic is no longer blocked on the port. swLFDPortErrdisabled Signifies that a port is error‐disabled due to excessive link flaps. swVlagInstanceUp Signifies that VLAG instance is up identified in the trap message. swVlagInstanceRemoteUp Signifies that VLAG is down but instance on the remote instance is swVlagInstanceLocalUp Signifies that VLAG is down but local instance is up. © Copyright Lenovo 2016 Chapter 41: Simple Network Management Protocol...
Page 650 Table 46. Enterprise NOS‐Supported Enterprise SNMP Traps (continued) Trap Name Description swVlagInstanceDown Signifies that VLAG instance is down identified in the trap message. swVlagIslUp Signifies that connection between VLAG switches is up. swVlagIslDown Signifies that connection between VLAG switches is down. sw8021x Signifies 802.1x feature is enabled. swDefGwUp Signifies that the default gateway is alive. ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable. The range for ipCurCfgGwIndex is from 1 to ipGatewayTableMax. ipCurCfgGwAddr is the IP address of the default gateway. swDefGwDown Signifies that the default gateway is down. ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable. The range for ipCurCfgGwIndex is from 1 to ipGatewayTableMax. ipCurCfgGwAddr is the IP address of the default gateway. swDefGwInService Signifies that the default gateway is up and in service. ipCurCfgGwIndex is the index of ...
Page 651 VRRP virtual router IP address. swVrrpNewBackup Indicates that the sending agent has transitioned to “Backup” state. vrrpCurCfgVirtRtrIndx is the VRRP virtual router table index referenced in vrrpCurCfgVirtRtrTable. The range is from 1 to vrrpVirtRtrTableMaxSize. vrrpCurCfgVirtRtrAddr is the VRRP virtual router IP address. swVrrpAuthFailure Signifies that a packet has been received from a router whose authentication key or authentication type conflicts with this routerʹs authentication key or authentication type. Implementation of this trap is optional. vrrpCurCfgIfIndx is the VRRP interface index. This is equivalent to ifIndex in RFC 1213 mib. The range is from 1 to vrrpIfTableMaxSize. vrrpCurCfgIfPasswd is the password for authentication. It is a DisplayString of 0 to 7 characters. © Copyright Lenovo 2016 Chapter 41: Simple Network Management Protocol...
Page 652 Table 46. Enterprise NOS‐Supported Enterprise SNMP Traps (continued) Trap Name Description swTcpHoldDown Signifies that new TCP connection requests from a particular client will be blocked for a pre‐determined amount of time since the rate of new TCP connections from that client has reached a pre‐determined threshold. The fltCurCfgSrcIp is the client source IP address for which new TCP connection requests will be blocked. The swTrapRate specifies the amount of time in minutes that the particular client will be blocked. swNTPSyncFailed Signifies that synchronization with the NTP server has failed. swNTPUpdateClock Signifies that the system clock is updated with NTP server. swECMPGatewayUp Signifies that the ECMP gateway is swECMPGatewayDown Signifies that the ECMP gateway is down. swTempExceedThreshold Signifies that the switch temperature has exceeded maximum safety limits. swFanFailure Signifies that fan failure has been detected. swFanFailureFixed Signifies that the fan failure has ...
Page 653 Signifies that a switch which was configured as a master in NVRAM has attached to the stack. swStackForceDetach Signifies that the master has sent a FORCE DETACH message to a member. swStackSwitchcoldStart Signifies that a Stack Member is re‐initializing itself such that neither the agent configuration nor the protocol entity implementation is altered. swStackSwitchwarmStart Signifies that a Stack Member is re‐initializing itself such that neither the agent configuration nor the protocol entity implementation is altered. swVMGroupVMotion Signifies that a virtual machine has moved from a port to another. swVMGroupVMOnline Signifies that an advance provisioned virtual machine has came online. swVMGroupVMVlanChange Signifies that a virtual machine has entered a VLAN, or changed the VLAN. © Copyright Lenovo 2016 Chapter 41: Simple Network Management Protocol...
Page 654 Table 46. Enterprise NOS‐Supported Enterprise SNMP Traps (continued) Trap Name Description swVmCheckSpoofedvm Signifies that a spoofed VM MAC was found. swOflowConnectControllerFailure Signifies that the connection to OpenFlow controller is broken. swOflowConnectControllerSuccess Signifies that the connection to OpenFlow controller is successful. swOflowEmergencyState Signifies that the OpenFlow switch has moved to emergency state. swOflowNoEmergencyState Signifies that the OpenFlow switch is out of emergency state. swOflowSwitchOflowMode Signifies that the device is working in OpenFlow switch mode. swOflowSwitchNomalMode Signifies that the device is working in normal switch mode. swOflowSwitchFlowtableClr Signifies that the flow table entries are cleared from the device. swOflowSwitchStatsClr Signifies that the OpenFlow statistics are cleared from the device. swOflowFlowtableEntryUnavail Signifies that the device is unable to add flow entry in OpenFlow due to unavailability of system resources. swOflowFlowtableLimit Signifies that the device has ...
Page 655: Switch Images And Configuration Files
1.3.6.1.4.1.26534.2.7.6.1.1.7.1 agTransferImage 1.3.6.1.4.1.26534.2.7.6.1.1.7.2 agTransferImageFileName 1.3.6.1.4.1.26534.2.7.6.1.1.7.3 agTransferCfgFileName 1.3.6.1.4.1.26534.2.7.6.1.1.7.4 agTransferDumpFileName 1.3.6.1.4.1.26534.2.7.6.1.1.7.5 agTransferAction 1.3.6.1.4.1.26534.2.7.6.1.1.7.6 agTransferLastActionStatus 1.3.6.1.4.1.26534.2.7.6.1.1.7.7 agTransferPort 1.3.6.1.4.1.26534.2.7.6.1.1.7.8 agTransferUserName 1.3.6.1.4.1.26534.2.7.6.1.1.7.9 agTransferPassword 1.3.6.1.4.1.26534.2.7.6.1.1.7.10 agTransferTSDumpFileName 1.3.6.1.4.1.26534.2.7.6.1.1.7.11 The following SNMP actions can be performed using the MIBs listed in the table:  Load a new Switch image (boot or running) from an FTP, SFTP, or TFTP server  Load a previously saved switch configuration from an FTP, SFTP, or TFTP server  Save the switch configuration to an FTP, SFTP, or TFTP server  Save a switch dump to an FTP, SFTP, or TFTP server © Copyright Lenovo 2016 Chapter 41: Simple Network Management Protocol...
Page 656: Loading A New Switch Image
Loading a New Switch Image To load a new switch image with the name “MyNewImage1.img” into image2, follow these steps. This example shows an FTP or TFTP server at IPv4 address 192.168.10.10, though IPv6 is also supported. 1. Set the FTP or TFTP server address where the switch image resides: Set agTransferServer.0 "192.168.10.10" 2. Set the area where the new image will be loaded: Set agTransferImage.0 "image2" 3. Set the name of the image: Set agTransferImageFileName.0 "MyNewImage1.img" 4. If you are using an FTP server, enter a username: Set agTransferUserName.0 "MyName" 5. If you are using an FTP server, enter a password: Set agTransferPassword.0 "MyPassword" 6. Initiate the transfer. To transfer a switch image, enter 2 (gtimg): Set agTransferAction.0 "2" Loading a Saved Switch Configuration To load a saved switch configuration with the name “MyRunningConfig.cfg” into the switch, follow these steps. This example shows an FTP, SFTP, or TFTP server at IPv4 address 192.168.10.10, though IPv6 is also supported. 1. Set the FTP, SFTP, or TFTP server address where the switch Configuration File resides: Set agTransferServer.0 "192.168.10.10" 2. Set the name of the configuration file: Set agTransferCfgFileName.0 "MyRunningConfig.cfg"...
Page 657: Saving The Switch Configuration
3. If you are using an FTP or SFTP server, enter a username: Set agTransferUserName.0 "MyName" 4. If you are using an FTP or SFTP server, enter a password: Set agTransferPassword.0 "MyPassword" 5. Initiate the transfer. To save a running configuration file, enter 4: Set agTransferAction.0 "4" Saving a Switch Dump To save a switch dump to a file server, follow these steps. This example shows an FTP, SFTP, or TFTP server at 192.168.10.10, though IPv6 is also supported. 1. Set the FTP, SFTP, or TFTP server address where the configuration will be saved: Set agTransferServer.0 "192.168.10.10" 2. Set the name of dump file: Set agTransferDumpFileName.0 "MyDumpFile.dmp" 3. If you are using an FTP or SFTP server, enter a username: Set agTransferUserName.0 "MyName" 4. If you are using an FTP or SFTP server, enter a password: Set agTransferPassword.0 "MyPassword" 5. Initiate the transfer. To save a dump file, enter 5: Set agTransferAction.0 "5" © Copyright Lenovo 2016 Chapter 41: Simple Network Management Protocol...
Page 658 G8264 Application Guide for ENOS 8.4...
Page 659: Chapter 42. Service Location Protocol
Service Location Protocol (SLP) allows the switch to provide dynamic directory services that help users find servers by attributes rather than by name or address. SLP eliminates the need for a user to know the name of a network host supporting a service. SLP allows the user to bind a service description to the network address of the service. Service Location Protocol is described in RFC 2608. SLP defines specialized components called agents that perform tasks and support services as follows:  User Agent (UA) supports service query functions. It requests service information for user applications. The User Agent retrieves service information from the Service Agent or Directory Agents. A Host On‐Demand client is an example of a User Agent.  Service Agent (SA) provides service registration and service advertisement. Note: In this release, SA supports UA/DA on Linux with SLPv2 support.  Directory Agent (DA) collects service information from Service Agents to provide a repository of service information in order to centralize it for efficient access by User Agents. There can only be one Directory Agent present per given host. The Directory Agent acts as an intermediate tier in the SLP architecture, placed between the User Agents and the Service Agents, so they communicate only with the Directory Agent instead of with each other. This eliminates a large portion of the multicast request or reply traffic on the network, and it protects the Service Agents from being overwhelmed by too many service requests. Services are described by the configuration of attributes associated with a type of service. A User Agent can select an appropriate service by specifying the attributes that it needs in a service request message. When service replies are returned, they contain a Uniform Resource Locator (URL) pointing to the service desired, and other information, such as server load, needed by the User Agent. © Copyright Lenovo 2016 Chapter 42: Service Location Protocol...
Page 660: Active Da Discovery
Active DA Discovery When a Service Agent or User Agent initializes, it can perform Active Directory Agent Discovery using a multicast service request and specifies the special, reserved service type (service:directory-agent). Active DA Discovery is achieved through the same mechanism as any other discovery using SLP. The Directory Agent replies with unicast service replies, which provides the URLs and attributes of the requested service. G8264 Application Guide for ENOS 8.4...
Page 661: Slp Configuration
<1‐10> Configures the wait time before starting Active DA Discovery, in seconds. The default value is 3 seconds. Command mode: Global configuration clear ip slp directory-agents Clears all Directory Agents learned by the switch. Command mode: Global configuration show ip slp information Displays SLP information. Command mode: All show ip slp directoryagents Displays Directory Agents learned by the switch. Command mode: All show ip slp useragents Displays User Agents information. Command mode: All show ip slp counter Displays SLP statistics. Command mode: All clear ip slp counters Clears all Directory Agents learned by the switch. Command mode: Global configuration © Copyright Lenovo 2016 Chapter 42: Service Location Protocol...
Page 662 G8264 Application Guide for ENOS 8.4...
Page 663: Chapter 43. Netconf
Chapter 43. NETCONF The Network Configuration Protocol (NETCONF) provides a mechanism to manage the G8264, retrieve or modify existing configuration data, and upload new configuration data. See RFC 4741 for details on NETCONF. NETCONF operates in a client/server model. The NETCONF client establishes a session with the switch (acting as a NETCONF server) using a Remote Procedure Call (RPC). NETCONF is based on the Extensible Markup Language (XML) for encoding data and for exchanging configuration and protocol messages. The following topics are discussed in this section: “NETCONF Overview” on page 664   “XML Requirements” on page 665 “Installing the NETCONF Client” on page 666   “Using Juniper Perl Client” on page 668 “Establishing a NETCONF Session” on page 669   “NETCONF Operations” on page 671 “Protocol Operations Examples” on page 672  © Copyright Lenovo 2016...
Page 664: Netconf Overview
NETCONF Overview NETCONF provides a method to quickly configure the switch. It also allows you to implement a configuration across multiple switches, thereby saving time and reducing the chances of configuration errors. The NETCONF protocol defines basic operations that are equivalent to the switch ISCLI commands. Note: The current implementation of NETCONF supports only ISCLI commands. NETCONF is a connection‐oriented protocol. See Figure 63 for an overview of NETCONF operation. Figure 63. NETCONF Operations Procedure <hello> <capabilities/> </hello> <hello> <capabilities/> </hello> <rpc> <operation/> </rpc> <rpc-reply> <operation-response/> NETCONF NETCONF </rpc-reply> Client Server <rpc> <close-session/> </rpc> <rpc-reply> <ok/> </rpc-reply> Session • Session-ID Transport Layer Connection Transport Layer...
Page 665: Xml Requirements
XML Requirements XML is the encoding format used within NETCONF. When using XML for NETCONF:  All NETCONF protocol elements are defined in the following namespace: urn:ietf:params:xml:ns:netconf:base:1.0 NETCONF capability names must be Uniform Resource Identifiers (URIs):  urn:ietf:params:netconf:capability:{name}:1.0 where {name} is the name of the capability.  Document type declarations must not appear in the NETCONF content.  For Secure Shell (SSH), you must use a special message termination sequence of six characters to provide message framing: ]]>]]> © Copyright Lenovo 2016 Chapter 43: NETCONF...
Page 666: Installing The Netconf Client
Installing the NETCONF Client You can download the required NETCONF Client installation files from www.ibm.com. Select Support & downloads > Fixes, updates and drivers. Follow instructions on the IBM Support Portal page to find the files. Before installing the NETCONF client, ensure you have completed the following tasks: Install a supported version of Python (Python 2.6 or higher, up to but not  including Python 3.0) in the folder C:\.  Install the PyCrypto application appropriate to the Python version you are using. Note: The following steps are for the Windows operating systems. Follow these steps to install the Blade NETCONF Python Client (BNClient): 1. Extract the file bladenetconfpythonclientv0.1.zip to the following folder: Under the root folder C:\bladenetconfpythonclientv0.1, you will see two folders: bladenetconfpythonclient  pythonlibrary  Note: Make sure Paramiko version 1.7.4 or higher is in the folder C:\bladenetconfpythonclientv0.1\pythonsshlibrary\ 2. Open the command prompt (Select Start > Run > cmd). 3.
Page 667 Enter the following command for help: python C:\bladenetconfpythonclientv0.1\bladenetconfpython client\bnclient\bnclient.py –h b. Enter the following command to establish a NETCONF session: Using SSH to connect to default port 830:  python C:\bladenetconfpythonclientv0.1\bladenetconfpython client\bnclient\bnclient.py {switch IP address} –u admin –p admin –o Using SSH to connect to port 22:  python C:\bladenetconfpythonclientv0.1\bladenetconfpython client\bnclient\bnclient.py {switch IP address}:22 –u admin –p admin –o As a python library: a. Open the file C:\bladenetconfpythonclientv0.1\bladenetconf pythonclient\example\get.py in a Python editor (For example, IDLE). b. Change the IP address in the hostname field to the switch IP address, and save the file. c. Enter the following command to establish a session: python C:\bladenetconfpythonclientv0.1\bladenetconfpython client\setup.py install d. Enter the following command to get the running configuration: python C:\bladenetconfpythonclientv0.1\bladenetconfpython client\example\get.py Note: The file get.py is an example of a NETCONF operation python script. You can edit the script or write a new script as per your requirements. © Copyright Lenovo 2016 Chapter 43: NETCONF...
Page 668: Using Juniper Perl Client
Using Juniper Perl Client You can use Juniper Perl client instead of BNClient to communicate with the NETCONF feature on the switch. Follow these steps to use the Juniper Perl client. Note: You must use the Linux operating system for the Juniper Perl client. 1. Extract the file junipernetconfperlclient.zip to the folder: /home/user/ You will see two folders: junipernetconfperlclient  bladenetconfperlscripts  2. Follow these steps to install the Juniper Perl client: As a Perl library: a. Change to the following directory: /home/user/junipernetconfperlclient b. Extract the following file: netconfperl10.0R2.10.tar.gz c. Change to the following directory: /home/user/junipernetconfperlclient/netconfperl10.0R2 d. Install the client as per the instructions in the README file. Note: If the prerequisites package installation fails, manually install each file in /home/user/junipernetconfperlclient\netconfperlprereqs patch. As a Perl script: a. Change to the following directory: /home/user/bladenetconfperlscripts/ b. Enter the following command: perl get/get.pl l admin p admin {swich IP address} Note: get.pl is an example of a NETCONF operation Perl script. You can edit the ...
Page 669: Establishing A Netconf Session
1. Enter the following command to open an SSH connection: ssh admin@{switch IP address} p 830 s netconf 2. Type or paste the following hello message: <hello> <capabilities> <capability>urn:ietf:params:netconf:base:1.0</capability> </capabilities> </hello> ]]>]]> The switch returns a hello message: <hello xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <capabilities> <capability>urn:ietf:params:netconf:base:1.0</capability> <capability>urn:ietf:params:netconf:capability:writablerunning:1.0</capab ility> <capability>urn:ietf:params:netconf:capability:rollbackonerror:1.0</capa bility> <capability>urn:ietf:params:netconf:capability:startup:1.0</capability> </capabilities> <sessionid>102</sessionid> </hello> ]]>]]> 3. Type or paste the following rpc message. The get operation is used as an example. <rpc messageid=“100”> <get> <filter type=“subtree”> <configurationtext/> </filter> </get> </rpc> ]]>]]> © Copyright Lenovo 2016 Chapter 43: NETCONF...
Page 670 The switch sends an rpcreply message: <rpcreply messageid=“100”> <data> <configurationtext xmlns=“http://www.ibm.com/netconf/1.0/configtext”> version “8.4.1” switchtype “Lenovo Lenovo RackSwitch G8264” no system dhcp mgta interface ip 127 ip address 172.31.36.51 enable exit ip gateway 3 address 172.31.1.1 ip gateway 3 enable </configurationtext> </data> </rpcreply> ]]>]]> Note: Repeat Step 3 for each request you need to send to the switch. 4. Type or paste the following closesession message to close the NETCONF session and terminate the SSH connection. <rpc messageid=“101”> <closesession/> </rpc> ]]>]]> The switch sends the following response: <rpcreply messageid=“101”> <ok/> </rpcreply> ]]>]]> G8264 Application Guide for ENOS 8.4...
Page 671: Netconf Operations
Operation Description getconfig Retrieve all or part of the running or startup configuration. editconfig Load all or part of a specified configuration to the running or startup configuration. copyconfig Replace the target running or startup configuration with a source running or startup configuration. deleteconfig Delete startup configuration. lock Lock the running configuration to prevent other users (via another NETCONF session) from changing it. unlock Release a locked running configuration. Retrieve running configuration and device state information. closesession Request graceful termination of a NETCONF session. killsession Force the termination of a NETCONF session. getconfiguration Retrieve configuration data from the switch. getinterfaceinformation Retrieve interface status information. © Copyright Lenovo 2016 Chapter 43: NETCONF...
Page 672: Protocol Operations Examples
Protocol Operations Examples Following are examples of the NETCONF protocol operations supported by the G8264. <get-config> Usage: <rpc messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <getconfig> <source> <running/> </source> <filter type=“subtree”> <configurationtext xmlns=“http://www.ibm.com/netconf/1.0/configtext”/> </filter> </getconfig> </rpc> Response from the switch: <rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <data> <configurationtext xmlns=“http://www.ibm.com/netconf/1.0/configtext”> <! configuration text... > </configurationtext> </data> </rpcreply> See Table 50 for the tag elements and their values. getconfig Tag Element Values Table 50. Tag Element Description Value source running/ The configuration text you want to retrieve.
Page 673: Edit-Config
<editconfig> <target> <running/> </target> <defaultoperation> <merge/> </defaultoperation> <erroroption> <stoponerror/> </erroroption> <configtext xmlns=“http://www.ibm.com/netconf/1.0/configtext”> <configurationtext>hostname Router</configurationtext> </configtext> </editconfig> </rpc> Response from the switch: <rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpcreply> See Table 51 for the tag elements and their values. editconfig Tag Element Values Table 51. Tag Element Description Value target running/ or startup/ The configuration you want to edit. © Copyright Lenovo 2016 Chapter 43: NETCONF...
Page 674 editconfig Tag Element Values Table 51. Tag Element Description Value defaultoperation Set the default merge: The new  operation for the configuration is merged editconfig request. with the target configuration at the corresponding level. replace: The new  configuration replaces the target configuration. none: The target  configuration does not change unless the configuration data in the configurationtext parameter uses the operation attribute to request a different operation. erroroption stoponerror: Abort Set the option to handle  configuration error. the editconfig operation on first error. This is the default error‐option. continueonerror: ...
Page 675: Copy-Config
Usage: <rpc messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <copyconfig> <target> <startup/> </target> <source> <running/> </source> </copyconfig> </rpc> Response from the switch: <rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpcreply> See Table 52 for the tag elements and their values. copyconfig Tag Element Values Table 52. Tag Element Description Value target Configuration that needs to be changed. running/ or startup/ source running/ or Source configuration. startup/ © Copyright Lenovo 2016 Chapter 43: NETCONF...
Page 676: Delete-Config
<delete-config> Usage: <rpc messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <deleteconfig> <target> <startup/> </target> </deleteconfig> </rpc> Response from the switch: <rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpcreply> See Table 53 for the tag elements and their values. Table 53. deleteconfig Tag Element Values Tag Element Description Value target startup/ Configuration that needs to be deleted. <lock> Usage: <rpc messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <lock> <target> <running/> </target> </lock> </rpc> Response from the switch: <rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpcreply> See Table 54 for the tag elements and their values.
Page 677: Unlock
<unlock> Usage: <rpc messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <unlock> <target> <running/> </target> </unlock> </rpc> Response from the switch: <rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpcreply> See Table 55 for the tag elements and their values. Table 55. unlock Tag Element Values Tag Element Description Value target running/ Configuration being edited. © Copyright Lenovo 2016 Chapter 43: NETCONF...
Page 678: Get
<get> Usage: <rpc messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <get> <filter type=“subtree”> <! request a text version of the configuration > <configurationtext xmlns=“http://www.ibm.com/netconf/1.0/configtext”/> </filter> </get> </rpc> Response from the switch: <rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <data> <configurationtext xmlns=“http://www.ibm.com/netconf/1.0/configtext”> <! configuration text... > </configuration text> </data> </rpcreply> See Table 56 for the tag elements and their values. get Tag Element Values Table 56. Tag Element Description Value filter subtree Filter type. configurationtext Configuration in ISCLI format. G8264 Application Guide for ENOS 8.4...
Page 679: Close-Session
<close-session> Usage: <rpc messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <closesession/> </rpc> Response from the switch: <rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpcreply> <kill-session> Usage: <rpc messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <killsession> <sessionid>4</sessionid> </killsession> </rpc> Response from the switch: <rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <ok/> </rpcreply> See Table 57 for the tag elements and their values. killsession Tag Element Values Table 57. Tag Element Description sessionid ID number of the session to be killed © Copyright Lenovo 2016 Chapter 43: NETCONF...
Page 680: Get-Configuration
<get-configuration> Usage: <rpc messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <getconfiguration database=“commited” format=“text”/> </rpc> Response from the switch: <rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <data> <configurationtext xmlns=“http://www.ibm.com/netconf/1.0/configtext”> <! configuration text... > </configuration text> </data> </rpcreply> See Table 58 for the tag elements and their values. getconfiguration Tag Element Values Table 58. Tag Element Description Attributes getconfiguratio database ‐ supports only Retrieve the configuration. committed format ‐ supports only text G8264 Application Guide for ENOS 8.4...
Page 681: Get-Interface-Information
<rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <interfaceinformation> <physicalinterface> <name></name> <adminstatus></adminstatus> <operstatus></operstatus> <localindex></localindex> <iftype></iftype> <linkleveltype></linkleveltype> <mtu></mtu> <speed></speed> <linktype></linktype> <trafficstatistics> <inputbytes></inputbytes> <outputbytes></outputbytes> <inputpackets></inputpackets> <outputpackets></outputpackets> </trafficstatistics> <inputerrorlist> <inputerrors></inputerrors> <framingerrors></framingerrors> <inputgiants></inputgiants> <inputdiscards></inputdiscards> </inputerrorlist> <outputerrorlist> <outputcollisions></outputcollisions> <outputerrors></outputerrors> <outputdrops></outputdrops> </outputerrorlist> </physicalinterface> </interfaceinformation> </rpcreply> © Copyright Lenovo 2016 Chapter 43: NETCONF...
Page 682  IP detail information <rpcreply messageid=“101” xmlns=“urn:ietf:params:xml:ns:netconf:base:1.0”> <interfaceinformation> <physicalinterface> <logicalinterface> <name></name> <localindex></localindex> <addressfamily> <addressfamilyname></addressfamilyname> <mtu></mtu> <interfaceaddress> <ifadestination></ifadestination> <ifalocal></ifalocal> <ifabroadcast></ifabroadcast> </interfaceaddress> </addressfamily> </logicalinterface> </physicalinterface> </interfaceinformation> </rpcreply> See Table 59 for the tag elements and their values. getinterfaceinformation Tag Element Values Table 59. Tag Element Description interfacename Interface name or number. You can use the tags brief/ or detail/ to specify the amount of information you need. name Name of the port or IP interface. adminstatus Administration status of port interface; shutdown or no shutdown. operstatus Operational status of port interface; link‐up or ...
Page 683 Table 59. Tag Element Description inputerrors Sum of discarded frames and FCS Errors framingerrors Number of failed frames received. inputgiants Number of frames that are too long. inputdiscards Number of frames in discarding state. outputcollisions Number of Ethernet collisions. outputerrors Sum of the outgoing frame aborts and FCS errors. outputdrops Number of frames dropped. addressfamilyname Name of the address family; must be set to either “inet” or “inet6”. ifadestination Protocol network address of the interface. ifalocal Protocol host address on the interface. ifabroadcast Network broadcast address. © Copyright Lenovo 2016 Chapter 43: NETCONF...
Page 684 G8264 Application Guide for ENOS 8.4...
Page 685: Part 8: Monitoring
Part 8: Monitoring The ability to monitor traffic passing through the G8264 can be invaluable for troubleshooting some types of networking problems. This sections cover the following monitoring features:  Remote Monitoring (RMON)  sFlow  Port Mirroring © Copyright Lenovo 2016...
Page 686 G8264 Application Guide for ENOS 8.4...
Page 687: Chapter 44. Remote Monitoring
Chapter 44. Remote Monitoring Remote Monitoring (RMON) allows network devices to exchange network monitoring data. RMON allows the switch to perform the following functions:  Track events and trigger alarms when a threshold is reached.  Notify administrators by issuing a syslog message or SNMP trap. © Copyright Lenovo 2016...
Page 688: Rmon Overview
RMON Overview The RMON MIB provides an interface between the RMON agent on the switch and an RMON management application. The RMON MIB is described in RFC 1757. The RMON standard defines objects that are suitable for the management of Ethernet networks. The RMON agent continuously collects statistics and proactively monitors switch performance. RMON allows you to monitor traffic flowing through the switch. The switch supports the following RMON Groups, as described in RFC 1757:  Group 1: Statistics  Group 2: History  Group 3: Alarms  Group 9: Events G8264 Application Guide for ENOS 8.4...
Page 689: Rmon Group 1-Statistics
Note: RMON port statistics must be enabled for the port before you can view RMON statistics. The following is an example of configuring RMON Group 1: 1. Enable RMON on a port. RS G8264(config)# interface port 1 RS G8264(configif)# rmon 2. View RMON statistics for the port. RS G8264(configif)# show interface port 1 rmoncounters RMON statistics for port 1: etherStatsDropEvents: NA etherStatsOctets: 7305626 etherStatsPkts: 48686 etherStatsBroadcastPkts: 4380 etherStatsMulticastPkts: 6612 etherStatsCRCAlignErrors: 22 etherStatsUndersizePkts: 0 etherStatsOversizePkts: 0 etherStatsFragments: 2 etherStatsJabbers: 0 etherStatsCollisions: 0 etherStatsPkts64Octets: 27445 etherStatsPkts65to127Octets: 12253 etherStatsPkts128to255Octets: 1046 etherStatsPkts256to511Octets: 619 etherStatsPkts512to1023Octets: 7283 etherStatsPkts1024to1518Octets: 38 © Copyright Lenovo 2016 Chapter 44: Remote Monitoring...
Page 690: Rmon Group 2-History
RMON Group 2—History The RMON History Group allows you to sample and archive Ethernet statistics for a specific interface during a specific time interval. History sampling is done per port. Note: RMON port statistics must be enabled for the port before an RMON History Group can monitor the port. Data is stored in buckets, which store data gathered during discreet sampling intervals. At each configured interval, the History index takes a sample of the current Ethernet statistics, and places them into a bucket. History data buckets reside in dynamic memory. When the switch is re‐booted, the buckets are emptied. Requested buckets are the number of buckets, or data slots, requested by the user for each History Group. Granted buckets are the number of buckets granted by the system, based on the amount of system memory available. The system grants a maximum of 50 buckets. You can use an SNMP browser to view History samples. History MIB Object ID The type of data that can be sampled must be of an ifIndex object type, as described in RFC 1213 and RFC 1573. The most common data type for the History sample is as follows: 1.3.6.1.2.1.2.2.1.1.<x> The last digit (x) represents the number of the port to monitor. Configuring RMON History Perform the following steps to configure RMON History on a port. 1. Enable RMON on a port. RS G8264(config)# interface port 1 RS G8264(configif)# rmon RS G8264(configif)# exit 2.
Page 691: Rmon Group 3-Alarms
RS G8264(config)# rmon alarm <alarm number> fallingcrossingindex <event number> When the alarm threshold is reached, the corresponding event is triggered. Alarm MIB objects The most common data types used for alarm monitoring are ifStats: errors, drops, bad CRCs, and so on. These MIB Object Identifiers (OIDs) correlate to the ones tracked by the History Group. An example statistic follows: 1.3.6.1.2.1.5.1.0 – mgmt.icmp.icmpInMsgs This value represents the alarm’s MIB OID, as a string. Note that for non‐tables, you must supply a .0 to specify end node. Configuring RMON Alarms Configure the RMON Alarm parameters to track ICMP messages. RS G8264(config)# rmon alarm 1 oid 1.3.6.1.2.1.5.8.0 RS G8264(config)# rmon alarm 1 alarmtype rising RS G8264(config)# rmon alarm 1 risingcrossingindex 110 RS G8264(config)# rmon alarm 1 intervaltime 60 RS G8264(config)# rmon alarm 1 risinglimit 200 RS G8264(config)# rmon alarm 1 sample delta RS G8264(config)# rmon alarm 1 owner "Alarm for icmpInEchos" © Copyright Lenovo 2016 Chapter 44: Remote Monitoring...
Page 692 This configuration creates an RMON alarm that checks icmpInEchos on the switch once every minute. If the statistic exceeds 200 within a 60 second interval, an alarm is generated that triggers event index 110. G8264 Application Guide for ENOS 8.4...
Page 693: Rmon Group 9-Events
RMON Group 9—Events The RMON Event Group allows you to define events that are triggered by alarms. An event can be a log message, an SNMP trap, or both. When an alarm is generated, it triggers a corresponding event notification. Use the following commands to correlate an Event index to an alarm: RS G8264(config)# rmon alarm <alarm number> risingcrossingindex <event number> RS G8264(config)# rmon alarm <alarm number> fallingcrossingindex <event number> RMON events use SNMP and syslogs to send notifications. Therefore, an SNMP trap host must be configured for trap event notification to work properly. RMON uses a syslog host to send syslog messages. Therefore, an existing syslog host must be configured for event log notification to work properly. Each log event generates a syslog of type RMON that corresponds to the event. For example, to configure the RMON event parameters. RS G8264(config)# rmon event 110 type log RS G8264(config)# rmon event 110 description "SYSLOG_this_alarm" RS G8264(config)# rmon event 110 owner "log icmpInEchos alarm" This configuration creates an RMON event that sends a syslog message each time it is triggered by an alarm. © Copyright Lenovo 2016 Chapter 44: Remote Monitoring...
Page 694 G8264 Application Guide for ENOS 8.4...
Page 695: Chapter 45. Sflow
The G8264 can be configured to send network statistics to an sFlow analyzer at regular intervals. For each port, a polling interval of 5 to 60 seconds can be configured, or 0 (the default) to disable this feature. When polling is enabled, at the end of each configured polling interval, the G8264 reports general port statistics and port Ethernet statistics. sFlow Network Sampling In addition to statistical counters, the G8264 can be configured to collect periodic samples of the traffic data received on each port. For each sample, 128 bytes are copied, UDP‐encapsulated, and sent to the configured sFlow analyzer. For each port, the sFlow sampling rate can be configured to occur once each 256 to 65536 packets, or 0 to disable (the default). A sampling rate of 256 means that one sample will be taken for approximately every 256 packets received on the port. The sampling rate is statistical, however. It is possible to have slightly more or fewer samples sent to the analyzer for any specific group of packets (especially under low traffic conditions). The actual sample rate becomes most accurate over time, and under higher traffic flow. sFlow sampling has the following restrictions:  Sample Rate—The fastest sFlow sample rate is 1 out of every 256 packets.  ACLs—sFlow sampling is performed before ACLs are processed. For ports configured both with sFlow sampling and one or more ACLs, sampling will occur regardless of the action of the ACL.  Port Mirroring—sFlow sampling will not occur on mirrored traffic. If sFlow sampling is enabled on a port that is configured as a port monitor, the mirrored traffic will not be sampled. Egress traffic—sFlow sampling will not occur on egress traffic.  Note: Although sFlow sampling is not generally a CPU‐intensive operation, configuring fast sampling rates (such as once every 256 packets) on ports under heavy traffic loads can cause switch CPU utilization to reach maximum. Use larger rate values for ports that experience heavy traffic. © Copyright Lenovo 2016...
Page 696: Sflow Example Configuration
sFlow Example Configuration 1. Specify the location of the sFlow analyzer (the server and optional port to which the sFlow information will be sent): (sFlow server address) RS G8264(config)# sflow server <IPv4 address> (Set the optional service port) RS G8264(config)# sflow port <service port> (Enable sFlow features) RS G8264(config)# sflow enable By default, the switch uses established sFlow service port 6343. To disable sFlow features across all ports, use the no sflow enable command. 2. On a per‐port basis, define the statistics polling rate: RS G8264(config)# interface port <port> (Statistics polling rate) RS G8264(configif)# sflow polling <polling rate> Specify a polling rate between 5 and 60 seconds, or 0 to disable. By default, polling is 0 (disabled) for each port. 3. On a per‐port basis, define the data sampling rate: (Data sampling rate) RS G8264(configif)# sflow sampling <sampling rate> Specify a sampling rate between 256 and 65536 packets, or 0 to disable. By default, the sampling rate is 0 (disabled) for each port. 4. Save the configuration. G8264 Application Guide for ENOS 8.4...
Page 697: Chapter 46. Port Mirroring
Chapter 46. Port Mirroring The Lenovo Enterprise Network Operating System port mirroring feature allows you to mirror (copy) the packets of a target port, and forward them to a monitoring port. Port mirroring functions for all layer 2 and layer 3 traffic on a port. This feature can be used as a troubleshooting tool or to enhance the security of your network. For example, an IDS server or other traffic sniffer device or analyzer can be connected to the monitoring port to detect intruders attacking the network. © Copyright Lenovo 2016...
Page 698: Port Mirroring Model
Port Mirroring Model The G8264 supports a “many to one” mirroring model. As shown in Figure 64, selected traffic for ports 1 and 2 is being monitored by port 3. In the example, both ingress traffic and egress traffic on port 2 are copied and forwarded to the monitor. However, port 1 mirroring is configured so that only ingress traffic is copied and forwarded to the monitor. A device attached to port 3 can analyze the resulting mirrored traffic. Figure 64. Mirroring Ports Mirrored Ports Monitor Port Ingress Connected to Both Traffic sniffer device Specified traffic is copied and forwarded to Monitor Port The G8264 supports four monitor ports in stand‐alone (non‐stacking) mode. Only one monitor port is supported in stacking mode. Each monitor port can receive mirrored traffic from any number of target ports. Enterprise NOS does not support “one to many” or “many to many” mirroring models where traffic from a specific port traffic is copied to multiple monitor ports. For example, port 1 traffic cannot be monitored by both port 3 and 4 at the same time, nor can port 2 ingress traffic be monitored by a different port than its egress traffic.
Page 699: Configuring Port Mirroring
Configuring Port Mirroring The following procedure may be used to configure port mirroring for the example shown in Figure 64 on page 698: 1. Specify the monitoring port, the mirroring port(s), and the port‐mirror direction. RS G8264(config)# portmirroring monitorport 3 mirroringport 1 in RS G8264(config)# portmirroring monitorport 3 mirroringport 2 both 2. Enable port mirroring. RS G8264(config)# portmirroring enable 3. View the current configuration. RS G8264# show portmirroring Port Monitoring : Enabled Monitoring Ports Mirrored Ports 1, in 2, both © Copyright Lenovo 2016 Chapter 46: Port Mirroring...
Page 700 G8264 Application Guide for ENOS 8.4...
Page 702 G8264 Application Guide for ENOS 8.4...
Page 703: Appendix A. Getting Help And Technical Assistance
Check all cables to make sure that they are connected.  Check the power switches to make sure that the system and any optional devices are turned on.  Check for updated software, firmware, and operating‐system device drivers for your Lenovo product. The Lenovo Warranty terms and conditions state that you, the owner of the Lenovo product, are responsible for maintaining and updating all software and firmware for the product (unless it is covered by an additional maintenance contract). Your service technician will request that you upgrade your software and firmware if the problem has a documented solution within a software upgrade.  If you have installed new hardware or software in your environment, check the IBM ServerProven website to make sure that the hardware and software is supported by your product.  Go to the IBM Support portal to check for information to help you solve the problem.  Gather the following information to provide to the service technician. This data will help the service technician quickly provide a solution to your problem and ensure that you receive the level of service for which you might have contracted. Hardware and Software Maintenance agreement contract numbers, if  applicable Machine type number (if applicable–Lenovo 4‐digit machine identifier)  Model number  Serial number  Current system UEFI and firmware levels  Other pertinent information such as error messages and logs  © Copyright Lenovo 2016...
Page 704  Start the process of determining a solution to your problem by making the pertinent information available to the service technicians. The IBM service technicians can start working on your solution as soon as you have completed and submitted an Electronic Service Request. You can solve many problems without outside assistance by following the troubleshooting procedures that Lenovo provides in the online help or in the Lenovo product documentation. The Lenovo product documentation also describes the diagnostic tests that you can perform. The documentation for most systems, operating systems, and programs contains troubleshooting procedures and explanations of error messages and error codes. If you suspect a software problem, see the documentation for the operating system or program. G8264 Application Guide for ENOS 8.4...
Page 705: Appendix B. Notices
Lenovo may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: Lenovo (United States), Inc. 1009 Think Place ‐ Building One Morrisville, NC 27560 U.S.A. Attention: Lenovo Director of Licensing LENOVO PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON‐INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. The products described in this document are not intended for use in implantation or other life support applications where malfunction may result in injury or death to persons. The information contained in this document does not affect or change Lenovo product specifications or warranties. Nothing in this document shall operate as an express or implied license or indemnity under the intellectual property rights of Lenovo or third parties. All information contained in this document was obtained in specific environments and is presented as an illustration. The result obtained in other operating environments may vary. Lenovo may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Any references in this publication to non‐Lenovo Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this Lenovo product, and use of those Web sites is at your own risk. © Copyright Lenovo 2017...
Page 706 Any performance data contained herein was determined in a controlled environment. Therefore, the result obtained in other operating environments may vary significantly. Some measurements may have been made on development‐level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. G8264 Application Guide for ENOS 8.4...
Page 707: Trademarks
Trademarks Lenovo, the Lenovo logo, Flex System, System x, NeXtScale System, and X‐Architecture are trademarks of Lenovo in the United States, other countries, or both. Intel and Intel Xeon are trademarks of Intel Corporation in the United States, other countries, or both. Internet Explorer, Microsoft, and Windows are trademarks of the Microsoft group of companies. Linux is a registered trademark of Linus Torvalds. Other company, product, or service names may be trademarks or service marks of others. © Copyright Lenovo 2017 Appendix B: Notices...
Page 708: Important Notes
Important Notes Processor speed indicates the internal clock speed of the microprocessor; other factors also affect application performance. CD or DVD drive speed is the variable read rate. Actual speeds vary and are often less than the possible maximum. When referring to processor storage, real and virtual storage, or channel volume, KB stands for 1 024 bytes, MB stands for 1 048 576 bytes, and GB stands for 1 073 741 824 bytes. When referring to hard disk drive capacity or communications volume, MB stands for 1 000 000 bytes, and GB stands for 1 000 000 000 bytes. Total user‐accessible capacity can vary depending on operating environments. Maximum internal hard disk drive capacities assume the replacement of any standard hard disk drives and population of all hard‐disk‐drive bays with the largest currently supported drives that are available from Lenovo. Maximum memory might require replacement of the standard memory with an optional memory module. Each solid‐state memory cell has an intrinsic, finite number of write cycles that the cell can incur. Therefore, a solid‐state device has a maximum number of write cycles that it can be subjected to, expressed as total bytes written (TBW). A device that has exceeded this limit might fail to respond to system‐generated commands or might be incapable of being written to. Lenovo is not responsible for replacement of a device that has exceeded its maximum guaranteed number of program/erase cycles, as documented in the Official Published Specifications for the device. Lenovo makes no representations or warranties with respect to non‐Lenovo products. Support (if any) for the non‐Lenovo products is provided by the third party, not Lenovo. Some software might differ from its retail version (if available) and might not include user manuals or all program functionality. G8264 Application Guide for ENOS 8.4...
Page 709: Recycling Information
Recycling Information Lenovo encourages owners of information technology (IT) equipment to responsibly recycle their equipment when it is no longer needed. Lenovo offers a variety of programs and services to assist equipment owners in recycling their IT products. For information on recycling Lenovo products, go to: http://www.lenovo.com/recycling © Copyright Lenovo 2017 Appendix B: Notices...
Page 710: Particulate Contamination
Particulate Contamination Attention: Airborne particulates (including metal flakes or particles) and reactive gases acting alone or in combination with other environmental factors such as humidity or temperature might pose a risk to the device that is described in this document. Risks that are posed by the presence of excessive particulate levels or concentrations of harmful gases include damage that might cause the device to malfunction or cease functioning altogether. This specification sets forth limits for particulates and gases that are intended to avoid such damage. The limits must not be viewed or used as definitive limits, because numerous other factors, such as temperature or moisture content of the air, can influence the impact of particulates or environmental corrosives and gaseous contaminant transfer. In the absence of specific limits that are set forth in this document, you must implement practices that maintain particulate and gas levels that are consistent with the protection of human health and safety. If Lenovo determines that the levels of particulates or gases in your environment have caused damage to the device, Lenovo may condition provision of repair or replacement of devices or parts on implementation of appropriate remedial measures to mitigate such environmental contamination. Implementation of such remedial measures is a customer responsibility.. Contaminant Limits Particulate • The room air must be continuously filtered with 40% atmospheric dust spot efficiency (MERV 9) according to ASHRAE Standard 52.2 • Air that enters a data center must be filtered to 99.97% efficiency or greater, using high‐efficiency particulate air (HEPA) filters that meet MIL‐STD‐282. • The deliquescent relative humidity of the particulate contamination must be more than 60% • The room must be free of conductive contamination such as zinc whis‐ kers. Gaseous • Copper: Class G1 as per ANSI/ISA 71.04‐1985 • Silver: Corrosion rate of less than 300 Å in 30 days 1 ...
Page 711: Telecommunication Regulatory Statement
Telecommunication Regulatory Statement This product may not be certified in your country for connection by any means whatsoever to interfaces of public telecommunications networks. Further certification may be required by law prior to making any such connection. Contact a Lenovo representative or reseller for any questions. © Copyright Lenovo 2017 Appendix B: Notices...
Page 712: Electronic Emission Notices
Federal Communications Commission (FCC) Statement Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense. Properly shielded and grounded cables and connectors must be used to meet FCC emission limits. Lenovo is not responsible for any radio or television interference caused by using other than recommended cables and connectors or by unauthorized changes or modifications to this equipment. Unauthorized changes or modifications could void the user’s authority to operate the equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that might cause undesired operation. Industry Canada Class A Emission Compliance Statement This Class A digital apparatus complies with Canadian ICES‐003. Avis de Conformité à la Réglementation d'Industrie Canada Cet appareil numérique de la classe A est conforme à la norme NMB‐003 du ...
Page 713: Germany Class A Compliance Statement
Germany Class A Compliance Statement Deutschsprachiger EU Hinweis: Hinweis für Geräte der Klasse A EU‐Richtlinie zur Elektromagnetischen Verträglichkeit Dieses Produkt entspricht den Schutzanforderungen der EU‐Richtlinie 2014/30/EU (früher 2004/108/EC) zur Angleichung der Rechtsvorschriften über die elektromagnetische Verträglichkeit in den EU‐Mitgliedsstaaten und hält die Grenzwerte der Klasse A der Norm gemäß Richtlinie. Um dieses sicherzustellen, sind die Geräte wie in den Handbüchern beschrieben zu installieren und zu betreiben. Des Weiteren dürfen auch nur von der Lenovo empfohlene Kabel angeschlossen werden. Lenovo übernimmt keine Verantwortung für die Einhaltung der Schutzanforderungen, wenn das Produkt ohne Zustimmung der Lenovo verändert bzw. wenn Erweiterungskomponenten von Fremdherstellern ohne Empfehlung der Lenovo gesteckt/eingebaut werden. Deutschland: Einhaltung des Gesetzes über die elektromagnetische Verträglichkeit von Betriebsmittein Dieses Produkt entspricht dem ʺGesetz über die elektromagnetische Verträglichkeit von Betriebsmittelnʺ EMVG (früher ʺGesetz über die elektromagnetische Verträglichkeit von Gerätenʺ). Dies ist die Umsetzung der EU‐Richtlinie 2014/30/EU (früher 2004/108/EC) in der Bundesrepublik Deutschland. Zulassungsbescheinigung laut dem Deutschen Gesetz über die elektromagnetische Verträglichkeit von Betriebsmitteln, EMVG vom 20. Juli 2007 (früher Gesetz über die elektromagnetische Verträglichkeit von Geräten), bzw. der EMV EU Richtlinie 2014/30/EU (früher 2004/108/EC ), für Geräte der Klasse A. © Copyright Lenovo 2017 Appendix B: Notices...
Page 714: Japan Vcci Class A Statement
Dieses Gerät ist berechtigt, in Übereinstimmung mit dem Deutschen EMVG das EG‐Konformitätszeichen ‐ CE ‐ zu führen. Verantwortlich für die Konformitätserklärung nach Paragraf 5 des EMVG ist die Lenovo (Deutschland) GmbH, Meitnerstr. 9, D‐70563 Stuttgart. Informationen in Hinsicht EMVG Paragraf 4 Abs. (1) 4: Das Gerät erfüllt die Schutzanforderungen nach EN 55024 und EN 55022 Klasse Nach der EN 55022: ʺDies ist eine Einrichtung der Klasse A. Diese Einrichtung kann im Wohnbereich Funkstörungen verursachen; in diesem Fall kann vom Betreiber verlangt werden, angemessene Maßnahmen durchzuführen und dafür aufzukommen.ʺ Nach dem EMVG: ʺGeräte dürfen an Orten, für die sie nicht ausreichend entstört sind, nur mit besonderer Genehmigung des Bundesministers für Post und Telekommunikation oder des Bundesamtes für Post und Telekommunikation betrieben werden. Die Genehmigung wird erteilt, wenn keine elektromagnetischen Störungen zu erwarten sind.ʺ (Auszug aus dem EMVG, Paragraph 3, Abs. 4). Dieses Genehmigungsverfahrenist nach Paragraph 9 EMVG in Verbindung mit der entsprechenden Kostenverordnung (Amtsblatt 14/93) kostenpflichtig. Anmerkung: Um die Einhaltung des EMVG sicherzustellen sind die Geräte, wie in den Handbüchern angegeben, zu installieren und zu betreiben. Japan VCCI Class A Statement This is a Class A product based on the standard of the Voluntary Control Council for Interference (VCCI). If this equipment is used in a domestic environment, radio interference may occur, in which case the user may be required to take corrective actions. Japan Electronics and Information Technology Industries Association (JEITA) Statement Japan Electronics and Information Technology Industries Association (JEITA) Confirmed Harmonics Guidelines (products less than or equal to 20 A per phase) Japan Electronics and Information Technology Industries Association (JEITA) ...
Page 715: Korea Communications Commission (Kcc) Statement
Korea Communications Commission (KCC) Statement This is electromagnetic wave compatibility equipment for business (Type A). Sellers and users need to pay attention to it. This is for any areas other than home. © Copyright Lenovo 2017 Appendix B: Notices...
Page 716: Russia Electromagnetic Interference (Emi) Class A Statement
Russia Electromagnetic Interference (EMI) Class A statement G8264 Application Guide for ENOS 8.4...
Page 718: Taiwan Class A Compliance Statement
Taiwan Class A compliance statement G8264 Application Guide for ENOS 8.4...

Lenovo RackSwitch G8264 Application Manual

Chapter 1. Switch Administration

Chapter 2. Initial Setup

Chapter 3. Switch Software Management

Chapter 4. Securing Administration

Chapter 5. Authentication & Authorization Protocols

Chapter 6. 802.1X Port-Based Network Access Control

Chapter 7. Access Control Lists

Chapter 8. Secure Input/Output Module

Chapter 9. Vlans

Chapter 10. Ports and Link Aggregation

Chapter 11. Spanning Tree Protocols

Chapter 12. Virtual Link Aggregation Groups

Chapter 13. Quality of Service

Chapter 14. Precision Time Protocol

Chapter 15. Openflow

Quick Links

Troubleshooting

Related Manuals for Lenovo RackSwitch G8264

Summary of Contents for Lenovo RackSwitch G8264