Page 1 Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch Application Guide For Networking OS 8.2...
Page 2 Note: Before using this information and the product it supports, read the general information in the Safety information and Environmental Notices and User Guide documents on the Lenovo Documentation CD and the Warranty Information document that comes with the product. First Edition (March 2015) © Copyright Lenovo 2015 Portions © Copyright IBM Corporation 2014. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS‐35F‐05925. Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.
Page 3: Table Of Contents
Chapter 2. Initial Setup ..... . 47 Information Needed for Setup . . . . . . . . . . . . . . . . . . . . . .47 Default Setup Options . . . . . . . . . . . . . . . . . . . . . . . . . .48 Stopping and Restarting Setup Manually . . . . . . . . . . . . . . . . .48 Setup Part 1: Basic System Configuration . . . . . . . . . . . . . . . . .48 Setup Part 2: Port Configuration . . . . . . . . . . . . . . . . . . . . .50 Setup Part 3: VLANs . . . . . . . . . . . . . . . . . . . . . . . . . .51 Setup Part 4: IP Configuration . . . . . . . . . . . . . . . . . . . . . .52 IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Default Gateways . . . . . . . . . . . . . . . . . . . . . . . . . .53 IP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54 Setup Part 5: Final Steps . . . . . . . . . . . . . . . . . . . . . . . . .54 Optional Setup for Telnet Support . . . . . . . . . . . . . . . . . . . .55 © Copyright Lenovo 2015...
Page 4 Chapter 3. Service Location Protocol ....57 Active DA Discovery . . . . . . . . . . . . . . . . . . . . . . . . 57 SLP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 58 Chapter 4. System License Keys ....59 Obtaining Activation Keys . . . . . . . . . . . . . . . . . . . . . .
Page 5 Chapter 9. VLANs ......111 VLANs Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . 112 VLANs and Port VLAN ID Numbers . . . . . . . . . . . . . . . . . . 113 VLAN Tagging/Trunk Mode . . . . . . . . . . . . . . . . . . . . . . 117 Ingress VLAN Tagging . . . . . . . . . . . . . . . . . . . . . . 120 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . 121 VLAN Topologies and Design Considerations . . . . . . . . . . . . . . 122 © Copyright Lenovo 2015 Contents...
Page 6 Protocol‐Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . 125 Port‐Based vs. Protocol‐Based VLANs . . . . . . . . . . . . . . . . 125 PVLAN Priority Levels . . . . . . . . . . . . . . . . . . . . . . 126 PVLAN Tagging . . . . . . . . . . . . . . . . . . . . . . . . . 126 PVLAN Configuration Guidelines . . . . . . . . . . . . . . . . . 126 Configuring PVLAN . . . . . . . . . . . . . . . . . . . . . . . 126 Private VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Private VLAN Ports . . . . . . . . . . . . . . . . . . . . . . . . 128 Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . 129 Configuration Example . . . . . . . . . . . . . . . . . . . . . . 129 Chapter 10. Ports and Trunking ....131 Configuring Port Modes. . . . . . . . . . . . . . . . . . . . . . . . ...
Page 7 Part 4:. Advanced Switching Features ....199 Chapter 14. Stacking ..... . 201 Stacking Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Stacking Requirements. . . . . . . . . . . . . . . . . . . . . . . 202 Stacking Limitations . . . . . . . . . . . . . . . . . . . . . . . . 203 © Copyright Lenovo 2015 Contents...
Page 8 Stack Membership . . . . . . . . . . . . . . . . . . . . . . . . . . 204 The Master Switch . . . . . . . . . . . . . . . . . . . . . . . . 204 Splitting and Merging One Stack . . . . . . . . . . . . . . . . 204 Merging Independent Stacks . . . . . . . . . . . . . . . . . . 205 Backup Switch Selection . . . . . . . . . . . . . . . . . . . . . . 207 Master Failover . . . . . . . . . . . . . . . . . . . . . . . . 207 Master Recovery . . . . . . . . . . . . . . . . . . . . . . . 207 No Backup . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Stack Member Identification . . . . . . . . . . . . . . . . . . . . 208 Configuring a Stack. . . . . . . . . . . . . . . . . . . . . . . . . . 209 Configuration Overview . . . . . . . . . . . . . . . . . . . . . . 209 Best Configuration Practices . . . . . . . . . . . . . . . . . . . . 209 Stacking VLANs . . . . . . . . . . . . . . . . . . . . . . . 210 Configuring Each Switch in a Stack . . . . . . . . . . . . . . . . . 210 Configuring a Management IP Interface . . . . . . . . . . . . . . . 211 Additional Master Configuration . . . . . . . . . . . . . . . . . . 212 Viewing Stack Connections . . . . . . . . . . . . . . . . . . . 213 Binding Members to the Stack . . . . . . . . . . . . . . . . . ...
Page 9 Fibre Channel over Ethernet . . . . . . . . . . . . . . . . . . . . . . 262 The FCoE Topology . . . . . . . . . . . . . . . . . . . . . . . . 262 FCoE Requirements . . . . . . . . . . . . . . . . . . . . . . . . 263 Port Trunking . . . . . . . . . . . . . . . . . . . . . . . . . 264 Converged Enhanced Ethernet . . . . . . . . . . . . . . . . . . . . . 265 Turning CEE On or Off . . . . . . . . . . . . . . . . . . . . . . 265 Effects on Link Layer Discovery Protocol . . . . . . . . . . . . . . . 265 Effects on 802.1p Quality of Service . . . . . . . . . . . . . . . . . 266 Effects on Flow Control . . . . . . . . . . . . . . . . . . . . . . 267 FCoE Initialization Protocol Snooping . . . . . . . . . . . . . . . . . . 268 Global FIP Snooping Settings . . . . . . . . . . . . . . . . . . . . 268 FIP Snooping for Specific Ports . . . . . . . . . . . . . . . . . . . 268 FIPS Trunk Support on Server Ports . . . . . . . . . . . . . . . . . 268 Port FCF and ENode Detection . . . . . . . . . . . . . . . . . . . 269 FCoE Connection Timeout . . . . . . . . . . . . . . . . . . . . . 269 FCoE ACL Rules . . . . . . . . . . . . . . . . . . . . . . . . . 270 Optimized FCoE Traffic Flow . . . . . . . . . . . . . . . . . . . . 270 FCoE VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Viewing FIP Snooping Information . . . . . . . . . . . . . . . . . 271 Operational Commands . . . . . . . . . . . . . . . . . . . . . . 272 FIP Snooping Configuration . . . . . . . . . . . . . . . . . . . . 272 © Copyright Lenovo 2015 Contents...
Page 10 Priority‐Based Flow Control . . . . . . . . . . . . . . . . . . . . . . 274 Global vs. Port‐by‐Port PFC Configuration . . . . . . . . . . . . . . 275 PFC Configuration Example . . . . . . . . . . . . . . . . . . . . 276 Enhanced Transmission Selection. . . . . . . . . . . . . . . . . . . . 278 802.1p Priority Values . . . . . . . . . . . . . . . . . . . . . . . 278 Priority Groups . . . . . . . . . . . . . . . . . . . . . . . . . . 279 PGID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Assigning Priority Values to a Priority Group . . . . . . . . . . . 280 Deleting a Priority Group . . . . . . . . . . . . . . . . . . . 280 Allocating Bandwidth . . . . . . . . . . . . . . . . . . . . . 281 Configuring ETS . . . . . . . . . . . . . . . . . . . . . . . . . 282 Data Center Bridging Capability Exchange. . . . . . . . . . . . . . . . 284 DCBX Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Configuring DCBX . . . . . . . . . . . . . . . . . . . . . . . . 286 FCoE Example Configuration . . . . . . . . . . . . . . . . . . . . . 288 Chapter 19. Fibre Channel ....291 Ethernet vs. Fibre Channel . . . . . . . . . . . . . . . . . . . . . . . ...
Page 11 Part 5:. IP Routing......349 Chapter 24. Basic IP Routing ....351 IP Routing Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Routing Between IP Subnets . . . . . . . . . . . . . . . . . . . . . . 351 Subnet Routing Example . . . . . . . . . . . . . . . . . . . . . . 353 Using VLANs to Segregate Broadcast Domains . . . . . . . . . . . . 355 © Copyright Lenovo 2015 Contents...
Page 12 BOOTP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . 357 BOOTP Relay Agent Configuration . . . . . . . . . . . . . . . . . 357 Domain‐Specific BOOTP Relay Agent Configuration . . . . . . . . . 358 Dynamic Host Configuration Protocol. . . . . . . . . . . . . . . . . . 359 DHCP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . 359 DHCP Relay Agent Configuration . . . . . . . . . . . . . . . . . 361 Chapter 25. Internet Protocol Version 6 ....363 IPv6 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . 364 IPv6 Address Format . . . . . . . . . . . . . . . . . . . . . . . . . 365 IPv6 Address Types . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 13 Chapter 31. OSPF ......421 OSPFv2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 422 Types of OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . 422 Types of OSPF Routing Devices . . . . . . . . . . . . . . . . . . . 424 Neighbors and Adjacencies . . . . . . . . . . . . . . . . . . . . . 424 The Link‐State Database . . . . . . . . . . . . . . . . . . . . . . 425 The Shortest Path First Tree . . . . . . . . . . . . . . . . . . . . 425 Internal Versus External Routing . . . . . . . . . . . . . . . . . . 425 © Copyright Lenovo 2015 Contents...
Page 14 OSPFv2 Implementation in Lenovo N/OS . . . . . . . . . . . . . . . . 427 Configurable Parameters. . . . . . . . . . . . . . . . . . . . . . 427 Defining Areas . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Assigning the Area Index . . . . . . . . . . . . . . . . . . . 428 Using the Area ID to Assign the OSPF Area Number. . . . . . . . 428 Attaching an Area to a Network. . . . . . . . . . . . . . . . . 429 Interface Cost . . . . . . . . . . . . . . . . . . . . . . . . . . 429 Electing the Designated Router and Backup . . . . . . . . . . . . . 429 Summarizing Routes . . . . . . . . . . . . . . . . . . . . . . . 430 Default Routes . . . . . . . . . . . . . . . . . . . . . . . . . . 430 Virtual Links . . . . . . . . . . . . . . . . . . . . . . . . . . . 432 Router ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 433 Configuring Plain Text OSPF Passwords . . . . . . . . . . . . . 434 Configuring MD5 Authentication . . . . . . . . . . . . . . . . 434 Host Routes for Load Balancing. . . . . . . . . . . . . . . . . . . 435 Loopback Interfaces in OSPF . . . . . . . . . . . . . . . . . . . . ...
Page 15 Part 7:. Network Management ....487 Chapter 36. Link Layer Discovery Protocol ... . . 489 LLDP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 489 Enabling or Disabling LLDP . . . . . . . . . . . . . . . . . . . . . . 491 Global LLDP Setting . . . . . . . . . . . . . . . . . . . . . . . . 491 Transmit and Receive Control . . . . . . . . . . . . . . . . . . . 491 © Copyright Lenovo 2015 Contents...
Page 16 LLDP Transmit Features. . . . . . . . . . . . . . . . . . . . . . . . 492 Scheduled Interval . . . . . . . . . . . . . . . . . . . . . . . . 492 Minimum Interval . . . . . . . . . . . . . . . . . . . . . . . . 492 Time‐to‐Live for Transmitted Information . . . . . . . . . . . . . . 493 Trap Notifications . . . . . . . . . . . . . . . . . . . . . . . . 493 Changing the LLDP Transmit State . . . . . . . . . . . . . . . . . 494 Types of Information Transmitted. . . . . . . . . . . . . . . . . . 495 LLDP Receive Features . . . . . . . . . . . . . . . . . . . . . . . . 496 Types of Information Received . . . . . . . . . . . . . . . . . . . 496 Viewing Remote Device Information . . . . . . . . . . . . . . . . 496 Time‐to‐Live for Received Information . . . . . . . . . . . . . . . 498 LLDP Example Configuration . . . . . . . . . . . . . . . . . . . . . 500 Chapter 37. Simple Network Management Protocol..501 SNMP Version 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 17 People’s Republic of China Class A electronic emission statement . . . . . . 551 Taiwan Class A compliance statement . . . . . . . . . . . . . . . . . . 552 Index ......553 © Copyright Lenovo 2015 Contents...
Page 18 CN4093 Application Guide for N/OS 8.2...
Page 19: Preface
 Chapter 1, “Switch Administration,” describes how to access the CN4093 in order to configure the switch and view switch information and statistics. This chapter discusses a variety of manual administration interfaces, including local management via the switch console, and remote administration via Telnet, a web browser, or via SNMP.  Chapter 2, “Initial Setup,” describes how to use the built‐in Setup utility to perform first‐time configuration of the switch.  Chapter 3, “Service Location Protocol,” describes the Service Location Protocol (SLP) that allows the switch to provide dynamic directory services.  Chapter 4, “System License Keys,” describes how to manage Features on Demand (FoD) licenses and how to allocate bandwidth between physical ports within the installed licenses’ limitations. Part 2: Securing the Switch  Chapter 5, “Securing Administration,” describes methods for changing the default switch passwords, using Secure Shell and Secure Copy for administration connections, configuring end‐user access control, and placing the switch in protected mode.  Chapter 6, “Authentication & Authorization Protocols,” describes different secure administration for remote administrators. This includes using Remote Authentication Dial‐in User Service (RADIUS), as well as TACACS+ and LDAP. © Copyright Lenovo 2015...
Page 20 (STP) configures the network so that the switch selects the most efficient path when multiple paths exist. Also includes the Rapid Spanning Tree Protocol (RSTP), Per‐VLAN Rapid Spanning Tree Plus (PVRST+), and Multiple Spanning Tree Protocol (MSTP) extensions to STP.  Chapter 12, “Virtual Link Aggregation Groups,” describes using Virtual Link Aggregation Groups (VLAG) to form trunks spanning multiple VLAG‐capable aggregator switches.  Chapter 13, “Quality of Service,” discusses Quality of Service (QoS) features, including IP filtering using Access Control Lists (ACLs), Differentiated Services, and IEEE 802.1p priority values. Part 4: Advanced Switching Features  Chapter 14, “Stacking,” describes how to implement the stacking feature in the Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch. Chapter 15, “Virtualization,” provides an overview of allocating resources  based on the logical needs of the data center, rather than on the strict, physical nature of components.  Chapter 16, “Virtual NICs,” discusses using virtual NIC (vNIC) technology to divide NICs into multiple logical, independent instances. Chapter 17, “VMready,” discusses virtual machine (VM) support on the  CN4093.  Chapter 18, “FCoE and CEE,” discusses using various Converged Enhanced Ethernet (CEE) features such as Priority‐based Flow Control (PFC), Enhanced ...
Page 21 28, “Internet Group Management Protocol,” describes how the Lenovo N/OS software implements IGMP Snooping or IGMP Relay to conserve bandwidth in a multicast‐switching environment. Chapter 29, “Multicast Listener Discovery,” describes how Multicast Listener  Discovery (MLD) is used with IPv6 to support host users requests for multicast data for a multicast group.  Chapter 30, “Border Gateway Protocol,” describes Border Gateway Protocol (BGP) concepts and features supported in Lenovo N/OS. Chapter 31, “OSPF,” describes key Open Shortest Path First (OSPF) concepts  and their implemented in Lenovo N/OS, and provides examples of how to configure your switch for OSPF support.  Chapter 32, “Protocol Independent Multicast,” describes how multicast routing can be efficiently accomplished using the Protocol Independent Multicast (PIM) feature. Part 6: High Availability Fundamentals  Chapter 33, “Basic Redundancy,” describes how the CN4093 supports redundancy through trunking and Hotlinks.  Chapter 34, “Layer 2 Failover,” describes how the CN4093 supports high‐availability network topologies using Layer 2 Failover. © Copyright Lenovo 2015 Preface...
Page 22: Additional References
Chapter 39, “sFLOW, described how to use the embedded sFlow agent for sampling network traffic and providing continuous monitoring information to a central sFlow analyzer. Chapter 40, “Port Mirroring,” discusses tools how copy selected port traffic to a  monitor port for network analysis. Part 9: Appendices  Appendix A, “Glossary,” describes common terms and concepts used throughout this guide.  Appendix B, “Getting help and technical assistance,” describes how to get help.  Appendix C, “Notices,” provides trademark and other compliance information. Additional References Additional information about installing and configuring the CN4093 is available in the following guides:  Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch Installation Guide  Lenovo N/OS Menu‐Based CLI Command Reference  Lenovo N/OS ISCLI Command Reference  Lenovo N/OS Browser‐Based Interface Quick Guide CN4093 Application Guide for N/OS 8.2...
Page 23: Typographic Conventions
To establish a Telnet session, command examples as a enter: host# telnet <IP address> parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, Read your User’s Guide special terms, or words to be thoroughly. emphasized. host# ls [a] Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets. The vertical bar ( | ) is used in host# set left|right command examples to separate choices where multiple options exist. Select only one of the listed options. Do not type the vertical bar. This block type depicts menus, Click the Save button. AaBbCc123 buttons, and other controls that appear in Web browsers and other graphical interfaces. © Copyright Lenovo 2015 Preface...
Page 24 CN4093 Application Guide for N/OS 8.2...
Page 26 CN4093 Application Guide for N/OS 8.2...
Page 27: Chapter 1. Switch Administration
Administration Interfaces The switch software provides a variety of user‐interfaces for administration. These interfaces vary in character and in the methods used to access them: some are text‐based, and some are graphical; some are available by default, and some require configuration; some can be accessed by local connection to the switch, and others are accessed remotely using various client applications. For example, administration can be performed using any of the following: The Flex System chassis management module tools for general chassis  management  A built‐in, text‐based command‐line interface and menu system for access via serial‐port connection or an optional Telnet or SSH session  The built‐in Browser‐Based Interface (BBI) available using a standard web‐browser  SNMP support for access through network management software such as IBM Director. The specific interface chosen for an administrative session depends on user preferences, as well as the switch configuration and the available client tools. In all cases, administration requires that the switch hardware is properly installed and turned on. (see the Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch Installation Guide). Chassis Management Module The CN4093 10Gb Converged Scalable Switch is an integral subsystem within the overall Lenovo Flex System. The Flex System chassis also includes a chassis management module (CMM) as the central element for overall chassis management and control. Using the tools available through the CMM, the administrator can configure many of the CN4093 features and can also access other CN4093 administration interfaces. For more information, see “Using the Chassis Management Module” on page © Copyright Lenovo 2015...
Page 28: Industry Standard Command Line Interface
Industry Standard Command Line Interface The Industry Standard Command Line Interface (ISCLI) provides a simple, direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance. You can establish a connection to the CLI in any of the following ways:  Serial connection via the serial port on the CN4093 (this option is always avail‐ able)  Telnet connection over the network  SSH connection over the network When you first access the switch, you must enter the default username and password: USERID; PASSW0RD (with a zero). You are required to change the password after first login. Browser-Based Interface The Browser‐based Interface (BBI) provides access to the common configuration, management and operation features of the CN4093 through your Web browser. For more information, refer to the Lenovo N/OS BBI Quick Guide. CN4093 Application Guide for N/OS 8.2...
Page 29: Establishing A Connection
IPv4 Address Assigned by CMM Bay 1 10.90.90.91 192.168.70.120 Bay 2 10.90.90.92 192.168.70.121 Bay 3 10.90.90.93 192.168.70.122 Bay 4 10.90.90.94 192.168.70.123 Note: CN4093s installed in Bay 1 and Bay 2 connect to server NICs 1 and 2, respectively. © Copyright Lenovo 2015 Chapter 1: Switch Administration...
Page 30: Using Telnet
Using Telnet A Telnet connection offers the convenience of accessing the switch from a workstation connected to the network. Telnet access provides the same options for user and administrator access as those available through the console port. By default, Telnet access is disabled. Use the following commands (available on the console only) to enable or disable Telnet access: CN4093(config)# [no] access telnet enable Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the following Telnet command: telnet <switch IPv4 or IPv6 address> You will then be prompted to enter a password as explained “Switch Login Levels” on page Two attempts are allowed to log in to the switch. After the second unsuccessful attempt, the Telnet client is disconnected via TCP session closure. Using Secure Shell Although a remote network administrator can manage the configuration of a CN4093 via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure. The switch can do only one session of key/cipher generation at a time. Thus, a SSH/SCP client will not be able to login if the switch is doing key generation at that time. Similarly, the system will fail to do the key generation if a SSH/SCP client is logging in at that time. The supported SSH encryption and authentication methods are listed below.  Server Host Authentication: Client RSA‐authenticates the switch when starting each connection  Key Exchange: ecdh‐sha2‐nistp521, ecdh‐sha2‐nistp384, ecdh‐sha2‐nistp256, ecdh‐sha2‐nistp224, ecdh‐sha2‐nistp192, rsa2048‐sha256, rsa1024‐sha1, diffie‐hellman‐group‐exchange‐sha256, diffie‐hellman‐group‐exchange‐sha1, diffie‐hellman‐group14‐sha1, diffie‐hellman‐group1‐sha1 ...
Page 31  User Authentication: Local password authentication, RADIUS, TACACS+ The following SSH clients have been tested:  OpenSSH_5.1p1 Debian‐3ubuntu1  SecureCRT 5.0 (Van Dyke Technologies, Inc.)  Putty beta 0.60 Note: The Lenovo N/OS implementation of SSH supports version 2.0 and supports SSH client version 2.0. Using SSH with Password Authentication By default, the SSH feature is enabled. For information about enabling and using SSH for switch access, see “Secure Shell and Secure Copy” on page Once the IP parameters are configured and the SSH service is enabled, you can access the command line interface using an SSH connection. To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IPv4 or IPv6 address: # ssh <switch IP address> You will then be prompted to enter a password as explained “Switch Login Levels” on page Using SSH with Public Key Authentication SSH can also be used for switch authentication based on asymmetric cryptography. ...
Page 32: Using A Web Browser
Note: A user account can have up to 100 public keys set up on the switch. c. Configure a maximum number of 3 failed public key authentication attempts before the system reverts to password‐based authentication: CN4093(config)# ssh maxauthattempts 3 Once the public key is configured on the switch, the client can use SSH to login from a system where the private key pair is set up: # ssh <switch IP address> Using a Web Browser The switch provides a Browser‐Based Interface (BBI) for accessing the common configuration, management and operation features of the CN4093 through your Web browser. You can access the BBI directly from an open Web browser window. Enter the URL using the IP address of the switch interface (for example, http://<IPv4 or IPv6 address>). When you first access the switch, you must enter the default username and password: USERID; PASSW0RD (with a zero). You are required to change the password after first login. Configuring HTTP Access to the BBI By default, BBI access via HTTP is disabled on the switch. To enable or disable HTTP access to the switch BBI, use the following commands: CN4093(config)# access http enable (Enable HTTP access) ‐or‐ CN4093(config)# no access http enable (Disable HTTP access) The default HTTP web server port to access the BBI is port 80. However, you can change the default Web server port with the following command: CN4093(config)# access http port <TCP port number> To access the BBI from a workstation, open a Web browser window and type in the URL using the IP address of the switch interface (for example, http://<IPv4 or IPv6 address>).
Page 33: Configuring Https Access To The Bbi
3. Generate the HTTPS certificate. Accessing the BBI via HTTPS requires that you generate a certificate to be used during the key exchange. A default certificate is created the first time HTTPS is enabled, but you can create a new certificate defining the information you want to be used in the various fields. CN4093(config)# access https generatecertificate Country Name (2 letter code) []: <country code> State or Province Name (full name) []: <state> Locality Name (eg, city) []: <city> Organization Name (eg, company) []: <company> Organizational Unit Name (eg, section) []: <org. unit> Common Name (eg, YOUR name) []: <name> Email (eg, email address) []: <email address> Confirm generating certificate? [y/n]: y Generating certificate. Please wait (approx 30 seconds) restarting SSL agent 4. Save the HTTPS certificate. The certificate is valid only until the switch is rebooted. To save the certificate so that it is retained beyond reboot or power cycles, use the following command: CN4093(config)# access https savecertificate When a client (such as a web browser) connects to the switch, the client is asked to accept the certificate and verify that the fields match what is expected. Once BBI access is granted to the client, the BBI can be used as described in the Lenovo N/OS BBI Quick Guide. © Copyright Lenovo 2015 Chapter 1: Switch Administration...
Page 34: Bbi Summary
BBI Summary The BBI is organized at a high level as follows: Context buttons—These buttons allow you to select the type of action you wish to perform. The Configuration button provides access to the configuration elements for the entire switch. The Statistics button provides access to the switch statistics and state information. The Dashboard button allows you to display the settings and operating status of a variety of switch features. Navigation Window—This window provides a menu list of switch features and functions:  System—this folder provides access to the configuration elements for the entire switch.  Switch Ports—Configure each of the physical ports on the switch. Port‐Based Port Mirroring—Configure port mirroring behavior.   Layer 2—Configure Layer 2 features for the switch.  RMON Menu—Configure Remote Monitoring features for the switch.  Layer 3—Configure Layer 3 features for the switch.  QoS—Configure Quality of Service features for the switch. Access Control—Configure Access Control Lists to filter IP packets.   Virtualization – Configure VMready for virtual machine (VM) support. For information on using the BBI, refer to the Lenovo N/OS BBI Quick Guide. CN4093 Application Guide for N/OS 8.2...
Page 35: Using Simple Network Management Protocol
Using Simple Network Management Protocol Lenovo N/OS provides Simple Network Management Protocol (SNMP) version 1, version 2, and version 3 support for access through any network management software, such as IBM Director. To access the SNMP agent on the CN4093, the read and write community strings on the SNMP manager should be configured to match those on the switch. The read and write community strings on the switch can be changed using the following commands: CN4093(config)# snmpserver readcommunity <1‐32 characters> ‐and‐ CN4093(config)# snmpserver writecommunity <1‐32 characters> The SNMP manager should be able to reach any one of the IP interfaces on the switch. For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following commands: CN4093(config)# snmpserver trapsource <trap source IP interface> CN4093(config)# snmpserver host <IPv4 address> <trap host community string> For more information on SNMP usage and configuration, see “Simple Network Management Protocol” on page 501. © Copyright Lenovo 2015 Chapter 1: Switch Administration...
Page 36: Bootp/Dhcp Client Ip Address Services
BOOTP/DHCP Client IP Address Services For remote switch administration, the client terminal device must have a valid IP address on the same network as a switch interface. The IP address on the client device may be configured manually, or obtained automatically using IPv6 stateless address configuration, or an IPv4 address may obtained automatically via BOOTP or DHCP relay as discussed below. The CN4093 can function as a relay agent for Bootstrap Protocol (BOOTP) or DHCP. This allows clients to be assigned an IPv4 address for a finite lease period, reassigning freed addresses later to other clients. Acting as a relay agent, the switch can forward a client’s IPv4 address request to up to five BOOTP/DHCP servers. In addition to the five global BOOTP/DHCP servers, up to five domain‐specific BOOTP/DHCP servers can be configured for each of up to 10 VLANs. When a switch receives a BOOTP/DHCP request from a client seeking an IPv4 address, the switch acts as a proxy for the client. The request is forwarded as a UDP Unicast MAC layer message to the BOOTP/DHCP servers configured for the client’s VLAN, or to the global BOOTP/DHCP servers if no domain‐specific BOOTP/DHCP servers are configured for the client’s VLAN. The servers respond to the switch with a Unicast reply that contains the IPv4 default gateway and the IPv4 address for the client. The switch then forwards this reply back to the client. DHCP is described in RFC 2131, and the DHCP relay agent supported on the CN4093 is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. BOOTP and DHCP relay are collectively configured using the BOOTP commands and menus on the CN4093. Host Name Configuration The CN4093 supports DHCP host name configuration as described in RFC 2132, option 12. DHCP host name configuration is enabled by default. Host name can be manually configured using the following command: CN4093(config)# hostname <name> If the host name is manually configured, the switch does not replace it with the host name received from the DHCP server.
Page 37: Syslog Server
SYSLOG Server During switch startup, if the switch fails to get the configuration file, a message can be recorded in the SYSLOG server. The CN4093 supports requesting of a SYSLOG server IP address from the DHCP server as described in RFC 2132, option 7. DHCP SYSLOG server request option is enabled by default. Manually configured SYSLOG server takes priority over DHCP SYSLOG server. Up to two SYSLOG server addresses received from the DHCP server can be used. The SYSLOG server can be learnt over a management port or a data port. Use the CN4093# show logging command to view the SYSLOG server address. DHCP SYSLOG server address option can be enabled/disabled using the following command: CN4093(config)# [no] system dhcp syslog © Copyright Lenovo 2015 Chapter 1: Switch Administration...
Page 38: Switch Login Levels
Switch Login Levels To enable better switch management and user accountability, three levels or classes of user access have been implemented on the CN4093. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:  User interaction with the switch is completely passive—nothing can be changed on the CN4093. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.  Operators can only effect temporary changes on the CN4093. These changes will be lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation.  Administrators are the only ones that may make permanent changes to the switch configuration—changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the CN4093. Because administrators can also make temporary (operator‐level) changes as well, they must be aware of the interactions between temporary and permanent changes. Access to switch functions is controlled through the use of unique user names and passwords. Once you are connected to the switch via console, remote Telnet, or SSH, you are prompted to enter a password. The default user names/password for each access level are listed in the following table. Note: It is recommended that you change default switch passwords after initial configuration and as regularly as required under your network security policies.
Page 39 To disable admin account, use the command: CN4093(config)# no access user administratorenable. Admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege. © Copyright Lenovo 2015 Chapter 1: Switch Administration...
Page 40: Secure Ftp
Secure FTP Lenovo N/OS supports Secure FTP (SFTP) to the switch. SFTP uses Secure Shell (SSH) to transfer files. SFTP encrypts both commands and data, and prevents passwords and sensitive information from being transmitted openly over the network. All file transfer commands include SFTP support along with FTP and TFTP support. SFTP is available through the menu‐based CLI, ISCLI, BBI, and SNMP. The following examples illustrate SFTP support for ISCLI commands: CN4093# copy sftp {image1|image2|bootimage} [mgtport|dataport] (Copy software image from SFTP server to the switch) CN4093# copy sftp {cacert|hostcert|hostkey} [mgtport|dataport] (Copy HTTPS certificate or host key from SFTP server to the switch) CN4093 Application Guide for N/OS 8.2...
Page 41: Boot Strict Mode
Acceptable Protocols and Algorithms Protocol/Function Strict Mode Algorithm Compatibility Mode Algorithm BGP does not comply with NIST SP Acceptable 800-131A specification. When in strict mode, BGP is disabled. However, it can be enabled, if required. © Copyright Lenovo 2015 Chapter 1: Switch Administration...
Page 42 Table 4. Acceptable Protocols and Algorithms Protocol/Function Strict Mode Algorithm Compatibility Mode Algorithm Certificate RSA-2048 RSA 2048 Generation SHA-256 SHA 256 Certificate RSA 2048 or higher Acceptance SHA 224 or higher SHA, SHA2 HTTPS TLS 1.2 only TLS 1.0, 1.1, 1.2 “Acceptable Cipher Suites” on “Acceptable Cipher Suites”...
Page 43 ARCFOUR HMAC-SHA1 HMAC-SHA1 HMAC-SHA1-96 HMAC-SHA1-96 HMAC-MD5 HMAC-MD5-96 TACACS+ TACACS+ does not comply with NIST Acceptable SP 800-131A specification. When in strict mode, TACACS+ is disabled. However, it can be enabled, if required. © Copyright Lenovo 2015 Chapter 1: Switch Administration...
Page 44: Acceptable Cipher Suites
Acceptable Cipher Suites The following cipher suites are acceptable (listed in the order of preference) when the CN4093 10Gb Converged Scalable Switch is in compatibility mode: Table 5. List of Acceptable Cipher Suites in Compatibility Mode Cipher ID Key Authenticati Encryption MAC Cipher Name Exchan 0xC027 ECDHE AES_128_CB SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA2 0xC013 ECDHE AES_128_CB SHA1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC012 ECDHE 3DES SHA1 SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC011 ECDHE SHA1 SSL_ECDHE_RSA_WITH_RC4_128_SHA 0x002F AES_128_CB SHA1 TLS_RSA_WITH_AES_128_CBC_SHA 0x003C AES_128_CB SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 0x0005...
Page 45: Limitations
When strict mode is enabled, you will see the following message: Warning, security strict mode limits the cryptographic algorithms used by secure protocols on this switch. Please see the documentation for full details, and verify that peer devices support acceptable algorithms before enabling this mode. The mode change will take effect after reloading the switch and the configuration will be wiped during the reload. System will enter security strict mode with default factory configuration at next boot up. Do you want SNMPV3 support old default users in strict mode (y/n)? For SNMPv3 default users, see “SNMP Version 3” on page 502. When strict mode is disabled, the following message is displayed: Warning, disabling security strict mode. The mode change will take effect after reloading the switch. You must reboot the switch for the boot strict mode enable/disable to take effect. Limitations In Lenovo N/OS 8.2, consider the following limitation/restrictions if you need to operate the switch in boot strict mode:  Power ITEs and High‐Availability features do not comply with NIST SP 800‐131A specification. The CN4093 will not discover Platform agents/Common agents that are not in  strict mode. Web browsers that do not use TLS 1.2 cannot be used.   Limited functions of the switch managing Windows will be available. © Copyright Lenovo 2015 Chapter 1: Switch Administration...
Page 46 CN4093 Application Guide for N/OS 8.2...
Page 47: Chapter 2. Initial Setup
To help with the initial process of configuring your switch, the Lenovo N/OS software includes a Setup utility. The Setup utility prompts you step‐by‐step to enter all the necessary information for basic configuration of the switch. Setup can be activated manually from the command line interface any time after login: CN4093(config)# setup Information Needed for Setup Setup requests the following information:  Basic system information Date & time  Whether to use Spanning Tree Group or not   Optional configuration for each port Speed, duplex, flow control, and negotiation mode (as appropriate)  Whether to use VLAN tagging or not (as appropriate)   Optional configuration for each VLAN Name of VLAN  Which ports are included in the VLAN   Optional configuration of IP parameters IP address/mask and VLAN for each IP interface  IP addresses for default gateway  Whether IP forwarding is enabled or not  © Copyright Lenovo 2015...
Page 48: Default Setup Options
3. Enter the following command at the prompt: CN4093(config)# setup Stopping and Restarting Setup Manually Stopping Setup To abort the Setup utility, press <Ctrl‐C> during any Setup question. When you abort Setup, the system will prompt: Would you like to run from top again? [y/n] Enter n to abort Setup, or y to restart the Setup program at the beginning. Restarting Setup You can restart the Setup utility manually at any time by entering the following command at the administrator prompt: CN4093(config)# setup Setup Part 1: Basic System Configuration When Setup is started, the system prompts: "Set Up" will walk you through the configuration of System Date and Time, Spanning Tree, Port Speed/Mode, VLANs, and IP interfaces. [type CtrlC to abort "Set Up"] 1. Enter y if you will be configuring VLANs. Otherwise enter n. If you decide not to configure VLANs during this session, you can configure them later using the configuration menus, or by restarting the Setup facility. For more information on configuring VLANs, see the Lenovo N/OS Application Guide. Next, the Setup utility prompts you to input basic system information. CN4093 Application Guide for N/OS 8.2...
Page 49 3. Enter the month of the current system date at the prompt: System Date: Enter month [1]: Enter the month as a number from 1 to 12. To keep the current month, press <Enter>. 4. Enter the day of the current date at the prompt: Enter day [3]: Enter the date as a number from 1 to 31. To keep the current day, press <Enter>. The system displays the date and time settings: System clock set to 18:55:36 Wed Jan 28, 2012. 5. Enter the hour of the current system time at the prompt: System Time: Enter hour in 24hour format [18]: Enter the hour as a number from 00 to 23. To keep the current hour, press <Enter>. 6. Enter the minute of the current time at the prompt: Enter minutes [55]: Enter the minute as a number from 00 to 59. To keep the current minute, press <Enter>. 7. Enter the seconds of the current time at the prompt: Enter seconds [37]: Enter the seconds as a number from 00 to 59. To keep the current second, press <Enter>. The system then displays the date and time settings: System clock set to 8:55:36 Wed Jan 28, 2012. 8. Turn BOOTP on or off at the prompt: BootP Option: Current BOOTP: disabled Enter new BOOTP [d/e]: © Copyright Lenovo 2015 Chapter 2: Initial Setup...
Page 50: Setup Part 2: Port Configuration
Enter e to enable BOOTP, or enter d to disable BOOTP. 9. Turn Spanning Tree Protocol on or off at the prompt: Spanning Tree: Current Spanning Tree Group 1 setting: ON Turn Spanning Tree Group 1 OFF? [y/n] Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on. Setup Part 2: Port Configuration Note: When configuring port options for your switch, some prompts and options may be different. 1. Select whether you will configure VLANs and VLAN tagging for ports: Port Config: Will you configure VLANs and Tagging/Trunkmode for ports? [y/n] If you wish to change settings for VLANs, enter y, or enter n to skip VLAN configuration. Note: The sample screens that appear in this document might differ slightly from the screens displayed by your system.
Page 51: Setup Part 3: Vlans
Setup Part 3: VLANs If you chose to skip VLANs configuration back in Part 2, skip to “Setup Part 4: IP Configuration” on page 1. Select the VLAN to configure, or skip VLAN configuration at the prompt: VLAN Config: Enter VLAN number from 2 to 4094, NULL at end: If you wish to change settings for individual VLANs, enter the number of the VLAN you wish to configure. To skip VLAN configuration, press <Enter> without typing a VLAN number and go to “Setup Part 4: IP Configuration” on page 2. Enter the new VLAN name at the prompt: Current VLAN name: VLAN 2 Enter new VLAN name: Entering a new VLAN name is optional. To use the pending new VLAN name, press <Enter>. 3. Enter the VLAN port numbers: Define Ports in VLAN: Current VLAN 2: empty Enter ports one per line, NULL at end: Enter each port, by port number, and confirm placement of the port into this VLAN. When you are finished adding ports to this VLAN, press <Enter> without specifying any port. 4. Configure Spanning Tree Group membership for the VLAN: Spanning Tree Group membership: Enter new STG index [1128](802.1d)/[1](RSTP)/[032](MSTP): © Copyright Lenovo 2015 Chapter 2: Initial Setup...
Page 52: Setup Part 4: Ip Configuration
5. The system prompts you to configure the next VLAN: VLAN Config: Enter VLAN number from 2 to 4094, NULL at end: Repeat the steps in this section until all VLANs have been configured. When all VLANs have been configured, press <Enter> without specifying any VLAN. Setup Part 4: IP Configuration The system prompts for IPv4 parameters. Although the switch supports both IPv4 and IPv6 networks, the Setup utility permits only IPv4 configuration. For IPv6 configuration, see “Internet Protocol Version 6” on page 363. IP Interfaces IP interfaces are used for defining the networks to which the switch belongs. Up to 128 IP interfaces can be configured on the CN4093 10Gb Converged Scalable Switch (CN4093). The IP address assigned to each IP interface provides the switch with an IP presence on your network. No two IP interfaces can be on the same IP network. The interfaces can be used for connecting to the switch for remote configuration, and for routing between subnets and VLANs (if used). Note: Interfaces125-128 is reserved for IPv4 switch management. 1. Select the IP interface to configure, or skip interface configuration at the prompt: IP Config: IP interfaces: Enter interface number: (1128) If you wish to configure individual IP interfaces, enter the number of the IP interface you wish to configure. To skip IP interface configuration, press <Enter> without typing an interface number and go to “Default Gateways” on page 53. ...
Page 53: Default Gateways
Enable IP interface? [y/n] 6. The system prompts you to configure another interface: Enter interface number: (1128) Repeat the steps in this section until all IP interfaces have been configured. When all interfaces have been configured, press <Enter> without specifying any interface number. Default Gateways 1. At the prompt, select an IP default gateway for configuration, or skip default gateway configuration: IP default gateways: Enter default gateway number: (13, 4) Enter the number for the IP default gateway to be configured. To skip default gateway configuration, press <Enter> without typing a gateway number and go to “IP Routing” on page 2. At the prompt, enter the IPv4 address for the selected default gateway: Current IP address: 0.0.0.0 Enter new IP address: Enter the IPv4 address in dotted decimal notation, or press <Enter> without specifying an address to accept the current setting. 3. At the prompt, enter y to enable the default gateway, or n to leave it disabled: Enable default gateway? [y/n] 4. The system prompts you to configure another default gateway: Enter default gateway number: (14) Repeat the steps in this section until all default gateways have been configured. When all default gateways have been configured, press <Enter> without specifying any number. © Copyright Lenovo 2015 Chapter 2: Initial Setup...
Page 54: Ip Routing
IP Routing When IP interfaces are configured for the various IP subnets attached to your switch, IP routing between them can be performed entirely within the switch. This eliminates the need to send inter‐subnet communication to an external router device. Routing on more complex networks, where subnets may not have a direct presence on the CN4093, can be accomplished through configuring static routes or by letting the switch learn routes dynamically. This part of the Setup program prompts you to configure the various routing parameters. At the prompt, enable or disable forwarding for IP Routing: Enable IP forwarding? [y/n] Enter y to enable IP forwarding. To disable IP forwarding, enter n. To keep the current setting, press <Enter>. Setup Part 5: Final Steps 1. When prompted, decide whether to restart Setup or continue: Would you like to run from top again? [y/n] Enter y to restart the Setup utility from the beginning, or n to continue. 2. When prompted, decide whether you wish to review the configuration changes: Review the changes made? [y/n] Enter y to review the changes made during this session of the Setup utility. Enter n to continue without reviewing the changes. We recommend that you review the changes. 3. Next, decide whether to apply the changes at the prompt: Apply the changes? [y/n] Enter y to apply the changes, or n to continue without applying. Changes are normally applied. 4. At the prompt, decide whether to make the changes permanent: Save changes to flash? [y/n] Enter y to save the changes to flash. Enter n to continue without saving the changes. Changes are normally saved at this point. 5. If you do not apply or save the changes, the system prompts whether to abort them: Abort all changes? [y/n] CN4093 Application Guide for N/OS 8.2...
Page 55: Optional Setup For Telnet Support
“Changing the Switch Passwords” on page Optional Setup for Telnet Support Note: This step is optional. Perform this procedure only if you are planning on connecting to the CN4093 through a remote Telnet connection. 1. Telnet is enabled by default. To change the setting, use the following command: CN4093(config)# no access telnet © Copyright Lenovo 2015 Chapter 2: Initial Setup...
Page 56 CN4093 Application Guide for N/OS 8.2...
Page 57: Chapter 3. Service Location Protocol
 Service Agent (SA) provides service registration and service advertisement. Note: In this release, SA supports UA/DA on Linux with SLPv2 support.  Directory Agent (DA) collects service information from Service Agents to provide a repository of service information in order to centralize it for efficient access by User Agents. There can only be one Directory Agent present per given host. The Directory Agent acts as an intermediate tier in the SLP architecture, placed between the User Agents and the Service Agents, so they communicate only with the Directory Agent instead of with each other. This eliminates a large portion of the multicast request or reply traffic on the network, and it protects the Service Agents from being overwhelmed by too many service requests. Services are described by the configuration of attributes associated with a type of service. A User Agent can select an appropriate service by specifying the attributes that it needs in a service request message. When service replies are returned, they contain a Uniform Resource Locator (URL) pointing to the service desired, and other information, such as server load, needed by the User Agent. Active DA Discovery When a Service Agent or User Agent initializes, it can perform Active Directory Agent Discovery using a multicast service request and specifies the special, reserved service type (service:directory-agent). Active DA Discovery is achieved through the same mechanism as any other discovery using SLP. The Directory Agent replies with unicast service replies, which provides the URLs and attributes of the requested service. © Copyright Lenovo 2015 Chapter 3: Service Location Protocol...
Page 58: Slp Configuration
SLP Configuration Use the following ISCLI commands to configure SLP for the switch: Table 7. SLP ISCLI Commands Command Syntax and Usage [no] ip slp enable Enables or disables SLP on the switch. Command mode: Global configuration [no] ip slp active-da-discovery enable Enables or disables Active DA Discovery. Command mode: Global configuration ip slp active-da-discovery-start-wait-time <1‐10> Configures the wait time before starting Active DA Discovery, in seconds. The default value is 3 seconds. Command mode: Global configuration clear ip slp directory-agents Clears all Directory Agents learned by the switch. Command mode: Global configuration show ip slp information Displays SLP information. Command mode: All show ip slp directoryagents Displays Directory Agents learned by the switch. ...
Page 59: Chapter 4. System License Keys
You can also use the website to review and manage licenses, and to obtain additional help if required. Note: An IBM ID and password are required to log into the FoD website. If you do not yet have an IBM ID, you can register at the website. Activation keys are provided as files that must be uploaded to the CN4093. To acquire an activation key, use the FoD website to purchase an Authorization Code. You will need to provide the unique ID (UID) of the specific CN4093 where the key will be installed. The UID is the last 12 characters of the CN4093 serial number. This serial number is located on the Part Number (PN) label and is also displayed during successful login to the device. When available, download the activation key file from the FoD site. Installing Activation Keys Once FoD activation key files have been acquired, they must be installed on the CN4093. The example below depicts use of the CN4093 Command Line Interface (CLI), but other device interfaces (such as SNMP) may also be used. The CN4093 must be reset to activate any newly installed licenses. To install activation keys, complete the following steps: a. Log in to the CN4093. b. At the CLI prompt, enter the following commands: CN4093> enable CN4093# configure terminal CN4093(config)# softwarekey CN4093(config)# enakey addr <server IP address> keyfile <key filename> c. Follow the prompts to enter the appropriate parameters, including the file transfer protocol and server parameters. © Copyright Lenovo 2015 Chapter 4: System License Keys...
Page 60: Transferring Activation Keys
Note: Repeat the enakey command for any additional keys being installed. d. Once the key file has been uploaded to the CN4093, reset the device to activate any newly installed licenses.: CN4093(config)# reload The system prompts you to confirm your request. Once confirmed, the system will reboot with the new licenses. Transferring Activation Keys Licenses keys are based on the unique CN4093 device serial number and are non‐transferable. In the event that the CN4093 must be replaced, a new activation key must be acquired and installed. When the replacement is handled through Lenovo Service and Support, your original license will be transferred to the serial number of the replacement unit and you will be provided a new license key. Trial Keys Trial keys are license keys used for evaluation purposes, upgrading the number of available ports for limited time. They are managed and obtained like regular license keys, from the Lenovo System x Features on Demand (FoD) website: http://www.ibm.com/systems/x/fod/ Trial keys expire after a predefined number of days. 10 days before the expiration date, the switch will begin to issue the following syslog messages: The software demo license for Upgrade1 will expire in 10 days. The switch will automatically reset to the factory configuration after the license expires. Please backup your configuration or enter a valid license key so the configuration will not be lost. When the trial license expires, all features enabled by the key are disabled, configuration files (active and backup) are deleted and the switch resets to the factory configuration. To prevent this, either install a regular upgrade license to overwrite the trial key, or manually remove the trial key and reset the switch. Once a trial key is installed, it cannot be reused. Flexible Port Mapping Flexible Port Mapping allows administrators to manually enable or disable specific switch ports within the limitations of the installed licenses’ bandwidth. For instance, the FlexSystem may include two compute nodes and a single QSFP+ ...
Page 61 The total bandwidth required for this operation amounts to 80 Gbps (40 Gbps for the four additional 10 Gbps internal ports and 40 Gbps for the additional external QSFP+ port). The administrator decides to allocate this bandwidth by deactivating 6 internal and 2 external 10 Gbps ports. To implement the above scenario, follow these steps: a. Deactivate the ports required to clear the 80 Gbps required bandwidth: CN4093(config)# no boot portmap INTA9 CN4093(config)# no boot portmap INTA10 CN4093(config)# no boot portmap INTA11 CN4093(config)# no boot portmap INTA12 CN4093(config)# no boot portmap INTA13 CN4093(config)# no boot portmap INTA14 CN4093(config)# no boot portmap EXT9 CN4093(config)# no boot portmap EXT10 b. Activate the required ports: CN4093(config)# boot portmap INTB1 CN4093(config)# boot portmap INTC1 CN4093(config)# boot portmap INTB2 CN4093(config)# boot portmap INTC2 CN4093(config)# boot portmap EXT3 c. A reboot is required for the changes to take effect. CN4093(config)# reload Flexible Port Mapping is disabled if all available licenses are installed (all physical ports are available). Removing a license key reverts the port mapping to the default settings for the remaining licensing level. To manually revert the port mapping to the default settings use the following command: CN4093(config)# default boot portmap © Copyright Lenovo 2015 Chapter 4: System License Keys...
Page 62 CN4093 Application Guide for N/OS 8.2...
Page 64 CN4093 Application Guide for N/OS 8.2...
Page 65: Chapter 5. Securing Administration
To change the administrator password, you must login using the administrator password. Changing the Default Administrator Password The administrator has complete access to all menus, information, and configuration commands, including the ability to change both the user and administrator passwords. The default administrator account is USERID. The default password for the administrator account is PASSW0RD (with a zero). To change the administrator password, use the following procedure: 1. Connect to the switch and log in as the administrator. 2. Use the following command to change the administrator password: CN4093(config)# access user administratorpassword <password> Changing the Default User Password The user login has limited control of the switch. Through a user account, you can view switch information and statistics, but you can’t make configuration changes. The default password for the user account is user. This password can be changed from the user account. The administrator can change all passwords, as shown in the following procedure. 1. Connect to the switch and log in as the administrator. 2. Use the following command to change the user password: CN4093(config)# access user userpassword <password> © Copyright Lenovo 2015...
Page 66: Secure Shell And Secure Copy
SCP is typically used to copy files securely from one machine to another. SCP uses SSH for encryption of data on the network. On a CN4093, SCP is used to download and upload the switch configuration via secure channels. Although SSH and SCP are disabled by default, enabling and using these features provides the following benefits:  Identifying the administrator using Name/Password  Authentication of remote administrators  Authorization of remote administrators  Determining the permitted actions and customizing service for individual administrators  Encryption of management messages Encrypting messages between the remote administrator and switch   Secure copy support The Lenovo N/OS implementation of SSH supports both versions 1.5 and 2.0 and supports SSH clients version 1.5 ‐ 2.x. The following SSH clients have been tested:  SSH 1.2.23 and SSH 1.2.27 for Linux (freeware)  SecureCRT 3.0.2 and SecureCRT 3.0.3 for Windows NT (Van Dyke Technologies, Inc.)  F‐Secure SSH 1.1 for Windows (Data Fellows)  Putty SSH  Cygwin OpenSSH  Mac X OpenSSH  Solaris 8 OpenSSH  AxeSSH SSHPro ...
Page 67: To Enable Or Disable The Ssh Feature
Note: The 4 option (the default) specifies that an IPv4 switch address will be used. The 6 option specifies IPv6. Example: >> ssh scpadmin@205.178.15.157 To Copy the Switch Configuration File to the SCP Host Syntax: >> scp [4|6] <username>@<switch IP address>:getcfg <local filename> © Copyright Lenovo 2015 Chapter 5: Securing Administration...
Page 68: To Load A Switch Configuration File From The Scp Host
Example: >> scp scpadmin@205.178.15.157:getcfg ad4.cfg To Load a Switch Configuration File from the SCP Host Syntax: >> scp [4|6] <local filename> <username>@<switch IP address>:putcfg Example: >> scp ad4.cfg scpadmin@205.178.15.157:putcfg To Apply and Save the Configuration When loading a configuration file to the switch, the apply and save commands are still required, in order for the configuration commands to take effect. The apply and save commands may be entered manually on the switch, or by using SCP commands. Syntax: >> scp [4|6] <local filename> <username>@<switch IP address>:putcfg_apply >> scp [4|6] <local filename> <username>@<switch IP address>:putcfg_apply_save Example: >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply_save  The CLI diff command is automatically executed at the end of putcfg to notify the remote client of the difference between the new and the current configurations. putcfg_apply runs the apply command after the putcfg is done.  putcfg_apply_save saves the new configuration to the flash after  putcfg_apply is done.
Page 69: To Load Switch Configuration Files From The Scp Host
Thus, an SSH/SCP client will not be able to log in if the switch is performing key generation at that time. Also, key generation will fail if an SSH/SCP client is logging in at that time. © Copyright Lenovo 2015 Chapter 5: Securing Administration...
Page 70: Ssh/Scp Integration With Radius Authentication
SSH/SCP Integration with RADIUS Authentication SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified RADIUS servers for authentication. The redirection is transparent to the SSH clients. SSH/SCP Integration with TACACS+ Authentication SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified TACACS+ servers for authentication. The redirection is transparent to the SSH clients. CN4093 Application Guide for N/OS 8.2...
Page 71: End User Access Control
 Passwords can be up to 128 characters in length for TACACS, RADIUS, Telnet, SSH, Console, and Web access. Strong Passwords The administrator can require use of Strong Passwords for users to access the CN4093. Strong Passwords enhance security because they make password guessing more difficult. The following rules apply when Strong Passwords are enabled: Minimum length: 8 characters; maximum length: 64 characters   Must contain at least one uppercase alphabet Must contain at least one lowercase alphabet   Must contain at least one number Must contain at least one special character:  Supported special characters: ! “ # % & ‘ ( ) ; < = >> ? [\] * + , ‐ . / : ^ _ { | } ~  Cannot be same as the username  No consecutive four characters can be the same as in the old password When strong password is enabled, users can still access the switch using the old password but will be advised to change to a strong password while attempting to log in. Strong password requirement can be enabled using the following command: CN4093(config)# access user strongpassword enable © Copyright Lenovo 2015 Chapter 5: Securing Administration...
Page 72: User Access Control Menu
The administrator can choose the number of days allowed before each password expires. When a strong password expires, the user is allowed to log in one last time (last time) to change the password. A warning provides advance notice for users to change the password. User Access Control Menu The end‐user access control commands allow you to configure end‐user accounts. Setting Up User IDs Up to 20 user IDs can be configured in the User ID menu. CN4093(config)# access user 1 name <1‐8 characters> CN4093(config)# access user 1 password Changing user1 password; validation required: Enter current admin password: <current administrator password> Enter new user1 password: <new user password> Reenter new user1 password: <new user password> New user1 password accepted. Defining a User’s Access Level The end user is by default assigned to the user access level (also known as class of service, or CoS). CoS for all user accounts have global access to all resources except for User CoS, which has access to view only resources that the user owns. For more information, see Table 8 on page To change the user’s level, enter the class of service command: CN4093(config)# access user 1 level {user|operator|administrator} Validating a User’s Configuration CN4093# show access user uid 1 Enabling or Disabling a User An end user account must be enabled before the switch recognizes and permits ...
Page 73: Re-Enabling Locked Accounts
Re-enabling Locked Accounts The administrator can re‐enable a locked account by reloading the switch or by using the following command: CN4093(config)# access user strongpassword clear local user lockout username <user name> However, the above command cannot be used to re‐enable an account disabled by the administrator. To re‐enable all locked accounts, use the following command: CN4093(config)# access user strongpassword clear local user lockout all © Copyright Lenovo 2015 Chapter 5: Securing Administration...
Page 74: Listing Current Users
Listing Current Users The show access user command displays defined user accounts and whether or not each user is currently logged into the switch. CN4093# show access user Usernames: user Enabled offline oper Disabled offline admin Always Enabled online 1 session Current User ID table: 1: name USERID , ena, cos admin , password valid, offline 2: name jane , ena, cos user , password valid, online 3: name john , ena, cos user , password valid, online Logging In to an End User Account Once an end user account is configured and enabled, the user can login to the switch, using the username/password combination. The level of switch access is determined by the Class of Service established for the end user account. Protected Mode Protected Mode settings allow the switch administrator to block the management module from making configuration changes that affect switch operation. The switch retains control over those functions. The following management module functions are disabled when Protected Mode is turned on:  External Ports: Enabled/Disabled  External management over all ports: Enabled/Disabled ...
Page 75: Stacking Mode
Stacking Mode When the switch is in stacking mode, Protected Mode is automatically enabled for three of the four Protected Mode functions, and the following module functions are disabled:  External Ports (Enabled)  External management over all ports (Enabled)  Restore Factory Defaults Stack members and stack Master can get their IP addresses from the advanced management module (AMM). Stack can be managed using external ports or using the AMM management port. If required, the functionality of new static IP configuration can also be disabled by turning off Protected Mode (CN4093(config)# no protectedmode) and turning it back on (CN4093(config)# protectedmode enable). © Copyright Lenovo 2015 Chapter 5: Securing Administration...
Page 76 CN4093 Application Guide for N/OS 8.2...
Page 77: Chapter 6. Authentication & Authorization Protocols
Chapter 6. Authentication & Authorization Protocols Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured IPv4 management and device access:  “RADIUS Authentication and Authorization” on page 78  “TACACS+ Authentication” on page 82  “LDAP Authentication and Authorization” on page 87 Note: Lenovo N/OS 8.2 does not support IPv6 for RADIUS, TACACS+, or LDAP. © Copyright Lenovo 2015...
Page 78: Radius Authentication And Authorization
RADIUS Authentication and Authorization Lenovo N/OS supports the RADIUS (Remote Authentication Dial‐in User Service) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back‐end database server. A remote user (the remote administrator) interacts only with the RAS, not the back‐end server and database. RADIUS authentication consists of the following components:  A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866) A centralized server that stores all the user authorization information   A client, in this case, the switch The CN4093—acting as the RADIUS client—communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back‐end RADIUS server. How RADIUS Authentication Works 1. Remote administrator connects to the switch and provides user name and password. 2. Using Authentication/Authorization protocol, the switch sends request to authentication server. 3. Authentication server checks the request against the user ID database. 4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access. Configuring RADIUS on the Switch Use the following procedure to configure Radius authentication on your CN4093.
Page 79: Radius Authentication Features In Lenovo N/Os
If you configure the RADIUS secret using any method other than through the console port, the secret may be transmitted over the network as clear text. 3. If desired, you may change the default UDP port number used to listen to RADIUS. The well‐known port for RADIUS is 1645. CN4093(config)# radiusserver port <UDP port number> 4. Configure the number retry attempts for contacting the RADIUS server, and the timeout period. CN4093(config)# radiusserver retransmit 3 CN4093(config)# radiusserver timeout 5 RADIUS Authentication Features in Lenovo N/OS Lenovo N/OS supports the following RADIUS authentication features:  Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.  Allows a RADIUS secret password of up to 32 characters.  Supports secondary authentication server so that when the primary authentication server is unreachable, the switch can send client authentication requests to the ...
Page 80: Switch User Accounts
Switch User Accounts The user accounts listed in Table 8 can be defined in the RADIUS server dictionary file. Table 8. User Access Levels User Account Description and Tasks Performed Password user User The User has no direct responsibility for switch management. He/she can view all switch status information and statistics but cannot make any configuration changes to the switch. oper Operator In addition to User capabilities, the Operator has limited switch management access, including the ability to make temporary, operational configuration changes to some switch features, and to reset switch ports (other than management ports). PASSW0RD Administrator The super‐user Administrator has complete access to all menus, information, and configuration (USERID) commands on the switch, including the ability to change both the user and administrator passwords. CN4093 Application Guide for N/OS 8.2...
Page 81: Radius Attributes For Lenovo N/Os User Privileges
RADIUS Attributes for Lenovo N/OS User Privileges When the user logs in, the switch authenticates his/her level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server. If the remote user is successfully authenticated by the authentication server, the switch will verify the privileges of the remote user and authorize the appropriate access. The administrator has two options: to allow backdoor access via Telnet, SSH, HTTP, or HTTPS; to allow secure backdoor access via console, Telnet, SSH, or BBI. Secure backdoor provides access to the switch when the RADIUS servers cannot be reached. The default CN4093 setting for backdoor and secure backdoor access is disabled. Backdoor access is always enabled on the console port. Irrespective of backdoor being enabled or not, you can always access the switch via the console port by using noradius as radius username. You can then enter the username and password configured on the switch. If you are trying to connect via SSH/Telnet/HTTP/HTTPS, there are two possibilities:  Backdoor is enabled: The switch acts like it is connecting via console.  Secure backdoor is enabled: You must enter the username: noradius. The switch checks if RADIUS server is reachable. If it is reachable, then you must authenticate via remote authentication server. Only if RADIUS server is not reachable, you will be prompted for local user/password to be authenticated against these local credentials. All user privileges, other than those assigned to the Administrator, have to be defined in the RADIUS dictionary. RADIUS attribute 6 which is built into all RADIUS servers defines the administrator. The file name of the dictionary is RADIUS vendor‐dependent. The following RADIUS attributes are defined for Lenovo N/OS user privileges levels: Table 9. Lenovo N/OS‐proprietary Attributes for RADIUS User Name/Access...
Page 82: Tacacs+ Authentication
TACACS+ Authentication Lenovo N/OS supports authentication, authorization, and accounting with networks using the Cisco Systems TACACS+ protocol. The CN4093 functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the CN4093 either through a data or management port. TACACS+ offers the following advantages over RADIUS:  TACACS+ uses TCP‐based connection‐oriented transport; whereas RADIUS is UDP‐based. TCP offers a connection‐oriented transport, while UDP offers best‐effort delivery. RADIUS requires additional programmable variables such as re‐transmit attempts and time‐outs to compensate for best‐effort transport, but it lacks the level of built‐in support that a TCP transport offers.  TACACS+ offers full packet encryption whereas RADIUS offers password‐only encryption in authentication requests.  TACACS+ separates authentication, authorization and accounting. How TACACS+ Authentication Works TACACS+ works much in the same way as RADIUS authentication as described on page 1. Remote administrator connects to the switch and provides user name and password. 2. Using Authentication/Authorization protocol, the switch sends request to authentication server. 3. Authentication server checks the request against the user ID database. 4. Using TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access. During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command.
Page 83: Tacacs+ Authentication Features In Lenovo N/Os
TACACS+ Authentication Features in Lenovo N/OS Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. Lenovo N/OS supports ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one‐time password authentication are not supported. Authorization Authorization is the action of determining a user’s privileges on the device, and usually takes place after authentication. The default mapping between TACACS+ authorization levels and Lenovo N/OS management access levels is shown in Table 10. The authorization levels listed in this table must be defined on the TACACS+ server. Table 10. Default TACACS+ Authorization Levels Lenovo N/OS User Access TACACS+ Level Level user oper admin (USERID) Alternate mapping between TACACS+ authorization levels and Lenovo N/OS management access levels is shown in Table 11. Use the following command to use the alternate TACACS+ authorization levels: CN4093(config)# tacacsserver privilegemapping Table 11. Alternate TACACS+ Authorization Levels Lenovo N/OS User Access...
Page 84: Accounting
  disc‐cause Note: When using the Browser-Based Interface, the TACACS+ Accounting Stop records are sent only if the Quit button on the browser is clicked. Command Authorization and Logging When TACACS+ Command Authorization is enabled (CN4093(config)# tacacsserver commandauthorization), Lenovo N/OS configuration commands are sent to the TACACS+ server for authorization. When TACACS+ Command Logging is enabled (CN4093(config)# tacacsserver commandlogging), Lenovo N/OS configuration commands are logged on the TACACS+ server. The following examples illustrate the format of Lenovo N/OS commands sent to the TACACS+ server: authorization request, cmd=cfgtree, cmdarg=/cfg/l3/if...
Page 85: Tacacs+ Password Change
Configuring TACACS+ Authentication on the Switch 1. Configure the IPv4 addresses of the Primary and Secondary TACACS+ servers, and enable TACACS authentication. CN4093(config)# tacacsserver primaryhost 10.10.1.1(Enter primary server IPv4 address) CN4093(config)# tacacsserver primaryhost mgtport CN4093(config)# tacacsserver secondaryhost 10.10.1.1 (Enter secondary server IPv4 address) CN4093(config)# tacacsserver secondaryhost dataport CN4093(config)# tacacsserver enable 2. Configure the TACACS+ secret and second secret. CN4093(config)# tacacsserver primaryhost 10.10.1.1 key <1‐32 character secret> CN4093(config)# tacacsserver secondaryhost 10.10.1.2 key <1‐32 character secret> If you configure the TACACS+ secret using any method other than a direct console connection, the secret may be transmitted over the network as clear text. 3. If desired, you may change the default TCP port number used to listen to TACACS+. The well‐known port for TACACS+ is 49. CN4093(config)# tacacsserver port <TCP port number> © Copyright Lenovo 2015 Chapter 6: Authentication & Authorization Protocols...
Page 86 4. Configure the number of retry attempts, and the timeout period. CN4093(config)# tacacsserver retransmit 3 CN4093(config)# tacacsserver timeout 5 5. Configure custom privilege‐level mapping (optional). CN4093(config)# tacacsserver usermapping 2 user CN4093(config)# tacacsserver usermapping 3 user CN4093(config)# tacacsserver usermapping 4 user CN4093(config)# tacacsserver usermapping 5 oper CN4093 Application Guide for N/OS 8.2...
Page 87: Ldap Authentication And Authorization
 User Accounts: Use the uid attribute to define each individual user account. User Groups:  Use the members attribute in the groupOfNames object class to create the user groups. The first word of the common name for each user group must be equal to the user group names defined in the CN4093, as follows: admin (USERID)  oper  user  Configuring LDAP Authentication on the Switch 1. Turn LDAP authentication on, then configure the Primary and Secondary LDAP servers. CN4093(config)# ldapserver primaryhost 10.10.1.1 (Enter primary server IPv4 address) CN4093(config)# ldapserver primaryhost 10.10.1.2 (Enter secondary server IPv4 address) 2. Configure the domain name. CN4093(config)# ldapserver domain <ou=people,dc=my‐domain,dc=com> © Copyright Lenovo 2015 Chapter 6: Authentication & Authorization Protocols...
Page 88 3. If desired, you may change the default TCP port number used to listen to LDAP. The well‐known port for LDAP is 389. CN4093(config)# ldapserver port <1‐65000> 4. Configure the number of retry attempts for contacting the LDAP server, and the timeout period. CN4093(config)# ldapserver retransmit 3(server retries) CN4093(config)# ldapserver timeout 10 (Enter the timeout period in seconds) CN4093 Application Guide for N/OS 8.2...
Page 89: Chapter 7. 802.1X Port-Based Network Access Control
Chapter 7. 802.1X Port-Based Network Access Control Port‐Based Network Access control provides a means of authenticating and authorizing devices attached to a LAN port that has point‐to‐point connection characteristics. It prevents access to ports that fail authentication and authorization. This feature provides security to ports of the CN4093 10Gb Converged Scalable Switch (CN4093) that connect to blade servers. The following topics are discussed in this section:  “Extensible Authentication Protocol over LAN” on page 90  “EAPoL Authentication Process” on page 91  “EAPoL Port States” on page 93 “Guest VLAN” on page 93   “Supported RADIUS Attributes” on page 94 “EAPoL Configuration Guidelines” on page 96  © Copyright Lenovo 2015...
Page 90: Extensible Authentication Protocol Over Lan
Extensible Authentication Protocol over LAN Lenovo N/OS can provide user‐level security for its ports using the IEEE 802.1X protocol, which is a more secure alternative to other methods of port‐based network access control. Any device attached to an 802.1X‐enabled port that fails authentication is prevented access to the network and denied services offered through that port. The 802.1X standard describes port‐based network access control using Extensible Authentication Protocol over LAN (EAPoL). EAPoL provides a means of authenticating and authorizing devices attached to a LAN port that has point‐to‐point connection characteristics and of preventing access to that port in cases of authentication and authorization failures. EAPoL is a client‐server protocol that has the following components: Supplicant or Client  The Supplicant is a device that requests network access and provides the required credentials (user name and password) to the Authenticator and the Authenticator Server.  Authenticator The Authenticator enforces authentication and controls access to the network. The Authenticator grants network access based on the information provided by the Supplicant and the response from the Authentication Server. The Authenticator acts as an intermediary between the Supplicant and the Authentication Server: requesting identity information from the client, forwarding that information to the Authentication Server for validation, relaying the server’s responses to the client, and authorizing network access based on the results of the authentication exchange. The CN4093 acts as an Authenticator.  Authentication Server The Authentication Server validates the credentials provided by the Supplicant to determine if the Authenticator should grant access to the network. The Authentication Server may be co‐located with the Authenticator. The CN4093 relies on external RADIUS servers for authentication. Upon a successful authentication of the client by the server, the 802.1X‐controlled port transitions from unauthorized to authorized state, and the client is allowed ...
Page 91: Eapol Authentication Process
802.1x Client Server EAPOL IBM Switch RADIUS-EAP Authenticator Ethernet (RADIUS Client) UDP/IP Port Unauthorized EAPOL-Start EAP-Request (Credentials) EAP-Response (Credentials) Radius-Access-Request Radius-Access-Challenge EAP-Request (Credentials) EAP-Response (Credentials) Radius-Access-Request Radius-Access-Accept EAP-Success Port Authorized © Copyright Lenovo 2015 Chapter 7: 802.1X Port-Based Network Access Control...
Page 92: Eapol Message Exchange
EAPoL Message Exchange During authentication, EAPOL messages are exchanged between the client and the CN4093 authenticator, while RADIUS‐EAP messages are exchanged between the CN4093 authenticator and the RADIUS server. Authentication is initiated by one of the following methods:  The CN4093 authenticator sends an EAP‐Request/Identity packet to the client  The client sends an EAPOL‐Start frame to the CN4093 authenticator, which responds with an EAP‐Request/Identity frame. The client confirms its identity by sending an EAP‐Response/Identity frame to the CN4093 authenticator, which forwards the frame encapsulated in a RADIUS packet to the server. The RADIUS authentication server chooses an EAP‐supported authentication algorithm to verify the client’s identity, and sends an EAP‐Request packet to the client via the CN4093 authenticator. The client then replies to the RADIUS server with an EAP‐Response containing its credentials. Upon a successful authentication of the client by the server, the 802.1X‐controlled port transitions from unauthorized to authorized state, and the client is allowed full access to services through the controlled port. When the client later sends an EAPOL‐Logoff message to the CN4093 authenticator, the port transitions from authorized to unauthorized state. If a client that does not support 802.1X connects to an 802.1X‐controlled port, the CN4093 authenticator requests the clientʹs identity when it detects a change in the operational state of the port. The client does not respond to the request, and the port remains in the unauthorized state. Note: When an 802.1X-enabled client connects to a port that is not 802.1X-controlled, the client initiates the authentication process by sending an EAPOL-Start frame.
Page 93: Eapol Port States
While in this state the port discards all ingress and egress traffic except EAP packets.  Authorized When the client is successfully authenticated, the port transitions to the authorized state allowing all traffic to and from the client to flow normally.  Force Unauthorized You can configure this state that denies all access to the port.  Force Authorized You can configure this state that allows full access to the port. Guest VLAN The guest VLAN provides limited access to unauthenticated ports. The guest VLAN can be configured using the following command: dot1x guestvlan ? CN4093(config)# Client ports that have not received an EAPOL response are placed into the Guest VLAN, if one is configured on the switch. Once the port is authenticated, it is moved from the Guest VLAN to its configured VLAN. When Guest VLAN enabled, the following considerations apply while a port is in the unauthenticated state:  The port is placed in the guest VLAN. The Port VLAN ID (PVID) is changed to the Guest VLAN ID.   Port tagging is disabled on the port. © Copyright Lenovo 2015 Chapter 7: 802.1X Port-Based Network Access Control...
Page 94: Supported Radius Attributes
Supported RADIUS Attributes The 802.1X Authenticator relies on external RADIUS servers for authentication with EAP. Table 12lists the RADIUS attributes that are supported as part of RADIUS‐EAP authentication based on the guidelines specified in Annex D of the 802.1X standard and RFC 3580. Table 12. Support for RADIUS Attributes # Attribute Attribute Value 1 User‐Name The value of the Type‐Data field 0‐1 from the supplicant’s EAP‐Response/Identity message. If the Identity is unknown (i.e. Type‐Data field is zero bytes in length), this attribute will have the same value as the Calling‐Station‐Id. 4 NAS‐IP‐Address IPv4 address of the authenticator used for Radius communication. 5 NAS‐Port Port number of the authenticator port to which the supplicant is attached. 24 State Server‐specific value. This is 0‐1 0‐1 0‐1 sent unmodified back to the ...
Page 95 80 Message‐ Always present whenever an Authenticator EAP‐Message attribute is also included. Used to integrity‐protect a packet. 87 NAS‐Port‐ID Name assigned to the authenticator port, e.g. Server1_Port3 Legend: RADIUS Packet Types: A‐R (Access‐Request), A‐A (Access‐Accept), A‐C (Access‐Challenge), A‐R (Access‐Reject) RADIUS Attribute Support: This attribute MUST NOT be present in a packet.   Zero or more instances of this attribute MAY be present in a packet. 0‐1 Zero or one instance of this attribute MAY be present in a packet.   Exactly one instance of this attribute MUST be present in a packet.  One or more of these attributes MUST be present. © Copyright Lenovo 2015 Chapter 7: 802.1X Port-Based Network Access Control...
Page 96: Eapol Configuration Guidelines
EAPoL Configuration Guidelines When configuring EAPoL, consider the following guidelines:  The 802.1X port‐based authentication is currently supported only in point‐to‐point configurations, that is, with a single supplicant connected to an 802.1X‐enabled switch port.  When 802.1X is enabled, a port has to be in the authorized state before any other Layer 2 feature can be operationally enabled. For example, the STG state of a port is operationally disabled while the port is in the unauthorized state.  The 802.1X supplicant capability is not supported. Therefore, none of its ports can successfully connect to an 802.1X‐enabled port of another device, such as another switch, that acts as an authenticator, unless access control on the remote port is disabled or is configured in forced‐authorized mode. For example, if a CN4093 is connected to another CN4093, and if 802.1X is enabled on both switches, the two connected ports must be configured in force‐authorized mode.  Unsupported 802.1X attributes include Service‐Type, Session‐Timeout, and Termination‐Action.  RADIUS accounting service for 802.1X‐authenticated devices or users is not currently supported.  Configuration changes performed using SNMP and the standard 802.1X MIB will take effect immediately. CN4093 Application Guide for N/OS 8.2...
Page 97: Chapter 8. Access Control Lists
Chapter 8. Access Control Lists Access Control Lists (ACLs) are filters that permit or deny traffic for security purposes. They can also be used with QoS to classify and segment traffic in order to provide different levels of service to different traffic types. Each filter defines the conditions that must match for inclusion in the filter, and also the actions that are performed when a match is made. Lenovo N/OS 8.2 supports the following ACLs:  IPv4 ACLs Up to 256 ACLs are supported for networks that use IPv4 addressing. IPv4 ACLs are configured using the following CLI menu: CN4093(config)# accesscontrol list <IPv4 ACL number> IPv6 ACLs  Up to 128 ACLs are supported for networks that use IPv6 addressing. IPv6 ACLs are configured using the following CLI menu: CN4093(config)# accesscontrol list6 <IPv6 ACL number>  Management ACLs Up to 128 MACLs are supported. ACLs for the different types of management protocols (Telnet, HTTPS, etc.) provide greater granularity for securing management traffic. Management ACLs are configured using the following CLI menu: CN4093(config)# accesscontrol macl <MACL number>  VLAN Maps (VMaps) Up to 128 VLAN Maps are supported for attaching filters to VLANs rather than ports. See “VLAN Maps” on page 106 for details. CN4093(config)# accesscontrol vmap <vmap number> © Copyright Lenovo 2015...
Page 98: Summary Of Packet Classifiers
Summary of Packet Classifiers ACLs allow you to classify packets according to a variety of content in the packet header (such as the source address, destination address, source port number, destination port number, and others). Once classified, packet flows can be identified for more processing. Regular ACLs, and VMaps allow you to classify packets based on the following packet attributes:  Ethernet header options (for regular ACLs and VMaps only) Source MAC address  Destination MAC address  VLAN number and mask  Ethernet type (ARP, IPv4, MPLS, RARP, etc.)  Ethernet Priority (the IEEE 802.1p Priority)   IPv4 header options (for regular ACLs and VMaps only) Source IPv4 address and subnet mask  Destination IPv4 address and subnet mask  Type of Service value  IP protocol number or name as shown in Table  Table 13. Well‐Known Protocol Types Number Protocol Name icmp igmp ospf vrrp CN4093 Application Guide for N/OS 8.2...
Page 99 Accounting gopher snmptrap hsrp TCP/UDP application destination port and mask as shown in Table 14.  TCP/UDP flag value as shown in Table 15.  Table 15. Well‐Known TCP flag values Flag Value 0x0020 0x0010 0x0008 0x0004 0x0002 0x0001  Packet format (for regular ACLs and VMaps only) Ethernet format (eth2, SNAP, LLC)  Ethernet tagging format  IP format (IPv4)   Egress port packets (for all ACLs) © Copyright Lenovo 2015 Chapter 8: Access Control Lists...
Page 100: Summary Of Acl Actions
Summary of ACL Actions Once classified using ACLs, the identified packet flows can be processed differently. For each ACL, an action can be assigned. The action determines how the switch treats packets that match the classifiers assigned to the ACL. CN4093 ACL actions include the following:  Pass or Drop the packet  Re‐mark the packet with a new DiffServ Code Point (DSCP)  Re‐mark the 802.1p field  Set the COS queue Assigning Individual ACLs to a Port Once you configure an ACL, you must assign the ACL to the appropriate ports. Each port can accept multiple ACLs, and each ACL can be applied for multiple ports. ACLs can be assigned individually, or in groups. To assign an individual ACL to a port, use the following IP interface commands: CN4093(config)# interface port <port> CN4093(configif)# accesscontrol list <IPv4 ACL number> CN4093(configip)# accesscontrol list6 <IPv6 ACL number> When multiple ACLs are assigned to a port, higher‐priority ACLs are considered first, and their action takes precedence over lower‐priority ACLs. ACL order of precedence is discussed in the next section. To create and assign ACLs in groups, see “ACL Groups” on page 101. ACL Order of Precedence When multiple ACLs are assigned to a port, they are evaluated in numeric sequence, based on the ACL number. Lower‐numbered ACLs take precedence over higher‐numbered ACLs. For example, ACL 1 (if assigned to the port) is ...
Page 101: Acl Groups
Order of Precedence” on page 100). All ACLs assigned to the port (whether individually assigned or part of an ACL Group) are considered as individual ACLs for the purposes of determining their order of precedence. © Copyright Lenovo 2015 Chapter 8: Access Control Lists...
Page 102: Assigning Acl Groups To A Port
Assigning ACL Groups to a Port To assign an ACL Group to a port, use the following commands: CN4093(config)# interface port <port number> CN4093(configif)# accesscontrol group <ACL group number> CN4093(configif)# exit ACL Metering and Re-Marking You can define a profile for the aggregate traffic flowing through the switch by configuring a QoS meter (if desired) and assigning ACLs to ports. Note: When you add ACLs to a port, make sure they are ordered correctly in terms of precedence (see “ACL Order of Precedence” on page 100).
Page 103: Acl Port Mirroring
ACL Port Mirroring For regular ACLs and VMaps, packets that match an ACL on a specific port can be mirrored to another switch port for network diagnosis and monitoring. The source port for the mirrored packets cannot be a portchannel, but may be a member of a portchannel. The destination port to which packets are mirrored must be a physical port. If the ACL or VMap has an action (permit, drop, etc.) assigned, it cannot be used to mirror packets for that ACL. Use the following commands to add mirroring to an ACL:  For regular ACLs: CN4093(config)# accesscontrol list <ACL number> mirror port <destination port> The ACL must be also assigned to it target ports as usual (see “Assigning Individual ACLs to a Port” on page 100, or “Assigning ACL Groups to a Port” on page 102). For VMaps (see “VLAN Maps” on page 106):  CN4093(config)# accesscontrol vmap <VMap number> mirror port <monitor destination port> Viewing ACL Statistics ACL statistics display how many packets have “hit” (matched) each ACL. Use ACL statistics to check filter performance or to debug the ACL filter configuration. You must enable statistics for each ACL that you wish to monitor: CN4093(config)# accesscontrol list <ACL number> statistics © Copyright Lenovo 2015 Chapter 8: Access Control Lists...
Page 104: Acl Configuration Examples
ACL Configuration Examples ACL Example 1 Use this configuration to block traffic to a specific host. All traffic that ingresses on port EXT1 is denied if it is destined for the host at IP address 100.10.1.1 1. Configure an Access Control List. CN4093(config)# accesscontrol list 1 ipv4 destinationipaddress 100.10.1.1 CN4093(config)# accesscontrol list 1 action deny 2. Add ACL 1 to port EXT1. CN4093(config)# interface port EXT1 CN4093(configif)# accesscontrol list 1 CN4093(configif)# exit ACL Example 2 Use this configuration to block traffic from a network destined for a specific host address. All traffic that ingresses in port EXT2 with source IP from class 100.10.1.0/24 and destination IP 200.20.2.2 is denied. 1. Configure an Access Control List. CN4093(config)# accesscontrol list 2 ipv4 sourceipaddress 100.10.1.0 255.255.255.0 CN4093(config)# accesscontrol list 2 ipv4 destinationipaddress 200.20.2.2 255.255.255.255 CN4093(config)# accesscontrol list 2 action deny 2. Add ACL 2 to port EXT2. CN4093(config)# interface port EXT2 CN4093(configif)# accesscontrol list 2 CN4093(configif)# exit CN4093 Application Guide for N/OS 8.2...
Page 105 ACL Example 3 This configuration blocks traffic from a network that is destined for a specific egress port. All traffic that ingresses port EXT1 from the network 100.10.1.0/24 and is destined for port 3 is denied. 1. Configure an Access Control List. CN4093(config)# accesscontrol list 4 ipv4 sourceipaddress 100.10.1.0 255.255.255.0 CN4093(config)# accesscontrol list 4 egressport 3 CN4093(config)# accesscontrol list 4 action deny 2. Add ACL 4 to port EXT1. CN4093(config)# interface port EXT1 CN4093(configif)# accesscontrol list 4 CN4093(configif)# exit © Copyright Lenovo 2015 Chapter 8: Access Control Lists...
Page 106: Vlan Maps
VLAN Maps A VLAN map (VMAP) is an ACL that can be assigned to a VLAN or VM group rather than to a switch port as with regular ACLs. This is particularly useful in a virtualized environment where traffic filtering and metering policies must follow virtual machines (VMs) as they migrate between hypervisors. VMAPs are configured using the following ISCLI command path: CN4093(config)# accesscontrol vmap <VMAP ID (1‐128)> action Set filter action egressport Set to filter for packets egressing this port ethernet Ethernet header options ipv4 IP version 4 header options meter ACL metering configuration mirror Mirror options packetformat Set to filter specific packet format types remark ACL remark configuration statistics Enable access control list statistics tcpudp TCP and UDP filtering options The CN4093 supports up to 128 VMAPs. Individual VMAP filters are configured in the same fashion as regular ACLs, except that VLANs cannot be specified as a filtering criteria (unnecessary, since the VMAP are assigned to a specific VLAN or associated with a VM group VLAN). Once a VMAP filter is created, it can be assigned or removed using the following configuration commands:  For a regular VLAN: CN4093(config)# vlan <VLAN ID> CN4093(configvlan)# [no] vmap <VMap ID> [intports|extports]  For a VM group (see “VM Group Types” on page 242): CN4093(config)# [no] virt vmgroup <ID> vmap <VMap ID> [intports|extports] Note: Each VMAP can be assigned to only one VLAN or VM group. However, each VLAN or VM group may have multiple VMAPs assigned to it.
Page 107 VMap Example In this example, EtherType 2 traffic from VLAN 3 server ports is mirrored to a network monitor on port 4. CN4093(config)# accesscontrol vmap 21 packetformat ethernet ethernettype2 CN4093(config)# accesscontrol vmap 21 mirror port 4 CN4093(config)# accesscontrol vmap 21 action permit CN4093(config)# vlan 3 CN4093(configvlan)# vmap 21 intports © Copyright Lenovo 2015 Chapter 8: Access Control Lists...
Page 108: Management Acls
Management ACLs Management ACLs (MACLs) filter inbound traffic i.e. traffic toward the CPU. MACLs are applied switch‐wide. Traffic can be filtered based on the following:  IPv4 source address IPv4 destination address   IPv4 protocols TCP/UDP destination or source port  Lower MACL numbers have higher priority. Up to 128 MACLs can be configured. Following is an example MACL configuration based on a destination IP address and a TCP‐UDP destination port: CN4093(config)# accesscontrol macl 1 ipv4 destinationipaddress 1.1.1.1 255.255.255.0 CN4093(config)# accesscontrol macl 1 tcpudp destinationport 111 0xffff CN4093(config)# accesscontrol macl 1 statistics CN4093(config)# accesscontrol macl 1 action permit CN4093(config)# accesscontrol macl 1 enable Use the following command to view the MACL configuration: CN4093(config)# show accesscontrol macl 1 MACL 1 profile : Enabled IPv4 - DST IP : 1.1.1.1/255.255.255.0 TCP/UDP - DST Port : 111/0xffff Action : Permit...
Page 109: Part 3: Switch Basics
Part 3: Switch Basics This section discusses basic switching functions:  VLANs  Port Trunking  Spanning Tree Protocols (Spanning Tree Groups, Rapid Spanning Tree Protocol, and Multiple Spanning Tree Protocol)  Quality of Service © Copyright Lenovo 2015...
Page 110 CN4093 Application Guide for N/OS 8.2...
Page 111: Chapter 9. Vlans
“Using the Setup Utility” in the Lenovo N/OS 8.2 Command Reference). More comprehensive VLAN configuration can be done from the Command Line Interface (see “VLAN Configuration” as well as “Port Configuration” in the Lenovo N/OS 8.2 Command Reference). © Copyright Lenovo 2015...
Page 112: Vlans Overview
VLANs Overview Setting up virtual LANs (VLANs) is a way to segment networks to increase network flexibility without changing the physical network topology. With network segmentation, each switch port connects to a segment that is a single broadcast domain. When a switch port is configured to be a member of a VLAN, it is added to a group of ports (workgroup) that belong to one broadcast domain. Ports are grouped into broadcast domains by assigning them to the same VLAN. Frames received in one VLAN can only be forwarded within that VLAN, and multicast, broadcast, and unknown unicast frames are flooded only to ports in the same VLAN. The CN4093 automatically supports jumbo frames. This default cannot be manually configured or disabled. The CN4093 10Gb Converged Scalable Switch (CN4093) supports jumbo frames with a Maximum Transmission Unit (MTU) of 9,216 bytes. Within each frame, 18 bytes are reserved for the Ethernet header and CRC trailer. The remaining space in the frame (up to 9,198 bytes) comprise the packet, which includes the payload of up to 9,000 bytes and any additional overhead, such as 802.1q or VLAN tags. Jumbo frame support is automatic: it is enabled by default, requires no manual configuration, and cannot be manually disabled. Note: Jumbo frames are not supported for traffic sent to switch management interfaces. CN4093 Application Guide for N/OS 8.2...
Page 113: Vlans And Port Vlan Id Numbers
Note: The sample screens that appear in this document might differ slightly from the screens displayed by your system. Screen content varies based on the type of blade chassis unit that you are using and the firmware versions and options that are installed. © Copyright Lenovo 2015 Chapter 9: VLANs...
Page 114 PVID/Native VLAN Numbers Each port in the switch has a configurable default VLAN number, known as its PVID. By default, the PVID for all non‐management ports is set to 1, which correlates to the default VLAN ID. The PVID for each port can be configured to any VLAN number between 1 and 4094. Use the following CLI commands to view PVIDs:  Port information: CN4093# show interface information (or) CN4093# show interface trunk Alias Port Tag Type RMON Lrn Fld Openflow PVID DESCRIPTION VLAN(s) Trk NVLAN INTA1 1 n Internal d e e d 4094 INTA1 4094 INTA2 2 n Internal d e e d 1 INTA2 INTA3 3 n Internal d e e d 1 INTA3 INTA4 4 n Internal d e e d 1 INTA4 INTA5 5 n Internal d e e d 1 INTA5 INTA6 6 n Internal d e e d 1 INTA6 INTA7 7 n Internal d e e d 1 INTA7 INTA8 8 n Internal d e e d 1 INTA8 INTA9 9 n Internal d e e d 1 INTA9 CN4093 Application Guide for N/OS 8.2...
Page 115 Note: The sample output that appears in this document might differ slightly from that displayed by your system. Output varies based on the type of blade chassis unit that you are using and the firmware versions and options that are installed. © Copyright Lenovo 2015 Chapter 9: VLANs...
Page 116  Port Configuration: Access Mode Port CN4093(config)# interface port <port number> CN4093(configif)# switchport access vlan <VLAN ID> For Trunk Mode Port CN4093(config)# interface port <port number> CN4093(configif)# switchport trunk native vlan <VLAN ID> Each port on the switch can belong to one or more VLANs, and each VLAN can have any number of switch ports in its membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging enabled (see “VLAN Tagging/Trunk Mode” on page 117). CN4093 Application Guide for N/OS 8.2...
Page 117: Vlan Tagging/Trunk Mode
Important terms used with the 802.1Q tagging feature are:  VLAN identifier (VID)—the 12‐bit portion of the VLAN tag in the frame header that identifies an explicit VLAN.  Port VLAN identifier (PVID)—a classification mechanism that associates a port with a specific VLAN. For example, a port with a PVID of 3 (PVID =3) assigns all untagged frames received on this port to VLAN 3. Any untagged frames received by the switch are classified with the PVID of the receiving port.  Tagged frame—a frame that carries VLAN tagging information in the header. This VLAN tagging information is a 32‐bit field (VLAN tag) in the frame header that identifies the frame as belonging to a specific VLAN. Untagged frames are marked (tagged) with this classification as they leave the switch through a port that is configured as a tagged port.  Untagged frame— a frame that does not carry any VLAN tagging information in the frame header.  Untagged member—a port that has been configured as an untagged member of a specific VLAN. When an untagged frame exits the switch through an untagged member port, the frame header remains unchanged. When a tagged frame exits the switch through an untagged member port, the tag is stripped and the tagged frame is changed to an untagged frame.  Tagged member—a port that has been configured as a tagged member of a specific VLAN. When an untagged frame exits the switch through a tagged member port, the frame header is modified to include the 32‐bit tag associated with the PVID. When a tagged frame exits the switch through a tagged member port, the frame header remains unchanged (original VID remains). © Copyright Lenovo 2015 Chapter 9: VLANs...
Page 118 Figure 2. Default VLAN settings 802.1Q Switch VLAN 1 Port 1 Port 2 Port 3 Port 4 Port 5 Port 6 Port 7 PVID = 1 Data Incoming Outgoing untagged untagged packet Data packet (unchanged) By default: All ports are assigned PVID = 1 All external ports are untagged members of VLAN 1 All internal server ports are untagged members of VLAN 1 BS45010A...
Page 119 Port 3 Tagged member PVID = 2 of VLAN 2 Tagged packet 802.1Q Switch Data B efore Port 6 Port 7 Port 8 Untagged member of VLAN 2 As shown in Figure 6, the tagged packet remains unchanged as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2. However, the tagged packet is stripped (untagged) as it leaves the switch through port 7, which is configured as an untagged member of VLAN 2. © Copyright Lenovo 2015 Chapter 9: VLANs...
Page 120: Ingress Vlan Tagging
Figure 6. 802.1Q tagging (after 802.1Q tag assignment) PVID = 2 Tagged member Port 1 Port 2 Port 3 of VLAN 2 802.1Q Switch Data Port 6 Port 7 Port 8 8100 Priority VID = 2 Untagged member CRC* (*Recalculated) of VLAN 2 16 bits 3 bits 1 bit 12 bits...
Page 121: Limitations
Tag 1 After Before Port 6 Port 7 Port 8 Untagged member of VLAN 2 CRC* Data Tag 1 By default, ingress tagging is disabled. To enable ingress tagging on a port, use the following commands: CN4093(config)# interface port <number> CN4093(configif)# tagpvidingress Limitations Ingress tagging cannot be configured with the following features/configurations:  vNIC ports  VMready ports  UFP ports  Management ports © Copyright Lenovo 2015 Chapter 9: VLANs...
Page 122: Vlan Topologies And Design Considerations
VLAN Topologies and Design Considerations  By default, the Lenovo N/OS software is configured so that tagging is disabled on all external ports and on all internal ports.  By default, the Lenovo N/OS software is configured so that all internal ports are members of VLAN 1.  By default, the Lenovo N/OS software is configured so that the management port is a member of the default management VLAN 4095.  Multiple management VLANs can be configured on the switch, in addition to the default VLAN 4095, using the following commands: CN4093(config)# vlan <x> CN4093(configvlan)# management When using Spanning Tree, STG 2‐128 may contain only one VLAN unless  Multiple Spanning‐Tree Protocol (MSTP) mode is used. With MSTP mode, STG 1 to 32 can include multiple VLANs. VLAN Configuration Rules VLANs operate according to specific configuration rules. When creating VLANs, consider the following rules that determine how the configured VLAN reacts in any network topology: All ports involved in trunking and port mirroring must have the same VLAN  configuration. If a port is on a trunk with a mirroring port, the VLAN configura‐ tion cannot be changed. For more information trunk groups, see “Configuring a Static Port Trunk” on page 137.  If a port is configured for port mirroring, the port’s VLAN membership cannot be changed. For more information on configuring port mirroring, see “Port Mir‐ roring” on page 531.
Page 123 Server #1 This server is a member of VLAN 3 and has presence in only one IP subnet. The associated internal switch port is only a member of VLAN 3, so tagging is disabled. Server #2 This high‐use server needs to be accessed from all VLANs and IP subnets. The server has a VLAN‐tagging adapter installed with VLAN tagging turned on. The adapter is attached to one of the internal switch ports, that is a member of VLANs 1, 2, and 3, and has tagging enabled. Because of the VLAN tagging capabilities of both the adapter and the switch, the server is able to communicate on all three IP subnets in this network. Broadcast separation between all three VLANs and subnets, however, is maintained. PCs #1 and These PCs are attached to a shared media hub that is then connected to the switch. They belong to VLAN 2 and are logically in the same IP subnet as Server 2 and PC 5. The associated external switch port has tagging disabled. PC #3 A member of VLAN 1, this PC can only communicate with Server 2 and PC 5. The associated external switch port has tagging disabled. © Copyright Lenovo 2015 Chapter 9: VLANs...
Page 124 Component Description PC #4 A member of VLAN 3, this PC can only communicate with Server 1 and Server 2. The associated external switch port has tagging disabled. PC #5 A member of both VLAN 1 and VLAN 2, this PC has a VLAN‐tagging Gigabit Ethernet adapter installed. It can communicate with Server 2 and PC 3 via VLAN 1, and to Server 2, PC 1 and PC 2 via VLAN 2. The associated external switch port is a member of VLAN 1 and VLAN 2, and has tagging enabled. Note: VLAN tagging is required only on ports that are connected to other CN4093s or on ports that connect to tag-capable end-stations, such as servers with VLAN-tagging adapters.
Page 125: Protocol-Based Vlans
SNAP (Subnetwork Access Protocol)  LLC (Logical Link Control)   Ethernet type—consists of a 4‐digit (16 bit) hex value that defines the Ethernet type. You can use common Ethernet protocol values, or define your own values. Following are examples of common Ethernet protocol values: IPv4 = 0800  IPv6 = 86dd  ARP = 0806  Port-Based vs. Protocol-Based VLANs Each VLAN supports both port‐based and protocol‐based association, as follows:  The default VLAN configuration is port‐based. All data ports are members of VLAN 1, with no PVLAN association.  When you add ports to a PVLAN, the ports become members of both the port‐based VLAN and the PVLAN. For example, if you add port EXT1 to PVLAN 1 on VLAN 2, the port also becomes a member of VLAN 2.  When you delete a PVLAN, it’s member ports remain members of the port‐based VLAN. For example, if you delete PVLAN 1 from VLAN 2, port EXT1 remains a member of VLAN 2.  When you delete a port from a VLAN, the port is deleted from all corresponding PVLANs. © Copyright Lenovo 2015 Chapter 9: VLANs...
Page 126: Pvlan Priority Levels
PVLAN Priority Levels You can assign each PVLAN a priority value of 0‐7, used for Quality of Service (QoS). PVLAN priority takes precedence over a port’s configured priority level. If no priority level is configured for the PVLAN (priority = 0), each port’s priority is used (if configured). All member ports of a PVLAN have the same PVLAN priority level. PVLAN Tagging When PVLAN tagging is enabled, the switch tags frames that match the PVLAN protocol. For more information about tagging, see “VLAN Tagging/Trunk Mode” on page 117. Untagged ports must have PVLAN tagging disabled. Tagged ports can have PVLAN tagging either enabled or disabled. PVLAN tagging has higher precedence than port‐based tagging. If a port is tag enabled, and the port is a member of a PVLAN, the PVLAN tags egress frames that match the PVLAN protocol. Use the tag‐pvlan command (vlan <x> protocolvlan <x> tagpvlan <x>) to define the complete list of tag‐enabled ports in the PVLAN. Note that all ports not included in the PVLAN tag list will have PVLAN tagging disabled. PVLAN Configuration Guidelines Consider the following guidelines when you configure protocol‐based VLANs:  Each port can support up to 16 VLAN protocols. The CN4093 can support up to 16 protocols simultaneously.   Each PVLAN must have at least one port assigned before it can be activated. The same port within a port‐based VLAN can belong to multiple PVLANs.   An untagged port can be a member of multiple PVLANs. A port cannot be a member of different VLANs with the same protocol  association.
Page 127 VLAN (PVID/Native VLAN), you will be asked to confirm changing the PVID to the current VLAN. 5. Enable the PVLAN. CN4093(configvlan)# protocolvlan 1 enable CN4093(configvlan)# exit 6. Verify PVLAN operation. . CN4093(config)# show vlan VLAN Name Status MGT Ports 1 Default VLAN ena dis INTA2EXT15 EXT19 2 VLAN 2 ena dis INTA1 INTA2 Primary Secondary Type Ports vPorts PVLAN Protocol FrameType EtherType Priority Status Ports 2 1 Ether2 0800 2 enabled INTA1 INTA2 PVLAN PVLANTagged Ports none none © Copyright Lenovo 2015 Chapter 9: VLANs...
Page 128: Private Vlans
Private VLANs Private VLANs provide Layer 2 isolation between the ports within the same broadcast domain. Private VLANs can control traffic within a VLAN domain, and provide port‐based security for host servers. Lenovo N/OS supports Private VLAN configuration as described in RFC 5517. Use Private VLANs to partition a VLAN domain into sub‐domains. Each sub‐domain is comprised of one primary VLAN and one secondary VLAN, as follows:  Primary VLAN—carries unidirectional traffic downstream from promiscuous ports. Each Private VLAN has only one primary VLAN. All ports in the Private VLAN are members of the primary VLAN.  Secondary VLAN—Secondary VLANs are internal to a private VLAN domain, and are defined as follows: Isolated VLAN—carries unidirectional traffic upstream from the host servers  toward ports in the primary VLAN. Each Private VLAN can contain only one Isolated VLAN. Community VLAN—carries upstream traffic from ports in the community  VLAN to other ports in the same community, and to ports in the primary VLAN. Each Private VLAN can contain multiple community VLANs. After you define the primary VLAN and one or more secondary VLANs, you map the secondary VLAN(s) to the primary VLAN. Private VLAN Ports Private VLAN ports are defined as follows:  Promiscuous—A promiscuous port is an external port that belongs to the primary VLAN. The promiscuous port can communicate with all the interfaces, including ports in the secondary VLANs (Isolated VLAN and Community VLANs). Isolated—An isolated port is a host port that belongs to an isolated VLAN. Each  isolated port has complete layer 2 separation from other ports within the same private VLAN (including other isolated ports), except for the promiscuous ports. ...
Page 129: Configuration Guidelines
 All VLANs that comprise the Private VLAN must belong to the same Spanning Tree Group. Configuration Example Follow this procedure to configure a Private VLAN. 1. Select a VLAN and define the Private VLAN type as primary. CN4093(config)# vlan 700 CN4093(configvlan)# privatevlan primary CN4093(configvlan)# exit 2. Configure a promiscuous port for VLAN 700. CN4093(config)# interface port 1 CN4093(configif)# switchport mode privatevlan CN4093(configif)# switchport privatevlan mapping 700 CN4093(configif)# exit 3. Configure two secondary VLANs: isolated VLAN and community VLAN. CN4093(config)# vlan 701 CN4093(configvlan)# privatevlan isolated CN4093(configvlan)# exit CN4093(config)# vlan 702 CN4093(configvlan)# privatevlan community CN4093(configvlan)# exit 4. Map secondary VLANs to primary VLAN. CN4093(config)# vlan 700702 CN4093(configvlan)# stg 1 CN4093(configvlan)# exit CN4093(config)# vlan 700 CN4093(configvlan)# privatevlan association 701,702 CN4093(configvlan)# exit © Copyright Lenovo 2015 Chapter 9: VLANs...
Page 130 5. Configure host ports for secondary VLANs. CN4093(config)# interface port 2 CN4093(configif)# switchport mode privatevlan CN4093(configif)# switchport privatevlan hostassociation 700 701 CN4093(configif)# exit CN4093(config)# interface port 3 CN4093(configif)# switchport mode privatevlan CN4093(configif)# switchport privatevlan hostassociation 700 702 CN4093(configif)# exit 6. Verify the configuration. CN4093(config)# show vlan privatevlan Primary Secondary Type Ports 700 701 isolated 1 2 700 702 community 1 3 CN4093 Application Guide for N/OS 8.2...
Page 131: Chapter 10. Ports And Trunking
Chapter 10. Ports and Trunking Trunk groups can provide super‐bandwidth, multi‐link connections between the CN4093 10Gb Converged Scalable Switch (CN4093) and other trunk‐capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. This chapter provides configuration background and examples for trunking multiple ports together:  “Configuring Port Modes” on page 132  “Configuring QSFP+ Ports” on page 134  “Trunking Overview” on page 135  “Static Trunks” on page 136 “Configurable Trunk Hash Algorithm” on page 139   “Link Aggregation Control Protocol” on page 141 © Copyright Lenovo 2015...
Page 132: Configuring Port Modes
Configuring Port Modes The switch allows you to set the port mode. Select the port mode that fits your network configuration. Switch port modes are available based on the installation license. The following port modes are available:  Base Port mode: Fourteen 10Gb internal (1 port x 14 blade servers)  Eight 10Gb external   Upgrade 1 Port mode: Twenty Eight 10Gb internal (2 ports x 14 blade servers)  Eight 10Gb external  Two 40Gb external   Upgrade 2 Port mode: Forty Two 10Gb internal (3 ports x 14 Blade servers)  Fourteen 10Gb external  Two 40Gb external  Base Port mode is the default. To upgrade the port mode, you must obtain a software license key. The following command sequence is an example of how to upgrade the port mode (e.g. switch SN Y010CM2CN058): CN4093# softwarekey Enter hostname or IP address of SFTP/TFTP server: 9.44.143.105 Enter name of file on SFTP/TFTP server: ...
Page 133 INTA7 7 n Internal d e e 1 INTA7 1 INTA8 8 n Internal d e e 1 INTA8 1 INTA9 9 n Internal d e e 1 INTA9 1 EXT1 43 n External d e e 1 EXT1 1 EXT2 44 n External d e e 1 EXT2 1 EXT3 45 n External d e e 1 EXT3 1 EXT4 46 n External d e e 1 EXT4 1 EXT5 47 n External d e e 1 EXT5 1 EXT6 48 n External d e e 1 EXT6 1 EXT7 49 n External d e e 1 EXT7 1 EXT8 50 n External d e e 1 EXT8 1 EXT9 51 n External d e e 1 EXT9 1 EXT10 52 n External d e e 1 EXT10 1 EXT11 53 n External d e e 1 EXT11 1 EXT12 54 n External d e e 1 EXT12 1 EXT13 55 n External d e e 1 EXT13 1 EXT14 56 n External d e e 1 EXT14 1 EXT15 57 n External d e e 1 EXT15 1 EXT16 58 n External d e e 1 EXT16 1 EXT17 59 n External d e e 1 EXT17 1 EXT18 60 n External d e e 1 EXT18 1 EXT19 61 n External d e e 1 EXT19 1 EXT20 62 n External d e e 1 EXT20 1 EXT21 63 n External d e e 1 EXT21 1 EXT22 64 n External d e e 1 EXT22 1 EXTM 65 n Mgmt d e e 4095 EXTM 4095 MGT1 66 y Mgmt d e e 4095 MGT1 4095 * = PVID/NativeVLAN is tagged. # = PVID is ingress tagged. Trk = Trunk mode NVLAN = NativeVLAN © Copyright Lenovo 2015 Chapter 10: Ports and Trunking...
Page 134: Configuring Qsfp+ Ports
Configuring QSFP+ Ports QSFP+ ports support both 10GbE and 40GbE, as shown in Table 16. Table 16. QSFP+ Port Numbering Physical Port Number 40GbE mode 10GbE mode Port EXT3 Port EXT3 Ports EXT3‐EXT6 Port EXT7 Port EXT7 Ports EXT7‐EXT10 QSFP+ ports are available only when Upgrade 1 is installed (see “Configuring Port Modes” on page 132). The following procedure allows you to change the QSFP+ port mode. 1. Display the current port mode for the QSFP+ ports. CN4093# show boot qsfpportmodes QSFP ports booted configuration: Port EXT3, EXT4, EXT5, EXT6 10G Mode Port EXT7, EXT8, EXT9, EXT10 10G Mode QSFP ports saved configuration: Port EXT3, EXT4, EXT5, EXT6 10G Mode Port EXT7, EXT8, EXT9, EXT10 10G Mode 2. Change the port mode to 40GbE. Select the physical port number. CN4093(config)# boot qsfp40Gports ext3 3. Verify the change. CN4093# show boot qsfpportmodes QSFP ports booted configuration: Port EXT3, EXT4, EXT5, EXT6 10G Mode Port EXT7, EXT8, EXT9, EXT10 10G Mode QSFP ports saved configuration: Port EXT3 40G Mode Port EXT7, EXT8, EXT9, EXT10 10G Mode 4.
Page 135: Trunking Overview
Trunking Overview When using port trunk groups between two switches, as shown in Figure 9, you can create a virtual link between them, operating with combined throughput levels that depends on how many physical ports are included. Two trunk types are available: static trunk groups (portchannel), and dynamic LACP trunk groups. Up to 64 trunks of each type are supported, depending of the number and type of available ports. Each trunk can include up to 16 member ports. Figure 9. Port Trunk Group Switch 1 Switch 2 Aggregate Port Trunk Trunk groups are also useful for connecting a CN4093 to third‐party devices that support link aggregation, such as Cisco routers and switches with EtherChannel technology (not ISL trunking technology) and Sunʹs Quad Fast Ethernet Adapter. Trunk Group technology is compatible with these devices when they are configured manually. Trunk traffic is statistically distributed among the ports in a trunk group, based on a variety of configurable options. Also, since each trunk group is comprised of multiple physical links, the trunk group is inherently fault tolerant. As long as one connection between the switches is available, the trunk remains active and statistical load balancing is maintained whenever a port in a trunk group is lost or returned to service. © Copyright Lenovo 2015 Chapter 10: Ports and Trunking...
Page 136: Static Trunks
Static Trunks Before Configuring Static Trunks When you create and enable a static trunk, the trunk members (switch ports) take on certain settings necessary for correct operation of the trunking feature. Before you configure your trunk, you must consider these settings, along with specific configuration rules, as follows:  Read the configuration rules provided in the section, “Static Trunk Group Configuration Rules” on page 136.” Determine which switch ports are to become trunk members (the specific ports  making up the trunk).  Ensure that the chosen switch ports are set to enabled.  Ensure all member ports in a trunk have the same VLAN configuration.  Consider how the existing Spanning Tree will react to the new trunk configuration. See “Spanning Tree Protocols” on page 145 for configuration guidelines. Consider how existing VLANs will be affected by the addition of a trunk.  Static Trunk Group Configuration Rules The trunking feature operates according to specific configuration rules. When creating trunks, consider the following rules that determine how a trunk group reacts in any network topology:  All trunks must originate from one network entity (a single device, or multiple devices acting in a stack) and lead to one destination entity. For example, you cannot combine links from two different servers into one trunk group. ...
Page 137: Configuring A Static Port Trunk
Lenovo Blade Trunk 1: Ports EXT1, EXT2, and EXT3 Switch IBM Blade Chassis Prior to configuring each switch in the preceding example, you must connect to the appropriate switch’s Command Line Interface (CLI) as the administrator. Note: For details about accessing and using any of the menu commands described in this example, see the Lenovo N/OS Command Reference. © Copyright Lenovo 2015 Chapter 10: Ports and Trunking...
Page 138 1. Connect the switch ports that will be members in the trunk group. 2. Configure the trunk using these steps on the CN4093: a. Define a trunk group. CN4093(config)# portchannel 1 port ext1,ext2,ext3 (Add port s to trunk group 1) CN4093(config)# portchannel 1 enable b. Verify the configuration. CN4093(config)# show portchannel information Examine the resulting information. If any settings are incorrect, make appropriate changes. 3. Repeat the process on the other switch. CN4093(config)# portchannel 3 port 2,12,22 CN4093(config)# portchannel 3 enable Trunk group 1 (on the CN4093) is now connected to trunk group 3 on the Application Switch. Note: In this example, a CN4093 and an application switch are used. If a third-party device supporting link aggregation is used (such as Cisco routers and switches with EtherChannel technology or Sun's Quad Fast Ethernet Adapter), trunk groups on the third-party device should be configured manually.
Page 139: Configurable Trunk Hash Algorithm
Note: At least one Layer 2 option must always be enabled; The smac and dmac options may not both be disabled at the same time.  For Layer 3 IPv4/IPv6 traffic, one of the following are permitted: Source IP address (sip)  CN4093(config)# portchannel thash l3thash l3sourceipaddress Destination IP address (dip)  CN4093(config)# portchannel thash l3thash l3destinationipaddress Both source and destination IP address (enabled by default)  CN4093(config)# portchannel thash l3thash l3sourcedestinationip If Layer 2 hashing is preferred for Layer 3 traffic, disable the Layer 3 sip and dip hashing options and enable the useL2 option: CN4093(config)# portchannel thash l3thash l3usel2hash Layer 3 traffic will then use Layer 2 options for hashing. © Copyright Lenovo 2015 Chapter 10: Ports and Trunking...
Page 140  Ingress port number (disabled by default) CN4093(config)# portchannel thash ingress  Layer 4 port information (disabled by default) CN4093(config)# portchannel thash l4port When enabled, Layer 4 port information (TCP, UPD, etc.) is added to the hash if available. The L4port option is ignored when Layer 4 information is not included in the packet (such as for Layer 2 packets), or when the useL2 option is enabled. Note: For MPLS packets, Layer 4 port information is excluded from the hash calculation. Instead, other IP fields are used, along with the first two MPLS labels. The CN4093 supports the following FCoE hashing options: CN4093(config)# portchannel thash fcoe cntagid CN4093(config)# portchannel thash fcoe destinationid CN4093(config)# portchannel thash fcoe fabricid CN4093(config)# portchannel thash fcoe originatorid CN4093(config)# portchannel thash fcoe responderid...
Page 141: Link Aggregation Control Protocol
The CN4093 supports up to 64 LACP trunks, each with up to 16 ports. Note: LACP implementation in Lenovo N/OS does not support the Churn machine, an option used to detect if the port is operable within a bounded time period between the actor and the partner. Only the Marker Responder is implemented, and there is no marker protocol generator.
Page 142 To avoid the Actor switch ports (with the same admin key) from aggregating in another trunk group, you can configure a trunk ID. Ports with the same admin key (although with different LAG IDs) compete to get aggregated in a trunk group. The LAG ID for the trunk group is decided based on the first port that is aggregated in the group. Ports with this LAG ID get aggregated and the other ports are placed in suspended mode. As per the configuration shown in Table 17, if port 38 gets aggregated first, then the LAG ID of port 38 would be the LAG ID of the trunk. Port 40 would be placed in suspended mode. When in suspended mode, a port transmits only LACP data units (LACPDUs) and discards all other traffic. A port may also be placed in suspended mode for the following reasons:  When LACP is configured on the port but it stops receiving LACPDUs from the partner switch.  When the port has a different LAG ID because of the partner switch MAC being different. For example: when a switch is connected to two partners. Trunk ID can be configured using the following command: CN4093(config)# portchannel <65‐128> lacp key <adminkey of the LAG> LACP provides for the controlled addition and removal of physical links for the link aggregation. Each port in the CN4093 can have one of the following LACP modes. off (default)  The user can configure this port in to a regular static trunk group. active  The port is capable of forming an LACP trunk. This port sends LACPDU packets to partner system ports. passive  The port is capable of forming an LACP trunk. This port only responds to the LACPDU packets sent from an LACP active port. Each active LACP port transmits LACP data units (LACPDUs), while each passive LACP port listens for LACPDUs. During LACP negotiation, the admin key is exchanged. The LACP trunk group is enabled as long as the information matches at both ends of the link. If the admin key value changes for a port at either end of the link, that port’s association with the LACP trunk group is lost. If an LACP group member port is connected to a port that is in LACP off mode, the LACP port will not be able to converge and the link goes down. When the system is initialized, all ports by default are in LACP off mode and are ...
Page 143: Lacp Individual
Ports assigned with an LACP admin key are prevented by default from forming individual links if they cannot join an LACP trunk group. To override this behavior, use the following commands: CN4093(config)# interface port <port no or range> CN4093(configif)# no lacp suspendindividual This allows the selected ports to be treated as normal link‐up ports, which may forward data traffic according to STP, Hot Links or other applications, if they do not receive any LACPDUs. To configure the LACP individual setting for all the ports in a static LACP trunk, use the following commands: CN4093(configif)# interface portchannel lacp <adminkey of the LAG> CN4093(configif)# [no] lacp suspendindividual Note: By default, external ports are configured with lacp suspend-individual, while internal ports are configured with no lacp suspend-individual. © Copyright Lenovo 2015 Chapter 10: Ports and Trunking...
Page 144: Configuring Lacp
Configuring LACP Use the following procedure to configure LACP for ports 7, 8, and 9 to participate in a single link aggregation. 1. Configure port parameters. All ports that participate in the LACP trunk group must have the same settings, including VLAN membership. 2. Select the port range and define the admin key. Only ports with the same admin key can form an LACP trunk group. CN4093(config)# interface port 79 CN4093(configif)# lacp key 100 3. Set the LACP mode. CN4093(configif)# lacp mode active CN4093(configif)# exit 4. Optionally allow member ports to individually participate in normal data traffic if no LACPDUs are received. CN4093(configif)# no lacp suspendindividual CN4093(configif)# exit 5. Set the link aggregation as static, by associating it with trunk ID 65: CN4093(configif)# portchannel 65 lacp key 100 CN4093 Application Guide for N/OS 8.2...
Page 145: Chapter 11. Spanning Tree Protocols
“Port Type and Link Type” on page 164  Spanning Tree Protocol Modes Lenovo N/OS 8.2 supports the following STP modes:  Rapid Spanning Tree Protocol (RSTP) IEEE 802.1D (2004) RSTP allows devices to detect and eliminate logical loops in a bridged or switched network. When multiple paths exist, STP configures the network so that only the most efficient path is used. If that path fails, STP automatically configures the best alternative active path on the network in order to sustain network operations. RSTP is an enhanced version of IEEE 802.1D (1998) STP, providing more rapid convergence of the Spanning Tree network path states on STG 1. See “Rapid Spanning Tree Protocol” on page 158 for details.  Per‐VLAN Rapid Spanning Tree (PVRST+) PVRST mode is based on RSTP to provide rapid Spanning Tree convergence, but supports instances of Spanning Tree, allowing one STG per VLAN. PVRST mode is compatible with Cisco R‐PVST/R‐PVST+ mode. PVRST is the default Spanning Tree mode on the CN4093. See “PVSRT Mode” on page 146 for details.  Multiple Spanning Tree Protocol (MSTP) IEEE 802.1Q (2003) MSTP provides both rapid convergence and load balancing in a VLAN environment. MSTP allows multiple STGs, with multiple VLANs in each. See “Multiple Spanning Tree Protocol” on page 160 for details. © Copyright Lenovo 2015...
Page 146: Global Stp Control
(Globally disable Spanning Tree) Spanning Tree can be re‐enabled by specifying the STP mode: CN4093(config)# spanningtree mode {pvrst|rstp|mst} PVSRT Mode Note: Per-VLAN Rapid Spanning Tree (PVRST) is enabled by default on the CN4093. Using STP, network devices detect and eliminate logical loops in a bridged or switched network. When multiple paths exist, Spanning Tree configures the network so that a switch uses only the most efficient path. If that path fails, Spanning Tree automatically sets up another active path on the network to sustain network operations. Lenovo N/OS PVRST mode is based on IEEE 802.1w RSTP. Like RSTP, PVRST mode provides rapid Spanning Tree convergence. However, PVRST mode is enhanced for multiple instances of Spanning Tree. In PVRST mode, each VLAN may be automatically or manually assigned to one of 127 available STGs, with each STG acting as an independent, simultaneous instance of STP. PVRST uses IEEE 802.1Q tagging to differentiate STP BPDUs and is compatible with Cisco R‐PVST/R‐PVST+ modes. The relationship between ports, trunk groups, VLANs, and Spanning Trees is shown in Table Table 18. Ports, Trunk Groups, and VLANs Switch Element...
Page 147: Port States
If STP is globally enabled, for ports where STP is turned off, inbound BPDUs will instead be discarded. Determining the Path for Forwarding BPDUs When determining which port to use for forwarding and which port to block, the CN4093 uses information in the BPDU, including each bridge ID. A technique based on the “lowest root cost” is then computed to determine the most efficient path for forwarding. Bridge Priority The bridge priority parameter controls which bridge on the network is the STG root bridge. To make one switch become the root bridge, configure the bridge priority lower than all other switches and bridges on your network. The lower the value, the higher the bridge priority. Use the following command to configure the bridge priority: <x> CN4093(config)# spanningtree stp bridge priority <0‐65535> © Copyright Lenovo 2015 Chapter 11: Spanning Tree Protocols...
Page 148 Port Priority The port priority helps determine which bridge port becomes the root port or the designated port. The case for the root port is when two switches are connected using a minimum of two links with the same path‐cost. The case for the designated port is in a network topology that has multiple bridge ports with the same path‐cost connected to a single segment, the port with the lowest port priority becomes the designated port for the segment. Use the following commands to configure the port priority: CN4093(config)# interface port <x> CN4093(configif)# spanningtree stp <STG> priority <port priority> where priority value is a number from 0 to 240, in increments of 16 (such as 0, 16, 32, and so on). If the specified priority value is not evenly divisible by 16, the value will be automatically rounded down to the nearest valid increment whenever manually changed in the configuration. Root Guard The root guard feature provides a way to enforce the root bridge placement in the network. It keeps a new device from becoming root and thereby forcing STP re‐convergence. If a root‐guard enabled port detects a root device, that port will be placed in a blocked state. You can configure the root guard at the port level using the following commands: CN4093(config)# interface port <port number> CN4093(configif)# spanningtree guard root The default state is none (disabled). Loop Guard In general, STP resolves redundant network topologies into loop‐free topologies. The loop guard feature performs additional checking to detect loops that might not be found using Spanning Tree. STP loop guard ensures that a non‐designated port does not become a designated port. To globally enable loop guard, enter the following command: CN4093(config)# spanningtree loopguard Note: The global loop guard command will be effective on a port only if the port-level loop guard command is set to default as shown below: CN4093(configif)# spanningtree guard loop none To enable loop guard at the port level, enter the following command:...
Page 149: Simple Stp Configuration
Use the following command to modify the port path cost: CN4093(config)# interface port <port number> CN4093(configif)# spanningtree stp <STG> pathcost <path cost value> CN4093(configif)# exit The port path cost can be a value from 1 to 200000000. Specify 0 for automatic path cost. Simple STP Configuration Figure 11 depicts a simple topology using a switch‐to‐switch link between two switches (via either external ports or internal Inter‐Switch Links). Figure 11. Spanning Tree Blocking a Switch‐to‐Switch Link Enterprise Routing Switches Switch 1 Switch 2 Blocks Link Server Server Server Server © Copyright Lenovo 2015 Chapter 11: Spanning Tree Protocols...
Page 150 To prevent a network loop among the switches, STP must block one of the links between them. In this case, it is desired that STP block the link between the blade switches, and not one of the CN4093 uplinks or the Enterprise switch trunk. During operation, if one CN4093 experiences an uplink failure, STP will activate the switch‐to‐switch link so that server traffic on the affected CN4093 may pass through to the active uplink on the other CN4093, as shown in Figure Figure 12. Spanning Tree Restoring the Switch‐to‐Switch Link Enterprise Uplink Routing Failure Switches Switch 1 Switch 2 Restores Link Server Server Server Server In this example, port 10 on each switch is used for the switch‐to‐switch link. To ensure that the CN4093 switch‐to‐switch link is blocked during normal operation, the port path cost is set to a higher value than other paths in the network. To configure the port path cost on the switch‐to‐switch links in this example, use the following commands on each switch. CN4093(config)# interface port 10 CN4093(configif)# spanningtree stp 1 pathcost 60000 CN4093(configif)# exit CN4093 Application Guide for N/OS 8.2...
Page 151: Per-Vlan Spanning Tree Groups
Loop is active is active Application Switch Application Switch With a single Spanning Tree, Using multiple STGs, one link becomes blocked. both links may be active. In the second network, the problem of improper link blocking is resolved when the VLANs are placed into different Spanning Tree Groups (STGs). Since each STG has its own independent instance of Spanning Tree, each STG is responsible only for the loops within its own VLAN. This eliminates the false loop, and allows both VLANs to forward packets between the switches at the same time. © Copyright Lenovo 2015 Chapter 11: Spanning Tree Protocols...
Page 152: Vlan And Stg Assignment
VLAN and STG Assignment In PVRST mode, up to 128 STGs are supported. Ports cannot be added directly to an STG. Instead, ports must be added as members of a VLAN, and the VLAN must then be assigned to the STG. STG 1 is the default STG. Although VLANs can be added to or deleted from default STG 1, the STG itself cannot be deleted from the system. By default, STG 1 is enabled and includes VLAN 1, which by default includes all switch ports (except for management VLANs and management ports). STG 128 is reserved for switch management. By default, STG 128 is disabled, but includes management VLAN 4095 and the management ports. By default, all other STGs (STG 2 through 127) are enabled, though they initially include no member VLANs. VLANs must be assigned to STGs. By default, this is done automatically using VLAN Automatic STG Assignment (VASA), though it can also be done manually (see “Manually Assigning STGs” on page 153). When VASA is enabled (as by default), each time a new VLAN is configured, the switch will automatically assign that new VLAN to its own STG. Conversely, when a VLAN is deleted, if its STG is not associated with any other VLAN, the STG is returned to the available pool. The specific STG number to which the VLAN is assigned is based on the VLAN number itself. For low VLAN numbers (1 through 127), the switch will attempt to assign the VLAN to its matching STG number. For higher numbered VLANs, the STG assignment is based on a simple modulus calculation; the attempted STG number will “wrap around,” starting back at the top of STG list each time the end of the list is reached. However, if the attempted STG is already in use, the switch will select the next available STG. If an empty STG is not available when creating a new VLAN, the VLAN is automatically assigned to default STG 1. If ports are tagged, each tagged port sends out a special BPDU containing the tagged information. Also, when a tagged port belongs to more than one STG, the egress BPDUs are tagged to distinguish the BPDUs of one STG from those of another STG. VASA is enabled by default, but can be disabled or re‐enabled using the following command: CN4093(config)# [no] spanningtree stgauto If VASA is disabled, when you create a new VLAN, that VLAN automatically belongs to default STG 1. To place the VLAN in a different STG, assign it manually. VASA applies only to PVRST mode and is ignored in RSTP and MSTP modes. CN4093 Application Guide for N/OS 8.2...
Page 153: Manually Assigning Stgs
Guidelines for Creating VLANs  When you create a new VLAN, if VASA is enabled (the default), that VLAN is automatically assigned its own STG. If VASA is disabled, the VLAN automatically belongs to STG 1, the default STG. To place the VLAN in a different STG, see “Manually Assigning STGs” on page 153. The VLAN is automatically removed from its old STG before being placed into the new STG.  Each VLANs must be contained within a single STG; a VLAN cannot span multiple STGs. By confining VLANs within a single STG, you avoid problems with Spanning Tree blocking ports and causing a loss of connectivity within the VLAN. When a VLAN spans multiple switches, it is recommended that the VLAN remain within the same STG (be assigned the same STG ID) across all the switches.  If ports are tagged, all trunked ports can belong to multiple STGs.  A port cannot be directly added to an STG. The port must first be added to a VLAN, and that VLAN added to the desired STG. Rules for VLAN Tagged Ports  Tagged ports can belong to more than one STG, but untagged ports can belong to only one STG. When a tagged port belongs to more than one STG, the egress BPDUs are tagged  to distinguish the BPDUs of one STG from those of another STG. © Copyright Lenovo 2015 Chapter 11: Spanning Tree Protocols...
Page 154: Adding And Removing Ports From Stgs
Adding and Removing Ports from STGs  When you add a port to a VLAN that belongs to an STG, the port is also added to that STG. However, if the port you are adding is an untagged port and is already a member of another STG, that port will be removed from its current STG and added to the new STG. An untagged port cannot belong to more that one STG. For example: Assume that VLAN 1 belongs to STG 1, and that port 1 is untagged and does not belong to any STG. When you add port 1 to VLAN 1, port 1 will automatically become part of STG 1. However, if port 5 is untagged and is a member of VLAN 3 in STG 2, then adding port 5 to VLAN 1 in STG 1 will not automatically add the port to STG 1. Instead, the switch will prompt you to decide whether to change the PVID from 3 to 1: "Port 5 is an UNTAGGED/Access Mode port and its current PVID/Native VLAN is 3. Confirm changing PVID/Native VLAn from 3 to 1 [y/n]:" y  When you remove a port from VLAN that belongs to an STG, that port will also be removed from the STG. However, if that port belongs to another VLAN in the same STG, the port remains in the STG. As an example, assume that port 2 belongs to only VLAN 2, and that VLAN 2 belongs to STG 2. When you remove port 2 from VLAN 2, the port is moved to default VLAN 1 and is removed from STG 2. However, if port 2 belongs to both VLAN 1 and VLAN 2, and both VLANs belong to STG 1, removing port 2 from VLAN 2 does not remove port 2 from STG 1, because the port is still a member of VLAN 1, which is still a member of STG 1.  An STG cannot be deleted, only disabled. If you disable the STG while it still contains VLAN members, Spanning Tree will be off on all ports belonging to that VLAN. The relationship between port, trunk groups, VLANs, and Spanning Trees is shown in Table 18 on page 146.
Page 155: Configuring Multiple Stgs
VLAN 1 on ports 1 and 2. Switch C receives the BPDU on port 2, and Switch D receives the BPDU on port 1. Because there is a network loop between the switches in VLAN 1, either Switch D will block port 8 or Switch C will block port 1, depending on the information provided in the BPDU.  VLAN 2 Participation Switch B, the root bridge, generates a BPDU for STG 2 from port 8. Switch A receives this BPDU on port 17, which is assigned to VLAN 2, STG 2. Because switch B has no additional ports participating in STG 2, this BPDU is not forwarded to any additional ports and Switch B remains the designated root. VLAN 3 Participation  For VLAN 3, Switch A or Switch C may be the root bridge. If Switch A is the root bridge for VLAN 3, STG 3, then Switch A transmits the BPDU from port 18. Switch C receives this BPDU on port 8 and is identified as participating in VLAN 3, STG 3. Since Switch C has no additional ports participating in STG 3, this BPDU is not forwarded to any additional ports and Switch A remains the designated root. Configuring Multiple STGs This configuration shows how to configure the three instances of STGs on the switches A, B, C, and D illustrated in Figure 14 on page 154. Because VASA is enabled by default, each new VLAN is automatically assigned its own STG. However, for this configuration example, some VLANs are explicitly reassigned to other STGs. © Copyright Lenovo 2015 Chapter 11: Spanning Tree Protocols...
Page 156 1. Set the Spanning Tree mode on each switch to PVRST. CN4093(config)# spanningtree mode pvrst Note: PVRST is the default mode on the CN4093. This step is not required unless the STP mode has been previously changed, and is shown here merely as an example of manual configuration. 2. Configure the following on Switch A: 3. Enable VLAN 2 and VLAN 3. CN4093(config)# vlan 2 CN4093(configvlan)# exit CN4093(config)# vlan 3...
Page 157 5. Configure the following on application switch C: Add port 8 to VLAN 3. Ports 1 and 2 are by default in VLAN 1 assigned to STG 1. CN4093(config)# vlan 3 CN4093(configvlan)# stg 3 CN4093(configvlan)# exit CN4093(config)# interface port 8 CN4093(configif)# switchport mode trunk CN4093(configif)# exit If VASA is disabled, enter the following command: CN4093(config)# spanningtree stp 3 vlan 3 VLAN 3 is automatically removed from STG 1. By default VLAN 1 remains in STG Switch D does not require any special configuration for multiple Spanning Trees. Switch D uses default STG 1 only. © Copyright Lenovo 2015 Chapter 11: Spanning Tree Protocols...
Page 158: Rapid Spanning Tree Protocol
Rapid Spanning Tree Protocol RSTP provides rapid convergence of the Spanning Tree and provides the fast re‐configuration critical for networks carrying delay‐sensitive traffic such as voice and video. RSTP significantly reduces the time to reconfigure the active topology of the network when changes occur to the physical topology or its configuration parameters. RSTP reduces the bridged‐LAN topology to a single Spanning Tree. RSTP was originally defined in IEEE 802.1w (2001) and was later incorporated into IEEE 802.1D (2004), superseding the original STP standard. RSTP parameters apply only to Spanning Tree Group (STG) 1. The PVRST mode STGs 2‐128 are not used when the switch is placed in RSTP mode. RSTP is compatible with devices that run IEEE 802.1D (1998) Spanning Tree Protocol. If the switch detects IEEE 802.1D (1998) BPDUs, it responds with IEEE 802.1D (1998)‐compatible data units. RSTP is not compatible with Per‐VLAN Rapid Spanning Tree (PVRST) protocol. Note: In RSTP mode, Spanning Tree for the management ports is turned off by default. Port States RSTP port state controls are the same as for PVRST: discarding, learning, and forwarding. Due to the sequence involved in these STP states, considerable delays may occur while paths are being resolved. To mitigate delays, ports defined as edge ports (“Port Type and Link Type” on page 164) may bypass the discarding and ...
Page 159 4. Configure port parameters: CN4093(config)# interface port 3 CN4093(configif)# spanningtree stp 1 priority 240 CN4093(configif)# spanningtree stp 1 pathcost 500 CN4093(configif)# no spanningtree stp 1 enable CN4093(configif)# exit © Copyright Lenovo 2015 Chapter 11: Spanning Tree Protocols...
Page 160: Multiple Spanning Tree Protocol
Multiple Spanning Tree Protocol Multiple Spanning Tree Protocol (MSTP) extends Rapid Spanning Tree Protocol (RSTP), allowing multiple Spanning Tree Groups (STGs) which may each include multiple VLANs. MSTP was originally defined in IEEE 802.1s (2002) and was later included in IEEE 802.1Q (2003). In MSTP mode, the CN4093 supports up to 32 instances of Spanning Tree, corresponding to STGs 1‐32, with each STG acting as an independent, simultaneous instance of STP. MSTP allows frames assigned to different VLANs to follow separate paths, with each path based on an independent Spanning Tree instance. This approach provides multiple forwarding paths for data traffic, thereby enabling load‐balancing, and reducing the number of Spanning Tree instances required to support a large number of VLANs. Due to Spanning Tree’s sequence of discarding, learning, and forwarding, lengthy delays may occur while paths are being resolved. Ports defined as edge ports (“Port Type and Link Type” on page 164) bypass the Discarding and Learning states, and enter directly into the Forwarding state. Note: In MSTP mode, Spanning Tree for the management ports is turned off by default. MSTP Region A group of interconnected bridges that share the same attributes is called an MST ...
Page 161: Mstp Configuration Guidelines
 4095 to the CIST. When MSTP is turned off, the switch moves VLAN 4095 from the CIST to Spanning Tree Group 128.  When you enable MSTP, you must configure the Region Name. A default version number of 0 is configured automatically. Each bridge in the region must have the same name, version number, and VLAN  mapping. MSTP Configuration Examples Example 1 This section provides steps to configure MSTP on the CN4093. 1. Configure port and VLAN membership on the switch. 2. Configure Multiple Spanning Tree region parameters and set the mode to MSTP. CN4093(config)# spanningtree mst configuration(Enter MST configuration mode) CN4093(configmst)# name <name> (Define the Region name) CN4093(configmst)# revision 100 (Define the Revision level) CN4093(configmst)# exit CN4093(config)# spanningtree mode mst (Set mode to Multiple Spanning Trees) 3. Map VLANs to MSTP instances: CN4093(config)# spanningtree mst configuration(Enter MST configuration mode) CN4093(configmst)# instance <instance ID> vlan <vlan number or range> © Copyright Lenovo 2015 Chapter 11: Spanning Tree Protocols...
Page 162 MSTP Configuration Example 2 This configuration shows how to configure MSTP Groups on the switch, as shown in Figure 15. Figure 15. Implementing Multiple Spanning Tree Groups Enterprise Enterprise Routing Switch Routing Switch MSTP Group 1 MSTP Group 2 Root Root Passing VLAN 1 Blocking VLAN 1 Blocking VLAN 2 Passing VLAN 2 Server 1 Server 2 Server 3 Server 4 VLAN 1...
Page 163 3. Map VLANs to MSTP instances: CN4093(config)# spanningtree mst configuration CN4093(configmst)# instance 1 vlan 1 CN4093(configmst)# instance 2 vlan 2 4. Configure port membership and define the STGs for VLAN 2. Add server ports 3, 4, and 5 to VLAN 2. Add uplink ports 19 and 20 to VLAN 2. Assign VLAN 2 to STG 2. CN4093(config)# interface port 3,4,5,19,20 CN4093(configif)# switchport access vlan 2 CN4093(configif)# exit Note: Each STG is enabled by default. © Copyright Lenovo 2015 Chapter 11: Spanning Tree Protocols...
Page 164: Port Type And Link Type
Port Type and Link Type Edge/Portfast Port A port that does not connect to a bridge is called an edge port. Since edge ports are assumed to be connected to non‐STP devices (such as directly to hosts or servers), they are placed in the forwarding state as soon as the link is up. Internal ports (INTx) should be configured as edge ports. Edge ports send BPDUs to upstream STP devices like normal STP ports, but should not receive BPDUs. If a port with edge enabled does receive a BPDU, it immediately begins working as a normal (non‐edge) port, and participates fully in Spanning Tree. Use the following commands to define or clear a port as an edge port: CN4093(config)# interface port <port> CN4093(configif)# [no] spanningtree portfast CN4093(configif)# exit Link Type The link type determines how the port behaves in regard to Rapid Spanning Tree. Use the following commands to define the link type for the port: CN4093(config)# interface port <port> CN4093(configif)# [no] spanningtree linktype <type> CN4093(configif)# exit where type corresponds to the duplex mode of the port, as follows:  A full‐duplex link to another device (point‐to‐point) shared  A half‐duplex link is a shared segment and can contain more than one device. auto  The switch dynamically configures the link type. Note: Any STP port in full-duplex mode can be manually configured as a shared port when connected to a non-STP-aware shared device (such as a typical Layer 2 switch) used to interconnect multiple STP-aware devices.
Page 165: Chapter 12. Virtual Link Aggregation Groups
Peers Layer STP blocks Links remain implicit loops VLAGs active Access Layer Servers As shown in the example, a switch in the access layer may be connected to more than one switch in the aggregation layer to provide for network redundancy. Typically, Spanning Tree Protocol (PVRST, or MSTP—see “Spanning Tree Protocols” on page 145) is used to prevent broadcast loops, blocking redundant uplink paths. This has the unwanted consequence of reducing the available bandwidth between the layers by as much as 50%. In addition, STP may be slow to resolve topology changes that occur during a link failure, and can result in considerable MAC address flooding. Using Virtual Link Aggregation Groups (VLAGs), the redundant uplinks remain active, utilizing all available bandwidth. Two switches are paired into VLAG peers, and act as a single virtual entity for the purpose of establishing a multi‐port trunk. Ports from both peers can be grouped into a VLAG and connected to the same LAG‐capable target device. From the perspective of the target device, the ports connected to the VLAG peers appear to be a single trunk connecting to a single logical device. The target device uses the configured Tier ID to identify the VLAG peers as this single logical device. It is important that you use a unique Tier ID for each VLAG pair you configure. The VLAG‐capable switches synchronize their logical view of the access layer port structure and internally prevent implicit loops. The VLAG topology also responds more quickly to link failure and does not result in unnecessary MAC flooding. VLAGs are also useful in multi‐layer environments for both uplink and downlink redundancy to any regular LAG‐capable device. For example: © Copyright Lenovo 2015...
Page 166 Figure 17. VLAG Application with Multiple Layers Layer 2/3 Border LACP-capable Routers Trunk Trunk VLAG 5 VLAG 6 Layer 2 Region VLAG with multiple levels Peers C Trunk VLAG 3 VLAG 3 VLAG 4 VLAG VLAG Peers A Peers B VLAG 1 VLAG 2 Trunk Trunk LACP-capable...
Page 167 In addition, when used with VRRP, VLAGs can provide seamless active‐active failover for network links. For exampleVLAG Application with VRRP: VLAG Peers VRRP VRRP VLAG Master Backup Active Server Traffic Flows Note: VLAG is not compatible with UFP vPorts on the same ports." © Copyright Lenovo 2015 Chapter 12: Virtual Link Aggregation Groups...
Page 168: Vlag Capacities
VLAG Capacities Servers or switches that connect to the VLAG peers using a multi‐port VLAG are considered VLAG clients. VLAG clients are not required to be VLAG‐capable. The ports participating in the VLAG are configured as regular port trunks on the VLAG client end. On the VLAG peers, the VLAGs are configured similarly to regular port trunks, using many of the same features and rules. See “Ports and Trunking” on page 131 for general information concerning all port trunks. Each VLAG begins as a regular port trunk on each VLAG‐peer switch. The VLAG may be either a static trunk group (portchannel) or dynamic LACP trunk group, and consumes one slot from the overall port trunk capacity pool. The trunk type must match that used on VLAG client devices. Additional configuration is then required to implement the VLAG on both VLAG peer switches. You may configure up to 64 trunk groups on the switch, with all types (regular or VLAG, static or LACP) sharing the same pool. The maximum number of configurable VLAG instances is as follows: With STP off: Maximum of 31 VLAG instances   With STP on: PVRST/MSTP with one VLAG instance per VLAN/STG: Maximum of 31  VLAG instances PVRST/MSTP with one VLAG instance belonging to multiple  VLANs/STGs: Maximum of 20 VLAG instances Note: VLAG is not supported in RSTP mode. Each trunk type can contain up to 16 member ports, depending on the port type and availability. VLAGs versus Port Trunks Though similar to regular port trunks in many regards, VLAGs differ from regular port trunks in a number of important ways: A VLAG can consist of multiple ports on two VLAG peers, which are connected  to one logical client device such as a server, switch, or another VLAG device.
Page 169  Routing over VLAGs is not supported. However, IP forwarding between subnets served by VLAGs can be accomplished using VRRP.  VLAGs are configured using additional commands.  It is recommended that end‐devices connected to VLAG switches use NICs with dual‐homing. This increases traffic efficiency, reduces ISL load, and provides faster link failover. © Copyright Lenovo 2015 Chapter 12: Virtual Link Aggregation Groups...
Page 170: Configuring Vlags
Configuring VLAGs When configuring VLAG or making changes to your VLAG configuration, consider the following VLAG behavior:  When adding a static Mrouter on VLAG links, ensure that you also add it on the ISL link to avoid VLAG link failure. If the VLAG link fails, traffic cannot be recovered through the ISL. Also, make sure you add the same static entry on the peer VLAG switch for VLAG ports. When you enable VLAG on the switch, if a MSTP region mismatch is detected  with the VLAG peer, the ISL will shut down. In such a scenario, correct the region on the VLAG peer and manually enable the ISL.  If you have enabled VLAG on the switch, and you need to change the STP mode, ensure that you first disable VLAG and then change the STP mode. When VLAG is enabled, you may see two root ports on the secondary VLAG  switch. One of these will be the actual root port for the secondary VLAG switch and the other will be a root port synced with the primary VLAG switch.  The LACP key used must be unique for each VLAG in the entire topology.  The STG to VLAN mapping on both VLAG peers must be identical. The following parameters must be identically configured on the VLAG ports of both the VLAG peers:  VLANs Native VLAN tagging   Native VLAN/PVID STP mode   BPDU Guard setting STP port setting   MAC aging timers Static MAC entries ...
Page 171: Basic Vlag Configuration
VLAN 100 Client Switch Client Switch In this example, each client switch is connected to both VLAG peers. On each client switch, the ports connecting to the VLAG peers are configured as a dynamic LACP port trunk. The VLAG peer switches share a dedicated ISL for synchronizing VLAG information. On the individual VLAG peers, each port leading to a specific client switch (and part of the client switch’s port trunk) is configured as a VLAG. In the following example configuration, only the configuration for VLAG 1 on VLAG Peer 1 is shown. VLAG Peer 2 and all other VLAGs are configured in a similar fashion. Configure the ISL The ISL connecting the VLAG peers is shared by all their VLAGs. The ISL needs to be configured only once on each VLAG peer. 1. Configure STP if required. Use PVRST or MSTP mode only: CN4093(config)# spanningtree mode pvrst 2. Configure the ISL ports and place them into a portchannel (dynamic or static): CN4093(config)# interface port 12 CN4093(configif)# switchport mode trunk CN4093(configif)# lacp mode active CN4093(configif)# lacp key 200 CN4093(configif)# exit CN4093(config)# vlag isl adminkey 200 © Copyright Lenovo 2015 Chapter 12: Virtual Link Aggregation Groups...
Page 172 Note: a. In this case, a dynamic trunk group is shown. A static trunk (portchannel) could be configured instead. b. ISL ports and VLAG ports must be members of the same VLANs. 3. Configure VLAG Tier ID. This is used to identify the VLAG switch in a multi‐tier environment. CN4093(config)# vlag tierid 10 4. Configure the ISL for the VLAG peer. Make sure you configure the VLAG peer (VLAG Peer 2) using the same ISL trunk type (dynamic or static), the same VLAN, and the same STP mode and tier ID used on VLAG Peer 1. Configure the VLAG 1. Configure the VLAN for VLAG 1 ports. Once the VLAN s ready, the ISL ports are automatically added to it. CN4093(config)# vlan 100 CN4093(configvlan)# exit CN4093(config)# interface port 8 CN4093(configif)# switchport mode trunk CN4093(configif)# exit Note: In MSTP mode, VLANs are automatically mapped to CIST. 2. Place the VLAG 1 port(s) in a port trunk group: CN4093(config)# interface port 8 CN4093(configif)# lacp mode active CN4093(configif)# lacp key 1000 CN4093(configif)# exit 3.
Page 173: Vlag Configuration - Vlans Mapped To Msti
Configure the ISL The ISL connecting the VLAG peers is shared by all their VLAGs. The ISL needs to be configured only once on each VLAG peer. Ensure you have the same region name, revision and VLAN‐to‐STG mapping on both VLAG switches. 1. Configure STP: CN4093(config)# spanningtree mode mst 2. Configure the ISL ports and place them into a portchannel (dynamic or static): CN4093(config)# interface port 12 CN4093(configif)# switchport mode trunk CN4093(configif)# lacp mode active CN4093(configif)# lacp key 200 CN4093(configif)# exit CN4093(config)# vlag isl adminkey 200 Note: a. In this case, a dynamic trunk group is shown. A static trunk (portchannel) could be configured instead. b. ISL ports and VLAG ports must be members of the same VLANs. 3. Configure VLAG Tier ID. This is used to identify the VLAG switch in a multi‐tier environment. CN4093(config)# vlag tierid 10 4. Configure the ISL for the VLAG peer. Make sure you configure the VLAG peer (VLAG Peer 2) using the same ISL trunk type (dynamic or static), the same VLAN for vLAG ports and vLAG ISL ports, and the same STP mode and tier ID used on VLAG Peer 1. © Copyright Lenovo 2015 Chapter 12: Virtual Link Aggregation Groups...
Page 174: Configuring Health Check
Configure the VLAG 1. Configure the VLAN for VLAG 1 ports. Once the VLAN s ready, the ISL ports are automatically added to it. CN4093(config)# vlan 100 CN4093(configvlan)# exit CN4093(config)# interface port 8 CN4093(configif)# switchport mode trunk CN4093(configif)# exit 2. Map the VLAN to an MSTI. CN4093(config)# spanningtree mst configuration CN4093(configmst)# instance 1 vlan 100 3. Place the VLAG 1 port(s) in a trunk group (static or dynamic) and assign it to the VLAG: CN4093(config)# interface port 8 CN4093(configif)# lacp mode active CN4093(configif)# lacp key 1000 CN4093(configif)# exit CN4093(config)# vlag adminkey 1000 enable 4. Enable VLAG: CN4093(config)# vlag enable 5. Continue by configuring all required VLAGs on VLAG Peer 1, and then follow the steps for configuring VLAG Peer 2. For each corresponding VLAG on the peer, the port trunk type (dynamic or static), the port’s VLAN, and STP mode and ID must be the same as on VLAG Peer 1. 6. Verify the completed configuration: CN4093# show vlag information Configuring Health Check We strongly recommend that you configure the CN4093 to check the health status of its VLAG peer. Although the operational status of the VLAG peer is generally determined via the ISL connection, configuring a network health check provides an alternate means to check peer status in case the ISL links fail. Use an ...
Page 175 2. Specify the IPv4 or IPv6 address of the VLAG Peer: CN4093(config)# vlag hlthchk peerip 10.10.10.2 Note: For VLAG Peer 2, the management interface would be configured as 10.10.10.2, and the health check would be configured for 10.10.10.1, pointing back to VLAG Peer 1. © Copyright Lenovo 2015 Chapter 12: Virtual Link Aggregation Groups...
Page 176: Vlags With Vrrp
VLAGs with VRRP Note: In a multi-layer environment, configure VRRP separately for each layer. We recommend that you configure VRRP only on the tier with uplinks. See “Configuring VLAGs in Multiple Layers” on page 181. VRRP (see “Virtual Router Redundancy Protocol” on page 471) can be used in conjunction with VLAGs and LACP‐capable devices to provide seamless redundancy. Figure 19. Active‐Active Configuration using VRRP and VLAGs VRRP Master Server 1 VLAG Peer 1...
Page 177 Note: In this case, a dynamic trunk group is shown. A static trunk (portchannel) could be configured instead. 7. Configure the upstream ports. CN4093(config)# interface port 1 CN4093(configif)# switchport access vlan 10 CN4093(configif)# exit CN4093(config)# interface port 2 CN4093(configif)# switchport access vlan 20 CN4093(configif)# exit 8. Configure the server ports. CN4093(config)# interface port 10 CN4093(configif)# switchport access vlan 100 CN4093(configif)# exit CN4093(config)# interface port 11 CN4093(configif)# switchport access vlan 100 CN4093(configif)# exit CN4093(config)# interface port 12 CN4093(configif)# switchport access vlan 100 CN4093(configif)# exit © Copyright Lenovo 2015 Chapter 12: Virtual Link Aggregation Groups...
Page 178 9. Configure all VLANs including VLANs for the VLAGs. CN4093(config)# vlan 10 CN4093(configvlan)# exit CN4093(config)# interface port 1 CN4093(configif)# switchport mode trunk CN4093(configif)# exit CN4093(config)# vlan 20 CN4093(configvlan)# exit CN4093(config)# interface port 2 CN4093(configif)# switchport mode trunk CN4093(configif)# exit CN4093(config)# vlan 100 CN4093(configvlan)# exit CN4093(config)# interface port 45, 1012 CN4093(configif)# switchport mode trunk CN4093(configif)# exit 10. Configure Internet‐facing interfaces. CN4093(config)# interface ip 1 CN4093(configipif)# ip address 172.1.1.10 255.255.255.0 CN4093(configipif)# vlan 10 CN4093(configipif)# enable CN4093(configipif)# ip ospf area 1 CN4093(configipif)# ip ospf enable CN4093(configipif)# exit CN4093(config)# interface ip 2 CN4093(configipif)# ip address 172.1.3.10 255.255.255.0 CN4093(configipif)# vlan 20 CN4093(configipif)# enable CN4093(configipif)# ip ospf area 1 CN4093(configipif)# ip ospf enable CN4093(configipif)# exit 11. Place the VLAG port(s) in their port trunk groups. CN4093(config)# interface port 10 CN4093(configif)# lacp mode active CN4093(configif)# lacp key 1000 CN4093(configif)# exit CN4093(config)# interface port 11 CN4093(configif)# lacp mode active CN4093(configif)# lacp key 1100 CN4093(configif)# exit...
Page 179 CN4093(config)# vlag tierid 10 CN4093(config)# vlag enable 2. Configure appropriate routing. CN4093(config)# router ospf CN4093(configrouterospf)# area 1 areaid 0.0.0.1 CN4093(configrouterospf)# enable CN4093(configrouterospf)# exit Although OSPF is used in this example, static routing could also be deployed. 3. Configure a server‐facing interface. CN4093(config)# interface ip 3 CN4093(configipif)# ip address 10.0.1.11 255.255.255.0 CN4093(configipif)# vlan 100 CN4093(configipif)# exit 4. Turn on VRRP and configure the Virtual Interface Router. CN4093(config)# router vrrp CN4093(configvrrp)# enable CN4093(configvrrp)# virtualrouter 1 virtualrouterid 1 CN4093(configvrrp)# virtualrouter 1 interface 3 CN4093(configvrrp)# virtualrouter 1 address 10.0.1.100 CN4093(configvrrp)# virtualrouter 1 enable 5. Configure the ISL ports and place them into a port trunk group: CN4093(config)# interface port 45 CN4093(configif)# switchport mode trunk CN4093(configif)# lacp mode active CN4093(configif)# lacp key 2000 CN4093(configif)# exit © Copyright Lenovo 2015 Chapter 12: Virtual Link Aggregation Groups...
Page 180 6. Configure the upstream ports. CN4093(config)# interface port 1 CN4093(configif)# switchport access vlan 30 CN4093(configif)# exit CN4093(config)# interface port 2 CN4093(configif)# switchport access vlan 40 CN4093(configif)# exit 7. Configure the server ports. CN4093(config)# interface port 10 CN4093(configif)# switchport access vlan 100 CN4093(configif)# exit CN4093(config)# interface port 11 CN4093(configif)# switchport access vlan 100 CN4093(configif)# exit CN4093(config)# interface port 12 CN4093(configif)# switchport access vlan 100 CN4093(configif)# exit 8. Configure all VLANs including VLANs for the VLAGs. CN4093(config)# vlan 30 CN4093(configvlan)# exit CN4093(config)# interface port 1 CN4093(configif)# switchport mode trunk CN4093(configif)# exit CN4093(config)# vlan 40 CN4093(configvlan)# exit CN4093(config)# interface port 2 CN4093(configif)# switchport mode trunk CN4093(configif)# exit CN4093(config)# vlan 100 CN4093(configvlan)# exit CN4093(config)# interface port 45,1012 CN4093(configif)# switchport mode trunk CN4093(configif)# exit 9. Configure Internet‐facing interfaces. CN4093(config)# interface ip 1 CN4093(configipif)# ip address 172.1.2.11 255.255.255.0 CN4093(configipif)# vlan 30 CN4093(configipif)# enable CN4093(configipif)# ip ospf area 1...
Page 181: Configuring Vlags In Multiple Layers
VLAG VLAG Peers A Switch C Switch D Switch E Switch F Peers B VLAG 1 VLAG 2 Trunk Trunk LACP-capable Switch Switch G LACP-capable Server Servers Figure 20 shows an example of VLAG being used in a multi‐layer environment. Following are the configuration steps for the topology. © Copyright Lenovo 2015 Chapter 12: Virtual Link Aggregation Groups...
Page 182 Task 1: Configure Layer 2/3 border switches. Configure ports on border switch as follows: CN4093(config)# interface port 1,2 CN4093(configif)# lacp key 100 CN4093(configif)# lacp mode active CN4093(configif)# exit Repeat these steps for the second border switch. Task 2: Configure switches in the Layer 2 region. Consider the following:  ISL ports on switches A and B ‐ ports 1, 2  Ports connecting to Layer 2/3 ‐ ports 5, 6  Ports on switches A and B connecting to switches C and D: ports 10, 11  Ports on switch B connecting to switch E: ports 15, 16  Ports on switch B connecting to switch F: ports 17, 18 1. Configure VLAG tier ID and enable VLAG globally. CN4093(config)# vlag tierid 10 CN4093(config)# vlag enable 2. Configure ISL ports on Switch A. CN4093(config)# interface port 1,2 CN4093(configif)# switchport mode trunk CN4093(configif)# lacp key 200 CN4093(configif)# lacp mode active...
Page 183 CN4093(configif)# lacp key 500 CN4093(configif)# lacp mode active CN4093(configif)# exit CN4093(config)# vlag adminkey 500 enable Repeat these steps on Switch B for ports connecting to Layer 2/3 router 2. 5. Configure ports on Switch A connecting to downstream VLAG switches C and D. CN4093(config)# vlan 20 CN4093(configvlan)# exit CN4093(config)# interface port 10,11 CN4093(configif)# switchport mode trunk CN4093(configif)# lacp key 600 CN4093(configif)# lacp mode active CN4093(configif)# exit CN4093(config)# vlag adminkey 600 enable Repeat these steps on Switch B for ports connecting to downstream VLAG switch C and D. 6. Configure ports on Switch B connecting to downstream switches E and F. CN4093(config)# vlan 30 CN4093(configvlan)# exit CN4093(config)# interface port 1518 CN4093(configif)# switchport mode trunk CN4093(configif)# lacp key 700 CN4093(configif)# lacp mode active CN4093(configif)# exit 7. Configure ISL between switches C and D, and between E and F as shown in Step 1. 8. Configure the Switch G as shown in Step 2. © Copyright Lenovo 2015 Chapter 12: Virtual Link Aggregation Groups...
Page 184 CN4093 Application Guide for N/OS 8.2...
Page 185: Chapter 13. Quality Of Service
By assigning QoS levels to traffic flows on your network, you can ensure that network resources are allocated where they are needed most. QoS features allow you to prioritize network traffic, thereby providing better service for selected applications. Figure 21 on page 185 shows the basic QoS model used by the CN4093 10Gb Converged Scalable Switch (CN4093). Figure 21. QoS Model Ingress Ports Meter Perform Queue and Egress Classify Packets Traffic Actions Schedule Drop/Pass/ Filter Meter Re-Mark Queue The CN4093 uses the Differentiated Services (DiffServ) architecture to provide QoS functions. DiffServ is described in IETF RFC 2474 and RFC 2475. With DiffServ, you can establish policies for directing traffic. A policy is a traffic‐controlling mechanism that monitors the characteristics of the traffic (for example, its source, destination, and protocol) and performs a controlling action on the traffic when certain characteristics are matched. © Copyright Lenovo 2015...
Page 186 The CN4093 can classify traffic by reading the DiffServ Code Point (DSCP) or IEEE 802.1p priority value, or by using filters to match specific criteria. When network traffic attributes match those specified in a traffic pattern, the policy instructs the CN4093 to perform specified actions on each packet that passes through it. The packets are assigned to different Class of Service (COS) queues and scheduled for transmission. The basic CN4093 QoS model works as follows:  Classify traffic: Read DSCP  Read 802.1p Priority  Match ACL filter parameters   Meter traffic: Define bandwidth and burst parameters  Select actions to perform on in‐profile and out‐of‐profile traffic  Perform actions:  Drop packets  Pass packets  Mark DSCP or 802.1p Priority  Set COS queue (with or without re‐marking)  Queue and schedule traffic:  Place packets in one of the available COS queues  Schedule transmission based on the COS queue weight  CN4093 Application Guide for N/OS 8.2...
Page 187: Using Acl Filters
 Packet format—Ethernet format, tagging format, IPv4, IPv6 Egress port  For ACL details, see “Access Control Lists” on page Summary of ACL Actions Actions determine how the traffic is treated. The CN4093 QoS actions include the following:  Pass or Drop the packet Re‐mark the packet with a new DiffServ Code Point (DSCP)   Re‐mark the 802.1p field  Set the COS queue ACL Metering and Re-Marking You can define a profile for the aggregate traffic flowing through the CN4093 by configuring a QoS meter (if desired) and assigning ACL Groups to ports. When you add ACL Groups to a port, make sure they are ordered correctly in terms of precedence. Actions taken by an ACL are called In‐Profile actions. You can configure additional In‐Profile and Out‐of‐Profile actions on a port. Data traffic can be metered, and re‐marked to ensure that the traffic flow provides certain levels of service in terms of bandwidth for different types of network traffic. © Copyright Lenovo 2015 Chapter 13: Quality of Service...
Page 188: Metering
Metering QoS metering provides different levels of service to data streams through user‐configurable parameters. A meter is used to measure the traffic stream against a traffic profile which you create. Thus, creating meters yields In‐Profile and Out‐of‐Profile traffic for each ACL, as follows:  In‐Profile–If there is no meter configured or if the packet conforms to the meter, the packet is classified as In‐Profile. Out‐of‐Profile–If a meter is configured and the packet does not conform to the  meter (exceeds the committed rate or maximum burst rate of the meter), the packet is classified as Out‐of‐Profile. Note: Metering is not supported for IPv6 ACLs. All traffic matching an IPv6 ACL is considered in-profile for re-marking purposes. Using meters, you set a Committed Rate in Kbps (1000 bits per second in each Kbps). All traffic within this Committed Rate is In‐Profile. Additionally, you can set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period. These parameters define the In‐Profile traffic. Meters keep the sorted packets within certain parameters. You can configure a meter on an ACL, and perform actions on metered traffic, such as packet re‐marking. Re-Marking Re‐marking allows for the treatment of packets to be reset based on new network ...
Page 189: Using Dscp Values To Provide Qos
Differentiated Services Concepts To differentiate between traffic flows, packets can be classified by their DSCP value. The Differentiated Services (DS) field in the IP header is an octet, and the first six bits, called the DS Code Point (DSCP), can provide QoS functions. Each packet carries its own QoS state in the DSCP. There are 64 possible DSCP values (0‐63). Figure 22. Layer 3 IPv4 Packet Version Offset Length Proto Data Length unused Differentiated Services Code Point (DSCP) The CN4093 can perform the following actions to the DSCP:  Read the DSCP value of ingress packets  Re‐mark the DSCP value to a new value  Map the DSCP value to an 802.1p priority Once the DSCP value is marked, the CN4093 can use it to direct traffic prioritization. © Copyright Lenovo 2015 Chapter 13: Quality of Service...
Page 190: Per-Hop Behavior
Per-Hop Behavior The DSCP value determines the Per Hop Behavior (PHB) of each packet. The PHB is the forwarding treatment given to packets at each hop. QoS policies are built by applying a set of rules to packets, based on the DSCP value, as they hop through the network. The CN4093 default settings are based on the following standard PHBs, as defined in the IEEE standards:  Expedited Forwarding (EF)—This PHB has the highest egress priority and lowest drop precedence level. EF traffic is forwarded ahead of all other traffic. EF PHB is described in RFC 2598.  Assured Forwarding (AF)—This PHB contains four service levels, each with a different drop precedence, as shown below. Routers use drop precedence to determine which packets to discard last when the network becomes congested. AF PHB is described in RFC 2597. Drop Precedence Class 1 Class 2 Class 3 Class 4 AF11 (DSCP AF21 (DSCP AF31 (DSCP AF41 (DSCP Medium AF12 (DSCP AF22 (DSCP AF32 (DSCP AF42 (DSCP High AF13 (DSCP AF23 (DSCP AF33 (DSCP AF43 (DSCP ...
Page 191: Qos Levels
DSCP Re-Marking and Mapping DSCP Re-Marking Overview The CN4093 can re‐mark the DSCP value of ingress packets to a new value, and set the 802.1p priority value, based on the DSCP value. You can view the settings by using the following command: CN4093(config)# show qos dscp Current DSCP Remarking Configuration: OFF DSCP New DSCP New 802.1p Prio 0 0 0 1 1 0 51 51 0 52 52 0 53 53 0 54 54 0 55 55 0 56 56 7 57 57 0 58 58 0 59 59 0 60 60 0 61 61 0 62 62 0 63 63 0 © Copyright Lenovo 2015 Chapter 13: Quality of Service...
Page 192: Dscp Re-Marking Configuration Example
Use the following command to turn on DSCP re‐marking globally: CN4093(config)# qos dscp remarking Then you must enable DSCP re‐marking on any port that you wish to perform this function. Note: If an ACL meter is configured for DSCP re-marking, the meter function takes precedence over QoS re-marking. DSCP Re-Marking Configuration Example Example 1 The following example includes the basic steps for re‐marking DSCP value and mapping DSCP value to 802.1p. 1. Turn DSCP re‐marking on globally, and define the DSCP‐DSCP‐802.1p mapping. You can use the default mapping. CN4093(config)# qos dscp remarking CN4093(config)# qos dscp dscpmapping <DSCP value (0‐63)> <new value> CN4093(config)# qos dscp dot1pmapping <DSCP value (0‐63)> <802.1p value> 2. Enable DSCP re‐marking on a port. CN4093(config)# interface port 1 CN4093(configif)# qos dscp remarking CN4093(configif)# exit Example 2 The following example assigns strict priority to VoIP traffic and a lower priority to ...
Page 193 4. Enable DSCP re‐marking globally. CN4093(config)# qos dscp remarking 5. Assign the DSCP re‐mark value. CN4093(config)# qos dscp dscpmapping 40 9 CN4093(config)# qos dscp dscpmapping 46 9 6. Assign strict priority to VoIP COS queue. CN4093(config)# qos transmitqueue weightcos 7 0 7. Map priority value to COS queue for non‐VoIP traffic. CN4093(config)# qos transmitqueue mapping 1 1 8. Assign weight to the non‐VoIP COS queue. CN4093(config)# qos transmitqueue weightcos 1 2 © Copyright Lenovo 2015 Chapter 13: Quality of Service...
Page 194: Using 802.1P Priorities To Provide Qos
Using 802.1p Priorities to Provide QoS 802.1p Overview Lenovo N/OS provides Quality of Service functions based on the priority bits in a packet’s VLAN header. (The priority bits are defined by the 802.1p standard within the IEEE 802.1q VLAN header.) The 802.1p bits, if present in the packet, specify the priority that should be given to packets during forwarding. Packets with a numerically higher (non‐zero) priority are given forwarding preference over packets with lower priority bit value. The IEEE 802.1p standard uses eight levels of priority (0‐7). Priority 7 is assigned to highest priority network traffic, such as OSPF or RIP routing table updates, priorities 5‐6 are assigned to delay‐sensitive applications such as voice and video, and lower priorities are assigned to standard applications. A value of 0 (zero) indicates a “best effort” traffic prioritization, and this is the default when traffic priority has not been configured on your network. The CN4093 can filter packets based on the 802.1p values, and it can assign or overwrite the 802.1p value in the packet. Figure 23. Layer 2 802.1q/802.1p VLAN Tagged Packet DMAC SMAC E Type Data Preamble Priority VLAN Identifier (VID) Ingress packets receive a priority value, as follows:  Tagged packets—CN4093 reads the 802.1p priority in the VLAN tag.  Untagged packets—CN4093 tags the packet and assigns an 802.1p priority, ...
Page 195: Queuing And Scheduling
Note: Use caution when assigning strict scheduling to queues. Heavy traffic in queues assigned with a weight of 0 can starve lower priority queues. For a scheduling method that uses a weighted deficit round‐robin (WDRR) algorithm, distributing packets with an awareness of packet size, see “Enhanced Transmission Selection” on page 309. © Copyright Lenovo 2015 Chapter 13: Quality of Service...
Page 196: Control Plane Protection
Control Plane Protection Control plane receives packets that are required for the internal protocol state machines. This type of traffic is usually received at low rate. However, in some situations such as DOS attacks, the switch may receive this traffic at a high rate. If the control plane protocols are unable to process the high rate of traffic, the switch may become unstable. The control plane receives packets that are channeled through protocol‐specific packet queues. Multiple protocols can be channeled through a common packet queue. However, one protocol cannot be channeled through multiple packet queues. These packet queues are applicable only to the packets received by the software and does not impact the regular switching or routing traffic. Packet queue with a higher number has higher priority. You can configure the bandwidth for each packet queue. Protocols that share a packet queue will also share the bandwidth. The following commands configure the control plane protection (CoPP) feature: CN4093(config)# qos protocolpacketcontrol packetqueuemap <0‐47> <protocol> (Configure a queue for a protocol) CN4093(config)# qos protocolpacketcontrol ratelimitpacketqueue <0‐47> <1‐10000> (Set the bandwidth for the queue, in packets per second) CN4093 Application Guide for N/OS 8.2...
Page 197: Packet Drop Logging
Packet Drop Logging Packet drop logging allows you to monitor network deficiencies by generating syslog messages for packet drops in the CPU queues. By default, the switch will generate such messages once every 30 minutes, specifying the type of traffic, queue data rate and queue number on which the drops occurred, such as: Apr 19 11:27:35 172.31.37.200 NOTICE Protocol control discards: ARP Broadcast packets are received at rate higher than 200pps, hence are discarded on queue 5. To enable or disable packet drop logging, use the following commands: CN4093(config)# [no] logging pdrop enable You can adjust the logging interval between 0 and 30 minutes using the following command: CN4093(config)# logging pdrop interval <030> Setting the logging interval to 0 will log packet drops immediately (with up to 1 second delay), and will ignore further drops on the same queue during the next 2 minutes. Setting the logging interval to a greater value (1 – 30 minutes), regularly displays packet drop information at the designated time intervals. Once the packet drops stop, or if new packet drops are encountered only within 2 minutes after a syslog message, the switch does not display any more messages. © Copyright Lenovo 2015 Chapter 13: Quality of Service...
Page 198 CN4093 Application Guide for N/OS 8.2...
Page 200 CN4093 Application Guide for N/OS 8.2...
Page 201: Chapter 14. Stacking
Chapter 14. Stacking This chapter describes how to implement the stacking feature in the Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch. The following concepts are covered:  “Stacking Overview” on page 202  “Stack Membership” on page 204  “Configuring a Stack” on page 209  “Managing a Stack” on page 214  “Replacing or Removing Stacked Switches” on page 217  “Replacing or Removing Stacked Switches” on page 217  “ISCLI Stacking Commands” on page 219 © Copyright Lenovo 2015...
Page 202: Stacking Overview
Stacking Overview A hybrid stack is a group of eight switches: two CN4093 10Gb Converged Scalable Switches and six EN4093R 10Gb Scalable Switches. A stack can also be formed with just two CN4093 10Gb Converged Scalable Switches. A stack has the following properties, regardless of the number of switches included: The network views the stack as a single entity.   The stack can be accessed and managed as a whole using standard switch IP interfaces configured with IPv4 addresses.  Once the stacking links have been established (see the next section), the number of ports available in a stack equals the total number of remaining ports of all the switches that are part of the stack. Stacking Requirements Before Lenovo N/OS switches can form a stack, they must meet the following requirements:  Switches in a hybrid stack must be of the model CN4093 10Gb Converged Scalable Switch or EN4093R 10Gb Scalable Switch. In a hybrid stack, the EN4093R switches cannot act as Backup switches. You  must use only the CN4093 10Gb Converged Scalable switches as the Master switch and Backup switch.  In a hybrid stack, only two CN4093 10Gb Converged Scalable switches can be grouped with the EN4093R switches. Each switch must be installed with N/ OS, version 8.2. Please see “Upgrading  Software in a Stack” on page 216. The recommended stacking topology is a bidirectional ring (see Figure 24 on  page 211). To achieve this, two 10Gb or two 40 Gb Ethernet ports on each switch must be reserved for stacking. By default, 10Gb Ethernet ports EXT1 and EXT2 ...
Page 203: Stacking Limitations
Static Multicast Routes  Switch Partition (SPAR)  Uni‐Directional Link Detection (UDLD)  Virtual Router Redundancy Protocol (VRRP) Virtual Link Aggregation Groups (VLAG)   Secure audit logging Note: In stacking mode, switch menus and command for unsupported features may be unavailable, or may have no effect on switch operation. © Copyright Lenovo 2015 Chapter 14: Stacking...
Page 204: Stack Membership
Stack Membership A stack contains up to switches, interconnected by a stack trunk in a local ring topology (see Figure 24 on page 211). With this topology, only a single stack link failure is allowed. An operational stack must contain one Master and one or more Members, as follows: Master  One switch controls the operation of the stack and is called the Master. The Master provides a single point to manage the stack. A stack must have one and only one Master. The firmware image, configuration information, and run‐time data are maintained by the Master and pushed to each switch in the stack as necessary. Member  Member switches provide additional port capacity to the stack. Members receive configuration changes, run‐time information, and software updates from the Master.  Backup One member switch can be designated as a Backup to the Master. The Backup takes over control of the stack if the Master fails. Configuration information and run‐time data are synchronized with the Master. The Master Switch An operational stack can have only one active Master at any given time. In a normal stack configuration, one switch is configured as a Master and all others are configured as Members. When adding new switches to an existing stack, the administrator must explicitly configure each new switch for its intended role as a Master (only when replacing a previous Master) or as a Member. All stack configuration procedures in this chapter depict proper role specification. However, although uncommon, there are scenarios in which a stack may temporarily have more than one Master switch. If this occurs, one Master switch will automatically be chosen as the active Master for the entire stack. The selection process is designed to promote stable, predictable stack operation and minimize stack reboots and other disruptions.
Page 205: Merging Independent Stacks
Note: Do not merge hybrid stacks if the total number of CN4093 switches exceeds two units. Although all switches which are configured for stacking and joined by stacking links are recognized as potential stack participants by any operational Master switches, they are not brought into operation within the stack until explicitly assigned (or “bound”) to a specific Master switch. Consider two independent stacks, Stack A and Stack B, which are merged into one stacking topology. The stacks will behave independently until the switches in Stack B are bound to Master A (or vice versa). In this example, once the Stack B switches are bound to Master A, Master A will automatically reconfigure them to operate as Stack A Members, regardless of their original status within Stack B. © Copyright Lenovo 2015 Chapter 14: Stacking...
Page 206 However, for purposes of future Backup selection, reconfigured Masters retain their identity as configured Masters, even though they otherwise act as Members. In case the configured Master goes down and the Backup takes over as the new Master, these reconfigured Masters become the new Backup. When the original configured Master of the stack boots up again, it acts as a Member. This is one way to have multiple backups in a stack. CN4093 Application Guide for N/OS 8.2...
Page 207: Backup Switch Selection
CN4093(config)# no stack backup ‐or‐ CN4093(config)# stack backup <csnum 1‐8>  A new Master assumes operation as active Master in the stack, and uses its own configured Backup settings.  The active Master is rebooted with the boot configuration set to factory defaults (clearing the Backup setting). Master Failover When the Master switch is present, it controls the operation of the stack and pushes configuration information to the other switches in the stack. If the active Master fails, then the designated Backup (if one is defined in the Master’s configuration) becomes the new acting Master and the stack continues to operate normally. Master Recovery If the prior Master recovers in a functioning stack where the Backup has assumed stack control, the prior Master does not reassert itself as the stack Master. Instead, the prior Master will assume a role as a secondary Backup to avoid further stack disruption. Upon stack reboot, the Master and Backup will resume their regular roles. No Backup If a Backup is not configured on the active Master, or the specified Backup is not operating, then if the active Master fails, the stack will reboot without an active Master. When a group of stacked switches are rebooted without an active Master present, the switches are considered to be isolated. All isolated switches in the stack are placed in a WAITING state until a Master appears. During this WAITING period, all the network ports of these Member switches are placed into operator‐disabled state. Without the Master, a stack cannot respond correctly to networking events. © Copyright Lenovo 2015 Chapter 14: Stacking...
Page 208: Stack Member Identification
Stack Member Identification Each switch in the stack has two numeric identifiers, as follows:  Attached Switch Number (asnum) An asnum is automatically assigned by the Master switch, based on each Member switch’s physical connection in relation to the Master. The asnum is mainly used as an internal ID by the Master switch and is not user‐configurable. Configured Switch Number (csnum):  The csnum is the logical switch ID assigned by the stack administrator. The csnum is used in most stacking‐related configuration commands and switch information output. It is also used as a port prefix to distinguish the relationship between the ports on different switches in the stack. It is recommended that asnum 1 and csnum 1 be used for identifying the Master switch. By default, csnum 1 is assigned to the Master. If csnum 1 is not available, the lowest available csnum is assigned to the Master. CN4093 Application Guide for N/OS 8.2...
Page 209: Configuring A Stack
Configure the same stacking VLAN for all switches in the stack.  Configure the desired stacking interlinks.  Bind Member switches to the Master.  Assign a Backup switch. These tasks are covered in detail in the following sections. Best Configuration Practices The following are guidelines for building an effective switch stack:  Always connect the stack switches in a complete ring topology (see Figure 24 on page 211).  Avoid disrupting the stack connections unnecessarily while the stack is in operation.  For enhanced redundancy when creating port trunks, include ports from different stack members in the trunks.  Avoid altering the stack asnum and csnum definitions unnecessarily while the stack is in operation. When in stacking mode, the highest QoS priority queue is reserved for internal  stacking requirements. Therefore, only seven priority queues will be available for regular QoS use. Configure only as many QoS levels as necessary. This allows the best use of  packet buffers. © Copyright Lenovo 2015 Chapter 14: Stacking...
Page 210: Stacking Vlans
 Before configuring the stack: Identify the VLAN to be used as the stacking VLAN.  Save the current configuration to an external device. The port numbering will  change once stacking is enabled. Use the saved configuration to reassign ports/interfaces as per the new port numbering scheme. Once a stack is configured, port numbers are displayed throughout the BBI using the csnum to identify the switch, followed by the switch port number. For example: Stacking VLANs VLAN 4090 is the default VLAN reserved for internal traffic on stacking ports. Note: Do not use VLAN 4090 for any purpose other than internal stacking traffic. Configuring Each Switch in a Stack To configure each switch for stacking, connect to the internal management IP interface for each switch (assigned by the management system) and use the ISCLI to perform the following steps. Note: IPv6 is not supported in stacking mode. IP interfaces must use IPv4 addressing for proper stack configuration.
Page 211: Configuring A Management Ip Interface
Configuring a Management IP Interface Each switch in a stack can be configured with the external management IP interface (127). The switch’s MAC address must be associated with the management IP interface. This interface can be used for connecting to and managing the switch externally. Follow the steps below: CN4093(config)# interface ip 127 CN4093(configipif)# mac <switch MAC address> ip address <IPv4 address> <subnet mask> enable CN4093(configipif)# exit CN4093(config)# ip gateway 3 mac <switch MAC address> address <gateway IPv4 address> enable © Copyright Lenovo 2015 Chapter 14: Stacking...
Page 212: Additional Master Configuration
To provide continuous Management IP reachability in the event of a Master node failover, an additional floating Management IP address can be set up on the management interface. The floating Management IP address will be used by the backup switch when taking over management from the failed master node. To configure the floating Management IP address, use the following command: CN4093(configif)# floating ip address <IPv4 address> <subnet mask> Note: The Management IP and floating Management IP addresses on the master switch, as well as the Management IP address on the backup switch, must be in the same subnet. Note: In case of a stack split, the floating IP cannot be used anymore due to duplicate IP address issue.
Page 213: Viewing Stack Connections
Backup switch: csnum 1 MAC 74:99:75:21:8d:00 UUID 534c8ca1605846299148305adc9a1f6d Bay Number 4 Configured Switches: csnum UUID Bay MAC asnum C1 534c8ca1605846299148305adc9a1f6d 4 74:99:75:21:8d:00 A5 C2 98c587636548429aba5010f8c62d4e27 3 74:99:75:21:8c:00 A1 C3 534c8ca1605846299148305adc9a1f6d 1 00:00:00:00:00:00 C4 25b884f3c75341e7a0a6417d8602180b 4 08:17:f4:84:34:00 A2 C5 98c587636548429aba5010f8c62d4e27 4 34:40:b5:73:8a:00 A3 C6 534c8ca1605846299148305adc9a1f6d 3 74:99:75:1c:68:00 A4 C7 25b884f3c75341e7a0a6417d8602180b 3 00:00:00:00:00:00 Attached Switches in Stack: asnum UUID Bay MAC csnum State Type A1 98c587636548429aba5010f8c62d4e27 3 74:99:75:21:8c:00 C2 IN_STACK CN4093 A2 25b884f3c75341e7a0a6417d8602180b 4 08:17:f4:84:34:00 C4 IN_STACK EN4093R A3 98c587636548429aba5010f8c62d4e27 4 34:40:b5:73:8a:00 C5 IN_STACK EN4093R A4 534c8ca1605846299148305adc9a1f6d 3 74:99:75:1c:68:00 C6 IN_STACK EN4093R A5 534c8ca1605846299148305adc9a1f6d 4 74:99:75:21:8d:00 C1 IN_STACK CN4093 © Copyright Lenovo 2015 Chapter 14: Stacking...
Page 214: Binding Members To The Stack
Binding Members to the Stack You can bind Member switches to a stack csnum using either their asnum or chassis UUID and bay number : CN4093(config)# stack switchnumber <csnum> universalunicid <chassis UUID> CN4093(config)# stack switchnumber <csnum> bay <bay number (1‐4)> ‐or‐ CN4093(config)# stack switchnumber <csnum> bind <asnum (1‐16)> To remove a Member switch, execute the following command: CN4093(config)# no stack switchnumber <csnum> Assigning a Stack Backup Switch To define a Member switch as a Backup (optional) which will assume the Master role if the Master switch fails, execute the following command: CN4093(config)# stack backup <csnum> Managing a Stack The stack is managed primarily through the Master switch. The Master switch then pushes configuration changes and run‐time information to the Member switches. Use Telnet or the Browser‐Based Interface (BBI) to access the Master, as follows:  Use the management IP address assigned to the Master by the management system.  On any switch in the stack, connect to any port that is not part of an active trunk and is a member of a VLAN. To access the stack, use the IP address of any IP interface that is member of the VLAN. Rebooting Stacked Switches using the ISCLI The administrator can reboot individual switches in the stack, or the entire stack ...
Page 215 The Configure > System > Config/Image Control window allows the administrator to perform a reboot of individual switches in the stack, or the entire stack. The following table describes the stacking Reboot buttons. Table 20. Stacking Boot Management buttons Field Description Reboot Stack Performs a software reboot/reset of all switches in the stack. The software image specified in the Image To Boot drop‐down list becomes the active image. Reboot Master Performs a software reboot/reset of the Master switch. The software image specified in the Image To Boot drop‐down list becomes the active image. Reboot Switches Performs a reboot/reset on selected switches in the stack. Select one or more switches in the drop‐down list, and click Reboot Switches. The software image specified in the Image To Boot drop‐down list becomes the active image. The Update Image/Cfg section of the window applies to the Master. When a new software image or configuration file is loaded, the file first loads onto the Master, and the Master pushes the file to all other switches in the stack, placing it in the same software or configuration bank as that on the Master. For example, if the new image is loaded into image 1 on the Master switch, the Master will push the same firmware to image 1 on each Member switch. © Copyright Lenovo 2015 Chapter 14: Stacking...
Page 216: Upgrading Software In A Stack
Upgrading Software in a Stack New Hybrid Stack Use the following procedure to install software on switches that will be used to form a hybrid stack (two CN4093 and up to six EN4093R switches): 1. Install N/ OS version 8.2 on each switch and reload the switch. Configure the switches to form a stack. See “Configuring a Stack” on page 209. 3. Reload the switches to establish the stack. Converting a EN4093R Stack to a Hybrid Stack Use the following procedure to install software on a stack of EN4093R switches that will be combined with CN4093 switches to form a hybrid stack (up to two CN4093 and up to six EN4093R switches): 1. Install N/ OS version 8.2 on the Master EN4093R switch. 2. Install N/ OS version 8.2 on each CN4093 switch. 3. Reload the switches. 4. Configure stacking on the CN4093 switch(es). The CN4093 must be configured as the Master of the hybrid stack. Reload the switch(es) to establish the stack. New Stack Use the following procedure to install software on two CN4093 switches that will be used to form a stack: 1.
Page 217: Replacing Or Removing Stacked Switches
2. If removing a Master switch, make sure that a Backup switch exists in the stack, then turn off the Master switch. This will force the Backup switch to assume Master operations for the stack. 3. Remove the stack link cables from the old switch only. 4. Disconnect all network cables from the old switch only. 5. Remove the old switch. Installing the New Switch or Healing the Topology If using a ring topology, but not installing a new switch for the one removed, close the ring by connecting the open stack links together, essentially bypassing the removed switch. Otherwise, if replacing the removed switch with a new unit, use the following procedure: Make sure the new switch meets the stacking requirements on page 202. 2. Place the new switch in its determined place according to the CN4093 10Gb Converged Scalable Switch Installation Guide. 3. Connect to the ISCLI of the new switch (not the stack interface) 4. Enable stacking: CN4093(config)# boot stack enable © Copyright Lenovo 2015 Chapter 14: Stacking...
Page 218: Binding The New Switch To The Stack
5. Set the stacking mode. By default, each switch is set to Member mode. However, if the incoming switch has been used in another stacking configuration, it may be necessary to ensure the proper mode is set.  If replacing a Member or Backup switch: CN4093(config)# boot stack mode member  If replacing a Master switch: CN4093(config)# boot stack mode master 6. Configure the stacking VLAN on the new switch, or use the default setting. Although any VLAN may be defined for stack traffic, it is highly recommended that the default, VLAN 4090, be reserved for stacking, as shown in the following command. CN4093(config)# boot stack vlan 4090 7. Designate the stacking links. Use the following command to specify the links to be used in the stacking trunk: CN4093(config)# boot stack higigtrunk <list of external port s> 8. Attach the required stack link cables to the designated stack links on the new switch. 9. Attach the desired network cables to the new switch. 10. Reboot the new switch: CN4093(config)# reload When the new switch boots, it will join the existing stack. Wait for this process to complete. Binding the New Switch to the Stack 1. Log in to the stack interface. Note: If replacing the Master switch, be sure to log in to the stack interface (hosted temporarily on the Backup switch) rather than logging in directly to the newly installed Master.
Page 219: Iscli Stacking Commands
 show boot stack <asnum>|master|backup|all  show stack attachedswitches  show stack backup  show stack dynamic  show stack link  show stack name  show stack pathmap [<csnum>]  show stack pushstatus  show stack switch  show stack switchnumber [<csnum>]  show stack version  stack backup <csnum>  stack name <word>  stack switchnumber <csnum> bind <asnum>  stack switchnumber <csnum> universalunicid <uuid> bay <Slot  ID> © Copyright Lenovo 2015 Chapter 14: Stacking...
Page 220 CN4093 Application Guide for N/OS 8.2...
Page 221: Chapter 15. Virtualization
For details on this feature, see “Ports and Trunking” on page 131.  Virtual Network Interface Card (vNIC) support Some NICs, such as the Emulex Virtual Fabric Adapter, can virtualize NIC resources, presenting multiple virtual NICs to the server’s OS or hypervisor. Each vNIC appears as a regular, independent NIC with some portion of the physical NIC’s overall bandwidth. N/ OS 8.2 supports up to four vNICs over each internal switch port. For details on this feature, see “Virtual NICs” on page 223.  Virtual Link Aggregation (VLAGs) With VLAGs, two switches can act as a single logical device for the purpose of establishing port trunking. Active trunk links from one device can lead to both VLAG peer switches, providing enhanced redundancy, including active‐active VRRP configuration. For details on this feature, see “Virtual Link Aggregation Groups” on page 165  VMready The switch’s VMready software makes it virtualization aware. Servers that run hypervisor software with multiple instances of one or more operating systems can present each as an independent virtual machine (VM). With VMready, the switch automatically discovers virtual machines (VMs) connected to switch. For details on this feature, see “VMready” on page 241. Edge Virtual Bridging (QBG)  The 802.1Qbg/Edge Virtual Bridging (EVB) is an emerging IEEE standard for allowing networks to become virtual machine (VM)‐aware. EVB bridges the gap between physical and virtual network resources. For details on this feature, see “Edge Virtual Bridging” on page 311. © Copyright Lenovo 2015...
Page 222  Unified Fabric Port (UFP) An architecture that logically subdivides a high‐speed physical link connecting to a server NIC or to a Converged Network Adapter (CNA). UFP provides a switch fabric component to control the NIC. For details on this feature, see “Unified Fabric Port” on page 323. Lenovo N/OS virtualization features provide a highly‐flexible framework for allocating and managing switch resources. CN4093 Application Guide for N/OS 8.2...
Page 223: Chapter 16. Virtual Nics
10 Gbps Link with VNIC Hypervisor Multiple Virtual Pipes Lenovo VNIC Switch 2 VNIC INTA1 VNIC VNIC A CN4093 with Lenovo N/OS 8.2 supports the Emulex Virtual Fabric Adapter (VFA) 2‐port 10Gb LOM and Emulex Virtual Fabric Adapter (Fabric Mezz) for Lenovo Flex System to provide the following vNIC features: Up to four vNICs are supported on each internal switch port.   Each vNIC can accommodate one of the following traffic types: regular Ethernet, iSCSI, or Fibre Channel over Ethernet (FCoE).  vNICs with traffic of the same type can be grouped together, along with regular internal ports, external uplink ports, and trunk groups, to define vNIC groups for enforcing communication boundaries.  In the case of a failure on the external uplink ports associated with a vNIC group, the switch can signal affected vNICs for failover while permitting other vNICs to continue operation.  Each vNIC can be allocated a symmetric percentage of the 10Gbps bandwidth on the link (from NIC to switch, and from switch to NIC).  The CN4093 can be used as the single point of vNIC configuration. © Copyright Lenovo 2015...
Page 224: Vnic Ids
By default, vNICs are disabled. The administrator can enable vNICs and configure vNIC features on the switch using the standard management options such as the Lenovo N/OS CLI, the ISCLI, and the Browser‐based Interface (BBI). To enable the vNIC feature on the switch, use the following command on the vNIC Configuration Menu: CN4093(config)# vnic enable Note: The Emulex Virtual Fabric Adapter for Lenovo Flex System can also operate in Physical NIC (PNIC) mode, in which case vNIC features are non-applicable. vNIC IDs vNIC IDs on the Switch Lenovo N/OS 8.2 supports up to four vNICs attached to each internal switch port. Each vNIC is provided its own independent virtual pipe on the port.
Page 225: Vnic Interface Names On The Server
Emulex Virtual Fabric Adapter (Fabric Mezz), when replacing the LOM card: Table 22. vNIC ID Correlation PCIe NIC Port Switch Slot vNIC vNIC ID Function ID Pipe First ASIC Bay 1 INTAx.1 Bay 1 INTAx.2 Bay 1 INTAx.3 Bay 1 INTAx.4 Bay 2 INTAx.1 Bay 2 INTAx.2 Bay 2 INTAx.3 Bay 2 INTAx.4 © Copyright Lenovo 2015 Chapter 16: Virtual NICs...
Page 226 Table 23. vNIC ID Correlation PCIe NIC Port Switch Slot vNIC vNIC ID Function ID Pipe Second ASIC Bay 1 INTBx.1 Bay 1 INTBx.2 Bay 1 INTBx.3 Bay 1 INTBx.4 Bay 2 INTBx.1 Bay 2 INTBx.2 Bay 2 INTBx.3 Bay 2 INTBx.4 For Emulex Virtual Fabric Adapter (Fabric Mezz), when adding it with the LOM Card: Table 24. vNIC ID Correlation PCIe NIC Port Switch Slot vNIC vNIC ID...
Page 227 Table 25. vNIC ID Correlation PCIe NIC Port Switch Slot vNIC vNIC ID Function ID Pipe Bay 3 INTBx.4 Bay 4 INTBx.1 Bay 4 INTBx.2 Bay 4 INTBx.3 Bay 4 INTBx.4 In this, the x in the vNIC ID represents the internal switch port and its corresponding server node of the vNIC pipe. Each physical NIC port is connected to a different switch bay in the blade chassis. © Copyright Lenovo 2015 Chapter 16: Virtual NICs...
Page 228: Vnic Uplink Modes
vNIC Uplink Modes The switch supports two modes for configuring the vNIC uplinks: dedicated mode and shared mode. The default is the dedicated mode. To enable the shared mode, enter the following command: CN4093(config)# vnic uplinkshare In the dedicated mode, only one vNIC group is assigned to an uplink port. This port can be a regular port or a trunk port. The NIC places an outer tag on the vNIC group packets. This outer tag contains the vNIC group VLAN. The uplink NIC strips off the outer tag before sending out the packet. For details, see “vNIC Groups in Dedicated Mode” on page 232. In the shared mode, multiple vNIC groups can be assigned to an uplink port. This port can be a regular port or a trunk port. The vNIC groups share the uplink. You may assign a few vNIC groups to share an uplink and the other vNIC groups to have a single uplink each. In either case, the switch still operates in shared mode. As in the dedicated mode, the NIC places an outer tag on the vNIC group packets. This outer tag contains the vNIC group VLAN. The uplink NIC does not strip off the outer tag. The vNIC group tag defines the regular VLAN for the packet.This behavior is particularly useful in cases where the downstream server does not set any tag. Effectively, each vNIC group is a VLAN, which you can assign by configuring the VLAN to the vNIC group. You must enable the tag configuration on the uplink port. For details, see “vNIC Groups in Shared Mode” on page 232. CN4093 Application Guide for N/OS 8.2...
Page 229 Do not add a port or trunk to mul‐ Can add a port or trunk to multiple tiple vNIC groups that are vNIC groups that are enabled. enabled. Do not configure additional Can configure additional VLANs on VLANs on the uplink ports. the uplink ports. An uplink port can only be in one An uplink port can be in multiple STG. STGs. When you add a port to a vNIC When you add a port to a vNIC group, STP is automatically dis‐ group, STP is automatically disabled. abled. When you remove a port from a When you remove a port from a vNIC vNIC group, STP is automatically group, STP is automatically reset to reset to factory default. factory default. Failover An uplink up/event can trigger An uplink up/event can trigger the the failover state change only of failover state change of multiple vNIC one vNIC group. groups. © Copyright Lenovo 2015 Chapter 16: Virtual NICs...
Page 230: Vnic Bandwidth Metering
Bandwidth Metering Lenovo N/OS 8.2 supports bandwidth metering for vNIC traffic. By default, each of the four vNICs on any given port is allowed an equal share (25%) of NIC capacity when enabled. However, you may configure the percentage of available switch port bandwidth permitted to each vNIC. vNIC bandwidth can be configured as a value from 1 to 100, with each unit representing 1% (or 100Mbps) of the 10Gbps link. By default, each vNICs enabled on a port is assigned 25 units (equal to 25% of the link, or 2.5Gbps). When traffic from the switch to the vNIC reaches its assigned bandwidth limit, the switch will drop packets egressing to the affected vNIC. Note: Bandwidth metering drops excess packets when configured limits are reached. Consider using the ETS feature in applications where packet loss is not desirable (see “Enhanced Transmission Selection” on page 309).
Page 231: Vnic Groups
 group. Only one individual external port, one static trunk, or one dynamic trunk (consisting of multiple external ports) may be added to any given vNIC group.  In dedicated mode, for any internal ports, external port, or port trunk group connected to regular (non‐vNIC) devices: These elements can be placed in only one vNIC group (they cannot be  members of multiple vNIC groups). Once added to a vNIC group, the PVID for the element is automatically set to  use the vNIC group VLAN number, and PVID tagging on the element is automatically disabled.  By default, STP is disabled on any external port added to a vNIC group. STP can be re‐enabled on the port if desired.  Because regular, inner VLAN IDs are ignored by the switch for traffic in vNIC groups, following rules and restrictions apply: The inner VLAN tag may specify any VLAN ID in the full, supported range  (1 to 4095) and may even duplicate outer vNIC group VLAN IDs. However, in the shared mode, inner VLAN tag and the vNIC group VLAN ID should be the same. Per‐VLAN IGMP snooping is not supported in vNIC groups.  The inner VLAN tag is not processed in any way in vNIC groups: The inner  tag cannot be stripped or added on port egress, is not used to restrict multicast traffic, is not matched against ACL filters, and does not influence Layer 3 switching. © Copyright Lenovo 2015 Chapter 16: Virtual NICs...
Page 232 Groups in Dedicated Mode The vNIC group VLAN ID is placed on all vNIC group packets as an “outer” tag. As shown in Figure 26, the outer vNIC group VLAN ID is placed on the packet in addition to any regular VLAN tag assigned by the network, server, or hypervisor. The outer vNIC group VLAN is used only between the CN4093 and the NIC. Figure 26. Outer and Inner VLAN Tags vNIC-Capable Server Ports with Lenovo Switch Ports without vNICs vNICs OS/Hypervisor Regular NIC attached outer Switching uses outer tag; Switch strips VLAN ID vNIC group VLAN ID...
Page 233 Outer tag sets vNIC; Ignores regular VLAN outer tag NIC strips outer tag Inbound Packet Within the CN4093, all Layer 2 switching for packets within a vNIC group is based on the outer vNIC group VLAN. The CN4093 does not consider the regular, inner VLAN ID (if any) for any VLAN‐specific operation. The outer vNIC group VLAN is not removed by the switch before the packet egresses any internal port or external uplink port. For untagged packets sent by the server, the uplink NIC uses this outer tag to switch the packet to destined VLAN. The shared mode is useful is cases where the multiple vNIC groups need to share an uplink port. The vNIC group tag defines the user VLAN. Following is an use case: An ESX server is presented with eight vNICs (four from bay 7 and four from bay 9) used with four virtual switches of the ESX host and with no tagged port groups. A pair of odd/even vNICs is placed within each virtual switch. On the CN4093, four vNIC groups are created and the desired VLAN for each vNIC group is configured. For example, if vNIC group 1 on the CN4093 has four interfaces: 1.1, 2.1, 3.1, 4.1. vNIC group 1 is configured with VLAN 10. Packets coming from any VM connecting with the virtual switch that VMNIC 2 and 3 (vNIC 1.1, 2.1, 3.1, and 4.1 on bay 7 and bay 9) will be assigned with VLAN 10. These packets go out the uplink with VLAN 10 tag. The upstream switch sends these packets to the desired destination on VLAN 10. © Copyright Lenovo 2015 Chapter 16: Virtual NICs...
Page 234: Vnic Teaming Failover
Teaming Failover For NIC failover in a non‐virtualized environment, when a service group’s external uplink ports fail or are disconnected, the switch disables the affected group’s internal ports, causing the server to failover to the backup NIC and switch. However, in a virtualized environment, disabling the affected internal ports would disrupt all vNIC pipes on those ports, not just those that have lost their external uplinks (see Figure 28). Figure 28. Regular Failover in a Virtualized Environment Primary Lenovo Lenovo Switch Servers Virtual Hypervisor Pipes VNIC vSwitch VNIC VNIC VNIC VM 1 VNIC Group 1 VM 2 EXT1 INTA1 VNIC VNIC VNIC VNIC VNIC...
Page 235 VM 4 EXT2 INTA2 VNIC VNIC VNIC VNIC Hypervisor Upon EXT1 link failure, the switch informs the server hypervisor To Backup for failover on affected VNICs only Switch By default, vNIC Teaming Failover is disabled on each vNIC group, but can be enabled or disabled independently for each vNIC group using the following commands: CN4093(config)# vnic vnicgroup <group number> CN4093(vnicgroupconfig)# failover © Copyright Lenovo 2015 Chapter 16: Virtual NICs...
Page 236: Vnic Configuration Example
Configuration Example Consider the following example configuration of vNICs for regular Ethernet traffic: Figure 30. Multiple vNIC Groups Lenovo Switch 1 Lenovo Servers VNIC VNIC VNIC OS or EXT1 VNIC INTA1 Hypervisor VNIC VNIC To Switch 2 VNIC VNIC Group 1 VNIC VNIC VLAN 1000 VNIC VNIC OS or VNIC...
Page 237 CN4093(vnicgroupconfig)# exit CN4093(config)# vnic vnicgroup 2 CN4093(vnicgroupconfig)# vlan 1774 CN4093(vnicgroupconfig)# member INTA1.2 CN4093(vnicgroupconfig)# member INTA2.2 CN4093(vnicgroupconfig)# member INTA3.2 vNIC 3.2 is not enabled. Confirm enabling vNIC3.2 [y/n]: y CN4093(vnicgroupconfig)# port INTA5 CN4093(vnicgroupconfig)# trunk 1 CN4093(vnicgroupconfig)# failover CN4093(vnicgroupconfig)# enable CN4093(vnicgroupconfig)# exit Once VLAN 1000 and 1774 are configured for vNIC groups, they will not be available for regular configuration. Note: vNICs are not supported simultaneously on the same switch ports as VMready. © Copyright Lenovo 2015 Chapter 16: Virtual NICs...
Page 238: Vnics For Iscsi On Emulex Virtual Fabric Adapter
Emulex Virtual Fabric Adapter The N/ OS vNIC feature works with standard network applications like iSCSI as previously described. However, the Emulex Virtual Fabric Adapter for Lenovo Flex System expects iSCSI traffic to occur only on a single vNIC pipe. When using the Emulex Adapter 2, only vNIC pipe 2 may participate in iSCSI. To configure the switch for this solution, iSCSI traffic should be placed in its own vNIC group, comprised of the external uplink port leading to the iSCSI target, and the related <port>.2 vNIC pipes connected to the participating servers. For example: 1. Enable the vNIC feature on the switch. CN4093 # vnic enable 2. Configure the virtual pipes for the iSCSI vNICs attached to each internal port: CN4093(config)# vnic port INTA1 index 2 (Select vNIC 2 on the server port) CN4093(vnic_config)# enable (Enable the vNIC pipe) CN4093(vnic_config)# exit CN4093(config)# vnic port INTA2 index 2(Select vNIC 2 on the server port) CN4093(vnic_config)# enable (Enable the vNIC pipe) CN4093(vnic_config)# exit CN4093(config)# vnic port INTA3 index 2(Select vNIC 2 on the server port) CN4093(vnic_config)# enable (Enable the vNIC pipe) CN4093(vnic_config)# exit Note: vNICs are not supported simultaneously on the same switch ports as VMready.
Page 239: Vnics For Fcoe Using The Emulex Vfa
1. The following steps are required as part of the regular FCoE configuration (see “FIP Snooping Configuration” on page 304): a. Disable the FIP Snooping automatic VLAN creation. b. Disable FIP Snooping on all external ports not used for FCoE. FIP snooping should be enabled only on ports connected to an FCF or ENode. c. Turn on CEE and FIP Snooping. d. Manually configure the FCoE ports and VLAN: enable VLAN tagging on all FCoE ports, and place FCoE ports into a supported VLAN. When CEE is turned on and the regular FCoE configuration is complete, FCoE traffic will be automatically assigned to PFC priority 3, and be initially allocated 50% of port bandwidth via ETS. The following steps are specific to vNIC configuration. 2. On the NIC, ensure that FCoE traffic occurs on vNIC pipe 2 only. Refer to your Emulex VFA documentation for details. 3. On the switch, enable the vNIC feature. CN4093 # vnic enable 4. (Optional) For additional security, set the desired operation mode for FCoE ports: CN4093(config)# fcoe fips port INT1 fcfmode off (Select ENode port; Set as ENode connection) CN4093(config)# fcoe fips port EXT4 fcfmode on (Select FCF port; Set as FCF connection) No additional configuration for vNIC pipes or vNIC groups is required for FCoE. However, for other networks connected to the switch, appropriate vNIC pipes and vNIC groups should be configured as normal, if desired. © Copyright Lenovo 2015 Chapter 16: Virtual NICs...
Page 240 CN4093 Application Guide for N/OS 8.2...
Page 241: Chapter 17. Vmready
Virtualization is used to allocate server resources based on logical needs, rather than on strict physical structure. With appropriate hardware and software support, servers can be virtualized to host multiple instances of operating systems, known as virtual machines (VMs). Each VM has its own presence on the network and runs its own service applications. Software known as a hypervisor manages the various virtual entities (VEs) that reside on the host server: VMs, virtual switches, and so on. Depending on the virtualization solution, a virtualization management server may be used to configure and manage multiple hypervisors across the network. With some solutions, VMs can even migrate between host hypervisors, moving to different physical hosts while maintaining their virtual identity and services. The Lenovo N/OS 8.2 VMready feature supports up to4096 VEs in a virtualized data center environment. The switch automatically discovers the VEs attached to switch ports, and distinguishes between regular VMs, Service Console Interfaces, ® and Kernel/Management Interfaces in a VMware environment. VEs may be placed into VM groups on the switch to define communication boundaries: VEs in the same VM group may communicate with each other, while VEs in different groups may not. VM groups also allow for configuring group‐level settings such as virtualization policies and ACLs. The administrator can also pre‐provision VEs by adding their MAC addresses (or their IPv4 address or VM name in a VMware environment) to a VM group. When a VE with a pre‐provisioned MAC address becomes connected to the switch, the switch will automatically apply the appropriate group membership configuration. The CN4093 with VMready also detects the migration of VEs across different ™ hypervisors. As VEs move, the CN4093 NMotion feature automatically moves the appropriate network configuration as well. NMotion gives the switch the ability to maintain assigned group membership and associated policies, even when a VE moves to a different port on the switch. VMready also works with VMware Virtual Center (vCenter) management software. Connecting with a vCenter allows the CN4093 to collect information about more distant VEs, synchronize switch and VE configuration, and extend migration properties. © Copyright Lenovo 2015...
Page 242: Ve Capacity
VE Capacity When VMready is enabled, the switch will automatically discover VEs that reside in hypervisors directly connected on the switch ports. Lenovo N/OS 8.2 supports up to 4096 VEs. Once this limit is reached, the switch will reject additional VEs. Note: In rare situations, the switch may reject new VEs prior to reaching the supported limit. This can occur when the internal hash corresponding to the new VE is already in use. If this occurs, change the MAC address of the VE and retry the operation.
Page 243  key: Add LACP trunks to the group.  optflood: Enable optimized flooding to allow sending unregistered IPMC to  the Mrouter ports without having any packet loss during the learning period; This option is disabled by default; When optflood is enabled, the flood and cpu settings are ignored. port: Add switch server ports or switch uplink ports to the group. Note that  VM groups and vNICs (see “Virtual NICs” on page 223) are not supported simultaneously on the same port. portchannel: Add static port trunks to the group.  profile: The profile options are not applicable to local VM groups. Only  distributed VM groups may use VM profiles (see “VM Profiles” on page 245). stg: The group may be assigned to a Spanning‐Tree group for broadcast loop  control (see“Spanning Tree Protocols” on page 145). tag: Enable VLAN tagging for the VM group. If the VM group contains ports  which also exist in other VM groups, enable tagging in both VM groups. validate: Set validate mode for the group.  vlan: Each VM group must have a unique VLAN number. This is required for  local VM groups. If one is not explicitly configured, the switch will automatically assign the next unconfigured VLAN when a VE or port is added to the VM group. © Copyright Lenovo 2015 Chapter 17: VMready...
Page 244: Distributed Vm Groups
vmap: Each VM group may optionally be assigned a VLAN‐based ACL (see  “VLAN Maps” on page 254). vm: Add VMs.  VMs and other VEs are primarily specified by MAC address. They can also be specified by UUID or by the index number as shown in various VMready information output (see “VMready Information Displays” on page 256). vport: Add a virtual port.  Add a virtual port to the group. Distributed VM Groups Distributed VM groups allow configuration profiles to be synchronized between the CN4093 and associated hypervisors and VEs. This allows VE configuration to be centralized, and provides for more reliable VE migration across hypervisors. Using distributed VM groups requires a virtualization management server. The management server acts as a central point of access to configure and maintain multiple hypervisors and their VEs (VMs, virtual switches, and so on). The CN4093 must connect to a virtualization management server before distributed VM groups can be used. The switch uses this connection to collect configuration information about associated VEs, and can also automatically push configuration profiles to the virtualization management server, which in turn configures the hypervisors and VEs. See “Virtualization Management Servers” on page 251 for more information. CN4093 Application Guide for N/OS 8.2...
Page 245: Vm Profiles
VLAN, VMs, or port members). Any VM group number currently configured for a local VM group (see “Local VM Groups” on page 242) cannot be converted and must be deleted before it can be used for a distributed VM group. © Copyright Lenovo 2015 Chapter 17: VMready...
Page 246: Assigning Members
Assigning Members VMs, ports, and trunks may be added to the distributed VM group only after the VM profile is assigned. Group members are added, pre‐provisioned, or removed from distributed VM groups in the same manner as with local VM groups (“Local VM Groups” on page 242), with the following exceptions:  VMs: VMs and other VEs are not required to be local. Any VE known by the virtualization management server can be part of a distributed VM group.  The VM group vlan option (see page 243) cannot be used with distributed VM groups. For distributed VM groups, the VLAN is assigned in the VM profile. Synchronizing the Configuration When the configuration for a distributed VM group is modified, the switch updates the assigned virtualization management server. The management server then distributes changes to the appropriate hypervisors. For VM membership changes, hypervisors modify their internal virtual switch port groups, adding or removing internal port memberships to enforce the boundaries defined by the distributed VM groups. Virtual switch port groups created in this fashion can be identified in the virtual management server by the name of the VM profile, formatted as follows: Lenovo_<VM profile name> (or) Lenovo_<VM profile name>_<index number> (for vDS profiles) Using the VM Group command path (CN4093(config)# virt vmgroup <x> vm) to add a server host interface to a distributed VM group does not create a new port group on the virtual switch or move the host. Instead, because the host interface already has its own virtual switch port group on the hypervisor, the VM profile settings are applied to its existing port group. Note: When applying the distributed VM group configuration, the virtualization management server and associated hypervisors must take appropriate actions.
Page 247: Vmcheck
The VMcheck solution addresses these security concerns by validating the MAC addresses assigned to VMs. The switch periodically sends hello messages on server ports. These messages include the switch identifier and port number. The hypervisor listens to these messages on physical NICs and stores the information, which can be retrieved using the VMware Infrastructure Application Programming Interface (VI API). This information is used to validate VM MAC addresses. Two modes of validation are available: Basic and Advanced. Use the following command to select the validation mode or to disable validation: CN4093(config)# [no] virt vmgroup <VM group number> validate {basic|advanced} Basic Validation This mode provides port‐based validation by identifying the port used by a hypervisor. It is suitable for environments in which MAC reassignment or duplication cannot occur. The switch, using the hello message information, identifies a hypervisor port. If the hypervisor port is found in the hello message information, it is deemed to be a trusted port. Basic validation should be enabled when:  A VM is added to a VM group, and the MAC address of the VM interface is in the Layer 2 table of the switch.  A VM interface that belongs to a VM group experiences a “source miss” i.e. is not able to learn new MAC address.  A trusted port goes down. Port validation must be performed to ensure that the port does not get connected to an untrusted source when it comes back up. Use the following command to set the action to be performed if the switch is unable to validate the VM MAC address: CN4093(config)# virt vmcheck action basic {log|link} log generates a log link disables the port © Copyright Lenovo 2015 Chapter 17: VMready...
Page 248 Advanced Validation This mode provides VM‐based validation by mapping a switch port to a VM MAC address. It is suitable for environments in which spoofing, MAC reassignment, or MAC duplication is possible. When the switch receives frames from a VM, it first validates the VM interface based on the VM MAC address, VM Universally Unique Identifier (UUID), Switch port, and Switch ID available in the hello message information. Only if all the four parameters are matched, the VM MAC address is considered valid. In advanced validation mode, if the VM MAC address validation fails, an ACL can be created to drop the traffic received from the VM MAC address on the switch port. Use the following command to specify the number of ACLs to be used for dropping traffic: CN4093(config)# virt vmcheck acls max <1‐256> Use the following command to set the action to be performed if the switch is unable to validate the VM MAC address: CN4093(config)# virt vmcheck action advanced {log|link|acl} Following are the other VMcheck commands: Table 27. VMcheck Commands Command Description CN4093(config)# virt vmware hello {ena| Hello messages setting: hport <port number>|haddr|htimer} enable/add port/advertise this IP address in the hello messages instead of the default management IP address/set the timer to send the hello messages CN4093(config)# no virt vmware hello Disable hello {enable|hport <port number>} messages/remove port CN4093(config)# [no] virt vmcheck Mark a port as trusted; trust <port number or range> Use the no form of the ...
Page 249: Virtual Distributed Switch
Note: vDS works with ESX 4.0 or higher versions. To add a vDS, use the command: CN4093# virt vmware dvswitch add <datacenter name> <dvSwitch name> [<dvSwitch‐version>] Prerequisites Before adding a vDS on the CN4093, ensure the following: VMware vCenter is fully installed and configured and includes a “bladevm”  administration account and a valid SSL certificate.  A virtual distributed switch instance has been created on the vCenter. The vDS version must be higher or the same as the hypervisor version on the hosts.  At least two hypervisors are configured. Guidelines Before migrating VMs to a vDS, consider the following: At any one time, a VM NIC can be associated with only one virtual switch: to the  hypervisor’s virtual switch, or to the vDS. Management connection to the server must be ensured during the migration.  The connection is via the Service Console or the Kernel/Management Interface.  The vDS configuration and migration can be viewed in vCenter at the following locations: vDS: Home> Inventory > Networking  vDS Hosts: Home > Inventory > Networking > vDS > Hosts  Note: These changes will not be displayed in the running configuration on the CN4093. © Copyright Lenovo 2015 Chapter 17: VMready...
Page 250: Migrating To Vds
Migrating to vDS You can migrate VMs to the vDS using vCenter. The migration may also be accomplished using the operational commands on the CN4093 available in the following CLI menus: For VMware vDS operations: CN4093# virt vmware dvswitch ? add Add a dvSwitch to a DataCenter addhost Add a host to a dvSwitch adduplnk Add a physical NIC to dvSwitch uplink ports del Remove a dvSwitch from a DataCenter remhost Remove a host from a dvSwitch remuplnk Remove a physical NIC from dvSwitch uplink ports For VMware distributed port group operations: CN4093# virt vmware dpg ? add Add a port group to a dvSwitch del Delete a port group from a dvSwitch update Update a port group on a dvSwitch vmac Change a VM NIC's port group CN4093 Application Guide for N/OS 8.2...
Page 251: Virtualization Management Servers
The noauth option causes to the switch to ignores SSL certificate authentication. This is required when no authoritative SSL certificate is installed on the vCenter. Note: By default, the vCenter includes only a self-signed SSL certificate. If using the default certificate, the noauth option is required. Once the vCenter configuration has been applied on the switch, the CN4093 will connect to the vCenter to collect VE information. vCenter Scans Once the vCenter is assigned, the switch will periodically scan the vCenter to collect basic information about all the VEs in the datacenter, and more detailed information about the local VEs that the switch has discovered attached to its own ports. © Copyright Lenovo 2015 Chapter 17: VMready...
Page 252: Deleting The Vcenter
The switch completes a vCenter scan approximately every two minutes. Any major changes made through the vCenter may take up to two minutes to be reflected on the switch. However, you can force an immediate scan of the vCenter by using one of the following ISCLI privileged EXEC commands: CN4093# virt vmware scan (Scan the vCenter) ‐or‐ CN4093# show virt vm v r (Scan vCenter and display result) Deleting the vCenter To detach the vCenter from the switch, use the following configuration command: CN4093(config)# no virt vmware vcspec Note: Without a valid vCenter assigned on the switch, any VE configuration changes must be manually synchronized. Deleting the assigned vCenter prevents synchronizing the configuration between the CN4093 and VEs. VEs already operating in distributed VM groups will continue to function as configured, but any changes made to any VM profile or distributed VM group on the switch will affect only switch operation; changes on the switch will not be reflected in the vCenter or on the VEs. Likewise, any changes made to VE configuration on the vCenter will no longer be reflected on the switch. Exporting Profiles VM profiles for discovered VEs in distributed VM groups are automatically synchronized with the virtual management server and the appropriate ...
Page 253: Vmware Operational Commands
VMware Operational Commands The CN4093 may be used as a central point of configuration for VMware virtual switches and port groups using the VMware operational menu, available with the following ISCLI privileged EXEC commands: CN4093# virt vmware ? Distributed port group operations dvswitch VMWare dvSwitch operations export Create or update a vm profile on one host Add a port group to a host scan Perform a VM Agent scan operation now updpg Update a port group on a host vmacpg Change a vnic's port group Add a vswitch to a host Pre-Provisioning VEs VEs may be manually added to VM groups in advance of being detected on the switch ports. By pre‐provisioning the MAC address of VEs that are not yet active, the switch will be able to later recognize the VE when it becomes active on a switch port, and immediately assign the proper VM group properties without further configuration. Undiscovered VEs are added to or removed from VM groups using the following configuration commands: CN4093(config)# [no] virt vmgroup <VM group number> vm <VE MAC address> For the pre‐provisioning of undiscovered VEs, a MAC address is required. Other identifying properties, such as IPv4 address or VM name permitted for known VEs, cannot be used for pre‐provisioning. © Copyright Lenovo 2015 Chapter 17: VMready...
Page 254: Vlan Maps
97). In a virtualized environment, VMAPs allow you to create traffic filtering and metering policies that are associated with a VM group VLAN, allowing filters to follow VMs as they migrate between hypervisors. VMAPs are configured using the following ISCLI configuration command path: CN4093(config)# accesscontrol vmap <VMAP ID> ? action Set filter action egressport Set to filter for packets egressing this port ethernet Ethernet header options ipv4 IP version 4 header options meter ACL metering configuration packetformat Set to filter specific packet format types remark ACL remark configuration statistics Enable access control list statistics tcpudp TCP and UDP filtering options Lenovo N/OS 8.2 supports up to 128 VMAPs. Individual VMAP filters are configured in the same fashion as regular ACLs, except that VLANs cannot be specified as a filtering criteria (unnecessary, since VMAPs are assigned to a specific VLAN or associated with a VM group VLAN). Once a VMAP filter is created, it can be assigned or removed using the following commands:  For regular VLANs, use config‐vlan mode: CN4093(config)# vlan <VLAN ID> CN4093(configvlan)# [no] vmap <VMAP ID> [intports| extports]  For a VM group, use the global configuration mode: CN4093(config)# [no] virt vmgroup <ID> vmap <VMAP ID> [intports|extports] Note: Each VMAP can be assigned to only one VLAN or VM group. However, each VLAN or VM group may have multiple VMAPs assigned to it.
Page 255: Vm Policy Bandwidth Control
VM Policy Bandwidth Control Commands VM Policy Bandwidth Control can be configured using the following configuration commands: CN4093(config)# virt vmpolicy vmbwidth <VM MAC>|<index>|<UUID>| <IPv4 address>|<name> ? (Set the VM to switch rate) txrate <committed rate> <burst> [<ACL number>] (Set the VM received bandwidth) rxrate <committed rate> <burst> (Enable bandwidth control) bwctrl Bandwidth allocation can be defined either for transmit (TX) traffic or receive (RX) traffic. Because bandwidth allocation is specified from the perspective of the VE, the switch command for TX Rate Control (txrate) sets the data rate to be sent from the VM to the switch, and the RX Rate Control (rxrate) sets the data rate to be received by the VM from the switch. The committed rate is specified in multiples of 64 kbps, from 64 to 40,000,000. The maximum burst rate is specified as 32, 64, 128, 256, 1024, 2048, or 4096 kb. If both the committed rate and burst are set to 0, bandwidth control in that direction (TX or RX) will be disabled. When txrate is specified, the switch automatically selects an available ACL for internal use with bandwidth control. Optionally, if automatic ACL selection is not desired, a specific ACL may be selected. If there are no unassigned ACLs available, txrate cannot be configured. © Copyright Lenovo 2015 Chapter 17: VMready...
Page 256: Bandwidth Policies Vs. Bandwidth Shaping
Bandwidth Policies vs. Bandwidth Shaping VM Profile Bandwidth Shaping differs from VM Policy Bandwidth Control. VM Profile Bandwidth Shaping (see “VM Profiles” on page 245) is configured per VM group and is enforced on the server by a virtual switch in the hypervisor. Shaping is unidirectional and limits traffic transmitted from the virtual switch to the CN4093. Shaping is performed prior to transmit VM Policy Bandwidth Control. If the egress traffic for a virtual switch port group exceeds shaping parameters, the traffic is dropped by the virtual switch in the hypervisor. Shaping uses server CPU resources, but prevents extra traffic from consuming bandwidth between the server and the CN4093. VM Policy Bandwidth Control is configured per VE, and can be set independently for transmit and receive traffic. Bandwidth policies are enforced by the CN4093. VE traffic that exceeds configured levels is dropped by the switch upon ingress (for txrate) or before egress (for rxrate). Setting txrate uses ACL resources on the switch. Bandwidth shaping and bandwidth policies can be used separately or in concert. VMready Information Displays The CN4093 can be used to display a variety of VMready information. Note: Some displays depict information collected from scans of a VMware vCenter and may not be available without a valid vCenter. If a vCenter is assigned (see “Assigning a vCenter”...
Page 257 5 00:50:56:9c:00:c8 quark 4 vSwitch0 172.16.46.25 @172.16.46.10 0 Corp 6 00:50:56:9c:29:29 particle 3 vSwitch0 172.16.46.35 @172.16.46.50 0 VM Network 7 00:50:56:9c:47:fd nucleus 3 vSwitch0 172.16.46.45 @172.16.46.50 0 Finance 12 of 12 entries printed * indicates VMware ESX Service Console Interface + indicates VMware ESX/ESXi VMkernel or Management Interface To view additional detail regarding any specific VE, see “vCenter VE Details” on page 259). vCenter Hypervisor Hosts If a vCenter is available, the following ISCLI privileged EXEC command displays the name and UUID of all VMware hosts, providing an essential overview of the data center: CN4093# show virt vmware hosts UUID Name(s), IP Address 00a42681d0e55910a0bfbd23bd3f7800 172.16.41.30 002e063c153cdd118b32a78dd1909a00 172.16.46.10 00f1fe30143cdd1184f2a8ba2cd7ae00 172.16.44.50 0018938e143cdd119f7ad8defa4b8300 172.16.46.20 © Copyright Lenovo 2015 Chapter 17: VMready...
Page 258 Using the following command, the administrator can view more detailed vCenter host information, including a list of virtual switches and their port groups, as well as details for all associated VEs: CN4093# show virt vmware showhost {<UUID>|<IPv4 address>|<host name>} Vswitches available on the host: vSwitch0 Port Groups and their Vswitches on the host: BNT_Default vSwitch0 VM Network vSwitch0 Service Console vSwitch0 VMkernel vSwitch0 MAC Address 00:50:56:9c:21:2f Port 4 Type Virtual Machine VM vCenter Name halibut VM OS hostname localhost.localdomain VM IP Address 172.16.46.15 VM UUID 001c41f3ccd894bb1b946b94b03b9200 Current VM Host 172.16.46.10 Vswitch vSwitch0 Port Group BNT_Default VLAN ID 0 vCenter VEs If a vCenter is available, the following ISCLI privileged EXEC command displays a list of all known VEs: CN4093# show virt vmware vms UUID Name(s), IP Address 001cdf1d863afa5e58c0d197ed3e3300 30vm1 001c1fba5483863fde044953b5caa700 VM90 001c0441c9ed184c7030d6a6bc9b4d00 VM91 001cc06e393ba36b2da9c71098d9a700 vm_new 001c6384f764983c83e3e94fc78f2c00 sturgeon 001c74346bf952bdc48ca410da0c2300 ...
Page 259: Vmready Configuration Example
Port Group BNT_Default VLAN ID 0 VMready Configuration Example This example has the following characteristics:  A VMware vCenter is fully installed and configured prior to VMready configura‐ tion and includes a “bladevm” administration account and a valid SSL certifi‐ cate. The distributed VM group model is used.   The VM profile named “Finance” is configured for VLAN 30, and specifies NIC‐to‐switch bandwidth shaping for 1Mbps average bandwidth, 2MB bursts, and 3Mbps maximum bandwidth.  The VM group includes four discovered VMs on internal switch ports INT1A and INT2A, and one static trunk (previously configured) that includes external ports EXT2 and EXT2. 1. Enable the VMready feature. CN4093(config)# virt enable 2. Specify the VMware vCenter IPv4 address. CN4093(config)# virt vmware vmware vcspec 172.16.100.1 bladevm When prompted, enter the user password that the switch must use for access to the vCenter. 3. Create the VM profile. CN4093(config)# virt vmprofile Finance CN4093(config)# virt vmprofile edit Finance vlan 30 CN4093(config)# virt vmprofile edit Finance shaping 1000 2000 3000 © Copyright Lenovo 2015 Chapter 17: VMready...
Page 260 4. Define the VM group. CN4093(config)# virt vmgroup 1 profile Finance CN4093(config)# virt vmgroup 1 vm arctic CN4093(config)# virt vmgroup 1 vm monster CN4093(config)# virt vmgroup 1 vm sierra CN4093(config)# virt vmgroup 1 vm 00:50:56:4f:f2:00 CN4093(config)# virt vmgroup 1 portchannel 1 When VMs are added, the internal server ports on which they appear are automatically added to the VM group. In this example, there is no need to manually add ports EXT1 and EXT2. 5. If necessary, enable VLAN tagging for the VM group: CN4093(config)# virt vmgroup 1 tag Note: If the VM group contains ports which also exist in other VM groups, tagging should be enabled in both VM groups. In this example configuration, no ports exist in more than VM group.
Page 261: Chapter 18. Fcoe And Cee
 “Converged Enhanced Ethernet” on page 265 Converged Enhanced Ethernet (CEE) refers to a set of IEEE standards developed primarily to enable FCoE, requiring enhancing the existing Ethernet standards to make them lossless on a per‐priority traffic basis, and providing a mechanism to carry converged (LAN/SAN/IPC) traffic on a single physical link. CEE features can also be utilized in traditional LAN (non‐FCoE) networks to provide lossless guarantees on a per‐priority basis, and to provide efficient bandwidth allocation. “Priority‐Based Flow Control” on page 274  Priority‐Based Flow Control (PFC) extends 802.3x standard flow control to allow the switch to pause traffic based on the 802.1p priority value in each packet’s VLAN tag. PFC is vital for FCoE environments, where SAN traffic must remain lossless and must be paused during congestion, while LAN traffic on the same links is delivered with “best effort” characteristics. “Enhanced Transmission Selection” on page 278  Enhanced Transmission Selection (ETS) provides a method for allocating link bandwidth based on the 802.1p priority value in each packet’s VLAN tag. Using ETS, different types of traffic (such as LAN, SAN, and management) that are sensitive to different handling criteria can be configured either for specific bandwidth characteristics, low‐latency, or best‐effort transmission, despite sharing converged links as in an FCoE environment. “Data Center Bridging Capability Exchange” on page 284  Data Center Bridging Capability Exchange Protocol (DCBX) allows neighboring network devices to exchange information about their capabilities. This is used between CEE‐capable devices for the purpose of discovering their peers, negotiating peer configurations, and detecting misconfigurations. © Copyright Lenovo 2015...
Page 262: Fibre Channel Over Ethernet
Figure 31. A Mixed Fibre Channel and FCoE Network FCoE Fibre 802.1p Priority & Usage EXT22 INTA1 Channel 3 FCoE Applications Switch 802.1p Priority & Usage Ethernet INTA2 EXT1 Business-Critical LAN Lenovo Chassis Servers In Figure 31 on page 262, the FCoE network is connected to the Fibre Channel network through an FCoE Forwarder (FCF). The FCF acts as a Fibre Channel gateway to and from the multi‐hop FCoE network. A full‐fabric FC/FCoE switch or a Fibre Channel Node Port Virtualized (NPV) switch may perform the FCF function. Although it may be possible to use an external FCF device, this chapter focuses on using the built‐in Fibre Channel features of the CN4093 itself. CN4093 Application Guide for N/OS 8.2...
Page 263: Fcoe Requirements
FCoE Requirements The following are required for implementing FCoE using the Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch (CN4093) with N/ OS 8.2 software:  The CN4093 must be connected to the Fibre Channel network using the switch’s built‐in Fibre Channel features (see “Fibre Channel” on page 291), or an external FCF device such as another CN4093 switch or a Cisco Nexus 5000 Series Switch.  For each CN4093 internal port participating in FCoE, the connected blade server must use the supported FCoE CNA. Emulex Virtual Fabric Adapters (VFAs) for Lenovo Flex System, which includes vNIC support, is currently a supported.  For each CN4093 internal port participating in FCoE, the connected blade server must include the appropriate FCoE licenses installed, as obtained using the Lenovo website Features on Demand (FoD) service. Contact your sales represen‐ tative for more information on obtaining server feature licenses. CEE must be turned on (see “Turning CEE On or Off” on page 265). When CEE is  on, the DCBX, PFC, and ETS features are enabled and configured with default FCoE settings. These features may be reconfigured, but must remain enabled in order for FCoE to function. FIP snooping must be turned on (see “FCoE Initialization Protocol Snooping” on  page 268). When FIP snooping is turned on, the feature is enabled on all ports by default. The administrator can disable FIP snooping on individual ports that do not require FCoE, but FIP snooping must remain enabled on all FCoE ports in order for FCoE to function. © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 264: Port Trunking
Port Trunking Lenovo N/OS 8.2 supports port trunking for FCoE connections. The Link Aggregation (LAG) can be used for separate FCoE traffic, or for Ethernet and FCoE traffic. FCoE and Ethernet traffic can co‐exist within the same trunk (ports). By default, FCoE servers (CNA/HBA) do not support trunk, while Ethernet (NIC/CNA) are trunk capable. Uplink ports, connected to the FCF, can be grouped as static or dynamic trunks. Internal ports cannot be grouped as trunks. Normal trunk operations such as creating/enabling the trunk, and adding/removing member ports can be performed. When a port is added to a trunk group, FCFs previously detected on the port will be deleted. The deleted FCF may be relearned later. However, this may cause flickering in the network traffic. Priority‐based Flow Control (PFC), and Data Center Bridging Exchange (DCBX) are configured on a per‐port basis. Each port in a trunk must have the same PFC, and DCBX configuration. When a port ceases to be the trunk group member, its configuration does not change. CN4093 Application Guide for N/OS 8.2...
Page 265: Converged Enhanced Ethernet
Although CEE standards were designed with FCoE in mind, they are not limited to FCoE installations. CEE features can be utilized in traditional LAN (non‐FCoE) networks to provide lossless guarantees on a per‐priority basis, and to provide efficient bandwidth allocation based on application needs. Turning CEE On or Off By default on the CN4093, CEE is turned off. To turn CEE on or off, use the following ISCLI configuration mode commands: CN4093(config)# [no] cee enable CAUTION: Turning CEE on will automatically change some 802.1p QoS and 802.3x standard flow control settings on the CN4093. Read the following material carefully to determine whether you will need to take action to reconfigure expected settings. It is recommended that you backup your configuration prior to turning CEE on. Viewing the file will allow you to manually re‐create the equivalent configuration once CEE is turned on, and will also allow you to recover your prior configuration if you need to turn CEE off. Effects on Link Layer Discovery Protocol When CEE is turned on, Link Layer Discovery Protocol (LLDP) is automatically turned on and enabled for receiving and transmitting DCBX information. LLDP cannot be turned off while CEE is turned on. © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 266: Effects On 802.1P Quality Of Service
Effects on 802.1p Quality of Service While CEE is off (the default), the CN4093 allows 802.1p priority values to be used for Quality of Service (QoS) configuration (see “Quality of Service” on page 185). 802.1p QoS default settings are shown in Table 28 on page 266, but can be changed by the administrator. When CEE is turned on, 802.1p QoS is replaced by ETS (see “Enhanced Transmission Selection” on page 278). As a result, while CEE is turned on, the 802.1p QoS configuration commands are no longer available on the switch (the menu is restored when CEE is turned off). In addition, when CEE is turned on, prior 802.1p QoS settings are replaced with new defaults designed for use with ETS priority groups (PGIDs) as shown in Table Table 28. CEE Effects on 802.1p Defaults 802.1p QoS Configuration ETS Configuration With CEE Off (default) With CEE On Priority COSq Weight Priority COSq PGID When CEE is on, the default ETS configuration also allocates a portion of link ...
Page 267: Effects On Flow Control
It is recommended that a configuration backup be made prior to turning CEE on or off. Viewing the configuration file will allow the administrator to manually re‐create the equivalent configuration under the new CEE mode, and will also allow for the recovery of the prior configuration if necessary. Effects on Flow Control When CEE is off (the default), 802.3x standard flow control is enabled on all switch ports by default. When CEE is turned on, standard flow control is disabled on all ports, and in its place, PFC (see “Priority‐Based Flow Control” on page 274) is enabled on all ports for 802.1p priority value 3. This default is chosen because priority value 3 is commonly used to identify FCoE traffic in a CEE environment and must be guaranteed lossless behavior. PFC is disabled for all other priority values. It is recommend that a configuration backup be made prior to turning CEE on or off. Viewing the configuration file will allow the administrator to manually re‐create the equivalent configuration under the new CEE mode, and will also allow for the recovery of the prior configuration if necessary. When CEE is on, PFC can be enabled only on priority value 3 and one other priority. If flow control is required on additional priorities on any given port, consider using standard flow control on that port, so that regardless of which priority traffic becomes congested, a flow control frame is generated. © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 268: Fcoe Initialization Protocol Snooping
FCoE Initialization Protocol Snooping FCoE Initialization Protocol (FIP) snooping is an FCoE feature. In order to enforce point‐to‐point links for FCoE traffic outside the regular Fibre Channel topology, Ethernet ports used in FCoE can be automatically and dynamically configured with Access Control Lists (ACLs). Using FIP snooping, the CN4093 examines the FIP frames normally exchanged between the FCF and ENodes to determine information about connected FCoE devices. This information is used to create narrowly tailored ACLs that permit expected FCoE traffic to and from confirmed Fibre Channel nodes, and deny all other undesirable FCoE or FIP traffic. Global FIP Snooping Settings By default, the FIP snooping feature is turned off for the CN4093. The following commands are used to turn the feature on or off: CN4093(config)# [no] fcoe fips enable Note: FIP snooping requires CEE to be turned on (see “Turning CEE On or Off” on page 265). When FIP snooping is on, port participation may be configured on a port‐by‐port basis (see below). When FIP snooping is off, all FCoE‐related ACLs generated by the feature are ...
Page 269: Port Fcf And Enode Detection
Note: FCoE Fips must be enabled on FSB/FCF switch Port FCF and ENode Detection When FIP snooping is enabled on a port, the port is placed in FCF auto‐detect mode by default. In this mode, the port assumes connection to an ENode unless FIP packets show the port is connected to an external FCF. Ports can also be specifically configured as to whether automatic FCF detection should be used, or whether the port is connected to an external FCF or ENode: CN4093(config)# fcoe fips port <port alias, number, list, or range> fcfmode {auto|on|off} When FCF mode is on, the port is assumed to be connected to a trusted external FCF, and only ACLs appropriate to FCFs will be installed on the port. When off, the port is assumed to be connected to an ENode, and only ACLs appropriate to ENodes will be installed. When the mode is changed (either through manual configuration or as a result of automatic detection), the appropriate ACLs are automatically added, removed, or changed to reflect the new FCF or ENode connection. FCoE Connection Timeout FCoE‐related ACLs and VLANs are added, changed, and removed as FCoE device connection and disconnection are discovered. In addition, the administrator can enable or disable automatic removal of ACLs and VLANs for FCFs and other FCoE connections that timeout (fail or are disconnected) without FIP notification. By default, automatic removal of ACLs upon timeout is enabled. To change this function, use the following CLI command: CN4093(config)# [no] fcoe fips timeoutacl © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 270: Fcoe Acl Rules
FCoE ACL Rules When FIP Snooping is enabled on a port, the switch automatically installs the appropriate ACLs to enforce the following rules for FCoE traffic: Ensure that FIP frames from ENodes may only be addressed to FCFs.   Flag important FIP packets for switch processing. Ensure no end device uses an FCF MAC address as its source.   Each FCoE port is assumed to be connected to an ENode and include ENode‐specific ACLs installed, until the port is either detected or configured to be connected to an external FCF.  Ports that are configured to have FIP snooping disabled will not have any FIP or FCoE related ACLs installed.  Prevent transmission of all FCoE frames from an ENode prior to its successful completion of login (FLOGI) to the FCF.  After successful completion of FLOGI, ensure that the ENode uses only those FCoE source addresses assigned to it by the FCF.  After successful completion of FLOGI, ensure that all ENode FCoE source addresses originate from or are destined to the appropriate ENode port.  After successful completion of each FLOGI, ensure that FCoE frames may only be addressed to the FCFs that accept them. Initially, a basic set of FCoE‐related ACLs will be installed on all ports where FIP snooping is enabled. As the switch encounters FIP frames and learns about FCFs and ENodes that are attached or disconnect, ACLs are dynamically installed or expanded to provide appropriate security. When an FCoE connection logs out, or times out (if ACL timeout is enabled), the related ACLs will be automatically removed. FCoE‐related ACLs are independent of manually configured ACLs used for regular Ethernet purposes. FCoE ACLs generally have a higher priority over standard ACLs. Optimized FCoE Traffic Flow To optimize the FCoE traffic flow, ACL entries are installed by default. Only FCoE ...
Page 271: Fcoe Vlans
FCoE vlan. If you need to manually configure the FC-MAP, use values in the range 0xefcf00 to 0x0efcf4. The other FC-Map values are reserved. Viewing FIP Snooping Information ACLs automatically generated under FIP snooping are independent of regular, manually configure ACLs, and are not listed with regular ACLs in switch information and statistics output. Instead, FCoE ACLs are shown using the following CLI commands: CN4093# show fcoe fips information (Show all FIP‐related information) CN4093# show fcoe fips port <ports> information(Show FIP info for a selected port) © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 272: Operational Commands
For example: CN4093# show fcoe fips port ext4 information FIP Snooping on port ext4: This port has been detected to be an FCF port. FIPS ACLs configured on this port: Ethertype 0x8914, action permit. dmac 00:00:18:01:00:XX, Ethertype 0x8914, action permit. For each ACL, the required traffic criteria are listed, along with the action taken (permit or deny) for matching traffic. ACLs are listed in order of precedence and evaluated in the order shown. The administrator can also view other FCoE information: CN4093# show fcoe fips fcf (Show all detected FCFs) CN4093# show fcoe fips fcoe (Show all FCoE connections) Operational Commands The administrator may use the operational commands to delete FIP‐related entries from the switch. To delete a specific FCF entry and all associated ACLs from the switch, use the following command: CN4093# no fcoe fips fcf <FCF MAC address> [<VLAN number>] FIP Snooping Configuration In this example, as shown in Figure 31 on page 262, port INTA1 is connected to an ENode, and EXT22 is connected to the Fibre Channel network via an internal FCF (see“Fibre Channel” on page 291). FIP snooping can be configured on these ports using the following CLI commands: 1. Enable VLAN tagging on FCoE ports: CN4093(config)# interface port INTA1, EXT22(Select FCoE port) CN4093(configif)# switchport mode trunk(Enable VLAN tagging) CN4093(configif)# exit (Exit port configuration mode) 2. Place FCoE ports into a VLAN supported by the FCF and CNAs (typically VLAN 1002): CN4093(config)# vlan 1002 CN4093(configvlan)# exit...
Page 273 Note: By default, FIP snooping is enabled on all ports and the FCF mode set for automatic detection. The configuration in this step is unnecessary if default settings have not been changed, and is shown merely as a manual configuration example. 7. Save the configuration. © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 274: Priority-Based Flow Control
Priority-Based Flow Control Priority‐based Flow Control (PFC) is defined in IEEE 802.1Qbb. PFC extends the IEEE 802.3x standard flow control mechanism. Under standard flow control, when a port becomes busy, the switch manages congestion by pausing all the traffic on the port, regardless of the traffic type. PFC provides more granular flow control, allowing the switch to pause specified types of traffic on the port, while other traffic on the port continues. PFC pauses traffic based on 802.1p priority values in the VLAN tag. The administrator can assign different priority values to different types of traffic and then enable PFC for up to two specific priority values: priority value 3, and one other. The configuration can be applied on a port‐by‐port basis, or globally for all ports on the switch. Then, when traffic congestion occurs on a port (caused when ingress traffic exceeds internal buffer thresholds), only traffic with priority values where PFC is enabled is paused. Traffic with priority values where PFC is disabled proceeds without interruption but may be subject to loss if port ingress buffers become full. Although PFC is useful for a variety of applications, it is required for FCoE implementation where storage (SAN) and networking (LAN) traffic are converged on the same Ethernet links. Typical LAN traffic tolerates Ethernet packet loss that can occur from congestion or other factors, but SAN traffic must be lossless and requires flow control. For FCoE, standard flow control would pause both SAN and LAN traffic during congestion. While this approach would limit SAN traffic loss, it could degrade the performance of some LAN applications that expect to handle congestion by dropping traffic. PFC resolves these FCoE flow control issues. Different types of SAN and LAN traffic can be assigned different IEEE 802.1p priority values. PFC can then be enabled for priority values that represent SAN and LAN traffic that must be paused during congestion, and disabled for priority values that represent LAN traffic that is more loss‐tolerant. PFC requires CEE to be turned on (“Turning CEE On or Off” on page 265). When CEE is turned on, PFC is enabled on priority value 3 by default. Optionally, the administrator can also enable PFC on one other priority value, providing lossless handling for another traffic type, such as for a business‐critical LAN application. Note: For any given port, only one flow control method can be implemented at any given time: either PFC or standard IEEE 802.3x flow control.
Page 275: Global Vs. Port-By-Port Pfc Configuration
LAN applications that expect uninterrupted traffic flow and tolerate dropping packets during congestion. Use PFC globally only if all priority values assigned for lossless traffic on one or more ports does not carry loss-tolerant traffic on other ports. © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 276: Pfc Configuration Example
PFC Configuration Example Note: DCBX may be configured to permit sharing or learning PFC configuration with or from external devices. This example assumes that PFC configuration is being performed manually. See “Data Center Bridging Capability Exchange” on page 284 for more information on DCBX. This example is consistent with the network shown in Figure 31 on page 262. In ...
Page 277 Note: PFC is enabled on priority 3 by default. If using the defaults, the manual configuration commands shown in this step are not necessary. CN4093(config)# cee port INTA1 pfc priority 3 enable(FCoE priority) CN4093(config)# cee port INTA1 pfc priority 3 description "FCoE"(Optional) CN4093(config)# cee port EXT22 pfc priority 3 enable(FCoE priority) CN4093(config)# cee port EXT22 pfc priority 3 description "FCoE"(Optional) 3. Enable PFC for the business‐critical LAN application: CN4093(config)# cee port INTA2 pfc priority 4 enable(LAN priority) CN4093(config)# cee port INTA2 pfc priority 4 description "Critical LAN" CN4093(config)# cee port EXT1 pfc priority 4 enable( LAN priority) CN4093(config)# cee port EXT1 pfc priority 4 description "Critical LAN" 4. Save the configuration. © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 278: Enhanced Transmission Selection
Enhanced Transmission Selection Enhanced Transmission Selection (ETS) is defined in IEEE 802.1Qaz. ETS provides a method for allocating port bandwidth based on 802.1p priority values in the VLAN tag. Using ETS, different amounts of link bandwidth can specified for different traffic types (such as for LAN, SAN, and management). ETS is an essential component in a CEE environment that carries different types of traffic, each of which is sensitive to different handling criteria, such as Storage Area Networks (SANs) that are sensitive to packet loss, and LAN applications that may be latency‐sensitive. In a single converged link, such as when implementing FCoE, ETS allows SAN and LAN traffic to coexist without imposing contrary handling requirements upon each other. The ETS feature requires CEE to be turned on (see “Turning CEE On or Off” on page 265). 802.1p Priority Values Under the 802.1p standard, there are eight available priority values, with values numbered 0 through 7, which can be placed in the priority field of the 802.1Q VLAN tag: 16 bits 3 bits 12 bits Tag Protocol ID (0x8100) Priority C VLAN ID 15 16 Servers and other network devices may be configured to assign different priority values to packets belonging to different traffic types (such as SAN and LAN). ETS uses the assigned 802.1p priority values to identify different traffic types. The ...
Page 279: Priority Groups
Priority Groups For ETS use, each 801.2p priority value is assigned to a priority group which can then be allocated a specific portion of available link bandwidth. To configure a priority group, the following is required:  CEE must be turned on (“Turning CEE On or Off” on page 265) for the ETS feature to function.  A priority group must be assigned a priority group ID (PGID), one or more 802.1p priority values, and allocated link bandwidth greater than 0%. PGID Each priority group is identified with number (0 through 7, and 15) known as the PGID. PGID 0 through 7 may each be assigned a portion of the switch’s available bandwidth. PGID 8 through 14 are reserved as per the 802.1Qaz ETS standard. PGID 15 is a strict priority group. It is generally used for critical traffic, such as network management. Any traffic with priority values assigned to PGID 15 is permitted as much bandwidth as required, up to the maximum available on the switch. After serving PGID 15, any remaining link bandwidth is shared among the other groups, divided according to the configured bandwidth allocation settings. All 802.1p priority values assigned to a particular PGID should have similar traffic handling requirements. For example, PFC‐enabled traffic should not be grouped with non‐PFC traffic. Also, traffic of the same general type should be assigned to the same PGID. Splitting one type of traffic into multiple 802.1p priorities, and then assigning those priorities to different PGIDs may result in unexpected network behavior. Each 802.1p priority value may be assigned to only one PGID. However, each PGID may include multiple priority values. Up to eight PGIDs may be configured at any given time. © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 280: Assigning Priority Values To A Priority Group
Assigning Priority Values to a Priority Group Each priority group may be configured from its corresponding ETS Priority Group, available using the following command: CN4093(config)# cee global ets prioritygroup pgid <group number (0‐7, or 15)> priority <priority list> where priority list is one or more 802.1p priority values (with each separated by a comma). For example, to assign priority values 0 through 2: CN4093(config)# cee global ets prioritygroup pgid <group number (0‐7, or 15)> priority 0,1,2 Note: Within any specific PGID, the PFC settings (see “Priority-Based Flow Control” on page 274) should be the same (enabled or disabled) for all priority values within the group.
Page 281: Allocating Bandwidth
Unlimited Bandwidth for PGID 15 PGID 15 is permitted unlimited bandwidth and is generally intended for critical traffic (such as switch management). Traffic in this group is given highest priority and is served before the traffic in any other priority group. If PGID 15 has low traffic levels, most of the switch’s bandwidth will be available to serve priority groups 0 through 7. However, if PGID 15 consumes a larger part of the switch’s total bandwidth, the amount available to the other groups is reduced. Note: Consider traffic load when assigning priority values to PGID 15. Heavy traffic in this group may restrict the bandwidth available to other groups. © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 282: Configuring Ets
Configuring ETS Consider an example consistent with that used for port‐based PFC configuration (on page 276): Table 31. ETS Configuration Priority Usage PGID Bandwidth LAN (best effort delivery) LAN (best effort delivery) LAN (best effort delivery) SAN (Fibre Channel over Ethernet, with PFC) Business Critical LAN (lossless Ethernet, with PFC) Latency‐sensitive LAN Latency‐sensitive LAN Network Management (strict) unlimited The example shown in Table 31 is only slightly different than the default configuration shown in Figure 32 on page 278. In this example, latency‐sensitive LAN traffic (802.1p priority 5 through 6) are moved from priority group 2 to priority group 3. This leaves Business Critical LAN traffic (802.1p priority 4) in priority group 2 by itself. Also, a new group for network management traffic has been assigned. Finally, the bandwidth allocation for priority groups 1, 2, and 3 are revised. Note: DCBX may be configured to permit sharing or learning PFC configuration with or from external devices.
Page 283 (Configure link bandwidth restriction) 3. Configure the strict priority group with a description (optional) and a list of 802.1p priority values: CN4093(config)# cee global ets prioritygroup pgid 15 priority 7 CN4093(config)# cee global ets prioritygroup pgid 15 description "Network Management" Note: Priority group 15 is permitted unlimited bandwidth. As such, the commands for priority group 15 do not include bandwidth allocation. 4. Save the configuration. © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 284: Data Center Bridging Capability Exchange
Data Center Bridging Capability Exchange Data Center Bridging Capability Exchange (DCBX) protocol is a vital element of CEE. DCBX allows peer CEE devices to exchange information about their advanced capabilities. Using DCBX, neighboring network devices discover their peers, negotiate peer configurations, and detect misconfigurations. DCBX provides two main functions on the CN4093: Peer information exchange  The switch uses DCBX to exchange information with connected CEE devices. For normal operation of any FCoE implementation on the CN4093, DCBX must remain enabled on all ports participating in FCoE.  Peer configuration negotiation DCBX also allows CEE devices to negotiate with each other for the purpose of automatically configuring advanced CEE features such as PFC, ETS, and (for some CNAs) FIP. The administrator can determine which CEE feature settings on the switch are communicated to and matched by CEE neighbors, and also which CEE feature settings on the switch may be configured by neighbor requirements. The DCBX feature requires CEE to be turned on (see “Turning CEE On or Off” on page 265). DCBX Settings When CEE is turned on, DCBX is enabled for peer information exchange on all ports. For configuration negotiation, the following default settings are configured:  Application Protocol: FCoE and FIP snooping is set for traffic with 802.1p priority 3  PFC: Enabled on 802.1p priority 3  Priority group 0 includes priority values 0 through 2, with bandwidth  allocation of 10% Priority group 1 includes priority value 3, with bandwidth allocation of 50% ...
Page 285 Peer Configuration Negotiation CEE peer configuration negotiation can be set on a per‐port basis for a number of CEE features. For each supported feature, the administrator can configure two independent flags:  The advertise flag When this flag is set for a particular feature, the switch settings will be transmit to the remote CEE peer. If the peer is capable of the feature, and willing to accept the CN4093 settings, it will be automatically reconfigured to match the switch. The willing flag  Set this flag when required by the remote CEE peer for a particular feature as part of DCBX signaling and support. Although some devices may also expect this flag to indicate that the switch will accept overrides on feature settings, the CN4093 retains its configured settings. As a result, the administrator should configure the feature settings on the switch to match those expected by the remote CEE peer. These flags are available for the following CEE features:  Application Protocol DCBX exchanges information regarding FCoE and FIP snooping, including the 802.1p priority value used for FCoE traffic. The advertise flag is set or reset using the following command: CN4093(config)# [no] cee port <port alias or number> dcbx app_proto advertise The willing flag is set or reset using the following command: CN4093(config)# [no] cee port <port alias or number> dcbx app_proto willing © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 286: Configuring Dcbx
 DCBX exchanges information regarding whether PFC is enabled or disabled on the port. The advertise flag is set or reset using the following command: CN4093(config)# [no] cee port <port alias or number> dcbx pfc advertise The willing flag is set or reset using the following command: CN4093(config)# [no] cee port <port alias or number> dcbx pfc willing  DCBX exchanges information regarding ETS priority groups, including their 802.1p priority members and bandwidth allocation percentages. The advertise flag is set or reset using the following command: CN4093(config)# [no] cee port <port alias or number> dcbx ets advertise The willing flag is set or reset using the following command: CN4093(config)# [no] cee port <port alias or number> dcbx ets willing Configuring DCBX Consider an example consistent Figure 31 on page 262 and used with the previous FCoE examples in this chapter:  FCoE is used on port INTA1. CEE features are also used with LANs on ports INTA2 and EXT1.   All other ports are disabled or are connected to non‐CEE devices. In this example, the CN4093 acts as the central point for CEE configuration. FCoE‐related ports will be configured for advertising CEE capabilities, but not to accept external configuration. Other LAN ports that use CEE features will also be configured to advertise feature settings to remote peers, but not to accept external configuration. DCBX will be disabled on all non‐CEE ports. This example can be configured using the following commands: 1. Turn CEE on. CN4093(config)# cee enable Note: Turning CEE on will automatically change some 802.1p QoS and 802.3x standard flow control settings and menus (see “Turning CEE On or Off”...
Page 287 3. Enable desired DCBX advertisements on other CEE ports: CN4093(config)# cee port INTA2 dcbx enable CN4093(config)# cee port INTA2 dcbx app_proto advertise CN4093(config)# cee port INTA2 dcbx ets advertise CN4093(config)# cee port INTA2 dcbx pfc advertise CN4093(config)# cee port EXT1 dcbx enable CN4093(config)# cee port EXT1 dcbx app_proto advertise CN4093(config)# cee port EXT1 dcbx ets advertise CN4093(config)# cee port EXT1 dcbx pfc advertise 4. Disable DCBX for each non‐CEE port as appropriate: CN4093(config)# no cee port INTA3INTC14,EXT2EXT22 dcbx enable 5. Save the configuration. © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 288: Fcoe Example Configuration
Figure 33. A Mixed Fibre Channel and FCoE Network FCoE Fibre 802.1p Priority & Usage EXT22 INTA1 Channel 3 FCoE Applications Switch 802.1p Priority & Usage Ethernet INTA2 EXT1 Business-Critical LAN Lenovo Chassis Servers In Figure 33 on page 288, a Fibre Channel network is connected to the CN4093 on port EXT22. The FCoE‐enabled CN4093 is internally connected to a blade server (ENode) through an FCoE‐enabled CNA on port INTA1. An internal FCF bridges the networks. 1. Configure FCoE ports as trunk ports and add them to FCoE Vlan for FCoE traffic and Native Vlan 1 for FIP negotiation: CN4093(config)# interface port INTA1 (Select FCoE ports) CN4093(configif)# switchport mode trunk (Enable VLAN tagging) CN4093(configif)# switchport trunk allowed vlan 1,1002 (Add VLANs) CN4093(configif)# exit (Exit port configuration mode)
Page 289 CN4093(config)# cee global ets prioritygroup pgid 15 priority 7 CN4093(config)# cee global ets prioritygroup pgid 15 description "Network Management" Note: Priority group 15 is permitted unlimited bandwidth. As such, the commands for priority group 15 do not include bandwidth allocation. 10. Enable desired DCBX configuration negotiation on FCoE ports: CN4093(config)# cee port INTA1 dcbx enable CN4093(config)# cee port INTA1 dcbx app_proto advertise CN4093(config)# cee port INTA1 dcbx ets advertise CN4093(config)# cee port INTA1 dcbx pfc advertise © Copyright Lenovo 2015 Chapter 18: FCoE and CEE...
Page 290 11. Enable desired DCBX advertisements on other CEE ports: CN4093(config)# cee port INTA2 dcbx enable CN4093(config)# cee port INTA2 dcbx app_proto advertise CN4093(config)# cee port INTA2 dcbx ets advertise CN4093(config)# cee port INTA2 dcbx pfc advertise CN4093(config)# cee port EXT1 dcbx enable CN4093(config)# cee port EXT1 dcbx app_proto advertise CN4093(config)# cee port EXT1 dcbx ets advertise CN4093(config)# cee port EXT1 dcbx pfc advertise 12. Disable DCBX for each non‐CEE port as appropriate: CN4093(config)# no cee port INTA3INTC14,EXT2EXT22 dcbx enable 13. Configure the Fibre Channel network: CN4093(config)# system port ext21ext22 type fc CN4093(configvlan)# interface fc EXT22 CN4093(configif)# switchport trunk allowed vlan 1,1002 CN4093(configif)# exit CN4093(config)# vlan 1002 CN4093(configvlan)# npv enable CN4093(configvlan)# npv trafficmap externalinterface EXT22 CN4093(configvlan)# exit Note: The Fibre Channel network is configured as an NPV gateway as described “Fibre Channel” on page 291.
Page 292: Ethernet Vs. Fibre Channel
Ethernet vs. Fibre Channel As a converged switch, the CN4093 10Gb Converged Scalable Switch provides simultaneous support of Ethernet and Fibre Channel networks. Ethernet is ubiquitous in modern networks. It is generally quick, easy, and inexpensive to implement. Ethernet is also flexible and dynamic by nature. Devices join and leave a well‐designed Ethernet network with little impact beyond their individual function. Because flux is the norm, Ethernet is classified as a ʺbest effortʺ delivery protocol. This means that some loss of packets is acceptable, and that with multiple routes often available, packets in a stream may arrive at their destination out of sequence. Ethernet devices are expected to re‐request and resend lost packets, and reassemble data in the proper order at the destination. The Fibre Channel protocol adheres to a very different philosophy. Fibre Channel is most popular in storage networks end‐to‐end stability, reliability, and security are emphasized in favor over low cost and dynamic scalability. In Fibre Channel networks, the connecting ports must be fully authorized to communicate with their well‐defined neighbors. Bandwidth for properly connected devices is tuned to avoid loss due to congestion. Also, routes for traffic are converged in advance, ensuring that only one route is used by any given traffic stream so that packets arrive in their expected sequence. Ethernet and Fibre Channel networks are coming into contact with each other more frequently in modern networks. In some cases, legacy Fibre Channel devices are connected via Ethernet networks using Converged Enhanced Ethernet (CEE), a collection of recent Ethernet features designed to satisfy Fibre Channel delivery expectations. Although not the focus of this chapter, the CN4093 supports CEE and Fibre Channel over Ethernet (FCoE). For details, see “FCoE and CEE” on page 261. Another approach is to use converged switches such as the CN4093 to support direct connection to both Ethernet and Fibre Channel networks. This allows a “best of both worlds” approach, using ubiquitous Ethernet networks for regular traffic, and full connection to Fibre Channel networks for lossless applications and the legacy architecture of established Storage Area Networks. CN4093 Application Guide for N/OS 8.2...
Page 293: Supported Switch Roles
261. These features can be used independently or in conjunction with NPV gateway and full fabric switch features. NPV Gateway As a Node Port Virtualized (NPV) gateway, the CN4093 can act as a Fibre Channel collector, connecting numerous Fibre Channel end‐point devices (known as nodes) for uplink to a Fibre Channel full fabric switch, performing stateless FC/FCoE encapsulation and decapsulation. This helps resolve a typical problem in Fibre Channel networks where port density is low on Director Class SAN switches, or considered too valuable to relegate to individual nodes. As an NPV gateway, the CN4093 acts as a proxy to the upstream full fabric switch on behalf of the connected nodes. The CN4093 supports standard Node Port Identifier Virtualization (NPIV) behavior. The NPV gateway allows concurrent logins from multiple node ports (and multiple server connections) to be forwarded upstream to the full‐fabric switch. The upstream switch provides full fabric services such as zoning enforcement, and makes all switching decisions. The gateway switch appears as a Fibre Channel end node to the full fabric switch, and acts as proxy for the full fabric switch to its connected node devices. When multiple uplink ports are available between the NPV gateway and the upstream switch, nodes are not ensured to be assigned the same uplink whenever they request a session. Only FCoE end nodes are allowed to be downstream connections. All Fibre Channel devices are connected to the full fabric FC switch. Full-Fabric FC/FCoE Switch As a full fabric FC/FCoE switch, the CN4093 authenticates connecting neighbors, provides Fibre Channel IDs, enforces port security among zones, and informs neighboring devices of network changes. © Copyright Lenovo 2015 Chapter 19: Fibre Channel...
Page 294 When acting as a full‐fabric switch, the CN4093 can be connected to NPV gateways or directly to Fibre Channel nodes. In full‐fabric mode, the CN4093 can be connected directly to another full fabric CN4093 through Fibre Channel ISL. For further details, see “E_Ports” on page 301. Limitations In Lenovo N/OS 8.2, CN4093 does not support the following Fibre Channel port types:  FL ports connecting storage fabric loop devices. CN4093 Application Guide for N/OS 8.2...
Page 295: Implementing Fibre Channel
Note: Use only the ISCLI or BBI to configure Fibre Channel. Lenovo N/OS CLI is not supported. After configuring Fibre Channel, save any subsequent configurations only in ISCLI or BBI. If Lenovo N/OS CLI is used to save any switch configuration, the Fibre Channel configuration will be lost.
Page 296: Fibre Channel Vlans
Fibre Channel configuration requires that at least one pair of Omni Ports be set to Fibre Channel mode. The mode for Omni Port pairs or ranges can be configured using the following privileged configuration command: CN4093(config)# [no] system port <low port><high port> type fc Fibre Channel VLANs On the CN4093, each Fibre Channel network connected to the switch must be assigned its own VLAN. For each VLAN used with Fibre Channel, following properties must be defined:  VLAN number Switch role (NPV mode or full fabric mode)   Port membership Fibre Channel ports roles (as uplink ports or node connections)  The following commands are used to define a typical VLAN:  Set or delete a VLAN CN4093(config)# [no] vlan <VLAN number> FCoE networks typically use VLAN 1002. If using a different VLAN for FCoE, be sure that any connected servers and FCoE bridge will support your selection. This command initiates VLAN configuration mode. All VLAN‐related Fibre Channel configuration is performed in this mode. Enable or disable the VLAN  CN4093(configvlan)# [no] shutdown Exit VLAN configuration mode  CN4093(configvlan)# exit Port Membership As with typical VLAN configuration, each VLAN used with a Fibre Channel network must include a description of its port members. VLANs used in Fibre Channel networks follow typical VLAN configuration rules (see “VLANs” on page 111), with the following additions: ...
Page 297: Switching Mode
Full fabric mode The CN4093 supports up to 12 Fibre Channel VLANs at any given time. Only one mode can be active on any specific VLAN at a given time, and only one VLAN can operate in full fabric mode. From within VLAN configuration mode, the following commands are used to specify the Fibre Channel mode:  To enable or disable NPV mode: CN4093(configvlan)# [no] npv enable  To enable or disable full fabric mode: CN4093(config-vlan)# [no] fcf enable Note: When either NPV or full fabric mode are enabled, VLAN tagging is automatically enabled on the VLAN. © Copyright Lenovo 2015 Chapter 19: Fibre Channel...
Page 298: Npv Gateway
NPV Gateway NPV Port Traffic Mapping Within each VLAN used with Fibre Channel, the physical ports may be used in the following roles:  NPV External Interfaces All NPV gateways on the CN4093 must connect to a full fabric switch. The NPV external interface map specifies which Fibre Channel port or ports (Omni Ports set to Fibre Channel mode) are used for this purpose within each Fibre Channel VLAN. At least one Fibre Channel port is required, though two are typically used in order to provide redundancy. The following VLAN configuration command is used to define or remove the uplink: CN4093(configvlan)# [no] npv trafficmap externalinterface <ports>  Fibre Channel over Ethernet node Traffic from Ethernet ports which are properly configured to use CEE and FCoE (see “FCoE and CEE” on page 261) is permitted with no additional configuration. Ethernet  Traffic on regular (non‐FCoE) Ethernet ports will be blocked on Fibre Channel VLANs. NPV Manual Disruptive Load-Balancing Every server connected to the NPV gateway logs into an upstream FC switch through a NP uplink. If multiple NP uplinks are available in a NPV VLAN, the logins are evenly distributed over the available uplinks. The number of logins per uplink can go out of balance if a failed NP uplink is restored or a new uplink is brought online. The NPV gateway does not automatically move Enodes from the existing to new uplinks in such situations. To force the logins to be evenly distributed among all available uplinks in a NPV vlan, the manual load‐balancing CLI is available under the vlan config: CN4093(configvlan)# npv disruptiveloadbalance The load‐balancing is disruptive in nature as few devices are forced to logout and ...
Page 299: Full Fabric Mode
Zones A zone is a logical grouping of end nodes that are permitted to interact with each other. Zones can be grouped into a zonesets, which can be activated or deactivated as a single entity. A zone provides security by restricting access to only those devices that reside within the zone. Zoning also confines change notification floods within each zone. Each zone contains one or more servers and one or more storage devices. Ports and devices in a zone are called zone members. A zone contains one or more zone members. A device can belong to one or more zones. End nodes that are members of a zone can communicate with each other, but they are isolated from nodes in other zones of which they are not a member. If no zone is configured for the device, it resides in the default zone. You can configure the default zone to permit or deny its member devices to communicate with each other. You can specify zone members based on any of the following criteria:  pWWN: The port World Wide Number is a unique ID represting a particular end node. The pWWN is a 64‐bit hexadecimal value (for example, 20:34:00:80:e5:23:f4:55)  FC ID: The Fibre Channel identifier (FC ID) specifies the unique fabric domain ID of a device that connects to a node port on the switch. The FC ID is assigned by the full‐fabric switch during the connection sequence and can change if the device logs out of the Fibre Channel fabric and returns. The FC ID is a 24‐bit hexadecimal value (for example, 0xab00c1), but can also be specified in hexadecimal dotted notation (for example, ab.00.c1) generally representing <domain or device>.<area>.<link> FC alias: The Fibre Channel alias specifies the device that connects to a node  port on the switch. The FC alias is a 1‐64 character text value (for example, StorageOne). © Copyright Lenovo 2015 Chapter 19: Fibre Channel...
Page 300 Note: When you create an FC alias using SNMP, a default pWWN of value 10:00:00:00:00:00:00:00 is automatically assigned to the FC alias. You must change this default pWWN value. Not doing so will result in a conflict of pWWN IDs the next time you try to create an FC alias. Note: The CN4093 uses hard zoning, which is enforced in the switch hardware, based on the pWWNs of the Fibre Channel initiators and targets. The CN4093 supports up the 64 zones per zoneset, each with up to 20 member devices. However, when an FC alias is used, only 10 devices can be members of a zone. Zonesets Zonesets provide a mechanism for conveniently grouping zones. Each zoneset can contain one or more zones. A zone can belong to one or more zonesets. Only one zoneset can be activated at a given time. If you deactivate the active zoneset, no zonesets are active until you activate another zoneset. If you activate one zoneset while another zoneset is active, the currently active zoneset is deactivated. When you activate a zoneset, the new zoneset access policies are applied. Up to four zonesets can be configurated on the switch at any given time, though ...
Page 301: E_Ports
Add (or remove) one or more member zones to the zoneset: CN4093(configzoneset)# [no] member <zone name> Repeat as necessary for each member zone. c. Exit from zoneset configuration: CN4093(configzone)# exit Activating Zoneset Fibre Channel is intended to operate with minimal disruption. To prevent the various synchronization events that would result if each stage of a live zoning configuration was applied, the cumulative configuration changes for zones and zoneset are held in reserve until explicitly activated by the administrator. When activated, the new zoneset will be synchronized throughout the Fibre Channel fabric for each modified zone. Fibre Channel traffic will be temporarily disrupted in modified zones as changes to the fabric are recognized by the connected devices. Until activation, the previously established zoneset will remain in effect. The basic zoneset commands are as follows:  Activate or deactivate a zoneset: CN4093(config)# [no] zoneset activate name <zoneset name>  View the settings for the active zoneset: CN4093# show zoneset active  View the settings for the pending configuration changes: CN4093# show zoneset E_Ports E_ports (expansion ports) connect two full fabric switches to form an inter‐switch link (ISL). Up to four Fibre Channel ISLs can be established between two full fabric switches. © Copyright Lenovo 2015 Chapter 19: Fibre Channel...
Page 302 Configuration Zone Set State is Zone Set State is No change Deactivated. Activated or Deactivated. Zone Set State is Zone Set State is Zone Set gets the Adjacent Activated. Deactivated. Zone Set State (i.e., the Zone Set is activated). Zone Set gets the adjacent Zone Set. Adjacent Zone Set is equal to the Local Zone Set No change Adjacent and Local Zone Sets contain a Zone with ISL Isolated. the same name but different members. Adjacent Zone Set contains Zones that are not Zone Set State becomes included in the Local Zone Set, and/or Local Zone Activated. Set contains Zones that are not included in the Zone Set is the merge of the Adjacent Zone Set. local Zones plus the Adjacent Zones. E‐ports cannot be used to form stack trunk links. Limitations  Lenovo N/OS supports ISL distance up to 3 kms. CN4093 Application Guide for N/OS 8.2...
Page 303: Optimized Fcoe Traffic Flow
CN4093(config)# no fcoe optimizedforwarding enable To re‐enable optimized‐forwarding feature, use the following command sequence: CN4093(config)# no fcoe fips enable CN4093(config)# fcoe optimizedforwarding enable CN4093(config)# fcoe fips enable To view optimized traffic flow information, use the following commands: CN4093(config)# show fcoe optimizedforwarding status (Show current state of feature) CN4093(config)# show fcoe optimizedacls vlan <vlan ID> (Show list of optimized ACLs) Storage Management Initiative Specification (SMI-S) Lenovo N/OS provides a programming interface using the SMI‐S to ease interoperability in a multivendor SAN environment. In this release, only limited support is provided. The CN4093 switch must be operating in full fabric mode. An embedded SMI‐S agent runs on the CN4093 and includes standard profiles as specified in the SMI‐S. These profiles include:  Fabric Profile  Indication Profile Server Profile   Switch Profile Configuration capabilities of switch, fabric, or ports is not supported. Zoning control can be implemented and includes the following functions: Session control (start, commit, and rollback)  © Copyright Lenovo 2015 Chapter 19: Fibre Channel...
Page 304  Zoning updates  Create and destroy zone set, zone, and zone alias  Add/Remove zone to zone set, zone alias, or port WWN to zone and port WWN to zone alias  Activate and deactivate zoneset The IBM Director (includes Tivoli Storage Productivity Center (TPC)) is used to configure and administer the fibre channel fabric. Connection with the SMI‐S agent can be established via IPv4 or IPv6 management interface using HTTP/HTTPS. Use the following link: http://<Management IP address>:5988 (OR) https://<Management IP address>:5989 The namespace for the SMI‐S agent is root/interop. You will need to authenticate using the login and password configured for the switch. Restrictions The current implementation of SMI‐S does not support the following:  NPV mode Zone configuration on the switch that uses FC IDs instead of port WWNs.  Note: The CLI commands may be available, but the zone configuration will not be applied. CN4093 Application Guide for N/OS 8.2...
Page 305: Fibre Channel Configuration
Note: Up to 12 Fibre Channel VLANs can be configured on the switch at any given time, any or all of which can be configured as NPV gateways. 1. Specify which Omni Ports are directly connected to Fibre Channel devices: CN4093(config)# system port ext11ext12 type fc © Copyright Lenovo 2015 Chapter 19: Fibre Channel...
Page 306: Example 2: Full Fabric Fc/Fcoe Switch
Example 2: Full Fabric FC/FCoE Switch Consider the following Fibre Channel network: Figure 35. Using the CN4093 as a Full Fabric FC/FCoE Switch Fibre Channel INTA5 FCoE Zone1 EXT13 Storage Zone1/2 Lenovo INTA6 FCoE Zone1 Converged Switch INTA7 FCoE Zone2 Fibre Channel EXT14 INTA8 FCoE Zone2 Server Zone1 Lenovo Chassis CN4093 Application Guide for N/OS 8.2...
Page 307 2. Enable tagging/trunk mode for internal ports participating in FCoE: CN4093(config)# interface port inta5inta8 CN4093(config-if)# switchport mode trunk CN4093(config-if)# exit 3. Specify all member ports for the VLAN: CN4093(configvlan)# interface port inta5inta8 CN4093(configvlan)# switchport trunk allowed vlan add 200 CN4093(configvlan)# interface fc ext13ext14 CN4093(configvlan)# switchport trunk allowed vlan add 200 Note: At least one Fibre Channel port must be included. 4. Specify a VLAN for the this Fibre Channel network: CN4093(config)# vlan 200 5. Enable full fabric mode on the VLAN: CN4093(config-vlan)# fcf enable CN4093(config-vlan)# exit © Copyright Lenovo 2015 Chapter 19: Fibre Channel...
Page 308 6. Define Fibre Channel zones: CN4093(config)# zone name Zone1 CN4093(config-zone)# member pwwn 20:34:00:80:e5:23:b1:55 CN4093(config-zone)# member pwwn 20:34:00:80:e5:27:f4:56 CN4093(config-zone)# member pwwn 20:34:00:80:e5:28:31:13 CN4093(config-zone)# member pwwn 20:34:00:80:e5:28:31:14 CN4093(config-zone)# exit CN4093(config)# zone name Zone2 CN4093(config-zone)# member pwwn 20:34:00:80:e5:28:43:57 CN4093(config-zone)# member pwwn 20:34:00:80:e5:18:b3:58 CN4093(config-zone)# member pwwn 20:34:00:80:e5:28:31:13 CN4093(config-zone)# exit CN4093(config)# zoneset name City1 CN4093(config-zoneset)# member Zone1 CN4093(config-zoneset)# member Zone2 CN4093(config-zoneset)# exit CN4093(config)# zoneset activate name City1 CN4093 Application Guide for N/OS 8.2...
Page 309: Fibre Channel Standard Protocols Supported
Fabric Device Management Interface (FDMI) NPIV NPV Gateway Fabric Shortest Path First (FSPF) Port security Fibre Channel ping, debugging Fibre Channel Standards ∙ FC‐PH, Revision 4.3 (ANSI/INCITS 230‐1994) FC‐PH, Amendment 1 (ANSI/INCITS 230‐1994/AM1 1996) FC‐PH, Amendment 2 (ANSI/INCITS 230‐1994/AM2‐1999) FC‐PH‐2, Revision 7.4 (ANSI/INCITS 297‐1997) FC‐PH‐3, Revision 9.4 (ANSI/INCITS 303‐1998) FC‐PI, Revision 13 (ANSI/INCITS 352‐2002) FC‐PI‐2, Revision 10 (ANSI/INCITS 404‐2006) FC‐PI‐4, Revision 7.0 FC‐FS, Revision 1.9 (ANSI/INCITS 373‐2003) FC‐FS‐2, Revision 0.91 FC_FS_3 Revision 1.11 FC‐LS, Revision 1.2 FC‐SW‐2, Revision 5.3 (ANSI/INCITS 355‐2001) FC‐SW‐3, Revision 6.6 (ANSI/INCITS 384‐2004) FC‐SW‐5, Revision 8.5 (ANSI/INCITS 461‐2010) FC‐GS‐3, Revision 7.01 (ANSI/INCITS 348‐2001) FC‐GS‐4, Revision 7.91 (ANSI/INCITS 387‐2004) FC‐GS‐6 Revision 9.4 (ANSI/INCITS 463‐2010) FC‐BB‐5, Revision 2.0 for FCoE FCP, Revision 12 (ANSI/INCITS 269‐1996) FCP‐2, Revision 8 (ANSI/INCITS 350‐2003) FCP‐3, Revision 4 (ANSI/INCITS 416‐2006) FC‐MI, Revision 1.92 (INCITS TR‐30‐2002, except for FL‐ports and Class 2) FC‐MI‐2, Revision 2.6 (INCITS TR‐39‐2005) FC‐SP, Revision 1.6 FC‐DA, Revision 3.1 (INCITS TR‐36‐2004) © Copyright Lenovo 2015 Chapter 19: Fibre Channel...
Page 310 CN4093 Application Guide for N/OS 8.2...
Page 311: Chapter 20. Edge Virtual Bridging
Lenovo N/OS EVB features are compliant with the IEEE 802.1Qbg Authors Group Draft 0.2. For a list of documents on this feature, see: http://www.ieee802.org/1/pages/802.1bg.html. Lenovo N/OS implementation of EVB supports the following protocols:  Virtual Ethernet Bridging (VEB) and Virtual Ethernet Port Aggregator (VEPA): VEB and VEPA are mechanisms for switching between VMs on the same hypervisor. VEB enables switching with the server, either in the software (vSwitch), or in the hardware (using single root I/O virtualization capable NICs). VEPA requires the edge switch to support “Reflective Relay”— an operation where the switch forwards a frame back to the port on which it arrived if the destination MAC address is on the same port.  Edge Control Protocol (ECP): ECP is a transport protocol that operates between two peers over an IEEE 802 LAN. ECP provides reliable, in‐order delivery of ULP (Upper Layer Protocol) PDUs (Protocol Data Units).  Virtual Station Interface (VSI) Discovery and Configuration Protocol (VDP): VDP allows hypervisors to advertise VSIs to the physical network. This protocol also allows centralized configuration of network policies that will persist with the VM, independent of its location. EVB Type‐Length‐Value (TLV): EVB TLV is a component of Link Layer  Discovery protocol (LLDP)‐based TLV used to discover and configure VEPA, ECP, and VDP. © Copyright Lenovo 2015 Chapter 20: Edge Virtual Bridging...
Page 312: Evb Operations Overview
Manager (FSM), or the Lenovo System Networking Distributed Switch 5000V. The VSIDB is the central repository for defining sets of network policies that apply to VM network ports. You can configure only one VSIDB. Note: This document does not include the VSIDB configuration details. Please see the SNSC, FSM, or Lenovo System Networking Distributed Switch 5000V guide for details on how to configure VSIDB. The VSIDB operates in the following sequence: 1. Define VSI types in the VSIDB. The VSIDB exports the database when the CN4093 sends a request. 2. Create a VM. Specify VSI type for each VM interface. See the SNSC, FSM, or ...
Page 313: Vlan Behavior
Manual RR and EVB profile cannot be configured on a port at the same time. Note: If a port is a member of an isolated VLAN, the manual reflective relay will not work. See “Private VLANs” on page 128 for more information on isolated VLANs. © Copyright Lenovo 2015 Chapter 20: Edge Virtual Bridging...
Page 314: Evb Configuration
EVB Configuration This section includes the steps to configure EVB based on the following values:  Profile number: 1  Port number: 1  Retry interval: 8000 milliseconds  VSI Database: Manager IP: 172.31.37.187  Port: 80  Note: VSI Database can be accessed via HTTP or HTTPS. The manager IP can be configured with an IPv4 or IPv6 address. 1. Create an EVB profile. CN4093(config)# virt evb profile 1 (Enter number from 1‐16) 2. Enable Reflective Relay. CN4093(confevbprof)# reflectiverelay 3. Enable VSI discovery. CN4093(confevbprof)# vsidiscovery CN4093(confevbprof)# exit 4. Add EVB profile to port. CN4093(config)# interface port 1 CN4093(configif)# evb profile 1 (Enter EVB profile ID) CN4093(configif)# exit 5. Configure ECP retransmission interval. CN4093(config)# ecp retransmitinterval 8000 (Enter retransmission interval in milliseconds (100‐9000) 6. Set VSI database information. CN4093(config)# virt evb vsidb 1 CN4093(confvsidb)# protocol {http|https}(Select VSI database protocol; default is HTTP) CN4093(confvsidb)# host 172.31.37.187 [dataport|extmport|mgtport]...
Page 315 Note: When you connect to a SNSC VSIDB, the port/docpath configuration is as follows: HTTP:  Port: 40080  Docpath: snsc/rest/vsitypes  HTTPS:  Port: 40443  Docpath: snsc/rest/vsitypes  When you connect to a 5000v VSIDB, the port/docpath configuration is as follows:  Port: 80  Docpath: vsitypes © Copyright Lenovo 2015 Chapter 20: Edge Virtual Bridging...
Page 316: Configuring Evb In Stacking Mode
Configuring EVB in Stacking Mode This section is applicable only to CN4093 10Gb Converged Scalable Switch. A stack is a group of up to [eight] CN4093 10Gb Converged Scalable Switch switches with Lenovo N/OS that work together as a unified system. The switches in a stack are interconnected by a stack trunk in a local ring topology. An operational stack must contain one Master and one or more Members, as follows:  Master One switch controls the operation of the stack and is called the Master. The Master provides a single point to manage the stack. A stack must have one and only one Master. The firmware image, configuration information, and run‐time data are maintained by the Master and pushed to each switch in the stack as necessary.  Member Member switches provide additional port capacity to the stack. Members receive configuration changes, run‐time information, and software updates from the Master.  Backup One member switch can be designated as a Backup to the Master. The Backup takes over control of the stack if the Master fails. Configuration information and run‐time data are synchronized with the Master. For details on implementing the stacking feature, see “Stacking” on page 201. EVB can be configured on any port in the stack. Use the Master to configure EVB on a port in the stack. The port numbers in a stack use the following format: <switch number>:<port number> Configure VSIDB on a data or management port that resides on the Master. The Master process the EVB‐related information for all the switch ports in a stack. The Master performs the VSIDB synchronization (See “VSIDB Synchronization” on page 312). The Master synchronizes all EVB changes with the Backup. If the Master fails, the Backup takes over control of the stack. The VSI associations on the Master ports are lost. All other VSI associations remain unchanged.
Page 317: Limitations
Limitations  If both ACL and egress bandwidth metering are enabled, traffic will first be matched with the ACL and will not be limited by bandwidth metering. ACLs based on a source MAC or VLAN must match the source MAC and VLAN  of the VM. If not, the policy will be ignored and you will see the following warning message: "vm: VSI Type ID 100 Associated mac 00:50:56:b6:c0:ff on port 6, ignore 1 mismatched ACL" © Copyright Lenovo 2015 Chapter 20: Edge Virtual Bridging...
Page 318: Unsupported Features
Unsupported features The following features are not supported on ports configured with EVB:  LAG/VLAG  vNIC  VMready CN4093 Application Guide for N/OS 8.2...
Page 319: Chapter 21. Static Multicast Arp
256 ACL and multicast MAC entries together.The ACL entries have a higher priority. In the default profile, the number of static multicast ARP entries that you configure does not affect the total number of ACL entries. © Copyright Lenovo 2015 Chapter 21: Static Multicast ARP...
Page 320: Configuration Example
Configuring Static Multicast ARP To configure multicast MAC ARP, you must perform the following steps:  Configure the static multicast forwarding database (FDB) entry: Since there is no port list specified for static multicast ARP, and the associated MAC address is multicast, you must specify a static multicast FDB entry for the cluster MAC address to limit the multicast domain. If there is no static multicast FDB entry defined for the cluster MAC address, traffic will not be forwarded. Use the following command: CN4093(config)# macaddresstable multicast <cluster MAC address> <port(s)>  Configure the static multicast ARP entry: Multicast ARP static entries should be configured without specifying the list of ports to be used. Use the following command: CN4093(config)# ip arp <destination unicast IP address> <destination multicast MAC address> vlan <cluster VLAN number> Configuration Example Consider the following example:  Cluster unicast IP address: 10.10.10.42  Cluster multicast MAC address: 03:bf:0A:0A:0A:2A  Cluster VLAN: 42  List of individual or port trunks to which traffic should be forwarded: 54 and 56 Following are the steps to configure the static multicast ARP based on the given example: 1. Configure the static multicast FDB entry. CN4093(config)# macaddresstable multicast 03:bf:0A:0A:0A:2A 42 54,56 2. Configure the static multicast ARP entry: CN4093(config)# ip arp 10.10.10.42 03:bf:0A:0A:0A:2A vlan 42 You can verify the configuration using the following commands: Verify static multicast FDB entry: ...
Page 321  Verify static multicast ARP entry: CN4093(config)# show ip arp Current ARP configuration: rearp 5 Current static ARP: ip mac port vlan 10.10.10.42 42 03:bf:0A:0A:0A:2A Total number of arp entries : 2 IP address Flags MAC address VLAN Age Port 10.10.10.1 P fc:cf:62:9d:74:00 42 10.10.10.42 P 03:bf:0A:0A:0A:2A © Copyright Lenovo 2015 Chapter 21: Static Multicast ARP...
Page 322: Limitations
Limitations  You must configure the ARP only in the Layer 2/Layer 3 node or the router node but not in the Layer 2‐only node. Lenovo N/OS cannot validate if the node is Layer 2‐only.  The packet is always forwarded to all the ports as specified in the Multicast MAC address configuration. If VLAN membership changes for the ports, you must update this static multicast MAC entry. If not, the ports, whose membership has changed, will report discards.  ACLs take precedence over static multicast ARP. If an ACL is configured to match and permit ingress of unicast traffic, the traffic will be forwarded based on the ACL rule, and the static multicast ARP will be ignored. CN4093 Application Guide for N/OS 8.2...
Page 323: Chapter 22. Unified Fabric Port
NIC Port Switch Port vPort Switch VNIC OS or vPort Hypervisor VNIC vPort vPort VNIC The UFP protocol has the following operation categories:  Channel Initialization: The server NIC and the switch port negotiate the number of channels and establish channel identifiers. Each UFP channel has a data component and a control component. The two components have the same UFP channel ID.  Channel Control: For an established channel, the switch can modify configurable channel properties by sending a control message on the UFP channel. While the channel ID is the same for the control and data components, the destination MAC address of the control message frame is a well‐known address 0180C2000003.  Discovery Capability: UFP can discover other ports that are UFP enabled. Once you enable UFP, you can check the information statistics for established channels. © Copyright Lenovo 2015 Chapter 22: Unified Fabric Port...
Page 324: Ufp Limitations
UFP Limitations The following limitations apply when configuring UFP:  FCoE must be configured only on vPort 2 of the physical NIC for Emulex CNA and on vport 1 of the physical NIC for Qlogic CNA. UFP port in FCoE mode cannot operate with FIP auto‐VLAN feature.   VLANs that have member vPorts configured in trunk‐, access‐, or auto‐modes cannot have member vPorts configured in tunnel mode or FCoE.  vPorts on a physical port must be members of separate VLANs.  VLANs 4002‐4005 are reserved for outer tagging.  A UFP‐enabled port with no vPorts configured cannot belong to the same VLAN as a UFP‐enabled port that has vPorts configured in trunk, access, or auto modes.  UFP bandwidth is guaranteed lossless only for unicast traffic. VMready is supported only on a vPort which is configure in auto‐VLAN mode.  When a vPort is in auto‐VLAN mode, it can support up to 32 VMGroups.  EVB is supported only on a vPort which is configured in auto‐VLAN mode.  VMready and EVB cannot be configured on the same physical port. UFP vPorts support up to 1024 VLANs in trunk and auto‐mode on the switch in  standalone mode.  When CEE is turned on, FCoE vPort must be used for lossless priority traffic. For loss‐tolerant priority traffic, a non‐FCoE UFP vPort must be used. The lossless property of FCoE vPort is not guaranteed, if lossless and loss‐tolerant traffic are combined.  When the vPort is enabled and the channel link state is up, the system does not support changing vPort VLAN type from private/non‐private to non‐private/private. ...
Page 325: Virtual Ports Modes
 Use pass‐through domain data path types for tunnel mode. In tunnel mode, a vPort can belong to only one VLAN. Use the following command to configure UFP vPort mode: CN4093(config)# ufp port <num> vport <num> CN4093(config_ufp_vport)# network mode {access|trunk|auto|tunnel|fcoe} Default mode is ‘tunnel’ Tunnel Mode In tunnel mode, a vPort can belong to only one VLAN. An outer tag with the vPort’s VLAN ID is inserted in packets that egress the vPort. The inner VLAN tag remains unchanged. The switch processes packets based on the outer tag. When all the ports or vPorts that belong to a particular VLAN are placed in tunnel mode, they belong to one pass‐through domain. Use tunnel mode to send all VM data traffic to an upstream switch, for Layer 2 or Layer 3 processing, in one domain. In such cases, the UFP port or vPort must be in tunnel mode and the upstream switch port must be in 802.1Q trunk mode. Note: Two vPorts on a physical port cannot be members of the same VLAN. © Copyright Lenovo 2015 Chapter 22: Unified Fabric Port...
Page 326: Access Mode
Figure 37. Packet pass‐through in Tunnel Mode Server vNICs vPorts Lenovo Switch Ports without vNICs OS/Hypervisor Regular NIC attaches UFP Switching uses outer tag; Switch strips VLAN ID Channel VLAN ID Ignores regular VLAN outer tag Outbound Packet Switching uses outer tag; Switch adds outer Outer tag sets vNIC;...
Page 327 FCoE Mode FCoE traffic is carried by a vPort. The server‐side endpoint of this virtual port will be represented through a FC vHBA. Setting a virtual port in FCoE mode will enable Priority‐based Flow Control (PFC) on the physical port. A vPort configured in FCoE mode can only be attached to a Fibre Channel (FC) VLAN. Only vPort 2 on a physical port can be configured in FCoE mode. A vPort in FCoE mode operates as a local domain data path type with packets being single tagged. Auto-VLAN Mode When a vPort is configured in auto‐VLAN mode, the vPort participates in VM discovery using VMready or 802.1Qbg. VLANs are dynamically provisioned based on VMready discovery or 802.1Qbg VM association. When a vPort operates in auto‐VLAN mode, it supports 32 VM groups. In the case of 802.1Qbg, when a vPort operates in auto‐VLAN mode, the maximum number of VLANs in the inner tag is 1024 when switch is configured in standalone mode. The vPort cannot be configured in Virtual Ethernet Port Aggregator (VEPA) mode. © Copyright Lenovo 2015 Chapter 22: Unified Fabric Port...
Page 328: Ufp Bandwidth Provisioning
UFP Bandwidth Provisioning UFP provides one mode of bandwidth provisioning for vPort: Strict Bandwidth Provisioning Mode. UFP Strict Bandwidth Provisioning Mode Strict bandwidth provisioning mode configures the switch and NIC apply bidirectional bandwidth control on the vPort as per the defined configuration. By default, a bandwidth of 2.5 Gbps per vPort is guaranteed. If other vPorts are idle, the bandwidth of a vPort can be up to 10 Gbps. A minimum bandwidth of 1 Gbps is provisioned, which can be raised by 100 Mbps increments. The sum of the minimum bandwidth guaranteed for all vPorts together cannot exceed the capacity of the physical link. A vPort can also be configured with a maximum bandwidth. This mode works with the port scheduler to avoid unintended packet drops due to policing through EFP metering block. If flow control is enabled, the switch provides a no‐drop packet forwarding behavior, which improves end‐to‐end TCP‐throughput performance. Note: If a vPort is configured with low upper limit, it might lead to head-of-line congestion on the egress port. By default, uplink ports have a separate traffic class for storage traffic with ...
Page 329: Using Ufp With Other Cn4093 10Gb Converged Scalable Switch Features
Private VLANs It supports the following Private VLAN modes in UFP VPORTs:  Disable Trunk   Host The following are the criteria of these Private VLAN modes: Private‐vlan mode is disabled:  Allow only non‐private domain.   Private‐vlan mode is trunk: Allow both primary and secondary VLAN which are belonging to the private  VLAN domain. Allow non‐private‐vlan domains.  VPORTs belonging to the same UFP port cannot be in the same private‐vlan  domain. For traffic of specific VLAN to be passed through this port, itʹs required that  port to be explicitly added into that VLAN. For example, for this UFP port to pass traffic in private vlan primary 100 and secondary 10, port must be added to both VLANs 100 and 10. Since this port type is intended to be functional as an ISL port, the isolate‐vlan  is allowed to pass through this port type. © Copyright Lenovo 2015 Chapter 22: Unified Fabric Port...
Page 330: Vmready
 Private‐vlan mode is host: Allow only ONE secondary VLAN. In the case of VPORT trunk mode, there  will be multiple VLANs assigned to the VPORT, but we still can only allow ONE secondary VLAN. The other VLANs will be in different private VLAN domain. Not working if physical port of VPORT is in the same Private VLAN domain;  i.e. when a VPORT is configured as private‐vlan host, other VPORTs belonging to the same physical UFP port cannot be in the same private‐vlan domain. Warning if no primary VLAN is associated with the secondary VLAN  assigned to VPORT. UFP with private VLANs is supported under the following limitations:  Available only in standalone mode, not available in stacking. vPorts from the same physical port cannot belong to the same private VLAN  domain.  vPorts cannot be configured with a primary VLAN as a default VLAN, only with secondary VLANs.  UFP ports cannot have switchport mode private‐vlan enabled on them.  Private VLAN is supported only on vPorts configured with trunk or access mode. UFP cannot be configured on promiscuous ports.  For more information on private VLANs, see “Private VLANs” on page 128 . VMReady Configuring with UFP and VMReady, the CN4093 can support up to 32 VMGroups with UFP vPorts in auto‐mode. VMReady is supported only on a vPort which is configured in auto‐VLAN mode. For more information on VMReady, see “VMready” on page 241. 802.1Qbg Configured with Edge Virtual Bridging (EVB), UFP supports up to 1024 VLANs ...
Page 331: Ufp Configuration Examples
2. Configure internal port as UFP. CN4093(config)# ufp port INTA1 enable Warning: "Tagging/Trunkmode" is enabled on UFP port INTA1 3. Configure virtual port. CN4093(config)# ufp port INTA1 vport 1 4. Configure vPort access mode. CN4093(config_ufp_vport)# network mode access 5. Configure vPort default VLAN. CN4093(config_ufp_vport)# network defaultvlan 100 6. Ensure tagging is disabled on vPort. CN4093(config_ufp_vport)# no network defaulttag 7. Specify QoS parameters for the vPort. CN4093(config_ufp_vport)# qos bandwidth min 25 (in percentage) CN4093(config_ufp_vport)# qos bandwidth max 100 (in percentage) 8. Enable vPort. CN4093(config_ufp_vport)# enable CN4093(config_ufp_vport)# exit 9. Configure PVID/Native VLAN for external port 1. CN4093(config)# interface port EXT1 CN4093(configif)# switchport mode access CN4093(configif)# switchport access vlan 100 © Copyright Lenovo 2015 Chapter 22: Unified Fabric Port...
Page 332: Example 2: Trunk Mode
Example 2: Trunk Mode Following is an example configuration of UFP vPorts in trunk mode. 1. Turn on UFP. CN4093(config)# ufp enable 2. Configure internal port 1 as UFP. CN4093(config)# ufp port INTA1 enable Warning: "Tagging/Trunkmode" is enabled on UFP port INTA1 3. Configure virtual port. CN4093(config)# ufp port INTA1 vport 1 4. Configure vPort trunk mode. CN4093(config_ufp_vport)# network mode trunk 5. Configure vPort default VLAN. CN4093(config_ufp_vport)# network defaultvlan 100 6. Specify QoS parameters for the vPort. CN4093(config_ufp_vport)# qos bandwidth min 25 (in percentage) CN4093(config_ufp_vport)# qos bandwidth max 100 (in percentage) 7. Enable vPort. CN4093(config_ufp_vport)# enable CN4093(config_ufp_vport)# exit 8. Configure internal port 2 as UFP. CN4093(config)# ufp port INTA2 enable Warning: "Tagging/Trunkmode" is enabled on UFP port INTA2 9. Configure virtual port. CN4093(config)# ufp port INTA2 vport 3 10. Configure vPort trunk mode. CN4093(config_ufp_vport)# network mode trunk CN4093 Application Guide for N/OS 8.2...
Page 333 12. Ensure tagging is disabled on vPort. CN4093(config_ufp_vport)# no network defaulttag 13. Specify QoS parameters for the vPort. CN4093(config_ufp_vport)# qos bandwidth min 25 (in percentage) CN4093(config_ufp_vport)# qos bandwidth max 100 (in percentage) 14. Enable vPort. CN4093(config_ufp_vport)# enable CN4093(config_ufp_vport)# exit 15. Enable tagging/trunk mode on external port 1. CN4093(config)# interface port EXT1 CN4093(configif)# switchport mode trunk CN4093(configif)# switchport trunk native vlan 100 CN4093(configif)# switchport trunk allowed vlan add 200,300 CN4093(configif)# exit 16. Configure VLAN 200 parameters. CN4093(config)# vlan 200 CN4093(configvlan)# vmember INTA1.1 CN4093(configvlan)# vmember INTA2.3 CN4093(configvlan)# exit 17. Configure VLAN 300 parameters. CN4093(config)# vlan 300 CN4093(configvlan)# vmember INTA1.1 CN4093(configvlan)# vmember INTA2.3 CN4093(configvlan)# exit © Copyright Lenovo 2015 Chapter 22: Unified Fabric Port...
Page 334: Example 3: Auto-Vlan Mode With Vmready
Example 3: Auto-VLAN Mode with VMready 1. Turn on UFP. CN4093(config)# ufp enable 2. Configure internal port 1 as UFP. CN4093(config)# ufp port INTA1 enable Warning: "Tagging/Trunkmode" is enabled on UFP port INTA1 3. Configure virtual port. CN4093(config)# ufp port INTA1 vport 1 4. Configure vPort default VLAN. CN4093(config_ufp_vport)# network defaultvlan 100 5. Configure vPort auto mode. CN4093(config_ufp_vport)# network mode auto Note: VLAN is dynamically added by 802.1Qbg. 6. Specify QoS parameters for the vPort. CN4093(config_ufp_vport)# qos bandwidth min 25 (in percentage) CN4093(config_ufp_vport)# qos bandwidth max 100 (in percentage) 7. Enable vPort. CN4093(config_ufp_vport)# enable CN4093(config_ufp_vport)# exit 8. Enable virtual machine groups. CN4093(config)# virt enable 9.
Page 335: Example 4: Auto-Vlan Mode With Edge Virtual Bridging
Example 4: Auto-VLAN Mode with Edge Virtual Bridging Following is an example configuration of UFP vPorts in auto mode. 1. Turn on UFP. CN4093(config)# ufp enable 2. Configure internal port 1 as UFP. CN4093(config)# ufp port INTA1 enable Warning: "Tagging/Trunkmode" is enabled on UFP port INTA1 3. Configure a vPort. CN4093(config_ufp_vport)# ufp port INTA1 vport 1 4. Configure the vPort’s default VLAN. CN4093(config_ufp_vport)# network defaultvlan 20 5. Set the vPort to tunnel mode. CN4093(config_ufp_vport)# network mode auto Note: VLAN is dynamically added by 802.1Qbg. 6. Configure the EVG profile for the vPort. CN4093(config_ufp_vport)# evb profile 1 © Copyright Lenovo 2015 Chapter 22: Unified Fabric Port...
Page 336: Example 5: Tunnel Mode
7. Specify QoS parameters for the vPort. CN4093(config_ufp_vport)# qos bandwidth min 25 (in percentage) CN4093(config_ufp_vport)# qos bandwidth max 100 (in percentage) 8. Enable vPort. CN4093(config_ufp_vport)# enable CN4093(config_ufp_vport)# exit 9. Configure the Edge Virtual Bridging profile. CN4093(config)# virt evb profile 1 CN4093(confevbprof)# reflectiverelay CN4093(confevbprof)# vsidiscovery CN4093(confevbprof)# exit 10. Configure the Edge Virtual Bridging database. CN4093(config)# virt evb vsidb 1 CN4093(confvsidb)# host 10.100.48.20 CN4093(confvsidb)# filepath vsitypes CN4093(confvsidb)# exit Note: VLANs in the database are dynamically added by 802.1Qbg. Example 5: Tunnel Mode Following is an example configuration of UFP vPorts in tunnel mode. 1. Turn on UFP. CN4093(config)# ufp enable 2.
Page 337: Example 6: Fcoe Mode
9. Configure tagging on external port 1. CN4093(config)# interface port EXT1 CN4093(configif)# tagpvidingress CN4093(configif)# no vlan dot1q tag native CN4093(configif)# switchport access vlan 4000 CN4093(configif)# exit Example 6: FCoE Mode Following is an example configuration of UFP vPorts in FCoE mode. This example is consistent with the network shown in Figure 31 on page 262. 1. Enable CEE. CN4093(config)# cee enable 2. Enable FIPs. CN4093(config)# fcoe fips enable 3. Turn on UFP. CN4093(config)# ufp enable 4. Configure internal port as UFP. CN4093(config)# ufp port INTA1 enable Warning: "Tagging/Trunkmode" is enabled on UFP port INTA1 5. Configure virtual port. CN4093(config)# ufp port INTA1 vport 2 © Copyright Lenovo 2015 Chapter 22: Unified Fabric Port...
Page 338: Example 7: Private Vlan Configuration
6. Configure vPort FCoE mode. CN4093(config_ufp_vport)# network mode fcoe 7. Configure vPort default VLAN. CN4093(config_ufp_vport)# network defaultvlan 1102 8. Ensure tagging is disabled on vPort. CN4093(config_ufp_vport)# no network defaulttag 9. Specify QoS parameters for the vPort. CN4093(config_ufp_vport)# qos bandwidth min 25 (in percentage) CN4093(config_ufp_vport)# qos bandwidth max 100 (in percentage) 10. Enable vPort. CN4093(config_ufp_vport)# enable CN4093(config_ufp_vport)# exit 11. Enable tagging/trunk mode on external port. CN4093(config)# interface port EXT4 CN4093(configif)# switchport mode trunk CN4093(configif)# switchport trunk native vlan 1 CN4093(configif)# switchport trunk allowed vlan add 1,1102 CN4093(configif)# exit Example 7: Private VLAN Configuration Follow this procedure to configure a Private VLAN. 1. Select a VLAN and define the Private VLAN type as primary. CN4093(config)# vlan 700 CN4093(config)# privatevlan primary CN4093(config)# exit 2. Configure a promiscuous port for VLAN 700. CN4093(config)# interface port INTA10 CN4093(configif)# switchport mode privatevlan CN4093(configif)# switchport privatevlan mapping 700 CN4093(configif)# exit...
Page 339: Example 8: Layer 2 Failover Configuration
CN4093(config)# ufp port INTA2 vport 1 CN4093(configufpvport)# network privatevlan trunk CN4093(configufpvport)# network defaultvlan 200 CN4093(configufpvport)# network mode trunk CN4093(configufpvport)# enable CN4093(configufpvport)# exit CN4093(config)# vlan 701 CN4093(configvlan)# vmember INTA1.1 CN4093(configvlan)# exit CN4093(config)# vlan 702 CN4093(configvlan)# vmember INTA2.1 CN4093(configvlan)# exit 6. Verify the configuration. CN4093(config)# show vlan privatevlan Example 8: Layer 2 Failover Configuration While configuring a failover trigger, you cannot use the member command for a physical port that has vPorts configured. Instead, you must use the vmember command to add the vPorts as members of a failover trigger. The following example includes the commands to configure a failover trigger using a physical port INTA8 (UFP not enabled) and vPorts INTA9.1, INTA9.2, INTA9.3, and INTA9.4 configured on UFP‐enabled physical port INTA9. See “Example 1: Access Mode” on page 331 for steps to configure a vPort in access mode. Follow the steps below for configuring the failover trigger: © Copyright Lenovo 2015 Chapter 22: Unified Fabric Port...
Page 340: Updating From Lenovo Networking Os 7.7 Or Prior
CN4093(config)# failover trigger 1 mmon control vmember INTA9.1,INTA9.2,INTA9.3,INT A9.4 Note: If you try to add a physical port (that has vPorts configured) as a member of a trigger, you may see the following error message when you enable the trigger: CN4093(config)#failover trigger 1 ena Failover Error: trigger 1 physical port INTA9 has virtual ports. 3. Enable failover trigger: CN4093(config)# failover trigger 1 enable Updating from Lenovo Networking OS 7.7 or Prior Beginning with N/OS 7.8, physical ports that have UFP enabled cannot be members of a failover trigger; only the vPorts can be members of a failover trigger. In a previous configuration (N/OS 7.7 or prior), If you had UFP‐enabled ports as members of a failover trigger, the trigger will not work as expected after you update the switch software version to N/OS 7.8 or later.You may also experience other issues, such as not being able to shutdown or restart the UFP‐enabled ports. To overcome this issue, do the following: 1. Delete the trigger (CN4093(config)# no failover trigger x). 2. Reconfigure the trigger using the appropriate commands. For the UFP‐enabled port, add the vPorts as members of the failover trigger (CN4093(config)# failover trigger x mmon control vmember ...
Page 341: Chapter 23. Switch Partition
Chapter 23. Switch Partition Switch Partition (SPAR) enables consolidation of multiple network partitions within an embedded switch. SPARs divide the data plane of a physical switch into independent switching domains. Switch partitions are isolated from each other. Traffic originating in one SPAR stays local to that SPAR. Within a partitioned switch, traffic from one SPAR is never delivered to another SPAR. Traffic from one SPAR can, however, be delivered to another SPAR by traversing an upstream link and switch. Each individual SPAR requires exactly one uplink, which can be a port, a port channel, or an LACP group. Limiting SPAR connectivity to one external uplink prevents the creation of loops. SPAR operates as a Layer 2 broadcast network. Hosts on the same VLAN, attached to a SPAR, can communicate with each other and with the upstream switch. Hosts on the same VLAN, but attached to different SPARs, communicate via the upstream switch. © Copyright Lenovo 2015 Chapter 23: Switch Partition...
Page 342: Spar Processing Modes
SPAR Processing Modes SPAR operates in two processing modes. The default mode is pass‐through domain.  Local Domain: In local‐domain processing mode, VLAN classification and assignment is based on the user‐defined VLAN.  Pass‐through Domain: In pass‐through domain processing mode, VLAN classification and assignment is based on the outer tag, which contains the unique domain VLAN ID of the SPAR. The inner tag with the user‐defined VLAN remains unchanged. Local Domain Processing Each SPAR on a switch has a unique VLAN ID, which separates data between SPARs. If multiple networks share the uplink, the upstream switch port must be configured as a 802.1Q trunk port so it can process multiple VLAN traffic from a SPAR. The SPAR domain uses a single uplink port or LAG shared among all the VLANs. For link redundancy or greater bandwidth, the uplinks can be grouped as static or LACP LAG. If a VLAN is defined on multiple SPARs, the egress port mask is used to prevent communication between the SPARs in the same local domain VLAN. Since port membership of each SPAR is unique, the egress port mask ensures that different SPAR ports in the same local domain VLAN do not communicate with each other. In local domain processing, all SPAR ports must have the following settings:  Tagging/Trunk mode must be enabled.  Ingress VLAN tagging is disabled on all SPAR ports.  PVID/Native VLAN is based on any VLAN defined in SPAR. CN4093(config)# interface port <num> CN4093(configif)# switchport trunk native vlan <VLAN number> CN4093 Application Guide for N/OS 8.2...
Page 343: Pass-Through Domain Processing
Pass-Through Domain Processing Pass‐through domain processing is the default operating mode for SPAR when performing L2 switching based on an outer tag. In pass‐through processing mode, each SPAR is identified by its unique VLAN domain ID. Packets are classified based on the SPAR domain ID (outer tag). SPAR ports must be configured in tunnel mode. SPAR provides single or multiple VLAN connectivity through a single uplink port or LAG (static or LACP). VLAN definition within the SPAR domain is not required. Pass‐through domain operates in Q‐In‐Q mode. Inside SPAR, different user‐defined VLAN traffic is classified into single S‐VLAN (service VLAN) associated with the SPAR. Although the uplink can be shared by multiple networks using the pass‐through domain, SPAR will not be server‐VLAN aware. Hence, multiple VLAN traffic will be mixed together in a single broadcast domain, that is, broadcast traffic on different VLANs from the upstream network will reach all servers attached to the SPAR pass‐through domain. The servers drop the packets if they do not belong to the desired VLAN. The pass‐through implementation uses ingress VLAN tagging, that is, tagpvid‐ingress is enabled on all SPAR ports. In pass‐through domain processing mode, all SPAR ports must have the following settings: PVID/Native VLAN tagging is disabled.   Ingress VLAN tagging is enabled on all SPAR ports. PVID/Native VLAN is based on the SPAR DVLAN.  CN4093(config)# interface port <num> CN4093(configif)# switchport trunk native vlan <VLAN number> © Copyright Lenovo 2015 Chapter 23: Switch Partition...
Page 344: Unsupported Features
Unsupported Features The following features are not supported when SPAR is configured:  802.1x  Edge Virtual Bridging  Hotlinks  IGMP  Layer 3 Configuration  Management VLAN  Private VLAN  Protocol VLAN  sFlow  Stacking  STP, RSTP, MRSTP, PVST   vLAG  VMAP  VMready VNIC  Limitations The following limitations apply:  UFP and SPAR cannot be configured together.  Trunks must first be configured for SPAR before they can be used. Static or Link Aggregation Control Protocol (LACP) trunks created on the global switch ...
Page 345  ACLs defined on the global switch can be used for SPAR ports. However, the following restrictions apply: An ACL cannot be shared across SPAR ports if:  • An exit port (CN4093(config)# accesscontrol list <number> egressport port <number>) is used as a filtering criteria and the exit port does not belong to the same SPAR as the port on which the ACL is applied. • A monitor port is used as a filtering criteria, and the monitor port does not belong to the same SPAR as the mirrored port and is not defined on the global switch. These ACL restrictions apply to all ACLs defined in an ACL group.   Port mirroring can be configured on SPAR ports, but the monitor port must either belong to the same SPAR as the mirrored port or must be defined on the global switch.  Layer 2 failover features can be configured on SPAR ports. However, the Layer 2 failover Auto Monitor (AMON) option is not supported. Only the Layer 2 failover Manual Monitor (MMON) option can be used when all ports defined within the trigger belong to the same SPAR. © Copyright Lenovo 2015 Chapter 23: Switch Partition...
Page 346: Spar Vlan Management
SPAR VLAN Management SPAR VLANs use the same 4000 VLAN space available for other applications/features on the switch. The VLAN ID can be in the range of 2 ‐ 4094. VLAN 1 and the management VLAN 4095 are reserved for the global switch context. A VLAN assigned to a SPAR cannot be used for any other switch application. Similarly, VLAN used by any other switch application cannot be assigned to a SPAR. SPAR member ports cannot be members of any other VLAN. CN4093 Application Guide for N/OS 8.2...
Page 347: Example Configurations
This example describes configuration of SPAR 1 in pass‐through mode with internal server ports INTA5 through INTA10, with a single port, EXT1. 1. Create SPAR 1. CN4093(config)# spar 1 Each SPAR is identified with a number that ranges 1 though 8. 2. Add a single uplink port to SPAR 1. CN4093(configspar)# uplink port EXT1 3. Set the mode of the SPAR to passthrough CN4093(configspar)# domain mode passthrough 4. Configure SPAR VLAN to 4081. CN4093(configspar)# domain default vlan 4081 5. Add ports INTA5 through INTA10 to SPAR 1. CN4093(configspar)# domain default member INTA5INTA10 6. Enable SPAR 1. CN4093(configspar)# enable Local Domain Configuration This example demonstrates how to create a SPAR in local‐domain mode consisting of internal server ports INTA11‐INTA14 and a single uplink port, EXT 2. 1. Create SPAR 2. CN4093(config)# spar 2 2. Add uplink port EXT 2 to SPAR 2. CN4093(configspar)# uplink port EXT2 © Copyright Lenovo 2015 Chapter 23: Switch Partition...
Page 348 3. Set the SPAR to local domain mode. CN4093(configspar)# domain mode local 4. Configure SPAR VLAN to 4082. CN4093(configspar)# domain default vlan 4082 5. Add server ports INTA11 through INTA14. CN4093(configspar)# domain default member INTA11INTA14 6. Configure the VLANs for SPAR 2. Each SPAR has a set of local domains numbered 1 through 32, each of which identifies an allowed VLAN. The following steps create three local domains: VLAN, 10, 20, and 30 7. Create local domain 1, assign VLAN 10, and specify the SPAR ports that are members of the that VLAN. CN4093(configspar)# domain local 1 vlan 10 CN4093(configspar)# domain local 1 member INTA11INTA14 CN4093(configspar)# domain local 1 enable 8. Create local domain 2, assign VLAN 20, and specify the SPAR ports that are members of the that VLAN. CN4093(configspar)# domain local 2 vlan 20 CN4093(configspar)# domain local 2 member INTA11INTA14 CN4093(configspar)# domain local 2 enable 9. Create local domain 3, assign VLAN 30, and specify the SPAR ports that are members of the that VLAN. CN4093(configspar)# domain local 3 vlan 30 CN4093(configspar)# domain local 3 member INTA11INTA14 CN4093(configspar)# domain local 3 enable 10. Enable SPAR 2. CN4093(configspar)# enable CN4093 Application Guide for N/OS 8.2...
Page 349: Part 5: Ip Routing
Part 5: IP Routing This section discusses Layer 3 switching functions. In addition to switching traffic at near line rates, the application switch can perform multi‐protocol routing. This section discusses basic routing and advanced routing protocols:  Basic Routing  Routing Information Protocol (RIP)  Internet Group Management Protocol (IGMP)  Border Gateway Protocol (BGP)  Open Shortest Path First (OSPF) © Copyright Lenovo 2015...
Page 350 CN4093 Application Guide for N/OS 8.2...
Page 351: Chapter 24. Basic Ip Routing
 Connects the server IP subnets to the rest of the backbone network.  Provides the ability to route IP traffic between multiple Virtual Local Area Networks (VLANs) configured on the switch. Routing Between IP Subnets The physical layout of most corporate networks has evolved over time. Classic hub/router topologies have given way to faster switched topologies, particularly now that switches are increasingly intelligent. The CN4093 is intelligent and fast enough to perform routing functions on par with wire‐speed Layer 2 switching. The combination of faster routing and switching in a single device provides another service—it allows you to build versatile topologies that account for legacy configurations. Consider an example in which a corporate campus has migrated from a router‐centric topology to a faster, more powerful, switch‐based topology. As is often the case, the legacy of network growth and redesign has left the system with a mix of illogically distributed subnets. This is a situation that switching alone cannot cure. Instead, the router is flooded with cross‐subnet communication. This compromises efficiency in two ways:  Routers can be slower than switches. The cross‐subnet side trip from the switch to the router and back again adds two hops for the data, slowing throughput con‐ siderably. Traffic to the router increases, increasing congestion.  Even if every end‐station could be moved to better logical subnets (a daunting task), competition for access to common server pools on different subnets still burdens the routers. This problem is solved by using CN4093s with built‐in IP routing capabilities. Cross‐subnet LAN traffic can now be routed within the switches with wire speed Layer 2 switching performance. This not only eases the load on the router but saves the network administrators from reconfiguring each and every end‐station with new IP addresses. © Copyright Lenovo 2015...
Page 352 Take a closer look at the CN4093 in the following configuration example: Figure 39. Switch‐Based Routing Topology First Floor Second Floor 10/100 Client Subnet 10/100 Client Subnet 131.15.15.2-254 100.20.10.2-254 10 Gbps Server Subnet: 206.30.15.2-254 Primary Default IF#2 IF#3 Router: 205.21.17.1 IF#4 IF#1 10 Gbps Secondary Default Router: 205.21.17.2 The CN4093 connects the Gigabit Ethernet and Fast Ethernet trunks from various switched subnets throughout one building. Common servers are placed on another subnet attached to the switch. A primary and backup router are attached to the switch on yet another subnet. Without Layer 3 IP routing on the switch, cross‐subnet communication is relayed to the default gateway (in this case, the router) for the next level of routing ...
Page 353: Subnet Routing Example
Subnet Routing Example Prior to configuring, you must be connected to the switch Command Line Interface (CLI) as the administrator. Note: For details about accessing and using any of the menu commands described in this example, see the Lenovo N/OS Command Reference. 1. Assign an IP address (or document the existing one) for each router and client workstation. In the example topology in Figure 39 on page 352, the following IP addresses are used: Table 34. Subnet Routing Example: IP Address Assignments Subnet Devices IP Addresses Primary and Secondary Default ...
Page 354 3. Set each server and workstation’s default gateway to the appropriate switch IP interface (the one in the same subnet as the server or workstation). 4. Configure the default gateways to the routers’ addresses. Configuring the default gateways allows the switch to send outbound traffic to the routers: CN4093(config)# ip gateway 1 address 205.21.17.1 enable CN4093(config)# ip gateway 2 address 205.21.17.2 enable 5. Verify the configuration. CN4093(config)# show interface ip Examine the resulting information. If any settings are incorrect, make the appropriate changes. CN4093 Application Guide for N/OS 8.2...
Page 355: Using Vlans To Segregate Broadcast Domains
Workstations Primary Default Router EXT3 Secondary Default Router EXT4 Common Servers 1 INT5A Common Servers 2 INT6A 2. Add the switch ports to their respective VLANs. The VLANs shown in Table 36 are configured as follows: CN4093(config)# vlan 1 CN4093(configvlan)# exit CN4093(config)# interface port ext1,ext2(Add ports to VLAN 1) CN4093(configif)# switchport mode trunk CN4093(configif)# switchport trunk allowed vlan add 1 CN4093(configif)# exit CN4093(config)# vlan 2 CN4093(configvlan)# exit CN4093(config)# interface port ext3,ext4(Add ports to VLAN 2) CN4093(configif)# switchport mode trunk CN4093(configif)# switchport trunk allowed vlan add 2 CN4093(configif)# exit CN4093(config)# vlan 3 CN4093(configvlan)# exit CN4093(config)# interface port inet5a,int6a(Add ports to VLAN 3) CN4093(configif)# switchport mode trunk CN4093(configif)# switchport trunk allowed vlan add 3 CN4093(configif)# exit © Copyright Lenovo 2015 Chapter 24: Basic IP Routing...
Page 356 Each time you add a port to a VLAN, you may get the following prompt: Port 4 is an untagged port and its current PVID is 1. Confirm changing PVID from 1 to 2 [y/n]? Enter y to set the default Port VLAN ID (PVID) for the port. 3. Add each IP interface to the appropriate VLAN. Now that the ports are separated into three VLANs, the IP interface for each subnet must be placed in the appropriate VLAN. From Table 36, the settings are made as follows: CN4093(config)# interface ip 1 (Select IP interface 1) CN4093(configipif)# vlan 2 (Add VLAN 2) CN4093(configvlan)# exit CN4093(config)# interface ip 2 (Select IP interface 2) CN4093(configipif)# vlan 1 (Add VLAN 1) CN4093(configipif)# exit CN4093(config)# interface ip 3 (Select IP interface 3) CN4093(configipif)# vlan 1 (Add VLAN 1) CN4093(configipif)# exit CN4093(config)# interface ip 4 (Select IP interface 4) CN4093(configipif)# vlan 3 (Add VLAN 3) CN4093(configipif)# exit 4. Verify the configuration. CN4093(config)# show vlan CN4093(config)# show interface information CN4093(config)# show interface ip Examine the resulting information. If any settings are incorrect, make the appropriate changes. CN4093 Application Guide for N/OS 8.2...
Page 357: Bootp Relay Agent
BOOTP Server asks for IP from BOOTP Relay Agent BOOTP server The use of two servers provide failover redundancy. The client request is forwarded to both BOOTP servers configured on the switch. However, no health checking is supported. BOOTP Relay Agent Configuration To enable the CN4093 to be the BOOTP forwarder, you need to configure the BOOTP server IP addresses on the switch, and enable BOOTP relay on the interface(s) on which the BOOTP requests are received. Generally, you should configure the command on the switch IP interface that is closest to the client, so that the BOOTP server knows from which IP subnet the newly allocated IP address should come. Use the following commands to configure the switch as a BOOTP relay agent: CN4093(config)# ip bootprelay enable CN4093(config)# ip bootprelay server <1‐5> address <IPv4 address> Use the following command to enable the Relay functionality on an IP interface: CN4093(config)# interface ip <interface number> CN4093(configipif)# relay CN4093(configipif)# exit © Copyright Lenovo 2015 Chapter 24: Basic IP Routing...
Page 358: Domain-Specific Bootp Relay Agent Configuration
Domain-Specific BOOTP Relay Agent Configuration Use the following commands to configure up to four domain‐specific BOOTP relay agents for each of up to 10 VLANs: CN4093(config)# ip bootprelay bcastdomain <1‐10> vlan <VLAN number> CN4093(config)# ip bootprelay bcastdomain <1‐10> server <1‐5> address <IPv4 address> CN4093(config)# ip bootprelay bcastdomain <1‐10> enable As with global relay agent servers, domain‐specific BOOTP/DHCP functionality may be assigned on a per‐interface basis. CN4093 Application Guide for N/OS 8.2...
Page 359: Dynamic Host Configuration Protocol
The switch ignores DHCP gateway parameters if the gateway is configured. DHCP Relay Agent DHCP is described in RFC 2131, and the DHCP relay agent supported on CN4093s is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. DHCP defines the methods through which clients can be assigned an IP address for a finite lease period and allowing reassignment of the IP address to another client later. Additionally, DHCP provides the mechanism for a client to gather other IP configuration parameters it needs to operate in the TCP/IP network. In the DHCP environment, the CN4093 acts as a relay agent. The DHCP relay feature enables the switch to forward a client request for an IP address to two BOOTP servers with IP addresses that have been configured on the switch. When a switch receives a UDP broadcast on port 67 from a DHCP client requesting an IP address, the switch acts as a proxy for the client, replacing the client source IP (SIP) and destination IP (DIP) addresses. The request is then forwarded as a UDP Unicast MAC layer message to two BOOTP servers whose IP addresses are configured on the switch. The servers respond as a UDP Unicast message back to the switch, with the default gateway and IP address for the client. The destination © Copyright Lenovo 2015 Chapter 24: Basic IP Routing...
Page 360 IP address in the server response represents the interface address on the switch that received the client request. This interface address tells the switch on which VLAN to send the server response to the client. CN4093 Application Guide for N/OS 8.2...
Page 361: Dhcp Relay Agent Configuration
DHCP/BOOTP server IP addresses on the switch. Generally, you should configure the switch IP interface on the client side to match the client’s subnet, and configure VLANs to separate client and server subnets. The DHCP server knows from which IP subnet the newly allocated IP address should come. The following figure shows a basic DHCP network example: Figure 41. DHCP Relay Agent Configuration Boston GbESM 20.1.1.1 DHCP Client DHCP Server In CN4093 implementation, there is no need for primary or secondary servers. The client request is forwarded to the BOOTP servers configured on the switch. The use of two servers provide failover redundancy. However, no health checking is supported. Use the following commands to configure the switch as a DHCP relay agent: CN4093(config)# ip bootprelay server 1 <IP address> CN4093(config)# ip bootprelay server 2 <IP address> CN4093(config)# ip bootprelay server 3 <IP address> CN4093(config)# ip bootprelay server 4 <IP address> CN4093(config)# ip bootprelay server 5 <IP address> CN4093(config)# ip bootprelay enable CN4093(config)# show ip bootprelay Additionally, DHCP Relay functionality can be assigned on a per interface basis. Use the following command to enable the Relay functionality: CN4093(config)# interface ip <Interface number> CN4093(configipif)# relay © Copyright Lenovo 2015 Chapter 24: Basic IP Routing...
Page 362 CN4093 Application Guide for N/OS 8.2...
Page 363: Chapter 25. Internet Protocol Version 6
 RFC 4835 RFC 2462 RFC 3413 RFC 4293 RFC 4861      RFC 2474  RFC 3414  RFC 4301  RFC 4862  RFC 2526  RFC 3484  RFC 4302  RFC 5095  RFC 2711  RFC 3602  RFC 4303  RFC 5114 This chapter describes the basic configuration of IPv6 addresses and how to manage the switch via IPv6 host management. © Copyright Lenovo 2015...
Page 364: Ipv6 Limitations
IPv6 Limitations The following IPv6 features are not supported in this release.  Dynamic Host Control Protocol for IPv6 (DHCPv6)  Border Gateway Protocol for IPv6 (BGP)  Routing Information Protocol for IPv6 (RIPng) Most other Lenovo N/OS 8.2 features permit IP addresses to be configured using either IPv4 or IPv6 address formats. However, the following switch features support IPv4 only:  Default switch management IP address  Bootstrap Protocol (BOOTP) and DHCP  RADIUS, TACACS+ and LDAP  QoS metering and re‐marking ACLs for out‐profile traffic  VMware Virtual Center (vCenter) for VMready Routing Information Protocol (RIP)   Internet Group Management Protocol (IGMP) Border Gateway Protocol (BGP)   Virtual Router Redundancy Protocol (VRRP) sFLOW  CN4093 Application Guide for N/OS 8.2...
Page 365: Ipv6 Address Format
Each IPv6 address has two parts:  Subnet prefix representing the network to which the interface is connected  Local identifier, either derived from the MAC address or user‐configured The preferred hexadecimal format is as follows: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx Example IPv6 address: FEDC:BA98:7654:BA98:FEDC:1234:ABCD:5412 Some addresses can contain long sequences of zeros. A single contiguous sequence of zeros can be compressed to :: (two colons). For example, consider the following IPv6 address: FE80:0:0:0:2AA:FF:FA:4CA2 The address can be compressed as follows: FE80::2AA:FF:FA:4CA2 Unlike IPv4, a subnet mask is not used for IPv6 addresses. IPv6 uses the subnet prefix as the network identifier. The prefix is the part of the address that indicates the bits that have fixed values or are the bits of the subnet prefix. An IPv6 prefix is written in address/prefix‐length notation. For example, in the following address, 64 is the network prefix: 21DA:D300:0000:2F3C::/64 IPv6 addresses can be either user‐configured or automatically configured. Automatically configured addresses always have a 64‐bit subnet prefix and a 64‐bit interface identifier. In most implementations, the interface identifier is derived from the switchʹs MAC address, using a method called EUI‐64. Most Lenovo N/OS 8.2 features permit IP addresses to be configured using either IPv4 or IPv6 address formats. Throughout this manual, IP address is used in places where either an IPv4 or IPv6 address is allowed. In places where only one type of address is allowed, the type (IPv4 or IPv6 is specified). © Copyright Lenovo 2015 Chapter 25: Internet Protocol Version 6...
Page 366: Ipv6 Address Types
IPv6 Address Types IPv6 supports three types of addresses: unicast (one‐to‐one), multicast (one‐to‐many), and anycast (one‐to‐nearest). Multicast addresses replace the use of broadcast addresses. Unicast Address Unicast is a communication between a single host and a single receiver. Packets sent to a unicast address are delivered to the interface identified by that address. IPv6 defines the following types of unicast address:  Global Unicast address: An address that can be reached and identified globally. Global Unicast addresses use the high‐order bit range up to FF00, therefore all non‐multicast and non‐link‐local addresses are considered to be global unicast. A manually configured IPv6 address must be fully specified. Autoconfigured IPv6 addresses are comprised of a prefix combined with the 64‐bit EUI. RFC 4291 defines the IPv6 addressing architecture. The interface ID must be unique within the same subnet.  Link‐local unicast address: An address used to communicate with a neighbor on the same link. Link‐local addresses use the format FE80::EUI Link‐local addresses are designed to be used for addressing on a single link for purposes such as automatic address configuration, neighbor discovery, or when no routers are present. Routers must not forward any packets with link‐local source or destination addresses to other links. Multicast Multicast is communication between a single host and multiple receivers. Packets are sent to all interfaces identified by that address. An interface may belong to any number of multicast groups. A multicast address (FF00 ‐ FFFF) is an identifier for a group interface. The multicast address most often encountered is a solicited‐node multicast address using prefix FF02::1:FF00:0000/104 with the low‐order 24 bits of the unicast or anycast address. The following well‐known multicast addresses are pre‐defined. The group IDs defined in this section are defined for explicit scope values, as follows: FF00:::::::0 through FF0F:::::::0 Anycast Packets sent to an anycast address or list of addresses are delivered to the nearest interface identified by that address. Anycast is a communication between a single ...
Page 368: Ipv6 Address Autoconfiguration
IPv6 Address Autoconfiguration IPv6 supports the following types of address autoconfiguration:  Stateful address configuration Address configuration is based on the use of a stateful address configuration protocol, such as DHCPv6, to obtain addresses and other configuration options. Stateless address configuration  Address configuration is based on the receipt of Router Advertisement messages that contain one or more Prefix Information options. Lenovo N/OS 8.2 supports stateless address configuration. Stateless address configuration allows hosts on a link to configure themselves with link‐local addresses and with addresses derived from prefixes advertised by local routers. Even if no router is present, hosts on the same link can configure themselves with link‐local addresses and communicate without manual configuration. IPv6 Interfaces Each IPv6 interface supports multiple IPv6 addresses. You can manually configure up to two IPv6 addresses for each interface, or you can allow the switch to use stateless autoconfiguration. By default, the switch automatically configures the IPv6 address of its management interface. You can manually configure two IPv6 addresses for each interface, as follows:  Initial IPv6 address is a global unicast or anycast address . CN4093(config)# interface ip <interface number> CN4093(configipif)# ipv6 address <IPv6 address> Note that you cannot configure both addresses as anycast. If you configure an anycast address on the interface you must also configure a global unicast address on that interface.  Second IPv6 address can be a unicast or anycast address . CN4093(configipif)# ipv6 secaddr6 <IPv6 address> CN4093(configipif)# exit You cannot configure an IPv4 address on an IPv6 management interface. Each interface can be configured with only one address type: either IPv4 or IPv6, but not both. When changing between IPv4 and IPv6 address formats, the prior address settings for the interface are discarded.
Page 369 Interface 125/126 is reserved for IPv6 host support. This interface is included in management VLAN 4095. Use the following commands to configure the IPv6 gateway: CN4093(config)# ip gateway6 1 address <IPv6 address> CN4093(config)# ip gateway6 1 enable IPv6 gateway 1 is reserved for IPv6 data interfaces. IPv6 gateway 3 and 4 are the default IPv6 management gateways. © Copyright Lenovo 2015 Chapter 25: Internet Protocol Version 6...
Page 370: Neighbor Discovery
Neighbor Discovery Neighbor Discovery Overview The switch uses Neighbor Discovery protocol (ND) to gather information about other router and host nodes, including the IPv6 addresses. Host nodes use ND to configure their interfaces and perform health detection. ND allows each node to determine the link‐layer addresses of neighboring nodes, and to keep track of each neighbor’s information. A neighboring node is a host or a router that is linked directly to the switch. The switch supports Neighbor Discovery as described in RFC 4861. Neighbor Discover messages allow network nodes to exchange information, as follows:  Neighbor Solicitations allow a node to discover information about other nodes.  Neighbor Advertisements are sent in response to Neighbor Solicitations. The Neighbor Advertisement contains information required by nodes to determine the link‐layer address of the sender, and the sender’s role on the network.  IPv6 hosts use Router Solicitations to discover IPv6 routers. When a router receives a Router Solicitation, it responds immediately to the host.  Routers uses Router Advertisements to announce its presence on the network, and to provide its address prefix to neighbor devices. IPv6 hosts listen for Router Advertisements, and uses the information to build a list of default routers. Each host uses this information to perform autoconfiguration of IPv6 addresses. Redirect messages are sent by IPv6 routers to inform hosts of a better first‐hop  address for a specific destination. Redirect messages are only sent by routers for unicast traffic, are only unicast to originating hosts, and are only processed by hosts. ND configuration for various advertisements, flags, and interval settings is performed on a per‐interface basis using the following command path: CN4093(config)# interface ip <interface number> CN4093(configipif)# [no] ipv6 nd ? CN4093(configipif)# exit To add or remove entries in the static neighbor cache, use the following command path: CN4093(config)# [no] ip neighbors ? CN4093 Application Guide for N/OS 8.2...
Page 371: Supported Applications
Ping The ping command supports IPv6 addresses. Use the following format to ping an IPv6 address: ping <host name>|<IPv6 address> [n <tries (0‐4294967295)>] [w <msec delay (0‐4294967295)>] [l <length (0/32‐65500/2080)>] [s <IP source>] [v <TOS (0‐255)>] [f] [t] To ping a link‐local address (begins with FE80), provide an interface index, as follows: ping <IPv6 address>%<Interface index> [n <tries (0‐4294967295)>] [w <msec delay (0‐4294967295)>] [l <length (0/32‐65500/2080)>] [s <IP source>] [v <TOS (0‐255)>] [f] [t]  Traceroute The traceroute command supports IPv6 addresses (but not link‐local addresses). Use the following format to perform a traceroute to an IPv6 address: traceroute <host name>| <IPv6 address> [<max‐hops (1‐32)> [<msec delay (1‐4294967295)>]] © Copyright Lenovo 2015 Chapter 25: Internet Protocol Version 6...
Page 372  Telnet server The telnet command supports IPv6 addresses, but not link‐local addresses. Use the following format to Telnet into an IPv6 interface on the switch: telnet <host name>| <IPv6 address> [<port>]  Telnet client The telnet command supports IPv6 addresses, but not link‐local addresses. Use the following format to Telnet to an IPv6 address: telnet <host name>| <IPv6 address> [<port>]  HTTP/HTTPS The HTTP/HTTPS servers support both IPv4 and IPv6 connections.  Secure Shell (SSH) connections over IPv6 are supported, but not link‐local addresses. The following syntax is required from the client: ssh u <IPv6 address> Example: ssh u 2001:2:3:4:0:0:0:142  TFTP The TFTP commands support both IPv4 and IPv6 addresses. Link‐local addresses are not supported.  The FTP commands support both IPv4 and IPv6 addresses. Link‐local addresses are not supported.  DNS client DNS commands support both IPv4 and IPv6 addresses. Link‐local addresses are not supported. Use the following command to specify the type of DNS query to be sent first: CN4093(config)# ip dns ipv6 requestversion {ipv4|ipv6} If you set the request version to v4, the DNS application sends an A query first, to resolve the hostname with an IPv4 address. If no A record is found for that hostname (no IPv4 address for that hostname) an AAAA query is sent to resolve the hostname with a IPv6 address. If you set the request version to v6, the DNS application sends an AAAA query first, to resolve the hostname with an IPv6 address. If no AAAA record is found for that hostname (no IPv6 address for that hostname) an A query is sent to resolve the hostname with an IPv4 address. CN4093 Application Guide for N/OS 8.2...
Page 373: Configuration Guidelines
IPv6 interfaces support Path MTU Discovery. The CPU’s MTU is fixed at 1500 bytes.  Support for jumbo frames (1,500 to 9,216 byte MTUs) is limited. Any jumbo frames intended for the CPU must be fragmented by the remote node. The switch can re‐assemble fragmented packets up to 9k. It can also fragment and transmit jumbo packets received from higher layers. IPv6 Configuration Examples This section provides steps to configure IPv6 on the switch. IPv6 Example 1 The following example uses IPv6 host mode to autoconfigure an IPv6 address for the interface. By default, the interface is assigned to VLAN 1. 1. Enable IPv6 host mode on an interface. CN4093(config)# interface ip 2 CN4093(configipif)# ip6host CN4093(configipif)# enable CN4093(configipif)# exit 2. Configure the IPv6 default gateway. CN4093(config)# ip gateway6 1 address 2001:BA98:7654:BA98:FEDC:1234:ABCD:5412 CN4093(config)# ip gateway6 1 enable 3. Verify the interface address. CN4093(config)# show interface ip 2 © Copyright Lenovo 2015 Chapter 25: Internet Protocol Version 6...
Page 374 IPv6 Example 2 Use the following example to manually configure IPv6 on an interface. 1. Assign an IPv6 address and prefix length to the interface. CN4093(config)# interface ip 3 CN4093(configipif)# ipv6 address 2001:BA98:7654:BA98:FEDC:1234:ABCD:5214 CN4093(configipif)# ipv6 prefixlen 64 CN4093(configipif)# ipv6 seccaddr6 2003::1 32 CN4093(configipif)# vlan 2 CN4093(configipif)# enable CN4093(configipif)# exit The secondary IPv6 address is compressed, and the prefix length is 32. 2. Configure the IPv6 default gateway. CN4093(config)# ip gateway6 1 address 2001:BA98:7654:BA98:FEDC:1234:ABCD:5412 CN4093(config)# ip gateway6 1 enable 3. Configure Router advertisements for the interface (optional) CN4093(config)# interface ip 3 CN4093(configipif)# no ipv6 nd suppressra 4. Verify the configuration. CN4093(configipif)# show layer3 CN4093 Application Guide for N/OS 8.2...
Page 375: Chapter 26. Using Ipsec With Ipv6
RFC 4301 for IPv6 security   RFC 4302 for the IPv6 Authentication Header RFCs 2404, 2410, 2451, 3602, and 4303 for IPv6 Encapsulating Security Payload  (ESP), including NULL encryption, CBC‐mode 3DES and AES ciphers, and HMAC‐SHA‐1‐96. RFCs 4306, 4307, 4718, and 4835 for IKEv2 and cryptography   RFC 4552 for OSPFv3 IPv6 authentication RFC 5114 for Diffie‐Hellman groups  Note: This implementation of IPsec supports DH groups 1, 2, 5, 14, and 24. The following topics are discussed in this chapter:  “IPsec Protocols” on page 376  “Using IPsec with the CN4093” on page 377 © Copyright Lenovo 2015...
Page 376: Ipsec Protocols
IPsec Protocols The Lenovo N/OS implementation of IPsec supports the following protocols:  Authentication Header (AH) AHs provide connectionless integrity outand data origin authentication for IP packets, and provide protection against replay attacks. In IPv6, the AH protects the AH itself, the Destination Options extension header after the AH, and the IP payload. It also protects the fixed IPv6 header and all extension headers before the AH, except for the mutable fields DSCP, ECN, Flow Label, and Hop Limit. AH is defined in RFC 4302.  Encapsulating Security Payload (ESP) ESPs provide confidentiality, data origin authentication, integrity, an anti‐replay service (a form of partial sequence integrity), and some traffic flow confidentiality. ESPs may be applied alone or in combination with an AH. ESP is defined in RFC 4303.  Internet Key Exchange Version 2 (IKEv2) IKEv2 is used for mutual authentication between two network elements. An IKE establishes a security association (SA) that includes shared secret information to efficiently establish SAs for ESPs and AHs, and a set of cryptographic algorithms to be used by the SAs to protect the associated traffic. IKEv2 is defined in RFC 4306. Using IKEv2 as the foundation, IPsec supports ESP for encryption and/or authentication, and/or AH for authentication of the remote partner. Both ESP and AH rely on security associations. A security association (SA) is the bundle of algorithms and parameters (such as keys) that encrypt and authenticate a particular flow in one direction. CN4093 Application Guide for N/OS 8.2...
Page 377: Using Ipsec With The Cn4093
Using IPsec with the CN4093 IPsec supports the fragmentation and reassembly of IP packets that occurs when data goes to and comes from an external device. The Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch acts as an end node that processes any fragmentation and reassembly of packets but does not forward the IPsec traffic. The IKEv2 key must be authenticated before you can use IPsec. The security protocol for the session key is either ESP or AH. Outgoing packets are labeled with the SA SPI (Security Parameter Index), which the remote device will use in its verification and decryption process. Every outgoing IPv6 packet is checked against the IPsec policies in force. For each outbound packet, after the packet is encrypted, the software compares the packet size with the MTU size that it either obtains from the default minimum maximum transmission unit (MTU) size (1500) or from path MTU discovery. If the packet size is larger than the MTU size, the receiver drops the packet and sends a message containing the MTU size to the sender. The sender then fragments the packet into smaller pieces and retransmits them using the correct MTU size. The maximum traffic load for each IPSec packet is limited to the following:  IKEv2 SAs: 5  IPsec SAs: 10 (5 SAs in each direction) SPDs: 20 (10 policies in each direction)  IPsec is implemented as a software cryptography engine designed for handling control traffic, such as network management. IPsec is not designed for handling data traffic, such as a VPN. © Copyright Lenovo 2015 Chapter 26: Using IPsec with IPv6...
Page 378: Setting Up Authentication
Setting up Authentication Before you can use IPsec, you need to have key policy authentication in place. There are two types of key policy authentication: Preshared key (default)  The parties agree on a shared, secret key that is used for authentication in an IPsec policy. During security negotiation, information is encrypted before transmission by using a session key created by using a Diffie‐Hellman calculation and the shared, secret key. Information is decrypted on the receiving end using the same key. One IPsec peer authenticates the other peerʹs packet by decryption and verification of the hash inside the packet (the hash inside the packet is a hash of the preshared key). If authentication fails, the packet is discarded. Digital certificate (using RSA algorithms)  The peer being validated must hold a digital certificate signed by a trusted Certificate Authority and the private key for that digital certificate. The side performing the authentication only needs a copy of the trusted certificate authorities digital certificate. During IKEv2 authentication, the side being validated sends a copy of the digital certificate and a hash value signed using the private key. The certificate can be either generated or imported. Note: During the IKEv2 negotiation phase, the digital certificate takes precedence over the preshared key. Creating an IKEv2 Proposal With IKEv2, a single policy can have multiple encryption and authentication types, ...
Page 379: Importing An Ikev2 Digital Certificate
Generating an IKEv2 Digital Certificate To create an IKEv2 digital certificate for authentication: 1. Create an HTTPS certificate defining the information you want to be used in the various fields. CN4093(config)# access https generatecertificate Country Name (2 letter code) []: <country code> State or Province Name (full name) []: <state> Locality Name (eg, city) []: <city> Organization Name (eg, company) []: <company> Organizational Unit Name (eg, section) []: <org. unit> Common Name (eg, YOUR name) []: <name> Email (eg, email address) []: <email address> Confirm generat‘eywing certificate? [y/n]: y Generating certificate. Please wait (approx 30 seconds) restarting SSL agent 2. Save the HTTPS certificate. The certificate is valid only until the switch is rebooted. To save the certificate so that it is retained beyond reboot or power cycles, use the following command: CN4093(config)# access https savecertificate © Copyright Lenovo 2015 Chapter 26: Using IPsec with IPv6...
Page 380: Enabling Ikev2 Preshared Key Authentication
3. Enable IKEv2 RSA‐signature authentication: CN4093(config)# access https enable Enabling IKEv2 Preshared Key Authentication To set up IKEv2 preshared key authentication: 1. Enter the local preshared key. CN4093(config)# ikev2 presharekey local <preshared key, a string of 1‐256 chars> 2. If asymmetric authentication is supported, enter the remote key: CN4093(config)# ikev2 presharekey remote <preshared key> <IPv6 host> where the following parameters are used:  preshared key A string of 1‐256 characters  IPv6 host An IPv6‐format host, such as “3000::1” 3. Set up the IKEv2 identification type by entering one of the following commands: CN4093(config)# ikev2 identity local address (use an IPv6 address) CN4093(config)# ikev2 identity local email <email address> CN4093(config)# ikev2 identity local fqdn <domain name> To disable IKEv2 RSA‐signature authentication method and enable preshared key authentication, enter: CN4093(config)# no access https Setting Up a Key Policy When configuring IPsec, you must define a key policy. This key policy can be either manual or dynamic. Either way, configuring a policy involves the following steps:  Create a transform set—This defines which encryption and authentication algo‐ rithms are used. ...
Page 381  apply the selector to any type of traffic proto/icmp type|any  only apply the selector only to ICMP traffic of the specified type (an integer from 1‐255) or to any ICMP traffic proto/tcp  only apply the selector to TCP traffic  source IP address|any the source IP address in IPv6 format or “any” source destination IP address|any the destination IP address in IPv6 format or “any”  destination  prefix length (Optional) the length of the destination IPv6 prefix; an integer from 1‐128 Permitted traffic that matches the policy in force is encrypted, while denied traffic that matches the policy in force is dropped. Traffic that does not match the policy bypasses IPsec and passes through clear (unencrypted). 4. Choose whether to use a manual or a dynamic policy. © Copyright Lenovo 2015 Chapter 26: Using IPsec with IPv6...
Page 382: Using A Manual Key Policy
Using a Manual Key Policy A manual policy involves configuring policy and manual SA entries for local and remote peers. To configure a manual key policy, you need:  The IP address of the peer in IPv6 format (for example, “3000::1”).  Inbound/Outbound session keys for the security protocols. You can then assign the policy to an interface. The peer represents the other end of the security association. The security protocol for the session key can be either ESP or AH. To create and configure a manual policy: 1. Enter a manual policy to configure. CN4093(config)# ipsec manualpolicy <policy number> 2. Configure the policy. CN4093(configipsecmanual)#peer <peer’s IPv6 address> CN4093(configipsecmanual)#trafficselector <IPsec traffic selector> CN4093(configipsecmanual)#transformset <IPsec transform set> CN4093(configipsecmanual)#inah authkey <inbound AH IPsec key> CN4093(configipsecmanual)#inah authspi <inbound AH IPsec SPI> CN4093(configipsecmanual)#inesp cipherkey <inbound ESP cipher key> CN4093(configipsecmanual)#inesp authspi <inbound ESP SPI> CN4093(configipsecmanual)#inesp authkey <inbound ESP authenticator key> CN4093(configipsecmanual)#outah authkey <outbound AH IPsec key> CN4093(configipsecmanual)#outah authspi <outbound AH IPsec SPI> CN4093(configipsecmanual)#outesp cipherkey <outbound ESP cipher key> CN4093(configipsecmanual)#outesp authspi <outbound ESP SPI> CN4093(configipsecmanual)#outesp authkey <outbound ESP authenticator key> where the following parameters are used:  peer’s IPv6 address The IPv6 address of the peer (for example, 3000::1)  IPsec traffic‐selector A number from1‐10 ...
Page 383: Using A Dynamic Key Policy
 3000::1)  index of traffic‐selector A number from1‐10 index of transform‐set A number from1‐10   SA lifetime, in seconds The length of time the SA is to remain in effect; an integer from120‐86400 pfs enable|disable  Whether to enable or disable the perfect forward security feature. The default is disable. Note: In a dynamic policy, the AH and ESP keys are created by IKEv2. © Copyright Lenovo 2015 Chapter 26: Using IPsec with IPv6...
Page 384 3. After you configure the IPSec policy, you need to apply it to the interface to enforce the security policies on that interface and save it to keep it in place after a reboot. To accomplish this, enter: CN4093(configip)# interface ip <IP interface number, 1‐128> CN4093(configipif)# address <IPv6 address> CN4093(configipif)# ipsec dynamicpolicy <policy index, 1‐10> CN4093(configipif)# enable (enable the IP interface) CN4093# write (save the current configuration) CN4093 Application Guide for N/OS 8.2...
Page 385: Chapter 27. Routing Information Protocol
Chapter 27. Routing Information Protocol In a routed environment, routers communicate with one another to keep track of available routes. Routers can learn about available routes dynamically using the Routing Information Protocol (RIP). Lenovo N/OS software supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2) for exchanging TCP/IPv4 route information with other routers. Note: Lenovo N/OS 8.2 does not support IPv6 for RIP. Distance Vector Protocol RIP is known as a distance vector protocol. The vector is the network number and next hop, and the distance is the cost associated with the network number. RIP identifies network reachability based on metric, and metric is defined as hop count. One hop is considered to be the distance from one switch to the next, which typically is 1. When a switch receives a routing update that contains a new or changed destination network entry, the switch adds 1 to the metric value indicated in the update and enters the network in the routing table. The IPv4 address of the sender is used as the next hop. Stability RIP includes a number of other stability features that are common to many routing protocols. For example, RIP implements the split horizon and hold‐down mechanisms to prevent incorrect routing information from being propagated. RIP prevents routing loops from continuing indefinitely by limiting the number of hops allowed in a path from the source to a destination. The maximum number of ...
Page 386: Routing Updates
Routing Updates RIP sends routing‐update messages at regular intervals and when the network topology changes. Each router “advertises” routing information by sending a routing information update every 30 seconds. If a router doesn’t receive an update from another router for 180 seconds, those routes provided by that router are declared invalid. The routes are removed from the routing table, but they remain in the RIP routes table. After another 120 seconds without receiving an update for those routes, the routes are removed from regular updates. When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route. The metric value for the path is increased by 1, and the sender is indicated as the next hop. RIP routers maintain only the best route (the route with the lowest metric value) to a destination. For more information see The Configuration Menu, Routing Information Protocol Configuration in the Lenovo N/OS Command Reference. RIPv1 RIP version 1 uses broadcast User Datagram Protocol (UDP) data packets for the regular routing updates. The main disadvantage is that the routing updates do not carry subnet mask information. Hence, the router cannot determine whether the route is a subnet route or a host route. It is of limited usage after the introduction of RIPv2. For more information about RIPv1 and RIPv2, refer to RFC 1058 and RFC 2453. RIPv2 RIPv2 is the most popular and preferred configuration for most networks. RIPv2 expands the amount of useful information carried in RIP messages and provides a measure of security. For a detailed explanation of RIPv2, refer to RFC 1723 and RFC 2453. RIPv2 improves efficiency by using multicast UDP (address 224.0.0.9) data packets for regular routing updates. Subnet mask information is provided in the routing updates. A security option is added for authenticating routing updates, by using a shared password. Lenovo N/OS supports using clear password for RIPv2. RIPv2 in RIPv1 Compatibility Mode Lenovo N/OS allows you to configure RIPv2 in RIPv1compatibility mode, for using both RIPv2 and RIPv1 routers within a network. In this mode, the regular routing updates use broadcast UDP data packet to allow RIPv1 routers to receive ...
Page 387: Rip Features
Lenovo N/OS provides the following features to support RIPv1 and RIPv2: Poison Reverse Simple split horizon in RIP omits routes learned from one neighbor in updates sent to that neighbor. That is the most common configuration used in RIP, with the Poison Reverse feature disabled. Split horizon with poisoned reverse enabled includes such routes in updates, but sets their metrics to 16. The disadvantage of using this feature is the increase of size in the routing updates. Triggered Updates Triggered updates are an attempt to speed up convergence. When Triggered Updates is enabled, whenever a router changes the metric for a route, it sends update messages almost immediately, without waiting for the regular update interval. It is recommended to enable Triggered Updates. Multicast RIPv2 messages use IPv4 multicast address (224.0.0.9) for periodic updates. Multicast RIPv2 updates are not processed by RIPv1 routers. IGMP is not needed since these are inter‐router messages which are not forwarded. To configure RIPv2 in RIPv1 compatibility mode, set multicast to disable, and set version to both. Default Route The RIP router can listen and supply a default route, usually represented as IPv4 0.0.0.0 in the routing table. When a router does not have an explicit route to a destination network in its routing table, it uses the default route to forward those packets. Metric The metric field contains a configurable value between 1 and 15 (inclusive) which specifies the current metric for the interface. The metric value typically indicates the total number of hops to the destination. The metric value of 16 represents an unreachable destination. © Copyright Lenovo 2015 Chapter 27: Routing Information Protocol...
Page 388: Rip Configuration Example
Authentication RIPv2 authentication uses plain text password for authentication. If configured using Authentication password, then it is necessary to enter an authentication key value. The following method is used to authenticate a RIP message:  If the router is not configured to authenticate RIPv2 messages, then RIPv1 and unauthenticated RIPv2 messages are accepted; authenticated RIPv2 messages are discarded. If the router is configured to authenticate RIPv2 messages, then RIPv1 and  RIPv2 messages which pass authentication testing are accepted; unauthenticated and failed authentication RIPv2 messages are discarded. For maximum security, RIPv1 messages are ignored when authentication is enabled (interface ip <x>/ ip rip auth type/password); otherwise, the routing information from authenticated messages is propagated by RIPv1 routers in an unauthenticated manner. RIP Configuration Example Note: An interface RIP disabled uses all the default values of the RIP, no matter how the RIP parameters are configured for that interface. RIP sends out RIP regular updates to include an UP interface, but not a DOWN interface.
Page 389 3. Turn on RIP globally and enable RIP for each interface. CN4093(config)# router rip CN4093(configrouterrip)# enable CN4093(configrouterrip)# exit CN4093# interface ip 2 CN4093(configipif)# ip rip enable CN4093(configipif)# exit CN4093# interface ip 3 CN4093(configipif)# ip rip enable CN4093(configipif)# exit Use the following command to check the current valid routes in the routing table of the switch: CN4093# show ip route For those RIP learnt routes within the garbage collection period, that are routes phasing out of the routing table with metric 16, use the following command: CN4093# show ip rip routes Locally configured static routes do not appear in the RIP Routes table. © Copyright Lenovo 2015 Chapter 27: Routing Information Protocol...
Page 390 CN4093 Application Guide for N/OS 8.2...
Page 391: Chapter 28. Internet Group Management Protocol
Chapter 28. Internet Group Management Protocol Internet Group Management Protocol (IGMP) is used by IPv4 Multicast routers to learn about the existence of host group members on their directly attached subnet (see RFC 2236). The IPv4 Multicast routers get this information by broadcasting IGMP Membership Queries and listening for IPv4 hosts reporting their host group memberships. This process is used to set up a client/server relationship between an IPv4 Multicast source that provides the data streams and the clients that want to receive the data. The CN4093 10Gb Converged Scalable Switch (CN4093) can perform IGMP Snooping, or act as an IGMP Relay (proxy) device. Note: Lenovo N/OS 8.2 does not support IPv6 for IGMP. The following topics are discussed in this chapter:  “IGMP Snooping” on page 392 “IGMP Querier” on page 398   “Additional IGMP Features” on page 399 © Copyright Lenovo 2015...
Page 392: Igmp Snooping
IGMP Snooping IGMP Snooping allows the switch to forward multicast traffic only to those ports that request it. IGMP Snooping prevents multicast traffic from being flooded to all ports. The switch learns which server hosts are interested in receiving multicast traffic, and forwards it only to ports connected to those servers. IGMP Snooping conserves bandwidth. With IGMP Snooping, the switch learns which ports are interested in receiving multicast data, and forwards multicast data only to those ports. In this way, other ports are not burdened with unwanted multicast traffic. The switch can sense IGMP Membership Reports from attached clients and act as a proxy to set up a dedicated path between the requesting host and a local IPv4 Multicast router. After the pathway is established, the switch blocks the IPv4 Multicast stream from flowing through any port that does not connect to a host member, thus conserving bandwidth. The client‐server path is set up as follows:  An IPv4 Multicast Router (Mrouter) sends Membership Queries to the switch, which forwards them to all ports in a given VLAN. Hosts that want to receive the multicast data stream send Membership Reports to  the switch, which sends a proxy Membership Report to the Mrouter. The switch sets up a path between the Mrouter and the host, and blocks all other  ports from receiving the multicast.  Periodically, the Mrouter sends Membership Queries to ensure that the host wants to continue receiving the multicast. If a host fails to respond with a Membership Report, the Mrouter stops sending the multicast to that path. The host can send an IGMP Leave packet to the switch, which responds with an  IGMP Groups Specific Query in order to check if there are other clients that want to receive the multicast traffic for the group referenced in the Leave packet. If an IGMP Report is not received, the group is deleted from the port and the multicast path is terminated. The switch then sends a Proxy Leave packet to the Mrouter in order to update it. If the FastLeave option is enabled on a VLAN, the multicast path is terminated immediately and the Leave packet is directly forwarded to the Mrouter. IGMP Groups The CN4093 supports a maximum of 3072 IGMP entries, on a maximum of 1024 ...
Page 393: Igmpv3
CN4093(config)# ip igmp snoop igmpv3 sources <1‐64> IGMPv3 Snooping is compatible with IGMPv1 and IGMPv2 Snooping. You can disable snooping on version 1 and version 2 reports, using the following command: CN4093(config)# no ip igmp snoop igmpv3 v1v2 IGMP Snooping Configuration Example This section provides steps to configure IGMP Snooping on the CN4093, using the Command‐Line Interface (CLI). 1. Configure port and VLAN membership on the switch. 2. Add VLANs to IGMP Snooping and enable IGMP Snooping. CN4093(config)# ip igmp snoop vlan 1 CN4093(config)# ip igmp snoop enable 3. Enable IGMPv3 Snooping (optional). CN4093(config)# ip igmp snoop igmpv3 enable 4. Enable IGMP. CN4093(config)# ip igmp enable (Turn on IGMP) © Copyright Lenovo 2015 Chapter 28: Internet Group Management Protocol...
Page 394 5. View dynamic IGMP information. To display information about IGMP Groups: CN4093# show ip igmp groups Total entries: 5 Total IGMP groups: 2 Note: The <Total IGMP groups> number is computed as the number of unique (Group, Vlan) entries! Note: Local groups (224.0.0.x) are not snooped/relayed and will not appear.
Page 395: Static Multicast Router
Mrouters. If a dynamic Mrouter has the same port and VLAN combination as a static Mrouter, the dynamic Mrouter will not be learned. Following is an example of configuring a static multicast router: 1. For each Mrouter, configure a port, VLAN, and IGMP version of the multicast router. CN4093(config)# ip igmp mrouter EXT5 1 2 2. Verify the configuration. CN4093(config)# show ip igmp mrouter © Copyright Lenovo 2015 Chapter 28: Internet Group Management Protocol...
Page 396: Igmp Relay
IGMP Relay The CN4093 can act as an IGMP Relay (or IGMP Proxy) device that relays IGMP multicast messages and traffic between an Mrouter and end stations. IGMP Relay allows the CN4093 to participate in network multicasts with no configuration of the various multicast routing protocols, so you can deploy it in the network with minimal effort. To an IGMP host connected to the CN4093, IGMP Relay appears to be an IGMP multicast router (Mrouter). IGMP Relay sends Membership Queries to hosts, which respond by sending an IGMP response message. A host can also send an unsolicited Join message to the IGMP Relay. To a multicast router, IGMP Relay appears as a host. The Mrouter sends IGMP host queries to IGMP Relay, and IGMP Relay responds by forwarding IGMP host reports and unsolicited join messages from its attached hosts. IGMP Relay also forwards multicast traffic between the Mrouter and end stations, similar to IGMP Snooping. You can configure up to two Mrouters to use with IGMP Relay. One Mrouter acts as the primary Mrouter, and one is the backup Mrouter. The CN4093 uses ICMP health checks to determine if the primary and backup mrouters are reachable. Configuration Guidelines Consider the following guidelines when you configure IGMP Relay: IGMP Relay is supported in stand‐alone (non‐stacking) mode only.   IGMP Relay and IGMP Snooping/Querier are mutually exclusive—if you enable IGMP Relay, you must turn off IGMP Snooping/Querier.  Add VLANs to the IGMP Relay list, using the following command: <VLAN number> CN4093(config)# ip igmp relay vlan If IGMP hosts reside on different VLANs, you must:  Disable IGMP flooding.  CN4093(config)# vlan <vlan id> CN4093(configvlan)# no flood Enable CPU forwarding to ensure that multicast data is forwarded across the  VLANs. CN4093(config)# vlan <vlan id>...
Page 397: Configure Igmp Relay
Configure IGMP Relay Use the following procedure to configure IGMP Relay. 1. Configure IP interfaces with IPv4 addresses, and assign VLANs. CN4093(config)# interface ip 2 CN4093(configipif)# ip address 10.10.1.1 255.255.255.0 enable CN4093(configipif)# vlan 2 CN4093(configipif)# exit CN4093(config)# interface ip 3 CN4093(configipif)# ip address 10.10.2.1 255.255.255.0 enable CN4093(configipif)# vlan 3 CN4093(configipif)# exit 2. Turn IGMP on. CN4093(config)# ip igmp enable 3. Configure the upstream Mrouters with IPv4 addresses. CN4093(config)# ip igmp relay mrouter 1 address 100.0.1.2 CN4093(config)# ip igmp relay mrouter 1 enable CN4093(config)# ip igmp relay mrouter 2 address 100.0.2.4 CN4093(config)# ip igmp relay mrouter 2 enable 4. Add VLANs to the downstream network and enable IGMP Relay CN4093(config)# ip igmp relay vlan 2 CN4093(config)# ip igmp relay vlan 3 CN4093(config)# ip igmp relay enable © Copyright Lenovo 2015 Chapter 28: Internet Group Management Protocol...
Page 398: Igmp Querier
IGMP Querier IGMP Querier allows the switch to perform the multicast router (Mrouter) role and provide Mrouter discovery when the network or virtual LAN (VLAN) does not have a router. When the IGMP Querier feature is enabled on a VLAN, the switch participates in the Querier election process and has the possibility to be elected as Querier for the VLAN. The IGMP querier periodically broadcasts IGMP Queries and listens for hosts to respond with IGMP Reports indicating their IGMP group memberships. If multiple Mrouters exist on a given network, the Mrouters elect one as the querier, which performs all periodic membership queries. The election process can be based on IPv4 address or MAC address. Note: When IGMP Querier is enabled on a VLAN, the switch performs the role of IGMP querier only if it meets the IGMP querier election criteria. Follow this procedure to configure IGMP Querier. 1. Enable IGMP and configure the source IPv4 address for IGMP Querier on a VLAN. CN4093(config)# ip igmp enable CN4093(config)# ip igmp querier vlan 2 sourceip 10.10.10.1 2.
Page 399: Additional Igmp Features
IGMP Filtering With IGMP Filtering, you can allow or deny a port to learn certain IGMP/IPMC groups. This allows you to restrict users from receiving certain multicast traffic. If access to a multicast group is denied, IGMP Membership Reports from the port are dropped, and the port is not allowed to receive IPv4 multicast traffic from that group. If access to the multicast group is allowed, Membership Reports from the port are forwarded for normal processing. To configure IGMP Filtering, you must globally enable IGMP filtering, define an IGMP filter, assign the filter to a port, and enable IGMP Filtering on the port. To define an IGMP filter, you must configure a range of IPv4 multicast groups, choose whether the filter will allow or deny multicast traffic for groups within the range, and enable the filter. Configuring the Range Each IGMP Filter allows you to set a start and end point that defines the range of IPv4 addresses upon which the filter takes action. Each IPv4 address in the range must be between 224.0.0.0 and 239.255.255.255. Configuring the Action Each IGMP filter can allow or deny IPv4 multicasts to the range of IPv4 addresses configured. If you configure the filter to deny IPv4 multicasts, then IGMP Membership Reports from multicast groups within the range are dropped. You can configure a secondary filter to allow IPv4 multicasts to a small range of addresses within a larger range that a primary filter is configured to deny. The two filters work together to allow IPv4 multicasts to a small subset of addresses within the larger range of addresses. © Copyright Lenovo 2015 Chapter 28: Internet Group Management Protocol...
Page 400 Note: Lower-numbered filters take precedence over higher-number filters. For example, the action defined for IGMP Filter 1 supersedes the action defined for IGMP Filter 2. Configure IGMP Filtering 1. Enable IGMP filtering on the switch. CN4093(config) ip igmp filtering 2. Define an IGMP filter with IPv4 information. CN4093(config) ip igmp profile 1 range 225.0.0.0 226.0.0.0 CN4093(config) ip igmp profile 1 action deny CN4093(config) ip igmp profile 1 enable 3.
Page 401: Chapter 29. Multicast Listener Discovery
Chapter 29. Multicast Listener Discovery Multicast Listener Discovery (MLD) is an IPv6 protocol that a host uses to request multicast data for a multicast group. An IPv6 router uses MLD to discover the presence of multicast listeners (nodes that want to receive multicast packets) on its directly attached links, and to discover specifically the multicast addresses that are of interest to those neighboring nodes. MLD version 1 is derived from Internet Group Management Protocol version 2 (IGMPv2) and MLDv2 is derived from IGMPv3. MLD uses ICMPv6 (IP Protocol 58) message types. See RFC 2710 and RFC 3810 for details. MLDv2 protocol, when compared to MLDv1, adds support for source filtering— the ability for a node to report interest in listening to packets only from specific source addresses, or from all but specific source addresses, sent to a particular multicast address. MLDv2 is interoperable with MLDv1. See RFC 3569 for details on Source‐Specific Multicast (SSM). The following topics are discussed in this chapter:  “MLD Terms” on page 402  “How MLD Works” on page 403  “MLD Capacity and Default Values” on page 406  “Configuring MLD” on page 407 © Copyright Lenovo 2015...
Page 402: Mld Terms
MLD Terms Following are the commonly used MLD terms:  Multicast traffic: Flow of data from one source to multiple destinations.  Group: A multicast stream to which a host can join.  Multicast Router (Mrouter): A router configured to make routing decisions for multicast traffic. The router identifies the type of packet received (unicast or multicast) and forwards the packet to the intended destination.  Querier: An Mrouter that sends periodic query messages. Only one Mrouter on the subnet can be elected as the Querier.  Multicast Listener Query: Messages sent by the Querier. There are three types of queries: General Query: Sent periodically to learn multicast address listeners from an  attached link. CN4093 uses these queries to build and refresh the Multicast Address Listener state. General Queries are sent to the link‐scope all‐nodes multicast address (FF02::1), with a multicast address field of 0, and a maximum response delay of query response interval. Multicast Address Specific Query: Sent to learn if a specific multicast address  has any listeners on an attached link. The multicast address field is set to the IPv6 multicast address. Multicast Address and Source Specific Query: Sent to learn if, for a specified  multicast address, there are nodes still listening to a specific set of sources. Supported only in MLDv2. Note: Multicast Address Specific Queries and Multicast Address and Source Specific Queries are sent only in response to State Change Reports, and never in response to Current State Reports. Multicast Listener Report: Sent by a host when it joins a multicast group, or in  response to a Multicast Listener Query sent by the Querier. Hosts use these reports to indicate their current multicast listening state, or changes in the multicast listening state of their interfaces. These reports are of two types: Current State Report: Contains the current Multicast Address Listening State ...
Page 403: How Mld Works
MLDv2 message A host can send a State Change Report to indicate its desire to stop listening to a  particular multicast address (or source in MLDv2). The Querier then sends a multicast address specific query to verify if there are other listeners of the multicast address. If there aren’t any, the Mrouter deletes the multicast address from its Multicast Address Listener state and stops sending multicast traffic. Similarly in MLDv2, the Mrouter sends a Multicast Address and Source Specific Query to verify if, for a specified multicast address, there are hosts still listening to a specific set of sources. CN4093 supports MLD versions 1 and 2. Note: MLDv2 operates in version 1 compatibility mode when, in a specific network, not all hosts are configured with MLDv2. © Copyright Lenovo 2015 Chapter 29: Multicast Listener Discovery...
Page 404: Mld Querier
How Flooding Impacts MLD When flood option is disabled, the unknown multicast traffic is discarded if no Mrouters are learned on the switch. You can set the flooding behavior by configuring the flood and cpu options. You can optimize the flooding to ensure that unknown IP multicast (IPMC) data packets are not dropped during the learning phase. The flooding options include: flood: Enable hardware flooding in VLAN for the unregistered IPMC; This  option is enabled by default. cpu: Enable sending unregistered IPMC to the Mrouter ports. However, during  the learning period, there will be some packet loss. The cpu option is enabled by default. You must ensure that the flood and optflood options are disabled. optflood: Enable optimized flooding to allow sending the unregistered IPMC  to the Mrouter ports without having any packet loss during the learning period; This option is disabled by default; When optflood is enabled, the flood and cpu settings are ignored. The flooding parameters must be configured per VLAN. Enter the following command to set the flood or cpu options: CN4093(config)# vlan <vlan number> CN4093(config-vlan)# [no] flood CN4093(config-vlan)# [no] cpu CN4093(config-vlan)# [no] optflood MLD Querier An Mrouter acts as a Querier and periodically (at short query intervals) sends query messages in the subnet. If there are multiple Mrouters in the subnet, only one can be the Querier. All Mrouters on the subnet listen to the messages sent by ...
Page 405: Dynamic Mrouters
Dynamic Mrouters The switch learns Mrouters on the ingress VLANs of the MLD‐enabled interface. All report or done messages are forwarded to these Mrouters. By default, the option of dynamically learning Mrouters is disabled. To enable it, use the following command: CN4093(config)# interface ip <interface number> CN4093(config-ip-if)# ipv6 mld dmrtr enable © Copyright Lenovo 2015 Chapter 29: Multicast Listener Discovery...
Page 406: Mld Capacity And Default Values
MLD Capacity and Default Values Table 37 lists the maximum and minimum values of the CN4093 variables. Table 37. CN4093 Capacity Table Variable Maximum Value IPv6 Multicast Entries IPv6 Interfaces for MLD Table 38 lists the default settings for MLD features and variables. Table 38. MLD Timers and Default Values Field Default Value Robustness Variable (RV) Query Interval (QI) 125 seconds Query Response Interval (QRI) 10 seconds Multicast Address Listeners Interval 260 seconds [derived: RV*QI+QRI] (MALI) Other Querier Present Interval [OQPT] 255 seconds [derived: RV*QI + ½ QRI] Start up Query Interval [SQI] 31.25 seconds [derived: ¼ * QI] Startup Query Count [SQC] 2 [derived: RV] Last Listener Query Interval [LLQI] 1 second Last Listener Query Count [LLQC] 2 [derived: RV] Last Listener Query Time [LLQT] 2 seconds [derived: LLQI * LLQT]...
Page 407: Configuring Mld
4. Configure the MLD parameters on the interface: version, robustness, query response interval, MLD query interval, and last listener query interval. CN4093(config-ip-if)# ipv6 mld version <1‐2> (MLD version) CN4093(config-ip-if)# ipv6 mld robust <1‐10> (Robustness) CN4093(config-ip-if)# ipv6 mld qri <1‐256> (In seconds) CN4093(config-ip-if)# ipv6 mld qintrval <1‐608>(In seconds) CN4093(config-ip-if)# ipv6 mld llistnr <1‐32> (In seconds) © Copyright Lenovo 2015 Chapter 29: Multicast Listener Discovery...
Page 408 CN4093 Application Guide for N/OS 8.2...
Page 409: Chapter 30. Border Gateway Protocol
Chapter 30. Border Gateway Protocol Border Gateway Protocol (BGP) is an Internet protocol that enables routers on an IPv4 network to share and advertise routing information with each other about the segments of the IPv4 address space they can access within their network and with routers on external networks. BGP allows you to decide what is the “best” route for a packet to take from your network to a destination on another network rather than simply setting a default route from your border router(s) to your upstream provider(s). BGP is defined in RFC 1771. CN4093 10Gb Converged Scalable Switches (CN4093s) can advertise their IP interfaces and IPv4 addresses using BGP and take BGP feeds from as many as BGP router peers. This allows more resilience and flexibility in balancing traffic from the Internet. Note: Lenovo N/OS 8.2 does not support IPv6 for BGP. The following topics are discussed in this section:  “Internal Routing Versus External Routing” on page 409  “Forming BGP Peer Routers” on page 410 “What is a Route Map?” on page 411   “Aggregating Routes” on page 414 “Redistributing Routes” on page 414 ...
Page 410: Forming Bgp Peer Routers
The iBGP peers have to maintain reciprocal sessions to every other iBGP router in the same AS (in a full‐mesh manner) in order to propagate route information throughout the AS. If the iBGP session shown between the two routers in AS 20 was not present (as indicated in Figure 42), the top router would not learn the route to AS 50, and the bottom router would not learn the route to AS 11, even though the two AS 20 routers are connected via the Flex System and the Application Switch. Figure 42. iBGP and eBGP AS 11 AS 20 ISP A iBGP eBGP Internet AS 50 ISP B Application Switch Typically, an AS has one or more border routers—peer routers that exchange routes with other ASs—and an internal routing scheme that enables routers in that AS to reach every other router and destination within that AS. When you advertise routes to border routers on other autonomous systems, you are effectively committing to carry data to the IPv4 space represented in the route being advertised. For example, if you advertise 192.204.4.0/24, you are declaring that if another router sends you data destined for any address in 192.204.4.0/24, you know how to carry that data to its destination. Forming BGP Peer Routers Two BGP routers become peers or neighbors once you establish a TCP connection between them. For each new route, if a peer is interested in that route (for example, if a peer would like to receive your static routes and the new route is static), an ...
Page 411: What Is A Route Map
43 illustrates the relationship between route maps, access lists and network filters. Figure 43. Distributing Network Filters in Access Lists and Route Maps Route Maps Network Filter (rmap) (nwf) Access Lists (alist) Route Map 1 Route Map 2 ----- ----- ----- ----- ----- ----- ----- Route Map 32 © Copyright Lenovo 2015 Chapter 30: Border Gateway Protocol...
Page 412: Incoming And Outgoing Route Maps
Incoming and Outgoing Route Maps You can have two types of route maps: incoming and outgoing. A BGP peer router can be configured to support up to eight route maps in the incoming route map list and outgoing route map list. If a route map is not configured in the incoming route map list, the router imports all BGP updates. If a route map is configured in the incoming route map list, the router ignores all unmatched incoming updates. If you set the action to deny, you must add another route map to permit all unmatched updates. Route maps in an outgoing route map list behave similar to route maps in an incoming route map list. If a route map is not configured in the outgoing route map list, all routes are advertised or permitted. If a route map in the outgoing route map list is set to permit, matched routes are advertised and unmatched routes are ignored. Precedence You can set a priority to a route map by specifying a precedence value with the following commands: CN4093(config)# routemap <map number> (Select a route map) CN4093(configroutemap)# precedence <1‐255>(Specify a precedence) CN4093(configroutemap)# exit The smaller the value the higher the precedence. If two route maps have the same precedence value, the smaller number has higher precedence. Configuration Overview To configure route maps, you need to do the following: 1. Define network filter. CN4093(config)# ip matchaddress 1 <IPv4 address> <IPv4 subnet mask> CN4093(config)# ip matchaddress 1 enable Enter a filter number from 1 to 256. Specify the IPv4 address and subnet mask of the network that you want to match. Enable the network filter. You can distribute up to 256 network filters among 32 route maps each containing eight access lists. 2. (Optional) Define the criteria for the access list and enable it. Specify the access list and associate the network filter number configured in Step 1.
Page 413 CN4093(configroutemap)# exit 6. Turn BGP on. CN4093(config)# router bgp CN4093(configrouterbgp)# enable 7. Assign the route map to a peer router. Select the peer router and then add the route map to the incoming route map list, CN4093(configrouterbgp)# neighbor 1 routemap in <1‐32> or to the outgoing route map list. CN4093(configrouterbgp)# neighbor 1 routemap out <1‐32> 8. Exit Router BGP mode. CN4093(configrouterbgp)# exit © Copyright Lenovo 2015 Chapter 30: Border Gateway Protocol...
Page 414: Aggregating Routes
CN4093(configrouterbgp)# aggregateaddress <1‐16> <IPv4 address> <mask> CN4093(configrouterbgp)# aggregateaddress enable <1‐16> CN4093(configrouterbgp)# exit An example of creating a BGP aggregate route is shown in “Default Redistribution and Route Aggregation Example” on page 419. Redistributing Routes In addition to running multiple routing protocols simultaneously, Lenovo N/OS software can redistribute information from one routing protocol to another. For example, you can instruct the switch to use BGP to re‐advertise static routes. This applies to all of the IP‐based routing protocols. You can also conditionally control the redistribution of routes between routing domains by defining a method known as route maps between the two domains. For more information on route maps, see “What is a Route Map?” on page 411. Redistributing routes is another way of providing policy control over whether to export OSPF routes, fixed routes, and static routes. For an example configuration, see “Default Redistribution and Route Aggregation Example” on page 419. Default routes can be configured using the following methods:  Import  Originate—The router sends a default route to peers if it does not have any default routes in its routing table.  Redistribute—Default routes are either configured through the default gateway ...
Page 415: Bgp Attributes
CN4093(config)# routemap 1 CN4093(config_route_map)# localpreference <04294967294> CN4093(config_route_map)# enabled CN4093(config_router_map)# exit CN4093(config)# router bgp CN4093(config_router_bgp)# neighbor {<number>/group <number>} routemap {<in/out> <1‐255>} Metric (Multi-Exit Discriminator) Attribute This attribute is a hint to external neighbors about the preferred path into an AS when there are multiple entry points. A lower metric value is preferred over a higher metric value. The default value of the metric attribute is 0. Unlike local preference, the metric attribute is exchanged between ASs; however, a metric attribute that comes into an AS does not leave the AS. When an update enters the AS with a certain metric value, that value is used for decision making within the AS. When BGP sends that update to another AS, the metric is reset to 0. Unless otherwise specified, the router compares metric attributes for paths from external neighbors that are in the same AS. © Copyright Lenovo 2015 Chapter 30: Border Gateway Protocol...
Page 416: Selecting Route Paths In Bgp
Selecting Route Paths in BGP BGP selects only one path as the best path. It does not rely on metric attributes to determine the best path. When the same network is learned via more than one BGP peer, BGP uses its policy for selecting the best route to that network. The BGP implementation on the CN4093 uses the following criteria to select a path when the same route is received from multiple peers. 1. Local fixed and static routes are preferred over learned routes. 2. With iBGP peers, routes with higher local preference values are selected. 3. In the case of multiple routes of equal preference, the route with lower AS path weight is selected. AS path weight = 128 x AS path length (number of autonomous systems traversed). 4. In the case of equal weight and routes learned from peers that reside in the same AS, the lower metric is selected. Note: A route with a metric is preferred over a route without a metric. 5. The lower cost to the next hop of routes is selected. 6. In the case of equal cost, the eBGP route is preferred over iBGP. 7. If all routes have same route type (eBGP or iBGP), the route with the lower router ID is selected.
Page 417: Bgp Failover Configuration
IP: 210.210.210.1 Server 2 BladeCenter Server 1 IP: 200.200.200.11 IP: 200.200.200.10 On the CN4093, one peer router (the secondary one) is configured with a longer AS path than the other, so that the peer with the shorter AS path will be seen by the switch as the primary default gateway. ISP 2, the secondary peer, is configured with a metric of “3,” thereby appearing to the switch to be three router hops away. 1. Define the VLANs. For simplicity, both default gateways are configured in the same VLAN in this example. The gateways could be in the same VLAN or different VLANs CN4093(config)# vlan 1 2. Define the IP interfaces with IPv4 addresses. The switch will need an IP interface for each default gateway to which it will be connected. Each interface must be placed in the appropriate VLAN. These interfaces will be used as the primary and secondary default gateways for the switch. CN4093(config)# interface ip 1 address 200.200.200.1 255.255.255.0 enable CN4093(configipif)# exit CN4093(config)# interface ip 2 address 210.210.210.1 255.255.255.0 enable CN4093(configipif)# exit © Copyright Lenovo 2015 Chapter 30: Border Gateway Protocol...
Page 418 3. Enable IP forwarding. IP forwarding is turned on by default and is used for VLAN‐to‐VLAN (non‐BGP) routing. Make sure IP forwarding is on if the default gateways are on different subnets or if the switch is connected to different subnets and those subnets need to communicate through the switch (which they almost always do). CN4093(config)# ip routing (Enable IP forwarding) Note: To help eliminate the possibility for a Denial of Service (DoS) attack, the forwarding of directed broadcasts is disabled by default. 4. Configure BGP peer router 1 and 2. CN4093(config)# router bgp CN4093(configrouterbgp)# ip routerid 8.8.8.8 CN4093(configrouterbgp)# as 816 CN4093(configrouterbgp)# neighbor 1 remoteaddress 200.200.200.2 CN4093(configrouterbgp)# neighbor 1 remoteas 100 CN4093(configrouterbgp)# no neighbor 1 shutdown CN4093(configrouterbgp)# neighbor 2 remoteaddress 210.210.210.2 CN4093(configrouterbgp)# neighbor 2 remoteas 200 CN4093(configrouterbgp)# no neighbor 2 shutdown ...
Page 419: Default Redistribution And Route Aggregation Example
10.1.1.135 0.0.0.0/0 Default routes towards internal peer router 1. Configure the IP interface. 2. Configure the AS number (AS 135) and router ID number (10.1.1.135) CN4093(config)# router bgp CN4093(configrouterbgp)# as 135 CN4093(configrouterbgp)# exit CN4093(config)# ip routerid 10.1.1.135 3. Configure internal peer router 1 and external peer router 2. CN4093(config)# router bgp CN4093(configrouterbgp)# neighbor 1 remoteaddress 10.1.1.4 CN4093(configrouterbgp)# neighbor 1 remoteas 135 CN4093(configrouterbgp)# no neighbor 1 shutdown CN4093(configrouterbgp)# neighbor 2 remoteaddress 20.20.20.2 CN4093(configrouterbgp)# neighbor 2 remoteas 200 CN4093(configrouterbgp)# no neighbor 2 shutdown 4. Configure redistribution for Peer 1. CN4093(configrouterbgp)# neighbor 1 redistribute defaultaction redistribute CN4093(configrouterbgp)# neighbor 1 redistribute fixed © Copyright Lenovo 2015 Chapter 30: Border Gateway Protocol...
Page 420 5. Configure aggregation policy control. Configure the routes that you want aggregated. CN4093(configrouterbgp)# aggregateaddress 1 135.0.0.0 255.0.0.0 CN4093(configrouterbgp)# aggregateaddress 1 enable CN4093 Application Guide for N/OS 8.2...
Page 421: Chapter 31. Ospf
Chapter 31. OSPF Lenovo N/OS supports the Open Shortest Path First (OSPF) routing protocol. The Lenovo N/OS implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583, and OSPF version 3 specifications in RFC 5340. The following sections discuss OSPF support for the CN4093 10Gb Converged Scalable Switch (CN4093):  “OSPFv2 Overview” on page 422. This section provides information on OSPFv2 concepts, such as types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing.  “OSPFv2 Implementation in Lenovo N/OS” on page 427. This section describes how OSPFv2 is implemented in Lenovo N/OS, such as configuration parameters, electing the designated router, summarizing routes, defining route maps and so forth. “OSPFv2 Configuration Examples” on page 437. This section provides  step‐by‐step instructions on configuring differentOSPFv2 examples: Creating a simple OSPF domain  Creating virtual links  Summarizing routes   “OSPFv3 Implementation in Lenovo N/OS” on page 444. This section describes differences and additional features found in OSPFv3. © Copyright Lenovo 2015...
Page 422: Ospfv2 Overview
OSPFv2 Overview OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. All routing devices maintain link information in their own Link State Database (LSDB). The LSDB for all routing devices within an area is identical but is not exchanged between different areas. Only routing updates are exchanged between areas, thereby significantly reducing the overhead for maintaining routing information on a large, dynamic network. The following sections describe key OSPF concepts. Types of OSPF Areas An AS can be broken into logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. As shown in Figure 46, OSPF defines the following types of areas:  Stub Area—an area that is connected to only one other area. External route information is not distributed into stub areas.  Not‐So‐Stubby‐Area (NSSA)—similar to a stub area with additional capabilities. Routes originating from within the NSSA can be propagated to adjacent transit and backbone areas. External routes from outside the AS can be advertised within the NSSA but can be configured to not be distributed into other areas. Transit Area—an area that carries data traffic which neither originates nor  terminates in the area itself. CN4093 Application Guide for N/OS 8.2...
Page 423 Backbone (NSSA) External LSA Routes ASBR Stub Area, NSSA, ABR = Area Border Router or Transit Area ASBR = Autonomous System Connected to Backbone Boundary Router via Virtual Link Non-OSPF Area RIP/BGP AS © Copyright Lenovo 2015 Chapter 31: OSPF...
Page 424: Types Of Ospf Routing Devices
Types of OSPF Routing Devices As shown in Figure 47, OSPF uses the following types of routing devices:  Internal Router (IR)—a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices within the local area.  Area Border Router (ABR)—a router that has interfaces in multiple areas. ABRs maintain one LSDB for each connected area and disseminate routing information between areas. Autonomous System Boundary Router (ASBR)—a router that acts as a gateway  between the OSPF domain and non‐OSPF domains, such as RIP, BGP, and static routes. Figure 47. OSPF Domain and an Autonomous System OSPF Autonomous System Backbone Area 3 Area 0 Inter-Area Routes External (Summary Routes) ASBR Routes Internal ASBR Router Area 1 Area 2 Neighbors and Adjacencies...
Page 425: The Link-State Database
When LSAs result in changes to the routing device’s LSDB, the routing device forwards the changes to the adjacent neighbors (the DR and BDR) for distribution to the other neighbors. OSPF routing updates occur only when changes occur, instead of periodically. For each new route, if an adjacency is interested in that route (for example, if configured to receive static routes and the new route is indeed static), an update message containing the new route is sent to the adjacency. For each route removed from the route table, if the route has already been sent to an adjacency, an update message containing the route to withdraw is sent. The Shortest Path First Tree The routing devices use a link‐state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination. The cost of an individual interface in OSPF is an indication of the overhead required to send packets across it. The cost is inversely proportional to the bandwidth of the interface. A lower cost indicates a higher bandwidth. Internal Versus External Routing To ensure effective processing of network traffic, every routing device on your network needs to know how to send a packet (directly or indirectly) to any other location/destination in your network. This is referred to as internal routing and can be done with static routes or using active internal routing protocols, such as OSPF, RIP, or RIPv2. It is also useful to tell routers outside your network (upstream providers or peers) about the routes you have access to in your network. Sharing of routing information between autonomous systems is known as external routing. © Copyright Lenovo 2015 Chapter 31: OSPF...
Page 426 Typically, an AS will have one or more border routers (peer routers that exchange routes with other OSPF networks) as well as an internal routing system enabling every router in that AS to reach every other router and destination within that AS. When a routing device advertises routes to boundary routers on other autonomous systems, it is effectively committing to carry data to the IP space represented in the route being advertised. For example, if the routing device advertises 192.204.4.0/24, it is declaring that if another router sends data destined for any address in the 192.204.4.0/24 range, it will carry that data to its destination. CN4093 Application Guide for N/OS 8.2...
Page 427: Ospfv2 Implementation In Lenovo N/Os
OSPFv2 Implementation in Lenovo N/OS Lenovo N/OS supports a single instance of OSPF and up to 2K routes on the network. The following sections describe OSPF implementation in Lenovo N/OS: “Configurable Parameters” on page 427   “Defining Areas” on page 427  “Interface Cost” on page 429  “Electing the Designated Router and Backup” on page 429  “Summarizing Routes” on page 430  “Default Routes” on page 430  “Virtual Links” on page 432  “Router ID” on page 433  “Authentication” on page 433 Configurable Parameters In Lenovo N/OS, OSPF parameters can be configured through the Command Line Interfaces (CLI/ISCLI), Browser‐Based Interface (BBI), or through SNMP. For more information, see “Switch Administration” on page 27.”...
Page 428: Assigning The Area Index
Since the backbone connects the areas in your network, it must be a contiguous area. If the backbone is partitioned (possibly as a result of joining separate OSPF networks), parts of the AS will be unreachable, and you will need to configure virtual links to reconnect the partitioned areas (see “Virtual Links” on page 432). Up to three OSPF areas can be connected to the CN4093 with Lenovo N/OS software. To configure an area, the OSPF number must be defined and then attached to a network interface on the switch. The full process is explained in the following sections. An OSPF area is defined by assigning two pieces of information: an area index and an area ID. The commands to define and enable an OSPF area are as follows: CN4093(config)# router ospf <area index> <n.n.n.n> CN4093(configrouterospf)# area areaid <area index> CN4093(configrouterospf)# area enable CN4093(configrouterospf)# exit Note: The aindex option above is an arbitrary index used only on the switch and does not represent the actual OSPF area number. The actual OSPF area number is defined in the areaid portion of the command as explained in the following sections.
Page 429: Attaching An Area To A Network
CN4093(configrouterospf)# enable CN4093(configrouterospf)# exit CN4093(config)# nterface ip 14 CN4093(configipif)# ip address 10.10.10.1 255.255.255.0 enable CN4093(configipif)# ip ospf area 1 CN4093(configipif)# ip ospf enable Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Lenovo N/OS” on page 444). Interface Cost The OSPF link‐state algorithm (Dijkstra’s algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. Usually, the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth. You can manually enter the cost for the output route with the following command: CN4093(configipif)# ip ospf cost <cost value (1‐65535)> Electing the Designated Router and Backup In any area with more than two routing devices, a Designated Router (DR) is ...
Page 430: Summarizing Routes
CN4093(configrouterospf)# arearange address <range number> <IP address> <mask> where <range number> is a number 1 to 16, <IPv4 address> is the base IP address for the range, and <subnet mask> is the IPv4 address mask for the range. For a detailed configuration example, see “Example 3: Summarizing Routes” on page 442. Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Lenovo N/OS” on page 444). Default Routes When an OSPF routing device encounters traffic for a destination address it does not recognize, it forwards that traffic along the default route. Typically, the default route leads upstream toward the backbone until it reaches the intended area or an external router. Each CN4093 acting as an ABR automatically inserts a default route into each attached area. In simple OSPF stub areas or NSSAs with only one ABR leading upstream (see Area 1 in Figure 48), any traffic for IP address destinations outside ...
Page 431 Priority Priority default route Default default route route Metric: ASBR to external networks If the switch is in a transit area and has a configured default gateway, it can inject a default route into rest of the OSPF domain. Use the following command to configure the switch to inject OSPF default routes: CN4093(configrouterospf)# defaultinformation <metric value> <metric type (1 or 2)> In the command above, <metric value> sets the priority for choosing this switch for default route. The value none sets no default and 1 sets the highest priority for default route. Metric type determines the method for influencing routing decisions for external routes. When the switch is configured to inject a default route, an AS‐external LSA with link state ID 0.0.0.0 is propagated throughout the OSPF routing domain. This LSA is sent with the configured metric value and metric type. The OSPF default route configuration can be removed with the command: CN4093(configrouterospf)# no defaultinformation © Copyright Lenovo 2015 Chapter 31: OSPF...
Page 432: Virtual Links
Virtual Links Usually, all areas in an OSPF AS are physically connected to the backbone. In some cases where this is not possible, you can use a virtual link. Virtual links are created to connect one area to the backbone through another non‐backbone area (see Figure 46 on page 423). The area which contains a virtual link must be a transit area and have full routing information. Virtual links cannot be configured inside a stub area or NSSA. The area type must be defined as transit using the following command: CN4093(configrouterospf)# area <area index> type transit The virtual link must be configured on the routing devices at each endpoint of the virtual link, though they may traverse multiple routing devices. To configure a CN4093 as one endpoint of a virtual link, use the following command: CN4093(configrouterospf)# areavirtuallink <link number> neighborrouter <router ID> where <link number> is a value between 1 and 3, <area index> is the OSPF area index of the transit area, and <router ID> is the IP address of the virtual neighbor (nbr), the routing device at the target endpoint. Another router ID is needed when configuring a virtual link in the other direction. To provide the CN4093 with a router ID, see the following section, Router ID. For a detailed configuration example on Virtual Links, see “Example 2: Virtual Links” on page 438. CN4093 Application Guide for N/OS 8.2...
Page 433: Router Id
Routing devices in OSPF areas are identified by a router ID, expressed in IP address format. The router ID is not required to be part of any IP interface range or in any OSPF area, and may even use the CN4093 loopback interface (see “Loopback Interfaces in OSPF” on page 436). The router ID can be configured in one of the following two ways:  Dynamically (the default)—OSPF protocol configures the router ID as the lowest IP loopback interface IP address, if available, or else the lowest IP interface IP address, if available. Once dynamically configured, the router ID does not nor‐ mally undergo further updates.  Statically—Use the following command to manually configure the router ID: CN4093(configrouterospf)# ip routerid <IPv4 address> To change the router ID from static to dynamic, set the router ID to 0.0.0.0, save the configuration, and reboot the CN4093. To view the router ID, enter: CN4093(configrouterospf)# show ip ospf Authentication OSPF protocol exchanges can be authenticated so that only trusted routing devices can participate. This ensures less processing on routing devices that are not listening to OSPF packets. OSPF allows packet authentication and uses IP multicast when sending and receiving packets. Routers participate in routing domains based on pre‐defined passwords. Lenovo N/OS supports simple password (type 1 plain text passwords) and MD5 cryptographic authentication. This type of authentication allows a password to be configured per area. We strongly recommend that you implement MD5 cryptographic authentication as a best practice. Figure shows authentication configured for area 0 with the password test. Simple authentication is also configured for the virtual link between area 2 and area 0. Area 1 is not configured for OSPF authentication. © Copyright Lenovo 2015 Chapter 31: OSPF...
Page 434: Configuring Plain Text Ospf Passwords
Figure 49. OSPF Authentication Area 0 Area 1 Simple authentication key=test Application Switch 2 IF 1 IF 2 Switch 3 Application IF 4 Switch 1 Application IF 3 Switch 5 Virtual link key=blade IF 5 Area 2 ASBR to external networks Switch 4 Configuring Plain Text OSPF Passwords To configure plain text OSPF passwords as shown in Figure...
Page 435: Host Routes For Load Balancing
CN4093(config)# interface ip 3 CN4093(configipif)# ip ospf messagedigestkey 1 CN4093(configipif)# exit 4. Enable OSPF MD5 authentication for Area 2 on switch 4. CN4093(config)# router ospf CN4093(configrouterospf)# area 2 authenticationtype md5 5. Configure MD5 key for the virtual link between Area 2 and Area 0 on switch 2 and switch 4. CN4093(configrouterospf)# messagedigestkey 2 md5key test 6. Assign MD5 key ID to OSPF virtual link on switches 2 and 4. CN4093(configrouterospf)# areavirtuallink 1 messagedigestkey 2 CN4093(configrouterospf)# exit Host Routes for Load Balancing Lenovo N/OS implementation of OSPF includes host routes. Host routes are used for advertising network device IP addresses to external networks, accomplishing the following goals:  ABR Load Sharing As a form of load balancing, host routes can be used for dividing OSPF traffic among multiple ABRs. To accomplish this, each switch provides identical services but advertises a host route for a different IP address to the external network. If each IP address serves a different and equal portion of the external world, incoming traffic from the upstream router should be split evenly among ABRs. © Copyright Lenovo 2015 Chapter 31: OSPF...
Page 436: Loopback Interfaces In Ospf
 ABR Failover Complementing ABR load sharing, identical host routes can be configured on each ABR. These host routes can be given different costs so that a different ABR is selected as the preferred route for each server and the others are available as backups for failover purposes. Equal Cost Multipath (ECMP)  With equal cost multipath, a router potentially has several available next hops towards any given destination. ECMP allows separate routes to be calculated for each IP Type of Service. All paths of equal cost to a given destination are calculated, and the next hops for all equal‐cost paths are inserted into the routing table. If redundant routes via multiple routing processes (such as OSPF, RIP, BGP, or static routes) exist on your network, the switch defaults to the OSPF‐derived route. Loopback Interfaces in OSPF Because loopback interfaces are always available on the switch, loopback interfaces may present an advantage when used as the router ID. If dynamic router ID selection is used (see “Router ID” on page 433), loopback interfaces can be used to force router ID selection. If a loopback interface is configured, its IP address is automatically selected as the router ID, even if other IP interfaces have lower IP addresses. If more than one loopback interface is configured, the lowest loopback interface IP address is selected. Loopback interfaces can be advertised into the OSPF domain by specifying an OSPF host route with the loopback interface IP address. To enable OSPF on an existing loopback interface: CN4093(config)# interface loopback <1‐5> CN4093(configiploopback)# ip ospf area <area ID> enable CN4093(configiploopback)# exit OSPF Features Not Supported in This Release The following OSPF features are not supported in this release: ...
Page 437: Ospfv2 Configuration Examples
Figure 50. A Simple OSPF Domain Backbone Stub Area Area 0 Area 1 (0.0.0.0) (0.0.0.1) IF 1 IF 2 10.10.7.1 10.10.12.1 Network Network 10.10.7.0/24 10.10.12.0/24 Follow this procedure to configure OSPF support as shown in Figure 1. Configure IP interfaces on each network that will be attached to OSPF areas. In this example, two IP interfaces are needed:  Interface 1 for the backbone network on 10.10.7.0/24 © Copyright Lenovo 2015 Chapter 31: OSPF...
Page 438: Example 2: Virtual Links
 Interface 2 for the stub area network on 10.10.12.0/24 CN4093(config)# interface ip 1 CN4093(configipif)# ip address 10.10.7.1 255.255.255.0 enable CN4093(configipif)# exit CN4093(config)# interface ip 2 CN4093(configipif)# ip address 10.10.12.1 255.255.255.0 enable CN4093(configipif)# exit Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Lenovo N/OS” on page 444). 2. Enable OSPF. CN4093(config)# router ospf CN4093(configrouterospf)# enable 3. Define the backbone. The backbone is always configured as a transit area using areaid 0.0.0.0. CN4093(configrouterospf)# area 0 areaid 0.0.0.0 CN4093(configrouterospf)# area 0 type transit CN4093(configrouterospf)# area 0 enable 4. Define the stub area. CN4093(configrouterospf)# area 1 areaid 0.0.0.1 CN4093(configrouterospf)# area 1 type stub...
Page 439 10.10.24.0/24 10.10.14.1 10.10.10.1 Network Network Network Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Lenovo N/OS” on page 444). Configuring OSPF for a Virtual Link on Switch #1 1. Configure IP interfaces on each network that will be attached to the switch. In this example, two IP interfaces are needed:  Interface 1 for the backbone network on 10.10.7.0/24 Interface 2 for the transit area network on 10.10.12.0/24 ...
Page 440 The area that contains the virtual link must be configured as a transit area. CN4093(configrouterospf)# area 1 areaid 0.0.0.1 CN4093(configrouterospf)# area 1 type transit CN4093(configrouterospf)# area 1 enable CN4093(configrouterospf)# exit 6. Attach the network interface to the backbone. CN4093(config)# interface ip 1 CN4093(configipif)# ip ospf area 0 CN4093(configipif)# ip ospf enable CN4093(configipif)# exit 7. Attach the network interface to the transit area. CN4093(config)# interface ip 2 CN4093(configipif)# ip ospf area 1 CN4093(configipif)# ip ospf enable CN4093(configipif)# exit 8. Configure the virtual link. The nbr router ID configured in this step must be the same as the router ID that will be configured for Switch #2 in Step 2 on page 440. CN4093(config)# router ospf CN4093(configrouterospf)# areavirtuallink 1 area 1 CN4093(configrouterospf)# areavirtuallink 1 neighborrouter 10.10.14.1 CN4093(configrouterospf)# areavirtuallink 1 enable Configuring OSPF for a Virtual Link on Switch #2 1. Configure IP interfaces on each network that will be attached to OSPF areas. In this example, two IP interfaces are needed: ...
Page 441 5. Define the transit area. CN4093(configrouterospf)# area 1 areaid 0.0.0.1 CN4093(configrouterospf)# area 1 type transit CN4093(configrouterospf)# area 1 enable 6. Define the stub area. CN4093(configrouterospf)# area 2 areaid 0.0.0.2 CN4093(configrouterospf)# area 2 type stub CN4093(configrouterospf)# area 2 enable CN4093(configrouterospf)# exit 7. Attach the network interface to the transmit area: CN4093(config)# interface ip 1 CN4093(configipif)# ip ospf area 1 CN4093(configipif)# ip ospf enable CN4093(configipif)# exit 8. Attach the network interface to the stub area. CN4093(config)# interface ip 2 CN4093(configipif)# ip ospf area 2 CN4093(configipif)# ip ospf enable CN4093(configipif)# exit 9. Configure the virtual link. The nbr router ID configured in this step must be the same as the router ID that was configured for switch #1 in Step 2 on page 439. CN4093(config)# router ospf CN4093(configrouterospf)# areavirtuallink 1 area 1 CN4093(configrouterospf)# areavirtuallink 1 neighborrouter 10.10.10.1 CN4093(configrouterospf)# areavirtuallink 1 enable © Copyright Lenovo 2015 Chapter 31: OSPF...
Page 442: Example 3: Summarizing Routes
If the network IP addresses in an area are assigned to a contiguous subnet range, you can configure the ABR to advertise a single summary route that includes all the individual IP addresses within the area. The following example shows one summary route from area 1 (stub area) injected into area 0 (the backbone). The summary route consists of all IP addresses from 36.128.192.0 through 36.128.254.255 except for the routes in the range 36.128.200.0 through 36.128.200.255. Note: OSPFv2 supports IPv4 only. IPv6 is supported in OSPFv3 (see “OSPFv3 Implementation in Lenovo N/OS” on page 444). Figure 52. Summarizing Routes Backbone Stub Area Area 0 Area 1 (0.0.0.0) (0.0.0.1) IF 1 IF 2 10.10.7.1...
Page 443: Verifying Ospf Configuration
CN4093(configipif)# exit 7. Configure route summarization by specifying the starting address and mask of the range of addresses to be summarized. CN4093(config)# router ospf CN4093(configrouterospf)# arearange 1 address 36.128.192.0 255.255.192.0 CN4093(configrouterospf)# arearange 1 area 1 CN4093(configrouterospf)# arearange 1 enable CN4093(configrouterospf)# exit 8. Use the hide command to prevent a range of addresses from advertising to the backbone. CN4093(config)# router ospf CN4093(configrouterospf)# arearange 2 address 36.128.200.0 255.255.255.0 CN4093(configrouterospf)# arearange 2 area 1 CN4093(configrouterospf)# arearange 2 hide CN4093(configrouterospf)# exit Verifying OSPF Configuration Use the following commands to verify the OSPF configuration on your switch: show ip ospf  show ip ospf neighbor  show ip ospf database databasesummary  show ip ospf routes  Refer to the Lenovo N/OS Command Reference for information on the preceding commands. © Copyright Lenovo 2015 Chapter 31: OSPF...
Page 444: Ospfv3 Implementation In Lenovo N/Os
OSPFv3 Implementation in Lenovo N/OS OSPF version 3 is based on OSPF version 2, but has been modified to support IPv6 addressing. In most other ways, OSPFv3 is similar to OSPFv2: They both have the same packet types and interfaces, and both use the same mechanisms for neighbor discovery, adjacency formation, LSA flooding, aging, and so on. The administrator should be familiar with the OSPFv2 concepts covered in the preceding sections of this chapter before implementing the OSPFv3 differences as described in the following sections. Although OSPFv2 and OSPFv3 are very similar, they represent independent features on the CN4093. They are configured separately, and both can run in parallel on the switch with no relation to one another, serving different IPv6 and IPv4 traffic, respectively. OSPFv3 Differences from OSPFv2 Note: When OSPFv3 is enabled, the OSPF backbone area (0.0.0.0) is created by default and is always active. OSPFv3 Requires IPv6 Interfaces OSPFv3 is designed to support IPv6 addresses. This requires IPv6 interfaces to be ...
Page 445: Other Internal Improvements
Summary Route 10::0/56 36::0/56 Network Network Note: You can specify a range of addresses to prevent advertising by using the hide option. In this example, routes in the 36::0/8 range are kept private. Use the following procedure to configure OSPFv3 support as shown in Figure © Copyright Lenovo 2015 Chapter 31: OSPF...
Page 446 1. Configure IPv6 interfaces for each link which will be attached to OSPFv3 areas. CN4093(config)# interface ip 3 CN4093(configipif)# ipv6 address 10:0:0:0:0:0:0:1 CN4093(configipif)# ipv6 prefixlen 56 CN4093(configipif)# enable CN4093(configipif)# exit CN4093(config)# interface ip 4 CN4093(configipif)# ip address 36:0:0:0:0:0:1 CN4093(configipif)# ipv6 prefixlen 56 CN4093(configipif)# enable CN4093(configipif)# exit This is equivalent to configuring the IP address and netmask for IPv4 interfaces. 2. Enable OSPFv3. CN4093(config)# ipv6 router ospf CN4093(configrouterospf3)# enable This is equivalent to the OSPFv2 enable option in the router ospf command path. 3. Define the backbone. CN4093(configrouterospf3)# area 0 areaid 0.0.0.0 CN4093(configrouterospf3)# area 0 type transit CN4093(configrouterospf3)# area 0 enable This is identical to OSPFv2 configuration. 4. Define the stub area. CN4093(configrouterospf3)# area 1 areaid 0.0.0.1 CN4093(configrouterospf3)# area 1 type stub CN4093(configrouterospf3)# area 1 enable CN4093(configrouterospf3)# exit This is identical to OSPFv2 configuration. 5. Attach the network interface to the backbone. CN4093(config)# interface ip 3 CN4093(configipif)# ipv6 ospf area 0 CN4093(configipif)# ipv6 ospf enable CN4093(configipif)# exit The ipv6 command path is used instead of the OSPFv2 ip command path 6. Attach the network interface to the stub area. CN4093(config)# interface ip 4 CN4093(configipif)# ipv6 ospf area 1 CN4093(configipif)# ipv6 ospf enable...
Page 447 7. Configure route summarization by specifying the starting address and prefix length of the range of addresses to be summarized. CN4093(config)# ipv6 router ospf CN4093(configrouterospf3)# arearange 1 address 36:0:0:0:0:0:0:0 32 CN4093(configrouterospf3)# arearange 1 area 0 CN4093(configrouterospf3)# arearange 1 enable This differs from OSPFv2 only in that the OSPFv3 command path is used, and the address and prefix are specified in IPv6 format. 8. Use the hide command to prevent a range of addresses from advertising to the backbone. CN4093(configrouterospf)# arearange 2 address 36:0:0:0:0:0:0:0 8 CN4093(configrouterospf)# arearange 2 area 0 CN4093(configrouterospf)# arearange 2 hide CN4093(configrouterospf)# exit This differs from OSPFv2 only in that the OSPFv3 command path is used, and the address and prefix are specified in IPv6 format. © Copyright Lenovo 2015 Chapter 31: OSPF...
Page 448: Neighbor Configuration Example
Neighbor Configuration Example When using NBMA or point to multipoint interfaces, you must manually configure neighbors. The following example includes the steps for neighbor configuration. 1. Configure IPv6 interface parameters: CN4093(config# interface ip 10 CN4093(configipif)# ipv6 address 10:0:0:0:0:0:0:12 64 CN4093(configipif)# vlan 10 CN4093(configipif)# enable CN4093(configipif)# ipv6 ospf area 0 CN4093(configipif)# ipv6 ospf retransmitinterval 5 CN4093(configipif)# ipv6 ospf transmitdelay 1 CN4093(configipif)# ipv6 ospf priority 1 CN4093(configipif)# ipv6 ospf hellointerval 10 CN4093(configipif)# ipv6 ospf deadinterval 40 CN4093(configipif)# ipv6 ospf network pointtomultipoint CN4093(configipif)# ipv6 ospf pollinterval 120 CN4093(configipif)# ipv6 ospf enable CN4093(configipif)# exit 2. Enable OSPFv3: CN4093(config# ipv6 router ospf CN4093(configrouterospf3)# routerid 12.12.12.12 CN4093(configrouterospf3)# enable 3. Define the backbone. CN4093(configrouterospf3)# area 0 areaid 0.0.0.0 CN4093(configrouterospf3)# area 0 stabilityinterval 40 CN4093(configrouterospf3)# area 0 defaultmetric 1 CN4093(configrouterospf3)# area 0 defaultmetric type 1 CN4093(configrouterospf3)# area 0 translationrole candidate CN4093(configrouterospf3)# area 0 type transit CN4093(configrouterospf3)# area 0 enable 4. Configure neighbor entry: CN4093(configrouterospf3)# neighbor 1 address fe80:0:0:0:dceb:ff:fe00:9 CN4093(configrouterospf3)# neighbor 1 interface 10 CN4093(configrouterospf3)# neighbor 1 priority 1 CN4093(configrouterospf3)# neighbor 1 enable CN4093 Application Guide for N/OS 8.2...
Page 449: Chapter 32. Protocol Independent Multicast
Chapter 32. Protocol Independent Multicast Lenovo N/OS supports Protocol Independent Multicast (PIM) in Sparse Mode (PIM‐SM) and Dense Mode (PIM‐DM). Note: Lenovo N/OS 8.2 does not support IPv6 for PIM. The following sections discuss PIM support for the CN4093 10Gb Converged Scalable Switch:  “PIM Overview” on page 449  “Supported PIM Modes and Features” on page 450  “Basic PIM Settings” on page 450  “Additional Sparse Mode Settings” on page 453  “Using PIM with Other Features” on page 454  “PIM Configuration Examples” on page 455 PIM Overview PIM is designed for efficiently routing multicast traffic across one or more IPv4 ...
Page 450: Supported Pim Modes And Features
DRs continue to share routing information with the RP, modifying the multicast routing tree when new receivers join, or pruning the tree when all the receivers in any particular domain are no longer part of the multicast group. Supported PIM Modes and Features For each interface attached to a PIM network component, PIM can be configured to operate either in PIM Sparse Mode (PIM‐SM) or PIM Dense Mode (PIM‐DM).  PIM‐SM is used in networks where multicast senders and receivers comprise a relatively small (sparse) portion of the overall network. PIM‐SM uses a more complex process than PIM‐DM for collecting and optimizing multicast routes, but minimizes impact on other IP services and is more commonly used.  PIM‐DM is used where multicast devices are a relatively large (dense) portion of the network, with very frequent (or constant) multicast traffic. PIM‐DM requires less configuration on the switch than PIM‐SM, but uses broadcasts that can consume more bandwidth in establishing and optimizing routes. The following PIM modes and features are not currently supported in Lenovo N/OS 8.2:  Hybrid Sparse‐Dense Mode (PIM‐SM/DM). Sparse Mode and Dense Mode may be configured on separate IP interfaces on the switch, but are not currently sup‐ ported simultaneously on the same IP interface.  PIM Source‐Specific Multicast (PIM‐SSM) Anycast RP   PIM RP filters Only configuration via the switch ISCLI is supported. PIM configuration is cur‐  rently not available using the menu‐based CLI, the BBI, or via SNMP. Basic PIM Settings To use PIM the following is required: ...
Page 451: Globally Enabling Or Disabling The Pim Feature
Next, PIM must be enabled on the interface, and the PIM network component ID must be specified: CN4093(configipif)# ip pim enable CN4093(configipif)# ip pim componentid <1‐2> CN4093(configipif)# exit By default, PIM component 1 is automatically assigned when PIM is enabled on the IP interface. Note: While PIM is enabled on the interface, the interface VLAN cannot be changed. To change the VLAN, first disable PIM on the interface. © Copyright Lenovo 2015 Chapter 32: Protocol Independent Multicast...
Page 452: Pim Neighbor Filters
PIM Neighbor Filters The CN4093 accepts connection to up to 24 PIM interfaces. By default, the switch accepts all PIM neighbors attached to the PIM‐enabled interfaces, up to the maximum number (72 neighbors). Once the maximum is reached, the switch will deny further PIM neighbors. To ensure that only the appropriate PIM neighbors are accepted by the switch, the administrator can use PIM neighbor filters to specify which PIM neighbors may be accepted or denied on a per‐interface basis. To turn PIM neighbor filtering on or off for a particular IP interface, use the following commands: CN4093(config)# interface ip <Interface number> CN4093(configipif)# [no] ip pim neighborfilter When filtering is enabled, all PIM neighbor requests on the specified IP interface will be denied by default. To allow a specific PIM neighbor, use the following command: CN4093(configipif)# ip pim neighboraddr <neighbor IPv4 address> allow To remove a PIM neighbor from the accepted list, use the following command. CN4093(configipif)# ip pim neighboraddr <neighbor IPv4 address> deny CN4093(configipif)# exit You can view configured PIM neighbor filters globally or for a specific IP interface using the following commands: CN4093(config)# show ip pim neighborfilters CN4093(config)# show ip pim interface <Interface number> neighborfilters CN4093 Application Guide for N/OS 8.2...
Page 453: Additional Sparse Mode Settings
CN4093 to be connected to a peer that has a DR priority setting of 1 or higher in order to ensure that a DR will be present in the network. © Copyright Lenovo 2015 Chapter 32: Protocol Independent Multicast...
Page 454: Specifying A Bootstrap Router
Specifying a Bootstrap Router Using PIM‐SM, a Bootstrap Router (BSR) is a PIM‐capable router that hosts the election of the RP from available candidate routers. For each PIM‐enabled IP interface, the administrator can set the preference level for which the local interface becomes the BSR: CN4093(config)# interface ip <Interface number> CN4093(configipif)# ip pim cbsrpreference <0 to 255> CN4093(configipif)# exit A value of 255 highly prefers the local interface as a BSR. A value of ‐1 indicates that the PIM CBSR preference is not configured on the local interface. Using PIM with Other Features PIM with ACLs or VMAPs If using ACLs or VMAPs, be sure to permit traffic for local hosts and routers. PIM with IGMP If using IGMP (see “Internet Group Management Protocol” on page 391): IGMP static joins can be configured with a PIM‐SM or PIM‐DM multicast group  IPv4 address. Using the ISCLI: CN4093(config)# ip mroute <multicast group IPv4 address> <VLAN> <port>  IGMP Query is disabled by default. If IGMP Querier is needed with PIM, be sure to enable the IGMP Query feature globally, as well as on each VLAN where it is needed. If the switch is connected to multicast receivers and/or hosts, be sure to enable  IGMP snooping globally, as well as on each VLAN where PIM receivers are attached.
Page 455: Pim Configuration Examples
CN4093(configipif)# ip pim enable CN4093(configipif)# ip pim componentid 1 Note: Because, PIM component 1 is assigned to the interface by default, the componentid command is needed only if the setting has been previously changed. 5. Set the Bootstrap Router (BSR) preference: CN4093(configipif)# ip pim cbsrpreference 135 CN4093(configipif)# exit © Copyright Lenovo 2015 Chapter 32: Protocol Independent Multicast...
Page 456 Note: In the following example, since the receivers and sources are connected in different areas, the border router must be configured for the IPMC traffic to be forwarded. Lenovo N/OS supports only partial configuration of PIM border router. Figure 54. Network with both PIM‐DM and PIM‐SM Components...
Page 457 CN4093(configipif)# vlan 102 CN4093(configipif)# enable 4. Enable PIM on the IP interface and assign the PIM component: CN4093(configipif)# ip pim enable CN4093(configipif)# ip pim componentid 2 CN4093(configipif)# exit 5. (Optional) Configure PIM border router if the IPMC traffic is flowing between PIM domains: CN4093(config)# ip pim pmbr enable CN4093(config)# interface ip 22 CN4093(configipif)# ip pim borderbit CN4093(configipif)# exit CN4093(config)# interface ip 11 CN4093(configipif)# ip pim borderbit CN4093(configipif)# exit Note: For PIM Dense Mode, the DR, RP, and BSR settings do not apply. © Copyright Lenovo 2015 Chapter 32: Protocol Independent Multicast...
Page 458 CN4093 Application Guide for N/OS 8.2...
Page 459: Part 6: High Availability Fundamentals
Part 6: High Availability Fundamentals Internet traffic consists of myriad services and applications which use the Internet Protocol (IP) for data delivery. However, IP is not optimized for all the various applications. High Availability goes beyond IP and makes intelligent switching decisions to provide redundant network configurations. © Copyright Lenovo 2015...
Page 460 CN4093 Application Guide for N/OS 8.2...
Page 461: Chapter 33. Basic Redundancy
 “Trunking for Link Redundancy” on page 461  “Hot Links” on page 462 Trunking for Link Redundancy Multiple switch ports can be combined together to form robust, high‐bandwidth trunks to other devices. Since trunks are comprised of multiple physical links, the trunk group is inherently fault tolerant. As long as one connection between the switches is available, the trunk remains active. In Figure 55, four ports are trunked together between the switch and the enterprise routing device. Connectivity is maintained as long as one of the links remain active. The links to the server are also trunked, allowing the secondary NIC to take over in the event that the primary NIC link fails. Figure 55. Trunking Ports for Link Redundancy Enterprise Server Routing Switch NIC 1 Internet NIC 2 Trunk Trunk For more information on trunking, see “Ports and Trunking” on page 131. © Copyright Lenovo 2015...
Page 462: Hot Links
Hot Links Hot Links provides basic link redundancy with fast recovery. Hot Links consists of up to 200 triggers in stand‐alone mode and up to 200 triggers in stacking mode. A trigger consists of a pair of layer 2 interfaces, each containing an individual port, trunk, or LACP adminkey. One interface is the Master, and the other is a Backup. While the Master interface is set to the active state and forwards traffic, the Backup interface is set to the standby state and blocks traffic until the Master interface fails. If the Master interface fails, the Backup interface is set to active and forwards traffic. Once the Master interface is restored, it transitions to the standby state and blocks traffic until the Backup interface fails. You may select a physical port, static trunk, or an LACP adminkey as a Hot Link interface. Only external uplink ports can be members of a Hot Links trigger interface. Forward Delay The Forward Delay timer allows Hot Links to monitor the Master and Backup interfaces for link stability before selecting one interface to transition to the active state. Before the transition occurs, the interface must maintain a stable link for the duration of the Forward Delay interval. For example, if you set the Forward delay timer to 10 seconds (CN4093(config)#hotlinks trigger <x> forwarddelay 10), the switch will select an interface to become active only if a link remained stable for the duration of the Forward Delay period. If the link is unstable, the Forward Delay period starts again. Preemption You can configure the Master interface to resume the active state whenever it becomes available. With Hot Links preemption enabled, the Master interface transitions to the active state immediately upon recovery. The Backup interface immediately transitions to the standby state. If Forward Delay is enabled, the transition occurs when an interface has maintained link stability for the duration of the Forward Delay period. FDB Update Use the FDB update option to notify other devices on the network about updates to the Forwarding Database (FDB). When you enable FDB update, the switch sends multicasts of addresses in the forwarding database (FDB) over the active interface, so that other devices on the network can learn the new path. The Hot Links FBD update option uses the station update rate to determine the rate at which to send FDB packets. CN4093 Application Guide for N/OS 8.2...
Page 463: Configuration Guidelines
Configuration Guidelines The following configuration guidelines apply to Hot links:  Only external ports can be configured as Hot Links.  When Hot Links is turned on, MSTP, RSTP, and PVRST must be turned off.  A port that is a member of the Master interface cannot be a member of the Backup interface. A port that is a member of one Hot Links trigger cannot be a member of another Hot Links trigger. An individual port that is configured as a Hot Link interface cannot be a  member of a trunk. Configuring Hot Links Use the following commands to configure Hot Links. CN4093(config)# hotlinks trigger 1 enable (Enable Hot Links Trigger 1) CN4093(config)# hotlinks trigger 1 master port 38 (Add port to Master interface) CN4093(config)# hotlinks trigger 1 backup port 39(Add port to Backup interface) CN4093(config)# hotlinks enable (Turn on Hot Links) © Copyright Lenovo 2015 Chapter 33: Basic Redundancy...
Page 464 CN4093 Application Guide for N/OS 8.2...
Page 465: Chapter 34. Layer 2 Failover
LACP trunks. Trunks can be added to failover trigger groups. Then, if some specified number of trigger links fail, the switch disables all the internal ports in the switch (unless VLAN Monitor is turned on). When the internal ports are disabled, it causes the NIC team on the affected server blades to failover from the primary to the backup NIC. This process is called a failover event. When the appropriate number of links in a trigger group return to service, the switch enables the internal ports. This causes the NIC team on the affected server blades to fail back to the primary switch (unless Auto‐Fallback is disabled on the NIC team). The backup switch processes traffic until the primary switch’s internal links come up, which can take up to five seconds. VLAN Monitor The VLAN Monitor allows Layer 2 Failover to discern different VLANs. With VLAN Monitor turned on:  If enough links in a trigger fail (see “Setting the Failover Limit” on page 467), the switch disables all internal ports that reside in the same VLAN membership as the trunk(s) in the trigger.  When enough links in the trigger return to service, the switch enables the internal ports that reside in the same VLAN membership as the trunk(s) in the trigger. If you turn off the VLAN Monitor (CN4093# no failover vlan), only one failover trigger is allowed. When a link failure occurs on the trigger, the switch disables all internal server‐blade ports. Auto Monitor Configurations Figure 56 is a simple example of Layer 2 Failover. One CN4093 is the primary, and the other is used as a backup. In this example, all external ports on the primary switch belong to a single trunk group, with Layer 2 Failover enabled, and Failover Limit set to 2. If two or fewer links in trigger 1 remain active, the switch temporarily disables all internal server‐blade ports that reside in VLAN 1. This action causes a failover event on Server 1 and Server 2. © Copyright Lenovo 2015...
Page 466 Figure 56. Basic Layer 2 Failover Trigger 1 Primary Switch Server 1 Server 2 Internet Server 3 Trigger 1 Server 4 Backup Switch Enterprise Routing Switch VLAN 1: VLAN 2: VLAN Monitor = On Figure 57 shows a configuration with two trunks, each in a different Failover Trigger. Switch 1 is the primary switch for Server 1 and Server 2. Switch 2 is the primary switch for Server 3 and Server 4. VLAN Monitor is turned on. STP is turned off. If all links go down in trigger 1, Switch 1 disables all internal ports that reside in VLAN 1. If all links in trigger 2 go down, Switch 1 disables all internal ports that reside in VLAN 2. Figure 57. Two trunks, each in a different Failover Trigger Trigger 1 Switch 1 Server 1...
Page 467: Setting The Failover Limit
Setting the Failover Limit The failover limit lets you specify the minimum number of operational links required within each trigger before the trigger initiates a failover event. For example, if the limit is two, a failover event occurs when the number of operational links in the trigger is two or fewer. When you set the limit to zero, the switch triggers a failover event only when no links in the trigger are operational. Manually Monitoring Port Links The Manual Monitor allows you to configure a set of ports and/or trunks to monitor for link failures (a monitor list), and another set of ports and/or trunks to disable when the trigger limit is reached (a control list). When the switch detects a link failure on the monitor list, it automatically disables the items in control list. When server ports are disabled, the corresponding server’s network adapter can detect the disabled link, and trigger a network‐adapter failover to another port or trunk on the switch, or another switch in the chassis. The switch automatically enables the control list items when the monitor list items return to service. Monitor Port State A monitor port is considered operational as long as the following conditions are true: The port must be in the Link Up state.   If STP is enabled, the port must be in the Forwarding state. If the port is part of an LACP trunk, the port must be in the Aggregated state.  If any of the above conditions is false, the monitor port is considered to have failed. © Copyright Lenovo 2015 Chapter 34: Layer 2 Failover...
Page 468: L2 Failover With Other Features
Control Port State A control port is considered Operational if the monitor trigger is up. As long as the trigger is up, the port is considered operational from a teaming perspective, even if the port itself is actually in the Down state, Blocking state (if STP is enabled on the port), or Not Aggregated state (if part of an LACP trunk). A control port is considered to have failed only if the monitor trigger is in the Down state. To view the state of any port, use one of the following commands: (View port link status) CN4093# show interface link (View port STP status) CN4093# show interface port <x> spanningtree stp <x> (View port LACP status) CN4093# show lacp information L2 Failover with Other Features L2 Failover works together with Link Aggregation Control Protocol (LACP) and with Spanning Tree Protocol (STP), as described in the next sections. LACP Link Aggregation Control Protocol allows the switch to form dynamic trunks. You can use the admin key to add up to two LACP trunks to a failover trigger using automatic monitoring. When you add an admin key to a trigger, any LACP trunk with that admin key becomes a member of the trigger. Spanning Tree Protocol If Spanning Tree Protocol (STP) is enabled on the ports in a failover trigger, the switch monitors the port STP state rather than the link state. A port failure results when STP is not in a Forwarding state (such as Learning, Discarding, or No Link). The switch automatically disables the appropriate internal ports, based on the VLAN monitor. When the switch determines that ports in the trigger are in STP Forwarding state, then it automatically enables the appropriate internal ports, based on the VLAN monitor. The switch fails back to normal operation. CN4093 Application Guide for N/OS 8.2...
Page 469: Configuration Guidelines
A maximum of two LACP keys can be added per trigger.   When VLAN Monitor is on, the following additional guidelines apply: All external ports in all static or LACP trunks added to a specific failover  trigger must belong to the same VLAN and have the same PVID. Different triggers are not permitted to operate on the same VLAN.  Different triggers are not permitted to operate on the same internal port.  For each port in each trunk in a specific failover trigger, the trigger will  monitor the STP state on only the default PVID. Manual Monitor Guidelines  A Manual Monitor can monitor only external ports. Any specific failover trigger can monitor external ports only, static trunks only,  or LACP trunks only. The different types cannot be combined in the same trigger.  A maximum of two LACP keys can be added per trigger.  Management ports, FC ports, and stacking ports cannot be monitored.  Control ports for different triggers must not overlap. Monitor ports may overlap. © Copyright Lenovo 2015 Chapter 34: Layer 2 Failover...
Page 470: Configuring Layer 2 Failover
Configuring Layer 2 Failover Auto Monitor Example The following procedure pertains to the configuration shown in Figure 1. Configure Network Adapter Teaming on the servers. 2. Define a trunk group on the CN4093. CN4093(config)# portchannel 1 port EXT1,EXT2,EXT3 enable 3. Configure Failover parameters. CN4093(config)# failover trigger 1 enable CN4093(config)# failover trigger 1 limit <0‐1024> CN4093(config)# failover trigger 1 amon portchannel 1 4. Verify the configuration. CN4093(config)# show failover trigger 1 information Manual Monitor Example Use the following procedure to configure a Layer 2 Failover Manual Monitor. 1. Configure Network Adapter Teaming on the servers. 2. Specify the links to monitor. CN4093(config)# failover trigger 1 mmon monitor member EXT4,EXT5,EXT6 3. Specify the links to disable when the failover limit is reached. CN4093(config)# failover trigger 1 mmon control member INT13,INT14 4. Configure general Layer 2 Failover parameters. CN4093(config)# failover trigger 1 enable CN4093(config)# failover trigger 1 limit <0‐1024> 5. Enable failover globally. CN4093(config)# failover enable 6.
Page 471: Chapter 35. Virtual Router Redundancy Protocol
Chapter 35. Virtual Router Redundancy Protocol The CN4093 10Gb Converged Scalable Switch (CN4093) supports IPv4 high‐availability network topologies through an enhanced implementation of the Virtual Router Redundancy Protocol (VRRP). Note: Lenovo N/OS 8.2 does not support IPv6 for VRRP. The following topics are discussed in this chapter: “VRRP Overview” on page 471. This section discusses VRRP operation and  Lenovo N/OS redundancy configurations.  “Failover Methods” on page 474. This section describes the three modes of high availability.  “Lenovo N/OS Extensions to VRRP” on page 477. This section describes VRRP enhancements implemented in Lenovo N/OS.  “Virtual Router Deployment Considerations” on page 478. This section describes issues to consider when deploying virtual routers.  “High Availability Configurations” on page 479. This section discusses the more useful and easily deployed redundant configurations.
Page 472: Vrrp Components
VRRP Components Each physical router running VRRP is known as a VRRP router. Virtual Router Two or more VRRP routers can be configured to form a virtual router (RFC 2338). Each VRRP router may participate in one or more virtual routers. Each virtual router consists of a user‐configured virtual router identifier (VRID) and an IPv4 address. Virtual Router MAC Address The VRID is used to build the virtual router MAC Address. The five highest‐order octets of the virtual router MAC Address are the standard MAC prefix (00‐00‐5E‐00‐01) defined in RFC 2338. The VRID is used to form the lowest‐order octet. Owners and Renters Only one of the VRRP routers in a virtual router may be configured as the IPv4 address owner. This router has the virtual router’s IPv4 address as its real interface address. This router responds to packets addressed to the virtual router’s IPv4 address for ICMP pings, TCP connections, and so on. There is no requirement for any VRRP router to be the IPv4 address owner. Most VRRP installations choose not to implement an IPv4 address owner. For the purposes of this chapter, VRRP routers that are not the IPv4 address owner are called renters. Master and Backup Virtual Router Within each virtual router, one VRRP router is selected to be the virtual router master. See “Selecting the Master VRRP Router” on page 473 for an explanation of the selection process. Note: If the IPv4 address owner is available, it will always become the virtual router master.
Page 473: Vrrp Operation
To prevent this from happening, configure redundant links to be used between the switches that form a virtual router. © Copyright Lenovo 2015 Chapter 35: Virtual Router Redundancy Protocol...
Page 474: Failover Methods
Figure 59. A Non‐VRRP, Hot‐Standby Configuration Intranet Clients Primary Switch IP: 200.200.200.100 Internet Servers NFS Server Client Switches Secondary Switch IP: 200.200.200.101 While hot‐standby configurations increase site availability by removing single points‐of‐failure, service providers increasingly view them as an inefficient use of network resources because one functional application switch sits by idly until a failure calls it into action. Service providers now demand that vendorsʹ equipment support redundant configurations where all devices can process traffic when they are healthy, increasing site throughput and decreasing user response times when no device has failed. Lenovo N/OS high availability configurations are based on VRRP. The implementation of VRRP includes proprietary extensions. The Lenovo N/OS implementation of VRRP supports the following modes of high availability: Active‐Active—based on proprietary Lenovo N/OS extensions to VRRP   Hot‐Standby—supports Network Adapter Teaming on your server blades CN4093 Application Guide for N/OS 8.2...
Page 475: Active-Active Redundancy
Active (subnet B and D) Hot-Standby Redundancy The primary application for VRRP‐based hot‐standby is to support Server Load Balancing when you have configured Network Adapter Teaming on your server blades. With Network Adapter Teaming, the NICs on each server share the same IPv4 address, and are configured into a team. One NIC is the primary link, and the others are backup links. For more details, refer to the relevant network adapter documentation. The hot‐standby model is shown in Figure Figure 61. Hot‐Standby Redundancy Active 10.10.10.1 Clients Switch 1 Interswitch Servers Link Enterprise Switch 2 Routing Switch 10.10.10.2 Standby Backup Link © Copyright Lenovo 2015 Chapter 35: Virtual Router Redundancy Protocol...
Page 476: Virtual Router Group
Virtual Router Group The virtual router group ties all virtual routers on the switch together as a single entity. By definition, hot‐standby requires that all virtual routers failover as a group, and not individually. As members of a group, all virtual routers on the switch (and therefore the switch itself), are in either a master or standby state. The virtual router group cannot be used for active‐active configurations or any other configuration that require shared interfaces. A VRRP group has the following characteristics:  When enabled, all virtual routers behave as one entity, and all group settings override any individual virtual router settings.  All individual virtual routers, once the VRRP group is enabled, assume the group’s tracking and priority.  When one member of a VRRP group fails, the priority of the group decreases, and the state of the entire switch changes from Master to Standby. Each VRRP advertisement can include up to 128 addresses. All virtual routers are advertised within the same packet, conserving processing and buffering resources. CN4093 Application Guide for N/OS 8.2...
Page 477: Lenovo N/Os Extensions To Vrrp
Lenovo N/OS Extensions to VRRP This section describes VRRP enhancements that are implemented in Lenovo N/OS. Lenovo N/OS supports a tracking function that dynamically modifies the priority of a VRRP router, based on its current state. The objective of tracking is to have, whenever possible, the master bidding processes for various virtual routers in a LAN converge on the same switch. Tracking ensures that the selected switch is the one that offers optimal network performance. For tracking to have any effect on virtual router operation, preemption must be enabled. Lenovo N/OS can track the attributes listed in Table 39 : Table 39. VRRP Tracking Parameters Parameter Description Number of IP interfaces on the Helps elect the virtual routers with the switch that are active (“up”) most available routes as the master. (An IP interface is considered active when there trackingpriorityincrement is at least one active port on the same interfaces VLAN.) This parameter influences the VRRP routerʹs priority in virtual interface routers. Number of active ports on the same Helps elect the virtual routers with the VLAN most available ports as the master. This parameter influences the VRRP routerʹs trackingpriorityincrement priority in virtual interface routers. ports Note: In a hot‐standby configuration, only external ports are tracked. ...
Page 478: Virtual Router Deployment Considerations
Virtual Router Deployment Considerations Assigning VRRP Virtual Router ID During the software upgrade process, VRRP virtual router IDs will be automatically assigned if failover is enabled on the switch. When configuring virtual routers at any point after upgrade, virtual router ID numbers must be assigned. The virtual router ID may be configured as any number between 1 and 255. Use the following commands to configure the virtual router ID: CN4093(config)# router vrrp CN4093(configvrrp)# virtualrouter 1 virtualrouterid <1‐255> Configuring the Switch for Tracking Tracking configuration largely depends on user preferences and network environment. Consider the configuration shown in Figure 60 on page 475. Assume the following behavior on the network:  Switch 1 is the master router upon initialization. If switch 1 is the master and it has one fewer active servers than switch 2, then  switch 1 remains the master. This behavior is preferred because running one server down is less disruptive than bringing a new master online and severing all active connections in the process.  If switch 1 is the master and it has two or more active servers fewer than switch 2, then switch 2 becomes the master.  If switch 2 is the master, it remains the master even if servers are restored on switch 1 such that it has one fewer or an equal number of servers.
Page 479: High Availability Configurations
Routing Switch NIC 2: 10.0.2.4/24 L2 Switch VIR 1: 192.168.1.200 (Backup) VIR 2: 192.168.2.200 (Master) Although this example shows only two switches, there is no limit on the number of switches used in a redundant configuration. It is possible to implement an active‐active configuration across all the VRRP‐capable switches in a LAN. Each VRRP‐capable switch in an active‐active configuration is autonomous. Switches in a virtual router need not be identically configured. In the scenario illustrated in Figure 62, traffic destined for IPv4 address 10.0.1.1 is forwarded through the Layer 2 switch at the top of the drawing, and ingresses CN4093 1 on port EXT1. Return traffic uses default gateway 1 (192.168.1.1). If the link between CN4093 1 and the Layer 2 switch fails, CN4093 2 becomes the Master because it has a higher priority. Traffic is forwarded to CN4093 2, which forwards it to CN4093 1 through port EXT4. Return traffic uses default gateway 2 (192.168.2.1), and is forwarded through the Layer 2 switch at the bottom of the drawing. © Copyright Lenovo 2015 Chapter 35: Virtual Router Redundancy Protocol...
Page 480 To implement the active‐active example, perform the following switch configuration. Task 1: Configure CN4093 1 1. Configure client and server interfaces. CN4093(config)# interface ip 1 CN4093(configipif)# ip address 192.168.1.100 255.255.255.0 CN4093(configipif)# vlan 10 CN4093(configipif)# enable CN4093(configipif)# exit CN4093(config)# interface ip 2 CN4093(configipif)# ip address 192.168.2.101 255.255.255.0 CN4093(configipif)# vlan 20 CN4093(configipif)# enable CN4093(configipif)# exit CN4093(config)# interface ip 3 CN4093(configipif)# ip address 10.0.1.100 255.255.255.0 CN4093(configipif)# enable CN4093(configipif)# exit CN4093(config)# interface ip 4 CN4093(configipif)# ip address 10.0.2.101 255.255.255.0 CN4093(configipif)# enable CN4093(configipif)# exit 2. Configure the default gateways. Each default gateway points to a Layer 3 router. CN4093(config)# ip gateway 1 address 192.168.1.1 CN4093(config)# ip gateway 1 enable CN4093(config)# ip gateway 2 address 192.168.2.1 CN4093(config)# ip gateway 2 enable 3. Turn on VRRP and configure two Virtual Interface Routers. CN4093(config)# router vrrp CN4093(configvrrp)# enable CN4093(configvrrp)# virtualrouter 1 virtualrouterid 1 CN4093(configvrrp)# virtualrouter 1 interface 1 CN4093(configvrrp)# virtualrouter 1 address 192.168.1.200 CN4093(configvrrp)# virtualrouter 1 enable CN4093(configvrrp)# virtualrouter 2 virtualrouterid 2 CN4093(configvrrp)# virtualrouter 2 interface 2...
Page 481 Task 2: Configure CN4093 2 1. Configure client and server interfaces. CN4093(config)# interface ip 1 CN4093(configipif)# ip address 192.168.1.101 255.255.255.0 CN4093(configipif)# vlan 10 CN4093(configipif)# enable CN4093(configipif)# exit CN4093(config)# interface ip 2 CN4093(configipif)# ip address 192.168.2.100 255.255.255.0 CN4093(configipif)# vlan 20 CN4093(configipif)# enable CN4093(configipif)# exit CN4093(config)# interface ip 3 CN4093(configipif)# ip address 10.0.1.101 255.255.255.0 CN4093(configipif)# enable CN4093(configipif)# exit CN4093(config)# interface ip 4 CN4093(configipif)# ip address 10.0.2.100 255.255.255.0 CN4093(configipif)# enable CN4093(configipif)# exit 2. Configure the default gateways. Each default gateway points to a Layer 3 router. CN4093(config)# ip gateway 1 address 192.168.2.1 CN4093(config)# ip gateway 1 enable CN4093(config)# ip gateway 2 address 192.168.1.1 CN4093(config)# ip gateway 2 enable © Copyright Lenovo 2015 Chapter 35: Virtual Router Redundancy Protocol...
Page 482 3. Turn on VRRP and configure two Virtual Interface Routers. CN4093(config)# router vrrp CN4093(configvrrp)# enable CN4093(configvrrp)# virtualrouter 1 virtualrouterid 1 CN4093(configvrrp)# virtualrouter 1 interface 1 CN4093(configvrrp)# virtualrouter 1 address 192.168.1.200 CN4093(configvrrp)# virtualrouter 1 enable CN4093(configvrrp)# virtualrouter 2 virtualrouterid 2 CN4093(configvrrp)# virtualrouter 2 interface 2 CN4093(configvrrp)# virtualrouter 2 address 192.168.2.200 CN4093(configvrrp)# virtualrouter 2 enable 4. Enable tracking on ports. Set the priority of Virtual Router 2 to 101, so that it becomes the Master. CN4093(configvrrp)# virtualrouter 1 track ports CN4093(configvrrp)# virtualrouter 2 track ports CN4093(configvrrp)# virtualrouter 2 priority 101 CN4093(configvrrp)# exit 5. Configure ports. CN4093(config)# vlan 10 CN4093(configvlan)# exit CN4093(config)# interface port EXT1 CN4093(configif)# switchport mode trunk CN4093(configif)# switchport trunk allowed vlan add 10 CN4093(configif)# exit CN4093(config)# vlan 20 CN4093(configvlan)# exit CN4093(config)# interface port EXT2 CN4093(configif)# switchport mode trunk CN4093(configif)# switchport trunk allowed vlan add 20 CN4093(configif)# exit 6. Turn off Spanning Tree Protocol globally. CN4093(config)# no spanningtree stp 1 CN4093 Application Guide for N/OS 8.2...
Page 483: Hot-Standby Configuration
Switch 2 NIC 1 IP = 10.0.1.2 Enterprise Server 2 Routing Switch IF 1: 174.14.20.111 IF 2: 10.1.1.111 = Active Links VIR 1: 174.14.20.100 VIR 2: 10.1.1.100 = Standby Links © Copyright Lenovo 2015 Chapter 35: Virtual Router Redundancy Protocol...
Page 484 Task 1: Configure CN4093 1 1. On CN4093 1, configure the interfaces for clients (174.14.20.110) and servers (10.1.1.110). CN4093(config)# interface ip 1 CN4093(configipif)# ip address 174.14.20.110(Define IPv4 address for interface 1) CN4093(configipif)# enable CN4093(configipif)# exit CN4093(config)# interface ip 2 CN4093(configipif)# ip address 10.1.1.110(Define IPv4 address for interface 2) CN4093(configipif)# enable CN4093(configipif)# exit 2. Configure Virtual Interface Routers. CN4093(config)# router vrrp CN4093(configvrrp)# enable CN4093(configvrrp)# virtualrouter 1 virtualrouterid 1 CN4093(configvrrp)# virtualrouter 1 interface 1 CN4093(configvrrp)# virtualrouter 1 address 174.14.20.100 CN4093(configvrrp)# virtualrouter 1 enable CN4093(configvrrp)# virtualrouter 2 virtualrouterid 2 CN4093(configvrrp)# virtualrouter 2 interface 2 CN4093(configvrrp)# virtualrouter 2 address 10.1.1.100 CN4093(configvrrp)# virtualrouter 2 enable 3. Enable VRRP Hot Standby. CN4093(configvrrp)# hotstandby (Enable Hot Standby) 4. Configure VRRP Group parameters. Set the VRRP priority to 101, so that this switch is the Master. CN4093(configvrrp)# group enable (Enable Virtual Router Group) CN4093(configvrrp)# group virtualrouterid 1(Set Virtual Router ID for Group) CN4093(configvrrp)# group interface 1 (Set interface for Group) CN4093(configvrrp)# group priority 101(Set VRRP priority to 101) CN4093(configvrrp)# group track ports (Enable tracking on ports) 5.
Page 485 CN4093(configipif)# enable CN4093(configipif)# exit 2. Configure Virtual Interface Routers. CN4093(config)# router vrrp CN4093(configvrrp)# enable CN4093(configvrrp)# virtualrouter 1 virtualrouterid 1 CN4093(configvrrp)# virtualrouter 1 interface 1 CN4093(configvrrp)# virtualrouter 1 address 174.14.20.100 CN4093(configvrrp)# virtualrouter 1 enable CN4093(configvrrp)# virtualrouter 2 virtualrouterid 2 CN4093(configvrrp)# virtualrouter 2 interface 2 CN4093(configvrrp)# virtualrouter 2 address 10.1.1.100 CN4093(configvrrp)# virtualrouter 2 enable 3. Enable VRRP Hot Standby. CN4093(configvrrp)# hotstandby 4. Configure VRRP Group parameters. Use the default VRRP priority of 100, so that this switch is the Standby. CN4093(configvrrp)# group enable (Enable Virtual Router Group) CN4093(configvrrp)# group virtualrouterid 1(Set Virtual Router ID for Group) CN4093(configvrrp)# group interface 1 (Set interface for Group) CN4093(configvrrp)# group track ports (Enable tracking on ports) 5. Turn off Spanning Tree Protocol globally. . CN4093(config)# spanningtree mode disable © Copyright Lenovo 2015 Chapter 35: Virtual Router Redundancy Protocol...
Page 486 CN4093 Application Guide for N/OS 8.2...
Page 488 CN4093 Application Guide for N/OS 8.2...
Page 489: Chapter 36. Link Layer Discovery Protocol
“LLDP Example Configuration” on page 500 LLDP Overview Link Layer Discovery Protocol (LLDP) is an IEEE 802.1AB‐2005 standard for discovering and managing network devices. LLDP uses Layer 2 (the data link layer), and allows network management applications to extend their awareness of the network by discovering devices that are direct neighbors of already known devices. With LLDP, the CN4093 can advertise the presence of its ports, their major capabilities, and their current status to other LLDP stations in the same LAN. LLDP transmissions occur on ports at regular intervals or whenever there is a relevant change to their status. The switch can also receive LLDP information advertised from adjacent LLDP‐capable network devices. In addition to discovery of network resources, and notification of network changes, LLDP can help administrators quickly recognize a variety of common network configuration problems, such as unintended VLAN exclusions or mis‐matched port aggregation membership. The LLDP transmit function and receive function can be independently configured on a per‐port basis. The administrator can allow any given port to transmit only, receive only, or both transmit and receive LLDP information. The LLDP information to be distributed by the CN4093 ports, and that which has been collected from other LLDP stations, is stored in the switch’s Management Information Base (MIB). Network Management Systems (NMS) can use Simple Network Management Protocol (SNMP) to access this MIB information. LLDP‐related MIB information is read‐only. Changes, either to the local switch LLDP information or to the remotely received LLDP information, are flagged within the MIB for convenient tracking by SNMP‐based management systems. For LLDP to provide expected benefits, all network devices that support LLDP should be consistent in their LLDP configuration. LLDP - Stacking Mode In stacking mode, LLDP can be configured only on the ports that are not used to create the stack. The LLDP configuration menus on the stacking ports are disabled. © Copyright Lenovo 2015...
Page 490 When configuring LLDP on a port, use the correct port syntax. See example of port syntax on page 210. CN4093 Application Guide for N/OS 8.2...
Page 491: Enabling Or Disabling Lldp
(Transmit and receive LLDP) (Only transmit LLDP) CN4093(configif)# lldp adminstatus tx_only CN4093(configif)# lldp adminstatus rx_only (Only receive LLDP) CN4093(configif)# no lldp adminstatus (Do not participate in LLDP) (Exit port mode) CN4093(configif)# exit To view the LLDP transmit and receive status, use the following commands: CN4093(config)# show lldp port (status of all ports) (status of selected port) CN4093(config)# show interface port <n> lldp © Copyright Lenovo 2015 Chapter 36: Link Layer Discovery Protocol...
Page 492: Lldp Transmit Features
LLDP Transmit Features Numerous LLDP transmit options are available, including scheduled and minimum transmit interval, expiration on remote systems, SNMP trap notification, and the types of information permitted to be shared. Note: In stacking mode, only the stack Master transmits LLDP information for all the ports in a stack. The stack MAC address is used as the source address in the LLDP packets. Scheduled Interval The CN4093 can be configured to transmit LLDP information to neighboring ...
Page 493: Time-To-Live For Transmitted Information
Trap Notifications If SNMP is enabled on the CN4093 (see “Using Simple Network Management Protocol” on page 35), each port can be configured to send SNMP trap notifications whenever LLDP transmissions are sent. By default, trap notification is disabled for each port. The trap notification state can be changed using the following commands: CN4093(config)# interface port <x> CN4093(configif)# [no] lldp trapnotification CN4093(configif)# exit In addition to sending LLDP information at scheduled intervals, LLDP information is also sent when the CN4093 detects relevant changes to its configuration or status (such as when ports are enabled or disabled). To prevent the CN4093 from sending multiple trap notifications in rapid succession when port status is in flux, a global trap delay timer can be configured. The trap delay timer represents the minimum time permitted between successive trap notifications on any port. Any interval‐driven or change‐driven trap notices from the port will be consolidated until the configured trap delay expires. The minimum trap notification interval can be configured using the following command: CN4093(config)# lldp trapnotificationinterval <interval> where interval is the minimum number of seconds permitted between successive LLDP transmissions on any port. The range is 1 to 3600. The default is 5 seconds. If SNMP trap notification is enabled, the notification messages can also appear in the system log. This is enabled by default. To change whether the SNMP trap notifications for LLDP events appear in the system log, use the following commands: CN4093(config)# [no] logging log lldp © Copyright Lenovo 2015 Chapter 36: Link Layer Discovery Protocol...
Page 494: Changing The Lldp Transmit State
Changing the LLDP Transmit State When the port is disabled, or when LLDP transmit is turned off for the port using the admstat command’s rx_only or disabled options (see “Transmit and Receive Control” on page 491), a final LLDP packet is transmitted with a time‐to‐live value of 0. Neighbors that receive this packet will remove the LLDP information associated with the CN4093 port from their MIB. In addition, if LLDP is fully disabled on a port (using admstat disabled) and later re‐enabled, the CN4093 will temporarily delay resuming LLDP transmissions on the port in order to allow the port LLDP information to stabilize. The reinitialization delay interval can be globally configured for all ports using the following command: CN4093(config)# lldp reinitdelay <interval> where interval is the number of seconds to wait before resuming LLDP transmissions. The range is between 1 and 10. The default is 2 seconds. CN4093 Application Guide for N/OS 8.2...
Page 495: Types Of Information Transmitted
Disabled portprot IEEE 802.1 Port and Protocol VLAN ID Disabled vlanname IEEE 802.1 VLAN Name Disabled protid IEEE 802.1 Protocol Identity Disabled macphy IEEE 802.3 MAC/PHY Disabled Configuration/Status, including the auto‐negotiation, duplex, and speed status of the port. powermdi IEEE 802.3 Power via MDI, indicating the Disabled capabilities and status of devices that require or provide power over twisted‐pair copper links. linkaggr IEEE 802.3 Link Aggregation status for Disabled the port. framesz IEEE 802.3 Maximum Frame Size for the Disabled port. © Copyright Lenovo 2015 Chapter 36: Link Layer Discovery Protocol...
Page 496: Lldp Receive Features
Table 40. LLDP Optional Information Types (continued) Type Description Default Data Center Bridging Capability Enabled dcbx Exchange Protocol (DCBX) for the port. Select all optional LLDP information for Disabled inclusion or exclusion. LLDP Receive Features Types of Information Received When the LLDP receive option is enabled on a port (see “Enabling or Disabling LLDP” on page 491), the port may receive the following information from LLDP‐capable remote systems:  Chassis Information  Port Information  LLDP Time‐to‐Live  Port Description  System Name System Description   System Capabilities Supported/Enabled Remote Management Address  The CN4093 stores the collected LLDP information in the MIB. Each remote ...
Page 497 Note: Received LLDP information can change very quickly. When using show commands, it is possible that flags for some expected events may be too short-lived to be observed in the output. © Copyright Lenovo 2015 Chapter 36: Link Layer Discovery Protocol...
Page 498: Time-To-Live For Received Information
To view detailed information of all remote devices, use the following command: CN4093(config)# show lldp remotedevice detail Local Port Alias: EXT22 Remote Device Index : 1 Remote Device TTL : 94 Remote Device RxChanges : false Chassis Type : Mac Address Chassis Id : 74997574c500 Port Type : Locally Assigned Port Id : 42 Port Description : 42 System Name : GFC System Description : Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch, Lenovo Networking OS: version 7.8.0.43, Boot image: version 7.8.0.43 System Capabilities Supported : bridge, router System Capabilities Enabled : bridge, router Remote Management Address: Subtype : IPv4 Address : 11.1.58.5 Interface Subtype : ifIndex Interface Number : 58 Object Identifier : Local Port Alias: EXT24 Remote Device Index : 2 Remote Device TTL : 108 Remote Device RxChanges : false Chassis Type : Mac Address Chassis Id : 7499751c7100 Port Type : Locally Assigned Port Id : 56 Port Description : EXT14 System Name : CFC System Description : Lenovo Flex System Fabric EN4093R 10Gb Scalable Switch, Lenovo Networking OS: version 7.8.0.48, Boot image: version 7.8.0.48 System Capabilities Supported : bridge, router System Capabilities Enabled : bridge, router Remote Management Address: Subtype : IPv4 Address : 11.1.78.7...
Page 499 Remote devices can also intentionally set their LLDP time‐to‐live to 0, indicating to the switch that the LLDP information is invalid and should be immediately removed. © Copyright Lenovo 2015 Chapter 36: Link Layer Discovery Protocol...
Page 500: Lldp Example Configuration
LLDP Example Configuration 1. Turn LLDP on globally. CN4093(config)# lldp enable 2. Set the global LLDP timer features. (Transmit each 30 seconds) CN4093(config)# lldp refreshinterval 30 CN4093(config)# lldp transmissiondelay 2 (No more often than 2 sec.) CN4093(config)# lldp holdtimemultiplier 4 (Remote hold 4 intervals) (Wait 2 sec. after reinit.) CN4093(config)# lldp reinitdelay 2 CN4093(config)# lldp trapnotificationinterval (Minimum 5 sec. between) 3. Set LLDP options for each port. (Select a switch port) CN4093(config)# interface port <n>...
Page 501: Chapter 37. Simple Network Management Protocol
‐and‐ CN4093(config)# snmpserver writecommunity <1‐32 characters> The SNMP manager should be able to reach the management interface or any one of the IP interfaces on the switch. For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following command: CN4093(config)# snmpserver trapsource <trap source IP interface> CN4093(config)# snmpserver host <IPv4 address> <trap host community string> Note: You can use a loopback interface to set the source IP address for SNMP traps. Use the following command to apply a configured loopback interface: CN4093(config)# snmpserver trapsource loopback <1‐5> © Copyright Lenovo 2015...
Page 502: Snmp Version 3
SNMP Version 3 SNMP version 3 (SNMPv3) is an enhanced version of the Simple Network Management Protocol, approved by the Internet Engineering Steering Group in March, 2002. SNMPv3 contains additional security and authentication features that provide data origin authentication, data integrity checks, timeliness indicators and encryption to protect against threats such as masquerade, modification of information, message stream modification and disclosure. SNMPv3 allows clients to query the MIBs securely. SNMPv3 configuration is managed using the following command path: CN4093(config)# snmpserver ? For more information on SNMP MIBs and the commands used to configure SNMP on the switch, see the Lenovo N/OS 8.2 Command Reference. Default Configuration Lenovo N/OS has four SNMPv3 users by default. All the four users have access to all the MIBs supported by the switch: User 1 name is adminmd5 (password adminmd5). Authentication used is MD5.  Privacy protocol used is DES.  User 2 name is adminsha (password adminsha). Authentication used is SHA. Privacy protocol used is DES.  User 3 name is mmv3_mgr (password mmv3_mgr). Authentication used is MD5. Privacy protocol used is DES. User 3 with the default password is used for EHCM level 1 access. For EHCM level 2 and level 3 access, the CMM generates a random password. EHCM level 2 uses MD5 authentication and DES privacy pro‐ tocol. EHCM level 3 uses SHA authentication and AES‐128 privacy protocol  User 4 name is adminshaaes (password Edpq132x!#9Zpx432w). Authentica‐ tion used is SHA. Privacy protocol used is AES‐128. In boot strict mode (See “Boot Strict Mode” on page 41), Lenovo N/OS has two SNMPv3 users:  User 1 name is mmv3_mgr (password mmv3_mgr). Authentication used is SHA. Privacy protocol used is AES‐128.
Page 503 <auth. password> Reenter new authentication password: <auth. password> New authentication password accepted. CN4093(config)# snmpserver user 5 privacyprotocol des privacypassword Changing privacy password; validation required: Enter current admin password: <admin. password> Enter new privacy password: <privacy password> Reenter new privacy password: <privacy password> New privacy password accepted. 2. Configure a user access group, along with the views the group may access. Use the access table to configure the group’s access level. CN4093(config)# snmpserver access 5 name admingrp CN4093(config)# snmpserver access 5 level authpriv CN4093(config)# snmpserver access 5 readview iso CN4093(config)# snmpserver access 5 writeview iso CN4093(config)# snmpserver access 5 notifyview iso Because the read view, write view, and notify view are all set to “iso,” the user type has access to all private and public MIBs. 3. Assign the user to the user group. Use the group table to link the user to a particular access group. CN4093(config)# snmpserver group 5 username admin CN4093(config)# snmpserver group 5 groupname admingrp If you want to allow user access only to certain MIBs, see “View‐Based Configuration,” next. © Copyright Lenovo 2015 Chapter 37: Simple Network Management Protocol...
Page 504 View-Based Configurations Switch User equivalent  To configure an SNMP user equivalent to the switch “user” login, use the following configuration: (Configure the user) CN4093(config)# snmpserver user 4 name usr (Configure access group 3) CN4093(config)# snmpserver access 3 name usrgrp CN4093(config)# snmpserver access 3 readview usr CN4093(config)# snmpserver access 3 writeview usr CN4093(config)# snmpserver access 3 notifyview usr (Assign user to access group 3) CN4093(config)# snmpserver group 3 username usr CN4093(config)# snmpserver group 3 groupname usrgrp (Create views for user) CN4093(config)# snmpserver view 6 name usr CN4093(config)# snmpserver view 6 tree 1.3.6.1.4.1.1872.2.5.1.2 (Agent information) CN4093(config)# snmpserver view 7 name usr CN4093(config)# snmpserver view 7 tree 1.3.6.1.4.1.1872.2.5.1.3 (L2 statistics) CN4093(config)# snmpserver view 8 name usr CN4093(config)# snmpserver view 8 tree 1.3.6.1.4.1.1872.2.5.2.2 (L2 information) CN4093(config)# snmpserver view 9 name usr CN4093(config)# snmpserver view 9 tree 1.3.6.1.4.1.1872.2.5.2.3 (L3 statistics) CN4093(config)# snmpserver view 10 name usr CN4093(config)# snmpserver view 10 tree 1.3.6.1.4.1.1872.2.5.2.3 (L3 information) CN4093(config)# snmpserver view 11 name usr CN4093(config)# snmpserver view 11 tree 1.3.6.1.4.1.1872.2.5.3.3 CN4093 Application Guide for N/OS 8.2...
Page 505   OSPF/BGP/RIP authentication changes Software Resource alert :ARP Table/IP table/Route table/OSPF table full   L3 Link down/up Note: Audit logging is enabled by default and cannot be disabled. The audit logs are accessed remotely via SNMPv3 hosts. Use the following commands to locally manage the logs: CN4093(config)# show sal reverse (Display most recent logs first) CN4093(config)# clear sal (Clear audit logs) © Copyright Lenovo 2015 Chapter 37: Simple Network Management Protocol...
Page 506 CN4093 Application Guide for N/OS 8.2...
Page 507: Configuring Snmp Trap Hosts
CN4093(config)# snmpserver notify 10 tag v1trap 4. Specify the IPv4 address and other trap parameters in the targetAddr and targetParam tables. Use the following commands to specify the user name associated with the targetParam table: CN4093(config)# snmpserver targetaddress 10 name v1trap address 10.70.70.190 CN4093(config)# snmpserver targetaddress 10 parametersname v1param CN4093(config)# snmpserver targetaddress 10 taglist v1param CN4093(config)# snmpserver targetparameters 10 name v1param CN4093(config)# snmpserver targetparameters 10 username v1only CN4093(config)# snmpserver targetparameters 10 message snmpv1 Note: Lenovo N/OS 8.2 supports only IPv4 addresses for SNMP trap hosts. 5. Use the community table to specify which community string is used in the trap. CN4093(config)# snmpserver community 10(Define the community string) index v1trap name public username v1trap © Copyright Lenovo 2015 Chapter 37: Simple Network Management Protocol...
Page 508 CN4093(config)# snmpserver group 10 username v2trap CN4093(config)# snmpserver group 10 groupname v2trap CN4093(config)# snmpserver access 10 name v2trap CN4093(config)# snmpserver access 10 security snmpv2 CN4093(config)# snmpserver access 10 notifyview iso CN4093(config)# snmpserver notify 10 name v2trap CN4093(config)# snmpserver notify 10 tag v2trap CN4093(config)# snmpserver targetaddress 10 name v2trap address 100.10.2.1 CN4093(config)# snmpserver targetaddress 10 taglist v2trap CN4093(config)# snmpserver targetaddress 10 parametersname v2param CN4093(config)# snmpserver targetparameters 10 name v2param CN4093(config)# snmpserver targetparameters 10 message snmpv2c CN4093(config)# snmpserver targetparameters 10 username v2trap CN4093(config)# snmpserver targetparameters 10 security snmpv2 CN4093(config)# snmpserver community 10 index v2trap CN4093(config)# snmpserver community 10 username v2trap Note: Lenovo N/OS 8.2 supports only IPv4 addresses for SNMPv1 and SNMP v2 trap hosts. CN4093 Application Guide for N/OS 8.2...
Page 509 CN4093(config)# snmpserver targetparameters <1‐16> Configure the user in the user table accordingly. It is not necessary to configure the community table for SNMPv3 traps because the community string is not used by SNMPv3. The following example shows how to configure a SNMPv3 user v3trap with authentication only: CN4093(config)# snmpserver user 11 name v3trap CN4093(config)# snmpserver user 11 authenticationprotocol md5 authenticationpassword Changing authentication password; validation required: Enter current admin password: <admin. password> Enter new authentication password: <auth. password> Reenter new authentication password: <auth. password> New authentication password accepted. CN4093(config)# snmpserver access 11 notifyview iso CN4093(config)# snmpserver access 11 level authnopriv CN4093(config)# snmpserver group 11 username v3trap CN4093(config)# snmpserver group 11 tag v3trap CN4093(config)# snmpserver notify 11 name v3trap CN4093(config)# snmpserver notify 11 tag v3trap CN4093(config)# snmpserver targetaddress 11 name v3trap address 47.81.25.66 CN4093(config)# snmpserver targetaddress 11 taglist v3trap CN4093(config)# snmpserver targetaddress 11 parametersname v3param CN4093(config)# snmpserver targetparameters 11 name v3param CN4093(config)# snmpserver targetparameters 11 username v3trap CN4093(config)# snmpserver targetparameters 11 level authNoPriv © Copyright Lenovo 2015 Chapter 37: Simple Network Management Protocol...
Page 510: Snmp Mibs
SNMP MIBs The Lenovo N/OS SNMP agent supports SNMP version 3. Security is provided through SNMP community strings. The default community strings are “public” for SNMP GET operation and “private” for SNMP SET operation. The community string can be modified only through the Command Line Interface (CLI). Detailed SNMP MIBs and trap definitions of the Lenovo N/OS SNMP agent are contained in the following Lenovo N/OS enterprise MIB document: GbScSE10G-L2L3.mib The Lenovo N/OS SNMP agent supports the following standard MIBs: dot1x.mib  ieee8021ab.mib  ieee8023ad.mib  lldpxdcbx.mib  rfc1213.mib  rfc1215.mib  rfc1493.mib  rfc1573.mib  rfc1643.mib  rfc1657.mib  rfc1757.mib  rfc1850.mib  rfc1907.mib  rfc2037.mib  rfc2233.mib ...
Page 511 Signifies that new configuration has been saved. altSwFwDownloadSucess Signifies that firmware has been downloaded to [image1|image2|boot image]. altSwFwDownloadFailure Signifies that firmware downloaded failed to [image1|image2|boot image]. altSwValidLogout Signifies that a user logout has occurred. altSwDefAdminDisable Signifies that the default admin account has been disabled. altSwAcntStrngPswdNotMet Signifies that the configured password does not match strong password complexity. altSwAcntLocked Signifies that account has been locked. altSwAcntUnlocked Signifies that account has been unlocked. altSwSNMPBlockIPTrap Signifies that SNMP requests are blocked; trap includes the blocked IP address. © Copyright Lenovo 2015 Chapter 37: Simple Network Management Protocol...
Page 512 Table 41. Lenovo N/OS‐Supported Enterprise SNMP Traps (continued) Trap Name Description altSwStgNewRoot Signifies that the bridge has become the new root of the STG. altSwCistNewRoot Signifies that the bridge has become the new root of the CIST. altSwStgTopologyChanged Signifies that there was a STG topology change. altSwCistTopologyChanged Signifies that there was a CIST topology change. altSwHotlinksMasterUp Signifies that the Master interface is active. altSwHotlinksMasterDn Signifies that the Master interface is not active. altSwHotlinksBackupUp Signifies that the Backup interface is active. altSwHotlinksBackupDn Signifies that the Backup interface is not active. altSwHotlinksNone Signifies that there are no active interfaces. altSwStgBlockingState Signifies port state has changed to blocking state. altSwTeamingCtrlUp Signifies that the teaming is up. altSwTeamingCtrlDown Signifies that the teaming control is ...
Page 513 Signifies that the default gateway is down. ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable. The range for ipCurCfgGwIndex is from 1 to ipGatewayTableMax. ipCurCfgGwAddr is the IP address of the default gateway. altSwDefGwInService Signifies that the default gateway is up and in service. ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable. The range for ipCurCfgGwIndex is from 1 to ipGatewayTableMax. ipCurCfgGwAddr is the IP address of the default gateway. altSwDefGwNotInService Signifies that the default gateway is alive but not in service. ipCurCfgGwIndex is the index of the Gateway in ipCurCfgGwTable. The range for ipCurCfgGwIndex is from 1 to ipGatewayTableMax. ipCurCfgGwAddr is the IP address of the default gateway. © Copyright Lenovo 2015 Chapter 37: Simple Network Management Protocol...
Page 514 Table 41. Lenovo N/OS‐Supported Enterprise SNMP Traps (continued) Trap Name Description altSwVrrpNewMaster Indicates that the sending agent has transitioned to “Master” state. vrrpCurCfgVirtRtrIndx is the VRRP virtual router table index referenced in vrrpCurCfgVirtRtrTable. The range is from 1 to vrrpVirtRtrTableMaxSize. vrrpCurCfgVirtRtrAddr is the VRRP virtual router IP address. altSwVrrpNewBackup Indicates that the sending agent has transitioned to “Backup” state. vrrpCurCfgVirtRtrIndx is the VRRP virtual router table index referenced in vrrpCurCfgVirtRtrTable. The range is from 1 to vrrpVirtRtrTableMaxSize. vrrpCurCfgVirtRtrAddr is the VRRP virtual router IP address. altSwVrrpAuthFailure Signifies that a packet has been received from a router whose authentication key or authentication type conflicts with this routerʹs authentication key or authentication type. Implementation of this trap is optional. vrrpCurCfgIfIndx is the VRRP interface index. This is equivalent to ifIndex in RFC 1213 ...
Page 515 Signifies that the switch has become master from backup. altSwStackDuplicateJoinAttempt Signifies that a new switch with duplicate UUID/bay has tried to join the stack. altSwStackLinkUp Signifies that a stack link has become up. altSwStackLinkDown Signifies that a stack link has become down. altSwStackXferError Signifies that a transfer between the master and a member has terminated with error. altSwStackXferSuccess Signifies that a transfer between the master and a member has terminated with no errors. altSwStackSwitchTypeMismatch Signifies that a new switch of different type has attempted to join the stack. altSwStackImageSlotMismatch Signifies that the slot of the boot image of a newly attached switch does not match that of the master. © Copyright Lenovo 2015 Chapter 37: Simple Network Management Protocol...
Page 516 Table 41. Lenovo N/OS‐Supported Enterprise SNMP Traps (continued) Trap Name Description altSwStackImageVersMismatch Signifies that the version of the boot image of a newly attached switch does not match that of the master. altSwStackBootCfgMismatch Signifies that the booted config of a newly attached switch does not match that of the master. altSwStackNvramMasterJoin Signifies that a switch which was configured as a master in NVRAM has attached to the stack. altSwStackForceDetach Signifies that the master has sent a FORCE DETACH message to a member. altVMGroupVMotion Signifies that a virtual machine has moved from a port to another. altVMGroupVMOnline Signifies that an advance provisioned virtual machine has came online. altVMGroupVMVlanChange Signifies that a virtual machine has entered a VLAN, or changed the VLAN. vmCheckSpoofedvm Signifies that a spoofed VM MAC was found. CN4093 Application Guide for N/OS 8.2...
Page 517: Switch Images And Configuration Files
1.3.6.1.4.1872.2.5.1.1.7.1.0 agTransferImage 1.3.6.1.4.1872.2.5.1.1.7.2.0 agTransferImageFileName 1.3.6.1.4.1872.2.5.1.1.7.3.0 agTransferCfgFileName 1.3.6.1.4.1872.2.5.1.1.7.4.0 agTransferDumpFileName 1.3.6.1.4.1872.2.5.1.1.7.5.0 agTransferAction 1.3.6.1.4.1872.2.5.1.1.7.6.0 agTransferLastActionStatus 1.3.6.1.4.1872.2.5.1.1.7.7.0 agTransferUserName 1.3.6.1.4.1872.2.5.1.1.7.9.0 agTransferPassword 1.3.6.1.4.1.1872.2.5.1.1.7.10.0 agTransferTSDumpFileName 1.3.6.1.4.1.1872.2.5.1.1.7.11.0 The following SNMP actions can be performed using the MIBs listed in Table 42.  Load a new Switch image (boot or running) from a FTP/TFTP/SFTP server  Load a previously saved switch configuration from a FTP/TFTP/SFTP server  Save the switch configuration to a FTP/TFTP/SFTP server  Save a switch dump to a FTP/TFTP/SFTP server © Copyright Lenovo 2015 Chapter 37: Simple Network Management Protocol...
Page 518: Loading A New Switch Image
Loading a New Switch Image To load a new switch image with the name “MyNewImage1.img” into image2, follow the steps below. This example shows an FTP/TFTP/SFTP server at IPv4 address 192.168.10.10, though IPv6 is also supported. 1. Set the FTP/TFTP/SFTP server address where the switch image resides: Set agTransferServer.0 "192.168.10.10" 2. Set the area where the new image will be loaded: Set agTransferImage.0 "image2" 3. Set the name of the image: Set agTransferImageFileName.0 "MyNewImage1.img" 4. If you are using an SFTP/FTP server, enter a username: Set agTransferUserName.0 "MyName" 5. If you are using an SFTP/FTP server, enter a password: Set agTransferPassword.0 "MyPassword" 6. Initiate the transfer. To transfer a switch image, enter 2 (gtimg): Set agTransferAction.0 "2" Loading a Saved Switch Configuration To load a saved switch configuration with the name “MyRunningConfig.cfg” into the switch, follow the steps below. This example shows a TFTP server at IPv4 address 192.168.10.10, though IPv6 is also supported. 1. Set the FTP/TFTP/SFTP server address where the switch Configuration File resides: Set agTransferServer.0 "192.168.10.10" 2. Set the name of the configuration file: Set agTransferCfgFileName.0 "MyRunningConfig.cfg" 3.
Page 519: Saving The Switch Configuration
3. If you are using an SFTP/FTP server, enter a username: Set agTransferUserName.0 "MyName" 4. If you are using an SFTP/FTP server, enter a password: Set agTransferPassword.0 "MyPassword" 5. Initiate the transfer. To save a running configuration file, enter 4: Set agTransferAction.0 "4" Saving a Switch Dump To save a switch dump to a FTP/TFTP/SFTP server, follow the steps below. This example shows an FTP/TFTP/SFTP server at 192.168.10.10, though IPv6 is also supported. 1. Set the FTP/TFTP/SFTP server address where the configuration will be saved: Set agTransferServer.0 "192.168.10.10" 2. Set the name of dump file: Set agTransferDumpFileName.0 "MyDumpFile.dmp" 3. If you are using an SFTP/FTP server, enter a username: Set agTransferUserName.0 "MyName" 4. If you are using an SFTP/FTP server, enter a password: Set agTransferPassword.0 "MyPassword" 5. Initiate the transfer. To save a dump file, enter 5: Set agTransferAction.0 "5" © Copyright Lenovo 2015 Chapter 37: Simple Network Management Protocol...
Page 520 CN4093 Application Guide for N/OS 8.2...
Page 521: Part 8: Monitoring
Part 8: Monitoring The ability to monitor traffic passing through the CN4093 can be invaluable for troubleshooting some types of networking problems. This sections cover the following monitoring features:  Remote Monitoring (RMON)  sFLOW  Port Mirroring © Copyright Lenovo 2015...
Page 522 CN4093 Application Guide for N/OS 8.2...
Page 523: Chapter 38. Remote Monitoring
Chapter 38. Remote Monitoring Remote Monitoring (RMON) allows network devices to exchange network monitoring data. RMON performs the following major functions:  Gathers cumulative statistics for Ethernet interfaces  Tracks a history of statistics for Ethernet interfaces  Creates and triggers alarms for user‐defined events RMON Overview The RMON MIB provides an interface between the RMON agent on the switch and an RMON management application. The RMON MIB is described in RFC 1757. The RMON standard defines objects that are suitable for the management of Ethernet networks. The RMON agent continuously collects statistics and proactively monitors switch performance. RMON allows you to monitor traffic flowing through the switch. The switch supports the following RMON Groups, as described in RFC 1757:  RMON Group 1–Statistics  RMON Group 2–History  RMON Group 3–Alarms  RMON Group 9–Events © Copyright Lenovo 2015...
Page 524: Rmon Group 1-Statistics
RMON Group 1–Statistics The switch supports collection of Ethernet statistics as outlined in the RMON statistics MIB, in reference to etherStatsTable. RMON statistics are sampled every second, and new data overwrites any old data on a given port. Note: RMON port statistics must be enabled for the port before you can view RMON statistics. To configure RMON Statistics: 1. Enable RMON on each port where you wish to collect RMON statistics. CN4093(config)# interface port 23 CN4093(configif)# rmon 2. View RMON statistics for the port. CN4093(configif)# show interface port 23 rmoncounters RMON statistics for port 23: etherStatsDropEvents: NA etherStatsOctets: 7305626 etherStatsPkts: 48686 etherStatsBroadcastPkts: 4380 etherStatsMulticastPkts: 6612 etherStatsCRCAlignErrors: 22 etherStatsUndersizePkts: 0 etherStatsOversizePkts: 0 etherStatsFragments: 2 etherStatsJabbers: 0 etherStatsCollisions: 0...
Page 525: Rmon Group 2-History
History MIB Objects The type of data that can be sampled must be of an ifIndex object type, as described in RFC1213 and RFC1573. The most common data type for the history sample is as follows: 1.3.6.1.2.1.2.2.1.1.<x> mgmt.interfaces.ifTable.ifIndex.interface The last digit (x) represents the interface on which to monitor, which corresponds to the switch port number. History sampling is done per port, by utilizing the interface number to specify the port number. Configuring RMON History This example configuration creates an RMON History Group to monitor port 1. It takes a data sample every two minutes, and places the data into one of the 30 requested buckets. After 30 samples are gathered, the new samples overwrite the previous samples, beginning with the first bucket. 1. Enable RMON on each port where you wish to collect RMON History. CN4093(config)# interface port 1 CN4093(configif)# rmon CN4093(configif)# exit 2. Configure the RMON History parameters. CN4093(config)# rmon history 1 interfaceoid 1.3.6.1.2.1.2.2.1.1.<x> CN4093(config)# rmon history 1 requestedbuckets 30 CN4093(config)# rmon history 1 pollinginterval 120 CN4093(config)# rmon history 1 owner "rmon port 1 history" where <x> is the number of the port to monitor. For example, the full OID for port 1 would be: 1.3.6.1.2.1.2.2.1.1.1 © Copyright Lenovo 2015 Chapter 38: Remote Monitoring...
Page 526: Rmon Group 3-Alarms
3. View RMON history for the port. CN4093(config)# show rmon history RMON History group configuration: Index IFOID Interval Rbnum Gbnum 1 1.3.6.1.2.1.2.2.1.1.1 120 30 30 Index Owner 1 rmon port 1 history RMON Group 3–Alarms The RMON Alarm Group allows you to define a set of thresholds used to determine network performance. When a configured threshold is crossed, an alarm is generated. For example, you can configure the switch to issue an alarm if more than 1,000 CRC errors occur during a 10‐minute time interval. Each Alarm index consists of a variable to monitor, a sampling time interval, and parameters for rising and falling thresholds. The Alarm group can be used to track rising or falling values for a MIB object. The object must be a counter, gauge, integer, or time interval. Use one of the following commands to correlate an Alarm index to an Event index: CN4093(config)# rmon alarm <alarm number> risingcrossingindex <event number> CN4093(config)# rmon alarm <alarm number> fallingcrossingindex <event number> Alarm MIB Objects The most common data types used for alarm monitoring are ifStats: errors, drops, bad CRCs, and so on. These MIB Object Identifiers (OIDs) correlate to the ones tracked by the History group. An example of an ICMP stat is as follows: 1.3.6.1.2.1.5.1.<x> mgmt.icmp.icmpInMsgs where x represents the interface on which to monitor, which corresponds to the ...
Page 527: Configuring Rmon Alarms
Configuring RMON Alarms Alarm Example 1 This example configuration creates an RMON alarm that checks ifInOctets on port 20 once every hour. If the statistic exceeds two billion, an alarm is generated that triggers event index 6. Configure the RMON Alarm parameters to track the number of packets received on a port. CN4093(config)# rmon alarm 1 oid 1.3.6.1.2.1.2.2.1.10.129 CN4093(config)# rmon alarm 1 alarmtype rising CN4093(config)# rmon alarm 1 risingcrossingindex 100 CN4093(config)# rmon alarm 1 interval 3600 CN4093(config)# rmon alarm 1 risinglimit 2000000000 CN4093(config)# rmon alarm 1 owner "Alarm for ifInOctets" Alarm Example 2 This example configuration creates an RMON alarm that checks icmpInEchos on the switch once every minute. If the statistic exceeds 200 within a 60 second interval, an alarm is generated that triggers event index 5. Configure the RMON Alarm parameters to track ICMP messages. CN4093(config)# rmon alarm 1 oid 1.3.6.1.2.1.5.8.0 CN4093(config)# rmon alarm 1 alarmtype rising CN4093(config)# rmon alarm 1 risingcrossingindex 110 CN4093(config)# rmon alarm 1 intervaltime 60 CN4093(config)# rmon alarm 1 risinglimit 200 CN4093(config)# rmon alarm 1 sample delta CN4093(config)# rmon alarm 1 owner "Alarm for icmpInEchos" © Copyright Lenovo 2015 Chapter 38: Remote Monitoring...
Page 528: Rmon Group 9-Events
RMON Group 9–Events The RMON Event Group allows you to define events that are triggered by alarms. An event can be a log message, an SNMP trap message, or both. When an alarm is generated, it triggers a corresponding event notification. Use the following commands to correlate an Event index to an alarm: CN4093(config)# rmon alarm <alarm number> risingcrossingindex <event number> CN4093(config)# rmon alarm <alarm number> fallingcrossingindex <event number> RMON events use SNMP and system logs to send notifications. Therefore, an SNMP trap host must be configured for trap event notification to work properly. RMON uses a syslog host to send syslog messages. Therefore, an existing syslog host must be configured for event log notification to work properly. Each log event generates a system log message of type RMON that corresponds to the event. For example, to configure the RMON event parameters. CN4093(config)# rmon event 110 type log CN4093(config)# rmon event 110 description "SYSLOG_this_alarm" CN4093(config)# rmon event 110 owner "log icmpInEchos alarm" This configuration creates an RMON event that sends a syslog message each time it is triggered by an alarm. CN4093 Application Guide for N/OS 8.2...
Page 529: Chapter 39. Sflow
Chapter 39. sFLOW The CN4093 supports sFlow technology for monitoring traffic in data networks. The switch includes an embedded sFlow agent which can be configured to sample network traffic and provide continuous monitoring information of IPv4 traffic to a central sFlow analyzer. The switch is responsible only for forwarding sFlow information. A separate sFlow analyzer is required elsewhere on the network in order to interpret sFlow data. Note: Lenovo N/OS 8.2 does not support IPv6 for sFLOW. sFlow Statistical Counters The CN4093 can be configured to send network statistics to an sFlow analyzer at regular intervals. For each port, a polling interval of 5 to 60 seconds can be configured, or 0 (the default) to disable this feature. When polling is enabled, at the end of each configured polling interval, the CN4093 reports general port statistics and port Ethernet statistics. sFlow Network Sampling In addition to statistical counters, the CN4093 can be configured to collect periodic samples of the traffic data received on each port. For each sample, 128 bytes are copied, UDP‐encapsulated, and sent to the configured sFlow analyzer. For each port, the sFlow sampling rate can be configured to occur once each 256 to 65536 packets, or 0 to disable (the default). A sampling rate of 256 means that one sample will be taken for approximately every 256 packets received on the port. The sampling rate is statistical, however. It is possible to have slightly more or fewer samples sent to the analyzer for any specific group of packets (especially under low traffic conditions). The actual sample rate becomes most accurate over time, and under higher traffic flow.
Page 530: Sflow Example Configuration
sFlow Example Configuration 1. Specify the location of the sFlow analyzer (the server and optional port to which the sFlow information will be sent): (sFlow server address) CN4093(config)# sflow server <IPv4 address> (Set the optional service port) CN4093(config)# sflow port <service port> (Enable sFlow features) CN4093(config)# sflow enable By default, the switch uses established sFlow service port 6343. To disable sFlow features across all ports, use the following command: CN4093(config)# no sflow enable 2. On a per‐port basis, define the statistics polling rate: CN4093(config)# interface port <port> (Statistics polling rate) CN4093(configif)# sflow polling <polling rate> Specify a polling rate between 5 and 60 seconds, or 0 to disable. By default, polling is 0 (disabled) for each port. 3. On a per‐port basis, define the data sampling rate: (Data sampling rate) CN4093(configif)# sflow sampling <sampling rate> Specify a sampling rate between 256 and 65536 packets, or 0 to disable. By default, the sampling rate is 0 (disabled) for each port. 4. Save the configuration. CN4093 Application Guide for N/OS 8.2...
Page 531: Chapter 40. Port Mirroring
In standalone (non‐stacking) mode, the CN4093 supports two monitor ports with two‐way mirroring, or four monitor ports with one‐way mirroring. In stacking mode, one monitor port with two‐way mirroring, or two monitor ports with one‐way mirroring is supported. Each monitor port can receive mirrored traffic from any number of target ports. Lenovo N/OS does not support “one to many” or “many to many” mirroring models where traffic from a specific port traffic is copied to multiple monitor ports. For example, port EXT1 traffic cannot be monitored by both port EXT3 and EXT4 at the same time, nor can port EXT2 ingress traffic be monitored by a different port than its egress traffic. Ingress and egress traffic is duplicated and sent to the monitor port after processing. Note: The CN4093 10Gb Converged Scalable Switch (CN4093) cannot mirror LACPDU packets. Also, traffic on management VLANs is not mirrored to the external ports. © Copyright Lenovo 2015...
Page 532: Port Mirroring Behavior
Port Mirroring Behavior This section describes the composition of monitored packets in the CN4093, based on the configuration of the ports.  Packets mirrored at port egress are mirrored prior to VLAN tag processing and may have a different PVID than packets that egress the port toward their actual network destination.  Packets mirrored at port ingress are not modified. Configuring Port Mirroring The following procedure may be used to configure port mirroring for the example shown in Figure 64 on page 531: 1. Specify the monitoring port, the mirroring port(s), and the port‐mirror direction. CN4093(config)# portmirroring monitorport EXT3 mirroringport EXT1 in CN4093(config)# portmirroring monitorport EXT3 mirroringport EXT2 both 2. Enable port mirroring. CN4093(config)# portmirroring enable 3. View the current configuration. CN4093# show portmirroring (Display the current settings) Port mirroring is enabled Monitoring Ports Mirrored Ports INTA1 none INTA2 none INTA3 none INTA4 none EXT1 none EXT2 none EXT3 EXT1, in EXT2, both EXT4 none CN4093 Application Guide for N/OS 8.2...
Page 534 CN4093 Application Guide for N/OS 8.2...
Page 535 Priority In VRRP, the value given to a Virtual Router to determine its ranking with its peer(s). Minimum value is 1 and maximum value is 254. Default is 100. A higher number will win out for master designation. The protocol of a frame. Can be any value represented by a 8‐bit value in the Proto (Protocol) IP header adherent to the IP specification (for example, TCP, UDP, OSPF, ICMP, and so on.) The source IP address of a frame. SPort The source port (application socket: for example, HTTP‐80/HTTPS‐443/DNS‐53). Tracking In VRRP, a method to increase the priority of a virtual router and thus master designation (with preemption enabled). Tracking can be very valuable in an active/active configuration. You can track the following:  Active IP interfaces on the Web switch (increments priority by 2 for each) Active ports on the same VLAN (increments priority by 2 for each)   Number of virtual routers in master mode on the switch Virtual Interface Router. A VRRP address is an IP interface address shared between two or more virtual routers. Virtual Router A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface. This is one of the IP interfaces that the switch is assigned. All IP interfaces on the CN4093s must be in a VLAN. If there is more than one VLAN defined on the Web switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member. © Copyright Lenovo 2015...
Page 536 VRID Virtual Router Identifier. In VRRP, a numeric ID is used by each virtual router to create its MAC address and identify its peer for which it is sharing this VRRP address. The VRRP MAC address as defined in the RFC is 00‐00‐5E‐00‐01‐<VRID>. If you have a VRRP address that two switches are sharing, then the VRID number needs to be identical on both switches so each virtual router on each switch knows with whom to share. VRRP Virtual Router Redundancy Protocol. A protocol that acts very similarly to Ciscoʹs proprietary HSRP address sharing protocol. The reason for both of these protocols is so devices have a next hop or default gateway that is always available. Two or more devices sharing an IP interface are either advertising or listening for advertisements. These advertisements are sent via a broadcast message to an address such as 224.0.0.18. With VRRP, one switch is considered the master and the other the backup. The master is always advertising via the broadcasts. The backup switch is always listening for the broadcasts. Should the master stop advertising, the backup will take over ownership of the VRRP IP and MAC addresses as defined by the specification. The switch announces this change in ownership to the devices around it by way of a Gratuitous ARP, and advertisements. If the backup switch didnʹt do the Gratuitous ARP the Layer 2 devices attached to the switch would not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338. CN4093 Application Guide for N/OS 8.2...
Page 537: Appendix B. Getting Help And Technical Assistance
Lenovo to assist you. Use this information to obtain additional information about Lenovo and Lenovo products, and determine what to do if you experience a problem with your Lenovo system or optional device. Note: This section includes references to IBM web sites and information about obtaining service. IBM is Lenovo's preferred service provider for the System x, Flex System, and NeXtScale System products. Before you call, make sure that you have taken these steps to try to solve the problem yourself. If you believe that you require warranty service for your Lenovo product, the service technicians will be able to assist you more efficiently if you prepare before you call.
Page 538  Start the process of determining a solution to your problem by making the pertinent information available to the service technicians. The IBM service technicians can start working on your solution as soon as you have completed and submitted an Electronic Service Request. You can solve many problems without outside assistance by following the troubleshooting procedures that Lenovo provides in the online help or in the Lenovo product documentation. The Lenovo product documentation also describes the diagnostic tests that you can perform. The documentation for most systems, operating systems, and programs contains troubleshooting procedures and explanations of error messages and error codes. If you suspect a software problem, see the documentation for the operating system or program. CN4093 Application Guide for N/OS 8.2...
Page 539: Appendix C. Notices
Lenovo may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: Lenovo (United States), Inc. 1009 Think Place ‐ Building One Morrisville, NC 27560 U.S.A. Attention: Lenovo Director of Licensing LENOVO PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON‐INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. Lenovo may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. The products described in this document are not intended for use in implantation or other life support applications where malfunction may result in injury or death to persons. The information contained in this document does not affect or change Lenovo product specifications or warranties. Nothing in this document shall operate as an express or implied license or indemnity under the intellectual property rights of Lenovo or third parties. All information contained in this document was obtained in specific environments and is presented as an illustration. The result obtained in other operating environments may vary. Lenovo may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Any references in this publication to non‐Lenovo Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this Lenovo product, and use of those Web sites is at your own risk. © Copyright Lenovo 2015...
Page 540 Any performance data contained herein was determined in a controlled environment. Therefore, the result obtained in other operating environments may vary significantly. Some measurements may have been made on development‐level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. CN4093 Application Guide for N/OS 8.2...
Page 541: Trademarks
Trademarks Lenovo, the Lenovo logo, Flex System, System x, NeXtScale System, and X‐Architecture are trademarks of Lenovo in the United States, other countries, or both. Intel and Intel Xeon are trademarks of Intel Corporation in the United States, other countries, or both. Internet Explorer, Microsoft, and Windows are trademarks of the Microsoft group of companies. Linux is a registered trademark of Linus Torvalds. Other company, product, or service names may be trademarks or service marks of others. © Copyright Lenovo 2015 Appendix C: Notices...
Page 542: Important Notes
Important Notes Processor speed indicates the internal clock speed of the microprocessor; other factors also affect application performance. CD or DVD drive speed is the variable read rate. Actual speeds vary and are often less than the possible maximum. When referring to processor storage, real and virtual storage, or channel volume, KB stands for 1 024 bytes, MB stands for 1 048 576 bytes, and GB stands for 1 073 741 824 bytes. When referring to hard disk drive capacity or communications volume, MB stands for 1 000 000 bytes, and GB stands for 1 000 000 000 bytes. Total user‐accessible capacity can vary depending on operating environments. Maximum internal hard disk drive capacities assume the replacement of any standard hard disk drives and population of all hard‐disk‐drive bays with the largest currently supported drives that are available from Lenovo. Maximum memory might require replacement of the standard memory with an optional memory module. Each solid‐state memory cell has an intrinsic, finite number of write cycles that the cell can incur. Therefore, a solid‐state device has a maximum number of write cycles that it can be subjected to, expressed as total bytes written (TBW). A device that has exceeded this limit might fail to respond to system‐generated commands or might be incapable of being written to. Lenovo is not responsible for replacement of a device that has exceeded its maximum guaranteed number of program/erase cycles, as documented in the Official Published Specifications for the device. Lenovo makes no representations or warranties with respect to non‐Lenovo products. Support (if any) for the non‐Lenovo products is provided by the third party, not Lenovo. Some software might differ from its retail version (if available) and might not include user manuals or all program functionality. CN4093 Application Guide for N/OS 8.2...
Page 543: Recycling Information
Recycling Information Lenovo encourages owners of information technology (IT) equipment to responsibly recycle their equipment when it is no longer needed. Lenovo offers a variety of programs and services to assist equipment owners in recycling their IT products. For information on recycling Lenovo products, go to: http://www.lenovo.com/recycling © Copyright Lenovo 2015 Appendix C: Notices...
Page 544: Particulate Contamination
Particulate Contamination Attention: Airborne particulates (including metal flakes or particles) and reactive gases acting alone or in combination with other environmental factors such as humidity or temperature might pose a risk to the device that is described in this document. Risks that are posed by the presence of excessive particulate levels or concentrations of harmful gases include damage that might cause the device to malfunction or cease functioning altogether. This specification sets forth limits for particulates and gases that are intended to avoid such damage. The limits must not be viewed or used as definitive limits, because numerous other factors, such as temperature or moisture content of the air, can influence the impact of particulates or environmental corrosives and gaseous contaminant transfer. In the absence of specific limits that are set forth in this document, you must implement practices that maintain particulate and gas levels that are consistent with the protection of human health and safety. If Lenovo determines that the levels of particulates or gases in your environment have caused damage to the device, Lenovo may condition provision of repair or replacement of devices or parts on implementation of appropriate remedial measures to mitigate such environmental contamination. Implementation of such remedial measures is a customer responsibility.. Contaminant Limits Particulate • The room air must be continuously filtered with 40% atmospheric dust spot efficiency (MERV 9) according to ASHRAE Standard 52.2 • Air that enters a data center must be filtered to 99.97% efficiency or greater, using high‐efficiency particulate air (HEPA) filters that meet MIL‐STD‐282. • The deliquescent relative humidity of the particulate contamination must be more than 60% • The room must be free of conductive contamination such as zinc whis‐ kers. Gaseous • Copper: Class G1 as per ANSI/ISA 71.04‐1985 • Silver: Corrosion rate of less than 300 Å in 30 days 1 ...
Page 545: Telecommunication Regulatory Statement
Telecommunication Regulatory Statement This product may not be certified in your country for connection by any means whatsoever to interfaces of public telecommunications networks. Further certification may be required by law prior to making any such connection. Contact a Lenovo representative or reseller for any questions. © Copyright Lenovo 2015 Appendix C: Notices...
Page 546: Electronic Emission Notices
Federal Communications Commission (FCC) Statement Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense. Properly shielded and grounded cables and connectors must be used to meet FCC emission limits. Lenovo is not responsible for any radio or television interference caused by using other than recommended cables and connectors or by unauthorized changes or modifications to this equipment. Unauthorized changes or modifications could void the user’s authority to operate the equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that might cause undesired operation. Industry Canada Class A Emission Compliance Statement This Class A digital apparatus complies with Canadian ICES‐003. Avis de Conformité à la Réglementation d'Industrie Canada Cet appareil numérique de la classe A est conforme à la norme NMB‐003 du ...
Page 547: Germany Class A Statement
Zulassungsbescheinigung laut dem Deutschen Gesetz über die elektromagnetische Verträglichkeit von Betriebsmitteln, EMVG vom 20. Juli 2007 (früher Gesetz über die elektromagnetische Verträglichkeit von Geräten), bzw. der EMV EG Richtlinie 2004/108/EC (früher 89/336/EWG), für Geräte der Klasse A. Dieses Gerät ist berechtigt, in übereinstimmung mit dem Deutschen EMVG das EG‐Konformitätszeichen ‐ CE ‐ zu führen. Verantwortlich für die Konformitätserklärung nach Paragraf 5 des EMVG ist die Lenovo (Deutschland) GmbH, Gropiusplatz 10, D‐70563 Stuttgart. Informationen in Hinsicht EMVG Paragraf 4 Abs. (1) 4: Das Gerät erfüllt die Schutzanforderungen nach EN 55024 und EN 55022 Klasse Nach der EN 55022: “Dies ist eine Einrichtung der Klasse A. Diese Einrichtung kann im Wohnbereich Funkstörungen verursachen; in diesem Fall kann vom Betreiber verlangt werden, angemessene Maßnahmen durchzuführen und dafür aufzukommen.” Nach dem EMVG: Dieses Produkt entspricht den Schutzanforderungen der EU‐Richtlinie 2004/108/EG (früher 89/336/EWG) zur Angleichung der Rechtsvorschriften über die elektromagnetische Verträglichkeit in den EU‐Mitgliedsstaaten und hält die Grenzwerte der EN 55022 Klasse A ein. Um dieses sicherzustellen, sind die Geräte wie in den Handbüchern beschrieben zu installieren und zu betreiben. Des Weiteren dürfen auch nur von der Lenovo empfohlene Kabel angeschlossen werden. Lenovo übernimmt keine Verantwortung für die Einhaltung der Schutzanforderungen, wenn das Produkt ohne Zustimmung der Lenovo verändert bzw. wenn Erweiterungskomponenten von Fremdherstellern ohne Empfehlung der Lenovo gesteckt/eingebaut werden. Deutschland: Einhaltung des Gesetzes über die elektromagnetische Verträglichkeit von Betriebsmittein Dieses Produkt entspricht dem “Gesetz über die elektromagnetische Verträglichkeit von Betriebsmitteln” EMVG (früher “Gesetz über die elektromagnetische Verträglichkeit von Gerätenʺ). Dies ist die Umsetzung der EU‐Richtlinie 2004/108/EG (früher 89/336/EWG) in der Bundesrepublik Deutschland. © Copyright Lenovo 2015 Appendix C: Notices...
Page 548: Japan Vcci Class A Statement
Zulassungsbescheinigung laut dem Deutschen Gesetz über die elektromagnetische Verträglichkeit von Betriebsmitteln, EMVG vom 20. Juli 2007 (früher Gesetz über die elektromagnetische Verträglichkeit von Geräten), bzw. der EMV EG Richtlinie 2004/108/EC (früher 89/336/EWG), für Geräte der Klasse A. Dieses Gerät ist berechtigt, in übereinstimmung mit dem Deutschen EMVG das EG‐Konformitätszeichen ‐ CE ‐ zu führen. Verantwortlich für die Konformitätserklärung nach Paragraf 5 des EMVG ist die Lenovo (Deutschland) GmbH, Gropiusplatz 10, D‐70563 Stuttgart. Informationen in Hinsicht EMVG Paragraf 4 Abs. (1) 4: Das Gerät erfüllt die Schutzanforderungen nach EN 55024 und EN 55022 Klasse Nach der EN 55022: “Dies ist eine Einrichtung der Klasse A. Diese Einrichtung kann im Wohnbereich Funkstörungen verursachen; in diesem Fall kann vom Betreiber verlangt werden, angemessene Maßnahmen durchzuführen und dafür aufzukommen.ʺ Nach dem EMVG: “Geräte dürfen an Orten, für die sie nicht ausreichend entstört sind, nur mit besonderer Genehmigung des Bundesministers für Post und Telekommunikation oder des Bundesamtes für Post und Telekommunikation betrieben werden. Die Genehmigung wird erteilt, wenn keine elektromagnetischen Störungen zu erwarten sind.” (Auszug aus dem EMVG, Paragraph 3, Abs. 4). Dieses Genehmigungsverfahren ist nach Paragraph 9 EMVG in Verbindung mit der entsprechenden Kostenverordnung (Amtsblatt 14/93) kostenpflichtig. Anmerkung: Um die Einhaltung des EMVG sicherzustellen sind die Geräte, wie in den Handbüchern angegeben, zu installieren und zu betreiben. Japan VCCI Class A Statement This is a Class A product based on the standard of the Voluntary Control Council for Interference (VCCI). If this equipment is used in a domestic environment, radio interference may occur, in which case the user may be required to take corrective actions. CN4093 Application Guide for N/OS 8.2...
Page 549: Japan Electronics And Information Technology Industries Association
Japan Electronics and Information Technology Industries Association (JEITA) Statement Japan Electronics and Information Technology Industries Association (JEITA) Confirmed Harmonics Guidelines (products less than or equal to 20 A per phase) Japan Electronics and Information Technology Industries Association (JEITA) Confirmed Harmonics Guidelines with Modifications (products greater than 20 A per phase). Korea Communications Commission (KCC) Statement This is electromagnetic wave compatibility equipment for business (Type A). Sellers and users need to pay attention to it. This is for any areas other than home. © Copyright Lenovo 2015 Appendix C: Notices...
Page 550: Russia Electromagnetic Interference (Emi) Class A Statement
Russia Electromagnetic Interference (EMI) Class A statement CN4093 Application Guide for N/OS 8.2...
Page 552: Taiwan Class A Compliance Statement
Taiwan Class A compliance statement CN4093 Application Guide for N/OS 8.2...
Page 553: Index
Trunking 136 autonomous systems (AS) 426 VLANs 136 configuring BGP failover 417 DCBX 286 bandwidth allocation 266 ETS 282 BBI 27 FIP snooping 272 BBI. See Browser‐Based Interface IP routing 353 Bootstrap Router, PIM 454 OSPF 437 PFC 276 port trunking 138 spanning tree groups 156 contamination, particulate and gaseous 544 Converged Enhanced Ethernet. See CEE. © Copyright Lenovo 2015 Index...
Page 554 Converged Network Adapter. See CNA. FCoE 261 bridge module 239 CEE 263 CNA 263 Data Center Bridging Capability Exchange. See DCBX. ENodes 263 date FCF 239 setup 49 FIP snooping 261 DCBX 261 FLOGI 270 default gateway 352 point‐to‐point links 262 configuration example 354 requirements 263 default password 38 SAN 262 default route, OSPF 430 topology 262 Dense Mode, PIM 450 VLANs 271 Designated Router, PIM 449 FCoE Forwarder. See FCF.
Page 555 98 host routes 435 link state database 425 Japan Class A electronic emission statement 548 neighbors 424 Japan Electronics and Information Technology Indus‐ overview 422 tries Association statement 549 redistributing routes 414 JEITA statement 549 route maps 411 jumbo frames 112 route summarization 430 router ID 433 virtual link 432 © Copyright Lenovo 2015 : Index...
Page 556 outgoing route maps 412 QSFP+ 134 Querier (IGMP) 398 packet size 112 particulate contamination 544 RADIUS password authentication 78 administrator account 38 port 1812 and 1645 99 default 38 port 1813 99 user account 38 SSH/SCP 70 passwords 38 Rapid Spanning Tree Protocol (RSTP) 158 payload size 112 receive flow control 50 People’s Republic of China Class A electronic emission redistributing routes 414 statement 551 redundancy Per Hop Behavior (PHB) 190 active‐active 475 PFC 261...
Page 557 TCP 98 routing 355 technical assistance 537 security 111 technical terms setup 51 port VLAN identifier (PVID) 117 Spanning‐Tree Protocol 146 tagged frame 117 tagging 51 tagged member 117 topologies 122 untagged frame 117 vNICs 223 untagged member 117 VLAN identifier (VID) 117 Telnet support optional setup for Telnet support 55 © Copyright Lenovo 2015 : Index...
Page 558 VRRP (Virtual Router Redundancy Protocol) active‐active redundancy 475 hot‐standby redundancy 475 overview 471 virtual interface router 472 virtual router ID numbering 478 vrid 472 VSI 311 VSI Database, See VSIDB. VSI Discovery and Configuration Protocol, See VDP. VSIDB 312 willing flag (DCBX) 285 CN4093 Application Guide for N/OS 8.2...
Page 560 Part Number: 00MY375 Printed in USA (IP) P/N: 00MY375...

Lenovo Flex System Fabric CN4093 Application Manual

Chapter 1. Switch Administration

Chapter 2. Initial Setup

Chapter 3. Service Location Protocol

Chapter 4. System License Keys

Part 2: Securing the Switch

Chapter 5. Securing Administration

Chapter 6. Authentication & Authorization Protocols

Chapter 7. 802.1X Port-Based Network Access Control

Chapter 8. Access Control Lists

Part 3: Switch Basics

Chapter 9. Vlans

Chapter 10. Ports and Trunking

Chapter 11. Spanning Tree Protocols

Chapter 12. Virtual Link Aggregation Groups

Chapter 13. Quality of Service

Part 4:. Advanced Switching Features

Chapter 14. Stacking

Chapter 15. Virtualization

Chapter 16. Virtual Nics

Chapter 17. Vmready

Chapter 18. Fcoe and CEE

Quick Links

Related Manuals for Lenovo Flex System Fabric CN4093

Summary of Contents for Lenovo Flex System Fabric CN4093