Lenovo RackSwitch G8264 Application Guide For Lenovo Enterprise Network Operating System 8.4

Source: systemx.lenovofiles.com/help/topic/com.lenovo.rackswitch.g8264.doc/...


Lenovo RackSwitch G8264
Application Guide For Lenovo Enterprise Network Operating System 8.4

Note: Before using this information and the product it supports, read the general information in the Safety Information and Environmental Notices and User Guide documents on the Lenovo Documentation CD and the Warranty Information document that comes with the product.

First Edition (September 2016)

© Copyright Lenovo 2016. Portions © Copyright IBM Corporation 2014.

LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administration "GSA" contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.

Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.

Contents

Preface ... 23
  Who Should Use This Guide ... 24
  What You'll Find in This Guide ... 25
  Additional References ... 29
  Typographic Conventions ... 30

Part 1: Getting Started ... 31

Chapter 1. Switch Administration ... 33
  Administration Interfaces ... 34
    Command Line Interface ... 34
  Establishing a Connection ... 35
    Using the Switch Management Ports ... 35
    Using the Switch Data Ports ... 36
    Using Telnet ... 37
    Using Secure Shell ... 37
      Using SSH with Password Authentication ... 38
      Using SSH with Public Key Authentication ... 39
    Using a Web Browser ... 40
      Configuring HTTP Access to the BBI ... 40
      Configuring HTTPS Access to the BBI ... 40
      Browser-Based Interface Summary ... 41
    Using Simple Network Management Protocol ... 43
  BOOTP/DHCP Client IP Address Services ... 44
    DHCP Host Name Configuration ... 44
    DHCP SYSLOG Server ... 45
    Global BOOTP Relay Agent Configuration ... 45
    Domain-Specific BOOTP Relay Agent Configuration ... 46
    DHCP Option 82 ... 46
    DHCP Snooping ... 46
  Easy Connect Wizard ... 48
    Configuring the Easy Connect Wizard ... 48
      Basic System Mode Configuration Example ... 49
      Transparent Mode Configuration Example ... 49
      Redundant Mode Configuration Example ... 50
  Switch Login Levels ... 52
  Setup vs. the Command Line ... 54
  Idle Disconnect ... 55
  Boot Strict Mode ... 56
    Acceptable Cipher Suites ... 59
    Configuring Strict Mode ... 60
    Configuring No-Prompt Mode ... 60
    SSL/TLS Version Limitation ... 60
    Limitations ... 60
  Scripting ... 62


Chapter 2. Initial Setup ... 63
  Information Needed for Setup ... 64
  Default Setup Options ... 65
  Setting the Management Interface Default IP Address ... 66
  Stopping and Restarting Setup Manually ... 67
    Stopping Setup ... 67
    Restarting Setup ... 67
  Setup Part 1: Basic System Configuration ... 68
  Setup Part 2: Port Configuration ... 70
  Setup Part 3: VLANs ... 72
  Setup Part 4: IP Configuration ... 73
    IP Interfaces ... 73
    Loopback Interfaces ... 74
      Using Loopback Interfaces for Source IP Addresses ... 74
      Loopback Interface Limitations ... 75
    Default Gateways ... 75
    IP Routing ... 75
  Setup Part 5: Final Steps ... 77
  Optional Setup for Telnet Support ... 78

Chapter 3. Switch Software Management ... 79
  Loading New Software to Your Switch ... 80
    Loading Software via the ISCLI ... 80
    Loading Software via BBI ... 81
    USB Options ... 82
      USB Boot ... 82
      USB Copy ... 83
  The Boot Management Menu ... 84
    Recovering from a Failed Software Upgrade ... 84
    Recovering from a Failed Boot Image ... 87

Part 2: Securing the Switch ... 89

Chapter 4. Securing Administration ... 91
  Secure Shell and Secure Copy ... 92
    Configuring SSH/SCP Features on the Switch ... 92
      To Enable or Disable the SSH Feature ... 92
      To Enable or Disable SCP Apply and Save ... 93
    Configuring the SCP Administrator Password ... 93
    Using SSH and SCP Client Commands ... 93
      To Log In to the Switch ... 93
      To Copy the Switch Configuration File to the SCP Host ... 93
      To Load a Switch Configuration File from the SCP Host ... 94
      To Apply and Save the Configuration ... 94
      To Copy the Switch Image and Boot Files to the SCP Host ... 94
      To Load Switch Configuration Files from the SCP Host ... 95
    SSH and SCP Encryption of Management Messages ... 95
    Generating RSA Host Key for SSH Access ... 95
    SSH/SCP Integration with RADIUS Authentication ... 95
    SSH/SCP Integration with TACACS+ Authentication ... 96


  End User Access Control ... 97
    Considerations for Configuring End User Accounts ... 97
    Strong Passwords ... 97
    User Access Control ... 98
      Setting up User IDs ... 98
      Defining a User's Access Level ... 98
      Validating a User's Configuration ... 98
      Enabling or Disabling a User ... 98
      Locking Accounts ... 98
      Re-Enabling Locked Accounts ... 99
    Listing Current Users ... 99
    Logging into an End User Account ... 99
    Password Fix-Up Mode ... 99

Chapter 5. Authentication & Authorization Protocols ... 101
  RADIUS Authentication and Authorization ... 102
    How RADIUS Authentication Works ... 102
    Configuring RADIUS on the Switch ... 102
    RADIUS Authentication Features in Enterprise NOS ... 104
    Switch User Accounts ... 104
    RADIUS Attributes for Enterprise NOS User Privileges ... 105
  TACACS+ Authentication ... 106
    How TACACS+ Authentication Works ... 106
    TACACS+ Authentication Features in Enterprise NOS ... 107
      Authorization ... 107
      Accounting ... 108
    Command Authorization and Logging ... 108
    Configuring TACACS+ Authentication on the Switch ... 109
  LDAP Authentication and Authorization ... 110
    Configuring the LDAP Server ... 110
    Configuring LDAP Authentication on the Switch ... 110

Chapter 6. 802.1X Port-Based Network Access Control ... 113
  Extensible Authentication Protocol over LAN ... 114
  EAPoL Authentication Process ... 115
  EAPoL Message Exchange ... 116
  EAPoL Port States ... 117
  Guest VLAN ... 117
  Supported RADIUS Attributes ... 118
  EAPoL Configuration Guidelines ... 120

Chapter 7. Access Control Lists ... 121
  Summary of Packet Classifiers ... 122
  Summary of ACL Actions ... 123
  Assigning Individual ACLs to a Port ... 124
  ACL Order of Precedence ... 124
  ACL Metering and Re-Marking ... 124
    Metering ... 125
    Re-Marking ... 125
  ACL Port Mirroring ... 126


  Viewing ACL Statistics ... 126
  ACL Logging ... 127
    Enabling ACL Logging ... 127
    Logged Information ... 127
    Rate Limiting Behavior ... 128
    Log Interval ... 128
    ACL Logging Limitations ... 128
  ACL Configuration Examples ... 129
    ACL Example 1 ... 129
    ACL Example 2 ... 129
    ACL Example 3 ... 130
    ACL Example 4 ... 130
    ACL Example 5 ... 130
    ACL Example 6 ... 131
  VLAN Maps ... 132
  Management ACLs ... 134
  Using Storm Control Filters ... 135

Chapter 8. Secure Input/Output Module ... 137
  SIOM Overview ... 138
  Setting an SIOM Security Policy ... 139
    Enabling and Disabling the SIOM ... 139
    Using Protocols With SIOM ... 139
      Insecure Protocols ... 139
      Secure Protocols ... 140
      Insecure Protocols Unaffected by SIOM ... 141
  Implementing Secure LDAP (LDAPS) ... 142
    Enabling LDAPS ... 142
    Disabling LDAPS ... 143
    Syslogs and LDAPS ... 144
  Using Cryptographic Mode ... 145

Part 3: Switch Basics ... 147

Chapter 9. VLANs ... 149
  VLANs Overview ... 150
  VLANs and Port VLAN ID Numbers ... 150
    VLAN Numbers ... 150
    PVID/Native VLAN Numbers ... 151
  VLAN Tagging/Trunk Mode ... 152
    Ingress VLAN Tagging ... 155
    Limitations ... 156
  VLAN Topologies and Design Considerations ... 157
    Multiple VLANs with Tagging/Trunk Mode Adapters ... 158
    VLAN Configuration Example ... 161


  Protocol-Based VLANs ... 162
    Port-Based vs. Protocol-Based VLANs ... 162
    PVLAN Priority Levels ... 163
    PVLAN Tagging/Trunk Mode ... 163
    PVLAN Configuration Guidelines ... 163
    Configuring PVLAN ... 164
  Private VLANs ... 165
    Private VLAN Ports ... 165
    Configuration Guidelines ... 166
    Configuration Example ... 166

Chapter 10. Ports and Link Aggregation ... 169
  Configuring QSFP+ Ports ... 170
  Aggregation Overview ... 172
  Static LAGs ... 173
    Static LAG Requirements ... 173
    Static Aggregation Configuration Rules ... 173
    Configuring a Static LAG ... 174
  Link Aggregation Control Protocol ... 176
    Static LACP LAGs ... 177
    LACP Port Modes ... 178
    LACP Individual ... 178
    LACP Minimum Links Option ... 179
    Configuring LACP ... 180
  Configurable LAG Hash Algorithm ... 181

Chapter 11. Spanning Tree Protocols ... 183
  Spanning Tree Protocol Modes ... 184
  Global STP Control ... 185
  PVRST Mode ... 185
    Port States ... 186
    Bridge Protocol Data Units ... 186
      How BPDU Works ... 186
      Determining the Path for Forwarding BPDUs ... 186
    Simple STP Configuration ... 188
    Per-VLAN Spanning Tree Groups ... 190
      Using Multiple STGs to Eliminate False Loops ... 190
      VLANs and STG Assignment ... 191
      Manually Assigning STGs ... 192
      Guidelines for Creating VLANs ... 192
      Rules for VLAN Tagged/Trunk Mode Ports ... 192
      Adding and Removing Ports from STGs ... 193
      The Switch-Centric Model ... 194
    Configuring Multiple STGs ... 195
  Rapid Spanning Tree Protocol ... 197
    Port States ... 197
    RSTP Configuration Guidelines ... 197
    RSTP Configuration Example ... 198


  Multiple Spanning Tree Protocol ... 199
    MSTP Region ... 199
    Common Internal Spanning Tree ... 199
    MSTP Configuration Guidelines ... 200
    MSTP Configuration Examples ... 200
      MSTP Example 1 ... 200
      MSTP Example 2 ... 201
  Port Type and Link Type ... 203
    Edge/Portfast Port ... 203
    Link Type ... 203

Chapter 12. Virtual Link Aggregation Groups ... 205
  VLAG Capacities ... 208
  VLAGs versus Port LAGs ... 208
  Configuring VLAGs ... 210
    Basic VLAG Configuration ... 211
      Configuring the ISL ... 211
      Configuring the VLAG ... 212
      VLAG Configuration - VLANs Mapped to MSTI ... 214
      Configuring Health Check ... 217
    VLAGs with VRRP ... 218
      Task 1: Configure VLAG Peer 1 ... 218
      Task 2: Configure VLAG Peer 2 ... 221
    Two-tier vLAGs with VRRP ... 224
    vLAG Peer Gateway ... 225
    Configuring VLAGs in Multiple Layers ... 225
      Task 1: Configure Layer 2/3 border switches ... 226
      Task 2: Configure switches in the Layer 2 region ... 226
  VLAG with PIM ... 228
    Traffic Forwarding ... 228
    Health Check ... 229

Chapter 13. Quality of Service ... 231
  QoS Overview ... 232
  Using ACL Filters ... 233
    Summary of ACL Actions ... 233
    ACL Metering and Re-Marking ... 234
      Metering ... 234
      Re-Marking ... 234
  Using DSCP Values to Provide QoS ... 235
    Differentiated Services Concepts ... 235
    Per-Hop Behavior ... 237
    QoS Levels ... 238
    DSCP Re-Marking and Mapping ... 238
    DSCP Re-Marking Configuration Examples ... 239
      DSCP Re-Marking Configuration Example 1 ... 239
      DSCP Re-Marking Configuration Example 2 ... 239
  Using 802.1p Priority to Provide QoS ... 241
  Queuing and Scheduling ... 242
  Control Plane Protection ... 242


  WRED with ECN ... 244
    How WRED/ECN work together ... 244
    Configuring WRED/ECN ... 245
    WRED/ECN Configuration Example ... 246
      Configure Global Profile for WRED ... 246
      Configure Port-level Profile for WRED ... 246
      Configure Global Profile for ECN ... 247
      Configure Port-level Profile for ECN ... 248
      Verify WRED/ECN ... 248

Chapter 14. Precision Time Protocol ... 251
  Ordinary Clock Mode ... 253
  Transparent Clock Mode ... 253
  Tracing PTP Packets ... 254
  Viewing PTP Information ... 254

Part 4: Advanced Switching Features ... 255

Chapter 15. OpenFlow ... 257
  OpenFlow Overview ... 258
  Switch Profiles ... 259
  OpenFlow Versions ... 260
  OpenFlow Instance ... 261
  Flow Tables ... 262
  Static Flows ... 264
    Port Membership ... 266
    FDB Aging and ECMP with OpenFlow ... 267
    Static Flow Examples ... 267
  Table-Miss ... 270
  Fail Secure Mode ... 271
  Emergency Mode ... 272
  OpenFlow Ports ... 274
    OpenFlow Edge Ports ... 274
    Link Aggregation ... 275
    Data Path ID ... 276
  sFlow Compatibility ... 277
  OpenFlow Groups ... 278
  Configuring OpenFlow ... 279
    Configuration Example 1 - OpenFlow Boot Profile ... 279
    Configuration Example 2 - Default Boot Profile ... 282
  Feature Limitations ... 284

Chapter 16. Deployment Profiles ... 285
  Available Profiles ... 286
  Selecting Profiles ... 287
  Automatic Configuration Changes ... 288


Chapter 17. Virtualization ... 289

Chapter 18. Stacking ... 291
  Stacking Overview ... 292
    Stacking Requirements ... 292
    Stacking Limitations ... 293
  Stack Membership ... 294
    The Master Switch ... 294
      Splitting and Merging One Stack ... 294
      Merging Independent Stacks ... 295
    Backup Switch Selection ... 296
      Master Failover ... 296
      Secondary Backup ... 296
      Master Recovery ... 296
      No Backup ... 297
    Stack Member Identification ... 297
  Configuring a Stack ... 298
    Configuration Overview ... 298
    Best Configuration Practices ... 298
      Stacking VLANs ... 299
    Configuring Each Switch for the Stack ... 299
    Configuring a Management IP Interface ... 301
    Additional Master Configuration ... 302
      Viewing Stack Connections ... 302
      Binding Members to the Stack ... 304
      Assigning a Stack Backup Switch ... 304
  Managing the Stack ... 305
    Accessing the Master Switch CLI ... 305
    Rebooting Stacked Switches via the Master ... 305
    Accessing the Member Switch CLI ... 306
  Upgrading Software in an Existing Stack ... 307
  Replacing or Removing Stacked Switches ... 309
    Removing a Switch from the Stack ... 309
    Installing the New Switch or Healing the Topology ... 309
    Binding the New Switch to the Stack ... 311
    Performing a Rolling Reload or Upgrade ... 311
      Starting a Rolling Reload ... 311
      Starting a Rolling Upgrade ... 312
  Saving Syslog Messages ... 313
  ISCLI Stacking Commands ... 315

Chapter 19. Virtual NICs ... 317
  Defining Server Ports ... 318
  Enabling the vNIC Feature ... 318
  vNIC IDs ... 319
    vNIC IDs on the Switch ... 319
    vNIC Interface Names on the Server ... 319
  vNIC Bandwidth Metering ... 320
  vNIC Uplink Modes ... 321
  LACP LAGs ... 323


  vNIC Groups ... 324
    vNIC Groups in Dedicated Mode ... 325
    vNIC Groups in Shared Mode ... 325
  vNIC Teaming/Failover ... 327
  vNIC Configuration Example ... 329
    Basic vNIC Configuration ... 329
    vNICs for iSCSI on Emulex Endeavor 2 ... 332
    vNICs for FCoE on Emulex Virtual Fabric Adapter ... 333

Chapter 20. VMready ... 337
  VE Capacity ... 338
  Defining Server Ports ... 338
  VM Group Types ... 338
  Local VM Groups ... 339
  Distributed VM Groups ... 342
    VM Profiles ... 342
    Initializing a Distributed VM Group ... 343
    Assigning Members ... 343
    Synchronizing the Configuration ... 344
    Removing Member VEs ... 344
  VMcheck ... 345
  Virtual Distributed Switch ... 347
    Prerequisites ... 347
    Guidelines ... 347
    Migrating to vDS ... 348
  Virtualization Management Servers ... 349
    Assigning a vCenter ... 349
    vCenter Scans ... 350
    Deleting the vCenter ... 350
    Exporting Profiles ... 351
    VMware Operational Commands ... 351
  Pre-Provisioning VEs ... 352
  VLAN Maps ... 353
  VM Policy Bandwidth Control ... 354
    VM Policy Bandwidth Control Commands ... 354
    Bandwidth Policies vs. Bandwidth Shaping ... 355
  VMready Information Displays ... 356
    Local VE Information ... 356
    vCenter Hypervisor Hosts ... 357
    vCenter VEs ... 358
    vCenter VE Details ... 359
    vCenter Switchport Mapping Details ... 359
  VMready Configuration Example ... 360

Chapter 21. FCoE and CEE ... 361
  Fibre Channel over Ethernet ... 362
    The FCoE Topology ... 362
    FCoE Requirements ... 363
    Port Aggregation ... 363


  Converged Enhanced Ethernet ... 364
    Turning CEE On or Off ... 364
    Effects on Link Layer Discovery Protocol ... 364
    Effects on 802.1p Quality of Service ... 365
    Effects on Flow Control ... 366
  FCoE Initialization Protocol Snooping ... 367
    Global FIP Snooping Settings ... 367
    FIP Snooping for Specific Ports ... 367
    Port FCF and ENode Detection ... 368
    FCoE Connection Timeout ... 368
    FCoE ACL Rules ... 369
    Optimized FCoE Traffic Flow ... 369
    FCoE VLANs ... 370
    Viewing FIP Snooping Information ... 370
    Operational Commands ... 371
    FIP Snooping Configuration ... 371
  Priority-Based Flow Control ... 373
    Global vs. Port-by-Port Configuration ... 374
    PFC Configuration Example ... 375
  Enhanced Transmission Selection ... 377
    802.1p Priority Values ... 377
    Priority Groups ... 378
      PGID ... 378
      Assigning Priority Values to a Priority Group ... 379
      Deleting a Priority Group ... 379
      Allocating Bandwidth ... 379
    Configuring ETS ... 380
  Data Center Bridging Capability Exchange ... 384
    DCBX Settings ... 384
      Enabling and Disabling DCBX ... 385
      Peer Configuration Negotiation ... 385
    Configuring DCBX ... 386

Chapter 22. Edge Virtual Bridging ... 389
  EVB Operations Overview ... 390
    VSIDB Synchronization ... 390
    VLAN Behavior ... 391
    Deleting a VLAN ... 391
    Manual Reflective Relay ... 391
    VSIDB IPv6 Support ... 392
  EVB Configuration ... 393
  Limitations ... 395
  Unsupported Features ... 395

Chapter 23. Static Multicast ARP ... 397
  Configuring Static Multicast ARP ... 398
    Configuration Example ... 398
  Limitations ... 400


Chapter 24. Dynamic ARP Inspection ... 401
  Understanding ARP Spoofing Attacks ... 401
  Understanding DAI ... 401
  Interface Trust States and Network Security ... 402
  DAI Configuration Guidelines and Restrictions ... 404
    DAI Configuration Example ... 404

Chapter 25. Unified Fabric Port ... 407
  UFP Limitations ... 408
  Virtual Ports Modes ... 409
    vPort-S-Tag Mapping ... 409
    vPort-VLAN Mapping ... 409
    UFP vPort Mode ... 409
      Tunnel Mode ... 409
      802.1Q Trunk Mode ... 410
      Access Mode ... 410
      FCoE Mode ... 411
      Auto-VLAN Mode ... 411
  UFP Bandwidth Provisioning ... 412
    ETS Mode ... 412
    UFP Strict Bandwidth Provisioning Mode ... 414
  Using UFP with Other RackSwitch G8264 Features ... 415
    Layer 2 Failover ... 415
    Increased VLAN Limits ... 415
    Private VLANs ... 415
    VMReady ... 416
    802.1Qbg ... 416
  UFP Configuration Examples ... 417
    Example 1: Access Mode ... 417
    Example 2: Trunk Mode ... 418
    Example 3: Auto-VLAN Mode ... 420
    Example 4: Tunnel Mode ... 420
    Example 5: FCoE Mode ... 421
    Example 6: Layer 2 Failover Configuration ... 422

Part 5: IP Routing ... 425

Chapter 26. Basic IP Routing ... 427
  IP Routing Benefits ... 428
  Routing Between IP Subnets ... 428
  Example of Subnet Routing ... 429
    Using VLANs to Segregate Broadcast Domains ... 430
    Configuration Example ... 430
  ARP Local Proxy ... 433
  ECMP Static Routes ... 434
    OSPF Integration ... 434
    ECMP Route Hashing ... 434
    Configuring ECMP Static Routes ... 435
  Dynamic Host Configuration Protocol ... 436
  DHCP Relay Agent ... 437


Chapter 27. Policy-Based Routing ... 439
  PBR Policies and ACLs ... 440
  Applying PBR ACLs ... 440
  Configuring Route Maps ... 441
    Match Clauses ... 441
    Set Clauses ... 441
    Configuring Health Check ... 443
  Example PBR Configuration ... 444
  Configuring PBR with Other Features ... 445
  Unsupported Features ... 445
  Dynamic PBR (Multi-Tenant) ... 446
    Features and Limitations ... 446
    Example Configuration ... 446

Chapter 28. Routed Ports ... 449
  Overview ... 450
  Configuring a Routed Port ... 452
    Configuring OSPF on Routed Ports ... 452
    OSPF Configuration Example ... 453
    Configuring RIP on Routed Ports ... 453
    RIP Configuration Example ... 453
    Configuring PIM on Routed Ports ... 454
    PIM Configuration Example ... 454
    Configuring BGP on Routed Ports ... 455
    Configuring IGMP on Routed Ports ... 455
  Limitations ... 456

Chapter 29. Internet Protocol Version 6 ... 457
  IPv6 Limitations ... 458
  IPv6 Address Format ... 459
  IPv6 Address Types ... 460
    Unicast Address ... 460
    Multicast ... 460
    Anycast ... 460
  IPv6 Address Autoconfiguration ... 462
  IPv6 Interfaces ... 463
  Neighbor Discovery ... 464
    Neighbor Discovery Overview ... 464
    Host vs. Router ... 465
  Supported Applications ... 466
  Configuration Guidelines ... 467
  IPv6 Configuration Examples ... 468
    IPv6 Example 1 ... 468
    IPv6 Example 2 ... 468

Chapter 30. IPsec with IPv6 ... 471
  IPsec Protocols ... 472


  Using IPsec with the Lenovo RackSwitch G8264 ... 473
    Setting up Authentication ... 473
      Creating an IKEv2 Proposal ... 474
      Importing an IKEv2 Digital Certificate ... 474
      Generating a Certificate Signing Request ... 475
      Generating an IKEv2 Digital Certificate ... 478
      Enabling IKEv2 Preshared Key Authentication ... 478
    Setting Up a Key Policy ... 479
    Using a Manual Key Policy ... 480
    Using a Dynamic Key Policy ... 482

Chapter 31. Routing Information Protocol ... 483
  Distance Vector Protocol ... 484
  Stability ... 484
  Routing Updates ... 484
  RIPv1 ... 485
  RIPv2 ... 485
  RIPv2 in RIPv1 Compatibility Mode ... 485
  RIP Features ... 486
  RIP Configuration Example ... 487

Chapter 32. Internet Group Management Protocol ... 489
  IGMP Terms ... 490
  How IGMP Works ... 491
  IGMP Capacity and Default Values ... 492
  IGMP Snooping ... 494
    IGMP Querier ... 494
    Querier Election ... 494
    IGMP Groups ... 495
    IGMPv3 Snooping ... 495
    IGMP Snooping Configuration Guidelines ... 497
    IGMP Snooping Configuration Example ... 498
    Advanced Configuration Example: IGMP Snooping ... 499
      Prerequisites ... 500
      Configuration ... 500
    Troubleshooting IGMP Snooping ... 504
  IGMP Relay ... 507
    Configuration Guidelines ... 507
    Configure IGMP Relay ... 508
    Advanced Configuration Example: IGMP Relay ... 509
      Prerequisites ... 509
      Configuration ... 510
    Troubleshooting IGMP Relay ... 513
  Additional IGMP Features ... 516
    FastLeave ... 516
    IGMP Filtering ... 516
      Configuring the Range ... 516
      Configuring the Action ... 517
      Configure IGMP Filtering ... 517
    Static Multicast Router ... 517


Chapter 33. Multicast Listener Discovery ... 519
  MLD Terms ... 520
  How MLD Works ... 521
    How Flooding Impacts MLD ... 522
    MLD Querier ... 522
    Querier Election ... 522
    Dynamic Mrouters ... 523
  MLD Capacity and Default Values ... 524
  Configuring MLD ... 525

Chapter 34. Border Gateway Protocol ... 527
  Internal Routing Versus External Routing ... 528
    Route Reflector ... 529
      Configuring Route Reflection ... 531
      Restrictions ... 532
  Forming BGP Peer Routers ... 533
    Static Peers ... 533
    Dynamic Peers ... 534
      Configuring Dynamic Peers ... 534
      Removing Dynamic Peers ... 534
  Loopback Interfaces ... 536
  What is a Route Map? ... 536
    Next Hop Peer IP Address ... 537
    Incoming and Outgoing Route Maps ... 537
    Precedence ... 538
    Configuration Overview ... 538
  Aggregating Routes ... 540
  Redistributing Routes ... 540
  BGP Communities ... 541
  BGP Attributes ... 542
    Local Preference Attribute ... 542
    Metric (Multi-Exit Discriminator) Attribute ... 542
    Next Hop Attribute ... 543
  Selecting Route Paths in BGP ... 544
    Equal Cost Multi-Path ... 544
    Multipath Relax ... 544
  BGP Failover Configuration ... 545
  Default Redistribution and Route Aggregation Example ... 547

Chapter 35. Open Shortest Path First ... 549
  OSPFv2 Overview ... 550
    Types of OSPF Areas ... 550
    Types of OSPF Routing Devices ... 551
    Neighbors and Adjacencies ... 552
    The Link State Database ... 552
    The Shortest Path First Tree ... 554
    Internal Versus External Routing ... 554


  OSPFv2 Implementation in Enterprise NOS ..... 555
    Configurable Parameters ..... 555
    Defining Areas ..... 556
      Assigning the Area Index ..... 556
      Using the Area ID to Assign the OSPF Area Number ..... 557
      Attaching an Area to a Network ..... 557
    Interface Cost ..... 558
    Electing the Designated Router and Backup ..... 558
    Summarizing Routes ..... 558
    Default Routes ..... 559
    Virtual Links ..... 559
    Router ID ..... 560
    Authentication ..... 561
      Configuring Plain Text OSPF Passwords ..... 562
      Configuring MD5 Authentication ..... 562
    Host Routes for Load Balancing ..... 563
    Loopback Interfaces in OSPF ..... 564
    OSPF Features Not Supported in This Release ..... 564
  OSPFv2 Configuration Examples ..... 565
    Example 1: Simple OSPF Domain ..... 566
    Example 2: Virtual Links ..... 568
      Configuring OSPF for a Virtual Link on Switch #1 ..... 568
      Configuring OSPF for a Virtual Link on Switch #2 ..... 569
      Other Virtual Link Options ..... 571
    Example 3: Summarizing Routes ..... 572
    Verifying OSPF Configuration ..... 573
  OSPFv3 Implementation in Enterprise NOS ..... 574
    OSPFv3 Differences from OSPFv2 ..... 574
      OSPFv3 Requires IPv6 Interfaces ..... 574
      OSPFv3 Uses Independent Command Paths ..... 574
      OSPFv3 Identifies Neighbors by Router ID ..... 575
      Other Internal Improvements ..... 575
    OSPFv3 Limitations ..... 575
    OSPFv3 Configuration Example ..... 575
    Neighbor Configuration Example ..... 577

Chapter 36. Protocol Independent Multicast ..... 579
  PIM Overview ..... 580
  Supported PIM Modes and Features ..... 581
  Basic PIM Settings ..... 582
    Globally Enabling or Disabling the PIM Feature ..... 582
    Defining a PIM Network Component ..... 582
    Defining an IP Interface for PIM Use ..... 582
    PIM Neighbor Filters ..... 583
  Additional Sparse Mode Settings ..... 585
    Specifying the Rendezvous Point ..... 585
    Influencing the Designated Router Selection ..... 585
    Specifying a Bootstrap Router ..... 586
    Configuring a Loopback Interface ..... 586


  Using PIM with Other Features ..... 588
    PIM with ACLs or VMAPs ..... 588
    PIM with IGMP ..... 588
    PIM with VLAG ..... 588
  PIM Configuration Examples ..... 589
    Example 1: PIM-SM with Dynamic RP ..... 589
    Example 2: PIM-SM with Static RP ..... 590
    Example 3: PIM-DM ..... 590

Part 6: High Availability Fundamentals ..... 593

Chapter 37. Basic Redundancy ..... 595
  Aggregating for Link Redundancy ..... 596
  Virtual Link Aggregation ..... 596
  Hot Links ..... 597
    Forward Delay ..... 597
    Preemption ..... 597
    FDB Update ..... 597
    Configuration Guidelines ..... 597
    Configuring Hot Links ..... 598
  Stacking for High Availability Topologies ..... 599

Chapter 38. Layer 2 Failover ..... 601
  Monitoring LAG Links ..... 602
  Setting the Failover Limit ..... 602
  Manually Monitoring Port Links ..... 603
    Monitor Port State ..... 603
    Control Port State ..... 603
  L2 Failover with Other Features ..... 604
    Static LAGs ..... 604
    LACP ..... 604
    Spanning Tree Protocol ..... 604
  Configuration Guidelines ..... 605
  Configuring Layer 2 Failover ..... 605

Chapter 39. Virtual Router Redundancy Protocol ..... 607
  VRRP Overview ..... 608
    VRRP Components ..... 608
      Virtual Router ..... 608
      Virtual Router MAC Address ..... 608
      Owners and Renters ..... 608
      Master and Backup Virtual Router ..... 609
      Virtual Interface Router ..... 609
    VRRP Operation ..... 609
    Selecting the Master VRRP Router ..... 610
  Failover Methods ..... 611
    Active-Active Redundancy ..... 611
    Virtual Router Group ..... 611
  Enterprise NOS Extensions to VRRP ..... 612


  Virtual Router Deployment Considerations ..... 613
    Assigning VRRP Virtual Router ID ..... 613
    Configuring the Switch for Tracking ..... 613
    VRRP Next Hop Tracking ..... 614
  High Availability Configurations ..... 615
    VRRP High Availability Using Multiple VIRs ..... 615
      Task 1: Configure G8264 1 ..... 616
      Task 2: Configure G8264 2 ..... 617
    VRRP High Availability Using VLAGs ..... 619

Part 7: Network Management ..... 621

Chapter 40. Link Layer Discovery Protocol ..... 623
  LLDP Overview ..... 624
  LLDP Stacking Mode ..... 625
  Enabling or Disabling LLDP ..... 626
    Global LLDP Setting ..... 626
    Transmit and Receive Control ..... 626
  LLDP Transmit Features ..... 627
    Scheduled Interval ..... 627
    Minimum Interval ..... 627
    Time-to-Live for Transmitted Information ..... 628
    Trap Notifications ..... 628
    Changing the LLDP Transmit State ..... 629
    Types of Information Transmitted ..... 629
  LLDP Receive Features ..... 631
    Types of Information Received ..... 631
    Viewing Remote Device Information ..... 631
    Time-to-Live for Received Information ..... 633
  LLDP Example Configuration ..... 635

Chapter 41. Simple Network Management Protocol ..... 637
  SNMP Version 1 & Version 2 ..... 637
  SNMP Version 3 ..... 638
  Configuring SNMP Trap Hosts ..... 640
    SNMPv2 Trap Host Configuration ..... 641
    SNMPv3 Trap Host Configuration ..... 642
  SNMP MIBs ..... 643
  Switch Images and Configuration Files ..... 651
    Loading a New Switch Image ..... 652
    Loading a Saved Switch Configuration ..... 652
    Saving the Switch Configuration ..... 653
    Saving a Switch Dump ..... 653

Chapter 42. Service Location Protocol ..... 655
  Active DA Discovery ..... 656
  SLP Configuration ..... 657

Chapter 43. NETCONF ..... 659
  NETCONF Overview ..... 660


  XML Requirements ..... 661
  Installing the NETCONF Client ..... 662
  Using Juniper Perl Client ..... 664
  Establishing a NETCONF Session ..... 665
  NETCONF Operations ..... 667
  Protocol Operations Examples ..... 668
    (eleven sub-entries whose titles were lost in extraction) ..... 668, 669, 671, 672, 672, 673, 674, 675, 675, 676, 677

Part 8: Monitoring ..... 681

Chapter 44. Remote Monitoring ..... 683
  RMON Overview ..... 684
  RMON Group 1 Statistics ..... 685
  RMON Group 2 History ..... 686
    History MIB Object ID ..... 686
    Configuring RMON History ..... 686
  RMON Group 3 Alarms ..... 687
    Alarm MIB objects ..... 687
    Configuring RMON Alarms ..... 687
  RMON Group 9 Events ..... 689

Chapter 45. sFlow ..... 691
  sFlow Statistical Counters ..... 691
  sFlow Network Sampling ..... 691
  sFlow Example Configuration ..... 692

Chapter 46. Port Mirroring ..... 693
  Port Mirroring Model ..... 694
  Configuring Port Mirroring ..... 695

Part 9: Appendices ..... 697

Appendix A. Getting help and technical assistance ..... 699

Appendix B. Notices ..... 701
  Trademarks ..... 703
  Important Notes ..... 704
  Recycling Information ..... 705
  Particulate Contamination ..... 706
  Telecommunication Regulatory Statement ..... 707
  Electronic Emission Notices ..... 708
    Federal Communications Commission (FCC) Statement ..... 708
    Industry Canada Class A Emission Compliance Statement ..... 708
    Avis de Conformité à la Réglementation d'Industrie Canada ..... 708
    Australia and New Zealand Class A Statement ..... 708
    European Union Compliance to the Electromagnetic Compatibility Directive ..... 708
    Germany Class A Compliance Statement ..... 709
    Japan VCCI Class A Statement ..... 710
    Japan Electronics and Information Technology Industries Association (JEITA) Statement ..... 710
    Korea Communications Commission (KCC) Statement ..... 711
    Russia Electromagnetic Interference (EMI) Class A statement ..... 712
    People's Republic of China Class A electronic emission statement ..... 713
    Taiwan Class A compliance statement ..... 714



Preface

This Application Guide describes how to configure and use the Lenovo Enterprise Network Operating System 8.4 software on the Lenovo RackSwitch G8264 (referred to as G8264 throughout this document). For documentation on installing the switch physically, see the Installation Guide for your G8264.


Who Should Use This Guide

This guide is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, Spanning Tree Protocol, and SNMP configuration parameters.


What You'll Find in This Guide

This guide will help you plan, implement, and administer Enterprise NOS software. Where possible, each section provides feature overviews, usage examples, and configuration instructions. The following material is included:

Part 1: Getting Started

This material is intended to help those new to ENOS products with the basics of switch management. This part includes the following chapters:

Chapter 1, "Switch Administration," describes how to access the G8264 to configure the switch and view switch information and statistics. This chapter discusses a variety of manual administration interfaces, including local management via the switch console, and remote administration via Telnet, a web browser, or via SNMP.

Chapter 2, "Initial Setup," describes how to use the built-in Setup utility to perform first-time configuration of the switch.

Chapter 3, "Switch Software Management," describes how to update the ENOS software operating on the switch.

Part 2: Securing the Switch

Chapter 4, "Securing Administration," describes methods for using Secure Shell for administration connections, and configuring end-user access control.

Chapter 5, "Authentication & Authorization Protocols," describes different secure administration for remote administrators. This includes using Remote Authentication Dial-in User Service (RADIUS), as well as TACACS+ and LDAP.

Chapter 6, "802.1X Port-Based Network Access Control," describes how to authenticate devices attached to a LAN port that has point-to-point connection characteristics. This feature prevents access to ports that fail authentication and authorization and provides security to ports of the G8264 that connect to blade servers.

Chapter 7, "Access Control Lists," describes how to use filters to permit or deny specific types of traffic, based on a variety of source, destination, and packet attributes.

Chapter 8, "Secure Input/Output Module," describes which protocols can be enabled. This feature allows secured traffic and secured authentication management.

Part 3: Switch Basics

Chapter 9, "VLANs," describes how to configure Virtual Local Area Networks (VLANs) for creating separate network segments, including how to use VLAN tagging for devices that use multiple VLANs. This chapter also describes Protocol-based VLANs, and Private VLANs.

Chapter 10, "Ports and Link Aggregation," describes how to group multiple physical ports together to aggregate the bandwidth between large-scale network devices.


Chapter 12, "Virtual Link Aggregation Groups," describes using Virtual Link Aggregation Groups (VLAGs) to form LAGs spanning multiple VLAG-capable aggregator switches.

Chapter 11, "Spanning Tree Protocols," discusses how Spanning Tree Protocol (STP) configures the network so that the switch selects the most efficient path when multiple paths exist. Covers Rapid Spanning Tree Protocol (RSTP), Per-VLAN Rapid Spanning Tree (PVRST), and Multiple Spanning Tree Protocol (MSTP).

Chapter 13, "Quality of Service," discusses Quality of Service (QoS) features, including IP filtering using Access Control Lists (ACLs), Differentiated Services, and IEEE 802.1p priority values.

Chapter 14, "Precision Time Protocol," describes the configuration of PTP for clock synchronization.

Part 4: Advanced Switching Features

Chapter 15, "OpenFlow," describes how to create an OpenFlow Switch instance on the RackSwitch G8264.

Chapter 16, "Deployment Profiles," describes how the G8264 can operate in different modes for different deployment scenarios, adjusting switch capacity levels to optimize performance for different types of networks.

Chapter 17, "Virtualization," provides an overview of allocating resources based on the logical needs of the data center, rather than on the strict, physical nature of components.

Chapter 18, "Stacking," describes how to combine multiple switches into a single, aggregate switch entity.

Chapter 19, "Virtual NICs," discusses using virtual NIC (vNIC) technology to divide NICs into multiple logical, independent instances.

Chapter 20, "VMready," discusses virtual machine (VM) support on the G8264.

Chapter 21, "FCoE and CEE," discusses using various Converged Enhanced Ethernet (CEE) features such as Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), and FIP Snooping for solutions such as Fibre Channel over Ethernet (FCoE).

Chapter 22, "Edge Virtual Bridging" (EVB), discusses IEEE 802.1Qbg, a standards-based protocol that defines how virtual Ethernet bridges exchange configuration information. EVB bridges the gap between physical and virtual network resources, thus simplifying network management.

Chapter 23, "Static Multicast ARP," discusses the configuration of a static ARP entry with a multicast MAC address for Microsoft's Network Load Balancing (NLB) feature to function efficiently.

Chapter 24, "Dynamic ARP Inspection," discusses this security feature that lets a switch intercept and examine all ARP request and response packets in a subnet, discarding those packets with invalid IP-to-MAC address bindings. This capability protects the network from man-in-the-middle attacks.

Chapter 25, "Unified Fabric Port," describes how UFP logically subdivides a high-speed physical link connecting to a server NIC. UFP provides a switch fabric component to control the NIC.


Part 5: IP Routing

Chapter 26, "Basic IP Routing," describes how to configure the G8264 for IP routing using IP subnets, BOOTP, and DHCP Relay.

Chapter 27, "Policy-Based Routing," describes how to configure the G8264 to forward traffic based on defined policies rather than entries in the routing table.

Chapter 28, "Routed Ports," describes how to configure a switch port to forward Layer 3 traffic.

Chapter 29, "Internet Protocol Version 6," describes how to configure the G8264 for IPv6 host management.

Chapter 30, "IPsec with IPv6," describes how to configure Internet Protocol Security (IPsec) for securing IP communications by authenticating and encrypting IP packets, with emphasis on Internet Key Exchange version 2, and authentication/confidentiality for OSPFv3.

Chapter 31, "Routing Information Protocol," describes how the ENOS software implements standard Routing Information Protocol (RIP) for exchanging TCP/IP route information with other routers.

Chapter 32, "Internet Group Management Protocol," describes how the ENOS software implements IGMP Snooping or IGMP Relay to conserve bandwidth in a multicast switching environment.

Chapter 33, "Multicast Listener Discovery," describes how Multicast Listener Discovery (MLD) is used with IPv6 to support host users' requests for multicast data for a multicast group.

Chapter 34, "Border Gateway Protocol," describes Border Gateway Protocol (BGP) concepts and features supported in ENOS.

Chapter 35, "Open Shortest Path First," describes key Open Shortest Path First (OSPF) concepts and their implementation in ENOS, and provides examples of how to configure your switch for OSPF support.

Chapter 36, "Protocol Independent Multicast," describes how multicast routing can be efficiently accomplished using the Protocol Independent Multicast (PIM) feature.

Part 6: High Availability Fundamentals

Chapter 37, "Basic Redundancy," describes how the G8264 supports redundancy through stacking, LAGs, and hot links.

Chapter 38, "Layer 2 Failover," describes how the G8264 supports high-availability network topologies using Layer 2 Failover.

Chapter 39, "Virtual Router Redundancy Protocol," describes how the G8264 supports high-availability network topologies using Virtual Router Redundancy Protocol (VRRP).


Part 7: Network Management

Chapter 40, "Link Layer Discovery Protocol," describes how Link Layer Discovery Protocol helps neighboring network devices learn about each other's ports and capabilities.

Chapter 41, "Simple Network Management Protocol," describes how to configure the switch for management through an SNMP client.

Chapter 42, "Service Location Protocol," describes the Service Location Protocol (SLP) that allows the switch to provide dynamic directory services.

Chapter 43, "NETCONF," describes how to manage the G8264 using Network Configuration Protocol (NETCONF), a mechanism based on the Extensible Markup Language (XML).

Part 8: Monitoring

Chapter 44, "Remote Monitoring," describes how to configure the RMON agent on the switch, so that the switch can exchange network monitoring data.

Chapter 45, "sFlow," describes how to use the embedded sFlow agent for sampling network traffic and providing continuous monitoring information to a central sFlow analyzer.

Chapter 46, "Port Mirroring," discusses tools for copying selected port traffic to a monitor port for network analysis.

Part 9: Appendices

Appendix A, "Glossary," describes common terms and concepts used throughout this guide.

Appendix A, "Getting help and technical assistance," provides details on where to go for additional information about Lenovo and Lenovo products.

Appendix B, "Notices," contains safety and environmental notices.


Additional References

Additional information about installing and configuring the G8264 is available in the following guides:

Lenovo RackSwitch G8264 Installation Guide

Lenovo RackSwitch G8264 ISCLI Command Reference for Lenovo Enterprise Network Operating System 8.4

Lenovo RackSwitch G8264 Release Notes for Lenovo Enterprise Network Operating System 8.4


Typographic Conventions

The following table describes the typographic styles used in this book.

Table 1. Typographic Conventions

Typeface or Symbol: ABC123 (monospace)
  Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
  Example: View the readme.txt file.
           Main#

Typeface or Symbol: ABC123 (bold)
  Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
  Example: Main# sys

Typeface or Symbol: (italic, in angle brackets)
  Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, special terms, or words to be emphasized.
  Example: To establish a Telnet session, enter: host# telnet
           Read your User's Guide thoroughly.

Typeface or Symbol: [ ]
  Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
  Example: host# ls [-a]

Typeface or Symbol: |
  Meaning: The vertical bar ( | ) is used in command examples to separate choices where multiple options exist. Select only one of the listed options. Do not type the vertical bar.
  Example: host# set left|right

Typeface or Symbol: AaBbCc123
  Meaning: This block type depicts menus, buttons, and other controls that appear in Web browsers and other graphical interfaces.
  Example: Click the Save button.


    Part 1: Getting Started



Chapter 1. Switch Administration

Your RackSwitch G8264 (G8264) is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively.

The extensive Lenovo Enterprise Network Operating System switching software included in the G8264 provides a variety of options for accessing the switch to perform configuration, and to view switch information and statistics.

This chapter discusses the various methods that can be used to administer the switch.


Administration Interfaces

Enterprise NOS provides a variety of user interfaces for administration. These interfaces vary in character and in the methods used to access them: some are text-based, and some are graphical; some are available by default, and some require configuration; some can be accessed by local connection to the switch, and others are accessed remotely using various client applications. For example, administration can be performed using any of the following:

A built-in, text-based command-line interface and menu system for access via serial-port connection or an optional Telnet or SSH session

The built-in Browser-Based Interface (BBI) available using a standard web browser

SNMP support for access through network management software such as IBM Director or HP OpenView

The specific interface chosen for an administrative session depends on user preferences, as well as the switch configuration and the available client tools.

In all cases, administration requires that the switch hardware is properly installed and turned on (see the Lenovo RackSwitch G8264 Installation Guide).

Command Line Interface

The Industry Standard Command Line Interface (ISCLI) provides a simple, direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance.

You can establish a connection to the ISCLI in any of the following ways:

Serial connection via the serial port on the G8264 (this option is always available)

Telnet connection over the network

SSH connection over the network


Establishing a Connection

The factory default settings permit initial switch administration through only the built-in serial port. All other forms of access require additional switch configuration before they can be used.

Remote access using the network requires the accessing terminal to have a valid, routable connection to the switch interface. The client IP address may be configured manually, or an IPv4 address can be provided automatically through the switch using a service such as DHCP or BOOTP relay (see "BOOTP/DHCP Client IP Address Services" on page 44), or an IPv6 address can be obtained using IPv6 stateless address configuration.

Note: Throughout this manual, "IP address" is used in places where either an IPv4 or IPv6 address is allowed. IPv4 addresses are entered in dotted-decimal notation (for example, 10.10.10.1), while IPv6 addresses are entered in hexadecimal notation (for example, 2001:db8:85a3::8a2e:370:7334). In places where only one type of address is allowed, "IPv4 address" or "IPv6 address" is specified.

Using the Switch Management Ports

To manage the switch through the management ports, you must configure an IP interface for each management interface. Configure the IPv4 address/mask and default gateway address:

1. Log on to the switch.

2. Enter Global Configuration mode.

   RS G8264> enable
   RS G8264# configure terminal

3. Configure a management IP address and mask:

   RS G8264(config)# interface ip 128
   RS G8264(config-ip-if)# ip address
   RS G8264(config-ip-if)# ip netmask
   RS G8264(config-ip-if)# enable
   RS G8264(config-ip-if)# exit

4. Configure the appropriate default gateway.

   RS G8264(config)# ip gateway 4 address
   RS G8264(config)# ip gateway 4 enable

   IP gateway 4 is required for IF 128.

Once you configure a management IP address for your switch, you can connect to a management port and use the Telnet program from an external management station to access and control the switch. The management port provides out-of-band management.


Using the Switch Data Ports

You also can configure in-band management through any of the switch data ports. To allow in-band management, use the following procedure:

1. Log on to the switch.

   RS G8264> enable
   RS G8264# configure terminal

2. Enter IP interface mode.

   RS G8264(config)# interface ip

   Note: Interface 128 is reserved for out-of-band management (see "Using the Switch Management Ports" on page 35).

3. Configure the management IP interface/mask.

   IPv4:
   RS G8264(config-ip-if)# ip address
   RS G8264(config-ip-if)# ip netmask

   IPv6:
   RS G8264(config-ip-if)# ipv6 address
   RS G8264(config-ip-if)# ipv6 prefixlen

4. Configure the VLAN, and enable the interface.

   RS G8264(config-ip-if)# vlan 1
   RS G8264(config-ip-if)# enable
   RS G8264(config-ip-if)# exit

5. Configure the default gateway.

   IPv4:
   RS G8264(config)# ip gateway address
   RS G8264(config)# ip gateway enable

   IPv6:
   RS G8264(config)# ip gateway6 address
   RS G8264(config)# ip gateway6 enable

   Note: Gateway 1, 2, and 3 are used for in-band data networks. Gateway 4 is reserved for the out-of-band management port (see "Using the Switch Management Ports" on page 35).

Once you configure the IP address and have a network connection, you can use the Telnet program from an external management station to access and control the switch. Once the default gateway is enabled, the management station and your switch do not need to be on the same IP subnet.


The G8264 supports an industry standard command-line interface (ISCLI) that you can use to configure and control the switch over the network using the Telnet program. You can use the ISCLI to perform many basic network management functions. In addition, you can configure the switch for management using an SNMP-based network management system or a Web browser.

For more information, see the documents listed in "Additional References" on page 29.

Using Telnet

A Telnet connection offers the convenience of accessing the switch from a workstation connected to the network. Telnet access provides the same options for user and administrator access as those available through the console port.

By default, Telnet access is enabled. Use the following commands to disable or re-enable Telnet access:

   RS G8264(config)# [no] access telnet enable

Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network.

To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the following Telnet command:

   telnet

You will then be prompted to enter a password as explained in "Switch Login Levels" on page 52.

Two attempts are allowed to log in to the switch. After the second unsuccessful attempt, the Telnet client is disconnected via TCP session closure.

Using Secure Shell

Although a remote network administrator can manage the configuration of a G8264 via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network


to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure.

The switch can do only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be able to log in if the switch is doing key generation at that time. Similarly, the system will fail to do the key generation if an SSH/SCP client is logging in at that time.

The supported SSH encryption and authentication methods are:

Server Host Authentication: Client RSA authenticates the switch when starting each connection

Key Exchange: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-nistp224, ecdh-sha2-nistp192, rsa2048-sha256, rsa1024-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

Encryption: aes128-ctr, aes128-cbc, rijndael128-cbc, blowfish-cbc, 3des-cbc, arcfour256, arcfour128, arcfour

MAC: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96

User Authentication: Local password authentication, public key authentication, RADIUS, TACACS+
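The algorithm set above mixes current choices with ones that most hardening guidance now rejects, and a client negotiates whichever both sides rank first. The following Python script, added here as an example and not taken from the Lenovo guide, classifies the switch's advertised key-exchange, cipher and MAC lists and renders OpenSSH client directives (the standard KexAlgorithms, Ciphers and MACs keywords) that pin a session to the acceptable subset. The "legacy" classification rules are this example's assumption, not a Lenovo statement; the host pattern g8264-mgmt is also assumed.

```python
"""Audit an SSH algorithm set against current hardening guidance.

Added example; it is not code from the Lenovo guide. The three lists
below are the algorithms the guide states the G8264 offers. Which of them
count as legacy is an assumption of this example, following widely
published guidance (RC4, CBC-mode ciphers, MD5 or truncated MACs,
SHA-1-based, small-curve or 1024-bit key exchange), not a Lenovo statement.
"""
import re

# Algorithm sets as listed in the guide (hyphens restored), server order.
G8264_KEX = [
    "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp224", "ecdh-sha2-nistp192", "rsa2048-sha256",
    "rsa1024-sha1", "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
G8264_CIPHERS = [
    "aes128-ctr", "aes128-cbc", "rijndael128-cbc", "blowfish-cbc",
    "3des-cbc", "arcfour256", "arcfour128", "arcfour",
]
G8264_MACS = ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"]

# Assumed legacy markers, one regex list per category (this example's choice).
LEGACY_PATTERNS = {
    "kex": [r"sha1$", r"^rsa1024-", r"nistp(192|224)$"],
    "cipher": [r"^arcfour", r"^3des-", r"^blowfish-", r"-cbc$"],
    "mac": [r"md5", r"-96$"],
}


def classify(category, algorithms):
    """Split one category into (acceptable, legacy), preserving server order."""
    patterns = [re.compile(p) for p in LEGACY_PATTERNS[category]]
    acceptable, legacy = [], []
    for name in algorithms:
        target = legacy if any(p.search(name) for p in patterns) else acceptable
        target.append(name)
    return acceptable, legacy


def audit(kex, ciphers, macs):
    """Return {category: {"acceptable": [...], "legacy": [...]}} for all three sets."""
    result = {}
    for category, algorithms in (("kex", kex), ("cipher", ciphers), ("mac", macs)):
        acceptable, legacy = classify(category, algorithms)
        result[category] = {"acceptable": acceptable, "legacy": legacy}
    return result


def client_config(result, host_pattern):
    """Render an ssh_config Host block restricted to the acceptable algorithms.

    KexAlgorithms, Ciphers and MACs are standard OpenSSH client keywords.
    Raises ValueError if a category has nothing acceptable left, because a
    client that simply connects would then negotiate a legacy algorithm.
    """
    keyword = {"kex": "KexAlgorithms", "cipher": "Ciphers", "mac": "MACs"}
    lines = [f"Host {host_pattern}"]
    for category in ("kex", "cipher", "mac"):
        acceptable = result[category]["acceptable"]
        if not acceptable:
            raise ValueError(f"no acceptable {category} algorithm offered; do not connect")
        lines.append(f"    {keyword[category]} {','.join(acceptable)}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = audit(G8264_KEX, G8264_CIPHERS, G8264_MACS)
    for category, sets in report.items():
        print(f"{category}: legacy={sets['legacy']}")
    print(client_config(report, "g8264-mgmt"))
```

Run against the guide's lists, the audit leaves aes128-ctr as the only cipher and hmac-sha1 as the only MAC, so the rendered Host block is what keeps a modern client from falling back to RC4 or a CBC-mode cipher when it talks to the switch.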

Lenovo Enterprise Network Operating System implements the SSH version 2.0 standard and is confirmed to work with SSH version 2.0-compliant clients such as the following:

OpenSSH_5.4p1 for Linux

SecureCRT Version 5.0.2 (build 1021)

PuTTY SSH release 0.60

Using SSH with Password Authentication

By default, the SSH feature is disabled. Once the IP parameters are configured and the SSH service is enabled, you can access the command-line interface using an SSH connection.

To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IPv4 or IPv6 address:

   # ssh

You will then be prompted to enter a password as explained in "Switch Login Levels" on page 52.


Using SSH with Public Key Authentication

SSH can also be used for switch authentication based on asymmetric cryptography. Public encryption keys can be uploaded on the switch and used to authenticate incoming login attempts based on the clients' private encryption key pairs. After a predefined number of failed public key login attempts, the switch reverts to password-based authentication.

To set up public key authentication:

1. Enable SSH:

   RS G8264(config)# ssh enable

2. Import the public key file using SFTP or TFTP for the admin user account:

   RS G8264(config)# copy {sftp|tftp} public-key
   Port type ["DATA"/"MGT"]: mgt
   Address or name of remote host: 9.43.101.151
   Source file name: 11.key
   Username of the public key: admin
   Confirm download operation (y/n)? y

   Notes:

   When prompted to input a username, a valid user account name must be entered. If no username is entered, the key is stored on the switch, and can be assigned to a user account later.

   A user account can have up to 100 public keys set up on the switch.

3. Configure a maximum number of 3 failed public key authentication attempts before the system reverts to password-based authentication:

   RS G8264(config)# ssh maxauthattempts 3

Once the public key is configured on the switch, the client can use SSH to log in from a system where the private key pair is set up:

   # ssh


Using a Web Browser

The switch provides a Browser-Based Interface (BBI) for accessing the common configuration, management, and operation features of the G8264 through your Web browser.

By default, BBI access via HTTP is enabled on the switch.

You can also access the BBI directly from an open Web browser window. Enter the URL using the IP address of the switch interface (for example, http://<switch IP address>).

Configuring HTTP Access to the BBI

By default, BBI access via HTTP is enabled on the switch.

To disable or re-enable HTTP access to the switch BBI, use the following commands:

RS G8264(config)# access http enable        (Enable HTTP access)
or
RS G8264(config)# no access http enable     (Disable HTTP access)

The default HTTP web server port to access the BBI is port 80. However, you can change the default Web server port with the following command:

RS G8264(config)# access http port <port number>

To access the BBI from a workstation, open a Web browser window and type in the URL using the IP address of the switch interface (for example, http://<switch IP address>).

Configuring HTTPS Access to the BBI

The BBI can also be accessed via a secure HTTPS connection over management and data ports.

1. Enable HTTPS.

By default, BBI access is enabled via both HTTP and HTTPS on the switch. If HTTPS access has been disabled, use the following command to enable BBI access via HTTPS:

RS G8264(config)# access https enable

2. Set the HTTPS server port number (optional).

To change the HTTPS Web server port number from the default port 443, use the following command:

RS G8264(config)# access https port <port number>

3. Generate the HTTPS certificate.

Accessing the BBI via HTTPS requires that you generate a certificate to be used during the key exchange. A default certificate is created the first time HTTPS is enabled, but you can create a new certificate defining the information you want to be used in the various fields.

RS G8264(config)# access https generate-certificate
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Santa Clara]:
Organization Name (eg, company) [Lenovo Networking Operating System]:
Organizational Unit Name (eg, section) [Network Engineering]:
Common Name (eg, YOUR name) [0.0.0.0]:
Email (eg, email address) []:
Confirm generating certificate? [y/n]: y
Generating certificate. Please wait (approx 30 seconds)
restarting SSL agent

4. Save the HTTPS certificate.

The certificate is valid only until the switch is rebooted. To save the certificate so it is retained beyond reboot or power cycles, use the following command:

RS G8264(config)# access https save-certificate

When a client (such as a web browser) connects to the switch, the client is asked to accept the certificate and verify that the fields match what is expected. Once BBI access is granted to the client, the BBI can be used.

Browser-Based Interface Summary

The BBI is organized at a high level as follows:

Context buttons: These buttons allow you to select the type of action you wish to perform. The Configuration button provides access to the configuration elements for the entire switch. The Statistics button provides access to the switch statistics and state information. The Dashboard button allows you to display the settings and operating status of a variety of switch features.

Navigation Window: Provides a menu of switch features and functions:

System: Provides access to the configuration elements for the entire switch.

Switch Ports: Configure each of the physical ports on the switch.

Port-Based Port Mirroring: Configure port mirroring behavior.

Layer 2: Configure Layer 2 features for the switch.

RMON Menu: Configure Remote Monitoring features for the switch.

Layer 3: Configure Layer 3 features for the switch.

QoS: Configure Quality of Service features for the switch.

Access Control: Configure Access Control Lists to filter IP packets.

CEE: Configure Converged Enhanced Ethernet (CEE).

FCoE: Configure Fibre Channel over Ethernet (FCoE).

Virtualization: Configure vNICs and VMready for virtual machines (VMs).

Dove Gateway: Configure Distributed Overlay Virtual Ethernet.


Using Simple Network Management Protocol

ENOS provides Simple Network Management Protocol (SNMP) version 1, version 2, and version 3 support for access through any network management software, such as IBM Director or HP OpenView.

Note: SNMP read and write functions are enabled by default. For best security practices, if SNMP is not needed for your network, it is recommended that you disable these functions prior to connecting the switch to the network.

To access the SNMP agent on the G8264, the read and write community strings on the SNMP manager must be configured to match those on the switch. The default read community string on the switch is public and the default write community string is private.

The read and write community strings on the switch can be configured using the following commands:

RS G8264(config)# snmp-server read-community <community string>
and
RS G8264(config)# snmp-server write-community <community string>

The SNMP manager must be able to reach any one of the IP interfaces on the switch.

For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following commands:

RS G8264(config)# snmp-server trap-source <IP interface>
RS G8264(config)# snmp-server host <IP address> <community string>

To restrict SNMP access to specific IPv4 subnets, use the following commands:

RS G8264(config)# access management-network <IPv4 address> <subnet mask> snmp-ro
and
RS G8264(config)# access management-network <IPv4 address> <subnet mask> snmp-rw

For IPv6 networks, use:

RS G8264(config)# access management-network6 <IPv6 address> <prefix length> snmp-ro
and
RS G8264(config)# access management-network6 <IPv6 address> <prefix length> snmp-rw

Note: Subnets allowed for SNMP read-only access must not overlap with subnets allowed for SNMP read-write access.

For more information on SNMP usage and configuration, see Chapter 41, "Simple Network Management Protocol".
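The two checks this section asks for, non-default community strings and no overlap between the SNMP read-only and read-write subnets, as a Python script added here (not Lenovo code). It parses the ENOS-style commands shown above from a constructed running-config excerpt; the community strings and subnets in the sample are made up.

```python
"""SNMP access-setting checker (constructed example, not Lenovo code)."""
import ipaddress
import shlex

DEFAULT_COMMUNITIES = {"read-community": "public", "write-community": "private"}


def parse_snmp_config(lines):
    """Return (communities, ro_nets, rw_nets) from ENOS-style config lines."""
    communities, ro_nets, rw_nets = {}, [], []
    for raw in lines:
        tokens = shlex.split(raw.split("!", 1)[0])      # "!" starts a comment
        if tokens[:1] == ["snmp-server"] and len(tokens) == 3 \
                and tokens[1] in DEFAULT_COMMUNITIES:
            communities[tokens[1]] = tokens[2]
        elif tokens[:2] in (["access", "management-network"],
                            ["access", "management-network6"]) and len(tokens) == 5:
            # IPv4 form carries a dotted mask, IPv6 form a prefix length.
            mask = tokens[3] if tokens[1] == "management-network" else int(tokens[3])
            net = ipaddress.ip_network((tokens[2], mask), strict=False)
            (ro_nets if tokens[4] == "snmp-ro" else rw_nets).append(net)
    return communities, ro_nets, rw_nets


def check_snmp_config(lines):
    """Return a list of findings; an empty list means nothing was flagged."""
    communities, ro_nets, rw_nets = parse_snmp_config(lines)
    findings = []
    for key, default in DEFAULT_COMMUNITIES.items():
        # A community that was never set is still the factory default.
        if communities.get(key, default) == default:
            findings.append(f"{key} is the factory default '{default}'")
    if not ro_nets and not rw_nets:
        findings.append("no access management-network restriction: "
                        "SNMP is reachable from any source address")
    for ro in ro_nets:
        for rw in rw_nets:
            if ro.version == rw.version and ro.overlaps(rw):
                findings.append(f"read-only subnet {ro} overlaps read-write subnet {rw}")
    return findings


# Constructed running-config excerpt: the write community was changed but the
# read community was left at its default, and the RO /16 contains the RW /24.
SAMPLE_CONFIG = """
snmp-server read-community public
snmp-server write-community s3cret-rw
access management-network 10.20.0.0 255.255.0.0 snmp-ro
access management-network 10.20.5.0 255.255.255.0 snmp-rw
access management-network6 2001:db8:10:: 64 snmp-ro
""".strip().splitlines()

if __name__ == "__main__":
    for finding in check_snmp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```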


BOOTP/DHCP Client IP Address Services

For remote switch administration, the client terminal device must have a valid IP address on the same network as a switch interface. The IP address on the client device may be configured manually, or obtained automatically using IPv6 stateless address configuration, or an IPv4 address may be obtained automatically via BOOTP or DHCP relay as discussed in the next section.

The G8264 can function as a relay agent for Bootstrap Protocol (BOOTP) or DHCP. This allows clients to be assigned an IPv4 address for a finite lease period, reassigning freed addresses later to other clients.

Acting as a relay agent, the switch can forward a client's IPv4 address request to up to five BOOTP/DHCP servers. In addition to the five global BOOTP/DHCP servers, up to five domain-specific BOOTP/DHCP servers can be configured for each of up to 10 VLANs.

When a switch receives a BOOTP/DHCP request from a client seeking an IPv4 address, the switch acts as a proxy for the client. The request is forwarded as a UDP unicast MAC layer message to the BOOTP/DHCP servers configured for the client's VLAN, or to the global BOOTP/DHCP servers if no domain-specific BOOTP/DHCP servers are configured for the client's VLAN. The servers respond to the switch with a unicast reply that contains the IPv4 default gateway and the IPv4 address for the client. The switch then forwards this reply back to the client.

DHCP is described in RFC 2131, and the DHCP relay agent supported on the G8264 is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.

BOOTP and DHCP relay are collectively configured using the BOOTP commands and menus on the G8264.

DHCP Host Name Configuration

The G8264 supports DHCP host name configuration as described in RFC 2132, option 12. DHCP host name configuration is enabled by default.

The host name can be manually configured using the following command:

RS G8264(config)# hostname <name>

If the host name is manually configured, the switch does not replace it with the host name received from the DHCP server.

After the host name is configured on the switch, if DHCP or DHCP host name configuration is disabled, the switch retains the host name.

The switch prompt displays the host name.

Host name configuration can be enabled or disabled using the following command:

RS G8264(config)# [no] system dhcp hostname


DHCP SYSLOG Server

During switch startup, if the switch fails to get the configuration file, a message can be recorded in the SYSLOG server.

The G8264 supports requesting a SYSLOG server IP address from the DHCP server as described in RFC 2132, option 7. The DHCP SYSLOG server request option is enabled by default.

A manually configured SYSLOG server takes priority over a SYSLOG server learned from DHCP.

Up to two SYSLOG server addresses received from the DHCP server can be used. The SYSLOG server can be learned over a management port or a data port.

Use the RS G8264# show logging command to view the SYSLOG server address.

The DHCP SYSLOG server address option can be enabled or disabled using the following command:

RS G8264(config)# [no] system dhcp syslog

Global BOOTP Relay Agent Configuration

To enable the G8264 to be a BOOTP (or DHCP) forwarder, enable the BOOTP relay feature, configure up to four global BOOTP server IPv4 addresses on the switch, and enable BOOTP relay on the interface(s) on which the client requests are expected.

Generally, it is best to configure BOOTP for the switch IP interface that is closest to the client, so that the BOOTP server knows from which IPv4 subnet the newly allocated IPv4 address will come.

In the G8264 implementation, there are no primary or secondary BOOTP servers. The client request is forwarded to all the global BOOTP servers configured on the switch (if no domain-specific servers are configured). The use of multiple servers provides failover redundancy. However, no health checking is supported.

1. Use the following commands to configure global BOOTP relay servers:

RS G8264(config)# ip bootp-relay enable
RS G8264(config)# ip bootp-relay server <server number> address <IPv4 address>

2. Enable BOOTP relay on the appropriate IP interfaces.

BOOTP/DHCP relay functionality may be assigned on a per-interface basis using the following commands:

RS G8264(config)# interface ip <interface number>
RS G8264(config-ip-if)# relay
RS G8264(config-ip-if)# exit


Domain-Specific BOOTP Relay Agent Configuration

Use the following commands to configure up to five domain-specific BOOTP relay agents for each of up to 10 VLANs:

RS G8264(config)# ip bootp-relay bcast-domain <1-10> vlan <VLAN number>
RS G8264(config)# ip bootp-relay bcast-domain <1-10> server <1-5> address <IPv4 address>
RS G8264(config)# ip bootp-relay bcast-domain <1-10> enable

As with global relay agent servers, domain-specific BOOTP/DHCP functionality may be assigned on a per-interface basis (see Step 2 on page 45).

DHCP Option 82

DHCP Option 82 provides a mechanism for generating IP addresses based on the client device's location in the network. When you enable the DHCP relay agent option on the switch, it inserts the relay agent information option 82 in the packet, and sends a unicast BOOTP request packet to the DHCP server. The DHCP server uses the option 82 field to assign an IP address, and sends the packet, with the original option 82 field included, back to the relay agent. The DHCP relay agent strips off the option 82 field in the packet and sends the packet to the DHCP client.

Configuration of this feature is optional. The feature helps resolve several issues where untrusted hosts access the network. See RFC 3046 for details.

Use the following commands to configure DHCP Option 82:

RS G8264(config)# ip bootp-relay information enable                            (Enable Option 82)
RS G8264(config)# ip bootp-relay enable                                        (Enable DHCP relay)
RS G8264(config)# ip bootp-relay server <server number> address <IPv4 address>

DHCP Snooping

DHCP snooping provides security by filtering untrusted DHCP packets and by building and maintaining a DHCP snooping binding table. This feature is applicable only to IPv4 and only works in non-stacking mode.

An untrusted interface is a port that is configured to receive packets from outside the network or firewall. A trusted interface receives packets only from within the network. By default, all DHCP ports are untrusted.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and port number that correspond to the local untrusted interface on the switch; it does not contain information regarding hosts interconnected with a trusted interface.

By default, DHCP snooping is disabled on all VLANs. You can enable DHCP snooping on one or more VLANs. You must enable DHCP snooping globally. To enable this feature, enter the following commands:

RS G8264(config)# ip dhcp snooping vlan <VLAN number>
RS G8264(config)# ip dhcp snooping

Following is an example of DHCP snooping configuration, where the DHCP server and client are in VLAN 100, and the server connects using port 24.

RS G8264(config)# ip dhcp snooping vlan 100
RS G8264(config)# ip dhcp snooping
RS G8264(config)# interface port 24
RS G8264(config-if)# ip dhcp snooping trust                       (Optional; Set port as trusted)
RS G8264(config-if)# ip dhcp snooping information option-insert   (Optional; add DHCP option 82)
RS G8264(config-if)# ip dhcp snooping limit rate 100              (Optional; Set DHCP packet rate)
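A Python model of the snooping behaviour described above, added here as an illustration and not Lenovo code: it replays the VLAN 100 scenario with the server on trusted port 24 and a client on an untrusted port, showing which messages are dropped, how binding-table rows (MAC, IP, lease, type, VLAN, port) are created only for hosts behind untrusted interfaces, and how a per-port rate limit applies. The message records, MAC and IP addresses are constructed.

```python
"""DHCP snooping model (constructed example, not Lenovo code)."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # legitimate only from a DHCP server

@dataclass
class DhcpMsg:
    kind: str          # DHCP message type, e.g. "DISCOVER"
    port: int          # switch port the frame arrived on
    vlan: int
    mac: str           # client hardware address (chaddr)
    ip: str = ""       # yiaddr, present in OFFER/ACK
    lease: int = 0     # lease seconds, present in ACK
    ts: float = 0.0    # arrival time in seconds

@dataclass
class DhcpSnooper:
    vlans: set                                      # "ip dhcp snooping vlan <n>"
    trusted: set = field(default_factory=set)       # ports with "ip dhcp snooping trust"
    rate_limit: dict = field(default_factory=dict)  # port -> pps ("limit rate <n>")
    bindings: dict = field(default_factory=dict)    # (vlan, mac) -> binding row
    pending: dict = field(default_factory=dict)     # (vlan, mac) -> client port
    window: dict = field(default_factory=dict)      # port -> [second, count]

    def rate_exceeded(self, msg):
        """Count DHCP packets per port per second against the configured limit."""
        limit = self.rate_limit.get(msg.port)
        if limit is None:
            return False
        sec = int(msg.ts)
        win = self.window.setdefault(msg.port, [sec, 0])
        if win[0] != sec:
            win[:] = [sec, 0]
        win[1] += 1
        return win[1] > limit

    def process(self, msg):
        """Return 'FORWARD' or 'DROP: <reason>' for one DHCP message."""
        if msg.vlan not in self.vlans:
            return "FORWARD"                 # snooping not enabled on this VLAN
        if self.rate_exceeded(msg):
            return "DROP: rate limit exceeded"
        untrusted = msg.port not in self.trusted
        if untrusted and msg.kind in SERVER_MSGS:
            return "DROP: server message on untrusted port"
        key = (msg.vlan, msg.mac)
        if untrusted and msg.kind in ("DISCOVER", "REQUEST"):
            self.pending[key] = msg.port     # remember which port the client is on
        elif msg.kind == "ACK" and key in self.pending:
            # Rows exist only for hosts behind untrusted interfaces.
            self.bindings[key] = {"mac": msg.mac, "ip": msg.ip, "lease": msg.lease,
                                  "type": "dynamic", "vlan": msg.vlan,
                                  "port": self.pending.pop(key)}
        elif untrusted and msg.kind == "RELEASE":
            self.bindings.pop(key, None)
        return "FORWARD"

def run_scenario():
    """Replay the VLAN 100 example: server on trusted port 24, client on port 1."""
    sn = DhcpSnooper(vlans={100}, trusted={24}, rate_limit={24: 100})
    mac = "00:11:22:33:44:55"              # constructed client MAC
    msgs = [
        DhcpMsg("DISCOVER", 1, 100, mac, ts=0.1),
        DhcpMsg("OFFER", 2, 100, mac, ip="10.0.0.66", ts=0.2),  # server reply on untrusted port
        DhcpMsg("OFFER", 24, 100, mac, ip="10.0.0.10", ts=0.3),
        DhcpMsg("REQUEST", 1, 100, mac, ip="10.0.0.10", ts=0.4),
        DhcpMsg("ACK", 24, 100, mac, ip="10.0.0.10", lease=3600, ts=0.5),
    ]
    log = [(m.kind, m.port, sn.process(m)) for m in msgs]
    return sn, log

if __name__ == "__main__":
    snooper, results = run_scenario()
    print(results, snooper.bindings, sep="\n")
```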

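An added Python example (not Lenovo code) of the relay-agent behaviour described in the BOOTP/DHCP Client IP Address Services and DHCP Option 82 subsections above: the request goes to the domain-specific servers of the client's VLAN or else to the global list, Option 82 is inserted toward the server and stripped from the reply toward the client, using the RFC 3046 sub-option layout. The circuit-ID byte layout and the sample option bytes are constructed for this example and are not the switch's actual encoding.

```python
"""Relay agent with DHCP Option 82 (constructed example, not Lenovo code)."""
import struct

OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes
SERVER_PORT = 67                                # clients and relays send to UDP/67


def parse_options(data):
    """Decode a DHCP options field into [(code, value), ...], stopping at END."""
    opts, i = [], 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def encode_options(opts):
    """Inverse of parse_options; terminates the field with END."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([OPT_END])


def build_option82(vlan, port, switch_mac):
    """Relay Agent Information: circuit ID (sub-option 1) and remote ID (sub-option 2).

    Circuit ID = VLAN and port as two big-endian 16-bit fields (constructed layout,
    not the switch's real encoding); remote ID = the relay's own MAC address.
    """
    circuit_id = struct.pack("!HH", vlan, port)
    remote_id = bytes.fromhex(switch_mac.replace(":", ""))
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def relay_to_server(options, vlan, port, switch_mac, vlan_servers, global_servers):
    """Return (unicast destinations, options as sent to the servers).

    Domain-specific servers of the client's VLAN are used when configured,
    otherwise the global list; Option 82 replaces any already present.
    """
    targets = vlan_servers.get(vlan) or global_servers
    opts = [o for o in parse_options(options) if o[0] != OPT_RELAY_AGENT]
    opts.append((OPT_RELAY_AGENT, build_option82(vlan, port, switch_mac)))
    return [(ip, SERVER_PORT) for ip in targets], encode_options(opts)


def relay_to_client(reply_options):
    """Strip the echoed Option 82 from a server reply and return
    (vlan, port, options for the client); the circuit ID locates the client."""
    vlan = port = None
    kept = []
    for code, value in parse_options(reply_options):
        if code != OPT_RELAY_AGENT:
            kept.append((code, value))
            continue
        i = 0
        while i < len(value):
            sub, length = value[i], value[i + 1]
            if sub == SUB_CIRCUIT_ID:
                vlan, port = struct.unpack("!HH", value[i + 2:i + 2 + length])
            i += 2 + length
    return vlan, port, encode_options(kept)


# Constructed DHCPDISCOVER options: message type (53) = 1, parameter request list (55).
SAMPLE_REQUEST = bytes([53, 1, 1, 55, 2, 1, 3, OPT_END])
```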

Easy Connect Wizard

Lenovo Easy Connect (EZC) is a feature designed to simplify switch configuration. A set of predefined configurations can be applied on the switch via ISCLI. By launching the EZC Wizard, you are prompted for a minimal set of input and the tool automatically customizes the switch software.

The EZC Wizard allows you to choose one of the following configuration modes:

Basic System mode supports settings for hostname, static management port IP, netmask, and gateway.

Transparent mode collects server and uplink port settings. vNIC groups are used to define the loop-free domains.

Note: You can either accept the static defaults or enter a different port list for uplink and/or server ports.

Redundant mode refers to VLAG settings.

The EZC configuration will be applied immediately. Any existing configuration will be deleted; the current active or running configuration will not be merged or appended to the EZC configuration.

Any custom settings that are not included in the predefined configuration sets must be configured manually.

Notes:

EZC is not available in stacking mode.

To support scripting, the feature also has a single-line format. For more information, please refer to the Lenovo Networking ISCLI Reference Guide.

Configuring the Easy Connect Wizard

To launch the EZC Wizard, use the following command:

RS G8264# easyconnect

The wizard displays the available predefined configuration modes. You are prompted to select one of the following options:

RS G8264# easyconnect
Auto-configures the switch into a set configuration based on the input provided.
Current configuration will be overwritten with auto-configuration settings.
The wizard can be canceled any time by pressing Ctrl+C.
Select which of the following features you want enabled:
# Configure Basic system (yes/no)?
# Configure Transparent mode (yes/no)?
# Configure Switch Redundant mode (yes/no)?


Basic System Mode Configuration Example

This example shows the parameters available for configuration in Basic System mode:

RS G8264# easyconnect
Configure Basic system (yes/no)? y

Please enter "none" for no hostname.
Enter hostname (Default: None)? host

Please enter "dhcp" for dhcp IP.
Select management IP address (Current: 10.241.13.32)?
Enter management netmask (Current: 255.255.255.128)?
Enter management gateway: (Current: 10.241.13.1)?

Pending switch port configuration:

Hostname: host
Management interface:
IP: 10.241.13.32
Netmask: 255.255.255.128
Gateway: 10.241.13.1
Confirm erasing current config to reconfigure Easy Connect (yes/no)?

Note: You can either accept the default values or enter new parameters.

Transparent Mode Configuration Example

This example shows the parameters available for configuration in Transparent mode:

RS G8264# easyconnect
Configure Transparent mode (yes/no)? y
Select Uplink Ports (Static Defaults: 17-24)?
The following Uplink ports will be enabled:
Uplink ports (1G/10G): 17-24
Select Server Ports (Static Defaults: 25-64)?
The following Server ports will be enabled:
Server ports (1G/10G): 25-64
Pending switch configuration:

Uplink Ports: 17-24
Server Ports: 25-64
Disabled Ports: 1, 5, 9, 13
Confirm erasing current config to reconfigure Easy Connect (yes/no)?

Notes:

If your selection for a port group contains ports of different mode or speed, the selection is not valid and you are guided to either select other ports or change the speed of the ports.

You can either accept the static defaults or enter a different port list for uplink and/or server ports.


Redundant Mode Configuration Example

This example shows the parameters available for configuration in Redundant mode:

RS G8264# easyconnect
Configure Switch Redundant mode (yes/no)? y

Note: It is recommended to select Basic system configuration in order to set the management IP address used for vLAG health check.

Configure Basic system (yes/no)? y

Configure this switch as vLAG Primary or Secondary Peer (primary/secondary)? prim

Select ISL Ports (Static Defaults: 1-16)?
The following ISL ports will be enabled:
ISL ports (40G): 1-16

Select vLAG Tier ID (Default: 101)?

Select management IP address (Current: 192.168.49.50)?

Enter management netmask (Current: 255.255.255.0)?

Select Peer IP address for vLAG health check (Default: 1.1.1.2)?
Warning: vLAG health check Peer IP is not reachable. Do you want to select another Peer IP (yes/no)? y
Select Peer IP address for vLAG health check (Default: 1.1.1.2)?
Warning: vLAG health check Peer IP is not reachable. Do you want to select another Peer IP (yes/no)? n

Select Uplink Ports (Static Defaults: 17-24)?
The following Uplink ports will be enabled:
Uplink ports (1G/10G): 17-24

Select Downlink Ports (Static Defaults: 25-64)?
The following Downlink ports will be enabled:
Downlink ports (1G/10G): 25-64

Please enter "none" for no hostname.
Enter hostname (Default: PrimaryVLAG)?

Please enter "none" for no gateway.
Enter management gateway: (Default: 0.0.0.0)?

Pending switch configuration:

vLAG switch type: Primary
ISL Ports: 1-16
vLAG Tier ID: 101
vLAG Peer IP: 1.1.1.2
Uplink Ports: 17-24
Downlink Ports: 25-64
Disabled Ports: empty

Hostname: PrimaryVLAG
Management interface:
IP: 192.168.49.50
Netmask: 255.255.255.0
Gateway: 0.0.0.0

Confirm erasing current config to reconfigure Easy Connect (yes/no)?

Notes:

If your selection for a port group contains ports of different speed, the selection is not valid, and you are guided to either select other ports or change the speed of the ports.

All unused ports are configured as shutdown in the configuration dump.

You can either accept the static defaults or enter a different port list for ISL, uplink, and/or downlink ports.


Switch Login Levels

To enable better switch management and user accountability, three levels or classes of user access have been implemented on the G8264. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:

User interaction with the switch is completely passive: nothing can be changed on the G8264. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.

Operators can only effect temporary changes on the G8264. These changes will be lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation.

Administrators are the only ones that may make permanent changes to the switch configuration: changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the G8264. Because administrators can also make temporary (operator-level) changes as well, they must be aware of the interactions between temporary and permanent changes.

Access to switch functions is controlled through the use of unique user names and passwords. Once you are connected to the switch via console, remote Telnet, or SSH, you are prompted to enter a password. The default user names and passwords for each access level are listed in the following table.

Note: It is recommended that you change the default switch passwords after initial configuration and as regularly as required under your network security policies.

Table 2. User Access Levels - Default Settings

User Account | Password | Description and Tasks Performed | Status
user | user | The User has no direct responsibility for switch management. He or she can view all switch status information and statistics, but cannot make any configuration changes to the switch. | Disabled
oper | oper | The Operator manages all functions of the switch. The Operator can reset ports, except the management ports. | Disabled
admin | admin | The super-user Administrator has complete access to all menus, information, and configuration commands on the G8264, including the ability to change both the user and administrator passwords. | Enabled

Note: Access to each user level (except the admin account) can be disabled by setting the password to an empty value. To disable the admin account, use the command no access user administrator-enable. The Admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege.


Setup vs. the Command Line

Once the administrator password is verified, you are given complete access to the switch. If the switch is still set to its factory default configuration, you will need to run Setup (see Chapter 2, "Initial Setup"), a utility designed to help you through the first-time configuration process. If the switch has already been configured, the command line is displayed instead.


Idle Disconnect

By default, the switch will disconnect your Telnet session after 10 minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 0 to 60 minutes, where 0 means the session will never time out.

Use the following command to set the idle timeout value:

RS G8264(config)# system idle <0-60>


Boot Strict Mode

The implementations specified in this section are compliant with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131A.

The RackSwitch G8264 can operate in two boot modes:

Compatibility mode (default): This is the default switch boot mode. This mode may use algorithms and key lengths that are not allowed or acceptable under the NIST SP 800-131A specification. This mode is useful in maintaining compatibility with previous releases and in environments that have lesser data security requirements.

Strict mode: Encryption algorithms, protocols, and key lengths in strict mode are compliant with the NIST SP 800-131A specification.

When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch.

Before enabling strict mode, ensure the following:

The software version on all connected switches is Enterprise NOS 8.4.

The supported protocol versions and cryptographic cipher suites between clients and servers are compatible. For example: if using SSH to connect to the switch, ensure that the SSH client supports SSHv2 and a strong cipher suite that is compliant with the NIST standard.

A compliant Web server certificate is installed on the switch, if using BBI.

A new self-signed certificate is generated for the switch (RS G8264(config)# access https generate-certificate). The new certificate is generated using a 2048-bit RSA key and SHA-256 digest.

Protocols that are not NIST SP 800-131A compliant must be disabled or not used.

Only SSHv2 or higher is used.

The current configuration, if any, is saved in a location external to the switch. When the switch reboots, both the startup and running configuration are lost.

Only protocols/algorithms compliant with the NIST SP 800-131A specification are used/enabled on the switch. Please see the NIST SP 800-131A publication for details. The following table lists the acceptable protocols and algorithms