Lenovo RackSwitch G8264
Application Guide for Lenovo Enterprise Network Operating System 8.4

Note: Before using this information and the product it supports, read the general information in the Safety Information and Environmental Notices and User Guide documents on the Lenovo Documentation CD and the Warranty Information document that comes with the product.

First Edition (September 2016)

Copyright Lenovo 2016. Portions Copyright IBM Corporation 2014.
LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administration (GSA) contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS35F05925.
Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.
Copyright Lenovo 2016 3
Contents

Preface ... 23
  Who Should Use This Guide ... 24
  What You'll Find in This Guide ... 25
  Additional References ... 29
  Typographic Conventions ... 30

Part 1: Getting Started ... 31

Chapter 1. Switch Administration ... 33
  Administration Interfaces ... 34
    Command Line Interface ... 34
  Establishing a Connection ... 35
    Using the Switch Management Ports ... 35
    Using the Switch Data Ports ... 36
    Using Telnet ... 37
    Using Secure Shell ... 37
      Using SSH with Password Authentication ... 38
      Using SSH with Public Key Authentication ... 39
    Using a Web Browser ... 40
      Configuring HTTP Access to the BBI ... 40
      Configuring HTTPS Access to the BBI ... 40
      Browser-Based Interface Summary ... 41
    Using Simple Network Management Protocol ... 43
  BOOTP/DHCP Client IP Address Services ... 44
    DHCP Host Name Configuration ... 44
    DHCP SYSLOG Server ... 45
    Global BOOTP Relay Agent Configuration ... 45
    Domain-Specific BOOTP Relay Agent Configuration ... 46
    DHCP Option 82 ... 46
    DHCP Snooping ... 46
  Easy Connect Wizard ... 48
    Configuring the Easy Connect Wizard ... 48
      Basic System Mode Configuration Example ... 49
      Transparent Mode Configuration Example ... 49
      Redundant Mode Configuration Example ... 50
  Switch Login Levels ... 52
  Setup vs. the Command Line ... 54
  Idle Disconnect ... 55
  Boot Strict Mode ... 56
    Acceptable Cipher Suites ... 59
    Configuring Strict Mode ... 60
    Configuring No-Prompt Mode ... 60
    SSL/TLS Version Limitation ... 60
    Limitations ... 60
  Scripting ... 62
4 G8264 Application Guide for ENOS 8.4
Chapter 2. Initial Setup ... 63
  Information Needed for Setup ... 64
  Default Setup Options ... 65
  Setting the Management Interface Default IP Address ... 66
  Stopping and Restarting Setup Manually ... 67
    Stopping Setup ... 67
    Restarting Setup ... 67
  Setup Part 1: Basic System Configuration ... 68
  Setup Part 2: Port Configuration ... 70
  Setup Part 3: VLANs ... 72
  Setup Part 4: IP Configuration ... 73
    IP Interfaces ... 73
    Loopback Interfaces ... 74
      Using Loopback Interfaces for Source IP Addresses ... 74
      Loopback Interface Limitations ... 75
    Default Gateways ... 75
    IP Routing ... 75
  Setup Part 5: Final Steps ... 77
  Optional Setup for Telnet Support ... 78

Chapter 3. Switch Software Management ... 79
  Loading New Software to Your Switch ... 80
    Loading Software via the ISCLI ... 80
    Loading Software via BBI ... 81
    USB Options ... 82
      USB Boot ... 82
      USB Copy ... 83
  The Boot Management Menu ... 84
    Recovering from a Failed Software Upgrade ... 84
    Recovering from a Failed Boot Image ... 87

Part 2: Securing the Switch ... 89

Chapter 4. Securing Administration ... 91
  Secure Shell and Secure Copy ... 92
    Configuring SSH/SCP Features on the Switch ... 92
      To Enable or Disable the SSH Feature ... 92
      To Enable or Disable SCP Apply and Save ... 93
    Configuring the SCP Administrator Password ... 93
    Using SSH and SCP Client Commands ... 93
      To Log Into the Switch ... 93
      To Copy the Switch Configuration File to the SCP Host ... 93
      To Load a Switch Configuration File from the SCP Host ... 94
      To Apply and Save the Configuration ... 94
      To Copy the Switch Image and Boot Files to the SCP Host ... 94
      To Load Switch Configuration Files from the SCP Host ... 95
    SSH and SCP Encryption of Management Messages ... 95
    Generating RSA Host Key for SSH Access ... 95
    SSH/SCP Integration with Radius Authentication ... 95
    SSH/SCP Integration with TACACS+ Authentication ... 96
  End User Access Control ... 97
    Considerations for Configuring End User Accounts ... 97
    Strong Passwords ... 97
    User Access Control ... 98
      Setting up User IDs ... 98
      Defining a User's Access Level ... 98
      Validating a User's Configuration ... 98
      Enabling or Disabling a User ... 98
      Locking Accounts ... 98
      Re-Enabling Locked Accounts ... 99
    Listing Current Users ... 99
    Logging into an End User Account ... 99
    Password Fix-Up Mode ... 99

Chapter 5. Authentication & Authorization Protocols ... 101
  RADIUS Authentication and Authorization ... 102
    How RADIUS Authentication Works ... 102
    Configuring RADIUS on the Switch ... 102
    RADIUS Authentication Features in Enterprise NOS ... 104
    Switch User Accounts ... 104
    RADIUS Attributes for Enterprise NOS User Privileges ... 105
  TACACS+ Authentication ... 106
    How TACACS+ Authentication Works ... 106
    TACACS+ Authentication Features in Enterprise NOS ... 107
      Authorization ... 107
      Accounting ... 108
    Command Authorization and Logging ... 108
    Configuring TACACS+ Authentication on the Switch ... 109
  LDAP Authentication and Authorization ... 110
    Configuring the LDAP Server ... 110
    Configuring LDAP Authentication on the Switch ... 110

Chapter 6. 802.1X Port-Based Network Access Control ... 113
  Extensible Authentication Protocol over LAN ... 114
  EAPoL Authentication Process ... 115
  EAPoL Message Exchange ... 116
  EAPoL Port States ... 117
  Guest VLAN ... 117
  Supported RADIUS Attributes ... 118
  EAPoL Configuration Guidelines ... 120

Chapter 7. Access Control Lists ... 121
  Summary of Packet Classifiers ... 122
  Summary of ACL Actions ... 123
  Assigning Individual ACLs to a Port ... 124
  ACL Order of Precedence ... 124
  ACL Metering and Re-Marking ... 124
    Metering ... 125
    Re-Marking ... 125
  ACL Port Mirroring ... 126
  Viewing ACL Statistics ... 126
  ACL Logging ... 127
    Enabling ACL Logging ... 127
    Logged Information ... 127
    Rate Limiting Behavior ... 128
    Log Interval ... 128
    ACL Logging Limitations ... 128
  ACL Configuration Examples ... 129
    ACL Example 1 ... 129
    ACL Example 2 ... 129
    ACL Example 3 ... 130
    ACL Example 4 ... 130
    ACL Example 5 ... 130
    ACL Example 6 ... 131
  VLAN Maps ... 132
  Management ACLs ... 134
  Using Storm Control Filters ... 135

Chapter 8. Secure Input/Output Module ... 137
  SIOM Overview ... 138
  Setting an SIOM Security Policy ... 139
    Enabling and Disabling the SIOM ... 139
    Using Protocols With SIOM ... 139
      Insecure Protocols ... 139
      Secure Protocols ... 140
      Insecure Protocols Unaffected by SIOM ... 141
  Implementing Secure LDAP (LDAPS) ... 142
    Enabling LDAPS ... 142
    Disabling LDAPS ... 143
    Syslogs and LDAPS ... 144
  Using Cryptographic Mode ... 145

Part 3: Switch Basics ... 147

Chapter 9. VLANs ... 149
  VLANs Overview ... 150
  VLANs and Port VLAN ID Numbers ... 150
    VLAN Numbers ... 150
    PVID/Native VLAN Numbers ... 151
  VLAN Tagging/Trunk Mode ... 152
    Ingress VLAN Tagging ... 155
    Limitations ... 156
  VLAN Topologies and Design Considerations ... 157
    Multiple VLANs with Tagging/Trunk Mode Adapters ... 158
    VLAN Configuration Example ... 161
  Protocol-Based VLANs ... 162
    Port-Based vs. Protocol-Based VLANs ... 162
    PVLAN Priority Levels ... 163
    PVLAN Tagging/Trunk Mode ... 163
    PVLAN Configuration Guidelines ... 163
    Configuring PVLAN ... 164
  Private VLANs ... 165
    Private VLAN Ports ... 165
    Configuration Guidelines ... 166
    Configuration Example ... 166

Chapter 10. Ports and Link Aggregation ... 169
  Configuring QSFP+ Ports ... 170
  Aggregation Overview ... 172
  Static LAGs ... 173
    Static LAG Requirements ... 173
    Static Aggregation Configuration Rules ... 173
    Configuring a Static LAG ... 174
  Link Aggregation Control Protocol ... 176
    Static LACP LAGs ... 177
    LACP Port Modes ... 178
    LACP Individual ... 178
    LACP Minimum Links Option ... 179
    Configuring LACP ... 180
  Configurable LAG Hash Algorithm ... 181

Chapter 11. Spanning Tree Protocols ... 183
  Spanning Tree Protocol Modes ... 184
  Global STP Control ... 185
  PVRST Mode ... 185
    Port States ... 186
    Bridge Protocol Data Units ... 186
      How BPDU Works ... 186
      Determining the Path for Forwarding BPDUs ... 186
    Simple STP Configuration ... 188
    Per-VLAN Spanning Tree Groups ... 190
      Using Multiple STGs to Eliminate False Loops ... 190
      VLANs and STG Assignment ... 191
      Manually Assigning STGs ... 192
      Guidelines for Creating VLANs ... 192
      Rules for VLAN Tagged/Trunk Mode Ports ... 192
      Adding and Removing Ports from STGs ... 193
      The Switch-Centric Model ... 194
    Configuring Multiple STGs ... 195
  Rapid Spanning Tree Protocol ... 197
    Port States ... 197
    RSTP Configuration Guidelines ... 197
    RSTP Configuration Example ... 198
  Multiple Spanning Tree Protocol ... 199
    MSTP Region ... 199
    Common Internal Spanning Tree ... 199
    MSTP Configuration Guidelines ... 200
    MSTP Configuration Examples ... 200
      MSTP Example 1 ... 200
      MSTP Example 2 ... 201
  Port Type and Link Type ... 203
    Edge/Portfast Port ... 203
    Link Type ... 203

Chapter 12. Virtual Link Aggregation Groups ... 205
  VLAG Capacities ... 208
  VLAGs versus Port LAGs ... 208
  Configuring VLAGs ... 210
    Basic VLAG Configuration ... 211
      Configuring the ISL ... 211
      Configuring the VLAG ... 212
      VLAG Configuration - VLANs Mapped to MSTI ... 214
      Configuring Health Check ... 217
    VLAGs with VRRP ... 218
      Task 1: Configure VLAG Peer 1 ... 218
      Task 2: Configure VLAG Peer 2 ... 221
    Two-tier vLAGs with VRRP ... 224
    vLAG Peer Gateway ... 225
    Configuring VLAGs in Multiple Layers ... 225
      Task 1: Configure Layer 2/3 border switches ... 226
      Task 2: Configure switches in the Layer 2 region ... 226
  VLAG with PIM ... 228
    Traffic Forwarding ... 228
    Health Check ... 229

Chapter 13. Quality of Service ... 231
  QoS Overview ... 232
  Using ACL Filters ... 233
    Summary of ACL Actions ... 233
    ACL Metering and Re-Marking ... 234
      Metering ... 234
      Re-Marking ... 234
  Using DSCP Values to Provide QoS ... 235
    Differentiated Services Concepts ... 235
    Per-Hop Behavior ... 237
    QoS Levels ... 238
    DSCP Re-Marking and Mapping ... 238
    DSCP Re-Marking Configuration Examples ... 239
      DSCP Re-Marking Configuration Example 1 ... 239
      DSCP Re-Marking Configuration Example 2 ... 239
  Using 802.1p Priority to Provide QoS ... 241
  Queuing and Scheduling ... 242
  Control Plane Protection ... 242
  WRED with ECN ... 244
    How WRED/ECN Work Together ... 244
    Configuring WRED/ECN ... 245
    WRED/ECN Configuration Example ... 246
      Configure Global Profile for WRED ... 246
      Configure Port-level Profile for WRED ... 246
      Configure Global Profile for ECN ... 247
      Configure Port-level Profile for ECN ... 248
      Verify WRED/ECN ... 248

Chapter 14. Precision Time Protocol ... 251
  Ordinary Clock Mode ... 253
  Transparent Clock Mode ... 253
  Tracing PTP Packets ... 254
  Viewing PTP Information ... 254

Part 4: Advanced Switching Features ... 255

Chapter 15. OpenFlow ... 257
  OpenFlow Overview ... 258
  Switch Profiles ... 259
  OpenFlow Versions ... 260
  OpenFlow Instance ... 261
  Flow Tables ... 262
  Static Flows ... 264
    Port Membership ... 266
    FDB Aging and ECMP with OpenFlow ... 267
    Static Flow Examples ... 267
  Table-Miss ... 270
  Fail Secure Mode ... 271
  Emergency Mode ... 272
  OpenFlow Ports ... 274
    OpenFlow Edge Ports ... 274
    Link Aggregation ... 275
    Data Path ID ... 276
  sFlow Compatibility ... 277
  OpenFlow Groups ... 278
  Configuring OpenFlow ... 279
    Configuration Example 1 - OpenFlow Boot Profile ... 279
    Configuration Example 2 - Default Boot Profile ... 282
  Feature Limitations ... 284

Chapter 16. Deployment Profiles ... 285
  Available Profiles ... 286
  Selecting Profiles ... 287
  Automatic Configuration Changes ... 288
Chapter 17. Virtualization ... 289

Chapter 18. Stacking ... 291
  Stacking Overview ... 292
    Stacking Requirements ... 292
    Stacking Limitations ... 293
  Stack Membership ... 294
    The Master Switch ... 294
      Splitting and Merging One Stack ... 294
      Merging Independent Stacks ... 295
    Backup Switch Selection ... 296
      Master Failover ... 296
      Secondary Backup ... 296
      Master Recovery ... 296
      No Backup ... 297
    Stack Member Identification ... 297
  Configuring a Stack ... 298
    Configuration Overview ... 298
    Best Configuration Practices ... 298
      Stacking VLANs ... 299
    Configuring Each Switch for the Stack ... 299
    Configuring a Management IP Interface ... 301
    Additional Master Configuration ... 302
      Viewing Stack Connections ... 302
      Binding Members to the Stack ... 304
      Assigning a Stack Backup Switch ... 304
  Managing the Stack ... 305
    Accessing the Master Switch CLI ... 305
    Rebooting Stacked Switches via the Master ... 305
    Accessing the Member Switch CLI ... 306
  Upgrading Software in an Existing Stack ... 307
  Replacing or Removing Stacked Switches ... 309
    Removing a Switch from the Stack ... 309
    Installing the New Switch or Healing the Topology ... 309
    Binding the New Switch to the Stack ... 311
    Performing a Rolling Reload or Upgrade ... 311
      Starting a Rolling Reload ... 311
      Starting a Rolling Upgrade ... 312
  Saving Syslog Messages ... 313
  ISCLI Stacking Commands ... 315

Chapter 19. Virtual NICs ... 317
  Defining Server Ports ... 318
  Enabling the vNIC Feature ... 318
  vNIC IDs ... 319
    vNIC IDs on the Switch ... 319
    vNIC Interface Names on the Server ... 319
  vNIC Bandwidth Metering ... 320
  vNIC Uplink Modes ... 321
  LACP LAGs ... 323
  vNIC Groups ... 324
    vNIC Groups in Dedicated Mode ... 325
    vNIC Groups in Shared Mode ... 325
  vNIC Teaming Failover ... 327
  vNIC Configuration Example ... 329
    Basic vNIC Configuration ... 329
    vNICs for iSCSI on Emulex Endeavor 2 ... 332
    vNICs for FCoE on Emulex Virtual Fabric Adapter ... 333

Chapter 20. VMready ... 337
  VE Capacity ... 338
  Defining Server Ports ... 338
  VM Group Types ... 338
  Local VM Groups ... 339
  Distributed VM Groups ... 342
    VM Profiles ... 342
    Initializing a Distributed VM Group ... 343
    Assigning Members ... 343
    Synchronizing the Configuration ... 344
    Removing Member VEs ... 344
  VMcheck ... 345
  Virtual Distributed Switch ... 347
    Prerequisites ... 347
    Guidelines ... 347
    Migrating to vDS ... 348
  Virtualization Management Servers ... 349
    Assigning a vCenter ... 349
    vCenter Scans ... 350
    Deleting the vCenter ... 350
    Exporting Profiles ... 351
    VMware Operational Commands ... 351
  Pre-Provisioning VEs ... 352
  VLAN Maps ... 353
  VM Policy Bandwidth Control ... 354
    VM Policy Bandwidth Control Commands ... 354
    Bandwidth Policies vs. Bandwidth Shaping ... 355
  VMready Information Displays ... 356
    Local VE Information ... 356
    vCenter Hypervisor Hosts ... 357
    vCenter VEs ... 358
    vCenter VE Details ... 359
    vCenter Switchport Mapping Details ... 359
  VMready Configuration Example ... 360

Chapter 21. FCoE and CEE ... 361
  Fibre Channel over Ethernet ... 362
    The FCoE Topology ... 362
    FCoE Requirements ... 363
    Port Aggregation ... 363
  Converged Enhanced Ethernet ... 364
    Turning CEE On or Off ... 364
    Effects on Link Layer Discovery Protocol ... 364
    Effects on 802.1p Quality of Service ... 365
    Effects on Flow Control ... 366
  FCoE Initialization Protocol Snooping ... 367
    Global FIP Snooping Settings ... 367
    FIP Snooping for Specific Ports ... 367
    Port FCF and ENode Detection ... 368
    FCoE Connection Timeout ... 368
    FCoE ACL Rules ... 369
    Optimized FCoE Traffic Flow ... 369
    FCoE VLANs ... 370
    Viewing FIP Snooping Information ... 370
    Operational Commands ... 371
    FIP Snooping Configuration ... 371
  Priority-Based Flow Control ... 373
    Global vs. Port-by-Port Configuration ... 374
    PFC Configuration Example ... 375
  Enhanced Transmission Selection ... 377
    802.1p Priority Values ... 377
    Priority Groups ... 378
      PGID ... 378
      Assigning Priority Values to a Priority Group ... 379
      Deleting a Priority Group ... 379
      Allocating Bandwidth ... 379
    Configuring ETS ... 380
  Data Center Bridging Capability Exchange ... 384
    DCBX Settings ... 384
      Enabling and Disabling DCBX ... 385
      Peer Configuration Negotiation ... 385
    Configuring DCBX ... 386

Chapter 22. Edge Virtual Bridging ... 389
  EVB Operations Overview ... 390
    VSIDB Synchronization ... 390
    VLAN Behavior ... 391
    Deleting a VLAN ... 391
    Manual Reflective Relay ... 391
    VSIDB IPv6 Support ... 392
  EVB Configuration ... 393
  Limitations ... 395
  Unsupported Features ... 395

Chapter 23. Static Multicast ARP ... 397
  Configuring Static Multicast ARP ... 398
    Configuration Example ... 398
  Limitations ... 400
Chapter 24. Dynamic ARP Inspection ... 401
  Understanding ARP Spoofing Attacks ... 401
  Understanding DAI ... 401
  Interface Trust States and Network Security ... 402
  DAI Configuration Guidelines and Restrictions ... 404
    DAI Configuration Example ... 404

Chapter 25. Unified Fabric Port ... 407
  UFP Limitations ... 408
  Virtual Ports Modes ... 409
    vPort-S-Tag Mapping ... 409
    vPort-VLAN Mapping ... 409
    UFP vPort Mode ... 409
    Tunnel Mode ... 409
    802.1Q Trunk Mode ... 410
    Access Mode ... 410
    FCoE Mode ... 411
    Auto-VLAN Mode ... 411
  UFP Bandwidth Provisioning ... 412
    ETS Mode ... 412
    UFP Strict Bandwidth Provisioning Mode ... 414
  Using UFP with Other RackSwitch G8264 Features ... 415
    Layer 2 Failover ... 415
    Increased VLAN Limits ... 415
    Private VLANs ... 415
    VMReady ... 416
    802.1Qbg ... 416
  UFP Configuration Examples ... 417
    Example 1: Access Mode ... 417
    Example 2: Trunk Mode ... 418
    Example 3: Auto-VLAN Mode ... 420
    Example 4: Tunnel Mode ... 420
    Example 5: FCoE Mode ... 421
    Example 6: Layer 2 Failover Configuration ... 422

Part 5: IP Routing ... 425

Chapter 26. Basic IP Routing ... 427
  IP Routing Benefits ... 428
  Routing Between IP Subnets ... 428
  Example of Subnet Routing ... 429
    Using VLANs to Segregate Broadcast Domains ... 430
    Configuration Example ... 430
  ARP Local Proxy ... 433
  ECMP Static Routes ... 434
    OSPF Integration ... 434
    ECMP Route Hashing ... 434
    Configuring ECMP Static Routes ... 435
  Dynamic Host Configuration Protocol ... 436
    DHCP Relay Agent ... 437
Chapter 27. Policy-Based Routing ... 439
  PBR Policies and ACLs ... 440
  Applying PBR ACLs ... 440
  Configuring Route Maps ... 441
    Match Clauses ... 441
    Set Clauses ... 441
    Configuring Health Check ... 443
  Example PBR Configuration ... 444
  Configuring PBR with Other Features ... 445
  Unsupported Features ... 445
  Dynamic PBR (Multi-Tenant) ... 446
    Features and Limitations ... 446
    Example Configuration ... 446

Chapter 28. Routed Ports ... 449
  Overview ... 450
  Configuring a Routed Port ... 452
    Configuring OSPF on Routed Ports ... 452
    OSPF Configuration Example ... 453
    Configuring RIP on Routed Ports ... 453
    RIP Configuration Example ... 453
    Configuring PIM on Routed Ports ... 454
    PIM Configuration Example ... 454
    Configuring BGP on Routed Ports ... 455
    Configuring IGMP on Routed Ports ... 455
  Limitations ... 456

Chapter 29. Internet Protocol Version 6 ... 457
  IPv6 Limitations ... 458
  IPv6 Address Format ... 459
  IPv6 Address Types ... 460
    Unicast Address ... 460
    Multicast ... 460
    Anycast ... 460
  IPv6 Address Autoconfiguration ... 462
  IPv6 Interfaces ... 463
  Neighbor Discovery ... 464
    Neighbor Discovery Overview ... 464
    Host vs. Router ... 465
  Supported Applications ... 466
  Configuration Guidelines ... 467
  IPv6 Configuration Examples ... 468
    IPv6 Example 1 ... 468
    IPv6 Example 2 ... 468

Chapter 30. IPsec with IPv6 ... 471
  IPsec Protocols ... 472
  Using IPsec with the Lenovo RackSwitch G8264 ... 473
    Setting up Authentication ... 473
      Creating an IKEv2 Proposal ... 474
      Importing an IKEv2 Digital Certificate ... 474
      Generating a Certificate Signing Request ... 475
      Generating an IKEv2 Digital Certificate ... 478
      Enabling IKEv2 Preshared Key Authentication ... 478
    Setting Up a Key Policy ... 479
    Using a Manual Key Policy ... 480
    Using a Dynamic Key Policy ... 482

Chapter 31. Routing Information Protocol ... 483
  Distance Vector Protocol ... 484
  Stability ... 484
  Routing Updates ... 484
  RIPv1 ... 485
  RIPv2 ... 485
  RIPv2 in RIPv1 Compatibility Mode ... 485
  RIP Features ... 486
  RIP Configuration Example ... 487

Chapter 32. Internet Group Management Protocol ... 489
  IGMP Terms ... 490
  How IGMP Works ... 491
  IGMP Capacity and Default Values ... 492
  IGMP Snooping ... 494
    IGMP Querier ... 494
    Querier Election ... 494
    IGMP Groups ... 495
    IGMPv3 Snooping ... 495
    IGMP Snooping Configuration Guidelines ... 497
    IGMP Snooping Configuration Example ... 498
    Advanced Configuration Example: IGMP Snooping ... 499
      Prerequisites ... 500
      Configuration ... 500
    Troubleshooting IGMP Snooping ... 504
  IGMP Relay ... 507
    Configuration Guidelines ... 507
    Configure IGMP Relay ... 508
    Advanced Configuration Example: IGMP Relay ... 509
      Prerequisites ... 509
      Configuration ... 510
    Troubleshooting IGMP Relay ... 513
  Additional IGMP Features ... 516
    FastLeave ... 516
    IGMP Filtering ... 516
      Configuring the Range ... 516
      Configuring the Action ... 517
      Configure IGMP Filtering ... 517
    Static Multicast Router ... 517
Chapter 33. Multicast Listener Discovery ... 519
  MLD Terms ... 520
  How MLD Works ... 521
    How Flooding Impacts MLD ... 522
    MLD Querier ... 522
    Querier Election ... 522
    Dynamic Mrouters ... 523
  MLD Capacity and Default Values ... 524
  Configuring MLD ... 525

Chapter 34. Border Gateway Protocol ... 527
  Internal Routing Versus External Routing ... 528
    Route Reflector ... 529
      Configuring Route Reflection ... 531
      Restrictions ... 532
  Forming BGP Peer Routers ... 533
    Static Peers ... 533
    Dynamic Peers ... 534
      Configuring Dynamic Peers ... 534
      Removing Dynamic Peers ... 534
  Loopback Interfaces ... 536
  What is a Route Map? ... 536
    Next Hop Peer IP Address ... 537
    Incoming and Outgoing Route Maps ... 537
    Precedence ... 538
    Configuration Overview ... 538
  Aggregating Routes ... 540
  Redistributing Routes ... 540
  BGP Communities ... 541
  BGP Attributes ... 542
    Local Preference Attribute ... 542
    Metric (Multi-Exit Discriminator) Attribute ... 542
    Next Hop Attribute ... 543
  Selecting Route Paths in BGP ... 544
    Equal Cost Multi-Path ... 544
    Multipath Relax ... 544
  BGP Failover Configuration ... 545
  Default Redistribution and Route Aggregation Example ... 547

Chapter 35. Open Shortest Path First ... 549
  OSPFv2 Overview ... 550
    Types of OSPF Areas ... 550
    Types of OSPF Routing Devices ... 551
    Neighbors and Adjacencies ... 552
    The Link-State Database ... 552
    The Shortest Path First Tree ... 554
    Internal Versus External Routing ... 554
OSPFv2 Implementation in Enterprise NOS ..... 555
Configurable Parameters ..... 555
Defining Areas ..... 556
Assigning the Area Index ..... 556
Using the Area ID to Assign the OSPF Area Number ..... 557
Attaching an Area to a Network ..... 557
Interface Cost ..... 558
Electing the Designated Router and Backup ..... 558
Summarizing Routes ..... 558
Default Routes ..... 559
Virtual Links ..... 559
Router ID ..... 560
Authentication ..... 561
Configuring Plain Text OSPF Passwords ..... 562
Configuring MD5 Authentication ..... 562
Host Routes for Load Balancing ..... 563
Loopback Interfaces in OSPF ..... 564
OSPF Features Not Supported in This Release ..... 564
OSPFv2 Configuration Examples ..... 565
Example 1: Simple OSPF Domain ..... 566
Example 2: Virtual Links ..... 568
Configuring OSPF for a Virtual Link on Switch #1 ..... 568
Configuring OSPF for a Virtual Link on Switch #2 ..... 569
Other Virtual Link Options ..... 571
Example 3: Summarizing Routes ..... 572
Verifying OSPF Configuration ..... 573
OSPFv3 Implementation in Enterprise NOS ..... 574
OSPFv3 Differences from OSPFv2 ..... 574
OSPFv3 Requires IPv6 Interfaces ..... 574
OSPFv3 Uses Independent Command Paths ..... 574
OSPFv3 Identifies Neighbors by Router ID ..... 575
Other Internal Improvements ..... 575
OSPFv3 Limitations ..... 575
OSPFv3 Configuration Example ..... 575
Neighbor Configuration Example ..... 577

Chapter 36. Protocol Independent Multicast ..... 579
PIM Overview ..... 580
Supported PIM Modes and Features ..... 581
Basic PIM Settings ..... 582
Globally Enabling or Disabling the PIM Feature ..... 582
Defining a PIM Network Component ..... 582
Defining an IP Interface for PIM Use ..... 582
PIM Neighbor Filters ..... 583
Additional Sparse Mode Settings ..... 585
Specifying the Rendezvous Point ..... 585
Influencing the Designated Router Selection ..... 585
Specifying a Bootstrap Router ..... 586
Configuring a Loopback Interface ..... 586
Using PIM with Other Features ..... 588
PIM with ACLs or VMAPs ..... 588
PIM with IGMP ..... 588
PIM with VLAG ..... 588
PIM Configuration Examples ..... 589
Example 1: PIM-SM with Dynamic RP ..... 589
Example 2: PIM-SM with Static RP ..... 590
Example 3: PIM-DM ..... 590

Part 6: High Availability Fundamentals ..... 593

Chapter 37. Basic Redundancy ..... 595
Aggregating for Link Redundancy ..... 596
Virtual Link Aggregation ..... 596
Hot Links ..... 597
Forward Delay ..... 597
Preemption ..... 597
FDB Update ..... 597
Configuration Guidelines ..... 597
Configuring Hot Links ..... 598
Stacking for High Availability Topologies ..... 599

Chapter 38. Layer 2 Failover ..... 601
Monitoring LAG Links ..... 602
Setting the Failover Limit ..... 602
Manually Monitoring Port Links ..... 603
Monitor Port State ..... 603
Control Port State ..... 603
L2 Failover with Other Features ..... 604
Static LAGs ..... 604
LACP ..... 604
Spanning Tree Protocol ..... 604
Configuration Guidelines ..... 605
Configuring Layer 2 Failover ..... 605

Chapter 39. Virtual Router Redundancy Protocol ..... 607
VRRP Overview ..... 608
VRRP Components ..... 608
Virtual Router ..... 608
Virtual Router MAC Address ..... 608
Owners and Renters ..... 608
Master and Backup Virtual Router ..... 609
Virtual Interface Router ..... 609
VRRP Operation ..... 609
Selecting the Master VRRP Router ..... 610
Failover Methods ..... 611
Active-Active Redundancy ..... 611
Virtual Router Group ..... 611
Enterprise NOS Extensions to VRRP ..... 612
Virtual Router Deployment Considerations ..... 613
Assigning VRRP Virtual Router ID ..... 613
Configuring the Switch for Tracking ..... 613
VRRP Next Hop Tracking ..... 614
High Availability Configurations ..... 615
VRRP High Availability Using Multiple VIRs ..... 615
Task 1: Configure G8264-1 ..... 616
Task 2: Configure G8264-2 ..... 617
VRRP High Availability Using VLAGs ..... 619

Part 7: Network Management ..... 621

Chapter 40. Link Layer Discovery Protocol ..... 623
LLDP Overview ..... 624
LLDP Stacking Mode ..... 625
Enabling or Disabling LLDP ..... 626
Global LLDP Setting ..... 626
Transmit and Receive Control ..... 626
LLDP Transmit Features ..... 627
Scheduled Interval ..... 627
Minimum Interval ..... 627
Time-to-Live for Transmitted Information ..... 628
Trap Notifications ..... 628
Changing the LLDP Transmit State ..... 629
Types of Information Transmitted ..... 629
LLDP Receive Features ..... 631
Types of Information Received ..... 631
Viewing Remote Device Information ..... 631
Time-to-Live for Received Information ..... 633
LLDP Example Configuration ..... 635

Chapter 41. Simple Network Management Protocol ..... 637
SNMP Version 1 & Version 2 ..... 637
SNMP Version 3 ..... 638
Configuring SNMP Trap Hosts ..... 640
SNMPv2 Trap Host Configuration ..... 641
SNMPv3 Trap Host Configuration ..... 642
SNMP MIBs ..... 643
Switch Images and Configuration Files ..... 651
Loading a New Switch Image ..... 652
Loading a Saved Switch Configuration ..... 652
Saving the Switch Configuration ..... 653
Saving a Switch Dump ..... 653

Chapter 42. Service Location Protocol ..... 655
Active DA Discovery ..... 656
SLP Configuration ..... 657

Chapter 43. NETCONF ..... 659
NETCONF Overview ..... 660
XML Requirements ..... 661
Installing the NETCONF Client ..... 662
Using Juniper Perl Client ..... 664
Establishing a NETCONF Session ..... 665
NETCONF Operations ..... 667
Protocol Operations Examples ..... 668
........................... 668........................... 669 .......................... 671 .......................... 672 .............................. 672............................. 673 .............................. 674 .......................... 675 ........................... 675 ........................ 676 .................... 677
Part 8: Monitoring ..... 681

Chapter 44. Remote Monitoring ..... 683
RMON Overview ..... 684
RMON Group 1: Statistics ..... 685
RMON Group 2: History ..... 686
History MIB Object ID ..... 686
Configuring RMON History ..... 686
RMON Group 3: Alarms ..... 687
Alarm MIB Objects ..... 687
Configuring RMON Alarms ..... 687
RMON Group 9: Events ..... 689

Chapter 45. sFlow ..... 691
sFlow Statistical Counters ..... 691
sFlow Network Sampling ..... 691
sFlow Example Configuration ..... 692

Chapter 46. Port Mirroring ..... 693
Port Mirroring Model ..... 694
Configuring Port Mirroring ..... 695

Part 9: Appendices ..... 697

Appendix A. Getting help and technical assistance ..... 699

Appendix B. Notices ..... 701
Trademarks ..... 703
Important Notes ..... 704
Recycling Information ..... 705
Particulate Contamination ..... 706
Telecommunication Regulatory Statement ..... 707
Electronic Emission Notices ..... 708
Federal Communications Commission (FCC) Statement ..... 708
Industry Canada Class A Emission Compliance Statement ..... 708
Avis de Conformité à la Réglementation d'Industrie Canada ..... 708
Australia and New Zealand Class A Statement ..... 708
European Union Compliance to the Electromagnetic Compatibility Directive ..... 708
Germany Class A Compliance Statement ..... 709
Japan VCCI Class A Statement ..... 710
Japan Electronics and Information Technology Industries Association (JEITA) Statement ..... 710
Korea Communications Commission (KCC) Statement ..... 711
Russia Electromagnetic Interference (EMI) Class A Statement ..... 712
People's Republic of China Class A Electronic Emission Statement ..... 713
Taiwan Class A Compliance Statement ..... 714
Preface

This Application Guide describes how to configure and use the Lenovo Enterprise Network Operating System 8.4 software on the Lenovo RackSwitch G8264 (referred to as G8264 throughout this document). For documentation on installing the switch physically, see the Installation Guide for your G8264.
Who Should Use This Guide

This guide is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, Spanning Tree Protocol, and SNMP configuration parameters.
What You'll Find in This Guide

This guide will help you plan, implement, and administer Enterprise NOS software. Where possible, each section provides feature overviews, usage examples, and configuration instructions. The following material is included:
Part 1: Getting Started
This material is intended to help those new to ENOS products with the basics of switch management. This part includes the following chapters:

Chapter 1, Switch Administration, describes how to access the G8264 to configure the switch and view switch information and statistics. This chapter discusses a variety of manual administration interfaces, including local management via the switch console, and remote administration via Telnet, a web browser, or via SNMP.

Chapter 2, Initial Setup, describes how to use the built-in Setup utility to perform first-time configuration of the switch.

Chapter 3, Switch Software Management, describes how to update the ENOS software operating on the switch.
Part 2: Securing the Switch
Chapter 4, Securing Administration, describes methods for using Secure Shell for administration connections, and for configuring end-user access control.

Chapter 5, Authentication & Authorization Protocols, describes the protocols available for authenticating and authorizing remote administrators: Remote Authentication Dial-in User Service (RADIUS), TACACS+, and LDAP.

Chapter 6, 802.1X Port-Based Network Access Control, describes how to authenticate devices attached to a LAN port that has point-to-point connection characteristics. This feature prevents access through ports that fail authentication and authorization and provides security to ports of the G8264 that connect to blade servers.

Chapter 7, Access Control Lists, describes how to use filters to permit or deny specific types of traffic, based on a variety of source, destination, and packet attributes.

Chapter 8, Secure Input/Output Module, describes which protocols can be enabled. This feature allows secured traffic and secured authentication management.
Part 3: Switch Basics
Chapter 9, VLANs, describes how to configure Virtual Local Area Networks (VLANs) for creating separate network segments, including how to use VLAN tagging for devices that use multiple VLANs. This chapter also describes Protocol-based VLANs, and Private VLANs.

Chapter 10, Ports and Link Aggregation, describes how to group multiple physical ports together to aggregate the bandwidth between large-scale network devices.
Chapter 11, Spanning Tree Protocols, discusses how Spanning Tree Protocol (STP) configures the network so that the switch selects the most efficient path when multiple paths exist. Covers Rapid Spanning Tree Protocol (RSTP), Per-VLAN Rapid Spanning Tree (PVRST), and Multiple Spanning Tree Protocol (MSTP).

Chapter 12, Virtual Link Aggregation Groups, describes using Virtual Link Aggregation Groups (VLAGs) to form LAGs spanning multiple VLAG-capable aggregator switches.

Chapter 13, Quality of Service, discusses Quality of Service (QoS) features, including IP filtering using Access Control Lists (ACLs), Differentiated Services, and IEEE 802.1p priority values.

Chapter 14, Precision Time Protocol, describes the configuration of PTP for clock synchronization.
Part 4: Advanced Switching Features
Chapter 15, OpenFlow, describes how to create an OpenFlow Switch instance on the RackSwitch G8264.

Chapter 16, Deployment Profiles, describes how the G8264 can operate in different modes for different deployment scenarios, adjusting switch capacity levels to optimize performance for different types of networks.

Chapter 17, Virtualization, provides an overview of allocating resources based on the logical needs of the data center, rather than on the strict, physical nature of components.

Chapter 18, Stacking, describes how to combine multiple switches into a single, aggregate switch entity.

Chapter 19, Virtual NICs, discusses using virtual NIC (vNIC) technology to divide NICs into multiple logical, independent instances.

Chapter 20, VMready, discusses virtual machine (VM) support on the G8264.

Chapter 21, FCoE and CEE, discusses using various Converged Enhanced Ethernet (CEE) features such as Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), and FIP Snooping for solutions such as Fibre Channel over Ethernet (FCoE).

Chapter 22, Edge Virtual Bridging (EVB), discusses the IEEE 802.1Qbg standards-based protocol that defines how virtual Ethernet bridges exchange configuration information. EVB bridges the gap between physical and virtual network resources, thus simplifying network management.

Chapter 23, Static Multicast ARP, discusses the configuration of a static ARP entry with a multicast MAC address, which Microsoft's Network Load Balancing (NLB) feature needs in order to function efficiently.

Chapter 24, Dynamic ARP Inspection, discusses this security feature that lets a switch intercept and examine all ARP request and response packets in a subnet, discarding those packets with invalid IP-to-MAC address bindings. This capability protects the network from ARP-spoofing man-in-the-middle attacks.

Chapter 25, Unified Fabric Port, describes how UFP logically subdivides a high-speed physical link connecting to a server NIC. UFP provides a switch fabric component to control the NIC.
Part 5: IP Routing
Chapter 26, Basic IP Routing, describes how to configure the G8264 for IP routing using IP subnets, BOOTP, and DHCP Relay.

Chapter 27, Policy-Based Routing, describes how to configure the G8264 to forward traffic based on defined policies rather than entries in the routing table.

Chapter 28, Routed Ports, describes how to configure a switch port to forward Layer 3 traffic.

Chapter 29, Internet Protocol Version 6, describes how to configure the G8264 for IPv6 host management.

Chapter 30, IPsec with IPv6, describes how to configure Internet Protocol Security (IPsec) for securing IP communications by authenticating and encrypting IP packets, with emphasis on Internet Key Exchange version 2, and authentication/confidentiality for OSPFv3.

Chapter 31, Routing Information Protocol, describes how the ENOS software implements standard Routing Information Protocol (RIP) for exchanging TCP/IP route information with other routers.

Chapter 32, Internet Group Management Protocol, describes how the ENOS software implements IGMP Snooping or IGMP Relay to conserve bandwidth in a multicast switching environment.

Chapter 33, Multicast Listener Discovery, describes how Multicast Listener Discovery (MLD) is used with IPv6 to support hosts' requests for multicast data for a multicast group.

Chapter 34, Border Gateway Protocol, describes Border Gateway Protocol (BGP) concepts and features supported in ENOS.

Chapter 35, Open Shortest Path First, describes key Open Shortest Path First (OSPF) concepts and their implementation in ENOS, and provides examples of how to configure your switch for OSPF support.

Chapter 36, Protocol Independent Multicast, describes how multicast routing can be efficiently accomplished using the Protocol Independent Multicast (PIM) feature.
Part 6: High Availability Fundamentals
Chapter 37, Basic Redundancy, describes how the G8264 supports redundancy through stacking, LAGs, and hot links.

Chapter 38, Layer 2 Failover, describes how the G8264 supports high-availability network topologies using Layer 2 Failover.

Chapter 39, Virtual Router Redundancy Protocol, describes how the G8264 supports high-availability network topologies using Virtual Router Redundancy Protocol (VRRP).
Part 7: Network Management
Chapter 40, Link Layer Discovery Protocol, describes how Link Layer Discovery Protocol helps neighboring network devices learn about each other's ports and capabilities.

Chapter 41, Simple Network Management Protocol, describes how to configure the switch for management through an SNMP client.

Chapter 42, Service Location Protocol, describes the Service Location Protocol (SLP) that allows the switch to provide dynamic directory services.

Chapter 43, NETCONF, describes how to manage the G8264 using Network Configuration Protocol (NETCONF), a mechanism based on the Extensible Markup Language (XML).
Part 8: Monitoring
Chapter 44, Remote Monitoring, describes how to configure the RMON agent on the switch, so that the switch can exchange network monitoring data.

Chapter 45, sFlow, describes how to use the embedded sFlow agent for sampling network traffic and providing continuous monitoring information to a central sFlow analyzer.

Chapter 46, Port Mirroring, discusses tools to copy selected port traffic to a monitor port for network analysis.
Part 9: Appendices
Appendix A, Getting help and technical assistance, provides details on where to go for additional information about Lenovo and Lenovo products.

Appendix B, Notices, contains safety and environmental notices.
Additional References

Additional information about installing and configuring the G8264 is available in the following guides:

Lenovo RackSwitch G8264 Installation Guide

Lenovo RackSwitch G8264 ISCLI Command Reference for Lenovo Enterprise Network Operating System 8.4

Lenovo RackSwitch G8264 Release Notes for Lenovo Enterprise Network Operating System 8.4
Typographic Conventions

The following table describes the typographic styles used in this book.

Table 1. Typographic Conventions

ABC123 (monospace)
  Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
  Example: View the readme.txt file.
           Main#

ABC123 (bold)
  Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
  Example: Main# sys

<ABC123> (italic, in angle brackets)
  Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets.
  Example: To establish a Telnet session, enter: host# telnet <IP address>

ABC123 (italic)
  Meaning: This also shows book titles, special terms, or words to be emphasized.
  Example: Read your User's Guide thoroughly.

[ ]
  Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
  Example: host# ls [-a]

|
  Meaning: The vertical bar ( | ) is used in command examples to separate choices where multiple options exist. Select only one of the listed options. Do not type the vertical bar.
  Example: host# set left|right

AaBbCc123
  Meaning: This block type depicts menus, buttons, and other controls that appear in Web browsers and other graphical interfaces.
  Example: Click the Save button.
Part 1: Getting Started
Chapter 1. Switch Administration

Your RackSwitch G8264 (G8264) is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively.

The extensive Lenovo Enterprise Network Operating System switching software included in the G8264 provides a variety of options for accessing the switch to perform configuration, and to view switch information and statistics.

This chapter discusses the various methods that can be used to administer the switch.
Administration Interfaces

Enterprise NOS provides a variety of user interfaces for administration. These interfaces vary in character and in the methods used to access them: some are text-based, and some are graphical; some are available by default, and some require configuration; some can be accessed by local connection to the switch, and others are accessed remotely using various client applications. For example, administration can be performed using any of the following:

A built-in, text-based command-line interface and menu system for access via serial-port connection or an optional Telnet or SSH session

The built-in Browser-Based Interface (BBI) available using a standard web browser

SNMP support for access through network management software such as IBM Director or HP OpenView

The specific interface chosen for an administrative session depends on user preferences, as well as the switch configuration and the available client tools.

In all cases, administration requires that the switch hardware is properly installed and turned on (see the Lenovo RackSwitch G8264 Installation Guide).

Command Line Interface

The Industry Standard Command Line Interface (ISCLI) provides a simple, direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance.

You can establish a connection to the ISCLI in any of the following ways:

Serial connection via the serial port on the G8264 (this option is always available)

Telnet connection over the network

SSH connection over the network
Establishing a Connection

The factory default settings permit initial switch administration through only the built-in serial port. All other forms of access require additional switch configuration before they can be used.

Remote access using the network requires the accessing terminal to have a valid, routable connection to the switch interface. The client IP address may be configured manually, or an IPv4 address can be provided automatically through the switch using a service such as DHCP or BOOTP relay (see BOOTP/DHCP Client IP Address Services on page 44), or an IPv6 address can be obtained using IPv6 stateless address configuration.

Note: Throughout this manual, IP address is used in places where either an IPv4 or IPv6 address is allowed. IPv4 addresses are entered in dotted-decimal notation (for example, 10.10.10.1), while IPv6 addresses are entered in hexadecimal notation (for example, 2001:db8:85a3::8a2e:370:7334). In places where only one type of address is allowed, IPv4 address or IPv6 address is specified.
Using the Switch Management Ports

To manage the switch through the management ports, you must configure an IP interface for each management interface. Configure the IPv4 address/mask and default gateway address:

1. Log on to the switch.

2. Enter Global Configuration mode.

RS G8264> enable
RS G8264# configure terminal

3. Configure a management IP address and mask:

RS G8264(config)# interface ip 128
RS G8264(config-ip-if)# ip address <management IPv4 address>
RS G8264(config-ip-if)# ip netmask <IPv4 subnet mask>
RS G8264(config-ip-if)# enable
RS G8264(config-ip-if)# exit

4. Configure the appropriate default gateway.

RS G8264(config)# ip gateway 4 address <default gateway IPv4 address>
RS G8264(config)# ip gateway 4 enable

IP gateway 4 is required for IF 128.

Once you configure a management IP address for your switch, you can connect to a management port and use the Telnet program from an external management station to access and control the switch. The management port provides out-of-band management.
Using the Switch Data Ports

You also can configure in-band management through any of the switch data ports. To allow in-band management, use the following procedure:

1. Log on to the switch.

2. Enter IP interface mode.

RS G8264> enable
RS G8264# configure terminal
RS G8264(config)# interface ip <IP interface number>

Note: Interface 128 is reserved for out-of-band management (see Using the Switch Management Ports on page 35).

3. Configure the management IP interface/mask.

IPv4:

RS G8264(config-ip-if)# ip address <management IPv4 address>
RS G8264(config-ip-if)# ip netmask <IPv4 subnet mask>

IPv6:

RS G8264(config-ip-if)# ipv6 address <management IPv6 address>
RS G8264(config-ip-if)# ipv6 prefixlen <IPv6 prefix length>

4. Configure the VLAN, and enable the interface.

RS G8264(config-ip-if)# vlan 1
RS G8264(config-ip-if)# enable
RS G8264(config-ip-if)# exit

5. Configure the default gateway.

IPv4:

RS G8264(config)# ip gateway <gateway number> address <default gateway IPv4 address>
RS G8264(config)# ip gateway <gateway number> enable

IPv6:

RS G8264(config)# ip gateway6 <gateway number> address <default gateway IPv6 address>
RS G8264(config)# ip gateway6 <gateway number> enable

Note: Gateway 1, 2, and 3 are used for in-band data networks. Gateway 4 is reserved for the out-of-band management port (see Using the Switch Management Ports on page 35).

Once you configure the IP address and have a network connection, you can use the Telnet program from an external management station to access and control the switch. Once the default gateway is enabled, the management station and your switch do not need to be on the same IP subnet.
The G8264 supports an industry standard command line interface (ISCLI) that you can use to configure and control the switch over the network using the Telnet program. You can use the ISCLI to perform many basic network management functions. In addition, you can configure the switch for management using an SNMP-based network management system or a Web browser.

For more information, see the documents listed in Additional References on page 29.
Using Telnet

A Telnet connection offers the convenience of accessing the switch from a workstation connected to the network. Telnet access provides the same options for user and administrator access as those available through the console port.

By default, Telnet access is enabled. Use the following commands to disable or re-enable Telnet access:

RS G8264(config)# [no] access telnet enable

Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network.

To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the following Telnet command:

telnet <switch IP address>

You will then be prompted to enter a password as explained in Switch Login Levels on page 52.

Two attempts are allowed to log in to the switch. After the second unsuccessful attempt, the Telnet client is disconnected via TCP session closure.

Telnet carries the login password and the whole session in cleartext, so anyone able to capture traffic on the management network can read it. Once SSH access (described next) is working, disable Telnet with no access telnet enable.

Using Secure Shell

Although a remote network administrator can manage the configuration of a G8264 via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log in to another device over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure.
The switch can do only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be able to log in if the switch is doing key generation at that time. Similarly, the system will fail to do the key generation if an SSH/SCP client is logging in at that time.

The supported SSH encryption and authentication methods are:

Server Host Authentication: Client RSA authenticates the switch when starting each connection

Key Exchange: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-nistp224, ecdh-sha2-nistp192, rsa2048-sha256, rsa1024-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

Encryption: aes128-ctr, aes128-cbc, rijndael128-cbc, blowfish-cbc, 3des-cbc, arcfour256, arcfour128, arcfour

MAC: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96

User Authentication: Local password authentication, public key authentication, RADIUS, TACACS+

Several of the advertised algorithms are considered weak today and are disabled by default in current OpenSSH releases: diffie-hellman-group1-sha1 (a 1024-bit group), rsa1024-sha1, the other SHA-1 key-exchange variants, the arcfour (RC4), blowfish-cbc, 3des-cbc and other CBC ciphers, and the hmac-md5 and truncated -96 MACs. Configure clients to prefer an ECDH exchange on nistp256 or larger (or diffie-hellman-group-exchange-sha256), aes128-ctr, and hmac-sha1 from the lists above. Because the switch's RSA host key is what the client uses to authenticate the switch, obtain its fingerprint over a trusted path (for example, the serial console) before the first network login and compare it with what the client displays.

Lenovo Enterprise Network Operating System implements the SSH version 2.0 standard and is confirmed to work with SSH version 2.0-compliant clients such as the following:

OpenSSH_5.4p1 for Linux

SecureCRT Version 5.0.2 (build 1021)

PuTTY SSH release 0.60
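As an added example (not part of the guide and not Lenovo code), the following Python script takes the three algorithm lists above, separates the ones current practice treats as weak from the ones worth keeping, and emits the ssh(1) -o options that pin a client to the acceptable subset. The weak/strong classification rules are the editor's assumption, not something the guide states; the algorithm names themselves are exactly those listed for the switch.

```python
"""Audit the SSH algorithm set the G8264 advertises and build a client allow-list.

Added example for this guide, not Lenovo code.  SWITCH_KEX, SWITCH_CIPHERS
and SWITCH_MACS are copied from the "supported SSH encryption and
authentication methods" in this chapter.  The weak/strong split below is an
editorial assumption based on current OpenSSH defaults: SHA-1 based key
exchange, 1024-bit groups or RSA exchange keys, NIST curves below P-256,
RC4 (arcfour), Blowfish, 3DES and every CBC cipher, and MD5 or truncated
(-96) MACs are all disabled by default in current OpenSSH releases.
"""

SWITCH_KEX = [
    "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp224", "ecdh-sha2-nistp192", "rsa2048-sha256",
    "rsa1024-sha1", "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
SWITCH_CIPHERS = [
    "aes128-ctr", "aes128-cbc", "rijndael128-cbc", "blowfish-cbc",
    "3des-cbc", "arcfour256", "arcfour128", "arcfour",
]
SWITCH_MACS = ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"]


def is_weak_kex(name: str) -> bool:
    """SHA-1 exchanges, 1024-bit group/RSA exchanges and sub-P-256 curves."""
    return (
        name.endswith("-sha1")
        or "group1-" in name
        or name.startswith("rsa1024")
        or name.endswith(("nistp224", "nistp192"))
    )


def is_weak_cipher(name: str) -> bool:
    """RC4, any CBC mode, 3DES and Blowfish are out; only aes128-ctr survives."""
    return any(tag in name for tag in ("arcfour", "cbc", "3des", "blowfish"))


def is_weak_mac(name: str) -> bool:
    """MD5 in any form and the truncated 96-bit tags are out."""
    return "md5" in name or name.endswith("-96")


def split(names, is_weak):
    """Partition a list, preserving the switch's preference order."""
    return [n for n in names if not is_weak(n)], [n for n in names if is_weak(n)]


def audit() -> dict:
    """Classify every algorithm the switch advertises."""
    kex_ok, kex_bad = split(SWITCH_KEX, is_weak_kex)
    cipher_ok, cipher_bad = split(SWITCH_CIPHERS, is_weak_cipher)
    mac_ok, mac_bad = split(SWITCH_MACS, is_weak_mac)
    return {
        "strong_kex": kex_ok, "weak_kex": kex_bad,
        "strong_ciphers": cipher_ok, "weak_ciphers": cipher_bad,
        "strong_macs": mac_ok, "weak_macs": mac_bad,
    }


def ssh_options(report: dict = None) -> list:
    """ssh(1) arguments that restrict the client to the acceptable subset.
    KexAlgorithms, Ciphers and MACs are standard OpenSSH client options."""
    report = report or audit()
    return [
        "-o", "KexAlgorithms=" + ",".join(report["strong_kex"]),
        "-o", "Ciphers=" + ",".join(report["strong_ciphers"]),
        "-o", "MACs=" + ",".join(report["strong_macs"]),
    ]


if __name__ == "__main__":
    report = audit()
    for key, names in report.items():
        print("%-15s %s" % (key + ":", ", ".join(names)))
    # Prepend to e.g. "ssh admin@<switch IP address>" (placeholder address).
    print("ssh " + " ".join(ssh_options(report)) + " admin@<switch IP address>")
```

Note that the only cipher that survives is aes128-ctr and the only MAC is hmac-sha1, so a client pinned this way will still connect; a client that refuses hmac-sha1 entirely (some hardened configurations do) will not be able to reach this firmware at all, which is worth knowing before rolling such a policy out to the management hosts.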
Using SSH with Password Authentication

By default, the SSH feature is disabled. Once the IP parameters are configured and the SSH service is enabled, you can access the command line interface using an SSH connection.

To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IPv4 or IPv6 address:

# ssh <switch IP address>

You will then be prompted to enter a password as explained in Switch Login Levels on page 52.
Using SSH with Public Key Authentication

SSH can also be used for switch authentication based on asymmetric cryptography. Public keys can be uploaded to the switch and used to authenticate incoming login attempts that are signed with the client's corresponding private key. After a predefined number of failed public key login attempts, the switch reverts to password-based authentication.

To set up public key authentication:

1. Enable SSH:

RS G8264(config)# ssh enable

2. Import the public key file using SFTP or TFTP for the admin user account:

RS G8264(config)# copy {sftp|tftp} public-key
Port type ["DATA"/"MGT"]: mgt
Address or name of remote host: 9.43.101.151
Source file name: 11.key
Username of the public key: admin
Confirm download operation (y/n)? y

Notes:

When prompted to input a username, a valid user account name must be entered. If no username is entered, the key is stored on the switch, and can be assigned to a user account later.

A user account can have up to 100 public keys set up on the switch.

Prefer SFTP over TFTP for the import. TFTP is unauthenticated and unencrypted, so a key file fetched over it can be replaced in transit, and whoever holds the matching private key then logs in as the named account. Whichever transport you use, compare the fingerprint of the key the switch stored with the fingerprint of the key you generated before relying on it.

3. Configure a maximum number of 3 failed public key authentication attempts before the system reverts to password-based authentication:

RS G8264(config)# ssh maxauthattempts 3

Because the switch falls back to password authentication after the configured number of failures, enabling public keys does not remove the account password from the attack surface; keep a strong password on every account that has keys.

Once the public key is configured on the switch, the client can use SSH to log in from a system where the private key pair is set up:

# ssh <switch IP address>
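The following Python script is an added example (not from the guide and not Lenovo code) of the fingerprint comparison recommended above: it parses an OpenSSH public-key line of the kind you would upload with copy {sftp|tftp} public-key, checks that the base64 blob is internally consistent with the declared key type, computes the SHA-256 and MD5 fingerprints in the formats ssh-keygen -l prints, and reports whether the key the switch holds is the one you generated. The sample key is constructed from a fixed 32-byte string so the script runs offline; it is not a real key pair, and the comment text is made up.

```python
"""Verify an OpenSSH public-key line before and after copying it to a switch.

Added example for this guide, not Lenovo code.  The key imported with
'copy {sftp|tftp} public-key' gets no integrity protection over TFTP, so the
fingerprint of the key you generated should be compared with the fingerprint
of the key the switch actually stored.  make_sample_ed25519_key() builds a
CONSTRUCTED key line from a fixed 32-byte string for offline testing; it is
not a usable key pair.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (big-endian uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH wire string at offset; returns (value, next_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:end], end


def make_sample_ed25519_key(point: bytes, comment: str = "admin@mgmt-host") -> str:
    """Build an authorized_keys-style line for an ed25519 key whose 32-byte
    public point is 'point'.  Constructed test data only."""
    if len(point) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(point)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def parse_pubkey_line(line: str):
    """Split '<type> <base64> [comment]' into (type, raw blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # raises on malformed base64
    return keytype, blob, comment


def blob_is_consistent(keytype: str, blob: bytes) -> bool:
    """The type string embedded in the blob must match the declared type; an
    ed25519 blob must hold exactly one 32-byte point and nothing else."""
    try:
        inner, off = _read_ssh_string(blob, 0)
        if inner != keytype.encode():
            return False
        if keytype == "ssh-ed25519":
            point, off = _read_ssh_string(blob, off)
            return len(point) == 32 and off == len(blob)
        return True
    except ValueError:
        return False


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH default format: SHA256:<base64 digest without '=' padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated format (ssh-keygen -l -E md5)."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def key_matches(expected_line: str, stored_line: str) -> bool:
    """True only if the stored key is well formed, has the same type, and its
    SHA-256 fingerprint equals that of the key generated locally."""
    try:
        t1, b1, _ = parse_pubkey_line(expected_line)
        t2, b2, _ = parse_pubkey_line(stored_line)
    except ValueError:
        return False
    if not (blob_is_consistent(t1, b1) and blob_is_consistent(t2, b2)):
        return False
    return t1 == t2 and fingerprint_sha256(b1) == fingerprint_sha256(b2)


if __name__ == "__main__":
    generated = make_sample_ed25519_key(b"\x01" * 32)           # what you made
    substituted = make_sample_ed25519_key(b"\x02" * 32, "x")    # swapped in transit
    _, blob, _ = parse_pubkey_line(generated)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
    print("stored key matches:", key_matches(generated, generated))
    print("swapped key matches:", key_matches(generated, substituted))
```

In practice, run ssh-keygen -lf on the file you generated to get the same SHA256 value, then feed the key line read back from the switch into key_matches() (or compare the fingerprints by eye); a mismatch after a TFTP import means the file was altered or the wrong file was fetched.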
Using a Web Browser

The switch provides a Browser-Based Interface (BBI) for accessing the common configuration, management, and operation features of the G8264 through your Web browser.

By default, BBI access via HTTP is enabled on the switch.

You can also access the BBI directly from an open Web browser window. Enter the URL using the IP address of the switch interface (for example, http://<switch IP address>).

Configuring HTTP Access to the BBI

By default, BBI access via HTTP is enabled on the switch.

To disable or re-enable HTTP access to the switch BBI, use the following commands:

RS G8264(config)# access http enable        (Enable HTTP access)
or
RS G8264(config)# no access http enable     (Disable HTTP access)

The default HTTP web server port to access the BBI is port 80. However, you can change the default Web server port with the following command:

RS G8264(config)# access http port <TCP port number>

To access the BBI from a workstation, open a Web browser window and type in the URL using the IP address of the switch interface (for example, http://<switch IP address>).

Plain HTTP exposes the BBI login credentials and every configuration change to anyone on the network path. Once HTTPS access (next section) is working, disable HTTP with no access http enable.

Configuring HTTPS Access to the BBI

The BBI can also be accessed via a secure HTTPS connection over management and data ports.

1. Enable HTTPS.

By default, BBI access is enabled via both HTTP and HTTPS on the switch. If HTTPS access has been disabled, use the following command to enable BBI access via HTTPS:

RS G8264(config)# access https enable

2. Set the HTTPS server port number (optional).

To change the HTTPS Web server port number from the default port 443, use the following command:

RS G8264(config)# access https port <TCP port number>

3. Generate the HTTPS certificate.

Accessing the BBI via HTTPS requires that you generate a certificate to be used during the key exchange. A default certificate is created the first time HTTPS is enabled, but you can create a new certificate defining the information you want to be used in the various fields.

RS G8264(config)# access https generate-certificate
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Santa Clara]:
Organization Name (eg, company) [Lenovo Networking Operating System]:
Organizational Unit Name (eg, section) [Network Engineering]:
Common Name (eg, YOUR name) [0.0.0.0]:
Email (eg, email address) []:
Confirm generating certificate? [y/n]: y
Generating certificate. Please wait (approx 30 seconds)
restarting SSL agent

4. Save the HTTPS certificate.

The certificate is valid only until the switch is rebooted. To save the certificate so it is retained beyond reboot or power cycles, use the following command:

RS G8264(config)# access https save-certificate

When a client (such as a web browser) connects to the switch, the client is asked to accept the certificate and verify that the fields match what is expected. Once BBI access is granted to the client, the BBI can be used.

The certificate the switch generates is self-signed, so the browser warning is expected and the operator's check is the only protection against an impostor presenting its own self-signed certificate. Set the Common Name to the switch's management address or DNS name rather than leaving the 0.0.0.0 default, and have administrators compare the certificate fields and fingerprint against a copy recorded over a trusted path before accepting it; an unexpected change after the certificate has been saved should be treated as suspicious rather than clicked through.

Browser-Based Interface Summary

The BBI is organized at a high level as follows:

Context buttons: These buttons allow you to select the type of action you wish to perform. The Configuration button provides access to the configuration elements for the entire switch. The Statistics button provides access to the switch statistics and state information. The Dashboard button allows you to display the settings and operating status of a variety of switch features.

Navigation Window: Provides a menu of switch features and functions:

System: Provides access to the configuration elements for the entire switch.

Switch Ports: Configure each of the physical ports on the switch.

Port-Based Port Mirroring: Configure port mirroring behavior.

Layer 2: Configure Layer 2 features for the switch.

RMON Menu: Configure Remote Monitoring features for the switch.

Layer 3: Configure Layer 3 features for the switch.

QoS: Configure Quality of Service features for the switch.

Access Control: Configure Access Control Lists to filter IP packets.

CEE: Configure Converged Enhanced Ethernet (CEE).

FCoE: Configure Fibre Channel over Ethernet (FCoE).

Virtualization: Configure vNICs and VMready for virtual machines (VMs).

DOVE Gateway: Configure Distributed Overlay Virtual Ethernet.
Copyright Lenovo 2016 Chapter 1: Switch Administration 43
Using Simple Network Management Protocol

ENOS provides Simple Network Management Protocol (SNMP) version 1, version 2, and version 3 support for access through any network management software, such as IBM Director or HP OpenView.

Note: SNMP read and write functions are enabled by default. For best security practices, if SNMP is not needed for your network, it is recommended that you disable these functions prior to connecting the switch to the network.

To access the SNMP agent on the G8264, the read and write community strings on the SNMP manager must be configured to match those on the switch. The default read community string on the switch is public and the default write community string is private.

The read and write community strings on the switch can be configured using the following commands:

RS G8264(config)# snmp-server read-community <string>
and
RS G8264(config)# snmp-server write-community <string>

The SNMP manager must be able to reach any one of the IP interfaces on the switch.

For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following commands:

RS G8264(config)# snmp-server trap-source <interface>
RS G8264(config)# snmp-server host <IP address> <community string>

To restrict SNMP access to specific IPv4 subnets, use the following commands:

RS G8264(config)# access management-network <IPv4 address> <mask> snmp-ro
and
RS G8264(config)# access management-network <IPv4 address> <mask> snmp-rw

For IPv6 networks, use:

RS G8264(config)# access management-network6 <IPv6 address> <prefix length> snmp-ro
and
RS G8264(config)# access management-network6 <IPv6 address> <prefix length> snmp-rw

Note: Subnets allowed for SNMP read-only access must not overlap with subnets allowed for SNMP read-write access.

For more information on SNMP usage and configuration, see Chapter 41, "Simple Network Management Protocol."
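As an added example (not Lenovo's code), the following pre-flight check applies the two points above to a planned SNMP configuration: read-only and read-write management networks must not overlap, and the default community strings should not be left in place. The input format (address, mask-or-prefix tuples and the two community strings) is an assumption made for this example.

```python
import ipaddress

# ENOS ships with these community strings, as stated in the guide.
DEFAULT_COMMUNITIES = {"public", "private"}


def to_network(address, mask):
    """Build a network object from the <address> <mask-or-prefix> pair that an
    'access management-network' command takes. A dotted IPv4 mask and an
    integer prefix length (IPv4 or IPv6) are both accepted."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def overlapping_entries(ro_entries, rw_entries):
    """Return every (read-only, read-write) subnet pair that overlaps.
    Networks of different address families can never overlap and are skipped."""
    clashes = []
    for ro in (to_network(a, m) for a, m in ro_entries):
        for rw in (to_network(a, m) for a, m in rw_entries):
            if ro.version == rw.version and ro.overlaps(rw):
                clashes.append((str(ro), str(rw)))
    return clashes


def weak_communities(read_community, write_community):
    """List the reasons a community-string pair should not go live."""
    problems = []
    for role, value in (("read", read_community), ("write", write_community)):
        if value in DEFAULT_COMMUNITIES:
            problems.append(f"{role} community is the ENOS default '{value}'")
    if read_community == write_community:
        problems.append("read and write communities are identical")
    return problems


def review_snmp_plan(ro_entries, rw_entries, read_community, write_community):
    """Collect every finding; an empty list means the plan is consistent."""
    findings = [f"read-only {ro} overlaps read-write {rw}"
                for ro, rw in overlapping_entries(ro_entries, rw_entries)]
    findings.extend(weak_communities(read_community, write_community))
    return findings


if __name__ == "__main__":
    # Constructed sample: a read-write host that sits inside the read-only range,
    # plus the factory community strings.
    for line in review_snmp_plan(
            ro_entries=[("10.241.13.0", "255.255.255.128"), ("2001:db8:1::", 64)],
            rw_entries=[("10.241.13.32", "255.255.255.255")],
            read_community="public", write_community="private"):
        print("finding:", line)
```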
BOOTP/DHCP Client IP Address Services

For remote switch administration, the client terminal device must have a valid IP address on the same network as a switch interface. The IP address on the client device may be configured manually, or obtained automatically using IPv6 stateless address configuration, or an IPv4 address may be obtained automatically via BOOTP or DHCP relay as discussed in the next section.

The G8264 can function as a relay agent for Bootstrap Protocol (BOOTP) or DHCP. This allows clients to be assigned an IPv4 address for a finite lease period, reassigning freed addresses later to other clients.

Acting as a relay agent, the switch can forward a client's IPv4 address request to up to five BOOTP/DHCP servers. In addition to the five global BOOTP/DHCP servers, up to five domain-specific BOOTP/DHCP servers can be configured for each of up to 10 VLANs.

When a switch receives a BOOTP/DHCP request from a client seeking an IPv4 address, the switch acts as a proxy for the client. The request is forwarded as a UDP Unicast MAC layer message to the BOOTP/DHCP servers configured for the client's VLAN, or to the global BOOTP/DHCP servers if no domain-specific BOOTP/DHCP servers are configured for the client's VLAN. The servers respond to the switch with a Unicast reply that contains the IPv4 default gateway and the IPv4 address for the client. The switch then forwards this reply back to the client.

DHCP is described in RFC 2131, and the DHCP relay agent supported on the G8264 is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.

BOOTP and DHCP relay are collectively configured using the BOOTP commands and menus on the G8264.

DHCP Host Name Configuration

The G8264 supports DHCP host name configuration as described in RFC 2132, option 12. DHCP host name configuration is enabled by default.

The host name can be manually configured using the following command:

RS G8264(config)# hostname <name>

If the host name is manually configured, the switch does not replace it with the host name received from the DHCP server.

After the host name is configured on the switch, if DHCP or DHCP host name configuration is disabled, the switch retains the host name.

The switch prompt displays the host name.

Host name configuration can be enabled or disabled using the following command:

RS G8264(config)# [no] system dhcp hostname
DHCP SYSLOG Server

During switch startup, if the switch fails to get the configuration file, a message can be recorded in the SYSLOG server.

The G8264 supports requesting of a SYSLOG server IP address from the DHCP server as described in RFC 2132, option 7. The DHCP SYSLOG server request option is enabled by default.

A manually configured SYSLOG server takes priority over a DHCP SYSLOG server.

Up to two SYSLOG server addresses received from the DHCP server can be used. The SYSLOG server can be learned over a management port or a data port.

Use the RS G8264# show logging command to view the SYSLOG server address.

The DHCP SYSLOG server address option can be enabled/disabled using the following command:

RS G8264(config)# [no] system dhcp syslog

Global BOOTP Relay Agent Configuration

To enable the G8264 to be a BOOTP (or DHCP) forwarder, enable the BOOTP relay feature, configure up to four global BOOTP server IPv4 addresses on the switch, and enable BOOTP relay on the interface(s) on which the client requests are expected.

Generally, it is best to configure BOOTP for the switch IP interface that is closest to the client, so that the BOOTP server knows from which IPv4 subnet the newly allocated IPv4 address will come.

In the G8264 implementation, there are no primary or secondary BOOTP servers. The client request is forwarded to all the global BOOTP servers configured on the switch (if no domain-specific servers are configured). The use of multiple servers provides failover redundancy. However, no health checking is supported.

1. Use the following commands to configure global BOOTP relay servers:

RS G8264(config)# ip bootp-relay enable
RS G8264(config)# ip bootp-relay server <server number> address <IPv4 address>

2. Enable BOOTP relay on the appropriate IP interfaces.

BOOTP/DHCP relay functionality may be assigned on a per-interface basis using the following commands:

RS G8264(config)# interface ip <interface number>
RS G8264(config-ip-if)# relay
RS G8264(config-ip-if)# exit
Domain-Specific BOOTP Relay Agent Configuration

Use the following commands to configure up to five domain-specific BOOTP relay agents for each of up to 10 VLANs:

RS G8264(config)# ip bootp-relay bcast-domain <domain number> vlan <VLAN number>
RS G8264(config)# ip bootp-relay bcast-domain <domain number> server <server number> address <IPv4 address>
RS G8264(config)# ip bootp-relay bcast-domain <domain number> enable

As with global relay agent servers, domain-specific BOOTP/DHCP functionality may be assigned on a per-interface basis (see Step 2 on page 45).

DHCP Option 82

DHCP Option 82 provides a mechanism for generating IP addresses based on the client device's location in the network. When you enable the DHCP relay agent option on the switch, it inserts the relay agent information option 82 in the packet, and sends a unicast BOOTP request packet to the DHCP server. The DHCP server uses the option 82 field to assign an IP address, and sends the packet, with the original option 82 field included, back to the relay agent. The DHCP relay agent strips off the option 82 field in the packet and sends the packet to the DHCP client.

Configuration of this feature is optional. The feature helps resolve several issues where untrusted hosts access the network. See RFC 3046 for details.

Use the following commands to configure DHCP Option 82:

RS G8264(config)# ip bootp-relay information enable (Enable Option 82)
RS G8264(config)# ip bootp-relay enable (Enable DHCP relay)
RS G8264(config)# ip bootp-relay server <server number> address <IPv4 address>

DHCP Snooping

DHCP snooping provides security by filtering untrusted DHCP packets and by building and maintaining a DHCP snooping binding table. This feature is applicable only to IPv4 and only works in non-stacking mode.

An untrusted interface is a port that is configured to receive packets from outside the network or firewall. A trusted interface receives packets only from within the network. By default, all DHCP ports are untrusted.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and port number that correspond to the local untrusted interface on the switch; it does not contain information regarding hosts interconnected with a trusted interface.

By default, DHCP snooping is disabled on all VLANs. You can enable DHCP snooping on one or more VLANs. You must enable DHCP snooping globally. To enable this feature, enter the following commands:

RS G8264(config)# ip dhcp snooping vlan <VLAN number(s)>
RS G8264(config)# ip dhcp snooping
Following is an example of DHCP snooping configuration, where the DHCP server and client are in VLAN 100, and the server connects using port 24.

RS G8264(config)# ip dhcp snooping vlan 100
RS G8264(config)# ip dhcp snooping
RS G8264(config)# interface port 24
RS G8264(config-if)# ip dhcp snooping trust (Optional; Set port as trusted)
RS G8264(config-if)# ip dhcp snooping information option-insert (Optional; add DHCP option 82)
RS G8264(config-if)# ip dhcp snooping limit rate 100 (Optional; Set DHCP packet rate)
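The two behaviours described in the DHCP Option 82 and DHCP Snooping sections, simulated as an added example that is not ENOS code: a relay agent inserting Option 82 (RFC 3046 Circuit ID and Remote ID sub-options) on the way to the server and stripping it from the reply, and a snooping switch dropping server messages that arrive on untrusted ports while learning client bindings from ACKs. Only the DHCP option area is modelled, so the client MAC and assigned IP that would come from the fixed header are passed in as parameters, and the packets are constructed inline.

```python
from dataclasses import dataclass, field

# DHCP option codes and message types used below (RFC 2132 / RFC 3046).
OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 53, 82, 255
DISCOVER, OFFER, ACK = 1, 2, 5
SERVER_MESSAGES = {OFFER, ACK}   # only a DHCP server legitimately sends these

def parse_options(raw):
    """Walk the TLV option area of a DHCP message into a list of (code, value)."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0:                 # pad byte: no length field
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

def build_options(opts):
    """Serialise (code, value) pairs back into a TLV option area ending with END."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in opts)
    return body + bytes([OPT_END])

def message_type(raw):
    """Return the DHCP message type (option 53), or None if it is absent."""
    return next((v[0] for c, v in parse_options(raw) if c == OPT_MSG_TYPE), None)

def relay_to_server(raw, circuit_id, remote_id):
    """Relay agent, client -> server: add Option 82 carrying the RFC 3046
    Circuit ID (sub-option 1) and Remote ID (sub-option 2) so the server can
    assign an address by the client's location. Any Option 82 already present
    in the client's packet is discarded first, so a host cannot forge a location."""
    opts = [o for o in parse_options(raw) if o[0] != OPT_RELAY_INFO]
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    return build_options(opts + [(OPT_RELAY_INFO, sub)])

def relay_to_client(raw):
    """Relay agent, server -> client: strip Option 82 before forwarding."""
    return build_options([o for o in parse_options(raw) if o[0] != OPT_RELAY_INFO])

@dataclass
class SnoopingVlan:
    """DHCP snooping state for one VLAN: trusted ports plus the binding table."""
    trusted_ports: set
    pending: dict = field(default_factory=dict)   # client MAC -> untrusted port
    bindings: dict = field(default_factory=dict)  # client MAC -> (IP, port)

    def inspect(self, port, client_mac, raw, assigned_ip=None):
        """Decide 'forward' or 'drop' for one DHCP message seen on 'port'.
        client_mac and assigned_ip stand in for the fixed-header chaddr and
        yiaddr fields, which this example does not parse (assumption)."""
        kind = message_type(raw)
        if kind in SERVER_MESSAGES:
            if port not in self.trusted_ports:
                return "drop"       # OFFER/ACK on an untrusted port: rogue server
            if kind == ACK and assigned_ip and client_mac in self.pending:
                self.bindings[client_mac] = (assigned_ip, self.pending.pop(client_mac))
        elif port not in self.trusted_ports:
            self.pending[client_mac] = port   # remember which untrusted port asked
        return "forward"
```

The binding table here records the client's own untrusted port, matching the guide's statement that the table describes local untrusted interfaces rather than hosts behind a trusted one.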
Easy Connect Wizard

Lenovo Easy Connect (EZC) is a feature designed to simplify switch configuration. A set of predefined configurations can be applied on the switch via ISCLI. By launching the EZC Wizard, you are prompted for a minimal set of input and the tool automatically customizes the switch software.

The EZC Wizard allows you to choose one of the following configuration modes:

- Basic System mode supports settings for hostname, static management port IP, netmask, and gateway.
- Transparent mode collects server and uplink port settings. vNIC groups are used to define the loop-free domains.
  Note: You can either accept the static defaults or enter a different port list for uplink and/or server ports.
- Redundant mode refers to VLAG settings.

The EZC configuration will be applied immediately. Any existing configuration will be deleted; the current active or running configuration will not be merged or appended to the EZC configuration.

For any custom settings that are not included in the predefined configuration sets, the user has to configure them manually.

Notes:
- EZC is not available in stacking mode.
- To support scripting, the feature also has a single-line format. For more information, please refer to the Lenovo Networking ISCLI Reference Guide.

Configuring the Easy Connect Wizard

To launch the EZC Wizard, use the following command:

RS G8264# easyconnect

The wizard displays the available predefined configuration modes. You are prompted to select one of the following options:

RS G8264# easyconnect
Auto configures the switch into a set configuration based on the input provided.
Current configuration will be overwritten with auto configuration settings.
The wizard can be canceled any time by pressing Ctrl+C.
Select which of the following features you want enabled:
# Configure Basic system (yes/no)?
# Configure Transparent mode (yes/no)?
# Configure Switch Redundant mode (yes/no)?
Basic System Mode Configuration Example

This example shows the parameters available for configuration in Basic System mode:

RS G8264# easyconnect
Configure Basic system (yes/no)? y

Please enter "none" for no hostname.
Enter hostname (Default: None)? host

Please enter "dhcp" for dhcp IP.
Select management IP address (Current: 10.241.13.32)?
Enter management netmask (Current: 255.255.255.128)?
Enter management gateway: (Current: 10.241.13.1)?

Pending switch port configuration:

Hostname: host
Management interface:
IP: 10.241.13.32
Netmask: 255.255.255.128
Gateway: 10.241.13.1
Confirm erasing current config to reconfigure Easy Connect (yes/no)?

Note: You can either accept the default values or enter new parameters.

Transparent Mode Configuration Example

This example shows the parameters available for configuration in Transparent mode:

RS G8264# easyconnect
Configure Transparent mode (yes/no)? y
Select Uplink Ports (Static Defaults: 17-24)?
The following Uplink ports will be enabled:
Uplink ports (1G/10G): 17-24
Select Server Ports (Static Defaults: 25-64)?
The following Server ports will be enabled:
Server ports (1G/10G): 25-64
Pending switch configuration:

Uplink Ports: 17-24
Server Ports: 25-64
Disabled Ports: 1, 5, 9, 13
Confirm erasing current config to reconfigure Easy Connect (yes/no)?

Notes:
- If your selection for a port group contains ports of different mode or speed, the selection is not valid and you are guided to either select other ports or change the speed of the ports.
- You can either accept the static defaults or enter a different port list for uplink and/or server ports.
Redundant Mode Configuration Example

This example shows the parameters available for configuration in Redundant mode:

RS G8264# easyconnect
Configure Switch Redundant mode (yes/no)? y

Note: It is recommended to select Basic system configuration in order to set the management IP address used for vLAG health check.

Configure Basic system (yes/no)? y

Configure this switch as vLAG Primary or Secondary Peer (primary/secondary)? prim

Select ISL Ports (Static Defaults: 1-16)?
The following ISL ports will be enabled:
ISL ports (40G): 1-16

Select vLAG Tier ID (Default: 101)?

Select management IP address (Current: 192.168.49.50)?

Enter management netmask (Current: 255.255.255.0)?

Select Peer IP address for vLAG health check (Default: 1.1.1.2)?
Warning: vLAG health check Peer IP is not reachable.
Do you want to select another Peer IP (yes/no)? y
Select Peer IP address for vLAG health check (Default: 1.1.1.2)?
Warning: vLAG health check Peer IP is not reachable.
Do you want to select another Peer IP (yes/no)? n

Select Uplink Ports (Static Defaults: 17-24)?
The following Uplink ports will be enabled:
Uplink ports (1G/10G): 17-24

Select Downlink Ports (Static Defaults: 25-64)?
The following Downlink ports will be enabled:
Downlink ports (1G/10G): 25-64

Please enter "none" for no hostname.
Enter hostname (Default: PrimaryVLAG)?

Please enter "none" for no gateway.
Enter management gateway: (Default: 0.0.0.0)?

Pending switch configuration:

vLAG switch type: Primary
ISL Ports: 1-16
vLAG Tier ID: 101
vLAG Peer IP: 1.1.1.2
Uplink Ports: 17-24
Downlink Ports: 25-64
Disabled Ports: empty

Hostname: PrimaryVLAG
Management interface:
IP: 192.168.49.50
Netmask: 255.255.255.0
Gateway: 0.0.0.0

Confirm erasing current config to reconfigure Easy Connect (yes/no)?

Notes:
- If your selection for a port group contains ports of different speed, the selection is not valid, and you are guided to either select other ports or change the speed of the ports.
- All unused ports are configured as shutdown in the configuration dump.
- You can either accept the static defaults or enter a different port list for ISL, uplink, and/or downlink ports.
Switch Login Levels

To enable better switch management and user accountability, three levels or classes of user access have been implemented on the G8264. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:

- User interaction with the switch is completely passive; nothing can be changed on the G8264. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.
- Operators can only effect temporary changes on the G8264. These changes will be lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation.
- Administrators are the only ones that may make permanent changes to the switch configuration, that is, changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the G8264. Because administrators can also make temporary (operator-level) changes as well, they must be aware of the interactions between temporary and permanent changes.

Access to switch functions is controlled through the use of unique user names and passwords. Once you are connected to the switch via console, remote Telnet, or SSH, you are prompted to enter a password. The default user names/password for each access level are listed in the following table.

Note: It is recommended that you change the default switch passwords after initial configuration and as regularly as required under your network security policies.

Table 2. User Access Levels - Default Settings

User Account: user
Password: user
Status: Disabled
Description and Tasks Performed: The User has no direct responsibility for switch management. He or she can view all switch status information and statistics, but cannot make any configuration changes to the switch.

User Account: oper
Password: oper
Status: Disabled
Description and Tasks Performed: The Operator manages all functions of the switch. The Operator can reset ports, except the management ports.

User Account: admin
Password: admin
Status: Enabled
Description and Tasks Performed: The super user Administrator has complete access to all menus, information, and configuration commands on the G8264, including the ability to change both the user and administrator passwords.
Note: Access to each user level (except the admin account) can be disabled by setting the password to an empty value. To disable the admin account, use the command no access user administrator-enable. The Admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege.
Setup vs. the Command Line

Once the administrator password is verified, you are given complete access to the switch. If the switch is still set to its factory default configuration, you will need to run Setup (see Chapter 2, "Initial Setup"), a utility designed to help you through the first-time configuration process. If the switch has already been configured, the command line is displayed instead.
Idle Disconnect

By default, the switch will disconnect your Telnet session after 10 minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 0 to 60 minutes, where 0 means the session will never time out.

Use the following command to set the idle timeout value:

RS G8264(config)# system idle <0-60>
Boot Strict Mode

The implementations specified in this section are compliant with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131A.

The RackSwitch G8264 can operate in two boot modes:

- Compatibility mode (default): This is the default switch boot mode. This mode may use algorithms and key lengths that may not be allowed/acceptable by the NIST SP 800-131A specification. This mode is useful in maintaining compatibility with previous releases and in environments that have lesser data security requirements.
- Strict mode: Encryption algorithms, protocols, and key lengths in strict mode are compliant with the NIST SP 800-131A specification.

When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch.

Before enabling strict mode, ensure the following:

- The software version on all connected switches is Enterprise NOS 8.4.
- The supported protocol versions and cryptographic cipher suites between clients and servers are compatible. For example: if using SSH to connect to the switch, ensure that the SSH client supports SSHv2 and a strong cipher suite that is compliant with the NIST standard.
- A compliant Web server certificate is installed on the switch, if using BBI.
- A new self-signed certificate is generated for the switch (RS G8264(config)# access https generate-certificate). The new certificate is generated using a 2048-bit RSA key and SHA-256 digest.
- Protocols that are not NIST SP 800-131A compliant must be disabled or not used.
- Only SSHv2 or higher is used.
- The current configuration, if any, is saved in a location external to the switch. When the switch reboots, both the startup and running configuration are lost.

Only protocols/algorithms compliant with the NIST SP 800-131A specification are used/enabled on the switch. Please see the NIST SP 800-131A publication for details. The following table lists the acceptable protocols and algorithms