netgear-italia
ProSAFE M6100 Chassis Switch
Access Layer Configuration Demo
VLAN, QoS, PoE, Port Security, DHCP snooping and Multicast
Online Training
Andrea Rossi, Senior System Engineer
ProSAFE M6100 Chassis Series
The ProSAFE M6100 switch series is a high-quality, high-density, fully flexible chassis alternative to stackable switches for midsize enterprise edge and SMB core deployments.
+ L2/L3/L4 and IPv4/IPv6 rich services
+ 3-slot switch chassis in compact 4U form-factor
• Fabric and Management redundancy and passive backplane
• Non-stop switching, non-stop routing with hitless failover
• N+1 redundancy for power supplies and full PoE+ provisioning, and UPOE
+ Extra-high density ‘Big Switch’
• 144 x RJ45 10/100/1000 ports
• 120 x SFP 100/1000 ports
• 72 x RJ45 10GBASE-T ports
• 48 x SFP+ 1000/10GBASE-X ports
• Or a combination
A scalable, flexible solution
[Diagram: M6100 positioning across 1G and 10G, No PoE to UPoE, Edge and Core, Copper and Fiber]
M6100 Chassis Series Overview
Chassis Standards re-defined
+ L2/L3/L4 and IPv4/IPv6 rich services
• As all-in-one switch platform for branch offices
• For midsize organizations and campus dense edge
• For SMB redundant, reliable, scalable core
+ Latest advances in hardware and software engineering
• Higher flexibility and lower complexity: unique in the market
• Stronger investment protection at a high-value price point
M6100-3S Switch
M6100 Chassis Series Overview
Price Performance leadership
+ High speed performance
• 1.4 Tbps routing / switching capacity
• Up to 1,071 Mpps throughput
• 480 Gbps distributed fabric inter-module
• Each slot provides 2 x 40G access to the passive backplane (80G half-duplex; 160G full-duplex)
+ Distributed fabric = higher flexibility
• No dedicated supervisory module
• Any I/O blade complete with hardware and software distributed fabric on board
• Facilitates easier campus management, maintenance and upgrades
+ Superior design and license-free software = lower complexity
• Incl. IPv6 L3 routing features (OSPF, PBR, BGP)
• Incl. data center features (DCBX, PFC, ETS, FIP Snooping)
• Innovative slot-1 supervisory and slot-2 backup supervisory design
M6100-3S Switch
Distributed Fabric
+ Innovative design
• Removes the need for a dedicated “supervisory” module and its backup
• Provides passive backplane, redundant fabric and redundant management
• Non-stop forwarding / routing resiliency and hitless failover
+ Any blade can be Supervisor
• I/O blades are equipped with dedicated hardware and software distributed fabric
• Simplicity for management and maintenance or upgrades
• More availability and resiliency than any competitive solution in adjacent price range
M6100-3S base chassis features a passive backplane for exceptional availability:
387 years MTBF when at 25ºC / 77ºF ambient (90 years at 55ºC / 131ºF ambient)
Distributed Fabric
+ No fastidious configuration
• Slot-1 is the Supervisor slot
• Slot-2 is the Back-up Supervisor slot (secondary)
• Back-up Supervisor slot provides default continuous stand-by within the distributed fabric
+ Hitless failover
• Should Slot-1 fail, the Back-up Supervisor in Slot-2 instantly takes over as the new Supervisor
• NSF feature offers hitless failover for Slot-2 and Slot-3 switching and routing
• Fail back requires manual command for more control
• Ensures non-stop switching/routing and hitless fail back mechanism as well
M6100 Series Power Over Ethernet
+ Turn PoE on, when needed; easy upgrade, easy downgrade
PoE Daughter Cards
• XCM89P: supports PoE (802.3af) and PoE+ (802.3at)
• XCM89UP: supports PoE (802.3af), PoE+ (802.3at) and the non-standard UPOE (Universal Power over Ethernet)
M6100 Sizing / Placement scenarios
Application: M6100 when
• Core Layer (central part of the network): 2K users
• Distribution Layer (aggregation of edge traffic): 4K users
• Access Layer (edge of the network): Anytime
• Server Room, Data Center (server access layer): 4K users
Organization: M6100 proficient for
• 250 – 499 users: All-in-One Platform
• 500 – 1,999 users: Core; Distribution; Server Room; Edge
• 2,000 – 3,999 users: Distribution; Server Room; Edge
• 4,000+ users: Edge
M6100 Series Starter Kits
+ M6100-44G3-POE+
• 1 blade 40x1G 4x10G (XCM8944)
• 1 PoE+ daughter card (XCM89P)
• Ordering SKU: XCM8903SK-10000S
+ M6100-44GF3
• 1 blade 40xSFP 4x10G (XCM8944F)
• Ordering SKU: XCM8903SF-10000S
+ M6100-24X3
• 1 blade 24x10G (XCM8924X)
• Ordering SKU: XCM8903SX-10000S
M6100 Demo
Setup Access Layer with:
VLAN, QoS, Multicast, Port Security, DHCP snooping and PoE support
Scenario
Network Access: Services to support
[Network diagram: IP PABX; SSID LAN and SSID GUEST; switch ports 1/0/9, 1/0/10, 1/0/11, 1/0/12, 1/0/13, 1/0/15 and 1/0/16; MAC address B4:0E:DC:BD:9C:9F]
VLAN (Virtual Local Area Network)
VLAN ID 10, VLAN ID 20, VLAN ID 30
SCOPE
• Separate Layer 2 traffic
Setup VLAN
• VLAN database
• Go to Switching/VLAN/Basic/VLAN configuration
• Add VLAN ID 10, 20 and 30
Setup VLAN membership: AP ports
• TAG the port for each VLAN associated with a wireless SSID
• Leave the PVID at 1 (default value)
Setup VLAN membership: Computer ports
• Leave the port UNTAGGED for the default VLAN ID 1
• Leave the PVID at 1 (default value)
Setup VLAN membership: IP Phone ports
• Leave the port UNTAGGED for the default VLAN ID 1
• Leave the PVID at 1 (default value)
Setup VLAN membership and PVID: IP PABX port/s
• TAG the port with VLAN ID 10
• Set the PVID to 10
• On the PABX leave the VLAN value at the default
Setup VLAN membership and PVID: Multicast/IP surveillance ports
• TAG the port with VLAN ID 20
• Set the PVID to 20
Setup VLAN membership and PVID: UNKNOWN ports
• TAG the port with VLAN ID 30
• Set the PVID to 30
Setup VLAN membership: Firewall/Switches uplink ports
• TAG the port for each VLAN ID that must be propagated
• Leave the PVID at 1 (default value)
Setup Multicast L2: IGMP snooping
• Enable IGMP snooping admin mode
• Set the VLAN ID associated with the multicast traffic
• Enable the IGMP feature on the switch port
QoS (Quality of Service)
SCOPE
• Max priority for VoIP traffic
• High priority for multicast traffic
• Bandwidth limit to 10 Mbps
Auto-VoIP / OUI-based
DiffServ QoS, VLAN based
Setup QoS: Auto-VoIP / OUI based
• Set the AutoVoIP VLAN ID to 10
• Leave the OUI-based priority at 7 (the highest priority value)
• Check whether the phone's MAC address is automatically recognized by OUI
• The MAC addr B4:0E:DC:BD:9C:9F is not recognized as a VoIP device
• The other MAC addr is the PC NIC connected to the phone's switch
• Add the first half of the MAC to the OUI list
• Enable the OUI mechanism on the port
• The MAC addr is now correctly recognized and associated with VLAN ID 10
Setup QoS: QoS per VLAN
• Create the class map for the multicast and unknown traffic
• Associate VLAN ID 20 with the class map Class-MULTICAST
• Associate VLAN ID 30 with the class map Class-UNKNOWN
• Create the policies for the classes configured for multicast and unknown traffic
• Select CoS value 3 (higher than the default 0 and lower than the 7 used for VoIP)
• Limit the bandwidth to 10 Mbps and drop the traffic above that rate
• Apply the policies to the switch ports
Screenshot labels: IP camera; AP port; UNK port; Port is down
Security
Port Security
SCOPE
• Allow only 1 dynamic MAC address learned on each UNKNOWN port
DHCP Snooping
SCOPE
• Block unauthorized DHCP servers on VLAN ID 20
Setup Port Security: UNKNOWN ports
• Enable the Port Security feature globally
• Enable Port Security on the port
• Limit to only 1 dynamic MAC addr learned
• Enable the violation SNMP trap
Setup DHCP snooping: UNKNOWN ports
• Enable DHCP snooping globally
• Enable DHCP snooping for VLAN ID 30
• Enable Trust Mode on the port where the VLAN ID 30 DHCP server is connected (assumed to be the firewall, so port 1/0/16)
• Leave Trust Mode disabled on all ports except port 1/0/16
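Added example (not part of the original slides and not NETGEAR code): a small Python model of the two checks set up above, showing which frames an UNKNOWN port forwards once Port Security is limited to 1 dynamic MAC and DHCP snooping trusts only port 1/0/16 on VLAN ID 30. It models only the trust check on DHCP server messages. Assumptions: ports 1/0/13 and 1/0/15 stand in for the UNKNOWN ports, and all MAC addresses and frames are constructed.

```python
"""Model of the access-port checks configured above (added example, not switch code)."""
from dataclasses import dataclass, field

SNOOPED_VLANS = {30}                    # DHCP snooping enabled for VLAN ID 30
TRUSTED_PORTS = {"1/0/16"}              # firewall uplink, the only port in Trust Mode
UNKNOWN_PORTS = {"1/0/13", "1/0/15"}    # assumption: which ports are "UNKNOWN"
MAX_DYNAMIC_MACS = 1                    # Port Security limit from the slides
DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # message types only a server sends

@dataclass
class Switch:
    learned: dict = field(default_factory=dict)   # port -> set of learned MACs
    traps: list = field(default_factory=list)     # (port, MAC) violation traps

    def ingress(self, port, vlan, src_mac, dhcp_msg=None):
        """Return (verdict, reason) for one frame received on `port`."""
        src_mac = src_mac.lower()
        # Port Security: a locked port keeps only its first dynamic MAC.
        if port in UNKNOWN_PORTS:
            macs = self.learned.setdefault(port, set())
            if src_mac not in macs:
                if len(macs) >= MAX_DYNAMIC_MACS:
                    self.traps.append((port, src_mac))
                    return "drop", "port-security violation"
                macs.add(src_mac)
        # DHCP snooping: server replies are accepted only from trusted ports.
        if (dhcp_msg in DHCP_SERVER_MSGS and vlan in SNOOPED_VLANS
                and port not in TRUSTED_PORTS):
            return "drop", "DHCP server message on untrusted port"
        return "forward", "ok"

def run(frames):
    """Feed frames through a fresh switch; return (verdicts, traps)."""
    sw = Switch()
    return [sw.ingress(*f)[0] for f in frames], sw.traps

# Constructed sample traffic: (port, VLAN, source MAC, DHCP message type or None)
FRAMES = [
    ("1/0/13", 30, "00:11:22:33:44:55", "DISCOVER"),  # guest asks for a lease
    ("1/0/16", 30, "aa:bb:cc:00:00:01", "OFFER"),     # firewall answers: trusted
    ("1/0/15", 30, "00:11:22:66:77:88", "OFFER"),     # rogue server on edge port
    ("1/0/13", 30, "00:11:22:33:44:99", None),        # second MAC on locked port
    ("1/0/13", 30, "00:11:22:33:44:55", None),        # first MAC still allowed
]

if __name__ == "__main__":
    verdicts, traps = run(FRAMES)
    for frame, verdict in zip(FRAMES, verdicts):
        print(frame, "->", verdict)
    print("traps:", traps)
```

Because snooping is enabled per VLAN, the same OFFER arriving on an untrusted port in a VLAN outside `SNOOPED_VLANS` is forwarded, so the snooped VLAN list should be checked against the VLANs named in the scope.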
PoE
#2 PSU: APS100W
PoE
1. Total PoE budget
2. PoE daughter card installed
3. PoE budget based on the number of PSU
PoE
1. Enable/disable PoE supply (device power cycle or power down)
2. Power mode
3. PoE power limit
4. PoE detection type