ProSafe Switch a Chassis M6100Demo configurazione per l’Accesso

VLAN, QoS, PoE, Port Security, DHCP snooping and Multicast

Formazione Online

Andrea RossiSenior System Engineer

andrea.rossi@netgear.com

ProSAFE M6100 Chassis Series

The ProSAFE M6100 switch series is a high-quality, high-density,

fully flexible chassis alternative to stackable switches for midsize enterprise edge and SMB core

deployments

+ L2/L3/L4 and IPv4/IPv6 rich services

+ 3-slot switch chassis in compact 4U form-factor

•Fabric and Management redundancy and passive backplane

•Non-stop switching, non-stop routing with hitless failover

•N+1 redundancy for power supplies and

full PoE+ provisioning, and UPOE

+ Extra-high density ‘Big Switch’ • 144 x RJ45 10/100/1000 ports

• 120 x SFP 100/1000 ports

• 72 x RJ45 10GBASE-T ports

• 48 x SFP+ 1000/10GBASE-X ports

• Or a combination

A scalable, flexible solution

3

1G

10G

No PoE UPoE

Edge

Core

Copper

Fiber

M6100

M6100 Chassis Series OverviewChassis Standards re-defined

+ L2/L3/L4 and IPv4/IPv6 rich services

• As all-in-one switch platform for branch offices

• For midsize organizations and campus dense edge

• For SMB redundant, reliable, scalable core

+ Latest advances in hardware and software engineering• Higher flexibility and lower complexity: unique in the market

• Stronger investment protection at a high-value price pointM6100-3S Switch

M6100 Chassis Series OverviewPrice Performance leadership

+ High speed performance• 1.4 Tbps routing / switching capacity

• Up to 1,071 Mpps throughput

• 480 Gbps distributed fabric inter-module

• Each slot provides 2 x 40G access to the passive backplane (80G half-duplex; 160G full-duplex)

+ Distributed fabric = higher flexibility• No dedicated supervisory module

• Any I/O blade complete with hardware and software distributed fabric on board

• Facilitates easier campus management, maintenance and upgrades

+ Superior design and license-free software = lower complexity• Incl. IPv6 L3 routing features (OSPF, PBR, BGP)

• Incl. data center features (DCBX, PFC, ETS, FIP Snooping)

• Innovative slot-1 supervisory and slot-2 backup supervisory design

M6100-3S Switch

Distributed Fabric

+ Innovative design• Removes the need for a dedicated “supervisory” module and its backup

• Provides passive backplane, redundant fabric and redundant management

• Non-stop forwarding / routing resiliency and hitless failover

+ Any blade can be Supervisor• I/O blades are equipped with dedicated hardware and software distributed fabric

Simplicity for management and maintenance or upgrades

More availability and resiliency than any competitive solution in adjacent price range

Class

M6100-3S base chassis features a passive backplane for exceptional availability:

387 years MTBF when at 25ºC / 77ºF ambient (90 years at 55ºC / 131ºF ambient)

To

Distributed Fabric

+ No fastidious configuration• Slot-1 is the Supervisor slot

• Slot-2 is the Back-up Supervisor slot (secondary)

• Back-up Supervisor slot provides default continuous stand-by within the distributed fabric

+ Hitless failover• Should Slot-1 fail, the Back-up Supervisor in Slot-2 instantly takes over as the new Supervisor

NSF feature offers hitless failover for Slot-2 and Slot-3 switching and routing

Fail back requires manual command for more control

Ensures non-stop switching/routing and hitless fail back mechanism as well

M6100 Series Power Over Ethernet

+ Turn PoE on, when needed; easy upgrade, easy downgrade

PoE Daughter Cards

XCM89P Supports PoE (802.3af) and PoE+ (802.3at)

XCM89UP Supports PoE (802.3af), PoE+ (802.3at) and the non-

standard UPOE (Universal Power over Ethernet)

Organization

Application

250 – 499

Users

500 – 1,999

Users

2,000 – 3,999

Users

4,000 +

Users

M6100

When

Core Layer(Central part of the network)

2K users

Distribution Layer(Aggregation of edge traffic)

4K users

Access Layer(Edge of the network)

Anytime

Server Room, Data Center(Server access layer)

4K users

M6100 Proficient ForAll-in-One

Platform

Core;

Distribution;

Server Room;

Edge

Distribution;

Server Room;

Edge

Edge

M6100 Sizing / Placement scenarios

M6100 Series Starter Kits

+ M6100-44G3-POE+ • 1 blade 40x1G 4x10G (XCM8944)

• 1 PoE+ daughter card (XCM89P)

• Ordering SKU: XCM8903SK-10000S

+ M6100-44GF3 • 1 blade 40xSFP 4x10G (XCM8944F)

• Ordering SKU: XCM8903SF-10000S

+ M6100-24X3 • 1 blade 24x10G (XCM8924X)

• Ordering SKU: XCM8903SX-10000S

M6100 Demo

Setup Access Layer with:

VLAN, QoS, Multicast, Port Security, DHCP snooping and PoE support

Footer use for Presentation Title or footnotes11

Scenario

Network Access

Services to support

Scenario

IP PABX

1/0/9

1/0/10

1/0/11

1/0/12

1/0/16

1/0/13

1/0/15

SSID LANSSID GUEST

B4:0E:DC:BD:9C:9F

VLAN (Virtual Local Area Network)

VLAN ID 10

VLAN ID 20

VLAN ID 30

SCOPE

• Separate layer2 traffic

Setup VLAN

• VLAN database

• Go to Switching/VLAN/Basic/VLAN configuration

• Add VLAN ID 10, 20 and 30

Setup VLAN membership

• TAG the port for each VLAN associated to a wireless SSID

• Leave the PVID to 1 (default value)

AP ports

Setup VLAN membership

• Leave the port UNTAGGED for the default VLAN ID 1

• Leave the PVID to 1 (default value)

Computer ports

Setup VLAN membership

• Leave the port UNTAGGED for the default VLAN ID 1

• Leave the PVID to 1 (default value)

IP Phone ports

Setup VLAN membership

• TAG the port with VLAN ID 10

• Set the PVID to 10

On the PABX leave the VLAN value to the default

IP PABX port/s

Setup PVID

• TAG the port with VLAN ID 10

• Set the PVID to 10

On the PABX leave the VLAN value to the default

IP PABX port/s

Setup VLAN membership

• TAG the port with VLAN ID 20

• Set the PVID to 20

Multicast/IP surveillance ports

Setup PVID

• TAG the port with VLAN ID 20

• Set the PVID to 20

Multicast/IP surveillance ports

Setup VLAN membership

• TAG the port with VLAN ID 30

• Set the PVID to 30

UNKNOWN ports

Setup PVID

• TAG the port with VLAN ID 30

• Set the PVID to 30

UNKNOWN ports

Setup VLAN membership

• TAG the port for each VLAN ID must be propagated

• Leave the PVID to 1 (default value)

Firewall/Switches uplink ports

Setup Multicast L2

• Enable IGMP snooping admin mode

IGMP snooping

Setup Multicast L2

• Setup the VLAN ID associated to the multicast traffic

IGMP snooping

Setup Multicast L2

• Enable the IGMP feature on the switch port

IGMP snooping

QoS (Quality of Service)

SCOPE

• Max priority for VoIP traffic

SCOPE

• High priority for multicast traffic

SCOPE

• Bandwidht limit to 10Mbps

Auto-Voip/OUI-based Diffserv -Qos VLAN based

Setup QoS

• Setup the AutoVoIP VLAN ID to 10

• Leave the OUI-based priority to 7 (the highest priority value)

Auto-Voip / OUI based

Setup QoS

• Check if the MAC address phone it’s auto recognized by OUI

• The MAC addr B4:0E:DC:BD:9C:9F is not regognized as a VoIP device

Auto-Voip / OUI based

Setup QoS

• Check if the MAC address phone it’s auto recognized by OUI

• The MAC addr B4:0E:DC:BD:9C:9F is not regognized as a VoIP device

• The other MAC addr is the PC NIC connected to the Phone switch

Auto-Voip / OUI based

Setup QoS

• Add the first half of the MAC to the OUI list

Auto-Voip / OUI based

Setup QoS

• Enable the OUI mechanism on the port

Auto-Voip / OUI based

Setup QoS

• The MAC addr is now correctly recognized and associated to VLAN ID 10

Auto-Voip / OUI based

Setup QoS

• Create the map Class for the multicast and unknown traffic

Qos per VLAN

Setup QoS

• Associate the VLAN ID 20 to the map Class-MULTICAST

Qos per VLAN

Setup QoS

• Associate the VLAN ID 30 to map Class-UNKNOWN

Qos per VLAN

Setup QoS

• Create the policies related to the Class configurated for multicast and

unknown traffic

Qos per VLAN

Setup QoS

• Select the value 3 of CoS (higher value than default 0 and lower than 7 used for VoIP)

Qos per VLAN

Setup QoS

• Limit the bandwidht to 10Mbps, and drop the traffic over

Qos per VLAN

Setup QoS

• Apply the policies to the switch ports

Qos per VLAN

IP camera

AP port

UNK port

Port is down

Security

Port Security DHCP Snooping

SCOPE

Allow only 1 dinamyc MAC address

learned for each UNKNOWN ports

SCOPE

Block DHCP server not authorized on

VLAN ID 20

Setup Port Security

• Enable Port Security feature globally

UNKNOWN ports

Setup Port Security

• Enable Port Security on port

• Limit to only 1 dynamic MAC addr learned

• Enable violation snmp trap

UNKNOWN ports

Setup DHCP snooping

• Enable DHCP snooping globally

• Enable DHCP snooping for VLAN ID 30

UNKNOWN ports

30

Setup DHCP snooping

• Enable Trust Mode on the port where the VLANID 30 DHCP server is

connected to (supposed it’s the firewall, so port 1/0/16)

• Leave all in Trust Mode disabled except the port 1/0/16

UNKNOWN ports

PoE

48

#2 PSU: APS100W

PoE

1

2

3

1. Total PoE budget

2. PoE daughter card installed

3. PoE budget based on the number of PSU

PoE

1 2 3

1. Enable/disable PoE supply (device power cycle or power down)

2. Power mode

3. PoE power limit

4. PoE detection type

4