Lenovo RackSwitch G8264CS
Application Guide for Lenovo Enterprise Network Operating System 8.4

Note: Before using this information and the product it supports, read the general information in the Safety Information and Environmental Notices and User Guide documents on the Lenovo Documentation CD and the Warranty Information document that comes with the product.

First Edition (September 2016)

Copyright Lenovo 2017. Portions Copyright IBM Corporation 2014.
LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administration (GSA) contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.
Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.
Copyright Lenovo 2017 3
Contents

Preface . . . . . 21
  Who Should Use This Guide . . . . . 22
  What You'll Find in This Guide . . . . . 23
  Additional References . . . . . 27
  Typographic Conventions . . . . . 28

Part 1: Getting Started . . . . . 29

Chapter 1. Switch Administration . . . . . 31
  Administration Interfaces . . . . . 32
    Command Line Interface . . . . . 32
  Establishing a Connection . . . . . 33
    Using the Switch Management Ports . . . . . 33
    Using the Switch Data Ports . . . . . 34
    Using Telnet . . . . . 35
    Using Secure Shell . . . . . 35
      Using SSH with Password Authentication . . . . . 36
      Using SSH with Public Key Authentication . . . . . 37
    Using a Web Browser . . . . . 38
      Configuring HTTP Access to the BBI . . . . . 38
      Configuring HTTPS Access to the BBI . . . . . 38
      Browser-Based Interface Summary . . . . . 39
    Using Simple Network Management Protocol . . . . . 40
  BOOTP/DHCP Client IP Address Services . . . . . 41
    DHCP Host Name Configuration . . . . . 41
    DHCP SYSLOG Server . . . . . 42
    Global BOOTP Relay Agent Configuration . . . . . 42
    Domain-Specific BOOTP Relay Agent Configuration . . . . . 43
    DHCP Option 82 . . . . . 43
    DHCP Snooping . . . . . 43
  Easy Connect Wizard . . . . . 45
    Configuring the Easy Connect Wizard . . . . . 45
      Basic System Mode Configuration Example . . . . . 46
      Transparent Mode Configuration Example . . . . . 46
      Redundant Mode Configuration Example . . . . . 47
  Switch Login Levels . . . . . 49
  Setup vs. the Command Line . . . . . 51
  Idle Disconnect . . . . . 52
  Boot Strict Mode . . . . . 53
    Acceptable Cipher Suites . . . . . 56
    Configuring Strict Mode . . . . . 57
    Configuring No-Prompt Mode . . . . . 57
    SSL/TLS Version Limitation . . . . . 57
    Limitations . . . . . 57

Chapter 2. Initial Setup . . . . . 59
  Information Needed for Setup . . . . . 60
4 G8264CS Application Guide for ENOS 8.4
  Default Setup Options . . . . . 61
  Stopping and Restarting Setup Manually . . . . . 62
    Stopping Setup . . . . . 62
    Restarting Setup . . . . . 62
  Setup Part 1: Basic System Configuration . . . . . 63
  Setup Part 2: Port Configuration . . . . . 65
  Setup Part 3: VLANs . . . . . 67
  Setup Part 4: IP Configuration . . . . . 68
    IP Interfaces . . . . . 68
    Loopback Interfaces . . . . . 69
      Using Loopback Interfaces for Source IP Addresses . . . . . 69
      Loopback Interface Limitations . . . . . 70
    Default Gateways . . . . . 70
    IP Routing . . . . . 70
  Setup Part 5: Final Steps . . . . . 72
  Optional Setup for Telnet Support . . . . . 73

Chapter 3. Switch Software Management . . . . . 75
  Loading New Software to Your Switch . . . . . 76
    Loading Software via the ISCLI . . . . . 76
    Loading Software via BBI . . . . . 77
    USB Options . . . . . 78
      USB Boot . . . . . 78
      USB Copy . . . . . 79
  The Boot Management Menu . . . . . 80
    Recovering from a Failed Software Upgrade . . . . . 80
    Recovering from a Failed Boot Image . . . . . 83

Part 2: Securing the Switch . . . . . 85

Chapter 4. Securing Administration . . . . . 87
  Secure Shell and Secure Copy . . . . . 88
    Configuring SSH/SCP Features on the Switch . . . . . 88
      To Enable or Disable the SSH Feature . . . . . 88
      To Enable or Disable SCP Apply and Save . . . . . 89
    Configuring the SCP Administrator Password . . . . . 89
    Using SSH and SCP Client Commands . . . . . 89
      To Log In to the Switch . . . . . 89
      To Copy the Switch Configuration File to the SCP Host . . . . . 89
      To Load a Switch Configuration File from the SCP Host . . . . . 90
      To Apply and Save the Configuration . . . . . 90
      To Copy the Switch Image and Boot Files to the SCP Host . . . . . 90
      To Load Switch Configuration Files from the SCP Host . . . . . 91
    SSH and SCP Encryption of Management Messages . . . . . 91
    Generating RSA Host Key for SSH Access . . . . . 91
    SSH/SCP Integration with RADIUS Authentication . . . . . 91
    SSH/SCP Integration with TACACS+ Authentication . . . . . 92
  End User Access Control . . . . . 93
    Considerations for Configuring End User Accounts . . . . . 93
    Strong Passwords . . . . . 93
    User Access Control . . . . . 94
      Setting up User IDs . . . . . 94
      Defining a User's Access Level . . . . . 94
      Validating a User's Configuration . . . . . 94
      Enabling or Disabling a User . . . . . 94
      Locking Accounts . . . . . 94
      Re-Enabling Locked Accounts . . . . . 95
    Listing Current Users . . . . . 95
    Logging into an End User Account . . . . . 95
    Password Fix-Up Mode . . . . . 95

Chapter 5. Authentication & Authorization Protocols . . . . . 97
  RADIUS Authentication and Authorization . . . . . 98
    How RADIUS Authentication Works . . . . . 98
    Configuring RADIUS on the Switch . . . . . 98
    RADIUS Authentication Features in Enterprise NOS . . . . . 100
    Switch User Accounts . . . . . 100
    RADIUS Attributes for Enterprise NOS User Privileges . . . . . 101
  TACACS+ Authentication . . . . . 102
    How TACACS+ Authentication Works . . . . . 102
    TACACS+ Authentication Features in Enterprise NOS . . . . . 103
      Authorization . . . . . 103
      Accounting . . . . . 104
    Command Authorization and Logging . . . . . 104
    TACACS+ Password Change . . . . . 105
    Configuring TACACS+ Authentication on the Switch . . . . . 105
  LDAP Authentication and Authorization . . . . . 106
    Configuring the LDAP Server . . . . . 106
    Configuring LDAP Authentication on the Switch . . . . . 106

Chapter 6. 802.1X Port-Based Network Access Control . . . . . 109
  Extensible Authentication Protocol over LAN . . . . . 110
  EAPoL Authentication Process . . . . . 111
  EAPoL Message Exchange . . . . . 112
  EAPoL Port States . . . . . 113
  Guest VLAN . . . . . 113
  Supported RADIUS Attributes . . . . . 114
  EAPoL Configuration Guidelines . . . . . 116

Chapter 7. Access Control Lists . . . . . 117
  Summary of Packet Classifiers . . . . . 118
  Summary of ACL Actions . . . . . 119
  Assigning Individual ACLs to a Port . . . . . 120
  ACL Order of Precedence . . . . . 120
  ACL Metering and Re-Marking . . . . . 120
    Metering . . . . . 121
    Re-Marking . . . . . 121
  ACL Port Mirroring . . . . . 122
  Viewing ACL Statistics . . . . . 122
  ACL Logging . . . . . 123
    Enabling ACL Logging . . . . . 123
    Logged Information . . . . . 123
    Rate Limiting Behavior . . . . . 124
    Log Interval . . . . . 124
    ACL Logging Limitations . . . . . 124
  ACL Configuration Examples . . . . . 125
    ACL Example 1 . . . . . 125
    ACL Example 2 . . . . . 125
    ACL Example 3 . . . . . 126
    ACL Example 4 . . . . . 126
    ACL Example 5 . . . . . 126
    ACL Example 6 . . . . . 127
  VLAN Maps . . . . . 128
  Using Storm Control Filters . . . . . 130

Part 3: Switch Basics . . . . . 131

Chapter 8. VLANs . . . . . 133
  VLANs Overview . . . . . 134
  VLANs and Port VLAN ID Numbers . . . . . 134
    VLAN Numbers . . . . . 134
    PVID/Native VLAN Numbers . . . . . 135
  VLAN Tagging/Trunk Mode . . . . . 136
    Ingress VLAN Tagging . . . . . 139
    Limitations . . . . . 140
  VLAN Topologies and Design Considerations . . . . . 141
    Multiple VLANs with Tagging/Trunk Mode Adapters . . . . . 141
    VLAN Configuration Example . . . . . 144
  Protocol-Based VLANs . . . . . 145
    Port-Based vs. Protocol-Based VLANs . . . . . 145
    PVLAN Priority Levels . . . . . 146
    PVLAN Tagging/Trunk Mode . . . . . 146
    PVLAN Configuration Guidelines . . . . . 146
    Configuring PVLAN . . . . . 147
  Private VLANs . . . . . 148
    Private VLAN Ports . . . . . 148
    Configuration Guidelines . . . . . 149
    Configuration Example . . . . . 149

Chapter 9. Ports and Link Aggregation . . . . . 151
  Configuring QSFP+ Ports . . . . . 152
  Aggregation Overview . . . . . 153
  Static LAGs . . . . . 154
    Static LAG Requirements . . . . . 154
    Static Aggregation Configuration Rules . . . . . 154
    Configuring a Static LAG . . . . . 155
  Link Aggregation Control Protocol . . . . . 157
    Static LACP LAGs . . . . . 158
    LACP Port Modes . . . . . 158
    LACP Individual . . . . . 159
    LACP Minimum Links Option . . . . . 159
    Configuring LACP . . . . . 161
  Configurable LAG Hash Algorithm . . . . . 162

Chapter 10. Spanning Tree Protocols . . . . . 165
  Spanning Tree Protocol Modes . . . . . 166
  Global STP Control . . . . . 167
  PVRST Mode . . . . . 167
    Port States . . . . . 168
    Bridge Protocol Data Units . . . . . 168
      How BPDU Works . . . . . 168
      Determining the Path for Forwarding BPDUs . . . . . 168
    Simple STP Configuration . . . . . 170
    Per-VLAN Spanning Tree Groups . . . . . 172
      Using Multiple STGs to Eliminate False Loops . . . . . 172
      VLANs and STG Assignment . . . . . 173
      Manually Assigning STGs . . . . . 174
      Guidelines for Creating VLANs . . . . . 174
      Rules for VLAN Tagged/Trunk Mode Ports . . . . . 174
      Adding and Removing Ports from STGs . . . . . 175
      The Switch-Centric Model . . . . . 176
    Configuring Multiple STGs . . . . . 177
  Rapid Spanning Tree Protocol . . . . . 179
    Port States . . . . . 179
    RSTP Configuration Guidelines . . . . . 179
    RSTP Configuration Example . . . . . 180
  Multiple Spanning Tree Protocol . . . . . 181
    MSTP Region . . . . . 181
    Common Internal Spanning Tree . . . . . 181
    MSTP Configuration Guidelines . . . . . 182
    MSTP Configuration Examples . . . . . 182
      MSTP Example 1 . . . . . 182
      MSTP Example 2 . . . . . 183
  Port Type and Link Type . . . . . 185
    Edge/Portfast Port . . . . . 185
    Link Type . . . . . 185

Chapter 11. Virtual Link Aggregation Groups . . . . . 187
  VLAG Capacities . . . . . 190
  VLAGs versus Port LAGs . . . . . 190
  Configuring VLAGs . . . . . 192
    Basic VLAG Configuration . . . . . 193
      Configuring the ISL . . . . . 193
      Configuring the VLAG . . . . . 194
      VLAG Configuration - VLANs Mapped to MSTI . . . . . 196
    VLAGs with VRRP . . . . . 200
      Task 1: Configure VLAG Peer 1 . . . . . 200
      Task 2: Configure VLAG Peer 2 . . . . . 203
    Two-tier vLAGs with VRRP . . . . . 206
    vLAG Peer Gateway . . . . . 207
    Configuring VLAGs in Multiple Layers . . . . . 207
      Task 1: Configure Layer 2/3 border switches . . . . . 208
      Task 2: Configure switches in the Layer 2 region . . . . . 208
  VLAG with PIM . . . . . 210
    Traffic Forwarding . . . . . 210
    Health Check . . . . . 211

Chapter 12. Quality of Service . . . . . 213
  QoS Overview . . . . . 214
  Using ACL Filters . . . . . 215
    Summary of ACL Actions . . . . . 215
    ACL Metering and Re-Marking . . . . . 216
      Metering . . . . . 216
      Re-Marking . . . . . 216
  Using DSCP Values to Provide QoS . . . . . 217
    Differentiated Services Concepts . . . . . 217
    Per-Hop Behavior . . . . . 219
    QoS Levels . . . . . 220
    DSCP Re-Marking and Mapping . . . . . 220
    DSCP Re-Marking Configuration Examples . . . . . 221
      DSCP Re-Marking Configuration Example 1 . . . . . 221
      DSCP Re-Marking Configuration Example 2 . . . . . 221
  Using 802.1p Priority to Provide QoS . . . . . 223
  Queuing and Scheduling . . . . . 224
  Control Plane Protection . . . . . 224
  WRED with ECN . . . . . 225
    How WRED/ECN Work Together . . . . . 225
    Configuring WRED/ECN . . . . . 226
    WRED/ECN Configuration Example . . . . . 227
      Configure Global Profile for WRED . . . . . 227
      Configure Port-level Profile for WRED . . . . . 227
      Configure Global Profile for ECN . . . . . 228
      Configure Port-level Profile for ECN . . . . . 229
      Verify WRED/ECN . . . . . 229

Part 4: Advanced Switching Features . . . . . 231

Chapter 13. Virtualization . . . . . 233

Chapter 14. Virtual NICs . . . . . 235
  Defining Server Ports . . . . . 236
  Enabling the vNIC Feature . . . . . 236
  vNIC IDs . . . . . 237
    vNIC IDs on the Switch . . . . . 237
    vNIC Interface Names on the Server . . . . . 237
  vNIC Bandwidth Metering . . . . . 238
  vNIC Uplink Modes . . . . . 239
  LACP LAGs . . . . . 241
  vNIC Groups . . . . . 242
    vNIC Groups in Dedicated Mode . . . . . 243
    vNIC Groups in Shared Mode . . . . . 243
  vNIC Teaming Failover . . . . . 245
  vNIC Configuration Example . . . . . 247
    Basic vNIC Configuration . . . . . 247
    vNICs for iSCSI on Emulex Endeavor 2 . . . . . 250

Chapter 15. Stacking . . . . . 251
  Stacking Overview . . . . . 252
    Stacking Requirements . . . . . 252
    Stacking Limitations . . . . . 253
  Stack Membership . . . . . 254
    The Master Switch . . . . . 254
      Splitting and Merging One Stack . . . . . 254
      Merging Independent Stacks . . . . . 255
    Backup Switch Selection . . . . . 256
      Master Failover . . . . . 256
      Secondary Backup . . . . . 256
      Master Recovery . . . . . 256
      No Backup . . . . . 257
    Stack Member Identification . . . . . 257
  Configuring a Stack . . . . . 258
    Configuration Overview . . . . . 258
    Best Configuration Practices . . . . . 258
      Stacking VLANs . . . . . 259
    Configuring Each Switch for the Stack . . . . . 259
    Additional Master Configuration . . . . . 261
      Viewing Stack Connections . . . . . 261
      Binding Members to the Stack . . . . . 262
      Assigning a Stack Backup Switch . . . . . 262
  Managing the Stack . . . . . 263
    Accessing the Master Switch CLI . . . . . 263
    Rebooting Stacked Switches via the Master . . . . . 263
  Upgrading Software in an Existing Stack . . . . . 265
  Replacing or Removing Stacked Switches . . . . . 267
    Removing a Switch from the Stack . . . . . 267
    Installing the New Switch or Healing the Topology . . . . . 267
    Binding the New Switch to the Stack . . . . . 269
    Performing a Rolling Reload or Upgrade . . . . . 269
      Starting a Rolling Reload . . . . . 269
      Starting a Rolling Upgrade . . . . . 270
  Saving Syslog Messages . . . . . 271
  ISCLI Stacking Commands . . . . . 273

Chapter 16. VMready . . . . . 275
  VE Capacity . . . . . 276
  Defining Server Ports . . . . . 276
  VM Group Types . . . . . 276
  Local VM Groups . . . . . 277
  Distributed VM Groups . . . . . 280
    VM Profiles . . . . . 280
    Initializing a Distributed VM Group . . . . . 281
    Assigning Members . . . . . 281
    Synchronizing the Configuration . . . . . 282
    Removing Member VEs . . . . . 282
  VMcheck . . . . . 283
  Virtual Distributed Switch . . . . . 285
    Prerequisites . . . . . 285
    Guidelines . . . . . 285
    Migrating to vDS . . . . . 286
  Virtualization Management Servers . . . . . 287
    Assigning a vCenter . . . . . 287
    vCenter Scans . . . . . 288
    Deleting the vCenter . . . . . 288
    Exporting Profiles . . . . . 289
    VMware Operational Commands . . . . . 289
  Pre-Provisioning VEs . . . . . 290
  VLAN Maps . . . . . 291
  VM Policy Bandwidth Control . . . . . 292
    VM Policy Bandwidth Control Commands . . . . . 292
    Bandwidth Policies vs. Bandwidth Shaping . . . . . 293
  VMready Information Displays . . . . . 294
    Local VE Information . . . . . 294
    vCenter Hypervisor Hosts . . . . . 295
    vCenter VEs . . . . . 296
    vCenter VE Details . . . . . 296
    vCenter Switchport Mapping Details . . . . . 296
  VMready Configuration Example . . . . . 297

Chapter 17. FCoE and CEE . . . . . 299
  Fibre Channel over Ethernet . . . . . 300
    The FCoE Topology . . . . . 300
    FCoE Requirements . . . . . 301
  Converged Enhanced Ethernet . . . . . 302
    Turning CEE On or Off . . . . . 302
    Effects on Link Layer Discovery Protocol . . . . . 302
    Effects on 802.1p Quality of Service . . . . . 303
    Effects on Flow Control . . . . . 304
  FCoE Initialization Protocol Snooping . . . . . 305
    Global FIP Snooping Settings . . . . . 305
    FIP Snooping for Specific Ports . . . . . 305
    Port FCF and ENode Detection . . . . . 306
    FCoE Connection Timeout . . . . . 306
    FCoE ACL Rules . . . . . 307
    FCoE VLANs . . . . . 307
    Viewing FIP Snooping Information . . . . . 307
    Operational Commands . . . . . 308
    FIP Snooping Configuration . . . . . 308
  Priority-Based Flow Control . . . . . 310
    Global Configuration . . . . . 311
    PFC Configuration Example . . . . . 312
  Enhanced Transmission Selection . . . . . 313
    802.1p Priority Values . . . . . 313
    Priority Groups . . . . . 314
      PGID . . . . . 314
      Assigning Priority Values to a Priority Group . . . . . 315
      Deleting a Priority Group . . . . . 315
      Allocating Bandwidth . . . . . 315
    Configuring ETS . . . . . 316
  Data Center Bridging Capability Exchange . . . . . 320
    DCBX Settings . . . . . 320
      Enabling and Disabling DCBX . . . . . 321
      Peer Configuration Negotiation . . . . . 321
    Configuring DCBX . . . . . 322
  FCoE Example Configuration . . . . . 324

Chapter 18. Fibre Channel . . . . . 327
  Ethernet vs. Fibre Channel . . . . . 328
  Supported Switch Roles . . . . . 329
    FCoE Gateway . . . . . 329
    NPV Gateway . . . . . 329
    Full Fabric FC/FCoE Switch . . . . . 329
    Limitations . . . . . 330
  Implementing Fibre Channel . . . . . 331
    Port Modes . . . . . 331
    Fibre Channel VLANs . . . . . 332
    Port Membership . . . . . 332
    Switching Mode . . . . . 333
    NPV Gateway . . . . . 333
      NPV Port Traffic Mapping . . . . . 333
      NPV Manual Disruptive Load Balancing . . . . . 334
    Full Fabric Zoning . . . . . 334
      Zones . . . . . 335
      Zonesets . . . . . 336
      Defining Zoning . . . . . 336
      Activating a Zoneset . . . . . 338
      E_Ports . . . . . 338
      Limitations . . . . . 339
      Optimized FCoE Traffic Flow . . . . . 340
      Storage Management Initiative Specification (SMI-S) . . . . . 341
  Fibre Channel Configuration . . . . . 342
    Configuration Guidelines . . . . . 342
    Example 1: NPV Gateway . . . . . 342
    Example 2: Full Fabric FC/FCoE Switch . . . . . 343
  Fibre Channel Standard Protocols Supported . . . . . 345

Chapter 19. Edge Virtual Bridging . . . . . 347
  EVB Operations Overview . . . . . 348
    VSIDB Synchronization . . . . . 348
    VLAN Behavior . . . . . 349
    Deleting a VLAN . . . . . 349
    Manual Reflective Relay . . . . . 349
  EVB Configuration . . . . . 350
  Limitations . . . . . 352
  Unsupported Features . . . . . 352

Chapter 20. Static Multicast ARP . . . . . 353
  Configuring Static Multicast ARP . . . . . 354
    Configuration Example . . . . . 354
  Limitations . . . . . 356

Chapter 21. Dynamic ARP Inspection . . . . . 357
  Understanding ARP Spoofing Attacks . . . . . 357
  Understanding DAI . . . . . 357
  Interface Trust States and Network Security . . . . . 358
  DAI Configuration Guidelines and Restrictions . . . . . 360
    DAI Configuration Example . . . . . 360

Part 5: IP Routing . . . . . 363

Chapter 22. Basic IP Routing . . . . . 365
  IP Routing Benefits . . . . . 366
  Routing Between IP Subnets . . . . . 366
  Example of Subnet Routing . . . . . 367
    Using VLANs to Segregate Broadcast Domains . . . . . 368
    Configuration Example . . . . . 368
  ECMP Static Routes . . . . . 371
    OSPF Integration . . . . . 371
    ECMP Route Hashing . . . . . 371
    Configuring ECMP Static Routes . . . . . 372
  Dynamic Host Configuration Protocol . . . . . 373
  DHCP Relay Agent . . . . . 374

Chapter 23. Internet Protocol Version 6 . . . . . 375
  IPv6 Limitations . . . . . 376
  IPv6 Address Format . . . . . 377
  IPv6 Address Types . . . . . 378
    Unicast Address . . . . . 378
    Multicast . . . . . 378
    Anycast . . . . . 378
  IPv6 Address Autoconfiguration . . . . . 380
  IPv6 Interfaces . . . . . 381
  Neighbor Discovery . . . . . 382
    Neighbor Discovery Overview . . . . . 382
    Host vs. Router . . . . . 383
  Supported Applications . . . . . 384
  Configuration Guidelines . . . . . 385
  IPv6 Configuration Examples . . . . . 386
    IPv6 Example 1 . . . . . 386
    IPv6 Example 2 . . . . . 386

Chapter 24. IPsec with IPv6 . . . . . 389
  IPsec Protocols . . . . . 390
  Using IPsec with the RackSwitch G8264CS . . . . . 391
    Setting up Authentication . . . . . 391
      Creating an IKEv2 Proposal . . . . . 392
      Importing an IKEv2 Digital Certificate . . . . . 392
      Generating a Certificate Signing Request . . . . . 393
      Generating an IKEv2 Digital Certificate . . . . . 396
      Enabling IKEv2 Preshared Key Authentication . . . . . 396
    Setting Up a Key Policy . . . . . 397
    Using a Manual Key Policy . . . . . 398
    Using a Dynamic Key Policy . . . . . 400

Chapter 25. Routing Information Protocol . . . . . 401
  Distance Vector Protocol . . . . . 402
  Stability . . . . . 402
  Routing Updates . . . . . 402
  RIPv1 . . . . . 403
  RIPv2 . . . . . 403
  RIPv2 in RIPv1 Compatibility Mode . . . . . 403
  RIP Features . . . . . 404
  RIP Configuration Example . . . . . 405
Chapter 26. Internet Group Management Protocol . . . . . 407
  IGMP Terms . . . . . 408
  How IGMP Works . . . . . 409
  IGMP Capacity and Default Values . . . . . 410
  IGMP Snooping . . . . . 412
    IGMP Querier . . . . . 412
    Querier Election . . . . . 412
    IGMP Groups . . . . . 413
    IGMPv3 Snooping . . . . . 413
    IGMP Snooping Configuration Guidelines . . . . . 415
    IGMP Snooping Configuration Example . . . . . 416
    Advanced Configuration Example: IGMP Snooping . . . . . 417
      Prerequisites . . . . . 418
      Configuration . . . . . 418
    Troubleshooting IGMP Snooping . . . . . 422
  IGMP Relay . . . . . 425
    Configuration Guidelines . . . . . 425
    Configure IGMP Relay . . . . . 426
    Advanced Configuration Example: IGMP Relay . . . . . 427
      Prerequisites . . . . . 427
      Configuration . . . . . 428
    Troubleshooting IGMP Relay . . . . . 431
  Additional IGMP Features . . . . . 434
    FastLeave . . . . . 434
    IGMP Filtering . . . . . 434
      Configuring the Range . . . . . 434
      Configuring the Action . . . . . 435
      Configure IGMP Filtering . . . . . 435
    Static Multicast Router . . . . . 435

Chapter 27. Multicast Listener Discovery . . . . . 437
  MLD Terms . . . . . 438
  How MLD Works . . . . . 439
    How Flooding Impacts MLD . . . . . 440
    MLD Querier . . . . . 440
    Querier Election . . . . . 440
    Dynamic Mrouters . . . . . 441
  MLD Capacity and Default Values . . . . . 442
  Configuring MLD . . . . . 443

Chapter 28. Border Gateway Protocol . . . . . 445
  Internal Routing Versus External Routing . . . . . 446
    Route Reflector . . . . . 447
      Configuring Route Reflection . . . . . 449
      Restrictions . . . . . 450
  Forming BGP Peer Routers . . . . . 451
    Static Peers . . . . . 451
    Dynamic Peers . . . . . 452
      Configuring Dynamic Peers . . . . . 452
      Removing Dynamic Peers . . . . . 452
  Loopback Interfaces . . . . . 454
  What is a Route Map? . . . . . 454
    Next Hop Peer IP Address . . . . . 455
    Incoming and Outgoing Route Maps . . . . . 455
    Precedence . . . . . 456
    Configuration Overview . . . . . 456
  Aggregating Routes . . . . . 458
  Redistributing Routes . . . . . 458
  BGP Communities . . . . . 459
  BGP Attributes . . . . . 460
    Local Preference Attribute . . . . . 460
    Metric (Multi-Exit Discriminator) Attribute . . . . . 460
    Next Hop Attribute . . . . . 461
  Selecting Route Paths in BGP . . . . . 462
    Equal Cost Multi-Path . . . . . 462
    Multipath Relax . . . . . 462
  BGP Failover Configuration . . . . . 463
  Default Redistribution and Route Aggregation Example . . . . . 465

Chapter 29. Open Shortest Path First . . . . . 467
  OSPFv2 Overview . . . . . 468
    Types of OSPF Areas . . . . . 468
    Types of OSPF Routing Devices . . . . . 469
    Neighbors and Adjacencies . . . . . 470
    The Link-State Database . . . . . 470
    The Shortest Path First Tree . . . . . 472
    Internal Versus External Routing . . . . . 472
  OSPFv2 Implementation in Enterprise NOS . . . . . 473
    Configurable Parameters . . . . . 473
    Defining Areas . . . . . 474
      Assigning the Area Index . . . . . 474
      Using the Area ID to Assign the OSPF Area Number . . . . . 475
      Attaching an Area to a Network . . . . . 475
    Interface Cost . . . . . 476
    Electing the Designated Router and Backup . . . . . 476
    Summarizing Routes . . . . . 476
    Default Routes . . . . . 477
    Virtual Links . . . . . 477
    Router ID . . . . . 478
    Authentication . . . . . 479
      Configuring Plain Text OSPF Passwords . . . . . 480
      Configuring MD5 Authentication . . . . . 480
    Host Routes for Load Balancing . . . . . 481
    Loopback Interfaces in OSPF . . . . . 482
    OSPF Features Not Supported in This Release . . . . . 482
  OSPFv2 Configuration Examples . . . . . 483
    Example 1: Simple OSPF Domain . . . . . 484
    Example 2: Virtual Links . . . . . 486
      Configuring OSPF for a Virtual Link on Switch #1 . . . . . 486
      Configuring OSPF for a Virtual Link on Switch #2 . . . . . 487
      Other Virtual Link Options . . . . . 489
    Example 3: Summarizing Routes . . . . . 490
    Verifying OSPF Configuration . . . . . 491
  OSPFv3 Implementation in Enterprise NOS . . . . . 492
    OSPFv3 Differences from OSPFv2 . . . . . 492
      OSPFv3 Requires IPv6 Interfaces . . . . . 492
      OSPFv3 Uses Independent Command Paths . . . . . 492
      OSPFv3 Identifies Neighbors by Router ID . . . . . 493
      Other Internal Improvements . . . . . 493
    OSPFv3 Limitations . . . . . 493
    OSPFv3 Configuration Example . . . . . 493
    Neighbor Configuration Example . . . . . 495

Chapter 30. Protocol Independent Multicast . . . . . 497
  PIM Overview . . . . . 498
  Supported PIM Modes and Features . . . . . 499
  Basic PIM Settings . . . . . 500
    Globally Enabling or Disabling the PIM Feature . . . . . 500
    Defining a PIM Network Component . . . . . 500
    Defining an IP Interface for PIM Use . . . . . 500
    PIM Neighbor Filters . . . . . 501
  Additional Sparse Mode Settings . . . . . 503
    Specifying the Rendezvous Point . . . . . 503
    Influencing the Designated Router Selection . . . . . 503
    Specifying a Bootstrap Router . . . . . 504
    Configuring a Loopback Interface . . . . . 504
  Using PIM with Other Features . . . . . 506
    PIM with ACLs or VMAPs . . . . . 506
    PIM with IGMP . . . . . 506
  PIM Configuration Examples . . . . . 507
    Example 1: PIM-SM with Dynamic RP . . . . . 507
    Example 2: PIM-SM with Static RP . . . . . 508
    Example 3: PIM-DM . . . . . 508

Part 6: High Availability Fundamentals . . . . . 511

Chapter 31. Basic Redundancy . . . . . 513
  Aggregating for Link Redundancy . . . . . 514
  Virtual Link Aggregation . . . . . 514
  Hot Links . . . . . 515
    Forward Delay . . . . . 515
    Preemption . . . . . 515
    FDB Update . . . . . 515
    Configuration Guidelines . . . . . 515
    Configuring Hot Links . . . . . 516
Chapter 32. Layer 2 Failover ... 517
Monitoring LAG Links ... 518
Setting the Failover Limit ... 518
Manually Monitoring Port Links ... 519
Monitor Port State ... 519
Control Port State ... 519
L2 Failover with Other Features ... 520
Static LAGs ... 520
LACP ... 520
Spanning Tree Protocol ... 520
Configuration Guidelines ... 521
Configuring Layer 2 Failover ... 521

Chapter 33. Virtual Router Redundancy Protocol ... 523
VRRP Overview ... 524
VRRP Components ... 524
Virtual Router ... 524
Virtual Router MAC Address ... 524
Owners and Renters ... 524
Master and Backup Virtual Router ... 525
Virtual Interface Router ... 525
VRRP Operation ... 525
Selecting the Master VRRP Router ... 526
Failover Methods ... 527
Active-Active Redundancy ... 527
Virtual Router Group ... 527
Enterprise NOS Extensions to VRRP ... 528
Virtual Router Deployment Considerations ... 529
Assigning VRRP Virtual Router ID ... 529
Configuring the Switch for Tracking ... 529
High Availability Configurations ... 530
VRRP High Availability Using Multiple VIRs ... 530
Task 1: Configure G8264CS 1 ... 531
Task 2: Configure G8264CS 2 ... 532
VRRP High Availability Using VLAGs ... 534

Part 7: Network Management ... 535

Chapter 34. Link Layer Discovery Protocol ... 537
LLDP Overview ... 538
Enabling or Disabling LLDP ... 539
Global LLDP Setting ... 539
Transmit and Receive Control ... 539
LLDP Transmit Features ... 540
Scheduled Interval ... 540
Minimum Interval ... 540
Time-to-Live for Transmitted Information ... 541
Trap Notifications ... 541
Changing the LLDP Transmit State ... 542
Types of Information Transmitted ... 542
LLDP Receive Features ... 544
Types of Information Received ... 544
Viewing Remote Device Information ... 544
Time-to-Live for Received Information ... 546
LLDP Example Configuration ... 548

Chapter 35. Simple Network Management Protocol ... 549
SNMP Version 1 & Version 2 ... 549
SNMP Version 3 ... 550
Default Configuration ... 550
User Configuration Example ... 551
Configuring SNMP Trap Hosts ... 552
SNMPv1 Trap Host ... 552
SNMPv2 Trap Host Configuration ... 553
SNMPv3 Trap Host Configuration ... 554
SNMP MIBs ... 555
Switch Images and Configuration Files ... 561
Loading a New Switch Image ... 562
Loading a Saved Switch Configuration ... 562
Saving the Switch Configuration ... 563
Saving a Switch Dump ... 563

Chapter 36. Service Location Protocol ... 565
Active DA Discovery ... 566
SLP Configuration ... 567

Chapter 37. Secure Input/Output Module ... 569
SIOM Overview ... 570
Setting an SIOM Security Policy ... 571
Enabling and Disabling the SIOM ... 571
Using Protocols With SIOM ... 571
Insecure Protocols ... 571
Secure Protocols ... 572
Insecure Protocols Unaffected by SIOM ... 573
Implementing Secure LDAP (LDAPS) ... 574
Enabling LDAPS ... 574
Disabling LDAPS ... 575
Syslogs and LDAPS ... 576
Using Cryptographic Mode ... 577

Part 8: Monitoring ... 579

Chapter 38. Remote Monitoring ... 581
RMON Overview ... 582
RMON Group 1 - Statistics ... 583
RMON Group 2 - History ... 584
History MIB Object ID ... 584
Configuring RMON History ... 584
RMON Group 3 - Alarms ... 585
Alarm MIB Objects ... 585
Configuring RMON Alarms ... 585
RMON Group 9 - Events ... 587

Chapter 39. sFlow ... 589
sFlow Statistical Counters ... 589
sFlow Network Sampling ... 589
sFlow Example Configuration ... 590

Chapter 40. Port Mirroring ... 591
Port Mirroring Model ... 592
Configuring Port Mirroring ... 593

Part 9: Appendices ... 595

Appendix A. Glossary ... 597

Appendix B. VLAN Tagging Changes Since N/OS 7.9 ... 599
Managing Tagged Ports in the ISCLI ... 600
Managing Tagged Ports in the BBI and SNMP ... 603
Tagged Ports in Configuration Outputs ... 604
Tagged Ports in QBG VLANs ... 605
Tagged Ports Configuration Scenario ... 606

Appendix C. Getting Help and Technical Assistance ... 613

Appendix D. Notices ... 615
Trademarks ... 617
Important Notes ... 618
Recycling Information ... 619
Particulate Contamination ... 620
Telecommunication Regulatory Statement ... 621
Electronic Emission Notices ... 622
Federal Communications Commission (FCC) Statement ... 622
Industry Canada Class A Emission Compliance Statement ... 622
Avis de Conformité à la Réglementation d'Industrie Canada ... 622
Australia and New Zealand Class A Statement ... 622
European Union Compliance to the Electromagnetic Compatibility Directive ... 622
Germany Class A Compliance Statement ... 623
Japan VCCI Class A Statement ... 624
Japan Electronics and Information Technology Industries Association (JEITA) Statement ... 624
Korea Communications Commission (KCC) Statement ... 625
Russia Electromagnetic Interference (EMI) Class A Statement ... 626
People's Republic of China Class A Electronic Emission Statement ... 627
Taiwan Class A Compliance Statement ... 628

Index ... 629
Preface

This Application Guide describes how to configure and use the Lenovo Enterprise Network Operating System 8.4 software on the RackSwitch G8264CS (referred to as G8264CS throughout this document). For documentation on installing the switch physically, see the Installation Guide for your G8264CS.
Who Should Use This Guide

This guide is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, Spanning Tree Protocol, and SNMP configuration parameters.
What You'll Find in This Guide

This guide will help you plan, implement, and administer Enterprise NOS software. Where possible, each section provides feature overviews, usage examples, and configuration instructions. The following material is included:

Part 1: Getting Started

This material is intended to help those new to ENOS products with the basics of switch management. This part includes the following chapters:

Chapter 1, "Switch Administration," describes how to access the G8264CS to configure the switch and view switch information and statistics. This chapter discusses a variety of manual administration interfaces, including local management via the switch console, and remote administration via Telnet, a web browser, or via SNMP.

Chapter 2, "Initial Setup," describes how to use the built-in Setup utility to perform first-time configuration of the switch.

Chapter 3, "Switch Software Management," describes how to update the ENOS software operating on the switch.

Part 2: Securing the Switch

Chapter 4, "Securing Administration," describes methods for using Secure Shell for administration connections, and configuring end-user access control.

Chapter 5, "Authentication & Authorization Protocols," describes different secure administration for remote administrators. This includes using Remote Authentication Dial-in User Service (RADIUS), as well as TACACS+ and LDAP.

Chapter 6, "802.1X Port-Based Network Access Control," describes how to authenticate devices attached to a LAN port that has point-to-point connection characteristics. This feature prevents access to ports that fail authentication and authorization and provides security to ports of the G8264CS that connect to blade servers.

Chapter 7, "Access Control Lists," describes how to use filters to permit or deny specific types of traffic, based on a variety of source, destination, and packet attributes.

Chapter 37, "Secure Input/Output Module," describes which protocols can be enabled. This feature allows secured traffic and secured authentication management.

Part 3: Switch Basics

Chapter 8, "VLANs," describes how to configure Virtual Local Area Networks (VLANs) for creating separate network segments, including how to use VLAN tagging for devices that use multiple VLANs. This chapter also describes Protocol-based VLANs, and Private VLANs.

Chapter 9, "Ports and Link Aggregation," describes how to group multiple physical ports together to aggregate the bandwidth between large-scale network devices.
Chapter 11, "Virtual Link Aggregation Groups," describes using Virtual Link Aggregation Groups (VLAGs) to form LAGs spanning multiple VLAG-capable aggregator switches.

Chapter 10, "Spanning Tree Protocols," discusses how Spanning Tree Protocol (STP) configures the network so that the switch selects the most efficient path when multiple paths exist. Covers Rapid Spanning Tree Protocol (RSTP), Per-VLAN Rapid Spanning Tree (PVRST), and Multiple Spanning Tree Protocol (MSTP).

Chapter 12, "Quality of Service," discusses Quality of Service (QoS) features, including IP filtering using Access Control Lists (ACLs), Differentiated Services, and IEEE 802.1p priority values.

Part 4: Advanced Switching Features

Chapter 13, "Virtualization," provides an overview of allocating resources based on the logical needs of the data center, rather than on the strict, physical nature of components.

Chapter 14, "Virtual NICs," discusses using virtual NIC (vNIC) technology to divide NICs into multiple logical, independent instances.

Chapter 16, "VMready," discusses virtual machine (VM) support on the G8264CS.

Chapter 17, "FCoE and CEE," discusses using various Converged Enhanced Ethernet (CEE) features such as Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), and FIP Snooping for solutions such as Fibre Channel over Ethernet (FCoE).

Chapter 18, "Fibre Channel," describes how to configure the G8264CS for use with Fibre Channel networks.

Chapter 19, "Edge Virtual Bridging" (EVB), discusses the IEEE 802.1Qbg, a standards-based protocol that defines how virtual Ethernet bridges exchange configuration information. EVB bridges the gap between physical and virtual network resources, thus simplifying network management.

Chapter 20, "Static Multicast ARP," discusses the configuration of a static ARP entry with a multicast MAC address for Microsoft's Network Load Balancing (NLB) feature to function efficiently.

Chapter 21, "Dynamic ARP Inspection," discusses this security feature that lets a switch intercept and examine all ARP request and response packets in a subnet, discarding those packets with invalid IP-to-MAC address bindings. This capability protects the network from man-in-the-middle attacks.

Part 5: IP Routing

Chapter 22, "Basic IP Routing," describes how to configure the G8264CS for IP routing using IP subnets, BOOTP, and DHCP Relay.

Chapter 23, "Internet Protocol Version 6," describes how to configure the G8264CS for IPv6 host management.
Chapter 24, "IPsec with IPv6," describes how to configure Internet Protocol Security (IPsec) for securing IP communications by authenticating and encrypting IP packets, with emphasis on Internet Key Exchange version 2, and authentication/confidentiality for OSPFv3.

Chapter 25, "Routing Information Protocol," describes how the ENOS software implements standard Routing Information Protocol (RIP) for exchanging TCP/IP route information with other routers.

Chapter 26, "Internet Group Management Protocol," describes how the ENOS software implements IGMP Snooping or IGMP Relay to conserve bandwidth in a multicast-switching environment.

Chapter 27, "Multicast Listener Discovery," describes how Multicast Listener Discovery (MLD) is used with IPv6 to support host users' requests for multicast data for a multicast group.

Chapter 28, "Border Gateway Protocol," describes Border Gateway Protocol (BGP) concepts and features supported in ENOS.

Chapter 29, "Open Shortest Path First," describes key Open Shortest Path First (OSPF) concepts and their implementation in ENOS, and provides examples of how to configure your switch for OSPF support.

Chapter 30, "Protocol Independent Multicast," describes how multicast routing can be efficiently accomplished using the Protocol Independent Multicast (PIM) feature.

Part 6: High Availability Fundamentals

Chapter 31, "Basic Redundancy," describes how the G8264CS supports redundancy through LAGs and hot links.

Chapter 32, "Layer 2 Failover," describes how the G8264CS supports high-availability network topologies using Layer 2 Failover.

Chapter 33, "Virtual Router Redundancy Protocol," describes how the G8264CS supports high-availability network topologies using Virtual Router Redundancy Protocol (VRRP).

Part 7: Network Management

Chapter 34, "Link Layer Discovery Protocol," describes how Link Layer Discovery Protocol helps neighboring network devices learn about each other's ports and capabilities.

Chapter 35, "Simple Network Management Protocol," describes how to configure the switch for management through an SNMP client.

Chapter 36, "Service Location Protocol," describes the Service Location Protocol (SLP) that allows the switch to provide dynamic directory services.
Part 8: Monitoring

Chapter 38, "Remote Monitoring," describes how to configure the RMON agent on the switch, so that the switch can exchange network monitoring data.

Chapter 39, "sFlow," describes how to use the embedded sFlow agent for sampling network traffic and providing continuous monitoring information to a central sFlow analyzer.

Chapter 40, "Port Mirroring," discusses how to copy selected port traffic to a monitor port for network analysis.

Part 9: Appendices

Appendix A, "Glossary," describes common terms and concepts used throughout this guide.

Appendix C, "Getting Help and Technical Assistance," provides details on where to go for additional information about Lenovo and Lenovo products.

Appendix D, "Notices," contains safety and environmental notices.
Additional References

Additional information about installing and configuring the G8264CS is available in the following guides:

- RackSwitch G8264CS Installation Guide
- Lenovo RackSwitch G8264CS ISCLI Command Reference for Lenovo Enterprise Network Operating System 8.4
- Lenovo RackSwitch G8264CS Release Notes for Lenovo Enterprise Network Operating System 8.4
Typographic Conventions

The following table describes the typographic styles used in this book.

Table 1. Typographic Conventions

Typeface or Symbol: ABC123 (monospace)
  Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
  Example: View the readme.txt file.
           Main#

Typeface or Symbol: ABC123 (bold)
  Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
  Example: Main# sys

Typeface or Symbol: (italic)
  Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, special terms, or words to be emphasized.
  Example: To establish a Telnet session, enter: host# telnet
           Read your User's Guide thoroughly.

Typeface or Symbol: [ ]
  Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
  Example: host# ls [-a]

Typeface or Symbol: |
  Meaning: The vertical bar ( | ) is used in command examples to separate choices where multiple options exist. Select only one of the listed options. Do not type the vertical bar.
  Example: host# set left|right

Typeface or Symbol: AaBbCc123 (block)
  Meaning: This block type depicts menus, buttons, and other controls that appear in Web browsers and other graphical interfaces.
  Example: Click the Save button.
Part 1: Getting Started
Chapter 1. Switch Administration

Your RackSwitch G8264CS (G8264CS) is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively.

The extensive Lenovo Enterprise Network Operating System switching software included in the G8264CS provides a variety of options for accessing the switch to perform configuration, and to view switch information and statistics.

This chapter discusses the various methods that can be used to administer the switch.
Administration Interfaces

Enterprise NOS provides a variety of user interfaces for administration. These interfaces vary in character and in the methods used to access them: some are text-based, and some are graphical; some are available by default, and some require configuration; some can be accessed by local connection to the switch, and others are accessed remotely using various client applications. For example, administration can be performed using any of the following:

- A built-in, text-based command-line interface and menu system for access via serial-port connection or an optional Telnet or SSH session
- The built-in Browser-Based Interface (BBI) available using a standard web browser
- SNMP support for access through network management software such as IBM Director or HP OpenView

The specific interface chosen for an administrative session depends on user preferences, as well as the switch configuration and the available client tools.

In all cases, administration requires that the switch hardware is properly installed and turned on (see the RackSwitch G8264CS Installation Guide).

Command Line Interface

The Industry Standard Command Line Interface (ISCLI) provides a simple, direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance.

You can establish a connection to the ISCLI in any of the following ways:

- Serial connection via the serial port on the G8264CS (this option is always available)
- Telnet connection over the network
- SSH connection over the network
Establishing a Connection

The factory default settings permit initial switch administration through only the built-in serial port. All other forms of access require additional switch configuration before they can be used.

Remote access using the network requires the accessing terminal to have a valid, routable connection to the switch interface. The client IP address may be configured manually, or an IPv4 address can be provided automatically through the switch using a service such as DHCP or BOOTP relay (see "BOOTP/DHCP Client IP Address Services" on page 41), or an IPv6 address can be obtained using IPv6 stateless address configuration.

Note: Throughout this manual, "IP address" is used in places where either an IPv4 or IPv6 address is allowed. IPv4 addresses are entered in dotted-decimal notation (for example, 10.10.10.1), while IPv6 addresses are entered in hexadecimal notation (for example, 2001:db8:85a3::8a2e:370:7334). In places where only one type of address is allowed, "IPv4 address" or "IPv6 address" is specified.

Using the Switch Management Ports

To manage the switch through the management ports, you must configure an IP interface for each management interface. Configure the IPv4 address/mask and default gateway address:

1. Log on to the switch.

2. Enter Global Configuration mode.

   RS 8264CS> enable
   RS 8264CS# configure terminal

3. Configure a management IP address and mask:

   RS 8264CS(config)# interface ip 128
   RS 8264CS(config-ip-if)# ip address
   RS 8264CS(config-ip-if)# ip netmask
   RS 8264CS(config-ip-if)# enable
   RS 8264CS(config-ip-if)# exit

4. Configure the appropriate default gateway.

   RS 8264CS(config)# ip gateway 4 address
   RS 8264CS(config)# ip gateway 4 enable

   IP gateway 4 is required for IF 128.

Once you configure a management IP address for your switch, you can connect to a management port and use the Telnet program from an external management station to access and control the switch. The management port provides out-of-band management.
Using the Switch Data Ports

You also can configure in-band management through any of the switch data ports. To allow in-band management, use the following procedure:

1. Log on to the switch.

2. Enter IP interface mode.

   RS 8264CS> enable
   RS 8264CS# configure terminal
   RS 8264CS(config)# interface ip

   Note: Interface 128 is reserved for out-of-band management (see "Using the Switch Management Ports" on page 33).

3. Configure the management IP interface/mask.

   IPv4:
   RS 8264CS(config-ip-if)# ip address
   RS 8264CS(config-ip-if)# ip netmask

   IPv6:
   RS 8264CS(config-ip-if)# ipv6 address
   RS 8264CS(config-ip-if)# ipv6 prefixlen

4. Configure the VLAN, and enable the interface.

   RS 8264CS(config-ip-if)# vlan 1
   RS 8264CS(config-ip-if)# enable
   RS 8264CS(config-ip-if)# exit

5. Configure the default gateway.

   IPv4:
   RS 8264CS(config)# ip gateway address
   RS 8264CS(config)# ip gateway enable

   IPv6:
   RS 8264CS(config)# ip gateway6 address
   RS 8264CS(config)# ip gateway6 enable

   Note: Gateways 1, 2, and 3 are used for in-band data networks. Gateway 4 is reserved for the out-of-band management port (see "Using the Switch Management Ports" on page 33).

Once you configure the IP address and have a network connection, you can use the Telnet program from an external management station to access and control the switch. Once the default gateway is enabled, the management station and your switch do not need to be on the same IP subnet.
The G8264CS supports an industry standard command line interface (ISCLI) that you can use to configure and control the switch over the network using the Telnet program. You can use the ISCLI to perform many basic network management functions. In addition, you can configure the switch for management using an SNMP-based network management system or a Web browser.

For more information, see the documents listed in "Additional References" on page 27.
Using Telnet

A Telnet connection offers the convenience of accessing the switch from a workstation connected to the network. Telnet access provides the same options for user and administrator access as those available through the console port.

By default, Telnet access is enabled. Use the following commands to disable or re-enable Telnet access:

   RS 8264CS(config)# [no] access telnet enable

Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network.

To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the following Telnet command:

   telnet

You will then be prompted to enter a password as explained in "Switch Login Levels" on page 49.

Two attempts are allowed to log in to the switch. After the second unsuccessful attempt, the Telnet client is disconnected via TCP session closure.

Using Secure Shell

Although a remote network administrator can manage the configuration of a G8264CS via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure.
The switch can do only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be able to log in if the switch is doing key generation at that time. Similarly, the system will fail to do the key generation if an SSH/SCP client is logging in at that time.

The supported SSH encryption and authentication methods are:

- Server Host Authentication: Client RSA authenticates the switch when starting each connection
- Key Exchange: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-nistp224, ecdh-sha2-nistp192, rsa2048-sha256, rsa1024-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
- Encryption: aes128-ctr, aes128-cbc, rijndael128-cbc, blowfish-cbc, 3des-cbc, arcfour256, arcfour128, arcfour
- MAC: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96
- User Authentication: Local password authentication, public key authentication, RADIUS, TACACS+

Lenovo Enterprise Network Operating System implements the SSH version 2.0 standard and is confirmed to work with SSH version 2.0-compliant clients such as the following:

- OpenSSH_5.4p1 for Linux
- Secure CRT Version 5.0.2 (build 1021)
- PuTTY SSH release 0.60
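The algorithm lists above mix modern and legacy choices, and an SSH client negotiates whichever both sides accept. The following is an added example, not ENOS code or anything from this guide: it classifies the advertised lists against widely used hardening rules (the classification is the example's own, not Lenovo policy) and builds OpenSSH client options that pin a session to the passing subset.

```python
"""Classify the SSH algorithms this section lists into modern and legacy sets (added example)."""
from typing import Dict, List, Tuple

# Algorithm names transcribed from the lists above.
SWITCH_SSH: Dict[str, List[str]] = {
    "kex": ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp224", "ecdh-sha2-nistp192", "rsa2048-sha256", "rsa1024-sha1",
            "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "cipher": ["aes128-ctr", "aes128-cbc", "rijndael128-cbc", "blowfish-cbc", "3des-cbc",
               "arcfour256", "arcfour128", "arcfour"],
    "mac": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
}

# Reasons an algorithm is treated as legacy. These are common hardening rules, not ENOS policy.
LEGACY_REASONS: Dict[str, str] = {
    "diffie-hellman-group1-sha1": "1024-bit MODP group with SHA-1",
    "diffie-hellman-group14-sha1": "SHA-1 based key exchange",
    "diffie-hellman-group-exchange-sha1": "SHA-1 based key exchange",
    "rsa1024-sha1": "1024-bit RSA with SHA-1",
    "ecdh-sha2-nistp224": "curve smaller than 256 bits",
    "ecdh-sha2-nistp192": "curve smaller than 256 bits",
    "3des-cbc": "64-bit block cipher",
    "blowfish-cbc": "64-bit block cipher",
    "hmac-md5": "MD5 based MAC",
    "hmac-md5-96": "MD5 based MAC, truncated tag",
    "hmac-sha1-96": "truncated 96-bit tag",
}


def legacy_reason(name: str) -> str:
    """Return why `name` is considered legacy, or an empty string when it passes."""
    if name in LEGACY_REASONS:
        return LEGACY_REASONS[name]
    if name.startswith("arcfour"):
        return "RC4 stream cipher"
    if name.endswith("-cbc"):
        return "CBC mode (known plaintext-recovery weaknesses in SSH)"
    return ""


def audit(offered: Dict[str, List[str]] = SWITCH_SSH) -> Dict[str, List[Tuple[str, str]]]:
    """Per category, the legacy algorithms together with the reason each was flagged."""
    return {cat: [(a, legacy_reason(a)) for a in algs if legacy_reason(a)]
            for cat, algs in offered.items()}


def preferred(offered: Dict[str, List[str]] = SWITCH_SSH) -> Dict[str, List[str]]:
    """Per category, the algorithms that pass, kept in the switch's own preference order."""
    return {cat: [a for a in algs if not legacy_reason(a)] for cat, algs in offered.items()}


def openssh_client_options(offered: Dict[str, List[str]] = SWITCH_SSH) -> List[str]:
    """`ssh -o` values that pin an OpenSSH client to the passing subset for this switch."""
    p = preferred(offered)
    return [f"KexAlgorithms={','.join(p['kex'])}",
            f"Ciphers={','.join(p['cipher'])}",
            f"MACs={','.join(p['mac'])}"]


if __name__ == "__main__":
    for cat, flagged in audit().items():
        for alg, why in flagged:
            print(f"{cat}: {alg} ({why})")
    print(" ".join(f"-o {opt}" for opt in openssh_client_options()))
```

Running it shows that aes128-ctr is the only cipher and hmac-sha1 the only MAC in the advertised lists that are not flagged, which is worth knowing before a client with a permissive default negotiates something older.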
Using SSH with Password Authentication

By default, the SSH feature is disabled. Once the IP parameters are configured and the SSH service is enabled, you can access the command line interface using an SSH connection.

To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IPv4 or IPv6 address:

   # ssh

You will then be prompted to enter a password as explained in "Switch Login Levels" on page 49.
Using SSH with Public Key Authentication

SSH can also be used for switch authentication based on asymmetric cryptography. Public encryption keys can be uploaded on the switch and used to authenticate incoming login attempts based on the clients' private encryption key pairs. After a predefined number of failed public key login attempts, the switch reverts to password-based authentication.

To set up public key authentication:

1. Enable SSH:

   RS 8264CS(config)# ssh enable

2. Import the public key file using SFTP or TFTP for the admin user account:

   RS 8264CS(config)# copy {sftp|tftp} public-key
   Port type ["DATA"/"MGT"]: mgt
   Address or name of remote host: 9.43.101.151
   Source file name: 11.key
   Username of the public key: admin
   Confirm download operation (y/n) ? y

   Notes:
   - When prompted to input a username, a valid user account name must be entered. If no username is entered, the key is stored on the switch, and can be assigned to a user account later.
   - A user account can have up to 100 public keys set up on the switch.

3. Configure a maximum number of 3 failed public key authentication attempts before the system reverts to password-based authentication:

   RS 8264CS(config)# ssh maxauthattempts 3

Once the public key is configured on the switch, the client can use SSH to log in from a system where the private key pair is set up:

   # ssh
Using a Web Browser

The switch provides a Browser-Based Interface (BBI) for accessing the common configuration, management, and operation features of the G8264CS through your Web browser.

By default, BBI access via HTTP is enabled on the switch.

You can also access the BBI directly from an open Web browser window. Enter the URL using the IP address of the switch interface (for example, http://).

Configuring HTTP Access to the BBI

By default, BBI access via HTTP is enabled on the switch.

To disable or re-enable HTTP access to the switch BBI, use the following commands:

   RS 8264CS(config)# access http enable        (Enable HTTP access)
   or
   RS 8264CS(config)# no access http enable     (Disable HTTP access)

The default HTTP web server port to access the BBI is port 80. However, you can change the default Web server port with the following command:

   RS 8264CS(config)# access http port

To access the BBI from a workstation, open a Web browser window and type in the URL using the IP address of the switch interface (for example, http://).

Configuring HTTPS Access to the BBI

The BBI can also be accessed via a secure HTTPS connection over management and data ports.

1. Enable HTTPS.

   By default, BBI access is enabled via both HTTP and HTTPS on the switch. If HTTPS access has been disabled, use the following command to enable BBI access via HTTPS:

   RS 8264CS(config)# access https enable

2. Set the HTTPS server port number (optional).

   To change the HTTPS Web server port number from the default port 443, use the following command:

   RS 8264CS(config)# access https port

3. Generate the HTTPS certificate.

   Accessing the BBI via HTTPS requires that you generate a certificate to be used during the key exchange. A default certificate is created the first time HTTPS is enabled, but you can create a new certificate defining the information you want to be used in the various fields.

   RS 8264CS(config)# access https generate-certificate
   Country Name (2 letter code) [US]:
   State or Province Name (full name) [CA]:
   Locality Name (eg, city) [Santa Clara]:
   Organization Name (eg, company) [Lenovo Networking Operating System]:
   Organizational Unit Name (eg, section) [Network Engineering]:
   Common Name (eg, YOUR name) [0.0.0.0]:
   Email (eg, email address) []:
   Confirm generating certificate? [y/n]: y
   Generating certificate. Please wait (approx 30 seconds)
   restarting SSL agent

4. Save the HTTPS certificate.

   The certificate is valid only until the switch is rebooted. To save the certificate so it is retained beyond reboot or power cycles, use the following command:

   RS 8264CS(config)# access https save-certificate

When a client (such as a web browser) connects to the switch, the client is asked to accept the certificate and verify that the fields match what is expected. Once BBI access is granted to the client, the BBI can be used.

Browser-Based Interface Summary

The BBI is organized at a high level as follows:

- Context buttons: These buttons allow you to select the type of action you wish to perform. The Configuration button provides access to the configuration elements for the entire switch. The Statistics button provides access to the switch statistics and state information. The Dashboard button allows you to display the settings and operating status of a variety of switch features.

- Navigation Window: Provides a menu of switch features and functions:
  - System: Provides access to the configuration elements for the entire switch.
  - Switch Ports: Configure each of the physical ports on the switch.
  - Port-Based Port Mirroring: Configure port mirroring behavior.
  - Layer 2: Configure Layer 2 features for the switch.
  - RMON Menu: Configure Remote Monitoring features for the switch.
  - Layer 3: Configure Layer 3 features for the switch.
  - QoS: Configure Quality of Service features for the switch.
  - Access Control: Configure Access Control Lists to filter IP packets.
  - Virtualization: Configure VMready.
Using Simple Network Management Protocol

ENOS provides Simple Network Management Protocol (SNMP) version 1, version 2, and version 3 support for access through any network management software, such as IBM Director or HP OpenView.

Note: SNMP read and write functions are enabled by default. For best security practices, if SNMP is not needed for your network, it is recommended that you disable these functions prior to connecting the switch to the network.

To access the SNMP agent on the G8264CS, the read and write community strings on the SNMP manager must be configured to match those on the switch. The default read community string on the switch is public and the default write community string is private.

The read and write community strings on the switch can be configured using the following commands:

   RS 8264CS(config)# snmp-server read-community
   and
   RS 8264CS(config)# snmp-server write-community

The SNMP manager must be able to reach any one of the IP interfaces on the switch.

For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following commands:

   RS 8264CS(config)# snmp-server trap-source
   RS 8264CS(config)# snmp-server host

To restrict SNMP access to specific IPv4 subnets, use the following commands:

   RS 8264CS(config)# access management-network snmp-ro
   and
   RS 8264CS(config)# access management-network snmp-rw

For IPv6 networks, use:

   RS 8264CS(config)# access management-network6 snmp-ro
   and
   RS 8264CS(config)# access management-network6 snmp-rw

Note: Subnets allowed for SNMP read-only access must not overlap with subnets allowed for SNMP read-write access.

For more information on SNMP usage and configuration, see Chapter 35, "Simple Network Management Protocol."
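The two SNMP rules in this section (change the default community strings; keep read-only and read-write subnets disjoint) are easy to violate in a change request before anything touches the switch. The following is an added example, not part of this guide or of ENOS: a pre-flight check over a planned configuration, with the planned values constructed for illustration.

```python
"""Pre-flight check for the SNMP settings covered in this section (added example, not ENOS code)."""
from ipaddress import ip_network
from typing import Dict, List

DEFAULT_COMMUNITIES = {"public", "private"}   # the switch defaults named in the text above


def check_communities(read_community: str, write_community: str) -> List[str]:
    """Flag community strings that still carry the factory defaults or that equal each other."""
    findings = []
    for role, value in (("read", read_community), ("write", write_community)):
        if value in DEFAULT_COMMUNITIES:
            findings.append(f"{role} community is the factory default '{value}'")
    if read_community == write_community:
        findings.append("read and write communities are identical; read-only access becomes read-write")
    return findings


def check_management_networks(snmp_ro: List[str], snmp_rw: List[str]) -> List[str]:
    """Apply the note above: no snmp-ro subnet may overlap an snmp-rw subnet (IPv4 and IPv6 alike)."""
    findings = []
    if not snmp_ro and not snmp_rw:
        findings.append("no management-network restriction; SNMP answers any routable address")
    ro_nets = [ip_network(n, strict=False) for n in snmp_ro]
    rw_nets = [ip_network(n, strict=False) for n in snmp_rw]
    for ro in ro_nets:
        for rw in rw_nets:
            # overlaps() is only meaningful within one address family
            if ro.version == rw.version and ro.overlaps(rw):
                findings.append(f"snmp-ro {ro} overlaps snmp-rw {rw}")
    return findings


def audit_snmp_plan(plan: Dict) -> List[str]:
    """Run every check over a planned configuration and return the combined findings."""
    return (check_communities(plan["read_community"], plan["write_community"])
            + check_management_networks(plan["snmp_ro"], plan["snmp_rw"]))


# Constructed planned configuration (not from the page): defaults left in place, and a
# read-only /24 that sits inside the read-write /16, which the note above forbids.
EXAMPLE_PLAN = {
    "read_community": "public",
    "write_community": "private",
    "snmp_ro": ["10.1.20.0/24", "2001:db8:20::/64"],
    "snmp_rw": ["10.1.0.0/16", "2001:db8:10::/64"],
}

if __name__ == "__main__":
    for finding in audit_snmp_plan(EXAMPLE_PLAN):
        print("finding:", finding)
```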
BOOTP/DHCP Client IP Address Services

For remote switch administration, the client terminal device must have a valid IP address on the same network as a switch interface. The IP address on the client device may be configured manually, or obtained automatically using IPv6 stateless address configuration, or an IPv4 address may be obtained automatically via BOOTP or DHCP relay as discussed in the next section.

The G8264CS can function as a relay agent for Bootstrap Protocol (BOOTP) or DHCP. This allows clients to be assigned an IPv4 address for a finite lease period, reassigning freed addresses later to other clients.

Acting as a relay agent, the switch can forward a client's IPv4 address request to up to five BOOTP/DHCP servers. In addition to the five global BOOTP/DHCP servers, up to five domain-specific BOOTP/DHCP servers can be configured for each of up to 10 VLANs.

When a switch receives a BOOTP/DHCP request from a client seeking an IPv4 address, the switch acts as a proxy for the client. The request is forwarded as a UDP Unicast MAC layer message to the BOOTP/DHCP servers configured for the client's VLAN, or to the global BOOTP/DHCP servers if no domain-specific BOOTP/DHCP servers are configured for the client's VLAN. The servers respond to the switch with a Unicast reply that contains the IPv4 default gateway and the IPv4 address for the client. The switch then forwards this reply back to the client.

DHCP is described in RFC 2131, and the DHCP relay agent supported on the G8264CS is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.

BOOTP and DHCP relay are collectively configured using the BOOTP commands and menus on the G8264CS.
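The relay behaviour just described (domain-specific servers for the client's VLAN, global servers otherwise, replies returned to the client) rests on the giaddr and hops fields of the BOOTP header from RFC 951/2131 and the relay rules of RFC 1542. The following is an added model of that decision, not ENOS code: the RelayConfig layout, the VLAN numbers and server addresses are constructed for illustration, and the hop threshold of 4 is the RFC 1542 recommended default rather than a switch setting.

```python
"""Model of the BOOTP/DHCP relay decision described above (added example, not ENOS code)."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# Fixed BOOTP header (RFC 951 / RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file = 236 bytes; options follow.
BOOTP_FIXED = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68     # RFC 2131: client->server on 67, server->client on 68
MAX_HOPS = 4                          # RFC 1542 recommended default threshold (hard limit is 16)
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # DHCP options magic cookie, followed by option 255 (end)


@dataclass
class RelayConfig:
    """Constructed relay configuration: global servers plus optional per-VLAN (domain-specific) lists."""
    global_servers: List[str]
    vlan_servers: Dict[int, List[str]] = field(default_factory=dict)
    interface_ip: Dict[int, str] = field(default_factory=dict)   # relay IP interface per VLAN


def build_bootrequest(xid: int, chaddr: bytes, hops: int = 0, giaddr: str = "0.0.0.0") -> bytes:
    """Constructed client BOOTREQUEST (Ethernet hardware address, no DHCP options beyond the end marker)."""
    return struct.pack(BOOTP_FIXED, BOOTREQUEST, 1, 6, hops, xid, 0, 0,
                       bytes(4), bytes(4), bytes(4), IPv4Address(giaddr).packed,
                       chaddr.ljust(16, b"\0"), bytes(64), bytes(128)) + MAGIC_COOKIE + b"\xff"


def relay_request(cfg: RelayConfig, vlan: int, pkt: bytes) -> List[Tuple[str, int, bytes]]:
    """Return the (server, port, packet) unicasts the relay should send for a request seen on `vlan`."""
    hdr = list(struct.unpack(BOOTP_FIXED, pkt[:236]))
    if hdr[0] != BOOTREQUEST:
        return []
    hdr[3] += 1                                   # RFC 1542 4.1.1: increment hops ...
    if hdr[3] > MAX_HOPS:
        return []                                 # ... and drop requests that exceed the threshold
    if IPv4Address(hdr[10]) == IPv4Address("0.0.0.0"):
        # First relay on the path stamps giaddr with the address of the receiving interface,
        # which is how the server picks the subnet and how the reply finds its way back.
        hdr[10] = IPv4Address(cfg.interface_ip[vlan]).packed
    out = struct.pack(BOOTP_FIXED, *hdr) + pkt[236:]
    # Domain-specific servers for the client's VLAN win; otherwise fall back to the global list.
    servers = cfg.vlan_servers.get(vlan) or cfg.global_servers
    return [(server, SERVER_PORT, out) for server in servers]


def relay_reply(cfg: RelayConfig, pkt: bytes):
    """Accept a BOOTREPLY only if giaddr names one of our relay interfaces; return (vlan, client port)."""
    hdr = struct.unpack(BOOTP_FIXED, pkt[:236])
    if hdr[0] != BOOTREPLY:
        return None
    giaddr = str(IPv4Address(hdr[10]))
    for vlan, ip in cfg.interface_ip.items():
        if ip == giaddr:
            return vlan, CLIENT_PORT
    return None


if __name__ == "__main__":
    cfg = RelayConfig(global_servers=["10.0.0.5", "10.0.0.6"],
                      vlan_servers={20: ["10.20.0.5"]},
                      interface_ip={10: "10.10.0.1", 20: "10.20.0.1"})
    req = build_bootrequest(0x1234, b"\x00\x11\x22\x33\x44\x55")
    for server, port, _ in relay_request(cfg, 10, req):
        print(f"VLAN 10 request -> {server}:{port}")
```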
DHCP Host Name Configuration

The G8264CS supports DHCP host name configuration as described in RFC 2132, option 12. DHCP host name configuration is enabled by default.

Host name can be manually configured using the following command:

   RS 8264CS(config)# hostname

If the host name is manually configured, the switch does not replace it with the host name received from the DHCP server.

After the host name is configured on the switch, if DHCP or DHCP host name configuration is disabled, the switch retains the host name.

The switch prompt displays the host name.

Host name configuration can be enabled or disabled using the following command:

   RS 8264CS(config)# [no] system dhcp hostname
42 G8264CS Application Guide for ENOS 8.4
DHCP SYSLOG Server

During switch startup, if the switch fails to get the configuration file, a message can be recorded in the SYSLOG server.

The G8264CS supports requesting a SYSLOG server IP address from the DHCP server as described in RFC 2132, option 7. The DHCP SYSLOG server request option is enabled by default.

A manually configured SYSLOG server takes priority over a DHCP-learned SYSLOG server.

Up to two SYSLOG server addresses received from the DHCP server can be used. The SYSLOG server can be learnt over a management port or a data port.

Use the RS 8264CS# show logging command to view the SYSLOG server address.

The DHCP SYSLOG server address option can be enabled or disabled using the following command:

    RS 8264CS(config)# [no] system dhcp syslog

Global BOOTP Relay Agent Configuration

To enable the G8264CS to be a BOOTP (or DHCP) forwarder, enable the BOOTP relay feature, configure up to four global BOOTP server IPv4 addresses on the switch, and enable BOOTP relay on the interface(s) on which the client requests are expected.

Generally, it is best to configure BOOTP for the switch IP interface that is closest to the client, so that the BOOTP server knows from which IPv4 subnet the newly allocated IPv4 address will come.

In the G8264CS implementation, there are no primary or secondary BOOTP servers. The client request is forwarded to all the global BOOTP servers configured on the switch (if no domain-specific servers are configured). The use of multiple servers provides failover redundancy. However, no health checking is supported.

1. Use the following commands to configure global BOOTP relay servers:

    RS 8264CS(config)# ip bootp-relay enable
    RS 8264CS(config)# ip bootp-relay server address

2. Enable BOOTP relay on the appropriate IP interfaces.

BOOTP/DHCP relay functionality may be assigned on a per-interface basis using the following commands:

    RS 8264CS(config)# interface ip
    RS 8264CS(config-ip-if)# relay
    RS 8264CS(config-ip-if)# exit
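The relay behaviour just described (giaddr set to the interface closest to the client, the request copied to every configured server with no primary/secondary distinction, the reply handed back to the client), together with the Option 82 insertion and removal covered in the "DHCP Option 82" section below, modelled as an added Python example. This is not Lenovo code; the packet layout follows RFC 2131/1542/3046, and the addresses, remote-id string and the `RelayAgent`, `build_dhcp`, `parse_options` and `set_options` names are constructed for the example.

```python
# Added example (not Lenovo code); constructed packets and addresses, RFC 2131/1542/3046 layout.
import struct
from dataclasses import dataclass, field

HDR_LEN = 236                         # fixed BOOTP header, options follow the magic cookie
MAGIC = b"\x63\x82\x53\x63"
OPT_RELAY_AGENT, OPT_END = 82, 255    # RFC 3046 relay agent information option, end marker

def build_dhcp(op, chaddr, options=b""):
    """Minimal message: op, htype=1, hlen=6, hops=0, zeroed xid..giaddr, chaddr, sname, file."""
    hdr = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 24
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 192
    return hdr + MAGIC + options + bytes([OPT_END])

def parse_options(pkt):
    """Ordered list of (code, value) TLVs after the cookie; pad (0) bytes are skipped."""
    assert pkt[HDR_LEN:HDR_LEN + 4] == MAGIC
    i, out = HDR_LEN + 4, []
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        out.append((code, pkt[i + 2:i + 2 + length]))
        i += 2 + length
    return out

def set_options(pkt, options):
    """Rebuild the options field, keeping the fixed header."""
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return pkt[:HDR_LEN + 4] + body + bytes([OPT_END])

@dataclass
class RelayAgent:
    """interface_ip is the IP interface closest to the clients (it becomes giaddr);
    servers are the global BOOTP/DHCP servers, all treated equally."""
    interface_ip: str
    servers: list
    insert_option82: bool = True                   # ip bootp-relay information enable
    remote_id: bytes = b"g8264cs-example"          # constructed switch identifier
    forwarded: list = field(default_factory=list)  # (server, dst_port, packet) log

    def relay_request(self, pkt, vlan, port):
        """Client request (op=1) -> one unicast copy to every server on UDP port 67."""
        opts = parse_options(pkt)
        if self.insert_option82:
            # sub-options 1 = Circuit ID (VLAN, ingress port), 2 = Remote ID; option 82 goes last
            circuit = struct.pack("!HH", vlan, port)
            opts.append((OPT_RELAY_AGENT, bytes([1, len(circuit)]) + circuit
                         + bytes([2, len(self.remote_id)]) + self.remote_id))
        pkt = bytearray(set_options(pkt, opts))
        pkt[3] += 1                                # hops, per RFC 1542
        if pkt[24:28] == b"\x00" * 4:              # giaddr: set only by the first relay
            pkt[24:28] = bytes(int(x) for x in self.interface_ip.split("."))
        pkt = bytes(pkt)
        for srv in self.servers:                   # no primary/secondary, no health check
            self.forwarded.append((srv, 67, pkt))
        return pkt

    def relay_reply(self, pkt):
        """Server reply (op=2) sent to giaddr -> strip option 82, forward to client on 68."""
        return set_options(pkt, [(c, v) for c, v in parse_options(pkt) if c != OPT_RELAY_AGENT])
```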
Domain-Specific BOOTP Relay Agent Configuration

Use the following commands to configure up to five domain-specific BOOTP relay agents for each of up to 10 VLANs:

    RS 8264CS(config)# ip bootp-relay bcast-domain vlan
    RS 8264CS(config)# ip bootp-relay bcast-domain server address
    RS 8264CS(config)# ip bootp-relay bcast-domain enable

As with global relay agent servers, domain-specific BOOTP/DHCP functionality may be assigned on a per-interface basis (see Step 2 on page 42).

DHCP Option 82

DHCP Option 82 provides a mechanism for generating IP addresses based on the client device's location in the network. When you enable the DHCP relay agent option on the switch, it inserts the relay agent information option 82 in the packet, and sends a unicast BOOTP request packet to the DHCP server. The DHCP server uses the option 82 field to assign an IP address, and sends the packet, with the original option 82 field included, back to the relay agent. The DHCP relay agent strips off the option 82 field in the packet and sends the packet to the DHCP client.

Configuration of this feature is optional. The feature helps resolve several issues where untrusted hosts access the network. See RFC 3046 for details.

Use the following commands to configure DHCP Option 82:

    RS 8264CS(config)# ip bootp-relay information enable    (Enable Option 82)
    RS 8264CS(config)# ip bootp-relay enable                (Enable DHCP relay)
    RS 8264CS(config)# ip bootp-relay server address

DHCP Snooping

DHCP snooping provides security by filtering untrusted DHCP packets and by building and maintaining a DHCP snooping binding table. This feature is applicable only to IPv4 and only works in non-stacking mode.

An untrusted interface is a port that is configured to receive packets from outside the network or firewall. A trusted interface receives packets only from within the network. By default, all DHCP ports are untrusted.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and port number that correspond to the local untrusted interface on the switch; it does not contain information regarding hosts interconnected with a trusted interface.

By default, DHCP snooping is disabled on all VLANs. You can enable DHCP snooping on one or more VLANs. You must enable DHCP snooping globally. To enable this feature, enter the following commands:

    RS 8264CS(config)# ip dhcp snooping vlan
    RS 8264CS(config)# ip dhcp snooping
Following is an example of DHCP snooping configuration, where the DHCP server and client are in VLAN 100, and the server connects using port 24.

    RS 8264CS(config)# ip dhcp snooping vlan 100
    RS 8264CS(config)# ip dhcp snooping
    RS 8264CS(config)# interface port 24
    RS 8264CS(config-if)# ip dhcp snooping trust                       (Optional; Set port as trusted)
    RS 8264CS(config-if)# ip dhcp snooping information option-insert   (Optional; add DHCP option 82)
    RS 8264CS(config-if)# ip dhcp snooping limit rate 100              (Optional; Set DHCP packet rate)
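The filtering and binding-table behaviour described in this section (server messages dropped on untrusted ports, bindings kept only for hosts behind untrusted ports, and the optional per-port DHCP packet rate limit), as an added Python model that is not Lenovo code. The `DhcpMsg`, `Binding` and `DhcpSnooper` names, the per-port-per-second granularity of the rate limit, and all sample MAC and IP values are assumptions made for the example.

```python
# Added example (not Lenovo code); message fields and rate-limit granularity are assumptions.
from dataclasses import dataclass

DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7   # option 53 message types
SERVER_MSGS = {OFFER, ACK, NAK}                                  # only a server sends these

@dataclass(frozen=True)
class DhcpMsg:
    """Constructed view of a DHCP packet as the switch sees it."""
    msg_type: int
    vlan: int
    port: int                 # ingress port
    client_mac: str           # chaddr
    yiaddr: str = "0.0.0.0"   # address assigned by the server (OFFER/ACK)
    lease: int = 0            # option 51, seconds

@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    binding_type: str
    vlan: int
    port: int

class DhcpSnooper:
    def __init__(self, snooping_vlans, trusted_ports, rate_limits=None):
        self.vlans = set(snooping_vlans)             # ip dhcp snooping vlan <n>, plus global enable
        self.trusted = set(trusted_ports)            # ports with 'ip dhcp snooping trust'
        self.rate_limits = dict(rate_limits or {})   # port -> max DHCP packets per second
        self.bindings = {}                           # (vlan, mac) -> Binding
        self.pending = {}                            # (vlan, mac) -> untrusted port of requester
        self.counts = {}                             # (port, second) -> packets seen
        self.dropped = []

    def process(self, m, now=0.0):
        """Return True if the switch forwards the packet, False if it is dropped."""
        if m.vlan not in self.vlans:
            return True                              # snooping off on this VLAN: no filtering
        limit = self.rate_limits.get(m.port)
        if limit is not None:                        # ip dhcp snooping limit rate <pps>
            key = (m.port, int(now))
            self.counts[key] = self.counts.get(key, 0) + 1
            if self.counts[key] > limit:
                self.dropped.append(m)
                return False
        if m.port in self.trusted:
            if m.msg_type == ACK:
                client_port = self.pending.pop((m.vlan, m.client_mac), None)
                if client_port is not None:          # only hosts behind untrusted ports recorded
                    self.bindings[(m.vlan, m.client_mac)] = Binding(
                        m.client_mac, m.yiaddr, m.lease, "dynamic", m.vlan, client_port)
            return True
        if m.msg_type in SERVER_MSGS:                # server traffic on an untrusted port
            self.dropped.append(m)
            return False
        if m.msg_type in (DISCOVER, REQUEST):
            self.pending[(m.vlan, m.client_mac)] = m.port
        elif m.msg_type == RELEASE:
            self.bindings.pop((m.vlan, m.client_mac), None)
        return True
```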
Easy Connect Wizard

Lenovo Easy Connect (EZC) is a feature designed to simplify switch configuration. A set of predefined configurations can be applied on the switch via ISCLI. By launching the EZC Wizard, you are prompted for a minimal set of input and the tool automatically customizes the switch software.

The EZC Wizard allows you to choose one of the following configuration modes:

    Basic System mode supports settings for hostname, static management port IP, netmask, and gateway.

    Transparent mode collects server and uplink port settings. vNIC groups are used to define the loop-free domains.

    Note: You can either accept the static defaults or enter a different port list for uplink and/or server ports.

    Redundant mode refers to VLAG settings.

The EZC configuration will be applied immediately. Any existing configuration will be deleted; the current active or running configuration will not be merged or appended to the EZC configuration.

Any custom settings that are not included in the predefined configuration sets must be configured manually by the user.

Note: To support scripting, the feature also has a single-line format. For more information, please refer to the Lenovo Networking ISCLI Reference Guide.
Configuring the Easy Connect Wizard

To launch the EZC Wizard, use the following command:

    RS 8264CS# easyconnect

The wizard displays the available predefined configuration modes. You are prompted to select one of the following options:

    RS 8264CS# easyconnect
    Auto configures the switch into a set configuration based on the input provided.
    Current configuration will be overwritten with auto configuration settings.
    The wizard can be canceled anytime by pressing Ctrl+C.
    Select which of the following features you want enabled:
    #Configure Basic system (yes/no)?
    #Configure Transparent mode (yes/no)?
    #Configure Switch Redundant mode (yes/no)?
Basic System Mode Configuration Example

This example shows the parameters available for configuration in Basic System mode:

    RS 8264CS# easyconnect
    Configure Basic system (yes/no)? y
    Please enter "none" for no hostname.
    Enter hostname(Default: None)? host
    Please enter "dhcp" for dhcp IP.
    Select management IP address (Current: 10.241.13.32)?
    Enter management netmask(Current: 255.255.255.128)?
    Enter management gateway:(Current: 10.241.13.1)?
    Pending switch port configuration:
    Hostname: host
    Management interface:
      IP: 10.241.13.32
      Netmask: 255.255.255.128
      Gateway: 10.241.13.1
    Confirm erasing current config to re-configure Easy Connect (yes/no)?

Note: You can either accept the default values or enter new parameters.

Transparent Mode Configuration Example

This example shows the parameters available for configuration in Transparent mode:

    RS 8264CS# #easyconnect
    Configure Transparent mode (yes/no)? y
    Select Uplink Ports (Static Defaults: 17-24)?
    The following Uplink ports will be enabled:
      Uplink ports(1G/10G): 17-24
    Select Server Ports (Static Defaults: 25-64)?
    The following Server ports will be enabled:
      Server ports(1G/10G): 25-64
    Pending switch configuration:
    Uplink Ports: 17-24
    Server Ports: 25-64
    Disabled Ports: 1,5,9,13
    Confirm erasing current config to re-configure Easy Connect (yes/no)?

Notes:

    If your selection for a port group contains ports of different mode or speed, the selection is not valid and you are guided to either select other ports or change the speed of the ports.

    You can either accept the static defaults or enter a different port list for uplink and/or server ports.
Redundant Mode Configuration Example

This example shows the parameters available for configuration in Redundant mode:

    RS 8264CS# #easyconnect
    Configure Switch Redundant mode (yes/no)? y
    Note: It is recommended to select Basic system configuration in order to set the management IP address used for vLAG health check.
    Configure Basic system (yes/no)? y
    Configure this switch as vLAG Primary or Secondary Peer (primary/secondary)? prim
    Select ISL Ports (Static Defaults: 1-16)?
    The following ISL ports will be enabled:
      ISL ports(40G) : 1-16
    Select vLAG TierID (Default: 101)?
    Select management IP address (Current: 192.168.49.50)?
    Enter management netmask (Current: 255.255.255.0)?
    Select Peer IP address for vLAG healthcheck (Default: 1.1.1.2)?
    Warning: vLAG healthcheck Peer IP is not reachable.
    Do you want to select another Peer IP (yes/no)? y
    Select Peer IP address for vLAG healthcheck (Default: 1.1.1.2)?
    Warning: vLAG healthcheck Peer IP is not reachable.
    Do you want to select another Peer IP (yes/no)? n
    Select Uplink Ports (Static Defaults: 17-24)?
    The following Uplink ports will be enabled:
      Uplink ports(1G/10G): 17-24
    Select Downlink Ports (Static Defaults: 25-64)?
    The following Downlink ports will be enabled:
      Downlink ports(1G/10G): 25-64
    Please enter "none" for no hostname.
    Enter hostname(Default: Primary VLAG)?
    Please enter "none" for no gateway.
    Enter management gateway:(Default: 0.0.0.0)?
    Pending switch configuration:
    vLAG switch type: Primary
    ISL Ports: 1-16
    vLAG TierID: 101
    vLAG Peer IP: 1.1.1.2
    Uplink Ports: 17-24
    Downlink Ports: 25-64
    Disabled Ports: empty
    Hostname: Primary VLAG
    Management interface:
      IP: 192.168.49.50
      Netmask: 255.255.255.0
      Gateway: 0.0.0.0
    Confirm erasing current config to re-configure Easy Connect (yes/no)?

Notes:

    If your selection for a port group contains ports of different speed, the selection is not valid, and you are guided to either select other ports or change the speed of the ports.

    All unused ports are configured as shutdown in the configuration dump.

    You can either accept the static defaults or enter a different port list for ISL, uplink, and/or downlink ports.
Switch Login Levels

To enable better switch management and user accountability, three levels or classes of user access have been implemented on the G8264CS. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:

    User interaction with the switch is completely passive; nothing can be changed on the G8264CS. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.

    Operators can only effect temporary changes on the G8264CS. These changes will be lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation.

    Administrators are the only ones that may make permanent changes to the switch configuration, that is, changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the G8264CS. Because administrators can also make temporary (operator-level) changes, they must be aware of the interactions between temporary and permanent changes.

Access to switch functions is controlled through the use of unique user names and passwords. Once you are connected to the switch via console, remote Telnet, or SSH, you are prompted to enter a password. The default user names/passwords for each access level are listed in the following table.

Note: It is recommended that you change the default switch passwords after initial configuration and as regularly as required under your network security policies.

Table 2. User Access Levels Default Settings

User Account: user
Password: user
Description and Tasks Performed: The User has no direct responsibility for switch management. He or she can view all switch status information and statistics, but cannot make any configuration changes to the switch.
Status: Disabled

User Account: oper
Password: oper
Description and Tasks Performed: The Operator manages all functions of the switch. The Operator can reset ports, except the management ports.
Status: Disabled

User Account: admin
Password: admin
Description and Tasks Performed: The superuser Administrator has complete access to all menus, information, and configuration commands on the G8264CS, including the ability to change both the user and administrator passwords.
Status: Enabled
Note: Access to each user level (except the admin account) can be disabled by setting the password to an empty value. To disable the admin account, use the command no access user administrator-enable. The admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege.
Setup vs. the Command Line

Once the administrator password is verified, you are given complete access to the switch. If the switch is still set to its factory default configuration, you will need to run Setup (see Chapter 2, Initial Setup), a utility designed to help you through the first-time configuration process. If the switch has already been configured, the command line is displayed instead.
Idle Disconnect

By default, the switch will disconnect your Telnet session after 10 minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 0 to 60 minutes, where 0 means the session will never time out.

Use the following command to set the idle timeout value:

    RS 8264CS(config)# system idle
Boot Strict Mode

The implementations specified in this section are compliant with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131A.

The RackSwitch G8264CS can operate in two boot modes:

    Compatibility mode (default): This is the default switch boot mode. This mode may use algorithms and key lengths that are not allowed or acceptable under the NIST SP 800-131A specification. This mode is useful in maintaining compatibility with previous releases and in environments that have lesser data security requirements.

    Strict mode: Encryption algorithms, protocols, and key lengths in strict mode are compliant with the NIST SP 800-131A specification.

When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch.

Before enabling strict mode, ensure the following:

    The software version on all connected switches is Enterprise NOS 8.4.

    The supported protocol versions and cryptographic cipher suites between clients and servers are compatible. For example: if using SSH to connect to the switch, ensure that the SSH client supports SSHv2 and a strong cipher suite that is compliant with the NIST standard.

    A compliant Web server certificate is installed on the switch, if using BBI.

    A new self-signed certificate is generated for the switch (RS 8264CS(config)# access https generate-certificate). The new certificate is generated using a 2048-bit RSA key and SHA-256 digest.

    Protocols that are not NIST SP 800-131A compliant must be disabled or not used.

    Only SSHv2 or higher is used.

    The current configuration, if any, is saved in a location external to the switch. When the switch reboots, both the startup and running configuration are lost.

Only protocols/algorithms compliant with the NIST SP 800-131A specification are used/enabled on the switch. Please see the NIST SP 800-131A publication for details. The following table lists the acceptable protocols and algorithms:
Table 3. Acceptable Protocols and Algorithms

Each entry lists the Protocol/Function, followed by the Strict Mode Algorithm and the Compatibility Mode Algorithm.

BGP
    Strict mode: BGP does not comply with the NIST SP 800-131A specification. When in strict mode, BGP is disabled. However, it can be enabled, if required.
    Compatibility mode: Acceptable

Certificate Generation
    Strict mode: RSA-2048, SHA-256
    Compatibility mode: RSA-2048, SHA-256

Certificate Acceptance
    Strict mode: RSA-2048 or higher, SHA-224 or higher
    Compatibility mode: RSA, SHA, SHA-2

HTTPS
    Strict mode: TLS 1.2 only; see Acceptable Cipher Suites on page 56
    Compatibility mode: TLS 1.0, 1.1, 1.2; see Acceptable Cipher Suites on page 56

IKE
    Key Exchange, strict mode: DH Group 24
    Key Exchange, compatibility mode: DH group 1, 2, 5, 14, 24
    Encryption, strict mode: 3DES, AES-128-CBC
    Encryption, compatibility mode: 3DES, AES-128-CBC
    Integrity, strict mode: HMAC-SHA1
    Integrity, compatibility mode: HMAC-SHA1, HMAC-MD5

IPSec
    AH, strict mode: HMAC-SHA1
    AH, compatibility mode: HMAC-SHA1, HMAC-MD5
    ESP, strict mode: 3DES, AES-128-CBC, HMAC-SHA1
    ESP, compatibility mode: 3DES, AES-128-CBC, HMAC-SHA1, HMAC-MD5

LDAP
    Strict mode: LDAP does not comply with the NIST SP 800-131A specification. When in strict mode, LDAP is disabled. However, it can be enabled, if required.
    Compatibility mode: Acceptable

OSPF
    Strict mode: OSPF does not comply with the NIST SP 800-131A specification. When in strict mode, OSPF is disabled. However, it can be enabled, if required.
    Compatibility mode: Acceptable

RADIUS
    Strict mode: RADIUS does not comply with the NIST SP 800-131A specification. When in strict mode, RADIUS is disabled. However, it can be enabled, if required.
    Compatibility mode: Acceptable

Random Number Generator
    Strict mode: NIST SP 800-90A AES CTR DRBG
    Compatibility mode: NIST SP 800-90A AES CTR DRBG

Secure NTP
    Strict mode: Secure NTP does not comply with the NIST SP 800-131A specification. When in strict mode, secure NTP is disabled. However, it can be enabled, if required.
    Compatibility mode: Acceptable

SLP
    Strict mode: SHA-256 or higher, RSA/DSA 2048 or higher

SNMP
    Strict mode: SNMPv3 only; AES-128-CFB-128/SHA1
    Note: The following algorithms are acceptable if you choose to support old SNMPv3 factory default users: AES-128-CFB/SHA1, DES/MD5, AES-128-CFB-128/SHA1
    Compatibility mode: SNMPv1, SNMPv2, SNMPv3; DES/MD5, AES-128-CFB-128/SHA1

SSH/SFTP
    Host Key, strict mode: SSH-RSA
    Host Key, compatibility mode: SSH-RSA
    Key Exchange, strict mode: ECDH-SHA2-NISTP521, ECDH-SHA2-NISTP384, ECDH-SHA2-NISTP256, ECDH-SHA2-NISTP224, RSA2048-SHA256, DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256, DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA1
    Key Exchange, compatibility mode: ECDH-SHA2-NISTP521, ECDH-SHA2-NISTP384, ECDH-SHA2-NISTP256, ECDH-SHA2-NISTP224, ECDH-SHA2-NISTP192, RSA2048-SHA256, RSA1024-SHA1, DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256, DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA1, DIFFIE-HELLMAN-GROUP14-SHA1, DIFFIE-HELLMAN-GROUP1-SHA1
    Encryption, strict mode: AES128-CTR, AES128-CBC, 3DES-CBC
    Encryption, compatibility mode: AES128-CTR, AES128-CBC, RIJNDAEL128-CBC, BLOWFISH-CBC, 3DES-CBC, ARCFOUR256, ARCFOUR128, ARCFOUR
    MAC, strict mode: HMAC-SHA1, HMAC-SHA1-96
    MAC, compatibility mode: HMAC-SHA1, HMAC-SHA1-96, HMAC-MD5, HMAC-MD5-96

TACACS+
    Strict mode: TACACS+ does not comply with the NIST SP 800-131A specification. When in strict mode, TACACS+ is disabled. However, it can be enabled, if required.
    Compatibility mode: Acceptable
Acceptable Cipher Suites

The following cipher suites are acceptable (listed in the order of preference) when the RackSwitch G8264CS is in compatibility mode:

Table 4. List of Acceptable Cipher Suites in Compatibility Mode

    Cipher ID  Key Exchange  Authentication  Encryption   MAC     Cipher Name
    0xC027     ECDHE         RSA             AES_128_CBC  SHA256  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    0xC013     ECDHE         RSA             AES_128_CBC  SHA1    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0xC012     ECDHE         RSA             3DES         SHA1    SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    0xC011     ECDHE         RSA             RC4          SHA1    SSL_ECDHE_RSA_WITH_RC4_128_SHA
    0x002F     RSA           RSA             AES_128_CBC  SHA1    TLS_RSA_WITH_AES_128_CBC_SHA
    0x003C     RSA           RSA             AES_128_CBC  SHA256  TLS_RSA_WITH_AES_128_CBC_SHA256
    0x0005     RSA           RSA             RC4          SHA1    SSL_RSA_WITH_RC4_128_SHA

The following cipher suites are acceptable (listed in the order of preference) when the RackSwitch G8264CS is in strict mode: