BLADE OS™ Application Guide RackSwitch™ G8000 Version 5.1 Part Number: BMD00136_rev 1, November 2009 2350 Mission College Blvd. Suite 600 Santa Clara, CA 95054 www.bladenetwork.
BLADE OS 5.1 Application Guide Copyright © 2010 Blade Network Technologies, Inc., 2350 Mission College Blvd., Suite 600, Santa Clara, California, 95054, USA. All rights reserved. Part Number: BMD00136. This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Blade Network Technologies, Inc.
Contents Preface 11 Who Should Use This Guide 11 What You’ll Find in This Guide 11 Typographic Conventions 13 How to Get Help 14 Chapter 1: Accessing the Switch 15 Configuring an IP Interface 15 Using Telnet 17 BOOTP Relay Agent 17 DHCP Relay Agent 18 Using the Browser-Based Interface 19 Configuring BBI access via HTTP 19 Configuring BBI access via HTTPS 20 Using SNMP 22 SNMP v1, v2 22 SNMP v3.
Supported RADIUS Attributes 45 Configuration Guidelines 46 Chapter 3: VLANs 47 Overview 47 VLANs and Port VLAN ID Numbers 48 VLAN Numbers 48 PVID Numbers 48 VLAN Tagging 50 VLAN Topologies and Design Considerations 54 VLAN Configuration Rules 54 Multiple VLANs with Tagging Adapters 55 VLAN Configuration Example 57 Protocol-Based VLANs 58 Port-Based vs.
Preface The RackSwitch G8000 Application Guide describes how to configure and use the software on the RackSwitch G8000 switch. For documentation about installing the switch physically, see the Installation Guide for your switch. Who Should Use This Guide This Application Guide is intended for network installers and system administrators engaged in configuring and maintaining a network.
Chapter 6, “Link Layer Discovery Protocol,” describes how Link Layer Discovery Protocol helps neighboring network devices learn about each others’ ports and capabilities. Chapter 7, “Quality of Service,” discusses Quality of Service features, including IP filtering using Access Control Lists, Differentiated Services, and IEEE 802.1p priority values.
Typographic Conventions
The following table describes the typographic styles used in this book.
Table 1 Typographic Conventions
Typeface or Symbol | Meaning | Example
AaBbCc123 | This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts. | View the readme.txt file. Main#
AaBbCc123 (bold) | This bold type appears in command examples. It shows text that must be typed in exactly as shown. | Main# sys
How to Get Help If you need help, service, or technical assistance, call BLADE Network Technologies Technical Support: US toll free calls: 1-800-414-5268 International calls: 1-408-834-7871 You also can visit our web site at the following address: http://www.bladenetwork.net Click the Support tab. The warranty card received with your product provides details for contacting a customer support representative.
CHAPTER 1 Accessing the Switch The Blade OS software provides means for accessing, configuring, and viewing information and statistics about the RackSwitch G8000.
To access the switch, the following IP parameters must be configured: IP address, subnet mask, and default gateway address.
1. Log on to the switch.
2. Enter IP interface mode.
   RS G8000> enable
   RS G8000# configure terminal
   RS G8000 (config)# interface ip 1
3. Configure an IP interface, subnet mask, and VLAN assignment. Enable the interface.
Using Telnet A Telnet connection offers the convenience of accessing the switch from any workstation connected to an interface port. Telnet access provides the same options for user access and administrator access as those available through the console port. To configure the switch for Telnet access, the switch must have an IP address.
BOOTP Relay Agent Configuration To enable the G8000 to be the BOOTP forwarder, you need to configure the BOOTP server IP addresses on the switch, and enable BOOTP relay on the interface(s) on which the BOOTP requests are received. Generally, you should configure the command on the switch IP interface that is closest to the client, so that the BOOTP server knows from which IP subnet the newly allocated IP address should come.
DHCP Relay Agent Configuration To enable the G8000 to be the BOOTP forwarder, you need to configure the DHCP/BOOTP server IP addresses on the switch. Generally, you should configure the switch IP interface on the client side to match the client’s subnet, and configure VLANs to separate clients and server subnets. The DHCP server knows from which IP subnet the newly allocated IP address should come. In G8000 implementation, there is no need for primary or secondary servers.
For workstation access to your switch via the BBI, open a Web browser window and type in the URL using the IP interface address of the switch, such as: http://10.10.10.1
Configuring BBI access via HTTPS
The BBI can also be accessed via a secure HTTPS connection over interface ports.
1. Enable HTTPS. By default, BBI access via HTTPS is disabled on the switch. To enable BBI access via HTTPS, use the following command:
   >> # access https enable
2.
When a client (e.g. web browser) connects to the switch, the client is asked to accept the certificate and verify that the fields match what is expected. Once BBI access is granted to the client, the BBI can be used as described in the RackSwitch G8000 BBI Quick Guide. The BBI is organized at a high level as follows: Context buttons – These buttons allow you to select the type of action you wish to perform.
Using SNMP Blade OS provides SNMP v1.0 and SNMP v3.0 support for access through any network management software, such as IBM Director or HP-OpenView. SNMP v1, v2 To access the SNMP agent on the G8000, the read and write community strings on the SNMP manager should be configured to match those on the switch. The default read community string on the switch is public and the default write community string is private.
To configure an SNMP user name, enter the following command:
   RS G8000 (config)# snmp-server user <1-16> name <1-32>
User Configuration: Users can be configured to use the authentication/privacy options. The G8000 supports two authentication algorithms: MD5 and SHA, as specified in the following command:
   snmp-server user <1-16> authentication-protocol md5|sha
1.
Configuring SNMP Trap Hosts
SNMPv1 Trap Host Configuration
1. Configure a user with no authentication and password.
   RS G8000 (config)# snmp-server user 10 name v1trap
2. Configure an access group and group table entries for the user.
SNMPv2 Trap Host Configuration
The SNMPv2 trap host configuration is similar to the SNMPv1 trap host configuration. Wherever you specify the model, use snmpv2 instead of snmpv1.
SNMPv3 Trap Host Configuration
To configure a user for SNMPv3 traps, you can choose to send the traps with both privacy and authentication, with authentication only, or without privacy or authentication. This is configured in the access table using the following commands:
   RS G8000 (config)# snmp-server access <1-32> level
   RS G8000 (config)# snmp-server target-parameters <1-16>
Configure the user in the user table accordingly.
Securing Access to the Switch Secure switch management is needed for environments that perform significant management functions across the Internet.
How RADIUS Authentication Works 1. Remote administrator connects to the switch and provides user name and password. 2. Using Authentication/Authorization protocol, the switch sends request to authentication server. 3. Authentication server checks the request against the user ID database. 4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access.
RADIUS Authentication Features in Blade OS Blade OS supports the following RADIUS authentication features: Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866. Allows RADIUS secret password up to 32 bytes and less than 16 octets. Supports secondary authentication server so that when the primary authentication server is unreachable, the switch can send client authentication requests to the secondary authentication server.
Table 2 User Access Levels
User Account | Description and Tasks Performed | Password
Operator | The Operator manages all functions of the switch. The Operator can reset ports. | oper
Administrator | The super-user Administrator has complete access to all commands, information, and configuration commands on the switch, including the ability to change both the user and operator passwords. | admin
TACACS+ Authentication Blade OS supports authentication and authorization with networks using the Cisco Systems TACACS+ protocol. The G8000 functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the G8000 through a data port.
Authorization Authorization is the action of determining a user’s privileges on the device, and usually takes place after authentication. The default mapping between TACACS+ authorization levels and Blade OS management access levels is shown in Table 4. The authorization levels must be defined on the TACACS+ server.
Accounting Accounting is the action of recording a user's activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization is not performed via TACACS+, there are no TACACS+ accounting messages sent out. You can use TACACS+ to record and track software logins, configuration changes, and interactive commands.
Configuring TACACS+ Authentication
1. Configure the Primary and Secondary TACACS+ servers, and enable TACACS authentication.
   RS G8000 (config)# tacacs-server primary-host 10.10.1.1
   RS G8000 (config)# tacacs-server secondary-host 10.10.1.2
   RS G8000 (config)# tacacs-server enable
2. Configure the TACACS+ secret and second secret.
   RS G8000 (config)# tacacs-server primary-host 10.10.1.1 key <1-32 character secret>
   RS G8000 (config)# tacacs-server secondary-host 10.10.1.
Configuring the LDAP Server G8000 user groups and user accounts must reside within the same domain. On the LDAP server, configure the domain to include G8000 user groups and user accounts, as follows: User Accounts: Use the uid attribute to define each individual user account. User Groups: Use the members attribute in the groupOfNames object class to create the user groups.
Secure Shell Secure Shell (SSH) uses secure tunnels to encrypt and secure messages between a remote administrator and the switch. Telnet does not provide this level of security. The Telnet method of managing a G8000 does not provide a secure connection. SSH is a protocol that enables remote administrators to log securely into the G8000 over a network to execute management commands.
Generating RSA Host and Server Keys for SSH Access To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify the G8000. The server key is 768 bits and is used to make it impossible to decipher a captured session by breaking into the G8000 at a later time.
End User Access Control BLADE OS allows an administrator to define end user accounts that permit end users to perform operation tasks via the switch CLI commands. Once end user accounts are configured and enabled, the switch requires username/password authentication. For example, an administrator can assign a user, who can then log into the switch and perform operational commands (effective only until the next switch reboot).
Use the Strong Password commands to configure Strong Passwords.
   >> # access user strong-password enable
User Access Control
Use the end user access control commands to configure user IDs.
Setting Up User IDs, User Names, and Passwords
Up to 10 user IDs can be configured. Define each user name and password.
Listing Current Users The cur command displays defined user accounts and whether or not each user is currently logged into the switch.
CHAPTER 2 Port-based Network Access Control Port-Based Network Access control provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics. It prevents access to ports that fail authentication and authorization. This feature provides security to ports of the G8000 that connect to servers. The following topics are discussed in this section: “Extensible Authentication Protocol over LAN” on page 41 “802.
Authenticator The Authenticator enforces authentication and controls access to the network. The Authenticator grants network access based on the information provided by the Supplicant and the response from the Authentication Server.
Figure 1 Authenticating a Port Using EAPoL [figure not reproduced; it shows the RADIUS Server and the 802.1X components]
The RADIUS authentication server chooses an EAP-supported authentication algorithm to verify the client’s identity, and sends an EAP-Request packet to the client via the G8000 authenticator. The client then replies to the RADIUS server with an EAP-Response containing its credentials. Upon a successful authentication of the client by the server, the 802.
Supported RADIUS Attributes The G8000 802.1X Authenticator relies on external RADIUS servers for authentication with EAP. Table 6 lists the RADIUS attributes that are supported as part of RADIUS-EAP authentication based on the guidelines specified in Annex D of the 802.1X standard and RFC 3580.
Table 6 Support for RADIUS Attributes
# | Attribute | Attribute Value | A-R
1 | User-Name | 1 | The value of the Type-Data field from the supplicant’s EAP-Response/Identity message.
Configuration Guidelines When configuring EAPoL, consider the following guidelines: The 802.1X port-based authentication is currently supported only in point-to-point configurations, that is, with a single supplicant connected to an 802.1X-enabled switch port. When 802.1X is enabled, a port has to be in the authorized state before any other Layer 2 feature can be operationally enabled.
CHAPTER 3 VLANs This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs commonly are used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments.
VLANs and Port VLAN ID Numbers VLAN Numbers The G8000 supports up to 1024 VLANs per switch. Even though the maximum number of VLANs supported at any given time is 1024, each can be identified with any number between 1 and 4094. VLAN 1 is the default VLAN for all ports.
Viewing and Configuring PVIDs
Use the following CLI commands to view PVIDs:
Port information:
   RS G8000# show interface information
   Alias  Port  Tag  Edge  Lrn  Fld  PVID  NAME
   -----  ----  ---  ----  ---  ---  ----  -------------
   1      1     y    n     e    e    1     1
   2      2     y    n     e    e    1     2
   3      3     y    n     e    e    1     3
   4      4     y    n     e    e    1     4
   5      5     y    n     e    e    1     5
   6      6     y    n     e    e    1     6
   ...    ...   ...
VLAN Tagging Blade OS software supports IEEE 802.1Q VLAN tagging, providing standards-based VLAN support for Ethernet systems. Tagging places the VLAN identifier in the frame header of a packet, allowing each port to belong to multiple VLANs. When you add a port to multiple VLANs, you also must enable tagging on that port.
Figure 2 Default VLAN settings [figure not reproduced: an untagged packet (DA, SA, Data, CRC) enters an 802.1Q switch port with PVID = 1 and leaves as an untagged packet, unchanged] Key: By default, all ports are assigned PVID = 1 and all ports are untagged members of VLAN 1. Note – The port numbers specified in these illustrations may not directly correspond to the physical port configuration of your switch model.
Figure 3 Port-based VLAN assignment [figure not reproduced: "Before" view of an untagged packet arriving at a port with PVID = 2 on an 802.1Q switch; port 5 is a tagged member of VLAN 2 and other ports are untagged members of VLAN 2] As shown in Figure 4, the untagged packet is marked (tagged) as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2.
Figure 5 802.1Q tag assignment [figure not reproduced: "Before" view of a tagged packet (DA, SA, Tag, Data, CRC) arriving at a port with PVID = 2 on an 802.1Q switch; port 5 is a tagged member of VLAN 2 and other ports are untagged members of VLAN 2] As shown in Figure 6, the tagged packet remains unchanged as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2.
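The ingress and egress behaviour that Figures 2 through 6 illustrate can be written out as a small frame-rewriting model. The following Python is an added example, not code from the guide or from Blade Network Technologies; the frames, port numbers and membership table are constructed for the example and the frame check sequence is left out because switch hardware recomputes it on egress. It shows the three cases the figures describe: an untagged frame takes the PVID and is tagged on a tagged member, a tagged frame passes through a tagged member unchanged, and an untagged member strips the tag; it also refuses to forward onto a port that is not a member of the frame's VLAN.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # IEEE 802.1Q tag protocol identifier


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, vid, priority, ethertype, payload).

    vid and priority are None for an untagged frame. The FCS is not modelled;
    the switch hardware recomputes it on egress.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_VLAN:
        return dst, src, None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("802.1Q tag present but truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


def classify_ingress(frame: bytes, pvid: int):
    """Ingress: an untagged frame is assigned the port's PVID (priority 0);
    a tagged frame keeps the VID and priority carried in its tag."""
    dst, src, vid, prio, ethertype, payload = parse_frame(frame)
    if vid is None:
        vid, prio = pvid, 0
    return vid, prio, dst, src, ethertype, payload


def forward(frame: bytes, ingress_pvid: int, egress_port: int, membership: dict):
    """Egress: rebuild the frame for egress_port, or return None if that port is
    not a member of the frame's VLAN. membership maps port -> {vid: tagged?}."""
    vid, prio, dst, src, ethertype, payload = classify_ingress(frame, ingress_pvid)
    port_vlans = membership.get(egress_port, {})
    if vid not in port_vlans:
        return None  # not a member of this VLAN: do not flood the frame here
    if port_vlans[vid]:  # tagged member: emit (or keep) the 802.1Q tag
        tci = (prio << 13) | vid
        return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload
    return dst + src + struct.pack("!H", ethertype) + payload  # untagged member


# Constructed sample frames (not captured traffic): IPv4 ethertype, dummy payload.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"\x45" * 20
TAGGED_VLAN2 = DST + SRC + struct.pack("!HHH", ETHERTYPE_VLAN, (5 << 13) | 2, 0x0800) + b"\x45" * 20

# Constructed membership, following the figures: port 5 is a tagged member of
# VLAN 2, port 6 an untagged member of VLAN 2, port 7 belongs only to VLAN 1.
MEMBERSHIP = {5: {2: True}, 6: {2: False}, 7: {1: False}}

if __name__ == "__main__":
    out = forward(UNTAGGED, ingress_pvid=2, egress_port=5, membership=MEMBERSHIP)
    print("egress VID on port 5:", parse_frame(out)[2])
```

Running the block as a script prints the VLAN ID that the untagged frame carries after leaving port 5. The membership check matters for security as much as the tagging itself: a frame classified into VLAN 2 must never be rebuilt onto a port that is only a member of VLAN 1.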
VLAN Topologies and Design Considerations By default, the G8000 software is configured so that tagging is disabled on all ports. By default, the G8000 software is configured so that all ports are members of VLAN 1. If you configure Spanning Tree, note that Spanning Tree Groups 2-128 may contain only one VLAN. VLAN Configuration Rules VLANs operate according to specific configuration rules.
Multiple VLANs with Tagging Adapters Figure 7 illustrates a network topology described in Table 7 and the configuration example on page 57.
The features of this VLAN are described below:
Table 7 Multiple VLANs Example
Component | Description
G8000 switch | This switch is configured with three VLANs that represent three different IP subnets. Five ports are connected downstream to servers. Two ports are connected upstream to routing switches. Uplink ports are members of all three VLANs, with VLAN tagging enabled.
Server 1 | This server is a member of VLAN 1 and has presence in only one IP subnet.
VLAN Configuration Example
Use the following procedure to configure the example network shown in Figure 7.
1. Enable VLAN tagging on ports that support multiple VLANs.
   RS G8000 (config)# interface port 5
   RS G8000 (config-if)# tagging
   RS G8000 (config-if)# exit
2. Enable tagging on uplink ports that support multiple VLANs.
Protocol-Based VLANs Protocol-based VLANs (PVLANs) allow you to segment network traffic according to the network protocols in use. Traffic for supported network protocols can be confined to a particular port-based VLAN. You can give different priority levels to traffic generated by different network protocols. With PVLAN, the switch classifies incoming packets by Ethernet protocol of the packets, not by the configuration of the ingress port.
Port-Based vs. Protocol-Based VLANs Each VLAN supports both port-based and protocol-based association, as follows: The default VLAN configuration is port-based. All data ports are members of VLAN 1, with no PVLAN association. When you add ports to a PVLAN, the ports become members of both the port-based VLAN and the PVLAN. For example, if you add port 1 to PVLAN 1 on VLAN 2, the port also becomes a member of VLAN 2.
PVLAN Configuration Guidelines Consider the following guidelines when you configure protocol-based VLANs: Each port can support up to 16 VLAN protocols. The G8000 can support up to 16 protocols simultaneously. Each PVLAN must have at least one port assigned before it can be activated. The same port within a port-based VLAN can belong to multiple PVLANs. An untagged port can be a member of multiple PVLANs.
5. Enable the PVLAN.
   RS G8000 (config-vlan)# protocol-vlan 1 enable
6. Verify PVLAN operation.
   RS G8000 (config)# show protocol-vlan
   PVLAN  Protocol  FrameType  EtherType  Priority  Status  Ports
   -----  --------  ---------  ---------  --------  ------  -----------
   1      2         ether2     0800       2         ena     1, 2

   PVLAN  PVLAN-Tagged Ports
   -----  --------------------------
   1      1, 2
Private VLANs
Private VLANs provide Layer 2 isolation between the ports within the same broadcast domain.
Private VLAN Ports Private VLAN ports are defined as follows: Promiscuous—A promiscuous port is a port that belongs to the primary VLAN. The promiscuous port can communicate with all the interfaces, including ports in the secondary VLANs (Isolated VLAN and Community VLANs). Each promiscuous port can belong to only one Private VLAN. Isolated—An isolated port is a host port that belongs to an isolated VLAN.
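The isolation that the port definitions above describe reduces to one forwarding rule per pair of ports, which is worth writing down explicitly when auditing a private VLAN design. The following Python is an added example, not code from the guide or from Blade Network Technologies. The promiscuous behaviour follows the definition above; for the cases the excerpt does not spell out it assumes the conventional private VLAN semantics, namely that an isolated port reaches only promiscuous ports and a community port reaches promiscuous ports plus members of its own community. The topology and port names are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # belongs to the primary VLAN, reaches every port
    ISOLATED = "isolated"        # host port in the isolated VLAN
    COMMUNITY = "community"      # host port in a community VLAN


@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: PortType
    community: Optional[str] = None  # which community VLAN, for COMMUNITY ports only


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Layer 2 forwarding decision inside one private VLAN (same broadcast domain)."""
    if src.name == dst.name:
        return False  # never hairpin a frame back to its ingress port
    if PortType.PROMISCUOUS in (src.kind, dst.kind):
        return True   # promiscuous ports communicate with all interfaces
    if src.kind is PortType.COMMUNITY and dst.kind is PortType.COMMUNITY:
        return src.community == dst.community  # assumed: same community only
    return False      # assumed: isolated<->isolated and isolated<->community blocked


def reachability(ports: List[PvlanPort]) -> Dict[str, List[str]]:
    """For each port, the ports its frames may be forwarded to (in list order)."""
    return {p.name: [q.name for q in ports if can_forward(p, q)] for p in ports}


# Constructed topology: one promiscuous uplink, two isolated hosts, two communities.
PORTS = [
    PvlanPort("1", PortType.PROMISCUOUS),
    PvlanPort("2", PortType.ISOLATED),
    PvlanPort("3", PortType.ISOLATED),
    PvlanPort("4", PortType.COMMUNITY, "web"),
    PvlanPort("5", PortType.COMMUNITY, "web"),
    PvlanPort("6", PortType.COMMUNITY, "db"),
]

if __name__ == "__main__":
    for port, peers in reachability(PORTS).items():
        print(f"port {port} -> {', '.join(peers) or '(none)'}")
```

The reachability table is the artefact to compare against the intended segmentation: two isolated hosts that appear in each other's list, or a community that can reach another community, indicate a misassigned port type.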
Configuration Example
Follow this procedure to configure a Private VLAN.
1. Select a VLAN and define the Private VLAN type as primary.
   RS G8000 (config)# vlan 100
   RS G8000 (config-vlan)# enable
   RS G8000 (config-vlan)# member 2
   RS G8000 (config-vlan)# private-vlan type primary
   RS G8000 (config-vlan)# private-vlan enable
   RS G8000 (config-vlan)# exit
2. Configure a secondary VLAN and map it to the primary VLAN.
CHAPTER 4 Ports and Trunking Trunk groups can provide super-bandwidth, multi-link connections between switches or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link.
Each packet’s particular MAC or IP address information results in selecting one line in the trunk group for data transmission. The more data streams feeding the trunk lines, the more evenly traffic distribution becomes. Built-In Fault Tolerance Since each trunk group is comprised of multiple physical links, the trunk group is inherently fault tolerant. As long as one connection between the switches is available, the trunk remains active.
Static Trunk Group Configuration Rules The trunking (portchannel) feature operates according to specific configuration rules. When creating trunks, consider the following rules that determine how a trunk group reacts in any network topology: All trunks must originate from one device, and lead to one destination device. Any physical switch port can belong to only one trunk group. Trunking from third-party devices must comply with Cisco® EtherChannel® technology.
Port Trunking Example In the example below, three ports are trunked between two switches.
Figure 8 Port Trunk Group Configuration Example [figure not reproduced: Trunk 3 on the G8000 (ports 2, 23, and 30) connects to Trunk 1 on the other switch (ports 1, 7, and 32)]
Prior to configuring each switch in the above example, you must connect to the appropriate switch’s Command Line Interface (CLI) as the administrator.
3. Connect the switch ports that will be members in the trunk group. Trunk group 3 (on the G8000) is now connected to trunk group 1 (on the other switch). Note – In this example, two G8000 switches are used. If a third-party device supporting link aggregation is used (such as Cisco routers and switches with EtherChannel technology or Sun's Quad Fast Ethernet Adapter), trunk groups on the third-party device should be configured manually.
A port’s Link Aggregation Identifier (LAG ID) determines how the port can be aggregated. The Link Aggregation ID (LAG ID) is constructed mainly from the system ID and the port’s admin key, as follows: System ID is an integer value based on the switch’s MAC address and the system priority assigned in the CLI. Admin key A port’s Admin key is an integer value (1-65535) that you can configure in the CLI.
When the system is initialized, all ports by default are in LACP off mode and are assigned unique admin keys. To make a group of ports aggregatable, you assign them all the same admin key. You must set the port’s LACP mode to active to activate LACP negotiation. You can set other port’s LACP mode to passive, to reduce the amount of LACPDU traffic at the initial trunk-forming stage.
CHAPTER 5 Spanning Tree Group When multiple paths exist on a network, Spanning Tree Group (STG) configures the network so that a switch uses only the most efficient path.
The relationship between port, trunk groups, VLANs, and Spanning Trees is shown in Table 9.
Table 9 Ports, Trunk Groups, and VLANs
Switch Element | Belongs To
Port | Trunk group or one or more VLANs
Trunk group | One or more VLANs
VLAN (non-default) | One Spanning Tree Group
Note – Due to Spanning Tree’s sequence of listening, learning, and forwarding or blocking, lengthy delays may occur.
Determining the Path for Forwarding BPDUs When determining which port to use for forwarding and which port to block, the RackSwitch G8000 uses information in the BPDU, including each bridge priority ID. A technique based on the “lowest root cost” is then computed to determine the most efficient path for forwarding. Bridge Priority The bridge priority parameter controls which bridge on the network is the STG root bridge.
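The election that the text describes, root chosen by bridge priority and the forwarding port chosen by lowest root cost, can be shown concretely on one bridge. The following Python is an added example, not code from the guide or from Blade Network Technologies, and it models the classic STP comparison of (root bridge ID, root path cost, sender bridge ID, sender port ID) from received BPDUs; bridge IDs, MAC addresses, port costs and BPDU contents are constructed. The comparison vector and the use of the bridge MAC address as tie-breaker follow the IEEE 802.1D rules, which the guide does not spell out.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class BridgeId:
    priority: int  # bridge priority from the CLI; the lowest value wins the root election
    mac: str       # bridge MAC address, the tie-breaker between equal priorities

    def key(self) -> Tuple[int, int]:
        if not 0 <= self.priority <= 65535:
            raise ValueError("bridge priority out of range")
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Bpdu:
    root: BridgeId       # root bridge the sender currently believes in
    root_path_cost: int  # the sender's cost to that root
    sender: BridgeId     # bridge that transmitted this BPDU
    sender_port: int     # identifier of the port it was sent from


def elect_root(own: BridgeId, heard: Dict[int, Tuple[Bpdu, int]]):
    """Root election on one bridge.

    heard maps a local port number to (best BPDU received on that port, that
    port's path cost). Returns (elected root, root port or None when this bridge
    is itself the root, this bridge's root path cost). The lowest vector
    (root id, root path cost, sender id, sender port) wins; that is the
    "lowest root cost" rule in the text, with bridge IDs breaking ties.
    """
    best_vector = (own.key(), 0, own.key(), 0)
    best_root: BridgeId = own
    root_port: Optional[int] = None
    for port, (bpdu, port_cost) in heard.items():
        vector = (bpdu.root.key(), bpdu.root_path_cost + port_cost,
                  bpdu.sender.key(), bpdu.sender_port)
        if vector < best_vector:
            best_vector, best_root, root_port = vector, bpdu.root, port
    return best_root, root_port, best_vector[1]


# Constructed example: this bridge keeps the default priority; a neighbour was
# given a lower priority on purpose so that it becomes the root bridge.
ME = BridgeId(32768, "00:00:00:00:00:03")
ROOT = BridgeId(4096, "00:00:00:00:00:01")
OTHER = BridgeId(32768, "00:00:00:00:00:02")
HEARD = {
    1: (Bpdu(ROOT, 10, OTHER, 1), 4),   # via OTHER: 10 + 4 = 14
    2: (Bpdu(ROOT, 0, ROOT, 2), 19),    # directly from the root: 0 + 19 = 19
}

if __name__ == "__main__":
    root, port, cost = elect_root(ME, HEARD)
    print(f"root={root.mac} root_port={port} root_path_cost={cost}")
```

The example is why the bridge priority is a security-relevant setting: any bridge that advertises a lower priority than the intended root wins the election and pulls the forwarding path towards itself, so the root's priority should be set deliberately rather than left at the default.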
Spanning Tree Group Guidelines This section provides important information on configuring Spanning Tree Groups (STGs): Adding a VLAN to a Spanning Tree Group If no VLANs exist beyond the default VLAN 1, see “Creating a VLAN” on page 76 for information on adding ports to VLANs.
Rules for VLAN Tagged Ports Tagged ports can belong to more than one STG, but untagged ports can belong to only one STG. When a tagged port belongs to more than one STG, the egress BPDUs are tagged to distinguish the BPDUs of one STG from those of another STG. An untagged port cannot span multiple STGs. Adding and Removing Ports from STGs When you add a port to a VLAN that belongs to an STG, the port is also added to the STG.
Multiple Spanning Trees Each RackSwitch G8000 supports a maximum of 128 Spanning Tree Groups (STGs). Multiple STGs provide multiple data paths, which can be used for load-balancing and redundancy. You enable load balancing between two G8000s using multiple STGs by configuring each path with a different VLAN and then assigning each VLAN to a separate STG. Each STG is independent.
Figure 9 Two VLANs on one Spanning Tree Group [figure not reproduced: VLAN 1 and VLAN 2 both belong to STG 1 between Switch 1 and Switch 2; VLAN 2 traffic is blocked by STG 1] In Figure 10, VLAN 1 and VLAN 2 belong to different Spanning Tree Groups. The two instances of Spanning Tree separate the topology without forming a loop. Both VLANs can forward packets between the switches without losing connectivity.
Spanning Tree with ISLs This configuration shows how to configure Spanning Tree Protocol with Inter-Switch Links (ISLs). In normal operation, the ISL is blocked by Spanning Tree. If there is an uplink failure on one switch, the ISL becomes active, and traffic passes through the ISL to the active uplink.
Multiple Spanning Tree Group Protocol Multiple Spanning Tree extends Rapid Spanning Tree Protocol through multiple Spanning Tree Groups, using multiple VLANs in each STG. MSTP supports up to 32 Spanning-Tree instances, that correspond to STP Groups 1-32. In Multiple Spanning Tree Protocol (MSTP), several VLANs can be mapped to each Spanning-Tree instance. Each Spanning-Tree instance is independent of other instances.
MSTP Configuration Guidelines This section provides important information about configuring Multiple Spanning Tree Groups: When MSTP is turned on, the switch automatically moves all VLANs to the CIST. When MSTP is turned off, the switch moves all VLANs from the CIST to STG 1. When enabling MSTP, Region Name must be configured, and a default version number of one is configured automatically.
This configuration shows how to configure MSTP Groups on the switch, as shown in Figure 12. 1. Configure port membership and define the Spanning Tree groups for VLAN 1. Enable tagging on uplink ports that share VLANs. Port 51 and port 52 connect to the Enterprise Routing switches.
Port Fast Forwarding Port Fast Forwarding permits a port that participates in Spanning Tree to bypass the Listening and Learning states and enter directly into the Forwarding state. While in the Forwarding state, the port listens to the BPDUs to learn if there is a loop and, if dictated by normal STG behavior (following priorities, etc.), the port transitions into the Blocking state.
Hot Links For network topologies that require Spanning Tree to be turned off, Hot Links provides basic link redundancy with fast recovery. Hot Links consists of up to 25 triggers. A trigger consists of a pair of layer 2 interfaces, each containing an individual port, trunk, or LACP adminkey. One interface is the Master, and the other is a Backup.
Configuration Guidelines The following configuration guidelines apply to Hot links: Ports that are configured as Hot Link interfaces must have STP disabled. When Hot Links is turned on, MSTP, RSTP, and PVRST must be turned off. When Hot Links is turned on, UplinkFast must be disabled. A port that is a member of the Master interface cannot be a member of the Backup interface.
CHAPTER 6 Link Layer Discovery Protocol The BLADE OS software supports Link Layer Discovery Protocol (LLDP). This chapter discusses the use and configuration of LLDP on the switch: “LLDP Overview” on page 87 “Enabling or Disabling LLDP” on page 88 “LLDP Transmit Features” on page 89 “LLDP Receive Features” on page 93 “LLDP Example Configuration” on page 95 LLDP Overview Link Layer Discovery Protocol (LLDP) is an IEEE 802.1AB-2005 standard for discovering and managing network devices.
The LLDP information to be distributed by the G8000 ports, and that which has been collected from other LLDP stations, is stored in the switch’s Management Information Base (MIB). Network Management Systems (NMS) can use Simple Network Management Protocol (SNMP) to access this MIB information. LLDP-related MIB information is read-only.
LLDP Transmit Features Numerous LLDP transmit options are available, including scheduled and minimum transmit interval, expiration on remote systems, SNMP trap notification, and the types of information permitted to be shared. Scheduled Interval The G8000 can be configured to transmit LLDP information to neighboring devices once each 5 to 32768 seconds. The scheduled interval is global; the same interval value applies to all LLDP transmit-enabled ports.
BLADE OS 5.1 Application Guide Time-to-Live for Transmitted Information The transmitted LLDP information is held by remote systems for a limited time. A time-to-live parameter allows the switch to determine how long the transmitted data should be held before it expires. The hold time is configured as a multiple of the configured transmission interval. >> # lldp holdtime-multiplier where multiplier is a value between 2 and 10.
If SNMP trap notification is enabled, the notification messages can also appear in the system log. This is enabled by default.
LLDP transmissions can also be configured to enable or disable inclusion of optional information, using the following command (Interface Port mode):
>> # [no] lldp tlv <type>
where type is an LLDP information option from Table 10:
Table 10 LLDP Optional Information Types
Type       Description
portdesc   Port Description
sysname    System Name
sysdescr   System Description
syscap     System Capabilities
mgmtaddr   Management Address
portvid    IEEE 802.
To view detailed information for a remote device, specify the Index number as found in the summary.
LLDP Example Configuration
1. Turn LLDP on globally.
>> # lldp enable
2. Set the global LLDP timer features.
>> # lldp transmission-delay 30 (Schedule transmit every 30 seconds)
>> # lldp transmission-delay 2 (Never more often than 2 seconds)
>> # lldp holdtime-multiplier 4 (Hold on remote side for 4 intervals)
>> # lldp reinit-delay 2 (Wait 2 seconds after reinitialization)
>> # lldp trap-notification-interval 5 (Minimum 5 seconds between traps)
3.
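As an added example (not code from the BLADE OS documentation or the product), the following Python builds a constructed LLDPDU carrying TLV types from Table 10, parses it, checks that the advertised TTL matches the timers configured above (30-second interval times holdtime-multiplier 4 gives 120 seconds), and reports which optional TLVs a "no lldp tlv <type>" policy should have suppressed. The TLV header layout and chassis/port ID subtype codes follow IEEE 802.1AB; the MAC address, port name and system name are made up.

```python
import struct

# TLV type codes from IEEE 802.1AB (the standard the guide cites); names follow Table 10
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_NAMES = {1: "chassis-id", 2: "port-id", 3: "ttl", 4: "portdesc",
             5: "sysname", 6: "sysdescr", 7: "syscap", 8: "mgmtaddr"}
OPTIONAL_TLVS = {"portdesc", "sysname", "sysdescr", "syscap", "mgmtaddr"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length in a big-endian 16-bit header."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def lldpdu_ttl(refresh_interval: int, holdtime_multiplier: int) -> int:
    """TTL the switch advertises: transmit interval times the hold multiplier, limited to
    the ranges the guide gives (5-32768 s, 2-10) and to the 16-bit TTL field."""
    if not 5 <= refresh_interval <= 32768 or not 2 <= holdtime_multiplier <= 10:
        raise ValueError("interval or multiplier outside the configurable range")
    return min(65535, refresh_interval * holdtime_multiplier)


def build_sample_lldpdu() -> bytes:
    """Constructed sample LLDPDU (not a capture) using the timers of the example config."""
    return b"".join([
        tlv(TLV_CHASSIS_ID, bytes([4]) + bytes.fromhex("001122334455")),  # subtype 4 = MAC address
        tlv(TLV_PORT_ID, bytes([5]) + b"port1"),                           # subtype 5 = interface name
        tlv(TLV_TTL, struct.pack("!H", lldpdu_ttl(30, 4))),
        tlv(5, b"G8000-lab"),                                              # sysname (optional TLV)
        tlv(4, b"uplink to core"),                                         # portdesc (optional TLV)
        tlv(TLV_END, b""),
    ])


def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLV chain; stop at the End of LLDPDU TLV, reject a truncated chain."""
    out = {}
    off = 0
    while off + 2 <= len(data):
        header = struct.unpack_from("!H", data, off)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("truncated TLV")
        value = data[off:off + length]
        off += length
        if tlv_type == TLV_END:
            return out
        if tlv_type == TLV_TTL:
            if length != 2:
                raise ValueError("TTL TLV must be two bytes")
            out["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type in (TLV_CHASSIS_ID, TLV_PORT_ID):
            out[TLV_NAMES[tlv_type]] = (value[0], value[1:])   # (subtype, identifier bytes)
        elif tlv_type in (4, 5, 6):
            out[TLV_NAMES[tlv_type]] = value.decode("utf-8", "replace")
        elif tlv_type in TLV_NAMES:
            out[TLV_NAMES[tlv_type]] = value                   # syscap / mgmtaddr kept raw
        else:
            out.setdefault("unknown", []).append((tlv_type, value))
    raise ValueError("missing End of LLDPDU TLV")


def tlvs_outside_policy(parsed: dict, permitted: frozenset = frozenset()) -> set:
    """Optional TLVs present although the port policy does not permit sharing them."""
    return {name for name in parsed if name in OPTIONAL_TLVS and name not in permitted}
```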
CHAPTER 7 Quality of Service Quality of Service features allow you to allocate network resources to mission-critical applications at the expense of applications that are less sensitive to such factors as time delays or network congestion. You can configure your network to prioritize specific types of traffic, ensuring that each type receives the appropriate Quality of Service (QoS) level.
Figure 13 QoS Model (Ingress Ports -> Classify Packets: ACL Filter -> Perform Actions: Permit/Deny -> Queue and Schedule: COS Queue -> Egress)
The G8000 uses the Differentiated Services (DiffServ) architecture to provide QoS functions. DiffServ is described in IETF RFC 2474 and RFC 2475. With DiffServ, you can establish policies to direct traffic.
Using ACL Filters
Access Control Lists (ACLs) are filters that allow you to classify and segment traffic, so you can provide different levels of service to different traffic types. Each filter defines the conditions that must match for inclusion in the filter, and also the actions that are performed when a match is made.
Summary of ACL Actions
Actions determine how the traffic is treated. The G8000 QoS actions include the following:
Pass or Drop
Re-mark a new DiffServ Code Point (DSCP)
Re-mark the 802.1p field
Set the COS queue
ACL Port Mirroring
Packets that match an ACL can be mirrored to an interface port. The port through which packets are mirrored must be a physical port. A portchannel cannot be used as a mirror port, but the mirror port can be a member of a portchannel.
Within each precedence group, ACLs that are assigned to the port are processed in numeric sequence, based on ACL number. Lower-numbered ACLs take precedence over higher-numbered ACLs. For example, ACL 1 (if assigned to the port) is evaluated first and has top priority within precedence group 1. For each precedence group, only the first assigned ACL that matches the port traffic is considered.
Access Control List Groups
An Access Control List Group (ACL Group) is a collection of ACLs. For example:
ACL Group 1
ACL 1: VLAN = 1, SIP = 10.10.10.1 (255.255.255.0), Action = permit
ACL 2: VLAN = 2, SIP = 10.10.10.2 (255.255.255.0), Action = deny
ACL 3: Priority = 7, DIP = 10.10.10.3 (255.255.255.0), Action = permit
ACL Groups organize ACLs into traffic profiles that can be more easily assigned to ports. The G8000 supports up to 640 ACL Groups.
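The precedence rule described above (within a precedence group, ACLs are tried in ascending number order and only the first match counts) applied to the ACL Group 1 listing, as an added Python example that is not code from the guide or the switch. It evaluates constructed packets against the group and, for auditing, reports ACLs that match traffic but are always shadowed by a lower-numbered ACL, which is the usual reason a deny rule shows zero hits in ACL statistics.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    vlan: int
    sip: str
    dip: str
    priority: int = 0          # 802.1p value carried in the VLAN tag


@dataclass(frozen=True)
class ACL:
    number: int
    action: str                # "permit" or "deny"
    vlan: Optional[int] = None
    sip: Optional[str] = None  # "address mask", as written in the ACL Group listing
    dip: Optional[str] = None
    priority: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every configured field must match; fields left unset are wildcards."""
        if self.vlan is not None and pkt.vlan != self.vlan:
            return False
        if self.priority is not None and pkt.priority != self.priority:
            return False
        if self.sip is not None and not in_masked(pkt.sip, self.sip):
            return False
        if self.dip is not None and not in_masked(pkt.dip, self.dip):
            return False
        return True


def in_masked(addr: str, spec: str) -> bool:
    """True when addr falls inside 'address mask' (mask given as a dotted netmask)."""
    base, mask = spec.split()
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(f"{base}/{mask}", strict=False)


def evaluate_group(acls, pkt: Packet):
    """Return (winning ACL or None, ACLs that also matched but were shadowed).
    ACLs in one precedence group are tried in ascending number order; only the first hit counts."""
    hits = [acl for acl in sorted(acls, key=lambda a: a.number) if acl.matches(pkt)]
    return (hits[0], hits[1:]) if hits else (None, [])


# The ACL Group 1 listing from the text, encoded
ACL_GROUP_1 = [
    ACL(1, "permit", vlan=1, sip="10.10.10.1 255.255.255.0"),
    ACL(2, "deny", vlan=2, sip="10.10.10.2 255.255.255.0"),
    ACL(3, "permit", priority=7, dip="10.10.10.3 255.255.255.0"),
]


def decision(acls, pkt: Packet) -> str:
    """'permit' or 'deny' from the winning ACL, or 'no-match' if nothing in the group hit."""
    winner, _ = evaluate_group(acls, pkt)
    return winner.action if winner else "no-match"


def shadowed_acls(acls, sample_packets) -> set:
    """Audit helper: numbers of ACLs that matched some sample packet but never won.
    A deny rule that only ever appears here will never fire on that traffic."""
    won, matched = set(), set()
    for pkt in sample_packets:
        winner, shadowed = evaluate_group(acls, pkt)
        if winner:
            won.add(winner.number)
        matched.update(a.number for a in shadowed)
    return matched - won
```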
ACL Metering and Re-Marking
You can define a profile for the aggregate traffic flowing through the G8000 by configuring a QoS meter (if desired) and assigning ACL Groups to ports. When you add ACL Groups to a port, make sure they are ordered correctly in terms of precedence. Actions taken by an ACL are called In-Profile actions. You can configure additional In-Profile and Out-of-Profile actions on a port.
Viewing ACL Statistics
ACL statistics display how many packets hit (matched) each ACL. Use ACL statistics to check filter performance, and debug the ACL filters. You must enable statistics for each ACL that you want to monitor.
>> # access-control list statistics
ACL Configuration Examples
ACL Example 1
Use this configuration to block traffic to a specific host. All traffic that ingresses on port 1 is denied if it is destined for the host at IP address 100.10.1.
ACL Example 3
Use this configuration to block traffic from a network that is destined for a specific egress port. All traffic that ingresses port 1 from the network 100.10.1.0/24 and is destined for port 20 is denied.
1. Configure an Access Control List.
>> # access-control list 3 ipv4 source-ip-address 100.10.1.0 255.255.255.0
>> # access-control list 3 egress-port 20
>> # access-control list 3 action deny
2. Add ACL 3 to port 1.
Using DSCP Values to Provide QoS
The six most significant bits in the TOS byte of the IP header are defined as DiffServ Code Points (DSCP). Packets are marked with a certain value depending on the type of treatment the packet must receive in the network device. DSCP is a measure of the Quality of Service (QoS) level of the packet.
Differentiated Services Concepts
To differentiate between traffic flows, packets can be classified by their DSCP value.
Per-Hop Behavior
The DSCP value determines the Per Hop Behavior (PHB) of each packet. The PHB is the forwarding treatment given to packets at each hop. QoS policies are built by applying a set of rules to packets, based on the DSCP value, as they hop through the network. The G8000 default settings are based on the following standard PHBs, as defined in the IEEE standards:
Expedited Forwarding (EF)—This PHB has the highest egress priority and lowest drop precedence level.
QoS Levels
Table 14 shows the default service levels provided by the G8000, listed from highest to lowest importance:
Table 14 Default QoS Service Levels
Service Level  Default PHB  802.
DSCP Re-Marking and Mapping
DSCP Re-Marking Overview
The G8000 can re-mark the DSCP value of ingress packets to a new value, and set the 802.1p priority value, based on the DSCP value. You can view the default settings by using the command shown below.
>> DSCP Remark# cur
Current DSCP Remarking Configuration: OFF
DSCP      New DSCP  New 802.
0         0
1         1
2         2
3         3
4         4
5         5
6         6
7         7
8         8
9         9
10        10
...
55
56
57
58
59
60
61
62
63
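Added Python example (not from the guide or the switch) for the DSCP material above: it pulls the DSCP out of the TOS byte, names the standard PHB a codepoint encodes (EF per RFC 3246, AFxy per RFC 2597, CSx including the CS0 default per RFC 2474), and applies a DSCP-to-DSCP and DSCP-to-802.1p re-marking table while leaving the two ECN bits untouched. The default table shown above is the identity for DSCP; the re-marking policy below is a constructed one that does not trust EF from an untrusted edge port, and its 802.1p mapping is an assumption, not the G8000 default.

```python
def dscp_from_tos(tos: int) -> int:
    """DSCP is the six most significant bits of the TOS/DS byte; the low two bits are ECN."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte out of range")
    return tos >> 2


def phb_name(dscp: int) -> str:
    """Standard PHB for a codepoint: EF, AFxy, or CSx (CS0 is the default/best-effort PHB)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range")
    if dscp == 46:
        return "EF"
    cls, low = divmod(dscp, 8)
    if low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"        # AFxy: x = class, y = drop precedence
    return "other"


# Constructed re-marking policy (assumption, not the switch default): identity for DSCP
# except that EF arriving from an untrusted edge is demoted to CS0, and the 802.1p
# priority follows the three class bits of the (new) DSCP.
DSCP_MAP = {d: d for d in range(64)}
DSCP_MAP[46] = 0
DOT1P_MAP = {d: d >> 3 for d in range(64)}


def remark(tos: int, dscp_map=DSCP_MAP, dot1p_map=DOT1P_MAP):
    """Return (new TOS byte, 802.1p priority) after re-marking; ECN bits are preserved."""
    dscp = dscp_from_tos(tos)
    new_dscp = dscp_map.get(dscp, dscp)
    return (new_dscp << 2) | (tos & 0x3), dot1p_map.get(new_dscp, 0)
```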
DSCP Re-Marking Configuration Example
1. Turn DSCP re-marking on globally, and define the DSCP-DSCP-802.1p mapping. You can use the default mapping.
>> # qos dscp re-marking
>> # qos dscp dscp-mapping
>> # qos dscp dot1p-mapping <802.1p value>
2. Enable DSCP re-marking on a port.
>> # interface port 1
>> # qos dscp-remarking
Using 802.1p Priorities to Provide QoS
802.
Ingress packets receive a priority value, as follows:
Tagged packets—G8000 reads the 802.1p priority in the VLAN tag.
Untagged packets—G8000 tags the packet and assigns an 802.1p priority, based on the port’s default priority.
Egress packets are placed in a COS queue based on the priority value, and scheduled for transmission based on the scheduling weight of the COS queue.
802.1p Configuration Example
1. Configure a port’s default 802.1p priority.
CHAPTER 8 Basic IP Routing This chapter provides configuration background and examples for using the G8000 to perform IP routing functions.
Figure 16 The Router Legacy Network (server subnets, Internet, G8000)
In this example, a corporate campus has migrated from a router-centric topology to a faster, more powerful, switch-based topology. As is often the case, the legacy of network growth and redesign has left the system with a mix of illogically distributed subnets. This is a situation that switching alone cannot cure. Instead, the router is flooded with cross-subnet communication.
Example of Subnet Routing
Consider the role of the G8000 in the following configuration example:
Figure 17 Switch-Based Routing Topology (default router 205.21.17.1 on 10GbE port 49; IF 1 VLAN 1, IF 2 VLAN 2, IF 3 VLAN 3, IF 4 VLAN 4; server subnet 1: 100.20.10.2-254; server subnet 2: 131.15.15.2-254; server subnet 3: 206.30.15.2-254)
The switch connects the Gigabit Ethernet and Fast Ethernet trunks from various switched subnets throughout one building.
Using VLANs to Segregate Broadcast Domains
If you want to control the broadcasts on your network, use VLANs to create distinct broadcast domains. Create one VLAN for each server subnet, and one for the router.
Configuration Example
This section describes the steps used to configure the example topology shown in Figure 17 on page 117.
1. Assign an IP address (or document the existing one) for each router and each server.
3. Determine which switch ports and IP interfaces belong to which VLANs. The following table adds port and VLAN information:
Table 17 Subnet Routing Example: Optional VLAN Ports
Devices           IP Interface  Switch Ports  VLAN #
Default router    1             49            1
Web servers       2             1 and 2       2
Database servers  3             3 and 4       3
Terminal Servers  4             5 and 6       4
Note – To perform this configuration, you must be connected to the switch Command Line Interface (CLI) as the administrator.
4.
5. Assign a VLAN to each IP interface. Now that the ports are separated into VLANs, the VLANs are assigned to the appropriate IP interface for each subnet.
ECMP Static Routes
Equal-Cost Multi-Path (ECMP) is a forwarding mechanism that routes packets along multiple paths of equal cost. ECMP provides equally-distributed link load sharing across the paths. The hashing algorithm used is based on the source IP address (SIP). ECMP routes allow the switch to choose between several next hops toward a given destination. The switch performs periodic health checks (ping) on each ECMP gateway.
You may add up to five (5) gateways for each static route. Use the following command to check the status of ECMP static routes:
RS G8000 (config)# show ip route static
Current ecmp static routes:
Destination      Mask             Gateway          If   GW Status
---------------  ---------------  ---------------  ---  ----------
10.10.1.1        255.255.255.255  100.10.1.1       1    up
                                  200.20.2.2       1    down
10.20.2.2        255.255.255.255  10.233.3.3
10.20.2.2        255.255.255.255  10.234.4.4
10.20.2.2        255.255.255.255  10.235.5.
To enable DHCP on an IP interface, use the following commands:
RS G8000 (config)# interface ip 2
RS G8000 (config-ip-if)# dhcp enable
RS G8000 (config-ip-if)# exit
DHCP Relay Agent
DHCP is described in RFC 2131, and the DHCP relay agent supported on G8000s is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.
Use the following commands to configure the switch as a DHCP relay agent:
>> # ip bootp-relay server 1
>> # ip bootp-relay server 2
>> # ip bootp-relay enable
>> # show ip bootp-relay
Additionally, DHCP Relay functionality can be assigned on a per-interface basis.
CHAPTER 9 Routing Information Protocol In a routed environment, routers communicate with one another to keep track of available routes. Routers can learn about available routes dynamically using the Routing Information Protocol (RIP). BLADE OS software supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2) for exchanging TCP/IP route information with other routers. Distance Vector Protocol RIP is known as a distance vector protocol.
Routing Updates
RIP sends routing-update messages at regular intervals and when the network topology changes. Each router “advertises” routing information by sending a routing information update every 30 seconds. If a router doesn’t receive an update from another router for 180 seconds, those routes provided by that router are declared invalid. The routes are removed from the routing table, but they remain in the RIP routes table.
RIP Features
BLADE OS provides the following features to support RIPv1 and RIPv2:
Poison
Simple split horizon in the RIP scheme omits routes learned from one neighbor in updates sent to that neighbor. That is the most common configuration used in RIP, that is, setting Poison to DISABLE. Split horizon with poisoned reverse includes such routes in updates, but sets their metrics to 16. The disadvantage of using this feature is the increase in size of the routing updates.
Authentication
RIPv2 authentication uses a plaintext password for authentication. If configured using Authentication password, then it is necessary to enter an authentication key value. The following method is used to authenticate a RIP message:
If the router is not configured to authenticate RIPv2 messages, then RIPv1 and unauthenticated RIPv2 messages are accepted; authenticated RIPv2 messages are discarded.
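The acceptance rule above, worked through on the wire format, as an added Python example that is not code from the guide or the switch. It builds constructed RIP Response messages (RIPv1, unauthenticated RIPv2, and RIPv2 carrying the simple-password authentication entry of RFC 2453), parses them, and applies the rule: with no password configured, authenticated RIPv2 is discarded; with a password configured, RIPv1 and unauthenticated RIPv2 are discarded and only RIPv2 with the matching password is accepted (the second branch is RFC 2453 section 5.2, not stated on this page). The password field is sent as plaintext, which is why it is compared but never logged here.

```python
import hmac
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")             # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")        # AFI, route tag, IP, mask, next hop, metric
AUTH_AFI, AUTH_SIMPLE_PASSWORD = 0xFFFF, 2     # RFC 2453 authentication entry
RESPONSE = 2


def build_rip_response(routes, version=2, password=None) -> bytes:
    """Constructed RIP Response; routes are (prefix, mask, metric). With a password,
    a simple-password authentication entry precedes the route entries."""
    body = b""
    if password is not None:
        pw = password.encode()
        if version != 2 or len(pw) > 16:
            raise ValueError("simple password is RIPv2 only and at most 16 bytes")
        body += struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE_PASSWORD, pw)   # null padded
    for prefix, mask, metric in routes:
        ip = ipaddress.IPv4Address(prefix).packed
        mask_b = ipaddress.IPv4Address(mask).packed if version == 2 else b"\0" * 4
        body += RIP_ENTRY.pack(2, 0, ip, mask_b, b"\0" * 4, metric)       # AFI 2 = IP
    return RIP_HEADER.pack(RESPONSE, version, 0) + body


def parse_rip(msg: bytes) -> dict:
    """Split a RIP message into version, optional authentication entry and route entries."""
    if len(msg) < RIP_HEADER.size or (len(msg) - RIP_HEADER.size) % RIP_ENTRY.size:
        raise ValueError("malformed RIP message length")
    command, version, _ = RIP_HEADER.unpack_from(msg)
    entries = [msg[i:i + RIP_ENTRY.size]
               for i in range(RIP_HEADER.size, len(msg), RIP_ENTRY.size)]
    auth = None
    if version == 2 and entries and entries[0][:2] == b"\xff\xff":
        auth_type = struct.unpack("!H", entries[0][2:4])[0]
        auth = (auth_type, entries[0][4:])            # 16-byte password field, still padded
        entries = entries[1:]
    routes = []
    for e in entries:
        _, _, ip, mask, _, metric = RIP_ENTRY.unpack(e)
        routes.append((str(ipaddress.IPv4Address(ip)), str(ipaddress.IPv4Address(mask)), metric))
    return {"command": command, "version": version, "auth": auth, "routes": routes}


def accept_rip_message(msg: bytes, configured_password):
    """Return (accepted, reason) for a received message under the configured policy."""
    m = parse_rip(msg)
    if configured_password is None:
        if m["auth"] is not None:
            return False, "authenticated RIPv2 received but authentication not configured"
        return True, "unauthenticated message accepted"
    if m["version"] < 2 or m["auth"] is None:
        return False, "authentication required; RIPv1 and unauthenticated RIPv2 discarded"
    auth_type, pw_field = m["auth"]
    if auth_type != AUTH_SIMPLE_PASSWORD:
        return False, "unsupported authentication type"
    expected = configured_password.encode().ljust(16, b"\0")
    if not hmac.compare_digest(pw_field, expected):     # constant-time comparison
        return False, "password mismatch"
    return True, "authenticated RIPv2 accepted"
```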
2. Add IP interfaces to VLANs.
>> # interface ip 2
>> (config-ip-if)# enable
>> (config-ip-if)# address 102.1.1.1
>> (config-ip-if)# vlan 2
>> (config-ip-if)# exit
>> # interface ip 3
>> (config-ip-if)# enable
>> (config-ip-if)# address 103.1.1.1
>> (config-ip-if)# vlan 3
3. Turn on RIP globally and enable RIP for each interface.
CHAPTER 10 Border Gateway Protocol Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share and advertise routing information with each other about the segments of the IP address space they can access within their network and with routers on external networks.
Static routes should have a higher degree of precedence than dynamic routing protocols. If the destination route is not in the route cache, then the packets are forwarded to the default gateway, which may be incorrect if a dynamic routing protocol is enabled. It is also useful to tell routers outside your network (upstream providers or peers) about the routes you can access in your network.
Forming BGP Peer Routers
Two BGP routers become peers or neighbors once you establish a TCP connection between them. For each new route, if a peer is interested in that route (for example, if a peer would like to receive your static routes and the new route is static), an update message is sent to that peer containing the new route.
Figure 19 Distributing Network Filters in Access Lists and Route Maps (Route Maps 1 through 32, each holding Access Lists 1 through 8, which draw on Network Filters 1-8, 9-16, ... 249-256)
Incoming and Outgoing Route Maps
You can have two types of route maps: incoming and outgoing.
Precedence
You can set a priority to a route map by specifying a precedence value with the following command (Route Map mode):
>> # precedence <1-255> (Specify a precedence)
The smaller the value, the higher the precedence. If two route maps have the same precedence value, the smaller number has higher precedence.
Configuration Overview
To configure route maps, you need to do the following:
1. Define a network filter.
4. Set up the BGP attributes. If you want to overwrite the attributes that the peer router is sending, then define the following BGP attributes:
Specify the AS numbers that you want to prepend to a matched route and the local preference for the matched route.
Specify the metric [Multi Exit Discriminator (MED)] for the matched route.
Aggregating Routes
Aggregation is the process of combining several different routes in such a way that a single route can be advertised, which minimizes the size of the routing table. You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by creating an aggregate entry in the BGP routing table.
BGP Attributes
The following two BGP attributes are discussed in this section: Local preference and metric (Multi-Exit Discriminator).
Local Preference Attribute
When there are multiple paths to the same destination, the local preference attribute indicates the preferred path. The path with the higher preference is preferred (the default value of the local preference attribute is 100).
Selecting Route Paths in BGP
BGP selects only one path as the best path. It does not rely on metric attributes to determine the best path. When the same network is learned via more than one BGP peer, BGP uses its policy for selecting the best route to that network. The BGP implementation on the G8000 uses the following criteria to select a path when the same route is received from multiple peers.
1. Local fixed and static routes are preferred over learned routes.
2.
BGP Failover Configuration
Use the following example to create redundant default gateways for a G8000 at a Web Host/ISP site, eliminating the possibility, should one gateway go down, that requests will be forwarded to an upstream router unknown to the switch. As shown in Figure 20, the switch is connected to ISP 1 and ISP 2. The customer negotiates with both ISPs to allow the switch to use their peer routers as default gateways.
2. Define the IP interfaces. The switch will need an IP interface for each default gateway to which it will be connected. Each interface must be placed in the appropriate VLAN. These interfaces will be used as the primary and secondary default gateways for the switch.
Default Redistribution and Route Aggregation Example
This example shows you how to configure the switch to redistribute information from one routing protocol to another and create an aggregate route entry in the BGP routing table to minimize the size of the routing table. As illustrated in Figure 21, you have two peer routers: an internal and an external peer router. Configure the G8000 to redistribute the default routes from AS 200 to AS 135.
3. Configure internal peer router 1 and external peer router 2.
>> # router bgp
>> (config-router-bgp)# neighbor 1 enable
>> (config-router-bgp)# neighbor 1 remote-address 10.1.1.4
>> (config-router-bgp)# neighbor 1 remote-as 135
>> (config-router-bgp)# neighbor 2 enable
>> (config-router-bgp)# neighbor 2 remote-address 20.20.20.2
>> (config-router-bgp)# neighbor 2 remote-as 200
4. Configure redistribution for Peer 1.
CHAPTER 11 OSPF BLADE OS supports the Open Shortest Path First (OSPF) routing protocol. The BLADE OS implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss OSPF support for the RackSwitch G8000: “OSPF Overview” on page 145. This section provides information on OSPF concepts, such as types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing.
Types of OSPF Areas
An AS can be broken into logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed.
Types of OSPF Routing Devices
As shown in Figure 23, OSPF uses the following types of routing devices:
Internal Router (IR)—a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices within the local area.
Area Border Router (ABR)—a router that has interfaces in multiple areas. ABRs maintain one LSDB for each connected area and disseminate routing information between areas.
Neighbors and Adjacencies
In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each others’ health. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces.
The Shortest Path First Tree
The routing devices use a link-state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination. The cost of an individual interface in OSPF is an indication of the overhead required to send packets across it. The cost is inversely proportional to the bandwidth of the interface. A lower cost indicates a higher bandwidth.
OSPF Implementation in BLADE OS
BLADE OS supports a single instance of OSPF and up to 4K routes on the network.
Defining Areas
If you are configuring multiple areas in your OSPF domain, one of the areas must be designated as area 0, known as the backbone. The backbone is the central OSPF area and is usually physically connected to all other areas. The areas inject routing information into the backbone which, in turn, disseminates the information into other areas. Since the backbone connects the areas in your network, it must be a contiguous area.
Using the Area ID to Assign the OSPF Area Number
The OSPF area number is defined in the areaid option. The octet format is used in order to be compatible with two different systems of notation used by other OSPF network vendors. There are two valid ways to designate an area ID:
Placing the area number in the last octet (0.0.0.n)
Most common OSPF vendors express the area ID number as a single number. For example, the Cisco IOS-based router command “network 1.1.
Interface Cost
The OSPF link-state algorithm (Dijkstra’s algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. Usually, the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth.
Default Routes
When an OSPF routing device encounters traffic for a destination address it does not recognize, it forwards that traffic along the default route. Typically, the default route leads upstream toward the backbone until it reaches the intended area or an external router. Each G8000 acting as an ABR automatically inserts a default route into each attached area.
Virtual Links
Usually, all areas in an OSPF AS are physically connected to the backbone. In some cases where this is not possible, you can use a virtual link. Virtual links are created to connect one area to the backbone through another non-backbone area (see Figure 22 on page 146). The area which contains a virtual link must be a transit area and have full routing information. Virtual links cannot be configured inside a stub area or NSSA.
Router ID
Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP address format. The IP address of the router ID is not required to be included in any IP interface range or in any OSPF area, and may even use the G8000 loopback interface.
Figure 25 OSPF Authentication (Switch 1 through Switch 5; key=blade)
Configuring Plain Text OSPF Passwords
To configure simple plain text OSPF passwords on the switches shown in Figure 25, use the following commands:
1. Enable OSPF authentication for Area 0 on switches 1, 2, and 3.
>> (config-router-ospf)# area 0 authentication-type password
2.
4. Configure a simple text password up to eight characters for the virtual link between Area 2 and Area 0 on switches 2 and 4.
>> # area-virtual-link 1 key blade
Configuring MD5 Authentication
Use the following commands to configure MD5 authentication on the switches shown in Figure 25:
1. Enable OSPF MD5 authentication for Area 0 on switches 1, 2, and 3.
>> # area 0 authentication-type md5
2. Configure MD5 key ID for Area 0 on switches 1, 2, and 3.
Host Routes for Load Balancing
The BLADE OS implementation of OSPF includes host routes. Host routes are used for advertising network device IP addresses to external networks, accomplishing the following goals:
ABR Load Sharing
As a form of load balancing, host routes can be used for dividing OSPF traffic among multiple ABRs. To accomplish this, each switch provides identical services but advertises a host route for a different IP address to the external network.
OSPF Configuration Examples
A summary of the basic steps for configuring OSPF on the G8000 is listed here. Detailed instructions for each of the steps are covered in the following sections:
1. Configure IP interfaces. One IP interface is required for each desired network (range of IP addresses) being assigned to an OSPF area on the switch.
2. (Optional) Configure the router ID. The router ID is required only when configuring virtual links on the switch.
3.
Example 1: Simple OSPF Domain
In this example, two OSPF areas are defined—one area is the backbone and the other is a stub area. A stub area does not allow advertisements of external routes, thus reducing the size of the database. Instead, a default summary route of IP address 0.0.0.0 is automatically inserted into the stub area. Any traffic for IP address destinations outside the stub area will be forwarded to the stub area’s IP interface, and then into the backbone.
3. Define the backbone. The backbone is always configured as a transit area using areaid 0.0.0.0.
>> (config-router-ospf)# area 0 area-id 0.0.0.0
>> (config-router-ospf)# area 0 type transit
>> (config-router-ospf)# area 0 enable
4. Define the stub area.
>> (config-router-ospf)# area 1 area-id 0.0.0.1
>> (config-router-ospf)# area 1 type stub
>> (config-router-ospf)# area 1 enable
>> (config-router-ospf)# exit
5. Attach the network interface to the backbone.
Example 2: Virtual Links
In the example shown in Figure 27, area 2 is not physically connected to the backbone as is usually required. Instead, area 2 will be connected to the backbone via a virtual link through area 1. The virtual link must be configured at each endpoint.
Figure 27 Configuring a Virtual Link (Switch 1, Switch 2)
Configuring OSPF for a Virtual Link on Switch #1
1. Configure IP interfaces on each network that will be attached to the switch.
3. Enable OSPF.
>> # router ospf
>> (config-router-ospf)# enable
4. Define the backbone.
>> (config-router-ospf)# area 0 area-id 0.0.0.0
>> (config-router-ospf)# area 0 type transit
>> (config-router-ospf)# area 0 enable
5. Define the transit area. The area that contains the virtual link must be configured as a transit area.
>> (config-router-ospf)# area 1 area-id 0.0.0.
Configuring OSPF for a Virtual Link on Switch #2
1. Configure IP interfaces on each network that will be attached to OSPF areas. In this example, two IP interfaces are needed:
Interface 1 for the transit area network on 10.10.12.0/24
Interface 2 for the stub area network on 10.10.24.
6. Define the stub area.
>> (config-router-ospf)# area 2 area-id 0.0.0.2
>> (config-router-ospf)# area 1 type stub
>> (config-router-ospf)# area 1 enable
>> (config-router-ospf)# exit
7. Attach the network interface to the backbone.
>> # interface ip 1
>> (config-ip-if)# ip ospf area 1
>> (config-ip-if)# ip ospf enable
>> (config-ip-if)# exit
8. Attach the network interface to the transit area.
Example 3: Summarizing Routes
By default, ABRs advertise all the network addresses from one area into another area. Route summarization can be used for consolidating advertised addresses and reducing the perceived complexity of the network. If the network IP addresses in an area are assigned to a contiguous subnet range, you can configure the ABR to advertise a single summary route that includes all the individual IP addresses within the area.
2. Enable OSPF.
>> # router ospf
>> (config-router-ospf)# enable
3. Define the backbone.
>> (config-router-ospf)# area 0 area-id 0.0.0.0
>> (config-router-ospf)# area 0 type transit
>> (config-router-ospf)# area 0 enable
4. Define the stub area.
>> (config-router-ospf)# area 1 area-id 0.0.0.1
>> (config-router-ospf)# area 1 type stub
>> (config-router-ospf)# area 1 enable
>> (config-router-ospf)# exit
5. Attach the network interface to the backbone.
Verifying OSPF Configuration
Use the following commands to verify the OSPF configuration on your switch:
show ip ospf
show ip ospf neighbor
show ip ospf database database-summary
show ip ospf routes
Refer to the BLADE OS Command Reference for information on the above commands.
CHAPTER 12 IPv6 Host Management Internet Protocol version 6 (IPv6) is a network layer protocol intended to expand the network address space. IPv6 is a robust and expandable protocol that meets the need for increased physical address space. The switch supports IPv6 host management, as defined in RFCs 2460, 2461, 2462, 2463, and 2465. This chapter describes the basic configuration of IPv6 host management on the switch. IPv6 host management allows you to assign an IPv6 address, and manage the switch via IPv6.
Unlike IPv4, a subnet mask is not used for IPv6 addresses. IPv6 uses the subnet prefix as the network identifier. The prefix is the part of the address that indicates the bits that have fixed values or are the bits of the subnet prefix. An IPv6 prefix is written in address/prefix-length notation. For example, in the following address, 64 is the network prefix:
21DA:D300:0000:2F3C::/64
IPv6 addresses can be either user-configured or automatically configured.
Multicast
Multicast is communication between a single host and multiple receivers. Packets are sent to all interfaces identified by that address. An interface may belong to any number of multicast groups. A multicast address (FF00 - FFFF) is an identifier for a group interface. The multicast address most often encountered is a solicited-node multicast address using prefix FF02::1:FF00:0000/104 with the low-order 24 bits of the unicast or anycast address.
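The prefix notation and the solicited-node multicast construction described above, as an added Python example that is not code from the guide or the switch. It derives the solicited-node group (FF02::1:FF00:0/104 plus the low-order 24 bits of the unicast address), lists the groups an interface with several addresses must join, and checks that a received Neighbor Solicitation was sent to the group that belongs to its target, which is a cheap consistency test for Neighbor Discovery traffic; the sample addresses are constructed.

```python
import ipaddress

# Solicited-node multicast prefix from the text: FF02::1:FF00:0/104
SOLICITED_NODE = ipaddress.IPv6Network("FF02::1:FF00:0/104")
ALL_NODES = ipaddress.IPv6Address("FF02::1")


def network_prefix(addr_with_len: str) -> ipaddress.IPv6Network:
    """The subnet prefix in address/prefix-length notation: the high-order bits that are fixed."""
    return ipaddress.IPv6Network(addr_with_len, strict=False)


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 followed by the low-order 24 bits of the unicast or anycast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)


def is_solicited_node(addr: str) -> bool:
    """True for any address inside the solicited-node prefix."""
    return ipaddress.IPv6Address(addr) in SOLICITED_NODE


def interface_multicast_groups(unicast_addrs) -> set:
    """Groups an interface must join so Neighbor Solicitations for its addresses reach it:
    all-nodes plus one solicited-node group per address (addresses that share their low
    24 bits collapse into a single group)."""
    groups = {ALL_NODES}
    groups.update(solicited_node_multicast(a) for a in unicast_addrs)
    return groups


def ns_destination_consistent(target: str, destination: str) -> bool:
    """Consistency check for a received Neighbor Solicitation: a multicast NS for target
    must be addressed to target's own solicited-node group; a unicast NS (reachability
    probe) must be addressed to the target itself."""
    dst = ipaddress.IPv6Address(destination)
    if dst.is_multicast:
        return dst == solicited_node_multicast(target)
    return dst == ipaddress.IPv6Address(target)
```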
IPv6 Interfaces
Each IPv6 interface supports multiple IPv6 addresses. You can manually configure up to two IPv6 addresses for each interface, or you can allow the switch to use stateless autoconfiguration. You can manually configure two IPv6 addresses for each interface, as follows:
Initial IPv6 address is a global unicast or anycast address.
Neighbor Discovery
Neighbor Discovery Overview
The switch uses Neighbor Discovery protocol (ND) to gather information about other router and host nodes, including the IPv6 addresses. Host nodes use ND to configure their interfaces and perform health detection. ND allows each node to determine the link-layer addresses of neighboring nodes, and to keep track of each neighbor’s information. A neighboring node is a host or a router that is linked directly to the switch.
You can configure each IPv6 interface as either a host node or a router node. You can manually assign an IPv6 address to an interface in host mode, or the interface can be assigned an IPv6 address by an upstream router, using information from router advertisements to perform stateless auto-configuration.
SSH

Secure Shell (SSH) connections over IPv6 are supported. The following syntax is required from the client:

ssh -u

Example:

ssh -u 2001:2:3:4:0:0:0:142

TFTP

The TFTP commands support both IPv4 and IPv6 addresses. Link-local addresses are not supported.

FTP

The FTP commands support both IPv4 and IPv6 addresses. Link-local addresses are not supported.

DNS client

DNS commands support both IPv4 and IPv6 addresses.
Configuration Guidelines

When you configure an interface for IPv6, consider the following guidelines:

IPv6 only supports static routes.
Support for subnet router anycast addresses is not available.
A single interface can accept either IPv4 or IPv6 addresses, but not both IPv4 and IPv6 addresses.
A single interface can accept multiple IPv6 addresses.
A single interface can accept only one IPv4 address.
IPv6 Configuration Examples

This section provides steps to configure IPv6 on the switch.

IPv6 Example 1

The following example uses IPv6 host mode to autoconfigure an IPv6 address for the interface. By default, the interface is assigned to VLAN 1.

1. Enable IPv6 host mode on an interface.

>> # interface ip 2
>> (config-ip-if)# ip6host
>> (config-ip-if)# enable
>> (config-ip-if)# exit

2. Configure the IPv6 default gateway.
3. Configure Neighbor Discovery advertisements for the interface (optional).

>> # interface ip 3
>> (config-ip-if)# no ipv6 nd suppress-ra

4. Verify the configuration.
CHAPTER 13: IGMP

Internet Group Management Protocol (IGMP) is used by IP Multicast routers to learn about the existence of host group members on their directly attached subnet (see RFC 2236). The IP Multicast routers get this information by broadcasting IGMP Membership Queries and listening for IP hosts reporting their host group memberships.
The switch can sense IGMP Membership Reports from attached clients and act as a proxy to set up a dedicated path between the requesting host and a local IP Multicast router. After the pathway is established, the switch blocks the IP Multicast stream from flowing through any port that does not connect to a host member, thus conserving bandwidth.
With FastLeave enabled on the VLAN, a port can be removed immediately from the port list of the group entry when the IGMP Leave message is received, unless a multicast router was learned on the port. Enable FastLeave only on VLANs that have only one host connected to each physical port.
IGMPv3 Snooping is compatible with IGMPv1 and IGMPv2 Snooping. You can disable snooping on version 1 and version 2 reports, using the following command:

RS G8000 (config)# no ip igmp snoop igmpv3 v1v2

IGMP Snooping Configuration Example

This section provides steps to configure IGMP Snooping on the switch.

Configure IGMP Snooping

1. Configure port and VLAN membership on the switch.

2. Enable IGMP Snooping.

RS G8000 (config)# ip igmp snoop enable

3.
These commands display information about IGMP Groups and Mrouters learned by the switch.

Static Multicast Router

A static multicast router (Mrouter) can be configured for a particular port on a particular VLAN. A static Mrouter does not have to be learned through IGMP Snooping. Any data port can accept a static Mrouter. When you configure a static Mrouter on a VLAN, it replaces any dynamic Mrouters learned through IGMP Snooping.

Configure a Static Multicast Router

1.
IGMP Relay

The G8000 can act as an IGMP Relay (or IGMP Proxy) device that relays IGMP multicast messages and traffic between an Mrouter and end stations. IGMP Relay allows the G8000 to participate in network multicasts with no configuration of the various multicast routing protocols, so you can deploy it in the network with minimal effort. To an IGMP host connected to the G8000, IGMP Relay appears to be an IGMP multicast router (Mrouter).
Configure IGMP Relay

Use the following procedure to configure IGMP Relay.

1. Configure an IP interface and assign VLANs.

>> # interface ip 2
>> (config-ip-if)# ip address 10.10.1.1
>> (config-ip-if)# ip netmask 255.255.255.0
>> (config-ip-if)# vlan 2
>> (config-ip-if)# enable
>> (config-ip-if)# exit
>> # interface ip 3
>> (config-ip-if)# ip address 10.10.2.1
>> (config-ip-if)# ip netmask 255.255.
>> (config-ip-if)# vlan 3
>> (config-ip-if)# enable
>> (config-ip-if)# exit
IGMP Filtering

With IGMP Filtering, you can allow or deny a port to send and receive multicast traffic to certain multicast groups. Unauthorized users are restricted from streaming multicast traffic across the network. If access to a multicast group is denied, IGMP Membership Reports from the port are dropped, and the port is not allowed to receive IP multicast traffic from that group.
Configure IGMP Filtering

1. Enable IGMP Filtering on the switch.

>> # ip igmp filtering

2. Define an IGMP filter.

>> # ip igmp profile 1 range 224.0.1.0 226.0.0.0
>> # ip igmp profile 1 action deny
>> # ip igmp profile 1 enable

3. Assign the IGMP filter to a port.
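A model of how the profile defined in the steps above is applied to Membership Reports, as an added Python example (not the switch's implementation and not code from the guide). The guide does not state whether range bounds are inclusive, how multiple profiles on one port are ordered, or what happens to groups no profile covers; the choices below (inclusive bounds, first enabled match wins, uncovered groups permitted) are assumptions, and the reports and port numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class IgmpProfile:
    """One 'ip igmp profile' entry: a group range, an action and an enable flag."""
    number: int
    range_start: str
    range_end: str
    action: str = "deny"        # "allow" or "deny"
    enabled: bool = True

    def covers(self, group: str) -> bool:
        g = int(ipaddress.IPv4Address(group))
        lo = int(ipaddress.IPv4Address(self.range_start))
        hi = int(ipaddress.IPv4Address(self.range_end))
        return lo <= g <= hi    # ASSUMED: both range bounds are inclusive


def group_permitted(group: str, profiles: List[IgmpProfile], filtering_enabled: bool = True) -> bool:
    """Decide whether a port carrying these profiles may join `group`.

    ASSUMED ordering: profiles are checked in list order and the first enabled
    match decides; a group that no profile covers is permitted.
    """
    if not ipaddress.IPv4Address(group).is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    if not filtering_enabled:      # 'ip igmp filtering' not enabled: nothing is dropped
        return True
    for p in profiles:
        if p.enabled and p.covers(group):
            return p.action == "allow"
    return True


def filter_reports(reports: List[Tuple[int, str]],
                   port_profiles: Dict[int, List[IgmpProfile]],
                   filtering_enabled: bool = True) -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]]]:
    """Split (port, group) Membership Reports into those accepted and those dropped."""
    accepted: List[Tuple[int, str]] = []
    dropped: List[Tuple[int, str]] = []
    for port, group in reports:
        profiles = port_profiles.get(port, [])
        target = accepted if group_permitted(group, profiles, filtering_enabled) else dropped
        target.append((port, group))
    return accepted, dropped


def example() -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]]]:
    """Profile 1 from the steps above (deny 224.0.1.0 to 226.0.0.0), assigned to port 3 only."""
    profile1 = IgmpProfile(1, "224.0.1.0", "226.0.0.0", action="deny")
    port_profiles = {3: [profile1]}            # constructed: step 3 assigns the filter to port 3
    reports = [                                # constructed Membership Reports (port, group)
        (3, "225.1.1.1"),     # inside the denied range on a filtered port: dropped
        (3, "239.1.1.1"),     # outside the range: accepted
        (4, "225.1.1.1"),     # same group, but port 4 has no profile: accepted
        (3, "224.0.0.251"),   # just below the range start: accepted
    ]
    return filter_reports(reports, port_profiles)


if __name__ == "__main__":
    accepted, dropped = example()
    print("accepted:", accepted)
    print("dropped:", dropped)
```

The boundary report for 224.0.0.251 is the case worth checking on real equipment, since an off-by-one in range handling is exactly the kind of defect that lets a denied group through.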
CHAPTER 14: High Availability

RackSwitch G8000s support high-availability network topologies through Layer 2 Failover and an enhanced implementation of the Virtual Router Redundancy Protocol (VRRP). The following topics are discussed in this chapter:

"Layer 2 Failover" on page 192. This section discusses trunk failover without using VRRP.
"VRRP Overview" on page 196. This section discusses VRRP operation and BLADE OS redundancy configurations.
"Failover Methods" on page 198.
Layer 2 Failover

The primary application for Layer 2 Failover is to support Network Adapter Teaming. With Network Adapter Teaming, all the NICs on each server share the same IP address, and are configured into a team. One NIC is the primary link, and the other is a standby link. For more details, refer to the documentation for your Ethernet adapter.

Note – Only two links per server can be used for Layer 2 Trunk Failover (one primary and one backup).
Manual Monitor Configuration

Figure 29 is a simple example of Layer 2 Failover. One G8000 is the primary, and the other is used as a backup. In this example, all ports on the primary switch belong to a single trunk group, with Layer 2 Failover enabled, and Failover Limit set to 2. If two or fewer links in trigger 1 remain active, the switch temporarily disables all control ports. This action causes a failover event on Server 1 and Server 2.
Monitor Port State

A monitor port is considered operational as long as the following conditions are true:

The port must be in the Link Up state.
If STP is enabled, the port must be in the Forwarding state.
If the port is part of an LACP trunk, the port must be in the Aggregated state.

If any of the above conditions is false, the monitor port is considered to have failed.

Control Port State

A control port is considered Operational if the monitor trigger is up.
When the switch determines that ports in the trigger are in STP Forwarding state, then it automatically enables the appropriate control ports. The switch fails back to normal operation.

Configuration Guidelines

This section provides important information about configuring Layer 2 Failover. Any specific failover trigger can monitor ports only, static trunks only, or LACP trunks only. The different types cannot be combined in the same trigger.
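The monitor-port rules, the Failover Limit and the fail-back behaviour described in the preceding sections, replayed as a small state model. This is an added Python example, not the switch's code and not taken from the guide; the port numbers and the sequence of link events are constructed, and the scenario mirrors Figure 29 (Failover Limit 2) with four monitored uplinks assumed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class MonitorPort:
    """One member of a failover trigger, with the state the switch checks."""
    name: str
    link_up: bool
    member_type: str = "port"        # "port", "static-trunk" or "lacp-trunk"
    stp_enabled: bool = False
    stp_forwarding: bool = True
    lacp_aggregated: bool = True     # only consulted for LACP trunk members

    def operational(self) -> bool:
        """Monitor Port State rules: Link Up, Forwarding if STP is on, Aggregated if LACP."""
        if not self.link_up:
            return False
        if self.stp_enabled and not self.stp_forwarding:
            return False
        if self.member_type == "lacp-trunk" and not self.lacp_aggregated:
            return False
        return True


@dataclass
class FailoverTrigger:
    """A trigger: its monitored members, its Failover Limit and the control ports it drives."""
    monitors: List[MonitorPort]
    control_ports: List[str]
    limit: int

    def __post_init__(self) -> None:
        # Configuration guideline: ports, static trunks and LACP trunks
        # cannot be combined in the same trigger.
        kinds = {m.member_type for m in self.monitors}
        if len(kinds) > 1:
            raise ValueError(f"trigger mixes member types: {sorted(kinds)}")

    def active_links(self) -> int:
        return sum(1 for m in self.monitors if m.operational())

    def trigger_up(self) -> bool:
        """Control ports stay enabled only while more than `limit` links remain active."""
        return self.active_links() > self.limit

    def control_port_states(self) -> Dict[str, bool]:
        """Map each control port to its state (True = enabled, False = disabled by failover)."""
        up = self.trigger_up()
        return {port: up for port in self.control_ports}


def walk_through() -> List[bool]:
    """Replay a Figure 29 style scenario: limit 2, four constructed uplinks, STP enabled."""
    uplinks = [MonitorPort(str(n), link_up=True, stp_enabled=True) for n in range(1, 5)]
    trig = FailoverTrigger(uplinks, control_ports=["17", "18"], limit=2)
    history = [trig.trigger_up()]          # 4 active links > 2: control ports enabled
    uplinks[0].link_up = False             # 3 active: still enabled
    history.append(trig.trigger_up())
    uplinks[1].stp_forwarding = False      # 2 active, at the limit: control ports disabled
    history.append(trig.trigger_up())
    uplinks[1].stp_forwarding = True       # back to 3 active: fail back
    history.append(trig.trigger_up())
    return history


if __name__ == "__main__":
    print(walk_through())   # [True, True, False, True]
```

Note that a port that is up but STP-blocked counts as failed, so a spanning-tree topology change alone can trip a trigger; that is the behaviour to keep in mind when choosing the limit.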
VRRP Overview

In a high-availability network topology, no device can create a single point-of-failure for the network or force a single point-of-failure to any other part of the network. This means that your network will remain in service despite the failure of any single device. To achieve this usually requires redundancy for all vital network components.
Master and Backup Virtual Router

Within each virtual router, one VRRP router is selected to be the virtual router master. See "Selecting the Master VRRP Router" on page 198 for an explanation of the selection process.

Note – If the IP address owner is available, it will always become the virtual router master.

The virtual router master forwards packets sent to the virtual router.
Selecting the Master VRRP Router

Each VRRP router is configured with a priority between 1 and 254. A bidding process determines which VRRP router is or becomes the master: the VRRP router with the highest priority. The master periodically sends advertisements to an IP multicast address. As long as the backups receive these advertisements, they remain in the backup state.
Active-Active Redundancy

In an active-active configuration, shown in Figure 30, two switches provide redundancy for each other, with both active at the same time. Each switch processes traffic on a different subnet. When a failure occurs, the remaining switch can process traffic on all subnets. For a configuration example, see "Active-Active Configuration" on page 202.
BLADE OS Extensions to VRRP

This section describes VRRP enhancements that are implemented in BLADE OS. BLADE OS supports a tracking function that dynamically modifies the priority of a VRRP router, based on its current state. The objective of tracking is to have, whenever possible, the master bidding processes for various virtual routers in a LAN converge on the same switch. Tracking ensures that the selected switch is the one that offers optimal network performance.
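The bidding process, the owner rule and the effect of tracking, combined into one election model. This is an added Python example, not BLADE OS code and not from the guide. The per-port increment that tracking adds to the priority is not stated in this chapter, so TRACK_INCREMENT is an assumed placeholder value; the owner priority of 255 and the higher-address tie-break follow standard VRRP rather than anything the guide says here, and the switch names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

OWNER_PRIORITY = 255                   # standard VRRP value for the IP address owner
MIN_PRIORITY, MAX_PRIORITY = 1, 254    # configurable range stated in the guide
TRACK_INCREMENT = 2                    # ASSUMED bonus per tracked port that is up


@dataclass
class VrrpRouter:
    switch: str               # which switch runs this VRRP router (constructed names)
    address: str              # its own IPv4 address on the LAN, used as tie-breaker
    priority: int             # configured priority, 1 to 254
    is_owner: bool = False    # True when this switch owns the virtual router's IP
    track_ports: bool = False # 'virtual-router N track ports' enabled
    ports_up: int = 0         # tracked ports currently up

    def effective_priority(self) -> int:
        """Priority as it enters the bidding, after the owner rule and tracking."""
        if self.is_owner:
            return OWNER_PRIORITY
        if not MIN_PRIORITY <= self.priority <= MAX_PRIORITY:
            raise ValueError(f"priority {self.priority} outside {MIN_PRIORITY}-{MAX_PRIORITY}")
        boost = self.ports_up * TRACK_INCREMENT if self.track_ports else 0
        return min(self.priority + boost, MAX_PRIORITY)   # tracking never reaches the owner value


def elect_master(routers: Iterable[VrrpRouter], available: Optional[Set[str]] = None) -> str:
    """Return the switch that wins the bidding for one virtual router.

    Highest effective priority wins; a tie goes to the higher IP address
    (standard VRRP tie-break). `available` restricts the bidding to switches
    that are currently reachable, modelling a failed peer.
    """
    candidates = [r for r in routers if available is None or r.switch in available]
    if not candidates:
        raise ValueError("no VRRP router is available for this virtual router")
    best = max(candidates,
               key=lambda r: (r.effective_priority(), int(ipaddress.IPv4Address(r.address))))
    return best.switch


def elect_all(virtual_routers: Dict[int, List[VrrpRouter]],
              available: Optional[Set[str]] = None) -> Dict[int, str]:
    """Run the bidding for every virtual router ID and report the master per VRID."""
    return {vrid: elect_master(rs, available) for vrid, rs in virtual_routers.items()}


def active_active_example(available: Optional[Set[str]] = None) -> Dict[int, str]:
    """Constructed two-switch layout: each switch is preferred (priority 101) for one VIR."""
    vrs = {
        1: [VrrpRouter("G8000-1", "192.168.1.1", 101, track_ports=True, ports_up=2),
            VrrpRouter("G8000-2", "192.168.1.2", 100, track_ports=True, ports_up=2)],
        2: [VrrpRouter("G8000-1", "192.168.2.1", 100, track_ports=True, ports_up=2),
            VrrpRouter("G8000-2", "192.168.2.2", 101, track_ports=True, ports_up=2)],
    }
    return elect_all(vrs, available)


if __name__ == "__main__":
    print(active_active_example())                 # {1: 'G8000-1', 2: 'G8000-2'}
    print(active_active_example({"G8000-2"}))      # {1: 'G8000-2', 2: 'G8000-2'}
```

With equal configured priorities, the tracking bonus is what makes both virtual routers converge on the switch with more ports up, which is the convergence goal the section describes; with the 101/100 split of the active-active example, each switch masters one VIR until its peer disappears.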
Virtual Router Deployment Considerations

Assigning VRRP Virtual Router ID

During the software upgrade process, VRRP virtual router IDs will be automatically assigned if failover is enabled on the switch. When configuring virtual routers at any point after upgrade, virtual router ID numbers must be assigned.
High Availability Configurations

G8000s offer flexibility in implementing redundant configurations. This section discusses the more useful and easily deployed configurations:

"Active-Active Configuration" on page 202

Active-Active Configuration

Figure 31 shows an example configuration where two G8000s are used as VRRP routers in an active-active configuration. In this configuration, both switches respond to packets.

VIR 1: 192.168.1.200 (Master)
VIR 2: 192.168.2.
Task 1: Configure G8000 1

1. Configure client and server interfaces.
4. Enable tracking on ports. Set the priority of Virtual Router 1 to 101, so that it becomes the Master.

>> (config-vrrp)# virtual-router 1 track ports
>> (config-vrrp)# virtual-router 1 priority 101
>> (config-vrrp)# virtual-router 2 track ports
>> (config-vrrp)# exit

5. Configure ports.

>> # vlan 10
>> (config-vlan)# enable
>> (config-vlan)# member 1
>> (config-vlan)# exit
>> # vlan 20
>> (config-vlan)# enable
>> (config-vlan)# member 2
>> (config-vlan)# exit

6.
Task 2: Configure G8000 2

1. Configure client and server interfaces.
4. Enable tracking on ports. Set the priority of Virtual Router 2 to 101, so that it becomes the Master.

>> (config-vrrp)# virtual-router 1 track ports
>> (config-vrrp)# virtual-router 2 track ports
>> (config-vrrp)# virtual-router 2 priority 101
>> (config-vrrp)# exit

5. Configure ports.

>> # vlan 10
>> (config-vlan)# enable
>> (config-vlan)# member 1
>> (config-vlan)# exit
>> # vlan 20
>> (config-vlan)# enable
>> (config-vlan)# member 2
>> (config-vlan)# exit

6.
APPENDIX A: Monitoring Ports

The port mirroring feature in the G8000 allows you to attach a sniffer to a monitoring port that is configured to receive a copy of all packets that are forwarded from the mirrored port. The G8000 enables you to mirror port traffic for all layer 2 and layer 3. Port mirroring can be used as a troubleshooting tool or to enhance the security of your network. For example, an IDS server can be connected to the monitor port to detect intruders attacking the network.
Port Mirroring Behavior

This section describes the composition of monitored packets in the switch, based on the configuration of the ports. The following port-mirroring cases apply to the G8000:

Ingress mirrored packets are not modified.
Egress mirrored packets are tagged with the PVID of the egress port.

Configuring Port Mirroring

To configure port mirroring for the example shown in Figure 32:

1.