Configuring User Authentication

This chapter provides the following information about configuring and monitoring user authentication on Enterasys® N‐Series, S‐Series®, and K‐Series modular switches, A‐Series, B‐Series, C‐Series stackable fixed switches, and D‐Series, G‐Series, and I‐Series standalone fixed switches.

Note: Throughout this document:
• Use of the term “modular switch” indicates that the information is valid for the N-Series, S-Series, and K-Series platforms.
Why Would I Use It in My Network? • Convergence End Point (CEP) • RADIUS Snooping Note: The RADIUS Snooping user authentication feature is detailed in the Configuring RADIUS Snooping feature guide. The RADIUS Snooping feature guide can be found at: https://extranet.enterasys.com/downloads. Enterasys switch products support the configuration of up to three simultaneous authentication methods per user, with a single authentication method applied based upon MultiAuth authentication precedence.
Authentication Overview IEEE 802.1x Using EAP The IEEE 802.1x port‐based access control standard allows you to authenticate and authorize user access to the network at the port level. Access to the switch ports is centrally controlled from an authentication server using RADIUS. The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides the means for communicating the authentication information.
switch can contain any Filter‐ID attribute configured on the authentication server, allowing policy to be applied for the authenticating user. PWA enhanced mode is supported. PWA enhanced mode allows a user on an un‐authenticated PWA port to enter any URL into the browser and be presented with the PWA login page on their initial web access. When enhanced mode is disabled, a user must enter the correct URL to reach the login page.

Multi-User Authentication
Multi‐user authentication provides for the per‐user or per‐device provisioning of network resources when authenticating.

[Figure 1: Applying Policy to Multiple Users on a Single Port. User 1 (SMAC 00-00-00-11-11-11), User 2 (SMAC 00-00-00-22-22-22) and User 3 send authentication requests through port ge.1.5; the switch forwards each user's authentication credentials to the RADIUS server and, on the authentication response, installs a dynamic admin rule on the port (for example, Policy 1 for SMAC = 00-00-00-11-11-11).]

[Figure 2: Authenticating Multiple Users With Different Methods on a Single Port. User 1 (SMAC 00-00-00-11-11-11) authenticates with 802.1x and User 2 (SMAC 00-00-00-22-22-22) with PWA; the switch's MAU logic handles both methods against the same RADIUS server.]

[Figure 3: Selecting Authentication Method When Multiple Methods are Validated. The switch keeps a MultiAuth session per SMAC (User 1, User 2, User 3) and the authentication agent selects the single method whose result is applied to each.]

Required authentication credentials depend upon the authentication method being used. For 802.1x and PWA authentication, the switch sends username and password credentials to the authentication server. For MAC authentication, the switch sends the device MAC address and a password configured on the switch to the authentication server. The authentication server verifies the credentials and returns an Accept or Reject message back to the switch.

RFC 3580
Enterasys switches support the RFC 3580 RADIUS tunnel attribute for dynamic VLAN assignment. The VLAN‐Tunnel‐Attribute implements the provisioning of service in response to a successful authentication. On ports that do not support policy, the packet will be tagged with the VLAN‐ID. The VLAN‐Tunnel‐Attribute defines the base VLAN‐ID to be applied to the user.

• Value: Indicates the type of tunnel. A value of 0x0D (decimal 13) indicates that the tunneling protocol is a VLAN.
Tunnel‐Medium‐Type indicates the transport medium to use when creating a tunnel for the tunneling protocol, determined from the Tunnel‐Type attribute.

• A problem with moving an end system to a new VLAN is that the end system must be issued an IP address on the subnet of the new VLAN of which it has become a member. If the end system does not yet have an IP address, this is not usually a problem. However, if the end system has an IP address, the lease of the address must time out before it attempts to obtain a new address, which may take some time.

authorization is enabled globally and on the authenticating user’s port, the VLAN specified by the tunnel attributes is applied to the authenticating user. If VLAN authorization is not enabled, the VLAN specified by the policy profile is applied. See “RFC 3580” on page 10 for information about VLAN authorization.
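As an added illustration (not part of the Enterasys guide), the following Python builds and parses the three RFC 2868 tunnel attributes that RFC 3580 uses for VLAN assignment and applies the decision just described: the tunnel VLAN when VLAN authorization is enabled, otherwise the policy profile's VLAN. The attribute numbers (64, 65, 81), Tunnel-Type 13 and Tunnel-Medium-Type 6 come from the RFCs; the 1-4094 range check and the way the "drop" and "default" invalid actions are modelled are assumptions about switch behaviour, not taken from the product.

```python
"""Added example, not from the Enterasys guide: encode/decode the RFC 2868
tunnel attributes used by RFC 3580 for dynamic VLAN assignment and apply the
switch-side decision described above. Attribute numbers and the VLAN/802
values come from the RFCs; the range check and invalid-action handling are
assumptions about switch behaviour, not product code."""
import struct
from typing import Dict, Optional

TUNNEL_TYPE = 64                # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13           # 0x0D: the tunnelling protocol is a VLAN
TUNNEL_MEDIUM_IEEE_802 = 6      # transport medium: IEEE 802 (RFC 3580)


def encode_vlan_tunnel_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """Build the three TLVs a RADIUS server returns in an Access-Accept.
    Integer tunnel attributes are a 1-byte tag plus a 3-byte big-endian value;
    Tunnel-Private-Group-ID is the tag plus the VLAN-ID as an ASCII string."""
    def tlv(attr_type: int, value: bytes) -> bytes:
        return struct.pack("!BB", attr_type, 2 + len(value)) + value

    def tagged_int(value: int) -> bytes:
        return bytes([tag]) + value.to_bytes(3, "big")

    return (tlv(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + tlv(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def parse_attrs(blob: bytes) -> Dict[int, bytes]:
    """Walk RADIUS attributes (type, length, value). Lengths are validated so
    a malformed reply raises instead of being silently misread."""
    attrs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs[atype] = blob[pos + 2:pos + alen]
        pos += alen
    return attrs


def tunnel_vlan(attrs: Dict[int, bytes]) -> Optional[int]:
    """Return the VLAN-ID described by the tunnel attributes, or None when the
    reply is not an IEEE 802 VLAN tunnel or the VLAN-ID is unusable."""
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(a not in attrs for a in needed):
        return None
    if len(attrs[TUNNEL_TYPE]) != 4 or len(attrs[TUNNEL_MEDIUM_TYPE]) != 4:
        return None
    if int.from_bytes(attrs[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:      # RFC 2868: a leading 0x00-0x1F octet is a tag
        group = group[1:]
    try:
        vid = int(group.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    return vid if 1 <= vid <= 4094 else None   # usable 802.1Q range (assumption)


def assign_vlan(attrs: Dict[int, bytes], vlan_authorization: bool,
                policy_profile_vlan: int, invalid_action: str = "default") -> Optional[int]:
    """Decision described in the guide: with VLAN authorization enabled the
    tunnel VLAN applies, otherwise the policy profile's VLAN. For an invalid
    tunnel VLAN only the 'drop' (return None) and 'default' (policy VLAN)
    actions are modelled; this mapping is an assumption."""
    if vlan_authorization:
        vid = tunnel_vlan(attrs)
        if vid is not None:
            return vid
        if invalid_action == "drop":
            return None
    return policy_profile_vlan


if __name__ == "__main__":
    reply = parse_attrs(encode_vlan_tunnel_attrs(120))
    print(assign_vlan(reply, vlan_authorization=True, policy_profile_vlan=10))   # 120
    print(assign_vlan(reply, vlan_authorization=False, policy_profile_vlan=10))  # 10
```

The parser refuses attributes whose length field runs past the packet rather than reading garbage, and a VLAN-ID outside 1-4094 is treated exactly like a missing one, which is what makes the invalid-action setting matter.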
Configuring Authentication

This section provides details for the configuration of authentication methods, MultiAuth and RADIUS.

For information about... Refer to page...
Configuring IEEE 802.1x 16
Configuring MAC-based Authentication 17
Configuring Port Web Authentication (PWA) 18
Configuring Convergence End Point (CEP) 19
Configuring MultiAuth Authentication 21
Configuring RADIUS 26

Table 1 lists Authentication parameters and their default values.

Table 1 Default Authentication Parameters (continued) (April 15, 2011)
pwa: Globally enables or disables PWA authentication. Default: Disabled.
pwa enhancemode: Allows a user on an un-authenticated port to enter any URL in the browser to access the login page. Default: Disabled.
radius: Enable or disable RADIUS on this device. Default: Disabled.
radius accounting: Enables or disables RADIUS accounting for this device. Default: Disabled.

Configuring IEEE 802.1x
Configuring IEEE 802.1x on an authenticator switch port consists of:
• Setting the authentication mode globally and per port
• Configuring optional authentication port parameters globally and per port
• Globally enabling 802.1x authentication for the switch
Procedure 1 describes how to configure IEEE 802.1x on an authenticator switch port. Unspecified parameters use their default values.

Procedure 1 IEEE 802.

Procedure 1 IEEE 802.1x Configuration (continued)
5. If an entity deactivates due to the supplicant logging off, inability to authenticate, or the supplicant or associated policy settings are no longer valid, you can reinitialize a deactivated access entity. If necessary, reinitialize the specified entity.
   set dot1x init [port-string] [index index-list]
6.

Procedure 2 MAC-Based Authentication Configuration (continued)
6. Display MAC authentication configuration or the status of active sessions.
   show macauthentication
   show macauthentication session
7. If a session or port requires reinitialization, reinitialize a specific MAC session or port.
   set macauthentication macinitialize mac-address
   set macauthentication portinitialize port-string
8.

When enhanced mode is enabled, PWA will use a guest password and guest user name to grant network access with default policy privileges to users without established login names and passwords. In order to configure guest networking privileges, you need to set the guest status, user name, and password. You can set guest status for no authentication, RADIUS authentication, or disabled.

Procedure 4 CEP Detection Group Configuration (continued)
3. Specify the CEP device IP address and mask or set to unknown.
   set cep detection-id id address {ip-address | unknown} mask {mask | unknown}
4. Set the CEP detection group protocol.
   set cep detection-id id protocol {tcp | udp | both | none}
5. Set the maximum or minimum port for the TCP or UDP group protocol.

Procedure 6 describes setting the MultiAuth idle and session timeout for CEP.

Procedure 6 DNS and DHCP Spoofing Configuration
1. Optionally set the MultiAuth authentication idle timeout for this switch.
   set multiauth idle-timeout cep timeout
2. Optionally set the MultiAuth authentication session timeout for this switch.

switch devices). You may change the precedence for one or more methods by setting the authentication methods in the order of precedence from high to low. Any methods not entered are given a lower precedence than the methods entered, in their pre‐existing order. For instance, if you start with the default order and only set PWA and MAC, the new precedence order will be PWA, MAC, 802.1x, and CEP. Given the default order of precedence (802.
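To make the precedence rule concrete, here is an added Python model (not from the guide) of how the precedence list is rebuilt from a partial setting and how the highest-precedence validated method is chosen for a session, the situation drawn in Figure 3. The default order 802.1x, PWA, MAC, CEP is the one the paragraph implies; the session data is constructed.

```python
"""Added model (not from the guide) of MultiAuth precedence: rebuilding the
precedence list from a partial setting and choosing one method per session.
DEFAULT_PRECEDENCE is the order the text implies; session data is constructed."""
from typing import Dict, Iterable, List, Optional, Tuple

DEFAULT_PRECEDENCE: List[str] = ["802.1x", "pwa", "mac", "cep"]


def set_precedence(entered: List[str], current: Optional[List[str]] = None) -> List[str]:
    """Methods given in `entered` (high to low) lead; every method not entered
    follows, keeping its pre-existing relative order."""
    current = list(current or DEFAULT_PRECEDENCE)
    unknown = [m for m in entered if m not in current]
    if unknown:
        raise ValueError(f"unknown authentication method(s): {unknown}")
    if len(set(entered)) != len(entered):
        raise ValueError("a method may be listed only once")
    return list(entered) + [m for m in current if m not in entered]


def select_method(validated: Iterable[str], precedence: List[str]) -> Optional[str]:
    """Figure 3 case: several methods validated the same user; only the
    highest-precedence one is applied."""
    validated = set(validated)
    for method in precedence:
        if method in validated:
            return method
    return None


def apply_sessions(sessions: Dict[str, Dict[str, str]],
                   precedence: List[str]) -> Dict[str, Tuple[str, str]]:
    """sessions maps SMAC -> {validated method: policy returned by RADIUS}.
    Returns SMAC -> (method applied, policy applied) for one port."""
    applied = {}
    for smac, by_method in sessions.items():
        chosen = select_method(by_method, precedence)
        if chosen is not None:
            applied[smac] = (chosen, by_method[chosen])
    return applied


# Constructed sample: User 1 validated via both 802.1x and MAC, User 2 via PWA.
SAMPLE_SESSIONS = {
    "00-00-00-11-11-11": {"802.1x": "engineering", "mac": "printer"},
    "00-00-00-22-22-22": {"pwa": "guest"},
}

if __name__ == "__main__":
    print(set_precedence(["pwa", "mac"]))            # ['pwa', 'mac', '802.1x', 'cep']
    print(apply_sessions(SAMPLE_SESSIONS, DEFAULT_PRECEDENCE))
    print(apply_sessions(SAMPLE_SESSIONS, set_precedence(["mac"])))
```

Raising precedence of MAC above 802.1x changes which policy User 1 receives even though both methods validated, which is why a precedence change should be reviewed together with the policies each method can return.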
Procedure 9 describes setting the MultiAuth authentication port and maximum user properties.

Procedure 9 MultiAuth Authentication Port and Maximum User Properties Configuration
1. Set the specified ports to the MultiAuth authentication optional port mode.
   set multiauth port mode auth-opt port-string
2. Set the specified ports to the MultiAuth authentication required port mode.
   set multiauth port mode auth-reqd port-string
3.

Procedure 10 MultiAuth Authentication Timers Configuration (continued)
4. Reset the maximum amount of time a session can last before termination to the default value for the specified authentication method.
   clear multiauth session-timeout auth-method

Setting MultiAuth Authentication Traps
Traps can be enabled at the system and module levels when the maximum number of users for the system and module, respectively, have been reached.

Table 3 MultiAuth Authentication Traps Configuration (continued)
Display MultiAuth authentication idle timeout values.
   show multiauth idle-timeout
Display MultiAuth authentication session timeout values.
   show multiauth session-timeout
Display MultiAuth authentication trap settings.
   show multiauth trap

Configuring VLAN Authorization
VLAN authorization allows for the dynamic assignment of users to the same VLAN.

If the authentication server returns an invalid policy or VLAN to a switch for an authenticating supplicant, an invalid action of forward, drop, or default policy can be configured. Procedure 13 describes setting dynamic policy profile assignment and invalid policy action configuration.

Procedure 13 Policy Profile Assignment and Invalid Action Configuration
1. Identify the profile index to be used in the VID-to-policy mapping.

Procedure 14 describes authentication server configuration.

Procedure 14 Authentication Server Configuration
1. Configure the index value, IP address, and secret value for this authentication server.
   set radius server index ip-address [secret-value]
2. Optionally set the number of seconds the switch will wait before retrying authentication server establishment.
   set radius timeout timeout
3.

Procedure 15 describes RADIUS accounting configuration.

Procedure 15 RADIUS Accounting Configuration
1. Set the minimum interval at which RADIUS accounting sends interim updates.
   set radius accounting intervalminimum interval
2. Set the number of seconds between each RADIUS accounting interim update.
   set radius accounting updateinterval interval
3. Set the number of times a switch will attempt to contact a RADIUS accounting server.
Authentication Configuration Example

Our example covers the four supported modular switch and three supported stackable fixed switch authentication types being used in an engineering group: end‐user station, an IP phone, a printer cluster, and public internet access. For the stackable fixed switch devices, the example assumes C3 platform capabilities.

[Figure 5: Stackable Fixed Switch Authentication Configuration Example Overview. Stackable switch (1): configure policies, enable RADIUS, enable multi-user authentication. Engineering end-user stations, 802.1x authentication: enable EAPOL, enable 802.1x, set non-authentication ports to force-auth. Printer cluster, MAC authentication: enable MAC authentication, set MAC authentication password, enable port. Public internet access, PWA authentication, behind the LAN cloud.]

5. Configuring the printer cluster MAC authentication for the modular switch configuration. Configuring the public area internet access for PWA for the stackable fixed switch.
6. Configuring the public area internet access for PWA for the modular switch.

Configuring MultiAuth Authentication
MultiAuth authentication must be set to multi whenever multiple users of 802.1x need to be authenticated or whenever any MAC‐based, PWA, or CEP authentication is present.

Configuring the Engineering Group 802.1x End-User Stations
There are three aspects to configuring 802.1x for the engineering group:
• Configure EAP on each end‐user station.
• Set up an account in RADIUS on the authentication server for each end‐user station.
• Configure 802.1x on the switch.

The following CLI input:
• Enables CEP globally on the switch.
• Sets CEP policy to a previously configured policy named siemens with an index of 9.
• Sets ports ge.1.16‐18 to only accept default Siemens type phones and applies the Siemens policy to the specified ports.
System(rw)->set cep enable
System(rw)->set cep policy siemens 9
System(rw)->set cep port ge.1.16-18 siemens enable
This completes the Siemens CEP end‐user stations configuration.

• Set up the RADIUS user account for the public station on the authentication server.
• Enable PWA globally on the switch.
• Configure the IP address for the public station.
• Optionally set up a banner for the initial PWA screen.
• Enable PWA enhancemode so that any URL input will cause the PWA sign-in screen to appear.
• Set PWA gueststatus to RADIUS authentication mode.
• Set the PWA login guest name.
• Set the PWA login password.

Terms and Definitions
Table 4 Quality of Service Configuration Terms and Definitions (continued)
IEEE 802.1x: An IEEE standard for port-based Network Access Control that provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails.

Revision History
05-14-2008 New document
07-11-2008 Added Enterasys Registration mark and fixed Version date in some footers.
02-04-2009 Spelled out D-Series, G-Series, and I-Series when appropriate.
04-29-2009 Clarified stackable fixed switch support. Provided hybrid authentication discussion.
06-23-2009 Clarified Multi-user support for stackable fixed switch devices.
04-15-2011 Added S-Series and K-Series support. Numerous miscellaneous edits.
Flex-Edge

This document describes the Flex‐Edge capability on the Enterasys S‐Series® platform.

For information about... Refer to page...
What is Flex-Edge 1
Implementing Flex-Edge 1
Flex-Edge Overview 2
Terms and Definitions 3

What is Flex-Edge
Flex‐Edge is the capability to classify and prioritize traffic as it enters the switch, assert flow control, and ensure that higher priority traffic received by the switch is forwarded to the packet processor ahead of lower priority traffic.

Flex-Edge Overview
All S‐Series switches support the Flex‐Edge feature, which provides a unique mechanism for the classification of traffic as it enters the switch. Figure 1 on page 2 provides a high level view of Flex‐Edge processing. The advanced MAC chip applies packet classification and bandwidth control to the ingressing packets. If required, the MAC chip sends a MAC pause downstream to temporarily stop the traffic coming at the port.

Priority queueing, from high priority to low priority, is given to the following four traffic categories:
1. Network control – Protocol packets necessary for maintaining network topology such as:
   – L2 (STP, GVRP, LACP)
   – L3 (VRRP, OSPF, RIP, BGP, DVMRP, PIM)
   – ARP
2. Network discovery – Protocol packets used for dissemination of network characteristics such as LLDP, CtronDP, and CiscoDP
3.

Terms and Definitions
Table 1 Flex-Edge Terms and Definitions (continued) (December 02, 2010)
Flex-Edge: An S-Series platform capability to classify and prioritize traffic as it enters the switch, assert flow control, and ensure that higher priority traffic received by the switch is forwarded to the packet processor ahead of lower priority traffic.
MAC pause: A notification to a downstream port to temporarily stop sending packets to this port.

Revision History
December 02, 2010 New Document.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
Configuring Link Aggregation

This document describes the link aggregation feature and its configuration on Enterasys Matrix® N‐Series, S‐Series®, stackable and standalone switch devices.

Note: See the Enterasys Matrix X Router Configuration Guide for X Router link aggregation configuration information.

For information about... Refer to page...

Why Would I Use Link Aggregation in My Network
The concept of grouping multiple ports into a single link is not a new idea. Cabletron's SmartTrunk, Cisco's Inter Switch Link trunking, and Adaptec's Duralink are previous examples. The problem with these older methods, from the network administrator's point of view, is that they are proprietary.

Link Aggregation Overview
This section provides an overview of link aggregation configuration.

LACP Operation
In order to allow LACP to determine whether a set of links connect to the same device, and to determine whether those links are compatible from the point of view of aggregation, it is necessary to be able to establish:
• A globally unique identifier for each device that participates in link aggregation.

Figure 1 displays a LAG formation example containing three devices with five 100Mbps ports and three 1Gb ports configured. For this example, all ports are operating in full‐duplex mode, and the admin key for all LAG ports has been set to 100. Device A is the actor and therefore determines which ports will join a LAG. Devices B and C are the partners. In our example two LAGs have formed because the actor ports are shared between two partner devices.

• Because ports 1 and 2 for both the actor and partner operate in parallel with each other, rule 3 is satisfied for these ports.
• Rule 4 is satisfied, regardless of whether single port LAGs are enabled, because there are two aggregatable port pairings between devices A and B.
For these reasons, LAG 1 (lag.0.1) is formed using actor and partner ports 1 and 2.

This is true because port 4 has the lowest priority of the three ports currently in the LAG, and port 5 has the same speed as the port with the lowest priority in the LAG, regardless of its priority. Because port 6 has both a different speed and a higher priority than the port with the lowest priority in the LAG, it is not moved to the attached state.

Should an aggregatable port be available with all LAG resources depleted for this system, the port is placed in LACP standby state. Ports in standby state do not forward traffic. If all ports initially moved to the attached state for a given LAG become unavailable, a LAG resource will then be available. LACP will initiate a new selection process using the ports in standby state, using the same rules as the initial process of forming LAGs and moving ports to the attached state.

Table 2 LAG Port Parameters (continued)
Administrative State: A number of port level administrative states can be set for both the actor and partner ports. The following port administrative states are set by default:
• lacpactive - Transmitting LACP PDUs is enabled.
• lacptimeout - Transmitting LACP PDUs every 30 seconds. If this state is disabled, LACP PDUs are transmitted every 1 second. Note that the actor and partner LACP timeout values must agree.

• Destination IP address and Source IP address (dip‐sip). This is the most finely tuned criterion in that a port will be assigned based upon a specific IP address combination for the flow. All flows for this IP address combination transit the assigned physical port.
• Destination MAC address and Source MAC address (da‐sa). This criterion is less finely tuned in that a port will be assigned based upon the MAC address combination for the flow.
Configuring Link Aggregation
This section provides details for the configuration of link aggregation on the N‐Series, S‐Series, stackable, and standalone switch products. Table 4 lists link aggregation parameters and their default values.

Table 4 Default Link Aggregation Parameters
LACP State: Current state of LACP on the device. Default: Enabled
System Priority: LACP system priority for this device.

Procedure 1 Configuring Link Aggregation (continued)
5. Optionally, modify the LAG port parameters. See Table 2 on page 7 for a description of port parameters. See Table 4 on page 10 for LACP port active state for your platform.

Link Aggregation Configuration Example

Table 5 Managing Link Aggregation (continued)
Reset the LACP flow regeneration setting to its default value of disabled.
   clear lacp flowRegeneration
Reset the LACP output port algorithm setting to its default value of dip-sip.
   clear lacp outportAlgorithm
Table 6 describes how to display link aggregation information and statistics.

• LAG3 provides an aggregate of four 1Gb ports between the C3 stackable switches and the server.
Each LAG consists of four ports. The primary goal of the aggregates in this example is to provide link and slot redundancy for the affected data streams. With that in mind, LAG members are spread between available system slots. Four out of the five S8 available slots are used, providing complete redundancy at the S8. All three slots are used in the S3.

[Figure 3: Example 1 Multiple Device Configuration. S8 distribution switch: S8-to-S3 ports ge.1.1, ge.2.1, ge.3.1, ge.4.1 with admin key 100 (LAG1); S8-to-stackable ports ge.1.2, ge.2.2, ge.3.2, ge.4.2 with admin key 200 (LAG2). LAG admin keys: LAG 1 = 100, LAG 2 = 200, LAG 3 = 300. System priorities: S8 32768, S3 100, stackable 100, server > 100. Stackable switch, stackable-to-S8 ports ge.1.1, ge.1.2, ge.2.1, ge.2.2 with admin key 200. S3 edge switch, S3-to-S8 ports ge.1.1, ge.1.2, ge.2.1, ge.3.]

Table 7 LAG and Physical Port Admin Key Assignments
S8 Distribution Switch, LAG 1 (LAG admin key 100): ge.1.1, ge.2.1, ge.3.1, ge.4.1 (physical port admin key 100 each)
S8 Distribution Switch, LAG 2 (LAG admin key 200): ge.1.2, ge.2.2, ge.3.2, ge.4.2 (physical port admin key 200 each)
S3 Edge Switch, LAG 1 (LAG admin key 100): ge.1.1, ge.1.2, ge.2.1, ge.3.1 (physical port admin key 100 each)
C3 Stackable Switch, LAG 2 (LAG admin key 200): ge.1.1, ge.1.2, ge.2.1, ge.2.2 (physical port admin key 200 each)
C3 Stackable Switch, LAG 3 (LAG admin key 300): ge.1.3, ge.1.4, ge.2.3, ge.2.

Given that the intent of the example is to have three LAGs of 4 ports each, there is no need to enable the single port LAG feature. Once the LAGs initiate, they will persist across resets. Should only a single port be active after a reset, the LAG will form regardless of the single port LAG feature setting. Flow regeneration is enabled for the S8 and S3 in our example.

Next we want to change the system priority for the S3 so that it will be in charge of port selection on LAG1:
S3(rw)->set lacp asyspri 100
We next enable flow regeneration on the S3:
System(rw)->set lacp flowRegeneration enable

Configuring the C3 Stackable Switch
The first thing we want to do is set the admin key for all LAGs to the non‐default value of 65535 so that no LAGs will automatically form:
C3(rw)->set lacp aadminkey lag.0.

chassis. The first LAG consists of two 1 Gb ports. The second LAG consists of eight 100Mbps ports. In this example we will ensure that the two 1Gb port LAG forms before the eight 100Mbps port LAG. See Figure 4 on page 19 for an illustration of this example, including port, key and port priority assignments. The LAG configuration will ensure that the two 1Gb ports attach to the first available LAG (LAG1).

[Figure 4: Example 2 Configuration. S3 upstream switch, upstream-to-edge ports: ge.1.1-4 port priority 32768, ge.2.1-4 port priority 32768, ge.2.1 port priority 100, ge.3.1 port priority 100, admin key 100 on all ports; LAG1 (key 100) with the attached 1Gb ports and LAG2 (key 100) with the attached 100Mbps ports. Edge switch, edge-to-upstream ports: fe.1.1-8 port priority 32768, ge.2.1 port priority 100, ge.3.]

Configuring the N3 Edge Switch
For this example, we want LAGs to form wherever they can so we will not change the default admin key setting for all LAGs as we did in the multiple device example. Because we want LAG1 and LAG2 as described for this example to form for specific ports, we set the admin key for these LAGs to 100:
N3(rw)->set lacp aadminkey lag.0.1-2 100
LACP port state is enabled by default on the N3, so we do not have to enable LACP port state here.

S3(rw)->set port lacp port ge.1.3 aadminkey 100 enable
S3(rw)->set port lacp port ge.1.4 aadminkey 100 enable
S3(rw)->set port lacp port ge.2.1 aadminkey 100 enable
S3(rw)->set port lacp port ge.2.2 aadminkey 100 enable
S3(rw)->set port lacp port ge.2.3 aadminkey 100 enable
S3(rw)->set port lacp port ge.2.4 aadminkey 100 enable
System priority determines which device will be in charge of port selection. This is an optional consideration.

Terms and Definitions
Table 8 Link Aggregation Configuration Terms and Definitions (continued) (December 02, 2010)
Admin Key: Value assigned to aggregator ports and physical ports that are candidates for joining a LAG. The LACP implementation uses this value to determine which underlying physical ports are capable of aggregating by comparing keys. Aggregator ports allow only underlying ports with admin keys that match the aggregator to join their LAG.

Revision History
December 05, 2008 New Document.
December 02, 2010 Update for S-Series, B5, and C5 platforms.
Configuring Link Flap Detection

This document provides information about configuring the link flap detection feature on Enterasys Matrix® N‐Series, Enterasys SecureStack™, D‐Series, G‐Series, and I‐Series devices.

Note: Link flap detection is not supported on Enterasys Matrix X-Series devices.

For information about... Refer to page...

Basic Link Flap Detection Configuration
Procedure 1 describes the basic steps to configure link flap detection on Matrix N‐Series, SecureStack, D‐Series, G‐Series, and I‐Series devices.

Note: You must be logged in to the Enterasys device with read-write access rights to use the commands shown in this procedure.

Procedure 1 Link Flap Detection Configuration
1.

Example Link Flap Detection Configuration
PoE devices (for example, VoIP phones or wireless access points) connected to a Matrix N device are experiencing intermittent power losses, though the Matrix N device itself has not experienced any corresponding power losses. The network administrator enables link flap detection on a range of PoE ports to which the PoE devices are connected.
Matrix(rw)->set linkflap portstate enable ge.1.

Revision History
01-29-09 New document
Configuring Load Sharing Network Address Translation (LSNAT)

This document provides the following information about configuring LSNAT on the Enterasys Matrix® N‐Series and the Enterasys S‐Series® platforms.

For information about... Refer to page...
What is LSNAT? 1
Why Would I Use LSNAT in My Network? 2
How Can I Implement LSNAT? 3
LSNAT Overview 4
Configuring LSNAT 10
LSNAT Configuration Example 16
Terms and Definitions 25

What is LSNAT?
LSNAT is a load balancing routing feature.

Why Would I Use LSNAT in My Network?
of the server farm associated with the VIP address. The packet is then forwarded to the selected real server (Figure 1).
4. The real server sends a service response back to the client with its address as the response source address.
5. At the router, LSNAT sees the real server address and knows it must first translate it back to the VIP address before forwarding the packet on to the client.

How Can I Implement LSNAT?
Server and TCP/UDP port verification can ensure that the ports used by LSNAT are operational. TCP/UDP port service verification is capable of determining whether a server is active before creating a session. This feature eliminates the point of failure vulnerability by automatically recognizing that a server is down and taking it out of the LSNAT load balancing process.

LSNAT Overview
This section provides an overview of the LSNAT components.

Notes: LSNAT is currently supported on the Enterasys S-Series and N-Series products. This document details the configuration of LSNAT for these products. LSNAT is an advanced routing feature that must be enabled with a license key on the N-Series router. An advanced routing license is currently not required on the S-Series platform.

[Figure 2: LSNAT Packet Flow. The client 196.86.100.12:125 on the global Internet sends to VIP 194.56.13.2:80 (DA 194.56.13.2:80, SA 196.86.100.12:125). The router rewrites the destination to a real server in ServerFarm1 (DA 10.10.125.1:80, SA 196.86.100.12:125); ServerFarm1 holds 10.10.125.1:80, 10.10.125.2:80, 10.10.125.3:80 and 10.10.125.4:80. The response leaves the real server as DA 196.86.100.12:125, SA 10.10.125.1:80, and the router rewrites the source back to the VIP (DA 196.86.100.12:125, SA 194.56.13.2:80).]

The Server Farm
The server farm is a logical entity made up of multiple real servers.

configured with the default weight, each real server is treated equally as described in the simple round robin. When a non‐default weight is applied to any real servers in the server farm, the algorithm takes that weight into account when assigning sessions to the real servers. Consider the following example. A server farm contains three real servers with the following weights: server A has a weight of 1, server B has a weight of 2, and server C has a weight of 3.
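Added example, not the product's scheduler: a Python scheduler that honours real server weights the way the paragraph describes, using the smooth weighted round robin variant (an assumption; the guide only states that weights are taken into account) so that server C is not simply chosen three times in a row. Servers marked down receive no sessions, so a server that failure detection has taken out of service is skipped. Server names and weights are the ones from the paragraph.

```python
"""Added example, not the product's scheduler: weighted session distribution
over a server farm as the paragraph describes (server A weight 1, B weight 2,
C weight 3). The smooth weighted round robin variant is an assumption; the
guide only states that weights are taken into account. Servers marked down
(by failure detection) receive no sessions."""
from collections import Counter
from typing import Dict, Iterable, List, Optional


class WeightedRoundRobin:
    def __init__(self, weights: Dict[str, int]):
        # weight 1 is the default; every real server must have a positive weight
        if any(w < 1 for w in weights.values()):
            raise ValueError("weights must be >= 1")
        self.weights = dict(weights)
        self.current = {s: 0 for s in weights}   # running credit per server
        self.down = set()

    def mark_down(self, server: str) -> None:
        self.down.add(server)

    def mark_up(self, server: str) -> None:
        self.down.discard(server)

    def next_server(self) -> Optional[str]:
        """Pick the real server for a new session. Each candidate earns its
        weight in credit, the highest credit wins and pays back the total, so
        over one cycle server X is chosen weight(X) times, interleaved."""
        candidates = [s for s in self.weights if s not in self.down]
        if not candidates:
            return None                           # whole farm unavailable
        for s in candidates:
            self.current[s] += self.weights[s]
        chosen = max(candidates, key=lambda s: self.current[s])
        self.current[chosen] -= sum(self.weights[s] for s in candidates)
        return chosen


def schedule(weights: Dict[str, int], sessions: int,
             down: Iterable[str] = ()) -> List[Optional[str]]:
    """Return the server chosen for each of `sessions` new sessions."""
    rr = WeightedRoundRobin(weights)
    for s in down:
        rr.mark_down(s)
    return [rr.next_server() for _ in range(sessions)]


def session_counts(weights: Dict[str, int], sessions: int,
                   down: Iterable[str] = ()) -> Dict[str, int]:
    """Sessions per server over `sessions` picks (None entries are dropped)."""
    return dict(Counter(s for s in schedule(weights, sessions, down) if s is not None))


if __name__ == "__main__":
    farm = {"A": 1, "B": 2, "C": 3}
    print(schedule(farm, 6))            # ['C', 'B', 'A', 'C', 'B', 'C']
    print(session_counts(farm, 12))     # {'C': 6, 'B': 4, 'A': 2}
    print(session_counts(farm, 3, down=["C"]))
```

With every weight left at the default of 1 the same code degenerates to the simple round robin described earlier, which is a useful sanity check when changing weights in a live farm.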
LSNAT Overview Ping Real server failure detection can be configured for ping only. In this case, the real server is pinged before a session is created. TCP/UDP Port Service Verification TCP port service verification can be enabled on one or more load balancing servers. A connect request is sent out to the server port. If the connect request succeeds then LSNAT knows the server is up. You can configure TCP failure detection for both ping and TCP port service verification.
You can search for a reply string of “200 OK”. This would result in a successful verification of the service. Because ACV can search for a string in only the first 255 bytes of the response, in most HTTP cases the response will have to be in the packet's HTTP header (that is, you will not be able to search for a string contained in the web page itself). Some protocols such as FTP or SMTP require users to issue a command to close the session after making the request.
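The weighted round robin from the three-server example above (A=1, B=2, C=3) and the 255-byte ACV search window, played out in a small Python model. This is an added example, not Enterasys code: the server names, the canned HTTP replies and the "smooth" weighted round robin ordering are constructed here for illustration.

```python
"""Added example (not Enterasys code): a small model of LSNAT real-server selection.

It illustrates two mechanisms the text describes:
  * weighted round robin across a server farm (weights A=1, B=2, C=3), done here
    as a "smooth" weighted round robin so no server gets a burst of consecutive
    sessions; with every weight left at the default of 1 it is plain round robin
  * Application Content Verification (ACV): the reply to the faildetect command
    is searched for the reply string only within the first read-till-index bytes
    (default 255), and a real server whose check fails leaves the rotation.
Server names, weights and the canned replies are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_READ_TILL = 255  # "Read Till Index" default from the LSNAT parameter table


@dataclass
class RealServer:
    name: str
    weight: int = 1          # default weight, as in the text
    in_service: bool = True  # the CLI "inservice" flag
    alive: bool = True       # outcome of the last failure-detection probe
    current: int = 0         # running counter for smooth weighted round robin


def acv_verify(reply: Optional[bytes], reply_string: str,
               read_till: int = DEFAULT_READ_TILL) -> bool:
    """True only if reply_string occurs within the first read_till bytes of reply.

    reply is None when the TCP connect itself failed.  A match beyond the search
    window (for example deep in an HTML body) does not count.
    """
    if reply is None:
        return False
    return reply_string.encode() in reply[:read_till]


class ServerFarm:
    def __init__(self, name: str) -> None:
        self.name = name
        self.reals: list = []

    def add_real(self, server: RealServer) -> None:
        self.reals.append(server)

    def run_faildetect(self, probe: Callable[[RealServer], Optional[bytes]],
                       reply_string: str, read_till: int = DEFAULT_READ_TILL) -> None:
        """Probe every real server; it stays alive only if its ACV check passes."""
        for r in self.reals:
            r.alive = acv_verify(probe(r), reply_string, read_till)

    def select(self) -> Optional[RealServer]:
        """Pick the real server for a new session (smooth weighted round robin)."""
        candidates = [r for r in self.reals if r.in_service and r.alive]
        if not candidates:
            return None  # every server is down: no session can be created
        total = sum(r.weight for r in candidates)
        best = None
        for r in candidates:
            r.current += r.weight
            if best is None or r.current > best.current:
                best = r  # the first server wins a tie, keeping the order stable
        best.current -= total
        return best


def session_distribution(farm: ServerFarm, sessions: int) -> dict:
    """Count how many of `sessions` new sessions each real server would receive."""
    counts = Counter()
    for _ in range(sessions):
        chosen = farm.select()
        if chosen is not None:
            counts[chosen.name] += 1
    return dict(counts)


def build_example_farm() -> ServerFarm:
    """The three-server farm from the text: A weight 1, B weight 2, C weight 3."""
    farm = ServerFarm("example")
    for name, weight in (("A", 1), ("B", 2), ("C", 3)):
        farm.add_real(RealServer(name, weight))
    return farm


# Constructed replies standing in for what each server returns to the faildetect
# command.  Server B pads its reply so that "200 OK" only appears after byte 255,
# outside the default search window, and therefore fails verification.
CANNED_REPLIES = {
    "A": b"HTTP/1.1 200 OK\r\nServer: example\r\n\r\n",
    "B": b"X-Pad: " + b"x" * 300 + b"\r\n200 OK\r\n",
    "C": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}


def demo() -> dict:
    """Run failure detection, then spread 8 sessions over the servers still up."""
    farm = build_example_farm()
    farm.run_faildetect(lambda r: CANNED_REPLIES.get(r.name), "200 OK")
    return session_distribution(farm, 8)


if __name__ == "__main__":
    print(demo())  # {'C': 6, 'A': 2}: B failed ACV and is out of rotation
```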
address that returns traffic back through the LSNAT router. Since the client IP addresses are usually unknown to the real server, most real servers end up setting their default router to the LSNAT router. If the LSNAT router is not configured as the default router, the LSNAT router and real server must be located somewhere in the network topology that guarantees that return traffic flows through the LSNAT router.
Configuring LSNAT Managing Connections and Statistics There are three aspects to managing connections:
• Clearing all LSNAT counters and bindings or selectively clearing bindings based on ID or matching network tuple information (sip, sport, dip, dport).
• Setting LSNAT limits for the number of bindings, cache size, and number of configurations.
• Displaying LSNAT statistics.
Configuring UDP-One-Shot Many UDP applications send only two packets in the form of a request and a reply.
Table 1 Default LSNAT Parameters (continued)
Parameter: Read Till Index. Description: Specifies the index to read to in the reply search range for a faildetect reply message. Default Value: 255
Parameter: Match Source-Port Binding Mode. Description: Use this command to set the source port to virtual server binding behavior for this virtual server. Default Value: exact
Parameter: Maximum Connections. Description: Specifies the maximum number of connections allowed to an LSNAT real server.
• When different VIPs access the same real server in different server farms, the persistence level must be set the same. In order to use stickiness, the following configuration criteria are required: • Stickiness must be configured for the virtual server. • The real servers in this server farm are to be used for all services. The servers are not allowed to be used with other server farms to support other virtual server services.
Procedure 2 Configuring an LSNAT Real Server (continued)
3. Task: In SLB real server configuration command mode, if application or verification error handling was selected, set the verification string that will be used for this real server’s application verification. Command(s): faildetect acv-command “command-string”
4.
Procedure 3 Configuring an LSNAT Virtual Server (continued)
4. Task: In SLB virtual server configuration command mode, configure the virtual server IP address (VIP) or proceed to the next step and configure a range of virtual server IP addresses. You must specify whether the VIP uses TCP or UDP. For TCP ports you can optionally specify the FTP service; for UDP ports you can optionally specify the TFTP service.
Configuring Global Settings Table 3 describes how to configure LSNAT global settings.
Table 3 Configuring LSNAT Global Settings
Task: In global configuration command mode, optionally specify a non-default FTP control port for all virtual servers. (Default = 21). Command(s): ip slb ftpctrlport port-number
Task: In global configuration command mode, optionally specify a non-default TFTP control port for all virtual servers. (Default = 69).
LSNAT Configuration Example This section provides an enterprise LSNAT configuration example that includes five server farms. These server farms can be logically thought of as either product‐based or enterprise internal server farms. The product‐based server farms are accessible to the general public. The enterprise internal server farms are accessible only to enterprise employees. The myproduct HTTP and FTP server farms provide the product‐based services.
Enterprise Internal HTTP Server Farm The enterprise internal HTTP server farm, real server and virtual server configuration will:
• Handle HTTP requests from enterprise employees using the www.myinternal.com domain.
• Load balance HTTP services across two real servers, using the simple round robin selection process.
• Use Application Content Verification TCP failure detection.
• Use the VIP 194.56.13.3 port 80.
Figure 3 LSNAT Configuration Example (figure)
Configuring the myproductHTTP Server Farm and Real Servers Configure the myproductHTTP server farm by:
• Naming the server farm myproductHTTP
• Configuring round robin as the load balancing algorithm for this server farm (weight will be configured during real server configuration)
Configure the real servers on the myproductHTTP server farm by:
• Configuring the following real servers: 10.10.10.1:80, 10.10.10.2:80, and 10.10.10.
System(rw-config-slb-real)->faildetect acv-command “HEAD / HTTP/1.1\\r\\nHost: www.myproduct.
myproductFTP Server Farm and Real Server CLI Input
System(rw-config)->ip slb serverfarm myproductFTP
System(rw-config-slb-sfarm)->predictor leastconns
System(rw-config-slb-sfarm)->real 10.10.10.4 port 21
System(rw-config-slb-real)->faildetect type both
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit
System(rw-config-slb-sfarm)->real 10.10.10.
• Configuring a faildetect command string, reply string, and read till index value for each HTTP server
• Enabling each real server by placing each server in service
myinternalHTTP Server Farm and Real Server CLI Input
System(rw-config)->ip slb serverfarm myinternalHTTP
System(rw-config-slb-sfarm)->predictor roundrobin
System(rw-config-slb-sfarm)->real 10.10.10.
Configuring the myinternalFTP Server Farm Real Servers Configure the myinternalFTP server farm by:
• Naming the server farm myinternalFTP
• Configuring least connections as the load balancing algorithm for this server farm
Configure the real servers on the myinternalFTP server farm by:
• Configuring the following real servers: 10.10.10.10:21 and 10.10.10.
Configuring the myinternalSMTP Server Farm and Real Servers Configure the myinternalSMTP server farm by:
• Naming the server farm myinternalSMTP
• Configuring simple round robin as the load balancing algorithm for this server farm
Configure the real servers on the myinternalSMTP server farm by:
• Configuring the following real servers: 10.10.10.6:25 and 10.10.10.
This completes the LSNAT configuration example.
Terms and Definitions Table 5 lists terms and definitions used in this LSNAT configuration discussion.
Table 5 LSNAT Configuration Terms and Definitions
Term: Application Content Verification (ACV). Definition: A failure detection LSNAT feature that assures that the server application is running before beginning a session.
Revision History
11/14/2008: New document.
04/16/2009: Added 256MB minimum memory requirement on all modules statement.
09/08/2010: Updated for S-Series. Added new resource-limits table.
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
Configuring Multicast This document provides information about configuring and monitoring multicast on Enterasys Matrix® N‐Series, Enterasys SecureStack™, D‐Series, G‐Series, and I‐Series devices. Note: For information on Enterasys Matrix X-Series support, refer to the Enterasys Matrix X Secure Core Router Configuration Guide.
How Do I Implement Multicast? You can implement the IGMP, DVMRP, and PIM multicast protocols on Enterasys devices using simple CLI commands as described in this document. A basic configuration process involves the following tasks:
1. Configuring the VLANs and IP interfaces on which you want to transmit multicast.
2. Enabling the multicast protocol(s) on configured interfaces. For PIM, you must also configure a unicast routing protocol, such as OSPF.
Understanding Multicast IGMP uses three key components to control multicast membership:
• Source — A server that sends an IP multicast data stream with a particular multicast destination IP and MAC address. A server may not have direct IGMP involvement, as it often does not receive a multicast stream, but only sends a multicast stream.
• Querier — A device that periodically sends out queries in search of multicast hosts on a directly connected network.
IGMP Support on Enterasys Devices Enterasys devices implement IGMP version 2 (RFC 2236), which includes interoperability with version 1 hosts. IGMP version 1 is defined in RFC 1112. Depending on your Enterasys device, IGMP can be configured independently at the switch level (Layer 2) and at the router level (Layer 3).
Each router performs an IGMP forwarding check to see if there are any hosts that want to join the multicast group on its locally attached network. Each router drops multicast packets until a host joins the group using one of the following messages:
– solicited join (sent in response to an IGMP query produced by the router’s interface)
In Figure 2, this type of exchange occurs between Router 1 and Host 1 when:
(3) Router 1 sends a query to potential Host 1.
Key features of DVMRP are the following: • uses the well‐known multicast IP address 224.0.0.
Route Table Each DVMRP‐enabled device builds a DVMRP route table to maintain routes to all networks involved in DVMRP routing. As shown in the following example, the DVMRP route table contains a source network, hop count, route uptime, neighbor expiration time, associated interface, and associated IP address.
matrix(router-config)# show ip dvmrp route
6.0.0.0/8, [70/2], uptime 00:00:29, expires 00:01:51
via ge.2.1, 1.1.1.1
In this example, network 6.0.0.
As shown in the following example, the Mroute table displays the incoming interface IP address, the multicast group address, the uptime of the stream, incoming interface port number, and the outgoing interface port number.
matrix(router-config)# show ip mroute
Multicast Routing Table
(6.6.6.6, 235.1.1.1), uptime: 00:00:38
Incoming interface: ge.2.1
Outgoing interface list: ge.2.7
(6.6.6.6, 235.1.1.2), uptime: 00:00:37
Incoming interface: ge.2.1
Outgoing interface list: ge.2.
4. Determines if there is active source information for the source network, multicast group (S,G) pair.
• If there is not, then the device ignores the prune.
• If there is, then the device proceeds as follows.
5. Verifies that the prune was received from a dependent neighbor for the source network.
• If it was not, then the device discards the prune.
• If it was, then the device proceeds as follows.
4. If the sender was a downstream dependent neighbor from which a prune had previously been received:
• Removes the prune state for this neighbor.
• If necessary, updates any forwarding cache entries based on this (source, group) pair to include this downstream interface.
Figure 3 shows the DVMRP pruning and grafting process.
PIM, a shared‐tree technology, designates a router as the rendezvous point (RP), which is the root of a shared tree for a particular group. All sources send packets to the group via the RP (that is, traffic flows from the sender to the RP, and from the RP to the receiver). By maintaining one RP‐rooted tree instead of multiple source‐rooted trees, bandwidth is conserved. Figure 4 illustrates the PIM traffic flow.
7. A prune message (register‐stop) is sent from the RP to the source’s DR (number 7 in figure). Once traffic is flowing down the SPT, the RPT is pruned for that given S,G. When receivers go away, prunes are sent (S,G prune messages towards the source on the SPT, and *,G prune messages towards the RP on the RPT). When new receivers appear, the process begins again.
• Register‐Stop — These messages are used by the RP to tell the source’s DR to stop registering traffic for a particular source.
• Join/Prune (J/P) — These messages contain information on group membership received from downstream routers. PIM‐SM adopts RPF technology in the join/prune process.
Table 1 PIM Terms and Definitions (continued)
Term: Rendezvous Point (RP). Definition: The root of a group-specific distribution tree whose branches extend to all nodes in the PIM domain that want to receive traffic sent to the group. RPs provide a place for receivers and senders to meet. Senders use RPs to announce their existence, and receivers use RPs to learn about new senders of a group.
Configuring Multicast This section provides the following information about configuring multicast on Enterasys Matrix N‐Series, SecureStack, D‐Series, G‐Series, and I‐Series devices.
For information about... Refer to page...
Configuring IGMP: 15
Configuring DVMRP: 20
Configuring PIM: 24
Note: For information on Enterasys Matrix X-Series support, refer to the Enterasys Matrix X Secure Core Router Configuration Guide.
Table 2 IGMP Configuration Commands (Enterasys Matrix N-Series) (continued)
Task: Delete a static IGMP entry or remove one or more ports from an existing entry. Command: set igmp remove-static group vlan-list [modify] [include-ports] [exclude-ports]
Task: Change the IGMP classification of received IP frames. Command: set igmp protocols [classification classification] [protocol-id protocol-id] [modify]
Task: Clear the binding of IP protocol ID to IGMP classification.
Table 4 lists the Layer 3 IGMP configuration commands for SecureStack C2 and C3 devices and G‐Series devices.
Table 4 Layer 3 IGMP Configuration Commands (SecureStack C2 and C3 and G-Series)
Task: Enable IGMP on the router. Use the no command to disable IGMP on the router. Command: ip igmp
Task: Enable IGMP on an interface. Use the no command to disable IGMP on an interface. Command: ip igmp enable
Task: Set the version of IGMP running on the router.
Basic IGMP Configurations Procedure 1 describes the basic steps to configure IGMP on Enterasys Matrix N‐Series devices. This procedure assumes that the VLANs on which IGMP will run have been configured and enabled with IP interfaces.
Procedure 1 Basic IGMP Configuration (Enterasys Matrix N-Series)
1. Task: In switch mode, configure IGMP for each VLAN interface.
Example IGMP Configuration: Enterasys Matrix N-Series
matrix->set igmp enable 2, 3
matrix->set igmp query-enable 2, 3
Example IGMP Configuration: SecureStack C2
C2(su)->router
C2(su)->router>enable
C2(su)->router#configure
C2(su)->router(Config)#ip igmp
C2(su)->router(Config)#interface vlan 2
C2(su)->router(Config-if(Vlan 2))#ip igmp enable
C2(su)->router(Config-if(Vlan 2))#exit
C2(su)->router(Config)#interface vlan 3
C2(su)->router(Config-if(Vlan 3))#ip igmp enable
C2(su)->router(Co
Table 6 lists Layer 3 IGMP show commands for Enterasys Matrix N‐Series devices.
Table 6 Layer 3 IGMP Show Commands (Enterasys Matrix N-Series)
Task: Display IGMP information regarding multicast group membership. Command: show ip igmp groups
Task: Display multicast-related information about a specific interface or all interfaces. Command: show ip igmp interface [vlan vlan-id]
Table 7 lists Layer 2 IGMP show commands for SecureStack, D‐Series, G‐Series, and I‐Series devices.
Table 10 lists the DVMRP configuration commands for SecureStack C2 and C3 devices and G‐Series devices.
Table 10 DVMRP Configuration Commands (SecureStack C2 and C3 and G-Series)
Task: Enable the DVMRP process. Use the no command to disable the DVMRP process. Command: ip dvmrp
Task: Enable DVMRP on an interface. Use the no command to disable DVMRP on an interface. Command: ip dvmrp enable
Task: Configure the metric associated with a set of destinations for DVMRP reports.
SecureStack C2 and C3 and G-Series Procedure 5 describes the basic steps to configure DVMRP on SecureStack C2 and C3 devices and G‐Series devices.
Procedure 5 Basic DVMRP Configuration (SecureStack C2 and C3 and G-Series)
1. Task: In router configuration mode, enable DVMRP globally. Command: ip dvmrp
2. Task: In router configuration mode, enable DVMRP for each VLAN interface on which DVMRP will run.
Router R2 Configuration For the VLAN 1 interface, which provides connection to the Router R1, an IP address is assigned and DVMRP is enabled. For the VLAN 3 interface which provides connection to the host network, an IP address is assigned and DVMRP is enabled.
matrix->router
matrix->router#enable
matrix->router(config)#interface vlan 1
matrix->router(config-if(Vlan 1))#ip address 192.0.1.1 255.255.255.
Configuring PIM PIM-SM Configuration Commands Table 13 lists the PIM‐SM set commands for Enterasys Matrix N‐Series devices.
Table 13 PIM-SM Set Commands (Enterasys Matrix N-Series)
Task: Enable PIM-SM on a routing interface. Use the no command to disable PIM-SM. Command: ip pim sparse-mode (no ip pim sparse-mode)
Task: Enable the router to announce its candidacy as a BootStrap Router (BSR). Use the no command to remove the router as a BSR candidate.
Basic PIM-SM Configurations By default, PIM‐SM is disabled globally on Enterasys Matrix N‐Series, SecureStack C2 and C3, and G‐Series devices and attached interfaces. Basic PIM‐SM configuration includes the following steps:
1. Creating and enabling VLANs with IP interfaces.
2. Configuring the underlying unicast routing protocol (for example, OSPF).
3. Enabling IGMP on the device (only for SecureStack C2 and C3 devices and G‐Series devices) and on the VLANs.
4.
Procedure 6 Basic PIM-SM Configuration (Enterasys Matrix N-Series) (continued)
4. Task: If static RP set distribution is desired, configure the static RP set information in global configuration mode. The RP set information must be the same on all PIM routers in the network. Note: Static RP set distribution cannot be combined with BSR RP set distribution in the same PIM domain. Command(s): ip pim rp-address rp-address group-address group-mask [priority priority]
Example Configuration Figure 6 illustrates the PIM‐SM configuration of four Enterasys Matrix N‐Series routers shown in the example scripts below. This configuration includes configuring a preferred and a backup BSR for the topology, as well as two RPs for specific multicast groups and a backup RP for all groups.
Figure 6 PIM-SM Configuration with Bootstrap Router and Candidate RPs (figure labels: VLAN 9 172.2.2/24, Router R2, VLAN 3, VLAN 5, 172.1.2/24, 172.2.4/24, VLAN 7, Router R4, VLAN 8 172.1.
R1>Router(config)#interface vlan 3
R1>Router(config-if(Vlan 3))#ip address 172.1.2.1 255.255.255.0
R1>Router(config-if(Vlan 3))#no shutdown
R1>Router(config-if(Vlan 3))#ip pim sparse-mode
R1>Router(config-if(Vlan 3))#exit
R1>Router(config)#interface vlan 4
R1>Router(config-if(Vlan 4))#ip address 172.1.3.1 255.255.255.
Router R3 Configuration On this router, PIM‐SM is enabled on all interfaces. VLAN 10 is configured as a backup candidate BSR, by leaving its priority at the default of 0. VLAN 10 is also configured as a backup candidate RP for multicast group 224.2.2.0/24, by setting its priority value slightly higher (3) than the priority configured on R2 for the same group (2) (since the C‐RP with the smallest priority value is elected). R3>Router(config)#router id 1.1.1.
R4>Router(config)#interface vlan 7
R4>Router(config-if(Vlan 7))#ip address 172.4.4.4 255.255.255.0
R4>Router(config-if(Vlan 7))#no shutdown
R4>Router(config-if(Vlan 7))#ip pim sparse-mode
R4>Router(config-if(Vlan 7))#exit
PIM-SM Display Commands Table 15 lists the PIM show commands for Enterasys Matrix N‐Series devices.
Table 15 PIM Show Commands (Enterasys Matrix N-Series)
Task: Display BSR information.
Table 16 PIM Show Commands (SecureStack C2 and C3 and G-Series) (continued)
Task: Display the PIM-SM static RP information. Command: show ip pimsm staticrp
Task: Display the IP multicast routing table. Command: show ip mroute [unicast-source-address | multicast-group-address] [summary]
Refer to the device’s CLI Reference Guide or Configuration Guide, as applicable, for a description of the output of each command.
Revision History
09-02-08: New document
04-16-09: Added 256MB minimum memory requirement for PIM.
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
Configuring Network Address Translation (NAT) This document provides the following information about configuring Network Address Translation on the Enterasys Matrix® N‐Series and the Enterasys S‐Series® platforms.
Why Would I Use NAT in My Network? Enterasys support for NAT provides a practical solution for organizations that wish to streamline their IP addressing schemes. NAT operates on a router connecting a private network to a public network, simplifying network design and conserving IP addresses.
NAT Overview This section provides an overview of NAT configuration. Notes: NAT is currently supported on the S-Series and N-Series products. This document details the configuration of NAT for the S-Series and N-Series products. NAT is an advanced routing feature that must be enabled with a license key on the N-Series router. An advanced routing license is currently not required on the S-Series platform.
When Server1 responds to Client1, its packet arrives at the NAT router with Client1’s translated address of 200.1.1.1 as the destination address, but leaves the NAT router with Client1’s actual address of 10.1.1.1 as the destination address. Server1’s response is delivered to IP address 10.1.1.1.
Figure 1 Basic NAT Static Inside Address Translation (figure: Client1 on the internal private network and Server1 200.1.1.50 on the external public network with the NAT router between them; on the public side the outbound packet carries DA 200.1.1.50 SA 200.1.1.1 and the reply carries DA 200.1.1.1 SA 200.1.1.50)
Figure 2 Basic NAPT Static Inside Address Translation (figure: Client2 10.1.1.2 sends DA 200.1.1.50:80 SA 10.1.1.2:125; the NAT router forwards it to the external public network as DA 200.1.1.50:80 SA 200.1.1.1:1025; Server1 200.1.1.50 replies with DA 200.1.1.1:1025 SA 200.1.1.50:80, which is delivered on the internal private network as DA 10.1.1.2:125 SA 200.1.1.50:80)
Dynamic Inside Address Translations Dynamic address bindings are formed from a pre‐configured access‐list of local inside addresses and a pre‐configured address pool of public outside addresses.
Figure 3 Basic NAT Dynamic Inside Address Translation (figure: Client1 10.1.1.1 and Client2 10.1.1.2 on the internal private network reach Server1 200.1.1.50 on the external public network through the NAT router; each client's packets leave with one of the pool addresses 200.1.1.1 or 200.1.1.2 as SA, and Server1's replies to those addresses are delivered with the client's private address as DA)
Client1 Walkthrough: A packet arrives at the NAT router from Client1 with a source address of 10.1.1.1:125, but leaves the NAT router with a source address of 200.1.1.1:1024. In both cases the destination is for Server1’s IP address of 200.1.1.50:80. From Server1’s point of view, Client1’s IP address is 200.1.1.1:1024. Server1 doesn’t know anything about its actual IP address of 10.1.1.1:125.
DNS, FTP and ICMP Support NAT works with DNS by having the DNS Application Layer Gateway (ALG) translate an address that appears in a Domain Name System response to a name or inverse lookup. NAT works with FTP by having the FTP ALG translate the FTP control payload. Both FTP PORT CMD packets and PASV packets, containing IP address information within the data portion, are supported. The FTP control port is configurable.
Configuring NAT NAT Binding A NAT flow has two devices associated with it that are in communication with each other: the client device belonging to the inside (private) network and the server device belonging to the outside (public) network. Each active NAT flow has a binding resource associated with it.
Table 1 Default NAT Parameters (continued)
Parameter: Overload. Description: Specifies that NAPT translation should take place for this dynamic pool binding. Default Value: NAT translation
Parameter: Local IP Address. Description: The private IP address for this static NAT binding. Default Value: None
Parameter: Global IP Address. Description: The public IP address for this static NAT binding. Default Value: None
Parameter: Local Port. Description: The private L4 port associated with the local-ip for this static NAPT binding.
Configuring Traditional NAT Static Inside Address Translation Procedure 1 describes how to configure traditional NAT for a static configuration.
Procedure 1 Traditional NAT Static Configuration
1. Task: Enable NAT on all interfaces on which translation takes place for both the internal and external networks. Command(s): ip nat {inside | outside}
2. Task: Enable any static NAT translations of inside source addresses. Command(s): ip nat inside source static local-ip global-ip
3.
NAT Configuration Examples Table 3 Managing a Traditional NAT Configuration
Task: Configure NAT translation timeout values. Command(s): ip nat translation {timeout | udp-timeout | tcp-timeout | icmp-timeout | dns-timeout | ftp-timeout} seconds
Task: Clear dynamic NAT translations. Command(s): clear ip nat translation
Task: Clear a specific active simple NAT translation. Command(s): clear ip nat translation inside global-ip local-ip
Task: Clear a specific dynamic NAT translation.
NAT Static Configuration Example This example steps you through a NAT static configuration for both NAT and NAPT translation methods. See Figure 5 on page 13 for a depiction of the NAT static configuration example setup. Our static NAT configuration example configures two clients: Client1 with NAT translation and Client2 with NAPT translation.
System(su-config-intf-vlan.0.10)->exit
System(rw-config)->
Enable NAT outside interface:
System(rw-config)->interface vlan 100
System(su-config-intf-vlan.0.100)->ip nat outside
System(su-config-intf-vlan.0.100)->exit
System(rw-config)->
Enable Static Translation of Inside Source Addresses Enable the NAT static translation of the inside source address:
System(rw-config)->ip nat inside source static 10.1.1.1 200.1.1.
Figure 6 NAT Dynamic Configuration Example (figure: Client1 10.1.1.1 and the other inside clients on VLAN 10 reach Server1 200.1.1.50 (port 80) through the NAT router, with VLAN 100 as the outside interface and VLAN 200 also shown; the dynamic NAT clients leave with SA 200.1.1.1 or 200.1.1.2, the NAPT clients with SA 200.1.1.3 and a translated port such as 1025, and Server1's replies to those global addresses are delivered to the matching private addresses)
To configure Client3 and Client4 for dynamic NAPT translation on the NAT router, we define access‐list 2 to permit the local IP addresses 10.1.1.3 and 10.1.1.4. We then configure NAT pool dynamicpool with a global range of 200.1.1.3 to 200.1.1.3. We then enable dynamic translation of inside addresses for overload associating access‐list 2 with the NAT pool naptpool.
Define the NAT Pools for Global Addresses Define the NAT Pool for the NAT clients:
System(rw-config)->ip nat pool natpool 200.1.1.1 200.1.1.2 netmask 255.255.255.0
Define the NAT Pool for the NAPT clients:
System(rw-config)->ip nat pool naptpool 200.1.1.3 200.1.1.3 netmask 255.255.255.
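The static, dynamic and overload (NAPT) translations described in the NAT overview walkthrough and configured in this dynamic example, played out in a small Python model of the router's binding table. This is an added example, not Enterasys code; the pool and access-list values follow this configuration example, while the packet tuples and the NAPT port numbering (starting at 1024, as in the Client1 walkthrough) are constructed.

```python
"""Added example (not Enterasys code): a model of the NAT router's binding table.

It plays through the translations the overview and the configuration example
describe: static NAT and static NAPT bindings, dynamic NAT from a pool gated by
an access list, and dynamic NAPT ("overload"), where inside hosts share one global
address and are told apart by port.  Inbound packets are rewritten only when they
match an existing binding, so the model also shows unsolicited outside traffic
being dropped and a non-overload pool running out of addresses.  Addresses follow
the figures; packet tuples and the NAPT port order (from 1024) are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Binding:
    local_ip: str
    local_port: Optional[int]   # None for address-only (NAT) bindings
    global_ip: str
    global_port: Optional[int]


@dataclass
class DynamicRule:
    acl: list        # inside networks the access list permits
    pool: list       # global addresses this rule may hand out
    overload: bool   # True = NAPT: every host shares pool[0]


class NatRouter:
    def __init__(self) -> None:
        self.static: list = []
        self.dynamic: list = []
        self.rules: list = []
        self.next_port = 1024  # next NAPT global port, constructed starting value

    # "ip nat inside source static local-ip global-ip"; ports make it a NAPT entry
    def add_static(self, local_ip, global_ip, local_port=None, global_port=None):
        self.static.append(Binding(local_ip, local_port, global_ip, global_port))

    # "ip nat pool NAME start end" + "ip nat inside source list ACL pool NAME [overload]"
    def add_dynamic_rule(self, acl_networks, start, end, overload=False):
        first, last = int(IPv4Address(start)), int(IPv4Address(end))
        pool = [str(IPv4Address(i)) for i in range(first, last + 1)]
        self.rules.append(DynamicRule([IPv4Network(n) for n in acl_networks],
                                      pool, overload))

    def _allocate(self, pkt: Packet) -> Optional[Binding]:
        """Form a dynamic binding from the first rule whose access list permits src."""
        src = IPv4Address(pkt.src)
        for rule in self.rules:
            if not any(src in net for net in rule.acl):
                continue
            if rule.overload:
                bnd = Binding(pkt.src, pkt.sport, rule.pool[0], self.next_port)
                self.next_port += 1
            else:
                in_use = {b.global_ip for b in self.dynamic}
                free = [ip for ip in rule.pool if ip not in in_use]
                if not free:
                    return None  # pool exhausted: no binding can be formed
                bnd = Binding(pkt.src, None, free[0], None)
            self.dynamic.append(bnd)
            return bnd
        return None  # source is not permitted by any access list

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: rewrite the source address (and port for NAPT)."""
        bnd = next((b for b in self.static + self.dynamic
                    if b.local_ip == pkt.src and b.local_port in (None, pkt.sport)),
                   None) or self._allocate(pkt)
        if bnd is None:
            return None  # no translation possible: the packet is not forwarded
        sport = pkt.sport if bnd.global_port is None else bnd.global_port
        return Packet(bnd.global_ip, sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination from an existing binding only."""
        for b in self.static + self.dynamic:
            if b.global_ip == pkt.dst and b.global_port in (None, pkt.dport):
                dport = pkt.dport if b.local_port is None else b.local_port
                return Packet(pkt.src, pkt.sport, b.local_ip, dport)
        return None  # no binding: unsolicited traffic to a global address is dropped


def build_example_router() -> NatRouter:
    """The dynamic example: access-list 1 -> natpool, access-list 2 -> naptpool overload."""
    nat = NatRouter()
    nat.add_dynamic_rule(["10.1.1.1/32", "10.1.1.2/32"], "200.1.1.1", "200.1.1.2")
    nat.add_dynamic_rule(["10.1.1.3/32", "10.1.1.4/32"], "200.1.1.3", "200.1.1.3",
                         overload=True)
    return nat
```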
Revision History
09/24/2008: New document
02/12/2009: In ip nat inside source context made clear that VLAN option was for an outside VLAN.
04/16/2009: Input an advanced routing license notice that includes the 256 MB requirement on all modules statement.
09/08/2010: Updated for S-Series. Added new resource-limits table.
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice.
Configuring Neighbor Discovery This document provides information about configuring and monitoring neighbor discovery on Enterasys Matrix® N‐Series, Enterasys SecureStack™, D‐Series, G‐Series, and I‐Series devices. Note: For information on Enterasys Matrix X-Series support, refer to the Enterasys Matrix X Secure Core Router Configuration Guide.
How Do I Implement Neighbor Discovery? LLDP, Enterasys Discovery Protocol, and Cisco Discovery Protocol are enabled on Enterasys devices by default. Though all three discovery protocols can run simultaneously, LLDP is the preferred protocol. If a device, attached to a port that has been enabled for neighbor discovery, does not support LLDP but supports Enterasys Discovery Protocol or Cisco Discovery Protocol, then one of those protocols is used instead.
Understanding Neighbor Discovery
Figure 1 Communication between LLDP-enabled Devices (figure: two switches, each holding a discovery MIB that lists, per port, the neighbor device and its info; one lists ge.1.1 IP phone, ge.1.2 PC, ge.1.4 IP switch, the other ge.1.1 IP switch, ge.1.2 IP phone, ge.1.4 IP phone, ge.1.6 IP-PBX, with an info column of x.x.x.x entries)
There are two primary LLDP‐MED device types (as shown in Figure 2 on page 5):
• Network connectivity devices, which are LAN access devices such as LAN switch/router, bridge, repeater, wireless access point, or any device that supports the IEEE 802.1AB and MED extensions defined by the standard and can relay IEEE 802 frames via any method.
Figure 2 LLDP-MED (figure: an IP Network Infrastructure (IEEE 802 LAN) connecting LLDP-MED Network Connectivity Devices, which provide IEEE 802 network access to LLDP-MED endpoints (for example, L2/L3 switch); LLDP-MED Generic Endpoints (Class I), basic participant endpoints in LLDP-MED (for example, IP communications controller); LLDP-MED Media Endpoints (Class II), which support IP media streams (for media gateways, conference bridges); and LLDP-MED Communication Device Endpoints (Class III): Support IP co
LLDPDU Frames As shown in Figure 3, each LLDPDU frame contains the following mandatory TLVs:
• Chassis ID — The chassis identification for the device that transmitted the LLDP packet.
• Port ID — The identification of the specific port that transmitted the LLDP packet. The receiving LLDP agent joins the chassis ID and the port ID to correspond to the entity connected to the port where the packet was received.
Configuring LLDP
– VLAN Name — Allows a bridge to advertise the textual name of any VLAN with which it is configured.
– Protocol Identity — Allows a bridge to advertise the particular protocols that are accessible through its port.
• 802.3 LAN interface extensions TLVs describe attributes associated with the operation of an 802.3 LAN interface:
– MAC/PHY Configuration/Status — Advertises the bit‐rate and duplex capability of the sending 802.
Table 1 LLDP Configuration Commands (continued)
Task: Set the time-to-live value used in LLDP frames sent by this device. The time-to-live for LLDPDU data is calculated by multiplying the transmit interval by the hold multiplier. The default value is 4. Command: set lldp hold-multiplier multiplier-val
Task: Set the minimum interval between LLDP notifications sent by this device. LLDP notifications are sent when a remote system change has been detected. The default value is 5 seconds.
Configuring LLDP Table 1 LLDP Configuration Commands (continued)
Task: Return LLDP parameters to their default values.
Command: clear lldp {all | tx-interval | hold-multiplier | trap-interval | med-fast-repeat}
Task: Return the port status to the default value of both (both transmitting and processing received LLDPDUs are enabled).
Command: clear lldp port status port-string
Task: Return the port LLDP trap setting to the default value of disabled.
Configuring LLDP Basic LLDP Configurations Procedure 1 describes the basic steps to configure LLDP on Enterasys Matrix N‐Series devices.
Procedure 1 Configuring LLDP (Enterasys Matrix N-Series)
Step 1. Configure global system LLDP parameters.
Commands: set lldp tx-interval; set lldp hold-multiplier; set lldp trap-interval; set lldp med-fast-repeat; clear lldp
2.
Configuring LLDP Example LLDP Configuration: Time to Live This example sets the transmit interval to 20 seconds and the hold multiplier to 5, which will configure a time‐to‐live of 100 to be used in the TTL field in the LLDPDU header.
Configuring Enterasys Discovery Protocol Configuring Enterasys Discovery Protocol Enterasys Discovery Protocol Configuration Commands Table 3 lists Enterasys Discovery Protocol configuration commands. Table 3 Enterasys Discovery Protocol Configuration Commands Task Command Enable or disable the Enterasys Discovery Protocol on one or more ports. set cdp state {auto | disable | enable} [port-string] Set a global Enterasys Discovery Protocol authentication code.
Configuring Cisco Discovery Protocol Configuring Cisco Discovery Protocol Cisco Discovery Protocol Configuration Commands Table 5 lists Cisco Discovery Protocol configuration commands. Table 5 Cisco Discovery Protocol Configuration Commands Task Command Enable or disable Cisco Discovery Protocol globally on the device. set ciscodp status {auto | enable | disable} Set the number of seconds between Cisco Discovery Protocol PDU transmissions.
Revision History Date Description 09-29-08 New document 10-15-08 Corrected trademark list and template issues Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
Configuring NetFlow This document describes the NetFlow feature and its configuration on Enterasys® N‐Series, S‐Series, K‐Series, and X‐Series modular switches.
How Can I Implement NetFlow? rescheduled for low usage time blocks, or maybe an illegitimate usage of the network that can be addressed by speaking to the user.
• Can look into the flows that transit the network links, providing a means of verifying whether QoS and policy configurations are appropriately configured for your network.
• Can understand your network’s flow characteristics, allowing for better planning when transitioning to new applications or services.
How Can I Implement NetFlow? Figure 1 NetFlow Network Profile Example (figure: “Profile Your Network Using NetFlow”; it lists captured flows such as an HTTP flow and Voice over IP flows, each shown with source interface, source IP address, destination interface, destination IP address, protocol, TOS, source port, and destination port)
Understanding Flows
2. Choose up to four collectors and a management application, such as Enterasys SIEM or NetSight Release 4.1 or higher, best suited for the purpose for which you are collecting the data. Install the application on the NetFlow collector server(s).
3. Identify the paths used by the data to be collected by NetFlow.
4. Identify the “choke point” interfaces where the IP packet flows you want NetFlow to capture aggregate.
5. Enable NetFlow on the identified interfaces.
6.
Understanding Flows Figure 2 provides a graphic depiction of how these timers interact. Flows 1 and 3 show a single long lasting logical flow. Flow 1 times out and expires at 30 minutes, the active timer length. Because the flow expires, an export packet is sent to the NetFlow collector. Flow 3 continues this long lasting flow for another 10 minutes. At time 40 minutes the flow ends.
• Examining flows by priority
• Characterizing traffic utilization by device
• Examining the amount of traffic per port
Configuring NetFlow on the Enterasys S-Series, N-Series, and K-Series Modules The S‐Series, N‐Series (Gold, Platinum, and Diamond), and K‐Series modules all support NetFlow. NetFlow is disabled by default on all devices at device startup.
Configuring NetFlow on the Enterasys S-Series, N-Series, and K-Series Modules Configuring the Active Flow Export Timer The active flow export timer, also referred to as the export interval, sets the maximum amount of time an active flow will be allowed to continue before expiration for this system. Should the active timer expire and the flow terminate, the underlying flow continues as a separate flow.
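The timer behaviour described above (a long-lasting flow is exported when the active timer expires and then continues as a separate flow, which the collector has to join back together) is easier to see in code. The following is an added example, not Enterasys code and not the switch’s actual cache implementation: a minimal exporter-side flow cache with an active and an inactive timer, plus the collector-side join. The 30-minute active timer matches the figure; the 15-second inactive timer, the 5-tuple flow key, the 10-second packet spacing, and the addresses are all assumptions made up for the scenario.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, int]   # src IP, dst IP, src port, dst port, protocol


@dataclass
class CacheEntry:
    first_seen: float
    last_seen: float
    packets: int
    octets: int


@dataclass
class FlowRecord:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int
    octets: int
    reason: str            # which timer expired: "active" or "inactive"


class FlowCache:
    """Minimal exporter-side flow cache driven by an active and an inactive timer (illustrative only)."""

    def __init__(self, active_timeout: float = 1800.0, inactive_timeout: float = 15.0):
        self.active_timeout = active_timeout      # 30 minutes, as in the figure
        self.inactive_timeout = inactive_timeout  # assumed value; the page gives none here
        self.cache: Dict[FlowKey, CacheEntry] = {}
        self.exported: List[FlowRecord] = []

    def tick(self, now: float) -> None:
        """Expire every entry whose active or inactive timer has run out at time `now`."""
        for key, e in list(self.cache.items()):
            if now - e.first_seen >= self.active_timeout:
                self._export(key, e, "active")
            elif now - e.last_seen >= self.inactive_timeout:
                self._export(key, e, "inactive")

    def observe(self, now: float, key: FlowKey, octets: int) -> None:
        """Account one packet; after an active-timer export the same key starts a fresh entry."""
        self.tick(now)
        e = self.cache.get(key)
        if e is None:
            self.cache[key] = CacheEntry(now, now, 1, octets)
        else:
            e.last_seen, e.packets, e.octets = now, e.packets + 1, e.octets + octets

    def _export(self, key: FlowKey, e: CacheEntry, reason: str) -> None:
        self.exported.append(FlowRecord(key, e.first_seen, e.last_seen, e.packets, e.octets, reason))
        del self.cache[key]


def join_flows(records: List[FlowRecord], max_gap: float = 15.0) -> List[FlowRecord]:
    """Collector-side join: stitch a record onto a preceding active-timer export of the same key."""
    joined: List[FlowRecord] = []
    last_index: Dict[FlowKey, int] = {}
    for r in sorted(records, key=lambda x: (x.key, x.first_seen)):
        idx = last_index.get(r.key)
        prev = joined[idx] if idx is not None else None
        if prev is not None and prev.reason == "active" and r.first_seen - prev.last_seen <= max_gap:
            joined[idx] = FlowRecord(r.key, prev.first_seen, r.last_seen,
                                     prev.packets + r.packets, prev.octets + r.octets, r.reason)
        else:
            joined.append(r)
            last_index[r.key] = len(joined) - 1
    return joined


def simulate_long_flow() -> Tuple[List[FlowRecord], List[FlowRecord]]:
    """Constructed scenario: one 40-minute TCP session, a packet every 10 s, then silence."""
    key: FlowKey = ("10.10.50.7", "192.0.2.10", 51512, 443, 6)   # made-up endpoints
    cache = FlowCache()
    for t in range(0, 2401, 10):              # 0 s .. 2400 s (40 minutes), 241 packets
        cache.observe(float(t), key, 1200)
    cache.tick(2400.0 + cache.inactive_timeout)   # silence after 40 minutes ends the flow
    return cache.exported, join_flows(cache.exported, cache.inactive_timeout)


if __name__ == "__main__":
    exported, logical = simulate_long_flow()
    for rec in exported:
        print("exported:", rec)
    print("joined:  ", logical[0])
```

Running it yields two export records for the one session (the first closed by the active timer at 30 minutes, the second by the inactive timer after the last packet at 40 minutes) and a single joined record covering the whole 40 minutes, which is the reconstruction the management application is expected to perform.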
Configuring NetFlow on the Enterasys S-Series, N-Series, and K-Series Modules When transmitting NetFlow Version 5 reports, the module uses “NetFlow interface” indexes. Normally these would be actual MIB‐2 ifIndex values, but the Version 5 record format limits the values to 2 bytes, which is not sufficient to hold 4‐byte ifIndexes.
Configuring NetFlow on the Enterasys S-Series, N-Series, and K-Series Modules The default behavior is for the template to be sent after 20 flow report packets are sent. Since data record packets are sent out per flow, a long FTP flow may cause the template timeout timer to expire before the maximum number of packets are sent. In any case a refresh of the template is sent at timeout expiration as well.
Configuring NetFlow on the Enterasys S-Series, N-Series, and K-Series Modules If the vlan option is enabled, VLANs associated with both the ingress and egress interfaces are included in the export data for the collector. Use the set netflow export‐data enable {mac | vlan} command to enable either the MAC or VLAN export data. Use the set netflow export‐data disable {mac | vlan} command to disable either the MAC or VLAN export data.
Configuring NetFlow on the X-Series Router Default NetFlow Settings for S-Series, N-Series, and K-Series Systems Table 1 provides a listing of the default NetFlow configuration settings for S‐Series, N‐Series, and K‐Series systems. Table 1 Default NetFlow Configuration Settings for S-Series and N-Series Systems Parameter Description Default Value Cache Status Whether NetFlow caching is globally enabled or disabled.
Configuring NetFlow on the X-Series Router The X‐Series router currently supports data export Version 1 and Version 5. CLI commands are provided to configure certain record format values required for Version 5, such as engine ID and engine type. You must configure a NetFlow export destination before you can enable NetFlow globally or on any ports. NetFlow will start sampling packets after you enable NetFlow globally and on the desired ports.
Configuring NetFlow on the X-Series Router When you execute the clear netflow all command, all NetFlow settings are returned to their default condition. In the case of the global NetFlow cache setting, the default is disabled.
Terms and Definitions Terms and Definitions Table 3 lists terms and definitions used in this NetFlow configuration discussion. Table 3 NetFlow Configuration Terms and Definitions Term Definition Active Flow Timer A timer which specifies the maximum amount of time a flow may stay active. The ongoing flow continues to be tracked as a separate flow. It is the management application’s responsibility to join these flows for analysis/reporting purposes.
NetFlow Version 9 Templates Table 4 NetFlow Version 5 Template Header and Data Field Support (continued)
unix_nsecs — Residual nanoseconds since 0000 UTC 1970.
flow_sequence — Sequence counter of total flows seen.
engine_type — Type of flow-switching engine.
engine_id — Slot number of the flow-switching engine.
sampling_interval — First two bits hold the sampling mode; remaining 14 bits hold value of sampling interval.
count — Number of flows exported in this packet (1-30).
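A collector (or a detection pipeline consuming exports) has to decode these header fields before it can trust a single flow record, so the following added example, which is not Enterasys code and not taken from any collector product, parses a NetFlow Version 5 export packet: it splits the sampling_interval field into its 2-bit mode and 14-bit interval as Table 4 describes, enforces the 1-30 record count, checks that the packet length agrees with that count, and decodes the 48-byte data records. Note that the input and output interface fields are 16-bit values, which is the Version 5 limitation discussed earlier for 4-byte ifIndexes. The sample packet, its addresses, ports, and counters are constructed for the example, not captured data.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Fixed layouts of the NetFlow v5 export format (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")     # 48 bytes
MAX_V5_RECORDS = 30                                       # count is 1-30 per packet


@dataclass
class V5Header:
    version: int
    count: int
    sys_uptime: int         # milliseconds since the exporter booted
    unix_secs: int
    unix_nsecs: int         # residual nanoseconds since 0000 UTC 1970
    flow_sequence: int      # running total of flows exported
    engine_type: int
    engine_id: int          # slot number of the flow-switching engine
    sampling_mode: int      # top 2 bits of the sampling_interval field
    sampling_interval: int  # low 14 bits of the sampling_interval field


@dataclass
class V5Record:
    src_addr: str
    dst_addr: str
    next_hop: str
    input_if: int           # 16-bit "NetFlow interface" index, not a full 4-byte ifIndex
    output_if: int
    packets: int
    octets: int
    first: int              # sys_uptime at first packet of the flow (ms)
    last: int               # sys_uptime at last packet of the flow (ms)
    src_port: int
    dst_port: int
    tcp_flags: int
    protocol: int
    tos: int


def parse_v5_header(data: bytes) -> V5Header:
    """Decode the 24-byte header and split the sampling field into mode and interval."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short NetFlow v5 header")
    (version, count, uptime, secs, nsecs, seq,
     etype, eid, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version={version})")
    if not 1 <= count <= MAX_V5_RECORDS:
        raise ValueError(f"invalid v5 record count {count}")
    return V5Header(version, count, uptime, secs, nsecs, seq, etype, eid,
                    sampling_mode=(sampling >> 14) & 0x3,
                    sampling_interval=sampling & 0x3FFF)


def parse_v5_packet(data: bytes) -> Tuple[V5Header, List[V5Record]]:
    """Decode a whole export packet, refusing a payload whose length disagrees with count."""
    header = parse_v5_header(data)
    expected = V5_HEADER.size + header.count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"length {len(data)} does not match count {header.count} "
                         f"(expected {expected})")
    records: List[V5Record] = []
    for i in range(header.count):
        fields = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, nh, inp, outp, pkts, octs, first, last, sport, dport,
         _pad1, flags, proto, tos, _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = fields
        records.append(V5Record(
            str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            str(ipaddress.IPv4Address(nh)), inp, outp, pkts, octs, first, last,
            sport, dport, flags, proto, tos))
    return header, records


def build_sample_packet() -> bytes:
    """Constructed sample: two flows, sampling mode 1, 1-in-100 sampling (not captured data)."""
    def rec(src: str, dst: str, sport: int, dport: int, proto: int, pkts: int, octs: int) -> bytes:
        return V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
            ipaddress.IPv4Address("0.0.0.0").packed, 7, 12, pkts, octs,
            1000, 5000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    records = [rec("10.1.1.5", "192.0.2.10", 4967, 80, 6, 12, 3400),     # HTTP-like flow
               rec("10.1.1.6", "192.0.2.20", 6234, 5060, 17, 3, 600)]    # SIP-like flow
    header = V5_HEADER.pack(5, len(records), 123456, 1700000000, 0, 42, 0, 1, (1 << 14) | 100)
    return header + b"".join(records)


if __name__ == "__main__":
    hdr, recs = parse_v5_packet(build_sample_packet())
    print(hdr)
    for r in recs:
        print(r)
```

The length check matters in practice: a truncated or padded datagram whose count does not match its size is rejected outright rather than partially decoded, which keeps a malformed export from being counted as real traffic.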
NetFlow Version 9 Templates data record fields defined in the NetFlow standard. The contents of these data record fields are used by the collector software application for flow analysis. Ten base data record fields are included in all Version 9 templates. Up to an additional seven data record fields are included in the appropriate templates.
NetFlow Version 9 Templates specific data records are only supported by IPv4 templates. IPv6 specific data records are only supported by IPv6 templates. Table 7 NetFlow Version 9 Template Data Record Field Support NetFlow Version 9 Base Data Record Fields Data Field Description Templates SIP (Source) IPv4 or IPv6 address of the device that transmitted the packet. 256 - 271 IPv4 addresses (Destination) IPv4 or IPv6 address of the destination device.
NetFlow Version 9 Templates Table 8 NetFlow Version 9 Additional Template Specific Data Record Field Support (NetFlow Version 9 Additional Template Specific Data Record Fields)
Data Field: Destination VLAN — Destination VLAN ID associated with the egress interface for this flow. Templates: IPv4: 258, 259, 262, 263, 266, 267, 270, 271; IPv6: 273, 274, 277, 278, 281, 282, 285, 286
Data Field: Layer 4 Source Port — TCP/UDP source port numbers (for example, FTP, Telnet, or equivalent).
Table 9 NetFlow Version 9 Templates (continued)
264 — Switch and IPv4 route ID template containing IPv4 base data record entries, along with the route next hop.
265 — Switch, IPv4 route ID, and MAC ID template containing IPv4 base data record entries, along with the route next hop and source and destination MAC addresses.
266 — Switch, IPv4 route ID, and VLAN ID template containing IPv4 base data record entries, along with the route next hop, and source and destination VLAN IDs.
NetFlow Version 9 Templates Table 9 NetFlow Version 9 Templates (continued)
281 — Switch, IPv6 route ID, and MAC ID template containing IPv6 base data record entries, along with the route next hop and source and destination MAC addresses.
282 — Switch, IPv6 route ID, and VLAN ID template containing IPv6 base data record entries, along with the route next hop, and source and destination VLAN IDs.
May 18, 2011
Revision History
May 18, 2011 — First Release.
July 28, 2008 — Added Enterasys Registration mark.
October 15, 2008 — Corrected Trademarks list.
January 23, 2009 — Cosmetic changes only.
July 15, 2010 — Updated for S-Series platform.
May 18, 2011 — Updated for Release 7.21 changes and K-Series platform.
Configuring Power over Ethernet Management This document provides information about configuring and monitoring Power over Ethernet (PoE) on the PoE‐compliant models of the Enterasys® N‐Series, S‐Series, and K‐Series modular switches, A‐Series, B‐Series, C‐Series stackable fixed switches, and D‐Series and G‐Series standalone switches. Notes: PoE is not supported on Enterasys® I-Series or X-Series devices.
How Do I Implement PoE? You can configure PoE on your PoE‐compliant Enterasys device through the CLI‐based procedures presented in the section “Configuring PoE” on page 4. As part of your plan to implement PoE in your network, you should ensure the following:
• The power requirements of your PDs are within the limits of the PoE standards.
• Your PoE‐compliant Enterasys device can supply enough power to run your PDs. See Table 1 for power ranges based on each device class.
How Do I Implement PoE?
• Automatic mode, in which available power is distributed evenly to PoE‐capable modules based on PoE port count. (This is the default mode.) Any change in available power, due to a change in power supply status or redundancy mode or to the addition or removal of modules, will trigger an automatic redistribution of power.
• Manual mode, in which the power budget for each PoE‐capable module is manually configured, using either CLI commands or the MIBs.
Configuring PoE Configuring PoE Table 2 lists the PoE settings that you can configure through the CLI on each PoE‐compliant Enterasys device.
Configuring PoE Stackable A2, A4, B2, B3, C2, C3 and Standalone D-Series Devices
Procedure 1 PoE Configuration for Stackable A, B, and C, Standalone D-Series Devices
Step 1. Configure PoE parameters on ports to which PDs are attached.
Command: set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}
• admin — Enables (auto) or disables (off) PoE on a port. The default setting is auto.
Configuring PoE Stackable B5 and C5 Devices
Procedure 2 PoE Configuration for Stackable B5 and C5 Devices
Step 1. Configure PoE parameters on ports to which PDs are attached.
Command: set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}
• admin — Enables (auto) or disables (off) PoE on a port. The default setting is auto.
• priority — Sets which ports continue to receive power in a low power situation.
Configuring PoE Procedure 2 PoE Configuration for Stackable B5 and C5 Devices (continued)
Step 6. (Optional on C5 only) Set the power redundancy mode on the system if two power supplies are installed.
Command: set system power {redundant | non-redundant}
• redundant (default) — The power available to the system equals the maximum output of the lowest rated supply (400W or 1200W). If two supplies are installed in redundant mode, system power redundancy is guaranteed if one supply fails.
Configuring PoE Procedure 3 PoE Configuration for G-Series Devices (continued)
Step 4. (Optional) Specify the method the Enterasys device uses to detect connected PDs.
Command: set inlinepower detectionmode {auto | ieee}
• auto (default) — The Enterasys device first uses the IEEE 802.3af/at standards resistor-based detection method. If that fails, the device uses the proprietary capacitor-based detection method.
• ieee — The Enterasys device uses only the IEEE 802.
Configuring PoE Procedure 3 PoE Configuration for G-Series Devices (continued)
Step 7. (Optional) Configure the allocation mode for system power available for PoE.
Command: set inlinepower mode {auto | manual}
• auto (default) — Available power is distributed evenly to PoE modules based on PoE port count.
Configuring PoE Procedure 3 PoE Configuration for G-Series Devices (continued)
Use the clear command to clear the power value manually assigned to one or more modules.
Command: clear inlinepower assigned [module-number]
Refer to the device’s CLI Reference Guide for more information about each command.
Modular N-Series, S-Series, K-Series Devices
Procedure 4 PoE Configuration for N-Series, S-Series, K-Series Devices
Step 1.
Configuring PoE Procedure 4 PoE Configuration for N-Series, S-Series, K-Series Devices (continued)
Step 4. (Optional) Set the PoE usage threshold on a module. Valid values are 1–99 percent.
Command: set inlinepower threshold usage-threshold module-number
Use the clear command to reset the PoE usage threshold on a specified module to the default value of 80 percent.
Configuring PoE Procedure 4 PoE Configuration for N-Series, S-Series, K-Series Devices (continued)
Step 8. (Only if the set inlinepower mode command is set to manual) Assign specific wattage to a PoE module.
Command: set inlinepower assigned power-value slot-number
If the set inlinepower mode command is set to manual, you must assign power to each PoE module; otherwise, the module ports will not receive power.
Configuring PoE PoE Display Commands Table 3 lists PoE show commands for Enterasys devices. Table 3 PoE Show Commands Task Command Use this command to display PoE properties for a device.
Configuring PoE Revision History
03-02-2009 — New document
06-03-2011 — Revised to add A4, B5, C5, S-Series, K-Series
Configuring Policy This document describes the Enterasys® policy feature and its configuration on Enterasys Matrix® N‐Series, Enterasys SecureStack™, D‐Series, G‐Series, and I‐Series switch devices. Note: See the Enterasys Matrix X Router Configuration Guide for X Router policy configuration information.
How Can I Implement Policy? Security can be enhanced by allowing only intended users and devices access to network protocols and capabilities.
Policy Overview Standard and Enhanced Policy on Enterasys Platforms There are two sets of policy capabilities supported, depending upon the Enterasys platform. Standard policy is supported on all platforms. Standard policy represents the base policy support for Enterasys platforms. Enhanced policy is an additional set of policy capabilities supported on the N‐Series platforms.
Policy Overview network access and resource usage align with the security requirements, network capabilities, and legitimate user needs as defined by the network administrator. The Policy Role A role, such as sales, admin, or engineering, is first identified and defined in the abstract as the basis for configuring a policy role. Once a role is defined, a policy role is configured and applied to the appropriate context using a set of rules that can control and prioritize various types of network traffic.
Policy Overview Assigning a Class of Service to this Role How a packet is treated as it transits the link can be configured in the Class of Service (CoS). It is through a CoS that Quality of Service (QoS) is implemented. A CoS can be configured for the following values: • 802.
Policy Overview Note: VLAN-to-Policy mapping is supported on the B3, C3, and G3 switches for firmware releases 6.3 and greater. Use the set policy maptable command specifying a single VLAN ID or range of IDs and the policy profile‐index to create a policy maptable entry.
Policy Overview
• Applies both the filter‐ID and the VLAN tunnel attributes if all attributes exist
If all attributes exist, the following rules apply:
• The policy role will be enforced, with the exception that any port PVID specified in the role will be replaced with the VLAN tunnel attributes
• The policy map is ignored because the policy role is explicitly assigned
• VLAN classification rules are assigned as defined by the policy role
vlanauthorization must be enabled or the VLAN tunnel attribu
Policy Overview Policy rules are based on traffic classifications. Table 1 on page 8 provides the supported policy rule traffic classification command options and definitions. An X in the enhanced rule column specifies that this traffic classification rule is only supported on enhanced policy platforms. All other traffic classifications are supported by standard policy.
Policy Overview Note: The optional post-fixed port traffic classification listed in Table 1 for IP, UDP, and TCP source and destination port traffic classifications is supported on DFE blades only. A data value is associated with most traffic classifications to identify the specific network element for that classification.
Policy Overview storage does persist after a reset of the device. Use the storage‐type option to specify the desired storage type for this policy rule entry in an enhanced policy context. Forward and Drop Packets for this entry can be either forwarded or dropped for this traffic classification using the forward and drop policy rule options.
Policy Overview SIP(ip), DIP(ip), Protocol, TOS/DSCP, Fragmentation indication, Destination PORT, and Source Port. Use the set policy syslog command to set syslog rule usage configuration. Quality of Service in a Policy Rules Context Quality of Service (QoS) can be specified directly in a policy role as stated in “Assigning a Class of Service to this Role” on page 5. A CoS can also be applied to a policy rule.
Policy Overview Table 2 Non-Edge Protocols (continued)
Protocol: Web Server Protocol — Policy Effect: Stop malicious proxies and application-layer attacks by ensuring only the right Web servers can connect from the right location at the right time, by blocking HTTP on the source port for this device.
Protocol: Legacy Protocols — Policy Effect: If IPX, AppleTalk, DECnet or other protocols should no longer be running on your network, prevent clients from using them.
Policy Overview Table 3 Standard and Enhanced Policy Capability Cross-Reference (continued)
• TCI Overwrite - The ability to overwrite user priority and other VLAN tag TCI field classification information.
• Rule-Use Accounting - The ability to enable policy accounting.
• Rule-Use Notification - The ability to enable syslog and traps for rule hit notification. See Syslog and Trap in Table 4.
Policy Overview Table 4 Policy Capability to Traffic Classification Rule Cross-Reference (continued)
Columns: Traffic Classification Rule | Dynamic | Admin | VLAN | CoS | Drop | Forward | Syslog | Trap | Disable
Time-To-Live (TTL) X X X X
IP Type of Service X X
IP Protocol X X
Ether II Packet Type X X
LLC DSAP/SSAP/CTRL X X X X X
VLAN Tag X X X X
TCI-Overwrite X X X X
Port String
Drop / Forward / Syslog / Trap / Disable marks (column alignment lost in extraction): X X X X X X X X X X X X X X X X X X X X
May 18, 2009
Configuring Policy This section presents configuration procedures and tables including command description and syntax in the following policy areas: profile, classification, and display. Procedure 1 describes how to configure policy roles and related functionality.
Procedure 1 Configuring Policy Roles
Step 1. In switch command mode, create a policy role.
Configuring Policy Procedure 1 Configuring Policy Roles (continued)
• append - (Optional) Appends any egress, forbidden, or untagged specified VLANs to the existing list. If append is not specified, all previous settings for this VLAN list are replaced.
• clear - (Optional) Clears any egress, forbidden or untagged VLANs specified from the existing list.
• tci-overwrite - (Optional) Enhanced policy that enables or disables TCI (Tag Control Information) overwrite for this profile.
Configuring Policy Procedure 1 Configuring Policy Roles (continued)
Step 6. Optionally, for enhanced policy capable devices, set a policy maptable entry that associates a VLAN with a policy profile. This option is also supported by the B3, C3, and G3 for releases 6.3 and greater.
Command: set policy maptable {vlan-list profile-index}
Step 7. Optionally, set a policy maptable response.
Command: set policy maptable response {tunnel | policy | both}
• tunnel - Applies the VLAN tunnel attribute.
Configuring Policy Procedure 2 Configuring Classification Rules (continued)
• trap - (Optional) An enhanced policy that enables or disables sending SNMP trap messages on first rule use.
• disable-port - (Optional) An enhanced policy that enables or disables the ability to disable the ingress port on first rule use.
Step 2. In switch command mode, optionally configure policy rules to associate with a policy role.
Configuring Policy Procedure 2 Configuring Classification Rules (continued)
Step 5. Optionally, for enhanced policy capable devices, enable or disable the ability to clear rule usage information if operational status “up” is detected on any port.
Command: set policy autoclear {[link] [interval interval] [profile {enable | disable}] [ports port-list [append | clear]]}
Step 6. Optionally, for enhanced policy capable devices, set the status of dynamically assigned policy role options.
Configuring Policy Table 5 Displaying Policy Configuration and Statistics (continued)
Task: In switch command mode, display a count of the number of times the device has dropped syslog or trap rule usage notifications on ports. Command: show policy dropped-notify
Task: In switch command mode, display disabled ports for all rule entries. Command: show policy disabled-ports
Task: In switch command mode, display the current state of the autoclear feature.
Policy Configuration Example This section presents a college‐based policy configuration example. Figure 1 displays an overview of the policy configuration. This overview display is followed by a complete discussion of the configuration example.
Figure 1 College-Based Policy Configuration (figure; recoverable labels: a profile with Name, Ports, PVID and CoS fields and a profile with Name, Ports, VLAN and CoS fields; profile 2 student, ports ge.1.1-10, PVID 10, CoS 8; Guest; Services: 10.10.50.0/24; Admin: 10.10.60.0/24; Faculty: 10.10.70.)
Policy Configuration Example Roles The example defines the following roles: • guest ‐ Used as the default policy for all unauthenticated ports. Connects a PC to the network providing internet only access to the network. Provides guest access to a limited number of N3 ports to be used specifically for internet only access. Policy is applied using the port level default configuration, or by authentication, in the case of the N3 port internet only access PCs.
Policy Configuration Example Basic Edge Protocols not appropriate to the edge should be blocked. For this example we will block DHCP, DNS, SNMP, SSH, Telnet and FTP at the edge on the data VLAN. We will forward destination port DHCP and DNS and the source port used for IP address requests, to facilitate auto configuration and IP address assignment. See Blocking Non‐Edge Protocols at the Edge Network Layer on page 11 for a listing of protocols you should consider blocking at the edge.
Policy Configuration Example For this configuration example, CoS related configuration will be specified as a final CoS. For details on configuring CoS, see the QoS Configuration feature guide located at http://secure.enterasys.com/support/manuals/.
Note: CLI command prompts used in this configuration example have the following meaning:
• Enterasys(rw)-> - Input on all platforms used in this example.
• C3(rw)-> - Input on all SecureStack C3 switches.
• StudentC3-> - Input on the student SecureStack C3.
Policy Configuration Example ARP forwarding is required on ether port 0x806.
Enterasys(rw)->set policy rule 1 ether 0x806 mask 16 forward
Assigning the Guest Policy Profile to All Edge Ports Assign the guest policy profile to all SecureStack and N3 edge ports.
Enterasys(rw)->set policy port ge.*.
Policy Configuration Example Students should only be allowed access to the services server (subnet 10.10.50.0/24) and should be denied access to both the administrative (subnet 10.10.60.0/24) and faculty servers (subnet 10.10.70.0/24).
StudentC3(rw)->set policy rule 2 ipdestsocket 10.10.60.0 mask 24 drop
StudentC3(rw)->set policy rule 2 ipdestsocket 10.10.70.
Policy Configuration Example Configuring Policy for the Edge Faculty SecureStack C3 Configuring the Policy Role The faculty role is configured with:
• A profile‐index value of 4
• A name of faculty
• A port VLAN of 10
• A CoS of 8
Create a policy role that applies a CoS 8 to data VLAN 10 and configures it to rate‐limit traffic to 1M with a moderate priority of 5.
Policy Configuration Example
• A name of phoneN3
• A default port VLAN of 0
• A default CoS of 4
Because VLANs can be applied to N3 ports using the appropriate traffic classification, the explicit deny all PVID 0 will be applied at policy creation. Separate rate limits can be applied to the phone setup and payload ports on the N3 using policy rules. A default CoS of 4 will be applied at policy role creation.
Policy Configuration Example Configuring Policy for the Edge Services N-Series N3 Configuring the Policy Role The services role is configured with:
• A profile‐index value of 6
• A name of services
• A default port VLAN of 0
• A default CoS when no rule overrides CoS
• TCI overwrite enabled
ServicesN3(rw)->set policy profile 6 name services pvid-status enable pvid 0 cos-status enable cos 4 tci-overwrite enable
Assigning the VLAN-to-Policy Association Setting the VLAN‐to‐policy association will b
Policy Configuration Example Enable Enhanced Policy Capabilities on the Services N3 Platform The services N3 platform supports enhanced policy.
Terms and Definitions Terms and Definitions Table 6 lists terms and definitions used in this policy configuration discussion. Table 6 Policy Configuration Terms and Definitions Term Definition Administrative Profile A logical container that assigns a traffic classification to a policy role. Class of Service (CoS) A logical container for packet priority, queue, and forwarding treatment that determines how the firmware treats a packet as it transits the link.
Revision History
05-18-2009 — New Document.
Configuring Port Mirroring This document provides the following information about configuring and monitoring port mirroring on Enterasys® N‐Series, S‐Series, K‐Series, and X‐Series modular switches, A‐Series, B‐Series, C‐Series stackable fixed switches, and D‐Series, G‐Series, and I‐Series standalone fixed switches.
Why Would I Use Port Mirroring in My Network? • Many‐to‐many Depending on your network, ports that you can configure to participate in mirroring include physical ports, virtual ports—including Link Aggregation Group (LAG) and host ports—VLAN interfaces, and intrusion detection ports that are members of a LAG. For more information, refer to “Overview of Port Mirroring Configurations on Enterasys Switches” on page 4.
How Do I Implement Port Mirroring? Figure 2 Using Port Mirroring to Monitor All Incoming Traffic to a Backbone Switch The many‐to‐one configuration in this example is achieved by setting a port mirror on the backbone switch from source ports 1.2, 2.2 and 2.1 to destination port 1.1.
How Do I Implement Port Mirroring? You can implement port mirroring on Enterasys switching devices using simple CLI commands.
Overview of Port Mirroring Configurations on Enterasys Switches Table 1 Port Mirroring Support on Enterasys Switches (continued) Switch IDS VLAN LAG Max.
Overview of Port Mirroring Configurations on Enterasys Switches Refer to the Link Aggregation section of your device’s Configuration Guide or CLI Reference for more information. When used as a source port in a mirror, LAG ports act identically to a single physical port. Either dynamic or static LAGs can be used as source ports. When used as a destination port in a mirror, the mirror is configured as an IDS mirror as described in the next section. Only static LAGs can be used as destination ports.
Configuring Port Mirrors VLAN Mirrors Note: This function is supported only on N-Series, S-Series, and K-Series devices. Creating a VLAN and setting a mirror for the VLAN allows you to monitor all traffic to your specified VLAN interface. For example, you could track all data traveling in and out of a confidential group of workstations, such as a Finance VLAN, by analyzing only one connection point.
Configuring Port Mirrors There is no restriction on the number of source ports that can be included in a mirror to a destination port. The number of active destination or “target” ports allowed at any given time is device‐specific. Refer to Table 1 for a list of support and capacity for each device. Once configured, all packets (network, data, control, etc.) received by the switch will be mirrored. Errored packets will not be mirrored.
Configuring Port Mirrors display the VTAP port. To create the port mirror use the set port mirroring create command specifying the VTAP and the mirrored port. Note: IGMP mirroring functionality (igmp-mcast) is not supported on N-Series Gold devices. If not specified, both received and transmitted frames will be mirrored. Examples This example shows how to create a port mirror to mirror frames transmitted out port fe.1.4 to port fe.1.11: enterasys(rw)->set port mirroring enable fe.1.4 fe.1.
Configuring Port Mirrors • Clearing Port Mirroring (page 10) Reviewing Port Mirroring Use this command to display the status of port mirroring and information about any mirrors configured: show port mirroring Examples This example shows that ports ge.4.1 through ge.4.5 are mirrored to port ge.4.
Configuring Port Mirrors Clearing Port Mirroring Use this command to clear a port mirroring configuration: clear port mirroring source destination Example The following example clears port mirroring between source port ge.6.23 and target port ge.6.26:
enterasys(switch-su)-> show port mirroring
Source       Destination  Direction  AdminStatus
------------ ------------ ---------  -----------
ge.6.23      ge.6.26      Rx and Tx  enabled
ge.6.24      ge.6.26      Rx and Tx  enabled
ge.6.25      ge.6.
Example: Configuring and Monitoring Port Mirroring This section describes how to use Enterasys NetSight Console from a Network Management Station (NMS) to display RMON statistics for monitoring port mirroring. It uses the configuration illustrated in Figure 3.
Example: Configuring and Monitoring Port Mirroring The Add Device screen displays. 5. Model the Platinum DFE by entering its IP address in the field provided. Click OK. 6. (Optional) Model the Gold DFE by repeating steps 4 and 5, using its IP address. 7. On the console main screen, expand All Devices in the file directory tree to show the IP address(es) of the device(s) you just modeled. 8. Right click on 172.16.210.15 (the IP address of the Platinum DFE) and select Device Manager.
Example: Configuring and Monitoring Port Mirroring 10. Repeat step 9 for port 5 (fe.1.5 shown in Figure 3). RMON Ethernet statistics charts will display for ports 1 and 5. 11. Note that the section of the two charts that shows the frame count by frame size lists no larger size frames (512‐1518 bytes). In the next step, you will create large frames. 12. Open the Command Prompt window and set up a continuous ping to the Platinum DFE, as shown below.
Example: Configuring an IDS Mirror Example: Configuring an IDS Mirror Note: This function is not supported on N-Series Gold, X-Series, stackable or standalone fixed switch devices. As stated in the overview about IDS Mirrors on page 5, N‐Series Diamond and Platinum DFEs, S‐Series, and K‐Series support IDS mirroring on ports that are members of a Link Aggregation Group (LAG). The maximum number of physical ports allowed per LAG is platform specific.
Revision History Date Description 01-16-08 New document 02-20-08 Corrected product naming conventions. 03-12-08 Added statement that VLAN mirroring is not supported on SecureStacks and switches. 07-28-08 Added Enterasys Registration mark. 02-04-09 Spelled out D-Series, G-Series, and I-Series when appropriate. 04-16-09 Added note: port mirrors are automatically enabled on all platforms upon creation. 05-04-2011 Added S-Series and K-Series, other minor changes.
Configuring Quality of Service (QoS) This chapter provides the following information about configuring and monitoring Quality of Service (QoS) on Enterasys® N‐Series, S‐Series®, and K‐Series modular switches, A‐Series, B‐Series, C‐Series stackable fixed switches, and D‐Series, G‐Series, and I‐Series standalone fixed switches. Note: Please see the Enterasys X Secure Core Router Configuration Guide for a complete discussion of QoS as it applies to the X-Series. For information about... Refer to page...
Why Would I Use It in My Network? The S‐Series Flex‐Edge feature, supported only on S‐Series switches, provides the unique capability to classify and prioritize traffic as it enters the switch, assert flow control, and ensure that higher priority traffic received by the switch is forwarded to the packet processor ahead of lower priority traffic. A separate feature guide exists for the S‐Series Flex‐Edge feature and can be found at https://extranet.enterasys.com/downloads.
Quality of Service Overview Class of Service (CoS) You implement QoS features in a Class of Service (CoS). There are four hardware resource components that can be configured as part of a CoS. • Transmit Queues (TxQ) ‐ represent the queuing hardware resources for each port that are used in scheduling packets for egressing the device, as well as rate shaping of traffic based upon outbound buffering.
Quality of Service Overview Table 1 CoS Configuration Terminology (continued) Term Description CoS Port Resource Specifies the transmit queue rate shaping or IRL, ORL, or flood control rate limiter threshold value that the CoS reference is mapped to. CoS Port Configuration Specifies the ports to which CoS resource configuration should be applied, and provides for TxQ scheduling.
Quality of Service Overview Figure 1 Assigning and Marking Traffic with a Priority The ICMP protocol, used for error messaging, has a low bandwidth requirement, with a high tolerance for delay and jitter, and is appropriate for a low priority setting. HTTP and FTP protocols, used respectively for browser‐generated and file transfer traffic, have a medium to high bandwidth requirement, with a medium to high tolerance for delay and jitter, and are appropriate for a medium priority level.
Quality of Service Overview resource reference configured in CoS settings, and the actual TxQ or rate limiting port resource for this mapping. Port Group and Type CoS port groups provide for grouping ports by CoS feature configuration and port type. Ports are required to be configured by groups: this feature provides a meaningful way of identifying ports by similar functionality and port type. Groups consist of a group number and port type and are numbered as such, port‐group.port‐type.
Quality of Service Overview Port Resources Use the CoS port resource configuration layer to associate actual rate limiter values to a port group and hardware resource. Configure CoS port resource by identifying the CoS hardware resource type (TxQ, IRL, ORL, or flood control), port group, and port resource, followed by a rate limiter, or in the case of TxQ, a rate shaper. The rate limit or rate shaper is specified as a unit and a data rate.
Quality of Service Overview TxQ Scheduling TxQs can be configured for TxQ scheduling, also referred to as weighted fair queuing. See Weighted Fair Queuing on page 9 for a detailed discussion of weighted fair queuing. See Preferential Queue Treatment for Packet Forwarding on page 8 for a detailed discussion of all queue treatment types supported. TxQ scheduling is configured in CoS port configuration using the arb‐slice or arb‐percentage options.
Quality of Service Overview Figure 2 Strict Priority Queuing Packet Behavior Low Latency Queuing A Low Latency Queue (LLQ) is a non‐configurable strict priority queue. LLQs are designed to guard against: • Packet loss • Delay • Jitter LLQ hardware resources cannot be configured, but a policy can be configured for a CoS that is mapped to an LLQ. In this way, traffic associated with high value real‐time voice or video packets can be mapped to an LLQ.
Quality of Service Overview access to its percentage of time slices so long as there are packets in the queue. Then queue 2 has access to its percentage of time slices, and so on round robin. Weighted fair queuing assures that each queue will get at least the configured percentage of bandwidth time slices. The value of weighted fair queuing is in its assurance that no queue is starved for bandwidth.
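The strict-priority LLQ and the weighted fair queuing described above can be put together in a small scheduler simulation. The following is an added example written for this page, not Enterasys code or the switch's scheduler; the queue ids (15 standing in for the LLQ, 8, 6 and 4 for the weighted queues), the arb-percentage shares and the packet counts are constructed. It serves the LLQ whenever it holds a packet and shares the remaining time slices among the other queues by a smooth weighted round robin, so each backlogged queue receives its configured percentage of the non-LLQ slices:

```python
"""Hybrid queuing: a strict-priority Low Latency Queue served ahead of weighted
fair queues.  Added example, not Enterasys code; queue ids, percentages and
packet counts are constructed."""

from typing import Dict, Optional


class HybridScheduler:
    """Serves one packet per time slice.

    llq     -- id of the strict-priority low latency queue
    weights -- {queue id: arb-percentage} for the weighted fair queues; the
               percentages are relative shares of the non-LLQ time slices
    """

    def __init__(self, llq: int, weights: Dict[int, int]) -> None:
        self.llq = llq
        self.weights = dict(weights)
        self.backlog: Dict[int, int] = {q: 0 for q in [llq, *weights]}
        self._credit: Dict[int, int] = {q: 0 for q in weights}   # WRR credit

    def enqueue(self, queue: int, packets: int) -> None:
        self.backlog[queue] += packets

    def _pick_wfq(self) -> Optional[int]:
        """Smooth weighted round robin over the WFQ queues that hold packets:
        each gains credit equal to its percentage, the richest transmits and
        pays back the sum of the active percentages.  Over a full cycle every
        backlogged queue is served exactly in proportion to its percentage,
        so no queue is starved while others are busy."""
        active = [q for q in self.weights if self.backlog[q] > 0]
        if not active:
            return None
        for q in active:
            self._credit[q] += self.weights[q]
        chosen = max(active, key=lambda q: self._credit[q])
        self._credit[chosen] -= sum(self.weights[q] for q in active)
        return chosen

    def run(self, slices: int) -> Dict[int, int]:
        """Run `slices` time slices; return packets transmitted per queue."""
        sent = {q: 0 for q in self.backlog}
        for _ in range(slices):
            if self.backlog[self.llq] > 0:      # strict priority: LLQ first
                queue: Optional[int] = self.llq
            else:
                queue = self._pick_wfq()
            if queue is None:                   # nothing queued this slice
                continue
            self.backlog[queue] -= 1
            sent[queue] += 1
        return sent


def demo() -> Dict[int, int]:
    """Constructed scenario: queue 15 is the LLQ; queues 8, 6 and 4 carry
    50/30/20 percent and are all saturated; 10 real-time packets arrive."""
    sched = HybridScheduler(llq=15, weights={8: 50, 6: 30, 4: 20})
    sched.enqueue(15, 10)
    for q in (8, 6, 4):
        sched.enqueue(q, 1000)
    return sched.run(100)        # {15: 10, 8: 45, 6: 27, 4: 18}


if __name__ == "__main__":
    print(demo())
```

Over 100 slices the 10 LLQ packets go out first and the remaining 90 slices split 45/27/18, matching the 50/30/20 shares; a queue that is the only backlogged one takes every slice, which is the non-starvation property the text describes.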
Quality of Service Overview Figure 4 Hybrid Queuing Packet Behavior Rate Limiting Rate limiting is used to control the rate of traffic entering (inbound) and/or leaving (outbound) a switch per CoS. Rate limiting allows for the throttling of traffic flows that consume available bandwidth, in the process providing room for other flows.
Quality of Service Overview Figure 5 Rate Limiting Clipping Behavior Flood Control CoS‐based flood control is a form of rate limiting that prevents configured ports from being disrupted by a traffic storm by rate limiting specific types of packets through those ports. When flood control is enabled on a port, incoming traffic is monitored over one second intervals.
CoS Hardware Resource Configuration Figure 6 Rate Shaping Smoothing Behavior Rate shaping retains excess packets in a queue and then schedules these packets for later transmission over time. Therefore, the packet output rate is smoothed and bursts in transmission are not propagated as seen with rate limiting.
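The clipping-versus-smoothing difference between rate limiting and rate shaping is easiest to see in a per-interval simulation. The following is an added example, not Enterasys code; the arrival pattern is constructed, the 5,000 pps threshold is the value the ORL example in this chapter uses, and a 10,000-packet shaper buffer is assumed:

```python
"""Rate limiting (clipping) versus rate shaping (smoothing).  Added example,
not Enterasys code; the per-interval arrival counts are constructed."""

from typing import List, Tuple


def rate_limit(arrivals: List[int], rate: int) -> Tuple[List[int], int]:
    """Rate limiter: in each interval forward at most `rate` packets and drop
    the excess.  Returns (forwarded per interval, packets dropped).  The output
    is clipped at `rate`; nothing of the burst is carried into later intervals."""
    forwarded: List[int] = []
    dropped = 0
    for n in arrivals:
        tx = min(n, rate)
        forwarded.append(tx)
        dropped += n - tx
    return forwarded, dropped


def rate_shape(arrivals: List[int], rate: int, buffer_size: int) -> Tuple[List[int], int]:
    """Rate shaper: excess packets are held in a queue and scheduled in later
    intervals, so the output is smoothed instead of clipped.  Packets are lost
    only when the queue itself overflows `buffer_size`.  The returned list is
    extended past the arrivals until the queue has drained."""
    forwarded: List[int] = []
    dropped = 0
    backlog = 0
    for n in arrivals:
        available = backlog + n
        tx = min(available, rate)
        backlog = available - tx
        if backlog > buffer_size:        # queue full: tail-drop the overflow
            dropped += backlog - buffer_size
            backlog = buffer_size
        forwarded.append(tx)
    while backlog:                       # drain what the burst left behind
        tx = min(backlog, rate)
        backlog -= tx
        forwarded.append(tx)
    return forwarded, dropped


# Constructed bursty arrivals (packets per one-second interval) against a
# 5,000 pps threshold.
ARRIVALS = [2000, 12000, 1000, 0, 8000, 0, 0]
RATE_PPS = 5000


def compare() -> dict:
    """Run both mechanisms over the same arrivals and report the results."""
    limited, lim_drop = rate_limit(ARRIVALS, RATE_PPS)
    shaped, shp_drop = rate_shape(ARRIVALS, RATE_PPS, buffer_size=10000)
    return {
        "arrived": sum(ARRIVALS),
        "limiter": {"forwarded": limited, "dropped": lim_drop},
        "shaper": {"forwarded": shaped, "dropped": shp_drop},
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The limiter forwards 13,000 of the 23,000 packets and drops the rest inside the burst intervals; the shaper forwards all 23,000 but spreads the two bursts over the following idle intervals. With a smaller buffer (4,000 packets) the shaper also tail-drops, which is the trade-off between buffering delay and loss.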
CoS Hardware Resource Configuration • Names the port group • Assigns ports to the port group • Configures non‐LLQ queues for weighted fair queuing • Maps references to both a best effort and a control queue, based on the already existing LLQs on the device • Maps CoS priority settings to the queues • Enables CoS • Provides related show command displays CoS Port Configuration Layer For the CoS port configuration layer, use the set cos port‐config txq command to: • Configure a new port group t
CoS Hardware Resource Configuration CoS Settings Configuration Layer The final step is to assign the CoS indexes to the TxQ references. In this example, CoS Index 0 (802.1 priority 0) will be our best effort traffic, and CoS Index 7 (802.1 priority 7) will be assigned to our critical queue. All other priorities will map to the WFQs.
CoS Hardware Resource Configuration
1.0 4 txq 4
1.0 5 txq 5
1.0 6 txq 6
1.0 7 txq 7
1.0 8 txq 9
1.0 9 txq 8
1.0 10 txq 8
1.0 11 txq 8
1.0 12 txq 8
1.0 13 txq 8
1.0 14 txq 9
1.0 15 txq 10
Use the show cos port‐config txq command to display the CoS port layer configuration:
System(su)->show cos port-config txq 1.
CoS Hardware Resource Configuration The remainder of this section details a TxQ rate shaping configuration that: • Configures port group 2.0 for port ge.2.17 • Names port group 2.0 txqRateShaper • Configures all other ports for port group 0.0 • Sets the port resource rate for port group 2.
CoS Hardware Resource Configuration
3 3 * 6 * * * Disabled
4 4 * 8 * * * Disabled
5 5 * 10 * * * Disabled
6 6 * 12 * * * Disabled
7 7 * 14 * * * Disabled
Note: When a CoS show command displays a default TxQ listing, TxQ numbering is based upon a 16 queue display. 8 user configurable queues are listed as even numbers from 0 to 14. No CoS reference configuration was required for this example. The CoS reference show command will display the default configuration.
CoS Hardware Resource Configuration
2.0 3 txq perc none tail-drop
2.0 4 txq perc none tail-drop
2.0 5 txq perc none tail-drop
2.0 6 txq perc none tail-drop
2.0 7 txq perc none tail-drop
2.0 8 txq perc 50 tail-drop
2.0 9 txq perc none tail-drop
2.0 10 txq perc none tail-drop
The port‐config display for port group 2.0 shows that all queues are running in the default strict priority mode (highest non‐LLQ set to 100).
CoS Hardware Resource Configuration • Maps the IRL reference to the CoS setting (802.1 priority) • Enables CoS • Provides related show command displays CoS Port Configuration Layer For the CoS port configuration layer, use the set cos port‐config irl command to assign ports to port group 1.0 for the IRL configuration: System(su)->set cos port-config irl 1.0 ports ge.1.
CoS Hardware Resource Configuration
4 4 * 8 * * * Disabled
5 5 * 10 * * * Disabled
6 6 * 12 * * * Disabled
7 7 * 14 * * * Disabled
Use the show cos reference irl command for port group 1.0 to display the CoS reference to rate limiter mapping:
System(su)->show cos reference irl 1.0
Group Index Reference Type Rate Limiter
----------- --------- ---- ------------
1.0 0 irl 0
1.0 1 irl none
1.0 2 irl none
1.0 3 irl none
1.0 4 irl none
1.
CoS Hardware Resource Configuration Use the show cos port‐resource irl command to display the data rate and unit of the rate limiter for port group 1.0:
System(su)->show cos port-resource irl 1.0
'?' after the rate value indicates an invalid rate value
Group Index Resource Type Unit Rate Rate Limit Type Action
----------- -------- ---- ---- ---------- --------------- ------
1.0 0 irl pps drop S
1.0 1 irl perc none drop none
1.0 2 irl perc none drop none
1.
CoS Hardware Resource Configuration ---------------------------------------------------------------------System(su)-> ORL Configuration Outbound rate limiters (ORL) allow you to configure a port to prevent the port from transmitting traffic above a certain threshold. In this example, we are going to configure port ge.1.22 to limit the amount of packets it transmits when the packet is marked as CoS Index 0 (802.1 priority 0) to a threshold of 5,000 packets per second.
CoS Hardware Resource Configuration ORL Configuration Example Show Command Output Use the show cos settings command to display the ORL reference to CoS index (802.
CoS Hardware Resource Configuration Use the show cos port‐resource orl command to display the rate limiter unit and rate for the configured ORL resource:
System(su)->show cos port-resource orl 1.0
'?' after the rate value indicates an invalid rate value
Group Index Resource Type Unit Rate Rate Limit Type Action
----------- -------- ---- ---- ---------- --------------- ------
1.0 0 orl perc none drop none
1.0 1 orl pps 5000 drop none
1.0 2 orl perc none drop none
1.
CoS Hardware Resource Configuration CoS Reference Layer The CoS reference layer is not applicable to flood control. CoS Settings Layer For the CoS settings layer, use the cos settings command to enable flood control for CoS setting 3 (802.
CoS Hardware Resource Configuration Use the show cos port‐config flood‐ctrl command to display the port group name and assigned ports for port group 1.0.
System(su)->show cos port-config flood-ctrl 1.0
Flood Rate Limiting Port Configuration Entries
---------------------------------------------------------------------
Port Group Name :S-Series Flood Ctrl
Port Group      :1
Port Type       :0
Assigned Ports  :ge.1.
Feature Differences by Platform
ge.1.1 29 irl not-violated 0
ge.1.1 30 irl not-violated 0
ge.1.1 31 irl not-violated 0
Violations are also displayed by resource and port using the show cos port‐resource command. Violating ports are displayed at the end of the resource table. Feature Differences by Platform Flex‐Edge and drop precedence are only supported on the S‐Series platform. CoS Port Type Based on physical capability, all physical ports belong to one of two port types.
ORLs • All S‐Series modules support 4 outbound rate limiters • Enterasys N‐Series, Stackable Switches, D‐Series, G‐Series, and I‐Series devices do not support outbound rate limiters The QoS CLI Command Flow Procedure 1 provides a CLI flow summary of each step in the configuration flow along with the show commands to verify the configuration. All CoS commands can be entered in any command mode. Procedure 1 Class of Service CLI Configuration Command Summary Step Task Command(s) 1.
The QoS CLI Command Flow Procedure 1 Step Task Command(s) 7. Configure a CoS inbound rate limiting index entry, by mapping a port group with a rate-limit value, along with the ability to optionally set syslog, trap, and/or disable port behaviors should the limit be exceeded. This index is used by the rate-limit option when setting an IRL cos reference. set cos port-resource irl port_group.
QoS Policy-Based Configuration Example QoS Policy-Based Configuration Example In our example, an organization’s network administrator needs to assure that VoIP traffic, both originating in and transiting the network of S‐Series edge switches and an S‐Series core router, is configured for QoS with appropriate priority, ToS, and queue treatment. We will also rate limit the VoIP traffic at the edge to 1024 Kbps to guard against DoS attacks, VoIP traffic into the core at 25 Mbps, and H.323 call setup at 5 pps.
QoS Policy-Based Configuration Example Figure 7 QoS Configuration Example (figure labels recovered from the image): Core side: VLAN 22 VoIP, VLAN 21 Data, Core Router, port ge.1.10 with IP addr 10.0.0.1, edge ports ge.1.10-13. Core router policy profile: VoIPCore-VLAN22; Ports: ge.1.2-5; Default: CoS 5; CoS: 8; egress-vlans: 22; tci-overwrite: enabled; ToS: 184; Rate Limit: 25 mbps; Physical queue: 2. Edge policy profile: VoIPCore-VLAN12; Ports: ge.1.10-13; Default: CoS 5; CoS: 9; egress-vlans: 12; tci-overwrite: enabled; ToS: 184; Rate Limit: 1024 kbps; Physical queue: 2. Edge side: VLAN 11 Data H.
QoS Policy-Based Configuration Example Using NetSight Policy Manager, configure the policy roles and related services as follows: Setting the VoIP Core Policy Profile (Router 1) For S‐Series router 1, we configure a separate policy for VoIP Core. VoIP Core policy deals with packets transiting the core network using VoIP VLAN 22. For role VoIPCore we will: • Configure VoIPEdge‐VLAN22 as the name of the role. • Set default CoS to 5. • Set the default access control to VLAN 22.
Create a Policy Service • Name the service VoIPEdge Service. • Apply the service to the VoIPEdge Policy Role. Create a Rate-limiter Create a rate‐limit as follows: • Inbound rate‐limit of 1 mbps • Apply it to port group types 32/8/100 for index 0 Create Class of Service for VoIPEdge Policy Create CoS 9 as follows: • 802.
QoS Policy-Based Configuration Example • ToS: B8 • Specify IRL index 1 to associate this CoS to the rate limit Create a Traffic Classification Layer Rule Create a transport layer 3 rule as follows: • Traffic Classification Type: IP TCP Port Destination • Enter in Single Value field: 1720 (TCP Port ID) • For IP TCP Port Destination value: 10.0.0.1 with a mask of 255.255.255.
Terms and Definitions
s-series(rw)->set policy rule admin-profile vlantag 12 mask 12 port-string ge.1.10-13 admin-pid 1
s-series(rw)->set policy rule 1 vlantag 12 mask 12 vlan 12 cos 9
s-series(rw)->set cos port-resource irl 2.1 0 unit mbps rate 1
s-series(rw)->set cos reference irl 2.1 9 rate-limit 0
s-series(rw)->set cos 9 priority 5 tos-value 184.
Terms and Definitions Table 3 Quality of Service Configuration Terms and Definitions (continued) Term Definition Rate Shaping The rescheduling of bursty traffic while in the queue based upon packet buffering such that traffic beyond the configured bandwidth threshold is delayed until bandwidth usage falls below the configured threshold. Type of Service (ToS) An 8-bit field defined by RFC 1349 used for the prioritization of packets within a QoS context.
Revision History Date Description January 28,2008 Initial Release of the Document February 22, 2008 Modifications due to product branding changes. September 18, 2008 Modifications due to product branding changes and minor template updates. January 23, 2009 Cosmetic changes only. May 09, 2011 Updated for S-Series, IRL, ORL, flood control, and Flex-Edge features, plus major rewrite of overview information.
Configuring RADIUS-Snooping This chapter provides the following information about configuring and monitoring RADIUS‐Snooping on Enterasys® N‐Series, S‐Series®, and K‐Series modular switches. For information about... Refer to page...
Why Would I Use RADIUS-Snooping in My Network? Why Would I Use RADIUS-Snooping in My Network? RADIUS‐Snooping allows the Enterasys distribution‐tier switch to identify RADIUS exchanges between devices connected to edge switches and apply policy to those devices even when the edge switch is from another vendor and does not support policy.
RADIUS-Snooping Overview RADIUS-Snooping Configuration MultiAuth Configuration MultiAuth must be enabled if the RADIUS‐Snooping configuration involves the authentication of more than a single user on a port. There are two aspects to MultiAuth in a RADIUS‐Snooping configuration: • The global MultiAuth mode must be changed from the default mode of strict to multi, in order to authenticate multiple downstream users.
RADIUS-Snooping Overview table. By default, the RADIUS‐Snooping flow table is empty. Entries are added to the flow table based upon an index entry. The first matching entry in the table is used for the continuation of the authentication process. When an investigated RADIUS frame transits the RS‐enabled port with a match in the flow table, RS will track that RADIUS request and response exchange and will build a MultiAuth session for the end‐user, based upon what it finds in the RADIUS response frames.
RADIUS-Snooping Overview Figure 1 RADIUS-Snooping Overview (figure: Edge Switch, Distribution-Tier Switch and RADIUS Server; 1: the RADIUS Request Frame is snooped by the distribution-tier switch; 2: the RADIUS Response Frame; 3: the RADIUS Response Frame is snooped by the distribution-tier switch). Figure 1 on page 5 illustrates the RADIUS request frame and RADIUS response frame paths.
Configuring RADIUS-Snooping Configuring RADIUS-Snooping This section provides details for the configuration of RADIUS‐Snooping on the Enterasys modular switch products. Table 1 lists RS parameters and their default values. Table 1 Default Authentication Parameters Parameter Description Default Value authallocated Specifies the maximum number of allowed RS sessions from all RADIUS clients, on a per port basis.
Configuring RADIUS-Snooping Procedure 1 RADIUS-Snooping Configuration (continued) Step Task Command(s) 4. Enable RADIUS-Snooping on each distribution-tier switch port over which RADIUS request and response frames transit. set radius-snooping port [enable] [timeout seconds] [drop {enabled | disabled}] [authallocated number] [port-string] 5. Configure RADIUS-Snooping flow table index entries. set radius-snooping flow index {client-IP-Address server-IP-Address {port | standard} [secret] 6.
RADIUS-Snooping Configuration Example RADIUS-Snooping Configuration Example Our RADIUS‐Snooping configuration example will configure a distribution‐tier switch for two RADIUS request and response flows (index 1 and index 2). Index 1 is from RADIUS client 10.10.10.10 through the network core to the RADIUS server 50.50.50.50. Index 2 is from RADIUS client 10.10.10.20 through a layer 2 switch to the local RADIUS server 50.50.50.60.
RADIUS-Snooping Configuration Example We first set the global MultiAuth mode to multi on the distribution‐tier switch. We then set the MultiAuth authentication mode to auth‐opt for the upstream (ge.1.5‐10 ) and downstream (ge.1.15‐24) ports. With the MultiAuth settings configured, we enable RADIUS‐Snooping at the system level for the distribution‐tier switch. We then enable RADIUS‐Snooping on the two sets of ports over which all RADIUS‐Snooping request and response frames will transit.
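A model of the flow table lookup and per-port session allocation from the example above, as added example code (not Enterasys code): entries are searched in index order and the first match is used, and a response frame on a matched flow creates a MultiAuth session until the port's authallocated limit is reached. The datagram 5-tuples, MAC addresses and the shared secret are constructed, and the session bookkeeping is a simplified reading of the text rather than the switch's implementation. It also shows what the optional secret on a flow entry makes possible, verifying the RFC 2865 Response Authenticator so that a spoofed Access-Accept is not turned into a session; whether the Enterasys implementation performs that check is not stated here.

```python
"""RADIUS-Snooping flow table lookup and per-port session allocation, modelled
on the configuration example above.  Added example, not Enterasys code: the
matching rules and session bookkeeping are a simplified reading of the text,
and the datagrams, MAC addresses and shared secret are constructed."""

import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

STANDARD_AUTH_PORT = 1812          # the "standard" keyword: RADIUS authentication, RFC 2865
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


@dataclass(frozen=True)
class FlowEntry:
    index: int
    client_ip: str
    server_ip: str
    port: int = STANDARD_AUTH_PORT
    secret: Optional[bytes] = None   # optional on the set radius-snooping flow command


@dataclass(frozen=True)
class Datagram:
    """UDP/IP 5-tuple plus the switch port it arrived on (constructed)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ingress: str
    payload: bytes = b""


class RadiusSnooper:
    def __init__(self, flows: List[FlowEntry], authallocated: int) -> None:
        self.flows = sorted(flows, key=lambda f: f.index)   # first match in index order wins
        self.authallocated = authallocated                   # max RS sessions per port
        self.sessions: Dict[str, List[str]] = {}             # port -> station IDs

    def match_flow(self, d: Datagram) -> Optional[FlowEntry]:
        """A request runs client -> server:port, a response server:port -> client."""
        for f in self.flows:
            request = (d.src_ip, d.dst_ip, d.dst_port) == (f.client_ip, f.server_ip, f.port)
            response = (d.src_ip, d.dst_ip, d.src_port) == (f.server_ip, f.client_ip, f.port)
            if request or response:
                return f
        return None

    def on_response(self, d: Datagram, station_id: str) -> str:
        """Build a MultiAuth session from a snooped RADIUS response frame."""
        if self.match_flow(d) is None:
            return "ignored"                         # no flow table entry: not tracked
        if not d.payload or d.payload[0] != ACCESS_ACCEPT:
            return "no-session"                      # Access-Reject or anything else
        active = self.sessions.setdefault(d.ingress, [])
        if station_id in active:
            return "already-authenticated"
        if len(active) >= self.authallocated:
            return "authallocated-exceeded"          # per-port session cap reached
        active.append(station_id)
        return "session-created"


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 Response Authenticator = MD5(Code + ID + Length + RequestAuth +
    Attributes + Secret); with the flow's secret a snooper can discard spoofed
    Access-Accept frames instead of trusting any response."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(payload: bytes, request_auth: bytes, secret: bytes) -> bool:
    if len(payload) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        return False
    expected = response_authenticator(code, ident, payload[20:], request_auth, secret)
    return hmac.compare_digest(payload[4:20], expected)


# Flow table from the example: index 1 and index 2, both on the standard port.
FLOWS = [FlowEntry(1, "10.10.10.10", "50.50.50.50"),
         FlowEntry(2, "10.10.10.20", "50.50.50.60", secret=b"constructed-secret")]


def demo() -> List[str]:
    """Three Access-Accepts for index 2 arriving on one port with authallocated 2."""
    snooper = RadiusSnooper(FLOWS, authallocated=2)
    request_auth = bytes(range(16))                                       # constructed
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, b"constructed-secret")
    results = []
    for mac in ("00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"):
        frame = Datagram("50.50.50.60", "10.10.10.20", STANDARD_AUTH_PORT, 40000,
                         "ge.1.5", accept)
        results.append(snooper.on_response(frame, mac))
    return results   # ['session-created', 'session-created', 'authallocated-exceeded']
```

The third Access-Accept on the same port is refused once authallocated sessions exist, and a datagram that matches no flow entry is ignored rather than tracked.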
Terms and Definitions This completes the RADIUS‐Snooping configuration example. Terms and Definitions Table 4 lists terms and definitions used in this RADIUS‐Snooping configuration discussion. Table 4 RADIUS-Snooping Configuration Terms and Definitions Term Definition Calling-Station ID An attribute field in the RADIUS request and response frames containing the RADIUS client MAC address.
Revision History Date Description 11/07/2008 New Document. 04/16/2009 Added 256 MB on all modules requirement. Added MultiAuth configuration information. 06/03/2011 Updated for S-Series and K-Series. Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
Configuring SNMP This chapter provides the following information about configuring and monitoring SNMP on Enterasys® N‐Series, S‐Series, and K‐Series modular switches, A‐Series, B‐Series, C‐Series stackable fixed switches, and D‐Series, G‐Series, and I‐Series standalone fixed switches. For information about... Refer to page...
How Do I Implement SNMP? • A common management platform supported by many network devices How Do I Implement SNMP? You can implement SNMP on Enterasys switching devices using simple CLI commands as described in this document. The configuration process involves the following tasks: 1. Creating users and groups allowed to manage the network through SNMP 2. Setting security access rights 3. Setting SNMP Management Information Base (MIB) view attributes 4.
SNMP Overview information for a specific variable. The agent, upon receiving a Get or Get Next message, will issue a Get Response message to the manager with either the information requested or an error indication about why the request cannot be processed. A Set message allows the manager to request a change to a specific variable. The agent then responds with a Get Response message indicating the change has been made or an error indication about why the change cannot be made.
SNMP Support on Enterasys Devices Community Name Strings Earlier SNMP versions (v1 and v2c) rely on community name strings for authentication. In order for the network management station (NMS) to access the switch, the community string definitions on the NMS must match at least one of the three community string definitions on the switch.
SNMP Support on Enterasys Devices control, SNMPv3 also provides a higher degree of reliability for notifying management stations when critical events occur. SNMPv3 is fully described in RFC 2571, RFC 2572, RFC 2573, RFC 2574, and RFC 2575. SNMPv1 and v2c Network Management Components The Enterasys implementation of SNMPv1 and v2c network management components falls into the following three categories: • Managed devices (such as a switch).
SNMP Support on Enterasys Devices Table 2 SNMP Terms and Definitions (continued) Term Definition engine ID A value used by both the SNMPv3 sender and receiver to propagate inform notifications. group A collection of SNMP users who share the same access privileges.
SNMP Support on Enterasys Devices Table 2 SNMP Terms and Definitions (continued) Term Definition view Specifies permission for accessing SNMP MIB objects granted to a particular SNMP user group. View types and associated access rights are: • read - view-only access • write - allowed to configure MIB agent contents • notify - send trap messages Security Models and Levels An SNMP security model is an authentication strategy that is set up for a user and the group in which the user resides.
Configuring SNMP Configuring SNMP This section provides the following information about configuring SNMP on Enterasys devices: For information about... Refer to page...
Configuring SNMP 1. Determines if the “keys” for trap “doors” exist. The key that SNMP is looking for is the notification entry created with the set snmp notify command. 2. Searches for the doors matching such a key and verifies that the door is available. If so, this door is tagged or bound to the notification entry.
Configuring SNMP Configuring SNMPv1/SNMPv2c Creating a New Configuration Procedure 1 shows how to create a new SNMPv1 or SNMPv2c configuration. This example assumes that you have no preconfigured community names or access rights. Note: The v1 parameter in this example can be replaced with v2 for SNMPv2c configuration. Procedure 1 New SNMPv1/v2c Configuration Step Task Command(s) 1. Create a community name. set snmp community community name 2.
Configuring SNMP
enterasys(su)->set snmp access groupRW security-model v1 read RW write RW notify RW
enterasys(su)->set snmp view viewname RW subtree 1
enterasys(su)->set snmp view viewname RW subtree 0.0
enterasys(su)->set snmp view viewname RW subtree 1.3.6.1.6.3.13.1 excluded
enterasys(su)->set snmp targetparams TVv1public user public security-model v1 message processing v1
enterasys(su)->set snmp targetaddr TVTrap 10.42.1.
Configuring SNMP • “Configuring the Optional Mask Parameter” on page 16 • “Configuring Secure SNMP Community Names” on page 18 . Procedure 2 SNMPv3 Configuration Step Task Command(s) 1. Create an SNMPv3 user and specify authentication, encryption, and security credentials. set snmp user user [remote remoteid] [authentication {md5 | sha}] [authpassword] [privacy privpassword] • If remote is not specified, the user will be registered for the local SNMP engine.
Configuring SNMP Procedure 2 SNMPv3 Configuration (continued) Step Task Command(s) 6. Set the SNMP target address for notification message generation. set snmp targetaddr targetaddr ipaddr param param [udpport udpport] [mask mask] [timeout timeout] [retries retries] [taglist taglist] [volatile | nonvolatile] • If not specified, udpport will be set to 162. • If not specified, mask will be set to 255.255.255.255. • If not specified, timeout will be set to 1500 (15 seconds).
Configuring SNMP
enterasys(su)-> set snmp targetaddr Enterasys_Networks 172.29.10.1 param enterasysn taglist v3TrapTag
enterasys(su)-> set snmp notify SNMPv3TrapGen tag v3TrapTag inform
How SNMP Will Process This Configuration As described in “How SNMP Processes a Notification Configuration” on page 8, if the SNMP agent on the device needs to send an inform message, it looks to see if there is a notification entry that says what to do with inform messages.
Configuring SNMP Procedure 3 Configuring an EngineID Step Task Command(s) 4. On the N-Series switch, define the same user as in the above example (v3user) with this EngineID and with the same Auth/Priv passwords you used previously. set snmp user v3user remote 800007e5804f190000d232aa40 authentication md5 md5passwd privacy despasswd Note: You can omit the 0x from the EngineID. You can also use the colon notation like this: 80:00:07:e5:80:4f:19:00:00:d2:32:aa:40 5.
Configuring SNMP
enterasys(su)->clear snmp view All 1
enterasys(su)->clear snmp view All 0.0
enterasys(su)->set snmp view viewname All subtree 1.3.6.1.2.1
enterasys(su)->set snmp view viewname All subtree 1.3.6.1.2.1.2 excluded
enterasys(su)->show snmp view
View Name    = All
Subtree OID  = 1.3.6.1.2.1
Subtree mask =
View Type    = included
Storage type = nonVolatile
Row status   = active

View Name    = All
Subtree OID  = 1.3.6.1.2.1.
Configuring SNMP etherStatsPkts1024to1518Octets=1.3.6.1.2.1.16.1.1.1.19. etherStatsOwner=1.3.6.1.2.1.16.1.1.1.20. etherStatsStatus=1.3.6.1.2.1.16.1.1.1.21. As shown in the example output above, when displaying the etherStatsEntry branch, all ports are listed for each leaf before moving on to the ports of the next leaf as the result of listing all of the data in numeric OID order. Here is an abbreviated example of one such SNMP query.
Configuring SNMP
View Name    = All
Subtree OID  = 1.3.6.1.2.1.1.1.0.244
Subtree mask = ff:df
View Type    = included
Storage type = nonVolatile
Row status   = active
You can see by the unexpected Subtree OID value that this view actually accommodates only the right‐most 8 bits of the entered decimal value 1012. The hexadecimal equivalent is 0x3f4, and the decimal equivalent of 0xf4 is 244.
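The view definitions in the show output above, the optional mask parameter, and the 8-bit truncation of the sub-identifier 1012 can all be checked against the view-family rules of RFC 3415 (the vacmViewTreeFamilyTable), which the following added example implements; it is not Enterasys code or the switch's own view engine. The "All" view is taken from the output above; the single-row view with mask ff:bf and the OIDs it is tested against are constructed:

```python
"""View-based access control checks for SNMP views: subtree/mask matching as
defined by RFC 3415, plus a check for the 8-bit sub-identifier truncation
shown above.  Added example, not Enterasys code; the row view and test OIDs
are constructed, the "All" view comes from the show output."""

from typing import List, Tuple

Subtree = Tuple[int, ...]
Family = Tuple[Subtree, bytes, str]   # (subtree, mask, "included" | "excluded")


def parse_oid(text: str) -> Subtree:
    return tuple(int(x) for x in text.strip(".").split("."))


def parse_mask(text: str) -> bytes:
    """'ff:df' -> b'\\xff\\xdf'; an empty string is the all-ones default."""
    return bytes(int(b, 16) for b in text.split(":")) if text else b""


def mask_bit(mask: bytes, i: int) -> int:
    """Bit i of the mask, most significant bit first; bits past its end are 1."""
    byte, bit = divmod(i, 8)
    return (mask[byte] >> (7 - bit)) & 1 if byte < len(mask) else 1


def family_matches(subtree: Subtree, mask: bytes, oid: Subtree) -> bool:
    """oid is in the family when it is at least as long as subtree and agrees
    with subtree at every position whose mask bit is 1; 0 bits are wildcards,
    which is how one view can cover a single table row across all columns."""
    if len(oid) < len(subtree):
        return False
    return all(oid[i] == sub or not mask_bit(mask, i) for i, sub in enumerate(subtree))


def view_allows(view: List[Family], oid: Subtree) -> bool:
    """RFC 3415 rule: of the matching families the one with the longest
    subtree wins (ties: lexicographically greatest subtree); an OID that
    matches no family is outside the view."""
    matches = [f for f in view if family_matches(f[0], f[1], oid)]
    if not matches:
        return False
    best = max(matches, key=lambda f: (len(f[0]), f[0]))
    return best[2] == "included"


def truncated_subids(oid: Subtree) -> List[Tuple[int, int, int]]:
    """Sub-identifiers above 255, which the switch's view table stores as their
    low 8 bits (the 1012 -> 244 case above): (position, entered, stored)."""
    return [(i, v, v & 0xFF) for i, v in enumerate(oid) if v > 255]


# View "All" from the show output above: mib-2 included, interfaces excluded.
ALL_VIEW: List[Family] = [
    (parse_oid("1.3.6.1.2.1"), b"", "included"),
    (parse_oid("1.3.6.1.2.1.2"), b"", "excluded"),
]

# Constructed: expose only row 3 of ifTable, every column.  The column is
# sub-identifier position 9 (0-based), so mask bit 9 is cleared: ff:bf.
ROW3_VIEW: List[Family] = [
    (parse_oid("1.3.6.1.2.1.2.2.1.1.3"), parse_mask("ff:bf"), "included"),
]


def report(view: List[Family], oids: List[str]) -> dict:
    """Decision per OID plus any sub-identifiers the switch would truncate."""
    out = {}
    for text in oids:
        oid = parse_oid(text)
        out[text] = {"allowed": view_allows(view, oid),
                     "truncated": truncated_subids(oid)}
    return out


if __name__ == "__main__":
    for oid, r in report(ALL_VIEW, ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.2.2.1.1.1",
                                    "1.3.6.1.2.1.1.1.0.1012"]).items():
        print(oid, r)
```

With the "All" view, sysDescr.0 is readable while every ifTable object is excluded because the longer (excluded) family wins; with the masked row view, ifSpeed.3 matches but ifSpeed.4 does not. The truncation check flags 1012 at position 9 as stored as 244, which is the value the show output displays.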
Configuring SNMP Enterasys recommends that you “secure” all SNMP community names. You do this by creating a configuration that hides sensitive information from SNMP v1/v2c users through the use of “views”, as follows: Procedure 4 Configuring Secure Community Names Step Task Command(s) 1. Create the following SNMP view group configurations.
Configuring SNMP Procedure 4 Configuring Secure Community Names (continued) Step Task Command(s) 5. Using the viewnames assigned in Step 1, create restricted views for v1/v2c users, and unrestricted views for v3 users.
set snmp view viewname securedviewname subtree 1
set snmp view viewname securedviewname subtree 0.0
set snmp view viewname unsecuredviewname subtree 1
set snmp view viewname unsecuredviewname subtree 0.0
6.
Reviewing SNMP Settings Reviewing SNMP Settings Use the following show commands described in this section to review SNMP settings. For show information about.... Refer to page... Community 21 Context 21 Counters 22 Engineid 23 Groups 23 Group Access Rights 23 Target Parameter Profiles 24 Target Address Profiles 24 Notify 24 Notify Filter 25 Notify Profile 25 Users 25 Views 26 Community Use this command to display SNMPv1/SNMPv2c community names and status.
Reviewing SNMP Settings

Counters

Use this command to display SNMP traffic counter values:

show snmp counters

The snmpInBadCommunityNames and snmpInBadCommunityUses counters are the ones to watch: a rising count indicates that someone is guessing community names, or is using a community for an operation (such as a set) that it is not permitted to perform.

Example

enterasys(su)->show snmp counters
--- mib2 SNMP group counters:
snmpInPkts = 396601
snmpOutPkts = 396601
snmpInBadVersions = 0
snmpInBadCommunityNames = 0
snmpInBadCommunityUses = 0
snmpInASNParseErrs = 0
snmpInTooBigs = 0
snmpInNoSuchNames = 0
snmpInBadValues = 0
snmpInReadOnlys = 0
snmpInGenErrs = 0
snmpInTotalReqVars = 403661
snmpInTotalSetVars = 534
snmpInGetRequests = 290
snmpInGetNext
Reviewing SNMP Settings

Engineid

Use this command to display SNMP engine properties:

show snmp engineid

Example

enterasys(su)->show snmp engineid
EngineId: 80:00:15:f8:03:00:e0:63:9d:b5:87
Engine Boots = 12
Engine Time  = 162181
Max Msg Size = 2048

Groups

Use this command to display SNMP groups:

show snmp group groupname group name

Example

enterasys(su)->show snmp group groupname Enterasys
Security model     = USM
Group name         = Enterasys
Security/user name = Enterasys_user
Storage type       = no
Status             =
Reviewing SNMP Settings

Target Parameter Profiles

Use this command to display SNMP target parameter profiles:

show snmp targetparams paramsname

Example

enterasys(su)->show snmp targetparams enterasys
Target Parameter Name Security Name Message Proc.
Reviewing SNMP Settings

Status = active

Notify Filter

Use this command to display SNMP notify filter information, identifying which profiles will not receive SNMP notifications:

show snmp notifyfilter [profile] [subtree oid-or-mibobject] [volatile | nonvolatile]

Example

enterasys(su)->show snmp notifyfilter
--- SNMP notifyFilter information ---
Profile = pilot1
Subtree = 1.3.
Reviewing SNMP Settings

Views

Use this command to display SNMP views:

show snmp view viewname

Example

enterasys(su)->show snmp view readView
View Name    = readView
Subtree OID  = 1
Subtree mask =
View Type    = included
Storage type = nonVolatile
Status       = active

March 28, 2011   Page 26 of 27
Revision History

05-30-08: New document.
07-28-08: Added Enterasys registration mark.
12-08-08: Made minor edits.
03-28-2011: Updated to include S-Series, K-Series, and minor terminology changes.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
Configuring Spanning Trees

This document provides the following information about configuring and monitoring Spanning Tree protocols on Enterasys® N-Series, S-Series, and K-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series, G-Series, and I-Series standalone fixed switches.
How Do I Implement Spanning Trees? would continue to circulate endlessly between both switching devices. Without Spanning Tree blocking one of the links, there would be nothing at layer 2 to stop this loop from happening and unnecessarily consuming network memory. As administrator, you would be forced to manually disable one of the links between Switch 1 and 2 for the Figure 1 network to operate.
STP Overview • IEEE 802.1s (Multiple Spanning Tree Protocol) • IEEE 802.1t (Update to 802.1D) Note: MSTP and RSTP are fully compatible and interoperable with each other and with legacy STP. As described previously, STP resolves the problems of physical loops in a network by establishing one primary path between any two devices. It does this by enabling switching devices to exchange information using Bridge Protocol Data Unit (BPDU) messages.
Functions and Features Supported on Enterasys Devices MSTP can automatically detect the version of Spanning Tree being used on a LAN and send out the equivalent type of BPDU. In addition, MSTP incorporates a force version feature that allows you to administratively force MSTP to behave as STP or RSTP. Functions and Features Supported on Enterasys Devices Note: This guide describes features supported on the N-Series, S-Series, K-Series, stackable, and standalone switch platforms.
Functions and Features Supported on Enterasys Devices • Further protecting your network from loop formation with Loop Protect, as described below and in “Understanding and Configuring Loop Protect” on page 22. • Supporting more port density and faster port speeds as described in “Updated 802.1t” on page 5.
Understanding How Spanning Tree Operates Understanding How Spanning Tree Operates This section provides you with a more detailed understanding of how the Spanning Tree operates in a typical network environment. The following concepts are covered.
Understanding How Spanning Tree Operates

Root ports and designated ports are left in the forwarding state. Redundant ports are placed in the blocking state to ensure the topology remains loop-free. Table 2 lists these and additional port states which control the forwarding and learning processes within a topology.

Table 1 Spanning Tree Port Roles

Root: The one port that is used to connect to the root bridge.
Understanding How Spanning Tree Operates MSTP is the default Spanning Tree mode on all Enterasys switch devices.
Understanding How Spanning Tree Operates • Format Selector – One octet in length and is always 0. It cannot be administratively changed. • Configuration Name – A user‐assigned, case sensitive name given to the region. The maximum length of the name is 32 octets. • Revision Level – Two octets in length. The default value of 0 may be administratively changed.
Understanding How Spanning Tree Operates

switching device 2 is the root for MSTI 2, and switching device 5 is the CIST regional root. Traffic for all the VLANs attached to an MSTI follows the MSTI's spanned topology. Various options may be configured on a per-MSTI basis to allow for differing topologies between MSTIs. Each MSTI costs processing power and adds configuration to keep consistent across the region, so create only as many MSTIs as you need.
Configuring STP and RSTP

Figure 6 Example of Multiple Regions and MSTIs
[Figure: switching devices 1 through 12 in Region 1, Region 2, and Region 3, marking the CIST root, the CIST regional root of each region, and the master ports.]

Table 3 MSTI Characteristics for Figure 6

MSTI 1 in Region 1: Root is switching device 4, which is also the CIST regional root.
MSTI 2 in Region 1: Root is switching device 5.
MSTI 1 in Region 2: Root is switching device 7, which is als
Configuring STP and RSTP Since MSTP mode is fully compatible and interoperable with legacy STP and RSTP bridges, in most networks, this default should not be changed. Use the following commands to review, re‐enable and reset the Spanning Tree mode. 1. Review the current configuration on one or more SIDs, ports, or both: show spantree stats [port port-string] [sid sid] [active] Specifying active will display information for port(s) that have received BPDUs since boot. 2.
Configuring STP and RSTP

configured with variations of the Spanning Tree port configuration commands. Default settings are listed in Table 4:

Table 4 Spanning Tree Port Default Settings

Bridge priority mode: 802.
Configuring STP and RSTP Setting a Port Priority You can set a Spanning Tree port priority, a value to be used to break a tie when choosing the root port for a bridge in a case where the choice is between ports connected to the same bridge. The port with the lowest value will be elected. Use this command to set a port priority: set spantree portpri port-string priority [sid sid] Valid priority values are 0–240 (in increments of 16) with 0 indicating high priority. Valid sid values are 0–4094.
Configuring STP and RSTP Adjusting the Bridge Hello Time Caution: Poorly chosen adjustments to bridge and port hello time parameters can have a negative impact on network performance. It is recommended that you do not change these parameters unless you are familiar with Spanning Tree configuration and have determined that adjustments are necessary. Please refer to the IEEE 802.1D specification for guidance. Hello time is the interval at which the bridge or individual ports send BPDU messages.
Configuring STP and RSTP Spanning Tree topology. By adjusting this value, you can configure support for a maximum diameter from the STP root of up to 40 bridges. By default, Enterasys switching devices are set with a maximum age time of 20 seconds, supporting a 20‐bridge span from the root bridge. Use this command to adjust the maximum age setting: set spantree maxage agingtime Valid agingtime values are 6–40 (seconds).
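Because the hello time, maximum age, and forward delay constrain one another, a change to one of them should be checked against the others before it is applied. The following Python is an added example for this page, not Enterasys code: it applies the timer relationships from IEEE 802.1D (clause 17.14 in the 2004 edition), 2 x (Forward Delay - 1 s) >= Max Age >= 2 x (Hello Time + 1 s). The Max Age range of 6-40 seconds comes from the text above; the Hello Time (1-10 s) and Forward Delay (4-30 s) ranges are the 802.1D ranges and are assumed here rather than taken from the page. One thing it makes visible: the maximum age of 40 seconds that the text allows is only consistent with a forward delay of at least 21 seconds.

```python
"""Sanity check for bridge timer changes, using the relationships that
IEEE 802.1D requires between Hello Time, Max Age and Forward Delay.
Added example for this page; not Enterasys code.  Max Age 6-40 s is the
range given in the text; Hello Time 1-10 s and Forward Delay 4-30 s are
the 802.1D ranges and are an assumption for this example."""

from typing import List, Tuple


def check_stp_timers(hello: float, max_age: float, forward_delay: float) -> List[str]:
    """Return the list of violated constraints (empty means the set is consistent).

    802.1D requires
        2 * (Forward_Delay - 1.0) >= Max_Age
        Max_Age >= 2 * (Hello_Time + 1.0)
    so that stale root information ages out before a port could move to
    forwarding, and a couple of lost BPDUs do not trigger a reconvergence."""
    problems: List[str] = []
    if not 1 <= hello <= 10:
        problems.append("hello time %g s is outside 1-10 s" % hello)
    if not 6 <= max_age <= 40:
        problems.append("max age %g s is outside 6-40 s" % max_age)
    if not 4 <= forward_delay <= 30:
        problems.append("forward delay %g s is outside 4-30 s" % forward_delay)
    if 2 * (forward_delay - 1.0) < max_age:
        problems.append("2*(forward delay - 1) = %g s is less than max age %g s"
                        % (2 * (forward_delay - 1.0), max_age))
    if max_age < 2 * (hello + 1.0):
        problems.append("max age %g s is less than 2*(hello + 1) = %g s"
                        % (max_age, 2 * (hello + 1.0)))
    return problems


def max_age_bounds(hello: float, forward_delay: float) -> Tuple[float, float]:
    """Smallest and largest Max Age consistent with the other two timers,
    clamped to the configurable 6-40 s range."""
    low = max(2 * (hello + 1.0), 6.0)
    high = min(2 * (forward_delay - 1.0), 40.0)
    return low, high


if __name__ == "__main__":
    print(check_stp_timers(2, 20, 15))     # defaults: []
    print(check_stp_timers(2, 40, 15))     # max age 40 needs forward delay >= 21
    print(max_age_bounds(2, 15))           # (6.0, 28.0)
```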
Configuring STP and RSTP Defining Point-to-Point Links Note: Adjusting this function does not apply to stackable and standalone switch devices. By default, the administrative point‐to‐point status is set to auto on all Spanning Tree ports, allowing the Enterasys firmware to determine each port’s point‐to‐point status. In most cases, this setting will not need to be changed and will provide optimal RSTP functionality.
Configuring MSTP show spantree operedge [port port-string] A status of “true” or “Edge‐Port” indicates the port is operating as an edge port. A status of “false” or “Non‐Edge‐Port” indicates it is not. If port‐string is not specified, edge port status will be displayed for all Spanning Tree ports. 4.
Configuring MSTP

Figure 7 MSTP Simple Network Configuration

Procedure 1 shows how to configure Switches 1 and 2 for MSTP.

Procedure 1 Configuring Switches 1 and 2 for Simple MSTP

1. Create VLANs 2 and 3: set vlan create 2-3
2. Set each switch's configuration name to South: set spantree mstcfgid cfgname South
3. Create MSTI SID 2: set spantree msti sid 2 create
4. Create MSTI SID 3: set spantree msti sid 3 create
5. Create a FID-to-SID mapping for VLAN 2 to SID 2.
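Two switches join the same MST region only if the configuration name, the revision level, and the digest of the VLAN-to-MSTI mapping table all agree, which is why Procedure 1 sets the same name and the same FID-to-SID mappings on both switches. The following Python is an added example for this page, not Enterasys code: it builds the MST Configuration Identifier described in the Understanding How Spanning Tree Operates section (format selector 0, 32-octet name, 2-octet revision) and computes the fourth field, the configuration digest, as IEEE 802.1Q clause 13.7 defines it (HMAC-MD5 with a fixed key over the 4096-entry table of 16-bit MSTIDs). Comparing the digests each side computes from its own mapping is the quickest way to see why two switches ended up in different regions.

```python
"""MST Configuration Identifier, including the configuration digest of
IEEE 802.1Q clause 13.7 (inherited from 802.1s).  Added example for this
page; not Enterasys code."""

import hashlib
import hmac
from typing import Dict, Tuple

# Fixed HMAC-MD5 key defined by the standard for the configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_configuration_digest(vlan_to_msti: Dict[int, int]) -> str:
    """Digest over the table of 4096 two-octet MSTIDs, one per VID 0..4095,
    in big-endian order.  Any VID not in the mapping belongs to the CIST
    (MSTID 0); VIDs 0 and 4095 always belong to the CIST."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 0 < vid < 4095:
            raise ValueError("VID %d cannot be mapped to an MSTI" % vid)
        if not 0 <= msti <= 4094:
            raise ValueError("MSTID %d is out of range" % msti)
        table[2 * vid] = msti >> 8
        table[2 * vid + 1] = msti & 0xFF
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def mst_config_id(name: str, revision: int,
                  vlan_to_msti: Dict[int, int]) -> Tuple[int, bytes, int, str]:
    """The four fields carried in an MSTP BPDU: format selector (always 0),
    configuration name padded to 32 octets, two-octet revision level, and
    the 16-octet configuration digest (returned here as hex)."""
    encoded = name.encode()
    if len(encoded) > 32:
        raise ValueError("configuration name is longer than 32 octets")
    if not 0 <= revision <= 0xFFFF:
        raise ValueError("revision level must fit in two octets")
    return (0, encoded.ljust(32, b"\0"), revision,
            mst_configuration_digest(vlan_to_msti))


def same_region(switch_a: Tuple[int, bytes, int, str],
                switch_b: Tuple[int, bytes, int, str]) -> bool:
    """Switches are in one region only if all four fields match."""
    return switch_a == switch_b


if __name__ == "__main__":
    # Procedure 1: name South, VLAN 2 -> SID 2, VLAN 3 -> SID 3, on both switches.
    switch1 = mst_config_id("South", 0, {2: 2, 3: 3})
    switch2 = mst_config_id("South", 0, {2: 2, 3: 3})
    forgot_vlan3 = mst_config_id("South", 0, {2: 2})
    print(switch1[3])                          # digest both switches must show
    print(same_region(switch1, switch2))       # True
    print(same_region(switch1, forgot_vlan3))  # False: mapping differs
```

With no VLANs mapped to any MSTI the digest is the well-known default value that most vendors display for an unconfigured MST region, which makes it a handy first check that the implementation is byte-for-byte correct.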
Understanding and Configuring SpanGuard

Table 6 Commands for Monitoring MSTP (continued)

Display a list of MSTIs configured on the device: show spantree mstilist
Display the mapping of one or more filtering database IDs (FIDs) to Spanning Trees. Since VLANs are mapped to FIDs, this shows to which SID a VLAN is mapped: show spantree mstmap [fid fid]
Display the Spanning Tree ID(s) assigned to one or more VLANs.
Understanding and Configuring SpanGuard • the timeout expires, • the port is manually unlocked, • the port is no longer administratively configured as adminedge = True, or • the SpanGuard function is disabled. The port will become locked again if it receives another offending BPDU after the timeout expires or it is manually unlocked. In the event of a DoS attack with SpanGuard enabled and configured, no Spanning Tree topology changes or topology reconfigurations will be seen in your network.
Understanding and Configuring Loop Protect

Monitoring SpanGuard Status and Settings

Use the commands in Table 7 to review SpanGuard status and settings.

Table 7 Commands for Monitoring SpanGuard

Display the status of SpanGuard on the device: show spantree spanguard
Display the status of the SpanGuard lock function on one or more ports: show spantree spanguardlock [port port-string]
Display the SpanGuard timeout setting.
Understanding and Configuring Loop Protect Port Modes and Event Triggers Ports work in two Loop Protect operational modes. If the port is configured so that it is connected to a switching device known to implement Loop Protect, it uses full functional (enhanced) mode. Otherwise, it operates in limited functional (standard) mode.
Understanding and Configuring Loop Protect Figure 8 Basic Loop Protect Scenario Figure 9 shows that, without Loop Protect, a failure could be as simple as someone accidentally disabling Spanning Tree on the port between Switch 2 and 3. Switch 3’s blocking port eventually transitions to a forwarding state which leads to a looped condition.
Understanding and Configuring Loop Protect

Configuring Loop Protect

This section provides information about Loop Protect configuration:
• Enabling or Disabling Loop Protect (page 25)
• Specifying Loop Protect Partners (page 25)
• Setting the Loop Protect Event Threshold and Window (page 25)
• Enabling or Disabling Loop Protect Event Notifications (page 26)
• Setting the Disputed BPDU Threshold (page 26)
• Monitoring Loop Protect Status and Settings (page 26)

Enabling or Disabling Loop Protect B
Understanding and Configuring Loop Protect The Loop Protect window is a timer value, in seconds, that defines a period during which Loop Protect events are counted. The default value is 180 seconds. If the timer is set to 0, the event counter is not reset until the Loop Protect event threshold is reached.
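The interaction between the window and the threshold is easy to get wrong when tuning, in particular the window value 0. The following Python is an added example for this page, not Enterasys firmware: it models the counter semantics described above (events counted within a window of the given number of seconds, default 180; window 0 means the count is only ever reset by reaching the threshold). Reaching the threshold is treated here as locking the port, which the lplock and nonforwardingreason displays later in this section suggest, but the exact action the device takes is an assumption in this example.

```python
"""Model of the Loop Protect event threshold and window described above.
Added example for this page; not Enterasys firmware.  Reaching the
threshold is treated as locking the port, which is an assumption."""

from typing import Iterable, Optional


class LoopProtectCounter:
    """Counts Loop Protect events for one port/SID within a time window."""

    def __init__(self, threshold: int, window: int = 180) -> None:
        if threshold < 1 or window < 0:
            raise ValueError("threshold must be >= 1 and window >= 0")
        self.threshold = threshold
        self.window = window            # seconds; 0 = never reset by time
        self.count = 0
        self.window_start: Optional[float] = None
        self.locked = False

    def event(self, now: float) -> bool:
        """Record one event at time `now` (seconds).  Returns True when this
        event reached the threshold and locked the port."""
        expired = (self.window > 0 and self.window_start is not None
                   and now - self.window_start >= self.window)
        if expired:
            self.count, self.window_start = 0, None   # start a fresh window
        if self.window_start is None:
            self.window_start = now
        self.count += 1
        if self.count >= self.threshold:
            self.locked = True
            self.count, self.window_start = 0, None   # counter resets at threshold
            return True
        return False


def events_lock_port(times: Iterable[float], threshold: int, window: int = 180) -> bool:
    """Replay event timestamps and report whether the port ended up locked."""
    counter = LoopProtectCounter(threshold, window)
    return any(counter.event(t) for t in times)


if __name__ == "__main__":
    print(events_lock_port([0, 100, 200], threshold=3))            # False: window expired
    print(events_lock_port([0, 50, 100], threshold=3))             # True
    print(events_lock_port([0, 1000, 5000], threshold=3, window=0))  # True: no reset
```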
Terms and Definitions

Table 8 Commands for Monitoring Loop Protect (continued)

Display the reason for placing a port in a nonforwarding state due to an exceptional condition: show spantree nonforwardingreason [port port-string] [sid sid]

Example

The following example shows a switching device with Loop Protect enabled on port lag.0.2, SID 56:

Enterasys->show spantree lp port lag.0.2 sid 56
LoopProtect is enabled on port lag.0.2, SID 56
Enterasys->show spantree lplock port lag.0.
Terms and Definitions

Table 9 Spanning Tree Terms and Definitions (continued)

FID: Filter Identifier. Each VLAN is associated to a FID. VLANs are mapped to SIDs using their FID association.
Forward delay: Time interval (in seconds) the bridge spends in the listening and learning states before it begins forwarding frames.
Hello time: Time interval (in seconds) at which the bridge sends BPDUs.
ISLs: Inter-Switch Links.

March 14, 2011
Revision History

01-16-2008: New document.
02-20-2008: Corrected product naming conventions.
07-28-2008: Modifications due to product branding changes.
01-20-2009: Corrected description of Spanning Tree instance capacities.
03-14-2011: Updated to include S-Series and K-Series devices.
Configuring Syslog

This document provides the following information about configuring and monitoring Syslog on Enterasys® N-Series, S-Series, and K-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series, G-Series, and I-Series standalone fixed switches.
How Do I Implement Syslog? across multiple platforms, you can use it to integrate log data from many different types of systems into a central repository. Efficient Syslog monitoring and analysis reduces system downtime, increases network performance, and helps tighten security policies. It can help you: • Troubleshoot switches, firewalls and other devices during installation and problem situations. • Perform intrusion detection. • Track user activity.
Syslog Components and Their Use to display messages at a variety of different severity levels about application‐related error conditions occurring on the device. You can decide to have all messages stored locally, as well as to have all messages of a high severity forwarded to another device. You can also have messages from a particular facility sent to some or all of the users of the device, and displayed on the system console.
Syslog Components and Their Use

Table 1 Syslog Terms and Definitions (continued)

Severity: Indicates the severity of the error condition generating the Syslog message. The lower the numeric value, the more severe the condition generating the message.
Syslog Components and Their Use

Figure 1 Basic Syslog Scenario
[Figure: three events cause Syslog messages. Event A, loss of master module, is reported by the SYSTEM application at severity 1 (Emergency); Event B, an admin user telnetting into the switch, by the CLI application at severity 6 (Notification); Event C, RADIUS processing a user access level, by the AAA application at severity 8 (Debugging). Each event passes a "logging enabled for this priority?" check (YES for A and B) before a Syslog message is generated and sent to the Syslog server list.]
Interpreting Messages Interpreting Messages Every system message generated by the Enterasys switch platforms follows the same basic format: time stamp address application [slot] message text Example This example shows Syslog informational messages, displayed with the show logging buffer command. It indicates that messages were generated by facility code 16 (local4) at severity level 5 from the CLI application on IP address 10.42.71.13.
Configuring Syslog

Syslog Command Precedence

Table 3 lists basic Syslog commands and their order of precedence on Enterasys switches.

Table 3 Syslog Command Precedence

Logging defaults: set logging default {[facility facility] [severity severity] [port port]}
Sets default parameters for facility code, severity level and/or UDP port for all Syslog servers and local destinations.
Configuring Syslog Example This sample output from the show logging server command shows that two servers have been added to the device’s Syslog server list. These servers are using the default UDP port 514 to receive messages from clients and are configured to log messages from the local1 and local2 facilities, respectively. Logging severity on both servers is set at 5 (accepting messages at severity levels 5 through 1).
Configuring Syslog

Examples

This example shows how to configure the switch to forward messages from facility category local6 at severity levels 3, 2, and 1 to Syslog server 1 at IP address 134.141.89.113:

Switch1(rw)->set logging server 1 ip-addr 134.141.89.113 facility local6 severity 3

This example shows how to change Syslog defaults so that messages from the local2 facility category at a severity level of 4 will be forwarded to all servers.
Configuring Syslog

4 (errors)
5 (warnings)
6 (notifications)
7 (information)
8 (debugging)

Note: Mnemonic values are case sensitive and must be typed as they are listed in the show logging application command display for your device. Refer to Table 1 for sample CLI mnemonic values. Depending on your platform, you may see different applications listed from those shown in the example above.
Configuring Syslog Displaying to the Current CLI Session Note: This function is not supported on stackable or standalone fixed switches. To display logging to the current CLI console session on an N‐Series, S‐Series, or K‐Series device: set logging here enable This adds the current CLI session to the list of Syslog destinations, and will be temporary if the current CLI session is using Telnet or SSH.
Configuring Syslog

Procedure 2 Adjusting Settings for an Application

1. Configure Syslog server 2 and accept default settings (listed in Table 4 on page 8): set logging server 2 ip-addr 10.1.1.3 state enable
2. Set the severity level for the AAA application to level 8: set logging application AAA level 8 servers 2
3. Enable console logging and file storage.

March 15, 2011
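It is worth being able to predict, before an incident, which server will hold a given message. The following Python is an added example for this page, not Enterasys firmware: it models the forwarding decision for the Figure 1 events under the configuration built up in the Examples section and Procedure 2 above, using the Enterasys severity scale (1 = emergency through 8 = debugging, a destination set to N accepting levels N through 1). The precedence modelled is the one Table 3 lists: an application level set for a server overrides that server's own severity, which overrides the logging defaults. The facility is treated as the code stamped on messages forwarded to a server; the default severity of 5 and facility of local4, and applying an application level to every server when no server list is given, are assumptions taken from the show logging server and Interpreting Messages examples. The three events are constructed from Figure 1, not captured from a device.

```python
"""Model of Syslog server selection on an Enterasys switch: server severity,
per-application override, and the 1..8 severity scale.  Added example for
this page; not Enterasys firmware.  Default severity 5 and facility local4
are assumptions taken from the page's examples."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    application: str   # SYSTEM, CLI, AAA, ... as in Figure 1
    severity: int      # 1 (emergency) .. 8 (debugging); lower is more severe
    text: str


@dataclass
class Server:
    index: int
    ip_addr: str
    facility: str                         # facility code stamped on forwarded messages
    severity: int                         # accepts this level through 1
    app_levels: Dict[str, int] = field(default_factory=dict)

    def accepts(self, event: Event) -> bool:
        threshold = self.app_levels.get(event.application, self.severity)
        return 1 <= event.severity <= threshold


class SyslogConfig:
    """set logging default / server / application, reduced to what they
    change for the forwarding decision."""

    def __init__(self, default_facility: str = "local4", default_severity: int = 5):
        self.default_facility = default_facility
        self.default_severity = default_severity
        self.servers: Dict[int, Server] = {}

    def set_logging_server(self, index: int, ip_addr: str,
                           facility: Optional[str] = None,
                           severity: Optional[int] = None) -> None:
        level = severity if severity is not None else self.default_severity
        if not 1 <= level <= 8:
            raise ValueError("severity must be 1-8")
        self.servers[index] = Server(index, ip_addr,
                                     facility or self.default_facility, level)

    def set_logging_application(self, application: str, level: int,
                                servers: Optional[List[int]] = None) -> None:
        """'set logging application <app> level <n> servers <list>'.  With no
        server list the level is applied to every server (an assumption)."""
        if not 1 <= level <= 8:
            raise ValueError("level must be 1-8")
        for index in (servers if servers is not None else list(self.servers)):
            self.servers[index].app_levels[application] = level

    def destinations(self, event: Event) -> List[Tuple[int, str, str]]:
        """(server index, ip, facility) for every server that receives the event."""
        return [(s.index, s.ip_addr, s.facility)
                for s in sorted(self.servers.values(), key=lambda s: s.index)
                if s.accepts(event)]


def procedure_2_config() -> SyslogConfig:
    """Server 1 as in the Examples section, server 2 and the AAA override as
    in Procedure 2 above."""
    cfg = SyslogConfig()
    cfg.set_logging_server(1, "134.141.89.113", facility="local6", severity=3)
    cfg.set_logging_server(2, "10.1.1.3")
    cfg.set_logging_application("AAA", 8, servers=[2])
    return cfg


# Constructed events modelled on Figure 1 (not captured from a device).
FIGURE_1_EVENTS = [
    Event("SYSTEM", 1, "loss of master module"),
    Event("CLI", 6, "admin user telnets into switch"),
    Event("AAA", 8, "RADIUS processing user access level"),
]

if __name__ == "__main__":
    cfg = procedure_2_config()
    for ev in FIGURE_1_EVENTS:
        print(ev.application, ev.severity, "->", [d[0] for d in cfg.destinations(ev)])
```

Note what the model makes obvious: with these settings the CLI login at severity 6 reaches neither server, so if you want to track user activity (one of the stated uses of Syslog) the CLI application needs its own level, exactly as Procedure 2 does for AAA.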
Revision History

04-04-2008: New document.
07-28-2008: Modifications due to product rebranding changes.
11-14-2008: Text corrections.
03-15-2011: Added S-Series and K-Series.
Configuring TACACS+ This document provides information about configuring and monitoring TACACS+ (Terminal Access Controller Access‐Control System Plus) on Enterasys devices. Notes: TACACS+ is supported on most Enterasys devices, with the exception of some Enterasys fixed switches. Refer to your Enterasys device’s Release Notes to determine if your device supports TACACS+. For information on Enterasys Matrix® X-Series TACACS+ support, refer to the Enterasys Matrix X Secure Core Router Configuration Guide.
How Do I Implement TACACS+? How Do I Implement TACACS+? You can configure the TACACS+ client on your Enterasys device in conjunction with one or more (up to eight) TACACS+ access servers to provide authentication, authorization, or accounting services on your network. Each of the TACACS+ services can be implemented on separate servers. You can also configure TACACS+ to use a single TCP connection for all TACACS+ client requests to a given TACACS+ server.
Configuring TACACS+

Default Settings

Table 1 lists the TACACS+ parameters (as displayed through the show tacacs command) and their default values.

Table 1 TACACS+ Parameters

TACACS+ state: Whether the TACACS+ client is enabled or disabled. Default: Disabled
TACACS+ service: The name of the service that is requested by the TACACS+ client for session authorization.

December 2, 2010
Configuring TACACS+ Basic TACACS+ Configuration Procedure 1 describes the basic steps to configure TACACS+ on Enterasys devices. It assumes that you have gathered the necessary TACACS+ server information, such as the server’s IP address, the TCP port to use, shared secret, the authorization service name, and access level attribute‐value pairs. Note: You must be logged in to the Enterasys device with read-write access rights to use the commands shown in this procedure.
Configuring TACACS+ Procedure 1 TACACS+ Configuration (continued) Step Task Command(s) 7. Optionally, enable the TACACS+ client to send multiple requests to the server over a single TCP connection. set tacacs singleconnect enable To disable the use of a single TCP connection, use the set tacacs singleconnect disable command. 8. If not already configured, set the primary login authentication method to TACACS+.
TACACS+ Display Commands

Table 2 lists TACACS+ show commands.

Table 2 TACACS+ Show Commands

Display all current TACACS+ configuration information and status: show tacacs [state]
Display only the current configuration for one or all TACACS+ servers: show tacacs server {index | all}
Display only the current TACACS+ session settings.

The [state] option is valid only for S-Series and Matrix N-Series devices.
Configuring TACACS+

Revision History

11-06-08: New document.
12-02-10: Revised to include additional Enterasys devices.
Configuring Transparent Web Cache Balancing (TWCB)

This document provides the following information about configuring Transparent Web Cache Balancing on the Enterasys Matrix® N-Series platform.
How Can I Implement TWCB? whom web caching is not desired to a host redirection list, denying these users access to TWCB functionality. • In standard web caching, a user‐cache is configured and assigned to a single cache server. TWCB provides for load balancing across all cache‐servers of a given server farm that can be configured for heavy web‐users using a predictor round‐robin algorithm. • Scalability is provided by the ability to associate up to 128 cache‐servers with the web‐cache.
TWCB Overview

Figure 1 TWCB Configuration Overview
[Figure: users on subnet 10.10.10.0/24 send an initial web object request through the router to the web site host on the Global Internet; the initial response is cached, and all subsequent requests for the same object are served from the cache servers. Web-cache Cache1 contains server farm s1Server (cache servers 186.89.10.51 and 186.89.10.55) and server farm s2Server (cache servers 176.89.10.20, 176.89.10.32, 176.89.10.45, 176.89.10.50, and 176.89.10.52).]

The N-Series router does not act as a cache for web objects; rather, it redirects HTTP requests to local servers on which web objects are cached.
TWCB Overview The Server Farm The server farm consists of a logical grouping of cache‐servers. Each server farm belongs to a web‐cache. TWCB supports the configuration of up to 5 server farms that can be associated with the web‐cache. There are three aspects to configuring a server farm: • Creating the server farm • Associating one or more cache‐servers with the server farm • Optionally configuring some users to be members of a round‐robin list on that server farm.
TWCB Overview The predictor round‐robin feature allows for the creation of up to 10 user lists. Members of a predictor round‐robin list no longer have a single cache on a single cache server. Instead, web objects for list members are cached across all cache servers associated with this server farm in a round robin fashion. A server farm with a configured predictor round‐robin will only cache members of predictor round‐robin lists associated with that server farm.
TWCB Overview • Place the web‐cache in service. At least one cache server must be in service before you can place a web‐cache in service. The Outbound Interface The outbound interface is typically an interface that connects to the internet. It is the interface that will be used for redirecting web objects from the host web site to the cache server. Within the interface configuration command mode, you can configure this interface to redirect outbound HTTP traffic to the web‐cache.
Configuring TWCB

This section provides details for the configuration of TWCB on the N-Series products: Configuring the Server Farm (page 8), Configuring the Cache Server (page 8), Configuring the Web-Cache (page 9), Configuring the Outbound Interface (page 9), Configuring the Switch and Router (page 9), Displaying TWCB Statistics (page 10).

Table 1 lists TWCB parameters and their default values.
Configuring TWCB

Table 1 Default TWCB Parameters (continued)

twcb-bindings: Specifies the maximum number of router bindings that can be used by TWCB. Default: 32000
twcb-cache: Specifies the maximum size of the TWCB cache for this router. Default: 2000
twcb-configs: Specifies the maximum number of web-caches configurable on this router. Default: 1

Configuring the Server Farm

Procedure 1 describes how to configure a TWCB server farm.
Configuring TWCB

Configuring the Web-Cache

Procedure 3 describes how to configure a TWCB web-cache.

Procedure 3 TWCB Web-Cache Configuration

1. Create a web-cache using the specified name: ip twcb webcache web-cache-name
2. Add the specified server farm to this web-cache: serverfarm serverfarm-name
3. Optionally redirect outbound HTTP requests to a non-standard HTTP port number: http-port port-number
4.
TWCB Configuration Example

Displaying TWCB Statistics

Procedure 6 describes how to display TWCB statistics.

Procedure 6 Displaying TWCB Statistics

1. Display server farm configuration data: show ip twcb wcserverfarm [serverfarm-name]
2. Display web-cache configuration data: show ip twcb webcache [webcache-name]
3. Display cache server connection data: show ip twcb conns [client ip-address | wcserver webcache-name]
4. Display cache server statistical data.
TWCB Configuration Example

Figure 3 TWCB Configuration Example Overview
[Figure: users on subnet 20.10.10.0/24 and a second users subnet (10.10.10.) reach the web site host on the Global Internet through the router; VLAN 100 is the outbound interface. Web-cache Cache1 holds server farm s1Server (cache servers 186.89.10.51 and 186.89.10.55) and server farm s2Server (cache server 176.89.10.20).]
TWCB Configuration Example

Matrix>Router(config-twcb-cache)#exit
Matrix>Router(config-twcb-wcsfarm)#

Configure cache server 186.89.10.55:

Matrix>Router(config-twcb-wcsfarm)#cache 186.89.10.
TWCB Configuration Example

Configure the outbound interface that connects with the internet:

Matrix>Router(config)#interface vlan 100
Matrix>Router(config-if(Vlan 1))#ip twcb cache1 redirect out
Matrix>Router(config-if(Vlan 1))#end
Matrix>Router#

Configure the Switch and Router

Configure the TWCB router limits:

Matrix(rw)->set router limits twcb-bindings 20000
Matrix(rw)->set router limits twcb-cache 5000

Clear the statistical data for this web-cache:

Matrix(rw)->Router#clear ip twcb statistics

This c
Revision History

09/24/2008: New document.
04/16/2009: Added an advanced routing license notice that includes the 256 MB memory requirement on all modules statement.
Configuring VLANs

This document provides the following information about configuring and monitoring 802.1Q VLANs on Enterasys® N-Series, S-Series, K-Series, and X-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series, G-Series, and I-Series standalone fixed switches.
Why Would I Use VLANs in My Network?

The primary benefit of 802.1Q VLAN technology is that it allows you to localize and segregate traffic, improving your administrative efficiency and enhancing your network security and performance. Figure 1 shows a simple example of using port-based VLANs to achieve these benefits. In this example, two buildings house the Sales and Finance departments of a single company, and each building has its own internal network.
How Do I Implement VLANs? How Do I Implement VLANs? By default, all Enterasys switches run in 802.1Q VLAN operational mode. All ports on all Enterasys switches are assigned to a default VLAN (VLAN ID 1), which is enabled to operate and assigns all ports an egress status of untagged. This means that all ports will be allowed to transmit frames from the switch without a VLAN tag in their header. Also, there are no forbidden ports (prevented from transmitting frames) configured.
Understanding How VLANs Operate Learning Modes and Filtering Databases Addressing information the switch learns about a VLAN is stored in the filtering database assigned to that VLAN. This database contains source addresses, their source ports, and VLAN IDs, and is referred to when a switch makes a decision as to where to forward a VLAN tagged frame. Each filtering database is assigned a Filtering Database ID (FID).
Understanding How VLANs Operate Ingress Precedence VLAN assignment for received (ingress) frames is determined by the following precedence: 1. 802.1Q VLAN tag (tagged frames only). 2. Policy or Traffic Classification (which may overwrite the 802.1Q VLAN tag). For more information, refer to “Configuring Protocol‐Based VLAN Classification” on page 16. 3. Port VLAN ID (PVID).
VLAN Support on Enterasys Switches

Figure 2 Inside the Switch
[Figure: Port 1 in VLAN A (FID 2), Port 2 in VLAN B (FID 2), Port 3 in VLAN C (FID 3), Port 4 in VLAN D (FID 3), Port 5 in VLAN E (FID 4), and Port 6 in the default VLAN (FID 1).]

Assume a unicast untagged frame is received on Port 3 in the example in Figure 2. The frame is classified for VLAN C (the frame's PVID is VLAN C). The switch would make its forwarding decision by comparing the destination MAC address to information previously learned and entered into its filtering database.
VLAN Support on Enterasys Switches • From 2 through 4093 for stackable and standalone switches This range is based on the following rules: • VID 0 is the null VLAN ID, indicating that the tag header in the frame contains priority information rather than a VLAN identifier. It cannot be configured as a port VLAN ID (PVID). • VID 1 is designated the default PVID value for classifying frames on ingress through a switched port. This default can be changed on a per‐port basis.
VLAN Support on Enterasys Switches As described above, PVID determines the VLAN to which all untagged frames received on associated ports will be classified. Policy classification to a VLAN takes precedence over PVID assignment if: • policy classification is configured to a VLAN, and • PVID override has been enabled for a policy profile, and assigned to port(s) associated with the PVID.
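The ingress precedence, the VID rules, and the egress list semantics above fit together as a small decision procedure, and writing it down is a good way to check what a given port configuration will do with a crafted frame (a tag for a VLAN the port is not meant to reach, a priority-tagged frame with VID 0, and so on). The following Python is an added example for this page, not Enterasys firmware: classify_ingress applies the precedence listed under Ingress Precedence (802.1Q tag, then policy, then PVID) together with the PVID-override condition from the paragraph above; validate_vid applies the VID rules from the Configurable Range section; Vlan.transmit and dynamic_egress apply the tagged/untagged/forbidden egress settings and the dynamic egress rule described in the Configuring VLANs section, including the rule that a forbidden port is never added dynamically. Policy is reduced to an optional per-port VLAN with a PVID-override flag, and letting that same flag decide whether a policy VLAN also replaces an incoming tag is an assumption of this example; real policy profiles classify on many more fields.

```python
"""Ingress VLAN classification (tag, then policy, then PVID), VID range
checks, and the egress-list decision.  Added example for this page; not
Enterasys firmware.  Policy is reduced to one optional VLAN per port with a
PVID-override flag, which is an assumption."""

from dataclasses import dataclass
from typing import Dict, Optional

NULL_VID = 0        # tag carries priority only, no VLAN identifier
DEFAULT_VID = 1
MAX_VID = 4094      # 4095 is reserved by 802.1Q


def validate_vid(vid: int, stackable: bool = False) -> int:
    """Range for a VLAN ID a port may be classified into.  VID 0 cannot be a
    PVID; stackable and standalone switches stop at 4093."""
    upper = 4093 if stackable else MAX_VID
    if vid < 1 or vid > upper:
        raise ValueError("VID %d is outside 1-%d" % (vid, upper))
    return vid


@dataclass
class Port:
    name: str
    pvid: int = DEFAULT_VID
    policy_vlan: Optional[int] = None    # VLAN a matching policy rule assigns
    pvid_override: bool = False          # policy profile has PVID override enabled

    def __post_init__(self) -> None:
        validate_vid(self.pvid)


def classify_ingress(port: Port, tag_vid: Optional[int]) -> int:
    """tag_vid is None for an untagged frame and 0 for a priority-tagged one;
    both are classified by PVID unless an overriding policy applies."""
    if tag_vid is not None and tag_vid != NULL_VID:
        vlan = tag_vid                   # 1. 802.1Q tag
    else:
        vlan = port.pvid                 # 3. PVID
    if port.policy_vlan is not None and port.pvid_override:
        vlan = port.policy_vlan          # 2. policy, only with PVID override
    return vlan


@dataclass
class Vlan:
    vid: int
    egress: Dict[str, str]               # port name -> tagged | untagged | forbidden

    def transmit(self, port_name: str) -> Optional[bool]:
        """None: frame not sent on this port; True: sent tagged; False: untagged."""
        mode = self.egress.get(port_name)
        if mode == "tagged":
            return True
        if mode == "untagged":
            return False
        return None                      # not on the egress list, or forbidden


def dynamic_egress(vlan: Vlan, receiving_port: str) -> None:
    """Dynamic egress: a port that receives a frame classified to this VLAN is
    added to the egress list as untagged, unless it is forbidden."""
    if vlan.egress.get(receiving_port) != "forbidden":
        vlan.egress.setdefault(receiving_port, "untagged")


if __name__ == "__main__":
    access = Port("ge.1.1", pvid=10)
    print(classify_ingress(access, None), classify_ingress(access, 0),
          classify_ingress(access, 20))  # 10 10 20: a tag wins without policy
    guest = Port("ge.1.2", pvid=10, policy_vlan=30, pvid_override=True)
    print(classify_ingress(guest, 20))   # 30: policy overrides the tag
```

The example makes one operational point explicit: without a policy that overrides PVID, a host can put itself in any VLAN simply by tagging its frames, so a port facing untrusted hosts needs either a policy or an egress configuration that keeps the unwanted VLANs off it.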
Configuring VLANs

Figure 3 Example of VLAN Propagation Using GVRP
[Figure: Switches 1 through 5 and End Station A; ports marked R are registered as members of VLAN Blue, and ports marked D are declaring VLAN Blue.]

Note: If a port is set to "forbidden" for the egress list of a VLAN, then the VLAN's egress list will not be dynamically updated with that port.

Administratively configuring a VLAN on an 802.
Platform Specific Differences

Enterasys X-Series Platform Configuration

The configuration of VLANs on the X‐Series platform is very similar to the configuration of VLANs on the N‐Series, S‐Series, K‐Series, stackable, and standalone switch platforms, with one major exception. By default, physical ports on the X‐Series are configured to route traffic rather than switch it, whereas ports on the other switch platforms switch traffic by default.
Default Settings

Table 1 lists VLAN parameters and their default values.

Table 1 Default VLAN Parameters

Parameter: garp timer
  Description: Configures the three GARP timers. The setting is critical and should only be done by someone familiar with the 802.1Q standard.
  Default Value: • Join timer: 20 centiseconds

  Description: Enables or disables the GARP VLAN Registration Protocol (GVRP) on a specific set of ports or all ports. GVRP must be enabled to allow creation of dynamic VLANs.
Configuring Static VLANs

Procedure 1 describes how to create and configure a static VLAN. Unspecified parameters use their default values.

Procedure 1 Static VLAN Configuration

Step 1. Show existing VLANs.
  Command: show vlan
Step 2. (Applies to X-Series only.) Define the ports to be used for switched traffic.
  Command: set port mode port-string switched
Step 3. Create VLAN. Refer to Configurable Range on page 6 for valid id values. Each vlan-id must be unique.
Procedure 1 Static VLAN Configuration (continued)

Step 6. (continued)
  • If forbidden is not specified, tagged and untagged egress settings will be cleared from the designated ports.
  Dynamic configuration: By default, dynamic egress is disabled on all VLANs. If dynamic egress is enabled for a VLAN, the device will add the port receiving a frame to the VLAN’s egress list as untagged according to the VLAN ID of the received frame.
Step 7.
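The following is an added worked example, not code from this guide or from Enterasys firmware. It models a single VLAN's egress list as described in step 6: static tagged, untagged and forbidden membership; a clear operation that, when forbidden is not specified, removes only the tagged and untagged settings; and dynamic egress, which adds the port receiving a frame as an untagged member for the frame's VID but never adds a port marked forbidden (the Note under Figure 3). The method names, the dict-based representation and the port names are assumptions of this example.

```python
"""Model of a VLAN egress list: static tagged/untagged/forbidden entries, the
clear behaviour, and dynamic egress learning. Added example; not Enterasys
firmware or CLI code. Method names and data layout are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable

TAGGED, UNTAGGED, FORBIDDEN = "tagged", "untagged", "forbidden"


@dataclass
class VlanEgress:
    vid: int
    dynamic_egress: bool = False                         # default: disabled on all VLANs
    entries: Dict[str, str] = field(default_factory=dict)  # port-string -> egress mode

    def set_egress(self, ports: Iterable[str], mode: str) -> None:
        """Static (administrative) egress configuration for the given ports."""
        if mode not in (TAGGED, UNTAGGED, FORBIDDEN):
            raise ValueError(f"unknown egress mode {mode!r}")
        for port in ports:
            self.entries[port] = mode

    def clear_egress(self, ports: Iterable[str], forbidden: bool = False) -> None:
        """Clear egress settings. When `forbidden` is not specified, only tagged
        and untagged entries are removed; with it, only the forbidden marking is."""
        target = (FORBIDDEN,) if forbidden else (TAGGED, UNTAGGED)
        for port in ports:
            if self.entries.get(port) in target:
                del self.entries[port]

    def learn_from_ingress(self, port: str, frame_vid: int) -> bool:
        """Dynamic egress: add the receiving port as an untagged member when the
        received frame carries this VLAN's VID. Returns True if the list changed."""
        if not self.dynamic_egress or frame_vid != self.vid:
            return False
        if self.entries.get(port) == FORBIDDEN:
            return False          # forbidden ports are never added dynamically
        if port in self.entries:
            return False          # already a member; nothing to learn
        self.entries[port] = UNTAGGED
        return True

    def egress_ports(self) -> Dict[str, str]:
        """Ports that actually transmit this VLAN, with their frame format."""
        return {p: m for p, m in self.entries.items() if m != FORBIDDEN}


if __name__ == "__main__":
    # Constructed sample: VLAN 100 with one static trunk port and one forbidden port.
    v = VlanEgress(vid=100, dynamic_egress=True)
    v.set_egress(["ge.1.1"], TAGGED)
    v.set_egress(["ge.1.2"], FORBIDDEN)
    for port, vid in (("ge.1.3", 100), ("ge.1.2", 100), ("ge.1.4", 200)):
        print(port, vid, "learned" if v.learn_from_ingress(port, vid) else "ignored")
    print(v.egress_ports())
```

Marking a port forbidden is the only static setting that dynamic egress respects, which is why the guide's Note matters operationally: with dynamic egress enabled, any other port that receives a tagged frame for the VLAN silently becomes an untagged egress member.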
Procedure 1 Static VLAN Configuration (continued)

Step 11c. N-Series/S-Series/K-Series configuration:
  Commands:
    configure terminal
    interface vlan vlan_id
    ip address ip-address ip-mask
    no shutdown
  Note: Each VLAN interface must be configured for routing separately using the interface command shown above. To end configuration on one interface before configuring another, type exit at the command prompt.
Procedure 2 provides an example of how to create a secure management VLAN. This example, which sets the new VLAN as VLAN 2, assumes the management station is attached to ge.1.1 and wants untagged frames. The process described in this section would be repeated on every device connected in the network to ensure that each device has a secure management VLAN.

Procedure 2 Secure Management VLAN Configuration

Step 1. (Applies to X-Series only.)
Procedure 3 Dynamic VLAN Configuration (continued)

Step 4. Optionally, set the GARP join, leave, and leaveall timer values. Each timer value is in centiseconds.
  Command: set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]} port-string

Caution: The setting of GARP timers is critical and should only be changed by personnel familiar with 802.1Q standards.
Procedure 4 Configuring Protocol-Based VLAN Classification (continued)

Step 7. Configure the classification rules that will define the protocol to filter on and the VLAN ID to which matching frames will be assigned.
  Command: set policy rule profile-index {protocol data [mask mask]} [vlan vlan]

Example Configuration

The following shows an example N‐Series device configuration using the steps in Procedure 4.
Terms and Definitions

Table 2 Displaying VLAN Information (continued)

Task: (Applies to N-Series, S-Series, K-Series only.) Display the VLAN constraint setting.
  Command: show vlan constraint [vlan id]
Task: Display the VLAN dynamic egress setting.
  Command: show vlan dynamicegress [vlan id]
Task: Display all static VLANs.
  Command: show vlan static
Task: Display ports assigned to VLANs.
  Command: show port vlan [port-string]
Task: Display existing GVRP settings.
  Command: show gvrp [port-string]
Task: Display static ports on the given vid, group.
March 15, 2011

Table 3 VLAN Terms and Definitions (continued)

Generic Attribute Registration Protocol (GARP): GARP is a protocol used to propagate state information throughout a switched network.
Port VLAN List: A per‐port list of all eligible VLANs whose frames can be forwarded out one specific port, and the frame format (tagged or untagged) of transmissions for that port.
Revision History

Date        Description
02-01-2008  New document.
02-20-2008  Corrected product naming conventions.
07-28-2008  Modifications due to product rebranding changes.
01-07-2009  Corrected error in configuration example.
03-15-2011  Added S-Series and K-Series. Removed IGMP snooping (covered in Multicast Feature Guide).

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice.