Juniper Networks EX2500 Ethernet Switch Configuration Guide
Release 3.0
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408-745-2000
www.juniper.
Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document.
Table of Contents
About This Guide xi
Objectives xi
Audience xi
Supported Platforms xi
Documentation Conventions
TACACS+ Authentication 14
How TACACS+ Authentication Works 14
TACACS+ Authentication Features in the EX2500 Switch 14
Command Authorization and Logging 16
Configuring TACACS+ Authentication on the Switch 16
Secure Shell
PVRST Configuration Guidelines 38
Configuring PVRST 38
Multiple Spanning Tree Protocol 39
MSTP Region 39
Common Internal Spanning Tree
History MIB Object ID 67
Configuring RMON History 67
RMON Group 3—Alarms 68
Alarm MIB Objects 68
Configuring RMON Alarms
List of Figures
Figure 1: Default VLAN Settings 24
Figure 2: Port-Based VLAN Assignment 25
Figure 3: 802.1Q Tagging (after Port-Based VLAN Assignment) 25
Figure 4: 802.1Q Tag Assignment 25
Figure 5: 802.1Q Tagging (after 802.1Q Tag Assignment)
List of Tables
Table 1: Notice Icons xii
Table 2: EX2500 Text and Syntax Conventions xii
Table 3: EX2500 Ethernet Switch Documentation xiii
Table 4: User Access Levels
About This Guide
This preface provides the following guidelines for using the Juniper Networks EX2500 Ethernet Switch Configuration Guide:
Objectives on page xi
Audience on page xi
Supported Platforms on page xi
Documentation Conventions on page xii
List of Technical Publications on page xiii
Documentation Feedback on page xiii
Requesting Technical Support on page xiii
Objectives
This guide describes how to configure and use the software on the EX2500 Ethernet Switch.
Documentation Conventions
Table 1 describes the notice icons used in this manual. Table 2 describes the EX2500 text and syntax conventions.
Table 1: Notice Icons
Icon     Meaning               Description
[icon]   Informational note    Indicates important features or instructions.
[icon]   Caution               Indicates a situation that might result in loss of data or hardware damage.
[icon]   Warning               Alerts you to the risk of personal injury or death.
List of Technical Publications
Table 3 lists the documentation supporting the EX2500 Ethernet Switch. All documentation for EX Series Ethernet Switches is available at http://www.juniper.net/techpubs/.
Table 3: EX2500 Ethernet Switch Documentation
Document                                Description
EX2500 Ethernet Switch Quick Start      Provides brief installation and initial configuration instructions.
EX2500 Ethernet Switch Hardware Guide   Provides information and instructions for installing an EX2500 Ethernet Switch.
Self-Help Online Tools and Resources
For quick and easy problem resolution, the Juniper Networks online self-service portal—the Customer Support Center (CSC)—provides the following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.
Part 1
EX2500 Ethernet Switch Applications
This configuration guide will help you plan, implement, and administer EX2500 software. Where possible, each chapter provides feature overviews, usage examples, and configuration instructions. “Accessing the Switch” on page 3 describes how to access the switch to perform administration tasks. This chapter also discusses different methods to manage the switch for remote administrators using specific IP addresses, authentication, and Secure Shell (SSH).
Chapter 1
Accessing the Switch
The EX2500 software provides a means for accessing, configuring, and viewing information and statistics about the EX2500 Ethernet Switch.
3. Configure the management IP address, subnet mask, and default gateway.
ex2500(config)# interface ip-mgmt address 10.10.10.2
ex2500(config)# interface ip-mgmt netmask 255.255.255.0
ex2500(config)# interface ip-mgmt enable
ex2500(config)# interface ip-mgmt gateway 10.10.10.
DHCP is an extension of another network IP management protocol, Bootstrap Protocol (BOOTP), with an additional capability of being able to allocate reusable network addresses and configuration parameters for client operation. Built on the client/server model, DHCP allows hosts or clients on an IP network to obtain their configurations from a DHCP server, thereby reducing network administration.
By default, EX2500 Web Device Manager access is enabled on the switch.
Configuring EX2500 Web Device Manager Access via HTTP
By default, EX2500 Web Device Manager access via HTTP is enabled. Use the following command to disable or enable EX2500 Web Device Manager access on the switch via HTTP:
ex2500(config)# [no] access http enable
The default HTTP Web server port to access the EX2500 Web Device Manager is port 80.
The EX2500 Web Device Manager is organized at a high level as follows:
Context tabs—These tabs allow you to select the type of action you wish to perform. The Configure tab provides access to the configuration elements for the entire switch. The Monitor tab provides access to the switch statistics and state information. The Dashboard tab allows you to display settings and operating status of a variety of switch features.
SNMPv3
SNMPv3 is an enhanced version of the Simple Network Management Protocol, approved by the Internet Engineering Steering Group in March 2002. SNMPv3 contains additional security and authentication features that provide data origin authentication, data integrity checks, timeliness indicators, and encryption to protect against threats such as masquerade, modification of information, message stream modification, and disclosure.
2. Configure a user access group, along with the views the group may access. Use the access table to configure the group’s access level. Because the read view, write view, and notify view are all set to iso, the user type has access to all private and public MIBs.
SNMPv3 Trap Host Configuration
To configure a user for SNMPv3 traps, you can choose to send the traps with both privacy and authentication, with authentication only, or without privacy or authentication. This is configured in the access table with the following commands:
ex2500(config)# snmp-server access <1-32> level
ex2500(config)# snmp-server target-parameters <1-16>
Configure the user in the user table accordingly.
RADIUS Authentication and Authorization
The EX2500 switch supports the RADIUS (Remote Authentication Dial-in User Service) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back-end database server. A remote user (the remote administrator) interacts only with the RAS, not the back-end server and database.
3. If desired, you may change the default UDP port number used to listen to RADIUS. The well-known port for RADIUS is 1812.
ex2500(config)# radius-server port
4. Configure the number of retry attempts for contacting the RADIUS server, and the timeout period.
Switch User Accounts
The user accounts listed in Table 4 can be defined in the RADIUS server dictionary file.
Table 4: User Access Levels
User Account   Description and Tasks Performed                                                        Password
User           The User has no direct responsibility for switch management. He or she can view        user
               all switch status information and statistics but cannot make any configuration
               changes to the switch.
Operator       The Operator manages all functions of the switch.
TACACS+ Authentication
The EX2500 switch supports authentication and authorization with networks using the TACACS+ protocol. The EX2500 switch functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the EX2500 switch either through a data port or a management port.
The default mapping between TACACS+ authorization levels and EX2500 management access levels is shown in Table 6. The authorization levels must be defined on the TACACS+ server.
Table 6: Default TACACS+ Authorization Levels
EX2500 User Access Level   TACACS+ level
user                       0
oper                       3
admin                      6
Alternate mapping between TACACS+ authorization levels and EX2500 management access levels is shown in Table 7.
NOTE: When you are using the EX2500 Web Device Manager, the TACACS+ Accounting Stop records are sent only if the Logout button on the browser is clicked.
Command Authorization and Logging
When TACACS+ Command Authorization is enabled, EX2500 configuration commands are sent to the TACACS+ server for authorization.
Secure Shell
Secure Shell (SSH) uses secure tunnels to encrypt and secure messages between a remote administrator and the switch. Telnet does not provide this level of security: managing an EX2500 switch over Telnet does not give you a secure connection. SSH is a protocol that enables remote administrators to log securely into the EX2500 over a network to execute management commands.
When the SSH server is first enabled and applied, the switch automatically generates the RSA host and server keys, which are stored in the Flash memory. To configure RSA host and server keys, enter the following commands to generate them manually:
ex2500(config)# ssh generate-host-key
ex2500(config)# ssh generate-server-key
When the switch reboots, it will retrieve the host and server keys from the Flash memory.
Considerations for Configuring End User Accounts
A maximum of 10 user IDs is supported on the switch. The EX2500 switch supports end user access through the console, Telnet, the EX2500 Web Device Manager, and SSHv1 or SSHv2. If RADIUS authentication is used, the user password on the RADIUS server will override the user password on the EX2500 switch.
Listing Current Users
The following command displays defined user accounts and whether or not each user is currently logged in to the switch.
Chapter 2
VLANs
This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs commonly are used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments.
VLANs and Port VLAN ID Numbers
VLAN Numbers
The EX2500 switch supports up to 1024 VLANs per switch. Even though the maximum number of VLANs supported at any given time is 1024, each can be identified with any number between 1 and 4094. VLAN 1 is the default VLAN for the data ports. VLAN 4095 is used by the management network, which includes the management port.
VLAN Tagging
EX2500 software supports 802.1Q VLAN tagging, providing standards-based VLAN support for Ethernet systems. Tagging places the VLAN identifier in the frame header of a packet, allowing each port to belong to multiple VLANs. When you add a port to multiple VLANs, you also must enable tagging on that port.
Figure 1: Default VLAN Settings
[Figure: an 802.1Q switch with ports 1 through 7 in VLAN 1, each with PVID = 1. An incoming untagged packet (DA, SA, Data, CRC) leaves the switch as an unchanged untagged packet.]
Key: By default, all ports are assigned PVID = 1, and all ports are untagged members of VLAN 1.
NOTE: The port numbers specified in these illustrations might not directly correspond to the physical port configuration of your switch model.
Figure 2: Port-Based VLAN Assignment
[Figure ("Before"): an 802.1Q switch with ports 1 through 8. An untagged packet (DA, SA, Data, CRC) enters port 1, which has PVID = 2; port 5 is a tagged member of VLAN 2 and port 7 is an untagged member of VLAN 2.]
As shown in Figure 3, the untagged packet is marked (tagged) as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2.
As shown in Figure 5, the tagged packet remains unchanged as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2. However, the tagged packet is stripped (untagged) as it leaves the switch through port 7, which is configured as an untagged member of VLAN 2.
Figure 5: 802.1Q Tagging (after 802.1Q Tag Assignment)
[Figure: the 802.1Q switch of Figure 2; the tagged packet leaves port 5 unchanged and leaves port 7 with its tag stripped.]
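The ingress and egress rules that Figures 2 through 5 illustrate can be checked with a small simulation. The following is an added example, not code from Juniper or from the EX2500 software: each port carries a PVID, a set of VLAN memberships and a tagged/untagged flag, and the eight-port topology in build_sample_switch() is constructed to match the figures (port 1 with PVID 2, port 5 a tagged member of VLAN 2, port 7 an untagged member of VLAN 2, every other port at the default PVID 1 as an untagged member of VLAN 1). MAC learning is deliberately not modelled; frames are flooded to every member port of their VLAN.

```python
"""Simulation of 802.1Q port-based tagging (added example, not Juniper code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int = 1                                          # VLAN given to untagged ingress frames
    vlans: Set[int] = field(default_factory=lambda: {1})   # VLAN memberships
    tagged: bool = False                                   # True: frames leave with an 802.1Q tag


@dataclass
class Frame:
    dst: str
    src: str
    vlan: Optional[int] = None                             # None means the frame is untagged


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def classify(self, in_port: int, frame: Frame) -> Optional[int]:
        """Ingress: untagged frames take the port's PVID; tagged frames keep their
        VLAN ID. A frame for a VLAN the ingress port is not a member of is dropped."""
        port = self.ports[in_port]
        vlan = frame.vlan if frame.vlan is not None else port.pvid
        return vlan if vlan in port.vlans else None

    def egress(self, out_port: int, frame: Frame, vlan: int) -> Optional[Frame]:
        """Egress: a tagged member emits the frame with the VLAN tag, an untagged
        member strips it, and a non-member does not forward the frame at all."""
        port = self.ports[out_port]
        if vlan not in port.vlans:
            return None
        return Frame(frame.dst, frame.src, vlan if port.tagged else None)

    def forward(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        """Flood the frame to every other member port of its VLAN; returns {port: frame}."""
        vlan = self.classify(in_port, frame)
        if vlan is None:
            return {}
        out: Dict[int, Frame] = {}
        for number in self.ports:
            if number == in_port:
                continue
            egress_frame = self.egress(number, frame, vlan)
            if egress_frame is not None:
                out[number] = egress_frame
        return out


def build_sample_switch() -> Switch:
    """Constructed eight-port topology matching Figures 2 through 5 (assumption)."""
    ports = {n: Port() for n in range(1, 9)}                # defaults: PVID 1, untagged in VLAN 1
    ports[1] = Port(pvid=2, vlans={2})                      # untagged ingress on port 1 -> VLAN 2
    ports[5] = Port(pvid=1, vlans={1, 2}, tagged=True)      # tagged member of VLAN 1 and VLAN 2
    ports[7] = Port(pvid=2, vlans={2})                      # untagged member of VLAN 2
    return Switch(ports)


if __name__ == "__main__":
    sw = build_sample_switch()
    untagged_in = Frame("00:00:5e:00:53:02", "00:00:5e:00:53:01")   # constructed addresses
    for port, out in sw.forward(1, untagged_in).items():
        print(f"port {port}: {'tagged VLAN %d' % out.vlan if out.vlan else 'untagged'}")
```

Running the block reproduces the figures: an untagged frame entering port 1 is classified into VLAN 2, leaves port 5 with a VLAN 2 tag and leaves port 7 untagged; no VLAN 1 port sees it.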
All ports that are involved in port mirroring must have memberships in the same VLANs. If a port is configured for port mirroring, the port’s VLAN membership cannot be changed. For more information on configuring port mirroring, see “Monitoring Ports with Port Mirroring” on page 81.
Multiple VLANs Configuration Example
Figure 6 shows a sample network consisting of an EX2500 switch configured with multiple VLANs with VLAN-tagged gigabit adapters.
Table 8: Components of Sample Network with Multiple VLANs (2 of 2)
Component                     Description
Server 5                      A member of VLAN 1 and VLAN 2, this server can communicate only with Server 1, Server 2, and Server 3. The associated switch port has tagging enabled.
Enterprise Routing switches   These switches must have all three VLANs (VLAN 1, 2, 3) configured. They can communicate with Server 1, Server 2, and Server 5 via VLAN 1.
Private VLANs
Private VLANs provide Layer 2 isolation between the ports within the same broadcast domain. Private VLANs can control traffic within a VLAN domain, and provide port-based security for host servers. Use private VLANs to partition a VLAN domain into sub-domains. Each sub-domain is comprised of one primary VLAN and one or more secondary VLANs, as follows:
Primary VLAN—Carries unidirectional traffic downstream from promiscuous ports.
Private VLAN Configuration Guidelines
The following guidelines apply when configuring private VLANs:
The default VLAN 1 cannot be a private VLAN.
The management VLAN 4095 cannot be a private VLAN.
The management port cannot be a member of a private VLAN.
IGMP Snooping must be disabled on isolated VLANs.
Each secondary port’s (isolated port and community ports) PVID must match its corresponding secondary VLAN ID.
Chapter 3
Spanning Tree Protocol
When multiple paths exist on a network, Spanning Tree Protocol configures the network so that a switch uses only the most efficient path.
The relationship between port, trunk groups, VLANs, and spanning trees is shown in Table 9.
Port Priority
The port priority helps determine which bridge port becomes the root or designated port. The root-port case arises when two switches are connected by two or more links with the same path cost. The designated-port case arises in a network topology where multiple bridge ports with the same path cost connect to a single segment: the port with the lowest port priority becomes the designated port for the segment.
Each STG must have a VLAN assigned to it before it becomes functional. You cannot configure other STG settings until the VLAN is assigned. If the STG VLAN is unassigned, other configuration settings are cleared. Assign a VLAN and reconfigure the STG settings.
NOTE: To ensure proper operation with switches that use Cisco Per VLAN Spanning Tree (PVST+), you must either create a separate STG for each VLAN, or manually add all associated VLANs into a single STG.
When you remove a port from a VLAN that belongs to an STG, that port is removed from the STG. However, if that port belongs to another VLAN in the same STG, the port remains in the STG. As an example, assume that port 1 belongs to VLAN 2, and VLAN 2 belongs to STG 2. When you remove port 1 from VLAN 2, port 1 is also removed from STG 2. The port moves to the default VLAN 1.
Port Type and Link Type
Spanning tree configuration includes the following parameters to support RSTP and MSTP: edge port and link type.
Edge Port
A port that does not connect to a bridge is called an edge port. Edge ports can start forwarding as soon as the link is up. Edge ports do not take part in Spanning Tree, and should not receive BPDUs. A port with edge enabled is intended to be connected directly to a host.
Per VLAN Rapid Spanning Tree
Per VLAN Rapid Spanning Tree Plus Protocol (PVRST+) enhances RSTP by adding the ability to have multiple Spanning Tree Groups (STGs). PVRST+ is based on IEEE 802.1w Rapid Spanning Tree Protocol. In PVRST mode, the EX2500 switch supports a maximum of 128 Spanning Tree Groups (STGs). Multiple STGs provide multiple data paths, which can be used for load balancing and redundancy.
In Figure 8, VLAN 1 and VLAN 2 belong to different Spanning Tree Groups. The two instances of Spanning Tree separate the topology without forming a loop. Both VLANs can forward packets between the switches without losing connectivity.
Multiple Spanning Tree Protocol
Multiple Spanning Tree Protocol (MSTP) extends Rapid Spanning Tree Protocol through multiple Spanning Tree Groups, using multiple VLANs in each STG. MSTP supports up to 32 Spanning Tree instances, which correspond to Spanning Tree Groups 1 through 32. For more information about Spanning Tree Protocol, see “Spanning Tree Protocol” on page 31. In Multiple Spanning Tree Protocol (MSTP), several VLANs can be mapped to each Spanning Tree instance.
Figure 9 shows how multiple spanning trees can provide redundancy without wasting any uplink ports. In this example, the server ports are split between two separate VLANs, and each VLAN belongs to a different Multiple Spanning Tree (MSTP) group. The spanning-tree priority values are configured so that each routing switch is the root for a different MSTP instance. All of the uplinks are active, with each uplink port backing up the other.
Add server ports 1 and 2 to VLAN 1. Add uplink ports 19 and 20 to VLAN 1.
ex2500(config)# vlan 1
ex2500(config-vlan)# enable
ex2500(config-vlan)# member 1
ex2500(config-vlan)# member 2
ex2500(config-vlan)# member 19
ex2500(config-vlan)# member 20
ex2500(config-vlan)# stg 1
ex2500(config-vlan)# exit
2. Configure Multiple Spanning Tree Protocol. Configure the MSTP region name and version, and set the spanning tree mode to mst.
Configuration Guidelines
When you enable Fast Uplink Convergence, the EX2500 switch automatically makes the following configuration changes:
Sets the bridge priority to 61440 so that it does not become the root switch.
Increases the cost of all ports by 30000, across all VLANs and Spanning Tree Groups. This ensures that traffic never flows through the EX2500 switch to get to another switch unless there is no other path.
Chapter 4
Ports and Trunking
Trunk groups can provide super-bandwidth, multi-link connections between switches or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. This chapter provides configuration background and examples for trunking multiple ports together.
Each packet’s particular MAC or IP address information results in selecting one line in the trunk group for data transmission. The more data streams feed the trunk lines, the more evenly traffic is distributed.
Built-In Fault Tolerance
Since each trunk group is made up of multiple physical links, the trunk group is inherently fault tolerant. As long as one connection between the switches is available, the trunk remains active.
You cannot change the VLAN membership for a trunk group’s member port. You can change the VLAN membership of the trunk group. When an active port is configured in a trunk, the port becomes a trunk member when you enable the trunk. The Spanning Tree parameters for the port then change to reflect the new trunk settings. All trunk members must be in the same Spanning Tree Group (STG) and can belong to only one Spanning Tree Group (STG).
1. Follow these steps on the EX2500 switch:
a. Define a trunk group.
ex2500(config)# portchannel 3 member 2,9,16
ex2500(config)# portchannel 3 enable
b. Verify the configuration.
ex2500(config)# show portchannel 3
Examine the resulting information. If any settings are incorrect, make appropriate changes.
2. Repeat the process on the other switch.
Configurable Trunk Hash Algorithm
This feature allows you to configure parameters for the trunk hash algorithm, instead of using the default values. Use the IP Trunk Hash commands to configure new default behavior for Layer 2 traffic and Layer 3 traffic. The trunk hash settings affect both static trunks and LACP trunks.
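The two properties the trunking text relies on, that a given flow is always pinned to one member link and that a failed link simply shrinks the set of candidates, are easy to see in a model. The following is an added example and not the EX2500's own hash: the switch's real hash function and its Layer 2/Layer 3 parameter options are not described on this page, so CRC-32 over the chosen address pair, reduced modulo the number of active links, is an assumption used only to illustrate the behaviour. The member ports 2, 9 and 16 come from the portchannel example above; the flow addresses are constructed.

```python
"""Per-flow link selection in a trunk group (added example, not the switch's hash)."""
import zlib
from typing import Dict, List, Optional


def flow_key(mode: str, src_mac: str, dst_mac: str,
             src_ip: Optional[str] = None, dst_ip: Optional[str] = None) -> str:
    """Layer 3 mode hashes the IP pair when the packet has one; Layer 2 mode
    (or a non-IP packet) hashes the MAC pair. The modes are an assumption."""
    if mode == "ip" and src_ip and dst_ip:
        return f"{src_ip}>{dst_ip}"
    return f"{src_mac}>{dst_mac}"


class TrunkGroup:
    def __init__(self, members: List[int]):
        self.members = sorted(members)   # physical ports, e.g. portchannel 3 member 2,9,16
        self.down = set()

    def active(self) -> List[int]:
        return [m for m in self.members if m not in self.down]

    def link_down(self, port: int) -> None:
        self.down.add(port)

    def link_up(self, port: int) -> None:
        self.down.discard(port)

    def select(self, key: str) -> Optional[int]:
        """Pick the member link that carries a flow; None means every link is down,
        which is the only case in which the trunk itself stops forwarding."""
        links = self.active()
        if not links:
            return None
        return links[zlib.crc32(key.encode()) % len(links)]   # assumed hash


def distribution(trunk: TrunkGroup, keys: List[str]) -> Dict[int, int]:
    """Count how many flows land on each active link (a rough evenness check)."""
    counts = {m: 0 for m in trunk.active()}
    for k in keys:
        counts[trunk.select(k)] += 1
    return counts


if __name__ == "__main__":
    trunk = TrunkGroup([2, 9, 16])
    flows = [f"10.0.0.{i}>10.1.0.{i}" for i in range(300)]   # constructed IP pairs
    print("all links up:", distribution(trunk, flows))
    trunk.link_down(9)
    print("port 9 down:  ", distribution(trunk, flows))
```

Note that flows which were on the failed link are re-hashed onto the survivors, and flows on the surviving links may move as well because the modulus changed; a real switch may or may not preserve existing assignments, which this model does not claim to show.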
NOTE: LACP implementation in the EX2500 switch does not support the Churn machine, an option used to detect if the port is operable within a bounded time period between the actor and the partner. Only the Marker Responder is implemented, and there is no marker protocol generator.
A port’s Link Aggregation Identifier (LAG ID) determines how the port can be aggregated.
When the system is initialized, all ports by default are in LACP off mode and are assigned unique admin keys. To make a group of ports aggregatable, you assign them all the same admin key. You must set the port’s LACP mode to active to activate LACP negotiation. You can set the other ports’ LACP mode to passive, to reduce the amount of LACPDU traffic at the initial trunk-forming stage.
We recommend that you use the default long timeout to reduce LACPDU processing. If the CPU utilization rate of your switch remains at 100% for periods of 90 seconds or more, consider using static trunks instead of LACP. However, if CPU use is low, you can set the LACP timeout value on the switch to short (3 seconds), instead.
Chapter 5
Quality of Service
Quality of Service features allow you to allocate network resources to mission-critical applications at the expense of applications that are less sensitive to such factors as time delays or network congestion. You can configure your network to prioritize specific types of traffic, ensuring that each type receives the appropriate Quality of Service (QoS) level.
Figure 11: QoS Model
[Figure: Ingress Ports -> Classify Packets (ACL Filter) -> Perform Actions (Permit/Deny) -> Queue and Schedule (COS Queue) -> Egress.]
The basic QoS model works as follows:
Classify traffic:
  Read the DSCP value.
  Read the 802.1p priority value.
  Match ACL filter parameters.
Perform actions:
  Permit packets.
  Deny packets.
  Map the 802.1p priority to a COS queue.
  Map the DSCP to a COS queue.
Each ACL contains rules that define the matching criteria for data packets. The ACL checks each packet against its rules, to determine if there is a match. If the packet matches the ACL’s rules, the ACL performs its configured action: either permit or deny the packet. The EX2500 switch supports the following ACL types:
MAC Extended ACLs
IP Standard ACLs
IP Extended ACLs
MAC Extended ACLs
The switch supports up to 127 MAC Extended ACLs, numbered from 1 through 127.
IP Extended ACLs
The switch supports up to 128 IP ACLs (standard and extended), numbered from 128 through 254.
Table 13: Well-Known Application Ports
Number  TCP/UDP Application   Number  TCP/UDP Application   Number      TCP/UDP Application
20      ftp-data              79      finger                179         bgp
21      ftp                   80      http                  194         irc
22      ssh                   109     pop2                  220         imap3
23      telnet                110     pop3                  389         ldap
25      smtp                  111     sunrpc                443         https
37      time                  119     nntp                  520         rip
42      name                  123     ntp                   554         rtsp
43      whois                 143     imap                  1645, 1812  RADIUS
53      domain                144     news                  1813        RADIUS accounting
69      tftp                  161     snmp                  1985        hsrp
70      g
Assigning ACLs to a Port
Once you configure an ACL, you must assign the ACL to a port. Each port can accept multiple ACLs. Note that higher-priority ACLs are considered first, and their action takes precedence over lower-priority ACLs. When you assign an ACL to a port, the ACL acts only upon ingress traffic, not egress traffic.
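The precedence rule in this section (several ACLs on one port, higher priority evaluated first, ingress only) can be modelled as a first-match walk over an ordered list. The following is an added example, not the switch's implementation. The standard IP ACL fields follow the layout of the show access-lists output in this chapter: an address plus a subnet-style mask, where 0.0.0.0 with mask 0.0.0.0 means any host and a 255.255.255.255 mask means one exact host. Two points are assumptions rather than statements from the guide: the order of the per-port list is taken as the priority order, and traffic that matches no ACL receives a configurable default action (permit here). ACL 1 reproduces the entry shown in the verification step below; ACL 2 is constructed.

```python
"""Ingress ACL evaluation on a port (added example, not the EX2500 implementation)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _masked(addr: str, mask: str) -> int:
    """Apply a subnet-style mask: 1 bits are compared, 0 bits are wildcards."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))


@dataclass(frozen=True)
class StandardIpAcl:
    number: int
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    action: str          # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (_masked(src_ip, self.src_mask) == _masked(self.src, self.src_mask)
                and _masked(dst_ip, self.dst_mask) == _masked(self.dst, self.dst_mask))


def evaluate_ingress(port_acls: List[StandardIpAcl], src_ip: str, dst_ip: str,
                     default_action: str = "permit") -> Tuple[str, Optional[int]]:
    """Walk the port's ACLs in priority order; the first match decides.
    Returns (action, acl_number); acl_number is None when the default applied."""
    for acl in port_acls:
        if acl.matches(src_ip, dst_ip):
            return acl.action, acl.number
    return default_action, None


# ACL 1 as displayed by "show access-lists 1": any source to host 100.10.1.1, deny, port 1.
ACL_1 = StandardIpAcl(1, "0.0.0.0", "0.0.0.0", "100.10.1.1", "255.255.255.255", "deny")
# Constructed higher-priority exception: let the 10.1.1.0/24 network reach that host.
ACL_2 = StandardIpAcl(2, "10.1.1.0", "255.255.255.0", "100.10.1.1", "255.255.255.255", "permit")

# Port 1 carries both; the exception is listed first so it wins (priority order assumed).
PORT_ACLS: Dict[int, List[StandardIpAcl]] = {1: [ACL_2, ACL_1]}


def decide(port: int, src_ip: str, dst_ip: str,
           direction: str = "ingress") -> Tuple[str, Optional[int]]:
    """Port-level decision: ACLs act only on ingress traffic, never on egress."""
    if direction != "ingress":
        return "permit", None
    return evaluate_ingress(PORT_ACLS.get(port, []), src_ip, dst_ip)


if __name__ == "__main__":
    for src in ("10.1.1.5", "10.2.2.2"):
        print(src, "-> 100.10.1.1 on port 1:", decide(1, src, "100.10.1.1"))
```

Swapping the list order to [ACL_1, ACL_2] makes the blanket deny shadow the exception, which is exactly the mistake the precedence note in this section warns about.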
3. Verify the configuration.
ex2500# show access-lists 1
Standard IP Access List 1
---------------------------
Source IP address           : 0.0.0.0
Source IP address mask      : 0.0.0.0
Destination IP address      : 100.10.1.1
Destination IP address mask : 255.255.255.255
In Port List                : 1
Filter Action               : Deny
Status                      : InActive
ACL Example 2—Blocking Traffic from a Source to a Destination
Use this configuration to block traffic from a network destined for a specific host address.
ACL Example 4—Blocking All Except Certain Packets
Use this configuration to block all traffic except traffic of certain types. HTTP/HTTPS, DHCP, and ARP packets are permitted on the port. All other traffic is denied.
1. Configure one IP ACL for each type of traffic that you want to permit.
Using Storm Control Filters
The EX2500 switch provides filters that can limit the number of the following packet types transmitted by switch ports:
Broadcast packets
Multicast packets
Unknown unicast packets (destination lookup failure)
Broadcast Storms
Excessive transmission of broadcast or multicast traffic can result in a broadcast storm. A broadcast storm can overwhelm your network with constant broadcast or multicast traffic, and degrade network performance.
Using DSCP Values to Provide QoS
The switch uses the Differentiated Services (DiffServ) architecture to provide QoS functions. DiffServ is described in IETF RFCs 2474 and 2475. The six most significant bits in the ToS byte of the IP header are defined as DiffServ Code Points (DSCP). Packets are marked with a certain value depending on the type of treatment the packet must receive in the network device.
Per Hop Behavior
The DSCP value determines the Per Hop Behavior (PHB) of each packet. The PHB is the forwarding treatment given to packets at each hop. QoS policies are built by the application of a set of rules to packets, based on the DSCP value, as they hop through the network.
QoS Levels
Table 16 shows the default service levels provided by the switch, listed from highest to lowest importance.
Table 16: Default QoS Service Levels
Service Level Default PHB 802.
Using 802.1p Priority to Provide QoS
The EX2500 switch provides Quality of Service (QoS) functions based on the priority bits in a packet’s VLAN header. (The priority bits are defined by the 802.1p standard within the IEEE 802.1Q VLAN header.) The 802.1p bits, if present in the packet, specify the priority that should be given to packets during forwarding.
Queuing and Scheduling
The EX2500 switch has eight output Class of Service (COS) queues per port, into which each packet is placed. Each packet’s 802.1p priority determines its COS queue. Higher COS queue numbers provide forwarding precedence. You can map 802.1p priority value to a COS queue, as follows:
ex2500(config)# qos transmit-queue mapping <802.
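The DSCP, 802.1p and queuing sections above describe two priority fields and a mapping of each onto the eight COS queues. The block below, an added example that is not Juniper code, extracts both fields from a raw Ethernet frame (DSCP as the six most significant bits of the IPv4 ToS byte, the 802.1p priority as the top three bits of the 802.1Q tag control field) and maps them to a queue. The default queue mappings are assumptions made for the example, identity for 802.1p and the three high-order DSCP bits for DSCP; the switch's actual defaults are in Table 16, which is not reproduced here. The precedence between the two fields when both are present is likewise assumed. The sample frames are constructed by build_ipv4_frame().

```python
"""Reading DSCP and 802.1p priority from a frame and mapping to a COS queue
(added example, not Juniper code; default mappings are assumptions)."""
import struct
from typing import Dict, Optional, Tuple

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def dscp_from_tos(tos: int) -> int:
    """DSCP is the six most significant bits of the ToS byte (RFC 2474)."""
    return (tos >> 2) & 0x3F


def pcp_from_tci(tci: int) -> int:
    """The 802.1p priority is the top three bits of the 16-bit tag control field."""
    return (tci >> 13) & 0x7


PCP_TO_QUEUE: Dict[int, int] = {p: p for p in range(8)}   # assumed: priority n -> queue n


def dscp_to_queue(dscp: int) -> int:
    return dscp >> 3          # assumed: the DSCP class-selector bits pick the queue


def parse_priority_fields(frame: bytes) -> Tuple[Optional[int], Optional[int]]:
    """Return (802.1p priority, DSCP); either is None when the field is absent."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, pcp = 14, None
    if ethertype == ETHERTYPE_VLAN:
        pcp = pcp_from_tci(struct.unpack("!H", frame[14:16])[0])
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        dscp = dscp_from_tos(frame[offset + 1])   # ToS is the second byte of the IPv4 header
    return pcp, dscp


def cos_queue(frame: bytes, pcp_map: Dict[int, int] = PCP_TO_QUEUE) -> int:
    """Assumed precedence: an 802.1p tag wins, then DSCP, otherwise queue 0."""
    pcp, dscp = parse_priority_fields(frame)
    if pcp is not None:
        return pcp_map[pcp]
    if dscp is not None:
        return dscp_to_queue(dscp)
    return 0


def build_ipv4_frame(tos: int = 0, pcp: Optional[int] = None, vlan: int = 1) -> bytes:
    """Constructed minimal frame: two MACs, optional 802.1Q tag, 20-byte IPv4 header."""
    frame = bytes.fromhex("00005e005302") + bytes.fromhex("00005e005301")
    if pcp is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vlan & 0xFFF))
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    frame += bytes([0x45, tos]) + bytes(18)        # version/IHL, ToS, remaining header zeroed
    return frame


if __name__ == "__main__":
    # ToS 0xB8 carries DSCP 46 (Expedited Forwarding); the tag carries priority 3.
    for f in (build_ipv4_frame(tos=0xB8, pcp=3, vlan=100), build_ipv4_frame(tos=0xB8)):
        print(parse_priority_fields(f), "-> COS queue", cos_queue(f))
```

Changing PCP_TO_QUEUE is the model equivalent of the qos transmit-queue mapping command above: the frame's priority bits stay as they are and only the queue they select changes.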
Chapter 6
Remote Monitoring
Remote Monitoring (RMON) allows network devices to exchange network monitoring data. The following topics are discussed in this chapter:
RMON Overview on page 65
RMON Group 1—Statistics on page 66
RMON Group 2—History on page 67
RMON Group 3—Alarms on page 68
RMON Group 9—Events on page 69
RMON Overview
RMON allows the switch to track events and trigger alarms when a threshold is reached and to notify administrators by issuing a syslog message or SNMP trap.
RMON Group 1—Statistics
The switch supports collection of Ethernet statistics as outlined in the RMON statistics MIB, in reference to etherStatsTable. You can configure RMON statistics on a per-port basis. RMON statistics are sampled every second, and new data overwrites any old data on a given port.
NOTE: You must configure RMON statistics for the port before you can view RMON statistics.
Use the following procedure to configure RMON statistics:
1.
RMON Group 2—History

The RMON History Group allows you to sample and archive Ethernet statistics for a specific interface during a specific time interval. History sampling is done per port.

NOTE: RMON port statistics must be enabled for the port before an RMON History Group can monitor the port.

Data is gathered during discrete sampling intervals and stored in “buckets.
3. View RMON history for the port.

ex2500(config)# show rmon history
RMON is enabled
Index  IFOID        Interval  Rbnum  Gbnum
-----  -----------  --------  -----  -----
1      ifEntry.1.7  120       30     30
History Ether table is empty

RMON Group 3—Alarms

The RMON Alarm Group allows you to define a set of thresholds to determine network performance. When a configured threshold is crossed, an alarm is generated.
RMON Group 9—Events

The RMON Event Group allows you to define events that are triggered by alarms. An event can be a log message, an SNMP trap, or both. When an alarm is generated, it triggers a corresponding event notification.
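The Alarm and Event groups described above, as an added Python example (not the switch's own code): an alarm samples one variable either as an absolute value or as the delta between two polls, fires a rising or falling event when the matching threshold is crossed, and, following the RFC 2819 rule, does not fire the same direction again until the opposite threshold is reached. That hysteresis is what keeps a counter hovering around the threshold from flooding syslog or the trap receiver. The counter readings are constructed, and the variable name etherStatsBroadcastPkts.4 and the 30-second poll interval are illustrative.

```python
"""RMON alarm/event model: rising and falling thresholds with hysteresis (RFC 2819 semantics)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class RmonEvent:
    """RMON Group 9 event: what to do when an alarm fires (log, trap, or both)."""
    description: str
    log: bool = False
    trap: bool = False

    def channels(self):
        return tuple(name for name, on in (("log", self.log), ("trap", self.trap)) if on)


@dataclass
class Notification:
    direction: str            # "rising" or "falling"
    variable: str
    value: int                # the sampled (absolute or delta) value that crossed
    channels: Tuple[str, ...]
    description: str


@dataclass
class RmonAlarm:
    """RMON Group 3 alarm on one MIB variable."""
    variable: str
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "delta"               # "delta" (counter rate) or "absolute" (gauge)
    rising_event: Optional[RmonEvent] = None
    falling_event: Optional[RmonEvent] = None
    startup: str = "rising"                  # which crossing may fire first: "rising", "falling", "both"
    _armed: str = field(init=False, default="")
    _last_raw: Optional[int] = field(init=False, default=None)

    def __post_init__(self):
        if self.falling_threshold > self.rising_threshold:
            raise ValueError("falling threshold must not exceed rising threshold")
        self._armed = self.startup

    def sample(self, raw_value):
        """Feed one poll of the variable; return the notifications it generated (usually none)."""
        if self.sample_type == "delta":
            if self._last_raw is None:
                self._last_raw = raw_value
                return []                    # a delta needs two samples
            value = raw_value - self._last_raw
            if value < 0:
                value += 1 << 32             # Counter32 wrapped between polls
            self._last_raw = raw_value
        else:
            value = raw_value
        if value >= self.rising_threshold and self._armed in ("rising", "both"):
            self._armed = "falling"          # no further rising alarm until value <= falling threshold
            return self._fire("rising", self.rising_event, value)
        if value <= self.falling_threshold and self._armed in ("falling", "both"):
            self._armed = "rising"
            return self._fire("falling", self.falling_event, value)
        return []

    def _fire(self, direction, event, value):
        if event is None:
            return []                        # the crossing still re-arms the alarm, but nobody is told
        return [Notification(direction, self.variable, value, event.channels(), event.description)]


def run_demo():
    """Constructed broadcast-packet counter readings for one port, polled every 30 s."""
    readings = [0, 50, 120, 5000, 9100, 9150, 9200, 14000]
    alarm = RmonAlarm(
        variable="etherStatsBroadcastPkts.4",
        rising_threshold=1000, falling_threshold=100,
        rising_event=RmonEvent("broadcast storm on port 4", log=True, trap=True),
        falling_event=RmonEvent("broadcast storm on port 4 cleared", log=True),
    )
    fired = []
    for reading in readings:
        fired.extend(alarm.sample(reading))
    return fired
```

run_demo() produces three notifications: rising (delta 4880), falling (delta 50), rising (delta 4800). The delta of 4100 in between crosses the rising threshold but generates nothing, because the alarm is not re-armed until the rate drops to the falling threshold.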
Chapter 7 IGMP

Internet Group Management Protocol (IGMP) is used by IP Multicast routers to learn about the existence of host group members on their directly attached subnet (see RFC 2236). The IP Multicast routers get this information by sending IGMP Membership Queries to the all-hosts group (224.0.0.1) and listening for IP hosts reporting their host group memberships. This process is used to set up a client/server relationship between an IP Multicast source that provides the data streams and the clients that want to receive the data.
The client-server path is set up as follows:

1. An IP Multicast router (Mrouter) sends Membership Queries to the switch, which forwards them to all ports in a given VLAN.
2. Hosts that want to receive the multicast data stream send Membership Reports to the switch, which sends a proxy Membership Report to the Mrouter.
3. The switch sets up a path between the Mrouter and the host, and blocks all other ports from receiving the multicast.
4.
IGMPv3 Snooping

IGMPv3 includes new membership report messages to extend IGMP functionality. The switch provides snooping capability for all types of IGMP version 3 (IGMPv3) Membership Reports. IGMPv3 supports Source-Specific Multicast (SSM). SSM identifies session traffic by both source and group addresses. The IGMPv3 implementation keeps records on the multicast hosts present in the network.
4. Enable IGMPv3 Snooping (optional).

ex2500(config)# ip igmp snoop igmpv3 enable

5. View dynamic IGMP information.

ex2500# show ip igmp groups
Note: Local groups (224.0.0.x) are not snooped/relayed and will not appear.
Source          Group            VLAN    Port   Version  Mode  Expires  Fwd
--------------  ---------------  ------  -----  -------  ----  -------  ---
10.1.1.1        232.1.1.1        2       4      V3       INC   4:16     Yes
10.1.1.5        232.1.1.1        2       4      V3       INC   4:16     Yes
*               232.1.1.1        2       4      V3       INC            No
10.10.10.43     235.0.0.
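The IGMPv3 Membership Reports that snooping consumes, as an added Python example (not Juniper code): it builds a v3 report (RFC 3376), parses one with checksum and length validation so a malformed source count cannot run past the buffer, and derives rows shaped like the `show ip igmp groups` output above, skipping 224.0.0.x groups as the note says. The sample report is constructed, and the row derivation is a simplification that handles only the current-state record types (MODE_IS_* and CHANGE_TO_*), not the ALLOW/BLOCK deltas.

```python
"""Build and parse IGMPv3 Membership Reports (RFC 3376) and derive snooping entries from them."""
import ipaddress
import struct

IGMPV3_REPORT = 0x22
RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE", 3: "CHANGE_TO_INCLUDE_MODE",
                4: "CHANGE_TO_EXCLUDE_MODE", 5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}
LOCAL_GROUPS = ipaddress.IPv4Network("224.0.0.0/24")   # link-local groups: not snooped or relayed


def inet_checksum(data):
    """Standard 16-bit one's-complement checksum used by IP, ICMP and IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_report(records):
    """records: list of (record_type, group, [sources]); returns the IGMP message bytes."""
    body = b""
    for rtype, group, sources in records:
        body += struct.pack("!BBH4s", rtype, 0, len(sources), ipaddress.IPv4Address(group).packed)
        body += b"".join(ipaddress.IPv4Address(s).packed for s in sources)
    # Header: type, reserved, checksum (filled in below), reserved, number of group records.
    msg = struct.pack("!BBHHH", IGMPV3_REPORT, 0, 0, 0, len(records)) + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_report(data):
    """Parse a v3 report, rejecting bad checksums and records that run past the buffer."""
    if len(data) < 8 or data[0] != IGMPV3_REPORT:
        raise ValueError("not an IGMPv3 Membership Report")
    if inet_checksum(data) != 0:          # a valid message checksums to zero
        raise ValueError("bad IGMP checksum")
    count = struct.unpack("!H", data[6:8])[0]
    offset, records = 8, []
    for _ in range(count):
        if offset + 8 > len(data):
            raise ValueError("truncated group record")
        rtype, aux_len, nsrc, group = struct.unpack("!BBH4s", data[offset:offset + 8])
        offset += 8
        end = offset + 4 * nsrc
        if end + 4 * aux_len > len(data):    # aux_len counts 32-bit words
            raise ValueError("source list runs past end of message")
        sources = [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(offset, end, 4)]
        offset = end + 4 * aux_len
        records.append((RECORD_TYPES.get(rtype, "UNKNOWN_%d" % rtype),
                        str(ipaddress.IPv4Address(group)), sources))
    return records


def snoop_entries(records, vlan, port):
    """Turn current-state records into (Source, Group, VLAN, Port, Version, Mode) rows.

    Simplification (assumption): ALLOW_NEW_SOURCES / BLOCK_OLD_SOURCES are deltas
    against state this example does not keep, so they are skipped.
    """
    rows = []
    for rtype, group, sources in records:
        if ipaddress.IPv4Address(group) in LOCAL_GROUPS:
            continue
        if rtype in ("MODE_IS_INCLUDE", "CHANGE_TO_INCLUDE_MODE"):
            mode = "INC"
        elif rtype in ("MODE_IS_EXCLUDE", "CHANGE_TO_EXCLUDE_MODE"):
            mode = "EXC"
        else:
            continue
        for src in sources or ["*"]:
            rows.append((src, group, vlan, port, "V3", mode))
    return rows


# Constructed report: a host on VLAN 2, port 4 joins SSM group 232.1.1.1 from two
# sources and also reports the link-local mDNS group, which snooping must ignore.
SAMPLE_REPORT = build_report([(1, "232.1.1.1", ["10.1.1.1", "10.1.1.5"]),
                              (2, "224.0.0.251", [])])
```

snoop_entries(parse_report(SAMPLE_REPORT), 2, 4) gives the two 10.1.1.x rows for 232.1.1.1 and nothing for 224.0.0.251; flipping any bit of the message makes parse_report raise on the checksum before any record is decoded.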
Chapter 8 High Availability Through Uplink Failure Detection

This chapter describes how to use Uplink Failure Detection (UFD) to ensure that network resources remain available if one switch is removed for service.
Figure 14: Uplink Failure Detection Example (two Enterprise Routing Switches, each uplinked to an EX2500 through that switch’s LtM; the LtD ports of the two EX2500 switches connect to NIC 1 and NIC 2 of a server)

Failure Detection Pair

To use UFD, you must configure a Failure Detection Pair and then turn UFD on. A Failure Detection Pair consists of the following groups of ports:

Link to Monitor (LtM)—The Link to Monitor group consists of one port or one trunk group. The switch monitors the LtM for link failure.
Ports that are already members of a trunk group are not allowed to be assigned to an LtM. A port cannot be added to a trunk group if it already belongs to an LtM. An LtD can contain one or more ports, and/or one or more trunks.
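The configuration rules above and the failover they exist for, as an added Python model (not the switch's implementation): it rejects an LtM that is a trunk member and a trunk that would absorb an LtM port, accepts an LtD of any mix of ports and trunks, and when the monitored uplink fails it disables the LtD ports so the server can fail over to its other NIC. The class and method names, and the rule that a trunk LtM counts as failed only when every member link is down, are assumptions.

```python
"""Model of a UFD Failure Detection Pair: configuration constraints and LtM-failure handling."""
from dataclasses import dataclass, field
from typing import Dict, Set


class ConfigError(ValueError):
    """Raised for a Failure Detection Pair the guide's rules do not allow."""


@dataclass
class Switch:
    """Minimal switch state needed to reason about UFD (assumed model, not EX2500 code)."""
    trunks: Dict[str, Set[int]] = field(default_factory=dict)   # trunk name -> member ports
    link_up: Dict[int, bool] = field(default_factory=dict)       # physical link state per port
    admin_disabled: Set[int] = field(default_factory=set)        # ports UFD has shut down
    ltm: Set[int] = field(default_factory=set)                   # Link to Monitor: one port or one trunk
    ltd: Set[int] = field(default_factory=set)                   # Link to Disable: ports and/or trunks
    ufd_enabled: bool = False

    def _trunk_of(self, port):
        return next((name for name, members in self.trunks.items() if port in members), None)

    def add_trunk(self, name, ports):
        """A port that already belongs to the LtM cannot be added to a trunk group."""
        for p in ports:
            if p in self.ltm:
                raise ConfigError("port %d belongs to the LtM and cannot join a trunk" % p)
        self.trunks[name] = set(ports)

    def set_ltm(self, port=None, trunk=None):
        """The LtM is exactly one port or exactly one trunk group; trunk members cannot be a port LtM."""
        if (port is None) == (trunk is None):
            raise ConfigError("LtM must be one port or one trunk group")
        if port is not None:
            if self._trunk_of(port) is not None:
                raise ConfigError("port %d is a trunk member and cannot be the LtM" % port)
            self.ltm = {port}
        else:
            self.ltm = set(self.trunks[trunk])

    def add_ltd(self, port=None, trunk=None):
        """The LtD may hold any number of ports and/or trunks."""
        self.ltd |= {port} if port is not None else self.trunks[trunk]

    def ltm_failed(self):
        """Assumption: a trunk LtM has failed only when every member link is down."""
        return all(not self.link_up.get(p, False) for p in self.ltm)

    def link_event(self, port, up):
        """Apply a link state change, re-evaluate UFD, and return the ports UFD currently holds down."""
        self.link_up[port] = up
        if self.ufd_enabled and self.ltm:
            if self.ltm_failed():
                self.admin_disabled |= self.ltd   # uplink gone: take the LtD down so the server NIC fails over
            else:
                self.admin_disabled -= self.ltd   # uplink back: bring the LtD up again
        return set(self.admin_disabled)
```

With a two-port trunk as the LtM and server-facing ports 1 and 2 as the LtD, losing one trunk member changes nothing; losing both disables ports 1 and 2, and restoring either member re-enables them.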
Part 2 Appendixes

“Monitoring Ports with Port Mirroring” on page 81 discusses the main tool for troubleshooting your switch—monitoring ports.
Appendix A Monitoring Ports with Port Mirroring

This appendix explains port mirroring to help you monitor ports and troubleshoot common problems on the EX2500 switch. The following topics are discussed in this appendix:

Port Mirroring Overview on page 81
Configuring Port Mirroring on page 82

Port Mirroring Overview

The port mirroring feature in the EX2500 switch allows you to copy traffic from specified ports and forward it to another port for monitoring or packet analysis.
As shown in Figure 15, port 2 is acting as a monitor port, receiving mirrored traffic from three other switch ports: ingress traffic from port 4, egress traffic from port 7, and both ingress and egress traffic from port 10. A sniffer could be attached to port 2 in order to monitor the mirrored traffic on ports 4, 7, and 10.

NOTE: Ingress and egress traffic is duplicated and sent to the monitor port after regular switch processing is complete.
Part 3 Indexes

Index on page 85
Index

Numerics
802.1p priority for QoS, 63
802.1Q VLAN tagging, 23

A
Access Control Lists. See ACLs.
accessing the switch
  management interface, 3
  RADIUS authentication, 11
  security, 10
  TACACS+ authentication.......

H
help, requesting, xiii
high availability, overview, 75
history, RMON, 67
HP-OpenView, 7

I
IBM Director, 7
ICMP .....

Q
QoS
  802.1p priority, 63
  ACLs, 52
  COS queuing and scheduling, 64
  DSCP, 60
  DSCP mapping, viewing, 62
  EX2500 QoS model, 52
  overview .......

U
UDP, 54
UFD, 75
  configuration, 77
  configuration guidelines, 76
  example, 75
  Failure Detection Pair .......