Alteon OS Application Guide
Nortel 10Gb Ethernet Switch Module for IBM BladeCenter, Version 1.0
Part Number: 42C4911, January 2007
2350 Mission College Blvd., Suite 600, Santa Clara, CA 95054, www.bladenetwork.

Copyright © 2007 Blade Network Technologies, Inc., 2350 Mission College Blvd., Suite 600, Santa Clara, California, 95054, USA. All rights reserved. Part Number: 42C4911. This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Blade Network Technologies, Inc.
Contents

Preface: Who Should Use This Guide; What You'll Find in This Guide; Typographic Conventions; How to Get Help

Part 1: Basic Switching
Chapter 1: Accessing the Switch: Management module setup; Factory-Default vs.
LDAP Authentication and Authorization; Secure Shell and Secure Copy; End User Access Control
Chapter 2: Port-based Network Access Control: Extensible Authentication Protocol over LAN; 802.1x Authentication Process; 802.
Chapter 5: Spanning Tree Group: Overview; Bridge Protocol Data Units (BPDUs); Determining the Path for Forwarding BPDUs; Spanning Tree Group configuration guidelines; Multiple Spanning Trees; Default Spanning Tree configuration; Why Do We Need Multiple Spanning Trees?; Switch-Centric Spanning Tree Group; VLAN Participation in Spanning Tree Groups; Configuring Multiple Spanning Tree Groups; Port Fast Forwarding; Configuring Port Fast Forwarding
Viewing ACL Statistics; ACL Configuration Examples; Using DSCP Values to Provide QoS; Differentiated Services Concepts; Using 802.1p Priorities to Provide QoS; 802.
Chapter 11: Border Gateway Protocol: Internal Routing Versus External Routing; Forming BGP Peer Routers; What is a Route Map?; Incoming and Outgoing Route Maps; Precedence; Configuration Overview; Aggregating Routes; Redistributing Routes; BGP Attributes; Local Preference Attribute; Metric (Multi-Exit Discriminator) Attribute; Selecting Route Paths in BGP; BGP Failover Configuration; Default Redistribution and Route Aggregation Example 1
OSPF Configuration Examples: Example 1: Simple OSPF Domain; Example 2: Virtual Links; Example 3: Summarizing Routes; Verifying OSPF Configuration

Part 3: High Availability Fundamentals
Chapter 13: High Availability: Layer 2 Failover; VLAN Monitor; Setting the Failover Limit; L2 Failover with Other Features; Configuration Guidelines; L2 Failover Configurations; Configuring Trunk Failover; VRRP Overview; VRRP Components; VRRP Oper

Part 4: Appendices
Appendix A: Troubleshooting: Monitoring Ports; Port Mirroring behavior; Configuring Port Mirroring
Appendix B: RADIUS Server Configuration Notes
Glossary
Index
Figures

Figure 1-1: Switch management on the BladeCenter management module
Figure 1-2: BOOTP Relay Agent Configuration
Figure 1-3: DHCP Relay Agent Configuration
Figure 2-1: Authenticating a Port Using EAPoL
Figure 3-1: Default VLAN settings
Figure 3-2: Port-based VLAN assignment
Figure 3-3: 802.1Q tagging (after port-based VLAN assignment)
Figure 3-4: 802.1Q tag assignment
Figure 3-5: 802.1Q tagging (after 802.
Figure 13-3: Two trunks, one Failover Trigger
Figure 13-4: A Non-VRRP, Hot-Standby Configuration
Figure 13-5: Active-Active Redundancy
Figure 13-6: Hot-Standby Redundancy
Figure 13-7: Active-Active High-Availability Configuration
Figure 13-8: Hot-Standby Configuration

Tables

Table 1-1: GbESM IP addresses, based on switch-module bay numbers
Table 1-2: User Access Levels
Table 1-3: Alteon OS-proprietary Attributes for RADIUS
Table 1-4: Default TACACS+ Authorization Levels
Table 1-5: Alternate TACACS+ Authorization Levels
Table 4-1: Actor vs.
Table 5-1; Table 7-1; Table 7-2; Table 7-3; Table 7-4; Table 7-5; Table 8-1; Table 8-2; Table 8-3; Table 13-1
Preface

The Alteon OS Application Guide describes how to configure and use the Alteon OS software on the 10Gb Ethernet Switch Module for IBM BladeCenter. For documentation on installing the switch physically, see the Installation Guide for your GbE Switch Module (GbESM).

Who Should Use This Guide

This Application Guide is intended for network installers and system administrators engaged in configuring and maintaining a network.

What You'll Find in This Guide

This guide will help you plan, implement, and administer Alteon OS software. Where possible, each section provides feature overviews, usage examples, and configuration instructions.

Part 1: Basic Switching

Chapter 1, "Accessing the Switch," describes how to access the GbE Switch Module to configure it, view information, and run statistics on the switch.

Chapter 11, "Border Gateway Protocol," describes BGP concepts and the BGP features supported in Alteon OS.

Chapter 12, "OSPF," describes OSPF concepts, how OSPF is implemented in Alteon OS, and examples of how to configure your switch for OSPF support.

Typographic Conventions

The following table describes the typographic styles used in this book.

Table 1 Typographic Conventions
Typeface or Symbol    | Meaning                                                                                          | Example
AaBbCc123 (monospace) | Names of commands, files, and directories used within the text; also on-screen output and prompts. | View the readme.txt file. Main#
AaBbCc123 (bold)      | Text in command examples that must be typed in exactly as shown.                                 |

How to Get Help

If you need help, service, or technical assistance, see the "Getting help and technical assistance" appendix in the Nortel 10Gb Ethernet Switch Module for IBM BladeCenter Installation Guide.
Part 1: Basic Switching This section discusses basic switching functions.
CHAPTER 1 Accessing the Switch

The Alteon OS software provides means for accessing, configuring, and viewing information and statistics about the GbE Switch Module.

Management module setup

The BladeCenter GbE Switch Module is an integral subsystem within the overall BladeCenter system. The BladeCenter chassis includes a management module as the central element for overall chassis management and control. You can use the management module to configure and manage the GbE Switch Module.

NOTE – Before you install the GbESM in Bay 8 or Bay 10, confirm that your blade I/O Expansion adapter supports communication to these I/O bays.

Default Gateway

The default gateway IP address determines where packets with a destination address outside the current subnet are sent. Usually, the default gateway is a router or host acting as an IP gateway to handle connections to other subnets of other TCP/IP networks.

Figure 1-1 Switch management on the BladeCenter management module

4. You can use the default IP addresses provided by the management module, or you can assign a new IP address to the switch module through the management module. You can assign this IP address through one of the following methods:
- Manually through the BladeCenter management module
- Automatically through the IBM Director Configuration Wizard (available in Director release 5.20.

The default value is Disabled for both features. If these features are not already enabled, change the value to Enabled, then Save.

NOTE – In Advanced Configuration > Advanced Setup, enable "Preserve new IP configuration on all switch resets" to retain the switch's IP interface when you restore factory defaults. This setting preserves the management port's IP address in the management module's memory, so you maintain connectivity to the management module after a reset.

External management port setup

In addition to the internal management ports (MGT1 and MGT2), the 10Gb Ethernet Switch Module (GbESM) also has an external management port (EXT7) to support out-of-band management traffic. Port EXT7 lets you perform data transfers without loading the data ports (EXT1-EXT6).

Using Telnet

Use the management module to access the GbE Switch Module through Telnet. Choose I/O Module Tasks > Configuration from the navigation pane on the left. Select a bay number and click Advanced Configuration > Start Telnet/Web Session > Start Telnet Session. A Telnet window opens a connection to the Switch Module (requires Java 1.4 Plug-in). Telnet carries the login and every command in cleartext; where management traffic crosses a network you do not fully trust, use SSH instead (see "Secure Shell and Secure Copy").
Figure 1-2 shows a basic BOOTP network example.

Figure 1-2 BOOTP Relay Agent Configuration (a BladeCenter BOOTP client asks for an IP address; the BladeCenter switch, acting as BOOTP relay agent, forwards the request to the BOOTP server; the figure labels the sites Boston and Raleigh with addresses 20.1.1.1 and 10.1.1.2)

The use of two servers provides failover redundancy. The client request is forwarded to both BOOTP servers configured on the switch. However, no health checking is supported.

DHCP Relay Agent

DHCP is described in RFC 2131, and the DHCP relay agent supported on the GbESM is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. DHCP defines the methods through which clients can be assigned an IP address for a finite lease period, allowing the address to be reassigned to another client later.

In the GbESM implementation, there is no need for primary or secondary servers. The client request is forwarded to the BOOTP servers configured on the switch. The use of two servers provides failover redundancy. However, no health checking is supported.
Using the Browser-Based Interface

Use the management module to access the GbE Switch Module through a Web session. Choose I/O Module Tasks > Configuration from the navigation pane on the left. Select a bay number and click Advanced Configuration > Start Telnet/Web Session > Start Web Session. A browser window opens a connection to the Switch Module.

Accessing the BBI via HTTPS requires that you generate a certificate to be used during the key exchange. A default certificate is created the first time HTTPS is enabled, but you can create a new certificate defining the information you want to be used in the various fields. A certificate generated on the switch is not issued by an authority your browsers already trust, so verify its fingerprint out of band before accepting it, and install it (or a certificate from your own CA) in the management clients' trust store rather than clicking through warnings.
- Switch Ports – configure each of the physical ports on the switch.
- Port-Based Port Mirroring – configure port mirroring and the mirror port.
- QoS – configure Quality of Service (QoS) features for the switch.
- Layer 2 – configure Layer 2 features for the switch: 802.1x, FDB, Virtual LANs, Spanning Tree Groups, MSTP/RSTP, Failover, Trunk Groups, Trunk Hash, LACP, Uplink Fast.
- Layer 3 – configure Layer 3 features for the switch.
Using SNMP

Alteon OS provides SNMPv1 and SNMPv3 support for access through any network management software, such as IBM Director or HP OpenView.

SNMPv1

To access the SNMP agent on the GbESM, the read and write community strings on the SNMP manager must match those on the switch. The default read community string on the switch is public and the default write community string is private. Both defaults are universally known, and SNMPv1 sends the community string in cleartext in every packet, so change both strings before the switch reaches a production network and prefer SNMPv3 with authentication for management access.

For more information on SNMP MIBs and the commands used to configure SNMP on the switch, see the Alteon OS Command Reference.

Default configuration

Alteon OS has two SNMPv3 users by default. Both of the following users have access to all the MIBs supported by the switch:
1) user name adminmd5, password adminmd5; authentication protocol MD5.
2) user name adminsha, password adminsha; authentication protocol SHA.
These user names and passwords are published in this guide, so change or remove them before relying on SNMPv3 for authenticated access.
3. Assign the user to the user group. Use the group table to link the user to a particular access group.

>> # /cfg/sys/ssnmp/snmpv3/group 5
>> SNMPv3 vacmSecurityToGroup 5# uname admin
>> SNMPv3 vacmSecurityToGroup 5# gname admingrp

If you want to allow user access only to certain MIBs, see the 'View based Configuration' section.

CLI oper equivalent (configure the oper)

/c/sys/ssnmp/snmpv3/usm 5
    name "oper"
/c/sys/ssnmp/snmpv3/access 4
    name "opergrp"
    rview "oper"
    wview "oper"
    nview "oper"
/c/sys/ssnmp/snmpv3/group 4
    uname oper
    gname opergrp
/c/sys/ssnmp/snmpv3/view 20
    name "usr"
    tree "1.3.6.1.4.1.1872.2.5.1.2"
/c/sys/ssnmp/snmpv3/view 21
    name "usr"
    tree "1.3.6.1.4.1.1872.2.5.1.3"
/c/sys/ssnmp/snmpv3/view 22
    name "usr"
    tree "1.3.6.1.4.1.1872.2.5.2.2"
/c/sys/ssnmp/snmpv3/view 23
    name "usr"
    tree "1.3.6.1.

In the example below the user will receive the traps sent by the switch.

/c/sys/ssnmp/snmpv3/access 10
    name "v1trap"
    model snmpv1
    nview "iso"
/c/sys/ssnmp/snmpv3/group 10
    model snmpv1
    uname v1trap
    gname v1trap

3. (Assign user to the notify table) Specify the IP address and other trap parameters in the targetAddr and targetParam tables.

SNMPv2 trap host configuration

The SNMPv2 trap host configuration is similar to the SNMPv1 trap host configuration. Wherever you specify the model, use snmpv2 instead of snmpv1.

/c/sys/ssnmp/snmpv3/usm 10
    name "v2trap"
/c/sys/ssnmp/snmpv3/access 10
    name "v2trap"
    model snmpv2
    nview "iso"
/c/sys/ssnmp/snmpv3/group 10
    model snmpv2
    uname v2trap
    gname v2trap
/c/sys/ssnmp/snmpv3/notify 10
    name v2trap
    tag v2trap
/c/sys/ssnmp/snmpv3/taddr 10
    name v2trap
    addr 47.81.25.

The following example shows how to configure an SNMPv3 user v3trap with authentication only. With level authNoPriv the trap is authenticated (the receiver can detect forgery or tampering) but its contents are sent in cleartext.

/c/sys/ssnmp/snmpv3/usm 11
    name "v3trap"
    auth md5
    authpw v3trap
/c/sys/ssnmp/snmpv3/access 11
    name "v3trap"
    level authNoPriv
    nview "iso"
/c/sys/ssnmp/snmpv3/group 11
    uname v3trap
    gname v3trap
/c/sys/ssnmp/snmpv3/notify 11
    name v3trap
    tag v3trap
/c/sys/ssnmp/snmpv3/taddr 11
    name v3trap
    addr 47.81.25.
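Every SNMPv3 user above (the default adminmd5 and adminsha users, and v3trap) is defined by a password and an authentication protocol. The following Python script is an added example, not code from the Alteon OS guide or from Blade Network Technologies: it shows the RFC 3414 procedure that both manager and agent run to turn that password into the localized authentication key, and how the 12-byte msgAuthenticationParameters value is produced and checked. The RFC 3414 Appendix A test vector is included; the GbESM engine ID, the message bytes and the default_user_keys helper are constructed for illustration. The security point is that the engine ID is returned unauthenticated during SNMPv3 discovery, so anyone who knows the published default passwords can compute the keys.

```python
# Added example: RFC 3414 USM password-to-key derivation and HMAC-96.
# Not part of the Alteon OS guide; engine IDs other than the RFC test
# vector are constructed for illustration.
import hashlib
import hmac

ONE_MEGABYTE = 1048576  # RFC 3414 A.2: the password is cycled out to 2^20 bytes


def password_to_ku(password: bytes, hashname: str) -> bytes:
    """Step 1 (RFC 3414 A.2.1/A.2.2): Ku = H(password repeated to 1 MiB)."""
    if not password:
        raise ValueError("empty password")
    reps = ONE_MEGABYTE // len(password) + 1
    expanded = (password * reps)[:ONE_MEGABYTE]
    return hashlib.new(hashname, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hashname: str) -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku); ties the key to one agent."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def user_key(password: str, engine_id: bytes, hashname: str) -> bytes:
    """Localized key straight from the password configured with authpw."""
    return localize_key(password_to_ku(password.encode(), hashname), engine_id, hashname)


def auth_params(kul: bytes, msg: bytes, hashname: str) -> bytes:
    """HMAC-96 (RFC 3414 6.3.1 / 7.3.1): first 12 bytes of the HMAC over the whole
    message, computed with msgAuthenticationParameters set to 12 zero bytes."""
    return hmac.new(kul, msg, hashname).digest()[:12]


def verify_auth(kul: bytes, msg_zeroed: bytes, received: bytes, hashname: str) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_params(kul, msg_zeroed, hashname), received)


def default_user_keys(engine_id: bytes) -> dict:
    """Keys anyone can precompute for the guide's two default users, given only
    the agent's engine ID (disclosed during unauthenticated discovery)."""
    return {
        "adminmd5": user_key("adminmd5", engine_id, "md5"),
        "adminsha": user_key("adminsha", engine_id, "sha1"),
    }


if __name__ == "__main__":
    rfc_engine = bytes(11) + b"\x02"        # RFC 3414 Appendix A engine ID
    print("RFC 3414 MD5 Kul:", user_key("maplesyrup", rfc_engine, "md5").hex())
    # Constructed engine ID (enterprise 1872, format 3 = MAC); not a real device value.
    engine = bytes.fromhex("80000750" "03" "00163e112233")
    for name, key in default_user_keys(engine).items():
        print(f"{name}: localized key {key.hex()}")
    message = b"constructed SNMPv3 message with zeroed auth params"
    tag = auth_params(default_user_keys(engine)["adminmd5"], message, "md5")
    print("msgAuthenticationParameters:", tag.hex())
```

Changing the default passwords invalidates every precomputed key; changing the engine ID alone does not help, because the next discovery exchange reveals the new one.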
Securing Access to the Switch

Secure switch management is needed for environments that perform significant management functions across the Internet.

RADIUS Authentication and Authorization

Alteon OS supports the RADIUS (Remote Authentication Dial-in User Service) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS), here the switch, is a client to the back-end database server. A remote user (the remote administrator) interacts only with the RAS, not with the back-end server and database.

1. Turn RADIUS authentication on, then configure the primary and secondary RADIUS servers.

>> Main# /cfg/sys/radius                         (Select the RADIUS Server menu)
>> RADIUS Server# on                             (Turn RADIUS on)
Current status: OFF
New status:     ON
>> RADIUS Server# prisrv 10.10.1.1               (Enter primary server IP)
Current primary RADIUS server:     0.0.0.0
New pending primary RADIUS server: 10.10.1.1
>> RADIUS Server# secsrv 10.10.1.2               (Enter secondary server IP)
Current secondary RADIUS server:   0.0.0.
RADIUS Authentication Features in Alteon OS

Alteon OS supports the following RADIUS authentication features:
- Supports a RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.
- Allows a RADIUS shared secret of up to 32 bytes (the original text also says "less than 16 octets"; confirm the limit your firmware enforces). Use the longest random secret the switch accepts: the secret is all that protects the User-Password attribute and the response authenticator on the wire.
- Supports a secondary authentication server so that when the primary authentication server is unreachable, the switch can send client authentication requests to the secondary authentication server.

Switch User Accounts

The user accounts listed in Table 1-2 can be defined in the RADIUS server dictionary file. The passwords shown are factory defaults and should be changed (see "Strong Passwords").

Table 1-2 User Access Levels
User Account | Description and Tasks Performed | Password
User | The User has no direct responsibility for switch management. He/she can view all switch status information and statistics but cannot make any configuration changes to the switch. | user
Operator | The Operator manages all functions of the switch.
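The switch acts as the RADIUS client described above: it hides the administrator's password with the shared secret and a random request authenticator, and it must check the server's response authenticator before trusting an Access-Accept. The following Python script is an added example that is not from the Alteon OS guide or from Blade Network Technologies; it builds both sides of the RFC 2865 Access-Request / Access-Accept exchange with constructed addresses, secret and credentials, and a toy in-memory server (server_decide) standing in for the real RADIUS server.

```python
# Added example: RFC 2865 Access-Request / Access-Accept as exchanged between
# a RADIUS client (the switch) and the server. Not from the Alteon OS guide;
# addresses, secret and credentials used with it are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password length must be 1..128")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Client (switch) side. The Request Authenticator must be fresh and
    unpredictable; a reused one lets an observer recover the password pad."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret) -> bool:
    """What the client must check before acting on an Access-Accept: the ID
    matches the outstanding request and the authenticator used our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_decide(request, secret, users) -> bytes:
    """Toy server: recover the password, compare it, answer Accept or Reject."""
    attrs = parse_attrs(request)
    password = reveal_password(attrs[USER_PASSWORD], secret, request[4:20])
    ok = hmac.compare_digest(users.get(attrs[USER_NAME], b""), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)
```

Because the password hiding and the response authenticator are both keyed only by the shared secret, a weak or guessable secret lets an on-path attacker both recover administrator passwords and forge an Access-Accept; this is why the secret length limit noted above matters.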
TACACS+ Authentication

Alteon OS supports authentication and authorization with networks using the Cisco Systems TACACS+ protocol. The GbE Switch Module functions as the Network Access Server (NAS), interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the GbE Switch Module, either through a data port or a management port.

Authorization

Authorization is the action of determining a user's privileges on the device, and usually takes place after authentication. The default mapping between TACACS+ authorization levels and Alteon OS management access levels is shown in Table 1-4. The authorization levels must be defined on the TACACS+ server.

Accounting

Accounting is the action of recording a user's activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If authentication and authorization are not performed via TACACS+, no TACACS+ accounting messages are sent. You can use TACACS+ to record and track software logins, configuration changes, and interactive commands.

The following rules apply to TACACS+ command authorization and logging:
- Only commands from a Console, Telnet, or SSH connection are sent for authorization and logging. SNMP, BBI, or file-copy commands (for example, TFTP or sync) are not sent.
- Only leaf-level commands are sent for authorization and logging. For example, /cfg is not sent, but /cfg/l3/tacacs/cauth is sent.
- The full path of each command is sent for authorization and logging.

Because SNMP, BBI and file-copy operations bypass command authorization and accounting, a TACACS+ audit trail is only as complete as the restrictions you place on those other channels (SNMP community strings and SNMPv3 users, HTTPS access, the SCP administrator account).

Configuring TACACS+ Authentication on the Switch

1. Turn TACACS+ authentication on, then configure the primary and secondary TACACS+ servers.

>> Main# /cfg/sys/tacacs+                        (Select the TACACS+ Server menu)
>> TACACS+ Server# on                            (Turn TACACS+ on)
Current status: OFF
New status:     ON
>> TACACS+ Server# prisrv 10.10.1.1              (Enter primary server IP)
Current primary TACACS+ server:     0.0.0.0
New pending primary TACACS+ server: 10.10.1.1
>> TACACS+ Server# secsrv 10.10.1.
LDAP Authentication and Authorization

Alteon OS supports the LDAP (Lightweight Directory Access Protocol) method to authenticate and authorize remote administrators to manage the switch. LDAP is based on a client/server model. The switch acts as a client to the LDAP server. A remote user (the remote administrator) interacts only with the switch, not with the back-end server and database.

Configuring LDAP Authentication on the Switch

1. Turn LDAP authentication on, then configure the primary and secondary LDAP servers.

>> Main# /cfg/sys/ldap                           (Select the LDAP Server menu)
>> LDAP Server# on                               (Turn LDAP on)
Current status: OFF
New status:     ON
>> LDAP Server# prisrv 10.10.1.1                 (Enter primary server IP)
Current primary LDAP server:     0.0.0.0
New pending primary LDAP server: 10.10.1.1
>> LDAP Server# secsrv 10.10.1.
Secure Shell and Secure Copy

Secure Shell (SSH) and Secure Copy (SCP) use secure tunnels to encrypt and secure messages between a remote administrator and the switch. Telnet does not provide this level of security: a Telnet management session to the GbE Switch Module, including the password, travels in cleartext. SSH is a protocol that enables remote administrators to log securely into the GbE Switch Module over a network to execute management commands.

Configuring SSH/SCP features on the switch

Before you can use SSH commands, use the following commands to turn on SSH/SCP. SSH and SCP are disabled by default.

Configuring the SCP Administrator Password

To configure the scpadm (SCP Administrator) password, first connect to the switch via the serial console port. For security reasons, the scpadm password may only be configured when connected through the console port. To configure the password, enter the following command via the CLI. At factory default settings, the current SCP administrator password is admin.

To upload the configuration to the switch:

Syntax:   scp <filename> <username>@<switch IP address>:putcfg
Example:  >> # scp ad4.cfg scpadmin@205.178.15.157:putcfg

To apply and save the configuration, the apply and save commands are still needed after the last command, or use the following commands:

>> # scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply
>> # scp ad4.cfg scpadmin@205.178.15.

Generating RSA Host and Server Keys for SSH Access

To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify the GbE Switch Module. The server key is 768 bits and is used to make it impossible to decipher a captured session by breaking into the GbE Switch Module at a later time. Both sizes are small by current standards (a 768-bit RSA modulus has been factored publicly), so treat these keys as protection against casual eavesdropping rather than a capable adversary, and record the host key fingerprint so that SSH clients can detect a substituted switch.

SSH/SCP Integration with RADIUS Authentication

SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on the switch, all subsequent SSH authentication requests are redirected to the specified RADIUS servers for authentication. The redirection is transparent to the SSH clients.

SSH/SCP Integration with TACACS+ Authentication

SSH/SCP is integrated with TACACS+ authentication.

An SCP-only administrator's password is typically used when SecurID is used. For example, it can be used in an automation program (in which the tokens of SecurID are not available) to back up (download) the switch configurations each day.

NOTE – The SCP-only administrator's password must be different from the regular administrator's password.

Strong Passwords

The administrator can require use of Strong Passwords for users to access the GbESM. Strong Passwords enhance security because they make password guessing more difficult.

Defining User Names and Passwords

Use the User ID menu to define user names and passwords.

>> User ID 1 # name user1                        (Assign name to user ID 1)
Current user name:
New user name:     user1
>> User ID 1 # passwd                            (Assign password to user ID 1)
Changing user password; validation required:
Enter current admin password:
Enter new user1 password:
Re-enter new user1 password:
New user1 password accepted.

Listing Current Users

The cur command displays defined user accounts and whether or not each user is currently logged into the switch.
CHAPTER 2 Port-based Network Access Control

Port-Based Network Access Control provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics. It prevents access to ports that fail authentication and authorization. This feature provides security to ports of the GbESM that connect to blade servers. The following topics are discussed in this section:
- "Extensible Authentication Protocol over LAN" on page 68
- "802.

Extensible Authentication Protocol over LAN

Alteon OS can provide user-level security for its ports using the IEEE 802.1x protocol, which is a more secure alternative to other methods of port-based network access control. Any device attached to an 802.1x-enabled port that fails authentication is prevented access to the network and denied services offered through that port. The 802.

802.1x Authentication Process

The clients and authenticators communicate using the Extensible Authentication Protocol (EAP), which was originally designed to run over PPP, and for which the IEEE 802.1x standard has defined an encapsulation method over Ethernet frames, called EAP over LAN (EAPOL). Figure 2-1 shows a typical message exchange initiated by the client.

Figure 2-1 Authenticating a Port Using EAPoL (client, GbESM authenticator and RADIUS server)

EAPoL Message Exchange

During authentication, EAPOL messages are exchanged between the client and the GbESM authenticator, while RADIUS-EAP messages are exchanged between the GbESM authenticator and the RADIUS server. Authentication is initiated by one of the following methods:
- The GbESM authenticator sends an EAP-Request/Identity packet to the client.
- The client sends an EAPOL-Start frame to the GbESM authenticator, which responds with an EAP-Request/Identity frame.

802.1x Port States

The state of the port determines whether the client is granted access to the network, as follows:
- Unauthorized: while in this state the port discards all ingress and egress traffic except EAPOL frames.
- Authorized: when the client is successfully authenticated, the port transitions to the authorized state, allowing all traffic to and from the client to flow normally.
- Force Unauthorized: you can configure this state, which denies all access to the port.

Supported RADIUS Attributes

The Alteon 802.1x authenticator relies on external RADIUS servers for authentication with EAP. Table 2 lists the RADIUS attributes that are supported as part of RADIUS-EAP authentication, based on the guidelines specified in Annex D of the 802.1x standard and RFC 3580.

Configuration Guidelines

When configuring EAPoL, consider the following guidelines:
- 802.1x port-based authentication is currently supported only in point-to-point configurations, that is, with a single supplicant connected to an 802.1x-enabled switch port. Because it is the port, not the host, that becomes authorized, any other device sharing the link behind an authorized port would gain the same access; keep these links point-to-point.
- When 802.1x is enabled, a port has to be in the authorized state before any other Layer 2 feature can be operationally enabled.
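The EAPOL exchange and port states described above, as an added Python example that is not code from the Alteon OS guide or from Blade Network Technologies. It encodes and validates EAPOL frames and EAP packets, and drives a per-port authenticator through unauthorized, authorized, logoff and force-unauthorized. The MAC addresses are constructed; the decide callback stands in for the RADIUS-EAP round trip (the EAP method exchange a real server runs between Identity and Success is omitted), and forwards() models the rule that an unauthorized port passes only EAPOL.

```python
# Added example: IEEE 802.1x EAPOL framing and authenticator port-state logic.
# Not from the Alteon OS guide; MACs are constructed and `decide` replaces
# the RADIUS-EAP exchange.
import struct

ETH_P_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1x PAE group address
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header: Code, Identifier, Length (covers the header), then Type/Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(src, eapol_type, body=b"", dst=PAE_GROUP_ADDR):
    """Ethernet II frame: DA, SA, EtherType 0x888E, EAPOL version 1/type/length, body."""
    return dst + src + struct.pack("!HBBH", ETH_P_EAPOL, 1, eapol_type, len(body)) + body


def is_eapol(frame):
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == ETH_P_EAPOL


def parse_eapol(frame):
    """Validate every length before trusting a field; returns a dict of fields."""
    if not is_eapol(frame) or len(frame) < 18:
        raise ValueError("not an EAPOL frame")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    info = {"src": frame[6:12], "version": version, "eapol_type": eapol_type}
    if eapol_type == EAPOL_EAP:
        if length < 4:
            raise ValueError("EAP packet too short")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("bad EAP length")
        info.update(code=code, id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE):
            if eap_len < 5:
                raise ValueError("missing EAP type")
            info["eap_type"] = body[4]
            info["data"] = body[5:eap_len]
    return info


class PortAuthenticator:
    """One 802.1x-enabled port. decide(identity) stands in for the RADIUS-EAP
    round trip and returns True for Access-Accept (constructed simplification)."""

    def __init__(self, port_mac, decide, force=None):
        self.port_mac, self.decide = port_mac, decide
        self.state = force or "unauthorized"   # "force-unauthorized"/"force-authorized" override
        self.next_id = 1
        self.sent = []                         # frames the authenticator transmitted

    def forwards(self, frame):
        """Unauthorized ports pass only EAPOL; authorized ports pass everything."""
        return is_eapol(frame) or self.state in ("authorized", "force-authorized")

    def _send(self, eapol_type, body=b""):
        self.sent.append(eapol_frame(self.port_mac, eapol_type, body))

    def receive(self, frame):
        if self.state.startswith("force-"):
            return self.state                   # operator override: no EAP processing
        info = parse_eapol(frame)
        if info["eapol_type"] == EAPOL_START:
            self._send(EAPOL_EAP, eap_packet(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY))
        elif info["eapol_type"] == EAPOL_LOGOFF:
            self.state = "unauthorized"
        elif (info["eapol_type"] == EAPOL_EAP and info.get("code") == EAP_RESPONSE
              and info.get("id") == self.next_id and info.get("eap_type") == EAP_TYPE_IDENTITY):
            accepted = self.decide(info["data"])
            self._send(EAPOL_EAP, eap_packet(EAP_SUCCESS if accepted else EAP_FAILURE, self.next_id))
            self.state = "authorized" if accepted else "unauthorized"
            self.next_id = (self.next_id + 1) % 256
        return self.state
```

Note that a Response whose Identifier does not match the outstanding Request is ignored rather than acted on; accepting stale or replayed identifiers is a common authenticator bug.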
CHAPTER 3 VLANs

This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments.

Overview

Setting up virtual LANs (VLANs) is a way to segment networks to increase network flexibility without changing the physical network topology. With network segmentation, each switch port connects to a segment that is a single broadcast domain. When a switch port is configured to be a member of a VLAN, it is added to a group of ports (workgroup) that belong to one broadcast domain. Ports are grouped into broadcast domains by assigning them to the same VLAN.

VLANs and Port VLAN ID Numbers

VLAN Numbers

Alteon OS supports up to 1024 VLANs per switch. Even though the maximum number of VLANs supported at any given time is 1024, each can be identified with any number between 1 and 4095. VLAN 1 is the default VLAN for the external ports and the internal blade ports. VLAN 4095 is reserved for use by the internal management ports (MGT1 and MGT2). VLAN 4094 is reserved for use by the external management port (EXT7).

Viewing and Configuring PVIDs

Use the following CLI commands to view PVIDs:

Port information:
Alias  Port  Tag  Fast  PVID  NAME
-----  ----  ---  ----  ----  ----------------
INT1      1    n     n     1  INT1
INT2      2    n     n     1  INT2
INT3      3    n     n     1  INT3
INT4      4    n     n     1  INT4
INT5      5    n     n     1  INT5
INT6      6    n     n     1  INT6
INT7      7    n     n     1  INT7
INT8      8    n     n     1  INT8
INT9      9    n     n     1  INT9
INT10    10    n     n     1  INT10
INT11    11    n     n     1  INT11
INT12    12    n     n     1  INT12
INT13    13    n     n     1  INT13
INT14    14    n     n     1  INT14
MGT1     15    n     n  4095  MGT1
MGT2     16    n     n  4095  MGT2
EXT1

Each port on the switch can belong to one or more VLANs, and each VLAN can have any number of switch ports in its membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging enabled (see "VLAN Tagging" on page 80).

VLAN Tagging

Alteon OS software supports 802.1Q VLAN tagging, providing standards-based VLAN support for Ethernet systems. Tagging places the VLAN identifier in the frame header of a packet, allowing each port to belong to multiple VLANs. When you add a port to multiple VLANs, you also must enable tagging on that port.
Figure 3-1 Default VLAN settings (an 802.1Q switch with every port, Port 1 through Port 7 and onward, in VLAN 1)

NOTE – The port assignments in the following figures are not meant to match the GbE Switch Module.

Figure 3-2 Port-based VLAN assignment (before: an untagged packet, DA/SA/Data/CRC, enters port 1, whose PVID is 2; port 5 is a tagged member of VLAN 2 and port 7 is an untagged member of VLAN 2)

As shown in Figure 3-3, the untagged packet is marked (tagged) as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2.

In Figure 3-4, tagged incoming packets are assigned directly to VLAN 2 because of the tag assignment in the packet. Port 5 is configured as a tagged member of VLAN 2, and port 7 is configured as an untagged member of VLAN 2.

Figure 3-4 802.1Q tag assignment (a tagged packet, DA/SA/Tag/Data/CRC, arrives at the switch; port 1 has PVID 2 and port 5 is a tagged member of VLAN 2)
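The ingress and egress behaviour of Figures 3-2 to 3-4, as an added Python example that is not code from the Alteon OS guide or from Blade Network Technologies. It classifies a frame by its tag or, if untagged, by the ingress port's PVID, floods it to the other members of that VLAN, and tags or strips on egress according to the egress port's tagging setting. The port layout of the figures is reproduced in figure_switch(); the frames are constructed, the switch keeps no forwarding database (it floods), and the rule that a tagged frame for a VLAN the ingress port does not belong to is dropped is an assumption, not something the guide states.

```python
# Added example: 802.1Q ingress classification and egress tagging, modelled on
# Figures 3-2 to 3-4. Not from the Alteon OS guide; frames are constructed and
# ingress filtering of non-member VLANs is an assumption.
from dataclasses import dataclass

ETH_P_8021Q = b"\x81\x00"


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int = 1
    tagged: bool = False                  # 802.1Q tagging enabled on egress
    vlans: frozenset = frozenset({1})     # VLAN membership


def strip_tag(frame):
    """Return (vid or None, frame without its 802.1Q tag)."""
    if frame[12:14] == ETH_P_8021Q:
        tci = int.from_bytes(frame[14:16], "big")
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def add_tag(frame, vid, pcp=0):
    """Insert TPID 0x8100 and a TCI (3-bit priority, DEI 0, 12-bit VID) after the SA."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID out of range")
    tci = (pcp << 13) | vid
    return frame[:12] + ETH_P_8021Q + tci.to_bytes(2, "big") + frame[12:]


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def classify(self, port, frame):
        """Ingress: a tagged frame carries its VLAN; an untagged (or VID 0,
        priority-tagged) frame takes the port's PVID. Returns (vid, bare_frame),
        with vid None when the port is not a member (assumed ingress filter)."""
        vid, bare = strip_tag(frame)
        if vid is None or vid == 0:
            vid = port.pvid
        return (vid if vid in port.vlans else None), bare

    def forward(self, in_port, frame):
        """Flood within the VLAN (no FDB here); tag or strip per egress port."""
        vid, bare = self.classify(self.ports[in_port], frame)
        if vid is None:
            return {}
        out = {}
        for name, p in self.ports.items():
            if name == in_port or vid not in p.vlans:
                continue
            out[name] = add_tag(bare, vid) if p.tagged else bare
        return out


def figure_switch():
    """Ports as in Figures 3-2/3-3: port 1 untagged with PVID 2, port 5 a tagged
    member of VLANs 1 and 2, port 7 an untagged member of VLAN 2, the rest in VLAN 1."""
    ports = [Port("port1", pvid=2, vlans=frozenset({2})),
             Port("port5", tagged=True, vlans=frozenset({1, 2})),
             Port("port7", pvid=2, vlans=frozenset({2}))]
    ports += [Port(f"port{n}") for n in (2, 3, 4, 6, 8)]
    return Switch(ports)
```

The same model explains the security value of the PVID: a host on an untagged port cannot choose its VLAN, while a host on a tagged port can reach any VLAN the port is a member of, so tagged ports toward servers should carry only the VLANs that server is meant to see.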
VLAN Topologies and Design Considerations

By default, the Alteon OS software is configured so that:
- tagging is disabled on all external ports and all internal ports;
- all internal ports are members of VLAN 1;
- the management ports (MGT1 and MGT2) are members of the management VLAN 4095.

Example 1: Multiple VLANs with Tagging Adapters

Figure 3-6 Example 1: Multiple VLANs with VLAN-Tagged Gigabit Adapters (BladeCenter GbE Switch Module; figure labels VLAN #1, 2, 3 and VLAN #3)

The features of this VLAN are described below:

Component | Description
GbE Switch Module | This switch is configured for three VLANs that represent three different IP subnets. Two servers and five clients are attached to the switch.
PCs #1 and #2 | These PCs are attached to a shared media hub that is then connected to the switch. They belong to VLAN 2 and are logically in the same IP subnet as Server 2 and PC 5. The associated external switch port has tagging disabled.
PC #3 | A member of VLAN 1, this PC can only communicate with Server 2 and PC 5. The associated external switch port has tagging disabled.
Protocol-based VLANs
Protocol-based VLANs (PVLANs) allow you to segment network traffic according to the network protocols in use. Traffic generated by supported network protocols can be confined to a particular port-based VLAN. You can give different priority levels to traffic generated by different network protocols. With PVLAN, the switch classifies incoming packets by the Ethernet protocol of the packet, not by the configuration of the ingress port.
Port-based vs. Protocol-based VLANs
Each VLAN supports both port-based and protocol-based association, as follows:
- The default VLAN configuration is port-based. All data ports are members of VLAN 1, with no PVLAN association.
- When you add ports to a PVLAN, the ports become members of both the port-based VLAN and the PVLAN. For example, if you add port EXT1 to PVLAN 1 on VLAN 2, the port also becomes a member of VLAN 2.
PVLAN Configuration Guidelines
Consider the following guidelines when you configure protocol-based VLANs:
- Each port can support up to 16 VLAN protocols.
- The GbESM can support up to 16 protocols simultaneously.
- Each PVLAN must have at least one port assigned before it can be activated.
- The same port within a port-based VLAN can belong to multiple PVLANs.
- An untagged port can be a member of multiple PVLANs.
3. Add member ports for this PVLAN.
>> VLAN 2 Protocol 1# add int1
Port INT1 is an UNTAGGED port and its current PVID is 1.
Confirm changing PVID from 1 to 2 [y/n]: y
Current ports for VLAN 2: empty
Current ports for VLAN 1, Protocol 3: empty
Pending new ports for VLAN 2: INT1
Pending new ports for VLAN 2, Protocol 1: INT1
>> VLAN 2 Protocol 1# add ext1
Port EXT1 is an UNTAGGED port and its current PVID is 1.
6. Verify PVLAN operation.
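The classification rule above (protocol of the frame first, ingress port second), as an added Python model that is not from the guide. The PVLAN table, the PVIDs and the fallback to the PVID for an untagged frame that matches no PVLAN are constructed assumptions.

```python
import struct

ETH_IPV4, ETH_ARP, ETH_IPV6, ETH_8021Q = 0x0800, 0x0806, 0x86DD, 0x8100

# Constructed PVLAN membership table: (port, ethertype) -> VLAN. Port EXT1 is an
# untagged member of two PVLANs, as the guidelines allow; EXT2 has no PVLANs.
PVLAN_TABLE = {
    ("EXT1", ETH_IPV4): 2,   # PVLAN for IPv4 traffic on VLAN 2
    ("EXT1", ETH_IPV6): 3,   # PVLAN for IPv6 traffic on VLAN 3
}
# Port VLAN IDs after the "Confirm changing PVID" prompts (constructed values).
PVID = {"EXT1": 2, "EXT2": 1}


def build_frame(dst, src, ethertype, payload=b"", vlan=None):
    """Build a minimal Ethernet frame; vlan=None means untagged."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, protocol ethertype) from an Ethernet header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETH_8021Q:
        return None, etype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner


def classify_vlan(frame, ingress_port):
    """Decide which VLAN a received frame belongs to.

    Tagged frames keep the VLAN from their tag (assumption: the port accepts tags).
    Untagged frames are classified by ethertype through the PVLAN table first;
    only if no PVLAN matches does the port's PVID apply (the fallback is an
    assumption about behaviour the guide does not spell out).
    """
    vid, etype = parse_frame(frame)
    if vid is not None:
        return vid
    pvlan = PVLAN_TABLE.get((ingress_port, etype))
    if pvlan is not None:
        return pvlan
    return PVID[ingress_port]
```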
CHAPTER 4 Ports and Trunking
Trunk groups can provide super-bandwidth, multi-link connections between GbE Switch Modules or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link.
Overview
When using port trunk groups between two switches, as shown in Figure 4-1, you can create a virtual link between the switches, operating at up to 60Gb per second, depending on how many physical ports are combined. Each GbESM supports up to 13 trunk groups, and each trunk group can contain up to six member ports.
Statistical Load Distribution
Network traffic is statistically distributed between the ports in a trunk group. The Alteon OS-powered switch uses the Layer 2 MAC address information present in each transmitted frame to determine load distribution. Each packet's particular combination of source and destination MAC addresses results in selecting one line in the trunk group for data transmission.
Trunk group configuration rules
The trunking feature operates according to specific configuration rules. When creating trunks, consider the following rules that determine how a trunk group reacts in any network topology:
- All trunks must originate from one device and lead to one destination device. For example, you cannot combine a link from Server 1 and a link from Server 2 into one trunk group.
- Any physical switch port can belong to only one trunk group.
Port Trunking Example
In the example below, three ports are trunked between two switches.
[Figure 4-2: Port Trunk Group Configuration Example (Alteon Application Switch, Trunk 3: Ports 2, 12, and 22; GbE Switch Module in the BladeCenter, Trunk 1: Ports EXT1, EXT2, and EXT3)]
Prior to configuring each switch in the above example, you must connect to the appropriate switch's Command Line Interface (CLI) as the administrator.
1. Connect the switch ports that will be members in the trunk group.
2. Follow these steps on the GbESM:
(a) Define a trunk group.
>> # /cfg/l2/trunk 1            (Select trunk group 1)
>> Trunk group 1# add EXT1       (Add port EXT1 to trunk group 1)
>> Trunk group 1# add EXT2       (Add port EXT2 to trunk group 1)
>> Trunk group 1# add EXT3       (Add port EXT3 to trunk group 1)
>> Trunk group 1# ena            (Enable trunk group 1)
(b) Apply and verify the configuration.
4. Examine the trunking information on each switch.
>> /info/l2/trunk                (View trunking information)
Information about each port in each configured trunk group is displayed. Make sure that trunk groups consist of the expected ports and that each port is in the expected state. The following restrictions apply:
- Any physical switch port can belong to only one trunk group.
- Up to six ports can belong to the same trunk group.
Configurable Trunk Hash Algorithm
This feature allows you to configure the particular parameters for the GbESM Trunk Hash algorithm instead of having to use the defaults. You can configure new default behavior for Layer 2 traffic and Layer 3 traffic using the CLI menu cfg/l2/thash.
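An added Python illustration, not the switch's own code (the guide does not document the actual hash), of the consequence of hashing on the source/destination MAC pair: one conversation always lands on one member link, so a single heavy pair never spreads across the trunk. The XOR-fold hash, the l3 option standing in for the Layer 3 setting under cfg/l2/thash, and the MAC addresses and flows are all constructed assumptions.

```python
def xor_fold(data: bytes) -> int:
    """Fold a byte string into one byte by XOR (hypothetical stand-in for the switch's hash)."""
    h = 0
    for b in data:
        h ^= b
    return h


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def trunk_member(members, src_mac, dst_mac, src_ip=None, dst_ip=None, l3=False):
    """Select the trunk member that carries one frame.

    Layer 2 mode hashes the source/destination MAC pair, as the guide describes;
    l3=True also folds in the IP pair, standing in for a Layer 3 trunk hash
    setting (assumption: the real parameters are not on the page).
    """
    key = mac_bytes(src_mac) + mac_bytes(dst_mac)
    if l3 and src_ip and dst_ip:
        key += ip_bytes(src_ip) + ip_bytes(dst_ip)
    return members[xor_fold(key) % len(members)]


def distribution(members, flows, **kw):
    """Count how many of the given (src_mac, dst_mac) flows land on each member."""
    counts = {m: 0 for m in members}
    for src, dst in flows:
        counts[trunk_member(members, src, dst, **kw)] += 1
    return counts


TRUNK_1 = ["EXT1", "EXT2", "EXT3"]   # trunk group 1 from the guide's example
# Constructed flows: 30 client MACs talking to one server MAC (00:00:5e documentation range).
SERVER_MAC = "00:00:5e:00:53:ff"
CLIENT_FLOWS = [(f"00:00:5e:00:53:{i:02x}", SERVER_MAC) for i in range(30)]

if __name__ == "__main__":
    # Many distinct pairs spread evenly; each individual pair is pinned to one link.
    print(distribution(TRUNK_1, CLIENT_FLOWS))
    print(trunk_member(TRUNK_1, CLIENT_FLOWS[0][0], SERVER_MAC))
```

Because the fold is symmetric, the reverse direction of a conversation hashes to the same member, which is why a trunk neither reorders a flow nor relieves one oversubscribed pair.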
Link Aggregation Control Protocol
Link Aggregation Control Protocol (LACP) is an IEEE 802.3ad standard for grouping several physical ports into one logical port (known as a dynamic trunk group or Link Aggregation group) with any device that supports the standard. Please refer to IEEE 802.3ad-2002 for a full description of the standard. The 802.3ad standard allows standard Ethernet links to form a single Layer 2 link using the Link Aggregation Control Protocol (LACP).
LACP automatically determines which member links can be aggregated and then aggregates them. It provides for the controlled addition and removal of physical links for the link aggregation. Each port in the GbESM can have one of the following LACP modes:
- off (default): The user can configure this port into a regular static trunk group.
- active: The port is capable of forming an LACP trunk. This port sends LACPDU packets to partner system ports.
Configuring LACP
Use the following procedure to configure LACP for port EXT1 and port EXT2 to participate in link aggregation.
1. Set the LACP mode on port EXT1.
>> # /cfg/l2/lacp/port EXT1
>> LACP port EXT1# mode active
2. Define the admin key on port EXT1. Only ports with the same admin key can form a LACP trunk group.
>> LACP port EXT1# adminkey 100
Current LACP port adminkey: 17
New pending LACP port adminkey: 100
3.
CHAPTER 5 Spanning Tree Group
When multiple paths exist on a network, Spanning Tree Group (STG) configures the network so that a switch uses only the most efficient path.
Overview
Spanning Tree Group (STG) detects and eliminates logical loops in a bridged or switched network. When multiple paths exist, Spanning Tree configures the network so that a switch uses only the most efficient path. If that path fails, Spanning Tree automatically sets up another active path on the network to sustain network operations. The GbESM supports the IEEE 802.1d Spanning Tree Protocol. It is compatible with PVST+ by configuring each STP Group in a different STP instance.
Bridge Protocol Data Units (BPDUs)
To create a Spanning Tree, the switch generates a configuration Bridge Protocol Data Unit (BPDU), which it then forwards out of its ports. All switches in the Layer 2 network participating in the Spanning Tree gather information about other switches in the network through an exchange of BPDUs. A BPDU is a 64-byte packet that is sent out at a configurable interval, which is typically set to two seconds.
Port Path Cost
The port path cost assigns lower values to high-bandwidth ports, such as Gigabit Ethernet, to encourage their use. The cost of a port also depends on whether the port operates at full-duplex (lower cost) or half-duplex (higher cost). For example, if a 100-Mbps (Fast Ethernet) link has a "cost" of 10 in half-duplex mode, it will have a cost of 5 in full-duplex mode. The objective is to use the fastest links so that the route with the lowest cost is chosen.
If ports are tagged, all trunked ports can belong to multiple STGs. A port that is not a member of any VLAN cannot be added to any STG. The port must be added to a VLAN, and that VLAN added to the desired STG.
Rules for VLAN Tagged ports
Tagged ports can belong to more than one STG, but untagged ports can belong to only one STG.
Multiple Spanning Trees
Each GbE Switch Module supports a maximum of 128 Spanning Tree Groups (STGs). Multiple STGs provide multiple data paths, which can be used for load-balancing and redundancy. You enable load balancing between two GbE Switch Modules using multiple STGs by configuring each path with a different VLAN and then assigning each VLAN to a separate STG. Each STG is independent.
Why Do We Need Multiple Spanning Trees?
Figure 5-1 shows a simple example of why we need multiple Spanning Trees. Two VLANs, VLAN 1 and VLAN 100, exist between application switch A and GbE Switch Module B. If you have a single Spanning Tree Group, the switches see an apparent loop, and one VLAN may become blocked, affecting connectivity, even though no actual loop exists.
[Figure 5-2: Implementing Multiple Spanning Tree Groups (Switch B in the BladeCenter, ports 17 and 18)]
VLAN Participation in Spanning Tree Groups
The VLAN participation for each Spanning Tree Group in Figure 5-2 on page 112 is discussed in the following sections:
VLAN 1 Participation
If application switch A is the root bridge, then application switch A will transmit the BPDU for VLAN 1 on ports 1 and 2.
VLAN 3 Participation
For VLAN 3 you can have GbE Switch Module B or application switch C be the root bridge. If switch B is the root bridge for VLAN 3, Spanning Tree Group 2, then switch B transmits the BPDU out from port 18. Application switch C receives this BPDU on port 8 and is identified as participating in VLAN 3, Spanning Tree Group 2.
NOTE – Each instance of Spanning Tree Group is enabled by default.
3. Configure the following on application switch C:
Add port 8 to VLAN 3 and define Spanning Tree Group 3 for VLAN 3.
>> # /cfg/l2/vlan 3                   (Select VLAN 3 menu)
>> VLAN 3# add 8                       (Add port 8)
>> VLAN 3# ../stg 2                    (Select Spanning Tree Group 2)
>> Spanning Tree Group 2# add 3        (Add VLAN 3)
VLAN 3 is automatically removed from Spanning Tree Group 1 and by default VLAN 2 remains in Spanning Tree Group 1.
Port Fast Forwarding
Port Fast Forwarding permits a port that participates in Spanning Tree to bypass the Listening and Learning states and enter directly into the Forwarding state. While in the Forwarding state, the port listens to the BPDUs to learn if there is a loop and, if dictated by normal STG behavior (following priorities, etc.), the port transitions into the Blocking state.
Fast Uplink Convergence
Fast Uplink Convergence enables the GbESM to quickly recover from the failure of the primary link or trunk group in a Layer 2 network using Spanning Tree Protocol. Normal recovery can take as long as 50 seconds, while the backup link transitions from Blocking to Listening to Learning and then Forwarding states.
CHAPTER 6 Rapid Spanning Tree Protocol/Multiple Spanning Tree Protocol
IEEE 802.1w Rapid Spanning Tree Protocol enhances the Spanning Tree Protocol to provide rapid convergence on Spanning Tree Group 1. IEEE 802.1s Multiple Spanning Tree Protocol extends the Rapid Spanning Tree Protocol to provide both rapid convergence and load balancing in a VLAN environment.
Rapid Spanning Tree Protocol
Rapid Spanning Tree Protocol (RSTP) provides rapid convergence of the spanning tree and provides for fast re-configuration critical for networks carrying delay-sensitive traffic such as voice and video. RSTP significantly reduces the time to reconfigure the active topology of the network when changes occur to the physical topology or its configuration parameters. RSTP reduces the bridged-LAN topology to a single Spanning Tree.
Port Type and Link Type
Spanning Tree configuration includes the following parameters to support RSTP and MSTP: edge port and link type. Although these parameters are configured for Spanning Tree Groups 1-128 (/cfg/l2/stg x/port x), they only take effect when RSTP/MSTP is turned on.
Edge Port
A port that does not connect to a bridge is called an edge port. Edge ports generally connect to a server; therefore, ports INT1-INT14 should have edge enabled.
RSTP Configuration Example
This section provides steps to configure Rapid Spanning Tree on the GbE Switch Module, using the Command-Line Interface (CLI).
Configure Rapid Spanning Tree
1. Configure port and VLAN membership on the switch.
2. Disable and clear STP groups 2 through 126.
>> /cfg/l2/stg 2
>> Spanning Tree Group 2# clear
>> Spanning Tree Group 2# off
3. Set the Spanning Tree mode to Rapid Spanning Tree.
Multiple Spanning Tree Protocol
IEEE 802.1s Multiple Spanning Tree extends the IEEE 802.1w Rapid Spanning Tree Protocol through multiple Spanning Tree Groups. MSTP maintains up to 32 spanning-tree instances, which correspond to STP Groups 1-32. For more information about Spanning Tree Protocol, see Chapter 5, "Spanning Tree Group." In Multiple Spanning Tree Protocol (MSTP), several VLANs can be mapped to each Spanning-Tree instance.
MSTP Configuration Guidelines
This section provides important information about configuring Multiple Spanning Tree Groups: When you enable MSTP, you must configure the Region Name, and a default version number of 1 is configured automatically. Each bridge in the region must have the same name, version number, and VLAN mapping.
CHAPTER 7 Quality of Service
Quality of Service features allow you to allocate network resources to mission-critical applications at the expense of applications that are less sensitive to such factors as time delays or network congestion. You can configure your network to prioritize specific types of traffic, ensuring that each type receives the appropriate Quality of Service (QoS) level.
Overview
QoS helps you allocate guaranteed bandwidth to the critical applications, and limit bandwidth for less critical applications. Applications such as video and voice must have a certain amount of bandwidth to work correctly; using QoS, you can provide that bandwidth when necessary. Also, you can put a high priority on applications that are sensitive to timing out or cannot tolerate delay by assigning that traffic to a high-priority queue.
The basic GbESM QoS model works as follows:
- Classify traffic: read DSCP; read 802.1p priority; match ACL filter parameters.
- Meter traffic: define bandwidth and burst parameters; select actions to perform on in-profile and out-of-profile traffic.
- Perform actions: drop packets; pass packets; mark DSCP or 802.
Using ACL Filters
Access Control Lists are filters that allow you to classify and segment traffic, so you can provide different levels of service to different traffic types. Each filter defines the conditions that must match for inclusion in the filter, and also the actions that are performed when a match is made.
Table 7-2 Well-Known Application Ports
Number      TCP/UDP Application
20          ftp-data
21          ftp
22          ssh
23          telnet
25          smtp
37          time
42          name
43          whois
53          domain
69          tftp
70          gopher
79          finger
80          http
109         pop2
110         pop3
111         sunrpc
119         nntp
123         ntp
143         imap
144         news
161         snmp
162         snmptrap
179         bgp
194         irc
220         imap3
389         ldap
443         https
520         rip
554         rtsp
1645, 1812  Radius
1813        Radius Accounting
1985        hsrp
Table 7-3 Well-Known TCP flag values
Summary of ACL Actions
Actions determine how the traffic is treated. The GbESM QoS actions include the following:
- Pass or Drop
- Re-mark a new DiffServ Code Point (DSCP)
- Re-mark the 802.1p field
- Set the COS queue
Understanding ACL Precedence
Each ACL has a unique precedence level, based on its number. When an incoming packet matches the highest precedence ACL, the ACL's configured action takes place.
Using ACL Groups
Access Control Lists (ACLs) allow you to classify packets according to a particular content in the packet header, such as the source address, destination address, source port number, destination port number, and others. Packet classifiers identify flows for more processing. You can define a traffic profile by compiling a number of ACLs into an ACL Group, and assigning the ACL Group to a port. ACL Groups are assigned and enabled on a per-port basis.
Access Control Groups
An Access Control Group (ACL Group) is a collection of ACLs. For example:
ACL Group 1
  ACL 1: VLAN = 1, SIP = 10.10.10.1 (255.255.255.0), Action = permit
  ACL 2: VLAN = 2, SIP = 10.10.10.2 (255.255.255.0), Action = deny
  ACL 3: Priority = 7, DIP = 10.10.10.3 (255.255.255.0), Action = permit
In the example above, each ACL defines a filter rule. ACL 3 has a higher precedence than ACL 1, based on its number.
Metering
QoS metering provides different levels of service to data streams through user-configurable parameters. A meter is used to measure the traffic stream against a traffic profile, which you create. Thus, creating meters yields In-Profile and Out-of-Profile traffic for each ACL, as follows:
- In-Profile: If there is no meter configured or if the packet conforms to the meter, the packet is classified as In-Profile.
ACL Configuration Examples
Example 1
Use this configuration to block traffic to a specific host. All traffic that ingresses on port EXT1 is denied if it is destined for the host at IP address 100.10.1.1.
1. Configure an Access Control List.
>> Main# cfg/acl/acl 1                (Define ACL 1)
>> ACL 1# ipv4/dip 100.10.1.1
Enter destination IP address mask (default 255.255.255.255):
>> Filtering IPv4# ..
>> ACL 1# action deny
2. Add ACL 1 to port EXT1.
3. Apply and save the configuration.
>> Port EXT2 ACL# apply
>> Port EXT2 ACL# save
Example 3
Use this configuration to block traffic from a network that is destined for a specific egress port. All traffic that ingresses port EXT1 from the network 100.10.1.0/24 and is destined for port INT1 is denied.
1. Configure an Access Control List.
>> Main# cfg/acl/acl 3
>> ACL 3# ipv4/sip 100.10.1.0 255.255.255.0
>> Filtering IPv4# ..
>> ACL 3# egrport int1
>> ACL 3# ..
2.
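The precedence rule, ACL Group 1 and the ACLs from configuration examples 1 and 3, worked through as an added Python model that is not the switch's code. The action taken when a packet matches no ACL is an assumption exposed as a parameter, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ACL:
    number: int                            # also its precedence: the higher number wins
    action: str                            # "permit" or "deny"
    vlan: Optional[int] = None
    priority: Optional[int] = None         # 802.1p priority
    sip: Optional[Tuple[str, str]] = None  # (address, mask) exactly as entered at the CLI
    dip: Optional[Tuple[str, str]] = None
    egrport: Optional[str] = None


@dataclass
class Packet:
    sip: str
    dip: str
    vlan: int = 1
    priority: int = 0
    egrport: str = ""


def in_subnet(addr: str, base: str, mask: str) -> bool:
    """Mask both sides, so 10.10.10.1 with 255.255.255.0 means the whole 10.10.10.0/24."""
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(addr)) & m == int(ipaddress.IPv4Address(base)) & m


def matches(acl: ACL, pkt: Packet) -> bool:
    """Every configured field must match; fields left unset are wildcards."""
    if acl.vlan is not None and pkt.vlan != acl.vlan:
        return False
    if acl.priority is not None and pkt.priority != acl.priority:
        return False
    if acl.sip is not None and not in_subnet(pkt.sip, *acl.sip):
        return False
    if acl.dip is not None and not in_subnet(pkt.dip, *acl.dip):
        return False
    if acl.egrport is not None and pkt.egrport.upper() != acl.egrport.upper():
        return False
    return True


def evaluate(group, pkt: Packet, default: str = "permit"):
    """Return (acl_number, action) of the highest-precedence matching ACL.

    `default` applies when nothing matches; the guide does not state that
    behaviour, so it is an assumption left configurable here.
    """
    hits = [acl for acl in group if matches(acl, pkt)]
    if not hits:
        return None, default
    best = max(hits, key=lambda acl: acl.number)
    return best.number, best.action


# ACL Group 1 as listed in the guide.
GROUP_1 = [
    ACL(1, "permit", vlan=1, sip=("10.10.10.1", "255.255.255.0")),
    ACL(2, "deny", vlan=2, sip=("10.10.10.2", "255.255.255.0")),
    ACL(3, "permit", priority=7, dip=("10.10.10.3", "255.255.255.0")),
]
# ACLs from configuration examples 1 and 3 (their binding to ingress port EXT1 is omitted).
EXAMPLES = [
    ACL(1, "deny", dip=("100.10.1.1", "255.255.255.255")),
    ACL(3, "deny", sip=("100.10.1.0", "255.255.255.0"), egrport="INT1"),
]
```

Note the second assertion below: a VLAN 2 packet that also carries priority 7 toward 10.10.10.0/24 is permitted, because ACL 3 outranks the deny in ACL 2.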
Using DSCP Values to Provide QoS
The six most significant bits in the TOS byte of the IP header are defined as DiffServ Code Points (DSCP). Packets are marked with a certain value depending on the type of treatment the packet must receive in the network device. DSCP is a measure of the Quality of Service (QoS) level of the packet.
Differentiated Services Concepts
To differentiate between traffic flows, packets can be classified by their DSCP value.
The GbESM default settings are based on the following standard PHBs, as defined in the IEEE standards:
- Expedited Forwarding (EF)—This PHB has the highest egress priority and lowest drop precedence level. EF traffic is forwarded ahead of all other traffic. EF PHB is described in RFC 2598.
- Assured Forwarding (AF)—This PHB contains four service levels, each with a different drop precedence, as shown below.
QoS Levels
Table 7-5 shows the default service levels provided by the GbESM, listed from highest to lowest importance:
Table 7-5 Default QoS Service Levels
Service Level     Default PHB                 802.1p Priority
Critical          CS7                         7
Network Control   CS6                         6
Premium           EF, CS5                     5
Platinum          AF41, AF42, AF43, CS4       4
Gold              AF31, AF32, AF33, CS3       3
Silver            AF21, AF22, AF23, CS2       2
Bronze            AF11, AF12, AF13, CS1       1
Standard          DF, CS0                     0
802.
DSCP Re-marking and Mapping
The GbESM can re-mark the DSCP value of ingress packets to a new value, and set the 802.1p priority value, based on the DSCP value. You can view the default settings by using the cfg/qos/dscp/cur command, as shown below.
>> DSCP Remark# cur
Current DSCP Remarking Configuration: OFF
DSCP      New DSCP    New 802.
--------  --------    --------
0         0
1         1
...       ...
51        51
52        52
53        53
54        54
55        55
56        56
57        57
58        58
59        59
60        60
61        61
62        62
63        63
DSCP Re-marking Configuration Example
1. Turn DSCP re-marking on globally, and define the DSCP-DSCP-802.1p mapping. You can use the default mapping, as shown in the cfg/qos/dscp/cur command output.
>> Main# cfg/qos/dscp/on              (Turn on DSCP re-marking)
>> DSCP Remark# dscp 8                (Define DSCP re-marking)
Current DSCP remark (for DSCP 8): 8
Enter new DSCP remark (for DSCP 8) [0-63]: 10
>> DSCP Remark# prio                  (Define DSCP-to-802.
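An added Python example, not from the guide, that pulls the DSCP out of a raw IPv4 header, names the standard PHB it encodes, applies a re-mark table like the DSCP 8 to 10 entry above, and looks up the 802.1p priority in Table 7-5. The packets are constructed; a non-standard codepoint has no row in the table, so it gets no priority here rather than a guessed one.

```python
import struct

EF = 46   # Expedited Forwarding codepoint (RFC 2598)

# Table 7-5 default service levels, transcribed from the guide: PHB -> 802.1p priority.
PHB_PRIORITY = {
    "CS7": 7, "CS6": 6,
    "EF": 5, "CS5": 5,
    "AF41": 4, "AF42": 4, "AF43": 4, "CS4": 4,
    "AF31": 3, "AF32": 3, "AF33": 3, "CS3": 3,
    "AF21": 2, "AF22": 2, "AF23": 2, "CS2": 2,
    "AF11": 1, "AF12": 1, "AF13": 1, "CS1": 1,
    "DF": 0, "CS0": 0,
}


def split_tos(tos: int):
    """Split the TOS byte into DSCP (upper six bits) and ECN (lower two bits)."""
    return tos >> 2, tos & 0x03


def phb_name(dscp: int):
    """Name the standard PHB a codepoint encodes, or None for a non-standard value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in six bits")
    if dscp == EF:
        return "EF"
    cls, low = dscp >> 3, dscp & 0x07
    if low == 0:                               # class selectors: low three bits zero
        return "DF" if cls == 0 else f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):     # AFxy: class x, drop precedence y
        return f"AF{cls}{low // 2}"            # e.g. 10 -> AF11, 14 -> AF13
    return None


def ipv4_tos(packet: bytes) -> int:
    """Read the TOS byte from a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1]


def classify(packet: bytes, remark_table=None):
    """Return (ingress DSCP, DSCP after re-marking, PHB name, 802.1p priority).

    remark_table maps DSCP -> new DSCP like the rows under cfg/qos/dscp/cur;
    a codepoint not listed keeps its value, matching the identity default shown.
    """
    dscp, _ecn = split_tos(ipv4_tos(packet))
    new = (remark_table or {}).get(dscp, dscp)
    name = phb_name(new)
    return dscp, new, name, PHB_PRIORITY.get(name)


def make_ipv4(tos: int, src="192.0.2.1", dst="192.0.2.2", payload=b"") -> bytes:
    """Constructed minimal IPv4 header (checksum left zero) around a payload."""
    def ip(s):
        return bytes(int(octet) for octet in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                       0, 0, 64, 17, 0, ip(src), ip(dst)) + payload
```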
Using 802.1p Priorities to Provide QoS
Alteon OS provides Quality of Service functions based on the priority bits in a packet's VLAN header. (The priority bits are defined by the 802.1p standard within the IEEE 802.1q VLAN header.) The 802.1p bits, if present in the packet, specify the priority that should be given to packets during forwarding. Packets with a numerically higher (non-zero) priority are given forwarding preference over packets with a lower priority bit value.
802.1p Configuration Example
1. Configure a port's default 802.1p priority.
>> Main# cfg/port EXT1                (Select port)
>> Port EXT1# 8021ppri                (Set port's default 802.1p priority)
Current 802.1p priority: 0
Enter new 802.1p priority [0-7]: 1
>> Port EXT1# ena
>> Port EXT1# apply
2. Map the 802.1p priority value to a COS queue and set the COS queue scheduling weight.
>> Main# cfg/qos/8021p                (Select 802.1p menu)
>> 802.
Part 2: IP Routing
This section discusses Layer 3 switching functions. In addition to switching traffic at near line rates, the application switch can perform multi-protocol routing.
CHAPTER 8 Basic IP Routing
This chapter provides configuration background and examples for using the GbE Switch Module to perform IP routing functions.
IP Routing Benefits
The GbE Switch Module uses a combination of configurable IP switch interfaces and IP routing options. The switch IP routing capabilities provide the following benefits:
- Connects the server IP subnets to the rest of the backbone network.
- Provides another means to invisibly introduce Jumbo frame technology into the server-switched network by automatically fragmenting UDP Jumbo frames when routing to non-Jumbo frame VLANs or subnets.
Routing Between IP Subnets
The physical layout of most corporate networks has evolved over time. Classic hub/router topologies have given way to faster switched topologies, particularly now that switches are increasingly intelligent. GbE Switch Modules are intelligent and fast enough to perform routing functions on a par with wire speed Layer 2 switching.
Routers can be slower than switches. The cross-subnet side trip from the switch to the router and back again adds two hops for the data, slowing throughput considerably. Traffic to the router increases, increasing congestion. Even if every end-station could be moved to better logical subnets (a daunting task), competition for access to common server pools on different subnets still burdens the routers.
Without Layer 3 IP routing on the switch, cross-subnet communication is relayed to the default gateway (in this case, the router) for the next level of routing intelligence. The router fills in the necessary address information and sends the data back to the switch, which then relays the packet to the proper destination subnet using Layer 2 switching.
Example of Subnet Routing
Prior to configuring, you must be connected to the switch Command Line Interface (CLI) as the administrator.
NOTE – For details about accessing and using any of the menu commands described in this example, see the Alteon OS Command Reference.
1. Assign an IP address (or document the existing one) for each router and client workstation.
IP interfaces are configured using the following commands at the CLI:
>> # /cfg/l3/if 1
>> IP Interface 1# addr 205.21.17.3
>> IP Interface 1# ena
>> IP Interface 1# ../if 2
>> IP Interface 2# addr 100.20.10.1
>> IP Interface 2# ena
>> IP Interface 2# ../if 3
>> IP Interface 3# addr 131.15.15.1
>> IP Interface 3# ena
>> IP Interface 3# ../if 4
>> IP Interface 4# addr 206.30.15.
Using VLANs to Segregate Broadcast Domains
In the previous example, devices that share a common IP network are all in the same broadcast domain. If you want to limit the broadcasts on your network, you could use VLANs to create distinct broadcast domains. For example, as shown in the following procedure, you could create one VLAN for the client trunks, one for the routers, and one for the servers. In this example, you are adding to the previous configuration.
1.
Each time you add a port to a VLAN, you may get the following prompt:
Port 4 is an untagged port and its current PVID is 1.
Confirm changing PVID from 1 to 2 [y/n]?
Enter y to set the default Port VLAN ID (PVID) for the port.
3. Add each IP interface to the appropriate VLAN.
Now that the ports are separated into three VLANs, the IP interface for each subnet must be placed in the appropriate VLAN.
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) is a transport protocol that provides a framework for automatically assigning IP addresses and configuration information to other IP hosts or clients in a large TCP/IP network. Without DHCP, the IP address must be entered manually for each network device.
DHCP Relay Agent
DHCP is described in RFC 2131, and the DHCP relay agent supported on GbE Switch Modules is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. DHCP defines the methods through which clients can be assigned an IP address for a finite lease period, and allows reassignment of the IP address to another client later.
DHCP Relay Agent Configuration
To enable the GbE Switch Module to be the BOOTP forwarder, you need to configure the DHCP/BOOTP server IP addresses on the switch. You generally configure the IP interface on the client side to match the client's subnet, and configure VLANs to separate client and server subnets. The DHCP server knows from which IP subnet the newly allocated IP address should come.
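What the relay agent does on the ports just described, as an added Python example that is not the switch's implementation, following RFC 2131 and RFC 1542: it records its client-facing interface in giaddr when that field is still zero (which is how the server learns the subnet), increments hops, forwards to each configured server on port 67, and returns replies toward the client VLAN on port 68. The interface addresses, server list and DISCOVER message are constructed.

```python
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68   # port usage quoted from RFC 2131 above
MAX_HOPS = 16                                 # RFC 1542: discard a request whose hops exceeds 16
MAGIC_COOKIE = bytes([99, 130, 83, 99])

# Constructed relay configuration (not the switch's syntax): the IP interface facing
# each client VLAN, and the DHCP/BOOTP server addresses requests are forwarded to.
CLIENT_INTERFACES = {2: "10.10.2.1", 3: "10.10.3.1"}
DHCP_SERVERS = ["192.0.2.10"]


def parse_header(msg: bytes) -> dict:
    """Unpack the fixed BOOTP/DHCP header fields a relay agent cares about."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", msg[:12])
    addrs = [socket.inet_ntoa(msg[i:i + 4]) for i in range(12, 28, 4)]
    return dict(op=op, htype=htype, hlen=hlen, hops=hops, xid=xid, secs=secs,
                flags=flags, ciaddr=addrs[0], yiaddr=addrs[1],
                siaddr=addrs[2], giaddr=addrs[3])


def relay_request(msg: bytes, ingress_vlan: int):
    """Relay a client BOOTREQUEST: [(server_ip, 67, new_msg), ...], or [] if dropped."""
    h = parse_header(msg)
    if h["op"] != BOOTREQUEST or ingress_vlan not in CLIENT_INTERFACES:
        return []
    if h["hops"] > MAX_HOPS:
        return []                                   # relay loop guard from RFC 1542
    out = bytearray(msg)
    out[3] = h["hops"] + 1                          # every relay on the path increments hops
    if h["giaddr"] == "0.0.0.0":                    # only the first relay fills in giaddr
        out[24:28] = socket.inet_aton(CLIENT_INTERFACES[ingress_vlan])
    return [(server, DHCP_SERVER_PORT, bytes(out)) for server in DHCP_SERVERS]


def relay_reply(msg: bytes):
    """Relay a server BOOTREPLY to the client VLAN named by giaddr: (vlan, 68, msg) or None."""
    h = parse_header(msg)
    if h["op"] != BOOTREPLY:
        return None
    for vlan, addr in CLIENT_INTERFACES.items():
        if addr == h["giaddr"]:
            return vlan, DHCP_CLIENT_PORT, msg
    return None                                     # giaddr is not one of our interfaces


def make_discover(client_mac: str, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER: broadcast flag set, all address fields zero."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    fixed = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000) + bytes(16)
    # sname (64) and file (128) are zero; options: message type = DISCOVER, then end.
    return fixed + chaddr + bytes(64) + bytes(128) + MAGIC_COOKIE + bytes([53, 1, 1, 255])
```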
CHAPTER 9 Routing Information Protocol
In a routed environment, routers communicate with one another to keep track of available routes. Routers can learn about available routes dynamically using the Routing Information Protocol (RIP). Alteon OS software supports RIP version 1 (RIPv1) and RIP version 2 (RIPv2) for exchanging TCP/IP route information with other routers.
Distance Vector Protocol
RIP is known as a distance vector protocol.
Routing Updates
RIP sends routing-update messages at regular intervals and when the network topology changes. Each router "advertises" routing information by sending a routing information update every 30 seconds. If a router doesn't receive an update from another router for 180 seconds, the routes provided by that router are declared invalid.
RIPv2 in RIPv1 compatibility mode
Alteon OS allows you to configure RIPv2 in RIPv1 compatibility mode, for using both RIPv2 and RIPv1 routers within a network. In this mode, the regular routing updates use broadcast UDP data packets to allow RIPv1 routers to receive those packets. With RIPv1 routers as recipients, the routing updates have to carry a natural or host mask. Hence, it is not a recommended configuration for most network topologies.
Default
The RIP router can listen for and supply a default route, usually represented as 0.0.0.0 in the routing table. When a router does not have an explicit route to a destination network in its routing table, it uses the default route to forward those packets.
Metric
The metric field contains a configurable value between 1 and 15 (inclusive) which specifies the current metric for the interface. The metric value typically indicates the total number of hops to the destination.
1. Add VLANs for routing interfaces.
>> Main# cfg/l2/vlan 2/ena              (Enable VLAN 2)
>> VLAN 2# add ext2                      (Add port EXT2 to VLAN 2)
Port EXT2 is an UNTAGGED port and its current PVID is 1.
Confirm changing PVID from 1 to 2 [y/n]: y
>> VLAN 2# /cfg/l2/vlan 3/ena           (Enable VLAN 3)
>> VLAN 3# add ext3                      (Add port EXT3 to VLAN 3)
Port EXT3 is an UNTAGGED port and its current PVID is 1.
Confirm changing PVID from 1 to 3
2. Add IP interfaces to VLANs.
3.
CHAPTER 10 IGMP Internet Group Management Protocol (IGMP) is used by IP Multicast routers to learn about the existence of host group members on their directly attached subnet (see RFC 2236). The IP Multicast routers get this information by broadcasting IGMP Membership Queries and listening for IP hosts reporting their host group memberships.
Alteon OS Application Guide IGMP Snooping IGMP Snooping allows the switch to forward multicast traffic only to those ports that request it. IGMP Snooping prevents multicast traffic from being flooded to all ports. The switch learns which server hosts are interested in receiving multicast traffic, and forwards it only to ports connected to those servers. IGMP Snooping conserves bandwidth.
Alteon OS Application Guide IGMP Snooping Configuration Example This section provides steps to configure IGMP Snooping on the GbESM, using the CommandLine Interface (CLI). Configure IGMP Snooping 1. Configure port and VLAN membership on the switch. 2. Turn on IGMP. (Turn on IGMP) >> /cfg/l3/igmp/on 3. Add VLANs to IGMP Snooping and enable the feature. (Access IGMP Snoop menu) (Add VLAN 1 to IGMP snooping) (Enable IGMP Snooping) >> /cfg/l3/igmp/snoop >> IGMP Snoop# add 1 >> IGMP Snoop# ena 4.
These commands display information about IGMP Groups and Mrouters learned through IGMP Snooping.

Static Multicast Router
A static multicast router (Mrouter) can be configured for a particular port on a particular VLAN. A static Mrouter does not have to be learned through IGMP Snooping. A total of 16 static Mrouters can be configured on the GbESM. Both internal and external ports can accept a static Mrouter.

IGMP Relay
The GbESM can act as an IGMP Relay (or IGMP Proxy) device that relays IGMP multicast messages and traffic between an Mrouter and end stations. IGMP Relay allows the GbESM to participate in network multicasts with no configuration of the various multicast routing protocols, so you can deploy it in the network with minimal effort. To an IGMP host connected to the GbESM, IGMP Relay appears to be an IGMP multicast router (Mrouter).

Configure IGMP Relay
Use the following procedure to configure IGMP Relay.
1. Configure an IP interface and assign VLANs.
>> # /cfg/l3/if 2
>> IP Interface 2# addr 10.10.1.1
>> IP Interface 2# mask 255.255.255.0
>> IP Interface 2# vlan 2
>> # /cfg/l3/if 3
>> IP Interface 3# addr 10.10.1.2
>> IP Interface 3# mask 255.255.255.0
>> IP Interface 3# vlan 3
2. Turn IGMP on.
>> /cfg/l3/igmp/on (Turn on IGMP)
3. Enable IGMP Relay and add VLANs to the downstream network.
5. Apply and save the configuration.

Additional IGMP Features
The following topics are discussed in this section:
“FastLeave” on page 168
“IGMP Filtering” on page 168

FastLeave
In normal IGMP operation, when the switch receives an IGMPv2 leave message, it sends a Group-Specific Query to determine if any other devices in the same group (and on the same port) are still interested in the specified multicast group traffic.

Each IGMP Filter allows you to set a start and end point that defines the range of IP addresses upon which the filter takes action. Each IP address in the range must be between 224.0.1.0 and 239.255.255.255. If you choose any as the start point, then the filter acts upon all addresses between 224.0.0.0 and the address entered as the end point. If you enter any as the end point, then the filter acts upon all addresses between the address entered as the start point and 239.255.
3. Assign the IGMP filter to a port.
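The range rules above have one subtlety worth checking before a filter is assigned to a port: an explicitly typed start point may not be below 224.0.1.0, yet a start point of any reaches down to 224.0.0.0, so the link-local control groups are only ever covered through any. The following is an added worked example, not code from the guide or from Alteon OS, that applies the text's range rules in Python and evaluates a port's filter list against a group address. The action names allow and deny, first-match evaluation in configured order, and the allow default when no filter matches are assumptions made for the example; the guide states only the address-range rules.

```python
"""IGMP filter range rules from the guide, as an added worked example.

Range rules (from the text): explicit start and end points must lie in
224.0.1.0 .. 239.255.255.255; 'any' as the start point means the filter
reaches down to 224.0.0.0; 'any' as the end point means up to
239.255.255.255. Action names, first-match evaluation and the default
when nothing matches are assumptions for this example, not guide content.
"""
from ipaddress import IPv4Address

EXPLICIT_FLOOR = IPv4Address("224.0.1.0")       # lowest explicit start/end allowed
MCAST_CEIL = IPv4Address("239.255.255.255")      # what 'any' expands to as an end point
ANY_START = IPv4Address("224.0.0.0")             # what 'any' expands to as a start point


class IGMPFilter:
    """One filter: an inclusive group-address range and the action it takes."""

    def __init__(self, start: str, end: str, action: str = "deny") -> None:
        self.start = ANY_START if start == "any" else self._explicit(start)
        self.end = MCAST_CEIL if end == "any" else self._explicit(end)
        if self.start > self.end:
            raise ValueError("start point must not be above end point")
        if action not in ("allow", "deny"):            # assumed action names
            raise ValueError("action must be allow or deny")
        self.action = action

    @staticmethod
    def _explicit(text: str) -> IPv4Address:
        # An explicitly typed endpoint is validated against the stricter floor,
        # so 224.0.0.x (link-local control groups) can only be reached via 'any'.
        addr = IPv4Address(text)
        if not EXPLICIT_FLOOR <= addr <= MCAST_CEIL:
            raise ValueError(f"{addr} is outside 224.0.1.0-239.255.255.255")
        return addr

    def matches(self, group: str) -> bool:
        return self.start <= IPv4Address(group) <= self.end


def rejects(start: str, end: str) -> bool:
    """True if the range rules reject this start/end pair."""
    try:
        IGMPFilter(start, end)
    except ValueError:
        return True
    return False


def decide(filters: list, group: str, default: str = "allow") -> str:
    """Action of the first filter (in configured order) that covers the group."""
    for f in filters:
        if f.matches(group):
            return f.action
    return default


if __name__ == "__main__":
    # Constructed sample: deny one organization-local range, allow everything else.
    port_filters = [
        IGMPFilter("239.192.0.0", "239.195.255.255", "deny"),
        IGMPFilter("any", "any", "allow"),
    ]
    for g in ("239.193.1.1", "224.0.1.40", "224.0.0.5"):
        print(g, decide(port_filters, g))
```

Keep the most specific deny ranges first; with first-match evaluation an any/any allow placed before them would make every later filter unreachable.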
CHAPTER 11 Border Gateway Protocol Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share and advertise routing information with each other about the segments of the IP address space they can access within their network and with routers on external networks.
Internal Routing Versus External Routing
To ensure effective processing of network traffic, every router on your network needs to know how to send a packet (directly or indirectly) to any other location/destination in your network. This is referred to as internal routing and can be done with static routes or using active, internal dynamic routing protocols, such as RIP, RIPv2, and OSPF. Static routes should have a higher degree of precedence than dynamic routing protocols.

Typically, an AS has one or more border routers—peer routers that exchange routes with other ASs—and an internal routing scheme that enables routers in that AS to reach every other router and destination within that AS. When you advertise routes to border routers on other autonomous systems, you are effectively committing to carry data to the IP space represented in the route being advertised. For example, if you advertise 192.204.4.

What is a Route Map?
A route map is used to control and modify routing information. Route maps define conditions for redistributing routes from one routing protocol to another or controlling routing information when injecting it in and out of BGP. Route maps are used by OSPF only for redistributing routes.

[Figure 11-2: Distributing Network Filters in Access Lists and Route Maps. Route maps (rmap) 1 through 32 each hold access lists (alist) 1 through 8; the network filters (nwf) behind them are numbered 1 through 256, with route map 1 using filters 1 to 8, route map 2 using 9 to 16, and route map 32 using 249 to 256.]

Incoming and Outgoing Route Maps
You can have two types of route maps: incoming and outgoing.

Precedence
You can set a priority to a route map by specifying a precedence value with the following command:
>> /cfg/l3/rmap x/pre (Specify a precedence)
The smaller the value, the higher the precedence. If two route maps have the same precedence value, the route map with the smaller map number has the higher precedence.

Configuration Overview
To configure route maps, you need to do the following:
1. Define network filter.

3. (Optional) Configure the attributes in the AS filter menu.
>> # /cfg/l3/rmap 1/aspath 1 (Specify the attributes in the filter)
>> AS Filter 1# as 1 (Specify the AS number)
>> AS Filter 1# action deny (Specify the action for the filter)
>> AS Filter 1# ena (Enable the AS filter)
4. Set up the BGP attributes.
Aggregating Routes
Aggregation is the process of combining several different routes in such a way that a single route can be advertised, which minimizes the size of the routing table. You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by creating an aggregate entry in the BGP routing table. When a subnet is redistributed from an Interior Gateway Protocol (IGP) into BGP, only the network route is injected into the BGP table.

Redistributing Routes
In addition to running multiple routing protocols simultaneously, Alteon OS software can redistribute information from one routing protocol to another. For example, you can instruct the switch to use BGP to readvertise static routes. This applies to all of the IP-based routing protocols. You can also conditionally control the redistribution of routes between routing domains by defining a method known as route maps between the two domains.

BGP Attributes
The following two BGP attributes are discussed in this section: Local preference and metric (Multi-Exit Discriminator).

Local Preference Attribute
When there are multiple paths to the same destination, the local preference attribute indicates the preferred path. The path with the higher preference is preferred (the default value of the local preference attribute is 100).

Selecting Route Paths in BGP
BGP selects only one path as the best path. It does not rely on metrics attributes to determine the best path. When the same network is learned via more than one BGP peer, BGP uses its policy for selecting the best route to that network. The BGP implementation on the GbE Switch Module uses the following criteria to select a path when the same route is received from multiple peers.
1. Local fixed and static routes are preferred over learned routes.

BGP Failover Configuration
Use the following example to create redundant default gateways for a GbE Switch Module at a Web Host/ISP site, eliminating the possibility, should one gateway go down, that requests will be forwarded to an upstream router unknown to the switch. As shown in Figure 11-3, the switch is connected to ISP 1 and ISP 2. The customer negotiates with both ISPs to allow the switch to use their peer routers as default gateways.

1. Define the VLANs. For simplicity, both default gateways are configured in the same VLAN in this example. The gateways could be in the same VLAN or different VLANs.
>> # /cfg/l2/vlan 1 (Select VLAN 1)
>> vlan 1# add (Add a port to the VLAN membership)
2. Define the IP interfaces. The switch will need an IP interface for each default gateway to which it will be connected. Each interface will need to be placed in the appropriate VLAN.

4. Configure BGP peer router 1 and 2. Peer 1 is the primary gateway router. Peer 2 is configured with a metric of “3.” The metric option is key to ensuring gateway traffic is directed to Peer 1, as it will make Peer 2 appear to be three router hops away from the switch. Thus, the switch should never use it unless Peer 1 goes down.
>> # /cfg/l3/bgp/peer 1
>> BGP Peer 1# ena
>> BGP Peer 1# addr 200.200.200.2
>> BGP Peer 1# if 200.200.200.

Default Redistribution and Route Aggregation Example
This example shows you how to configure the switch to redistribute information from one routing protocol to another and create an aggregate route entry in the BGP routing table to minimize the size of the routing table. As illustrated in Figure 11-4, you have two peer routers: an internal and an external peer router. Configure the GbE Switch Module to redistribute the default routes from AS 200 to AS 135.

3. Configure internal peer router 1 and external peer router 2.
>> # /cfg/l3/bgp/peer 1
>> BGP Peer 1# ena
>> BGP Peer 1# addr 10.1.1.4
>> BGP Peer 1# ras 135
>> BGP Peer 1# ../peer 2
>> BGP Peer 2# ena
>> BGP Peer 2# addr 20.20.20.2
>> BGP Peer 2# ras 200
4. Configure redistribution for Peer 1.
>> # /cfg/l3/bgp/peer 1/redist
>> BGP Peer 1# default redistribute
>> BGP Peer 1# fixed ena
5.
CHAPTER 12 OSPF Alteon OS supports the Open Shortest Path First (OSPF) routing protocol. The Alteon OS implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss OSPF support for the GbE Switch Module: “OSPF Overview” on page 188. This section provides information on OSPF concepts, such as types of OSPF areas, types of routing devices, neighbors, adjacencies, link state database, authentication, and internal versus external routing.
OSPF Overview
OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. All routing devices maintain link information in their own Link State Database (LSDB). The LSDB for all routing devices within an area is identical but is not exchanged between different areas.

Transit Area—an area that allows area summary information to be exchanged between routing devices. The backbone (area 0), any area that contains a virtual link to connect two areas, and any area that is not a stub area or an NSSA are considered transit areas.

Types of OSPF Routing Devices
As shown in Figure 12-2, OSPF uses the following types of routing devices:
Internal Router (IR)—a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices within the local area.
Area Border Router (ABR)—a router that has interfaces in multiple areas. ABRs maintain one LSDB for each connected area and disseminate routing information between areas.

Neighbors and Adjacencies
In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each others’ health. To establish neighbor relationships, routing devices periodically send hello packets on each of their interfaces.

The Shortest Path First Tree
The routing devices use a link-state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination. The cost of an individual interface in OSPF is an indication of the overhead required to send packets across it. The cost is inversely proportional to the bandwidth of the interface. A lower cost indicates a higher bandwidth.

OSPF Implementation in Alteon OS
Alteon OS supports a single instance of OSPF and up to 4 K routes on the network.

Defining Areas
If you are configuring multiple areas in your OSPF domain, one of the areas must be designated as area 0, known as the backbone. The backbone is the central OSPF area and is usually physically connected to all other areas. The areas inject routing information into the backbone which, in turn, disseminates the information into other areas. Since the backbone connects the areas in your network, it must be a contiguous area.

Using the Area ID to Assign the OSPF Area Number
The OSPF area number is defined in the areaid option. The octet format is used in order to be compatible with two different systems of notation used by other OSPF network vendors. There are two valid ways to designate an area ID:
Placing the area number in the last octet (0.0.0.n). Most common OSPF vendors express the area ID number as a single number. For example, the Cisco IOS-based router command “network 1.1.1.

Interface Cost
The OSPF link-state algorithm (Dijkstra’s algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. Usually, the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth.

Default Routes
When an OSPF routing device encounters traffic for a destination address it does not recognize, it forwards that traffic along the default route. Typically, the default route leads upstream toward the backbone until it reaches the intended area or an external router. Each GbE Switch Module acting as an ABR automatically inserts a default route into each attached area.

The OSPF default route configuration can be removed with the command:
>> # /cfg/l3/ospf/default none

Virtual Links
Usually, all areas in an OSPF AS are physically connected to the backbone. In some cases where this is not possible, you can use a virtual link. Virtual links are created to connect one area to the backbone through another non-backbone area (see Figure 12-1 on page 189).

Router ID
Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP address format. The IP address of the router ID is not required to be included in any IP interface range or in any OSPF area. The router ID can be configured in one of the following two ways:
Dynamically—OSPF protocol configures the lowest IP interface IP address as the router ID. This is the default.
Figure 12-4 shows authentication configured for area 0 with the password test. Simple authentication is also configured for the virtual link between area 2 and area 0. Area 1 is not configured for OSPF authentication.

[Figure 12-4: OSPF Authentication. Labels recovered from the figure: Application Switch 3, Application Switch 5, BladeCenter Switch 4, BladeCenter.]

To configure simple plain text OSPF passwords on the switches shown in Figure 12-4 use the following commands:
1.

3. Enable OSPF authentication for Area 2 on switch 4.
>> # /cfg/l3/ospf/aindex 2/auth password (Turn on OSPF password authentication)
4. Configure a simple text password up to eight characters for the virtual link between Area 2 and Area 0 on switches 2 and 4.
>> # /cfg/l3/ospf/virt 1/key alteon
NOTE – Simple authentication places the password in clear text in every OSPF packet, so anyone who can capture traffic on the link can read it. Use MD5 authentication wherever the neighboring routers support it.

Use the following commands to configure MD5 authentication on the switches shown in Figure 12-4:
1. Enable OSPF MD5 authentication for Area 0 on switches 1, 2, and 3.

6. Assign MD5 key ID to OSPF virtual link on switches 2 and 4.
>> # /cfg/l3/ospf/virt 1/mdkey 2

Host Routes for Load Balancing
The Alteon OS implementation of OSPF includes host routes. Host routes are used for advertising network device IP addresses to external networks, accomplishing the following goals:
ABR Load Sharing. As a form of load balancing, host routes can be used for dividing OSPF traffic among multiple ABRs.
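Returning to the authentication commands above: the difference between the simple password (key alteon) and MD5 authentication (mdkey 2) is easiest to see in the packet bytes. The following is an added worked example, not code from the guide or from Alteon OS, in Python. It builds a minimal OSPFv2 Hello and authenticates it both ways following RFC 2328 Appendices A and D: with simple authentication the password is copied into the eight-byte authentication field (which is why the guide limits it to eight characters), while with MD5 the field carries a key ID, a digest length and a sequence number, and a keyed MD5 digest is appended after the packet. The router ID, area ID, key ID and sequence number below are constructed values, and zero-padding MD5 keys shorter than 16 bytes is an assumption shared by common implementations rather than something the guide states.

```python
"""OSPF simple-password vs MD5 authentication on the wire.

Added worked example, not code from the guide or from Alteon OS. It builds a
minimal OSPFv2 Hello and authenticates it both ways so the difference the
section describes (a plain text password of up to eight characters vs a keyed
MD5 digest selected by key ID) is visible in the bytes. Layout follows
RFC 2328 Appendix A and D; zero-padding MD5 keys shorter than 16 bytes is an
assumption shared by common implementations, and the router/area IDs, key ID
and sequence number used below are constructed values.
"""
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HEADER_LEN = 24          # OSPFv2 header: ver, type, len, rid, aid, csum, autype, auth[8]
DIGEST_LEN = 16


def _ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum used by the OSPF header (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(mask: str = "255.255.255.0") -> bytes:
    """Minimal Hello: mask, hello 10 s, options (E bit), prio 1, dead 40 s, DR, BDR."""
    return _ip(mask) + struct.pack("!HBBI", 10, 0x02, 1, 40) + bytes(4) + bytes(4)


def _header(length: int, rid: str, aid: str, csum: int, autype: int, auth: bytes) -> bytes:
    return struct.pack("!BBH4s4sHH8s", 2, 1, length, _ip(rid), _ip(aid), csum, autype, auth)


def build_simple(rid: str, aid: str, password: str) -> bytes:
    """AuType 1: the password itself rides in the 8-byte authentication field."""
    pw = password.encode()
    if len(pw) > 8:
        raise ValueError("simple password is at most eight characters")
    body = hello_body()
    length = HEADER_LEN + len(body)
    # The checksum excludes the authentication field, i.e. it is computed as if zero.
    csum = ip_checksum(_header(length, rid, aid, 0, AUTH_SIMPLE, bytes(8)) + body)
    return _header(length, rid, aid, csum, AUTH_SIMPLE, pw.ljust(8, b"\x00")) + body


def build_md5(rid: str, aid: str, key_id: int, key: str, seq: int) -> bytes:
    """AuType 2: auth field = 0, key ID, digest length, sequence; digest appended."""
    k = key.encode()
    if len(k) > DIGEST_LEN:
        raise ValueError("MD5 key is at most 16 bytes")
    body = hello_body()
    length = HEADER_LEN + len(body)              # the trailing digest is not counted
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = _header(length, rid, aid, 0, AUTH_MD5, auth) + body   # checksum stays 0
    return pkt + hashlib.md5(pkt + k.ljust(DIGEST_LEN, b"\x00")).digest()


def verify_md5(packet: bytes, keys: dict) -> bool:
    """Receiver: pick the key by the key ID carried in the packet and recompute."""
    if len(packet) < HEADER_LEN + DIGEST_LEN:
        return False
    length, = struct.unpack("!H", packet[2:4])
    autype, = struct.unpack("!H", packet[14:16])
    _, key_id, auth_len, _seq = struct.unpack("!HBBI", packet[16:24])
    if autype != AUTH_MD5 or auth_len != DIGEST_LEN or length + DIGEST_LEN != len(packet):
        return False
    key = keys.get(key_id)
    if key is None:
        return False                             # unknown key ID: drop, as a router would
    expected = hashlib.md5(packet[:length] + key.encode().ljust(DIGEST_LEN, b"\x00")).digest()
    return hmac.compare_digest(expected, packet[length:])


def password_exposed(packet: bytes, password: str) -> bool:
    """A simple-password packet carries the password where any sniffer can read it."""
    return password.encode() in packet


if __name__ == "__main__":
    simple = build_simple("10.10.12.1", "0.0.0.0", "test")
    print("plain text password visible:", password_exposed(simple, "test"))
    md5 = build_md5("10.10.12.1", "0.0.0.0", key_id=2, key="alteon", seq=1)
    print("key visible in MD5 packet:", password_exposed(md5, "alteon"))
    print("digest verifies with key ID 2:", verify_md5(md5, {2: "alteon"}))
```

The key ID in the packet is what lets both ends of the virtual link agree on which key to use (the guide's mdkey 2), and it is also what makes key rollover possible without an outage: a receiver can hold the old and the new key under different IDs while neighbors are migrated.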
OSPF Features Not Supported in This Release
The following OSPF features are not supported in this release:
Summarizing external routes
Filtering OSPF routes
Using OSPF to forward multicast routes
Configuring OSPF on non-broadcast multi-access networks (such as frame relay, X.

OSPF Configuration Examples
A summary of the basic steps for configuring OSPF on the GbE Switch Module is listed here. Detailed instructions for each of the steps are covered in the following sections:
1. Configure IP interfaces. One IP interface is required for each desired network (range of IP addresses) being assigned to an OSPF area on the switch.
2. (Optional) Configure the router ID. The router ID is required only when configuring virtual links on the switch.
3.

Example 1: Simple OSPF Domain
In this example, two OSPF areas are defined—one area is the backbone and the other is a stub area. A stub area does not allow advertisements of external routes, thus reducing the size of the database. Instead, a default summary route of IP address 0.0.0.0 is automatically inserted into the stub area. Any traffic for IP address destinations outside the stub area will be forwarded to the stub area’s IP interface, and then into the backbone.

3. Define the backbone. The backbone is always configured as a transit area using areaid 0.0.0.0.
>> Open Shortest Path First # aindex 0
>> OSPF Area (index) 0 # areaid 0.0.0.0
>> OSPF Area (index) 0 # type transit
>> OSPF Area (index) 0 # enable
4.
>> OSPF Area (index) 0 # ../aindex 1
>> OSPF Area (index) 1 # areaid 0.0.0.

Example 2: Virtual Links
In the example shown in Figure 12-6, area 2 is not physically connected to the backbone as is usually required. Instead, area 2 will be connected to the backbone via a virtual link through area 1. The virtual link must be configured at each endpoint.

[Figure 12-6: Configuring a Virtual Link. Labels recovered from the figure: Switch 1, Switch 2, Application Switch, BladeCenter.]

Configuring OSPF for a Virtual Link on Switch #1
1.

4. Define the backbone.
>> Open Shortest Path First # aindex 0 (Select menu for area index 0)
>> OSPF Area (index) 0 # areaid 0.0.0.0 (Set the area ID for backbone area 0)
>> OSPF Area (index) 0 # type transit (Define backbone as transit type)
>> OSPF Area (index) 0 # enable (Enable the area)
5. Define the transit area. The area that contains the virtual link must be configured as a transit area.
6.

Configuring OSPF for a Virtual Link on Switch #2
1. Configure IP interfaces on each network that will be attached to OSPF areas. Two IP interfaces are needed on Switch #2: one for the transit area network on 10.10.12.0/24 and one for the stub area network on 10.10.24.0/24.
>> # /cfg/l3/if 1
>> IP Interface 1 # addr 10.10.12.2
>> IP Interface 1 # mask 255.255.255.
2.

6. Define the stub area.
>> OSPF Area (index) 1 # ../aindex 2
>> OSPF Area (index) 2 # areaid 0.0.0.2
>> OSPF Area (index) 2 # type stub
>> OSPF Area (index) 2 # enable
7. Attach the network interface to the transit area (area index 1), which carries the virtual link toward the backbone.
>> OSPF Area (index) 2 # ../if 1
>> OSPF Interface 1 # aindex 1
>> OSPF Interface 1 # enable
8.

Example 3: Summarizing Routes
By default, ABRs advertise all the network addresses from one area into another area. Route summarization can be used for consolidating advertised addresses and reducing the perceived complexity of the network. If the network IP addresses in an area are assigned to a contiguous subnet range, you can configure the ABR to advertise a single summary route that includes all the individual IP addresses within the area.

Follow this procedure to configure OSPF support as shown in Figure 12-7:
1. Configure IP interfaces for each network which will be attached to OSPF areas.
>> # /cfg/l3/if 1
>> IP Interface 1 # addr 10.10.7.1
>> IP Interface 1 # mask 255.255.255.0
>> IP Interface 1 # ena
>> IP Interface 1 # ../if 2
>> IP Interface 2 # addr 36.128.192.1
>> IP Interface 2 # mask 255.255.192.0
>> IP Interface 2 # ena
2. Enable OSPF.
>> IP Interface 2 # /cfg/l3/ospf/on
3.

7. Configure route summarization by specifying the starting address and mask of the range of addresses to be summarized.
>> OSPF Interface 2 # ../range 1
>> OSPF Summary Range 1 # addr 36.128.192.0
>> OSPF Summary Range 1 # mask 255.255.192.
8.
Part 3: High Availability Fundamentals Internet traffic consists of myriad services and applications which use the Internet Protocol (IP) for data delivery. However, IP is not optimized for all the various applications. High Availability goes beyond IP and makes intelligent switching decisions to provide redundant network configurations.
CHAPTER 13 High Availability GbE Switch Modules support high-availability network topologies through an enhanced implementation of the Virtual Router Redundancy Protocol (VRRP). The following topics are discussed in this chapter: “Layer 2 Failover” on page 218. This section discusses trunk failover without using VRRP. “VRRP Overview” on page 224. This section discusses VRRP operation and Alteon OS redundancy configurations. “Failover Methods” on page 227.
Layer 2 Failover
The primary application for Layer 2 Failover is to support Network Adapter Teaming. With Network Adapter Teaming, the NICs on each server all share the same IP address, and are configured into a team. One NIC is the primary link, and the other is a standby link. For more details, refer to the NetXen 10 Gb Ethernet Adapter documentation.
NOTE – Only two links per server blade can be used for Layer 2 Trunk Failover (one primary and one backup).

Setting the Failover Limit
The failover limit lets you specify the minimum number of operational links required within each trigger before the trigger initiates a failover event. For example, if the limit is two (/cfg/l2/failovr/trigger x/limit 2), a failover event occurs when the number of operational links in the trigger is two or fewer. When you set the limit to zero, the switch triggers a failover event only when no links in the trigger are operational.

Configuration Guidelines
This section provides important information about configuring L2 Failover:
A failover trigger can monitor multiple static trunks or a single LACP key, but not both.
With VLAN Monitor on, the following additional guidelines apply:
All external ports in all trunks that are added to a single failover trigger must have the same VLAN membership and have the same PVID.
Each failover trigger must operate on a different VLAN membership.

Figure 13-2 shows a configuration with two trunks, each in a different Failover Trigger. GbESM 1 is the primary switch for Server 1 and Server 2. GbESM 2 is the primary switch for Server 3 and Server 4. VLAN Monitor is turned on. STP is turned off. If all links go down in trigger 1, GbESM 1 disables all internal ports that reside in VLAN 1. If all links in trigger 2 go down, GbESM 1 disables all internal ports that reside in VLAN 2.

Figure 13-3 shows a configuration with two trunks. VLAN Monitor is turned off, so only one Failover Trigger is configured on each switch. GbESM 1 is the primary switch for Server 1 and Server 2. GbESM 2 is the primary switch for Server 3 and Server 4. STP is turned off. If all links in trigger 1 go down, GbESM 1 disables all internal links to server blades.

Configuring Trunk Failover
The following procedure pertains to example 1, as shown in Figure 13-1.
1. Configure Network Adapter Teaming on the servers.
2. Define a trunk group on the GbESM.
3.
VRRP Overview
In a high-availability network topology, no device can create a single point-of-failure for the network or force a single point-of-failure to any other part of the network. This means that your network will remain in service despite the failure of any single device. To achieve this usually requires redundancy for all vital network components.

There is no requirement for any VRRP router to be the IP address owner. Most VRRP installations choose not to implement an IP address owner. For the purposes of this chapter, VRRP routers that are not the IP address owner are called renters.

Master and Backup Virtual Router
Within each virtual router, one VRRP router is selected to be the virtual router master. See “Selecting the Master VRRP Router” on page 226 for an explanation of the selection process.

VRRP Operation
Only the virtual router master responds to ARP requests. Therefore, the upstream routers only forward packets destined to the master. The master also responds to ICMP ping requests. The backup does not forward any traffic, nor does it respond to ARP requests. If the master is not available, the backup becomes the master and takes over responsibility for packet forwarding and responding to ARP requests.

Failover Methods
With service availability becoming a major concern on the Internet, service providers are increasingly deploying Internet traffic control devices, such as application switches, in redundant configurations. Traditionally, these configurations have been hot-standby configurations, where one switch is active and the other is in a standby mode. A non-VRRP hot-standby configuration is shown in the figure below.

[Figure: non-VRRP hot-standby configuration. Label recovered from the figure: Primary Switch IP: 200.200.200.]

Active-Active Redundancy
In an active-active configuration, shown in Figure 13-5, two switches provide redundancy for each other, with both active at the same time. Each switch processes traffic on a different subnet. When a failure occurs, the remaining switch can process traffic on all subnets. For a configuration example, see “Active-Active Configuration” on page 233.

Hot-Standby Redundancy
The primary application for VRRP-based hot-standby is to support Server Load Balancing when you have configured Network Adapter Teaming on your server blades. With Network Adapter Teaming, the NICs on each server share the same IP address, and are configured into a team. One NIC is the primary link, and the others are backup links. For more details, refer to the NetXen 10 Gb Ethernet Adapter documentation. The hot-standby model is shown in Figure 13-6.

Alteon OS extensions to VRRP
This section describes the following VRRP enhancements that are implemented in Alteon OS:
Tracking VRRP Router Priority

Tracking VRRP Router Priority
Alteon OS supports a tracking function that dynamically modifies the priority of a VRRP router, based on its current state. The objective of tracking is to have, whenever possible, the master bidding processes for various virtual routers in a LAN converge on the same switch.

Virtual Router Deployment Considerations
Review the following issues described in this section to prevent network problems when deploying virtual routers:
Assigning VRRP Virtual Router ID
Configuring the Switch for Tracking

Assigning VRRP Virtual Router ID
During the software upgrade process, VRRP virtual router IDs will be automatically assigned if failover is enabled on the switch.

The user can implement this behavior by configuring the switch for tracking as follows:
1. Set the priority for switch 1 to 101.
2. Leave the priority for switch 2 at the default value of 100.
3. On both switches, enable tracking based on ports (ports), interfaces (ifs), or virtual routers (vr). You can choose any combination of tracking parameters, based on your network configuration.
NOTE – There is no shortcut to setting tracking parameters.
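To see why the 101/100 split plus tracking makes the master elections for all virtual routers converge on one switch, and move together when that switch loses its uplinks, here is an added worked example in Python. It is not code from the guide or from Alteon OS. The increment added per healthy tracked item (2), the tie-break on the higher interface address (the rule RFC 3768 uses when priorities are equal), and the constructed switch names and interface addresses are assumptions; the guide says only that tracking raises a router's priority based on its current state.

```python
"""VRRP priority tracking, after the guide's two-switch example.

Added worked example, not code from the guide or from Alteon OS. Switch 1 is
configured with priority 101 and switch 2 keeps the default 100, and both
track ports, interfaces and virtual routers. The increment added per healthy
tracked item (2) and the tie-break on the higher interface address (the RFC
3768 rule) are assumptions; the guide only says tracking raises a router's
priority based on its current state.
"""
from dataclasses import dataclass

INCREMENT = 2           # assumed priority added per healthy tracked item
MAX_PRIORITY = 254      # 255 is reserved for the IP address owner


@dataclass
class VrrpSwitch:
    name: str
    base_priority: int
    if_addr: str                       # interface address used for the tie-break
    ports_up: int = 0                  # operational tracked ports (e.g. uplinks)
    ifs_up: int = 0                    # operational tracked IP interfaces
    tracking: tuple = ()               # any of "ports", "ifs", "vr"

    def effective_priority(self, vrs_mastered: int = 0) -> int:
        """Base priority plus the tracking bonus for everything currently healthy."""
        p = self.base_priority
        if "ports" in self.tracking:
            p += INCREMENT * self.ports_up
        if "ifs" in self.tracking:
            p += INCREMENT * self.ifs_up
        if "vr" in self.tracking:
            p += INCREMENT * vrs_mastered   # being master of other VRs pulls the rest along
        return min(p, MAX_PRIORITY)


def elect_all(switches: list, n_vrs: int, rounds: int = 10) -> dict:
    """Pick a master per virtual router, iterating until VR tracking stops moving priorities."""
    masters = {vr: None for vr in range(1, n_vrs + 1)}
    for _ in range(rounds):
        mastered = {s.name: sum(1 for m in masters.values() if m == s.name) for s in switches}
        new = {}
        for vr in masters:
            # highest effective priority wins; equal priorities go to the higher address
            best = max(switches, key=lambda s: (s.effective_priority(mastered[s.name]),
                                                tuple(int(o) for o in s.if_addr.split("."))))
            new[vr] = best.name
        if new == masters:
            break
        masters = new
    return masters


def make_pair(s1_ports_up: int, s2_ports_up: int, tracking=("ports", "ifs", "vr")) -> list:
    """The guide's pair: GbESM 1 at priority 101, GbESM 2 at the default 100 (constructed)."""
    return [
        VrrpSwitch("GbESM 1", 101, "192.168.1.100", s1_ports_up, 2, tracking),
        VrrpSwitch("GbESM 2", 100, "192.168.1.101", s2_ports_up, 2, tracking),
    ]


if __name__ == "__main__":
    print("both uplinks healthy:", elect_all(make_pair(2, 2), 2))
    print("GbESM 1 lost its uplinks:", elect_all(make_pair(0, 2), 2))
```

With both switches healthy the one-point edge of priority 101 decides every virtual router in favor of GbESM 1; once GbESM 1 loses its tracked uplinks, the bonus GbESM 2 earns for its healthy ports outweighs that edge and both virtual routers fail over together, which is the convergence the text describes. Tracking only helps if the tracked items actually reflect the path clients and servers depend on, so track the uplink ports rather than every port.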
High Availability Configurations
GbE Switch Modules offer flexibility in implementing redundant configurations. This section discusses the more useful and easily deployed configurations:
“Active-Active Configuration” on page 233
“Hot-Standby Configuration” on page 238

Active-Active Configuration
Figure 13-7 shows an example configuration where two GbE Switch Modules are used as VRRP routers in an active-active configuration.

Task 1: Configure GbESM 1
1. Configure client and server interfaces.
/cfg/l3/if 1
>> IP Interface 1# addr 192.168.1.100
>> IP Interface 1# vlan 10
>> IP Interface 1# ena
>> IP Interface 1# ..
>> Layer 3# if 2
>> IP Interface 2# addr 192.168.2.
>> Layer 3# if 3
>> Layer 3# if 4
2.

3. Turn on VRRP and configure two Virtual Interface Routers.
/cfg/l3/vrrp/on (Turn VRRP on)
>> Virtual Router Redundancy Protocol# vr 1 (Select virtual router 1)
>> VRRP Virtual Router 1# vrid 1 (Set VRID to 1)
>> VRRP Virtual Router 1# if 1 (Set interface 1)
>> VRRP Virtual Router 1# addr 192.168.1.200 (Define IP address)
>> VRRP Virtual Router 1# ena (Enable virtual router 1)
>> VRRP Virtual Router 1# ..

Task 2: Configure GbESM 2
1. Configure client and server interfaces.
/cfg/l3/if 1
>> IP Interface 1# addr 192.168.1.101
>> IP Interface 1# vlan 10
>> IP Interface 1# ena
>> IP Interface 1# ..
>> Layer 3# if 2
>> IP Interface 2# addr 192.168.2.
>> Layer 3# if 3
>> Layer 3# if 4
2.

3. Turn on VRRP and configure two Virtual Interface Routers.
/cfg/l3/vrrp/on (Turn VRRP on)
>> Virtual Router Redundancy Protocol# vr 1 (Select virtual router 1)
>> VRRP Virtual Router 1# vrid 1 (Set VRID to 1)
>> VRRP Virtual Router 1# if 1 (Set interface 1)
>> VRRP Virtual Router 1# addr 192.168.1.200 (Define IP address)
>> VRRP Virtual Router 1# ena (Enable virtual router 1)
>> VRRP Virtual Router 1# ..

Hot-Standby Configuration
The primary application for VRRP-based hot-standby is to support Network Adapter Teaming on your server blades. With Network Adapter Teaming, the NICs on each server share the same IP address, and are configured into a team. One NIC is the primary link, and the others are backup links. For more details, refer to the NetXen 10 Gb Ethernet Adapter documentation.

Figure 13-8 illustrates a common hot-standby implementation on a single blade server. Notice that the BladeCenter server NICs are configured into a team that shares the same IP address across both NICs. Because only one link can be active at a time, the hot-standby feature controls the NIC failover by having the Standby switch disable its internal ports (holding down the server links).

[Figure 13-8: hot-standby on a single blade server. Labels recovered from the figure: IF 1: 174.14.20.110, IF 2: 10.1.1.110, VIR 1: 174.14.20.100, VIR 2: 10.1.1.]

2. Configure Virtual Interface Routers.
/cfg/l3/vrrp/on (Turn on VRRP)
>> Virtual Router Redundancy Protocol# vr 1 (Select Virtual Router 1)
>> VRRP Virtual Router 1# ena (Enable VR 1)
>> VRRP Virtual Router 1# vrid 1 (Select the Virtual Router ID)
>> VRRP Virtual Router 1# if 1 (Select interface for VR 1)
>> VRRP Virtual Router 1# addr 174.14.20.100 (Define IP address for VR 1)
>> VRRP Virtual Router 1# ..

Task 2: Configure GbESM 2
1. On GbESM 2, configure the interfaces for clients (174.14.20.111) and servers (10.1.1.111).
/cfg/l3/if 1
>> IP Interface 1# addr 174.14.20.111 (Define IP address for interface 1)
>> IP Interface 1# ena (Enable interface 1)
>> IP Interface 1# ..
>> Layer 3# if 2
>> IP Interface 2# addr 10.1.1.111 (Define IP address for interface 2)
>> IP Interface 2# ena (Enable interface 2)
2. Configure Virtual Interface Routers.

5. Turn off Spanning Tree Protocol globally. Apply and save changes.
Part 4: Appendices
This section describes the following topics:
Troubleshooting
RADIUS Server Configuration Notes
Glossary
APPENDIX A Troubleshooting
This section discusses some tools to help you troubleshoot common problems on the GbE Switch Module:
“Monitoring Ports” on page 246
Alteon OS Application Guide Monitoring Ports The port mirroring feature in the Alteon OS allows you to attach a sniffer to a monitoring port that is configured to receive a copy of all packets that are forwarded from the mirrored port. Alteon OS enables you to mirror port traffic for all layer 2 and layer 3. Port mirroring can be used as a troubleshooting tool or to enhance the security of your network.
Alteon OS Application Guide NOTE – Traffic on VLAN 4095 is not mirrored to the external ports. Port Mirroring behavior This section describes the composition of monitored packets in the GbE Switch Module, based on the configuration of the ports. If a tagged port's PVID is the same as its VLAN ID, then the egress traffic on that port is untagged.
Layer 3 Port Mirroring (Monitoring Port and Egress Port in the same GEA)
In this scenario, you observe Layer 3 port mirroring on an egress port, and both the egress port and the monitoring port are in the same Gigabit Ethernet Aggregator (GEA) unit. To find out which GEA unit each port resides on, use the /info/geaport command. The monitoring port always shows a tagged packet with a VLAN ID (VID) of the egress port.
Layer 3 Port Mirroring (Both Ports in Different GEAs)
In this scenario, you observe Layer 3 port mirroring on an egress port, but the egress port and the monitoring port reside on different Gigabit Ethernet Aggregator (GEA) units. To find out which GEA unit each port resides on, use the /info/geaport command.
Layer 3 Port Mirroring (MP Packets, Both Ports in the Same GEA)
MP packets are generated by the management processor, such as routing packets between direct interfaces. In this scenario, the mirrored port and the monitoring port reside on the same Gigabit Ethernet Aggregator (GEA) unit. To find out which GEA unit each port resides on, use the /info/geaport command. The monitoring port always shows a tagged packet with a VLAN ID (VID) of the ingress port.
Configuring Port Mirroring
To configure port mirroring for the example shown in Figure A-1:
1. Specify the monitoring port.
>> # /cfg/pmirr/monport EXT3 (Select port EXT3 for monitoring)
2. Select the ports that you want to mirror.
5. View the current configuration.
APPENDIX B RADIUS Server Configuration Notes
Use the following information to modify your RADIUS configuration files for the Nortel Networks BaySecure Access Control RADIUS server, to provide authentication for users of the GbE Switch Module.
1. Create a dictionary file called alteon.dct, with the following content:
###################################################################
# alteon.dct - RADLINX Alteon dictionary
#
# (See README.
2. Open the dictiona.dcm file, and add the following line (as in the example):
@alteon.dct
###################################################################
# dictiona.dcm
###################################################################
# Generic Radius
@radius.dct
#
# Specific Implementations (vendor specific)
#
@pprtl2l3.dct
@acc.dct
@accessbd.dct
@alteon.dct
. . .
##################################################################
# dictiona.
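As an added example (not part of this guide or of the BaySecure product), the following Python checks a dictiona.dcm file for the @alteon.dct include and adds it once, idempotently, so a deployment script can verify the step above rather than assume it. It assumes, from the excerpt shown, that lines beginning with @ include a dictionary file and that # starts a comment; the sample file content is constructed.

```python
"""Verify (and if needed add) the @alteon.dct include in a dictiona.dcm file."""
import re

# Constructed sample modelled on the dictiona.dcm excerpt above; it deliberately
# omits the @alteon.dct line so that the fix-up path is exercised.
SAMPLE_DCM = """\
###################################################################
# dictiona.dcm
###################################################################
# Generic Radius
@radius.dct
#
# Specific Implementations (vendor specific)
#
@pprtl2l3.dct
@acc.dct
@accessbd.dct
"""


def includes(dcm_text):
    """Return the dictionary files pulled in by '@file' lines, in file order.
    Assumed format (inferred from the excerpt): '#' begins a comment,
    '@name' includes the dictionary file 'name'."""
    found = []
    for raw in dcm_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        match = re.fullmatch(r"@(\S+)", line)
        if match:
            found.append(match.group(1))
    return found


def ensure_include(dcm_text, name="alteon.dct"):
    """Return (text, changed). If '@name' is missing, insert it right after the
    last existing '@' include so it lands in the vendor-specific block; if it is
    already present, return the text unchanged (safe to run repeatedly)."""
    if name in includes(dcm_text):
        return dcm_text, False
    lines = dcm_text.splitlines()
    last = max((i for i, l in enumerate(lines) if l.strip().startswith("@")),
               default=len(lines) - 1)
    lines.insert(last + 1, "@" + name)
    return "\n".join(lines) + "\n", True
```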
Glossary
DIP (Destination IP Address)
The destination IP address of a frame.
Dport (Destination Port)
The destination port (application socket: for example, http-80/https-443/DNS-53).
NAT (Network Address Translation)
Any time an IP address is changed from one source IP or destination IP address to another address, network address translation can be said to have taken place. In general, half NAT is when the destination IP or source IP address is changed from one address to another.
Virtual Router
A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface. This is one of the IP interfaces that the switch is assigned. All IP interfaces on the GbE Switch Modules must be in a VLAN. If there is more than one VLAN defined on the Web switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member.