Lenovo RackSwitch G8264CS Application Guide For Lenovo Enterprise Network Operating System 8.4



Lenovo RackSwitch G8264CS

Application Guide for Lenovo Enterprise Network Operating System 8.4

Note: Before using this information and the product it supports, read the general information in the Safety Information and Environmental Notices and User Guide documents on the Lenovo Documentation CD and the Warranty Information document that comes with the product.

First Edition (September 2016)

© Copyright Lenovo 2017
Portions © Copyright IBM Corporation 2014.

LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administration "GSA" contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.

Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.

  • Copyright Lenovo 2017 3

Contents

Preface .... 21
  Who Should Use This Guide .... 22
  What You'll Find in This Guide .... 23
  Additional References .... 27
  Typographic Conventions .... 28

Part 1: Getting Started .... 29

Chapter 1. Switch Administration .... 31
  Administration Interfaces .... 32
    Command Line Interface .... 32
  Establishing a Connection .... 33
    Using the Switch Management Ports .... 33
    Using the Switch Data Ports .... 34
    Using Telnet .... 35
    Using Secure Shell .... 35
      Using SSH with Password Authentication .... 36
      Using SSH with Public Key Authentication .... 37
    Using a Web Browser .... 38
      Configuring HTTP Access to the BBI .... 38
      Configuring HTTPS Access to the BBI .... 38
      Browser-Based Interface Summary .... 39
    Using Simple Network Management Protocol .... 40
  BOOTP/DHCP Client IP Address Services .... 41
    DHCP Host Name Configuration .... 41
    DHCP SYSLOG Server .... 42
    Global BOOTP Relay Agent Configuration .... 42
    Domain-Specific BOOTP Relay Agent Configuration .... 43
    DHCP Option 82 .... 43
    DHCP Snooping .... 43
  Easy Connect Wizard .... 45
    Configuring the Easy Connect Wizard .... 45
      Basic System Mode Configuration Example .... 46
      Transparent Mode Configuration Example .... 46
      Redundant Mode Configuration Example .... 47
  Switch Login Levels .... 49
  Setup vs. the Command Line .... 51
  Idle Disconnect .... 52
  Boot Strict Mode .... 53
    Acceptable Cipher Suites .... 56
    Configuring Strict Mode .... 57
    Configuring No-Prompt Mode .... 57
    SSL/TLS Version Limitation .... 57
    Limitations .... 57

Chapter 2. Initial Setup .... 59
  Information Needed for Setup .... 60

  • 4 G8264CS Application Guide for ENOS 8.4

  Default Setup Options .... 61
  Stopping and Restarting Setup Manually .... 62
    Stopping Setup .... 62
    Restarting Setup .... 62
  Setup Part 1: Basic System Configuration .... 63
  Setup Part 2: Port Configuration .... 65
  Setup Part 3: VLANs .... 67
  Setup Part 4: IP Configuration .... 68
    IP Interfaces .... 68
    Loopback Interfaces .... 69
      Using Loopback Interfaces for Source IP Addresses .... 69
      Loopback Interface Limitations .... 70
    Default Gateways .... 70
    IP Routing .... 70
  Setup Part 5: Final Steps .... 72
  Optional Setup for Telnet Support .... 73

Chapter 3. Switch Software Management .... 75
  Loading New Software to Your Switch .... 76
    Loading Software via the ISCLI .... 76
    Loading Software via BBI .... 77
    USB Options .... 78
      USB Boot .... 78
      USB Copy .... 79
  The Boot Management Menu .... 80
    Recovering from a Failed Software Upgrade .... 80
    Recovering from a Failed Boot Image .... 83

Part 2: Securing the Switch .... 85

Chapter 4. Securing Administration .... 87
  Secure Shell and Secure Copy .... 88
    Configuring SSH/SCP Features on the Switch .... 88
      To Enable or Disable the SSH Feature .... 88
      To Enable or Disable SCP Apply and Save .... 89
    Configuring the SCP Administrator Password .... 89
    Using SSH and SCP Client Commands .... 89
      To Log In to the Switch .... 89
      To Copy the Switch Configuration File to the SCP Host .... 89
      To Load a Switch Configuration File from the SCP Host .... 90
      To Apply and Save the Configuration .... 90
      To Copy the Switch Image and Boot Files to the SCP Host .... 90
      To Load Switch Configuration Files from the SCP Host .... 91
    SSH and SCP Encryption of Management Messages .... 91
    Generating RSA Host Key for SSH Access .... 91
    SSH/SCP Integration with RADIUS Authentication .... 91
    SSH/SCP Integration with TACACS+ Authentication .... 92


  End User Access Control .... 93
    Considerations for Configuring End User Accounts .... 93
    Strong Passwords .... 93
    User Access Control .... 94
      Setting up User IDs .... 94
      Defining a User's Access Level .... 94
      Validating a User's Configuration .... 94
      Enabling or Disabling a User .... 94
      Locking Accounts .... 94
      Re-Enabling Locked Accounts .... 95
    Listing Current Users .... 95
    Logging into an End User Account .... 95
    Password Fix-Up Mode .... 95

Chapter 5. Authentication & Authorization Protocols .... 97
  RADIUS Authentication and Authorization .... 98
    How RADIUS Authentication Works .... 98
    Configuring RADIUS on the Switch .... 98
    RADIUS Authentication Features in Enterprise NOS .... 100
    Switch User Accounts .... 100
    RADIUS Attributes for Enterprise NOS User Privileges .... 101
  TACACS+ Authentication .... 102
    How TACACS+ Authentication Works .... 102
    TACACS+ Authentication Features in Enterprise NOS .... 103
      Authorization .... 103
      Accounting .... 104
    Command Authorization and Logging .... 104
    TACACS+ Password Change .... 105
    Configuring TACACS+ Authentication on the Switch .... 105
  LDAP Authentication and Authorization .... 106
    Configuring the LDAP Server .... 106
    Configuring LDAP Authentication on the Switch .... 106

Chapter 6. 802.1X Port-Based Network Access Control .... 109
  Extensible Authentication Protocol over LAN .... 110
  EAPoL Authentication Process .... 111
  EAPoL Message Exchange .... 112
  EAPoL Port States .... 113
  Guest VLAN .... 113
  Supported RADIUS Attributes .... 114
  EAPoL Configuration Guidelines .... 116

Chapter 7. Access Control Lists .... 117
  Summary of Packet Classifiers .... 118
  Summary of ACL Actions .... 119
  Assigning Individual ACLs to a Port .... 120
  ACL Order of Precedence .... 120
  ACL Metering and Re-Marking .... 120
    Metering .... 121
    Re-Marking .... 121


  ACL Port Mirroring .... 122
  Viewing ACL Statistics .... 122
  ACL Logging .... 123
    Enabling ACL Logging .... 123
    Logged Information .... 123
    Rate Limiting Behavior .... 124
    Log Interval .... 124
    ACL Logging Limitations .... 124
  ACL Configuration Examples .... 125
    ACL Example 1 .... 125
    ACL Example 2 .... 125
    ACL Example 3 .... 126
    ACL Example 4 .... 126
    ACL Example 5 .... 126
    ACL Example 6 .... 127
  VLAN Maps .... 128
  Using Storm Control Filters .... 130

Part 3: Switch Basics .... 131

Chapter 8. VLANs .... 133
  VLANs Overview .... 134
  VLANs and Port VLAN ID Numbers .... 134
    VLAN Numbers .... 134
    PVID/Native VLAN Numbers .... 135
  VLAN Tagging/Trunk Mode .... 136
    Ingress VLAN Tagging .... 139
    Limitations .... 140
  VLAN Topologies and Design Considerations .... 141
    Multiple VLANs with Tagging/Trunk Mode Adapters .... 141
    VLAN Configuration Example .... 144
  Protocol-Based VLANs .... 145
    Port-Based vs. Protocol-Based VLANs .... 145
    PVLAN Priority Levels .... 146
    PVLAN Tagging/Trunk Mode .... 146
    PVLAN Configuration Guidelines .... 146
    Configuring PVLAN .... 147
  Private VLANs .... 148
    Private VLAN Ports .... 148
    Configuration Guidelines .... 149
    Configuration Example .... 149

Chapter 9. Ports and Link Aggregation .... 151
  Configuring QSFP+ Ports .... 152
  Aggregation Overview .... 153
  Static LAGs .... 154
    Static LAG Requirements .... 154
    Static Aggregation Configuration Rules .... 154
    Configuring a Static LAG .... 155


  Link Aggregation Control Protocol .... 157
    Static LACP LAGs .... 158
    LACP Port Modes .... 158
    LACP Individual .... 159
    LACP Minimum Links Option .... 159
    Configuring LACP .... 161
  Configurable LAG Hash Algorithm .... 162

Chapter 10. Spanning Tree Protocols .... 165
  Spanning Tree Protocol Modes .... 166
  Global STP Control .... 167
  PVRST Mode .... 167
    Port States .... 168
    Bridge Protocol Data Units .... 168
      How BPDU Works .... 168
      Determining the Path for Forwarding BPDUs .... 168
    Simple STP Configuration .... 170
    Per-VLAN Spanning Tree Groups .... 172
      Using Multiple STGs to Eliminate False Loops .... 172
      VLANs and STG Assignment .... 173
      Manually Assigning STGs .... 174
      Guidelines for Creating VLANs .... 174
      Rules for VLAN Tagged/Trunk Mode Ports .... 174
      Adding and Removing Ports from STGs .... 175
      The Switch-Centric Model .... 176
    Configuring Multiple STGs .... 177
  Rapid Spanning Tree Protocol .... 179
    Port States .... 179
    RSTP Configuration Guidelines .... 179
    RSTP Configuration Example .... 180
  Multiple Spanning Tree Protocol .... 181
    MSTP Region .... 181
    Common Internal Spanning Tree .... 181
    MSTP Configuration Guidelines .... 182
    MSTP Configuration Examples .... 182
      MSTP Example 1 .... 182
      MSTP Example 2 .... 183
  Port Type and Link Type .... 185
    Edge/Portfast Port .... 185
    Link Type .... 185

Chapter 11. Virtual Link Aggregation Groups .... 187
  VLAG Capacities .... 190
  VLAGs versus Port LAGs .... 190


  Configuring VLAGs .... 192
    Basic VLAG Configuration .... 193
      Configuring the ISL .... 193
      Configuring the VLAG .... 194
      VLAG Configuration: VLANs Mapped to MSTI .... 196
    VLAGs with VRRP .... 200
      Task 1: Configure VLAG Peer 1 .... 200
      Task 2: Configure VLAG Peer 2 .... 203
    Two-tier vLAGs with VRRP .... 206
    vLAG Peer Gateway .... 207
    Configuring VLAGs in Multiple Layers .... 207
      Task 1: Configure Layer 2/3 border switches .... 208
      Task 2: Configure switches in the Layer 2 region .... 208
  VLAG with PIM .... 210
    Traffic Forwarding .... 210
    Health Check .... 211

Chapter 12. Quality of Service .... 213
  QoS Overview .... 214
  Using ACL Filters .... 215
    Summary of ACL Actions .... 215
    ACL Metering and Re-Marking .... 216
      Metering .... 216
      Re-Marking .... 216
  Using DSCP Values to Provide QoS .... 217
    Differentiated Services Concepts .... 217
    Per-Hop Behavior .... 219
    QoS Levels .... 220
    DSCP Re-Marking and Mapping .... 220
    DSCP Re-Marking Configuration Examples .... 221
      DSCP Re-Marking Configuration Example 1 .... 221
      DSCP Re-Marking Configuration Example 2 .... 221
  Using 802.1p Priority to Provide QoS .... 223
  Queuing and Scheduling .... 224
  Control Plane Protection .... 224
  WRED with ECN .... 225
    How WRED/ECN Work Together .... 225
    Configuring WRED/ECN .... 226
    WRED/ECN Configuration Example .... 227
      Configure Global Profile for WRED .... 227
      Configure Port-level Profile for WRED .... 227
      Configure Global Profile for ECN .... 228
      Configure Port-level Profile for ECN .... 229
      Verify WRED/ECN .... 229

Part 4: Advanced Switching Features .... 231

Chapter 13. Virtualization .... 233

Chapter 14. Virtual NICs .... 235
  Defining Server Ports .... 236


  Enabling the vNIC Feature .... 236
  vNIC IDs .... 237
    vNIC IDs on the Switch .... 237
    vNIC Interface Names on the Server .... 237
  vNIC Bandwidth Metering .... 238
  vNIC Uplink Modes .... 239
  LACP LAGs .... 241
  vNIC Groups .... 242
    vNIC Groups in Dedicated Mode .... 243
    vNIC Groups in Shared Mode .... 243
  vNIC Teaming Failover .... 245
  vNIC Configuration Example .... 247
    Basic vNIC Configuration .... 247
    vNICs for iSCSI on Emulex Endeavor 2 .... 250

Chapter 15. Stacking .... 251
  Stacking Overview .... 252
    Stacking Requirements .... 252
    Stacking Limitations .... 253
  Stack Membership .... 254
    The Master Switch .... 254
      Splitting and Merging One Stack .... 254
      Merging Independent Stacks .... 255
    Backup Switch Selection .... 256
      Master Failover .... 256
      Secondary Backup .... 256
      Master Recovery .... 256
      No Backup .... 257
    Stack Member Identification .... 257
  Configuring a Stack .... 258
    Configuration Overview .... 258
    Best Configuration Practices .... 258
      Stacking VLANs .... 259
    Configuring Each Switch for the Stack .... 259
    Additional Master Configuration .... 261
      Viewing Stack Connections .... 261
      Binding Members to the Stack .... 262
      Assigning a Stack Backup Switch .... 262
  Managing the Stack .... 263
    Accessing the Master Switch CLI .... 263
    Rebooting Stacked Switches via the Master .... 263
  Upgrading Software in an Existing Stack .... 265
  Replacing or Removing Stacked Switches .... 267
    Removing a Switch from the Stack .... 267
    Installing the New Switch or Healing the Topology .... 267
    Binding the New Switch to the Stack .... 269
    Performing a Rolling Reload or Upgrade .... 269
      Starting a Rolling Reload .... 269
      Starting a Rolling Upgrade .... 270
  Saving Syslog Messages .... 271


  ISCLI Stacking Commands .... 273

Chapter 16. VMready .... 275
  VE Capacity .... 276
  Defining Server Ports .... 276
  VM Group Types .... 276
  Local VM Groups .... 277
  Distributed VM Groups .... 280
    VM Profiles .... 280
    Initializing a Distributed VM Group .... 281
    Assigning Members .... 281
    Synchronizing the Configuration .... 282
    Removing Member VEs .... 282
  VMcheck .... 283
  Virtual Distributed Switch .... 285
    Prerequisites .... 285
    Guidelines .... 285
    Migrating to vDS .... 286
  Virtualization Management Servers .... 287
    Assigning a vCenter .... 287
    vCenter Scans .... 288
    Deleting the vCenter .... 288
    Exporting Profiles .... 289
    VMware Operational Commands .... 289
  Pre-Provisioning VEs .... 290
  VLAN Maps .... 291
  VM Policy Bandwidth Control .... 292
    VM Policy Bandwidth Control Commands .... 292
    Bandwidth Policies vs. Bandwidth Shaping .... 293
  VMready Information Displays .... 294
    Local VE Information .... 294
    vCenter Hypervisor Hosts .... 295
    vCenter VEs .... 296
    vCenter VE Details .... 296
    vCenter Switchport Mapping Details .... 296
  VMready Configuration Example .... 297

Chapter 17. FCoE and CEE .... 299
  Fibre Channel over Ethernet .... 300
    The FCoE Topology .... 300
    FCoE Requirements .... 301
  Converged Enhanced Ethernet .... 302
    Turning CEE On or Off .... 302
    Effects on Link Layer Discovery Protocol .... 302
    Effects on 802.1p Quality of Service .... 303
    Effects on Flow Control .... 304


  FCoE Initialization Protocol Snooping .... 305
    Global FIP Snooping Settings .... 305
    FIP Snooping for Specific Ports .... 305
    Port FCF and ENode Detection .... 306
    FCoE Connection Timeout .... 306
    FCoE ACL Rules .... 307
    FCoE VLANs .... 307
    Viewing FIP Snooping Information .... 307
    Operational Commands .... 308
    FIP Snooping Configuration .... 308
  Priority-Based Flow Control .... 310
    Global Configuration .... 311
    PFC Configuration Example .... 312
  Enhanced Transmission Selection .... 313
    802.1p Priority Values .... 313
    Priority Groups .... 314
      PGID .... 314
      Assigning Priority Values to a Priority Group .... 315
      Deleting a Priority Group .... 315
      Allocating Bandwidth .... 315
    Configuring ETS .... 316
  Data Center Bridging Capability Exchange .... 320
    DCBX Settings .... 320
      Enabling and Disabling DCBX .... 321
      Peer Configuration Negotiation .... 321
    Configuring DCBX .... 322
  FCoE Example Configuration .... 324

Chapter 18. Fibre Channel .... 327
  Ethernet vs. Fibre Channel .... 328
  Supported Switch Roles .... 329
    FCoE Gateway .... 329
    NPV Gateway .... 329
    Full Fabric FC/FCoE Switch .... 329
    Limitations .... 330


  Implementing Fibre Channel .... 331
    Port Modes .... 331
    Fibre Channel VLANs .... 332
    Port Membership .... 332
    Switching Mode .... 333
    NPV Gateway .... 333
      NPV Port Traffic Mapping .... 333
      NPV Manual Disruptive Load Balancing .... 334
    Full Fabric Zoning .... 334
      Zones .... 335
      Zonesets .... 336
      Defining Zoning .... 336
      Activating a Zoneset .... 338
      E_Ports .... 338
      Limitations .... 339
      Optimized FCoE Traffic Flow .... 340
      Storage Management Initiative Specification (SMI-S) .... 341
  Fibre Channel Configuration .... 342
    Configuration Guidelines .... 342
    Example 1: NPV Gateway .... 342
    Example 2: Full Fabric FC/FCoE Switch .... 343
  Fibre Channel Standard Protocols Supported .... 345

Chapter 19. Edge Virtual Bridging .... 347
  EVB Operations Overview .... 348
    VSI DB Synchronization .... 348
    VLAN Behavior .... 349
    Deleting a VLAN .... 349
    Manual Reflective Relay .... 349
  EVB Configuration .... 350
  Limitations .... 352
  Unsupported Features .... 352

Chapter 20. Static Multicast ARP .... 353
  Configuring Static Multicast ARP .... 354
    Configuration Example .... 354
  Limitations .... 356

Chapter 21. Dynamic ARP Inspection .... 357
  Understanding ARP Spoofing Attacks .... 357
  Understanding DAI .... 357
  Interface Trust States and Network Security .... 358
  DAI Configuration Guidelines and Restrictions .... 360
    DAI Configuration Example .... 360

Part 5: IP Routing .... 363

Chapter 22. Basic IP Routing .... 365
  IP Routing Benefits .... 366
  Routing Between IP Subnets .... 366


  Example of Subnet Routing .... 367
    Using VLANs to Segregate Broadcast Domains .... 368
    Configuration Example .... 368
  ECMP Static Routes .... 371
    OSPF Integration .... 371
    ECMP Route Hashing .... 371
    Configuring ECMP Static Routes .... 372
  Dynamic Host Configuration Protocol .... 373
  DHCP Relay Agent .... 374

Chapter 23. Internet Protocol Version 6 .... 375
  IPv6 Limitations .... 376
  IPv6 Address Format .... 377
  IPv6 Address Types .... 378
    Unicast Address .... 378
    Multicast .... 378
    Anycast .... 378
  IPv6 Address Autoconfiguration .... 380
  IPv6 Interfaces .... 381
  Neighbor Discovery .... 382
    Neighbor Discovery Overview .... 382
    Host vs. Router .... 383
  Supported Applications .... 384
  Configuration Guidelines .... 385
  IPv6 Configuration Examples .... 386
    IPv6 Example 1 .... 386
    IPv6 Example 2 .... 386

Chapter 24. IPsec with IPv6 .... 389
  IPsec Protocols .... 390
  Using IPsec with the RackSwitch G8264CS .... 391
    Setting up Authentication .... 391
      Creating an IKEv2 Proposal .... 392
      Importing an IKEv2 Digital Certificate .... 392
      Generating a Certificate Signing Request .... 393
      Generating an IKEv2 Digital Certificate .... 396
      Enabling IKEv2 Preshared Key Authentication .... 396
    Setting Up a Key Policy .... 397
    Using a Manual Key Policy .... 398
    Using a Dynamic Key Policy .... 400

Chapter 25. Routing Information Protocol .... 401
  Distance Vector Protocol .... 402
  Stability .... 402
  Routing Updates .... 402
  RIPv1 .... 403
  RIPv2 .... 403
  RIPv2 in RIPv1 Compatibility Mode .... 403
  RIP Features .... 404
  RIP Configuration Example .... 405


Chapter 26. Internet Group Management Protocol .... 407
  IGMP Terms .... 408
  How IGMP Works .... 409
  IGMP Capacity and Default Values .... 410
  IGMP Snooping .... 412
    IGMP Querier .... 412
    Querier Election .... 412
    IGMP Groups .... 413
    IGMPv3 Snooping .... 413
    IGMP Snooping Configuration Guidelines .... 415
    IGMP Snooping Configuration Example .... 416
    Advanced Configuration Example: IGMP Snooping .... 417
      Prerequisites .... 418
      Configuration .... 418
    Troubleshooting IGMP Snooping .... 422
  IGMP Relay .... 425
    Configuration Guidelines .... 425
    Configure IGMP Relay .... 426
    Advanced Configuration Example: IGMP Relay .... 427
      Prerequisites .... 427
      Configuration .... 428
    Troubleshooting IGMP Relay .... 431
  Additional IGMP Features .... 434
    FastLeave .... 434
    IGMP Filtering .... 434
      Configuring the Range .... 434
      Configuring the Action .... 435
      Configure IGMP Filtering .... 435
    Static Multicast Router .... 435

Chapter 27. Multicast Listener Discovery .... 437
  MLD Terms .... 438
  How MLD Works .... 439
    How Flooding Impacts MLD .... 440
    MLD Querier .... 440
    Querier Election .... 440
    Dynamic Mrouters .... 441
  MLD Capacity and Default Values .... 442
  Configuring MLD .... 443

Chapter 28. Border Gateway Protocol .... 445
  Internal Routing Versus External Routing .... 446
    Route Reflector .... 447
      Configuring Route Reflection .... 449
      Restrictions .... 450
  Forming BGP Peer Routers .... 451
    Static Peers .... 451
    Dynamic Peers .... 452
      Configuring Dynamic Peers .... 452
      Removing Dynamic Peers .... 452


  Loopback Interfaces .... 454
  What is a Route Map? .... 454
    Next Hop Peer IP Address .... 455
    Incoming and Outgoing Route Maps .... 455
    Precedence .... 456
    Configuration Overview .... 456
  Aggregating Routes .... 458
  Redistributing Routes .... 458
  BGP Communities .... 459
  BGP Attributes .... 460
    Local Preference Attribute .... 460
    Metric (Multi-Exit Discriminator) Attribute .... 460
    Next Hop Attribute .... 461
  Selecting Route Paths in BGP .... 462
    Equal-Cost Multi-Path .... 462
    Multipath Relax .... 462
  BGP Failover Configuration .... 463
  Default Redistribution and Route Aggregation Example .... 465

Chapter 29. Open Shortest Path First .... 467
  OSPFv2 Overview .... 468
    Types of OSPF Areas .... 468
    Types of OSPF Routing Devices .... 469
    Neighbors and Adjacencies .... 470
    The Link-State Database .... 470
    The Shortest Path First Tree .... 472
    Internal Versus External Routing .... 472
  OSPFv2 Implementation in Enterprise NOS .... 473
    Configurable Parameters .... 473
    Defining Areas .... 474
      Assigning the Area Index .... 474
      Using the Area ID to Assign the OSPF Area Number .... 475
      Attaching an Area to a Network .... 475
    Interface Cost .... 476
    Electing the Designated Router and Backup .... 476
    Summarizing Routes .... 476
    Default Routes .... 477
    Virtual Links .... 477
    Router ID .... 478
    Authentication .... 479
      Configuring Plain Text OSPF Passwords .... 480
      Configuring MD5 Authentication .... 480
    Host Routes for Load Balancing .... 481
    Loopback Interfaces in OSPF .... 482
    OSPF Features Not Supported in This Release .... 482


  OSPFv2 Configuration Examples .... 483
    Example 1: Simple OSPF Domain .... 484
    Example 2: Virtual Links .... 486
      Configuring OSPF for a Virtual Link on Switch #1 .... 486
      Configuring OSPF for a Virtual Link on Switch #2 .... 487
      Other Virtual Link Options .... 489
    Example 3: Summarizing Routes .... 490
    Verifying OSPF Configuration .... 491
  OSPFv3 Implementation in Enterprise NOS .... 492
    OSPFv3 Differences from OSPFv2 .... 492
      OSPFv3 Requires IPv6 Interfaces .... 492
      OSPFv3 Uses Independent Command Paths .... 492
      OSPFv3 Identifies Neighbors by Router ID .... 493
      Other Internal Improvements .... 493
    OSPFv3 Limitations .... 493
    OSPFv3 Configuration Example .... 493
    Neighbor Configuration Example .... 495

Chapter 30. Protocol Independent Multicast .... 497
  PIM Overview .... 498
  Supported PIM Modes and Features .... 499
  Basic PIM Settings .... 500
    Globally Enabling or Disabling the PIM Feature .... 500
    Defining a PIM Network Component .... 500
    Defining an IP Interface for PIM Use .... 500
    PIM Neighbor Filters .... 501
  Additional Sparse Mode Settings .... 503
    Specifying the Rendezvous Point .... 503
    Influencing the Designated Router Selection .... 503
    Specifying a Bootstrap Router .... 504
    Configuring a Loopback Interface .... 504
  Using PIM with Other Features .... 506
    PIM with ACLs or VMAPs .... 506
    PIM with IGMP .... 506
  PIM Configuration Examples .... 507
    Example 1: PIM-SM with Dynamic RP .... 507
    Example 2: PIM-SM with Static RP .... 508
    Example 3: PIM-DM .... 508

Part 6: High Availability Fundamentals .... 511

Chapter 31. Basic Redundancy .... 513
  Aggregating for Link Redundancy .... 514
  Virtual Link Aggregation .... 514
  Hot Links .... 515
    Forward Delay .... 515
    Preemption .... 515
    FDB Update .... 515
    Configuration Guidelines .... 515
    Configuring Hot Links .... 516

  • Copyright Lenovo 2017 Contents 17

Chapter 32. Layer 2 Failover .... 517
Monitoring LAG Links .... 518
Setting the Failover Limit .... 518
Manually Monitoring Port Links .... 519
Monitor Port State .... 519
Control Port State .... 519
L2 Failover with Other Features .... 520
Static LAGs .... 520
LACP .... 520
Spanning Tree Protocol .... 520
Configuration Guidelines .... 521
Configuring Layer 2 Failover .... 521

Chapter 33. Virtual Router Redundancy Protocol .... 523
VRRP Overview .... 524
VRRP Components .... 524
Virtual Router .... 524
Virtual Router MAC Address .... 524
Owners and Renters .... 524
Master and Backup Virtual Router .... 525
Virtual Interface Router .... 525
VRRP Operation .... 525
Selecting the Master VRRP Router .... 526
Failover Methods .... 527
Active-Active Redundancy .... 527
Virtual Router Group .... 527
Enterprise NOS Extensions to VRRP .... 528
Virtual Router Deployment Considerations .... 529
Assigning VRRP Virtual Router ID .... 529
Configuring the Switch for Tracking .... 529
High Availability Configurations .... 530
VRRP High Availability Using Multiple VIRs .... 530
Task 1: Configure G8264CS 1 .... 531
Task 2: Configure G8264CS 2 .... 532
VRRP High Availability Using VLAGs .... 534

Part 7: Network Management .... 535

Chapter 34. Link Layer Discovery Protocol .... 537
LLDP Overview .... 538
Enabling or Disabling LLDP .... 539
Global LLDP Setting .... 539
Transmit and Receive Control .... 539
LLDP Transmit Features .... 540
Scheduled Interval .... 540
Minimum Interval .... 540
Time-to-Live for Transmitted Information .... 541
Trap Notifications .... 541
Changing the LLDP Transmit State .... 542
Types of Information Transmitted .... 542


LLDP Receive Features .... 544
Types of Information Received .... 544
Viewing Remote Device Information .... 544
Time-to-Live for Received Information .... 546
LLDP Example Configuration .... 548

Chapter 35. Simple Network Management Protocol .... 549
SNMP Version 1 & Version 2 .... 549
SNMP Version 3 .... 550
Default Configuration .... 550
User Configuration Example .... 551
Configuring SNMP Trap Hosts .... 552
SNMPv1 Trap Host .... 552
SNMPv2 Trap Host Configuration .... 553
SNMPv3 Trap Host Configuration .... 554
SNMP MIBs .... 555
Switch Images and Configuration Files .... 561
Loading a New Switch Image .... 562
Loading a Saved Switch Configuration .... 562
Saving the Switch Configuration .... 563
Saving a Switch Dump .... 563

Chapter 36. Service Location Protocol .... 565
Active DA Discovery .... 566
SLP Configuration .... 567

Chapter 37. Secure Input/Output Module .... 569
SIOM Overview .... 570
Setting an SIOM Security Policy .... 571
Enabling and Disabling the SIOM .... 571
Using Protocols With SIOM .... 571
Insecure Protocols .... 571
Secure Protocols .... 572
Insecure Protocols Unaffected by SIOM .... 573
Implementing Secure LDAP (LDAPS) .... 574
Enabling LDAPS .... 574
Disabling LDAPS .... 575
Syslogs and LDAPS .... 576
Using Cryptographic Mode .... 577

Part 8: Monitoring .... 579

Chapter 38. Remote Monitoring .... 581
RMON Overview .... 582
RMON Group 1 Statistics .... 583
RMON Group 2 History .... 584
History MIB Object ID .... 584
Configuring RMON History .... 584


RMON Group 3 Alarms .... 585
Alarm MIB objects .... 585
Configuring RMON Alarms .... 585
RMON Group 9 Events .... 587

Chapter 39. sFlow .... 589
sFlow Statistical Counters .... 589
sFlow Network Sampling .... 589
sFlow Example Configuration .... 590

Chapter 40. Port Mirroring .... 591
Port Mirroring Model .... 592
Configuring Port Mirroring .... 593

Part 9: Appendices .... 595

Appendix A. Glossary .... 597

Appendix B. VLAN Tagging Changes Since N/OS 7.9 .... 599
Managing Tagged Ports in the ISCLI .... 600
Managing Tagged Ports in the BBI and SNMP .... 603
Tagged Ports in Configuration Outputs .... 604
Tagged Ports in QBG VLANs .... 605
Tagged Ports Configuration Scenario .... 606

Appendix C. Getting help and technical assistance .... 613

Appendix D. Notices .... 615
Trademarks .... 617
Important Notes .... 618
Recycling Information .... 619
Particulate Contamination .... 620
Telecommunication Regulatory Statement .... 621
Electronic Emission Notices .... 622
Federal Communications Commission (FCC) Statement .... 622
Industry Canada Class A Emission Compliance Statement .... 622
Avis de Conformité à la Réglementation d'Industrie Canada .... 622
Australia and New Zealand Class A Statement .... 622
European Union Compliance to the Electromagnetic Compatibility Directive .... 622
Germany Class A Compliance Statement .... 623
Japan VCCI Class A Statement .... 624
Japan Electronics and Information Technology Industries Association (JEITA) Statement .... 624
Korea Communications Commission (KCC) Statement .... 625
Russia Electromagnetic Interference (EMI) Class A statement .... 626
People's Republic of China Class A electronic emission statement .... 627
Taiwan Class A compliance statement .... 628

Index .... 629

Preface

This Application Guide describes how to configure and use the Lenovo Enterprise Network Operating System 8.4 software on the RackSwitch G8264CS (referred to as G8264CS throughout this document). For documentation on installing the switch physically, see the Installation Guide for your G8264CS.

Who Should Use This Guide

This guide is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, Spanning Tree Protocol, and SNMP configuration parameters.

What You'll Find in This Guide

This guide will help you plan, implement, and administer Enterprise NOS software. Where possible, each section provides feature overviews, usage examples, and configuration instructions. The following material is included:

    Part 1: Getting Started

This material is intended to help those new to ENOS products with the basics of switch management. This part includes the following chapters:

Chapter 1, Switch Administration, describes how to access the G8264CS to configure the switch and view switch information and statistics. This chapter discusses a variety of manual administration interfaces, including local management via the switch console, and remote administration via Telnet, a web browser, or via SNMP.

Chapter 2, Initial Setup, describes how to use the built-in Setup utility to perform first-time configuration of the switch.

Chapter 3, Switch Software Management, describes how to update the ENOS software operating on the switch.

Part 2: Securing the Switch

Chapter 4, Securing Administration, describes methods for using Secure Shell for administration connections, and configuring end-user access control.

Chapter 5, Authentication & Authorization Protocols, describes the secure administration options available to remote administrators. This includes using Remote Authentication Dial-in User Service (RADIUS), as well as TACACS+ and LDAP.

Chapter 6, 802.1X Port-Based Network Access Control, describes how to authenticate devices attached to a LAN port that has point-to-point connection characteristics. This feature prevents access to ports that fail authentication and authorization and provides security to ports of the G8264CS that connect to blade servers.

Chapter 7, Access Control Lists, describes how to use filters to permit or deny specific types of traffic, based on a variety of source, destination, and packet attributes.

Chapter 37, Secure Input/Output Module, describes which protocols can be enabled. This feature allows secured traffic and secured authentication management.

Part 3: Switch Basics

Chapter 8, VLANs, describes how to configure Virtual Local Area Networks (VLANs) for creating separate network segments, including how to use VLAN tagging for devices that use multiple VLANs. This chapter also describes Protocol-based VLANs, and Private VLANs.

Chapter 9, Ports and Link Aggregation, describes how to group multiple physical ports together to aggregate the bandwidth between large-scale network devices.


Chapter 11, Virtual Link Aggregation Groups, describes using Virtual Link Aggregation Groups (VLAGs) to form LAGs spanning multiple VLAG-capable aggregator switches.

Chapter 10, Spanning Tree Protocols, discusses how Spanning Tree Protocol (STP) configures the network so that the switch selects the most efficient path when multiple paths exist. Covers Rapid Spanning Tree Protocol (RSTP), Per-VLAN Rapid Spanning Tree (PVRST), and Multiple Spanning Tree Protocol (MSTP).

Chapter 12, Quality of Service, discusses Quality of Service (QoS) features, including IP filtering using Access Control Lists (ACLs), Differentiated Services, and IEEE 802.1p priority values.

Part 4: Advanced Switching Features

Chapter 13, Virtualization, provides an overview of allocating resources based on the logical needs of the data center, rather than on the strict, physical nature of components.

Chapter 14, Virtual NICs, discusses using virtual NIC (vNIC) technology to divide NICs into multiple logical, independent instances.

Chapter 16, VMready, discusses virtual machine (VM) support on the G8264CS.

Chapter 17, FCoE and CEE, discusses using various Converged Enhanced Ethernet (CEE) features such as Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), and FIP Snooping for solutions such as Fibre Channel over Ethernet (FCoE).

Chapter 18, Fibre Channel, describes how to configure the G8264CS for use with Fibre Channel networks.

Chapter 19, Edge Virtual Bridging (EVB), discusses the IEEE 802.1Qbg standards-based protocol that defines how virtual Ethernet bridges exchange configuration information. EVB bridges the gap between physical and virtual network resources, thus simplifying network management.

Chapter 20, Static Multicast ARP, discusses the configuration of a static ARP entry with a multicast MAC address, which Microsoft's Network Load Balancing (NLB) feature needs in order to function efficiently.

Chapter 21, Dynamic ARP Inspection, discusses this security feature that lets a switch intercept and examine all ARP request and response packets in a subnet, discarding those packets with invalid IP-to-MAC address bindings. This capability protects the network from man-in-the-middle attacks.

Part 5: IP Routing

Chapter 22, Basic IP Routing, describes how to configure the G8264CS for IP routing using IP subnets, BOOTP, and DHCP Relay.

Chapter 23, Internet Protocol Version 6, describes how to configure the G8264CS for IPv6 host management.


Chapter 24, IPsec with IPv6, describes how to configure Internet Protocol Security (IPsec) for securing IP communications by authenticating and encrypting IP packets, with emphasis on Internet Key Exchange version 2, and authentication/confidentiality for OSPFv3.

Chapter 25, Routing Information Protocol, describes how the ENOS software implements standard Routing Information Protocol (RIP) for exchanging TCP/IP route information with other routers.

Chapter 26, Internet Group Management Protocol, describes how the ENOS software implements IGMP Snooping or IGMP Relay to conserve bandwidth in a multicast-switching environment.

Chapter 27, Multicast Listener Discovery, describes how Multicast Listener Discovery (MLD) is used with IPv6 to support host users' requests for multicast data for a multicast group.

Chapter 28, Border Gateway Protocol, describes Border Gateway Protocol (BGP) concepts and features supported in ENOS.

Chapter 29, Open Shortest Path First, describes key Open Shortest Path First (OSPF) concepts and their implementation in ENOS, and provides examples of how to configure your switch for OSPF support.

Chapter 30, Protocol Independent Multicast, describes how multicast routing can be efficiently accomplished using the Protocol Independent Multicast (PIM) feature.

Part 6: High Availability Fundamentals

Chapter 31, Basic Redundancy, describes how the G8264CS supports redundancy through LAGs and hot links.

Chapter 32, Layer 2 Failover, describes how the G8264CS supports high-availability network topologies using Layer 2 Failover.

Chapter 33, Virtual Router Redundancy Protocol, describes how the G8264CS supports high-availability network topologies using Virtual Router Redundancy Protocol (VRRP).

Part 7: Network Management

Chapter 34, Link Layer Discovery Protocol, describes how Link Layer Discovery Protocol helps neighboring network devices learn about each other's ports and capabilities.

Chapter 35, Simple Network Management Protocol, describes how to configure the switch for management through an SNMP client.

Chapter 36, Service Location Protocol, describes the Service Location Protocol (SLP) that allows the switch to provide dynamic directory services.


Part 8: Monitoring

Chapter 38, Remote Monitoring, describes how to configure the RMON agent on the switch, so that the switch can exchange network monitoring data.

Chapter 39, sFlow, describes how to use the embedded sFlow agent for sampling network traffic and providing continuous monitoring information to a central sFlow analyzer.

Chapter 40, Port Mirroring, discusses how to copy selected port traffic to a monitor port for network analysis.

Part 9: Appendices

Appendix A, Glossary, describes common terms and concepts used throughout this guide.

Appendix C, Getting help and technical assistance, provides details on where to go for additional information about Lenovo and Lenovo products.

Appendix D, Notices, contains safety and environmental notices.


Additional References

Additional information about installing and configuring the G8264CS is available in the following guides:

- RackSwitch G8264CS Installation Guide

- Lenovo RackSwitch G8264CS ISCLI Command Reference for Lenovo Enterprise Network Operating System 8.4

- Lenovo RackSwitch G8264CS Release Notes for Lenovo Enterprise Network Operating System 8.4


Typographic Conventions

The following table describes the typographic styles used in this book.

Table 1. Typographic Conventions

Typeface or Symbol: ABC123 (monospace)
Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
Example: View the readme.txt file.
         Main#

Typeface or Symbol: ABC123 (bold)
Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
Example: Main# sys

Typeface or Symbol: ABC123 (italic)
Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, special terms, or words to be emphasized.
Example: To establish a Telnet session, enter: host# telnet
         Read your User's Guide thoroughly.

Typeface or Symbol: [ ]
Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
Example: host# ls [-a]

Typeface or Symbol: |
Meaning: The vertical bar ( | ) is used in command examples to separate choices where multiple options exist. Select only one of the listed options. Do not type the vertical bar.
Example: host# set left|right

Typeface or Symbol: AaBbCc123
Meaning: This block type depicts menus, buttons, and other controls that appear in Web browsers and other graphical interfaces.
Example: Click the Save button.


    Part 1: Getting Started


Chapter 1. Switch Administration

Your RackSwitch G8264CS (G8264CS) is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively.

The extensive Lenovo Enterprise Network Operating System switching software included in the G8264CS provides a variety of options for accessing the switch to perform configuration, and to view switch information and statistics.

This chapter discusses the various methods that can be used to administer the switch.


Administration Interfaces

Enterprise NOS provides a variety of user interfaces for administration. These interfaces vary in character and in the methods used to access them: some are text-based, and some are graphical; some are available by default, and some require configuration; some can be accessed by local connection to the switch, and others are accessed remotely using various client applications. For example, administration can be performed using any of the following:

- A built-in, text-based command-line interface and menu system for access via serial-port connection or an optional Telnet or SSH session

- The built-in Browser-Based Interface (BBI) available using a standard web browser

- SNMP support for access through network management software such as IBM Director or HP OpenView

The specific interface chosen for an administrative session depends on user preferences, as well as the switch configuration and the available client tools.

In all cases, administration requires that the switch hardware is properly installed and turned on (see the RackSwitch G8264CS Installation Guide).

Command Line Interface

The Industry Standard Command Line Interface (ISCLI) provides a simple, direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance.

You can establish a connection to the ISCLI in any of the following ways:

- Serial connection via the serial port on the G8264CS (this option is always available)

- Telnet connection over the network

- SSH connection over the network


Establishing a Connection

The factory default settings permit initial switch administration through only the built-in serial port. All other forms of access require additional switch configuration before they can be used.

Remote access using the network requires the accessing terminal to have a valid, routable connection to the switch interface. The client IP address may be configured manually, or an IPv4 address can be provided automatically through the switch using a service such as DHCP or BOOTP relay (see BOOTP/DHCP Client IP Address Services on page 41), or an IPv6 address can be obtained using IPv6 stateless address configuration.

Note: Throughout this manual, IP address is used in places where either an IPv4 or IPv6 address is allowed. IPv4 addresses are entered in dotted-decimal notation (for example, 10.10.10.1), while IPv6 addresses are entered in hexadecimal notation (for example, 2001:db8:85a3::8a2e:370:7334). In places where only one type of address is allowed, IPv4 address or IPv6 address is specified.

Using the Switch Management Ports

To manage the switch through the management ports, you must configure an IP interface for each management interface. Configure the IPv4 address/mask and default gateway address:

1. Log on to the switch.

2. Enter Global Configuration mode.

    RS 8264CS> enable
    RS 8264CS# configure terminal

3. Configure a management IP address and mask:

    RS 8264CS(config)# interface ip 128
    RS 8264CS(config-ip-if)# ip address 
    RS 8264CS(config-ip-if)# ip netmask 
    RS 8264CS(config-ip-if)# enable
    RS 8264CS(config-ip-if)# exit

4. Configure the appropriate default gateway.

    RS 8264CS(config)# ip gateway 4 address 
    RS 8264CS(config)# ip gateway 4 enable

IP gateway 4 is required for IF 128.

Once you configure a management IP address for your switch, you can connect to a management port and use the Telnet program from an external management station to access and control the switch. The management port provides out-of-band management.


Using the Switch Data Ports

You also can configure in-band management through any of the switch data ports. To allow in-band management, use the following procedure:

1. Log on to the switch.

2. Enter IP interface mode.

    RS 8264CS> enable
    RS 8264CS# configure terminal
    RS 8264CS(config)# interface ip 

Note: Interface 128 is reserved for out-of-band management (see Using the Switch Management Ports on page 33).

3. Configure the management IP interface/mask.

IPv4:

    RS 8264CS(config-ip-if)# ip address 
    RS 8264CS(config-ip-if)# ip netmask 

IPv6:

    RS 8264CS(config-ip-if)# ipv6 address 
    RS 8264CS(config-ip-if)# ipv6 prefixlen 

4. Configure the VLAN, and enable the interface.

    RS 8264CS(config-ip-if)# vlan 1
    RS 8264CS(config-ip-if)# enable
    RS 8264CS(config-ip-if)# exit

5. Configure the default gateway.

IPv4:

    RS 8264CS(config)# ip gateway address 
    RS 8264CS(config)# ip gateway enable

IPv6:

    RS 8264CS(config)# ip gateway6 address 
    RS 8264CS(config)# ip gateway6 enable

Note: Gateway 1, 2, and 3 are used for in-band data networks. Gateway 4 is reserved for the out-of-band management port (see Using the Switch Management Ports on page 33).

Once you configure the IP address and have a network connection, you can use the Telnet program from an external management station to access and control the switch. Once the default gateway is enabled, the management station and your switch do not need to be on the same IP subnet.


The G8264CS supports an industry standard command line interface (ISCLI) that you can use to configure and control the switch over the network using the Telnet program. You can use the ISCLI to perform many basic network management functions. In addition, you can configure the switch for management using an SNMP-based network management system or a Web browser.

For more information, see the documents listed in Additional References on page 27.

Using Telnet

A Telnet connection offers the convenience of accessing the switch from a workstation connected to the network. Telnet access provides the same options for user and administrator access as those available through the console port.

By default, Telnet access is enabled. Use the following commands to disable or re-enable Telnet access:

    RS 8264CS(config)# [no] access telnet enable

Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network.

To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the following Telnet command:

    telnet 

You will then be prompted to enter a password as explained in Switch Login Levels on page 49.

Two attempts are allowed to log in to the switch. After the second unsuccessful attempt, the Telnet client is disconnected via TCP session closure.

Using Secure Shell

Although a remote network administrator can manage the configuration of a G8264CS via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure.

The switch can do only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be able to log in if the switch is doing key generation at that time. Similarly, the system will fail to do the key generation if an SSH/SCP client is logging in at that time.

The supported SSH encryption and authentication methods are:

- Server Host Authentication: Client RSA authenticates the switch when starting each connection

- Key Exchange: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-nistp224, ecdh-sha2-nistp192, rsa2048-sha256, rsa1024-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

- Encryption: aes128-ctr, aes128-cbc, rijndael128-cbc, blowfish-cbc, 3des-cbc, arcfour256, arcfour128, arcfour

- MAC: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96

- User Authentication: Local password authentication, public key authentication, RADIUS, TACACS+

Lenovo Enterprise Network Operating System implements the SSH version 2.0 standard and is confirmed to work with SSH version 2.0-compliant clients such as the following:

- OpenSSH_5.4p1 for Linux

- SecureCRT Version 5.0.2 (build 1021)

- PuTTY SSH release 0.60
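The algorithm lists above mix current and legacy choices (RC4, CBC ciphers, MD5 and truncated MACs, SHA-1 and 1024-bit key exchange), and because SSH picks the first algorithm in the client's preference list that the server also offers, the client configuration decides which of them is actually used. The following added example (not Lenovo code) classifies the switch's advertised lists, applies RFC 4253 negotiation, and emits an ssh_config stanza restricted to the acceptable subset; the accept/reject rules and the set of names OpenSSH implements are this example's own assumptions.

```python
"""Audit the SSH algorithms the G8264CS advertises and derive a client-side policy.

Added example, not Lenovo code. The switch-side lists are copied from the guide
for ENOS 8.4; the accept/reject rules below are this example's own policy (an
assumption modelled on current OpenSSH defaults), and negotiate() follows
RFC 4253 section 7.1: the client's first preference the server also lists wins.
"""
from __future__ import annotations

from typing import Optional

# Algorithm lists exactly as the guide prints them.
SWITCH_KEX = [
    "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp224", "ecdh-sha2-nistp192", "rsa2048-sha256",
    "rsa1024-sha1", "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
SWITCH_CIPHERS = [
    "aes128-ctr", "aes128-cbc", "rijndael128-cbc", "blowfish-cbc",
    "3des-cbc", "arcfour256", "arcfour128", "arcfour",
]
SWITCH_MACS = ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"]

# Names OpenSSH implements (assumption), so the generated stanza is one ssh(1)
# will parse; rsa2048-sha256 is RFC 4432 RSA key exchange, which OpenSSH lacks.
OPENSSH_KNOWN = {
    "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
    "aes128-ctr", "aes128-cbc", "blowfish-cbc", "3des-cbc",
    "arcfour256", "arcfour128", "arcfour",
    "hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96",
}


def classify(name: str) -> tuple[bool, str]:
    """Return (acceptable, reason) for one algorithm from the switch's lists."""
    n = name.lower()
    if n.startswith("arcfour"):
        return False, "RC4 stream cipher (biased keystream)"
    if n.endswith("-cbc"):
        return False, "CBC mode (plaintext-recovery weakness in SSH CBC)"
    if "md5" in n or n.endswith("-96"):
        return False, "MD5 or truncated MAC tag"
    if n in ("diffie-hellman-group1-sha1", "rsa1024-sha1"):
        return False, "1024-bit modulus (below the current 2048-bit minimum)"
    if n in ("ecdh-sha2-nistp224", "ecdh-sha2-nistp192"):
        return False, "curve below 256 bits (not an RFC 5656 required curve)"
    if n.endswith("-sha1") and not n.startswith("hmac-"):
        return False, "SHA-1 in key exchange"
    return True, "acceptable"


def accepted(algs: list[str]) -> list[str]:
    """Keep the switch's own preference order, dropping rejected algorithms."""
    return [a for a in algs if classify(a)[0]]


def negotiate(client_prefs: list[str], server_list: list[str]) -> Optional[str]:
    """RFC 4253 choice: first client preference the server also lists, else None."""
    server = set(server_list)
    return next((a for a in client_prefs if a in server), None)


def audit() -> dict[str, list[tuple[str, str]]]:
    """Map each category to the (algorithm, reason) pairs the policy rejects."""
    out: dict[str, list[tuple[str, str]]] = {}
    for cat, algs in (("kex", SWITCH_KEX), ("cipher", SWITCH_CIPHERS),
                      ("mac", SWITCH_MACS)):
        out[cat] = [(a, classify(a)[1]) for a in algs if not classify(a)[0]]
    return out


def client_stanza(host_pattern: str) -> str:
    """ssh_config Host block pinning the client to the acceptable, OpenSSH-known subset.

    With this stanza the client will not fall back to RC4, CBC or SHA-1 key
    exchange even though the switch still offers them. hmac-sha1 remains the
    only MAC, because the switch advertises no SHA-2 MAC at all.
    """
    def line(key: str, algs: list[str]) -> str:
        chosen = [a for a in accepted(algs) if a in OPENSSH_KNOWN]
        return f"    {key} {','.join(chosen)}"
    return "\n".join([f"Host {host_pattern}",
                      line("KexAlgorithms", SWITCH_KEX),
                      line("Ciphers", SWITCH_CIPHERS),
                      line("MACs", SWITCH_MACS)])


if __name__ == "__main__":
    for cat, rejected in audit().items():
        for alg, why in rejected:
            print(f"{cat:6} reject {alg:38} {why}")
    print(client_stanza("g8264cs-*"))
```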

Using SSH with Password Authentication

By default, the SSH feature is disabled. Once the IP parameters are configured and the SSH service is enabled, you can access the command line interface using an SSH connection.

To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IPv4 or IPv6 address:

    # ssh 

You will then be prompted to enter a password as explained in Switch Login Levels on page 49.


Using SSH with Public Key Authentication

SSH can also be used for switch authentication based on asymmetric cryptography. Public encryption keys can be uploaded on the switch and used to authenticate incoming login attempts based on the clients' private encryption key pairs. After a predefined number of failed public key login attempts, the switch reverts to password-based authentication.

To set up public key authentication:

1. Enable SSH:

    RS 8264CS(config)# ssh enable

2. Import the public key file using SFTP or TFTP for the admin user account:

    RS 8264CS(config)# copy {sftp|tftp} public-key
    Port type ["DATA"/"MGT"]: mgt
    Address or name of remote host: 9.43.101.151
    Source file name: 11.key
    Username of the public key: admin
    Confirm download operation (y/n) ? y

Notes:

- When prompted to input a username, a valid user account name must be entered. If no username is entered, the key is stored on the switch, and can be assigned to a user account later.

- A user account can have up to 100 public keys set up on the switch.

3. Configure a maximum number of 3 failed public key authentication attempts before the system reverts to password-based authentication:

    RS 8264CS(config)# ssh maxauthattempts 3

Once the public key is configured on the switch, the client can use SSH to log in from a system where the private key pair is set up:

    # ssh 


Using a Web Browser

The switch provides a Browser-Based Interface (BBI) for accessing the common configuration, management, and operation features of the G8264CS through your Web browser.

By default, BBI access via HTTP is enabled on the switch.

You can also access the BBI directly from an open Web browser window. Enter the URL using the IP address of the switch interface (for example, http://).

Configuring HTTP Access to the BBI

By default, BBI access via HTTP is enabled on the switch.

To disable or re-enable HTTP access to the switch BBI, use the following commands:

    RS 8264CS(config)# access http enable        (Enable HTTP access)
    or
    RS 8264CS(config)# no access http enable     (Disable HTTP access)

The default HTTP web server port to access the BBI is port 80. However, you can change the default Web server port with the following command:

    RS 8264CS(config)# access http port 

To access the BBI from a workstation, open a Web browser window and type in the URL using the IP address of the switch interface (for example, http://).

Configuring HTTPS Access to the BBI

The BBI can also be accessed via a secure HTTPS connection over management and data ports.

1. Enable HTTPS.

By default, BBI access is enabled via both HTTP and HTTPS on the switch. If HTTPS access has been disabled, use the following command to enable BBI access via HTTPS:

    RS 8264CS(config)# access https enable

2. Set the HTTPS server port number (optional).

To change the HTTPS Web server port number from the default port 443, use the following command:

    RS 8264CS(config)# access https port 

3. Generate the HTTPS certificate.

Accessing the BBI via HTTPS requires that you generate a certificate to be used during the key exchange. A default certificate is created the first time HTTPS is enabled, but you can create a new certificate defining the information you want to be used in the various fields.

    RS 8264CS(config)# access https generate-certificate
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [CA]:
    Locality Name (eg, city) [Santa Clara]:
    Organization Name (eg, company) [Lenovo Networking Operating System]:
    Organizational Unit Name (eg, section) [Network Engineering]:
    Common Name (eg, YOUR name) [0.0.0.0]:
    Email (eg, email address) []:
    Confirm generating certificate? [y/n]: y
    Generating certificate. Please wait (approx 30 seconds)
    restarting SSL agent

4. Save the HTTPS certificate.

The certificate is valid only until the switch is rebooted. To save the certificate so it is retained beyond reboot or power cycles, use the following command:

    RS 8264CS(config)# access https save-certificate

When a client (such as a web browser) connects to the switch, the client is asked to accept the certificate and verify that the fields match what is expected. Once BBI access is granted to the client, the BBI can be used.

Browser-Based Interface Summary

The BBI is organized at a high level as follows:

- Context buttons: These buttons allow you to select the type of action you wish to perform. The Configuration button provides access to the configuration elements for the entire switch. The Statistics button provides access to the switch statistics and state information. The Dashboard button allows you to display the settings and operating status of a variety of switch features.

- Navigation Window: Provides a menu of switch features and functions:

  - System: Provides access to the configuration elements for the entire switch.

  - Switch Ports: Configure each of the physical ports on the switch.

  - Port-Based Port Mirroring: Configure port mirroring behavior.

  - Layer 2: Configure Layer 2 features for the switch.

  - RMON Menu: Configure Remote Monitoring features for the switch.

  - Layer 3: Configure Layer 3 features for the switch.

  - QoS: Configure Quality of Service features for the switch.

  - Access Control: Configure Access Control Lists to filter IP packets.

  - Virtualization: Configure VMready.


Using Simple Network Management Protocol

ENOS provides Simple Network Management Protocol (SNMP) version 1, version 2, and version 3 support for access through any network management software, such as IBM Director or HP OpenView.

Note: SNMP read and write functions are enabled by default. For best security practices, if SNMP is not needed for your network, it is recommended that you disable these functions prior to connecting the switch to the network.

To access the SNMP agent on the G8264CS, the read and write community strings on the SNMP manager must be configured to match those on the switch. The default read community string on the switch is public and the default write community string is private.

The read and write community strings on the switch can be configured using the following commands:

    RS 8264CS(config)# snmp-server read-community 
    and
    RS 8264CS(config)# snmp-server write-community 

The SNMP manager must be able to reach any one of the IP interfaces on the switch.

For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following commands:

    RS 8264CS(config)# snmp-server trap-source 
    RS 8264CS(config)# snmp-server host 

To restrict SNMP access to specific IPv4 subnets, use the following commands:

    RS 8264CS(config)# access management-network snmp-ro
    and
    RS 8264CS(config)# access management-network snmp-rw

For IPv6 networks, use:

    RS 8264CS(config)# access management-network6 snmp-ro
    and
    RS 8264CS(config)# access management-network6 snmp-rw

Note: Subnets allowed for SNMP read-only access must not overlap with subnets allowed for SNMP read-write access.

For more information on SNMP usage and configuration, see Chapter 35, Simple Network Management Protocol.


BOOTP/DHCP Client IP Address Services

For remote switch administration, the client terminal device must have a valid IP address on the same network as a switch interface. The IP address on the client device may be configured manually, or obtained automatically using IPv6 stateless address configuration, or an IPv4 address may be obtained automatically via BOOTP or DHCP relay as discussed in the next section.

The G8264CS can function as a relay agent for Bootstrap Protocol (BOOTP) or DHCP. This allows clients to be assigned an IPv4 address for a finite lease period, reassigning freed addresses later to other clients.

Acting as a relay agent, the switch can forward a client's IPv4 address request to up to five BOOTP/DHCP servers. In addition to the five global BOOTP/DHCP servers, up to five domain-specific BOOTP/DHCP servers can be configured for each of up to 10 VLANs.

When a switch receives a BOOTP/DHCP request from a client seeking an IPv4 address, the switch acts as a proxy for the client. The request is forwarded as a UDP Unicast MAC layer message to the BOOTP/DHCP servers configured for the client's VLAN, or to the global BOOTP/DHCP servers if no domain-specific BOOTP/DHCP servers are configured for the client's VLAN. The servers respond to the switch with a Unicast reply that contains the IPv4 default gateway and the IPv4 address for the client. The switch then forwards this reply back to the client.

DHCP is described in RFC 2131, and the DHCP relay agent supported on the G8264CS is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.

BOOTP and DHCP relay are collectively configured using the BOOTP commands and menus on the G8264CS.

DHCP Host Name Configuration

The G8264CS supports DHCP host name configuration as described in RFC 2132, option 12. DHCP host name configuration is enabled by default.

Host name can be manually configured using the following command:

RS 8264CS(config)# hostname

If the host name is manually configured, the switch does not replace it with the host name received from the DHCP server.

After the host name is configured on the switch, if DHCP or DHCP host name configuration is disabled, the switch retains the host name.

The switch prompt displays the host name.

Host name configuration can be enabled or disabled using the following command:

RS 8264CS(config)# [no] system dhcp hostname


DHCP SYSLOG Server

During switch startup, if the switch fails to get the configuration file, a message can be recorded in the SYSLOG server.

The G8264CS supports requesting of a SYSLOG server IP address from the DHCP server as described in RFC 2132, option 7. DHCP SYSLOG server request option is enabled by default.

Manually configured SYSLOG server takes priority over DHCP SYSLOG server.

Up to two SYSLOG server addresses received from the DHCP server can be used. The SYSLOG server can be learnt over a management port or a data port.

Use the RS 8264CS# show logging command to view the SYSLOG server address.

DHCP SYSLOG server address option can be enabled/disabled using the following command:

RS 8264CS(config)# [no] system dhcp syslog

Global BOOTP Relay Agent Configuration

To enable the G8264CS to be a BOOTP (or DHCP) forwarder, enable the BOOTP relay feature, configure up to four global BOOTP server IPv4 addresses on the switch, and enable BOOTP relay on the interface(s) on which the client requests are expected.

Generally, it is best to configure BOOTP for the switch IP interface that is closest to the client, so that the BOOTP server knows from which IPv4 subnet the newly allocated IPv4 address will come.

In the G8264CS implementation, there are no primary or secondary BOOTP servers. The client request is forwarded to all the global BOOTP servers configured on the switch (if no domain-specific servers are configured). The use of multiple servers provides failover redundancy. However, no health checking is supported.

1. Use the following commands to configure global BOOTP relay servers:

RS 8264CS(config)# ip bootp-relay enable
RS 8264CS(config)# ip bootp-relay server address

2. Enable BOOTP relay on the appropriate IP interfaces.

BOOTP/DHCP Relay functionality may be assigned on a per-interface basis using the following commands:

RS 8264CS(config)# interface ip
RS 8264CS(config-ip-if)# relay
RS 8264CS(config-ip-if)# exit


Domain-Specific BOOTP Relay Agent Configuration

Use the following commands to configure up to five domain-specific BOOTP relay agents for each of up to 10 VLANs:

RS 8264CS(config)# ip bootp-relay bcast-domain vlan
RS 8264CS(config)# ip bootp-relay bcast-domain server address
RS 8264CS(config)# ip bootp-relay bcast-domain enable

As with global relay agent servers, domain-specific BOOTP/DHCP functionality may be assigned on a per-interface basis (see Step 2 on page 42).

DHCP Option 82

DHCP Option 82 provides a mechanism for generating IP addresses based on the client device's location in the network. When you enable the DHCP relay agent option on the switch, it inserts the relay agent information option 82 in the packet, and sends a unicast BOOTP request packet to the DHCP server. The DHCP server uses the option 82 field to assign an IP address, and sends the packet, with the original option 82 field included, back to the relay agent. The DHCP relay agent strips off the option 82 field in the packet and sends the packet to the DHCP client.

Configuration of this feature is optional. The feature helps resolve several issues where untrusted hosts access the network. See RFC 3046 for details.

Use the following commands to configure DHCP Option 82:

RS 8264CS(config)# ip bootp-relay information enable    (Enable Option 82)
RS 8264CS(config)# ip bootp-relay enable                (Enable DHCP relay)
RS 8264CS(config)# ip bootp-relay server address

DHCP Snooping

DHCP snooping provides security by filtering untrusted DHCP packets and by building and maintaining a DHCP snooping binding table. This feature is applicable only to IPv4 and only works in non-stacking mode.

An untrusted interface is a port that is configured to receive packets from outside the network or firewall. A trusted interface receives packets only from within the network. By default, all DHCP ports are untrusted.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and port number that correspond to the local untrusted interface on the switch; it does not contain information regarding hosts interconnected with a trusted interface.

By default, DHCP snooping is disabled on all VLANs. You can enable DHCP snooping on one or more VLANs. You must enable DHCP snooping globally. To enable this feature, enter the following commands:

RS 8264CS(config)# ip dhcp snooping vlan
RS 8264CS(config)# ip dhcp snooping


Following is an example of DHCP snooping configuration, where the DHCP server and client are in VLAN 100, and the server connects using port 24.

RS 8264CS(config)# ip dhcp snooping vlan 100
RS 8264CS(config)# ip dhcp snooping
RS 8264CS(config)# interface port 24
RS 8264CS(config-if)# ip dhcp snooping trust                       (Optional; Set port as trusted)
RS 8264CS(config-if)# ip dhcp snooping information option-insert   (Optional; add DHCP option 82)
RS 8264CS(config-if)# ip dhcp snooping limit rate 100              (Optional; Set DHCP packet rate)
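The relay-agent Option 82 handling and the DHCP snooping trust rules and binding table described in the two sections above, as an added example that is not Lenovo's code and is not taken from ENOS: a Python model that parses RFC 2132 options, inserts and strips option 82 (RFC 3046), drops server replies that arrive on untrusted ports, and learns a binding from the ACK. The remote-id value, the message objects and the sample port/VLAN numbers (VLAN 100, trusted server port 24, as in the configuration above) are constructed; the per-port rate limit is not modelled.

```python
from dataclasses import dataclass, field

# RFC 2132 option codes and message types used by this model
OPT_LEASE, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 51, 53, 82, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-options of option 82


def parse_options(raw: bytes) -> list:
    """Decode the TLV option field; PAD (0) is skipped, END (255) terminates it."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0:
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def encode_options(opts: list) -> bytes:
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


@dataclass
class DhcpMsg:
    """Only the BOOTP fields the snooper needs: client MAC, assigned IP, options."""
    chaddr: str
    yiaddr: str
    options: bytes


@dataclass
class DhcpSnooper:
    """Per-VLAN DHCP snooping with Option 82 insertion, modelled on the text above."""
    remote_id: bytes                              # identifies this relay agent (constructed)
    trusted_ports: set = field(default_factory=set)
    snooping_vlans: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)  # mac -> (ip, lease, vlan, port)
    _pending: dict = field(default_factory=dict)  # mac -> (vlan, port) awaiting a reply

    def process(self, msg: DhcpMsg, port: int, vlan: int):
        """Return the message to forward (possibly rewritten), or None if it is dropped."""
        if vlan not in self.snooping_vlans:
            return msg                            # snooping not enabled on this VLAN
        opts = parse_options(msg.options)
        mtype = next((v[0] for c, v in opts if c == OPT_MSG_TYPE and v), None)
        if mtype is None:
            return None                           # malformed: no message-type option
        has_opt82 = any(c == OPT_RELAY_INFO for c, _ in opts)
        if mtype in (DISCOVER, REQUEST):          # client -> server direction
            if port in self.trusted_ports:
                return msg
            if has_opt82:
                return None                       # relay info from an untrusted port: drop
            self._pending[msg.chaddr] = (vlan, port)
            circuit = f"{vlan}:{port}".encode()   # circuit-id: where the client attaches
            relay = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
                     + bytes([SUB_REMOTE_ID, len(self.remote_id)]) + self.remote_id)
            return DhcpMsg(msg.chaddr, msg.yiaddr,
                           encode_options(opts + [(OPT_RELAY_INFO, relay)]))
        if mtype in (OFFER, ACK):                 # server -> client direction
            if port not in self.trusted_ports:
                return None                       # server reply on an untrusted port: drop
            if mtype == ACK and msg.chaddr in self._pending:
                raw = next((v for c, v in opts if c == OPT_LEASE), b"\0\0\0\0")
                cvlan, cport = self._pending.pop(msg.chaddr)
                self.bindings[msg.chaddr] = (msg.yiaddr, int.from_bytes(raw, "big"), cvlan, cport)
            opts = [o for o in opts if o[0] != OPT_RELAY_INFO]   # strip option 82
            return DhcpMsg(msg.chaddr, msg.yiaddr, encode_options(opts))
        return msg                                # other message types pass unchanged
```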


Easy Connect Wizard

Lenovo Easy Connect (EZC) is a feature designed to simplify switch configuration. A set of predefined configurations can be applied on the switch via ISCLI. By launching the EZC Wizard, you are prompted for a minimal set of input and the tool automatically customizes the switch software.

The EZC Wizard allows you to choose one of the following configuration modes:

Basic System mode supports settings for hostname, static management port IP, netmask, and gateway.

Transparent mode collects server and uplink port settings. vNIC groups are used to define the loop-free domains.

Note: You can either accept the static defaults or enter a different port list for uplink and/or server ports.

Redundant mode refers to VLAG settings.

The EZC configuration will be applied immediately. Any existing configuration will be deleted; the current active or running configuration will not be merged or appended to the EZC configuration.

For any custom settings that are not included in the predefined configuration sets, the user has to configure them manually.

Note: To support scripting, the feature also has a single-line format. For more information, please refer to the Lenovo Networking ISCLI Reference Guide.

Configuring the Easy Connect Wizard

To launch the EZC Wizard, use the following command:

RS 8264CS# easyconnect

The wizard displays the available predefined configuration modes. You are prompted to select one of the following options:

RS 8264CS# easyconnect
Auto configures the switch into a set configuration based on the input provided.
Current configuration will be overwritten with auto configuration settings.
The wizard can be canceled anytime by pressing Ctrl+C.
Select which of the following features you want enabled:
#Configure Basic system (yes/no)?
#Configure Transparent mode (yes/no)?
#Configure Switch Redundant mode (yes/no)?


Basic System Mode Configuration Example

This example shows the parameters available for configuration in Basic System mode:

RS 8264CS# easyconnect
Configure Basic system (yes/no)? y

Please enter "none" for no hostname.
Enter hostname(Default: None)? host

Please enter "dhcp" for dhcp IP.
Select management IP address (Current: 10.241.13.32)?
Enter management netmask(Current: 255.255.255.128)?
Enter management gateway:(Current: 10.241.13.1)?

Pending switch port configuration:

Hostname: host
Management interface:
IP: 10.241.13.32
Netmask: 255.255.255.128
Gateway: 10.241.13.1
Confirm erasing current config to re-configure Easy Connect (yes/no)?

Note: You can either accept the default values or enter new parameters.

Transparent Mode Configuration Example

This example shows the parameters available for configuration in Transparent mode:

RS 8264CS# #easyconnect
Configure Transparent mode (yes/no)? y
Select Uplink Ports (Static Defaults: 17-24)?
The following Uplink ports will be enabled:
Uplink ports(1G/10G): 17-24
Select Server Ports (Static Defaults: 25-64)?
The following Server ports will be enabled:
Server ports(1G/10G): 25-64
Pending switch configuration:

Uplink Ports: 17-24
Server Ports: 25-64
Disabled Ports: 1,5,9,13
Confirm erasing current config to re-configure Easy Connect (yes/no)?

Notes:

If your selection for a port group contains ports of different mode or speed, the selection is not valid and you are guided to either select other ports or change the speed of the ports.

You can either accept the static defaults or enter a different port list for uplink and/or server ports.


Redundant Mode Configuration Example

This example shows the parameters available for configuration in Redundant mode:

RS 8264CS# #easyconnect
Configure Switch Redundant mode (yes/no)? y

Note: It is recommended to select Basic system configuration in order to set the management IP address used for vLAG health check.

Configure Basic system (yes/no)? y

Configure this switch as vLAG Primary or Secondary Peer (primary/secondary)? prim

Select ISL Ports (Static Defaults: 1-16)?
The following ISL ports will be enabled:
ISL ports(40G) : 1-16

Select vLAG TierID (Default: 101)?

Select management IP address (Current: 192.168.49.50)?

Enter management netmask (Current: 255.255.255.0)?

Select Peer IP address for vLAG healthcheck (Default: 1.1.1.2)?
Warning: vLAG healthcheck Peer IP is not reachable.
Do you want to select another Peer IP (yes/no)? y
Select Peer IP address for vLAG healthcheck (Default: 1.1.1.2)?
Warning: vLAG healthcheck Peer IP is not reachable.
Do you want to select another Peer IP (yes/no)? n

Select Uplink Ports (Static Defaults: 17-24)?
The following Uplink ports will be enabled:
Uplink ports(1G/10G): 17-24

Select Downlink Ports (Static Defaults: 25-64)?
The following Downlink ports will be enabled:
Downlink ports(1G/10G): 25-64

Please enter "none" for no hostname.
Enter hostname(Default: Primary VLAG)?

Please enter "none" for no gateway.
Enter management gateway:(Default: 0.0.0.0)?

Pending switch configuration:

vLAG switch type: Primary
ISL Ports: 1-16
vLAG TierID: 101
vLAG Peer IP: 1.1.1.2
Uplink Ports: 17-24
Downlink Ports: 25-64
Disabled Ports: empty

Hostname: Primary VLAG
Management interface:
IP: 192.168.49.50
Netmask: 255.255.255.0
Gateway: 0.0.0.0

Confirm erasing current config to re-configure Easy Connect (yes/no)?

Notes:

If your selection for a port group contains ports of different speed, the selection is not valid, and you are guided to either select other ports or change the speed of the ports.

All unused ports are configured as shutdown in the configuration dump.

You can either accept the static defaults or enter a different port list for ISL, uplink, and/or downlink ports.


Switch Login Levels

To enable better switch management and user accountability, three levels or classes of user access have been implemented on the G8264CS. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:

User interaction with the switch is completely passive: nothing can be changed on the G8264CS. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.

Operators can only effect temporary changes on the G8264CS. These changes will be lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation.

Administrators are the only ones that may make permanent changes to the switch configuration, that is, changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the G8264CS. Because administrators can also make temporary (operator-level) changes as well, they must be aware of the interactions between temporary and permanent changes.

Access to switch functions is controlled through the use of unique user names and passwords. Once you are connected to the switch via console, remote Telnet, or SSH, you are prompted to enter a password. The default user names/password for each access level are listed in the following table.

Note: It is recommended that you change the default switch passwords after initial configuration and as regularly as required under your network security policies.

Table 2. User Access Levels Default Settings

User Account: user
Password: user
Description and Tasks Performed: The User has no direct responsibility for switch management. He or she can view all switch status information and statistics, but cannot make any configuration changes to the switch.
Status: Disabled

User Account: oper
Password: oper
Description and Tasks Performed: The Operator manages all functions of the switch. The Operator can reset ports, except the management ports.
Status: Disabled

User Account: admin
Password: admin
Description and Tasks Performed: The super-user Administrator has complete access to all menus, information, and configuration commands on the G8264CS, including the ability to change both the user and administrator passwords.
Status: Enabled

Note: Access to each user level (except admin account) can be disabled by setting the password to an empty value. To disable the admin account, use the command no access user administrator-enable. The Admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege.


Setup vs. the Command Line

Once the administrator password is verified, you are given complete access to the switch. If the switch is still set to its factory default configuration, you will need to run Setup (see Chapter 2, "Initial Setup"), a utility designed to help you through the first-time configuration process. If the switch has already been configured, the command line is displayed instead.


Idle Disconnect

By default, the switch will disconnect your Telnet session after 10 minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 0 to 60 minutes, where 0 means the session will never time out.

Use the following command to set the idle timeout value:

RS 8264CS(config)# system idle


Boot Strict Mode

The implementations specified in this section are compliant with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131A.

The RackSwitch G8264CS can operate in two boot modes:

Compatibility mode (default): This is the default switch boot mode. This mode may use algorithms and key lengths that may not be allowed/acceptable by the NIST SP 800-131A specification. This mode is useful in maintaining compatibility with previous releases and in environments that have lesser data security requirements.

Strict mode: Encryption algorithms, protocols, and key lengths in strict mode are compliant with the NIST SP 800-131A specification.

When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch.

Before enabling strict mode, ensure the following:

The software version on all connected switches is Enterprise NOS 8.4.

The supported protocol versions and cryptographic cipher suites between clients and servers are compatible. For example: if using SSH to connect to the switch, ensure that the SSH client supports SSHv2 and a strong cipher suite that is compliant with the NIST standard.

A compliant Web server certificate is installed on the switch, if using BBI.

A new self-signed certificate is generated for the switch (RS 8264CS(config)# access https generate-certificate). The new certificate is generated using a 2048-bit RSA key and SHA-256 digest.

Protocols that are not NIST SP 800-131A compliant must be disabled or not used.

Only SSHv2 or higher is used.

The current configuration, if any, is saved in a location external to the switch. When the switch reboots, both the startup and running configuration are lost.

Only protocols/algorithms compliant with the NIST SP 800-131A specification are used/enabled on the switch. Please see the NIST SP 800-131A publication for details. The following table lists the acceptable protocols and algorithms:

Table 3. Acceptable Protocols and Algorithms

Columns: Protocol/Function; Strict Mode Algorithm; Compatibility Mode Algorithm

BGP
  Strict mode: BGP does not comply with the NIST SP 800-131A specification. When in strict mode, BGP is disabled. However, it can be enabled, if required.
  Compatibility mode: Acceptable

Certificate Generation
  Strict mode: RSA 2048, SHA 256
  Compatibility mode: RSA 2048, SHA 256

Certificate Acceptance
  Strict mode: RSA 2048 or higher, SHA 224 or higher
  Compatibility mode: RSA; SHA, SHA2

HTTPS
  Strict mode: TLS 1.2 only. See "Acceptable Cipher Suites" on page 56.
  Compatibility mode: TLS 1.0, 1.1, 1.2. See "Acceptable Cipher Suites" on page 56.

IKE
  Key Exchange: strict mode DH Group 24; compatibility mode DH group 1, 2, 5, 14, 24
  Encryption: strict mode 3DES, AES-128-CBC; compatibility mode 3DES, AES-128-CBC
  Integrity: strict mode HMAC-SHA1; compatibility mode HMAC-SHA1, HMAC-MD5

IPSec
  AH: strict mode HMAC-SHA1; compatibility mode HMAC-SHA1, HMAC-MD5
  ESP: strict mode 3DES, AES-128-CBC, HMAC-SHA1; compatibility mode 3DES, AES-128-CBC, HMAC-SHA1, HMAC-MD5

LDAP
  Strict mode: LDAP does not comply with the NIST SP 800-131A specification. When in strict mode, LDAP is disabled. However, it can be enabled, if required.
  Compatibility mode: Acceptable

OSPF
  Strict mode: OSPF does not comply with the NIST SP 800-131A specification. When in strict mode, OSPF is disabled. However, it can be enabled, if required.
  Compatibility mode: Acceptable

RADIUS
  Strict mode: RADIUS does not comply with the NIST SP 800-131A specification. When in strict mode, RADIUS is disabled. However, it can be enabled, if required.
  Compatibility mode: Acceptable

Random Number Generator
  Strict mode: NIST SP 800-90A AES CTR DRBG
  Compatibility mode: NIST SP 800-90A AES CTR DRBG

Secure NTP
  Strict mode: Secure NTP does not comply with the NIST SP 800-131A specification. When in strict mode, secure NTP is disabled. However, it can be enabled, if required.
  Compatibility mode: Acceptable

SLP
  Strict mode: SHA 256 or higher; RSA/DSA 2048 or higher

SNMP
  Strict mode: SNMPv3 only; AES-128-CFB-128/SHA1. Note: The following algorithms are acceptable if you choose to support old SNMPv3 factory default users: AES-128-CFB/SHA1, DES/MD5, AES-128-CFB-128/SHA1
  Compatibility mode: SNMPv1, SNMPv2, SNMPv3; DES/MD5, AES-128-CFB-128/SHA1

SSH/SFTP
  Host Key: strict mode SSH-RSA; compatibility mode SSH-RSA
  Key Exchange:
    Strict mode: ECDH-SHA2-NISTP521, ECDH-SHA2-NISTP384, ECDH-SHA2-NISTP256, ECDH-SHA2-NISTP224, RSA2048-SHA256, DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256, DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA1
    Compatibility mode: ECDH-SHA2-NISTP521, ECDH-SHA2-NISTP384, ECDH-SHA2-NISTP256, ECDH-SHA2-NISTP224, ECDH-SHA2-NISTP192, RSA2048-SHA256, RSA1024-SHA1, DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256, DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA1, DIFFIE-HELLMAN-GROUP14-SHA1, DIFFIE-HELLMAN-GROUP1-SHA1
  Encryption:
    Strict mode: AES128-CTR, AES128-CBC, 3DES-CBC
    Compatibility mode: AES128-CTR, AES128-CBC, RIJNDAEL128-CBC, BLOWFISH-CBC, 3DES-CBC, ARCFOUR256, ARCFOUR128, ARCFOUR
  MAC:
    Strict mode: HMAC-SHA1, HMAC-SHA1-96
    Compatibility mode: HMAC-SHA1, HMAC-SHA1-96, HMAC-MD5, HMAC-MD5-96

TACACS+
  Strict mode: TACACS+ does not comply with the NIST SP 800-131A specification. When in strict mode, TACACS+ is disabled. However, it can be enabled, if required.
  Compatibility mode: Acceptable
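The pre-check the section above asks for (an SSH client must still share a NIST-compliant algorithm with the switch once strict mode is on), as an added example that is not Lenovo's code: a Python model of the SSH algorithm negotiation from RFC 4253 section 7.1 run against the SSH/SFTP key-exchange, encryption and MAC lists of Table 3. The server lists are transcribed from the table into lowercase SSH wire names (an assumption to check against what your client actually offers, for example with ssh -Q kex); the two client name-lists are constructed.

```python
from typing import Dict, List, Optional

# Server-side SSH algorithm lists transcribed from Table 3 above, written as the
# lowercase wire names used in SSH KEXINIT name-lists (assumed spelling).
STRICT: Dict[str, List[str]] = {
    "kex": ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp224", "rsa2048-sha256",
            "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group-exchange-sha1"],
    "cipher": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-sha1-96"],
}
COMPAT: Dict[str, List[str]] = {
    "kex": ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp224", "ecdh-sha2-nistp192", "rsa2048-sha256",
            "rsa1024-sha1", "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "cipher": ["aes128-ctr", "aes128-cbc", "rijndael128-cbc", "blowfish-cbc",
               "3des-cbc", "arcfour256", "arcfour128", "arcfour"],
    "mac": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
}


def negotiate(client_prefs: str, server_supported: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first algorithm in the client's comma-separated
    name-list that the server also supports is chosen; None means no match."""
    for name in client_prefs.split(","):
        if name in server_supported:
            return name
    return None


def check_client(client: Dict[str, str], mode: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Negotiate kex, cipher and mac against one boot mode's lists; a None entry
    means the SSH connection would fail in that mode."""
    return {cat: negotiate(client[cat], mode[cat]) for cat in ("kex", "cipher", "mac")}


def strict_mode_ready(client: Dict[str, str]) -> bool:
    """True if the client can still connect after boot strict mode is enabled."""
    return all(alg is not None for alg in check_client(client, STRICT).values())


if __name__ == "__main__":
    # Constructed client name-lists: a legacy client and a current one.
    legacy = {"kex": "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1",
              "cipher": "arcfour,3des-cbc", "mac": "hmac-md5"}
    modern = {"kex": "ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256",
              "cipher": "aes128-ctr,aes128-cbc", "mac": "hmac-sha1"}
    for label, client in (("legacy", legacy), ("modern", modern)):
        print(label, "compat:", check_client(client, COMPAT))
        print(label, "strict:", check_client(client, STRICT),
              "strict-ready:", strict_mode_ready(client))
```

Running it shows the legacy client connecting in compatibility mode but losing both key exchange and MAC in strict mode, which is exactly the case the pre-check is meant to catch before the reboot.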


Acceptable Cipher Suites

The following cipher suites are acceptable (listed in the order of preference) when the RackSwitch G8264CS is in compatibility mode:

Table 4. List of Acceptable Cipher Suites in Compatibility Mode

Cipher ID  Key Exchange  Authentication  Encryption   MAC     Cipher Name
0xC027     ECDHE         RSA             AES_128_CBC  SHA256  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
0xC013     ECDHE         RSA             AES_128_CBC  SHA1    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xC012     ECDHE         RSA             3DES         SHA1    SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
0xC011     ECDHE         RSA             RC4          SHA1    SSL_ECDHE_RSA_WITH_RC4_128_SHA
0x002F     RSA           RSA             AES_128_CBC  SHA1    TLS_RSA_WITH_AES_128_CBC_SHA
0x003C     RSA           RSA             AES_128_CBC  SHA256  TLS_RSA_WITH_AES_128_CBC_SHA256
0x0005     RSA           RSA             RC4          SHA1    SSL_RSA_WITH_RC4_128_SHA

The following cipher suites are acceptable (listed in the order of preference) when the RackSwitch G8264CS is in strict mode: