Lenovo Network
Application Guide for Lenovo Cloud Network Operating System 10.4

Note: Before using this information and the product it supports, read the general information in the Safety information and Environmental Notices and User Guide documents on the Lenovo Documentation CD, and the Warranty Information document that comes with the product.

First Edition (June 2017)

Copyright Lenovo 2017. Portions Copyright IBM Corporation 2014.

LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant a General Services Administration GSA contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS35F05925.

Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.
Contents

Preface
Who Should Use This Guide
Application Guide Overview
Additional References
Typographic Conventions

Part 1: Getting Started

Chapter 1. Switch Administration
Administration Interfaces
Industry Standard Command Line Interface
Establishing a Connection
Using the Switch Management Interface
Using the Switch Ethernet Ports
Using Telnet
Using Secure Shell
Using SSH with Password Authentication
Using SSH with Server Key Authentication
Using Simple Network Management Protocol
Zero Touch Provisioning
DHCP Discovery
ZTP Boot File
Forcedly Enabling or Disabling ZTP
DHCP IP Address Services
DHCP Client Configuration
DHCPv4 Hostname Configuration (Option 12)
DHCPv4 Syslog Server (Option 7)
DHCPv4 NTP Server (Option 42)
DHCPv4 Vendor Class Identifier (Option 60)
DHCPv4 Snooping
Configure the DHCPv4 Snooping Binding Table
Configure the DHCPv4 Snooping Syslog
DHCP Snooping Limitations
DHCP Relay Agent
DHCPv4 Option 82
Switch Login Levels
Ping
Ping Configurable Parameters
Test Interruption
Ping Count
Ping Packet Interval
Ping Packet Size
Ping Source
Ping DF Bit
Ping Timeout
Ping VRF
Ping Interactive Mode
Traceroute
Traceroute Configurable Parameters
Test Interruption
Traceroute Source
Traceroute VRF
Traceroute Interactive Mode
Network Time Protocol
NTP Synchronization Retry
NTP Client and Peer
NTP Authentication Field Encryption Key
NTP Polling Intervals
NTP Preference
Dynamic and Static NTP Servers
NTP Authentication
NTP Authentication Configuration Example
Domain Name Server Client
System Logging
Syslog Outputs
Syslog Severity Levels
Syslog Time Stamping
Syslog Rate Limit
Syslog Servers
Console Logging Flood Control
Duplicate Syslog Message Suppression
Core Dump Information
Idle Disconnect
Python Scripting
REST API Programming

Chapter 2. Using the Command Line Interface
CLI Command Modes
Command Line Interface Shortcuts
CLI List and Range Inputs
Command Abbreviation
Tab Completion
Line Editing
Command Aliases
Defining Aliases
Removing Aliases
Displaying Aliases
Rules for Using Aliases

Chapter 3. System License Keys
Obtaining License Keys
Installing License Keys
Uninstalling License Keys
Transferring License Keys
ONIE License Key
Chapter 4. Switch Software Management
Installing New Software to Your Switch
Installing System Images from a Remote Server
Installing System Images from a USB Device
Installing U-boot from a Remote Server
Installing U-boot from a USB Device
Selecting a Software Image to Run
Reloading the Switch
Copying Configuration Files
Copy Configuration Files via a Remote Server
Copy Configuration Files to a USB Device
Resetting the Switch to the Factory Defaults
Converting the Switch Software Image from CNOS to ENOS
The NE10032 BIOS Menu
The Boot Management Menu
Switching Between ENOS and CNOS Images Loaded on the G8272
Boot Recovery Mode
Recovering from a Failed Image Upgrade using TFTP
Recovering from a Failed Image Upgrade using XModem Download
Physical Presence
ONIE Submenu
ONIE

Part 2: Securing the Switch

Chapter 5. Securing Administration
Secure Shell and Secure Copy
SSH Encryption and Authentication
Generating RSA/DSA Host Key for SSH Access
SSH Integration with TACACS+ Authentication
Configuring SSH on the Switch
Using SSH Client Commands
To Log On to the Switch
Using Secure Copy
Copying a File Using SCP
Copying the Startup Configuration Using SCP
Copying the Running Configuration Using SCP
Copying Technical Support Files Using SCP
End-user Access Control
Considerations for Configuring End-user Accounts
Strong Passwords
User Access Control
Setting up Users
Defining a User's Access Level
Deleting a User
The Default User
Password History Checking
Administrator Password Recovery
Chapter 6. AAA Protocols
RADIUS
RADIUS Basics
How RADIUS Authentication Works
RADIUS Authentication Features in Cloud NOS
Switch User Accounts
RADIUS Attributes for Cloud NOS User Privileges
Configuring RADIUS on the Switch
TACACS+
TACACS+ Basics
How TACACS+ Authentication Works
TACACS+ Authentication Features in Cloud NOS
Authorization
Accounting
Configuring TACACS+ Authentication on the Switch
Authentication, Authorization, and Accounting
AAA Groups
Group Lists
Configuring AAA Groups
Authentication
Configuring AAA Authentication
Authorization
Configuring AAA Authorization
Accounting
Configuring AAA Accounting
Public Key Infrastructure
PKI Components
Implementing a PKI System
Removing PKI Components
Viewing PKI Components

Chapter 7. Access Control Lists
Supported ACL Types
Summary of Packet Classifiers
Summary of ACL Actions
Configuring Port ACLs (PACLs)
Configuring Router ACLs (RACLs)
Configuring VLAN ACLs (VACLs)
Configuring Management ACLs (MACLs)
ACL Order of Precedence
Creating and Modifying ACLs
Creating an IPv4 ACL
Removing an IPv4 ACL
Resequencing an IPv4 ACL
Creating a MAC ACL
Removing a MAC ACL
Resequencing a MAC ACL
Creating an ARP ACL
Removing an ARP ACL
Resequencing an ARP ACL
Viewing ACL Rule Statistics
ACL Configuration Examples
ACL Example 1
ACL Example 2
ACL Example 3
ACL Example 4
ACL Example 5
ACL Example 6

Part 3: Switch Basics

Chapter 8. Interface Management
Interface Management Overview
Management Interface
Virtual Routing and Forwarding
Physical Ports
G8272 Physical Port Capabilities
G8296 Physical Port Capabilities
G8332 Physical Port Capabilities
NE1072T Physical Port Capabilities
NE1032T Physical Port Capabilities
NE1032 Physical Port Capabilities
NE10032 Physical Capabilities
CLI Port Format
Port Aggregation
Loopback Interfaces
Switch Virtual Interfaces
Basic Interface Configuration
Forwarding Error Correction
Interface Description
Interface Duplex
Interface MAC Address
Interface Maximum Transmission Unit
Interface Shutdown
Interface Speed
Flow Control
Storm Control

Chapter 9. Forwarding Database
MAC Learning
Static MAC addresses
Aging Time

Chapter 10. VLANs
VLAN Overview
VLAN Configuration
Creating a VLAN
Deleting a VLAN
Configuring the State of a VLAN
Configuring the Name of a VLAN
Configuring a Switch Access Port
Configuring the Access VLAN
Configuring a Switch Trunk Port
Configuring the Allowed VLAN List
Configuring the Native VLAN
Native VLAN Tagging
Configuring Native VLAN Tagging
Port VLAN ID Ingress Tagging
Configuring PVID Ingress Tagging
IPMC Flooding
VLAN Topologies and Design Considerations
Multiple VLANs with Trunk Mode Adapters
VLAN Configuration Example

Chapter 11. Ports and Link Aggregation
Port Configuration Profiles
G8272 Port Configuration
G8296 Port Configuration
G8332 Port Configuration
NE1072T Port Configuration
NE1032T Port Configuration
NE1032 Port Configuration
NE10032 Port Configuration
Aggregation Overview
Creating a LAG
Static LAGs
Static LAG Configuration Rules
Configuring a Static LAG
Link Aggregation Control Protocol
Configuring LACP
System Priority
Port Priority
LACP Timeout
LACP Individual
LACP Minimum Links
LACP Configuration Example
LAG Hashing
LAG Hashing Configuration

Chapter 12. Spanning Tree Protocol
STP Overview
Bridge Protocol Data Units
Determining the Path for Forwarding BPDUs
BPDU Guard
BPDU Filter
Root Guard
Loop Guard
Port Priority
Port Path Cost
Error Disable Recovery
Port Type and Link Type
Edge Port
Link Type
Rapid Per VLAN Spanning Tree Plus
Rapid PVST+ Parameters
Bridge Priority
Port Priority
Port Path Cost
Forward Delay
Hello Timer
Maximum Age Interval
Rapid PVST+ Configuration
Multiple Spanning Tree Protocol
Common Internal Spanning Tree
Port States
MST Region
MSTP Parameters
Hop Count
Forward Delay
Hello Timer
Maximum Age Interval
Bridge Priority
Port Priority
Port Path Cost
MSTP Configuration
MSTP Configuration Example

Chapter 13. Virtual Link Aggregation Groups
vLAG Overview
vLAG Capacities
vLAG Benefits
vLAG Synchronization Mechanism
vLAG System MAC
vLAG and LACP Individual
vLAG and LACP System Priority
vLAG LACP Misconfigurations or Cabling Errors
FDB Synchronization
vLAG and STP
vLAG and VRRP
vLAG VRRP Passive Mode (Half Active-Active)
vLAG VRRP Active Mode (Full Active-Active)
vLAG Configuration Consistency Check
vLAG and IGMP Snooping
Multicast Router Synchronization
IGMP Groups Synchronization
IGMP Querier Synchronization
vLAG Peer Gateway
vLAGs versus regular LAGs
Configuring vLAGs
vLAG ISL
vLAG Role Election
vLAG Instance
FDB Refresh
vLAG Tier ID
vLAG Startup Delay
vLAG Autorecovery
Health Check
Basic Health Check Configuration Example
Basic vLAG Configuration Example
Configuring the ISL
Configuring the vLAG
vLAG Configuration - VLANs Mapped to a MST Instance
Configuring the ISL
Configuring the vLAG
Configuring vLAGs in Multiple Layers
Task 1: Configure Layer 2/3 Border Region
Configuring Border Router 1
Configuring Border Router 2
Task 2: Configure switches in the Layer 2 region
Configuring Switch A
Configuring Switch B
Configuring Switches C and D
Configuring Switch E
Configuring Switch F

Chapter 14. Quality of Service
QoS Overview
Class Maps
QoS Classification Types
Using ACL Filters
Using Class of Service Filters
Using DiffServ Code Point (DSCP) Filters
Using TCP/UDP Port Filters
Using Precedence Filters
Using Protocol Filters
Queuing Classification Types
Class Map Configuration Examples
QoS Class Map Configuration Example
Queueing Class Map Configuration Example
Policy Maps
Ingress Policing
Defining Single Rate and Dual Rate Policers
Marking
Queuing Policing
Bandwidth
Shaping
Priority
Policy Map Configuration Example
QoS Policy Map Configuration Example
Queuing Policy Map Configuration Example
Control Plane Protection
Control Plane Configuration Examples
WRED
Configuring WRED
WRED Configuration Example
Interface Service Policy
Limitations
Microburst Detection

Chapter 15. CEE
RoCE and iSCSI
RoCE Requirements
Converged Enhanced Ethernet
Turning CEE On or Off
Effects on Link Layer Discovery Protocol
Effects on 802.1p Quality of Service
Effects on Flow Control
Priority-Based Flow Control
PFC Configuration
PFC Configuration Example
Enhanced Transmission Selection
802.1p Priority Values
Priority Groups
PGID
Assigning Priority Values to a Priority Group
Allocating Bandwidth
Configuring ETS
Data Center Bridging Capability Exchange
DCBX Modes
DCBX Settings
Enabling and Disabling DCBX
Peer Configuration Negotiation
Configuring DCBX
CEE Configuration Examples
CEE Example 1
CEE Example 2

Part 4: IP Routing

Chapter 16. Basic IP Routing
IP Routing
Direct and Indirect Routing
Static Routing
Dynamic Routing
Default Gateway
Virtual Routing and Forwarding
Routing Information Base
Routes with Indirect Nexthops
Bidirectional Forwarding Detection
BFD Asynchronous Mode
BFD Echo Mode
BFD Peer Support
BFD Static Routes
BFD Authentication
Generalized TTL Security Mechanism
BFD and BGP
BFD and OSPF
Routing Between IP Subnets
Example of Subnet Routing
Using VLANs to Segregate Broadcast Domains
Configuration Example
ECMP Static Routes
RIB Support for ECMP Routes
ECMP Hashing
Configuring ECMP Static Routes
Dynamic Host Configuration Protocol
Internet Control Message Protocol
ICMP Redirects
ICMP Port Unreachable
ICMP Unreachable (except Port)

Chapter 17. Routed Ports
Routed Ports Overview
Configuring a Routed Port
Configuring OSPF on Routed Ports
OSPF Configuration Example
Chapter 18. Address Resolution Protocol
ARP Overview
ARP Aging Timer
ARP Inspection
Static ARP Entries
Static ARP Configuration Example
ARP Entry States
ARP Table Refresh

Chapter 19. Internet Protocol Version 6
IPv6 Address Format
IPv6 Address Types
Unicast Address
Multicast
Anycast
IPv6 Interfaces
Neighbor Discovery
Neighbor Discovery Overview
Router
Supported Applications
Configuration Guidelines
IPv6 Configuration Examples
IPv6 Example 1
IPv6 Example 2
IPv6 Limitations

Chapter 20. Internet Group Management Protocol
IGMP Terms
How IGMP Works
IGMP Capacity and Default Values
IGMP Snooping
IGMPv3 Snooping
Spanning Tree Topology Change
IGMP Querier
Querier Election
Multicast Router Discovery
IGMP Query Messages
IGMP Groups
IGMP Snooping Configuration Guidelines
IGMP Snooping Configuration Example
Advanced IGMP Snooping Configuration Example
Prerequisites
Configuration
Switch A Configuration
Switch B Configuration
Switch C Configuration
Troubleshooting
Additional IGMP Features
Report Suppression
Robustness Variable
Fast Leave
Static Multicast Router

Chapter 21. Border Gateway Protocol
BGP Overview
BGP Router Identifier
Internal Routing Versus External Routing
Route Reflector
Route Reflection Configuration Example
Restrictions
Forming BGP Peer Routers
BGP Peers and Dynamic Peers
Static Peers
Dynamic Peers
Loopback Interfaces
What is a Route Map?
Next Hop Peer IP Address
Incoming and Outgoing Route Maps
Precedence
Configuration Overview
Aggregating Routes
Redistributing Routes
BGP Communities
BGP Community
BGP Extended Community
BGP Confederation
BGP Path Attributes
Well-Known Mandatory
Well-Known Discretionary
Optional Transitive
Optional Non-Transitive
Best Path Selection Logic
BGP Best Path Selection
BGP Weight
Local Preference
Metric (Multi-Exit Discriminator) Attribute
Next Hop
Best Path Selection Tuning
BGP ECMP
BGP Features and Functions
AS Path Filter
BGP Capability Code
Administrative Distance
TTL Security Check
Local AS
BGP Authentication
Originate Default Route
IP Prefix List Filter
Dynamic Capability
BGP Graceful Restart
BGP Damping
Soft Reconfiguration Inbound
BGP Route Refresh
BGP Multiple Address Families
BGP and BFD
BGP Next Hop Tracking
BGP Tuning
BGP Failover Configuration
Default Redistribution and Route Aggregation Example
Designing a Clos Network Using BGP
Clos Network BGP Configuration Example
Configure Fabric Switch SF1
Configure Spine Switch SP11
Configure Leaf Switch LP11

Chapter 22. Open Shortest Path First
OSPFv2 Overview
Types of OSPF Areas
Types of OSPF Routing Devices
Neighbors and Adjacencies
The Link State Database
The Shortest Path First Tree
Internal Versus External Routing
OSPFv2 Implementation in Cloud NOS
Configurable Parameters
Defining Areas
Using the Area ID to Assign the OSPF Area Number
Attaching an Area to a Network
Interface Cost
Electing the Designated Router and Backup
Summarizing Routes
Default Routes
Virtual Links
Router ID
Authentication
Configuring Plain Text OSPF Passwords
Configuring MD5 Authentication
Loopback Interfaces in OSPF
Graceful Restart Helper
OSPF and BFD
OSPFv2 Configuration Examples
Example 1: Simple OSPF Domain
Example 2: Virtual Links
Configuring OSPF for a Virtual Link on Switch 1
Configuring OSPF for a Virtual Link on Switch 2
Other Virtual Link Options
Example 3: Summarizing Routes
Verifying OSPF Configuration

Chapter 23. Route Maps
Route Maps Overview
Permit and Deny Rules
Match and Apply Clauses
Route Maps Configuration Example

Part 5: High Availability Fundamentals

Chapter 24. Basic Redundancy
Aggregating for Link Redundancy
Virtual Link Aggregation

Chapter 25. Virtual Router Redundancy Protocol
VRRP Overview
VRRP Components
Virtual Router
Virtual Router MAC Address
Owners and Renters
Master and Backup Virtual Router
Virtual Interface Router
Assigning VRRP Virtual Router ID
VRRP Operation
Selecting the Master VRRP Router
Failover Methods
Active-Active Redundancy
Cloud NOS Extensions to VRRP
VRRP Advertisement Interval and Subsecond Failover
Interface Tracking
Switch Back Delay
Backward Compatibility with VRRPv2
VRRP Accept Mode
VRRP Preemption
VRRP Priority
IPv6 VRRP
Configuring the Switch for Tracking
Basic VRRP Configuration
High Availability Configuration
VRRP High Availability Using Multiple VIRs
Task 1: Configure Switch 1
Task 2: Configure Switch 2

Part 6: Network Management

Chapter 26. Link Layer Discovery Protocol
LLDP Overview
Enabling or Disabling LLDP
LLDP Transmit Features
Scheduled Interval
Minimum Interval
Time to Live for Transmitted Information
Trap Notifications
Changing the LLDP Transmit State
Types of Information Transmitted
LLDP Receive Features
Types of Information Received
Time to Live for Received Information
Viewing Remote Device Information
Debugging LLDP
LLDP Example Configuration

Chapter 27. Service Location Protocol
SLP Agents Communication
SLP Specific Messages
SLP Supported Service Attributes
SLP Configuration

Chapter 28. Simple Network Management Protocol
SNMP Versions
SNMP Version 1 & Version 2
SNMP Version 3
SNMP Protocol Details
SNMP Notifications
SNMP Device Contact and Location
One-Time Authentication for SNMP over TCP
Default Configuration
  Configuration Examples
    Basic SNMP Configuration Example
    User Configuration Example
    Configuring SNMP Trap Hosts
  SNMP MIBs
Chapter 29. Telemetry
  Network Telemetry Overview
  CNOS Telemetry Architecture
  The Ganglia Analytics Application
    The Ganglia Agent
    The Central Data Aggregator
    The Data Visualization Front End
    The Ganglia Metric Tool
    Using Ganglia with CNOS
  Types of Data Supplied by the CNOS Telemetry Agent
    Buffer Statistics
      Congestion Drop Counters
      Buffer Utilization Counters
  Setting Up the CNOS Telemetry Agent
    Enable the Telemetry Agent
    Configure the Telemetry Controller
    Set Up the Telemetry Heartbeat
  Configuring Telemetry Agent Parameters
    Congestion Drop Counters
    BST Buffer Counters
    Detect Congestion After it Happens
    Predicting Congestion Before it Happens
    Capacity Planning Based on Trend Analysis
Part 7: Hyperconverged Infrastructure
Chapter 30. Network Policy Agent
  Overview
  Setting up the Nutanix VDM Plugin
  Viewing Virtual Domain Information
  Unsubscribing to Nutanix VDM Notifications
  Dynamic VLANs and the VDM
    Dynamic VLAN Considerations
    Dynamic VLAN Commands
Part 8: Monitoring
Chapter 31. Port Mirroring
  Port Mirroring Overview
  SPAN Configuration
    Sources
    Destinations
    Sessions
    Configuration Example
  ERSPAN Configuration
    Session Types
    Sources
    Destinations
    ERSPAN Source Session Configuration Example
    ERSPAN Destination Session Configuration Example
  Limitations
Part 9: Appendices
Appendix A. Getting help and technical assistance
Appendix B. Notices
  Trademarks
  Important Notes
  Recycling Information
  Particulate Contamination
  Telecommunication Regulatory Statement
  Electronic Emission Notices
    Federal Communications Commission (FCC) Statement
    Industry Canada Class A Emission Compliance Statement
    Notice of Compliance with Industry Canada Regulations
    Australia and New Zealand Class A Statement
    European Union Compliance to the Electromagnetic Compatibility Directive
    Germany Class A Statement
    Japan VCCI Class A Statement
    Japan Electronics and Information Technology Industries Association (JEITA) Statement
    Korea Communications Commission (KCC) Statement
    Russia Electromagnetic Interference (EMI) Class A statement
    People's Republic of China Class A electronic emission statement
    Taiwan Class A compliance statement
Index
Preface
This Application Guide describes how to configure and use the Lenovo Cloud Network Operating System 10.4 software on the following Lenovo RackSwitches:
Lenovo RackSwitch G8272. For documentation on installing the switch physically, see the Lenovo RackSwitch G8272 Installation Guide.
Lenovo RackSwitch G8296. For documentation on installing the switch physically, see the Lenovo RackSwitch G8296 Installation Guide.
Lenovo RackSwitch G8332. For documentation on installing the switch physically, see the Lenovo RackSwitch G8332 Installation Guide.
Lenovo ThinkSystem NE1032T RackSwitch. For documentation on installing the switch physically, see the Lenovo ThinkSystem NE1032T RackSwitch Installation Guide.
Lenovo ThinkSystem NE1032 RackSwitch. For documentation on installing the switch physically, see the Lenovo ThinkSystem NE1032 RackSwitch Installation Guide.
Lenovo ThinkSystem NE1072T RackSwitch. For documentation on installing the switch physically, see the Lenovo ThinkSystem NE1072T RackSwitch Installation Guide.
Lenovo ThinkSystem NE10032 RackSwitch. For documentation on installing the switch physically, see the Lenovo ThinkSystem NE10032T RackSwitch Installation Guide.
Who Should Use This Guide
This guide is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, Spanning Tree Protocol, and SNMP configuration parameters.
Application Guide Overview
This guide will help you plan, implement, and administer the Cloud NOS (CNOS) software. Where possible, each section provides feature overviews, usage examples, and configuration instructions. The following material is included:
Part 1: Getting Started
This material is intended to help those new to CNOS products with the basics of switch management. This part includes the following chapters:
Chapter 2, "Using the Command Line Interface," describes the CNOS command line interface modes, commands, keyboard shortcuts, and aliases.
Chapter 1, "Switch Administration," describes how to access the switch to configure the switch, and view switch information and statistics. This chapter discusses a variety of manual administration interfaces, including local management via the switch console, and remote administration via Telnet or Secure Shell.
Chapter 3, "System License Keys," describes how to install additional features on the switch.
Chapter 4, "Switch Software Management," describes how to update the CNOS software operating on the switch and how to convert from CNOS to ENOS.
Part 2: Securing the Switch
This material contains information about implementing security protocols on the switch. This part includes the following chapters:
Chapter 5, "Securing Administration," describes methods for using Secure Shell for administration connections, and configuring end-user access control.
Chapter 6, "AAA Protocols," describes different secure administration methods for remote administrators. This includes using RADIUS, Terminal Access Controller Access-Control System Plus (TACACS+) and Authentication, Authorization, and Accounting (AAA).
Chapter 7, "Access Control Lists," describes how to use filters to permit or deny specific types of traffic, based on a variety of source, destination, and packet attributes.
Part 3: Switch Basics
This material contains information about setting up features on the switch. This part includes the following chapters:
Chapter 8, "Interface Management," describes how to configure the switch interfaces, like the ethernet or management ports.
Chapter 9, "Forwarding Database," describes how a Layer 2 device can be configured to learn and store MAC addresses and their corresponding ports.
Chapter 10, "VLANs," describes how to configure Virtual Local Area Networks (VLANs) for creating separate network segments, including how to use VLAN tagging for devices that use multiple VLANs.
Chapter 11, "Ports and Link Aggregation," describes how to group multiple physical ports together to aggregate the bandwidth between large-scale network devices.
Chapter 12, "Spanning Tree Protocol," describes how to use the Rapid Per-VLAN Spanning Tree Plus (Rapid PVST+) and Multiple Spanning Tree Protocol (MSTP) to build a loop-free network topology.
Chapter 13, "Virtual Link Aggregation Groups," describes using Virtual Link Aggregation Groups (VLAGs) to form LAGs spanning multiple VLAG-capable aggregator switches.
Chapter 14, "Quality of Service," discusses Quality of Service (QoS) features, including IP filtering using class maps, Differentiated Services, and IEEE 802.1p priority values.
Chapter 15, "CEE," discusses using various Converged Enhanced Ethernet (CEE) features such as Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS) and Data Center Bridging Capability Exchange (DCBX).
Part 4: IP Routing
This part includes the following chapters:
Chapter 16, "Basic IP Routing," describes how to configure the switch for IP routing using IP subnets, BFD, DHCP Relay and VRF.
Chapter 17, "Routed Ports," describes how to configure a switch port to forward Layer 3 traffic.
Chapter 18, "Address Resolution Protocol," describes how to use the Address Resolution Protocol (ARP) protocol to map an IPv4 address to a MAC address.
Chapter 19, "Internet Protocol Version 6," describes how to configure the switch to use IPv6.
Chapter 20, "Internet Group Management Protocol," describes how CNOS implements Internet Group Management Protocol (IGMP) Snooping to conserve bandwidth in a multicast switching environment.
Chapter 21, "Border Gateway Protocol," describes Border Gateway Protocol (BGP) concepts and features supported in CNOS.
Chapter 22, "Open Shortest Path First," describes key Open Shortest Path First (OSPF) concepts, and how they are implemented in CNOS, and provides examples of how to configure your switch for OSPF support.
Chapter 23, "Route Maps," describes route maps that are used to define route policy by permitting or denying certain routes based on a configured set of rules.
Part 5: High Availability Fundamentals
This part includes the following chapters:
Chapter 24, "Basic Redundancy," describes how the switch supports redundancy through LAGs and VLAGs.
Chapter 25, "Virtual Router Redundancy Protocol," describes how the switch supports high-availability network topologies using Virtual Router Redundancy Protocol (VRRP).
Part 6: Network Management
This part includes the following chapters:
Chapter 26, "Link Layer Discovery Protocol," describes how Link Layer Discovery Protocol (LLDP) helps neighboring network devices learn about each other's ports and capabilities.
Chapter 27, "Service Location Protocol," describes the Service Location Protocol (SLP) that allows the switch to provide dynamic directory services.
Chapter 28, "Simple Network Management Protocol," describes how to configure the switch for management through a Simple Network Management Protocol (SNMP) client.
Chapter 29, "Telemetry," describes the CNOS Network Telemetry Agent and how to use the data it provides to fine-tune your network.
Part 8: Monitoring
This part includes the following chapter:
Chapter 31, "Port Mirroring," discusses tools to copy selected port traffic to a remote monitor port for network analysis.
Part 7: Hyperconverged Infrastructure
This part includes the following chapter:
Chapter 30, "Network Policy Agent," describes how to use the CNOS network policy agent plugin that works with Nutanix's Virtual Domain Module.
Part 9: Appendices
This part includes the following appendices:
Appendix A, "Getting help and technical assistance," provides details on where to go for additional information about Lenovo and Lenovo products.
Appendix B, "Notices," contains safety and environmental notices.
Additional References
Additional information about installing and configuring your switch is available in the following guides:
Lenovo Network Command Reference for Lenovo Cloud Network Operating System 10.4
Lenovo Network Release Notes for Lenovo Cloud Network Operating System 10.4 for your switch
Lenovo Network Python Programming Guide for Lenovo Cloud Network Operating System 10.4
Lenovo Network REST API Programming Guide for Lenovo Cloud Network Operating System 10.4
Typographic Conventions
The following table describes the typographic styles used in this book.
Table 1. Typographic Conventions
Each entry gives the typeface or symbol, then its meaning and an example.
ABC123
    Meaning: This type is used for names of commands, files, and directories used within the text.
    Example: View the readme.txt file.
    Meaning: It also depicts on-screen computer output and prompts.
    Example: Switch#
ABC123
    Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
    Example: Switch# ping
Italicized type
    Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets.
    Example: To establish a Telnet session, enter: Switch# telnet
    Meaning: This also shows book titles, special terms, or words to be emphasized.
    Example: Read your User's Guide thoroughly.
{}
    Meaning: Command items shown inside brackets are mandatory and cannot be excluded. Do not type the brackets.
    Example: Switch# cp {ftp|sftp}
[]
    Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
    Example: Switch# configure [device]
|
    Meaning: The vertical bar (|) is used in command examples to separate choices where multiple options exist. Select only one of the listed options. Do not type the vertical bar.
    Example: Switch# cp {ftp|sftp}
Block type
    Meaning: This block type depicts menus, buttons, and other controls that appear in graphical interfaces.
    Example: Click the button.
Part 1: Getting Started
This section discusses the following topics:
"Switch Administration" on page 31
"System License Keys" on page 87
"Switch Software Management" on page 93
Chapter 1. Switch Administration
Your RackSwitch is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively.
The extensive Lenovo Cloud Network Operating System for the switch provides a variety of options for accessing the switch to perform a variety of configurations and to view switch information and statistics.
This chapter discusses the various methods that can be used to administer the switch.
Administration Interfaces
Cloud NOS provides a variety of user interfaces for administration. These interfaces vary in character and in the methods used to access them. Some are text-based and some are graphical; some are available by default, while others require configuration; some can be accessed by local connection to the switch, while others are accessed remotely using various client applications. For example, administration can be performed using any of the following:
A built-in, text-based command line interface (CLI) and menu system for switch access via a serial port connection or an optional Telnet or SSH session
SNMP support for access through third-party commercial and open-source network management applications.
The specific interface chosen for an administrative session depends on your preferences, the switch configuration, and the available client tools.
In all cases, administration requires that the switch hardware is properly installed and turned on (see the Lenovo RackSwitch Installation Guide).
Industry Standard Command Line Interface
The Industry Standard Command Line Interface (ISCLI) provides a simple and direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance.
You can establish a connection to the ISCLI in any of the following ways:
Serial connection via the serial port on the switch (this option is always available)
Telnet connection over the network
SSH connection over the network
Establishing a Connection
The factory default settings permit initial switch administration through only the built-in serial port. All other forms of access require additional switch configuration before they can be used.
Remote access using the network requires the accessing terminal to have a valid, routable connection to the switch interface. The client IP address may be configured manually, or an IP address can be provided automatically to the switch using a service such as DHCP (see "DHCP IP Address Services" on page 44). An IPv6 address can also be obtained using IPv6 stateless address configuration.
Note: Throughout this manual, IP address is used in places where either an IPv4 or IPv6 address is allowed. IPv4 addresses are entered in dotted-decimal notation (for example, 10.10.10.1), while IPv6 addresses are entered in hexadecimal notation (for example, 2001:db8:85a3::8a2e:370:7334). In places where only one type of address is allowed, IPv4 address or IPv6 address is specified.
Using the Switch Management Interface
To manage the switch through the management interface, you must configure it with an IP interface. Configure the IP address and network mask and default gateway address:
1. Log on to the switch.
2. Enter Global Configuration mode.
    Switch> enable
    Switch# configure device
    Switch(config)#
3. Configure a management IP address and network mask:
   IPv4 configuration:
    Switch(config)# interface mgmt 0
    Switch(config-if)# ip address /
    Switch(config-if)# exit
   IPv6 configuration:
    Switch(config)# interface mgmt 0
    Switch(config-if)# ipv6 address /
    Switch(config-if)# exit
4. Configure the appropriate default gateway:
   IPv4 configuration:
    Switch(config)# vrf context management
    Switch(config-vrf)# ip route 0.0.0.0 0.0.0.0
    Switch(config-vrf)# exit
   IPv6 configuration:
    Switch(config)# vrf context management
    Switch(config-vrf)# ipv6 route ::/0
    Switch(config-vrf)# exit
Once you configure a management IP address for your switch, you can connect to the management port and use a Telnet or an SSH client from an external management station to access and control the switch. The management port provides out-of-band management.
Note: To use a telnet client, you must first enable telnet access with the command:
    Switch(config)# feature telnet
Using the Switch Ethernet Ports
You also can configure in-band management through any of the switch ethernet ports. To allow in-band management, use the following procedure:
1. Log on to the switch.
2. Enter interface mode and configure an ethernet interface as routed port.
    Switch> enable
    Switch# configure device
    Switch(config)# interface ethernet /
    Switch(config-if)# no bridge-port
3. Configure the interface IP address and network mask.
   IPv4 configuration:
    Switch(config-if)# ip address /
   IPv6 configuration:
    Switch(config-if)# ipv6 address /
4. Configure the default gateway.
   IPv4 configuration:
    Switch(config)# vrf context management
    Switch(config-vrf)# ip route 0.0.0.0 0.0.0.0
    Switch(config-vrf)# exit
   IPv6 configuration:
    Switch(config)# vrf context management
    Switch(config-vrf)# ipv6 route ::/0
    Switch(config-vrf)# exit
Once you configure the IP address and have a network connection, you can use a Telnet or an SSH client from an external management station to access and control the switch. Once the default gateway is enabled, the management station and the switch do not need to be on the same IP subnet.
The switch supports an industry standard command line interface (ISCLI) that you can use to configure and control the switch over the network using a Telnet or an SSH client. You can use the ISCLI to perform many basic network management functions. In addition, you can configure the switch for management using an SNMP-based network management system.
For more information, see the documents listed in "Additional References" on page 27.
Using Telnet
A Telnet connection offers the convenience of accessing the switch from a workstation connected to the network. Telnet access provides the same options for user and administrator access as those available through the console port.
By default, Telnet access is disabled. Use the following command to enable or disable Telnet access:
    Switch(config)# [no] feature telnet
Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network.
To establish a Telnet connection with the switch, run the Telnet client on your workstation, use Telnet as the protocol type and the switch's IP address as the hostname.
You will then be prompted to enter a password as explained in "Switch Login Levels" on page 51.
By default, Telnet uses TCP port 23 of the remote host to establish a connection from the switch. When initializing a Telnet session, you can specify the TCP port of the remote host by using the following command on the switch:
    Switch# telnet port
Note: The specified port will be used only for the current Telnet session. Future sessions will not use the selected port.
By default, Telnet clients will connect to the local Telnet server using TCP port 23 on the switch. To configure the TCP port used by a Telnet client when establishing a connection to the switch, use the following command:
    Switch(config)# telnet server port
Using Secure Shell
Although a remote network administrator can manage the configuration of a switch via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure.
By default, SSH access is enabled. Use the following command to enable or disable SSH access:
    Switch(config)# [no] feature ssh
The switch can do only one session of key/cipher generation at a time. Thus, an SSH client will not be able to log in if the switch is doing key generation at that time. Similarly, the system will fail to do the key generation if an SSH client is logging in at that time.
The supported SSH encryption and authentication methods are:
Server Host Authentication: Client RSA-authenticates the switch when starting each connection
Key Exchange: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-nistp224, ecdh-sha2-nistp192, rsa2048-sha256, rsa1024-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
Encryption: aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256
MAC: hmac-sha1, hmac-ripemd160, [email protected]
User Authentication: Local password authentication, TACACS+
Lenovo Cloud Network Operating System implements the SSH version 2.0 standard and is confirmed to work with SSH version 2.0-compliant clients such as the following:
OpenSSH_5.4p1 for Linux
SecureCRT Version 5.0.2 (build 1021)
Putty SSH release 0.60
Using SSH with Password Authentication
Once the IP parameters are configured, you can access the command line interface using an SSH connection.
To establish an SSH connection with the switch, run the SSH client on your workstation, use SSH as the protocol type and the switch's IP address as the hostname.
You will then be prompted to enter a password as explained in "Switch Login Levels" on page 51.
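The key exchange and encryption lists under Using Secure Shell include SHA-1 key exchanges and the RC4 ciphers arcfour128 and arcfour256. The following added example (not part of the Lenovo guide) parses the algorithm name-lists from an SSH_MSG_KEXINIT payload, flags those names, and derives values for the OpenSSH client options KexAlgorithms and Ciphers on the management station. The deny policy, the sample payload and the ssh-rsa host key name are assumptions of this example.

```python
"""Audit the algorithm lists an SSH server offers in SSH_MSG_KEXINIT (added example)."""
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def is_weak(field, name):
    """Example policy (an assumption): reject SHA-1 key exchanges and RC4 ciphers."""
    if field == "kex":
        return name.endswith("sha1")
    if field.startswith("enc_"):
        return name.startswith("arcfour")
    return False


def parse_kexinit(payload):
    """Return {field: [names]} from a KEXINIT payload (message byte, cookie, name-lists)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                      # skip message byte and 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError(f"{field}: truncated length")
        (size,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + size > len(payload):
            raise ValueError(f"{field}: truncated name-list")
        raw = payload[pos:pos + size].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += size
    return lists


def audit(lists):
    """List (field, name) pairs that the example policy rejects."""
    return [(f, n) for f, names in lists.items() for n in names if is_weak(f, n)]


def client_pins(lists):
    """Offered names that pass the policy, as OpenSSH KexAlgorithms / Ciphers values."""
    kex = [n for n in lists["kex"] if not is_weak("kex", n)]
    enc = [n for n in lists["enc_s2c"]
           if n in lists["enc_c2s"] and not is_weak("enc_s2c", n)]
    return {"KexAlgorithms": ",".join(kex), "Ciphers": ",".join(enc)}


def build_kexinit(**offered):
    """Build a KEXINIT payload for the constructed sample below."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        data = ",".join(offered.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved


# Constructed sample: a subset of the names listed in the guide.
_ENC = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour128", "arcfour256"]
_MAC = ["hmac-sha1", "hmac-ripemd160"]
SAMPLE_KEXINIT = build_kexinit(
    kex=["ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
         "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
         "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    host_key=["ssh-rsa"], enc_c2s=_ENC, enc_s2c=_ENC, mac_c2s=_MAC, mac_s2c=_MAC,
    comp_c2s=["none"], comp_s2c=["none"])

if __name__ == "__main__":
    offered = parse_kexinit(SAMPLE_KEXINIT)
    for field, name in audit(offered):
        print(f"weak {field}: {name}")
    for option, value in client_pins(offered).items():
        print(f"{option} {value}")
```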
Using SSH with Server Key Authentication
SSH can also be used for switch authentication based on asymmetric cryptography. Server encryption keys can be generated on the switch and used to authenticate incoming login attempts based on the client's private encryption key pairs. After a predefined number of failed server key authentication attempts, a login error will appear and the SSH session will be disconnected.
To set up server key authentication:
1. Disable SSH:
    Switch(config)# no feature ssh
   Note: SSH settings cannot be modified if SSH is enabled.
2. Generate an SSH key:
   DSA:
    Switch(config)# ssh key dsa [force]
   RSA:
    Switch(config)# ssh key rsa [force]
   Note: You can also configure the length of the RSA key by using the following command:
    Switch(config)# ssh key rsa length
3. Configure a maximum number of failed server key authentication attempts before the SSH session will be disconnected:
    Switch(config)# ssh login-attempts
   Note: The default number of failed attempts is 3.
4. Re-enable SSH:
    Switch(config)# feature ssh
Once the server key is configured on the switch, a client can use SSH to log in from a system where the private key pair is set up.
Using Simple Network Management Protocol
CNOS provides Simple Network Management Protocol (SNMP) version 1, 2, and 3 support for access through any network management software, such as Switch Center or Lenovo XClarity.
Note: The SNMP read function is enabled by default. For best security practices, if SNMP is not needed for your network, disable this function prior to connecting the switch to the network.
To access the SNMP agent on the switch, the read and write community strings on the SNMP manager must be configured to match those on the switch.
The read and write community strings on the switch can be configured using the following commands:
read-only access community string:
    Switch(config)# snmp-server community ro
read-write access community string:
    Switch(config)# snmp-server community rw
The SNMP manager must be able to reach any one of the IP interfaces on the switch.
For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following command:
    Switch(config)# snmp-server host traps version 1
For more information on SNMP usage and configuration, see Chapter 28, "Simple Network Management Protocol."
Zero Touch Provisioning
Zero Touch Provisioning (ZTP) enables a switch to automatically provision itself using the resources available on the network without manual intervention. When a switch with ZTP enabled starts up, it locates a DHCP server which provides the switch with an interface IPv4 address and a gateway IPv4 address. The switch then obtains the IP address of a TFTP server from which it will download the necessary boot file. The next step is for the switch to run the boot file.
On the switch, ZTP will trigger when any of the following conditions are met:
a switch boots with no startup configuration (only the default configuration)
the startup configuration is erased and the switch is reloaded
ZTP is forcedly enabled from the CLI
Note: ZTP will not be triggered if it is forcedly disabled from the CLI.
During the boot process, if the switch does not find a startup configuration and ZTP is enabled, the switch will enter ZTP mode. When forcedly enabled from the CLI, the switch enters ZTP mode regardless of the presence of a startup configuration. The switch will search for available DHCP servers and request them to acquire an interface address, a gateway address, the TFTP server address, and the boot file name.
After the information from the DHCP server is obtained, ZTP will download and run the boot file, and then execute the ZTP process according to the boot file. ZTP automatically handles the process of upgrading the switch software image and installing configuration files.
Notes:
During the boot process, a prompt will appear asking if you want to abort or continue the ZTP process. If you choose to exit ZTP, the switch will continue with its normal boot process, using the default configuration or any startup configuration, if one is present on the switch and ZTP was forcedly enabled from the CLI.
If ZTP was forcedly enabled and no DHCP server was found during the ZTP process, any previous IPv4 address manually configured of the management interface will be removed.
If ZTP is canceled during its execution, the switch exits ZTP mode. If an interface IPv4 address was obtained, it will not be released. If any files were downloaded, they will not be deleted.
Important ZTP events are logged by the switch and are available for display from a console session.
DHCP Discovery
After entering ZTP mode, the switch sends a DHCP discover message on its management interface requesting DHCP offers from the DHCP servers present on the network. The receiving DHCP server replies with a DHCP offer message.
When the DHCP client receives the DHCP offer message, it will request the DHCP server to send the following information:
an interface IPv4 address
a gateway IPv4 address
the TFTP server IP address (using option 66)
the boot file name (using option 67)
The switch completes the DHCP negotiation process (request and acknowledgement) with the DHCP server, which assigns the switch an IPv4 address. The switch then uses the acquired TFTP server IP address to contact the TFTP server. The boot file name contains the complete file path of the boot file on the TFTP server. The switch then downloads the boot file.
If no DHCP servers reply to the DHCP discover message or if no DHCP offer meets the ZTP requirements, the switch will be unable to complete the DHCP negotiation and an IPv4 address is not assigned (except the default IPv4 address 192.168.50.50/24, but this cannot help the switch finalize the ZTP process). ZTP will try three times to successfully obtain the required information. If it fails the DHCP negotiation three times, the switch exits ZTP mode and continues the normal boot process.
Notes:
The interface IPv4 address obtained from the DHCP server is kept and used even after the ZTP process is over.
ZTP supports only DHCPv4 and not DHCPv6.
ZTP supports only TFTP and not FTP, SCP, HTTP, or other transfer protocols.
DHCP servers must be configured with options 66 and 67 to ensure that the switch always obtains the TFTP server hostname and the boot file name during the ZTP process.
DHCP options 66 and 67 are enabled by default on the switch. If either of them is intentionally disabled, the ZTP process will result in a failure.
DHCP option 66 provides the IP address of a single TFTP server. To enable or disable DHCP option 66, use the following command:
    Switch(config)# [no] ip dhcp client request tftp-server-name
DHCP option 67 provides the file path of the boot file needed by ZTP. To enable or disable DHCP option 67, use the following command:
    Switch(config)# [no] ip dhcp client request bootfile-name
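A DHCP server's offer can be checked against the four items listed above before switches are racked. The following added example (not code from the Lenovo guide) parses a DHCPv4 message and reports which of the four items are missing. Treating those four items as the ZTP requirement, the sample addresses and the boot file name are assumptions of this example.

```python
"""Check whether a DHCPv4 offer carries everything ZTP asks for (added example)."""
import ipaddress

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # marks the start of the options field
OPT_ROUTER, OPT_TFTP_SERVER, OPT_BOOTFILE = 3, 66, 67


def parse_options(data):
    """Walk the code/length/value options; code 0 is padding, code 255 ends the list."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        options[code] = options.get(code, b"") + value   # repeated codes are joined
        i += 2 + length
    return options


def check_ztp_offer(packet):
    """Return (found, missing) for the four items the ZTP client requests."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options = parse_options(packet[240:])
    yiaddr = packet[16:20]                                # address offered to the client
    router = options.get(OPT_ROUTER, b"")
    found = {
        "interface_ipv4": str(ipaddress.IPv4Address(yiaddr)) if any(yiaddr) else "",
        "gateway_ipv4": str(ipaddress.IPv4Address(router[:4])) if len(router) >= 4 else "",
        "tftp_server": options.get(OPT_TFTP_SERVER, b"").decode("ascii", "replace").rstrip("\x00"),
        "boot_file": options.get(OPT_BOOTFILE, b"").decode("ascii", "replace").rstrip("\x00"),
    }
    return found, [name for name, value in found.items() if not value]


def build_offer(yiaddr, options):
    """Build a minimal DHCP reply for the constructed samples below."""
    header = bytearray(236)                               # fixed BOOTP header
    header[0] = 2                                         # op = BOOTREPLY
    header[16:20] = ipaddress.IPv4Address(yiaddr).packed
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return bytes(header) + MAGIC_COOKIE + body + b"\xff"


# Constructed samples (documentation addresses, hypothetical boot file path).
_GATEWAY = ipaddress.IPv4Address("192.0.2.1").packed
GOOD_OFFER = build_offer("192.0.2.50", [
    (53, b"\x02"), (OPT_ROUTER, _GATEWAY),
    (OPT_TFTP_SERVER, b"192.0.2.10"), (OPT_BOOTFILE, b"ztp/bootfile.yaml")])
OFFER_WITHOUT_67 = build_offer("192.0.2.51", [
    (53, b"\x02"), (OPT_ROUTER, _GATEWAY), (OPT_TFTP_SERVER, b"192.0.2.10")])

if __name__ == "__main__":
    for label, packet in (("good", GOOD_OFFER), ("no option 67", OFFER_WITHOUT_67)):
        found, missing = check_ztp_offer(packet)
        print(label, found, "missing:", missing or "nothing")
```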
ZTP Boot File
The boot file is written in YAML format and contains switch models, and under each switch model are several fields that instruct the ZTP process what to do.
The boot file may contain up to three fields under each switch model:
img_name - this instructs ZTP to update the switch software image to the specified image version and configure it as the standby image on the switch
configuration - this instructs ZTP to copy the specified configuration file from the TFTP server and use it as the startup configuration file on the switch
script - this instructs ZTP to copy the script file and execute it on the switch
ZTP checks the boot file for the switch model and executes the appropriate actions according to the fields under the correct switch model.
ZTP supports the execution of Python scripts. If there is a script field under the switch model in the boot file, the field has a higher priority than the other two fields (img_name and configuration) and ZTP will ignore them. ZTP downloads the Python script file to the switch and executes it. The script can also contain instructions to download and install a switch software image and a configuration file.
Note: The Python script file is stored in a temporary folder on the switch and it will be deleted once the switch reloads.
Following is an example of a boot file:
    G8272:
        img_name : G8272-10.4.0.1.img
        configuration: netboot_config_file_G8272
        script : netboot_G8272.py
    G8296:
        img_name : G8296-10.4.0.1.img
        configuration: netboot_config_file_G8296
        script : netboot_G8296.py
    G8332:
        img_name : G8332-10.4.0.1.img
        configuration: netboot_config_file_G8332
        script : netboot_G8332.py
Note: After the ZTP process is over, the switch will be reloaded if the software image or the startup configuration are updated. If ZTP executes a Python script, the reloading of the switch is decided by the script instead.
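Because a script field silently overrides img_name and configuration, and the named script is executed on every switch that fetches the boot file, it is worth linting the file before it is placed on the TFTP server. The following added example (not code from the Lenovo guide) parses the two-level layout shown above and reports, per switch model, what ZTP would do under the precedence rule the guide describes. The action names and the second and third sample entries are assumptions of this example.

```python
"""Lint a ZTP boot file before it is published on the TFTP server (added example)."""
import re

FIELDS = ("img_name", "configuration", "script")     # the three fields the guide lists
LINE = re.compile(r"^(\s*)([^:\s][^:]*?)\s*:\s*(.*)$")

# First entry as shown in the guide; the other two are constructed variants.
SAMPLE_BOOT_FILE = """\
G8272:
    img_name : G8272-10.4.0.1.img
    configuration: netboot_config_file_G8272
    script : netboot_G8272.py
G8296:
    img_name : G8296-10.4.0.1.img
    configuration: netboot_config_file_G8296
G8332:
    img_nmae : G8332-10.4.0.1.img
"""


def parse_boot_file(text):
    """Parse the 'model:' / indented 'field: value' subset of YAML the boot file uses."""
    models, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing space
        if not line.strip():
            continue
        match = LINE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        indent, key, value = match.groups()
        if not indent:                                # top level: a switch model
            if value:
                raise ValueError(f"line {lineno}: model '{key}' must not carry a value")
            if key in models:
                raise ValueError(f"line {lineno}: duplicate model '{key}'")
            current = models.setdefault(key, {})
        else:                                         # indented: a field of that model
            if current is None:
                raise ValueError(f"line {lineno}: field '{key}' before any model")
            if key in current:
                raise ValueError(f"line {lineno}: duplicate field '{key}'")
            current[key] = value
    return models


def plan_for(models, model):
    """Return (actions, warnings) for one switch model, script taking priority."""
    fields = models.get(model)
    if fields is None:
        return [], [f"{model}: no entry in boot file"]
    warnings = [f"{model}: unknown field '{k}'" for k in fields if k not in FIELDS]
    warnings += [f"{model}: field '{k}' has no value"
                 for k in FIELDS if k in fields and not fields[k]]
    usable = {k: v for k, v in fields.items() if k in FIELDS and v}
    if "script" in usable:
        ignored = [k for k in ("img_name", "configuration") if k in usable]
        if ignored:
            warnings.append(f"{model}: script takes priority, ignored: {', '.join(ignored)}")
        return [("run_script", usable["script"])], warnings
    actions = []
    if "img_name" in usable:
        actions.append(("install_standby_image", usable["img_name"]))
    if "configuration" in usable:
        actions.append(("set_startup_config", usable["configuration"]))
    if not actions:
        warnings.append(f"{model}: no usable field")
    return actions, warnings


if __name__ == "__main__":
    parsed = parse_boot_file(SAMPLE_BOOT_FILE)
    for name in list(parsed) + ["NE1032"]:
        print(name, *plan_for(parsed, name))
```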
Forcedly Enabling or Disabling ZTP
ZTP can be forcedly enabled on the switch even if there is a startup configuration present. It can also be forcedly disabled to not execute even if there is no startup configuration.
ZTP can have one of the following states:
Default
Forcedly Enabled
Forcedly Disabled
To forcedly enable ZTP on the switch, use the following command:
    Switch(config)# boot zerotouch force enable
To forcedly disable ZTP on the switch, use the following command:
    Switch(config)# boot zerotouch force disable
To reset the ZTP to its default setting, use the following command:
    Switch(config)# no boot zerotouch force
To view the current ZTP state, use the following command:
    Switch# display boot
    Current ZTP State: Enable
    Current FLASH software:
      active image: version 10.4.0.1, downloaded 18:39:47 UTC Wed Sep 16 2015
      standby image: version 10.4.0.1, downloaded 18:44:40 UTC Wed Sep 16 2015
      Uboot: version 10.4.0.1, downloaded 17:49:51 UTC Thu Jul 30 2015
    Currently set to boot software active image
    Currently scheduled reboot time: none
    Current port mode: default mode
To view the ZTP parameters obtained after the ZTP process has executed, use the following command:
    Switch# display zerotouch
    TFTP server: 10.122.3.69
    Image: G8xxx-10.4.0.1.img
    Configuration: netboot_config_file_G8xxx
    Script: netboot_G8xxx.py
DHCP IP Address Services
For remote switch administration, the client terminal device must have a valid IP address on the same network as the switch interface. The IP address on the client device may be configured manually, or obtained automatically using IPv6 stateless address configuration, or an IP address may be obtained automatically via DHCP relay as discussed in the next section.
The switch can function as a relay agent for DHCP. This allows clients to be assigned an IP address for a finite lease period, reassigning freed addresses later to other clients. Acting as a relay agent, the switch can forward a client's IP address request to up to five DHCP servers. Additionally, up to five domain-specific DHCP servers can be configured for each of up to 10 VLANs.
When a switch receives a DHCP request from a client seeking an IP address, the switch acts as a proxy for the client. The request is forwarded as a UDP unicast MAC layer message to the DHCP servers configured for the client's VLAN or to the global DHCP servers if no domain-specific DHCP servers are configured for the client's VLAN. The servers respond to the switch with a unicast reply that contains the IP default gateway and the IP address for the client. The switch then forwards this reply back to the client.
DHCP is described in RFC 2131 and the DHCP relay agent supported on the switch is described in RFC 1542. DHCP uses User Datagram Protocol (UDP) as its transport protocol. The client sends messages to the server on port 67 and receives messages from the server on port 68.
DHCP Client ConfigurationDHCPisenabledbydefaultonthemanagementinterfaceanddisabledonallotherinterfaces.YoucanenableDHCPonlyonamaximumof10interfaces,includingthemanagementinterface.
ToenableordisableDHCPonaninterface(forexampleethernetinterface1/12),usethefollowingcommand:
forDHCPv4:
forDHCPv6:
Notes:
DHCPcannotbeenabledonaninterfaceconfiguredasaswitchport,onlyonroutingports.
ManuallyconfiguringanIPaddressonaninterfacewilldisableDHCPforthatinterface.
Switch(config)# interface ethernet 1/12Switch(config-if)# no bridge-portSwitch(config-if)# ip address dhcp
Switch(config)# interface ethernet 1/12Switch(config-if)# no bridge-portSwitch(config-if)# ipv6 address dhcp

DHCPv4 Hostname Configuration (Option 12)
The switch supports DHCPv4 hostname configuration as described in RFC 2132, option 12. DHCPv4 hostname configuration is enabled by default.
The switch's hostname can be manually configured using the following command:
Switch(config)# hostname
Note: If the hostname is manually configured, the switch does not replace it with the hostname received from the DHCPv4 server.
After DHCP configures the hostname on the switch, if the DHCPv4 configuration is disabled, the switch retains the hostname.
To enable or disable DHCP hostname configuration, use the following command on an interface (in this example, ethernet port 1/12 is used):
Switch(config)# interface ethernet 1/12
Switch(config-if)# [no] ip dhcp client request host-name
To view the system hostname use the following command:
Switch> display hostname
Note: The switch prompt also displays the hostname.

DHCPv4 Syslog Server (Option 7)
The switch supports the requesting of the Syslog server IP address from the DHCP server as described in RFC 2132, option 7. The DHCPv4 Syslog server request option is disabled by default.
Note: Manually configured Syslog servers take priority over the DHCPv4 Syslog server.
Up to three Syslog server addresses received from the DHCPv4 server can be used. The Syslog server addresses can be learned over the management port or an ethernet port.
To enable or disable the DHCP Syslog server request, use the following command on an interface (in this example, ethernet port 1/12 is used):
Switch(config)# interface ethernet 1/12
Switch(config-if)# [no] ip dhcp client request log-server
To view the Syslog server address, use the following command:
Switch> display logging server

Logging server: enabled
{*2.2.2.1}
  Server severity: debugging
  Server facility: local7
  Server vrf: data
* - Values assigned by DHCP Client.

DHCPv4 NTP Server (Option 42)
This option requests the DHCP server to provide a list of IP addresses indicating Network Time Protocol (NTP) servers available to the client. The NTP servers are listed in order of preference. The switch supports the requesting of NTP servers as described in RFC 2132, option 42.
By default, the switch does not include this request in DHCPv4 messages. To enable or disable this option on an interface, use the following command (in this example, ethernet port 1/12 is used):
Switch(config)# interface ethernet 1/12
Switch(config-if)# [no] ip dhcp client request ntp-server
Note: Any manually configured NTP server will not be overwritten by the NTP servers received via DHCPv4.
To view the list of NTP servers, use the following command:
Switch> display ntp peers

DHCPv4 Vendor Class Identifier (Option 60)
This option is used by a DHCP client to identify itself to the DHCP server. It is used to define the vendor type and functionality of the DHCP client. The DHCP client can communicate to a server that it uses a specific type of hardware or software by specifying its Vendor Class Identifier (VCI).
The switch supports the identifying of a TFTP server as described in RFC 2132, option 60.
Each switch interface can be configured with a different VCI.
By default, the switch will include this option in DHCPv4 packets. To enable or disable the identification of TFTP servers use the following command (in this example, ethernet port 1/12 is used):
Switch(config)# interface ethernet 1/12
Switch(config-if)# [no] ip dhcp client class-id
Note: Depending on the Lenovo RackSwitch, the default VCI is different.
  for the Lenovo RackSwitch G8272, the default VCI is LENOVOG8272
  for the Lenovo RackSwitch G8296, the default VCI is LENOVOG8296
  for the Lenovo RackSwitch G8332, the default VCI is LENOVOG8332
  for the Lenovo RackSwitch NE10032, the default VCI is LENOVONE10032
  for the Lenovo RackSwitch NE1032, the default VCI is LENOVONE1032
  for the Lenovo RackSwitch NE1032T, the default VCI is LENOVONE1032T
  for the Lenovo RackSwitch NE1072T, the default VCI is LENOVONE1072T

DHCPv4 Snooping
DHCP snooping provides security by filtering untrusted DHCP packets and by building and maintaining a DHCP snooping binding table.
A trusted port is an interface connected to a legitimate DHCP server. By default, all ports are untrusted. To configure a port or a Switched Virtual Interface (SVI) as trusted, enter the following Interface mode command:
Switch(config-if)# [no] ip dhcp snooping trust
By default, DHCP snooping is disabled on all VLANs. You can enable DHCP snooping globally or on one or more VLANs. To enable this feature globally, enter the following command:
Switch(config)# [no] ip dhcp snooping
To enable DHCP snooping on a specific VLAN, use the following command:
Switch(config)# [no] ip dhcp snooping vlan
where VLAN is the VLAN ID.

Configure the DHCPv4 Snooping Binding Table
The DHCPv4 snooping binding table contains the MAC address, the IP address, lease time, binding type, VLAN number, and port number that correspond to the local untrusted interface on the switch; it does not contain information regarding hosts interconnected with a trusted interface.
The binding table is saved to flash memory every ten minutes. When the system reboots, the binding table is recovered from the flash file. The maximum number of entries in the DHCPv4 snooping binding table is 2048.
Sometimes you may want to manually configure the binding table entries, such as when you need to use a static IP address. Use the following command to configure a binding table entry:
Switch(config)# ip dhcp snooping binding vlan interface ethernet / expiry
where:
Argument            Description
MAC                 The MAC address of the switch
VLAN                The VLAN ID; an integer from 1-3999.
IP address          A valid IPv4 address
slot                The ethernet slot
port                The ethernet port
lease time range    The lease time range; an integer from 1-4294967295

Configure the DHCPv4 Snooping Syslog
The DHCP snooping daemon creates syslogs when some important events happen, such as a change to a dynamic entry or the timer.
There are two timers in DHCP snooping. One refreshes DHCP snooping binding entries every 60 seconds. The other one saves the binding table to flash every ten minutes. These syslogs are useful for monitoring and adjusting DHCP.
To set the DHCP snooping log level, enter:
Switch(config)# logging level dhcp-snp
where:
Table 2.
Logging Level   Meaning
0               Emergency
1               Alert
2               Critical
3               Error
4               Warning
5               Notification
6               Information
7               Debug

DHCP Snooping Limitations
  DHCP snooping is not supported on a management port.
  DHCP is only supported on Ethernet ports. It is not supported on a port channel or routing port.
  DHCP snooping does not support LACP or static aggregations.
  DHCP snooping is not supported on a range of ports.

DHCP Relay Agent
When DHCP clients and associated servers are not on the same physical subnet, a DHCP relay agent can transfer DHCP messages between them. When a DHCP request arrives on an interface, the relay agent forwards the packet to all DHCP server IP addresses configured on that interface. The relay agent forwards replies from all DHCP servers to the host that sent the request. If no DHCP servers are configured on that interface, the relay agent will not forward packets.
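
Going back to the DHCPv4 Snooping section before this one: the following added example (not Lenovo code and not part of the original guide) models how trusted and untrusted ports and the binding table interact. The filtering rules are the commonly described DHCP snooping behaviour and are an assumption about CNOS internals, as are the class and method names; only the 2048-entry limit, the table fields and the periodic refresh come from the guide.

```python
from dataclasses import dataclass

MAX_BINDINGS = 2048                     # table limit stated in this guide
SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these

@dataclass
class Binding:
    mac: str                            # client hardware address
    ip: str
    vlan: int
    port: str
    expires: float                      # absolute expiry time in seconds
    kind: str = "dynamic"               # "dynamic" (learned) or "static"

class Snooper:                          # hypothetical name, for illustration only
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # every other port is untrusted
        self.table = {}                     # (vlan, mac) -> Binding
        self.pending = {}                   # (vlan, mac) -> port of the REQUEST

    def add_static(self, mac, ip, vlan, port, expires):
        return self._store(Binding(mac, ip, vlan, port, expires, "static"))

    def _store(self, b):
        key = (b.vlan, b.mac)
        old = self.table.get(key)
        if old is None and len(self.table) >= MAX_BINDINGS:
            return False                    # table full
        if old is not None and old.kind == "static" and b.kind == "dynamic":
            return False                    # learned data never replaces a static entry
        self.table[key] = b
        return True

    def handle(self, msg, in_port, mac, vlan, now, ip=None, lease=0):
        """Return "forward" or "drop" for one DHCP message seen on in_port."""
        key = (vlan, mac)
        if msg in SERVER_MSGS:
            if in_port not in self.trusted:
                return "drop"               # server reply from an untrusted port
            client_port = self.pending.pop(key, None) if msg != "OFFER" else None
            if msg == "ACK" and client_port is not None:
                self._store(Binding(mac, ip, vlan, client_port, now + lease))
            return "forward"
        if in_port in self.trusted:
            return "forward"                # hosts behind trusted ports are not tracked
        if msg in ("RELEASE", "DECLINE"):
            b = self.table.get(key)
            if b is None or b.port != in_port:
                return "drop"               # not the port that holds the lease
            if b.kind == "dynamic":
                del self.table[key]
        elif msg == "REQUEST":
            self.pending[key] = in_port
        return "forward"

    def expire(self, now):
        """Periodic refresh: remove dynamic entries whose lease has run out."""
        stale = [k for k, b in self.table.items()
                 if b.kind == "dynamic" and b.expires <= now]
        for k in stale:
            del self.table[k]
        return len(stale)
```

A binding is learned only when an ACK arrives on a trusted port for a REQUEST seen earlier on an untrusted port, which is why a server plugged into an access port never populates the table.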
DHCP has two versions. DHCPv4 is used to configure hosts with IPv4 addresses, IPv4 prefixes, and other configuration data required to operate in an IPv4 network. DHCPv6 is used to configure hosts with IPv6 addresses, IPv6 prefixes, and other configuration data required to operate in an IPv6 network.
For DHCPv4, you can configure the relay agent to add the relay agent information (option 82) in the DHCPv4 message and then forward it to the DHCPv4 server. The reply from the server is forwarded back to the client after removing option 82.
The DHCP Relay Agent is globally enabled by default. To globally enable or disable DHCP use the following command:
for DHCPv4:
Switch(config)# [no] ip dhcp relay
for DHCPv6:
Switch(config)# [no] ipv6 dhcp relay
DHCP relay can be configured differently on each ethernet port or VLAN. The maximum number of DHCP servers configured on an interface is 32. To configure DHCP on an interface, use the following steps:
1. Enter the configuration menu for the desired interface (in this example, ethernet interface 1/12 is used):
Switch(config)# interface ethernet 1/12
Switch(config-if)#
2. Configure the DHCP server address:
for DHCPv4:
Switch(config-if)# ip dhcp relay address
for DHCPv6:
Switch(config-if)# ipv6 dhcp relay address
3. To view the current DHCP settings, use the following command:
for DHCPv4:
Switch> display ip dhcp relay
for DHCPv6:
Switch> display ipv6 dhcp relay

DHCPv4 Option 82
DHCPv4 option 82 provides a mechanism for generating IP addresses based on the location in the network of the client device. When you enable the DHCPv4 relay agent option on the switch, it inserts the relay agent information option 82 in the packet. The switch then sends a unicast DHCPv4 request packet to the DHCPv4 server. The DHCPv4 server uses the option 82 field to assign an IP address and sends the packet, with the original option 82 field included, back to the relay agent. The DHCPv4 relay agent strips off the option 82 field in the packet and sends the packet to the DHCPv4 client.
The configuration of this feature is optional. The feature helps resolve several issues where untrusted hosts access the network. See RFC 3046 for details.
To configure DHCPv4 option 82, use the following command:
Switch(config)# ip dhcp relay information option
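
The insert-and-strip cycle described above, shown on the DHCPv4 options field as an added example (not Lenovo code and not part of the original guide). It follows RFC 3046; the function names, the sample options and the circuit and remote ID values are constructed, and what CNOS actually places in the sub-options is not stated in this guide.

```python
RELAY_AGENT_INFO, PAD, END = 82, 0, 255
CIRCUIT_ID, REMOTE_ID = 1, 2             # RFC 3046 sub-option codes

def parse_tlvs(buf, top_level=True):
    """Decode code/length/value triples; PAD and END exist at top level only."""
    out, i = [], 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == PAD:
            i += 1
            continue
        if top_level and code == END:
            break
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option %d" % code)
        length = buf[i + 1]
        out.append((code, bytes(buf[i + 2:i + 2 + length])))
        i += 2 + length
    return out

def build_tlvs(tlvs, top_level=True):
    body = b"".join(bytes([code, len(value)]) + value for code, value in tlvs)
    return body + (bytes([END]) if top_level else b"")

def relay_request(options, circuit_id, remote_id, trusted_circuit=False):
    """Client to server: add option 82 as the last option before END.

    giaddr is assumed to be zero (the request came straight from a client).
    Returns None when the packet must be discarded.
    """
    tlvs = parse_tlvs(options)
    if any(code == RELAY_AGENT_INFO for code, _ in tlvs):
        # RFC 3046 section 2.1: option 82 already present from an untrusted
        # circuit means discard; from a trusted circuit, forward unchanged.
        return options if trusted_circuit else None
    info = build_tlvs([(CIRCUIT_ID, circuit_id), (REMOTE_ID, remote_id)],
                      top_level=False)
    return build_tlvs(tlvs + [(RELAY_AGENT_INFO, info)])

def relay_reply(options):
    """Server to client: strip option 82; return (client options, sub-options)."""
    tlvs = parse_tlvs(options)
    info = [value for code, value in tlvs if code == RELAY_AGENT_INFO]
    subs = dict(parse_tlvs(info[0], top_level=False)) if info else {}
    kept = [t for t in tlvs if t[0] != RELAY_AGENT_INFO]
    return build_tlvs(kept), subs

if __name__ == "__main__":
    # Constructed sample: DHCPDISCOVER options (53 = message type, 55 = parameter list)
    client = bytes([53, 1, 1, 55, 3, 1, 3, 6, END])
    relayed = relay_request(client, b"eth1/12", bytes.fromhex("001122334455"))
    print(relayed.hex())
    print(relay_reply(relayed))
```

The discard branch is the part that matters for untrusted hosts: a client that supplies its own option 82 could otherwise claim a location it is not attached to.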

Switch Login Levels
To enable better switch management and user accountability, two levels or classes of user access have been implemented on the switch. The levels of access to CLI management functions and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:
  Network Operators can only make temporary changes on the switch. These changes will be lost when the switch is reloaded or reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reload of the switch, operators cannot severely impact switch operation.
  Network Administrators are the only ones that may make permanent changes to the switch configuration, changes that are persistent across a reload or reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the device. Because administrators can also make temporary (operator-level) changes as well, they must be aware of the interactions between temporary and permanent changes.
Note: The default (predefined) access classes cannot be removed or their rules modified. Also, new access classes cannot be created.
Access to switch functions is controlled through the use of unique usernames and passwords. Once you are connected to the switch via console, Telnet, or SSH, you are prompted to enter a password. The default username and password combinations for each access level are listed in Table 3.
Note: It is recommended that you change the default switch passwords after initial configuration and as regularly as required under your network security policies.
For more details, see End-user Access Control on page 125.

Table 3. Default Username and Password Combinations
User Account | Password | Description and Tasks Performed | Status
oper | oper | The Operator manages all functions of the switch. The Operator can reset ports, except the management port. | Disabled
admin | admin | The Administrator has complete access to all menus, information, and configuration commands on the switch, including the ability to change both the operator and administrator passwords. | Enabled
To display the current role configurations, use the following command:
Switch> display role

Role : network-admin
  Description: Predefined network admin role has access to all commands on the switch
----------------------------------------------------------------------
Rule    Perm    Type        Scope    Entity
----------------------------------------------------------------------
1       permit  read-write

Role : network-operator
  Description: Predefined network operator role has access to all read commands on the switch
----------------------------------------------------------------------
Rule    Perm    Type        Scope    Entity
----------------------------------------------------------------------
1       permit  read

While a network administrator has access to all of the CLI commands, a network operator has a more limited access, only being able to run commands such as:
  display
  end
  exit
  logout
  quit
  terminal
  enable
  disable
  ping
  ping6
  traceroute
  traceroute6
  ssh
  ssh6
  telnet
  telnet6
  where
  configure device

Ping
Ping (Poll INternet Gateway) is an administration utility used to test the connectivity between two network IP devices. It also measures the length of time it takes for a packet to be sent to a remote host plus the length of time it takes for an acknowledgement of that packet to be received by the source host.
Ping functions by sending an Internet Control Message Protocol (ICMP) echo request to the specified remote host and waiting for an ICMP reply from that host.
Using this method, ping also determines the time interval between when the echo request is sent and when the echo reply is received. This interval is called round-trip time. At the end of the test, ping will display the minimum, maximum, and average round-trip times, and the standard deviation of the mean.
Besides the round-trip time, ping can also measure the rate of packet loss. This is determined by the number of received echo replies over the number of sent echo requests. It is displayed as a percentage.
The Switch also supports ping for IPv6 addressing.
To perform a standard ping test, use the following commands:
IPv4:
Switch# ping vrf management
IPv6:
Switch# ping6 vrf management
For example:
Switch# ping 10.10.10.1 vrf management

PING 10.10.10.1 (10.10.10.1) from 10.10.10.127: 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=61 time=0.368 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=61 time=0.280 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=61 time=0.308 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=61 time=0.291 ms
64 bytes from 10.10.10.1: icmp_seq=5 ttl=61 time=0.320 ms

--- 10.10.10.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 0.280/0.313/0.368/0.034 ms

Note: If no specific VRF instance is configured, the switch uses the default management VRF. In this case, the user can also use the following command:
Switch# ping
or
Switch# ping6

Ping Configurable Parameters
Ping can be configured with various parameters, such as specifying the number or size of echo requests, the time interval between each transmission, or the non-responsive timeout interval for sent packets.

Test Interruption
Ping tests can be manually stopped at any point in the process. When the interruption is detected, ping will stop sending echo requests and display the results based on the packets transmitted up to that point.
To manually terminate a ping test, press.

Ping Count
By default, ping transmits a sequence of five echo requests. To configure the number of packets sent during the test, use the following command:
Switch# ping count
Ping can also be configured to continuously send echo requests until the test is manually interrupted. To achieve this, use the following command:
Switch# ping count unlimited
For IPv6 addressing, the commands are as follows:
Switch# ping6 count
Switch# ping6 count unlimited

Ping Packet Interval
By default, ping does not wait between consecutive echo requests. As soon as an echo reply has been received or the non-responsive timer has expired, ping will send the next echo request.
To configure a time interval, in seconds, between the transmission of packets, use the following command:
Switch# ping interval
For IPv6 addressing, the command is as follows:
Switch# ping6 interval

Ping Packet Size
By default, ping sends echo requests with a packet size of 56 bytes. Specifying a larger size than the default can help in detecting the loss of big packets.
To configure the packet size, in bytes, use the following command:
Switch# ping packet-size
For IPv6 addressing, the command is as follows:
Switch# ping6 packet-size

Ping Source
By default, ping automatically chooses the outgoing interface for echo requests and sends the packets using the IP address of that interface. To check the connectivity of different paths through the network, you can specify the interface used for sending echo requests.
To use a specific interface during the ping test, use the following command:
Switch# ping source
Note: The source IPv4 address is the IP address of the desired switch interface.
You can also choose the interface used for the ping test by directly specifying the desired interface. To achieve this, use the following command (in this example, ethernet port 1/12 is used):
Switch# ping interface ethernet 1/12
For IPv6 addressing, the commands are as follows:
Switch# ping6 source
Switch# ping6 interface ethernet 1/12

Ping DF-Bit
By default, echo requests are fragmented when they are forwarded through the network. Configuring packets not to be fragmented when traversing the network can help in determining the maximum transmission unit (MTU) of the path.
To enable the non-fragmentation of echo requests, use the following command:
Switch# ping df-bit
Note: This parameter is configurable only for IPv4 addressing.

Ping Timeout
By default, after sending an echo request, ping waits up to a maximum of two seconds for an echo reply. If this time interval expires and an echo reply is not received, ping will declare that the remote host has timed out and that the sent packet is lost.
To configure the timeout interval, in seconds, use the following command:
Switch# ping timeout
For IPv6 addressing, the command is as follows:
Switch# ping6 timeout

Ping VRF
By default, ping uses the default Virtual Routing and Forwarding (VRF) instance. To configure ping to use a different VRF instance, use the following command:
Switch# ping vrf {default|management}
Note: You can choose only between the default or management VRF instances.
For IPv6 addressing, the command is as follows:
Switch# ping6 vrf {default|management}

Ping Interactive Mode
To configure a custom ping test, you can choose what parameters to change by combining the previously presented commands.
Besides this option, you can customize a ping test by using Ping Interactive Mode. In this mode, you can configure additional parameters: the type of service (ToS), the hop limit or time to live (TTL) and the data pattern.
Note: Ping Interactive Mode is only available for IPv4 addressing.
To enter Ping Interactive Mode, use the following command:
Switch# ping
You will be prompted to specify the value of each configurable parameter. If you do not enter a value, the default will be used.
Switch# ping

Vrf context to use [default]: management
Protocol [ip]:
Target IP address: 10.241.1.11
Repeat count [5]: 7
Datagram size [56]: 100
Timeout in seconds [2]: 1
Sending interval in seconds [1]:
Extended commands [n]: yes
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: yes
Data pattern [0xABCD]:
PATTERN: 0xabcd
PING 10.241.1.