Lenovo Network Application Guide for Lenovo Cloud Network Operating System 10.4

Upload: nguyencong

Post on 19-Jun-2018

  • Lenovo Network

    Application Guide for Lenovo Cloud Network Operating System 10.4

  • Note: Before using this information and the product it supports, read the general information in the Safety information and Environmental Notices and User Guide documents on the Lenovo Documentation CD, and the Warranty Information document that comes with the product.

    First Edition (June 2017)

    Copyright Lenovo 2017. Portions Copyright IBM Corporation 2014.

    LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administration (GSA) contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS35F05925.

    Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.

  • Copyright Lenovo 2017 3

    Contents

    Preface

    • Who Should Use This Guide
    • Application Guide Overview
    • Additional References
    • Typographic Conventions

    Part 1: Getting Started

    Chapter 1. Switch Administration

    • Administration Interfaces
    • Industry Standard Command Line Interface
    • Establishing a Connection
    • Using the Switch Management Interface
    • Using the Switch Ethernet Ports
    • Using Telnet
    • Using Secure Shell
    • Using SSH with Password Authentication
    • Using SSH with Server Key Authentication
    • Using Simple Network Management Protocol
    • Zero Touch Provisioning
    • DHCP Discovery
    • ZTP Boot File
    • Forcedly Enabling or Disabling ZTP
    • DHCP IP Address Services
    • DHCP Client Configuration
    • DHCPv4 Hostname Configuration (Option 12)
    • DHCPv4 Syslog Server (Option 7)
    • DHCPv4 NTP Server (Option 42)
    • DHCPv4 Vendor Class Identifier (Option 60)
    • DHCPv4 Snooping
    • Configure the DHCPv4 Snooping Binding Table
    • Configure the DHCPv4 Snooping Syslog
    • DHCP Snooping Limitations
    • DHCP Relay Agent
    • DHCPv4 Option 82
    • Switch Login Levels
    • Ping
    • Ping Configurable Parameters
    • Test Interruption
    • Ping Count
    • Ping Packet Interval
    • Ping Packet Size
    • Ping Source
    • Ping DF Bit
    • Ping Timeout
    • Ping VRF
    • Ping Interactive Mode

  • 4 Application Guide for CNOS 10.4

    • Traceroute
    • Traceroute Configurable Parameters
    • Test Interruption
    • Traceroute Source
    • Traceroute VRF
    • Traceroute Interactive Mode
    • Network Time Protocol
    • NTP Synchronization Retry
    • NTP Client and Peer
    • NTP Authentication Field Encryption Key
    • NTP Polling Intervals
    • NTP Preference
    • Dynamic and Static NTP Servers
    • NTP Authentication
    • NTP Authentication Configuration Example
    • Domain Name Server Client
    • System Logging
    • Syslog Outputs
    • Syslog Severity Levels
    • Syslog Time Stamping
    • Syslog Rate Limit
    • Syslog Servers
    • Console Logging Flood Control
    • Duplicate Syslog Message Suppression
    • Core Dump Information
    • Idle Disconnect
    • Python Scripting
    • REST API Programming

    Chapter 2. Using the Command Line Interface

    • CLI Command Modes
    • Command Line Interface Shortcuts
    • CLI List and Range Inputs
    • Command Abbreviation
    • Tab Completion
    • Line Editing
    • Command Aliases
    • Defining Aliases
    • Removing Aliases
    • Displaying Aliases
    • Rules for Using Aliases

    Chapter 3. System License Keys

    • Obtaining License Keys
    • Installing License Keys
    • Uninstalling License Keys
    • Transferring License Keys
    • ONIE License Key

    Chapter 4. Switch Software Management

    • Installing New Software to Your Switch
    • Installing System Images from a Remote Server
    • Installing System Images from a USB Device
    • Installing U-boot from a Remote Server
    • Installing U-boot from a USB Device
    • Selecting a Software Image to Run
    • Reloading the Switch
    • Copying Configuration Files
    • Copy Configuration Files via a Remote Server
    • Copy Configuration Files to a USB Device
    • Resetting the Switch to the Factory Defaults
    • Converting the Switch Software Image from CNOS to ENOS
    • The NE10032 BIOS Menu
    • The Boot Management Menu
    • Switching Between ENOS and CNOS Images Loaded on the G8272
    • Boot Recovery Mode
    • Recovering from a Failed Image Upgrade using TFTP
    • Recovering from a Failed Image Upgrade using XModem Download
    • Physical Presence
    • ONIE Submenu
    • ONIE

    Part 2: Securing the Switch

    Chapter 5. Securing Administration

    • Secure Shell and Secure Copy
    • SSH Encryption and Authentication
    • Generating RSA/DSA Host Key for SSH Access
    • SSH Integration with TACACS+ Authentication
    • Configuring SSH on the Switch
    • Using SSH Client Commands
    • To Log On to the Switch
    • Using Secure Copy
    • Copying a File Using SCP
    • Copying the Startup Configuration Using SCP
    • Copying the Running Configuration Using SCP
    • Copying Technical Support Files Using SCP
    • End-user Access Control
    • Considerations for Configuring End-user Accounts
    • Strong Passwords
    • User Access Control
    • Setting up Users
    • Defining a User's Access Level
    • Deleting a User
    • The Default User
    • Password History Checking
    • Administrator Password Recovery

    Chapter 6. AAA Protocols

    • RADIUS
    • RADIUS Basics
    • How RADIUS Authentication Works
    • RADIUS Authentication Features in Cloud NOS
    • Switch User Accounts
    • RADIUS Attributes for Cloud NOS User Privileges
    • Configuring RADIUS on the Switch
    • TACACS+
    • TACACS+ Basics
    • How TACACS+ Authentication Works
    • TACACS+ Authentication Features in Cloud NOS
    • Authorization
    • Accounting
    • Configuring TACACS+ Authentication on the Switch
    • Authentication, Authorization, and Accounting
    • AAA Groups
    • Group Lists
    • Configuring AAA Groups
    • Authentication
    • Configuring AAA Authentication
    • Authorization
    • Configuring AAA Authorization
    • Accounting
    • Configuring AAA Accounting
    • Public Key Infrastructure
    • PKI Components
    • Implementing a PKI System
    • Removing PKI Components
    • Viewing PKI Components

    Chapter 7. Access Control Lists

    • Supported ACL Types
    • Summary of Packet Classifiers
    • Summary of ACL Actions
    • Configuring Port ACLs (PACLs)
    • Configuring Router ACLs (RACLs)
    • Configuring VLAN ACLs (VACLs)
    • Configuring Management ACLs (MACLs)
    • ACL Order of Precedence
    • Creating and Modifying ACLs
    • Creating an IPv4 ACL
    • Removing an IPv4 ACL
    • Resequencing an IPv4 ACL
    • Creating a MAC ACL
    • Removing a MAC ACL
    • Resequencing a MAC ACL
    • Creating an ARP ACL
    • Removing an ARP ACL
    • Resequencing an ARP ACL

    • Viewing ACL Rule Statistics
    • ACL Configuration Examples
    • ACL Example 1
    • ACL Example 2
    • ACL Example 3
    • ACL Example 4
    • ACL Example 5
    • ACL Example 6

    Part 3: Switch Basics

    Chapter 8. Interface Management

    • Interface Management Overview
    • Management Interface
    • Virtual Routing and Forwarding
    • Physical Ports
    • G8272 Physical Port Capabilities
    • G8296 Physical Port Capabilities
    • G8332 Physical Port Capabilities
    • NE1072T Physical Port Capabilities
    • NE1032T Physical Port Capabilities
    • NE1032 Physical Port Capabilities
    • NE10032 Physical Capabilities
    • CLI Port Format
    • Port Aggregation
    • Loopback Interfaces
    • Switch Virtual Interfaces
    • Basic Interface Configuration
    • Forwarding Error Correction
    • Interface Description
    • Interface Duplex
    • Interface MAC Address
    • Interface Maximum Transmission Unit
    • Interface Shutdown
    • Interface Speed
    • Flow Control
    • Storm Control

    Chapter 9. Forwarding Database

    • MAC Learning
    • Static MAC addresses
    • Aging Time

    Chapter 10. VLANs

    • VLAN Overview

    • VLAN Configuration
    • Creating a VLAN
    • Deleting a VLAN
    • Configuring the State of a VLAN
    • Configuring the Name of a VLAN
    • Configuring a Switch Access Port
    • Configuring the Access VLAN
    • Configuring a Switch Trunk Port
    • Configuring the Allowed VLAN List
    • Configuring the Native VLAN
    • Native VLAN Tagging
    • Configuring Native VLAN Tagging
    • Port VLAN ID Ingress Tagging
    • Configuring PVID Ingress Tagging
    • IPMC Flooding
    • VLAN Topologies and Design Considerations
    • Multiple VLANs with Trunk Mode Adapters
    • VLAN Configuration Example

    Chapter 11. Ports and Link Aggregation

    • Port Configuration Profiles
    • G8272 Port Configuration
    • G8296 Port Configuration
    • G8332 Port Configuration
    • NE1072T Port Configuration
    • NE1032T Port Configuration
    • NE1032 Port Configuration
    • NE10032 Port Configuration
    • Aggregation Overview
    • Creating a LAG
    • Static LAGs
    • Static LAG Configuration Rules
    • Configuring a Static LAG
    • Link Aggregation Control Protocol
    • Configuring LACP
    • System Priority
    • Port Priority
    • LACP Timeout
    • LACP Individual
    • LACP Minimum Links
    • LACP Configuration Example
    • LAG Hashing
    • LAG Hashing Configuration

    Chapter 12. Spanning Tree Protocol

    • STP Overview

    • Bridge Protocol Data Units
    • Determining the Path for Forwarding BPDUs
    • BPDU Guard
    • BPDU Filter
    • Root Guard
    • Loop Guard
    • Port Priority
    • Port Path Cost
    • Error Disable Recovery
    • Port Type and Link Type
    • Edge Port
    • Link Type
    • Rapid Per VLAN Spanning Tree Plus
    • Rapid PVST+ Parameters
    • Bridge Priority
    • Port Priority
    • Port Path Cost
    • Forward Delay
    • Hello Timer
    • Maximum Age Interval
    • Rapid PVST+ Configuration
    • Multiple Spanning Tree Protocol
    • Common Internal Spanning Tree
    • Port States
    • MST Region
    • MSTP Parameters
    • Hop Count
    • Forward Delay
    • Hello Timer
    • Maximum Age Interval
    • Bridge Priority
    • Port Priority
    • Port Path Cost
    • MSTP Configuration
    • MSTP Configuration Example

    Chapter 13. Virtual Link Aggregation Groups

    • vLAG Overview

    • vLAG Capacities
    • vLAG Benefits
    • vLAG Synchronization Mechanism
    • vLAG System MAC
    • vLAG and LACP Individual
    • vLAG and LACP System Priority
    • vLAG LACP Misconfigurations or Cabling Errors
    • FDB Synchronization
    • vLAG and STP
    • vLAG and VRRP
    • vLAG VRRP Passive Mode (Half Active-Active)
    • vLAG VRRP Active Mode (Full Active-Active)
    • vLAG Configuration Consistency Check
    • vLAG and IGMP Snooping
    • Multicast Router Synchronization
    • IGMP Groups Synchronization
    • IGMP Querier Synchronization
    • vLAG Peer Gateway
    • vLAGs versus regular LAGs
    • Configuring vLAGs
    • vLAG ISL
    • vLAG Role Election
    • vLAG Instance
    • FDB Refresh
    • vLAG Tier ID
    • vLAG Startup Delay
    • vLAG Auto-recovery
    • Health Check
    • Basic Health Check Configuration Example
    • Basic vLAG Configuration Example
    • Configuring the ISL
    • Configuring the vLAG
    • vLAG Configuration - VLANs Mapped to a MST Instance
    • Configuring the ISL
    • Configuring the vLAG
    • Configuring vLAGs in Multiple Layers
    • Task 1: Configure Layer 2/3 Border Region
    • Configuring Border Router 1
    • Configuring Border Router 2
    • Task 2: Configure switches in the Layer 2 region
    • Configuring Switch A
    • Configuring Switch B
    • Configuring Switches C and D
    • Configuring Switch E
    • Configuring Switch F

    Chapter 14. Quality of Service

    • QoS Overview

    • Class Maps
    • QoS Classification Types
    • Using ACL Filters
    • Using Class of Service Filters
    • Using DiffServ Code Point (DSCP) Filters
    • Using TCP/UDP Port Filters
    • Using Precedence Filters
    • Using Protocol Filters
    • Queuing Classification Types
    • Class Map Configuration Examples
    • QoS Class Map Configuration Example
    • Queueing Class Map Configuration Example
    • Policy Maps
    • Ingress Policing
    • Defining Single Rate and Dual Rate Policers
    • Marking
    • Queuing Policing
    • Bandwidth
    • Shaping
    • Priority
    • Policy Map Configuration Example
    • QoS Policy Map Configuration Example
    • Queuing Policy Map Configuration Example
    • Control Plane Protection
    • Control Plane Configuration Examples
    • WRED
    • Configuring WRED
    • WRED Configuration Example
    • Interface Service Policy
    • Limitations
    • Microburst Detection

    Chapter 15. CEE

    • RoCE and iSCSI
    • RoCE Requirements
    • Converged Enhanced Ethernet
    • Turning CEE On or Off
    • Effects on Link Layer Discovery Protocol
    • Effects on 802.1p Quality of Service
    • Effects on Flow Control
    • Priority-Based Flow Control
    • PFC Configuration
    • PFC Configuration Example
    • Enhanced Transmission Selection
    • 802.1p Priority Values
    • Priority Groups
    • PGID
    • Assigning Priority Values to a Priority Group
    • Allocating Bandwidth
    • Configuring ETS

    • Data Center Bridging Capability Exchange
    • DCBX Modes
    • DCBX Settings
    • Enabling and Disabling DCBX
    • Peer Configuration Negotiation
    • Configuring DCBX
    • CEE Configuration Examples
    • CEE Example 1
    • CEE Example 2

    Part 4: IP Routing

    Chapter 16. Basic IP Routing

    • IP Routing
    • Direct and Indirect Routing
    • Static Routing
    • Dynamic Routing
    • Default Gateway
    • Virtual Routing and Forwarding
    • Routing Information Base
    • Routes with Indirect Nexthops
    • Bidirectional Forwarding Detection
    • BFD Asynchronous Mode
    • BFD Echo Mode
    • BFD Peer Support
    • BFD Static Routes
    • BFD Authentication
    • Generalized TTL Security Mechanism
    • BFD and BGP
    • BFD and OSPF
    • Routing Between IP Subnets
    • Example of Subnet Routing
    • Using VLANs to Segregate Broadcast Domains
    • Configuration Example
    • ECMP Static Routes
    • RIB Support for ECMP Routes
    • ECMP Hashing
    • Configuring ECMP Static Routes
    • Dynamic Host Configuration Protocol
    • Internet Control Message Protocol
    • ICMP Redirects
    • ICMP Port Unreachable
    • ICMP Unreachable (except Port)

    Chapter 17. Routed Ports

    • Routed Ports Overview
    • Configuring a Routed Port
    • Configuring OSPF on Routed Ports
    • OSPF Configuration Example

    Chapter 18. Address Resolution Protocol

    • ARP Overview
    • ARP Aging Timer
    • ARP Inspection
    • Static ARP Entries
    • Static ARP Configuration Example
    • ARP Entry States
    • ARP Table Refresh

    Chapter 19. Internet Protocol Version 6

    • IPv6 Address Format
    • IPv6 Address Types
    • Unicast Address
    • Multicast
    • Anycast
    • IPv6 Interfaces
    • Neighbor Discovery
    • Neighbor Discovery Overview
    • Router
    • Supported Applications
    • Configuration Guidelines
    • IPv6 Configuration Examples
    • IPv6 Example 1
    • IPv6 Example 2
    • IPv6 Limitations

    Chapter 20. Internet Group Management Protocol

    • IGMP Terms
    • How IGMP Works
    • IGMP Capacity and Default Values
    • IGMP Snooping
    • IGMPv3 Snooping
    • Spanning Tree Topology Change
    • IGMP Querier
    • Querier Election
    • Multicast Router Discovery
    • IGMP Query Messages
    • IGMP Groups
    • IGMP Snooping Configuration Guidelines
    • IGMP Snooping Configuration Example
    • Advanced IGMP Snooping Configuration Example
    • Prerequisites
    • Configuration
    • Switch A Configuration
    • Switch B Configuration
    • Switch C Configuration
    • Troubleshooting

    • Additional IGMP Features
    • Report Suppression
    • Robustness Variable
    • Fast Leave
    • Static Multicast Router

    Chapter 21. Border Gateway Protocol

    • BGP Overview
    • BGP Router Identifier
    • Internal Routing Versus External Routing
    • Route Reflector
    • Route Reflection Configuration Example
    • Restrictions
    • Forming BGP Peer Routers
    • BGP Peers and Dynamic Peers
    • Static Peers
    • Dynamic Peers
    • Loopback Interfaces
    • What is a Route Map?
    • Next Hop Peer IP Address
    • Incoming and Outgoing Route Maps
    • Precedence
    • Configuration Overview
    • Aggregating Routes
    • Redistributing Routes
    • BGP Communities
    • BGP Community
    • BGP Extended Community
    • BGP Confederation
    • BGP Path Attributes
    • Well-Known Mandatory
    • Well-Known Discretionary
    • Optional Transitive
    • Optional Non-Transitive
    • Best Path Selection Logic
    • BGP Best Path Selection
    • BGP Weight
    • Local Preference
    • Metric (Multi-Exit Discriminator) Attribute
    • Next Hop
    • Best Path Selection Tuning
    • BGP ECMP

    • BGP Features and Functions
    • AS Path Filter
    • BGP Capability Code
    • Administrative Distance
    • TTL Security Check
    • Local AS
    • BGP Authentication
    • Originate Default Route
    • IP Prefix List Filter
    • Dynamic Capability
    • BGP Graceful Restart
    • BGP Damping
    • Soft Reconfiguration Inbound
    • BGP Route Refresh
    • BGP Multiple Address Families
    • BGP and BFD
    • BGP Next Hop Tracking
    • BGP Tuning
    • BGP Failover Configuration
    • Default Redistribution and Route Aggregation Example
    • Designing a Clos Network Using BGP
    • Clos Network BGP Configuration Example
    • Configure Fabric Switch SF1
    • Configure Spine Switch SP11
    • Configure Leaf Switch LP11

    Chapter 22. Open Shortest Path First

    • OSPFv2 Overview
    • Types of OSPF Areas
    • Types of OSPF Routing Devices
    • Neighbors and Adjacencies
    • The Link State Database
    • The Shortest Path First Tree
    • Internal Versus External Routing

    • OSPFv2 Implementation in Cloud NOS
    • Configurable Parameters
    • Defining Areas
    • Using the Area ID to Assign the OSPF Area Number
    • Attaching an Area to a Network
    • Interface Cost
    • Electing the Designated Router and Backup
    • Summarizing Routes
    • Default Routes
    • Virtual Links
    • Router ID
    • Authentication
    • Configuring Plain Text OSPF Passwords
    • Configuring MD5 Authentication
    • Loopback Interfaces in OSPF
    • Graceful Restart Helper
    • OSPF and BFD
    • OSPFv2 Configuration Examples
    • Example 1: Simple OSPF Domain
    • Example 2: Virtual Links
    • Configuring OSPF for a Virtual Link on Switch 1
    • Configuring OSPF for a Virtual Link on Switch 2
    • Other Virtual Link Options
    • Example 3: Summarizing Routes
    • Verifying OSPF Configuration

    Chapter 23. Route Maps

    • Route Maps Overview
    • Permit and Deny Rules
    • Match and Apply Clauses
    • Route Maps Configuration Example

    Part 5: High Availability Fundamentals

    Chapter 24. Basic Redundancy

    • Aggregating for Link Redundancy
    • Virtual Link Aggregation

    Chapter 25. Virtual Router Redundancy Protocol

    • VRRP Overview
    • VRRP Components
    • Virtual Router
    • Virtual Router MAC Address
    • Owners and Renters
    • Master and Backup Virtual Router
    • Virtual Interface Router
    • Assigning VRRP Virtual Router ID
    • VRRP Operation
    • Selecting the Master VRRP Router
    • Failover Methods
    • Active-Active Redundancy

    CloudNOSExtensionstoVRRP....................525VRRPAdvertisementIntervalandSubsecondFailover........525InterfaceTracking .........................526SwitchBackDelay.........................526BackwardCompatibilitywithVRRPv2................527VRRPAcceptMode ........................527VRRPPreemption .........................528VRRPPriority ..........................528IPv6VRRP............................529

    ConfiguringtheSwitchforTracking ..................531BasicVRRPConfiguration .......................532HighAvailabilityConfiguration....................534

    VRRPHighAvailabilityUsingMultipleVIRs .............534Task1:ConfigureSwitch1 ...................535Task2:ConfigureSwitch2 ...................536

    Part 6: Network Management

    Chapter 26. Link Layer Discovery Protocol
        LLDP Overview
        Enabling or Disabling LLDP
        LLDP Transmit Features
            Scheduled Interval
            Minimum Interval
            Time to Live for Transmitted Information
            Trap Notifications
            Changing the LLDP Transmit State
            Types of Information Transmitted
        LLDP Receive Features
            Types of Information Received
            Time to Live for Received Information
            Viewing Remote Device Information
        Debugging LLDP
        LLDP Example Configuration

    Chapter 27. Service Location Protocol
        SLP Agents Communication
            SLP Specific Messages
            SLP Supported Service Attributes
        SLP Configuration

    Chapter 28. Simple Network Management Protocol
        SNMP Versions
            SNMP Version 1 & Version 2
            SNMP Version 3
        SNMP Protocol Details
            SNMP Notifications
            SNMP Device Contact and Location
            One-Time Authentication for SNMP over TCP
        Default Configuration
        Configuration Examples
            Basic SNMP Configuration Example
            User Configuration Example
            Configuring SNMP Trap Hosts
        SNMP MIBs

    Chapter 29. Telemetry
        Network Telemetry Overview
        CNOS Telemetry Architecture
        The Ganglia Analytics Application
            The Ganglia Agent
            The Central Data Aggregator
            The Data Visualization Front End
            The Ganglia Metric Tool
            Using Ganglia with CNOS
        Types of Data Supplied by the CNOS Telemetry Agent
            Buffer Statistics
                Congestion Drop Counters
                Buffer Utilization Counters
        Setting Up the CNOS Telemetry Agent
            Enable the Telemetry Agent
            Configure the Telemetry Controller
            Set Up the Telemetry Heartbeat
        Configuring Telemetry Agent Parameters
            Congestion Drop Counters
            BST Buffer Counters
            Detect Congestion After it Happens
            Predicting Congestion Before it Happens
            Capacity Planning Based on Trend Analysis

    Part 7: Hyperconverged Infrastructure

    Chapter 30. Network Policy Agent
        Overview
        Setting up the Nutanix VDM Plugin
        Viewing Virtual Domain Information
        Unsubscribing to Nutanix VDM Notifications
        Dynamic VLANs and the VDM
            Dynamic VLAN Considerations
            Dynamic VLAN Commands

    Part 8: Monitoring

    Chapter 31. Port Mirroring
        Port Mirroring Overview
        SPAN Configuration
            Sources
            Destinations
            Sessions
            Configuration Example
        ERSPAN Configuration
            Session Types
            Sources
            Destinations
            ERSPAN Source Session Configuration Example
            ERSPAN Destination Session Configuration Example
        Limitations

    Part 9: Appendices

    Appendix A. Getting help and technical assistance

    Appendix B. Notices
        Trademarks
        Important Notes
        Recycling Information
        Particulate Contamination
        Telecommunication Regulatory Statement
        Electronic Emission Notices
            Federal Communications Commission (FCC) Statement
            Industry Canada Class A Emission Compliance Statement
            Industry Canada Regulatory Compliance Notice (Avis de Conformité à la Réglementation d'Industrie Canada)
            Australia and New Zealand Class A Statement
            European Union Compliance to the Electromagnetic Compatibility Directive
            Germany Class A Statement
            Japan VCCI Class A Statement
            Japan Electronics and Information Technology Industries Association (JEITA) Statement
            Korea Communications Commission (KCC) Statement
            Russia Electromagnetic Interference (EMI) Class A statement
            People's Republic of China Class A electronic emission statement
            Taiwan Class A compliance statement

    Index


    Preface

    This Application Guide describes how to configure and use the Lenovo Cloud Network Operating System 10.4 software on the following Lenovo RackSwitches:

    Lenovo RackSwitch G8272. For documentation on installing the switch physically, see the Lenovo RackSwitch G8272 Installation Guide.

    Lenovo RackSwitch G8296. For documentation on installing the switch physically, see the Lenovo RackSwitch G8296 Installation Guide.

    Lenovo RackSwitch G8332. For documentation on installing the switch physically, see the Lenovo RackSwitch G8332 Installation Guide.

    Lenovo ThinkSystem NE1032T RackSwitch. For documentation on installing the switch physically, see the Lenovo ThinkSystem NE1032T RackSwitch Installation Guide.

    Lenovo ThinkSystem NE1032 RackSwitch. For documentation on installing the switch physically, see the Lenovo ThinkSystem NE1032 RackSwitch Installation Guide.

    Lenovo ThinkSystem NE1072T RackSwitch. For documentation on installing the switch physically, see the Lenovo ThinkSystem NE1072T RackSwitch Installation Guide.

    Lenovo ThinkSystem NE10032 RackSwitch. For documentation on installing the switch physically, see the Lenovo ThinkSystem NE10032T RackSwitch Installation Guide.


    Who Should Use This Guide

    This guide is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, Spanning Tree Protocol, and SNMP configuration parameters.


    Application Guide Overview

    This guide will help you plan, implement, and administer the Cloud NOS (CNOS) software. Where possible, each section provides feature overviews, usage examples, and configuration instructions. The following material is included:

    Part 1: Getting Started

    This material is intended to help those new to CNOS products with the basics of switch management. This part includes the following chapters:

    Chapter 2, "Using the Command Line Interface," describes the CNOS command line interface modes, commands, keyboard shortcuts, and aliases.

    Chapter 1, "Switch Administration," describes how to access the switch to configure the switch, and view switch information and statistics. This chapter discusses a variety of manual administration interfaces, including local management via the switch console, and remote administration via Telnet or Secure Shell.

    Chapter 3, "System License Keys," describes how to install additional features on the switch.

    Chapter 4, "Switch Software Management," describes how to update the CNOS software operating on the switch and how to convert from CNOS to ENOS.

    Part 2: Securing the Switch

    This material contains information about implementing security protocols on the switch. This part includes the following chapters:

    Chapter 5, "Securing Administration," describes methods for using Secure Shell for administration connections, and configuring end-user access control.

    Chapter 6, "AAA Protocols," describes different secure administration methods for remote administrators. This includes using RADIUS, Terminal Access Controller Access-Control System Plus (TACACS+) and Authentication, Authorization, and Accounting (AAA).

    Chapter 7, "Access Control Lists," describes how to use filters to permit or deny specific types of traffic, based on a variety of source, destination, and packet attributes.

    Part 3: Switch Basics

    This material contains information about setting up features on the switch. This part includes the following chapters:

    Chapter 8, "Interface Management," describes how to configure the switch interfaces, like the ethernet or management ports.

    Chapter 9, "Forwarding Database," describes how a Layer 2 device can be configured to learn and store MAC addresses and their corresponding ports.

    Chapter 10, "VLANs," describes how to configure Virtual Local Area Networks (VLANs) for creating separate network segments, including how to use VLAN tagging for devices that use multiple VLANs.


    Chapter 11, "Ports and Link Aggregation," describes how to group multiple physical ports together to aggregate the bandwidth between large-scale network devices.

    Chapter 12, "Spanning Tree Protocol," describes how to use the Rapid Per-VLAN Spanning Tree Plus (Rapid PVST+) and Multiple Spanning Tree Protocol (MSTP) to build a loop-free network topology.

    Chapter 13, "Virtual Link Aggregation Groups," describes using Virtual Link Aggregation Groups (VLAGs) to form LAGs spanning multiple VLAG-capable aggregator switches.

    Chapter 14, "Quality of Service," discusses Quality of Service (QoS) features, including IP filtering using class maps, Differentiated Services, and IEEE 802.1p priority values.

    Chapter 15, "CEE," discusses using various Converged Enhanced Ethernet (CEE) features such as Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS) and Data Center Bridging Capability Exchange (DCBX).

    Part 4: IP Routing

    This part includes the following chapters:

    Chapter 16, "Basic IP Routing," describes how to configure the switch for IP routing using IP subnets, BFD, DHCP Relay and VRF.

    Chapter 17, "Routed Ports," describes how to configure a switch port to forward Layer 3 traffic.

    Chapter 18, "Address Resolution Protocol," describes how to use the Address Resolution Protocol (ARP) protocol to map an IPv4 address to a MAC address.

    Chapter 19, "Internet Protocol Version 6," describes how to configure the switch to use IPv6.

    Chapter 20, "Internet Group Management Protocol," describes how CNOS implements Internet Group Management Protocol (IGMP) Snooping to conserve bandwidth in a multicast switching environment.

    Chapter 21, "Border Gateway Protocol," describes Border Gateway Protocol (BGP) concepts and features supported in CNOS.

    Chapter 22, "Open Shortest Path First," describes key Open Shortest Path First (OSPF) concepts, and how they are implemented in CNOS, and provides examples of how to configure your switch for OSPF support.

    Chapter 23, "Route Maps," describes route maps that are used to define route policy by permitting or denying certain routes based on a configured set of rules.

    Part 5: High Availability Fundamentals

    This part includes the following chapters:

    Chapter 24, "Basic Redundancy," describes how the switch supports redundancy through LAGs and VLAGs.


    Chapter 25, "Virtual Router Redundancy Protocol," describes how the switch supports high-availability network topologies using Virtual Router Redundancy Protocol (VRRP).


    Part 6: Network Management

    This part includes the following chapters:

    Chapter 26, "Link Layer Discovery Protocol," describes how Link Layer Discovery Protocol (LLDP) helps neighboring network devices learn about each other's ports and capabilities.

    Chapter 27, "Service Location Protocol," describes the Service Location Protocol (SLP) that allows the switch to provide dynamic directory services.

    Chapter 28, "Simple Network Management Protocol," describes how to configure the switch for management through a Simple Network Management Protocol (SNMP) client.

    Chapter 29, "Telemetry," describes the CNOS Network Telemetry Agent and how to use the data it provides to fine-tune your network.

    Part 8: Monitoring

    This part includes the following chapter:

    Chapter 31, "Port Mirroring," discusses tools to copy selected port traffic to a remote monitor port for network analysis.

    Part 7: Hyperconverged Infrastructure

    This part includes the following chapter:

    Chapter 30, "Network Policy Agent," describes how to use the CNOS network policy agent plugin that works with Nutanix's Virtual Domain Module.

    Part 9: Appendices

    This part includes the following appendices:

    Appendix A, "Getting help and technical assistance," provides details on where to go for additional information about Lenovo and Lenovo products.

    Appendix B, "Notices," contains safety and environmental notices.


    Additional References

    Additional information about installing and configuring your switch is available in the following guides:

    Lenovo Network Command Reference for Lenovo Cloud Network Operating System 10.4

    Lenovo Network Release Notes for Lenovo Cloud Network Operating System 10.4 for your switch

    Lenovo Network Python Programming Guide for Lenovo Cloud Network Operating System 10.4

    Lenovo Network REST API Programming Guide for Lenovo Cloud Network Operating System 10.4


    Typographic Conventions

    The following table describes the typographic styles used in this book.

    Table 1. Typographic Conventions

    Typeface or Symbol: ABC123
    Meaning: This type is used for names of commands, files, and directories used within the text.
    Example: View the readme.txt file.
    Meaning: It also depicts on-screen computer output and prompts.
    Example: Switch#

    Typeface or Symbol: ABC123
    Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
    Example: Switch# ping

    Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets.
    Example: To establish a Telnet session, enter: Switch# telnet
    Meaning: This also shows book titles, special terms, or words to be emphasized.
    Example: Read your User's Guide thoroughly.

    Typeface or Symbol: {}
    Meaning: Command items shown inside brackets are mandatory and cannot be excluded. Do not type the brackets.
    Example: Switch# cp {ftp|sftp}

    Typeface or Symbol: []
    Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
    Example: Switch# configure [device]

    Typeface or Symbol: |
    Meaning: The vertical bar (|) is used in command examples to separate choices where multiple options exist. Select only one of the listed options. Do not type the vertical bar.
    Example: Switch# cp {ftp|sftp}

    Meaning: This block type depicts menus, buttons, and other controls that appear in graphical interfaces.
    Example: Click the button.


    Part 1: Getting Started

    This section discusses the following topics:

    "Switch Administration" on page 31

    "System License Keys" on page 87

    "Switch Software Management" on page 93


    Chapter 1. Switch Administration

    Your RackSwitch is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively.

    The extensive Lenovo Cloud Network Operating System for the switch provides a variety of options for accessing the switch to perform a variety of configurations and to view switch information and statistics.

    This chapter discusses the various methods that can be used to administer the switch.


    Administration Interfaces

    Cloud NOS provides a variety of user interfaces for administration. These interfaces vary in character and in the methods used to access them. Some are text-based and some are graphical; some are available by default, while others require configuration; some can be accessed by local connection to the switch, while others are accessed remotely using various client applications. For example, administration can be performed using any of the following:

    A built-in, text-based command line interface (CLI) and menu system for switch access via a serial port connection or an optional Telnet or SSH session

    SNMP support for access through third-party commercial and open-source network management applications.

    The specific interface chosen for an administrative session depends on your preferences, the switch configuration, and the available client tools.

    In all cases, administration requires that the switch hardware is properly installed and turned on (see the Lenovo RackSwitch Installation Guide).


    Industry Standard Command Line Interface

    The Industry Standard Command Line Interface (ISCLI) provides a simple and direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance.

    You can establish a connection to the ISCLI in any of the following ways:

    Serial connection via the serial port on the switch (this option is always available)

    Telnet connection over the network

    SSH connection over the network


    Establishing a Connection

    The factory default settings permit initial switch administration through only the built-in serial port. All other forms of access require additional switch configuration before they can be used.

    Remote access using the network requires the accessing terminal to have a valid, routable connection to the switch interface. The client IP address may be configured manually, or an IP address can be provided automatically to the switch using a service such as DHCP (see "DHCP IP Address Services" on page 44). An IPv6 address can also be obtained using IPv6 stateless address configuration.

    Note: Throughout this manual, "IP address" is used in places where either an IPv4 or IPv6 address is allowed. IPv4 addresses are entered in dotted-decimal notation (for example, 10.10.10.1), while IPv6 addresses are entered in hexadecimal notation (for example, 2001:db8:85a3::8a2e:370:7334). In places where only one type of address is allowed, "IPv4 address" or "IPv6 address" is specified.

    Using the Switch Management Interface

    To manage the switch through the management interface, you must configure it with an IP interface. Configure the IP address and network mask and default gateway address:

    1. Log on to the switch.

    2. Enter Global Configuration mode.

        Switch> enable
        Switch# configure device
        Switch(config)#

    3. Configure a management IP address and network mask:

    IPv4 configuration:

        Switch(config)# interface mgmt 0
        Switch(config-if)# ip address /
        Switch(config-if)# exit

    IPv6 configuration:

        Switch(config)# interface mgmt 0
        Switch(config-if)# ipv6 address /
        Switch(config-if)# exit

    4. Configure the appropriate default gateway:

    IPv4 configuration:

        Switch(config)# vrf context management
        Switch(config-vrf)# ip route 0.0.0.0 0.0.0.0 
        Switch(config-vrf)# exit

    IPv6 configuration:

        Switch(config)# vrf context management
        Switch(config-vrf)# ipv6 route ::/0 
        Switch(config-vrf)# exit

    Once you configure a management IP address for your switch, you can connect to the management port and use a Telnet or an SSH client from an external management station to access and control the switch. The management port provides out-of-band management.

    Note: To use a telnet client, you must first enable telnet access with the command:

        Switch(config)# feature telnet

    Using the Switch Ethernet Ports

    You also can configure in-band management through any of the switch ethernet ports. To allow in-band management, use the following procedure:

    1. Log on to the switch.

    2. Enter interface mode and configure an ethernet interface as routed port.

        Switch> enable
        Switch# configure device
        Switch(config)# interface ethernet /
        Switch(config-if)# no bridge-port

    3. Configure the interface IP address and network mask.

    IPv4 configuration:

        Switch(config-if)# ip address /

    IPv6 configuration:

        Switch(config-if)# ipv6 address /

    4. Configure the default gateway.

    IPv4 configuration:

        Switch(config)# vrf context management
        Switch(config-vrf)# ip route 0.0.0.0 0.0.0.0 
        Switch(config-vrf)# exit

    IPv6 configuration:

        Switch(config)# vrf context management
        Switch(config-vrf)# ipv6 route ::/0 
        Switch(config-vrf)# exit


    Once you configure the IP address and have a network connection, you can use a Telnet or an SSH client from an external management station to access and control the switch. Once the default gateway is enabled, the management station and the switch do not need to be on the same IP subnet.

    The switch supports an industry standard command line interface (ISCLI) that you can use to configure and control the switch over the network using a Telnet or an SSH client. You can use the ISCLI to perform many basic network management functions. In addition, you can configure the switch for management using an SNMP-based network management system.

    For more information, see the documents listed in "Additional References" on page 27.

    Using Telnet

    A Telnet connection offers the convenience of accessing the switch from a workstation connected to the network. Telnet access provides the same options for user and administrator access as those available through the console port.

    By default, Telnet access is disabled. Use the following command to enable or disable Telnet access:

        Switch(config)# [no] feature telnet

    Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network.

    To establish a Telnet connection with the switch, run the Telnet client on your workstation, use Telnet as the protocol type and the switch's IP address as the hostname.

    You will then be prompted to enter a password as explained in "Switch Login Levels" on page 51.

    By default, Telnet uses TCP port 23 of the remote host to establish a connection from the switch. When initializing a Telnet session, you can specify the TCP port of the remote host by using the following command on the switch:

        Switch# telnet port

    Note: The specified port will be used only for the current Telnet session. Future sessions will not use the selected port.

    By default, Telnet clients will connect to the local Telnet server using TCP port 23 on the switch. To configure the TCP port used by a Telnet client when establishing a connection to the switch, use the following command:

        Switch(config)# telnet server port


    Using Secure Shell

    Although a remote network administrator can manage the configuration of a switch via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure.

    By default, SSH access is enabled. Use the following command to enable or disable SSH access:

        Switch(config)# [no] feature ssh

    The switch can do only one session of key/cipher generation at a time. Thus, an SSH client will not be able to log in if the switch is doing key generation at that time. Similarly, the system will fail to do the key generation if an SSH client is logging in at that time.

    The supported SSH encryption and authentication methods are:

    Server Host Authentication: Client RSA-authenticates the switch when starting each connection

    Key Exchange: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-nistp224, ecdh-sha2-nistp192, rsa2048-sha256, rsa1024-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

    Encryption: aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256

    MAC: hmac-sha1, hmac-ripemd160, [email protected]

    User Authentication: Local password authentication, TACACS+

    Lenovo Cloud Network Operating System implements the SSH version 2.0 standard and is confirmed to work with SSH version 2.0-compliant clients such as the following:

    OpenSSH_5.4p1 for Linux

    SecureCRT Version 5.0.2 (build 1021)

    Putty SSH release 0.60

    Using SSH with Password Authentication

    Once the IP parameters are configured, you can access the command line interface using an SSH connection.

    To establish an SSH connection with the switch, run the SSH client on your workstation, use SSH as the protocol type and the switch's IP address as the hostname.

    You will then be prompted to enter a password as explained in "Switch Login Levels" on page 51.


    Using SSH with Server Key Authentication

    SSH can also be used for switch authentication based on asymmetric cryptography. Server encryption keys can be generated on the switch and used to authenticate incoming login attempts based on the client's private encryption key pairs. After a predefined number of failed server key authentication attempts, a login error will appear and the SSH session will be disconnected.

    To set up server key authentication:

    1. Disable SSH:

        Switch(config)# no feature ssh

    Note: SSH settings cannot be modified if SSH is enabled.

    2. Generate an SSH key:

    DSA:

        Switch(config)# ssh key dsa [force]

    RSA:

        Switch(config)# ssh key rsa [force]

    Note: You can also configure the length of the RSA key by using the following command:

        Switch(config)# ssh key rsa length

    3. Configure a maximum number of failed server key authentication attempts before the SSH session will be disconnected:

        Switch(config)# ssh login-attempts

    Note: The default number of failed attempts is 3.

    4. Re-enable SSH:

        Switch(config)# feature ssh

    Once the server key is configured on the switch, a client can use SSH to log in from a system where the private key pair is set up.


    Using Simple Network Management Protocol

    CNOS provides Simple Network Management Protocol (SNMP) version 1, 2, and 3 support for access through any network management software, such as Switch Center or Lenovo XClarity.

    Note: The SNMP read function is enabled by default. For best security practices, if SNMP is not needed for your network, disable this function prior to connecting the switch to the network.

    To access the SNMP agent on the switch, the read and write community strings on the SNMP manager must be configured to match those on the switch.

    The read and write community strings on the switch can be configured using the following commands:

    read-only access community string:

        Switch(config)# snmp-server community ro

    read-write access community string:

        Switch(config)# snmp-server community rw

    The SNMP manager must be able to reach any one of the IP interfaces on the switch.

    For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following command:

        Switch(config)# snmp-server host traps version 1

    For more information on SNMP usage and configuration, see Chapter 28, "Simple Network Management Protocol."
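    The Telnet, SSH and SNMP settings covered in this chapter can be reviewed together from a saved configuration. The following is an added example, not part of the Lenovo guide: it starts from the defaults the chapter states (Telnet disabled, SSH enabled, 3 failed attempts) and applies the commands in order. The sample configuration is constructed, and the argument positions of the community string, trap host address and numeric values are assumptions, because the guide's parameter placeholders are not shown above.

```python
import re

# Defaults as stated in this chapter: Telnet disabled, SSH enabled,
# three failed server key authentication attempts before disconnect.
DEFAULTS = {"telnet": False, "ssh": True, "login_attempts": 3}

# Constructed sample, not output captured from a switch. Argument
# positions (community name, host address, numbers) are assumptions.
SAMPLE_CONFIG = """\
feature telnet
telnet server port 2323
no feature ssh
ssh login-attempts 10
snmp-server community EXAMPLE-RO ro
snmp-server community EXAMPLE-RW rw
snmp-server host 192.0.2.10 traps version 1 EXAMPLE-RO
"""


def effective_state(config_text):
    """Apply configuration lines in order on top of the documented defaults."""
    state = dict(DEFAULTS, telnet_port=23, communities={}, v1_trap_hosts=[])
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace
        m = re.fullmatch(r"(no )?feature (telnet|ssh)", line)
        if m:
            state[m[2]] = m[1] is None  # the "no" form disables the feature
            continue
        m = re.fullmatch(r"ssh login-attempts (\d+)", line)
        if m:
            state["login_attempts"] = int(m[1])
            continue
        m = re.fullmatch(r"telnet server port (\d+)", line)
        if m:
            state["telnet_port"] = int(m[1])
            continue
        m = re.fullmatch(r"snmp-server community (\S+) (ro|rw)", line)
        if m:
            state["communities"][m[1]] = m[2]
            continue
        m = re.fullmatch(r"snmp-server host (\S+) traps version 1( .*)?", line)
        if m:
            state["v1_trap_hosts"].append(m[1])
    return state


def audit(config_text):
    """Return (id, message) findings; community names are never echoed."""
    s = effective_state(config_text)
    findings = []
    if s["telnet"]:
        findings.append(("telnet-enabled",
                         f"Telnet server on TCP {s['telnet_port']}: the session is "
                         "not a secure connection, whatever port it listens on"))
    if not s["ssh"]:
        findings.append(("ssh-disabled", "SSH is off (it is on by default)"))
    if s["telnet"] and not s["ssh"]:
        findings.append(("cleartext-only-cli",
                         "the only remote CLI path is unencrypted Telnet"))
    if s["login_attempts"] > DEFAULTS["login_attempts"]:
        findings.append(("ssh-login-attempts-raised",
                         f"{s['login_attempts']} failed attempts allowed, default is 3"))
    for mode in s["communities"].values():
        if mode == "rw":
            findings.append(("snmp-rw-community",
                             "a read-write community string is configured"))
    for host in s["v1_trap_hosts"]:
        findings.append(("snmpv1-traps",
                         f"SNMPv1 traps to {host} carry the community string in cleartext"))
    return findings


if __name__ == "__main__":
    for finding_id, message in audit(SAMPLE_CONFIG):
        print(f"{finding_id}: {message}")
```

    An empty configuration yields no findings here because the audit only sees explicit commands; the default-enabled SNMP read function mentioned in the note above has to be checked on the switch itself.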


    Zero Touch Provisioning

    Zero Touch Provisioning (ZTP) enables a switch to automatically provision itself using the resources available on the network without manual intervention. When a switch with ZTP enabled starts up, it locates a DHCP server which provides the switch with an interface IPv4 address and a gateway IPv4 address. The switch then obtains the IP address of a TFTP server from which it will download the necessary boot file. The next step is for the switch to run the boot file.

    On the switch, ZTP will trigger when any of the following conditions are met:

    a switch boots with no startup configuration (only the default configuration)

    the startup configuration is erased and the switch is reloaded

    ZTP is forcedly enabled from the CLI

    Note: ZTP will not be triggered if it is forcedly disabled from the CLI.

    During the boot process, if the switch does not find a startup configuration and ZTP is enabled, the switch will enter ZTP mode. When forcedly enabled from the CLI, the switch enters ZTP mode regardless of the presence of a startup configuration. The switch will search for available DHCP servers and request them to acquire an interface address, a gateway address, the TFTP server address, and the boot file name.

    After the information from the DHCP server is obtained, ZTP will download and run the boot file, and then execute the ZTP process according to the boot file. ZTP automatically handles the process of upgrading the switch software image and installing configuration files.

    Notes:

    During the boot process, a prompt will appear asking if you want to abort or continue the ZTP process. If you choose to exit ZTP, the switch will continue with its normal boot process, using the default configuration or any startup configuration, if one is present on the switch and ZTP was forcedly enabled from the CLI.

    If ZTP was forcedly enabled and no DHCP server was found during the ZTP process, any IPv4 address previously configured manually on the management interface will be removed.

    If ZTP is canceled during its execution, the switch exits ZTP mode. If an interface IPv4 address was obtained, it will not be released. If any files were downloaded, they will not be deleted.

    Important ZTP events are logged by the switch and are available for display from a console session.


    DHCP Discovery

    After entering ZTP mode, the switch sends a DHCP discover message on its management interface requesting DHCP offers from the DHCP servers present on the network. The receiving DHCP server replies with a DHCP offer message.

    When the DHCP client receives the DHCP offer message, it will request the DHCP server to send the following information:

    an interface IPv4 address

    a gateway IPv4 address

    the TFTP server IP address (using option 66)

    the boot file name (using option 67)

    The switch completes the DHCP negotiation process (request and acknowledgement) with the DHCP server, which assigns the switch an IPv4 address. The switch then uses the acquired TFTP server IP address to contact the TFTP server. The boot file name contains the complete file path of the boot file on the TFTP server. The switch then downloads the boot file.

    If no DHCP servers reply to the DHCP discover message or if no DHCP offer meets the ZTP requirements, the switch will be unable to complete the DHCP negotiation and an IPv4 address is not assigned (except the default IPv4 address 192.168.50.50/24, but this cannot help the switch finalize the ZTP process). ZTP will try three times to successfully obtain the required information. If it fails the DHCP negotiation three times, the switch exits ZTP mode and continues the normal boot process.

    Notes:

    The interface IPv4 address obtained from the DHCP server is kept and used even after the ZTP process is over.

    ZTP supports only DHCPv4 and not DHCPv6.

    ZTP supports only TFTP and not FTP, SCP, HTTP, or other transfer protocols.

    DHCP servers must be configured with options 66 and 67 to ensure that the switch always obtains the TFTP server hostname and the boot file name during the ZTP process.

    DHCP options 66 and 67 are enabled by default on the switch. If either of them is intentionally disabled, the ZTP process will result in a failure.

    DHCP option 66 provides the IP address of a single TFTP server. To enable or disable DHCP option 66, use the following command:

        Switch(config)# [no] ip dhcp client request tftp-server-name

    DHCP option 67 provides the file path of the boot file needed by ZTP. To enable or disable DHCP option 67, use the following command:

        Switch(config)# [no] ip dhcp client request bootfile-name
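    Because ZTP acts on whatever the DHCP offer and the TFTP server supply, it is worth verifying that the offers on the management network carry the four items listed above and name the TFTP server you expect. The following is an added example, not part of the Lenovo guide: it parses a DHCP options field and checks it against those requirements. The option bytes are constructed; 10.122.3.69 is the TFTP server shown in this guide's own sample output, while the gateway, offered address and boot file path are made-up values.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the options field
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_MSG_TYPE = 3, 53
OPT_TFTP_SERVER, OPT_BOOTFILE = 66, 67    # the two options ZTP depends on


def tlv(code, value):
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value


# Constructed options field of a DHCP offer (not a packet capture).
SAMPLE_OFFER_OPTIONS = (
    DHCP_MAGIC
    + tlv(OPT_MSG_TYPE, b"\x02")                  # 2 = DHCPOFFER
    + tlv(OPT_ROUTER, bytes([10, 122, 3, 1]))     # gateway (made-up value)
    + tlv(OPT_TFTP_SERVER, b"10.122.3.69")
    + tlv(OPT_BOOTFILE, b"ztp/boot.yml")          # boot file path (made-up value)
    + bytes([OPT_END])
)


def parse_options(raw):
    """Walk the options field into {code: value bytes}; reject truncated data."""
    if raw[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # RFC 3396: repeated instances of an option are concatenated.
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def check_ztp_offer(yiaddr, raw_options, expected_tftp):
    """Return a list of problems; an empty list means the offer is usable for ZTP."""
    problems = []
    opts = parse_options(raw_options)
    if ipaddress.IPv4Address(yiaddr).is_unspecified:
        problems.append("no interface IPv4 address offered")
    router = opts.get(OPT_ROUTER, b"")
    if len(router) < 4 or len(router) % 4:
        problems.append("no gateway IPv4 address (option 3)")
    tftp = opts.get(OPT_TFTP_SERVER)
    if tftp is None:
        problems.append("option 66 (TFTP server) missing")
    else:
        text = tftp.rstrip(b"\x00").decode("ascii", "replace")
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:
            problems.append(f"option 66 is not an IPv4 address: {text!r}")
        else:
            if addr != ipaddress.IPv4Address(expected_tftp):
                problems.append(f"option 66 names unexpected TFTP server {addr}")
    if not opts.get(OPT_BOOTFILE, b"").rstrip(b"\x00"):
        problems.append("option 67 (boot file name) missing or empty")
    return problems


if __name__ == "__main__":
    print(check_ztp_offer("10.122.3.20", SAMPLE_OFFER_OPTIONS, "10.122.3.69"))
```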


    ZTP Boot File

    The boot file is written in YAML format and contains switch models, and under each switch model are several fields that instruct the ZTP process what to do.

    The boot file may contain up to three fields under each switch model:

    img_name: this instructs ZTP to update the switch software image to the specified image version and configure it as the standby image on the switch

    configuration: this instructs ZTP to copy the specified configuration file from the TFTP server and use it as the startup configuration file on the switch

    script: this instructs ZTP to copy the script file and execute it on the switch

    ZTP checks the boot file for the switch model and executes the appropriate actions according to the fields under the correct switch model.

    ZTP supports the execution of Python scripts. If there is a script field under the switch model in the boot file, the field has a higher priority than the other two fields (img_name and configuration) and ZTP will ignore them. ZTP downloads the Python script file to the switch and executes it. The script can also contain instructions to download and install a switch software image and a configuration file.

    Note: The Python script file is stored in a temporary folder on the switch and it will be deleted once the switch reloads.

    Following is an example of a boot file:

    G8272:
        img_name : G8272-10.4.0.1.img
        configuration: netboot_config_file_G8272
        script : netboot_G8272.py

    G8296:
        img_name : G8296-10.4.0.1.img
        configuration: netboot_config_file_G8296
        script : netboot_G8296.py

    G8332:
        img_name : G8332-10.4.0.1.img
        configuration: netboot_config_file_G8332
        script : netboot_G8332.py

    Note: After the ZTP process is over, the switch will be reloaded if the software image or the startup configuration are updated. If ZTP executes a Python script, the reloading of the switch is decided by the script instead.
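The field-priority rule above, as an added example (not Lenovo's code): a Python check an administrator could run on a boot file before placing it on the TFTP server, which matters because TFTP itself does not authenticate what it serves. The parser is a minimal hand-written one for the two-level layout shown in the sample (an assumption; the switch's own parser is not described in this guide), and the sample file, function names and action labels are constructed for illustration.

```python
"""Pre-staging check for a CNOS ZTP boot file (added example, not vendor code)."""

ALLOWED_FIELDS = {"img_name", "configuration", "script"}

# Constructed sample in the layout of the guide's boot file example.
SAMPLE_BOOT_FILE = """\
G8272:
    img_name : G8272-10.4.0.1.img
    configuration: netboot_config_file_G8272
    script : netboot_G8272.py
G8296:
    img_name : G8296-10.4.0.1.img
    configuration: netboot_config_file_G8296
G8332:
    configuration: netboot_config_file_G8332
    reboot : yes
"""


def parse_boot_file(text):
    """Parse 'MODEL:' headers followed by indented 'field: value' lines."""
    models, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        key, value = key.strip(), value.strip()
        if not raw[0].isspace():  # unindented line: a switch model header
            if value:
                raise ValueError(f"line {lineno}: model header carries a value")
            current = models.setdefault(key, {})
        elif current is None:
            raise ValueError(f"line {lineno}: field before any switch model")
        elif key in current:
            raise ValueError(f"line {lineno}: duplicate field {key!r}")
        else:
            current[key] = value
    return models


def ztp_plan(models, model):
    """Return (actions, warnings) for one switch model, following the guide's rules."""
    if model not in models:
        return [], [f"no entry for model {model} in boot file"]
    fields, warnings = models[model], []
    for name in sorted(set(fields) - ALLOWED_FIELDS):
        warnings.append(f"unknown field {name!r}")
    for name in sorted(ALLOWED_FIELDS & set(fields)):
        if not fields[name]:
            warnings.append(f"field {name!r} is empty")
    if fields.get("script"):
        # 'script' outranks img_name and configuration, which ZTP then ignores.
        ignored = sorted(f for f in ("img_name", "configuration") if fields.get(f))
        if ignored:
            warnings.append("script present; ignored: " + ", ".join(ignored))
        return [("run_script", fields["script"])], warnings
    actions = []
    if fields.get("img_name"):
        actions.append(("install_standby_image", fields["img_name"]))
    if fields.get("configuration"):
        actions.append(("set_startup_config", fields["configuration"]))
    return actions, warnings


if __name__ == "__main__":
    parsed = parse_boot_file(SAMPLE_BOOT_FILE)
    for name in ("G8272", "G8296", "G8332", "NE1032"):
        print(name, *ztp_plan(parsed, name))
```

A script entry silently shadowing an image or configuration entry is the case worth reviewing, since the script then decides everything the switch installs and whether it reloads.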

  • Copyright Lenovo 2017 Chapter 1: Switch Administration 43

    Forcedly Enabling or Disabling ZTP

    ZTP can be forcedly enabled on the switch even if there is a startup configuration present. It can also be forcedly disabled to not execute even if there is no startup configuration.

    ZTP can have one of the following states:

    Default

    Forcedly Enabled

    Forcedly Disabled

    To forcedly enable ZTP on the switch, use the following command:

    Switch(config)# boot zerotouch force enable

    To forcedly disable ZTP on the switch, use the following command:

    Switch(config)# boot zerotouch force disable

    To reset the ZTP to its default setting, use the following command:

    Switch(config)# no boot zerotouch force

    To view the current ZTP state, use the following command:

    Switch# display boot

    Current ZTP State: Enable
    Current FLASH software:
      active image: version 10.4.0.1, downloaded 18:39:47 UTC Wed Sep 16 2015
      standby image: version 10.4.0.1, downloaded 18:44:40 UTC Wed Sep 16 2015
      Uboot: version 10.4.0.1, downloaded 17:49:51 UTC Thu Jul 30 2015
    Currently set to boot software active image
    Currently scheduled reboot time: none
    Current port mode: default mode

    To view the ZTP parameters obtained after the ZTP process has executed, use the following command:

    Switch# display zerotouch

    TFTP server: 10.122.3.69
    Image: G8xxx-10.4.0.1.img
    Configuration: netboot_config_file_G8xxx
    Script: netboot_G8xxx.py

  • 44 Application Guide for CNOS 10.4

    DHCP IP Address Services

    For remote switch administration, the client terminal device must have a valid IP address on the same network as the switch interface. The IP address on the client device may be configured manually, or obtained automatically using IPv6 stateless address configuration, or an IP address may be obtained automatically via DHCP relay as discussed in the next section.

    The switch can function as a relay agent for DHCP. This allows clients to be assigned an IP address for a finite lease period, reassigning freed addresses later to other clients. Acting as a relay agent, the switch can forward a client's IP address request to up to five DHCP servers. Additionally, up to five domain-specific DHCP servers can be configured for each of up to 10 VLANs.

    When a switch receives a DHCP request from a client seeking an IP address, the switch acts as a proxy for the client. The request is forwarded as a UDP unicast MAC layer message to the DHCP servers configured for the client's VLAN or to the global DHCP servers if no domain-specific DHCP servers are configured for the client's VLAN. The servers respond to the switch with a unicast reply that contains the IP default gateway and the IP address for the client. The switch then forwards this reply back to the client.

    DHCP is described in RFC 2131 and the DHCP relay agent supported on the switch is described in RFC 1542. DHCP uses User Datagram Protocol (UDP) as its transport protocol. The client sends messages to the server on port 67 and receives messages from the server on port 68.

    DHCP Client Configuration

    DHCP is enabled by default on the management interface and disabled on all other interfaces. You can enable DHCP only on a maximum of 10 interfaces, including the management interface.

    To enable or disable DHCP on an interface (for example ethernet interface 1/12), use the following command:

    for DHCPv4:

    Switch(config)# interface ethernet 1/12
    Switch(config-if)# no bridge-port
    Switch(config-if)# ip address dhcp

    for DHCPv6:

    Switch(config)# interface ethernet 1/12
    Switch(config-if)# no bridge-port
    Switch(config-if)# ipv6 address dhcp

    Notes:

    DHCP cannot be enabled on an interface configured as a switch port, only on routing ports.

    Manually configuring an IP address on an interface will disable DHCP for that interface.

  • Copyright Lenovo 2017 Chapter 1: Switch Administration 45

    DHCPv4 Hostname Configuration (Option 12)

    The switch supports DHCPv4 hostname configuration as described in RFC 2132, option 12. DHCPv4 hostname configuration is enabled by default.

    The switch's hostname can be manually configured using the following command:

    Switch(config)# hostname

    Note: If the hostname is manually configured, the switch does not replace it with the hostname received from the DHCPv4 server.

    After DHCP configures the hostname on the switch, if the DHCPv4 configuration is disabled, the switch retains the hostname.

    To enable or disable DHCP hostname configuration, use the following command on an interface (in this example, ethernet port 1/12 is used):

    Switch(config)# interface ethernet 1/12
    Switch(config-if)# [no] ip dhcp client request host-name

    To view the system hostname use the following command:

    Switch> display hostname

    Note: The switch prompt also displays the hostname.

    DHCPv4 Syslog Server (Option 7)

    The switch supports the requesting of the Syslog server IP address from the DHCP server as described in RFC 2132, option 7. The DHCPv4 Syslog server request option is disabled by default.

    Note: Manually configured Syslog servers take priority over the DHCPv4 Syslog server.

    Up to three Syslog server addresses received from the DHCPv4 server can be used. The Syslog server addresses can be learned over the management port or an ethernet port.

    To enable or disable the DHCP Syslog server request, use the following command on an interface (in this example, ethernet port 1/12 is used):

    Switch(config)# interface ethernet 1/12
    Switch(config-if)# [no] ip dhcp client request log-server

    To view the Syslog server address, use the following command:

    Switch> display logging server

    Logging server: enabled
    {*2.2.2.1}
     Server severity: debugging
     Server facility: local7
     Server vrf: data
    * - Values assigned by DHCP Client.

  • 46 Application Guide for CNOS 10.4

    DHCPv4 NTP Server (Option 42)

    This option requests the DHCP server to provide a list of IP addresses indicating Network Time Protocol (NTP) servers available to the client. The NTP servers are listed in order of preference. The switch supports the requesting of NTP servers as described in RFC 2132, option 42.

    By default, the switch does not include this request in DHCPv4 messages. To enable or disable this option on an interface, use the following command (in this example, ethernet port 1/12 is used):

    Switch(config)# interface ethernet 1/12
    Switch(config-if)# [no] ip dhcp client request ntp-server

    Note: Any manually configured NTP server will not be overwritten by the NTP servers received via DHCPv4.

    To view the list of NTP servers, use the following command:

    Switch> display ntp peers

    DHCPv4 Vendor Class Identifier (Option 60)

    This option is used by a DHCP client to identify itself to the DHCP server. It is used to define the vendor type and functionality of the DHCP client. The DHCP client can communicate to a server that it uses a specific type of hardware or software by specifying its Vendor Class Identifier (VCI).

    The switch supports the identifying of a TFTP server as described in RFC 2132, option 60.

    Each switch interface can be configured with a different VCI.

    By default, the switch will include this option in DHCPv4 packets. To enable or disable the identification of TFTP servers use the following command (in this example, ethernet port 1/12 is used):

    Switch(config)# interface ethernet 1/12
    Switch(config-if)# [no] ip dhcp client class-id

    Note: Depending on the Lenovo RackSwitch, the default VCI is different.

    for the Lenovo RackSwitch G8272, the default VCI is LENOVOG8272

    for the Lenovo RackSwitch G8296, the default VCI is LENOVOG8296

    for the Lenovo RackSwitch G8332, the default VCI is LENOVOG8332

    for the Lenovo RackSwitch NE10032, the default VCI is LENOVONE10032

    for the Lenovo RackSwitch NE1032, the default VCI is LENOVONE1032

    for the Lenovo RackSwitch NE1032T, the default VCI is LENOVONE1032T

    for the Lenovo RackSwitch NE1072T, the default VCI is LENOVONE1072T

  • Copyright Lenovo 2017 Chapter 1: Switch Administration 47

    DHCPv4 Snooping

    DHCP snooping provides security by filtering untrusted DHCP packets and by building and maintaining a DHCP snooping binding table.

    A trusted port is an interface connected to a legitimate DHCP server. By default, all ports are untrusted. To configure a port or a Switched Virtual Interface (SVI) as trusted, enter the following Interface mode command:

    Switch(config-if)# [no] ip dhcp snooping trust

    By default, DHCP snooping is disabled on all VLANs. You can enable DHCP snooping globally or on one or more VLANs. To enable this feature globally, enter the following command:

    Switch(config)# [no] ip dhcp snooping

    To enable DHCP snooping on a specific VLAN, use the following command:

    Switch(config)# [no] ip dhcp snooping vlan

    where VLAN is the VLAN ID.

    Configure the DHCPv4 Snooping Binding Table

    The DHCPv4 snooping binding table contains the MAC address, the IP address, lease time, binding type, VLAN number, and port number that correspond to the local untrusted interface on the switch; it does not contain information regarding hosts interconnected with a trusted interface.

    The binding table is saved to flash memory every ten minutes. When the system reboots, the binding table is recovered from the flash file. The maximum number of entries in the DHCPv4 snooping binding table is 2048.

    Sometimes you may want to manually configure the binding table entries, such as when you need to use a static IP address. Use the following command to configure a binding table entry:

    Switch(config)# ip dhcp snooping binding vlan interface ethernet / expiry

    where:

    Argument          Description
    MAC               The MAC address of the switch
    VLAN              The VLAN ID; an integer from 1-3999.
    IP address        A valid IPv4 address

  • 48 Application Guide for CNOS 10.4

    Argument          Description
    slot              The ethernet slot
    port              The ethernet port
    lease time range  The lease time range; an integer from 1-4294967295

    Configure the DHCPv4 Snooping Syslog

    The DHCP snooping daemon creates syslogs when some important events happen, such as a change to a dynamic entry or the timer.

    There are two timers in DHCP snooping. One refreshes DHCP snooping binding entries every 60 seconds. The other one saves the binding table to flash every ten minutes. These syslogs are useful for monitoring and adjusting DHCP.

    To set the DHCP snooping log level, enter:

    Switch(config)# logging level dhcp-snp

    where:

    Table 2.

    Logging Level  Meaning
    0              Emergency
    1              Alert
    2              Critical
    3              Error
    4              Warning
    5              Notification
    6              Information
    7              Debug

    DHCP Snooping Limitations

    DHCP snooping is not supported on a management port.

    DHCP is only supported on Ethernet ports. It is not supported on a port channel or routing port.

    DHCP snooping does not support LACP or static aggregations.

    DHCP snooping is not supported on a range of ports.

    DHCP Relay Agent

    When DHCP clients and associated servers are not on the same physical subnet, a DHCP relay agent can transfer DHCP messages between them. When a DHCP request arrives on an interface, the relay agent forwards the packet to all DHCP

  • Copyright Lenovo 2017 Chapter 1: Switch Administration 49

    server IP addresses configured on that interface. The relay agent forwards replies from all DHCP servers to the host that sent the request. If no DHCP servers are configured on that interface, the relay agent will not forward packets.

    DHCP has two versions. DHCPv4 is used to configure hosts with IPv4 addresses, IPv4 prefixes, and other configuration data required to operate in an IPv4 network. DHCPv6 is used to configure hosts with IPv6 addresses, IPv6 prefixes, and other configuration data required to operate in an IPv6 network.

    For DHCPv4, you can configure the relay agent to add the relay agent information (option 82) in the DHCPv4 message and then forward it to the DHCPv4 server. The reply from the server is forwarded back to the client after removing option 82.

    The DHCP Relay Agent is globally enabled by default. To globally enable or disable DHCP use the following command:

    for DHCPv4:

    Switch(config)# [no] ip dhcp relay

    for DHCPv6:

    Switch(config)# [no] ipv6 dhcp relay

    DHCP relay can be configured differently on each ethernet port or VLAN. The maximum number of DHCP servers configured on an interface is 32. To configure DHCP on an interface, use the following steps:

    1. Enter the configuration menu for the desired interface (in this example, ethernet interface 1/12 is used):

    Switch(config)# interface ethernet 1/12
    Switch(config-if)#

    2. Configure the DHCP server address:

    for DHCPv4:

    Switch(config-if)# ip dhcp relay address

    for DHCPv6:

    Switch(config-if)# ipv6 dhcp relay address

  • 50 Application Guide for CNOS 10.4

    3. To view the current DHCP settings, use the following command:

    for DHCPv4:

    Switch> display ip dhcp relay

    for DHCPv6:

    Switch> display ipv6 dhcp relay

    DHCPv4 Option 82

    DHCPv4 option 82 provides a mechanism for generating IP addresses based on the location in the network of the client device. When you enable the DHCPv4 relay agent option on the switch, it inserts the relay agent information option 82 in the packet. The switch then sends a unicast DHCPv4 request packet to the DHCPv4 server. The DHCPv4 server uses the option 82 field to assign an IP address and sends the packet, with the original option 82 field included, back to the relay agent. The DHCPv4 relay agent strips off the option 82 field in the packet and sends the packet to the DHCPv4 client.

    The configuration of this feature is optional. The feature helps resolve several issues where untrusted hosts access the network. See RFC 3046 for details.

    To configure DHCPv4 option 82, use the following command:

    Switch(config)# ip dhcp relay information option
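The insert-and-strip sequence described above, as an added example (not CNOS code): Python that appends option 82 to a client's DHCP options on the way to the server and removes it from the reply on the way back. The circuit ID and remote ID values and the function names are constructed, since this guide does not say how the switch encodes them; discarding a client packet that already carries option 82 follows RFC 3046.

```python
"""DHCPv4 relay agent information (option 82) handling per RFC 3046 (added example)."""

PAD, END, RELAY_AGENT_INFO = 0, 255, 82
CIRCUIT_ID, REMOTE_ID = 1, 2  # RFC 3046 sub-option codes

# Constructed options area (after the magic cookie) of a client DISCOVER:
# option 53 = message type 1, option 55 = parameter request list 1, 3, 6.
CLIENT_DISCOVER_OPTIONS = bytes([53, 1, 1, 55, 3, 1, 3, 6, END])
SAMPLE_CIRCUIT_ID = b"Ethernet1/12"              # constructed value
SAMPLE_REMOTE_ID = bytes.fromhex("001122334455")  # constructed value


def parse_tlvs(data, top_level=True):
    """Decode code/length/value triples; Pad and End apply only at top level."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if top_level and code == END:
            return items
        if top_level and code == PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = bytes(data[i + 2:i + 2 + length])
        if len(value) != length:
            raise ValueError(f"option {code} overruns the buffer")
        items.append((code, value))
        i += 2 + length
    if top_level:
        raise ValueError("options area has no End option")
    return items


def build_tlvs(items, top_level=True):
    """Encode (code, value) pairs, closing the options area with End at top level."""
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError(f"option {code} longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    return bytes(out) + (bytes([END]) if top_level else b"")


def relay_to_server(client_options, circuit_id, remote_id):
    """Client -> server: append option 82 describing where the request arrived."""
    options = parse_tlvs(client_options)
    if any(code == RELAY_AGENT_INFO for code, _ in options):
        # A host that supplies its own option 82 is claiming a location; discard.
        raise ValueError("client request already carries option 82")
    agent_info = build_tlvs([(CIRCUIT_ID, circuit_id), (REMOTE_ID, remote_id)],
                            top_level=False)
    return build_tlvs(options + [(RELAY_AGENT_INFO, agent_info)])


def relay_to_client(server_options):
    """Server -> client: strip the echoed option 82 and return it decoded."""
    options = parse_tlvs(server_options)
    echoed = [value for code, value in options if code == RELAY_AGENT_INFO]
    kept = [(code, value) for code, value in options if code != RELAY_AGENT_INFO]
    info = dict(parse_tlvs(echoed[0], top_level=False)) if echoed else {}
    return build_tlvs(kept), info


if __name__ == "__main__":
    relayed = relay_to_server(CLIENT_DISCOVER_OPTIONS, SAMPLE_CIRCUIT_ID, SAMPLE_REMOTE_ID)
    print(relayed.hex())
```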

  • Copyright Lenovo 2017 Chapter 1: Switch Administration 51

    Switch Login Levels

    To enable better switch management and user accountability, two levels or classes of user access have been implemented on the switch. The levels of access to CLI management functions and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:

    Network Operators can only make temporary changes on the switch. These changes will be lost when the switch is reloaded or reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reload of the switch, operators cannot severely impact switch operation.

    Network Administrators are the only ones that may make permanent changes to the switch configuration, changes that are persistent across a reload or reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the device. Because administrators can also make temporary (operator-level) changes as well, they must be aware of the interactions between temporary and permanent changes.

    Note: The default (predefined) access classes cannot be removed or their rules modified. Also, new access classes cannot be created.

    Access to switch functions is controlled through the use of unique usernames and passwords. Once you are connected to the switch via console, Telnet, or SSH, you are prompted to enter a password. The default username and password combinations for each access level are listed in Table 3.

    Note: It is recommended that you change the default switch passwords after initial configuration and as regularly as required under your network security policies.

    For more details, see End User Access Control on page 125.

    Table 3. Default Username and Password Combinations

    User Account  Password  Description and Tasks Performed  Status
    oper          oper      The Operator manages all functions of the switch. The Operator can reset ports, except the management port.  Disabled
    admin         admin     The Administrator has complete access to all menus, information, and configuration commands on the switch, including the ability to change both the operator and administrator passwords.  Enabled

  • 52 Application Guide for CNOS 10.4

    To display the current role configurations, use the following command:

    Switch> display role

    Role : network-admin
      Description: Predefined network admin role has access to all commands on the switch
    ----------------------------------------------------------------------
    Rule    Perm    Type        Scope    Entity
    ----------------------------------------------------------------------
    1       permit  read-write

    Role : network-operator
      Description: Predefined network operator role has access to all read commands on the switch
    ----------------------------------------------------------------------
    Rule    Perm    Type        Scope    Entity
    ----------------------------------------------------------------------
    1       permit  read

    While a network administrator has access to all of the CLI commands, a network operator has a more limited access, only being able to run commands such as:

    display

    end

    exit

    logout

    quit

    terminal

    enable

    disable

    ping

    ping6

    traceroute

    traceroute6

    ssh

    ssh6

    telnet

    telnet6

    where

    configure device

  • Copyright Lenovo 2017 Chapter 1: Switch Administration 53

    Ping

    Ping (Poll INternet Gateway) is an administration utility used to test the connectivity between two network IP devices. It also measures the length of time it takes for a packet to be sent to a remote host plus the length of time it takes for an acknowledgement of that packet to be received by the source host.

    Ping functions by sending an Internet Control Message Protocol (ICMP) echo request to the specified remote host and waiting for an ICMP reply from that host.

    Using this method, ping also determines the time interval between when the echo request is sent and when the echo reply is received. This interval is called round-trip time. At the end of the test, ping will display the minimum, maximum, and average round-trip times, and the standard deviation of the mean.

    Besides the round-trip time, ping can also measure the rate of packet loss. This is determined by the number of received echo replies over the number of sent echo requests. It is displayed as a percentage.

    The Switch also supports ping for IPv6 addressing.

    To perform a standard ping test, use the following commands:

    IPv4:

    Switch# ping vrf management

    IPv6:

    Switch# ping6 vrf management

    For example:

    Switch# ping 10.10.10.1 vrf management

    PING 10.10.10.1 (10.10.10.1) from 10.10.10.127: 56(84) bytes of data.
    64 bytes from 10.10.10.1: icmp_seq=1 ttl=61 time=0.368 ms
    64 bytes from 10.10.10.1: icmp_seq=2 ttl=61 time=0.280 ms
    64 bytes from 10.10.10.1: icmp_seq=3 ttl=61 time=0.308 ms
    64 bytes from 10.10.10.1: icmp_seq=4 ttl=61 time=0.291 ms
    64 bytes from 10.10.10.1: icmp_seq=5 ttl=61 time=0.320 ms

    --- 10.10.10.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 3996ms
    rtt min/avg/max/mdev = 0.280/0.313/0.368/0.034 ms

    Note: If no specific VRF instance is configured, the switch uses the default management VRF. In this case, the user can also use the following command:

    Switch# ping
    or
    Switch# ping6

  • 54 Application Guide for CNOS 10.4

    Ping Configurable Parameters

    Ping can be configured with various parameters, such as specifying the number or size of echo requests, the time interval between each transmission, or the non-responsive timeout interval for sent packets.

    Test Interruption

    Ping tests can be manually stopped at any point in the process. When the interruption is detected, ping will stop sending echo requests and display the results based on the packets transmitted up to that point.

    To manually terminate a ping test, press.

    Ping Count

    By default, ping transmits a sequence of five echo requests. To configure the number of packets sent during the test, use the following command:

    Switch# ping count

    Ping can also be configured to continuously send echo requests until the test is manually interrupted. To achieve this, use the following command:

    Switch# ping count unlimited

    For IPv6 addressing, the commands are as follows:

    Switch# ping6 count

    Switch# ping6 count unlimited

    Ping Packet Interval

    By default, ping does not wait between consecutive echo requests. As soon as an echo reply has been received or the non-responsive timer has expired, ping will send the next echo request.

    To configure a time interval, in seconds, between the transmission of packets, use the following command:

    Switch# ping interval

    For IPv6 addressing, the command is as follows:

    Switch# ping6 interval

  • Copyright Lenovo 2017 Chapter 1: Switch Administration 55

    Ping Packet Size

    By default, ping sends echo requests with a packet size of 56 bytes. Specifying a larger size than the default can help in detecting the loss of big packets.

    To configure the packet size, in bytes, use the following command:

    Switch# ping packet-size

    For IPv6 addressing, the command is as follows:

    Switch# ping6 packet-size

    Ping Source

    By default, ping automatically chooses the outgoing interface for echo requests and sends the packets using the IP address of that interface. To check the connectivity of different paths through the network, you can specify the interface used for sending echo requests.

    To use a specific interface during the ping test, use the following command:

    Switch# ping source

    Note: The source IPv4 address is the IP address of the desired switch interface.

    You can also choose the interface used for the ping test by directly specifying the desired interface. To achieve this, use the following command (in this example, ethernet port 1/12 is used):

    Switch# ping interface ethernet 1/12

    For IPv6 addressing, the commands are as follows:

    Switch# ping6 source

    Switch# ping6 interface ethernet 1/12

    Ping DF-Bit

    By default, echo requests are fragmented when they are forwarded through the network. Configuring packets not to be fragmented when traversing the network can help in determining the maximum transmission unit (MTU) of the path.

    To enable the non-fragmentation of echo requests, use the following command:

    Switch# ping df-bit

    Note: This parameter is configurable only for IPv4 addressing.

  • 56 Application Guide for CNOS 10.4

    Ping Timeout

    By default, after sending an echo request, ping waits up to a maximum of two seconds for an echo reply. If this time interval expires and an echo reply is not received, ping will declare that the remote host has timed out and that the sent packet is lost.

    To configure the timeout interval, in seconds, use the following command:

    Switch# ping timeout

    For IPv6 addressing, the command is as follows:

    Switch# ping6 timeout

    Ping VRF

    By default, ping uses the default Virtual Routing and Forwarding (VRF) instance. To configure ping to use a different VRF instance, use the following command:

    Switch# ping vrf {default|management}

    Note: You can choose only between the default or management VRF instances.

    For IPv6 addressing, the command is as follows:

    Switch# ping6 vrf {default|management}

  • Copyright Lenovo 2017 Chapter 1: Switch Administration 57

    Ping Interactive Mode

    To configure a custom ping test, you can choose what parameters to change by combining the previously presented commands.

    Besides this option, you can customize a ping test by using Ping Interactive Mode. In this mode, you can configure additional parameters: the type of service (ToS), the hop limit or time to live (TTL) and the data pattern.

    Note: Ping Interactive Mode is only available for IPv4 addressing.

    To enter Ping Interactive Mode, use the following command:

    Switch# ping

    You will be prompted to specify the value of each configurable parameter. If you do not enter a value, the default will be used.

    Switch# ping

    Vrf context to use [default]: management
    Protocol [ip]:
    Target IP address: 10.241.1.11
    Repeat count [5]: 7
    Datagram size [56]: 100
    Timeout in seconds [2]: 1
    Sending interval in seconds [1]:
    Extended commands [n]: yes
    Source address or interface:
    Type of service [0]:
    Set DF bit in IP header? [no]: yes
    Data pattern [0xABCD]:
    PATTERN: 0xabcd
    PING 10.241.1.