primergy 10/40gbe connection blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf ·...

47
Page 1 of 47- PRIMERGY PRIMERGY 10/40GbE Connection Blade 18/8+2 Configuration Guide FUJITSU

Upload: phungnguyet

Post on 07-Mar-2018

219 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 1 of 47-

PRIMERGY

PRIMERGY 10/40GbE Connection Blade 18/8+2 Configuration Guide

FUJITSU

Page 2: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 2 of 47-

CONTENTS

1. CONFIGURING VLAN .......................................................................................... 4

1.1 CONFIGURING UNTAG VLAN .......................................................................................................... 4 1.2 CONFIGURING TAG VLAN............................................................................................................. 4 1.3 CONFIGURING PROTOCOL VLAN .................................................................................................. 5

2. CONFIGURING LINK AGGREGATION ............................................................... 6

2.1 CONFIGURING STATIC LINK AGGREGATION .................................................................................. 6 2.2 CONFIGURING LINK AGGREGATION WITH LACP .......................................................................... 7

3. CONFIGURING BACKUP PORT ......................................................................... 8

4. CONFIGURING MAC FILTERING ........................................................................ 9

4.1 CONFIGURING MAC FILTER 1 ..................................................................................................... 10 4.2 CONFIGURING MAC FILTER 2 ...................................................................................................... 11 4.3 CONFIGURING MAC FILTER 3 ...................................................................................................... 11 4.4 CONFIGURING MAC FILTER 4 ..................................................................................................... 12 4.5 CONFIGURING MAC FILTER 5 ..................................................................................................... 12

5. CONFIGURING STATIC MAC FORWARDING .................................................. 14

6. CONFIGURING QOS ......................................................................................... 15

6.1 CONFIGURING PRIORITY CONTROL .............................................................................................. 15 6.2 CONFIGURING PRIORITY CONTROL REWRITE............................................................................... 15

6.2.1. DSCP value rewrite ........................................................................................................... 16 6.2.2. IP Precedence value rewrite ............................................................................................. 16 6.2.3. Change queue of packets in VLAN .................................................................................. 17

7. CONFIGURING SPANNING TREE .................................................................... 18

7.1 CONFIGURING STP ..................................................................................................................... 18 7.2 CONFIGURING MSTP ................................................................................................................. 19

8. CONFIGURING IGMP SNOOPING .................................................................... 22

9. CONFIGURING MLD SNOOPING ..................................................................... 24

10. CONFIGURING IEEE 802.1X AUTHENTICATION............................................. 26

11. CONFIGURING PORT MIRRORING .................................................................. 29

12. CONFIGURING ETHER L3 MONITORING ........................................................ 30

12.1 CONFIGURING ETHER L3 MONITORING WITH PORT ................................................................... 30 12.2 CONFIGURING ETHER L3 MONITORING WITH LINK AGGREGATION............................................ 31

13. CONFIGURING PORT RECOVERY LIMIT FUNCTION ..................................... 32

14. CONFIGURING IP FILTERING .......................................................................... 34

14.1 CONFIGURING IP FILTER 1 .......................................................................................................... 34 14.2 CONFIGURING IP FILTER 2 (IPV6 FILTERING) ............................................................................ 35 14.3 CONFIGURING IP FILTER 3 .......................................................................................................... 36 14.4 CONFIGURING IP FILTER 4 .......................................................................................................... 37 14.5 CONFIGURING IP FILTER 5 .......................................................................................................... 37

15. CONFIGURING DSCP VALUE CHANGE .......................................................... 38

16. CONFIGURING SNMP AGENT .......................................................................... 39

16.1 CONFIGURING SNMP ................................................................................................................. 39 16.2 CONFIGURING SNMPV3 ............................................................................................................. 39

17. CONFIGURING SYSTEM LOG .......................................................................... 41

Page 3: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 3 of 47-

18. CONFIGURING SCHEDULE FUNCTION .......................................................... 42

18.1 CONFIGURING THE RESERVATION OF SWITCHING CONFIGURATION FILE .................................... 42

19. CONFIGURING APPLICATION FILTER ............................................................ 42

20. CONFIGURING IEEE802.1Q TUNNELING ........................................................ 43

21. CONFIGURING CEE .......................................................................................... 46

Page 4: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 4 of 47-

1. Configuring VLAN

1.1 Configuring untag vlan This section describes the example of how to configure untag vlan.

[Configuration Target]

Assign Interface0/1 to untag VLAN(VID10)

Assign Interface0/5 to untag VLAN(VID20)

Assign IP address(192.168.20.1/24) VLAN(VID20).

[Commands]

#Assign Interface0/1 to untag VLAN10

(config)#interface 0/1

(config-if)#vlan untag 10

#Assign Interface0/5 to untag VLAN20

(config)#interface 0/5

(config-if)#vlan untag 20

#Assign IP address(192.168.20.1/24) to VLAN(VID20)

(config)#lan 0 ip address 192.168.20.1/24 3

(config)#lan 0 vlan20

#Save the configuration

(config)#save

1.2 Configuring tag VLAN

This section describes the example of how to configure tag vlan.

[Configuration Target]

Assign Interface0/1 to tag VLAN(VID10)

Assign Interface0/5 to tag VLAN(VID20)

Assign VLAN(VID20) to IP address(192.168.20.1/24)

[Commands]

#Assign Interface0/1 to tag VLAN10,20

(config)#interface 0/1

(config-if)#vlan tag 10,20

#Assign Interface0/5 to tag VLAN10,20

(config)#interface 0/5

(config-if)#vlan tag 10,20

#Assign IP address(192.168.20.1/24) to VLAN(VID20)

(config)#lan 0 ip address 192.168.20.1/24 3

(config)#lan 0 vlan20

#Save the configuration

(config)#save

Page 5: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 5 of 47-

1.3 Configuring protocol VLAN

This section describes how to configure protocol VLAN which IP protocol packets are

sent/received with VLAN10 and VLAN20. Packets except IP protocol are sent/received with

VLAN100. [Configuration Target]

Assign Interface0/1 to untag VLAN(VID10,100)

Assign Interface0/5 to untag VLAN(VID20,100)

Assign VLAN10,20 to IPv4 Protocol VLAN

Assign IP address(192.168.20.1/24) to VLAN(VID20)

[Commands]

#Assign Interface0/1 to untag VLAN10, 100

(config)#interface 0/1

(config-if)#vlan untag 10,100

#Assign Interface0/5 to untag VLAN20, 100

(config)#interface 0/5

(config-if)#vlan untag 20,100

#Configure VLAN10, 20 as protocol VLAN of IPv4

(config)#vlan 10 protocol ipv4

(config)#vlan 20 protocol ipv4

#Assign IP address 192.168.20.1/24 to VLAN20

(config)#lan 0 ip address 192.168.20.1/24 3

(config)#lan 0 vlan20

Save the configuration

(config)#save

Page 6: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 6 of 47-

2. Configuring Link Aggregation

2.1 Configuring Static Link Aggregation This section describes how to configure link aggregation without LACP with 4 links.

[Configuration Target]

Configure static link aggregation with Interface0/19-0/22

Assign IP address(192.168.20.1/24) to VLAN(VID20)

[Commands]

#SBAX3#1

#Assign Interface0/19-0/22 to tag VLAN(VID10,20)

(config)#interface range 0/19-0/22

(config-if)#vlan tag 10,20

#Configure static link aggregation with Interface0/19-0/22

(config)#interface range 0/19-0/22

(config-if)#type linkaggregation 1

(config-if)#vlan untag 20

#Assign VLAN(VID20) to IP address(192.168.20.1/24)

(config)#lan 0 ip address 192.168.20.1/24 3

(config)#lan 0 vlan20

#Save the configuration

(config)#save

#SBAX3#2

#Assign Interface0/19-0/22 to tag VLAN(VID10,20)

(config)#interface range 0/19-0/22

(config-if)#vlan tag 10,20

#Configure static link aggregation with Interface0/19-0/22

(config)#interface range 0/19-0/22

(config-if)#type linkaggregation 1

(config-if)#vlan untag 20

#Assign IP address(192.168.20.2/24) to VLAN(VID20)

(config)#lan 0 ip address 192.168.20.2/24 3

(config)#lan 0 vlan20

#Save the configuration

(config)#save

SBAX3#1 SBAX3#2

Page 7: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 7 of 47-

2.2 Configuring Link Aggregation with LACP This section describes how to configure link aggregation with LACP with 4 links.

[Configuration Target]

Configure link aggregation with LACP with Interface0/19-0/22

Assign VLAN(VID20) to IP address(192.168.20.1/24)

[Commands]

#SBAX3#1

#Assign Interface0/19-0/22 to tag VLAN(VID10,20)

(config)#interface range 0/19-0/22

(config-if)#vlan tag 10,20

#Configure link aggregation with LACP with Interface0/19-0/22 and set active mode

(config)#interface range 0/19-0/22

(config-if)#type linkaggregation 1

(config)#ll(?)inkaggregation 1 mode active

#Assign IP address(192.168.20.1/24) to VLAN(VID20)

(config)#lan 0 ip address 192.168.20.1/24 3

(config)#lan 0 vlan20

#Save the configuration

(config)#save

#SBAX3#2

#Assign Interface0/19-0/22 to tag VLAN(VID10,20)

(config)#interface range 0/19-0/22

(config-if)#vlan tag 10,20

#Configure link aggregation with LACP with Interface0/19-0/22 and set active mode

(config)#interface range 0/19-0/22

(config-if)#type linkaggregation 1

(config)#ll(?)inkaggregation 1 mode active

#Assign IP address(192.168.20.2/24) to VLAN(VID20)

(config)#lan 0 ip address 192.168.20.2/24 3

(config)#lan 0 vlan20

#Save the configuration

(config)#save

SBAX3#1 SBAX3#2

Page 8: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 8 of 47-

3. Configuring Backup Port This section describes how to configure backup port.

[Configuration Target]

Configure backup port group with interface0/19,0/26 and set 0/19 to master port and 0/26 to

backup port.

Configure master port to preference port

[Commands]

#SBAX3#1

#Configure Interface0/19 to master port of backup port(group1).

SBAX3(config)#interface 0/19

SBAX3(config-if)#type backup 1 master

#Configure Interface0/26 to backup port port of backup port(group1).

(config)#interface 0/26

(config-if)#type backup 1 backup

#Configure backup group1 to master port preference mode.

(config)#backup 1 mode master

#Save the configuration

(config)#save

Switch

Backup Port

Switch

Master port

Page 9: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 9 of 47-

4. Configuring MAC filtering

This section describes how to configure MAC filtering which can limit network traffic and

restrict network for security with combination of MAC address, Packet , ethernet type, VLAN

ID and CoS value.

[Filtering Condition]

Packet data flow can be controlled by specifying the following parameter.

1)Specify ACL MAC definition and ACL VLAN definition for filter

- Source MAC Information(MAC address/Packet format /Ethernet Type/LSAP)

- Destination MAC Information(MAC address/Packet format/Ethernet Type/LSAP)

- VLAN ID

- CoS Value

- Source IP Information(IP Address/Address Mask)

- Destination IP Information(IP Address/Address Mask)

- Protocol

- TCP/UDP port number

- ICMP TYPE、ICMP CODE

- TOS value、DSCP value of IP packet

2)Specify the interface for MAC filter

3)Specify action(reject or pass) for MAC filter

[Filtering Design Policy]

There are two way for filtering design.

Unexpected

Connection

Unexpected access

Wrong access

Allowed Access

Allowed Server

Page 10: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 10 of 47-

A. Pass the specified packets and reject the others.

B. Reject the specified packets and pass the others.

This chapter explains the following examples for A.

-Pass only packets of the specified source MAC address.

-Pass only packets of the specified destination MAC address.

And explains the following example for B.

-Reject only packets of the specified packet format.

Note:

When this function is used with protocol VLAN, MAC filtering for the frame recognized as

protocol VLAN is disabled. Please refer the “vlan protocol” command to know the frames

recognized as protocol VLAN

4.1 Configuring MAC filter 1

This section describes how to configure MAC filter which passes only packets of the specified

source MAC address and rejects the other packets.

[Filtering Design]

VLAN 10 consists of interface0/1-0/8 and they are untag VLAN.

VLAN 20 consists of interface0/1-0/4 and interface0/9-0/12.Interface0/1-0/4 is tag VLAN and

Interface0/9-0/12 is untag VLAN.

Interface0/4-0/8 in VLAN 10 pass packets of the only source MAC address00:0b:01:02:03:04

and rejects the other packets.

[Commands]

#Configure ACL which specifies source MAC address 00:0b:01:02:03:04 and VLAN 10.---(1)

(config)#acl 100 mac 00:0b:01:02:03:04 any any

(config)#acl 100 vlan 10 any

#Configure ACL which specifies all packet format of VLAN10. --- (2)

(config)#acl 110 vlan 10 any

#Configure mac filter which pass packets specified by (1) in interface0/2.

(config)#interface 0/2

(config-if)#macfilter 0 pass 100

#Configure mac filter which rejects packets specified by (2) in interface0/2.

(config)#interface 0/2

(config-if)#macfilter 1 reject 110

Page 11: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 11 of 47-

4.2 Configuring MAC filter 2

This section describes how to configure MAC filter which passes only packets of the specified

destination MAC address and rejects the other packets.

[Filtering Design]

VLAN 10 consists of interface0/1-0/8 and they are untag VLAN.

VLAN 20 consists of interface0/1-0/4 and interface0/9-0/12.Interface0/1-0/4 is tag VLAN and

Interface0/9-0/12 is untag VLAN.

Interface0/4-0/8 in VLAN 10 pass packets of the only destination MAC

address00:0b:01:02:03:04 and rejects the other packets.

[Commands]

#Configure ACL which specifies destination MAC address 00:0b:01:02:03:04 and VLAN

10.---(1)

(config)#acl 120 mac any 00:0b:01:02:03:04 any

(config)#acl 120 vlan 10 any

#Configure ACL which specifies all packet format of VLAN10. --- (2)

(config)#acl 110 vlan 10 any

#Configure mac filter which pass packets specified by (1) in interface0/4-0/8

(config)#interface range 0/4-0/8

(config-if)#macfilter 0 pass 120

#Configure mac filter which rejects packets specified by (2) in interface0/4-0/8

(config)#interface range 0/4-0/8

(config-if)#macfilter 1 reject 110

4.3 Configuring MAC filter 3

This section describes how to configure MAC filter which rejects only packets of the specified

destination MAC address and passes the other packets.

[Filtering Design]

VLAN 10 consists of interface0/1-0/8 and they are untag VLAN.

VLAN 20 consists of interface0/1-0/4 and interface0/9-0/12.Interface0/1-0/4 is tag VLAN and

Interface0/9-0/12 is untag VLAN.

Interface0/1-0/4 rejects IP protocol packets and passes the other packets.

[Commands]

#Configure ACL which specifies IP protocol(IP,ARP,Reserve ARP) ---(1)

(config)#acl 130 mac any any ether 0800

(config)#acl 131 mac any any ether 0806

(config)#acl 132 mac any any ether 8035

Configure mac filter which rejects packets specified by (1) in interface0/1-0/4

and rejects packets specified by (2) in interface0/4-0/8

(config)#interface range 0/1-0/4

(config-if)#macfilter 0 reject 130

(config-if)#macfilter 1 reject 131

(config-if)#macfilter 2 reject 132

Page 12: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 12 of 47-

4.4 Configuring MAC filter 4

This section describes how to configure MAC filter which rejects only the traffic between the

specified MAC addresses.

[Filtering Design]

VLAN 10 consists of interface0/1-0/4 with untag and 0/5-0/8 with tag.

VLAN 20 consists of interface0/1-0/4 with tag and interface0/5-0/8 with tag.

In VLAN10, Only TCP Traffic is rejected between MAC address 00:0b:01:02:03:04 and

00:0b:11:12:13:14

In VLAN20, Only UDP traffic is rejected between MAC address 00:0b:21:22:23:24 and

00:0b:31:32:33:34.

[Commands]

#Configure ACL which specifies TCP packets of source MAC address 00:0b:01:02:03:04 and

destination MAC address 00:0b:11:12:13:14. --- (1)

(config)#acl 0 00:0b:01:02:03:04 00:0b:11:12:13:14 any

(config)#acl 0 ip any any 6 any

#Configure ACL which specifies TCP packets of source MAC address 00:0b:11:12:13:14 and

destination MAC address 00:0b:01:02:03:04. --- (2)

(config)#acl 1 00:0b:11:12:13:14 00:0b:01:02:03:04 any

(config)#acl 1 ip any any 6 any

#Configure ACL which specifies UDP packets of source MAC address 00:0b:21:22:23:24 and

destination MAC address 00:0b:31:32:33:34. --- (3)

(config)#acl 2 00:0b:21:22:23:24 00:0b:31:32:33:04 any

(config)#acl 2 ip any any 17 any

#Configure ACL which specifies UDP packets of source MAC address 00:0b:31:32:33:34 and

destination MAC address 00:0b:21:22:23:24. --- (4)

(config)#acl 3 00:0b:21:22:23:24 00:0b:31:32:33:04 any

(config)#acl 3 ip any any 17 any

#Configure mac filter which rejects packets specified by (1) and (2) in VLAN10.

(config)#vlan 10 macfilter 0 reject 0

(config)#vlan 10 macfilter 1 reject 1

#Configure mac filter which rejects packets specified by (3) and (4) in VLAN20.

(config)#vlan 20 macfilter 0 reject 2

(config)#vlan 20 macfilter 1 reject 3

4.5 Configuring MAC filter 5

This section describes how to configure MAC filter which passes only the traffic between the

specified MAC addresses.

[Filtering Design]

VLAN 10 consists of interface0/1-0/4 with untag and 0/5-0/8 with tag.

VLAN 20 consists of interface0/5-0/8 with untag.

In VLAN10, Only IP protocol packets are passed.

In VLAN20, Only FNA protocol packets are passed.

[Commands]

#Configure ACL which specifies IP protocol(IP,ARP,Reserve ARP) ---(1)

(config)#acl 10 mac any any ether 0800

(config)#acl 11 mac any any ether 0806

Page 13: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 13 of 47-

(config)#acl 12 mac any any ether 8035

#Configure ACL which specifies FNA format---(2)

(config)#acl 20 mac any any llc 8080

(config)#acl 21 mac any any llc 0000

(config)#acl 22 mac any any llc 0001

#Configure ACL which specifies all packets-----(3)

(config)#acl 30 mac any any any

#Configure mac filter which rejects packets except packets specified by (1) in VLAN10 --(4)

(config)#vlan 10 macfilter 0 pass 10

(config)#vlan 10 macfilter 1 pass 11

(config)#vlan 10 macfilter 2 pass 12

(config)#vlan 10 macfilter 3 reject 30

#Configure mac filter which rejects packets except packets specified by (2) in VLAN20 --(5)

(config)#vlan 20 macfilter 0 pass 20

(config)#vlan 20 macfilter 1 pass 21

(config)#vlan 20 macfilter 2 pass 22

(config)#vlan 20 macfilter 3 reject 30

Page 14: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 14 of 47-

5. Configuring Static MAC forwarding

This Section describes how to add MAC address to FDB as static entries.

MAC address can be manually entered in FDB which doesn’t age out and you can avoid

flooding of extra frames to network.

[Configuration Targets]

Assign Interface0/2, 0/5 which Server#1,#2 are connected to VLAN(VID10).

Assign Interface0/10 which Server#3 is connected to VLAN(VID20).

Add MAC address of Servers to FDB as static entry.

Server#1 MAC address: 00:00:00:00:00:11

Server#2 MAC address: 00:00:00:00:00:22

Server#2 MAC address: 00:00:00:00:00:33

[Commands]

#Assign Interface0/2 and 0/5 to untag VLAN(VID10)

(config)#interface range 0/2,0/5

(config-if)#vlan untag 10

#Assign Interface0/10 to untag VLAN(VID20)

(config)#interface 0/10

(config-if)#vlan untag 20

#Add MAC address to FDB in VLAN10.

(config)#vlan 10 forward 0 00:00:00:00:00:11 2

(config)#vlan 10 forward 1 00:00:00:00:00:22 5

#Add MAC address to FDB in VLAN20.

(config)#vlan 20 forward 0 00:00:00:00:00:33 10

#Save the configuration

(config)#save

VLAN10 VLAN20

Server#1 Server#2 Server#3

Page 15: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 15 of 47-

6. Configuring QoS 6.1 Configuring priority control This section describes how to configure priority control which assigns egress port queue of

different priority to User priority value(Cos) in VLAN tag.

[Priority Control Design]

Packet Type CoS

Value

Queue class

Managemnet 3 3

Voice

FAX 2 2

Movie 1 1

Other 1 0

0

[Commands

(config)#interface 0/1

(config-if)#qos prioritymap 0 0

(config-if)#qos prioritymap 1 1

(config-if)#qos prioritymap 2 2

(config-if)#qos prioritymap 3 3

6.2 Configuring priority control rewrite

This section describes how to configure priority control rewrite which rewrites priority control

information of packets specified with combination of Mac address, packet format, Ethernet

type, VLAN ID and CoS value.

[Rewrite Condition]

Priority control information can be controlled by specifying the following parameter.

1)Specify ACL MAC definition and ACL VLAN definition for filter

- Source MAC Information(MAC address/Packet format /Ethernet Type/LSAP)

- Destination MAC Information(MAC address/Packet format/Ethernet Type/LSAP)

- VLAN ID

- CoS Value

- Source IP Information(IP Address/Address Mask)

- Destination IP Information(IP Address/Address Mask)

- TCP/UDP port number

- ICMP TYPE、ICMP CODE

- TOS value、DSCP value of IP packet

2)Specify the interface for MAC filter

3)Specify action(reject or pass) for MAC filter

- Rewrite DSCP value

- Rewrite ip precedence value

- Change queue which the received packets in ingress port use in egress port.

Page 16: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 16 of 47-

6.2.1. DSCP value rewrite

This section describes how to configure DSCP value rewrite of all ingress packets in the

specified interfaces in VLAN.

[Rewrite request]

VLAN 10 consists of interface0/1-0/8 and they are tag VLAN.

DSCP value of all packets is rewrite to 40 in interface0/1.

[Commands]

#Configure ACL which specifies all packets --- (1)

(config)#acl 120 mac any any any

#Configure DSCP value rewrite which rewrites DSCP value of packets specified by (1) to 40

(config)#interface 0/1

(config-if)#qos aclmap 0 dscp 40 120

#Save the configuration

(config)#save

6.2.2. IP Precedence value rewrite

This section describes how to configure IP precedence value rewrite which rewrites IP

precedence value of packets which has the specified CoS value in the specified port in VLAN.

[Rewrite request]

VLAN 10 consists of interface0/1-0/8 and they are tag VLAN.

IP precedence value of packets which have CoS value 5 is rewrite to 40 in VLAN10.

[Commands]

#Configure ACL which specifies packets of VLAN ID10 and CoS value 5 ---(1)

(config)#acl 150 vlan 10 5

#Configure QoS ACL map which rewrites ip precedence value of packets specified by (1) to 6

in interface0/1-0/8 in VLAN10.

(config)#interface range 0/1-0/8

(config-if)#qos aclmap 0 tos 6 150

#Save the configuration

(config)#save

Page 17: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 17 of 47-

6.2.3. Change queue of packets in VLAN

This section describes how to configure change queue function which changes queue which

the received packets in ingress port use in egress port.

[Rewrite request]

VLAN20 consists of interface0/1-0/5 and 0/1-0/4 is tag VLAN. 0/5 is untag VLAN.

Queue of packets of source Mac address 00:0b:01:02:03:04 is changed to 3.

[Commands]

#Configure ACL which specifies source MAC address 00:0b:01:02:03:04 ---(1)

(config)#acl 100 mac 00:0b:01:02:03:04 any any

#Configure QoS ACL map which changes queue of packets specified by(1) in VLAN20.

(config)#vlan 20 qos aclmap 0 queue 3 100

#Save the configuration

(config)#save

Note:

When this function is used with protocol VLAN, QoS for the frame recognized as protocol

VLAN is disabled. Please refer the “vlan protocol” command to know the frames recognized as

protocol VLAN

When this function is used with MAC filtering, QoS for the frame matched with MAC filtering

disabled.

Page 18: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 18 of 47-

7. Configuring Spanning Tree

This section describes how to configure STP.

7.1 Configuring STP

[Configuration Target]

Enable STP

Assign Interface0/17 and 0/26 to VLAN(VID10)

[Commands]

#Assign Interface0/17 and 0/26 to VLAN(VID10)

(config)#interface range 0/17-0/26

(config-if)#vlan untag 10

#Enable STP in Interface0/1 and 0/2.

(config)#interface range 0/1-0/2

(config-if)#stp use on

#Save the configuration

(config)#save

Switch

Switch

Page 19: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 19 of 47-

7.2 Configuring MSTP

This section describes how to configure MSTP. MSTP can handle frames per VLAN.

[Configuration Target]

Control frames per VLAN by using MSTP in the following VLAN environment.

[Instance 0]

Bridge Priority: SBAX3#1 -> SBAX3#2 -> SBAX3#3 -> SBAX3#4

[Instance 1]

Bridge Priority: SBAX3#1 -> SBAX3#2 -> SBAX3#3 -> SBAX3#4

VLAN 100、200

[Instance 2]

Bridge Priority: SBAX3#1 -> SBAX3#3 -> SBAX3#2 -> SBAX3#4

VLAN 300

<SBAX3#1>

Connect interface0/19 to SBAX3#2

Connect interafce0/26 to SBAX3#3

Configure STP path cost of interface 0/19 and 0/26 to 20000 for all instances.

SBAX3#1

SBAX3#2

SBAX3#4

SBAX3#3

VLAN100,200

VLAN300

Page 20: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 20 of 47-

<SBAX3#2>

Connect interface0/19 to SBAX3#1

Connect interafce0/23 to SBAX3#3

Connect interafce0/26 to SBAX3#4

Configure STP path cost of interface 0/19,0/23 and 0/26 to 20000 for all instances.

<SBAX3#3>

Connect interface0/19 to SBAX3#1

Connect interafce0/23 to SBAX3#2

Connect interafce0/26 to SBAX3#4

Configure STP path cost of interface 0/19,0/23 and 0/26 to 20000 for all instances.

<SBAX3#4>

Connect interface0/19 to SBAX3#2

Connect interafce0/26 to SBAX3#3

Configure STP path cost of interface 0/19 and 0/26 to 20000 for all instances.

Connect the servers of VLAN100 to interface0/20-0/21.

Connect the servers of VLAN200 to interface0/22.

Connect the servers of VLAN300 to interface0/24-0/25.

[Commands]

#SBAX3#1

#Configure STP path cost in interface0/19、0/23.

(config)#interface range 0/19,0/23

(config-if)#stp domain 0 cost 20000

(config-if)#stp domain 1 cost 20000

(config-if)#stp domain 2 cost 20000

#Configure VLAN

(config)#interface range 0/19,0/23

(config-if)#vlan tag 100,200,300

#Configure STP

(config)#stp mode mstp

(config)#stp domain 1 vlan 100,200

(config)#stp domain 2 vlan 300

(config)#stp domain 0 priority 4096

(config)#stp domain 1 priority 4096

(config)#stp domain 2 priority 4096

#Save the configuration

(config)#save

#SBAX3#2

#Configure STP path cost in interface0/19、0/23、0/26

(config)#interface range 0/19,0/23,0/26

(config-if)#stp domain 0 cost 20000

(config-if)#stp domain 1 cost 20000

(config-if)#stp domain 2 cost 20000

#Configure VLAN

(config)#interface range 0/19,0/23,0/26

(config-if)#vlan tag 100,200,300

#Configure STP

Page 21: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 21 of 47-

(config)#stp mode mstp

(config)#stp domain 1 vlan 100,200

(config)#stp domain 2 vlan 300

(config)#stp domain 0 priority 8192

(config)#stp domain 1 priority 8192

(config)#stp domain 2 priority 12288

#Save the configuraton

(config)#save

#SBAX3#3

#Configure STP path cost in interface0/19、0/23、0/26

(config)#interface range 0/19,0/23,0/26

(config-if)#stp domain 0 cost 20000

(config-if)#stp domain 1 cost 20000

(config-if)#stp domain 2 cost 20000

#Configure VLAN

(config)#interface range 0/19,0/23,0/26

(config-if)#vlan tag 100,200,300

#Configure STP

(config)#stp mode mstp

(config)#stp domain 1 vlan 100,200

(config)#stp domain 2 vlan 300

(config)#stp domain 0 priority 12288

(config)#stp domain 1 priority 12288

(config)#stp domain 2 priority 8192

#Save the configuration

(config)#save

#SBAX3#4

#Configure STP path cost in interface0/19、0/26

(config)#interface range 0/19,0/26

(config-if)#stp domain 0 cost 20000

(config-if)#stp domain 1 cost 20000

(config-if)#stp domain 2 cost 20000

#Configure VLAN

(config)#interface range 0/19,0/26

(config-if)#vlan tag 100,200,300

#Configure STP

(config)#stp mode mstp

(config)#stp domain 1 vlan 100,200

(config)#stp domain 2 vlan 300

(config)#stp domain 0 priority 32768

(config)#stp domain 1 priority 32768

(config)#stp domain 2 priority 32768

#Save the configuration

(config)#save

Page 22: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 22 of 47-

8. Configuring IGMP Snooping

SBAX3 detects the port which requires multicast packets and transfers multicast packets to

just the port by using IGMP snooping. This constrains the flooding of multicast traffic and

avoids transferring unnecessary multicast packets to servers.

Note:

- Network may not work if multicast communication is done without IGMP

- The port which is connected with IGMP Snoop enabled device should be set as multicast

router port.

- If more than 2 multicast routers are connected with SBAX3, the multicast router port

have to be set. If multicaset router port is not set, multicast packets may not be received

at the host which is beyond the multicast router because multicast router port does not

recognize correctly.

- In SBAX3, the entry of the group addresses that is registerd once is not erased, only the

information of output port is erased. The group addresses can be deleted by “clear

igmpsnoop group” command if there are unnecessary group addresses

- When the number of multicast group address is exceeded the limit of registering, the

packet which address is exceeded one is flooded in the same VLAN. IGMP snoop function

should not be used if the number of multicast group is exceeded the limit.

- SBAX3 discriminates only low 23 bit address. SBAX3 deal with “224.1.1.1” and

“225.1.1.1” as the same address. If there are the listeners which registers those address,

they received packets of both addresses.

- When IGMP Snoop become enabled, Source address will be “0.0.0.0” when there are no

“vlan igmpsnoop source” definition. If the device which can not deal with IGMP Query

packets which source address is “0.0.0.0”, configure the source address by “vlan

igmpsnoop source” command. As well, in the network where multicast router is

connected, the larger number than multicast router address should be set as source

address

- In the environment where IGMP V1/V2 is mixed, set “vlan igmpsnoop proxy” as “off”.

- IGMP snooping can not use in the network where other protocol(such as IPv6) is used.

Disabled the function in such environment

- In the network where multicast router is not connected, do not disabled the Querier by

“vlan igmpsnoop querier” command.

Multicast

Router#1 Multicast Router#2

Listener Listener Listener

Sender Sender

Page 23: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 23 of 47-

[Configuration Target]

Use IGMP snooping

Listner#1 Port: Interface0/1,0/2

VLAN: 10

Listener#2 Port:Interface0/3,0/4

VLAN:11

Lsitener#3 Port:Interface0/5,0/6

VLAN:12

Multicast router#1 is connected to interface0/25 which VLAN10-12 is assigned with tag VALN.

Multicast router#2 is connected to interface0/26 which VLAN10 is assigned with tag VALN.

[Commands]

#Enable IGMP snooping

(config)#igmpsnoop use on

(config)#interface range 0/1-0/2 vlan untag 10

(config-if)vlan untag 10

(config)#interface 0/3-0/4

(config-if)#vlan untag 11

(config)#interface 0/5-0/6

(config-if)#vlan untag 12

(config)#interface 0/25

(config-if)#vlan tag 10,11,12

(config)#interface 0/26

(config-if)#vlan untag 10

#Configure the multicast port for VLAN10 which multiple multicast routers are connected

(config)#vlan 10 igmpsnoop router yes 25,26

#Save the configuration

(config)#save

Page 24: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 24 of 47-

9. Configuring MLD Snooping

SBAX3 detects the port which requires IPv6 multicast packets and transfers multicast packets

to just the port by using MLD snooping. This constrains the flooding of IPv6 multicast traffic

and avoids transferring unnecessary IPv6 multicast packets to servers.

Note:

- Network may not work if IPv6 multicast communication is done without MLD

- The port which is connected with MLD Snoop enabled device should be set as multicast

router port.

- If more than 2 multicast routers are connected with SBAX3, the multicast router port

have to be set. If multicaset router port is not set, IPv6 multicast packets may not be

received at the host which is beyond the multicast router because multicast router port

does not recognize correctly.

- In SBAX3, the entry of the group addresses that is registerd once is not erased, only the

information of output port is erased. The group addresses can be deleted by “clear

mldsnoop group” command if there are unnecessary group addresses

- When the number of multicast group address is exceeded the limit of registering, the

packet which address is exceeded one is flooded in the same VLAN. MLD snoop function

should not be used if the number of multicast group is exceeded the limit.

- When MLD Snoop become enabled, Source address will be “::” when there are no “vlan

mldsnoop source” definition. If the device which can not deal with MLD Query packets

which source address is “::”, configure the source address by “vlan mldsnoop source”

command. As well, in the network where multicast router is connected, the larger

number than multicast router address should be set as source address

- In the network where IPv4 is used, IGMP snooping function should be enabled too.

- IGMP snooping can not use in the network where other protocol(except IP) is used.

Disabled the function in such environment

- In the network where multicast router is not connected, do not disable the Querier by

“vlan mldsnoop querier” command.

Multicast Router#1

Multicast Router#2

Sender Sender

Listener Listener Listener

Page 25: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 25 of 47-

[Configuration Target]

Use MLD snooping

Listner#1 Port: Interface0/1,0/2

VLAN: 10

Listener#2 Port:Interface0/3,0/4

VLAN:11

Lsitener#3 Port:Interface0/5,0/6

VLAN:12

Multicast router#1 is connected to interface0/25 which VLAN10-12 is assigned with tag VALN.

Multicast router#2 is connected to interface0/26 which VLAN10 is assigned with tag VALN.

[Commands]

#Enable MLD snooping

(config)#mldsnoop use on

(config)#interface range 0/1-0/2 vlan untag 10

(config-if)vlan untag 10

(config)#interface 0/3-0/4

(config-if)#vlan untag 11

(config)#interface 0/5-0/6

(config-if)#vlan untag 12

(config)#interface 0/25

(config-if)#vlan tag 10,11,12

(config)#interface 0/26

(config-if)#vlan untag 10

#Configure the multicast port for VLAN10 which multiple multicast routers are connected

(config)#vlan 10 mldsnoop router yes 25,26

#Save the configuration

(config)#save

Page 26: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 26 of 47-

10. Configuring IEEE 802.1X Authentication

This section describes how to configure IEEE802.1X authentication.

Note

Don’t assign VLAN ID to ports which use IEEE802.1X authentication.

Configure AAA group ID correctly for IEEE802.1X authentication.

Only EAP-MD5 can be used as authentication method for local authentication.

The following accounting information can not be gotten correctly in multiple authentication

environment per one physical port

- The number of Tx packet

- The number of Rx packet

- The number of Tx byte

- The number of Rx byte

[Configuration Target]

Use IEEE802.1X authentication in interface0/1-0/3.

Authentication database of Interface0/1-0/3 is following

-Interface0/1、0/2 : RADIUS Server

-Interface0/3 : Authentication information set locally

AAA Group ID

-Interface0/1、0/2 :0

-Interface0/3 :1

Authenticated per Supplicant MAC address

Available users in interface 0/3 are following.

User ID Password Assigned VLAN ID

Supp1 Supp1-pass VLAN123

Supp2 Supp2-pass VLAN100

RADIUS Server IP Address: 172.16.1.100

RADIUS Server is connected to VLAN13.

RADIUS Server secret :radius-secret

Collect authentication and accounting information in RADIUS server used by interface 0/1 and

RADIUS Server 172.16.1.100

Supplicant#1 Supplicant#2 Supplicant#3

0/1 0/2 0/3

0/19 0/22 0/26

VLAN10

VLAN11 VLAN100

VLAN123

Page 27: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 27 of 47-

0/2

Accounting information and Attribute supported by SBAX3 is following.

-Session time :Acct-Session-Time

- Tx packet number :Acct-Output-Packets

- Rx packet number :Acct-Input-Packets

- Tx byte :Acct-Output-Octets

- Rx byte :Acct-Input-Packets

Note

Configure the following attributes in RADISU server in order to assign VLAN ID to users.

Please see user guide of RADIUS server for how to configure.

name number Attribute value

Tunnel-Type 64 VLAN (13)

Tunnel-Media-Type 65 802 (6)

Tunnel-Private-Group-ID 81 VLAN ID (coded by ASCII code)

When multiple tunnel attributes are configured by tag, the least available value is assigned to

users as VLAN information.

[Commands]

#Enable IEEE802.1X authentication

(config)#dot1x use on

#Configure port which RADIUS server is connected to

(config)#interface 0/26

(config-if)#vlan untag 13

#Configure VLAN for RADIUS server

(config)#lan 0 vlan 13

(config)#lan 0 ip address 172.16.1.101/16 3

#Configure VLAN which supplicants authenticated by IEEE802.1X are connected to

(config)#interface 0/19

(config-if)#vlan untag 10

(config)#interface 0/20

(config-if)#vlan untag 11

(config)#interface 0/21

(config-if)#vlan untag 100

(config)#interface 0/22

(config-if)#vlan untag 123

#Conifgure IEEE802.1X authentication port

(config)#interface 0/1

(config-if)#dot1x aaa 0

(config-if)#dot1x use on

(config)#interface 0/2

(config-if)#dot1x aaa 0

(config-if)#dot1x use on

(config)#interface 0/3

(config-if)#dot1x aaa 1

(config-if)#dot1x use on

#Configure AAA group information using RADIUS server.

(config)#aaa 0 name radiusAuth

(config)#aaa 0 radius service client both

Page 28: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 28 of 47-

(config)#aaa 0 radius auth source 172.16.1.101

(config)#aaa 0 radius client server-info auth secret radius-secret

(config)#aaa 0 radius client server-info auth address 172.16.1.100

(config)#aaa 0 radius client server-info accounting secret radius-secret

(config)#aaa 0 radius client server-info accounting address 172.16.1.100

#Configure AAA group information using local authentication information

(config)# aaa 1 name localAuth

(config)# aaa 1 user 0 id Supp1

(config)# aaa 1 user 0 password Supp1-pass

(config)# aaa 1 user 0 supplicant vid 123

(config)# aaa 1 user 1 id Supp2

(config)# aaa 1 user 1 password Supp2-pass

(config)# aaa 1 user 1 supplicant vid 100

#Save the configuration

(config)#save

Page 29: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 29 of 47-

11. Configuring Port Mirroring

This section describes how to configure port mirroring function.

You can monitor the Rx/Tx traffic of source port in the target port by using port mirroring

function.

This section explains how to configure source port to interfce0/19 and target port to interface

0/26 and mirror Rx traffic of source port to target port.

[Configuration Target]

Configure interface0/19 to source port(Rx)

Configure interface0/26 to target port.

[Commands]

#Configure interface0/26 to mirror port.

(config)#interface 0/26

(config-if)#type mirror 0 19 rx

#Save the configuration

(config)#save

Source Port

Target Port

Analyzer

Page 30: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 30 of 47-

12. Configuring Ether L3 Monitoring

This section describes how to configure L3 Monitoring.

With the use of L3 Monitoring, The port which detects and monitors the errors of the path can

be offline by monitoring the peer with specified ether port.

Note

Offline port have to be online manually by online command.

12.1 Configuring Ether L3 Monitoring with port

[Configuration Target]

Use Interface 0/19

VLAN ID and Network Address is

VLAN ID:1, Network address:192.168.10.0/24

Use Ether L3 Monitoring

[Commands]

#SBAX3#1

#Configure Interface 0/19

(config)#interface range 0/19

(config-if)#vlan untag 1

#Set the IP address 192.168.10.1/24

(config)#lan 0 ip address 192.168.10.1/24 3

(config)#lan 0 vlan 1

#Set the IP address of the destination

(config)#interface 0/19

(config-if)#icmpwatch address 192.168.10.2

#Set the interval of monitoring

(config)#interface 0/19

(config-if)#icmpwatch interval 15s 40s 5s

#Save the configuration

(config)#save

#SBAX3#2

#Configure Interface 0/19

(config)#interface range 0/19

(config-if)#vlan untag 1

#Set the IP address 192.168.10.2/24

(config)#lan 0 ip address 192.168.10.2/24 3

(config)#lan 0 vlan 1

#Save the configuration

Monitor

SBAX3#1 SBAX3#2

Page 31: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 31 of 47-

(config)#save

12.2 Configuring Ether L3 Monitoring with Link Aggregation

This section describes how to configure L3 Monitoring with Link Aggregation.

[Configuration Target]

Use Interface 0/1 – 0/4

VLAN ID and Network Address is

VLAN ID:10, Network address:192.168.10.0/24

Use Ether L3 Monitoring

[Commands]

#SBAX3#1

#Configure Interface 0/1 – 0/4

(config)#interface range 0/1 – 0/4

(config-if)#vlan tag 10

#Configure the Link Aggregation with Interface 0/1 – 0/4

(config)# interface range 0/1-0/4

(config-if)#type linkaggregation 1

#Set the IP address 192.168.10.1/24

(config)#lan 0 ip address 192.168.10.1/24 3

(config)#lan 0 vlan 10

#Set the IP address of the destination

(config)#linkaggregation 1 icmpwatch address 192.168.10.2

#Set the interval of monitoring

(config)#linkaggregation 1 icmpwatch interval 15s 40s 5s

#Save the configuration

(config)#save

#SBAX3#2

#Configure Interface 0/1 – 0/4

(config)#interface range 0/1 – 0/4

(config-if)#vlan tag 10

#Configure the Link Aggregation with Interface 0/1 – 0/4

(config)# interface range 0/1-0/4

(config-if)#type linkaggregation 1

#Set the IP address 192.168.10.2/24

(config)#lan 0 ip address 192.168.10.2/24 3

(config)#lan 0 vlan 10

#Save the configuration

(config)#save

Page 32: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 32 of 47-

13. Configuring port recovery limit function

This section describes how to configure port offline function

With the use of port offline function, stable network can be keeped because the port can be the

offline state even when it is intermittent failure.

In this example, Master port will be offline when Master is intermittent failure.

[Configuration Target]

SBAX3#1

Use Interface 0/19, 0/26 as backup port

(Interface 0/19 is Master port, Interface 0/26 is backup port, Use Master port preferentially.)

Use offline by the number of link down

Set the upper limit of link down

SBAX3#2

Use Interface 0/19, 0/26 as backup port

(Interface 0/19 is Master port, Interface 0/26 is backup port, Use Master port preferentially.)

Use offline by the number of link down

Set the upper limit of link down

[Commands]

#SBAX3#1

#Set the upper limit of link down on Interface0/19

(config)#interface 0/19

(config-if)#recovery limit 5

#Configure Interface 0/19 as Master port of backup port group

(config)#interface 0/19

(config-if)#type backup 1 master

Jan 01 10:13:43 127.0.0.1 SBAX3: l2nsm: backup 1 definition is invalid. backup port is not

defined.

#(Above message will appear when only backup or master is defined Because both master

and backup have to be defined in backup group. Backup group will be enabled when other

port definition is done.)

#Configure Interface 0/26 as backup port of backup port group

(config)#interface 0/26

(config-if)#type backup 1 backup

#Set the backup group 1 as master port preferential

(config)#backup 1 mode master

SBAX3#1

SBAX3#2

Page 33: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 33 of 47-

#Save the configuration

(config)#save

#SBAX3#2

#Set the upper limit of link down on Interface0/19

(config)#interface 0/19

(config-if)#recovery limit 5

#Configure Interface 0/19 as Master port of backup port group

(config)#interface 0/19

(config-if)#type backup 1 master

Jan 01 10:18:13 127.0.0.1 SBAX3: l2nsm: backup 1 definition is invalid. backup port is not

defined.

#Configure Interface 0/26 as backup port of backup port group

(config)#interface 0/26

(config-if)#type backup 1 backup

#Set the backup group 1 as master port preferential

(config)#backup 1 mode master

#Save the configuration

(config)#save

Page 34: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 34 of 47-

14. Configuring IP Filtering

This section describes how to configure IP filtering which controls packets by combination of IP

address and port number for network security.

[IP Filtering Condition]

Packet data flow can be controlled by specifying the following parameter in ACL.

- Source IP Information(IP Address/Address Mask/Port Number)

- Destination IP Information(IP Address/Address Mask/Port Number)

- Protocol

- TOS value、DSCP value of IP packet

Hint

How to decide IP address and Address Mask

There are 2 elements for filtering condition, the one is “IP Address”, the other is “Address

mask”. The packets that wil be controlled is only what logical AND of IP address and Address

mask of received packets is coincident with specified IP address.

[IP Filtering design policy]

There are two way for filtering design.

A. Pass the specified packets and reject the others.

B. Reject the specified packets and pass the others.

This chapter explains the following examples for A.

-Pass only packets to access the specified service.

-Pass only packets to the specified server

And explains the following example for B.

-Reject only packets to the specified server

-Reject only ping to the specified server.

Note:

If there are multiple IP filtering condition, priority will be set and it is applied from smallest

number. Network may not work if this priority is not considered when the Filtering is set.

14.1 Configuring IP filter 1

This section describes how to configure IP filter which passes access to Web server and DNS

sever and rejects the other accesses.

[Configuration Target]

Use Interface 0/1

VLAN ID and Network Address is

VLAN ID:10, Network address:192.168.10.0/24

[IP filtering design]

Pass access to Web server from 192.168.1.0/24

Pass access to DNS server from 192.168.1.0/24

Pass ICMP packets

Reject the other packets

[Commands]

#set Interface 0/1

(config)#interface 0/1

(config-if)#vlan tag 10

Page 35: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 35 of 47-

#Set the network 192.168.10.0/24

(config)#lan 0 ip address 192.168.10.0/24 3

(config)#lan 0 vlan 10

#Pass TCP packets to port80 of Web Server

(config)#acl 0 ip 192.168.1.0/24 any 6 any

(config)#acl 0 tcp any 80

(config)#lan 0 ip filter 0 pass acl 0

#Pass UDP packets to port53 of DNS server.

(config)#acl 1 ip 192.168.1.0/24 192.168.0.10/32 17 any

(config)#acl 0 udp any 53

(config)#lan 0 ip filter 1 pass acl 1

#Pass ICMP packets

(config)#acl 2 ip any any 1 any

(config)#acl 2 icmp any any

(config)#lan 0 ip filter 2 pass acl 2

#Reject the other packets

(config)#acl 3 ip any any any

(config)#lan 0 ip filter 3 reject acl 3

#Save the configuration

(config)#save

14.2 Configuring IP filter 2 (IPv6 Filtering)

This section describes how to configure IPv6 filter which passes access to Web server and DNS

sever and rejects the other accesses.

[Configuration Target]

Use Interface 0/1

VLAN ID and Network Address is

VLAN ID:10, Network address: 2001:db8:1::/64

[IP filtering design]

Pass access to Web server from 2001:db8:1::/64

Pass access to DNS server from 2001:db8:1::/64

Pass ICMPv6 packets

Reject the other packets

[Commands]

#set Interface 0/1

(config)#interface 0/1

(config-if)#vlan tag 10

#set the network 2001:db8:1::/64

(config)#lan 0 ip6 address 2001:db8:1::/64

(config)#lan 0 vlan 10

#Pass TCP packets to port80 of Web Server

(config)# acl 0 ip6 2001:db8:1::/64 any 6 any

(config)# acl 0 tcp any 80

(config)# lan 0 ip6 filter 0 pass acl 0

#Pass UDP packets to port53 of DNS server.

(config)# acl 1 ip6 2001:db8:1::/64 any 17 any

Page 36: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 36 of 47-

(config)# acl 1 udp any 53

(config)# lan 0 ip6 filter 1 pass acl 1

#Pass ICMPv6 packets

(config)# acl 2 ip6 any any 58

(config)# acl 2 icmp any any

(config)# lan 0 ip6 filter 2 pass acl 2

#Reject the other packets

(config)# acl 3 ip6 any any any any

(config)# lan 0 ip6 filter 3 reject acl 3

#Save the configuration

(config)#save

14.3 Configuring IP filter 3

This section describes how to configure IP filter which allows access to specified server in

internal network and DNS sever and rejects the accesses to other servers.

[Configuration Target]

Use Interface 0/1

VLAN ID and Network Address is

VLAN ID:10, Network address:192.168.10.0/24

[IP filtering design]

Allows access to the Web server(192.168.1.5/32) in internal network

Allows access to the DNS server in internal network

Pass ICMP packets

Reject the other packets

[Commands]

#set Interface 0/1

(config)#interface 0/1

(config-if)#vlan tag 10

#Set the network 192.168.10.0/24

(config)#lan 0 ip address 192.168.10.0/24 3

(config)#lan 0 vlan 10

#Pass TCP packets to port80 of Web Server

(config)#acl 0 ip 192.168.1.0/24 any 6 any

(config)#acl 0 tcp any 80

(config)#lan 0 ip filter 0 pass acl 0

#Pass UDP packets to port53 of DNS server.

(config)# acl 1 ip 192.168.0.0/24 192.168.1.10/32 17 any

(config)# acl 1 udp any 53

(config)# lan 0 ip filter 1 pass acl 1

#Pass ICMP packets

(config)#acl 2 ip any any 1 any

(config)#acl 2 icmp any any

(config)#lan 0 ip filter 2 pass acl 2

#Reject the other packets

(config)#acl 3 ip any any any

(config)#lan 0 ip filter 3 reject acl 3

Page 37: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 37 of 47-

#Save the configuration

(config)#save

14.4 Configuring IP filter 4

This section describes how to configure IP filter which deny the access only to FTS server in

external network

[Configuration Target]

Use Interface 0/1

VLAN ID and Network Address is

VLAN ID:10, Network address:192.168.10.0/24

[IP filtering design]

Deny access from host in internal network(192.168.1.0/24) to the FTP server(192.168.0.5) in

external network

[Commands]

#set Interface 0/1

(config)#interface 0/1

(config-if)#vlan tag 10

#Set the network 192.168.10.0/24

(config)#lan 0 ip address 192.168.10.0/24 3

(config)#lan 0 vlan 10

#reject FTP packets from internal LAN to 192.168.0.5

(config)# acl 0 ip 192.168.1.0/24 192.168.0.5/32 6 any

(config)# acl 0 tcp any 21

(config)# lan 0 ip filter 0 reject acl 0

#Save the configuration

(config)#save

14.5 Configuring IP filter 5

This section describes how to configure IP filter which deny the only ping(ICMP ECHO) to

specified server in internal network, and allows other ICMP packets, other protocol packets

and packets to other hosts.

[Configuration Target]

Use Interface 0/1

VLAN ID and Network Address is

VLAN ID:10, Network address:192.168.10.0/24

[IP filtering design]

Deny ping(ICMP ECHO) from external host to the server(192.168.1.5/32) in internal network.

Others are all passed

[Commands]

#set Interface 0/1

(config)#interface 0/1

(config-if)#vlan tag 10

#Set the network 192.168.10.0/24

(config)#lan 0 ip address 192.168.10.0/24 3

(config)#lan 0 vlan 10

Page 38: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 38 of 47-

#reject ICMP packet of ICMP type 8 to 192.168.1.5/32

(config)# acl 0 ip any 192.168.1.5/32 1 any

(config)# acl 0 icmp 8 any

(config)# lan 0 ip filter 0 reject acl 0

#Pass other all packets

(config)# acl 1 ip any any any any

(config)# lan 0 ip filter 1 pass acl 1

#Save the configuration

(config)#save

15. Configuring DSCP value change

This section describes how to configure DSCP value change which can adapt policy for policy

based network. DSCP value can be changed by the combination of IP address and port number

in the packets which is sent to network from SBAX3 or received from network to SBAX3.

SBAX3 can change DSCP value to specify the following condition in ACL definition.

- Protocol

- Information of source(IP address/Address mask/port number)

- Information of destination(IP address/Address mask/port number)

- TOS or DSCP value of IP packets, or Traffic Class or DSCP value of IPv6 packets

We will explain the example that is on the assumption that network has the following policy

- FTS(DSCP value is 10) is the highest priority

- Others are not set.

[Configuration Target]

- Source IP address/Address mask 192.168.1.0/24

- Source port number No assign

- Destination IP address/Address mask No assign

- Destination port number 20(ftp-data), 21(ftp)

- Protocol TCP

- DSCP value 0

- New DSCP value 10

[Commands]

#change DSCP value from 0 to 10 for FTP server access

(config)#acl 0 ip 192.168.1.0/24 any 6 dscp 0

(config)#acl 0 tcp any 20,21

(config)#lan 0 ip dscp 0 acl 0 10

#Save the configuration

(config)#save

Page 39: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 39 of 47-

16. Configuring SNMP Agent

This section describes how to configure SNMP agent which informs MIB information of SNMP

host.

16.1 Configuring SNMP

[Configuration Target]

Use SNMP agent function

Administrator suzuki

System name SBAX3

Location 1F

Agent IP address 192.168.1.1

SNMP host IP address 192.168.1.100

community public00

[Commands]

#Configure SNMPagent information

(config)#snmp agent contact suzuki

(config)#snmp agent sysname SBAX3

(config)#snmp agent location 1F

(config)#snmp agent adress 192.168.1.1

#Configure SNMPhost information

(config)#snmp manager 0 192.168.1.100 public00 off disable

#Enable SNMP agent function

(config)#snmp service on

#Save the configuration

(config)#save

16.2 Configuring SNMPv3

This section describes how to configure for SNMPv3 access

[Configuration Target]

Use SNMP agent function

Administrator suzuki

System name SBAX3

SNMP host 192.168.1.100

lan 0 192.168.1.1

Administrator :Suzuki System name:SBAX3 Agent IP address 192.168.1.1

Inform MIB information against

SNMP request

Page 40: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 40 of 47-

Location 1F

Agent address:192.168.1.1

SNMP host address:192.168.1.100

Host address for trap: 192.168.1.100

User name:user00

Authentication protocol:MD5

Password : auth_password

Encryption Protocol : DES

Password: priv_password

MIB view: Only system and interfaces groups are enabled

Only linkDown and linkUp traps are enabled.

[Commands]

#Configure SNMP agent infomration

(config)#snmp agent contact suzuki

(config)#snmp agent sysname SBAX3

(config)#snmp agent location 1F

(config)#snmp agent adress 192.168.1.1

#Configure SNMPv3 Information

(config)#snmp user 0 name user00

(config)#snmp user 0 address 0 192.168.1.100

(config)#snmp user 0 notification 0 192.168.1.100

#Configure Authentication/Encryption protocol

(config)#snmp user 0 auth md5 auth_password

(config)#snmp user 0 priv des priv_password

#Configure MIB view information

(config)#snmp user 0 read view 0

(config)#snmp user 0 notify view 0

(config)#snmp view 0 subtree 0 include system

(config)#snmp view 0 subtree 1 include interfaces

(config)#snmp view 0 subtree 2 include linkdown

(config)#snmp view 0 subtree 3 include linkup

#Enable SNMP Agent function

(config)#snmp service on

#Savte the configuration

(config)#save

Page 41: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 41 of 47-

17. Configuring System Log

This section describes how to configure system log function which sends system logs to syslog

server.

[Configuration Target]

Configure the following priority

-Priority LOG_ERROR

-Priority LOG_WARNING

-Priority LOG_NOTICE

-Priority LOG_INFO

Syslog server IP address 192.168.1.10

[Commands]

(config)#syslog server 192.168.1.10

Configure System log

(config)#syslog pri error, warm, notice, info

Save the configuration

(config)#save

Syslog server 192.168.1.10

lan 0 192.168.1.1

Send system logs

Page 42: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 42 of 47-

18. Configuring Schedule function

This section describes how to configure schedule function. Schedule function of SBAX3 is the

following

- Reservation of switching configuration file

SBAX3 can have 2 configuration files. And we can prepare the configuration in advance for

configuration change of operation, and then we can switch the configuration at specified date

18.1 Configuring the reservation of switching configuration file

[Configuration Target]

The time of switching 2006/12/01 6:30

Configuration change config1 -> config2

[Commands]

#switching the configuration

(config)#addact 0 0612010630 reset conifg 2

Save the configuration

(config)#save

19. Configuring Application Filter

This section describes how to configure application filter function whch can control the access

to the servers that is connected with SBAX3. With this function, Security will be more robust

because we can restrict the terminal which can be used for maintenance or use.

[Configuration Target]

Permit the access to TELNET/FTP/SSH server only from the Host for management

(192.168.1.100)

Permit the access to Time server only from the Host in internal network(192.168.1.0/24).

No restriction for other servers.

Note:

When the packets to SBAX3 is rejected by Ip filtering, we can not access even if permit the

access by application filter

[Commands]

#Reject the default access against the server function

(config)#serverinfo ftp filter default reject

(config)#serverinfo telnet filter default reject

(config)#serverinfo ssh filter default reject

(config)#serverinfo time filter default reject

#Permit the access to the FTP/Telnet/SSH server function from host for management

(config)#acl 0 ip 192.168.1.100/32 any any any

(config)#serverinfo ftp filter 0 accept acl 0

(config)#serverinfo telnet filter 0 accept acl 0

(config)#serverinfo ssh filter 0 accept acl 0

#Permit the access to the Time server function from hosts in internal network

(config)#acl 1 ip 192.168.1.0/24 any any any

(config)#serverinfo tme filter 0 accept acl 1

#Save the configuration

(config)#save

Page 43: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 43 of 47-

20. Configuring IEEE802.1Q Tunneling

This section describes how to configure IEEE802.1Q Tunneling of customer A, customer B,

SBAX3#1 and SBAX3#2 in below diagram.

Customer A

interface0/23

tag VLAN10,20

interface0/20, dot1qtunnel

untag VLAN35

interface0/26 interface0/19

tag VLAN 35 / 40

[Service Provider]

Customer B

interface0/23

tag VLAN20,30

Customer A

interface0/23

tag VLAN 10,20

Customer B

interface0/23

tag VLAN 20,30

【SBAX3#1】 【SBAX3#2】

interface0/22

dot1qtunnel

untag VLAN35

interface0/23, dot1qtunnel

untag VLAN40

interface0/19

dot1qtunnel

untag VLAN40

Page 44: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 44 of 47-

[Configuration Target]

Customer A

Assign Interface0/23 to tag VLAN10, 20

Customer B,

Assign Interface0/23 to tag VLAN20, 30

SBAX3#1

Assign Interface0/19 to untag VLAN40

Assign Interface0/20 to untag VLAN35

Assign Interface0/26 to tag VLAN35, 40

Configure Interface0/19-0/20 for IEEE802.1Q tunneling port

Configure the use of IEEE802.1Q tunneling port.

SBAX3#2

Assign Interface0/19 to tag VLAN35, 40

Assign Interface0/22 to untag VLAN35

Assign Interface0/23 to untag VLAN40

Configure Interface0/22-0/23 for IEEE802.1Q tunneling port

Configure the use of IEEE802.1Q tunneling port.

[Commands]

#Customer A

# Assign Interface0/23 to tag VLAN10, 20

(config)#interface 0/23

(config-if)#vlan tag 10,20

#Customer A

# Assign Interface0/23 to tag VLAN20, 30

(config)#interface 0/23

(config-if)#vlan tag 20,30

#SBAX3#1

#Assign Interface0/19 to untag VLAN40

(config)#interface 0/19

(config-if)#vlan untag 40

#Assign Interface0/20 to untag VLAN35

(config)#interface 0/20

(config-if)#vlan untag 35

#Assign Interface0/26 to tag VLAN35, 40

(config)#interface 0/26

(config-if)#vlan tag 35,40

#Configure Interface0/19-0/20 for IEEE802.1Q tunneling port

(config)#interface range 0/19-0/20

(config-if)#dot1qtunnel use on

# Configure the use of IEEE802.1Q tunneling port.

(config)#dot1qtunnel use on

#SBAX3#2

#Assign Interface0/19 to tag VLAN35, 40

(config)#interface 0/19

(config-if)#vlan tag 35,40

Page 45: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 45 of 47-

#Assign Interface0/22 to untag VLAN35

(config)#interface 0/22

(config-if)#vlan untag 35

#Assign Interface0/23 to untag VLAN40

(config)#interface 0/23

(config-if)#vlan untag 40

#Configure Interface0/22-0/23 for IEEE802.1Q tunneling port

(config)#interface range 0/22-0/23

(config-if)#dot1qtunnel use on

#Configure the use of IEEE802.1Q tunneling port.

(config)#dot1qtunnel use on

#Save the configuration

(config)#save

Page 46: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 46 of 47-

21. Configuring CEE

This section describes how to configure CEE function of the example below.

[Configuration Target]

CNA

Setting the port which is connected with SBAX3 to accept DCBX setting(willing bit is on)

SBAX3 / FCoE SW

Assign CEE port to tag VLAN1002

Assign CEE port to untag VLAN1 for FIP frame forwarding.

Configure CEE port of priority group1 as bandwidth 40.

Configure CEE port of priority group2 as bandwidth 60.

Enable PFC setting of priority group2

Configure priority 3 as priority group2 and others are priority group1

Configure FCoE priority as priority 3

Enable CEE function

[Commands]

#SBAX3

#Enable priority group1, 2

(config)# cee priority group 1 use on

(config)# cee priority group 2 use on

#Configure priority 3 as priority group2 and others are priority group1

(config)# cee priority map 1 1 1 2 1 1 1 1

#Assign Interface0/19, 0/23 to tag VLAN1002

(config)# interface range 0/19,0/23

(config-if)# vlan tag 1002

#Assing Interface0/19, 0/23 to untag VLAN1 for FIP frame forwarding

(config-if)# vlan untag 1

#Configure Interface0/19, 0/23 to send/receive LLDP information

(config-if)# lldp mode enable

#Configure weight value of priority group1 for Interface0/19, 0/23 as 40.

(config-if)# cee priority group 1 weight 40

SBAX3

CNA FCoE SW

(FCF)

Interface 0/19

vlan tag 1002

vlan untag1

Interface 0/23

vlan tag 1002

vlan untag1

Page 47: PRIMERGY 10/40GbE Connection Blade 18/8+2 …manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf · Page 4 of 47- 1. Configuring VLAN 1.1 Configuring untag vlan This section describes

Page 47 of 47-

#Configure weight value of priority group2 for Interface0/19, 0/23 as 60.

(config-if)# cee priority group 2 weight 40

#Enable PFC for priority group2 for Interface0/19, 0/23 as 60.

(config-if)# cee priority group 2 pfc on

#Configure FCoE priority for Interface0/19, 0/23 as priority 3

(config-if)# dcbx fcoe-priority-bits 08

#Enable CEE function of Interface0/19, 0/23

(config-if)# cee use on

#Enable CEE function of SBAX3

(config-if)# end

(config)# cee mode on

#Save the configuration

(config)#save