(STP) configures the network so that the switch selects the most efficient path when multiple paths exist. Also includes the Rapid Spanning Tree Protocol (RSTP), Per-VLAN Rapid Spanning Tree Plus (PVRST+), and Multiple Spanning Tree Protocol (MSTP) extensions to STP.

Chapter 12, “Virtual Link Aggregation Groups,” describes using Virtual Link Aggregation Groups (VLAG) to form trunks spanning multiple VLAG-capable aggregator switches.

Chapter 13, “Quality of Service,” discusses Quality of Service (QoS) features, including IP filtering using Access Control Lists (ACLs), Differentiated Services, and IEEE 802.1p priority values.

Part 4: Advanced Switching Features

Chapter 14, “Stacking,” describes how to implement the stacking feature in the Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch.

Chapter 15, “Virtualization,” provides an overview of allocating resources based on the logical needs of the data center, rather than on the strict, physical nature of components.

Chapter 16, “Virtual NICs,” discusses using virtual NIC (vNIC) technology to divide NICs into multiple logical, independent instances.

Chapter 17, “VMready,” discusses virtual machine (VM) support on the CN4093.

Chapter 18, “FCoE and CEE,” discusses using various Converged Enhanced Ethernet (CEE) features such as Priority-based Flow Control (PFC), Enhanced ...
Chapter 39, “sFlow,” describes how to use the embedded sFlow agent for sampling network traffic and providing continuous monitoring information to a central sFlow analyzer.

Chapter 40, “Port Mirroring,” discusses how to copy selected port traffic to a monitor port for network analysis.

Part 9: Appendices

Appendix A, “Glossary,” describes common terms and concepts used throughout this guide.

Appendix B, “Getting help and technical assistance,” describes how to get help.

Appendix C, “Notices,” provides trademark and other compliance information.

Additional References

Additional information about installing and configuring the CN4093 is available in the following guides:
  Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch Installation Guide
  Lenovo N/OS Menu-Based CLI Command Reference
  Lenovo N/OS ISCLI Command Reference
  Lenovo N/OS Browser-Based Interface Quick Guide

CN4093 Application Guide for N/OS 8.2...
Industry Standard Command Line Interface

The Industry Standard Command Line Interface (ISCLI) provides a simple, direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance.

You can establish a connection to the CLI in any of the following ways:
  Serial connection via the serial port on the CN4093 (this option is always available)
  Telnet connection over the network
  SSH connection over the network

When you first access the switch, you must enter the default username and password: USERID; PASSW0RD (with a zero). You are required to change the password after first login.

Browser-Based Interface

The Browser-Based Interface (BBI) provides access to the common configuration, management and operation features of the CN4093 through your Web browser. For more information, refer to the Lenovo N/OS BBI Quick Guide.
Using Telnet

A Telnet connection offers the convenience of accessing the switch from a workstation connected to the network. Telnet access provides the same options for user and administrator access as those available through the console port. By default, Telnet access is disabled. Use the following command (available on the console only) to enable or disable Telnet access:

  CN4093(config)# [no] access telnet enable

Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the following Telnet command:

  telnet <switch IPv4 or IPv6 address>

You will then be prompted to enter a password, as explained in “Switch Login Levels.” Two attempts are allowed to log in to the switch. After the second unsuccessful attempt, the Telnet client is disconnected by closing the TCP session.

Using Secure Shell

Although a remote network administrator can manage the configuration of a CN4093 via Telnet, this method does not provide a secure connection: Telnet carries the login credentials and every subsequent command in cleartext. The Secure Shell (SSH) protocol enables you to securely log into another device over a network to execute commands remotely. As a secure alternative to Telnet for managing the switch configuration, SSH encrypts all data sent over the network.

The switch can run only one key/cipher generation session at a time. An SSH/SCP client will therefore not be able to log in while the switch is generating keys, and key generation will fail if an SSH/SCP client is logging in at that time.

The supported SSH encryption and authentication methods are listed below.
Server Host Authentication: the client RSA-authenticates the switch when starting each connection

Key Exchange:
  ecdh-sha2-nistp521
  ecdh-sha2-nistp384
  ecdh-sha2-nistp256
  ecdh-sha2-nistp224
  ecdh-sha2-nistp192
  rsa2048-sha256
  rsa1024-sha1
  diffie-hellman-group-exchange-sha256
  diffie-hellman-group-exchange-sha1
  diffie-hellman-group14-sha1
  diffie-hellman-group1-sha1
  ...

Note: Several of these methods are below current minimum strengths. diffie-hellman-group1-sha1 uses a 1024-bit MODP group (RFC 8270 raises the recommended minimum to 2048 bits), rsa1024-sha1 uses a 1024-bit key, and the sha1 variants and the nistp192/nistp224 curves are weaker than the remaining choices. The negotiated method is the first on the client's list that the switch also supports (RFC 4253), so a client configured to offer only the stronger methods will never negotiate the weak ones.
User Authentication: local password authentication, RADIUS, TACACS+

The following SSH clients have been tested:
  OpenSSH_5.1p1 Debian-3ubuntu1
  SecureCRT 5.0 (Van Dyke Technologies, Inc.)
  PuTTY beta 0.60

Note: The Lenovo N/OS implementation of SSH supports version 2.0 and supports SSH client version 2.0.

Using SSH with Password Authentication

By default, the SSH feature is enabled. For information about enabling and using SSH for switch access, see “Secure Shell and Secure Copy.”

Once the IP parameters are configured and the SSH service is enabled, you can access the command line interface using an SSH connection. To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IPv4 or IPv6 address:

  # ssh <switch IP address>

You will then be prompted to enter a password, as explained in “Switch Login Levels.”

Using SSH with Public Key Authentication

SSH can also be used for switch authentication based on asymmetric cryptography. ...
Note: A user account can have up to 100 public keys set up on the switch.

c. Configure a maximum of 3 failed public key authentication attempts before the system reverts to password-based authentication:

  CN4093(config)# ssh maxauthattempts 3

Once the public key is configured on the switch, the client can use SSH to log in from a system where the private key is set up:

  # ssh <switch IP address>

Using a Web Browser

The switch provides a Browser-Based Interface (BBI) for accessing the common configuration, management and operation features of the CN4093 through your Web browser. You can access the BBI directly from an open Web browser window. Enter the URL using the IP address of the switch interface (for example, http://<IPv4 or IPv6 address>).

When you first access the switch, you must enter the default username and password: USERID; PASSW0RD (with a zero). You are required to change the password after first login.

Configuring HTTP Access to the BBI

By default, BBI access via HTTP is disabled on the switch. To enable or disable HTTP access to the switch BBI, use the following commands:

  CN4093(config)# access http enable       (Enable HTTP access)
  -or-
  CN4093(config)# no access http enable    (Disable HTTP access)

The default HTTP web server port to access the BBI is port 80. However, you can change the default Web server port with the following command:

  CN4093(config)# access http port <TCP port number>

To access the BBI from a workstation, open a Web browser window and type in the URL using the IP address of the switch interface (for example, http://<IPv4 or IPv6 address>). HTTP sends the login credentials and all subsequent BBI traffic in cleartext; prefer HTTPS, which the switch also supports (see “Acceptable Cipher Suites”), and leave HTTP disabled.
BBI Summary

The BBI is organized at a high level as follows:

Context buttons—These buttons allow you to select the type of action you wish to perform.
  The Configuration button provides access to the configuration elements for the entire switch.
  The Statistics button provides access to the switch statistics and state information.
  The Dashboard button allows you to display the settings and operating status of a variety of switch features.

Navigation Window—This window provides a menu list of switch features and functions:
  System—Configuration elements for the entire switch.
  Switch Ports—Configure each of the physical ports on the switch.
  Port-Based Port Mirroring—Configure port mirroring behavior.
  Layer 2—Configure Layer 2 features for the switch.
  RMON Menu—Configure Remote Monitoring features for the switch.
  Layer 3—Configure Layer 3 features for the switch.
  QoS—Configure Quality of Service features for the switch.
  Access Control—Configure Access Control Lists to filter IP packets.
  Virtualization—Configure VMready for virtual machine (VM) support.

For information on using the BBI, refer to the Lenovo N/OS BBI Quick Guide.
BOOTP/DHCP Client IP Address Services

For remote switch administration, the client terminal device must have a valid IP address on the same network as a switch interface. The IP address on the client device may be configured manually, obtained automatically using IPv6 stateless address configuration, or, for IPv4, obtained automatically via BOOTP or DHCP relay as discussed below.

The CN4093 can function as a relay agent for the Bootstrap Protocol (BOOTP) or DHCP. This allows clients to be assigned an IPv4 address for a finite lease period, with freed addresses reassigned later to other clients. Acting as a relay agent, the switch can forward a client’s IPv4 address request to up to five BOOTP/DHCP servers. In addition to the five global BOOTP/DHCP servers, up to five domain-specific BOOTP/DHCP servers can be configured for each of up to 10 VLANs.

When the switch receives a BOOTP/DHCP request from a client seeking an IPv4 address, the switch acts as a proxy for the client. The request is forwarded as a UDP unicast message to the BOOTP/DHCP servers configured for the client’s VLAN, or to the global BOOTP/DHCP servers if no domain-specific servers are configured for the client’s VLAN. The servers respond to the switch with a unicast reply that contains the IPv4 default gateway and the IPv4 address for the client. The switch then forwards this reply back to the client.

DHCP is described in RFC 2131, and the BOOTP/DHCP relay agent behavior supported on the CN4093 is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. BOOTP and DHCP relay are collectively configured using the BOOTP commands and menus on the CN4093.

Host Name Configuration

The CN4093 supports DHCP host name configuration as described in RFC 2132, option 12. DHCP host name configuration is enabled by default.

The host name can also be configured manually using the following command:

  CN4093(config)# hostname <name>

If the host name is manually configured, the switch does not replace it with the host name received from the DHCP server.
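The relay-agent behavior described above under BOOTP/DHCP Client IP Address Services, written out as an added example (Python; this is not code from the Lenovo guide or from N/OS) so the packet fields involved are visible. The per-VLAN-first, then global, server selection follows the text; the giaddr and hops handling follows RFC 1542 section 4.1.1, and the reply delivery follows RFC 2131 section 4.1. The relay interface address, the server lists and the DHCPDISCOVER frame are constructed sample values.

```python
"""Added example (not from the Lenovo guide): BOOTP/DHCP relay-agent logic.

  * A BOOTREQUEST is forwarded as a unicast to the servers configured for the
    client's VLAN, or to the global servers if that VLAN has none.
  * giaddr is set to the relay interface address if the client left it zero
    (a second relay leaves it alone), hops is incremented, and a request whose
    hops field already exceeds 16 is silently discarded (RFC 1542 4.1.1).
  * A BOOTREPLY that the server unicast to giaddr is delivered to the client
    on UDP port 68: broadcast if the client set the BROADCAST flag, otherwise
    unicast to yiaddr (RFC 2131 4.1).

Addresses and frames below are constructed sample values.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAX_HOPS = 16
BROADCAST_FLAG = 0x8000
# Fixed BOOTP/DHCP header (RFC 2131 section 2): op, htype, hlen, hops, xid,
# secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def select_servers(vlan: int, per_vlan: Dict[int, List[str]],
                   global_servers: List[str]) -> List[str]:
    """Domain-specific servers win; otherwise fall back to the global list."""
    return per_vlan.get(vlan) or global_servers


def relay_request(frame: bytes, relay_ip: str, vlan: int,
                  per_vlan: Dict[int, List[str]],
                  global_servers: List[str]) -> Optional[Tuple[bytes, List[Tuple[str, int]]]]:
    """Rewrite a client BOOTREQUEST for forwarding.

    Returns (rewritten_frame, [(server_ip, 67), ...]), or None if discarded.
    """
    if len(frame) < HEADER.size:
        return None
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, file_) = HEADER.unpack_from(frame)
    if op != BOOTREQUEST or hops > MAX_HOPS:
        return None  # not a request, or looped too far: silently discard
    if giaddr == b"\x00" * 4:
        giaddr = ipaddress.IPv4Address(relay_ip).packed  # first relay fills giaddr
    rewritten = HEADER.pack(op, htype, hlen, hops + 1, xid, secs, flags,
                            ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file_)
    rewritten += frame[HEADER.size:]  # magic cookie and options are untouched
    targets = [(s, DHCP_SERVER_PORT) for s in select_servers(vlan, per_vlan, global_servers)]
    return rewritten, targets


def relay_reply(frame: bytes) -> Optional[Tuple[bytes, Tuple[str, int]]]:
    """Pick the client-side destination for a server BOOTREPLY."""
    if len(frame) < HEADER.size:
        return None
    op, _, _, _, _, _, flags, _, yiaddr, _, _, _, _, _ = HEADER.unpack_from(frame)
    if op != BOOTREPLY:
        return None
    if flags & BROADCAST_FLAG:
        dest = "255.255.255.255"
    else:
        dest = str(ipaddress.IPv4Address(yiaddr))
    return frame, (dest, DHCP_CLIENT_PORT)


def build_discover(xid: int, mac: bytes, broadcast: bool = True) -> bytes:
    """Build a minimal DHCPDISCOVER (constructed sample, no real client)."""
    flags = BROADCAST_FLAG if broadcast else 0
    hdr = HEADER.pack(BOOTREQUEST, 1, 6, 0, xid, 0, flags,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # magic cookie, option 53 (DHCP message type) = 1 (DISCOVER), end option
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"


if __name__ == "__main__":
    per_vlan = {10: ["192.0.2.53"]}                   # constructed per-VLAN server
    global_servers = ["198.51.100.67", "198.51.100.68"]  # constructed global servers
    frame = build_discover(0x1234, b"\x02\x00\x00\x00\x00\x01")
    out = relay_request(frame, "10.10.0.1", 10, per_vlan, global_servers)
    print("forward to:", out[1], "giaddr:", out[0][24:28].hex(), "hops:", out[0][3])
```

The two functions are the whole of the relay's packet handling; a real relay also has to listen on port 67 on the client VLAN and unicast the rewritten frame to each server, which the switch does for you. The hops check is the one defensive step in the path: it is what stops a request from circulating forever between misconfigured relays.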
Switch Login Levels

To enable better switch management and user accountability, three levels or classes of user access have been implemented on the CN4093. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:

User: interaction with the switch is completely passive; nothing can be changed on the CN4093. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.

Operator: operators can only effect temporary changes on the CN4093. These changes will be lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation.

Administrator: administrators are the only ones who may make permanent changes to the switch configuration, that is, changes that persist across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the CN4093. Because administrators can also make temporary (operator-level) changes, they must be aware of the interactions between temporary and permanent changes.

Access to switch functions is controlled through the use of unique user names and passwords. Once you are connected to the switch via console, remote Telnet, or SSH, you are prompted to enter a password. The default user names/password for each access level are listed in the following table.

Note: It is recommended that you change default switch passwords after initial configuration and as regularly as required under your network security policies.
Secure FTP

Lenovo N/OS supports Secure FTP (SFTP) to the switch. SFTP uses Secure Shell (SSH) to transfer files. SFTP encrypts both commands and data, and prevents passwords and sensitive information from being transmitted openly over the network.

All file transfer commands include SFTP support along with FTP and TFTP support. SFTP is available through the menu-based CLI, ISCLI, BBI, and SNMP. The following examples illustrate SFTP support for ISCLI commands:

  CN4093# copy sftp {image1|image2|bootimage} [mgtport|dataport]
      (Copy software image from SFTP server to the switch)
  CN4093# copy sftp {cacert|hostcert|hostkey} [mgtport|dataport]
      (Copy HTTPS certificate or host key from SFTP server to the switch)
Acceptable Cipher Suites

The following cipher suites are acceptable (listed in the order of preference) when the CN4093 10Gb Converged Scalable Switch is in compatibility mode:

Table 5. List of Acceptable Cipher Suites in Compatibility Mode

  Cipher ID  Key Exchange  Authentication  Encryption   MAC     Cipher Name
  0xC027     ECDHE         RSA             AES_128_CBC  SHA256  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  0xC013     ECDHE         RSA             AES_128_CBC  SHA1    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  0xC012     ECDHE         RSA             3DES         SHA1    SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  0xC011     ECDHE         RSA             RC4_128      SHA1    SSL_ECDHE_RSA_WITH_RC4_128_SHA
  0x002F     RSA           RSA             AES_128_CBC  SHA1    TLS_RSA_WITH_AES_128_CBC_SHA
  0x003C     RSA           RSA             AES_128_CBC  SHA256  TLS_RSA_WITH_AES_128_CBC_SHA256
  0x0005     ...

Note: Of these, RC4 is prohibited for TLS by RFC 7465, 3DES has a 64-bit block size, and the static RSA key exchange suites (0x002F, 0x003C) provide no forward secrecy. The server picks from the suites the client offers, so a client restricted to the ECDHE/AES suites still connects to a switch in compatibility mode without ever using the weaker ones.
3. Enter the following command at the prompt:

  CN4093(config)# setup

Stopping and Restarting Setup Manually

Stopping Setup

To abort the Setup utility, press <Ctrl-C> during any Setup question. When you abort Setup, the system will prompt:

  Would you like to run from top again? [y/n]

Enter n to abort Setup, or y to restart the Setup program at the beginning.

Restarting Setup

You can restart the Setup utility manually at any time by entering the following command at the administrator prompt:

  CN4093(config)# setup

Setup Part 1: Basic System Configuration

When Setup is started, the system prompts:

  "Set Up" will walk you through the configuration of System Date and Time, Spanning Tree, Port Speed/Mode, VLANs, and IP interfaces. [type Ctrl-C to abort "Set Up"]

1. Enter y if you will be configuring VLANs. Otherwise enter n.

If you decide not to configure VLANs during this session, you can configure them later using the configuration menus, or by restarting the Setup facility. For more information on configuring VLANs, see the Lenovo N/OS Application Guide.

Next, the Setup utility prompts you to input basic system information.
Enter e to enable BOOTP, or enter d to disable BOOTP.

9. Turn Spanning Tree Protocol on or off at the prompt:

  Spanning Tree:
  Current Spanning Tree Group 1 setting: ON
  Turn Spanning Tree Group 1 OFF? [y/n]

Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on.

Setup Part 2: Port Configuration

Note: When configuring port options for your switch, some prompts and options may be different.

1. Select whether you will configure VLANs and VLAN tagging for ports:

  Port Config:
  Will you configure VLANs and Tagging/Trunkmode for ports? [y/n]

If you wish to change settings for VLANs, enter y, or enter n to skip VLAN configuration.

Note: The sample screens that appear in this document might differ slightly from the screens displayed by your system.
5. The system prompts you to configure the next VLAN:

  VLAN Config:
  Enter VLAN number from 2 to 4094, NULL at end:

Repeat the steps in this section until all VLANs have been configured. When all VLANs have been configured, press <Enter> without specifying any VLAN.

Setup Part 4: IP Configuration

The system prompts for IPv4 parameters. Although the switch supports both IPv4 and IPv6 networks, the Setup utility permits only IPv4 configuration. For IPv6 configuration, see “Internet Protocol Version 6” on page 363.

IP Interfaces

IP interfaces are used for defining the networks to which the switch belongs. Up to 128 IP interfaces can be configured on the CN4093 10Gb Converged Scalable Switch (CN4093). The IP address assigned to each IP interface provides the switch with an IP presence on your network. No two IP interfaces can be on the same IP network. The interfaces can be used for connecting to the switch for remote configuration, and for routing between subnets and VLANs (if used).

Note: Interfaces 125-128 are reserved for IPv4 switch management.

1. Select the IP interface to configure, or skip interface configuration at the prompt:

  IP Config:
  IP interfaces:
  Enter interface number: (1-128)

If you wish to configure individual IP interfaces, enter the number of the IP interface you wish to configure. To skip IP interface configuration, press <Enter> without typing an interface number and go to “Default Gateways” on page 53. ...
IP Routing

When IP interfaces are configured for the various IP subnets attached to your switch, IP routing between them can be performed entirely within the switch. This eliminates the need to send inter-subnet communication to an external router device. Routing on more complex networks, where subnets may not have a direct presence on the CN4093, can be accomplished through configuring static routes or by letting the switch learn routes dynamically.

This part of the Setup program prompts you to configure the various routing parameters. At the prompt, enable or disable forwarding for IP Routing:

  Enable IP forwarding? [y/n]

Enter y to enable IP forwarding. To disable IP forwarding, enter n. To keep the current setting, press <Enter>.

Setup Part 5: Final Steps

1. When prompted, decide whether to restart Setup or continue:

  Would you like to run from top again? [y/n]

Enter y to restart the Setup utility from the beginning, or n to continue.

2. When prompted, decide whether you wish to review the configuration changes:

  Review the changes made? [y/n]

Enter y to review the changes made during this session of the Setup utility. Enter n to continue without reviewing the changes. We recommend that you review the changes.

3. Next, decide whether to apply the changes at the prompt:

  Apply the changes? [y/n]

Enter y to apply the changes, or n to continue without applying. Changes are normally applied.

4. At the prompt, decide whether to make the changes permanent:

  Save changes to flash? [y/n]

Enter y to save the changes to flash. Enter n to continue without saving the changes. Changes are normally saved at this point.

5. If you do not apply or save the changes, the system prompts whether to abort them:

  Abort all changes? [y/n]
SLP Configuration

Use the following ISCLI commands to configure SLP for the switch:

Table 7. SLP ISCLI Commands

  Command Syntax and Usage

  [no] ip slp enable
      Enables or disables SLP on the switch.
      Command mode: Global configuration

  [no] ip slp active-da-discovery enable
      Enables or disables Active DA Discovery.
      Command mode: Global configuration

  ip slp active-da-discovery-start-wait-time <1-10>
      Configures the wait time before starting Active DA Discovery, in seconds. The default value is 3 seconds.
      Command mode: Global configuration

  clear ip slp directory-agents
      Clears all Directory Agents learned by the switch.
      Command mode: Global configuration

  show ip slp information
      Displays SLP information.
      Command mode: All

  show ip slp directory-agents
      Displays Directory Agents learned by the switch.
      ...
Note: Repeat the enakey command for any additional keys being installed.

d. Once the key file has been uploaded to the CN4093, reset the device to activate any newly installed licenses:

  CN4093(config)# reload

The system prompts you to confirm your request. Once confirmed, the system will reboot with the new licenses.

Transferring Activation Keys

License keys are based on the unique CN4093 device serial number and are non-transferable. In the event that the CN4093 must be replaced, a new activation key must be acquired and installed. When the replacement is handled through Lenovo Service and Support, your original license will be transferred to the serial number of the replacement unit and you will be provided a new license key.

Trial Keys

Trial keys are license keys used for evaluation purposes, upgrading the number of available ports for a limited time. They are managed and obtained like regular license keys, from the Lenovo System x Features on Demand (FoD) website:

  http://www.ibm.com/systems/x/fod/

Trial keys expire after a predefined number of days. 10 days before the expiration date, the switch will begin to issue the following syslog messages:

  The software demo license for Upgrade1 will expire in 10 days. The switch will automatically reset to the factory configuration after the license expires. Please backup your configuration or enter a valid license key so the configuration will not be lost.

When the trial license expires, all features enabled by the key are disabled, configuration files (active and backup) are deleted and the switch resets to the factory configuration. To prevent this, either install a regular upgrade license to overwrite the trial key, or manually remove the trial key and reset the switch. Once a trial key is installed, it cannot be reused.

Flexible Port Mapping

Flexible Port Mapping allows administrators to manually enable or disable specific switch ports within the limitations of the installed licenses’ bandwidth.
For instance, the FlexSystem may include two compute nodes and a single QSFP+ ...
SCP is typically used to copy files securely from one machine to another. SCP uses SSH for encryption of data on the network. On a CN4093, SCP is used to download and upload the switch configuration via secure channels.

Although SSH and SCP are disabled by default, enabling and using these features provides the following benefits:
  Identifying the administrator using Name/Password
  Authentication of remote administrators
  Authorization of remote administrators
  Determining the permitted actions and customizing service for individual administrators
  Encryption of management messages
  Encrypting messages between the remote administrator and switch
  Secure copy support

The Lenovo N/OS implementation of SSH supports both versions 1.5 and 2.0 and supports SSH clients version 1.5 - 2.x. The following SSH clients have been tested:
  SSH 1.2.23 and SSH 1.2.27 for Linux (freeware)
  SecureCRT 3.0.2 and SecureCRT 3.0.3 for Windows NT (Van Dyke Technologies, Inc.)
  F-Secure SSH 1.1 for Windows (Data Fellows)
  Putty SSH
  Cygwin OpenSSH
  Mac X OpenSSH
  Solaris 8 OpenSSH
  AxeSSH
  SSHPro
  ...

Note: The SSH section earlier in this guide states that this release supports SSH protocol version 2.0. SSH protocol 1.x has known cryptographic weaknesses and should not be offered by clients.
Example:

  >> scp scpadmin@205.178.15.157:getcfg ad4.cfg

To Load a Switch Configuration File from the SCP Host

Syntax:

  >> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg

Example:

  >> scp ad4.cfg scpadmin@205.178.15.157:putcfg

To Apply and Save the Configuration

When loading a configuration file to the switch, the apply and save commands are still required in order for the configuration commands to take effect. The apply and save commands may be entered manually on the switch, or by using SCP commands.

Syntax:

  >> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg_apply
  >> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg_apply_save

Example:

  >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply
  >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply_save

The CLI diff command is automatically executed at the end of putcfg to notify the remote client of the difference between the new and the current configurations. putcfg_apply runs the apply command after the putcfg is done. putcfg_apply_save saves the new configuration to flash after putcfg_apply is done.
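An added example (Python; not part of the guide or of N/OS) that wraps the getcfg/putcfg transfers above in a check: pull the configuration, audit the management-plane settings covered in this chapter (Telnet, HTTP, SSH authentication attempts, RADIUS/TACACS+), and push only when the audit is clean. It assumes the dump is in ISCLI syntax as shown in this guide, with "no ..." as the disabled form, and that the client's -4/-6 flags are what the syntax lines above abbreviate; the embedded configuration is constructed, and the user, switch and server addresses are placeholders.

```python
"""Added example (not part of the Lenovo guide): audit a CN4093 configuration
pulled with the SCP "getcfg" pseudo-file before pushing it back with
"putcfg_apply_save".

Assumptions (not stated on the page): the dump is in ISCLI syntax, one command
per line with "no ..." as the disabled form; "scp -4" / "scp -6" are the
client's address-family flags. The embedded sample configuration is
constructed; user names and addresses are placeholders.
"""
import re
import subprocess
from typing import List

# (finding, pattern, fire_when_pattern_matches)
# The first two fire when an insecure command is present; the last two fire
# when a hardening command is absent.
CHECKS = [
    ("Telnet management enabled (credentials and session in cleartext)",
     re.compile(r"^\s*access telnet enable\b"), True),
    ("HTTP access to the BBI enabled (cleartext)",
     re.compile(r"^\s*access http enable\b"), True),
    ("no RADIUS or TACACS+ server configured; local passwords only",
     re.compile(r"^\s*(radius-server|tacacs-server)\s"), False),
    ("ssh maxauthattempts not explicitly limited to 3 or fewer",
     re.compile(r"^\s*ssh maxauthattempts [1-3]\s*$"), False),
]


def audit_config(text: str) -> List[str]:
    """Return the list of findings for a configuration dump (empty if clean)."""
    lines = text.splitlines()
    findings = []
    for message, pattern, fire_on_match in CHECKS:
        matched = any(pattern.search(line) for line in lines)
        if matched == fire_on_match:
            findings.append(message)
    return findings


def scp_target(apply: bool = True, save: bool = True) -> str:
    """Pick the pseudo-file from the guide: putcfg, putcfg_apply or putcfg_apply_save."""
    if not apply:
        return "putcfg"
    return "putcfg_apply_save" if save else "putcfg_apply"


def fetch_config(user: str, switch: str, dest: str, family: str = "") -> str:
    """Run scp [-4|-6] user@switch:getcfg dest and return the downloaded text."""
    cmd = ["scp"] + ([f"-{family}"] if family in ("4", "6") else [])
    cmd += [f"{user}@{switch}:getcfg", dest]
    subprocess.run(cmd, check=True)
    with open(dest, encoding="ascii", errors="replace") as f:
        return f.read()


def push_if_clean(user: str, switch: str, src: str,
                  apply: bool = True, save: bool = True) -> List[str]:
    """Upload src only when audit_config finds nothing; return the findings."""
    with open(src, encoding="ascii", errors="replace") as f:
        findings = audit_config(f.read())
    if not findings:
        subprocess.run(["scp", src, f"{user}@{switch}:{scp_target(apply, save)}"], check=True)
    return findings


SAMPLE_CONFIG = """\
! constructed sample dump, not from a real switch
hostname CN4093-lab
access telnet enable
access http enable
access http port 8080
ssh maxauthattempts 5
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed dump, the audit reports all four findings; a dump with "no access telnet enable", "no access http enable", a radius-server or tacacs-server line and "ssh maxauthattempts 3" passes, and only then does push_if_clean issue the putcfg_apply_save transfer. Keep in mind that putcfg_apply_save makes the change persistent in one step, so the audit is the last gate before the configuration survives a reboot.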
SSH/SCP Integration with RADIUS Authentication

SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified RADIUS servers for authentication. The redirection is transparent to the SSH clients.

SSH/SCP Integration with TACACS+ Authentication

SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified TACACS+ servers for authentication. The redirection is transparent to the SSH clients.
The administrator can choose the number of days allowed before each password expires. When a strong password expires, the user is allowed to log in one last time to change the password. A warning provides advance notice for users to change the password.

User Access Control Menu

The end-user access control commands allow you to configure end-user accounts.

Setting Up User IDs

Up to 20 user IDs can be configured in the User ID menu.

  CN4093(config)# access user 1 name <1-8 characters>
  CN4093(config)# access user 1 password
  Changing user1 password; validation required:
  Enter current admin password: <current administrator password>
  Enter new user1 password: <new user password>
  Reenter new user1 password: <new user password>
  New user1 password accepted.

Defining a User’s Access Level

The end user is by default assigned to the user access level (also known as class of service, or CoS). All CoS levels have global access to all resources except the User CoS, which can view only the resources that the user owns. For more information, see Table 8. To change the user’s level, enter the class of service command:

  CN4093(config)# access user 1 level {user|operator|administrator}

Validating a User’s Configuration

  CN4093# show access user uid 1

Enabling or Disabling a User

An end user account must be enabled before the switch recognizes and permits ...
Listing Current Users

The show access user command displays defined user accounts and whether or not each user is currently logged into the switch.

  CN4093# show access user
  Usernames:
    user     Enabled         offline
    oper     Disabled        offline
    admin    Always Enabled  online   1 session
  Current User ID table:
    1: name USERID , ena, cos admin , password valid, offline
    2: name jane   , ena, cos user  , password valid, online
    3: name john   , ena, cos user  , password valid, online

Logging In to an End User Account

Once an end user account is configured and enabled, the user can log in to the switch using the username/password combination. The level of switch access is determined by the Class of Service established for the end user account.

Protected Mode

Protected Mode settings allow the switch administrator to block the management module from making configuration changes that affect switch operation. The switch retains control over those functions. The following management module functions are disabled when Protected Mode is turned on:
  External Ports: Enabled/Disabled
  External management over all ports: Enabled/Disabled
  ...
RADIUS Authentication and Authorization

Lenovo N/OS supports the RADIUS (Remote Authentication Dial-In User Service) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS), here the switch, is a client to the back-end database server. A remote user (the remote administrator) interacts only with the RAS, not with the back-end server and database.

RADIUS authentication consists of the following components:
  A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and RFC 2866)
  A centralized server that stores all the user authorization information
  A client, in this case, the switch

The CN4093, acting as the RADIUS client, communicates with the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and RFC 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back-end RADIUS server.

Note: RFC 2138 has since been superseded by RFC 2865. The password hiding it specifies is an MD5-based XOR keyed by the shared secret, and the user name and the other attributes travel in cleartext, so the protection rests on the length and randomness of the secret and on keeping the RADIUS exchange on a trusted management network.

How RADIUS Authentication Works

1. The remote administrator connects to the switch and provides a user name and password.
2. Using the Authentication/Authorization protocol, the switch sends a request to the authentication server.
3. The authentication server checks the request against the user ID database.
4. Using the RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access.

Configuring RADIUS on the Switch

Use the following procedure to configure RADIUS authentication on your CN4093.
If you configure the RADIUS secret using any method other than through the console port, the secret may be transmitted over the network as clear text.

3. If desired, you may change the default UDP port number used to listen to RADIUS. The well-known port for RADIUS is 1645.

  CN4093(config)# radius-server port <UDP port number>

Note: 1645 is the port used by early RADIUS implementations. RFC 2865 assigns UDP port 1812 for authentication (and RFC 2866 assigns 1813 for accounting), and most current RADIUS servers listen on 1812 by default; set the switch to the port your server actually uses.

4. Configure the number of retry attempts for contacting the RADIUS server, and the timeout period.

  CN4093(config)# radius-server retransmit 3
  CN4093(config)# radius-server timeout 5

RADIUS Authentication Features in Lenovo N/OS

Lenovo N/OS supports the following RADIUS authentication features:
  Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.
  Allows a RADIUS secret password of up to 32 characters.
  Supports a secondary authentication server so that when the primary authentication server is unreachable, the switch can send client authentication requests to the ...
Switch User Accounts

The user accounts listed in Table 8 can be defined in the RADIUS server dictionary file.

Table 8. User Access Levels

  User Account    Description and Tasks Performed                                      Password
  user            User: The User has no direct responsibility for switch management.
                  He/she can view all switch status information and statistics but
                  cannot make any configuration changes to the switch.
  oper            Operator: In addition to User capabilities, the Operator has limited
                  switch management access, including the ability to make temporary,
                  operational configuration changes to some switch features, and to
                  reset switch ports (other than management ports).
  admin (USERID)  Administrator: The super-user Administrator has complete access to   PASSW0RD
                  all menus, information, and configuration commands on the switch,
                  including the ability to change both the user and administrator
                  passwords.
RADIUS Attributes for Lenovo N/OS User Privileges

When the user logs in, the switch authenticates his/her level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server. If the remote user is successfully authenticated by the authentication server, the switch will verify the privileges of the remote user and authorize the appropriate access.

The administrator has two options: to allow backdoor access via Telnet, SSH, HTTP, or HTTPS; or to allow secure backdoor access via console, Telnet, SSH, or BBI. Secure backdoor provides access to the switch when the RADIUS servers cannot be reached. The default CN4093 setting for both backdoor and secure backdoor access is disabled.

Backdoor access is always enabled on the console port. Irrespective of whether backdoor is enabled, you can always access the switch via the console port by using noradius as the RADIUS username. You can then enter the username and password configured on the switch.

If you are trying to connect via SSH/Telnet/HTTP/HTTPS, there are two possibilities:
  Backdoor is enabled: the switch behaves as if you were connecting via the console, so local credentials are accepted even while the RADIUS servers are reachable.
  Secure backdoor is enabled: you must enter the username noradius. The switch checks whether a RADIUS server is reachable. If it is reachable, you must authenticate via the remote authentication server. Only if no RADIUS server is reachable are you prompted for a local user name and password to be authenticated against the local credentials.

Of the two, secure backdoor is the one to prefer: plain backdoor lets the centrally managed RADIUS policy be bypassed with a local password over any network management interface, not only when the servers are down.

All user privileges, other than those assigned to the Administrator, have to be defined in the RADIUS dictionary. RADIUS attribute 6 (Service-Type), which is built into all RADIUS servers, defines the administrator. The file name of the dictionary is RADIUS vendor-dependent. The following RADIUS attributes are defined for Lenovo N/OS user privilege levels:

Table 9. Lenovo N/OS-proprietary Attributes for RADIUS User Name/Access...
TACACS+ Authentication

Lenovo N/OS supports authentication, authorization, and accounting with networks using the Cisco Systems TACACS+ protocol. The CN4093 functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the CN4093 either through a data or management port.

TACACS+ offers the following advantages over RADIUS:
- TACACS+ uses TCP-based connection-oriented transport, whereas RADIUS is UDP-based. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers.
- TACACS+ offers full packet encryption, whereas RADIUS offers password-only encryption in authentication requests.
- TACACS+ separates authentication, authorization and accounting.

How TACACS+ Authentication Works

TACACS+ works much in the same way as RADIUS authentication, as described in the RADIUS authentication section above.
1. The remote administrator connects to the switch and provides a user name and password.
2. Using the authentication/authorization protocol, the switch sends a request to the authentication server.
3. The authentication server checks the request against the user ID database.
4. Using the TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access.

During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine whether the user is granted permission to use a particular command.
TACACS+ Authentication Features in Lenovo N/OS

Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. Lenovo N/OS supports ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time password authentication are not supported.

Authorization

Authorization is the action of determining a user's privileges on the device, and usually takes place after authentication. The default mapping between TACACS+ authorization levels and Lenovo N/OS management access levels is shown in Table 10. The authorization levels listed in this table must be defined on the TACACS+ server.

Table 10. Default TACACS+ Authorization Levels

Lenovo N/OS User Access Level    TACACS+ Level
user
oper
admin (USERID)

The alternate mapping between TACACS+ authorization levels and Lenovo N/OS management access levels is shown in Table 11. Use the following command to use the alternate TACACS+ authorization levels:

    CN4093(config)# tacacs-server privilege-mapping

Table 11. Alternate TACACS+ Authorization Levels
Lenovo N/OS User Access...
disc-cause

Note: When using the Browser-Based Interface, the TACACS+ Accounting Stop records are sent only if the Quit button on the browser is clicked.

Command Authorization and Logging

When TACACS+ Command Authorization is enabled (CN4093(config)# tacacs-server command-authorization), Lenovo N/OS configuration commands are sent to the TACACS+ server for authorization. When TACACS+ Command Logging is enabled (CN4093(config)# tacacs-server command-logging), Lenovo N/OS configuration commands are logged on the TACACS+ server.

The following examples illustrate the format of Lenovo N/OS commands sent to the TACACS+ server:

    authorization request, cmd=cfgtree, cmd-arg=/cfg/l3/if...
3. If desired, you may change the default TCP port number used to listen to LDAP. The well-known port for LDAP is 389.

    CN4093(config)# ldap-server port <1-65000>

4. Configure the number of retry attempts for contacting the LDAP server, and the timeout period.

    CN4093(config)# ldap-server retransmit 3     (server retries)
    CN4093(config)# ldap-server timeout 10       (Enter the timeout period in seconds)
Extensible Authentication Protocol over LAN

Lenovo N/OS can provide user-level security for its ports using the IEEE 802.1X protocol, which is a more secure alternative to other methods of port-based network access control. Any device attached to an 802.1X-enabled port that fails authentication is prevented access to the network and denied services offered through that port.

The 802.1X standard describes port-based network access control using Extensible Authentication Protocol over LAN (EAPoL). EAPoL provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases of authentication and authorization failures.

EAPoL is a client-server protocol that has the following components:

Supplicant or Client
    The Supplicant is a device that requests network access and provides the required credentials (user name and password) to the Authenticator and the Authentication Server.

Authenticator
    The Authenticator enforces authentication and controls access to the network. The Authenticator grants network access based on the information provided by the Supplicant and the response from the Authentication Server. The Authenticator acts as an intermediary between the Supplicant and the Authentication Server: requesting identity information from the client, forwarding that information to the Authentication Server for validation, relaying the server's responses to the client, and authorizing network access based on the results of the authentication exchange. The CN4093 acts as an Authenticator.

Authentication Server
    The Authentication Server validates the credentials provided by the Supplicant to determine whether the Authenticator should grant access to the network. The Authentication Server may be co-located with the Authenticator. The CN4093 relies on external RADIUS servers for authentication.
EAPoL Message Exchange

During authentication, EAPOL messages are exchanged between the client and the CN4093 authenticator, while RADIUS-EAP messages are exchanged between the CN4093 authenticator and the RADIUS server. Authentication is initiated by one of the following methods:
- The CN4093 authenticator sends an EAP-Request/Identity packet to the client.
- The client sends an EAPOL-Start frame to the CN4093 authenticator, which responds with an EAP-Request/Identity frame.

The client confirms its identity by sending an EAP-Response/Identity frame to the CN4093 authenticator, which forwards the frame encapsulated in a RADIUS packet to the server. The RADIUS authentication server chooses an EAP-supported authentication algorithm to verify the client's identity, and sends an EAP-Request packet to the client via the CN4093 authenticator. The client then replies to the RADIUS server with an EAP-Response containing its credentials.

Upon a successful authentication of the client by the server, the 802.1X-controlled port transitions from the unauthorized to the authorized state, and the client is allowed full access to services through the controlled port. When the client later sends an EAPOL-Logoff message to the CN4093 authenticator, the port transitions from the authorized to the unauthorized state.

If a client that does not support 802.1X connects to an 802.1X-controlled port, the CN4093 authenticator requests the client's identity when it detects a change in the operational state of the port. The client does not respond to the request, and the port remains in the unauthorized state.

Note: When an 802.1X-enabled client connects to a port that is not 802.1X-controlled, the client initiates the authentication process by sending an EAPOL-Start frame.
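The exchange above can be followed step by step in code. What follows is an added example, not code from the Lenovo guide or from N/OS: it builds and parses EAPOL and EAP frames (IEEE 802.1X framing, RFC 3748 EAP header) and keeps one controlled port's authorized/unauthorized state the way the authenticator does, including the EAPOL-Start, EAPOL-Logoff and "client never answers" cases. The RADIUS leg is replaced by a caller-supplied `radius_decide` callback, and the method-specific EAP-Request/EAP-Response round is folded into that callback; both are simplifying assumptions of this example.

```python
"""EAPOL/EAP framing (IEEE 802.1X, RFC 3748) and an authenticator port state
machine. Added example, not Lenovo N/OS code; the RADIUS leg is a callback."""
import struct

# EAPOL packet types (802.1X) and EAP codes / method types (RFC 3748)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eapol(eapol_type, body=b""):
    """EAPOL header: protocol version (2 = 802.1X-2004), packet type, body length."""
    return struct.pack("!BBH", 2, eapol_type, len(body)) + body


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, total length, then optional type + type-data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eapol(frame):
    """Return (packet type, body). Bytes beyond the declared length are
    padding (Ethernet minimum frame size) and are ignored."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    _version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("truncated EAPOL body")
    return eapol_type, frame[4:4 + length]


def parse_eap(pkt):
    """Return (code, identifier, type or None, type-data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP request/response without type")
        return code, ident, pkt[4], pkt[5:length]
    return code, ident, None, b""


class AuthenticatorPort:
    """One 802.1X-controlled port. `radius_decide(identity) -> bool` stands in
    for the RADIUS-EAP exchange (assumption of this example)."""

    def __init__(self, radius_decide):
        self.radius_decide = radius_decide
        self.state = "unauthorized"   # the controlled port starts closed
        self.ident = 0                # EAP identifier of the outstanding request
        self.sent = []                # frames the authenticator would transmit

    def _request_identity(self):
        self.ident = (self.ident + 1) & 0xFF
        self.sent.append(build_eapol(
            EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, self.ident, EAP_TYPE_IDENTITY)))

    def link_up(self):
        """Operational state change: authenticator-initiated EAP-Request/Identity.
        A client that never answers simply leaves the port unauthorized."""
        self.state = "unauthorized"
        self._request_identity()

    def receive(self, frame):
        eapol_type, body = parse_eapol(frame)
        if eapol_type == EAPOL_START:          # supplicant-initiated
            self._request_identity()
        elif eapol_type == EAPOL_LOGOFF:       # authorized -> unauthorized
            self.state = "unauthorized"
        elif eapol_type == EAPOL_EAP_PACKET:
            code, ident, eap_type, data = parse_eap(body)
            # Only a response to the outstanding request identifier is accepted;
            # stale or unsolicited responses are dropped without changing state.
            if code == EAP_RESPONSE and ident == self.ident and eap_type == EAP_TYPE_IDENTITY:
                ok = self.radius_decide(data)
                self.sent.append(build_eapol(
                    EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS if ok else EAP_FAILURE, ident)))
                self.state = "authorized" if ok else "unauthorized"
        return self.state
```

The identifier check is the part worth keeping in mind when reading captures: a response whose EAP identifier does not match the request the authenticator is waiting on is ignored, which is why a port can sit in the unauthorized state even though EAP traffic is visible on it.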
Supported RADIUS Attributes

The 802.1X Authenticator relies on external RADIUS servers for authentication with EAP. Table 12 lists the RADIUS attributes that are supported as part of RADIUS-EAP authentication based on the guidelines specified in Annex D of the 802.1X standard and RFC 3580.

Table 12. Support for RADIUS Attributes

#    Attribute        Attribute Value
1    User-Name        The value of the Type-Data field from the supplicant's EAP-Response/Identity message. If the Identity is unknown (i.e. the Type-Data field is zero bytes in length), this attribute will have the same value as the Calling-Station-Id. (0-1)
4    NAS-IP-Address   IPv4 address of the authenticator used for RADIUS communication.
5    NAS-Port         Port number of the authenticator port to which the supplicant is attached.
24   State            Server-specific value. This is sent unmodified back to the ... (0-1, 0-1, 0-1)
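The RADIUS packet format behind both the user-privilege section (attribute 6 marking the administrator, and the "password-only encryption" that the TACACS+ section contrasts with) and Table 12 above can be exercised directly. The following is an added example, not code from the Lenovo guide or from N/OS: it builds an Access-Request carrying User-Name (1), User-Password (2), NAS-IP-Address (4), NAS-Port (5) and an echoed State (24), builds the matching Access-Accept on the server side, and on the NAS side verifies the Response Authenticator before reading Service-Type (6). The `SERVICE_TYPE_TO_LEVEL` mapping and the `build_access_accept` helper are assumptions for illustration, not the switch's RADIUS dictionary; the attribute numbers and the password-hiding algorithm are from RFC 2865.

```python
"""RADIUS Access-Request / Access-Accept framing (RFC 2865) for the attributes
the guide names: User-Name (1), User-Password (2), NAS-IP-Address (4),
NAS-Port (5), Service-Type (6) and State (24). Added example, not Lenovo N/OS
code; the Service-Type -> access-level mapping is an assumption for illustration."""
import hashlib
import os
import socket
import struct

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, STATE = 1, 2, 4, 5, 6, 24
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# Service-Type values from RFC 2865 section 5.6: 6 = Administrative-User, 7 = NAS-Prompt
SERVICE_TYPE_TO_LEVEL = {6: "admin", 7: "user"}     # assumption for this example


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block). Only this one attribute is hidden, which is
    the 'password-only encryption' the guide contrasts with TACACS+."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value attributes; Length counts the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...]) with
    length checks, so a truncated or oversized packet is rejected."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length mismatch")
    attrs, pos = [], 20
    while pos < length:
        t, l = struct.unpack("!BB", pkt[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def build_access_request(username, password, secret, nas_ip, nas_port,
                         ident=1, authenticator=None, state=None):
    """What the switch (NAS) sends; `state` echoes a State attribute unmodified
    from a previous Access-Challenge, as Table 12 describes."""
    authenticator = authenticator or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
             (NAS_PORT, struct.pack("!I", nas_port))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_access_accept(request, secret, service_type):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    body = encode_attrs([(SERVICE_TYPE, struct.pack("!I", service_type))])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def privilege_from_accept(response, request, secret):
    """NAS side: verify the Response Authenticator against the request it
    answers, then map Service-Type (attribute 6) to an access level. Returns
    None when the response is unauthenticated or is not an Access-Accept."""
    _, req_ident, req_auth, _ = parse_packet(request)
    code, ident, resp_auth, attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if resp_auth != expected or ident != req_ident or code != ACCESS_ACCEPT:
        return None
    for t, v in attrs:
        if t == SERVICE_TYPE:
            return SERVICE_TYPE_TO_LEVEL.get(struct.unpack("!I", v)[0], "user")
    return "user"   # no Service-Type: lowest level (assumption of this example)
```

Two points the code makes concrete: the User-Password hiding is keyed only by the shared secret and a per-request authenticator, so everything else in the request travels in clear text, and an Access-Accept is only trusted after its Response Authenticator has been recomputed over the original request's authenticator.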
EAPoL Configuration Guidelines

When configuring EAPoL, consider the following guidelines:
- The 802.1X port-based authentication is currently supported only in point-to-point configurations, that is, with a single supplicant connected to an 802.1X-enabled switch port.
- When 802.1X is enabled, a port has to be in the authorized state before any other Layer 2 feature can be operationally enabled. For example, the STG state of a port is operationally disabled while the port is in the unauthorized state.
- The 802.1X supplicant capability is not supported. Therefore, none of its ports can successfully connect to an 802.1X-enabled port of another device, such as another switch, that acts as an authenticator, unless access control on the remote port is disabled or is configured in forced-authorized mode. For example, if a CN4093 is connected to another CN4093, and if 802.1X is enabled on both switches, the two connected ports must be configured in force-authorized mode.
- Unsupported 802.1X attributes include Service-Type, Session-Timeout, and Termination-Action.
- RADIUS accounting service for 802.1X-authenticated devices or users is not currently supported.
- Configuration changes performed using SNMP and the standard 802.1X MIB will take effect immediately.
Summary of Packet Classifiers

ACLs allow you to classify packets according to a variety of content in the packet header (such as the source address, destination address, source port number, destination port number, and others). Once classified, packet flows can be identified for more processing.

Regular ACLs and VMaps allow you to classify packets based on the following packet attributes:
- Ethernet header options (for regular ACLs and VMaps only)
  - Source MAC address
  - Destination MAC address
  - VLAN number and mask
  - Ethernet type (ARP, IPv4, MPLS, RARP, etc.)
  - Ethernet Priority (the IEEE 802.1p Priority)
- IPv4 header options (for regular ACLs and VMaps only)
  - Source IPv4 address and subnet mask
  - Destination IPv4 address and subnet mask
  - Type of Service value
  - IP protocol number or name as shown in Table 13

Table 13. Well-Known Protocol Types

Number    Protocol Name
          icmp
          igmp
          ospf
          vrrp
...
Summary of ACL Actions

Once classified using ACLs, the identified packet flows can be processed differently. For each ACL, an action can be assigned. The action determines how the switch treats packets that match the classifiers assigned to the ACL. CN4093 ACL actions include the following:
- Pass or Drop the packet
- Re-mark the packet with a new DiffServ Code Point (DSCP)
- Re-mark the 802.1p field
- Set the COS queue

Assigning Individual ACLs to a Port

Once you configure an ACL, you must assign the ACL to the appropriate ports. Each port can accept multiple ACLs, and each ACL can be applied to multiple ports. ACLs can be assigned individually, or in groups. To assign an individual ACL to a port, use the following IP interface commands:

    CN4093(config)# interface port <port>
    CN4093(config-if)# access-control list <IPv4 ACL number>
    CN4093(config-if)# access-control list6 <IPv6 ACL number>

When multiple ACLs are assigned to a port, higher-priority ACLs are considered first, and their action takes precedence over lower-priority ACLs. ACL order of precedence is discussed in the next section. To create and assign ACLs in groups, see "ACL Groups" on page 101.

ACL Order of Precedence

When multiple ACLs are assigned to a port, they are evaluated in numeric sequence, based on the ACL number. Lower-numbered ACLs take precedence over higher-numbered ACLs. For example, ACL 1 (if assigned to the port) is ...
Assigning ACL Groups to a Port

To assign an ACL Group to a port, use the following commands:

    CN4093(config)# interface port <port number>
    CN4093(config-if)# access-control group <ACL group number>
    CN4093(config-if)# exit

ACL Metering and Re-Marking

You can define a profile for the aggregate traffic flowing through the switch by configuring a QoS meter (if desired) and assigning ACLs to ports.

Note: When you add ACLs to a port, make sure they are ordered correctly in terms of precedence (see "ACL Order of Precedence" on page 100).
ACL Configuration Examples

ACL Example 1

Use this configuration to block traffic to a specific host. All traffic that ingresses on port EXT1 is denied if it is destined for the host at IP address 100.10.1.1.

1. Configure an Access Control List.

    CN4093(config)# access-control list 1 ipv4 destination-ip-address 100.10.1.1
    CN4093(config)# access-control list 1 action deny

2. Add ACL 1 to port EXT1.

    CN4093(config)# interface port EXT1
    CN4093(config-if)# access-control list 1
    CN4093(config-if)# exit

ACL Example 2

Use this configuration to block traffic from a network destined for a specific host address. All traffic that ingresses on port EXT2 with a source IP in 100.10.1.0/24 and destination IP 200.20.2.2 is denied.

1. Configure an Access Control List.

    CN4093(config)# access-control list 2 ipv4 source-ip-address 100.10.1.0 255.255.255.0
    CN4093(config)# access-control list 2 ipv4 destination-ip-address 200.20.2.2 255.255.255.255
    CN4093(config)# access-control list 2 action deny

2. Add ACL 2 to port EXT2.

    CN4093(config)# interface port EXT2
    CN4093(config-if)# access-control list 2
    CN4093(config-if)# exit
VLAN Maps

A VLAN map (VMAP) is an ACL that can be assigned to a VLAN or VM group rather than to a switch port as with regular ACLs. This is particularly useful in a virtualized environment where traffic filtering and metering policies must follow virtual machines (VMs) as they migrate between hypervisors.

VMAPs are configured using the following ISCLI command path:

    CN4093(config)# access-control vmap <VMAP ID (1-128)>
      action          Set filter action
      egress-port     Set to filter for packets egressing this port
      ethernet        Ethernet header options
      ipv4            IP version 4 header options
      meter           ACL metering configuration
      mirror          Mirror options
      packet-format   Set to filter specific packet format types
      remark          ACL remark configuration
      statistics      Enable access control list statistics
      tcp-udp         TCP and UDP filtering options

The CN4093 supports up to 128 VMAPs. Individual VMAP filters are configured in the same fashion as regular ACLs, except that VLANs cannot be specified as a filtering criterion (unnecessary, since the VMAP is assigned to a specific VLAN or associated with a VM group VLAN).

Once a VMAP filter is created, it can be assigned or removed using the following configuration commands:

For a regular VLAN:

    CN4093(config)# vlan <VLAN ID>
    CN4093(config-vlan)# [no] vmap <VMap ID> [intports|extports]

For a VM group (see "VM Group Types" on page 242):

    CN4093(config)# [no] virt vmgroup <ID> vmap <VMap ID> [intports|extports]

Note: Each VMAP can be assigned to only one VLAN or VM group. However, each VLAN or VM group may have multiple VMAPs assigned to it.
Management ACLs

Management ACLs (MACLs) filter inbound traffic, i.e. traffic toward the CPU. MACLs are applied switch-wide. Traffic can be filtered based on the following:
- IPv4 source address
- IPv4 destination address
- IPv4 protocols
- TCP/UDP destination or source port

Lower MACL numbers have higher priority. Up to 128 MACLs can be configured.

Following is an example MACL configuration based on a destination IP address and a TCP/UDP destination port:

    CN4093(config)# access-control macl 1 ipv4 destination-ip-address 1.1.1.1 255.255.255.0
    CN4093(config)# access-control macl 1 tcp-udp destination-port 111 0xffff
    CN4093(config)# access-control macl 1 statistics
    CN4093(config)# access-control macl 1 action permit
    CN4093(config)# access-control macl 1 enable

Use the following command to view the MACL configuration:

    CN4093(config)# show access-control macl 1
    MACL 1 profile : Enabled
    IPv4
      - DST IP : 1.1.1.1/255.255.255.0
    TCP/UDP
      - DST Port : 111/0xffff
    Action : Permit...
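The classifier, action and precedence rules from the ACL sections above (packet classifiers, ACL actions, order of precedence, ACL Examples 1 and 2) and the MACL example share one evaluation model, which the following added example implements. This is not code from the Lenovo guide or from N/OS; it is an illustration of how an ordered list of ACL entries is matched against a packet: lowest ACL number wins, IPv4 addresses match through a mask, a TCP/UDP destination port matches through a port mask as in `destination-port 111 0xffff`, and a matching entry may re-mark DSCP. The `Packet`/`Acl` data classes and the `default` action argument are assumptions of the example; the protocol numbers are the standard IANA values for the names in Table 13.

```python
"""Ordered ACL / MACL evaluation as the guide describes it: the lowest-numbered
matching ACL decides, actions are permit/deny with optional DSCP re-mark, and
classifiers are IPv4 source/destination with mask, IP protocol, and TCP/UDP
destination port with mask. Added example; not switch code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IANA protocol numbers for the names in Table 13 plus tcp/udp (standard values;
# the numbers themselves are not printed on the page)
PROTO = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "ospf": 89, "vrrp": 112}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0
    dscp: int = 0


@dataclass
class Acl:
    number: int
    action: str                                # "permit" or "deny"
    src: Optional[str] = None                  # "100.10.1.0 255.255.255.0"; mask optional
    dst: Optional[str] = None
    proto: Optional[int] = None
    dport: Optional[Tuple[int, int]] = None    # (port, mask) as in "destination-port 111 0xffff"
    remark_dscp: Optional[int] = None


def ip_match(spec, addr):
    """Address-and-mask classifier; a missing mask means an exact host match."""
    if spec is None:
        return True
    parts = spec.split()
    net = int(ipaddress.IPv4Address(parts[0]))
    mask = int(ipaddress.IPv4Address(parts[1] if len(parts) > 1 else "255.255.255.255"))
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def port_match(spec, port):
    if spec is None:
        return True
    value, mask = spec
    return (port & mask) == (value & mask)


def acl_matches(acl, pkt):
    if not (ip_match(acl.src, pkt.src) and ip_match(acl.dst, pkt.dst)):
        return False
    if acl.proto is not None and acl.proto != pkt.proto:
        return False
    if acl.dport is not None:
        # a TCP/UDP port classifier can only match packets that carry L4 ports
        return pkt.proto in (PROTO["tcp"], PROTO["udp"]) and port_match(acl.dport, pkt.dport)
    return True


def evaluate(acls, pkt, default="permit"):
    """Return (action, resulting DSCP, matching ACL number or None). ACLs are
    considered in ascending numeric order, so ACL 1 takes precedence over ACL 2
    regardless of the order in which they were assigned to the port."""
    for acl in sorted(acls, key=lambda a: a.number):
        if acl_matches(acl, pkt):
            dscp = acl.remark_dscp if acl.remark_dscp is not None else pkt.dscp
            return acl.action, dscp, acl.number
    return default, pkt.dscp, None
```

Running ACL Examples 1 and 2 through `evaluate` shows the precedence point: when a permit entry with a lower number and a deny entry with a higher number both match, the lower number decides, so a misnumbered permit silently shadows a deny.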
VLANs Overview

Setting up virtual LANs (VLANs) is a way to segment networks to increase network flexibility without changing the physical network topology. With network segmentation, each switch port connects to a segment that is a single broadcast domain. When a switch port is configured to be a member of a VLAN, it is added to a group of ports (workgroup) that belong to one broadcast domain.

Ports are grouped into broadcast domains by assigning them to the same VLAN. Frames received in one VLAN can only be forwarded within that VLAN, and multicast, broadcast, and unknown unicast frames are flooded only to ports in the same VLAN.

The CN4093 10Gb Converged Scalable Switch (CN4093) supports jumbo frames with a Maximum Transmission Unit (MTU) of 9,216 bytes. Within each frame, 18 bytes are reserved for the Ethernet header and CRC trailer. The remaining space in the frame (up to 9,198 bytes) comprises the packet, which includes the payload of up to 9,000 bytes and any additional overhead, such as 802.1q or VLAN tags. Jumbo frame support is automatic: it is enabled by default, requires no manual configuration, and cannot be manually disabled.

Note: Jumbo frames are not supported for traffic sent to switch management interfaces.
PVID/Native VLAN Numbers

Each port in the switch has a configurable default VLAN number, known as its PVID. By default, the PVID for all non-management ports is set to 1, which correlates to the default VLAN ID. The PVID for each port can be configured to any VLAN number between 1 and 4094.

Use the following CLI commands to view PVIDs:

Port information:

    CN4093# show interface information
    (or)
    CN4093# show interface trunk

    Alias  Port  Tag  Type      RMON  Lrn  Fld  Openflow  PVID  DESCRIPTION  VLAN(s)  Trk  NVLAN
    INTA1  1     n    Internal  d     e    e    d         4094  INTA1        4094
    INTA2  2     n    Internal  d     e    e    d         1     INTA2
    INTA3  3     n    Internal  d     e    e    d         1     INTA3
    INTA4  4     n    Internal  d     e    e    d         1     INTA4
    INTA5  5     n    Internal  d     e    e    d         1     INTA5
    INTA6  6     n    Internal  d     e    e    d         1     INTA6
    INTA7  7     n    Internal  d     e    e    d         1     INTA7
    INTA8  8     n    Internal  d     e    e    d         1     INTA8
    INTA9  9     n    Internal  d     e    e    d         1     INTA9
Port Configuration:

Access Mode Port

    CN4093(config)# interface port <port number>
    CN4093(config-if)# switchport access vlan <VLAN ID>

Trunk Mode Port

    CN4093(config)# interface port <port number>
    CN4093(config-if)# switchport trunk native vlan <VLAN ID>

Each port on the switch can belong to one or more VLANs, and each VLAN can have any number of switch ports in its membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging enabled (see "VLAN Tagging/Trunk Mode" on page 117).
Figure 2. Default VLAN settings

[Figure: an 802.1Q switch whose Ports 1 through 7 are all in VLAN 1 with PVID = 1; an incoming untagged data packet leaves as an outgoing untagged data packet, unchanged.]

By default:
- All ports are assigned PVID = 1
- All external ports are untagged members of VLAN 1
- All internal server ports are untagged members of VLAN 1
Figure 6. 802.1Q tagging (after 802.1Q tag assignment)

[Figure: an 802.1Q switch (Ports 1, 2, 3 and Ports 6, 7, 8) with PVID = 2, showing a tagged member of VLAN 2 and untagged members of VLAN 2. The tagged data frame carries the fields 8100 (16 bits), Priority (3 bits), a 1-bit field, and VID = 2 (12 bits), followed by a recalculated CRC.]
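The tag layout in Figure 6 and the jumbo-frame budget from the VLANs overview (9,216-byte MTU, 18 bytes of header and CRC, tags counted inside the remaining 9,198 bytes) can be checked with a few bytes of code. The following is an added example, not code from the Lenovo guide or from N/OS: it builds an Ethernet frame with its FCS, inserts and strips an 802.1Q tag (TPID 0x8100, 3-bit priority, 1-bit flag, 12-bit VID) while recalculating the CRC, assigns a VLAN to an ingress frame from either its tag or the port PVID, and checks the result against the 9,216-byte limit. The `MAX_FRAME` constant is the figure quoted by the guide; the FCS is the standard CRC-32 used by Ethernet.

```python
"""802.1Q tag insertion/removal with FCS recalculation and a jumbo-frame size
check against the CN4093's 9,216-byte MTU. Added example, not Lenovo N/OS code."""
import struct
import zlib

TPID_8021Q = 0x8100
MAX_FRAME = 9216            # CN4093 MTU from the guide, header and CRC included
ETH_HDR, FCS_LEN, TAG_LEN = 14, 4, 4


def fcs(frame_without_fcs):
    """Ethernet FCS: CRC-32, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def check_fcs(frame):
    return len(frame) > FCS_LEN and fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def parse_tag(frame):
    """Return (priority, 1-bit flag, VID, inner EtherType), or None if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, inner


def add_tag(frame, vid, priority=0, flag=0):
    """Insert a tag after the source MAC (as the figure shows) and recompute the CRC."""
    if not check_fcs(frame):
        raise ValueError("bad FCS on input frame")
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094")
    tci = (priority << 13) | (flag << 12) | vid
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-FCS_LEN]
    return body + fcs(body)


def strip_tag(frame):
    """Remove the outer tag (what an untagged member port does on egress)."""
    if parse_tag(frame) is None:
        return frame
    body = frame[:12] + frame[12 + TAG_LEN:-FCS_LEN]
    return body + fcs(body)


def fits_mtu(frame):
    return len(frame) <= MAX_FRAME


def classify_ingress(frame, pvid):
    """Untagged frames are assigned the port's PVID; tagged frames keep their VID."""
    tag = parse_tag(frame)
    return pvid if tag is None else tag[2]
```

The size check is the practical lesson: a 9,198-byte untagged payload exactly fills the 9,216-byte frame, and adding one tag pushes it 4 bytes over the MTU, which is why the guide counts VLAN tags inside the 9,198 bytes rather than on top of them.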
VLAN Topologies and Design Considerations

- By default, the Lenovo N/OS software is configured so that tagging is disabled on all external ports and on all internal ports.
- By default, the Lenovo N/OS software is configured so that all internal ports are members of VLAN 1.
- By default, the Lenovo N/OS software is configured so that the management port is a member of the default management VLAN 4095. Multiple management VLANs can be configured on the switch, in addition to the default VLAN 4095, using the following commands:

    CN4093(config)# vlan <x>
    CN4093(config-vlan)# management

- When using Spanning Tree, STG 2-128 may contain only one VLAN unless Multiple Spanning-Tree Protocol (MSTP) mode is used. With MSTP mode, STG 1 to 32 can include multiple VLANs.

VLAN Configuration Rules

VLANs operate according to specific configuration rules. When creating VLANs, consider the following rules that determine how the configured VLAN reacts in any network topology:
- All ports involved in trunking and port mirroring must have the same VLAN configuration. If a port is on a trunk with a mirroring port, the VLAN configuration cannot be changed. For more information on trunk groups, see "Configuring a Static Port Trunk" on page 137.
- If a port is configured for port mirroring, the port's VLAN membership cannot be changed. For more information on configuring port mirroring, see "Port Mirroring" on page 531.
Component   Description
PC #4       A member of VLAN 3, this PC can only communicate with Server 1 and Server 2. The associated external switch port has tagging disabled.
PC #5       A member of both VLAN 1 and VLAN 2, this PC has a VLAN-tagging Gigabit Ethernet adapter installed. It can communicate with Server 2 and PC 3 via VLAN 1, and with Server 2, PC 1 and PC 2 via VLAN 2. The associated external switch port is a member of VLAN 1 and VLAN 2, and has tagging enabled.

Note: VLAN tagging is required only on ports that are connected to other CN4093s or on ports that connect to tag-capable end-stations, such as servers with VLAN-tagging adapters.
PVLAN Priority Levels

You can assign each PVLAN a priority value of 0-7, used for Quality of Service (QoS). PVLAN priority takes precedence over a port's configured priority level. If no priority level is configured for the PVLAN (priority = 0), each port's priority is used (if configured). All member ports of a PVLAN have the same PVLAN priority level.

PVLAN Tagging

When PVLAN tagging is enabled, the switch tags frames that match the PVLAN protocol. For more information about tagging, see "VLAN Tagging/Trunk Mode" on page 117.

Untagged ports must have PVLAN tagging disabled. Tagged ports can have PVLAN tagging either enabled or disabled.

PVLAN tagging has higher precedence than port-based tagging. If a port is tag enabled, and the port is a member of a PVLAN, the PVLAN tags egress frames that match the PVLAN protocol.

Use the tag-pvlan command (vlan <x> protocol-vlan <x> tag-pvlan <x>) to define the complete list of tag-enabled ports in the PVLAN. Note that all ports not included in the PVLAN tag list will have PVLAN tagging disabled.

PVLAN Configuration Guidelines

Consider the following guidelines when you configure protocol-based VLANs:
- Each port can support up to 16 VLAN protocols.
- The CN4093 can support up to 16 protocols simultaneously.
- Each PVLAN must have at least one port assigned before it can be activated.
- The same port within a port-based VLAN can belong to multiple PVLANs.
- An untagged port can be a member of multiple PVLANs.
- A port cannot be a member of different VLANs with the same protocol association.
Private VLANs

Private VLANs provide Layer 2 isolation between the ports within the same broadcast domain. Private VLANs can control traffic within a VLAN domain, and provide port-based security for host servers.

Lenovo N/OS supports Private VLAN configuration as described in RFC 5517.

Use Private VLANs to partition a VLAN domain into sub-domains. Each sub-domain is comprised of one primary VLAN and one secondary VLAN, as follows:
- Primary VLAN—carries unidirectional traffic downstream from promiscuous ports. Each Private VLAN has only one primary VLAN. All ports in the Private VLAN are members of the primary VLAN.
- Secondary VLAN—Secondary VLANs are internal to a private VLAN domain, and are defined as follows:
  - Isolated VLAN—carries unidirectional traffic upstream from the host servers toward ports in the primary VLAN. Each Private VLAN can contain only one Isolated VLAN.
  - Community VLAN—carries upstream traffic from ports in the community VLAN to other ports in the same community, and to ports in the primary VLAN. Each Private VLAN can contain multiple community VLANs.

After you define the primary VLAN and one or more secondary VLANs, you map the secondary VLAN(s) to the primary VLAN.

Private VLAN Ports

Private VLAN ports are defined as follows:
- Promiscuous—A promiscuous port is an external port that belongs to the primary VLAN. The promiscuous port can communicate with all the interfaces, including ports in the secondary VLANs (Isolated VLAN and Community VLANs).
- Isolated—An isolated port is a host port that belongs to an isolated VLAN. Each isolated port has complete layer 2 separation from other ports within the same private VLAN (including other isolated ports), except for the promiscuous ports.
...
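The isolation rules above decide which pairs of ports may exchange frames inside one private VLAN domain. The following added example (not code from the Lenovo guide or from N/OS) encodes those rules as a forwarding check, derives the set of ports a flooded frame from a given source would reach, and validates the structural constraints the text states (one isolated VLAN per private VLAN, secondary IDs distinct from the primary and from each other). The `PvlanPort` class and the `validate_pvlan` helper are constructions of this example.

```python
"""Private VLAN (RFC 5517 roles) forwarding check and configuration validation.
Added example, not Lenovo N/OS code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                        # "promiscuous", "isolated" or "community"
    community: Optional[int] = None  # community VLAN id for community ports


def pvlan_allows(src: PvlanPort, dst: PvlanPort) -> bool:
    """May a frame entering on src be delivered to dst inside the private VLAN?"""
    if src.role == "promiscuous" or dst.role == "promiscuous":
        # the primary VLAN reaches every port, and every secondary port may
        # send upstream toward the primary VLAN
        return True
    if src.role == "community" and dst.role == "community":
        # community members talk to each other only within the same community
        return src.community is not None and src.community == dst.community
    # isolated ports: complete L2 separation from all other host ports,
    # and community ports never reach isolated ports (or vice versa)
    return False


def flood_targets(src: PvlanPort, ports):
    """Ports a broadcast, multicast or unknown-unicast frame from src would reach."""
    return [p.name for p in ports if p is not src and pvlan_allows(src, p)]


def validate_pvlan(primary: int, isolated_ids, community_ids):
    """Return a list of rule violations for a primary / secondary VLAN mapping."""
    problems = []
    if len(isolated_ids) > 1:
        problems.append("a private VLAN may contain only one isolated VLAN")
    secondaries = list(isolated_ids) + list(community_ids)
    if primary in secondaries:
        problems.append("a secondary VLAN id equals the primary VLAN id")
    if len(set(secondaries)) != len(secondaries):
        problems.append("duplicate secondary VLAN id")
    return problems
```

`flood_targets` is the check to run when reviewing a host-isolation design: for an isolated server port it should return only the promiscuous (uplink) ports, and for a community port only its uplink plus its own community.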
Configuring Port Modes

The switch allows you to set the port mode. Select the port mode that fits your network configuration. Switch port modes are available based on the installation license. The following port modes are available:

Base Port mode:
- Fourteen 10Gb internal (1 port x 14 blade servers)
- Eight 10Gb external

Upgrade 1 Port mode:
- Twenty-eight 10Gb internal (2 ports x 14 blade servers)
- Eight 10Gb external
- Two 40Gb external

Upgrade 2 Port mode:
- Forty-two 10Gb internal (3 ports x 14 blade servers)
- Fourteen 10Gb external
- Two 40Gb external

Base Port mode is the default. To upgrade the port mode, you must obtain a software license key. The following command sequence is an example of how to upgrade the port mode (e.g. switch SN Y010CM2CN058):

    CN4093# software-key
    Enter hostname or IP address of SFTP/TFTP server: 9.44.143.105
    Enter name of file on SFTP/TFTP server: ...
Configuring QSFP+ Ports

QSFP+ ports support both 10GbE and 40GbE, as shown in Table 16.

Table 16. QSFP+ Port Numbering

Physical Port Number   40GbE mode   10GbE mode
Port EXT3              Port EXT3    Ports EXT3-EXT6
Port EXT7              Port EXT7    Ports EXT7-EXT10

QSFP+ ports are available only when Upgrade 1 is installed (see "Configuring Port Modes" on page 132).

The following procedure allows you to change the QSFP+ port mode.

1. Display the current port mode for the QSFP+ ports.

    CN4093# show boot qsfp-port-modes
    QSFP ports booted configuration:
      Port EXT3, EXT4, EXT5, EXT6   - 10G Mode
      Port EXT7, EXT8, EXT9, EXT10  - 10G Mode
    QSFP ports saved configuration:
      Port EXT3, EXT4, EXT5, EXT6   - 10G Mode
      Port EXT7, EXT8, EXT9, EXT10  - 10G Mode

2. Change the port mode to 40GbE. Select the physical port number.

    CN4093(config)# boot qsfp-40Gports ext3

3. Verify the change.

    CN4093# show boot qsfp-port-modes
    QSFP ports booted configuration:
      Port EXT3, EXT4, EXT5, EXT6   - 10G Mode
      Port EXT7, EXT8, EXT9, EXT10  - 10G Mode
    QSFP ports saved configuration:
      Port EXT3                     - 40G Mode
      Port EXT7, EXT8, EXT9, EXT10  - 10G Mode

4.
Static Trunks

Before Configuring Static Trunks

When you create and enable a static trunk, the trunk members (switch ports) take on certain settings necessary for correct operation of the trunking feature. Before you configure your trunk, you must consider these settings, along with specific configuration rules, as follows:
- Read the configuration rules provided in the section "Static Trunk Group Configuration Rules" on page 136.
- Determine which switch ports are to become trunk members (the specific ports making up the trunk).
- Ensure that the chosen switch ports are set to enabled.
- Ensure all member ports in a trunk have the same VLAN configuration.
- Consider how the existing Spanning Tree will react to the new trunk configuration. See "Spanning Tree Protocols" on page 145 for configuration guidelines.
- Consider how existing VLANs will be affected by the addition of a trunk.

Static Trunk Group Configuration Rules

The trunking feature operates according to specific configuration rules. When creating trunks, consider the following rules that determine how a trunk group reacts in any network topology:
- All trunks must originate from one network entity (a single device, or multiple devices acting in a stack) and lead to one destination entity. For example, you cannot combine links from two different servers into one trunk group.
...
1. Connect the switch ports that will be members in the trunk group.
2. Configure the trunk using these steps on the CN4093:
   a. Define a trunk group.

        CN4093(config)# portchannel 1 port ext1,ext2,ext3    (Add ports to trunk group 1)
        CN4093(config)# portchannel 1 enable

   b. Verify the configuration.

        CN4093(config)# show portchannel information

      Examine the resulting information. If any settings are incorrect, make appropriate changes.
3. Repeat the process on the other switch.

        CN4093(config)# portchannel 3 port 2,12,22
        CN4093(config)# portchannel 3 enable

Trunk group 1 (on the CN4093) is now connected to trunk group 3 on the Application Switch.

Note: In this example, a CN4093 and an application switch are used. If a third-party device supporting link aggregation is used (such as Cisco routers and switches with EtherChannel technology or Sun's Quad Fast Ethernet Adapter), trunk groups on the third-party device should be configured manually.
- Ingress port number (disabled by default)

    CN4093(config)# portchannel thash ingress

- Layer 4 port information (disabled by default)

    CN4093(config)# portchannel thash l4port

  When enabled, Layer 4 port information (TCP, UDP, etc.) is added to the hash if available. The l4port option is ignored when Layer 4 information is not included in the packet (such as for Layer 2 packets), or when the useL2 option is enabled.

Note: For MPLS packets, Layer 4 port information is excluded from the hash calculation. Instead, other IP fields are used, along with the first two MPLS labels.

The CN4093 supports the following FCoE hashing options:

    CN4093(config)# portchannel thash fcoe cntagid
    CN4093(config)# portchannel thash fcoe destinationid
    CN4093(config)# portchannel thash fcoe fabricid
    CN4093(config)# portchannel thash fcoe originatorid
    CN4093(config)# portchannel thash fcoe responderid...
The CN4093 supports up to 64 LACP trunks, each with up to 16 ports.

Note: LACP implementation in Lenovo N/OS does not support the Churn machine, an option used to detect if the port is operable within a bounded time period between the actor and the partner. Only the Marker Responder is implemented, and there is no marker protocol generator.
To avoid the Actor switch ports (with the same admin key) from aggregating in another trunk group, you can configure a trunk ID. Ports with the same admin key (although with different LAG IDs) compete to get aggregated in a trunk group. The LAG ID for the trunk group is decided based on the first port that is aggregated in the group. Ports with this LAG ID get aggregated and the other ports are placed in suspended mode. As per the configuration shown in Table 17, if port 38 gets aggregated first, then the LAG ID of port 38 would be the LAG ID of the trunk. Port 40 would be placed in suspended mode. When in suspended mode, a port transmits only LACP data units (LACPDUs) and discards all other traffic.

A port may also be placed in suspended mode for the following reasons:
- When LACP is configured on the port but it stops receiving LACPDUs from the partner switch.
- When the port has a different LAG ID because of the partner switch MAC being different. For example: when a switch is connected to two partners.

Trunk ID can be configured using the following command:

    CN4093(config)# portchannel <65-128> lacp key <adminkey of the LAG>

LACP provides for the controlled addition and removal of physical links for the link aggregation. Each port in the CN4093 can have one of the following LACP modes.

off (default)
    The user can configure this port into a regular static trunk group.

active
    The port is capable of forming an LACP trunk. This port sends LACPDU packets to partner system ports.

passive
    The port is capable of forming an LACP trunk. This port only responds to the LACPDU packets sent from an LACP active port.

Each active LACP port transmits LACP data units (LACPDUs), while each passive LACP port listens for LACPDUs. During LACP negotiation, the admin key is exchanged. The LACP trunk group is enabled as long as the information matches at both ends of the link.
If the admin key value changes for a port at either end of the link, that port’s association with the LACP trunk group is lost. If an LACP group member port is connected to a port that is in LACP off mode, the LACP port will not be able to converge and the link goes down. When the system is initialized, all ports by default are in LACP off mode and are ...
Configuring LACP

Use the following procedure to configure LACP for ports 7, 8, and 9 to participate in a single link aggregation.

1. Configure port parameters. All ports that participate in the LACP trunk group must have the same settings, including VLAN membership.

2. Select the port range and define the admin key. Only ports with the same admin key can form an LACP trunk group.

CN4093(config)# interface port 7-9
CN4093(config-if)# lacp key 100

3. Set the LACP mode.

CN4093(config-if)# lacp mode active

4. Optionally, allow member ports to individually participate in normal data traffic if no LACPDUs are received.

CN4093(config-if)# no lacp suspend-individual
CN4093(config-if)# exit

5. Set the link aggregation as static by associating it with trunk ID 65 (this is entered in global configuration mode, after leaving the interface):

CN4093(config)# portchannel 65 lacp key 100
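The aggregation and suspension rules above (same admin key, first aggregated port fixes the LAG ID, suspension when the partner MAC differs or no LACPDUs arrive, link down against an LACP-off partner) are easy to misread, so here is a small model of them. This is an added example and not Lenovo N/OS code; it assumes that ports are considered in port-number order, that the partner's LACP mode is known, and uses constructed partner MAC addresses. It reuses ports 7-9, admin key 100 and trunk ID 65 from the procedure.

```python
"""Model of the LACP aggregation rules described above.

Added example, not Lenovo N/OS code: it imitates how ports with the same
admin key compete for a trunk, how the first aggregated port fixes the
LAG ID (partner system MAC), and when a port is suspended or goes down.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_PORTS_PER_TRUNK = 16  # limit stated for the CN4093


@dataclass
class Port:
    number: int
    mode: str = "off"                   # off | active | passive
    admin_key: Optional[int] = None
    partner_mode: str = "off"           # LACP mode at the far end (assumed known)
    partner_mac: Optional[str] = None   # partner system ID carried in its LACPDUs
    suspend_individual: bool = True     # default; "no lacp suspend-individual" clears it
    state: str = "individual"           # individual | aggregated | suspended | down


@dataclass
class Trunk:
    trunk_id: int                       # 65-128
    admin_key: int
    lag_id: Optional[str] = None        # set by the first port that aggregates
    members: List[int] = field(default_factory=list)


def receives_lacpdus(port: Port) -> bool:
    """LACPDUs arrive if the partner is active, or is passive and we are active."""
    if port.partner_mode == "active":
        return True
    return port.partner_mode == "passive" and port.mode == "active"


def aggregate(ports: List[Port], trunks: List[Trunk]) -> List[Trunk]:
    """Assign each LACP port to the trunk bound to its admin key, or suspend it."""
    by_key = {t.admin_key: t for t in trunks}
    for port in sorted(ports, key=lambda p: p.number):   # aggregation order assumed = port order
        if port.mode == "off" or port.admin_key not in by_key:
            port.state = "individual"       # static/regular port, LACP not involved
            continue
        if port.partner_mode == "off":
            port.state = "down"             # LACP cannot converge against an LACP-off partner
            continue
        if not receives_lacpdus(port):
            # No LACPDUs: suspended by default, an individual port if suspend-individual is off
            port.state = "suspended" if port.suspend_individual else "individual"
            continue
        trunk = by_key[port.admin_key]
        if trunk.lag_id is None:
            trunk.lag_id = port.partner_mac  # first port to aggregate decides the LAG ID
        if port.partner_mac == trunk.lag_id and len(trunk.members) < MAX_PORTS_PER_TRUNK:
            trunk.members.append(port.number)
            port.state = "aggregated"
        else:
            port.state = "suspended"        # other partner (or trunk full): LACPDUs only
    return trunks


def demo():
    """Ports 7-9 from the procedure above plus two ports showing the failure modes.
    Partner MACs are constructed values."""
    ports = [
        Port(7, "active", 100, "active", "00:11:22:33:44:01"),
        Port(8, "active", 100, "passive", "00:11:22:33:44:01"),
        Port(9, "active", 100, "active", "00:11:22:33:44:02"),    # cabled to a second partner
        Port(10, "passive", 100, "passive", "00:11:22:33:44:01"), # both passive: no LACPDUs
        Port(11, "active", 100, "off", "00:11:22:33:44:01"),      # partner is LACP off
    ]
    trunks = aggregate(ports, [Trunk(65, 100)])
    return trunks[0], {p.number: p.state for p in ports}


if __name__ == "__main__":
    trunk, states = demo()
    print("trunk", trunk.trunk_id, "LAG ID", trunk.lag_id, "members", trunk.members)
    print(states)
```

Port 9 is the "connected to two partners" case: its admin key matches, but its partner MAC differs from the LAG ID fixed by port 7, so it is suspended rather than forming a second trunk.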
(Globally disable Spanning Tree)

Spanning Tree can be re-enabled by specifying the STP mode:

CN4093(config)# spanning-tree mode {pvrst|rstp|mst}

PVRST Mode

Note: Per-VLAN Rapid Spanning Tree (PVRST) is enabled by default on the CN4093.

Using STP, network devices detect and eliminate logical loops in a bridged or switched network. When multiple paths exist, Spanning Tree configures the network so that a switch uses only the most efficient path. If that path fails, Spanning Tree automatically sets up another active path on the network to sustain network operations.

Lenovo N/OS PVRST mode is based on IEEE 802.1w RSTP. Like RSTP, PVRST mode provides rapid Spanning Tree convergence. However, PVRST mode is enhanced for multiple instances of Spanning Tree. In PVRST mode, each VLAN may be automatically or manually assigned to one of 127 available STGs, with each STG acting as an independent, simultaneous instance of STP. PVRST uses IEEE 802.1Q tagging to differentiate STP BPDUs and is compatible with Cisco R-PVST/R-PVST+ modes.

The relationship between ports, trunk groups, VLANs, and Spanning Trees is shown in Table 18.

Table 18. Ports, Trunk Groups, and VLANs
Switch Element...
Port Priority

The port priority helps determine which bridge port becomes the root port or the designated port. It decides the root port when two switches are connected by two or more links with the same path cost, and it decides the designated port when several bridge ports with the same path cost connect to a single segment: the port with the lowest port priority value becomes the designated port for the segment.

Use the following commands to configure the port priority:

CN4093(config)# interface port <x>
CN4093(config-if)# spanning-tree stp <STG> priority <port priority>

where the priority value is a number from 0 to 240, in increments of 16 (such as 0, 16, 32, and so on). If the specified priority value is not evenly divisible by 16, the value is automatically rounded down to the nearest valid increment whenever it is changed manually in the configuration.

Root Guard

The root guard feature provides a way to enforce the root bridge placement in the network. It keeps a new device from becoming root and thereby forcing STP re-convergence. If a root-guard enabled port receives superior BPDUs from a device claiming to be root, that port is placed in a blocked state.

You can configure root guard at the port level using the following commands:

CN4093(config)# interface port <port number>
CN4093(config-if)# spanning-tree guard root

The default state is none (disabled).

Loop Guard

In general, STP resolves redundant network topologies into loop-free topologies. The loop guard feature performs additional checking to detect loops that might not be found using Spanning Tree alone. STP loop guard ensures that a non-designated port does not become a designated port.
To globally enable loop guard, enter the following command:

CN4093(config)# spanning-tree loopguard

Note: The global loop guard command is effective on a port only if the port-level loop guard command is left at its default, as shown below:

CN4093(config-if)# spanning-tree guard loop none

To enable loop guard at the port level, enter the following command:...
To prevent a network loop among the switches, STP must block one of the links between them. In this case, it is desired that STP block the link between the blade switches, and not one of the CN4093 uplinks or the Enterprise switch trunk. During operation, if one CN4093 experiences an uplink failure, STP activates the switch-to-switch link so that server traffic on the affected CN4093 may pass through to the active uplink on the other CN4093, as shown in Figure 12.

Figure 12. Spanning Tree Restoring the Switch-to-Switch Link (diagram: Enterprise Routing Switches above Switch 1 and Switch 2; an uplink failure on one switch restores the switch-to-switch link; servers attached below each switch)

In this example, port 10 on each switch is used for the switch-to-switch link. To ensure that the CN4093 switch-to-switch link is blocked during normal operation, the port path cost is set to a higher value than other paths in the network. To configure the port path cost on the switch-to-switch links in this example, use the following commands on each switch:

CN4093(config)# interface port 10
CN4093(config-if)# spanning-tree stp 1 path-cost 60000
CN4093(config-if)# exit
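The reason the path cost has to be raised, rather than relying on the default, is clearer when the port roles are computed. The following is an added example, not Lenovo code: a minimal RSTP role computation (root port, designated port, alternate/blocked port) over the two-switch topology of Figure 12. It assumes port costs of 2000 for a 10Gb link and 20000 for a 1Gb link (the IEEE 802.1D-2004 recommended values), gives Switch 2 the slower uplink so that the default cost produces the wrong blocking decision, and makes the Enterprise switch root by giving it the lowest bridge priority. Bridge names are constructed.

```python
"""Root path cost and port roles for the two-switch topology above.

Added example, not Lenovo code: shows why the switch-to-switch link is given
a path cost of 60000. Costs of 2000 (10Gb) and 20000 (1Gb) are assumed.
"""
import heapq
from typing import Dict, List, Tuple

Link = Tuple[str, str, int]   # (bridge A, bridge B, path cost used on both ends)


def stp_roles(priorities: Dict[str, int], links: List[Link]) -> Dict[Tuple[str, str], str]:
    """Return {(bridge, neighbour): 'root' | 'designated' | 'alternate'} for every port."""
    adj: Dict[str, Dict[str, int]] = {b: {} for b in priorities}
    for a, b, cost in links:
        adj[a][b] = cost
        adj[b][a] = cost
    bridge_id = {b: (priorities[b], b) for b in priorities}   # priority, then name as tie-break
    root = min(priorities, key=lambda b: bridge_id[b])

    # Root path cost: shortest path from the root over port costs (Dijkstra).
    rpc: Dict[str, float] = {b: float("inf") for b in priorities}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        d, b = heapq.heappop(heap)
        if d > rpc[b]:
            continue
        for n, cost in adj[b].items():
            if d + cost < rpc[n]:
                rpc[n] = d + cost
                heapq.heappush(heap, (rpc[n], n))

    roles: Dict[Tuple[str, str], str] = {}
    for b in priorities:
        if b == root or not adj[b]:
            continue
        # Root port: lowest root path cost via that neighbour, then lowest neighbour bridge ID.
        root_port = min(adj[b], key=lambda n: (rpc[n] + adj[b][n], bridge_id[n]))
        roles[(b, root_port)] = "root"
    for a, b, _ in links:
        # Designated end of a segment: lower root path cost, then lower bridge ID.
        designated = min((a, b), key=lambda x: (rpc[x], bridge_id[x]))
        other = b if designated == a else a
        roles[(designated, other)] = "designated"
        roles.setdefault((other, designated), "alternate")   # neither root nor designated: blocked
    return roles


def scenario(inter_switch_cost: int, sw1_uplink_up: bool = True) -> Dict[Tuple[str, str], str]:
    """Enterprise switch as root; Switch 1 has a 10Gb uplink, Switch 2 a 1Gb uplink (assumed)."""
    priorities = {"enterprise": 4096, "switch1": 32768, "switch2": 32768}
    links: List[Link] = [("switch2", "enterprise", 20000), ("switch1", "switch2", inter_switch_cost)]
    if sw1_uplink_up:
        links.append(("switch1", "enterprise", 2000))
    return stp_roles(priorities, links)


if __name__ == "__main__":
    print("default cost 2000:", scenario(2000))        # Switch 2 blocks its own uplink
    print("path-cost 60000:", scenario(60000))         # switch-to-switch link is blocked
    print("uplink failure:", scenario(60000, False))   # switch-to-switch link carries traffic
```

With the default cost, Switch 2 reaches the root more cheaply through Switch 1 than through its own slow uplink, so STP blocks the uplink, which is exactly what the text says must not happen; with port 10 at 60000 the switch-to-switch link is the alternate port, and it becomes Switch 1's root port only once its uplink is gone.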
VLAN and STG Assignment

In PVRST mode, up to 128 STGs are supported. Ports cannot be added directly to an STG. Instead, ports must be added as members of a VLAN, and the VLAN must then be assigned to the STG.

STG 1 is the default STG. Although VLANs can be added to or deleted from default STG 1, the STG itself cannot be deleted from the system. By default, STG 1 is enabled and includes VLAN 1, which by default includes all switch ports (except for management VLANs and management ports).

STG 128 is reserved for switch management. By default, STG 128 is disabled, but includes management VLAN 4095 and the management ports.

By default, all other STGs (STG 2 through 127) are enabled, though they initially include no member VLANs. VLANs must be assigned to STGs. By default, this is done automatically using VLAN Automatic STG Assignment (VASA), though it can also be done manually (see "Manually Assigning STGs" on page 153).

When VASA is enabled (as by default), each time a new VLAN is configured, the switch automatically assigns that new VLAN to its own STG. Conversely, when a VLAN is deleted, if its STG is not associated with any other VLAN, the STG is returned to the available pool.

The specific STG number to which the VLAN is assigned is based on the VLAN number itself. For low VLAN numbers (1 through 127), the switch attempts to assign the VLAN to its matching STG number. For higher-numbered VLANs, the STG assignment is based on a simple modulus calculation; the attempted STG number "wraps around," starting back at the top of the STG list each time the end of the list is reached. However, if the attempted STG is already in use, the switch selects the next available STG. If no empty STG is available when creating a new VLAN, the VLAN is automatically assigned to default STG 1.

If ports are tagged, each tagged port sends out a special BPDU containing the tagging information. Also, when a tagged port belongs to more than one STG, the egress BPDUs are tagged to distinguish the BPDUs of one STG from those of another STG.

VASA is enabled by default, but can be disabled or re-enabled using the following command:

CN4093(config)# [no] spanning-tree stg-auto

If VASA is disabled, when you create a new VLAN, that VLAN automatically belongs to default STG 1. To place the VLAN in a different STG, assign it manually. VASA applies only to PVRST mode and is ignored in RSTP and MSTP modes.
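The assignment rules above (matching STG for VLANs 1-127, modulus wrap-around for higher VLANs, next free STG on collision, fall back to STG 1 when all are taken, STG returned to the pool on VLAN deletion, STG 1 for everything when VASA is off) are worth seeing as one algorithm. The following is an added example and not Lenovo N/OS code. The page does not state the modulus exactly; the formula ((vlan - 1) % 127) + 1, under which VLAN 128 wraps to STG 1 and VLAN 129 to STG 2, is an assumption, and STG 128 is excluded as the reserved management STG.

```python
"""VLAN Automatic STG Assignment (VASA) as described above.

Added example, not Lenovo N/OS code. The exact wrap-around formula,
((vlan - 1) % 127) + 1, is an assumption; STG 128 is reserved for
management and is never a candidate.
"""
from typing import Dict, Optional

DEFAULT_STG = 1
DATA_STGS = 127           # STGs 1-127 are available to data VLANs; STG 128 is reserved


class StgTable:
    def __init__(self, vasa_enabled: bool = True):
        self.vasa_enabled = vasa_enabled
        self.vlan_to_stg: Dict[int, int] = {1: DEFAULT_STG}   # VLAN 1 lives in STG 1 by default

    def in_use(self, stg: int) -> bool:
        return stg in self.vlan_to_stg.values()

    def attempted_stg(self, vlan: int) -> int:
        """Assumed modulus: VLANs 1-127 map to themselves, 128 wraps to STG 1, 129 to 2, ..."""
        return ((vlan - 1) % DATA_STGS) + 1

    def create_vlan(self, vlan: int) -> int:
        """Create a VLAN and return the STG it was assigned to."""
        if vlan in self.vlan_to_stg:
            return self.vlan_to_stg[vlan]
        stg = DEFAULT_STG                                   # VASA off, or no empty STG left
        if self.vasa_enabled:
            start = self.attempted_stg(vlan)
            for offset in range(DATA_STGS):                 # walk forward, wrapping 127 -> 1
                candidate = ((start - 1 + offset) % DATA_STGS) + 1
                if not self.in_use(candidate):              # STG 1 always holds VLAN 1, so is skipped
                    stg = candidate
                    break
        self.vlan_to_stg[vlan] = stg
        return stg

    def delete_vlan(self, vlan: int) -> Optional[int]:
        """Remove the VLAN; return the STG number if it became empty (returned to the pool)."""
        stg = self.vlan_to_stg.pop(vlan)
        return None if self.in_use(stg) else stg

    def assign_manually(self, vlan: int, stg: int) -> None:
        """Manual assignment, used when VASA is disabled or to override its choice."""
        if not 1 <= stg <= DATA_STGS:
            raise ValueError("STG 128 is reserved for management")
        self.vlan_to_stg[vlan] = stg


if __name__ == "__main__":
    table = StgTable()
    for vlan in (2, 3, 129, 255):
        print("VLAN", vlan, "-> STG", table.create_vlan(vlan))
    print("deleting VLAN 129 frees STG", table.delete_vlan(129))
```

VLAN 129 wraps to STG 2, finds 2 and 3 taken and lands in STG 4; deleting it frees STG 4 again, which is why `delete_vlan` reports the freed STG only when no other VLAN still shares it.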
Adding and Removing Ports from STGs

When you add a port to a VLAN that belongs to an STG, the port is also added to that STG. However, if the port you are adding is an untagged port and is already a member of another STG, that port is removed from its current STG and added to the new STG. An untagged port cannot belong to more than one STG.

For example: assume that VLAN 1 belongs to STG 1, and that port 1 is untagged and does not belong to any STG. When you add port 1 to VLAN 1, port 1 automatically becomes part of STG 1. However, if port 5 is untagged and is a member of VLAN 3 in STG 2, then adding port 5 to VLAN 1 in STG 1 does not automatically add the port to STG 1. Instead, the switch prompts you to decide whether to change the PVID from 3 to 1:

"Port 5 is an UNTAGGED/Access Mode port and its current PVID/Native VLAN is 3. Confirm changing PVID/Native VLAN from 3 to 1 [y/n]:" y

When you remove a port from a VLAN that belongs to an STG, that port is also removed from the STG. However, if that port belongs to another VLAN in the same STG, the port remains in the STG.

As an example, assume that port 2 belongs only to VLAN 2, and that VLAN 2 belongs to STG 2. When you remove port 2 from VLAN 2, the port is moved to default VLAN 1 and is removed from STG 2. However, if port 2 belongs to both VLAN 1 and VLAN 2, and both VLANs belong to STG 1, removing port 2 from VLAN 2 does not remove port 2 from STG 1, because the port is still a member of VLAN 1, which is still a member of STG 1.

An STG cannot be deleted, only disabled. If you disable an STG while it still contains VLAN members, Spanning Tree is off on all ports belonging to those VLANs.

The relationship between ports, trunk groups, VLANs, and Spanning Trees is shown in Table 18 on page 146.
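The membership rules in this section all follow from one principle: a port's STGs are exactly the STGs of the VLANs it belongs to. The model below is an added example, not Lenovo N/OS code, and walks through the port 1, port 5 and port 2 cases from the text. It assumes that an untagged port holds exactly one VLAN (its PVID), that the confirmation prompt is only raised when the new VLAN's STG differs from the old one, and that a port removed from its last VLAN returns to VLAN 1; the `confirm` callback stands in for the operator's y/n answer.

```python
"""Port membership in STGs derived from VLAN membership, as described above.

Added example, not Lenovo N/OS code: a port's STGs are the STGs of its VLANs.
Untagged ports hold one VLAN (their PVID), so moving one into a VLAN of another
STG requires the confirmation the switch prompts for; tagged ports may sit in
several VLANs and therefore several STGs.
"""
from typing import Callable, Dict, List, Set

DEFAULT_VLAN = 1


class StgMembership:
    def __init__(self, vlan_to_stg: Dict[int, int]):
        self.vlan_to_stg = dict(vlan_to_stg)
        self.members: Dict[int, Set[int]] = {v: set() for v in vlan_to_stg}  # vlan -> ports
        self.disabled_stgs: Set[int] = set()

    def vlans_of(self, port: int) -> List[int]:
        return sorted(v for v, ports in self.members.items() if port in ports)

    def stgs_of(self, port: int) -> List[int]:
        """An untagged port ends up in one STG; a tagged port in one per distinct VLAN STG."""
        return sorted({self.vlan_to_stg[v] for v in self.vlans_of(port)})

    def add_port(self, port: int, vlan: int, tagged: bool = False,
                 confirm: Callable[[int, int], bool] = lambda old, new: True) -> bool:
        """Add a port to a VLAN; returns False if the operator declined the PVID change."""
        if tagged:
            self.members[vlan].add(port)          # joins that VLAN's STG, keeps its others
            return True
        current = self.vlans_of(port)
        if current:                               # untagged port already has a PVID
            old = current[0]
            if self.vlan_to_stg[old] != self.vlan_to_stg[vlan] and not confirm(old, vlan):
                return False                      # answered 'n': nothing changes
            self.members[old].discard(port)       # leaves the old VLAN, hence the old STG
        self.members[vlan].add(port)
        return True

    def remove_port(self, port: int, vlan: int) -> None:
        self.members[vlan].discard(port)
        if not self.vlans_of(port):               # last VLAN gone: back to the default VLAN
            self.members[DEFAULT_VLAN].add(port)

    def disable_stg(self, stg: int) -> None:
        self.disabled_stgs.add(stg)               # STGs cannot be deleted, only disabled

    def stp_active(self, port: int) -> bool:
        """False when every STG the port belongs to has been disabled."""
        return any(s not in self.disabled_stgs for s in self.stgs_of(port))


if __name__ == "__main__":
    sw = StgMembership({1: 1, 2: 2, 3: 2})        # VLAN 1 in STG 1, VLANs 2 and 3 in STG 2
    sw.add_port(1, 1)
    sw.add_port(5, 3)
    moved = sw.add_port(5, 1, confirm=lambda old, new: input(
        f"Confirm changing PVID/Native VLAN from {old} to {new} [y/n]: ").lower() == "y")
    print("port 5 moved:", moved, "STGs:", sw.stgs_of(5))
    sw.add_port(2, 2)
    sw.remove_port(2, 2)
    print("port 2 VLANs:", sw.vlans_of(2), "STGs:", sw.stgs_of(2))
```

Answering "n" to the prompt leaves port 5 in VLAN 3 and STG 2; answering "y" moves it to VLAN 1 and STG 1, and it is never in both. Removing port 2 from VLAN 2 drops it back to VLAN 1, which is why it also leaves STG 2.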