NetApp CN1610 Administrator's Manual


NetApp® CN1610 Switch
Administrator's Guide
NetApp, Inc.
495 East Java Drive
Sunnyvale, CA 94089 U.S.A.
Telephone: +1 (408) 822-6000
Fax: +1 (408) 822-4501
Support telephone: +1 (888) 4-NETAPP
Documentation comments: doccomments@netapp.com
Information Web:
www.netapp.com
Part number: 215-06287_C0
March 2015


Summary of Contents for NetApp CN1610

  • Page 2: Copyright Information

    NetApp assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by NetApp. The use or purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of NetApp.
  • Page 3 SureStream are trademarks of RealNetworks, Inc. in the U.S.A. and/or other countries. All other brands or products are trademarks or registered trademarks of their respective holders and should be treated as such. NetApp, Inc. is a licensee of the CompactFlash and CF Logo trademarks. NetApp, Inc. NetCache is certified RealSystem compatible.
  • Page 5: Table Of Contents

    Table of Contents Chapter 1 About This Document ......1 Chapter 2 Switch Administration .
  • Page 6 IGMP snooping ....... . . 64 Jumbo frames ........67 Port mirroring.
  • Page 7 IEEE 802.1X ........138 SSH ........146 RADIUS .
  • Page 9: Chapter 1 About This Document

    About This Document Purpose This guide provides examples of how to use the NetApp® CN1610 cluster network switch in a typical network. This document describes the switch features and includes information about using the command-line interface (CLI) to configure them.
  • Page 11: Chapter 2 Switch Administration

    Switch Administration About this chapter This chapter provides information about administering the switch, including using the command-line interface (CLI), configuring basic switch settings, and managing the system configuration files. Topics in this chapter This chapter includes the following topics: ◆ “CLI quick start”...
  • Page 12: Cli Quick Start

    CLI quick start About this section This section provides a brief introduction to using the CLI. Note For detailed information about CLI commands, see the CN1610 Network Switch CLI Command Reference. Connecting to the To begin using the CLI, follow these steps: 1.
  • Page 13: Entering Commands

    In Interface Config mode, you can enter commands to configure the specified interface. Note See the CN1610 Network Switch CLI Command Reference for a list of all command modes and instructions on entering them. Using the no form of a command The no keyword is a specific form of an existing command and does not represent a new or distinct command.
  • Page 14: Switch Management Interfaces

    Switch management interfaces Overview The switch can be managed by using a command-line interface (CLI) or SNMP. You can use any of the following methods to access the CLI: ◆ A serial connection through the console port using a terminal emulator. ◆...
  • Page 15 show serviceport Displays IP and other configuration information for the service port. For more information on the BOOTP/DHCP commands, see the CN1610 Network Switch CLI Command Reference. Configuration: The following commands change the protocol for the network interface from the...
  • Page 16 The following commands change the network protocol for the service port to none and configure static IP information for the port: (CN1610) # serviceport protocol none (CN1610) # serviceport ip 10.17.21.4 255.255.255.0 10.17.21.1
  • Page 17: Ipv6 Management

    For SNMP, the switch supports the IPv6 MIB, the ICMPv6 MIB, and private MIB extensions. The CN1610 switch supports router advertisement as an integral part of IPv6. Numerous options are available, including stateless/stateful address configuration, router and address lifetimes, and neighbor discovery timer control.
  • Page 18 show network ndp Displays NDP cache information for the network port. For more information on the IPv6 management commands, see the CN1610 Network Switch CLI Command Reference. Configuration: The following example enables IPv6 management and configures the network...
  • Page 19: Command Line Logging

    Command line logging is disabled by default. Configuration example: The following example enables command logging: (CN1610) # config (CN1610) (Config)# logging cli-command The following is an example CLI log message for the user admin: <5> JAN 01 00:01:35 0.0.0.0-1 UNKN[54373024]: cmd_logger_api.c(93) 20 % CLI:<connectionID>:<userID>:show vlan-assist-mac-learn all If this feature is enabled, commands are logged immediately after the user is authenticated.
  • Page 20: File Management

    File management Overview The switch FASTPATH software has a user-accessible file system to manage the various files needed for its operation. The file system contains the application software files and a configuration file that is restored each time the switch boots. This section includes the following topics: ◆...
  • Page 21: Configuration Files And Scripts

    File management Configuration files and scripts Overview Switch operation is controlled by a configuration file, which stores the value of the parameters and settings to be applied to the device as a whole, and to each port in particular. The configuration file, which is loaded from flash into RAM when the switch boots, directs and controls the function of various features.
  • Page 22 ◆ Backup configuration file: The system supports an additional backup file in flash memory, which enables keeping a copy of the startup or running configuration file either for fault-protection purposes or as a way to maintain a previous version of the file. ◆...
  • Page 23 script show Displays the contents of a specified script file. For more information on configuration file commands, see the CN1610 Network Switch CLI Command Reference. Configuration examples: The following examples show how to copy configuration files among the various file types, upload files to a server, and download and apply scripts.
  • Page 24 File copy: The following command copies the startup configuration file in NVRAM to the backup configuration file: (CN1610) #copy nvram:startup-config nvram:backup-config File uploads: The following command copies the startup configuration file in NVRAM to a location on a TFTP server: (CN1610) #copy nvram:startup-config tftp://10.27.24.49/configs/oct-2010/abc.scr...
  • Page 25 (CN1610) #show running-config running-config.scr Config script created successfully. The following command uploads a configuration script to a TFTP server: (CN1610) #copy nvram:script abc.scr tftp://10.27.64.141/abc.scr Mode........... TFTP Set TFTP Server IP......10.27.64.141 TFTP Path......../ TFTP Filename........abc.scr Data Type........Config Script Source Filename........
  • Page 26 (CN1610) #script validate abc.scr ip address dhcp username "admin" password 16d7a4fca7442dda3ad93c9a726597e4 level 15 encrypted exit Configuration script 'abc.scr' validated. (CN1610) #script apply abc.scr Are you sure you want to apply the configuration script? (y/n)y ip address dhcp username "admin" password 16d7a4fca7442dda3ad93c9a726597e4 level 15 encrypted exit Configuration script 'abc.scr' applied.
  • Page 27: File Uploads And Downloads

    File management File uploads and downloads Feature overview The CN1610 switch supports uploading and downloading the following file types to the switch: ◆ Code ◆ Configuration ◆ Text configuration ◆ SSH keys and certificates ◆ CLI banner file The following protocols can be used for uploads or downloads: ◆...
  • Page 28 SCP and SFTP The CN1610 switch supports Secure Copy (SCP) and Secure FTP (SFTP) as secure methods of file transfer. XMODEM The CN1610 switch supports using the XMODEM protocol to transfer operational code, configuration files, and logs over the serial port. The switch supports both the XMODEM standard mode and the XMODEM-1K mode.
  • Page 29 (CN1610) #copy nvram:active tftp://10.27.64.141/fw_2011_08_11a (CN1610) #copy nvram:backup tftp://10.27.64.141/fw_2011_08_11b
  • Page 30: Dual Image Support

    Dual image support Feature overview Up to two software images and two configuration files can be saved on the flash file system. This allows the user to upgrade the system, while leaving the possibility of reverting to a previous software version or configuration file. Images: One image is designated to be the active image, and the other image is designated to be the backup image.
  • Page 31 For more information on the commands to configure the dual image feature, see the CN1610 Network Switch CLI Command Reference. Configuration example: The following commands add a description to the backup image, and configure it to be the active image the next time the switch boots:...
  • Page 32: Snmp

    SNMP Feature overview You can use SNMP to configure the switch, view settings and statistics, and upload or download code or configuration images. The SNMP agent on the switch supports an incoming get-bulk operation to reduce network management traffic when retrieving a sequence of Management Information Base (MIB) variables and an elaborate set of error codes for improved reporting to the network control station.
  • Page 33 Command Description show sysinfo Displays the supported MIBs. For more information on SNMP commands, see the CN1610 Network Switch CLI Command Reference. Configuration example: The following example configures an SNMP community named admingroup1. It specifies the IP address and masks of the community, the read/write access level,...
  • Page 34: User Management

    User management Feature overview You can control access to the switch management interface by creating user login names and configuring authentication methods. Users can be configured locally or on a remote authentication server (RAS), and can be assigned read-only and read-write access privileges. This enables you to configure some users to be able to monitor switch status without being able to modify the configuration.
  • Page 35 show users accounts Displays the local user status with respect to user account lockout and password aging. For more information on the user management commands, see the CN1610 Network Switch CLI Command Reference. Configuration: Authentication: The following example configures the default types of...
  • Page 36: Logs And Syslog

    Logs and Syslog Feature overview The CN1610 switch FASTPATH software components generate messages that you can use to understand the state of the system, and to diagnose issues that arise during operation. Messages are generated in response to events, faults, or errors occurring on the platform, and by configuration changes or other occurrences.
  • Page 37: Log Access

    By default, only messages that are of severity ALERT or EMERGENCY are stored in the persistent log. Because these messages are of high value, persistent messages are logged immediately into the persistent log. The administrator has the option of configuring the persistent log to store lower severity messages as well.
  • Page 38 Emergency (0): system is unusable. Alert (1): action must be taken immediately. Critical (2): critical conditions. Error (3): error conditions. Warning (4): warning conditions. Notice (5): normal but significant conditions. Informational (6): informational messages. Debug (7): debug-level messages. ◆ Timestamp—Each message is time-stamped with the local time or, if the platform is not synchronized, the elapsed time since last reboot.
  • Page 39: Syslog Configuration

    Syslog configuration The CN1610 switch supports using the syslog protocol to forward messages over UDP to one or more collectors or relays. Messages can be forwarded to one or more collectors or relays based on configuration of severity, component ID, or both.
  • Page 40 (CN1610) #config (CN1610) (Config)#logging persistent 3
  • Page 41: Sntp

    NTP or SNTP server, NTP and SNTP clients are indistinguishable; to an NTP or SNTP client, NTP and SNTP servers are indistinguishable. Furthermore, any version of NTP is compatible with any other version of NTP. The CN1610 switch software implements only the client side of SNTP.
  • Page 42 show sntp client Displays SNTP client settings. show sntp server Displays SNTP server settings. For more information on the SNTP commands, see the CN1610 Network Switch CLI Command Reference. Configuration: The following commands configure two SNTP unicast servers, with one having a...
  • Page 43: Dns Client

    DNS server returns the response to the client rather than referring the client to another server for name resolution. Configuration options The CN1610 switch supports IPv4 DNS servers. The server address can be configured statically (by you) or learned dynamically by the DHCP client.
  • Page 44 For more information on the DNS commands, see the CN1610 Network Switch CLI Command Reference. Configuration example: The following commands configure a default domain name to complete lookup requests with unspecified domain names.
  • Page 45: Environmental Status

    Environmental status Feature overview You can monitor the physical status of the switch by observing the status of the fans, power supply status, and temperature. The following status information can be obtained on a unit, or on all units in a stack: Name Description...
  • Page 46 CLI show commands You can use the following command in Privileged EXEC mode to view information about the environmental status feature: Command Description show environment Displays environmental status information.
  • Page 47: Outbound Telnet

    Network Virtual Terminal (NVT). Configuration example: The following example connects from this switch to a remote switch and then uses the remote switch’s CLI to view data: (CN1610) #telnet 192.168.77.151 Trying 192.168.77.151... (CN1610) # User:admin Password: (switch) >enable...
  • Page 49: Chapter 3 Ports And Lags

    Ports and LAGs About this chapter This chapter describes how to configure and view status information about system ports and link aggregation groups (LAGs). Topics in this chapter This chapter includes the following topics: ◆ “Port configuration” on page 42 ◆...
  • Page 50: Port Configuration

    Port configuration Feature overview Each physical port can be independently configured. This configuration affects how the port operates at the physical level (for example, its speed and duplex operation), and at higher levels (for example, VLAN membership or IP address). You can associate a description to each port to more easily identify how the port is used.
  • Page 51 The factory default is enabled. LACP Mode LACP is enabled or disabled on this port. For more information on the port configuration commands, see the CN1610 Network Switch CLI Command Reference. CLI show commands You can use the following...
  • Page 52 (CN1610) #configure (CN1610) #interface 0/1 (CN1610) (Interface 0/1)#auto-negotiate Port configuration...
  • Page 53: Sfp Ports

    SFP ports Feature overview The CN1610 switch supports 16 SFP and SFP+ ports. If an SFP+ module is plugged in, then the default speed is 10 Gbps and autonegotiation is disabled. Supported SFP modules The only SFP module supported for the CN1610 cluster network switch is the NetApp 10Gb SFP+ optical module (X6589-R6/part number 332-00279R6).
  • Page 54: Link Aggregation

    LAG. Similarly, when links are added to a LAG, the conversations may be shifted to the new link. Static and dynamic LAGs The CN1610 switch also supports static LAGs. When a port is added to a LAG as a static member, it neither transmits nor receives LACPDUs. Configured members are added to the LAG (active participation) immediately if the LAG is configured to be static.
  • Page 55 particular TCP session. The resolution of this problem is to select the correct physical port within the port channel for transmitting the packet, to keep the original packet order. The hashing algorithm is configurable for each LAG. The administrator can choose from hash algorithms utilizing the following attributes of a packet to determine the outgoing port: ◆...
  • Page 56 LACP exchanges. show lacp partner Displays configuration information for ports with respect to their role as partners in LACP exchanges. For more information on the LAG commands, see the CN1610 Network Switch CLI Command Reference.
  • Page 57 (CN1610) (Interface 3/1)#lacp admin key 1220 (CN1610) (Interface 3/1)#exit (CN1610) (Config)#interface 0/2 (CN1610) (Interface 0/2)#addport 3/1 (CN1610) (Interface 0/2)#lacp actor admin key 1220 (CN1610) (Interface 0/2)#exit (CN1610) (Config)#interface 0/3 (CN1610) (Interface 0/3)#addport 3/1 (CN1610) (Interface 0/3)#lacp actor admin key 1220...
  • Page 59: Chapter 4 Switching

    Switching About this chapter This chapter describes how to configure and view status information for Layer 2 switching protocols. Topics in this chapter This chapter includes the following topics: ◆ “Layer 2 forwarding database” on page 52 ◆ “Layer 2 multicast forwarding database”...
  • Page 60: Layer 2 Forwarding Database

    This association can occur from several different mechanisms, but generally is based on the VLAN tag in the packet or the PVID of the port. The CN1610 switch uses the VLAN and the source MAC address to look up the L2FDB. If the address is not known, and the address can be learned, then an entry is added to the database that indicates which port is associated with this MAC address.
  • Page 61 Command Description show mac-addr-table interface Displays all entries in the Layer 2 forwarding database for a specified interface. show mac-addr-table count Displays the number of entries in the Layer 2 forwarding database. show forwardingdb agetime Displays the time, in seconds, after which a Layer 2 forwarding database entry ages out.
  • Page 62: Layer 2 Multicast Forwarding Database

    (CN1610) (Config)#macfilter 5C:26:0A:57:20:64 2 (CN1610) (Config)#interface 0/5 (CN1610) (Interface 0/5)#macfilter addsrc 5C-26-0A-57-20-64 2 The following example creates an MFDB entry that associates a multicast MAC address to VLAN 3. Then, it adds this filter to interface 0/5 as a destination filter, so that a multicast packet destined to this multicast address on VLAN 100 is allowed only if it is received on interface 0/5.
  • Page 63 For more information on the Layer 2 MFDB commands, see the CN1610 Network Switch CLI Command Reference.
  • Page 64: Link Layer Discovery Protocol

    The CN1610 switch supports both the transmit and receive functions to support device discovery. Devices are not required to implement both functions; you can enable or disable each function separately on a per-port basis.
  • Page 65 Unit). Inclusion of the optional TLVs in the management set is configurable by the administrator; by default they are not included. The transmit function will extract the local system information and build the LLDPDU based on the specified configuration for the port. In addition, the administrator has control over timing parameters affecting the TTL of LLDPDUs and the interval in which they are transmitted.
  • Page 66 Transmit Enable Enables/disables transmission of management address instance. Enabled/Disabled Disabled For more information on the LLDP configuration commands, see the CN1610 Network Switch CLI Command Reference. CLI show commands You can use the following commands in Privileged EXEC mode to view...
  • Page 67 It also configures the interface to send LLDP notifications when there are changes in topology. (CN1610) #configure (CN1610) (Config)#lldp notification-interval 600 (CN1610) (Config)#lldp timers interval 300 hold 5 reinit 10 (CN1610) (Configure)#interface 0/5 (CN1610) (Interface 0/5)#lldp transmit (CN1610) (Interface 0/5)#lldp transmit-tlv...
  • Page 68: Industry Standard Discovery Protocol

    Industry Standard Discovery Protocol Feature overview Industry Standard Discovery Protocol (ISDP) is a proprietary Layer 2 network protocol which interoperates with Cisco network equipment and is used to share information between neighboring devices (routers, bridges, access servers, and switches). Through the operation of ISDP, the switch can discover information about its neighbors, such as: ◆...
  • Page 69 The IP address associated with the routing interface, if configured and if routing is supported in the package ◆ Any loopback addresses, if configured and if routing is supported in the package. The CN1610 switch interprets IPv4 addresses only. Other types of addresses are ignored.
  • Page 70 This field typically contains either the host name or the serial number of the device. On the CN1610 switch, this field is populated with either the device's serial number or host name. The host name is always used as the device ID if the host name is configured to a nondefault value.
  • Page 71 (CN1610) #configure (CN1610) (Config)#isdp timer 120 (CN1610) (Config)#isdp holdtime 60 (CN1610) (Config)#isdp advertise-v2 (CN1610) (Config)#isdp run (CN1610) (Config)#interface 0/5 (CN1610) (Interface 0/5)#isdp enable For more information on the ISDP commands, see the CN1610 Network Switch CLI Command Reference.
  • Page 72: Igmp Snooping

    Enabling switches to snoop IGMP packets is a creative way to solve this problem. The CN1610 switch uses the information in the IGMP packets as they are being forwarded throughout the network to determine which segments should receive packets directed to the group address.
  • Page 73 IP address among the routers. Defaults IGMP is disabled by default. For more information on the IGMP snooping default values and commands, see the CN1610 Network Switch CLI Command Reference. CLI show commands You can use the following commands in Privileged EXEC mode to view...
  • Page 74 (CN1610) (Configure)#set igmp (CN1610) (Configure)#exit (CN1610) #vlan database (CN1610) (Vlan)#set igmp groupmembership-interval 10 180 (CN1610) (Vlan)#set igmp maxresponse 10 25 (CN1610) (Vlan)#set igmp mcrtrexpiretime 10 360 (CN1610) (Vlan)#set igmp querier election participate 10 (CN1610) (Vlan)#set igmp querier 10
  • Page 75: Jumbo Frames

    Configuration examples: The following example sets the MTU for interface 0/5 to the largest supported size: (CN1610) #configure (CN1610) (Configure)#interface 0/5 (CN1610) (Interface 0/5)#mtu 9216 For more information on the command, see the CN1610 Network Switch CLI Command Reference.
  • Page 76: Port Mirroring

    Type Determines what traffic is mirrored. RX, TX, or Both Both Information on these parameters and other port mirroring commands can be found in the Port Mirroring section of the CN1610 Network Switch CLI Command Reference.
  • Page 77 0/5. The mode keyword enables the monitor session: (CN1610) #configure (CN1610) (Config)#monitor session 1 source interface 0/12 rx (CN1610) (Config)#monitor session 1 destination interface 0/5 (CN1610) (Config)#monitor session 1 mode (CN1610) (Config)#exit (CN1610) #show monitor session 1 Session ID...
  • Page 78: Flow-Based Mirroring

    Flow-based mirroring Feature overview Flow-based mirroring enables you to copy certain types of traffic to a single destination port. This provides flexibility in mirroring traffic, because instead of mirroring all ingress or egress traffic on a port, the switch can mirror a subset of that traffic.
  • Page 79 (CN1610) (Config-policy-map)#class class_igmp (CN1610) (Config-policy-classmap)#mirror 0/7 (CN1610) (Config-policy-classmap)#exit (CN1610) (config)# (CN1610) (config)#interface 0/4 (CN1610) (Interface 0/4)#service-policy in class_igmp (CN1610) (Interface 0/4)#exit (CN1610) (config)# For more information on the DiffServ commands, see the CN1610 Network Switch CLI Command Reference.
  • Page 80: Storm Control

    Storm control Feature overview The storm control feature provides the ability to detect a traffic storm (broadcast, multicast, or unknown unicast traffic received at a very high rate) and prevent these packets from flooding other parts of the network. When storm control is enabled, broadcast, multicast, or unknown unicast traffic begins to drop when that type of traffic exceeds the configured rate threshold for a particular port.
  • Page 81 Maximum percent of traffic. 0%–100% 5 percent For more information on the parameters and defaults for the storm control commands, see the CN1610 Network Switch CLI Command Reference. CLI show commands You can use the following command in Privileged EXEC mode to view...
  • Page 82: Flow Control

    Flow control Feature overview IEEE 802.3x flow control is specified in IEEE 802.3x. Flow control allows traffic from one device to be throttled for a specified period of time. It is defined for devices that are directly connected. To inhibit transmission of data frames from another device on the LAN, a device transmits a PAUSE frame, as defined in the specification.
  • Page 83 (CN1610) #configure (switch) (interface 0/15)#storm-control flowcontrol
  • Page 85: Chapter 5 Multiple Spanning Tree Protocol

    Multiple Spanning Tree Protocol About this chapter This chapter describes the switch software support for IEEE 802.1s, Multiple Spanning Tree Protocol (MSTP). Topics in this chapter This chapter discusses the following topics: ◆ “MSTP overview” on page 78 ◆ “MSTP functional description”...
  • Page 86: Mstp Overview

    STP functionality is enabled on all ports by default. ◆ The common and internal spanning tree (CIST) instance (MSTID = 0) is the only default MSTP instance. For additional default values, see the CN1610 Network Switch CLI Command Reference.
  • Page 87: Mstp Functional Description

    MSTP functional description Overview The MSTP algorithm and protocol provides simple and full connectivity for frames assigned to any given VLAN throughout a bridged LAN that comprises arbitrarily interconnected networking devices, each operating MSTP, STP, or RSTP. MSTP allows frames assigned to different VLANs to follow separate paths, each based on an independent multiple spanning tree instance (MSTI), within MST regions composed of LANs and MSTP bridges.
  • Page 88 The forwarding of BPDUs can be administratively controlled using the following features: ◆ BPDU Guard—When BPDU guard is enabled globally on the switch and a BPDU packet arrives on a port that has been enabled as an edge port, the port is disabled;...
  • Page 89 VIDs to spanning trees. This is achieved by: 1. Ensuring that the allocation of VIDs to FIDs is unambiguous. The CN1610 switch implements this with a fixed VID-to-FID assignment. Every VID is assigned to one and only one FID, as illustrated in the...
  • Page 90 2. Ensuring that each FID supported by the bridge is allocated to exactly one spanning tree instance. The CN1610 switch implements this by means of the FID-to-MSTI Allocation Table. The following figure shows an example configuration: Example FID to MSTI Allocation...
  • Page 91 [Figure: Example VID to MSTI Allocation, mapping VID 1 through VID n to CIST 0, MSTI 1, and MSTI 2.] This allocation ensures that every VLAN is assigned to one and only one MSTI. The CIST is also an instance of spanning tree with a MSTID of 0. An instance can have no VIDs allocated to it, but every VLAN must be allocated to one of the other instances of spanning tree.
  • Page 92 Control packet behavior The following list defines how MST control packets are transmitted: ◆ BPDU—Always transmitted as untagged. The port receives and transmits BPDUs in all the three MSTP states (discarding, learning, and forwarding). If MSTP is disabled for the device (manual forwarding on all ports), BPDUs received are switched.
  • Page 93: Mstp Operation In The Network

    MSTP operation in the network Example small 802.1d bridged network In the following figure of a small, 802.1d bridged network, STP is necessary to create an environment with full connectivity and without loops: Single STP instance topology Assume that bridge BrA is elected to be the root bridge, and ports Pt1 on bridges BrB and BrC are calculated to be the root ports for those bridges; port Pt2 on bridges BrB and BrC would be placed into blocking state.
  • Page 94 For VLAN 10, this single STP topology presents no limitations or inefficiencies. On the other hand, VLAN 20's traffic pattern is inefficient. All frames from bridge BrB will have to traverse a path through bridge BrA before arriving at bridge BrC. If the ports Pt2 on bridge BrB and BrC could be used, these inefficiencies could be eliminated.
  • Page 95 In order for MSTP to correctly establish the different MSTIs as shown in the preceding figure, some additional changes are required. For example, the configuration would have to be the same on each bridge. That means that bridge BrB would have to add VLAN 10 to its list of supported VLANs (shown in the figure with an asterisk).
  • Page 96 Multiple MSTP regions To further illustrate the full connectivity in an MSTP active topology, assume that the following rules apply: 1. Each bridge or LAN is in only one region. 2. Every frame is associated with only one VID. 3. Frames are allocated either to the IST or MSTI within any given region. 4.
  • Page 97 Interactions between multiple regions In the following figure, a third region has been added. Even though this new region consists of only one bridge, and the MST configuration identifier matches the bridges in region 1, it will still be isolated into a region by itself. This is because the only connection between region 1 and region 3 is through a different region.
  • Page 98 The path of a frame for VLAN 20 can be traced through the MST active topology. A frame originating on an end station on bridge BrA in region 1 will traverse the MSTI2 active topology, since its VID has been allocated to that instance.
  • Page 99: Mstp Cli Show Commands

    MST instance and interface configuration parameters. show spanning-tree summary Displays spanning tree settings and parameters for the switch. For more information on the MSTP commands, see the CN1610 Network Switch CLI Command Reference.
  • Page 100: Mstp Configuration Example

    (CN1610) (Config)#spanning-tree mst instance 20 (CN1610) (Config)#spanning-tree mst vlan 10 10 (CN1610) (Config)#spanning-tree mst vlan 20 20 The following commands change the name so that all the bridges that want to be part of the same region can form the region, and make the MST ID 10 bridge the root bridge by lowering the priority.
  • Page 101: Chapter 6 Vlans

    VLANs About this chapter This chapter describes how to create and manage VLANs on the switch. Topics in this chapter This chapter includes the following topics: ◆ “Basic VLAN configuration” on page 94 ◆ “Protocol-based VLANs” on page 98 ◆ “MAC-based VLANs”...
  • Page 102: Basic Vlan Configuration

    Basic VLAN configuration Feature overview In a VLAN, untagged traffic is bridged through specified ports based on the receiving port’s port VLAN ID (PVID). VLANs can help to optimize network traffic patterns because broadcast, multicast, and unknown unicast packets are sent only to ports that are members of the VLAN.
  • Page 103 Next, the destination MAC address is paired with the VLAN ID and searched for in the L2FDB. If it is not found, or if it is the broadcast address, then it is forwarded to all ports that are members of the VLAN. Known unicast packets are switched only to the destination port.
  • Page 104 show vlan port: Displays port information with respect to VLAN associations for a specified port or all ports. For more information on the VLAN commands, see the CN1610 Network Switch CLI Command Reference. Configuration example: The following figure shows a switch with four ports configured to handle the traffic for two VLANs.
  • Page 105 (CN1610) (Vlan)#exit Assign ports to VLANs: The following sequence shows how to configure VLAN settings on ports: (CN1610) (Config)#interface 0/10 (CN1610) (Interface 0/10)#vlan participation include 20 (CN1610) (Interface 0/10)#vlan tagging 20 (CN1610) (Interface 0/10)#vlan acceptframe vlanonly (CN1610) (Interface 0/10)#exit (CN1610) (Config)#interface 0/11...
  • Page 106: Protocol-Based VLANs

    Protocol-based VLANs. Feature overview: In a protocol-based VLAN, traffic is bridged through specified ports based on the protocol. This feature enables the administrator to define a packet filter that specifies criteria for determining if a packet belongs to a particular VLAN. Protocol-based VLANs are most often used in situations where network segments contain hosts that run multiple protocols.
  • Page 107 IP VLAN ID: Assigns a default VLAN for IP packets (1–4093). For more information on the protocol-based VLAN commands, see the CN1610 Network Switch CLI Command Reference. Configuration example: The following figure shows how you can use protocol-based VLANs to keep...
  • Page 108 On this switch, the administrator configures all IPX traffic to be bound to VLAN 10. All IP and ARP traffic is bound to VLAN 20. By adding ports 1 and 2 to VLAN 10, and adding ports 3 and 4 to VLAN 20, the administrator ensures that no IPX traffic will be admitted to the IP network.
  • Page 109 (CN1610) #config (CN1610) (Config)#vlan protocol group 100 (CN1610) (Config)#vlan protocol group add protocol 100 ethertype ipx (CN1610) (Config)#vlan protocol group 120 (CN1610) (Config)#vlan protocol group add protocol 120 ethertype arp,ip (CN1610) (Config)#exit (CN1610) #vlan database (CN1610) (Vlan)#protocol group 100 10...
  • Page 110: MAC-Based VLANs

    There is no restriction on the VLAN used in the mapping table. You can specify a static VLAN, dynamic VLAN, or even a nonexistent VLAN. Note: The CN1610 switch assigns a VLAN based on the following order of precedence: 1. MAC-based 2.
  • Page 111 VLAN ID: VLAN to assign; existing VLAN (1-4094); default None. For more information on the MAC-based VLAN commands, see the CN1610 Network Switch CLI Command Reference. CLI show: You can use the following command in Privileged EXEC mode to view...
  • Page 112: IP Subnet-Based VLANs

    IP subnet-based VLANs. Feature overview: This feature allows incoming untagged packets to be assigned to a VLAN and a traffic class based on the source IP address of the packet. An IP-subnet-to-VLAN mapping is defined by configuring an entry in the IP subnet-to-VLAN table that specifies a source IP address, network mask, and the desired VLAN ID.
  • Page 113 Note: The CN1610 switch assigns a VLAN based on the following order of precedence: 1. MAC-based 2. IP subnet-based 3. Protocol-based 4. Port-based (default) Source MAC-based mappings are evaluated and assigned first. Supported parameters: You can use the command to view and configure the...
  • Page 114 Configuration example: This example configures the switch so that all hosts with IP addresses in the 192.168.25.0/24 network are members of VLAN 10: (CN1610) #vlan database (CN1610) (Vlan)#vlan association subnet 192.168.25.0 255.255.255.0 10
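As an added example (not code from the NetApp guide), the Python model below applies the VLAN assignment precedence the guide states (MAC-based, then IP subnet-based, then protocol-based, then the port PVID) to frames arriving on a port, seeded with the subnet and protocol mappings from the examples above; the MAC entry, the port names and PVIDs, the longest-prefix tie-break, and the drop on a vlanonly port are constructed assumptions.

```python
"""Added example, not code from the NetApp guide: a model of the documented
VLAN assignment precedence for frames arriving on a CN1610 port:
1. MAC-based, 2. IP subnet-based, 3. protocol-based, 4. port-based (PVID).
All tables, ports and frames below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_IPX = 0x0800, 0x0806, 0x8137


@dataclass
class Frame:
    in_port: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None    # set for IP frames only
    vlan_tag: Optional[int] = None  # None means the frame is untagged


@dataclass
class PortConfig:
    pvid: int                # port VLAN ID, used as the last resort
    vlan_only: bool = False  # 'vlan acceptframe vlanonly' from the page 105 excerpt


@dataclass
class VlanClassifier:
    mac_map: dict = field(default_factory=dict)       # src MAC -> VLAN
    subnet_map: list = field(default_factory=list)    # (IPv4Network, VLAN)
    protocol_map: dict = field(default_factory=dict)  # EtherType -> VLAN
    ports: dict = field(default_factory=dict)         # port name -> PortConfig

    def add_subnet(self, address, mask, vlan):
        # mirrors 'vlan association subnet <addr> <mask> <vlan>' on the page
        self.subnet_map.append((IPv4Network(f"{address}/{mask}"), vlan))

    def classify(self, frame):
        """Return (vlan, reason); vlan is None when the frame is dropped."""
        port = self.ports[frame.in_port]
        if frame.vlan_tag is not None:
            return frame.vlan_tag, "tagged"  # the tables apply to untagged frames
        if port.vlan_only:
            return None, "dropped: port accepts VLAN-tagged frames only"
        if frame.src_mac.lower() in self.mac_map:      # 1. MAC-based
            return self.mac_map[frame.src_mac.lower()], "mac"
        if frame.src_ip is not None:                    # 2. IP subnet-based
            ip = IPv4Address(frame.src_ip)
            hits = [(n.prefixlen, v) for n, v in self.subnet_map if ip in n]
            if hits:
                # assumption: the most specific (longest-prefix) entry wins
                return max(hits)[1], "subnet"
        if frame.ethertype in self.protocol_map:        # 3. protocol-based
            return self.protocol_map[frame.ethertype], "protocol"
        return port.pvid, "port"                        # 4. port-based default


def sample_switch():
    """Constructed configuration echoing the guide's examples (pages 105, 108, 114)."""
    sw = VlanClassifier()
    sw.mac_map["00:11:22:33:44:55"] = 30                   # constructed MAC-based entry
    sw.add_subnet("192.168.25.0", "255.255.255.0", 10)     # page 114 example
    sw.protocol_map.update({ETHERTYPE_IPX: 10, ETHERTYPE_ARP: 20, ETHERTYPE_IP: 20})  # page 108
    sw.ports["0/1"] = PortConfig(pvid=1)                   # constructed access port
    sw.ports["0/10"] = PortConfig(pvid=20, vlan_only=True) # page 105: acceptframe vlanonly; PVID assumed
    return sw


if __name__ == "__main__":
    sw = sample_switch()
    for f in (Frame("0/1", "00:11:22:33:44:55", ETHERTYPE_IP, "192.168.25.7"),
              Frame("0/1", "aa:bb:cc:dd:ee:ff", ETHERTYPE_IP, "192.168.25.7"),
              Frame("0/1", "aa:bb:cc:dd:ee:ff", ETHERTYPE_IPX),
              Frame("0/10", "aa:bb:cc:dd:ee:ff", ETHERTYPE_ARP)):
        print(f.in_port, f.src_mac, hex(f.ethertype), "->", sw.classify(f))
```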
  • Page 115: Double VLAN Tagging

    Double VLAN tagging. Feature overview: The use of virtual metropolitan area networks (MANs) enables passing VLAN traffic from one customer domain to another through a metro core in a simple and cost-effective manner. An additional VLAN tag is used to differentiate customers in the MAN while preserving individual customers’...
  • Page 116 [Figure: double VLAN tagging between Switch 1 and Switch 2; each switch has an access port (CV) and an uplink port (SP) with EtherType 9100, PVID 20 (SP) and DVLAN tagging enabled; payloads are DVLAN-tagged on the uplink and 802.1Q...]
  • Page 117 The administrator must ensure that tagging is disabled for all service provider VLANs. The following tables show the tagging operation for the various scenarios on ingress and egress (columns: Ingress logic; Uplink (service provider); Output at uplink; Output at access): Untagged; Single-tagged; Untagged; CV-tagged...
  • Page 118 show dvlan-tunnel interface: Displays detailed information about DVLAN tunneling for that interface. For more information on the double VLAN tagging commands, see the CN1610 Network Switch CLI Command Reference. Configuration example: The following commands configure port 0/5 as an uplink port:...
  • Page 119 (CN1610) #config (CN1610) (Config)#dvlan-tunnel ethertype custom 5454 primary-tpid (CN1610) (Config)#dvlan-tunnel ethertype custom 5443 (CN1610) (Config)#dvlan-tunnel ethertype 802.1q (CN1610) (Config)#interface 0/5 (CN1610) (Interface 0/5)#mode dvlan-tunnel (CN1610) (Interface 0/5)#exit (CN1610) (Config)#interface 0/6 (CN1610) (Interface 0/6)#mode dvlan-tunnel (CN1610) (Interface 0/6)#exit (CN1610) (Config)#interface 0/4...
  • Page 121: Chapter 7 Quality of Service

    Quality of Service. About this chapter: The CN1610 FASTPATH software provides the following quality of service (QoS) features that help to ensure optimal handling of traffic: ◆ Class of Service (CoS) Queue Mapping—This feature allows traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.
  • Page 122: Class of Service (CoS) Queue Mapping

    Class of service (CoS) queue mapping. CoS overview: In a typical switch or router, each physical port consists of one or more queues for transmitting packets on the attached network. Multiple queues per port are often provided to give preference to certain packets over others based on user-defined criteria.
  • Page 123: Operational Overview

    CoS mapping configurations can apply system-wide—meaning a change affects all interfaces simultaneously—and on a per-interface basis. Operational overview: Packets traveling through a network device can receive different treatment based on a well-defined marking scheme. For a Layer 2 header, the 802.1p user priority contained in the VLAN tag denotes one of eight priority levels.
  • Page 124 show classofservice trust: Displays the current global trust mode setting, or the setting for a specific interface. For more information on the CoS queue mapping commands, see the CN1610 Network Switch CLI Command Reference.
  • Page 125: CoS Queue Configuration

    Defining these on a per-queue basis allows the user to create the desired service characteristics for different types of traffic. Defaults: See the CN1610 Network Switch CLI Command Reference for the configurable queue parameters and their default values. CLI show...
  • Page 126: QoS Map and Queue Configuration Example

    QoS map and queue configuration example. Description: This example illustrates the network operation as it relates to CoS mapping and queue configuration. Four packets are presented to the ingress port 0/10 in the order A, B, C, then D. Port 10 is designated to trust the 802.1p field of the packet, which serves to direct packets A, B, and D to their respective queues on the egress port.
  • Page 127 [Figure: ingress port 10 (mode 'trust dot1p') receives packet A (UserPri=3), packet B (UserPri=7), packet C (untagged) and packet D (UserPri=6); tagged packets go through the 802.1p-to-CoS queue map and the untagged packet through the port default priority-to-traffic class map; packets are forwarded via the switch fabric to egress port x, whose queues are scheduled strict and weighted 40%, 20%, 10%, 5%, 5%...]
  • Page 128 (CN1610) (Interface 0/10)#classofservice dot1p-mapping 6 3 (CN1610) (Interface 0/10)#vlan priority 2 (CN1610) (Interface 0/10)#exit (CN1610) (Config)#interface 0/8 (CN1610) (Interface 0/8)#cos-queue min-bandwidth 0 0 5 5 10 20 40 (CN1610) (Interface 0/8)#cos-queue strict 6 (CN1610) (Interface 0/8)#exit (CN1610) (Config)#exit To configure the egress interface for a sustained maximum data rate of 80 Kbps (assuming a 100 Mbps link speed), the following command could be used.
  • Page 129: Differentiated Services (DiffServ)

    The CN1610 switch supports the ability to assign traffic classes to output CoS queues, and to mirror incoming packets in a traffic stream to a specific egress interface (physical port or LAG).
  • Page 130 ◆ The packet’s source or destination MAC or IP address. ◆ The packet’s source or destination Layer 4 (TCP or UDP) port number. ◆ The packet’s EtherType value. ◆ The packet’s IP precedence, IP DSCP, or ToS value. ◆ The packet’s protocol number (that is, the IANA logical port number). ◆...
  • Page 131 ❖ Mark CoS—The packets are marked by DiffServ with the specified CoS value before being presented to the system forwarding element. This selection requires that the Mark CoS value field be set. ❖ Mark CoS as Secondary CoS—For double-tagged packets, the 802.1p tag is marked by DiffServ with the (original) 802.1p value of the inner tag before the packet is presented to the system forwarding element.
  • Page 132 For more information on the DiffServ commands, see the CN1610 Network Switch CLI Command Reference. Configuration examples: Example 1—Providing equal access to a linked network: This example shows how a company network administrator can provide different departments within the company equal access to the human resources network.
  • Page 133 (CN1610) # (CN1610) (config)#diffserv (CN1610) (config)#class-map match-all finance_dept (CN1610) (Config-classmap)#match srcip 172.16.10.0 255.255.255.0 (CN1610) (Config-classmap)#exit (CN1610) (config)#class-map match-all marketing_dept (CN1610) (Config-classmap)#match srcip 172.16.20.0 255.255.255.0 (CN1610) (Config-classmap)#exit (CN1610) (config)#class-map match-all test_dept (CN1610) (Config-classmap)#match srcip 172.16.30.0 255.255.255.0 (CN1610) (Config-classmap)#exit (CN1610) (config)#class-map match-all development_dept (CN1610) (Config-classmap)#match srcip 172.16.40.0 255.255.255.0...
  • Page 134 (CN1610) (Config-policy-map)#exit (CN1610) (config)# Next, the policy is added to interfaces 0/1 through 0/4 in the inbound direction: (CN1610) (config)#interface 0/1 (CN1610) (Interface 0/1)#service-policy in hr_access (CN1610) (Interface 0/1)#exit (CN1610) (config)#interface 0/2 (CN1610) (Interface 0/2)#service-policy in hr_access (CN1610) (Interface 0/2)#exit...
  • Page 135 0/5 based on a normal destination address lookup for internet traffic. (CN1610) (Config)#interface 0/5 (CN1610) (Interface 0/5)#cos-queue min-bandwidth 0 25 25 25 25 0 0 (CN1610) (Interface 0/5)#exit (CN1610) (Config)#exit (CN1610) # Example 2—VoIP Configuration: One of the most valuable uses of DiffServ...
  • Page 136 (CN1610) (config)#class-map match-all class_voip (CN1610) (Config-classmap)#match protocol udp (CN1610) (Config-classmap)#exit (CN1610) (config)#class-map match-all class_ef (CN1610) (Config-classmap)#match ip dscp ef (CN1610) (Config-classmap)#exit (CN1610) (config)# Next, a DiffServ policy for inbound traffic named pol_voip is created, and the previously created classes are added to it as instances...
  • Page 137: Chapter 8 Security Features

    Security Features. About this chapter: This chapter describes how to configure device security features. Topics in this chapter: This chapter includes the following topics: ◆ “Denial of service and other protections” on page 130 ◆ “Access control lists” on page 132 ◆...
  • Page 138: Denial Of Service And Other Protections

    The DoS protection feature is always active and does not need or allow any user configuration. Supported protections: The CN1610 switch supports the following DoS and other protections: ◆ Protection of the switch under packet load: Packet throttling ensures that the switch remains manageable under heavy load.
  • Page 139 Rate-limiting traffic: A rate-limiting mechanism is often used to limit traffic. For instance, limitations on ICMP and TCP SYN packets can be implemented as part of the denial of service strategy. On the CN1610 switch, rate limiting can be accomplished using the QoS feature.
  • Page 140: Access Control Lists

    Access control lists. Feature overview: Access control lists (ACLs) ensure that only authorized users have access to specific resources while blocking off any unwarranted attempts to reach network resources. ACLs are used to provide traffic flow control, restrict the contents of routing updates, decide which types of traffic are forwarded or blocked, and above all provide security for the network.
  • Page 141 Creating an access list definition: Access lists are a sequential collection of permit and deny conditions. This collection of conditions, known as the filtering criteria, is applied to each packet that is processed by the switch or the router. Packets are forwarded or dropped based on whether or not the packet matches the specified criteria.
  • Page 142 VLAN. Note: ACLs on the CN1610 switch apply only to inbound traffic. Supported parameters: Access control lists can only be applied on ingress. Up to 100 access lists can be defined in the system, with each list having up to 100 rules.
  • Page 143: ACL Configuration

    show ip access-lists: Displays summary information about all IP ACLs configured on the switch. For more information on the access list commands, see the CN1610 Network Switch CLI Command Reference. ACL configuration overview: To configure ACLs, follow these steps: 1.
  • Page 144 (CN1610) (Config)#access-list 100 permit udp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.255 The following commands apply the rule to outbound (egress) traffic on port 0/2. Only traffic matching the criteria will be accepted: (CN1610) (Config)#interface 0/2 (CN1610) (Interface 0/2)#ip access-group 100 out...
  • Page 145 (CN1610) (Config)#interface 0/5 (CN1610) (config-if-0/5)#mac access-group mac1 in 6
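As an added example that is not part of the guide, the Python below parses access-list commands in the form shown above (wildcard masks, where a 1 bit means "do not care") and evaluates packets against the rule sequence in order, the way the guide describes permit and deny conditions being applied; the implicit deny when no rule matches, the "any" keyword handling, and the sample packets are assumptions of this model.

```python
"""Added example (not NetApp's code): evaluate a CN1610-style IP ACL.
Rules are a sequential list of permit/deny conditions checked in order; the
first matching rule decides, and a packet matching no rule is dropped (the
implicit deny is an assumption of this model). Wildcard masks follow the
convention in the guide's example: a 1 bit means 'do not care'.
Sample rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class AclRule:
    acl_id: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" (any protocol), "udp", "tcp", "icmp", ...
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _addr(text):
    return int(IPv4Address(text))


def parse_rule(line):
    """Parse the '(CN1610) (Config)#access-list ...' command form used on the page."""
    toks = line.split("#", 1)[-1].split()  # drop the '(CN1610) (Config)' prompt
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list command: {line!r}")
    acl_id, action, proto = int(toks[1]), toks[2], toks[3]
    rest = toks[4:]

    def take():
        nonlocal rest
        if rest[0] == "any":                 # assumption: 'any' = 0.0.0.0 255.255.255.255
            rest = rest[1:]
            return 0, 0xFFFFFFFF
        addr, wild = _addr(rest[0]), _addr(rest[1])
        rest = rest[2:]
        return addr, wild

    src, src_wild = take()
    dst, dst_wild = take()
    return AclRule(acl_id, action, proto, src, src_wild, dst, dst_wild)


def _match_addr(addr, base, wild):
    # bits set in the wildcard are ignored; the remaining bits must equal the base
    return (addr ^ base) & ~wild & 0xFFFFFFFF == 0


def rule_matches(rule, proto, src, dst):
    return ((rule.proto == "ip" or rule.proto == proto)
            and _match_addr(_addr(src), rule.src, rule.src_wild)
            and _match_addr(_addr(dst), rule.dst, rule.dst_wild))


def evaluate(rules, proto, src, dst):
    """Return (action, index of the deciding rule, or None for the implicit deny)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, proto, src, dst):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    acl = [parse_rule("(CN1610) (Config)#access-list 100 permit udp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.255"),
           parse_rule("(CN1610) (Config)#access-list 100 deny ip any any")]  # constructed final rule
    for pkt in (("udp", "192.168.77.10", "192.168.77.3"),
                ("udp", "192.168.77.10", "192.168.77.200"),   # host bits of .3 are masked
                ("tcp", "192.168.77.10", "192.168.77.3")):
        print(pkt, "->", evaluate(acl, *pkt))
```

Note that the destination wildcard 0.0.0.255 on the page's rule masks the host bits of 192.168.77.3, so the rule matches any destination in 192.168.77.0/24, not only .3.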
  • Page 146: IEEE 802.1X

    Supported security methods for communication with remote servers include MD5, PEAP, EAP-TTL, EAP-TTLS, and EAP-TLS. Local 802.1X authentication server: The CN1610 switch supports a dedicated database for local authentication of users for network access through the 802.1X feature. This functionality is distinct from management access for the switch.
  • Page 147: MAC Authentication

    MAC-based 802.1X: MAC-based authentication is an extension to IEEE 802.1X. This feature focuses on supporting authentication of multiple clients per port; that is, even though a port has been authorized by one of the clients connected to it, the other clients connected to the same switch port do not gain access to the port.
  • Page 148 MAC Authentication Bypass (MAB) is a supplemental authentication mechanism that allows 802.1X-unaware clients to authenticate to the network. It uses the 802.1X infrastructure, and MAB cannot be supported independently of the 802.1X component. MAC Authentication Bypass (MAB) provides 802.1X-unaware clients controlled access to the network by using the device's MAC address as an identifier.
  • Page 149 As stated in section C.2.2 of IEEE 802.1X-2001, an Authenticator-enabled switch could reset port counters after authentication succeeds to allow the switch to maintain session statistics. The CN1610 switch does not support this action; therefore, the Authenticator Session Statistics defined in IEEE 802.1X-2001 are not supported.
  • Page 150 show dot1x statistics: Displays the dot1x statistics for a specified port. For more information on the 802.1X commands, see the CN1610 Network Switch CLI Command Reference. Configuration example 1: RADIUS: This example configures a single RADIUS server used for authentication at 10.10.10.10.
  • Page 151 Deadtime : 0 Source IP : 0.0.0.0 RADIUS Attribute 4 Mode : Disable RADIUS Attribute 4 Value : 0.0.0.0 (CN1610) (Config)#aaa authentication login radiusList radius (CN1610) (Config)#aaa authentication dot1x default radius (CN1610) (Config)#dot1x system-auth-control (CN1610) (Config)#interface 0/1 (CN1610) (config-if-0/1)#dot1x port-control force-authorized...
  • Page 152 RADIUS-assigned VLANs: VLAN assignment by the RADIUS server: (CN1610) #config (CN1610) (Config)#aaa authorization network default radius Configuration example 4: guest VLANs: This example shows how to set the guest VLAN on interface 0/16 to VLAN 100. These commands automatically enable the guest VLAN supplicant mode on the interface.
  • Page 153 (CN1610) #configure (CN1610) (Config)#interface 0/16 (CN1610) (config-if-0/16)#dot1x guest-vlan 100 (CN1610) (config-if-0/16)# <CTRL+Z> (CN1610) #show dot1x advanced 0/16 Port Guest VLAN Unauthenticated VLAN --------- --------- --------------- 0/16 Disabled Disabled
  • Page 154: SSH

    Feature overview: The CN1610 switch includes secure shell (SSH) functionality to help ensure the security of network transactions. The following table details the SSH support (columns: SSH feature; Component type): Connection Type: Interactive Login; Authentication Method: Password; Ciphers: SSH Version 1, SSH Version 2 ◆...
  • Page 155 SSH feature: Command; Description. show ip ssh: Displays global SSH settings. For more information on the SSH commands, see the CN1610 Network Switch CLI Command Reference. Configuration example: The following commands configure SSH server version 2 with DSA and RSA...
  • Page 156: RADIUS

    Note: Silently discarded packets are abandoned without any further processing; however, the CN1610 switch RADIUS client generates logs and increments status counters to record these occurrences. RADIUS conforms to a client/server model with secure communications that use UDP as a transport protocol.
  • Page 157 Although the underlying RADIUS code supports challenge messages, the switch user interface does not integrate support for RADIUS challenge messages. ◆ The RADIUS implementation on the CN1610 switch does not support IPv6. Defaults: RADIUS authentication and accounting are disabled and no servers are configured by default.
  • Page 158: RADIUS Servers

    show radius statistics: Displays a summary of statistics for the configured RADIUS accounting servers. For more information on the RADIUS commands, see the CN1610 Network Switch CLI Command Reference. Configuration example: This example configures two RADIUS servers at 10.10.10.10 and 11.11.11.11.
  • Page 159 The following command sets the NAS-IP address. If you do not specify an IP address in the command, the NAS-IP address uses the IP address of the interface that connects the switch to the RADIUS server. (CN1610) #config (CN1610) (Config)#radius-server attribute 4 192.168.20.12
  • Page 160: TACACS+

    TACACS+. Feature overview: TACACS+ provides access control for networked devices by using one or more centralized servers, similar to RADIUS. This protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network.
  • Page 161 Key: Encryption key shared between host and server; 0–128 characters; default None. For more information on the TACACS+ commands, see the CN1610 Network Switch CLI Command Reference. Configuration example: This example configures two TACACS+ servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The server at 10.10.10.10 has a default priority of 0, the highest priority, while the other server has a priority of 2.
  • Page 162 (CN1610) # config (CN1610) (Config)#tacacs-server host 10.10.10.10 (CN1610) (Config)#key tacacs1 (CN1610) (Config)#exit (CN1610) (Config)#tacacs-server host 11.11.11.11 (CN1610) (Config)#key tacacs2 (CN1610) (Config)#priority 2 (CN1610) (Config)#exit (CN1610) (Config)#aaa authentication login tacacsList tacacs local
  • Page 163: Glossary

    Glossary: AAA: Authentication, Authorization, and Accounting; ACL: Access Control List; ARP: Address Resolution Protocol; CIST: Common and Internal Spanning Tree; CLI: Command-Line Interface; DHCP: Dynamic Host Configuration Protocol; DSCP: Differentiated Services Code Point; EAP: Extensible Authentication Protocol; EAPOL: EAP over LAN; GARP: Generic Attribution Registration Protocol; GVRP: GARP VLAN Registration Protocol; IGMP...
  • Page 164 Independent VLAN; LACP: Link Aggregation Control Protocol; MAC: Media Access Control; MDIX: Management Dependent Interface Crossover; Mirror port: Source Mirror Port (the port that mirrors to probe); Mirroring port: Destination Mirror Port; Monitor port: Destination Mirror Port (the port with probe attached); MSTP: Multiple Spanning Tree Protocol; Network Interface Manager...
  • Page 165 RSTP: Rapid Spanning Tree Protocol; SNTP: Simple Network Time Protocol; SSH: Secure Shell; STP: Spanning Tree Protocol; TACACS: Terminal Access Controller Access Control System; VLAN: Virtual LAN
