Quanta Cloud Technology QuantaMesh QNOS5 Configuration Manual


QuantaMesh
Ethernet Switch
Configuration Guide
QNOS5 NOS Platform


Summary of Contents for Quanta Cloud Technology QuantaMesh QNOS5

  • Page 1: QuantaMesh Ethernet Switch Configuration Guide

    QuantaMesh Ethernet Switch Configuration Guide QNOS5 NOS Platform...
  • Page 2 REVISIONS (Version / Date / Description / Authors): 15-Nov-2016 / 1.1 release / Oliver Wu, James Chu, WT Chou, and Thomas Lin; 28-Mar-2017 / 1. New features added including BFD, VRF Lite, LACP Fallback, and service prohibit access... / James Chu, Oliver and WT Chou
  • Page 3: Table of Contents

    Contents: QuantaMesh Ethernet Switch Configuration Guide (p. 1); 1. QuantaMesh QNOS5 Features (p. 19); 1.1. Switching Features Introduction (p. 19); 1.1.1. VLAN Support (p. 19); 1.1.2. Double VLANs (p. 19); 1.1.3. Switching Modes (p. 19); 1.1.4. Spanning Tree Protocols (STP) (p. 19); 1.1.5.
  • Page 4 1.1.33. Flooding to mRouter Ports (p. 24); 1.1.34. IGMP Snooping Querier (p. 24); 1.1.35. Management and Control Plane ACLs (p. 25); 1.1.36. Remote Switched Port Analyzer (RSPAN) (p. 25); 1.1.37. Link Dependency (p. 25); 1.1.38. IPv6 Router Advertisement Guard (p. 25); 1.1.39.
  • Page 5 1.4.9. SNMP Alarms and Trap Logs (p. 31); 1.4.10. Remote Monitoring (RMON) (p. 31); 1.4.11. Statistics Application (p. 31); 1.4.12. Log Messages (p. 31); 1.4.13. System Time Management (p. 32); 1.4.14. Source IP Address Configuration (p. 32); 1.4.15. Multiple Linux Routing Tables (p. 32); 1.4.16.
  • Page 6 1.7.4. VXLAN Gateway (p. 38); 2. Getting Started (p. 39); 2.1. Accessing the switch Command-Line Interface (p. 39); 2.1.1. Connecting to the Switch Console (p. 39); 2.2. Accessing the Switch CLI Through the Network (p. 40); 2.2.1. Using the Service Port or Management VLAN Interface for Remote Management (p. 40); 2.2.1.1.
  • Page 7 3.1.4.2. Configuring the VLANs and Ports on Switch 2 (p. 64); 3.2. Switchport Modes (p. 64); 3.3. Port-channels – Operation and Configuration (p. 66); 3.3.1. Static and Dynamic Port-channel (p. 66); 3.3.2. Port-channel Hashing (p. 66); 3.3.2.1. Resilient Hashing (p. 67); 3.3.2.2.
  • Page 8 3.7.3. VLAN-based Mirroring (p. 87); 3.7.4. Flow-based Mirroring (p. 87); 3.8. Spanning Tree Protocol (p. 88); 3.8.1. Classic STP, Multiple STP, and Rapid STP (p. 88); 3.8.2. STP Operation (p. 88); 3.8.3. MSTP in the Network (p. 89); 3.8.4. Optional STP Features (p. 92); 3.8.4.1.
  • Page 9 3.14. AR Guard (p. 113); 3.15. FIP Snooping (p. 113); 3.16. ECN (p. 117); 3.16.1. Enabling ECN in Microsoft Windows (p. 118); 3.16.2. Example 1: SLA Example (p. 118); 3.16.3. Example 2: Data Center TCP (DCTCP) Configuration (p. 121); 4. Configuring Security Features (p. 123); 4.1.
  • Page 10 4.3.9. ACL Limitations (p. 139); 4.3.10. ACL Configuration Process (p. 140); 4.3.11. Preventing False ACL Matches (p. 140); 4.3.12. IPv6 ACL Qualifies (p. 141); 4.3.13. ACL Configuration Examples (p. 141); 4.3.13.1. Configuring an IP ACL (p. 141); 4.3.13.2. Configuring a MAC ACL (p. 143); 4.3.13.3.
  • Page 11 6.2. Enabling Automatic Image Installation and System Configuration (p. 163); 6.2.1. DHCP Auto Install Process (p. 164); 6.2.1.1. Obtaining IP address Information (p. 164); 6.2.1.2. Obtaining Other Dynamic Information (p. 164); 6.2.1.3. Obtaining the Image (p. 165); 6.2.1.4. Obtaining the Configuration File (p. 165); 6.2.2.
  • Page 12 7.3.1.3. VRRP Accept Mode (p. 187); 7.3.1.4. VRRP Route and Interface Tracking (p. 187); 7.3.2. VRRP Configuration Example (p. 187); 7.3.2.1. VRRP with Load Sharing (p. 188); 7.3.2.2. VRRP with Route and Interface Tracking (p. 190); 7.4. IP Helper; 7.4.1. Relay Agent Configuration Example (p. 195); 7.5.
  • Page 13 7.9.6. VRF Lite Development Scenarios (p. 216); 7.9.7. VRF Configuration Example (p. 219); 8. Configuring Multicast Routing (p. 221); 8.1. L3 Multicast Overview (p. 221); 8.1.1. IP Multicast Traffic (p. 221); 8.1.2. Multicast Protocol Switch Support (p. 221); 8.1.3. Multicast Protocol Roles (p. 222); 8.1.4.
  • Page 14 9.4.1. CoS Queuing Function and Behavior (p. 239); 9.4.1.1. Trusted Port Queue Mappings (p. 239); 9.4.1.2. Un-trusted Port Default Priority (p. 239); 9.4.1.3. Queue Configuration (p. 239); 9.4.1.4. Traffic Class Groups (p. 240); 9.4.2. Configuring CoS Queuing and ETS (p. 240); 9.5.
  • Page 15 LIST of FIGURES: Figure 2-1: SNMP Configuration Topology (p. 52); Figure 3-1: Simple VLAN Topology (p. 58); Figure 3-2: Double VLAN Tagging Network Example (p. 59); Figure 3-3: Network Topology for VLAN Configuration (p. 61); Figure 3-4: Port-channel Configuration (p. 66); Figure 3-5: STP Blocking...
  • Page 16 Figure 4-5: CoPP Configuration Topology (p. 146); Figure 5-1: CoS Mapping and Queue Configuration (p. 151); Figure 5-2: DiffServ Internet Access Example Network Diagram (p. 154); Figure 6-1: System Log Topology (p. 173); Figure 6-2: Syslog Server Screen (p. 175); Figure 6-3: Syslog packet capture (p. 175); Figure 7-1: Inter-VLAN Routing...
  • Page 17 LIST of TABLES: Table 3-1: VLAN default and maximum values (p. 60); Table 3-2: Example VLAN (p. 60); Table 3-3: Switch Port Configuration (p. 61); Table 3-4: Switchport Mode Behavior (p. 65); Table 4-1: Authentication Method Summary (p. 127); Table 4-2: Common EtherType Numbers (p. 140); Table 4-3: Common IP Protocol Numbers...
  • Page 18 Table 9-2: 802.1p-to-TCG Mapping (p. 242); Table 9-3: TCG Bandwidth and Scheduling (p. 242); Table 9-4: VLAN and VXLAN Comparison (p. 250); Table 9-5: Terms and Acronyms (p. 254); Table 9-6: Terms and Acronyms (Cont.) (p. 255); Table 9-7: Terms and Acronyms (Cont.) (p. 256)...
  • Page 19: QuantaMesh QNOS5 Features

    1. QuantaMesh QNOS5 Features This section provides a brief overview of the supported QNOS features. The features are categorized as follows: 1.1. Switching Features Introduction 1.1.1. VLAN Support VLANs are collections of switching ports that comprise a single broadcast domain. Packets are classified as belonging to a VLAN based on either the VLAN tag or a combination of the ingress port and packet contents.
  • Page 20: Bridge Protocol Data Unit (BPDU) Guard

    Multiple Spanning Tree (MSTP) operation maps VLANs to spanning tree instances. Packets assigned to various VLANs are transmitted along different paths within MSTP Regions (MST Regions). Regions are one or more interconnected MSTP bridges with identical MSTP settings. The MSTP standard lets administrators assign VLAN traffic to unique paths.
  • Page 21: Asymmetric Flow Control

    Flow control enables lower speed switches to communicate with higher speed switches by requesting that the higher speed switch refrains from sending packets. Transmissions are temporarily halted to prevent buffer overflows. 1.1.13. Asymmetric Flow Control When in asymmetric flow control mode, the switch responds to PAUSE frames received from peers by stopping packet transmission, but the switch does not initiate MAC control PAUSE frames.
  • Page 22: VLAN-Aware MAC-Based Switching

    Expandable ports allow the administrator to configure a 40GbE port in either 4×10GbE mode or 1×40GbE mode. When the 40GbE port is operating in 4×10GbE mode, the port operates as four 10GbE ports, each on a separate lane. This mode requires the use of a suitable 4×10GbE to 1×40GbE pigtail cable. Expandable port capability can be enabled on 40G ports using the CLI command [no] port-mode.
  • Page 23: sFlow

    Port mirroring monitors and mirrors network traffic by forwarding copies of incoming and outgoing packets from up to four source ports to a monitoring port. The switch also supports flow-based mirroring, which allows you to copy certain types of traffic to a single destination port. This provides flexibility—instead of mirroring all ingress or egress traffic on a port the switch can mirror a subset of that traffic.
  • Page 24: MAC Multicast Support

    1.1.29. MAC Multicast Support Multicast service is a limited broadcast service that allows one-to-many and many-to-many connections. In Layer 2 multicast services, a single frame addressed to a specific multicast address is received, and copies of the frame to be transmitted on each relevant port are created. 1.1.30.
  • Page 25: Management and Control Plane ACLs

    1.1.35. Management and Control Plane ACLs This feature provides hardware-based filtering of traffic to the CPU. An optional 'management' feature is available to apply the ACL on the CPU port. Currently, control packets like BPDU are dropped because of the implicit 'deny all' rule added at the end of the list. To overcome this rule, you must add rules that allow the control packets.
  • Page 26: FIP Snooping

    1.1.39. FIP Snooping The FCoE Initialization Protocol (FIP) is used to perform the functions of FC_BB_E device discovery, initialization, and maintenance. FIP uses a separate EtherType from FCoE to distinguish discovery, initialization, and maintenance traffic from other FCoE traffic. FIP frames are standard Ethernet size (1518 Byte 802.1q frame), whereas FCoE frames are a maximum of 2240 bytes.
  • Page 27: AAA Command Authorization

    You can configure rules to limit access to the switch management interface based on criteria such as access type and source IP address of the management host. You can also require the user to be authenticated locally or by an external server, such as a RADIUS server. 1.2.2.
  • Page 28: MAC Authentication Bypass

    QNOS software supports RADIUS-based assignment (via 802.1X) of VLANs, including guest and unauthenticated VLANs. The Dot1X feature also supports RADIUS-based assignment of filter IDs as well as MAC-based authentication, which allows multiple supplicants connected to the same port to each authenticate individually.
  • Page 29: Access Control Lists (ACL)

    1.3.1. Access Control Lists (ACL) Access Control Lists (ACLs) ensure that only authorized users have access to specific resources while blocking off any unwarranted attempts to reach network resources. ACLs are used to provide traffic flow control, restrict contents of routing updates, decide which types of traffic are forwarded or blocked, and above all provide security for the network.
  • Page 30: Management of Basic Network Information

    Use a Telnet client, SSH client, or a direct console connection to access the CLI. The CLI syntax and semantics conform as much as possible to common industry practice. Use a network management system (NMS) to manage and monitor the system through SNMP. The switch supports SNMP v1/v2c/v3 over the UDP/IP transport protocol.
  • Page 31: Warm Reboot

    The Auto Install feature allows the switch to upgrade to a newer software image and update the configuration file automatically during device initialization with limited administrative configuration on the device. The switch can obtain the necessary information from a DHCP server on the network. 1.4.8.
  • Page 32: System Time Management

    1.4.13. System Time Management You can configure the switch to obtain the system time and date through a remote Simple Network Time Protocol (SNTP) server, or you can set the time and date locally on the switch. You can also configure the time zone and information about time shifts that might occur during summer months.
  • Page 33: Interface Error Disable And Auto Recovery

    specify which NOS to load and run on the switch. ONIE support in QNOS facilitates automated data center provisioning by enabling a bare-metal network switch ecosystem. ONIE is a small operating system. It is preinstalled as firmware and requires an ONIE-compliant boot loader (U-Boot/BusyBox), a kernel (Linux) and the ONIE discovery and execution application provided by the ODM.
  • Page 34: VLAN Routing

    • Proprietary BGP MIB support for reporting status variables and internal counters. • Additional route map support: o Match as-path o Set as-path o Set local-preference o Set metric • Support for inbound and outbound neighbor-specific route maps. • Handles the BGP RTO full condition. ...
  • Page 35: BOOTP/DHCP Relay Agent

    You can create static ARP entries and manage many settings for the dynamic ARP table, such as age time for entries, retries, and cache size. 1.5.7. BOOTP/DHCP Relay Agent The switch BOOTP/DHCP Relay Agent feature relays BOOTP and DHCP messages between DHCP clients and DHCP servers that are located in different IP subnets.
  • Page 36: VRF Lite Operation and Configuration

    QNOS5, OSPF and BGP can use BFD for monitoring of their neighbors' availability in the network and for fast detection of connection faults with them. 1.5.13. VRF Lite Operation and Configuration The Virtual Routing and Forwarding feature enables a router to function as multiple routers. Each virtual router manages its own routing domain, with its own IP routes, routing interfaces, and host entries.
  • Page 37: PIM IPv6 Support

    1.6.2.4. PIM IPv6 Support PIM-DM and PIM-SM support IPv6 routes. 1.6.3. MLD/MLDv2 (RFC2710/RFC3810) MLD is used by IPv6 systems (listeners and routers) to report their IP multicast addresses memberships to any neighboring multicast routers. The implementation of MLD v2 is backward compatible with MLD v1. MLD protocol enables the IPv6 router to discover the presence of multicast listeners, the nodes that want to receive the multicast data packets, on its directly attached interfaces.
  • Page 38: VXLAN Gateway

    Note: Support for CoS Queuing and ETS is not available on all platforms. 1.7.4. VXLAN Gateway Logically segregated virtual networks in a data center are sometimes referred to as data center VPNs. The QNOS VXLAN Gateway is a solution that allows VXLAN to communicate with another network, particularly a VLAN.
  • Page 39: Getting Started

    2. Getting Started 2.1. Accessing the switch Command-Line Interface The command-line interface (CLI) provides a text-based way to manage and monitor the switch features. You can access the CLI by using a direct connection to the console port or by using a Telnet or SSH client. To access the switch by using Telnet or Secure Shell (SSH), the switch must have an IP address configured on either the service port or the management VLAN interface, and the management station you use to access the device must be able to ping the switch IP address.
  • Page 40: Accessing the Switch CLI Through the Network

    After a successful login, the screen shows the system prompt, for example (QCT) # To view service port network information, type show serviceport and press ENTER. (QCT) #show serviceport Interface Status....... Up IP Address........172.16.1.91 Subnet Mask........255.255.255.0 Default Gateway........ 172.16.1.254 IPv6 Administrative Mode.......
  • Page 41: Configuring Service Port Information

    Alternatively, you can choose to manage the switch through the production network, which is known as in-band management. Because in-band management traffic is mixed in with production network traffic, it is subject to all of the filtering rules usually applied on a switched/routed port such as ACLs and VLAN tagging. You can access the in-band network management interface through a connection to any front-panel port.
  • Page 42: DHCP Option 61

    To manually configure the IPv6 address, subnet mask, enter: (QCT)(config)#interface vlan 1 (QCT)(if-vlan 1)#ipv6 address address/prefix-length [eui64] To view the In-Band management information, enter: show ip interface. show ipv6 interface To save these changes so they are retained during a switch reset, enter the following command: copy running-config startup-config 2.2.2.
  • Page 43: Booting the Switch

    in interface configuration mode. (QCT) (Interface 0/1)#ip address dhcp client-id Physical Interface: To enable DHCP with client-id (option 61) on the physical interface, issue the commands as shown below: (QCT) #config (QCT) (Config)#interface 0/4 (QCT) (Interface 0/4)#ip address dhcp client-id VLAN Interface: To enable DHCP with client-id (option 61) on the VLAN interface, issue the commands as shown below:...
  • Page 44: Utility Menu Functions

    Quanta OS Startup -- Main Menu 1 - Start Quanta OS Application 2 - Display Utility Menu Select (1, 2): For information about the Boot menu, see “Utility Menu Functions”. 5. If you do not start the boot menu, the operational code continues to load. After the switch boots successfully, the User login prompt appears and you can use the local terminal to begin configuring the switch.
  • Page 45: Start QNOS5 Application

    - Start Quanta OS Application - Load Code Update Package - Load Configuration - Select Serial Speed - Retrieve Error Log - Erase Current Configuration - Erase Permanent Storage - Select Boot Method - Activate Backup Image - Start Diagnostic Application - Reboot - Erase All Configuration Files - Quit from Quanta OS Startup...
  • Page 46 If you use TFTP to download the code, the switch must be connected to the network, and the code to download must be located on the TFTP server. When you use XMODEM, YMODEM, or ZMODEM to download the code, the code must be located on an administrative system that has a console connection to the switch.
  • Page 47: Load Configuration

    Creating tmpfs filesystem on tmpfs for download...done. Select Mode of Transfer (Press T/X/Y/Z for TFTP/XMODEM/YMODEM/ZMODEM) []: 2. Specify the protocol to use for the download. • Enter X to download the image by using the XMODEM file transfer protocol. • Enter Y to download the image by using the YMODEM file transfer protocol.
  • Page 48: Select Serial Speed

    4. Respond to the prompts to begin the file transfer. The configuration file download procedures are very similar to the software image download procedures. For more information about the prompts and how to respond, see “Load Code Update Package”. 2.3.1.4. Select Serial Speed Use option 4 to change the baud rate of the serial interface (console port) on the switch.
  • Page 49: Erase Current Configuration

    2. Specify the protocol to use for the download. 3. Respond to the prompts to begin the file transfer. If you use TFTP to upload the file from the switch to the TFTP server, the prompts and procedures are very similar to the steps described for the TFTP software image download. For more information about the prompts and how to respond, see “Load Code Update Package”.
  • Page 50: Activate Backup Image

    If you select a new boot method, the switch uses the selected method for the next boot cycle. 2.3.1.9. Activate Backup Image Use option 9 to activate the backup image. The active image becomes the backup when you select this option.
  • Page 51: Using the Command-Line Interface

    These standards-based management methods allow you to configure and monitor the components of the QNOS software. The method you use to manage the system depends on your network size and requirements, and on your preference. Note: Not all features are supported on all hardware platforms, so some CLI commands and object identifiers (OIDs) might not be available on your platform.
  • Page 52: SNMPv3

    2.4.2.1. SNMPv3 SNMP version 3 (SNMPv3) adds security and remote configuration enhancements to SNMP. QNOS has the ability to configure SNMP server, users, and traps for SNMPv3. Any user can connect to the switch using the SNMPv3 protocol, but for authentication and encryption, you need to configure a new user profile. To configure a profile by using the CLI, see the SNMP section in the QNOS CLI Command Reference.
  • Page 53 testRW Read/Write Default
    Community-String   Group Name     IP Address
    ------------------ -------------- ----------------
    private            DefaultWrite
    public             DefaultRead
    testRO             DefaultRead
    testRW             DefaultWrite
    Traps are enabled. Authentication trap is enabled.
    Version 1,2 notifications
    Target Address   Type   Community   Version   UDP Port   Filter name   Retries
    ---------------  -----  ----------  --------  ---------  ------------  -------
    172.16.1.100     Trap   testRO...
  • Page 54 (QCT) (Config)#snmp-server host 172.16.1.102 traps version 3 testUSER noauth
    5. Verify the configuration.
    (QCT) #show snmp views
    Name           OID Tree             Type
    -------------  -------------------  --------
    Default                             Included
    Default        snmpVacmMIB          Excluded
    Default        usmUser              Excluded
    Default        snmpCommunityTable   Excluded
    testVIEW                            Included
    DefaultSuper                        Included
    (QCT) #show snmp group
    Name Context Security...
  • Page 55 (QCT) #show snmp user
    Name        Group Name   Auth Meth   Priv Meth   Remote Engine ID
    ----------  -----------  ----------  ----------  ------------------------
    testUSER    testGROUP                            80001c4c03000000000004
    (QCT) #show snmp
    Community-String   Community-Access   View Name   IP Address
    ------------------ ------------------ ----------- ------------
    private            Read/Write         Default
    public             Read Only          Default
    testRO             Read Only...
  • Page 56 Version 3 notifications
    Target Address   Type   Username   Security Level   UDP Port   Filter name   Retries
    ---------------  -----  ---------  ---------------  ---------  ------------  -------
    172.16.1.102     Trap   testUSER   NoAuth-N...
    System Contact:
    System Location:...
  • Page 57: Configuring L2 Switching Features

    3. Configuring L2 Switching Features 3.1. VLANs By default, all switchports on the switch are in the same broadcast domain. This means when one host connected to the switch broadcasts traffic, every device connected to the switch receives that broadcast. All ports in a broadcast domain also forward multicast and unknown unicast traffic to the connected host.
  • Page 58: VLAN Tagging

    Figure 3-1: Simple VLAN Topology In this example, each port is manually configured so that the end station attached to the port is a member of the VLAN configured for the port. The VLAN membership for this network is port-based or static. 3.1.1.
  • Page 59: Default VLAN Behavior

    the switch can differentiate between customers in the MAN while preserving an individual customer’s VLAN identification when the traffic enters the customer’s 802.1Q domain. With the introduction of this second tag, customers are no longer required to divide the 4-byte VLAN ID space to send traffic on an Ethernet-based MAN.
  • Page 60: VLAN Configuration Example

    Table 3-1: VLAN default and maximum values 3.1.4. VLAN Configuration Example A network administrator wants to create the VLANs in Table 2: Table 3-2: Example VLAN Figure 3 shows the network topology for this example. As the figure shows, there are two switches, two file servers, and many hosts.
  • Page 61: Figure 3-3: Network Topology for VLAN Configuration

    Figure 3-3: Network Topology for VLAN Configuration The network in Figure 3 has the following characteristics: • Each connection to a host represents multiple ports and hosts. • The Payroll and File servers are connected to the switches through a Port-channel. •...
  • Page 62: Configuring the VLANs and Ports on Switch 1

    3.1.4.1. Configuring the VLANs and Ports on Switch 1 Use the following steps to configure the VLANs and ports on Switch 1. None of the hosts that connect to Switch 1 use the Engineering VLAN (VLAN 100), so it is not necessary to create it on that switch. To configure Switch 1:
  • Page 63 6. To save the configuration so that it persists across a system reset, use the following command: (QCT) #copy running-config startup-config 7. View the VLAN settings. (QCT) #show vlan VLAN ID VLAN Name VLAN Type Interface(s) ------- -------------------------------- ---------- ------------------------- default Default 0/1,0/2,0/3,0/4,0/5,0/6,...
  • Page 64: Configuring the VLANs and Ports on Switch 2

    Interface is member in: VLAN ID VLAN Name VLAN Type Egress rule ------- -------------------------------- ----------------- ----------- default Default Untagged Marketing Static Tagged Payroll Static Tagged 3.1.4.2. Configuring the VLANs and Ports on Switch 2 Use the following steps to configure the VLANs and ports on Switch 2. Many of the procedures in this section are the same as procedures used to configure Switch 1.
  • Page 65: Table 3-4: Switchport Mode Behavior

    are dropped. If the VLAN associated with an access port is deleted, the PVID of the access port is set to VLAN 1. VLAN 1 may not be deleted. • Trunk — Trunk-mode ports are intended for switch-to-switch links. Trunk ports can receive both tagged and untagged packets.
  • Page 66: Port-Channels - Operation and Configuration

    The General mode port can then be configured as a tagged or untagged member of any VLAN, as shown in “VLAN Configuration Example”. 3.3. Port-channels – Operation and Configuration Port-channel allows one or more full-duplex (FDX) Ethernet links of the same speed to be aggregated together to form a Port-channel.
  • Page 67: Resilient Hashing

    QNOS software supports configuration of hashing algorithms for each Port-channel interface. The hashing algorithm is used to distribute traffic load among the physical ports of the Port-channel while preserving the per-flow packet order. The hashing algorithm uses various packet attributes to determine the outgoing physical port. The switch supports the following set of packet attributes to be used for hash computation: ...
  • Page 68: Port-Channel Interface Overview

    An ECMP group is identified by the IP address of one of its members. By entering the IP address in the form <prefix/prefix-length>, the utility predicts the packet's physical egress port based on the destination ECMP group. To predict an egress physical port when the egress objects are VLAN routing interfaces with Port-channel or port interfaces as members of the VLANs, the utility requires the PVID to be configured on the interfaces and the next hops to be fully installed in hardware.
  • Page 69: STP

    it's a member of a Port-channel. However, this configuration is only actually applied when the port leaves the Port-channel. The Port-channel interface can be a member of a VLAN complying with IEEE 802.1Q. 3.3.4.2. STP Spanning tree does not maintain state for members of a Port-channel, but the Spanning Tree does maintain state for the Port-channel interface.
  • Page 70: Configuration Dynamic Port-Channels

    3.3.5.2. Configuration Dynamic Port-channels The commands in this example show how to configure a dynamic Port-channel on a switch. The Port-channel number is 1 (ch1), and the member ports are 1, 2, 3, 6, and 7. To configure the switch: 1.
  • Page 71: Configuration Static Port-Channels

    partner/long 3.3.5.3. Configuration Static Port-channels The commands in this example show how to configure a static Port-channel on a switch. The Port-channel number is 3 (ch3), and the member ports are 10, 11, 14, and 17. To configure the switch: 1.
  • Page 72: LACP Fallback Configuration

    0/17 actor/long 10G Full False partner/long 3.4. LACP Fallback Configuration 3.4.1. Configuring Dynamic Port-channels The commands in this example show how to configure a dynamic Port-channel on a switch. The Port-channel number is 1 (ch1), and the member ports are 1, 2, 3, 6, and 7. To configure the switch: 1.
  • Page 73: Configuring Static Port-Channels

    partner/long actor/long 10G Full False partner/long actor/long 10G Full False partner/long actor/long 10G Full False partner/long 4. (Optional) Enable the LACP Fallback feature, which lets the switch keep one LACP member port link up even if the LACP port does not receive LACP messages from the other side. (QCT) (if-port-channel ch1)#lacp fallback 5.
  • Page 74: MLAG - Operation and Configuration

    1. Enter interface configuration mode for the ports that are to be configured as Port-channel members. (QCT) (Config)#interface range 0/10-0/12,0/14,0/17 2. Add the ports to Port-channel 3 without LACP. (QCT) (Interface 0/10-0/12,0/14,0/17)#channel-group 3 mode on (QCT) (Interface 0/10-0/12,0/14,0/17)#exit (QCT) (Config)#exit 3.
  • Page 75: Overview

    3.5.1. Overview In a typical layer-2 network, the Spanning Tree Protocol (STP) is deployed to avoid packet storms due to loops in the network. To perform this function, STP sets ports into either a forwarding state or a blocking state. Ports in the blocking state do not carry traffic. In the case of a topology change, STP reconverges to a new loop-free network and updates the port states.
  • Page 76: Definitions

    Figure 3-6: MLAG in a Layer-2 Network 3.5.2.1. Definitions Refer to Figure 7 for the definitions that follow. Figure 3-7: MLAG Components MLAG switches: MLAG-aware switches running QNOS switch firmware. No more than two MLAG aware switches can pair to form one end of the Port-channel. Stacked switches do not support MLAGs. In the above figure, SW1 and SW2 are MLAG peer switches.
  • Page 77: Configuration Consistency

    MLAG switches. Port-channel limitations and capabilities such as min-links and maximum number of ports supported per Port-channel also apply to MLAG interfaces. MLAG member ports: Ports on the peer MLAG switches that are part of the MLAG interface (P1 on SW1 and S1 on SW2).
  • Page 78 • Bpduflood • Auto-edge • TCN-guard • Cost • Edgeport • STP Version • STP MST VLAN configuration • STP MST instance configuration (MST instance ID/port priority/port cost/mode) • Root guard • Loop guard 3. Port-channel interface The following Port-channel attributes must be identical for MLAG Port-channels: ...
  • Page 79: MLAG Fast Failover

    not in sync, the MLAG behavior is undefined. Once the above configuration is in place and consistent, the two switches will form a MLAG that operates in the desired manner. The MLAG may form even if the configuration is not consistent, however, it may not operate consistently in all situations. 3.5.3.
  • Page 80 (QCT) #config (QCT) (Config)#mlag 3. Create the MLAG domain ID. The domain ID configured on both MLAG peer switches should be the same. In a two-tier MLAG topology, each pair should have a different domain ID. (QCT) (Config)#mlag domain 1 4. Configure the MLAG system MAC address and/or MLAG system priority (optional). (QCT) (Config)#mlag system-mac C4:54:44:01:01:01 5.
  • Page 81 also be configured with this command. The configurable range for the UDP port is 1 to 65535 (default is 60000). (QCT) (if-vlan100)#ip address 192.168.0.2 255.255.255.0 (QCT) (if-vlan100)#exit c. Configure the keepalive source and destination IP address. (QCT) #config (QCT) (Config)#mlag peer-keepalive destination 192.168.0.1 source 192.168.0.2 d.
  • Page 82: Unidirectional Link Detection (Udld)

    member is removed from the MLAG interface, the Primary decides if the minimum criteria are satisfied. If they are not, it shuts down the MLAG interface on both devices. Shutting down the MLAG interface on the Secondary is not allowed; the MLAG interface can only be shut down on the Primary. FDB entries learned on MLAG interfaces are synced between the two devices.
  • Page 83: Figure 3-9: Udld Configuration Example

    This example shows the steps to configure UDLD on Switch 1 only. The same configuration must be performed on all ports that form partner links with the ports on Switch 1. Figure 3-9: UDLD Configuration Example To configure the ports on Switch 1: 1.
  • Page 84: Port Mirroring

    Disabled Normal Not Applicable Disabled Normal Not Applicable Enabled Aggressive Bidirectional Disabled Normal Not Applicable --More-- or (q)uit Note: If a port has become disabled by the UDLD feature and you want to re-enable the port, use the udld command in Privileged EXEC mode. reset 3.7.
  • Page 85: Configuring Rspan

    (QCT) (Config)#port-monitor session 1 mode (QCT) (Config)#exit 4. View summary information about the port mirroring configuration. (QCT) #show port-monitor session 1 Session Admin Probe Src Mirrored Ref. Type Mode Port VLAN Port Port RVLAN RVLAN ------- ------- ------- ---- -------- ------- ----- ----- ---- ------- ------- Enable 0/10...
  • Page 86: Configuration On The Intermediate Switch (Sw2)

    (QCT) (Config)#vlan database (QCT) (Vlan)#vlan 100 (QCT) (Vlan)#exit 2. Configure VLAN 100 as the RSPAN VLAN. (QCT) #configure (QCT) (Config)#vlan 100 (QCT) (Config)(vlan 100)#remote-span (QCT) (Config)(vlan 100)#exit 3. Configure the RSPAN VLAN as the destination port and the reflector port as port 0/48. (QCT) #configure (QCT) (Config)#port-monitor session 1 destination remote vlan 100 reflector-port 0/48 4.
  • Page 87: Configuration On The Destination Switch (Sw3)

    (QCT) (Interface 0/48)#switchport allowed vlan add tagged 100 (QCT) (Interface 0/48)#exit 3.7.2.3. Configuration on the Destination Switch (SW3) 3.7.3. VLAN-based Mirroring In this example, traffic from all ports that are members of VLAN 10 is mirrored to port 0/18. To configure VLAN based mirroring: 1.
  • Page 88: Spanning Tree Protocol

    (QCT) (Config-mac-access-list)#exit 3. Configure the destination port as port 0/18. (QCT) (Config)#port-monitor session 1 destination interface 0/18 4. Configure the source port as port 0/2. (QCT) (Config)#port-monitor session 1 source interface 0/2 5. Enable the port mirroring session. (QCT) (Config)#port-monitor session 1 mode 6.
  • Page 89: Mstp In The Network

    The switches (bridges) that participate in the spanning tree elect a switch to be the root bridge for the spanning tree. The root bridge is the switch with the lowest bridge ID, which is computed from the unique identifier of the bridge and its configurable priority number. When two switches have an equal bridge ID value, the switch with the lowest MAC address is the root bridge.
  • Page 90: Figure 3-12: Single Stp Topology

    Figure 3-12: Single STP Topology For VLAN 10 this single STP topology is fine and presents no limitations or inefficiencies. On the other hand, VLAN 20's traffic pattern is inefficient. All frames from Switch B will have to traverse a path through Switch A before arriving at Switch C.
  • Page 91: Figure 3-13: Logical Mstp Environment

    Figure 3-13: Logical MSTP Environment For MSTP to correctly establish the different MSTIs as above, some additional changes are required. For example, the configuration would have to be the same on each and every bridge. That means that Switch B would have to add VLAN 10 to its list of supported VLANs.
  • Page 92: Optional Stp Features

    To further illustrate the full connectivity in an MSTP active topology, the following rules apply: 1. Each Bridge or LAN is in only one Region. 2. Every frame is associated with only one VID. 3. Frames are allocated either to the IST or MSTI within any given Region. 4.
  • Page 93: Root Guard

    Ports that have the Edge Port feature enabled continue to transmit BPDUs. The BPDU filtering feature prevents ports configured as edge ports from sending BPDUs. If BPDU filtering is configured globally on the switch, the feature is automatically enabled on all operational ports where the Edge Port feature is enabled.
  • Page 94: Stp Configuring Examples

    flapping. In normal cases, these ports do not receive any BPDU packets. However, someone may forge BPDUs to maliciously attack the switch and cause network flapping. BPDU protection can be enabled in RSTP to prevent such attacks. When BPDU protection is enabled, the switch disables an edge port that has received a BPDU and notifies the network manager about it.
  • Page 95: Configuring Mstp

    The administrator also configures Port Fast BPDU filtering and Loop Guard to extend STP's capability to prevent network loops. For all other STP settings, the administrator uses the default STP values. To configure the switch: 1. Configure the spanning tree mode to STP mode (IEEE 802.1d). (QCT) #config (QCT) (Config)#spanning-tree mode stp 2.
  • Page 96: Figure 3-15: Mstp Configuration Example

    Figure 3-15: MSTP Configuration Example To make multiple switches be part of the same MSTP region, make sure the STP operational mode for all switches is MSTP. Also, make sure the MST region name and revision level are the same for all switches in the region.
  • Page 97: Igmp Snooping

    5. Change the region name so that all the bridges that want to be part of the same region can form the region. (QCT) (Config)#spanning-tree configuration name QCT 6. (Switch A only) Make Switch A the Regional Root for MSTI 1 by configuring a higher priority for MST ID 10. (QCT) (Config)#spanning-tree mst priority 10 12288 7.
  • Page 98: Figure 3-16: Switch With Igmp Snooping

    necessary. The switch can send queries even if it is not the IGMP snooping querier and will use 0.0.0.0 as the source IP address. This will not cause any disruption to the operation of an external querier. In this configuration, an IP-multicast router is not required. The three hosts in Figure 16 are connected to ports that are enabled for IGMP snooping and are members of VLAN 100.
  • Page 99 6. View the VLAN routing interface information. (QCT) #show ip interface brief Netdir Multi Interface State IP Address IP Mask Method Bcast CastFwd ---------- ----- --------------- --------------- --------------- -------- -------- -------- vlan 1 Down 0.0.0.0 0.0.0.0 Primary None Disable Disable vlan 100 Down 0.0.0.0...
  • Page 100: Igmpv3/Ssm Snooping

    0/24 VLANs enabled for IGMP snooping....100 VLANs Block enabled for snooping....None (QCT) #show igmp snooping querier vlan 100 VLAN 100 : IGMP Snooping querier status ---------------------------------------------- IGMP Snooping Querier VLAN Mode....Enable Querier Election Participate Mode....Disable Querier VLAN Address......0.0.0.0 Operational State......
  • Page 101: Mld Snooping

    multicast address. This information is used by snooping switches to avoid delivering multicast packets from specific sources to networks where there are no interested receivers. No additional configuration is required to enable IGMPv3/SSM snooping. It is enabled or disabled when snooping is enabled on a VLAN/interface.
  • Page 102: Mld Snooping Configuration Example

    General Query: to learn which multicast addresses have multicast listeners.
    Multicast address specific query: to learn if a particular multicast address has any listeners.
    Multicast Address and Source Specific Queries: to learn if any of the sources from the specified list for the particular multicast address have any listeners.
  • Page 103: Mld Snooping Verification Example

    (Switch-1) (Vlan)#set mld 1 Step 2. Enable MLD snooping on all interfaces and all VLANs (Switch-1) (Config)#ipv6 mld snooping interfacemode all Step 2. Enable MLD snooping on specific interfaces 0/3-0/9 (Switch-1) (Config)#interface range 0/3-0/9 (Switch-1) (Interface 0/3-0/9)#ipv6 mld snooping interfacemode 3.10.1.2.
  • Page 104: Mld Snooping Configuration

    3.10.2.1. MLD Snooping Configuration Figure 3-18: MLD Snooping Leave Configuration Topology Step 1. Enable MLD Snooping on VLAN 1. (Switch-1) (Config)#vlan database (Switch-1) (Vlan)#set mld 1 (Switch-1) (Vlan)#set mld fast-leave 1 Step 1. Enable MLD snooping on all interfaces and all VLANs (Switch-1) (Config)#ipv6 mld snooping interfacemode all (Switch-1) (Config)#ipv6 mld snooping fast-leave Step 1.
  • Page 105: Figure 3-19: Mld Snooping Querier Configuration Example

    Figure 3-19: MLD Snooping Querier Configuration Example MLD Snooping Querier Configuration (Switch-1) (Config)#vlan database (Switch-1) (Vlan)#set mld 1 (Switch-1) (Vlan)#exit (Switch-1) (Config)#ipv6 mld snooping (Switch-1) (Config)#ipv6 mld snooping querier address fe80::AAA (Switch-1) (Config)#ipv6 mld snooping querier (Switch-1) (Config)#ipv6 mld snooping querier vlan 1 Display MLD Snooping Querier detailed information.
  • Page 106: Lldp And Lldp-Med

    Querier Election Participate Mode....Disable Querier VLAN Address......:: Operational State......Querier Operational version......1 Operational Max Resp Time...... 10 3.11. LLDP and LLDP-MED LLDP is a standardized discovery protocol defined by IEEE 802.1AB. It allows stations residing on an 802 LAN to advertise major capabilities, physical descriptions, and management information to physically adjacent devices, allowing a network management system (NMS) to access and display this information.
  • Page 107 (QCT) #configure (QCT) (Config)#lldp timers interval 60 hold 5 reinit 3 2. Enable port 0/3 to transmit and receive LLDP PDUs. (QCT) (Config)#interface 0/3 (QCT) (Interface 0/3)#lldp transmit (QCT) (Interface 0/3)#lldp receive 3. Enable port 0/3 to transmit management address information in the LLDP PDUs and to send topology change notifications if a device is added or removed from the port.
  • Page 108: Sflow

    (QCT) #show lldp local-device detail 0/3 LLDP Local Device Detail Interface: 0/3 Chassis ID Subtype: MAC Address Chassis ID: 2C:60:0C:52:18:3F Port ID Subtype: MAC Address Port ID: 2C:60:0C:52:18:41 System Name: QCT System Description: LY8, Runtime Code 5.4.00.37, Linux 3.8.13-rt9, U-Boot 2010.12 (Oct 03 2014 - 14:38:07) - ONIE 2014.05.03-7 Port Description: Test Lab Port System Capabilities Supported: bridge, router...
  • Page 109: Sflow Sampling

    Figure 3-20: sFlow Architecture The advantages of using sFlow are: • It is possible to monitor all ports of the switch continuously, with no impact on the distributed switching performance. • Minimal memory is required. Samples are not aggregated into a flow-table on the switch; they are forwarded immediately over the network to the sFlow receiver.
  • Page 110: Packet Flow Sampling

    To perform Packet Flow Sampling, an sFlow Sampler Instance is configured with a Sampling Rate. Packet Flow sampling results in the generation of Packet Flow Records. To perform Counter Sampling, an sFlow Poller Instance is configured with a Polling Interval. Counter Sampling results in the generation of Counter Records. sFlow Agents collect Counter Records and Packet Flow Records and send them as sFlow datagrams to sFlow Collectors.
  • Page 111 This example shows how to configure the switch so that ports 10-15 and port 23 send sFlow datagrams to an sFlow receiver at the IP address 192.168.20.34. The receiver owner is receiver1, and the timeout is 100000 seconds. A counter sample is generated on the ports every 60 seconds (polling interval), and 1 out of every 8192 packets is sampled.
  • Page 112: Link Dependency

    0/11 0/12 0/13 0/14 0/15 0/23 (QCT) #show sflow samplers Sampler Receiver Packet Max Header Data Source Index Sampling Rate Size ----------- ------- ------------- ---------- 0/10 8192 0/11 8192 0/12 8192 0/13 8192 0/14 8192 0/15 8192 0/23 8192 3.13. Link Dependency The following commands configure a link-dependency group.
  • Page 113: Ar Guard

    (QCT) (Interface 0/8)#link state group 1 upstream (QCT) (Interface 0/8)#exit (QCT) (Config)#interface range 0/3, 0/5 (QCT) (Interface 0/3,0/5)#link state group 1 downstream (QCT) (Interface 0/3,0/5)#exit To view link dependency settings for all groups or for the specified group, along with the group state, use the commands show link state group [group_id] and show link state group group-id detail.
  • Page 114 The FIP Snooping Bridge solution in QNOS is intended for use only at the edge or perimeter of the switched network and not on an interior switch. To configure FIP snooping: 1. For ports connected to CNAs/ENodes, enable LLDP and DCBX and configure them as DCBX auto-down ports.
  • Page 115 (QCT) (Config)#vlan database (QCT) (Vlan)#vlan 1000 (QCT) (Vlan)#exit 5. Add VLAN 1000 membership to the ports connected to CNAs and FCF. Enable VLAN tagging on these ports for the FCoE VLAN using the following interface commands. (QCT) #config (QCT) (Config)#interface range 0/9-0/11 (QCT) (Interface 0/9-0/11)#switchport allowed vlan add tagged 1000 (QCT) (Interface 0/9-0/11)#exit (QCT) (Config)#exit...
  • Page 116 (QCT) (Config)(Vlan 1000)#exit (QCT) (Config)#queue cos-map all 0 0 (QCT) (Config)#queue cos-map all 1 1 (QCT) (Config)#queue cos-map all 2 2 (QCT) (Config)#queue cos-map all 3 3 (QCT) (Config)#queue cos-map all 4 4 (QCT) (Config)#queue cos-map all 5 5 (QCT) (Config)#queue cos-map all 6 6 (QCT) (Config)#queue cos-map all 7 7 (QCT) (Config)#interface 0/9 (QCT) (Interface 0/9)#description 'QCT CNA'...
  • Page 117: Ecn

    (QCT) (Config)#exit 3.16. ECN Explicit Congestion Notification (ECN) is defined in RFC 3168. Conventional TCP networks signal congestion by dropping packets. A Random Early Discard scheme provides earlier notification than a tail drop scheme by dropping packets already queued for transmission. ECN marks congested packets that would otherwise have been dropped and expects an ECN-capable receiver to signal congestion back to the transmitter without the need to retransmit the packet that would have been dropped.
  • Page 118: Enabling Ecn In Microsoft Windows

    QNOS implements ECN capability as part of the WRED configuration process. Eligible packets are marked by hardware based on the WRED configuration. The network operator can configure any CoS queue to operate in ECN marking mode and can configure different discard thresholds for each color. 3.16.1.
  • Page 119 1. Define a class-map so that all traffic will be in the set of traffic “cos-any”. (QCT) (Config)#class-map match-all cos-any ipv4 (QCT) (Config-classmap)#match any (QCT) (Config-classmap)#exit 2. Define a class-map such that all traffic with a CoS value of 1 will be in the set of traffic “cos1”. This will be used as a conform-color class map.
  • Page 120 (QCT) (Config-policy-classmap)#police-simple 10000000 64 conform-action transmit violate-action transmit (QCT) (Config-policy-classmap)#exit (QCT) (Config-policy-map)#exit 7. Define a policy-map in color aware mode matching class “cos-any” (IPv4). Ingress IPv4 traffic arriving at a port participating in this policy will be assigned green, yellow, or red coloring based on the meter. (QCT) (Config)#policy-map two-rate-policy in (QCT) (Config-policy-map)#class tcp 8.
  • Page 121: Example 2: Data Center Tcp (Dctcp) Configuration

    10. Set the exponential-weighting-constant. The exponential weighting constant smooths the result of the average queue depth calculation by the function: average depth = (previous queue depth * (1-1/2^n)) + (current queue depth * 1/2^n). The average depth is used in calculating the amount of congestion on a queue. Because the instantaneous queue depth fluctuates rapidly, larger values of the weighting constant cause the average queue depth value to respond to changes more slowly than smaller values.
  • Page 122 Yellow and red packet configuration (second and third threshold parameters) are kept at the defaults, as no metering to reclassify packets from green to yellow or red is present. The last threshold parameter configures non-TCP packets in CoS queues 0 and 1 to be processed with the WRED defaults. The ecn keyword enables ECN marking of ECN-capable packets on CoS queues 0 and 1.
  • Page 123: Configuring Security Features

    4. Configuring Security Features 4.1. Controlling Management Access A user can access the switch management interface only after providing a valid user name and password combination that matches the user account information stored in the user database configured on the switch.
  • Page 124: Radius Dynamic Authorization

    Figure 4-1: RADIUS Topology The server can authenticate the user itself or make use of a back-end device to ascertain authenticity. In either case a response may or may not be forthcoming to the client. If the server accepts the user, it returns a positive result with attributes containing configuration information.
  • Page 125 1. Enter RADIUS dynamic authorization configuration mode: (QCT) (config)#aaa server radius dynamic-author 2. Configure the DAC. The server-key, if configured, overrides the global shared secret for this client only: (QCT) (config-radius-da)#client 10.130.191.89 server-key 12345678 3. Set the accepted authorization types ( {all | any | session-key} ) for dynamic RADIUS clients: (QCT) (config-radius-da)#auth-type any...
  • Page 126: Using Tacacs+ To Control Management Access

    4.1.2. Using TACACS+ to Control Management Access TACACS+ (Terminal Access Controller Access Control System) provides access control for networked devices via one or more centralized servers. TACACS+ simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to encrypt all messages.
  • Page 127: Table 4-1: Authentication Method Summary

    • radius: Sends the user's ID and password to a RADIUS server to be authenticated. The method returns an error if the switch is unable to contact the server.
    • tacacs+: Sends the user's ID and password to a TACACS+ server to be authenticated. The method returns an error if the switch is unable to contact the server.
  • Page 128: Configuring Authentication Profiles For Post-Based Authentication

    always enters the Privileged EXEC mode without entering the enable password in the default configuration. The methods can be changed, but the preconfigured profiles cannot be deleted or renamed. 4.1.3.1. Configuring Authentication Profiles for Post-based Authentication In addition to authentication profiles to control access to the management interface, you can configure an authentication profile for IEEE 802.1X port-based access control to control access to the network through the switch ports.
  • Page 129: Configuring An Authentication Profile

    4.1.5. Configuring an Authentication Profile The commands in this example create a new authentication profile named myList that uses the RADIUS server configured in the previous example to authenticate users who attempt to access the switch management interface by using SSH or Telnet. If the RADIUS authentication is unsuccessful, the switch uses the local user database to attempt to authenticate the users.
  • Page 130: Configuring Dhcp Snooping, Dai, And Ipsg

    enableNetList enable deny Line Login Method List Enable Method List ------- ----------------- ------------------ Console defaultList enableList Telnet myList enableList myList enableList 4.2. Configuring DHCP Snooping, DAI, and IPSG Dynamic Host Configuration Protocol (DHCP) Snooping, IP Source Guard (IPSG), and Dynamic ARP Inspection (DAI) are layer 2 security features that examine traffic to help prevent accidental and malicious attacks on the switch or network.
  • Page 131: Populating The Dhcp Snooping Bindings Database

    • DHCPRELEASE and DHCPDECLINE messages are dropped if the MAC address is in the snooping database but the binding's interface is not the interface where the message was received.
    • On untrusted interfaces, the switch drops DHCP packets with a source MAC address that does not match the client hardware address.
  • Page 132: Dhcp Snooping Logging And Rate Limits

    DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules and updates the bindings database. If a client message passes filtering rules, the message is placed into the software forwarding path where it may be processed by the DHCP relay agent, the local DHCP server, or forwarded as an IP packet.
  • Page 133: Dynamic Arp Inspection Overview

    If IPSG is disabled on the ingress port, IPSG replies that the MAC is valid. If IPSG is enabled on the ingress port, IPSG checks the bindings database. If the MAC address is in the bindings database and the binding matches the VLAN the frame was received on, IPSG replies that the MAC is valid.
  • Page 134: Configuring Dhcp Snooping

    that provide network access to hosts that are in physically unsecured locations or if network users connect nonstandard hosts to the network. For example, if an employee unknowingly connects a workstation to the network that has a DHCP server, and the DHCP server is enabled, hosts that attempt to acquire network information from the legitimate network DHCP server might obtain incorrect information from the rogue DHCP server.
  • Page 135: Configuring Ipsg

    (QCT) (if-port-channel ch1)#exit 3. Enter interface configuration mode for all untrusted interfaces (ports 1-20) and limit the number of DHCP packets that an interface can receive to 100 packets per second. Port-channel 1 is a trusted port and keeps the default value for rate limiting (unlimited). (QCT) (Config)#interface range 0/1-0/20 (QCT) (Interface 0/1-0/20)#ip dhcp snooping limit rate 100 (QCT) (Interface 0/1-0/20)#exit...
  • Page 136: Acls

    (QCT) (Interface 0/1-0/20)#port-security (QCT) (Interface 0/1-0/20)#exit (QCT) (Config)#exit 3. View IPSG information. (QCT) #show ip verify source Interface Filter Type IP Address MAC Address VLAN ----------- ----------- --------------- ----------------- ----- ip-mac 192.168.3.45 00:1C:23:55:D4:8E ip-mac 192.168.3.33 00:1C:23:AA:B8:01 ip-mac 192.168.3.18 00:1C:23:55:1B:6E ip-mac 192.168.3.49 00:1C:23:67:D3:CC --More-- or (q)uit...
  • Page 137: Ip Acls

    • Source MAC mask
    • Destination MAC address
    • Destination MAC mask
    • VLAN ID
    • Class of Service (CoS) (802.1p)
    • EtherType
    L2 ACLs can apply to one or more interfaces. Multiple access lists can be applied to a single interface; the sequence number determines the order of execution.
  • Page 138: Acl Mirror Function

    4.3.4. ACL Mirror Function ACL mirroring provides the ability to mirror traffic that matches a permit rule to a specific physical port or Port-channel. Mirroring is similar to the redirect function, except that in flow-based mirroring a copy of the permitted traffic is delivered to the mirror interface while the packet itself is forwarded normally through the device.
  • Page 139: Acl Rule Remarks

    • Providing control of logging messages. Individual ACL rules defined within an ACL can be set to log traffic only at certain times of the day, so you can simply deny access without needing to analyze many logs generated during peak hours. 4.3.7.
  • Page 140: Acl Configuration Process

    4.3.10. ACL Configuration Process To configure ACLs, follow these steps: 1. Create a MAC ACL by specifying a name. 2. Create an IP ACL by specifying a number. 3. Add new rules to the ACL. 4. Configure the match criteria for the rules. 5.
  • Page 141: Ipv6 Acl Qualifiers

    Table 4-3: Common IP Protocol Numbers 4.3.12. IPv6 ACL Qualifiers IPv6 ACLs support the following additional qualifiers:
    • Qualify fragmented IPv6 packets (packets that have the next header field set to 44).
    • Qualify routed IPv6 packets (packets that have a routing extension header, i.e. the next header field set to 43).
  • Page 142: Figure 4-4: Ip Acl Example Network Diagram

    Figure 4-4: IP ACL Example Network Diagram To configure the switch: 1. Create an extended ACL and configure a rule for the ACL that permits packets carrying TCP traffic that matches the specified Source IP address (192.168.77.0/24), and sends these packets to the specified Destination IP address (192.168.77.50).
  • Page 143: Configuring A Mac Acl

    Match All........FALSE Protocol........6(tcp) Source IP Address......192.168.77.0 Source IP Wildcard Mask......0.0.0.255 Destination IP Address......192.168.77.50 Destination IP Wildcard Mask....0.0.0.0 Sequence Number: 2 Action......... permit Match All........FALSE Protocol........17(udp) Source IP Address......192.168.77.0 Source IP Wildcard Mask......0.0.0.255 Destination IP Address......
  • Page 144: Configuring A Time-Based Acl

    Current number of all ACLs: 2 Maximum number of all ACLs: 100 MAC ACL Name Rules Direction Interface(s) VLAN(s) ------------------------------- ----- --------- -------------- ---------- mac1 inbound 0/1, 0/2, 0/3, 0/4, 0/5, 0/6, 0/7, 0/8, 0/9, 0/10, --More-- or (q)uit (QCT) #show mac access-lists mac1 ACL Name: mac1 Inbound Interface(s): 0/1, 0/2, 0/3, 0/4, 0/5, 0/6, 0/7, 0/8, 0/9, 0/10, 0/11, 0/12, 0/13, 0/14,0/15, 0/16, 0/17, 0/18, 0/19, 0/20, 0/21, 0/22, 0/23, 0/24, 0/25, 0/26, 0/27, 0/28, 0/29,...
  • Page 145: Control Plane Policing (Copp)

    (QCT) (Config)#time-range work-hours 2. Configure an entry for the time range that applies to the morning shift Monday through Friday. (QCT) (Config-time-range)#periodic weekdays 8:00 to 12:00 3. Configure an entry for the time range that applies to the afternoon shift Monday through Friday. (QCT) (Config-time-range)#periodic weekdays 13:00 to 18:00 4.
  • Page 146: Copp Configuration Examples

    The following illustration shows an example of how to configure CoPP to deny or permit control packets destined to the switch. 4.4.1. CoPP Configuration Examples Figure 4-5: CoPP Configuration Topology 1. Create an extended ACL named test and configure rules for the ACL that deny ICMP, telnet and ssh packets that match the specified Source IP address (172.16.2.100/24).
  • Page 147 (QCT) #show ip access-lists test ACL Name: test Outbound Interface(s): control-plane Sequence Number: 1 Action......... deny Match All........False IPv4 Protocol........1(icmp) Source IP Address......172.16.2.100 Source IP Wildcard Mask......0.0.0.255 Sequence Number: 2 Action......... deny Match All........False IPv4 Protocol........6(tcp) Source IP Address......
  • Page 148: Service Prohibit Access

    Sequence Number: 5 Action......... permit Match All........TRUE 4.5. Service Prohibit Access In a typical network design, the switch front ports are used for normal L2/L3 traffic and the service port is used for switch management and monitoring. A better way to prevent a malicious user from accessing the switch through a front port is to isolate management traffic to the service port only.
  • Page 149: Configuring Quality Of Service

    5. Configuring Quality of Service 5.1. CoS The CoS feature lets you give preferential treatment to certain types of traffic over others. To set up this preferential treatment, you can configure the ingress ports, the egress ports, and individual queues on the egress ports to provide customization that suits your environment.
  • Page 150: Supported Queue Management Methods

    • Minimum bandwidth guarantee: A percentage of the port’s maximum negotiated bandwidth reserved for the queue.
    • Scheduler type (strict/weighted):
      – Strict priority scheduling gives an absolute priority, with traffic in the highest priority queues always sent first, and traffic in the lowest priority queues always sent last.
  • Page 151: Figure 5-1: Cos Mapping And Queue Configuration

    Figure 5-1: CoS Mapping and Queue Configuration Continuing this example, the egress port 0/8 is configured for strict priority on queue 6, and a weighted scheduling scheme is configured for queues 5-0. Assuming queue 5 has a higher weighting than queue 1 (relative weight values shown as a percentage, with 0% indicating the bandwidth is not guaranteed), the queue service order is 6 followed by 5 followed by 1.
  • Page 152: Diffserv

    2. For port 10, configure the 802.1p user priority 3 to send the packet to queue 5 instead of the default queue (queue 3). (QCT) (Interface 0/10)#queue cos-map 3 5 3. For port 10, specify that untagged VLAN packets should have a default priority of 2. (QCT) (Interface 0/10)#switchport priority 2 (QCT) (Interface 0/10)#exit 4.
  • Page 153: Diffserv Functionality And Switch Roles

    5.2.1. DiffServ Functionality and Switch Roles How you configure DiffServ support in QNOS software varies depending on the role of the switch in your network:
    • Edge device: An edge device handles ingress traffic, flowing towards the core of the network, and egress traffic, flowing away from the core.
  • Page 154: Figure 5-2: Diffserv Internet Access Example Network Diagram

    This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own Class B subnet that is allocated 25% of the available bandwidth on the port accessing the Internet. Figure 5-2: DiffServ Internet Access Example Network Diagram The following commands show how to configure the DiffServ example depicted in Figure 23.
  • Page 155 (QCT) (Config-classmap)#match srcip 172.16.40.0 255.255.255.0 (QCT) (Config-classmap)#exit 3. Create a DiffServ policy for inbound traffic named internet_access, adding the previously created department classes as instances within this policy. This policy uses the assign-queue attribute to put each department's traffic on a different egress queue. This is how the DiffServ inbound policy connects to the CoS queue settings established below.
  • Page 156: Configuring Switch Management Features

    6. Configuring Switch Management Features 6.1. Managing Images and Files Switches maintain several different types of files on the flash file system. Table 8 describes the files that you can manage. You use the copy command to copy a source file to a destination file. The copy command permits the following actions (depending on the file type): ...
  • Page 157: Uploading And Downloading Files

    • ZMODEM
    6.1.2. Uploading and Downloading Files To use FTP, TFTP, SFTP, or SCP for file management, you must provide the IP address of the remote system that is running the appropriate server (FTP, TFTP, SFTP, or SCP). Make sure there is a route from the switch to the remote system.
  • Page 158: Editing And Downloading Configuration Files

    • To use the configuration file on another switch
    • To manually edit the file
    You might download a configuration file from a remote server to the switch for the following reasons:
    • To restore a previous configuration
    • To load the configuration copied from another switch
    • ...
  • Page 159: Non-Disruptive Configuration Management

    ! End of the script file 6.1.4.3. Non-Disruptive Configuration Management The Non-Disruptive Configuration feature can apply a new configuration file without disrupting the operation of features that are unchanged by the new configuration. In the datacenter network, where the network administrator may manage thousands of switches, when the switch configuration is changed by uploading a new configuration file to it, the switch can gracefully resolve any differences between the running configuration and the new configuration.
  • Page 160 This example shows how to download a firmware image to the switch and activate it. The TFTP server in this example is Tftpd32, an open source TFTP server running on a Windows system.
    • TFTP server IP address: 172.16.1.102
    • File path: \image
    • ...
  • Page 161 Mode........... TFTP Set Server IP........172.16.1.102 Path........../ Filename........QNOS-ly8-5.4.00.32.stk Data Type........Code Destination Filename......backup Management access will be blocked for the duration of the transfer Are you sure you want to start? (y/n) y 5. After the transfer completes, activate the new image so that it becomes the active image after the switch resets.
  • Page 162: Managing Configuration Scripts

    8. Reset the switch to boot the system with the new image. (QCT) #reload Are you sure you would like to reset the system? (y/n) y 6.1.7.1. Managing Configuration Scripts This example shows how to create a configuration script that adds three host name-to-IP address mappings to the host table.
  • Page 163: Enabling Automatic Image Installation And System Configuration

    Management access will be blocked for the duration of the transfer Are you sure you want to start? (y/n) 4. After you confirm the download information and the script successfully downloads, it is automatically validated for correct syntax. Are you sure you want to start? (y/n) y Validating configuration script...
  • Page 164: Dhcp Auto Install Process

    The Auto Install feature can automatically update the firmware image and obtain configuration information when the switch boots. Auto Install begins the automatic download and installation process when the switch boots and loads a saved configuration that has the persistent Auto Install mode enabled. Additionally, the switch supports a non-persistent Auto Install mode so that Auto Install can be stopped or restarted at any time during switch operation.
  • Page 165: Obtaining The Image

    The DHCP client on the switch also processes the name of the text file (option 125, the V-I Vendor-Specific Information option) which contains the path to the image file. 6.2.1.3. Obtaining the Image Auto Install attempts to download an image file from a TFTP server only if the switch loads with a saved configuration file that has Auto Install enabled (the boot-system host autoinstall command) or if Auto ...
  • Page 166: Monitoring And Completing The Dhcp Auto Install Process

    configuration file does not contain the switch's IP address, the switch attempts a reverse DNS lookup to resolve its host name. A sample fp-net.cfg file follows: config ip host switch1 192.168.1.10 ip host switch2 192.168.1.11 ... <other hostname definitions> exit Once a host name has been determined, the switch issues a TFTP request for a file named hostname.cfg, where hostname is the first thirty-two characters of the switch's host name.
  • Page 167: Saving A Configuration

    Additionally, while Auto Install is running, you can issue the show autoinstall command to view information about the current Auto Install state. When Auto Install has successfully completed, you can execute the show running-config command to validate the contents of the configuration. 6.2.2.1.
  • Page 168: Default Auto Install Values

     • A DNS server must contain an IP address to host name mapping for the TFTP server if the DHCP server response identifies the TFTP server by name. • A DNS server must contain an IP address to host name mapping for the switch if a <hostname>.cfg file is to be downloaded.
  • Page 169: Downloading A Core Dump

    a. The IP address (yiaddr) and subnet mask (option 1) to be assigned to the interface b. The IP address of a default gateway (option 3) c. DNS server address (option 6) d. Name of config file for each host e.
  • Page 170: Using Tftp Or Ftp To Download A Core Dump

    Protocol........nfs Switch-chip-register......TRUE (QCT) (Config)# (QCT) #write core test The configured protocol nfs test PASS (QCT) # 6.3.2. Using TFTP or FTP to Download a Core Dump Use the following commands to download a core dump file via TFTP. To use FTP, substitute ftp for tftp in the commands.
  • Page 171: Manual Time Configuration

    The switch also supports the following time configuration settings: • Time Zone — Allows you to specify the offset from Coordinated Universal Time (UTC). • Summer Time/Daylight Saving Time (DST) — In some regions, the time shifts by one hour in the fall and spring.
  • Page 172: Configuring Sntp

    Summer-time is in effect. 6.4.2. Configuring SNTP This example shows how to configure the system clock for a switch in New York City, which has a UTC offset of –5 hours. 1. Specify the SNTP server the client on the switch should contact. You can configure the IP address or host name of the SNTP server.
  • Page 173: Example 2 To Verify Syslog Host Configuration

    Switch A IP: 172.16.100.240/24 Log Server IP: 172.16.100.90/24 Figure 6-1: System Log Topology 6.5.2. Example 2 to Verify Syslog Host Configuration To configure Switch A: Configure the log server IP address 172.16.100.90. (QCT) (Config)#logging host 172.16.100.90 ipv4 Configure the port number on which the log server receives messages to 514. Note: The default syslog server port is 514. (QCT) (Config)#logging host reconfigure 1 port 514 Change the log severity level to 6...
  • Page 174 Severity level to mapping number table: emergency, alert, critical, error, warning, notice, info, debug (numbered 0 through 7 in that order, so level 6 is info). Enable the syslog feature (QCT) (Config)#logging syslog Result: The syslog server receives log messages from Switch A. Please refer to the figure below.
  • Page 175: Figure 6-2: Syslog Server Screen

    Figure 6-2: Syslog Server Screen Figure 6-3: Syslog packet capture Use the show logging command to verify the logging configuration (QCT) (Config)#show logging Logging Client Local Port : 514 Logging Client Source Interface : (not configured) CLI Command Logging : disabled Console Logging : enabled...
  • Page 176 Console Logging Severity Filter : error Buffered Logging : enabled Buffered Logging Severity Filter : info Persistent Logging : disabled Persistent Logging Severity Filter : alert Syslog Logging : enabled Syslog Logging Facility : user Terminal Monitor : disabled Terminal Logging Severity Filter : warning Log Messages Received : 246...
  • Page 177: Configuring Routing

    7. Configuring Routing 7.1. Basic Routing and Features QNOS software runs on multilayer switches that support static and dynamic routing. Table 12 describes some of the general routing features that you can configure on the switch. The table does not list supported routing protocols.
  • Page 178: When To Configure Vlan Routing

    than one physical port to reside on the same subnet. It could also be used when a VLAN spans multiple physical networks, or when additional segmentation or security is required. 7.1.1.1. When to Configure VLAN Routing VLAN routing is required when the switch is used as a layer 3 device. VLAN routing must be configured to allow the switch to forward IP traffic between subnets and allow hosts in different networks to communicate.
  • Page 179: Configuring Switch A

    Figure 7-2: IP Routing Example Topology 7.1.2.1. Configuring Switch A To configure Switch A: 1. Create the VLANs. (QCT) #configure (QCT) (Config)#vlan database (QCT) (Vlan)#vlan 10,20,30,50 2. Configure the VLANs for routing. (QCT) (Config)#interface vlan 10 Interface vlan 10 created for VLAN ID 10 (QCT) (if-vlan10)#interface vlan 20 Interface vlan 20 created for VLAN ID 20 (QCT) (if-vlan20)#interface vlan 30...
  • Page 180: Configuring Switch B

    (QCT) (Config)#interface vlan 10 (QCT) (if-vlan10)#ip address 192.168.10.10 255.255.255.0 (QCT) (if-vlan10)#exit 5. Assign an IP address to VLAN 20. (QCT) (Config)#interface vlan 20 (QCT) (if-vlan20)#ip address 192.168.20.20 255.255.255.0 (QCT) (if-vlan20)#exit 6. Assign an IP address to VLAN 50. (QCT) (Config)#interface vlan 50 (QCT) (if-vlan50)#ip address 192.168.50.50 255.255.255.0 (QCT) (if-vlan50)#exit 7.
  • Page 181: Ip Unnumbered Configuration Example

    (QCT) (if-vlan20)#ip address 192.168.20.25 255.255.255.0 (QCT) (if-vlan20)#exit 5. Assign an IP address to VLAN 30. This command also enables IP routing on the VLAN. (QCT) (Config)#interface vlan 30 (QCT) (if-vlan30)#ip address 192.168.30.30 255.255.255.0 (QCT) (if-vlan30)#exit 6. Configure the VLAN 20 routing interface on Switch A as the default gateway so that any traffic with an unknown destination is sent to Switch A for forwarding.
  • Page 182 3. Configure port 0/2. (QCT) (Config)#interface 0/2 (QCT) (Interface 0/2)#routing (QCT) (Interface 0/2)#ip unnumbered loopback 1 (QCT) (Interface 0/2)#exit 4. Configure port 0/3. (QCT) (Interface 0/3)#routing (QCT) (Interface 0/3)#ip unnumbered loopback 1 (QCT) (Interface 0/3)#exit (QCT) (Config)# To configure Router 2: 1.
  • Page 183: Ospf

    (QCT) (Config)#ip routing 2. Configure the loopback interface. (QCT) (Config)#interface loopback 1 (QCT) (Interface loopback 1)#ip address 3.0.0.3 /24 (QCT) (Interface loopback 1)#exit 3. Configure port 0/2. (QCT) (Config)#interface 0/2 (QCT) (Interface 0/2)#routing (QCT) (Interface 0/2)#ip unnumbered loopback 1 (QCT) (Interface 0/2)#exit 4.
  • Page 184: Configuring An Ospf Border Router And Setting Interface Costs

    7.2.1. Configuring an OSPF Border Router and Setting Interface Costs This example shows how to configure the QNOS-based switch as an OSPF border router. The commands in this example configure the areas and interfaces on Border Router A shown in Figure 27. Figure 7-4: OSPF Area Border Router To Configure Border Router A: 1.
  • Page 185 (QCT) #configure (QCT) (Config)#ip routing 5. Assign IP addresses for VLANs 70, 80 and 90. (QCT) (Config)#interface vlan 70 (QCT) (if-vlan70)#ip address 192.150.2.2 255.255.255.0 (QCT) (if-vlan70)#exit (QCT) (Config)#interface vlan 80 (QCT) (if-vlan80)#ip address 192.150.3.1 255.255.255.0 (QCT) (if-vlan80)#exit (QCT) (Config)#interface vlan 90 (QCT) (if-vlan90)#ip address 192.150.4.1 255.255.255.0 (QCT) (if-vlan90)#exit 6.
  • Page 186: Vrrp

    7.3. VRRP The Virtual Router Redundancy Protocol (VRRP) is designed to handle default router (L3 switch) failures by providing a scheme to dynamically elect a backup router. VRRP can help minimize black hole periods due to the failure of the default gateway router, during which all traffic directed towards it is lost until the failure is detected.
  • Page 187: Vrrp Accept Mode

    7.3.1.3. VRRP Accept Mode The accept mode allows the switch to respond to pings (ICMP Echo Requests) sent to the VRRP virtual IP address. The VRRP specification (RFC 3768) indicates that a router may accept IP packets sent to the virtual router IP address only if the router is the address owner.
  • Page 188: Vrrp With Load Sharing

     • VRRP with Route and Interface Tracking 7.3.2.1. VRRP with Load Sharing In Figure 28, two L3 switches are performing the routing for network clients. Router A is the default gateway for some clients, and Router B is the default gateway for other clients. Figure 7-5: VRRP with Load Sharing Network Diagram This example configures two VRRP groups on each router.
  • Page 189 (QCT) (Config)#ip vrrp 4. Assign a virtual router ID to the VLAN routing interface for the first VRRP group. (QCT) (Config)#interface vlan 10 (QCT) (if-vlan10)#ip vrrp 10 5. Specify the IP address that the virtual router function will use. The router is the virtual IP address owner (the routing interface has the same IP address as the virtual IP address for the VRRP group), so the priority value is 255.
  • Page 190: Vrrp With Route And Interface Tracking

    (QCT) (Config)#interface vlan 10 (QCT) (if-vlan10)#ip vrrp 10 5. Specify the IP address that the virtual router function will use. (QCT) (if-vlan10)#ip vrrp 10 ip 192.168.10.1 6. Assign a virtual router ID to the VLAN routing interface for the second VRRP group. (QCT) (if-vlan10)#ip vrrp 20 7.
  • Page 191 Without VRRP interface or route tracking, if something happened to VLAN 25 or the route to the external network, as long as Router A remains up, it will continue to be the VRRP master even though traffic from the clients does not have a path to the external network. However, if the interface and/or route tracking features are configured, Router A can decrease its priority value when the problems occur so that Router B becomes the master.
  • Page 192 (QCT) (if-vlan10)#ip vrrp 10 track ip route 192.168.200.0/24 (QCT) (if-vlan10)#exit Router B is the backup router for VRID 10. The configured priority is 195. If the VLAN 25 routing interface or the route to the external network on Router A goes down, the priority of Router A will become 190 (or 180, if both the interface and the route are down).
  • Page 193: Ip Helper

    (QCT) (Config)#exit 7.4. IP Helper The IP Helper feature provides the ability for a router to forward configured UDP broadcast packets to a particular IP address. This allows applications to reach servers on non-local subnets. This is possible even when the application is designed to assume a server is always on a local subnet or when the application uses broadcast packets to reach the server (with the limited broadcast address 255.255.255.255, or a network directed broadcast address).
  • Page 194 server back to the client are assumed to be unicast directly to the client. Because there is no relay in the return direction for protocols other than DHCP, the relay agent retains the source IP address from the original client packet. The relay agent uses a local IP address as the source IP address of relayed DHCP client packets.
  • Page 195: Relay Agent Configuration Example

    Table 7-3: UDP Port Allocation 7.4.1. Relay Agent Configuration Example The example in this section shows how to configure the L3 relay agent (IP helper) to relay and discard various protocols.
  • Page 196: Figure 7-7: L3 Relay Network Diagram

    Figure 7-7: L3 Relay Network Diagram This example assumes that multiple VLAN routing interfaces have been created and configured with IP addresses. To configure the switch: 1. Enable IP helper on the switch. (QCT) #config (QCT) (Config)#ip helper enable 2. Relay DHCP packets received on VLAN 10 to 192.168.40.35 (QCT) (Config)#interface vlan 10 (QCT) (if-vlan10)#ip helper-address 192.168.40.35 dhcp 3.
  • Page 197: Border Gateway Protocol (Bgp)

    (QCT) (if-vlan20)#ip helper-address discard dhcp (QCT) (if-vlan20)#exit 6. Configure the switch so that DHCP packets received from clients in any VLAN other than VLAN 10 and VLAN 20 are relayed to 192.168.40.22. Note: The following command is issued in Global Configuration mode, so it applies to all interfaces except VLAN 10 and VLAN 20.
  • Page 198: External Bgp Peering

    Figure 7-8: Example BGP Network 7.5.1.1. External BGP Peering EBGP peering occurs between two or more BGP routers in different ASs. Peer routers in these different ASs use BGP to maintain a consistent view of the inter-network topology. External BGP peers exchange NLRIs, which contain reachable network destinations along with BGP-specific attributes such as AS path information and various metrics.
  • Page 199: Bgp Behavior

    7.5.2. BGP Behavior To begin with, BGP systems form a TCP/IP connection between one another to exchange NLRIs. First, they exchange messages to open and confirm the connection parameters. The initial data flow is the entire BGP routing table. Incremental updates are sent as the routing tables change. BGP does not require periodic refresh of the entire BGP routing table because it relies on the reliable transport provided by TCP.
  • Page 200: Bgp Configuration Example

    5. Prefer the route with the lower MED. By default, MEDs are only compared for routes from the same AS, but a configuration option allows comparison of MEDs from different ASs. A route with no MED is considered to have a MED of 0. 6.
  • Page 201 (R9) (Config)# 2. Enter Global Config mode and enable routing on the system. (R9) #configure (R9) (Config)#ip routing 3. Enter Interface Config mode for port 0/11. This interface is connected to R2, which is part of the same AS. Assign an IP address to the interface, and enable routing on the interface. (R9) (Config)#interface 0/11 (R9) (Interface 0/11)#ip address 172.18.1.26 255.255.255.252 (R9) (Interface 0/11)#routing...
  • Page 202 (R9) (Interface loopback 0)#ip ospf area 0 (R9) (Interface loopback 0)#exit 12. Configure the OSPF settings for the router. (R9) (Config)#router ospf (R9) (Config-router)#router-id 9.9.9.9 (R9) (Config-router)#network 172.19.1.0 0.0.0.255 area 0 (R9) (Config-router)#network 172.18.1.0 0.0.0.255 area 0 (R9) (Config-router)#passive-interface 0/12 (R9) (Config-router)#timers spf 3 5 (R9) (Config-router)#max-metric router-lsa summary-lsa on-startup 90 (R9) (Config-router)#exit...
  • Page 203: Configuring Bgp On Router 3

    (R9) (Config-router)#network 172.18.1.24 mask 255.255.255.252 (R9) (Config-router)#network 172.17.1.4 mask 255.255.255.252 (R9) (Config-router)#network 172.17.1.8 mask 255.255.255.252 (R9) (Config-router)#network 172.17.1.12 mask 255.255.255.252 (R9) (Config-router)#network 172.19.1.28 mask 255.255.255.252 (R9) (Config-router)#network 172.19.1.32 mask 255.255.255.252 22. Configure the loopback addresses of routers in AS 65001. (R9) (Config-router)#network 192.168.0.1 mask 255.255.255.255 (R9) (Config-router)#network 192.168.0.2 mask 255.255.255.255 (R9) (Config-router)#network 192.168.0.9 mask 255.255.255.255...
  • Page 204: Ipv6 Routing

    (R3) #configure (R3) (Config)#ip routing 3. Enter Interface Config mode for port 0/12. This is the interface that is connected to R3, which is in a different AS. Assign an IP address to the interface, and enable routing on the interface. (R3) (Interface 0/12)#interface 0/12 (R3) (Interface 0/12)#ip address 172.19.1.29 255.255.255.252 (R3) (Interface 0/12)#routing (R3) (Interface 0/12)#exit...
  • Page 205: How Does Ipv6 Compare With Ipv4

    Translation (NAT), which is used in IPv4 networks to reduce the number of globally unique IP addresses required for a given network. In the QNOS software, IPv6 coexists with IPv4. As with IPv4, IPv6 routing can be enabled on loopback and VLAN interfaces.
  • Page 206: Default Ipv6 Routing Values

    Next hop addresses computed by routing protocols are usually link-local addresses. During the period of transitioning the Internet to IPv6, a global IPv6 Internet backbone may not be available. One transition mechanism is to tunnel IPv6 packets inside IPv4 to reach remote IPv6 islands. When a packet is sent over such a link, it is encapsulated in IPv4 in order to traverse an IPv4 network and has the IPv4 headers removed at the other end of the tunnel.
  • Page 207: Configuring Global Ip Routing Settings

    This section provides information about the commands you use to configure IPv6 routing in the QNOS software. 7.6.4.1. Configuring Global IP Routing Settings Use the following commands to configure various global IP routing settings for the QNOS software. Table 7-6: Global IP Routing Settings 7.6.4.2.
  • Page 208: Configuring Ipv6 Neighbor Discovery

    Table 7-7: IPv6 Interface Settings 7.6.4.3. Configuring IPv6 Neighbor Discovery Use the following commands to configure IPv6 Neighbor Discovery settings.
  • Page 209: Table 7-8: Ipv6 Neighbor Discovery Settings

    Table 7-8: IPv6 Neighbor Discovery Settings...
  • Page 210: Configuring Ipv6 Route Table Entries And Route Preferences

    7.6.4.4. Configuring IPv6 Route Table Entries and Route Preferences Use the following commands to configure IPv6 Static Routes. Table 7-9: IPv6 Static Routes 7.6.4.5. IPv6 Show Commands Use the following commands to view IPv6 configuration status and related data.
  • Page 211: Ecmp Hash Selection

    Table 7-10: IPv6 Configuration Status 7.7. ECMP Hash Selection Users can choose the load balancing/sharing algorithm used for selecting the final ECMP route. The management interfaces enable choosing various combinations of IP header fields, including the inner or outer IP headers in tunneled packets. Both IPv4 and IPv6 are supported. The field selectors remain the same for all packet types.
  • Page 212: Configuring Bfd

    the session status. On Quanta switches, OSPF and BGP can use BFD for monitoring their neighbors' availability in the network and for fast detection of connection faults with them. BFD uses a simple 'hello' mechanism that is similar to the neighbor detection components of some well-known protocols.
  • Page 213: Vrf Lite Operation And Configuration

    (Switch) (Config)#router bgp (Switch) (Config-router)# neighbor 172.16.11.6 fall-over bfd (Switch) (Config-router)# exit 4. Enable BFD globally for OSPF: (Switch) (Config)#router ospf (Switch) (Config-router)# bfd (Switch) (Config-router)# exit 5. Configure OSPF to use BFD on the interface: (Switch) #configure (Switch) (Config)#interface 0/9 (Switch) (Interface 0/9)#ip ospf bfd (Switch) (Interface 0/9)#exit 6.
  • Page 214: Adding Leaked Routes

    routing table and a VR, but not across VRs. The switch supports route leaking only through static routes. The switch does not support inter-VRF packet forwarding by connecting a wire between ports belonging to different VR instances. 7.9.2. Adding Leaked Routes Connected routes in one router that are leaked into another VR are referred to as leaked host routes.
  • Page 215 SNMP Management Only the default router can be managed via SNMP. The Authentication, Authorization, and Accounting protocols include services such as the RADIUS client and the TACACS+ client. The switch supports these services only on the default router. The Ping and the Trace Route clients are supported in the Virtual Router context. Network Services Other protocols are supported only in the default router.
  • Page 216: Vrf Lite Development Scenarios

    targets. In the current implementation, BGP does not support either of the above mentioned functionalities. The current release supports VRF-Lite only for IPv4. IPv6 data forwarding and IPv6 protocols are not currently supported. IP Multicast The current Virtual Routing release supports only IPv4 unicast routing. PBR is a routing policy feature useful in overriding routing decisions with Policy Based Routing programmable rules.
  • Page 217: Figure 7-10: Vrf Scenarios

    Targets. b. Exchange the VPN-related route information per VR with the PE device using Extended Communities. The internal routers in enterprise networks provide isolation of different departments/offices at layer-3 or the routing domain. This scenario does not mandate that the BGP protocol be running on the device. It can still be run in this scenario to achieve dynamic route leaking only.
  • Page 218 (Switch) #show ip route vrf HR Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, S - Static B - BGP Derived, IA - OSPF Inter Area E1 - OSPF External Type 1, E2 - OSPF External Type 2 N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2 L - Leaked Route C 10.10.10.0/24 [0/1] directly connected,...
  • Page 219: Vrf Configuration Example

    7.9.7. VRF Configuration Example 1. Create virtual router instances. The following commands create and name two instances and enter VRF Configuration mode for each. In VRF Configuration mode for each VR, a description is added and the maximum number of routes allowed in each virtual instance is configured.
  • Page 220 The two routes are leaked from the global route table into the Red VR and the connected subnet 8.0.0.0/24 is leaked from the Red VR to the global route table. The following commands also add a non-leaked static route for the 56.6.6.0/24 subnetwork scoped to the domain of Red VR.
  • Page 221: Configuring Multicast Routing

    8. Configuring Multicast Routing 8.1. L3 Multicast Overview IP Multicasting enables a network host (or multiple hosts) to send an IP datagram to multiple destinations simultaneously. The initiating host sends each multicast datagram only once to a destination multicast group address, and multicast routers forward the datagram only to hosts who are members of the multicast group.
  • Page 222: Multicast Protocol Roles

    8.1.3. Multicast Protocol Roles Hosts must have a way to identify their interest in joining any particular multicast group, and routers must have a way to collect and maintain group memberships. These functions are handled by the IGMP protocol in IPv4. In IPv6, multicast routers use the Multicast Listener Discovery (MLD) protocol to maintain group membership information.
  • Page 223: Igmp

    strips off the IP encapsulation and forwards the packet as an IP Multicast packet. This process of encapsulating multicast packets in IP is called tunneling. 8.1.8. IGMP The Internet Group Management Protocol (IGMP) is used by IPv4 systems (hosts, L3 switches, and routers) to report their IP multicast group memberships to any neighboring multicast routers.
  • Page 224: Join Mechanism

    Router Alert Option implies a hop-by-hop option header. MLD has 3 types of messages: • General Query: the multicast address field is set to 0 (::); it is used for learning which multicast addresses have listeners on the subnet. • Group-Specific Query: ...
  • Page 225: Using Pim-Dm As The Multicast Routing Protocol

    PIM-SM uses a Bootstrap Router (BSR), which advertises information to other multicast routers about the RP. In a given network, a set of routers can be administratively enabled as candidate bootstrap routers. If it is not apparent which router should be the BSR, the candidates flood the domain with advertisements. The router with the highest priority is elected.
  • Page 226: Table 8-2: L3 Multicast Defaults

    Table 8-2: L3 Multicast Defaults...
  • Page 227: L3 Multicast Configuration Examples

    8.3. L3 Multicast Configuration Examples 8.3.1. Configuring Multicast VLAN Routing with IGMP and PIM-SM This example describes how to configure a switch with two VLAN routing interfaces that route IP multicast traffic between the VLANs. PIM and IGMP are enabled on the switch and interfaces to manage the multicast routing.
  • Page 228 Switch A. STP is configured on the ports that connect the switch to other switches. OSPF is configured to route unicast traffic between the VLANs. To configure the switch: 1. Create two VLANs and configure them as routing VLANs. (QCT) (Config)#vlan database (QCT) (Vlan)#vlan 10,20 (QCT) (Vlan)#exit (QCT) (Config)#interface vlan 10...
  • Page 229: Example 1: Mldv1 Configuration

    (QCT) (if-vlan10)#ip igmp version 2 (QCT) (if-vlan10)#ip pim (QCT) (if-vlan10)#exit 7. Configure VLAN 20 as a VLAN routing interface and specify the OSPF area. (QCT) (Config)#interface vlan 20 (QCT) (if-vlan20)#ip address 192.168.20.4 255.255.255.0 (QCT) (if-vlan20)#ip ospf area 0 8. Enable IGMPv2 and PIM-SM on the VLAN routing interface. (QCT) (if-vlan20)#ip igmp (QCT) (if-vlan20)#ip igmp version 2 (QCT) (if-vlan20)#ip pim...
  • Page 230: Example 2: Mldv2 Configuration

    Switch-1 Configuration Step 1. Enable MLD and the related routing commands in Global Config mode (Switch-1) (Config)#ip routing (Switch-1) (Config)#ipv6 mld router (Switch-1) (Config)#ipv6 unicast-routing (Switch-1) (Config)#ip multicast Step 2. Enable MLD on specific interfaces or a VLAN interface (Switch-1) (Config)#interface range 0/3-0/9 (Switch-1) (Interface 0/3-0/9)#ipv6 mld router (Switch-1) (Interface 0/3-0/9)#ipv6 mld version 1 (Switch-2) (Config)#interface vlan 1...
  • Page 231 (Switch-1) (Config)#show ipv6 mld interface vlan 1 Interface ........vlan 1 MLD Global Admin Mode ........ Enabled MLD Interface Admin Mode ......Enabled MLD Operational Mode ......... Enabled MLD Version ........1 Query Interval (secs) ......125 Query Max Response Time(milli-secs) ....10000 Robustness ........2 Startup Query Interval (secs)
  • Page 232: Configuring Data Center Features

    9. Configuring Data Center Features 9.1. Data Center Technology Overview QNOS software supports Data Center Bridging (DCB) features to increase the reliability of Ethernet-based networks in the data center. The Ethernet enhancements that DCB provides are well suited for Fibre Channel over Ethernet (FCoE) environments.
  • Page 233: Pfc Operation And Behavior

    considered non-pausable (“drop”) when priority-based flow control is enabled until no-drop is specifically turned on. 9.2.1. PFC Operation and Behavior PFC uses a new control packet defined in IEEE 802.1Qbb and therefore is not compatible with IEEE 802.3 Annex 31B flow control. An interface that is configured for PFC will be automatically disabled for flow control.
  • Page 234: Data Center Bridging Exchange Protocol

    3. Enable PFC and configure traffic marked with 802.1p priority 5 to be paused rather than dropped when congestion occurs. (QCT) (Interface 0/3,0/5,0/10)#data-center-bridging (QCT) (Config-if-dcb)#priority-flow-control mode on (QCT) (Config-if-dcb)#priority-flow-control priority 5 no-drop (QCT) (config-if-dcb)#exit 4. Enable VLAN tagging on the ports so the 802.1p priority is identified. (QCT) (Interface 0/3,0/5,0/10)#switchport allowed vlan add tagged 100 (QCT) (Interface 0/3,0/5,0/10)#exit 9.3.
  • Page 235: Dcbx And Port Roles

    To be interoperable with legacy industry implementations of DCBX protocol, QNOS software uses a hybrid model to support both the IEEE version of DCBX (IEEE 802.1Qaz) and legacy DCBX versions. QNOS software automatically detects if a peer is operating with either of the two CEE DCBX versions or the IEEE standard DCBX version.
  • Page 236: Configuration Source Port Selection Process

    Auto-upstream ports that receive internally propagated information ignore their local configuration and utilize the internally propagated information. Peer configurations received on auto-upstream ports other than the configuration source result in one of two possibilities. If the configuration is compatible with the configuration source, then the DCBX client becomes operationally active on the upstream port.
  • Page 237: Configuring Dcbx

    The newly elected configuration source propagates DCBX client information to the other ports and is internally marked as being the port over which configuration has been received. Configuration changes received from the peer over the configuration source port are propagated to the other auto-configuration ports.
  • Page 238: Cos Queuing

    (QCT) (Interface 0/1)#lldp receive 4. Enable the port as the configuration source. This port is connected to a trusted FCF. Configuration received over this port is propagated to the other auto-configuration ports. (QCT) (Interface 0/1)#lldp dcbx port-role configuration-source (QCT) (Interface 0/1)#exit 5.
  • Page 239: Cos Queuing Function And Behavior

    For platforms that support the multistage scheduling architecture, the COS queue feature provides a method to configure Traffic Class Groups (TCGs) to extend the COS queue management. Multiple COS queues can be mapped to a single TCG. Each TCG can have a configured minimum guaranteed bandwidth allocation and a scheduling algorithm similar to the COS queue configuration.
  • Page 240: Traffic Class Groups

    Defining these settings on a per-queue basis allows the user to create the desired service characteristics for different types of traffic. The tail drop and WRED parameters are specified individually for each supported drop precedence level. In addition, the following settings can be specified on a per-interface basis: ...
  • Page 241 1. Configure one to one mapping between 802.1p priority and COS Queue on the ingress port. Frames with 802.1p priority 1 are assigned to COS 1 queue and similarly frames with 802.1p priority 2 are assigned to COS2 and so on. (QCT) (Config)#queue cos-map all 0 0 (QCT) (Config)#queue cos-map all 1 1 (QCT) (Config)#queue cos-map all 2 2...
  • Page 242: Table 9-2: 802.1P-To-Tcg Mapping

    (QCT) (Config)#traffic-class-group min-bandwidth 0 0 0 After performing Step 1–Step 9, the data traffic with an 802.1p priority is sent through TCG1, and 45% of the bandwidth (excluding TCG0 bandwidth) is reserved for TCG1. This protects the TCG1 traffic from traffic that is transmitted on TCG2.
  • Page 243: Enhanced Transmission Selection

    9.5. Enhanced Transmission Selection Enhanced Transmission Selection (ETS) enables the sharing and redistribution of network bandwidth between various protocols. To support ETS, QNOS software accepts the ETS traffic class group and bandwidth information Application Priority TLV from auto-upstream devices and propagates it to auto-downstream devices.
  • Page 244: Vxlan

    Logically segregated virtual networks in a data center are sometimes referred to as data center VPNs. VXLAN is one such VPN; others include E-VPNs, IP VPNs, TRILL, and VPLS. The encapsulation and decapsulation required by VXLAN is done by devices called Virtual Tunnel Endpoints (VTEPs) or NVEs.
  • Page 245: Configuration Of Remote Vteps

    A source IP address (local VTEP) must be specified for each configured VXLAN. The valid source IP interface is either a loopback interface or a routing interface (port-based or VLAN-based) on the router. It is recommended that a loopback interface be dedicated to VXLAN gateway purposes and configured with the intended source IP address before associating it with VXLAN.
  • Page 246: Vtep Next-Hop Resolution

    9.6.2.3. VTEP Next-hop Resolution
    A remote VTEP is considered reachable if the gateway has a non-default route to the VTEP's IP address. The VXLAN application determines the reachability of the VTEP's address and registers with the routing table manager for changes in the route to that IP address. When there is a route to the VTEP, the VXLAN application copies the next hops of the best route and uses them as the next hops for the packets forwarded to that VTEP.
  • Page 247: Mac Learning And Aging

    • A local MAC address, which the hardware uses as the outer source MAC address when encapsulating and sending packets on the tunnel. This is the MAC address of the originating local routing interface.
    • For a VXLAN tunnel, the UDP destination port to use in the VXLAN header during encapsulation. ...
  • Page 248: Ecmp

    Overall, the system has a maximum allowed limit of 4096 static host MAC-to-VTEP bindings. At any point in time, the sum of all tenants' static host MAC-to-VTEP mappings must be less than or equal to the system limit. Once this limit is reached, configuring new MAC-to-VTEP bindings for any tenant fails and a log message is generated.
  • Page 249: Packet Forwarding

    • For incoming IPv4 packets, the DSCP/TOS value from the incoming IPv4 header is copied into the outer IPv4 header's DSCP/TOS field during encapsulation. Otherwise, the DSCP/TOS value is set to 0.
    9.6.2.11. Packet Forwarding
    The gateway forwards all packets in hardware. There is no software forwarding.
    9.6.3.
  • Page 250: Unicast Vxlan Configuration

    Note: QNOS only supports PIM-SM. Routing support: any 802.1Q capable router, or any VTEP capable router or switch. Crossing Layer 3 boundary. ECMP support. Table 9-4: VLAN and VXLAN Comparison
    9.6.3.1. Unicast VXLAN Configuration
    Figure 9-2: Unicast VXLAN Topology
    Switch-1 Configuration
    Step 1.
  • Page 251 Step 2. Enable IP routing
    (Switch-1) (Config)#ip routing
    Step 3. Interface Configuration
    (Switch-1) (Config)#interface loopback 0
    (Switch-1) (Interface loopback 0)#ip address 10.1.1.1 255.255.255.255
    (Switch-1) (Interface loopback 0)#exit
    (Switch-1) (Config)#interface 0/1
    (Switch-1) (Interface 0/1)#switchport allowed vlan add 201
    (Switch-1) (Interface 0/1)#switchport tagging 201
    (Switch-1) (Interface 0/1)#exit
    (Switch-1) (Config)#interface 0/48
    (Switch-1) (Interface 0/48)#routing...
  • Page 252 (Switch-2) (Config)#ip routing
    Step 3. Interface Configuration
    (Switch-2) (Config)#interface loopback 0
    (Switch-2) (Interface loopback 0)#ip address 10.1.1.2 255.255.255.255
    (Switch-2) (Interface loopback 0)#exit
    (Switch-2) (Config)#interface 0/1
    (Switch-2) (Interface 0/1)#switchport allowed vlan add 201
    (Switch-2) (Interface 0/1)#switchport tagging 201
    (Switch-2) (Interface 0/1)#exit
    (Switch-2) (Config)#interface 0/48
    (Switch-2) (Interface 0/48)#routing
    (Switch-2) (Interface 0/48)#ip address 11.1.1.2 255.255.255.252...
  • Page 253 UDP Destination Port......4789
    Source Interface....... lb0
    VXLAN and VLAN Mapping......VXLAN ID:201 VLAN ID:201
    Unicast Group Address......10.1.1.3 10.1.1.2
    Show remote VTEP learning status
    (Switch-1) #show vxlan vtep
    Remote VTEPs for Vxlan: 10.1.1.2
    Check the VXLAN address table
    (Switch-1) #show vxlan address-table
    Tenant ID Tenant MAC VTEP Interface...
  • Page 254: Appendix A: Terms And Acronyms

    Appendix A: Terms and Acronyms Table 9-5: Terms and Acronyms...
  • Page 255: Table 9-6: Terms And Acronyms (Cont.)

    Table 9-6: Terms and Acronyms (Cont.)
  • Page 256: Table 9-7: Terms And Acronyms (Cont.)

    Table 9-7: Terms and Acronyms (Cont.)