Page 1 Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Application Guide For Lenovo Enterprise Network Operating System 8.4...
Page 2 Note: Before using this information and the product it supports, read the general information in the Safety information and Environmental Notices and User Guide documents on the Lenovo Documentation CD and the Warranty Information document that comes with the product. Third Edition (July 2017) © Copyright Lenovo 2017 Portions © Copyright IBM Corporation 2014. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS‐35F‐05925. Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.
Page 3: Table Of Contents
Browser‐Based Interface . . . . . . . . . . . . . . . . . . . . . . .31 Establishing a Connection . . . . . . . . . . . . . . . . . . . . . . . .32 Using the Chassis Management Module . . . . . . . . . . . . . . . .32 Factory‐Default vs. CMM‐Assigned IP Addresses . . . . . . . . . .32 Using Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . .33 Using Secure Shell. . . . . . . . . . . . . . . . . . . . . . . . . .33 Using SSH with Password Authentication . . . . . . . . . . . . .35 Using SSH with Public Key Authentication . . . . . . . . . . . . .35 Using a Web Browser . . . . . . . . . . . . . . . . . . . . . . . .36 Configuring HTTP Access to the BBI . . . . . . . . . . . . . . . .36 Configuring HTTPS Access to the BBI . . . . . . . . . . . . . . .37 BBI Summary . . . . . . . . . . . . . . . . . . . . . . . . . .38 Using Simple Network Management Protocol. . . . . . . . . . . . . .39 BOOTP/DHCP Client IP Address Services . . . . . . . . . . . . . . . . .40 Host Name Configuration . . . . . . . . . . . . . . . . . . . . . .40 SYSLOG Server . . . . . . . . . . . . . . . . . . . . . . . . . . .41 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . .41 Easy Connect Wizard . . . . . . . . . . . . . . . . . . . . . . . . . .42 Configuring the Easy Connect Wizard . . . . . . . . . . . . . . . . .42 Basic System Mode Configuration Example . . . . . . . . . . . . .43 Transparent Mode Configuration Example . . . . . . . . . . . . .44 Redundant Mode Configuration Example . . . . . . . . . . . . .45 Switch Login Levels . . . . . . . . . . . . . . . . . . . . . . . . . . .47 Administrator Password Recovery . . . . . . . . . . . . . . . . . . . .49 Secure FTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51 © Copyright Lenovo 2017...
Page 4 Boot Strict Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Acceptable Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 55 Configuring Strict Mode . . . . . . . . . . . . . . . . . . . . . . . 56 Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Configuring No‐Prompt Mode . . . . . . . . . . . . . . . . . . . . . . 57 Chapter 2. Initial Setup ..... 59 Information Needed for Setup . . . . . . . . . . . . . . . . . . . . . . 60 Default Setup Options . . . . . . . . . . . . . . . . . . . . . . . . .
Page 5 Chapter 5. Authentication & Authorization Protocols ..99 RADIUS Authentication and Authorization . . . . . . . . . . . . . . . 100 How RADIUS Authentication Works . . . . . . . . . . . . . . . . 100 Configuring RADIUS on the Switch . . . . . . . . . . . . . . . . . 101 RADIUS Authentication Features in Enterprise NOS . . . . . . . . . . 101 Switch User Accounts . . . . . . . . . . . . . . . . . . . . . . . 102 RADIUS Attributes for Enterprise NOS User Privileges . . . . . . . . 103 TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . 104 How TACACS+ Authentication Works. . . . . . . . . . . . . . . . 104 TACACS+ Authentication Features in Enterprise NOS . . . . . . . . . 105 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . 105 Backdoor . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Command Authorization and Logging . . . . . . . . . . . . . . . . 107 TACACS+ Password Change . . . . . . . . . . . . . . . . . . . . 109 Configuring TACACS+ Authentication on the Switch . . . . . . . . . 109 LDAP Authentication and Authorization . . . . . . . . . . . . . . . . 110 Configuring the LDAP Server. . . . . . . . . . . . . . . . . . . . 110 Configuring LDAP Authentication on the Switch . . . . . . . . . . . 111 © Copyright Lenovo 2017 Contents...
Page 6 Chapter 6. 802.1X Port-Based Network Access Control ..113 Extensible Authentication Protocol over LAN . . . . . . . . . . . . . . 114 EAPoL Authentication Process . . . . . . . . . . . . . . . . . . . 115 EAPoL Message Exchange . . . . . . . . . . . . . . . . . . . . . 116 EAPoL Port States . . . . . . . . . . . . . . . . . . . . . . . . 116 Guest VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Supported RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . 118 EAPoL Configuration Guidelines . . . . . . . . . . . . . . . . . . . . 120 Chapter 7. Access Control Lists....121 Summary of Packet Classifiers . . . . . . . . . . . . . . . . . . . . . ...
Page 7 Chapter 10. Spanning Tree Protocols....171 Spanning Tree Protocol Modes . . . . . . . . . . . . . . . . . . . . . 172 Global STP Control . . . . . . . . . . . . . . . . . . . . . . . . 172 PVRST Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Port States . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Bridge Protocol Data Units . . . . . . . . . . . . . . . . . . . . . 174 Determining the Path for Forwarding BPDUs . . . . . . . . . . . 174 Bridge Priority . . . . . . . . . . . . . . . . . . . . . . . . 174 Port Priority . . . . . . . . . . . . . . . . . . . . . . . . . 175 Root Guard . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Loop Guard. . . . . . . . . . . . . . . . . . . . . . . . . . 175 Port Path Cost. . . . . . . . . . . . . . . . . . . . . . . . . 176 Simple STP Configuration . . . . . . . . . . . . . . . . . . . . . 176 Per‐VLAN Spanning Tree Groups . . . . . . . . . . . . . . . . . . 178 Using Multiple STGs to Eliminate False Loops. . . . . . . . . . . 178 VLAN and STG Assignment . . . . . . . . . . . . . . . . . . 179 Manually Assigning STGs . . . . . . . . . . . . . . . . . . . 180 Guidelines for Creating VLANs . . . . . . . . . . . . . . . . . 180 Rules for VLAN Tagged Ports . . . . . . . . . . . . . . . . . . 180 Adding and Removing Ports from STGs . . . . . . . . . . . . . 181 Switch‐Centric Configuration . . . . . . . . . . . . . . . . . . 182 Configuring Multiple STGs . . . . . . . . . . . . . . . . . . . . . 183 © Copyright Lenovo 2017 Contents...
Page 8 Rapid Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . 185 Port States . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 RSTP Configuration Guidelines . . . . . . . . . . . . . . . . . . . 185 RSTP Configuration Example. . . . . . . . . . . . . . . . . . . . 186 Multiple Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . 187 MSTP Region. . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Common Internal Spanning Tree . . . . . . . . . . . . . . . . . . 187 MSTP Configuration Guidelines . . . . . . . . . . . . . . . . . . 188 MSTP Configuration Examples . . . . . . . . . . . . . . . . . . . 188 MSTP Configuration Example 1 . . . . . . . . . . . . . . . . . 188 MSTP Configuration Example 2 . . . . . . . . . . . . . . . . . 189 Port Type and Link Type . . . . . . . . . . . . . . . . . . . . . . . 191 Edge/Portfast Port . . . . . . . . . . . . . . . . . . . . . . . . 191 Link Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Chapter 11. Virtual Link Aggregation Groups ... . 193 VLAG Capacities . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 9 Configuring a Management IP Interface . . . . . . . . . . . . . . . 243 Additional Master Configuration . . . . . . . . . . . . . . . . . . 244 Viewing Stack Connections . . . . . . . . . . . . . . . . . . . 244 Binding Members to the Stack . . . . . . . . . . . . . . . . . . 245 Assigning a Stack Backup Switch . . . . . . . . . . . . . . . . 245 Managing a Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Connecting to Stack Switches via the Master . . . . . . . . . . . . . 246 Rebooting Stacked Switches via the Master . . . . . . . . . . . . . . 246 Rebooting Stacked Switches using the ISCLI . . . . . . . . . . . 246 Rebooting Stacked Switches using the BBI . . . . . . . . . . . . 247 Upgrading Software in a Stack . . . . . . . . . . . . . . . . . . . . . 248 New Hybrid Stack . . . . . . . . . . . . . . . . . . . . . . . . 248 Converting a EN4093R Stack to a Hybrid Stack . . . . . . . . . . . . 248 New Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 Replacing or Removing Stacked Switches . . . . . . . . . . . . . . . . 249 Removing a Switch from the Stack. . . . . . . . . . . . . . . . . . 249 Installing the New Switch or Healing the Topology . . . . . . . . . . 249 Binding the New Switch to the Stack. . . . . . . . . . . . . . . . . 251 Performing a Rolling Reload or Upgrade . . . . . . . . . . . . . . . 252 Starting a Rolling Reload . . . . . . . . . . . . . . . . . . . . 252 Starting a Rolling Upgrade . . . . . . . . . . . . . . . . . . . 252 Saving Syslog Messages . . . . . . . . . . . . . . . . . . . . . . 254 Flexible Port Mapping in Stacking . . . . . . . . . . . . . . . . . . . 256 ISCLI Stacking Commands. . . . . . . . . . . . . . . . . . . . . . . 258 © Copyright Lenovo 2017 Contents...
Page 10 Chapter 14. Virtualization ....259 Chapter 15. Virtual NICs ..... 261 vNIC IDs on the Switch . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 11 FCoE Example Configuration . . . . . . . . . . . . . . . . . . . . . 326 Chapter 18. Fibre Channel ....329 Ethernet vs. Fibre Channel . . . . . . . . . . . . . . . . . . . . . . . 330 Supported Switch Roles . . . . . . . . . . . . . . . . . . . . . . . . 331 NPV Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . 331 Full‐Fabric FC/FCoE Switch . . . . . . . . . . . . . . . . . . . . 332 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 © Copyright Lenovo 2017 Contents...
Page 12 Implementing Fibre Channel. . . . . . . . . . . . . . . . . . . . . . 333 Port Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . 333 Fibre Channel VLANs . . . . . . . . . . . . . . . . . . . . . . . 334 Port Membership . . . . . . . . . . . . . . . . . . . . . . . . . 334 Switching Mode . . . . . . . . . . . . . . . . . . . . . . . . . 335 NPV Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . 336 NPV Port Traffic Mapping . . . . . . . . . . . . . . . . . . . 336 NPV Disruptive Load‐Balancing . . . . . . . . . . . . . . . . 336 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . 337 Full Fabric Mode . . . . . . . . . . . . . . . . . . . . . . . . . 338 Full Fabric Zoning. . . . . . . . . . . . . . . . . . . . . . . 338 Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 E‐Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Optimized FCoE Traffic Flow . . . . . . . . . . . . . . . . . . 342 Storage Management Initiative Specification (SMI‐S) . . . . . . . . . 343 Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . 343 Fibre Channel Configuration . . . . . . . . . . . . . . . . . . . . . . 344 Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . ...
Page 13 BOOTP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . 399 BOOTP Relay Agent Configuration . . . . . . . . . . . . . . . . . 399 Domain‐Specific BOOTP Relay Agent Configuration. . . . . . . . . . 400 Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . 401 DHCP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . 401 DHCP Relay Agent Configuration. . . . . . . . . . . . . . . . . . 402 Chapter 24. Internet Protocol Version 6 ....403 IPv6 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . 404 IPv6 Address Format . . . . . . . . . . . . . . . . . . . . . . . . . 405 © Copyright Lenovo 2017 Contents...
Page 14 IPv6 Address Types . . . . . . . . . . . . . . . . . . . . . . . . . 406 Unicast Address . . . . . . . . . . . . . . . . . . . . . . . . . 406 Multicast Address . . . . . . . . . . . . . . . . . . . . . . . . 406 Anycast Address . . . . . . . . . . . . . . . . . . . . . . . . . 407 IPv6 Address Auto‐configuration. . . . . . . . . . . . . . . . . . . . 408 IPv6 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . 410 Host vs. Router . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Supported Applications . . . . . . . . . . . . . . . . . . . . . . . . 412 IPv6 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . 414 IPv6 Configuration Examples. . . . . . . . . . . . . . . . . . . . 414 IPv6 Configuration Example 1 . . . . . . . . . . . . . . . . . 414 IPv6 Configuration Example 2 . . . . . . . . . . . . . . . . . 415 Chapter 25. Using IPsec with IPv6 ....417 IPsec Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 15 Chapter 30. OSPF ......467 OSPFv2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 467 Types of OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . 468 Types of OSPF Routing Devices . . . . . . . . . . . . . . . . . . . 469 Neighbors and Adjacencies . . . . . . . . . . . . . . . . . . . . . 470 The Link‐State Database . . . . . . . . . . . . . . . . . . . . . . 470 The Shortest Path First Tree . . . . . . . . . . . . . . . . . . . . 471 Internal Versus External Routing . . . . . . . . . . . . . . . . . . 471 © Copyright Lenovo 2017 Contents...
Page 16 OSPFv2 Implementation in Enterprise NOS . . . . . . . . . . . . . . . 472 Configurable Parameters. . . . . . . . . . . . . . . . . . . . . . 472 Defining Areas . . . . . . . . . . . . . . . . . . . . . . . . . . 473 Assigning the Area Index . . . . . . . . . . . . . . . . . . . 473 Using the Area ID to Assign the OSPF Area Number. . . . . . . . 474 Attaching an Area to a Network. . . . . . . . . . . . . . . . . 474 Interface Cost . . . . . . . . . . . . . . . . . . . . . . . . . . 475 Electing the Designated Router and Backup . . . . . . . . . . . . . 475 Summarizing Routes . . . . . . . . . . . . . . . . . . . . . . . 475 Default Routes . . . . . . . . . . . . . . . . . . . . . . . . . . 476 Virtual Links . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 Router ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 478 Configuring Plain Text OSPF Passwords . . . . . . . . . . . . . 479 Configuring MD5 Authentication . . . . . . . . . . . . . . . . 480 Host Routes for Load Balancing. . . . . . . . . . . . . . . . . . . ...
Page 17 Manual Monitor Example . . . . . . . . . . . . . . . . . . . . . 522 Chapter 34. Virtual Router Redundancy Protocol ... 523 VRRP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 VRRP Components . . . . . . . . . . . . . . . . . . . . . . . . 524 Virtual Router. . . . . . . . . . . . . . . . . . . . . . . . . 524 Virtual Router MAC Address . . . . . . . . . . . . . . . . . . 524 Owners and Renters . . . . . . . . . . . . . . . . . . . . . . 524 Master and Backup Virtual Router . . . . . . . . . . . . . . . . 524 Virtual Interface Router . . . . . . . . . . . . . . . . . . . . 525 VRRP Operation . . . . . . . . . . . . . . . . . . . . . . . . . 525 Selecting the Master VRRP Router . . . . . . . . . . . . . . . . . . 525 © Copyright Lenovo 2017 Contents...
Page 18 Failover Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . 526 Active‐Active Redundancy . . . . . . . . . . . . . . . . . . . . . 527 Hot‐Standby Redundancy . . . . . . . . . . . . . . . . . . . . . 527 Virtual Router Group . . . . . . . . . . . . . . . . . . . . . . . 528 Enterprise NOS Extensions to VRRP . . . . . . . . . . . . . . . . . . 529 Virtual Router Deployment Considerations . . . . . . . . . . . . . . . 530 Assigning VRRP Virtual Router ID . . . . . . . . . . . . . . . . . 530 Configuring the Switch for Tracking. . . . . . . . . . . . . . . . . 530 High Availability Configurations . . . . . . . . . . . . . . . . . . . . 531 Active‐Active Configuration . . . . . . . . . . . . . . . . . . . . 531 Task 1: Configure CN4093 1 . . . . . . . . . . . . . . . . . . 532 Task 2: Configure CN4093 2 . . . . . . . . . . . . . . . . . . 533 Hot‐Standby Configuration . . . . . . . . . . . . . . . . . . . . 535 Task 1: Configure CN4093 1 . . . . . . . . . . . . . . . . . . 536 Task 2: Configure CN4093 2 . . . . . . . . . . . . . . . . . . 537 Part 7:.
Page 19 Part 8:. Monitoring ..... . . 595 Chapter 40. Remote Monitoring ....597 RMON Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 597 RMON Group 1–Statistics . . . . . . . . . . . . . . . . . . . . . . . 598 RMON Group 2–History. . . . . . . . . . . . . . . . . . . . . . . . 599 History MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . 599 Configuring RMON History . . . . . . . . . . . . . . . . . . . . 599 © Copyright Lenovo 2017 Contents...
Page 20 RMON Group 3–Alarms . . . . . . . . . . . . . . . . . . . . . . . 601 Alarm MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . 601 Configuring RMON Alarms . . . . . . . . . . . . . . . . . . . . 601 Alarm Example 1 . . . . . . . . . . . . . . . . . . . . . . . 601 Alarm Example 2 . . . . . . . . . . . . . . . . . . . . . . . 602 RMON Group 9–Events . . . . . . . . . . . . . . . . . . . . . . . . 603 Chapter 41. sFLOW ..... . . 605 sFlow Statistical Counters . . . . . . . . . . . . . . . . . . . . . . . ...
Page 21: Preface
Part 1: Getting Started This material is intended to help those new to Enterprise NOS products with the basics of switch management. This part includes the following chapters:  Chapter 1, “Switch Administration,” describes how to access the CN4093 in order to configure the switch and view switch information and statistics. This chapter discusses a variety of manual administration interfaces, including local management via the switch console, and remote administration via Telnet, a web browser or via SNMP.  Chapter 2, “Initial Setup,” describes how to use the built‐in Setup utility to perform first‐time configuration of the switch.  Chapter 3, “Switch Software Management,” describes how to update the N/OS software operating on the switch. Part 2: Securing the Switch  Chapter 4, “Securing Administration,” describes methods for changing the default switch passwords, using Secure Shell and Secure Copy for administration connections, configuring end‐user access control, and placing the switch in protected mode. Chapter 5, “Authentication & Authorization Protocols,” describes different  secure administration for remote administrators. This includes using Remote Authentication Dial‐in User Service (RADIUS), as well as TACACS+ and LDAP. © Copyright Lenovo 2017...
Page 22: Part 4: Advanced Switching Features
(STP) configures the network so that the switch selects the most efficient path when multiple paths exist. Also includes the Rapid Spanning Tree Protocol (RSTP), Per‐VLAN Rapid Spanning Tree Plus (PVRST+), and Multiple Spanning Tree Protocol (MSTP) extensions to STP.  Chapter 11, “Virtual Link Aggregation Groups,” describes using Virtual Link Aggregation Groups (vLAG) to form LAGs spanning multiple vLAG‐capable aggregator switches.  Chapter 12, “Quality of Service,” discusses Quality of Service (QoS) features, including IP filtering using Access Control Lists (ACLs), Differentiated Services, and IEEE 802.1p priority values. Part 4: Advanced Switching Features  Chapter 13, “Stacking,” describes how to implement the stacking feature in the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch. Chapter 14, “Virtualization,” provides an overview of allocating resources  based on the logical needs of the data center, rather than on the strict, physical nature of components.  Chapter 15, “Virtual NICs,” discusses using virtual NIC (vNIC) technology to divide NICs into multiple logical, independent instances.  Chapter 16, “VMready,” discusses virtual machine (VM) support on the CN4093. Chapter 17, “FCoE and CEE,” discusses using various Converged Enhanced  Ethernet (CEE) features such as Priority‐based Flow Control (PFC), Enhanced ...
Page 23: Part 5: Ip Routing
27, “Internet Group Management Protocol,” describes how the Enterprise NOS software implements IGMP Snooping or IGMP Relay to conserve bandwidth in a multicast‐switching environment.  Chapter 28, “Multicast Listener Discovery,” describes how Multicast Listener Discovery (MLD) is used with IPv6 to support host users requests for multicast data for a multicast group.  Chapter 29, “Border Gateway Protocol,” describes Border Gateway Protocol (BGP) concepts and features supported in Enterprise NOS.  Chapter 30, “OSPF,” describes key Open Shortest Path First (OSPF) concepts and their implemented in Enterprise NOS, and provides examples of how to configure your switch for OSPF support.  Chapter 31, “Protocol Independent Multicast,” describes how multicast routing can be efficiently accomplished using the Protocol Independent Multicast (PIM) feature. Part 6: High Availability Fundamentals  Chapter 32, “Basic Redundancy,” describes how the CN4093 supports redundancy through aggregation and Hotlinks.  Chapter 33, “Layer 2 Failover,” describes how the CN4093 supports high‐availability network topologies using Layer 2 Failover. © Copyright Lenovo 2017 Preface...
Page 24: Part 7: Network Management
 Chapter 34, “Virtual Router Redundancy Protocol,” describes how the CN4093 supports high‐availability network topologies using Virtual Router Redundancy Protocol (VRRP). Part 7: Network Management Chapter 35, “Link Layer Discovery Protocol,” describes how Link Layer  Discovery Protocol helps neighboring network devices learn about each others’ ports and capabilities.  Chapter 36, “Simple Network Management Protocol,” describes how to configure the switch for management through an SNMP client. Chapter 37, “Service Location Protocol,” describes the Service Location Protocol  (SLP) that allows the switch to provide dynamic directory services.  Chapter 38, “System License Keys,” describes how to manage Features on Demand (FoD) licenses and how to allocate bandwidth between physical ports within the installed licenses’ limitations. Part 8: Monitoring  Chapter 40, “Remote Monitoring,” describes how to configure the RMON agent on the switch, so that the switch can exchange network monitoring data.  Chapter 41, “sFLOW, described how to use the embedded sFlow agent for sampling network traffic and providing continuous monitoring information to a central sFlow analyzer.  Chapter 42, “Port Mirroring,” discusses tools how copy selected port traffic to a ...
Page 25: Additional References
Additional References Additional information about installing and configuring the CN4093 is available in the following guides:  Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Installation Guide  Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Command Reference for Lenovo Network Operating System 8.4  Lenovo Network Browser‐Based Interface Quick Guide © Copyright Lenovo 2017 Preface...
Page 26: Typographic Conventions
Typographic Conventions The following table describes the typographic styles used in this book. Table 1. Typographic Conventions Typeface or Meaning Example Symbol ABC123 This type is used for names of View the readme.txt file. commands, files, and directories used within the text. Main# It also depicts on‐screen computer output and prompts. ABC123 Main# sys This bold type appears in command examples. It shows text that must be typed in exactly as shown. <ABC123> This italicized type appears in To establish a Telnet session, command examples as a enter: host# telnet <IP address> parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, Read your User’s Guide ...
Page 28 CN4093 Application Guide for N/OS 8.4...
Page 29: Chapter 1. Switch Administration
Chapter 1. Switch Administration Your CN4093 10 Gb Converged Scalable Switch is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively. The extensive Enterprise NOS switching software included in the CN4093 provides a variety of options for accessing the switch to perform configuration, and to view switch information and statistics. This chapter discusses the various methods that can be used to administer the switch. © Copyright Lenovo 2017...
Page 30: Administration Interfaces
 The Flex System chassis management module tools for general chassis management  A built‐in, text‐based command‐line interface and menu system for access via serial‐port connection or an optional Telnet or SSH session  The built‐in Browser‐Based Interface (BBI) available using a standard web‐browser  SNMP support for access through network management software such as IBM Director. The specific interface chosen for an administrative session depends on user preferences, as well as the switch configuration and the available client tools. In all cases, administration requires that the switch hardware is properly installed and turned on. (see the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Installation Guide). Chassis Management Module The CN4093 10 Gb Converged Scalable Switch is an integral subsystem within the overall Lenovo Flex System. The Flex System chassis also includes a chassis management module (CMM) as the central element for overall chassis management and control. Using the tools available through the CMM, the administrator can configure many of the CN4093 features and can also access other CN4093 administration interfaces. For more information, see “Using the Chassis Management Module” on page Industry Standard Command Line Interface The Industry Standard Command Line Interface (ISCLI) provides a simple, direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance. You can establish a connection to the CLI in any of the following ways: ...
Page 31: Browser-Based Interface
Browser-Based Interface The Browser‐based Interface (BBI) provides access to the common configuration, management and operation features of the CN4093 through your Web browser. For more information, refer to the Enterprise NOS BBI Quick Guide. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 32: Establishing A Connection
 Out‐of‐band Management Port 1: 192.168.50.50/24 Remote access using the network requires the accessing terminal to have a valid, routable connection to the switch interface. The client IP address may be configured manually, or an IPv4 address can be provided automatically through the switch using a service such as DHCP or BOOTP relay (see “BOOTP/DHCP Client IP Address Services” on page 40), or an IPv6 address can be obtained using IPv6 stateless address configuration. Note: Throughout this manual, IP address is used in places where either an IPv4 or IPv6 address is allowed. IPv4 addresses are entered in dotted‐decimal notation (for example, 10.10.10.1), while IPv6 addresses are entered in hexadecimal notation (for example, 2001:db8:85a3::8a2e:370:7334). In places where only one type of address is allowed, IPv4 address or IPv6 address is specified. Using the Chassis Management Module The CN4093 is an integral subsystem within the overall Lenovo Flex System. The Flex System chassis includes a chassis management module (CMM) as the central element for overall chassis management and control. The CN4093 uses port 43 (MGT1) to communicate with the chassis management module(s). Even when the CN4093 is in a factory default configuration, you can use the 1Gb Ethernet port on each CMM to configure and manage the CN4093. For more information about using the chassis management module, see the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Installation Guide. Factory-Default vs. CMM-Assigned IP Addresses Each CN4093 must be assigned its own Internet Protocol version 4 (IPv4) address, which is used for communication with an SNMP network manager or other transmission control protocol/Internet Protocol (TCP/IP) applications (for example, BOOTP or TFTP). The factory‐default IPv4 address is 10.90.90.x, where x is based on the number of the bay into which the CN4093 is installed. For additional information, see the Installation Guide. The chassis management module assigns an IPv4 address of 192.168.70.1xx, where xx is also based on the number of the bay ...
Page 33: Using Telnet
CN 4093(config)# [no] access telnet enable Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the following Telnet command: telnet <switch IPv4 or IPv6 address> You will then be prompted to enter a password as explained “Switch Login Levels” on page Two attempts are allowed to log in to the switch. After the second unsuccessful attempt, the Telnet client is disconnected via TCP session closure. Using Secure Shell Although a remote network administrator can manage the configuration of a CN4093 via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure. The switch can do only one session of key/cipher generation at a time. Thus, a SSH/SCP client will not be able to login if the switch is doing key generation at that time. Similarly, the system will fail to do the key generation if a SSH/SCP client is logging in at that time. The supported SSH encryption and authentication methods are listed below.  Server Host Authentication: Client RSA‐authenticates the switch when starting each connection © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 34  Key Exchange: ecdh‐sha2‐nistp521, ecdh‐sha2‐nistp384, ecdh‐sha2‐nistp256, ecdh‐sha2‐nistp224, ecdh‐sha2‐nistp192, rsa2048‐sha256, rsa1024‐sha1, diffie‐hellman‐group‐exchange‐sha256, diffie‐hellman‐group‐exchange‐sha1, diffie‐hellman‐group14‐sha1, diffie‐hellman‐group1‐sha1  Encryption: aes128‐ctr, aes128‐cbc, rijndael128‐cbc, blowfish‐cbc,3des‐cbc, arcfour256, arcfour128, arcfour  MAC: hmac‐sha1, hmac‐sha1‐96, hmac‐md5, hmac‐md5‐96  User Authentication: Local password authentication, RADIUS, TACACS+ CN4093 Application Guide for N/OS 8.4...
Page 35: Using Ssh With Password Authentication
Port type ["DATA"/"MGT"]: mgt Address or name of remote host: 9.43.101.151 Source file name: 11.key Username of the public key: admin Confirm download operation (y/n) ? y Note: When prompted to input a username, a valid user account name must be entered. If no username is entered, the key is stored on the switch, and can be assigned to a user account later. Note: A user account can have up to 100 public keys set up on the switch. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 36: Using A Web Browser
3. Configure a maximum number of 3 failed public key authentication attempts before the system reverts to password‐based authentication: CN 4093(config)# ssh maxauthattempts 3 Once the public key is configured on the switch, the client can use SSH to login from a system where the private key pair is set up: ssh <switch IP address> Using a Web Browser The switch provides a Browser‐Based Interface (BBI) for accessing the common configuration, management and operation features of the CN4093 through your Web browser. You can access the BBI directly from an open Web browser window. Enter the URL using the IP address of the switch interface (for example, http://<IPv4 or IPv6 address>). When you first access the switch, you must enter the default username and password: USERID; PASSW0RD (with a zero). You are required to change the password after first login. Configuring HTTP Access to the BBI By default, BBI access via HTTP is disabled on the switch. To enable or disable HTTP access to the switch BBI, use the following commands: CN 4093(config)# access http enable (Enable HTTP access) ‐or‐ CN 4093(config)# no access http enable (Disable HTTP access) The default HTTP web server port to access the BBI is port 80. However, you can ...
Page 37: Configuring Https Access To The Bbi
Email (eg, email address) []: <email address> Confirm generating certificate? [y/n]: y Generating certificate. Please wait (approx 30 seconds) restarting SSL agent 4. Save the HTTPS certificate. The certificate is valid only until the switch is rebooted. To save the certificate so that it is retained beyond reboot or power cycles, use the following command: CN 4093(config)# access https save-certificate When a client (such as a web browser) connects to the switch, the client is asked to accept the certificate and verify that the fields match what is expected. Once BBI access is granted to the client, the BBI can be used as described in the Enterprise NOS BBI Quick Guide. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 38: Bbi Summary
BBI Summary The BBI is organized at a high level as follows: Context buttons—These buttons allow you to select the type of action you wish to perform. The Configuration button provides access to the configuration elements for the entire switch. The Statistics button provides access to the switch statistics and state information. The Dashboard button allows you to display the settings and operating status of a variety of switch features. Navigation Window—This window provides a menu list of switch features and functions:  System—this folder provides access to the configuration elements for the entire switch.  Switch Ports—Configure each of the physical ports on the switch. Port‐Based Port Mirroring—Configure port mirroring behavior.   Layer 2—Configure Layer 2 features for the switch.  RMON Menu—Configure Remote Monitoring features for the switch.  Layer 3—Configure Layer 3 features for the switch.  QoS—Configure Quality of Service features for the switch. Access Control—Configure Access Control Lists to filter IP packets.   Virtualization – Configure VMready for virtual machine (VM) support. For information on using the BBI, refer to the Enterprise NOS BBI Quick Guide. CN4093 Application Guide for N/OS 8.4...
Page 39: Using Simple Network Management Protocol
To access the SNMP agent on the CN4093, the read and write community strings on the SNMP manager should be configured to match those on the switch. The read and write community strings on the switch can be changed using the following commands: CN 4093(config)# snmp-server read-community <1‐32 characters> CN 4093(config)# snmp-server write-community <1‐32 characters> The SNMP manager should be able to reach any one of the IP interfaces on the switch. For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following commands: CN 4093(config)# snmp-server trap-source <trap source IP interface> CN 4093(config)# snmp-server host <IPv4 address> <trap host community string> For more information on SNMP usage and configuration, see “Simple Network Management Protocol” on page 555. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 40: Bootp/Dhcp Client Ip Address Services
BOOTP/DHCP Client IP Address Services For remote switch administration, the client terminal device must have a valid IP address on the same network as a switch interface. The IP address on the client device may be configured manually, or obtained automatically using IPv6 stateless address configuration, or an IPv4 address may obtained automatically via BOOTP or DHCP relay as discussed below. The CN4093 can function as a relay agent for Bootstrap Protocol (BOOTP) or DHCP. This allows clients to be assigned an IPv4 address for a finite lease period, reassigning freed addresses later to other clients. Acting as a relay agent, the switch can forward a client’s IPv4 address request to up to five BOOTP/DHCP servers. In addition to the five global BOOTP/DHCP servers, up to five domain‐specific BOOTP/DHCP servers can be configured for each of up to 10 VLANs. When a switch receives a BOOTP/DHCP request from a client seeking an IPv4 address, the switch acts as a proxy for the client. The request is forwarded as a UDP Unicast MAC layer message to the BOOTP/DHCP servers configured for the client’s VLAN, or to the global BOOTP/DHCP servers if no domain‐specific BOOTP/DHCP servers are configured for the client’s VLAN. The servers respond to the switch with a Unicast reply that contains the IPv4 default gateway and the IPv4 address for the client. The switch then forwards this reply back to the client. DHCP is described in RFC 2131, and the DHCP relay agent supported on the CN4093 is described in RFC 1542. DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68. BOOTP and DHCP relay are collectively configured using the BOOTP commands and menus on the CN4093. Host Name Configuration The CN4093 supports DHCP host name configuration as described in RFC 2132, option 12. DHCP host name configuration is enabled by default. Host name can be manually configured using the following command: CN 4093(config)# hostname <name> If the host name is manually configured, the switch does not replace it with the ...
Page 41: Syslog Server
An untrusted interface is a port that is configured to receive packets from outside the network or firewall. A trusted interface receives packets only from within the network. By default, all DHCP ports are untrusted. The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and port number that correspond to the local untrusted interface on the switch; it does not contain information regarding hosts interconnected with a trusted interface. By default, DHCP snooping is disabled on all VLANs. You can enable DHCP snooping on one or more VLANs. You must enable DHCP snooping globally. To enable this feature, enter the following commands: CN 4093(config)# ip dhcp snooping vlan <vlan number(s)> CN 4093(config)# ip dhcp snooping Note: When you make a DHCP release from a client, the switch does not forward the Unicast DHCP release packet to the server, the entry is not removed from the DHCP snooping binding table, and the counter for Received Request packets does not increase even though the release packet does arrive at the switch. If you want the DHCP Renew/Release packet to be forwarded to the server and the corresponding entry removed from the DHCP snooping binding table, configure an interface IP address with the sam subnet in the same VLAN. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 42: Easy Connect Wizard
Easy Connect Wizard Lenovo EasyConnect (EZC) is a feature designed to simplify switch configuration. A set of predefined configurations can be applied on the switch via ISCLI. By launching the EZC Wizard, you are prompted for a minimal set of input and the tool automatically customizes the switch software. The EZC Wizard allows you to choose one of the following configuration modes: Basic System mode supports settings for hostname, static management port IP,  netmask, and gateway.  Transparent mode collects server and uplink port settings. vNIC groups are used to define the loop free domains. Note: You can either accept the static defaults or enter a different port list for uplink and/or server ports.  Redundant mode refers to VLAG settings. The EZC configuration will be applied immediately. Any existing configuration will be deleted, the current active or running configuration will not be merged or appended to the EZC configuration. For any custom settings that are not included in the predefined configuration sets, the user has to do it manually. Notes:  EZC is not available in stacking mode.  To support scripting, the feature also has a single‐line format. For more information, please refer to Lenovo Networking ISCLI Reference Guide. Note: To support scripting, the feature also has a single‐line format. For more information, please refer to Lenovo Networking ISCLI Reference Guide. Configuring the Easy Connect Wizard To launch the EZC Wizard, use the following command: CN 4093# easyconnect The wizard displays the available predefined configuration modes. You are ...
Page 43: Basic System Mode Configuration Example
Please enter "dhcp" for dhcp IP. Select management IP address (Current: 10.241.13.32)? Enter management netmask(Current: 255.255.255.128)? Enter management gateway:(Current: 10.241.13.1)? Pending switch port configuration: Hostname: host Management interface: Port: 10.241.13.32 Netmask: 255.255.255.128 Gateway: 10.241.13.1 Note: You can either accept the default values or enter new parameters. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 44: Transparent Mode Configuration Example
Transparent Mode Configuration Example This example shows the parameters available for configuration in Transparent mode: CN 4093# # easyconnect Configure Transparent mode (yes/no)? y Select Uplink Ports (Static Defaults: 17-24)? The following Uplink ports will be enabled: Uplink ports(1G/10G): 17-24 Select Server Ports (Static Defaults: 25-64)? The following Server ports will be enabled: Server ports(1G/10G): 25-64 Pending switch configuration:...
Page 45: Redundant Mode Configuration Example
TierID: vLAG Peer IP: 1.1.1.2 Uplink Ports: Downlink Ports: Disabled Ports: empty Hostname: Primary VLAG Management interface: 192.168.49.50 Netmask: 255.255.255.0 Gateway: 0.0.0.0 Confirm erasing current config to re-configure Easy Connect (yes/no)? © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 46 Notes:  If your selection for a port group contains ports of different speed, the selection is not valid, and you are guided to either select other ports or change the speed of the ports.  All unused port are configured as shut down in the configuration dump. You can either accept the static defaults or enter a different port list for ISL,  uplink, and/or downlink ports. CN4093 Application Guide for N/OS 8.4...
Page 47: Switch Login Levels
Table 3. User Access Levels ‐ Default Settings User Password Description and Tasks Performed Status Account user user The User has no direct responsibility for Disabled switch management. He or she can view all switch status information and statistics, but cannot make any configuration changes to the switch. oper oper The Operator manages all functions of the Disabled switch. The Operator can reset ports, except the management ports. admin admin The Administrator has complete access to all Enabled menus, information and configuration commands on the CN4093, including the ability to change both the user and administrator passwords. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 48 Note: Access to each user level (except admin account) can be disabled by setting the password to an empty value. To disable admin account, use the command: CN 4093(config)# no access user administrator-enable. Admin account can be disabled only if there is at least one user account enabled and configured with administrator privilege. CN4093 Application Guide for N/OS 8.4...
Page 49: Administrator Password Recovery
R - Boot in recovery mode (xmodem download of images to recover switch) Q - Reboot E - Exit Please choose your menu option: c Currently using active configuration block Enter configuration block: a, b or f (active, backup or factory): f © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 50 5. Enter Q to reboot the switch: Boot Management Menu I - Change booting image C - Change configuration block R - Boot in recovery mode (xmodem download of images to recover switch) Q - Reboot E - Exit Please choose your menu option: q Resetting the board.
Page 51: Secure Ftp
Secure FTP Enterprise NOS supports Secure FTP (SFTP) to the switch. SFTP uses Secure Shell (SSH) to transfer files. SFTP encrypts both commands and data, and prevents passwords and sensitive information from being transmitted openly over the network. All file transfer commands include SFTP support along with FTP and TFTP support. SFTP is available through the menu‐based CLI, ISCLI, BBI, and SNMP. The following examples illustrate SFTP support for ISCLI commands: CN 4093# copy sftp {image1|image2|boot-image} [mgt-port|data-port] (Copy software image from SFTP server to the switch) CN 4093# copy sftp {ca-cert|host-cert|host-key} [mgt-port|data-port] (Copy HTTPS certificate or host key from SFTP server to the switch) © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 52: Boot Strict Mode
Boot Strict Mode The implementations specified in this section are compliant with National Institute of Standards and Technology (NIST) Special Publication (SP) 800‐131A. The CN4093 10 Gb Converged Scalable Switch can operate in two boot modes:  Compatibility mode (default): This is the default switch boot mode. This mode may use algorithms and key lengths that may not be allowed/acceptable by NIST SP 800‐131A specification. This mode is useful in maintaining compatibility with previous releases and in environments that have lesser data security requirements.  Strict mode: Encryption algorithms, protocols, and key lengths in strict mode are compliant with NIST SP 800‐131A specification. When in boot strict mode, the switch uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.2 protocols to ensure confidentiality of the data to and from the switch. By default, HTTP, Telnet, and SNMPv1 and SNMPv2 are disabled on the CN4093. Before enabling strict mode, ensure the following:  The software version on all connected switches is Enterprise NOS 8.4.  NIST Strict compliance is enabled on the Chassis Management Module.  The supported protocol versions and cryptographic cipher suites between clients and servers are compatible. For example: if using SSH to connect to the switch, ensure that the SSH client supports SSHv2 and a strong cipher suite that is compliant with the NIST standard. Compliant Web server certificate is installed on the switch, if using BBI.   A new self‐signed certificate is generated for the switch (CN 4093(config)# access https generate-certificate). The new certificate is generated using 2048‐bit RSA key and SHA‐256 digest.  Protocols that are not NIST SP 800‐131A compliant must be disabled or not ...
Page 53 Secure NTP does not comply with Acceptable NIST SP 800-131A specification. When in strict mode, secure NTP is dis- abled. However, it can be enabled, if required. SHA-256 or higher RSA/DSA 2048 or higher © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 54 Table 4. Acceptable Protocols and Algorithms Protocol/Function Strict Mode Algorithm Compatibility Mode Algorithm SNMP SNMPv3 only SNMPv1, SNMPv2, SNMPv3 AES-128-CFB-128/SHA1 DES/MD5, AES-128-CFB-128/SHA1 Note: Following algorithms are accept- able if you choose to support old SNMPv3 factory default users: AES-128-CFB/SHA1 DES/MD5 AES-128-CFB-128/SHA1 SSH/SFTP Host Key SSH-RSA SSH-RSA Key Exchange...
Page 55: Acceptable Cipher Suites
AES_128_CBC SHA1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC012 ECDHE 3DES SHA1 SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0033 AES-128_CBC SHA1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0067 AES_128_CBC SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0016 3DES SHA1 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x002F AES_128_CBC SHA1 TLS_RSA_WITH_AES_128_CBC_SHA 0x003C AES_128_CBC SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 0x000A 3DES SHA1 SSL_RSA_WITH_3DES_EDE_CBC_SHA © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 56: Configuring Strict Mode
Configuring Strict Mode To change the switch mode to boot strict mode, use the following command: CN 4093(config)# [no] boot strict enable When strict mode is enabled, you will see the following message: Warning, security strict mode limits the cryptographic algorithms used by secure protocols on this switch. Please see the documentation for full details, and verify that peer devices support acceptable algorithms before enabling this mode.
Page 57: Configuring No-Prompt Mode
Configuring No-Prompt Mode If you expect to administer the switch using SNSC or another browser‐based interface, you need to turn off confirmation prompts. When CLI confirmation prompts are disabled, the switch will choose the default answer. To accomplish this, use one of the following commands: CN 4093(config)# [no] prompting Note: This command will disable CLI confirmation prompts for current and future sessions. CN 4093(config)# [no] terminal dont-ask Note: This command will disable CLI confirmation prompts for the current session only. It also takes precedence over the prompting command ‐ any settings configured through the prompting command will be disregarded for the duration of the current session. For more details, see the Lenovo Flex System Fabric CN4093 10 Gb Converged Scalable Switch Command Reference for Enterprise NOS 8.4. © Copyright Lenovo 2017 Chapter 1: Switch Administration...
Page 58 CN4093 Application Guide for N/OS 8.4...
Page 59: Chapter 2. Initial Setup
Chapter 2. Initial Setup To help with the initial process of configuring your switch, the Enterprise NOS software includes a Setup utility. The Setup utility prompts you step‐by‐step to enter all the necessary information for basic configuration of the switch. Setup can be activated manually from the command line interface any time after login: CN 4093(config)# setup © Copyright Lenovo 2017...
Page 60: Information Needed For Setup
Information Needed for Setup Setup requests the following information:  Basic system information Date & time  Whether to use Spanning Tree Group or not   Optional configuration for each port Speed, duplex, flow control, and negotiation mode (as appropriate)  Whether to use VLAN tagging or not (as appropriate)  Optional configuration for each VLAN  Name of VLAN  Which ports are included in the VLAN   Optional configuration of IP parameters IP address/mask and VLAN for each IP interface  IP addresses for default gateway  Whether IP forwarding is enabled or not  CN4093 Application Guide for N/OS 8.4...
Page 61: Default Setup Options
Enter login password: 2. Enter USERID as the default administrator and PASSW0RD (with a zero) as the default password. 3. Enter the following command at the prompt: CN 4093(config)# setup Stopping Setup To abort the Setup utility, press <Ctrl+C> during any Setup question. When you abort Setup, the system will prompt: Would you like to run from top again? [y/n] Enter n to abort Setup, or y to restart the Setup program at the beginning. Restarting Setup You can restart the Setup utility manually at any time by entering the following command at the administrator prompt: CN 4093(config)# setup © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 62: Setup Part 1: Basic System Configuration
Setup Part 1: Basic System Configuration When Setup is started, the system prompts: "Set Up" will walk you through the configuration of System Date and Time, Spanning Tree, Port Speed/Mode, VLANs, and IP interfaces. [type Ctrl-C to abort "Set Up"] 1. Enter y if you will be configuring VLANs. Otherwise enter n. If you decide not to configure VLANs during this session, you can configure them later using the configuration menus, or by restarting the Setup facility. For more information on configuring VLANs, see the Enterprise NOS Application Guide. Next, the Setup utility prompts you to input basic system information. 2.
Page 63 System clock set to 8:55:36 Wed Jan 28, 2012. 8. Turn BOOTP on or off at the prompt: BootP Option: Current BOOTP: disabled Enter new BOOTP [d/e]: Enter e to enable BOOTP, or enter d to disable BOOTP. 9. Turn Spanning Tree Protocol on or off at the prompt: Spanning Tree: Current Spanning Tree Group 1 setting: ON Turn Spanning Tree Group 1 OFF? [y/n] Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on. © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 64: Setup Part 2: Port Configuration
Setup Part 2: Port Configuration Note: When configuring port options for your switch, some prompts and options may be different. 1. Select whether you will configure VLANs and VLAN tagging for ports: Port Config: Will you configure VLANs and Tagging/Trunk-mode for ports? [y/n] If you wish to change settings for VLANs, enter y or enter n to skip VLAN configuration. Note: The sample screens that appear in this document might differ slightly from the screens displayed by your system. Screen content varies based on the type of chassis unit that you are using and the firmware versions and options that are installed. 2. Select the port to configure, or skip port configuration at the prompt: If you wish to change settings for individual ports, enter the number of the port you wish to configure. To skip port configuration, press <Enter> without specifying any port and go to “Setup Part 3: VLANs” on page 66. 3. Configure Gigabit Ethernet port flow parameters. The system prompts: Gig Link Configuration: Port Flow Control: Current Port EXT1 flow control setting: both...
Page 65 If you have selected to configure VLANs back in Part 1, the system prompts: Port Tagging/Trunk-mode config (Tagged/Trunk-mode port can be a member of multiple VLANs): Current Tagging/Trunk-mode support: disabled Enter new Tagging/Trunk-mode support [d/e]: Enter d to disable VLAN tagging for the port or enter e to enable VLAN tagging for the port. To keep the current setting, press <Enter>. 6. The system prompts you to configure the next port: Enter port (INTA1-C14, EXT1-22): When you are through configuring ports, press <Enter> without specifying any port. Otherwise, repeat the steps in this section. © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 66: Setup Part 3: Vlans
Setup Part 3: VLANs If you chose to skip VLANs configuration back in Part 2, skip to “Setup Part 4: IP Configuration” on page 1. Select the VLAN to configure, or skip VLAN configuration at the prompt: VLAN Config: Enter VLAN number from 2 to 4094, NULL at end: If you wish to change settings for individual VLANs, enter the number of the VLAN you wish to configure. To skip VLAN configuration, press <Enter> without typing a VLAN number and go to “Setup Part 4: IP Configuration” on page 2. Enter the new VLAN name at the prompt: Current VLAN name: VLAN 2 Enter new VLAN name: Entering a new VLAN name is optional. To use the pending new VLAN name, press <Enter>. 3. Enter the VLAN port numbers: Define Ports in VLAN: Current VLAN 2: empty Enter ports one per line, NULL at end:...
Page 67: Setup Part 4: Ip Configuration
2. For the specified IP interface, enter the IP address in IPv4 dotted decimal notation: Current IP address: 0.0.0.0 Enter new IP address: To keep the current setting, press <Enter>. 3. At the prompt, enter the IPv4 subnet mask in dotted decimal notation: Current subnet mask: 0.0.0.0 Enter new subnet mask: To keep the current setting, press <Enter>. 4. If configuring VLANs, specify a VLAN for the interface. This prompt appears if you selected to configure VLANs back in Part 1: Current VLAN: Enter new VLAN [1-4094]: Enter the number for the VLAN to which the interface belongs, or press <Enter> without specifying a VLAN number to accept the current setting. © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 68: Default Gateways
5. At the prompt, enter y to enable the IP interface or n to leave it disabled: Enable IP interface? [y/n] 6. The system prompts you to configure another interface: Enter interface number: (1-128) Repeat the steps in this section until all IP interfaces have been configured. When all interfaces have been configured, press <Enter> without specifying any interface number. Default Gateways 1. At the prompt, select an IP default gateway for configuration or skip default gateway configuration: IP default gateways: Enter default gateway number: (1-3, 4) Enter the number for the IP default gateway to be configured. To skip default gateway configuration, press <Enter> without typing a gateway number and go to “IP Routing” on page 2. At the prompt, enter the IPv4 address for the selected default gateway: Current IP address: 0.0.0.0 Enter new IP address: Enter the IPv4 address in dotted decimal notation, or press <Enter> without ...
Page 69: Ip Routing
IP Routing When IP interfaces are configured for the various IP subnets attached to your switch, IP routing between them can be performed entirely within the switch. This eliminates the need to send inter‐subnet communication to an external router device. Routing on more complex networks, where subnets may not have a direct presence on the CN4093, can be accomplished through configuring static routes or by letting the switch learn routes dynamically. This part of the Setup program prompts you to configure the various routing parameters. At the prompt, enable or disable forwarding for IP Routing: Enable IP forwarding? [y/n] Enter y to enable IP forwarding. To disable IP forwarding, enter n. To keep the current setting, press <Enter>. © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 70: Setup Part 5: Final Steps
Setup Part 5: Final Steps 1. When prompted, decide whether to restart Setup or continue: Would you like to run from top again? [y/n] Enter y to restart the Setup utility from the beginning or n to continue. 2. When prompted, decide whether you wish to review the configuration changes: Review the changes made? [y/n] Enter y to review the changes made during this session of the Setup utility. Enter n to continue without reviewing the changes. We recommend that you review the changes. 3. Next, decide whether to apply the changes at the prompt: Apply the changes? [y/n] Enter y to apply the changes or n to continue without applying. Changes are normally applied. 4. At the prompt, decide whether to make the changes permanent: Save changes to flash? [y/n] Enter y to save the changes to flash. Enter n to continue without saving the ...
Page 71: Optional Setup For Telnet Support
Optional Setup for Telnet Support Note: This step is optional. Perform this procedure only if you are planning on connecting to the CN4093 through a remote Telnet connection. 1. Telnet is enabled by default. To change the setting, use the following command: CN 4093(config)# no access telnet © Copyright Lenovo 2017 Chapter 2: Initial Setup...
Page 72 CN4093 Application Guide for N/OS 8.4...
Page 73: Chapter 3. Switch Software Management
CAUTION: Although the typical upgrade process is all that is necessary in most cases, upgrading from (or reverting to) some versions of Lenovo Enterprise Network Operating System requires special steps prior to or after the software installation process. Please be sure to follow all applicable instructions in the release notes document for the specific software release to ensure that your switch continues to operate as expected after installing new software.
Page 74: Loading New Software To Your Switch
Loading New Software to Your Switch The CN4093 can store up to two different switch software images (called image1 and image2) as well as special boot software (called boot). When you load new software, you must specify where it is placed: either into image1, image2 or boot. For example, if your active image is currently loaded into image1, you would probably load the new image software into image2. This lets you test the new software and reload the original active image (stored in image1), if needed. CAUTION: When you upgrade the switch software image, always load the new boot image and the new software image before you reset the switch. If you do not load a new boot image, your switch might not boot properly (To recover, see “Recover from a Failed Image Upgrade using TFTP” on page 80 or “Recovering from a Failed Image Upgrade using XModem Download” on page 82). To load a new software image to your switch, you will need the following:  The image and boot software loaded on an FTP, SFTP or TFTP server on your net‐ work. Note: Be sure to download both the new boot file and the new image file. The hostname or IP address of the FTP, SFTP or TFTP server  Note: The DNS parameters must be configured if specifying hostnames.  The name of the new software image or boot file When the software requirements are met, use one of the following procedures to download the new software to your switch. You can use the ISCLI or the BBI to download and activate new software. Loading Software via the ISCLI 1.
Page 75: Loading Software Via Bbi
FTP server  TFTP server  SFTP server  Local computer After you log onto the BBI, perform the following steps to load a software image: 1. Click the Configure context tab in the toolbar. 2. In the Navigation Window, select System > Config/Image Control. The Switch Image and Configuration Management page appears. 3. If you are loading software from your computer (HTTP client), skip this step and go to the next. Otherwise, if you are loading software from an FTP, SFTP, or TFTP server, enter the server’s information in the FTP, SFTP, or TFTP Settings section. 4. In the Image Settings section, select the image version you want to replace (Image for Transfer).  If you are loading software from an FTP, SFTP, or TFTP server, enter the file name and click Get Image.  If you are loading software from your computer, click Browse. In the File Upload Dialog, select the file and click OK. Then click Download via  Browser. Once the image has loaded, the page refreshes to show the new software. © Copyright Lenovo 2017 Chapter 3: Switch Software Management...
Page 76: Updating Software On Vlag Switches
Updating Software on vLAG Switches When updating the software and boot images for switches configured with vLAG, first: Make sure that the spanning tree root switch is not one of the vLAG switches   Shut down of ports should done under the port configuration Follow the shut down order of the ports  a. ISL links b. vLAG links c. vLAG health check (MGT port) Then follow this procedure to update the software on vLAG switches: 1. On Switch 2 (the original Secondary switch), shut down all links ISL, vLAG links, and vLAG HC. This is equivalent to powering off Switch 2.  All the traffic will failover to Switch 1 (the original Primary switch.).  After the shutdown of links on Switch 2, there will be N‐S traffic loss of around ~0.16 seconds. 2. Upgrade Switch 2 with the new image. Use FTP, STFP, or TFTP to copy the new ENOS and boot images onto the switch. For more details, see “Loading New Software to Your Switch” on page  After Switch 2 comes up, vLAG HC will be up and vLAG mismatch will happen with vLAG ports down (since it is still Secondary).  The traffic will still be forwarding via Switch 1 (the original Primary switch). 3. On Switch 1 (the original Primary switch), shut down all links ISL, vLAG links, and vLAG HC. This is equivalent to powering off Switch 1 (the original Primary switch) ...
Page 77  Switch 1 will reassume the vLAG Primary role and Switch 2 will reassume the vLAG Secondary role. 6. Make sure that Switch 1 is now the vLAG primary switch and Switch 2 is now the vLAG secondary switch using the following command: CN 4093> show vlag information © Copyright Lenovo 2017 Chapter 3: Switch Software Management...
Page 78: The Boot Management Menu
The Boot Management Menu The Boot Management menu allows you to switch the software image, reset the switch to factory defaults, or to recover from a failed software download. You can interrupt the boot process and enter the Boot Management menu from the serial console port. When the system displays Memory Test, press <Shift+B>. The Boot Management menu appears. Boot Management Menu I - Change booting image C - Change configuration block R - Boot in recovery mode (tftp and xmodem download of images to recover switch) Q - Reboot E - Exit Please choose your menu option: The Boot Management menu allows you to perform the following actions: ...
Page 79: Boot Recovery Mode
X) Use xmodem 1K to serial download an image P) Physical presence (low security mode) R) Reboot E) Exit Option? : The Boot Recovery Mode menu allows you to perform the following actions: To recover from a failed software or boot image upgrade using TFTP, press T  and follow the screen prompts. For more details, see “Recover from a Failed Image Upgrade using TFTP” on page  To recover from a failed software or boot image upgrade using XModem download, press X and follow the screen prompts. For more details, see “Recovering from a Failed Image Upgrade using XModem Download” on page  To enable the loading of an unofficial image, press P and follow the screen prompts. For more details, see “Physical Presence” on page  To restart the boot process from the beginning, press R.  To exit Boot Recovery Mode menu, press E. The boot process continues. © Copyright Lenovo 2017 Chapter 3: Switch Software Management...
Page 80: Recover From A Failed Image Upgrade Using Tftp
Recover from a Failed Image Upgrade using TFTP Use the following procedure to recover from a failed image upgrade using TFTP: 1. Connect a PC to the console port of the switch. 2. Open a terminal emulator program that supports Telnet protocol (for example, HyperTerminal, SecureCRT or PuTTY) and input the proper host name (IP address) and port to connect to the console port of the switch. 3. Boot the switch and access the Boot Management menu by pressing <Shift+B> while the Memory Test is in progress and the dots are being displayed. 4. Enter Boot Recovery Mode by pressing R. The Recovery Mode menu will appear. 5. To start the recovery process using TFTP, press T. The following message will appear: Performing TFTP rescue. Please answer the following questions (enter 'q' to quit): 6. Enter the IP address of the management port: IP addr : 7.
Page 81 Please select one of the following options: T) Configure networking and tftp download an image X) Use xmodem 1K to serial download an image P) Physical presence (low security mode) R) Reboot E) Exit Option? : © Copyright Lenovo 2017 Chapter 3: Switch Software Management...
Page 82: Recovering From A Failed Image Upgrade Using Xmodem Download
Recovering from a Failed Image Upgrade using XModem Download Use the following procedure to recover from a failed image upgrade. 1. Connect a PC to the serial port of the switch. 2. Open a terminal emulator program that supports Xmodem download (for example, HyperTerminal, SecureCRT or PuTTY) and select the following serial port characteristics: Speed: 9600 bps  Data Bits: 8  Stop Bits: 1  Parity: None  Flow Control: None  3. Boot the switch and access the Boot Management menu by pressing <Shift+B> while the Memory Test is in progress and the dots are being displayed. 4. Enter Boot Recovery Mode by pressing R. The Recovery Mode menu will appear. 5. Press X for Xmodem download. You will see the following display: Running xmodem rescue..6. When you see the following message, change the Serial Port speed to 115200 bps: Change the baud rate to 115200 bps and hit the <ENTER> key before initiating the download.
Page 83 Please select one of the following options: T) Configure networking and tftp download an image X) Use xmodem 1K to serial download an image P) Physical presence (low security mode) R) Reboot E) Exit Option? : Boot image recovery is complete. © Copyright Lenovo 2017 Chapter 3: Switch Software Management...
Page 84: Physical Presence
Physical Presence Use the following procedure to enable the installation of unofficial images on the switch: 1. Connect a PC to the console port of the switch. 2. Open a terminal emulator program that supports Telnet protocol (for example, HyperTerminal, SecureCRT or PuTTY) and input the proper host name (IP address) and port to connect to the console port of the switch. 3. Boot the switch and access the Boot Management menu by pressing <Shift+B> while the Memory Test is in progress and the dots are being displayed. 4. Enter Boot Recovery Mode by pressing R. The Recovery Mode menu will appear. 5. To begin the Physical Presence procedure, press P. The following warning message will appear: WARNING: the following test is used to determine physical presence and if completed will put the switch in low security mode. 6. You will be prompted for confirmation: Do you wish to continue y/n? 7.
Page 86 CN4093 Application Guide for N/OS 8.4...
Page 87: Chapter 4. Securing Administration
Chapter 4. Securing Administration This chapter discusses different methods of securing local and remote administration on the CN4093 10 Gb Converged Scalable Switch (CN4093):  “Changing the Switch Passwords” on page 88  “Secure Shell and Secure Copy” on page 89  “End User Access Control” on page 94  “Protected Mode” on page 97 © Copyright Lenovo 2017...
Page 88: Changing The Switch Passwords
Changing the Switch Passwords It is recommended that you change the administrator and user passwords after initial configuration and as regularly as required under your network security policies. To change the administrator password, you must login using the administrator password. Note: If you download user and password information to a switch running a version of ENOS earlier than 8.4, or if you revert the switch to a version of ENOS earlier than 8.4, your passwords will not be transferred because the encryption algorithm changed. Changing the Default Administrator Password The administrator has complete access to all menus, information, and configuration commands, including the ability to change both the user and administrator passwords. The default administrator account is USERID. The default password for the administrator account is PASSW0RD (with a zero). To change the administrator password, use the following procedure: 1. Connect to the switch and log in as the administrator. 2. Use the following command to change the administrator password: CN 4093(config)# access user administrator-password <password> Changing the Default User Password The user login has limited control of the switch. Through a user account, you can ...
Page 89: Secure Shell And Secure Copy
 Determining the permitted actions and customizing service for individual administrators  Encryption of management messages Encrypting messages between the remote administrator and switch   Secure copy support The Enterprise NOS implementation of SSH supports both versions 1.5 and 2.0 and supports SSH clients version 1.5 ‐ 2.x. The following SSH clients have been tested:  SSH 1.2.23 and SSH 1.2.27 for Linux (freeware)  SecureCRT 3.0.2 and SecureCRT 3.0.3 for Windows NT (Van Dyke Technologies, Inc.)  F‐Secure SSH 1.1 for Windows (Data Fellows)  Putty SSH  Cygwin OpenSSH  Mac X OpenSSH  Solaris 8 OpenSSH  AxeSSH SSHPro  SSH Communications Vandyke SSH A  F‐Secure © Copyright Lenovo 2017 Chapter 4: Securing Administration...
Page 90: Configuring Ssh/Scp Features On The Switch
Configuring SSH/SCP Features on the Switch SSH and SCP are disabled by default. To change the setting, using the following procedures. Note: To use SCP, you must first enable SSH. To Enable or Disable the SSH Feature Begin a Telnet session from the console port and enter the following commands: CN 4093(config)# ssh enable (Turn SSH on) CN 4093(config)# no ssh enable (Turn SSH off) To Enable or Disable SCP Enter the following command to enable or disable SCP: CN 4093(config)# [no] ssh scp-enable Configuring the SCP Administrator Password To configure the SCP‐only administrator password, enter the following command ...
Page 91: To Copy The Switch Configuration File To The Scp Host
>> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg_apply >> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg_apply_save Example: >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply >> scp ad4.cfg scpadmin@205.178.15.157:putcfg_apply_save The CLI diff command is automatically executed at the end of putcfg to  notify the remote client of the difference between the new and the current configurations. putcfg_apply runs the apply command after the putcfg is done.  putcfg_apply_save saves the new configuration to the flash after  putcfg_apply is done.  The putcfg_apply and putcfg_apply_save commands are provided because extra apply and save commands are usually required after a putcfg; however, an SCP session is not in an interactive mode. © Copyright Lenovo 2017 Chapter 4: Securing Administration...
Page 92: To Copy The Switch Image And Boot Files To The Scp Host
To Copy the Switch Image and Boot Files to the SCP Host Syntax: >> scp [-4|-6] <username>@<switch IP address>:getimg1 <local filename> >> scp [-4|-6] <username>@<switch IP address>:getimg2 <local filename> >> scp [-4|-6] <username>@<switch IP address>:getboot <local filename> Example: >> scp scpadmin@205.178.15.157:getimg1 6.1.0_os.img To Load Switch Configuration Files from the SCP Host Syntax: >>...
Page 93: Ssh And Scp Encryption Of Management Messages
To configure RSA host key, first connect to the CN4093 through the console port (commands are not available via external Telnet connection), and enter the following command to generate it manually. CN 4093(config)# ssh generate-host-key (Generates the host key) When the switch reboots, it will retrieve the host key from the FLASH memory. Note: The switch will perform only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be able to log in if the switch is performing key generation at that time. Also, key generation will fail if an SSH/SCP client is logging in at that time. SSH/SCP Integration with RADIUS Authentication SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified RADIUS servers for authentication. The redirection is transparent to the SSH clients. SSH/SCP Integration with TACACS+ Authentication SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified TACACS+ servers for authentication. The redirection is transparent to the SSH clients. © Copyright Lenovo 2017 Chapter 4: Securing Administration...
Page 94: End User Access Control
End User Access Control Enterprise NOS allows an administrator to define end user accounts that permit end users to perform operation tasks via the switch CLI commands. Once end user accounts are configured and enabled, the switch requires username/password authentication. For example, an administrator can assign a user, who can then log into the switch and perform operational commands (effective only until the next switch reboot). Considerations for Configuring End User Accounts A maximum of 20 user IDs are supported on the switch.   Enterprise NOS supports end user support for Console, Telnet, BBI, and SSHv1/v2 access to the switch.  If RADIUS authentication is used, the user password on the Radius server will override the user password on the CN4093. Also note that the password change command modifies only the user switch password on the switch and has no effect on the user password on the Radius server. Radius authentication and user password cannot be used concurrently to access the switch.  Passwords can be up to 64 characters in length for Telnet, SSH, Console, and Web access. Strong Passwords The administrator can require use of Strong Passwords for users to access the CN4093. Strong Passwords enhance security because they make password guessing more difficult. The following rules apply when Strong Passwords are enabled: Minimum length: 8 characters; maximum length: 64 characters   Must contain at least one uppercase alphabet Must contain at least one lowercase alphabet ...
Page 95: User Access Control Menu
CN 4093# show access user uid 1 Enabling or Disabling a User An end user account must be enabled before the switch recognizes and permits login under the account. Once enabled, the switch requires any user to enter both username and password. CN 4093(config)# [no] access user 1 enable Locking Accounts To protect the switch from unauthorized access, the account lockout feature can be enabled. By default, account lockout is disabled. To enable this feature, ensure the strong password feature is enabled (See “Strong Passwords” on page 94). Then use the following command: CN 4093(config)# access user strong-password lockout After multiple failed login attempts, the switch locks the user account if lockout has been enabled on the switch. © Copyright Lenovo 2017 Chapter 4: Securing Administration...
Page 96: Re-Enabling Locked Accounts
Re-enabling Locked Accounts The administrator can re‐enable a locked account by reloading the switch or by using the following command: CN 4093(config)# access user strong-password clear local user lockout username <user name> However, the above command cannot be used to re‐enable an account disabled by the administrator. To re‐enable all locked accounts, use the following command: CN 4093(config)# access user strong-password clear local user lockout all Listing Current Users The show access user command displays defined user accounts and whether or not each user is currently logged into the switch. CN 4093# show access user Usernames: user - Enabled - offline...
Page 97: Protected Mode
Note: Before you turn Protected Mode on, make sure that external management (Telnet) access to one of the switch’s IP interfaces is enabled. Use the following command to turn Protected Mode on: CN 4093(config)# protected-mode enable If you lose access to the switch through the external ports, use the console port to connect directly to the switch, and configure an IP interface with Telnet access. Stacking Mode When the switch is in stacking mode, Protected Mode is automatically enabled for three of the four Protected Mode functions, and the following module functions are disabled:  External Ports (Enabled)  External management over all ports (Enabled)  Restore Factory Defaults Stack members and stack Master can get their IP addresses from the advanced management module (AMM). Stack can be managed using external ports or using the AMM management port. If required, the functionality of new static IP configuration can also be disabled by turning off Protected Mode (CN 4093(config)# no protected-mode enable) and turning it back on (CN 4093(config)# protected-mode enable). © Copyright Lenovo 2017 Chapter 4: Securing Administration...
Page 98 CN4093 Application Guide for N/OS 8.4...
Page 99: Chapter 5. Authentication & Authorization Protocols
Chapter 5. Authentication & Authorization Protocols Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured IPv4 management and device access:  “RADIUS Authentication and Authorization” on page 100  “TACACS+ Authentication” on page 104  “LDAP Authentication and Authorization” on page 110 Note: Enterprise NOS 8.4 does not support IPv6 for RADIUS, TACACS+, or LDAP. © Copyright Lenovo 2017...
Page 100: Radius Authentication And Authorization
RADIUS Authentication and Authorization Enterprise NOS supports the RADIUS (Remote Authentication Dial‐in User Service) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back‐end database server. A remote user (the remote administrator) interacts only with the RAS, not the back‐end server and database. RADIUS authentication consists of the following components:  A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866)  A centralized server that stores all the user authorization information A client, in this case, the switch  The CN4093—acting as the RADIUS client—communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back‐end RADIUS server. How RADIUS Authentication Works 1. Remote administrator connects to the switch and provides user name and password. 2. Using Authentication/Authorization protocol, the switch sends request to authentication server. 3. Authentication server checks the request against the user ID database. 4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access. CN4093 Application Guide for N/OS 8.4...
Page 101: Configuring Radius On The Switch
CN 4093(config)# radius-server retransmit 3 CN 4093(config)# radius-server timeout 5 RADIUS Authentication Features in Enterprise NOS Enterprise NOS supports the following RADIUS authentication features:  Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.  Allows a RADIUS secret password of up to 32 characters.  Supports secondary authentication server so that when the primary authentication server is unreachable, the switch can send client authentication requests to the secondary authentication server. Use the following command to show the currently active RADIUS authentication server: CN 4093# show radius-server © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 102: Switch User Accounts
 Supports user‐configurable RADIUS server retry and time‐out values: Time‐out value = 1‐10 seconds  Retries = 1‐3  The switch will time out if it does not receive a response from the RADIUS server within 1‐10 seconds. The switch automatically retries connecting to the RADIUS server 1‐3 times before it declares the server down.  Supports user‐configurable RADIUS application port. The default is UDP port 1645. UDP port 1812, based on RFC 2138, is also supported.  Allows network administrator to define privileges for one or more specific users to access the switch at the RADIUS user database. Switch User Accounts The user accounts listed in Table 7 can be defined in the RADIUS server dictionary file. Table 7. User Access Levels User Account Description and Tasks Performed Password user User The User has no direct responsibility for switch management. He/she can view all switch status information and statistics but cannot make any configuration changes to the switch. oper Operator In addition to User capabilities, the Operator has ...
Page 103: Radius Attributes For Enterprise Nos User Privileges
Irrespective of backdoor being enabled or not, you can always access the switch via the console port by using noradius as radius username. You can then enter the username and password configured on the switch. If you are trying to connect via SSH/Telnet/HTTP/HTTPS, there are two possibilities:  Backdoor is enabled: The switch acts like it is connecting via console.  Secure backdoor is enabled: You must enter the username: noradius. The switch checks if RADIUS server is reachable. If it is reachable, then you must authenticate via remote authentication server. Only if RADIUS server is not reachable, you will be prompted for local user/password to be authenticated against these local credentials. All user privileges, other than those assigned to the Administrator, have to be defined in the RADIUS dictionary. RADIUS attribute 6 which is built into all RADIUS servers defines the administrator. The file name of the dictionary is RADIUS vendor‐dependent. The following RADIUS attributes are defined for Enterprise NOS user privileges levels: Table 8. Enterprise NOS‐proprietary Attributes for RADIUS User Name/Access User-Service-Type Value User Vendor‐supplied Operator Vendor‐supplied Administrator (USERID) Vendor‐supplied © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 104: Tacacs+ Authentication
TACACS+ Authentication Enterprise NOS supports authentication, authorization, and accounting with networks using the Cisco Systems TACACS+ protocol. The CN4093 functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the CN4093 either through a data or management port. TACACS+ offers the following advantages over RADIUS:  TACACS+ uses TCP‐based connection‐oriented transport; whereas RADIUS is UDP‐based. TCP offers a connection‐oriented transport, while UDP offers best‐effort delivery. RADIUS requires additional programmable variables such as re‐transmit attempts and time‐outs to compensate for best‐effort transport, but it lacks the level of built‐in support that a TCP transport offers.  TACACS+ offers full packet encryption whereas RADIUS offers password‐only encryption in authentication requests.  TACACS+ separates authentication, authorization and accounting. How TACACS+ Authentication Works TACACS+ works much in the same way as RADIUS authentication as described on page 100. 1. Remote administrator connects to the switch and provides user name and password. 2. Using Authentication/Authorization protocol, the switch sends request to authentication server. 3. Authentication server checks the request against the user ID database. 4. Using TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access. During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command.f CN4093 Application Guide for N/OS 8.4...
Page 105: Tacacs+ Authentication Features In Enterprise Nos
CN 4093(config)# tacacs-server privilege-mapping Table 10. Alternate TACACS+ Authorization Levels Enterprise NOS User Access TACACS+ Level Level user 0–1 oper 6–8 admin (USERID) 14–15 You can customize the mapping between TACACS+ privilege levels and CN4093 management access levels. Use the following command to manually map each TACACS+ privilege level (0‐15) to a corresponding CN4093 management access level: CN 4093(config)# tacacs-server user-mapping If the remote user is successfully authenticated by the authentication server, the switch verifies the privileges of the remote user and authorizes the appropriate access. © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 106: Backdoor
Backdoor The administrator has an option to allow backdoor access via Telnet using the command: CN 4093(config)# tacacs-server backdoor The default value for Telnet access is disabled. The administrator also can enable secure backdoor to allow access if both the primary and the secondary TACACS+ servers fail to respond. The command for this is: CN 4093(config)# tacacs-server secure-backdoor Note: To obtain the TACACS+ backdoor password for your switch, contact your Service and Support line. Accounting Accounting is the action of recording a userʹs activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization is not performed via TACACS+, there are no TACACS+ accounting messages sent out. You can use TACACS+ to record and track software login access, configuration changes, and interactive commands. The CN4093 supports the following TACACS+ accounting attributes: protocol (console/telnet/ssh/http)   start_time  stop_time  elapsed_time  disc‐cause Note: When using the Browser‐Based Interface, the TACACS+ Accounting Stop records are sent only if the Quit button on the browser is clicked. CN4093 Application Guide for N/OS 8.4...
Page 107: Command Authorization And Logging
The following rules apply to TACACS+ command authorization and logging:  Only commands from a Console, Telnet, or SSH connection are sent for authori‐ zation and logging. SNMP, BBI, or file‐copy commands (for example, TFTP or sync) are not sent. Only leaf‐level commands are sent for authorization and logging. For example:  CN 4093(config)# is not sent, but the following command is sent: CN 4093(config)# tacacs-server command-logging  The full path of each command is sent for authorization and logging. For example: CN 4093(config)# tacacs-server command-logging  Command arguments are not sent for authorization.  Only executed commands are logged.  Invalid commands are checked by Enterprise NOS and are not sent for authori‐ zation or logging. © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 108  Authorization is performed on each leaf‐level command separately. If the user issues multiple commands at once, each command is sent separately as a full path.  Only the following global commands are sent for authorization and logging: diff  ping  revert  telnet  traceroute  CN4093 Application Guide for N/OS 8.4...
Page 109: Tacacs+ Password Change
CN 4093(config)# tacacs-server timeout 5 5. Configure custom privilege‐level mapping (optional). CN 4093(config)# tacacs-server user-mapping 2 user CN 4093(config)# tacacs-server user-mapping 3 user CN 4093(config)# tacacs-server user-mapping 4 user CN 4093(config)# tacacs-server user-mapping 5 oper © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 110: Ldap Authentication And Authorization
LDAP Authentication and Authorization Enterprise NOS supports the LDAP (Lightweight Directory Access Protocol) method to authenticate and authorize remote administrators to manage the switch. LDAP is based on a client/server model. The switch acts as a client to the LDAP server. A remote user (the remote administrator) interacts only with the switch, not the back‐end server and database. LDAP authentication consists of the following components: A protocol with a frame format that utilizes TCP over IP   A centralized server that stores all the user authorization information A client, in this case, the switch  Each entry in the LDAP server is referenced by its Distinguished Name (DN). The DN consists of the user‐account name concatenated with the LDAP domain name. If the user‐account name is John, the following is an example DN: uid=John,ou=people,dc=domain,dc=com Configuring the LDAP Server CN4093 user groups and user accounts must reside within the same domain. On the LDAP server, configure the domain to include CN4093 user groups and user accounts, as follows:  User Accounts: Use the uid attribute to define each individual user account.  User Groups: Use the members attribute in the groupOfNames object class to create the user groups. The first word of the common name for each user group must be equal to the user group names defined in the CN4093, as follows: admin (USERID)  oper  user ...
Page 111: Configuring Ldap Authentication On The Switch
3. If desired, you may change the default TCP port number used to listen to LDAP. The well‐known port for LDAP is 389. CN 4093(config)# ldap-server port <1‐65000> 4. Configure the number of retry attempts for contacting the LDAP server and the timeout period. CN 4093(config)# ldap-server retransmit 3 (number of server retries) CN 4093(config)# ldap-server timeout 10 (enter the timeout period in seconds) 5. You may change the default LDAP attribute (uid) or add a custom attribute. For instance, Microsoft’s Active Directory requires the cn (common name) attribute. CN 4093(config)# ldap-server attribute username <1‐128 alpha‐numeric characters> © Copyright Lenovo 2017 Chapter 5: Authentication & Authorization Protocols...
Page 112 CN4093 Application Guide for N/OS 8.4...
Page 113: Chapter 6. 802.1X Port-Based Network Access Control
Chapter 6. 802.1X Port-Based Network Access Control Port‐Based Network Access control provides a means of authenticating and authorizing devices attached to a LAN port that has point‐to‐point connection characteristics. It prevents access to ports that fail authentication and authorization. This feature provides security to ports of the CN4093 10 Gb Converged Scalable Switch (CN4093) that connect to blade servers. The following topics are discussed in this section:  “Extensible Authentication Protocol over LAN” on page 114  “EAPoL Authentication Process” on page 115  “EAPoL Port States” on page 116  “Guest VLAN” on page 117  “Supported RADIUS Attributes” on page 118  “EAPoL Configuration Guidelines” on page 120 © Copyright Lenovo 2017...
Page 114: Extensible Authentication Protocol Over Lan
Extensible Authentication Protocol over LAN Enterprise NOS can provide user‐level security for its ports using the IEEE 802.1X protocol, which is a more secure alternative to other methods of port‐based network access control. Any device attached to an 802.1X‐enabled port that fails authentication is prevented access to the network and denied services offered through that port. The 802.1X standard describes port‐based network access control using Extensible Authentication Protocol over LAN (EAPoL). EAPoL provides a means of authenticating and authorizing devices attached to a LAN port that has point‐to‐point connection characteristics and of preventing access to that port in cases of authentication and authorization failures. EAPoL is a client‐server protocol that has the following components: Supplicant or Client  The Supplicant is a device that requests network access and provides the required credentials (user name and password) to the Authenticator and the Authenticator Server.  Authenticator The Authenticator enforces authentication and controls access to the network. The Authenticator grants network access based on the information provided by the Supplicant and the response from the Authentication Server. The Authenticator acts as an intermediary between the Supplicant and the Authentication Server: requesting identity information from the client, forwarding that information to the Authentication Server for validation, relaying the server’s responses to the client, and authorizing network access based on the results of the authentication exchange. The CN4093 acts as an Authenticator.  Authentication Server The Authentication Server validates the credentials provided by the Supplicant to determine if the Authenticator should grant access to the network. The Authentication Server may be co‐located with the Authenticator. The CN4093 relies on external RADIUS servers for authentication. Upon a successful authentication of the client by the server, the 802.1X‐controlled port transitions from unauthorized to authorized state, and the client is allowed full access to services through the port. When the client sends an EAP‐Logoff ...
Page 115: Eapol Authentication Process
802.1x Client Server EAPOL IBM Switch RADIUS-EAP Authenticator Ethernet (RADIUS Client) UDP/IP Port Unauthorized EAPOL-Start EAP-Request (Credentials) EAP-Response (Credentials) Radius-Access-Request Radius-Access-Challenge EAP-Request (Credentials) EAP-Response (Credentials) Radius-Access-Request Radius-Access-Accept EAP-Success Port Authorized © Copyright Lenovo 2017 Chapter 6: 802.1X Port-Based Network Access Control...
Page 116: Eapol Message Exchange
EAPoL Message Exchange During authentication, EAPOL messages are exchanged between the client and the CN4093 authenticator, while RADIUS‐EAP messages are exchanged between the CN4093 authenticator and the RADIUS server. Authentication is initiated by one of the following methods:  The CN4093 authenticator sends an EAP‐Request/Identity packet to the client  The client sends an EAPOL‐Start frame to the CN4093 authenticator, which responds with an EAP‐Request/Identity frame. The client confirms its identity by sending an EAP‐Response/Identity frame to the CN4093 authenticator, which forwards the frame encapsulated in a RADIUS packet to the server. The RADIUS authentication server chooses an EAP‐supported authentication algorithm to verify the client’s identity, and sends an EAP‐Request packet to the client via the CN4093 authenticator. The client then replies to the RADIUS server with an EAP‐Response containing its credentials. Upon a successful authentication of the client by the server, the 802.1X‐controlled port transitions from unauthorized to authorized state, and the client is allowed full access to services through the controlled port. When the client later sends an EAPOL‐Logoff message to the CN4093 authenticator, the port transitions from authorized to unauthorized state. If a client that does not support 802.1X connects to an 802.1X‐controlled port, the CN4093 authenticator requests the clientʹs identity when it detects a change in the operational state of the port. The client does not respond to the request, and the port remains in the unauthorized state. Note: When an 802.1X‐enabled client connects to a port that is not 802.1X‐controlled, the client initiates the authentication process by sending an EAPOL‐Start frame. When no response is received, the client retransmits the request for a fixed number of times. If no response is received, the client assumes the port is in authorized state, and begins sending frames, even if the port is unauthorized. EAPoL Port States The state of the port determines whether the client is granted access to the network, as follows: ...
Page 117: Guest Vlan
Guest VLAN The guest VLAN provides limited access to unauthenticated ports. The guest VLAN can be configured using the following command: CN 4093(config)# dot1x guest-vlan ? Client ports that have not received an EAPOL response are placed into the Guest VLAN, if one is configured on the switch. Once the port is authenticated, it is moved from the Guest VLAN to its configured VLAN. When Guest VLAN enabled, the following considerations apply while a port is in the unauthenticated state:  The port is placed in the guest VLAN. The Port VLAN ID (PVID) is changed to the Guest VLAN ID.   Port tagging is disabled on the port. © Copyright Lenovo 2017 Chapter 6: 802.1X Port-Based Network Access Control...
Page 118: Supported Radius Attributes
Supported RADIUS Attributes The 802.1X Authenticator relies on external RADIUS servers for authentication with EAP. Table 11lists the RADIUS attributes that are supported as part of RADIUS‐EAP authentication based on the guidelines specified in Annex D of the 802.1X standard and RFC 3580. Table 11. Support for RADIUS Attributes # Attribute Attribute Value 1 User‐Name The value of the Type‐Data field 0‐1 from the supplicant’s EAP‐Response/Identity message. If the Identity is unknown (i.e. Type‐Data field is zero bytes in length), this attribute will have the same value as the Calling‐Station‐Id. 4 NAS‐IP‐Address IPv4 address of the authenticator used for Radius communication. 5 NAS‐Port Port number of the authenticator port to which the supplicant is attached. 24 State Server‐specific value. This is 0‐1 0‐1 0‐1 sent unmodified back to the ...
Page 119 80 Message‐ Always present whenever an Authenticator EAP‐Message attribute is also included. Used to integrity‐protect a packet. 87 NAS‐Port‐ID Name assigned to the authenticator port, e.g. Server1_Port3 Legend: RADIUS Packet Types: A‐R (Access‐Request), A‐A (Access‐Accept), A‐C (Access‐Challenge), A‐R (Access‐Reject) RADIUS Attribute Support: This attribute MUST NOT be present in a packet.   Zero or more instances of this attribute MAY be present in a packet. 0‐1 Zero or one instance of this attribute MAY be present in a packet.   Exactly one instance of this attribute MUST be present in a packet.  One or more of these attributes MUST be present. © Copyright Lenovo 2017 Chapter 6: 802.1X Port-Based Network Access Control...
Page 120: Eapol Configuration Guidelines
EAPoL Configuration Guidelines When configuring EAPoL, consider the following guidelines:  The 802.1X port‐based authentication is currently supported only in point‐to‐point configurations, that is, with a single supplicant connected to an 802.1X‐enabled switch port.  When 802.1X is enabled, a port has to be in the authorized state before any other Layer 2 feature can be operationally enabled. For example, the STG state of a port is operationally disabled while the port is in the unauthorized state.  The 802.1X supplicant capability is not supported. Therefore, none of its ports can successfully connect to an 802.1X‐enabled port of another device, such as another switch, that acts as an authenticator, unless access control on the remote port is disabled or is configured in forced‐authorized mode. For example, if a CN4093 is connected to another CN4093, and if 802.1X is enabled on both switches, the two connected ports must be configured in force‐authorized mode.  Unsupported 802.1X attributes include Service‐Type, Session‐Timeout, and Termination‐Action.  RADIUS accounting service for 802.1X‐authenticated devices or users is not currently supported.  Configuration changes performed using SNMP and the standard 802.1X MIB will take effect immediately. CN4093 Application Guide for N/OS 8.4...
Page 121: Chapter 7. Access Control Lists
ACLs are configured using the following CLI menu: CN 4093(config)# access-control list <IPv4 ACL number> IPv6 ACLs  Up to 128 ACLs are supported for networks that use IPv6 addressing. IPv6 ACLs are configured using the following CLI menu: CN 4093(config)# access-control list6 <IPv6 ACL number>  Management ACLs Up to 128 MACLs are supported. ACLs for the different types of management protocols (Telnet, HTTPS, etc.) provide greater granularity for securing management traffic. Management ACLs are configured using the following command: CN 4093(config)# access-control macl <MACL number>  VLAN Maps (VMaps) Up to 128 VLAN Maps are supported for attaching filters to VLANs rather than ports. See “VLAN Maps” on page 132 for details. CN 4093(config)# access-control vmap <vmap number> © Copyright Lenovo 2017...
Page 122: Summary Of Packet Classifiers
Summary of Packet Classifiers ACLs allow you to classify packets according to a variety of content in the packet header (such as the source address, destination address, source port number, destination port number, and others). Once classified, packet flows can be identified for more processing. Regular ACLs, and VMaps allow you to classify packets based on the following packet attributes:  Ethernet header options (for regular ACLs and VMaps only) Source MAC address  Destination MAC address  VLAN number and mask  Ethernet type (ARP, IPv4, MPLS, RARP, etc.)  Ethernet Priority (the IEEE 802.1p Priority)   IPv4 header options (for regular ACLs and VMaps only) Source IPv4 address and subnet mask  Destination IPv4 address and subnet mask  Type of Service value  IP protocol number or name as shown in Table  Table 12. Well‐Known Protocol Types Number Protocol Name icmp igmp ospf vrrp CN4093 Application Guide for N/OS 8.4...
Page 123 1985 hsrp gopher snmptrap TCP/UDP application destination port and mask as shown in Table  TCP/UDP flag value as shown in Table 14.  Table 14. Well‐Known TCP flag values Flag Value 0x0020 0x0010 0x0008 0x0004 0x0002 0x0001  Packet format (for regular ACLs and VMaps only) Ethernet format (eth2, SNAP, LLC)  Ethernet tagging format  IP format (IPv4)   Egress port packets (for all ACLs) © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 124: Summary Of Acl Actions
Summary of ACL Actions Once classified using ACLs, the identified packet flows can be processed differently. For each ACL, an action can be assigned. The action determines how the switch treats packets that match the classifiers assigned to the ACL. CN4093 ACL actions include the following:  Pass or Drop the packet  Re‐mark the packet with a new DiffServ Code Point (DSCP)  Re‐mark the 802.1p field  Set the COS queue Assigning Individual ACLs to a Port Once you configure an ACL, you must assign the ACL to the appropriate ports. Each port can accept multiple ACLs, and each ACL can be applied for multiple ports. ACLs can be assigned individually, or in groups. To assign an individual ACL to a port, use the following IP interface commands: CN 4093(config)# interface port <port> CN 4093(config-if)# access-control list <IPv4 ACL number> CN 4093(config-ip)# access-control list6 <IPv6 ACL number> When multiple ACLs are assigned to a port, higher‐priority ACLs are considered ...
Page 125: Acl Groups
DIP = 10.10.10.3 (255.255.255.0) Action = permit ACL Groups organize ACLs into traffic profiles that can be more easily assigned to ports. The CN4093 supports up to 256 ACL Groups. Note: ACL Groups are used for convenience in assigning multiple ACLs to ports. ACL Groups have no effect on the order in which ACLs are applied (see “ACL Order of Precedence” on page 124). All ACLs assigned to the port (whether individually assigned or part of an ACL Group) are considered as individual ACLs for the purposes of determining their order of precedence. Assigning ACL Groups to a Port To assign an ACL Group to a port, use the following commands: CN 4093(config)# interface port <port number> CN 4093(config-if)# access-control group <ACL group number> CN 4093(config-if)# exit © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 126: Acl Metering And Re-Marking
ACL Metering and Re-Marking You can define a profile for the aggregate traffic flowing through the switch by configuring a QoS meter (if desired) and assigning ACLs to ports. Note: When you add ACLs to a port, make sure they are ordered correctly in terms of precedence (see “ACL Order of Precedence” on page 124). Actions taken by an ACL are called In‐Profile actions. You can configure additional In‐Profile and Out‐of‐Profile actions on a port. Data traffic can be metered, and re‐marked to ensure that the traffic flow provides certain levels of service in terms of bandwidth for different types of network traffic. Metering QoS metering provides different levels of service to data streams through user‐configurable parameters. A meter is used to measure the traffic stream against a traffic profile which you create. Thus, creating meters yields In‐Profile and Out‐of‐Profile traffic for each ACL, as follows:  In‐Profile–If there is no meter configured or if the packet conforms to the meter, the packet is classified as In‐Profile.  Out‐of‐Profile–If a meter is configured and the packet does not conform to the meter (exceeds the committed rate or maximum burst rate of the meter), the packet is classified as Out‐of‐Profile. Using meters, you set a Committed Rate in Kbps (1000 bits per second in each Kbps). All traffic within this Committed Rate is In‐Profile. Additionally, you can set a Maximum Burst Size that specifies an allowed data burst larger than the Committed Rate for a brief period. These parameters define the In‐Profile traffic. Meters keep the sorted packets within certain parameters. You can configure a meter on an ACL, and perform actions on metered traffic, such as packet re‐marking. Re-Marking Re‐marking allows for the treatment of packets to be reset based on new network specifications or desired levels of service. You can configure the ACL to re‐mark a packet as follows:  Change the DSCP value of a packet, used to specify the service level that traffic should receive. ...
Page 127: Acl Port Mirroring
CN 4093(config)# access-control list <ACL number> mirror port <destination port> The ACL must be also assigned to it target ports as usual (see “Assigning Individual ACLs to a Port” on page 124, or “Assigning ACL Groups to a Port” on page 125). For VMaps (see “VLAN Maps” on page 132):  CN 4093(config)# access-control vmap <VMap number> mirror port <monitor destination port> Viewing ACL Statistics ACL statistics display how many packets have “hit” (matched) each ACL. Use ACL statistics to check filter performance or to debug the ACL filter configuration. You must enable statistics for each ACL that you wish to monitor: CN 4093(config)# access-control list <ACL number> statistics © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 128: Acl Logging
ACL Logging ACLs are generally used to enhance port security. Traffic that matches the characteristics (source addresses, destination addresses, packet type, etc.) specified by the ACLs on specific ports is subject to the actions (chiefly permit or deny) defined by those ACLs. Although switch statistics show the number of times particular ACLs are matched, the ACL logging feature can provide additional insight into actual traffic patterns on the switch, providing packet details in the system log for network debugging or security purposes. Enabling ACL Logging By default, ACL logging is disabled. Enable or disable ACL logging on a per‐ACL basis as follows: CN 4093(config)# [no] access-control list <IPv4 ACL number> log CN 4093(config)# [no] access-control list6 <IPv6 ACL number> log Logged Information When ACL logging is enabled on any particular ACL, the switch will collect information about packets that match the ACL. The information collected depends on the ACL type:  For IP‐based ACLs, information is collected regarding Source IP address  Destination IP address  TCP/UDP port number ...
Page 129: Rate Limiting Behavior
CN 4093(config)# access-control log rate-limit <1‐1000> Where the limit is specified in packets per second. Log Interval For each log‐enabled ACL, the first packet that matches the ACL initiates an immediate message in the system log. Beyond that, additional matches are subject to the log interval. By default, the switch will buffer ACL log messages for a period of 300 seconds. At the end of that interval, all messages in the buffer are written to the system log. The global interval value can be changed as follows: CN 4093(config)# access-control log interval <5‐600> Where the interval rate is specified in seconds. In any given interval, packets that have identical log information are condensed into a single message. However, the packet count shown in the ACL log message represents only the logged messages, which due to rate‐limiting, may be significantly less than the number of packets actually matched by the ACL. Also, the switch is limited to 64 different ACL log messages in any interval. Once the threshold is reached, the oldest message will be discarded in favor of the new message, and an overflow message will be added to the system log. ACL Logging Limitations ACL logging reserves packet queue 1 for internal use. Features that allow remapping packet queues (such as CoPP) may not behave as expected if other packet flows are reconfigured to use queue 1. © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 130: Acl Configuration Examples
ACL Configuration Examples ACL Example 1 Use this configuration to block traffic to a specific host. All traffic that ingresses on port EXT1 is denied if it is destined for the host at IP address 100.10.1.1. 1. Configure an Access Control List. CN 4093(config)# access-control list 1 ipv4 destination-ip-address 100.10.1.1 CN 4093(config)# access-control list 1 action deny 2. Add ACL 1 to port EXT1. CN 4093(config)# interface port EXT1 CN 4093(config-if)# access-control list 1 CN 4093(config-if)# exit ACL Example 2 Use this configuration to block traffic from a network destined for a specific host ...
Page 131: Acl Example 3
CN 4093(config)# access-control list 4 ipv4 source-ip-address 100.10.1.0 255.255.255.0 CN 4093(config)# access-control list 4 egress-port 3 CN 4093(config)# access-control list 4 action deny 2. Add ACL 4 to port EXT1. CN 4093(config)# interface port EXT1 CN 4093(config-if)# access-control list 4 CN 4093(config-if)# exit © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 132: Vlan Maps
VLAN Maps A VLAN map (VMAP) is an ACL that can be assigned to a VLAN or VM group rather than to a switch port as with regular ACLs. This is particularly useful in a virtualized environment where traffic filtering and metering policies must follow virtual machines (VMs) as they migrate between hypervisors. VMAPs are configured using the following ISCLI command path: CN 4093(config)# access-control vmap <VMAP ID (1‐128)> action Set filter action egress-port Set to filter for packets egressing this port ethernet Ethernet header options ipv4 IP version 4 header options meter ACL metering configuration mirror Mirror options packet-format Set to filter specific packet format types...
Page 133: Vmap Example
CN 4093(config)# access-control vmap 21 packet-format ethernet ethernet-type2 CN 4093(config)# access-control vmap 21 mirror port 4 CN 4093(config)# access-control vmap 21 action permit CN 4093(config)# vlan 3 CN 4093(config-vlan)# vmap 21 intports © Copyright Lenovo 2017 Chapter 7: Access Control Lists...
Page 134: Management Acls
Management ACLs Management ACLs (MACLs) filter inbound traffic (traffic heading toward the CPU). MACLs are applied switch‐wide. Traffic can be filtered based on the following:  IPv4 source address  IPv4 destination address  IPv4 protocols  TCP/UDP destination or source port Lower MACL numbers have higher priority. Up to 128 MACLs can be configured. Following is an example MACL configuration based on a destination IP address and a TCP‐UDP destination port: CN 4093(config)# access-control macl 1 ipv4 destination-ip-address 1.1.1.1 255.255.255.0 CN 4093(config)# access-control macl 1 tcp-udp destination-port 111 0xffff CN 4093(config)# access-control macl 1 statistics CN 4093(config)# access-control macl 1 action permit CN 4093(config)# access-control macl 1 enable Use the following command to view the MACL configuration: ...
Page 135: Part 3: Switch Basics
Part 3: Switch Basics This section discusses basic switching functions:  VLANs  Port Aggregation  Spanning Tree Protocols (Spanning Tree Groups, Rapid Spanning Tree Protocol and Multiple Spanning Tree Protocol)  Quality of Service © Copyright Lenovo 2017...
Page 136 CN4093 Application Guide for N/OS 8.4...
Page 137: Chapter 8. Vlans
Chapter 8. VLANs This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments. The following topics are discussed in this chapter:  “VLANs and Port VLAN ID Numbers” on page 139  “VLAN Tagging/Trunk Mode” on page 142  “VLAN Topologies and Design Considerations” on page 147  “Protocol‐Based VLANs” on page 150 “Private VLANs” on page 153  Note: Basic VLANs can be configured during initial switch configuration (see “Using the Setup Utility” in the CN4093 Enterprise NOS 8.4 Command Reference). More comprehensive VLAN configuration can be done from the Command Line Interface (see “VLAN Configuration” as well as “Port Configuration” in the CN4093 Enterprise NOS 8.4 Command Reference). © Copyright Lenovo 2017...
Page 138: Vlans Overview
VLANs Overview Setting up virtual LANs (VLANs) is a way to segment networks to increase network flexibility without changing the physical network topology. With network segmentation, each switch port connects to a segment that is a single broadcast domain. When a switch port is configured to be a member of a VLAN, it is added to a group of ports (workgroup) that belong to one broadcast domain. Ports are grouped into broadcast domains by assigning them to the same VLAN. Frames received in one VLAN can only be forwarded within that VLAN, and multicast, broadcast, and unknown unicast frames are flooded only to ports in the same VLAN. The CN4093 automatically supports jumbo frames. This default cannot be manually configured or disabled. The CN4093 10 Gb Converged Scalable Switch (CN4093) supports jumbo frames with a Maximum Transmission Unit (MTU) of 9,216 bytes. Within each frame, 18 bytes are reserved for the Ethernet header and CRC trailer. The remaining space in the frame (up to 9,198 bytes) comprise the packet, which includes the payload of up to 9,000 bytes and any additional overhead, such as 802.1q or VLAN tags. Jumbo frame support is automatic: it is enabled by default, requires no manual configuration, and cannot be manually disabled. Note: Jumbo frames are not supported for traffic sent to switch management interfaces. CN4093 Application Guide for N/OS 8.4...
Page 139: Vlans And Port Vlan Id Numbers
--------------------------- ------ --- ------------------------- Default VLAN INTA1-EXT22 VLAN 200 empty VLAN 300 empty 4095 Mgmt VLAN EXTM MGT1 Primary Secondary Type Ports vPorts ------- --------- --------------- --------------------- --------- Note: The sample screens that appear in this document might differ slightly from the screens displayed by your system. Screen content varies based on the type of blade chassis unit that you are using and the firmware versions and options that are installed. © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 140: Pvid/Native Vlan Numbers
PVID/Native VLAN Numbers Each port in the switch has a configurable default VLAN number, known as its PVID. By default, the PVID for all non‐management ports is set to 1, which correlates to the default VLAN ID. The PVID for each port can be configured to any VLAN number between 1 and 4094. Use the following CLI commands to view PVIDs:  Port information: CN 4093# show interface information (or) CN 4093# show interface trunk Alias Port Tag Type RMON Lrn Fld PVID DESCRIPTION VLAN(s) NVLAN ------- ---- --- ---------- ---- --- --- ------ -------------- ------ INTA1 Internal 4094...
Page 141 Port Configuration: Access mode port:  CN 4093(config)# interface port <port number> CN 4093(config-if)# switchport access vlan <VLAN ID> Trunk mode port:  CN 4093(config)# interface port <port number> CN 4093(config-if)# switchport trunk native vlan <VLAN ID> Each port on the switch can belong to one or more VLANs, and each VLAN can have any number of switch ports in its membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging enabled (see “VLAN Tagging/Trunk Mode” on page 142). © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 142: Vlan Tagging/Trunk Mode
VLAN Tagging/Trunk Mode Enterprise NOS software supports 802.1Q VLAN tagging, providing standards‐based VLAN support for Ethernet systems. Tagging places the VLAN identifier in the frame header of a packet, allowing each port to belong to multiple VLANs. When you add a port to multiple VLANs, you also must enable tagging on that port. Since tagging fundamentally changes the format of frames transmitted on a tagged port, you must carefully plan network designs to prevent tagged frames from being transmitted to devices that do not support 802.1Q VLAN tags, or devices where tagging is not enabled. Important terms used with the 802.1Q tagging feature are:  VLAN identifier (VID)—the 12‐bit portion of the VLAN tag in the frame header that identifies an explicit VLAN.  Port VLAN identifier (PVID)—a classification mechanism that associates a port with a specific VLAN. For example, a port with a PVID of 3 (PVID =3) assigns all untagged frames received on this port to VLAN 3. Any untagged frames received by the switch are classified with the PVID of the receiving port.  Tagged frame—a frame that carries VLAN tagging information in the header. This VLAN tagging information is a 32‐bit field (VLAN tag) in the frame header that identifies the frame as belonging to a specific VLAN. Untagged frames are marked (tagged) with this classification as they leave the switch through a port that is configured as a tagged port.  Untagged frame— a frame that does not carry any VLAN tagging information in the frame header.  Untagged member—a port that has been configured as an untagged member of a specific VLAN. When an untagged frame exits the switch through an untagged member port, the frame header remains unchanged. When a tagged frame exits the switch through an untagged member port, the tag is stripped and the tagged frame is changed to an untagged frame.  Tagged member—a port that has been configured as a tagged member of a specific VLAN. When an untagged frame exits the switch through a tagged member port, the frame header is modified to include the 32‐bit tag associated with the PVID. When a tagged frame exits the switch through a tagged member ...
Page 143 Port 1 Port 2 Port 3 Tagged member PVID = 2 of VLAN 2 Untagged packet 802.1Q Switch Data B efore Port 6 Port 7 Port 8 Untagged member of VLAN 2 BS45011A © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 144 As shown in Figure 4, the untagged packet is marked (tagged) as it leaves the switch through port 5, which is configured as a tagged member of VLAN 2. The untagged packet remains unchanged as it leaves the switch through port 7, which is configured as an untagged member of VLAN 2. Figure 4. 802.1Q tagging (after port‐based VLAN assignment) Tagged member PVID = 2 Port 1 Port 2 Port 3 of VLAN 2 802.1Q Switch CRC* Data (*Recalculated) Port 6 Port 7 Port 8 8100 Priority VID = 2 Untagged memeber of VLAN 2 16 bits 3 bits...
Page 145 16 bits 3 bits 1 bit 12 bits Data After Outgoing untagged packet changed (tag removed) Priority - User_priority - Canonical format indicator - VLAN identifier BS45014A Note: Setting the configuration to factory default (CN 4093(config)# boot configuration-block factory) will reset all non‐management ports to VLAN 1. © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 146: Ingress Vlan Tagging
Ingress VLAN Tagging Tagging can be enabled on an ingress port. When a packet is received on an ingress port, and if ingress tagging is enabled on the port, a VLAN tag with the port PVID is inserted into the packet as the outer VLAN tag. Depending on the egress port setting (tagged or untagged), the outer tag of the packet is retained or removed when it leaves the egress port. Ingress VLAN tagging is used to tunnel packets through a public domain without altering the original 802.1Q status. When ingress tagging is enabled on a port, all packets, whether untagged or tagged, will be tagged again. As shown in Figure 7, when tagging is enabled on the egress port, the outer tag of the packet is retained when it leaves the egress port. If tagging is disabled on the egress port, the outer tag of the packet is removed when it leaves the egress port. Figure 7. 802.1Q tagging (after ingress tagging assignment) Untagged packet received on ingress port 802.1Q Switch Port 1 Port 2 Port 3 Tagged member PVID = 2 of VLAN 2 Untagged packet CRC* Data...
Page 147: Vlan Topologies And Design Considerations
CN 4093(config)# vlan <VLAN ID (1‐4094)> CN 4093(config-vlan)# management When using Spanning Tree, STG 2‐128 may contain only one VLAN unless  Multiple Spanning‐Tree Protocol (MSTP) mode is used. With MSTP mode, STG 1 to 32 can include multiple VLANs. VLAN Configuration Rules VLANs operate according to specific configuration rules. When creating VLANs, consider the following rules that determine how the configured VLAN reacts in any network topology:  All ports involved in aggregation and port mirroring must have the same VLAN configuration. If a port is on a LAG with a mirroring port, the VLAN configura‐ tion cannot be changed. For more information about aggregation, see “Configuring a Static LAG” on page 163.  If a port is configured for port mirroring, the port’s VLAN membership cannot be changed. For more information on configuring port mirroring, see “Port Mirroring” on page 607.  Management VLANs must contain the management port, and can include one or more internal ports (INTx). External ports (EXTx) cannot be members of any management VLAN. © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 148: Example: Multiple Vlans With Tagging Adapters
Example: Multiple VLANs with Tagging Adapters Figure 8. Multiple VLANs with VLAN‐Tagged Gigabit Adapters Server #1 Server #2 VLAN #3 VLAN #1, 2, 3 Switch Module Switch Module Shared Media Gigabit/Tagged adapter PC #1 PC #2 PC #3 PC #4 PC #5 VLAN #2 VLAN #2 VLAN #1 VLAN #3 VLAN #1 &...
Page 149 Component Description PC #4 A member of VLAN 3, this PC can only communicate with Server 1 and Server 2. The associated external switch port has tagging disabled. PC #5 A member of both VLAN 1 and VLAN 2, this PC has a VLAN‐tagging Gigabit Ethernet adapter installed. It can communicate with Server 2 and PC 3 via VLAN 1, and to Server 2, PC 1 and PC 2 via VLAN 2. The associated external switch port is a member of VLAN 1 and VLAN 2, and has tagging enabled. Note: VLAN tagging is required only on ports that are connected to other CN4093s or on ports that connect to tag‐capable end‐stations, such as servers with VLAN‐tagging adapters. © Copyright Lenovo 2017 Chapter 8: VLANs...
Page 150: Protocol-Based Vlans
Protocol-Based VLANs Protocol‐based VLANs (PVLANs) allow you to segment network traffic according to the network protocols in use. Traffic for supported network protocols can be confined to a particular port‐based VLAN. You can give different priority levels to traffic generated by different network protocols. With PVLAN, the switch classifies incoming packets by Ethernet protocol of the packets, not by the configuration of the ingress port. When an untagged or priority‐tagged frame arrives at an ingress port, the protocol information carried in the frame is used to determine a VLAN to which the frame belongs. If a frame’s protocol is not recognized as a pre‐defined PVLAN type, the ingress port’s PVID is assigned to the frame. When a tagged frame arrives, the VLAN ID in the frame’s tag is used. Each VLAN can contain up to eight different PVLANs. You can configure separate PVLANs on different VLANs, with each PVLAN segmenting traffic for the same protocol type. For example, you can configure PVLAN 1 on VLAN 2 to segment IPv4 traffic, and PVLAN 8 on VLAN 100 to segment IPv4 traffic. To define a PVLAN on a VLAN, configure a PVLAN number (1‐8) and specify the frame type and the Ethernet type of the PVLAN protocol. You must assign at least one port to the PVLAN before it can function. Define the PVLAN frame type and Ethernet type as follows: Frame type—consists of one of the following values:  Ether2 (Ethernet II)  SNAP (Subnetwork Access Protocol)  LLC (Logical Link Control)   Ethernet type—consists of a 4‐digit (16 bit) hex value that defines the Ethernet type. You can use common Ethernet protocol values, or define your own values. Following are examples of common Ethernet protocol values: IPv4 = 0800  IPv6 = 86dd  ARP = 0806  Port-Based vs. Protocol-Based VLANs Each VLAN supports both port‐based and protocol‐based association, as follows: ...
Page 151: Pvlan Priority Levels
142. Untagged ports must have PVLAN tagging disabled. Tagged ports can have PVLAN tagging either enabled or disabled. PVLAN tagging has higher precedence than port‐based tagging. If a port is tag enabled, and the port is a member of a PVLAN, the PVLAN tags egress frames that match the PVLAN protocol. Use the tag‐pvl

Lenovo Flex System Fabric CN4093 Application Manual

Chapter 1. Switch Administration

Chapter 2. Initial Setup

Chapter 3. Switch Software Management

Chapter 4. Securing Administration

Chapter 5. Authentication & Authorization Protocols

Chapter 6. 802.1X Port-Based Network Access Control

Chapter 7. Access Control Lists

Chapter 8. Vlans

Chapter 9. Ports and Link Aggregation (LAG)

Chapter 10. Spanning Tree Protocols

Chapter 11. Virtual Link Aggregation Groups

Chapter 12. Quality of Service

Chapter 13. Stacking

Quick Links

Related Manuals for Lenovo Flex System Fabric CN4093

Summary of Contents for Lenovo Flex System Fabric CN4093