Who Should Use This Guide

This guide is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, Spanning Tree Protocol, and SNMP configuration parameters.

G8264CS Application Guide for ENOS 8.4...
Chapter 10, “Spanning Tree Protocols,” discusses how Spanning Tree Protocol (STP) configures the network so that the switch selects the most efficient path when multiple paths exist. It covers Rapid Spanning Tree Protocol (RSTP), Per-VLAN Rapid Spanning Tree (PVRST), and Multiple Spanning Tree Protocol (MSTP).
Chapter 11, “Virtual Link Aggregation Groups,” describes using Virtual Link Aggregation Groups (VLAGs) to form LAGs spanning multiple VLAG-capable aggregator switches.
Chapter 12, “Quality of Service,” discusses Quality of Service (QoS) features, including IP filtering using Access Control Lists (ACLs), Differentiated Services, and IEEE 802.1p priority values.

Part 4: Advanced Switching Features
Chapter 13, “Virtualization,” provides an overview of allocating resources based on the logical needs of the data center, rather than on the strict, physical nature of components.
Chapter 14, “Virtual NICs,” discusses using virtual NIC (vNIC) technology to divide NICs into multiple logical, independent instances.
Chapter 16, “VMready,” discusses virtual machine (VM) support on the G8264CS.
Chapter 17, “FCoE and CEE,” discusses using various Converged Enhanced Ethernet (CEE) features such as Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), and FIP Snooping for solutions such as Fibre Channel over Ethernet (FCoE).
Part 8: Monitoring
Chapter 38, “Remote Monitoring,” describes how to configure the RMON agent on the switch, so that the switch can exchange network monitoring data.
Chapter 39, “sFlow,” describes how to use the embedded sFlow agent for sampling network traffic and providing continuous monitoring information to a central sFlow analyzer.
Chapter 40, “Port Mirroring,” discusses how to copy selected port traffic to a monitor port for network analysis.

Part 9: Appendices
Appendix A, “Glossary,” describes common terms and concepts used throughout this guide.
Appendix C, “Getting help and technical assistance,” provides details on where to go for additional information about Lenovo and Lenovo products.
Appendix D, “Notices,” contains safety and environmental notices.
Typographic Conventions

The following table describes the typographic styles used in this book.

Table 1. Typographic Conventions

Typeface or Symbol | Meaning | Example
ABC123 (monospace) | Names of commands, files, and directories used within the text. Also depicts on-screen computer output and prompts. | View the readme.txt file. / Main#
ABC123 (bold) | Appears in command examples; shows text that must be typed in exactly as shown. | Main# sys
<ABC123> (italic) | Appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, ... | To establish a Telnet session, enter: host# telnet <IP address>
Administration Interfaces

Enterprise NOS provides a variety of user interfaces for administration. These interfaces vary in character and in the methods used to access them: some are text-based, and some are graphical; some are available by default, and some require configuration; some can be accessed by local connection to the switch, and others are accessed remotely using various client applications. For example, administration can be performed using any of the following:
- A built-in, text-based command-line interface and menu system for access via serial-port connection or an optional Telnet or SSH session
- The built-in Browser-Based Interface (BBI) available using a standard web browser
- SNMP support for access through network management software such as IBM Director or HP OpenView

The specific interface chosen for an administrative session depends on user preferences, as well as the switch configuration and the available client tools. In all cases, administration requires that the switch hardware is properly installed and turned on (see the RackSwitch G8264CS Installation Guide).

Command Line Interface

The Industry Standard Command Line Interface (ISCLI) provides a simple, direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance. You can establish a connection to the ISCLI in any of the following ways:
- Serial connection via the serial port on the G8264CS (this option is always available)
- Telnet connection over the network
- SSH connection over the network
Using the Switch Data Ports

You can also configure in-band management through any of the switch data ports. To allow in-band management, use the following procedure:

1. Log on to the switch.
2. Enter IP interface mode.
   RS 8264CS> enable
   RS 8264CS# configure terminal
   RS 8264CS(config)# interface ip <IP interface number>
   Note: Interface 128 is reserved for out-of-band management (see “Using the Switch Management Ports” on page 33).
3. Configure the management IP interface/mask.
   IPv4:
   RS 8264CS(config-ip-if)# ip address <management interface IPv4 address>
   RS 8264CS(config-ip-if)# ip netmask <IPv4 subnet mask>
   ...
The supported SSH encryption and authentication methods are:
- Server Host Authentication: the client RSA-authenticates the switch when starting each connection
- Key Exchange: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-nistp224, ecdh-sha2-nistp192, rsa2048-sha256, rsa1024-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
- Encryption: aes128-ctr, aes128-cbc, rijndael128-cbc, blowfish-cbc, 3des-cbc, arcfour256, arcfour128, arcfour
- MAC: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96
- User Authentication: local password authentication, public key authentication, RADIUS, TACACS+

Several of the offered algorithms are legacy (arcfour/RC4, blowfish-cbc, 3des-cbc, hmac-md5, diffie-hellman-group1-sha1, rsa1024-sha1). Since the switch advertises all of them, configure the SSH client to offer only the ecdh-sha2 key exchanges, aes128-ctr and hmac-sha1, so that the weak ones are never negotiated.

Lenovo Enterprise Network Operating System implements the SSH version 2.0 standard and is confirmed to work with SSH version 2.0-compliant clients such as the following:
- OpenSSH_5.4p1 for Linux
- Secure CRT Version 5.0.2 (build 1021)
- PuTTY SSH release 0.60

Using SSH with Password Authentication

By default, the SSH feature is disabled. Once the IP parameters are configured and the SSH service is enabled, you can access the command line interface using an SSH connection. To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IPv4 or IPv6 address:
# ssh <switch IP address>...
Using a Web Browser

The switch provides a Browser-Based Interface (BBI) for accessing the common configuration, management, and operation features of the G8264CS through your web browser. By default, BBI access via HTTP is enabled on the switch. You can also access the BBI directly from an open web browser window: enter the URL using the IP address of the switch interface (for example, http://<IPv4 or IPv6 address>). Note that HTTP carries the administrator credentials and the session in cleartext; where the BBI is required, use HTTPS and disable HTTP access.

Configuring HTTP Access to the BBI

By default, BBI access via HTTP is enabled on the switch. To disable or re-enable HTTP access to the switch BBI, use the following commands:
RS 8264CS(config)# access http enable          (Enable HTTP access)
-or-
RS 8264CS(config)# no access http enable       (Disable HTTP access)

The default HTTP web server port to access the BBI is port 80. However, you can change the default web server port with the following command:
RS 8264CS(config)# access http port <TCP port number>

To access the BBI from a workstation, open a web browser window and type in the ...
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Santa Clara]:
Organization Name (eg, company) [Lenovo Networking Operating System]:
Organizational Unit Name (eg, section) [Network Engineering]:
Common Name (eg, YOUR name) [0.0.0.0]:...

Set the Common Name to the host name or IP address that administrators will enter in the browser. A certificate issued for the default 0.0.0.0 does not match the address in the URL, so browsers will warn on every connection and administrators learn to click through warnings.
Using Simple Network Management Protocol

ENOS provides Simple Network Management Protocol (SNMP) version 1, version 2, and version 3 support for access through any network management software, such as IBM Director or HP OpenView.

Note: SNMP read and write functions are enabled by default. For best security practices, if SNMP is not needed for your network, it is recommended that you disable these functions prior to connecting the switch to the network.

To access the SNMP agent on the G8264CS, the read and write community strings on the SNMP manager must be configured to match those on the switch. The default read community string on the switch is public and the default write community string is private. The read and write community strings on the switch can be configured using the following commands:
RS 8264CS(config)# snmp-server read-community <1-32 characters>
-and-
RS 8264CS(config)# snmp-server write-community <1-32 characters>

SNMPv1 and SNMPv2c carry the community string in cleartext in every packet, so changing the defaults stops casual access but does not protect against an observer on the management path; use SNMPv3 where the manager supports it, and do not configure a write community unless writes are actually needed.

The SNMP manager must be able to reach any one of the IP interfaces on the switch.

For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following commands:
RS 8264CS(config)# snmp-server trap-source <trap source IP interface>
RS 8264CS(config)# snmp-server host <IPv4 address> <trap host community string>

To restrict SNMP access to specific IPv4 subnets, use the following commands:
RS 8264CS(config)# access management-network <IPv4 address> <subnet mask> snmp-ro
-and-...
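The checks above (non-default community strings, no unnecessary write community, SNMP confined to a management subnet) are easy to verify offline against a saved configuration. The following is an added example, not Lenovo code: it parses ENOS-style `snmp-server` and `access management-network` lines as printed on this page and reports what is left at the insecure defaults. The two sample configurations are constructed; the write-side keyword `snmp-rw` is assumed (the page shows only `snmp-ro`), and the 12-character minimum is my own threshold, not a switch limit.

```python
"""Offline audit of the SNMP settings in an ENOS-style configuration dump.

Added example, not Lenovo code. It checks the points this section makes:
default community strings ('public'/'private'), whether SNMP write access is
configured at all, and whether SNMP is confined to a management subnet with
'access management-network <addr> <mask> snmp-ro'. The command syntax follows
the page; 'snmp-rw' as the write-side keyword is an assumption, and both sample
configurations below are constructed, not captured from a switch.
"""

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LEN = 12  # my threshold, not a switch limit (switch accepts 1-32)

# Constructed sample: a switch left at the defaults described in the text.
WEAK_CONFIG = """\
hostname rs8264cs-01
snmp-server read-community public
snmp-server write-community private
snmp-server trap-source 1
snmp-server host 10.0.0.5 private
"""

# Constructed sample: read-only SNMP, long community, restricted to one subnet.
HARDENED_CONFIG = """\
hostname rs8264cs-01
snmp-server read-community Zq7kmLp2Rv9HxT4w
access management-network 10.10.20.0 255.255.255.0 snmp-ro
"""


def parse_snmp(config_text):
    """Collect the SNMP-relevant lines into a dict of lists."""
    found = {"read": [], "write": [], "trap_hosts": [], "mgmt_nets": []}
    for line in config_text.splitlines():
        t = line.strip().split()
        if t[:2] == ["snmp-server", "read-community"] and len(t) > 2:
            found["read"].append(t[2])
        elif t[:2] == ["snmp-server", "write-community"] and len(t) > 2:
            found["write"].append(t[2])
        elif t[:2] == ["snmp-server", "host"] and len(t) > 3:
            found["trap_hosts"].append((t[2], t[3]))
        elif t[:2] == ["access", "management-network"] and len(t) > 4:
            found["mgmt_nets"].append((t[2], t[3], t[4]))
    return found


def audit_snmp(config_text):
    """Return (severity, message) findings; an empty list means nothing to fix."""
    s = parse_snmp(config_text)
    findings = []
    if not s["read"] and not s["write"]:
        # Nothing configured means the factory defaults are still in effect.
        findings.append(("high", "no community strings set; defaults 'public'/'private' apply"))
    for c in s["read"]:
        if c in DEFAULT_COMMUNITIES:
            findings.append(("high", f"read community is the default '{c}'"))
        elif len(c) < MIN_COMMUNITY_LEN:
            findings.append(("low", f"read community '{c}' is short"))
    for c in s["write"]:
        if c in DEFAULT_COMMUNITIES:
            findings.append(("critical", f"write community is the default '{c}'"))
        else:
            findings.append(("medium", "SNMP write access is configured"))
    for host, c in s["trap_hosts"]:
        if c in DEFAULT_COMMUNITIES:
            findings.append(("high", f"trap host {host} uses default community '{c}'"))
    # Any 'snmp-*' management-network entry (snmp-ro shown on the page,
    # snmp-rw assumed) counts as a source restriction.
    if not any(n[2].startswith("snmp") for n in s["mgmt_nets"]):
        findings.append(("medium", "SNMP not restricted with 'access management-network ... snmp-ro'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for sev, msg in audit_snmp(cfg) or [("ok", "no findings")]:
            print(f"  {sev:8} {msg}")
```

Run it against a `show running-config` capture saved to a file by reading the file into `audit_snmp`. The empty-configuration case matters most: a switch with no `snmp-server` lines at all is not "SNMP off", it is SNMP with `public`/`private`, which is why the audit treats absence as a high finding.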
DHCP SYSLOG Server

During switch startup, if the switch fails to get the configuration file, a message can be recorded in the SYSLOG server. The G8264CS supports requesting a SYSLOG server IP address from the DHCP server as described in RFC 2132, option 7. The DHCP SYSLOG server request option is enabled by default. A manually configured SYSLOG server takes priority over a DHCP-learned SYSLOG server. Up to two SYSLOG server addresses received from the DHCP server can be used. The SYSLOG server can be learned over a management port or a data port.

Because the switch accepts a log destination from whichever DHCP server answers, a rogue DHCP server on the management or data VLAN can redirect or discard its logs. Configure the SYSLOG server manually and disable this option once it is no longer needed.

Use the RS 8264CS# show logging command to view the SYSLOG server address.

The DHCP SYSLOG server address option can be enabled/disabled using the following command:
RS 8264CS(config)# [no] system dhcp syslog

Global BOOTP Relay Agent Configuration

To enable the G8264CS to be a BOOTP (or DHCP) forwarder, enable the BOOTP relay feature, configure up to four global BOOTP server IPv4 addresses on the switch, and enable BOOTP relay on the interface(s) on which the client requests are expected.

Generally, it is best to configure BOOTP for the switch IP interface that is closest to the client, so that the BOOTP server knows from which IPv4 subnet the newly allocated IPv4 address will come.

In the G8264CS implementation, there are no primary or secondary BOOTP servers. The client request is forwarded to all the global BOOTP servers configured on the switch (if no domain-specific servers are configured). The use of multiple servers provides failover redundancy. However, no health checking is supported.

1. ...
Following is an example of DHCP snooping configuration, where the DHCP server and client are in VLAN 100, and the server connects using port 24.
RS 8264CS(config)# ip dhcp snooping vlan 100
RS 8264CS(config)# ip dhcp snooping
RS 8264CS(config)# interface port 24
RS 8264CS(config-if)# ip dhcp snooping trust                        (Optional; set port as trusted)
RS 8264CS(config-if)# ip dhcp snooping information option-insert    (Optional; add DHCP option 82)
RS 8264CS(config-if)# ip dhcp snooping limit rate 100               (Optional; set DHCP packet rate)

In this topology the server-facing port must in practice be trusted: DHCP snooping drops server messages (OFFER, ACK) that arrive on untrusted ports, which is what blocks a rogue DHCP server on a client port, and it would equally block the legitimate server on port 24 if that port were left untrusted. The rate limit protects the switch CPU from a client flooding DISCOVER messages.
Basic System Mode Configuration Example

This example shows the parameters available for configuration in Basic System mode:
RS 8264CS# easyconnect
Configure Basic system (yes/no)? y
Please enter "none" for no hostname.
Enter hostname(Default: None)? host
Please enter "dhcp" for dhcp IP.
Select management IP address (Current: 10.241.13.32)?
Enter management netmask(Current: 255.255.255.128)?
Enter management gateway:(Current: 10.241.13.1)?
Pending switch port configuration:
Hostname: host...
Note: Access to each user level (except the admin account) can be disabled by setting the password to an empty value. To disable the admin account, use the command no access user administrator-enable. The admin account can be disabled only if at least one other user account is enabled and configured with administrator privilege.
Idle Disconnect

By default, the switch will disconnect your Telnet session after 10 minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 0 to 60 minutes, where 0 means the session will never time out. A value of 0 leaves an unattended authenticated session open indefinitely and is not recommended on a switch reachable over the network. Use the following command to set the idle timeout value:
RS 8264CS(config)# system idle <0-60>
Table 3. Acceptable Protocols and Algorithms (continued)

Protocol/Function | Strict Mode Algorithm | Compatibility Mode Algorithm
HTTPS | TLS 1.2 only; see “Acceptable Cipher Suites” on page 56 | TLS 1.0, 1.1, 1.2; see “Acceptable Cipher Suites” on page 56
Key Exchange | DH Group 24 | DH group 1, 2, 5, 14, 24
Encryption | 3DES, AES-128-CBC | 3DES, AES-128-CBC
Integrity | HMAC-SHA1 | HMAC-SHA1, HMAC-MD5
IPSec | HMAC-SHA1 | HMAC-SHA1, HMAC-MD5
IPSec | 3DES, AES-128-CBC, HMAC-SHA1 | 3DES, AES-128-CBC, HMAC-SHA1, HMAC-MD5
LDAP | LDAP does not comply with the NIST SP 800-131A specification. When in strict mode, LDAP is disabled. However, it can be enabled, if required. |
Acceptable Cipher Suites

The following cipher suites are acceptable (listed in order of preference) when the RackSwitch G8264CS is in compatibility mode:

Table 4. List of Acceptable Cipher Suites in Compatibility Mode

Cipher ID | Key Exchange | Authentication | Encryption | MAC | Cipher Name
0xC027 | ECDHE | RSA | AES_128_CBC | SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
0xC013 | ECDHE | RSA | AES_128_CBC | SHA1 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xC012 | ECDHE | RSA | 3DES_EDE_CBC | SHA1 | SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
0xC011 | ECDHE | RSA | RC4_128 | SHA1 | SSL_ECDHE_RSA_WITH_RC4_128_SHA
0x002F | RSA | RSA | AES_128_CBC | SHA1 | TLS_RSA_WITH_AES_128_CBC_SHA
0x003C | RSA | RSA | AES_128_... | |
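The SSH algorithm lists under “Using SSH” and the cipher suites in Table 4 are what the switch will negotiate in compatibility mode; which of them a management client should accept is a policy decision. The following is an added example, not Lenovo code, serving both passages: it parses each SSH algorithm name and each TLS cipher-suite name into its components and applies a policy table. The algorithm names and cipher IDs are the ones printed on this page (the truncated name for 0x003C is completed from the IANA registry); the LEGACY policy is my own, not the switch's strict-mode table, and flags what a practitioner would refuse on a management path today.

```python
"""Policy check over the SSH algorithms and TLS cipher suites offered by the switch.

Added example, not Lenovo code. The algorithm names are those listed under
"Using SSH" on this page and the cipher IDs are those in Table 4 (the name for
0x003C, truncated on the page, is completed from the IANA registry). LEGACY is
my own policy, not the switch's strict-mode table: MD5, RC4, 64-bit-block
ciphers, 1024-bit DH/RSA and P-192 are rejected; everything else passes.
"""

SSH_KEX = ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
           "ecdh-sha2-nistp224", "ecdh-sha2-nistp192", "rsa2048-sha256",
           "rsa1024-sha1", "diffie-hellman-group-exchange-sha256",
           "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
           "diffie-hellman-group1-sha1"]
SSH_ENC = ["aes128-ctr", "aes128-cbc", "rijndael128-cbc", "blowfish-cbc",
           "3des-cbc", "arcfour256", "arcfour128", "arcfour"]
SSH_MAC = ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"]

# Table 4 cipher IDs with their IANA names (the page prints SSL_ for two of them).
TLS_SUITES = {
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
}

# Substring in the (lower-cased) algorithm name -> reason it is rejected.
LEGACY = {
    "md5": "MD5",
    "arcfour": "RC4",
    "rc4": "RC4",
    "blowfish": "64-bit block cipher",
    "3des": "64-bit block cipher",
    "group1-": "1024-bit DH group",          # does not match group14-
    "rsa1024": "1024-bit RSA",
    "nistp192": "P-192 is below 112-bit security",
}


def check_algorithm(name, policy=LEGACY):
    """Return the sorted list of reasons an algorithm name violates the policy."""
    lowered = name.lower()
    return sorted({reason for marker, reason in policy.items() if marker in lowered})


def filter_allowed(names, policy=LEGACY):
    """Split a negotiation list into (allowed, {rejected_name: reasons})."""
    allowed, rejected = [], {}
    for n in names:
        reasons = check_algorithm(n, policy)
        if reasons:
            rejected[n] = reasons
        else:
            allowed.append(n)
    return allowed, rejected


def classify_suite(name):
    """Parse TLS_<KEX>[_<AUTH>]_WITH_<ENC>_<MAC> (SSL_ prefix accepted)."""
    body = name.split("_", 1)[1]
    left, right = body.split("_WITH_")
    kex_parts = left.split("_")
    kex = kex_parts[0]
    # A lone "RSA" means RSA key transport: the server key both authenticates
    # and encrypts the premaster secret, so there is no forward secrecy.
    auth = kex_parts[1] if len(kex_parts) > 1 else kex_parts[0]
    *enc_parts, mac = right.split("_")
    return {"kex": kex, "auth": auth, "enc": "_".join(enc_parts), "mac": mac,
            "forward_secrecy": kex in ("ECDHE", "DHE")}


def suite_issues(cipher_id, policy=LEGACY):
    """Policy findings for one Table 4 cipher ID."""
    parts = classify_suite(TLS_SUITES[cipher_id])
    issues = check_algorithm(parts["enc"], policy) + check_algorithm(parts["mac"], policy)
    if not parts["forward_secrecy"]:
        issues.append("no forward secrecy (static RSA key transport)")
    return issues


if __name__ == "__main__":
    for label, names in (("kex", SSH_KEX), ("enc", SSH_ENC), ("mac", SSH_MAC)):
        ok, bad = filter_allowed(names)
        print(f"SSH {label}: keep {ok}")
        for n, why in bad.items():
            print(f"  drop {n}: {', '.join(why)}")
    for cid in TLS_SUITES:
        print(f"TLS 0x{cid:04X} {TLS_SUITES[cid]}: {suite_issues(cid) or 'ok'}")
```

The `allowed` lists are what you would paste into the client side (for OpenSSH, the `KexAlgorithms`, `Ciphers` and `MACs` options) so the weak algorithms the switch advertises are never selected; of the Table 4 suites, only the two ECDHE/AES-128-CBC entries survive the LEGACY policy.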
- Power ITEs and High-Availability features do not comply with the NIST SP 800-131A specification.
- The G8264CS will not discover Platform agents/Common agents that are not in strict mode.
- Web browsers that do not use TLS 1.2 cannot be used.
- Limited functions of the switch managing Windows will be available.
Information Needed for Setup

Setup requests the following information:
- Basic system information
  - Date and time
  - Whether to use Spanning Tree Group or not
- Optional configuration for each port
  - Speed, duplex, flow control, and negotiation mode (as appropriate)
  - Whether to use VLAN trunk mode/tagging or not (as appropriate)
- Optional configuration for each VLAN
  - Name of VLAN
  - Which ports are included in the VLAN
- Optional configuration of IP parameters
  - IP address/mask and VLAN for each IP interface
  - IP addresses for default gateway
  - Whether IP forwarding is enabled or not
Stopping and Restarting Setup Manually

Follow these instructions to manually stop and start the Setup utility.

Stopping Setup

To abort the Setup utility, press <Ctrl-C> during any Setup question. When you abort Setup, the system will prompt:
Would you like to run from top again? [y/n]
Enter n to abort Setup, or y to restart the Setup program at the beginning.

Restarting Setup

You can restart the Setup utility manually at any time by entering the following command at the administrator prompt:
RS 8264CS(config)# setup
Enter the minute as a number from 00 to 59. To keep the current minute, press <Enter>.

7. Enter the seconds of the current time at the prompt:
   Enter seconds [37]:
   Enter the seconds as a number from 00 to 59. To keep the current second, press <Enter>. The system then displays the date and time settings:
   System clock set to 8:55:36 Wed Jan 28, 2009.

8. Turn Spanning Tree Protocol on or off at the prompt:
   Spanning Tree:
   Current Spanning Tree Group 1 setting: ON
   Turn Spanning Tree Group 1 OFF? [y/n]
   Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on.
Enter d to disable VLAN trunk mode/tagging for the port or enter e to enable VLAN tagging for the port. To keep the current setting, press <Enter>.

6. The system prompts you to configure the next port:
   Enter port (INT1-14, MGT1-2, EXT1-64, MGT):
   When you are through configuring ports, press <Enter> without specifying any port. Otherwise, repeat the steps in this section.
Setup Part 4: IP Configuration

The system prompts for IPv4 parameters. Although the switch supports both IPv4 and IPv6 networks, the Setup utility permits only IPv4 configuration. For IPv6 configuration, see Chapter 23, “Internet Protocol Version 6.”

IP Interfaces

IP interfaces are used for defining the networks to which the switch belongs. Up to 126 IP interfaces can be configured on the RackSwitch G8264CS (G8264CS). The IP address assigned to each IP interface provides the switch with an IP presence on your network. No two IP interfaces can be on the same IP network. The interfaces can be used for connecting to the switch for remote configuration, and for routing between subnets and VLANs (if used).

Note: IP interface 128 is reserved for out-of-band switch management.

1. Select the IP interface to configure, or skip interface configuration at the prompt:
   IP Config:
   IP interfaces:
   Enter interface number: (1-126)
   If you wish to configure individual IP interfaces, enter the number of the IP interface you wish to configure. To skip IP interface configuration, press <Enter> without typing an interface number and go to “Default Gateways” on page 70.

2. For the specified IP interface, enter the IP address in IPv4 dotted decimal notation:
   Current IP address: 0.0.0.0
   Enter new IP address:
   To keep the current setting, press <Enter>.
RADIUS:
RS 8264CS(config)# ip radius source-interface loopback <1-5>
TACACS+:
RS 8264CS(config)# ip tacacs source-interface loopback <1-5>
NTP:
RS 8264CS(config)# ntp source loopback <1-5>

Loopback Interface Limitations
- ARP is not supported. Loopback interfaces will ignore ARP requests.
- Loopback interfaces cannot be assigned to a VLAN.

Default Gateways

To set up a default gateway:

1. At the prompt, select an IP default gateway for configuration, or skip default gateway configuration:
   IP default gateways:
   Enter default gateway number: (1-4)
   Enter the number for the IP default gateway to be configured. To skip default ...
Setup Part 5: Final Steps

1. When prompted, decide whether to restart Setup or continue:
   Would you like to run from top again? [y/n]
   Enter y to restart the Setup utility from the beginning, or n to continue.

2. When prompted, decide whether you wish to review the configuration changes:
   Review the changes made? [y/n]
   Enter y to review the changes made during this session of the Setup utility. Enter n to continue without reviewing the changes. We recommend that you review the changes.

3. Next, decide whether to apply the changes at the prompt:
   Apply the changes? [y/n]
   Enter y to apply the changes, or n to continue without applying. Changes are normally applied.

4. At the prompt, decide whether to make the changes permanent:
   Save changes to flash? [y/n]
   Enter y to save the changes to flash. Enter n to continue without saving the ...
Loading New Software to Your Switch

The G8264CS can store up to two different switch software images (called image1 and image2) as well as special boot software (called boot). When you load new software, you must specify where it is placed: either into image1, image2, or boot.

For example, if your active image is currently loaded into image1, you would probably load the new image software into image2. This lets you test the new software and reload the original active image (stored in image1), if needed.

CAUTION: When you upgrade the switch software image, always load the new boot image and the new software image before you reset the switch. If you do not load a new boot image, your switch might not boot properly (to recover, see “Recovering from a Failed Software Upgrade” on page 80).

To load a new software image to your switch, you will need the following:
- The image and boot software loaded on an FTP, SFTP or TFTP server on your network.
  Note: Be sure to download both the new boot file and the new image file.
- The hostname or IP address of the FTP, SFTP or TFTP server.
  Note: The DNS parameters must be configured if specifying hostnames.
- The name of the new system image.

TFTP and FTP transfer the image unauthenticated and in the clear, so an on-path attacker could substitute a modified image; use SFTP where the server supports it and transfer images only over the management network.

When the software requirements are met, use one of the following procedures to download the new software to your switch. You can use the ISCLI, USB, or the BBI to download and activate new software.

Loading Software via the ISCLI

1. In Privileged EXEC mode, enter the following command:
   Router# copy {tftp|ftp|sftp} {image1|image2|boot-image}
2. ...
USB Options

You can insert a USB drive into the USB port on the G8264CS and use it to work with switch image and configuration files. You can boot the switch using files located on the USB drive, or copy files to and from the USB drive.

To safely remove the USB drive, first use the following command to un-mount the USB file system:
system usb-eject
Command mode: Global configuration

USB Boot

USB Boot allows you to boot the switch with a software image file, boot file, or configuration file that resides on a USB drive inserted into the USB port. Use the following command to enable or disable USB Boot:
[no] boot usbboot enable
Command mode: Global configuration

When enabled, when the switch is reset/reloaded, it checks the USB port. If a USB drive is inserted into the port, the switch checks the root directory on the USB drive for software and image files. If a valid file is present, the switch loads the file and boots using the file. While USB Boot is enabled, anyone with physical access to the switch can replace its boot image, software image or configuration by inserting a drive and power-cycling it; leave the feature disabled except during a planned maintenance window.

Note: The following file types are supported: FAT32, NTFS (read-only), EXT2, and EXT3.

The following list describes the valid file names, and describes the switch behavior when it recognizes them. The file names must be exactly as shown, or the switch will not recognize them.
- RSG8264_Boot.img: The switch replaces the current boot image with the new image, and boots with the new image.
- RSG8264_OS.img: The switch boots with the new software image. The existing images are not affected.
- RSG8264_replace1_OS.img: The switch replaces the current software image1 with the new image, and boots ...
The Boot Management Menu

The Boot Management menu allows you to switch the software image, reset the switch to factory defaults, or recover from a failed software download. Because the menu is reached without a password and can wipe the configuration, access to the serial console port during boot should be controlled as administrator access.

You can interrupt the boot process and enter the Boot Management menu from the serial console port. When the system displays Memory Test, press <Shift B>. The Boot Management menu appears.

Resetting the System ...
Memory Test ........

Boot Management Menu
I - Change booting image
C - Change configuration block
Q - Reboot
E - Exit
Please choose your menu option:
Current boot image is 1.
5. Xmodem download: When you see the following message, change the Serial Port characteristics to 115200 bps:
   Change the baud rate to 115200 bps and hit the <ENTER> key before initiating the download.
   a. Press <Enter> to set the system into download accept mode. When the readiness meter displays (a series of “C” characters), start XModem on your terminal emulator.
   b. When you see the following message, change the Serial Port characteristics to 9600 bps:
      Change the baud rate back to 9600 bps, hit the <ESC> key.
   c. When you see the following prompt, enter the image number where you want to install the new software and press <Enter>:
      ...
   Parity: None
   Flow Control: None
3. Boot the switch and access the Boot Management menu by pressing <Shift B> while the Memory Test is in progress and the dots are being displayed.
4. Select X for Xmodem download. The following appears:
   Perform xmodem download
   To download an image use 1K Xmodem at 115200 bps.
5. When you see the following message, change the Serial Port characteristics to 115200 bps:
   Change the baud rate to 115200 bps and hit the <ENTER> key before initiating the download.
   a.
- Authentication of remote administrators: identifying the administrator using name/password
- Authorization of remote administrators: determining the permitted actions and customizing service for individual administrators
- Encryption of management messages: encrypting messages between the remote administrator and switch
- Secure copy support

Lenovo Enterprise Network Operating System implements the SSH version 2.0 standard and is confirmed to work with SSH version 2.0-compliant clients such as the following:
- OpenSSH_5.4p1 for Linux
- Secure CRT Version 5.0.2 (build 1021)
- PuTTY SSH release 0.60

Configuring SSH/SCP Features on the Switch

SSH and SCP features are disabled by default. To change the SSH/SCP settings, use the following procedures.

Note: To use SCP, you must first enable SSH.

To Enable or Disable the SSH Feature

Begin a Telnet session from the console port and enter the following command:...
To Load a Switch Configuration File from the SCP Host

Syntax:
>> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg
Example:
>> scp ad4.cfg scpadmin@205.178.15.157:putcfg

To Apply and Save the Configuration

When loading a configuration file to the switch, the apply and save commands are still required for the configuration commands to take effect. The apply and save commands may be entered manually on the switch, or by using SCP commands.

Syntax:
>> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg_apply
>> scp [-4|-6] <local filename> <username>@<switch IP address>:putcfg_apply_save
Example:
>>...
SSH/SCP Integration with TACACS+ Authentication

SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified TACACS+ servers for authentication. The redirection is transparent to the SSH clients.
The administrator can choose the number of days allowed before each password expires. When a strong password expires, the user is allowed to log in one last time to change the password. A warning provides advance notice for users to change the password.

User Access Control

The end-user access control commands allow you to configure end-user accounts.

Setting up User IDs

Up to 20 user IDs can be configured. Use the following commands to define any user name and set the user password at the resulting prompts:
RS 8264CS(config)# access user 1 name <1-64 characters>
RS 8264CS(config)# access user 1 password
Changing user1 password; validation required:
Enter current admin password: <current administrator password>
Enter new user1 password: <new user password>
Re-enter new user1 password: <new user password>...
RADIUS Authentication and Authorization

Enterprise NOS supports the RADIUS (Remote Authentication Dial-in User Service) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS), here the switch, is a client to the back-end database server. A remote user (the remote administrator) interacts only with the RAS, not the back-end server and database.

RADIUS authentication consists of the following components:
- A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866)
- A centralized server that stores all the user authorization information
- A client: in this case, the switch

The G8264CS, acting as the RADIUS client, communicates with the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are hidden between the RADIUS client (the switch) and the back-end RADIUS server. Note what this does and does not cover: only the User-Password attribute is protected, by XOR with an MD5 stream derived from the shared secret and the request authenticator (RFC 2138/2865 section 5.2); the user name and the rest of the request are sent in the clear, and anyone who learns the shared secret can recover the passwords. Use a long, per-switch secret and keep RADIUS traffic on the management network.

How RADIUS Authentication Works

The RADIUS authentication process follows these steps:
1. A remote administrator connects to the switch and provides a user name and password.
2. Using the authentication/authorization protocol, the switch sends a request to the authentication server.
3. The authentication server checks the request against the user ID database.
4. Using the RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access.

Configuring RADIUS on the Switch

Use the following procedure to configure RADIUS authentication on your switch. ...
RADIUS Authentication Features in Enterprise NOS

ENOS supports the following RADIUS authentication features:
- Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.
- Allows RADIUS secret password up to 32 bytes and less than 16 octets.
- Supports a secondary authentication server so that when the primary authentication server is unreachable, the switch can send client authentication requests to the secondary authentication server. Use the following command to show the currently active RADIUS authentication server:
  RS 8264CS# show radius-server
- Supports user-configurable RADIUS server retry and time-out values:
  - Time-out value = 1-10 seconds
  - Retries = 1-3
  The switch will time out if it does not receive a response from the RADIUS server in 1-3 retries. The switch will also automatically retry connecting to the RADIUS server before it declares the server down.
- Supports user-configurable RADIUS application port. The default is UDP port 1645. UDP port 1812, based on RFC 2138, is also supported.
- Allows network administrator to define privileges for one or more specific users to access the switch at the RADIUS user database.

Switch User Accounts

The user accounts listed in Table 6 can be defined in the RADIUS server dictionary ...
TACACS+ Authentication

ENOS supports authentication and authorization with networks using the Cisco Systems TACACS+ protocol. The G8264CS functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the G8264CS either through a data port or management port.

TACACS+ offers the following advantages over RADIUS:
- TACACS+ uses TCP-based connection-oriented transport, whereas RADIUS is UDP-based. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers.
- TACACS+ obscures the full packet body, whereas RADIUS protects only the password in authentication requests. The TACACS+ body protection is an MD5-derived pad XORed over the body, keyed with the shared secret (RFC 8907 section 4.5 describes it as obfuscation rather than encryption); it hides the user name and password from a casual observer but offers no integrity protection, so it should still be confined to the management network.
- TACACS+ separates authentication, authorization and accounting.

How TACACS+ Authentication Works

TACACS+ works much in the same way as RADIUS authentication, as described under “How RADIUS Authentication Works”:
1. A remote administrator connects to the switch and provides a user name and password.
2. Using the authentication/authorization protocol, the switch sends a request to the authentication server.
3. The authentication server checks the request against the user ID database.
4. Using the TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access.

During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command.
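The RADIUS section says administrator passwords are hidden between the switch and the server, and the TACACS+ section says the whole packet body is protected. Both statements describe the same kind of mechanism, an MD5-derived keystream keyed by the shared secret, and the following added example (not Lenovo code) implements both so the difference is concrete: RADIUS hides the User-Password attribute per RFC 2865 section 5.2 (the construction RFC 2138 specified), while TACACS+ XORs its entire body with the pad from RFC 8907 section 4.5. The shared secret, request authenticator and session ID used below are constructed test values, and the Access-Request builder carries only the two attributes needed to show that the user name travels in the clear.

```python
"""What "encrypted" means for RADIUS and TACACS+ management authentication.

Added example, not Lenovo code. Both protocols hide data with an MD5-derived
keystream keyed by the shared secret rather than with a cipher: RADIUS hides
only the User-Password attribute (RFC 2865 section 5.2; RFC 2138 specified the
same construction), and TACACS+ XORs the whole packet body with a pad
(RFC 8907 section 4.5), which that RFC calls obfuscation. The secret,
authenticator and session ID used by the tests are constructed values.
"""
import hashlib
import os

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(secret, authenticator, password):
    """RFC 2865 5.2: c1 = p1 XOR MD5(S+RA), c_i = p_i XOR MD5(S + c_{i-1})."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16n
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block            # chaining uses the *ciphertext* block
    return bytes(hidden)


def radius_reveal_password(secret, authenticator, hidden):
    """Inverse of radius_hide_password; anyone holding the secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        plain += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")   # strip padding; passwords cannot end in NUL


def radius_access_request(secret, identifier, username, password, authenticator=None):
    """Build a minimal Access-Request; User-Name (type 1) is not protected at all."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    hidden = radius_hide_password(secret, ra, password)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    length = 20 + len(attrs)    # code(1) id(1) length(2) authenticator(16)
    return bytes([RADIUS_ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big") + ra + attrs


def tacacs_pad(secret, session_id, version, seq_no, length):
    """RFC 8907 4.5: pad_1 = MD5(session_id+key+version+seq_no),
    pad_n = MD5(session_id+key+version+seq_no+pad_{n-1}), concatenated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + secret + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(secret, session_id, version, seq_no, body):
    """XOR the body with the pad; the same call reverses it."""
    return _xor(body, tacacs_pad(secret, session_id, version, seq_no, len(body)))


if __name__ == "__main__":
    secret, ra = b"shared-secret-test", bytes(range(16))       # constructed values
    pkt = radius_access_request(secret, 7, b"admin", b"correct horse battery staple", ra)
    print("RADIUS Access-Request:", pkt.hex())
    print("user name visible:", b"admin" in pkt)
    body = b"\x01\x01\x00\x01\x05\x00\x05\x00adminpass1"     # constructed body
    ob = tacacs_obfuscate(secret, b"\xde\xad\xbe\xef", 0xC0, 1, body)
    print("TACACS+ body on the wire:", ob.hex())
```

The important property is visible in the two functions: neither scheme has a key separate from the shared secret, and neither adds an integrity tag, so the secret is the only thing standing between a packet capture and the administrator password. The TACACS+ pad also depends on the sequence number, which is why a body decoded with the wrong `seq_no` comes out as garbage.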
Accounting

Accounting is the action of recording a user's activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization is not performed via TACACS+, there are no TACACS+ accounting messages sent out.

You can use TACACS+ to record and track software login access, configuration changes, and interactive commands. The G8264CS supports the following TACACS+ accounting attributes:

- protocol (console/Telnet/SSH/HTTP/HTTPS)
- start_time
- stop_time
- elapsed_time
- disc_cause

Note: When using the Browser-Based Interface, the TACACS+ Accounting Stop records are sent only if the Logout button on the browser is clicked.

Command Authorization and Logging

When TACACS+ Command Authorization is enabled, ENOS configuration commands are sent to the TACACS+ server for authorization. Use the following command to enable TACACS+ Command Authorization:

  RS 8264CS(config)# tacacs-server command-authorization

When TACACS+ Command Logging is enabled, ENOS configuration commands are logged on the TACACS+ server. Use the following command to enable TACACS+ Command Logging:

  RS 8264CS(config)# tacacs-server command-logging

The following examples illustrate the format of ENOS commands sent to the TACACS+ server: ...
LDAP Authentication and Authorization

ENOS supports the LDAP (Lightweight Directory Access Protocol) method to authenticate and authorize remote administrators to manage the switch. LDAP is based on a client/server model. The switch acts as a client to the LDAP server. A remote user (the remote administrator) interacts only with the switch, not the back-end server and database.

LDAP authentication consists of the following components:

- A protocol with a frame format that utilizes TCP over IP
- A centralized server that stores all the user authorization information
- A client: in this case, the switch

Each entry in the LDAP server is referenced by its Distinguished Name (DN). The DN consists of the user-account name concatenated with the LDAP domain name. If the user-account name is John, the following is an example DN:

  uid=John,ou=people,dc=domain,dc=com

Configuring the LDAP Server

G8264CS user groups and user accounts must reside within the same domain. On the LDAP server, configure the domain to include G8264CS user groups and user accounts, as follows:

- User Accounts: Use the uid attribute to define each individual user account. If a custom attribute is used to define individual users, it must also be configured on the switch.
- User Groups: Use the members attribute in the groupOfNames object class to create the user groups. The first word of the common name for each user group must be equal to the user group names defined in the G8264CS, as follows:
    admin
    oper
    user ...
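To make the DN construction and the "first word of the common name" rule concrete, here is an added example (not code from the Lenovo guide or from ENOS) that builds the DN shown above and resolves a user's switch group from constructed groupOfNames entries. It uses the standard schema attribute name member for group membership (the guide writes "members"); the rule that the most privileged group wins when a user appears in several is an assumption of this example, as are the directory entries and the uid_attr parameter.

```python
"""Added example (not part of the Lenovo guide): build the DN described above
and map LDAP group membership to the switch user groups (admin, oper, user)
using the first word of each group's common name.  Directory entries are
constructed; the privilege ordering used when a user is in several matching
groups is an assumption of this example."""
from typing import Optional

SWITCH_GROUPS = ("admin", "oper", "user")          # names the G8264CS expects
PRIVILEGE_ORDER = {"admin": 0, "oper": 1, "user": 2}  # assumption: most privileged wins


def domain_to_base(domain: str) -> str:
    """'domain.com' -> 'dc=domain,dc=com'"""
    return ",".join(f"dc={label}" for label in domain.split("."))


def user_dn(account: str, domain: str, uid_attr: str = "uid", ou: str = "people") -> str:
    """Build the DN the switch searches for.  uid_attr reflects the guide's note
    that a custom attribute used instead of uid must also be configured on the switch."""
    if "," in account or "=" in account:
        raise ValueError("account name must not contain DN separators")
    return f"{uid_attr}={account},ou={ou},{domain_to_base(domain)}"


# Constructed directory: groupOfNames entries (standard attribute name is 'member').
DIRECTORY_GROUPS = [
    {"dn": "cn=admin staff,ou=groups,dc=domain,dc=com",
     "objectClass": ["top", "groupOfNames"], "cn": "admin staff",
     "member": ["uid=John,ou=people,dc=domain,dc=com"]},
    {"dn": "cn=oper noc,ou=groups,dc=domain,dc=com",
     "objectClass": ["top", "groupOfNames"], "cn": "oper noc",
     "member": ["uid=Alice,ou=people,dc=domain,dc=com",
                "uid=John,ou=people,dc=domain,dc=com"]},
    {"dn": "cn=user readonly,ou=groups,dc=domain,dc=com",
     "objectClass": ["top", "groupOfNames"], "cn": "user readonly",
     "member": ["uid=Alice,ou=people,dc=domain,dc=com"]},
    {"dn": "cn=administrators,ou=groups,dc=domain,dc=com",   # first word is not a switch group
     "objectClass": ["top", "groupOfNames"], "cn": "administrators",
     "member": ["uid=Carol,ou=people,dc=domain,dc=com"]},
    {"dn": "cn=admin mailing,ou=groups,dc=other,dc=com",     # outside the switch's domain
     "objectClass": ["top", "groupOfNames"], "cn": "admin mailing",
     "member": ["uid=Bob,ou=people,dc=domain,dc=com"]},
]


def switch_group_for(dn: str, groups, domain: str) -> Optional[str]:
    """Return 'admin', 'oper' or 'user' for the DN, or None when no group in the
    switch's domain grants access.  Groups and accounts must share the domain,
    so groups under another base are ignored; so are groups whose first cn word
    is not one of the switch group names."""
    base = domain_to_base(domain).lower()
    found = []
    for group in groups:
        if "groupOfNames" not in group.get("objectClass", []):
            continue
        if not group["dn"].lower().endswith("," + base):
            continue
        if dn.lower() not in (m.lower() for m in group.get("member", [])):
            continue
        first_word = group["cn"].split()[0].lower()
        if first_word in SWITCH_GROUPS:
            found.append(first_word)
    if not found:
        return None
    return min(found, key=PRIVILEGE_ORDER.__getitem__)
```

The check that the account name carries no DN separators is the part worth keeping in a real client: a user-supplied name concatenated straight into a DN is otherwise an injection point.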
Extensible Authentication Protocol over LAN

Lenovo Enterprise Network Operating System can provide user-level security for its ports using the IEEE 802.1X protocol, which is a more secure alternative to other methods of port-based network access control. Any device attached to an 802.1X-enabled port that fails authentication is prevented access to the network and denied services offered through that port.

The 802.1X standard describes port-based network access control using Extensible Authentication Protocol over LAN (EAPoL). EAPoL provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics and of preventing access to that port in cases of authentication and authorization failures.

EAPoL is a client-server protocol that has the following components:

Supplicant or Client
  The Supplicant is a device that requests network access and provides the required credentials (user name and password) to the Authenticator and the Authenticator Server.

Authenticator
  The Authenticator enforces authentication and controls access to the network. The Authenticator grants network access based on the information provided by the Supplicant and the response from the Authentication Server. The Authenticator acts as an intermediary between the Supplicant and the Authentication Server: requesting identity information from the client, forwarding that information to the Authentication Server for validation, relaying the server's responses to the client, and authorizing network access based on the results of the authentication exchange. The G8264CS acts as an Authenticator.

Authentication Server
  The Authentication Server validates the credentials provided by the Supplicant to determine if the Authenticator ought to grant access to the network. The Authentication Server may be co-located with the Authenticator. The G8264CS relies on external RADIUS servers for authentication.
EAPoL Message Exchange

During authentication, EAPOL messages are exchanged between the client and the G8264CS authenticator, while RADIUS-EAP messages are exchanged between the G8264CS authenticator and the RADIUS server.

Authentication is initiated by one of the following methods:

- The G8264CS authenticator sends an EAP-Request/Identity packet to the client.
- The client sends an EAPOL-Start frame to the G8264CS authenticator, which responds with an EAP-Request/Identity frame.

The client confirms its identity by sending an EAP-Response/Identity frame to the G8264CS authenticator, which forwards the frame encapsulated in a RADIUS packet to the server.

The RADIUS authentication server chooses an EAP-supported authentication algorithm to verify the client's identity, and sends an EAP-Request packet to the client via the G8264CS authenticator. The client then replies to the RADIUS server with an EAP-Response containing its credentials.

Upon a successful authentication of the client by the server, the 802.1X-controlled port transitions from unauthorized to authorized state, and the client is allowed full access to services through the controlled port. When the client later sends an EAPOL-Logoff message to the G8264CS authenticator, the port transitions from authorized to unauthorized state.

If a client that does not support 802.1X connects to an 802.1X-controlled port, the G8264CS authenticator requests the client's identity when it detects a change in the operational state of the port. The client does not respond to the request, and the port remains in the unauthorized state.

Note: When an 802.1X-enabled client connects to a port that is not 802.1X-controlled, the client initiates the authentication process by sending an EAPOL-Start frame. When no response is received, the client retransmits the request for a fixed number of times. If no response is received, the client assumes the port is in authorized state, and begins sending frames, even if the port is unauthorized.
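The exchange described above, as an added example that is not part of the Lenovo guide or of ENOS: a small simulation with all three roles (Supplicant, Authenticator, RADIUS server) and the controlled port's state. Both initiation methods, the EAPOL-Logoff transition and the silent non-802.1X client are modelled. The EAP method (MD5-Challenge), the message encoding and the user database are constructed choices for the example; a real server selects the method and the switch relays real RADIUS packets.

```python
"""Added example (not part of the Lenovo guide): simulation of the EAPoL /
RADIUS-EAP exchange with the authenticator's port state tracked through
authentication, logoff and a client that does not speak 802.1X.  The EAP
method (MD5-Challenge) and the user database are constructed sample choices."""
import hashlib
import hmac
import os

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


class Supplicant:
    """The client attached to the controlled port."""
    def __init__(self, identity, password, supports_8021x=True):
        self.identity, self.password = identity, password
        self.supports_8021x = supports_8021x

    def on_eap(self, request):
        """Return the EAP response, or None for a client that ignores EAPoL."""
        if not self.supports_8021x:
            return None
        if request["type"] == "EAP-Request/Identity":
            return {"type": "EAP-Response/Identity", "identity": self.identity}
        if request["type"] == "EAP-Request/MD5-Challenge":
            proof = hashlib.md5(self.password.encode() + request["challenge"]).hexdigest()
            return {"type": "EAP-Response/MD5-Challenge", "proof": proof}
        raise ValueError("unexpected EAP request " + request["type"])


class RadiusServer:
    """Authentication Server: validates credentials; never talks to the client directly."""
    def __init__(self, users):
        self.users = users          # identity -> password (constructed)
        self.pending = {}           # identity -> outstanding challenge

    def access_request(self, user_name, eap):
        """Return (RADIUS code, EAP message for the authenticator to relay or None)."""
        if eap["type"] == "EAP-Response/Identity":
            challenge = os.urandom(16)
            self.pending[user_name] = challenge
            return "Access-Challenge", {"type": "EAP-Request/MD5-Challenge", "challenge": challenge}
        if eap["type"] == "EAP-Response/MD5-Challenge":
            challenge = self.pending.pop(user_name, None)
            password = self.users.get(user_name)
            if challenge is not None and password is not None:
                expected = hashlib.md5(password.encode() + challenge).hexdigest()
                if hmac.compare_digest(expected, eap["proof"]):
                    return "Access-Accept", None
        return "Access-Reject", None


class Authenticator:
    """The G8264CS role: relays EAP between client and server and owns the port state."""
    def __init__(self, server):
        self.server = server
        self.state = UNAUTHORIZED
        self.transcript = []        # "from -> to: message" lines

    def _log(self, src, dst, msg):
        self.transcript.append(f"{src} -> {dst}: {msg}")

    def link_up(self, client):
        """Operational state change: request the identity and run the exchange."""
        self.state = UNAUTHORIZED
        request, user_name = {"type": "EAP-Request/Identity"}, None
        while True:
            self._log("authenticator", "client", request["type"])
            reply = client.on_eap(request)
            if reply is None:                       # non-802.1X client stays silent
                self._log("client", "authenticator", "(no response; port stays unauthorized)")
                return self.state
            self._log("client", "authenticator", reply["type"])
            if reply["type"] == "EAP-Response/Identity":
                user_name = reply["identity"]
            self._log("authenticator", "server",
                      f"RADIUS Access-Request User-Name={user_name} EAP-Message={reply['type']}")
            code, eap = self.server.access_request(user_name, reply)
            self._log("server", "authenticator", "RADIUS " + code)
            if code == "Access-Challenge":
                request = eap                       # relay the server's EAP-Request
                continue
            self.state = AUTHORIZED if code == "Access-Accept" else UNAUTHORIZED
            return self.state

    def eapol_start(self, client):
        """Client-initiated variant: EAPOL-Start, then the same exchange."""
        self._log("client", "authenticator", "EAPOL-Start")
        return self.link_up(client)

    def eapol_logoff(self):
        self._log("client", "authenticator", "EAPOL-Logoff")
        self.state = UNAUTHORIZED
        return self.state
```

Reading the transcript after a run shows the split the text describes: only EAP frames cross the client side, only RADIUS packets cross the server side, and the port changes state solely on the server's Access-Accept or the client's EAPOL-Logoff.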
Supported RADIUS Attributes

The 802.1X Authenticator relies on external RADIUS servers for authentication with EAP. Table 10 lists the RADIUS attributes that are supported as part of RADIUS-EAP authentication based on the guidelines specified in Annex D of the 802.1X standard and RFC 3580.

Table 10. Support for RADIUS Attributes

  #    Attribute        Attribute Value                                        A-R   A-A   A-C   A-R
  1    User-Name        The value of the Type-Data field from the              0-1
                        supplicant's EAP-Response/Identity message. If
                        the Identity is unknown (for example, Type-Data
                        field is zero bytes in length), this attribute
                        will have the same value as the Calling-Station-Id.
  4    NAS-IP-Address   IPv4 address of the authenticator used for
                        RADIUS communication.
  5    NAS-Port         Port number of the authenticator port to which
                        the supplicant is attached.
  24   State            Server-specific value. This is sent ...
EAPoL Configuration Guidelines

When configuring EAPoL, consider the following guidelines:

- The 802.1X port-based authentication is currently supported only in point-to-point configurations, that is, with a single supplicant connected to an 802.1X-enabled switch port.
- When 802.1X is enabled, a port has to be in the authorized state before any other Layer 2 feature can be operationally enabled. For example, the STG state of a port is operationally disabled while the port is in the unauthorized state.
- The 802.1X supplicant capability is not supported. Therefore, none of its ports can successfully connect to an 802.1X-enabled port of another device, such as another switch, that acts as an authenticator, unless access control on the remote port is disabled or is configured in forced-authorized mode. For example, if a G8264CS is connected to another G8264CS, and if 802.1X is enabled on both switches, the two connected ports must be configured in force-authorized mode.
- Unsupported 802.1X attributes include Service-Type, Session-Timeout, and Termination-Action.
- RADIUS accounting service for 802.1X-authenticated devices or users is not currently supported.
- Configuration changes performed using SNMP and the standard 802.1X MIB will take effect immediately.
Summary of Packet Classifiers

ACLs allow you to classify packets according to a variety of content in the packet header (such as the source address, destination address, source port number, destination port number, and others). Once classified, packet flows can be identified for more processing.

IPv4 ACLs, IPv6 ACLs, and VMaps allow you to classify packets based on the following packet attributes:

- Ethernet header options (for IPv4 ACLs and VMaps only)
  - Source MAC address
  - Destination MAC address
  - VLAN number and mask
  - Ethernet type (ARP, IP, IPv6, MPLS, RARP, etc.)
  - Ethernet Priority (the IEEE 802.1p Priority)
- IPv4 header options (for IPv4 ACLs and VMaps only)
  - Source IPv4 address and subnet mask
  - Destination IPv4 address and subnet mask
  - Type of Service value
  - IP protocol number or name as shown in Table 11

    Table 11. Well-Known Protocol Types

      Number   Protocol Name
               icmp
               igmp
               ospf
               vrrp

- IPv6 header options (for IPv6 ACLs only)
Assigning Individual ACLs to a Port

Once you configure an ACL, you must assign the ACL to the appropriate ports. Each port can accept multiple ACLs, and each ACL can be applied to multiple ports. ACLs can be assigned individually.

To assign an individual ACL to a port, use the following IP Interface Mode commands:

  RS 8264CS(config)# interface port <port>
  RS 8264CS(config-if)# access-control list <IPv4 ACL number>
  RS 8264CS(config-if)# access-control list6 <IPv6 ACL number>

When multiple ACLs are assigned to a port, higher-priority ACLs are considered first, and their action takes precedence over lower-priority ACLs. ACL order of precedence is discussed in the next section.

ACL Order of Precedence

When multiple ACLs are assigned to a port, they are evaluated in numeric sequence, based on the ACL number. Lower-numbered ACLs take precedence over higher-numbered ACLs. For example, ACL 1 (if assigned to the port) is evaluated first and has top priority.

If multiple ACLs match the port traffic, only the action of the one with the lowest ACL number is applied. The others are ignored. If no assigned ACL matches the port traffic, no ACL action is applied.

ACL Metering and Re-Marking

You can define a profile for the aggregate traffic flowing through the G8264CS by ...
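The precedence rule above (lowest ACL number wins, the rest are ignored, no match means no action) is the kind of thing that is worth checking against a small model before trusting a policy. The following is an added example, not code from the Lenovo guide or from ENOS: a minimal ACL evaluator with the classifier fields from "Summary of Packet Classifiers" that matter for the demonstration. The ACL numbers, addresses and packets are constructed, and a permit rule for one host placed at a lower number than a deny for its whole subnet shows why assignment order does not matter but numbering does.

```python
"""Added example (not part of the Lenovo guide): the ACL order-of-precedence
rule in code.  ACLs assigned to a port are evaluated lowest number first; the
first match decides, later matches are ignored, and no match means no action.
ACL numbers, addresses and packets below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TCP, UDP = 6, 17


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    dst_port: Optional[int] = None


@dataclass
class Acl:
    number: int
    action: str                               # "permit" or "deny"
    src: Optional[str] = None                 # CIDR; None means any
    dst: Optional[str] = None
    protocol: Optional[int] = None            # IP protocol number
    dst_port: Optional[int] = None

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self._src = ipaddress.ip_network(self.src) if self.src else None
        self._dst = ipaddress.ip_network(self.dst) if self.dst else None

    def matches(self, pkt: Packet) -> bool:
        """Every configured field must match; unconfigured fields are wildcards."""
        if self._src and ipaddress.ip_address(pkt.src) not in self._src:
            return False
        if self._dst and ipaddress.ip_address(pkt.dst) not in self._dst:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


@dataclass
class Port:
    acls: List[Acl] = field(default_factory=list)

    def assign(self, acl: Acl) -> None:
        if any(a.number == acl.number for a in self.acls):
            raise ValueError(f"ACL {acl.number} already assigned to this port")
        self.acls.append(acl)

    def classify(self, pkt: Packet) -> Tuple[Optional[int], Optional[str]]:
        """Return (ACL number, action) of the lowest-numbered matching ACL,
        independent of the order in which the ACLs were assigned."""
        for acl in sorted(self.acls, key=lambda a: a.number):
            if acl.matches(pkt):
                return acl.number, acl.action
        return None, None


def build_sample_port() -> Port:
    """Constructed policy: one host is permitted SSH, its subnet is otherwise
    denied SSH, and Telnet is denied from anywhere.  Assigned deliberately out
    of numeric order."""
    port = Port()
    port.assign(Acl(5, "deny", protocol=TCP, dst_port=23))
    port.assign(Acl(2, "deny", src="10.0.0.0/24", protocol=TCP, dst_port=22))
    port.assign(Acl(1, "permit", src="10.0.0.5/32", protocol=TCP, dst_port=22))
    return port
```

Had the permit for the single host been numbered above the subnet deny, the host would be blocked even though a matching permit exists: precedence is decided by number alone, which is why exceptions must be given lower numbers than the broad rules they carve out of.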
ACL Port Mirroring

For IPv4 ACLs and VMaps, packets that match the filter can be mirrored to another switch port for network diagnosis and monitoring. The source port for the mirrored packets cannot be a portchannel, but may be a member of a portchannel. The destination port to which packets are mirrored must be a physical port. The action (permit, drop, etc.) of the ACL or VMap must be configured before assigning it to a port.

Use the following commands to add mirroring to an ACL:

For IPv4 ACLs:

  RS 8264CS(config)# access-control list <ACL number> mirror port <destination port>

The ACL must also be assigned to its target ports as usual (see "Assigning Individual ACLs to a Port" on page 120).

For VMaps (see "VLAN Maps" on page 128):

  RS 8264CS(config)# access-control vmap <VMap number> mirror port <monitor destination port>

See the configuration example on page 129.

Viewing ACL Statistics

ACL statistics display how many packets have "hit" (matched) each ACL. Use ...
Rate Limiting Behavior

Because ACL logging can be CPU-intensive, logging is rate-limited. By default, the switch will log only 10 matching packets per second. This pool is shared by all log-enabled ACLs. The global rate limit can be changed as follows:

  RS 8264CS(config)# access-control log rate-limit <1-1000>

where the limit is specified in packets per second.

Log Interval

For each log-enabled ACL, the first packet that matches the ACL initiates an immediate message in the system log. Beyond that, additional matches are subject to the log interval. By default, the switch will buffer ACL log messages for a period of 300 seconds. At the end of that interval, all messages in the buffer are written to the system log. The global interval value can be changed as follows:

  RS 8264CS(config)# access-control log interval <5-600>

where the interval rate is specified in seconds.

In any given interval, packets that have identical log information are condensed into a single message. However, the packet count shown in the ACL log message represents only the logged messages, which, due to rate-limiting, may be significantly less than the number of packets actually matched by the ACL.

Also, the switch is limited to 64 different ACL log messages in any interval. Once the threshold is reached, the oldest message will be discarded in favor of the new message, and an overflow message will be added to the system log.

ACL Logging Limitations

ACL logging reserves packet queue 1 for internal use. Features that allow remapping packet queues (such as CoPP) may not behave as expected if other packet flows are reconfigured to use queue 1.
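The interaction between the shared 10 packets-per-second pool, the immediate first message, the 300-second condensation interval and the 64-message cap determines what an analyst actually sees in syslog. The following added example (not code from the Lenovo guide or from ENOS) models those four rules so the effect can be measured on constructed traffic; the message wording and the sample matches are constructed, and the model assumes the rate limit is applied per wall-clock second before a packet is considered for logging.

```python
"""Added example (not part of the Lenovo guide): a model of the ACL logging
behaviour described above (a rate-limit pool shared across all log-enabled
ACLs, an immediate first message per ACL, condensation of identical log
information over the interval, and a cap of 64 distinct messages with an
overflow notice).  Log-record wording and sample packets are constructed."""
from collections import OrderedDict
from typing import List, Tuple


class AclLogger:
    def __init__(self, rate_limit=10, interval=300, max_messages=64):
        if not 1 <= rate_limit <= 1000:
            raise ValueError("rate-limit must be 1-1000 packets per second")
        if not 5 <= interval <= 600:
            raise ValueError("interval must be 5-600 seconds")
        self.rate_limit, self.interval, self.max_messages = rate_limit, interval, max_messages
        self.window = (None, 0)         # (second, packets logged in that second)
        self.seen_acls = set()          # ACLs that already produced their first message
        self.buffer = OrderedDict()     # (acl, info) -> condensed count, oldest first
        self.overflow = False
        self.interval_start = None
        self.syslog: List[str] = []     # what actually reaches the system log

    def _rate_limited(self, t: float) -> bool:
        """Shared pool: at most rate_limit logged packets per wall-clock second."""
        second = int(t)
        if self.window[0] != second:
            self.window = (second, 0)
        if self.window[1] >= self.rate_limit:
            return True
        self.window = (second, self.window[1] + 1)
        return False

    def match(self, acl: int, info: str, t: float) -> str:
        """Called for each packet that hits a log-enabled ACL.  Returns what
        happened to it: 'immediate', 'buffered' or 'rate-limited'."""
        if self.interval_start is None:
            self.interval_start = t
        elif t - self.interval_start >= self.interval:
            self.flush(t)
        if self._rate_limited(t):
            return "rate-limited"
        if acl not in self.seen_acls:
            self.seen_acls.add(acl)
            self.syslog.append(f"ACL {acl} first match: {info}")
            return "immediate"
        key = (acl, info)
        if key in self.buffer:
            self.buffer[key] += 1           # identical log information is condensed
        else:
            if len(self.buffer) >= self.max_messages:
                self.buffer.popitem(last=False)   # discard the oldest message
                self.overflow = True
            self.buffer[key] = 1
        return "buffered"

    def flush(self, t: float) -> List[str]:
        """End of interval: write condensed messages (and an overflow notice) to syslog."""
        lines = [f"ACL {acl} matched {count} logged packet(s): {info}"
                 for (acl, info), count in self.buffer.items()]
        if self.overflow:
            lines.append(f"ACL log buffer overflow: more than {self.max_messages} "
                         "distinct messages in interval")
        self.syslog.extend(lines)
        self.buffer.clear()
        self.overflow = False
        self.interval_start = t
        return lines


def burst_demo() -> Tuple[int, int, int, List[str]]:
    """Constructed burst: 25 identical matches in one second from ACL 3 give
    1 immediate message, 9 buffered packets and 15 rate-limited ones; the
    flushed message counts only the 9 logged packets, not the 25 matched."""
    logger = AclLogger()
    results = [logger.match(3, "src 10.0.0.7 dst 10.1.1.1 tcp/22", 100.0 + i * 0.01)
               for i in range(25)]
    flushed = logger.flush(400.0)
    return (results.count("immediate"), results.count("buffered"),
            results.count("rate-limited"), flushed)
```

The practical reading: an ACL log count is a lower bound on matches, and under a sustained hit rate the ACL hit counters ("Viewing ACL Statistics") are the reliable source for volume, with the log used only to confirm that a given flow was seen.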
ACL Example 3

Use this configuration to block traffic from a specific IPv6 source address. All traffic that ingresses in port 2 with source IP from class 2001:0:0:5:0:0:0:2/128 is denied.

1. Configure an Access Control List.

  RS 8264CS(config)# access-control list6 3 ipv6 source-address 2001:0:0:5:0:0:0:2 128
  RS 8264CS(config)# access-control list6 3 action deny

2. Add ACL 3 to port 2.

  RS 8264CS(config)# interface port 2
  RS 8264CS(config-if)# access-control list6 3
  RS 8264CS(config-if)# exit

ACL Example 4

Use this configuration to deny all ARP packets that ingress a port.
VLAN Maps

A VLAN map (VMap) is an ACL that can be assigned to a VLAN or VM group rather than to a switch port as with IPv4 ACLs. This is particularly useful in a virtualized environment where traffic filtering and metering policies must follow virtual machines (VMs) as they migrate between hypervisors.

Note: VLAN maps for VM groups are not supported simultaneously on the same ports as vNICs (see Chapter 14, "Virtual NICs").

The G8264CS supports up to 128 VMaps. Individual VMap filters are configured in the same fashion as IPv4 ACLs, except that VLANs cannot be specified as a filtering criterion (unnecessary, since the VMap is assigned to a specific VLAN or associated with a VM group VLAN).

VMaps are configured using the following ISCLI configuration command path:

  RS 8264CS(config)# access-control vmap <VMap ID> ?
    action         Set filter action
    egress-port    Set to filter for packets egressing this port
    ethernet       Ethernet header options
    ipv4           IP version 4 header options
    meter          ACL metering configuration
    mirror...
Using Storm Control Filters

Excessive transmission of broadcast or multicast traffic can result in a network storm. A network storm can overwhelm your network with constant broadcast or multicast traffic, and degrade network performance. Common symptoms of a network storm are denial-of-service (DoS) attacks, slow network response times, and network operations timing out.

The G8264CS provides filters that can limit the number of the following packet types transmitted by switch ports:

- Broadcast packets
- Multicast packets
- Unknown unicast packets (destination lookup failure)

Unicast packets whose destination MAC address is not in the Forwarding Database are unknown unicasts. When an unknown unicast is encountered, the switch handles it like a broadcast packet and floods it to all other ports in the VLAN (broadcast domain). A high rate of unknown unicast traffic can have the same negative effects as a broadcast storm.

Configure broadcast filters on each port that requires broadcast storm control. Set a threshold that defines the total number of broadcast packets transmitted (0-2097151), in packets per second. When the threshold is reached, no more packets of the specified type are transmitted.

To filter broadcast packets on a port, use the following commands:

  RS 8264CS(config)# interface port 1
  RS 8264CS(config-if)# storm-control broadcast level rate <packets per second>

To filter multicast packets on a port, use the following commands: ...
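The classification step is what makes storm control effective against unknown-unicast floods as well as broadcast ones, so it is worth seeing both the classification and the per-second threshold in one place. The following is an added example, not code from the Lenovo guide or from ENOS: a model of one port's storm-control filters that classifies by destination MAC and forwarding-database lookup and enforces the per-type packets-per-second level. The FDB contents, thresholds and frames are constructed; the per-second counting window and the treatment of a missing level as "no filter" are assumptions of the model.

```python
"""Added example (not part of the Lenovo guide): a model of the per-port storm
control filter described above.  Frames are classified as broadcast, multicast,
unknown unicast (destination MAC not in the forwarding database) or known
unicast, and a per-second threshold is enforced per filtered type.  The FDB,
thresholds and frames below are constructed sample data."""
from typing import Dict, Optional, Tuple

MAX_RATE = 2097151                      # packets per second, upper bound from the guide
FILTERED_TYPES = ("broadcast", "multicast", "unknown-unicast")


def frame_kind(dst_mac: str, vlan: int, fdb: Dict[Tuple[int, str], int]) -> str:
    """Classify by destination MAC: ff:ff:ff:ff:ff:ff is broadcast, a set
    least-significant bit in the first octet is multicast, and a unicast
    address absent from the FDB for that VLAN is an unknown unicast (which the
    switch would flood like a broadcast)."""
    mac = dst_mac.lower()
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(mac.split(":")[0], 16) & 1:
        return "multicast"
    return "known-unicast" if (vlan, mac) in fdb else "unknown-unicast"


class StormControlPort:
    def __init__(self, fdb, thresholds: Dict[str, Optional[int]]):
        """thresholds: type -> packets per second, or None when no filter is set."""
        for kind, rate in thresholds.items():
            if kind not in FILTERED_TYPES:
                raise ValueError("no storm-control filter for " + kind)
            if rate is not None and not 0 <= rate <= MAX_RATE:
                raise ValueError(f"level must be 0-{MAX_RATE}")
        self.fdb, self.thresholds = fdb, thresholds
        self.counts: Dict[Tuple[str, int], int] = {}   # (kind, second) -> packets sent
        self.dropped: Dict[str, int] = {k: 0 for k in FILTERED_TYPES}

    def transmit(self, dst_mac: str, vlan: int, t: float) -> Tuple[str, bool]:
        """Return (kind, forwarded).  Once the level for a kind is reached in the
        current second, further frames of that kind are not transmitted."""
        kind = frame_kind(dst_mac, vlan, self.fdb)
        limit = self.thresholds.get(kind)
        if kind == "known-unicast" or limit is None:
            return kind, True
        key = (kind, int(t))
        sent = self.counts.get(key, 0)
        if sent >= limit:
            self.dropped[kind] += 1
            return kind, False
        self.counts[key] = sent + 1
        return kind, True


def storm_demo() -> Dict[str, int]:
    """Constructed burst inside one second: 5 broadcasts, 3 unknown unicasts and
    2 known unicasts against a broadcast level of 3 and an unknown-unicast
    level of 2 (multicast unfiltered)."""
    fdb = {(10, "00:11:22:33:44:55"): 7}          # VLAN 10 host learned on port 7
    port = StormControlPort(fdb, {"broadcast": 3, "unknown-unicast": 2, "multicast": None})
    forwarded = {"broadcast": 0, "unknown-unicast": 0, "known-unicast": 0}
    frames = ["ff:ff:ff:ff:ff:ff"] * 5 + ["00:aa:bb:cc:dd:ee"] * 3 + ["00:11:22:33:44:55"] * 2
    for i, mac in enumerate(frames):
        kind, ok = port.transmit(mac, 10, 5.0 + i * 0.05)
        forwarded[kind] += ok
    forwarded["dropped"] = sum(port.dropped.values())
    return forwarded
```

The known-unicast frames pass untouched whatever the levels are, which is the property that lets a tight broadcast and unknown-unicast level be applied on access ports without affecting normal learned traffic.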
Chapter 8. VLANs This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs commonly are used to split up groups of network