Lenovo Networking OS 10.3 Application...
Lenovo Network
Application Guide for Lenovo Cloud Network Operating System 10.3

Note: Before using this information and the product it supports, read the general information in the Safety information and Environmental Notices and User Guide documents on the Lenovo Documentation CD, and the Warranty Information document that comes with the product.
First Edition (February 2017)
Copyright Lenovo 2017. Portions Copyright IBM Corporation 2014.
LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant a General Services Administration GSA contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS35F05925.
Lenovo and the Lenovo logo are trademarks of Lenovo in the United States, other countries, or both.
Copyright Lenovo 2017
Contents

Preface
Who Should Use This Guide
Application Guide Overview
Additional References
Typographic Conventions
ISCLI Command Modes
Command Line Interface Shortcuts
CLI List and Range Inputs
Command Abbreviation
Tab Completion
Line Editing

Part 1: Getting Started

Chapter 1. Switch Administration
Administration Interfaces
Industry Standard Command Line Interface
Establishing a Connection
Using the Switch Management Interface
Using the Switch Ethernet Ports
Using Telnet
Using Secure Shell
Using SSH with Password Authentication
Using SSH with Server Key Authentication
Using Simple Network Management Protocol
Zero Touch Provisioning
DHCP Discovery
ZTP Boot File
Forcedly enabling or disabling ZTP
DHCP IP Address Services
DHCP Client Configuration
DHCPv4 Hostname Configuration (Option 12)
DHCPv4 Syslog Server (Option 7)
DHCPv4 NTP Server (Option 42)
DHCPv4 Vendor Class Identifier (Option 60)
DHCP Relay Agent
DHCPv4 Option 82
Switch Login Levels
Ping
Ping Configurable Parameters
Test Interruption
Ping Count
Ping Packet Interval
Ping Packet Size
Ping Source
Ping DF Bit
Ping Timeout
Ping VRF
Ping Interactive Mode
Traceroute
Traceroute Configurable Parameters
Test Interruption
Traceroute Source
Traceroute VRF
Traceroute Interactive Mode
Network Time Protocol
NTP Synchronization Retry
NTP Client and Peer
NTP Authentication Field Encryption Key
NTP Polling Intervals
NTP Preference
Dynamic and Static NTP Servers
NTP Authentication
NTP Authentication Configuration Example
System Logging
Syslog Outputs
Syslog Severity Levels
Syslog Time Stamping
Syslog Rate Limit
Syslog Servers
Console Logging Flood Control
Duplicate Syslog Message Suppression
Idle Disconnect
Python Scripting
REST API Programming

Chapter 2. System License Keys
Obtaining License Keys
Installing License Keys
Uninstalling License Keys
Transferring License Keys
ONIE License Key

Chapter 3. Switch Software Management
Installing New Software to Your Switch
Installing System Images from a Remote Server
Installing System Images from a USB Device
Installing U-boot from a Remote Server
Installing U-boot from a USB Device
Selecting a Software Image to Run
Reloading the Switch
Copying Configuration Files
Copy Configuration Files via a Remote Server
Copy Configuration Files to a USB Device
Resetting the Switch to the Factory Defaults
Reloading the ENOS Image
Reload the ENOS Image on the G8296 and the G8332
Reload the ENOS Image on the G8272
The Boot Management Menu
Boot Recovery Mode
Recover from a Failed Image Upgrade using TFTP
Recovering from a Failed Image Upgrade using XModem Download
Physical Presence
ONIE submenu
ONIE
Installing ONIE from a USB Device
Installing ONIE from a Remote Server
Booting in ONIE Mode
Booting in ONIE Install Mode
Booting in ONIE Uninstall Mode
Booting in ONIE Update Mode
Booting in ONIE Rescue Mode

Part 2: Securing the Switch

Chapter 4. Securing Administration
Secure Shell and Secure Copy
SSH Encryption and Authentication
Generating RSA/DSA Host Key for SSH Access
SSH Integration with TACACS+ Authentication
Configuring SSH on the Switch
Using SSH Client Commands
To Log Onto the Switch
Using Secure Copy
Copying a File Using SCP
Copying the Startup Configuration Using SCP
Copying the Running Configuration Using SCP
Copying Technical Support Files Using SCP
End-user Access Control
Considerations for Configuring End-user Accounts
Strong Passwords
User Access Control
Setting up Users
Defining a User's Access Level
Deleting a User
The Default User
Password History Checking
Administrator Password Recovery

Chapter 5. AAA Protocols
RADIUS
RADIUS Basics
How RADIUS Authentication Works
RADIUS Authentication Features in Cloud NOS
Switch User Accounts
RADIUS Attributes for Cloud NOS User Privileges
Configuring RADIUS on the Switch
TACACS+
TACACS+ Basics
How TACACS+ Authentication Works
TACACS+ Authentication Features in Cloud NOS
Authorization
Accounting
Configuring TACACS+ Authentication on the Switch
Authentication, Authorization, and Accounting
AAA Groups
Group Lists
Configuring AAA Groups
Authentication
Configuring AAA Authentication
Authorization
Configuring AAA Authorization
Accounting
Configuring AAA Accounting

Chapter 6. Access Control Lists
Supported ACL Types
Summary of Packet Classifiers
Summary of ACL Actions
Configuring Port ACLs (PACLs)
Configuring Router ACLs (RACLs)
Configuring VLAN ACLs (VACLs)
VACL Configuration Example
Configuring Management ACLs (MACLs)
ACL Order of Precedence
Creating and Modifying ACLs
Creating an IPv4 ACL
Removing an IPv4 ACL
Resequencing an IPv4 ACL
Creating a MAC ACL
Removing a MAC ACL
Resequencing a MAC ACL
Creating an ARP ACL
Removing an ARP ACL
Resequencing an ARP ACL
Viewing ACL Rule Statistics
ACL Configuration Examples
ACL Example 1
ACL Example 2
ACL Example 3
ACL Example 4
ACL Example 5
ACL Example 6

Part 3: Switch Basics

Chapter 7. Interface Management
Interface Management Overview
Management Interface
Virtual Routing and Forwarding
Physical Ports
G8272 Physical Port Capabilities
G8296 Physical Port Capabilities
G8332 Physical Port Capabilities
CLI Port Format
Port Aggregation
Loopback Interfaces
Switch Virtual Interfaces
Basic Interface Configuration
Interface Description
Interface Duplex
Interface MAC Address
Interface Maximum Transmission Unit
Interface Shutdown
Interface Speed
Flow Control
Storm Control

Chapter 8. Forwarding Database
MAC Learning
Static MAC addresses
Aging Time

Chapter 9. VLANs
VLAN Overview
VLAN Configuration
Creating a VLAN
Deleting a VLAN
Configuring the State of a VLAN
Configuring the Name of a VLAN
Configuring a Switch Access Port
Configuring the Access VLAN
Configuring a Switch Trunk Port
Configuring the Allowed VLAN List
Configuring the Native VLAN
Native VLAN Tagging
Configuring Native VLAN Tagging
Port VLAN ID Ingress Tagging
Configuring PVID Ingress Tagging
IPMC Flooding
VLAN Topologies and Design Considerations
Multiple VLANs with Trunk Mode Adapters
VLAN Configuration Example

Chapter 10. Ports and Link Aggregation
Port Configuration Profiles
G8272 Port Configuration
G8296 Port Configuration
G8332 Port Configuration
Aggregation Overview
Creating a LAG
Static LAGs
Static LAG Configuration Rules
Configuring a Static LAG
Link Aggregation Control Protocol
Configuring LACP
System Priority
Port Priority
LACP Timeout
LACP Individual
LACP Configuration Example
LAG Hashing
LAG Hashing Configuration

Chapter 11. Spanning Tree Protocol
STP Overview
Bridge Protocol Data Units
Determining the Path for Forwarding BPDUs
BPDU Guard
BPDU Filter
Root Guard
Loop Guard
Port Priority
Port Path Cost
Error Disable Recovery
Port Type and Link Type
Edge Port
Link Type
Rapid Per VLAN Spanning Tree Plus
Rapid PVST+ Parameters
Bridge Priority
Port Priority
Port Path Cost
Forward Delay
Hello Timer
Maximum Age Interval
Rapid PVST+ Configuration
Multiple Spanning Tree Protocol
Common Internal Spanning Tree
Port States
MST Region
MSTP Parameters
Hop Count
Forward Delay
Hello Timer
Maximum Age Interval
Bridge Priority
Port Priority
Port Path Cost
MSTP Configuration
MSTP Configuration Example

Chapter 12. Virtual Link Aggregation Groups
vLAG Overview
vLAG Capacities
vLAG Benefits
vLAG Synchronization Mechanism
vLAG System MAC
vLAG and LACP Individual
vLAG and LACP System Priority
vLAG LACP Misconfigurations or Cabling Errors
FDB Synchronization
vLAG and STP
vLAG and VRRP
vLAG VRRP Passive Mode (Half Active-Active)
vLAG VRRP Active Mode (Full Active-Active)
vLAG Configuration Consistency Check
vLAG and IGMP Snooping
Multicast Router Synchronization
IGMP Groups Synchronization
IGMP Querier Synchronization
vLAG Peer Gateway
vLAGs versus regular LAGs
Configuring vLAGs
vLAG ISL
vLAG Role Election
vLAG Instance
FDB Refresh
vLAG Tier ID
vLAG Startup Delay
vLAG Auto-recovery
Health Check
Basic Health Check Configuration Example
Basic vLAG Configuration Example
Configuring the ISL
Configuring the vLAG
vLAG Configuration VLANs Mapped to a MST Instance
Configuring the ISL
Configuring the vLAG
Configuring vLAGs in Multiple Layers
Task 1: Configure Layer 2/3 Border Region
Configuring Border Router 1
Configuring Border Router 2
Task 2: Configure switches in the Layer 2 region
Configuring Switch A
Configuring Switch B
Configuring Switches C and D
Configuring Switch E
Configuring Switch F

Chapter 13. Quality of Service
QoS Overview
Class Maps
QoS Classification Types
Using ACL Filters
Using Class of Service Filters
Using DiffServ Code Point (DSCP) Filters
Using TCP/UDP Port Filters
Using Precedence Filters
Using Protocol Filters
Queuing Classification Types
Class Map Configuration Examples
QoS Class Map Configuration Example
Queueing Class Map Configuration Example
Policy Maps
Ingress Policing
Defining Single-Rate and Dual-Rate Policers
Marking
Queuing Policing
Bandwidth
Shaping
Priority
Policy Map Configuration Example
QoS Policy Map Configuration Example
Queuing Policy Map Configuration Example
Control Plane Protection
Control Plane Configuration Examples
WRED
Configuring WRED
WRED Configuration Example
Interface Service Policy
Limitations
Microburst Detection

Chapter 14. CEE
RoCE and iSCSI
RoCE Requirements
Converged Enhanced Ethernet
Turning CEE On or Off
Effects on Link Layer Discovery Protocol
Effects on 802.1p Quality of Service
Effects on Flow Control
Priority-Based Flow Control
PFC Configuration
PFC Configuration Example
Enhanced Transmission Selection
802.1p Priority Values
Priority Groups
PGID
Assigning Priority Values to a Priority Group
Allocating Bandwidth
Configuring ETS
Data Center Bridging Capability Exchange
DCBX Modes
DCBX Settings
Enabling and Disabling DCBX
Peer Configuration Negotiation
Configuring DCBX
CEE Configuration Examples
CEE Example 1
CEE Example 2

Part 4: IP Routing

Chapter 15. Basic IP Routing
IP Routing
Direct and Indirect Routing
Static Routing
Dynamic Routing
Default Gateway
Virtual Routing and Forwarding
Routing Information Base
Routes with Indirect Nexthops
Bidirectional Forwarding Detection
BFD Asynchronous Mode
BFD Echo Mode
BFD Peer Support
BFD Static Routes
BFD Authentication
Generalized TTL Security Mechanism
BFD and BGP
BFD and OSPF
Routing Between IP Subnets
Example of Subnet Routing
Using VLANs to Segregate Broadcast Domains
Configuration Example
ECMP Static Routes
RIB Support for ECMP Routes
ECMP Hashing
Configuring ECMP Static Routes
Dynamic Host Configuration Protocol
Internet Control Message Protocol
ICMP Redirects
ICMP Port Unreachable
ICMP Unreachable (except Port)

Chapter 16. Routed Ports
Routed Ports Overview
Configuring a Routed Port
Configuring OSPF on Routed Ports
OSPF Configuration Example

Chapter 17. Address Resolution Protocol
ARP Overview
ARP Aging Timer
ARP Inspection
Static ARP Entries
Static ARP Configuration Example
ARP Entry States
ARP Table Refresh

Chapter 18. Internet Protocol Version 6
IPv6 Address Format
IPv6 Address Types
Unicast Address
Multicast
Anycast
IPv6 Interfaces
Neighbor Discovery
Neighbor Discovery Overview
Router
Supported Applications
Configuration Guidelines
IPv6 Configuration Examples
IPv6 Example 1
IPv6 Example 2
IPv6 Limitations

Chapter 19. Internet Group Management Protocol
IGMP Terms
How IGMP Works
IGMP Capacity and Default Values
IGMP Snooping
IGMPv3 Snooping
Spanning Tree Topology Change
IGMP Querier
Querier Election
Multicast Router Discovery
IGMP Query Messages
IGMP Groups
IGMP Snooping Configuration Guidelines
IGMP Snooping Configuration Example
Advanced IGMP Snooping Configuration Example
Prerequisites
Configuration
Switch A Configuration
Switch B Configuration
Switch C Configuration
Troubleshooting
Additional IGMP Features
Report Suppression
Robustness Variable
Fast Leave
Static Multicast Router

Chapter 20. Border Gateway Protocol
BGP Overview
BGP Router Identifier
Internal Routing Versus External Routing
Route Reflector
Route Reflection Configuration Example
Restrictions
Forming BGP Peer Routers
BGP Peers and Dynamic Peers
Static Peers
Dynamic Peers
Loopback Interfaces
What is a Route Map?
Next Hop Peer IP Address
Incoming and Outgoing Route Maps
Precedence
Configuration Overview
Aggregating Routes
Redistributing Routes
BGP Communities
BGP Community
BGP Extended Community
BGP Confederation
BGP Path Attributes
Well-Known Mandatory
Well-Known Discretionary
Optional Transitive
Optional Non-Transitive
Best Path Selection Logic
BGP Best Path Selection
BGP Weight
Local Preference
Metric (Multi-Exit Discriminator) Attribute
Next Hop
Best Path Selection Tuning
BGP ECMP
BGP Features and Functions
AS Path Filter
BGP Capability Code
Administrative Distance
TTL Security Check
Local AS
BGP Authentication
Originate Default Route
IP Prefix List Filter
Dynamic Capability
BGP Graceful Restart
BGP Damping
Soft Reconfiguration Inbound
BGP Route Refresh
BGP Multiple Address Families
BGP and BFD
BGP Next Hop Tracking
BGP Tuning
BGP Failover Configuration
Default Redistribution and Route Aggregation Example
Designing a Clos Network Using BGP
Clos Network BGP Configuration Example
Configure Fabric Switch SF1
Configure Spine Switch SP11
Configure Leaf Switch LP11

Chapter 21. Open Shortest Path First
OSPFv2 Overview
Types of OSPF Areas
Types of OSPF Routing Devices
Neighbors and Adjacencies
The Link State Database
The Shortest Path First Tree
Internal Versus External Routing
OSPFv2 Implementation in Cloud NOS
Configurable Parameters
Defining Areas
Using the Area ID to Assign the OSPF Area Number
Attaching an Area to a Network
Interface Cost
Electing the Designated Router and Backup
Summarizing Routes
Default Routes
Virtual Links
Router ID
Authentication
Configuring Plain Text OSPF Passwords
Configuring MD5 Authentication
Loopback Interfaces in OSPF
Graceful Restart Helper
OSPF and BFD
OSPFv2 Configuration Examples
Example 1: Simple OSPF Domain
Example 2: Virtual Links
Configuring OSPF for a Virtual Link on Switch 1
Configuring OSPF for a Virtual Link on Switch 2
Other Virtual Link Options
Example 3: Summarizing Routes
Verifying OSPF Configuration

Chapter 22. Route Maps
Route Maps Overview
Permit and Deny Rules
Match and Apply Clauses
Route Maps Configuration Example

Part 5: High Availability Fundamentals

Chapter 23. Basic Redundancy
Aggregating for Link Redundancy
Virtual Link Aggregation

Chapter 24. Virtual Router Redundancy Protocol
VRRP Overview
VRRP Components
Virtual Router
Virtual Router MAC Address
Owners and Renters
Master and Backup Virtual Router
Virtual Interface Router
Assigning VRRP Virtual Router ID
VRRP Operation
Selecting the Master VRRP Router
Failover Methods
Active-Active Redundancy
Cloud NOS Extensions to VRRP
VRRP Advertisement Interval and Sub-second Failover
Interface Tracking
Switch Back Delay
Backward Compatibility with VRRPv2
VRRP Accept Mode
VRRP Preemption
VRRP Priority
IPv6 VRRP
Virtual Router Deployment Considerations
Configuring the Switch for Tracking
Basic VRRP Configuration
High Availability Configuration
VRRP High Availability Using Multiple VIRs
Task 1: Configure Switch 1
Task 2: Configure Switch 2

Part 6: Network Management

Chapter 25. Link Layer Discovery Protocol
LLDP Overview
Enabling or Disabling LLDP
Transmit and Receive Control
LLDP Transmit Features
Scheduled Interval
Minimum Interval
Time to Live for Transmitted Information
Trap Notifications
Changing the LLDP Transmit State
Types of Information Transmitted
LLDP Receive Features
Types of Information Received
Time to Live for Received Information
Viewing Remote Device Information
Debugging LLDP
LLDP Debugging Types
LLDP Example Configuration

Chapter 26. Service Location Protocol
SLP Agents Communication
SLP Specific Messages
SLP Supported Service Attributes
SLP Configuration

Chapter 27. Simple Network Management Protocol
SNMP Versions
SNMP Version 1 & Version 2
SNMP Version 3
SNMP Protocol Details
SNMP Notifications
SNMP Device Contact and Location
One-Time Authentication for SNMP over TCP
Default Configuration
Configuration Examples
Basic SNMP Configuration Example
User Configuration Example
Configuring SNMP Trap Hosts
SNMP MIBs

Part 7: Monitoring

Chapter 28. Port Mirroring
Port Mirroring Overview
SPAN Configuration
Sources
Destinations
Sessions
Configuration Example
ERSPAN Configuration
Session Types
Sources
Destinations
ERSPAN Source Session Configuration Example
ERSPAN Destination Session Configuration Example
Limitations

Part 8: Appendices

Appendix A. Getting help and technical assistance

Appendix B. Notices
Trademarks
Important Notes
Recycling Information
Particulate Contamination
Telecommunication Regulatory Statement
Electronic Emission Notices
Federal Communications Commission (FCC) Statement
Industry Canada Class A Emission Compliance Statement
Avis de Conformité à la Réglementation d'Industrie Canada
Australia and New Zealand Class A Statement
European Union Compliance to the Electromagnetic Compatibility Directive
Germany Class A Statement
Japan VCCI Class A Statement
Japan Electronics and Information Technology Industries Association
-
18 Application Guide for CNOS 10.3
(JEITA) Statement......................... 563KoreaCommunicationsCommission(KCC)Statement......... 563RussiaElectromagneticInterference(EMI)ClassAstatement ...... 563PeoplesRepublicofChinaClassAelectronicemissionstatement.... 563TaiwanClassAcompliancestatement................ 563
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
-
Copyright Lenovo 2017 19
Preface
This Application Guide describes how to configure and use the Lenovo Cloud Network Operating System 10.3 software on the following Lenovo RackSwitches:
Lenovo RackSwitch G8272. For documentation on installing the switch physically, see the Lenovo RackSwitch G8272 Installation Guide.
Lenovo RackSwitch G8296. For documentation on installing the switch physically, see the Lenovo RackSwitch G8296 Installation Guide.
Lenovo RackSwitch G8332. For documentation on installing the switch physically, see the Lenovo RackSwitch G8332 Installation Guide.
Who Should Use This Guide
This guide is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, Spanning Tree Protocol, and SNMP configuration parameters.
Application Guide Overview
This guide will help you plan, implement, and administer the Cloud NOS (CNOS) software. Where possible, each section provides feature overviews, usage examples, and configuration instructions. The following material is included:
Part 1: Getting Started
This material is intended to help those new to CNOS products with the basics of switch management. This part includes the following chapters:
Chapter 1, "Switch Administration," describes how to access the switch to configure the switch, and view switch information and statistics. This chapter discusses a variety of manual administration interfaces, including local management via the switch console, and remote administration via Telnet or Secure Shell.
Chapter 2, "System License Keys," describes how to install additional features on the switch.
Chapter 3, "Switch Software Management," describes how to update the CNOS software operating on the switch and how to convert from CNOS to ENOS.
Part 2: Securing the Switch
This material contains information about implementing security protocols on the switch. This part includes the following chapters:
Chapter 4, "Securing Administration," describes methods for using Secure Shell for administration connections, and configuring end-user access control.
Chapter 5, "AAA Protocols," describes different secure administration methods for remote administrators. This includes using RADIUS, Terminal Access Controller Access-Control System Plus (TACACS+) and Authentication, Authorization, and Accounting (AAA).
Chapter 6, "Access Control Lists," describes how to use filters to permit or deny specific types of traffic, based on a variety of source, destination, and packet attributes.
Part 3: Switch Basics
This material contains information about setting up features on the switch. This part includes the following chapters:
Chapter 7, "Interface Management," describes how to configure the switch interfaces, like the ethernet or management ports.
Chapter 8, "Forwarding Database," describes how a Layer 2 device can be configured to learn and store MAC addresses and their corresponding ports.
Chapter 9, "VLANs," describes how to configure Virtual Local Area Networks (VLANs) for creating separate network segments, including how to use VLAN tagging for devices that use multiple VLANs.
Chapter 10, "Ports and Link Aggregation," describes how to group multiple physical ports together to aggregate the bandwidth between large-scale network devices.
Chapter 11, "Spanning Tree Protocol," describes how to use the Rapid Per VLAN Spanning Tree Plus (Rapid PVST+) and Multiple Spanning Tree Protocol (MSTP) to build a loop-free network topology.
Chapter 12, "Virtual Link Aggregation Groups," describes using Virtual Link Aggregation Groups (VLAGs) to form LAGs spanning multiple VLAG-capable aggregator switches.
Chapter 13, "Quality of Service," discusses Quality of Service (QoS) features, including IP filtering using class maps, Differentiated Services, and IEEE 802.1p priority values.
Chapter 14, "CEE," discusses using various Converged Enhanced Ethernet (CEE) features such as Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS) and Data Center Bridging Capability Exchange (DCBX).
Part 4: IP Routing
This part includes the following chapters:
Chapter 15, "Basic IP Routing," describes how to configure the switch for IP routing using IP subnets, BFD, DHCP Relay and VRF.
Chapter 16, "Routed Ports," describes how to configure a switch port to forward Layer 3 traffic.
Chapter 17, "Address Resolution Protocol," describes how to use the Address Resolution Protocol (ARP) to map an IPv4 address to a MAC address.
Chapter 18, "Internet Protocol Version 6," describes how to configure the switch to use IPv6.
Chapter 19, "Internet Group Management Protocol," describes how CNOS implements Internet Group Management Protocol (IGMP) Snooping to conserve bandwidth in a multicast switching environment.
Chapter 20, "Border Gateway Protocol," describes Border Gateway Protocol (BGP) concepts and features supported in CNOS.
Chapter 21, "Open Shortest Path First," describes key Open Shortest Path First (OSPF) concepts and how they are implemented in CNOS, and provides examples of how to configure your switch for OSPF support.
Chapter 22, "Route Maps," describes route maps that are used to define route policy by permitting or denying certain routes based on a configured set of rules.
Part 5: High Availability Fundamentals
This part includes the following chapters:
Chapter 23, "Basic Redundancy," describes how the switch supports redundancy through LAGs and VLAGs.
Chapter 24, "Virtual Router Redundancy Protocol," describes how the switch supports high-availability network topologies using Virtual Router Redundancy Protocol (VRRP).
Part 6: Network Management
This part includes the following chapters:
Chapter 25, "Link Layer Discovery Protocol," describes how Link Layer Discovery Protocol (LLDP) helps neighboring network devices learn about each other's ports and capabilities.
Chapter 26, "Service Location Protocol," describes the Service Location Protocol (SLP) that allows the switch to provide dynamic directory services.
Chapter 27, "Simple Network Management Protocol," describes how to configure the switch for management through a Simple Network Management Protocol (SNMP) client.
Part 7: Monitoring
This part includes the following chapter:
Chapter 28, "Port Mirroring," discusses tools to copy selected port traffic to a remote monitor port for network analysis.
Part 8: Appendices
This part includes the following appendices:
Appendix A, "Getting help and technical assistance," provides details on where to go for additional information about Lenovo and Lenovo products.
Appendix B, "Notices," contains safety and environmental notices.
Additional References
Additional information about configuring the G8272, the G8296 and the G8332 is available in the following guides:
Lenovo Network Command Reference for Lenovo Cloud Network Operating System 10.3
Lenovo Network Release Notes for Lenovo Cloud Network Operating System 10.3
Lenovo Network Python Programming Guide for Lenovo Cloud Network Operating System 10.3
Lenovo Network REST API Programming Guide for Lenovo Cloud Network Operating System 10.3
Typographic Conventions
The following table describes the typographic styles used in this book.
Table 1. Typographic Conventions
Typeface or Symbol: ABC123
Meaning: This type is used for names of commands, files, and directories used within the text.
Example: View the readme.txt file.
Meaning: It also depicts on-screen computer output and prompts.
Example: Switch#
Typeface or Symbol: ABC123
Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
Example: Switch# ping
Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets.
Example: To establish a Telnet session, enter: Switch# telnet
Meaning: This also shows book titles, special terms, or words to be emphasized.
Example: Read your User's Guide thoroughly.
Typeface or Symbol: {}
Meaning: Command items shown inside brackets are mandatory and cannot be excluded. Do not type the brackets.
Example: Switch# cp {ftp|sftp}
Typeface or Symbol: []
Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
Example: Switch# configure [device]
Typeface or Symbol: |
Meaning: The vertical bar (|) is used in command examples to separate choices where multiple options exist. Select only one of the listed options. Do not type the vertical bar.
Example: Switch# cp {ftp|sftp}
Meaning: This block type depicts menus, buttons, and other controls that appear in graphical interfaces.
Example: Click the button.
ISCLI Command Modes
The ISCLI has three major command modes listed in order of increasing privileges, as follows:
User EXEC Mode: Switch>
This is the initial mode of access. By default, on console sessions password checking is disabled for this mode.
Privileged EXEC mode: Switch#
This mode is accessed from User EXEC Mode. This mode can be accessed using the following command: enable
Configuration Mode: Switch(config)#
This mode allows you to make changes to the running configuration. If you save the configuration, the settings survive a reload of the switch. Several submodes can be accessed from the User EXEC Mode. This mode can be accessed using the following command: configure [device]
Each mode provides a specific set of commands. Most lower-privilege mode commands are accessible when using a higher-privilege mode.
Note: The word Switch is a generic term used throughout the Application Guide to indicate the hostname of the switch when issuing commands. Depending on the Lenovo RackSwitch, the default CLI prompt will display either G8272, G8296 or G8332 as the hostname.
Command Line Interface Shortcuts
The following shortcuts allow you to enter commands quickly and easily.
CLI List and Range Inputs
For VLAN and port commands that allow an individual item to be selected from within a numeric range, lists and ranges of items can now be specified. For example, the vlan command permits the following options:
    Switch(config)# vlan 1,3,1094 (access VLANs 1, 3, and 1094)
    Switch(config)# vlan 1-20 (access VLANs 1 through 20)
    Switch(config)# vlan 1-5,90-99,1090-1094 (access multiple ranges)
    Switch(config)# vlan 1-5,19,20,1090-1094 (access a mix of lists and ranges)
The numbers in a range must be separated by a dash.
Multiple ranges or items are permitted using a comma.
Do not use spaces within list and range specifications.
Ranges can also be used to apply the same command option to multiple items. For example, to access multiple ports with one command:
    Switch(config)# spanning-tree mst 1-4 cost 4096 (instances 1 through 4)
Command Abbreviation
Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same mode. For example, consider the following full command:
    Switch(config)# display mac address-table interface ethernet 1/12
It can be abbreviated as follows:
    Switch(config)# disp ma ad i e 1/12
Tab Completion
By entering the first letter of a command at any prompt and pressing Tab, the ISCLI displays all available commands or options that begin with that letter. Entering additional letters further refines the list of commands or options displayed. If only one command fits the input text when Tab is pressed, that command is supplied on the command line, waiting to be entered.
If multiple commands share the typed characters, when you press Tab, the ISCLI completes the common part of the shared syntax.
Line Editing
The following keystroke commands are available for editing command lines:
Command Behavior
Moves the cursor to the beginning of the line.
Moves the cursor one character to the left.
Deletes the character at the cursor.
Moves the cursor to the end of the line.
Moves the cursor one character to the right.
Kills all text to the right of the cursor, putting it into a buffer.
Clears the screen, leaving the current line intact at the top.
Move to the next command in the command history.
Move to the previous command in the command history.
Swaps the character at the cursor with the character to the left of the cursor.
Clears all text from the command line.
Deletes from the cursor to the start of the word.
Yanks the text from the kill buffer.
Moves the cursor backwards one word.
Capitalizes the first letter of the word or the character where the cursor is pointing.
Deletes to the end of the word to the right of the cursor.
Moves the cursor forwards one word.
Changes the text to lowercase from the cursor to the end of the word.
Changes the text to uppercase from the cursor to the end of the word.
Part 1: Getting Started
This section discusses the following topics:
"Switch Administration" on page 31
"System License Keys" on page 73
"Switch Software Management" on page 79
Chapter 1. Switch Administration
Your RackSwitch is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively.
The extensive Lenovo Cloud Network Operating System for the switch provides a variety of options for accessing the switch to perform a variety of configurations and to view switch information and statistics.
This chapter discusses the various methods that can be used to administer the switch.
Administration Interfaces
Cloud NOS provides a variety of user interfaces for administration. These interfaces vary in character and in the methods used to access them. Some are text-based and some are graphical; some are available by default, while others require configuration; some can be accessed by local connection to the switch, while others are accessed remotely using various client applications. For example, administration can be performed using any of the following:
A built-in, text-based command-line interface (CLI) and menu system for switch access via a serial-port connection or an optional Telnet or SSH session
SNMP support for access through third-party commercial and open-source network management applications.
The specific interface chosen for an administrative session depends on your preferences, the switch configuration, and the available client tools.
In all cases, administration requires that the switch hardware is properly installed and turned on (see the Lenovo RackSwitch Installation Guide).
Industry Standard Command Line Interface
The Industry Standard Command Line Interface (ISCLI) provides a simple and direct method for switch administration. Using a basic terminal, you can issue commands that allow you to view detailed information and statistics about the switch, and to perform any necessary configuration and switch software maintenance.
You can establish a connection to the ISCLI in any of the following ways:
Serial connection via the serial port on the switch (this option is always available)
Telnet connection over the network
SSH connection over the network
Establishing a Connection
The factory default settings permit initial switch administration through only the built-in serial port. All other forms of access require additional switch configuration before they can be used.
Remote access using the network requires the accessing terminal to have a valid, routable connection to the switch interface. The client IP address may be configured manually, or an IP address can be provided automatically to the switch using a service such as DHCP (see "DHCP IP Address Services" on page 43). An IPv6 address can also be obtained using IPv6 stateless address configuration.
Note: Throughout this manual, IP address is used in places where either an IPv4 or IPv6 address is allowed. IPv4 addresses are entered in dotted-decimal notation (for example, 10.10.10.1), while IPv6 addresses are entered in hexadecimal notation (for example, 2001:db8:85a3::8a2e:370:7334). In places where only one type of address is allowed, IPv4 address or IPv6 address is specified.
Using the Switch Management Interface
To manage the switch through the management interface, you must configure it with an IP interface. Configure the IP address, network mask, and default gateway address:
1. Log on to the switch.
2. Enter Global Configuration mode.
    Switch> enable
    Switch# configure device
    Switch(config)#
3. Configure a management IP address and network mask:
IPv4 configuration:
    Switch(config)# interface mgmt 0
    Switch(config-if)# ip address <IPv4 address>/<prefix length>
    Switch(config-if)# no shutdown
    Switch(config-if)# exit
IPv6 configuration:
    Switch(config)# interface mgmt 0
    Switch(config-if)# ipv6 address <IPv6 address>/<prefix length>
    Switch(config-if)# no shutdown
    Switch(config-if)# exit
4. Configure the appropriate default gateway:
IPv4 configuration:
    Switch(config)# vrf context management
    Switch(config-vrf)# ip route 0.0.0.0 0.0.0.0 <default gateway IPv4 address>
    Switch(config-vrf)# exit
IPv6 configuration:
    Switch(config)# vrf context management
    Switch(config-vrf)# ipv6 route ::/0 <default gateway IPv6 address>
    Switch(config-vrf)# exit
Once you configure a management IP address for your switch, you can connect to the management port and use a Telnet or an SSH client from an external management station to access and control the switch. The management port provides out-of-band management.
Using the Switch Ethernet Ports
You also can configure in-band management through any of the switch ethernet ports. To allow in-band management, use the following procedure:
1. Log on to the switch.
2. Enter interface mode and configure an ethernet interface as a routed port.
    Switch> enable
    Switch# configure device
    Switch(config)# interface ethernet <chassis number>/<port number>
    Switch(config-if)# no bridge-port
3. Configure the interface IP address and network mask.
IPv4 configuration:
    Switch(config-if)# ip address <IPv4 address>/<prefix length>
IPv6 configuration:
    Switch(config-if)# ipv6 address <IPv6 address>/<prefix length>
4. Configure the default gateway.
IPv4 configuration:
    Switch(config)# vrf context management
    Switch(config-vrf)# ip route 0.0.0.0 0.0.0.0 <default gateway IPv4 address>
    Switch(config-vrf)# exit
IPv6 configuration:
    Switch(config)# vrf context management
    Switch(config-vrf)# ipv6 route ::/0 <default gateway IPv6 address>
    Switch(config-vrf)# exit
Once you configure the IP address and have a network connection, you can use a Telnet or an SSH client from an external management station to access and control the switch. Once the default gateway is enabled, the management station and the switch do not need to be on the same IP subnet.
The switch supports an industry standard command-line interface (ISCLI) that you can use to configure and control the switch over the network using a Telnet or an SSH client. You can use the ISCLI to perform many basic network management functions. In addition, you can configure the switch for management using an SNMP-based network management system.
For more information, see the documents listed in "Additional References" on page 24.
Using Telnet
A Telnet connection offers the convenience of accessing the switch from a workstation connected to the network. Telnet access provides the same options for user and administrator access as those available through the console port.
By default, Telnet access is disabled. Use the following command to enable or disable Telnet access:
    Switch(config)# [no] feature telnet
Once the switch is configured with an IP address and gateway, you can use Telnet to access switch administration from any workstation connected to the management network.
To establish a Telnet connection with the switch, run the Telnet client on your workstation, use Telnet as the protocol type and the switch's IP address as the hostname.
You will then be prompted to enter a password as explained in "Switch Login Levels" on page 48.
By default, Telnet uses TCP port 23 of the remote host to establish a connection from the switch. When initializing a Telnet session, you can specify the TCP port of the remote host by using the following command on the switch:
    Switch# telnet <remote host> port <TCP port>
Note: The specified port will be used only for the current Telnet session. Future sessions will not use the selected port.
By default, Telnet clients will connect to the local Telnet server using TCP port 23 on the switch. To configure the TCP port used by a Telnet client when establishing a connection to the switch, use the following command:
    Switch(config)# telnet server port <TCP port>
Using Secure Shell
Although a remote network administrator can manage the configuration of a switch via Telnet, this method does not provide a secure connection. The Secure Shell (SSH) protocol enables you to securely log into another device over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure.
By default, SSH access is enabled. Use the following command to enable or disable SSH access:
    Switch(config)# [no] feature ssh
The switch can do only one session of key/cipher generation at a time. Thus, an SSH client will not be able to log in if the switch is doing key generation at that time. Similarly, the system will fail to do the key generation if an SSH client is logging in at that time.
The supported SSH encryption and authentication methods are:
Server Host Authentication: Client RSA-authenticates the switch when starting each connection
Key Exchange: ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, ecdh-sha2-nistp224, ecdh-sha2-nistp192, rsa2048-sha256, rsa1024-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
Encryption: aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256
MAC: hmac-sha1, hmac-ripemd160, [email protected]
User Authentication: Local password authentication, TACACS+
Lenovo Cloud Network Operating System implements the SSH version 2.0 standard and is confirmed to work with SSH version 2.0-compliant clients such as the following:
OpenSSH_5.4p1 for Linux
SecureCRT Version 5.0.2 (build 1021)
PuTTY SSH release 0.60
Using SSH with Password Authentication
Once the IP parameters are configured, you can access the command line interface using an SSH connection.
To establish an SSH connection with the switch, run the SSH client on your workstation, use SSH as the protocol type and the switch's IP address as the hostname.
You will then be prompted to enter a password as explained in "Switch Login Levels" on page 48.
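The following is an added example, not part of the Lenovo guide: a Python parser for the SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) that flags legacy names among the algorithms listed under Using Secure Shell and applies the client-preference negotiation rule. The payload is constructed from the guide's list (host key type ssh-rsa and compression none are assumptions), and the flagging rules and function names are this example's own.

```python
"""Parse an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and flag legacy names."""
import re
import struct

SSH_MSG_KEXINIT = 20
FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c",
]

# Property-based rules chosen for this example: (field prefix, pattern, reason).
RULES = [
    ("encryption", re.compile(r"^arcfour"), "RC4 stream cipher"),
    ("kex", re.compile(r"sha1$"), "SHA-1 exchange hash"),
    ("kex", re.compile(r"group1-"), "1024-bit fixed DH group"),
    ("kex", re.compile(r"^rsa1024"), "1024-bit RSA key"),
    ("kex", re.compile(r"nistp(192|224)$"), "curve below 256 bits"),
]

# Names as listed in the guide (its e-mail-obfuscated third MAC entry is left out).
KEX = [
    "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp224", "ecdh-sha2-nistp192", "rsa2048-sha256",
    "rsa1024-sha1", "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour128", "arcfour256"]
MACS = ["hmac-sha1", "hmac-ripemd160"]


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialize name-lists into a KEXINIT payload (used for the constructed sample)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Return {field: [names]}; raise ValueError on a malformed payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated length for " + field)
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("name-list overruns payload: " + field)
        raw = payload[pos:pos + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += length
    if pos + 5 > len(payload):
        raise ValueError("missing trailer")
    return lists


def flag_legacy(lists):
    """Return sorted (field, name, reason) tuples for names matching a rule."""
    hits = set()
    for field, names in lists.items():
        for prefix, pattern, reason in RULES:
            if field.startswith(prefix):
                hits.update((field, n, reason) for n in names if pattern.search(n))
    return sorted(hits)


def negotiate(client_pref, server_list):
    """RFC 4253 rule: first name on the client's list that the server also offers."""
    return next((name for name in client_pref if name in server_list), None)


# Constructed sample: the server KEXINIT a switch offering the guide's list would send.
SAMPLE = build_kexinit({
    "kex_algorithms": KEX, "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_c2s": CIPHERS, "encryption_s2c": CIPHERS,
    "mac_c2s": MACS, "mac_s2c": MACS,
    "compression_c2s": ["none"], "compression_s2c": ["none"],
})

if __name__ == "__main__":
    offered = parse_kexinit(SAMPLE)
    for field, name, reason in flag_legacy(offered):
        print(f"{field:16} {name:36} {reason}")
    client = ["curve25519-sha256", "ecdh-sha2-nistp256"]
    print("negotiated kex:", negotiate(client, offered["kex_algorithms"]))
```

Because the client's preference order decides the outcome, a management station that lists only current algorithms never negotiates the flagged ones, whatever else the switch offers.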
Using SSH with Server Key Authentication
SSH can also be used for switch authentication based on asymmetric cryptography. Server encryption keys can be generated on the switch and used to authenticate incoming login attempts based on the client's private encryption key pairs. After a predefined number of failed server key authentication attempts, a login error will appear and the SSH session will be disconnected.
To set up server key authentication:
1. Disable SSH:
    Switch(config)# no feature ssh
Note: SSH settings cannot be modified if SSH is enabled.
2. Generate an SSH key:
DSA:
    Switch(config)# ssh key dsa [force]
RSA:
    Switch(config)# ssh key rsa [force]
Note: You can also configure the length of the RSA key by using the following command:
    Switch(config)# ssh key rsa length <key length>
3. Configure a maximum number of failed server key authentication attempts before the SSH session will be disconnected:
    Switch(config)# ssh login-attempts <number of attempts>
Note: The default number of failed attempts is 3.
4. Re-enable SSH:
    Switch(config)# feature ssh
Once the server key is configured on the switch, a client can use SSH to log in from a system where the private key pair is set up.
Using Simple Network Management Protocol
CNOS provides Simple Network Management Protocol (SNMP) version 1, 2, and 3 support for access through any network management software, such as Switch Center or Lenovo XClarity.
Note: The SNMP read function is enabled by default. For best security practices, if SNMP is not needed for your network, disable this function prior to connecting the switch to the network.
To access the SNMP agent on the switch, the read and write community strings on the SNMP manager must be configured to match those on the switch.
The read and write community strings on the switch can be configured using the following commands:
read-only access community string:
    Switch(config)# snmp-server community <community string> ro
read-write access community string:
    Switch(config)# snmp-server community <community string> rw
The SNMP manager must be able to reach any one of the IP interfaces on the switch.
For the SNMP manager to receive the SNMPv1 traps sent out by the SNMP agent on the switch, configure the trap host on the switch with the following command:
    Switch(config)# snmp-server host <trap host address> traps version 1
For more information on SNMP usage and configuration, see Chapter 27, "Simple Network Management Protocol."
Zero Touch Provisioning
Zero Touch Provisioning (ZTP) enables a switch to automatically provision itself using the resources available on the network without manual intervention. When a switch with ZTP enabled starts up, it locates a DHCP server which provides the switch with an interface IPv4 address and a gateway IPv4 address. The switch then obtains the IP address of a TFTP server from which it will download the necessary boot file. The next step is for the switch to run the boot file.
On the switch, ZTP will trigger when any of the following conditions are met:
a switch boots with no startup configuration (only the default configuration)
the startup configuration is erased and the switch is reloaded
ZTP is forcedly enabled from the CLI
Note: ZTP will not be triggered if it is forcedly disabled from the CLI.
During the boot process, if the switch does not find a startup configuration and ZTP is enabled, the switch will enter ZTP mode. When forcedly enabled from the CLI, the switch enters ZTP mode regardless of the presence of a startup configuration. The switch will search for available DHCP servers and request from them an interface address, a gateway address, the TFTP server address, and the boot file name.
After the information from the DHCP server is obtained, ZTP will download and run the boot file, and then execute the ZTP process according to the boot file. ZTP automatically handles the process of upgrading the switch software image and installing configuration files.
Notes:
During the boot process, a prompt will appear asking if you want to abort or continue the ZTP process. If you choose to exit ZTP, the switch will continue with its normal boot process, using the default configuration or any startup configuration, if one is present on the switch and ZTP was forcedly enabled from the CLI.
If ZTP was forcedly enabled and no DHCP server was found during the ZTP process, any IPv4 address previously configured manually on the management interface will be removed.
If ZTP is canceled during its execution, the switch exits ZTP mode. If an interface IPv4 address was obtained, it will not be released. If any files were downloaded, they will not be deleted.
Important ZTP events are logged by the switch and are available for display from a console session.
DHCP Discovery
After entering ZTP mode, the switch sends a DHCP discover message on its management interface requesting DHCP offers from the DHCP servers present on the network. The receiving DHCP server replies with a DHCP offer message.
When the DHCP client receives the DHCP offer message, it will request the DHCP server to send the following information:
an interface IPv4 address
a gateway IPv4 address
the TFTP server IP address (using option 66)
the boot file name (using option 67)
The switch completes the DHCP negotiation process (request and acknowledgement) with the DHCP server, which assigns the switch an IPv4 address. The switch then uses the acquired TFTP server IP address to contact the TFTP server. The boot file name contains the complete file path of the boot file on the TFTP server. The switch then downloads the boot file.
If no DHCP servers reply to the DHCP discover message or if no DHCP offer meets the ZTP requirements, the switch will be unable to complete the DHCP negotiation and an IPv4 address is not assigned (except the default IPv4 address 192.168.50.50/24, but this cannot help the switch finalize the ZTP process). ZTP will try three times to successfully obtain the required information. If it fails the DHCP negotiation three times, the switch exits ZTP mode and continues the normal boot process.
Notes:
The interface IPv4 address obtained from the DHCP server is kept and used even after the ZTP process is over.
ZTP supports only DHCPv4 and not DHCPv6.
ZTP supports only TFTP and not FTP, SCP, HTTP, or other transfer protocols.
DHCP servers must be configured with options 66 and 67 to ensure that the switch always obtains the TFTP server hostname and the boot file name during the ZTP process.
DHCP options 66 and 67 are enabled by default on the switch. If either of them is intentionally disabled, the ZTP process will result in a failure.
DHCP option 66 provides the IP address of a single TFTP server. To enable or disable DHCP option 66, use the following command:
    Switch(config)# [no] ip dhcp client request tftp-server-name
DHCP option 67 provides the file path of the boot file needed by ZTP. To enable or disable DHCP option 67, use the following command:
    Switch(config)# [no] ip dhcp client request bootfile-name
ZTP Boot File
The boot file is written in YAML format. It lists switch models, and under each switch model are several fields that instruct the ZTP process what to do.
The boot file may contain up to three fields under each switch model:
img_name - this instructs ZTP to update the switch software image to the specified image version and configure it as the standby image on the switch
configuration - this instructs ZTP to copy the specified configuration file from the TFTP server and use it as the startup configuration file on the switch
script - this instructs ZTP to copy the script file and execute it on the switch
ZTP checks the boot file for the switch model and executes the appropriate actions according to the fields under the correct switch model.
ZTP supports the execution of Python scripts. If there is a script field under the switch model in the boot file, the field has a higher priority than the other two fields (img_name and configuration) and ZTP will ignore them. ZTP downloads the Python script file to the switch and executes it. The script can also contain instructions to download and install a switch software image and a configuration file.
Note: The Python script file is stored in a temporary folder on the switch and it will be deleted once the switch reloads.
Following is an example of a boot file:
    G8272:
        img_name: G827210.3.0.1.img
        configuration: netboot_config_file_G8272
        script: netboot_G8272.py
    G8296:
        img_name: G829610.3.0.1.img
        configuration: netboot_config_file_G8296
        script: netboot_G8296.py
    G8332:
        img_name: G833210.3.0.1.img
        configuration: netboot_config_file_G8332
        script: netboot_G8332.py
Note: After the ZTP process is over, the switch will be reloaded if the software image or the startup configuration are updated. If ZTP executes a Python script, the reloading of the switch is decided by the script instead.
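The following is an added example, not part of the Lenovo guide: a Python pre-publication check for a boot file that reports, per switch model, what ZTP would do under the rules above, including the case where a script field causes img_name and configuration to be ignored. The parser handles only the two-level layout shown in the guide; the sample file, the bootloader field and all function names are constructed for this example.

```python
"""Lint a ZTP boot file and report what ZTP would do for each switch model."""

KNOWN_FIELDS = ("img_name", "configuration", "script")

# Constructed sample in the layout of the guide's boot file example.
SAMPLE = """\
G8272:
    img_name: G827210.3.0.1.img
    configuration: netboot_config_file_G8272
    script: netboot_G8272.py
G8296:
    img_name: G829610.3.0.1.img
    configuration: netboot_config_file_G8296
G8332:
    configuration: netboot_config_file_G8332
    bootloader: uboot.bin
"""


def parse_boot_file(text):
    """Parse the two-level 'model:' / 'field: value' subset of YAML used here."""
    models, current = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.strip().partition(":")
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        if line[0] not in " \t":  # unindented line names a switch model
            if value.strip():
                raise ValueError(f"line {lineno}: model line must end with ':'")
            if key in models:
                raise ValueError(f"line {lineno}: duplicate model {key}")
            current = models.setdefault(key, {})
        elif current is None:
            raise ValueError(f"line {lineno}: field before any switch model")
        elif key in current:
            raise ValueError(f"line {lineno}: duplicate field {key}")
        else:
            current[key] = value.strip()
    return models


def plan(fields):
    """Apply the guide's rules: a script field takes priority over the other two."""
    actions = []
    warnings = [f"unknown field '{name}'" for name in fields if name not in KNOWN_FIELDS]
    if fields.get("script"):
        actions.append(("run_script", fields["script"]))
        ignored = [f for f in ("img_name", "configuration") if f in fields]
        if ignored:
            warnings.append("script present: " + ", ".join(ignored) + " ignored")
        reload_by = "script"  # the script decides whether the switch reloads
    else:
        if fields.get("img_name"):
            actions.append(("install_standby_image", fields["img_name"]))
        if fields.get("configuration"):
            actions.append(("copy_startup_config", fields["configuration"]))
        reload_by = "ztp" if actions else "none"
    return {"actions": actions, "reload": reload_by, "warnings": warnings}


def lint(text, model):
    """Return the plan for one switch model, or a warning if it has no entry."""
    models = parse_boot_file(text)
    if model not in models:
        return {"actions": [], "reload": "none",
                "warnings": [f"no entry for model {model}"]}
    return plan(models[model])


if __name__ == "__main__":
    for name in ("G8272", "G8296", "G8332", "G9999"):
        print(name, lint(SAMPLE, name))
```

Reviewing the plan before the file reaches the TFTP server shows when an entry will run a script on the switch instead of the image and configuration steps the file appears to request.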
Forcedly enabling or disabling ZTP
ZTP can be forcedly enabled on the switch even if there is a startup configuration present. It can also be forcedly disabled to not execute even if there is no startup configuration.
ZTP can have one of the following states:
Default
Forcedly Enabled
Forcedly Disabled
To forcedly enable ZTP on the switch, use the following command:
    Switch(config)# boot zerotouch force enable
To forcedly disable ZTP on the switch, use the following command:
    Switch(config)# boot zerotouch force disable
To reset the ZTP to its default setting, use the following command:
    Switch(config)# no boot zerotouch force
To view the current ZTP state, use the following command:
    Switch# display boot
    Current ZTP State: Enable
    Current FLASH software:
      active image: version 10.3.0.1, downloaded 18:39:47 UTC Wed Sep 16 2015
      standby image: version 10.3.0.1, downloaded 18:44:40 UTC Wed Sep 16 2015
      Uboot: version 10.3.0.1, downloaded 17:49:51 UTC Thu Jul 30 2015
    Currently set to boot software active image
    Currently scheduled reboot time: none
    Current port mode: default mode
To view the ZTP parameters obtained after the ZTP process has executed, use the following command:
    Switch# display zerotouch
    TFTP server: 10.122.3.69
    Image: G8xxx10.3.0.1.img
    Configuration: netboot_config_file_G8xxx
    Script: netboot_G8xxx.py
DHCP IP Address Services
For remote switch administration, the client terminal device must have a valid IP address on the same network as the switch interface. The IP address on the client device may be configured manually, or obtained automatically using IPv6 stateless address configuration, or an IP address may be obtained automatically via DHCP relay as discussed in the next section.
The switch can function as a relay agent for DHCP. This allows clients to be assigned an IP address for a finite lease period, reassigning freed addresses later to other clients. Acting as a relay agent, the switch can forward a client's IP address request to up to five DHCP servers. Additionally, up to five domain-specific DHCP servers can be configured for each of up to 10 VLANs.
When a switch receives a DHCP request from a client seeking an IP address, the switch acts as a proxy for the client. The request is forwarded as a UDP unicast MAC layer message to the DHCP servers configured for the client's VLAN or to the global DHCP servers if no domain-specific DHCP servers are configured for the client's VLAN. The servers respond to the switch with a unicast reply that contains the IP default gateway and the IP address for the client. The switch then forwards this reply back to the client.
DHCP is described in RFC 2131 and the DHCP relay agent supported on the switch is described in RFC 1542. DHCP uses User Datagram Protocol (UDP) as its transport protocol. The client sends messages to the server on port 67 and receives messages from the server on port 68.
DHCP Client Configuration
DHCP is enabled by default on the management interface and disabled on all other interfaces. You can enable DHCP only on a maximum of 10 interfaces, including the management interface.
To enable or disable DHCP on an interface (for example ethernet interface 1/12), use the following command:
for DHCPv4:
    Switch(config)# interface ethernet 1/12
    Switch(config-if)# no bridge-port
    Switch(config-if)# ip address dhcp
for DHCPv6:
    Switch(config)# interface ethernet 1/12
    Switch(config-if)# no bridge-port
    Switch(config-if)# ipv6 address dhcp
Notes:
DHCP cannot be enabled on an interface configured as a switch port, only on routing ports.
Manually configuring an IP address on an interface will disable DHCP for that interface.
DHCPv4 Hostname Configuration (Option 12)
The switch supports DHCPv4 hostname configuration as described in RFC 2132, option 12. DHCPv4 hostname configuration is enabled by default.
The switch's hostname can be manually configured using the following command:
Switch(config)# hostname
Note: If the hostname is manually configured, the switch does not replace it with the hostname received from the DHCPv4 server.
After DHCP configures the hostname on the switch, if the DHCPv4 configuration is disabled, the switch retains the hostname.
To enable or disable DHCP hostname configuration, use the following command on an interface (in this example, ethernet port 1/12 is used):
Switch(config)# interface ethernet 1/12
Switch(config-if)# [no] ip dhcp client request hostname
To view the system hostname use the following command:
Switch> display hostname
Note: The switch prompt also displays the hostname.
DHCPv4 Syslog Server (Option 7)
The switch supports the requesting of the Syslog server IP address from the DHCP server as described in RFC 2132, option 7. The DHCPv4 Syslog server request option is disabled by default.
Note: Manually configured Syslog servers take priority over the DHCPv4 Syslog server.
Up to three Syslog server addresses received from the DHCPv4 server can be used. The Syslog server addresses can be learned over the management port or an ethernet port.
To enable or disable the DHCP Syslog server request, use the following command on an interface (in this example, ethernet port 1/12 is used):
Switch(config)# interface ethernet 1/12
Switch(config-if)# [no] ip dhcp client request log-server
To view the Syslog server address, use the following command:
Switch> display logging server
Logging server: enabled
{*2.2.2.1}
  Server severity: debugging
  Server facility: local7
  Server vrf: data
* Values assigned by DHCP Client.
DHCPv4 NTP Server (Option 42)
This option requests the DHCP server to provide a list of IP addresses indicating Network Time Protocol (NTP) servers available to the client. The NTP servers are listed in order of preference. The switch supports the requesting of NTP servers as described in RFC 2132, option 42.
By default, the switch does not include this request in DHCPv4 messages. To enable or disable this option on an interface, use the following command (in this example, ethernet port 1/12 is used):
Switch(config)# interface ethernet 1/12
Switch(config-if)# [no] ip dhcp client request ntp-server
Note: Any manually configured NTP server will not be overwritten by the NTP servers received via DHCPv4.
To view the list of NTP servers, use the following command:
Switch> display ntp peers
DHCPv4 Vendor Class Identifier (Option 60)
This option is used by a DHCP client to identify itself to the DHCP server. It is used to define the vendor type and functionality of the DHCP client. The DHCP client can communicate to a server that it uses a specific type of hardware or software by specifying its Vendor Class Identifier (VCI).
The switch supports the identifying of a TFTP server as described in RFC 2132, option 60.
Each switch interface can be configured with a different VCI.
By default, the switch will include this option in DHCPv4 packets. To enable or disable the identification of TFTP servers use the following command (in this example, ethernet port 1/12 is used):
Switch(config)# interface ethernet 1/12
Switch(config-if)# [no] ip dhcp client class-id
Note: Depending on the Lenovo RackSwitch, the default VCI is different.
- for the Lenovo RackSwitch G8272, the default VCI is LENOVOG8272
- for the Lenovo RackSwitch G8296, the default VCI is LENOVOG8296
- for the Lenovo RackSwitch G8332, the default VCI is LENOVOG8332
DHCP Relay Agent
When DHCP clients and associated servers are not on the same physical subnet, a DHCP relay agent can transfer DHCP messages between them. When a DHCP request arrives on an interface, the relay agent forwards the packet to all DHCP server IP addresses configured on that interface. The relay agent forwards replies from all DHCP servers to the host that sent the request. If no DHCP servers are configured on that interface, the relay agent will not forward packets.
DHCP has two versions. DHCPv4 is used to configure hosts with IPv4 addresses, IPv4 prefixes, and other configuration data required to operate in an IPv4 network. DHCPv6 is used to configure hosts with IPv6 addresses, IPv6 prefixes, and other configuration data required to operate in an IPv6 network.
For DHCPv4, you can configure the relay agent to add the relay agent information (option 82) in the DHCPv4 message and then forward it to the DHCPv4 server. The reply from the server is forwarded back to the client after removing option 82.
The DHCP Relay Agent is globally enabled by default. To globally enable or disable DHCP use the following command:
for DHCPv4:
Switch(config)# [no] ip dhcp relay
for DHCPv6:
Switch(config)# [no] ipv6 dhcp relay
DHCP relay can be configured differently on each ethernet port or VLAN. The maximum number of DHCP servers configured on an interface is 32. To configure DHCP on an interface, use the following steps:
1. Enter the configuration menu for the desired interface (in this example, ethernet interface 1/12 is used):
Switch(config)# interface ethernet 1/12
Switch(config-if)#
2. Configure the DHCP server address:
for DHCPv4:
Switch(config-if)# ip dhcp relay address
for DHCPv6:
Switch(config-if)# ipv6 dhcp relay address
3. To view the current DHCP settings, use the following command:
for DHCPv4:
Switch> display ip dhcp relay
for DHCPv6:
Switch> display ipv6 dhcp relay
DHCPv4 Option 82
DHCPv4 option 82 provides a mechanism for generating IP addresses based on the location in the network of the client device. When you enable the DHCPv4 relay agent option on the switch, it inserts the relay agent information option 82 in the packet. The switch then sends a unicast DHCPv4 request packet to the DHCPv4 server. The DHCPv4 server uses the option 82 field to assign an IP address and sends the packet, with the original option 82 field included, back to the relay agent. The DHCPv4 relay agent strips off the option 82 field in the packet and sends the packet to the DHCPv4 client.
The configuration of this feature is optional. The feature helps resolve several issues where untrusted hosts access the network. See RFC 3046 for details.
To configure DHCPv4 option 82, use the following command:
Switch(config)# ip dhcp relay information option
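
The insert-and-strip cycle described above, as an added Python example that is not part of the Lenovo guide or the switch's own code. It works on the DHCPv4 options field only and assumes a first-hop relay (giaddr zero); the Circuit ID and Remote ID sub-options come from RFC 3046, and the sample values are constructed, not what the switch actually sends.

```python
"""DHCPv4 relay agent information (option 82) handling per RFC 3046 (added example)."""

OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes


def walk_options(options):
    """Yield (code, value) pairs up to the End option; reject truncated options."""
    i = 0
    while i < len(options) and options[i] != OPT_END:
        if options[i] == OPT_PAD:              # Pad is a single byte with no length
            i += 1
            continue
        if i + 2 > len(options) or i + 2 + options[i + 1] > len(options):
            raise ValueError("truncated option %d" % options[i])
        yield options[i], options[i + 2:i + 2 + options[i + 1]]
        i += 2 + options[i + 1]


def encode_options(pairs):
    """Serialise (code, value) pairs and terminate the field with End."""
    return b"".join(bytes([c, len(v)]) + v for c, v in pairs) + bytes([OPT_END])


def relay_insert(options, circuit_id, remote_id):
    """Client -> server: add option 82 as the last option before End."""
    pairs = list(walk_options(options))
    if any(code == OPT_RELAY_INFO for code, _ in pairs):
        # RFC 3046 section 2.1: a first-hop relay discards a client packet that
        # already carries option 82 instead of trusting the claimed location.
        raise ValueError("option 82 already present on untrusted port")
    # Sub-options use the same code/length/value layout, without an End byte.
    sub = encode_options([(SUB_CIRCUIT_ID, circuit_id),
                          (SUB_REMOTE_ID, remote_id)])[:-1]
    return encode_options(pairs + [(OPT_RELAY_INFO, sub)])


def relay_strip(options):
    """Server -> client: remove option 82; return (options, sub-option dict)."""
    kept, subs = [], {}
    for code, value in walk_options(options):
        if code != OPT_RELAY_INFO:
            kept.append((code, value))
            continue
        i = 0
        while i + 2 <= len(value):             # walk the sub-option TLVs
            subs[value[i]] = value[i + 2:i + 2 + value[i + 1]]
            i += 2 + value[i + 1]
    return encode_options(kept), subs


# Constructed sample: options of a DHCPDISCOVER (message type 1, host name).
DISCOVER = encode_options([(53, b"\x01"), (12, b"host-a")])

if __name__ == "__main__":
    # Constructed port name and MAC address stand in for the relay's location data.
    to_server = relay_insert(DISCOVER, b"Ethernet1/12", bytes.fromhex("0011223344aa"))
    to_client, location = relay_strip(to_server)   # the server echoes option 82 back
    print(to_server.hex(), location, to_client == DISCOVER)
```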
Switch Login Levels
To enable better switch management and user accountability, two levels or classes of user access have been implemented on the switch. The levels of access to CLI management functions and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:
- Network Operators can only make temporary changes on the switch. These changes will be lost when the switch is reloaded or reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reload of the switch, operators cannot severely impact switch operation.
- Network Administrators are the only ones that may make permanent changes to the switch configuration: changes that are persistent across a reload or reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the device. Because administrators can also make temporary (operator-level) changes, they must be aware of the interactions between temporary and permanent changes.
Note: The default (predefined) access classes cannot be removed or their rules modified. Also, new access classes cannot be created.
Access to switch functions is controlled through the use of unique usernames and passwords. Once you are connected to the switch via console, Telnet, or SSH, you are prompted to enter a password. The default username and password combinations for each access level are listed in Table 2.
Note: It is recommended that you change the default switch passwords after initial configuration and as regularly as required under your network security policies.
For more details, see "End-user Access Control" on page 113.
Table 2. User Access Levels - Default Settings
User Account | Password | Description and Tasks Performed | Status
oper | oper | The Operator manages all functions of the switch. The Operator can reset ports, except the management port. | Disabled
admin | admin | The Administrator has complete access to all menus, information, and configuration commands on the switch, including the ability to change both the operator and administrator passwords. | Enabled
To display the current role configurations, use the following command:
Switch> display role
Role: network-admin
  Description: Predefined network admin role has access to all commands on the switch
  Rule  Perm    Type        Scope  Entity
  1     permit  read-write
Role: network-operator
  Description: Predefined network operator role has access to all read commands on the switch
  Rule  Perm    Type        Scope  Entity
  1     permit  read
While a network administrator has access to all of the CLI commands, a network operator has more limited access, only being able to run commands such as:
display
end
exit
logout
quit
terminal
enable
disable
ping
ping6
traceroute
traceroute6
ssh
ssh6
telnet
telnet6
where
configure device
Ping
Ping (Poll INternet Gateway) is an administration utility used to test the connectivity between two network IP devices. It also measures the length of time it takes for a packet to be sent to a remote host plus the length of time it takes for an acknowledgement of that packet to be received by the source host.
Ping functions by sending an Internet Control Message Protocol (ICMP) echo request to the specified remote host and waiting for an ICMP reply from that host.
Using this method, ping also determines the time interval between when the echo request is sent and when the echo reply is received. This interval is called round-trip time. At the end of the test, ping will display the minimum, maximum, and average round-trip times, and the standard deviation of the mean.
Besides the round-trip time, ping can also measure the rate of packet loss. This is determined by the number of received echo replies over the number of sent echo requests. It is displayed as a percentage.
The Switch also supports ping for IPv6 addressing.
To perform a standard ping test, use the following commands:
IPv4:
Switch# ping vrf management
IPv6:
Switch# ping6 vrf management
For example:
Switch# ping 10.10.10.1 vrf management
PING 10.10.10.1 (10.10.10.1) from 10.10.10.127 : 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=61 time=0.368 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=61 time=0.280 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=61 time=0.308 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=61 time=0.291 ms
64 bytes from 10.10.10.1: icmp_seq=5 ttl=61 time=0.320 ms
--- 10.10.10.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996 ms
rtt min/avg/max/mdev = 0.280/0.313/0.368/0.034 ms
Note: If no specific VRF instance is configured, the switch uses the default management VRF. In this case, the user can also use the following command:
Switch# ping
or
Switch# ping6
Ping Configurable Parameters
Ping can be configured with various parameters, such as specifying the number or size of echo requests, the time interval between each transmission, or the non-responsive timeout interval for sent packets.
Test Interruption
Ping tests can be manually stopped at any point in the process. When the interruption is detected, ping will stop sending echo requests and display the results based on the packets transmitted up to that point.
To manually terminate a ping test, press.
Ping Count
By default, ping transmits a sequence of five echo requests. To configure the number of packets sent during the test, use the following command:
Switch# ping count
Ping can also be configured to continuously send echo requests until the test is manually interrupted. To achieve this, use the following command:
Switch# ping count unlimited
For IPv6 addressing, the commands are as follows:
Switch# ping6 count
Switch# ping6 count unlimited
Ping Packet Interval
By default, ping does not wait between consecutive echo requests. As soon as an echo reply has been received or the non-responsive timer has expired, ping will send the next echo request.
To configure a time interval, in seconds, between the transmission of packets, use the following command:
Switch# ping interval
For IPv6 addressing, the command is as follows:
Switch# ping6 interval
Ping Packet Size
By default, ping sends echo requests with a packet size of 56 bytes. Specifying a larger size than the default can help in detecting the loss of big packets.
To configure the packet size, in bytes, use the following command:
Switch# ping packet-size
For IPv6 addressing, the command is as follows:
Switch# ping6 packet-size
Ping Source
By default, ping automatically chooses the outgoing interface for echo requests and sends the packets using the IP address of that interface. To check the connectivity of different paths through the network, you can specify the interface used for sending echo requests.
To use a specific interface during the ping test, use the following command:
Switch# ping source
Note: The source IPv4 address is the IP address of the desired switch interface.
You can also choose the interface used for the ping test by directly specifying the desired interface. To achieve this, use the following command (in this example, ethernet port 1/12 is used):
Switch# ping interface ethernet 1/12
For IPv6 addressing, the commands are as follows:
Switch# ping6 source
Switch# ping6 interface ethernet 1/12
Ping DF-Bit
By default, echo requests are fragmented when they are forwarded through the network. Configuring packets not to be fragmented when traversing the network can help in determining the maximum transmission unit (MTU) of the path.
To enable the non-fragmentation of echo requests, use the following command:
Switch# ping df-bit
Note: This parameter is configurable only for IPv4 addressing.
Ping Timeout
By default, after sending an echo request, ping waits up to a maximum of two seconds for an echo reply. If this time interval expires and an echo reply is not received, ping will declare that the remote host has timed out and that the sent packet is lost.
To configure the timeout interval, in seconds, use the following command:
Switch# ping timeout
For IPv6 addressing, the command is as follows:
Switch# ping6 timeout
Ping VRF
By default, ping uses the default Virtual Routing and Forwarding (VRF) instance. To configure ping to use a different VRF instance, use the following command:
Switch# ping vrf {default|management}
Note: You can choose only between the default or management VRF instances.
For IPv6 addressing, the command is as follows:
Switch# ping6 vrf {default|management}
Ping Interactive Mode
To configure a custom ping test, you can choose what parameters to change by combining the previously presented commands.
Besides this option, you can customize a ping test by using Ping Interactive Mode. In this mode, you can configure additional parameters: the type of service (ToS), the hop limit or time to live (TTL) and the data pattern.
Note: Ping Interactive Mode is only available for IPv4 addressing.
To enter Ping Interactive Mode, use the following command:
Switch# ping
You will be prompted to specify the value of each configurable parameter. If you do not enter a value, the default will be used.
Switch# ping
Vrf context to use [default]: management
Protocol [ip]:
Target IP address: 10.241.1.11
Repeat count [5]: 7
Datagram size [56]: 100
Timeout in seconds [2]: 1
Sending interval in seconds [1]:
Extended commands [n]: yes
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: yes
Data pattern [0xABCD]:
PATTERN: 0xabcd
PING 10.241.1.11 (10.241.1.11) 100(128) bytes of data.
108 bytes from 10.241.1.11: icmp_seq=1 ttl=61 time=0.337 ms
108 bytes from 10.241.1.11: icmp_seq=2 ttl=61 time=0.288 ms
108 bytes from 10.241.1.11: icmp_seq=3 ttl=61 time=0.311 ms
108 bytes from 10.241.1.11: icmp_seq=4 ttl=61 time=0.288 ms
108 bytes from 10.241.1.11: icmp_seq=5 ttl=61 time=0.317 ms
108 bytes from 10.241.1.11: icmp_seq=6 ttl=61 time=0.288 ms
108 bytes from 10.241.1.11: icmp_seq=7 ttl=61 time=0.315 ms
--- 10.241.1.11 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 5997 ms
rtt min/avg/max/mdev = 0.288/0.306/0.337/0.022 ms
Traceroute
Traceroute is a diagnostic tool used to determine the network route between the switch and a remote device. It displays the network nodes (routers or gateway devices) crossed by a packet until it arrives at the specified destination.
Traceroute sends a sequence of User Datagram Protocol (UDP) packets addressed to a remote device. To determine the intermediate routers between the source and the destination devices, traceroute adjusts the time-to-live (TTL) value, also known as hop limit, of each sequence of sent packets. When a packet crosses a router, its hop limit is decreased by one. If a router detects a hop limit of zero, it discards the packet and sends the source host an Internet Control Message Protocol (ICMP) error message: Time Exceeded.
Traceroute configures the starting sequence of packets with a hop limit of one. The packets reach the first router and their hop limit is reduced from one to zero. The router will not forward the packets, but will instead discard them. Then, it sends an ICMP error message to the source host.
Traceroute sends the next set of packets with a hop limit of two. This time, the first router forwards the packets, reducing their TTL value from two to one. The packets reach the second router, which updates their hop limit to zero and discards them. Then, the second router will send the source host an ICMP error message.
Traceroute continues to send packets with increasing hop limit until the targeted remote device receives the packets and returns an ICMP echo reply.
After receiving the echo reply, traceroute uses the returned ICMP messages to create a list of the routers crossed by the packets. It uses the time interval between transmission and reception of packets as the delay (or latency) value for each node.
The Switch also supports traceroute for IPv6 addressing.
To perform a traceroute test, use the following commands:
IPv4:
Switch# traceroute
IPv6:
Switch# traceroute6
For example:
Switch# traceroute 10.241.1.11
traceroute to 10.241.1.11 (10.241.1.11), 30 hops max, 56 byte packets
 1  10.241.41.1 (10.241.41.1)  1.988 ms  2.117 ms  2.299 ms
 2  10.241.4.254 (10.241.4.254)  1.903 ms  1.914 ms  2.649 ms
 3  10.241.1.33 (10.241.1.33)  1.138 ms  1.195 ms  1.242 ms
 4  10.241.1.11 (10.241.1.11)  1.085 ms !X  1.079 ms !X  1.087 ms !X
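
An added Python example, not part of the Lenovo guide, that parses the sample output above and decodes the !X markers on its final hop. It assumes the switch prints Linux-style traceroute annotations, where !X means the responder returned an ICMP "communication administratively prohibited" error, which usually points to a packet filter rejecting the UDP probe.

```python
import re

# Markers a Linux-style traceroute prints after a probe time when the reply was
# an ICMP error other than Time Exceeded (assumed to apply to the switch too).
FLAGS = {
    "!H": "host unreachable",
    "!N": "network unreachable",
    "!P": "protocol unreachable",
    "!F": "fragmentation needed",
    "!S": "source route failed",
    "!X": "communication administratively prohibited",
}

HOP = re.compile(r"^\s*(\d+)\s+\S+\s+\((\S+)\)\s+(.*)$")
PROBE = re.compile(r"(\d+\.\d+)\s+ms(?:\s+(!\w+))?")

# The sample output from this page, with its line breaks restored.
SAMPLE = """\
traceroute to 10.241.1.11 (10.241.1.11), 30 hops max, 56 byte packets
 1  10.241.41.1 (10.241.41.1)  1.988 ms  2.117 ms  2.299 ms
 2  10.241.4.254 (10.241.4.254)  1.903 ms  1.914 ms  2.649 ms
 3  10.241.1.33 (10.241.1.33)  1.138 ms  1.195 ms  1.242 ms
 4  10.241.1.11 (10.241.1.11)  1.085 ms !X  1.079 ms !X  1.087 ms !X
"""


def parse(output):
    """Return one dict per hop: ttl, responding address, RTTs and markers."""
    hops = []
    for line in output.splitlines():
        m = HOP.match(line)
        if m:
            probes = PROBE.findall(m.group(3))
            hops.append({"ttl": int(m.group(1)), "addr": m.group(2),
                         "rtts": [float(rtt) for rtt, _ in probes],
                         "flags": sorted({flag for _, flag in probes if flag})})
        elif re.match(r"^\s*\d+\s+\*", line):   # every probe timed out
            hops.append({"ttl": int(line.split()[0]), "addr": None,
                         "rtts": [], "flags": []})
    return hops


def verdict(output):
    """Report whether the target itself answered and what any marker means."""
    target = re.search(r"^traceroute to \S+ \((\S+)\)", output, re.M).group(1)
    hops = parse(output)
    if not hops or hops[-1]["addr"] != target:
        return "target did not answer"
    reasons = [FLAGS.get(flag, flag) for flag in hops[-1]["flags"]]
    return "target answered" + (": " + ", ".join(reasons) if reasons else "")


if __name__ == "__main__":
    for hop in parse(SAMPLE):
        print(hop["ttl"], hop["addr"], min(hop["rtts"], default=None), hop["flags"])
    print(verdict(SAMPLE))
```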
Traceroute Configurable Parameters
Traceroute is less customizable than ping, providing options only for choosing the outgoing interface or Virtual Routing and Forwarding (VRF) instance.
Test Interruption
Traceroute tests can be manually stopped at any point in the process. When the interruption is detected, traceroute will stop sending UDP packets and display the results based on the packets transmitted up to that point.
To manually terminate a Traceroute test, press.
Traceroute Source
By default, traceroute automatically chooses the outgoing interface for sending UDP packets and transmits the packets using the IP address of that interface. To check the connectivity of different paths through the network, you can specify the interface used for sending packets.
To use a certain interface during a traceroute test, use the following command:
Switch# traceroute source
Note: The source IPv4 address is the IP address of the desired switch interface.
For IPv6 addressing, the command is as follows:
Switch# traceroute6 source
In the case of IPv6 addressing, you can also choose the interface used for the traceroute test by directly specifying the desired interface. To achieve this, use the following command (in this example, ethernet port 1/12 is used):
Switch# traceroute6 interface ethernet 1/12
Traceroute VRF
By default, traceroute uses the default Virtual Routing and Forwarding (VRF) instance. To configure traceroute to use a different VRF instance, use the following command:
Switch# traceroute vrf {default|management}
Note: You can choose only between the default or management VRF instances.
For IPv6 addressing, the command is as follows:
Switch# traceroute6 vrf {default|managemen