Version
RackSwitch G8000
Application Guide
Part Number BMD00041, November
RackSwitch G8000 Application Guide
Contents
Preface
Chapter 1 Accessing the Switch
Chapter 2 Port-based Network Access Control
Chapter 3 VLANs
Chapter 4 Ports and Trunking
Chapter 5 Spanning Tree
Chapter 6 Quality of Service
Chapter 7 Remote Monitoring
Chapter 8 Basic IP Routing
Chapter 9 IGMP
Chapter 10 High Availability
Appendix A Troubleshooting
Figures
BMD00041, November
Tables
Preface
Who Should Use This Guide
What You’ll Find in This Guide
Symbol
Typographic Conventions
Table 1 Typographic Conventions
How to Get Help
Accessing the Switch
CHAPTER
“Configuring an IP Interface” on page
“Using Telnet” on page
“Using the Browser-Based Interface” on page
“Using SNMP” on page
Configuring an IP Interface
1. Log on to the switch
2. Enter IP interface mode
4. Configure the default gateway. Enable the gateway
Command Reference
Using Telnet
Configuring BBI access via HTTP
Using the Browser-Based Interface
Configuring BBI access via HTTPS
The BBI is organized at a high level as follows
SNMP v1
Using SNMP
Default configuration
SNMP
User configuration
RS G8000 config# snmp-server group 5 group-name admingrp
RS G8000 config# snmp-server group 5 user-name admin
SNMPv1 trap host
Configuring SNMP Trap Hosts
SNMPv2 trap host configuration
1. Configure an entry in the notify table
SNMPv3 trap host configuration
Securing Access to the Switch
“RADIUS Authentication and Authorization” on page
“TACACS+ Authentication” on page
“End User Access Control” on page
RADIUS Authentication and Authorization
How RADIUS authentication works
Configuring RADIUS
2. Configure the RADIUS secret and enable the feature
RADIUS authentication features in Blade OS
Vendor-supplied
Switch User Accounts
RADIUS Attributes for G8000 user privileges
Vendor-supplied
TACACS+ Authentication
How TACACS+ authentication works
Authorization
TACACS+ authentication features in Blade OS
RS G8000 config# tacacs-server privilege-mapping
Accounting
Command authorization and logging
RS G8000 config# tacacs-server command-authorization
RS G8000 config# tacacs-server command-logging
Configuring TACACS+ Authentication
2. Configure the TACACS+ secret and second secret
4. Configure the number of retry attempts, and the timeout period
Secure Shell
Configuring SSH features on the switch
SSH encryption of management messages
Generating RSA Host and Server Keys for SSH access
RS G8000 config# ssh generate-host-key
RS G8000 config# ssh generate-server-key
SSH Integration with RADIUS/TACACS+ Authentication
User Access Control
End User Access Control
Considerations for configuring End User Accounts
Setting up User IDs
Logging into an End User account
Defining a User’s access level
Listing current Users
Enabling or Disabling a User
Port-based Network Access Control
“Extensible Authentication Protocol over LAN” on page
“802.1X authentication process” on page
“Configuration guidelines” on page
Extensible Authentication Protocol over LAN
EAPoL message exchange
802.1X authentication process
Port Unauthorized
Port Authorized
802.1X port states
Authorized
Unauthorized
Force Unauthorized
Supported RADIUS attributes
Table 2 Support for RADIUS Attributes
Configuration guidelines
VLANs
CHAPTER
“VLANs and Port VLAN ID Numbers” on page
“VLAN Tagging” on page
“VLAN Topologies and Design Considerations” on page
Overview
VLAN numbers
VLANs and Port VLAN ID Numbers
Viewing VLANs
Viewing and Configuring PVIDs
PVID numbers
VLAN Tagging
Figure 3-1 Default VLAN settings
Figure 3-2 Port-based VLAN assignment
Figure 3-3 802.1Q tagging after port-based VLAN assignment
Figure 3-4 802.1Q tag assignment
Figure 3-5 802.1Q tagging after 802.1Q tag assignment
VLAN configuration rules
VLAN Topologies and Design Considerations
Multiple VLANs with Tagging Adapters
VLAN configuration example
1. Enable VLAN tagging on server ports that support multiple VLANs
2. Enable tagging on uplink ports that support multiple VLANs
3. Configure the VLANs and their member ports
Private VLANs
Private VLAN ports
Configuration guidelines
Configuration example
1. Select a VLAN and define the Private VLAN type as primary
2. Configure a secondary VLAN and map it to the primary VLAN
3. Verify the configuration
Ports and Trunking
CHAPTER
“Overview” on page 64
“Port Trunking Example” on page
“Configurable Trunk Hash Algorithm” on page
Statistical load distribution
Built-In fault tolerance
Overview
Before you configure static trunks
Static trunk group configuration rules
All trunk members must be in the same Spanning Tree Group (STG) and can belong to only one STG. However, if all ports are tagged, then all trunk ports can belong to multiple STGs.
Port Trunking Example
Trunk 1 Ports 1, 7, and
Trunk 3 Ports 2, 23, and
1. Follow these steps on the G8000
RS G8000 config# portchannel 1 member 1,7,32
2. Repeat the process on the other switch
3. Connect the switch ports that will be members in the trunk group
4. Examine the trunking information on each switch
Configurable Trunk Hash Algorithm
Link Aggregation Control Protocol
Admin key
Each port on the switch can have one of the following LACP modes
Configuring LACP
LACP configuration guidelines
3. Set the LACP mode
Spanning Tree
CHAPTER
“Overview” on page
“Rapid Spanning Tree Protocol” on page
“Per VLAN Rapid Spanning Tree” on page
Overview
Table 5-1 Ports, Trunk Groups, and VLANs
Determining the Path for Forwarding BPDUs
Bridge Protocol Data Units BPDUs
Bridge Priority
Port Priority
Spanning Tree Group configuration guidelines
Changing the Spanning Tree mode
Port Path Cost
Assigning a VLAN to a Spanning Tree Group
Rules for VLAN Tagged ports
Creating a VLAN
Adding and removing ports from STGs
Rapid Spanning Tree Protocol
Port state changes
Edge Port
RSTP configuration guidelines
Port Type and Link Type
Link Type
RSTP configuration example
Configure Rapid Spanning Tree
1. Configure port and VLAN membership on the switch
2. Set the Spanning Tree mode to Rapid Spanning Tree
Default Spanning Tree configuration
Per VLAN Rapid Spanning Tree
Figure 5-1 Two VLANs on one Spanning Tree Group
Why do we need multiple Spanning Trees?
Figure 5-2 Two VLANs, each on a different Spanning Tree Group
Configuring PVRST
PVRST configuration guidelines
1. Set the Spanning-tree mode to PVRST+
MSTP Region
Multiple Spanning Tree Protocol
Common Internal Spanning Tree
MSTP configuration guidelines
Configuring Multiple Spanning Tree Groups
2. Configure Multiple Spanning Tree Protocol
Fast Uplink Convergence
Configuration Guidelines
Configuring Fast Uplink Convergence
Quality of Service
“Overview” on page
“Using ACL Filters” on page
“Using Storm Control Filters” on page
“Using DSCP Values to Provide QoS” on page
COS Queue
Permit/Deny
Filter
Overview
Using ACL Filters
MAC Extended ACLs
IP Standard ACLs
IP Extended ACLs
RS G8000 config# no access-list ip extended
RS G8000 config# access-list ip extended
Table 6-1 Well-known protocol types
Port 1 access group ACL IP Extended
Understanding ACL priority
Assigning ACLs to a port
ACL IP Extended
Viewing ACL statistics
ACL configuration examples
Example
1. Configure an Access Control List
3. Verify the configuration
Example
Use this configuration to block traffic from a network destined for a specific host address. All traffic that ingresses port 10 with a source IP in the 100.10.1.0/24 network and destination IP 200.20.2.2 is denied.
1. Configure an Access Control List
2. Assign the ACL to port
Example
1. Configure an Access Control List
config# ip access-list ip extended
2. Configure IP ACLs to deny all other traffic
4. Configure a MAC ACL to deny all other traffic
Example
1. Configure an Access Control List
RS G8000 config# interface port
RS G8000 config-if# ip access-group 1103 in
Using Storm Control Filters
Broadcast storms
Configuring storm control
Using DSCP Values to Provide QoS
Differentiated Services Concepts
The switch can perform the following actions on the DSCP value
Per Hop Behavior
QoS Levels
Default QoS Service Levels
Service Level
DSCP-to-802.1p mapping
Using 802.1p Priority to Provide QoS
Figure 6-3 Layer 2 802.1q/802.1p VLAN tagged packet
Queuing and Scheduling
802.1p configuration example
1. Configure a port’s default 802.1p priority value to
Remote Monitoring
CHAPTER
Overview
RMON group 1-Statistics
Configuring RMON statistics
1. Enable RMON on a port
2. Configure the RMON statistics on a port
RMON group 2-History
History MIB Object ID
Configuring RMON History
1. Enable RMON on a port
2. Configure the RMON History parameters for a port
RS G8000# show rmon history
RMON group 3-Alarms
Alarm MIB objects
Configuring RMON Alarms
Example
1. Configure the RMON Alarm parameters to track ICMP messages
RMON group 9-Events
Configure RMON events
1. Configure the RMON event parameters
Basic IP Routing
CHAPTER
“IP Routing Benefits” on page
“Dynamic Host Configuration Protocol” on page
IP Routing Benefits
Routing Between IP Subnets
Figure 8-1 The Router Legacy Network
Traffic to the router increases, increasing congestion
Example of Subnet Routing
Figure 8-2 Switch-Based Routing Topology
2. Assign an IP interface for each subnet attached to the switch
Using VLANs to segregate Broadcast Domains
Configuration example
Table 8-1 Subnet Routing Example IP Address Assignments
4. Add the switch ports to their respective VLANs
5. Assign a VLAN to each IP interface
6. Configure the default gateway to the routers’ addresses
7. Enable IP routing
8. Verify the configuration
Dynamic Host Configuration Protocol
IGMP
CHAPTER
“IGMP Snooping” on page
“IGMPv3 Snooping” on page
“Static Multicast Router” on page
IGMP Snooping
RS G8000 config# no ip igmp flood
FastLeave
RS G8000 config# ip igmp fastleave VLAN number
IGMPv3 Snooping
RS G8000 config# ip igmp snoop igmpv3 sources
RS G8000 config# no ip igmp snoop igmpv3 exclude
IGMP Snooping configuration example
Configure IGMP Snooping
5. View dynamic IGMP information
RS G8000# show ip igmp groups
RS G8000# show ip igmp mrouter
Static Multicast Router
Configure a Static Multicast Router
2. Verify the configuration
High Availability
CHAPTER
“Uplink Failure Detection” on page
Uplink Failure Detection
Figure 10-1 Uplink Failure Detection example
Failure Detection Pair
Link to Monitor (LtM)
Spanning Tree Protocol with UFD
Configuration guidelines
Configuring UFD
1. Configure Network Adapter Teaming on the servers
2. Assign the Link to Monitor (LtM) ports
Monitoring UFD
Troubleshooting
APPENDIX A
“Monitoring Ports” on page
Monitoring Ports
Figure A-1 Monitoring Ports
Port Mirroring behavior
Configuring Port Mirroring
2. Enable port mirroring
3. View the current configuration
Index
Symbols
Numerics