NEC N8406-022A User Manual

N8406-022A 1Gb Intelligent L2 Switch

Application Guide

Part number: 856-126757-106-00

First edition: July 2008

express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. NEC shall not be liable for technical or editorial errors or omissions contained herein.

Microsoft®, Windows®, and Windows NT® are U.S. registered trademarks of Microsoft Corporation. SunOS™ and Solaris™ are trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Cisco® is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. Part number: 856-126757-106-00 First edition: July 2008

Contents

Accessing the switch

Introduction.............................................................................................................................................................6

Additional references..............................................................................................................................................6

Typographical conventions.....................................................................................................................................6

Management Network ............................................................................................................................................7

Connecting through the console port................................................................................................................7

Connecting through Telnet................................................................................................................................7

Connecting through Secure Shell .....................................................................................................................7

Using the command line interfaces ........................................................................................................................8

Configuring an IP interface................................................................................................................................8

Using the Browser-based Interface........................................................................................................................9

Using Simple Network Management Protocol........................................................................................................9

SNMP v1.0........................................................................................................................................................9

SNMP v3.0......................................................................................................................................................10

Default configuration.......................................................................................................................................10

User configuration...........................................................................................................................................10

View based configurations..............................................................................................................................11

Configuring SNMP trap hosts..........................................................................................................................12

Secure access to the switch.................................................................................................................................14

Setting allowable source IP address ranges...................................................................................................14

RADIUS authentication and authorization.......................................................................................................14

TACACS+ authentication................................................................................................................................18

Secure Shell and Secure Copy.......................................................................................................................23

User access control..............................................................................................................................................27

Setting up user IDs..........................................................................................................................................27

Ports and trunking

Introduction...........................................................................................................................................................28

Ports on the switch...............................................................................................................................................28

Port trunk groups..................................................................................................................................................28

Statistical load distribution...............................................................................................................................29

Built-in fault tolerance......................................................................................................................................29

Before you configure trunks..................................................................................................................................29

Trunk group configuration rules............................................................................................................................29

Port trunking example...........................................................................................................................................30

Configuring trunk groups (AOS CLI example).................................................................................................31

Configuring trunk groups (BBI example).........................................................................................................32

Configurable Trunk Hash algorithm......................................................................................................................34

Link Aggregation Control Protocol........................................................................................................................35

Configuring LACP ...........................................................................................................................................36

VLANs

Introduction...........................................................................................................................................................37

Overview...............................................................................................................................................................37

VLANs and port VLAN ID numbers......................................................................................................................37

VLAN numbers................................................................................................................................................37

PVID numbers.................................................................................................................................................37

Viewing and configuring PVIDs.......................................................................................................................38

VLAN tagging .......................................................................................................................................................38

VLANs and IP interfaces ......................................................................................................................................41

VLAN topologies and design considerations........................................................................................................41

VLAN configuration rules ................................................................................................................................41

Multiple VLANS with tagging................................................................................................................................42

Configuring the example network....................................................................................................................43

FDB static entries.................................................................................................................................................48

Trunking support for FDB static entries...........................................................................................................48

Configuring a static FDB entry........................................................................................................................48

Spanning Tree Protocol

Introduction...........................................................................................................................................................49

Overview...............................................................................................................................................................49

Accessing the switch 3

Bridge Protocol Data Units...................................................................................................................................49

Determining the path for forwarding BPDUs...................................................................................................49

Spanning Tree Group configuration guidelines....................................................................................................50

Default Spanning Tree configuration...............................................................................................................50

Adding a VLAN to a Spanning Tree Group.....................................................................................................50

Creating a VLAN.............................................................................................................................................50

Rules for VLAN tagged ports ..........................................................................................................................50

Adding and removing ports from STGs...........................................................................................................51

Assigning cost to ports and trunk groups........................................................................................................51

Multiple Spanning Trees.......................................................................................................................................51

Why do we need Multiple Spanning Trees?....................................................................................................51

VLAN participation in Spanning Tree Groups.................................................................................................52

Configuring Multiple Spanning Tree Groups...................................................................................................52

Port Fast Forwarding............................................................................................................................................54

Configuring Port Fast Forwarding...................................................................................................................55

Fast Uplink Convergence.....................................................................................................................................55

Configuration guidelines..................................................................................................................................55

Configuring Fast Uplink Convergence ............................................................................................................55

RSTP and MSTP

Introduction...........................................................................................................................................................56

Rapid Spanning Tree Protocol .............................................................................................................................56

Port state changes..........................................................................................................................................56

Port type and link type.....................................................................................................................................56

RSTP configuration guidelines........................................................................................................................57

RSTP configuration example ..........................................................................................................................57

Multiple Spanning Tree Protocol ..........................................................................................................................59

MSTP region...................................................................................................................................................59

Common Internal Spanning Tree....................................................................................................................59

MSTP configuration guidelines .......................................................................................................................59

MSTP configuration example..........................................................................................................................59

IGMP Snooping

Introduction...........................................................................................................................................................64

Overview...............................................................................................................................................................64

FastLeave .......................................................................................................................................................64

IGMP Filtering.................................................................................................................................................65

Static multicast router......................................................................................................................................65

IGMP Snooping configuration example...........................................................................................................65

Remote monitoring

Introduction...........................................................................................................................................................74

Overview...............................................................................................................................................................74

RMON group 1 — statistics.............................................................................................................................74

RMON group 2 — history................................................................................................................................77

RMON group 3 — alarms................................................................................................................................79

RMON group 9 — events................................................................................................................................83

High availability

Introduction...........................................................................................................................................................85

Uplink Failure Detection .......................................................................................................................................85

Failure Detection Pair......................................................................................................................................86

Spanning Tree Protocol with UFD...................................................................................................................86

Configuration guidelines..................................................................................................................................86

Monitoring Uplink Failure Detection................................................................................................................87

Configuring Uplink Failure Detection...............................................................................................................87

Troubleshooting tools

Introduction...........................................................................................................................................................90

Port Mirroring........................................................................................................................................................90

Configuring Port Mirroring (AOS CLI example)...............................................................................................91

Configuring Port Mirroring (BBI example).......................................................................................................92

Other network troubleshooting techniques...........................................................................................................94

Console and Syslog messages.......................................................................................................................94

Ping.................................................................................................................................................................94

Trace route......................................................................................................................................................94

Statistics and state information.......................................................................................................................94

Accessing the switch 4

Customer support tools...................................................................................................................................94

Accessing the switch 5

Accessing the switch

Introduction

This guide describes how to use and configure the switch on the Layer2 switch mode. For the information of how to use on the SmartPanel mode, see the SmartPanel Reference Guide. For the information of SSH, RADIUS, and TACACS+ on the SmartPanel mode, this guide will help you.

This guide will help you plan, implement, and administer the switch software. Where possible, eac h section provides feature overviews, usage examples, and configuration instructions.

• “Accessing the switch” describes how to configure and view information and statistics on the switch over an IP network. This chapter also discusses different methods to manage the switch for remote administrators, such as setting specific IP addresses and using Remote Authentication Dial-in User Service (RADIUS) authentication, Secure Shell (SSH), and Secure Copy (SCP) for secure access to the switch.

• “Ports and port trunking” describes how to group multiple physical ports together to aggregate the bandwidth between large-scale network devices.

• “VLANs” describes how to configure Virtual Local Area Networks (VLANs) for creating separate network segments, including how to use VLAN tagging for devices that use multiple VLANs.

• “Spanning Tree Protocol” discusses how spanning trees configure the network so that the switch uses the most efficient path when multiple paths exist.

• “Rapid Spanning Tree Protocol/Multiple Spanning Tree Protocol” describes extensions to the Spanning Tree Protocol that provide rapid convergence of spanning trees for fast reconfiguration of the network.

• “IGMP Snooping” describes how to use IGMP to conserve bandwidth in a multicast-switching environment.

• “Remote Monitoring” describes how to configure the RMON agent on the switch, so the switch can exchange

network monitoring data.

• “High Availability” describes how the switch supports high-availabilit y network topologies. This release provides Uplink Failure Detection.

• “Troubleshooting tools” describes Port Mirroring and other troubleshooting techniques.

Additional references

Additional information about installing and configuring the switch is available in the following guides.

• N8406-022A 1Gb Intelligent L2 Switch User’s Guide

• N8406-022A 1Gb Intelligent L2 Switch Command Reference Guide (AOS)

• N8406-022A 1Gb Intelligent L2 Switch Command Reference Guide (ISCLI)

• N8406-022A 1Gb Intelligent L2 Switch Browser-based Interface Reference Guide

• N8406-022A 1Gb Intelligent L2 Switch SmartPanel Reference Guide

Typographical conventions

The following table describes the typographic styles used in this guide:

Table 1 Typographic conventions

Typeface or symbol Meaning Example

AaBbCc123

[ ]

This type depicts onscreen computer output and prompts. This type displays in command examples and shows text that must be typed in exactly as shown. This bracketed type displays in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows guide titles, special terms, or words to be emphasized. Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.

Main#

Main# sys

To establish a Telnet session, enter:

host# telnet <IP address>

Read your user guide thoroughly.

host# ls [-a]

Accessing the switch 6

Management Network

The 1Gb Intelligent L2 Switch is a Switch Module within the Blade Enclosure. The Blade Enclosur e includes an Enclosure Manager Card which manages the modules and CPU Blades in the enclosure.

The 1Gb Intelligent L2 Switch communicates with the Enclosure Manager Card through its internal management port (port 19). The factory default settings permit management and control access to the switch through the 10/100 Mbps Ethernet port on the Blade Enclosure, or the built-in console port. You also can use the external Ethernet ports to manage and control this switch.

The switch management network has the following characteristics:

• Port 19 — Management port 19 has the following configuration:

• Flow control: both

• Auto-negotiation

• Untagged

• Port VLAN ID (PVID): 4095

• VLAN 4095 — Management VLAN 4095 isolates management traffic within the switch. VLAN 4095 contains

only one member port (port 19). No other ports can be members of VLAN 4095.

• Interface 256 — Management interface 256 is associated with VLAN 4095. No other interfaces can be associated with VLAN 4095. You can configure the IP address of the management interface manually or through Dynamic Host Control Protocol (DHCP).

• Gateway 4 — This gateway is the default gateway for the management interface.

• STG 32 — If the switch is configured to use multiple spanning trees, spanning tree group 32 (STG 32)

contains management VLAN 4095, and no other VLANS are allowed in STG 32. The default status of STG 32 is off. If the switch is configured to use Rapid Spanning Tree Protocol, STG 1 contains management VLAN 4095.

To access the switch management interface:

• Use the Enclosure Manager Card internal DHCP server, through Enclosure-Based IP Addressing

• Assign a static IP interface to the switch management interface

(interface 256).

Connecting through the console port

Using a null modem cable, you can directly connect to the switch through the console port. A console connection is required in order to configure Telnet or other remote access applications. For more information on establishing console connectivity to the switch, see the User’s Guide.

Connecting through Telnet

By default, Telnet is enabled on the switch. Once the IP parameters are configured, you can access the CLI from any workstation connected to the network using a Telnet connection. Telnet access provides the same options for a user and an administrator as those available through the console port, minus certain commands. T he switch supports four concurrent Telnet connections.

To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the telnet command, followed by the switch IP address:

telnet <switch IP address>

Connecting through Secure Shell

By default, the Secure Shell (SSH) protocol is disabled on the switch. SSH enables you to securely log into another computer over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure. For more information, see the “Secure Shell and Secure Copy” section later in this chapter. For additional information on the CLI, see the

Command Reference Guide.

Accessing the switch 7

Using the command line interfaces

The command line interface (CLI) can be accessed via local terminal connection or a remote session using Telnet or SSH. The CLI is the most direct method for collecting switch information and performing switch configuration.

The switch provides two CLI modes: The menu-based AOS CLI, and the tree-based ISCLI. You can set the switch to use either CLI mode.

The Main Menu of the AOS CLI, with administrator privileges, is displayed below:

[Main Menu] info - Information Menu stats - Statistics Menu cfg - Configuration Menu oper - Operations Command Menu boot - Boot Options Menu maint - Maintenance Menu diff - Show pending config changes [global command] apply - Apply pending config changes [global command] save - Save updated config to FLASH [global command] revert - Revert pending or applied changes [global command] exit - Exit [global command, always available]

For complete information about the AOS CLI, refer to the Command Reference Guide (AOS). The ISCLI provides a tree-based command structure, for users familiar with similar products. An example of a typical ISCLI command is displayed below:

Switch(config)# spanning-tree stp 1 enable

For complete information about the ISCLI, refer to the Command Reference Guide (ISCLI).

Configuring an IP interface

An IP interface address must be set on the switch to provide management access to the switch over an IP network. By default, the management interface is set up to request its IP address from a DHCP server on the Enclosure Manager Card.

If you configure an IP address manually, the following example shows how to manually configure an IP address on the switch:

1. Configure an IP interface for the Telnet connection, using the sample IP address of 205.21.17.3.

2. The pending subnet mask address and broadcast address are automatically calculated.

>> # /cfg/l3/if 256

>> IP Interface 256# addr 205.21.17.3

Current IP address: 0.0.0.0

New pending IP address: 205.21.17.3

Pending new subnet mask: 255.255.255.0

. . . . . . . . . . . .

>> IP Interface 256# ena

3. If necessary, configure default gateway.

(Select IP interface 256)

(Assign IP address for the interface)

(Enable IP interface 256)

Accessing the switch 8

4. Configuring the default gateways allows the switch to send outbound traffic to the routers.

>> IP Interface 256# ../gw 4 (Select default gateway 4)

>> Default gateway 4# addr 205.21.17.1 (Assign IP address for a router)

>> Default gateway 4# ena (Enable default gateway 4)

5. Apply, verify, and save the configuration.

>> Default gateway 4# apply (Apply the configuration)

>> Default gateway 4# save (Save the configuration)

>> # /cfg/dump (Verify the configuration)

NOTE: When the dhcp function on this switch is enabled, the IP address obtained from the DHCP server overrides the static IP address configured manually.

Using the Browser-based Interface

By default, the Browser-based Interface (BBI) protocol is enabled on the switch. The Browser-based Interface (BBI) provides access to the common configuration, management and operation features of the switch through your Web browser. For more information, see the Browser-based Interface Reference Guide.

The BBI is organized at a high level as follows:

• Configuration — These menus provide access to the configuration elements for the entire switch.

• System — Configure general switch configuration elements.

• Switch ports — Configure switch ports and related features.

• Port-based port mirroring — Configure mirrored ports and monitoring ports.

• Layer 2 — Configure Layer 2 features, including trunk groups, VLANs, and Spanning Tree Protocol.

• RMON menu — Configure Remote Monitoring (RMON) functions.

• Layer 3 — Configure all of the IP related information, including IGMP Snooping.

• Uplink Failure Detection — Configure a Failover Pair of Links to Monitor and Links to Disable.

• Statistics — These menus provide access to the switch statistics and state information.

• Dashboard — These menus display settings and operating status of a variety of switch features.

Using Simple Network Management Protocol

The switch software provides SNMP v1.0 and SNMP v3.0 support for access through any network management software.

SNMP v1.0

To access the SNMP agent on the switch, the read and write community strings on the SNMP manager should be configured to match those on the switch. The default read community string on the switch is public and the default write community string is private.

The read and write community strings on the switch can be changed using the following commands on the CLI.

and

The SNMP manager should be able to reach the management interface or any one of the IP interfaces on the switch.

For the SNMP manager to receive the traps sent out by the SNMP agent on the switch, the trap host on the switch should be configured with the following command:

For more details, see “Configuring SNMP trap hosts”.

>> /cfg/sys/ssnmp/rcomm

>> /cfg/sys/ssnmp/wcomm

/cfg/sys/ssnmp/snmpv3/taddr

Accessing the switch 9

SNMP v3.0

SNMPv3 is an enhanced version of the Simple Network Management Protocol, approved by the Internet Engineering Steering Group in March, 2002. SNMP v3.0 contains additional security and authentication features that provide data origin authentication, data integrity checks, timeliness indicators, and encr yption to prot ect against threats such as masquerade, modification of information, message stream modification, and disclosure.

SNMP v3 ensures that the client can use SNMP v3 to query the MIBs, mainly for security. To access the SNMP v3.0 menu, enter the following command in the CLI:

>> # /cfg/sys/ssnmp/snmpv3

For more information on SNMP MIBs and the commands used to configure SNMP on the switch, see the Command Reference Guide.

Default configuration

The switch software has two users by default. Both the users 'adminmd5' and 'adminsha' have access to all the MIBs supported by the switch.

1. username 1: adminmd5/password adminmd5. Authentication used is MD5.

2. username 2: adminsha/password adminsha. Authentication used is SHA.

3. username 3: v1v2only/password none.

To configure an SNMP user name, enter the following command from the CLI:

>> # /cfg/sys/ssnmp/snmpv3/usm 6

User configuration

Users can be configured to use the authentication/privacy options. Currentl y we support two authentication algorithms: MD5 and SHA. These can be specified using the command: /cfg/sys/ssnmp/snmpv3/usm <x>/auth md5|sha

1. To configure a user with name 'test,' authentication type MD5, and authentication password of 'test,' privacy option DES with privacy password of 'test,' use the following CLI commands:

>> # /cfg/sys/ssnmp/snmpv3/usm 5 >> SNMPv3 usmUser 5 # name "test" >> SNMPv3 usmUser 5 # auth md5 >> SNMPv3 usmUser 5 # authpw test >> SNMPv3 usmUser 5 # priv des

2. Once a user is configured you need to specify the access level for this user along with the views the user is

3. The group table links the user to a particular access group.

If you want to allow user access only to certain MIBs, see the “View based configurations” section.

>> SNMPv3 usmUser 5 # privpw test

allowed access to. This is specified in the access table.

>> # /cfg/sys/ssnmp/snmpv3/access 5 >> SNMPv3 vacmAccess 5 # name "testgrp" >> SNMPv3 vacmAccess 5 # level authPriv >> SNMPv3 vacmAccess 5 # rview "iso" >> SNMPv3 vacmAccess 5 # wview "iso" >> SNMPv3 vacmAccess 5 # nview "iso"

>> # /cfg/sys/ssnmp/snmpv3/group 5 >> SNMPv3 vacmSecurityToGroup 5 # uname test >> SNMPv3 vacmSecurityToGroup 5 # gname testgrp

Accessing the switch 10

View based configurations

CLI user equivalent

To configure an SNMP user equivalent to the CLI 'user,' use the following configuration:

/c/sys/ssnmp/snmpv3/usm 4 name "usr" /c/sys/ssnmp/snmpv3/access 3 name "usrgrp" rview "usr" wview "usr" nview "usr" /c/sys/ssnmp/snmpv3/group 4 uname usr gname usrgrp /c/sys/ssnmp/snmpv3/view 6 name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.1.2" /c/sys/ssnmp/snmpv3/view 7 name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.1.3" /c/sys/ssnmp/snmpv3/view 8 name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.2.2" /c/sys/ssnmp/snmpv3/view 9 name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.2.3" /c/sys/ssnmp/snmpv3/view 10 name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.3.2" /c/sys/ssnmp/snmpv3/view 11 name "usr" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.3.3"

CLI oper equivalent

To configure an SNMP user equivalent to the CLI ‘oper’, use the following configuration:

/c/sys/ssnmp/snmpv3/usm 5 name "oper" /c/sys/ssnmp/snmpv3/access 4 name "opergrp" rview "oper" wview "oper" nview "oper" /c/sys/ssnmp/snmpv3/group 4 uname oper gname opergrp /c/sys/ssnmp/snmpv3/view 20 name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.1.2" /c/sys/ssnmp/snmpv3/view 21 name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.1.3" /c/sys/ssnmp/snmpv3/view 22 name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.2.2" /c/sys/ssnmp/snmpv3/view 23 name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.2.3" /c/sys/ssnmp/snmpv3/view 24 name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.3.2" /c/sys/ssnmp/snmpv3/view 25 name "oper" tree " 1.3.6.1.4.1.11.2.3.7.11.33.1.2.3.3"

Accessing the switch 11

Configuring SNMP trap hosts

SNMPv1 trap host

1. Configure a user with no authentication and password.

/c/sys/ssnmp/snmpv3/usm 10

2. Configure an access group and group table entries for the user. The command

3. Configure an entry in the notify table.

4. Specify the IP address and other trap parameters in the targetAddr and targetParam tables. The

5. The community string used in the traps is specified using the community table.

name "v1trap"

/c/sys/ssnmp/snmpv3/access <x>/nview can be used to specify which traps can be received by the

user. In the example below the user will receive the traps sent by the switch.

/c/sys/ssnmp/snmpv3/access 10 name "v1trap" model snmpv1 nview "iso" /c/sys/ssnmp/snmpv3/group 10 model snmpv1 uname v1trap gname v1trap

/c/sys/ssnmp/snmpv3/notify 10 name v1trap tag v1trap

c/sys/ssnmp/snmpv3/tparam <x>/uname command is used to specify the user name used with this

targetParam table.

/c/sys/ssnmp/snmpv3/taddr 10 name v1trap addr 47.80.23.245 taglist v1trap pname v1param /c/sys/ssnmp/snmpv3/tparam 10 name v1param mpmodel snmpv1 uname v1trap model snmpv1

/c/sys/ssnmp/snmpv3/comm 10 index v1trap name public uname v1trap

Accessing the switch 12

SNMPv2 trap host configuration

The SNMPv2 trap host configuration is similar to the SNMPv1 trap host configuration. Wherever you specify the model you need to specify snmpv2 instead of snmpv1.

c/sys/ssnmp/snmpv3/usm 10 name "v2trap" /c/sys/ssnmp/snmpv3/access 10 name "v2trap" model snmpv2 nview "iso" /c/sys/ssnmp/snmpv3/group 10 model snmpv2 uname v2trap gname v2trap /c/sys/ssnmp/snmpv3/taddr 10 name v2trap addr 47.81.25.66 taglist v2trap pname v2param /c/sys/ssnmp/snmpv3/tparam 10 name v2param mpmodel snmpv2c uname v2trap model snmpv2 /c/sys/ssnmp/snmpv3/notify 10 name v2trap tag v2trap /c/sys/ssnmp/snmpv3/comm 10 index v2trap name public uname v2trap

SNMPv3 trap host configuration

To configure a user for SNMPv3 traps you can choose to send the traps with both privacy and authentication, with authentication only, or without privacy or authentication.

This is configured in the access table using the command: /c/sys/ssnmp/snmpv3/access <x>/level, and /c/sys/ssnmp/snmpv3/tparam <x>. The user in the user table should be configured accordingly.

It is not necessary to configure the community table for SNMPv3 traps because the community string is not used by SNMPv3.

The following example shows how to configure a SNMPv3 user v3trap with authentication onl y:

/c/sys/ssnmp/snmpv3/usm 11 name "v3trap" auth md5 authpw v3trap /c/sys/ssnmp/snmpv3/access 11 name "v3trap" level authNoPriv nview "iso" /c/sys/ssnmp/snmpv3/group 11 uname v3trap gname v3trap /c/sys/ssnmp/snmpv3/taddr 11 name v3trap addr 47.81.25.66 taglist v3trap pname v3param /c/sys/ssnmp/snmpv3/tparam 11 name v3param uname v3trap level authNoPriv /c/sys/ssnmp/snmpv3/notify 11 name v3trap tag v3trap

For more information on using SNMP, see the Command Reference Guide.

Accessing the switch 13

Secure access to the switch

Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured management:

• Limiting management users to a specific IP address range. See the “Setting allowable source IP address ranges” section in this chapter.

• Authentication and authorization of remote administrators. See the “RADIUS authentication and authorization” section or the “TACACS+ authentication” section, both later in this chapter.

• Encryption of management information exchanged between the remote administrator and the switch. See the “Secure Shell and Secure Copy” section later in this chapter.

Setting allowable source IP address ranges

To limit access to the switch without having to configure filters for each switch port, you can set a source IP address (or range) that will be allowed to connect to the switch IP interface through Telnet, SSH, SNMP, or the switch browser-based interface (BBI).

When an IP packet reaches the application switch, the source IP address is checked against the range of addresses defined by the management network and management mask. If the source IP address of the host or hosts is within this range, it is allowed to attempt to log in. Any packet addressed to a switch IP interface with a source IP address outside this range is discarded.

Configuring an IP address range for the management network

Configure the management network IP address and mask from the System Menu in the CLI. For example:

>> Main# /cfg/sys/access/mgmt/add

Enter Management Network Address: 192.192.192.0

Enter Management Network Mask: 255.255.255.128

In this example, the management network is set to 192.192.192.0 and management mask is set to

255.255.255.128. This defines the following range of allowed IP addresses: 192.192.192.1 to 192.192.192.127.

The following source IP addresses are granted or not granted access to the switch:

• A host with a source IP address of 192.192.192.21 falls within the defined range and would be allowed to access the switch.

• A host with a source IP address of 192.192.192.192 falls outside the defined range and is not granted access. To make this source IP address valid, you would need to shift the host to an IP address within the valid range specified by the mnet and mmask or modify the mnet to be 192.192.192.128 and the mmask to be

255.255.255.128. This would put the 192.192.192.192 host within the valid range allowed by the mnet and mmask (192.192.192.128-255).

RADIUS authentication and authorization

The switch supports the Remote Authentication Dial-in User Service (RADIUS) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS) — the switch — is a client to the back-end database server. A remote user (the remote administrator) interacts only with the RAS, not the back-end server and database.

RADIUS authentication consists of the following components:

• A protocol with a frame format that utilizes User Datagram Protocol (UDP) over IP, based on Request For Comments (RFC) 2138 and 2866

• A centralized server that stores all the user authorization information

• A client, in this case, the switch

The switch, acting as the RADIUS client, communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back-end RADIUS server.

Accessing the switch 14

How RADIUS authentication works

RADIUS authentication works as follows:

1. A remote administrator connects to the switch and provides the user name and password.

2. Using Authentication/Authorization protocol, the switch sends the request to the authentication server.

3. The authentication server checks the request against the user ID database.

4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access.

Configuring RADIUS on the switch (AOS CLI example)

To configure RADIUS on the switch, do the following:

1. Turn RADIUS authentication on, and then configure the Primary and Secondary RADIUS servers. For example:

>> Main# /cfg/sys/radius (Select the RADIUS Server menu)

>> RADIUS Server# on (Turn RADIUS on)

Current status: OFF

New status: ON

>> RADIUS Server# prisrv 10.10.1.1 (Enter primary server IP)

Current primary RADIUS server: 0.0.0.0

New pending primary RADIUS server: 10.10.1.1

>> RADIUS Server# secsrv 10.10.1.2 (Enter secondary server IP)

Current secondary RADIUS server: 0.0.0.0

New pending secondary RADIUS server: 10.10.1.2

2. Configure the primary RADIUS secret and secondary RADIUS secret.

>> RADIUS Server# secret

Enter new RADIUS secret: <1-32 character secret>

>> RADIUS Server# secret2

Enter new RADIUS second secret: <1-32 character secret>

CAUTION: If you configure the RADIUS secret using any method other than a direct console connection, the secret may be transmitted over the network as clear text.

3. If desired, you may change the default User Datagram Protocol (UDP) port number used to listen to RADIUS.

4. The well-known port for RADIUS is 1645.

>> RADIUS Server# port

Current RADIUS port: 1645

Enter new RADIUS port [1500-3000]: <port number>

5. Configure the number of retry attempts for contacting the RADIUS server and the timeout period.

>> RADIUS Server# retries

Current RADIUS server retries: 3

Enter new RADIUS server retries [1-3]:<server retries>

>> RADIUS Server# time

Current RADIUS server timeout: 3

Enter new RADIUS server timeout [1-10]: 10 (Enter the timeout period in seconds)

6. Configure the number of retry attempts for contacting the RADIUS server and the timeout period.

>> RADIUS Server# apply

>> RADIUS Server# save

Accessing the switch 15

Configuring RADIUS on the switch (BBI example)

1. Configure RADIUS parameters. a. Click the Configure context button. b. Open the System folder, and select Radius.

Open

Select

c. Enter the IP address of the primary and secondary RADIUS servers, and enter the RADIUS secret for

each server. Enable the RADIUS server.

CAUTION: If you configure the RADIUS secret using any method other than a direct console connection, the secret may be transmitted over the network as clear text.

d. Click Submit.

Accessing the switch 16

2. Apply, verify, and save the configuration.

RADIUS authentication features

The switch supports the following RADIUS authentication features:

• Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and RFC 2866.

• Allows RADIUS secret password up to 32 bytes.

• Supports secondary authentication server so that when the primary authent ication server is unreachable, the

switch can send client authentication requests to the secondary authentication server. Use the /cfg/sys/radius/cur command to show the currently active RADIUS authentication server.

• Supports user-configurable RADIUS server retry and time-out values:

• Time-out value = 1-10 seconds

• Retries = 1-3

• The switch will time out if it does not receive a response from the RADIUS server in one to three retries. The

switch will also automatically retry connecting to the RADIUS server before it declares the server down.

• Supports user-configurable RADIUS application port. The default is 1645/User Data gram Protocol (UDP)- based on RFC 2138. Port 1812 is also supported.

• Allows network administrator to define privileges for one or more specific users to access the switch at the RADIUS user database.

• Allows the administrator to configure RADIUS backdoor and secure backdoor for Telnet, SSH, HTTP, and HTTPS access.

User accounts for RADIUS users

1. Apply

2. Verify

3. Save

The user accounts listed in the following table can be defined in the RADIUS server dictionary file.

Table 2 User access levels

User account Description and tasks performed User User interaction with the switch is completely passive; nothing can be changed on the switch.

Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.

Operator Operators can only effect temporary changes on the switch. These changes are lost when

the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation, but do have access to the Maintenance menu. By default, the operator account is disabled and has no password.

Administrator Administrators are the only ones that can make permanent changes to the switch

configuration — changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the switch level. Because administrators can also make temporary (operator-level) changes as well, they must be aware of the interactions between temporary and permanent changes.

Accessing the switch 17

RADIUS attributes for user privileges

When the user logs in, the switch authenticates the level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server.

If the authentication server successfully authenticates the remote user, the switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has the option to allow backdoor access through the console port only, or through the console and Telnet/SSH/HTTP/HTT PS access. When backdoor access is enabled, access is allowed even if the primary and secondary authentic ation servers are reachable. Only when both the primary and secondary authentication servers are not reachable, the administrator has the option to allow secure backdoor (secbd) access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When RADIUS is on, you can have either back door or secure backdoor enabl ed, but not both at the same time. The default value for backdoor access through the console port only is enabled. You always can access the switch via the console port, by using noradius and the administrator password, whether backdoor/secure backdoor are enabled or not. The default value for backdoor and secure backdo or access through Telnet/SSH/HTTP/HTTPS is disabled.

All user privileges, other than those assigned to the administrator, must be defined in the RADIUS dictionary. RADIUS attribute 6, which is built into all RADIUS servers, defines the administrator. The file name of the dictionary is RADIUS vendor-dependent. The RADIUS attributes shown in the following table are defined for user privilege levels.

Table 3 Proprietary attributes for RADIUS

User name/access User service type Value User Vendor-supplied 255 Operator Vendor-supplied 252

TACACS+ authentication

The switch software supports authentication, authorization, and accounting with networks using the Cisco Systems TACACS+ protocol. The switch functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. T he remote user is defined as someone requiring management access to the switch either through a data or management port.

TACACS+ offers the following advantages over RADIUS:

• TACACS+ uses TCP-based connection-oriented transport; whereas RADIUS is UDP based. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requir es additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers.

• TACACS+ offers full packet encryption whereas RADIUS offers password-only encryption in authentication requests.

• TACACS+ separates authentication, authorization, and accounting.

How TACACS+ authentication works

TACACS+ works much in the same way as RADIUS authentication.

1. Remote administrator connects to the switch and provides user name and password. NOTE: The user name and password can have a maximum len gth of 128 characters. The password

cannot be left blank.

2. Using Authentication/Authorization protocol, the switch sends request to authentication server.

3. Authentication server checks the request against the user ID database.

4. Using TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access.

During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command.

TACACS+ authentication features

Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. Switch software supports ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time password authentication are not supported.

Accessing the switch 18

Authorization

Authorization is the action of determining a user’s privileges on the device, and usually takes place after authentication.

The default mapping between TACACS+ authorization privilege levels and switch management access levels is shown in the table below. The privilege levels listed in the following table must be defined on the TACACS+ server.

Table 4 Default TACACS+ privilege levels

User access level TACACS+ level user 0

oper 3 admin 6

Alternate mapping between TACACS+ privilege levels and this switch management access levels is s hown in the table below. Use the command /cfg/sys/tacacs/cmap ena to use the alternate TACACS+ privilege levels.

Table 5 Alternate TACACS+ privilege levels

User access level TACACS+ level user 0—1

oper 6— 8 admin 14—15

You can customize the mapping between TACACS+ privilege levels and this switch management access levels. Use the /cfg/sys/tacacs/usermap command to manually map each TACACS+ privilege level (0-15) to a corresponding this switch management access level (user, oper, admin, none).

If the remote user is authenticated by the authentication server, the switch verifies the privileges of the remote user and authorizes the appropriate access. When both the primary and secondary authentication servers are not reachable, the administrator has an option to allow backdoor access via the console only or console and T elnet access. The default is disable for Telnet access and enable for console access. The administrator also can enable secure backdoor (/cfg/sys/tacacs/secbd) to allow access if both the primary and secondary TACACS+ servers fail to respond.

Accounting

Accounting is the action of recording a user’s activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization is not performed via TACACS+, no TACACS+ accounting messages are sent out.

You can use TACACS+ to record and track software logins, configuration changes, and interactive commands. The switch supports the following TACACS+ accounting attributes:

• protocol (console/telnet/ssh/http)

• start_time

• stop_time

• elapsed_time

NOTE: When using the browser-based Interface, the TACACS+ Accounting Stop records are sent only if the Quit button on the browser is clicked.

Accessing the switch 19

Configuring TACACS+ authentication on the switch (AOS CLI example)

1. Turn TACACS+ authentication on, then configure the Primary and Secondar y TACACS+ servers.

>> Main# /cfg/sys/tacacs (Select the TACACS+ Server menu)

>> TACACS+ Server# on (Turn TACACS+ on)

Current status: OFF

New status: ON

>> TACACS+ Server# prisrv 10.10.1.1 (Enter primary server IP)

Current primary TACACS+ server: 0.0.0.0

New pending primary TACACS+ server: 10.10.1.1

>> TACACS+ Server# secsrv 10.10.1.2 (Enter secondary server IP)

Current secondary TACACS+ server: 0.0.0.0

New pending secondary TACACS+ server: 10.10.1.2

2. Configure the TACACS+ secret and second secret.

>> TACACS+ Server# secret

Enter new TACACS+ secret: <1-32 character secret>

>> TACACS+ Server# secret2

Enter new TACACS+ second secret: <1-32 character secret>

CAUTION: If you configure the TACACS+ secret using any method other than a direct console connection, the secret may be transmitted over the network as clear text.

3. If desired, you may change the default TCP port number used to listen to TACACS+.

4. The well-known port for TACACS+ is 49.

>> TACACS+ Server# port

Current TACACS+ port: 49

Enter new TACACS+ port [1-65000]: <port number>

5. Configure the number retry attempts for contacting the TACACS+ server and the timeout period.

>> TACACS+ Server# retries

Current TACACS+ server retries: 3

Enter new TACACS+ server retries [1-3]: 2

>> TACACS+ Server# time

Current TACACS+ server timeout: 5

Enter new TACACS+ server timeout [4-15]: 10 (Enter the timeout period in minutes)

6. Configure custom privilege-level mapping (optional).

>> TACACS+ Server# usermap 2

Current privilege mapping for remote privilege 2: not set

Enter new local privilege mapping: user

>> TACACS+ Server# usermap 3 user

>> TACACS+ Server# usermap 4 user

>> TACACS+ Server# usermap 5 oper

7. Apply and save the configuration.

Accessing the switch 20

Configuring TACACS+ authentication on the switch (BBI example)

1. Configure TACACS+ authentication for the switch. a. Click the Configure context button. b. Open the System folder, and select Tacacs+.

Open

Select

c. Enter the IP address of the primary and secondary TACACS+ servers, and enter the TACACS+ secret.

Enable TACACS+.

d. Click Submit.

Accessing the switch 21

e. Configure custom privilege-level mapping (optional). Click Submit to accept each mapping change.

2. Apply, verify, and save the configuration.

1. Apply

2. Verify

3. Save

Accessing the switch 22

Secure Shell and Secure Copy

Secure Shell (SSH) and Secure Copy (SCP) use secure tunnels to encrypt and secure messages between a remote administrator and the switch. Telnet does not provide this level of security. The Telnet method of managing a switch does not provide a secure connection.

SSH is a protocol that enables remote administrators to log securely into the switch over a network to execute management commands. By default, SSH is disabled (off) on the switch.

SCP is typically used to copy files securely from one machine to another. SCP uses SSH for encryption of data on the network. On a switch, SCP is used to download and upload the switch configuration via secure channels. By default, SCP is disabled on the switch.

The switch implementation of SSH is based on version 1.5 and version 2.0, and supports SSH clients from version

1.0 through version 2.0. Client software can use SSH version 1 or version 2. The following SSH clients are

supported:

• SSH 3.0.1 for Linux (freeware)

• SecureCRT® 4.1.8 (VanDyke Technologies, Inc.)

• OpenSSH_3.9 for Linux (FC 3)

• FedoraCore 3 for SCP commands

• PuTTY Release 0.58 (Simon Tatham) for Windows

Configuring SSH and SCP features (AOS CLI example)

Before you can use SSH commands, use the following commands to turn on SSH and SCP.

Enabling or disabling SSH

To enable the SSH feature, connect to the switch CLI and enter the following commands:

>> # /cfg/sys/sshd/on (Turn SSH on)

Current status: OFF

New status: ON

SSHD# apply (Apply the changes to start generating RSA host and server keys)

RSA host key generation starts

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

RSA host key generation completes (lasts 212549 ms)

RSA host key is being saved to Flash ROM, please don’t reboot the box immediately.

RSA server key generation starts

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

RSA server key generation completes (lasts 75503 ms)

RSA server key is being saved to Flash ROM, please don’t reboot the box immediately.

------------------------------------------------------------------------Apply complete; don’t forget to “save” updated configuration.

NOTE: Secure Shell can be configured using the console port only. SSH menus do not display if you access the switch using Telnet or the Browser-based Interface.

Accessing the switch 23

Enabling or disabling SCP apply and save

Enter the following commands from the switch CLI to enable the SCP putcfg_apply and putcfg_apply_save commands:

>> # /cfg/sys/sshd/ena (Enable SCP apply and save)

>> # /cfg/sys/sshd/dis (Disable SCP apply and save)

SSHD# apply (Apply the changes)

Configuring the SCP administrator password

To configure the scpadmin (SCP administrator) password, first connect to the switch via the RS-232 management console. For security reasons, the scpadmin password can be configured only when connected directly to the switch console.

To configure the password, enter the following CLI command. At factory default settings, the current SCP administrator password is admin.

>> # /cfg/sys/sshd/scpadm

Changing SCP-only Administrator password; validation required. . .

Enter current administrator password: <password>

Enter new SCP-only administrator password: <new password>

Re-enter new SCP-only administrator password: <new password>

New SCP-only administrator password accepted.

IMPORTANT: The SCP-only administrator password must be different from the regular administrator password.

Using SSH and SCP client commands

The following shows the format for using some client commands. The examples below use 205.178.15.157 as the IP address of a sample switch.

Logging in to the switch

Enter the following command to log in to the switch:

ssh <user>@<switch IP address>

For example:

>> # ssh admin@205.178.15.157

Downloading configuration from the switch using SCP

Enter the following command to download the switch configuration using SCP. You will be prompted for a password:

scp <user>@<switch IP address>:getcfg <local filename>

For example:

>> # scp scpadmin@205.178.15.157:getcfg ad4.cfg

The switch prompts you for the scpadmin password.

Uploading configuration to the switch using SCP

Enter the following command to upload configuration to the switch. You will be prompted for a password.

scp <local filename> <user>@<switch IP address>:putcfg

Accessing the switch 24

For example:

>> # scp ad4.cfg admin@205.178.15.157:putcfg

Applying and saving configuration

Enter the apply and save commands after the command above (scp ad4.cfg 205.178.15.157:putcfg), or use the following commands. You will be prompted for a password.

>> # scp <local_filename> <user>@<switch IP addr>:putcfg_apply

>> # scp <local_filename> <user>@<switch IP addr>:putcfg_apply_save

For example:

>> # scp ad4.cfg admin@205.178.15.157:putcfg_apply

>> # scp ad4.cfg admin@205.178.15.157:putcfg_apply_save

Note the following:

• The diff command is automatically executed at the end of putcfg to notify the remote client of the difference between the new and the current configurations.

• putcfg_apply runs the apply command after the putcfg is done.

• putcfg_apply_save saves the new configuration to the flash after putcfg_appl y is done.

• The putcfg_apply and putcfg_apply_save commands are provided because extra apply and save commands

are usually required after a putcfg.

SSH and SCP encryption of management messages

The following encryption and authentication methods are supported for SSH and SCP:

• Server Host Authentication — Client RSA authenticates the switch at the beginning of every connection

• Key Exchange — RSA

• Encryption — AES256-CBC, AES192-CBC, 3DES-CBC, 3DES, ARCFOUR

• User Authentication — Local password authentication, RADIUS, TACACS+

Accessing the switch 25

Generating RSA host and server keys for SSH access

To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify the switch. The server key is 768 bits and is used to make it impossible to decipher a captured session by breaking into the switch at a later time.

When the SSH server is first enabled and applied, the switch automatically generates the RSA host and server keys and is stored in the flash memory.

To configure RSA host and server keys, first connect to the switch console connection (commands are not available via Telnet connection), and enter the following commands to generate them manuall y:

>> # /cfg/sys/sshd/hkeygen (Generates the host key)

>> # /cfg/sys/sshd/skeygen (Generates the server key)

These two commands take effect immediately without the need of an apply command. When the switch reboots, it will retrieve the host and server keys from the flash memory. If these two keys are not

available in the flash memory and if the SSH server feature is enabled, the switch automatically generates them during the system reboot. This process may take several minutes to complete.

The switch can also automatically regenerate the RSA server key. To set the interval of RSA server key autogeneration, use the following command:

>> # /cfg/sys/sshd/intrval <number of hours (0-24)>

A value of 0 denotes that RSA server key autogeneration is disabled. When greater than 0, the s witch will auto generate the RSA server key every specified interval; however, RSA server key generation is skipped if the switch is busy doing other key or cipher generation when the timer expires.

The switch will perform only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be able to log in if the switch is performing key generation at that time, or if another client has logged in immediately prior. Also, key generation will fail if an SSH/SCP client is logging in at that time.

SSH/SCP integration with RADIUS and TACACS+ authentication

SSH/SCP is integrated with RADIUS and TACACS+ authentication. After the RADIUS or TACACS+ server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified RADIUS or TACACS+ servers for authentication. The redirection is transparent to the SSH clients.

Accessing the switch 26

User access control

The switch allows an administrator to define end user accounts that permit end users to perform limited actions on the switch. Once end user accounts are configured and enabled, the switch requires username/password authentication.

For example, an administrator can assign a user who can log into the switch and perform operational commands (effective only until the next switch reboot).

The administrator defines access levels for each switch user, as shown in the following table.

Table 6 User access levels

User account Description Password admin The Administrator has complete access to all menus, information, and

configuration commands on the switch, including the ability to change both the user and administrator passwords.

oper The Operator manages all functions of the switch. The Operator can reset

ports or the entire switch.

user The User has no direct responsibility for switch management.

He/she can view all switch status information and statistics but cannot make any configuration changes to the switch.

Passwords can be up to 128 characters in length for TACACS+, RADIUS, Telnet, SSH, console, and BBI access. If RADIUS authentication is used, the user password on the Radius server will override the user password on the

switch. Also note that the password-change command on the switch modifies only the “use switch” password and has no effect on the user password on the Radius server. RADIUS authentication and user password cannot be used concurrently to access the switch.

admin

oper

user

Setting up user IDs

The administrator can configure up to 10 user accounts. To configure an end-user account, perform the following steps:

1. Select a user ID to define.

>> # /cfg/sys/access/user/uid 1

2. Define the user name and password.

>> User ID 1 # name jane (Assign name “jane” to user ID 1)

Current user name:

New user name: jane

3. Define the user access level. By default, the end user is assigned to the user access level. To change the user’s access level, enter the user Class of Service (cos) command, and select one of the available options.

>> User ID 1 # cos <user|oper|admin>

4. Enable the user ID.

>> # /cfg/sys/access/user/uid <#>/ena

Once an end user account is configured and enabled, the user can login to the switch using the username/password combination. The level of switch access is determined by the user CoS for the account. The CoS corresponds to the user access levels described in the User access levels table.

Accessing the switch 27

Ports and trunking

Introduction

The first part of this chapter describes the different types of ports used on the switch. This information is useful in understanding other applications described in this guide, from the context of the embedded s witch/server environment.

For specific information on how to configure ports for speed, auto-negotiation, and duplex modes, see the port commands in the Command Reference Guide.

The second part of this chapter provides configuration background and examples for trunking multiple ports together. Trunk groups can provide super-bandwidth, multi-link connections between switches or other trunkcapable devices. A trunk group is a group of links that act together, combining their bandwidth to create a single, larger virtual link. The switch provides trunking support for the five external ports, two crosslink ports, and 16 server ports.

Ports on the switch

The following table describes the Ethernet ports of the switch, including the port name and function. NOTE: The actual mapping of switch ports to NIC interfaces is dependant on the operating system software,

the type of server blade, and the enclosure type. For more information, see the User’s Guide.

Table 7 Ethernet switch port names

Port number Port alias 1 Downlink1

2 Downlink2 3 Downlink3 4 Downlink4 5 Downlink5 6 Downlink6 7 Downlink7 8 Downlink8 9 Downlink9 10 Downlink10 11 Downlink11 12 Downlink12 13 Downlink13 14 Downlink14 15 Downlink15 16 Downlink16 17 XConnect1 18 XConnect2 19 Mgmt 20 Uplink1 21 Uplink2 22 Uplink3 23 Uplink4 24 Uplink5

Port trunk groups

When using port trunk groups between two switches, you can create an aggregate li nk operating at up to five Gigabits per second, depending on how many physical ports are combined. The switch supports up to 12 trunk groups per switch, each with up to six ports per trunk group.

The trunking software detects broken trunk links (link down or disabled) and redirects traffic to other trunk members within that trunk group. You can only use trunking if each link has the same configuration for speed, flow control, and auto-negotiation.

Ports and trunking 28

Statistical load distribution

In a configured trunk group containing more than one port, the load distribution is determined by inform ation embedded within the data frame. For IP traffic, the switch will calculate the trunk port to use for forwarding traffic by implementing the load distribution algorithm on value equals to modulus of (XOR of last 3 bits of Source and last 3 bits of Destination IP address). For non-IP traffic, the switch will calculate the trunk port to use for forwarding traffic by implementing the load distribution algorithm on value equals to modul us of (XOR of last 3 bits of Source and last 3 bits of Destination MAC address).

Built-in fault tolerance

Since each trunk group is composed of multiple physical links, the trunk group is inherently fault tolerant. As long as even one physical link between the switches is available, the trunk remains active.

Statistical load distribution is maintained whenever a link in a trunk group is lost or returned to service.

Before you configure trunks

When you create and enable a trunk, the trunk members (switch ports) take on certain settings necessary for correct operation of the trunking feature.

Before you configure your trunk, you must consider these settings, along with specific configurati on rules, as follows:

1. Read the configuration rules provided in the “Trunk group configuration rul es” section.

2. Determine which switch ports (up to six) are to become trunk members (the specific ports making up the trunk).

3. Ensure that the chosen switch ports are set to enabled, using the /cfg/port command.

4. Trunk member ports must have the same VLAN configuration.

5. Consider how the existing spanning tree will react to the new trunk configuration. See the “Spanning Tree Protocol” chapter for spanning tree group configuration guidelines.

6. Consider how existing VLANs will be affected by the addition of a trunk.

Trunk group configuration rules

The trunking feature operates according to specific configuration rules. When creating trunks, consider the following rules that determine how a trunk group reacts in any network topology:

• All trunks must originate from one device, and lead to one destination device. For example, you cannot combine a link from Server 1 and a link from Server 2 into one trunk group.

• Any physical switch port can belong to only one trunk group.

• Trunking must comply with Cisco® EtherChannel® technology.

• All trunk member ports must be assigned to the same VLAN configuration before the trunk can be enabled.

• All trunk member ports must be set to full duplex mode.

• All trunk member ports must be configured for the same speed.

• If you change the VLAN settings of any trunk member, you cannot apply the change until you change the

VLAN settings of all trunk members.

• When an active port is configured in a trunk, the port becomes a trunk member when you enable the trunk using the /cfg/l2/trunk x/ena command. The spanning tree parameters for the port then change to reflect the new trunk settings.

• All trunk members must be in the same spanning tree group and can belong to only one spanning tree group. However if all ports are tagged, then all trunk ports can belong to multiple spanning tree groups.

• When a trunk is enabled, the trunk spanning tree participation setting takes precedence over that of any trunk member.

• You cannot configure a trunk member as a monitor port in a Port Mirroring configuration.

• A monitor port cannot monitor trunks; however, trunk members can be monitored.

Ports and trunking 29

+ 65 hidden pages

NEC N8406-022A User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Accessing the switch

Introduction

Additional references

Typographical conventions

Management Network

Connecting through the console port

Connecting through Telnet

Connecting through Secure Shell

Using the command line interfaces

Configuring an IP interface

Using the Browser-based Interface

Using Simple Network Management Protocol

SNMP v1.0

SNMP v3.0

Default configuration

User configuration

View based configurations

CLI user equivalent

CLI oper equivalent

Configuring SNMP trap hosts

SNMPv1 trap host

SNMPv2 trap host configuration

SNMPv3 trap host configuration

Secure access to the switch

Setting allowable source IP address ranges

Configuring an IP address range for the management network

RADIUS authentication and authorization

How RADIUS authentication works

Configuring RADIUS on the switch (AOS CLI example)

Configuring RADIUS on the switch (BBI example)

RADIUS authentication features

User accounts for RADIUS users

RADIUS attributes for user privileges

TACACS+ authentication

How TACACS+ authentication works

TACACS+ authentication features

Authorization

Accounting

Secure Shell and Secure Copy

Configuring SSH and SCP features (AOS CLI example)

Enabling or disabling SSH

Enabling or disabling SCP apply and save

Configuring the SCP administrator password

Using SSH and SCP client commands

Logging in to the switch

Downloading configuration from the switch using SCP

Uploading configuration to the switch using SCP

Applying and saving configuration

SSH and SCP encryption of management messages

Generating RSA host and server keys for SSH access

SSH/SCP integration with RADIUS and TACACS+ authentication

User access control

Setting up user IDs

Ports and trunking

Introduction

Ports on the switch

Port trunk groups

Statistical load distribution

Built-in fault tolerance

Before you configure trunks

Trunk group configuration rules