Enterasys Switching 2010

Date post: 01-Nov-2014
Page 1: Enterasys Switching 2010

“There is nothing more important than our customers”

Enterprise Switching

Courseware Overview, Version 2.2

Page 2: Enterasys Switching 2010

Course Prerequisites

Student prerequisite knowledge/skills

• Experienced PC user

• Operational knowledge of
  - Ethernet
  - 802.1D standard
  - 802.1Q standard

• Comprehensive understanding of the TCP/IP protocol

Topics not covered in this course

• In-depth discussion of 802.1D or 802.1Q
• TCP/IP
• Network design
• Wireless
• NetSight Management
• Dragon
• NAC
• Routing Protocols

© 2007 Enterasys Networks, Inc. All rights reserved. 2

Page 3: Enterasys Switching 2010

Getting Started & Introductions

• Class Hours: am to ?pm

• Instructor: Luis Alberto Frias Elias and Hugo Mendez Vara

• Attendees
  - Name?
  - Company?
  - Job Description?
  - What is your experience with Switching?
  - Are you currently using ETS products? (Which?)
  - What do you hope to learn about Switching?
  - Do you intend to take the ESE Exam?


Page 4: Enterasys Switching 2010


Enterprise Switching

Product Overview

Page 5: Enterasys Switching 2010

Enterasys Switching Families

• Enterasys’ Matrix and SecureStack switch offerings include the following product families:

  - SecureStack A2
  - SecureStack B2/B3
  - SecureStack C2/C3
  - Enterasys I, D and G series
  - Matrix N-Series Diamond DFE
  - Matrix N-Series Platinum DFE
  - Matrix N-Series Gold DFE
  - Matrix E1


Page 6: Enterasys Switching 2010

Agenda

• Switching Product Overview

• Switch Positioning

• The Enterasys Switching Advantage


Page 7: Enterasys Switching 2010

Enterasys Switch Comparison

Columns on the slide: Matrix N-Series, SecureStack C-Series, SecureStack B-Series, SecureStack A-Series, D-Series, G-Series. Positioning taglines: Basic Connectivity (A-Series); Policy, Optional Routing, L2 and L3 (C-Series); High-end Modular Chassis, L2 and L3 (N-Series); Small, quiet, with Optional Policy (D-Series); More Horse Power and Advanced L2 Capabilities (B- and G-Series).

Matrix N-Series
  - End-to-End L2 & L3 Enterprise Switching
  - Highest System Redundancy Available
  - Highest Density and Most Interface Types
  - Multi-User Policy (up to 256) and Most Extensive Software and Hardware Features
  - 6,000 to 56,000 rules per DFE
  - Multiple Generations of Technology Operate Concurrently in 1 Chassis
  - Support for Basic and Advanced Routing

SecureStack C-Series
  - L2 and L3 10/100 & 10/100/1000 Switching
  - Up to 48 Gb Closed Loop Stacking
  - High Density Stacking (384)
  - Mixture of up to 32 Gb uplinks and/or 16 10 Gb uplinks per stack
  - Policy by default
  - Basic Routing (RIP)
  - C3: IPv6
  - Optional Routing (OSPF, PIM-SM, DVMRP, extended ACLs)

SecureStack B-Series
  - L2 10/100 & 10/100/1000 Switching
  - Up to 24 Gb Closed Loop Stacking
  - High Density Stacking (384)
  - Up to 32 Gb uplinks per stack
  - Optional Policy
  - Multi-User Policy (8)

SecureStack A-Series
  - Low-Cost L2 10/100 Switching
  - 2 Gb Closed Loop Stacking
  - High Density Stacking (384)
  - Up to 16 Gb uplinks per stack
  - No Enterasys Policy Support

D-Series
  - L2 10/100 & 10/100/1000 Switching
  - Small form factor
  - Whisper-quiet fan, on only when needed
  - Optional Policy Available
  - Basic Routing (static routes, RIP v1/2)

G-Series
  - L2 and L3 10/100 & 10/100/1000 Switching
  - Policy by default
  - Basic Routing (RIP)
  - IPv6
  - Optional Routing (OSPF)

Page 8: Enterasys Switching 2010

The Enterasys Switching Advantage

• Business-critical applications
  - Guarantee network availability for business-critical applications
    › Prioritise business-critical applications
    › Streaming video, ERP, VoIP and e-commerce
  - Advanced QoS features:
    › Advanced packet classification
    › Rate limiting
    › Strict and weighted fair queuing
    › Traffic prioritization
  - Policy


Page 9: Enterasys Switching 2010

The Enterasys Switching Advantage

• Secure Networks
  - N-Series, SecureStack and D, G and I Series switches offer user-based security and authentication via standards-based IEEE 802.1X user authentication, as well as alternate methods.
  - N-Series, SecureStack and D, G and I Series switches implement granular control of the network infrastructure with policy.
  - N-Series, SecureStack and D, G and I Series switches support a suite of Secure Networks Solutions, empowered by the ability to understand end users and their business roles within the network.
  - Secure Networks Solutions provide dynamic, preemptive, diagnostic and reactive mechanisms to secure the network.
  - Powerful network management software, NetSight, enables clear visibility of network operation and rapid reconfiguration to adapt to security concerns.


Page 10: Enterasys Switching 2010


Enterprise Switching

SecureStack Switches

Page 11: Enterasys Switching 2010

SecureStack Overview

• Next-Generation, High Density Stackable Gigabit Switching

• Extensive Bandwidth, Performance, Scalability and Flexibility


Page 12: Enterasys Switching 2010

SecureStack Switches Overview

• SecureStack switches are stackable 1U switches
  - There are three series of SecureStack switches (A, B and C), covering the A2, B2, B3, C2 and C3 models

• Stack up to 8 switches
  - All switches in the stack have to be of the same series (all A2s, Bs or Cs)
    › C3s are the top end, then C2, B3, B2 and A2
    › Minimum code version on the B2 is 4.0 to allow a B2/B3 mixed stack
    › Minimum code version on the C2 is 5.0 to allow a C2/C3 mixed stack

• Units should be stacked in a closed loop for redundancy
  - One switch acts as the manager for the stack, allowing configuration of the entire stack using only one IP address or console session
    › Upgrade the firmware on the manager switch and the upgrade is applied to all units in the stack automatically
    › Each switch in the stack is a backup for the manager switch; the backup order is based on unit ID.

• Password reset button at the back of the switches (anyone with physical access to the rear of a unit can reset its password, so restrict physical access to the rack)


Page 13: Enterasys Switching 2010

SecureStack Supported Functionality

• Wire-speed switching on all ports
  - 16,000 MAC addresses
  - 802.3x flow control
    › No flow control between members of a stack
  - Eight hardware queues per port
  - Jumbo frame (9,216) support

• Link Aggregation Groups
  - Max 6 LAGs per system
  - Max 8 ports per LAG
    › 8 for B/C
    › 4 for A2
  - LAG across the stack

• Multiple Spanning Trees (IEEE 802.1s)
  - Max of 4 Spanning Tree Groups
  - IEEE 802.1w (Rapid STP)
  - IEEE 802.1s (Multiple STP)

• Port Mirroring (many-to-one only)
  - Up to 8 ports from/to anywhere in the stack
  - One-to-many is not supported (HW limitation)

• VLAN
  - 1024 VLANs (VLAN IDs 1-4094)
  - Port-based, protocol-based & tagged VLAN
  - GARP and GVRP

• User Security and Authentication (platform dependent)
  - 802.1X Authentication
  - MAC Authentication
  - Port Web Authentication (PWA)
  - “User + IP Phone” Authentication
  - RADIUS authentication (front panel only)

• Host Security
  - MAC Locking

• IGMP Snooping

• SNMPv3

• SSH

• Node Alias Support
  - IP support only

Page 14: Enterasys Switching 2010

SecureStack A2 Series Switches

• A2 Series
  - Supports 24- and 48-port models, both PoE and non-PoE
  - A2H124-24FX: 24-port 100 Mbps MTRJ fiber switch
  - A2H254-16: 8 RJ45 copper ports and 8 MTRJ fiber ports

• All A2s come with 2 SFP Mini-GBIC ports and 2 stack ports on the front of the switch
  - The stack ports on the A2 are RJ45 ports that use CAT5 or better cables
    › When the A2 is in standalone mode (not stacked) the stack ports can be used as standard Gigabit ports by using the set switch stackport {ethernet | stack} command
  - This could give you a total of 28 or 52 active ports, depending on the model.

• No policy support

• No routing support

• Supports 2 Gbps bidirectional throughput per stack port


Page 15: Enterasys Switching 2010

SecureStack B2

Supports everything the A2 does plus:

• CoS and bandwidth control with 8 priority queues per port and rate limiting

• Optional Policy License B3POL-LIC
  - Enables Policy and “User + IP phone” authentication support

• B2 Series
  - Supports 24- and 48-port models, both PoE and non-PoE
  - Supports both 10/100 and triple speed
  - Supports 20 Gbps bidirectional throughput per stack port
  - B2 uses proprietary stack cables C2CAB-LONG & C2CAB-SHORT

• All B2s come with 4 SFP Mini-GBIC ports and 2 stack ports
  - The two stack ports are on the rear of the switch
  - The 10/100 models have the 24/48 10/100 ports and the 4 Mini-GBIC ports active, for a total of 28/52 active ports
  - On triple speed models, the Mini-GBIC ports and the last 4 10/100/1000 ports are “combo ports” (discussed in detail later), so only 24 or 48 ports are active

Page 16: Enterasys Switching 2010

SecureStack B3

Supports everything the B2 does plus:

• Supports 24 Gbps bidirectional throughput per stack port
  - Reverts back to 20 Gbps in a mixed stack

• When working with a mixed B series stack, the stack takes on the lesser of the capabilities of the two devices. For the B2 and B3 mixed stack:
  - The B2 must be running version 4.0 at a minimum to operate in a mixed stack.
  - A Policy License is required for every device in the stack in order for policy to work on the stack at all. A B2 Policy License will operate on a B3.
  - It is recommended that a B3 device be the master of the stack.
  - Concerning layer 2 policy rules:
    › They will not work on any devices (B2s included) in a mixed stack.
    › If the B2 is the master, the layer 2 policy rules should be disabled to avoid a mismatch in the stack.


Page 17: Enterasys Switching 2010

SecureStack C2

Supports everything the B3 does plus:

• Supports policy without a policy license required

• Supports basic IP layer 3 routing (static routes, RIP, basic ACLs)

• Optional License C2L3-LIC (Layer 3 Routing License)
  - Enables OSPF, PIM, DVMRP, VRRP, Extended ACLs

• Supports 40 Gbps bidirectional stacking capacity per stack port
  - The C2H124-48 can have the 48 10/100 ports and the 4 Mini-GBIC ports active, for a total of 52 active ports. The C2K122-24 can have 24 10/100/1000 ports active plus the 2 10-Gigabit uplink ports, for a total of 26 active ports. On the other models, the Mini-GBIC ports and the last 4 10/100/1000 ports are “combo ports”. This is discussed in detail later.


Page 18: Enterasys Switching 2010

SecureStack Switch Offerings

SecureStack C2 10Gbps Switch (C2K122-24)

  - 24 10/100/1000 RJ45 ports and 2 XFP (10 Gb) uplinks (26 total ports)
  - Both 10 Gbps ports can be active simultaneously
  - 10GBASE-SR XFP: 850 nm serial port for 10-Gigabit Ethernet over multi-mode fiber (MMF) via an XFP connector. Supports link lengths from 26 m to 300 m depending on the grade of the fiber installation.
  - 10GBASE-LR XFP: 1310 nm serial port for 10-Gigabit Ethernet over single-mode fiber (SMF) via an XFP connector. Supports 10 Gigabit Ethernet transmission over distances of between 2 km and 10 km.
  - 10GBASE-ER XFP: 1550 nm serial port for 10-Gigabit Ethernet over single-mode fiber (SMF) via an XFP connector. Supports “long haul” 10 Gigabit Ethernet transmission over distances of between 2 km and 40 km.


Page 19: Enterasys Switching 2010

SecureStack C3

Supports everything the C2 does plus:

• Also supports XFPs, via an optional 10GE IOM for the C3K switches
  - All C3s must be running firmware version 1.02.01.0004 for the C3Ks to join the stack

• Supports IPv6 routing, OSPFv3, IGMPv3 snooping, DHCPv6

• The routing license is linked to the switch serial number
  - Therefore each switch in a stack requires a routing license for routing to work on that switch

• Supports 48 Gbps bidirectional stacking capacity per stack port
  - Reverts back to 40 Gbps in a mixed stack

• When working with a mixed C series stack, the stack takes on the lesser of the capabilities of the two devices. For the C2 and C3 mixed stack:
  - The C2 must be running version 5.02.01.xxx at a minimum to operate in a mixed stack.
  - It is recommended that a C3 device be the master of the stack.
  - Concerning layer 2 policy rules:
    › They will not work on any C2 device in a mixed stack.
    › If the C2 is the master, the layer 2 policy rules should be disabled to avoid a mismatch in the stack.
  - IPv6 will not work in a mixed stack.


Page 20: Enterasys Switching 2010

SecureStack C3 Series Switches

• Cisco Phone Discovery & Cisco CDP MIB Support
  - This function updates the existing CDP function to recognize PDUs from Cisco phones. A table of information about detected phones is kept by the switch and can be queried by the network administrator.

• Link Flap Detection
  - The link flap function detects when a link is going up and down rapidly (“link flapping”) on a physical port and takes the required actions (disable the port and eventually send a notification trap) to stop the condition. If left unresolved, link flapping can be detrimental to network stability because it can trigger Spanning Tree and routing table recalculation.

• Set Date & Time via MIB
  - Adds SNMP support to read and write the switch date and time.

• VLAN to Policy mapping on a per-port basis
  - Changes the support from a global configuration to a per-port configuration.

• Selectable Hashing Algorithms
  - Use this command to set the MAC algorithm mode, which determines the hash mechanism used by the device when performing layer 2 lookups on received frames. Each algorithm is optimized for a different spread of MAC addresses. When changing this mode the switch displays a warning message and prompts you to restart the device.

• ctAlias Table Lookup Optimization
  - Supports the ctAliasMacAddressTable in the ctAliasMIB. This contains the same information as the ctAliasTable but is indexed by MAC address.
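Added example, not from the courseware: a small Python detector that applies the link-flap rule described above to link up/down events. The event line format, the threshold (5 transitions within 10 seconds) and the action list are assumptions for illustration; the C3 implements this in firmware with its own thresholds, and real syslog/trap formats differ from the constructed lines below.

```python
"""Link-flap detection over constructed link up/down events.

Added example; the event format, thresholds and sample data are all
assumptions, not the switch's own log format or defaults.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: "<ISO timestamp> <port> <up|down>".
# ge.1.5 bounces six times in nine seconds; ge.1.7 and ge.2.1 do not flap.
SAMPLE_EVENTS = """\
2010-03-01T09:00:00 ge.1.5 down
2010-03-01T09:00:02 ge.1.5 up
2010-03-01T09:00:04 ge.1.5 down
2010-03-01T09:00:06 ge.1.5 up
2010-03-01T09:00:08 ge.1.5 down
2010-03-01T09:00:09 ge.1.5 up
2010-03-01T09:00:10 ge.1.7 down
2010-03-01T09:05:00 ge.1.7 up
2010-03-01T09:00:11 ge.2.1 down
2010-03-01T09:00:12 ge.2.1 up
"""


def parse_events(text):
    """Parse event lines into (timestamp, port, state) tuples.

    Malformed lines are skipped rather than raising, so one bad line in a
    log feed does not stop the detector.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("up", "down"):
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events


def find_flapping_ports(events, max_transitions=5, window_seconds=10):
    """Return {port: peak_transitions} for ports that flap.

    Every event is a link state transition. A port is flapping when a
    sliding window of `window_seconds` contains at least `max_transitions`
    transitions; the value reported is the largest count seen in any window.
    """
    by_port = defaultdict(list)
    for ts, port, _state in sorted(events):
        by_port[port].append(ts)

    flapping = {}
    for port, stamps in by_port.items():
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within the window.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= max_transitions:
                flapping[port] = max(flapping.get(port, 0), count)
    return flapping


def actions_for(flapping):
    """Map flapping ports to the actions the slide describes: disable, then trap."""
    return [(port, "disable", "trap") for port in sorted(flapping)]


if __name__ == "__main__":
    detected = find_flapping_ports(parse_events(SAMPLE_EVENTS))
    for port, action, notify in actions_for(detected):
        print(f"{port}: {detected[port]} transitions -> {action} port, send {notify}")
```

The sliding window is the part worth getting right: counting transitions since boot would eventually flag every port, and counting only consecutive pairs misses a slow flap. Lowering the window to one second with a threshold of two shows the trade-off; ge.2.1, which bounced once, is then flagged too.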


Page 21: Enterasys Switching 2010

SecureStack C3 Series Switches

• IGMPv3 Snooping
  - Provides better control of multicast traffic at layer 2
    › Reduces overhead on the network
    › More efficient use of IGMP messaging reduces the flooding of messages
    › Removes load from the host devices
    › Allows traffic forwarding from sources only to receivers that subscribed

• Setting of static multicast MAC addresses
  - Create and configure static Layer 2 IGMP entries

• VLAN Marking of Mirror Traffic
  - An extension to port mirroring which facilitates simultaneous mirroring of multiple source ports on multiple switches across a network to one or more remote destination ports

• IPv6 Routing
  - OSPFv3
  - Path MTU Discovery
  - IPv6 to IPv4 translation
  - IPv6 Tunnels
  - ICMPv6 messaging, traceroute, ping, SSH2


Page 22: Enterasys Switching 2010

SecureStack B3/C3 Series Switches

• One of the major advantages of the B3 and C3 platforms: the B2 and C2 both had a limit on the number of “masks” that each switch was able to support. This is no longer the case with the B3 and C3.
  - For example, with the 10/100 B2 and C2 policy implementation there is a limit of 18 masks for the entire stack and a limit of 10 masks per policy. This is not the case with the B3 and C3, which are designed to support a 1:1 ratio of masks per policy.
  - The following tables break down the Stack Policy Specifications for the SecureStack B3, C3 and their respective mixed stacks.

B Series Stack Policy Considerations

Type of Stack             B3 Stack    B3/B2G Mix    B3/B2H Mix
# of Rules/Stack          768         768           100
# of Policy Rules/Stack   768         768           18
# of Rules/Policy         100         100           100
# of Masks/Policy         100         10            10
Layer 2 Rule Support      No          No            No

C Series Stack Policy Considerations

Type of Stack             C3 Stack    C3/C2G Mix    C3/C2H Mix
# of Rules/Stack          768         768           100
# of Policy Rules/Stack   768         768           18
# of Rules/Policy         100         100           100
# of Masks/Policy         100         10            10
Layer 2 Rule Support      No          No            No

Page 23: Enterasys Switching 2010

Redundant Power Supplies (non PoE)

• The same power supplies work for the A2, B2 and C series

• C2RPS-PSM is a 150 watt power supply module used for non-PoE switches
  - The PSM unit has its own AC input
  - Do not use with PoE switches

• There are two chassis (shelves) for the C2RPS-PSM (non-PoE)
  - C2RPS-CHAS8 (8-slot chassis) can service a full stack of non-PoE SecureStack switches
    › The C2RPS-SYS is the 8-slot chassis and 1 C2RPS-PSM
    › Dimensions: 8.77 H x 17.3 W x 10.4 D (in.)
  - C2RPS-CHAS2 (2-slot chassis)

• Fully hot swappable

• All cable connections at the rear of the unit

• Management through LEDs and SNMP


Page 24: Enterasys Switching 2010


Enterprise Switching

Matrix N-Series

Page 25: Enterasys Switching 2010

Overview of Matrix N-Series Products

• The Matrix N-Series is a modular enterprise wiring closet solution
  - Supports both Layer 2 switching and Layer 3 IP routing
  - Designed for premium edge, backbone, distribution switching, small core, server farm
  - Forms one logical switch in a chassis

• The Distributed Forwarding Engine (DFE) switch modules
  - Provide Quality of Service (QoS) and wire-speed throughput
  - Three versions of the Matrix N-Series DFE switch modules: Diamond, Platinum & Gold
    › Diamond is the high-end version, Gold the low-end version
  - Processing is load balanced across switch modules

• Chassis that accommodate DFEs:
  - One-slot (N1), three-slot (N3), five-slot (N5) and seven-slot (N7) chassis
  - In addition, the DFEs can also be installed in the Matrix E7 chassis
  - Standalone N-Series NSA (Network Security Architecture)


Page 26: Enterasys Switching 2010

Matrix N-Series

• The Matrix N-Series is a modular design.
  - Four chassis models: the N1, N3, N5 and N7

• The Matrix N-Series Standalone switch (NSA)

• Combines Layer 2 switching with granular Layer 2/3/4 classification

• Supports advanced Layer 3 IP routing

• Three product lines:
  - Distributed Forwarding Engines (DFEs), Diamond: significant processing enhancements over Platinum DFEs, plus increased security, routing and policy scalability
  - DFEs, Platinum: optimised for more features and higher performance
  - DFEs, Gold: optimised for edge connectivity, with fewer capabilities than the Platinum

• Designed for wiring closets, server farm aggregation and distribution switching


Page 27: Enterasys Switching 2010

Matrix N-series Chassis

• The Matrix N Series chassis use a passive, fully meshed backplane
  - File Transfer Matrix 2 (FTM2) point-to-point connectivity between slots
  - No FTM1 connectivity
  - Hot-swap modules and fan trays

• Matrix N1 Chassis (7C111)

• Matrix N3 Chassis (7C103)

• Matrix N5 Chassis (7C105-P)
  - Designed for PoE modules
  - Supports all modules

• Matrix N7 Chassis (7C107)

• Matrix N Series Stand Alone, NSA (2G4072-52)


Page 28: Enterasys Switching 2010

Power Supply Summary

• Characteristics of the N1, N3, N5 and N7 power supplies are shown below

                           Matrix N1                             Matrix N3         Matrix N5                  Matrix N7
Power supply part number   N/A (redundant supplies integrated)   7C203-1           7C205-1                    6C207-3
Power supply wattage       250 W maximum                         863 W maximum     1200 W per power supply    1600 W per power supply (dual input)
Input frequency            50 to 60 Hz                           50 to 60 Hz       50 to 60 Hz                50 to 60 Hz
Input voltage range        100 to 125 Vac                        100 to 125 Vac    100 to 125 Vac             100 to 125 Vac
Input current              12 A maximum                          12 A maximum      12 A maximum               12 A maximum
Minimum power supplies     1 *                                   1 *               1 *                        1 **

* Two power supplies may be installed for redundancy and load sharing.

** Two power supplies are required to support Matrix N7 configurations with six and seven installed DFEs (also, check the power requirements of individual modules as you install them).

• The 6C207-3 has two power connectors. Both power cords MUST be plugged in for the power supply to operate (15 amp circuit required per cord).

Page 29: Enterasys Switching 2010

Distributed Forwarding Engines (DFEs)

• DFEs are based on a family of nTERA™ ASICs (Application Specific Integrated Circuits) and software-based microprocessors

• DFEs are available in several interface types

• The Matrix N-Series DFEs have a fully distributed switch architecture and route processing capabilities
  - Each interface module is individually driven and managed by on-board processors.


Page 30: Enterasys Switching 2010

Advanced Distributed Architecture

• Advantages of this architecture are:
  - Failure only affects users connected to that module.
  - Failure of one DFE does not impact users on other modules.
  - A high-powered CPU per module
  - Custom ASICs, designed specifically for advanced DFE capabilities
  - Redundancy and scalability built into each DFE

• Highly redundant management
  - One module is elected as the primary management module for each management service (host services, routing, SNMP, IP, etc.)
  - All other modules are backups for each service and keep a copy of the management services information
  - Uninterrupted system operation in the event of module failure


Page 31: Enterasys Switching 2010

Advanced Distributed Architecture

• Multiple DFEs in a chassis will select a primary module for system management.
  - If the master fails, another module will assume responsibility for management and distribution of system information.
  - If a new DFE is inserted, it will inherit all system parameters of the unit it replaces.

• If a module needs to be replaced, it will inherit all configuration settings of the previous module as long as the new module is an exact replacement.
  - Any configuration files that were stored in the file system of the newly inserted module will not be deleted and will remain available.


Page 32: Enterasys Switching 2010

Advanced Distributed Architecture

• Matrix N-Series has the ability to store 2 images per chassis
  - Every module keeps a copy of both images
  - All modules run the same firmware version
  - Upgrading a module upgrades the entire chassis

• Several config files can be stored on each DFE module.
  - Every module keeps a copy of the current configuration.
  - Editable text-based config files contain Layer 2 & 3 info

• All config files contain the following info:
  - Global chassis configurations
  - Board-specific configurations


Page 33: Enterasys Switching 2010

Platinum and Gold DFEs

• All Platinum and Gold DFEs ship with firmware, the Enterasys Operating System (EOS)

• All 10/100/1000Base-TX ports support auto-negotiation of duplex mode and speed

• Platinum DFEs are distinguished by the platinum color on the tab and part numbers that begin with 7

• Gold DFEs are distinguished by the gold color on the tab and product numbers that start with 4


Page 34: Enterasys Switching 2010

Platinum and Gold DFEs

• A router is associated to a module using the set router slot command

• Basic routing includes:
  - Static routes
  - VRRP (Virtual Router Redundancy Protocol)
  - Basic ACLs (Access Control Lists)
  - RIP (Routing Information Protocol)
  - Policy Based Routing
  - Denial of Service Protection

• Advanced routing software license (N-EOS-L3) includes:
  - Extended ACLs (Access Control Lists)
  - OSPF (Open Shortest Path First)
  - LSNAT (Load Sharing Network Address Translation)
  - DVMRP (Distance Vector Multicast Routing Protocol)
  - PIM-SM (Protocol Independent Multicast Sparse Mode)

• Only one advanced routing license is required per chassis.


Page 35: Enterasys Switching 2010

Platinum and Gold DFEs – A Comparison

• Features
  - Platinum DFE supports advanced features, such as
    › Multi-User authentication for a maximum of up to 2048 authenticated devices per port, dependent on licenses
    › Advanced port mirroring
    › Weighted Fair Queuing and Strict Priority Queuing
    › FTM1 bridging
  - The Gold DFE supports a “less-robust” feature set, such as
    › Multi-User authentication for 2 authenticated devices per port
    › Strict Priority Queuing only


Page 36: Enterasys Switching 2010

Platinum and Gold DFEs – A Comparison

• Redundancy
  - Gold DFE management is performed by the single DFE installed in slot 1
    › No redundancy by default
  - Gold DFE can be outfitted with a software upgrade (part number N-EOS-RED) to provide 1+1 redundancy.
  - Platinum DFEs provide N+6 redundancy by default
    › Every DFE module is a backup for all others in the chassis
    › Failure of one module will not cause the entire “system” to fail.
    › Up to 2 router instances are supported in a Platinum chassis.


Page 37: Enterasys Switching 2010

DFE Mode Switches

• Platinum & Gold DFEs have mode switches located on the circuit board.
  - Switch block locations are shown on the slide for: 1 – 7H4270-12; 2 – 7H4382-49 and 7H4383-49, 4H4282-49 and 4H4283-49; 3 – 7G4202-30; 4 – 7H4203-72 and 4H4203-72

• Switch definitions and positions are as follows:
  - Switches 1 through 6 – For Enterasys Networks use only.
  - Switch 7 – Clear Persistent Data (NVRAM)
  - Switch 8 – Clear Admin Password. Anyone who can pull the module and flip this switch can clear the admin password, so chassis physical security is part of the access-control story.


Page 38: Enterasys Switching 2010


Enterprise Switching

Device Management

Page 39: Enterasys Switching 2010

Physical Interface Numbers

• Port String Syntax: <port type>.<slot>.<port number>
  - fe.1.1: 100 Mbps port 1 in chassis slot 1
  - ge.3.2-3: 1 Gigabit ports 2 and 3 in chassis slot 3
  - tg.3.1: 10 Gigabit port 1 in chassis slot 3
  (Figure: fe.1.2 annotated as port type, slot and port number)

• Port Type
  - Identical format for Matrix N-series, D, G and I series and SecureStack

• Slot
  - Slot location
  - For Matrix N-series, slot number from left-to-right or bottom-to-top
  - For the D and G series, slot number starting with base ports and counting left-to-right in expansion slots, 0-based
  - For SecureStack, device number in the stack (which may or may not correspond to the device's physical position in the stack), 1-based

• Port Number
  - Identical format for all current switches
  - Number of the port based on the port type in this slot, 1-based
    › Example: fe.1.1 is the first Fast Ethernet port in slot 1
    › Example: ge.1.1 is the first Gigabit Ethernet port in slot 1 (which may logically be the 25th physical port in slot 1)


Page 40: Enterasys Switching 2010

System Interface Numbers

• Other port types include:
  - com: COM (console) port
  - host.0.1: host port
  - bp: backplane port
  - vlan: VLAN interfaces
  - lag: link aggregation ports
  - lbpk: loopback interfaces
  - rtr: router interfaces
  - pc: Matrix Security Module
  (Figure: fe.1.2 annotated as port type, slot and port number)

• Wildcards can be used:
  - fe.*.*: all 100 Mbps ports in the chassis
  - ge.2.*: all Gigabit ports on slot 2
  - ge.*.*: all Gigabit ports in the chassis
  - *.*.*: all ports (physical and virtual, including LAGs) on all slots or modules
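Added example, not from the courseware: a Python parser for the port-string syntax described on the two slides above (type.slot.port, a port range such as ge.3.2-3, and the fe.*.*, ge.2.* and *.*.* wildcards), with an expander that resolves a port string against an inventory of slots and port counts. The inventory is constructed for illustration and every slot/port count in it is an assumption; real chassis and stack layouts differ, and the expander only covers physical port types.

```python
"""Parse and expand Enterasys-style port strings: <type>.<slot>.<port>.

Added example. INVENTORY is a constructed, illustrative layout, not a real
chassis. Ports are 1-based as the slide states; slot 0 is allowed because
virtual types such as host.0.1 use it.
"""
import re

# type: letters or "*"; slot: digits or "*"; port: N, N-M, or "*"
PORT_RE = re.compile(
    r"^(?P<type>[a-z]+|\*)\.(?P<slot>\d+|\*)\.(?P<port>\d+(?:-\d+)?|\*)$"
)


def parse_port_string(spec):
    """Return (type, slot, (lo, hi)); None in any position means a wildcard."""
    m = PORT_RE.match(spec)
    if not m:
        raise ValueError(f"bad port string: {spec!r}")
    ptype = None if m["type"] == "*" else m["type"]
    slot = None if m["slot"] == "*" else int(m["slot"])
    if m["port"] == "*":
        prange = None
    else:
        lo, _, hi = m["port"].partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo < 1 or hi < lo:  # ports are 1-based; ranges must ascend
            raise ValueError(f"bad port range in {spec!r}")
        prange = (lo, hi)
    return ptype, slot, prange


def matches(spec, port_name):
    """True if a concrete port name such as 'ge.3.2' is covered by spec."""
    ptype, slot, prange = parse_port_string(spec)
    t, s, p = port_name.split(".")
    s, p = int(s), int(p)
    return ((ptype is None or t == ptype)
            and (slot is None or s == slot)
            and (prange is None or prange[0] <= p <= prange[1]))


# Constructed inventory (assumption): slot -> {port type: number of ports}.
INVENTORY = {1: {"fe": 48, "ge": 4}, 3: {"ge": 24, "tg": 2}}


def expand(spec, inventory=INVENTORY):
    """Resolve spec to the concrete port names present in inventory.

    Wildcards match every slot/type; a numeric range is clipped to the ports
    that actually exist, so ge.3.20-30 on a 24-port slot yields ge.3.20-24.
    """
    ptype, slot, prange = parse_port_string(spec)
    names = []
    for s, types in sorted(inventory.items()):
        if slot is not None and s != slot:
            continue
        for t, count in sorted(types.items()):
            if ptype is not None and t != ptype:
                continue
            lo, hi = (1, count) if prange is None else prange
            names.extend(f"{t}.{s}.{n}" for n in range(lo, min(hi, count) + 1))
    return names


if __name__ == "__main__":
    for spec in ("fe.1.1", "ge.3.2-3", "tg.3.1", "ge.2.*", "*.*.*"):
        ports = expand(spec)
        print(f"{spec:10} -> {len(ports):3} ports  {ports[:4]}")
```

Validating the string before expanding it matters when port strings come from an automation system rather than a console: a spec that parses to an empty set (ge.2.* on a chassis with nothing in slot 2) is silently a no-op, which is exactly the kind of mistake that leaves a policy unapplied.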


Page 41: Enterasys Switching 2010

Local Management (LM)

• Enterasys switch products may be locally managed via the COM port
  - The console port on a device may be either an RJ45 or a DB9 connector
  - Connections are designed for a VT terminal, a PC with terminal emulation (such as HyperTerminal or Tera Term Pro), or a modem

Terminal Emulation Setting   Generic Value
Baud Rate/Transmit           9600
Data Bits                    8
Stop Bits                    1
Parity                       None
Flow Control                 Xon/Xoff

Page 42: Enterasys Switching 2010

Command Line Interface (CLI)

• The Matrix N-series and SecureStack A, B, and C switches all support an industry-standard Command Line Interface to provide consistency in configuration syntax.

• By default, the Matrix N-series and SecureStack A, B and C switches are configured with three user login accounts:
- ro for Read-Only access
- rw for Read-Write access
- admin for Super-User access
- These accounts exist on every unit as shipped; set a password on each of them before the switch is reachable in-band

Page 43: Enterasys Switching 2010

CLI Overview

• Layer 2 switch configuration
- Persistent when configured

• Basic CLI usage
- Use "?" in the CLI to display commands and parameters
- Use "tab" for command auto-completion
- Use the up-arrow or down-arrow key to recall a previously entered command

• Basic Layer 2 CLI commands
- Setting system information
› set ip address ip-address [mask ip-mask] [gateway ip-gateway]
› show ip address
› set time [mm/dd/yyyy] [hh:mm:ss]
› show time
› set system name [string] (useful when used with SNMP)
› set system location [string]
› set system contact [string]
- Setting console behaviour
› set prompt ["prompt_string"] (enclosing the string in quotation marks allows a space between words)
› set logout timeout (the DFE default is set logout 0, which disables the idle timeout; set a non-zero value so unattended console and Telnet/SSH sessions are closed)

Page 44: Enterasys Switching 2010

CLI Overview

• Reset the system
- reset
- reset at hh:mm [mm/dd] ["reason"]
- reset in hh:mm ["reason"]
- show reset

• Displaying system information
- show system (pulls system information from the DFE, E1, or SecureStack)
- show system hardware (DFE and SecureStack)
- show system utilization cpu (DFE and SecureStack)
- show switch (SecureStack)

• Displaying system configuration
- dir
- show version
- show config
› show config [facility]
- show config system (shows only the system configuration)
- show config port (shows only the port configuration)
- clear config mod-num | all (clears a module or the entire chassis on the DFE)
› Does not clear the IP address; use the clear ip address command for that

Page 45: Enterasys Switching 2010

In-band Management

• All Enterasys switches can be managed in-band through the following IP addresses:
- Layer 2 virtual host management port (all Enterasys switches)
- Layer 3 IP routed interfaces (N, G and C)

• Layer 2 virtual host management port
- This virtual port is switched/routed to via the front panel ports on the device following normal layer 2 bridging and layer 3 routing rules
› The IP address and mask are set using the set ip address command
› The VLAN is set using the following command:
- set vlan egress <vid> host.0.1 untagged (N-series)
- set host vlan <vid> (SecureStack and G)

• Layer 3 IP routed interfaces
- For the N-series, the layer 2 virtual host management port can use a locally configured IP routed interface as its default gateway
- For the SecureStack C series, the layer 2 virtual host management port cannot be configured on the same VLAN or on the same subnet as any locally configured routed interface
› Only applicable when routing is enabled on the SecureStack C series

Page 46: Enterasys Switching 2010

WebView and SSL

• WebView can be used for basic switch configuration including port configuration, VLANs, and MSTP

• WebView is enabled by default on all products.
- To use WebView, just bring up a browser and type in the IP address of the switch
› set webview [enable | disable | port tcp-port]

• Secure Socket Layer (SSL) uses the switch's key pair to negotiate session keys, so the WebView session, including the login credentials, is encrypted in transit instead of being sent as plain HTTP
- SSL can be enabled through the command line
› set ssl enable
› set webview enable ssl-only (restricts WebView to HTTPS)
- To use WebView with SSL, enter https://172.10.1.100 in your browser, where 172.10.1.100 is the switch IP address
- Supported on SecureStack, D, G and I Series switches
- Not supported on Matrix N-series

Page 47: Enterasys Switching 2010

Telnet and SSH

• Telnet is a terminal emulation program for TCP/IP networks.
- Once an Enterasys switch has a valid IP address, you can establish a Telnet session to the device from any TCP/IP based node on the network
- Commands entered over Telnet are executed as if you were entering them via the console or COM port
- The management screens seen during a Telnet session are identical to those seen via the console or COM port
- Telnet sends passwords in clear text
- All Enterasys devices support Telnet

• Secure Shell (SSH) is a protocol for secure remote login over an insecure network
- A secure substitute for Telnet, encrypting communications between the two hosts
- All the current Enterasys switches support SSH

Page 48: Enterasys Switching 2010

Firmware Upgrades

• Firmware is the operating system for the switch

• Enterasys periodically provides firmware upgrades and, less frequently, Boot PROM upgrades. These are required to:
- Address software incompatibilities
- Introduce and integrate new features
- Address problems and issues with previous firmware versions
- Support new and future technologies

• Enterasys switches primarily support TFTP or BootP server functionality. Other methods of firmware upgrade include FTP and serial (ZMODEM).

Page 49: Enterasys Switching 2010

Firmware Upgrades

• The firmware image is stored in flash memory and runs in local RAM. Some relevant definitions follow below.
› NVRAM (Non-Volatile Random Access Memory): RAM that retains its contents (for example, IP addresses) when a unit is powered off.
› LRAM (Local RAM): Memory area used by the central processor for operational tables and current processes (for example, SAT tables and VLAN tables).
› Flash Memory: Non-volatile storage that can be electrically erased and reprogrammed. Allows firmware images to be stored, booted, and rewritten as necessary.
› Boot PROM: Holds the boot programs and board revisions.

Page 50: Enterasys Switching 2010

Steps in the Normal Boot-Up Process

• Steps in the normal boot-up process for Enterasys switching products:
- The Boot PROM comes online first and runs diagnostics on all memory areas and the Ethernet interfaces.
- The Boot PROM then checks the NVRAM settings. These settings tell the Boot PROM where to find the firmware image to load. During a normal boot-up, the firmware image will be loaded from flash memory.
- The Boot PROM will start the Flash Memory Manager to uncompress the firmware image in flash memory, and to copy the uncompressed firmware image into LRAM.
- Once the uncompressed firmware image is in LRAM, the main processor will begin normal operations. SNMP is now available.

• Most devices will take from 30 seconds to a minute to boot up.
- If the power-up sequence is interrupted or if optional hardware has been installed or removed, a device may run an extended diagnostics sequence that may take up to two or more minutes to complete.

Page 51: Enterasys Switching 2010

Methods for Upgrading Product Firmware

• Two primary methods for upgrading product firmware. Other methods, when supported by a product family, are briefly described in the product-specific information at the end of this section.
- A TFTP download can be either offline or online.
› For an offline TFTP download, the device is taken offline and the image is loaded directly to the LRAM.
› With an online (runtime) TFTP download, the device remains online with the old image while the new image is loaded directly to the flash memory.
- BootP process: BootP packets are exchanged to obtain download information. The actual file download of a new firmware image is via TFTP.
› BootP would be used when the device has an image failure. The BootP process happens generally without administrative control, so the device loads whichever image the answering BootP/TFTP server points it at; keep rogue BootP and TFTP servers off the management segment.

Page 52: Enterasys Switching 2010

Upgrading Firmware via TFTP

• The Trivial File Transfer Protocol (TFTP) is a simple protocol for transferring files, defined by RFC 1350. A TFTP server is a station that is manually configured with the IP address of the device it is serving and the firmware image to be downloaded.

• To use TFTP, you have to know the file you want to transfer and where it can be found
- TFTP carries no authentication or integrity protection, so the server should be reachable only from the management VLAN and the image removed from it once the upgrade is done

• The TFTP program resides in Boot PROM on the switch and can be used to upgrade firmware by transferring (downloading) a new firmware image either offline or online.

Page 53: Enterasys Switching 2010

TFTP Offline Method

• The offline TFTP download process for upgrading firmware is as follows:
- After initialisation of the TFTP server and settings (via Local Management or a network management tool), the device will reboot with a normal boot-up process.
- After the boot-up process is complete, the device will then obtain boot parameters from NVRAM. NVRAM will point to a file to download via TFTP. Then, the TFTP process will begin and the file is loaded directly into (overwriting) the LRAM.
- Once the TFTP download is complete, the device will then erase the contents of flash memory, then compress a copy of the new image and move it to the flash memory.
- Next, the device performs diagnostics and resumes normal operations.
- An offline TFTP download must be performed over Ethernet interfaces.

Page 54: Enterasys Switching 2010

TFTP Online Method

• The online TFTP download process for upgrading firmware is as follows:
- The operating image remains in LRAM while the new image is downloaded directly to the flash memory.
- Some older switches erase the contents of the flash memory first. The compressed file is then downloaded directly into flash.
› Caution should be taken in this state because with no image in flash memory, the device would require a BootP if it were reset for any reason
- Current switches can hold multiple images, so flash is not automatically cleared
› There must be room in flash for a new image or the TFTP download will fail
- Example: The DFEs can hold two images; if both slots are in use, one of the images has to be manually deleted before a new image can be downloaded to flash
- Once the download is complete, the device will operate using the old image until such time that the device is reset for any reason. Upon reboot, the new image will be utilised via a normal boot-up.
› For devices that can hold multiple images, the set boot system command is used to select the new image

Page 55: Enterasys Switching 2010

Matrix N-Series

• The Matrix N-Series DFEs allow you to download and store up to two image files.

• There are three ways to download firmware to the N-Series devices:
- An FTP download uses an FTP server connected to the network and downloads the firmware using the FTP protocol.
- A TFTP download uses a TFTP server connected to the network and downloads the firmware using the TFTP protocol.
- An out-of-band download is accomplished via the serial (console) port. By typing the command download, you send the firmware image via the ZMODEM protocol from your terminal emulation application.

Page 56: Enterasys Switching 2010

SecureStacks

• SecureStacks
- Firmware may be downloaded using a TFTP server (preferred) or out-of-band via the console port
- Can store up to 2 images
- Once firmware is downloaded to the management switch, the management switch then automatically pushes the firmware to all switches in the stack

Page 57: Enterasys Switching 2010

Download Firmware using CLI

• Matrix N-series and SecureStacks
- Use the dir command to show currently stored images plus your saved configurations.
› You may have to delete an older image using the delete command before you download a new image.
- The copy command is used to download/upload firmware and configuration files to/from the device
› copy source_filename destination_filename
› Operation:
- Upload: source file is local and destination file is remote
- Download: source file is remote and destination file is local
› File type:
- Local file: file name is specified
- Remote file: file name is specified prefixed with URL format
- tftp://172.16.2.10/DFE-P-52604

Page 58: Enterasys Switching 2010

Download Firmware using CLI

• Copying (downloading) an image from a TFTP server to the switch:
- copy tftp://172.16.2.10/DFE-P-52604 DFE-P-52604 (DFE)
- copy tftp://172.16.2.10/c2-series_03.03.33 system:image (SecureStack)
- dload 172.16.2.10 firmware/images/30712.fls (E1)

• When an image is downloaded to the DFE or SecureStack, it will not load the new image right away; to do so you have to:
- First tell the switch which image you want it to boot
› show boot system
› set boot system filename
- Reset the switch (this can be done immediately or at another time)

Page 59: Enterasys Switching 2010

Management Security

• There are varying levels of security across the product lines to control and monitor management access to the switch hosts.

• Management security involves controlling which users are allowed to access, monitor, and manage a switch.

• Features for management security are available from the various Enterasys switching families.
- Control plane features
› Login security password
› SNMP community name (v1, v2)
› SNMP user and password (v3)
› Host access control authentication
› Secure shell
- Data plane features
› 802.1X, PWA, MAC-based authentication
› ACLs
› MAC locking
› DoS prevention

Page 60: Enterasys Switching 2010

Management Security

• To secure host management, certain features should be disabled:
- The following features should be disabled because passwords (or community names) are sent in clear text across the network over these protocols
› Telnet
set telnet disable
› SNMP community name (v1, v2)
clear snmp community public
(remove any other v1/v2 community names configured on the switch in the same way; clearing public alone is not enough)
› WebView without HTTPS
set webview disable
- As an alternative, the following features should be used:
› SNMP v3 user with authentication and encryption
› Host access control authentication
› Secure shell

Page 61: Enterasys Switching 2010

“There is nothing more important than our customers”

Enterprise Switching

VLAN’s

Page 62: Enterasys Switching 2010

VLAN Planning

• Preparing for VLAN Configuration
- Forethought and planning are essential to a successful VLAN implementation. Before attempting to configure a single device for VLAN operation, consider the following:
› What is the purpose of the VLAN design? (i.e. security containers, broadcast traffic containment, ...)
› How many VLANs will be required?
› What stations (end users, servers, etc.) will belong to them?
› What ports on the switch are connected to those stations?
› What ports will be configured as GVRP-aware ports?

Page 63: Enterasys Switching 2010

VLAN Planning

• Default VLAN and Number of Supported VLANs
- By default, all ports on all Enterasys switches:
› Are assigned to VLAN ID 1
› Are on the egress list of VLAN 1 as untagged
› Have a PVID of 1
- The number of VLANs and the range of VIDs supported varies depending on the device.
- IEEE 802.1Q specifies 4096 VLAN IDs (0 through 4095); the user-configurable range for VLAN IDs (VIDs) is 2 through 4094.
- VID 0 is the null VLAN ID, indicating that the tag header in the frame contains priority information rather than a VLAN identifier.
› It cannot be configured as a port VLAN ID (PVID).
- VID 1 is designated as the default PVID.
- VID 4095 is reserved by IEEE.

Page 64: Enterasys Switching 2010

VLAN Forwarding

• Ingress – VLAN assignment for received packets
- Precedence:
1. 802.1Q VLAN tag (tagged packets only)
2. Policy or Traffic Classification
- May overwrite the 802.1Q VLAN tag when "tci-overwrite enable" is set on the port
3. Port VID (PVID)

• Egress – VLAN forwarding for transmitted packets
- Unlearned traffic
› Destination MAC address of the packet is not in the FDB for the VLAN
› Packet is forwarded out of every port on the VLAN's egress list in the packet format specified for that port
- Learned traffic
› Destination MAC address of the packet is in the FDB for the VLAN
› Packet is forwarded out of the learned port in the specified packet format

Page 65: Enterasys Switching 2010

VLAN Configuration

7 steps to configure VLANs:

1. Review existing VLANs
2. Create and name VLANs
3. Assign port VLAN IDs
4. Enable ingress filtering
5. Configure VLAN egress
6. Create management VLAN
7. Enable/disable GVRP – Dynamic Egress

Page 66: Enterasys Switching 2010

1. Review Existing VLANs

• Display statically and dynamically configured VLANs on the device
- All VLANs and associated egress lists are displayed
- Static VLANs are administratively configured
- Dynamic VLANs are not configured by the administrator
› GVRP automatically configures VLANs on a device

show vlan [static] [vlan-list] (N/SecureStack)
show vlan [vlan_id | vlan_name] (E1)

- Example:

Matrix N7 Platinum(su)->show vlan 30
VLAN: 30   NAME: SERVERS   Status: Enabled
VLAN Type: Permanent   FID: 30
Creation Time: 30 days 1 hours 10 minutes 14 seconds ago
Egress Ports
  fe.1.2-4,6-7;ge.1.3;rtr.1.1;ge.2.43
Forbidden Egress Ports
  None.
Untagged Ports
  fe.1.3-4,6-7;ge.1.3;ge.2.43

Page 67: Enterasys Switching 2010

2. Create & Name VLANs

- Create a VLAN and assign a VLAN ID (VID).
› This is a numeric ID.
› The numerical value MUST be within the range supported by the device.
set vlan {create | enable | disable} vlan-list
- You may also assign VLAN names.
› This name is for the administrator's use
› The name of the VLAN has no effect on the VLAN or its functioning.
› It is the VLAN ID that "counts."
set vlan name vlan-list vlan-name

Page 68: Enterasys Switching 2010

3. Assign Port VLAN IDs

All Current Switches

• When setting a PVID with the set port vlan command, you can also add the port to the VLAN's untagged egress list
- Example: If you assign ports 1, 5, 8, and 9 to VLAN 44, untagged frames received on those ports are classified into VLAN 44. The ports can be added to the untagged egress list in one of two ways:

Matrix N7 Platinum(su)->set port vlan fe.1.1,5,8-9 44 modify-egress

OR

Matrix N7 Platinum(su)->set port vlan fe.1.1,5,8-9 44
The PVID is used to classify untagged frames as they ingress into a given port. Would you like to add the selected port(s) to this VLAN's untagged egress list and remove them from all other VLANs untagged egress list (y/n) [n]?
NOTE: Choosing 'y' will not remove the port(s) from previously configured tagged egress lists.
y
Matrix N7 Platinum(su)->

Page 69: Enterasys Switching 2010

5. Configure VLAN Egress

• The egress process dictates where the packet is allowed to go.
- The ingress process classifies received frames as belonging to one and only one VLAN.
- The forwarding process looks up learned information in the filtering database to determine where received frames should be forwarded.

• Egress determines which ports will be eligible to transmit frames for a particular VLAN
- VLANs have no egress ports (except VLAN ID 1) until they are configured by static administration or through dynamic mechanisms
› Dynamic mechanisms include GVRP, policy, or Enterasys Dynamic Egress
- The VLAN egress setting specifies the format of the transmitted packet
› Tagged, untagged, forbidden

Page 70: Enterasys Switching 2010

5. Configure VLAN Egress

• Configuring VLAN egress lists
- Add a port as tagged to a VLAN's egress list if you want it to carry traffic for one or more VLANs, and the device at the other end of the link also supports VLANs.
- If the device at the other end of the link does not support VLANs, then you must add the port as untagged to the VLAN's egress list
- Each port on the switch is capable of concurrently forwarding both tagged and untagged frames for different VLANs
› A single port can be assigned to multiple VLAN egress lists as tagged, untagged, or forbidden.
› Default frame format is tagged
set vlan egress vlan-list port-string [untagged | forbidden | tagged]

Page 71: Enterasys Switching 2010

5. Configure VLAN Egress

• Displaying VLAN egress lists
- The show vlan command displays VLANs and associated egress lists
› On Matrix N-series and SecureStack, ports are only displayed if they are in the forwarding state; a port is omitted when it has:
- No link
- Blocking due to spanning tree
- Membership of a LAG

Matrix N7 Platinum(su)->show vlan
VLAN: 1   NAME: DEFAULT VLAN   Status: Enabled
VLAN Type: Permanent   FID: 1
Creation Time: 0 days 0 hours 16 minutes 15 seconds ago
Egress Ports
  host.0.1;fe.1.2-3,5;fe.2.4-6,8-11
Forbidden Egress Ports
  None.
Untagged Ports
  host.0.1;fe.1.2-3;fe.2.5-6,11

- The show vlan static command displays all ports on the VLAN regardless of the forwarding state of the port
› A port that is displayed as an Egress Port and Untagged Port for a VLAN is on this VLAN's egress list as untagged
› A port that is displayed as only an Egress Port for a VLAN is on this VLAN's egress list as tagged

Page 72: Enterasys Switching 2010

6. Create a Management VLAN

• If you are configuring multiple VLANs, it is recommended that you configure a Management VLAN
- This allows a station connected to the Management VLAN to manage devices.
- It also improves security by preventing device configuration via ports on other VLANs.
- Because every port is on VLAN 1 untagged by default, use a dedicated VID rather than VLAN 1 for the Management VLAN; otherwise any user port can still reach the host port.

• The process of assigning a Management VLAN must be repeated on every infrastructure device on the network to ensure each device has a connection to the Management VLAN.
- It is not necessary to configure a physical port for management on each switch.
- Only those switches that will have a management station attached need a physical port assigned to the Management VLAN.
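The model below is an added example (it is not part of the Enterasys courseware) that ties steps 2 to 6 together with the ingress precedence and egress rules from the VLAN Forwarding slide: ports carry a PVID, each VLAN has an egress list with tagged, untagged or forbidden entries, ingress filtering drops frames for VLANs the receiving port is not on, and the host port sits alone on a dedicated management VLAN. The port names, MAC addresses and VLAN layout are constructed for illustration, and the class and function names are this example's own rather than anything in the switch firmware.

```python
# Added example (not from the Enterasys courseware): a model of 802.1Q ingress
# classification and egress on a switch configured as the VLAN slides describe.
from dataclasses import dataclass, field
from typing import Optional

TAGGED, UNTAGGED, FORBIDDEN = "tagged", "untagged", "forbidden"


@dataclass
class Frame:
    dst: str
    src: str
    tag_vid: Optional[int] = None     # VID from an 802.1Q tag; None for an untagged frame
    policy_vid: Optional[int] = None  # VID a policy/classification rule wants to assign


@dataclass
class Switch:
    pvid: dict                                   # port -> PVID (1 on every port by default)
    egress: dict                                 # vid -> {port: TAGGED|UNTAGGED|FORBIDDEN}
    ingress_filtering: bool = True               # step 4: drop frames for VLANs the port is not on
    tci_overwrite: set = field(default_factory=set)  # ports where policy may override a tag
    fdb: dict = field(default_factory=dict)      # (vid, mac) -> port, learned from sources

    def classify(self, port, frame):
        """Ingress VLAN assignment in the course's precedence order:
        1. 802.1Q tag (VID 0 is priority-only and carries no VLAN),
        2. policy, which may overwrite a tag only with tci-overwrite on the port,
        3. the port's PVID."""
        if frame.tag_vid:   # a non-zero tag
            if frame.policy_vid is not None and port in self.tci_overwrite:
                return frame.policy_vid
            return frame.tag_vid
        if frame.policy_vid is not None:
            return frame.policy_vid
        return self.pvid.get(port, 1)

    def forward(self, in_port, frame):
        """Return (vid, [(out_port, format), ...]) for a frame received on in_port."""
        vid = self.classify(in_port, frame)
        members = {p: f for p, f in self.egress.get(vid, {}).items() if f != FORBIDDEN}
        if self.ingress_filtering and in_port not in members:
            return vid, []              # dropped: ingress port is not on this VLAN's egress list
        self.fdb[(vid, frame.src)] = in_port
        learned = self.fdb.get((vid, frame.dst))
        if learned is None:             # unlearned: flood every egress port except the ingress port
            targets = [p for p in members if p != in_port]
        else:                           # learned: only the port the address was learned on
            targets = [learned] if learned in members and learned != in_port else []
        return vid, [(p, members[p]) for p in targets]


def build_switch():
    """Constructed configuration following steps 2-6: VLAN 44 (users) untagged on
    fe.1.1,5,8-9, VLAN 30 (servers) untagged on ge.1.3 and forbidden on fe.1.1,
    both carried tagged on uplink ge.1.1, and VLAN 10 as the management VLAN
    with host.0.1 as its only untagged member."""
    pvid = {"fe.1.1": 44, "fe.1.5": 44, "fe.1.8": 44, "fe.1.9": 44,
            "ge.1.3": 30, "host.0.1": 10}
    egress = {
        44: {"fe.1.1": UNTAGGED, "fe.1.5": UNTAGGED, "fe.1.8": UNTAGGED,
             "fe.1.9": UNTAGGED, "ge.1.1": TAGGED},
        30: {"ge.1.3": UNTAGGED, "ge.1.1": TAGGED, "fe.1.1": FORBIDDEN},
        10: {"host.0.1": UNTAGGED, "ge.1.1": TAGGED},
    }
    return Switch(pvid=pvid, egress=egress)
```

The two cases worth running are a user port fe.1.1 sending a frame tagged with VID 30 or VID 10: the port is not on either VLAN's egress list, so ingress filtering drops the frame and a user cannot tag their way into the server or management VLAN, while the same tags arriving on the uplink ge.1.1 are forwarded.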


Page 73: Enterasys Switching 2010

“There is nothing more important than our customers”

Enterprise Switching

Spanning Tree

Page 74: Enterasys Switching 2010

Agenda

• IEEE 802.1D, Spanning Tree

• IEEE 802.1w, Rapid spanning Tree

• IEEE 802.1t (802.1D maintenance)

• IEEE 802.1s, Multiple Spanning Trees (MST)

• Enterasys Per VLAN Spanning Tree (PVST)

• Span Guard™

• Summary


Page 75: Enterasys Switching 2010

IEEE 802.1D Spanning Tree

• As of 2003, the IEEE 802.1D version of spanning tree was removed from the specification

• STP has now been superseded by IEEE 802.1w, Rapid Spanning Tree Protocol (RSTP), and IEEE 802.1s, Multiple Spanning Tree.

• All Enterasys switches support IEEE 802.1D Spanning Tree

• The Matrix N-series and SecureStack run 802.1w/s by default

Page 76: Enterasys Switching 2010

IEEE 802.1D Spanning Tree

• Calculating the Spanning Tree based on the lowest STP IDs and costs
- Always compare these values in this order. If they are equal, move on to the next comparison:
1. Root Bridge ID
2. Path Cost to Root
3. Designated Bridge ID
4. Designated Port ID
5. Root Port ID

Page 77: Enterasys Switching 2010

IEEE 802.1D Spanning Tree

• 802.1D Operation
1. Elect a root bridge as the reference point for the network
— Bridge with lowest bridge ID becomes the root
› Bridge ID = (2 byte Bridge priority + 6 byte Bridge MAC address)
› Example: 80-00-00-E0-63-12-34-56 (where 80-00 is the default bridge priority value and 00-E0-63-12-34-56 is the bridge MAC address)
› Because the priority field is compared before the MAC address, any device announcing a lower priority takes over as root; set the intended root's bridge priority deliberately rather than leaving every bridge at the default

[Figure: Root Bridge at the top of the topology]

Page 78: Enterasys Switching 2010

IEEE 802.1D Spanning Tree

• 802.1D Operation
2. Assign path costs to the links
— Path cost value is relative to bandwidth rate (port speed).

[Figure: root bridge with bridges 2 to 6 below it; link costs 4, 19 and 100]

Path cost to root bridge
Bridge ID 80-00:2   4
Bridge ID 80-00:3   4 + 19 = 23
Bridge ID 80-00:4   4
Bridge ID 80-00:5   4 + 19 = 23
Bridge ID 80-00:6   4 + 19 + 100 = 123

Page 79: Enterasys Switching 2010

IEEE 802.1D Spanning Tree

• 802.1D Operation
3. Determine the designated bridge for each LAN segment
— Lowest path cost to the root bridge
— If path costs are equal, the designated bridge is the one with the lower bridge ID

[Figure: Root Bridge and Designated Bridges]
Bridge 1 is the designated bridge for Bridge 2, Bridge 4
Bridge 2 is the designated bridge for Bridge 3, Bridge 5
Bridge 3 is the designated bridge for Bridge 6

Page 80: Enterasys Switching 2010

IEEE 802.1D Spanning Tree

• 802.1D Operation
4. Identify Root Ports and Designated Ports
— Root Port: The bridge port that provides the best path to the root
— Designated Port: The port on each LAN segment that forwards traffic towards the root and transmits configuration BPDUs onto that segment

[Figure: Root Bridge above bridges 80-00:2 to 80-00:6, each labelled with its Root Port and Designated Port(s); port IDs shown as 80-1, 80-2, 80-3]

Page 81: Enterasys Switching 2010

IEEE 802.1D Spanning Tree

• 802.1D Operation
5. Resolve loops by placing redundant ports in a blocking state
— Determine root & designated ports
— Redundant ports are placed into BLOCKING state

[Figure: the same topology as step 4, with the redundant ports marked as blocking]

Page 82: Enterasys Switching 2010

IEEE 802.1D Spanning Tree

6. Maintaining the topology
- Hello timer
- Max Age timer
- Forward Delay timer

• STA Bridge Port States
- Blocking
› Not participating in frame transmission
› Continues to monitor for management and STA information (still receives BPDUs)
- Listening
› Only processes frames addressed to it
› Listens to BPDUs to ensure no loops occur on the network
› BPDUs received shall be processed, as required by the STA
- Learning
› Bridge is passively building its SAT but does not forward frames
- Forwarding
› Able to send and receive data
› Participating in frame transmission

Page 83: Enterasys Switching 2010

IEEE 802.1D Spanning Tree

• 802.1D Operation Summary
- Elect a root bridge: Bridge 1
- Assign path costs to the links:
› Bridge 2 has a path cost of 4
› Bridge 3 has a path cost of (4 + 19) = 23
› Bridge 4 has a path cost of 4
› Bridge 5 has a path cost of (4 + 19) = 23
› Bridge 6 has a path cost of (4 + 19 + 100) = 123
- Determine the designated bridge:
› Bridge 1 is the designated bridge for Bridge 2, Bridge 4
› Bridge 2 is the designated bridge for Bridge 3, Bridge 5
› Bridge 3 is the designated bridge for Bridge 6
› Bridge 4, Bridge 5, and Bridge 3 are the designated bridges for all respective downstream links
- Identify root and designated ports & block redundant links: as shown in the figures on the preceding slides
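The following is an added example (it is not part of the Enterasys courseware) that runs the five election steps above on the six-bridge topology of these slides, using the comparison order the course gives (root bridge ID, path cost, designated bridge ID, designated port ID, root port ID). The bridge MACs are derived from the page's example address, and the port numbers and the two redundant links (4-5 and 5-6) are assumptions chosen so that the resulting costs match the page's figures; the function names are this example's own.

```python
# Added example (not from the Enterasys courseware): 802.1D root election,
# path costs, port roles and blocking on the course's six-bridge topology.
from collections import defaultdict

DEFAULT_BRIDGE_PRIORITY = 0x8000   # the "80-00" of the page's example bridge ID
DEFAULT_PORT_PRIORITY = 0x80       # the "80" of port IDs such as 80-1


def bridge_id(priority, mac):
    """Bridge ID = 2-byte priority followed by the 6-byte bridge MAC (lower wins)."""
    return (priority << 48) | int(mac.replace("-", "").replace(":", ""), 16)


def port_id(number, priority=DEFAULT_PORT_PRIORITY):
    """Port ID = 1-byte priority followed by the port number."""
    return (priority << 8) | number


# Constructed topology: (bridge, port, bridge, port, path cost of the link).
LINKS = [
    (1, 1, 2, 1, 4),
    (1, 2, 4, 1, 4),
    (2, 2, 3, 1, 19),
    (2, 3, 5, 1, 19),
    (4, 2, 5, 2, 19),     # assumed redundant link
    (3, 2, 6, 1, 100),
    (5, 3, 6, 2, 100),    # assumed redundant link
]

# Constructed MACs, derived from the page's example address 00-E0-63-12-34-56.
MACS = {n: f"00-E0-63-12-34-5{n}" for n in range(1, 7)}


def compute_spanning_tree(bridge_ids, links):
    """Return (root bridge, root path cost per bridge, port roles per bridge).

    The priority vector compared is (path cost to root, designated bridge ID,
    designated port ID, receiving port ID); the lowest tuple wins, which is
    the comparison order the course lists once the root bridge ID is equal.
    """
    root = min(bridge_ids, key=bridge_ids.get)           # step 1: lowest bridge ID
    adj = defaultdict(list)
    for a, pa, b, pb, cost in links:                     # step 2: costs per link
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))

    best = {root: (0, bridge_ids[root], 0, 0)}
    root_port = {root: None}
    changed = True
    while changed:                                       # relax until no vector improves
        changed = False
        for b in list(best):
            for local_port, nbr, nbr_port, cost in adj[b]:
                if nbr == root:
                    continue
                vec = (best[b][0] + cost, bridge_ids[b], port_id(local_port), port_id(nbr_port))
                if nbr not in best or vec < best[nbr]:
                    best[nbr], root_port[nbr], changed = vec, nbr_port, True

    roles = {b: {} for b in bridge_ids}
    for a, pa, b, pb, _ in links:                        # steps 3-5: one decision per segment
        key_a = (best[a][0], bridge_ids[a], port_id(pa))
        key_b = (best[b][0], bridge_ids[b], port_id(pb))
        des, des_port, other, other_port = (a, pa, b, pb) if key_a < key_b else (b, pb, a, pa)
        roles[des][des_port] = "designated"              # forwards towards this segment
        roles[other][other_port] = "root" if root_port.get(other) == other_port else "blocking"
    return root, {b: v[0] for b, v in best.items()}, roles


def default_bridges():
    """All six bridges at the default priority, so the lowest MAC (bridge 1) is root."""
    return {n: bridge_id(DEFAULT_BRIDGE_PRIORITY, MACS[n]) for n in MACS}
```

With every bridge at the default priority the result reproduces the slides: bridge 1 is root, bridges 3 and 5 cost 23, bridge 6 costs 123, and the redundant ports on bridges 5 and 6 are blocking. Lowering the priority of bridge 6 alone makes it root, which is exactly what a rogue device sending superior BPDUs achieves and why the Span Guard feature listed in the agenda exists.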


Page 84: Enterasys Switching 2010

Agenda

• IEEE 802.1D, Spanning Tree

• IEEE 802.1w, Rapid Spanning Tree

• IEEE 802.1t (802.1D maintenance)

• IEEE 802.1s, Multiple Spanning Trees (MST)

• Enterasys Per VLAN Spanning Tree (PVST)

• Span Guard™

• Recommended Practices

• Summary

Page 85: Enterasys Switching 2010

802.1w, Rapid Spanning Tree

• IEEE 802.1w, Rapid Reconfiguration Spanning Tree (RSTP), is built upon the original IEEE 802.1D Spanning Tree Protocol parameters.

• IEEE 802.1w and IEEE 802.1D Spanning Tree algorithms will interoperate.
- An RSTP switch detects the STP version when it is connected to an 802.1D STP switch.
- When the RSTP port is initialized, it transmits RSTP Bridge Protocol Data Units (BPDUs) for three seconds; it then transitions to sending STP BPDUs if it receives STP BPDUs

Page 86: Enterasys Switching 2010

802.1w, Rapid Spanning Tree

• Enhancements of Rapid Reconfiguration Spanning Tree
- Port roles implemented through the use of state machines, so a bridge can quickly transition a new Root Port to the Forwarding State without long reconvergence
- Shifts to per-port spanning tree, rather than 802.1D bridge spanning tree.
- Topology Change Notifications can now be advertised downstream (unlike 802.1D).
- Layer 2 MAC parameters are used to detect link status.
- Rapid-STA information is aged faster (3 x Hello).
- Interoperates with 802.1D STP.

Page 87: Enterasys Switching 2010

802.1w, Rapid Spanning Tree

• Port Roles:

- Root Port: The one port that is used to connect to the Root Bridge. The Root Port is elected based on its least “path-cost” to the Root Bridge.

- Alternate Port: Any redundant upstream port that provides an alternate path to the Root Bridge (other than the Root Port).

- Designated Port: Any downstream port that provides a path back to the Root Bridge for a downstream bridge.

- Backup Port: A port that acts as a redundant Designated Port for a downstream bridge.

- Edge Port: A port that has no other bridges connected to it (i.e. a User Port). This is automatically configured by the Bridge Detection State Machine (802.1t Clause 18).

Page 88: Enterasys Switching 2010

802.1w, Rapid Spanning Tree

Port Roles and Forwarding

• Ports in the Root and Designated port roles are part of the Active Spanning Tree Topology

- These ports are forwarding traffic

• Ports in the Alternate and Backup port roles are not part of the Active Spanning Tree

- They provide redundant fail-over connectivity in the event of a failed Root or Designated Port

Port States

• RSTP eliminates the Listening and Blocking Port States found in 802.1D STP

• Valid RSTP Port States: Forwarding, Learning, Discarding


Page 90: Enterasys Switching 2010

IEEE 802.1s, Multiple Spanning Trees (MST)

• The original 802.1D standard treats the overall topology as a single network, while switches treat VLANs as completely separate networks.

- IEEE 802.1s is a supplement to IEEE 802.1Q

- Ability to map one or more VLANs to each spanning tree instance

- MST is built on top of 802.1w Rapid Reconfiguration

- Enterasys has adopted 802.1s in place of PVST

• 802.1s is supported on the following platforms:

- Matrix N-Series

- SecureStack

Page 91: Enterasys Switching 2010

IEEE 802.1s, Multiple Spanning Trees (MST)

• 802.1s Objectives

- Principal objective: to increase bandwidth utilisation

› To allow frames assigned to different VLANs to follow different data routes

› To allow ports to block for some Spanning Trees and forward for others

› To have every ISL (Inter Switch Link) in the topology forwarding for at least one spanning tree

- The ability to create Spanning Tree instances for each VLAN.

- Fault tolerant network design with automatic reconfiguration

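The port-role election described on the 802.1w Port Roles slides, carried through for more than one spanning tree instance so that the 802.1s objective above (a port that blocks for one tree and forwards for another) is visible in the result. This is an added example, not code from the courseware or from Enterasys: it applies the 802.1w priority-vector comparison (root ID, root path cost, sender bridge ID, sender port ID, lower wins field by field) to the best BPDU heard on each port of one bridge. Bridge IDs, port IDs, path costs and the VLAN-to-instance map are constructed for illustration.

```python
"""Port-role election on one bridge, per spanning tree instance (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Vector = Tuple[int, int, int, int]   # (root_id, root_path_cost, sender_id, sender_port)


@dataclass
class Bpdu:
    root_id: int
    root_path_cost: int
    sender_id: int
    sender_port: int


@dataclass
class Port:
    name: str
    port_id: int
    path_cost: int                              # cost of the attached link
    edge: bool = False                          # no bridge ever seen here (edge port)
    received: Dict[int, Bpdu] = field(default_factory=dict)   # best BPDU per instance


def elect_roles(bridge_id: int, ports: List[Port], instance: int) -> Dict[str, str]:
    """Return {port name: role} for one spanning tree instance."""
    # Root-port candidates: each port's received vector plus our own link cost.
    best: Vector = (bridge_id, 0, bridge_id, 0)   # ourselves as root, if nothing better
    root_port: Optional[str] = None
    for p in ports:
        b = p.received.get(instance)
        if b is None or b.sender_id == bridge_id:
            continue                            # nothing heard, or our own BPDU echoed back
        vec: Vector = (b.root_id, b.root_path_cost + p.path_cost, b.sender_id, b.sender_port)
        if vec < best:
            best, root_port = vec, p.name
    root_id, root_cost = best[0], best[1]

    roles: Dict[str, str] = {}
    for p in ports:
        if p.name == root_port:
            roles[p.name] = "Root"
            continue
        if p.edge:
            roles[p.name] = "Edge"              # forwards immediately, no BPDU expected
            continue
        b = p.received.get(instance)
        ours: Vector = (root_id, root_cost, bridge_id, p.port_id)   # what we would send
        if b is None or ours < (b.root_id, b.root_path_cost, b.sender_id, b.sender_port):
            roles[p.name] = "Designated"        # we offer the best path on this LAN
        elif b.sender_id == bridge_id:
            roles[p.name] = "Backup"            # our own Designated Port is on this LAN
        else:
            roles[p.name] = "Alternate"         # another bridge offers a better root path
    return roles


def forwarding_ports(roles: Dict[str, str]) -> List[str]:
    """Root, Designated and Edge ports make up the active topology."""
    return [n for n, r in roles.items() if r in ("Root", "Designated", "Edge")]


# 802.1s: VLANs map to instances and each instance runs its own election.
VLAN_TO_INSTANCE = {10: 1, 20: 1, 30: 2, 40: 2}   # constructed mapping


def instance_for_vlan(vlan: int) -> int:
    return VLAN_TO_INSTANCE.get(vlan, 0)        # unmapped VLANs follow instance 0


# Constructed bridge 0x3000 with uplinks to bridges 0x1000 and 0x2000. In
# instance 2 bridge 0x2000 runs with a lower priority (ID 0x0200) and is root.
# ge.1.3 and ge.1.4 sit on one hub, so each hears the other's BPDU.
BRIDGE_ID = 0x3000
PORTS = [
    Port("ge.1.1", 1, 20000, received={1: Bpdu(0x1000, 0, 0x1000, 5),
                                       2: Bpdu(0x0200, 20000, 0x1000, 5)}),
    Port("ge.1.2", 2, 20000, received={1: Bpdu(0x1000, 20000, 0x2000, 6),
                                       2: Bpdu(0x0200, 0, 0x0200, 6)}),
    Port("ge.1.3", 3, 20000, received={1: Bpdu(0x1000, 20000, 0x3000, 4),
                                       2: Bpdu(0x0200, 20000, 0x3000, 4)}),
    Port("ge.1.4", 4, 20000, received={1: Bpdu(0x1000, 20000, 0x3000, 3),
                                       2: Bpdu(0x0200, 20000, 0x3000, 3)}),
    Port("fe.1.1", 5, 200000, edge=True),
]

if __name__ == "__main__":
    for inst in (1, 2):
        print(inst, elect_roles(BRIDGE_ID, PORTS, inst))
```

Running it shows ge.1.1 as Root and ge.1.2 as Alternate for instance 1 (VLANs 10 and 20), and the reverse for instance 2 (VLANs 30 and 40), so both uplinks carry traffic; ge.1.4 is Backup in both because its own bridge's lower-numbered port is Designated on the same segment.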

Page 92: Enterasys Switching 2010

IEEE 802.1s, Multiple Spanning Trees (MST)

[Figure: 802.1D/w versus 802.1s. With 802.1D/w a single Root (Bridge 1) leaves one link non-utilized (redundant only) and the other over-utilized. With 802.1s, VLAN Green, VLAN Red and VLAN Blue are mapped to instances with different Root bridges, giving an excellent balance of bandwidth utilization. Legend: Blocked Port, Data Flow.]


Page 94: Enterasys Switching 2010

Span Guard™

• Span Guard™ is designed to increase security and reliability

• Supported Platforms

- Matrix N-Series (Gold, Platinum)

- All SecureStacks

- D, G and I Series

• User devices have no need to run STA protocols

- “User” ports should never receive or transmit STA PDUs

- An unauthorized device can attack the network using STA PDUs

• Enabling “Span Guard” on “user” ports:

- Prevents spanning tree re-spans when a BPDU is received on a “user” port

- Notifies network management that they were attempted (via a trap)

Page 95: Enterasys Switching 2010

Span Guard™

STP Attack Mitigation with Span Guard™

• With Span Guard™ enabled:

- If a SpanGuard enabled port receives a BPDU, the port is locked and transitions to the Blocking state

- A SpanGuard enabled port will transition out of the Blocking state after a globally specified time or when it is manually unlocked

• Advantages of SpanGuard:

- Spoofed BPDUs will NOT cause Spanning Tree Topology Changes or “Re-Spans”.

- A Spoofed BPDU attack will be detected and the administrator will be notified:

  set spantree spanguardtrapenable {disable | enable}

- Accidental addition of a repeater, or a bridged PC, will not bring down the network.

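The Span Guard behaviour on the two slides above, written out as a small state model. This is an added example and not Enterasys code: it reproduces only what the slides state (a BPDU on a Span Guard enabled port locks it into Blocking and raises a trap, the port is released after a globally configured time or by a manual unlock, and BPDUs on ports without Span Guard feed the normal spanning tree). The timeout value, port names and event times are constructed.

```python
"""Span Guard on a user port, as a small state model (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

SPANGUARD_TIMEOUT_S = 300   # constructed stand-in for the globally specified unlock time


@dataclass
class Port:
    name: str
    spanguard: bool = True              # enabled on user ports, left off on ISLs
    state: str = "Forwarding"
    locked_at: Optional[float] = None
    traps: List[str] = field(default_factory=list)
    respans: int = 0                    # spanning tree re-evaluations this port triggered


def receive_bpdu(port: Port, now: float, trap_enabled: bool = True) -> str:
    """Handle a BPDU seen on `port` at time `now` (seconds)."""
    if not port.spanguard:
        port.respans += 1               # ISL: the BPDU is handed to the STA as usual
        return "processed"
    if port.state == "Blocking":
        return "dropped"                # already locked: nothing else happens
    port.state = "Blocking"             # lock the port; no re-span is triggered
    port.locked_at = now
    if trap_enabled:                    # set spantree spanguardtrapenable enable
        port.traps.append("spanguard lock on %s at t=%.0fs" % (port.name, now))
    return "locked"


def unlock(port: Port) -> None:
    """Manual unlock (or the timer firing): back to normal operation."""
    port.state = "Forwarding"
    port.locked_at = None


def tick(port: Port, now: float) -> bool:
    """Release a locked port once the global timeout has elapsed; True if released."""
    if port.state == "Blocking" and port.locked_at is not None \
            and now - port.locked_at >= SPANGUARD_TIMEOUT_S:
        unlock(port)
        return True
    return False


def run_scenario():
    user = Port("fe.1.7")                       # user port with Span Guard
    uplink = Port("ge.1.1", spanguard=False)    # inter-switch link
    events = [
        receive_bpdu(uplink, 0.0),              # normal BPDU from the upstream bridge
        receive_bpdu(user, 10.0),               # BPDU from a bridged PC on a user port
        receive_bpdu(user, 12.0),               # repeats while locked are simply dropped
    ]
    early = tick(user, 100.0)                   # before the timeout: stays Blocking
    late = tick(user, 10.0 + SPANGUARD_TIMEOUT_S)
    return events, early, late, user, uplink


if __name__ == "__main__":
    ev, early, late, user, uplink = run_scenario()
    print(ev, early, late, user.state, user.traps)
```

The point to take from the model is the asymmetry: the uplink's BPDU counts as a spanning tree event, while the user port's BPDU produces a lock and a trap but no re-span at all, which is exactly the advantage the slide lists.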


Page 97: Enterasys Switching 2010

“There is nothing more important than our customers”

Enterprise Switching

Link Aggregation

Page 98: Enterasys Switching 2010

Agenda

• IEEE 802.3ad Link Aggregation

• SmartTrunking

• Product-specific information

• Recommended Practices

• Summary

Page 99: Enterasys Switching 2010

Introduction

• Link Aggregation, SmartTrunking, and other port aggregation algorithms are all methods of:

- Bonding together two or more data channels into a single channel that appears as a single, higher-bandwidth, logical link.

- A cost-effective way to implement increased bandwidth.

- Providing redundancy and fault tolerance.

• Link aggregation makes multiple physical links appear as a single logical link to Spanning Tree

Page 100: Enterasys Switching 2010

IEEE 802.3ad Link Aggregation

• IEEE 802.3ad Link Aggregation is a standards-based method of dynamically grouping multiple physical ports on a network device into one logical link.

• The IEEE 802.3ad protocol allows the switch to:

- determine which links are eligible to aggregate

- configure them automatically

• Link Aggregation is supported on full duplex Ethernet ports:

- 10Mbps,

- 100Mbps,

- 1000Mbps.

Page 101: Enterasys Switching 2010

IEEE 802.3ad Link Aggregation

• Key Benefits

- By taking multiple LAN connections and treating them as a unified aggregated logical link, you can achieve practical benefits in many applications.

- The key benefits of IEEE 802.3ad Link Aggregation are:

› Dynamic configuration: Determines which links are eligible for aggregation, configures them automatically, and provides rapid reconfiguration.

› Higher link availability: The failure of a single link affects only that single link.

› Increased bandwidth: The capacity of an aggregated link is higher than an individual link alone.

› Support of existing IEEE 802.3 MAC clients: Requires no change to higher-layer protocols or applications.

› Backwards compatible with 802.3ad-unaware devices: Links that cannot take part in Link Aggregation operate as normal, individual IEEE 802.3 links.

Page 102: Enterasys Switching 2010

Link Aggregation Control Protocol

• Link Aggregation Control Protocol (LACP)

- Allows communication of aggregation capabilities between switches, and automatic configuration of links between a switch and its link partner.

- Maintains configuration information (reflecting the inherent properties of the individual links, as well as those manually established by management) to control aggregation.

- LACP exchanges configuration information with other devices to allocate the link to a Link Aggregation Group (LAG).

› A given link is allocated to, at most, one LAG at a time.

Page 103: Enterasys Switching 2010

802.3ad Terminology

• Link Aggregation Group (LAG): The name used to refer to a logical grouping of individual ports.

• Aggregation system: An arbitrary grouping of one or more ports for the purpose of aggregation.

• Aggregation keys: Parameters identifying which ports can be aggregated together.

• Marker Protocol: Gives the data distribution function a means of determining the point at which a given set of conversations can safely be reallocated from one link to another, without the danger of causing frames in those conversations to be mis-ordered.

• Actor: The local device in a Link Aggregation Control Protocol (LACP) exchange.

• Partner: The remote device in an LACP exchange.


Page 104: Enterasys Switching 2010

Link Aggregation Scenarios

• There are three scenarios in which link aggregation may be useful in a network, as described below.

- Switch-to-switch connections: Multiple ports on a switch are joined to form an aggregated link. Aggregation of multiple links achieves higher speed connections between switches without a hardware upgrade.

- Switch-to-station (server or router) connections: Many server platforms can saturate a single 100 Mbps link. Thus, link capacity limits overall system performance. You can aggregate switch-to-station connections to improve performance.

- Station-to-station connections: Though not a common configuration, you can also aggregate directly between two pairs of end stations.

Page 105: Enterasys Switching 2010

Link Aggregation Rules

• Rules & Recommendations:

- Ports must be running full duplex to aggregate.

- A link aggregation cannot be split among systems. Logically, it is a single pipe and, as such, is treated as a single point-to-point connection.

- Link Aggregation is supported only on links using the IEEE 802.3 MAC.

- All links in a LAG must operate at the same data rate.

- A given port will bind to, at most, a single Aggregator at any time. A MAC client is also served by one Aggregator at a time.

• IEEE 802.3ad is supported on:

- Matrix N-Series

- SecureStack

- D, G and I Series

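The rules on this slide and the LACP terminology (actor, partner, aggregation keys) from the preceding slides, applied to a constructed port inventory. This is an added example, not Enterasys code or the 802.3ad selection logic itself: ports aggregate only when they share the actor key, the partner's system ID and operational key, and one data rate; half-duplex ports and ports that never heard a partner are excluded; a port binds to at most one aggregator; and, mirroring the "Single Port LAGs: disabled" default shown later in the show lacp output, a group of one is left as an individual link unless single-port LAGs are turned on. Port names, speeds and keys are made up; the partner system ID reuses the one shown in the show lacp example.

```python
"""Grouping candidate ports into Link Aggregation Groups (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

NO_PARTNER = "00-00-00-00-00-00"   # partner system ID when no LACPDU was ever received


@dataclass
class LacpPort:
    name: str
    speed_mbps: int
    full_duplex: bool
    actor_key: int          # our admin key for this port
    partner_system: str     # partner's system ID learned from LACPDUs
    partner_key: int        # partner's operational key


def ineligible_reason(p: LacpPort) -> str:
    """Return why a port cannot take part in LACP aggregation, or '' if it can."""
    if not p.full_duplex:
        return "half duplex"
    if p.partner_system == NO_PARTNER:
        return "no LACP partner (candidate for a static LAG)"
    return ""


def group_into_lags(ports: List[LacpPort], max_per_lag: int = 8,
                    single_port_lag: bool = False):
    """Return (lags, individual, rejected).

    Ports aggregate when they share actor key, partner system, partner key
    and data rate; each LAG gets the next free lag.0.N name.
    """
    groups: Dict[Tuple[int, str, int, int], List[str]] = {}
    rejected: Dict[str, str] = {}
    for p in ports:
        why = ineligible_reason(p)
        if why:
            rejected[p.name] = why
            continue
        key = (p.actor_key, p.partner_system, p.partner_key, p.speed_mbps)
        members = groups.setdefault(key, [])
        if len(members) >= max_per_lag:
            rejected[p.name] = "LAG already has %d ports" % max_per_lag
            continue
        members.append(p.name)           # a port binds to at most one aggregator

    lags: Dict[str, List[str]] = {}
    individual: Dict[str, str] = {}
    for members in groups.values():
        if len(members) == 1 and not single_port_lag:
            individual[members[0]] = "single-port LAG disabled"
            continue
        lags["lag.0.%d" % (len(lags) + 1)] = members
    return lags, individual, rejected


# Constructed inventory: two 100 Mbps links to the same partner aggregate,
# a half-duplex port and a port with no partner are excluded, and the
# gigabit link to the same partner cannot share a LAG with 100 Mbps links.
PORTS = [
    LacpPort("fe.1.1", 100, True, 32768, "00-01-f4-b6-10-41", 4),
    LacpPort("fe.1.2", 100, True, 32768, "00-01-f4-b6-10-41", 4),
    LacpPort("fe.1.3", 100, False, 32768, "00-01-f4-b6-10-41", 4),
    LacpPort("ge.1.1", 1000, True, 32768, "00-01-f4-b6-10-41", 4),
    LacpPort("ge.1.2", 1000, True, 32768, NO_PARTNER, 0),
]

if __name__ == "__main__":
    for part in group_into_lags(PORTS):
        print(part)
```

With the defaults, only fe.1.1 and fe.1.2 form lag.0.1; ge.1.1 stays an ordinary link because it would be a one-port LAG, and ge.1.2 is reported as a static-LAG candidate because its partner never answered.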


Page 107: Enterasys Switching 2010

Product Specific Information

• LACP State

- By default, LACP is enabled globally and per port on all Enterasys platforms

- LACP can be disabled globally and per port:

  set lacp disable
  set port lacp port port-string disable

• VLAN Configuration

- By default, all LAG ports are on VLAN 1’s egress list as untagged, with a PVID equaling 1:

  Matrix N7 Platinum(su)->show vlan static
  VLAN: 1 NAME: DEFAULT VLAN Status: Enabled VLAN Type: Permanent FID: 1
  Creation Time: 0 days 0 hours 13 minutes 3 seconds ago
  Egress Ports
  lag.0.1-48;host.0.1;fe.1.1-48;ge.1.1-6
  Forbidden Egress Ports
  None.
  Untagged Ports
  lag.0.1-48;host.0.1;fe.1.1-48;ge.1.1-6

Page 108: Enterasys Switching 2010

Product Specific Information

• Displaying LAG Port Settings:

- Virtual LAG port parameters with underlying physical ports

  show lacp lag-port-string

  Matrix N7 Platinum(su)->show lacp lag.0.1
  Global Link Aggregation state: enabled
  Single Port LAGs: disabled

  Aggregator: lag.0.1
                       Actor                Partner
  System Identifier:   00:e0:63:6b:20:0a    00:01:f4:b6:10:41
  System Priority:     32768                1
  Admin Key:           32768
  Oper Key:            32768                4
  Attached Ports:      fe.1.1-2

Page 109: Enterasys Switching 2010

Product Specific Information

• Displaying Physical Port LACP Settings:

- Physical port parameters for a virtual LAG port

  show port lacp port port-string {[status {detail | summary}] | [counters]} [sort {port | lag}]

  Matrix N7 Platinum(su)->show port lacp port fe.1.1 status detail
  Global Link Aggregation state : enabled
  Port Instance: fe.1.1                  Port enable state: Enabled
  ActorPort:           64                PartnerAdminPort:            64
  ActorSystemPriority: 32768             PartnerOperPort:             31
  ActorPortPriority:   32768             PartnerAdminSystemPriority:  32768
  ActorAdminKey:       32768             PartnerOperSystemPriority:   1
  ActorOperKey:        32768             PartnerAdminPortPriority:    32768
  ActorAdminState:     -----GlA          PartnerOperPortPriority:     1
  ActorOperState:      --DCSGlA          PartnerAdminKey:             64
  ActorSystemID:       00-e0-63-6b-20-0a PartnerOperKey:              4
  SelectedAggID:       lag.0.1           PartnerAdminState:           --DCS-lp
  AttachedAggID:       lag.0.1           PartnerOperState:            --DCSGlA
  MuxState:            Distributing      PartnerAdminSystemID:        00-00-00-00-00-00
  DebugRxState:        Current           PartnerOperSystemID:         00-01-f4-b6-10-41

Page 110: Enterasys Switching 2010

Product Specific Information

• Static LAG Ports

- For aggregating ports that do not support IEEE 802.3ad, static LAGs may be configured

- LACP is not used to aggregate ports for static LAG ports

- Used with IDS mirroring as the virtual LAG destination port

Page 111: Enterasys Switching 2010

Product Specific Information

• Matrix N-Series

- Supports the IEEE 802.3ad standard

- Each N-Series Platinum DFE module reserves 48 virtual link aggregator ports, shown in the CLI as lag.0.1 through lag.0.48

- The N-Series Gold DFE modules reserve 24 virtual link aggregator ports, shown in the CLI as lag.0.1 through lag.0.24.

› When a physical port joins a LAG, the physical port is displayed as dormant in the show port status command

- Supports three different spreading algorithms:

› DIP-SIP (default)

› DMAC-SMAC

› Round robin

  set lacp outportAlgorithm [ dip-sip | da-sa | round-robin ]

- Supports flow regeneration for virtual LAG port changes:

  set lacp flowRegeneration [enable | disable ]

Page 112: Enterasys Switching 2010

Product Specific Information

• SecureStack

- Supports the IEEE 802.3ad standard

› LAG ports can be spread across the stack

- Capacity

› SecureStack C2/C3, B2/B3

- Supports up to 6 LAGs per stack, shown in the CLI as lag.0.1 through lag.0.6

- Supports up to 8 ports per LAG

› SecureStack A2

- Supports up to 6 LAGs per stack, shown in the CLI as lag.0.1 through lag.0.6

- Supports up to 4 ports per LAG

Page 113: Enterasys Switching 2010

Product Specific Information

• LAG Port Considerations

- When physical ports form a LAG port, the physical port settings do not translate into logical port settings for the LAG port

  Matrix N7 Platinum(su)->show config vlan
  begin
  !
  # ***** NON-DEFAULT CONFIGURATION *****
  !
  !
  # vlan
  set vlan create 333
  set vlan egress 333 fe.1.1-4 untagged

  Matrix N7 Platinum(su)->show lacp lag.0.1
  Global Link Aggregation state: enabled

  Aggregator: lag.0.1
                       Actor                Partner
  System Identifier:   00:e0:63:6b:20:8a    00:01:f4:c1:5e:01
  System Priority:     32768                1
  Admin Key:           32768
  Oper Key:            32768                1
  Attached Ports:      fe.1.1-4

  Matrix N7 Platinum(su)->show vlan 333
  VLAN: 333 NAME:
  Status: Enabled VLAN Type: Permanent FID: 333
  Creation Time: 0 days 2 hours 27 minutes 43 seconds ago
  Egress Ports
  None.
  Forbidden Egress Ports
  None.
  Untagged Ports
  None.

- All physical ports in a LAG will remain part of the virtual LAG port until only one port is operational in the group

› The remaining port will then revert to its physical port settings

› UNLESS the “single port LAG” feature is enabled on the device

Page 114: Enterasys Switching 2010

Recommended Practices

• VLAN configuration

- Configure the VLAN egress and PVID settings for a virtual LAG port and all of the underlying physical ports identically

› This accounts for the situation where all but one port in the LAG become inoperational

  Matrix N7 Platinum(su)->set vlan egress 333 lag.0.1 tagged
  Matrix N7 Platinum(su)->set vlan egress 333 fe.1.1-4 tagged
  Matrix N7 Platinum(su)->set port vlan lag.0.1 5
  Matrix N7 Platinum(su)->set port vlan fe.1.1-4 5

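A check for the recommendation above and for the LAG Port Considerations slide before it: given the configuration lines in the form the slides show, confirm that every physical member of a LAG carries the same VLAN egress list and PVID as the virtual LAG port, so that a member reverting to its physical settings keeps working. This is an added example, not Enterasys code. It parses only "set vlan egress" and "set port vlan" lines, expands port strings such as fe.1.1-4, and takes the LAG membership (fe.1.1-4 on lag.0.1) and VLAN numbers from the slides; the factory default of VLAN 1 untagged with PVID 1 (from the show vlan static output earlier) is assumed as the starting state of every port.

```python
"""Checking that a LAG port and its physical members share VLAN settings (added example)."""
import re
from typing import Dict, List

PORT_RE = re.compile(r"([a-z]+)\.(\d+)\.(\d+)(?:-(\d+))?")


def expand(port_spec: str) -> List[str]:
    """'fe.1.1-4;lag.0.1' -> ['fe.1.1', 'fe.1.2', 'fe.1.3', 'fe.1.4', 'lag.0.1']."""
    out = []
    for spec in port_spec.split(";"):
        m = PORT_RE.fullmatch(spec)
        if not m:
            raise ValueError("unrecognised port string: %s" % spec)
        kind, slot, first, last = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        last = int(last) if last else first
        out += ["%s.%s.%d" % (kind, slot, n) for n in range(first, last + 1)]
    return out


class VlanConfig:
    def __init__(self) -> None:
        self.egress: Dict[str, Dict[int, str]] = {}   # port -> {vlan: 'tagged'|'untagged'}
        self.pvid: Dict[str, int] = {}

    def _egress(self, port: str) -> Dict[int, str]:
        # Factory default assumed from the show vlan static slide: VLAN 1 untagged.
        return self.egress.setdefault(port, {1: "untagged"})

    def apply(self, config_text: str) -> None:
        """Replay 'set vlan egress' and 'set port vlan' lines; other lines are ignored."""
        for line in config_text.splitlines():
            line = line.strip()
            m = re.fullmatch(r"set vlan egress (\d+) (\S+) (tagged|untagged)", line)
            if m:
                for p in expand(m.group(2)):
                    self._egress(p)[int(m.group(1))] = m.group(3)
                continue
            m = re.fullmatch(r"set port vlan (\S+) (\d+)", line)
            if m:
                for p in expand(m.group(1)):
                    self.pvid[p] = int(m.group(2))

    def check_lag(self, lag: str, attached: str) -> List[str]:
        """One line per physical member whose settings differ from the LAG port's."""
        want_egress = self._egress(lag)
        want_pvid = self.pvid.get(lag, 1)
        problems = []
        for p in expand(attached):
            have_egress = self._egress(p)
            if have_egress != want_egress:
                problems.append("%s egress %s differs from %s egress %s"
                                % (p, have_egress, lag, want_egress))
            if self.pvid.get(p, 1) != want_pvid:
                problems.append("%s PVID %d differs from %s PVID %d"
                                % (p, self.pvid.get(p, 1), lag, want_pvid))
        return problems


# Constructed from the LAG Port Considerations slide: only the physical ports were configured.
BEFORE = """
set vlan create 333
set vlan egress 333 fe.1.1-4 untagged
"""

# Constructed from the Recommended Practices slide: LAG port and members configured alike.
AFTER = """
set vlan create 333
set vlan egress 333 lag.0.1 tagged
set vlan egress 333 fe.1.1-4 tagged
set port vlan lag.0.1 5
set port vlan fe.1.1-4 5
"""


def audit(config_text: str) -> List[str]:
    cfg = VlanConfig()
    cfg.apply(config_text)
    return cfg.check_lag("lag.0.1", "fe.1.1-4")


if __name__ == "__main__":
    print(audit(BEFORE))
    print(audit(AFTER))
```

The first configuration produces four findings (each member carries VLAN 333 while lag.0.1 does not); the second produces none. Leaving one member out of the PVID command is reported for that port alone.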

Page 115: Enterasys Switching 2010

“There is nothing more important than our customers”

Enterprise Switching

Traffic Management

Page 116: Enterasys Switching 2010

Agenda

• Traffic Management Overview

• Analyse network traffic - Port and VLAN mirroring

• Reduce unwanted traffic- Broadcast suppression

- MAC Locking

- Flow Setup Throttling

Page 117: Enterasys Switching 2010

Traffic Management Overview

• Traffic Management is:

- Control and allocation of bandwidth

- Reduction in network delays

- Minimization of network congestion

• Traffic Management encompasses:

- Management of network capacity

- Measuring and modelling network traffic

- Analysing network performance

Page 118: Enterasys Switching 2010

Traffic Management Overview

• Traffic Management - Action Steps:

- Analyse network traffic

- Throttle broadcast traffic

- Reduce unwanted traffic

- Rate limit traffic to allocate bandwidth where needed

- Manage the network traffic to deliver Quality of Service (QoS)

› Classify traffic using Layer 2, 3, or 4 criteria for prioritization, VLAN assignment, allowing and/or discarding

- Prioritise delay-sensitive traffic using prioritisation classification rules

- Eliminate unwanted/malicious traffic using discard classification rules

› Mark prioritised traffic to indicate the forwarding treatment packets receive at each network device along the transmission path

› Specify the forwarding treatment to prioritise, shape and police packet transmission

- Increase available bandwidth


Page 120: Enterasys Switching 2010

Analyse Network Traffic

• Managing traffic requires knowledge about the types of traffic being generated.

• Network analysers (sniffers or probes) capture packet and frame information

- In shared environments, a sniffer sees all traffic present on a LAN segment

- In switched environments, a sniffer sees only traffic present on the port to which it is attached

• Mirroring Ports or VLANs permits the copying of traffic to a specified port

- A sniffer is connected to this port

- Allows capture and analysis of traffic on a specific switch port


Page 122: Enterasys Switching 2010

Analyse Network Traffic Port Mirroring

• A feature supported on all Enterasys switches

• Allows you to map a source port to a destination port

- Copies the bit stream from a source port to a destination port

› Receive traffic only, transmit traffic only, or both

- Utilize an RMON probe (statistics analyser) or a network analyser (sniffer) for analysis

- Implement an Intrusion Detection System (IDS) for detecting security events

- In most implementations, errored frames are not mirrored

- Many-to-one port mirroring is supported on all platforms

- One-to-many mirroring is not supported on all platforms

• Physical ports, logical ports, and backplane ports may be mirrored:

- To another physical port locally

- To another board’s port in the chassis (Matrix N-series)

- To another device’s port in the stack (SecureStack)

• Can create bottlenecks

Page 123: Enterasys Switching 2010

Analyse Network Traffic VLAN Mirroring

• A feature not supported on all Enterasys switches

• Mirrors all VLAN traffic to a specified destination port

- Traffic within a given VLAN can be analysed at one connection point

• Can create bottlenecks

- Traffic is discarded if the target port is oversubscribed

- Many-to-One mapping allows multiple VLANs to be sent to a specified destination port

• Frame format option is available on a per-instance basis


Page 125: Enterasys Switching 2010

Broadcast Suppression

• Two ways to reduce or contain broadcast traffic in a network:

- Segment using VLANs

- Use broadcast suppression

• Broadcast Suppression Functionality

- Regulates the flow of broadcast traffic through the network

- Restricts the number of received broadcast frames allowed to be transmitted

- Protects against broadcast storms

- Configuration is on the switch and occurs at the CPU

› The port broadcasts all frames

› Limiting occurs when the CPU sees the packets coming from the source port

• Enterasys switches suppress broadcast packets exceeding a user-configured limit

- Uses thresholds measured on the basis of packet frequency

[Figure: a PC sends broadcast frames (FF FF FF FF) into a switch. Broadcast suppression is configured on the switch and occurs at the switch CPU.]

Page 126: Enterasys Switching 2010

Broadcast Suppression

• Matrix N-series

- Disabled by default

- Threshold value sets the packets-per-second threshold on broadcast traffic

› The minimum value is 1 pps.

› The maximum value is 1488100 pps for Gigabit and 148810 pps for Fast Ethernet.

- The command to configure broadcast suppression is:

  set port broadcast port_string threshold_value

• SecureStack

- Identical support to Matrix N-series

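The packets-per-second limiting described on the two Broadcast Suppression slides, as a small model run over a constructed burst of frames. This is an added example and not Enterasys code or a description of the switch's internal implementation: it counts broadcast frames per source port in one-second windows, drops those beyond the configured threshold, leaves unicast and unconfigured ports alone, and rejects threshold values outside the 1 pps minimum and the per-media maximums quoted on the slide. Port names, timings and thresholds are made up.

```python
"""Packets-per-second broadcast suppression, as a small model (added example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Maximum pps values from the slide, keyed by the port-string prefix.
MAX_PPS = {"ge": 1488100, "fe": 148810}


def validate_threshold(port: str, pps: int) -> int:
    """Reject values outside the range 'set port broadcast' accepts for this media."""
    kind = port.split(".")[0]
    if kind not in MAX_PPS:
        raise ValueError("unknown port type in %s" % port)
    if not 1 <= pps <= MAX_PPS[kind]:
        raise ValueError("%s: threshold %d outside 1..%d pps" % (port, pps, MAX_PPS[kind]))
    return pps


def threshold_ok(port: str, pps: int) -> bool:
    """True if validate_threshold would accept the value."""
    try:
        validate_threshold(port, pps)
        return True
    except ValueError:
        return False


class BroadcastSuppressor:
    def __init__(self, thresholds: Dict[str, int]) -> None:
        self.thresholds = {p: validate_threshold(p, v) for p, v in thresholds.items()}
        self.window: Dict[str, int] = {}                 # current one-second window per port
        self.count: Dict[str, int] = defaultdict(int)    # broadcasts seen in that window
        self.dropped: Dict[str, int] = defaultdict(int)

    def admit(self, port: str, ts: float, dst_mac: str) -> bool:
        """True if the frame received on `port` at time `ts` is forwarded."""
        if dst_mac != BROADCAST or port not in self.thresholds:
            return True                                  # unicast, or suppression not configured
        window = int(ts)
        if self.window.get(port) != window:              # new second: restart the count
            self.window[port] = window
            self.count[port] = 0
        self.count[port] += 1
        if self.count[port] > self.thresholds[port]:
            self.dropped[port] += 1
            return False
        return True


def run_scenario() -> Tuple[int, Dict[str, int]]:
    """Constructed storm: 20 broadcasts in one second on a port limited to 5 pps."""
    bs = BroadcastSuppressor({"fe.1.1": 5})
    frames: List[Tuple[str, float, str]] = []
    frames += [("fe.1.1", i * 0.05, BROADCAST) for i in range(20)]        # burst in second 0
    frames += [("fe.1.1", 1.0 + i * 0.3, BROADCAST) for i in range(3)]    # 3 pps in second 1
    frames += [("fe.1.1", 0.5, "00:e0:63:01:02:03")]                      # unicast: never limited
    frames += [("ge.1.1", 0.5 + i * 0.01, BROADCAST) for i in range(10)]  # no threshold set
    admitted = sum(1 for port, ts, dst in sorted(frames, key=lambda f: f[1])
                   if bs.admit(port, ts, dst))
    return admitted, dict(bs.dropped)


if __name__ == "__main__":
    print(run_scenario())
```

Of the 34 constructed frames, 19 are forwarded: the first five broadcasts of the storm second, all three in the following second, the unicast frame, and everything on ge.1.1, which has no threshold configured.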


Page 128: Enterasys Switching 2010

MAC Locking

• MAC locking allows administrators to provide access to the network based on a device’s MAC address

- Also known as MAC-based port locking, port locking, and port security

- Locks a port to one or more MAC addresses, preventing connection of unauthorized devices via a port

- MAC Locking comes in two flavors:

› Static MAC Locking: locking one or more specified MAC addresses to a port

› Dynamic MAC Locking: locking one or more MAC addresses to a port based on the chronological order of frames received after dynamic MAC locking is enabled

- MAC locking is supported on all Enterasys switches

Page 129: Enterasys Switching 2010

MAC Locking Implementation

• To implement MAC locking on all platforms, the following steps must be executed:

1. For static MAC locking:

a. Create static MAC addresses for MAC locking on the particular port:

   set maclock mac_address port_string create

b. Restrict MAC locking to a maximum number of MAC addresses on the particular port:

   set maclock static port_string value

2. For dynamic MAC locking:

a. Set the maximum number of MAC addresses for dynamic MAC locking:

   set maclock firstarrival port_string value

3. Optionally enable the sending of traps via SNMP as an administrative notification tool when a device beyond the maximum number of MAC addresses allowed attempts to access a port:

   set maclock trap port_string {enable | disable}

4. Enable MAC locking on the particular port:

   set maclock enable port_string

5. Enable MAC locking globally:

   set maclock enable

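The five steps above and the static versus first-arrival distinction from the previous slide, as a small model of one locked port. This is an added example, not Enterasys code: it keeps a static list (step 1a) bounded by the static maximum (1b), learns up to the first-arrival maximum of dynamic addresses in order of arrival (2a), records a trap for each rejected source when traps are enabled (3), and only enforces anything once both the per-port (4) and global (5) enables are set. The port name, MAC addresses and limits are constructed.

```python
"""MAC locking on one port, following the configuration steps (added example)."""
from typing import List, Set, Tuple


class MacLockPort:
    def __init__(self, port: str, static_max: int = 0, firstarrival_max: int = 0,
                 trap: bool = False) -> None:
        self.port = port
        self.static: Set[str] = set()              # set maclock <mac> <port> create
        self.static_max = static_max               # set maclock static <port> <value>
        self.firstarrival_max = firstarrival_max   # set maclock firstarrival <port> <value>
        self.dynamic: List[str] = []               # learned in arrival order
        self.trap = trap                           # set maclock trap <port> enable
        self.port_enabled = False                  # set maclock enable <port>
        self.traps: List[str] = []

    def create_static(self, mac: str) -> None:
        """Add a permanently allowed address, up to the static maximum."""
        if len(self.static) >= self.static_max:
            raise ValueError("%s: static MAC limit of %d reached" % (self.port, self.static_max))
        self.static.add(mac.lower())

    def frame(self, src_mac: str, global_enabled: bool) -> str:
        """Return 'forward', 'learned' or 'violation' for a frame from src_mac."""
        mac = src_mac.lower()
        if not (global_enabled and self.port_enabled):
            return "forward"                       # locking not in effect: any source passes
        if mac in self.static or mac in self.dynamic:
            return "forward"
        if len(self.dynamic) < self.firstarrival_max:
            self.dynamic.append(mac)               # first-arrival slot still free
            return "learned"
        if self.trap:
            self.traps.append("maclock violation on %s from %s" % (self.port, mac))
        return "violation"                         # frame dropped, device not admitted


def run_scenario() -> Tuple[List[str], MacLockPort]:
    """Constructed: one static address, two first-arrival slots, traps on."""
    p = MacLockPort("fe.1.1", static_max=1, firstarrival_max=2, trap=True)
    p.create_static("00-E0-63-AA-BB-01")         # step 1a: always-allowed device
    p.port_enabled = True                         # step 4
    results = [p.frame("00-11-22-33-44-09", global_enabled=False)]   # step 5 not yet done
    results += [p.frame(m, True) for m in [
        "00-e0-63-aa-bb-01",   # static entry
        "00-11-22-33-44-01",   # takes the first dynamic slot
        "00-11-22-33-44-02",   # takes the second dynamic slot
        "00-11-22-33-44-03",   # third device: violation, trap recorded
        "00-11-22-33-44-01",   # already learned
    ]]
    return results, p


if __name__ == "__main__":
    res, port = run_scenario()
    print(res, port.dynamic, port.traps)
```

Note the first result: with the port enabled but the global enable (step 5) still off, an unknown source is forwarded, which is why the slide lists the global enable as its own step.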


Recommended