lenovo networking os 10.3 application...

LenovoNetwork

ApplicationGuideforLenovoCloudNetworkOperatingSystem10.3

Note:Beforeusingthisinformationandtheproductitsupports,readthegeneralinformationintheSafetyinformationandEnvironmentalNoticesandUserGuidedocumentsontheLenovoDocumentationCD,andtheWarrantyInformationdocumentthatcomeswiththeproduct.

FirstEdition(February2017)

CopyrightLenovo2017PortionsCopyrightIBMCorporation2014.

LIMITEDANDRESTRICTEDRIGHTSNOTICE:IfdataorsoftwareisdeliveredpursuantaGeneralServicesAdministrationGSAcontract,use,reproduction,ordisclosureissubjecttorestrictionssetforthinContractNo.GS35F05925.

LenovoandtheLenovologoaretrademarksofLenovointheUnitedStates,othercountries,orboth.

Copyright Lenovo 2017 3

ContentsPreface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19WhoShouldUseThisGuide .......................20ApplicationGuideOverview .......................21AdditionalReferences ..........................24TypographicConventions ........................25ISCLICommandModes.........................26CommandLineInterfaceShortcuts....................27

CLIListandRangeInputs......................27CommandAbbreviation .......................27TabCompletion...........................27LineEditing............................28

Part 1: Getting Started . . . . . . . . . . . . . . . . . . . . . . 29

Chapter 1. Switch Administration . . . . . . . . . . . . . . . . . 31AdministrationInterfaces ........................32

IndustryStandardCommandLineInterface..............32EstablishingaConnection........................33

UsingtheSwitchManagementInterface................33UsingtheSwitchEthernetPorts ....................34UsingTelnet ............................35UsingSecureShell..........................36

UsingSSHwithPasswordAuthentication .............36UsingSSHwithServerKeyAuthentication .............37

UsingSimpleNetworkManagementProtocol..............38ZeroTouchProvisioning ........................39

DHCPDiscovery ..........................40ZTPBootFile ............................41ForcedlyenablingordisablingZTP ..................42

DHCPIPAddressServices........................43DHCPClientConfiguration .....................43DHCPv4HostnameConfiguration(Option12) .............44DHCPv4SyslogServer(Option7) ...................44DHCPv4NTPServer(Option42)...................45DHCPv4VendorClassIdentifier(Option60) ..............45DHCPRelayAgent .........................46DHCPv4Option82 .........................47

SwitchLoginLevels ...........................48

4 Application Guide for CNOS 10.3

Ping ................................. 50PingConfigurableParameters .................... 51

TestInterruption ........................ 51PingCount ........................... 51PingPacketInterval ....................... 51PingPacketSize......................... 52PingSource........................... 52PingDFBit ........................... 52PingTimeout.......................... 53PingVRF............................ 53PingInteractiveMode ...................... 54

Traceroute............................... 55TracerouteConfigurableParameters ................. 56

TestInterruption ........................ 56TracerouteSource........................ 56TracerouteVRF......................... 56TracerouteInteractiveMode ................... 57

NetworkTimeProtocol ......................... 58NTPSynchronizationRetry ..................... 58NTPClientandPeer ........................ 59

NTPAuthenticationFieldEncryptionKey ............. 60NTPPollingIntervals ...................... 60NTPPreference......................... 61

DynamicandStaticNTPServers ................... 61NTPAuthentication ......................... 61

NTPAuthenticationConfigurationExample ............ 62SystemLogging ............................ 63

SyslogOutputs........................... 64SyslogSeverityLevels ........................ 65SyslogTimeStamping ........................ 66SyslogRateLimit.......................... 66SyslogServers ........................... 67ConsoleLoggingFloodControl .................... 68DuplicateSyslogMessageSuppression ................ 69

IdleDisconnect............................. 70PythonScripting ............................ 71RESTAPIProgramming......................... 72

Chapter 2. System License Keys . . . . . . . . . . . . . . . . . 73ObtainingLicenseKeys ......................... 74InstallingLicenseKeys ......................... 75UninstallingLicenseKeys ........................ 76TransferringLicenseKeys ........................ 77ONIELicenseKey ........................... 78

Chapter 3. Switch Software Management . . . . . . . . . . . . . . 79InstallingNewSoftwaretoYourSwitch.................. 80

InstallingSystemImagesfromaRemoteServer ............. 80InstallingSystemImagesfromaUSBDevice .............. 82InstallingUbootfromaRemoteServer ................ 83InstallingUbootfromaUSBDevice ................. 84

Copyright Lenovo 2017 : Contents 5

SelectingaSoftwareImagetoRun ....................85ReloadingtheSwitch ..........................86CopyingConfigurationFiles .......................87

CopyConfigurationFilesviaaRemoteServer .............87CopyConfigurationFilestoaUSBDevice ...............88

ResettingtheSwitchtotheFactoryDefaults ................89ReloadingtheENOSImage .......................90

ReloadtheENOSImageontheG8296andtheG8332 ..........90ReloadtheENOSImageontheG8272 .................91

TheBootManagementMenu .......................93BootRecoveryMode ........................94RecoverfromaFailedImageUpgradeusingTFTP............95RecoveringfromaFailedImageUpgradeusingXModemDownload ...97PhysicalPresence ..........................99ONIEsubmenu..........................100

ONIE ................................101InstallingONIEfromaUSBDevice .................101InstallingONIEfromaRemoteServer ................102BootinginONIEMode.......................103

BootinginONIEInstallMode ..................103BootinginONIEUninstallMode ................104BootinginONIEUpdateMode .................104BootinginONIERescueMode .................104

Part 2: Securing the Switch . . . . . . . . . . . . . . . . . . . . 105

Chapter 4. Securing Administration . . . . . . . . . . . . . . . .107SecureShellandSecureCopy .....................108

SSHEncryptionandAuthentication.................109GeneratingRSA/DSAHostKeyforSSHAccess ............109SSHIntegrationwithTACACS+Authentication ............109ConfiguringSSHontheSwitch ...................110UsingSSHClientCommands ....................111

ToLogOntotheSwitch ....................111UsingSecureCopy........................112

CopyingaFileUsingSCP....................112CopyingtheStartupConfigurationUsingSCP ..........112CopyingtheRunningConfigurationUsingSCP ..........112CopyingTechnicalSupportFilesUsingSCP............112

EnduserAccessControl ........................113ConsiderationsforConfiguringEnduserAccounts ..........113StrongPasswords.........................113UserAccessControl........................114

SettingupUsers ........................114DefiningaUsersAccessLevel .................115DeletingaUser........................115TheDefaultUser .......................115PasswordHistoryChecking...................116AdministratorPasswordRecovery................117


Chapter 5. AAA Protocols . . . . . . . . . . . . . . . . . . . . 119RADIUS............................... 120

RADIUSBasics.......................... 120HowRADIUSAuthenticationWorks ................ 120RADIUSAuthenticationFeaturesinCloudNOS........... 121SwitchUserAccounts ....................... 121RADIUSAttributesforCloudNOSUserPrivileges .......... 122ConfiguringRADIUSontheSwitch................. 122

TACACS+.............................. 124TACACS+Basics......................... 124HowTACACS+AuthenticationWorks ............... 124TACACS+AuthenticationFeaturesinCloudNOS........... 125

Authorization......................... 125Accounting .......................... 125

ConfiguringTACACS+AuthenticationontheSwitch ......... 126Authentication,Authorization,andAccounting ............. 127

AAAGroups ........................... 128GroupLists.......................... 128ConfiguringAAAGroups ................... 129

Authentication .......................... 130ConfiguringAAAAuthentication ................ 130

Authorization.......................... 132ConfiguringAAAAuthorization ................ 132

Accounting ........................... 133ConfiguringAAAAccounting ................. 133

Chapter 6. Access Control Lists. . . . . . . . . . . . . . . . . . 135SupportedACLTypes ........................ 136SummaryofPacketClassifiers ..................... 137SummaryofACLActions ....................... 139ConfiguringPortACLs(PACLs).................... 140ConfiguringRouterACLs(RACLs)................... 141ConfiguringVLANACLs(VACLs)................... 142

VACLConfigurationExample ................... 143ConfiguringManagementACLs(MACLs) ................ 144ACLOrderofPrecedence ....................... 145CreatingandModifyingACLs ..................... 146

CreatinganIPv4ACL....................... 147RemovinganIPv4ACL.................... 147ResequencinganIPv4ACL ................... 147

CreatingaMACACL ....................... 148RemovingaMACACL .................... 148ResequencingaMACACL ................... 148

CreatinganARPACL....................... 149RemovinganARPACL .................... 149ResequencinganARPACL ................... 149

ViewingACLRuleStatistics ...................... 150


ACLConfigurationExamples .....................151ACLExample1..........................151ACLExample2..........................151ACLExample3..........................152ACLExample4..........................152ACLExample5..........................153ACLExample6..........................153

Part 3: Switch Basics . . . . . . . . . . . . . . . . . . . . . . 155

Chapter 7. Interface Management . . . . . . . . . . . . . . . . . 157InterfaceManagementOverview ....................158ManagementInterface.........................159

VirtualRoutingandForwarding ..................160PhysicalPorts............................161

G8272PhysicalPortCapabilities ..................161G8296PhysicalPortCapabilities ..................161G8332PhysicalPortCapabilities ..................162CLIPortFormat .........................163

PortAggregation ...........................165LoopbackInterfaces ..........................166SwitchVirtualInterfaces ........................167BasicInterfaceConfiguration ......................168

InterfaceDescription .......................169InterfaceDuplex .........................169InterfaceMACAddress ......................170InterfaceMaximumTransmissionUnit................170InterfaceShutdown ........................171InterfaceSpeed ..........................171FlowControl ...........................172StormControl ..........................173

Chapter 8. Forwarding Database. . . . . . . . . . . . . . . . . . 175MACLearning ............................176StaticMACaddresses .........................177AgingTime.............................178

Chapter 9. VLANs . . . . . . . . . . . . . . . . . . . . . . . .179VLANOverview ...........................180VLANConfiguration .........................181

CreatingaVLAN .........................182DeletingaVLAN.........................183ConfiguringtheStateofaVLAN ..................184ConfiguringtheNameofaVLAN..................186ConfiguringaSwitchAccessPort ..................187

ConfiguringtheAccessVLAN .................187ConfiguringaSwitchTrunkPort ..................189

ConfiguringtheAllowedVLANList ...............189ConfiguringtheNativeVLAN .................190


NativeVLANTagging........................ 192ConfiguringNativeVLANTagging................. 193

PortVLANIDIngressTagging..................... 195ConfiguringPVIDIngressTagging ................. 195

IPMCFlooding............................ 196VLANTopologiesandDesignConsiderations.............. 197

MultipleVLANswithTrunkModeAdapters ............. 198VLANConfigurationExample ................... 200

Chapter 10. Ports and Link Aggregation . . . . . . . . . . . . . . 201PortConfigurationProfiles ...................... 202

G8272PortConfiguration ..................... 202G8296PortConfiguration ..................... 204G8332PortConfiguration ..................... 207

AggregationOverview ........................ 210CreatingaLAG.......................... 210

StaticLAGs ............................. 212StaticLAGConfigurationRules................... 212ConfiguringaStaticLAG ..................... 213

LinkAggregationControlProtocol ................... 216ConfiguringLACP ........................ 216

SystemPriority ........................ 217PortPriority......................... 218LACPTimeout ........................ 218LACPIndividual ....................... 218LACPConfigurationExample ................. 219

LAGHashing ............................ 221LAGHashingConfiguration .................... 223

Chapter 11. Spanning Tree Protocol . . . . . . . . . . . . . . . . 225STPOverview ............................ 226BridgeProtocolDataUnits ...................... 227

DeterminingthePathforForwardingBPDUs............. 227BPDUGuard ......................... 227BPDUFilter ......................... 228RootGuard.......................... 228LoopGuard ......................... 229PortPriority......................... 229PortPathCost ........................ 230

ErrorDisableRecovery ........................ 231PortTypeandLinkType....................... 232

EdgePort ............................ 232LinkType............................ 232

RapidPerVLANSpanningTreePlus .................. 233RapidPVST+Parameters ..................... 234

BridgePriority ........................ 234PortPriority......................... 234PortPathCost ........................ 235ForwardDelay ........................ 235HelloTimer ......................... 235MaximumAgeInterval .................... 236


RapidPVST+Configuration ......................237MultipleSpanningTreeProtocol ....................238

CommonInternalSpanningTree ..................238PortStates............................238MSTRegion...........................239MSTPParameters.........................240

HopCount ..........................240ForwardDelay ........................240HelloTimer..........................241MaximumAgeInterval.....................241BridgePriority ........................241PortPriority .........................242PortPathCost.........................242

MSTPConfiguration .........................243MSTPConfigurationExample ...................243

Chapter 12. Virtual Link Aggregation Groups . . . . . . . . . . . . 245vLAGOverview ...........................246vLAGCapacities...........................248

vLAGBenefits ..........................248vLAGSynchronizationMechanism .................249vLAGSystemMAC ........................249vLAGandLACPIndividual ....................250vLAGandLACPSystemPriority..................250vLAGLACPMisconfigurationsorCablingErrors...........250FDBSynchronization.......................251vLAGandSTP ..........................252vLAGandVRRP .........................253

vLAGVRRPPassiveMode(HalfActiveActive) ..........253vLAGVRRPActiveMode(FullActiveActive) ..........253

vLAGConfigurationConsistencyCheck ...............254vLAGandIGMPSnooping .....................256

MulticastRouterSynchronization................256IGMPGroupsSynchronization .................256IGMPQuerierSynchronization .................256

vLAGPeerGateway........................257vLAGsversusregularLAGs ......................258ConfiguringvLAGs ..........................259

vLAGISL............................260vLAGRoleElection ........................260vLAGInstance ..........................261FDBRefresh ...........................262vLAGTierID ...........................262vLAGStartupDelay ........................263vLAGAutorecovery.......................264

HealthCheck.............................265BasicHealthCheckConfigurationExample..............266

BasicvLAGConfigurationExample ...................267ConfiguringtheISL ........................268ConfiguringthevLAG .......................269


vLAGConfigurationVLANsMappedtoaMSTInstance ......... 270ConfiguringtheISL........................ 270ConfiguringthevLAG....................... 271

ConfiguringvLAGsinMultipleLayers ................. 272Task1:ConfigureLayer2/3BorderRegion .............. 273

ConfiguringBorderRouter1.................. 273ConfiguringBorderRouter2.................. 273

Task2:ConfigureswitchesintheLayer2region........... 274ConfiguringSwitchA..................... 274ConfiguringSwitchB ..................... 275ConfiguringSwitchesCandD................. 277ConfiguringSwitchE ..................... 278ConfiguringSwitchF..................... 279

Chapter 13. Quality of Service . . . . . . . . . . . . . . . . . . 281QoSOverview ............................ 282ClassMaps............................. 283

QoSClassificationTypes...................... 284UsingACLFilters....................... 284UsingClassofServiceFilters .................. 285UsingDiffServCodePoint(DSCP)Filters ............ 286UsingTCP/UDPPortFilters .................. 288UsingPrecedenceFilters .................... 288UsingProtocolFilters ..................... 289

QueuingClassificationTypes.................... 290ClassMapConfigurationExamples ................. 291

QoSClassMapConfigurationExample ............. 291QueueingClassMapConfigurationExample ........... 291

PolicyMaps ............................. 292IngressPolicing.......................... 292

DefiningSingleRateandDualRatePolicers ........... 292Marking ........................... 294

QueuingPolicing ......................... 294Bandwidth .......................... 294Shaping ........................... 294Priority ........................... 294

PolicyMapConfigurationExample ................. 295QoSPolicyMapConfigurationExample............. 295QueuingPolicyMapConfigurationExample ........... 296

ControlPlaneProtection ....................... 297ControlPlaneConfigurationExamples ............... 298

WRED ............................... 300ConfiguringWRED ........................ 300

WREDConfigurationExample ................. 300InterfaceServicePolicy ........................ 302

Limitations............................ 302MicroburstDetection ......................... 303

Chapter 14. CEE . . . . . . . . . . . . . . . . . . . . . . . . 305RoCEandiSCSI........................... 307

RoCERequirements ........................ 307


ConvergedEnhancedEthernet .....................308TurningCEEOnorOff ......................308EffectsonLinkLayerDiscoveryProtocol ...............309Effectson802.1pQualityofService .................309EffectsonFlowControl......................311

PriorityBasedFlowControl......................312PFCConfiguration ........................313PFCConfigurationExample ....................314

EnhancedTransmissionSelection ....................315802.1pPriorityValues .......................315PriorityGroups ..........................316

PGID ............................316AssigningPriorityValuestoaPriorityGroup ...........317AllocatingBandwidth .....................317

ConfiguringETS.........................318DataCenterBridgingCapabilityExchange ................321

DCBXModes ...........................321DCBXSettings ..........................321

EnablingandDisablingDCBX .................322PeerConfigurationNegotiation .................322

ConfiguringDCBX........................323CEEConfigurationExamples......................324

CEEExample1 ..........................324CEEExample2 ..........................325

Part 4: IP Routing . . . . . . . . . . . . . . . . . . . . . . . . 327

Chapter 15. Basic IP Routing . . . . . . . . . . . . . . . . . . . 329IPRouting..............................330

DirectandIndirectRouting.....................331StaticRouting ..........................331DynamicRouting .........................332DefaultGateway .........................332VirtualRoutingandForwarding ..................333

RoutingInformationBase .......................334RouteswithIndirectNexthops...................334

BidirectionalForwardingDetection ...................335BFDAsynchronousMode .....................336BFDEchoMode..........................336BFDPeerSupport .........................337BFDStaticRoutes .........................337BFDAuthentication ........................338GeneralizedTTLSecurityMechanism................339BFDandBGP...........................339BFDandOSPF ..........................339

RoutingBetweenIPSubnets ......................340ExampleofSubnetRouting.....................341UsingVLANstoSegregateBroadcastDomains ............342

ConfigurationExample.....................342


ECMPStaticRoutes.......................... 345RIBSupportforECMPRoutes ................... 345ECMPHashing .......................... 345ConfiguringECMPStaticRoutes.................. 346

DynamicHostConfigurationProtocol.................. 347InternetControlMessageProtocol ................... 348

ICMPRedirects .......................... 349ICMPPortUnreachable...................... 349ICMPUnreachable(exceptPort).................. 349

Chapter 16. Routed Ports . . . . . . . . . . . . . . . . . . . . 351RoutedPortsOverview ........................ 352ConfiguringaRoutedPort....................... 354

ConfiguringOSPFonRoutedPorts................. 355OSPFConfigurationExample .................. 355

Chapter 17. Address Resolution Protocol. . . . . . . . . . . . . . 357ARPOverview ............................ 358ARPAgingTimer .......................... 359ARPInspection ........................... 360StaticARPEntries.......................... 361

StaticARPConfigurationExample ................. 361ARPEntryStates........................... 362ARPTableRefresh.......................... 363

Chapter 18. Internet Protocol Version 6 . . . . . . . . . . . . . . 365IPv6AddressFormat ......................... 366IPv6AddressTypes ......................... 367

UnicastAddress......................... 367Multicast ............................ 367Anycast ............................. 368

IPv6Interfaces ............................ 369NeighborDiscovery ......................... 370

NeighborDiscoveryOverview ................... 370Router.............................. 371

SupportedApplications........................ 372ConfigurationGuidelines....................... 373IPv6ConfigurationExamples..................... 374

IPv6Example1 .......................... 374IPv6Example2 .......................... 374

IPv6Limitations........................... 375

Chapter 19. Internet Group Management Protocol . . . . . . . . . . 377IGMPTerms ............................. 378HowIGMPWorks .......................... 379IGMPCapacityandDefaultValues................... 380


IGMPSnooping ...........................381IGMPv3Snooping.........................382SpanningTreeTopologyChange ..................382IGMPQuerier ..........................383

QuerierElection ........................383MulticastRouterDiscovery.....................385IGMPQueryMessages.......................386IGMPGroups ..........................387IGMPSnoopingConfigurationGuidelines..............389

IGMPSnoopingConfigurationExample.................390AdvancedIGMPSnoopingConfigurationExample ............392

Prerequisites ...........................393Configuration ..........................394

SwitchAConfiguration ....................394SwitchBConfiguration.....................395SwitchCConfiguration ....................396

Troubleshooting .........................397AdditionalIGMPFeatures.......................400

ReportSuppression ........................400RobustnessVariable ........................400FastLeave............................401StaticMulticastRouter .......................402

Chapter 20. Border Gateway Protocol . . . . . . . . . . . . . . . 403BGPOverview ............................404

BGPRouterIdentifier .......................404InternalRoutingVersusExternalRouting ................405RouteReflector ............................407

RouteReflectionConfigurationExample...............408Restrictions ..........................409

FormingBGPPeerRouters.......................410BGPPeersandDynamicPeers...................410

StaticPeers ..........................410DynamicPeers........................411

LoopbackInterfaces ..........................412WhatisaRouteMap?.........................413

NextHopPeerIPAddress .....................414IncomingandOutgoingRouteMaps ................414Precedence ............................414ConfigurationOverview ......................415

AggregatingRoutes ..........................416RedistributingRoutes .........................417BGPCommunities..........................419

BGPCommunity .........................420BGPExtendedCommunity .....................421BGPConfederation ........................422


BGPPathAttributes ......................... 423WellKnownMandatory ...................... 423WellKnownDiscretionary ..................... 423OptionalTransitive ........................ 423OptionalNonTransitive ...................... 424

BestPathSelectionLogic ....................... 425BGPBestPathSelection...................... 425BGPWeight ........................... 426LocalPreference......................... 426Metric(MultiExitDiscriminator)Attribute.............. 426NextHop ............................ 427BestPathSelectionTuning..................... 427BGPECMP ........................... 429

BGPFeaturesandFunctions ...................... 430ASPathFilter .......................... 430BGPCapabilityCode ....................... 430AdministrativeDistance...................... 430TTLSecurityCheck........................ 431LocalAS............................. 431BGPAuthentication ........................ 432OriginateDefaultRoute ...................... 432IPPrefixListFilter ........................ 433DynamicCapability ........................ 434BGPGracefulRestart ....................... 434BGPDamping .......................... 435SoftReconfigurationInbound ................... 436BGPRouteRefresh ........................ 436BGPMultipleAddressFamilies................... 437BGPandBFD .......................... 437BGPNextHopTracking...................... 438BGPTuning ........................... 438

BGPFailoverConfiguration...................... 439DefaultRedistributionandRouteAggregationExample .......... 441DesigningaClosNetworkUsingBGP.................. 443

ClosNetworkBGPConfigurationExample.............. 444ConfigureFabricSwitchSF1 .................. 445ConfigureSpineSwitchSP11 .................. 447ConfigureLeafSwitchLP11 .................. 450

Chapter 21. Open Shortest Path First . . . . . . . . . . . . . . . 453OSPFv2Overview .......................... 454

TypesofOSPFAreas ....................... 455TypesofOSPFRoutingDevices................... 456NeighborsandAdjacencies .................... 457TheLinkStateDatabase...................... 457TheShortestPathFirstTree .................... 458InternalVersusExternalRouting.................. 458


OSPFv2ImplementationinCloudNOS .................459ConfigurableParameters ......................459DefiningAreas..........................460

UsingtheAreaIDtoAssigntheOSPFAreaNumber ........460AttachinganAreatoaNetwork .................461

InterfaceCost ...........................461ElectingtheDesignatedRouterandBackup .............461SummarizingRoutes .......................462DefaultRoutes ..........................463VirtualLinks ...........................464RouterID ............................464Authentication ..........................465

ConfiguringPlainTextOSPFPasswords.............466ConfiguringMD5Authentication ................467

LoopbackInterfacesinOSPF ....................467GracefulRestartHelper ......................468OSPFandBFD ..........................468

OSPFv2ConfigurationExamples ....................469Example 1:SimpleOSPFDomain ..................470Example 2:VirtualLinks......................471

ConfiguringOSPFforaVirtualLinkonSwitch1 .........471ConfiguringOSPFforaVirtualLinkonSwitch2 .........472OtherVirtualLinkOptions ...................473

Example 3:SummarizingRoutes..................474VerifyingOSPFConfiguration...................475

Chapter 22. Route Maps . . . . . . . . . . . . . . . . . . . . . 477RouteMapsOverview.........................478PermitandDenyRules........................479MatchandApplyClauses.......................480RouteMapsConfigurationExample...................483

Part 5: High Availability Fundamentals . . . . . . . . . . . . . . . 485

Chapter 23. Basic Redundancy . . . . . . . . . . . . . . . . . . 487AggregatingforLinkRedundancy...................488VirtualLinkAggregation.......................489

Chapter 24. Virtual Router Redundancy Protocol . . . . . . . . . . . 491VRRPOverview ...........................492

VRRPComponents ........................493VirtualRouter.........................493VirtualRouterMACAddress ..................493OwnersandRenters ......................493MasterandBackupVirtualRouter ................493VirtualInterfaceRouter ....................493

AssigningVRRPVirtualRouterID .................494VRRPOperation.........................494

SelectingtheMasterVRRPRouter................494FailoverMethods ...........................495

ActiveActiveRedundancy .....................495


CloudNOSExtensionstoVRRP .................... 496VRRPAdvertisementIntervalandSubsecondFailover ........ 496InterfaceTracking......................... 497SwitchBackDelay ........................ 497BackwardCompatibilitywithVRRPv2 ............... 498VRRPAcceptMode........................ 498VRRPPreemption ........................ 499VRRPPriority.......................... 499IPv6VRRP ............................ 500

VirtualRouterDeploymentConsiderations............... 502ConfiguringtheSwitchforTracking................. 502

BasicVRRPConfiguration ....................... 503HighAvailabilityConfiguration .................... 505

VRRPHighAvailabilityUsingMultipleVIRs ............ 505Task1:ConfigureSwitch1 ................... 506Task2:ConfigureSwitch2 ................... 507

Part 6: Network Management . . . . . . . . . . . . . . . . . . . 509

Chapter 25. Link Layer Discovery Protocol . . . . . . . . . . . . . 511LLDPOverview ........................... 512EnablingorDisablingLLDP ...................... 513

TransmitandReceiveControl ................... 513LLDPTransmitFeatures........................ 514

ScheduledInterval ........................ 514MinimumInterval ........................ 514TimetoLiveforTransmittedInformation.............. 515TrapNotifications ........................ 515ChangingtheLLDPTransmitState................. 516TypesofInformationTransmitted.................. 517

LLDPReceiveFeatures ........................ 518TypesofInformationReceived ................... 518TimetoLiveforReceivedInformation ............... 518ViewingRemoteDeviceInformation ................ 519

DebuggingLLDP........................... 520LLDPDebuggingTypes ...................... 520

LLDPExampleConfiguration ..................... 522

Chapter 26. Service Location Protocol . . . . . . . . . . . . . . . 525SLPAgentsCommunication...................... 526

SLPSpecificMessages ....................... 526SLPSupportedServiceAttributes .................. 526

SLPConfiguration .......................... 527

Chapter 27. Simple Network Management Protocol. . . . . . . . . . 529SNMPVersions ........................... 530

SNMPVersion1&Version2.................... 530SNMPVersion3 ......................... 530


SNMPProtocolDetails ........................531SNMPNotifications ........................531SNMPDeviceContactandLocation.................531OneTimeAuthenticationforSNMPoverTCP............531

DefaultConfiguration .........................532ConfigurationExamples ........................533

BasicSNMPConfigurationExample .................533UserConfigurationExample....................533ConfiguringSNMPTrapHosts ...................534

SNMPMIBs.............................535

Part 7: Monitoring . . . . . . . . . . . . . . . . . . . . . . . .537

Chapter 28. Port Mirroring . . . . . . . . . . . . . . . . . . . . 539PortMirroringOverview .......................540SPANConfiguration.........................541

Sources.............................541Destinations ...........................541Sessions.............................541ConfigurationExample ......................542

ERSPANConfiguration........................543SessionTypes...........................543Sources.............................544Destinations ...........................544ERSPANSourceSessionConfigurationExample...........545ERSPANDestinationSessionConfigurationExample .........546

Limitations .............................547

Part 8: Appendices . . . . . . . . . . . . . . . . . . . . . . . 549

Appendix A. Getting help and technical assistance . . . . . . . . . . 551

Appendix B. Notices. . . . . . . . . . . . . . . . . . . . . . . 553Trademarks .............................555ImportantNotes ...........................556RecyclingInformation .........................557ParticulateContamination .......................558TelecommunicationRegulatoryStatement ................559ElectronicEmissionNotices ......................560

FederalCommunicationsCommission(FCC)Statement ........560IndustryCanadaClassAEmissionComplianceStatement.......560AvisdeConformitlaRglementationdIndustrieCanada ......560AustraliaandNewZealandClassAStatement ............560EuropeanUnionCompliancetotheElectromagneticCompatibilityDirective561GermanyClassAStatement....................561JapanVCCIClassAStatement ...................562JapanElectronicsandInformationTechnologyIndustriesAssociation


(JEITA) Statement......................... 563KoreaCommunicationsCommission(KCC)Statement......... 563RussiaElectromagneticInterference(EMI)ClassAstatement ...... 563PeoplesRepublicofChinaClassAelectronicemissionstatement.... 563TaiwanClassAcompliancestatement................ 563

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565


PrefaceThisApplicationGuidedescribeshowtoconfigureandusetheLenovoCloudNetworkOperatingSystem10.3softwareonthefollowingLenovoRackSwitches:

LenovoRackSwitchG8272.Fordocumentationoninstallingtheswitchphysically,seetheLenovoRackSwitchG8272InstallationGuide.




Who Should Use This GuideThisguideisintendedfornetworkinstallersandsystemadministratorsengagedinconfiguringandmaintaininganetwork.TheadministratorshouldbefamiliarwithEthernetconcepts,IPaddressing,SpanningTreeProtocol,andSNMPconfigurationparameters.

Copyright Lenovo 2017 : Preface 21

Application Guide OverviewThisguidewillhelpyouplan,implement,andadministertheCloudNOS(CNOS)software.Wherepossible,eachsectionprovidesfeatureoverviews,usageexamples,andconfigurationinstructions.Thefollowingmaterialisincluded:

Part 1: Getting Started

ThismaterialisintendedtohelpthosenewtoCNOSproductswiththebasicsofswitchmanagement.Thispartincludesthefollowingchapters:

Chapter 1,SwitchAdministration,describeshowtoaccesstheswitchtoconfiguretheswitch,andviewswitchinformationandstatistics.Thischapterdiscussesavarietyofmanualadministrationinterfaces,includinglocalmanagementviatheswitchconsole,andremoteadministrationviaTelnetorSecureShell.

Chapter 2,SystemLicenseKeys,describeshowtoinstalladditionalfeaturesontheswitch.

Chapter 3,SwitchSoftwareManagement,describeshowtoupdatetheCNOSsoftwareoperatingontheswitchandhowtoconvertfromCNOStoENOS.

Part 2: Securing the Switch

Thismaterialcontainsinformationaboutimplementingsecurityprotocolsontheswitch.Thispartincludesthefollowingchapters:

Chapter 4,SecuringAdministration,describesmethodsforusingSecureShellforadministrationconnections,andconfiguringenduseraccesscontrol.

Chapter 5,AAAProtocols,describesdifferentsecureadministrationmethodsforremoteadministrators.ThisincludesusingRADIUS,TerminalAccessControllerAccessControlSystemPlus(TACACS+)andAuthentication,Authorization,andAccounting(AAA).

Chapter 6,AccessControlLists,describeshowtousefilterstopermitordenyspecifictypesoftraffic,basedonavarietyofsource,destination,andpacketattributes.

Part 3: Switch Basics

Thismaterialcontainsinformationaboutsettingupfeaturesontheswitch.Thispartincludesthefollowingchapters:

Chapter 7,InterfaceManagement,describeshowtoconfiguretheswitchinterfaces,liketheethernetormanagementports.

Chapter 8,ForwardingDatabase,describeshowaLayer2devicecanbeconfiguredtolearnandstoreMACaddressesandtheircorrespondingports.

Chapter 9,VLANs,describeshowtoconfigureVirtualLocalAreaNetworks(VLANs)forcreatingseparatenetworksegments,includinghowtouseVLANtaggingfordevicesthatusemultipleVLANs.

Chapter 10,PortsandLinkAggregation,describeshowtogroupmultiplephysicalportstogethertoaggregatethebandwidthbetweenlargescalenetworkdevices.


Chapter 11,SpanningTreeProtocol,describeshowtousetheRapidPerVLANSpanningTreePlus(RapidPVST+)andMultipleSpanningTreeProtocol(MSTP)tobuildaloopfreenetworktopology.

Chapter 12,VirtualLinkAggregationGroups,describesusingVirtualLinkAggregationGroups(VLAGs)toformLAGsspanningmultipleVLAGcapableaggregatorswitches.

Chapter 13,QualityofService,discussesQualityofService(QoS)features,includingIPfilteringusingclassmaps,DifferentiatedServices,andIEEE802.1ppriorityvalues.

Chapter 14,CEE,discussesusingvariousConvergedEnhancedEthernet(CEE)featuressuchasPrioritybasedFlowControl(PFC),EnhancedTransmissionSelection(ETS)andDataCenterBridgingCapabilityExchange(DCBX).

Part 4: IP Routing

Thispartincludesthefollowingchapters:

Chapter 15,BasicIPRouting,describeshowtoconfiguretheswitchforIProutingusingIPsubnets,BFD,DHCPRelayandVRF.

Chapter 16,RoutedPorts,describeshowtoconfigureaswitchporttoforwardLayer3traffic.

Chapter 17,AddressResolutionProtocol,describeshowtousetheAddressResolutionProtocol(ARP)protocoltomapanIPv4addresstoaMACaddress.

Chapter 18,InternetProtocolVersion6,describeshowtoconfiguretheswitchtouseIPv6.

Chapter 19,InternetGroupManagementProtocol,describeshowCNOSimplementsInternetGroupManagementProtocol(IGMP)Snoopingtoconservebandwidthinamulticastswitchingenvironment.

Chapter 20,BorderGatewayProtocol,describesBorderGatewayProtocol(BGP)conceptsandfeaturessupportedinCNOS.

Chapter 21,OpenShortestPathFirst,describeskeyOpenShortestPathFirst(OSPF)concepts,andhowtheyareimplementedinCNOS,andprovidesexamplesofhowtoconfigureyourswitchforOSPFsupport.

Chapter 22,RouteMaps,describesroutemapsthatareusedtodefineroutepolicybypermittingordenyingcertainroutesbasedonaconfiguredsetofrules.

Part 5: High Availability Fundamentals


Chapter 23,BasicRedundancy,describeshowtheswitchsupportsredundancythroughLAGsandVLAGs.

Chapter 24,VirtualRouterRedundancyProtocol,describeshowtheswitchsupportshighavailabilitynetworktopologiesusingVirtualRouterRedundancyProtocol(VRRP).


Part 6: Network Management


Chapter 25,LinkLayerDiscoveryProtocol,describeshowLinkLayerDiscoveryProtocol(LLDP)helpsneighboringnetworkdeviceslearnabouteachothersportsandcapabilities.

Chapter 26,ServiceLocationProtocol,describestheServiceLocationProtocol(SLP)thatallowstheswitchtoprovidedynamicdirectoryservices.

Chapter 27,SimpleNetworkManagementProtocol,describeshowtoconfiguretheswitchformanagementthroughaSimpleNetworkManagementProtocol(SNMP)client.

Part 7: Monitoring

Thispartincludesthefollowingchapter:

Chapter 28,PortMirroring,discussestoolstocopyselectedporttraffictoaremotemonitorportfornetworkanalysis.

Part 8: Appendices

Thispartincludesthefollowingappendices:

AppendixA,Gettinghelpandtechnicalassistance,providesdetailsonwheretogoforadditionalinformationaboutLenovoandLenovoproducts.

AppendixB,Notices,containssafetyandenvironmentalnotices.


Additional ReferencesAdditionalinformationaboutconfiguringtheG8272,theG8296andtheG8332isavailableinthefollowingguides:

LenovoNetworkCommandReferenceforLenovoCloudNetworkOperatingSystem10.3

LenovoNetworkReleaseNotesforLenovoCloudNetworkOperatingSystem10.3

LenovoNetworkPythonProgrammingGuideforLenovoCloudNetworkOperatingSystem10.3

LenovoNetworkRESTAPIProgrammingGuideforLenovoCloudNetworkOperatingSystem10.3


Typographic ConventionsThefollowingtabledescribesthetypographicstylesusedinthisbook.

Table 1. Typographic Conventions

Typeface or Symbol

Meaning Example

ABC123 Thistypeisusedfornamesofcommands,files,anddirectoriesusedwithinthetext.

Viewthereadme.txtfile.

Italsodepictsonscreencomputeroutputandprompts.

Switch#

ABC123 Thisboldtypeappearsincommandexamples.Itshowstextthatmustbetypedinexactlyasshown.

Switch#ping

Thisitalicizedtypeappearsincommandexamplesasaparameterplaceholder.Replacetheindicatedtextwiththeappropriaterealnameorvaluewhenusingthecommand.Donottypethebrackets.

ToestablishaTelnetsession,enter:Switch#telnet

Thisalsoshowsbooktitles,specialterms,orwordstobeemphasized.

ReadyourUsersGuidethoroughly.

{} Commanditemsshowninsidebracketsaremandatoryandcannotbeexcluded.Donottypethebrackets.

Switch#cp{ftp|sftp}

[] Commanditemsshowninsidebracketsareoptionalandcanbeusedorexcludedasthesituationdemands.Donottypethebrackets.

Switch#configure[device]

| Theverticalbar(|)isusedincommandexamplestoseparatechoiceswheremultipleoptionsexist.Selectonlyoneofthelistedoptions.Donottypetheverticalbar.

Switch#cp{ftp|sftp}

Thisblocktypedepictsmenus,buttons,andothercontrolsthatappearingraphicalinterfaces.

Clickthebutton.


ISCLI Command ModesTheISCLIhasthreemajorcommandmodeslistedinorderofincreasingprivileges,asfollows:

UserEXECMode:Switch>Thisistheinitialmodeofaccess.Bydefault,onconsolesessionspasswordcheckingisdisabledforthismode.

PrivilegedEXECmode:Switch#ThismodeisaccessedfromUserEXECMode.Thismodecanbeaccessedusingthefollowingcommand:enable

ConfigurationMode:Switch(config)#Thismodeallowsyoutomakechangestotherunningconfiguration.Ifyousavetheconfiguration,thesettingssurviveareloadoftheswitch.SeveralsubmodescanbeaccessedfromtheUserEXECMode.Thismodecanbeaccessedusingthefollowingcommand:configure[device]

Eachmodeprovidesaspecificsetofcommands.Mostlowerprivilegemodecommandsareaccessiblewhenusingahigherprivilegemode.Note: ThewordSwitchisagenerictermusedthroughouttheApplicationGuidetoindicatethehostnameoftheswitchwhenissuingcommands.DependingontheLenovoRachSwitch,thedefaultCLIpromptwilldisplayeitherG8272,G8296orG8332asthehostname.


Command Line Interface ShortcutsThefollowingshortcutsallowyoutoentercommandsquicklyandeasily.

CLI List and Range InputsForVLANandportcommandsthatallowanindividualitemtobeselectedfromwithinanumericrange,listsandrangesofitemscannowbespecified.Forexample,thevlancommandpermitsthefollowingoptions:

Thenumbersinarangemustbeseparatedbyadash:

Multiplerangesoritemsarepermittedusingacomma:,

Donotusespaceswithinlistandrangespecifications.

Rangescanalsobeusedtoapplythesamecommandoptiontomultipleitems.Forexample,toaccessmultipleportswithonecommand:

Command AbbreviationMostcommandscanbeabbreviatedbyenteringthefirstcharacterswhichdistinguishthecommandfromtheothersinthesamemode.Forexample,considerthefollowingfullcommand:

Itcanbeabbreviatedasfollows:

Tab CompletionByenteringthefirstletterofacommandatanypromptandpressing,theISCLIdisplaysallavailablecommandsoroptionsthatbeginwiththatletter.Enteringadditionallettersfurtherrefinesthelistofcommandsoroptionsdisplayed.Ifonlyonecommandfitstheinputtextwhenispressed,thatcommandissuppliedonthecommandline,waitingtobeentered.

Ifmultiplecommandssharethetypedcharacters,whenyoupress,theISCLIcompletesthecommonpartofthesharedsyntax.

Switch(config)#vlan1,3,1094 (accessVLANs1,3,and1094)Switch(config)#vlan120 (accessVLANs1through20)Switch(config)#vlan15,9099,10901094(accessmultipleranges)Switch(config)#vlan15,19,20,10901094(accessamixoflistsandranges)

Switch(config)#spanningtreemst14cost4096 (instances1through4)

Switch(config)#displaymacaddresstableinterfaceethernet1/12

Switch(config)#dispmaadie1/12


Line EditingThefollowingkeystrokecommandsareavailableforeditingcommandlines:

Command Behavior

Movesthecursortothebeginningoftheline.

Movesthecursoronecharactertotheleft.

Deletesthecharacteratthecursor.

Movesthecursortotheendoftheline.

Movesthecursoronecharactertotheright.

Killsalltexttotherightofthecursor,puttingitintoabuffer.

Clearsthescreen,leavingthecurrentlineintactatthetop.

Movetothenextcommandinthecommandhistory.

Movetothepreviouscommandinthecommandhistory.

Swapsthecharacteratthecursorwiththecharactertotheleftofthecursor.

Clearsalltextfromthecommandline.

Deletesfromthecursortothestartoftheword.

Yanksthetextfromthekillbuffer.

Movesthecursorbackwardsoneword.

Capitalizesthefirstletterofthewordorthecharacterwherethecursorispointing.

Deletestotheendofthewordtotherightofthecursor.

Movesthecursorforwardsoneword.

Changesthetexttolowercasefromthecursortotheendoftheword.

Changesthetexttouppercasefromthecursortotheendoftheword.


Part 1: Getting StartedThissectiondiscussesthefollowingtopics:

SwitchAdministrationonpage 31

SystemLicenseKeysonpage 73

SwitchSoftwareManagementonpage 79


Chapter 1. Switch AdministrationYourRackSwitchisreadytoperformbasicswitchingfunctionsrightoutofthebox.Someofthemoreadvancedfeatures,however,requiresomeadministrativeconfigurationbeforetheycanbeusedeffectively.

TheextensiveLenovoCloudNetworkOperatingSystemfortheswitchprovidesavarietyofoptionsforaccessingtheswitchtoperformavarietyofconfigurationsandtoviewswitchinformationandstatistics.

Thischapterdiscussesthevariousmethodsthatcanbeusedtoadministertheswitch.


Administration InterfacesCloudNOSprovidesavarietyofuserinterfacesforadministration.Theseinterfacesvaryincharacterandinthemethodsusedtoaccessthem.Somearetextbasedandsomearegraphical;someareavailablebydefault,whileothersrequireconfiguration;somecanbeaccessedbylocalconnectiontotheswitch,whileothersareaccessedremotelyusingvariousclientapplications.Forexample,administrationcanbeperformedusinganyofthefollowing:

Abuiltin,textbasedcommandlineinterface(CLI)andmenusystemforswitchaccessviaaserialportconnectionoranoptionalTelnetorSSHsession

SNMPsupportforaccessthroughthirdpartycommercialandopensourcenetworkmanagementapplications.

Thespecificinterfacechosenforanadministrativesessiondependsonyourpreferences,theswitchconfiguration,andtheavailableclienttools.

Inallcases,administrationrequiresthattheswitchhardwareisproperlyinstalledandturnedon(seetheLenovoRackSwitchInstallationGuide).

Industry Standard Command Line InterfaceTheIndustryStandardCommandLineInterface(ISCLI)providesasimpleanddirectmethodforswitchadministration.Usingabasicterminal,youcanissuecommandsthatallowyoutoviewdetailedinformationandstatisticsabouttheswitch,andtoperformanynecessaryconfigurationandswitchsoftwaremaintenance.

YoucanestablishaconnectiontotheISCLIinanyofthefollowingways:

Serialconnectionviatheserialportontheswitch(thisoptionisalwaysavailable)

Telnetconnectionoverthenetwork

SSHconnectionoverthenetwork

Copyright Lenovo 2017 Chapter 1: Switch Administration 33

Establishing a ConnectionThefactorydefaultsettingspermitinitialswitchadministrationthroughonlythebuiltinserialport.Allotherformsofaccessrequireadditionalswitchconfigurationbeforetheycanbeused.

Remoteaccessusingthenetworkrequirestheaccessingterminaltohaveavalid,routableconnectiontotheswitchinterface.TheclientIPaddressmaybeconfiguredmanually,oranIPaddresscanbeprovidedautomaticallytotheswitchusingaservicesuchasDHCP(seeDHCPIPAddressServicesonpage 43).AnIPv6addresscanalsobeobtainedusingIPv6statelessaddressconfiguration.Note: Throughoutthismanual,IPaddressisusedinplaceswhereeitheranIPv4orIPv6addressisallowed.IPv4addressesareenteredindotteddecimalnotation(forexample,10.10.10.1),whileIPv6addressesareenteredinhexadecimalnotation(forexample,2001:db8:85a3::8a2e:370:7334).Inplaceswhereonlyonetypeofaddressisallowed,IPv4addressorIPv6addressisspecified.

Using the Switch Management InterfaceTomanagetheswitchthroughthemanagementinterface,youmustconfigureitwithanIPinterface.ConfiguretheIPaddressandnetworkmaskanddefaultgatewayaddress:

1. Logontotheswitch.

2. EnterGlobalConfigurationmode.

3. ConfigureamanagementIPaddressandnetworkmask:

IPv4configuration:

IPv6configuration:

4. Configuretheappropriatedefaultgateway:

IPv4configuration:

Switch>enableSwitch#configuredeviceSwitch(config)#

Switch(config)#interfacemgmt0Switch(configif)#ipaddress/Switch(configif)#noshutdownSwitch(configif)#exit

Switch(config)#interfacemgmt0Switch(configif)#ipv6address/Switch(configif)#noshutdownSwitch(configif)#exit

Switch(config)#vrfcontextmanagementSwitch(configvrf)#iproute0.0.0.00.0.0.0Switch(configvrf)#exit


IPv6configuration:

OnceyouconfigureamanagementIPaddressforyourswitch,youcanconnecttothemanagementportanduseaTelnetoranSSHclientfromanexternalmanagementstationtoaccessandcontroltheswitch.Themanagementportprovidesoutofbandmanagement.

Using the Switch Ethernet PortsYoualsocanconfigureinbandmanagementthroughanyoftheswitchethernetports.Toallowinbandmanagement,usethefollowingprocedure:

1. Logontotheswitch.

2. Enterinterfacemodeandconfigureanethernetinterfaceasroutedport.

3. ConfiguretheinterfaceIPaddressandnetworkmask.

IPv4configuration:

IPv6configuration:

4. Configurethedefaultgateway.

IPv4configuration:

IPv6configuration:

OnceyouconfiguretheIPaddressandhaveanetworkconnection,youcanuseaTelnetoranSSHclientfromanexternalmanagementstationtoaccessandcontroltheswitch.Oncethedefaultgatewayisenabled,themanagementstationandtheswitchdonotneedtobeonthesameIPsubnet.

Switch(config)#vrfcontextmanagementSwitch(configvrf)#ipv6route::/0Switch(configvrf)#exit

Switch>enableSwitch#configuredeviceSwitch(config)#interfaceethernet/Switch(configif)#nobridgeport

Switch(configif)#ipaddress/

Switch(configif)#ipv6address/

Switch(config)#vrfcontextmanagementSwitch(configvrf)#iproute0.0.0.00.0.0.0Switch(configvrf)#exit

Switch(config)#vrfcontextmanagementSwitch(configvrf)#ipv6route::/0Switch(configvrf)#exit


Theswitchsupportsanindustrystandardcommandlineinterface(ISCLI)thatyoucanusetoconfigureandcontroltheswitchoverthenetworkusingaTelnetoranSSHclient.YoucanusetheISCLItoperformmanybasicnetworkmanagementfunctions.Inaddition,youcanconfiguretheswitchformanagementusinganSNMPbasednetworkmanagementsystem.

Formoreinformation,seethedocumentslistedinAdditionalReferencesonpage 24.

Using TelnetATelnetconnectionofferstheconvenienceofaccessingtheswitchfromaworkstationconnectedtothenetwork.Telnetaccessprovidesthesameoptionsforuserandadministratoraccessasthoseavailablethroughtheconsoleport.

Bydefault,Telnetaccessisdisabled.UsethefollowingcommandtoenableordisableTelnetaccess:

OncetheswitchisconfiguredwithanIPaddressandgateway,youcanuseTelnettoaccessswitchadministrationfromanyworkstationconnectedtothemanagementnetwork.

ToestablishaTelnetconnectionwiththeswitch,runtheTelnetclientonyourworkstation,useTelnetastheprotocoltypeandtheswitchsIPaddressasthehostname.

YouwillthenbepromptedtoenterapasswordasexplainedinSwitchLoginLevelsonpage 48.

Bydefault,TelnetusesTCPport23oftheremotehosttoestablishaconnectionfromtheswitch.WheninitializingaTelnetsession,youcanspecifytheTCPportoftheremotehostbyusingthefollowingcommandontheswitch:

Note: ThespecifiedportwillbeusedonlyforthecurrentTelnetsession.Futuresessionswillnotusetheselectedport.

Bydefault,TelnetclientswillconnecttothelocalTelnetserverusingTCPport23ontheswitch.ToconfiguretheTCPportusedbyaTelnetclientwhenestablishingaconnectiontotheswitch,usethefollowingcommand:

Switch(config)#[no]featuretelnet

Switch#telnetport

Switch(config)#telnetserverport


Using Secure ShellAlthougharemotenetworkadministratorcanmanagetheconfigurationofaswitchviaTelnet,thismethoddoesnotprovideasecureconnection.TheSecureShell(SSH)protocolenablesyoutosecurelylogintoanotherdeviceoveranetworktoexecutecommandsremotely.AsasecurealternativetousingTelnettomanageswitchconfiguration,SSHensuresthatalldatasentoverthenetworkisencryptedandsecure.

Bydefault,SSHaccessisenabled.UsethefollowingcommandtoenableordisableSSHaccess:

Theswitchcandoonlyonesessionofkey/ciphergenerationatatime.Thus,anSSHclientwillnotbeabletologiniftheswitchisdoingkeygenerationatthattime.Similarly,thesystemwillfailtodothekeygenerationifanSSHclientislogginginatthattime.

ThesupportedSSHencryptionandauthenticationmethodsare:

ServerHostAuthentication:ClientRSAauthenticatestheswitchwhenstartingeachconnection

KeyExchange:ecdhsha2nistp521,ecdhsha2nistp384,ecdhsha2nistp256,ecdhsha2nistp224,ecdhsha2nistp192,rsa2048sha256,rsa1024sha1,diffiehellmangroupexchangesha256,diffiehellmangroupexchangesha1,diffiehellmangroup14sha1,diffiehellmangroup1sha1

Encryption:aes128ctr,aes192ctr,aes256ctr,arcfour128,arcfour256

MAC:hmacsha1,hmacripemd160,[email protected]

UserAuthentication:Localpasswordauthentication,TACACS+

LenovoCloudNetworkOperatingSystemimplementstheSSHversion2.0standardandisconfirmedtoworkwithSSHversion2.0compliantclientssuchasthefollowing:

OpenSSH_5.4p1forLinux

SecureCRTVersion5.0.2(build1021)

PuttySSHrelease0.60

Using SSH with Password AuthenticationOncetheIPparametersareconfigured,youcanaccessthecommandlineinterfaceusinganSSHconnection.

ToestablishanSSHconnectionwiththeswitch,runtheSSHclientonyourworkstation,useSSHastheprotocoltypeandtheswitchsIPaddressasthehostname.

YouwillthenbepromptedtoenterapasswordasexplainedinSwitchLoginLevelsonpage 48.

Switch(config)#[no]featuressh


Using SSH with Server Key AuthenticationSSHcanalsobeusedforswitchauthenticationbasedonasymmetriccryptography.Serverencryptionkeyscanbegeneratedontheswitchandusedtoauthenticateincomingloginattemptsbasedontheclientsprivateencryptionkeypairs.Afterapredefinednumberoffailedserverkeyauthenticationattempts,aloginerrorwillappearandtheSSHsessionwillbedisconnected.

Tosetupserverkeyauthentication:

1. DisableSSH:

Note: SSHsettingscannotbemodifiedifSSHisenabled.

2. GenerateanSSHkey:

DSA:

RSA:

Note: YoucanalsoconfigurethelengthoftheRSAkeybyusingthefollowingcommand:

3. ConfigureamaximumnumberoffailedserverkeyauthenticationattemptsbeforetheSSHsessionwillbedisconnected:

Note: Thedefaultnumberoffailedattemptsis3.

4. ReenableSSH:

Oncetheserverkeyisconfiguredontheswitch,aclientcanuseSSHtologinfromasystemwheretheprivatekeypairissetup.

Switch(config)#nofeaturessh

Switch(config)#sshkeydsa[force]

Switch(config)#sshkeyrsa[force]

Switch(config)#sshkeyrsalength

Switch(config)#sshloginattempts

Switch(config)#featuressh


Using Simple Network Management ProtocolCNOSprovidesSimpleNetworkManagementProtocol(SNMP)version1,2,and3supportforaccessthroughanynetworkmanagementsoftware,suchasSwitchCenterorLenovoXClarity.Note: TheSNMPreadfunctionisenabledbydefault.Forbestsecuritypractices,ifSNMPisnotneededforyournetwork,disablethisfunctionpriortoconnectingtheswitchtothenetwork.

ToaccesstheSNMPagentontheswitch,thereadandwritecommunitystringsontheSNMPmanagermustbeconfiguredtomatchthoseontheswitch.

Thereadandwritecommunitystringsontheswitchcanbeconfiguredusingthefollowingcommands:

readonlyaccesscommunitystring:

readwriteaccesscommunitystring:

TheSNMPmanagermustbeabletoreachanyoneoftheIPinterfacesontheswitch.

FortheSNMPmanagertoreceivetheSNMPv1trapssentoutbytheSNMPagentontheswitch,configurethetraphostontheswitchwiththefollowingcommand:

FormoreinformationonSNMPusageandconfiguration,seeChapter 27,SimpleNetworkManagementProtocol.

Switch(config)#snmpservercommunityro

Switch(config)#snmpservercommunityrw

Switch(config)#snmpserverhosttrapsversion1


Zero Touch ProvisioningZeroTouchProvisioning(ZTP)enablesaswitchtoautomaticallyprovisionitselfusingtheresourcesavailableonthenetworkwithoutmanualintervention.WhenaswitchwithZTPenabledstartsup,itlocatesaDHCPserverwhichprovidestheswitchwithaninterfaceIPv4addressandagatewayIPv4address.TheswitchthenobtainstheIPaddressofaTFTPserverfromwhichitwilldownloadthenecessarybootfile.Thenextstepisfortheswitchtorunthebootfile.

Ontheswitch,ZTPwilltriggerwhenanyofthefollowingconditionsaremet:

aswitchbootswithnostartupconfiguration(onlythedefaultconfiguration)

thestartupconfigurationiserasedandtheswitchisreloaded

ZTPisforcedlyenabledfromtheCLINote: ZTPwillnotbetriggeredifitisforcedlydisabledfromtheCLI.

Duringthebootprocess,iftheswitchdoesnotfindastartupconfigurationandZTPisenabled,theswitchwillenterZTPmode.WhenforcedlyenabledfromtheCLI,theswitchentersZTPmoderegardlessofthepresenceofastartupconfiguration.TheswitchwillsearchforavailableDHCPserversandrequestthemtoacquireaninterfaceaddress,agatewayaddress,theTFTPserveraddress,andthebootfilename.

AftertheinformationfromtheDHCPserverisobtained,ZTPwilldownloadandrunthebootfile,andthenexecutetheZTPprocessaccordingtothebootfile.ZTPautomaticallyhandlestheprocessofupgradingtheswitchsoftwareimageandinstallingconfigurationfiles.

Notes:

Duringthebootprocess,apromptwillappearaskingifyouwanttoabortorcontinuetheZTPprocess.IfyouchoosetoexitZTP,theswitchwillcontinuewithitsnormalbootprocess,usingthedefaultconfigurationoranystartupconfiguration,ifoneispresentontheswitchandZTPwasforcedlyenabledfromtheCLI.

IfZTPwasforcedlyenabledandnoDHCPserverwasfoundduringtheZTPprocess,anypreviousIPv4addressmanuallyconfiguredofthemanagementinterfacewillberemoved.

IfZTPiscanceledduringitsexecution,theswitchexitsZTPmode.IfaninterfaceIPv4addresswasobtained,itwillnotbereleased.Ifanyfileswheredownloaded,theywillnotbedeleted.

ImportantZTPeventsareloggedbytheswitchandareavailablefordisplayfromaconsolesession.


DHCP DiscoveryAfterenteringZTPmode,theswitchsendsaDHCPdiscovermessageonitsmanagementinterfacerequestingDHCPoffersfromtheDHCPserverspresentonthenetwork.ThereceivingDHCPserverreplieswithaDHCPoffermessage.

WhentheDHCPclientreceivestheDHCPoffermessage,itwillrequesttheDHCPservertosendthefollowinginformation:

aninterfaceIPv4address

agatewayIPv4address

theTFTPserverIPaddress(usingoption66)

thebootfilename(usingoption67)

TheswitchcompletestheDHCPnegotiationprocess(requestandacknowledgement)withtheDHCPserver,whichassignstheswitchanIPv4address.TheswitchthenusestheacquiredTFTPserverIPaddresstocontacttheTFTPserver.ThebootfilenamecontainsthecompletefilepathofthebootfileontheTFTPserver.Theswitchthendownloadsthebootfile.

IfnoDHCPserversreplytotheDHCPdiscovermessageorifnoDHCPoffermeetstheZTPrequirements,theswitchwillbeunabletocompletetheDHCPnegotiationandanIPv4addressisnotassigned(exceptthedefaultIPv4address192.168.50.50/24,butthiscannothelptheswitchfinalizetheZTPprocess).ZTPwilltrythreetimestosuccessfullyobtaintherequiredinformation.IfitfailstheDHCPnegotiationthreetimes,theswitchexitsZTPmodeandcontinuesthenormalbootprocess.

Notes:

TheinterfaceIPv4addressobtainedfromtheDHCPserveriskeptandusedevenaftertheZTPprocessover.

ZTPsupportsonlyDHCPv4andnotDHCPv6.

ZTPsupportsonlyTFTPandnotFTP,SCP,HTTP,orothertransferprotocols.

DHCPserversmustbeconfiguredwithoptions66and67toensurethattheswitchalwaysobtainstheTFTPserverhostnameandthebootfilenameduringtheZTPprocess.

DHCPoptions66and67areenabledbydefaultontheswitch.Ifeitherofthemisintentionallydisabled,theZTPprocesswillresultinafailure.

DHCPoption66providestheIPaddressofasingleTFTPserver.ToenableordisableDHCPoption66,usethefollowingcommand:

DHCPoption67providesthefilepathofthebootfileneededbyZTP.ToenableordisableDHCPoption67,usethefollowingcommand:

Switch(config)#[no]ipdhcpclientrequesttftpservername

Switch(config)#[no]ipdhcpclientrequestbootfilename


ZTP Boot FileThebootfileiswritteninYAMLformatandcontainsswitchmodels,andundereachswitchmodelareseveralfieldsthatinstructtheZTPprocesswhattodo.

Thebootfilemaycontainuptothreefieldsundereachswitchmodel:

img_namethisinstructsZTPtoupdatetheswitchsoftwareimagetothespecifiedimageversionandconfigureitasthestandbyimageontheswitch

configurationthisinstructsZTPtocopythespecifiedconfigurationfilefromtheTFTPserveranduseitasthestartupconfigurationfileontheswitch

scriptthisinstructsZTPtocopythescriptfileandexecuteitontheswitch

ZTPchecksthebootfilefortheswitchmodelandexecutetheappropriateactionsaccordingtothefieldsunderthecorrectswitchmodel.

ZTPsupportstheexecutionofPythonscripts.Ifthereisascriptfieldundertheswitchmodelinthebootfile,thefieldhasahigherprioritythantheothertwofields(img_nameandconfiguration)andZTPwillignorethem.ZTPdownloadsthePythonscriptfiletotheswitchandexecutesit.Thescriptcanalsocontaininstructionstodownloadandinstallaswitchsoftwareimageandaconfigurationfile.Note: ThePythonscriptfileisstoredinatemporaryfolderontheswitchanditwillbedeletedoncetheswitchreloads.

Followingisanexampleofabootfile:

Note: AftertheZTPprocessisover,theswitchwillbereloadedifthesoftwareimageorthestartupconfigurationareupdated.IfZTPexecutesaPythonscript,thereloadingoftheswitchisdecidedbythescriptinstead.

G8272:img_name:G827210.3.0.1.imgconfiguration:netboot_config_file_G8272script:netboot_G8272.py




Forcedly enabling or disabling ZTPZTPcanbeforcedlyenabledontheswitchevenifthereisastartupconfigurationpresent.Itcanalsobeforcedlydisabledtonotexecuteevenifthereisnostartupconfiguration.

ZTPcanhaveoneofthefollowingstates:

Default

ForcedlyEnabled

ForcedlyDisabled

ToforcedlyenableZTPontheswitch,usethefollowingcommand:

ToforcedlydisableZTPontheswitch,usethefollowingcommand:

ToresettheZTPtoitsdefaultsetting,usethefollowingcommand:

ToviewthecurrentZTPstate,usethefollowingcommand:

ToviewtheZTPparametersobtainedaftertheZTPprocesshasexecuted,usethefollowingcommand:

Switch(config)#bootzerotouchforceenable

Switch(config)#bootzerotouchforcedisable

Switch(config)#nobootzerotouchforce

Switch#displayboot

CurrentZTPState:EnableCurrentFLASHsoftware:activeimage:version10.3.0.1,downloaded18:39:47UTCWedSep162015standbyimage:version10.3.0.1,downloaded18:44:40UTCWedSep162015Uboot:version10.3.0.1,downloaded17:49:51UTCThuJul302015CurrentlysettobootsoftwareactiveimageCurrentlyscheduledreboottime:noneCurrentportmode:defaultmode

Switch#displayzerotouch

TFTPserver:10.122.3.69Image:G8xxx10.3.0.1.imgConfiguration:netboot_config_file_G8xxxScript:netboot_G8xxx.py


DHCP IP Address ServicesForremoteswitchadministration,theclientterminaldevicemusthaveavalidIPaddressonthesamenetworkastheswitchinterface.TheIPaddressontheclientdevicemaybeconfiguredmanually,orobtainedautomaticallyusingIPv6statelessaddressconfiguration,oranIPaddressmaybeobtainedautomaticallyviaDHCPrelayasdiscussedinthenextsection.

TheswitchcanfunctionasarelayagentforDHCP.ThisallowsclientstobeassignedanIPaddressforafiniteleaseperiod,reassigningfreedaddresseslatertootherclients.Actingasarelayagent,theswitchcanforwardaclientsIPaddressrequesttouptofiveDHCPservers.Additionally,uptofivedomainspecificDHCPserverscanbeconfiguredforeachofupto10VLANs.

WhenaswitchreceivesaDHCPrequestfromaclientseekinganIPaddress,theswitchactsasaproxyfortheclient.TherequestisforwardedasaUDPunicastMAClayermessagetotheDHCPserversconfiguredfortheclientsVLANortotheglobalDHCPserversifnodomainspecificDHCPserversareconfiguredfortheclientsVLAN.TheserversrespondtotheswitchwithaunicastreplythatcontainstheIPdefaultgatewayandtheIPaddressfortheclient.Theswitchthenforwardsthisreplybacktotheclient.

DHCPisdescribedinRFC2131andtheDHCPrelayagentsupportedontheswitchisdescribedinRFC1542.DHCPusesUserDatagramProtocol(UDP)asitstransportprotocol.Theclientsendsmessagestotheserveronport67andreceivesmessagesfromtheserveronport68.

DHCP Client ConfigurationDHCPisenabledbydefaultonthemanagementinterfaceanddisabledonallotherinterfaces.YoucanenableDHCPonlyonamaximumof10interfaces,includingthemanagementinterface.

ToenableordisableDHCPonaninterface(forexampleethernetinterface1/12),usethefollowingcommand:

forDHCPv4:

forDHCPv6:

Notes:

DHCPcannotbeenabledonaninterfaceconfiguredasaswitchport,onlyonroutingports.

ManuallyconfiguringanIPaddressonaninterfacewilldisableDHCPforthatinterface.

Switch(config)#interfaceethernet1/12Switch(configif)#nobridgeportSwitch(configif)#ipaddressdhcp

Switch(config)#interfaceethernet1/12Switch(configif)#nobridgeportSwitch(configif)#ipv6addressdhcp


DHCPv4 Hostname Configuration (Option 12)TheswitchsupportsDHCPv4hostnameconfigurationasdescribedinRFC2132,option12.DHCPv4hostnameconfigurationisenabledbydefault.

Theswitchshostnamecanbemanuallyconfiguredusingthefollowingcommand:

Note: Ifthehostnameismanuallyconfigured,theswitchdoesnotreplaceitwiththehostnamereceivedfromtheDHCPv4server.

AfterDHCPconfiguresthehostnameontheswitch,iftheDHCPv4configurationisdisabled,theswitchretainsthehostname.

ToenableordisableDHCPhostnameconfiguration,usethefollowingcommandonaninterface(inthisexample,ethernetport1/12isused):

Toviewthesystemhostnameusethefollowingcommand:

Note: Theswitchpromptalsodisplaysthehostname.

DHCPv4 Syslog Server (Option 7)TheswitchsupportstherequestingoftheSyslogserverIPaddressfromtheDHCPserverasdescribedinRFC2132,option7.TheDHCPv4Syslogserverrequestoptionisdisabledbydefault.Note: ManuallyconfiguredSyslogserverstakepriorityovertheDHCPv4Syslogserver.

UptothreeSyslogserveraddressesreceivedfromtheDHCPv4servercanbeused.TheSyslogserveraddressescanbelearnedoverthemanagementportoranethernetport.

ToenableordisabletheDHCPSyslogserverrequest,usethefollowingcommandonaninterface(inthisexample,ethernetport1/12isused):

ToviewtheSyslogserveraddress,usethefollowingcommand:

Switch(config)#hostname

Switch(config)#interfaceethernet1/12Switch(configif)#[no]ipdhcpclientrequesthostname

Switch>displayhostname

Switch(config)#interfaceethernet1/12Switch(configif)#[no]ipdhcpclientrequestlogserver

Switch>displayloggingserver

Loggingserver:enabled{*2.2.2.1}Serverseverity:debuggingServerfacility:local7Servervrf:data*ValuesassignedbyDHCPClient.


DHCPv4 NTP Server (Option 42)ThisoptionrequesttheDHCPservertoprovidealistofIPaddressesindicatingNetworkTimeProtocol(NTP)serversavailabletotheclient.TheNTPserversarelistedinorderofpreference.TheswitchsupportstherequestingofNTPserversasdescribedinRFC2132,option42.

Bydefault,theswitchdoesnotincludethisrequestinDHCPv4messages.Toenableordisablethisoptiononaninterface,usethefollowingcommand(inthisexample,ethernetport1/12isused):

Note: AnymanuallyconfiguredNTPserverwillnotbeoverwrittenbytheNTPserversreceivedviaDHCPv4.

ToviewthelistofNTPservers,usethefollowingcommand:

DHCPv4 Vendor Class Identifier (Option 60)ThisoptionisusedbyaDHCPclienttoidentifyitselftotheDHCPserver.ItisusedtodefinethevendortypeandfunctionalityoftheDHCPclient.TheDHCPclientcancommunicatetoaserverthatitusesaspecifictypeofhardwareorsoftwarebyspecifyingitsVendorClassIdentifier(VCI).

TheswitchsupportstheidentifyingofaTFTPserverasdescribedinRFC2132,option60.

EachswitchinterfacecanbeconfiguredwithadifferentVCI.

Bydefault,theswitchwillincludethisoptioninDHCPv4packets.ToenableordisabletheidentificationofTFTPserversusethefollowingcommand(inthisexample,ethernetport1/12isused):

Note: DependingontheLenovoRackSwitch,thedefaultVCIisdifferent. fortheLenovoRackSwitchG8272,thedefaultVCIisLENOVOG8272 fortheLenovoRackSwitchG8296,thedefaultVCIisLENOVOG8296 fortheLenovoRackSwitchG8332,thedefaultVCIisLENOVOG8332

Switch(config)#interfaceethernet1/12Switch(configif)#[no]ipdhcpclientrequestntpserver

Switch>displayntppeers

Switch(config)#interfaceethernet1/12Switch(configif)#[no]ipdhcpclientclassid


DHCP Relay AgentWhenDHCPclientsandassociatedserversarenotonthesamephysicalsubnet,aDHCPrelayagentcantransferDHCPmessagesbetweenthem.WhenaDHCPrequestarrivesonaninterface,therelayagentforwardsthepackettoallDHCPserverIPaddressesconfiguredonthatinterface.TherelayagentforwardsrepliesfromallDHCPserverstothehostthatsenttherequest.IfnoDHCPserversareconfiguredonthatinterface,therelayagentwillnotforwardpackets.

DHCPhastwoversions.DHCPv4isusedtoconfigurehostswithIPv4addresses,IPv4prefixes,andotherconfigurationdatarequiredtooperateinanIPv4network.DHCPv6isusedtoconfigurehostswithIPv6addresses,IPv6prefixes,andotherconfigurationdatarequiredtooperateinanIPv6network.

ForDHCPv4,youcanconfiguretherelayagenttoaddtherelayagentinformation(option82)intheDHCPv4messageandthenforwardittotheDHCPv4server.Thereplyfromtheserverisforwardedbacktotheclientafterremovingoption82.

TheDHCPRelayAgentisgloballyenabledbydefault.TogloballyenableordisableDHCPusethefollowingcommand:

forDHCPv4:

forDHCPv6:

DHCPrelaycanbeconfigureddifferentlyoneachethernetportorVLAN.ThemaximumnumberofDHCPserversconfiguredonaninterfaceis32.ToconfigureDHCPonaninterface,usethefollowingsteps:

1. Entertheconfigurationmenuforthedesiredinterface(inthisexample,ethernetinterface1/12isused):

2. ConfiguretheDHCPserveraddress:

forDHCPv4:

forDHCPv6:

Switch(config)#[no]ipdhcprelay

Switch(config)#[no]ipv6dhcprelay

Switch(config)#interfaceethernet1/12Switch(configif)#

Switch(configif)#ipdhcprelayaddress

Switch(configif)#ipv6dhcprelayaddress


3. ToviewthecurrentDHCPsettings,usethefollowingcommand:

forDHCPv4:

forDHCPv6:

DHCPv4 Option 82DHCPv4option82providesamechanismforgeneratingIPaddressesbasedonthelocationinthenetworkoftheclientdevice.WhenyouenabletheDHCPv4relayagentoptionontheswitch,itinsertstherelayagentinformationoption82inthepacket.TheswitchthensendsaunicastDHCPv4requestpackettotheDHCPv4server.TheDHCPv4serverusestheoption82fieldtoassignanIPaddressandsendsthepacket,withtheoriginaloption82fieldincluded,backtotherelayagent.TheDHCPv4relayagentstripsofftheoption82fieldinthepacketandsendsthepackettotheDHCPv4client.

Theconfigurationofthisfeatureisoptional.Thefeaturehelpsresolveseveralissueswhereuntrustedhostsaccessthenetwork.SeeRFC3046fordetails.

ToconfigureDHCPv4option82,usethefollowingcommand:

Switch>displayipdhcprelay

Switch>displayipv6dhcprelay

Switch(config)#ipdhcprelayinformationoption


Switch Login LevelsToenablebetterswitchmanagementanduseraccountability,twolevelsorclassesofuseraccesshavebeenimplementedontheswitch.ThelevelsofaccesstoCLImanagementfunctionsandscreensincreaseasneededtoperformvariousswitchmanagementtasks.Conceptually,accessclassesaredefinedasfollows:

NetworkOperatorscanonlymaketemporarychangesontheswitch.Thesechangeswillbelostwhentheswitchisreloadedorreset.Operatorshaveaccesstotheswitchmanagementfeaturesusedfordailyswitchoperations.Becauseanychangesanoperatormakesareundonebyareloadoftheswitch,operatorscannotseverelyimpactswitchoperation.

NetworkAdministratorsaretheonlyonesthatmaymakepermanentchangestotheswitchconfigurationchangesthatarepersistentacrossareloadorresetoftheswitch.Administratorscanaccessswitchfunctionstoconfigureandtroubleshootproblemsonthedevice.Becauseadministratorscanalsomaketemporary(operatorlevel)changesaswell,theymustbeawareoftheinteractionsbetweentemporaryandpermanentchanges.

Note: Thedefault(predefined)accessclassescannotberemovedortheirrulesmodified.Also,newaccessclassescannotbecreated.

Accesstoswitchfunctionsiscontrolledthroughtheuseofuniqueusernamesandpasswords.Onceyouareconnectedtotheswitchviaconsole,Telnet,orSSH,youarepromptedtoenterapassword.ThedefaultusernameandpasswordcombinationsforeachaccesslevelarelistedinTable 2.Note: Itisrecommendedthatyouchangethedefaultswitchpasswordsafterinitialconfigurationandasregularlyasrequiredunderyournetworksecuritypolicies.

Formoredetails,seeEnduserAccessControlonpage 113.

Table 2. UserAccessLevelsDefaultSettings

User Account

Password Description and Tasks Performed Status

oper oper TheOperatormanagesallfunctionsoftheswitch.TheOperatorcanresetports,exceptthemanagementport.

Disabled

admin admin TheAdministratorhascompleteaccesstoallmenus,information,andconfigurationcommandsontheswitch,includingtheabilitytochangeboththeoperatorandadministratorpasswords.

Enabled


Todisplaythecurrentroleconfigurations,usethefollowingcommand:

WhileanetworkadministratorhasaccesstoalloftheCLIcommands,anetworkoperatorhasamorelimitedaccess,onlybeingabletoruncommandssuchas:

display

end

exit

logout

quit

terminal

enable

disable

ping

ping6

traceroute

traceroute6

ssh

shh6

telnet

telnet6

where

configuredevice

Switch>displayrole

Role:networkadminDescription:PredefinednetworkadminrolehasaccesstoallcommandsontheswitchRulePermTypeScopeEntity1permitreadwrite

Role:networkoperatorDescription:PredefinednetworkoperatorrolehasaccesstoallreadcommandsontheswitchRulePermTypeScopeEntity1permitread


PingPing(PollINternetGateway)isanadministrationutilityusedtotesttheconnectivitybetweentwonetworkIPdevices.Italsomeasuresthelengthoftimeittakesforapackettobesenttoaremotehostplusthelengthoftimeittakesforanacknowledgementofthatpackettobereceivedbythesourcehost.

PingfunctionsbysendinganInternetControlMessageProtocol(ICMP)echorequesttothespecifiedremotehostandwaitingforanICMPreplyfromthathost.

Usingthismethod,pingalsodeterminesthetimeintervalbetweenwhentheechorequestissentandwhentheechoreplyisreceived.Thisintervaliscalledroundtriptime.Attheendofthetest,pingwilldisplaytheminimum,maximum,andaverageroundtriptimes,andthestandarddeviationofthemean.

Besidestheroundtriptime,pingcanalsomeasuretherateofpacketloss.Thisisdeterminedbythenumberofreceivedechorepliesoverthenumberofsentechorequests.Itisdisplayedasapercentage.

TheSwitchalsosupportspingforIPv6addressing.

Toperformastandardpingtest,usethefollowingcommands:

IPv4:

IPv6:

Forexample:

Note: IfnospecificVRFinstanceisconfigured,theswitchusesthedefaultmanagementVRF.Inthiscase,theusercanalsousethefollowingcommand:

Switch#pingvrfmanagement

Switch#ping6vrfmanagement

Switch#ping10.10.10.1vrfmanagement

PING10.10.10.1(10.10.10.1)from10.10.10.127:56(84)bytesofdata.64bytesfrom10.10.10.1:icmp_seq=1ttl=61time=0.368ms64bytesfrom10.10.10.1:icmp_seq=2ttl=61time=0.280ms64bytesfrom10.10.10.1:icmp_seq=3ttl=61time=0.308ms64bytesfrom10.10.10.1:icmp_seq=4ttl=61time=0.291ms64bytesfrom10.10.10.1:icmp_seq=5ttl=61time=0.320ms

10.10.10.1pingstatistics5packetstransmitted,5received,0%packetloss,time3996msrttmin/avg/max/mdev=0.280/0.313/0.368/0.034ms

Switch#pingorSwitch#ping6


Ping Configurable ParametersPingcanbeconfiguredwithvariousparameters,suchasspecifyingthenumberorsizeofechorequests,thetimeintervalbetweeneachtransmission,orthenonresponsivetimeoutintervalforsentpackets.

Test InterruptionPingtestscanbemanuallystoppedatanypointintheprocess.Whentheinterruptionisdetected,pingwillstopsendingechorequestsanddisplaytheresultsbasedonthepacketstransmitteduptothatpoint.

Tomanuallyterminateapingtest,press.

Ping CountBydefault,pingtransmitsasequenceoffiveechorequests.Toconfigurethenumberofpacketssentduringthetest,usethefollowingcommand:

Pingcanalsobeconfiguredtocontinuouslysendechorequestsuntilthetestismanuallyinterrupted.Toachievethis,usethefollowingcommand:

ForIPv6addressing,thecommandsareasfollows:

Ping Packet IntervalBydefault,pingdoesnotwaitbetweenconsecutiveechorequests.Assoonasaechoreplyhasbeenreceivedorthenonresponsivetimerhasexpired,pingwillsendthenextechorequest.

Toconfigureatimeinterval,inseconds,betweenthetransmissionofpackets,usethefollowingcommand:

ForIPv6addressing,thecommandisasfollows:

Switch#pingcount

Switch#pingcountunlimited

Switch#ping6count

Switch#ping6countunlimited

Switch#pinginterval

Switch#ping6interval


Ping Packet SizeBydefault,pingsendsechorequestswithapacketsizeof56bytes.Specifyingalargersizethanthedefaultcanhelpindetectingthelossofbigpackets.

Toconfigurethepacketsize,inbytes,usethefollowingcommand:


Ping SourceBydefault,pingautomaticallychoosestheoutgoinginterfaceforechorequestsandsendsthepacketsusingtheIPaddressofthatinterface.Tochecktheconnectivityofdifferentpathsthroughthenetwork,youcanspecifytheinterfaceusedforsendingechorequests.

Touseaspecificinterfaceduringthepingtest,usethefollowingcommand:

Note: ThesourceIPv4addressistheIPaddressofthedesiredswitchinterface.

Youcanalsochoosetheinterfaceusedforthepingtestbydirectlyspecifyingthedesiredinterface.Toachievethis,usethefollowingcommand(inthisexample,ethernetport1/12isused):

ForIPv6addressing,thecommandsareasfollows:

Ping DF-BitBydefault,echorequestsarefragmentedwhentheyareforwardedthroughthenetwork.Configuringpacketsnottobefragmentedwhentraversingthenetworkcanbehelpindeterminingthemaximumtransmissionunit(MTU)ofthepath.

Toenablethenonfragmentationofechorequests,usethefollowingcommand:

Note: ThisparameterisconfigurableonlyforIPv4addressing.

Switch#pingpacketsize

Switch#ping6packetsize

Switch#pingsource

Switch#pinginterfaceethernet1/12

Switch#ping6source

Switch#ping6interfaceethernet1/12

Switch#pingdfbit


Ping TimeoutBydefault,aftersendinganechorequest,pingwaitsuptoamaximumoftwosecondsforanechoreply.Ifthistimeintervalexpiresandanechoreplyisnotreceived,pingwilldeclarethattheremotehosthastimedoutandthatthesentpacketislost.

Toconfigurethetimeoutinterval,inseconds,usethefollowingcommand:


Ping VRFBydefault,pingusesthedefaultVirtualRoutingandForwarding(VRF)instance.ToconfigurepingtouseadifferentVRFinstance,usethefollowingcommand:

Note: YoucanchooseonlybetweenthedefaultormanagementVRFinstances.


Switch#pingtimeout

Switch#ping6timeout

Switch#pingvrf{default|management}

Switch#ping6vrf{default|management}


Ping Interactive ModeToconfigureacustompingtest,youcanchoosewhatparameterstochangebycombiningthepreviouslypresentedcommands.

Besidesthisoption,youcancustomizeapingtestbyusingPingInteractiveMode.Inthismode,youcanconfigureadditionalparameters:thetypeofservice(ToS),thehoplimitortimetolive(TTL)andthedatapattern.Note: PingInteractiveModeisonlyavailableforIPv4addressing.

ToenterPingInteractiveMode,usethefollowingcommand:

Youwillbepromptedtospecifythevalueofeachconfigurableparameter.Ifyoudonotenteravalue,thedefaultwillbeused.

Switch#ping

Switch#ping

Vrfcontexttouse[default]:managementProtocol[ip]:TargetIPaddress:10.241.1.11Repeatcount[5]:7Datagramsize[56]:100Timeoutinseconds[2]:1Sendingintervalinseconds[1]:Extendedcommands[n]:yesSourceaddressorinterface:Typeofservice[0]:SetDFbitinIPheader?[no]:yesDatapattern[0xABCD]:PATTERN:0xabcdPING10.241.1.11(10.241.1.11)100(128)bytesofdata.108bytesfrom10.241.1.11:icmp_seq=1ttl=61time=0.337ms108bytesfrom10.241.1.11:icmp_seq=2ttl=61time=0.288ms108bytesfrom10.241.1.11:icmp_seq=3ttl=61time=0.311ms108bytesfrom10.241.1.11:icmp_seq=4ttl=61time=0.288ms108bytesfrom10.241.1.11:icmp_seq=5ttl=61time=0.317ms108bytesfrom10.241.1.11:icmp_seq=6ttl=61time=0.288ms108bytesfrom10.241.1.11:icmp_seq=7ttl=61time=0.315ms

10.241.1.11pingstatistics7packetstransmitted,7received,0%packetloss,time5997msrttmin/avg/max/mdev=0.288/0.306/0.337/0.022ms


TracerouteTracerouteisadiagnostictoolusedtodeterminethenetworkroutebetweentheswitchandaremotedevice.Itdisplaysthenetworknodes(routersorgatewaydevices)crossedbyapacketuntilitarrivesatthespecifieddestination.

TraceroutesendsasequenceofUserDatagramProtocol(UDP)packetsaddressedtoaremotedevice.Todeterminetheintermediateroutersbetweenthesourceandthedestinationdevices,tracerouteadjuststhetimetolive(TTL)value,alsoknownashoplimit,ofeachsequenceofsentpackets.Whenapacketcrossesarouter,itshoplimitisdecreasedbyone.Ifarouterdetectsahoplimitofzero,itdiscardsthepacketandsendsthesourcehostanInternetControlMessageProtocol(ICMP)errormessageTimeExceeded.

Tracerouteconfiguresthestartingsequenceofpacketswithahoplimitofone.Thepacketsreachthefirstrouterandtheirhoplimitisreducedfromonetozero.Therouterwillnotforwardthepackets,butwillinsteaddiscardthem.Then,itsendsanICMPerrormessagetothesourcehost.

Traceroutesendsthenextsetofpacketswithahoplimitoftwo.Thistime,thefirstrouterforwardsthepackets,reducingtheirTTLvaluefromtwotoone.Thepacketsreachthesecondrouter,whichupdatestheirhoplimittozeroanddiscardsthem.Then,thesecondsrouterwillsendthesourcehostanICMPerrormessage.

TraceroutecontinuestosendpacketswithincreasinghoplimituntilthetargetedremotedevicereceivesthepacketsandreturnsanICMPechoreply.

Afterreceivingtheechoreply,tracerouteusesthereturnedICMPmessagestocreatealistoftherouterscrossedbythepackets.Itusesthetimeintervalbetweentransmissionandreceptionofpacketsasthedelay(orlatency)valueforeachnode.

TheSwitchalsosupportstracerouteforIPv6addressing.

Toperformatraceroutetest,usethefollowingcommands:

IPv4:

IPv6:

Forexample:

Switch#traceroute

Switch#traceroute6

Switch#traceroute10.241.1.11

tracerouteto10.241.1.11(10.241.1.11),30hopsmax,56bytepackets110.241.41.1(10.241.41.1)1.988ms2.117ms2.299ms210.241.4.254(10.241.4.254)1.903ms1.914ms2.649ms310.241.1.33(10.241.1.33)1.138ms1.195ms1.242ms410.241.1.11(10.241.1.11)1.085ms!X1.079ms!X1.087ms!X


Traceroute Configurable ParametersTracerouteislesscustomizablethanping,providingoptionsonlyforchoosingtheoutgoinginterfaceorVirtualRoutingandForwarding(VRF)instance.

Test InterruptionTraceroutetestscanbemanuallystoppedatanypointintheprocess.Whentheinterruptionisdetected,traceroutewillstopsendingUDPpacketsanddisplaytheresultsbasedonthepacketstransmitteduptothatpoint.

TomanuallyterminateaTraceroutetest,press.

Traceroute SourceBydefault,tracerouteautomaticallychoosestheoutgoinginterfaceforsendingUDPpacketsandtransmitsthepacketsusingtheIPaddressofthatinterface.Tochecktheconnectivityofdifferentpathsthroughthenetwork,youcanspecifytheinterfaceusedforsendingpackets.

Touseacertaininterfaceduringatraceroutetest,usethefollowingcommand:

Note: ThesourceIPv4addressistheIPaddressofthedesiredswitchinterface.


InthecaseofIPv6addressing,youcanalsochoosetheinterfaceusedforthetraceroutetestbydirectlyspecifyingthedesiredinterface.Toachievethis,usethefollowingcommand(inthisexample,ethernetport1/12isused):

Traceroute VRFBydefault,tracerouteusesthedefaultVirtualRoutingandForwarding(VRF)instance.ToconfiguretraceroutetouseadifferentVRFinstance,usethefollowingcommand:

Note: YoucanchooseonlybetweenthedefaultormanagementVRFinstances.


Switch#traceroutesource

Switch#traceroute6source

Switch#traceroute6interfaceethernet1/12

Switch#traceroutevrf{default|management}

Switch#traceroute6vrf{default|managemen

lenovo networking os 10.3 application...

Documents