Enterprise Switching
Courseware Overview
Version 2.2
Course Prerequisites
Student prerequisite knowledge/skills:
- Experienced PC user
- Operational knowledge of Ethernet, the 802.1D standard and the 802.1Q standard

Topics not covered in this course:
- In-depth discussion of 802.1D or 802.1Q
- TCP/IP
- Network design
- Wireless
- NetSight Management
- Dragon
- NAC
- Routing protocols
Instructor
Luis Alberto Frias Elias and Hugo Mendez Vara
Attendees
- Name?
- Company?
- Job description?
- What is your experience with switching?
- Are you currently using ETS products? (Which?)
- What do you hope to learn about switching?
- Do you intend to take the ESE exam?
Enterprise Switching
Product Overview
Agenda
- Switching Product Overview
- Switch Positioning
- The Enterasys Switching Advantage
SecureStack A-Series
1. Low-cost L2 10/100 switching
2. 2 Gb closed-loop stacking
3. High-density stacking (384)
4. Up to 16 Gb uplinks per stack
5. No Enterasys Policy support

SecureStack B-Series
Advanced L2 capabilities
1. L2 10/100 & 10/100/1000 switching
2. Up to 24 Gb closed-loop stacking
3. High-density stacking (384)
4. Up to 32 Gb uplinks per stack
5. Optional Policy available
6. Basic routing (static routes, RIP v1/2)

D-Series
Small, quiet, with optional Policy
1. L2 10/100 & 10/100/1000 switching
2. Optional Policy available
3. Small form factor
4. Whisper-quiet fan, running only when needed

SecureStack C-Series
Policy, optional routing
1. L2 and L3 10/100 & 10/100/1000 switching
2. Up to 48 Gb closed-loop stacking
3. High-density stacking (384)
4. Mixture of up to 32 Gb uplinks and/or 16 10 Gb uplinks per stack
5. Policy by default
6. Basic routing (RIP)
7. C3: IPv6
8. Optional routing (OSPF, PIM-SM, DVMRP, extended ACLs)

G-Series
More horsepower
1. L2 and L3 10/100 & 10/100/1000 switching
2. Policy by default
3. Basic routing (RIP)
4. IPv6
5. Optional routing (OSPF, PIM-SM, DVMRP, extended ACLs)
6. MultiUser Policy (8)

Matrix N-Series
High-end modular chassis
1. End-to-end L2 & L3 enterprise switching
2. Highest system redundancy available
3. Highest density and most interface types
4. MultiUser Policy (up to 256) and the most extensive software and hardware features
5. 6,000 to 56,000 rules per DFE
6. Multiple generations of technology operate concurrently in one chassis
7. Support for basic and advanced routing
Business-critical applications:
- Guarantee network availability for business-critical applications
- Prioritise business-critical applications: streaming video, ERP, VoIP and e-commerce
- Policy
Enterprise Switching
SecureStack Switches
SecureStack Overview
Next-generation, high-density stackable Gigabit switching: extensive bandwidth, performance, scalability and flexibility.
Stack up to 8 switches
- All switches in the stack have to be of the same series (all A2s, all B-series or all C-series).
- Minimum code version on the B2 is 4.0 to allow a B2/B3 mixed stack.
- Minimum code version on the C2 is 5.0 to allow a C2/C3 mixed stack.
VLAN
- 1024 VLANs (VLAN IDs 1-4094)
- Port-based, protocol-based and tagged VLANs
- GARP and GVRP
MAC Locking
SecureStack A2
All A2s come with 2 SFP Mini GBIC ports and 2 stack ports on the front of the switch.
- The stack ports on the A2 are RJ45 ports that use CAT5 or better cables.
When the A2 is in standalone mode (not stacked), the stack ports can be used as standard Gigabit ports with the set switch stackport {ethernet | stack} command.
- This could give you a total of 28 or 52 active ports, depending on the model.
- No Policy support
- No routing support
- Supports 2 Gbps bidirectional throughput per stack port
SecureStack B2
Supports everything the A2 does, plus:
- CoS and bandwidth control with 8 priority queues per port and rate limiting
- Optional Policy license B3POL-LIC: enables Policy and user + IP phone authentication support
B2 Series
- Supports 24- and 48-port models, both PoE and non-PoE
- Supports both 10/100 and triple-speed models
- Supports 20 Gbps bidirectional throughput per stack port
- B2 uses the proprietary stack cables C2CAB-LONG and C2CAB-SHORT*
All B2s come with 4 SFP Mini GBIC ports and 2 stack ports.
- The two stack ports are on the rear of the switch.
- 10/100 models have the 24/48 10/100 ports and the 4 Mini GBIC ports active, for a total of 28/52 active ports.
- On triple-speed models, the Mini GBIC ports and the last 4 10/100/1000 ports are combo ports (discussed in detail later), so only 24 or 48 ports are active.
2007 Enterasys Networks, Inc. All rights reserved.
SecureStack B3
Supports everything the B2 does, plus:
- Supports 24 Gbps bidirectional throughput per stack port
- Reverts back to 20 Gbps in a mixed stack
When working with a mixed B-series stack, the stack takes on the lesser of the capabilities of the two devices. For a B2 and B3 mixed stack:
- The B2 must be running version 4.0 at a minimum to operate in a mixed stack.
- A Policy license is required for every device in the stack in order for Policy to work on the stack at all. A B2 Policy license will operate on a B3.
- It is recommended that a B3 device be the master of the stack.
- Concerning layer 2 policy rules: they will not work on any device (B2s included) in a mixed stack. If the B2 is the master, the layer 2 policy rules should be disabled to avoid a mismatch in the stack.
SecureStack C2
Supports everything the B3 does, plus:
- Supports Policy without a Policy license
- Supports basic IP layer 3 routing (static routes, RIP, basic ACLs)
- Optional license C2L3-LIC (Layer 3 Routing License): enables OSPF, PIM, DVMRP, VRRP and extended ACLs
The C2H124-48 can have the 48 10/100 and 4 Mini GBIC ports active, for a total of 52 active ports. The C2K122-24 can have 24 10/100/1000 ports active plus the 2 10-Gigabit uplink ports, for a total of 26 active ports. On the other models, the Mini GBIC ports and the last 4 10/100/1000 ports are combo ports. This is discussed in detail later.
10-Gigabit XFP options:
- 10GBASE-SR XFP: 850 nm serial port for 10-Gigabit Ethernet over multi-mode fiber (MMF) via an XFP connector. Supports link lengths from 26 m to 300 m depending on the grade of the fiber installation.
- 10GBASE-LR XFP: 1310 nm serial port for 10-Gigabit Ethernet over single-mode fiber (SMF) via an XFP connector. Supports 10-Gigabit Ethernet transmission over distances of between 2 km and 10 km.
- 10GBASE-ER XFP: 1550 nm serial port for 10-Gigabit Ethernet over single-mode fiber (SMF) via an XFP connector. Supports long-haul 10-Gigabit Ethernet transmission over distances of between 2 km and 40 km.
SecureStack C3
Supports everything the C2 does, plus:
- Also supports XFPs, via an optional 10GE IOM for the C3K switches
- All C3s must be running firmware version 1.02.01.0004 for the C3Ks to join the stack
- Supports IPv6 routing, OSPFv3, IGMPv3 snooping and DHCPv6
- The routing license is linked to the switch serial number; therefore each switch in a stack requires its own routing license for routing to work on that switch
When working with a mixed C-series stack, the stack takes on the lesser of the capabilities of the two devices. For a C2 and C3 mixed stack:
- The C2 must be running version 5.02.01.xxx at a minimum to operate in a mixed stack.
- It is recommended that a C3 device be the master of the stack.
- Concerning layer 2 policy rules: they will not work on any C2 device in a mixed stack. If the C2 is the master, the layer 2 policy rules should be disabled to avoid a mismatch in the stack.
IPv6 Routing
- OSPFv3
- Path MTU discovery
- IPv6 to IPv4 translation
- IPv6 tunnels
- ICMPv6 messaging, traceroute, ping, SSH2
There are two chassis (shelves) for the C2RPS-PSM (non-PoE):
- C2RPS-CHAS8 (8-slot chassis) can service a full stack of non-PoE SecureStack switches
- The C2RPS-SYS is the 8-slot chassis plus 1 C2RPS-PSM
Dimensions: 8.77 H x 17.3 W x 10.4 D (in.)
- Fully hot-swappable
- All cable connections at the rear of the unit
- Management through LEDs and SNMP
Enterprise Switching
Matrix N-Series
Matrix N-Series
The Matrix N-Series is a modular design.
- Four chassis models: the N1, N3, N5 and the N7
- The Matrix N-Series Standalone switch (NSA)
- Combines Layer 2 switching with granular Layer 2/3/4 classification
- Supports advanced Layer 3 IP routing
Three product lines of Distributed Forwarding Engines (DFEs):
- Diamond: significant processing enhancements over Platinum DFEs, plus increased security, routing and Policy scalability
- Platinum: optimised for more features and higher performance
- Gold: optimised for edge connectivity, with fewer capabilities than the Platinum
Designed for wiring closets, server farm aggregation and distribution switching.
Matrix N-Series power supplies

Chassis     Power supply part number                       Wattage             Input frequency   Input voltage range   Input current   Minimum power supplies
Matrix N1   N/A (redundant power supplies are integrated)  250 Watts maximum   50 to 60 Hz       100 to 125 Vac        12 A maximum    1*
Matrix N3   7C203-1                                                                                                    12 A maximum    1*
Matrix N5   7C205-1                                                                                                    12 A maximum    1*
Matrix N7   6C207-3                                                                                                    12 A maximum    1**

* Two power supplies may be installed for redundancy and load sharing.
** Two power supplies are required to support Matrix N7 configurations with six and seven installed DFEs (also check the power requirements of individual modules as you install them). The 6C207-3 has two power connectors. Both power cords MUST be plugged in for the power supply to operate (a 15 A circuit is required per cord).
All other modules are backups for each service and keep a copy of the management services information.
- Uninterrupted system operation in the event of module failure
If a module needs to be replaced, the new module inherits all configuration settings of the previous module as long as it is an exact replacement.
- Any configuration files that were stored in the file system of the newly inserted module will not be deleted and will remain available.
Platinum DFEs are distinguished by the platinum color on the tab and part numbers that begin with 7.
Gold DFEs are distinguished by the gold color on the tab and part numbers that begin with 4.
A Gold DFE can be outfitted with a software upgrade (part number N-EOS-RED) to provide 1+1 redundancy. Platinum DFEs provide N+6 redundancy by default.
- Every DFE module is a backup for all others in the chassis; failure of one module will not cause the entire system to fail.
- Up to 2 router instances are supported in a Platinum chassis.
DFE modules pictured:
1. 7H4270-12
2. 7H4382-49 and 7H4383-49, 4H4282-49 and 4H4283-49
3. 7G4202-30
4. 7H4203-72 and 4H4203-72
Platinum and Gold DFEs have mode switches located on the circuit board. Switch definitions and positions are as follows:
- Switches 1 through 6: for Enterasys Networks use only
- Switch 7: clear persistent data (NVRAM)
- Switch 8: clear admin password
Because switch 8 resets the admin password, anyone with physical access to the chassis can regain administrative control of it; treat physical access to the chassis as equivalent to the admin credentials.
Enterprise Switching
Device Management

Port naming: fe.1.2 = port type . slot location . port number

Port type
- fe = Fast Ethernet, ge = Gigabit Ethernet
Slot location
- Identical format for Matrix N-Series, D, G and I Series and SecureStack
- For the D and G series: the slot number, starting with the base ports and counting left to right through the expansion slots, 0-based
- For SecureStack: the device number in the stack (which may or may not correspond to the device's physical position in the stack), 1-based
Port number
- Identical format for all current switches
- The number of the port, counted by port type within this slot, 1-based
Example: fe.1.1 is the first Fast Ethernet port in slot 1. Example: ge.1.1 is the first Gigabit Ethernet port in slot 1 (which may physically be the 25th port in slot 1).
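Port strings in the CLI combine this naming with lists and ranges in the last field (for example fe.1.1,5,8-9 in a set port vlan command, or lag.0.1-48;host.0.1;fe.1.1-48;ge.1.1-6 in show vlan output). The parser below expands such strings into individual port names so that scripts can check exactly which ports a command touched. It is an added example written for this page, not Enterasys code; the grammar it accepts is inferred from the examples in this course, and the sample strings in the tests are constructed.

```python
import re

# Enterasys-style port group: <type>.<slot>.<ports>, where <ports> is a
# comma-separated list of port numbers and ranges, e.g. fe.1.1,5,8-9.
# Several groups may be joined with ';' as in show vlan output.
_GROUP_RE = re.compile(
    r"^(?P<type>[a-z]+)\.(?P<slot>\d+)\.(?P<ports>\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*)$"
)


def expand_port_string(port_string):
    """Expand a port string into the list of individual port names, in order."""
    names = []
    for group in port_string.split(";"):
        m = _GROUP_RE.match(group.strip())
        if not m:
            raise ValueError(f"malformed port string: {group!r}")
        ptype, slot = m["type"], int(m["slot"])
        for item in m["ports"].split(","):
            low_s, _, high_s = item.partition("-")
            low = int(low_s)
            high = int(high_s) if high_s else low
            # port numbers are 1-based; a zero or reversed range is a typo
            if low < 1 or high < low:
                raise ValueError(f"bad port range {item!r} in {group!r}")
            names.extend(f"{ptype}.{slot}.{n}" for n in range(low, high + 1))
    return names


def parse_port(name):
    """Split one port name into (type, slot, port)."""
    ptype, slot, port = name.split(".")
    return ptype, int(slot), int(port)


def group_by_slot(names):
    """Map (type, slot) -> sorted port numbers, so a stack-wide change can be
    checked slot by slot (each SecureStack unit is one slot)."""
    out = {}
    for name in names:
        ptype, slot, port = parse_port(name)
        out.setdefault((ptype, slot), []).append(port)
    return {key: sorted(ports) for key, ports in out.items()}
```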
Enterasys switch products may be locally managed via the COM port.
- The console port on a device may be either an RJ45 or a DB9 connector.
- Connections are designed for a VT terminal, a PC with terminal emulation (such as HyperTerminal or Tera Term Pro), or a modem.
Generic Values
By default, the Matrix N-Series and SecureStack A, B and C switches are configured with three user login accounts:
- ro for read-only access
- rw for read-write access
- admin for super-user access
Set a password on each of these accounts before the switch is reachable in-band; the account names are the same on every unit, so a default or weak password on any of them is the first thing an attacker will try.
CLI Overview
Layer 2 switch configuration
- Persistent when configured
Basic CLI usage
- Use ? in the CLI to display commands and parameters
- Use Tab for command auto-completion
- Use the up arrow or down arrow key to recall a previously entered command
Setting system information
- set system location [string]
- set system contact [string]
Setting console behaviour
- set prompt [prompt_string] (if you use quotation marks it is possible to put a space between words)
- set logout timeout
- set logout 0 is the default on the DFE (0 disables the idle timeout)
CLI Overview
Reset the system
- reset
- reset at hh:mm [mm/dd] [reason]
- reset in hh:mm [reason]
- show reset
A reset does not clear the IP address; use the clear ip address command for that to happen.
In-band Management
All Enterasys switches can be managed in-band through the following IP addresses:
- Layer 2 virtual host management port (all Enterasys switches)
- Layer 3 IP routed interfaces (N, G and C)
Secure Sockets Layer (SSL) uses public-key cryptography to negotiate a session key and then encrypts the data in transit, so WebView management traffic is not exposed in clear text on the network.
- SSL can be enabled through the command line:
set ssl enable
set webview enable ssl-only
- The ssl-only keyword leaves only the HTTPS listener; without it WebView still answers over plain HTTP.
- To use WebView with SSL, enter https://172.10.1.100 in your browser, where 172.10.1.100 is the switch IP address.
- Supported on SecureStack, D, G and I Series switches
- Not supported on Matrix N-Series
Secure Shell (SSH) is a protocol for secure remote login over an insecure network.
- A secure substitute for Telnet, encrypting communications between two hosts
- All current Enterasys switches support SSH
Firmware Upgrades
Firmware is the operating system for the switch. Enterasys periodically provides firmware upgrades and, less frequently, Boot PROM upgrades. These are required to:
- Address software incompatibilities
- Introduce and integrate new features
- Address problems and issues with previous firmware versions
- Support new and future technologies
Enterasys switches primarily support TFTP or BootP server functionality. Other methods of firmware upgrade include FTP and serial (ZMODEM).
Firmware Upgrades
- The firmware image is stored in flash memory and runs in local RAM. Some relevant definitions follow.
NVRAM (Non-Volatile Random Access Memory): RAM that retains its contents (for example, IP addresses) when a unit is powered off.
LRAM (Local RAM): memory area used by the central processor for operational tables and current processes (for example, SAT tables and VLAN tables).
Flash memory: non-volatile storage that can be electrically erased and reprogrammed. Allows firmware images to be stored, booted and rewritten as necessary.
Boot PROM: holds the boot programs and board revisions.
- BootP process: BootP packets are exchanged to obtain download information. The actual file download of a new firmware image is via TFTP.
- BootP would be used when the device has an image failure. The BootP process generally happens without administrative control.
Neither BootP nor TFTP authenticates the server, so any host that can answer on the management segment during such a recovery can supply the image; keep that segment restricted to the intended servers.
Current switches can hold multiple images, so flash is not automatically cleared. There must be room in flash for a new image or the TFTP download will fail.
- Example: the DFEs can hold two images; if both are in use, one of the images has to be manually deleted before a new image can be downloaded to flash.
- Once the download is complete, the device continues to operate on the old image until it is reset for any reason. Upon reboot, the new image is used via a normal boot-up.
For devices that can hold multiple images, the set boot system command is used to select the new image.
Matrix N-Series
The Matrix N-Series DFEs allow you to download and store up to two image files. There are three ways to download firmware to the N-Series devices:
- An FTP download uses an FTP server connected to the network and downloads the firmware using the FTP protocol.
- A TFTP download uses a TFTP server connected to the network and downloads the firmware using the TFTP protocol.
- An out-of-band download is accomplished via the serial (console) port. By typing the command download, you send the firmware image via the ZMODEM protocol from your terminal emulation application.
SecureStacks
- Firmware may be downloaded using a TFTP server (preferred) or out-of-band via the console port
- Can store up to 2 images
- Once firmware is downloaded to the management switch, the management switch automatically pushes the firmware to all switches in the stack
- The copy command is used to download/upload firmware and configuration files to/from the device:
copy source_filename destination_filename
Operation:
- Upload: the source file is local and the destination file is remote
- Download: the source file is remote and the destination file is local
File type:
- Local file: the file name is specified
- Remote file: the file name is specified prefixed with a URL, e.g. tftp://172.16.2.10/DFE-P-52604
firmware/images/30712.fls (E1)
When an image is downloaded to the DFE or SecureStack, the new image is not loaded right away. To do so you have to:
- First tell the switch which image you want it to boot:
show boot system
set boot system filename
Management Security
There are varying levels of security across the product lines to control and monitor management access to the switch hosts. Management security involves controlling which users are allowed to access, monitor and manage a switch. Features for management security are available from the various Enterasys switching families.
- Control plane features:
Login security (passwords)
SNMP community name (v1, v2)
SNMP user and password (v3)
Host access control authentication
Secure Shell
Management Security
To secure host management, certain features should be disabled:
- The following features should be disabled because passwords are sent in clear text across the network over these protocols:
Telnet
set telnet disable
The same applies to SNMP v1/v2 community names and to WebView over plain HTTP: the community name or login crosses the wire in clear text, so use SNMPv3 user authentication and WebView in ssl-only mode where the platform supports them.
Enterprise Switching
VLANs
VLAN Planning
Preparing for VLAN configuration
- Forethought and planning are essential to a successful VLAN implementation. Before attempting to configure a single device for VLAN operation, consider the following:
What is the purpose of the VLAN design (e.g. security containers, broadcast traffic containment)?
How many VLANs will be required?
What stations (end users, servers, etc.) will belong to them?
What ports on the switch are connected to those stations?
What ports will be configured as GVRP-aware ports? (A GVRP-aware port accepts VLAN registrations from whatever is attached to it, so limit GVRP to links between switches you control.)
VLAN Planning
Default VLAN and number of supported VLANs
- By default, all ports on all Enterasys switches:
Are assigned to VLAN ID 1
Are on VLAN 1's egress list as untagged
Have a PVID of 1
- Because every port starts untagged on VLAN 1, unused ports share a broadcast domain with everything else left on VLAN 1 until they are moved.
- The number of VLANs and the range of VIDs supported varies depending on the device.
- IEEE 802.1Q specifies 4096 VLAN IDs; the user-configurable range for VLAN IDs (VIDs) is 2 through 4094.
- VID 0 is the null VLAN ID, indicating that the tag header in the frame contains priority information rather than a VLAN identifier. It cannot be configured as a port VLAN ID (PVID).
VLAN Forwarding
Ingress VLAN assignment for received packets
Precedence:
1. 802.1Q VLAN tag (tagged packets only)
2. Policy or traffic classification (may overwrite the 802.1Q VLAN tag when tci-overwrite is enabled)
3. PVID of the receiving port (untagged packets)
Learned traffic
- If the destination MAC address of the packet is in the FDB for the VLAN, the packet is forwarded out of the learned port in the packet format specified for that port.
VLAN Configuration
Example:
Matrix N7 Platinum(su)->set port vlan fe.1.1,5,8-9 44
The PVID is used to classify untagged frames as they ingress into a given port. Would you like to add the selected port(s) to this VLAN's untagged egress list and remove them from all other VLANs' untagged egress lists (y/n) [n]?
NOTE: Choosing 'y' will not remove the port(s) from previously configured tagged egress lists.
y
Matrix N7 Platinum(su)->
Egress determines which ports will be eligible to transmit frames for a particular VLAN.
- VLANs have no egress ports (except VLAN ID 1) until they are configured by static administration or through dynamic mechanisms.
Dynamic mechanisms include GVRP, Policy and Enterasys Dynamic Egress.
- The VLAN egress setting specifies the format of the transmitted packet: tagged, untagged or forbidden.
- Each port on the switch is capable of concurrently forwarding both tagged and untagged frames for different VLANs. A single port can be assigned to multiple VLAN egress lists as tagged, untagged or forbidden. The default frame format is tagged.
set vlan egress vlan-list port-string [untagged | forbidden | tagged]
- The show vlan static command displays all ports on the VLAN regardless of the forwarding state of the port.
A port that is displayed as both an Egress Port and an Untagged Port for a VLAN is on this VLAN's egress list as untagged.
A port that is displayed only as an Egress Port for a VLAN is on this VLAN's egress list as tagged.
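The ingress precedence, the PVID prompt from set port vlan and the tagged/untagged/forbidden egress lists above fit in one small model. The code below is an added example written for this page, not Enterasys code: it keeps the factory default (every port untagged on VLAN 1 with PVID 1), applies the 'y' answer to the set port vlan prompt exactly as the prompt describes it, classifies received frames by tag, then policy (with tci-overwrite), then PVID, and forwards known destinations to their learned port and unknown ones to the VLAN's egress list. Port names, MAC addresses and the policy_vid parameter are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

NULL_VID = 0                 # tag carries priority only; never a VLAN and never a PVID
USER_VIDS = range(2, 4095)   # user-configurable VIDs per the course; VLAN 1 pre-exists


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vid: Optional[int] = None   # None = untagged, 0 = priority-tagged, else the 802.1Q VID


class VlanSwitch:
    """Ingress VLAN classification, egress lists and FDB lookup for one switch."""

    def __init__(self, ports):
        self.pvid = {p: 1 for p in ports}                   # factory default: PVID 1
        self.egress = {1: {p: "untagged" for p in ports}}   # VLAN 1, every port untagged
        self.tci_overwrite = {p: False for p in ports}
        self.fdb = {}                                       # (vid, mac) -> learned port

    def create_vlan(self, vid):
        if vid not in USER_VIDS:
            raise ValueError(f"VID {vid} is outside the user-configurable range 2-4094")
        self.egress.setdefault(vid, {})   # a new VLAN has no egress ports until configured

    def set_port_vlan(self, port, vid, modify_egress=True):
        """'set port vlan <port> <vid>'; modify_egress=True is the 'y' answer to the
        prompt: the port joins this VLAN's untagged egress list and leaves every
        other VLAN's untagged list, while tagged entries are kept."""
        if vid == NULL_VID or vid not in self.egress:
            raise ValueError(f"VID {vid} cannot be used as a PVID")
        self.pvid[port] = vid
        if modify_egress:
            for other, members in self.egress.items():
                if other != vid and members.get(port) == "untagged":
                    del members[port]
            self.egress[vid][port] = "untagged"

    def set_vlan_egress(self, vid, port, fmt="tagged"):
        """'set vlan egress <vid> <port> [untagged | forbidden | tagged]'."""
        if fmt not in ("tagged", "untagged", "forbidden"):
            raise ValueError(f"unknown egress format {fmt!r}")
        self.egress[vid][port] = fmt

    def classify_ingress(self, port, frame, policy_vid=None):
        """Precedence: 802.1Q tag, then policy/classification (which beats the tag
        only when tci-overwrite is enabled on the port), then the port's PVID."""
        tagged = frame.vid not in (None, NULL_VID)
        if tagged and not (policy_vid is not None and self.tci_overwrite[port]):
            return frame.vid
        if policy_vid is not None:
            return policy_vid
        return self.pvid[port]

    def forward(self, in_port, frame, policy_vid=None):
        """Return {out_port: 'tagged' | 'untagged'} for a frame received on in_port:
        a known destination goes to its learned port, an unknown one floods the
        VLAN's egress list; forbidden ports and the ingress port never transmit."""
        vid = self.classify_ingress(in_port, frame, policy_vid)
        members = self.egress.get(vid, {})
        self.fdb[(vid, frame.src_mac)] = in_port          # learn the source address
        learned = self.fdb.get((vid, frame.dst_mac))
        candidates = [learned] if learned else list(members)
        return {p: members[p] for p in candidates
                if p != in_port and members.get(p) in ("tagged", "untagged")}
```

The forward() result is the per-port frame format, which is what show vlan static reports: a port listed under both Egress Ports and Untagged Ports sends the frame untagged, a port listed only under Egress Ports sends it tagged.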
If you are configuring multiple VLANs, it is recommended that you configure a management VLAN.
- This allows a station connected to the management VLAN to manage devices.
- It also improves security by preventing device configuration via ports on other VLANs.
The process of assigning a management VLAN must be repeated on every infrastructure device on the network to ensure each device has a connection to the management VLAN.
- It is not necessary to configure a physical port for management on each switch.
- Only those switches that will have a management station attached need a physical port assigned to the management VLAN.
Enterprise Switching
Spanning Tree
Agenda
- IEEE 802.1D, Spanning Tree
- IEEE 802.1w, Rapid Spanning Tree
- IEEE 802.1t (802.1D maintenance)
- IEEE 802.1s, Multiple Spanning Trees (MST)
- Enterasys Per VLAN Spanning Tree (PVST)
- Span Guard
- Summary
As of 2003, the original IEEE 802.1D version of spanning tree was removed from the specification. STP has been superseded by IEEE 802.1w, Rapid Spanning Tree Protocol (RSTP), and IEEE 802.1s, Multiple Spanning Tree. All Enterasys switches support IEEE 802.1D Spanning Tree. The Matrix N-Series and SecureStack support 802.1w/s by default.
Values carried in a configuration BPDU and compared, in this order, to pick the best path:
- Root Bridge ID
- Path Cost to Root
- Designated Bridge ID
- Designated Port ID
- Root Port ID
Figure: root bridge election. The link costs on the diagram are 4 (Gigabit Ethernet), 19 (Fast Ethernet) and 100 (10 Mbps Ethernet).
Designated bridges in the example:
- Bridge 1 is the designated bridge for Bridge 2 and Bridge 4
- Bridge 2 is the designated bridge for Bridge 3 and Bridge 5
- Bridge 3 is the designated bridge for Bridge 6
Listening
- Only processes frames addressed to it
- Listens to BPDUs to ensure no loops occur on the network
- BPDUs received are processed as required by the STA
Learning
- The bridge is passively building its SAT but does not forward frames
Forwarding
- Able to send and receive data
- Participating in frame transmission
Identify root and designated ports and block redundant links, as shown below.
IEEE 802.1w, Rapid Reconfiguration Spanning Tree (RSTP), is built upon the original IEEE 802.1D Spanning Tree Protocol parameters.
IEEE 802.1w and IEEE 802.1D Spanning Tree algorithms will interoperate.
- An RSTP switch detects the STP version when it is connected to an 802.1D STP switch.
- When the RSTP port is initialised, it transmits RSTP Bridge Protocol Data Units (BPDUs) for three seconds; it then transitions to sending STP BPDUs if it receives STP BPDUs.
- Alternate Port: any redundant upstream port that provides an alternate path to the Root Bridge (other than the Root Port)
- Designated Port: any downstream port that provides a path back to the Root Bridge for a downstream bridge
- Backup Port: a port that acts as a redundant Designated Port for a downstream bridge
- Edge Port: a port that has no other bridges connected to it (i.e. a user port). This is automatically configured by the Bridge Detection State Machine (802.1t Clause 18).
Spanning Tree
Ports in the Alternate and Backup port roles are not part of the active spanning tree.
- They provide redundant fail-over connectivity in the event of a failed Root or Designated Port.
Port States
RSTP eliminates the Listening and Blocking port states found in 802.1D STP. Valid RSTP port states:
- Forwarding, Learning, Discarding
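The root election, path-cost comparison and the Root/Designated/Alternate/Backup roles described in this section, worked in code. This is an added example written for this page, not Enterasys code. The four-bridge topology, MAC addresses and port numbers are constructed; the port path costs are the course's values (4 Gigabit, 19 Fast Ethernet, 100 for 10 Mbps), and the shared "hub" segment is included because a Backup port only arises where one bridge has two ports on the same segment.

```python
import heapq

# Constructed topology (assumed for the example). Bridge IDs are (priority, MAC)
# and the lowest wins. Each segment lists (bridge, port number, port path cost).
BRIDGES = {
    "B1": (32768, "00:e0:63:00:00:01"),
    "B2": (32768, "00:e0:63:00:00:02"),
    "B3": (32768, "00:e0:63:00:00:03"),
    "B4": (32768, "00:e0:63:00:00:04"),
}
SEGMENTS = {
    "B1-B2": [("B1", 1, 4), ("B2", 1, 4)],
    "B1-B3": [("B1", 2, 19), ("B3", 1, 19)],
    "B2-B3": [("B2", 2, 19), ("B3", 2, 19)],                  # redundant link: ends up blocked
    "hub":   [("B3", 3, 100), ("B3", 4, 100), ("B4", 1, 100)],  # shared segment; B3 attaches twice
}


def elect_root(bridges):
    """The bridge with the numerically lowest (priority, MAC) becomes root."""
    return min(bridges, key=bridges.get)


def root_path_costs(segments, root):
    """Dijkstra over the segments; the cost is added by the port that receives the BPDU."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for att in segments.values():
            if not any(b == u for b, _, _ in att):
                continue
            for v, _, cost in att:
                if v != u and d + cost < dist.get(v, float("inf")):
                    dist[v] = d + cost
                    heapq.heappush(heap, (d + cost, v))
    return dist


def port_roles(bridges, segments):
    """Return (root, root path cost per bridge, role per (bridge, port))."""
    root = elect_root(bridges)
    dist = root_path_costs(segments, root)
    # Designated port per segment: lowest (root path cost, bridge ID, port ID).
    designated = {name: min(att, key=lambda a: (dist[a[0]], bridges[a[0]], a[1]))
                  for name, att in segments.items()}
    # Root port per bridge: best vector received from a segment's designated port,
    # compared as (cost, designated bridge ID, designated port ID, own port ID).
    root_port = {}
    for name, att in segments.items():
        d_bridge, d_port, _ = designated[name]
        for b, p, cost in att:
            if b in (root, d_bridge):
                continue
            vector = (dist[d_bridge] + cost, bridges[d_bridge], d_port, p)
            if b not in root_port or vector < root_port[b]:
                root_port[b] = vector
    roles = {}
    for name, att in segments.items():
        d_bridge, d_port, _ = designated[name]
        for b, p, _ in att:
            if (b, p) == (d_bridge, d_port):
                roles[(b, p)] = "designated"
            elif b != root and root_port[b][3] == p:
                roles[(b, p)] = "root"
            elif b == d_bridge:
                roles[(b, p)] = "backup"      # this bridge already holds the designated port here
            else:
                roles[(b, p)] = "alternate"   # another bridge's designated port is better
    return root, dist, roles


if __name__ == "__main__":
    root, dist, roles = port_roles(BRIDGES, SEGMENTS)
    print("root:", root, "costs:", dist)
    for (b, p), role in sorted(roles.items()):
        print(f"{b} port {p}: {role}")
```

Designated and Root ports forward; Alternate and Backup ports sit in Discarding. Changing any bridge's priority field changes the outcome of elect_root(), which is exactly what a spoofed BPDU with a low priority does and why the Span Guard feature later in this section exists.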
Figure: with 802.1D/w there is a single root and a single active tree, so one link is over-utilised while the redundant link carries nothing (it is only there for failover). With 802.1s each instance (VLAN Green, VLAN Blue, VLAN Red) has its own root, so a port that one instance blocks carries data flow for another, and the redundant bandwidth is used.
Span Guard
Span Guard is designed to increase security and reliability.
Supported platforms:
- Matrix N-Series (Gold, Platinum)
- All SecureStacks
- D, G and I Series
Advantages of Span Guard:
- Spoofed BPDUs will NOT cause spanning tree topology changes or re-spans.
- A spoofed BPDU attack will be detected and the administrator notified: set spantree spanguardtrapenable {disable | enable}
- Accidental addition of a repeater, a bridged repeater or a PC will not bring down the network.
Enterprise Switching
Link Aggregation
Agenda
- IEEE 802.3ad Link Aggregation
- SmartTrunking
- Product-specific information
- Recommended practices
- Summary
Introduction
Link Aggregation, SmartTrunking and other port aggregation algorithms are all methods of:
- Bonding together two or more data channels into a single channel that appears as a single, higher-bandwidth logical link
- Implementing increased bandwidth cost-effectively
- Providing redundancy and fault tolerance
Link aggregation makes multiple physical links appear as a single logical link to Spanning Tree.
802.3ad Terminology
- Link Aggregation Group (LAG): the name used to refer to a logical grouping of individual ports.
- Aggregation system: an arbitrary grouping of one or more ports for the purpose of aggregation.
- Aggregation keys: parameters identifying which ports can be aggregated together.
- Marker Protocol: gives the data distribution function a means of determining the point at which a given set of conversations can safely be reallocated from one link to another, without the danger of causing frames in those conversations to be mis-ordered.
- Actor: the local device in a Link Aggregation Control Protocol (LACP) exchange.
- Partner: the remote device in an LACP exchange.
There are three scenarios in which link aggregation may be useful in a network:
- Switch-to-switch connections: multiple ports on a switch are joined to form an aggregated link. Aggregation of multiple links achieves higher-speed connections between switches without a hardware upgrade.
- Switch-to-station (server or router) connections: many server platforms can saturate a single 100 Mbps link, so link capacity limits overall system performance. You can aggregate switch-to-station connections to improve performance.
- Station-to-station connections: though not a common configuration, you can also aggregate directly between a pair of end stations.
VLAN Configuration
- By default, all LAG ports are on VLAN 1's egress list as untagged with a PVID of 1:
Matrix N7 Platinum(su)->show vlan static
VLAN: 1    NAME: DEFAULT VLAN    Status: Enabled
VLAN Type: Permanent    FID: 1
Creation Time: 0 days 0 hours 13 minutes 3 seconds ago
Egress Ports            lag.0.1-48;host.0.1;fe.1.1-48;ge.1.1-6
Forbidden Egress Ports  None.
Untagged Ports          lag.0.1-48;host.0.1;fe.1.1-48;ge.1.1-6
Matrix N7 Platinum(su)->show lacp lag.0.1
Global Link Aggregation state: enabled
Single Port LAGs: disabled
Aggregator: lag.0.1
  Actor:    System Identifier 00:e0:63:6b:20:0a, System Priority 32768, Admin Key 32768, Oper Key 32768, Attached Ports fe.1.1-2
  Partner:  System Identifier 00:01:f4:b6:10:41, System Priority 1, Key 4
SecureStack
- Supports the IEEE 802.3ad standard
- LAG ports can be spread across the stack
Capacity
SecureStack C2/C3 and B2/B3:
- Supports up to 6 LAGs per stack, shown in the CLI as lag.0.1 through lag.0.6
- Supports up to 8 ports per LAG
SecureStack A2:
- Supports up to 6 LAGs per stack, shown in the CLI as lag.0.1 through lag.0.6
- Supports up to 4 ports per LAG
Matrix N7 Platinum(su)->show vlan 333
VLAN: 333    NAME:    Status: Enabled
VLAN Type: Permanent    FID: 333
Creation Time: 0 days 2 hours 27 minutes 43 seconds ago
Egress Ports            None.
Forbidden Egress Ports  None.
Untagged Ports          None.
- All physical ports in a LAG will remain part of the virtual LAG port until only one port is operational in the group.
- The remaining port will then revert to its physical port settings UNLESS the single port LAG feature is enabled on the device.
Recommended Practices
VLAN configuration
- Configure the VLAN egress and PVID settings for a virtual LAG port and all of the underlying physical ports identically.
This accounts for the situation where all but one port in the LAG become inoperational.
Matrix N7 Platinum(su)->set vlan egress 333 lag.0.1 tagged
Matrix N7 Platinum(su)->set vlan egress 333 fe.1.1-4 tagged
Matrix N7 Platinum(su)->set port vlan lag.0.1 5
Matrix N7 Platinum(su)->set port vlan fe.1.1-4 5
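The two LAG behaviours this section leans on are the per-conversation distribution (frames of one conversation stay on one member link, so nothing is mis-ordered) and the fallback to a bare physical port once only one member is up. The model below shows both, plus a check for the recommended practice of keeping the LAG port and its members identically configured. It is an added example written for this page, not Enterasys code: the CRC-based link selection stands in for whatever distribution function the hardware uses, and the port names, MAC addresses and the PVID/egress tables are constructed to mirror the set commands above, with fe.1.4 deliberately left unconfigured.

```python
import zlib


class Lag:
    """One link aggregation group with conversation-preserving distribution."""

    def __init__(self, name, members, single_port_lag=False):
        self.name = name                      # virtual port, e.g. "lag.0.1"
        self.members = list(members)          # physical ports, e.g. fe.1.1-4
        self.up = set(members)
        self.single_port_lag = single_port_lag

    def link_down(self, port):
        self.up.discard(port)

    def link_up(self, port):
        if port in self.members:
            self.up.add(port)

    def active_interface(self):
        """Interface whose VLAN settings are in effect: the virtual LAG port while
        more than one member is operational (or single-port LAGs are enabled),
        otherwise the last remaining physical port, on its own settings."""
        up = [p for p in self.members if p in self.up]
        if len(up) > 1 or (self.single_port_lag and up):
            return self.name
        return up[0] if up else None

    def select_link(self, src_mac, dst_mac):
        """Hash the conversation so all of its frames leave on the same member;
        the choice only changes when the set of operational members changes."""
        up = [p for p in self.members if p in self.up]
        if not up:
            return None
        key = f"{src_mac.lower()}>{dst_mac.lower()}".encode()   # illustrative hash input
        return up[zlib.crc32(key) % len(up)]


def vlan_mismatches(pvid, egress, lag):
    """Compare PVID and per-VLAN egress settings of the LAG port with each member.
    pvid: {port: vid}; egress: {vid: {port: 'tagged' | 'untagged' | 'forbidden'}}.
    Returns [(member, 'pvid' or vid, lag_value, member_value)] for every difference."""
    problems = []
    for member in lag.members:
        if pvid.get(member) != pvid.get(lag.name):
            problems.append((member, "pvid", pvid.get(lag.name), pvid.get(member)))
        for vid, entries in egress.items():
            if entries.get(member) != entries.get(lag.name):
                problems.append((member, vid, entries.get(lag.name), entries.get(member)))
    return problems


# Constructed tables mirroring the set commands above, except that fe.1.4 was
# skipped: the LAG works while several members are up, but if fe.1.4 is the
# last one standing it reverts to PVID 1 with no VLAN 333 egress.
PVID = {"lag.0.1": 5, "fe.1.1": 5, "fe.1.2": 5, "fe.1.3": 5, "fe.1.4": 1}
EGRESS = {333: {"lag.0.1": "tagged", "fe.1.1": "tagged", "fe.1.2": "tagged", "fe.1.3": "tagged"}}

if __name__ == "__main__":
    lag = Lag("lag.0.1", ["fe.1.1", "fe.1.2", "fe.1.3", "fe.1.4"])
    for problem in vlan_mismatches(PVID, EGRESS, lag):
        print("mismatch:", problem)
```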
Enterprise Switching
Traffic Management
Agenda
- Traffic Management Overview
- Analyse network traffic
- Port and VLAN mirroring
- Mark prioritised traffic to indicate the forwarding treatment packets receive at each network device along the transmission path
- Specify the forwarding treatment to prioritise, shape and police packet transmission
- Utilise an RMON probe (statistics analyser) or a network analyser (sniffer) for analysis
- Implement an Intrusion Detection System (IDS) for detecting security events
- In most implementations, errored frames are not mirrored
- Many-to-one port mirroring is supported on all platforms
- One-to-many mirroring is not supported on all platforms
Figure: port mirroring (Rx and Tx of a source port) and VLAN mirroring (Rx and Tx of VLAN X) copied to the analyser port.
Broadcast Suppression
Two ways to reduce or contain broadcast traffic in a network:
- Segment using VLANs
- Use broadcast suppression
Figure: broadcast frames (destination FF:FF:FF:FF:FF:FF) from a PC are flooded through both switches and reach the switch CPU.
Broadcast Suppression
Matrix N-Series
- Disabled by default
- The threshold value sets a packets-per-second threshold on broadcast traffic. The minimum value is 1 pps. The maximum value is 1488100 pps for Gigabit and 148810 pps for Fast Ethernet.
- The command to configure broadcast suppression is:
set port broadcast port_string threshold_value
SecureStack
- Identical support to the Matrix N-Series
MAC Locking
MAC locking allows administrators to control access to the network based on a device's MAC address.
- Also known as MAC-based port locking, port locking and port security
- Locks a port to one or more MAC addresses, preventing connection of unauthorised devices via a port
- MAC locking comes in two flavours:
Static MAC locking
- Locking one or more specified MAC addresses to a port
3. Optionally enable the sending of traps via SNMP as an administrative notification tool when more than the maximum number of MAC addresses allowed to access a port is attempted:
set maclock trap port_string {enable | disable}
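Broadcast suppression (the packets-per-second threshold above) and MAC locking (static addresses, an address limit, and the trap on violation) are both per-port ingress decisions, so one model covers both passages. The code below is an added example written for this page, not Enterasys code: the threshold bounds are the course's values, the static mode follows the description above, the count-limited dynamic mode is assumed from the trap's "maximum number of MAC addresses" wording, and the frames, port names and the trap callback standing in for an SNMP trap are constructed.

```python
import math

GIG_MAX_PPS = 1488100     # course maximum for set port broadcast on Gigabit
FE_MAX_PPS = 148810       # and on Fast Ethernet
BROADCAST = "ff:ff:ff:ff:ff:ff"


class PortGuard:
    """Per-port broadcast suppression and MAC locking applied to constructed frames."""

    def __init__(self, port, gigabit=True, trap=None):
        self.port = port
        self.max_pps = GIG_MAX_PPS if gigabit else FE_MAX_PPS
        self.broadcast_pps = None        # disabled by default, as on the Matrix N-Series
        self.static_macs = set()         # static MAC locking: explicitly allowed addresses
        self.dynamic_limit = None        # assumed dynamic mode: first N addresses seen are locked in
        self.dynamic_macs = []
        self.trap = trap                 # callable(port, message), standing in for an SNMP trap
        self._second = None
        self._seen_this_second = 0

    def set_broadcast(self, threshold):
        """set port broadcast <port> <threshold>, with the course's valid range."""
        if not 1 <= threshold <= self.max_pps:
            raise ValueError(f"threshold must be 1..{self.max_pps} pps on {self.port}")
        self.broadcast_pps = threshold

    def lock_static(self, *macs):
        self.static_macs.update(m.lower() for m in macs)

    def set_dynamic_limit(self, n):
        self.dynamic_limit = n

    def _mac_allowed(self, src):
        src = src.lower()
        if not self.static_macs and self.dynamic_limit is None:
            return True                          # locking not configured on this port
        if src in self.static_macs or src in self.dynamic_macs:
            return True
        if self.dynamic_limit is not None and len(self.dynamic_macs) < self.dynamic_limit:
            self.dynamic_macs.append(src)        # learn and lock the next address
            return True
        if self.trap:                            # set maclock trap <port> enable
            self.trap(self.port, f"MAC lock violation from {src}")
        return False

    def _broadcast_allowed(self, ts):
        if self.broadcast_pps is None:
            return True
        second = math.floor(ts)
        if second != self._second:               # start a new one-second window
            self._second, self._seen_this_second = second, 0
        self._seen_this_second += 1
        return self._seen_this_second <= self.broadcast_pps

    def ingress(self, src_mac, dst_mac, ts):
        """Return 'forward', 'drop:maclock' or 'drop:broadcast' for one frame at time ts."""
        if not self._mac_allowed(src_mac):
            return "drop:maclock"
        if dst_mac.lower() == BROADCAST and not self._broadcast_allowed(ts):
            return "drop:broadcast"
        return "forward"
```

Note the ordering: the MAC check runs first, so a broadcast from an unauthorised station is reported as a lock violation rather than quietly absorbed by the broadcast threshold.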