
Configuring User Authentication

This chapter provides the following information about configuring and monitoring user authentication on Enterasys N-Series, S-Series, and K-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series, G-Series, and I-Series standalone fixed switches.


Note: Throughout this document: Use of the term modular switch indicates that the information is valid for the N-Series, S-Series, and K-Series platforms. Use of the term stackable fixed switch indicates that the information is valid for the A-Series, B-Series, and C-Series platforms. Use of the term standalone fixed switch indicates that the information is valid for the D-Series, G-Series, and I-Series platforms.

For information about...                      Refer to page...
What is User Authentication?                  1
Why Would I Use It in My Network?             2
How Can I Implement User Authentication?      2
Authentication Overview                       2
Configuring Authentication                    14
Authentication Configuration Example          29
Terms and Definitions                         34

What is User Authentication?


Authentication is the ability of a network access server, with a database of valid users and devices, to acquire and verify the appropriate credentials of a user or device (supplicant) attempting to gain access to the network. Enterasys authentication uses the RADIUS protocol to control access to switch ports from an authentication server and to manage the message exchange between the authenticating device and the server. Both MultiAuth and Multi-user authentication are supported. MultiAuth is the ability to configure multiple authentication modes for a user and apply the authentication mode with the highest precedence. Multi-user is the ability to appropriately authenticate multiple supplicants on a single link and provision network resources, based upon an appropriate policy for each supplicant. The Enterasys switch products support the following five authentication methods:
• IEEE 802.1x
• MAC-based Authentication (MAC)
• Port Web Authentication (PWA)

April 15, 2011

Page 1 of 36


• Convergence End Point (CEP)
• RADIUS Snooping
Note: The RADIUS Snooping user authentication feature is detailed in the Configuring RADIUS Snooping feature guide. The RADIUS Snooping feature guide can be found at: https://extranet.enterasys.com/downloads.

Enterasys switch products support the configuration of up to three simultaneous authentication methods per user, with a single authentication method applied based upon MultiAuth authentication precedence.

Why Would I Use It in My Network?


Network resources represent a major capital investment for your organization and can be vulnerable to both undesired resource usage and malicious intent from outside users. Authentication provides you with a user validation function which assures that the supplicant requesting access has the right to do so and is a known entity. To the degree a supplicant is not a known entity, access can be denied or granted on a limited basis. The ability of authentication to both validate a user's identity and define the resources available to the user assures that valuable network resources are being used for the purposes intended by the network administrator.

How Can I Implement User Authentication?


Take the following steps to implement user authentication:
1. Determine the types of devices to be authenticated.
2. Determine the correct authentication type for each device.
3. Determine an appropriate policy best suited for the use of that device on your network.
4. Configure RADIUS user accounts on the authentication server for each device.
5. Configure user authentication.

Authentication Overview
Note: See the Enterasys Matrix X Core Router Configuration Guide for X-Series switch authentication configuration information.

For information about...                              Refer to page...
IEEE 802.1x Using EAP                                 3
MAC-Based Authentication (MAC)                        3
Port Web Authentication (PWA)                         3
Convergence End Point (CEP)                           4
Multi-User And MultiAuth Authentication               4
Remote Authentication Dial-In Service (RADIUS)        8


IEEE 802.1x Using EAP


The IEEE 802.1x port-based access control standard allows you to authenticate and authorize user access to the network at the port level. Access to the switch ports is centrally controlled from an authentication server using RADIUS. The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides the means for communicating the authentication information. There are three supported types of EAP:
• MD5: EAP-MD5 is a challenge-handshake protocol over EAP that authenticates the user with a normal username and password.
• TLS: EAP-TLS provides a transport layer security based upon the presentation and acceptance of digital certificates between the supplicant and the authentication server.
• Protected: Protected Extensible Authentication Protocol (PEAP) optionally authenticates the authentication server to the client using an X.509 certificate using a TLS tunnel, after which the client authentication credentials are exchanged.

All Enterasys platforms support IEEE 802.1x, which protects against unauthorized access to a network, DoS attacks, theft of services and defacement of corporate web pages. 802.1x configuration consists of setting port, global 802.1x parameters, and RADIUS parameters on the switches to point the switch to the authentication server. The Filter-ID RADIUS attribute can be configured on the authentication server to direct dynamic policy assignment on the switch to the 802.1x authenticating end system.

MAC-Based Authentication (MAC)


MAC-based authentication (MAC) authenticates a device using the source MAC address of received packets. The authenticator sends the authentication server a source MAC address as the username and a password that you configure on the switch. If the authentication server receives valid credentials from the switch, RADIUS returns an Accept message to the switch. MAC authentication enables switches to authenticate end systems, such as printers and camcorder devices that do not support 802.1x or web authentication. Since MAC-based authentication authenticates the device, not the user, and is subject to MAC address spoofing attacks, it should not be considered a secure authentication method. However, it does provide a level of authentication for a device where otherwise none would be possible. The modular switch, stackable fixed switch, and standalone fixed switch devices support MAC-based authentication.

Port Web Authentication (PWA)


Port Web Authentication (PWA) authenticates a user by utilizing a web browser for the login process to authenticate to the network. To log in using PWA, a user opens the web browser requesting a URL that either directly accesses the PWA login page or is automatically redirected to the login page. At the PWA login page, the user enters a login username and password. On the switch, either the Challenge Handshake Authentication Protocol (CHAP) or the Password Authentication Protocol (PAP) verifies the username and password credentials provided to the authentication server. If the credentials are validated, the authentication server returns a RADIUS Accept message, optionally containing Filter-ID or tunnel attributes, to the switch.

PAP uses an unencrypted password. CHAP uses the password to generate a digest that is transmitted to the authentication server. If RADIUS determines that the digest matches the digest generated on the authentication server, access is granted. The acceptance message back to the switch can contain any Filter-ID attribute configured on the authentication server, allowing policy to be applied for the authenticating user.

PWA enhanced mode is supported. PWA enhanced mode allows a user on an unauthenticated PWA port to enter any URL into the browser and be presented the PWA login page on their initial web access. When enhanced mode is disabled, a user must enter the correct URL to access login. The modular switches, B-Series and C-Series stackable fixed switches, and the standalone fixed switches support PWA.


Note: For stackable fixed switches and standalone fixed switches:
• One user per PWA-configured port can be authenticated
• PWA authentication supports RFC 3580 VLAN authorization on B3, B5, C3, C5, and G3 devices

Convergence End Point (CEP)


CEP detects an IP telephony or video device on a port and dynamically applies a specific policy to the port. The switch detects a convergence end point by inspecting received packets for specific traffic attributes. CEP does not require a RADIUS configuration. The CEP implementation supports the following detection methods:
• Cisco Phone Detection: the firmware parses a Cisco Discovery Protocol (CDP) packet to identify the phone type. If it was sent by an IP phone, the firmware uses the phone type. A response is sent back to the phone, verifying authentication.
• Siemens HiPath Phone Detection: TCP/UDP port number snooping is used. Port 4060 is the default port for communication.
• H.323 Phone Detection: TCP/UDP port number snooping and reserved IP address snooping are used. Ports 1718-1720 and IP address 224.0.1.41 are the default values.
• Session Initiation Protocol (SIP) Phone Detection: TCP/UDP port number snooping and reserved IP address snooping are used. Port 5060 and IP address 224.0.1.75 are the default values.

The modular switches support CEP.

Multi-User And MultiAuth Authentication


This section will discuss multi-user and MultiAuth authentication. Multi-user and MultiAuth are separate concepts. The primary difference between the two is as follows:
• Multi-user authentication refers to the ability to authenticate multiple users and devices on the same port, with each user or device being provided the appropriate level of network resources based upon policy.
• MultiAuth authentication refers to the ability of a single or multiple user(s), device(s), or port(s) to successfully authenticate using multiple authentication methods at the same time, such as 802.1x, PWA, and MAC, with precedence determining which authentication method is actually applied to that user, device, or port.


Multi-User Authentication
Multi-user authentication provides for the per-user or per-device provisioning of network resources when authenticating. It supports the ability to receive from the authentication server:
• A policy traffic profile, based on the user account's RADIUS Filter-ID configuration
• A base VLAN-ID, based on the RFC 3580 tunnel attributes configuration, also known as dynamic VLAN assignment

When a single supplicant connected to an access layer port authenticates, a policy profile can be dynamically applied to all traffic on the port. When multi-user authentication is not implemented, and more than one supplicant is connected to a port, firmware does not provision network resources on a per-user or per-device basis. Different users or devices may require a different set of network resources. The firmware tracks the source MAC address for each authenticating user regardless of the authenticating protocol being used. Provisioning network resources on a per-user basis is accomplished by applying the policy configured in the RADIUS Filter-ID, or the base VLAN-ID configured in the RFC 3580 tunnel attributes, for a given user's MAC address. The RADIUS Filter-ID and tunnel attributes are part of the RADIUS user account and are included in the RADIUS Accept message response from the authentication server.

The number of allowed users per port can be configured using the set multiauth port numusers command. The show multiauth port command displays both the allowed number of users configured and the maximum number of users supported per port for the device. The allowed number of users defaults to the maximum number of supported users for the port for a modular switch platform and to 1 for the stackable fixed switch and standalone fixed switch platforms.
Note: Multi-user authentication on stackable fixed switch and standalone fixed switch platforms requires that the switch be the point of authentication, in order to apply policy.

In Figure 1 each user on port ge.1.5 sends an authentication request to the RADIUS server. Based upon the Source MAC address (SMAC), RADIUS looks up the account for that user and includes the Filter-ID associated with that account in the authentication response back to the switch (see section The RADIUS Filter-ID on page 9 for Filter-ID information). The policy specified in the Filter-ID is then applied to the user. See section RFC 3580 on page 10 for information on dynamic VLAN assignment and tunnel attribute configuration.


Figure 1 Applying Policy to Multiple Users on a Single Port

[Figure: User 1 (SMAC 00-00-00-11-11-11), User 2 (SMAC 00-00-00-22-22-22) and User 3 (SMAC 00-00-00-33-33-33) are connected to port ge.1.5. Each user's authentication credentials are carried in an Authentication Request from the switch to the RADIUS server, and the Authentication Response returns User1 Filter ID --> Policy X, User2 Filter ID --> Policy Y, User3 Filter ID --> Policy Z. The switch installs a dynamic admin rule per user: Policy 1 for SMAC 00-00-00-11-11-11 on ge.1.5, Policy 2 for SMAC 00-00-00-22-22-22 on ge.1.5, Policy 3 for SMAC 00-00-00-33-33-33 on ge.1.5.]

MultiAuth Authentication
Authentication mode support provides for the global setting of a single authentication mode 802.1X (strict mode) or multiple modes (MultiAuth) per user or port when authenticating. Strict mode is the appropriate mode when authenticating a single 802.1X user. All traffic on the port receives the same policy in strict mode. When authenticating PWA, CEP, or MAC, you must use MultiAuth authentication, whether authenticating a single or multiple supplicants.

MultiAuth authentication supports the simultaneous configuration of up to three authentication methods per user on the same port, but only one method per user is actually applied. When MultiAuth authentication ports have a combination of authentication methods enabled, and a user is successfully authenticated for more than one method at the same time, the configured authentication method precedence will determine which RADIUS-returned Filter-ID will be processed and result in an applied traffic policy profile. See Setting MultiAuth Authentication Precedence on page 21 for authentication method precedence details.

The number of users or devices MultiAuth authentication supports depends upon the type of device, whether the ports are fixed access or uplink, and whether increased port capacity or extra chassis user capacity MUA licenses have been applied. See the firmware customer release note that comes with your device for details on the number of users or devices supported per port.

In Figure 2, multiple users are authenticated on a single port each with a different authentication method. In this case, each user on a single port successfully authenticates with a different authentication type. The authentication method is included in the authentication credentials sent to the RADIUS server. RADIUS looks up the user account for that user based upon the SMAC. The Filter-ID for that user is returned to the switch in the authentication response, and the authentication is validated for that user.


Figure 2 Authenticating Multiple Users With Different Methods on a Single Port

[Figure: on one port, User 1 (SMAC 00-00-00-11-11-11) authenticates with 802.1x, User 2 (SMAC 00-00-00-22-22-22) with PWA, and User 3 (SMAC 00-00-00-33-33-33) with MAC. The switch's MAU Logic (802.1X, PWA, MAC, CEP) sends User 1: 802.1X Authentication Credentials, User 2: PWA Authentication Credentials and User 3: MAC Authentication Credentials to the RADIUS server, which returns User1 Filter ID --> Policy Y, User2 Filter ID --> Policy X, User3 Filter ID --> Policy Z.]

In Figure 3, full MultiAuth authentication takes place in that multiple users on a single port are validated for more than one authentication method. The applied authentication and policy are based upon the authentication method precedence level. On the far right column of the figure, the authentication methods are listed from top to bottom in order of precedence (the default order is displayed). User 1 is authenticating with both the 802.1x and PWA methods, with the Credit policy. Both the 802.1x and PWA authentication methods are validated, but only the 802.1x MultiAuth session is applied, because that has the highest precedence. User 2 is authenticating with both PWA and MAC methods, with the Sales policy. PWA, having a higher precedence than MAC, is the MultiAuth session applied for User 2. User 3 is a guest and is authenticating with the MAC method only. The MAC MultiAuth session, with the Guest policy, is applied for User 3.


Figure 3 Selecting Authentication Method When Multiple Methods are Validated

[Figure: Users 1, 2 and 3 (identified by SMAC) are on Port X. The Auth. Agent's MAU Logic lists the methods in precedence order 802.1X, PWA, MAC, CEP, and the policy roles are Credit, Sales and Guest. MultiAuth sessions held by the switch:
<User 1, 802.1x, Authenticated, PID=Credit, Applied>
<User 1, PWA, Authenticated, PID=Credit, Not Applied>
<User 1, MAC, Authenticated, PID=Guest, Not Applied>
<User 2, PWA, Authenticated, PID=Sales, Applied>
<User 2, MAC, Authenticated, PID=Guest, Not Applied>
<User 3, MAC, Authenticated, PID=Guest, Applied>]
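The session-selection rule behind Figure 3, as an added example (not Enterasys firmware code): every authenticated session for a user is kept, but only the one whose method ranks highest in the configured precedence is marked Applied. The session records and SMAC values are constructed here; the default order 802.1x, PWA, MAC, CEP comes from the text.

```python
"""Select the applied MultiAuth session per user when several authentication
methods are validated at once, using method precedence (default order
802.1x > PWA > MAC > CEP, as configurable with set multiauth precedence)."""
from collections import defaultdict

DEFAULT_PRECEDENCE = ("802.1x", "PWA", "MAC", "CEP")   # high to low


def apply_precedence(sessions, precedence=DEFAULT_PRECEDENCE):
    """Mark exactly one authenticated session per SMAC as applied.

    `sessions` is a list of dicts with keys smac, method, authenticated and pid
    (the policy the Filter-ID resolved to). Returns a copy of the list with an
    'applied' flag on each session; a session that is not authenticated is
    never applied, and a user with no authenticated session gets nothing applied.
    """
    rank = {method: i for i, method in enumerate(precedence)}
    unknown = {s["method"] for s in sessions} - set(rank)
    if unknown:
        raise ValueError("method(s) missing from precedence list: %s" % sorted(unknown))
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["smac"]].append(s)
    result = []
    for user_sessions in by_user.values():
        valid = [s for s in user_sessions if s["authenticated"]]
        # lowest rank index = highest precedence
        winner = min(valid, key=lambda s: rank[s["method"]]) if valid else None
        for s in user_sessions:
            result.append(dict(s, applied=(s is winner)))
    return result


def applied_policy(sessions, smac, precedence=DEFAULT_PRECEDENCE):
    """Return the PID applied for `smac`, or None when no session is applied."""
    for s in apply_precedence(sessions, precedence):
        if s["smac"] == smac and s["applied"]:
            return s["pid"]
    return None


# Constructed sample reproducing the session table of Figure 3; the SMACs are
# illustrative placeholders, not values from the guide's Figure 3.
FIGURE_3_SESSIONS = [
    {"smac": "00-00-00-11-11-11", "method": "802.1x", "authenticated": True, "pid": "Credit"},
    {"smac": "00-00-00-11-11-11", "method": "PWA", "authenticated": True, "pid": "Credit"},
    {"smac": "00-00-00-11-11-11", "method": "MAC", "authenticated": True, "pid": "Guest"},
    {"smac": "00-00-00-22-22-22", "method": "PWA", "authenticated": True, "pid": "Sales"},
    {"smac": "00-00-00-22-22-22", "method": "MAC", "authenticated": True, "pid": "Guest"},
    {"smac": "00-00-00-33-33-33", "method": "MAC", "authenticated": True, "pid": "Guest"},
]

if __name__ == "__main__":
    for s in apply_precedence(FIGURE_3_SESSIONS):
        print("<%s, %s, PID=%s, %s>" % (s["smac"], s["method"], s["pid"],
                                          "Applied" if s["applied"] else "Not Applied"))
```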

Remote Authentication Dial-In Service (RADIUS)


This section provides details for the configuration of RADIUS and RFC 3580 attributes.

For information about...          Refer to page...
How RADIUS Data Is Used           9
The RADIUS Filter-ID              9
RFC 3580                          10
Policy Maptable Response          12

The Remote Authentication Dial-In User Service (RADIUS) is an extensible protocol used to carry authentication and authorization information between the switch and the Authentication Server (AS). RADIUS is used by the switch for communicating supplicant-supplied credentials to the authentication server and the authentication response from the authentication server back to the switch. This information exchange occurs over the link layer protocol.

The switch acts as a client to RADIUS using UDP port 1812 by default (configurable in the set radius command). The authentication server contains a database of valid supplicant user accounts with their corresponding credentials. The authentication server checks that the information received from the switch is correct, using authentication schemes such as PAP, CHAP, or EAP. The authentication server returns an Accept or Reject message to the switch based on the credential validation performed by RADIUS. The implementation provides enhanced network security by using a shared secret and MD5 password encryption.


Required authentication credentials depend upon the authentication method being used. For 802.1x and PWA authentication, the switch sends username and password credentials to the authentication server. For MAC authentication, the switch sends the device MAC address and a password configured on the switch to the authentication server. The authentication server verifies the credentials and returns an Accept or Reject message back to the switch.

How RADIUS Data Is Used


The Enterasys switch bases its decision to open the port and apply a policy or close the port based on the RADIUS message, the port's default policy, and unauthenticated behavior configuration.

RADIUS provides accounting functionality by way of accounting packets from the switch to the RADIUS server, for such session statistics as start and end, total packets, and session end reason events. This data can be used for both billing and network monitoring purposes.

Additionally RADIUS is widely used by VoIP service providers. It is used to pass login credentials of a SIP end point (like a broadband phone) to a SIP Registrar using digest authentication, and then to the authentication server using RADIUS. Sometimes it is also used to collect call detail records (CDRs) later used, for instance, to bill customers for international long distance.

If you configure an authentication method that requires communication with an authentication server, you can use the RADIUS Filter-ID attribute to dynamically assign either a policy profile or management level to authenticating supplicants.

The RADIUS Filter-ID


The RADIUS Filter-ID attribute consists of a string that is formatted in the RADIUS Access-Accept packet sent back from the authentication server to the switch during the authentication process. Each user can be configured in the RADIUS server database with a RADIUS Filter-ID attribute that specifies the name of either a policy profile or management level the user should be assigned upon successful authentication. During the authentication process, when the authentication server returns a RADIUS Access-Accept packet that includes a Filter-ID matching a policy profile name configured on the switch, the switch then dynamically applies the policy profile to the physical port the supplicant is authenticating on.

The decorated Filter-ID supports a policy attribute, a management access attribute, or both in the following formats:

    Enterasys:version=1:policy=policyname
    Enterasys:version=1:mgmt=access-mgmtType
    Enterasys:version=1:mgmt=access-mgmtType:policy=policyname

policyname is the name of the policy to apply to this authentication.
access-mgmtTypes supported are: ro (read-only), rw (read-write), and su (super-user).

The undecorated Filter-ID supports the policy attribute only in the following format:

    policyname

The undecorated format is simply a string that specifies a policy profile name. The undecorated format cannot be used for management access authentication. Decorated Filter-IDs are processed first. If no decorated Filter-IDs are found, then undecorated Filter-IDs are processed. If multiple Filter-IDs are found that contain conflicting values, a Syslog message is generated.
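An added example (not Enterasys code) of a parser for the three decorated formats and the undecorated form, followed by the processing order just described: decorated Filter-IDs first, undecorated only when no decorated one is present, and a syslog-style message on conflicting values. The `syslog` callback and the choice to apply neither value of a conflicting field are assumptions of this example; the guide only states that a message is generated.

```python
"""Parse Enterasys decorated/undecorated RADIUS Filter-ID strings and resolve
the Filter-IDs of one Access-Accept into the policy profile and management
level to apply."""
import re

# Documented decorated formats, in the documented field order:
#   Enterasys:version=1:policy=<policyname>
#   Enterasys:version=1:mgmt=<ro|rw|su>
#   Enterasys:version=1:mgmt=<ro|rw|su>:policy=<policyname>
DECORATED = re.compile(
    r"^Enterasys:version=1(?::mgmt=(?P<mgmt>[^:]+))?(?::policy=(?P<policy>[^:]+))?$"
)
MGMT_TYPES = {"ro": "read-only", "rw": "read-write", "su": "super-user"}


def parse_filter_id(value):
    """Return (decorated, fields) for one Filter-ID string.

    fields holds 'policy' and/or 'mgmt'. An undecorated Filter-ID is the bare
    policy profile name and can never carry a management level. A string that
    starts with 'Enterasys:' but matches none of the documented formats is
    rejected instead of being silently treated as a policy name.
    """
    m = DECORATED.match(value)
    if m is None:
        if value.startswith("Enterasys:"):
            raise ValueError("malformed decorated Filter-ID: %r" % value)
        if not value:
            raise ValueError("empty Filter-ID")
        return False, {"policy": value}
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    if not fields:
        raise ValueError("decorated Filter-ID carries neither policy nor mgmt: %r" % value)
    if "mgmt" in fields and fields["mgmt"] not in MGMT_TYPES:
        raise ValueError("unsupported access-mgmtType %r (expected ro, rw or su)" % fields["mgmt"])
    return True, fields


def resolve_filter_ids(filter_ids, syslog=print):
    """Reduce all Filter-ID attributes of one Access-Accept to the values to apply.

    Decorated Filter-IDs are processed first; undecorated ones are consulted
    only when no decorated Filter-ID is present. Conflicting values for the
    same field produce a syslog message and (assumption of this example) the
    field is left unassigned.
    """
    decorated, undecorated = [], []
    for raw in filter_ids:
        is_decorated, fields = parse_filter_id(raw)
        (decorated if is_decorated else undecorated).append(fields)
    candidates = decorated or undecorated
    result = {"policy": None, "mgmt": None}
    for key in result:
        values = {f[key] for f in candidates if key in f}
        if len(values) > 1:
            syslog("Filter-ID conflict for %s: %s" % (key, ", ".join(sorted(values))))
        elif values:
            result[key] = values.pop()
    return result


if __name__ == "__main__":
    # Constructed Access-Accept carrying one decorated and one undecorated Filter-ID.
    print(resolve_filter_ids(["Guest", "Enterasys:version=1:mgmt=rw:policy=Sales"]))
```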


RFC 3580
Enterasys switches support the RFC 3580 RADIUS tunnel attribute for dynamic VLAN assignment. The VLAN-Tunnel-Attribute implements the provisioning of service in response to a successful authentication. On ports that do not support policy, the packet will be tagged with the VLAN ID. The VLAN-Tunnel-Attribute defines the base VLAN-ID to be applied to the user.

Dynamic VLAN Assignment


The RADIUS server may optionally include RADIUS tunnel attributes in a RADIUS Access-Accept message for dynamic VLAN assignment of the authenticated end system. RFC 3580's RADIUS tunnel attributes are often configured on a RADIUS server to dynamically assign users belonging to the same organizational group within an enterprise to the same VLAN, or to place all offending users according to the organization's security policy in a Quarantine VLAN. Tunnel attributes are deployed for enterprises that have end system authentication configured on the network. For example, all engineers can be dynamically assigned to the same VLAN upon authentication, while sales are assigned to another VLAN upon authentication.

The name of the feature on Enterasys platforms that implements dynamic VLAN assignment through the receipt of RADIUS tunnel attributes is VLAN authorization. VLAN authorization depends upon receipt of the RFC 3580 RADIUS tunnel attributes in RADIUS Access-Accept messages. VLAN authorization must be enabled globally and on a per-port basis for the Tunnel attributes to be processed. When disabled per port or globally, the device will not process Tunnel attributes.

The firmware supports VLAN authorization on the modular switches, stackable fixed switches, and standalone fixed switches.

By default, all policy-capable Enterasys platforms will dynamically assign a policy profile to the port of an authenticating user based on the receipt of the Filter-ID RADIUS attribute. This is not the case for RADIUS tunnel attributes in that, by default, VLAN authorization is disabled.

The N-Series, starting in firmware release 5.31.xx, the S-Series, and K-Series platforms support RFC 3580 RADIUS VLAN Tunnel attributes.

VLAN Authorization Attributes


Three Tunnel attributes are used for dynamic VLAN Authorization:
• Tunnel-Type attribute (Type=64, Length=6, Tag=0, Value=0x0D for VLAN)
• Tunnel-Medium-Type attribute (Type=65, Length=6, Tag=0, Value=0x06 for 802 media)
• Tunnel-Private-Group-ID attribute (Type=81, Length>=3, String=VID in ASCII)

The Tunnel-Type attribute indicates the tunneling protocol to be used when this attribute is formatted in RADIUS Access-Request messages, or the tunnel protocol in use when this attribute is formatted in RADIUS Access-Accept messages. Set Tunnel-Type attribute parameters as follows:
• Type: Set to 64 for Tunnel-Type RADIUS attribute
• Length: Set to 6 for six-byte length of this RADIUS attribute
• Tag: Provides a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are from 0x01 through 0x1F, inclusive. Set to 0 if unused. Unless alternative tunnel types are provided, it is only necessary for tunnel attributes to specify a single tunnel. As a result, where it is only desired to specify the VLAN ID, the tag field should be set to zero (0x00) in all tunnel attributes.
• Value: Indicates the type of tunnel. A value of 0x0D (decimal 13) indicates that the tunneling protocol is a VLAN.

Tunnel-Medium-Type indicates the transport medium to use when creating a tunnel for the tunneling protocol, determined from the Tunnel-Type attribute. Set Tunnel-Medium-Type attribute parameters as follows:
• Type: Set to 65 for Tunnel-Medium-Type RADIUS attribute
• Length: Set to 6 for six-byte length of this RADIUS attribute
• Tag: Provides a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. Set to 0 if unused. Unless alternative tunnel types are provided, it is only necessary for tunnel attributes to specify a single tunnel. As a result, where it is only desired to specify the VLAN ID, the tag field should be set to zero (0x00) in all tunnel attributes.
• Value: Indicates the type of tunnel. A value of 0x06 indicates that the tunneling medium pertains to 802 media (including Ethernet)

The Tunnel-Private-Group-ID attribute indicates the group ID for a particular tunneled session. Set the Tunnel-Private-Group-ID attribute parameters as follows:
• Type: Set to 81 for Tunnel-Private-Group-ID RADIUS attribute
• Length: Set to a value greater than or equal to 3.
• Tag: Provides a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are from 0x01 through 0x1F, inclusive. Set to 0 if unused. Unless alternative tunnel types are provided, it is only necessary for tunnel attributes to specify a single tunnel. As a result, where it is only desired to specify the VLAN ID, the tag field should be set to zero (0x00) in all tunnel attributes.
• String: Indicates the group. For the VLAN ID integer value, it is encoded as a string using ASCII. For example, the VLAN ID integer value 103 would be represented as 0x313033
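An added example (not Enterasys code) that builds the three tunnel attributes above as RADIUS Type/Length/Tag/Value TLVs and parses them back, accepting the VID only when the same tag group carries Tunnel-Type 0x0D and Tunnel-Medium-Type 0x06. The byte layout follows the Type, Length and Tag values given in this section; the tag-grouping rule for a leading byte of 0x00..0x1F is the RFC 2868 convention.

```python
"""Encode and decode the RFC 3580 VLAN tunnel attributes
(Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81)."""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 0x0D        # decimal 13: tunneling protocol is a VLAN
TUNNEL_MEDIUM_802 = 0x06       # 802 media, including Ethernet
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def build_vlan_tunnel_attributes(vid, tag=0):
    """Return the three attributes, concatenated, announcing VLAN `vid`.

    Tunnel-Type and Tunnel-Medium-Type carry a 3-byte value after the tag
    byte, so their Length is 6. Tunnel-Private-Group-ID carries the VID as a
    decimal ASCII string after the tag byte, so its Length is 3 + len(digits);
    for VID 103 the string is 0x31 0x30 0x33.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (unused) or 0x01..0x1F")
    vid_ascii = str(vid).encode("ascii")
    ttype = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    tmedium = struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_802.to_bytes(3, "big")
    tgroup = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(vid_ascii), tag) + vid_ascii
    return ttype + tmedium + tgroup


def iter_attributes(data):
    """Yield (type, value_bytes) for each RADIUS TLV in `data`, rejecting
    truncated or undersized attributes instead of reading past the buffer."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        yield atype, data[off + 2:off + alen]
        off += alen


def vlan_from_tunnel_attributes(data):
    """Return the VLAN ID carried by a consistent set of tunnel attributes,
    or None when no tag group describes a VLAN over 802 media.

    Attributes are grouped by tag; a leading byte above 0x1F means the
    attribute is untagged and belongs to group 0. Non-tunnel attributes
    (for example a Filter-ID in the same Access-Accept) are skipped.
    """
    groups = {}
    for atype, value in iter_attributes(data):
        if atype not in TUNNEL_ATTRS:
            continue
        if not value:
            raise ValueError("empty tunnel attribute %d" % atype)
        tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
        groups.setdefault(tag, {})[atype] = body
    for tag in sorted(groups):
        attrs = groups[tag]
        if any(a not in attrs for a in TUNNEL_ATTRS):
            continue                                    # incomplete group
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue                                    # not a VLAN tunnel
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_802:
            continue                                    # not 802 media
        text = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
        if not text.isdigit():
            raise ValueError("Tunnel-Private-Group-ID %r is not a decimal VID" % text)
        vid = int(text)
        if 1 <= vid <= 4094:
            return vid
    return None


if __name__ == "__main__":
    encoded = build_vlan_tunnel_attributes(103)      # constructed sample, VID 103
    print(encoded.hex())                              # 40060000000d410600000006510600313033
    print(vlan_from_tunnel_attributes(encoded))       # 103
```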

VLAN Authorization Considerations


VLAN Authorization poses some operational and management issues on the network.
• A VLAN is not a security container. It is a broadcast container and used to segment broadcast traffic on the network. ACLs implemented at the layer 3 routed interface for a VLAN only provide access control for traffic into and out of the VLAN. No access control mechanism for intra-VLAN communications exists, therefore users within the VLAN are not protected from each other. Malicious traffic allowed onto a VLAN can potentially infect all traffic on the VLAN. Such an infection can consume valuable hardware resources on the infrastructure, such as CPU cycles and memory. Infections can be transmitted to other hosts within the VLAN and to the layer 3 routed boundary. This leads to the direct competition of malicious traffic with business critical traffic on the network.
• End-To-End QoS cannot be truly guaranteed if QoS is implemented at the layer 3 routed interface for a network where business critical applications are classified and prioritized.
• If VLANs are implemented to group together users that are members of the same organizational group, then a VLAN must be configured everywhere in the network topology where a member of that organizational unit may connect to the network. For example, if an engineer may connect to the network from any location, then the Engineering VLAN must be configured on all access layer devices in the network. These VLAN configurations lead to overextended broadcast domains as well as added configuration complexity in the network topology.
• A problem with moving an end system to a new VLAN is that the end system must be issued an IP address on the new VLAN's subnet to which it has become a member. If the end system does not yet have an IP address, this is not usually a problem. However, if the end system has an IP address, the lease of the address must time out before it attempts to obtain a new address, which may take some time. The IP address assignment process, implemented by DHCP, and the authentication process are not conjoined on the end system. Therefore, this leads to end systems possessing an invalid IP address after dynamic VLAN Authorization and lost IP connectivity until its current IP address times out. Furthermore, when a new IP address is eventually assigned to the end system, IP connectivity is disrupted for all applications on the end system.

Policy Maptable Response


The policy maptable response, or conflict resolution, feature allows you to define how the system should handle allowing an authenticated user onto a port based on the contents of the RADIUS Accept message reply. There are three possible response settings: tunnel mode, policy mode, or both tunnel and policy, also known as hybrid authentication mode.

When the maptable response is set to tunnel mode, the system will use the tunnel attributes in the RADIUS reply to apply a VLAN to the authenticating user and will ignore any Filter-ID attributes in the RADIUS reply. When tunnel mode is configured, VLAN-to-policy mapping can occur if configured on a modular switch platform. VLAN-to-policy mapping will not occur in tunnel mode on a stackable fixed switch or standalone fixed switch platform.

When the maptable response is set to policy mode, the system will use the Filter-ID attributes in the RADIUS reply to apply a policy to the authenticating user and will ignore any tunnel attributes in the RADIUS reply. When policy mode is configured, no VLAN-to-policy mapping will occur.

When the maptable response is set to both, or hybrid authentication mode, both Filter-ID attributes (dynamic policy assignment) and tunnel attributes (dynamic VLAN assignment) sent in RADIUS Accept message replies are used to determine how the switch should handle authenticating users. When hybrid authentication mode is configured, VLAN-to-policy mapping can occur, as described below in When Policy Maptable Response is Both.
Note: Hybrid authentication is supported by modular switch devices, B-Series and C-Series stackable fixed switches and the G3 device for Releases 6.3 and greater.

Using hybrid authentication mode eliminates the dependency on having to assign VLANs through policy roles: VLANs can be assigned by means of the tunnel attributes while policy roles can be assigned by means of the Filter-ID attributes. Alternatively, on modular switch platforms, VLAN-to-policy mapping can be used to map policies to users using the VLAN specified by the tunnel attributes, without having to configure Filter-ID attributes on the RADIUS server. This separation gives administrators more flexibility in segmenting their networks beyond the platform's policy role limits.

When Policy Maptable Response is Both


Hybrid authentication mode uses both Filter-ID attributes and tunnel attributes. To enable hybrid authentication mode, use the set policy maptable command and set the response parameter to both. When configured to use both sets of attributes:
• If both the Filter-ID and tunnel attributes are present in the RADIUS reply, then the policy profile specified by the Filter-ID is applied to the authenticating user, and if VLAN authorization is enabled globally and on the authenticating user's port, the VLAN specified by the tunnel attributes is applied to the authenticating user. If VLAN authorization is not enabled, the VLAN specified by the policy profile is applied. See RFC 3580 on page 10 for information about VLAN authorization.
• If the Filter-ID attributes are present but the tunnel attributes are not present, the policy profile specified by the Filter-ID is applied, along with the VLAN specified by the policy profile.
• If the tunnel attributes are present but the Filter-ID attributes are not present, and if VLAN authorization is enabled globally and on the authenticating user's port, then the switch will check the VLAN-to-policy mapping table (configured with the set policy maptable command):
  - If an entry mapping the received VLAN ID to a policy profile is found, then that policy profile, along with the VLAN specified by the policy profile, will be applied to the authenticating user.
  - If no matching mapping table entry is found, the VLAN specified by the tunnel attributes will be applied to the authenticating user.
  - If the VLAN-to-policy mapping table is invalid, then the etsysPolicyRFC3580MapInvalidMapping MIB is incremented and the VLAN specified by the tunnel attributes will be applied to the authenticating user.
  If VLAN authorization is not enabled, the tunnel attributes are ignored.

When Policy Maptable Response is Profile


When the switch is configured to use only Filter-ID attributes, by setting the set policy maptable command response parameter to policy:
• If the Filter-ID attributes are present, the specified policy profile will be applied to the authenticating user. If no Filter-ID attributes are present, the default policy (if it exists) will be applied.
• If the tunnel attributes are present, they are ignored. No VLAN-to-policy mapping will occur.

When Policy Maptable Response is Tunnel


When the switch is configured to use only tunnel attributes, by setting the set policy maptable command response parameter to tunnel, and if VLAN authorization is enabled both globally and on the authenticating user's port:
• If the tunnel attributes are present, the specified VLAN will be applied to the authenticating user. VLAN-to-policy mapping can occur on a modular switch platform; VLAN-to-policy mapping will not occur on a stackable fixed switch or standalone fixed switch platform.
• If the tunnel attributes are not present, the default policy VLAN will be applied; if the default policy VLAN is not configured, the port VLAN will be applied.
• If the Filter-ID attributes are present, they are ignored.

If VLAN authorization is not enabled, the user will be allowed onto the port with the default policy, if it exists. If no default policy exists, the port VLAN will be applied.
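The decision rules of the three maptable response modes (both, policy, tunnel) collected into one function, as an added example that is not Enterasys firmware code. The `SwitchConfig` fields, the `Decision` result, the integer counter standing in for the etsysPolicyRFC3580MapInvalidMapping MIB, and two gap-fillers marked in comments (an unknown Filter-ID profile name is treated as absent; hybrid mode with neither attribute usable falls back to the default policy or port VLAN) are assumptions of this example.

```python
"""Decide which policy profile and VLAN to apply to an authenticating user for
each `set policy maptable ... response` setting: both (hybrid), policy, tunnel."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SwitchConfig:
    response: str                                   # "both", "policy" or "tunnel"
    vlan_auth_global: bool = False                  # VLAN authorization, global setting
    vlan_auth_port: bool = False                    # VLAN authorization on the user's port
    modular: bool = True                            # modular platform (False = fixed switch)
    profiles: Dict[str, int] = field(default_factory=dict)   # policy profile -> its VLAN
    vlan_to_policy: Optional[Dict[int, str]] = field(default_factory=dict)  # None = invalid table
    default_policy: Optional[str] = None
    port_vlan: int = 1
    invalid_mapping_count: int = 0                  # stands in for the MIB counter (assumption)


@dataclass
class Decision:
    policy: Optional[str]                           # policy profile applied, if any
    vlan: Optional[int]                             # VLAN applied to the user


def _vlan_auth(cfg):
    return cfg.vlan_auth_global and cfg.vlan_auth_port


def _map_tunnel_vlan(cfg, tunnel_vlan):
    """VLAN-to-policy mapping for a tunnel VLAN received without a Filter-ID."""
    if cfg.vlan_to_policy is None:
        cfg.invalid_mapping_count += 1              # invalid table: count it, keep tunnel VLAN
        return Decision(None, tunnel_vlan)
    policy = cfg.vlan_to_policy.get(tunnel_vlan)
    if policy is not None and policy in cfg.profiles:
        return Decision(policy, cfg.profiles[policy])   # mapped profile with its own VLAN
    return Decision(None, tunnel_vlan)              # no entry: tunnel VLAN as received


def _default(cfg):
    """Default policy (and its VLAN) if it exists, otherwise the port VLAN."""
    if cfg.default_policy is not None and cfg.default_policy in cfg.profiles:
        return Decision(cfg.default_policy, cfg.profiles[cfg.default_policy])
    return Decision(None, cfg.port_vlan)


def decide(cfg, filter_id_policy=None, tunnel_vlan=None):
    """Return the Decision for one Access-Accept carrying an optional Filter-ID
    policy name and an optional RFC 3580 tunnel VLAN."""
    if filter_id_policy is not None and filter_id_policy not in cfg.profiles:
        filter_id_policy = None   # name matches no configured profile: treat as absent (assumption)

    if cfg.response == "policy":
        # Tunnel attributes are ignored and no VLAN-to-policy mapping occurs.
        if filter_id_policy is not None:
            return Decision(filter_id_policy, cfg.profiles[filter_id_policy])
        return _default(cfg)

    if cfg.response == "tunnel":
        # Filter-ID attributes are ignored.
        if not _vlan_auth(cfg) or tunnel_vlan is None:
            return _default(cfg)
        if cfg.modular:
            return _map_tunnel_vlan(cfg, tunnel_vlan)   # mapping only on modular platforms
        return Decision(None, tunnel_vlan)

    if cfg.response == "both":
        if filter_id_policy is not None:
            if tunnel_vlan is not None and _vlan_auth(cfg):
                return Decision(filter_id_policy, tunnel_vlan)          # policy from Filter-ID, VLAN from tunnel
            return Decision(filter_id_policy, cfg.profiles[filter_id_policy])  # VLAN from the profile
        if tunnel_vlan is not None and _vlan_auth(cfg):
            return _map_tunnel_vlan(cfg, tunnel_vlan)
        # Neither attribute usable (tunnel ignored or absent): fall back to the
        # default policy / port VLAN. Assumption; the guide does not state this case.
        return _default(cfg)

    raise ValueError("unknown maptable response %r" % cfg.response)


if __name__ == "__main__":
    # Constructed configuration: hybrid mode, VLAN authorization on, VLAN 30 mapped to Sales.
    cfg = SwitchConfig("both", True, True, True, {"Sales": 20, "Guest": 99}, {30: "Sales"})
    print(decide(cfg, "Guest", 30))   # Decision(policy='Guest', vlan=30)
    print(decide(cfg, None, 30))      # Decision(policy='Sales', vlan=20)
```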


Configuring Authentication
This section provides details for the configuration of authentication methods, MultiAuth and RADIUS.

For information about...                        Refer to page...
Configuring IEEE 802.1x                         16
Configuring MAC-based Authentication            17
Configuring Port Web Authentication (PWA)       18
Configuring Convergence End Point (CEP)         19
Configuring MultiAuth Authentication            21
Configuring RADIUS                              26

Table 1 lists Authentication parameters and their default values.

Table 1  Default Authentication Parameters

Parameter: cep port
  Description: Enables or disables CEP for the specified port.
  Default Value: Disabled.

Parameter: dot1x
  Description: Enables and disables 802.1x authentication both globally and per port.
  Default Value: Globally: Disabled. Per Port: Enabled.

Parameter: dot1x authconfig
  Description: Configures 802.1x authentication.
  Default Value: auto - auto authorization mode.

Parameter: macauthentication
  Description: Globally enables or disables MAC authentication on a device.
  Default Value: Disabled.

Parameter: macauthentication authallocated
  Description: Sets the number of MAC authentication sessions supported on the specified port.
  Default Value: Based upon the device and license. See the firmware release notes for your device.

Parameter: macauthentication port
  Description: Enables or disables MAC authentication on a port.
  Default Value: Disabled.

Parameter: MultiAuth idle-timeout
  Description: Specifies the period length for which no traffic is received before a MultiAuth session is set to idle.
  Default Value: 300 seconds.

Parameter: MultiAuth mode
  Description: Globally sets MultiAuth for this device.
  Default Value: strict - authentication limited to 802.1x for a single user on a port.

Parameter: MultiAuth port mode
  Description: Specifies the MultiAuth port mode to use for the specified port.
  Default Value: auth-opt - Authentication is optional based upon global and port configuration.

Parameter: MultiAuth precedence
  Description: Specifies the authentication mode to use when multiple authentication types are successfully authenticated.
  Default Value: Precedence from high to low: 802.1x, PWA, MAC, CEP.

Parameter: MultiAuth session-timeout
  Description: Specifies the maximum amount of time a session can live.
  Default Value: 0 - no timeout in effect.

Parameter: pwa
  Description: Globally enables or disables PWA authentication.
  Default Value: Disabled.

Parameter: pwa enhancemode
  Description: Allows a user on an un-authenticated port to enter any URL in the browser to access the login page.
  Default Value: Disabled.

Parameter: radius
  Description: Enables or disables RADIUS on this device.
  Default Value: Disabled.

Parameter: radius accounting
  Description: Enables or disables RADIUS accounting for this device.
  Default Value: Disabled.

Parameter: radius accounting intervalminimum
  Description: Specifies the minimum interval before sending updates for RADIUS accounting.
  Default Value: 600 seconds.

Parameter: radius accounting retries
  Description: Specifies the number of times a switch will attempt to contact an authentication server for RADIUS accounting that is not responding.
  Default Value: 2.

Parameter: radius accounting timeout
  Description: Specifies the amount of time for a switch to make contact with a RADIUS server.
  Default Value: 5 seconds.

Parameter: radius accounting updateinterval
  Description: Specifies the minimum interval between interim updates for RADIUS accounting.
  Default Value: 1800 seconds.

Parameter: radius retries
  Description: Specifies the number of times a switch will try to establish with the authentication server.
  Default Value: 3.

Parameter: radius timeout
  Description: Specifies the amount of time a switch will wait to receive a response from the authentication server before sending another request.
  Default Value: 20 seconds.

Parameter: realm
  Description: Specifies authentication server configuration scope.
  Default Value: Both: management-access and network-access.

Parameter: VLAN authorization
  Description: Enables or disables VLAN authorization globally and per port.
  Default Value: Globally: Disabled. Per Port: Enabled.

Parameter: VLAN egress format
  Description: Determines whether dynamic VLAN tagging will be none, tagged, untagged, or dynamic for an egress frame.
  Default Value: Untagged.


Configuring IEEE 802.1x


Configuring IEEE 802.1x on an authenticator switch port consists of:
- Setting the authentication mode globally and per port
- Configuring optional authentication port parameters globally and per port
- Globally enabling 802.1x authentication for the switch

Procedure 1 describes how to configure IEEE 802.1x on an authenticator switch port. Unspecified parameters use their default values.

Procedure 1  IEEE 802.1x Configuration

Step 1. Set the IEEE 802.1x authentication mode both globally and per port:
  - Auto - The switch will only forward authenticated frames.
  - Forced-auth - 802.1x authentication is effectively disabled for this port. All received frames are forwarded.
  - Forced-unauth - 802.1x authentication is effectively disabled on the port. If 802.1x is the only authentication method on the port, all frames are dropped.
  Note: Before enabling 802.1x authentication on the switch, you must set the authentication mode of ports that will not be participating in 802.1x authentication to forced-authorized to assure that frames will be forwarded on these ports. Examples of this kind of port are connections between switches and connections between a switch and a router. The setting of dot1x options other than authcontrolled-portcontrol is optional.
  Command(s): set dot1x auth-config {[authcontrolled-portcontrol {auto | forced-auth | forced-unauth}] [keytxenabled {false | true}] [maxreq value] [quietperiod value] [reauthenabled {false | true}] [reauthperiod value] [servertimeout timeout] [supptimeout timeout] [txperiod value]} [port-string]

Step 2. Display the access entity index values. Ports used to authenticate and authorize supplicants utilize access entities that maintain entity state, counters, and statistics for an individual supplicant. You need to know the index value associated with a single entity to enable, disable, initialize, or reauthenticate a single entity.
  Command(s): show dot1x auth-session-stats

Step 3. Enable EAP on the stackable fixed switch or standalone fixed switch. EAP is enabled on the modular switch when enabling IEEE 802.1x. See Step 4.
  Command(s): set eapol [enable | disable] [auth-mode {auto | forced-auth | forced-unauth} port-string]

Step 4. Enable IEEE 802.1x globally on the switch. Ports default to enabled.
  Command(s): set dot1x {enable | disable}

Step 5. If an entity deactivates because the supplicant logs off, cannot authenticate, or the supplicant or its associated policy settings are no longer valid, you can reinitialize the deactivated access entity. If necessary, reinitialize the specified entity.
  Command(s): set dot1x init [port-string] [index index-list]

Step 6. If the authentication for a supplicant times out or is lost for any reason, you can reauthenticate that supplicant. If necessary, reauthenticate the specified entity.
  Command(s): set dot1x reauth [port-string] [index index-list]

Step 7. Display the IEEE 802.1x configuration.
  Command(s): show dot1x auth-config

Configuring MAC-based Authentication

Configuring MAC-based authentication on a switch consists of:
- Setting the global MAC authentication password for the switch
- Optionally setting the number of MAC authentication sessions allowed on a port
- Enabling MAC authentication on a port
- Enabling MAC authentication globally
- Setting the authentication mode to multi
- Optionally reinitializing or reauthenticating existing sessions

Procedure 2 describes how to configure MAC-based authentication. Unspecified parameters use their default values.

Procedure 2  MAC-Based Authentication Configuration

Step 1. Optionally set or clear a global password on the switch.
  Command(s): set macauthentication password password
              clear macauthentication password password

Step 2. Set or clear the number of MAC authentication sessions supported on a port. The modular switch platform allows for the setting of the number of MAC authentication sessions supported on a port.
  Command(s): set macauthentication authallocated number port-string

Step 3. Enable or disable MAC authentication on a port. By default, MAC authentication is disabled for all ports. MAC authentication must be enabled on the ports that will use it.
  Command(s): set macauthentication port {enable | disable}

Step 4. Enable or disable MAC authentication globally on the device. By default, MAC authentication is globally disabled on the device.
  Command(s): set macauthentication {enable | disable}

Step 5. Set the MultiAuth mode.
  Command(s): set multiauth mode multi

Step 6. Display the MAC authentication configuration or the status of active sessions.
  Command(s): show macauthentication
              show macauthentication session

Step 7. If a session or port requires reinitialization, reinitialize a specific MAC session or port.
  Command(s): set macauthentication macinitialize mac-address
              set macauthentication portinitialize port-string

Step 8. If a session or port requires reauthentication, reauthenticate a specific MAC session or port.
  Command(s): set macauthentication macreauthenticate mac-address
              set macauthentication portreauthenticate port-string

Configuring Port Web Authentication (PWA)

Configuring PWA on the switch consists of:
- Setting the IP address which the user will authenticate to on the switch
- Optionally enabling PWA enhanced mode and configuring guest networking privileges
- Enabling PWA on the port
- Globally enabling PWA on the switch
- Setting the authentication mode

Procedure 3 describes how to configure PWA authentication. Unspecified parameters use their default values.

Procedure 3  Port Web Authentication (PWA) Configuration

Step 1. Set the IP address for the end-station the supplicant accesses.
  Command(s): set pwa ipaddress ip-address

Step 2. Optionally enable or disable PWA enhanced mode.
  Command(s): set pwa enhancemode enable
              set pwa enhancemode disabled

Step 3. Enable or disable PWA on the port. PWA must be enabled on the port for PWA to function.
  Command(s): set pwa portcontrol enable port-string
              set pwa portcontrol disable port-string

Step 4. Globally enable or disable PWA on the switch.
  Command(s): set pwa enable
              set pwa disabled

Step 5. Set the MultiAuth mode.
  Command(s): set multiauth mode multi

Step 6. Display the PWA configuration.
  Command(s): show pwa

Optionally Enable Guest Network Privileges

With PWA enhanced mode enabled, you can optionally configure guest networking privileges. Guest networking allows an administrator to specify a set of credentials that will, by default, appear on the PWA login page of an end station when a user attempts to access the network.

When enhanced mode is enabled, PWA will use a guest password and guest user name to grant network access with default policy privileges to users without established login names and passwords.

In order to configure guest networking privileges, you need to set the guest status, user name, and password. You can set guest status to no authentication, RADIUS authentication, or disabled. When you set guest status to no authentication, guest status is provided with its associated policy, but no authentication takes place. When you set guest status to RADIUS authentication, guest status is provided only after a successful authentication takes place. If guest networking status is disabled, all supplicants must be authenticated with a valid user name and password at the login page.

Table 2 describes how to optionally enable guest networking privileges.

Table 2  PWA Guest Networking Privileges Configuration

Task: Optionally enable guest status without authentication.
  Command(s): set pwa gueststatus authnone

Task: Optionally enable guest status with authentication.
  Command(s): set pwa gueststatus authradius

Task: Optionally disable guest status.
  Command(s): set pwa gueststatus disable

Configuring Convergence End Point (CEP)

Configuring CEP consists of:
- Creating a CEP detection group for Non-Cisco Detection CEP types
- Enabling the CEP group for Cisco Detection
- Setting the CEP policy per CEP type
- Enabling CEP on the port
- Setting the authentication mode

Creating a CEP Detection Group

CEP detection groups can be created, deleted, enabled, or disabled. You create a CEP detection group by associating an ID with the create command. Once a group is created, you associate a CEP type, IP address, protocol, and high or low protocol port to it. The type can be H.323, Siemens, or SIP. The IP address is the IP address of the CEP device. By default, H.323 will use 224.0.1.41 as its IP address and Siemens will have no IP address configured. The protocol can be TCP or UDP. The high or low protocol port is the maximum or minimum TCP or UDP port to be used by the group.

Procedure 4 describes the creation of a CEP detection group.

Procedure 4  CEP Detection Group Configuration

Step 1. Create a new CEP detection group or enable, disable, or delete an existing group.
  Command(s): set cep detection-id id {create | enable | disable | delete}

Step 2. Specify the CEP type to be associated with this group.
  Command(s): set cep detection-id id type {h323 | siemens | sip}

Step 3. Specify the CEP device IP address and mask, or set them to unknown.
  Command(s): set cep detection-id id address {ip-address | unknown} mask {mask | unknown}

Step 4. Set the CEP detection group protocol.
  Command(s): set cep detection-id id protocol {tcp | udp | both | none}

Step 5. Set the maximum or minimum port for the TCP or UDP group protocol.
  Command(s): set cep detection-id id {porthigh | portlow} port

Procedure 5 describes the steps to configure CEP.

Procedure 5  CEP Configuration

Step 1. Determine the policy profile index of the profile you wish to associate with a CEP type.
  Command(s): show policy profile all

Step 2. Associate a policy profile with a CEP type.
  Command(s): set cep policy {cisco | h323 | siemens | sip} policy-index

Step 3. Enable or disable the CEP device port for the CEP type.
  Command(s): set cep port port-string cep-type enable
              set cep port port-string cep-type disable

Step 4. If you are using the Cisco discovery protocol, enable the Cisco discovery protocol on the port. You can also optionally set the voice VLAN ID, whether tagged traffic is trusted or untrusted, and the 802.1X priority transmitted to the Cisco IP phone to format in the 802.1Q VLAN tag of its VoIP traffic.
  Command(s): set ciscodp port { [status {disable | enable}] [vvid {vlan-id | none | dot1p | untagged}] [trust-ext {trusted | untrusted}] [cos-ext value] } port-string

Step 5. If the Cisco discovery protocol is enabled on any port, enable the Cisco discovery protocol globally.
  Command(s): set ciscodp status

Step 6. Globally enable or disable CEP on the switch.
  Command(s): set cep enable
              set cep disable

Step 7. Set the MultiAuth mode.
  Command(s): set multiauth mode multi

Step 8. Display CEP connections, detection, policy and port settings.
  Command(s): show cep {connections | detection | policy | port}

Setting MultiAuth Idle and Session Timeout for CEP

There is no means of detecting that a Siemens, SIP, or H.323 phone has gone away other than a link down. Therefore, if these types of phones are not directly connected to the switch port and the phone goes away, the switch will still see the phone connection and any configured policy will remain on the port. Detected CEPs will be removed from the connection table if they do not send traffic for a time equal to the MultiAuth authentication idle timeout value. CEPs are also removed if the total duration of the session exceeds the time specified in the MultiAuth authentication session timeout.

Procedure 6 describes setting the MultiAuth idle and session timeout for CEP.

Procedure 6  Setting MultiAuth Idle and Session Timeout for CEP

Step 1. Optionally set the MultiAuth authentication idle timeout for CEP on this switch.
  Command(s): set multiauth idle-timeout cep timeout

Step 2. Optionally set the MultiAuth authentication session timeout for CEP on this switch.
  Command(s): set multiauth session-timeout cep timeout

Configuring MultiAuth Authentication

Configuring MultiAuth authentication consists of:
- Setting the MultiAuth authentication mode
- Setting MultiAuth authentication precedence settings
- Setting MultiAuth authentication port properties
- Setting MultiAuth authentication idle timeout values
- Setting MultiAuth authentication session timeout values
- Setting MultiAuth authentication trap settings

Setting MultiAuth Authentication Mode

MultiAuth authentication mode can be set to MultiAuth or strict 802.1X single user mode. Set MultiAuth authentication to MultiAuth when multiple users need to be authenticated for 802.1X, or in all cases for MAC, PWA, and CEP authentication.

Procedure 7 describes setting the MultiAuth authentication mode.

Procedure 7  MultiAuth Authentication Configuration

Step 1. For a single user, single authentication 802.1x port configuration, set MultiAuth mode to strict.
  Command(s): set multiauth mode strict

Step 2. For multiple user 802.1x authentication or any non-802.1x authentication, set the system authentication mode to use multiple authenticators simultaneously.
  Command(s): set multiauth mode multi

Step 3. Clear the MultiAuth authentication mode.
  Command(s): clear multiauth mode

Setting MultiAuth Authentication Precedence

MultiAuth authentication administrative precedence globally determines which authentication method will be selected when a user is successfully authenticated for multiple authentication methods on a single port. When a user successfully authenticates more than one method at the same time, the precedence of the authentication methods will determine which RADIUS-returned Filter-ID will be processed and result in an applied traffic policy profile.

MultiAuth authentication precedence defaults to the following order from high to low: 802.1x, PWA, MAC, and CEP (802.1x, PWA, and MAC on stackable fixed switch and standalone fixed switch devices). You may change the precedence for one or more methods by setting the authentication methods in the order of precedence from high to low. Any methods not entered are given a lower precedence than the methods entered, in their pre-existing order. For instance, if you start with the default order and only set PWA and MAC, the new precedence order will be PWA, MAC, 802.1x, and CEP.

Given the default order of precedence (802.1x, PWA, MAC, and CEP), if a user was to successfully authenticate with PWA and MAC, the authentication method whose RADIUS Filter-ID is applied would be PWA, because it has a higher position in the order. A MAC session would authenticate, but its associated RADIUS Filter-ID would not be applied.

Procedure 8 describes setting the order for MultiAuth authentication precedence.

Procedure 8  MultiAuth Authentication Precedence Configuration

Step 1. Set a new order of precedence for the selection of the RADIUS Filter-ID that will be applied when multiple authentication methods are authenticated at the same time for a single user.
  Command(s): set multiauth precedence {[dot1x] [mac] [pwa] [cep] [radius-snooping]}

Step 2. Reset the MultiAuth authentication precedence order to the default values.
  Command(s): clear multiauth precedence
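The precedence rules above, as an added model that is not Enterasys code: set_precedence reproduces how methods left out of the set multiauth precedence command keep their pre-existing order below the named ones, and select_filter_id shows which session's Filter-ID is applied and which authenticated sessions are left shadowed. Method names and the Filter-ID strings are constructed for the example.

```python
"""Model of MultiAuth precedence resolution.

Added illustration for the precedence rules in this section; it is not
Enterasys firmware code. It encodes two rules from the text: methods not
named in 'set multiauth precedence' keep their pre-existing relative order
below the named ones, and when a user authenticates by several methods at
once only the highest-precedence method's RADIUS Filter-ID is applied.
"""

# Default order, high to low, on the modular platforms. Stackable and
# standalone fixed switches have no CEP but resolve the list the same way.
DEFAULT_PRECEDENCE = ["dot1x", "pwa", "mac", "cep"]


def set_precedence(current, requested):
    """Return the order after 'set multiauth precedence <requested...>'.

    Methods in `requested` take the top positions, in the order given; every
    method not mentioned follows them in its pre-existing order.
    """
    unknown = [m for m in requested if m not in current]
    if unknown:
        raise ValueError(f"unknown authentication method(s): {unknown}")
    if len(set(requested)) != len(requested):
        raise ValueError("each method may be listed only once")
    remaining = [m for m in current if m not in requested]
    return list(requested) + remaining


def clear_precedence():
    """Model of 'clear multiauth precedence': back to the default order."""
    return list(DEFAULT_PRECEDENCE)


def select_filter_id(precedence, sessions):
    """Choose which authenticated session's Filter-ID becomes the port policy.

    `sessions` maps a method name to the Filter-ID string RADIUS returned for
    that successful authentication. Every session stays authenticated; only
    the winner's Filter-ID is applied. The rest are reported as shadowed so
    an operator can see which returned policies are not in effect.
    """
    for method in precedence:
        if method in sessions:
            shadowed = {m: f for m, f in sessions.items() if m != method}
            return {"applied_by": method,
                    "filter_id": sessions[method],
                    "shadowed": shadowed}
    return {"applied_by": None, "filter_id": None, "shadowed": {}}


if __name__ == "__main__":
    # Constructed Filter-ID values; real values follow the RADIUS server's
    # policy naming and are not taken from this document.
    sessions = {"pwa": "Guest-Policy", "mac": "Printer-Policy"}
    print(select_filter_id(DEFAULT_PRECEDENCE, sessions))
    print(set_precedence(DEFAULT_PRECEDENCE, ["pwa", "mac"]))
```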

Setting MultiAuth Authentication Port Properties

MultiAuth authentication supports the configuration of the MultiAuth port mode and the maximum number of users per port. The MultiAuth port mode can be configured as follows:
- Authentication Optional - Authentication methods are active on the port based upon the global and port authentication method. Before authentication succeeds, the current policy role applied to the port is assigned to the ingress traffic. This is the default role if no authenticated user or device exists on the port. After authentication succeeds, the user or device is allowed to access the network according to the policy information returned from the authentication server, in the form of the RADIUS Filter-ID attribute, or the static configuration on the switch. This is the default setting.
- Authentication Required - Authentication methods are active on the port, based on the global and per port authentication method configured. Before authentication succeeds, no traffic is forwarded onto the network. After authentication succeeds, the user or device gains access to the network based upon the policy information returned by the authentication server in the form of the RADIUS Filter-ID attribute, or the static configuration on the switch.
- Force Authenticated - The port is completely accessible by all users and devices connected to the port, all authentication methods are inactive on the port, and all frames are forwarded onto the network.
- Force Unauthenticated - The port is completely closed for access by all users and devices connected to the port. All authentication methods are inactive and all frames are discarded.

Procedure 9 describes setting the MultiAuth authentication port mode and maximum user properties.

Procedure 9  MultiAuth Authentication Port and Maximum User Properties Configuration

Step 1. Set the specified ports to the MultiAuth authentication optional port mode.
  Command(s): set multiauth port mode auth-opt port-string

Step 2. Set the specified ports to the MultiAuth authentication required port mode.
  Command(s): set multiauth port mode auth-reqd port-string

Step 3. Set the specified ports to the MultiAuth authentication force authenticated port mode.
  Command(s): set multiauth port mode force-auth port-string

Step 4. Set the specified ports to the MultiAuth authentication force unauthenticated port mode.
  Command(s): set multiauth port mode force-unauth port-string

Step 5. Optionally set the maximum number of authenticated users for the specified port.
  Note: This value can be set to any value up to the maximum number of MultiAuth users supported for the device. See the firmware release notes that come with your device for the maximum number of MultiAuth users the device supports.
  Command(s): set multiauth port numusers numusers port-string

Step 6. Reset the port's MultiAuth authentication port mode to the default value for the specified ports.
  Command(s): clear multiauth port mode port-string

Step 7. Reset the port's MultiAuth authentication maximum number of users to the default value for the specified ports.
  Command(s): clear multiauth port numusers port-string

Setting MultiAuth Authentication Timers

The idle timeout setting determines the amount of idle time, in which no traffic transits the link for a user or device, before the connection is removed from the connection table. The idle timeout can be set for any authentication method.

The session timeout setting determines the maximum amount of time a session can last before being terminated.

Procedure 10 describes setting the MultiAuth authentication timers.

Procedure 10  MultiAuth Authentication Timers Configuration

Step 1. Optionally set the MultiAuth authentication idle timeout value for the specified authentication method.
  Command(s): set multiauth idle-timeout auth-method timeout

Step 2. Reset the MultiAuth authentication idle timeout value to its default value for the specified authentication method.
  Command(s): clear multiauth idle-timeout auth-method

Step 3. Optionally set the maximum amount of time a session can last before termination for the specified authentication method.
  Command(s): set multiauth session-timeout auth-method timeout

Step 4. Reset the maximum amount of time a session can last before termination to the default value for the specified authentication method.
  Command(s): clear multiauth session-timeout auth-method

Setting MultiAuth Authentication Traps

Traps can be enabled at the system and module levels when the maximum number of users for the system and module, respectively, has been reached. Traps can be enabled at the port level for authentication success, failure, termination, and when the maximum number of users has been reached on the port, or for all supported traps.

The modular switch platforms support authentication traps.

Procedure 11 describes setting the MultiAuth authentication traps.

Procedure 11  MultiAuth Authentication Traps Configuration

Step 1. Optionally enable MultiAuth authentication system traps.
  Command(s): set multiauth trap system {enabled | disabled}

Step 2. Optionally enable MultiAuth authentication module traps.
  Command(s): set multiauth trap module {enabled | disabled}

Step 3. Optionally enable MultiAuth authentication port traps.
  Command(s): set multiauth trap port port-string {all | success | failed | terminated | max-reached}

Step 4. Disable MultiAuth authentication traps for the specified trap type.
  Command(s): clear multiauth trap trap-type {all | success | failed | terminated | max-reached}

Displaying MultiAuth Configuration Information

MultiAuth authentication supports the display of system-wide MultiAuth authentication values, MultiAuth authentication counters, port settings, end-user MAC addresses, session information, idle timeout settings, session timeout settings, and trap settings.

Table 3 describes displaying MultiAuth authentication settings and statistics.

Table 3  Displaying MultiAuth Configuration Information

Task: Display system-wide MultiAuth authentication values.
  Command(s): show multiauth

Task: Display MultiAuth authentication counters.
  Command(s): show multiauth counters

Task: Display MultiAuth authentication port settings for all or the specified ports.
  Command(s): show multiauth port [port-string]

Task: Display end-user MAC addresses per port for all MAC addresses and ports or for those specified.
  Command(s): show multiauth station [mac-address] [port-string]

Task: Display MultiAuth authentication sessions for all sessions or the specified authentication method, MAC address, or ports.
  Command(s): show multiauth session [agent auth-method] [mac-address] [port-string]

Task: Display MultiAuth authentication idle timeout values.
  Command(s): show multiauth idle-timeout

Task: Display MultiAuth authentication session timeout values.
  Command(s): show multiauth session-timeout

Task: Display MultiAuth authentication trap settings.
  Command(s): show multiauth trap

Configuring VLAN Authorization

VLAN authorization allows for the dynamic assignment of users to the same VLAN. You configure VLAN authorization attributes within RADIUS. On the switch you enable VLAN authorization both globally and per port. VLAN authorization is disabled globally by default. VLAN authorization is enabled per port by default. You can also set the VLAN egress format per port. VLAN egress format defaults to untagged. VLAN egress format can be set as follows:
- none - No egress manipulation will be made.
- tagged - The authenticating port will be added to the current tagged egress for the VLAN-ID returned.
- untagged - The authenticating port will be added to the current untagged egress for the VLAN-ID returned.
- dynamic - Egress formatting will be based upon information contained in the authentication response.

The VLAN authorization table will always list any tunnel attribute VIDs that have been received for authenticated end systems, but a VID will not actually be assigned unless VLAN authorization is enabled both globally and on the authenticating port. Dynamic VLAN authorization overrides the port PVID. Dynamic VLAN authorization is not reflected in the show port vlan display. The VLAN egress list may be statically configured, enabled based upon the set vlanauthorization egress command, or have dynamic egress enabled to allow full VLAN membership and connectivity.

Procedure 12 describes setting the VLAN authorization configuration.

Procedure 12  VLAN Authorization Configuration

Step 1. Enable or disable VLAN authorization both globally and per port.
  Command(s): set vlanauthorization {enable | disable}

Step 2. Reset the VLAN authorization configuration to default values for the specified port-list or for all ports.
  Command(s): clear vlanauthorization {port-list | all}

Step 3. Display the VLAN authorization configuration settings for the specified port-list or for all ports.
  Command(s): show vlanauthorization {port-list | all}

Setting Dynamic Policy Profile Assignment and Invalid Policy Action

Dynamic policy profile assignment is implemented using the policy mapping table. When VLAN authorization is enabled, authenticated users are dynamically assigned to the received tunnel attribute VID, unless preempted by a policy maptable configuration entry. Dynamic policy profile assignment is supported by mapping a VID to a policy role upon receipt of a RADIUS tunnel attribute.

If the authentication server returns an invalid policy or VLAN to a switch for an authenticating supplicant, an invalid action of forward, drop, or default policy can be configured.

Procedure 13 describes setting the dynamic policy profile assignment and invalid policy action configuration.

Procedure 13  Policy Profile Assignment and Invalid Action Configuration

Step 1. Identify the profile index to be used in the VID-to-policy mapping.
  Command(s): show policy profile all

Step 2. Map the VLAN ID to the profile index.
  Command(s): set policy maptable {vlan-list profile-index | response {tunnel | policy | both}}

Step 3. Display the current maptable configuration.
  Command(s): show policy maptable

Step 4. Set the action to take when an invalid policy or VLAN is received by the authenticating switch.
  Command(s): set policy invalid action {default-policy | drop | forward}

Note: Dynamic policy profile assignment is supported on the Matrix E1 and modular switch platforms.
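The decision the switch makes in tunnel-only mode (the response tunnel rules given at the start of this chapter section, the VLAN authorization checks, the VID-to-policy maptable, and the invalid action above) as one added model that is not Enterasys firmware code. The SwitchState and RadiusReply dataclasses are constructed for the example, and treating a VID the switch has no VLAN for as "invalid" is an assumption, since the text does not define what makes a returned VLAN invalid.

```python
"""Decision model for what is applied to an authenticating user when the
switch is set to use only tunnel attributes ('set policy maptable response
tunnel'), combining the VLAN authorization rules, the VID-to-policy maptable
and the invalid-policy action from this section.

Added illustration, not Enterasys firmware code. The switch state and RADIUS
reply are constructed dataclasses; the test for an "invalid" VID (one the
switch has no VLAN for) is an assumption, since the text does not define it.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SwitchState:
    platform: str                  # "modular", "stackable" or "standalone"
    vlanauth_global: bool          # 'set vlanauthorization enable', globally
    vlanauth_port: bool            # VLAN authorization on the user's port
    port_vlan: int                 # the port's PVID
    default_policy: Optional[str] = None       # default policy role, if any
    default_policy_vlan: Optional[int] = None  # its VLAN, if configured
    maptable: dict = field(default_factory=dict)   # VID -> profile index
    known_vlans: frozenset = frozenset()           # VLANs on the switch (assumed validity test)
    invalid_action: str = "drop"   # set policy invalid action {default-policy | drop | forward}


@dataclass
class RadiusReply:
    tunnel_vid: Optional[int] = None   # VID carried in the tunnel attributes
    filter_id: Optional[str] = None    # Filter-ID, present or not


def resolve_tunnel_mode(state: SwitchState, reply: RadiusReply) -> dict:
    """Return what the switch applies: a policy role, a VLAN, or the invalid action."""
    notes = []
    if reply.filter_id is not None:
        notes.append("Filter-ID present but ignored in tunnel mode")

    # VLAN authorization must be enabled both globally and on the port.
    if not (state.vlanauth_global and state.vlanauth_port):
        if state.default_policy is not None:
            notes.append("VLAN authorization off: default policy")
            return {"kind": "policy", "value": state.default_policy, "notes": notes}
        notes.append("VLAN authorization off: port VLAN")
        return {"kind": "vlan", "value": state.port_vlan, "notes": notes}

    # Tunnel attributes absent: default policy VLAN, else the port VLAN.
    if reply.tunnel_vid is None:
        if state.default_policy_vlan is not None:
            notes.append("no tunnel attributes: default policy VLAN")
            return {"kind": "vlan", "value": state.default_policy_vlan, "notes": notes}
        notes.append("no tunnel attributes: port VLAN")
        return {"kind": "vlan", "value": state.port_vlan, "notes": notes}

    vid = reply.tunnel_vid
    if vid not in state.known_vlans:       # assumed meaning of "invalid VLAN"
        notes.append(f"VID {vid} invalid: action {state.invalid_action}")
        if state.invalid_action == "default-policy":
            return {"kind": "policy", "value": state.default_policy, "notes": notes}
        return {"kind": state.invalid_action, "value": None, "notes": notes}

    # VID-to-policy mapping only happens on the modular platforms.
    if state.platform == "modular" and vid in state.maptable:
        notes.append(f"VID {vid} mapped to a policy profile via the maptable")
        return {"kind": "policy", "value": state.maptable[vid], "notes": notes}
    notes.append(f"tunnel VID {vid} applied")
    return {"kind": "vlan", "value": vid, "notes": notes}
```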

Configuring RADIUS

You can set, clear, and display the RADIUS configuration for both authentication and accounting.

Configuring the Authentication Server

There are four aspects to configuring the authentication server:
- State enables or disables the RADIUS client for this switch.
- Establishment values configure a timer setting the length of time before retries, as well as the number of retries, before the switch determines the authentication server is down and attempts to establish with the next server in its list.
- Server identification provides for the configuration of the server IP address and index value. The index determines the order in which the switch will attempt to establish a session with an authentication server. After setting the index and IP address you are prompted to enter a secret value for this authentication server. Any authentication requests to this authentication server must present the correct secret value to gain authentication.
- The realm provides the configuration scope for this server: management access, network access, or both.

Firmware supports the configuration of multiple authentication servers. The lowest index value associated with a server determines the primary server. If the primary server is down, the operational server with the next lowest index value is used. If the switch fails to establish contact with the authentication server before a configured timeout, the switch will retry for the configured number of times. Servers can be restricted to management access or network access authentication by configuring the realm option.

Procedure 14 describes authentication server configuration.

Procedure 14  Authentication Server Configuration

Step 1. Configure the index value, IP address, and secret value for this authentication server.
  Command(s): set radius server index ip-address [secret-value]

Step 2. Optionally set the number of seconds the switch will wait before retrying authentication server establishment.
  Command(s): set radius timeout timeout

Step 3. Optionally set the number of retries that will occur before the switch declares an authentication server down.
  Command(s): set radius retries retries

Step 4. Optionally set the authentication server configuration scope to management access, network access, or both for all or the specified authentication server.
  Command(s): set radius realm {management-access | network-access | any} {as-index | all}

Step 5. Globally enable or disable RADIUS on the switch.
  Command(s): set radius {enable | disable}

Step 6. Reset the specified RADIUS setting to its default value.
  Command(s): clear radius {[state] [retries] [timeout] [server [index | all]] [realm {index | all}]}

Step 7. Display the current RADIUS authentication server settings.
  Command(s): show radius [state | retries | authtype | timeout | server [index | all]]

Configuring RADIUS Accounting

There are four aspects to configuring RADIUS accounting:
- State enables or disables RADIUS accounting.
- Update values allow the specification of the length of the period before accounting updates start and the interval between updates.
- Establishment values configure a timer setting the length of time before retries, as well as the number of retries, before the switch determines the RADIUS accounting server is down and attempts to establish with the next server in its list.
- Server identification provides for the configuration of the RADIUS accounting server IP address and index value. The index determines the order in which the switch will attempt to establish with an accounting server. After setting the index and IP address you are prompted to enter a secret value for this accounting server.

Firmware supports the configuration of multiple RADIUS accounting servers. The lowest index value associated with a server determines the primary server. If the primary server is down, the operational server with the next lowest index value is used. If the switch fails to establish contact with the primary server before a configured timeout, the switch will retry for the configured number of times.

Procedure 15 describes RADIUS accounting configuration.

Procedure 15  RADIUS Accounting Configuration

Step 1. Set the minimum interval at which RADIUS accounting sends interim updates.
  Command(s): set radius accounting intervalminimum interval

Step 2. Set the number of seconds between each RADIUS accounting interim update.
  Command(s): set radius accounting updateinterval interval

Step 3. Set the number of times a switch will attempt to contact a RADIUS accounting server.
  Command(s): set radius accounting retries retries

Step 4. Set the amount of time to establish contact with a RADIUS accounting server before timing out.
  Command(s): set radius accounting timeout timeout {index | all}

Step 5. Configure the RADIUS accounting server.
  Command(s): set radius accounting server {index | all} ip_address udp-port [server-secret]

Step 6. Enable or disable RADIUS accounting on this switch.
  Command(s): set radius accounting {enable | disable}

Step 7. Reset RADIUS accounting parameters to default values or clear server definitions on this switch.
  Command(s): clear radius accounting {[server {index | all}] [retries {index | all}] [timeout {index | all}] [intervalminimum] [updateinterval]}

Step 8. Display the RADIUS accounting configuration or statistics.
  Command(s): show radius accounting [updateinterval | intervalminimum | state | server {index | all}]
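The server-selection behaviour described for both the authentication servers (Procedure 14) and the accounting servers (Procedure 15), as an added model that is not Enterasys firmware code: lowest index first, the configured retries against each server with the configured timeout, then the next lowest index, with realm restrictions honoured. It assumes that retries counts the attempts made against one server, that every failed attempt waits the full timeout, and that reachability comes from a constructed lookup rather than the network; the server addresses are placeholders.

```python
"""Model of how the switch walks its RADIUS server list, for both the
authentication servers of Procedure 14 and the accounting servers of
Procedure 15: the lowest index is primary, a server is tried up to the
configured number of retries with the configured timeout, then the next
lowest index is used.

Added illustration, not Enterasys firmware code. Assumptions: 'retries' is
the number of attempts made against one server, every failed attempt waits
the full timeout, and reachability comes from a constructed lookup rather
than the network.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class RadiusServer:
    index: int
    address: str
    realm: str = "any"   # management-access | network-access | any


# Default establishment values from Table 1.
AUTH_DEFAULTS = {"timeout": 20, "retries": 3}   # set radius timeout / retries
ACCT_DEFAULTS = {"timeout": 5, "retries": 2}    # set radius accounting timeout / retries


def contact_server(servers: Iterable[RadiusServer],
                   reachable: Callable[[str], bool],
                   realm: str = "network-access",
                   timeout: int = AUTH_DEFAULTS["timeout"],
                   retries: int = AUTH_DEFAULTS["retries"]):
    """Return (server or None, attempts made, seconds spent waiting).

    Servers whose realm does not cover the request's realm are skipped, as
    'set radius realm' restricts a server to management or network access.
    """
    attempts = 0
    waited = 0
    for srv in sorted(servers, key=lambda s: s.index):
        if srv.realm not in ("any", realm):
            continue
        for _ in range(retries):
            attempts += 1
            if reachable(srv.address):
                return srv, attempts, waited
            waited += timeout   # a failed attempt costs a full timeout
    return None, attempts, waited


def worst_case_failover_delay(timeout: int, retries: int) -> int:
    """Seconds a request waits on a dead primary before the next index is tried."""
    return timeout * retries


if __name__ == "__main__":
    # Constructed server list and reachability; the addresses are placeholders.
    servers = [RadiusServer(1, "192.0.2.1"), RadiusServer(2, "192.0.2.2")]
    up = {"192.0.2.2"}
    print(contact_server(servers, lambda a: a in up))
    print("failover delay, auth defaults:", worst_case_failover_delay(**AUTH_DEFAULTS))
```

With the Table 1 defaults a dead primary costs 60 seconds per authentication request before the second server is tried, which is why retries and timeout deserve tuning when an outage of the primary must not stall supplicants.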


Authentication Configuration Example


Our example covers the four supported modular switch and three supported stackable fixed switch authentication types being used in an engineering group: end-user station, an IP phone, a printer cluster, and public internet access. For the stackable fixed switch devices, the example assumes C3 platform capabilities. See Figure 4 for an overview of the modular switch authentication configuration and Figure 5 on page 30 for an overview of the stackable fixed switch authentication configuration.

Figure 4  Modular Switch Authentication Configuration Example Overview

[Figure 4 shows LAN Cloud 1 with a Modular Switch, a Router, and RADIUS Server 1, and lists the following devices and configuration tasks:]
- Engineering end-user stations, 802.1x authentication: Enable 802.1x; Set non-Authentication ports to force-auth
- Printer cluster, MAC Authentication: Enable MAC authentication; Set MAC authentication password; Enable Port
- Engineering Group Siemens CEP: Enable CEP; Associate Policy; Enable Port
- Public internet access, PWA Authentication, IP address 10.10.10.101: Enable PWA; Configure IP address; Enable Enhance Mode; Enable Guest Status for RADIUS Authentication; Set Guest ID and Password; Enable Port
- Modular Switch: Configure policies; Enable RADIUS; Enable multi-user authentication
- RADIUS Server 1, IP address 10.20.10.01: Create RADIUS user accounts

Figure 5 Stackable Fixed Switch Authentication Configuration Example Overview

(Diagram contents rendered as a list. The stackable switch connects LAN Cloud 1 to the devices below; on the switch itself: Configure policies, Enable RADIUS, Enable multi-user authentication.)

Printer cluster (MAC authentication): Enable MAC authentication; Set MAC authentication password; Enable Port.
Engineering end-user stations (802.1x authentication): Enable Eapol; Enable 802.1x; Set non-Authentication ports to force-auth.
Public internet access (PWA authentication, IP address 10.10.10.201): Enable PWA; Configure IP address; Enable Enhance Mode; Enable Guest Status for RADIUS Authentication; Set Guest ID and Password; Enable Port.
RADIUS Server 1 (IP address 10.20.10.01): Create RADIUS user accounts.

Note: The modular switch and stackable fixed switch authentication examples are presented here as a single discussion. Any input and information that is not applicable to both platform groups is identified. All other information is applicable to both platform groups. The stackable fixed switch example discussion assumes a C3 device authentication functionality.

Our configuration example consists of the following steps as shown in Figure 4 and Figure 5 and described in the sections that follow:
1. Configuring policies, RADIUS, and MultiAuth authentication on the switch.
2. Creating RADIUS user accounts on the authentication server.
3. Configuring for the engineering group 802.1x end-user stations, including the IP phone in the stackable fixed switch configuration.
4. Configuring for the engineering group Siemens CEP devices for the modular switch configuration. Configuring the printer cluster MAC authentication for the stackable fixed switch configuration.
5. Configuring the printer cluster MAC authentication for the modular switch configuration. Configuring the public area internet access for PWA for the stackable fixed switch.
6. Configuring for the public area internet access for PWA for the modular switch.

Configuring MultiAuth Authentication


MultiAuth authentication must be set to multi whenever multiple users of 802.1x need to be authenticated or whenever any MAC-based, PWA, or CEP authentication is present. For ports where no authentication is present, such as switch-to-switch or switch-to-router connections, you should also set MultiAuth port mode to force-authenticate to assure that traffic is not blocked by a failed authentication. For purposes of this example, we will limit authentication to a maximum of 6 users per port.

The following CLI input:
• Sets MultiAuth authentication to multi.
• Sets ports with switch-to-switch and switch-to-router connections to force-authenticate.
• Sets the maximum number of users that can authenticate on each port to 6.

System(rw)->set multiauth mode multi
System(rw)->set multiauth port mode force-auth ge.1.5-7
System(rw)->set multiauth port numusers 6 ge.1.5-7
System(rw)->set multiauth port mode force-auth ge.1.19-24
System(rw)->set multiauth port numusers 6 ge.1.19-24

Enables MultiAuth authentication system and module traps for the modular switch configuration.

System(rw)->set multiauth trap system enabled
System(rw)->set multiauth trap module enabled

This completes the MultiAuth authentication configuration piece for this example. Keep in mind that you would want to use the set multiauth precedence command to specify which authentication method should take precedence, should you have a single user configured for multiple authentications on the same port.

Enabling RADIUS On the Switch


The switch needs to be informed about the authentication server. Use the following CLI input to:
• Configure the authentication server IP address on the switch.
• Enable the RADIUS server.

System(rw)->set radius server 1 10.20.10.01
System(rw)->set radius enable

Creating RADIUS User Accounts On The Authentication Server


RADIUS account creation on the authentication server is specific to the RADIUS application you are using. Please see the documentation that comes with your RADIUS application. Create an account for all users to be authenticated.

Configuring the Engineering Group 802.1x End-User Stations


There are three aspects to configuring 802.1x for the engineering group:
• Configure EAP on each end-user station.
• Set up an account in RADIUS on the authentication server for each end-user station.
• Configure 802.1x on the switch.

Configuring EAP on the end-user station and setting up the RADIUS account for each station is dependent upon your operating system and the RADIUS application being used, respectively. The important thing the network administrator should keep in mind is that these two configurations should be in place before moving on to the 802.1x configuration on the switch. In an 802.1x configuration, policy is specified in the RADIUS account configuration on the authentication server using the RADIUS Filter-ID. See The RADIUS Filter-ID on page 9 for RADIUS Filter-ID information. If a RADIUS Filter-ID exists for the user account, the RADIUS protocol returns it in the RADIUS Accept message and the firmware applies the policy to the user.

Note: Globally enabling 802.1x on a switch sets the port-control type to auto for all ports. Be sure to set port-control to forced-auth on all ports that will not be authenticating using 802.1x and on which no other authentication method is configured. Otherwise these ports will fail authentication and traffic will be blocked.

The following CLI input:
• Enables EAP on the stackable fixed switch.
• Enables 802.1x on the switch.
• Sets port-control to forced-auth for all connections between switches and routers, because they do not use authentication and would be blocked if not set to forced-auth.

C3(rw)->set eapol enable

System(rw)->set dot1x enable
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.5
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.19
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.2.24

This completes the 802.1x end-user stations configuration.

Configuring the Engineering Group Siemens CEP Devices


Note: CEP is supported on the modular switch platforms. Stackable fixed switch platforms authenticate IP phone devices using either 802.1x or MAC authentication. 802.1x is used in this stackable fixed switch authentication example for the IP phone implementation.

If a Siemens phone is inserted into a port enabled for Siemens CEP, the firmware detects communication on UDP/TCP port 4060. Use policy manager to configure a policy with a VLAN, CoS, and rate limit appropriate to VoIP. See the QoS Feature Guide Configuration Example section at https://extranet.enterasys.com/downloads for a QoS VoIP policy configuration example. Once an existing policy is configured, the set cep policy command can be used to apply the policy.

The following CLI input:
• Enables CEP globally on the switch.
• Sets CEP policy to a previously configured policy named siemens with an index of 9.
• Sets ports ge.1.16-18 to only accept default Siemens type phones and applies the Siemens policy to the specified ports.

System(rw)->set cep enable
System(rw)->set cep policy siemens 9
System(rw)->set cep port ge.1.16-18 siemens enable

This completes the Siemens CEP end-user stations configuration.

Configuring the Printer Cluster for MAC-Based Authentication


Perform the following tasks to configure MAC-based authentication for the printer cluster in our example:
• Set up an account for each printer on the authentication server that contains the printer MAC address, the MAC authentication password configured on the switch, and a RADIUS Filter-ID entry specifying the printer policy.
• Configure a policy using the policy manager specifying the printer cluster VLAN and optionally configuring a CoS and rate limit.
• Enable MAC authentication globally on the switch.
• Enter the MAC authentication password as enterasys on the switch.
• Set the MAC authentication significant bits to 24.
• Enable MAC authentication on the ports used by the printer cluster: ge.1.3-4

With the authentication server configured with a RADIUS account for each printer, and the printer policy preconfigured, enter the following CLI input:

System(rw)->set macauthentication enable
System(rw)->set macauthentication password enterasys
System(rw)->set macauthentication significant-bits 24
System(rw)->set macauthentication port enable ge.1.3-4

This completes the printer cluster MAC authentication configuration.

Configuring the Public Area PWA Station


The public area PWA station provides visitors to your business site with open access to the internet, while at the same time isolating the station from any access to your internal network. In order to provide a default set of network resources to communicate over HTTP, policy must be set to only allow DHCP, ARP, DNS, and HTTP. You may want to set a rate limit that would guard against excessive streaming. You will also need to set up RADIUS for the public station account on the authentication server. This configuration will include the guest name, password, and a RADIUS Filter-ID for the public policy.

Perform the following tasks to configure the public station for PWA authentication:
• Configure the policy appropriate to the public station.
• Set up the RADIUS user account for the public station on the authentication server.
• Enable PWA globally on the switch.
• Configure the IP address for the public station.
• Optionally set up a banner for the initial PWA screen.
• Enable PWA enhance mode so that any URL input will cause the PWA sign-in screen to appear.
• Set PWA guest status to RADIUS authentication mode.
• Set the PWA login guest name.
• Set the PWA login password.
• Enable PWA on the switch port where the public station is connected.

Once the policy and RADIUS account are configured, enter the following CLI input on the switch:

System(rw)->set pwa enable
System(rw)->set pwa ipaddress 10.10.10.101
System(rw)->set banner \Enterasys Networks Public Internet Access Station\
System(rw)->set pwa enhancemode enable
System(rw)->set pwa guestatus authradius
System(rw)->set pwa guestname guest
System(rw)->set pwa guestpassword password
System(rw)->set pwa portcontrol enable ge.1.6

This completes the Authentication configuration example.
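The configuration example above mixes three things that have to agree with each other: the MultiAuth force-auth port list, the 802.1x forced-auth port list, and the set of ports that really are unauthenticated uplinks. The following cross-check is an added example, not Enterasys code or part of the original guide; it parses CLI lines in the form shown above, expands port ranges such as ge.1.19-24, and reports uplinks that 802.1x would block as well as access ports on which force-auth would silently bypass authentication. The sample configuration and the uplink list are constructed for this example.

```python
"""Cross-check of the switch-side authentication example above.

Added example, not Enterasys code. It parses the CLI lines of the example
(the 'System(rw)->' prompt is stripped), expands port ranges such as
ge.1.19-24, and checks what the note on 802.1x warns about: every port the
administrator declares as an unauthenticated uplink (switch-to-switch or
switch-to-router) must be force-auth in both the MultiAuth port mode and the
802.1x port control, and no other port may be force-auth, because that would
let an access port bypass authentication. It also checks that MultiAuth mode
is 'multi' whenever MAC, PWA or CEP authentication is enabled. The sample
configuration and the uplink list are constructed for this example.
"""
import re

PORT_RE = re.compile(r"^(?P<prefix>[a-z]+\.\d+\.)(?P<lo>\d+)(?:-(?P<hi>\d+))?$")


def expand_ports(spec):
    """Expand 'ge.1.5-7' to ['ge.1.5', 'ge.1.6', 'ge.1.7']; comma lists allowed."""
    ports = []
    for item in spec.split(","):
        m = PORT_RE.match(item.strip())
        if not m:
            raise ValueError(f"unrecognised port specification: {item!r}")
        lo, hi = int(m["lo"]), int(m["hi"] or m["lo"])
        ports.extend(f"{m['prefix']}{n}" for n in range(lo, hi + 1))
    return ports


def parse_config(lines):
    """Collect the settings this check cares about from 'set ...' CLI lines."""
    cfg = {"dot1x": False, "mac": False, "pwa": False, "cep": False,
           "multiauth_mode": None, "dot1x_forced": set(), "multiauth_forced": set()}
    for raw in lines:
        tokens = raw.split("->", 1)[-1].split()   # drop the CLI prompt, if any
        if not tokens or tokens[0] != "set":
            continue
        if tokens[1:3] == ["dot1x", "enable"]:
            cfg["dot1x"] = True
        elif tokens[1:3] == ["macauthentication", "enable"]:
            cfg["mac"] = True
        elif tokens[1:3] == ["pwa", "enable"]:
            cfg["pwa"] = True
        elif tokens[1:3] == ["cep", "enable"]:
            cfg["cep"] = True
        elif tokens[1:3] == ["multiauth", "mode"]:
            cfg["multiauth_mode"] = tokens[3]
        elif tokens[1:5] == ["dot1x", "auth-config", "authcontrolled-portcontrol", "forced-auth"]:
            cfg["dot1x_forced"].update(expand_ports(tokens[5]))
        elif tokens[1:5] == ["multiauth", "port", "mode", "force-auth"]:
            cfg["multiauth_forced"].update(expand_ports(tokens[5]))
    return cfg


def check(lines, uplink_specs):
    """Return a list of findings (empty when the configuration is consistent)."""
    cfg = parse_config(lines)
    uplinks = {p for spec in uplink_specs for p in expand_ports(spec)}
    findings = []
    if (cfg["mac"] or cfg["pwa"] or cfg["cep"]) and cfg["multiauth_mode"] != "multi":
        findings.append("global: MultiAuth mode must be multi when MAC, PWA or CEP "
                        "authentication is present")
    if cfg["dot1x"]:
        # global 802.1x sets every port to auto; uplinks left there will be blocked
        for port in sorted(uplinks - cfg["dot1x_forced"]):
            findings.append(f"{port}: uplink left in 802.1x port-control auto; "
                            "its traffic will be blocked")
    for port in sorted(uplinks - cfg["multiauth_forced"]):
        findings.append(f"{port}: uplink not set to force-auth in MultiAuth port mode")
    # the converse risk: force-auth on an access port disables authentication there
    for port in sorted((cfg["dot1x_forced"] | cfg["multiauth_forced"]) - uplinks):
        findings.append(f"{port}: force-auth on a non-uplink port bypasses authentication")
    return findings


# Constructed sample modelled on the example above, with two deliberate mistakes:
# uplink ge.1.24 is missing from the 802.1x forced list, and printer port ge.1.3 is forced.
SAMPLE_CONFIG = """
System(rw)->set multiauth mode multi
System(rw)->set multiauth port mode force-auth ge.1.5-7
System(rw)->set multiauth port mode force-auth ge.1.19-24
System(rw)->set dot1x enable
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.5-7
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.19-23
System(rw)->set dot1x auth-config authcontrolled-portcontrol forced-auth ge.1.3
System(rw)->set macauthentication enable
System(rw)->set macauthentication port enable ge.1.3-4
System(rw)->set pwa enable
""".strip().splitlines()

# Ports the administrator declares as unauthenticated switch/router links (constructed).
UPLINKS = ["ge.1.5-7", "ge.1.19-24"]

if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG, UPLINKS):
        print(finding)
```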

Terms and Definitions


Table 4 lists terms and definitions used in this Authentication configuration discussion.

Table 4 Quality of Service Configuration Terms and Definitions

Authentication Server (AS)
    An entity providing authorization services to an authenticator using RADIUS. The authentication server may be on the same device or be at a remote location.
Authenticator
    The switch seeking authentication from the authentication server for a supplicant.
Convergence End Point (CEP)
    A protocol capable of detecting an IP telephony or video device on a port and dynamically applying a specific policy to the port.
Domain Name System (DNS)
    Serves as a means for the Internet to translate human-readable computer hostnames, e.g. www.example.com, into the IP addresses.
Dynamic Host Configuration Protocol (DHCP)
    A protocol used by networked clients to obtain various parameters necessary for the clients to operate in an Internet Protocol (IP) network.
Extensible Authentication Protocol (EAP)
    A protocol that provides the means for communicating the authentication information in an IEEE 802.1x context.
IEEE 802.1x
    An IEEE standard for port-based Network Access Control that provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails.
MAC-based Authentication
    A means of authenticating a device attempting to gain access to the network based upon the device MAC address and a secret keyword known to the authenticator and the RADIUS application on the authentication server.
MultiAuth Authentication
    The ability to authenticate multiple authentication modes for a user and applying the authentication mode with the highest precedence.
Multi-user Authentication
    The ability to appropriately authenticate multiple supplicants on a single link and provision network resources, based upon policy associated with each supplicant.
Port Web Authentication (PWA)
    A means of authenticating a user by utilizing a web browser for the login process to authenticate to the network.
RADIUS Filter-ID
    An Enterasys proprietary string formatted in the RADIUS Access-Accept packet sent back from the authentication server to the switch containing either the policy to apply to the supplicant, the management type for the port, or both.
RADIUS Protocol
    An AAA (Authentication, Authorization, and Accounting) protocol for controlling access to network resources used by ISPs and corporations managing access to Internet or internal networks across an array of access technologies.
Supplicant
    The user or device seeking access to network resources.

Revision History
Dates (in order): 05-14-2008, 07-11-2008, 02-04-2009, 04-29-2009, 06-23-2009, 04-15-2011

Descriptions (in the same order): New document. Added Enterasys Registration mark and fixed Version date in some footers. Spelled out D-Series, G-Series, and I-Series when appropriate. Clarified stackable fixed switch support. Provided hybrid authentication discussion. Clarified Multi-user support for stackable fixed switch devices. Added S-Series and K-Series support. Numerous miscellaneous edits.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

© 2011 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, S-SERIES and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Flex-Edge
This document describes the Flex-Edge capability on the Enterasys S-Series platform.

For information about...          Refer to page...
What is Flex-Edge                 1
Implementing Flex-Edge            1
Flex-Edge Overview                2
Terms and Definitions             3

What is Flex-Edge
Flex-Edge is the capability to classify and prioritize traffic as it enters the switch, assert flow control, and ensure that higher priority traffic received by the switch is forwarded to the packet processor ahead of lower priority traffic. With these Flex-Edge capabilities, the switch is significantly less vulnerable to network congestion issues at peak traffic times. Traffic critical to ensuring the always-up operational state of the network and to maintaining application continuity is identified and prioritized at ingress, prior to being passed to the packet processor. Network high availability is assured, and important users and applications are guaranteed bandwidth and priority.

The diversity of IP-enabled devices, combined with real-time applications such as VoIP, video and audio streaming, and software on demand, have exponentially increased network traffic volume. The introduction of these functionalities creates a need for bandwidth management to prevent port oversubscription and assure that the lowest priority packets are dropped should port oversubscription occur. Flex-Edge provides key components of that bandwidth management requirement.

Packet classification and prioritization is handled by the advanced Media Access Control (MAC) chip. Should congestion start to occur, the MAC chip is capable of sending a MAC pause out the congesting port requesting that downstream ports temporarily stop sending traffic to the device. Flex-Edge forwards higher priority packets to the packet processor ahead of lower priority packets. Any dropping of packets is handled in the packet buffer by QoS.

Implementing Flex-Edge
Drop precedence is the only administratively configurable Flex-Edge parameter. All other Flex-Edge processing is hard-coded. Drop precedence is a CoS setting that is applied to a policy rule. Drop precedence can set the packet priority to favored, best effort, or unfavored.

December 02, 2010

Flex-Edge Overview
All S-Series switches support the Flex-Edge feature, which provides a unique mechanism for the classification of traffic as it enters the switch.

Figure 1 on page 2 provides a high-level view of Flex-Edge processing. The advanced MAC chip applies packet classification and bandwidth control to the ingressing packets. If required, the MAC chip sends a MAC pause downstream to temporarily stop the traffic coming at the port. Packets classified with the highest priority are forwarded to the packet processor before packets with a lower priority. Packet buffering provides relief for congestion at the egress. If packets must be dropped, lowest priority packets are dropped in the packet buffer based upon QoS configuration. Finally, packets egress the device based upon packet scheduling.

Figure 1 Flex-Edge Processing

The Flex-Edge feature assigns one of four traffic categories to each packet as it enters the switch. Flex-Edge, using the MAC chip capability on the switch, queues each of four traffic categories into its own prioritized queue. Each queue will not pass any traffic on to the packet processor until all higher priority queues are empty.

If flow control is enabled on the port, either manually or using auto-negotiation, Flex-Edge applies back pressure to front and aggregator ports to avoid discard. The MAC capability monitors traffic on all ports, by category and priority, and makes intelligent decisions concerning which front panel ports to initiate flow control on, by sending a MAC PAUSE frame to the sending device out the port causing the congestion.


Note: The Flex-Edge feature and the port priority (IEEE 802.1D) configuration are functionally separate and have no effect on each other.

Priority queueing, from high priority to low priority, is given to the following four traffic categories:
1. Network control: Protocol packets necessary for maintaining network topology such as:
   • L2 (STP, GVRP, LACP)
   • L3 (VRRP, OSPF, RIP, BGP, DVMRP, PIM)
   • ARP
2. Network discovery: Protocol packets used for dissemination of network characteristics such as LLDP, CtronDP, and CiscoDP
3. Configured drop precedence: Packets associated with a policy rule that specifies a Class of Service with a configured drop precedence of favored (0), best effort (1), or unfavored (2)
4. Best effort: All traffic that doesn't fall into any other category listed here

Network control, network discovery, and best effort priorities are hard-coded and cannot be modified. Drop precedence is assigned to a Class of Service using the set cos settings command and applied to a policy rule using the set policy rule command. Best effort is traffic that is undefined within the Flex-Edge context, and therefore by definition cannot be configured for purposes of back pressure or forwarding priority. Best effort categorized traffic is given the lowest priority by the Flex-Edge mechanism, with the exception of unfavored drop precedence which is the lowest priority possible within the Flex-Edge mechanism.


Note: See the QoS feature Guide for a complete discussion of Class of Service. See the Policy feature guide for details on how a Class of Service is applied to policy. Enterasys feature guides can be accessed on the Enterasys Support public website: http://secure.enterasys.com/support/manuals/

The only user-configurable aspect of the Flex-Edge feature is drop precedence. Drop precedence is a CoS settings option. CoS settings are assigned to a policy rule. In a Flex-Edge context, drop precedence is limited to rules that apply to a single port and specify a traffic classification of either port or mac-source. For any packets matching the policy rule, you can assign one of three drop precedence priority levels:
• Favored: A drop precedence value of 0 provides a better chance of being passed on for packet processing than traffic categorized as best effort.
• Best Effort: A drop precedence value of 1 provides a best effort level of priority within the Flex-Edge priority scheme.
• Unfavored: A drop precedence value of 2 provides a somewhat worse chance of being passed on for packet processing than traffic categorized as best effort. This is the lowest possible priority setting within the Flex-Edge mechanism.

Terms and Definitions


Table 1 lists terms and definitions used in this Flex-Edge discussion.

Table 1 Flex-Edge Terms and Definitions

CoS
    Class of Service.
drop-precedence
    A CoS setting assigned to a policy rule, specifying a traffic classification to either a port or mac-source of favored, best-effort, or unfavored.
Flex-Edge
    An S-Series platform capability to classify and prioritize traffic as it enters the switch, assert flow control, and ensure that higher priority traffic received by the switch is forwarded to the packet processor ahead of lower priority traffic.
MAC pause
    A notification to a downstream port to temporarily stop sending packets to this port.
Media Access Control (MAC)
    An advanced processing chip capable, in the Flex-Edge context, of applying packet classification and bandwidth control to ingressing packets, as well as sending a MAC pause downstream for the congesting port.
priority queuing
    The ability to queue packets based upon traffic classification to assure that higher priority traffic is serviced by the port ahead of lower priority traffic.
QoS
    Quality-of-Service.
VoIP
    Voice-over-IP.

Revision History
Date                Description
December 02, 2010   New Document.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

© 2010 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, ENTERASYS SECURESTACK and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring Link Aggregation


This document describes the link aggregation feature and its configuration on Enterasys Matrix N-Series, S-Series, stackable and standalone switch devices.
Note: See the Enterasys Matrix X Router Configuration Guide for X Router link aggregation configuration information.

For information about...                              Refer to page...
What is Link Aggregation                              1
Why Would I Use Link Aggregation in My Network        2
How Can I Implement Link Aggregation                  2
Link Aggregation Overview                             3
Configuring Link Aggregation                          10
Link Aggregation Configuration Example                12
Terms and Definitions                                 21

What is Link Aggregation


IEEE 802.3ad link aggregation provides a standardized means of grouping multiple parallel Ethernet interfaces into a single logical Layer 2 link. The formed group of Ethernet interfaces is referred to as a Link Aggregation Group (LAG). Dynamic LAG formation and activation is provided by the Link Aggregation Control Protocol (LACP).

Each pair of LAG physical ports is made up of a local port on the device responsible for LACP negotiation, referred to as the actor, and its directly linked remote port on the device participating in the LACP negotiation, referred to as the partner. LAGs form automatically based upon a set of criteria (see How a LAG Forms on page 3).

Only LAG members in the attached state carry user traffic. Once the LAG is formed, the system ID, made up of a system priority and the device MAC address, determines which device will be in charge of choosing the LAG port members that will be moved to the attached state. While port speed is not a criteria for joining a LAG, the port speed must match for all ports that are placed in the LACP attached state. Aggregatable ports not selected to carry traffic for this LAG are available to the next LAG as long as LAG resources are not depleted. Should LAG resources become depleted, aggregatable ports are placed in LACP standby state.

802.3ad LACP aggregations can be run between combinations of switches, routers, and edge devices, such as a server, that support LACP.
Note: Earlier (proprietary) implementations of port aggregation referred to groups of aggregated ports as trunks.

December 02, 2010

Page 1 of 23

Why Would I Use Link Aggregation in My Network

Why Would I Use Link Aggregation in My Network


The concept of grouping multiple ports into a single link is not a new idea. Cabletron's SmartTrunk, Cisco's Inter-Switch Link trunking, and Adaptec's Duralink are previous examples. The problem with these older methods, from the network administrator's point of view, is that they are proprietary. Administrators who wanted to implement faster logical links faced major problems if they also wanted, or needed, to use a different brand of networking hardware. Link aggregation is standards-based, allowing for interoperability between multiple vendors in the network.

Older implementations required manual configuration. With LACP, if a set of links can aggregate, they will aggregate. LACP's ability to automatically aggregate links represents a time saver for the network administrator who will not be required to manually configure the aggregates. However, manual overrides are provided for when the administrator needs to customize. Link aggregation also provides for rapid configuration and reconfiguration when there are changes in the physical connections. Link aggregation will automatically and quickly converge the new configuration. This convergence typically occurs in one second or less.

Link aggregation is a cost-effective way to implement increased bandwidth. A major benefit of link aggregation is the ability to incrementally add bandwidth in a linear fashion. Without link aggregation, if there is a need to increase the bandwidth for a 100 Mbps pipe, the only choice is an exponential upgrade to a 1000 Mbps pipe. If there is a need for a 300 Mbps pipe, aggregating three 100 Mbps ports is both less expensive, because a forklift hardware upgrade is avoided, and makes for more efficient use of the system ports that are already available.

The physical links within the aggregate can serve as redundant backups to one another. Since only a single MAC address representing the entire aggregate is presented to the MAC client, the failure of any link within the aggregate is transparent. Failover is handled within the link aggregation sublayer.

How Can I Implement Link Aggregation


To implement link aggregation:
• Enable LACP on the network device
• Optionally set a non-default system priority for the device
• Optionally change the administratively assigned key for each port on the device
• Optionally enable single port LAGs on the device
• Enable LACP port state on S-Series, B5, and C5 platforms
• Optionally change LAG parameters on each port
• Optionally change how flows will behave when changes take place to the LAG
• Optionally change the load balancing behavior for flows over the LAG
• Optionally assign static ports to a LAG when the partner device only supports a non-LACP method of aggregation

Link Aggregation Overview


This section provides an overview of link aggregation configuration.

LACP Operation
In order to allow LACP to determine whether a set of links connect to the same device, and to determine whether those links are compatible from the point of view of aggregation, it is necessary to be able to establish:
• A globally unique identifier for each device that participates in link aggregation.
• A means of identifying the set of capabilities associated with each port and with each aggregator, as understood by a given device.
• A means of identifying a LAG and its associated aggregator.

For each aggregatable port in the device, LACP:
• Maintains configuration information (reflecting the inherent properties of the individual links as well as those established by network administration) to control aggregation.
• Exchanges configuration information with other devices to allocate the link to a LAG.

Note: A given link is allocated to, at most, one LAG at a time. The allocation mechanism attempts to maximize aggregation, subject to management controls.

• Attaches the port to the aggregator used by the LAG, and detaches the port from the aggregator when it is no longer used by the LAG.
• Uses information from the partner device's link aggregation control entity to decide whether to aggregate ports.

The operation of LACP involves the following activities:
• Checking that candidate links can actually be aggregated.
• Controlling the addition of a link to a LAG and the creation of the group if necessary.
• Monitoring the status of aggregated links to ensure that the aggregation is still valid.
• Removing a link from a LAG if its membership is no longer valid, and removing the group if it no longer has any member links.

How a LAG Forms


LAGs form automatically with LACP enabled on the device. There are four criteria for forming a LAG. Both actor and partner ports must:
1. Operate in full duplex mode.
2. Have matching local LAG and physical port admin keys for the device controlling LAG formation.
3. Operate in parallel in that a LAG can have only two devices associated with it.
4. Consist of two or more physical actor-to-partner port pairings unless the single port LAG feature is enabled.

Figure 1 displays a LAG formation example containing three devices with five 100 Mbps ports and three 1 Gb ports configured. For this example, all ports are operating in full duplex mode, and the admin key for all LAG ports has been set to 100. Device A is the actor and therefore determines which ports will join a LAG. Devices B and C are the partners.

In our example two LAGs have formed because the actor ports are shared between two partner devices. Attempting to form a single LAG using all the actor ports would have broken the rule that actor and partner ports must operate in parallel.

Figure 1 LAG Formation
(Figure 1 contents, rendered as port tables)

Device A (ACTOR)
  Port  Speed  Admin Key  Connects to
  1     100M   100        Device B port 1  (LAG 1)
  2     100M   100        Device B port 2  (LAG 1)
  3     100M   200        Device B port 3
  4     100M   100        Device C port 4  (LAG 2)
  5     100M   100        Device C port 5  (LAG 2)
  6     1Gb    100        Device C port 6  (LAG 2)
  7     1Gb    300        Device C port 7
  8     1Gb    400        Device C port 8

Device B (PARTNER): ports 1-3, all 100M, admin key 100
Device C (PARTNER): ports 1-5 100M, ports 6-8 1Gb, admin key 100 on all ports
Actor ports 1-3 on device A directly connect to partner ports 1-3 on device B:
• We have already stated that all ports are operating in full duplex mode, so rule 1 is satisfied for all three ports.
• Investigating the port admin keys, we see that ports 1 and 2 on device A are set to 100 (the same setting as all LAG ports on the device), while port 3 on device A is set to 200. Because the port admin keys are the same for both the LAG port and these physical ports, ports 1 and 2 satisfy rule 2. Because the admin key for physical port 3 is different from any possible LAG for this device, port 3 cannot be part of any LAG.

• Because ports 1 and 2 for both the actor and partner operate in parallel with each other, rule 3 is satisfied for these ports.
• Rule 4 is satisfied, regardless of whether single port LAGs are enabled, because there are two aggregatable port pairings between devices A and B.

For these reasons, LAG 1 (lag.0.1) is formed using actor and partner ports 1 and 2.

Actor ports 4-8 on device A directly connect to partner ports 4-8 on device C:
• Because all ports are operating in full duplex mode, rule one is satisfied for all five ports.
• Investigating port admin keys, we see that ports 4-6 on device A are set to 100 (the same setting as all LAG ports on the device), while ports 7 and 8 on device A are set to 300 and 400, respectively. Because port admin keys for all LAGs and the physical ports 4-6 are the same, physical ports 4-6 satisfy rule 2. Because the admin key settings for physical ports 7 and 8 do not agree with any LAG admin key setting on the device, ports 7 and 8 cannot be part of any LAG.
• Because ports 4-6 for both the actor and partner operate in parallel with each other, rule 3 is satisfied for these ports.
• Rule 4 is satisfied, regardless of whether single port LAG is enabled, because there are three aggregatable port pairings between devices A and C.

For these reasons, LAG 2 is formed using actor and partner ports 4-6.
Note: Port speed is not a consideration in the forming phase for LAGs. LAG 2 contains 100Mbps and 1Gb port members.

Attached Ports
Once a LAG is formed, two steps must take place before traffic can pass over the LAG:
• The device that will choose which ports to move to the attached state must be identified
• The process of moving the chosen ports to the LACP attached state must take place

A system ID, made up of the device MAC address and the system priority, is associated with each device. The device with the lower system priority is in charge of selecting the LAG members to move to the attached state. If a system priority tie occurs, the system with the lower MAC address value breaks the tie.

Only LAG members with the same port speed can be moved to the attached state. In a case where multiple speeds are present in a LAG, the LAG member with the lowest port priority on the device in charge, as well as all other members with the same port speed as the member with the lowest port priority, are selected and moved to the attached state. Using LAG 2 in Figure 1 on page 4 as an example, if the LAG 2 member port priorities are set as shown in Table 1 on page 5, ports 4 and 5 are moved to the attached state.

Table 1 LAG 2 Port Priority Assignments

  Port Number  Port Speed  Port Priority
  4            100Mbps     200
  5            100Mbps     300
  6            1Gb         300

December 02, 2010

Page 5 of 23

Link Aggregation Overview

This is true because port 4 has the lowest priority of the three ports currently in the LAG, and port 5 has the same speed as the port with the lowest priority in the LAG, regardless of its priority. Because port 6 has both a different speed and a higher priority than the port with the lowest priority in the LAG, it is not moved to the attached state.

If LAG members with different port speeds should tie for the lowest port priority, the LAG member with the lowest port number breaks the tie. In our example, should all three ports have the same port priority, ports 4 and 5 would still be the ports moved to the attached state because port 4 has the lowest port number and port 5 has the same port speed as port 4.

If in our example you wanted the reverse outcome of port 6 moved to the attached state instead of ports 4 and 5, setting port 6 to a lower priority than ports 4 and 5, as well as enabling the single port LAG feature on this device, would accomplish that goal.

Aggregatable ports not moved to the attached state are made available to form another LAG, providing a LAG resource is available for this system. Port 6 in Figure 1 on page 4 was not moved to the attached state. The only criterion port 6 does not meet to form its own LAG is rule 4: being a single aggregatable port. The single port LAG feature must be enabled for port 6 to form a LAG. If single port LAG is enabled on this system, port 6 would form and attach to LAG 3. Figure 2 illustrates the three LAGs described in this example.

Figure 2 LAGs Moved to Attached State
[Figure: devices A, B and C. Device A (actor) ports 1-3 connect to device B (partner) ports 1-3: ports 1 and 2 (100M, admin key 100) form LAG 1, while port 3 (admin key 200) does not aggregate. Device A ports 4-8 connect to device C ports 4-8: ports 4 and 5 (100M, admin key 100) form LAG 2, port 6 (1Gb, admin key 100) forms LAG 3, and ports 7 and 8 (1Gb, admin keys 300 and 400) do not aggregate.]


Should an aggregatable port be available with all LAG resources depleted for this system, the port is placed in LACP standby state. Ports in standby state do not forward traffic. If all ports initially moved to the attached state for a given LAG become unavailable, a LAG resource will then be available. LACP will initiate a new selection process using the ports in standby state, using the same rules as the initial process of forming LAGs and moving ports to the attached state.

Single Port Attached State Rules


By default, a LAG must contain two or more actor and partner port pairs for the LAG to be initiated by this device. A feature exists to allow the creation of a single port LAG; it is disabled by default. If single port LAG is enabled, a single port LAG can be created on this device. If single port LAG is disabled, a single port LAG will not be initiated by this device. If a peer device is able to form a single port LAG and advertises its willingness to do so, a single port LAG can form.

There are three conditions under which a single port LAG can exist and the LAG member can be moved to the attached state:
• The single port LAG feature is enabled.
or,
• The single port LAG feature is disabled, but the peer device is able and willing to form a single port LAG.
or,
• An already existing LAG configuration persists through a device or module reset. If upon reset there is only a single port active for an already existing LAG, that single port will move to the attached state regardless of the single port LAG setting.
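The selection rules above (admin key match, lowest system priority with MAC tie-break, lowest port priority with port number tie-break, same-speed members only, the two-port minimum unless single port LAG is enabled, and standby when LAG resources run out) are easy to get wrong when planning a mixed-speed LAG. The following model is an added example, not Enterasys firmware; the `Port` class, the `device_in_charge`, `select_attached` and `assign_lags` functions and the `unattached` label are all assumptions made for the model, and it covers only the local single port LAG setting, not a peer's advertised willingness. It replays device A's ports 4-8 from Figure 1 and Table 1.

```python
"""Model of the LAG forming and attached-state rules described in this guide.

Illustrative code added to this page; it is not Enterasys firmware. It models
rule 2 (admin key match), rule 4 (two-port minimum unless single port LAG is
enabled), the system priority tie-break, and the port priority / port speed
selection of the members moved to the attached state.
"""
from dataclasses import dataclass

DEFAULT_PORT_PRIORITY = 32768  # guide default; a lower value means higher priority


@dataclass(frozen=True)
class Port:
    number: int
    speed: str                 # "100M" or "1G" as used in the guide's figures
    admin_key: int
    priority: int = DEFAULT_PORT_PRIORITY


def device_in_charge(actor, partner):
    """Decide which system selects the ports to move to the attached state.

    Each argument is (system_priority, mac_address). The lower system priority
    wins; on a tie the lower MAC address value breaks it.
    """
    (a_pri, a_mac), (p_pri, p_mac) = actor, partner
    if a_pri != p_pri:
        return "actor" if a_pri < p_pri else "partner"
    a_val = int(a_mac.replace(":", ""), 16)
    p_val = int(p_mac.replace(":", ""), 16)
    return "actor" if a_val < p_val else "partner"


def aggregatable_ports(ports, lag_admin_keys):
    """Rule 2: a physical port may aggregate only if its admin key matches a LAG admin key."""
    return [p for p in ports if p.admin_key in lag_admin_keys]


def select_attached(members, single_port_lag=False):
    """Attached-state selection for the members of one LAG.

    The member with the lowest port priority (lowest port number on a tie) is
    the reference; every member with the same speed as the reference moves to
    the attached state. A lone port attaches only when single port LAG is
    enabled (rule 4). Returns the attached port numbers in ascending order.
    """
    if not members:
        return []
    ref = min(members, key=lambda p: (p.priority, p.number))
    chosen = sorted(p.number for p in members if p.speed == ref.speed)
    if len(chosen) < 2 and not single_port_lag:
        return []
    return chosen


def assign_lags(ports, lag_admin_keys, lag_resources, single_port_lag=False):
    """Run the selection repeatedly, consuming one LAG resource per attached group.

    Aggregatable ports left over once the LAG resources are exhausted go to
    standby, as the guide describes. Ports that cannot attach because they lack
    a second member are reported as 'unattached' (that label is an assumption;
    the guide does not name the state).
    """
    remaining = aggregatable_ports(ports, lag_admin_keys)
    lags, standby, unattached = [], [], []
    while remaining:
        if len(lags) >= lag_resources:
            standby.extend(sorted(p.number for p in remaining))
            break
        attached = select_attached(remaining, single_port_lag)
        if not attached:
            unattached.extend(sorted(p.number for p in remaining))
            break
        lags.append(attached)
        remaining = [p for p in remaining if p.number not in attached]
    return {"lags": lags, "standby": standby, "unattached": unattached}


# Constructed sample: device A's ports 4-8 from the guide's Figure 1 / Table 1.
DEVICE_A_PORTS = [
    Port(4, "100M", 100, 200),
    Port(5, "100M", 100, 300),
    Port(6, "1G", 100, 300),
    Port(7, "1G", 300),   # admin key 300 matches no LAG: never aggregates
    Port(8, "1G", 400),   # admin key 400 matches no LAG: never aggregates
]

if __name__ == "__main__":
    # Ports 4 and 5 attach; port 6 needs single port LAG enabled to form LAG 3.
    print(assign_lags(DEVICE_A_PORTS, {100}, lag_resources=2))
    print(assign_lags(DEVICE_A_PORTS, {100}, lag_resources=2, single_port_lag=True))
```

Feeding your own port plan through `assign_lags` before deployment shows which ports would land in standby or stay unattached, which is the condition a mis-keyed or mixed-speed LAG silently produces.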

LAG Port Parameters


LAG port parameters can be changed per port. Table 2 specifies the LACP port parameters that can be changed.

Table 2 LAG Port Parameters

Term: Port Admin Key
Definition: The port admin key can be set for both the actor and partner side of the link. The admin key only affects the local device. LACP uses this value to determine which underlying physical ports are capable of aggregating. Aggregator ports allow only underlying ports with physical port and LAG admin keys that match to join a LAG. Setting the physical port admin key to a different value than any LAG resource on the device will ensure that this link does not join a LAG. Valid values are 1 - 65535. Default value is 32768.

Term: Port Priority
Definition: Port priority can be set for both the actor and partner side of the link. The port priority plays a role in determining which set of ports will move to the attached state and pass traffic. The lower port priority, for the port on the system in charge of selecting ports to move to the attached state, determines which ports will actually move to the attached state. If a LAG is made up of ports with different speeds, setting a lower port priority to ports with the desired speed for the LAG will ensure that those ports move to the attached state. Port priority is also used to determine which ports join a LAG if the number of ports available exceeds the number of ports supported for that device. Valid values are 0 - 65535, with lower values designating higher priority. Default value is 32768.


Table 2 LAG Port Parameters (continued)

Term: Administrative State
Definition: A number of port level administrative states can be set for both the actor and partner ports. The following port administrative states are set by default:
• lacpactive - Transmitting LACP PDUs is enabled.
• lacptimeout - Transmitting LACP PDUs every 30 seconds. If this state is disabled, LACP PDUs are transmitted every 1 second. Note that the actor and partner LACP timeout values must agree.
• lacpagg - Aggregation on this port is enabled.
• lacpsync - Transition to synchronization state is allowed.
• lacpcollect - Transition to collection state is allowed.
• lacpdist - Transition to distribution state is allowed.
• lacpdef - Transition to defaulted state is allowed.
• lacpexpire - Transition to expired state is allowed.
It is recommended that these default states not be changed unless you know what you are doing. Contact Enterasys customer support should you need assistance modifying port level administrative states.

Term: Partner Default System ID
Definition: A default partner system ID can be set. This is a default MAC address for the system partner.

Term: LACP PDU processing
Definition: (Optional) LACP PDU processing can be enabled or disabled for this port.

Flow Regeneration
Note: The flow regeneration feature is supported on the N-Series and S-Series platforms only.

Flow regeneration determines how flows will behave when a new port joins a link aggregation. When enabled, LACP will redistribute all existing flows over the LAG, taking into account the new port(s) that joined the LAG. It will also attempt to load balance existing flows to take advantage of the new port that has joined the LAG. When flow regeneration is disabled and a new port joins the LAG, the distribution of current flows remains unchanged and does not take advantage of the new port. All new flows will take into account the new port on the LAG. Flow regeneration is disabled by default.

The Out-Port Algorithm


Note: The out-port algorithm feature is supported on the N-Series and S-Series platforms only.

The out-port algorithm determines the criteria to be used for data forwarding port selection. There are three algorithm criteria to choose from:


• Destination IP address and Source IP address (dip-sip). This is the most finely tuned criterion in that a port will be assigned based upon a specific IP address combination for the flow. All flows for this IP address combination transit the assigned physical port.
• Destination MAC address and Source MAC address (da-sa). This criterion is less finely tuned in that a port will be assigned based upon the MAC address combination for the flow. All flows for this MAC address combination transit the assigned port.
• Simple round robin (round-robin). This is the least finely tuned criterion in that a port is assigned based upon the next port in a round robin sequence with no consideration to the source or destination of the flow.


Note: The round robin out-port algorithm should not be assigned if fragmented frames exist in the network. Use of round robin can result in the fragments being sent out different ports, causing out of order packets.
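The difference between the three criteria, and the reason the note above warns about fragments, can be seen in a small model. This is an added example, not Enterasys code: the hash the switch actually applies is not documented here, so a CRC32 over the selected header fields stands in for it, and the `OutPortSelector` class, `ports_used` helper and the sample frames are all constructed for the illustration.

```python
"""Illustrative model of the three out-port algorithms named in this guide.

Added example, not Enterasys code: the switch's real hash function is not
documented here, so a CRC32 over the selected header fields stands in for it.
The model shows which traffic stays on one physical port under each criterion
and why round robin can split the fragments of a single datagram.
"""
from itertools import count
import zlib

ALGORITHMS = ("dip-sip", "da-sa", "round-robin")


def _stable_hash(*fields):
    """Deterministic hash over the chosen header fields (assumed stand-in)."""
    return zlib.crc32("|".join(fields).encode("ascii"))


class OutPortSelector:
    """Selects the LAG member port that forwards a frame."""

    def __init__(self, members, algorithm="dip-sip"):
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unknown out-port algorithm: {algorithm}")
        self.members = list(members)
        self.algorithm = algorithm
        self._next = count()  # round robin position

    def select(self, frame):
        """frame is a dict with src_mac, dst_mac, src_ip and dst_ip fields."""
        if self.algorithm == "dip-sip":
            key = _stable_hash(frame["dst_ip"], frame["src_ip"])
        elif self.algorithm == "da-sa":
            key = _stable_hash(frame["dst_mac"], frame["src_mac"])
        else:
            key = next(self._next)  # ignores addresses entirely
        return self.members[key % len(self.members)]


def ports_used(members, algorithm, frames):
    """Distinct member ports that a sequence of frames is spread across."""
    selector = OutPortSelector(members, algorithm)
    return sorted({selector.select(f) for f in frames})


MEMBERS = ["ge.1.1", "ge.2.1", "ge.3.1", "ge.4.1"]

# Constructed sample: two IP fragments of one datagram, identical addresses.
FRAGMENTS = [
    {"src_mac": "00:11:22:33:44:01", "dst_mac": "00:11:22:33:44:02",
     "src_ip": "10.0.0.10", "dst_ip": "10.0.1.20"},
    {"src_mac": "00:11:22:33:44:01", "dst_mac": "00:11:22:33:44:02",
     "src_ip": "10.0.0.10", "dst_ip": "10.0.1.20"},
]

if __name__ == "__main__":
    for alg in ALGORITHMS:
        # dip-sip and da-sa keep both fragments on one port; round-robin does not.
        print(alg, ports_used(MEMBERS, alg, FRAGMENTS))
```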

Static Port Assignment


Static port assignment allows you to assign ports to a LAG when the partner device does not support LACP, but does support another proprietary form of link aggregation. To assign a static port, specify the LAG port ID, the admin key value for this LAG, and the ports to be assigned. If you do not specify an admin key value, a key will be assigned according to the specified aggregator. For example, a key of 4 would be assigned to lag.0.4.

Platform LAG and Physical Port Support


The number of LAGs and the number of ports per LAG supported are platform specific. The number of LAGs supported is on a system basis. See Table 3 for a listing of the number of LAGs and the number of ports per LAG supported for your platform.

Table 3 Enterasys Platform LAG Support

Enterasys Platform                  Number of LAGs Supported    Number of Ports in a LAG
S-Series Modules                    127                         No Limitation
N-Series DFE Diamond Modules        62                          No Limitation
N-Series DFE Platinum Modules       62                          No Limitation
N-Series DFE Gold Modules           4                           4
N Standalone (NSA)                  48                          No Limitation
Stackable switch (all platforms)    6                           8
Standalone switch platforms         6                           8

Note: For stackable platforms, the number of LAGs supported is per stack. A stack of stackable switches operates as a single logical device.

Configuring Link Aggregation


This section provides details for the configuration of link aggregation on the N-Series, S-Series, stackable, and standalone switch products. Table 4 lists link aggregation parameters and their default values.

Table 4 Default Link Aggregation Parameters

Parameter: LACP State
Description: Current state of LACP on the device.
Default Value: Enabled

Parameter: System Priority
Description: LACP system priority for this device.
Default Value: 32768

Parameter: Port Key
Description: The Port Administrative Key (also referred to as operational key).
Default Value: 32768

Parameter: Port Priority
Description: Determines which ports move to the attached state when ports of different speeds form a LAG. Also determines which ports join a LAG if the ports available exceed the number of ports supported by the device.
Default Value: 32768

Parameter: Single Port State
Description: Allows or disallows a LAG to be created with a single port.
Default Value: Disabled (disallows creation of a single port LAG)

Parameter: LACP Port Active State
Description: Port state providing for transmission of LACP PDUs.
Default Value: N-Series, B2, B3, C2, C3: Enabled; S-Series, B5, C5: Disabled

Parameter: LACP Port Timeout State
Description: Port state determining the frequency of LACP PDU transmission and the period before declaring the partner LACP port down if no response is received.
Default Value: 30 seconds: frequency of LACP PDU transmission; 90 seconds: period before declaring the partner port down

Procedure 1 describes how to configure link aggregation.

Note: In Procedure 1, Step 6, setting flow regeneration, and Step 7, setting the output algorithm, are only supported on the N-Series and S-Series products. All other steps are supported by the N-Series, S-Series, stackable, and standalone switch products.

Procedure 1 Configuring Link Aggregation

Step 1.
  Task: In switch command mode, enable LACP on the device. LACP state is enabled by default for all devices.
  Command(s): set lacp {disable | enable}

Step 2.
  Task: Optionally, change the system priority for the device.
  Command(s): set lacp asyspri value

Step 3.
  Task: Optionally, change the administratively assigned key for each aggregation on the device.
  Command(s): set lacp aadminkey port-string value

Step 4.
  Task: Optionally, enable single port LAGs on the device.
  Command(s): set lacp singleportlag {enable | disable}

Procedure 1 Configuring Link Aggregation (continued)

Step 5.
  Task: Optionally, modify the LAG port parameters. See Table 2 on page 7 for a description of port parameters. See Table 4 on page 10 for the LACP port active state for your platform.
  Command(s): set port lacp port port-string { [aadminkey aadminkey] [aportpri aportpri] [padminsyspri padminsyspri] [padminsysid padminsysid] [padminkey padminkey] [padminportpri padminportpri] [padminport padminport] [aadminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}] [padminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}] [enable | disable] }

Step 6.
  Task: Optionally, change how flows behave when a port joins or is removed from a LAG.
  Command(s): set lacp flowRegeneration {enable | disable}

Step 7.
  Task: Optionally, change the out-port behavior for flows over the LAG.
  Command(s): set lacp outportAlgorithm {dip-sip | da-sa | round-robin}

Step 8.
  Task: Optionally, assign static ports to a LAG when the partner device only supports a non-LACP method of aggregation.
  Command(s): set lacp static lagportstring [key] port-string

Table 5 describes how to manage link aggregation.

Table 5 Managing Link Aggregation

Task: Reset LACP to the default state of enabled.
Command: clear lacp state

Task: Reset LACP system priority or admin key settings to the default values.
Command: clear lacp {[asyspri] [aadminkey port-string]}

Task: Remove specific static ports from an aggregation.
Command: clear lacp static lagportstring port-string

Task: Reset the single port LAG feature to the default value of disabled.
Command: clear lacp singleportlag

Task: Reset a link aggregation port setting to the default value for one or more ports. See Table 2 on page 7 for a description of port parameters.
Command: clear port lacp port port-string { [aadminkey] [aportpri] [padminsyspri] [padminsysid] [padminkey] [padminportpri] [padminport] [aadminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all}] [padminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all}] }

Table 5 Managing Link Aggregation (continued)

Task: Reset the LACP flow regeneration setting to its default value of disabled.
Command: clear lacp flowRegeneration

Task: Reset the LACP out-port algorithm setting to its default value of dip-sip.
Command: clear lacp outportAlgorithm

Table 6 describes how to display link aggregation information and statistics.

Table 6 Displaying Link Aggregation Information and Statistics

Task: Display the global LACP enable state, or display information about one or more aggregator ports.
Command: show lacp [state | port-string]

Task: Display the status of the single port LAG function.
Command: show lacp singleportlag

Task: Display link aggregation information for one or more underlying physical ports.
Command: show port lacp port port-string {[status {detail | summary}] | [counters]} [sort {port | lag}]

Task: On N-Series and S-Series devices, display the LACP flow regeneration state.
Command: show lacp flowRegeneration

Task: On N-Series and S-Series devices, display the currently configured out-port algorithm.
Command: show lacp outportAlgorithm

Link Aggregation Configuration Example


This section presents two configuration examples:
• An example of link aggregations between multiple devices
• An example of link aggregation when a LAG contains physical ports with different speeds

Link Aggregation Configuration Example 1


This example provides a link aggregation configuration that includes an S3 edge switch, an S8 distribution switch, and two C3 stackable switches that will aggregate both end users at the edge and the data from a local server. See Figure 3 on page 14 for an illustration of this example, including port, key, and system priority assignments.

Three LAGs are created for the example:
• LAG 1 provides an uplink aggregate of four 1Gb ports for the S3 connected edge devices to the S8 distribution switch.
• LAG 2 provides an uplink aggregate of four 1Gb ports for the C3 stackable switches to the S8 distribution switch for both the end user and server data flows.
• LAG 3 provides an aggregate of four 1Gb ports between the C3 stackable switches and the server.

Each LAG consists of four ports. The primary goal of the aggregates in this example is to provide link and slot redundancy for the affected data streams. With that in mind, LAG members are spread between available system slots. Four out of the five available S8 slots are used, providing complete redundancy at the S8. All three slots are used in the S3. The four ports from the server to the C3 stackable switches and from the C3 stackable switches to the S8 are evenly split between the two stackable switches.

For this example we will manually configure the LAGs that will form and prevent any other LAGs from forming. Because we have specific port-to-LAG goals in mind, the first thing we want to do on each device is to ensure that LAGs form only where we configure them. Since the admin key for the LAG and its associated ports must agree for the LAG to form, an easy way to ensure that LAGs do not automatically form is to set the admin key for all LAGs on all devices to a nondefault value. The physical ports will initially retain admin key defaults. In our example, the admin keys for all LAGs are set to the highest configurable value of 65535.


Figure 3 Example 1 Multiple Device Configuration

[Figure: the S8 distribution switch connects to the S3 edge switch over LAG 1 (admin key 100; S8 ports ge.1.1, ge.2.1, ge.3.1, ge.4.1 to S3 ports ge.1.1, ge.1.2, ge.2.1, ge.3.1) and to the stackable switches over LAG 2 (admin key 200; S8 ports ge.1.2, ge.2.2, ge.3.2, ge.4.2 to stackable ports ge.1.1, ge.1.2, ge.2.1, ge.2.2). The stackable switches connect to the server over LAG 3 (admin key 300; stackable ports fe.1.1, fe.1.2, fe.2.1, fe.2.2 to server NIC1-NIC4). End users attach to the S3 and to the stackable switches. System priorities: S8 32768, S3 100, stackable 100, server > 100.]

Both physical port and LAG admin keys will be set as shown in Table 7 to ensure that the LAGs form only for the desired ports.


Table 7 LAG and Physical Port Admin Key Assignments

Device                    LAG    LAG Admin Key    Physical Port                           Physical Port Admin Key
S8 Distribution Switch    1      100              ge.1.1, ge.2.1, ge.3.1, ge.4.1          100
S8 Distribution Switch    2      200              ge.1.2, ge.2.2, ge.3.2, ge.4.2          200
S3 Edge Switch            1      100              ge.1.1, ge.1.2, ge.2.1, ge.3.1          100
C3 Stackable Switch       2      200              ge.1.1, ge.1.2, ge.2.1, ge.2.2          200
C3 Stackable Switch       3      300              ge.1.3, ge.1.4, ge.2.3, ge.2.4          300
Server                    3      300              NIC1 ETH, NIC2 ETH, NIC3 ETH, NIC4 ETH  300

Which device determines port selection for the LAG is an optional consideration. If system priorities remain at the default value, the lowest MAC address device determines port selection for the LAG. For purposes of this example, we will set the system priority of the S3 to 100 to ensure it will control port selection for LAG 1, instead of the S8. The C3 stackable switch system priority will be set to 100 to ensure it will control port selection for LAG 2, instead of the S8. For the stackable switch to control port selection for LAG 3, you must ensure that the server has a system priority higher than 100.

Each LAG in our example is made up of physical ports of the same speed, so there is no need to set the port priority to a nondefault value. The only port value to be changed is the admin key for each physical port and each LAG. These modifications are detailed in Table 7 on page 15.


Given that the intent of the example is to have three LAGs of 4 ports each, there is no need to enable the single port LAG feature. Once the LAGs initiate, they will persist across resets. Should only a single port be active after a reset, the LAG will form regardless of the single port LAG feature setting.

Flow regeneration is enabled for the S8 and S3 in our example. This setting will ensure that should a LAG port become disabled and then become active again, LACP will redistribute existing flows over all the ports in the new LAG. The stackable switch does not support flow regeneration.

The output algorithm defaults to selecting the output port based upon the destination and source IP address. This setting will not be changed in our example. In any case, note that the stackable switch does not support the output algorithm feature.

Configuring the S8 Distribution Switch


The first thing we want to do is set the admin key for all LAGs to the nondefault value of 65535 so that no LAGs will automatically form:
S8(rw)->set lacp aadminkey lag.0.* 65535

LAGs 1 and 2 will form on the S8, so we need to set the admin keys for these LAGs:
S8(rw)->set lacp aadminkey lag.0.1 100
S8(rw)->set lacp aadminkey lag.0.2 200

LACP port state is disabled by default on the S8, so we will enable LACP port state here. We next want to set the admin keys and port enable LACP for the S8 physical ports:
S8(rw)->set port lacp port ge.1.1 aadminkey 100 enable
S8(rw)->set port lacp port ge.2.1 aadminkey 100 enable
S8(rw)->set port lacp port ge.3.1 aadminkey 100 enable
S8(rw)->set port lacp port ge.4.1 aadminkey 100 enable
S8(rw)->set port lacp port ge.1.2 aadminkey 200 enable
S8(rw)->set port lacp port ge.2.2 aadminkey 200 enable
S8(rw)->set port lacp port ge.3.2 aadminkey 200 enable
S8(rw)->set port lacp port ge.4.2 aadminkey 200 enable

Because we want the S3 and the C3 stackable to be in charge of port selection, the system priority for the S8 will be left at the default value of 32768. We next enable flow regeneration on the S8:
S8(rw)->set lacp flowRegeneration enable

Configuring the S3 Edge Switch


The first thing we want to do is set the admin key for all LAGs to the nondefault value of 65535 so that no LAGs will automatically form:
S3(rw)->set lacp aadminkey lag.0.* 65535

LAG 1 will form on the S3, so we need to set the admin key for this LAG:
S3(rw)->set lacp aadminkey lag.0.1 100

LACP port state is disabled by default on the S3, so we will enable LACP port state here. We next want to set the admin keys and port enable LACP for the S3 physical ports:
S3(rw)->set port lacp port ge.1.1 aadminkey 100 enable
S3(rw)->set port lacp port ge.1.2 aadminkey 100 enable
S3(rw)->set port lacp port ge.2.1 aadminkey 100 enable
S3(rw)->set port lacp port ge.3.1 aadminkey 100 enable


Next we want to change the system priority for the S3 so that it will be in charge of port selection on LAG 1:
S3(rw)->set lacp asyspri 100

We next enable flow regeneration on the S3:
System(rw)->set lacp flowRegeneration enable

Configuring the C3 Stackable Switch


The first thing we want to do is set the admin key for all LAGs to the nondefault value of 65535 so that no LAGs will automatically form:
C3(rw)->set lacp aadminkey lag.0.* 65535

LAGs 2 and 3 will form on the stackable switch, so we need to set the admin keys for these LAGs:
C3(rw)->set lacp aadminkey lag.0.2 200
C3(rw)->set lacp aadminkey lag.0.3 300

LACP port state is enabled by default on the C3, so we do not have to enable LACP port state here. We next want to set the admin keys for the stackable switch physical ports:
C3(rw)->set port lacp port ge.1.1 aadminkey 200
C3(rw)->set port lacp port ge.1.2 aadminkey 200
C3(rw)->set port lacp port ge.2.1 aadminkey 200
C3(rw)->set port lacp port ge.2.2 aadminkey 200
C3(rw)->set port lacp port ge.1.3 aadminkey 300
C3(rw)->set port lacp port ge.1.4 aadminkey 300
C3(rw)->set port lacp port ge.2.3 aadminkey 300
C3(rw)->set port lacp port ge.2.4 aadminkey 300

Next we want to change the system priority for the stackable switch so that it will be in charge of port selection on LAGs 2 and 3:
C3(rw)->set lacp asyspri 100

Configuring the Server


Configuring link aggregation on the server is dependent upon the installed LACP application. There are three aspects of link aggregation on the server you must ensure for this example:
• The admin key for LAG 3 must be set to 300
• The admin keys for each NIC port must be set to 300
• The system priority for the server must be set greater than 100 to ensure that the stackable switch will control port selection

This completes the example 1 configuration.

Link Aggregation Configuration Example 2


It is unlikely that you will run out of LAG resources for most link aggregation configurations, but it is possible. See Table 3 on page 9 for a listing of LAG support for your system. Should you run out of LAG resources, excess aggregatable ports are placed in standby mode.

Making use of the port priority parameter, this example shows how you can ensure the order in which aggregatable ports form a LAG and are moved to the attached state. In configuration example 2, two uplink LAGs will be manually configured between an S3 chassis and an N3 chassis. The first LAG consists of two 1Gb ports. The second LAG consists of eight 100Mbps ports. In this example we will ensure that the two 1Gb port LAG forms before the eight 100Mbps port LAG.

See Figure 4 on page 19 for an illustration of this example, including port, key and port priority assignments.

The LAG configuration will ensure that the two 1Gb ports attach to the first available LAG (LAG 1). The eight 100Mbps ports will then attach to the second available LAG (LAG 2).

Which device determines port selection for the LAG is an optional consideration. For this example, system priorities are not modified, so the lowest MAC address device will determine port selection for the LAG.

There are two physical port speeds in our example, 100Mbps and 1Gb. A LAG only moves ports of the same speed to the attached state. Selecting the ports to move to the attached state is based upon the lowest port priority. If port priorities are the same, the lowest port number breaks the tie. For our example, we want to ensure that the 1Gb ports are moved to the attached state for LAG 1. Port priority for 1Gb ports is set to 100. Port priority for 100Mbps ports is left at the default value of 32768.

The admin key for each physical port and LAG in the example is set to 100. This ensures that LAGs will form for each set of ports.

For this example we will allow single port LAGs to form. The single port LAG feature will be set to enabled for both devices.

Flow regeneration is enabled for both devices in our example. This setting will ensure that should a LAG port drop out and then become active again, LACP will redistribute existing flows over all the ports in the new LAG.

The output algorithm defaults to selecting the output port based upon the destination and source IP address. This setting will not be changed in our example.


Figure 4 Example 2 Configuration

[Figure: the S3 upstream switch connects to the N3 edge switch, which serves end users. Upstream to edge ports: ge.1.1-4 (port priority 32768), ge.2.1-4 (port priority 32768), ge.2.1 (port priority 100), ge.3.1 (port priority 100); admin key 100 on all ports. Edge to upstream ports: fe.1.1-8 (port priority 32768), ge.2.1 (port priority 100), ge.3.1 (port priority 100); admin key 100 on all ports. LAG 1 (key 100) carries the attached 1Gb ports; LAG 2 (key 100) carries the attached 100Mbps ports.]


Configuring the N3 Edge Switch


For this example, we want LAGs to form wherever they can, so we will not change the default admin key setting for all LAGs as we did in the multiple device example. Because we want LAG 1 and LAG 2, as described for this example, to form for specific ports, we set the admin key for these LAGs to 100:
N3(rw)->set lacp aadminkey lag.0.1-2 100

LACP port state is enabled by default on the N3, so we do not have to enable LACP port state here. We next want to set the admin keys for the N3 edge physical ports associated with LAG 1 and LAG 2:

N3(rw)->set port lacp port ge.2.1 aadminkey 100
N3(rw)->set port lacp port ge.3.1 aadminkey 100
N3(rw)->set port lacp port fe.1.1 aadminkey 100
N3(rw)->set port lacp port fe.1.2 aadminkey 100
N3(rw)->set port lacp port fe.1.3 aadminkey 100
N3(rw)->set port lacp port fe.1.4 aadminkey 100
N3(rw)->set port lacp port fe.1.5 aadminkey 100
N3(rw)->set port lacp port fe.1.6 aadminkey 100
N3(rw)->set port lacp port fe.1.7 aadminkey 100
N3(rw)->set port lacp port fe.1.8 aadminkey 100

System priority determines which device will be in charge of port selection. This is an optional consideration. For this example we will leave system priority at the default value and allow the device with the lowest MAC address to determine port selection.

Port priority determines the order in which aggregatable ports available for a LAG are moved to the attached state. For this example we want to ensure that the two 1Gb ports move to the attached state for LAG 1 before the eight 100Mbps ports move to the attached state for LAG 2. We will set the port priority to 100 for the two 1Gb actor ports, should this device be in charge of selecting ports to move to the attached state:

N3(rw)->set port lacp port ge.2.1 aportpri 100
N3(rw)->set port lacp port ge.3.1 aportpri 100

We next enable single port LAGs on this device:
System(rw)->set lacp singleportlag enable

We next enable flow regeneration on the N3:
System(rw)->set lacp flowRegeneration enable

Configuring the S3 Upstream Switch


For this example, we want LAGs to form wherever they can, so we will not change the default admin key setting for all LAGs as we did in the multiple device example. Autonegotiation will set ports ge.1.1-4 and ge.2.1-4 to 100Mbps to match the remote N3 connected ports. Because we want LAG 1 and LAG 2, as described for this example, to form for specific ports, we set the admin key for these LAGs to 100:
System(rw)->set lacp aadminkey lag.0.1-2 100

LACP port state is disabled by default on the S3, so we will enable LACP port state here. We next want to set the admin keys and port enable LACP for the S3 physical ports associated with LAG 1:
S3(rw)->set port lacp port ge.2.1 aadminkey 100 enable
S3(rw)->set port lacp port ge.3.1 aadminkey 100 enable
S3(rw)->set port lacp port ge.1.1 aadminkey 100 enable
S3(rw)->set port lacp port ge.1.2 aadminkey 100 enable
S3(rw)->set port lacp port ge.1.3 aadminkey 100 enable
S3(rw)->set port lacp port ge.1.4 aadminkey 100 enable
S3(rw)->set port lacp port ge.2.1 aadminkey 100 enable
S3(rw)->set port lacp port ge.2.2 aadminkey 100 enable
S3(rw)->set port lacp port ge.2.3 aadminkey 100 enable
S3(rw)->set port lacp port ge.2.4 aadminkey 100 enable

System priority determines which device will be in charge of port selection. This is an optional consideration. For this example we will leave system priority at the default value and allow the device with the lowest MAC address to determine port selection.

Port priority determines the order in which aggregatable ports available for a LAG are moved to the attached state. For this example we want to ensure that the two 1Gb ports move to the attached state for LAG 1 before the eight 100Mbps ports move to the attached state for LAG 2. We will set the port priority to 100 for the two 1Gb actor ports, should this device be in charge of selecting ports to move to the attached state:

S3(rw)->set port lacp port ge.2.1 aportpri 100
S3(rw)->set port lacp port ge.3.1 aportpri 100

We next enable single port LAGs on this device:
S3(rw)->set lacp singleportlag enable

We next enable flow regeneration on the S3:
S3(rw)->set lacp flowRegeneration enable

This completes the example 2 configuration.

Terms and Definitions


Table 8 lists terms and definitions used in this link aggregation configuration discussion.

Table 8 Link Aggregation Configuration Terms and Definitions

Term: Aggregator
Definition: Virtual port that controls link aggregation for underlying physical ports. Each device provides aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.x (depending upon the device; see Table 3 on page 9 for LAG resources available on your device).

Term: LAG
Definition: Link Aggregation Group. Once underlying physical ports (i.e., fe.x.x or ge.x.x) are associated with an aggregator port, the resulting aggregation will be represented as one LAG with a lag.x.x port designation.

Term: LACPDU
Definition: Link Aggregation Control Protocol Data Unit. The protocol exchanges aggregation state/mode information by way of a port's actor and partner operational states. LACPDUs sent by the first party (the actor) convey to the second party (the actor's protocol partner) what the actor knows, both about its own state and that of its partner.

Term: Actor and Partner
Definition: An actor is the local device sending LACPDUs. Its protocol partner is the device on the other end of the link aggregation. Each maintains current status of the other via LACPDUs containing information about their ports' LACP status and operational state.


Table 8 Link Aggregation Configuration Terms and Definitions (continued)

Term: Admin Key
Definition: Value assigned to aggregator ports and physical ports that are candidates for joining a LAG. The LACP implementation uses this value to determine which underlying physical ports are capable of aggregating by comparing keys. Aggregator ports allow only underlying ports with admin keys that match the aggregator to join their LAG.

Term: Port Priority
Definition: Port priority determines which physical ports are moved to the attached state when physical ports of differing speeds form a LAG. Port priority also determines which ports will join a LAG when the number of supported ports for a LAG is exceeded.

Term: System Priority
Definition: Value used to build a LAG ID, which determines aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator.


Revision History

Date                 Description
December 05, 2008    New Document.
December 02, 2010    Update for S-Series, B5, and C5 platforms.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

© 2010 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, ENTERASYS, S-SERIES and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries.

For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring Link Flap Detection


This document provides information about configuring the link flap detection feature on Enterasys Matrix N-Series, Enterasys SecureStack, D-Series, G-Series, and I-Series devices.

Note: Link flap detection is not supported on Enterasys Matrix X-Series devices.

For information about...                                Refer to page...
What is Link Flap Detection?                            1
Why Would I Use Link Flap Detection in My Network?      1
How Do I Implement Link Flap Detection?                 1
Configuring Link Flap Detection                         2

What is Link Flap Detection?


The link flap detection feature monitors link flapping (that is, when a link goes up and down rapidly) on a physical port. Link flapping indicates a Layer 1 (physical layer) problem, such as a faulty cable or GBIC. If link flapping occurs, your Enterasys device can react by disabling the affected port and generating a syslog entry and an SNMP trap to notify you of the event.

Why Would I Use Link Flap Detection in My Network?


If left unresolved, link flapping can be detrimental to network stability by triggering Spanning Tree and routing table recalculations. By enabling the link flap detection feature on your Enterasys device, you can monitor and act upon link flapping to avoid these recalculations.

How Do I Implement Link Flap Detection?


You can enable link flap detection globally on your Enterasys device or on specific ports, such as uplink ports. The link flap detection feature allows you to specify the action that occurs when a certain number of link flapping instances occur within a certain period of time. By default, if a port on which link flap is enabled experiences five link flapping instances within a 10 second period, that port will be disabled for 300 seconds and both a syslog entry and an SNMP trap will be generated.

If a port has been disabled because of excessive link flapping, you can reset the port to operational.

January 29, 2009

Page 1 of 4


Configuring Link Flap Detection


Basic Link Flap Detection Configuration

Procedure 1 describes the basic steps to configure link flap detection on Matrix N-Series, SecureStack, D-Series, G-Series, and I-Series devices.

Note: You must be logged in to the Enterasys device with read-write access rights to use the commands shown in this procedure.

Procedure 1    Link Flap Detection Configuration

Step 1. In switch mode, enable ports for sending SNMP trap messages when their link status changes. By default, all ports on your Enterasys device are enabled to send SNMP trap messages indicating changes in their link status (up or down).
        Command(s): set port trap port-string {enable | disable}

Step 2. Enable link flap detection either globally or on specific ports. By default, link flap is disabled globally.
        Command(s): set linkflap globalstate {disable | enable}
                    set linkflap portstate {disable | enable} [port-string]

Step 3. (Optional) Set the time interval (in seconds) for accumulating link flapping instances. By default, this value is set to 10 seconds.
        Command(s): set linkflap interval port-string interval_value

Step 4. (Optional) Set the number of link flapping instances necessary to trigger the link flap action. By default, this value is five link flapping instances.
        Command(s): set linkflap threshold port-string threshold_value

Step 5. (Optional) Set how the Enterasys device will react to excessive link flapping:
        - Disable the port
        - Generate a Syslog entry
        - Generate an SNMP trap message
        - All of the above
        By default, all of the above actions occur in reaction to excessive link flapping. To clear reactions to excessive link flapping, use the clear command.
        Command(s): set linkflap action port-string {disableInterface | gensyslogentry | gentrap | all}
                    clear linkflap action [port-string] {disableInterface | gensyslogentry | gentrap | all}

Step 6. (Optional) Set the time interval, in seconds, that one or more ports will be disabled after excessive link flapping. By default, this value is 300 seconds.
        Command(s): set linkflap downtime port-string downtime_value

Refer to the device's CLI Reference Guide or Configuration Guide for more information about each command.


Example Link Flap Detection Configuration


PoE devices (for example, VoIP phones or wireless access points) connected to a Matrix N device are experiencing intermittent power losses, though the Matrix N device itself has not experienced any corresponding power losses. The network administrator enables link flap detection on a range of PoE ports to which the PoE devices are connected.

Matrix(rw)->set linkflap portstate enable ge.1.1-12

The network administrator also sets values for the interval, threshold, and downtime on the ports.

Matrix(rw)->set linkflap interval ge.1.1-12 20
Matrix(rw)->set linkflap threshold ge.1.1-12 8
Matrix(rw)->set linkflap downtime ge.1.1-12 600

If the link flap threshold is exceeded within the link flap interval (eight link flap conditions within 20 seconds, as configured above), the Matrix N device will, by default, disable the port (for 600 seconds, as configured above) and generate both a syslog entry and an SNMP trap. These default actions can be changed by using the set linkflap action command.

The Matrix N device disables ports ge.1.1 and ge.1.2 when excessive link flapping occurs on the ports. The network administrator can check the status of the ports and the number of link flap conditions that occurred by using the show linkflap metrics command.

While the ports are disabled, the network administrator replaces the potentially faulty Ethernet cables connecting the ports to the PoE devices. The network administrator then enables the ports.

Matrix(rw)->clear linkflap down ge.1.1-2

If no additional power losses occur on the PoE devices and no additional link flapping conditions occur, the network administrator disables link flap detection on the PoE ports.

Matrix(rw)->set linkflap portstate disable ge.1.1-12
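The detection rule used in this example (a threshold of flaps inside a sliding interval, then a fixed downtime and the configured reactions) can be modelled to check what a given interval/threshold/downtime setting will do before it is applied to production ports. The following simulator is an added example, not code from the Enterasys guide or its firmware; port names, the event stream, and the class and method names are assumptions made for the example.

```python
# Added example (not from the Enterasys guide): a simulator of the link flap
# detection rule described above. Port names, the event format and the class
# and method names are assumptions made for this example.
from collections import deque

# The three reactions listed for 'set linkflap action'
DISABLE_INTERFACE = "disableInterface"
GEN_SYSLOG = "gensyslogentry"
GEN_TRAP = "gentrap"


class LinkFlapDetector:
    """Counts link flaps per port inside a sliding interval and reacts when the
    threshold is reached, with the guide's defaults (10 s, 5 flaps, 300 s)."""

    def __init__(self, interval=10, threshold=5, downtime=300,
                 actions=(DISABLE_INTERFACE, GEN_SYSLOG, GEN_TRAP)):
        self.interval = interval
        self.threshold = threshold
        self.downtime = downtime
        self.actions = set(actions)
        self.flaps = {}           # port -> deque of flap times inside the interval
        self.disabled_until = {}  # port -> time at which the port is re-enabled
        self.total_count = {}     # port -> flaps seen (like 'show linkflap totalcount')
        self.violations = {}      # port -> times the threshold was reached
        self.log = []             # syslog entries and traps the simulated device emits

    def is_disabled(self, port, now):
        return now < self.disabled_until.get(port, 0)

    def link_change(self, port, now):
        """Record one link flap on 'port' at time 'now' (seconds). Returns the
        list of actions taken, which is empty unless the threshold was reached
        within the interval."""
        if self.is_disabled(port, now):
            return []             # a disabled port has no link to flap
        window = self.flaps.setdefault(port, deque())
        window.append(now)
        self.total_count[port] = self.total_count.get(port, 0) + 1
        while window and now - window[0] > self.interval:
            window.popleft()      # forget flaps older than the interval
        if len(window) < self.threshold:
            return []
        self.violations[port] = self.violations.get(port, 0) + 1
        taken = []
        if DISABLE_INTERFACE in self.actions:
            self.disabled_until[port] = now + self.downtime
            taken.append(DISABLE_INTERFACE)
        if GEN_SYSLOG in self.actions:
            self.log.append(f"syslog: port {port} reached {self.threshold} flaps in {self.interval}s")
            taken.append(GEN_SYSLOG)
        if GEN_TRAP in self.actions:
            self.log.append(f"trap: linkflap violation on port {port}")
            taken.append(GEN_TRAP)
        window.clear()            # start a fresh count after reacting
        return taken

    def clear_down(self, port):
        """Like 'clear linkflap down': return a disabled port to service."""
        self.disabled_until.pop(port, None)


def simulate():
    """Replay the example above: interval 20 s, threshold 8, downtime 600 s,
    against a constructed event stream for two ports."""
    det = LinkFlapDetector(interval=20, threshold=8, downtime=600)
    results = {}
    for t in range(0, 16, 2):      # ge.1.1: 8 flaps in 14 s (faulty cable)
        results["ge.1.1"] = det.link_change("ge.1.1", t)
    for t in range(0, 80, 10):     # ge.1.3: 8 flaps spread over 70 s, never 8 in 20 s
        results["ge.1.3"] = det.link_change("ge.1.3", t)
    return det, results
```

With the example's settings, the port that flaps eight times in 14 seconds is disabled and both notifications are emitted, while a port whose eight flaps are spread over 70 seconds never reaches the threshold inside any 20 second window; the same flap stream with the default settings (five in 10 seconds) would disable both ports, which is the kind of difference worth checking before lowering the threshold on uplinks.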

Link Flap Detection Display Commands


Table 1 lists link flap detection show commands for Matrix N-Series, SecureStack, D-Series, G-Series, and I-Series devices.

Table 1    Link Flap Detection Show Commands

Task: Display whether the port is enabled for generating an SNMP trap message if its link state changes.
Command: show port trap [port-string]

Task: Display link flap detection state and configuration information. The show linkflap parameters and show linkflap metrics commands provide summary views of your current link flap detection configuration.
Command: show linkflap {globalstate | portstate | parameters | metrics | portsupported | actsupported | maximum | downports | action | operstatus | threshold | interval | downtime | currentcount | totalcount | timelapsed | violations [port-string]}

Refer to the device's CLI Reference Guide or Configuration Guide for a description of the output of each command.


Revision History
Date          Description
01-29-09      New document


Configuring Load Sharing Network Address Translation (LSNAT)


This document provides the following information about configuring LSNAT on the Enterasys Matrix N-Series and the Enterasys S-Series platforms.

For information about...                    Refer to page...
What is LSNAT?                              1
Why Would I Use LSNAT in My Network?        2
How Can I Implement LSNAT?                  3
LSNAT Overview                              4
Configuring LSNAT                           10
LSNAT Configuration Example                 16
Terms and Definitions                       25

What is LSNAT?
LSNAT is a load balancing routing feature. It provides load sharing between multiple servers grouped into server farms that can be tailored to an individual service or all services, without requiring any modification to clients or servers. Examples of well known services are HTTP on port 80, SMTP (e-mail) on port 25, or FTP on port 21. LSNAT is defined in RFC 2391.

There are three LSNAT configuration components:
- The client that is requesting a service from the server
- The virtual server, configured on the LSNAT router, that intercepts the service request and determines the physical (real) server the request will be forwarded to
- The server farm that is a logical entity containing the multiple real servers, one of which will service the client's request

Figure 1 on page 2 provides the following example of an LSNAT deployment:

1. A request for service is sent by the client to the server farm.

2. The destination address for the service request is the virtual server's unique Virtual IP (VIP) address. A VIP address can be an IP address or an IP address and port address combination. The same IP address can be used for multiple virtual servers if a different port address is used. The LSNAT configured router recognizes the VIP address and knows that LSNAT must select a real server to forward the request to.

3. Before forwarding the request, based upon the server load balancing process configured (round robin is displayed), LSNAT selects the real server for this request. LSNAT changes the destination IP address from the VIP address to the address of the selected real server member of the server farm associated with the VIP address. The packet is then forwarded to the selected real server.

4. The real server sends a service response back to the client with its address as the response source address.

5. At the router, LSNAT sees the real server address and knows it must first translate it back to the VIP address before forwarding the packet on to the client.

September 8, 2010

Page 1 of 28

Figure 1    LSNAT Overview

[Figure: a Client on the Global Internet sends a Request (1) to the LSNAT Configured Virtual IP Address on the Router. The router performs VIP to Real IP Address Translation (2, 3) and forwards the request to a Real Server IP Address in the Server Farm. The Server Response Packet (4) undergoes Real IP to VIP Address Translation (5) at the router before being forwarded to the client.]

Why Would I Use LSNAT in My Network?


The need for load sharing arises when a single server is not able to cope with the demand for multiple sessions simultaneously. Legacy load sharing schemes were often ad hoc and platform specific, having the problem of lengthy reordering times on the servers and the inability to account for server load variations. LSNAT configuration and operation is separate from the client and servers and therefore does not care which client, server, or service is involved. It merely maps a single VIP to multiple real server IP address and port combinations, based upon a configured load balancing algorithm, and forwards packets accordingly.

With load sharing over multiple servers, reliability is increased by allowing you to take an individual server offline for scheduled maintenance, without disrupting ongoing service operations. The servers are easily removed and replaced in the queue, making maintenance a transparent activity and eliminating maintenance related downtime for the site.

Load sharing also provides redundancy in the case of a server failure. LSNAT automatically removes the failed server from the selection process. When the failed server becomes active again, LSNAT automatically adds the server back into the selection process.


Server and TCP/UDP port verification can ensure that the ports used by LSNAT are operational. TCP/UDP port service verification is capable of determining whether a server is active before creating a session. This feature eliminates the point of failure vulnerability by automatically recognizing a server is down and taking it out of the LSNAT load balancing process.

Security is improved since only the VIP is known, not the specific server addresses, ensuring that only the appropriate traffic goes to the servers.

LSNAT improves network performance by leveling traffic over many systems. Using LSNAT in conjunction with Aggregate Links removes the performance bottleneck and reliability concerns of one physical link to a server by bundling multiple links, with failover if a link goes down.

Utilizing the IP Policy and QoS features of the S-Series and N-Series devices with the LSNAT feature further improves the performance and security of the network. When tied with the Virtual Router Redundancy Protocol (VRRP), the network becomes even more reliable and secure.

For all these reasons, LSNAT is ideal for enterprise account web servers, application servers, or database servers.

How Can I Implement LSNAT?


To implement LSNAT in your network:

1. Configure one or more server farms by:
   - Specifying a server farm name
   - Configuring real servers as members of the server farm
   - Specifying a load balancing algorithm for each server farm

2. Configure each real server by:
   - Optionally configuring real server fail detect settings
   - Optionally limiting the maximum number of active connections for this real server
   - Optionally specifying a round robin weight value for this real server
   - Enabling the real server for service

3. Configure a virtual server by:
   - Specifying a virtual server name
   - Associating a virtual server with a server farm
   - Configuring a virtual server IP address (VIP)
   - Optionally restricting access to specific virtual server clients
   - Optionally specifying a sticky type and idle timeout
   - Enabling the virtual server for service

4. Configure global virtual server settings by:
   - Optionally defining a non-standard FTP port to be used by virtual servers
   - Optionally allowing all clients to directly access all services provided by real servers

5. Manage a real server by optionally clearing load balancing connections or statistics


LSNAT Overview
This section provides an overview of the LSNAT components.
Notes: LSNAT is currently supported on the Enterasys S-Series and N-Series products. This document details the configuration of LSNAT for these products. LSNAT is an advanced routing feature that must be enabled with a license key on the N-Series router. An advanced routing license is currently not required on the S-Series platform. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the configuration guide that comes with your Enterasys N-Series product in order to enable the LSNAT command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales. A minimum of 256 MB of memory is required on all modules in order to enable LSNAT. See the SDRAM field of the show system hardware command to display the amount of memory installed on a module. An N-Series module memory can be upgraded to 256 MB using the DFE-256MB-UGK memory kit.

The LSNAT configuration is made up of one or more server farms, each containing multiple real servers that face the client through a configured virtual server. All aspects of an LSNAT configuration relate to the configuration or management of one of these three LSNAT components: server farm, real server, and virtual server.

Figure 2 on page 5 presents an LSNAT packet flow. A request for services is sent by the client to the Virtual server IP address (VIP) on the LSNAT configured router. The source address for this request is the client IP address. The destination address for the request is the LSNAT configured VIP address. The LSNAT configured router recognizes the VIP address and, based upon the server load balancing process configured (round robin is displayed), LSNAT changes the destination address from the VIP address to the address of one of the real server members of the server farm associated with the VIP address. The packet is forwarded to the selected real server. When the real server sends a response back to the client, LSNAT sees the real server address and translates it back to the VIP address before forwarding the packet on to the client.


Figure 2    LSNAT Packet Flow

[Figure: Server Farm 1 contains the real servers 10.10.125.1:80, 10.10.125.2:80, 10.10.125.3:80, and 10.10.125.4:80 behind the Router. The router is configured with VIP 194.56.13.2:80. The Client on the Global Internet is IP 196.86.100.12:125. Packet labels as they appear in the figure:
  Request from client:        DA 194.56.13.2:80     SA 196.86.100.12:125
  Request to real server:     DA 10.10.125.1:80     SA 196.86.100.12:125
  Response from real server:  DA 194.56.13.2:80     SA 10.10.125.1:80
  Response to client:         DA 196.86.100.12:125  SA 194.56.13.2:80]
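The translation in Figure 2 can be followed end to end with a small model of the router: a binding is created on the first packet of a session, the destination is rewritten from the VIP to the chosen real server, and the reply from that real server has its source rewritten back to the VIP so the client never sees a real server address. This is an added example, not code from the Enterasys guide; the addresses are the ones in the figure, while the packet dictionary, the binding key and the class name are assumptions made for the example.

```python
# Added example (not from the Enterasys guide): a model of the packet flow in
# Figure 2. The addresses are the ones in the figure; the packet dictionary,
# the binding table and the class name are assumptions for this example.
from itertools import cycle


class LsnatRouter:
    """One virtual server (VIP:port) in front of a server farm, with a
    round robin predictor (the server farm default) and a binding table."""

    def __init__(self, vip, vport, reals):
        self.vip, self.vport = vip, vport
        self._predictor = cycle(reals)   # reals: list of (ip, port) members
        self.bindings = {}               # (sip, sport, dip, dport) -> (real_ip, real_port)

    def forward(self, pkt):
        """Client -> server: if the destination is the VIP, pick (or reuse)
        a real server for this session and rewrite the destination."""
        if (pkt["dip"], pkt["dport"]) != (self.vip, self.vport):
            return pkt                   # not addressed to the virtual server
        key = (pkt["sip"], pkt["sport"], pkt["dip"], pkt["dport"])
        if key not in self.bindings:
            self.bindings[key] = next(self._predictor)   # load balancing decision
        real_ip, real_port = self.bindings[key]
        return {**pkt, "dip": real_ip, "dport": real_port}

    def reply(self, pkt):
        """Server -> client: a packet from the real server bound to this client
        has its source translated back to the VIP before it is forwarded."""
        for (sip, sport, vip, vport), real in self.bindings.items():
            if (pkt["sip"], pkt["sport"]) == real and (pkt["dip"], pkt["dport"]) == (sip, sport):
                return {**pkt, "sip": vip, "sport": vport}
        return pkt                       # no binding: forwarded untranslated


def figure2_flow():
    """Run the request/response exchange of Figure 2 through the model."""
    router = LsnatRouter("194.56.13.2", 80, [("10.10.125.1", 80), ("10.10.125.2", 80),
                                            ("10.10.125.3", 80), ("10.10.125.4", 80)])
    request = {"sip": "196.86.100.12", "sport": 125, "dip": "194.56.13.2", "dport": 80}
    to_server = router.forward(request)
    # The real server answers the client; the router rewrites the source to the VIP.
    from_server = {"sip": to_server["dip"], "sport": to_server["dport"],
                   "dip": request["sip"], "dport": request["sport"]}
    to_client = router.reply(from_server)
    return router, to_server, to_client
```

Note the dependency the Source NAT Pool section below spells out: the reply only reaches the router because the real server routes the client address back through it; the model does not source NAT the client address, so a real server with a different default route would answer the client directly and bypass the translation.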

The Server Farm


The server farm is a logical entity made up of multiple real servers. You configure a server farm by naming it and populating it with real server members. Each server farm is associated with a virtual server that is configured with a unique Virtual IP (VIP) address. You can configure multiple server farms for a single router, but each server farm must be associated with a unique virtual server. Each server farm is configured to use a load balancing algorithm. The load balancing algorithm determines the real server selection process for this server farm. The server farm defaults to a round robin load balancing algorithm.

Server Selection Process


The server selection process determines the manner in which a real server will be selected for this session. The server selection process is one of three configurable load balancing algorithms, also referred to as predictors: round robin, weighted round robin, and least connections.

Round Robin
The round robin algorithm treats all servers equally by ordering the servers and selecting them one at a time for each new session request. When it gets to the last real server in the ordering, it starts at the beginning again.

Weighted Round Robin


Weighted round robin is a round robin algorithm that takes into account a weight assigned to each real server. Weight is a way of accounting for the resource differences between servers. If a server has the capacity to handle twice the number of sessions as another server, its weight ratio to the other server can be set to 2:1. The default weight for all real servers is 1. When all real servers are configured with the default weight, each real server is treated equally as described in the simple round robin. When a non-default weight is applied to any real servers in the server farm, the algorithm takes that weight into account when assigning sessions to the real servers.

Consider the following example. A server farm contains three real servers with the following weights: server A has a weight of 1, server B has a weight of 2, and server C has a weight of 3. For each six (the sum of the three weights) active sessions, server A will be assigned 1 session, server B will be assigned 2 sessions, and server C will be assigned 3 sessions in a round robin fashion. For this example, the weight ratio between the three servers would be 1:2:3.

Least Connections
The least connections algorithm always assigns the next session to the server with the least number of active sessions currently assigned.
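The three predictors described above, written out as plain Python so the assignment order can be checked against the A/B/C weighting example in the text. This is an added example, not code from the Enterasys guide; the interleaving order chosen for weighted round robin and the tie-breaking rule for least connections (the first server in configured order) are assumptions, since the guide states only the per-cycle proportions.

```python
# Added example (not from the Enterasys guide): the three LSNAT server
# selection algorithms described above. The interleaving order for weighted
# round robin and the tie-break for least connections are assumptions.
from itertools import cycle


def round_robin(servers):
    """Plain round robin: servers in configured order, wrapping to the start."""
    return cycle(servers)


def weighted_round_robin(servers, weights):
    """Weighted round robin: within every sum(weights) selections each server
    is chosen weights[i] times, interleaved in round robin passes."""
    total = sum(weights)
    if total <= 0 or len(servers) != len(weights):
        raise ValueError("weights must be positive and match the servers")
    assigned = [0] * len(servers)
    while True:
        for i, server in enumerate(servers):
            if assigned[i] < weights[i]:
                assigned[i] += 1
                yield server
        if sum(assigned) == total:
            assigned = [0] * len(servers)   # one full cycle done, start over


class LeastConnections:
    """Assigns each new session to the server with the fewest active sessions.
    On a tie the earliest server in configured order wins (an assumption)."""

    def __init__(self, servers):
        self.active = {s: 0 for s in servers}   # insertion order = configured order

    def open_session(self):
        server = min(self.active, key=self.active.get)
        self.active[server] += 1
        return server

    def close_session(self, server):
        self.active[server] -= 1


def demo_predictors():
    """Drive all three predictors with the guide's three-server farm."""
    servers = ["A", "B", "C"]
    rr = round_robin(servers)
    rr_seq = [next(rr) for _ in range(7)]
    wrr = weighted_round_robin(servers, [1, 2, 3])   # the 1:2:3 example
    wrr_seq = [next(wrr) for _ in range(12)]         # two full cycles of six
    lc = LeastConnections(servers)
    lc_seq = [lc.open_session() for _ in range(3)]   # A, B, C while all idle
    lc.close_session("B")                            # B drops back to 0 active
    lc_seq.append(lc.open_session())                 # -> B, the least loaded
    return rr_seq, wrr_seq, lc_seq
```

For the 1:2:3 farm the weighted sequence over one cycle of six sessions is A, B, C, B, C, C, which gives each server exactly its weight; with all weights at the default of 1 the generator degenerates to plain round robin.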

Stickiness
Stickiness refers to the ability of a virtual server to associate the client source IP address (and optionally, destination IP and destination UDP/TCP port number) IP network tuple information to a real server.

A virtual server using stickiness will create a sticky entry when it creates a binding. The sticky entry contains a mapping of the IP network tuple information and the real server that was selected. The bindings can come and go but the sticky entries persist using a separate idle timer. When a new request is processed by a virtual server, the sticky table is checked for an entry matching the virtual server's sticky type. If an entry is found, then the load balancing algorithm is skipped and the request is mapped to the sticky entry's indicated real server.

In this way a virtual server associates particular clients to a real server for as long as the sticky entry remains in the table.

A sticky entry will only start aging when it has no associated bindings.
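The sticky table's lifecycle (created with the first binding, consulted before the predictor, aging only once its last binding is gone, and expiring after the sticky timeout) is easiest to see in a small model. This is an added example, not code from the Enterasys guide; the two sticky types modelled ('sip' and 'sip dip-port', the names used in Table 1 of the configuration section), the idle timer handling and all class and method names are assumptions made for the example.

```python
# Added example (not from the Enterasys guide): a sticky table in front of a
# round robin predictor, behaving as described above. The sticky type names,
# the idle timer and all names used here are assumptions for this example.
from itertools import cycle


class StickyVirtualServer:
    def __init__(self, reals, sticky_type="sip", sticky_timeout=7200):
        self._predictor = cycle(reals)      # round robin, the farm default
        self.sticky_type = sticky_type
        self.sticky_timeout = sticky_timeout
        self.sticky = {}    # tuple key -> {"real", "bindings", "idle_since"}
        self.bindings = {}  # binding id -> sticky key

    def _key(self, sip, dip, dport):
        # 'sip' keys on the client address only; 'sip dip-port' adds the
        # destination address and UDP/TCP port.
        return (sip,) if self.sticky_type == "sip" else (sip, dip, dport)

    def new_binding(self, binding_id, sip, dip, dport, now):
        """Create a binding for a new request and return the real server used."""
        self.expire(now)
        key = self._key(sip, dip, dport)
        entry = self.sticky.get(key)
        if entry is None:
            # No sticky entry: run the load balancing algorithm and remember it.
            entry = {"real": next(self._predictor), "bindings": 0, "idle_since": None}
            self.sticky[key] = entry
        entry["bindings"] += 1
        entry["idle_since"] = None          # an entry with bindings does not age
        self.bindings[binding_id] = key
        return entry["real"]

    def close_binding(self, binding_id, now):
        key = self.bindings.pop(binding_id)
        entry = self.sticky[key]
        entry["bindings"] -= 1
        if entry["bindings"] == 0:
            entry["idle_since"] = now       # aging starts when the last binding closes

    def expire(self, now):
        """Drop sticky entries that have been idle longer than the sticky timeout."""
        for key, entry in list(self.sticky.items()):
            idle = entry["idle_since"]
            if idle is not None and now - idle > self.sticky_timeout:
                del self.sticky[key]


def demo_stickiness():
    """Constructed sequence: one client returns repeatedly over several hours."""
    reals = ["10.10.125.1", "10.10.125.2", "10.10.125.3"]   # constructed farm
    vs = StickyVirtualServer(reals, sticky_type="sip", sticky_timeout=7200)
    first = vs.new_binding("b1", "196.86.100.12", "194.56.13.2", 80, now=0)    # round robin -> .1
    other = vs.new_binding("b2", "196.86.100.99", "194.56.13.2", 80, now=1)    # round robin -> .2
    same_client = vs.new_binding("b3", "196.86.100.12", "194.56.13.2", 443, now=2)  # sticky -> .1
    vs.close_binding("b1", now=10)
    vs.close_binding("b3", now=10)        # last binding gone: entry starts aging at t=10
    still_sticky = vs.new_binding("b4", "196.86.100.12", "194.56.13.2", 80, now=5000)  # idle 4990 s -> .1
    vs.close_binding("b4", now=5000)
    aged_out = vs.new_binding("b5", "196.86.100.12", "194.56.13.2", 80, now=20000)     # expired -> .3
    return first, other, same_client, still_sticky, aged_out
```

The last step shows the security-relevant consequence of the aging rule: a client that stays connected keeps its real server indefinitely, while one that has been idle past the sticky timeout is re-balanced, so a server taken out of the farm for maintenance stops receiving returning clients only once their entries have aged out.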

The Real Server


A real server is an actual physical server that is a member of a server farm. Once a real server becomes a member of a server farm, you must enable it for service. All other real server configurations are optional.

Real servers may belong to multiple server farms. Each server farm is accessed by a unique virtual server. The LSNAT router will apply the load balancing algorithm for the server farm associated with this session. The virtual server configuration contains the optional sticky persistence configuration for this session.

Each real server can be optionally configured for failure detection, maximum number of active connections, and real server weight used by the weighted round robin load balancing algorithm.

Failure Detection
It is important for LSNAT to know whether a server is down so it can be removed from the server selection process. There are a number of methods to determine whether a real server is up or down before being selected for a potential LSNAT session:
- Ping: The real server is pinged.
- TCP/UDP Port Service Verification: The application service port is verified.
- Application Content Verification (ACV): The content of an application is verified.


Ping
Real server failure detection can be configured for ping only. In this case, the real server is pinged before a session is created.

TCP/UDP Port Service Verification


TCP port service verification can be enabled on one or more load balancing servers. A connect request is sent out to the server port. If the connect request succeeds then LSNAT knows the server is up. You can configure TCP failure detection for both ping and TCP port service verification.

UDP port service verification can be enabled on one or more load balancing servers. LSNAT accomplishes this by sending a UDP packet with \r\n (Carriage Return/Line Feed) as data to the UDP port. If the server responds with an ICMP Port Unreachable message, it is concluded that the port is not active and the server is reported as DOWN. Otherwise, if the LSNAT router either gets data back from the request to the server or does not get any response at all, it is assumed that the port is active and the server is reported as UP. The lack of a response could also be the result of the server itself not being available and could produce an erroneous indication of the server being UP. To avoid this when requesting a UDP application on a UDP port, an ICMP ping is issued first to ensure that the server is available before submitting the UDP application request.

Application Content Verification


Application Content Verification (ACV) can be enabled on a port to verify the content of an application on one or more load balancing servers. ACV is a method of ensuring that data coming from your servers remains intact and does not change without your knowledge. ACV can simultaneously protect against server outages, accidental file modification or deletion, and servers whose security has been compromised. By its nature, ACV is protocol independent and is designed to work with any type of server that communicates via formatted ASCII text messages, including HTTP, FTP, and SMTP. For ACV verification, you specify the following:
- A string that the router sends to a single server. The string can be a simple HTTP command to get a specific HTML page, or it can be a command to execute a user-defined CGI script that tests the operation of the application.
- The reply that the application on each server sends back is used by the router to validate the content. In the case where a specific HTML page is retrieved, the reply can be a string that appears on the page, such as OK. If a CGI script is executed on the server, it should return a specific response (for example, OK) that the router can verify.

ACV works by sending a command to your server and searching the response for a certain string. If it finds the string, the server is marked as Up. If the string is not found, the server is marked as Down.

For example, if you sent the following string to your HTTP server, HEAD / HTTP/1.1\\r\\nHost: www.enterasys.com\\r\\n\\r\\n, you could expect to get a response of a returned string similar to the following:


HTTP/1.1 200 OK
Date: Tue, 11 Dec 2007 20:03:40 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Last-Modified: Wed, 19 Sep 2007 13:56:03 GMT
ETag: 297bc-b52-65f942c0
Accept-Ranges: bytes
Content-Length: 2898


You can search for a reply string of 200 OK. This would result in a successful verification of the service.

Because ACV can search for a string in only the first 255 bytes of the response, in most HTTP cases the response will have to be in the packet's HTTP header (that is, you will not be able to search for a string contained in the web page itself).

Some protocols such as FTP or SMTP require users to issue a command to close the session after making the request. A fail detect acv quit command allows for the input of the quit string required.
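The two verification rules described in this section and in the TCP/UDP Port Service Verification section above can be checked offline: the ACV decision searches only the first read-till-index bytes (255 by default) of the reply, which is why a string in the page body is never found, and the UDP rule treats silence as UP unless the preceding ping failed. This is an added example, not code from the Enterasys guide; the reply is the one shown above with a constructed body appended, and the function names and the result vocabulary are assumptions made for the example.

```python
# Added example (not from the Enterasys guide): the ACV search window rule and
# the UDP port service verification rule described above. Function names and
# the UDP result vocabulary are assumptions for this example.

# The reply shown in the guide, embedded as constructed test data (CRLF line
# ends) with a constructed 2 KB body appended after the blank line.
SAMPLE_HTTP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 11 Dec 2007 20:03:40 GMT\r\n"
    "Server: Apache/2.0.40 (Red Hat Linux)\r\n"
    "Last-Modified: Wed, 19 Sep 2007 13:56:03 GMT\r\n"
    "ETag: 297bc-b52-65f942c0\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 2898\r\n"
    "\r\n"
    "<html>" + "x" * 2000 + "<p>service healthy</p></html>"
).encode()


def acv_verify(reply: bytes, expected: str, read_till_index: int = 255) -> str:
    """Return 'UP' if 'expected' occurs inside the first read_till_index bytes
    of the reply, else 'DOWN'. Only that window is searched, exactly as the
    ACV description above states for the default of 255."""
    window = reply[:read_till_index]
    return "UP" if expected.encode() in window else "DOWN"


def udp_port_verify(ping_reachable: bool, udp_result: str) -> str:
    """UDP port service verification with the ICMP ping issued first.
    udp_result is one of 'data', 'port-unreachable' or 'no-response'."""
    if not ping_reachable:
        return "DOWN"          # the host itself is down; silence would mislead
    if udp_result == "port-unreachable":
        return "DOWN"          # ICMP Port Unreachable: the port is not active
    if udp_result not in ("data", "no-response"):
        raise ValueError(f"unknown UDP probe result: {udp_result}")
    return "UP"                # data returned or no response both count as active


def header_length(reply: bytes) -> int:
    """Offset of the first body byte, for reasoning about the 255 byte window."""
    return reply.index(b"\r\n\r\n") + 4
```

The sample reply's header ends at byte 211, so "200 OK" and "Content-Length" are inside the default window while the body marker is not; raising the read-till index to the full reply length makes the body searchable, at the cost the guide warns about (the search then depends on page content rather than on the status line).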

The Virtual Server


The virtual server functions as a public face to the client for the real server the client wishes to access. The client accesses the real server by directing service requests to the Virtual IP (VIP) address configured on the virtual server.

Before enabling a virtual server you must name it, associate it with a server farm, and configure the VIP. Optionally you can restrict access to the virtual server to specified clients, specify the type of session persistence, allow specified clients direct access to a real server, and allow all clients to directly access all services not specifically accessed through the virtual server.

You must configure a virtual server with a VIP for each server farm in your system. The same IP address can be used for the VIP of multiple virtual servers provided a different port is specified for each VIP.

In cases where there is only one load balancing decision made for this client to virtual server for all TCP/UDP connections, the match source port any binding mode allows Server Load Balancing (SLB) connections through the virtual server to create a single binding that will match any source port the client uses destined to the same virtual server VIP address and UDP/TCP port. Configure the match source port any binding mode using the binding match source port command.

Configuring Direct Access to Real Servers


When the LSNAT router has been configured with server farms, with real servers and virtual servers configured and in service, the real servers are protected from direct client access for all services.

If you want to provide direct client access to real servers configured as part of a server farm, there are two mechanisms that can provide direct client access.

The first mechanism, configured within global configuration mode with the ip slb real server access client command, allows you to identify specific client networks that can set up connections directly to a real server's IP address, as well as continue to use the virtual server IP address.

The second mechanism, configured in global configuration mode with the ip slb real server access unrestricted command, allows all clients to directly access all services provided by real servers.

The Source NAT Pool


LSNAT supports Network Address Translating (NAT) of the client IP address as described in Section 3.3 of RFC 2391. A guide detailing the NAT feature is available at: http://secure.enterasys.com/support/manuals/.

With a standard LSNAT connection, the client's IP address is passed through the router un-NATed. The consequence of this is that the real server must have a route for the client IP address that returns traffic back through the LSNAT router. Since the client IP addresses are usually unknown to the real server, most real servers end up setting their default router to the LSNAT router. If the LSNAT router is not configured as the default router, the LSNAT router and real server must be located somewhere in the network topology that guarantees that return traffic flows through the LSNAT router.

If instead the client IP address is NATed, this allows the real servers to be located anywhere in a network, since the packets from router to real server will be source NATed with an IP address owned by the router itself.

Use the source nat pool command to specify a NAT pool to use for source NATing. The NAT pool is used in an overload mode.

The FTP Control Port


The FTP port assignment defaults to port 21. You can globally assign a non-standard FTP control port in global configuration mode that will be used by all virtual servers.

The Virtual Server Virtual Port and Real Server Port


When configuring a virtual server and real server, the port must be configured for a protocol type and port value. This section specifies port protocol and port value considerations to take into account when configuring a virtual server or real server.

Virtual Server Virtual Port


The configuration of the virtual server virtual port has two meanings depending upon whether the port has a zero or non-zero value:
- If a non-zero value is set, then incoming packets' destination ports are matched to that port.
- If a zero value is set, then the incoming packets' destination ports will only match that virtual server if there is no non-zero port match with another virtual server. In this case the zero port is a catch-all that means match any port.

The virtual server virtual port protocol (UDP/TCP) must always match the real server port protocol.

The virtual server is identified by its Virtual IP Address (VIP), port protocol, and port number. A virtual server configured for a given VIP and port number must be configured for either UDP or TCP, but cannot be configured for both.

Real Server Port


The configuration of the real server port has two meanings:
- If a non-zero value is set to the real server port, then any bindings created using that real server will use the real server's destination port.
- If a zero value is set to the real server port, then any bindings created using that real server will use the client's original destination port.

If the real server's port is set to 0, the only valid faildetect types for the real server are none or ping.
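The port rules of the last two subsections determine which virtual server a packet lands on and which destination port its binding will carry, and a wrong reading of the port 0 catch-all is an easy way to expose a service unintentionally. The following lookup functions are an added example, not code from the Enterasys guide; the virtual server records, the protocol strings and the function names are assumptions made for the example, and the addresses reuse those of Figure 2.

```python
# Added example (not from the Enterasys guide): virtual server lookup with the
# port 0 catch-all rule and the real server port 0 rule for bindings. The
# record layout, protocol strings and function names are assumptions.


def select_virtual_server(virtual_servers, dip, protocol, dport):
    """virtual_servers: list of dicts with keys name, vip, protocol, vport.
    A non-zero vport matches only packets to that port; a vport of 0 matches
    any port, but only when no non-zero vport on the same VIP and protocol
    matches. Returns the matching record or None."""
    catch_all = None
    for vs in virtual_servers:
        if vs["vip"] != dip or vs["protocol"] != protocol:
            continue            # protocol is part of the virtual server identity
        if vs["vport"] == dport:
            return vs           # exact non-zero match always wins
        if vs["vport"] == 0:
            catch_all = vs      # remembered, used only if nothing exact matches
    return catch_all


def binding_destination(real_ip, real_port, client_dport):
    """Destination of the translated packet: a non-zero real server port
    replaces the client's destination port; port 0 keeps the original one."""
    return (real_ip, real_port if real_port != 0 else client_dport)


def valid_faildetect_types(real_port):
    """With real server port 0 the guide allows only 'none' or 'ping'; the
    port-based checks need a concrete port to probe."""
    if real_port == 0:
        return ("none", "ping")
    return ("none", "ping", "app", "acv", "both")


def demo_port_rules():
    """Constructed virtual server set on the Figure 2 VIP."""
    vservers = [
        {"name": "web", "vip": "194.56.13.2", "protocol": "tcp", "vport": 80},
        {"name": "tcp-any", "vip": "194.56.13.2", "protocol": "tcp", "vport": 0},
        {"name": "dns", "vip": "194.56.13.2", "protocol": "udp", "vport": 53},
    ]
    def name(protocol, dport):
        vs = select_virtual_server(vservers, "194.56.13.2", protocol, dport)
        return vs["name"] if vs else None
    return {
        "tcp/80": name("tcp", 80),        # exact match beats the catch-all
        "tcp/443": name("tcp", 443),      # only the catch-all matches
        "udp/53": name("udp", 53),
        "udp/123": name("udp", 123),      # no UDP catch-all: not load balanced
        "real 8080": binding_destination("10.10.125.1", 8080, 80),
        "real 0": binding_destination("10.10.125.1", 0, 443),
    }
```

The "udp/123" result is the point to notice: a catch-all on TCP does not extend to UDP, and a catch-all of either protocol means every port on that VIP is forwarded into the farm, which is what the stickiness criteria below rely on and what makes port 0 worth restricting with the client access controls described in this document.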


Managing Connections and Statistics


There are three aspects to managing connections:
- Clearing all LSNAT counters and bindings or selectively clearing bindings based on ID or matching network tuple information (sip, sport, dip, dport).
- Setting LSNAT limits for the number of bindings, cache size, and number of configurations.
- Displaying LSNAT statistics.

Configuring UDP-One-Shot
Many UDP applications send only two packets in the form of a request and a reply. For such applications it is a waste of resources to set up a new binding and hardware connection for every request and then let each binding idle age out. With UDP one-shot configured, a binding is created and the request packet is sent. The reception of a reply packet back causes the binding to be deleted within one second. Bindings created by UDP one-shot will not result in the installation of a hardware connection.

Use the udp-one-shot command in SLB virtual server configuration command mode to enable UDP one-shot on a virtual server.

Configuring LSNAT
This section provides details for the configuration of LSNAT on the Enterasys S-Series and N-Series products.

Table 1 lists LSNAT parameters and their default values.

Table 1    Default LSNAT Parameters

Parameter                       Default Value   Description
Port Number (FTP)               21              The port number for the FTP control port for all virtual servers.
Predictor                       Round Robin     The load balancing algorithm for this server farm.
Faildetect Type                 Ping            Method used to determine the state of a real server.
Ping Interval                   5 seconds       The ICMP Ping failure detection interval.
Ping Retries                    4               The number of times an ICMP ping failure will result in a retry.
application failure interval    15 seconds      Specifies an application failure detection interval in seconds.
application failure retries     4               Specifies the number of times a TCP application failure will result in a retry.
Failure Detection Application   TCP             Application port monitoring faildetect type.


Table 1    Default LSNAT Parameters (continued)

Parameter                       Default Value                  Description
Read Till Index                 255                            Specifies the index to read to in the reply search range for a faildetect reply message.
Match Source-Port Binding Mode  exact                          Use this command to set the source port to virtual server binding behavior for this virtual server.
Maximum Connections             Unlimited                      Specifies the maximum number of connections allowed to an LSNAT real server.
Weight                          1                              Specifies a real server weight value for the weighted round robin load balancing algorithm.
Service Type                    None                           A special service type, such as FTP or TFTP, if the virtual port number is different than the default for that service.
Stickiness Type                 None                           The type of stickiness to use for the virtual server.
Sticky Timeout                  SIP: 7200 seconds              Specifies the age out interval for sticky entries that have no associated bindings.
                                SIP DIP-PORT: 7200 seconds

Table 2 lists LSNAT resource limits.

Table 2    LSNAT Resource Limits

Resource          S-Series    SSA       N-Series
Bindings          65536       131072    32768
Reals             500         500       500
Server Farms      300         300       50
Sticky Entries    65536       65536     2000
VIP Addresses     1000        1000      1000
Virtual Servers   500         500       50

LSNAT Configuration Considerations


The following considerations must be taken into account when configuring LSNAT on Enterasys S-Series and N-Series devices:
- On chassis based systems, only one router per chassis will be allowed to run LSNAT at a given time.
- ALL modules in the chassis must have upgraded memory to a minimum of 256 MB, and, in the case of an N-Series platform, must have an advanced routing license activated. The advanced routing license is not currently required on the S-Series platform.
- When different VIPs access the same real server in different server farms, the persistence level must be set the same.

In order to use stickiness, the following configuration criteria are required:
- Stickiness must be configured for the virtual server.
- The real servers in this server farm are to be used for all services. The servers are not allowed to be used with other server farms to support other virtual server services. There is one exception to this rule, described in the next bullet item.
- Stickiness means all TCP ports or all UDP ports on the virtual server are supported, but not both. You can create two virtual servers with either the same IP address and different ports, or different IP addresses (one for TCP protocols/ports and one for UDP protocols/ports) and use the same real servers (with different server farm names). That way all TCP and UDP ports are supported by the same set of real servers.
- Port 0 in the virtual server has to be used to support this service and is reserved for this purpose.

Configuring an LSNAT Server Farm


Procedure 1 describes how to configure an LSNAT server farm.

Procedure 1    LSNAT Server Farm Configuration

Step 1. In global router configuration command mode, specify a name for this server farm.
        Command(s): ip slb serverfarm serverfarmname

Step 2. In SLB server farm configuration command mode, specify the load balancing algorithm for this server farm.
        Command(s): predictor [roundrobin | leastconns]

Step 3. In SLB server farm configuration command mode, enable this server farm. The default setting for server farms is inservice.
        Command(s): inservice

Configuring an LSNAT Real Server


Procedure 2 describes how to configure an LSNAT real server.

Procedure 2 Configuring an LSNAT Real Server

Step 1. In SLB server farm configuration command mode, configure the real server members for this server farm and enter real server configuration command mode.
    Command(s): real ip-address [port number]

Step 2. In SLB real server configuration command mode, optionally configure the error handling on this real server.
    Command(s): faildetect {type {both | ping | app [tcp | udp] | acv [tcp | udp] | none}} | ping-int seconds ping-retries number | app-int seconds app-retries number


Procedure 2 Configuring an LSNAT Real Server (continued)

Step 3. In SLB real server configuration command mode, if application or verification error handling was selected, set the verification string that will be used for this real server's application verification.
    Command(s): faildetect acv-command command-string

Step 4. In SLB real server configuration command mode, if application or verification error handling was selected, set the verification reply string that will be used for this real server's application verification.
    Command(s): faildetect acv-reply reply-string

Step 5. In SLB real server configuration command mode, if required, set the verification quit string for when the protocol requires the user to issue a command to close the session.
    Command(s): faildetect acv-quit quit-string

Step 6. In SLB real server configuration command mode, optionally set an exact application verification reply string index for when the contents of the response are not known to you.
    Command(s): faildetect read-till-index index-number

Step 7. In SLB real server configuration command mode, optionally limit the maximum number of active connections for this real server.
    Command(s): maxconns maximum-number

Step 8. In SLB real server configuration command mode, optionally configure a weight for this real server to be used by the round robin load balancing algorithm.
    Command(s): weight weight-number

Step 9. In SLB real server configuration command mode, enable each real server for service.
    Command(s): inservice
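As an added illustration (not part of the Enterasys guide or its firmware), the following Python models the Application Content Verification check that steps 2 through 6 configure: open a TCP session to the real server, send the acv-command string, read at most read-till-index bytes, and look for the acv-reply string inside that window. The local stand-in server, the probe function and the sample responses are constructed here; the values of ACV_COMMAND, ACV_REPLY and READ_TILL_INDEX are assumptions taken from the configuration example later in this document.

```python
import socket
import threading

# Constructed probe settings mirroring Procedure 2: the verification command,
# the expected reply, and the read-till-index window (all assumed values).
ACV_COMMAND = b"HEAD / HTTP/1.1\r\nHost: www.myproduct.com\r\n\r\n"
ACV_REPLY = b"200 OK"
READ_TILL_INDEX = 100


def acv_reply_matches(response: bytes, reply: bytes, read_till_index: int) -> bool:
    """The reply string must appear within the first read_till_index bytes of
    the server's answer; anything past that index is never examined."""
    return reply in response[:read_till_index]


def acv_probe(host: str, port: int, command: bytes = ACV_COMMAND,
              reply: bytes = ACV_REPLY, read_till_index: int = READ_TILL_INDEX,
              timeout: float = 2.0) -> bool:
    """Open a TCP session to the real server, send the verification command,
    read at most read_till_index bytes and verify the reply. A refused or
    dropped connection, a timeout, or an empty answer all count as failure,
    which is what takes a real server out of rotation."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(command)
            while len(buf) < read_till_index:
                chunk = sock.recv(read_till_index - len(buf))
                if not chunk:          # server closed the session
                    break
                buf += chunk
    except OSError:
        return False
    return acv_reply_matches(buf, reply, read_till_index)


def serve_once(response: bytes) -> int:
    """Constructed test fixture: a throwaway local TCP server that answers a
    single connection with `response`. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)            # consume the ACV command
            conn.sendall(response)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    healthy = b"HTTP/1.1 200 OK\r\nServer: constructed\r\nContent-Length: 0\r\n\r\n"
    print("healthy real server passes:", acv_probe("127.0.0.1", serve_once(healthy)))
    failing = b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"
    print("503 real server fails:", acv_probe("127.0.0.1", serve_once(failing)))
```

A reply string that sits past the read-till-index window is never matched, so the index must cover the part of the response that carries the status you check.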

Configuring an LSNAT Virtual Server


Procedure 3 describes how to configure an LSNAT virtual server.

Procedure 3 Configuring an LSNAT Virtual Server

Step 1. In global router configuration command mode, specify a name for this virtual server.
    Command(s): ip slb vserver vserver-name

Step 2. In SLB virtual server configuration command mode, optionally specify a match source port to virtual server binding behavior.
    Command(s): binding match source-port {any | exact}

Step 3. In SLB virtual server configuration command mode, associate this virtual server with a server farm.
    Command(s): serverfarm serverfarm-name


Procedure 3 Configuring an LSNAT Virtual Server (continued)

Step 4. In SLB virtual server configuration command mode, configure the virtual server IP address (VIP) or proceed to the next step and configure a range of virtual server IP addresses. You must specify whether the VIP uses TCP or UDP. For TCP ports you can optionally specify the FTP service; for UDP ports you can optionally specify the TFTP service.
    Command(s): virtual ip-address {tcp | udp} port [service service-name]

Step 5. In SLB virtual server configuration command mode, if you did not configure a VIP in the preceding step, configure a range of virtual server IP addresses. You must specify whether the VIPs will use TCP or UDP. For TCP ports you can optionally specify the FTP service; for UDP ports you can optionally specify the TFTP service.
    Command(s): virtual-range start-address end-address {tcp | udp} port [service service-name]

Step 6. In SLB virtual server configuration command mode, optionally configure a client source NAT pool to source NAT the traffic through the virtual server with the IP addresses from the NAT pool.
    Command(s): source nat pool pool

Step 7. In SLB virtual server configuration command mode, enable the virtual server for service.
    Command(s): inservice

Step 8. In SLB virtual server configuration command mode, optionally configure this virtual server to participate in VRRP state changes. Specify the VLAN on which the VRRP is configured and the virtual router ID associated with the routing interface for this VRRP.
    Command(s): vrrp vlan vlan vrid

Step 9. In SLB virtual server configuration command mode, optionally restrict access to this virtual server to configured clients.
    Command(s): client [ip-address network-mask]

Step 10. In SLB virtual server configuration command mode, optionally configure UDP application connections to delete the binding when the reply packet is received. Bindings created by UDP-one-shot will not result in the installation of a hardware connection.
    Command(s): udp-one-shot

Step 11. In SLB virtual server configuration command mode, optionally configure the stickiness type.
    Command(s): sticky type [sip | sip dip-dport]

Step 12. In SLB virtual server configuration command mode, optionally configure the sticky entry timeout value for this virtual server.
    Command(s): sticky timeout timeperiod

Step 13. In global configuration command mode, optionally allow specific clients to access the load balancing real servers in a particular LSNAT server farm without address translation.
    Command(s): ip slb real-server access client client-ip-address {ip-prefix | mask}

Step 14. In router command mode, optionally clear sticky entries or remove bindings.
    Command(s): clear ip slb {sticky | bindings} {all | id id | match {sip | *} {sport | *} {dip | *} {dport | *}}


Configuring Global Settings


Table 3 describes how to configure LSNAT global settings.

Table 3 Configuring LSNAT Global Settings

Task: In global configuration command mode, optionally specify a non-default FTP control port for all virtual servers. (Default = 21).
    Command(s): ip slb ftpctrlport port-number

Task: In global configuration command mode, optionally specify a non-default TFTP control port for all virtual servers. (Default = 69).
    Command(s): ip slb tftpctrlport port-number

Task: In global configuration command mode, optionally allow all clients to directly access all services provided by real servers, except for those services configured for server load balancing.
    Command(s): ip slb real-server access unrestricted

Task: In global configuration command mode, allow specific client networks to access the real servers without address translation.
    Command(s): ip slb real-server access client client-ip-address {ip-prefix | mask}

Displaying LSNAT Configuration Information and Statistics


Table 4 describes how to display LSNAT configuration information and statistics.

Table 4 Displaying LSNAT Configurations and Statistics

Task: Display the specified or all server farm configurations.
    Command(s): show ip slb serverfarms [detail | serverfarmname]

Task: Display all real server configurations for this system or those for the specified server farm.
    Command(s): show ip slb reals [detail | serverfarm serverfarmname [detail]]

Task: Display all or the specified virtual servers for this system.
    Command(s): show ip slb vservers [detail | virtserver-name]

Task: Display server load balancing statistics.
    Command(s): show ip slb statistics

Task: Display SLB bindings.
    Command(s): show ip slb bindings {match [ip-address | *] | id id | summary}

Task: Display LSNAT configuration information.
    Command(s): show ip slb info

Task: Display active server load balancing sticky mode connections.
    Command(s): show ip slb sticky {match sip port dip port | id id | summary}

Task: Display sticky statistics.
    Command(s): show ip slb statistics-sticky


LSNAT Configuration Example


This section provides an enterprise LSNAT configuration example that includes five server farms. These server farms can be logically thought of as either product-based or enterprise internal server farms. The product-based server farms are accessible to the general public. The enterprise internal server farms are accessible only to enterprise employees. The myproduct HTTP and FTP server farms provide the product-based services. The myinternal HTTP, FTP, and SMTP server farms provide enterprise internal services.

Product-Based and Enterprise Internal Domains


The HTTP and FTP domains providing public access to the product-based server farms are:
- www.myproduct.com
- ftp.myproduct.com

The HTTP, FTP, and SMTP domains providing employee access to the enterprise internal server farms are:
- www.myinternal.com
- ftp.myinternal.com
- smtp.myinternal.com

Server Farms
For both the public product-based and enterprise internal server farms, the enterprise IT clients will have direct access to the servers without any address translation required. All other clients that have access rights to these server farms will be address translated.

Product-Based HTTP Server Farm


The product-based HTTP server farm, real server and virtual server configuration will:
- Handle HTTP requests from the general public using the www.myproduct.com domain.
- Load balance HTTP services across the three real servers associated with www.myproduct.com, using the weighted round robin selection process with a ratio of 3:2:2. The weighted round robin selection process takes into account the resource differences between the three servers.
- Use Application Content Verification TCP failure detection.
- Use the VIP 194.56.12.2 port 80.

Product-Based FTP Server Farm


The product-based FTP server farm, real server and virtual server configuration will:
- Handle FTP requests from the general public using the ftp.myproduct.com domain.
- Load balance FTP services using the least connections predictor across two real servers.
- Use both ping and TCP application failure detection.
- Use the VIP 194.56.12.2 port 21.


Enterprise Internal HTTP Server Farm


The enterprise internal HTTP server farm, real server and virtual server configuration will:
- Handle HTTP requests from enterprise employees using the www.myinternal.com domain.
- Load balance HTTP services across two real servers, using the simple round robin selection process.
- Use Application Content Verification TCP failure detection.
- Use the VIP 194.56.13.3 port 80.

Enterprise Internal FTP Server Farm


The enterprise internal FTP server farm, real server and virtual server configuration will:
- Handle FTP requests from enterprise employees using the ftp.myinternal.com domain.
- Load balance FTP services using the least connections predictor across two real servers.
- Use both ping and TCP application failure detection.
- Use the VIP 194.56.13.3 port 21.

Enterprise Internal SMTP Server Farm


The enterprise internal SMTP server farm, real server and virtual server configuration will:
- Handle SMTP requests from the enterprise employees using the smtp.myproduct.com domain.
- Load balance SMTP services across two real servers, using the simple round robin selection process.
- Use both the ping and TCP application failure detection.
- Use the VIP 194.56.13.3 port 25.

See Figure 3 on page 18 for a presentation of this LSNAT configuration.


Figure 3 LSNAT Configuration Example


Configuring the myproductHTTP Server Farm and Real Servers


Configure the myproductHTTP server farm by:
- Naming the server farm myproductHTTP
- Configuring round robin as the load balancing algorithm for this server farm (weight will be configured during real server configuration)

Configure the real servers on the myproductHTTP server farm by:
- Configuring the following real servers: 10.10.10.1:80, 10.10.10.2:80, and 10.10.10.3:80
- Configuring the HTTP servers for Application Content Verification TCP error handling
- Configuring a faildetect command string, reply string, and read-till-index value for each HTTP server
- Configuring weight for each real server
- Enabling each real server by placing each server in service


Note: We will not modify the maximum number of active connections allowed on any real server for this configuration example.

myproductHTTP Server Farm and Real Server CLI Input


System(rw)->configure
System(rw-config)->ip slb serverfarm myproductHTTP
System(rw-config-slb-sfarm)->predictor roundrobin
System(rw-config-slb-sfarm)->real 10.10.10.1 port 80
System(rw-config-slb-real)->faildetect type acv
System(rw-config-slb-real)->faildetect acv-command HEAD / HTTP/1.1\\r\\nHost: www.myproduct.com\\r\\n\\r\\n
System(rw-config-slb-real)->faildetect acv-reply 200 OK
System(rw-config-slb-real)->faildetect read-till-index 100
System(rw-config-slb-real)->weight 3
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit
System(rw-config-slb-sfarm)->real 10.10.10.2 port 80
System(rw-config-slb-real)->faildetect type acv
System(rw-config-slb-real)->faildetect acv-command HEAD / HTTP/1.1\\r\\nHost: www.myproduct.com\\r\\n\\r\\n
System(rw-config-slb-real)->faildetect acv-reply 200 OK
System(rw-config-slb-real)->faildetect read-till-index 100
System(rw-config-slb-real)->weight 2
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit
System(rw-config-slb-sfarm)->real 10.10.10.3 port 80
System(rw-config-slb-real)->faildetect type acv


System(rw-config-slb-real)->faildetect acv-command HEAD / HTTP/1.1\\r\\nHost: www.myproduct.com\\r\\n\\r\\n
System(rw-config-slb-real)->faildetect acv-reply 200 OK
System(rw-config-slb-real)->faildetect read-till-index 100
System(rw-config-slb-real)->weight 2
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit
System(rw-config-slb-sfarm)->exit
System(rw-config)->

Configuring myproduct-80 Virtual Server


Configure the virtual server for the myproductHTTP server farm by:
- Naming the virtual server myproduct-80
- Associating the virtual server with the myproductHTTP server farm
- Assigning the virtual server IP address with the TCP protocol for www (port 80)
- Setting the idle timeout value of 360 seconds
- Placing the virtual server in service

myproduct-80 Virtual Server CLI Input


System(rw-config)->ip slb vserver myproduct-80
System(rw-config-slb-vserver)->serverfarm myproductHTTP
System(rw-config-slb-vserver)->virtual 194.56.12.2 tcp www
System(rw-config-slb-vserver)->idle timeout 360
System(rw-config-slb-vserver)->inservice
System(rw-config-slb-vserver)->exit
System(rw-config)->
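As an added illustration (not the switch's code), this Python models the myproductHTTP farm configured above: three reals at weights 3:2:2 under the roundrobin predictor, the leastconns predictor used by the FTP farms, and the sticky type and sticky timeout options from Procedure 3. The class names, the sticky entry being refreshed on use, and the order in which weighted picks interleave are assumptions; the page guarantees only the 3:2:2 ratio over each cycle.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RealServer:
    ip: str
    port: int
    weight: int = 1        # `weight weight-number`, used only by roundrobin
    inservice: bool = True
    active: int = 0        # sessions currently bound, used by leastconns


class ServerFarm:
    """Models `ip slb serverfarm <name>` with `predictor roundrobin | leastconns`."""

    def __init__(self, name: str, predictor: str = "roundrobin") -> None:
        if predictor not in ("roundrobin", "leastconns"):
            raise ValueError("predictor must be roundrobin or leastconns")
        self.name, self.predictor = name, predictor
        self.reals: List[RealServer] = []
        self._rr_pos = 0   # cursor into the weighted ring (assumed ordering)

    def real(self, ip: str, port: int, weight: int = 1) -> "ServerFarm":
        self.reals.append(RealServer(ip, port, weight))
        return self

    def select(self) -> RealServer:
        up = [r for r in self.reals if r.inservice]
        if not up:
            raise RuntimeError(f"server farm {self.name}: no real server in service")
        if self.predictor == "leastconns":
            return min(up, key=lambda r: r.active)        # ties: first configured
        # Weighted round robin: each real appears `weight` times per cycle,
        # so weights 3:2:2 give 3, 2 and 2 sessions out of every 7.
        ring = [r for r in up for _ in range(r.weight)]
        chosen = ring[self._rr_pos % len(ring)]
        self._rr_pos += 1
        return chosen


class VirtualServer:
    """Models `ip slb vserver` with `sticky type [sip | sip dip-dport]` and
    `sticky timeout`. Sticky entries are refreshed each time they are used
    (an assumed simplification of the age-out rule for entries with no bindings)."""

    def __init__(self, name: str, farm: ServerFarm, sticky_type: Optional[str] = None,
                 sticky_timeout: int = 7200) -> None:
        if sticky_type not in (None, "sip", "sip dip-dport"):
            raise ValueError("sticky type must be sip or sip dip-dport")
        self.name, self.farm = name, farm
        self.sticky_type, self.sticky_timeout = sticky_type, sticky_timeout
        self.sticky: Dict[Tuple[str, ...], Tuple[RealServer, float]] = {}

    def _sticky_key(self, sip: str, dip: str, dport: int) -> Optional[Tuple[str, ...]]:
        if self.sticky_type == "sip":
            return (sip,)
        if self.sticky_type == "sip dip-dport":
            return (sip, dip, str(dport))
        return None

    def bind(self, sip: str, dip: str, dport: int, now: float) -> RealServer:
        """Pick the real server for a new client session arriving at time `now`."""
        key = self._sticky_key(sip, dip, dport)
        if key is not None:
            entry = self.sticky.get(key)
            if entry and entry[0].inservice and now - entry[1] <= self.sticky_timeout:
                self.sticky[key] = (entry[0], now)   # still sticky: reuse it
                entry[0].active += 1
                return entry[0]
        real = self.farm.select()                    # otherwise ask the predictor
        if key is not None:
            self.sticky[key] = (real, now)
        real.active += 1
        return real


def myproduct_http(sticky_type: Optional[str] = None) -> VirtualServer:
    """The myproductHTTP farm and myproduct-80 vserver from the example above;
    the page's vserver has no sticky type, it is a parameter here for the demo."""
    farm = (ServerFarm("myproductHTTP", "roundrobin")
            .real("10.10.10.1", 80, weight=3)
            .real("10.10.10.2", 80, weight=2)
            .real("10.10.10.3", 80, weight=2))
    return VirtualServer("myproduct-80", farm, sticky_type=sticky_type)
```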

Configuring the myproductFTP Server Farm and Real Servers


Configure the myproductFTP server farm by:
- Naming the server farm myproductFTP
- Configuring least connections as the load balancing algorithm for this server farm

Configure the real servers on the myproductFTP server farm by:
- Configuring the following real servers: 10.10.10.4:21 and 10.10.10.5:21
- Configuring the FTP servers for both ping and TCP port service verification
- Enabling each real server by placing each server in service


Notes: We will not modify the maximum number of active connections allowed on any real server for this configuration example.


myproductFTP Server Farm and Real Server CLI Input


System(rw-config)->ip slb serverfarm myproductFTP
System(rw-config-slb-sfarm)->predictor leastconns
System(rw-config-slb-sfarm)->real 10.10.10.4 port 21
System(rw-config-slb-real)->faildetect type both
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit
System(rw-config-slb-sfarm)->real 10.10.10.5 port 21
System(rw-config-slb-real)->faildetect type both
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit

Configuring myproduct-21 Virtual Server


Configure the virtual server for the myproductFTP server farm by:
- Globally setting the FTP control port for all virtual servers to 21
- Naming the virtual server myproduct-21
- Associating the virtual server with the myproductFTP server farm
- Assigning the virtual server IP address, TCP protocol, and FTP service
- Setting the idle timeout value of 360 seconds
- Placing the virtual server in service

myproductFTP Virtual Server CLI Input


System(rw-config)->ip slb ftpctrlport 21
System(rw-config)->ip slb vserver myproduct-21
System(rw-config-slb-vserver)->serverfarm myproductFTP
System(rw-config-slb-vserver)->virtual 194.56.12.2 tcp ftp
System(rw-config-slb-vserver)->idle timeout 360
System(rw-config-slb-vserver)->inservice
System(rw-config-slb-vserver)->exit
System(rw-config)->

Configuring the myinternalHTTP Server Farm and Real Servers


Configure the myinternalHTTP server farm by:
- Naming the server farm myinternalHTTP
- Configuring simple round robin as the load balancing algorithm for this server farm

Configure the real servers on the myinternal server farm by:
- Configuring the following real servers: 10.10.10.8:80 and 10.10.10.9:80
- Configuring the HTTP servers for Application Content Verification TCP error handling


- Configuring a faildetect command string, reply string, and read-till-index value for each HTTP server
- Enabling each real server by placing each server in service

myinternalHTTP Server Farm and Real Server CLI Input


System(rw-config)->ip slb serverfarm myinternalHTTP
System(rw-config-slb-sfarm)->predictor roundrobin
System(rw-config-slb-sfarm)->real 10.10.10.8 port 80
System(rw-config-slb-real)->faildetect type acv
System(rw-config-slb-real)->faildetect acv-command HEAD / HTTP/1.1\\r\\nHost: www.myinternalHTTP.com\\r\\n\\r\\n
System(rw-config-slb-real)->faildetect acv-reply 200 OK
System(rw-config-slb-real)->faildetect read-till-index 100
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit
System(rw-config-slb-sfarm)->real 10.10.10.9 port 80
System(rw-config-slb-real)->faildetect type acv
System(rw-config-slb-real)->faildetect acv-command HEAD / HTTP/1.1\\r\\nHost: www.myinternalHTTP.com\\r\\n\\r\\n
System(rw-config-slb-real)->faildetect acv-reply 200 OK
System(rw-config-slb-real)->faildetect read-till-index 100
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit
System(rw-config-slb-sfarm)->exit
System(rw-config)->

Configuring myinternal-80 Virtual Server


Configure the virtual server for the myinternalHTTP server farm by:
- Naming the virtual server myinternal-80
- Associating the virtual server with the myinternalHTTP server farm
- Assigning the virtual server IP address with the idle timeout value of 360 seconds
- Placing the virtual server in service

myinternal-80 Virtual Server CLI Input


System(rw-config)->ip slb vserver myinternal-80
System(rw-config-slb-vserver)->serverfarm myinternalHTTP
System(rw-config-slb-vserver)->virtual 194.56.13.3 tcp www
System(rw-config-slb-vserver)->idle timeout 360
System(rw-config-slb-vserver)->inservice
System(rw-config-slb-vserver)->


Configuring the myinternalFTP Server Farm and Real Servers


Configure the myinternalFTP server farm by:
- Naming the server farm myinternalFTP
- Configuring least connections as the load balancing algorithm for this server farm

Configure the real servers on the myinternalFTP server farm by:
- Configuring the following real servers: 10.10.10.10:21 and 10.10.10.11:21
- Configuring the FTP servers for both ping and TCP port service verification
- Enabling each real server by placing each server in service

myinternalFTP Server Farm and Real Servers CLI Input


System(rw-config)->ip slb serverfarm myinternalFTP
System(rw-config-slb-sfarm)->predictor leastconns
System(rw-config-slb-sfarm)->real 10.10.10.10 port 21
System(rw-config-slb-real)->faildetect type both
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit
System(rw-config-slb-sfarm)->real 10.10.10.11 port 21
System(rw-config-slb-real)->faildetect type both
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit
System(rw-config-slb-sfarm)->exit
System(rw-config)->

Configuring myinternal-21 Virtual Server


Configure the virtual server for the myinternalFTP server farm by:
- Naming the virtual server myinternal-21
- Associating the virtual server with the myinternalFTP server farm
- Assigning the virtual server IP address with the idle timeout value of 360 seconds
- Placing the virtual server in service

myinternal-21 Virtual Server CLI Input


System(rw-config)->ip slb vserver myinternal-21
System(rw-config-slb-vserver)->serverfarm myinternalFTP
System(rw-config-slb-vserver)->virtual 194.56.13.3 tcp 21
System(rw-config-slb-vserver)->idle timeout 360
System(rw-config-slb-vserver)->inservice
System(rw-config-slb-vserver)->exit
System(rw-config)->


Configuring the myinternalSMTP Server Farm and Real Servers


Configure the myinternalSMTP server farm by:
- Naming the server farm myinternalSMTP
- Configuring simple round robin as the load balancing algorithm for this server farm

Configure the real servers on the myinternalSMTP server farm by:
- Configuring the following real servers: 10.10.10.6:25 and 10.10.10.7:25
- Configuring the SMTP servers for both ping and TCP port service verification
- Enabling each real server by placing each server in service


Notes: We will not modify the maximum number of active connections allowed on any real server for this configuration example.

myinternalSMTP Server Farm and Real Servers CLI Input


System(rw-config)->ip slb serverfarm myinternalSMTP
System(rw-config-slb-sfarm)->predictor roundrobin
System(rw-config-slb-sfarm)->real 10.10.10.6 port 25
System(rw-config-slb-real)->faildetect type both
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit
System(rw-config-slb-sfarm)->real 10.10.10.7 port 25
System(rw-config-slb-real)->faildetect type both
System(rw-config-slb-real)->inservice
System(rw-config-slb-real)->exit

Configuring myinternal-25 Virtual Server


Configure the virtual server for the myinternalSMTP server farm by:
- Naming the virtual server myinternal-25
- Associating the virtual server with the myinternalSMTP server farm
- Assigning the virtual server IP address with the idle timeout value of 360 seconds
- Placing the virtual server in service

myinternal-25 Virtual Server CLI Input


System(rw-config)->ip slb vserver myinternal-25
System(rw-config-slb-vserver)->serverfarm myinternalSMTP
System(rw-config-slb-vserver)->virtual 194.56.13.3 tcp 25
System(rw-config-slb-vserver)->idle timeout 360
System(rw-config-slb-vserver)->inservice
System(rw-config-slb-vserver)->exit
System(rw-config)->


This completes the LSNAT configuration example.

Terms and Definitions


Table 5 lists terms and definitions used in this LSNAT configuration discussion.

Table 5 LSNAT Configuration Terms and Definitions

Application Content Verification (ACV): A failure detection LSNAT feature that assures that the server application is running before beginning a session.
binding: A resource that tracks a connection from client to the LSNAT router and from the LSNAT router to the real server.
least connections: A load balancing algorithm that assigns sessions based upon the server in the pool with the least current active sessions assigned.
load balancing: An LSNAT feature that assigns sessions over multiple real servers based upon a configured predictor.
LSNAT: LSNAT is a load balancing routing feature that provides load sharing between multiple servers grouped into server farms. LSNAT can be tailored to individual services or all services.
port service verification: A failure detection LSNAT feature that assures that the port is in an up state before beginning a session.
predictor: A load balancing (sharing) algorithm such as round robin, weighted round robin and least connection.
real server: The actual physical server that provides the services requested by the client.
request packet: A data packet sent by the client to the virtual server requesting services.
response packet: A data packet sent by the real server to the service requesting client.
server farm: A logical entity of multiple real servers that faces the client through a virtual server.
session sticky type: The concept that the client will be directed to the same physical server for the duration of a session based upon a configured binding type (TCP, SIP, or SIP DPORT).
simple round robin: A load balancing algorithm that assigns sessions based upon an equal weight ordering of the servers. When all servers in the ordering have been assigned a session, the algorithm returns to the first server in the server list.
sticky mode: An LSNAT feature that assures all service requests from a particular client will be directed to the same real server for that session.
Virtual IP (VIP) address: The IP address of the LSNAT virtual server that functions as the public face of the real server.
virtual server: A logical entity that the client interacts with by acting as the public face for the real server.
weighted round robin: A load balancing algorithm that assigns sessions based upon the configured server weight. For instance, if there are two servers the first of which has a weight of 2 and the second has a weight of 3, then for every 5 sessions, the first will be assigned 2 sessions and the second will be assigned 3 sessions.


Revision History
Date         Description
11/14/2008   New document.
04/16/2009   Added 256MB minimum memory requirement on all modules statement.
09/08/2010   Updated for S-Series. Added new resource-limits table.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.
Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810
© 2010 Enterasys Networks, Inc. All rights reserved.
ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, ENTERASYS S-SERIES and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.


Configuring Multicast
This document provides information about configuring and monitoring multicast on Enterasys Matrix N-Series, Enterasys SecureStack, D-Series, G-Series, and I-Series devices.
Note: For information on Enterasys Matrix X-Series support, refer to the Enterasys Matrix X Secure Core Router Configuration Guide.

For information about...                          Refer to page...
What Is Multicast?                                1
Why Would I Use Multicast in My Network?          1
How Do I Implement Multicast?                     2
Understanding Multicast                           2
Configuring Multicast                             15

What Is Multicast?
Multicast is a one source to many destinations method of simultaneously sending information over a network using the most efficient delivery strategy over each link. Only the end stations that explicitly indicate a need to receive a given multicast stream will receive it.
Applications that take advantage of multicast include video conferencing, streaming video, corporate communications, distance learning, and distribution of software, stock quotes, and news.
Multicast technology includes the following protocols:
- Internet Group Management Protocol (IGMP)
- Distance Vector Multicast Routing Protocol (DVMRP)
- Protocol Independent Multicast (PIM)

Why Would I Use Multicast in My Network?


Unlike unicast and broadcast, multicast uses network infrastructure efficiently because only one copy of the source traffic is sent throughout the network, going only to interested receivers, minimizing the burden placed on the sender, network, and receiver. The routers in the network take care of replicating the packet, where necessary, to reach multiple receivers. If a router decides that there are no interested users downstream from itself, it prunes the stream back to the next router. Thus, unwanted streams are not sent to the pruned routers, saving bandwidth and preventing unwanted packets from being sent.

April 16, 2009

Page 1 of 32


How Do I Implement Multicast?


You can implement the IGMP, DVMRP, and PIM multicast protocols on Enterasys devices using simple CLI commands as described in this document. A basic configuration process involves the following tasks:
1. Configuring the VLANs and IP interfaces on which you want to transmit multicast.
2. Enabling the multicast protocol(s) on configured interfaces.

For PIM, you must also configure a unicast routing protocol, such as OSPF.

Understanding Multicast
As described in the preceding overview, multicast allows a source to send a single copy of data using a single IP address from a well-defined range for an entire group of recipients (a multicast group). A source sends data to a multicast group by simply setting the destination IP address of the datagram to be the multicast group address. Sources do not need to register in any way before they can begin sending data to a group, and do not need to be members of the group themselves. Routers between the source and recipients use the group address to route the data, forwarding duplicate data packets only when the path to recipients diverges.
Hosts that wish to receive data from the multicast group join the group by sending a message to a multicast router on a local interface, using a multicast group membership discovery protocol, such as IGMP. For more information, see Internet Group Management Protocol (IGMP) on page 2.
Multicast routers communicate among themselves using a multicast routing protocol, such as DVMRP or PIM-SM. These protocols calculate a multicast distribution tree of recipients to ensure that:
- multicast traffic reaches all recipients that have joined the multicast group
- multicast traffic does not reach networks that do not have any such recipients (unless the network is a transit network on the way to other recipients)
- the number of identical copies of the same data flowing over the same link is minimized.

For more information, see Distance Vector Multicast Routing Protocol (DVMRP) on page 5 and Protocol Independent Multicast (PIM) on page 10.

Internet Group Management Protocol (IGMP)


Overview
Group membership management is fundamental to the multicasting process. An arbitrary group of receivers can express interest in receiving a particular multicast stream, regardless of the physical or geographical boundaries of its members.
The purpose of IP multicast group management is to optimize a switched network's performance so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast switch devices instead of flooding to all ports in the subnet (VLAN).


IGMP uses three key components to control multicast membership:
- Source: A server that sends an IP multicast data stream with a particular multicast destination IP and MAC address. A server may not have direct IGMP involvement, as it often does not receive a multicast stream, but only sends a multicast stream.
- Querier: A device that periodically sends out queries in search of multicast hosts on a directly connected network. If multiple queriers are present on the LAN, the querier with the lowest IP address assumes the role.
- Host: A client end station that sends one of two IGMP messages to a querier:
  - Join message: Indicates the host wants to receive transmissions associated to a particular multicast group.
  - Leave message: Indicates the host wants to stop receiving the multicast transmissions.

Figure 1 IGMP Querier Determining Group Membership
(Figure labels: IGMP Querier, IGMP Query, IGMP Membership Router for 224.1.1.1, IGMP Membership Router for 226.7.8.9, Member of 224.1.1.1, Member of 226.7.8.9.)

As shown in Figure 1, a multicast-enabled device can periodically ask its hosts if they want to receive multicast traffic. If there is more than one device on the LAN performing IP multicasting, one of these devices is elected querier and assumes the responsibility of querying the LAN for group members.
Based on the group membership information learned from IGMP, a device can determine which (if any) multicast traffic needs to be forwarded to each of its ports. At Layer 3, multicast switch devices use this information, along with a multicast routing protocol, to support IP multicasting across the Internet.
IGMP provides the final step in IP multicast delivery. It is only concerned with forwarding multicast traffic from the local switch device to group members on a directly attached subnetwork or LAN segment.
IGMP neither alters nor routes any IP multicast packets. Since IGMP is not concerned with the delivery of IP multicast packets across subnetworks, an external IP multicast device is needed if IP multicast packets have to be routed across different subnetworks.


IGMP Support on Enterasys Devices


Enterasys devices implement IGMP version 2 (RFC 2236), which includes interoperability with version 1 hosts. IGMP version 1 is defined in RFC 1112.
Depending on your Enterasys device, IGMP can be configured independently at the switch level (Layer 2) and at the router level (Layer 3).
Enterasys devices support IGMP as follows:
- Passively snooping on the IGMP query and IGMP report packets transferred between IP multicast switches and IP multicast host groups to learn IP multicast group members. Each Layer 2 device records which ports IGMP packets are received on, depending on the kind of IGMP message, so multicast data traffic is not flooded across every port on the VLAN when it is received by the switch.
  IGMP snooping is disabled by default on Enterasys devices. You can automatically enable it using the set igmp enable command on Enterasys Matrix N-Series devices or the set igmpsnooping adminmode command for SecureStack and D-Series, G-Series, and I-Series devices as described in Configuring IGMP on page 15.
- Actively sending IGMP query messages to learn locations of multicast switches and member hosts in multicast groups within each VLAN.
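As an added example (not Enterasys code), the following Python builds and validates the IGMPv2 messages defined in RFC 2236 that a snooping switch sees (query, v1 and v2 membership report, leave), applies the lowest-IP querier election rule from the previous section, and keeps a per-group record of the ports on which reports arrived, which is the snooping behaviour the passage describes. The port names, the sample packets and the SnoopTable class are constructed for this illustration.

```python
import socket
import struct
from typing import Dict, List, Set

# IGMPv2 message types (RFC 2236); 0x12 is the IGMPv1 report kept for
# interoperability with version 1 hosts.
IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17
TYPE_NAMES = {IGMP_QUERY: "membership query", IGMP_V1_REPORT: "v1 membership report",
              IGMP_V2_REPORT: "v2 membership report", IGMP_LEAVE: "leave group"}
HEADER = struct.Struct("!BBH4s")   # type, max resp time, checksum, group address


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's complement sum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def is_multicast(ip: str) -> bool:
    return 224 <= int(ip.split(".")[0]) <= 239


def build_igmpv2(msg_type: int, group: str, max_resp_time: int = 0) -> bytes:
    """Encode an 8-byte IGMPv2 message; max_resp_time is in 1/10 s units and
    only meaningful in queries (a general query uses group 0.0.0.0)."""
    body = HEADER.pack(msg_type, max_resp_time, 0, socket.inet_aton(group))
    return HEADER.pack(msg_type, max_resp_time, inet_checksum(body),
                       socket.inet_aton(group))


def parse_igmpv2(pkt: bytes) -> Dict[str, object]:
    """Decode and validate: length, checksum, known type, and a multicast
    group address in reports and leaves. Anything else is rejected rather
    than being allowed to change the membership table."""
    if len(pkt) < HEADER.size:
        raise ValueError("short IGMP message")
    if inet_checksum(pkt[:HEADER.size]) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, mrt, _csum, raw_group = HEADER.unpack(pkt[:HEADER.size])
    if msg_type not in TYPE_NAMES:
        raise ValueError("unknown IGMP type 0x%02x" % msg_type)
    group = socket.inet_ntoa(raw_group)
    if msg_type != IGMP_QUERY and not is_multicast(group):
        raise ValueError("group %s is not a multicast address" % group)
    return {"type": TYPE_NAMES[msg_type], "max_resp_time": mrt / 10.0, "group": group}


def elect_querier(router_ips: List[str]) -> str:
    """If several queriers share the LAN, the lowest IP address (compared
    numerically, not as a string) assumes the role."""
    return min(router_ips, key=lambda ip: struct.unpack("!I", socket.inet_aton(ip))[0])


class SnoopTable:
    """Per-group record of the ports on which reports arrived, so multicast
    data is forwarded only to those ports instead of flooding the VLAN.
    Port names such as ge.1.1 are constructed for the example."""

    def __init__(self) -> None:
        self._members: Dict[str, Set[str]] = {}

    def observe(self, port: str, pkt: bytes) -> None:
        msg = parse_igmpv2(pkt)          # invalid packets raise ValueError; drop them
        group = str(msg["group"])
        if msg["type"] in ("v1 membership report", "v2 membership report"):
            self._members.setdefault(group, set()).add(port)
        elif msg["type"] == "leave group":
            self._members.get(group, set()).discard(port)

    def members(self, group: str) -> Set[str]:
        return set(self._members.get(group, set()))
```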

Example: Sending a Multicast Stream


Figure 2 Sending a Multicast Stream with No Directly Attached Hosts

[Figure: a Multicast Server sends a stream into Switch 1 (1), which floods it to Router 1 and Router 2 (2). Router 1 and Host 1 on Network A perform a solicited join (3, 4, 5). Router 2 and Host 2 perform an unsolicited join followed later by an IGMP leave (6, 7, 8).]
Figure 2 provides an example of IGMP processing on Enterasys devices when there are no directly attached hosts.

1. A single IP multicast server, with no directly attached hosts, sends a multicast stream into the network via Switch 1.

2. Because IGMP snooping is disabled, Switch 1 floods the multicast stream to all ports, which are linked to Router 1 and Router 2.


3. Each router performs an IGMP forwarding check to see if there are any hosts that want to join the multicast group on its locally attached network. Each router drops multicast packets until a host joins the group using one of the following messages:

   • Solicited join (sent in response to an IGMP query produced by the router's interface). In Figure 2, this type of exchange occurs between Router 1 and Host 1 when:
     (3) Router 1 sends a query to potential Host 1.
     (4) Host 1 responds with a join message.
     (5) Router 1 forwards the multicast stream.

   • Unsolicited join (sent as a request without receiving an IGMP query first). In Figure 2, this type of exchange occurs between Router 2 and Host 2 when:
     (6) Host 2 sends a join message to Router 2.
     (7) Router 2 forwards the multicast stream to Host 2.
     (8) When it no longer wants to receive the stream, Host 2 can do one of the following:
         - Send a leave message to Router 2.
         - Time out the IGMP entry by not responding to further queries from Router 2.
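To make the IGMPv2 message format and the snooping behaviour described above concrete, here is an added example (it is not code from the Enterasys guide). It encodes and decodes the fixed 8-byte IGMPv2 message of RFC 2236 with the standard Internet checksum, then feeds constructed messages, as a switch would see them arriving on its ports, into a toy per-VLAN snooping table: a report marks the receiving port as a group member, a query marks it as a router (querier) port, and a leave removes it. The port names, VLAN ID and group addresses are made up for the illustration. One simplification is labelled in the code: a real switch keeps the port in the group until the querier's group-specific query goes unanswered, while this table removes it on the leave itself.

```python
"""IGMPv2 (RFC 2236) encode/decode plus a toy IGMP snooping table.

Added example, not part of the Enterasys guide. Port names, VLAN IDs and
group addresses used in demo() are constructed for illustration.
"""
import ipaddress
import struct
from collections import defaultdict

# IGMPv2 message types (RFC 2236 section 2.1)
IGMP_QUERY = 0x11       # Membership Query (group 0.0.0.0 = general query)
IGMP_V1_REPORT = 0x12   # IGMPv1 Membership Report (a v2 device must accept it)
IGMP_V2_REPORT = 0x16   # IGMPv2 Membership Report ("join")
IGMP_LEAVE = 0x17       # Leave Group

IGMP_FMT = "!BBHI"      # type, max resp time, checksum, group address


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp_time: int = 0) -> bytes:
    """Encode the 8-byte IGMPv2 message with a valid checksum."""
    addr = int(ipaddress.IPv4Address(group))
    unchecked = struct.pack(IGMP_FMT, msg_type, max_resp_time, 0, addr)
    return struct.pack(IGMP_FMT, msg_type, max_resp_time,
                       inet_checksum(unchecked), addr)


def parse_igmpv2(data: bytes):
    """Decode (type, max_resp_time, group); reject short or corrupted messages."""
    if len(data) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if inet_checksum(data[:8]) != 0:        # a valid message checksums to zero
        raise ValueError("bad IGMP checksum")
    msg_type, mrt, _csum, addr = struct.unpack(IGMP_FMT, data[:8])
    return msg_type, mrt, str(ipaddress.IPv4Address(addr))


class SnoopingTable:
    """What a Layer 2 switch learns from the IGMP it sees on its ports.

    Reports mark the receiving port as a member of (vlan, group); queries mark
    the receiving port as leading to the querier (a router port), so group
    data is also sent there for onward routing.
    """

    def __init__(self):
        self.members = defaultdict(set)       # (vlan, group) -> {ports}
        self.router_ports = defaultdict(set)  # vlan -> {ports}

    def observe(self, vlan: int, port: str, data: bytes) -> None:
        msg_type, _mrt, group = parse_igmpv2(data)
        if msg_type == IGMP_QUERY:
            self.router_ports[vlan].add(port)
        elif msg_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
            self.members[(vlan, group)].add(port)
        elif msg_type == IGMP_LEAVE:
            # Simplification ("fast leave"): a real switch keeps the port until
            # the querier's group-specific query gets no report back.
            self.members[(vlan, group)].discard(port)
            if not self.members[(vlan, group)]:
                del self.members[(vlan, group)]

    def forward_ports(self, vlan: int, group: str) -> set:
        """Ports a data frame for `group` on `vlan` is forwarded to."""
        return (self.members.get((vlan, group), set())
                | self.router_ports.get(vlan, set()))


def demo() -> list:
    """Constructed traffic: a querier on ge.1.1, two hosts joining, one leaving."""
    table = SnoopingTable()
    table.observe(10, "ge.1.1", build_igmpv2(IGMP_QUERY, "0.0.0.0", max_resp_time=100))
    table.observe(10, "ge.1.5", build_igmpv2(IGMP_V2_REPORT, "239.1.1.1"))
    table.observe(10, "ge.1.6", build_igmpv2(IGMP_V2_REPORT, "239.1.1.1"))
    table.observe(10, "ge.1.6", build_igmpv2(IGMP_LEAVE, "239.1.1.1"))
    return sorted(table.forward_ports(10, "239.1.1.1"))


if __name__ == "__main__":
    print(demo())   # ['ge.1.1', 'ge.1.5']
```

Without the table, the frame for 239.1.1.1 would be flooded to every port in VLAN 10, which is exactly the step 2 behaviour of Figure 2 when snooping is disabled; with it, only the remaining member port and the querier port receive the stream.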

Distance Vector Multicast Routing Protocol (DVMRP)


Overview
DVMRP, which is used for routing multicast within a single autonomous system, is designed to be used as an interior gateway protocol (IGP) within a multicast domain. It is a distance-vector routing protocol that relies on IGMP functionality to provide connectionless datagram delivery to a group of hosts across a network.

DVMRP routes multicast traffic using a technique known as reverse path forwarding (RPF). When a router receives IP multicast packets, it first does an RPF check to determine if the packets were received on the correct interface, that is, the interface the router itself would use to reach the source.

If so, the router forwards the packets out to the following:

• Local IGMP receivers for that group on interfaces for which the transmitting router is the designated forwarder.

• Neighbor routers that have indicated their dependence on the transmitting router for forwarding multicast packets from that source (this is determined during DVMRP route exchange) and from which the transmitting router has not received any prune messages.

If not, the packets are discarded by the router. The transmitting router does not forward the packets back to the source.

If a router is attached to a set of VLANs that do not want to receive from a particular multicast group, the router can send a prune message back up the distribution tree to stop subsequent packets from traveling where there are no members. DVMRP periodically refloods in order to reach any new hosts that want to receive from a particular group.

DVMRP routers dynamically discover their neighbors by sending neighbor probe messages periodically to an IP multicast group address that is reserved for all DVMRP routers.


Key features of DVMRP are the following:

• Uses the well-known multicast IP address 224.0.0.4
• Uses IGMP to exchange routing datagrams
• Does not require an underlying Layer 3 routing protocol to provide a path to remote multicast destinations
• Combines many of the features of the Routing Information Protocol (RIP) with the Truncated Reverse Path Broadcasting (TRPB) algorithm to route multicast packets between sources and receivers

DVMRP Support on Enterasys Devices


Notes: DVMRP is supported on Enterasys Matrix N-Series, SecureStack C2 and C3, and G-Series platforms on which routing has been enabled. On SecureStack C2 and C3 devices and G-Series devices, DVMRP is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license to enable the DVMRP command set.

DVMRP routing is implemented on Enterasys devices as specified in RFC 1075 and draft-ietf-idmr-dvmrp-v3-10.txt.

Enterasys devices support the following DVMRP components:

• Probe Messages for neighbor discovery
• Route Table for maintaining routes to all DVMRP networks
• Route Reports for route exchange with adjacent devices
• Mroute Table for maintaining per-source-group multicast trees
• Prune Messages for terminating multicast delivery trees
• Graft Messages for re-adding pruned multicast delivery trees

Probe Messages
Each DVMRP-enabled interface transmits multicast probe packets to inform other DVMRP routers that it is operational. Probe messages are sent every 10 seconds on every interface running DVMRP. These messages provide:

• A mechanism for DVMRP devices to locate each other. Probe messages contain a list of the neighbors detected for each enabled interface. If no neighbors are found, the network is considered to be a leaf network.

• A mechanism for DVMRP devices to determine the capabilities of neighboring devices. Probe messages contain flags about neighbors' DVMRP capabilities and version compliance.

• A keepalive function for quickly detecting neighbor loss. If a probe message from an adjacent neighbor is not seen within 35 seconds, the neighbor is timed out.


Route Table
Each DVMRP-enabled device builds a DVMRP route table to maintain routes to all networks involved in DVMRP routing. As shown in the following example, the DVMRP route table contains a source network, hop count, route uptime, neighbor expiration time, associated interface, and associated IP address.
matrix(router-config)# show ip dvmrp route
6.0.0.0/8, [70/2], uptime 00:00:29, expires 00:01:51
    via ge.2.1, 1.1.1.1

In this example, network 6.0.0.0/8 is running DVMRP and is 2 hops away, learned from interface ge.2.1, which has the IP address 1.1.1.1.

Route Reports
DVMRP-enabled devices send route report packets to adjacent DVMRP devices every 60 seconds. When a DVMRP device receives one, it checks to verify that the report is from a known neighbor before processing it.

The first time a device sees its own address in a neighbor's probe packet, it sends a unicast copy of its entire routing table to the neighbor to reduce startup time.

The route report packet contains data about all networks/routes of which the sending device is aware. This information is used to determine the reverse path back to a particular multicast source. Every DVMRP device keeps a separate metric associated with each route. This metric is the sum of all interface metrics between the device originating the report and the source network.

DVMRP devices accept route reports for aggregated source networks in accordance with classless inter-domain routing (CIDR). This means that, if a prune or graft is received on a downstream interface for which the source network is aggregated, then a prune or graft should be sent upstream (toward the multicast source).

If a DVMRP device has a large number of DVMRP routes, it will spread route reports across the route update interval (60 seconds) to avoid bottlenecks in processing and route synchronization issues.

For the purpose of pruning, DVMRP needs to know which downstream routers depend on the device for receiving multicast streams. Using poison reverse, the upstream router maintains a table of the source network and all downstream devices that are dependent on the upstream device.

Mroute Table
DVMRP-enabled devices use the mroute table to maintain a source-specific forwarding tree. When a DVMRP device is initialized, it assumes the role of the designated forwarder for all of its locally attached networks. Before forwarding any packets, all devices use IGMP to learn which networks would like to receive particular multicast group streams. In the case of a shared network, the device with the lower interface metric (a configurable value), or, if the metrics are equal, the lower IP address, becomes the designated forwarder.

A DVMRP device forwards multicast packets first by determining the upstream interface, and then by building the downstream interface list. If a downstream router has no hosts for a multicast stream, it sends a prune message to the upstream router. If the upstream router's outbound list is now empty, it may send a prune message to its own upstream router.

If a downstream device has pruned a multicast group that a host would now like to receive, the downstream device must send a DVMRP graft message to its upstream device. The DVMRP graft traverses the source-specific multicast delivery tree up to the device that is receiving this stream.


As shown in the following example, the mroute table displays, for each (source, group) entry, the source IP address and the multicast group address, the uptime of the stream, the incoming interface, and the outgoing interface list.


matrix(router-config)# show ip mroute
Multicast Routing Table
(6.6.6.6, 235.1.1.1), uptime: 00:00:38
  Incoming interface: ge.2.1
  Outgoing interface list:
    ge.2.7
(6.6.6.6, 235.1.1.2), uptime: 00:00:37
  Incoming interface: ge.2.1
  Outgoing interface list:
    ge.2.7

In this example, the device is receiving multicast streams for groups 235.1.1.1 and 235.1.1.2 from source 6.6.6.6 on port ge.2.1. The device forwards both streams out port ge.2.7, the only member of each outgoing interface list.

Prune Messages
If a device receives a datagram that has no IGMP group members present, and all the downstream networks are leaf networks, the device sends a prune packet upstream toward the source of the tree.

When sending a prune upstream, the device:

1. Decides if the upstream neighbor is capable of receiving prunes.
   • If it is not, the sending device proceeds no further.
   • If it is, the sending device proceeds as follows.

2. Stops any pending grafts awaiting acknowledgments.

3. Determines the prune lifetime. This value should be the minimum of the default prune lifetime (randomized to prevent synchronization) and the remaining prune lifetimes of the downstream neighbors.

4. Forms and transmits the packet to the upstream neighbor for the source.

To ensure the prune is accepted, the DVMRP-enabled device sets a negative cache prune entry for three seconds. If the traffic has not stopped after three seconds, the device sends another prune and doubles the cache entry. This method is called exponential backoff. The more prunes that are dropped, the longer the backoff becomes.

After the prune lifetime expires (two hours), the prune transmission process is repeated.

When receiving a prune, the upstream device:

1. Decides if the sending neighbor is known.
   • If the neighbor is unknown, it discards the received prune.
   • If the neighbor is known, the receiving device proceeds as follows.

2. Ensures the prune message contains at least the correct amount of data.

3. Copies the source address, group address, and prune timeout value and, if it is available in the packet, the netmask value, to determine the route to which the prune applies.

4. Determines if there is active source information for the source network, multicast group (S,G) pair.
   • If there is not, the device ignores the prune.
   • If there is, the device proceeds as follows.

5. Verifies that the prune was received from a dependent neighbor for the source network.
   • If it was not, the device discards the prune.
   • If it was, the device proceeds as follows.

6. Determines if a prune is currently active from the same dependent neighbor for this (S,G) pair.
   • If not active, creates state for the new prune and sets a timer for the prune lifetime.
   • If active, resets the timer to the new timeout value.

7. Determines if all dependent downstream devices on the interface from which the prune was received have now sent prunes.
   • If they have not, the interface stays in the forwarding cache entries for this group, because at least one dependent neighbor still needs the traffic.
   • If they have, determines if there are group members active on the interface and if this device is the designated forwarder for the network. If there are no such members, or this device is not the designated forwarder, it removes the interface from all forwarding cache entries for this group instantiated using the route to which the prune applies.

Graft Messages
Leaf devices send graft messages when the following occur:

• A new local member joins a group that has been pruned upstream and this device is the designated forwarder for the source.
• A new dependent downstream device appears on a pruned branch.
• A dependent downstream device on a pruned branch restarts.
• A graft retransmission timer expires before a graft ACK is received.

Graft messages are sent upstream hop by hop until the multicast tree is reached. Since there is no way to tell whether a graft message was lost or the source has stopped sending, each graft message is acknowledged hop by hop.

When sending grafts, the downstream device does the following:

1. Verifies a prune exists for the source network and group.
2. Verifies that the upstream device is capable of receiving prunes (and therefore grafts).
3. Adds the graft to the retransmission timer list awaiting an acknowledgment.
4. Formulates and transmits the graft packet.

When receiving grafts, the upstream device does the following:

1. Verifies whether the neighbor is known.
   • If unknown, discards the received graft.
   • If known, proceeds as follows.

2. Ensures the graft message contains at least the correct amount of data.

3. Sends back a graft ACK to the sender.

4. If the sender was a downstream dependent neighbor from which a prune had previously been received:
   • Removes the prune state for this neighbor.
   • If necessary, updates any forwarding cache entries based on this (source, group) pair to include this downstream interface.

Figure 3 shows the DVMRP pruning and grafting process.

Figure 3 DVMRP Pruning and Grafting

[Figure: a Source sends DVMRP multicast traffic down the tree. The branch toward an Existing Host carries the traffic after its IGMP Join. The branch toward a New Host had been pruned (Prune*) before the new host was added and is re-added with a Graft. * Prune before new host was added.]

Protocol Independent Multicast (PIM)


Overview
PIM dynamically builds a distribution tree for forwarding multicast data on a network. It is designed for use where there may be many devices communicating at the same time, and any one of the devices could be the sender at any particular time. Scenarios for using PIM multicasting include desktop video conferencing and telephone conference calls.

PIM relies on IGMP technology to determine group memberships and uses existing unicast routes to perform reverse path forwarding (RPF) checks, which are, essentially, a route lookup on the source. Its routing engine then returns the best interface, regardless of how the routing table is constructed. In this sense, PIM is independent of any routing protocol. It can perform RPF checks using protocol-specific routes (for example, OSPF routes), static routes, or a combination of route types.


PIM sparse mode (PIM-SM), a shared tree technology, designates a router as the rendezvous point (RP), which is the root of a shared tree for a particular group. All sources send packets to the group via the RP (that is, traffic flows from the sender to the RP, and from the RP to the receiver). By maintaining one RP-rooted tree instead of multiple source-rooted trees, bandwidth is conserved.

Figure 4 illustrates the PIM traffic flow.

Figure 4 PIM Traffic Flow

[Figure: the Source and its DR, the RP, the Last Hop Router, and the Receiver; the numbered arrows 1 through 7 correspond to the steps below.]

1. The source's DR registers (that is, encapsulates) the multicast data from the source and unicasts it directly to the RP (number 1 in figure). The RP de-encapsulates each register message and sends the resulting multicast packet down the shared tree.

2. The last hop router (that is, the receiver's DR) sends a multicast group (*,G) join message upstream to the RP, indicating that the receiver wants to receive the multicast data (number 2 in figure). This builds the RP tree (RPT) between the last hop router and the RP.

3. The RP sends an (S,G) join message toward the source (number 3 in figure). It may send the join message immediately, or after the data rate exceeds a configured threshold. This allows the administrator to control how PIM-SM uses network resources.

4. The last hop router joins the shortest path tree (SPT) and sends an (S,G) join message toward the source (number 4 in figure). This builds the SPT.

5. Native multicast packets (that is, non-registered packets) are sent from the source's DR to the receiver on its SPT (number 5 in figure), while registered multicast packets continue to be sent from the source's DR to the RP.

6. A prune message is sent from the last hop router to the RP (number 6 in figure), because the receiver now gets the traffic over the SPT.

7. A register-stop message is sent from the RP to the source's DR (number 7 in figure), telling the DR to stop encapsulating traffic for that source. Once traffic is flowing down the SPT, the RPT is pruned for that given (S,G).

When receivers go away, prunes are sent ((S,G) prune messages toward the source on the SPT, and (*,G) prune messages toward the RP on the RPT). When new receivers appear, the process begins again.

PIM Support on Enterasys Devices


Notes: PIM is supported on Enterasys Matrix N-Series, SecureStack C2 and C3, and G-Series platforms on which routing has been enabled. On SecureStack C2 and C3 devices and G-Series devices, PIM is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license to enable the PIM command set. A minimum of 256 MB of memory is required on DFE modules in order to enable PIM. See the SDRAM field of the show system hardware command to display the amount of memory installed on a module. Module memory can be upgraded to 256 MB using the DFE-256MB-UGK memory kit.

Enterasys devices support version 2 of the PIM protocol as described in RFC 2362 and draft-ietf-pim-sm-v2-new-09.

The PIM specifications define several modes, or methods, by which a PIM router can build the distribution tree. Enterasys devices support sparse mode (PIM-SM), which uses only those routers that need to be included in forwarding multicast data. PIM-SM uses a host-initiated process to build and maintain the multicast distribution tree. Sparse mode routers use bandwidth more efficiently than other modes, but can require more processing time when working with large numbers of streams.

Key Features
Key features of PIM-SM are the following:

• Uses IGMP to propagate group membership information
• Sends hello messages to determine neighbor presence and configuration
• Sends join/prune messages to determine the need to retain multicast route information for a particular group on an interface
• Sends assert messages to resolve conflicts that occur regarding inbound interfaces
• Uses routes in the Multicast Routing Information Base (MRIB) to perform its reverse path forwarding check

Message Types
Enterasys PIM-SM-enabled devices use the following message types:

• Hello: These messages announce the sender's presence to other PIM-SM devices. The hello packet includes options such as:
  - Holdtime: the length of time to keep the sender reachable
  - Designated router (DR) priority: used to designate which PIM-SM device will act on behalf of sources and receivers in the PIM-SM domain

• Register: These messages are used by a source's DR to encapsulate (register) multicast data and send it to the rendezvous point (RP), a PIM-SM router designated as the root of a shared tree.

• Register-Stop: These messages are used by the RP to tell the source's DR to stop registering traffic for a particular source.

• Join/Prune (J/P): These messages contain information on group membership received from downstream routers. PIM-SM applies RPF in the join/prune process. When a multicast packet arrives, the router first checks whether it arrived on the correct interface:
  - If the packet matches a source address/multicast group (S,G) entry (on the shortest path tree (SPT)), then the correct interface is the reverse path forwarding (RPF) interface toward the source.
  - If the packet does not match an (S,G) entry (it is on the RP tree (RPT)), then the correct interface is the RPF interface toward the RP.

  A router directly connected to the hosts is often referred to as a leaf router or DR. The leaf router is responsible for sending the prune messages to the RP, informing it to stop sending multicast packets associated with a specific multicast group. When the RP receives the prune message, it no longer forwards the multicast traffic out the interface on which it received the prune message.

• Assert: These messages indicate that the device received a data packet on its outbound (receiving) interface for the group. They report the metric or distance to the source or RP to help the device identify the most direct path to the root of the tree. If multiple routers claim to have the most direct path to the source or RP, each device sends its own assert message and the router with the best metric wins. The other device then removes that link from its outbound interface list for the group.

• Bootstrap: These messages are sent by the PIM-SM router that has been elected as the bootstrap router (BSR) to inform all PIM-SM routers of the RP/group mappings.

• Candidate-RP: These messages are sent by the configured candidate RP routers to the BSR to inform the BSR of their RP/group candidacy.

PIM Terms and Definitions


Table 1 lists terms and definitions used in PIM configuration.

Table 1  PIM Terms and Definitions

Bootstrap Router (BSR)
    A PIM router responsible for collecting, within a PIM domain, the set of potential rendezvous points (RPs) and distributing the RP set information to all PIM routers within the domain. The BSR is dynamically elected from the set of candidate BSRs. RP set information includes group-to-RP mappings.

Candidate Bootstrap Router (Candidate-BSR)
    A small number of routers within a PIM domain are configured as candidate BSRs, and each C-BSR is given a BSR priority. All C-BSRs multicast bootstrap messages (BSMs) containing their priority to the ALL-PIM-ROUTERS group. When a C-BSR receives a bootstrap message from a C-BSR with a higher priority, it stops sending. This continues until only one C-BSR remains sending bootstrap messages, and it becomes the elected BSR for the domain.

Rendezvous Point (RP)
    The root of a group-specific distribution tree whose branches extend to all nodes in the PIM domain that want to receive traffic sent to the group. RPs provide a place for receivers and senders to meet. Senders use RPs to announce their existence, and receivers use RPs to learn about new senders of a group. The RP router for the group is selected by using the hash algorithm defined in RFC 2362.

Candidate Rendezvous Point (Candidate-RP)
    PIM routers configured to participate as RPs for some or all groups. C-RPs send C-RP Advertisement messages to the BSR. The messages contain the list of group prefixes for which the C-RP is willing to be the RP. Once the PIM-SM routers receive the BSR's message, the routers use a common hashing algorithm to hash the C-RP address, group, and mask together to identify which router will be the RP for a given group. A C-RP router must also learn which PIM-SM router is the BSR. Each designated candidate-BSR (C-BSR) asserts itself as the BSR, then defers once it receives a preferable BSR message. Eventually, all C-RPs send their messages to a single BSR, which communicates the Candidate RP-set to all PIM-SM routers in the domain.

Static RP
    If a BSR is not used to distribute RP set information, RP-to-group mappings are configured statically on each router. Static RP configuration and use of bootstrap routers are mutually exclusive. You should not configure both in a PIM-SM domain because such configuration could result in inconsistent RP sets. Statically configured RP set information takes precedence over RP set information learned from a BSR.

Designated Router (DR)
    A designated router is elected from all the PIM routers on a shared network. DRs are responsible for encapsulating multicast data from local sources into PIM-SM register messages and for unicasting them to the RP. The router with the highest priority wins the DR election. In the case of a tie, the router with the highest IP address wins.

PIM Domain
    A contiguous set of routers that implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers.

PIM Multicast Border Router (PMBR)
    A router that connects a PIM domain to other multicast routing domains.
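The Rendezvous Point and Candidate-RP entries above say that every router hashes the C-RP address, group and mask together to pick the RP, which is what lets all routers in the domain agree on one RP per group without further signalling. Here is an added example, not code from the Enterasys guide, that carries the selection through: rp_hash() is the function from RFC 2362 section 3.7 (unchanged in RFC 4601), and select_rp() applies the ordering those RFCs specify: longest group-range match first, then lowest numeric C-RP priority, then highest hash value, with the highest C-RP address breaking a tie. The candidate set, group ranges, priorities and the 30-bit hash mask length are constructed values for the illustration; in a real domain the mask length comes from the BSR's bootstrap message.

```python
"""Group-to-RP mapping with the RFC 2362 / RFC 4601 hash function.

Added example, not code from the Enterasys guide. Candidate RPs, group ranges,
priorities and the hash mask length in the demo are constructed values.
"""
import ipaddress


def rp_hash(group: str, hash_mask_len: int, crp: str) -> int:
    """Value(G, M, C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31.

    M clears the low 32 - hash_mask_len bits of G, so a run of consecutive
    groups hashes to the same RP and lands on the same shared tree.
    """
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(crp))
    m = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    inner = (1103515245 * (g & m) + 12345) ^ c
    return (1103515245 * inner + 12345) % (1 << 31)


def select_rp(group: str, candidates, hash_mask_len: int = 30):
    """Pick the RP for `group` from a list of (crp_address, group_prefix, priority).

    Ordering per RFC 2362 section 3.7 / RFC 4601 section 4.7.1:
      1. keep the C-RPs whose group range covers G, longest prefix only;
      2. keep those with the lowest numeric priority (0 is best);
      3. take the highest hash value;
      4. break a hash tie with the highest C-RP IP address.
    Returns None when no candidate covers the group.
    """
    g = ipaddress.ip_address(group)
    covering = [(addr, ipaddress.ip_network(prefix), prio)
                for addr, prefix, prio in candidates
                if g in ipaddress.ip_network(prefix)]
    if not covering:
        return None
    longest = max(net.prefixlen for _, net, _ in covering)
    covering = [c for c in covering if c[1].prefixlen == longest]
    best_prio = min(prio for _, _, prio in covering)
    covering = [c for c in covering if c[2] == best_prio]
    winner = max(covering, key=lambda c: (rp_hash(group, hash_mask_len, c[0]),
                                          int(ipaddress.IPv4Address(c[0]))))
    return winner[0]


# Constructed candidate set: two C-RPs for all of 224/4, one for 239/8 only.
CANDIDATES = [
    ("10.0.0.1", "224.0.0.0/4", 192),
    ("10.0.0.2", "224.0.0.0/4", 192),
    ("10.0.0.3", "239.0.0.0/8", 192),
]


def demo() -> dict:
    return {grp: select_rp(grp, CANDIDATES)
            for grp in ("239.1.1.1", "224.5.5.4", "224.5.5.5")}


if __name__ == "__main__":
    for grp, rp in demo().items():
        print(grp, "->", rp)
```

Two consequences are worth checking against a live domain: 239.1.1.1 always maps to the /8 candidate regardless of its hash, because longest match is evaluated before the hash, and 224.5.5.4 and 224.5.5.5 always map to the same RP under a 30-bit mask. If the RPs shown by the routers disagree with a computation like this one, the candidates are not seeing the same bootstrap message, which is the inconsistent RP set the Static RP entry warns about.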


Configuring Multicast
This section provides the following information about configuring multicast on Enterasys Matrix N-Series, SecureStack, D-Series, G-Series, and I-Series devices.
For information about...        Refer to page...
Configuring IGMP                15
Configuring DVMRP               20
Configuring PIM                 24

Note: For information on Enterasys Matrix X-Series support, refer to the Enterasys Matrix X Secure Core Router Configuration Guide.

Configuring IGMP
IGMP is configured in switch mode on Enterasys Matrix N-Series devices. On SecureStack, D-Series, G-Series, and I-Series devices, IGMP can be configured independently at the switch level (Layer 2) for IGMP snooping. On SecureStack C2 and C3 devices and G-Series devices, IGMP can also be configured at the router level (Layer 3) for determining host membership on directly attached subnets. At Layer 2, IGMP can be enabled for VLANs regardless of whether it is enabled on routed interfaces. If, however, IGMP is enabled on a routed interface, and the routed interface is a routed VLAN, then IGMP must also be enabled at the switch level.

IGMP Configuration Commands


Table 2 lists the IGMP configuration commands for Enterasys Matrix N-Series devices.

Table 2  IGMP Configuration Commands (Enterasys Matrix N-Series)

Enable IGMP on one or more VLANs.
    set igmp enable vlan-list

Disable IGMP on one or more VLANs.
    set igmp disable vlan-list

Enable IGMP querying on one or more VLANs.
    set igmp query-enable vlan-list

Disable IGMP querying on one or more VLANs.
    set igmp query-disable vlan-list

Determine what action to take with multicast frames when the multicast group table is full.
    set igmp grp-full-action action

Configure IGMP settings on one or more VLANs.
    set igmp config vlan-list {[query-interval query-interval] [igmp-version igmp-version] [max-resp-time max-resp-time] [robustness robustness] [last-mem-int last-mem-int]}

Remove IGMP configuration settings for one or more VLANs.
    set igmp delete vlan-list

Create a new static IGMP entry or add one or more new ports to an existing entry.
    set igmp add-static group vlan-list [modify] [include-ports] [exclude-ports]

Delete a static IGMP entry or remove one or more ports from an existing entry.
    set igmp remove-static group vlan-list [modify] [include-ports] [exclude-ports]

Change the IGMP classification of received IP frames.
    set igmp protocols [classification classification] [protocol-id protocol-id] [modify]

Clear the binding of IP protocol ID to IGMP classification.
    clear igmp protocols [protocol-id protocol-id]

Set the number of multicast groups supported by the Enterasys Matrix N-Series device to either 4096 or 16,384.
    set igmp number-groups number

Table 3 lists the Layer 2 IGMP configuration commands for SecureStack, D-Series, G-Series, and I-Series devices.

Table 3  Layer 2 IGMP Configuration Commands (SecureStack, D-Series, G-Series, and I-Series Devices)

Enable or disable IGMP on the system.
    set igmpsnooping adminmode {enable | disable}

Enable or disable IGMP on one or all ports.
    set igmpsnooping interfacemode port-string {enable | disable}

Configure the IGMP group membership interval time for the system.
    set igmpsnooping groupmembershipinterval time

Configure the IGMP query maximum response time for the system.
    set igmpsnooping maxresponse time

Configure the IGMP multicast router expiration time for the system.
    set igmpsnooping mcrtrexpire time

Create a new static IGMP entry or add one or more new ports to an existing entry.
    set igmpsnooping add-static group vlan-list [modify] [port-string]

Delete a static IGMP entry or remove one or more ports from an existing entry.
    set igmpsnooping remove-static group vlan-list [modify] [port-string]

Clear all IGMP snooping entries.
    clear igmpsnooping


Table 4 lists the Layer 3 IGMP configuration commands for SecureStack C2 and C3 devices and G-Series devices.

Table 4  Layer 3 IGMP Configuration Commands (SecureStack C2 and C3 and G-Series)

Enable IGMP on the router. Use the no command to disable IGMP on the router.
    ip igmp
    no ip igmp

Enable IGMP on an interface. Use the no command to disable IGMP on an interface.
    ip igmp enable
    no ip igmp enable

Set the version of IGMP running on the router. Use the no command to reset IGMP to the default version of 2 (IGMPv2).
    ip igmp version version
    no ip igmp

Set the IGMP query interval on a routing interface. Use the no command to reset the IGMP query interval to the default value of 125 seconds.
    ip igmp query-interval time
    no ip igmp query-interval

Set the maximum response time interval advertised in IGMPv2 queries. Use the no command to reset the IGMP maximum response time to the default value of 100, in tenths of a second (10 seconds).
    ip igmp query-max-response-time time
    no ip igmp query-max-response-time

Set the interval between general IGMP queries sent on startup. Use the no command to reset the IGMP startup query interval to the default value of 31 seconds.
    ip igmp startup-query-interval time
    no ip igmp startup-query-interval

Set the number of IGMP queries sent out on startup, separated by the startup query interval. Use the no command to reset the IGMP startup query count to the default value of 2.
    ip igmp startup-query-count count
    no ip igmp startup-query-count

Set the maximum response time inserted into group-specific queries sent in response to leave group messages. Use the no command to reset the IGMP last member query interval to the default value of 1 second.
    ip igmp last-member-query-interval time
    no ip igmp last-member-query-interval

Set the number of group-specific queries sent before assuming there are no local members. Use the no command to reset the IGMP last member query count to the default value of 2.
    ip igmp last-member-query-count count
    no ip igmp last-member-query-count

Configure the robustness tuning for expected packet loss on an IGMP routing interface. Use the no command to reset the IGMP robustness value to the default of 2.
    ip igmp robustness robustness
    no ip igmp robustness


Basic IGMP Configurations


Procedure 1 describes the basic steps to configure IGMP on Enterasys Matrix N-Series devices. This procedure assumes that the VLANs on which IGMP will run have been configured and enabled with IP interfaces.

Procedure 1  Basic IGMP Configuration (Enterasys Matrix N-Series)

1. In switch mode, configure IGMP for each VLAN interface.
       set igmp config vlan-list {[query-interval query-interval] [igmp-version igmp-version] [max-resp-time max-resp-time] [robustness robustness] [last-mem-int last-mem-int]}

2. In switch mode, enable IGMP on each VLAN interface.
       set igmp enable vlan-list

3. In switch mode, enable IGMP querying on each of the VLANs specified in step 2.
       set igmp query-enable vlan-list

Procedure 2 describes the basic steps to configure Layer 2 IGMP snooping on SecureStack, D-Series, G-Series, and I-Series devices. This procedure assumes that the VLANs on which IGMP will run have been configured and enabled with IP interfaces.

Procedure 2  Basic IGMP Configuration (SecureStack, D-Series, G-Series, and I-Series)

1. In switch mode, enable IGMP globally.
       set igmpsnooping adminmode enable

2. In switch mode, enable IGMP on each of the VLAN ports.
       set igmpsnooping interfacemode port-string enable

Procedure 3 describes the basic steps to configure Layer 3 IGMP querying on SecureStack C2 and C3 devices and G-Series devices. This procedure assumes that the VLANs on which IGMP will run have been configured and enabled with IP interfaces.

Procedure 3  Basic IGMP Configuration (SecureStack C2 and C3 and G-Series)

1. In router configuration mode, enable IGMP globally.
       ip igmp

2. In router configuration mode, enable IGMP on each VLAN interface that will be required to determine host membership on directly attached subnets.
       ip igmp enable

For more information on IGMP CLI commands, refer to your device's CLI Reference Guide or Configuration Guide, as applicable.


Example IGMP Configuration: Enterasys Matrix N-Series


matrix->set igmp enable 2, 3
matrix->set igmp query-enable 2, 3

Example IGMP Configuration: SecureStack C2


C2(su)->router
C2(su)->router>enable
C2(su)->router#configure
C2(su)->router(Config)#ip igmp
C2(su)->router(Config)#interface vlan 2
C2(su)->router(Config-if(Vlan 2))#ip igmp enable
C2(su)->router(Config-if(Vlan 2))#exit
C2(su)->router(Config)#interface vlan 3
C2(su)->router(Config-if(Vlan 3))#ip igmp enable
C2(su)->router(Config-if(Vlan 3))#exit

IGMP Display Commands


Table 5 lists Layer 2 IGMP show commands for Enterasys Matrix N-Series devices.

Table 5  Layer 2 IGMP Show Commands (Enterasys Matrix N-Series)

Display the status of IGMP on one or more VLANs.
    show igmp enable vlan-list

Display the IGMP query status of one or more VLANs.
    show igmp query vlan-list

Display the action to be taken with multicast frames when the multicast IGMP group table is full.
    show igmp grp-full-action

Display IGMP configuration information for one or more VLANs.
    show igmp config vlan-list

Display IGMP information regarding multicast group membership.
    show igmp groups [group group] [vlan-list vlan-list] [sip sip] [-verbose]

Display static IGMP ports for one or more VLANs or IGMP groups.
    show igmp static vlan-list [group group]

Display the binding of IP protocol ID to IGMP classification.
    show igmp protocols

Display IGMP information for a specific VLAN.
    show igmp vlan [vlan-list]

Display IGMP reporter information.
    show igmp reporters [portlist portlist] [group group] [vlan-list vlan-list] [sip sip]

Display IGMP flow information.
    show igmp flows [portlist portlist] [group group] [vlan-list vlan-list] [sip sip]

Display IGMP counter information.
    show igmp counters

Display the number of multicast groups supported by the Enterasys Matrix N-Series device.
    show igmp number-groups


Table 6 lists Layer 3 IGMP show commands for Enterasys Matrix N-Series devices.

Table 6 Layer 3 IGMP Show Commands (Enterasys Matrix N-Series)

- Display IGMP information regarding multicast group membership.
  Command: show ip igmp groups
- Display multicast-related information about a specific interface or all interfaces.
  Command: show ip igmp interface [vlan vlan-id]

Table 7 lists Layer 2 IGMP show commands for SecureStack, D-Series, G-Series, and I-Series devices.

Table 7 Layer 2 IGMP Show Commands (SecureStack, D-Series, G-Series, and I-Series)

- Display IGMP snooping information.
  Command: show igmpsnooping
- Display static IGMP ports for one or more VLANs or IGMP groups.
  Command: show igmpsnooping static vlan-list [group group]
- Display multicast forwarding database (MFDB) information.
  Command: show igmpsnooping mfdb

Table 8 lists Layer 3 IGMP show commands for SecureStack C2 and C3 devices and G-Series devices.

Table 8 Layer 3 IGMP Show Commands (SecureStack C2 and C3 and G-Series)

- Display IGMP information regarding multicast group membership.
  Command: show ip igmp groups
- Display multicast-related information about a specific interface or all interfaces.
  Command: show ip igmp interface [vlan vlan-id]

Configuring DVMRP
DVMRP Configuration Commands
Table 9 lists the DVMRP configuration commands for Enterasys Matrix N-Series devices.

Table 9 DVMRP Configuration Commands (Enterasys Matrix N-Series)

- Enable or disable DVMRP on an interface.
  Command: ip dvmrp
  Command: no ip dvmrp
- Configure the metric associated with a set of destinations for DVMRP reports.
  Command: ip dvmrp metric metric


Table 10 lists the DVMRP configuration commands for SecureStack C2 and C3 devices and G-Series devices.

Table 10 DVMRP Configuration Commands (SecureStack C2 and C3 and G-Series)

- Enable the DVMRP process. Use the no command to disable the DVMRP process.
  Command: ip dvmrp
  Command: no ip dvmrp
- Enable DVMRP on an interface. Use the no command to disable DVMRP on an interface.
  Command: ip dvmrp enable
  Command: no ip dvmrp enable
- Configure the metric associated with a set of destinations for DVMRP reports.
  Command: ip dvmrp metric metric

Basic DVMRP Configurations


By default, DVMRP is disabled globally on Enterasys Matrix N-Series, SecureStack C2 and C3, and G-Series devices and attached interfaces. Basic DVMRP configuration includes the following steps:
1. Creating and enabling VLANs.
2. Enabling IGMP on the device (only for SecureStack C2 and C3 devices and G-Series devices) and on the VLANs.
3. Enabling DVMRP on the VLANs.

Both Procedure 4 and Procedure 5 assume the following:
- VLANs have been configured and enabled with IP interfaces.
- IGMP has been enabled. For information on enabling IGMP, see Configuring IGMP on page 15.

Enterasys Matrix N-Series


Procedure 4 describes the basic steps to configure DVMRP on Enterasys Matrix N-Series devices.

Procedure 4 Basic DVMRP Configuration (Enterasys Matrix N-Series)

1. In router interface configuration mode, enable DVMRP on each VLAN interface on which DVMRP will run.
   Command: ip dvmrp


SecureStack C2 and C3 and G-Series


Procedure 5 describes the basic steps to configure DVMRP on SecureStack C2 and C3 devices and G-Series devices.

Procedure 5 Basic DVMRP Configuration (SecureStack C2 and C3 and G-Series)

1. In router configuration mode, enable DVMRP globally.
   Command: ip dvmrp
2. In router configuration mode, enable DVMRP for each VLAN interface on which DVMRP will run.
   Command: ip dvmrp enable

Example DVMRP Configuration


Figure 5 illustrates the DVMRP configuration of two Enterasys Matrix N-Series devices shown in the example below. This example assumes the following:
- VLANs have been configured and enabled with IP interfaces
- IGMP has been enabled on the VLANs

Figure 5 DVMRP Configuration on Two Routers (figure): Router R1 has VLAN 2 (192.40.0.1) toward its host network and VLAN 1 (192.0.1.2) toward R2; Router R2 has VLAN 1 (192.0.1.1) toward R1 and VLAN 3 (192.20.0.1) toward its host network.

Router R1 Configuration
For the VLAN 1 interface, which provides connection to Router R2, an IP address is assigned and DVMRP is enabled. For the VLAN 2 interface, which provides connection to the host network, an IP address is assigned and DVMRP is enabled.
matrix->router
matrix->router#enable
matrix->router(config)#interface vlan 1
matrix->router(config-if(Vlan 1))#ip address 192.0.1.2 255.255.255.0
matrix->router(config-if(Vlan 1))#ip dvmrp
matrix->router(config-if(Vlan 1))#no shutdown
matrix->router(config-if(Vlan 1))#exit
matrix->router(config)#interface vlan 2
matrix->router(config-if(Vlan 2))#ip address 192.40.0.1 255.255.255.0
matrix->router(config-if(Vlan 2))#ip dvmrp
matrix->router(config-if(Vlan 2))#no shutdown
matrix->router(config-if(Vlan 2))#exit


Router R2 Configuration
For the VLAN 1 interface, which provides connection to Router R1, an IP address is assigned and DVMRP is enabled. For the VLAN 3 interface, which provides connection to the host network, an IP address is assigned and DVMRP is enabled.
matrix->router
matrix->router#enable
matrix->router(config)#interface vlan 1
matrix->router(config-if(Vlan 1))#ip address 192.0.1.1 255.255.255.0
matrix->router(config-if(Vlan 1))#ip dvmrp
matrix->router(config-if(Vlan 1))#no shutdown
matrix->router(config-if(Vlan 1))#exit
matrix->router(config)#interface vlan 3
matrix->router(config-if(Vlan 3))#ip address 192.20.0.1 255.255.255.0
matrix->router(config-if(Vlan 3))#ip dvmrp
matrix->router(config-if(Vlan 3))#no shutdown
matrix->router(config-if(Vlan 3))#exit

Displaying DVMRP Information


Table 11 lists the DVMRP show commands for Enterasys Matrix N-Series devices.

Table 11 DVMRP Show Commands (Enterasys Matrix N-Series)

- Display information about the routes in the DVMRP routing table.
  Command: show ip dvmrp route
- Display the IP multicast routing table.
  Command: show ip mroute [unicast-source-address | multicast-group-address] [summary]

Table 12 lists the DVMRP show commands for SecureStack C2 and C3 devices and G-Series devices.

Table 12 DVMRP Show Commands (SecureStack C2 and C3 and G-Series)

- Display DVMRP routing information, neighbor information, or DVMRP enable status.
  Command: show ip dvmrp [route|neighbor|status]
- Display the IP multicast routing table.
  Command: show ip mroute [unicast-source-address | multicast-group-address] [summary]

Refer to the device's CLI Reference Guide or Configuration Guide, as applicable, for an example of each command's output.


Configuring PIM
PIM-SM Configuration Commands
Table 13 lists the PIM-SM set commands for Enterasys Matrix N-Series devices.

Table 13 PIM-SM Set Commands (Enterasys Matrix N-Series)

- Enable PIM-SM on a routing interface. Use the no command to disable PIM-SM.
  Command: ip pim sparse-mode
  Command: no ip pim sparse-mode
- Enable the router to announce its candidacy as a BootStrap Router (BSR). Use the no command to remove the router as a BSR candidate.
  Command: ip pim bsr-candidate pim-interface [hash-mask-length] [priority]
  Command: no ip bsr-candidate
- Set the priority for which a router will be elected as the designated router (DR). Use the no command to disable the DR functionality.
  Command: ip pim dr-priority priority
  Command: no ip dr-priority
- Set a static rendezvous point (RP) for a multicast group. Use the no command to remove the static RP configuration.
  Command: ip pim rp-address rp-address group-address group-mask [priority priority]
  Command: no ip rp-address rp-address group-address group-mask
- Enable the router to advertise itself as a PIM candidate rendezvous point (RP) to the BSR. Use the no command to remove the router as an RP candidate.
  Command: ip pim rp-candidate pim-interface group-address group-mask [priority priority]
  Command: no ip pim rp-candidate pim-interface group-address group-mask

Table 14 lists the PIM-SM set commands for SecureStack C2 and C3 devices and G-Series devices.

Table 14 PIM-SM Set Commands (SecureStack C2 and C3 and G-Series)

- Set the administrative mode of PIM-SM multicast routing across the router to enabled. By default, PIM-SM is globally disabled. Use the no command to disable PIM (across the entire stack, if applicable).
  Command: ip pimsm
  Command: no ip pimsm
- Create a manual RP IP address for the PIM-SM router. Use the no command to remove a previously configured RP.
  Command: ip pimsm staticrp ipaddress groupaddress groupmask
  Command: no ip pimsm staticrp ipaddress groupaddress groupmask
- Enable PIM-SM multicast routing on a routing interface. By default, PIM is disabled on all IP interfaces. Use the no command to disable PIM on the specific interface.
  Command: ip pimsm enable
  Command: no ip pimsm enable
- Configure the transmission frequency of hello messages, in seconds, between PIM-enabled neighbors. Use the no command to reset the hello interval to the default, 30 seconds.
  Command: ip pimsm query-interval seconds
  Command: no ip pimsm query-interval


Basic PIM-SM Configurations


By default, PIM-SM is disabled globally on Enterasys Matrix N-Series, SecureStack C2 and C3, and G-Series devices and attached interfaces. Basic PIM-SM configuration includes the following steps:
1. Creating and enabling VLANs with IP interfaces.
2. Configuring the underlying unicast routing protocol (for example, OSPF).
3. Enabling IGMP on the device (only for SecureStack C2 and C3 devices and G-Series devices) and on the VLANs.
4. Configuring PIM-SM on the device (only for SecureStack C2 and C3 devices and G-Series devices) and on the VLANs.

Both Procedure 6 and Procedure 7 assume the following:
- VLANs have been configured and enabled with IP interfaces.
- The unicast routing protocol has been configured.
- IGMP has been enabled on the devices and VLANs that will be connected with hosts. For information on enabling IGMP, see Configuring IGMP on page 15.

Procedure 6 describes the basic steps to configure PIM-SM on an Enterasys Matrix N-Series device.

Procedure 6 Basic PIM-SM Configuration (Enterasys Matrix N-Series)

1. If desired, change the DR priority of one or more interfaces on the Enterasys Matrix N-Series router from the default value of 1 in interface configuration mode. The highest priority PIM router on a shared network is elected the DR for that network.
   Command: ip pim dr-priority priority
2. If the dynamic BSR RP set distribution method is used on the network, configure at least one PIM router as a candidate BSR in interface configuration mode. Note that the Enterasys Matrix N-Series router does not act as a BSR without being explicitly configured to do so.
   Command: ip pim bsr-candidate pim-interface [hash-mask-length] [priority]
3. If the dynamic BSR RP set distribution method will be used on the network, configure at least one PIM router as a Candidate Rendezvous Point in global configuration mode. Note that the Enterasys Matrix N-Series router does not act as an RP without being explicitly configured to do so.
   Command: ip pim rp-candidate pim-interface group-address group-mask [priority priority]
4. If static RP set distribution is desired, configure the static RP set information in global configuration mode. The RP set information must be the same on all PIM routers in the network.
   Note: Static RP set distribution cannot be combined with BSR RP set distribution in the same PIM domain. Routers with statically configured RP set information discard RP set information learned from a BSR.
   Command: ip pim rp-address rp-address group-address group-mask [priority priority]
5. In interface configuration mode, configure PIM-SM on the Matrix N-Series router interfaces that will run PIM-SM.
   Command: ip pim sparse-mode

Procedure 7 describes the basic steps to configure PIM-SM on SecureStack C2 and C3 devices and G-Series devices.

Procedure 7 Basic PIM-SM Configuration (SecureStack C2 and C3 and G-Series)

1. In global configuration mode, enable PIM-SM on the device.
   Command: ip pimsm
2. In global configuration mode, if desired, create a manual RP IP address for the PIM-SM router.
   Command: ip pimsm staticrp ipaddress groupaddress groupmask
3. In interface configuration mode, enable PIM-SM on the device's VLAN interfaces that will run PIM-SM.
   Command: ip pimsm enable


Example Configuration
Figure 6 illustrates the PIM-SM configuration of four Enterasys Matrix N-Series routers shown in the example scripts below. This configuration includes configuring a preferred and a backup BSR for the topology, as well as two RPs for specific multicast groups and a backup RP for all groups.

Figure 6 PIM-SM Configuration with Bootstrap Router and Candidate RPs (figure): Router R1 (VLAN 2 172.1.1/24, VLAN 3 172.1.2/24, VLAN 4 172.1.3/24); Router R2 (VLAN 9 172.2.2/24, VLAN 3, VLAN 8, VLAN 5 172.2.4/24); Router R3 (VLAN 10 172.3.3/24, VLAN 4, VLAN 8, VLAN 6 172.3.4/24); Router R4 (VLAN 7 172.4.4/24, VLAN 5, VLAN 6). VLAN 3 links R1 and R2, VLAN 4 links R1 and R3, VLAN 8 links R2 and R3, VLAN 5 links R2 and R4, and VLAN 6 links R3 and R4.
Router R1 Configuration
On this router, IGMP is enabled on VLAN 2, which connects to hosts, and PIM-SM is enabled on all interfaces. IGMP is used to determine host group membership on directly attached subnets. Note that IGMP is enabled in switch mode on Enterasys Matrix N-Series routers.
VLAN 2 is configured as the backup candidate RP for all multicast groups by using the default RP priority of 192. Note that the C-RP with the smallest priority value is elected.
Alternatively, you could configure a loopback interface as a candidate RP, to avoid the dependency on a particular interface.
R1>Router(config)#router id 1.1.1.1
R1>Router(config)#interface vlan 2
R1>Router(config-if(Vlan 2))#ip address 172.1.1.1 255.255.255.0
R1>Router(config-if(Vlan 2))#no shutdown
R1>Router(config-if(Vlan 2))#exit
R1>set igmp enable 2
R1>set igmp query-enable 2
R1>Router(config)#ip pim rp-candidate 172.1.1.1 224.0.0.0 240.0.0.0
R1>Router(config)#interface vlan 2
R1>Router(config-if(Vlan 2))#ip pim sparse-mode
R1>Router(config-if(Vlan 2))#exit


R1>Router(config)#interface vlan 3
R1>Router(config-if(Vlan 3))#ip address 172.1.2.1 255.255.255.0
R1>Router(config-if(Vlan 3))#no shutdown
R1>Router(config-if(Vlan 3))#ip pim sparse-mode
R1>Router(config-if(Vlan 3))#exit
R1>Router(config)#interface vlan 4
R1>Router(config-if(Vlan 4))#ip address 172.1.3.1 255.255.255.0
R1>Router(config-if(Vlan 4))#no shutdown
R1>Router(config-if(Vlan 4))#ip pim sparse-mode
R1>Router(config-if(Vlan 4))#exit

Router R2 Configuration
On this router, PIM-SM is enabled on all interfaces. VLAN 9 is configured as a candidate BSR and is assigned a priority higher than the default of 0. Note that the C-BSR with the largest priority value is elected.
VLAN 9 is also configured as a candidate RP for the multicast group 224.2.2.0/24. Its priority is set to 2, which will most likely make it the elected RP for that particular group, since the C-RP with the smallest priority value is elected. (Note that Router R3 has an RP candidate priority value of 3 for that group.)
Again, alternatively, you could configure a loopback interface as a candidate BSR or RP, to avoid the dependency on a particular interface.
R2>Router(config)#router id 1.1.1.2
R2>Router(config)#interface vlan 3
R2>Router(config-if(Vlan 3))#ip address 172.1.2.2 255.255.255.0
R2>Router(config-if(Vlan 3))#no shutdown
R2>Router(config-if(Vlan 3))#ip pim sparse-mode
R2>Router(config-if(Vlan 3))#exit
R2>Router(config)#interface vlan 9
R2>Router(config-if(Vlan 9))#ip address 172.2.2.2 255.255.255.0
R2>Router(config-if(Vlan 9))#no shutdown
R2>Router(config-if(Vlan 9))#ip pim bsr-candidate vlan 9 priority 2
R2>Router(config-if(Vlan 9))#ip pim sparse-mode
R2>Router(config-if(Vlan 9))#exit
R2>Router(config)#ip pim rp-candidate 172.2.2.2 224.2.2.0 255.255.255.0 priority 2
R2>Router(config)#interface vlan 8
R2>Router(config-if(Vlan 8))#ip address 172.2.3.2 255.255.255.0
R2>Router(config-if(Vlan 8))#no shutdown
R2>Router(config-if(Vlan 8))#ip pim sparse-mode
R2>Router(config-if(Vlan 8))#exit
R2>Router(config)#interface vlan 5
R2>Router(config-if(Vlan 5))#ip address 172.2.4.2 255.255.255.0
R2>Router(config-if(Vlan 5))#no shutdown
R2>Router(config-if(Vlan 5))#ip pim sparse-mode
R2>Router(config-if(Vlan 5))#exit


Router R3 Configuration
On this router, PIM-SM is enabled on all interfaces. VLAN 10 is configured as a backup candidate BSR, by leaving its priority at the default of 0.
VLAN 10 is also configured as a backup candidate RP for multicast group 224.2.2.0/24, by setting its priority value slightly higher (3) than the priority configured on R2 for the same group (2) (since the C-RP with the smallest priority value is elected).
R3>Router(config)#router id 1.1.1.3
R3>Router(config)#interface vlan 4
R3>Router(config-if(Vlan 4))#ip address 172.1.3.3 255.255.255.0
R3>Router(config-if(Vlan 4))#no shutdown
R3>Router(config-if(Vlan 4))#ip pim sparse-mode
R3>Router(config-if(Vlan 4))#exit
R3>Router(config)#interface vlan 8
R3>Router(config-if(Vlan 8))#ip address 172.2.3.3 255.255.255.0
R3>Router(config-if(Vlan 8))#no shutdown
R3>Router(config-if(Vlan 8))#ip pim sparse-mode
R3>Router(config-if(Vlan 8))#exit
R3>Router(config)#interface vlan 10
R3>Router(config-if(Vlan 10))#ip address 172.3.3.3 255.255.255.0
R3>Router(config-if(Vlan 10))#no shutdown
R3>Router(config-if(Vlan 10))#ip pim bsr-candidate vlan 10
R3>Router(config-if(Vlan 10))#ip pim sparse-mode
R3>Router(config-if(Vlan 10))#exit
R3>Router(config)#ip pim rp-candidate 172.3.3.3 224.2.2.0 255.255.255.0 priority 3
R3>Router(config)#interface vlan 6
R3>Router(config-if(Vlan 6))#ip address 172.3.4.3 255.255.255.0
R3>Router(config-if(Vlan 6))#no shutdown
R3>Router(config-if(Vlan 6))#ip pim sparse-mode
R3>Router(config-if(Vlan 6))#exit

Router R4 Configuration
This router does not play any special role in PIM-SM, except that it has hosts directly connected to it. IGMP is enabled on the interface that connects to hosts and PIM-SM is enabled on all interfaces.
R4>Router(config)#router id 1.1.1.4
R4>Router(config)#interface vlan 5
R4>Router(config-if(Vlan 5))#ip address 172.2.4.4 255.255.255.0
R4>Router(config-if(Vlan 5))#no shutdown
R4>Router(config-if(Vlan 5))#ip pim sparse-mode
R4>Router(config-if(Vlan 5))#exit
R4>Router(config)#interface vlan 6
R4>Router(config-if(Vlan 6))#ip address 172.3.4.4 255.255.255.0
R4>Router(config-if(Vlan 6))#no shutdown
R4>Router(config-if(Vlan 6))#ip pim sparse-mode
R4>Router(config-if(Vlan 6))#exit


R4>Router(config)#interface vlan 7
R4>Router(config-if(Vlan 7))#ip address 172.4.4.4 255.255.255.0
R4>Router(config-if(Vlan 7))#no shutdown
R4>Router(config-if(Vlan 7))#ip pim sparse-mode
R4>Router(config-if(Vlan 7))#exit
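The following is an added example, not Enterasys code, that models the BSR and RP selection rules described for the four-router example above (largest C-BSR priority wins; the C-RP with the smallest priority value wins for a group) using the candidates configured on R1, R2 and R3. The longest-prefix step and the RFC 4601 hash tie-breaker are assumptions beyond what the page states, included so the selection is total.

```python
"""RP and BSR selection for the four-router PIM-SM example (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CandidateRP:
    address: str         # address given to ip pim rp-candidate
    group_range: str     # group prefix served, e.g. "224.2.2.0/24"
    priority: int = 192  # default C-RP priority on the page; lower value wins


@dataclass(frozen=True)
class CandidateBSR:
    address: str         # interface address given to ip pim bsr-candidate
    priority: int = 0    # default C-BSR priority on the page; higher value wins


def group_range(group_address, group_mask):
    """Turn the CLI's 'group-address group-mask' pair into prefix notation."""
    return str(ipaddress.ip_network(f"{group_address}/{group_mask}"))


# Candidates exactly as configured in the R1, R2 and R3 scripts above.
C_RPS = [
    CandidateRP("172.1.1.1", group_range("224.0.0.0", "240.0.0.0")),         # R1, prio 192
    CandidateRP("172.2.2.2", group_range("224.2.2.0", "255.255.255.0"), 2),  # R2
    CandidateRP("172.3.3.3", group_range("224.2.2.0", "255.255.255.0"), 3),  # R3
]
C_BSRS = [CandidateBSR("172.2.2.2", 2), CandidateBSR("172.3.3.3")]  # R2 prio 2, R3 default 0


def elect_bsr(candidates):
    """C-BSR with the largest priority wins; ties go to the highest address."""
    best = max(candidates,
               key=lambda c: (c.priority, int(ipaddress.ip_address(c.address))))
    return best.address


def rfc4601_hash(group, hash_mask_len, rp_address):
    # Value(G, M, C(i)) from RFC 4601 section 4.7.2; an assumption beyond the
    # page, which only states that the smallest priority value is elected.
    g = int(ipaddress.ip_address(group))
    m = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    c = int(ipaddress.ip_address(rp_address))
    return (1103515245 * ((1103515245 * (g & m) + 12345) ^ c) + 12345) % (1 << 31)


def select_rp(group, candidates, hash_mask_len=30):
    """Return the address of the RP that will serve `group`, or None if no C-RP covers it."""
    g = ipaddress.ip_address(group)
    matching = [c for c in candidates if g in ipaddress.ip_network(c.group_range)]
    if not matching:
        return None
    # 1. Longest matching group prefix (R2/R3's /24 beats R1's /4 for 224.2.2.x).
    longest = max(ipaddress.ip_network(c.group_range).prefixlen for c in matching)
    matching = [c for c in matching
                if ipaddress.ip_network(c.group_range).prefixlen == longest]
    # 2. Smallest priority value, the rule the page states.
    best = min(c.priority for c in matching)
    matching = [c for c in matching if c.priority == best]
    # 3./4. Highest hash value, then highest address, break any remaining tie.
    winner = max(matching, key=lambda c: (rfc4601_hash(group, hash_mask_len, c.address),
                                          int(ipaddress.ip_address(c.address))))
    return winner.address


if __name__ == "__main__":
    print("elected BSR:", elect_bsr(C_BSRS))
    for grp in ("224.2.2.5", "239.1.1.1"):
        print(grp, "-> RP", select_rp(grp, C_RPS))
```

Removing R2's candidacy from the list shows R3 taking over 224.2.2.0/24 as the backup RP, as the text describes.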

PIM-SM Display Commands


Table 15 lists the PIM show commands for Enterasys Matrix N-Series devices.

Table 15 PIM Show Commands (Enterasys Matrix N-Series)

- Display BSR information.
  Command: show ip pim bsr
- Display information about PIM interfaces that are currently up (not shutdown).
  Command: show ip pim interface [interface]
- Display information about discovered PIM neighbors.
  Command: show ip pim neighbor [interface]
- Display the active RPs that are cached with associated multicast routing entries.
  Command: show ip pim rp [group | mapping | multicast-group-address]
- Display the RP that is being selected for a specified group.
  Command: show ip pim rp-hash group-address
- Display the IP multicast routing table.
  Command: show ip mroute [unicast-source-address | multicast-group-address] [summary]
- Display the IP multicast forwarding table.
  Command: show ip mforward [unicast-source-address | multicast-group-address] [summary]
- Display the reverse path of an address in the unicast table.
  Command: show ip rfp

Table 16 lists the PIM show commands for SecureStack C2 and C3 devices and G-Series devices.

Table 16 PIM Show Commands (SecureStack C2 and C3 and G-Series)

- Display system-wide PIM-SM routing information.
  Command: show ip pimsm
- Display the table containing objects specific to a PIM domain.
  Command: show ip pimsm componenttable
- Display PIM-SM status of the router interfaces. With the stats parameter, this command displays statistical information for PIM-SM on the specified interface.
  Command: show ip pimsm interface {vlan vlan-id | stats {vlan-id | all}}
- Display the router's PIM neighbors.
  Command: show ip pimsm neighbor [vlan-id]
- Display the PIM information for candidate RPs for all IP multicast groups or for a specific group address.
  Command: show ip pimsm rp {group-address groupmask | all | candidate}
- Display the RP that will be selected from the set of active RP routers.
  Command: show ip pimsm rphash group-address
- Display the PIM-SM static RP information.
  Command: show ip pimsm staticrp
- Display the IP multicast routing table.
  Command: show ip mroute [unicast-source-address | multicast-group-address] [summary]

Refer to the device's CLI Reference Guide or Configuration Guide, as applicable, for a description of the output of each command.

Revision History
09-02-08: New document
04-16-09: Added 256MB minimum memory requirement for PIM.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.
Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810
2009 Enterasys Networks, Inc. All rights reserved.
ENTERASYS, ENTERASYS NETWORKS, ENTERASYS SECURE NETWORKS, NETSIGHT, ENTERASYS NETSIGHT, ENTERASYS MATRIX, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and/or other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring Network Address Translation (NAT)


This document provides the following information about configuring Network Address Translation on the Enterasys Matrix N-Series and the Enterasys S-Series platforms.
For information about... / Refer to page...
- What is Network Address Translation? (page 1)
- Why Would I Use NAT in My Network? (page 2)
- How Can I Implement NAT? (page 2)
- NAT Overview (page 3)
- Configuring NAT (page 9)
- NAT Configuration Examples (page 12)
- Terms and Definitions (page 17)

What is Network Address Translation?


Network Address Translation (NAT) and Network Address Port Translation (NAPT) are methods of concealing a set of host addresses on a private network behind a pool of public addresses. Together they are referred to as traditional NAT. A traditional NAT configuration is made up of a private network and a public network that are connected by a router with NAT enabled on it.
Basic NAT is a method by which IP addresses are mapped from one group of addresses to another, transparent to the end user. A basic NAT translation is always between a single private IP address and a single public IP address.
NAPT is a method by which many private network addresses, along with each private address's associated TCP/UDP port, are translated into a single public network address and its associated TCP/UDP ports. Given that there is only a single public IP address associated with the translations, it is the public port the private address and its port are associated with that allows for the uniqueness of each translation.
In addition, the following features are also supported:
- Static and Dynamic NAT Pool Binding
- FTP, DNS, and ICMP (with five different error messages) software path NAT translation

September 08, 2010

Page 1 of 18


Why Would I Use NAT in My Network?


Enterasys support for NAT provides a practical solution for organizations who wish to streamline their IP addressing schemes. NAT operates on a router connecting a private network to a public network, simplifying network design and conserving IP addresses. NAT can help organizations merge multiple networks together and enhance network security by:
- Helping to prevent malicious activity initiated by outside hosts from entering the corporate network
- Improving the reliability of local systems by stopping worms
- Augmenting privacy by keeping private intranet addresses hidden from view of the public internet, thereby inhibiting scans
- Limiting the number of IP addresses used for private intranets that are required to be registered with the Internet Assigned Numbers Authority (IANA)
- Conserving the number of global IP addresses needed by a private intranet

How Can I Implement NAT?


To implement NAT in your network:
- Enable NAT on both the inside (local) and outside (public) interfaces to be used for translation
- If you intend to use inside source address dynamic translation (see Dynamic Inside Address Translations on page 5 for details):
  - Define an access list of inside addresses
  - Define a NAT address pool of outside addresses
  - Enable dynamic translation of inside addresses specifying an access list of inside addresses and a NAT address pool of outside addresses
  - Optionally configure overload for NAPT (defaults to NAT)
  - Optionally specify the interface to which translations are applied

- If you intend to use inside source address static translation (see Static Inside Address Translation on page 3 for details), enable inside source address static translation in the appropriate NAT or NAPT context
- Optionally change the NAT FTP control port from its default of 21
- Optionally enable force flows to force all flows to be translated between outside and inside addresses
- Optionally modify maximum allowed entries and NAT translation timeout values


NAT Overview
This section provides an overview of NAT configuration.
Notes: NAT is currently supported on the S-Series and N-Series products. This document details the configuration of NAT for the S-Series and N-Series products. NAT is an advanced routing feature that must be enabled with a license key on the N-Series router. An advanced routing license is currently not required on the S-Series platform. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the configuration guide that comes with your Enterasys N-Series product in order to enable the NAT command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales. A minimum of 256 MB of memory is required on all modules in order to enable NAT. See the SDRAM field of the show system hardware command to display the amount of memory installed on a module. An N-Series module memory can be upgraded to 256 MB using the DFE-256MB-UGK memory kit.

NAT Configuration
A traditional NAT configuration is made up of a private network or intranet, a public network, and a router that interconnects the two networks. The private network is made up of one or more hosts and devices each assigned an inside (internal) address that is not intended to be directly connectable to a public network host or device. The public network hosts or devices have outside (external) uniquely registered public addresses. The router interconnecting the private and public networks supports traditional NAT. It is NAT's responsibility to translate the inside address to a unique outside address to facilitate communication with the public network for intranet devices.
NAT allows translations between IP addresses. NAPT allows translations between multiple inside addresses and their associated ports and a single outside IP address and its associated ports. NAT and NAPT support both static and dynamic inside address translation.

Static Inside Address Translation


Static inside address translations are one-to-one bindings between the inside and outside IP addresses. A static address binding does not expire until the command that defines the binding is negated. When configuring NAT for static inside address translation, you assign a local IP address and a global IP address to the binding. When configuring NAPT for static inside address translation, you assign a local IP address and one of its associated L4 ports and a global IP address and one of its associated L4 ports to the binding. You also specify whether the packet protocol is TCP or UDP for this binding.

NAT Static Inside Address Translation


Figure 1 on page 4 displays a basic NAT static inside address translation overview. Client1 has a source address of 10.1.1.1 (its own IP address) and a destination address of 200.1.1.50 (the Server1 IP address). The static translation is configured between the local IP address (Client1's own IP address) and the global IP address 200.1.1.1 (an available public network address).
A packet arrives at the NAT router from Client1 with a source address of 10.1.1.1, but leaves the NAT router with a source address of 200.1.1.1. In both cases the destination is for Server1's IP address of 200.1.1.50. From Server1's point of view, Client1's IP address is 200.1.1.1. Server1 doesn't know anything about its actual IP address of 10.1.1.1.


When Server1 responds to Client1, its packet arrives at the NAT router with Client1's translated address of 200.1.1.1 as the destination address, but leaves the NAT router with Client1's actual address of 10.1.1.1 as the destination address. Server1's response is delivered to IP address 10.1.1.1.

Figure 1 Basic NAT Static Inside Address Translation (figure): Client1 (10.1.1.1) on the internal private network sends DA 200.1.1.50 / SA 10.1.1.1; the NAT router forwards it onto the external public network to Server1 (200.1.1.50) as DA 200.1.1.50 / SA 200.1.1.1. The reply DA 200.1.1.1 / SA 200.1.1.50 leaves the NAT router as DA 10.1.1.1 / SA 200.1.1.50.

NAPT Static Inside Address Translation


Figure 2 on page 5 displays a basic NAPT static inside address translation overview. Client1 has a source IP address of 10.1.1.2 and L4 port of 125 (its own IP address and port) and a destination address of 200.1.1.50 and L4 port of 80 (the Server1 IP address and port). The static translation is configured between the local IP address (Client1's own IP address and port) and the global IP address 200.1.1.1 and L4 port 1025 (an available public network address and port).
A packet arrives at the NAT router from Client1 with a source address of 10.1.1.2:125, but leaves the NAT router with a source address of 200.1.1.1:1025. In both cases the destination is for Server1's IP address of 200.1.1.50:80. From Server1's point of view, Client1's IP address is 200.1.1.1:1025. Server1 doesn't know anything about its actual IP address of 10.1.1.2:125.
When Server1 responds to Client1, its packet arrives at the NAT router with Client1's translated address of 200.1.1.1:1025 as the destination address, but leaves the NAT router with Client1's actual address of 10.1.1.2:125 as the destination address. Server1's response is delivered to IP address 10.1.1.2:125.


Figure 2 Basic NAPT Static Inside Address Translation (figure): the client (10.1.1.2) on the internal private network sends DA 200.1.1.50:80 / SA 10.1.1.2:125; the NAT router forwards it onto the external public network to Server1 (200.1.1.50) as DA 200.1.1.50:80 / SA 200.1.1.1:1025. The reply DA 200.1.1.1:1025 / SA 200.1.1.50:80 leaves the NAT router as DA 10.1.1.2:125 / SA 200.1.1.50:80.

Dynamic Inside Address Translations


Dynamic address bindings are formed from a preconfigured access list of local inside addresses and a preconfigured address pool of public outside addresses. Access lists are configured using the access-list command. Address pools are configured using the ip nat pool command.
IP addresses defined for dynamic bindings are reassigned whenever they become free. Unlike a static translation which persists until the command that defines the binding is negated, a NAT translation timeout option is configurable for dynamic translations and defaults to 240 seconds.
The dynamic inside address translation defaults to NAT. To configure a dynamic inside address translation for NAPT, specify the overload option when creating the translation list. Global ports are dynamically assigned between the range of 1024 and 4999.
You can also specify the VLAN interface over which this translation will be applied. Otherwise, the translation applies to all interfaces.

NAT Dynamic Inside Address Translation


Figure 3 on page 6 displays a basic NAT dynamic inside address translation overview. The overview shows two internal network clients: Client1 and Client2. The access list assigned to this dynamic translation must contain permits for the IP address of each local client (10.1.1.1 and 10.1.1.2). A NAT pool must be configured with at least a two address range of publicly available IP addresses and assigned to this dynamic translation. In this case the public IP address range is from 200.1.1.1 to 200.1.1.2. This is a NAT dynamic translation so we do not assign the overload option.

Client1 Walkthrough:
A packet arrives at the NAT router from Client1 with a source address of 10.1.1.1, but leaves the NAT router with a source address from the assigned pool, in this case: 200.1.1.2. In both cases the destination is for Server1's IP address of 200.1.1.50. From Server1's point of view, Client1's IP address is 200.1.1.2. Server1 doesn't know anything about its actual IP address of 10.1.1.1.
When Server1 responds to Client1, its packet arrives at the NAT router with Client1's translated address of 200.1.1.2 as the destination address, but leaves the NAT router with Client1's actual address of 10.1.1.1 as the destination address. Server1's response is delivered to IP address 10.1.1.1.


Figure 3  Basic NAT Dynamic Inside Address Translation (figure; the packet headers drawn in the diagram are listed below)

Internal private network (between the clients and the NAT router):
  Client1 10.1.1.1 -> Server1:  DA 200.1.1.50  SA 10.1.1.1
  Server1 -> Client1:           DA 10.1.1.1    SA 200.1.1.50
  Client2 10.1.1.2 -> Server1:  DA 200.1.1.50  SA 10.1.1.2
  Server1 -> Client2:           DA 10.1.1.2    SA 200.1.1.50

External public network (between the NAT router and Server1 200.1.1.50):
  Client1 -> Server1:  DA 200.1.1.50  SA 200.1.1.2
  Server1 -> Client1:  DA 200.1.1.2   SA 200.1.1.50
  Client2 -> Server1:  DA 200.1.1.50  SA 200.1.1.1
  Server1 -> Client2:  DA 200.1.1.1   SA 200.1.1.50

Client2 Walkthrough:
A packet arrives at the NAT router from Client2 with a source address of 10.1.1.2, but leaves the NAT router with the remaining available source address from the assigned pool, in this case 200.1.1.1. In both cases the destination is Server1's IP address of 200.1.1.50. From Server1's point of view, Client2's IP address is 200.1.1.1. Server1 doesn't know anything about its actual IP address of 10.1.1.2.
When Server1 responds to Client2, its packet arrives at the NAT router with Client2's translated address of 200.1.1.1 as the destination address, but leaves the NAT router with Client2's actual address of 10.1.1.2 as the destination address. Server1's response is delivered to IP address 10.1.1.2.

NAPT Dynamic Inside Address Translation


Figure 4 displays a basic NAPT dynamic inside address translation overview. The overview shows two internal network clients: Client1 and Client2. The access list assigned to this dynamic translation must contain permits for the IP address of each local client (10.1.1.1 and 10.1.1.2). A NAT pool can be configured with a single IP address for its range of publicly available IP addresses and assigned to this dynamic translation. A single public IP address will be sufficient because NAPT will use the available L4 port range of this address when assigning addresses for dynamic translation. In this case the public IP address range is from 200.1.1.1 to 200.1.1.1. This is a NAPT dynamic translation, so we must assign the overload option.


Client1 Walkthrough:
A packet arrives at the NAT router from Client1 with a source address of 10.1.1.1:125, but leaves the NAT router with a source address of 200.1.1.1:1024. In both cases the destination is Server1's IP address of 200.1.1.50:80. From Server1's point of view, Client1's IP address is 200.1.1.1:1024. Server1 doesn't know anything about its actual IP address of 10.1.1.1:125.
When Server1 responds to Client1, its packet arrives at the NAT router with Client1's translated address of 200.1.1.1:1024 as the destination address, but leaves the NAT router with Client1's actual address of 10.1.1.1:125 as the destination address. Server1's response is delivered to IP address 10.1.1.1:125.

Figure 4  Basic NAPT Dynamic Inside Address Translation (figure; the packet headers drawn in the diagram are listed below)

Internal private network (between the clients and the NAT router):
  Client1 10.1.1.1 -> Server1:  DA 200.1.1.50:80  SA 10.1.1.1:125
  Server1 -> Client1:           DA 10.1.1.1:125   SA 200.1.1.50:80
  Client2 10.1.1.2 -> Server1:  DA 200.1.1.50:80  SA 10.1.1.2:125
  Server1 -> Client2:           DA 10.1.1.2:125   SA 200.1.1.50:80

External public network (between the NAT router and Server1 200.1.1.50):
  Client1 -> Server1:  DA 200.1.1.50:80   SA 200.1.1.1:1024
  Server1 -> Client1:  DA 200.1.1.1:1024  SA 200.1.1.50:80
  Client2 -> Server1:  DA 200.1.1.50:80   SA 200.1.1.1:1025
  Server1 -> Client2:  DA 200.1.1.1:1025  SA 200.1.1.50:80

Client2 Walkthrough:
A packet arrives at the NAT router from Client2 with a source address of 10.1.1.2:125, but leaves the NAT router with a source address of 200.1.1.1:1025. In both cases the destination is Server1's IP address of 200.1.1.50:80. From Server1's point of view, Client2's IP address is 200.1.1.1:1025. Server1 doesn't know anything about its actual IP address of 10.1.1.2:125.
When Server1 responds to Client2, its packet arrives at the NAT router with Client2's translated address of 200.1.1.1:1025 as the destination address, but leaves the NAT router with Client2's actual address of 10.1.1.2:125 as the destination address. Server1's response is delivered to IP address 10.1.1.2:125.


DNS, FTP and ICMP Support

NAT works with DNS by having the DNS Application Layer Gateway (ALG) translate an address that appears in a Domain Name System response to a name or inverse lookup.

NAT works with FTP by having the FTP ALG translate the FTP control payload. Both FTP PORT CMD packets and PASV packets, containing IP address information within the data portion, are supported. The FTP control port is configurable.

The NAT implementation also supports the translation of the IP address embedded in the data portion of the following types of ICMP error message: destination unreachable (type 3), source quench (type 4), redirect (type 5), time exceeded (type 11) and parameter problem (type 12).

NAT Timeouts
The maximum timeout value in seconds per flow is configurable for the following flow types:
- Dynamic translation
- UDP and TCP
- ICMP
- DNS
- FTP

NAT Router Limits

Router parameters such as the number of bindings and cache size use valuable memory resources that are shared by other routing functions such as LSNAT and TWCB on a first come, first served basis. By default these settings are set to maximum values. By lowering the maximum limit for affected parameters, the resource delta between the new limit and the maximum value for that parameter will be available to other routing functions such as LSNAT and TWCB. Maximum limits can be set or cleared for the following NAT-related router parameters:
- NAT bindings
- Cache size
- Dynamic mapping configurations
- Static mapping configurations
- Interface configurations
- Global address configurations
- Global port configurations
Note: The maximum number of bindings and cache available should only be modified to assure availability to functionalities that share these resources such as TWCB, NAT and LSNAT. It is recommended that you consult with Enterasys customer support before modifying these parameter values.


NAT Binding
A NAT flow has two devices associated with it that are in communication with each other: the client device belonging to the inside (private) network and the server device belonging to the outside (public) network. Each active NAT flow has a binding resource associated with it. Each flow is based upon the following criteria:

If it is a non-FTP NAT flow:
- Source IP Address: the inside client IP address
- Destination IP Address: the outside server IP address

If it is a NAPT or FTP flow:
- Source IP Address: the inside client IP address
- Destination IP Address: the outside server IP address
- Source Port: the inside client source port
- Destination Port: the outside server destination port
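The binding rules just listed, together with the access-list, pool, overload, port-range and timeout behaviour described under Dynamic Inside Address Translations, as an added Python model. This is constructed example code, not the switch firmware: the 2-tuple and 4-tuple flow keys, the global port range 1024 to 4999 and the 240 second default timeout come from the text; the order in which pool addresses are handed out on the real router is an internal algorithm (the walkthrough above happened to give Client1 200.1.1.2), so the model simply takes the lowest free address; the Packet and NatRouter names, and the choice to return None when no binding can be made (source not permitted, pool exhausted, or inbound traffic with no binding), are assumptions of the model.

```python
"""Constructed model of dynamic inside-source NAT/NAPT binding behaviour.

Example code, not the switch's implementation: it follows the rules the text
gives (access-list of permitted inside addresses, pool of global addresses,
'overload' selecting NAPT, global ports 1024-4999, 240 s idle timeout, and the
2-tuple / 4-tuple flow keys from the NAT Binding section). Pool allocation
order on the real router is an internal algorithm; the model takes the lowest
free address. Returning None for a packet that gets no binding is a model
assumption.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str = "tcp"       # "tcp", "udp" or "icmp"
    src_port: int = 0        # 0 for flows without L4 ports
    dst_port: int = 0


class NatRouter:
    PORT_RANGE = range(1024, 5000)   # NAPT global ports 1024..4999 (from the text)

    def __init__(self, access_list, pool_start, pool_end, overload=False, timeout=240):
        self.permitted = frozenset(access_list)       # permits in the inside access-list
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (pool_start, pool_end))
        self.free_addrs = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.overload = overload                       # True = NAPT, False = NAT
        self.timeout = timeout                         # idle seconds before a binding is released
        self.addr_map = {}    # NAT:  inside ip -> global ip while any flow of that host is active
        self.port_map = {}    # NAPT: (global ip, global port) -> (inside ip, inside port)
        self.bindings = {}    # flow key -> [global ip, global port, last used]

    def _key(self, pkt):
        # NAPT (and FTP) flows are identified by the 4-tuple, plain NAT flows by the address pair.
        if self.overload:
            return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
        return (pkt.src_ip, pkt.dst_ip)

    def _expire(self, now):
        """Release bindings idle longer than the timeout (the dynamic-translation timeout)."""
        for key in [k for k, b in self.bindings.items() if now - b[2] > self.timeout]:
            gip, gport, _ = self.bindings.pop(key)
            self.port_map.pop((gip, gport), None)
            inside_ip = key[0]
            if not self.overload and not any(k[0] == inside_ip for k in self.bindings):
                # last flow of this host gone: its global address returns to the pool
                self.free_addrs.append(self.addr_map.pop(inside_ip))

    def _free_port(self, gip):
        for port in self.PORT_RANGE:
            if (gip, port) not in self.port_map:
                return port
        raise RuntimeError("NAPT global port range exhausted")

    def outbound(self, pkt, now=0):
        """Inside -> outside. Returns the packet as it leaves the outside interface,
        or None when no binding can be made (source not permitted, or pool exhausted)."""
        self._expire(now)
        if pkt.src_ip not in self.permitted:
            return None
        key = self._key(pkt)
        if key not in self.bindings:
            if self.overload:
                gip = self.free_addrs[0]                # one global address shared by all flows
                gport = self._free_port(gip)
                self.port_map[(gip, gport)] = (pkt.src_ip, pkt.src_port)
            else:
                if pkt.src_ip not in self.addr_map:
                    if not self.free_addrs:
                        return None
                    self.addr_map[pkt.src_ip] = self.free_addrs.pop(0)
                gip, gport = self.addr_map[pkt.src_ip], pkt.src_port   # ports untouched in NAT
            self.bindings[key] = [gip, gport, now]
        gip, gport, _ = self.bindings[key]
        self.bindings[key][2] = now                     # refresh the idle timer
        return Packet(gip, pkt.dst_ip, pkt.proto, gport, pkt.dst_port)

    def inbound(self, pkt, now=0):
        """Outside -> inside. Rewrites the destination back to the inside host, or
        returns None when nothing is bound to it (unsolicited traffic is dropped)."""
        self._expire(now)
        if self.overload:
            hit = self.port_map.get((pkt.dst_ip, pkt.dst_port))
            if hit is None:
                return None
            inside_ip, inside_port = hit
        else:
            reverse = {g: l for l, g in self.addr_map.items()}
            if pkt.dst_ip not in reverse:
                return None
            inside_ip, inside_port = reverse[pkt.dst_ip], pkt.dst_port
        return Packet(pkt.src_ip, inside_ip, pkt.proto, pkt.src_port, inside_port)


if __name__ == "__main__":
    # Constructed walkthrough matching the figures: two clients, pool 200.1.1.1-200.1.1.2.
    nat = NatRouter(["10.1.1.1", "10.1.1.2"], "200.1.1.1", "200.1.1.2")
    print(nat.outbound(Packet("10.1.1.1", "200.1.1.50")))
    napt = NatRouter(["10.1.1.1", "10.1.1.2"], "200.1.1.1", "200.1.1.1", overload=True)
    print(napt.outbound(Packet("10.1.1.1", "200.1.1.50", "tcp", 125, 80)))
```

Two behaviours worth noticing when running it: in NAT mode every flow from the same inside host reuses that host's global address, and the address only returns to the pool once the last of those flows has idled past the timeout; in NAPT mode an inbound packet whose destination port has no binding is dropped, which is why a single-address NAPT pool exposes nothing inside by itself.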

Enabling NAT
When traffic subject to translation originates from or is destined to an interface, that interface must be enabled for NAT. If the interface is part of the internal private network, it should be enabled as an inside interface. If the interface is part of the external public network, it should be enabled as an outside interface.

Configuring NAT
This section provides details for the configuration of NAT on the S-Series and N-Series products. Table 1 lists NAT parameters and their default values.

Table 1  Default NAT Parameters

Parameter                   Description                                                          Default Value
Inside NAT Interface Type   Specifies that NAT should be enabled on this interface as a          None
                            local private network interface.
Outside NAT Interface Type  Specifies that NAT should be enabled on this interface as an         None
                            external public network interface.
Pool Name                   Identifies a group of NAT IP addresses used by the dynamic           None
                            address binding feature for NAT translation.
Pool IP Address Range       Specifies the start and end of a range of IP addresses for this      None
                            NAT pool.
Access List                 Specifies a list of IP addresses to translate when enabling          None
                            dynamic translation of inside source addresses.
Overload                    Specifies that NAPT translation should take place for this           NAT translation
                            dynamic pool binding.
Local IP Address            The private IP address for this static NAT binding.                  None
Global IP Address           The public IP address for this static NAT binding.                   None
Local Port                  The private L4 port associated with the local-ip for this static     None
                            NAPT binding.
Global Port                 The public L4 port associated with the global-ip for this static     None
                            NAPT binding.
Timeout                     Specifies the timeout value applied to dynamic translations.         240 seconds
UDP timeout                 Specifies the timeout value applied to the UDP translations.         240 seconds
TCP timeout                 Specifies the timeout value applied to the TCP translations.         240 seconds
ICMP timeout                Specifies the timeout value applied to the ICMP translations.        240 seconds
DNS timeout                 Specifies the timeout value applied to the DNS translations.         240 seconds
FTP timeout                 Specifies the timeout value applied to the FTP translations.         240 seconds

Table 2 lists NAT resource limits.

Table 2  NAT Resource Limits

Resource               S-Series   N-Series
Global Bindings        65536      32768
IP Addresses           2000       1000
Pools                  10         10
Port Mapped Addresses  20         10
Static Rules           1000       500


Configuring Traditional NAT Static Inside Address Translation

Procedure 1 describes how to configure traditional NAT for a static configuration.

Procedure 1  Traditional NAT Static Configuration

1. Enable NAT on all interfaces on which translation takes place for both the internal and external networks.
   Command: ip nat {inside | outside}

2. Enable any static NAT translations of inside source addresses.
   Command: ip nat inside source static local-ip global-ip

3. Enable any static NAPT translations of inside source addresses, specifying whether the L4 port is a TCP or UDP port.
   Command: ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port

Configuring Traditional NAT Dynamic Inside Address Translation

Procedure 2 describes how to configure traditional NAT for a dynamic configuration.

Procedure 2  Traditional NAT Dynamic Configuration

1. Enable NAT on all interfaces on which translation takes place for both the internal and external networks.
   Command: ip nat {inside | outside}

2. Define an access-list of permits for all inside addresses to be used by this dynamic translation.
   Command: access-list list-number {deny | permit} source

3. Define a NAT address pool for all outside addresses to be used by this dynamic translation.
   Command: ip nat pool name start-ip-address end-ip-address {netmask netmask | prefix-length prefix-length}

4. Enable dynamic translation of inside source addresses. Specify the overload option for NAPT translations. Optionally specify an outside interface VLAN.
   Command: ip nat inside source [list access-list] pool pool-name [overload | interface vlan vlan-id [overload]]

Managing a Traditional NAT Configuration

Table 3 describes how to manage traditional NAT configurations.

Table 3  Managing a Traditional NAT Configuration

Task: Optionally specify a non-default NAT FTP control port.
Command: ip nat ftp-control-port port-number

Task: Configure the maximum number of translation entries.
Command: ip nat translation max-entries number

Task: Configure NAT translation timeout values.
Command: ip nat translation {timeout | udp-timeout | tcp-timeout | icmp-timeout | dns-timeout | ftp-timeout} seconds

Task: Clear dynamic NAT translations.
Command: clear ip nat translation

Task: Clear a specific active simple NAT translation.
Command: clear ip nat translation inside global-ip local-ip

Task: Clear a specific dynamic NAT translation.
Command: clear ip nat translation {tcp | udp} inside global-ip global-port local-ip local-port

Task: Set NAT router limits.
Command: set router limits {nat-bindings nat-bindings | nat-cache nat-cache | nat-dynamic-configs nat-dynamic-configs | nat-static-config nat-static-config | nat-interface-config nat-interface-config | nat-global-addr-cfg nat-global-addr-cfg | nat-global-port-cfg nat-global-port-cfg}

Displaying NAT Statistics

Table 4 describes how to display NAT statistics.

Table 4  Displaying NAT Statistics

Task: Display active NAT translations.
Command: show ip nat translations [verbose]

Task: Display NAT translation statistics.
Command: show ip nat statistics [verbose]

Task: Display NAT router limits.
Command: show router limits [nat-bindings] [nat-cache] [nat-dynamic-config] [nat-static-config] [nat-interface-config] [nat-global-addr-cfg] [nat-global-port-cfg]

NAT Configuration Examples


This section provides a configuration example for both the static and dynamic configurations. Each example includes both the NAT and NAPT translation methods.
Note: For purposes of our examples we will not modify the maximum number of translation entries or any NAT router limits. These parameters should only be modified to assure availability to functionalities that share these resources such as TWCB and LSNAT. It is recommended that you consult with Enterasys customer support before modifying these parameter values. Depending upon the firmware version, the CLI prompts on your system may differ from those presented in this section. We will also assume that the FTP control port will use the default value.


NAT Static Configuration Example


This example steps you through a NAT static configuration for both NAT and NAPT translation methods. See Figure 5 for a depiction of the NAT static configuration example setup.

Our static NAT configuration example configures two clients: Client1 with NAT translation and Client2 with NAPT translation. Both clients are on the internal private network VLAN 10 interface and communicate with Server1 over the external public network VLAN 100 interface. NAT is enabled on VLAN 10 as an inside interface. NAT is enabled on VLAN 100 as an outside interface. These are the only VLANs over which translation occurs for the static portion of this configuration example.

To configure Client1 on the NAT router, we enable static NAT translation of the inside source address specifying local IP address 10.1.1.1 and global IP address 200.1.1.1. Server1 will only see Client1 as IP address 200.1.1.1.

To configure Client2 on the NAT router, we enable static NAPT translation of the inside source address specifying local IP address 10.1.1.2:125 and global IP address 200.1.1.2:1025. Server1 will only see Client2 as IP address 200.1.1.2:1025.

Figure 5  NAT Static Configuration Example (figure; the packet headers drawn in the diagram are listed below)

Internal private network, VLAN 10 (between the clients and the NAT router):
  Client1 10.1.1.1 -> Server1:      DA 200.1.1.50     SA 10.1.1.1
  Server1 -> Client1:               DA 10.1.1.1       SA 200.1.1.50
  Client2 10.1.1.2:125 -> Server1:  DA 200.1.1.50:80  SA 10.1.1.2:125
  Server1 -> Client2:               DA 10.1.1.2:125   SA 200.1.1.50:80

External public network, VLAN 100 (between the NAT router and Server1 200.1.1.50, port 80):
  Client1 -> Server1:  DA 200.1.1.50     SA 200.1.1.1
  Server1 -> Client1:  DA 200.1.1.1      SA 200.1.1.50
  Client2 -> Server1:  DA 200.1.1.50:80  SA 200.1.1.2:1025
  Server1 -> Client2:  DA 200.1.1.2:1025 SA 200.1.1.50:80

Enable NAT Inside and Outside Interfaces


Enable NAT inside interface:
System(rw)->configure
System(rw-config)->interface vlan 10
System(su-config-intf-vlan.0.10)->ip nat inside
System(su-config-intf-vlan.0.10)->exit
System(rw-config)->

Enable NAT outside interface:
System(rw-config)->interface vlan 100
System(su-config-intf-vlan.0.100)->ip nat outside
System(su-config-intf-vlan.0.100)->exit
System(rw-config)->

Enable Static Translation of Inside Source Addresses


Enable the NAT static translation of the inside source address:
System(rw-config)->ip nat inside source static 10.1.1.1 200.1.1.1

Enable the NAPT static translation of the inside source address:
System(rw-config)->ip nat inside source static tcp 10.1.1.2:125 200.1.1.2:1025

NAT Dynamic Configuration Example


This example steps you through a NAT dynamic configuration for both NAT and NAPT translation methods. See Figure 6 for a depiction of the example setup.

Our dynamic NAT configuration example configures four clients: Client1 and Client2 with NAT translation and Client3 and Client4 with NAPT translation. The two NAT clients are on the internal private network VLAN 10 interface and communicate with Server1 over the external public network VLAN 100 interface. The two NAPT clients are on the internal private network VLAN 20 and communicate with Server1 over the external public network VLAN 200 interface. NAT is enabled on VLAN 10 and VLAN 20 as inside interfaces. NAT is enabled on VLAN 100 and VLAN 200 as outside interfaces. These are the only VLANs over which translation occurs for the dynamic portion of this configuration example.

To configure Client1 and Client2 for dynamic NAT translation on the NAT router, we define access-list 1 to permit the local IP addresses 10.1.1.1 and 10.1.1.2. We then configure the NAT translation NAT pool natpool with the global address range of 200.1.1.1 to 200.1.1.2. We then enable dynamic translation of inside addresses, associating access-list 1 with the NAT pool natpool.


Figure 6  NAT Dynamic Configuration Example (figure; the packet headers drawn in the diagram are listed below)

Internal private network, VLAN 10 (NAT clients):
  Client1 10.1.1.1 -> Server1:  DA 200.1.1.50  SA 10.1.1.1
  Server1 -> Client1:           DA 10.1.1.1    SA 200.1.1.50
  Client2 10.1.1.2 -> Server1:  DA 200.1.1.50  SA 10.1.1.2
  Server1 -> Client2:           DA 10.1.1.2    SA 200.1.1.50

External public network, VLAN 100 (NAT clients, towards Server1 200.1.1.50):
  Client1 -> Server1:  DA 200.1.1.50  SA 200.1.1.1
  Server1 -> Client1:  DA 200.1.1.1   SA 200.1.1.50
  Client2 -> Server1:  DA 200.1.1.50  SA 200.1.1.2
  Server1 -> Client2:  DA 200.1.1.2   SA 200.1.1.50

Internal private network, VLAN 20 (NAPT clients):
  Client3 10.1.1.3 -> Server1:  DA 200.1.1.50:80  SA 10.1.1.3:125
  Server1 -> Client3:           DA 10.1.1.3:125   SA 200.1.1.50:80
  Client4 10.1.1.4 -> Server1:  DA 200.1.1.50:80  SA 10.1.1.4:125
  Server1 -> Client4:           DA 10.1.1.4:125   SA 200.1.1.50:80

External public network, VLAN 200 (NAPT clients share the single global address 200.1.1.3, one on port 1024 and the other on port 1025, towards Server1 200.1.1.50:80):
  Client -> Server1:  DA 200.1.1.50:80   SA 200.1.1.3:1024
  Server1 -> Client:  DA 200.1.1.3:1024  SA 200.1.1.50:80
  Client -> Server1:  DA 200.1.1.50:80   SA 200.1.1.3:1025
  Server1 -> Client:  DA 200.1.1.3:1025  SA 200.1.1.50:80


To configure Client3 and Client4 for dynamic NAPT translation on the NAT router, we define access-list 2 to permit the local IP addresses 10.1.1.3 and 10.1.1.4. We then configure NAT pool naptpool with a global range of 200.1.1.3 to 200.1.1.3. We then enable dynamic translation of inside addresses for overload, associating access-list 2 with the NAT pool naptpool.

Enable NAT Inside and Outside Interfaces


Enable NAT inside interfaces:
System(rw)->configure
System(rw-config)->interface vlan 10
System(su-config-intf-vlan.0.10)->ip nat inside
System(su-config-intf-vlan.0.10)->exit
System(rw-config)->interface vlan 20
System(su-config-intf-vlan.0.20)->ip nat inside
System(su-config-intf-vlan.0.20)->exit
System(rw-config)->

Enable NAT outside interfaces:
System(rw-config)->interface vlan 100
System(su-config-intf-vlan.0.100)->ip nat outside
System(su-config-intf-vlan.0.100)->exit
System(rw-config)->interface vlan 200
System(su-config-intf-vlan.0.200)->ip nat outside
System(su-config-intf-vlan.0.200)->exit
System(rw-config)->

Define Inside Address Access-Lists


Define inside address access-list 1 for NAT clients:
System(rw-config)->access-list 1 permit host 10.1.1.1
System(rw-config)->access-list 1 permit host 10.1.1.2
System(rw-config)->

Define inside address access-list 2 for NAPT clients:
System(rw-config)->access-list 2 permit host 10.1.1.3
System(rw-config)->access-list 2 permit host 10.1.1.4
System(rw-config)->


Define the NAT Pools for Global Addresses


Define the NAT pool for the NAT clients:
System(rw-config)->ip nat pool natpool 200.1.1.1 200.1.1.2 netmask 255.255.255.0

Define the NAT pool for the NAPT clients:
System(rw-config)->ip nat pool naptpool 200.1.1.3 200.1.1.3 netmask 255.255.255.0
System(rw-config)->

Enable Dynamic Translation of Inside Source Addresses

Enable the NAT dynamic translation of the inside source address:
System(rw-config)->ip nat inside source list 1 pool natpool

Enable the NAPT dynamic translation of the inside source address:
System(rw-config)->ip nat inside source list 2 pool naptpool overload

This completes the NAT configuration example.

Terms and Definitions


Table 5 lists terms and definitions used in this NAT configuration discussion.

Table 5  NAT Configuration Terms and Definitions

Basic NAT
  Refers to Network Address Translation (NAT) only.

Dynamic Address Binding
  Provides a binding based upon an internal algorithm between an address from an access-list of local addresses to an address from a pool of global addresses for NAT and TCP/UDP port number translations for NAPT.

Inside (private) address
  An IP address internal to the network only reachable by the external network by translation.

NAT Address Pool
  A grouping of global addresses used by both NAT and NAPT dynamic address binding.

Network Address Port Translation (NAPT)
  Provides a mechanism to connect a realm with private addresses to an external realm with globally unique registered addresses by mapping many network addresses, along with their associated TCP/UDP ports, into a single network address and its associated TCP/UDP ports.

Network Address Translation (NAT)
  Provides a mechanism to connect an internal realm with private addresses to an external realm with globally unique registered addresses by mapping IP addresses from one group to another, transparent to the end user.

Outside (public) address
  A registered global IP address external to the private network that the inside address is translated to.

Static Address Binding
  Provides a one-to-one binding between local addresses to global addresses for NAT and TCP/UDP port number translations for NAPT.

Traditional NAT
  Refers to both NAT and NAPT.


Revision History
Date        Description
09/24/2008  New document
02/12/2009  In ip nat inside source context made clear that VLAN option was for an outside VLAN.
04/16/2009  Input an advanced routing license notice that includes the 256 MB requirement on all modules statement.
09/08/2010  Updated for S-Series. Added new resource-limits table.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

2010 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, ENTERASYS S-SERIES and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring Neighbor Discovery


This document provides information about configuring and monitoring neighbor discovery on Enterasys Matrix N-Series, Enterasys SecureStack, D-Series, G-Series, and I-Series devices.
Note: For information on Enterasys Matrix X-Series support, refer to the Enterasys Matrix X Secure Core Router Configuration Guide.

For information about...
- What is Neighbor Discovery?
- Why Would I Use Neighbor Discovery in My Network?
- How Do I Implement Neighbor Discovery?
- Understanding Neighbor Discovery
- Configuring LLDP

What is Neighbor Discovery?


Neighbor discovery is the Layer 2 process in which a device identifies and advertises itself to its directly connected neighbors. Enterasys devices support the following neighbor discovery protocols:
- Link Layer Discovery Protocol (LLDP) and its extension, LLDP-MED, which is the IEEE 802.1AB standard for neighbor discovery

Note: Currently, LLDP is not supported on Enterasys I-Series devices.

- Enterasys Discovery Protocol, for discovering Enterasys devices
- Cisco Discovery Protocol, for discovering Cisco devices

Why Would I Use Neighbor Discovery in My Network?


Neighbor discovery is useful for the following:
- Determining an accurate physical network topology
- Creating an inventory of network devices
- Troubleshooting the network

October 15, 2008

Page 1 of 14


How Do I Implement Neighbor Discovery?


LLDP, Enterasys Discovery Protocol, and Cisco Discovery Protocol are enabled on Enterasys devices by default. Though all three discovery protocols can run simultaneously, LLDP is the preferred protocol.

If a device attached to a port that has been enabled for neighbor discovery does not support LLDP but supports Enterasys Discovery Protocol or Cisco Discovery Protocol, then one of those protocols is used instead.

Understanding Neighbor Discovery


As stated previously, the neighbor discovery protocols support the Layer 2 process of network devices advertising their identities and capabilities on a LAN and discovering that information about their directly connected neighbors. While Enterasys Discovery Protocol and Cisco Discovery Protocol are vendor-specific protocols, LLDP is an industry standard (IEEE 802.1AB), vendor-neutral protocol.

The LLDP-enabled device periodically advertises information about itself (such as management address, capabilities, media-specific configuration information) in an LLDPDU (Link Layer Discovery Protocol Data Unit), which is sent in a single 802.3 Ethernet frame (see Figure 3). An LLDPDU consists of a set of TLV (type, length, and value) attributes. The information, which is extracted and tabulated by an LLDP-enabled device's peers, is recorded in IEEE-defined management information base (MIB) modules, making it possible for the information to be accessed by a network management system using a management protocol such as SNMP. The information is aged to ensure that it is kept up to date. Ports can be configured to send this information, receive this information, or both.

The LLDP agent operates only in an advertising mode, and hence does not support any means for soliciting information or keeping state between two LLDP entities.

LLDP can be used for many advanced features in a VoIP network environment. These features include basic configuration, network policy configuration, location identification (including for Emergency Call Service/E911), Power over Ethernet management, and inventory management. To fulfill these needs, the standard provides extensions to IEEE 802.1AB that are specific to the requirements of media endpoint devices in an IEEE 802 LAN. Interaction behavior between the media endpoint devices and the LAN infrastructure elements is also described where it is relevant to correct operation or multi-vendor interoperability. Media endpoint devices addressed include, but are not limited to, IP phones, IP voice/media gateways, IP media servers, and IP communication controllers.

Figure 1 shows an example of LLDP communication between devices, done via Layer 2 with LLDPDU packets. The communication is only between LLDP-enabled devices; the information is not forwarded to other devices.


Figure 1  Communication between LLDP-enabled Devices (figure: two IP switches exchange LLDPDUs with each other and with the IP phones, PC and IP-PBX attached to them, the IP-PBX being connected to the PSTN; each device announces itself, for example "I'm a switch", "I'm an IP phone", "I'm an IP-PBX", "I'm a PC", and the peers record what they learn in their discovery MIBs, shown below)

Discovery MIB of the first switch:
  Port    Device     Info
  ge.1.1  IP switch  x.x.x.x
  ge.1.2  IP phone   x.x.x.x
  ge.1.4  IP phone   x.x.x.x
  ge.1.6  IP-PBX     x.x.x.x

Discovery MIB of the second switch:
  Port    Device     Info
  ge.1.1  IP phone   x.x.x.x
  ge.1.2  PC         x.x.x.x
  ge.1.4  IP switch  x.x.x.x

LLDP-MED
The LLDP Media Endpoint Discovery (LLDP-MED) extension of LLDP is defined to share information between media endpoint devices such as IP telephones, media gateways, media servers, and network connectivity devices.

Either LLDP or LLDP-MED, but not both, can be used on an interface between two devices. A switch port uses LLDP-MED when it detects that an LLDP-MED device is connected to it.

LLDP-MED provides the following benefits:
- Auto-discovery of LAN policies, such as VLAN ID, 802.1p priority, and DiffServ code point settings, leading to plug-and-play networking. This is supported on Enterasys Matrix N-Series devices only.
- Device location and topology discovery, allowing creation of location databases and, in the case of VoIP, provision of E911 services. This is supported on Enterasys Matrix N-Series devices only.
- Extended and automated power management of Power over Ethernet endpoints
- Inventory management, allowing network administrators to track their network devices and to determine their characteristics, such as manufacturer, software and hardware versions, and serial or asset numbers.


There are two primary LLDP-MED device types (as shown in Figure 2):
- Network connectivity devices, which are LAN access devices such as a LAN switch/router, bridge, repeater, wireless access point, or any device that supports the IEEE 802.1AB and MED extensions defined by the standard and can relay IEEE 802 frames via any method.
- Endpoint devices, which have three defined subtypes or classes:
  - LLDP-MED Generic Endpoint (Class I): All endpoint products that, while requiring the base LLDP discovery services defined in the standard, do not support IP media or act as an end-user communication device, such as IP communications controllers, other communication-related servers, or any device requiring basic services. Discovery services defined in this class include LAN configuration, device location, network policy, power management, and inventory management.
  - LLDP-MED Media Endpoint (Class II): All endpoint products that have IP media capabilities but that may not be associated with a particular end user, such as voice/media gateways, conference bridges, and media servers. Capabilities include all of the capabilities defined for Generic Endpoint (Class I) and are extended to include aspects related to media streaming. Discovery services defined in this class include media-type-specific network layer policy discovery.
  - LLDP-MED Communication Endpoint (Class III): All endpoint products that act as an end-user communication device supporting IP media. Capabilities include all of the capabilities defined for the Generic Endpoint (Class I) and Media Endpoint (Class II) devices and are extended to include aspects related to end-user devices, such as IP phones, PC-based softphones, and other communication devices that directly support the end user.


Figure 2  LLDP-MED (figure: the device classes below arranged around the IP network infrastructure, an IEEE 802 LAN)

- LLDP-MED Network Connectivity Devices: provide IEEE 802 network access to LLDP-MED endpoints (for example, L2/L3 switch)
- LLDP-MED Generic Endpoints (Class I): basic participant endpoints in LLDP-MED (for example, IP communications controller)
- LLDP-MED Media Endpoints (Class II): support IP media streams (for example, media gateways, conference bridges)
- LLDP-MED Communication Device Endpoints (Class III): support IP communication end users (for example, IP phone, soft phone)


LLDPDU Frames
As shown in Figure 3, each LLDPDU frame contains the following mandatory TLVs:
- Chassis ID: The chassis identification for the device that transmitted the LLDP packet.
- Port ID: The identification of the specific port that transmitted the LLDP packet. The receiving LLDP agent joins the chassis ID and the port ID to correspond to the entity connected to the port where the packet was received.
- Time to Live: The length of time that information contained in the received LLDP packet will be valid.
- End of LLDPDU: Indicates the final TLV of the LLDPDU frame.

Figure 3  Frame Format

IEEE 802.3 LLDP frame format:
  DA: LLDP_Multicast address (6 octets) | SA: MAC address (6 octets) | LLDP Ethertype 88-CC (2 octets) | Data + pad: LLDPDU (1500 octets) | FCS (4 octets)

LLDPDU format:
  Chassis ID TLV (M) | Port ID TLV (M) | Time to Live TLV (M) | Optional TLV ... Optional TLV | End of LLDPDU TLV (M)

M = Mandatory TLV (required for all LLDPDUs)

Each LLDPDU frame can also contain the following optional TLVs:
- Port Description: The port from which the LLDP agent transmitted the frame.
- System Name: The system's administratively assigned name.
- System Description: Includes the system's name, hardware version, OS level, and networking software version.
- System Capabilities: A bitmap that defines the primary functions of the system. The currently defined capabilities include, among other things, WLAN access point, router, and telephone.
- Management Address: The IP or MAC address associated with the local LLDP agent that may be used to reach higher layer entities.

An LLDPDU frame can also contain the following extension TLVs:
- 802.1 VLAN extension TLVs describe attributes associated with VLANs:
  - Port VLAN ID: Allows a bridge port to advertise the port's VLAN identifier (PVID) that will be associated with untagged or priority-tagged frames it receives.
  - Port & Protocol VLAN ID: Allows a bridge to advertise whether it supports protocol VLANs and, if so, what VLAN IDs these protocols will be associated with.


VLANNameAllowsabridgetoadvertisethetextualnameofanyVLANwithwhichit isconfigured. ProtocolIdentityAllowsabridgetoadvertisetheparticularprotocolsthatare accessiblethroughitsport.

802.3LANinterfaceextensionsTLVsdescribeattributesassociatedwiththeoperationofan 802.3LANinterface: MAC/PHYConfiguration/StatusAdvertisesthebitrateandduplexcapabilityofthe sending802.3node,thecurrentduplexandbitratingofthesending802.3node,and whetherthesesettingsweretheresultofautonegotiationduringlinkinitiationormanual override. PowerViaMDIAdvertisesthepowerviaMDIcapabilitiesofthesending802.3node. LinkAggregationAdvertiseswhetherthelinkiscapableofbeingaggregated,whether itiscurrentlyinanaggregation,and,ifitisinanaggregation,theportoftheaggregation. MaximumFrameSizeAdvertisesthemaximumsupported802.3framesizeofthe sendingstation.

LLDPMEDextensionTLVs: CapabilitiesIndicatesthenetworkconnectivitydevicescapabilities. NetworkPolicyUsedtoconfiguretagged/untaggedVLANID/L2priority/DSCPon LLDPMEDendpoints(forexample,IPphones). LocationIdentificationProvidesthelocationidentifierinformationtocommunication endpointdevices,basedontheconfigurationofthenetworkconnectivitydeviceitis connectedto. ExtendedPowerviaMDIEnablesadvancedpowermanagementbetweenLLDPMED endpointsandnetworkconnectivitydevices. InventoryManagementIncludeshardwarerevision,firmwarerevision,software revision,serialnumber,manufacturername,modelname,andassetID.

Some TLVs support multiple subtypes. For example, Port ID is sent as an ifName (e.g., ge.1.1) between Enterasys devices, but when an LLDP-MED endpoint is detected on a port, that TLV subtype changes to a network address (MAC address), and other MED TLVs are sent, as defined by the MED spec.

LLDP Configuration Commands

Table 1 lists LLDP configuration commands. The table indicates which commands are device specific.

Table 1  LLDP Configuration Commands

• set lldp tx-interval frequency
  Set the time, in seconds, between successive LLDP frame transmissions initiated by changes in the LLDP local system information. Default value is 30 seconds.
• set lldp hold-multiplier multiplier-val
  Set the time-to-live value used in LLDP frames sent by this device. The time-to-live for LLDPDU data is calculated by multiplying the transmit interval by the hold multiplier. The default value is 4.
• set lldp trap-interval frequency
  Set the minimum interval between LLDP notifications sent by this device. LLDP notifications are sent when a remote system change has been detected. The default value is 5 seconds.
• set lldp med-fast-repeat count
  Set the number of fast start LLDPDUs to be sent when an LLDP-MED endpoint device is detected. Network connectivity devices transmit only LLDP TLVs in LLDPDUs until they detect that an LLDP-MED endpoint device has connected to a port. At that point, the network connectivity device starts sending LLDP-MED TLVs at a fast start rate on that port. The default value is 3.
• set lldp port status {tx-enable | rx-enable | both | disable} port-string
  Enable or disable transmitting and processing received LLDPDUs on a port or range of ports.
• set lldp port trap {enable | disable} port-string
  Enable or disable sending LLDP traps when a remote system change is detected.
• set lldp port med-trap {enable | disable} port-string
  Enable or disable sending an LLDP-MED trap when a change in the topology has been sensed on the port (that is, a remote endpoint device has been attached to or removed from the port).
• set lldp port location-info elin elin-string port-string
  Configure LLDP-MED location information on a port or range of ports. Currently, only Emergency Call Services (ECS) Emergency Location Identification Number (ELIN) is supported. ELIN is a special phone number used to indicate location, and is assigned and associated with small geographies in the organization. It is one of the forms of identification that the location identification TLV provides. This command applies to Enterasys Matrix N-Series devices only.
• set lldp port tx-tlv {[all] | [port-desc] [sys-name] [sys-desc] [sys-cap] [mgmt-addr] [vlan-id] [stp] [lacp] [gvrp] [mac-phy] [poe] [link-aggr] [max-frame] [med-cap] [med-pol] [med-loc] [med-poe]} port-string
  Select the optional LLDP and LLDP-MED TLVs to be transmitted in LLDPDUs by the specified port or ports.
• set lldp port network-policy {all | voice | voice-signaling | guest-voice | guest-voice-signaling | softphone-voice | video-conferencing | streaming-video | video-signaling} [state {enable | disable}] [tag {tagged | untagged}] [vid {vlan-id | dot1p}] [cos cos-value] [dscp dscp-value] port-string
  Configure network policy for a set of applications on a port or range of ports. The policies configured with this command are sent in LLDPDUs as LLDP-MED Network Policy TLVs. Multiple Network Policy TLVs can be sent in a single LLDPDU. This command applies to Enterasys Matrix N-Series devices only.
• clear lldp {all | tx-interval | hold-multiplier | trap-interval | med-fast-repeat}
  Return LLDP parameters to their default values.
• clear lldp port status port-string
  Return the port status to the default value of both (both transmitting and processing received LLDPDUs are enabled).
• clear lldp port trap port-string
  Return the port LLDP trap setting to the default value of disabled.
• clear lldp port med-trap port-string
  Return the port LLDP-MED trap setting to the default value of disabled.
• clear lldp port location-info elin port-string
  Return the port ECS ELIN location setting to the default value of null. This command applies to Enterasys Matrix N-Series devices only.
• clear lldp port network-policy {all | voice | voice-signaling | guest-voice | guest-voice-signaling | softphone-voice | video-conferencing | streaming-video | video-signaling} {[state] [tag] [vid] [cos] [dscp]} port-string
  Return network policy for a set of applications on a port or range of ports to default values. This command applies to Enterasys Matrix N-Series devices only.
• clear lldp port tx-tlv {[all] | [port-desc] [sys-name] [sys-desc] [sys-cap] [mgmt-addr] [vlan-id] [stp] [lacp] [gvrp] [mac-phy] [poe] [link-aggr] [max-frame] [med-cap] [med-pol] [med-loc] [med-poe]} port-string
  Clear the optional LLDP and LLDP-MED TLVs to be transmitted in LLDPDUs by the specified port or ports to the default value of disabled.

Refer to the device's CLI Reference Guide or Configuration Guide, as applicable, for more information about each command.


Basic LLDP Configurations

Procedure 1 describes the basic steps to configure LLDP on Enterasys Matrix N-Series devices.

Procedure 1  Configuring LLDP (Enterasys Matrix N-Series)

Step 1. Configure global system LLDP parameters.
  Command(s): set lldp tx-interval, set lldp hold-multiplier, set lldp trap-interval, set lldp med-fast-repeat, clear lldp
Step 2. Enable/disable specific ports to transmit and process received LLDPDUs, send LLDP traps, and send LLDP-MED traps.
  Command(s): set/clear lldp port status, set/clear lldp port trap, set/clear lldp port med-trap
Step 3. Configure an ECS ELIN value for specific ports.
  Command(s): set/clear lldp port location-info
Step 4. Configure Network Policy TLVs for specific ports.
  Command(s): set/clear lldp port network-policy
Step 5. Configure which optional TLVs should be sent by specific ports. For example, if you configured an ECS ELIN and/or Network Policy TLVs, you must enable those optional TLVs to be transmitted on the specific ports.
  Command(s): set/clear lldp port tx-tlv

Procedure 2 describes the basic steps to configure LLDP on SecureStack, D-Series, and G-Series devices.

Procedure 2  Configuring LLDP (SecureStack, D-Series, and G-Series)

Step 1. Configure global system LLDP parameters.
  Command(s): set lldp tx-interval, set lldp hold-multiplier, set lldp trap-interval, set lldp med-fast-repeat, clear lldp
Step 2. Enable/disable specific ports to transmit and process received LLDPDUs, send LLDP traps, and send LLDP-MED traps.
  Command(s): set/clear lldp port status, set/clear lldp port trap, set/clear lldp port med-trap
Step 3. Configure which optional TLVs should be sent by specific ports.
  Command(s): set/clear lldp port tx-tlv


Example LLDP Configuration: Time to Live

This example sets the transmit interval to 20 seconds and the hold multiplier to 5, which will configure a time to live of 100 to be used in the TTL field in the LLDPDU header.

Router1(rw)->set lldp tx-interval 20
Router1(rw)->set lldp hold-multiplier 5

Example LLDP Configuration: Location Information

On an Enterasys Matrix N-Series device, after you configure a location information value, you must also configure the port to send the Location Information TLV with the set lldp port tx-tlv command. This example configures the ELIN identifier 5551234567 on ports ge.1.1 through ge.1.6 and then configures the ports to send the Location Information TLV.

Matrix(rw)->set lldp port location-info elin 5551234567 ge.1.1-6
Matrix(rw)->set lldp port tx-tlv med-loc ge.1.1-6

LLDP Display Commands

Table 2 lists LLDP show commands. The table indicates which commands are device specific.

Table 2  LLDP Show Commands

• show lldp
  Display LLDP configuration information.
• show lldp port status [port-string]
  Display the LLDP status of one or more ports.
• show lldp port trap [port-string]
  Display the ports that are enabled to send an LLDP notification when a remote system change has been detected or an LLDP-MED notification when a change in the topology has been sensed.
• show lldp port tx-tlv [port-string]
  Display information about which optional TLVs have been configured to be transmitted on ports.
• show lldp port location-info [port-string]
  Display configured location information for one or more ports. This command applies to Enterasys Matrix N-Series devices only.
• show lldp port local-info [port-string]
  Display the local system information stored for one or more ports.
• show lldp port remote-info [port-string]
  Display the remote system information stored for a remote device connected to a local port.
• show lldp port network-policy {all | voice | voice-signaling | guest-voice | guest-voice-signaling | softphone-voice | video-conferencing | streaming-video | video-signaling} [port-string]
  Display LLDP port network policy configuration information. This command applies to Enterasys Matrix N-Series devices only.

Refer to the device's CLI Reference Guide or Configuration Guide, as applicable, for a description of the output of each command.


Configuring Enterasys Discovery Protocol


Enterasys Discovery Protocol Configuration Commands

Table 3 lists Enterasys Discovery Protocol configuration commands.

Table 3  Enterasys Discovery Protocol Configuration Commands

• set cdp state {auto | disable | enable} [port-string]
  Enable or disable the Enterasys Discovery Protocol on one or more ports.
• set cdp auth auth-code
  Set a global Enterasys Discovery Protocol authentication code.
• set cdp interval frequency
  Set the message interval frequency (in seconds) of the Enterasys Discovery Protocol.
• set cdp hold-time hold-time
  Set the hold time value for Enterasys Discovery Protocol configuration messages.
• clear cdp {[state] [port-state port-string] [interval] [hold-time] [auth-code]}
  Reset Enterasys Discovery Protocol settings to defaults.

Refer to the device's CLI Reference Guide or Configuration Guide, as applicable, for more information about each command.

Example Enterasys Discovery Protocol Configuration


This example shows how to globally enable CDP:
Router1(rw)->set cdp state enable

This example shows how to enable CDP for port ge.1.2:
Router1(rw)->set cdp state enable ge.1.2

This example shows how to disable CDP for port ge.1.2:
Router1(rw)->set cdp state disable ge.1.2

Enterasys Discovery Protocol Show Commands

Table 4 lists Enterasys Discovery Protocol show commands.

Table 4  Enterasys Discovery Protocol Show Commands

• show cdp [port-string]
  Display the status of the CDP discovery protocol and message interval on one or more ports.
• show neighbors [port-string]
  Display Network Neighbor Discovery information from all supported discovery protocols.

Refer to the device's CLI Reference Guide or Configuration Guide, as applicable, for a description of the output of each command.


Configuring Cisco Discovery Protocol


Cisco Discovery Protocol Configuration Commands

Table 5 lists Cisco Discovery Protocol configuration commands.

Table 5  Cisco Discovery Protocol Configuration Commands

• set ciscodp status {auto | enable | disable}
  Enable or disable Cisco Discovery Protocol globally on the device.
• set ciscodp timer time
  Set the number of seconds between Cisco Discovery Protocol PDU transmissions.
• set ciscodp holdtime time
  Set the time to live (TTL) for Cisco Discovery Protocol PDUs. This is the amount of time (in seconds) neighboring devices will hold PDU transmissions from the sending device.
• set ciscodp port {[status {disable | enable}] [vvid {<vlan-id> | none | dot1p | untagged}] [trust-ext {trusted | untrusted}] [cos-ext value]} <port-string>
  Set the status, voice VLAN, extended trust mode, and CoS priority for untrusted traffic for the Cisco Discovery Protocol on one or more ports.
• clear ciscodp {[status | timer | holdtime | port {status | vvid | trust-ext | cos-ext}]} <port-string>
  Clear the Cisco Discovery Protocol back to the default values.

Refer to the device's CLI Reference Guide or Configuration Guide, as applicable, for more information about each command.

Example Cisco Discovery Protocol Configuration

This example shows how to enable Cisco Discovery Protocol on the device:
Matrix(rw)->set ciscodp status enable

Cisco Discovery Protocol Show Commands

Table 6 lists Cisco Discovery Protocol show commands.

Table 6  Cisco Discovery Protocol Show Commands

• show ciscodp
  Display global Cisco Discovery Protocol information.
• show ciscodp port info [port-string]
  Display summary information about the Cisco Discovery Protocol on one or more ports.
• show neighbors [port-string]
  Display Network Neighbor Discovery information from all supported discovery protocols.

Refer to the device's CLI Reference Guide or Configuration Guide, as applicable, for a description of the output of each command.

Revision History

Date      Description
09-29-08  New document
10-15-08  Corrected trademark list and template issues

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

© 2008 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, ENTERASYS NETSIGHT, SECURESTACK, ENTERASYS SECURESTACK, LANVIEW, WEBVIEW, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring NetFlow

This document describes the NetFlow feature and its configuration on Enterasys N-Series, S-Series, K-Series, and X-Series modular switches.

For information about... (refer to page...)
• What Is NetFlow? (page 1)
• Why Would I Use It in My Network? (page 1)
• How Can I Implement NetFlow? (page 2)
• Understanding Flows (page 4)
• Configuring NetFlow on the Enterasys S-Series, N-Series, and K-Series Modules (page 6)
• Configuring NetFlow on the X-Series Router (page 11)
• Terms and Definitions (page 14)
• NetFlow Version 5 Record Format (page 14)
• NetFlow Version 9 Templates (page 15)

What Is NetFlow?
NetFlow is a flow based data collection protocol that provides information about the packet flows being sent over a network. NetFlow collects data by identifying unidirectional IP packet flows between a single source IP address/port and a single destination IP address/port, using the same Layer 3 protocol and values found in a fixed set of IP packet fields for each flow. NetFlow collects identified flows and exports them to a NetFlow collector. Up to four NetFlow collectors can be configured on a supported device. A NetFlow management application retrieves the data from the collector for analysis and report generation.

Why Would I Use It in My Network?


Standard system feedback is simply not granular enough to provide for such network requirements as planning, user or application monitoring, security analysis, and data mining. For example, because of its ability to identify and capture network flows, NetFlow:
• Provides a means to profile all flows on your network over a period of time. A network profile provides the granularity of insight into your network necessary for such secure network functionality as establishing roles with policy and applying QoS to policy.
• Provides a means of isolating the source of DoS attacks, allowing you to quickly respond with a policy, ACL, QoS change, or all of these to defeat the attack.
• Can identify the cause of an intermittently sluggish network. Knowing the cause allows you to determine whether it is an unexpected, but legitimate, network usage that might be rescheduled for low usage time blocks, or maybe an illegitimate usage of the network that can be addressed by speaking to the user.
• Can look into the flows that transit the network links, providing a means of verifying whether QoS and policy configurations are appropriately configured for your network.
• Can understand your network's flow characteristics, allowing for better planning when transitioning to new applications or services.

May 18, 2011
Page 1 of 21

How Can I Implement NetFlow?


Having a profile of captured flows that transit your network over time is a crucial first step in implementing a secure network. This NetFlow profile provides you with a good understanding of the actual group and individual behaviors that make up the roles you set by policy and to which you apply QoS. A profile can also be very helpful during network planning exercises, such as projecting how a network might react to the introduction of a new application prior to actual implementation. Figure 1 illustrates an example of a NetFlow network profile setup.


Figure 1  NetFlow Network Profile Example

[Figure: "Profile Your Network Using NetFlow". The top of the figure shows an abbreviated sample of captured flow records, one row per independent flow:
  SrcIf Ge.1.1, SrcIPadd 173.100.21.2, DstIf Ge.1.5, DstIPadd 10.0.277.12, Protocol TCP, TOS 0x20, SPrt 4967, DPrt 80 (HTTP Flow)
  SrcIf Ge.1.1, SrcIPadd 173.100.21.2, DstIf Ge.1.3, DstIPadd 20.0.100.10, Protocol UDP, TOS 0xA0, SPrt 6234, DPrt SIP (Voice over IP)
  SrcIf Ge.1.1, SrcIPadd 173.100.21.2, DstIf Ge.1.7, DstIPadd 20.0.100.50, Protocol TCP, TOS 0x00, SPrt 21, DPrt 4623 (...)
The diagram below the records is labelled: Independent Flows; Flows captured and cached at ingress port; Enable NetFlow (on each switch around the LAN Cloud); NetFlow Collector IP Address 10.10.0.1; NetFlow export packets sent to the collector/management application based upon a flow expiration criteria; Management Application Installed.]

To complete a NetFlow network profile, enable NetFlow on all ports where packet flows aggregate. At the top of Figure 1 you will find an abbreviated sample of the independent flow records that are captured at each NetFlow enabled port. These flow records will be retained locally in a cache until a flow expiration criteria has been met. As shown, when one of the flow expiration criteria is met, NetFlow export packets are then sent to the NetFlow collector server(s), where a collector and management application has been installed. The management application will process the records and generate useful reports. These reports provide you with a clear picture of the flows that traverse your network, based upon such data points as source and destination address, start and end time, application, and packet priority.

The following steps provide a high level overview of a NetFlow implementation:
1. Determine the business or network purpose of the information NetFlow will provide you.
2. Choose up to four collectors and a management application, such as Enterasys SIEM or NetSight Release 4.1 or higher, best suited for the purpose for which you are collecting the data. Install the application on the NetFlow collector server(s).
3. Identify the paths used by the data to be collected by NetFlow.
4. Identify the choke point interfaces where the IP packet flows you want NetFlow to capture aggregate.
5. Enable NetFlow on the identified interfaces.
6. Identify up to four NetFlow collector servers by configuring the IP address for each collector.
7. Use the data reporting generated by the NetFlow management application to address the purpose determined in step 1.

Understanding Flows
The concept of a flow is critical to understanding NetFlow. A flow is a stream of IP packets in which the values of a fixed set of IP packet fields are the same for each packet in the stream. A flow is identified by a set of key IP packet fields found in the flow. Each packet containing the same value for all key fields is considered part of the same flow, until flow expiration occurs. If a packet is viewed with any key field value that is different from any current flow, a new flow is started based upon the key field values for that packet. The NetFlow protocol will track a flow until an expiration criteria has been met, up to a configured number of current flows.

The data captured for each flow is different, based on the NetFlow export version format supported by the network device. This data can include such items as packet count, byte count, destination interface index, start and end time, and next hop router. See NetFlow Version 5 Record Format on page 14 for NetFlow Version 5 template data field descriptions and NetFlow Version 9 Templates on page 15 for NetFlow Version 9 template data field descriptions.

Flow Expiration Criteria

Flow data records are not exported by the network switch to the NetFlow collector(s) until expiration takes place. There are two timers that affect flow expiration: the NetFlow active and inactive timers.

The active timer determines the maximum amount of time a long lasting flow will remain active before expiring. When a long lasting active flow expires, due to the active timer expiring, another flow is immediately created to continue the ongoing flow. It is the responsibility of the management application on the NetFlow collector to rejoin these multiple flows that make up a single logical flow. The active timer is configurable in the CLI (see Configuring the Active Flow Export Timer on page 7).

The inactive timer determines the length of time NetFlow waits before expiring a given flow once that flow has stopped. The inactive timer is a fixed value of 40 seconds and cannot be configured.

Rules for expiring NetFlow cache entries include:
• Flows which have been idle for 40 seconds (fixed value in firmware) are expired and removed from the cache.
• Long lived flows are expired and removed from the cache. (Flows are not allowed to live more than 30 minutes by default; the underlying packet conversation remains undisturbed.)
• Flows associated with an interface that has gone down are automatically expired.


Figure 2 provides a graphic depiction of how these timers interact. Flows 1 and 3 show a single long lasting logical flow. Flow 1 times out and expires at 30 minutes, the active timer length. Because the flow expires, an export packet is sent to the NetFlow collector. Flow 3 continues this long lasting flow for another 10 minutes. At time 40 minutes the flow ends. The 40 second inactive timer initiates and expires at 40 minutes and 40 seconds, resulting in an export packet to the NetFlow collector for flow 3. At the NetFlow collector, the management application joins the two flows into a single logical flow for purposes of analysis and reporting.

Flow 2 is a 7.5 minute flow that never expires the active timer. It begins at 2.5 minutes and ends at 10 minutes. At 10 minutes the inactive timer commences and expires the flow at 10 minutes and 40 seconds. At this time, NetFlow sends an export packet for the flow to the NetFlow collector for processing.

Figure 2  Flow Expiration Timers

[Figure: "Flow Expiration" timeline of Flows 1, 2 and 3 against time. Flow 1 expires at 30 min. Flow 2 runs from 2.5 min to 10 min and expires at 10 min 40 sec. Flow 3 runs from 30 min to 40 min and expires at 40 min 40 sec. Legend: "Flow has expired and export packet sent"; "Flow has stopped, start of inactivity timer".]
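The cache expiration rules and the Figure 2 timeline above, as an added Python simulation that is not Enterasys firmware or collector code: it applies the fixed 40 second inactive timer, the configurable active timer (30 minute default), and the interface-down rule, then shows the collector-side rejoin of a split flow. The flow key fields, packet timings and addresses are constructed for illustration.

```python
# Added simulation of the NetFlow cache expiration rules (not Enterasys code); times in seconds.
from dataclasses import dataclass
from typing import Dict, List, Tuple

INACTIVE_TIMEOUT = 40             # fixed in firmware, not configurable
DEFAULT_ACTIVE_TIMEOUT = 30 * 60  # default of "set netflow export-interval"

# Key fields assumed here: src IP, dst IP, protocol, src port, dst port, TOS, ingress ifIndex
FlowKey = Tuple[str, str, int, int, int, int, int]

@dataclass
class FlowRecord:
    key: FlowKey
    first: int       # time of first packet
    last: int        # time of most recent packet
    packets: int = 0
    octets: int = 0

@dataclass
class ExportRecord:
    key: FlowKey
    first: int
    last: int
    packets: int
    octets: int
    reason: str      # "inactive", "active" or "ifdown"

class NetFlowCache:
    """Per-system cache: one entry per key until an expiration rule fires."""

    def __init__(self, active_timeout: int = DEFAULT_ACTIVE_TIMEOUT, max_flows: int = 1024):
        self.active_timeout = active_timeout
        self.max_flows = max_flows
        self.cache: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[ExportRecord] = []  # stands in for the export packets

    def _expire(self, key: FlowKey, reason: str) -> None:
        r = self.cache.pop(key)
        self.exported.append(ExportRecord(r.key, r.first, r.last, r.packets, r.octets, reason))

    def tick(self, now: int) -> None:
        """Apply the idle (40 s) and long-lived (active timer) rules at time now."""
        for key, r in list(self.cache.items()):
            if now - r.last >= INACTIVE_TIMEOUT:
                self._expire(key, "inactive")
            elif now - r.first >= self.active_timeout:
                self._expire(key, "active")  # the underlying conversation continues

    def packet(self, now: int, key: FlowKey, length: int) -> bool:
        """Account one packet; False means the cache is full and the flow is not tracked."""
        self.tick(now)
        r = self.cache.get(key)
        if r is None:
            if len(self.cache) >= self.max_flows:
                return False
            r = self.cache[key] = FlowRecord(key, now, now)
        r.last, r.packets, r.octets = now, r.packets + 1, r.octets + length
        return True

    def interface_down(self, ifindex: int) -> None:
        """Third rule: flows on an interface that went down are expired at once."""
        for key in [k for k in self.cache if k[6] == ifindex]:
            self._expire(key, "ifdown")

def rejoin(exported: List[ExportRecord]) -> List[ExportRecord]:
    """Collector-side step: merge records the active timer split from one logical flow."""
    logical: List[ExportRecord] = []
    pending: Dict[FlowKey, ExportRecord] = {}
    for rec in exported:
        prev = pending.pop(rec.key, None)
        if prev is not None:
            rec = ExportRecord(rec.key, prev.first, rec.last, prev.packets + rec.packets,
                               prev.octets + rec.octets, rec.reason)
        if rec.reason == "active":
            pending[rec.key] = rec       # more of this flow is still to come
        else:
            logical.append(rec)
    logical.extend(pending.values())     # flows still running when the data ended
    return logical

def simulate_figure2(active_timeout: int = DEFAULT_ACTIVE_TIMEOUT) -> List[ExportRecord]:
    """Drive the Figure 2 scenario: one flow from 0 to 40 min, one from 2.5 to 10 min, 1 packet/s."""
    cache = NetFlowCache(active_timeout)
    long_key = ("173.100.21.2", "10.0.27.12", 6, 4967, 80, 0x20, 1)      # constructed HTTP flow
    short_key = ("173.100.21.2", "20.0.100.10", 17, 6234, 5060, 0xA0, 1)  # constructed SIP flow
    for t in range(0, 45 * 60 + 1):
        cache.tick(t)
        if t <= 40 * 60:
            cache.packet(t, long_key, 1500)
        if 150 <= t <= 600:
            cache.packet(t, short_key, 200)
    return cache.exported

if __name__ == "__main__":
    for e in simulate_figure2():
        print(f"{e.reason:8s} {e.first:4d}-{e.last:4d}s packets={e.packets}")
```

Running it yields three export records (flow 2 at 10:40, flow 1 at 30:00, flow 3 at 40:40) which rejoin() collapses to two logical flows.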

Deriving Information from Collected Flows


On each collection server, a NetFlow collector application correlates the received records and prepares them for use by the NetFlow management application. (In some cases the collector and management applications are bundled in a single application.) The management application retrieves the flow records, combines flows that were broken up due to expiration rules, and aggregates flows based upon common values, before processing the data into useful reports viewable by the network administrator.

Correlated reports can be the basis for such information categories as:
• Understanding who is originating and receiving the traffic
• Characterizing the applications that are utilizing the traffic
• Examining flows by priority
• Characterizing traffic utilization by device
• Examining the amount of traffic per port

Configuring NetFlow on the Enterasys S-Series, N-Series, and K-Series Modules


The S-Series, N-Series (Gold, Platinum, and Diamond), and K-Series modules all support NetFlow. NetFlow is disabled by default on all devices at device startup.

This section covers the following NetFlow configuration topics:
• Enterasys NetFlow Implementation
• Configuring the Active Flow Export Timer
• Configuring the NetFlow Collector IP Address
• Configuring the NetFlow Export Version
• Configuring NetFlow Export Version Refresh
• Configuring a NetFlow Port
• Configuring the NetFlow Cache
• Displaying NetFlow Configuration and Statistics

Enterasys NetFlow Implementation


The S-Series, N-Series, and K-Series architectures provide a powerful mechanism for collecting network flow statistics, with reporting capacity that scales with the addition of each module. For each flow, packet and byte count statistics are collected by the module's forwarding hardware. The flow report generation logic is distributed, permitting each module to report flows on its own ports.

The NetFlow implementation enables the collection of NetFlow data on both switched and routed frames, allowing modules in all areas of a network infrastructure to collect and report flow data. Routing does not need to be enabled to utilize NetFlow data collection. Flow detail depends on the content of the frame and the path the frame takes through the switch.

NetFlow can be enabled on all ports on a system, including fixed front panel ports, LAG ports, and NEM ports. Router interfaces which map to VLANs may not be enabled directly.

NetFlow records are generated only for flows for which a hardware connection has been established. As long as the network connection exists (and NetFlow is enabled), NetFlow records will be generated. Flows that are switched in firmware (soft forwarded) will not have NetFlow records reported. For flows that are routed, the firmware reports the source and destination ifIndexes as the physical ports, not routed interfaces.

In the case of a LAG port, the module(s) that the physical ports are on will generate NetFlow records independently. They will, however, report the source ifIndex as the LAG port. The Flow Sequence Counter field in the NetFlow Header is unique per module. The Engine ID field of the NetFlow Header is used to identify each unique module.

NetFlow requires a minimum of 256 MB of memory in all modules in a chassis running 5.41.xx firmware and above to enable NetFlow.


Configuring the Active Flow Export Timer


The active flow export timer, also referred to as the export interval, sets the maximum amount of time an active flow will be allowed to continue before expiration for this system. Should the active timer expire and the flow terminate, the underlying flow continues as a separate flow. It is the responsibility of the management application to recognize the multiple flows as a single logical flow for analysis and reporting purposes. The active flow export timer defaults to 30 minutes.

Notes: Some NetFlow management applications expect to see export packets prior to some set interval that is often as low as 1 minute. Check the documentation for your management application and make sure that the export interval is configured for a value that does not exceed that value.

Use the set netflow export-interval command to change the active flow export timer value for each system.
Use the clear netflow export-interval command to reset the active flow export timer to its default value.

Configuring the NetFlow Collector IP Address


Expired NetFlow records are bundled into NetFlow export packets and sent to the NetFlow collector using the UDP protocol. Configuring the IP address of the NetFlow collector destination determines where expired NetFlow records for this system are sent. Up to four NetFlow collectors may be configured for each system. Multiple systems may be configured for one or more NetFlow collectors. You can optionally specify the UDP port to be used on the NetFlow collector. By default, no NetFlow collector is configured on a system.

If you attempt to enter five collector destinations, the following error displays:
Set failed. If previously configured, you must "clear netflow export-destination" first.

This message indicates that you have configured the maximum number of export destinations for the device. Remove a configured export destination using the clear netflow export-destination ip-address command before adding an additional export destination.
Use the set netflow export-destination command to configure the IP address of a NetFlow collector for this system and optionally set the UDP port.
Use the clear netflow export-destination command to clear the specified NetFlow collector configuration.

Configuring the NetFlow Export Version


The Enterasys S-Series, N-Series, and K-Series platforms support NetFlow export versions 5 and 9. The default export version is 5.

The primary difference between the two versions is that version 5 is a fixed data record without multicast support, whereas version 9 is a flexible, extensible, template based data record that provides the complete ifIndex value and 64-bit counters.

With NetFlow version 5, packets are made up of a series of data records and are exported to the collection server when the maximum number of NetFlow records is reached.


When transmitting NetFlow Version 5 reports, the module uses NetFlow interface indexes. Normally these would be actual MIB-2 ifIndex values, but the Version 5 record format limits the values to 2 bytes, which is not sufficient to hold 4-byte ifIndexes. NetFlow collector applications that use the in/out interface indexes to gather SNMP data about the interface (such as ifName) must translate the interface indexes using the Enterasys MIB etsysNetFlowMIB (1.3.1.6.1.4.1.5624.1.2.61).

With NetFlow version 9, packets are made up of templates containing a set of data records. Templates are sent after the period configured for the template timeout when a module or collection server first boots up. Data records for version 9 cannot be processed without an up-to-date template. Collectors ignore incoming packets until a template arrives. Templates are refreshed periodically based upon a packet refresh rate and timeout period. Setting the appropriate refresh rate for your system must be determined, since the default settings of a 20 packet refresh rate and a 30 minute timeout may not be optimal for your environment. See Configuring NetFlow Export Version Refresh on page 8.

NetFlow Version 9 records generated by modules use true MIB-2 ifIndex values since the template mechanism permits transmission of 4-byte ifIndexes. Version 9 also uses 8-byte packet and byte counters, so they are less likely to roll over. Check with your collector provider to determine if they provide the necessary support.

The current Enterasys Version 9 implementation:
• Does not support aggregation caches.
• Provides 15 IPv4 and 15 IPv6 predefined templates. The S-Series firmware automatically selects the appropriate template for each flow depending on whether the flow is routed or switched, whether it is a TCP/UDP packet or not, and contains fields appropriate to the data records supported in the template. See Table 6 on page 216 for a listing of the header fields supported by the NetFlow Version 9 templates. See Table 7 on page 217 for a listing of the base data record fields supported by all NetFlow Version 9 templates. See Table 8 on page 217 for a listing of the additional template specific data record fields supported by the NetFlow Version 9 templates. See Table 9 on page 218 for a listing of IPv4 and IPv6 Version 9 NetFlow templates by template ID and description.

Use the set netflow export-version {5 | 9} command to set the NetFlow export version.
Use the clear netflow export-version command to reset the export version to the default value of Version 5.
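The Version 5 limits described above (2-byte interface indexes, 32-bit counters, per-module Flow Sequence Counter and Engine ID), as an added Python example that is not Enterasys code: it packs and parses a v5 export packet using the public v5 layout (24-byte header, 48-byte records, at most 30 records per packet), refuses values the fixed fields cannot carry, and tracks the sequence counter per engine to count lost records. The addresses, ports, engine ID and counts are constructed sample values.

```python
# Added example (not Enterasys code): build and parse NetFlow v5 export packets, public v5 layout.
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
MAX_RECORDS = 30                                       # records per v5 packet

@dataclass
class V5Record:
    src: str
    dst: str
    nexthop: str
    in_if: int      # 2-byte NetFlow interface index, not a full 4-byte MIB-2 ifIndex
    out_if: int
    packets: int    # 32-bit counters in v5 (v9 widens these to 64 bits)
    octets: int
    first: int      # sysUpTime (ms) at first and last packet of the flow
    last: int
    sport: int
    dport: int
    proto: int
    tos: int
    tcp_flags: int = 0

def _check(name: str, value: int, bits: int) -> None:
    """Refuse values the fixed v5 field cannot carry instead of silently truncating them."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit the {bits}-bit v5 field")

def build_v5_packet(records: List[V5Record], sys_uptime: int, unix_secs: int,
                    flow_seq: int, engine_id: int, engine_type: int = 0) -> bytes:
    """Pack a header plus up to 30 records; flow_seq is this engine's running record count."""
    if len(records) > MAX_RECORDS:
        raise ValueError("a v5 packet carries at most 30 records")
    out = [V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, flow_seq, engine_type, engine_id, 0)]
    for r in records:
        _check("in_if", r.in_if, 16)
        _check("out_if", r.out_if, 16)
        _check("packets", r.packets, 32)
        _check("octets", r.octets, 32)
        out.append(V5_RECORD.pack(
            IPv4Address(r.src).packed, IPv4Address(r.dst).packed, IPv4Address(r.nexthop).packed,
            r.in_if, r.out_if, r.packets, r.octets, r.first, r.last, r.sport, r.dport,
            0, r.tcp_flags, r.proto, r.tos, 0, 0, 0, 0, 0))
    return b"".join(out)

def parse_v5_packet(data: bytes) -> Tuple[Dict[str, int], List[V5Record]]:
    """Collector side: validate the header and length, then unpack every record."""
    if len(data) < V5_HEADER.size:
        raise ValueError("packet shorter than the v5 header")
    version, count, uptime, secs, _nsecs, seq, etype, eid, _sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("packet length does not match the record count")
    header = {"count": count, "sys_uptime": uptime, "unix_secs": secs,
              "flow_seq": seq, "engine_type": etype, "engine_id": eid}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(V5Record(str(IPv4Address(f[0])), str(IPv4Address(f[1])), str(IPv4Address(f[2])),
                                f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10], f[13], f[14], f[12]))
    return header, records

def check_sequence(state: Dict[int, int], header: Dict[str, int]) -> int:
    """Return the number of records lost from this engine since its previous packet.
    The sequence counter is unique per module (engine ID), so gaps are tracked per engine."""
    eid = header["engine_id"]
    expected = state.get(eid)
    missed = 0 if expected is None else (header["flow_seq"] - expected) & 0xFFFFFFFF
    state[eid] = (header["flow_seq"] + header["count"]) & 0xFFFFFFFF
    return missed

if __name__ == "__main__":
    # constructed sample: one HTTP flow reported by module (engine) 3
    rec = V5Record("173.100.21.2", "10.0.27.12", "0.0.0.0", 5, 9, 12, 9000, 1000, 5000, 4967, 80, 6, 0x20, 0x18)
    hdr, recs = parse_v5_packet(build_v5_packet([rec], 60000, 1305676800, 100, 3))
    print(hdr, recs[0])
```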

Configuring NetFlow Export Version Refresh


Version 9 template records have a limited lifetime and must be periodically refreshed. Templates are retransmitted when either:
• the packet refresh rate is reached, or
• the template timeout is reached.

Template refresh based on the timeout period is performed on every module. Since each module handles its own packet transmissions, template refresh based on number of export packets sent is managed by each module independently.

The refresh rate defines the maximum delay a new or restarted NetFlow collector would experience, before it learns the format of the data records being forwarded (from the template referenced by the data records). Refresh rates affect NetFlow collectors during their startup. Collectors must ignore incoming data flow reports until the required template is received.


The default behavior is for the template to be sent after 20 flow report packets are sent. Since data record packets are sent out per flow, a long FTP flow may cause the template timeout timer to expire before the maximum number of packets are sent. In any case a refresh of the template is sent at timeout expiration as well.

Setting the appropriate refresh rate for your system must be determined, because the default settings of a 20 flow report refresh rate and a 30 minute timeout may not be optimal for your environment. For example, a switch processing an extremely slow flow rate of, say, 20 flow reports per half hour, would refresh the templates only every half hour using the default settings, while a switch sending 300 flow report packets per second would refresh the templates 15 times per second.

Enterasys recommends that you configure your system so it does not refresh templates more often than once per second.

Use the set netflow template command to set the NetFlow export template refresh rate and timeout for this system.
Use the clear netflow template command to reset the NetFlow export template refresh rate and timeout to the default values.

Configuring a NetFlow Port


NetFlow records are only collected on ports that are enabled for NetFlow.

Use the set netflow port enable command to enable NetFlow on the specified ports.

Use either the set netflow port disable command or the clear netflow port command to disable NetFlow on the specified ports.

Use the clear netflow port command to set the port to the default value of disabled.

Configuring the NetFlow Cache


Enabling the NetFlow cache globally enables NetFlow on all modules for this system. When NetFlow recognizes a new flow on the ingress port, it creates a NetFlow record for that flow. The NetFlow record resides in the NetFlow cache for that port until an expiration event is triggered for that flow, at which time it is sent, along with other expired flows, in an export packet to the NetFlow collector for processing.

Use the set netflow cache enable command to enable NetFlow on this system.

Use the set netflow cache disable command to globally disable NetFlow on this system.

Use the clear netflow cache command to reset the NetFlow cache to the default value of disabled for this module.

Configuring Optional NetFlow Export Data


The export of optional source and destination MAC address and VLAN ID data is disabled by default. Including these export data options in the flow record makes the record larger and results in fewer records per exported packet.

If the mac option is enabled, both incoming source and destination MAC addresses are included in the export data for the collector.


If the vlan option is enabled, VLANs associated with both the ingress and egress interfaces are included in the export data for the collector.

Use the set netflow export-data enable {mac | vlan} command to enable either the MAC or VLAN export data.

Use the set netflow export-data disable {mac | vlan} command to disable either the MAC or VLAN export data.

Use the clear netflow export-data command to reset both MAC and VLAN optional export data configuration to the default value of disabled.

Displaying NetFlow Configuration and Statistics


Use the show netflow command to display the current configuration and export statistics for this system.

Use the show netflow config port-string command to display the NetFlow configuration for a single port or a set of ports.

Use the show netflow statistics export command to display export statistics for this system.

Procedure 1 provides a CLI example of a NetFlow setup. Steps 1-3 are required. Steps 4-7 are optional depending upon the needs of your configuration.

Procedure 1 Configuring NetFlow on S-Series, N-Series, and K-Series Systems

Step 1. Enable NetFlow collection on the specified port.
    System(rw)->set netflow port port_string enable

Step 2. Configure up to four NetFlow collector destination servers for this system. One server is configured per command.
    System(rw)->set netflow export-destination ip-address [udp-port]

Step 3. Globally enable the NetFlow cache for this system.
    System(rw)->set netflow cache enable
    Verify the required NetFlow configuration.
    System(rw)->show netflow

Step 4. Optionally, modify the active flow timer value for this system.
    System(rw)->set netflow export-interval interval

Step 5. Optionally, change the NetFlow record format between version 5 and version 9 for this system.
    System(rw)->set netflow export-version version

Step 6. If using version 9, optionally modify the number of export packets sent that cause a template to be retransmitted by an individual module and/or the length of the timeout period, in minutes, after which a template is retransmitted by all modules in the system.
    System(rw)->set netflow template {[refresh-rate packets] [timeout minutes]}

Step 7. Optionally, enable NetFlow Version 9 optional MAC and VLAN export data.
    System(rw)->set netflow export-data {enable | disable} {mac | vlan}

Step 8. Verify any configuration changes made.
    System(rw)->show netflow config


Default NetFlow Settings for S-Series, N-Series, and K-Series Systems


Table 1 provides a listing of the default NetFlow configuration settings for S-Series, N-Series, and K-Series systems.

Table 1 Default NetFlow Configuration Settings for S-Series and N-Series Systems

Cache Status
    Description: Whether NetFlow caching is globally enabled or disabled.
    Default Value: Disabled globally

Destination IP address
    Description: The IP address of the NetFlow collector which is the destination of the NetFlow UDP packets.
    Default Value: None

Export Interval
    Description: The time out interval when the NetFlow cache is flushed and the data is exported, if the maximum number of entries has not been reached.
    Default Value: 30 minutes

Export Version
    Description: The NetFlow flow record format used when exporting NetFlow packets. Version can be either 5 or 9.
    Default Value: Version 5

Inactive flow timer
    Description: The number of seconds after a flow stops before NetFlow sends an export packet for that flow to the collector.
    Default Value: 40 seconds (non-configurable)

Optional Export Data
    Description: The exporting of MAC and VLAN data by source and destination address.
    Default Value: Disabled

Port state
    Description: Whether NetFlow is enabled or disabled on a port.
    Default Value: Disabled

Refresh-rate
    Description: The number of export packets sent before NetFlow retransmits a template to the collector when using NetFlow Version 9.
    Default Value: 20 export packets

Timeout-period
    Description: When using NetFlow Version 9, the number of minutes NetFlow waits before retransmitting a template to the collector.
    Default Value: 30 minutes

Configuring NetFlow on the X-Series Router


On the X-Series router, NetFlow classification and caching are performed on the Input/Output Modules (IOMs), while NetFlow export functionality is performed on the Control Module (CM). Packets are sampled at ingress at the rate configured for the whole system with the set sampling-rate command (see Procedure 2 on page 12). The IOMs classify the sampled packets into flows, update NetFlow counters, and determine the end of the flows. The IOMs send flow data to the CM for export when the configured export interval time expires (default is 30 minutes) or when the cache is full.

The NetFlow export process on the CM gathers any further data needed to complete the data record format for the configured NetFlow version and sends the flow records to the configured NetFlow collector. Note that only one NetFlow export destination (collector) can be configured per X-Series system.

NetFlow can be enabled on any port on the X-Series router.


The X-Series router currently supports data export Version 1 and Version 5. CLI commands are provided to configure certain record format values required for Version 5, such as engine ID and engine type.

You must configure a NetFlow export destination before you can enable NetFlow globally or on any ports. NetFlow will start sampling packets after you enable NetFlow globally and on the desired ports.

Procedure 2 Configuring NetFlow on X-Series Router Systems

Step 1. Optionally, check the current NetFlow configuration settings and sampling rate.
    show netflow config

Step 2. Optionally, change the sampling rate for packets.
    set sampling-rate number

Step 3. Configure the NetFlow collector destination. You cannot enable NetFlow globally or on ports until an export destination has been configured.
    set netflow export-destination ip-address [udp-port]

Step 4. Configure the administrative interface used as the source IP address of the exported NetFlow packets.
    set netflow interface port-string

Step 5. Configure the NetFlow flow record version to be used for the flow data packets. Version 5 is the default. Optionally, also configure the BGP AS address type. Default is peer-as.
    set netflow export version {1 | 5} [origin-as | peer-as]

Step 6. If using Version 5, configure the engine ID and engine type.
    set netflow engine-id engine-id type engine-type

Step 7. Optionally, configure the export interval. The default is 30 minutes.
    set netflow export-interval min

Step 8. Optionally, configure the maximum number of flows that can be saved into the cache. The default is 64 KB.
    set netflow entries max-num

Step 9. Enable NetFlow globally.
    set netflow cache enable

Step 10. Enable NetFlow on the desired ports.
    set netflow port port-string enable

Disabling NetFlow
To disable NetFlow on a port, use either of the following commands:

set netflow port port-string disable
clear netflow port port-string

When you disable NetFlow on a port, NetFlow will stop sampling and the current flow data will be exported when the export timeout interval expires.

To disable NetFlow globally, use either of the following commands:

set netflow cache disable
clear netflow all


When you execute the clear netflow all command, all NetFlow settings are returned to their default condition. In the case of the global NetFlow cache setting, the default is disabled.

Displaying NetFlow Information


To display the current NetFlow configuration settings:
show netflow config

To display NetFlow statistics on a per-port basis:
show netflow statistics port-string

To display flow counters for the currently cached NetFlow information, on a system-wide or IOM-specific basis:
show netflow cache-flow [slot-id]

Default NetFlow Settings for the X-Series Router


Table 2 provides a listing of the default NetFlow settings for the X-Series Router.

Table 2 Default NetFlow Settings for the X-Series Router

Cache Status
    Description: Whether NetFlow caching is globally enabled or disabled.
    Default Value: Disabled globally

Sampling Rate
    Description: The rate at which packets are captured, or sampled. 100 indicates that 1 in 100 packets is captured.
    Default Value: 100

Engine ID
    Description: The ID number of the flow switching engine. This ID is required by NetFlow export version 5 format.
    Default Value: 0

Engine Type
    Description: The type of flow switching engine. This value is required by NetFlow export version 5 format.
    Default Value: 0

Administrative Interface
    Description: This is the interface used for the source IP address of the exported NetFlow UDP datagrams.
    Default Value: eth0

Destination IP
    Description: The IP address of the NetFlow collector which is the destination of the NetFlow UDP packets.
    Default Value: None

Destination UDP port
    Description: The UDP port on the NetFlow collector.
    Default Value: 2055

Export Version
    Description: The NetFlow flow record format used when exporting NetFlow packets. Version can be either 1 or 5.
    Default Value: Version 5

Export Interval
    Description: The time out interval when the NetFlow cache is flushed and the data is exported, if the maximum number of entries has not been reached.
    Default Value: 30 minutes

Export AS
    Description: Whether the BGP AS addresses are origin or peer. BGP AS addresses are not supported by Version 1.
    Default Value: peer AS

Number of Entries
    Description: The maximum number of flows saved into the cache.
    Default Value: 84 KB

Port state
    Description: Whether NetFlow is enabled or disabled on a port.
    Default Value: Disabled


Terms and Definitions


Table 3 lists terms and definitions used in this NetFlow configuration discussion.

Table 3 NetFlow Configuration Terms and Definitions

Active Flow Timer
    A timer which specifies the maximum amount of time a flow may stay active. The ongoing flow continues to be tracked as a separate flow. It is the management application's responsibility to join these flows for analysis/reporting purposes.

Flow
    A stream of IP packets that has not yet met an expiration criteria, in which the value of a set of key fields is the same for each packet in the stream.

Flow Record
    A capture of information pertaining to a single flow within the NetFlow Cache based upon data type values supported by the NetFlow version format/template.

Inactive Flow Timer
    A timer that determines how long a flow for which no packets are being received remains active.

NetFlow Cache
    Contains the flow records for all currently active flows.

NetFlow Collector
    A location where a condensed and detailed history of flow information that entered each NetFlow-enabled switch or router is archived for use by the NetFlow management application.

NetFlow Export
    A transport mechanism that periodically (based upon a timer or the number of flows accumulated in the cache) sends NetFlow data from the cache to a NetFlow collector for data analysis.

NetFlow Export Packet
    A packet of flow records or version 9 templates (or both) that is periodically sent to the NetFlow collector based upon an export criteria.

NetFlow Management Application
    Enterasys SIEM, NetSight Release 4.1 and higher, or third-party software application(s) installed on the NetFlow collector, with client or browser access from a PC, capable of data reduction, monitoring, analysis, and/or troubleshooting specific to the purpose you are using NetFlow.

NetFlow Version
    Primarily determines the data types supported and whether the format is fixed or in an extensible template.

NetFlow Version 5 Record Format


Table 4 provides a listing and description for the NetFlow Version 5 header fields. Table 5 provides a listing and description for NetFlow Version 5 data record fields. The contents of these data fields are used by the collector software application for flow analysis. Data fields are identified in the data record packet sent by the network switch to the collector. The data records contain the values specified by the format.

Table 4 NetFlow Version 5 Template Header and Data Field Support

NetFlow Version 5 Header
Data Field            Field Contains
count                 Number of flows exported in this packet (1-30).
sys_uptime            Current time in milliseconds since the export device booted.
unix_secs             Current count of seconds since 0000 UTC 1970.
unix_nsecs            Residual nanoseconds since 0000 UTC 1970.
flow_sequence         Sequence counter of total flows seen.
engine_type           Type of flow-switching engine.
engine_id             Slot number of the flow-switching engine.
sampling_interval     First two bits hold the sampling mode; remaining 14 bits hold value of sampling interval.

Table 5 NetFlow Version 5 Data Record Field Format

NetFlow Version 5 Data Record Format
Data Field    Field Contains
srcaddr       Source IP address of the device that transmitted the packet.
dstaddr       IP address of the destination of the packet.
nexthop       IP address of the next hop router.
input         SNMP index of input interface.
output        SNMP index of output interface.
dPkts         Number of packets in the flow.
dOctets       Total number of Layer 3 bytes in the packets of the flow.
first         SysUptime at start of flow.
last          SysUptime at the time the last packet of the flow was received.
srcport       TCP/UDP source port number or equivalent.
dstport       TCP/UDP destination port number or equivalent.
pad1          Unused (zero) bytes.
tcp_flags     Cumulative OR of TCP flags.
prot          IP protocol type (for example, TCP = 6; UDP = 17).
tos           IP type of service (ToS).
src_as        Autonomous system number of the source, either origin or peer.
dst_as        Autonomous system number of the destination, either origin or peer.
src_mask      Source address prefix mask bits.
dst_mask      Destination address prefix mask bits.
pad2          Unused (zero) bytes.
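The Version 5 layout in Tables 4 and 5, as an added Python example that is not part of the original guide: it decodes an export packet field by field, rejects a packet whose count and length disagree (a collector that trusts the header count alone can be fed truncated data), and splits sampling_interval into its 2-bit mode and 14-bit interval. The leading 2-byte version field, the 24-byte header and 48-byte record sizes, and the sample flows are assumptions from the standard Version 5 layout, not taken from the page.

```python
"""Parser and builder for NetFlow Version 5 export packets (Tables 4 and 5)."""
import struct
from ipaddress import IPv4Address

# Table 4 header (24 bytes, network byte order). The leading 2-byte version
# field is assumed from the standard Version 5 layout; Table 4 does not list it.
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
# Table 5 data record (48 bytes), in the order the table lists the fields.
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
ADDR_FIELDS = ("srcaddr", "dstaddr", "nexthop")
MAX_RECORDS = 30  # Table 4: count is 1-30


def parse_v5_header(data):
    """Decode the header and validate it before any record is trusted."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than a Version 5 header")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack(HEADER_FMT, data[:HEADER_LEN])))
    if hdr["version"] != 5:
        raise ValueError("not a Version 5 packet: version=%d" % hdr["version"])
    if not 1 <= hdr["count"] <= MAX_RECORDS:
        raise ValueError("record count %d outside 1-30" % hdr["count"])
    # Table 4: the first two bits hold the sampling mode, the remaining
    # 14 bits hold the sampling interval.
    hdr["sampling_mode"] = hdr["sampling_interval"] >> 14
    hdr["sampling_interval"] &= 0x3FFF
    return hdr


def parse_v5_record(chunk):
    """Decode one 48-byte data record; addresses come back as dotted quads."""
    rec = dict(zip(RECORD_FIELDS, struct.unpack(RECORD_FMT, chunk)))
    for key in ADDR_FIELDS:
        rec[key] = str(IPv4Address(rec[key]))
    return rec


def parse_v5_packet(data):
    """Return (header, records). The packet length must match the count
    exactly; a truncated or padded packet is rejected rather than guessed at."""
    hdr = parse_v5_header(data)
    expected = HEADER_LEN + hdr["count"] * RECORD_LEN
    if len(data) != expected:
        raise ValueError("length %d does not match count %d (expected %d)"
                         % (len(data), hdr["count"], expected))
    records = [parse_v5_record(data[off:off + RECORD_LEN])
               for off in range(HEADER_LEN, expected, RECORD_LEN)]
    return hdr, records


def is_malformed(data):
    """True if the packet fails any of the checks above."""
    try:
        parse_v5_packet(data)
    except ValueError:
        return True
    return False


def build_v5_packet(flows, sampling_mode=0, sampling_interval=0, **hdr):
    """Pack flows (dicts keyed by RECORD_FIELDS; missing fields default to 0)
    into one export packet. Used here only to construct sample input."""
    if not 1 <= len(flows) <= MAX_RECORDS:
        raise ValueError("a Version 5 packet carries 1-30 records")
    sampling = (sampling_mode << 14) | (sampling_interval & 0x3FFF)
    header = struct.pack(HEADER_FMT, 5, len(flows), hdr.get("sys_uptime", 0),
                         hdr.get("unix_secs", 0), hdr.get("unix_nsecs", 0),
                         hdr.get("flow_sequence", 0), hdr.get("engine_type", 0),
                         hdr.get("engine_id", 0), sampling)
    body = b"".join(
        struct.pack(RECORD_FMT, *[IPv4Address(f[k]).packed if k in ADDR_FIELDS
                                  else f.get(k, 0) for k in RECORD_FIELDS])
        for f in flows)
    return header + body


# Constructed sample: two flows from an exporter in slot 1 with 1-in-100 sampling.
SAMPLE_FLOWS = [
    dict(srcaddr="10.1.2.3", dstaddr="192.0.2.10", nexthop="10.1.2.1",
         input=5, output=9, dPkts=12, dOctets=9600, first=1000, last=4000,
         srcport=51000, dstport=443, tcp_flags=0x1B, prot=6, tos=0,
         src_mask=24, dst_mask=24),
    dict(srcaddr="10.1.2.4", dstaddr="198.51.100.7", nexthop="10.1.2.1",
         input=5, output=9, dPkts=2, dOctets=180, first=2000, last=2100,
         srcport=40000, dstport=53, prot=17, src_mask=24, dst_mask=32),
]
SAMPLE_PACKET = build_v5_packet(SAMPLE_FLOWS, sampling_mode=1, sampling_interval=100,
                                sys_uptime=4000, unix_secs=1305700000,
                                flow_sequence=42, engine_type=0, engine_id=1)

if __name__ == "__main__":
    header, flows = parse_v5_packet(SAMPLE_PACKET)
    print(header)
    for f in flows:
        print(f["srcaddr"], "->", f["dstaddr"], "proto", f["prot"], "dport", f["dstport"])
```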

NetFlow Version 9 Templates


The NetFlow Version 9 implementation supports 15 IPv4 (templates 256 through 271) and 15 IPv6 (templates 272 through 287) Version 9 templates. The templates are Enterasys-defined, supporting data record fields defined in the NetFlow standard. The contents of these data record fields are used by the collector software application for flow analysis. Ten base data record fields are included in all Version 9 templates. Up to an additional seven data record fields are included in the appropriate templates.

The modular switch platform implementation of the NetFlow Version 9 templates is detailed in the following tables:
Table 6 on page 16 provides a listing and description of the supported NetFlow Version 9 header fields
Table 7 on page 17 provides a listing and description of the supported NetFlow Version 9 base data record fields
Table 8 on page 17 provides a listing of the supported additional template-specific data record fields
Table 9 on page 18 provides the template ID and a general description of each modular switch Version 9 template

Table 6 on page 16 details the NetFlow Version 9 template header fields supported by all Version 9 templates.

Table 6 NetFlow Version 9 Template Header Support

NetFlow Version 9 Header Data Field Format
Version
    Description: NetFlow template Version 9
    Templates: All Templates
Flow Record Count
    Description: The total number of records in the export packet, which is the sum of the options flow set records, template flowset records, and data flowset records.
    Templates: All Templates
Sys Up Time
    Description: Time in milliseconds since this device was first booted.
    Templates: All Templates
Unix Seconds
    Description: Time in seconds since 0000 UTC 1970, at which the export packet leaves the exporter.
    Templates: All Templates
Flow Sequence Counter
    Description: Incremental sequence counter of all export packets sent from the exporter. This is an accumulative count that lets the collector know if any packets have been missed.
    Templates: All Templates
Source ID
    Description: Engine Type (1 = Line Card). Engine ID (one-based module slot number).
    Templates: All Templates

Table 7 on page 17 details the NetFlow Version 9 base data record fields supported by Version 9 templates. Base data record fields are supported by all IPv4 and IPv6 Version 9 templates. IPv4-specific data records are only supported by IPv4 templates. IPv6-specific data records are only supported by IPv6 templates.

Table 7 NetFlow Version 9 Template Data Record Field Support

NetFlow Version 9 Base Data Record Fields
SIP
    Description: (Source) IPv4 or IPv6 address of the device that transmitted the packet.
    Templates: 256 - 271 IPv4 addresses; 272 - 287 IPv6 addresses
DIP
    Description: (Destination) IPv4 or IPv6 address of the destination device.
    Templates: 256 - 271 IPv4 addresses; 272 - 287 IPv6 addresses
Dest IfIndex
    Description: MIBII 32-bit ID of the interface on which the packet was transmitted.
    Templates: All templates
Source IfIndex
    Description: MIBII 32-bit ID of the interface on which the packet was received.
    Templates: All templates
Packet Count
    Description: The number of packets switched through this flow.
    Templates: All templates
Byte Count
    Description: The number of bytes switched through this flow.
    Templates: All templates
Start Time
    Description: sysUptime in milliseconds at which the first packet of this flow was switched.
    Templates: All templates
Last Time
    Description: sysUptime in milliseconds at which the last packet of this flow was switched.
    Templates: All templates
IP Protocol
    Description: IP protocol for this flow.
    Templates: All templates
Source TOS
    Description: (Source) Type of service field value for this flow.
    Templates: All templates

Table 8 details the additional NetFlow Version 9 data record fields specific to a given Version 9 template.

Table 8 NetFlow Version 9 Additional Template Specific Data Record Field Support

NetFlow Version 9 Additional Template Specific Data Record Fields
Source MAC
    Description: Source MAC addresses for this flow.
    Templates: IPv4: 257, 259, 261, 263, 265, 267, 269, 271; IPv6: 272, 274, 276, 278, 280, 282, 284, 286
Destination MAC
    Description: Destination MAC addresses for this flow.
    Templates: IPv4: 257, 259, 261, 263, 265, 267, 269, 271; IPv6: 272, 274, 276, 278, 280, 282, 284, 286
Source VLAN
    Description: Source VLAN ID associated with the ingress interface for this flow.
    Templates: IPv4: 258, 259, 262, 263, 266, 267, 270, 271; IPv6: 273, 274, 277, 278, 281, 282, 285, 286
Destination VLAN
    Description: Destination VLAN ID associated with the egress interface for this flow.
    Templates: IPv4: 258, 259, 262, 263, 266, 267, 270, 271; IPv6: 273, 274, 277, 278, 281, 282, 285, 286
Layer 4 Source Port
    Description: TCP/UDP source port numbers (for example, FTP, Telnet, or equivalent).
    Templates: IPv4: 260, 261, 262, 263, 268, 269, 270, 271; IPv6: 275, 276, 277, 278, 283, 284, 285, 286
Layer 4 Destination Port
    Description: TCP/UDP destination port numbers (for example, FTP, Telnet, or equivalent).
    Templates: IPv4: 260, 261, 262, 263, 268, 269, 270, 271; IPv6: 275, 276, 277, 278, 283, 284, 285, 286
Next Hop Router
    Description: Specifies the BGP IPv4 or IPv6 next-hop address.
    Templates: IPv4: 264, 265, 266, 267, 268, 269, 270, 271; IPv6: 279, 280, 281, 282, 283, 284, 285, 286

Table 9 provides a description of each IPv4 and IPv6 NetFlow Version 9 template per template ID.

Table 9 NetFlow Version 9 Templates

IPv4 Version 9 Templates
Template ID  Description
256  Base switch template containing IPv4 base data record entries.
257  Switch and MAC ID template containing IPv4 base data record entries, along with source and destination MAC addresses.
258  Switch and VLAN ID template containing IPv4 base data record entries and source and destination VLAN IDs.
259  Switch, MAC ID, and VLAN ID template containing IPv4 base data record entries, along with source and destination MAC addresses and source and destination VLAN IDs.
260  Switch and Layer 4 port template containing IPv4 base data record entries, along with source and destination Layer 4 ports.
261  Switch, Layer 4 port, and MAC ID template containing IPv4 base data record entries, along with source and destination Layer 4 ports and source and destination MAC addresses.
262  Switch, Layer 4 port, and VLAN ID template containing IPv4 base data record entries, along with source and destination Layer 4 ports and source and destination VLAN IDs.
263  Switch, Layer 4 port, MAC ID, and VLAN ID template containing IPv4 base data record entries, along with source and destination Layer 4 ports, source and destination MAC addresses, and source and destination VLAN IDs.
264  Switch and IPv4 route ID template containing IPv4 base data record entries, along with the route next hop.
265  Switch, IPv4 route ID, and MAC ID template containing IPv4 base data record entries, along with the route next hop and source and destination MAC addresses.
266  Switch, IPv4 route ID, and VLAN ID template containing IPv4 base data record entries, along with the route next hop and source and destination VLAN IDs.
267  Switch, IPv4 next hop, MAC ID, and VLAN ID template containing IPv4 base data record entries, along with the route next hop, source and destination MAC addresses, and source and destination VLAN IDs.
268  Switch, IPv4 route ID, and Layer 4 port template containing IPv4 base data record entries, along with the route next hop and source and destination Layer 4 ports.
269  Switch, IPv4 route ID, Layer 4 port, and MAC ID template containing IPv4 base data record entries, along with the route next hop, source and destination Layer 4 ports, and source and destination MAC addresses.
270  Switch, IPv4 next hop, Layer 4 port, and VLAN ID template containing IPv4 base data record entries, along with the route next hop, source and destination Layer 4 ports, and source and destination VLAN IDs.
271  Switch, IPv4 next hop, Layer 4 port, MAC ID, and VLAN ID template containing IPv4 base data record entries, along with the IPv4 next hop, source and destination Layer 4 ports, source and destination MAC addresses, and source and destination VLAN IDs.

IPv6 Version 9 Templates
Template ID  Description
272  Base switch template containing IPv6 base data record entries.
273  Switch and MAC ID template containing IPv6 base data record entries, along with source and destination MAC addresses.
274  Switch and VLAN ID template containing IPv6 base data record entries and source and destination VLAN IDs.
275  Switch, MAC ID, and VLAN ID template containing IPv6 base data record entries, along with source and destination MAC addresses and source and destination VLAN IDs.
276  Switch and Layer 4 port template containing IPv6 base data record entries, along with source and destination Layer 4 ports.
277  Switch, Layer 4 port, and MAC ID template containing IPv6 base data record entries, along with source and destination Layer 4 ports and source and destination MAC addresses.
278  Switch, Layer 4 port, and VLAN ID template containing IPv6 base data record entries, along with source and destination Layer 4 ports and source and destination VLAN IDs.
279  Switch, Layer 4 port, MAC ID, and VLAN ID template containing IPv6 base data record entries, along with source and destination Layer 4 ports, source and destination MAC addresses, and source and destination VLAN IDs.
280  Switch and IPv6 route ID template containing IPv6 base data record entries, along with the route next hop.
281  Switch, IPv6 route ID, and MAC ID template containing IPv6 base data record entries, along with the route next hop and source and destination MAC addresses.
282  Switch, IPv6 route ID, and VLAN ID template containing IPv6 base data record entries, along with the route next hop and source and destination VLAN IDs.
283  Switch, IPv6 next hop, MAC ID, and VLAN ID template containing IPv6 base data record entries, along with the route next hop, source and destination MAC addresses, and source and destination VLAN IDs.
284  Switch, IPv6 route ID, and Layer 4 port template containing IPv6 base data record entries, along with the route next hop and source and destination Layer 4 ports.
285  Switch, IPv6 route ID, Layer 4 port, and MAC ID template containing IPv6 base data record entries, along with the route next hop, source and destination Layer 4 ports, and source and destination MAC addresses.
286  Switch, IPv6 next hop, Layer 4 port, and VLAN ID template containing IPv6 base data record entries, along with the route next hop, source and destination Layer 4 ports, and source and destination VLAN IDs.
287  Switch, IPv6 next hop, Layer 4 port, MAC ID, and VLAN ID template containing IPv6 base data record entries, along with the IPv6 next hop, source and destination Layer 4 ports, source and destination MAC addresses, and source and destination VLAN IDs.


Revision History
Date: May 18, 2011; July 28, 2008; October 15, 2008; January 23, 2009; July 15, 2010; May 18, 2011
Description: First Release. Added Enterasys Registration mark. Corrected Trademarks list. Cosmetic changes only. Updated for S-Series platform. Updated for Release 7.21 changes and K-Series platform.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

2011 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS S-SERIES, ENTERASYS NETSIGHT, LANVIEW, WEBVIEW, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring Power over Ethernet Management


This document provides information about configuring and monitoring Power over Ethernet (PoE) on the PoE-compliant models of the Enterasys N-Series, S-Series, and K-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series and G-Series standalone switches.
Notes: PoE is not supported on Enterasys I-Series or X-Series devices.

For information about...                 Refer to page...
What is PoE?                             1
Why Would I Use PoE in My Network?       1
How Do I Implement PoE?                  2
Configuring PoE                          4

What is PoE?
PoE, defined in IEEE standards 802.3af and 802.3at, refers to the ability to provide 48 Vdc (for 802.3af) or 54 Vdc (for 802.3at) operational power through an Ethernet cable from a switch or other device that can provide a PoE-compliant port connection to a powered device (PD). Examples of PDs are the following:
Voice over IP devices such as PoE-compliant digital telephones
Pan/Tilt/Zoom (PTZ) IP surveillance cameras
Devices that support Wireless Application Protocol (WAP) such as wireless access points

Ethernet implementations employ differential signals over twisted pair cables. This requires a minimum of two twisted pairs for a single physical link. Both ends of the cable are isolated with transformers blocking any DC or common mode voltage on the signal pair. PoE exploits this fact by using two twisted pairs as the two conductors to supply a direct current to a PD. One pair carries the power supply current and the other pair provides a path for the return current.

Why Would I Use PoE in My Network?


Using PoE allows you to operate PDs in locations without local power (that is, without AC outlets). Having such a network setup can reduce the costs associated with installing electrical wiring and AC outlets to power the various devices.

June 3, 2011

Page 1 of 14


How Do I Implement PoE?


You can configure PoE on your PoE-compliant Enterasys device through the CLI-based procedures presented in the section Configuring PoE on page 4. As part of your plan to implement PoE in your network, you should ensure the following:
The power requirements of your PDs are within the limits of the PoE standards.
Your PoE-compliant Enterasys device can supply enough power to run your PDs. See Table 1 for power ranges based on each device class.

Table 1 PoE Powered Device Classes

Class  Power Output at Port      Power Range Used by Device
0      15.4 watts                0.44 to 12.95 watts
1      4.0 watts                 0.44 to 3.84 watts
2      7.0 watts                 3.84 to 6.49 watts
3      15.4 watts                6.49 to 12.95 watts
4      34 watts (802.3at)        12.95 to 25.5 watts (802.3at)
       Reserved (802.3af)        Treat as class 0 (802.3af)

If SNMP traps are enabled, the Enterasys device generates a trap to notify the network administrator if any of the following occur:
The power needed or requested exceeds the power available
A PD power state change occurs (for example, when a PD is powered up or unplugged)

If insufficient power is available for an attached PD, the corresponding port LED on the Enterasys device turns amber. The LED also turns amber if a PoE fault occurs (for example, a short in the Ethernet cable).

Allocation of PoE Power to Modules


Notes: This feature is available only on the G-Series, N-Series, S-Series, and K-Series products.

The switch firmware determines the power available for PoE based on hardware configuration, power supply status, and power supply redundancy mode. The system calculates and reserves the correct amount of power required by the installed hardware components and then makes the balance of power available for PoE. When any change is made to the hardware configuration, power supply status, or redundancy mode, the firmware recalculates the power available for PoE.

On the S-Series, N-Series, and K-Series switches, you can also manually configure the maximum percentage of PoE power available to the chassis as a percentage of the total installed PoE power with the set inlinepower available command. (This feature is not configurable on the G-Series.) If the power needed or requested exceeds the power available, the system will generate a trap to notify the system manager, if traps are enabled.

The power available for PoE is distributed based on the configured allocation mode, set with the set inlinepower mode command:


Automatic mode, in which available power is distributed evenly to PoE-capable modules based on PoE port count. (This is the default mode.) Any change in available power, due to a change in power supply status or redundancy mode or to the addition or removal of modules, will trigger an automatic redistribution of power.

Manual mode, in which the power budget for each PoE-capable module is manually configured, using either CLI commands or the MIBs. The sum of the wattage configured for each module cannot exceed the total power available on the switch for PoE.

The power budget for each PoE-capable module can be configured manually on the G-Series with the command set inlinepower assign and on the S-Series, N-Series, and K-Series with the command set inlinepower assigned.

The configured wattage assignments are used to calculate each slot's percentage of total available power. If the total available PoE power is reduced, a redistribution of available power will occur, applying the calculated percentages.

When Manual Mode is Configured


When manual distribution mode is configured, if a PoE module is added to the switch, the PoE power budget for existing modules will not be recalculated. The new module will have a power budget of zero until it is manually provisioned. Since the sum of the manually provisioned wattages cannot exceed the total system power available, it may be necessary to adjust existing budgets to free up power for the new module.

When a PoE module is removed from a switch configured with manual power distribution mode, the PoE budget for each module will not be recalculated, based on the assumption that the module removed will be replaced with a new module that should receive the same amount of PoE power.

As noted above, if the total available PoE power is reduced, the power will automatically be redistributed based on applying the calculated percentages. If an additional PoE supply is installed, there is no impact on the assigned PoE since specific wattages have been assigned to each module. Only the Total Power Detected value will change. The extra PoE power, however, is available for further redistribution manually.
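The manual-mode rules described above (the sum of assignments may not exceed the available total, a new module starts at zero, a reduction redistributes by the calculated percentages, an increase changes no assignment), as an added Python model that is not Enterasys firmware code; the class and method names are hypothetical, and the slot numbers and wattages are constructed sample values.

```python
"""Model of manual PoE power distribution mode (added example, not Enterasys code)."""


class ManualPoeBudget:
    """Per-slot PoE budgets under manual allocation mode.

    total_available is the power (watts) the firmware makes available for PoE
    after reserving what the installed hardware needs. Hypothetical class.
    """

    def __init__(self, total_available):
        self.total_available = float(total_available)
        self.budgets = {}  # slot -> assigned watts

    def assigned_total(self):
        return sum(self.budgets.values())

    def assign(self, slot, watts):
        """Manually provision a module. The sum of all budgets may not exceed
        the total power available for PoE, so an over-budget request is rejected."""
        others = self.assigned_total() - self.budgets.get(slot, 0.0)
        if others + watts > self.total_available:
            raise ValueError("slot %s: %.1f W assigned would exceed %.1f W available"
                             % (slot, others + watts, self.total_available))
        self.budgets[slot] = float(watts)

    def add_module(self, slot):
        """A module added in manual mode gets a zero budget until provisioned;
        existing budgets are not recalculated."""
        self.budgets.setdefault(slot, 0.0)

    def remove_module(self, slot):
        """Removal does not recalculate other budgets; the slot keeps its
        assignment so a replacement module receives the same power."""
        return self.budgets.get(slot, 0.0)

    def percentages(self):
        """Each slot's share, calculated against the total available power."""
        return {s: w / self.total_available for s, w in self.budgets.items()}

    def update_total(self, new_total):
        """Apply a change in available PoE power.

        A reduction redistributes power by the calculated percentages. An
        increase leaves every assignment untouched; only the detected total
        changes and the extra power stays free for manual redistribution.
        """
        new_total = float(new_total)
        if new_total < self.total_available:
            pct = self.percentages()
            self.budgets = {s: round(new_total * p, 3) for s, p in pct.items()}
        self.total_available = new_total
        return dict(self.budgets)

    def headroom(self):
        """Power not yet assigned to any slot."""
        return self.total_available - self.assigned_total()


def demo():
    """Walk through the scenarios in the text with constructed values."""
    b = ManualPoeBudget(800)            # 800 W available for PoE (constructed)
    b.assign(1, 400)
    b.assign(2, 200)
    try:
        b.assign(3, 400)                # 400 + 200 + 400 > 800: rejected
        over_budget_rejected = False
    except ValueError:
        over_budget_rejected = True
    b.add_module(4)                     # new module: zero budget until provisioned
    after_reduce = b.update_total(400)  # a supply is lost: 400 W available
    after_increase = b.update_total(1000)  # extra supply: budgets unchanged
    return {
        "over_budget_rejected": over_budget_rejected,
        "new_module_budget": b.budgets[4],
        "after_reduce": after_reduce,
        "after_increase": after_increase,
        "headroom": b.headroom(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```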

Management of PoE Power to PDs


Note: This feature is available only on B5, C5, G-Series, N-Series, S-Series, and K-Series products.

For each PoE-capable module or switch (for the products listed above), you can configure how its PoE controller makes power available to attached powered devices (PDs). On a per-module basis, you can configure:

• Real-time mode, in which the PoE controller calculates the power needed by a PD based on the actual power consumption of the attached devices.
• Class mode, in which the PoE controller manages power based on the IEEE 802.3af/.3at definition of the class limits advertised by the attached devices, with the exception that for class 0 and class 4 devices, actual power consumption will always be used. In this mode, the maximum amount of power required by a device in the advertised class is reserved for the port, regardless of the actual amount of power being used by the device.

Power management to PDs is configured with the command set inlinepower management. PoE classes are defined in Table 1 on page 2.
Configuring PoE
Table 2 lists the PoE settings that you can configure through the CLI on each PoE-compliant Enterasys device.

Table 2 PoE Settings Supported on Enterasys Devices

| Setting | A2 | A4 | B2 | B3 | B5 | C2 | C3 | C5 | D-Series | G-Series | N-Series | K-Series | S-Series |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Port-specific PoE parameters | X | X | X | X | X | X | X | X | X | X | X | X | X |
| SNMP traps | X | X | X | X | X | X | X | X | X | X | X | X | X |
| PoE usage threshold | X | X | X | X | X | X | X | X | X | X | X | X | X |
| PD detection method | X | X | X | X | X | X | X | X | X | X |  |  |  |
| System power redundancy |  |  |  |  |  |  |  | X |  | X |  |  |  |
| System power allocation |  |  |  |  |  |  |  |  |  |  | X | X | X |
| Module power allocation |  |  |  |  |  |  |  |  |  | X | X | X | X |
| PD power management |  |  |  |  | X |  |  | X |  | X | X | X | X |
Refer to the appropriate device-specific PoE configuration procedure.

• Stackable fixed switches A2, A4, B2, B3, C2, and C3: Procedure 1 on page 5
• Standalone D-Series: Procedure 1 on page 5
• Stackable fixed switches B5 and C5: Procedure 2 on page 6
• Standalone G-Series: Procedure 3 on page 7
• Modular N-Series, S-Series, and K-Series: Procedure 4 on page 10
Note: You must be logged on to the Enterasys device with read-write access rights to use the commands shown in the procedures in the following sections.
Stackable A2, A4, B2, B3, C2, C3 and Standalone D-Series Devices
Procedure 1 PoE Configuration for Stackable A, B, and C, Standalone D-Series Devices

Step 1. Configure PoE parameters on ports to which PDs are attached.
    admin: Enables (auto) or disables (off) PoE on a port. The default setting is auto.
    priority: Sets which ports continue to receive power in a low power situation. If all ports have the same priority and the system has to cut power to the PDs, the PDs attached to the lowest numbered ports have the highest priority for receiving power. The default setting is low.
    type: Associates an alias with a PD, such as siemens phone.
    Command(s): set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}

Step 2. (Optional) Enable SNMP trap messages on the device. The default setting is enabled.
    Command(s): set inlinepower trap {disable | enable} unit-number

Step 3. (Optional) Set the PoE usage threshold on the device. Valid values are 1 to 100 percent. The default setting is 80 percent.
    Command(s): set inlinepower threshold usage-threshold unit-number

Step 4. (Optional) Specify the method the Enterasys device uses to detect connected PDs.
    auto (default): The Enterasys device first uses the IEEE 802.3af/at standards resistor-based detection method. If that fails, the device uses the proprietary capacitor-based detection method.
    ieee: The Enterasys device uses only the IEEE 802.3af/at standards resistor-based detection method.
    Command(s): set inlinepower detectionmode {auto | ieee}

Refer to the device's Configuration Guide or CLI Reference Guide for more information about each command.
Stackable B5 and C5 Devices


Procedure 2 PoE Configuration for Stackable B5 and C5 Devices

Step 1. Configure PoE parameters on ports to which PDs are attached.
    admin: Enables (auto) or disables (off) PoE on a port. The default setting is auto.
    priority: Sets which ports continue to receive power in a low power situation. If all ports have the same priority and the system has to cut power to the PDs, the PDs attached to the lowest numbered ports have the highest priority for receiving power. The default setting is low.
    type: Associates an alias with a PD, such as siemens phone.
    Command(s): set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}

Step 2. (Optional) Enable SNMP trap messages on the device. The default setting is enabled.
    Command(s): set inlinepower trap {disable | enable} unit-number

Step 3. (Optional) Set the PoE usage threshold on the device. Valid values are 1 to 100 percent. The default setting is 80 percent.
    Command(s): set inlinepower threshold usage-threshold unit-number

Step 4. (Optional) Specify the method the Enterasys device uses to detect connected PDs.
    auto (default): The Enterasys device first uses the IEEE 802.3af/at standards resistor-based detection method. If that fails, the device uses the proprietary capacitor-based detection method.
    ieee: The Enterasys device uses only the IEEE 802.3af/at standards resistor-based detection method.
    Command(s): set inlinepower detectionmode {auto | ieee}

Step 5. (Optional) Set the PoE management mode on a specified module.
    realtime (default): Manages power based on the actual power consumption of the ports.
    class: Manages power based on the IEEE 802.3af/at definition of the class upper limit for each attached PD, except classes 0 and 4, for which the actual power consumption is used. In this mode, the maximum amount of power required by a PD in the advertised class is reserved for the port, regardless of the actual amount of power being used by the device.
    Command(s): set inlinepower management {realtime | class} module-number

Step 6. (Optional on C5 only) Set the power redundancy mode on the system if two power supplies are installed.
    redundant (default): The power available to the system equals the maximum output of the lowest rated supply (400W or 1200W). If two supplies are installed in redundant mode, system power redundancy is guaranteed if one supply fails.
    non-redundant: The combined output of both supplies is available to the system. In this mode, a power supply failure may result in a system reset. Also called additive mode.
    If two power supplies are installed, the power supply LEDs on the device's front panel indicate whether the power supplies are in redundant mode (green LEDs) or non-redundant mode (amber LEDs).
    Command(s): set system power {redundant | non-redundant}

Refer to the device's Configuration Guide or CLI Reference Guide for more information about each command.

G-Series Devices
Procedure 3 PoE Configuration for G-Series Devices

Step 1. Configure PoE parameters on ports to which PDs are attached.
    admin: Enables (auto) or disables (off) PoE on a port. The default setting is auto.
    priority: Sets which ports continue to receive power in a low power situation. If all ports have the same priority and the system has to cut power to the PDs, the PDs attached to the lowest numbered ports have the highest priority for receiving power. The default setting is low.
    type: Associates an alias with a PD, such as siemens phone.
    Command(s): set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}

Step 2. (Optional) Enable SNMP trap messages on the module. The default setting is enabled.
    Command(s): set inlinepower trap {disable | enable} module-number

Step 3. (Optional) Set the PoE usage threshold on the module. Valid values are 1 to 100 percent. Use the clear command to reset the PoE usage threshold on a specified module to the default value of 80 percent.
    Command(s): set inlinepower threshold usage-threshold module-number
                clear inlinepower threshold module-number

Step 4. (Optional) Specify the method the Enterasys device uses to detect connected PDs.
    auto (default): The Enterasys device first uses the IEEE 802.3af/at standards resistor-based detection method. If that fails, the device uses the proprietary capacitor-based detection method.
    ieee: The Enterasys device uses only the IEEE 802.3af/at standards resistor-based detection method.
    Command(s): set inlinepower detectionmode {auto | ieee}

Step 5. (Optional) Set the power redundancy mode on the system if two power supplies are installed.
    redundant (default): The power available to the system equals the maximum output of the lowest rated supply (400W or 1200W). If two supplies are installed in redundant mode, system power redundancy is guaranteed if one supply fails.
    non-redundant: The combined output of both supplies is available to the system. In this mode, a power supply failure may result in a system reset. Also called additive mode.
    If two power supplies are installed, the power supply LEDs on the device's front panel indicate whether the power supplies are in redundant mode (green LEDs) or non-redundant mode (amber LEDs).
    Command(s): set system power {redundant | non-redundant}

Step 6. (Optional) Set the PoE management mode on a specified module.
    realtime (default): Manages power based on the actual power consumption of the ports.
    class: Manages power based on the IEEE 802.3af/at definition of the class upper limit for each attached PD, except classes 0 and 4, for which the actual power consumption is used. In this mode, the maximum amount of power required by a PD in the advertised class is reserved for the port, regardless of the actual amount of power being used by the device.
    Command(s): set inlinepower management {realtime | class} module-number

Step 7. (Optional) Configure the allocation mode for system power available for PoE.
    auto (default): Available power is distributed evenly to PoE modules based on PoE port count. A change in available power, due to a change in power supply status or redundancy mode or to the addition or removal of modules, triggers an automatic redistribution of power to the PoE controller on each PoE-capable module.
    manual: The power budget for each PoE module is configured manually, using the set inlinepower assign command. The configured wattage assignments are used to calculate each module's percentage of total available power. If the total available PoE power changes, a redistribution of available power occurs, applying the calculated percentages.
    In manual mode, power recalculations do not occur under the following circumstances:
    • A PoE module is added. The new module has a power budget of zero until it is manually provisioned. Since the sum of the manually provisioned wattages cannot exceed the total system power available, you may have to adjust existing budgets to free up power for the new module.
    • A PoE module is removed. In this case, the assumption is that the removed module will be replaced with a new module that should receive the same amount of PoE power.
    Command(s): set inlinepower mode {auto | manual}

Step 8. (Only if the set inlinepower mode command is set to manual) Assign specific wattage to a PoE module. If the set inlinepower mode command is set to manual, you must assign power to each PoE module; otherwise, the module ports will not receive power. The sum of the wattage configured for each module cannot exceed the total power available for PoE on the Enterasys device.
    If a G-Series device is configured for non-redundant mode (set system power) and manual mode (set inlinepower mode) and a power supply fails, the G-Series device redistributes the remaining power to the modules. When power is restored on the failed power supply, however, you must manually reconfigure the power for each module.
    Use the clear command to clear the power value manually assigned to one or more modules.
    Command(s): set inlinepower assign watts module-number
                clear inlinepower assigned [module-number]

Refer to the device's CLI Reference Guide for more information about each command.

Modular N-Series, S-Series, K-Series Devices


Procedure 4 PoE Configuration for N-Series, S-Series, K-Series Devices

Step 1. Configure PoE parameters on ports to which PDs are attached.
    admin: Enables (auto) or disables (off) PoE on a port. The default setting is auto.
    priority: Sets which ports continue to receive power in a low power situation. If all ports have the same priority and the system has to cut power to the PDs, the PDs attached to the lowest numbered ports have the highest priority for receiving power. The default setting is low.
    type: Associates an alias with a PD, such as siemens phone.
    powerlimit: Sets the maximum power, in milliwatts, allowed on a port. Valid values are 0 to 15400. How this parameter is set can affect the class of PD that can be attached to the port. See Table 1. The default setting is 15400.
    Use the clear command to set the port's PoE parameters back to the default settings.
    Command(s): set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type] [powerlimit powerlimit]}
                clear port inlinepower port-string {[admin] [priority] [type] [powerlimit]}

Step 2. (Optional) Enable an SNMP trap message to be sent when the status of the chassis PoE power supplies or the PoE system redundancy changes. The default setting is disable. Use the clear command to reset chassis power trap messaging back to the default state of disabled.
    Command(s): set inlinepower powertrap {disable | enable}
                clear inlinepower powertrap

Step 3. (Optional) Enable an SNMP trap message to be sent whenever the status of a module's ports changes, or whenever the module's PoE usage threshold is crossed. The default setting is disable. Use the clear command to reset PoE trap messaging for a module back to the default state of disabled.
    Command(s): set inlinepower psetrap {disable | enable} module-number
                clear inlinepower psetrap module-number

Step 4. (Optional) Set the PoE usage threshold on a module. Valid values are 1 to 99 percent. Use the clear command to reset the PoE usage threshold on a specified module to the default value of 80 percent.
    Command(s): set inlinepower threshold usage-threshold module-number
                clear inlinepower threshold module-number

Step 5. (Optional) Set the maximum percentage of total PoE power available that a chassis can withdraw from the total PoE power detected. Use the clear command to reset the percentage of the total power available to a chassis to the default value of 100.
    Command(s): set inlinepower available max-percentage
                clear inlinepower available

Step 6. (Optional) Set the PoE management mode on a specified module.
    realtime (default): Manages power based on the actual power consumption of the ports.
    class: Manages power based on the IEEE 802.3af definition of the class upper limit for each attached PD, except classes 0 and 4, for which the actual power consumption is used. In this mode, the maximum amount of power required by a PD in the advertised class is reserved for the port, regardless of the actual amount of power being used by the device.
    Use the clear command to reset the PoE management mode on a specified module back to the default setting.
    Command(s): set inlinepower management {realtime | class} module-number
                clear inlinepower management module-number

Step 7. (Optional) Configure the allocation mode for system power available for PoE.
    auto (default): Available power is distributed evenly to PoE modules based on PoE port count. Any change in available power, due to a change in power supply status or redundancy mode or to the addition or removal of modules, triggers an automatic redistribution of power to the PoE controller on each PoE module.
    manual: The power budget for each PoE module is configured manually, using the set inlinepower assigned command. The configured wattage assignments are used to calculate each module's percentage of total available power. If the total available PoE power changes, a redistribution of available power occurs, applying the calculated percentages.
    Use the clear command to reset chassis power allocation to the default mode.
    Command(s): set inlinepower mode {auto | manual}
                clear inlinepower mode

Step 8. (Only if the set inlinepower mode command is set to manual) Assign specific wattage to a PoE module. If the set inlinepower mode command is set to manual, you must assign power to each PoE module; otherwise, the module ports will not receive power. If the value set with this command is greater than the maximum power percentage specified with the set inlinepower available command, a warning will display in the show inlinepower output. If you execute these parameters, a ratio of assigned power is applied to each module.
    Use the clear command to clear the power value manually assigned to one or more modules.
    Command(s): set inlinepower assigned power-value slot-number
                clear inlinepower assigned [slot-number]

Refer to the device's Configuration Guide for more information about each command.

Example PoE Configuration


A PoE-compliant G-Series device is configured as follows:

• One 400W power supply is installed. The power available for PoE is 150W.
• Two PoE modules are installed.
• The set inlinepower mode command is set to auto, which means that the power available for PoE (150W) is distributed evenly, 75W to each PoE module.
• The power required to run the PDs, which are all connected to this G-Series device through the module in slot 2, is 100W.

To make power available for all the PDs connected to the module in slot 2, the network administrator must first change the setting of the set inlinepower mode command:

G3(su)->set inlinepower mode manual

When this setting for the set inlinepower mode command changes to manual, none of the 150W available for PoE are assigned to the PoE modules. The network administrator must assign the 150W, or some portion of the 150W, to the PoE modules to power the attached PDs.

G3(su)->set inlinepower assign 100 2
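The allocation rules described in this guide (auto mode split by PoE port count, manual assignment with its sum constraint, the add/remove and power-reduction behaviour in manual mode, and the usage threshold) as a small Python model that also replays the G-Series example above. This is an added illustration, not Enterasys code; the port counts and the class and method names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class PoeModule:
    """One PoE-capable module (slot); values are constructed for this illustration."""
    poe_ports: int            # PoE port count, used by the auto allocation mode
    assigned_w: float = 0.0   # wattage given with 'set inlinepower assign' (manual mode)
    share: float = 0.0        # manual mode: assigned_w / total available at assignment time
    budget_w: float = 0.0     # effective budget the module's PoE controller may hand to PDs


class PoeChassis:
    """Hypothetical model of the guide's PoE budget rules (not Enterasys firmware code).
    available_w is the balance left for PoE after hardware reservations; usage_threshold
    is the 'set inlinepower threshold' percentage."""

    def __init__(self, available_w: float, mode: str = "auto", usage_threshold: int = 80):
        if mode not in ("auto", "manual"):
            raise ValueError("mode must be 'auto' or 'manual'")
        self.available_w = float(available_w)
        self.mode = mode
        self.usage_threshold = usage_threshold
        self.modules: Dict[int, PoeModule] = {}

    def _distribute_auto(self) -> None:
        # auto mode: available power is split evenly by PoE port count
        total_ports = sum(m.poe_ports for m in self.modules.values())
        for m in self.modules.values():
            m.budget_w = self.available_w * m.poe_ports / total_ports if total_ports else 0.0

    def set_mode(self, mode: str) -> None:
        """'set inlinepower mode {auto | manual}'; manual leaves every slot at 0 W until assign()."""
        self.mode = mode
        if mode == "auto":
            self._distribute_auto()
        else:
            for m in self.modules.values():
                m.assigned_w = m.share = m.budget_w = 0.0

    def assign(self, slot: int, watts: float) -> None:
        """'set inlinepower assign <watts> <slot>': the sum of assignments may not exceed available_w."""
        if self.mode != "manual":
            raise RuntimeError("assignments are only honoured in manual mode")
        others = sum(m.assigned_w for s, m in self.modules.items() if s != slot)
        if others + watts > self.available_w:
            raise ValueError(
                f"{others + watts:.0f} W assigned exceeds {self.available_w:.0f} W available")
        m = self.modules[slot]
        m.assigned_w = m.budget_w = float(watts)
        m.share = watts / self.available_w   # percentage applied on a later power reduction

    def add_module(self, slot: int, poe_ports: int) -> None:
        self.modules[slot] = PoeModule(poe_ports)
        if self.mode == "auto":
            self._distribute_auto()   # manual mode: new slot stays at 0 W, others untouched

    def remove_module(self, slot: int) -> None:
        del self.modules[slot]
        if self.mode == "auto":
            self._distribute_auto()   # manual mode: no recalculation (replacement assumed)

    def set_available(self, new_available_w: float) -> None:
        """A power supply status or redundancy mode change altered the PoE balance."""
        old = self.available_w
        self.available_w = float(new_available_w)
        if self.mode == "auto":
            self._distribute_auto()
        elif self.available_w < old:
            # manual mode, reduction: re-apply each slot's calculated percentage
            for m in self.modules.values():
                m.budget_w = m.share * self.available_w
        # manual mode, increase: budgets are unchanged; the surplus only becomes
        # available for further manual assignment (see unassigned_w)

    def budgets(self) -> Dict[int, float]:
        return {s: round(m.budget_w, 2) for s, m in self.modules.items()}

    def unassigned_w(self) -> float:
        """Power still free for 'set inlinepower assign' in manual mode (negative after a cut)."""
        return self.available_w - sum(m.assigned_w for m in self.modules.values())

    def over_threshold(self, slot: int, used_w: float) -> bool:
        """True when a module's PD draw crosses its usage threshold (the trap condition)."""
        m = self.modules[slot]
        return m.budget_w > 0 and used_w / m.budget_w * 100 > self.usage_threshold


def guide_example() -> Dict[int, float]:
    """Replays the example: 150 W for PoE, two modules (equal port counts assumed), auto then manual."""
    chassis = PoeChassis(150, "auto")
    chassis.add_module(1, 24)
    chassis.add_module(2, 24)
    assert chassis.budgets() == {1: 75.0, 2: 75.0}   # auto: 75 W per module
    chassis.set_mode("manual")                         # G3(su)->set inlinepower mode manual
    assert chassis.budgets() == {1: 0.0, 2: 0.0}       # nothing assigned yet
    chassis.assign(2, 100)                             # G3(su)->set inlinepower assign 100 2
    return chassis.budgets()                           # {1: 0.0, 2: 100.0}
```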


PoE Display Commands


Table 3 lists PoE show commands for Enterasys devices.

Table 3 PoE Show Commands

| Task | Command |
|---|---|
| Use this command to display PoE properties for a device. | show inlinepower |
| Use this command to display information about the ports that support PoE: type of PD attached (if specified), administrative and operational status, priority, class of PD attached, and power used by the PD. | show port inlinepower [port-string] |

Refer to the device's CLI Reference Guide or Configuration Guide for a description of the output of each command.
Revision History
| Date | Description |
|---|---|
| 03-02-2009 | New document |
| 06-03-2011 | Revised to add A4, B5, C5, S-Series, K-Series |

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

2011 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS NETSIGHT, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
Configuring Policy
This document describes the Enterasys policy feature and its configuration on Enterasys Matrix N-Series, Enterasys SecureStack, D-Series, G-Series, and I-Series switch devices.
Note: See the Enterasys Matrix X Router Configuration Guide for X Router policy configuration information.

| For information about... | Refer to page... |
|---|---|
| What is Policy? | 1 |
| Why Would I Use Policy in My Network? | 1 |
| How Can I Implement Policy? | 2 |
| Policy Overview | 2 |
| Configuring Policy | 15 |
| Policy Configuration Example | 21 |
| Terms and Definitions | 31 |

What is Policy?
Policy is a component of Secure Networks that provides for the configuration of role-based profiles for securing and provisioning network resources based upon the role the user or device plays within the enterprise. By first defining the user or device role, network resources can be granularly tailored to a specific user, system, service, or port-based context by configuring and assigning rules to the policy role. A policy role can be configured for any combination of Class of Service, VLAN assignment, classification rule precedence, logging, accounting, or default behavior based upon L2, L3, and L4 packet fields. Hybrid authentication allows either policy or dynamic VLAN assignment, or both, to be applied through RADIUS authorization.

Why Would I Use Policy in My Network?


The three primary benefits of using Enterasys Secure Networks policy in your network are provisioning and control of network resources, security, and centralized operational efficiency using the Enterasys NetSight Policy Manager.

Policy provides for the provisioning and control of network resources by creating policy roles that allow you to determine network provisioning and control at the appropriate network layer, for a given user or device. With a role defined, rules can be created based upon up to 23 traffic classification types for traffic drop or forwarding. A Class of Service (CoS) can be associated with each role for purposes of setting priority, forwarding queue, rate limiting, and rate shaping.

May 18, 2009

Page 1 of 32
Security can be enhanced by allowing only intended users and devices access to network protocols and capabilities. Some examples are:

• Ensuring that only approved stations can use SNMP, preventing unauthorized stations from viewing, reading, and writing network management information
• Preventing edge clients from attaching network services that are appropriately restricted to data centers and managed by the enterprise IT organization, such as DHCP and DNS services
• Identifying and restricting routing to legitimate routing IP addresses to prevent DoS, spoofing, data integrity and other routing-related security issues
• Ensuring that FTP/TFTP file transfers and firmware upgrades only originate from authorized file and configuration management servers
• Preventing clients from using legacy protocols such as IPX, AppleTalk, and DECnet that should no longer be running on your network

Enterasys NetSight Policy Manager provides a centralized point-and-click configuration, and one-click pushing of defined policy out to all network elements. Use the Enterasys NetSight Policy Manager for ease of initial configuration and response to security and provisioning issues that may come up during real-time network operation.

How Can I Implement Policy?


To implement policy:

• Identify the roles of users and devices in your organization that access the network
• Create a policy role for each identified user role
• Associate classification rules and administrative profiles with each policy role
• Optionally, configure a class of service and associate it directly with the policy role or through a classification rule
• Optionally, enable hybrid authentication, which allows RADIUS filter-ID and tunnel attributes to be used to dynamically assign policy roles and VLANs to authenticating users
• Optionally, set device response to invalid policy

Policy Overview
Introduction
This section provides an overview of policy configuration. Policy is implemented on an Enterasys platform by associating users and devices in the network with defined enterprise roles (such as sales, engineering, or administration) that are configured in a policy role. The policy role is associated with rules that define how network resources will be provisioned and controlled for role members, as well as how security will be applied to the role member. An administrative profile associates a specific role member traffic classification with a policy role.
Note: In a CLI configuration context, the policy role is configured within a policy profile using the set policy profile command. Throughout this discussion, policy role and policy profile mean the same thing.
Standard and Enhanced Policy on Enterasys Platforms


There are two sets of policy capabilities supported, depending upon the Enterasys platform. Standard policy is supported on all platforms. Standard policy represents the base policy support for Enterasys platforms. Enhanced policy is an additional set of policy capabilities supported on the N-Series platforms. Unless a policy capability or function is specified as being a member of the enhanced policy set or otherwise qualified, in this discussion, standard policy is assumed, and the capability applies to all Enterasys platforms that support policy.

The Enterasys NetSight Policy Manager


Enterasys NetSight Policy Manager is a management GUI that automates the definition and enforcement of network-wide policy rules. It eliminates the need to configure policies on a device-by-device basis using complex CLI commands. The Policy Manager's GUI provides ease of classification rule and policy role creation, because you only define policies once using an easy-to-understand point-and-click GUI and, regardless of the number of moves, adds or changes to the policy role, Policy Manager automatically enforces roles on Enterasys security-enabled infrastructure devices.

This document presents policy configuration from the perspective of the CLI. Though it is possible to configure policy from the CLI, CLI policy configuration in even a small network can be prohibitively complex from an operational point of view. It is highly recommended that policy configuration be performed using the NetSight Policy Manager. The NetSight Policy Manager provides:

• Ease of rule and policy role creation
• The ability to store and retrieve roles and policies
• The ability, with a single click, to enforce policy across multiple devices

The official Policy Manager documentation is accessed using online help from within the application. This online documentation completely covers the configuration of policy in a Policy Manager context. For access to the Policy Manager data sheet or to set up a demo of the product, see http://www.enterasys.com/products/visibilitycontrol/netsightpolicymanager.aspx.

Understanding Roles in a Secure Network


The capacity to define roles is directly derived from the ability of the Matrix N-Series, SecureStack, and standalone devices to isolate packet flows by inspecting Layer 2, Layer 3, and Layer 4 packet fields while maintaining line rate. This capability allows for the granular application of a policy to a:

• Specific user (MAC, IP address or interface)
• Group of users (masked MAC or IP address)
• System (IP address)
• Service (such as TCP or UDP)
• Port (physical or application)

Because users, devices, and applications are all identifiable within a flow, a network administrator has the capacity to define and control network access and usage by the actual role the user or device plays in the network. The nature of the security challenge, application access, or amount of network resource required by a given attached user or device, is very much dependent upon the role that user or device plays in the enterprise. Defining and applying each role assures that network access and resource usage align with the security requirements, network capabilities, and legitimate user needs as defined by the network administrator.

The Policy Role


A role, such as sales, admin, or engineering, is first identified and defined in the abstract as the basis for configuring a policy role. Once a role is defined, a policy role is configured and applied to the appropriate context using a set of rules that can control and prioritize various types of network traffic. The rules that make up a policy role contain both classification definitions and actions to be enforced when a classification is matched. Classifications include Layer 2, Layer 3, and Layer 4 packet fields. Policy actions that can be enforced include VLAN assignment, filtering, inbound rate limiting, outbound rate shaping, priority class mapping and logging.

Policy Roles
Defining a Policy Role
The policy role is a container that holds all aspects of policy configuration for a specific role. Policy roles are identified by a numeric profile index value between 1 and the maximum number of roles supported on the platform. Please see your device's firmware release notes for the maximum number of roles supported. Policy roles are configured using the set policy profile command.

Policy configuration is either directly specified with the set policy profile command or is associated with the role by specifying the profile index value within the command syntax where the given policy option is configured. For example, when configuring a policy maptable entry using the set policy maptable command (see VLAN-to-Policy Mapping on page 5), the command syntax requires that you identify the policy role the maptable entry will be associated with, by specifying the profile index value.

When modifying an existing policy role, the default behavior is to replace the existing role with the new policy role configuration. Use the append option to limit the change to the existing policy role to the options specified in the entered command.

A policy role can also be identified by a text name of between 1 and 64 characters. This name value is used by the RADIUS filter-ID attribute to identify the policy role to be applied by the switch with a successful authentication.

Setting a Default VLAN for this Role


A default VLAN can be configured for a policy role. A default VLAN will only be used when either a VLAN is not specifically assigned by a classification rule or all policy role classification rules are missed. To configure a default VLAN, enable pvid-status and specify the port VLAN to be used. pvid-status is disabled by default.
Note: Enterasys supports the assignment of port VLAN-IDs 1 - 4094 (4093 on the SecureStack switch). VLAN-IDs 0 and 4095 cannot be assigned as port VLAN-IDs, but do have special meanings within a policy context and can be assigned to the pvid parameter. (See the Configuring VLANs feature guide at http://secure.enterasys.com/support/manuals/ for further information on these two VLAN-IDs.) Within a policy context:
0 - Specifies an explicit deny all
4095 - Specifies an explicit permit all
Assigning a Class of Service to this Role


How a packet is treated as it transits the link can be configured in the Class of Service (CoS). It is through a CoS that Quality of Service (QoS) is implemented. A CoS can be configured for the following values:

• 802.1p priority
• IP Type of Service (ToS) rewrite value
• Priority Transmit Queue (TxQ) along with a forwarding behavior
• Inbound and outbound rate limiter per transmit queue
• Outbound rate shaper per transmit queue

CoS configurations are identified by a numeric value between 0 and 255. 0 to 7 are fixed 802.1p CoS configurations. CoS configurations 8 to 255 are user configurable. Policy uses the cos option followed by the CoS configuration ID value to associate a CoS with a policy role.

QoS configuration details are beyond the scope of this feature guide. See the QoS Configuration feature guide located at http://secure.enterasys.com/support/manuals/ for a complete discussion of QoS configuration.

Adding Tagged, Untagged, and Forbidden Ports to the VLAN Egress Lists
The VLAN Egress list contains a list of ports that a frame for this VLAN can exit. Specified ports are automatically assigned to the VLAN egress list for this policy role as tagged, untagged, or forbidden.

Overwriting VLAN Tags Priority and Classification Settings


Enhanced Policy
TCI overwrite supports the application of rules to a policy role that overwrite the current user priority and other classification information in the VLAN tag's TCI field. TCI overwrite must be enabled for both the policy role and the port the role is applied to.

Use the set policy profile tci-overwrite command to enable TCI overwrite on a policy role. Use the set port tcioverwrite command to enable TCI overwrite on the specified port.

VLAN-to-Policy Mapping
Enhanced Policy
VLAN-to-Policy mapping provides for the manual configuration of a VLAN-to-Policy association that creates a policy maptable entry between the specified VLAN and the specified policy role. A policy maptable holds the VLAN-to-Policy mappings. When an incoming tagged VLAN packet is seen by the switch, a lookup of the policy maptable determines whether a VLAN-to-policy mapping exists. If the mapping exists, the associated policy is applied to this packet.

This feature can be used at the distribution layer in environments where non-policy-capable edge switches are deployed and there is no possibility of applying Enterasys policy at the edge. Tagged frames received at the distribution layer interface for a VLAN with an entry in the policy maptable will have the associated policy applied to the frame.

May 18, 2009

Page 5 of 32

Policy Overview

Note: VLAN-to-Policy mapping is supported on the B3, C3, and G3 switches for firmware releases 6.3 and greater.

Use the set policy maptable command, specifying a single VLAN ID or range of IDs and the policy profile index, to create a policy maptable entry.

Applying Policy Using the RADIUS Response Attributes


If an authentication method that requires communication with an authentication server is configured for a user, the RADIUS filter-ID attribute can be used to dynamically assign a policy role to the authenticating user. Supported RADIUS attributes are sent to the switch in the RADIUS access-accept message. The RADIUS filter-ID can also be applied in hybrid authentication mode. Hybrid authentication mode determines how the RADIUS filter-ID and the three RFC 3580 VLAN tunnel attributes (VLAN Authorization), when either or all are included in the RADIUS access-accept message, will be handled by the switch. The three VLAN tunnel attributes define the base VLAN ID to be applied to the user. In either case, conflict resolution between RADIUS attributes is provided by the maptable response feature.
Note: VLAN-to-policy mapping to maptable response configuration behavior is as follows:
- If the RADIUS response is set to policy, any VLAN-to-policy maptable configuration is ignored for all platforms.
- If the RADIUS response is set to tunnel, VLAN-to-policy mapping can occur on an N-Series platform; VLAN-to-policy mapping will not occur on a SecureStack or standalone platform.
- If the RADIUS response is set to both and both the filter-ID and tunnel attributes are present, VLAN-to-policy mapping configuration is ignored.
See the When Policy Maptable Response is Both section of the Configuring User Authentication feature guide for exceptions to this behavior.

Please see the Configuring User Authentication feature guide located at http://secure.enterasys.com/support/manuals/ for a discussion of RADIUS configuration, the RADIUS filter-ID, and VLAN authorization.

Use the policy option of the set policy maptable response command to configure the switch to dynamically assign a policy using the RADIUS filter-ID in the RADIUS response message.

Applying Policy Using Hybrid Authentication Mode


Enhanced Policy
Note: Hybrid authentication is an enhanced policy capability. For the B3, C3, and G3 platforms, hybrid authentication is supported for Releases 6.3 and greater.

Hybrid authentication is an authentication capability that allows the switch to use both the filter-ID and tunnel attributes in the RADIUS response message to determine how to treat the authenticating user.

Hybrid authentication is configured by specifying the both option in the set policy maptable response command. The both option:
- Applies the VLAN tunnel attributes if they exist and the filter-ID attribute does not
- Applies the filter-ID attribute if it exists and the VLAN tunnel attributes do not
- Applies both the filter-ID and the VLAN tunnel attributes if all attributes exist

If all attributes exist, the following rules apply:
- The policy role will be enforced, with the exception that any port PVID specified in the role will be replaced with the VLAN tunnel attributes
- The policy map is ignored because the policy role is explicitly assigned
- VLAN classification rules are assigned as defined by the policy role

vlanauthorization must be enabled or the VLAN tunnel attributes are ignored and the default VLAN is used. Please see the Configuring User Authentication feature guide located at http://secure.enterasys.com/support/manuals/ for a complete VLAN Authorization discussion.

Hybrid Mode support eliminates the dependency of VLAN assignment based on roles. As a result, VLANs can be assigned via the tunnel-private-group-ID, as defined per RFC 3580, while assigning roles via the filter-ID. This separation gives administrators more flexibility to segment their networks for efficiency beyond the role limits associated with the B3, C3, and G3 platforms.
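The following added example (not Enterasys code) models the maptable response decision described above: how the filter-ID and the three RFC 3580 tunnel attributes in an access-accept resolve to a policy role and VLAN under the tunnel, policy and both settings, with the vlanauthorization requirement and the N-Series-only VLAN-to-policy lookup applied. The data structures are assumptions, and so is the handling of the two cases the guide leaves open: tunnel attributes alone under both are treated as in tunnel mode, and a filter-ID that matches no profile falls back to the default policy.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # RFC 3580: Tunnel-Medium-Type value for IEEE-802


@dataclass
class AccessAccept:
    """The RADIUS access-accept attributes the decision depends on (constructed)."""
    filter_id: Optional[str] = None
    tunnel_type: Optional[int] = None
    tunnel_medium_type: Optional[int] = None
    tunnel_private_group_id: Optional[str] = None

    def tunnel_vlan(self) -> Optional[int]:
        """VLAN carried by the three RFC 3580 attributes, or None when any of
        them is missing or inconsistent, so a partial set is ignored as a whole."""
        if (self.tunnel_type != TUNNEL_TYPE_VLAN
                or self.tunnel_medium_type != TUNNEL_MEDIUM_IEEE802
                or not (self.tunnel_private_group_id or "").isdigit()):
            return None
        vid = int(self.tunnel_private_group_id)
        return vid if 1 <= vid <= 4094 else None


@dataclass
class SwitchConfig:
    """Assumed model of the switch settings that steer the decision."""
    maptable_response: str = "policy"      # set policy maptable response {tunnel | policy | both}
    vlanauthorization: bool = False        # tunnel attributes are ignored while this is off
    modular: bool = True                   # True: N-Series; False: SecureStack or standalone
    default_vlan: int = 1
    # profile name (matched against the filter-ID) -> (profile index, PVID or None)
    profiles: Dict[str, Tuple[int, Optional[int]]] = field(default_factory=dict)
    # set policy maptable entries: VLAN ID -> profile index
    policy_maptable: Dict[int, int] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    profile_index: Optional[int]   # None means no role assigned (default policy)
    vlan: int
    source: str                    # which rule produced the result


def resolve(cfg: SwitchConfig, accept: AccessAccept) -> Decision:
    if cfg.maptable_response not in ("tunnel", "policy", "both"):
        raise ValueError(f"unknown maptable response {cfg.maptable_response!r}")
    role = cfg.profiles.get(accept.filter_id) if accept.filter_id else None
    # vlanauthorization must be enabled or the tunnel attributes are ignored.
    tunnel_vlan = accept.tunnel_vlan() if cfg.vlanauthorization else None

    def from_filter_id() -> Decision:
        # Role explicitly assigned: its PVID (if any) is the VLAN and the
        # VLAN-to-policy maptable is not consulted.
        if role is None:
            return Decision(None, cfg.default_vlan, "default")   # assumption
        index, pvid = role
        return Decision(index, pvid if pvid else cfg.default_vlan, "filter-id")

    def from_tunnel() -> Decision:
        vlan = tunnel_vlan if tunnel_vlan else cfg.default_vlan
        # Only the modular (N-Series) platforms map the tunnel VLAN to a role.
        index = cfg.policy_maptable.get(vlan) if (cfg.modular and tunnel_vlan) else None
        return Decision(index, vlan, "tunnel+maptable" if index else "tunnel")

    if cfg.maptable_response == "policy":
        return from_filter_id()
    if cfg.maptable_response == "tunnel":
        return from_tunnel()
    # "both": hybrid authentication
    if role and tunnel_vlan:
        # All attributes present: the role is enforced, its PVID is replaced by
        # the tunnel VLAN, and the policy maptable is ignored.
        return Decision(role[0], tunnel_vlan, "filter-id+tunnel")
    if role:
        return from_filter_id()
    # Tunnel attributes only (or neither): assumed to behave as tunnel mode.
    return from_tunnel()
```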

Device Response to Invalid Policy


Enhanced Policy
The action that the device should take when asked to apply an invalid or unknown policy can be specified. The available actions are:
- Ignore the result and search for the next policy assignment rule. If all rules are missed, the default policy is applied.
- Block traffic
- Forward traffic as if no policy has been assigned, using 802.1D/Q rules

Use the set policy invalid action command to specify a default action to take when asked to apply an invalid or unknown policy.

Classification Rules
Classification rules associate specific traffic classifications or policy behaviors with the policy role. There are two aspects of classification rule configuration:
- The association of a traffic classification with a policy role by assigning the traffic classification to an administrative profile.
- The assignment of policy rules that define desired policy behaviors for the specified traffic classification type.

Both the administrative profile and policy rules are associated with the policy role by specifying the admin-pid option, in the case of an administrative profile, or a profile-index value, in the case of the policy rule. Administrative profiles and policy rules are configured using the set policy rule command.

The administrative profile assigns a traffic classification to a policy role by using the admin-profile option of the set policy rule command.


Note: Standard policy supports the VLAN tag traffic classification for administrative profiles. All other traffic classifications are enhanced policy in an administrative profile context. See Table 1 for a listing of supported traffic classifications.


Policy rules are based on traffic classifications. Table 1 on page 8 provides the supported policy rule traffic classification command options and definitions. An X in the enhanced rule column specifies that this traffic classification rule is only supported on enhanced policy platforms. All other traffic classifications are supported by standard policy.

A detailed discussion of supported traffic classifications is available in the Traffic Classification Rules section of the NetSight Policy Manager online help.

Table 1 Administrative Policy and Policy Rule Traffic Classifications

Traffic Classification   Attribute ID   Description
macsource                1              Classifies based on MAC source address.
macdest                  2              Classifies based on MAC destination address.
ipxsource                3              Classifies based on source IPX address.
ipxdest                  4              Classifies based on destination IPX address.
ipxsourcesocket          5              Classifies based on source IPX socket.
ipxdestsocket            6              Classifies based on destination IPX socket.
ipxclass                 7              Classifies based on transmission control in IPX.
ipxtype                  8              Classifies based on IPX packet type.
ipsourcesocket           12             Classifies based on source IP address with optional post-fixed port.
ipdestsocket             13             Classifies based on destination IP address with optional post-fixed port.
ipfrag                   14             Classifies based on IP fragmentation value.
udpsourceportip          15             Classifies based on UDP source port and optional post-fix IP address.
udpdestportip            16             Classifies based on UDP destination port and optional post-fix IP address.
tcpsourceportip          17             Classifies based on TCP source port and optional post-fix IP address.
tcpdestportip            18             Classifies based on TCP destination port and optional post-fix IP address.
icmptype                 19             Classifies based on ICMP type.
iptos                    21             Classifies based on Type of Service field in IP packet.
ipproto                  22             Classifies based on protocol field in IP packet.
ether                    25             Classifies based on type field in Ethernet II packet.
llcDsapSsap              26             Classifies based on DSAP/SSAP pair in 802.3 type packet.
vlantag                  27             Classifies based on VLAN tag.
tci                      28             Classifies based on Tag Control Information.
port                     31             Classifies based on port-string.

(Enhanced Rule column: nine of these classifications are marked X in the source table; the per-row marks were not preserved in this copy.)


Note: The optional post-fixed port traffic classification listed in Table 1 for IP, UDP, and TCP source and destination port traffic classifications is supported on DFE blades only.

A data value is associated with most traffic classifications to identify the specific network element for that classification. For data value and associated mask details, see the Valid Values for Policy Classification Rules table in the set policy rule command discussion of the command reference guide for your platform.

Configuring Policy Role Traffic Classification Precedence


Enhanced Policy
Each policy role has a precedence list associated with it that determines the order in which classification rules are applied to a packet. The lower the placement of the classification rule attribute in the list, the higher the precedence value of that attribute when applying classification rules.

All classification rule attributes supported by the platform have a static numeric ID value and are members of a precedence list. See Table 1 on page 8 for a listing of classification rule attributes and their associated attribute ID values.

Use the show policy profile command to display the current precedence list associated with a policy role.

By default, the precedence list is made up of attribute values 1-31, with unsupported ID values not specified. The precedence list associated with a given role can be modified using the precedence option in the set policy profile command. The following N-Series example sets the port (31) attribute to the highest precedence and leaves the remaining attributes in the default ordering:

    Matrix(rw)->set policy profile 200 precedence 31,1-8,12-19,21-22,25-28
    Matrix(rw)->show policy profile 200
    Profile Index           :200
    Profile Name            :
    .
    .
    .
    Rule Precedence         :31,1-8,12-19,21-22,25-28
                            :Port (31), MACSource (1), MACDest (2), IPXSource (3),
                            :IPXDest (4), IPXSrcSocket (5), IPXDstSocket (6),
                            :IPXClass (7), IPXType (8), IPSource (12),
                            :IPDest (13), IPFrag (14), UDPSrcPort (15),
                            :UDPDestPort (16), TCPSrcPort (17), TCPDestPort (18),
                            :ICMPType (19), IPTOS (21), IPProto (22), Ether (25),
                            :LLCDSAPSSAP (26), VLANTag (27), TCI (28)
    .
    .
    .
    Matrix(rw)->
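An added example (not from the guide or the switch firmware) that expands a precedence list such as the one set above into the ordered attribute names that show policy profile prints, rejects lists that repeat or name unsupported attribute IDs, and picks which of several matching rules the switch evaluates first. The ID-to-name table follows Table 1 and the show output above; the function names are the example's own.

```python
from typing import Dict, List

# Attribute IDs from Table 1; the names are those printed by 'show policy profile'.
ATTRIBUTE_NAMES: Dict[int, str] = {
    1: "MACSource", 2: "MACDest", 3: "IPXSource", 4: "IPXDest",
    5: "IPXSrcSocket", 6: "IPXDstSocket", 7: "IPXClass", 8: "IPXType",
    12: "IPSource", 13: "IPDest", 14: "IPFrag", 15: "UDPSrcPort",
    16: "UDPDestPort", 17: "TCPSrcPort", 18: "TCPDestPort", 19: "ICMPType",
    21: "IPTOS", 22: "IPProto", 25: "Ether", 26: "LLCDSAPSSAP",
    27: "VLANTag", 28: "TCI", 31: "Port",
}
# Default ordering: attribute values 1-31 with the unsupported IDs left out.
DEFAULT_PRECEDENCE = "1-8,12-19,21-22,25-28,31"


def expand_precedence(spec: str) -> List[int]:
    """Turn '31,1-8,12-19,...' into the ordered list of attribute IDs.
    Raises ValueError on bad tokens, unknown IDs or repeated IDs, since a
    precedence list must be a permutation of the supported attributes."""
    ids: List[int] = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty element in precedence list")
        lo, _, hi = token.partition("-")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            raise ValueError(f"bad element {token!r}")
        start, end = int(lo), (int(hi) if hi else int(lo))
        if start > end:
            raise ValueError(f"descending range {token!r}")
        for attr in range(start, end + 1):
            if attr not in ATTRIBUTE_NAMES:
                raise ValueError(f"attribute {attr} is not a supported classification rule")
            if attr in ids:
                raise ValueError(f"attribute {attr} listed twice")
            ids.append(attr)
    return ids


def describe_precedence(spec: str) -> List[str]:
    """Names in precedence order, e.g. ['Port (31)', 'MACSource (1)', ...]."""
    return [f"{ATTRIBUTE_NAMES[i]} ({i})" for i in expand_precedence(spec)]


def highest_precedence(spec: str, matching: List[int]) -> int:
    """Of several rule attributes that match one packet, return the one the
    switch applies first: the earliest placement in the list wins."""
    order = expand_precedence(spec)
    return min(matching, key=order.index)
```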

Specifying Storage Type


Enhanced Policy
Enhanced policy provides for specifying the storage type for this rule entry. Storage types are volatile and non-volatile. Volatile storage does not persist after a reset of the device. Non-volatile storage does persist after a reset of the device. Use the storage-type option to specify the desired storage type for this policy rule entry in an enhanced policy context.

Forward and Drop


Packets for this entry can be either forwarded or dropped for this traffic classification using the forward and drop policy rule options.

Allowed Traffic Rule-Type on a Port


Enhanced Policy
Allowed traffic rule-type on a port is an enhanced policy capability that provides for the setting, for each port, of the traffic classification rule types that will be allowed or ignored in an admin profile. By default, all traffic rule types are allowed.

Use the set policy allowed-type command to configure a subset of traffic rule types that will be allowed on the specified ports. All unspecified traffic rule types will be set to ignore. The append option provides for the addition of specified rule types to the current subset of allowed rule types. The clear option provides for the subtraction of specified rule types from the current subset of allowed rule types.

Use the show policy allowed-type command to display a table of the current allowed and ignored traffic rule types for the specified port(s).

See Table 1 on page 8 for a listing of supported allowed traffic classification rule types. Use the attribute ID value, specified in Table 1, in the rule list for the set policy allowed-type command to identify the traffic classification to be added to or deleted from the allowed type list for the specified ports.

Policy Accounting
Enhanced Policy
Policy accounting is an enhanced policy capability that controls the collection of classification rule hits. If a hit occurs on a policy rule, policy accounting flags that the hit has occurred and will remain flagged until cleared. Policy accounting is enabled by default. Policy accounting can be enabled or disabled using the set policy accounting command.

Policy Syslog Rule Usage


Enhanced Policy
Policy syslog rule usage is an enhanced policy capability that provides for the setting of rule usage message formatting to machine or human readable and sets the control for extended syslog message format.

Enabling the machine-readable option formats the rule usage messages in a raw data format that can then be parsed by a user-written scripting backend. This provides the enterprise with the ability to format the data in a manner that is most useful to the enterprise. Disabling the machine-readable option formats the same rule usage data in a human-readable format.

Setting syslog rule usage to extended format includes additional information in the rule usage syslog message. The data included in the extended format is as follows: VLAN and COS assigned, and the following fields found in the packet: DEST MAC, SRC MAC, TAG (8100:tci), EtherType, SIP (ip), DIP (ip), Protocol, TOS/DSCP, Fragmentation indication, Destination PORT, and Source Port.

Use the set policy syslog command to set syslog rule usage configuration.

Quality of Service in a Policy Rules Context


Quality of Service (QoS) can be specified directly in a policy role as stated in Assigning a Class of Service to this Role on page 5. A CoS can also be applied to a policy rule. The CoS specified at the policy role level is the default and is only used if no rule is triggered. Therefore, if a CoS is applied to both the policy role and a policy rule, the CoS specified in the policy rule takes precedence over the CoS in the policy role for the traffic classification context specified in the policy rule. As stated in the policy role discussion, CoS configuration details are beyond the scope of this document. See the QoS Configuration feature guide located at http://secure.enterasys.com/support/manuals/ for a complete discussion of QoS configuration.

Blocking Non-Edge Protocols at the Edge Network Layer


Edge clients should be prevented from acting as servers for a number of IP services. If non-edge IP services accidentally or maliciously attach to the edge of the network, they are capable of disrupting network operation. IP services should only be allowed where and when your network design requires. This section identifies ten IP services you should consider blocking at the edge unless allowing them is part of your network architecture. See Assigning Traffic Classification Rules on page 25 for an example of how to configure a subset of these recommended IP services to drop traffic at the edge.

Table 2 Non-Edge Protocols

Protocol: DHCP Server Protocol
Policy Effect: Every network needs DHCP. Automatically mitigate the accidental or malicious connection of a DHCP server to the edge of your network to prevent DoS or data integrity issues, by blocking DHCP on the source port for this device.

Protocol: DNS Server Protocol
Policy Effect: DNS is critical to network operations. Automatically protect your name servers from malicious attack or unauthorized spoofing and redirection, by blocking DNS on the source port for this device.

Protocol: Routing Topology Protocols
Policy Effect: RIP, OSPF, and BGP topology protocols should only originate from authorized router connection points to ensure reliable network operations.

Protocol: Router Source MAC and Router Source IP Address
Policy Effect: Routers and default gateways should not be moving around your network without approved change processes being authorized. Prevent DoS, spoofing, data integrity and other router security issues by blocking router source MAC and router source IP addresses at the edge.

Protocol: SMTP/POP Server Protocols
Policy Effect: Prevent data theft and worm propagation by blocking SMTP at the edge.

Protocol: SNMP Protocol
Policy Effect: Only approved management stations or management data collection points need to be speaking SNMP. Prevent unauthorized users from using SNMP to view, read, or write management information.

Protocol: FTP and TFTP Server Protocols
Policy Effect: Ensure file transfers and firmware upgrades are only originating from authorized file and configuration management servers.

Protocol: Web Server Protocol
Policy Effect: Stop malicious proxies and application-layer attacks by ensuring only the right Web servers can connect from the right location at the right time, by blocking HTTP on the source port for this device.

Protocol: Legacy Protocols
Policy Effect: If IPX, AppleTalk, DECnet or other protocols should no longer be running on your network, prevent clients from using them. Some organizations even take the approach that unless a protocol is specifically allowed, all others are denied.

Standard and Enhanced Policy Considerations


This section itemizes additional policy considerations for the SecureStack and standalone platforms, and provides a table cross-referencing standard and enhanced policy capability and policy capability to traffic classification rules.

Not all SecureStack platforms support policy. On some SecureStack and standalone platforms policy support requires a purchased license. See the firmware release notes that come with your device for policy support and license requirements details.

Table 3 provides a listing of policy capabilities by standard and enhanced support level. Standard policy capabilities are further granulated based upon traffic classification support. See Table 4 on page 13 for a cross-reference of traffic classification to policy capability support.

Table 3 Standard and Enhanced Policy Capability Cross-Reference

Policy Support Level: Standard
- Dynamic PID Assign Rule - The ability to dynamically assign a policy based upon a traffic classification (Standard policy is limited to the port-string traffic classification). See Dynamic in Table 4.
- Admin PID Assign Rule - The ability to administratively assign a policy based upon a traffic classification (Standard policy is limited to the port-string traffic classification). See Admin in Table 4.
- VLAN Forwarding - The ability to assign a forwarding VLAN rule. (Standard policy is limited to the Ether II packet type and port-string classification rules). See VLAN in Table 4.
- Deny - The ability to assign a drop traffic rule. See Drop in Table 4.
- Permit - The ability to assign a forward traffic rule. See Forward in Table 4.
- CoS Assign Rule - The ability to assign a CoS rule. See CoS in Table 4.
- Priority - The ability to assign traffic priority using a CoS assignment. See CoS in Table 4.
- Longest Prefix Rules - The ability to always look at the highest bit mask for an exact traffic classification match.
- VLAN Assign Rule - The ability to assign rules based upon the ingress VLAN. (TCI overwrite must be enabled on DFE blades).

Policy Support Level: Enhanced
- TCI Overwrite - The ability to overwrite user priority and other VLAN tag TCI field classification information.
- Rule-Use Accounting - The ability to enable policy accounting.
- Rule-Use Notification - The ability to enable syslog and traps for rule hit notification. See Syslog and Trap in Table 4.
- Invalid Policy Action - The ability to set a drop, forward, or default-policy behavior based upon an invalid action.
- Port Disable Action - The ability to disable a port upon first rule hit. See Disable in Table 4.
- Precedence Reordering - The ability to reorder traffic classification precedence for a policy role.

Table 4 provides a cross-reference of standard ( ) and enhanced (X) policy capability to traffic classification rule.

Table 4 Policy Capability to Traffic Classification Rule Cross-Reference

Columns (policy capabilities): Dynamic, Admin, VLAN, CoS, Drop, Forward, Syslog, Disable, Trap.

Rows (traffic classification rules): MAC Source Address, MAC Destination Address, IPX Source Address, IPX Destination Address, IPX Source Socket, IPX Destination Socket, IPX Transmission Control, IPX Type Field, IP Source Address, IP Destination Address, IP Fragmentation, UDP Port Source, UDP Port Destination, TCP Port Source, TCP Port Destination, ICMP Packet Type, Time-To-Live (TTL), IP Type of Service, IP Protocol, Ether II Packet Type, LLC DSAP/SSAP/CTRL, VLAN Tag, TCI-Overwrite, Port String.

(The per-cell standard/enhanced marks were not preserved in this copy of the table.)


Configuring Policy
This section presents configuration procedures and tables including command description and syntax in the following policy areas: profile, classification, and display.

Procedure 1 describes how to configure policy roles and related functionality.

Procedure 1 Configuring Policy Roles

Step 1. In switch command mode, create a policy role.
Command: set policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid] [cos-status {enable | disable}] [cos cos] [egress-vlans egress-vlans] [forbidden-vlans forbidden-vlans] [untagged-vlans untagged-vlans] [append] [clear] [tci-overwrite {enable | disable}] [precedence precedence-list]
- name - (Optional) Specifies a name for this policy profile; used by the filter-ID attribute. This is a string from 1 to 64 characters.
- pvid-status - (Optional) Enables or disables PVID override for this policy profile. If all the classification rules associated with this profile are missed, then this parameter, if specified, determines the default VLAN for this profile.
- pvid - (Optional) Specifies the PVID to assign to packets, if PVID override is enabled and invoked as the default behavior.
- cos-status - (Optional) Enables or disables Class of Service override for this policy profile. If all the classification rules associated with this profile are missed, then this parameter, if specified, determines the default CoS assignment.
- cos - (Optional) Specifies a CoS value to assign to packets, if CoS override is enabled and invoked as the default behavior. Valid values are 0 to 255.
- egress-vlans - (Optional) Specifies that the port to which this policy profile is applied should be added to the egress list of the VLANs defined by egress-vlans. Packets will be formatted as tagged.
- forbidden-vlans - (Optional) Specifies that the port to which this policy profile is applied should be added as forbidden to the egress list of the VLANs defined by forbidden-vlans. Packets from this port will not be allowed to participate in the listed VLANs.
- untagged-vlans - (Optional) Specifies that the port to which this policy profile is applied should be added to the egress list of the VLANs defined by untagged-vlans. Packets will be formatted as untagged.
- append - (Optional) Appends any egress, forbidden, or untagged specified VLANs to the existing list. If append is not specified, all previous settings for this VLAN list are replaced.
- clear - (Optional) Clears any egress, forbidden or untagged VLANs specified from the existing list.
- tci-overwrite - (Optional) Enhanced policy that enables or disables TCI (Tag Control Information) overwrite for this profile. When enabled, rules configured for this profile are allowed to overwrite user priority and other classification information in the VLAN tag's TCI field. If this parameter is used in a profile, TCI overwrite must be enabled on ports. See Step 3 below.
- precedence - (Optional) Enhanced policy that assigns a rule precedence to this profile. Lower values will be given higher precedence.

Step 2. Optionally, for enhanced policy capable devices, assign the action the device will apply to an invalid or unknown policy.
Command: set policy invalid action {default-policy | drop | forward}
- default-policy - Instructs the device to ignore this result and search for the next policy assignment rule.
- drop - Instructs the device to block traffic.
- forward - Instructs the device to forward traffic.

Step 3. Optionally, for enhanced policy capable devices, enable or disable the TCI overwrite function on one or more ports.
Command: set port tcioverwrite port-string {enable | disable}

Step 4. Optionally, for enhanced policy capable devices, enable or disable policy accounting, which flags classification rule hits.
Command: set policy accounting {enable | disable}

Step 5. Optionally, for enhanced policy capable devices, set the rule usage and extended format syslog policy settings.
Command: set policy syslog [machine-readable] [extended-format]
- machine-readable - (Optional) Sets the formatting of rule usage messages to raw data that a user script can format according to the needs of the enterprise; otherwise the message is set to human readable.
- extended-format - (Optional) Sets the control to include additional information in the rule usage syslog messages; otherwise the original rule usage syslog message format is used.

Step 6. Optionally, for enhanced policy capable devices, set a policy maptable entry that associates a VLAN with a policy profile. This option is also supported by the B3, C3, and G3 for releases 6.3 and greater.
Command: set policy maptable {vlan-list profile-index}

Step 7. Optionally, set a policy maptable response.
Command: set policy maptable response {tunnel | policy | both}
- tunnel - Applies the VLAN tunnel attribute.
- policy - Applies the policy specified in the filter-ID.
- both - An enhanced policy option that applies either or all of the filter-ID and VLAN tunnel attributes, or the policy, depending upon whether one or both are present. This option is also supported by the B3, C3, and G3 for releases 6.3 and greater.

Procedure 2 describes how to configure classification rules as an administrative profile or to assign policy rules to a policy role.

Procedure 2 Configuring Classification Rules

Step 1. In switch command mode, optionally set an administrative profile to assign traffic classifications to a policy role. See Table 1 on page 8 for traffic classification-type descriptions and enhanced policy information. See the set policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information.
Command: set policy rule admin-profile classification-type [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] [admin-pid admin-pid] [syslog {enable | disable}] [trap {enable | disable}] [disable-port {enable | disable}]
- port-string - (Optional) Applies this administratively-assigned rule to a specific ingress port. N-Series devices with firmware versions 3.00.xx and higher also support the set policy port command as an alternative to administratively assign a profile rule to a port.
- storage-type - (Optional) An enhanced policy option that adds or removes this entry from non-volatile storage.
- admin-pid - Associates this administrative profile with a policy profile index ID. Valid values are 1 - 1023.
- syslog - (Optional) An enhanced policy option that enables or disables sending of syslog messages on first rule use.
- trap - (Optional) An enhanced policy option that enables or disables sending SNMP trap messages on first rule use.
- disable-port - (Optional) An enhanced policy option that enables or disables the ability to disable the ingress port on first rule use.

Step 2. In switch command mode, optionally configure policy rules to associate with a policy role. See Table 1 on page 8 for traffic classification-type descriptions and enhanced policy information. See the set policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information.
Command: set policy rule profile-index classification-type [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] [vlan vlan] | [drop | forward] [admin-pid admin-pid] [cos cos] [syslog {enable | disable}] [trap {enable | disable}] [disable-port {enable | disable}]
- port-string - (Optional) Applies this policy rule to a specific ingress port. N-Series devices with firmware versions 3.00.xx and higher also support the set policy port command as an alternative way to assign a profile rule to a port.
- storage-type - (Optional) An enhanced policy option that adds or removes this entry from non-volatile storage.
- vlan - (Optional) Classifies this rule to a VLAN ID.
- drop | forward - (Optional) Specifies that packets within this classification will be dropped or forwarded.
- cos - (Optional) Specifies that this rule will classify to a Class-of-Service ID. Valid values are 0 - 255. A value of -1 indicates that no CoS forwarding behavior modification is desired.
- syslog - (Optional) An enhanced policy option that enables or disables sending of syslog messages on first rule use.
- trap - (Optional) An enhanced policy option that enables or disables sending SNMP trap messages on first rule use.
- disable-port - (Optional) An enhanced policy option that enables or disables the ability to disable the ingress port on first rule use.

Step 3. Optionally, for enhanced policy capable devices, assign a policy role to a port.
Command: set policy port port-name admin-id

Step 4. Optionally, for enhanced policy capable devices, assign a list of allowed traffic rules that can be applied to the admin profile for one or more ports.
Command: set policy allowed-type port-string traffic-rule rule-list [append | clear]

Step 5. Optionally, for enhanced policy capable devices, enable or disable the ability to clear rule usage information if operational status up is detected on any port.
Command: set policy autoclear {[link] [interval interval] [profile {enable | disable}] [ports port-list [append | clear]]}

Step 6. Optionally, for enhanced policy capable devices, set the status of dynamically assigned policy role options.
Command: set policy dynamic [syslog-default {enable | disable}] [trap-default {enable | disable}]

Table 5 describes how to display policy information and statistics.

Table 5 Displaying Policy Configuration and Statistics

Task: In switch command mode, display policy role information.
Command: show policy profile {all | profile-index [consecutive-pids] [-verbose]}

Task: In switch command mode, display the action the device shall apply on an invalid or unknown policy.
Command: show policy invalid {default-policy | drop | forward}

Task: In switch command mode, display the current control status of the collection of rule usage statistics.
Command: show policy accounting

Task: In switch command mode, display syslog parameters for policy rule entries.
Command: show policy syslog [machine-readable] [extended-format]

Task: In switch command mode, display the VLAN-ID to policy role mappings table.
Command: show policy maptable vlan-list

Task: In switch command mode, display TCI overwrite tag control information on one or more ports.
Command: show port tcioverwrite [port-string]

Task: In switch command mode, display policy classification and admin rule information.
Command: show policy rule [attribute] | [all] | [admin-profile] | [profile-index] [porthit] classification-type [data] [mask mask] [port-string port-string] [rule-status {active | not-inservice | not-ready}] [storage-type {non-volatile | volatile}] [vlan vlan] | [drop | forward] [dynamic-pid dynamic-pid] [cos cos] [admin-pid admin-pid] [syslog {enable | disable}] [-verbose] [trap {enable | disable}] [disable-port {enable | disable}] [usage-list] [display-if-used]

Task: In switch command mode, display all policy classification capabilities for this device.
Command: show policy capability

Task: In switch command mode, display a list of currently supported traffic rules applied to the administrative profile for one or more ports.
Command: show policy allowed-type port-string [-verbose]

Task: In switch command mode, display a count of the number of times the device has dropped syslog or trap rule usage notifications on ports.
Command: show policy dropped-notify

Task: In switch command mode, display disabled ports for all rule entries.
Command: show policy disabled-ports

Task: In switch command mode, display the current state of the autoclear feature.
Command: show policy autoclear {all | link | interval | profile | ports}

Task: In switch command mode, display the status of dynamically assigned roles.
Command: show policy dynamic {[syslog-default] [trap-default]}


Policy Configuration Example


This section presents a college-based policy configuration example. Figure 1 displays an overview of the policy configuration. This overview display is followed by a complete discussion of the configuration example.

Figure 1 College-Based Policy Configuration

Profile 1 (Default), name guest, applied to all edge ports; PVID 0; CoS 4. (Guest)
Profile 2, name student, ports ge.1.1-10; VLAN 10; CoS 8. (Students)
Profile 3, name phoneSS, ports ge.1.1-10; VLAN 11; CoS 10.
Profile 4, name faculty, ports ge.1.1-10; VLAN 10; CoS 8. (Faculty)
Profile 5, name phoneN3, ports ge.1.1-10; PVID 0; default CoS 4; phone setup CoS 9, phone payload CoS 10; VLAN 11.
Profile 6, name services, ports ge.1.1-10; PVID 0; default CoS 4; VLAN 10; CoS 8. (Services)
Profile 7, name distribution, ports ge.1.1-26; data CoS 11. (N5 Distribution Switch/Router)
Server subnets: Services 10.10.50.0/24; Admin 10.10.60.0/24; Faculty 10.10.70.0/24.
Enhanced policy settings: policy accounting enabled; policy syslog machine-readable; policy invalid action default-policy; port TCI overwrite enabled on ge.1.1-10.


Roles
The example defines the following roles:

guest: Used as the default policy for all unauthenticated ports. Connects a PC to the network providing internet-only access to the network. Provides guest access to a limited number of N3 ports to be used specifically for internet-only access. Policy is applied using the port level default configuration, or by authentication, in the case of the N3 port internet-only access PCs.

student: Connects a dorm room PC to the network through a Student SecureStack C3 port. A configured CoS rate limits the PC. Configured rules deny access to administrative and faculty servers. The PC authenticates using RADIUS. Hybrid authentication is enabled. The student policy role is applied using the filter-ID attribute. The base VLAN is applied using the tunnel attributes returned in the RADIUS response message. If all rules are missed, the settings configured in the student policy profile are applied.

phoneSS: Connects a dorm room or faculty office VoIP phone to the network using a SecureStack port. A configured CoS rate limits the phone and applies a high priority. The phone authenticates using RADIUS. Hybrid authentication is enabled. Policy is applied using the filter-ID returned in the RADIUS response message. The base VLAN is applied using the tunnel attributes returned in the RADIUS response message. If all rules are missed, the settings configured in the phoneSS policy profile are applied.

faculty: Connects a faculty office PC to the network through a Faculty SecureStack C3 port. A configured CoS rate limits the PC. A configured rule denies access to the administrative servers. The PC authenticates using RADIUS. Hybrid authentication is enabled. The faculty policy role is applied using the filter-ID attribute. The base VLAN is applied using the tunnel attributes returned in the RADIUS response message for the authenticating user. If all rules are missed, the settings configured in the faculty policy profile are applied.

phoneN3: Connects a services VoIP phone to the network using an N3 port. A configured CoS rate limits the phone for both setup and payload, and applies a high priority. The phone authenticates using RADIUS. Tunnel authentication is enabled. The base VLAN is applied using the tunnel attributes returned in the RADIUS response message. Policy is applied using a maptable configuration. If all rules are missed, the settings configured in the phoneN3 policy profile are applied.

services: Connects a services PC to the network through an N3 port. A configured CoS rate limits the PC. Services are denied access to both the student and faculty servers. The PC authenticates using RADIUS. The base VLAN is applied using the tunnel attributes returned in the RADIUS response message for the authenticating user. The services policy role is applied using a policy maptable setting. The policy accounting, syslog, invalid action and TCI overwrite enhanced policies are enabled for this role. If all rules are missed, the settings configured in the services policy profile are applied.

distribution: The distribution policy role is applied at the distribution layer providing rate limiting.

Policy Domains
It is useful to break up policy implementation into logical domains for ease of understanding and configuration. For this example, it is useful to consider four domains: basic edge, standard edge on the SecureStacks, premium edge on the N3, and premium distribution.


Basic Edge
Protocols not appropriate to the edge should be blocked. For this example we will block DHCP, DNS, SNMP, SSH, Telnet and FTP at the edge on the data VLAN. We will forward destination port DHCP and DNS and source port for IP address request to facilitate auto configuration and IP address assignment. See Blocking Non-Edge Protocols at the Edge Network Layer on page 11 for a listing of protocols you should consider blocking at the edge.

Standard Edge
Platforms supporting standard policy will be rate limited using a configured CoS that will be applied to the student, faculty, and phoneSS policy roles. Though listed as an enhanced policy feature, the SecureStack C3 supports the hybrid authentication enhanced policy capability. Hybrid authentication will be enabled.

Premium Edge
Platforms supporting enhanced policy will be rate limited using a configured CoS that is applied to the services and phoneN3 policy roles. The premium edge will be enabled for the following enhanced policy capabilities:
Policy Accounting
Syslog rule usage enabled and set to machine-readable
Invalid policy action set to drop
TCI overwrite enabled

Premium Distribution
The distribution layer switch router will be rate limited using a configured CoS. Premium distribution will be enabled for the following enhanced policy capabilities:
Policy Accounting
Syslog rule usage enabled and set to machine-readable
Invalid policy action set to drop
TCI overwrite enabled

Platform Configuration
This section will provide the CLI-based policy configuration on the following platforms:
Student SecureStack C3
Faculty SecureStack C3
Services N3
Distribution Switch

In CLI mode, configuration takes place on each platform. When using the NetSight Policy Manager, configuration takes place at a central location and is pushed out to the appropriate network devices.


For this configuration example, CoS related configuration will be specified as a final CoS. For details on configuring CoS, see the QoS Configuration feature guide located at http://secure.enterasys.com/support/manuals/.

Note: CLI command prompts used in this configuration example have the following meaning:
Enterasys(rw)-> - Input on all platforms used in this example.
C3(rw)-> - Input on all SecureStack C3 switches.
StudentC3-> - Input on the student SecureStack C3.
FacultyC3-> - Input on the faculty SecureStack C3.
ServicesN3(rw)-> - Input on the services N-Series N3.
DistributionN5(rw)-> - Input on the distribution N-Series N5.

Configuring Guest Policy on Edge Platforms


All edge ports will be set with a default guest policy using the set policy port command. This guest policy provides for an internet-only access to the network. Users on all ports will attempt to authenticate. If the authentication succeeds, the policy returned by authentication or, in the case of the N3 configuration, the maptable setting, overrides the default port policy setting. If authentication fails, the guest policy is used. On the N3, five ports are used by PCs at locations throughout the campus, such as the library, to provide access to the internet. The PCs attached to these five ports will authenticate with the guest policy role. Public facing services would also be configured for guest status in a school or enterprise scenario. Public facing services are not part of this example.

Configuring the Policy Role


The guest role is configured with:
A profile index value of 1
A name of guest
A PVID set to 0
A CoS set to 4

Create the guest policy profile on all platforms:
Enterasys(rw)->set policy profile 1 name guest pvid-status enable pvid 0 cos-status enable cos 4

Assigning Traffic Classification Rules


For cases where discovery must take place to assign an IP address, DNS and DHCP traffic must be allowed. Forwarding of traffic is allowed on UDP source port 68 (IP address request) and UDP destination ports 53 (DNS) and 67 (DHCP).
Enterasys(rw)->set policy rule 1 udpsourceport 68 mask 16 forward
Enterasys(rw)->set policy rule 1 udpdestportIP 53 mask 16 forward
Enterasys(rw)->set policy rule 1 udpdestportIP 67 mask 16 forward

Guest policy allows internet traffic. TCP destination ports 80, 8080, and 443 will be allowed traffic forwarding.
Enterasys(rw)->set policy rule 1 tcpdestportIP 80 mask 16 forward
Enterasys(rw)->set policy rule 1 tcpdestportIP 443 mask 16 forward
Enterasys(rw)->set policy rule 1 tcpdestport 8080 mask 16 forward


ARP forwarding is required on ether type 0x806.
Enterasys(rw)->set policy rule 1 ether 0x806 mask 16 forward

Assigning the Guest Policy Profile to All Edge Ports


Assign the guest policy profile to all SecureStack and N3 edge ports.
Enterasys(rw)->set policy port ge.*.1-47 1

Configuring Policy for the Edge Student SecureStack C3


Configuring the Policy Role
The student role is configured with:
A profile index value of 2
A name of student
A port VLAN of 10
A CoS of 8

Create a policy role that applies a CoS 8 to data VLAN 10 and configures it to rate limit traffic to 1M with a moderate priority of 5.
StudentC3(rw)->set policy profile 2 name student pvid-status enable pvid 10 cos-status enable cos 8

Assigning Hybrid Authentication


Configure the RADIUS server user accounts with the appropriate tunnel information using VLAN authorization and policy filter-ID for student role members and devices. Enable hybrid authentication, allowing the switch to use both the filter-ID and tunnel attributes in the RADIUS response message. Set a VLAN-to-policy mapping as backup in case the response does not include the RADIUS filter-ID attribute. This mapping is ignored if the RADIUS filter-ID attribute is present in the RADIUS response message.
StudentC3(rw)->set policy maptable response both
StudentC3(rw)->set policy maptable 10 2

Assigning Traffic Classification Rules


Forward traffic on UDP source port for IP address request (68), and UDP destination ports for protocols DHCP (67) and DNS (53). Drop traffic on UDP source ports for protocols DHCP (67) and DNS (53). Drop traffic for protocols SNMP (161), SSH (22), Telnet (23) and FTP (20 and 21) on both the data and phone VLANs.
StudentC3(rw)->set policy rule 2 udpsourceport 68 mask 16 forward
StudentC3(rw)->set policy rule 2 udpdestport 67 mask 16 forward
StudentC3(rw)->set policy rule 2 udpdestport 53 mask 16 forward
StudentC3(rw)->set policy rule 2 udpsourceportIP 67 mask 16 drop
StudentC3(rw)->set policy rule 2 udpsourceportIP 53 mask 16 drop
StudentC3(rw)->set policy rule 2 udpdestportIP 161 mask 16 drop
StudentC3(rw)->set policy rule 2 tcpdestportIP 22 mask 16 drop
StudentC3(rw)->set policy rule 2 tcpdestportIP 23 mask 16 drop
StudentC3(rw)->set policy rule 2 tcpdestportIP 20 mask 16 drop
StudentC3(rw)->set policy rule 2 tcpdestportIP 21 mask 16 drop


Students should only be allowed access to the services server (subnet 10.10.50.0/24) and should be denied access to both the administrative (subnet 10.10.60.0/24) and faculty servers (subnet 10.10.70.0/24).


StudentC3(rw)->set policy rule 2 ipdestsocket 10.10.60.0 mask 24 drop
StudentC3(rw)->set policy rule 2 ipdestsocket 10.10.70.0 mask 24 drop

Configuring PhoneSS Policy for the Edge SecureStack C3


Configuring the Policy Role
The phoneSS role is configured on both the dorm room and faculty office C3s with:
A profile index of 3
A name of phoneSS
A port VLAN of 11
A CoS of 10

Because we cannot apply separate rate limits to the phone setup and payload ports on the C3 using policy rules, apply CoS 10 with the higher payload-appropriate rate limit of 100 kbps and a high priority of 6 to the phoneSS role.


C3(rw)->set policy profile 3 name phoneSS pvid-status enable pvid 11 cos-status enable cos 10

Assigning Traffic Classification Rules


Drop traffic for protocols SNMP (161), SSH (22), Telnet (23) and FTP (20 and 21) on the phone VLAN. Forward traffic on UDP source port for IP address request (68) and forward traffic on UDP destination ports for protocols DHCP (67) and DNS (53) on the phone VLAN, to facilitate phone auto configuration and IP address assignment.
C3(rw)->set policy rule 3 udpdestportIP 161 mask 16 drop
C3(rw)->set policy rule 3 tcpdestportIP 22 mask 16 drop
C3(rw)->set policy rule 3 tcpdestportIP 23 mask 16 drop
C3(rw)->set policy rule 3 tcpdestportIP 20 mask 16 drop
C3(rw)->set policy rule 3 tcpdestportIP 21 mask 16 drop
C3(rw)->set policy rule 3 udpsourceport 68 mask 16 forward
C3(rw)->set policy rule 3 udpdestportIP 67 mask 16 forward
C3(rw)->set policy rule 3 udpdestportIP 53 mask 16 forward

Assigning Hybrid Authentication


Configure the RADIUS server user accounts with the appropriate tunnel information using VLAN authorization and policy filter-ID for phoneSS role members and devices. Enable hybrid authentication, allowing the switch to use both the filter-ID and tunnel attributes in the RADIUS response message. Set a VLAN-to-policy mapping as backup in case the response does not include the RADIUS filter-ID attribute. This mapping is ignored if the RADIUS filter-ID attribute is present in the RADIUS response message.
C3(rw)->set policy maptable response both
C3(rw)->set policy maptable 11 3


Configuring Policy for the Edge Faculty SecureStack C3


Configuring the Policy Role
The faculty role is configured with:
A profile index value of 4
A name of faculty
A port VLAN of 10
A CoS of 8

Create a policy role that applies a CoS 8 to data VLAN 10 and configures it to rate limit traffic to 1M with a moderate priority of 5.
FacultyC3(rw)->set policy profile 4 name faculty pvid-status enable pvid 10 cos-status enable cos 8

Assigning Hybrid Authentication


Configure the RADIUS server user accounts with the appropriate tunnel information using VLAN authorization and policy filter-ID for faculty role members and devices. Enable hybrid authentication. Set a VLAN-to-policy mapping. This mapping is ignored if the RADIUS filter-ID attribute is present in the RADIUS response message.
FacultyC3(rw)->set policy maptable response both
FacultyC3(rw)->set policy maptable 10 4

Assigning Traffic Classification Rules


Forward traffic on UDP source port for IP address request (68), and UDP destination ports for protocols DHCP (67) and DNS (53). Drop traffic on UDP source ports for protocols DHCP (67) and DNS (53). Drop traffic for protocols SNMP (161), SSH (22), Telnet (23) and FTP (20 and 21) on both the data and phone VLANs.
FacultyC3(rw)->set policy rule 4 udpsourceport 68 mask 16 forward
FacultyC3(rw)->set policy rule 4 udpdestport 67 mask 16 forward
FacultyC3(rw)->set policy rule 4 udpdestport 53 mask 16 forward
FacultyC3(rw)->set policy rule 4 udpsourceportIP 67 mask 16 drop
FacultyC3(rw)->set policy rule 4 udpsourceportIP 53 mask 16 drop
FacultyC3(rw)->set policy rule 4 udpdestportIP 161 mask 16 drop
FacultyC3(rw)->set policy rule 4 tcpdestportIP 22 mask 16 drop
FacultyC3(rw)->set policy rule 4 tcpdestportIP 23 mask 16 drop
FacultyC3(rw)->set policy rule 4 tcpdestportIP 20 mask 16 drop
FacultyC3(rw)->set policy rule 4 tcpdestportIP 21 mask 16 drop

Faculty should only be allowed access to the services (subnet 10.10.50.0/24) and the faculty servers (subnet 10.10.70.0/24) and should be denied access to the administrative server (subnet 10.10.60.0/24).


FacultyC3(rw)->set policy rule 4 ipdestsocket 10.10.60.0 mask 24 drop

Configuring PhoneN3 Policy for the Edge N-Series N3


Configuring the Policy Role
The phoneN3 role is configured on the services N3 with:
A profile index of 5
A name of phoneN3
A default port VLAN of 0
A default CoS of 4

Because VLANs can be applied to N3 ports using the appropriate traffic classification, the explicit deny-all PVID 0 will be applied at policy creation. Separate rate limits can be applied to the phone setup and payload ports on the N3 using policy rules. A default CoS of 4 will be applied at policy role creation.


ServicesN3(rw)->set policy profile 5 name phoneN3 pvid-status enable pvid 0 cos-status enable cos 4

Assigning Traffic Classification Rules


Forward traffic on UDP source port for IP address request (68) and forward traffic on UDP destination ports for protocols DHCP (67) and DNS (53) on the phone VLAN, to facilitate phone auto configuration and IP address assignment. Drop traffic for protocols SNMP (161), SSH (22), Telnet (23) and FTP (20 and 21) on the phone VLAN.
ServicesN3(rw)->set policy rule 5 udpsourceport 68 mask 16 forward
ServicesN3(rw)->set policy rule 5 udpdestportIP 67 mask 16 forward
ServicesN3(rw)->set policy rule 5 udpdestportIP 53 mask 16 forward
ServicesN3(rw)->set policy rule 5 udpdestportIP 161 mask 16 drop
ServicesN3(rw)->set policy rule 5 tcpdestportIP 22 mask 16 drop
ServicesN3(rw)->set policy rule 5 tcpdestportIP 23 mask 16 drop
ServicesN3(rw)->set policy rule 5 tcpdestportIP 20 mask 16 drop
ServicesN3(rw)->set policy rule 5 tcpdestportIP 21 mask 16 drop

Apply a CoS 9 to phone setup data on VLAN 11, rate limiting the data to 5 pps with a high priority of 7 on port 2427.

Apply a CoS 10 to phone payload data on VLAN 11, rate limiting the data to 100 kbps with a high priority of 7 for both source and destination on port 5004.


ServicesN3(rw)->set policy rule 5 udpdestportIP 2427 mask 16 vlan 11 cos 9
ServicesN3(rw)->set policy rule 5 udpsourceportIP 5004 mask 16 vlan 11 cos 10
ServicesN3(rw)->set policy rule 5 udpdestportIP 5004 mask 16 vlan 11 cos 10

Assigning the VLAN-to-Policy Association


The nature of services related devices that might connect to a switch port is not as static as with the student or faculty roles. Services related network needs can run the gamut from temporary multimedia events to standard office users. There may be multiple VLAN and policy role associations that take care of services related needs, depending upon the connected user. This may include the requirement for multiple services related roles.

For services, the network administrator desires greater resource usage flexibility in assigning the policy-to-VLAN association. Authentication in this case will return only the tunnel attributes in the response message based upon the requirements of the authenticating user. Setting the VLAN-to-policy association will be handled by the maptable configuration, allowing for ease in changing the policy associated with a VLAN on the fly using Policy Manager. Specify that the tunnel attributes returned in the RADIUS response message will be used by the authenticating user. Associate VLAN 11 with policy role 5 using the set policy maptable command.
ServicesN3(rw)->set policy maptable response tunnel
ServicesN3(rw)->set policy maptable 11 5


Configuring Policy for the Edge Services N-Series N3


Configuring the Policy Role
The services role is configured with:
A profile index value of 6
A name of services
A default port VLAN of 0
A default CoS when no rule overrides CoS
TCI overwrite enabled

ServicesN3(rw)->set policy profile 6 name services pvid-status enable pvid 0 cos-status enable cos 4 tci-overwrite enable

Assigning the VLAN-to-Policy Association


Setting the VLAN-to-policy association will be handled by the policy maptable setting, allowing for ease in changing the policy associated with a VLAN on the fly using Policy Manager. Specify that the tunnel attributes returned in the RADIUS response message will be used by the authenticating user. Associate VLAN 10 with policy role 6 using the set policy maptable command.
ServicesN3(rw)->set policy maptable response tunnel
ServicesN3(rw)->set policy maptable 10 6
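The hybrid ("both") and tunnel maptable modes used in this example decide which role and base VLAN a port applies from the attributes in the RADIUS Access-Accept. The following Python model is an added illustration of those decision rules, not Enterasys code. The attribute field names, the fallback to the port default role for a tunnel VLAN with no maptable entry, and the fallback for an unknown Filter-ID name are assumptions made for the example; the configurations are constructed from the student C3 and services N3 commands above.

```python
"""Which policy role and base VLAN does a port apply after RADIUS authentication?

Added illustration of the maptable semantics used in this example; it is not
Enterasys code. It models the two 'set policy maptable response' modes the
example uses: 'both' (hybrid authentication on the SecureStack C3s) and
'tunnel' (on the services N3). Attribute names and the fallbacks for an
unmapped VLAN or an unknown Filter-ID name are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class RadiusAccept:
    """Attributes of an Access-Accept that matter here; None means absent."""
    filter_id: Optional[str] = None     # Filter-ID: name of the policy role
    tunnel_vlan: Optional[int] = None   # RFC 3580 tunnel attributes: base VLAN id


@dataclass
class PortPolicy:
    """Policy settings of one switch, as entered with the CLI in this example."""
    maptable_response: str                        # 'both' or 'tunnel'
    maptable: dict = field(default_factory=dict)  # VLAN id -> profile index
    profiles: dict = field(default_factory=dict)  # role name -> profile index
    default_profile: int = 1                      # 'set policy port ... 1' (guest)


def resolve(cfg: PortPolicy, accept: Optional[RadiusAccept]):
    """Return (profile index, base VLAN) for the session.

    accept is None when authentication failed: the port default (guest) applies.
    A returned VLAN of None means the profile's own PVID is used.
    """
    if accept is None:
        return cfg.default_profile, None

    if cfg.maptable_response == "tunnel":
        # Filter-ID is ignored; the tunnel VLAN selects the role via the maptable.
        if accept.tunnel_vlan is None:
            return cfg.default_profile, None
        # Assumption: a VLAN without a maptable entry leaves the port default role in place.
        return cfg.maptable.get(accept.tunnel_vlan, cfg.default_profile), accept.tunnel_vlan

    if cfg.maptable_response == "both":
        if accept.filter_id is not None:
            # Filter-ID names the role and the maptable is ignored.
            # Assumption: an unknown role name falls back to the port default.
            profile = cfg.profiles.get(accept.filter_id, cfg.default_profile)
            return profile, accept.tunnel_vlan
        if accept.tunnel_vlan is not None:
            # Backup path: no Filter-ID, so the VLAN-to-policy mapping decides.
            return cfg.maptable.get(accept.tunnel_vlan, cfg.default_profile), accept.tunnel_vlan
        return cfg.default_profile, None

    raise ValueError(f"unsupported maptable response mode: {cfg.maptable_response!r}")


# Constructed from the example: student C3 (hybrid) and services N3 (tunnel).
STUDENT_C3 = PortPolicy("both", maptable={10: 2, 11: 3},
                        profiles={"guest": 1, "student": 2, "phoneSS": 3})
SERVICES_N3 = PortPolicy("tunnel", maptable={11: 5, 10: 6},
                         profiles={"guest": 1, "phoneN3": 5, "services": 6})


def walkthrough():
    """Run the cases discussed in the text and return them for inspection."""
    return {
        "student, filter-id + tunnel": resolve(STUDENT_C3, RadiusAccept("student", 10)),
        "student, tunnel only (maptable backup)": resolve(STUDENT_C3, RadiusAccept(None, 10)),
        "student, auth failed (guest)": resolve(STUDENT_C3, None),
        "services, filter-id ignored": resolve(SERVICES_N3, RadiusAccept("student", 10)),
        "phone on N3, VLAN 11": resolve(SERVICES_N3, RadiusAccept(None, 11)),
    }


if __name__ == "__main__":
    for case, result in walkthrough().items():
        print(f"{case}: profile {result[0]}, VLAN {result[1]}")
```

The "services, filter-id ignored" case is the one worth noticing when reviewing a RADIUS configuration: in tunnel mode a Filter-ID naming another role has no effect, so the role that applies is entirely determined by the maptable entry for the returned VLAN.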

Assigning Traffic Classification Rules


Forward traffic on UDP source port for IP address request (68) and forward traffic on UDP destination ports for protocols DHCP (67) and DNS (53) on the data VLAN, to facilitate PC auto configuration and IP address assignment. Drop traffic for protocols SNMP (161), SSH (22), Telnet (23) and FTP (20 and 21) on the phone VLAN.
ServicesN3(rw)->set policy rule 6 udpsourceportIP 68 mask 16 vlan 10 forward
ServicesN3(rw)->set policy rule 6 udpdestportIP 67 mask 16 vlan 10 forward
ServicesN3(rw)->set policy rule 6 udpdestportIP 53 mask 16 vlan 10 forward
ServicesN3(rw)->set policy rule 6 udpdestportIP 67 mask 16 vlan 10 drop
ServicesN3(rw)->set policy rule 6 udpdestportIP 53 mask 16 vlan 10 drop
ServicesN3(rw)->set policy rule 6 udpdestportIP 161 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 22 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 23 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 20 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 21 mask 16 drop

Apply a CoS 8 to data VLAN 10 and configure it to rate limit traffic to 1M and moderate priority of 5 for services IP subnet 10.10.30.0 mask 28. We will also enable traps and syslog for this subnet.
ServicesN3(rw)->set policy rule 6 ipsourcesocket 10.10.30.0 mask 28 syslog enable trap enable vlan 10 cos 8

Services should only be allowed access to the services server (subnet 10.10.50.0/24) and should be denied access to the faculty servers (subnet 10.10.70.0/24) and administrative servers (subnet 10.10.60.0/24).


ServicesN3(rw)->set policy rule 6 ipdestsocket 10.10.60.0 mask 24 drop
ServicesN3(rw)->set policy rule 6 ipdestsocket 10.10.70.0 mask 24 drop


Enable Enhanced Policy Capabilities on the Services N3 Platform


The services N3 platform supports enhanced policy. The following enhanced policy capabilities are enabled: policy accounting to flag the occurrence of a rule hit, syslog rule usage set to machine-readable for enterprise-specific back-end syslog statistics gathering, an invalid action set to default policy should an invalid policy occur, TCI overwrite enabled to allow for Type of Service (ToS) overwrite for the VoIP phone.
ServicesN3(rw)->set policy accounting enable
ServicesN3(rw)->set policy syslog machine-readable
ServicesN3(rw)->set policy invalid action default-policy
ServicesN3(rw)->set port tcioverwrite ge.1.1-10

Configuring the Distribution Layer Role


Configuring the Policy Role
The distribution role is configured with:
A profile index value of 7
A name of distribution
A default CoS when no rule overrides CoS
TCI overwrite enabled

DistributionN5(rw)->set policy profile 7 name distribution cos-status enable cos 4 tci-overwrite enable

Assigning the Traffic Classification to the Policy Role


Assign ports ge.1.1-26 to the distribution policy role, specifying the associated ports 1-26, enable traps and enable syslog.
DistributionN5(rw)->set policy rule admin-profile port ge.1.1-26 admin-pid 7 port-string ge.1.1-26 trap enable syslog enable

Assigning Traffic Classification Rules


Assign a CoS to distribution up and downstream link ports, rate limiting the traffic to 25M.
DistributionN5(rw)->set policy rule 7 port ge.1.1-26 cos 11
DistributionN5(rw)->set policy rule 7 port ge.2.1-26 cos 11

Enable Enhanced Policy Capabilities on the Distribution N5 Platform


The distribution N5 platform supports enhanced policy. The following enhanced policy capabilities are enabled: policy accounting to flag the occurrence of a rule hit, syslog rule usage set to machine-readable for back-end syslog statistics gathering, an invalid action set to default policy should an invalid policy occur, TCI overwrite enabled to allow for Type of Service (ToS) overwrite for the VoIP phone.
DistributionN5(rw)->set policy accounting enable
DistributionN5(rw)->set policy syslog machine-readable
DistributionN5(rw)->set policy invalid action default-policy
DistributionN5(rw)->set port tcioverwrite ge.1.1-26
DistributionN5(rw)->set port tcioverwrite ge.2.1-26

This completes the policy configuration for this school example.
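A role's classification rules are only as good as the result they produce for real traffic, so it is worth checking the intended outcome (students denied the admin and faculty subnets, management protocols dropped, DHCP and DNS still working) before the configuration goes live. The following Python model is an added illustration for that check and is not Enterasys firmware logic: it parses the student role's set policy rule lines from this example into rule objects and evaluates constructed packets against them. The precedence order it uses (IP destination socket rules before Layer 4 port rules) is an assumption made for the example; the real precedence list is platform specific.

```python
"""Check that a policy role's classification rules produce the intended result.

Added illustration, not Enterasys firmware. It parses the 'set policy rule'
lines of the student role above and evaluates constructed packets against
them. The precedence order (IP destination socket first, then UDP source,
UDP destination, TCP source, TCP destination port rules) is an assumption
for this example; the real precedence list is platform specific.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    ctype: str     # classification type keyword as typed on the CLI
    value: str     # e.g. "10.10.60.0" or "22"
    mask: int      # CLI 'mask' argument, in bits
    action: str    # "forward" or "drop"


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str     # "tcp" or "udp"
    src_port: int
    dst_port: int


# Assumed precedence: lower value is evaluated first; the first hit wins.
PRECEDENCE = {
    "ipdestsocket": 1,
    "udpsourceport": 2, "udpsourceportIP": 2,
    "udpdestport": 3, "udpdestportIP": 3,
    "tcpsourceport": 4, "tcpsourceportIP": 4,
    "tcpdestport": 5, "tcpdestportIP": 5,
}


def parse_rule(line: str):
    """Parse 'set policy rule <pid> <ctype> <value> mask <bits> <action>'.

    Optional trailing parameters (vlan, cos, syslog, ...) are not modelled.
    """
    t = line.split()
    if t[:3] != ["set", "policy", "rule"] or len(t) < 9 or t[6] != "mask":
        raise ValueError(f"not a policy rule line: {line!r}")
    return int(t[3]), Rule(t[4], t[5], int(t[7]), t[8])


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.ctype == "ipdestsocket":
        # The mask covers the address bits first: mask 24 means the /24 network,
        # and the socket's port part is not compared (assumption for mask <= 32).
        net = ipaddress.ip_network(f"{rule.value}/{min(rule.mask, 32)}", strict=False)
        return ipaddress.ip_address(pkt.dst_ip) in net
    if rule.ctype not in PRECEDENCE:
        raise ValueError(f"unsupported classification type {rule.ctype}")
    proto = rule.ctype[:3]                               # "udp" or "tcp"
    port = pkt.src_port if "source" in rule.ctype else pkt.dst_port
    return pkt.proto == proto and port == int(rule.value)


def decide(rules: List[Rule], pkt: Packet, default: str = "forward") -> str:
    """Action for pkt: the first matching rule in precedence order, else the
    profile default (no rule hit means the role's own settings apply)."""
    for rule in sorted(rules, key=lambda r: PRECEDENCE[r.ctype]):
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed from the student role (profile 2) configured above.
STUDENT_RULES = [parse_rule(line)[1] for line in """
set policy rule 2 udpsourceport 68 mask 16 forward
set policy rule 2 udpdestport 67 mask 16 forward
set policy rule 2 udpdestport 53 mask 16 forward
set policy rule 2 udpsourceportIP 67 mask 16 drop
set policy rule 2 udpsourceportIP 53 mask 16 drop
set policy rule 2 udpdestportIP 161 mask 16 drop
set policy rule 2 tcpdestportIP 22 mask 16 drop
set policy rule 2 tcpdestportIP 23 mask 16 drop
set policy rule 2 tcpdestportIP 20 mask 16 drop
set policy rule 2 tcpdestportIP 21 mask 16 drop
set policy rule 2 ipdestsocket 10.10.60.0 mask 24 drop
set policy rule 2 ipdestsocket 10.10.70.0 mask 24 drop
""".strip().splitlines()]


def student_checks():
    """Constructed packets and the action the student role gives each one."""
    cases = {
        "web to services server": Packet("10.10.50.5", "tcp", 40000, 80),
        "web to admin server": Packet("10.10.60.5", "tcp", 40000, 80),
        "ssh to services server": Packet("10.10.50.5", "tcp", 40000, 22),
        "dhcp discover": Packet("255.255.255.255", "udp", 68, 67),
        "dns to faculty server": Packet("10.10.70.2", "udp", 40000, 53),
    }
    return {name: decide(STUDENT_RULES, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, action in student_checks().items():
        print(f"{name}: {action}")
```

The "dns to faculty server" case shows why the precedence order matters: the udpdestport 53 forward rule and the ipdestsocket 10.10.70.0/24 drop rule both match, and only the precedence list decides which one wins, so that order should be confirmed on the actual platform with show policy capability before relying on the result.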


Terms and Definitions


Table 6 lists terms and definitions used in this policy configuration discussion.

Table 6 Policy Configuration Terms and Definitions

Administrative Profile: A logical container that assigns a traffic classification to a policy role.

Class of Service (CoS): A logical container for packet priority, queue, and forwarding treatment that determines how the firmware treats a packet as it transits the link.

Enhanced Policy: Enterasys policy features that apply to a subset of platforms that support policy.

Filter-ID: A string that is formatted in the RADIUS access-accept packet sent back from the authentication server to the switch during the authentication process. In the Enterasys policy context, the string contains the name of the policy role to be applied to the authenticating user or device.

Hybrid Authentication: An authentication feature that allows the switch to use both the filter-ID and tunnel attributes in the RADIUS response message to determine how to treat the authenticating user.

Policy: A component of Secure Networks that provides for the configuration of a role based profile for the securing and provisioning of network resources based upon the function the user or device plays within the enterprise network.

Policy Maptable: A logical entity that can be configured to provide VLAN to policy role mappings.

Policy Profile/Role: A logical container for the rules that define a particular policy role.

Policy Rule: A logical container providing for the specification of policy behaviors associated with a policy role.

Role: The grouping of individual users or devices into a logical behavioral profile for the purpose of applying policy.

Rule Precedence: A numeric traffic classification value, associated with the policy role, the ordering of which on a precedence list determines the sequence in which classification rules are applied to a packet.

Standard Policy: Enterasys policy features that apply to all platforms that support policy.

TCI Overwrite: A policy feature, when enabled in a policy role, allows for the overwrite of the current user priority and other classification information in the VLAN tag's TCI field.

Traffic Classification: A network element such as MAC or IP address, packet type, port, or VLAN used as the basis for identifying the traffic to which the policy will be applied.

Untagged and Tagged VLAN: Untagged VLAN frames are classified to the VLAN associated with the port they enter. Tagged VLAN frames are classified to the VLAN specified in the VLAN tag; the PVID is ignored.

VLAN Authorization: An aspect of RFC 3580 that provides for the inclusion of the VLAN tunnel attribute in the RADIUS Access-Accept packet defining the base VLAN-ID to be applied to the authenticating user or device.

VLAN Egress List: A configured list of ports that a frame for this VLAN can exit.


Revision History
Date: 05-18-2009
Description: New Document.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

2009 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, ENTERASYS NETSIGHT, SECURESTACK, ENTERASYS SECURESTACK, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring Port Mirroring


This document provides the following information about configuring and monitoring port mirroring on Enterasys N-Series, S-Series, K-Series, and X-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series, G-Series, and I-Series standalone fixed switches.

For information about... / Refer to page...
What Is Port Mirroring? / 1
Why Would I Use Port Mirroring in My Network? / 1
How Do I Implement Port Mirroring? / 3
Functions and Features Supported on Enterasys Switches / 3
Overview of Port Mirroring Configurations on Enterasys Switches / 4
Configuring Port Mirrors / 6
Example: Configuring and Monitoring Port Mirroring / 11
Example: Configuring an IDS Mirror / 14

What Is Port Mirroring?


Port mirroring, also known as port redirect, is a network traffic monitoring method. It forwards a copy of each incoming or outgoing frame (or both) from one or more switch ports to another port or ports where the data can be studied. Once the bit stream from one or more source ports is mirrored to one or more destination ports, you can further analyze the captured data using an RMON probe, a network sniffer, or an Intrusion Detection System (IDS), without affecting the original port's normal switch operation.

Why Would I Use Port Mirroring in My Network?


Port mirroring is an integrated diagnostic tool for tracking network performance and security that is especially useful for fending off network intrusion and attacks. It is a low cost alternative to network taps and other solutions that may require additional hardware, may disrupt normal network operation, may affect client applications, and may even introduce a new point of failure into your network. Port mirroring scales better than some alternatives and is easier to monitor. It is convenient to use in networks where ports are scarce.

Depending on the types of switching devices on which you want to implement it, you can set up the following types of port mirroring relationships on inbound or outbound traffic (or both):
One-to-one (source port to destination port)
Many-to-one
One-to-many
Many-to-many

May 04, 2011

Page 1 of 15

Depending on your network, ports that you can configure to participate in mirroring include physical ports, virtual ports including Link Aggregation Group (LAG) and host ports, VLAN interfaces, and intrusion detection ports that are members of a LAG. For more information, refer to Overview of Port Mirroring Configurations on Enterasys Switches on page 4.

You can use port mirroring for analyzing bidirectional traffic and ensuring connectivity between, for example, a departmental switch and its high speed uplink to your backbone switch as shown in Figure 1.

Figure 1 Using Port Mirroring to Monitor a Departmental Switch

This one-to-one configuration would allow you to capture traffic in both directions to the backbone uplink port. In this example, you would set a port mirror between departmental switch port 4.1 (source) and the destination port 4.2 connected to the traffic probe.

You can also use port mirroring, for example, to monitor incoming traffic to your backbone switch as shown in Figure 2.


Figure 2 Using Port Mirroring to Monitor All Incoming Traffic to a Backbone Switch

The many-to-one configuration in this example would be possible by setting a port mirror on the backbone between source ports 1.2, 2.2 and 2.1 to destination port 1.1.

How Do I Implement Port Mirroring?


You can implement port mirroring on Enterasys switching devices using simple CLI commands. Once the specific device ports are operationally linked, you use the set port mirror command to create a mirroring relationship between your intended source and your target port(s). You can also use CLI to operationally disable mirroring, if necessary, and to specify whether to mirror received traffic, transmitted traffic, or both. Some switching devices also provide the option of monitoring multicast traffic by allowing you to enable IGMP mirroring on specific ports.
Note: It is important to not oversubscribe ports in a mirroring configuration. This can cause bottlenecks and will result in discarded traffic.

Refer to the following section to determine the port types and capacities for port mirroring supported on your Enterasys device.

Functions and Features Supported on Enterasys Switches


All Enterasys switches support many-to-one port mirroring. Some also support one-to-many and many-to-many configurations. Specific capabilities, such as how many destination ports can be active at any one time, vary by device. Table 1 lists port mirroring support and capacity for each switching device.

Table 1 Port Mirroring Support on Enterasys Switches

Switch | IDS | VLAN | LAG | Max. Mirrors | Many-to-One | One-to-Many | Many-to-Many
S-Series | yes | yes | yes | 15 per chassis | yes | yes | yes
K-Series | yes | yes | yes | 4 per chassis | yes | yes | yes
N-Series Diamond and Platinum | yes | yes | yes | 16 per chassis; 64 for N-Standalone (NSA) | yes | yes | yes
N-Series Gold | no | no | yes | 3 per chassis | yes | yes | no
X-Series | no | no | no | unlimited | yes | yes | yes
Stackable and Standalone fixed switch devices | no | no | no | 1 per stack or standalone | yes | no | no

Note: Source and target ports of a one-to-many and a many-to-one mirror cannot overlap.

Overview of Port Mirroring Configurations on Enterasys Switches


One or more source ports can be mirrored locally to another physical port within the same Enterasys switching module. Physical ports can also be mirrored to another IOM port (in a modular chassis), or to another switch in a stack. In addition, virtual ports and other types of port configurations can also participate in mirroring on Enterasys switching devices as described in the following sections:
LAG Mirrors (page 4)
IDS Mirrors (page 5)
VLAN Mirrors (page 6)

LAG Mirrors
Note: This function is not supported on X-Series modular devices, or on stackable or standalone fixed switch devices.

Each N-Series, S-Series, and K-Series module designates a specific number of virtual link aggregation ports which the Link Aggregation Control Protocol (LACP) can use to dynamically group multiple physical ports into one logical link. Once underlying physical ports (such as fe.x.x or ge.x.x) are associated with an aggregator port, the resulting aggregation is represented as one Link Aggregation Group (LAG) with a lag.x.x port designation.

Device-specific capacities are as follows:
N-Series DFE Platinum, Diamond, and NSA: 48 ports designated in the CLI as lag.0.1 through lag.0.48.
N-Series DFE Gold: 4 ports designated in the CLI as lag.0.1 through lag.0.4.
S-Series: 127 LAGs supported, lag.0.1 through lag.0.127
K-Series: 36 LAGs supported, lag.0.1 through lag.0.36


Refer to the Link Aggregation section of your device's Configuration Guide or CLI Reference for more information.
When used as a source port in a mirror, LAG ports act identically to a single physical port. Either dynamic or static LAGs can be used as source ports. When used as a destination port in a mirror, the mirror is configured as an IDS mirror as described in the next section. Only static LAGs can be used as destination ports.

IDS Mirrors
Note: This function is supported only on N-Series Platinum and Diamond, S-Series, and K-Series switches.

Since IDS devices are normally bandwidth limited, they benefit from distribution of mirrored data across multiple ports (for example, a Gigabit port mirrored to multiple Fast Ethernet ports).
An IDS mirror is a one-to-many port mirror that has been designed for use with an Intrusion Detection System. The target (destination) port of an IDS mirror must be a virtual LAG port that you administratively set, called a static LAG. Once configured, an IDS mirror load shares traffic among all destination ports in the LAG you set as the port mirror.
The system hashes the source port conversation based on source and destination IP (SIP/DIP) address pairs and sends the same pairs out the same physical port in the destination mirror. This way, each IDS device will see all of the conversations between a DIP/SIP pair and will not duplicate the same information out multiple destination ports. When IDS mirroring is enabled, the system performs a Layer 3 lookup for all frames. All non-IP traffic (including control frames) is sent to an arbitrary, designated physical out port. This port is included in the DIP/SIP hash list. If the switch detects a failure of any of the physical ports in the LAG, it will automatically redistribute the DIP/SIP conversations among the remaining ports in the LAG. With IDS mirroring, source traffic is load shared among all destination ports to ensure no packet loss.
When configuring IDS mirroring on your N-Series Diamond or Platinum, S-Series, or K-Series device, you must take into consideration the following:
- Only one IDS mirror is allowed per chassis.
- As of release 5.xx.xx, mirroring of multiple (unlimited number of) source ports to an IDS destination port is supported.
- Ten destination ports must be reserved for an IDS mirror.
- Each DIP/SIP pair will always be transmitted out the same physical port.
- All non-IP traffic will be mirrored out the first physical port in a LAG. This port will also be used for IP traffic.
- Port failure or link recovery in a LAG will cause an automatic redistribution of the DIP/SIP conversations.

Refer to Example: Configuring an IDS Mirror on page 14 for more information.
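The load-sharing behaviour described above, as an added model that is not Enterasys code: it simulates SIP/DIP pair hashing, the designated port for non-IP frames, and redistribution after a member port fails, so you can reason about which sensor sees which conversation. The hash function, port names and sample addresses are constructed; the switch's real hash is not documented here.

```python
"""Model of IDS-mirror load sharing across a static LAG (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IdsMirror:
    """One IDS mirror: a source port mirrored to a static LAG of physical ports."""
    source_port: str
    lag_members: list[str]                         # e.g. ge.1.1 through ge.1.5
    failed: set[str] = field(default_factory=set)  # members currently link-down

    def active_members(self) -> list[str]:
        """Members able to carry mirrored traffic, in configured order."""
        return [p for p in self.lag_members if p not in self.failed]

    def destination_for(self, sip: Optional[str], dip: Optional[str]) -> str:
        """Choose the physical out-port for one mirrored frame.

        A frame with no IP header (sip/dip None after the Layer 3 lookup) goes
        to the first active member; an IP frame is hashed on the unordered
        {SIP, DIP} pair so both directions of a conversation reach one sensor.
        """
        members = self.active_members()
        if not members:
            raise RuntimeError("every LAG member is down; nothing is mirrored")
        if sip is None or dip is None:
            return members[0]
        pair = "|".join(sorted((sip, dip))).encode()
        digest = hashlib.sha256(pair).digest()       # constructed stand-in hash
        return members[int.from_bytes(digest[:4], "big") % len(members)]

    def fail_port(self, port: str) -> None:
        """Mark a member down; later frames are re-hashed over the rest."""
        if port not in self.lag_members:
            raise ValueError(f"{port} is not a member of this LAG")
        self.failed.add(port)

    def recover_port(self, port: str) -> None:
        """Bring a member back; conversations are redistributed again."""
        self.failed.discard(port)


def conversation_is_pinned(mirror: IdsMirror, a: str, b: str) -> bool:
    """True when a->b and b->a frames would reach the same physical port."""
    return mirror.destination_for(a, b) == mirror.destination_for(b, a)


def distribution(mirror: IdsMirror,
                 frames: list[tuple[Optional[str], Optional[str]]]) -> dict[str, int]:
    """Count how many of the given frames each LAG member would receive."""
    counts = {p: 0 for p in mirror.lag_members}
    for sip, dip in frames:
        counts[mirror.destination_for(sip, dip)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: five sensors on ge.1.1-ge.1.5 (the lag.0.21 layout of Procedure 1)
    mirror = IdsMirror("ge.1.10", ["ge.1.1", "ge.1.2", "ge.1.3", "ge.1.4", "ge.1.5"])
    sample = [("10.0.0.1", f"10.0.1.{i}") for i in range(1, 101)] + [(None, None)] * 5
    print("before failure:", distribution(mirror, sample))
    mirror.fail_port("ge.1.3")
    print("after ge.1.3 fails:", distribution(mirror, sample))   # ge.1.3 receives nothing
```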


VLAN Mirrors
Note: This function is supported only on N-Series, S-Series, and K-Series devices.

Creating a VLAN and setting a mirror for the VLAN allows you to monitor all traffic to your specified VLAN interface. For example, you could track all data traveling in and out of a confidential group of workstations, such as a Finance VLAN, by analyzing only one connection point. Considerations when configuring VLAN mirrors include:
- A one-to-many or many-to-one VLAN mirror is considered a single destination port.
- Many-to-one mapping allows multiple VLANs to be sent to one specific destination port.
- Oversubscribed traffic will be dropped.

Avoiding Bottlenecks
It is especially important to not oversubscribe ports in a mirroring configuration because this can cause bottlenecks and will result in discarded traffic.
If, for example, there are 10 users in VLAN 1, each attached to a 10 Mbps port, when you mirrored VLAN 1 to another 10 Mbps port to which your sniffer is attached, the probe switch would probably have to drop packets at the destination port. Since your purpose in configuring mirroring is to see all of the traffic for VLAN 1, it would be better in this scenario to attach the sniffer to a 100 Mbps port.

Configuring Port Mirrors


As stated previously, port types and numbers of ports you can configure for port mirroring depend on what features and functions your Enterasys devices support. Refer back to Table 1 for a list of support and capacity for each device.

Note: When a port mirror is created, it is automatically enabled on all platforms.

This section provides instructions for configuring the following switch products:
- N-Series, S-Series, K-Series (page 6)
- X-Series (page 8)
- Stackable and Standalone Switches (page 10)

N-Series, S-Series, K-Series


Port mirroring configuration support differs slightly between device types in the N-Series platform. Gold DFEs support mirroring of physical ports and virtual ports, including LAG ports. In addition to these port types, Diamond and Platinum N-Series DFEs, S-Series and K-Series also support mirroring on VLAN interfaces, and IDS ports created as part of a LAG. All devices allow you to mirror received data, transmitted data, or both.


There is no restriction on the number of source ports that can be included in a mirror to a destination port. The number of active destination or target ports allowed at any given time is device-specific. Refer to Table 1 for a list of support and capacity for each device.
Once configured, all packets (network, data, control, etc.) received by the switch will be mirrored. Errored packets will not be mirrored. Unless you disable Spanning Tree on destination ports, they will continue to function as active bridge ports, in accordance with the SMON (Switch Monitoring) standard.
Use the commands in the next sections to perform the following tasks on your N-Series, S-Series, and K-Series devices:
- Reviewing Port Mirroring (page 7)
- Setting Port or VLAN Mirroring (page 7)
- Clearing Port Mirroring (page 8)

Reviewing Port Mirroring


Use this command to display the status of port mirroring and information about any mirrors configured:
show port mirroring

Examples
This example shows that no port mirrors are configured on the device:
enterasys(rw)->show port mirroring
No Port Mirrors configured.
IGMP Multicast Mirror status Disabled

This example shows that a port mirror is configured between source port fe.1.4 and fe.1.11 and that both received (Rx) and transmitted (Tx) frames will be monitored. It also shows that mirroring status is currently administratively and operationally enabled. A mirror must be administratively enabled (as described in the next section) and its source and destination ports must have an active link for operational status to be enabled.


enterasys(rw)->show port mirroring
Port Mirroring
==============
Source Port = fe.1.4
Target Port = fe.1.11
Frames Mirrored = Rx and Tx
Port Mirroring Admin status = enabled
Port Mirroring Oper status = enabled

Setting Port or VLAN Mirroring


Use this command to create a new mirroring relationship, to enable or disable an existing mirroring relationship, or to enable or disable mirroring of IGMP multicast frames. Optionally, you can specify whether to mirror received frames, transmitted frames, or both:
set port mirroring {create | disable | enable} | igmp-mcast {enable | disable} source destination [both | rx | tx]

For firmware Release 7.11 and higher, to mirror VLAN traffic to a port, you must first create a VLAN MIB2 interface to use for the SMON MIB using the set vlan interface create command. The resulting port is a VTAP (vtap.0.vlanid). Use the show port vtap.0.vlanid command to display the VTAP port. To create the port mirror use the set port mirroring create command specifying the VTAP and the mirrored port.

Note: IGMP mirroring functionality (igmp-mcast) is not supported on N-Series Gold devices.

If not specified, both received and transmitted frames will be mirrored.

Examples
This example shows how to create a port mirror to mirror frames transmitted out port fe.1.4 to port fe.1.11:
enterasys(rw)->set port mirroring enable fe.1.4 fe.1.11 tx

This example shows how to create a many-to-one mirroring configuration between source ports fe.1.2, fe.1.3 and fe.1.4, and target port fe.1.10. By default, frames in both directions will be mirrored:


enterasys(rw)->set port mirroring create fe.1.2-4 fe.1.10

This example shows how to configure mirroring from VLANs 5 and 6 to destination port 1 in slot 2 of a DFE chassis (fe.2.1):
enterasys(rw)->set vlan interface 5-6 create
enterasys(rw)->set port mirroring create vtap.0.5-6 fe.2.1

Note: If you configure a port mirror on an uplink (tagged) port, make sure the port is assigned to egress frames with that VLAN tag. For more information about configuring VLANs, refer to your product's Configuration Guide.

Clearing Port Mirroring


Use this command to clear a port mirroring configuration:
clear port mirroring {igmp-mcast | source destination}

X-Series
The X-Series Router allows you to mirror (or redirect) received and transmitted traffic being switched on a port for the purposes of network traffic analysis and connection assurance. When port mirroring is enabled, one port becomes a monitor port for another port within the system. The X Router supports one-to-one, one-to-many, many-to-one, and many-to-many mirroring of traffic received and traffic transmitted on physical IOM ports.
Ports must be in switch mode in order to participate in mirroring.

Notes: VLAN, IDS, and LAG mirroring are not supported on the X-Series.

Use the commands in the next sections to perform the following tasks on your X-Series device:
- Reviewing Port Mirroring (page 9)
- Setting Port Mirroring (page 9)
- Clearing Port Mirroring (page 10)

Reviewing Port Mirroring


Use this command to display the status of port mirroring and information about any mirrors configured:
show port mirroring

Examples
This example shows that ports ge.4.1 through ge.4.5 are mirrored to port ge.4.32, a many-to-one mirror, that the mirror is administratively enabled and operationally (linked) enabled, and that only received frames are being monitored:
enterasys(switch-ro)-> show port mirroring
Source    Destination    Direction    AdminStatus    OperStatus
------    -----------    ---------    -----------    ----------
ge.4.1    ge.4.32        Rx only      enabled        enabled
ge.4.2    ge.4.32        Rx only      enabled        enabled
ge.4.3    ge.4.32        Rx only      enabled        enabled
ge.4.4    ge.4.32        Rx only      enabled        enabled
ge.4.5    ge.4.32        Rx only      enabled        enabled

Setting Port Mirroring


Use this command to create a new mirroring relationship, or to enable or disable an existing mirroring relationship:
set port mirroring {create | disable | enable} source destination [rx|tx|both]

Ports must be in switch mode in order to participate in a mirroring relationship.

Examples
This example creates a many-to-one port mirroring of received and transmitted frames with ports ge.6.23 through ge.6.25 as the source ports and ge.6.26 as the target port. Note that mirroring of both received and transmitted frames is the default.
enterasys(switch-su)-> set port mirroring create ge.6.23-25 ge.6.26
enterasys(switch-su)-> show port mirroring
Source        Destination   Direction   AdminStatus   OperStatus
------------  ------------  ---------   -----------   ----------
ge.6.23       ge.6.26       Rx and Tx   enabled       enabled
ge.6.24       ge.6.26       Rx and Tx   enabled       enabled
ge.6.25       ge.6.26       Rx and Tx   enabled       enabled

This example shows how to disable one of the previously created mirroring relationships:
enterasys(switch-su)-> set port mirroring disable ge.6.23 ge.6.26
enterasys(switch-su)-> show port mirroring
Source        Destination   Direction   AdminStatus   OperStatus
------------  ------------  ---------   -----------   ----------
ge.6.23       ge.6.26       Rx and Tx   disabled      disabled
ge.6.24       ge.6.26       Rx and Tx   enabled       enabled
ge.6.25       ge.6.26       Rx and Tx   enabled       enabled


Clearing Port Mirroring


Use this command to clear a port mirroring configuration:
clear port mirroring source destination

Example
The following example clears port mirroring between source port ge.6.23 and target port ge.6.26:
enterasys(switch-su)-> show port mirroring
Source        Destination   Direction   AdminStatus   OperStatus
------------  ------------  ---------   -----------   ----------
ge.6.23       ge.6.26       Rx and Tx   enabled       enabled
ge.6.24       ge.6.26       Rx and Tx   enabled       enabled
ge.6.25       ge.6.26       Rx and Tx   enabled       enabled

matrix-x(switch-su)-> clear port mirroring ge.6.23 ge.6.26
matrix-x(switch-su)-> show port mirroring
Source        Destination   Direction   AdminStatus   OperStatus
------------  ------------  ---------   -----------   ----------
ge.6.24       ge.6.26       Rx and Tx   enabled       enabled
ge.6.25       ge.6.26       Rx and Tx   enabled       enabled
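A check over the show port mirroring output shown for the N-Series, S-Series, K-Series devices and for the X-Series above, as an added example that is not Enterasys code: it parses both layouts and reports mirrors that are missing, not operational, or not in the list you configured (a mirror you did not create is a tap worth investigating). The sample outputs are constructed from the layouts in this guide.

```python
"""Parse `show port mirroring` output and audit it against intended mirrors (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mirror:
    source: str
    target: str
    direction: str   # "Rx and Tx", "Rx only" or "Tx only"
    admin: str       # "enabled" or "disabled"
    oper: str        # "enabled" or "disabled"


# N-Series/S-Series/K-Series layout: "Source Port = fe.1.4"
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(\S.*?)\s*$")
# X-Series layout, one table row: "ge.4.1  ge.4.32  Rx only  enabled  enabled"
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(Rx and Tx|Rx only|Tx only)\s+(\w+)\s+(\w+)\s*$")
KV_KEYS = ("Source Port", "Target Port", "Frames Mirrored",
           "Port Mirroring Admin status", "Port Mirroring Oper status")


def parse_show_port_mirroring(text: str) -> list[Mirror]:
    """Return every mirror found in the command output, in display order."""
    mirrors: list[Mirror] = []
    block: dict[str, str] = {}

    def flush() -> None:
        if all(k in block for k in KV_KEYS):
            mirrors.append(Mirror(*(block[k] for k in KV_KEYS)))
        block.clear()

    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:                                   # X-Series table row
            mirrors.append(Mirror(*row.groups()))
            continue
        kv = KV_RE.match(line)
        if kv:                                    # key = value block
            key, value = kv.groups()
            if key == "Source Port":              # a new block starts here
                flush()
            block[key] = value
    flush()
    return mirrors


def audit_mirrors(mirrors: list[Mirror], expected: set[tuple[str, str]]) -> list[str]:
    """Compare the parsed state with the (source, target) pairs you intended to exist."""
    findings: list[str] = []
    seen = {(m.source, m.target) for m in mirrors}
    for m in mirrors:
        if (m.source, m.target) not in expected:
            findings.append(f"unexpected mirror {m.source} -> {m.target}")
        elif m.admin != "enabled" or m.oper != "enabled":
            findings.append(f"mirror {m.source} -> {m.target} not operational "
                            f"(admin={m.admin}, oper={m.oper})")
    for src, dst in sorted(expected - seen):
        findings.append(f"missing mirror {src} -> {dst}")
    return findings


# Constructed sample outputs, following the two layouts shown in this guide.
N_SERIES_OUTPUT = """\
enterasys(rw)->show port mirroring
Port Mirroring
==============
Source Port = fe.1.4
Target Port = fe.1.11
Frames Mirrored = Rx and Tx
Port Mirroring Admin status = enabled
Port Mirroring Oper status = enabled
"""

X_SERIES_OUTPUT = """\
enterasys(switch-su)-> show port mirroring
Source        Destination   Direction   AdminStatus   OperStatus
------------  ------------  ---------   -----------   ----------
ge.6.23       ge.6.26       Rx and Tx   disabled      disabled
ge.6.24       ge.6.26       Rx and Tx   enabled       enabled
ge.6.25       ge.6.26       Rx and Tx   enabled       enabled
"""

if __name__ == "__main__":
    intended = {("ge.6.23", "ge.6.26"), ("ge.6.24", "ge.6.26"), ("ge.6.25", "ge.6.26")}
    for finding in audit_mirrors(parse_show_port_mirroring(X_SERIES_OUTPUT), intended):
        print(finding)   # reports that ge.6.23 -> ge.6.26 is disabled
```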

Stackable and Standalone Switches


Enterasys A-Series, B-Series, C-Series stackable fixed switches and D-Series, G-Series, and I-Series standalone fixed switches support the following mirroring features:
- Mirroring can be configured in a many-to-one configuration so that one target (destination) port can monitor traffic on up to 8 source ports.
- Only one mirror destination port can be configured per stack or standalone.
- Both transmit and receive traffic will be mirrored.
- A destination port will only act as a mirroring port when the session is operationally active. If the mirroring session is not operationally active, then the destination port will act as a normal port and participate in all normal operation with respect to transmitting traffic and participating in protocols.

Note: One-to-many mirroring, many-to-many mirroring, and IDS, LAG, and VLAN mirroring are not supported.

Reviewing, Setting, and Clearing Port Mirroring


Commands for configuring stackable and standalone fixed switch devices are very similar to those described and shown in the output examples for the N-Series, S-Series, K-Series on page 6.
Use this command to display the status of port mirroring and information about any mirrors configured:
show port mirroring

Use this command to create a new mirroring relationship, or to enable or disable an existing mirroring relationship:
set port mirroring {create | disable | enable}


Use this command to clear a port mirroring configuration:
clear port mirroring source destination

Example: Configuring and Monitoring Port Mirroring


This section describes how to use Enterasys NetSight Console from a Network Management Station (NMS) to display RMON statistics for monitoring port mirroring. It uses the configuration illustrated in Figure 3.

Figure 3    Example Port Mirroring Configuration

The following procedure shows how to create and verify this configuration:

1. Assign IP address 172.16.210.15 to an N-Series Platinum DFE.
   Platinum(su)->set ip address 172.16.210.15

2. Assign IP address 172.16.210.25 to an N-Series Gold DFE.
   Gold(su)->set ip address 172.16.210.25

3. Log on to NetSight Console.

4. On the console main screen, expand My Network in the file directory tree, right-click All Devices, and select Add Device.
   The Add Device screen displays.

5. Model the Platinum DFE by entering its IP address in the field provided. Click OK.

6. (Optional) Model the Gold DFE by repeating steps 4 and 5, using its IP address.

7. On the console main screen, expand All Devices in the file directory tree to show the IP address(es) of the device(s) you just modeled.

8. Right-click on 172.16.210.15 (the IP address of the Platinum DFE) and select Device Manager.
   The device manager screen displays for the Platinum DFE.

9. Right-click on port 1 (fe.1.1 shown in Figure 3) and select RMON Ethernet Statistics.

10. Repeat step 9 for port 5 (fe.1.5 shown in Figure 3). RMON Ethernet statistics charts will display for ports 1 and 5.

11. Note that the section of the two charts that shows the frame count by frame size lists no larger size frames (512-1518 bytes). In the next step, you will create large frames.

12. Open the Command Prompt window and set up a continuous ping to the Platinum DFE, as shown below. Use -l 1400 to set the size of the ping frame to 1400 bytes and -t to set a continuous ping.

13. Refer back to the RMON Ethernet Statistics windows opened in Steps 9 and 10. You should see the number of 1024-1518 frames incrementing on Port 1 because the NMS is connected on this port. You should also see that these larger size frames are not incrementing on Port 5.

14. From the terminal session with the Platinum DFE, create a port mirroring instance with port 1 (fe.1.1) as the source and port 5 (fe.1.5) as the destination port.
   Platinum(su)->set port mirroring create fe.1.1 fe.1.5 both

15. Verify the mirroring configuration.
   Platinum(su)->show port mirroring
   Port Mirroring
   ==============
   Source Port = fe.1.1
   Target Port = fe.1.5
   Frames Mirrored = Rx and Tx
   Port Mirroring Admin status = enabled
   Port Mirroring Oper status = enabled

16. Refer again to the RMON Ethernet Statistics windows and notice that both port 1 and port 5 are now incrementing the larger size frames. If you connected a network analyzer to port 5, you would see these frames being received and transmitted on port 1.


Example: Configuring an IDS Mirror


Note: This function is not supported on N-Series Gold, X-Series, stackable or standalone fixed switch devices.

As stated in the overview about IDS Mirrors on page 5, N-Series Diamond and Platinum DFEs, S-Series, and K-Series support IDS mirroring on ports that are members of a Link Aggregation Group (LAG). The maximum of physical ports allowed per LAG port is platform-specific. Only manually formed (static) LAGs can be used as mirrored destination ports.
Procedure 1 shows how to create a static LAG and then create an IDS mirror to that LAG port destination. In this example, ports ge.1.1 through ge.1.5 are administratively set to form lag.0.21, which is then set to mirror traffic from port ge.1.10.
For more information on command parameters used in LAG configuration, refer to the Link Aggregation section in your product's Configuration Guide or CLI Reference.
Note: When creating a static LAG for port mirroring, you must assign a unique admin key to aggregating ports. If ports other than the desired underlying physical ports share the same admin key value, aggregation will fail or undesired aggregations will form.

Procedure 1    Configuring a Static LAG for an IDS Mirror

Step   Task                                                                    Command(s)
1.     Create a static LAG aggregating ports ge.1.1 through ge.1.5 into        set lacp static lag.0.21 key 4000 ge.1.1-5
       LAG port 21 and assign a unique admin key to that LAG port.
2.     Create a port mirror between source port ge.1.10 and the static LAG.    set port mirror create fe.1.10 lag.0.21 both


Revision History

Date         Description
01-16-08     New document
02-20-08     Corrected product naming conventions.
03-12-08     Added statement that VLAN mirroring is not supported on SecureStacks and switches.
07-28-08     Added Enterasys Registration mark.
02-04-09     Spelled out D-Series, G-Series, and I-Series when appropriate.
04-16-09     Added note: port mirrors are automatically enabled on all platforms upon creation.
05-04-2011   Added S-Series and K-Series, other minor changes.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.
Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810
2011 Enterasys Networks, Inc. All rights reserved.
ENTERASYS, ENTERASYS NETWORKS, ENTERASYS NETSIGHT, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring Quality of Service (QoS)


This chapter provides the following information about configuring and monitoring Quality of Service (QoS) on Enterasys N-Series, S-Series, and K-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series, G-Series, and I-Series standalone fixed switches.
Note: Please see the Enterasys X Secure Core Router Configuration Guide for a complete discussion of QoS as it applies to the X-Series.

For information about...                      Refer to page...
What Is Quality of Service?                   1
Why Would I Use It in My Network?             2
How Can I Implement Quality of Service?       2
Quality of Service Overview                   2
CoS Hardware Resource Configuration           13
Feature Differences by Platform               28
The QoS CLI Command Flow                      29
QoS Policy-Based Configuration Example        31
Terms and Definitions                         36

What Is Quality of Service?


Quality of Service (QoS) is:
- A mechanism for the management of bandwidth
- The ability to give preferential treatment to some packets over others
- Based upon packet classification and forwarding treatment

You configure packet preference and forwarding treatment based upon a flow's sensitivity to delay, delay variation (jitter), bandwidth, availability, and packet drop.
Note: A flow is a stream of IP packets in which the value of a fixed set of IP packet fields is the same for each packet in the stream. Each packet containing the same value for all of these fields is considered part of the same flow, until flow expiration occurs. If a packet is viewed with any set member field value that is different from any current flow, a new flow is started based upon the set field values for that packet.

QoS uses packet priority, in conjunction with queue treatment configuration, to determine the interface's inbound and forwarding behavior for a packet. Packet preference and forwarding treatment for a given flow can be applied to roles configured in Enterasys policy.


May 09, 2011 Page 1 of 38


The S-Series FlexEdge feature, supported only on S-Series switches, provides the unique capability to classify and prioritize traffic as it enters the switch, assert flow control, and ensure that higher priority traffic received by the switch is forwarded to the packet processor ahead of lower priority traffic. A separate feature guide exists for the S-Series FlexEdge feature and can be found at https://extranet.enterasys.com/downloads.

Why Would I Use It in My Network?


Without QoS, all packets are treated as though the delivery requirements and characteristics of any given packet are equal to any other packet. In other words, non-QoS packet delivery is not able to take into account application sensitivity to packet delay, jitter, amount of bandwidth required, packet loss, or availability requirements of the flow. QoS provides management mechanisms for these flow characteristics.

How Can I Implement Quality of Service?


QoS determines how a flow will be treated as it transits the link. To determine how a flow should be treated, you must first understand the characteristics of the flows on your network, and secondly, you must identify these flows in a way that QoS can recognize. In this sense, QoS is the third step in a three-step process. The three steps Enterasys recommends for configuring QoS are:
- Understand your network flows using NetFlow
- Associate the flows on your network with a well-defined role using Enterasys policy
- Configure the appropriate link behavior for that role by associating the role with a QoS configuration

Quality of Service Overview


QoS is all about managing the bandwidth in a manner that aligns the delivery requirements of a given flow with the available port resources. In a QoS context, a flow is a stream of packets that are classified with the same class of service as the packets transit the interface. QoS manages bandwidth for each flow by:
- Assigning different priority levels to different packet flows.
- Marking or remarking the packet priority at port ingress with a Type of Service (ToS).
- Sorting flows by transit queue. Higher priority queues get preferential access to bandwidth during packet forwarding.
- Limiting the amount of bandwidth available to a given flow by either dropping (rate limiting) or buffering (rate shaping) packets in excess of configured limits.

These QoS abilities collectively make up a Class of Service (CoS). The remainder of this section will describe CoS and its components.
Note: The following overview and configuration discussion will take place in an S-Series context. See Feature Differences by Platform on page 28 for a listing of CoS feature differences.


Class of Service (CoS)


You implement QoS features in a Class of Service (CoS). There are four hardware resource components that can be configured as part of a CoS.
- Transmit Queues (TxQ) represent the queuing hardware resources for each port that are used in scheduling packets for egressing the device, as well as rate shaping of traffic based upon outbound buffering.
- Inbound Rate Limiters (IRL) allow you to configure a threshold above which a port will not process traffic.
- Outbound Rate Limiters (ORL) allow you to configure a threshold above which a port will not transmit traffic.
- Flood Control configures a threshold above which a port will not receive unknown unicast, multicast, or broadcast packets.

The CoS configuration of each queue or port hardware resource is optional. TxQs have three configurable queue options: queue mapping, queue rate shaping and queue scheduling. IRL, ORL, and flood control each have a single configurable rate limiting port hardware resource option. CoS configuration is applied to the ingressing packet based upon the packet's 802.1 priority, port, and policy settings.
How the firmware treats a packet as it transits the link depends upon the priority and forwarding treatments configured in the CoS assigned to the packet. Up to 256 unique CoS entries can be configured. CoS entries 0-7 are configured by default with an 802.1p priority assigned and default forwarding treatment. CoS entries 0-7 cannot be removed. CoS entries 0-7 are reserved for mapping an 802.1p priority to a CoS index. CoS entries 8-255 can be configured and used by policy for the following services:
- 802.1p priority
- IP Type of Service (ToS) marking
- Priority Transmit Queue (TxQ) with configurable forwarding behavior
- Inbound (IRL) and/or outbound (ORL) rate limiter
- Outbound rate shaper per transmit queue
- Flood control

There are up to four areas of CoS configuration depending on what type of hardware resource you want to configure. The terminology associated with CoS configuration is introduced in Table 1.

Table 1    CoS Configuration Terminology

Term                      Description
CoS Setting               Maps configured resources to a CoS index. When a packet is received, the packet is mapped to a CoS index based on the packet 802.1 priority, port, and policy role, if a policy role is present. The CoS index translates into available hardware resources through indirect mappings to TxQ, IRL, ORL, or the administrative state of flood control. An optional drop precedence can be configured.
CoS Reference             Provides a means of mapping a CoS setting to a specific hardware resource, such as a TxQ, IRL, or ORL.
CoS Port Resource         Specifies the transmit queue rate shaping or IRL, ORL, or flood control rate limiter threshold value that the CoS reference is mapped to.
CoS Port Configuration    Specifies the ports to which CoS resource configuration should be applied, and provides for TxQ scheduling.

CoS Settings
Use the CoS settings configuration when mapping the priority of the ingressing packet to a hardware resource reference, flood control state, drop precedence behavior, or 802.1 priority or ToS remarking.

CoS Hardware Resource Reference


The CoS hardware resource reference can be:
- A reference to a transmit queue. On the S-Series, valid values are 0-10.
- An inbound rate limiter reference. On the S-Series, valid values are 0-31.
- An outbound rate limiter reference. On the S-Series, valid values are 0-3.

CoS Flood Control State


CoS flood control state enables or disables flood control for the CoS setting.

CoS Priority and ToS Rewrite


The two parameters configurable for CoS priority are 802.1p and Type of Service (ToS). Each CoS can be mapped to an 802.1p priority and a ToS rewrite value. 802.1p and ToS are specified in the CoS settings configuration layer.
The 802.1p parameter is:
- A subset of ToS with values 0-7 (upper 3 bits of the 8-bit ToS field)
- Supported in both layer 2 and layer 3

The ToS parameter is:
- An 8-bit field with values 0-255
- Supported in layer 3 only
- Also referred to as the Differentiated Services Code Point (DSCP) when limited to the lower 5 bits of the field

Figure 1 displays the relationship between your application, priority level, 802.1p, and ToS assignments (shown here using DSCP terminology).
QoS priority/ToS configuration:
- Derives its characteristic requirements from the end system application.
- Is configured on the edge device the application is connected to
- Is propagated through the network in the protocol packet header


Figure 1    Assigning and Marking Traffic with a Priority

The ICMP protocol, used for error messaging, has a low bandwidth requirement, with a high tolerance for delay and jitter, and is appropriate for a low priority setting. HTTP and FTP protocols, used respectively for browser generated and file transfer traffic, have a medium to high bandwidth requirement, with a medium to high tolerance for delay and jitter, and are appropriate for a medium priority level. Voice (VoIP), used for voice calls, has a low bandwidth requirement, but is very sensitive to delay and jitter and is appropriate for a high priority level.
See RFC 1349 for further details on ToS. See RFCs 2474 and 2475 for further details on DSCP.

Drop-Precedence
Drop Precedence indicates a preference for dropping packets, often used in association with weighted fair queuing. This S-Series only feature uses the configured value to prioritize packets on the queue. Drop precedence can set the packet priority to favored, best effort, or unfavored.
Drop precedence has a special meaning within a FlexEdge context. Packets assigned a drop precedence value are assigned a 4th level of priority in the FlexEdge mechanism, and are limited to rules applied to a single port. See the FlexEdge feature guide for a detailed FlexEdge drop precedence discussion. The FlexEdge feature guide can be found at https://extranet.enterasys.com/downloads.

CoS Reference
Use the CoS reference configuration if you need to:
- Map a transmit queue reference to any supported transmit queue on the port.
- Map a CoS setting IRL or ORL reference to an IRL or ORL port resource rate limiter.

The CoS reference configuration is set by specifying the type of hardware resource for the reference (TxQ, IRL, ORL), the port group the reference is being applied to, and the hardware resource reference configured in CoS settings, and the actual TxQ or rate limiting port resource for this mapping.

Port Group and Type


CoS port groups provide for grouping ports by CoS feature configuration and port type. Ports are required to be configured by groups: this feature provides a meaningful way of identifying ports by similar functionality and port type.
Groups consist of a group number and port type and are numbered as such, portgroup.porttype. The port group number is configurable. The port type is fixed based upon the port module. A port on an S-Series module is always port type 1.
For example: port group 0, port type 0 would be numbered port group 0.0. A default port group exists per hardware resource: TxQ, IRL, ORL, and flood control. The default port group is identified as port group 0 and port type 0 or 1 and are indexed as 0.0 or 0.1 for each feature. These default port groups cannot be removed and all physical ports in the system are assigned to one of the two port groups for each feature.
Additional port groups, up to eleven total, may be created by changing the port group value. Ports assigned to a new port group cannot belong to another non-default port group entry and must be comprised of the same port type as defined by the port group you are associating it with. The creation of additional port groups could be used to combine similar ports by their function for flexibility. For instance, ports associated with users can be added to a port group called Users and ports associated with uplink ports can be added to a port group called Uplink. Using these port groups, a class of service unique to each group can assign different rate limits to each port group. User ports can be assigned a rate limit configured in one CoS, while Uplink ports can be assigned a different rate limit configured in another CoS. A maximum of 8 configurable TxQs per CoS are supported.
Note: Only non-low latency queues are configurable for CoS port group. Which queues are Low Latency Queues (LLQ) depends upon the hardware. LLQs are labeled LLQ in the show cos port-config command display.

Port Type is a fixed value that determines the TxQ, IRL, ORL, and flood control resource capabilities based upon the module the port belongs to. Knowledge of these capabilities is important when configuring queue behaviors. See CoS Port Type on page 28 for a listing of port types by platform.
CoS port type can be determined using the show cos port-type command.

CoS Settings Reference to Port Resource Mapping


Use the CoS reference configuration to map the resource reference from the CoS settings configuration to the port hardware resources being acted upon by this configuration.
- TxQ CoS reference: Maps the CoS settings TxQ reference to the queue the CoS settings reference is being remapped to. For example, if the CoS settings TxQ reference is set to 8 and the queue for this configuration is set to 9, hardware resource queue 8 is remapped to queue 9 for this CoS configuration.
- IRL CoS reference: Maps the CoS settings IRL reference to the IRL port resource the rate limit is to be applied to.
- ORL CoS reference: Maps the CoS settings ORL reference to the ORL port resource the rate limit is to be applied to.


Port Resources
Use the CoS port resource configuration layer to associate actual rate limiter values to a port group and hardware resource. Configure CoS port resource by identifying the CoS hardware resource type (TxQ, IRL, ORL, or flood control), port group, and port resource, followed by a rate limiter, or in the case of TxQ, a rate shaper.
The rate limit or rate shaper is specified as a unit and a data rate. The unit specifies either a percentage of the total or a packets per second value, followed by the data rate as a numeric value. For example, 10,000 packets per second would be expressed as unit pps rate 10000. The default unit setting is percentage. If only rate is specified, the rate value is a percentage.
- TxQ: Setting a TxQ rate shaper means that all packets above the specified rate limit are first buffered. Only when the buffer fills are packets dropped.
  TxQ rate limiting provides for setting a tail drop behavior, by which transmit frames are discarded from the tail of the queue.
  TxQ rate shaping is directly configured using CoS port resources configuration. The CoS setting and CoS reference configurations do not apply to TxQ rate shaping.
- IRL: Setting an IRL rate limiter means that packets ingressing the port will not be allowed to exceed the rate specified by the rate limiter. If the rate is exceeded, you can specify whether packets that exceed the rate limit should be dropped and whether the port should be disabled. You can enable or disable syslog and trap features.
  IRL port resources are first referenced using the CoS settings and CoS reference configurations. Ports are applied to the specified CoS port resources using the CoS port configuration.
- ORL: Setting an ORL rate limiter means that outbound packets above the specified threshold are not transmitted. If the rate is exceeded, you can specify whether packets that exceed the rate limit should be dropped and whether the port should be disabled, and enable or disable syslog and trap features.
  ORL port resources are first referenced using the CoS settings and CoS reference configurations. Ports are applied to the specified CoS port resources using the CoS port configuration.
- Flood control: Setting a flood control rate limiter means that received packets of the specified type that exceed the flood control threshold will be prevented from egressing any port. Configurable packet types are:
  - unknown unicast
  - multicast
  - broadcast
  If the rate is exceeded, you can specify whether the port should be disabled. You can enable or disable syslog and trap features.

Port Configuration
The CoS port configuration layer applies a port list to the port group. Configure CoS port configuration by identifying the CoS hardware resource type (TxQ, IRL, ORL, or flood control) and port group for this port configuration, a name for this configuration, a port list of ports assigned to this port group, and whether the port list should be cleared or appended to any existing port list. TxQ port configuration can also be configured for TxQ scheduling.

May 09, 2011

Page 7 of 38


TxQ Scheduling
TxQs can be configured for TxQ scheduling, also referred to as weighted fair queuing. See Weighted Fair Queuing on page 9 for a detailed discussion of weighted fair queuing. See Preferential Queue Treatment for Packet Forwarding on page 8 for a detailed discussion of all queue treatment types supported.

TxQ scheduling is configured in CoS port configuration using the arb-slice or arb-percentage options. The arb-slice option segments the TxQ scheduling time slice pool by numeric values. The arb-percentage option segments the TxQ scheduling time slice pool by a percentage of the pool. When configuring TxQ scheduling, a value is specified for all queues in TxQ order from lowest to highest. A 0 is entered for any queue (configurable or LLQ) to which no time slices are allocated. All entries in a configuration must add up to either the total number of slices supported or 100 percent, depending upon the chosen option. Use the show port-config txq command to display the total number of slices supported for your device. By default, the total number of time slices is specified for the highest user configurable (non-LLQ) queue.

If you are using a default TxQ configuration for this port group (you are neither remapping CoS priorities nor TxQs), TxQ scheduling can be configured directly in CoS port configuration without CoS settings, reference, or port resource configuration.

Preferential Queue Treatment for Packet Forwarding


There are three types of preferential queue treatments for packet forwarding: strict priority, weighted fair, and hybrid.

Strict Priority Queuing


With Strict Priority Queuing, a higher priority queue must be empty before a lower priority queue can transmit any packets. Strict priority queuing is depicted in Figure 2. Inbound packets enter on the upper left and proceed to the appropriate queue, based upon the TxQ configuration in the CoS. Outbound packets exit the queues on the lower right. At this time only queue 3 packets are forwarded. This will be true until queue 3 is completely empty. Queue 2 packets will then be forwarded. Queue 1 packets will only forward if both queue 2 and queue 3 are empty. Queue 0 packets will only forward if all other queues are empty. Strict priority queuing assures that the highest priority queue with any packets in it will get 100 percent of the bandwidth available. This is particularly useful for one or more priority levels with low bandwidth and low tolerance for delay. The problem with strict priority queuing is that should the higher level queues never fully empty, lower level queues can be starved of bandwidth.

Figure 2    Strict Priority Queuing Packet Behavior

Low Latency Queuing


A Low Latency Queue (LLQ) is a non-configurable strict priority queue. LLQs are designed to guard against:
• Packet loss
• Delay
• Jitter

LLQ hardware resources cannot be configured, but a policy can be configured for a CoS that is mapped to an LLQ. In this way, traffic associated with high value real-time voice or video packets can be mapped to an LLQ. The LLQ priority will determine when mapped traffic will be serviced relative to other traffic. For example, S-Series queues 0, 9, and 10 are LLQs. If a voice policy is mapped to a CoS with a TxQ reference that is in turn mapped to queue 9, this voice traffic will be serviced as soon as queue 10 is empty and will continue to be serviced ahead of any lower priority queue until there is no traffic left in queue 9.

LLQs are hardware dependent. Not all hardware devices support low latency queuing. Use the show cos port-config txq command to display LLQs for a given module.

Weighted Fair Queuing


With weighted fair queuing, queue access to bandwidth is divided up by percentages of the time slices available. For example, if 100 percent is divided into 64 time slices, and each queue is configured for 25 percent, each queue will get 16 time slices, after which the next lowest priority queue will get the next 16, and so on. Should a queue empty before using its current share of time slices, the remaining time slices are shared with all remaining queues. Figure 3 depicts how weighted fair queuing works. Inbound packets enter on the upper left of the box and proceed to the appropriate priority queue. Outbound packets exit the queues on the lower right. Queue 3 has access to its percentage of time slices so long as there are packets in the queue. Then queue 2 has access to its percentage of time slices, and so on round robin. Weighted fair queuing assures that each queue will get at least the configured percentage of bandwidth time slices. The value of weighted fair queuing is in its assurance that no queue is starved for bandwidth. The downside of weighted fair queuing is that packets in a high priority queue, with low tolerance for delay, will wait until all other queues have used the time slices available to them before forwarding. So weighted fair queuing would not be appropriate for applications with high sensitivity to delay or jitter, such as VoIP.

Figure 3    Weighted Fair Queuing Packet Behavior

Hybrid Queuing
Hybrid queuing combines the properties of both strict priority and weighted fair queuing. Figure 4 on page 11 depicts hybrid queuing. The configuration is for strict priority queuing on queue 3 and weighted fair queuing for the remaining queues, with queue 2 receiving 50 percent of the remaining time slices, and the other queues receiving 25 percent each. The benefit of hybrid queuing is that queues configured as strict will receive all the bandwidth that is available in the order of their priority until empty. Remaining bandwidth will be used by the weighted fair queues based upon the time slice percentages configured. The downside remains that any time strict priority queuing is used, should the strict priority queues never fully empty, remaining queues will be starved of bandwidth.
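To make the three behaviours concrete, here is an added time-slice simulation (not Enterasys code) of strict priority, weighted fair and hybrid arbitration over the four queues and the 64-slice pool used in the descriptions above; the packet arrival rates are constructed, and the sharing of a queue's unused slices with the lower queues is a simplification of the text's rule.

```python
"""Time-slice simulation of the three TxQ arbitration modes described above:
strict priority, weighted fair queuing and hybrid queuing.  Added illustration,
not Enterasys code.  Queue 3 is the highest priority, as in the text; the
64-slice pool and the 25/50 percent shares are the figures the descriptions
use.  Arrival rates are constructed."""
from collections import Counter, deque


def build_slots(shares, total_slices):
    """Expand per-queue slice counts into one arbitration round: the highest
    queue owns the first slices, then the next lower queue, and so on."""
    if sum(shares.values()) != total_slices:
        raise ValueError("slice shares must add up to the whole pool")
    slots = []
    for q in sorted(shares, reverse=True):
        slots.extend([q] * shares[q])
    return slots


def simulate(arrivals, strict, shares, total_slices, duration):
    """Run `duration` time slices on one port, transmitting one packet per slice.

    arrivals : dict queue -> packets arriving per slice (fractions allowed)
    strict   : set of queues serviced in strict priority (highest first)
    shares   : dict queue -> slices per round for the weighted fair queues
    Returns a Counter of packets transmitted per queue.
    """
    queues = {q: deque() for q in arrivals}
    credit = {q: 0.0 for q in arrivals}
    slots = build_slots(shares, total_slices) if shares else []
    cursor, sent = 0, Counter()
    for t in range(duration):
        for q, rate in arrivals.items():            # enqueue this slice's arrivals
            credit[q] += rate
            while credit[q] >= 1:
                queues[q].append(t)
                credit[q] -= 1
        # Strict priority: a higher queue must be empty before a lower one sends,
        # so the highest strict queue holding packets takes the slice outright.
        busy = [q for q in sorted(strict, reverse=True) if queues[q]]
        if busy:
            queues[busy[0]].popleft()
            sent[busy[0]] += 1
            continue
        if not slots:
            continue                                # pure strict mode, nothing queued
        owner = slots[cursor]
        cursor = (cursor + 1) % len(slots)
        if not queues[owner]:
            # The owner emptied before using its share: the slice goes to the
            # remaining (lower) weighted fair queues of this round, highest first.
            lower = [q for q in sorted(shares, reverse=True) if q < owner and queues[q]]
            if not lower:
                continue
            owner = lower[0]
        queues[owner].popleft()
        sent[owner] += 1
    return sent


QUEUES = (0, 1, 2, 3)
SLICES = 64                 # "100 percent is divided into 64 time slices"
DURATION = 4 * SLICES       # four arbitration rounds


def strict_priority(arrivals):
    return simulate(arrivals, set(QUEUES), {}, SLICES, DURATION)


def weighted_fair(arrivals):
    # 25 percent per queue: 16 of the 64 slices each, as in the text.
    return simulate(arrivals, set(), {q: SLICES // 4 for q in QUEUES}, SLICES, DURATION)


def hybrid(arrivals):
    # Queue 3 strict; queue 2 gets 50 percent of the remaining slices, 1 and 0 get 25 each.
    return simulate(arrivals, {3}, {2: 32, 1: 16, 0: 16}, SLICES, DURATION)


if __name__ == "__main__":
    saturated = {q: 1.0 for q in QUEUES}        # every queue offers full line rate
    light_top = {**saturated, 3: 0.25}           # queue 3 offers a quarter of line rate
    print("strict, all saturated :", dict(strict_priority(saturated)))   # queues 0-2 starve
    print("wfq, all saturated    :", dict(weighted_fair(saturated)))     # 64 packets each
    print("hybrid, queue 3 light :", dict(hybrid(light_top)))            # 64 / 96 / 48 / 48
```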

Figure 4    Hybrid Queuing Packet Behavior

Rate Limiting
Rate limiting is used to control the rate of traffic entering (inbound) and/or leaving (outbound) a switch per CoS. Rate limiting allows for the throttling of traffic flows that consume available bandwidth, in the process providing room for other flows. Rate limiting guarantees the availability of bandwidth for other traffic by preventing the rate limited traffic from consuming more than the assigned amount of a network's resources. Rate limiting accomplishes this by setting a cap on the bandwidth utilization of specific types of both inbound and outbound traffic. When a rate limit has been exceeded, the CoS can be configured to perform one or all of the following: record a Syslog message, send an SNMP trap to inform the administrator, and automatically disable the port.

Figure 5 on page 12 illustrates how bursty traffic is clipped above the assigned threshold with rate limiting applied.

Figure 5    Rate Limiting Clipping Behavior

Flood Control
CoS-based flood control is a form of rate limiting that prevents configured ports from being disrupted by a traffic storm, by rate limiting specific types of packets through those ports. When flood control is enabled on a port, incoming traffic is monitored over one second intervals. During an interval, the incoming traffic rate for each configured traffic type (unknown unicast, broadcast, or multicast) is compared with the configured traffic flood control rate, specified in packets per second. If, during a one second interval, the incoming traffic of a configured type reaches the traffic flood control rate configured on the port, CoS-based flood control drops the traffic until the interval ends. Packets are then allowed to flow again until the limit is again reached.

Rate Shaping
Rate Shaping throttles the rate at which a port transmits (outbound) queued packets. Rate Shaping buffers packets received above the configured rate on a per CoS basis, rather than dropping them. Only when buffer capacity is exceeded are packets dropped. Rate shaping may be configured for a CoS on a port, for an 802.1p priority on a port, or for all Classes of Service on a port.

Figure 6 on page 13 illustrates how bursty traffic is smoothed out when it bursts above the assigned threshold with rate shaping applied.

Figure 6    Rate Shaping Smoothing Behavior

Rate shaping retains excess packets in a queue and then schedules these packets for later transmission over time. Therefore, the packet output rate is smoothed and bursts in transmission are not propagated as seen with rate limiting.

Rate shaping can be implemented for multiple reasons, such as controlling bandwidth, to offer differing levels of service, or to avoid traffic congestion on other links in the network by removing the burstiness property of traffic that can lead to discarded packets. Rate shaping is important for real-time traffic, where packet loss is extremely detrimental to these applications. Instead of discarding traffic imposed by rate limiting, delays are induced into its transmission by retaining the data for future transmission. However, the delays must also be bounded to the degree that the traffic is sensitive to delays.
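As an added illustration (not from the guide or Enterasys) of the difference between rate limiting, rate shaping and flood control as described above, the following model replays a constructed bursty load through each control; the interval length, limit, buffer size and packet timestamps are assumed values.

```python
"""Interval-based model of the three CoS rate controls described in this
section: a rate limiter (IRL/ORL, Figure 5: excess is clipped), a TxQ rate
shaper (Figure 6: excess is buffered and sent later, dropped only when the
buffer fills) and flood control (a one-second counter that blocks the
configured packet type until the interval ends).  Added example, not Enterasys
code; the traffic patterns below are constructed."""


def rate_limit(offered, limit):
    """Rate limiting: per interval, at most `limit` packets pass and the rest
    are discarded.  Returns (packets sent per interval, total dropped)."""
    sent, dropped = [], 0
    for pkts in offered:
        passed = min(pkts, limit)
        sent.append(passed)
        dropped += pkts - passed
    return sent, dropped


def rate_shape(offered, limit, buffer_size):
    """Rate shaping: packets above `limit` are held in a buffer of `buffer_size`
    packets and transmitted in later intervals; only when the buffer is full are
    packets dropped.  Returns (sent per interval, total dropped, final backlog)."""
    sent, dropped, backlog = [], 0, 0
    for pkts in offered:
        available = backlog + pkts          # earlier backlog is served first
        passed = min(available, limit)
        excess = available - passed
        kept = min(excess, buffer_size)     # buffer what fits, drop the remainder
        dropped += excess - kept
        backlog = kept
        sent.append(passed)
    return sent, dropped, backlog


def flood_control(packet_times, threshold):
    """Flood control: arrivals of one traffic type are counted per one-second
    interval; once the count reaches `threshold`, further packets in that
    interval are dropped and counting restarts in the next interval.
    `packet_times` are timestamps in seconds.  Returns (forwarded, dropped)."""
    forwarded = dropped = 0
    interval, count = None, 0
    for t in sorted(packet_times):
        sec = int(t)
        if sec != interval:                 # a new one-second interval begins
            interval, count = sec, 0
        if count < threshold:
            forwarded += 1
            count += 1
        else:
            dropped += 1
    return forwarded, dropped


# Constructed bursty offered load, in packets per interval, against a limit of 50.
OFFERED = [40, 120, 30, 90, 10, 10]
LIMIT = 50

# Constructed arrival times (seconds) of unknown-unicast frames on one port.
UUC_TIMES = [0.0, 0.1, 0.2, 0.3, 0.4, 1.2, 1.5]


def compare():
    """The three outcomes side by side for the constructed load."""
    return {
        "limit": rate_limit(OFFERED, LIMIT),                  # clipped, 110 dropped
        "shape": rate_shape(OFFERED, LIMIT, buffer_size=100),  # smoothed, 0 dropped
        "flood": flood_control(UUC_TIMES, threshold=3),        # 5 forwarded, 2 dropped
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```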

CoS Hardware Resource Configuration


This section provides a configuration example for each CoS hardware resource.

TxQ Scheduling Configuration


Transmit queues (TxQ) represent the hardware resources for each port that are used in scheduling packets for egressing the device. The S-Series scheduler runs in a Low Latency mode which allows the customer to configure a hybrid of strict priority and weighted fair queuing.

For the device in this example, each port has 11 transmit queues. Queues 0, 9 and 10 are low latency queues (LLQ). You cannot configure an LLQ. Queues 1-8 are non-LLQs and can be configured. The hardware scheduler will service all packets on queue 10 and then queue 9. Once there are no more packets, the available bandwidth will be used to service queues 1-8 based on the configured (strict or weighted fair queue) or default mode (strict). If there is any available bandwidth after servicing these queues, then the remainder of the bandwidth will be used to process queue 0.

By default, non-LLQs run in strict priority mode but can be configured for weighted fair queue mode. Through CoS reference mappings, you can map the TxQ reference to a TxQ hardware queue and further configure CoS to meet your requirements.

The remainder of this section details a TxQ configuration that:
• Creates a new port group
• Names the port group
• Assigns ports to the port group
• Configures non-LLQ queues for weighted fair queuing
• Maps references to both a best effort and a control queue, based on the already existing LLQs on the device
• Maps CoS priority settings to the queues
• Enables CoS
• Provides related show command displays

CoS Port Configuration Layer


For the CoS port configuration layer, use the set cos port-config txq command to:
• Configure a new port group template 1.0
• Name the port group template WFQConfiguration
• Assign ports ge.1.3, ge.1.5 and ge.1.22 to port group 1.0
• Configure queues 1-8 as weighted fair queues by time slice:
  Queue 1: 0
  Queue 2: 0
  Queue 3: 10
  Queue 4: 10
  Queue 5: 15
  Queue 6: 15
  Queue 7: 20
  Queue 8: 30

When configuring weighted fair queues, configured percentages must add up to 100% of the supported time slices. In this case, the port supports 100 time slices.

CoS port configuration CLI input:


System(su)->set cos port-config txq 1.0 name WFQConfiguration ports ge.1.3,5,22 arb-slice 0,0,0,10,10,15,15,20,30,0,0
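An added helper (not Enterasys code) that checks a TxQ scheduling list against the rules given under TxQ Scheduling before building the set cos port-config txq line used above; the 11-queue layout with LLQs 0, 9 and 10 and the 100-slice pool are the example device's figures, and the rejected schedule is constructed.

```python
"""Checks a TxQ scheduling list against the rules stated for the arb-slice and
arb-percentage options (one value per queue in queue order, 0 for LLQs and for
queues given no share, entries summing to the slice pool or to 100 percent) and
builds the set cos port-config txq command line.  Added helper, not Enterasys
code; the queue layout (11 queues, LLQs 0, 9 and 10) and the 100-slice pool are
taken from the S-Series example in this section."""

NUM_QUEUES = 11
LLQ_QUEUES = {0, 9, 10}        # not user configurable, must carry 0 in the list


def check_schedule(values, option, total_slices):
    """Return a list of problems with `values`; an empty list means acceptable.
    `option` is "arb-slice" (values are slices) or "arb-percentage"."""
    if option not in ("arb-slice", "arb-percentage"):
        return [f"unknown option {option!r}"]
    if len(values) != NUM_QUEUES:
        return [f"expected {NUM_QUEUES} entries, got {len(values)}"]
    problems = []
    if any(v < 0 for v in values):
        problems.append("negative entries are not allowed")
    for q in sorted(LLQ_QUEUES):
        if values[q] != 0:
            problems.append(f"queue {q} is an LLQ and must be 0")
    required = 100 if option == "arb-percentage" else total_slices
    total = sum(values)
    if total != required:
        problems.append(f"entries add up to {total}, must be {required}")
    return problems


def approx_percentages(values, total_slices):
    """Percentage per configurable queue as the show command approximates it:
    (slices/queue) / total number of slices, rounded to a whole percent."""
    return {q: round(100 * v / total_slices) for q, v in enumerate(values)
            if q not in LLQ_QUEUES}


def port_config_txq(group, name, ports, option, values, total_slices):
    """Build the CLI line, refusing a schedule the device would not accept."""
    problems = check_schedule(values, option, total_slices)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"set cos port-config txq {group} name {name} ports {ports} "
            f"{option} {','.join(str(v) for v in values)}")


if __name__ == "__main__":
    wfq = [0, 0, 0, 10, 10, 15, 15, 20, 30, 0, 0]       # the example's schedule
    print(port_config_txq("1.0", "WFQConfiguration", "ge.1.3,5,22", "arb-slice", wfq, 100))
    print(approx_percentages(wfq, 100))
    # Constructed bad schedule: slices on LLQ 10 and a total of 105.
    print(check_schedule([0, 0, 0, 10, 10, 15, 15, 20, 30, 0, 5], "arb-slice", 100))
```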

CoS TxQ Reference Configuration Layer


By default, TxQ references 1-8 map to hardware queues 1-8. We are going to remap TxQ reference 1 to queue 0 and TxQ reference 8 to queue 9. This will allow TxQ reference 1 to be our best effort queue which will only be serviced if all other queues are empty. TxQ reference 8 will be for critical traffic and will be serviced before any other configurable queue. TxQ references 2-7 will be serviced based on WFQ.

The CoS TxQ reference layer mappings to queues are configured using the set cos reference txq command. CoS TxQ reference mapping CLI input:

System(su)->set cos reference txq 1.0 1 queue 0
System(su)->set cos reference txq 1.0 8 queue 9

CoS Settings Configuration Layer


The final step is to assign the CoS indexes to the TxQ references. In this example, CoS Index 0 (802.1 priority 0) will be our best effort traffic, CoS Index 7 (802.1 priority 7) will be assigned to our critical queue. All other priorities will map to the WFQs.

System(su)->set cos settings 0 txq-reference 1
System(su)->set cos settings 2 txq-reference 3
System(su)->set cos settings 3 txq-reference 4
System(su)->set cos settings 4 txq-reference 5
System(su)->set cos settings 5 txq-reference 6
System(su)->set cos settings 6 txq-reference 7
System(su)->set cos settings 7 txq-reference 8

Enable CoS State


CoS configuration must be enabled to become active, using the set cos state enable command:
System(su)->set cos state enable

TxQ Configuration Example Show Command Output


Use the show cos settings command to display CoS settings layer configuration:

System(su)->show cos settings

* Means attribute has not been configured

CoS Index  Priority  ToS  TxQ  IRL  ORL  Drop Prec  Flood-Ctrl
---------  --------  ---  ---  ---  ---  ---------  ----------
0          0         *    1    *    *    *          Disabled
1          1         *    2    *    *    *          Disabled
2          2         *    3    *    *    *          Disabled
3          3         *    4    *    *    *          Disabled
4          4         *    5    *    *    *          Disabled
5          5         *    6    *    *    *          Disabled
6          6         *    7    *    *    *          Disabled
7          7         *    8    *    *    *          Disabled

Use the show cos reference txq command to display the CoS reference configuration for port group 1.0:

System(su)->show cos reference txq 1.0

Group Index  Reference  Type  Queue
-----------  ---------  ----  -----
1.0          0          txq   0
1.0          1          txq   0
1.0          2          txq   2
1.0          3          txq   3
1.0          4          txq   4
1.0          5          txq   5
1.0          6          txq   6
1.0          7          txq   7
1.0          8          txq   9
1.0          9          txq   8
1.0          10         txq   8
1.0          11         txq   8
1.0          12         txq   8
1.0          13         txq   8
1.0          14         txq   9
1.0          15         txq   10

Use the show cos port-config txq command to display the CoS port layer configuration:

System(su)->show cos port-config txq 1.0

* Percentage/queue (if any) are approximations based on [(slices/queue) / total number of slices]

Transmit Queue Port Configuration Entries
----------------------------------------------------------------------
Port Group Name   :WFQConfiguration
Port Group        :1
Port Type         :0
Assigned Ports    :ge.1.3,5,22
Arbiter Mode      :Low Latency Queue
Slices/queue      :Q [ 0]: LLQ   Q [ 1]:   0   Q [ 2]:   0   Q [ 3]:  10
                  :Q [ 4]:  10   Q [ 5]:  15   Q [ 6]:  15   Q [ 7]:  20
                  :Q [ 8]:  30   Q [ 9]: LLQ   Q [10]: LLQ
Percentage/queue  :Q [ 0]: LLQ   Q [ 1]:  0%   Q [ 2]:  0%   Q [ 3]: 10%
                  :Q [ 4]: 10%   Q [ 5]: 15%   Q [ 6]: 15%   Q [ 7]: 20%
                  :Q [ 8]: 30%   Q [ 9]: LLQ   Q [10]: LLQ
----------------------------------------------------------------------

TxQ Rate Shaping Configuration


Each transmit queue has the capability to rate shape all traffic being transmitted on the queue. In this example, we configure port ge.2.17 to rate shape all traffic egressing transmit queue 8 (the actual hardware queue, not the TxQ reference) to a threshold of 50% of the port's bandwidth. All queues remain in the default strict priority mode. Any traffic exceeding this amount will be first buffered and rescheduled for transmission. Buffered traffic is only dropped if the buffer fills. Rate shaping provides two services. The buffering of excess packets assures that traffic in excess of the configured value will be rescheduled and transmitted as long as the buffers do not fill. The limit specified assures that lower queues are serviced in an oversubscription situation based upon the default strict priority mode behavior.

The remainder of this section details a TxQ rate shaping configuration that:
• Configures port group 2.0 for port ge.2.17
• Names port group 2.0 txqRateShaper
• Configures all other ports for port group 0.0
• Sets the port resource rate for port group 2.0 on queue 8 to 50% of port bandwidth
• Enables CoS
• Provides related show command displays

CoS Port Configuration Layer


For the CoS port configuration layer, use the set cos port-config txq command to:
• Configure port group template 0.0 for all ports on the device except for ge.2.17
• Configure port group template 2.0 for port ge.2.17
• Name port group template 2.0 txqRateShaper

CoS port configuration CLI input:

System(su)->set cos port-config txq 0.0 ports ge.2.1-16,18-48;tg.2.101-104
System(su)->set cos port-config txq 2.0 name txqRateShaper ports ge.2.17

CoS TxQ Port Resource Layer


It is at the port resource TxQ configuration layer that the bandwidth rate shaper, over which all packets are buffered, is applied to a hardware queue. We will apply a bandwidth rate of 50% to TxQ queue 8 for port group 2.0.
System(su)->set cos port-resource txq 2.0 8 unit percentage rate 50

Enable CoS State


CoS configuration must be enabled to become active, using the set cos state enable command:
System(su)->set cos state enable

TxQ Rate Shaping Configuration Example Show Command Output


No CoS Settings configuration was required for this example. The CoS settings show command will display the default configuration. Use the show cos settings command to display CoS settings layer configuration:

System(su)->show cos settings

* Means attribute has not been configured

CoS Index  Priority  ToS  TxQ  IRL  ORL  Drop Prec  Flood-Ctrl
---------  --------  ---  ---  ---  ---  ---------  ----------
0          0         *    0    *    *    *          Disabled
1          1         *    2    *    *    *          Disabled
2          2         *    4    *    *    *          Disabled
3          3         *    6    *    *    *          Disabled
4          4         *    8    *    *    *          Disabled
5          5         *    10   *    *    *          Disabled
6          6         *    12   *    *    *          Disabled
7          7         *    14   *    *    *          Disabled

Note: When a CoS show command displays a default TxQ listing, TxQ numbering is based upon a 16 queue display. 8 user configurable queues are listed as even numbers from 0 to 14.

No CoS reference configuration was required for this example. The CoS reference show command will display the default configuration. Use the show cos reference txq command to display the CoS reference configuration for port group 2.0:

System(su)->show cos reference txq 2.0

Group Index  Reference  Type  Queue
-----------  ---------  ----  -----
2.0          0          txq   0
2.0          1          txq   1
2.0          2          txq   2
2.0          3          txq   3
2.0          4          txq   4
2.0          5          txq   5
2.0          6          txq   6
2.0          7          txq   7
2.0          8          txq   8
2.0          9          txq   8
2.0          10         txq   8
2.0          11         txq   8
2.0          12         txq   8
2.0          13         txq   8
2.0          14         txq   9
2.0          15         txq   10

Use the show cos port-resource txq command to display the new rate shaper configuration for queue 8 for port group 2.0:

System(su)->show cos port-resource txq 2.0

'?' after the rate value indicates an invalid rate value

Group Index  Resource  Type  Unit  Rate  Algorithm
-----------  --------  ----  ----  ----  ---------
2.0          0         txq   perc  none  tail-drop
2.0          1         txq   perc  none  tail-drop
2.0          2         txq   perc  none  tail-drop
2.0          3         txq   perc  none  tail-drop
2.0          4         txq   perc  none  tail-drop
2.0          5         txq   perc  none  tail-drop
2.0          6         txq   perc  none  tail-drop
2.0          7         txq   perc  none  tail-drop
2.0          8         txq   perc  50    tail-drop
2.0          9         txq   perc  none  tail-drop
2.0          10        txq   perc  none  tail-drop

The port config display for port group 2.0 shows that all queues are running in the default strict priority mode (highest non-LLQ set to 100). Use the show cos port-config txq command to display the port config settings for port group 2.0:

System(su)->show cos port-config txq 2.0

* Percentage/queue (if any) are approximations based on [(slices/queue) / total number of slices]

Transmit Queue Port Configuration Entries
----------------------------------------------------------------------
Port Group Name   :txqRateShaper
Port Group        :2
Port Type         :0
Assigned Ports    :ge.2.17
Arbiter Mode      :Low Latency Queue
Slices/queue      :Q [ 0]: LLQ   Q [ 1]:   0   Q [ 2]:   0   Q [ 3]:   0
                  :Q [ 4]:   0   Q [ 5]:   0   Q [ 6]:   0   Q [ 7]:   0
                  :Q [ 8]: 100   Q [ 9]: LLQ   Q [10]: LLQ
Percentage/queue  :Q [ 0]: LLQ   Q [ 1]:  0%   Q [ 2]:  0%   Q [ 3]:  0%
                  :Q [ 4]:  0%   Q [ 5]:  0%   Q [ 6]:  0%   Q [ 7]:  0%
                  :Q [ 8]: 100%  Q [ 9]: LLQ   Q [10]: LLQ
----------------------------------------------------------------------

IRL Configuration
Inbound rate limiters (IRL) allow you to configure a port to prevent the port from processing traffic above a certain threshold. In this example, we are going to configure port group 1.0, ports ge.1.3, ge.1.5 and ge.1.22, to discard packets it receives when the packet maps to CoS Index 1 (802.1 priority 1) and the threshold goes above 10,000 packets per second.

The remainder of this section details an IRL configuration that:
• Specifies the port group
• Assigns ports to the port group
• Maps the rate limiter data unit and rate to the IRL rate limiter
• Maps the rate limiter to the IRL reference
• Maps the IRL reference to the CoS setting (802.1 priority)
• Enables CoS
• Provides related show command displays

CoS Port Configuration Layer


For the CoS port configuration layer, use the set cos port-config irl command to assign ports to port group 1.0 for the IRL configuration:
System(su)->set cos port-config irl 1.0 ports ge.1.3,5,22

CoS Port Resource Layer


For the CoS port resource layer, use the set cos port-resource irl command to set the packets per second rate to 10,000 packets and enable Syslog for this IRL port group 1.0 mapped to IRL resource 0:
System(su)->set cos port-resource irl 1.0 0 unit pps rate 10000 syslog enable

CoS Reference Layer


For the CoS reference layer, using the set cos reference irl command, map IRL reference 0 to rate limit 0 for port group 1.0:
System(su)->set cos reference irl 1.0 0 rate-limit 0

CoS Settings Layer


For the CoS settings layer, using the cos settings command, map IRL reference 0 to CoS settings 1 (802.1 priority 1):
System(su)->set cos settings 1 irl-reference 0

Enable CoS State


CoS configuration must be enabled to become active, using the set cos state enable command:
System(su)->set cos state enable

IRL Configuration Example Show Command Output


Use the show cos settings command to display the IRL resource reference to TxQ, to priority, to CoS index mapping:

System(su)->show cos settings

* Means attribute has not been configured

CoS Index  Priority  ToS  TxQ  IRL  ORL  Drop Prec  Flood-Ctrl
---------  --------  ---  ---  ---  ---  ---------  ----------
0          0         *    0    *    *    *          Disabled
1          1         *    2    0    *    *          Disabled
2          2         *    4    *    *    *          Disabled
3          3         *    6    *    *    *          Disabled
4          4         *    8    *    *    *          Disabled
5          5         *    10   *    *    *          Disabled
6          6         *    12   *    *    *          Disabled
7          7         *    14   *    *    *          Disabled

Use the show cos reference irl command for port group 1.0 to display the CoS reference to rate limiter mapping:

System(su)->show cos reference irl 1.0

Group Index  Reference  Type  Rate Limiter
-----------  ---------  ----  ------------
1.0          0          irl   0
1.0          1          irl   none
1.0          2          irl   none
1.0          3          irl   none
1.0          4          irl   none
1.0          5          irl   none
1.0          6          irl   none
1.0          7          irl   none
1.0          8          irl   none
1.0          9          irl   none
1.0          10         irl   none
1.0          11         irl   none
1.0          12         irl   none
1.0          13         irl   none
1.0          14         irl   none
1.0          15         irl   none
1.0          16         irl   none
1.0          17         irl   none
1.0          18         irl   none
1.0          19         irl   none
1.0          20         irl   none
1.0          21         irl   none
1.0          22         irl   none
1.0          23         irl   none
1.0          24         irl   none
1.0          25         irl   none
1.0          26         irl   none
1.0          27         irl   none
1.0          28         irl   none
1.0          29         irl   none
1.0          30         irl   none
1.0          31         irl   none

Use the show cos port-resource irl command to display the data rate and unit of the rate limiter for port 1.0:

System(su)->show cos port-resource irl 1.0

'?' after the rate value indicates an invalid rate value

Group Index  Resource  Type  Unit  Rate   Rate Limit Type  Action
-----------  --------  ----  ----  -----  ---------------  ------
1.0          0         irl   pps   10000  drop             S
1.0          1         irl   perc  none   drop             none
1.0          2         irl   perc  none   drop             none
1.0          3         irl   perc  none   drop             none
1.0          4         irl   perc  none   drop             none
1.0          5         irl   perc  none   drop             none
1.0          6         irl   perc  none   drop             none
1.0          7         irl   perc  none   drop             none
1.0          8         irl   perc  none   drop             none
1.0          9         irl   perc  none   drop             none
1.0          10        irl   perc  none   drop             none
1.0          11        irl   perc  none   drop             none
1.0          12        irl   perc  none   drop             none
1.0          13        irl   perc  none   drop             none
1.0          14        irl   perc  none   drop             none
1.0          15        irl   perc  none   drop             none
1.0          16        irl   perc  none   drop             none
1.0          17        irl   perc  none   drop             none
1.0          18        irl   perc  none   drop             none
1.0          19        irl   perc  none   drop             none
1.0          20        irl   perc  none   drop             none
1.0          21        irl   perc  none   drop             none
1.0          22        irl   perc  none   drop             none
1.0          23        irl   perc  none   drop             none

Use the show cos port-config irl command to display the port group name and assigned ports for port group 1.0:

System(su)->show cos port-config irl 1.0

Inbound Rate Limiting Port Configuration Entries
----------------------------------------------------------------------
Port Group Name   :S-Series 24 IRL
Port Group        :1
Port Type         :0
Assigned Ports    :ge.1.3,5,22
----------------------------------------------------------------------
System(su)->

ORL Configuration
Outbound rate limiters (ORL) allow you to configure a port to prevent the port from transmitting traffic above a certain threshold. In this example, we are going to configure port ge.1.22 to limit the amount of packets it transmits when the packet is marked as CoS Index 0 (802.1 priority 0) to a threshold of 5,000 packets per second.

The remainder of this section details an ORL configuration that:
• Specifies the port group
• Assigns a port to the port group
• Maps the rate limiter data unit and rate to the ORL rate limiter
• Maps the rate limiter to the ORL reference
• Maps the ORL reference to the CoS setting 802.1 priority
• Enables CoS
• Provides related show command displays

CoS Port Configuration Layer


For the CoS port configuration layer, use the set cos port-config orl command to assign ports to port group 1.0 for the ORL configuration:
System(su)->set cos port-config orl 1.0 ports ge.1.22

CoS Port Resource Layer


For the CoS port resource layer, use the set cos port-resource orl command to set the packets per second rate to 5,000 packets, for this ORL port group 1.0 mapped to ORL resource 1:
System(su)->set cos port-resource orl 1.0 1 unit pps rate 5000

CoS Reference Layer


For the CoS reference layer, using the set cos reference orl command, map ORL reference 1 to rate limit 1 for port group 1.0:
System(su)->set cos reference orl 1.0 1 rate-limit 1

CoS Settings Layer


For the CoS settings layer, using the cos settings command, map ORL reference 1 to CoS settings 1 (802.1 priority 1):
System(su)->set cos settings 0 orl-reference 1

Enable CoS State


CoS configuration must be enabled to become active, using the set cos state enable command:
System(su)->set cos state enable

ORL Configuration Example Show Command Output


Use the show cos settings command to display the ORL reference to CoS index (802.1 priority) mapping:

System(su)->show cos settings

* Means attribute has not been configured

CoS Index  Priority  ToS  TxQ  IRL  ORL  Drop Prec  Flood-Ctrl
---------  --------  ---  ---  ---  ---  ---------  ----------
0          0         *    0    *    1    *          Disabled
1          1         *    2    *    *    *          Disabled
2          2         *    4    *    *    *          Disabled
3          3         *    6    *    *    *          Disabled
4          4         *    8    *    *    *          Disabled
5          5         *    10   *    *    *          Disabled
6          6         *    12   *    *    *          Disabled
7          7         *    14   *    *    *          Disabled

Use the show cos reference orl command to display the rate limiter to ORL reference mapping:

System(su)->show cos reference orl 1.0

Group Index  Reference  Type  Rate Limiter
-----------  ---------  ----  ------------
1.0          0          orl   none
1.0          1          orl   1
1.0          2          orl   none
1.0          3          orl   none
1.0          4          orl   none
1.0          5          orl   none
1.0          6          orl   none
1.0          7          orl   none
1.0          8          orl   none
1.0          9          orl   none
1.0          10         orl   none
1.0          11         orl   none
1.0          12         orl   none
1.0          13         orl   none
1.0          14         orl   none
1.0          15         orl   none

Use the show cos port-resource orl command to display the rate limiter unit and rate for the configured ORL resource:

System(su)->show cos port-resource orl 1.0

'?' after the rate value indicates an invalid rate value

Group Index  Resource  Type  Unit  Rate  Rate Limit Type  Action
-----------  --------  ----  ----  ----  ---------------  ------
1.0          0         orl   perc  none  drop             none
1.0          1         orl   pps   5000  drop             none
1.0          2         orl   perc  none  drop             none
1.0          3         orl   perc  none  drop             none

Use the show cos port-config orl command to display the port group name and assigned ports for port group 1.0.

System(su)->show cos port-config orl 1.0

Outbound Rate Limiting Port Configuration Entries
----------------------------------------------------------------------
Port Group Name   :S-Series 4 ORL
Port Group        :1
Port Type         :0
Assigned Ports    :ge.1.22
----------------------------------------------------------------------
System(su)->

Flood Control Configuration


Flood control (flood-ctrl) provides for the configuration of a rate limiter to limit the amount of unknown unicast, multicast or broadcast packets a port receives from egressing all other ports. In this example, port ge.1.3 will be configured to limit the reception of unknown unicast packets on CoS Index 3 (802.1 priority 3) to a threshold of 3,000 packets per second.

CoS Port Configuration Layer


For the CoS port configuration layer, use the set cos port-config flood-ctrl command to assign ports to port group 1.0 for the flood control configuration:
System(su)->set cos port-config flood-ctrl 1.0 ports ge.1.3

CoS Port Resource Layer


For the CoS port resource layer, use the set cos port-resource flood-ctrl command to set the packets per second rate to 3,000 packets, for this flood control port group 1.0:
System(su)->set cos port-resource flood-ctrl 1.0 unknown-unicast unit pps rate 3000

CoS Reference Layer


The CoS reference layer is not applicable to flood control.

CoS Settings Layer


For the CoS settings layer, use the cos settings command to enable flood control for CoS settings 3 (802.1 priority 3):
System(su)->set cos settings 3 flood-ctrl enable

Enable CoS State


CoS configuration must be enabled to become active, using the set cos state enable command:
System(su)->set cos state enable

Flood Control Configuration Example Show Command Output


Use the show cos settings command to display the flood control state to CoS index (802.1 priority) mapping:

show cos settings

* Means attribute has not been configured

CoS Index  Priority  ToS  TxQ  IRL  ORL  Drop Prec  Flood-Ctrl
---------  --------  ---  ---  ---  ---  ---------  ----------
0          0         *    0    *    *    *          Disabled
1          1         *    2    *    *    *          Disabled
2          2         *    4    *    *    *          Disabled
3          3         *    6    *    *    *          Enabled
4          4         *    8    *    *    *          Disabled
5          5         *    10   *    *    *          Disabled
6          6         *    12   *    *    *          Disabled
7          7         *    14   *    *    *          Disabled

Use the show cos port-resource flood-ctrl command to display the flood control unit and rate to flood control resource mapping:

System(su)->show cos port-resource flood-ctrl 1.0

'?' after the rate value indicates an invalid rate value

Group Index  Resource  Type  Unit  Rate  Rate Limit Type  Action
-----------  --------  ----  ----  ----  ---------------  ------
1.0          1         fld   pps   3000                   none
1.0          2         fld   perc  none                   none
1.0          3         fld   perc  none                   none

Use the show cos port-config flood-ctrl command to display the port group name and assigned ports for port group 1.0.

System(su)->show cos port-config flood-ctrl 1.0

Flood Rate Limiting Port Configuration Entries
----------------------------------------------------------------------
Port Group Name   :S-Series Flood Ctrl
Port Group        :1
Port Type         :0
Assigned Ports    :ge.1.3
----------------------------------------------------------------------
System(su)->

Enabling CoS State


CoS state is a global setting that must be enabled for CoS configurations to be applied to a port. When CoS state is enabled, controls configured for CoS supersede port level controls for priority queue mapping, IRL, and TxQ. These port level settings can be configured independent of CoS state, but will have no effect while CoS is enabled. Disabling CoS results in the restoration of current port level settings.

Use the set cos state enable command to enable CoS state globally for this system.

Use the set cos state disable command to disable CoS state globally for this system.

Use the show cos state command to display the current status of CoS state.

Displaying CoS Violations


CoS violations can be displayed per physical rate limit for IRL, ORL, and flood control to show you when a rate limit has been violated. Use the show cos violation command to display ports that have a limiter violated as well as any ports that may be disabled by the limiter.

The following example displays default values for the show cos violation irl command output on an S-Series device:

System(su)->show cos violation irl ge.1.1:*

Port         Rate-Limiter Index  Type  Rate-Limiter Status  Rate-Limiter Counter
-----------  ------------------  ----  -------------------  --------------------
ge.1.1       0                   irl   not-violated         0
ge.1.1       1                   irl   not-violated         0
ge.1.1       2                   irl   not-violated         0
ge.1.1       3                   irl   not-violated         0
ge.1.1       4                   irl   not-violated         0
ge.1.1       5                   irl   not-violated         0
ge.1.1       6                   irl   not-violated         0
ge.1.1       7                   irl   not-violated         0
ge.1.1       8                   irl   not-violated         0
ge.1.1       9                   irl   not-violated         0
ge.1.1       10                  irl   not-violated         0
...
ge.1.1       29                  irl   not-violated         0
ge.1.1       30                  irl   not-violated         0
ge.1.1       31                  irl   not-violated         0

Violations are also displayed by resource and port using the show cos port-resource command. Violating ports are displayed at the end of the resource table.
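As an added example (not from the guide), a small parser that reduces show cos violation output to the limiters that actually fired, which is what an operator reviewing a suspected traffic storm wants first; the sample output is constructed, and the "violated" status string is an assumption, since the guide only shows not-violated.

```python
"""Parser for show cos violation output in the column layout shown above,
reducing it to the limiters that have fired so the affected ports can be
reviewed.  Added example, not Enterasys code.  The sample text is constructed;
the guide only shows the status "not-violated", so the "violated" value below is
assumed, and any status other than not-violated or a non-zero counter is
treated as a violation."""
import re

# Constructed sample modelled on the column layout of show cos violation irl.
SAMPLE = """\
System(su)->show cos violation irl ge.1.3:*
Port         Rate-Limiter Index  Type  Rate-Limiter Status  Rate-Limiter Counter
-----------  ------------------  ----  -------------------  --------------------
ge.1.3       0                   irl   violated             1532
ge.1.3       1                   irl   not-violated         0
ge.1.5       0                   irl   not-violated         0
ge.1.22      0                   irl   violated             98
"""

# port, limiter index, resource type (irl/orl/fld as the guide's outputs name them),
# status, counter
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(irl|orl|fld)\s+(\S+)\s+(\d+)\s*$")


def parse_violations(text):
    """Return one dict per data row; the prompt, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, index, kind, status, counter = m.groups()
            rows.append({"port": port, "index": int(index), "type": kind,
                         "status": status, "counter": int(counter)})
    return rows


def violated(rows):
    """Rows whose limiter has fired: a status other than not-violated or a counter above 0."""
    return [r for r in rows if r["status"] != "not-violated" or r["counter"] > 0]


def summarize(rows):
    """Map port -> list of (limiter index, counter) for the limiters that fired."""
    summary = {}
    for r in violated(rows):
        summary.setdefault(r["port"], []).append((r["index"], r["counter"]))
    return summary


if __name__ == "__main__":
    for port, hits in summarize(parse_violations(SAMPLE)).items():
        print(port, hits)        # ge.1.3 [(0, 1532)] / ge.1.22 [(0, 98)]
```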

Feature Differences by Platform


FlexEdge and drop precedence are only supported on the S-Series platform.

CoS Port Type


Based on physical capability, all physical ports belong to one of two port types. The importance of this port type distinction lies in the resources available for transmit queue and inbound rate limiting CoS features.

Module port type support:
• All S-Series modules support port type 0.
• The Enterasys N-Series DFE 7GR4270-12, 7G4270-12, 7G4270-09, and 7G4270-10 modules support port type 0. All other N-Series modules support port type 1.
• All Stackable Switches support port type 0.
• All other modules support port type of 1.

TxQs
• All S-Series modules support 11 queues
• N-Series Port type 0 supports 16 queues, Port type 1 supports 4 queues
• CoS TxQ features are not supported on all other platforms

IRLs
• All S-Series modules support 24 inbound rate limiters.
• N-Series port type 0 supports 32 inbound rate limiters, port type 1 supports 8 inbound rate limiters.
• Enterasys Stackable switches, D-Series, G-Series, and I-Series devices support 99 inbound rate limiters.
• Enterasys Stackable switches, D-Series, G-Series, and I-Series only support the IRL Kbps unit option.
• For the C3 and C5 devices, IRL configuration is only supported within a policy role context. Configuration of IRLs within rules is not supported. In a mixed stack, C3 CoS feature limitations apply. C5s cannot be mixed with C3s and C2s in a stack.


ORLs
• All S-Series modules support 4 outbound rate limiters
• Enterasys N-Series, Stackable Switches, D-Series, G-Series, and I-Series devices do not support outbound rate limiters

The QoS CLI Command Flow


Procedure 1 provides a CLI flow summary of each step in the configuration flow along with the show commands to verify the configuration. All CoS commands can be entered in any command mode.

Procedure 1  Class of Service CLI Configuration Command Summary

Step 1. Task: Inspect both the TxQs and IRL support for the installed ports. This information is used to determine the module port type for port group.
Command(s):
  show cos port-type txq
  show cos port-type irl
  show cos port-type orl
  show cos port-type flood-ctrl

Step 2. Task: Set the CoS transmit queue port group configuration by mapping a physical port list to a port group for purposes of TxQ configuration. Optionally associate a name and the configuration of a TxQ weighted fair queue behavior configuration. Verify the new configuration.
Command(s):
  set cos port-config txq group-type-index [name name] [ports port-list] [append] | [clear] [arb-slice slice-list] [arb-percentage percentage-list]
  show cos port-config txq port_group.port_type

Step 3. Task: Set the CoS inbound rate-limit port group configuration by mapping a physical port list to a port group for purposes of IRL configuration, optionally allowing the association of a name for this configuration. Verify the new configuration.
Command(s):
  set cos port-config irl port_group.port_type name name ports ports_list
  show cos port-config irl

Step 4. Task: Set the CoS outbound rate-limit port group configuration by mapping a physical port list to a port group for purposes of ORL configuration, optionally allowing the association of a name for this configuration. Verify the new configuration.
Command(s):
  set cos port-config orl port_group.port_type name name ports ports_list
  show cos port-config orl

Step 5. Task: Set the CoS flood control limit port group configuration by mapping a physical port list to a port group for purposes of flood control configuration, optionally allowing the association of a name for this configuration. Verify the new configuration.
Command(s):
  set cos port-config flood-ctrl port_group.port_type name name ports ports_list
  show cos port-config flood-ctrl

Step 6. Task: Configure a Class of Service transmit queue port resource entry, by mapping a port group with a transmit queue and applying a TxQ rate shaping value to the mapping. Verify configuration changes.
Command(s):
  set cos port-resource txq port_group.port_type tx_queue unit unit rate rate
  show cos port-resource txq port_group.port_type

Step 7. Task: Configure a CoS inbound rate limiting index entry, by mapping a port group with a rate-limit value, along with the ability to optionally set syslog, trap, and/or disable port behaviors should the limit be exceeded. This index is used by the rate-limit option when setting an IRL cos reference.
Command(s):
  set cos port-resource irl port_group.port_type index unit unit rate rate syslog setting trap setting disable-port setting
  show cos port-resource irl port_group.port_type

Step 8. Task: Configure a CoS outbound rate limiting index entry, by mapping a port group with a rate-limit value, along with the ability to optionally set syslog, trap, and/or disable port behaviors should the limit be exceeded. This index is used by the rate-limit option when setting an ORL cos reference.
Command(s):
  set cos port-resource orl port_group.port_type index unit unit rate rate syslog setting trap setting disable-port setting
  show cos port-resource orl port_group.port_type

Step 9. Task: Configure a CoS flood control index entry, by mapping a port group with a traffic type such as multicast or broadcast, along with the ability to optionally set syslog, trap, and/or disable port behaviors should the limit be exceeded. This index is used by the rate-limit option when setting a flood control cos reference.
Command(s):
  set cos port-resource flood-ctrl port_group.port_type traffic-type unit unit rate rate syslog setting trap setting disable-port setting
  show cos port-resource flood-ctrl port_group.port_type

Step 10. Task: Set a CoS transmit queue reference configuration, by mapping a port group to a queue resource ID and associating the mapping with a transmit reference. Verify the new CoS reference configuration.
Command(s):
  set cos reference txq port_group.port_type reference queue queue
  show cos reference txq port_group.port_type

Step 11. Task: Set a CoS inbound rate limiting reference configuration, by mapping a port group with a rate limiter resource ID and associating the mapping with an IRL reference. Verify the new CoS reference configuration.
Command(s):
  set cos reference irl port_group.port_type reference rate-limit IRLreference
  show cos reference irl port_group.port_type

Step 12. Task: Set a CoS outbound rate limiting reference configuration, by mapping a port group with a rate limiter resource ID and associating the mapping with an ORL reference. Verify the new CoS reference configuration.
Command(s):
  set cos reference orl port_group.port_type reference rate-limit IRLreference
  show cos reference orl port_group.port_type

Step 13. Task: Modify a currently configured CoS or create a new CoS. Verify the new CoS configuration. All TxQ to port group mappings are associated with the transmit queue reference. All IRL to port group mappings are associated with the inbound rate limiter reference.
Command(s):
  set cos settings cos-list [priority priority] [tos-value tos-value] [txq-reference txq-reference] [irl-reference irl-reference] [orl-reference orl-reference] [drop-precedence drop-precedence] [flood-ctrl state]
  show cos settings

Step 14. Task: Enable CoS state for the system. Verify the new CoS state.
Command(s):
  set cos state enable
  show cos state


QoS Policy-Based Configuration Example


In our example, an organization's network administrator needs to assure that VoIP traffic, both originating in and transiting the network of S-Series edge switches and an S-Series core router, is configured for QoS with appropriate priority, ToS, and queue treatment. We will also rate limit the VoIP traffic at the edge to 1024 Kbps to guard against DoS attacks, VoIP traffic into the core at 25 Mbps, and H.323 call setup at 5 pps. Data traffic retains the default configuration.

This example places QoS configuration within a policy context. Policy is not required to configure QoS.

This example assumes CEP authentication using H.323 for VoIP. If you are not authenticating your VoIP endpoint with CEP H.323 authentication, you will need to adjust the VoIP policy accordingly. For instance, SIP uses UDP port 5060, not the TCP port 1720.
Notes: Enterasys highly recommends that you use the NetSight Policy Manager to configure QoS on your network, whether you are applying policy or not. This example discusses the QoS configuration using Policy Manager followed by CLI input summaries.

To simplify this discussion of the configuration process, this example is limited to the VoIP configuration context. Table 2 provides a set of sample values for priority, IRL, and transmit queue across a number of real-world traffic types. This table can be used as an aid in thinking about how you might want to apply CoS across your network. Note that scavenger class is traffic that should be treated as less than best effort: external web traffic, for instance.

Table 2  CoS Sample Values By Traffic Type
[Table 2 layout recovered from the extraction: columns Name, Priority, Transmit Queue (Queue # Edge/Core, Shaping Edge/Core, WFQ Edge/Core) and IRL (Edge/Core); rows Edge Loop Detect, Scavenger, Best Effort, Bulk Data, Critical Data, Network Control, Network Management, RTP Voice/Video. Cell values as extracted, column assignment not recoverable: 0 0 1 2 3 4 5 6 1 Mbps 7 25 Mbps 3 3 25% 25% 40 PPS 2 Mbps 1 Mbps 2 2 1Mbps 25% 25% 1 1 80% 45% 45% 10 PPS 15 Mbps 10 PPS 0 0 10% 5% 5%]

Figure 7 displays the network setup for this example configuration, with the desired Profile/QoS summary for each network node. Each node is configured with VoIP and Data VLANs. Each VoIP VLAN contains four 1-gigabit interfaces for each node.


Figure 7  QoS Configuration Example

[Figure: Core Router (VLAN 22 VoIP, VLAN 21 Data, ports ge.1.2-5) connected to Edge Router (VLAN 12 VoIP, VLAN 11 Data, ports ge.1.10-13) over ge.1.10, IP addr 10.0.0.1. Profile summaries shown on the figure:

Core: Policy Profile VoIPCore-VLAN22; Ports ge.1.2-5; Default CoS 5; CoS 8; egress-vlans 22; tci-overwrite enabled; ToS 184; Rate Limit 25 mbps; Physical queue 2.

Edge: Policy Profile VoIPCore-VLAN12; Ports ge.1.10-13; Default CoS 5; CoS 9; egress-vlans 12; tci-overwrite enabled; ToS 184; Rate Limit 1024 kbps; Physical queue 2.

H.323 CEP Authentication: Policy Profile H323CallSetup; Ports ge.1.10; Default CoS 5; CoS 10; tci-overwrite enabled; tcidestIP Port 1720: 10.0.0.1; Rate Limit 1024 kbps; ToS 184; Physical queue 2.]

A core profile for the router and an edge profile for the switch provide for the difference in rate limiting needs between the end user and aggregation devices. A call setup profile provides rate limiting for the setup aspect of the VoIP call. Each edge and core VLAN profile will be configured for default CoS 5 (best default priority for voice and video), the addition of its associated VLAN to its egress VLAN list, and ToS overwrite. We will create a separate CoS for both the edge and core to handle ToS, rate limit and queue configuration for these devices.

The H.323 call setup profile will be configured so that TCP call setup traffic on the TCP destination port 1720:10.0.0.1 of its gigabit link will be configured for the proper rate limit on that port.


Using NetSight Policy Manager, configure the policy roles and related services as follows:

Setting the VoIP Core Policy Profile (Router 1)


For S-Series router 1, we configure a separate policy for VoIP Core. VoIP Core policy deals with packets transiting the core network using VoIP VLAN 22. For role VoIPCore we will:
• Configure VoIPEdge-VLAN22 as the name of the role.
• Set default CoS to 5.
• Set the default access control to VLAN 22.
• Enable TCI overwrite so that ToS will be rewritten for this policy.

Create a Policy Service


• Name the service VoIPCoreService.
• Apply the service to the VoIPCore Policy Role.

Create a Rate-limiter
Create a rate limit as follows:
• Inbound rate limit of 25 mbps
• Apply it to port group types 32/8/100 for index 0

Create Class of Service for VoIPEdge Policy


Create CoS 8 as follows:
• 802.1p priority: 5
• ToS: B8
• Specify IRL index 0 to associate this CoS to the rate limit

Create a Rule
• Create a Layer 2 traffic classification rule for VLAN ID 22 within the VoIPCore service.
• Associate CoS 8 as the action for the rule.

Setting the VoIP Edge Policy Profile (Switch 1)


For S-Series Switch 1, we configure a separate policy for VoIP edge. VoIP edge policy deals with packets transiting the edge network using VoIP VLAN 12 with edge access. For role VoIPEdge we will:
• Configure VoIPEdge-VLAN12 as the name of the role.
• Set default CoS to 5.
• Set the default access control to VLAN 22.
• Enable TCI overwrite so that ToS will be rewritten for this policy.


Create a Policy Service


• Name the service VoIPEdgeService.
• Apply the service to the VoIPEdge Policy Role.

Create a Rate-limiter
Create a rate limit as follows:
• Inbound rate limit of 1 mbps
• Apply it to port group types 32/8/100 for index 0

Create Class of Service for VoIPEdge Policy


Create CoS 9 as follows:
• 802.1p priority: 5
• ToS: B8
• Specify IRL index 0 to associate this CoS to the rate limit

Create a Rule
• Create a Layer 2 traffic classification rule for VLAN ID 22 within the VoIPEdge service.
• Associate CoS 9 as the action for the rule.

Setting the H.323 Call Setup Policy Profile


H.323 Call Setup policy deals with the call setup traffic for VoIP H.323 authenticated users directly attached to Switch 1 using link ge.1.10. For role H.323 Call Setup we will:
• Configure H323CallSetup as the name of the role.
• Set default CoS to 5.
• Enable TCI overwrite so that ToS will be rewritten for this policy.

Create a Policy Service


• Name the service H323CallSetupService.
• Apply the service to the H323CallSetup Policy Role.

Create a Rate-limiter
Create a rate limit as follows:
• Inbound rate limit of 5 pps
• Apply it to port group types 32/8/100 for index 1

Create Class of Service for H323CallSetup Policy


Create CoS 10 as follows:
• 802.1p priority: 5
• ToS: B8
• Specify IRL index 1 to associate this CoS to the rate limit

Create a Traffic Classification Layer Rule


Create a transport layer 3 rule as follows:
• Traffic Classification Type: IP TCP Port Destination
• Enter in Single Value field: 1720 (TCP Port ID)
• For IP TCP Port Destination value: 10.0.0.1 with a mask of 255.255.255.255
• Associate CoS 10 as the action for the rule

Applying Role and Associated Services to Network Nodes


Once you have created your roles and associated the appropriate services to them, you must apply the appropriate role(s) to the network nodes as follows:

Router 1
The policy role creation discussed above is appropriate for Router 1 as follows:
• Apply role VoIPCore-VLAN22 to ports ge.1.2-5.

Switch 1
VoIPEdge and H323CallSetup roles are applied to Switch 1 as follows:
• Apply role VoIPEdge-VLAN12 to ports ge.1.10-13.
• Apply role H323CallSetup to port ge.1.10

CLI Summaries for This QoS Configuration


This QoS configuration can be input from the CLI using the following entries:

Summary of Command Line Input for S-Series Router 1


s-series(rw)->set policy profile 1 name VoIPCore-VLAN22 cos 5 egress-vlans 22 tci-overwrite enable
s-series(rw)->set policy rule admin-profile vlantag 22 mask 12 port-string ge.1.2-5 admin-pid 1
s-series(rw)->set policy rule 1 vlantag 22 mask 12 vlan 22 cos 8
s-series(rw)->set cos port-resource irl 1.1 0 unit mbps rate 25
s-series(rw)->set cos reference irl 1.1 8 rate-limit 0
s-series(rw)->set cos 8 priority 5 tos-value 184.0 txq-reference 8 irl-reference 0
s-series(rw)->set cos state enable

Summary of Command Line Input for S-Series Switch 1


s-series(rw)->set policy profile 1 name VoIPEdge-VLAN12 cos 5 egress-vlans 12 tci-overwrite enable
s-series(rw)->set policy rule admin-profile vlantag 12 mask 12 port-string ge.1.10-13 admin-pid 1
s-series(rw)->set policy rule 1 vlantag 12 mask 12 vlan 12 cos 9
s-series(rw)->set cos port-resource irl 2.1 0 unit mbps rate 1
s-series(rw)->set cos reference irl 2.1 9 rate-limit 0
s-series(rw)->set cos 9 priority 5 tos-value 184.0 txq-reference 8 irl-reference 1
s-series(rw)->set policy profile 2 name H323CallSetup cos 5 tci-overwrite enable
s-series(rw)->set policy rule admin-profile port ge.1.10 mask 16 port-string ge.1.10 admin-pid 2
s-series(rw)->set policy rule 1 tcpdestportIP 1720:10.0.0.1 cos 10 port-string ge.1.10
s-series(rw)->set cos port-resource irl 3.1 2 unit pps rate 5
s-series(rw)->set cos reference irl 3.1 10 rate-limit 1
s-series(rw)->set cos 10 priority 5 tos-value 184.0 txq-reference 8 irl-reference 2
s-series(rw)->set cos state enable

Terms and Definitions


Table 3 lists terms and definitions used in this Quality of Service configuration discussion.

Table 3  Quality of Service Configuration Terms and Definitions

Class of Service (CoS): The grouping of priority and forwarding behaviors that collectively determine packet bandwidth behavior as it transits the link, including: 802.1p, IP ToS rewrite, priority Transmit Queue (TxQ), Inbound and/or outbound Rate Limiter (IRL) and outbound rate shaper.

DSCP: Differentiated Services Code Point. The lower 6 bits of the ToS field defined by RFC 2474.

Flows: In a QoS context, a sequence of IP packets that share a common class of service and forwarding treatment as they transit the interface.

Forwarding Treatment: Queue behavior during the packet egress stage (strict priority, weighted fair, hybrid).

Jitter: The change in a flow's packet spacing on the link due to the bursty and congestive nature of the IP network. This irregular spacing (jitter) can severely degrade the quality of voice calls or multimedia presentations.

Port Group: The grouping of ports based upon the same CoS features and port type.

Port Type: The differentiation of ports based upon TxQ, IRL, ORL, and flood control resource capabilities.

Priority: The preference of one packet (classification) or queue (packet forwarding) over another.

Quality of Service (QoS): A bandwidth management mechanism able to preferentially treat packets based upon packet classification and forwarding treatment.

Rate Limiting: The bounding of bandwidth used by a QoS packet flow such that excess packets are dropped/clipped.

Rate Shaping: The rescheduling of bursty traffic while in the queue based upon packet buffering such that traffic beyond the configured bandwidth threshold is delayed until bandwidth usage falls below the configured threshold.

Type of Service (ToS): An 8-bit field defined by RFC 1349 used for the prioritization of packets within a QoS context.
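The distinction Table 3 draws between rate limiting (excess packets dropped) and rate shaping (excess packets delayed), and the ToS value the configuration example relies on (Policy Manager's ToS B8 and the CLI's tos-value 184 are the same byte), can be checked in a few lines. The following Python model is an added illustration, not Enterasys code: TokenBucket is a generic token-bucket approximation of an IRL (limiter) or TxQ shaper, not the S-Series hardware algorithm, and the burst of ten call-setup packets fed to the example's 5 pps limit is constructed.

```python
"""Rate limiting versus rate shaping, plus the ToS/DSCP values of the VoIP example.

Added illustration, not Enterasys code. TokenBucket is a generic token-bucket
approximation of an IRL (limiter) or TxQ shaper, not the S-Series hardware
algorithm; the sample arrivals in demo() are constructed."""
from collections import deque


def tos_fields(tos_byte):
    """Split an IPv4 ToS byte into DSCP (upper 6 bits) and ECN (lower 2 bits)."""
    if not 0 <= tos_byte <= 255:
        raise ValueError("ToS byte must be 0..255")
    return {"hex": f"{tos_byte:02X}", "dscp": tos_byte >> 2, "ecn": tos_byte & 0x3}


class TokenBucket:
    """Bucket holding at most `burst` units, refilled at `rate` units per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), 0.0

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, now, cost):
        """Spend `cost` tokens at time `now` if available; return whether it succeeded."""
        self.refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def rate_limit(arrivals, rate, burst):
    """Limiter (IRL semantics): packets the bucket cannot cover are dropped.
    arrivals is a list of (time_seconds, size_units). Returns (passed, dropped)."""
    bucket = TokenBucket(rate, burst)
    passed, dropped = [], []
    for t, size in arrivals:
        (passed if bucket.take(t, size) else dropped).append((t, size))
    return passed, dropped


def rate_shape(arrivals, rate, burst):
    """Shaper (TxQ rate-shaping semantics): excess packets wait in a FIFO until
    enough tokens accrue. Returns [(arrival, departure, size)]; nothing is dropped."""
    if any(size > burst for _, size in arrivals):
        raise ValueError("a packet larger than the burst size could never be released")
    bucket = TokenBucket(rate, burst)
    queue, out, now = deque(sorted(arrivals)), [], 0.0
    while queue:
        t, size = queue.popleft()
        now = max(now, t)          # FIFO: a packet never leaves before the one ahead of it
        bucket.refill(now)
        if bucket.tokens < size:   # wait exactly long enough for the deficit to accrue
            now += (size - bucket.tokens) / bucket.rate
            bucket.tokens, bucket.last = size, now
        bucket.tokens -= size
        out.append((t, now, size))
    return out


def demo():
    """The example's 5 pps call-setup limit, fed a constructed burst of ten setup
    packets arriving at once (bucket depth 5)."""
    burst_of_ten = [(0.0, 1)] * 10
    passed, dropped = rate_limit(burst_of_ten, rate=5, burst=5)
    shaped = rate_shape(burst_of_ten, rate=5, burst=5)
    return {
        "voip_tos": tos_fields(184),                 # {'hex': 'B8', 'dscp': 46, 'ecn': 0}
        "limited": (len(passed), len(dropped)),      # (5, 5): half the burst is clipped
        "shaped_count": len(shaped),                 # 10: nothing dropped, only delayed
        "max_shaping_delay": round(max(dep - arr for arr, dep, _ in shaped), 3),  # 1.0 s
    }


if __name__ == "__main__":
    print(demo())
```

The two functions share the same bucket; the only difference is what happens to a packet that finds the bucket empty, which is exactly the limiter/shaper distinction in the table. The ToS split also shows why the VoIP example writes ToS 184 rather than a DSCP: the switch rewrites the whole byte, and 184 carries DSCP 46 with the two ECN bits clear.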


Revision History

Date                Description
January 28, 2008    Initial Release of the Document
February 22, 2008   Modifications due to product branding changes.
September 18, 2008  Modifications due to product branding changes and minor template updates.
January 23, 2009    Cosmetic changes only.
May 09, 2011        Updated for S-Series, IRL, ORL, flood control, and Flex-Edge features, plus major rewrite of overview information.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

2011 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS NETSIGHT, LANVIEW, WEBVIEW, S-SERIES and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring RADIUS-Snooping
This chapter provides the following information about configuring and monitoring RADIUS-Snooping on Enterasys N-Series, S-Series, and K-Series modular switches.
For information about...                          Refer to page...
What is RADIUS-Snooping?                          1
Why Would I Use RADIUS-Snooping in My Network?    2
How Can I Implement RADIUS-Snooping?              2
RADIUS-Snooping Overview                          2
Configuring RADIUS-Snooping                       6
RADIUS-Snooping Configuration Example             8
Terms and Definitions                             10

What is RADIUS-Snooping?
RADIUS-Snooping (RS) is one of the Enterasys MultiAuth suite of authentication methods. See the Configuring Authentication Feature Guide for a detailed discussion of the other authentication methods supported by Enterasys modular switches. RS resides on the distribution-tier switch, allowing for management of any directly connected edge switch that uses the RADIUS protocol to authenticate a network end-station, but does not support the full complement of the Enterasys Secure Networks capabilities.

The RADIUS client edge switch initiates an authentication request, by sending a RADIUS request to the RADIUS server that resides upstream of the distribution-tier switch. By investigating the RADIUS request frames, RS can determine the MAC address of the end-user device being authenticated. The network administrator creates a user account on the RADIUS server for the end-user that includes any policy, dynamic VLAN assignment, and other RADIUS and RS attributes for this end-station. By investigating the RADIUS response from the RADIUS server, RS can build a MultiAuth session as though the end-user were directly connected to the distribution-tier device.

Sessions detected by RS function identically to local authenticated sessions from the perspective of the Enterasys MultiAuth framework, with the exception that RS cannot force a reauthentication event; it can only time out the session.

June 03, 2011

Why Would I Use RADIUS-Snooping in My Network?


RADIUS-Snooping allows the Enterasys distribution-tier switch to identify RADIUS exchanges between devices connected to edge switches and apply policy to those devices even when the edge switch is from another vendor and does not support policy. RADIUS-Snooping provides, but is not limited to, the following functionalities:
• RFC 3580 Dynamic VLAN assignment
• Authentication modes support
• Idle and session timeouts support
• Multi-user authentication on a port
• Multi-authentication method support

With RS enabled on the distribution-tier switch, these Secure Networks capabilities can be configured by the network administrator on an end-user basis.

How Can I Implement RADIUS-Snooping?


RS requires that unencrypted RADIUS request frames, from the edge switch, transit the distribution-tier switch, before proceeding to the upstream RADIUS server for validation.
Note: A router cannot reside between the RADIUS client and the distribution-tier switch enabled for RS. The presence of a router would modify the calling-station ID of the RADIUS request frame that RS depends upon to learn the MAC address of the end-station for this session.

To configure RS on a distribution-tier switch:
• Set the global MultiAuth mode to multi
• Set the MultiAuth port mode to auth-opt for all ports that are part of the RS configuration
• Globally enable RS on the distribution-tier switch
• Enable RS on all ports over which RADIUS request and response frames will transit
• Optionally change the period RS will wait for a RADIUS response frame from the server
• Populate the RADIUS-Snooping flow table with RS client and RADIUS server combinations

RADIUS-Snooping Overview
This section provides an overview of RADIUS-Snooping configuration and management.
Note: RADIUS-Snooping is currently only supported on Enterasys modular switch products. A minimum of 256 MB of memory is required on all DFE modules in the switch, in order to enable RADIUS-Snooping. See the SDRAM field of the show system hardware command to display the amount of memory installed on a module. Module memory can be upgraded to 256 MB using the DFE-256MB-UGK memory kit.


RADIUS-Snooping Configuration
MultiAuth Configuration
MultiAuth must be enabled if the RADIUS-Snooping configuration involves the authentication of more than a single user on a port. There are two aspects to multi-authentication in a RADIUS-Snooping configuration:
• The global MultiAuth mode must be changed from the default mode of strict to multi, in order to authenticate multiple downstream users.
• The MultiAuth port mode must be set to auth-opt for both upstream (to the RADIUS server) and downstream (to the authenticating switch) ports. Setting global MultiAuth to multi sets the default port value from auth-opt to force-auth. Reset the mode for the affected ports to auth-opt.

See the Configuring User Authentication feature guide at https://extranet.enterasys.com/downloads/ for a complete discussion on MultiAuth configuration.

Enabling RADIUS-Snooping
RS is enabled globally on the distribution-tier switch. It is also enabled on the distribution-tier switch ports directly attached to the edge switch that the RADIUS request frames transit, from the edge switch to the RADIUS server, as well as the ports the response frames transit, from the RADIUS server back to the edge switch.

Configuring Enabled Port Settings


The number of seconds the firmware waits for a RADIUS response after it successfully snoops a RADIUS request can be set per port. If you do not set this timeout at the port level, the system level setting is used.

In some cases it may be necessary to drop RADIUS traffic between the distribution-tier device and the edge switches. You can enable or disable packet drop on a per port basis. Packets are always dropped for a resource issue situation. RS is not capable of forcing a reauthentication event should it be unable to investigate a RADIUS request exchange. Dropping a RADIUS request packet due to resource exhaustion, in most cases, will cause the edge device to retry a RADIUS request, providing another opportunity to snoop the RADIUS exchange. Frames with an invalid format for the calling station ID are only dropped when drop is enabled. In the case of dropping frames with an invalid format, authentication will not take place for this end-user.

The authallocated value specifies the maximum number of RS users per port. You can configure this number of allowed RS users on a per port basis. The default value depends upon the system license for this device. You should set this authallocated value equal to or less than the configured value for the set multiauth port numusers command. This value is the maximum number of users per port for all authentication clients. Typically, authallocated and multiauth port numusers are set to the same value.

Populating the RADIUS-Snooping Flow Table


The RADIUS-Snooping flow table is a filter that determines which RADIUS server and client combinations will be snooped. If the secret is configured, the response frames are checked for a valid MD5 checksum, in order to validate the sender.

The RS flow table contains RADIUS server and client entries for each RADIUS server and client combination for which RS will be used on this system. The RADIUS client IP address and authenticating RADIUS server IP address are manually entered into the RADIUS-Snooping flow table. By default, the RADIUS-Snooping flow table is empty. Entries are added to the flow table based upon an index entry. The first matching entry in the table is used for the continuation of the authentication process.

When an investigated RADIUS frame transits the RS enabled port with a match in the flow table, RS will track that RADIUS request and response exchange and will build a MultiAuth session for the end-user, based upon what it finds in the RADIUS response frames.

Setting the RADIUS-Snooping Timeout


A timeout is configured to set the number of seconds that the firmware waits for a RADIUS response frame to be returned from the RADIUS server, after successfully snooping a RADIUS request frame from the client. If no response is seen before the timeout expires, the session is terminated.

RADIUS-Snooping Management
RADIUS-Snooping management options are available to:
• Terminate all RS sessions or on a per port or MAC address basis
• Reset all RS configuration to its default settings
• Clear all RADIUS-Snooping flow table entries or per index entry
• Display RS statistics

RADIUS Session Attributes


The RADIUS attributes defining the session are returned in the RADIUS response frame. RADIUS attributes are used to configure the user on the system. Attributes explicitly supported by RS that may be included in the RADIUS response frame are:
• Idle-Timeout: If no frames are seen from this MAC address, for the number of seconds configured, the session will be terminated.
• Session-Timeout: The session is terminated after the number of seconds configured.
• Filter-ID: Defines the policy profile (role) and CLI management privilege level, just as it would for any other local authentication agent.
• Tunnel-Group-Id: Specifies the VLAN ID for this session.
Note: Numerous attributes may be supported by the RADIUS client for general RADIUS protocol support. Such attributes are beyond the scope of this document. This RS implementation does not interfere with normal RADIUS client attribute support. The list above indicates attributes actually used by this RADIUS-Snooping application once authentication is successfully completed.


Figure 1  RADIUS-Snooping Overview

[Figure: RADIUS Server at the top, Distribution-Tier Switch in the middle, Edge Switch at the bottom. The RADIUS Request Frame travels from the Edge Switch up through the Distribution-Tier Switch to the RADIUS Server and is snooped by the distribution-tier switch; the RADIUS Response Frame travels back down through the Distribution-Tier Switch to the Edge Switch and is snooped by the distribution-tier switch.]

Figure 1 on page 5 illustrates the RADIUS request frame and RADIUS response frame paths. As the RADIUS request frame from the RADIUS client edge device transits the distribution-tier switch, it is snooped. An RS session is created on the distribution-tier switch, if:
• RADIUS snooping is enabled on the switch
• RADIUS-Snooping is enabled on the port
• The RADIUS client edge device and RADIUS server combination are defined in the RADIUS snooping flow table

When the RADIUS server receives the request, the authenticating device is first validated. After validating the authenticating device, the server authenticates the user session itself based on passed username and password attributes. If that succeeds an access-accept message containing RADIUS attributes is sent back to the client, otherwise an access-reject message is sent back. As the RADIUS response frame transits the distribution-tier switch, the RADIUS attributes contained in the response frame are applied to this session, if an RS session was created for this client server combination and the session has not timed out.
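The exchange just described, together with the flow-table filtering, secret check and session attributes from the preceding sections, as an added example in Python that is not Enterasys firmware: a snooper that sees the Access-Request, learns the end-station MAC from Calling-Station-Id (attribute 31), matches the client/server pair against the first flow-table entry, and then accepts the Access-Accept only if its Response Authenticator is the RFC 2865 MD5 over the request authenticator and the entry's secret, pulling out Filter-Id (11), Session-Timeout (27), Idle-Timeout (28) and Tunnel-Private-Group-ID (81, the RFC 2868 name for what the page calls Tunnel-Group-Id). The RADIUS frames, the flow-table layout (index, client, server, port, secret, modelled on the set radius-snooping flow arguments), the session states and the timeout handling are all constructed for the illustration.

```python
"""Snoop a RADIUS exchange as the text describes: learn the end-station MAC from the
Access-Request's Calling-Station-Id, check the Access-Accept's Response Authenticator with
the flow-table secret (RFC 2865), and read the session attributes listed above. Added
example, not Enterasys firmware; frames, flow-table layout and timeout handling are constructed."""
import hashlib
import re
import struct
from collections import namedtuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
FILTER_ID, SESSION_TIMEOUT, IDLE_TIMEOUT, CALLING_STATION_ID, TUNNEL_PRIVATE_GROUP_ID = 11, 27, 28, 31, 81
ATTR_NAMES = {FILTER_ID: "Filter-Id", SESSION_TIMEOUT: "Session-Timeout",
              IDLE_TIMEOUT: "Idle-Timeout", TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}
Flow = namedtuple("Flow", "index client server port secret")  # one RS flow-table entry (layout assumed)


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type, total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(raw):
    """Return (code, identifier, authenticator, [(type, value), ...]); raise on bad framing."""
    if len(raw) < 20 or struct.unpack("!H", raw[2:4])[0] != len(raw):
        raise ValueError("RADIUS length field does not match frame")
    attrs, pos = [], 20
    while pos < len(raw):
        t, ln = raw[pos], raw[pos + 1]
        if ln < 2 or pos + ln > len(raw):
            raise ValueError("malformed attribute")
        attrs.append((t, raw[pos + 2:pos + ln]))
        pos += ln
    return raw[0], raw[1], raw[4:20], attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def normalize_mac(text):
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455; None if malformed."""
    digits = re.sub(r"[-:.]", "", text or "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def decode_attr(t, v):
    if t in (SESSION_TIMEOUT, IDLE_TIMEOUT):
        return struct.unpack("!I", v)[0]
    if t == TUNNEL_PRIVATE_GROUP_ID and v and v[0] <= 0x1F:
        v = v[1:]  # strip the RFC 2868 tag byte
    return v.decode()


class RadiusSnooper:
    def __init__(self, flows, timeout=20.0):
        self.flows = sorted(flows, key=lambda f: f.index)   # first matching entry wins
        self.timeout, self.pending, self.sessions = timeout, {}, {}

    def see_request(self, client, server, port, raw, now):
        # Edge switch -> server: returns the learned MAC, or None if the frame is not snooped.
        flow = next((f for f in self.flows if (f.client, f.server, f.port) == (client, server, port)), None)
        if flow is None:
            return None
        code, ident, auth, attrs = parse_packet(raw)
        csid = next((v.decode(errors="replace") for t, v in attrs if t == CALLING_STATION_ID), None)
        mac = normalize_mac(csid)
        if code != ACCESS_REQUEST or mac is None:
            return None                       # no usable Calling-Station-Id: no session
        self.pending[(client, server, ident)] = (auth, flow, now, mac)
        self.sessions[mac] = {"state": "pending", "attrs": {}}
        return mac

    def see_response(self, server, client, raw, now):
        # Server -> edge switch: returns the resulting session state, or None if unmatched.
        code, ident, auth, attrs = parse_packet(raw)
        entry = self.pending.pop((client, server, ident), None)
        if entry is None:
            return None
        req_auth, flow, t0, mac = entry
        session = self.sessions[mac]
        if now - t0 > self.timeout:
            session["state"] = "timeout"            # response arrived after the RS timeout
        elif flow.secret and auth != response_authenticator(code, ident, attrs, req_auth, flow.secret):
            session["state"] = "bad-authenticator"  # not from the server that holds the secret
        elif code == ACCESS_ACCEPT:
            session["state"] = "accepted"
            session["attrs"] = {ATTR_NAMES[t]: decode_attr(t, v) for t, v in attrs if t in ATTR_NAMES}
        else:
            session["state"] = "rejected"
        return session["state"]


def exchange(tamper=False, response_at=2.0):
    """Constructed exchange on flow index 2 of the page's example (10.10.10.20 -> 50.50.50.60)."""
    secret = b"mysecret"
    snooper = RadiusSnooper([Flow(1, "10.10.10.10", "50.50.50.50", 1812, secret),
                             Flow(2, "10.10.10.20", "50.50.50.60", 1812, secret)], timeout=15)
    req_auth = bytes(range(16))  # constructed; a real client uses 16 random bytes
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [(1, b"alice"), (CALLING_STATION_ID, b"00-11-22-33-44-55")])
    accept_attrs = [(FILTER_ID, b"Enterprise User"), (SESSION_TIMEOUT, struct.pack("!I", 3600)),
                    (IDLE_TIMEOUT, struct.pack("!I", 300)), (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"12")]
    resp_auth = bytes(16) if tamper else response_authenticator(ACCESS_ACCEPT, 7, accept_attrs, req_auth, secret)
    accept = build_packet(ACCESS_ACCEPT, 7, resp_auth, accept_attrs)
    mac = snooper.see_request("10.10.10.20", "50.50.50.60", 1812, request, now=0.0)
    state = snooper.see_response("50.50.50.60", "10.10.10.20", accept, now=response_at)
    return mac, state, snooper.sessions[mac]["attrs"]
```

Two behaviours from the text fall out of the model directly: a response that arrives after the timeout never populates the session, and, when a secret is configured for the flow, an Access-Accept whose authenticator was not computed with that secret is not trusted even though it is well-formed and names the right client. Without a secret the snooper has only the identifier and addresses to go on, which is why the flow-table secret matters.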


Configuring RADIUS-Snooping
This section provides details for the configuration of RADIUS-Snooping on the Enterasys modular switch products. Table 1 lists RS parameters and their default values.

Table 1  Default Authentication Parameters

Parameter: authallocated
Description: Specifies the maximum number of allowed RS sessions from all RADIUS clients, on a per port basis.
Default Value: 8, 128, or 256 depending upon the system license for this device

Parameter: drop
Description: Specifies traffic drop behavior for this port. Enables or disables packet drop in a port context.
Default Value: Disabled

Parameter: enable/disable
Description: Enables or disables RS on the distribution-tier switch in a system context or on this port in a port context.
Default Value: Disabled

Parameter: Global MultiAuth mode
Description: Specifies the global MultiAuth mode.
Default Value: Strict

Parameter: index
Description: The numeric ID of a RADIUS-Snooping flow table entry.
Default Value: None

Parameter: MultiAuth port mode
Description: Specifies the MultiAuth authentication mode on a per port basis.
Default Value: Auth-opt

Parameter: RADIUS-Snooping timeout
Description: Specifies the number of seconds that the firmware waits, from the time it successfully snoops a RADIUS request frame, for a RADIUS response frame from the RADIUS server, before terminating the session.
Default Value: 20 seconds

Parameter: secret
Description: Specifies the RADIUS secret for this RADIUS-Snooping flow table entry.
Default Value: No secret

Parameter: UDP port/standard
Description: Specifies the RADIUS UDP port. Standard refers to the default value.
Default Value: 1812

Configuring RADIUS-Snooping on the Distribution-Tier Switch


Procedure 1 describes how to configure RADIUS-Snooping on the distribution-tier switch.

Procedure 1  RADIUS-Snooping Configuration

Step 1. Task: Globally enable MultiAuth for multi mode.
Command(s): set multiauth mode multi

Step 2. Task: Configure each upstream and downstream port for the auth-opt mode.
Command(s): set multiauth port mode auth-opt port-string

Step 3. Task: Globally enable RADIUS-Snooping on the distribution-tier switch.
Command(s): set radius-snooping enable

Step 4. Task: Enable RADIUS-Snooping on each distribution-tier switch port over which RADIUS request and response frames transit.
Command(s): set radius-snooping port [enable] [timeout seconds] [drop {enabled | disabled}] [authallocated number] [port-string]

Step 5. Task: Configure RADIUS-Snooping flow table index entries.
Command(s): set radius-snooping flow index client-IP-Address server-IP-Address {port | standard} [secret]

Step 6. Task: Optionally modify the RADIUS-Snooping timeout setting.
Command(s): set radius-snooping timeout seconds

Managing RADIUS-Snooping
Table 2 describes how to manage RADIUS-Snooping on the distribution-tier switch.

Table 2  Managing RADIUS-Snooping

Task: To terminate active sessions on the system for the specified port or MAC address.
Command(s): set radius-snooping initialize {port port-string | mac-address}

Task: To reset all RS configuration to its default value on this system.
Command(s): clear radius-snooping all

Task: To clear all entries or the specified index entry from the RS flow table.
Command(s): clear radius-snooping flow {all | index}

Displaying RADIUS-Snooping Statistics


Table 3 describes how to display RADIUS-Snooping statistics.

Table 3  Displaying RADIUS-Snooping Statistics

Task: To display a general overview of the global RS status.
Command(s): show radius-snooping

Task: To display the RS status for the specified port.
Command(s): show radius-snooping port port-string

Task: To display information for all or the specified flow index entry.
Command(s): show radius-snooping flow {index | all}

Task: To display a summary of sessions for the specified port or MAC address.
Command(s): show radius-snooping session {port port-string | mac mac-address}


RADIUS-Snooping Configuration Example


Our RADIUS-Snooping configuration example will configure a distribution-tier switch for two RADIUS request and response flows (index 1 and index 2). Index 1 is from RADIUS client 10.10.10.10 through the network core to the RADIUS server 50.50.50.50. Index 2 is from RADIUS client 10.10.10.20 through a layer 2 switch to the local RADIUS server 50.50.50.60. Each flow is transiting the single distribution-tier switch configured in this example.

See Figure 2 for an illustration of the example setup.

Figure 2  RADIUS-Snooping Configuration Example Overview
RADIUS Server
50.50.50.50

RADIUS Server
50.50.50.60

Network Core

Layer 2 Switch

Index 1 Flows

Distribution-Tier Switch

Index 2 Flows

Edge Switch RADIUS Client


10.10.10.10

Wireless Access Point RADIUS Client


10.10.10.20

Authenticating Devices

Authenticating Devices

June 03, 2011

Page 8 of 12

RADIUS-Snooping Configuration Example

We first set the global MultiAuth mode to multi on the distribution-tier switch. We then set the MultiAuth authentication mode to auth-opt for the upstream (ge.1.5-10) and downstream (ge.1.15-24) ports.

With the MultiAuth settings configured, we enable RADIUS-Snooping at the system level for the distribution-tier switch. We then enable RADIUS-Snooping on the two sets of ports over which all RADIUS-Snooping request and response frames will transit. In the same command line we:

- Set the port timeout to the system timeout value (0)
- Enable drop on all ports
- Set the maximum number of RS sessions per port to 256

We then configure the two flows as specified above for UDP port 1812 and a secret of mysecret. We complete the configuration by changing the timeout value at the system level to 15 seconds from a default of 20 seconds.

Configure the Distribution-tier Switch

Set the MultiAuth mode for the system:
System(su)->set multiauth mode multi

Set the MultiAuth authentication mode for each port:
System(su)->set multiauth port mode auth-opt ge.1.5-10,15-24

Enable RS on this system:
System(su)->set radius-snooping enable

Enable RS and set configuration for ports on this system:
System(su)->set radius-snooping port enable drop enabled authallocated 256 ge.1.5-10
System(su)->set radius-snooping port enable drop enabled authallocated 256 ge.1.15-24

Configure RS flow table entries:
System(su)->set radius-snooping flow 1 10.10.10.10 50.50.50.50 1812 mysecret
System(su)->set radius-snooping flow 2 10.10.10.20 50.50.50.60 1812 mysecret

Configure RS timeout for this system:
System(su)->set radius-snooping timeout 15

Managing RADIUS-Snooping on the Distribution-tier Switch

Terminate an active session on port ge.1.15:
System(su)->set radius-snooping initialize port ge.1.15

Reset all RS configuration to its default value:
System(su)->clear radius-snooping all

Clear entry index 2 from the RS flow table:
System(su)->clear radius-snooping flow 2

This completes the RADIUS-Snooping configuration example.
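The validation a snooping distribution-tier switch has to perform for the two flows configured above, as an added Python example that is not Enterasys code: it keys the flow table on the configured client and server addresses and UDP port 1812, checks the Access-Accept against the shared secret mysecret using the RFC 2865 Response Authenticator, and pulls out the Calling-Station-Id and Filter-ID attributes. The packets, the client MAC address and the Filter-ID value are constructed for the example.

```python
import hashlib
import struct

# RFC 2865 codes and attribute types used by the two configured flows.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_FILTER_ID, ATTR_CALLING_STATION_ID = 1, 11, 31

# The flow table as configured above: index -> (client IP, server IP, port, secret)
FLOW_TABLE = {
    1: ("10.10.10.10", "50.50.50.50", 1812, b"mysecret"),
    2: ("10.10.10.20", "50.50.50.60", 1812, b"mysecret"),
}


def lookup_flow(src_ip, src_port, dst_ip, dst_port):
    """Return (index, direction) when a UDP datagram belongs to a configured
    flow; None means the frame is not a snooped RADIUS request or response."""
    for index, (client, server, port, _secret) in FLOW_TABLE.items():
        if (src_ip, dst_ip, dst_port) == (client, server, port):
            return index, "request"
        if (src_ip, src_port, dst_ip) == (server, port, client):
            return index, "response"
    return None


def parse_radius(data):
    """Parse the 20-byte RADIUS header and the attribute TLVs that follow it.
    Returns (code, identifier, authenticator, [(type, value), ...])."""
    if len(data) < 20:
        raise ValueError("datagram shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("RADIUS length field inconsistent with datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length %d out of range" % alen)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs


def build_radius(code, ident, authenticator, attrs):
    """Serialise a RADIUS datagram; used here only to construct the samples."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(response, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()


def snoop_exchange(secret, request, response):
    """Pair a response with its request using the flow's secret and report
    what the switch may act on. An authenticator mismatch means the response
    did not come from the server the flow names, so nothing is learned from it."""
    _, req_id, req_auth, req_attrs = parse_radius(request)
    code, resp_id, resp_auth, resp_attrs = parse_radius(response)
    if resp_id != req_id:
        return {"valid": False, "reason": "identifier mismatch"}
    if resp_auth != response_authenticator(response, req_auth, secret):
        return {"valid": False, "reason": "response authenticator mismatch"}
    req, resp = dict(req_attrs), dict(resp_attrs)
    return {
        "valid": True,
        "accepted": code == ACCESS_ACCEPT,
        "calling_station_id": req.get(ATTR_CALLING_STATION_ID, b"").decode(),
        "filter_id": resp.get(ATTR_FILTER_ID, b"").decode(),
    }


def demo():
    """Constructed exchange on flow 1: edge switch 10.10.10.10 authenticates a
    supplicant against 50.50.50.50, which accepts and returns a Filter-ID."""
    req_auth = bytes(range(16))  # a real client sends 16 random bytes here
    request = build_radius(ACCESS_REQUEST, 7, req_auth, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
    ])
    accept = build_radius(ACCESS_ACCEPT, 7, bytes(16), [(ATTR_FILTER_ID, b"Enterprise User")])
    accept = accept[:4] + response_authenticator(accept, req_auth, b"mysecret") + accept[20:]
    flow = lookup_flow("10.10.10.10", 49152, "50.50.50.50", 1812)
    good = snoop_exchange(FLOW_TABLE[flow[0]][3], request, accept)
    # The same accept checked with a flow whose secret differs from the server's.
    bad = snoop_exchange(b"wrongsecret", request, accept)
    return flow, good, bad


if __name__ == "__main__":
    print(demo())
```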

Terms and Definitions

Table 4 lists terms and definitions used in this RADIUS-Snooping configuration discussion.

Table 4 RADIUS-Snooping Configuration Terms and Definitions

Calling-Station ID: An attribute field in the RADIUS request and response frames containing the RADIUS client MAC address.

Distribution-Tier Switch: The switch that aggregates edge switch traffic heading into the core network or other distribution devices.

Edge Switch: The switch directly connected to the end-user device.

Filter-ID: A vendor defined RADIUS attribute that the modular switch authentication implementation makes use of, allowing the authenticating device to assign policy, CLI privilege level, and dynamic VLAN assignment to the end-user.

Multi-Authentication Methods: The ability to authenticate a user for multiple authentication methods such as 802.1x, MAC, PWA, or CEP, while only applying the authentication method with the highest authentication precedence.

Multi-User Authentication: The ability to authenticate multiple users on a port, assigning unique policy to each user based upon the user account RADIUS server configuration and policy configuration on the distribution-tier switch.

MultiAuth Framework: The aspect of Secure Networks functionality that provides authentication capabilities including, but not limited to, multi-user and multi-method authentication, application of policy and Dynamic VLAN assignment.

RADIUS Client: In a RADIUS-Snooping context the RADIUS client is the non-Secure Networks capable edge switch that is responsible for authenticating its attached end-user device or port.

RADIUS-Snooping flow table: A table containing the RADIUS client and server ID defining valid RS sessions.

RADIUS Request Frames: Frames sent by the RADIUS client to the RADIUS server requesting end-user authentication validation.

RADIUS Response Frames: Frames sent by the RADIUS server to the RADIUS client either validating or rejecting an authentication validation request. These frames can also contain the Filter-ID attribute allowing the assignment of policy, CLI privilege, and dynamic VLAN assignment.

RADIUS-Snooping: Provides non-Secure Networks capable edge switches with the full range of Secure Networks authentication capabilities when the RADIUS server is upstream of the distribution-tier switch.


Revision History
Date 11/07/2008 04/16/2009 06/03/2011 Description New Document. Added 256 MB on all modules requirement. Added MultiAuth configuration information. Updated for S-Series and K-Series.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEBSITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

© 2011 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS NETSIGHT, LANVIEW, WEBVIEW, S-SERIES, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.


Configuring SNMP

This chapter provides the following information about configuring and monitoring SNMP on Enterasys N-Series, S-Series, and K-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series, G-Series, and I-Series standalone fixed switches.

For information about... | Refer to page...
What Is SNMP? | 1
Why Would I Use SNMP in My Network? | 1
How Do I Implement SNMP? | 2
SNMP Overview | 2
SNMP Support on Enterasys Devices | 4
Configuring SNMP | 8
Reviewing SNMP Settings | 21

Note: For information about configuring SNMP on the X-Series, refer to the X-Series Configuration Guide.

What Is SNMP?

The Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between network devices. The most widely used management protocol on Internet Protocol (IP) networks, it helps you monitor network performance, troubleshoot problems, and plan for network growth.

SNMP's simplicity lies in the fact that it uses a basic set of command messages to relay notifications of events and error conditions over a connectionless communication link.

Most network devices support the three versions of the protocol: SNMPv1, SNMPv2c, and SNMPv3. The latest version, SNMPv3, provides enhanced security and administrative features as described in this document.

Why Would I Use SNMP in My Network?

SNMP is a simple, cost-effective tool for monitoring your network devices for conditions that warrant administrative attention. It is widely used because it is:

- Easily integrated into your existing LAN topology
- Based on an open standard, making it non-proprietary and well documented
- Flexible enough to communicate the specific conditions you need monitored in your network
- A common management platform supported by many network devices

March 28, 2011

Page 1 of 27

How Do I Implement SNMP?

You can implement SNMP on Enterasys switching devices using simple CLI commands as described in this document. The configuration process involves the following tasks:

1. Creating users and groups allowed to manage the network through SNMP
2. Setting security access rights
3. Setting SNMP Management Information Base (MIB) view attributes
4. Setting target parameters to control the formatting of SNMP notification messages
5. Setting target addresses to control where SNMP notifications are sent
6. Setting SNMP notification parameters (filters)
7. Reviewing SNMP statistics

SNMP Overview

It is helpful to understand the following SNMP components described in this section:

For information about... | Refer to page...
Manager/Agent Model Components | 2
Message Functions | 2
Access to MIB Objects | 3

Manager/Agent Model Components

SNMP provides a message format for communication between managers and agents, which use a MIB and a relatively small set of commands to exchange information. The SNMP manager can be part of a network management system, such as Enterasys NetSight, while the agent and MIB reside on the switch.

The SNMP agent acts upon requests from the manager to either collect data from the MIB or set data into the MIB. A repository for information about device parameters and network data, the MIB is organized in a tree structure in which individual variables are represented as leaves on the branches. A unique object identifier (OID) distinguishes each variable in the MIB and is the means by which the manager and agent specify which managed elements are changed.

An agent can send unsolicited notification messages (also known as traps or informs) alerting the SNMP manager to a condition on the network. These conditions include such things as improper user authentication, restarts, link status (up or down), MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events.

Message Functions

SNMP uses five basic message types (Get, GetNext, GetResponse, Set, and Trap) to communicate between the manager and the agent. The Get and GetNext messages allow the manager to request information for a specific variable. The agent, upon receiving a Get or GetNext message, will issue a GetResponse message to the manager with either the information requested or an error indication about why the request cannot be processed.

A Set message allows the manager to request a change to a specific variable. The agent then responds with a GetResponse message indicating the change has been made or an error indication about why the change cannot be made.

A trap or inform message allows the agent to spontaneously inform the manager of an important event in the network.

The SNMP manager and agent use information in the MIB to perform the operations described in Table 1.

Table 1 SNMP Message Functions

Operation: get-request
Function: Retrieves a value from a specific variable.

Operation: get-next-request
Function: Retrieves a value from a variable within a table. (1)

Operation: get-bulk-request (2)
Function: Retrieves large blocks of data, such as multiple rows in a table, that would otherwise require the transmission of many small blocks of data.

Operation: get-response
Function: Replies to a get-request, get-next-request, and set-request sent by a management station.

Operation: set-request
Function: Stores a value in a specific variable.

Operation: trap | inform (3)
Function: Unsolicited message sent by an SNMP agent to an SNMP manager when an event has occurred.

1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.
2. The get-bulk operation is only supported in SNMPv2c or later.
3. Inform notifications are only supported in SNMPv3.

Trap Versus Inform Messages

As compared to earlier versions, SNMPv3 provides a higher degree of reliability for notifying management stations when critical events occur. Traditionally, SNMP agents communicated events to SNMP managers via traps. However, if a temporary network problem prevented the manager from receiving the trap, then the trap would be lost. SNMPv3 provides informs, which are a more reliable form of traps. The SNMP agent initiates the inform process by sending an inform request to the manager. The manager responds to the inform request to acknowledge receipt of the message. If the inform is not received by the manager, the inform request will time out and a new inform request will be sent. Subsequent inform requests will be sent as previous requests time out until either an acknowledgement is received from the manager, or until a pre-specified retry count is reached.

Access to MIB Objects

SNMP uses the following authentication methods to grant user access to MIB objects and functions.


Community Name Strings

Earlier SNMP versions (v1 and v2c) rely on community name strings for authentication. In order for the network management station (NMS) to access the switch, the community string definitions on the NMS must match at least one of the three community string definitions on the switch. A community string can have one of these attributes:

- Read-only (ro): Gives read access to authorized management stations to all objects in the MIB except the community strings, but does not allow write access.
- Read-write (rw): Gives read and write access to authorized management stations to all objects in the MIB, but does not allow access to the community strings.

User-Based

SNMPv3 provides a User-Based Security Model (USM) which relies on a user name match for authenticated access to network management components.

Refer to Security Models and Levels on page 7 for more information.

SNMP Support on Enterasys Devices


Note: This guide describes features supported on the Enterasys N-Series, S-Series, K-Series, stackable, and standalone switch platforms. For information on Enterasys X Router support, refer to the Enterasys X-Series Configuration Guide.

By default, SNMP Version 1 (SNMPv1) is configured on Enterasys switches. The default configuration includes a single community name, public, which grants read-write access to the whole MIB tree for both SNMPv1 and SNMPv2c.

This section provides the following information about SNMP support on Enterasys devices:

For information about... | Refer to page...
Versions Supported | 4
Terms and Definitions | 5
Security Models and Levels | 7
Access Control | 7

Versions Supported

Enterasys devices support three versions of SNMP:

- Version 1 (SNMPv1): This is the initial implementation of SNMP. Refer to RFC 1157 for a full description of functionality.
- Version 2 (SNMPv2c): The second release of SNMP, described in RFC 1907, has additions and enhancements to data types, counter size, and protocol operations.
- Version 3 (SNMPv3): This is the most recent version of SNMP, and includes significant enhancements to administration and security. The major difference between SNMPv3 and earlier versions is that v3 provides a User-Based Security Model (USM) to associate users with managed access to security information. In addition to better security and better access control, SNMPv3 also provides a higher degree of reliability for notifying management stations when critical events occur.

SNMPv3 is fully described in RFC 2571, RFC 2572, RFC 2573, RFC 2574, and RFC 2575.

SNMPv1 and v2c Network Management Components

The Enterasys implementation of SNMPv1 and v2c network management components falls into the following three categories:

- Managed devices (such as a switch).
- SNMP agents and MIBs, including SNMP traps, community strings, and Remote Monitoring (RMON) MIBs, which run on managed devices.
- SNMP network management applications, such as the Enterasys NetSight application, which communicate with agents to get statistics and alerts from the managed devices.

SNMPv3 User-Based Security Model (USM) Enhancements

SNMPv3 adds to v1 and v2c components by providing secure access to devices by authenticating and encrypting frames over the network. The Enterasys-supported advanced security features provided in SNMPv3's User-Based Security Model are as follows:

- Message integrity: Collects data securely without being tampered with or corrupted.
- Authentication: Determines the message is from a valid source.
- Encryption: Scrambles the contents of a frame to prevent it from being seen by an unauthorized source.

Unlike SNMPv1 and SNMPv2c, in SNMPv3 the concept of SNMP agents and SNMP managers no longer applies. These concepts have been combined into an SNMP entity. An SNMP entity consists of an SNMP engine and SNMP applications. An SNMP engine consists of the following four components:

- Dispatcher: Sends and receives messages.
- Message processing subsystem: Accepts outgoing PDUs from the dispatcher and prepares them for transmission by wrapping them in a message header and returning them to the dispatcher. Also accepts incoming messages from the dispatcher, processes each message header, and returns the enclosed PDU to the dispatcher.
- Security subsystem: Authenticates and encrypts messages.
- Access control subsystem: This component determines which users and which operations are allowed access to managed objects.

Terms and Definitions

Table 2 lists common SNMP terms and defines their use on Enterasys devices.

Table 2 SNMP Terms and Definitions

community: A name string used to authenticate SNMPv1 and v2c users.

context: A subset of MIB information to which associated users have access rights.

engine ID: A value used by both the SNMPv3 sender and receiver to propagate inform notifications.

group: A collection of SNMP users who share the same access privileges.

inform: A notification message sent by an SNMPv3 agent to a network management station, a console, or a terminal to indicate the occurrence of a significant event, such as when a port or device goes up or down, when there are authentication failures, and when power supply errors occur.

MIB: Management Information Base, a repository for information about device parameters and network data organized in a tree structure.

notify profile: Associates target parameters to an SNMP notify filter to determine who should not receive SNMP notifications. This is useful for fine-tuning the amount of SNMP traffic generated.

OID: Object Identifier, a unique ID that distinguishes each variable in the MIB and is the means by which the SNMP manager and agent specify which managed elements are changed.

security level: The permitted level of security within a security model. The three levels of SNMP security are: no authentication required (NoAuthNoPriv), authentication required (AuthNoPriv), and privacy (authPriv).

security model: An authentication strategy that is set up for an SNMP user and the group in which the user resides. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP frame.

storage type: Specifies whether an SNMP user entry will be stored in volatile or nonvolatile memory.

taglist: A list of SNMP notify values that link a target (management station IP) address to specific SNMP notifications.

target address: A unique identifier and a specific IP address that will receive SNMP notification messages.

target parameter: Controls where and under what circumstances SNMP notifications will be sent. This entry can be bound to a target IP address allowed to receive SNMP notification messages.

trap: A notification message sent by an SNMPv1 or v2c agent to a network management station, a console, or a terminal to indicate the occurrence of a significant event, such as when a port or device goes up or down, when there are authentication failures, and when power supply errors occur.

user: A person registered in SNMPv3 to access management information. In v1 and v2c, a user is set with the community name string.

USM: User-Based Security Model, the SNMPv3 authentication model which relies on a user name match for access to network management components.

VACM: View-based Access Control Model, which determines remote access to SNMP managed objects, allowing subsets of management information to be organized into user views.

view: Specifies permission for accessing SNMP MIB objects granted to a particular SNMP user group. View types and associated access rights are: read (view-only access), write (allowed to configure MIB agent contents), and notify (send trap messages).

Security Models and Levels

An SNMP security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. The three levels of SNMP security on Enterasys devices are: No authentication required (NoAuthNoPriv); authentication required (AuthNoPriv); and privacy (authPriv). A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP frame. Table 3 identifies the levels of SNMP security available on Enterasys devices and the authentication required within each model.

Table 3 SNMP Security Models and Levels

Model | Security Level | Authentication | Encryption | How It Works
v1 | NoAuthNoPriv | Community string | None | Uses a community string match for authentication.
v2c | NoAuthNoPriv | Community string | None | Uses a community string match for authentication.
v3 / USM | NoAuthNoPriv | User name | None | Uses a user name match for authentication.
v3 / USM | AuthNoPriv | MD5 or SHA | None | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
v3 / USM | authPriv | MD5 or SHA | DES | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard.
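How the password given to set snmp user ... authentication {md5 | sha} becomes the HMAC-MD5-96 or HMAC-SHA-96 key behind the AuthNoPriv and authPriv rows of Table 3, as an added Python example that is not Enterasys code: the RFC 3414 password-to-key derivation, its localization to the agent's engine ID, and verification of a constructed message. The password maplesyrup and engine ID 00...02 are the RFC 3414 appendix A.3 test vector, not values from this guide; the message bytes and the second engine ID are constructed.

```python
import hashlib
import hmac

ONE_MIB = 1048576                          # bytes hashed by the RFC 3414 A.2 algorithm
HASH_NAME = {"md5": "md5", "sha": "sha1"}  # CLI keyword -> hashlib algorithm


def password_to_ku(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2: hash the password repeated out to 1 MiB.
    The cost is deliberate; it slows offline guessing of the password."""
    repeated = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(HASH_NAME[algo], repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The same password yields a
    different key on every agent, so one agent's key is useless elsewhere."""
    return hashlib.new(HASH_NAME[algo], ku + engine_id + ku).digest()


def auth_params(kul: bytes, algo: str, before: bytes, after: bytes) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: HMAC over the whole message with the 12-byte
    msgAuthenticationParameters field set to zeros, truncated to 12 bytes."""
    return hmac.new(kul, before + bytes(12) + after, HASH_NAME[algo]).digest()[:12]


def verify(kul: bytes, algo: str, wholemsg: bytes, field_offset: int) -> bool:
    """Recompute the 12-byte field at field_offset and compare in constant time."""
    received = wholemsg[field_offset:field_offset + 12]
    expected = auth_params(kul, algo, wholemsg[:field_offset], wholemsg[field_offset + 12:])
    return hmac.compare_digest(received, expected)


def demo():
    """RFC 3414 A.3 vector (password maplesyrup, engine ID 00..02) plus a
    constructed message showing what the AuthNoPriv check catches."""
    engine_id = bytes.fromhex("000000000000000000000002")
    ku_md5 = password_to_ku(b"maplesyrup", "md5")
    kul_md5 = localize_key(ku_md5, engine_id, "md5")
    kul_sha = localize_key(password_to_ku(b"maplesyrup", "sha"), engine_id, "sha")
    # Constructed message: a few header bytes, the 12-byte auth field, the scoped PDU.
    before, after = bytes.fromhex("302a020103"), b"\x04\x10scopedPDU-sample"
    wholemsg = before + auth_params(kul_md5, "md5", before, after) + after
    tampered = wholemsg[:-1] + bytes([wholemsg[-1] ^ 0x01])   # one flipped PDU bit
    # Key the same password produces on a different (constructed) engine ID.
    other_agent = localize_key(ku_md5, bytes.fromhex("800007e5030001020304"), "md5")
    return {
        "ku_md5": ku_md5.hex(),
        "kul_md5": kul_md5.hex(),
        "kul_sha": kul_sha.hex(),
        "verifies": verify(kul_md5, "md5", wholemsg, len(before)),
        "tampered_verifies": verify(kul_md5, "md5", tampered, len(before)),
        "other_agent_key_verifies": verify(other_agent, "md5", wholemsg, len(before)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```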

Access Control

In addition to the Security Models and Levels described above, the Enterasys implementation of SNMP also provides a View-based Access Control Model (VACM), which determines remote access to managed objects. VACM allows you to organize subsets of management information into views. Management information that is in a user's view gives the user the corresponding access level to that management information: either read, write, or notify. Individual users can be organized into groups for whom you can predefine what views are available based on the security model and security level used to request access. In this way, VACM allows you to permit or deny access to any individual item of management information depending on a user's group membership and the level of security provided by the communications channel.


Configuring SNMP

This section provides the following information about configuring SNMP on Enterasys devices:

For information about... | Refer to page...
Configuration Basics | 8
How SNMP Processes a Notification Configuration | 8
SNMP Defaults | 9
Configuring SNMPv1/SNMPv2c | 10
Configuring SNMPv3 | 11
Configuring Secure SNMP Community Names | 18

Configuration Basics

Completing an SNMP configuration on an Enterasys device involves defining users who will be authorized to receive SNMP notifications about network events, associating security (target) parameters, access rights and MIB views to those users, and specifying an IP address where they will receive notifications. The basic steps in this process are:

1. Creating a name that will act as an SNMP user password:
   - This will be a community name for an SNMPv1 or v2c configuration, or
   - A user name for an SNMPv3 configuration.
2. Creating a group for the user named in Step 1.
3. Creating access rights for the user group named in Step 2.
4. Defining MIB view(s) for the user group.
5. Creating a target parameters entry to associate security and authorization criteria to the users created in Step 1.
6. Verifying if any applicable SNMP notification entries exist, or creating a new one. You will use this entry to send SNMP notification messages to the appropriate targets configured in Step 5.
7. Creating a target address entry to bind a management IP address to:
   - The notification entry and tag name created in Step 6, and
   - The target parameters entry created in Step 5.

Note: Commands for configuring SNMP on Enterasys devices are independent during the SNMP setup process. For instance, target parameters can be specified when setting up optional notification filters even though these parameters have not yet been created with the set snmp targetparams command. The steps in this section are a guideline to configuring SNMP and do not necessarily need to be executed in this order.

How SNMP Processes a Notification Configuration

In order to send a trap or inform notification requested by a MIB code, the SNMP agent requires the equivalent of a trap door, a key to unlock the door, and a procedure for crossing the doorstep. To determine if all these elements are in place, the SNMP agent processes a device configuration as follows:

1. Determines if the keys for trap doors do exist. The key that SNMP is looking for is the notification entry created with the set snmp notify command.
2. Searches for the doors matching such a key and verifies that the door is available. If so, this door is tagged or bound to the notification entry. It was built using the set snmp targetaddr command, which specifies the management station IP address to which this door leads, and the procedure (targetparams) to cross the doorstep.
3. Verifies that the description of how to step through the door is, in fact, there. The agent checks targetparams entries and determines this description was made with the set snmp targetparams command, which tells exactly which SNMP protocol to use and what community or user name to provide.
4. Verifies that the specified name, configured using either the set snmp community or set snmp user command, is available.
5. Sends the notification message to the target address.
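The five-step check above, as an added Python example that is not Enterasys code: it walks notify to targetaddr (by tag) to targetparams to community or user name over the entries of the Procedure 1 example later in this section (TVTrap, TVv1public, public) and reports each dangling link, which is the kind of gap the note about independent commands allows you to create. The dict layout of the entries is this example's own.

```python
def resolve_notifications(notify, targetaddr, targetparams, communities, users):
    """Follow each notify entry to the targets it can actually reach.
    Returns (deliverable, problems): one dict per usable target and one
    string per broken link, following the five checks in the text."""
    deliverable, problems = [], []
    for nname, entry in notify.items():                      # 1. the key exists
        tag = entry["tag"]
        doors = [(aname, addr) for aname, addr in targetaddr.items()
                 if tag in addr.get("taglist", "").split()]  # 2. doors carrying the tag
        if not doors:
            problems.append("notify %s: no targetaddr taglist contains tag %r" % (nname, tag))
        for aname, addr in doors:
            params = targetparams.get(addr["param"])         # 3. how to step through
            if params is None:
                problems.append("targetaddr %s: targetparams %r not defined"
                                % (aname, addr["param"]))
                continue
            model, name = params["security-model"], params["user"]
            known = name in (communities if model in ("v1", "v2c") else users)  # 4. name exists
            if not known:
                problems.append("targetparams %s: %s name %r not configured"
                                % (addr["param"], model, name))
                continue
            deliverable.append({                              # 5. ready to send
                "notify": nname,
                "type": entry.get("type", "trap"),
                "to": (addr["ipaddr"], addr.get("udpport", 162)),
                "security-model": model,
                "name": name,
            })
    return deliverable, problems


# Entries of the Procedure 1 example further down (constructed as plain dicts).
NOTIFY = {"TVTrap": {"tag": "TVTrapTag"}}
TARGETADDR = {"TVTrap": {"ipaddr": "10.42.1.10", "param": "TVv1public", "taglist": "TVTrapTag"}}
TARGETPARAMS = {"TVv1public": {"user": "public", "security-model": "v1", "message-processing": "v1"}}


def page_example():
    """The example configuration with its public community present."""
    return resolve_notifications(NOTIFY, TARGETADDR, TARGETPARAMS, {"public"}, set())


def after_clearing_public():
    """Same entries after 'clear snmp community public': the chain breaks at step 4."""
    return resolve_notifications(NOTIFY, TARGETADDR, TARGETPARAMS, set(), set())


def with_mistyped_tag():
    """A taglist whose case differs from the notify tag: no door matches (step 2)."""
    addr = {"TVTrap": dict(TARGETADDR["TVTrap"], taglist="TVTraptag")}
    return resolve_notifications(NOTIFY, addr, TARGETPARAMS, {"public"}, set())


if __name__ == "__main__":
    for check in (page_example, after_clearing_public, with_mistyped_tag):
        print(check.__name__, check())
```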

SNMP Defaults

Device Start Up Configuration

By default, SNMPv1 is configured on Enterasys switches. Table 4 lists the default configuration parameters, which include a single community name, public, granting read-write access to the whole MIB tree for both SNMPv1 and SNMPv2c.

Table 4 Default Enterasys SNMP Configuration

Parameter | Default Value
Community name | public
Group access privileges | rw (read-write)
Group user name | public
Security model | v1
Security access rights | all (for read, write, and notify access)
MIB view | all (entire MIB tree)

You can revise this default configuration by following the steps described in Adding to or Modifying the Default Configuration on page 11.

To take advantage of the advanced security and other features available in SNMPv3, it is recommended that you add to the Enterasys default configuration by configuring SNMPv3 as described in Configuring SNMPv3 on page 11.

Refer also to Configuring Secure SNMP Community Names on page 18 for a description of a recommended configuration that will prevent unsecured access to SNMP information.


Configuring SNMPv1/SNMPv2c

Creating a New Configuration

Procedure 1 shows how to create a new SNMPv1 or SNMPv2c configuration. This example assumes that you haven't any preconfigured community names or access rights.

Note: The v1 parameter in this example can be replaced with v2 for SNMPv2c configuration.

Procedure 1 New SNMPv1/v2c Configuration

Step 1. Create a community name.
Command(s): set snmp community community name

Step 2. Create a security model (VACM) group using the community name you assigned in step 1.
Command(s): set snmp group group name user community name security-model v1

Step 3. Set security access rights for the VACM group.
Command(s): set snmp access group name security-model v1 read viewname write viewname notify viewname

Step 4. Set MIB view attributes.
Command(s): set snmp view viewname viewname subtree subtree

Step 5. Specify the target parameters for SNMP notification message generation.
Command(s): set snmp targetparams targetparams user community name security-model v1 message-processing v1

Step 6. Specify the target address to which SNMP notification messages generated using the specified target parameters will be sent.
Command(s): set snmp targetaddr targetaddr ipaddr param targetparams taglist taglist

Step 7. Specify a name for this notification entry and bind it to the target address.
Command(s): set snmp notify notify tag taglist

Example

The following example is an Enterasys N-Series device configuration using the steps in Procedure 1. It shows how to:

- Create the community name public.
- Assign the public user to the group named groupRW and the SNMPv1 security model.
- Specify that, if SNMP messages are received with the public name string, the view RW for read requests, write requests, and notify requests will be applied to this user.
- For the view RW, include the MIB subtree denoted with OID 1 and 0.0, and exclude view access to the subtree denoted with OID 1.3.6.1.6.3.13.1 (which is the notification MIB).
- Assign a target parameters entry, TVv1public, for security level processing to the public community name.
- Create a target address entry named TVTrap at IP address 10.42.1.10, which will use security and authorization criteria contained in the target parameters entry called TVv1public, and bind these parameters together with a tag entry called TVTrapTag.

enterasys(su)->set snmp community public
enterasys(su)->set snmp group groupRW user public security-model v1
enterasys(su)->set snmp access groupRW security-model v1 read RW write RW notify RW
enterasys(su)->set snmp view viewname RW subtree 1
enterasys(su)->set snmp view viewname RW subtree 0.0
enterasys(su)->set snmp view viewname RW subtree 1.3.6.1.6.3.13.1 excluded
enterasys(su)->set snmp targetparams TVv1public user public security-model v1 message-processing v1
enterasys(su)->set snmp targetaddr TVTrap 10.42.1.10 param TVv1public taglist TVTrapTag
enterasys(su)->set snmp notify TVTrap tag TVTrapTag
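What the RW view above actually grants, as an added Python example (not Enterasys code) of the view-family matching VACM applies (RFC 3415 section 4.1): the longest matching subtree decides, so 1.3.6.1.6.3.13.1 stays excluded even though 1 is included. The writeView of the SNMPv3 example later in this chapter is checked the same way. The IF_ROW_3 view with a wildcard mask goes beyond the page's commands, which all leave the mask at its default ff:ff:ff:ff.

```python
def parse_oid(text):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_mask(text):
    """'ff:a0' -> list of bits, most significant first. Bit i governs
    sub-identifier i of the subtree: 1 = must match, 0 = wildcard."""
    return [(int(octet, 16) >> (7 - bit)) & 1
            for octet in text.split(":") for bit in range(8)]


class View:
    """The vacmViewTreeFamilyTable entries for one view name (RFC 3415 4.1)."""

    def __init__(self):
        self.families = []          # (subtree tuple, mask bits, included?)

    def add(self, subtree, included=True, mask="ff:ff:ff:ff"):
        """Mirror of 'set snmp view viewname X subtree S [mask M] [included | excluded]'."""
        self.families.append((parse_oid(subtree), parse_mask(mask), included))
        return self

    @staticmethod
    def _matches(subtree, bits, oid):
        # An OID is in a family when it is at least as long as the subtree and
        # agrees with it at every position whose mask bit is 1 (bits beyond the
        # mask's length count as 1, which is what ff:ff:ff:ff amounts to).
        if len(oid) < len(subtree):
            return False
        for i, sub in enumerate(subtree):
            must_match = bits[i] if i < len(bits) else 1
            if must_match and oid[i] != sub:
                return False
        return True

    def allows(self, oid):
        """Among all matching families the longest subtree decides; on equal
        length the lexicographically greatest one. No match means not in view."""
        if isinstance(oid, str):
            oid = parse_oid(oid)
        best = None
        for subtree, bits, included in self.families:
            if self._matches(subtree, bits, oid):
                rank = (len(subtree), subtree)
                if best is None or rank > best[0]:
                    best = (rank, included)
        return best is not None and best[1]


# The RW view configured above: all of 1 and 0.0, minus the notification MIB.
RW = View().add("1").add("0.0").add("1.3.6.1.6.3.13.1", included=False)

# The writeView of the SNMPv3 example later in the chapter.
WRITE_VIEW = View().add("1").add("1.3.6.1.4.1.5624.1.2.16", included=False)

# Beyond the page: a wildcard at the column position (mask bit 9 is 0) with the
# instance fixed at 3, so the view covers every column of ifTable row 3 only.
IF_ROW_3 = View().add("1.3.6.1.2.1.2.2.1.1.3", mask="ff:a0")


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.13.1.1.0", "0.0"):
        print(oid, "in RW:", RW.allows(oid))
```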

Adding to or Modifying the Default Configuration

By default, SNMPv1 is configured on Enterasys switches. A single community name, public, is configured, which grants read-write access to the whole MIB tree for both SNMPv1 and SNMPv2c.

The beginning command sequence in the default configuration is similar to the first part of the previous example. It looks like this:

enterasys(su)->set snmp community public
enterasys(su)->set snmp group groupRW user public security-model v1
enterasys(su)->set snmp access groupRW security-model v1 read All write All notify All
enterasys(su)->set snmp view viewname All subtree 1

Note: Any use of the parameter 'All' must be exactly as shown in this example. Any other variation (including, but not limited to, values such as 'all' or 'ALL') will not be valid.

You can modify this default configuration as shown in the following examples.

Adding a New Community Name

Use these commands to add a new SNMPv1 community name called newname with the same permissions as the default configuration:

enterasys(su)->set snmp community newname
enterasys(su)->set snmp group groupRW user newname security-model v1

Use this command to remove the public community name from the default configuration:

enterasys(su)->clear snmp community public

Note: You can leave the set snmp group groupRW user public security-model v1 statement in the default configuration in case you want to re-activate the public community name at some point, or can clear it as well.

Refer to Configuring Secure SNMP Community Names on page 18 for a description of a recommended configuration that will prevent unsecured access to SNMP information.

Configuring SNMPv3
Procedure 2showshowtocompleteabasicSNMPv3configuration.Foradditionalconfiguration information,referto: ConfiguringanSNMPv3InformorTrapEngineIDonpage14 ConfiguringanSNMPViewonpage15

March 28, 2011

Page 11 of 27

Configuring SNMP

ConfiguringtheOptionalMaskParameteronpage16 ConfiguringSecureSNMPCommunityNamesonpage18 SNMPv3 Configuration


Command(s) set snmp user user [remote remoteid] [authentication {md5 | sha}] [authpassword] [privacy privpassword]

Procedure 2
Step 1. Task

Create an SNMPv3 user and specify authentication, encryption, and security credentials. If remote is not specified, the user will be registered for the local SNMP engine. If authentication is not specified, no authentication will be applied. If privacy is not specified, no encryption will be applied.

2.

Create a user group and add the user created in Step 1. If storage type is not specified, nonvolatile will be applied.

set snmp group groupname user user security-model usm [volatile | nonvolatile]

3.

Set security access rights for the group. If security level is not specified, no authentication will be applied. Only one context, the default context, is supported in this release. There is no need to configure this parameter. If read view is not specified none will be applied. If write view is not specified, none will be applied. If notify view is not specified, none will be applied. If storage type is not specified, entries will be stored as permanent and will be held through device reboot.

set snmp access groupname securitymodel usm [noauthentication | authentication | privacy] [exact | prefix] [read readviewname] [write writeviewname] [notify notifyviewname] [volatile | nonvolatile]

4.

Define views created in Step 3. If not specified, mask will be set to ff:ff:ff:ff. If not specified, subtree use will be included. If storage type is not specified, nonvolatile (permanent) will be applied.

set snmp view viewname viewname subtree subtree [mask mask] [included | excluded] [volatile | nonvolatile]

5.

Set SNMP target parameters. If not specified, security level will be set to noauthentication. If not specified, storage type will be set to nonvolatile.

set snmp targetparams targetparams user user security-model usm message-processing v3 [noauthentication | authentication | privacy] [volatile | nonvolatile]

March 28, 2011

Page 12 of 27

Configuring SNMP

Procedure 2   SNMPv3 Configuration (continued)

Step 6. Set the SNMP target address for notification message generation. If not specified, udpport is set to 162. If not specified, mask is set to 255.255.255.255. If not specified, timeout is set to 1500 (15 seconds). If not specified, the number of retries is set to 3. If taglist is not specified, none is set. If not specified, storage type is nonvolatile.

    set snmp targetaddr targetaddr ipaddr param param [udpport udpport] [mask mask] [timeout timeout] [retries retries] [taglist taglist] [volatile | nonvolatile]

Step 7. Set SNMP notification parameters. If not specified, message type is set to trap. If not specified, storage type is set to nonvolatile.

    set snmp notify notify tag tag [trap | inform] [volatile | nonvolatile]

The following example is an Enterasys N-Series device configuration using the steps in Procedure 2. It shows how to:

- Create the user Enterasys_user, specifying authentication, encryption, and security credentials.
- Assign Enterasys_user to the Enterasys group and associate it with the SNMPv3 security model, usm.
- Specify that, if SNMP messages are received with authentication and encryption, the view readView for read requests and the view writeView for write requests will be applied to this user group based on the USM security model.
- For the view writeView, include the MIB subtree denoted by OID 1, and exclude the subtree denoted by OID 1.3.6.1.4.1.5624.1.2.16.
- Assign an SNMPv3 target parameters entry named enterasysn to Enterasys_user using the USM security model.
- Create a target address entry named Enterasys_Networks at IP address 172.29.10.1, which will use the security and authorization criteria contained in the target parameters entry called enterasysn, and bind these parameters together with a tag entry called v3TrapTag.

enterasys(su)-> set snmp user Enterasys_user authentication md5 my_authentication privacy my_privacy
enterasys(su)-> set snmp group Enterasys user Enterasys_user security-model usm
enterasys(su)-> set snmp access Enterasys security-model usm privacy read readView write writeView
enterasys(su)-> set snmp view viewname readView subtree 1
enterasys(su)-> set snmp view viewname writeView subtree 1
enterasys(su)-> set snmp view viewname writeView subtree 1.3.6.1.4.1.5624.1.2.16 excluded
enterasys(su)-> set snmp targetparams enterasysn user Enterasys_user security-model usm message-processing v3


enterasys(su)-> set snmp targetaddr Enterasys_Networks 172.29.10.1 param enterasysn taglist v3TrapTag
enterasys(su)-> set snmp notify SNMPv3TrapGen tag v3TrapTag inform

How SNMP Will Process This Configuration

As described in How SNMP Processes a Notification Configuration on page 8, if the SNMP agent on the device needs to send an inform message, it looks to see if there is a notification entry that says what to do with inform messages. Then, it looks to see if the tag list (v3TrapTag) specified in the notification entry exists. If it exists, the inform message is sent to the target addresses specified by the tag list (Enterasys_Networks) using the parameters specified for each address (enterasysn).

Configuring an SNMPv3 Inform or Trap Engine ID

This section provides additional information for configuring SNMPv3 inform or trap notifications. The steps in Procedure 3 on page 14 add to the following configuration example:

enterasys(su)->set snmp view viewname All subtree 1
enterasys(su)->set snmp user v3user authentication md5 md5passwd privacy despasswd
enterasys(su)->set snmp group v3group user v3user security-model usm
enterasys(su)->set snmp access v3group security-model usm privacy exact read All write All notify All
enterasys(su)->set snmp notify v3notify tag v3tag inform
enterasys(su)->set snmp targetaddr v3TA 134.141.209.73 param v3TP taglist v3tag
enterasys(su)->set snmp targetparams v3TP user v3user security-model usm message-processing v3 privacy

Inform EngineIDs

In the Enterasys SNMP implementation, the receiver's EngineID value is used by both the sender and the receiver to propagate inform notifications. In order to send and receive SNMPv3 informs in their most secure form (with authentication and privacy enabled), you must configure a user ID and the corresponding receiver EngineID on the sender, as shown in the example in Procedure 3. This example assumes that NetSight Console is the receiver and an N-Series switch is the sender.

Note: The following file location and EngineID are provided as examples. Your settings will vary.

Procedure 3 adds to the configuration example shown in Configuring an SNMPv3 Inform or Trap Engine ID on page 14.

Procedure 3   Configuring an EngineID

Step 1. If necessary, create an SNMPv3 configuration.

    Refer to Configuring an SNMPv3 Inform or Trap Engine ID on page 14.

Step 2. On the management station, navigate to and display the NetSight Console SNMP trap configuration file.

    C:\Program Files\Enterasys Networks\NetSight Shared\snmptrapd.conf

Step 3. Determine the EngineID from this line in the configuration file.

    oldEngineID 0x800007e5804f190000d232aa40

Step 4. On the N-Series switch, define the same user as in the above example (v3user) with this EngineID and with the same Auth/Priv passwords you used previously.

    set snmp user v3user remote 800007e5804f190000d232aa40 authentication md5 md5passwd privacy despasswd

    Note: You can omit the 0x from the EngineID. You can also use colon notation, like this: 80:00:07:e5:80:4f:19:00:00:d2:32:aa:40

Step 5. Navigate to and display the user configuration on the management station. (This assumes that you have already created the user in NetSight Console, so you will only need to add it to the configuration file of the trap daemon.)

    C:\Program Files\Enterasys Networks\NetSight Console\Bin\snmptrapd.conf

Step 6. Using any plain text editor, add this line to the configuration file.

    createuser v3user MD5 md5passwd DES despasswd

Trap EngineID

To use traps instead of inform notifications, you would change the preceding configuration as follows:

1. Use this command to specify trap notifications:

    set snmp notify v3notify tag v3tag trap

2. Verify that the createuser entry in the NetSight Console SNMP trap configuration looks like this (the -e option carries the sender's EngineID, which is the authoritative engine for a trap):

    createuser -e 0x800015f80300e06314d79c v3user MD5 md5passwd DES despasswd

When you are finished modifying the configuration, save the file and restart the SNMP Trap Service using NetSight Services Manager.

Note: When installed on a Unix platform, the NetSight server must be manually restarted.
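Why the sender must be told the receiver's EngineID for informs, but not for traps, follows from USM key localization (RFC 3414): the authentication and privacy keys actually used on the wire are derived from the password and from the authoritative engine's snmpEngineID, and for an inform the authoritative engine is the receiver. The following Python is an added example, not Enterasys or NetSight code. It implements the RFC 3414 password-to-key algorithm and key localization, parses an EngineID in the forms the CLI accepts (with or without 0x, or in colon notation), and shows that the same md5passwd localizes to two different keys under the switch's own EngineID (from show snmp engineid below) and under the NetSight receiver EngineID used in Procedure 3. The RFC's own maplesyrup test vector is included as a correctness check.

```python
"""RFC 3414 USM key derivation: password-to-key and key localization.

Added example (not Enterasys or NetSight code). Shows why a sender needs the
receiver's EngineID before it can send authenticated/encrypted informs.
"""
import hashlib


def parse_engine_id(text: str) -> bytes:
    """Accept '0x8000...', '8000...' or colon notation '80:00:...'."""
    clean = text.strip().lower().replace(":", "")
    if clean.startswith("0x"):
        clean = clean[2:]
    if not clean or len(clean) % 2:
        raise ValueError("EngineID must be a whole number of hex octets")
    return bytes.fromhex(clean)


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku (RFC 3414 A.2): hash the password repeated out to 1,048,576 octets."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1_048_576, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key actually used with this engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# EngineIDs taken from this page: the switch's own engine (show snmp engineid)
# and the NetSight receiver EngineID used in Procedure 3 (an example value).
SWITCH_ENGINE_ID = parse_engine_id("80:00:15:f8:03:00:e0:63:9d:b5:87")
RECEIVER_ENGINE_ID = parse_engine_id("0x800007e5804f190000d232aa40")


def keys_for_user(password: bytes, hash_name: str = "md5") -> dict:
    """Localized auth keys one password yields for v3user: traps are
    authoritative on the switch, informs on the receiver, so the sender must
    hold a second key derived with the receiver's EngineID."""
    return {
        "trap (switch authoritative)": localized_key(password, SWITCH_ENGINE_ID, hash_name).hex(),
        "inform (receiver authoritative)": localized_key(password, RECEIVER_ENGINE_ID, hash_name).hex(),
    }


if __name__ == "__main__":
    for role, key in keys_for_user(b"md5passwd").items():
        print(f"{role}: {key}")
```

The `set snmp user v3user remote <engineid> ...` line in Procedure 3 is what gives the switch the inputs for the second derivation; without it the switch can only produce the key localized to its own engine, which the receiver will reject for an inform.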

Configuring an SNMP View

It is possible to include certain OIDs and exclude certain other OIDs within one SNMP MIB view. You do this by stacking different set snmp view includes and excludes which specify a single view name. This allows the user to see all of the included OID strings for their associated view name, minus all of the excluded OID strings for that view name. If neither parameter is specified, included is assumed.

Though it is possible to create and use multiple view names as desired, for demonstration purposes it is simplest to modify the default view, since it is already being referenced by the remainder of the SNMP command set.

The following example removes the default view specifications and inserts one which permits access to the MIB branch 1.3.6.1.2.1, with the exception of the interfaces branch 1.3.6.1.2.1.2:


enterasys(su)->clear snmp view All 1
enterasys(su)->clear snmp view All 0.0
enterasys(su)->set snmp view viewname All subtree 1.3.6.1.2.1
enterasys(su)->set snmp view viewname All subtree 1.3.6.1.2.1.2 excluded
enterasys(su)->show snmp view
View Name     = All
Subtree OID   = 1.3.6.1.2.1
Subtree mask  =
View Type     = included
Storage type  = nonVolatile
Row status    = active

View Name     = All
Subtree OID   = 1.3.6.1.2.1.2
Subtree mask  =
View Type     = excluded
Storage type  = nonVolatile
Row status    = active

You can test this configuration using any MIB browser directed to the IP address of the configured device and using the default community name public, which is associated with the view All. If configured correctly, only your specified sections of the MIBs will be visible. Bear in mind that public is a well-known default community name; the view it is bound to should itself be restricted as described in Configuring Secure SNMP Community Names.

Configuring the Optional Mask Parameter

Note: The mechanics of determining exactly how to configure the optional mask parameter make for an inefficient use of time if you will only be using the query once. However, for data retrieved repeatedly, using the method described in the following examples can prevent the unnecessary transfer of a great deal of SNMP data over your network.

As defined in RFC 2575, an SNMP mask is an optional parameter of the set snmp view command. You can use a mask to modify a view inclusion, designating certain sub-identifiers of an OID string as wild card (don't care) values. Once defined, you can view within a MIB branch (using a MIB browser such as that offered within the NetSight suite of products) only those leaves associated with specific items, such as designated port numbers, MAC addresses, and IP addresses.

For example, the RMON Statistics MIB branch is defined as follows, with the leaves defined within that branch each having multiple iterations, one for each port.


etherStatsEntry               = 1.3.6.1.2.1.16.1.1.1
etherStatsIndex               = 1.3.6.1.2.1.16.1.1.1.1.<port>
etherStatsDataSource          = 1.3.6.1.2.1.16.1.1.1.2.<port>
etherStatsDropEvents          = 1.3.6.1.2.1.16.1.1.1.3.<port>
etherStatsOctets              = 1.3.6.1.2.1.16.1.1.1.4.<port>
etherStatsPkts                = 1.3.6.1.2.1.16.1.1.1.5.<port>
etherStatsBroadcastPkts       = 1.3.6.1.2.1.16.1.1.1.6.<port>
etherStatsMulticastPkts       = 1.3.6.1.2.1.16.1.1.1.7.<port>
etherStatsCRCAlignErrors      = 1.3.6.1.2.1.16.1.1.1.8.<port>
etherStatsUndersizePkts       = 1.3.6.1.2.1.16.1.1.1.9.<port>
etherStatsOversizePkts        = 1.3.6.1.2.1.16.1.1.1.10.<port>
etherStatsFragments           = 1.3.6.1.2.1.16.1.1.1.11.<port>
etherStatsJabbers             = 1.3.6.1.2.1.16.1.1.1.12.<port>
etherStatsCollisions          = 1.3.6.1.2.1.16.1.1.1.13.<port>
etherStatsPkts64Octets        = 1.3.6.1.2.1.16.1.1.1.14.<port>
etherStatsPkts65to127Octets   = 1.3.6.1.2.1.16.1.1.1.15.<port>
etherStatsPkts128to255Octets  = 1.3.6.1.2.1.16.1.1.1.16.<port>
etherStatsPkts256to511Octets  = 1.3.6.1.2.1.16.1.1.1.17.<port>
etherStatsPkts512to1023Octets = 1.3.6.1.2.1.16.1.1.1.18.<port>


etherStatsPkts1024to1518Octets = 1.3.6.1.2.1.16.1.1.1.19.<port>
etherStatsOwner                = 1.3.6.1.2.1.16.1.1.1.20.<port>
etherStatsStatus               = 1.3.6.1.2.1.16.1.1.1.21.<port>

As shown in the example output above, when displaying the etherStatsEntry branch, all ports are listed for each leaf before moving on to the ports of the next leaf, as the result of listing all of the data in numeric OID order. Here is an abbreviated example of one such SNMP query.


Object                Instance  Type       Value
etherStatsIndex       1001      INTEGER    1001
etherStatsIndex       1518      INTEGER    1518
etherStatsDataSource  1001      OBJECT ID  1.3.6.1...11001
etherStatsDataSource  1518      OBJECT ID  1.3.6.1...12006
etherStatsStatus      1001      INTEGER    valid(1)
etherStatsStatus      1518      INTEGER    valid(1)

Example

This example shows you how to use the mask parameter to significantly refine your query output, so that only data for specified ports is returned. For this example, assume that N-Series slot 1 port 12 is of interest.

The first ten sub-identifiers of the etherStatsEntry (1.3.6.1.2.1.16.1.1.1) must match exactly as specified. The next sub-identifier, representing each of the 21 possible leaves within that branch, need not match exactly. The remainder, representing the port number, must match exactly as specified.

The bit representation for this would be 1111111111011111, or 0xffdf. If the actual OID string being masked is longer than the specified bits, the missing bits to the right are assumed to be 1s. It is thus only necessary to make the mask long enough (in increments of 8-bit bytes) to designate, with a 0 bit, any desired wildcard OID sub-identifiers.

The following is an SNMP view using these specifications, starting with a default configuration.

enterasys(su)->show snmp view
View Name     = All
Subtree OID   = 1
Subtree mask  =
View Type     = included
Storage type  = nonVolatile
Row status    = active

View Name     = All
Subtree OID   = 0.0
Subtree mask  =
View Type     = included
Storage type  = nonVolatile
Row status    = active

enterasys(su)->clear snmp view All 1
enterasys(su)->set snmp view viewname All subtree 1.3.6.1.2.1.16.1.1.1.0.1012 mask ff:df
enterasys(su)->show snmp view
View Name     = All
Subtree OID   = 0.0
Subtree mask  =
View Type     = included
Storage type  = nonVolatile
Row status    = active

View Name     = All
Subtree OID   = 1.3.6.1.2.1.1.1.0.244
Subtree mask  = ff:df
View Type     = included
Storage type  = nonVolatile
Row status    = active

You can see from the unexpected Subtree OID value that this view actually accommodates only the rightmost 8 bits of the entered decimal value 1012. The hexadecimal equivalent of 1012 is 0x3f4, and the decimal equivalent of 0xf4 is 244. This defined subtree will therefore get a hit on multiple port values (244, 500, 756, 1012, and so on), should they exist. This has nothing to do with the mask, and everything to do with the limitations of the view's sub-identifier storage; always confirm the stored subtree with show snmp view after entering a masked view, as done here.


Note: Any use of the mask parameter assumes the View Type is configured as included. Parameters included or excluded cannot be specified along with the mask parameter.

An SNMP query of the etherStatsEntry branch using the community name associated with this defined view would display a result similar to the following.

Object                          Instance  Type          Value
etherStatsIndex                 1012      INTEGER       1012
etherStatsDataSource            1012      OBJECT ID     1.3.6.1...11012
etherStatsDropEvents            1012      Counter       54323
etherStatsOctets                1012      Counter       302877211
etherStatsPkts                  1012      Counter       1592774
etherStatsBroadcastPkts         1012      Counter       793487
etherStatsMulticastPkts         1012      Counter       729406
etherStatsCRCAlignErrors        1012      Counter       0
etherStatsUndersizePkts         1012      Counter       0
etherStatsOversizePkts          1012      Counter       0
etherStatsFragments             1012      Counter       0
etherStatsJabbers               1012      Counter       0
etherStatsCollisions            1012      Counter       0
etherStatsPkts64Octets          1012      Counter       0
etherStatsPkts65to127Octets     1012      Counter       458931
etherStatsPkts128to255Octets    1012      Counter       55190
etherStatsPkts256to511Octets    1012      Counter       656909
etherStatsPkts512to1023Octets   1012      Counter       57
etherStatsPkts1024to1518Octets  1012      Counter       1
etherStatsOwner                 1012      OCTET STRING  monitor
etherStatsStatus                1012      INTEGER       valid(1)

Configuring Secure SNMP Community Names

Procedure 4 provides an example of a recommended configuration that will prevent unsecured SNMPv1/v2c access to potentially security-compromising information.

As discussed previously in this document, SNMPv1 and v2c are inherently insecure device management protocols. Community names used to define access levels are passed in clear text in all protocol frames sent to the managed entity, and may be visible to read-only SNMP users when querying certain SNMP configuration-related objects. In addition, you may be further exposing your network through configuration conventions which reuse the community names in other aspects of entity management, such as CLI login passwords and SNMP security names.


Enterasys recommends that you secure all SNMP community names. You do this by creating a configuration that hides sensitive information from SNMPv1/v2c users through the use of views, as follows:

Procedure 4   Configuring Secure Community Names

Step 1. Create the following SNMP view group configurations:
- An admin (v3) view group with secure read, write, and notify access
- A read-only view group with unsecure (v1 and v2c) access
- A read-write view group with unsecure (v1 and v2c) access

    set snmp access admin-groupname security-model usm privacy exact read secured-viewname write secured-viewname notify secured-viewname
    set snmp access read-only-groupname security-model v1 exact read unsecured-viewname
    set snmp access read-only-groupname security-model v2c exact read unsecured-viewname
    set snmp access read-write-groupname security-model v1 exact read unsecured-viewname write unsecured-viewname
    set snmp access read-write-groupname security-model v2c exact read unsecured-viewname write unsecured-viewname

Step 2. Create v1/v2c public and private community names and security names.

    set snmp community privatecommunityname securityname read-write-securityname
    set snmp community publiccommunityname securityname read-only-securityname

Step 3. Create user groups and bind them to the security names created in Step 2.

    set snmp group admin-groupname user admin-username security-model usm
    set snmp group read-only-groupname user read-only-securityname security-model v1
    set snmp group read-write-groupname user read-write-securityname security-model v1
    set snmp group read-only-groupname user read-only-securityname security-model v2c
    set snmp group read-write-groupname user read-write-securityname security-model v2c

Step 4. Using the admin-username assigned in Step 3, create the v3 user and define authentication keys.

    set snmp user admin-username authentication sha auth-key privacy priv-key

Step 5. Using the view names assigned in Step 1, create restricted views for v1/v2c users and unrestricted views for v3 users.

    set snmp view viewname secured-viewname subtree 1
    set snmp view viewname secured-viewname subtree 0.0
    set snmp view viewname unsecured-viewname subtree 1
    set snmp view viewname unsecured-viewname subtree 0.0

Step 6. Exclude the following from the restricted view:
- snmpUsmMIB (which contains v3 user names, but no passwords)
- snmpVacmMIB (which contains SNMP view configurations)
- snmpCommunityTable (which contains community names)

    set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.15 excluded
    set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.16 excluded
    set snmp view viewname unsecured-viewname subtree 1.3.6.1.6.3.18.1.1 excluded

Example

The following example shows an N-Series device configuration using the steps in Procedure 4.

enterasys(su)->set snmp access gAdmin security-model usm privacy exact read vSecured write vSecured notify vSecured
enterasys(su)->set snmp access gReadOnlyV1V2C security-model v1 exact read vUnsecured
enterasys(su)->set snmp access gReadOnlyV1V2C security-model v2c exact read vUnsecured
enterasys(su)->set snmp access gReadWriteV1V2C security-model v1 exact read vUnsecured write vUnsecured
enterasys(su)->set snmp access gReadWriteV1V2C security-model v2c exact read vUnsecured write vUnsecured
enterasys(su)->set snmp community cnPrivate securityname sn_v1v2c_rw
enterasys(su)->set snmp community cnPublic securityname sn_v1v2c_ro
enterasys(su)->set snmp group gReadOnlyV1V2C user sn_v1v2c_ro security-model v1
enterasys(su)->set snmp group gReadWriteV1V2C user sn_v1v2c_rw security-model v1
enterasys(su)->set snmp group gReadOnlyV1V2C user sn_v1v2c_ro security-model v2c
enterasys(su)->set snmp group gReadWriteV1V2C user sn_v1v2c_rw security-model v2c
enterasys(su)->set snmp group gAdmin user it-admin security-model usm
enterasys(su)->set snmp user it-admin authentication sha auth_key privacy priv_key
enterasys(su)->set snmp view viewname vSecured subtree 1
enterasys(su)->set snmp view viewname vSecured subtree 0.0
enterasys(su)->set snmp view viewname vUnsecured subtree 1
enterasys(su)->set snmp view viewname vUnsecured subtree 0.0
enterasys(su)->set snmp view viewname vUnsecured subtree 1.3.6.1.6.3.15 excluded
enterasys(su)->set snmp view viewname vUnsecured subtree 1.3.6.1.6.3.16 excluded
enterasys(su)->set snmp view viewname vUnsecured subtree 1.3.6.1.6.3.18.1.1 excluded
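Both view behaviours on this page, the family mask of Configuring the Optional Mask Parameter and the stacked include/exclude rows of the vUnsecured view in Procedure 4, can be checked offline with the following Python model. It is an added example and not Enterasys firmware or CLI code: it re-implements the standard VACM view-selection rule from RFC 3415 (the matching family with the most sub-identifiers wins, ties go to the lexicographically greatest subtree, and that family's type decides) over view rows copied from the procedures above. The ff:df example follows the RFC, so the subtree is kept in full rather than truncated as the N-Series show snmp view output above shows; the probe OIDs used in the demonstration (sysDescr.0, a usmUserTable cell, a community name) are constructed for the test.

```python
"""RFC 3415 VACM MIB-view matching for `set snmp view` entries.

Added example (not Enterasys code). Models view rows as (subtree, mask, type)
and applies the standard selection rule, so stacked include/exclude rows and a
family mask can be tested offline against sample OIDs.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class ViewEntry:
    subtree: Tuple[int, ...]
    mask: Tuple[int, ...]   # one bit per sub-identifier; 0 = wildcard ("don't care")
    included: bool


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.strip().strip(".").split("."))


def parse_mask(text: str, length: int) -> Tuple[int, ...]:
    """Colon-hex CLI mask (e.g. "ff:df") to one bit per sub-identifier.
    Bits missing on the right count as 1, as RFC 3415 specifies, so an empty
    mask means every sub-identifier must match exactly."""
    hexstr = text.lower().replace("0x", "").replace(":", "")
    if len(hexstr) % 2:
        raise ValueError("mask must be whole octets")
    bits: List[int] = []
    for i in range(0, len(hexstr), 2):
        octet = int(hexstr[i:i + 2], 16)
        bits.extend((octet >> (7 - k)) & 1 for k in range(8))
    bits = bits[:length]
    return tuple(bits + [1] * (length - len(bits)))


def view_entry(subtree: str, mask: str = "", included: bool = True) -> ViewEntry:
    st = parse_oid(subtree)
    return ViewEntry(st, parse_mask(mask, len(st)), included)


def family_matches(entry: ViewEntry, oid: Sequence[int]) -> bool:
    """A family matches when the OID is at least as long as the subtree and
    every sub-identifier agrees wherever the mask bit is 1."""
    if len(oid) < len(entry.subtree):
        return False
    return all(bit == 0 or s == o
               for s, o, bit in zip(entry.subtree, oid, entry.mask))


def in_view(view: List[ViewEntry], oid_text: str) -> bool:
    """RFC 3415 rule: of the matching families, the one with the most
    sub-identifiers wins; ties go to the lexicographically greatest subtree;
    that family's type (included/excluded) decides. No match: not in view."""
    oid = parse_oid(oid_text)
    candidates = [e for e in view if family_matches(e, oid)]
    if not candidates:
        return False
    best = max(candidates, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


# vUnsecured from Procedure 4: everything, minus the three sensitive subtrees.
V_UNSECURED = [
    view_entry("1"),
    view_entry("0.0"),
    view_entry("1.3.6.1.6.3.15", included=False),      # snmpUsmMIB
    view_entry("1.3.6.1.6.3.16", included=False),      # snmpVacmMIB
    view_entry("1.3.6.1.6.3.18.1.1", included=False),  # snmpCommunityTable
]

# The mask example: etherStatsEntry for port 1012 only, with the 11th
# sub-identifier (the leaf) wildcarded by the single 0 bit in ff:df.
PORT_1012_VIEW = [view_entry("1.3.6.1.2.1.16.1.1.1.0.1012", mask="ff:df")]


def visible(view: List[ViewEntry], oids: Sequence[str]) -> List[str]:
    """Return the subset of sample OIDs a query through this view can see."""
    return [o for o in oids if in_view(view, o)]


if __name__ == "__main__":
    # Constructed probe OIDs: sysDescr.0, a usmUserTable cell, a community name.
    probes = ["1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.15.1.2.2.1.3.1",
              "1.3.6.1.6.3.18.1.1.1.2.1"]
    print("v1/v2c sees:", visible(V_UNSECURED, probes))
    print("port view sees:", visible(PORT_1012_VIEW,
          ["1.3.6.1.2.1.16.1.1.1.4.1012", "1.3.6.1.2.1.16.1.1.1.4.1518"]))
```

The longest-match rule is what makes Procedure 4 work: a community user's query for a usmUserTable cell matches both the subtree 1 row and the 1.3.6.1.6.3.15 row, and the longer excluded row wins, while sysDescr matches only subtree 1 and stays visible.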


Reviewing SNMP Settings

Use the show commands described in this section to review SNMP settings.

For information about...      Refer to page...
Community                     21
Context                       21
Counters                      22
Engineid                      23
Groups                        23
Group Access Rights           23
Target Parameter Profiles     24
Target Address Profiles       24
Notify                        24
Notify Filter                 25
Notify Profile                25
Users                         25
Views                         26

Community

Use this command to display SNMPv1/SNMPv2c community names and status. Note that the name field is obscured for security purposes:

show snmp community name

Example

enterasys(su)->show snmp community name
Name          = ************
Security name = public
Context       = default context
Transport tag =
Storage type  = nonVolatile
Status        = active

Context

Use this command to display the context list configuration for SNMP view-based access control:

show snmp context

Example

enterasys(su)->show snmp context
--- Configured contexts:
default context (all mibs)


Counters

Use this command to display SNMP traffic counter values:

show snmp counters

Example

enterasys(su)->show snmp counters
--- mib2 SNMP group counters:
snmpInPkts              = 396601
snmpOutPkts             = 396601
snmpInBadVersions       = 0
snmpInBadCommunityNames = 0
snmpInBadCommunityUses  = 0
snmpInASNParseErrs      = 0
snmpInTooBigs           = 0
snmpInNoSuchNames       = 0
snmpInBadValues         = 0
snmpInReadOnlys         = 0
snmpInGenErrs           = 0
snmpInTotalReqVars      = 403661
snmpInTotalSetVars      = 534
snmpInGetRequests       = 290
snmpInGetNexts          = 396279
snmpInSetRequests       = 32
snmpInGetResponses      = 0
snmpInTraps             = 0
snmpOutTooBigs          = 0
snmpOutNoSuchNames      = 11
snmpOutBadValues        = 0
snmpOutGenErrs          = 0
snmpOutGetRequests      = 0
snmpOutGetNexts         = 0
snmpOutSetRequests      = 0
snmpOutGetResponses     = 396601
snmpOutTraps            = 0
snmpSilentDrops         = 0
snmpProxyDrops          = 0
--- USM Stats counters:
usmStatsUnsupportedSecLevels = 0
usmStatsNotInTimeWindows     = 0
usmStatsUnknownUserNames     = 0
usmStatsUnknownEngineIDs     = 0
usmStatsWrongDigests         = 0
usmStatsDecryptionErrors     = 0


Engineid

Use this command to display SNMP engine properties:

show snmp engineid

Example

enterasys(su)->show snmp engineid
EngineId: 80:00:15:f8:03:00:e0:63:9d:b5:87
Engine Boots = 12
Engine Time  = 162181
Max Msg Size = 2048

Groups

Use this command to display SNMP groups:

show snmp group groupname groupname

Example

enterasys(su)-> show snmp group groupname Enterasys
Security model     = USM
Group name         = Enterasys
Security/user name = Enterasys_user
Storage type       = nonVolatile
Status             = active

Group Access Rights

Use this command to display an SNMP group's access rights:

show snmp access groupname

Example

enterasys(su)-> show snmp access Enterasys
Group          = Enterasys
Security model = USM
Security level = authPriv
Read View      = readView
Write View     = writeView
Notify View    =
Context match  = "default context" (exact)
Storage type   = nonVolatile
Status         = active


Target Parameter Profiles

Use this command to display SNMP target parameter profiles:

show snmp targetparams paramsname

Example

enterasys(su)-> show snmp targetparams enterasys
Target Parameter Name = enterasys
Security Name         = Enterasys_user
Message Proc. Model   = USM
Security Level        = authNoPriv
Storage type          = nonVolatile
Status                = active

Target Address Profiles

Use this command to display SNMP target address information:

show snmp targetaddr

Example

enterasys(su)-> show snmp targetaddr
Target Address Name = Enterasys_user
Tag List            =
IP Address          = 172.29.10.1
UDP Port#           = 162
Target Mask         = 255.255.255.255
Timeout             = 1500
Retry count         = 3
Parameters          = enterasys
Storage type        = nonVolatile
Status              = active

Notify

Use this command to display the SNMP notify configuration:

show snmp notify

Example

enterasys(su)->show snmp notify
--- SNMP notifyTable information ---
Notify name  = 1
Notify Tag   = Console
Notify Type  = trap
Storage type = nonVolatile
Status       = active

Notify name  = 2
Notify Tag   = TrapSink
Notify Type  = trap
Storage type = nonVolatile
Status       = active

Notify Filter

Use this command to display SNMP notify filter information, identifying which profiles will not receive SNMP notifications:

show snmp notifyfilter [profile] [subtree oid-or-mibobject] [volatile | nonvolatile]

Example

enterasys(su)->show snmp notifyfilter
--- SNMP notifyFilter information ---
Profile      = pilot1
Subtree      = 1.3.6
Subtree mask =
Filter type  = included
Storage type = nonVolatile
Status       = active

Notify Profile

Use this command to display SNMP notify profile information:

show snmp notifyprofile [profile] [targetparam targetparam] [volatile | nonvolatile]

Example

enterasys(su)->show snmp notifyprofile area51
--- SNMP notifyProfile information ---
Notify Profile = area51
TargetParam    = v3ExampleParams
Storage type   = nonVolatile
Status         = active

Users

Use this command to display SNMPv3 users:

show snmp user user

Example

enterasys(su)->show snmp user Enterasys_user
EngineId         = 80:00:15:f8:03:00:e0:63:9d:cb:89
Username         = Enterasys_user
Auth protocol    = usmHMACMD5AuthProtocol
Privacy protocol = usmDESPrivProtocol
Storage type     = nonVolatile
Status           = active


Views

Use this command to display SNMP views:

show snmp view viewname

Example

enterasys(su)->show snmp view readView
View Name    = readView
Subtree OID  = 1
Subtree mask =
View Type    = included
Storage type = nonVolatile
Status       = active


Revision History

Date         Description
05-30-08     New document.
07-28-08     Added Enterasys registration mark.
12-08-08     Made minor edits.
03-28-2011   Updated to include S-Series, K-Series, and minor terminology changes.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

© 2011 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS NETSIGHT, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring Spanning Trees

This document provides the following information about configuring and monitoring Spanning Tree protocols on Enterasys N-Series, S-Series, and K-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series, G-Series, and I-Series standalone fixed switches.

For information about...                                 Refer to page...
What Is the Spanning Tree Protocol?                      1
Why Would I Use Spanning Trees in My Network?            1
How Do I Implement Spanning Trees?                       2
STP Overview                                             2
Functions and Features Supported on Enterasys Devices    4
Understanding How Spanning Tree Operates                 6
Configuring STP and RSTP                                 11
Configuring MSTP                                         18
Understanding and Configuring SpanGuard                  20
Understanding and Configuring Loop Protect               22
Terms and Definitions                                    27

Note: For information about configuring Spanning Tree on the X-Series, refer to the X-Series Configuration Guide.

What Is the Spanning Tree Protocol?

The Spanning Tree Protocol (STP) resolves the problems of physical loops in a network by establishing one primary path between any two devices. Duplicate paths are barred from use and become standby or blocked paths until the original path fails, at which point duplicate paths can be brought into service. Should a bridge be added creating a redundant path, STP blocks one of the paths. Basically, the "tree" in the Spanning Tree Protocol is the optimal branching of network paths that STP-enabled devices keep in memory for efficient and fault-tolerant data forwarding.

Why Would I Use Spanning Trees in My Network?

Redundant links must be factored into even the simplest of topologies to protect against data loss and downtime due to any single point of failure. However, redundant links can also set an endless loop in motion, significantly stressing your network's speed and efficiency. As shown in Figure 1, a planned redundant link between Switch 1 and Switch 2 makes it possible for a bridging loop to occur. If Station 1 transmits a multicast or broadcast packet to Station 2 in this scenario, the packet would continue to circulate endlessly between both switching devices. Without Spanning Tree blocking one of the links, there would be nothing at layer 2 to stop this loop from happening and unnecessarily consuming network memory. As administrator, you would be forced to manually disable one of the links between Switch 1 and 2 for the Figure 1 network to operate.

Figure 1   Redundant Link Causes a Loop in a Non-STP Network

March 14, 2011

Page 1 of 29

With Spanning Tree running on your network devices, there would be no need for you to manually disable links. STP would automatically block one of the redundant paths, as shown in Figure 2, restoring a smooth data transfer between Switch 1 and 2 and end users. In the event that the primary (unblocked) path failed, STP would place the blocked path back into service and block the failed link. When enabled, it would do this automatically, without administrative intervention.

Figure 2   Loop Avoided When STP Blocks a Duplicate Path

How Do I Implement Spanning Trees?

By default, Spanning Tree is enabled globally on N-Series, S-Series, K-Series, stackable, and standalone switch devices and enabled on all ports. The default version is set to MSTP mode, an enhancement of the standard 802.1D (see Multiple Spanning Trees on page 3). In most networks, these defaults should not be changed. However, if you are knowledgeable about Spanning Trees and configuring STP algorithms, you will be able to adjust parameters to fine-tune STP performance in your network as described in this document. By using the Spanning Tree monitoring commands described here, you will also be able to better understand the default STP configuration on your Enterasys device and how it operates in your network.

STP Overview

Enterasys switch devices support the Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP) as defined in the following standards and described in this document:

- IEEE 802.1D (Spanning Tree Protocol)
- IEEE 802.1w (Rapid Spanning Tree Protocol)


- IEEE 802.1s (Multiple Spanning Tree Protocol)
- IEEE 802.1t (Update to 802.1D)

Note: MSTP and RSTP are fully compatible and interoperable with each other and with legacy STP.

As described previously, STP resolves the problems of physical loops in a network by establishing one primary path between any two devices. It does this by enabling switching devices to exchange information using Bridge Protocol Data Unit (BPDU) messages. STP uses BPDUs to designate a bridge for each switched LAN segment, and one root bridge for the Spanning Tree. The root bridge is the logical center of the Spanning Tree and is used to determine which paths to block and which to open.

If you are familiar with STP operation and wish to adjust the defaults in your network, you can determine the topology of the Spanning Tree by adjusting the bridge priority, port priority, and path cost. The bridge priority assigns the bridge's relative priority compared to other bridges. The port priority assigns the port's priority in relation to the other ports on the same bridge. By default, the port cost is a value assigned to the port based on the speed of the port; the faster the speed, the lower the cost. This helps to determine the quickest path between the root bridge and a specified destination. The segment attached to the root bridge normally has a path cost of zero.

Each bridge has a Bridge Identification (BID), which is derived from the bridge's MAC address and bridge priority. The bridge with the lowest BID becomes the root bridge.

Rapid Spanning Tree

Rapid Spanning Tree (RSTP) optimizes convergence in a properly configured network by significantly reducing the time to reconfigure the network's active topology when physical topology or configuration parameter changes occur. RSTP provides rapid connectivity following the failure of a switching device, switch port, or a LAN.

Multiple Spanning Trees

Multiple Spanning Tree (MSTP) optimizes the utilization of redundant links between switching devices in a network. It assigns each VLAN present on the network to a particular Spanning Tree instance, allowing each switch port to be in a distinct state for each such instance: blocking for one Spanning Tree while forwarding for another. Thus, traffic associated with one set of VLANs can traverse a particular inter-switch link, while traffic associated with another set of VLANs can be blocked on that link. If VLANs are assigned to Spanning Trees wisely, no inter-switch link will be completely idle, maximizing network utilization.

MSTP enhances STP and RSTP with the following features:

- Backwards compatibility with STP and RSTP.
- Ability to create a single Common and Internal Spanning Tree (CIST) that represents the connectivity of the entire network.
- Users can group any number of devices into individual regions, with each region behaving and presenting itself as a single switching device to the rest of the network.
- A region can contain multiple instances of the Spanning Tree, where each instance can support multiple VLANs.


MSTP can automatically detect the version of Spanning Tree being used on a LAN and send out the equivalent type of BPDU. In addition, MSTP incorporates a force-version feature that allows you to administratively force MSTP to behave as STP or RSTP.

Functions and Features Supported on Enterasys Devices


Note: This guide describes features supported on the N-Series, S-Series, K-Series, stackable, and standalone switch platforms. For information on X-Series support, refer to the X-Series Configuration Guide.

Maximum STP Capacities


By default, Multiple Spanning Tree mode is globally enabled on Enterasys switching devices and one Spanning Tree is configured as Spanning Tree ID (SID) 0.

Maximum device capacities, including the default Spanning Tree, are:
• 4 SID instances on stackable and standalone switch devices, except for the C5 which supports up to 8 SID instances
• 9 SID instances on DFE-Gold Series devices
• 65 SID instances on DFE-Platinum and Diamond Series devices with 256 MB of memory installed (including SID 0)
• 65 SID instances on S-Series switches (including SID 0)
• 32 SID instances on K-Series switches

Enterasys switching devices support a default 20-bridge span from the root bridge. You can configure support for a maximum diameter of up to 40 bridges from the Spanning Tree root as described in Defining the Maximum Age Time on page 15.

STP Features
Enterasys switching devices provide seamless Spanning Tree functionality by:
• Creating a single Spanning Tree from any arrangement of switching or bridging elements.
• Compensating automatically for the failure, removal, or addition of any switching device in an active data path.
• Achieving port changes in short time intervals, which establishes a stable active topology quickly with minimal network disturbance.
• Using a minimum amount of communications bandwidth to accomplish the operation of the Spanning Tree Protocol.
• Reconfiguring the active topology in a manner that is transparent to stations transmitting and receiving data packets.
• Managing the topology in a consistent and reproducible manner through the use of Spanning Tree Protocol parameters.
• Increasing security and reliability with SpanGuard, as described below and in Understanding and Configuring SpanGuard on page 20.


• Further protecting your network from loop formation with Loop Protect, as described below and in Understanding and Configuring Loop Protect on page 22.
• Supporting more port density and faster port speeds as described in Updated 802.1t on page 5.

SpanGuard
The Enterasys SpanGuard feature helps protect your network from two situations that can cause a Denial of Service condition: repeated topology change notifications and an unwanted bridge being inserted into and forcing traffic through the topology.

SpanGuard increases security and reliability by preventing Spanning Tree respans that can occur when BPDUs are received on edge (user) ports, and notifies network management that they were attempted.

If a SpanGuard-enabled port receives a BPDU, it becomes locked and transitions to the blocking state. It will only transition out of the blocking state after a globally specified time or when it is manually unlocked.

By default, SpanGuard is globally disabled on N-Series, S-Series, stackable, and standalone switch devices and must be globally enabled to operate on all user ports. For configuration information, refer to Understanding and Configuring SpanGuard on page 20.

Loop Protect
The Loop Protect feature prevents or short circuits loop formation caused by redundant paths in your network by requiring ports to receive type 2 BPDUs (RSTP/MSTP) on point-to-point inter-switch links (ISLs) before their states are allowed to become forwarding. Further, if a BPDU timeout occurs on a port, its state becomes listening until a BPDU is received.

In this way, both upstream and downstream facing ports are protected. When a root or alternate port loses its path to the root bridge due to a message age expiration, it takes on the role of designated port and will not forward traffic until a BPDU is received. When a port is intended to be the designated port in an ISL, it constantly proposes and will not forward until a BPDU is received, and will revert to listening if it fails to get a response. This protects against misconfiguration and protocol failure by the connected bridge.

By default, the Loop Protect feature is globally disabled on Enterasys switch devices and must be globally enabled to operate on all ports. For configuration information, refer to Understanding and Configuring Loop Protect on page 22.

Updated 802.1t
IEEE 802.1t is enabled by default on Enterasys switch devices. This updated Spanning Tree protocol supports multiple Spanning Trees, more switch port density and faster port speeds. 802.1t includes the following updates:
• New bridge identifier encoding (4-bit priority, 12-bit system ID extension, 48-bit bridge address)
• New port identifier encoding (4-bit priority, 12-bit port number)
• Bridge detection state machine (for edge port identification)
• Path cost default values (switch between old and new default values)


Understanding How Spanning Tree Operates


This section provides you with a more detailed understanding of how the Spanning Tree operates in a typical network environment. The following concepts are covered:
• Electing the Root Bridge (page 6)
• Assigning Path Costs (page 6)
• Determining the Designated Bridge (page 6)
• Identifying Port Roles and Assigning Port States (page 6)
• MSTP Operation (page 7)

Electing the Root Bridge


A root bridge is the logical center of the Spanning Tree topology. Root is determined when bridges periodically advertise their STP information to their neighbors by transmitting BPDUs containing their root ID and bridge ID. Each receiving bridge analyzes this information, electing the bridge with the lowest bridge ID as root.

Assigning Path Costs


Spanning Tree assigns each LAN segment a path cost, which is a port speed-based value associated with each link and the relative cost to traverse that link.

Determining the Designated Bridge


Spanning Tree calculates a designated bridge, which is the bridge offering the lowest path cost to the root bridge. If path costs are equal, the designated bridge is the one with the lower bridge ID. Each bridge is serviced by only one designated bridge. The root bridge serves as the designated bridge for all bridges to which it is directly attached. For each bridge, Spanning Tree calculates all possible paths back to the root bridge. If the path cost is equal from multiple paths, the designated bridge will be determined by the lowest bridge ID.

Identifying Port Roles and Assigning Port States


On each bridge, Spanning Tree identifies a root port, which is the port that provides the best path to the root bridge, and a designated port, which is the port that forwards configuration BPDUs from the root bridge. If a bridge is elected as the designated bridge for other downstream devices, then the ports that connect to these downstream devices are denoted as designated ports. Spanning Tree uses the following parameters to determine root ports and designated ports:
• Path cost to root
• Designated bridge ID
• Designated bridge port ID

STP's main goal is to ensure that every link connecting a root port and a designated port transitions to the forwarding state as quickly as possible. These and other STP port roles (described in Table 1) will dictate forwarding and assignment of the port states (described in Table 2).


Root ports and designated ports are left in the forwarding state. Redundant ports are placed in the blocking state to ensure the topology remains loop free. Table 2 lists these and additional port states which control the forwarding and learning processes within a topology.

Table 1 Spanning Tree Port Roles

Port Role    Description
Root         The one port that is used to connect to the root bridge. It is elected based on its least path cost to the root bridge and is forwarding traffic.
Alternate    Any redundant upstream port that provides an alternate path to the root bridge (other than the root port).
Designated   Any downstream port that provides a path back to the root bridge for a downstream bridge. This port is forwarding traffic.
Backup       A port that acts as a redundant designated port on a shared LAN.

Table 2 Spanning Tree Port States

Port State   Behavior
Blocking     Actively preventing traffic from using this path. Still receiving BPDUs, so continuing to monitor for management and STA information.
Listening    Continuing to block traffic while waiting for protocol information to determine whether to go back to the blocking state, or continue to the learning state. Listens to BPDUs to ensure no loops occur on the network.
Learning     Learning station location information but continuing to block traffic.
Forwarding   Forwarding traffic and continuing to learn station location information.
Disabled     Disabled administratively or by failure.

Typically, switch ports are either in blocking or forwarding state. As stated previously, a forwarding port is a port that has the lowest path cost to the root bridge. A port will never be placed in forwarding state unless there are no redundant links and Spanning Tree determines that it is the best path to the root bridge. If the network topology changes (for example, due to a failed link or the addition of a new switching device to the network), the ports on a switch will be in listening and learning states. Blocking ports are used to prevent network loops. Once a switch determines the best path to the root bridge, all other ports will be in blocking state. Blocked ports do not forward frames, but they still receive BPDUs. If a switch determines that a blocked port should now be the designated port, it will go into listening state. It will check all the BPDUs to make sure a loop will not be created once the port goes to forwarding state.

MSTP Operation
MSTP makes it possible for VLAN switching devices to use multiple Spanning Trees, allowing traffic belonging to different VLANs to flow over potentially different paths within the LAN. It builds upon the advancements of RSTP with its decreased time for network respans. MSTP's principal objective is to increase bandwidth utilization by allowing:
• Frames assigned to different VLANs to follow different data routes
• Ports to block for some Spanning Trees and forward for others
• Every ISL in the topology to be forwarding for at least one Spanning Tree


MSTP is the default Spanning Tree mode on all Enterasys switch devices.

The following concepts involved in MSTP operation are described in this section:
• Common and Internal Spanning Tree (CIST) (page 8)
• MST Region (page 8)
• Multiple Spanning Tree Instances (MSTI) (page 9)

Common and Internal Spanning Tree (CIST)


MSTP uses all Spanning Tree region information to create a single Common and Internal Spanning Tree (CIST) that represents the connectivity of the entire network. This is equivalent to the single Spanning Tree used for STP and RSTP.

The MSTP-enabled network contains one CIST and at least one MST region. A typical network may contain numerous MST regions as well as separate LAN segments running legacy STP and RSTP Spanning Tree protocols.

The CIST contains a root bridge, which is the root of the Spanning Tree for the network. The CIST root is not necessarily located inside an MST region. Each region contains a CIST regional root, unless the CIST root is part of the region. Bridges in an MSTP topology compare their received BPDUs to calculate their shortest path to the CIST root, CIST regional root and MSTI regional root.

MST Region
An MST region is a group of devices that are configured together to form a logical region. The MST region presents itself to the rest of the network as a single switching device, which simplifies administration. Path cost is only incremented when traffic enters or leaves the region, regardless of the number of devices within the region. Each LAN can only be a member of one region. Figure 3 shows that the MST region appears as a single switching device to Devices 1 and 2, but really consists of three devices.

Figure 3 Example of an MST Region

[Figure 3: Device 1 and Device 2 attached to an MST Region that appears to them as a single switching device]

For a switching device to be considered as part of an MST region, it must be administratively configured with the same configuration identifier information as all other devices in the MST region. The configuration identifier consists of the following four separate parts:


• Format Selector: One octet in length and is always 0. It cannot be administratively changed.
• Configuration Name: A user-assigned, case-sensitive name given to the region. The maximum length of the name is 32 octets.
• Revision Level: Two octets in length. The default value of 0 may be administratively changed.
• Configuration Digest: 16-octet HMAC-MD5 signature created from the configured VLAN Identification (VID)/Filtering Identification (FID) to Multiple Spanning Tree Instances (MSTI) mappings. All devices must have identical mappings to have identical configuration digests.

The MST region designates one CIST regional root bridge for the region, regardless of the number of MSTIs. The regional root provides the connectivity from the region to the CIST root when the CIST root lies outside the region.

Multiple Spanning Tree Instances (MSTI)


Inside the MST region, a separate topology is maintained from the outside world. Each MST region may contain up to 64 different MSTIs. The Enterasys switch device maps VLAN IDs (VIDs) and Filtering IDs (FIDs) to each other in a one-to-one correlation; for example, FID 3 = VID 3. VID/FIDs are mapped to different MSTIs to create a type of load balancing.

Determining FID-to-SID Mappings


VLANs are mapped to MSTIs through a FID-to-SID mapping correlation which is the key element in MSTP configuration. Each VLAN is associated to a FID and, during MSTI creation, VLANs are mapped to Spanning Tree IDs using their FID association. This mapping is contained within the MST configuration digest described in the previous section and displayed in the following example. By default, every bridge will have a FID-to-SID mapping that equals VLAN FID 1/SID 0.

Use this command to determine MSTI configuration identifier information, and whether or not there is a misconfiguration due to non-matching configuration identifier components:
show spantree mstcfgid

Example
This example shows how to display MSTI configuration identifier information. In this case, this bridge belongs to Region1:
Enterasys->show spantree mstcfgid
MST Configuration Identifier:
  Format Selector:      0
  Configuration Name:   Region1
  Revision Level:       88
  Configuration Digest: 6d:d7:93:10:91:c9:69:ff:48:f2:ef:bf:cd:8b:cc:de

In order for other bridges to belong to Region1, all four elements of those bridges' configuration ID output must match. The only default value that must be changed for this to happen is the configuration name setting.

Use this command to change the configuration name from the default bridge MAC address value to Region1:


set spantree mstcfgid cfgname Region1

Since an MSTI is a separate Spanning Tree, each MSTI has its own root inside the MST region. Figure 4 and Figure 5 show two MSTIs in a single region. Switching device 3 is the root for MSTI 1, switching device 2 is the root for MSTI 2, and switching device 5 is the CIST regional root. Traffic for all the VLANs attached to an MSTI follows the MSTI's spanned topology.

Various options may be configured on a per-MSTI basis to allow for differing topologies between MSTIs. To reduce network complexity and processing power needed to maintain MSTIs, you should only create as many MSTIs as needed.

Figure 4 MSTI 1 in a Region

[Figure 4: the CIST root (device 1) sits outside the MST region; inside the region, device 5 is the CIST regional root and device 3 is the MSTI 1 regional root; legend: physical link, blocked VLANs]

Figure 5 MSTI 2 in the Same Region

[Figure 5: in the same region, device 2 is the MSTI 2 regional root and device 5 remains the CIST regional root; devices 3 and 4 are also members; legend: physical link, blocked VLANs]

Figure 6 shows 3 regions with five MSTIs. Table 3 defines the characteristics of each MSTI. Ports connected to PCs from devices 1, 3, 9, and 11 will be automatically detected as edge ports. Devices 4 and 10 are the CIST regional roots and, because they contain the master port for their regions, are also the regional root devices. Each MSTI can be configured to forward and block various VLANs.


Figure 6 Example of Multiple Regions and MSTIs

[Figure 6: three regions (Region 1, Region 2, Region 3) containing switching devices 1 through 12; labels in the figure: CIST Regional Root, CIST Root and CIST Regional Root, Master Port]

Table 3 MSTI Characteristics for Figure 6

MSTI / Region        Characteristics
MSTI 1 in Region 1   Root is switching device 4, which is also the CIST regional root
MSTI 2 in Region 1   Root is switching device 5
MSTI 1 in Region 2   Root is switching device 7, which is also the CIST root
MSTI 1 in Region 3   Root is switching device 11
MSTI 2 in Region 3   Root is switching device 12. Switching device 10 is the CIST regional root

Configuring STP and RSTP


Caution: Spanning Tree configuration should be performed only by personnel who are very knowledgeable about Spanning Trees and the configuration of the Spanning Tree Algorithms. Otherwise, the proper operation of the network could be at risk.

This section provides information about the following Spanning Tree tasks:
• Reviewing and Enabling Spanning Tree (page 11)
• Adjusting Spanning Tree Parameters (page 12)
• Enabling the Backup Root Function (page 16)
• Adjusting RSTP Parameters (page 16)

Reviewing and Enabling Spanning Tree


By default, Spanning Tree is enabled globally on Enterasys switch devices and enabled on all ports. On all switching devices, the default Spanning Tree version is set to MSTP (802.1s) mode.


Since MSTP mode is fully compatible and interoperable with legacy STP and RSTP bridges, in most networks, this default should not be changed.

Use the following commands to review, re-enable and reset the Spanning Tree mode.

1. Review the current configuration on one or more SIDs, ports, or both:


show spantree stats [port port-string] [sid sid] [active]

Specifying active will display information for port(s) that have received BPDUs since boot.

2. If necessary, globally enable Spanning Tree:
set spantree stpmode ieee8021

3. Review the status of Spanning Tree on one or more ports:
show spantree portadmin [port port-string]

4. If necessary, re-enable Spanning Tree on one or more ports:
set spantree portadmin port-string enable

Example
This example shows how to display the device's Spanning Tree configuration:
Enterasys->show spantree stats
SID                       - 1
Spanning tree mode        - enabled
Designated Root           - 00-e0-63-6c-9b-6d
Designated Root Priority  - 0
Designated Root Cost      - 1
Designated Root Port      - ge.5.1
Root Max Age              - 20 sec
Root Hello Time           - 2 sec
Root Forward Delay        - 15 sec
Bridge ID MAC Address     - 00-e0-63-9d-b5-87
Bridge priority           - 32768
Bridge Max Age            - 20 sec
Bridge Hello Time         - 2 sec
Bridge Forward Delay      - 15 sec
Topology Change Count     - 6539
Time Since Top Change     - 00 days 00:00:00

Note: By default, Spanning Tree is enabled globally on N-Series, S-Series, stackable, and standalone switch devices and enabled on all ports.

Adjusting Spanning Tree Parameters


You may need to adjust certain Spanning Tree parameters if the default values are not suitable for your bridge configuration. Parameters affecting the entire Spanning Tree are configured with variations of the global bridge configuration commands. Interface-specific parameters are configured with variations of the Spanning Tree port configuration commands. Default settings are listed in Table 4:

Table 4 Spanning Tree Port Default Settings

Setting                          Default Value
Bridge priority mode             802.1t
Bridge priority                  32768
Port priority                    128
Port cost                        0 (automatically calculated based on port speed)
Hello time (bridge and ports)    2 seconds
Bridge forward delay             15 seconds
Bridge maximum aging time        20 seconds

Use the commands in the following sections to adjust these defaults.
Note: Poorly chosen adjustments to these parameters can have a negative impact on network performance. Please refer to the IEEE 802.1D specification for guidance.

Setting Bridge Priority Mode and Priority


Bridge priority mode affects the range of priority values used to determine which device is selected as the Spanning Tree root. By default, switching devices are set to 802.1t mode as described in Updated 802.1t on page 5. 802.1t mode uses bridge priority values of 0 to 61440, in increments of 4096, with 0 indicating high priority and 61440 low priority. Legacy (802.1D) priority values are 0 to 65535.

Use this command to set the bridge priority mode:
set spantree bridgeprioritymode 802.1t | 802.1d

In addition to setting priority mode, you can globally configure the priority of an individual bridge. When two bridges tie for position as the root bridge, this setting affects the likelihood that a bridge will be selected. The lower the bridge's priority, the more likely the bridge will be selected as the root bridge.

Use this command to set the bridge priority:


set spantree priority priority [sid]

Valid priority values are:
• For 802.1t priority mode: 0-61440 (in increments of 4096), with 0 indicating high priority and 61440 low priority. Values will automatically be rounded up or down, depending on the 802.1t value to which the entered value is closest.
• For 802.1D priority mode: 0-65535 (in increments of 1), with 0 indicating high priority and 65535 low priority.

Valid sid values are 0-4094. If not specified, SID 0 will be assumed.
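The following is an added example, not code from the Enterasys guide, that works through the election and port-role rules described in Electing the Root Bridge, Identifying Port Roles and the priority sections above: 802.1t bridge IDs are built from the rounded 4096-step priority, the lowest bridge ID becomes root, each bridge's root port is the port with the best priority vector (root path cost, then designated bridge ID, then designated port ID, then its own port ID), and on every link the end with the better vector is designated while the far end is either the root port or an alternate port. The bridge names, MAC addresses and link costs are constructed for the example, links are treated as point-to-point with one cost per link, and backup ports on shared LANs are not modelled.

```python
"""Added example: 802.1t bridge IDs, root election and port roles on a
constructed four-switch topology. Not part of the Enterasys guide."""
import heapq


def round_8021t_priority(value: int) -> int:
    """Snap an entered bridge priority to the nearest 802.1t step (multiple of 4096).
    Exact midpoints follow Python's round-half-to-even; the guide only says 'closest'."""
    if not 0 <= value <= 61440:
        raise ValueError("802.1t bridge priority must be 0-61440")
    return round(value / 4096) * 4096


def bridge_id(priority: int, mac: str, sysid_ext: int = 0) -> int:
    """802.1t bridge identifier: 4-bit priority, 12-bit system ID extension, 48-bit MAC."""
    prio_nibble = round_8021t_priority(priority) // 4096
    mac_int = int(mac.replace("-", "").replace(":", ""), 16)
    return (prio_nibble << 60) | ((sysid_ext & 0xFFF) << 48) | mac_int


def port_id(port_number: int, port_priority: int = 128) -> int:
    """802.1t port identifier: 4-bit priority (steps of 16) and 12-bit port number."""
    return ((port_priority // 16) << 12) | (port_number & 0xFFF)


# Constructed topology: name -> (bridge priority, MAC). S1 has a lowered priority,
# so it wins root even though S4 has the lowest MAC address.
BRIDGES = {
    "S1": (4096, "00-e0-63-9d-b5-87"),
    "S2": (32768, "00-e0-63-6c-9b-6d"),
    "S3": (32768, "00-e0-63-aa-00-01"),
    "S4": (32768, "00-e0-63-00-00-10"),
}
# (bridge, port, bridge, port, path cost). 802.1t default costs 20000 (1 Gb/s)
# and 200000 (100 Mb/s); the cost is used for both ends of a link here.
LINKS = [
    ("S1", 1, "S2", 1, 20000),
    ("S1", 2, "S3", 1, 20000),
    ("S2", 2, "S4", 1, 20000),
    ("S3", 2, "S4", 2, 200000),
    ("S2", 3, "S3", 3, 20000),
]


def compute_roles(bridges, links):
    """Return (root bridge name, root path cost per bridge, role per (bridge, port))."""
    bid = {name: bridge_id(prio, mac) for name, (prio, mac) in bridges.items()}
    root = min(bid, key=bid.get)                      # lowest bridge ID wins
    adj = {name: [] for name in bridges}
    for a, pa, b, pb, cost in links:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))
    # Root priority vector: (root path cost, designated bridge ID, designated port ID, own port ID)
    best = {name: (float("inf"), 0, 0, 0) for name in bridges}
    best[root] = (0, bid[root], 0, 0)
    root_port = {name: None for name in bridges}
    heap = [(best[root], root)]
    while heap:                       # Dijkstra over the vector, as BPDUs propagate outward
        vec, name = heapq.heappop(heap)
        if vec != best[name]:
            continue
        for port, nb, nb_port, cost in adj[name]:
            cand = (vec[0] + cost, bid[name], port_id(port), port_id(nb_port))
            if cand < best[nb]:
                best[nb], root_port[nb] = cand, nb_port
                heapq.heappush(heap, (cand, nb))
    roles = {}
    for a, pa, b, pb, _cost in links:
        offer_a = (best[a][0], bid[a], port_id(pa))    # what each end would advertise
        offer_b = (best[b][0], bid[b], port_id(pb))
        desig, dport, other, oport = (a, pa, b, pb) if offer_a < offer_b else (b, pb, a, pa)
        roles[(desig, dport)] = "Designated"
        roles[(other, oport)] = "Root" if root_port[other] == oport else "Alternate"
    return root, {name: best[name][0] for name in bridges}, roles


if __name__ == "__main__":
    root, rpc, roles = compute_roles(BRIDGES, LINKS)
    print(f"root bridge: {root}")
    for (name, port), role in sorted(roles.items()):
        print(f"{name} port {port}: {role} (root path cost {rpc[name]})")
```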


Setting a Port Priority


You can set a Spanning Tree port priority, a value to be used to break a tie when choosing the root port for a bridge in a case where the choice is between ports connected to the same bridge. The port with the lowest value will be elected.

Use this command to set a port priority:
set spantree portpri port-string priority [sid sid]

Valid priority values are 0-240 (in increments of 16) with 0 indicating high priority.
Valid sid values are 0-4094. If not specified, SID 0 will be assumed.

Assigning Port Costs


Each interface has a Spanning Tree port cost associated with it, which helps to determine the quickest path between the root bridge and a specified destination. By convention, the higher the port speed, the lower the port cost. By default, this value is set to 0, which forces the port to recalculate Spanning Tree port cost based on the speed of the port and whether or not legacy (802.1D) path cost is enabled.

Use this command to assign different Spanning Tree port costs:
set spantree adminpathcost port-string cost [sid sid]

Valid cost values are:
• 0-65535 if legacy path cost is enabled.
• 0-200000000 if legacy path cost is disabled.

Valid sid values are 0-4094. If not specified, SID 0 will be assumed.
Notes: Please refer to the IEEE 802.1D specification for guidance in setting appropriate cost values for your port speeds. By default, legacy path cost is disabled. Enabling the device to calculate legacy path costs affects the range of valid values that can be administratively assigned. To check the status of legacy path cost, use show spantree legacypathcost. To disable legacy path cost, if necessary, use set spantree legacypathcost disable.

Adjusting Bridge Protocol Data Unit (BPDU) Intervals


Use the commands in this section to adjust default BPDU interval values.

Table 5 BPDU Interval Defaults

BPDU Interval                    Default Value
Hello time (bridge and ports)    2 seconds
Forward delay                    15 seconds
Maximum age time                 20 seconds


Adjusting the Bridge Hello Time


Caution: Poorly chosen adjustments to bridge and port hello time parameters can have a negative impact on network performance. It is recommended that you do not change these parameters unless you are familiar with Spanning Tree configuration and have determined that adjustments are necessary. Please refer to the IEEE 802.1D specification for guidance.

Hello time is the interval at which the bridge or individual ports send BPDU messages. By default, bridge hello mode is enabled, meaning the device uses a single bridge administrative hello time. Adjust the bridge hello time as follows:

1. Check the status of bridge hello mode:


show spantree bridgehellomode

2. If necessary, re-enable bridge hello mode:
set spantree bridgehellomode enable

3. Set a new hello time interval:
set spantree hello interval

Valid interval values are 1-10.

Adjusting Port Hello Times


You can set the device to use per-port administrative hello times by disabling bridge hello mode and adjusting the hello time interval for one or more ports as follows:

1. Check the status of bridge hello mode:
show spantree bridgehellomode

2. If necessary, disable bridge hello mode:
set spantree bridgehellomode disable

3. Set a new hello time interval for one or more ports:
set spantree porthello port-string interval

Valid interval values are 10-100.

Adjusting the Forward Delay Interval


When rapid transitioning is not possible, forward delay is used to synchronize BPDU forwarding. The forward delay interval is the amount of time spent listening for topology change information after an interface has been activated for bridging and before forwarding actually begins. This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a blocking state. Otherwise, temporary data loops might result.

Use this command to adjust the forward delay interval setting:
set spantree fwddelay delay

Valid delay values are 4-30.

Defining the Maximum Age Time


If a bridge does not hear BPDUs from the root bridge within the interval (number of seconds) specified as maximum age time, it assumes that the network has changed and recomputes the Spanning Tree topology. By adjusting this value, you can configure support for a maximum diameter from the STP root of up to 40 bridges. By default, Enterasys switching devices are set with a maximum age time of 20 seconds, supporting a 20-bridge span from the root bridge.

Use this command to adjust the maximum age setting:


set spantree maxage agingtime

Valid agingtime values are 6-40 (seconds).

Setting the Maximum Configurable STPs


Note: Adjusting this setting applies only to N-Series and S-Series devices.

By default, Multiple Spanning Tree mode is globally enabled on Enterasys switching devices and one Spanning Tree is configured as Spanning Tree ID (SID) 0. As described in Maximum STP Capacities on page 4, devices support different numbers of Spanning Tree instances (including SID 0), depending on their model type and memory installed. SID values are from 1 to 4094.

N-Series, S-Series, and K-Series devices allow you to set the maximum number of user-configured Spanning Trees allowed on the device:


set spantree maxconfigurablestps numstps

Valid numstps values for N-Series, S-Series, and K-Series devices are:
• 1-8 for DFE-Gold Series devices
• 1-64 for DFE-Diamond, DFE-Platinum, and S-Series devices
• 1-32 for K-Series devices

Enabling the Backup Root Function


Disabled by default on N-Series, S-Series, stackable, and standalone switch devices, the backup root function works only when the backup root-enabled bridge is directly connected to the root bridge. It then prevents stale Spanning Tree information from circulating throughout the network in the event that the link between the root bridge and the backup root-enabled bridge is lost. If this happens, the backup root will dynamically lower its bridge priority relative to the existing root bridge's priority, causing it to immediately be selected as the new root bridge.

Use this command to enable the backup root function on a SID:
set spantree backuproot sid enable

When SNMP trap messaging is configured and the backup root function is enabled, a trap message will be generated when the backup becomes the new root of the network.

Adjusting RSTP Parameters


Since rapid link reconfiguration can happen only on a point-to-point link or an edge port (a port that is known to be on the edge of a bridged LAN), in some cases you may want to define them administratively. However, since edge port and point-to-point links are automatically detected on Enterasys switching devices, in most cases you will not need to change these default port designations.


Defining Point-to-Point Links


Note: Adjusting this function does not apply to stackable and standalone switch devices.

By default, the administrative point-to-point status is set to auto on all Spanning Tree ports, allowing the Enterasys firmware to determine each port's point-to-point status. In most cases, this setting will not need to be changed and will provide optimal RSTP functionality. You can, however, use the following commands to review and, if necessary, change the point-to-point status of a Spanning Tree link.

Review and define the point-to-point status of an RSTP link as follows:

1. Display the point-to-point operating status of a LAN segment attached to a port:


show spantree operpoint [port port-string]

A status of true indicates the LAN segment is operating as a point-to-point link. A status of false indicates it is not. If port-string is not specified, point-to-point operating status will be displayed for all Spanning Tree ports.

2. Display the point-to-point administrative status of a LAN segment attached to a port:


show spantree adminpoint [port port-string]

A status of true indicates the port is administratively set to be considered point-to-point. A status of false indicates the port is administratively set to be considered non-point-to-point. A status of auto (the default setting) indicates that the firmware is allowed to determine the port's point-to-point status. If port-string is not specified, point-to-point administrative status will be displayed for all Spanning Tree ports.

3. If necessary, change the point-to-point administrative status of a LAN segment attached to a port:


set spantree adminpoint port-string auto | true | false

Defining Edge Port Status


By default, edge port status is disabled on all ports. When enabled, this indicates that a port is on the edge of a bridged LAN. You can use the following commands to review and, if necessary, change the edge port detection status on the device and the edge port status of Spanning Tree ports.

Review and define edge port status as follows:

1. Display the status of edge port detection:
show spantree autoedge

2. If desired, enable edge port detection:
set spantree autoedge enable

3. Display the edge port operating status of one or more port(s):

show spantree operedge [port port-string]

A status of true or Edge-Port indicates the port is operating as an edge port. A status of false or Non-Edge-Port indicates it is not. If port-string is not specified, edge port status will be displayed for all Spanning Tree ports.

4. Display the edge port administrative status of one or more port(s):


show spantree adminedge [port port-string]

A status of true or Edge-Port indicates the port is administratively set to be considered an edge port. A status of false or Non-Edge-Port indicates the port is administratively set to be considered a non-edge port. If port-string is not specified, edge port administrative status will be displayed for all Spanning Tree ports.

5. If necessary, change the edge port administrative status of one or more port(s):


set spantree adminedge port-string true

Configuring MSTP
In order for MSTP to provide multiple forwarding paths, the following must happen:
• The configuration identifier must match on all bridges within the region.
• All bridges must be within the same region.
• All bridges must be connected to MSTP-aware bridges. (They can be connected using a shared media such as a repeater provided that a single Spanning Tree device does not reside on that LAN.)
Note: A single Spanning Tree device between two MSTP bridges will terminate the ability to have multiple forwarding paths.

This section provides information about the following MSTP tasks:
• Example: Simple MSTP Configuration (page 18)
• Adjusting MSTP Parameters (page 19)
• Monitoring MSTP (page 19)

Example: Simple MSTP Configuration


The following example describes setting up the simple MSTP network shown in Figure 7. By default, each switching device will be in its own MST region using its own MAC address as the MST configuration ID. This configuration groups Switch 1 and Switch 2 into a single MST region with an MSTI configuration name of South. It maps VLAN 2 to MSTI SID 2 and VLAN 3 to MSTI SID 3.


Figure 7 MSTP Simple Network Configuration

Procedure 1 shows how to configure Switches 1 and 2 for MSTP.

Procedure 1 Configuring Switches 1 and 2 for Simple MSTP

Step  Task                                                Command(s)
1.    Create VLANs 2 and 3.                               set vlan create 2-3
2.    Set each switch's configuration name to South.      set spantree mstcfgid cfgname South
3.    Create MSTI SID 2.                                  set spantree msti sid 2 create
4.    Create MSTI SID 3.                                  set spantree msti sid 3 create
5.    Create a FID-to-SID mapping for VLAN 2 to SID 2.    set spantree mstmap 2 sid 2
6.    Create a FID-to-SID mapping for VLAN 3 to SID 3.    set spantree mstmap 3 sid 3
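The following is an added example, not code from the Enterasys guide, serving both the Determining FID-to-SID Mappings section and the Procedure 1 configuration above: it computes the configuration digest from a VLAN-to-MSTI mapping and then groups bridges by their four-part configuration identifier to show which of them actually form one region. The digest is built the way IEEE 802.1Q (formerly 802.1s) specifies it, as HMAC-MD5 with the standard's published fixed key over a 4096-entry table of 2-octet MSTID values indexed by VID; that the Enterasys firmware hashes the table in exactly this form is an assumption of this example, since the guide only states that the digest is a 16-octet HMAC-MD5 over the VID/FID-to-MSTI mappings. The bridge names and the mistakes they carry are constructed.

```python
"""Added example: MST configuration digest and region membership check.
Not part of the Enterasys guide; see the lead-in for assumptions."""
import hashlib
import hmac

# Fixed HMAC key from IEEE 802.1Q (Table 13-1); a published constant, not a secret.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
CIST = 0  # VLANs that are not mapped explicitly stay in the CIST (SID 0 on Enterasys devices)


def configuration_digest(vid_to_msti: dict) -> str:
    """Return the 16-octet digest in the colon-separated hex form the switch prints.
    Assumption: the hashed table is 4096 big-endian 2-octet MSTIDs, one per VID 0..4095."""
    table = bytearray()
    for vid in range(4096):
        msti = vid_to_msti.get(vid, CIST)
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTID {msti} out of range for VID {vid}")
        table += msti.to_bytes(2, "big")
    digest = hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).digest()
    return ":".join(f"{b:02x}" for b in digest)


def config_identifier(name: str, revision: int, vid_to_msti: dict, fmt: int = 0) -> tuple:
    """Build the four parts shown by 'show spantree mstcfgid', applying the limits the
    guide states: a 32-octet name and a two-octet revision level."""
    if len(name.encode()) > 32:
        raise ValueError("configuration name is limited to 32 octets")
    if not 0 <= revision <= 0xFFFF:
        raise ValueError("revision level is two octets")
    return (fmt, name, revision, configuration_digest(vid_to_msti))


def group_into_regions(bridges: dict) -> dict:
    """Map each distinct configuration identifier to the bridges that carry it.
    Bridges share a region only when all four parts match exactly; the name
    comparison is case sensitive, as the guide states."""
    regions = {}
    for bridge, ident in bridges.items():
        regions.setdefault(ident, []).append(bridge)
    return regions


# Constructed sample: the 'South' region from Procedure 1, one bridge on which the
# VLAN 3 mapping was forgotten, and one whose name differs only in case.
SOUTH_MAP = {2: 2, 3: 3}
SAMPLE_BRIDGES = {
    "Switch1": config_identifier("South", 0, SOUTH_MAP),
    "Switch2": config_identifier("South", 0, {3: 3, 2: 2}),   # same mapping, different order
    "Switch3": config_identifier("South", 0, {2: 2}),         # VLAN 3 left in the CIST
    "Switch4": config_identifier("south", 0, SOUTH_MAP),      # case-sensitive name mismatch
}

if __name__ == "__main__":
    for (fmt, name, rev, digest), members in group_into_regions(SAMPLE_BRIDGES).items():
        print(f"name {name!r} rev {rev} digest {digest}: {', '.join(members)}")
```

With every VLAN left in the CIST the digest is the well-known 802.1Q default value, so a bridge printing that digest has no VLAN mapped to any MSTI.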

Adjusting MSTP Parameters


You may need to adjust certain Spanning Tree parameters if the default values are not suitable for your bridge configuration. Refer back to Adjusting Spanning Tree Parameters on page 12 and Adjusting RSTP Parameters on page 16 for information on adjusting Spanning Tree defaults. Changes made to global and port-related Spanning Tree defaults will take effect if the device is running in STP, RSTP, or MSTP.

Monitoring MSTP
Use the commands in Table 6 to monitor MSTP statistics and configurations on N-Series, S-Series, stackable, and standalone switch devices. You can also use the show commands described in Reviewing and Enabling Spanning Tree on page 11 to review information related to all Spanning Tree protocol activity.

Table 6 Commands for Monitoring MSTP

Task                                                                              Command
Verify that MSTP is running on the device.                                        show spantree version
Display the maximum configurable MSTIs allowed on the device.                     show spantree maxconfigurablestps
Display a list of MSTIs configured on the device.                                 show spantree mstilist
Display the mapping of one or more filtering database IDs (FIDs) to Spanning      show spantree mstmap [fid fid]
Trees. Since VLANs are mapped to FIDs, this shows to which SID a VLAN is mapped.
Display the Spanning Tree ID(s) assigned to one or more VLANs.                    show spantree vlanlist [vlan-list]
Display MST configuration identifier elements, including format selector,         show spantree mstcfgid
configuration name, revision level, and configuration digest.
Display protocol-specific MSTP counter information.                               show spantree debug [port port-string] [sid sid] [active]

Understanding and Configuring SpanGuard


This section provides information about the following SpanGuard topics and tasks:
• What Is SpanGuard? (page 20)
• How Does It Operate? (page 20)
• Configuring SpanGuard (page 21)

What Is SpanGuard?
As described previously in the overview of SpanGuard on page 5, this feature enables Enterasys switching devices to detect unauthorized bridges in your network, resolving the threat of repeated topology change notifications or new root bridge announcements causing a Denial of Service (DoS) condition. It prevents Spanning Tree respans that can occur when BPDUs are received on user ports and notifies you (network management) they were attempted.

If a SpanGuard-enabled port receives a BPDU, it becomes locked and transitions to the blocking state. It will only transition out of the blocking state after a globally specified time or when it is manually unlocked.

By default, SpanGuard is globally disabled on N-Series, S-Series, stackable, and standalone switch devices and must be globally enabled to operate on all user ports. For configuration information, refer to Configuring SpanGuard on page 21.

How Does It Operate?

SpanGuard helps protect against Spanning Tree Denial of Service (DoS) attacks as well as unintentional/unauthorized connected bridges by intercepting received BPDUs on configured ports and locking these ports so they do not process any received packets.

When enabled, reception of a BPDU on a port that is administratively configured as a Spanning Tree edge port (adminedge = True) will cause the port to become locked and the state set to blocking. When this condition is met, packets received on that port will not be processed for a specified timeout period. The port will become unlocked when either:
• the timeout expires,
• the port is manually unlocked,
• the port is no longer administratively configured as adminedge = True, or
• the SpanGuard function is disabled.

The port will become locked again if it receives another offending BPDU after the timeout expires or it is manually unlocked.

In the event of a DoS attack with SpanGuard enabled and configured, no Spanning Tree topology changes or topology reconfigurations will be seen in your network. The state of your Spanning Tree will be completely unaffected by the reception of any spoofed BPDUs, regardless of the BPDU type, rate received, or duration of the attack.

By default, when SNMP and SpanGuard are enabled, a trap message will be generated when SpanGuard detects that an unauthorized port has tried to join a Spanning Tree.

Configuring SpanGuard

Use the following commands to configure device ports for SpanGuard, to enable the SpanGuard function, and to review SpanGuard status on the device.

Reviewing and Setting Edge Port Status

Note: In order to utilize the SpanGuard function, you must know which ports are connected between switching devices as ISLs (inter-switch links). Also, you must configure edge port status (adminedge = true or false) on the entire switch, as described in Defining Edge Port Status on page 17, before SpanGuard will work properly.

Review and set edge port status as follows:
1. Use the show commands described in Defining Edge Port Status on page 17 to determine edge port administrative status on the device.
2. Set edge port administrative status to false on all known ISLs.
3. Set edge port administrative status to true on any remaining ports where SpanGuard protection is desired. This indicates to SpanGuard that these ports are not expecting to receive any BPDUs. If these ports do receive BPDUs, they will become locked.

Enabling and Adjusting SpanGuard

Use this command to enable SpanGuard on the device:

set spantree spanguard enable

Use this command to adjust the SpanGuard timeout value. This sets the length of time that a SpanGuard-affected port will remain locked:

set spantree spanguardtimeout timeout

Valid values are 0 to 65535 seconds. Default is 300 seconds. Setting the value to 0 will set the timeout to forever.

Use this command to manually unlock a port that was locked by the SpanGuard function. This overrides the specified timeout variable:

set spantree spanguardlock port-string
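To make the locking rules above concrete, the following is an added Python model of a SpanGuard-protected port. It is not Enterasys code and not taken from this guide; the port names, the integer clock, the event walk-through and the trap list are constructed for the example. The behaviour it encodes is the one the text describes: a BPDU on an adminedge=true port locks it and raises a trap, a locked port processes nothing, the lock is released by the timeout, a manual unlock, clearing adminedge, or disabling the feature, a timeout of 0 means the lock never expires, and an unlocked port relocks on the next offending BPDU.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SpanGuardPort:
    name: str
    admin_edge: bool = True            # adminedge=true: a user port, no BPDUs expected
    locked: bool = False
    expires_at: Optional[int] = None   # None while unlocked, or locked with timeout 0


@dataclass
class SpanGuard:
    enabled: bool = False              # set spantree spanguard enable
    timeout: int = 300                 # set spantree spanguardtimeout; 0 = forever
    ports: Dict[str, SpanGuardPort] = field(default_factory=dict)
    traps: List[str] = field(default_factory=list)   # constructed stand-in for SNMP traps

    def add_port(self, name: str, admin_edge: bool) -> None:
        self.ports[name] = SpanGuardPort(name, admin_edge)

    def receive_bpdu(self, name: str, now: int) -> str:
        """Return what happens to a BPDU arriving on port `name` at time `now`."""
        port = self.ports[name]
        if port.locked:
            return "dropped"             # a locked port processes no received packets
        if not self.enabled or not port.admin_edge:
            return "processed"           # ISLs (adminedge=false) run Spanning Tree normally
        port.locked = True
        port.expires_at = None if self.timeout == 0 else now + self.timeout
        self.traps.append(f"t={now}: {name} locked, unauthorized bridge tried to join")
        return "locked"

    def tick(self, now: int) -> None:
        """Timeout expiry unlocks a port; it relocks on the next offending BPDU."""
        for port in self.ports.values():
            if port.locked and port.expires_at is not None and now >= port.expires_at:
                self._unlock(port)

    def unlock(self, name: str) -> None:
        """set spantree spanguardlock: a manual unlock overrides the timeout."""
        self._unlock(self.ports[name])

    def set_admin_edge(self, name: str, value: bool) -> None:
        port = self.ports[name]
        port.admin_edge = value
        if not value:
            self._unlock(port)           # no longer adminedge=true, so no longer locked

    def set_enabled(self, value: bool) -> None:
        self.enabled = value
        if not value:
            for port in self.ports.values():
                self._unlock(port)       # disabling the feature releases every lock

    @staticmethod
    def _unlock(port: SpanGuardPort) -> None:
        port.locked = False
        port.expires_at = None


def scenario() -> dict:
    """Constructed walk-through: one ISL, one user port, default 300 s timeout."""
    sg = SpanGuard()
    sg.add_port("ge.1.1", admin_edge=False)    # known ISL, adminedge=false
    sg.add_port("ge.1.20", admin_edge=True)    # user port protected by SpanGuard
    log = []
    log.append("disabled:" + sg.receive_bpdu("ge.1.20", now=0))    # feature off: processed
    sg.set_enabled(True)
    log.append("isl:" + sg.receive_bpdu("ge.1.1", now=10))         # ISL: processed
    log.append("user:" + sg.receive_bpdu("ge.1.20", now=10))       # user port: locked
    log.append("again:" + sg.receive_bpdu("ge.1.20", now=20))      # already locked: dropped
    sg.tick(now=309)
    log.append("before:" + str(sg.ports["ge.1.20"].locked))        # still locked at 299 s
    sg.tick(now=310)
    log.append("after:" + str(sg.ports["ge.1.20"].locked))         # timeout expired
    log.append("relock:" + sg.receive_bpdu("ge.1.20", now=320))    # next BPDU relocks
    sg.unlock("ge.1.20")                                           # manual unlock
    sg.timeout = 0                                                 # lock forever
    sg.receive_bpdu("ge.1.20", now=400)
    sg.tick(now=10**6)
    log.append("forever:" + str(sg.ports["ge.1.20"].locked))       # never expires
    return {"log": log, "traps": len(sg.traps)}
```

The three lock events in the walk-through (initial lock, relock after the timeout, lock with timeout 0) each produce one trap entry, which is what a management station would see if SNMP traps are enabled.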


Monitoring SpanGuard Status and Settings

Use the commands in Table 7 to review SpanGuard status and settings.

Table 7 Commands for Monitoring SpanGuard

show spantree spanguard
    Display the status of SpanGuard on the device.

show spantree spanguardlock [port port-string]
    Display the status of the SpanGuard lock function on one or more ports.

show spantree spanguardtimeout
    Display the SpanGuard timeout setting.

show spantree spanguardtrapenable
    Display the status of the SpanGuard trap function.

Understanding and Configuring Loop Protect

This section provides information about the following Loop Protect topics and tasks:
• What Is Loop Protect? (page 22)
• How Does It Operate? (page 22)
• Configuring Loop Protect (page 25)

What Is Loop Protect?

As described previously in the overview of Loop Protect on page 5, this feature prevents or short circuits loop formation in your network. It does this by requiring ports to receive type 2 BPDUs (RSTP/MSTP) on point-to-point inter-switch links (ISLs) before their states are allowed to become forwarding. Further, if a BPDU timeout occurs on a port, its state becomes non-forwarding until a BPDU is received.

In this way, both upstream and downstream facing ports are protected. When a root or alternate port loses its path to the root bridge due to a message age expiration, it takes on the role of designated port and will not forward traffic until a BPDU is received.

When a port is intended to be the designated port in an ISL, it constantly proposes and will not forward until a BPDU is received. This protects against misconfiguration and protocol failure by the connected bridge.

How Does It Operate?

Loop Protect operates as a per-port, per-MST instance feature and should be set on ISLs. It is comprised of several related functions, including:
• Controlling port forwarding state based on reception of agreement BPDUs
• Controlling port forwarding state based on reception of disputed BPDUs
• Communicating port non-forwarding status through traps and syslog messages
• Disabling a port based on frequency of failure events


Port Modes and Event Triggers

Ports work in two Loop Protect operational modes. If the port is configured so that it is connected to a switching device known to implement Loop Protect, it uses full functional (enhanced) mode. Otherwise, it operates in limited functional (standard) mode.

Connection to a Loop Protect switching device guarantees that the alternate agreement mechanism is implemented and, therefore, the designated port can rely on receiving a response to its proposal regardless of the role of the connected port. This has two important implications. First, the designated port connected to a non-root port may transition to forwarding. Second, there is no ambiguity when a timeout happens; a Loop Protect event has occurred.

In full mode, when a type 2 BPDU is received and the port is designated and point-to-point, the timer is set to 3 times helloTime. Limited mode adds a further requirement that the flags field in the BPDU indicates a root role. If the port is a boundary port, the MSTIs for that port follow the CIST (for example, if the MSTI port timers are set according to the CIST port timer). If the port is internal to the region, then the MSTI port timers are set independently using the particular MSTI message.

Loop Protect initializes the MSTI timer to zero and does not allow the designated port to transition from listening to learning until the timer becomes non-zero. If the port is not designated, the timer does not apply. Its state is controlled through normal protocol behavior.

A disputed BPDU is one in which the flags field indicates a designated role, a learning state, and the priority vector is worse than that already held by the port. If a disputed BPDU is received, the port is forced to the listening state.

Message age expiration and the expiration of the Loop Protect timer are both events for which Loop Protect generates a notice-level syslog message. You can also configure traps to report these events, as well as a syslog message and trap for disputed BPDUs.

In addition, you can configure Loop Protect to force the locking of a SID/port when one or more events occur. When the configured number of events happen within a given window of time, the port will be forced into blocking and held there until you manually unlock it.

Example: Basic Loop Protect Configuration

The following sample configuration shows how Loop Protect functions in a basic Spanning Tree topology.

In the example in Figure 8, Switch 1 is the root bridge with BPDUs being sent to both Switch 2 and 3. (Designated ports are labeled D and root ports are labeled R.) Switch 3 has placed the port that connects to Switch 2 in a blocking state.

Figure 8 Basic Loop Protect Scenario

Figure 9 shows that, without Loop Protect, a failure could be as simple as someone accidentally disabling Spanning Tree on the port between Switch 2 and 3. Switch 3's blocking port eventually transitions to a forwarding state which leads to a looped condition.

Figure 9 Spanning Tree Without Loop Protect

Figure 10 shows that, with Loop Protect enabled, Switch 3 will not go to a forwarding state until it has received a BPDU from Switch 2.

Figure 10 Spanning Tree with Loop Protect

March 14, 2011

Page 24 of 29

Understanding and Configuring Loop Protect

Configuring Loop Protect

This section provides information about Loop Protect configuration:
• Enabling or Disabling Loop Protect (page 25)
• Specifying Loop Protect Partners (page 25)
• Setting the Loop Protect Event Threshold and Window (page 25)
• Enabling or Disabling Loop Protect Event Notifications (page 26)
• Setting the Disputed BPDU Threshold (page 26)
• Monitoring Loop Protect Status and Settings (page 26)

Enabling or Disabling Loop Protect

By default, Loop Protect is disabled on all ports. Use this command to enable (or, if desired, disable) the feature on one or more ports:

set spantree lp port-string {enable | disable} [sid sid]

If no SID is specified, SID 0 is assumed.

This command takes precedence over per-port STP enable/disable state (portAdmin). Normally, portAdmin disabled would cause a port to go immediately to forwarding. If Loop Protect is enabled, that port should go to listening and remain there.

Note: The Loop Protect enable/disable settings for an MSTI port should match those for the CIST port.

Specifying Loop Protect Partners

By default, each port is not set as a Loop Protect capable partner. If the port is set as a Loop Protect capable partner (true), then the full functionality of the Loop Protect feature is used. If the value is false, then there is some ambiguity as to whether an Active Partner timeout is due to a loop protection event or is a normal situation due to the fact that the partner port does not transmit Alternate Agreement BPDUs. Therefore, a conservative approach is taken in that designated ports will not be allowed to forward unless receiving agreements from a port with root role. This type of timeout will not be considered a loop protection event. Loop protection is maintained by keeping the port from forwarding, but since this is not considered a loop event, it will not be factored into locking the port.

Use this command to set the Loop Protect partner state on one or more ports:

set spantree lpcapablepartner port-string {true | false}

Setting the Loop Protect Event Threshold and Window

The Loop Protect event threshold is a global integer variable that provides protection in the case of intermittent failures. The default value is 3. If the event counter reaches the threshold within a given period (the event window), then the port for the given SID becomes locked (that is, held indefinitely in the blocking state). If the threshold is 0, the ports are never locked.

Use this command to set the Loop Protect event threshold:

set spantree lpthreshold value


The Loop Protect window is a timer value, in seconds, that defines a period during which Loop Protect events are counted. The default value is 180 seconds. If the timer is set to 0, the event counter is not reset until the Loop Protect event threshold is reached.

Use this command to set the Loop Protect event window value in seconds:

set spantree lpwindow value

Enabling or Disabling Loop Protect Event Notifications

Loop Protect traps are sent when a Loop Protect event occurs, that is, when a port goes to listening due to not receiving BPDUs. The trap indicates port, SID and loop protection status.

Use this command to enable or disable Loop Protect event notification. By default, this is disabled:

set spantree lptrapenable {enable | disable}

Setting the Disputed BPDU Threshold

A disputed BPDU is one in which the flags field indicates a designated role and a learning state, and the priority vector is worse than that already held by the port. If a disputed BPDU is received, the port is forced to the listening state. Refer to the 802.1Q-2005 standard, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks, for a full description of the dispute mechanism, which prevents looping in cases of one-way communication.

The disputed BPDU threshold is an integer variable that represents the number of disputed BPDUs that must be received on a given port/SID until a disputed BPDU trap is sent and a syslog message is issued. For example, if the threshold is 10, then a trap is issued when 10, 20, 30 (and so on) disputed BPDUs have been received. The trap indicates port, SID and total Disputed BPDU count.

Use this command to set the disputed BPDU threshold:

set spantree disputedbpduthreshold value

Default value is 0, which means that traps are not sent.
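The event threshold, the event window, the event trap and the disputed BPDU threshold described in the preceding sections interact on one per-port, per-SID counter. The following is an added Python model of that interaction; it is not Enterasys code and not taken from this guide. Port names, timestamps and the trap and syslog lists are constructed for the example, and one point is an assumption not settled by the text: the window is treated as a sliding window (an event older than the window is forgotten when the next event arrives), since the page only says events are counted "within a given window of time".

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Key = Tuple[str, int]   # (port-string, SID)


class LoopProtectMonitor:
    """Loop Protect event counting, locking and notification for one switch."""

    def __init__(self, threshold: int = 3, window: int = 180,
                 trap_enable: bool = False, disputed_threshold: int = 0) -> None:
        self.threshold = threshold                    # set spantree lpthreshold; 0 = never lock
        self.window = window                          # set spantree lpwindow; 0 = count until threshold
        self.trap_enable = trap_enable                # set spantree lptrapenable
        self.disputed_threshold = disputed_threshold  # set spantree disputedbpduthreshold; 0 = no traps
        self.events: Dict[Key, List[int]] = defaultdict(list)   # event timestamps per port/SID
        self.disputed: Dict[Key, int] = defaultdict(int)        # disputed BPDU totals per port/SID
        self.locked: Set[Key] = set()
        self.traps: List[str] = []                    # constructed stand-in for SNMP traps
        self.syslog: List[str] = []                   # constructed stand-in for syslog output

    def loop_protect_event(self, port: str, sid: int, now: int, reason: str) -> str:
        """A Loop Protect event: message age or Loop Protect timer expiry on port/SID."""
        key = (port, sid)
        self.syslog.append(f"notice: LoopProtect {reason} on {port} SID {sid}")
        if self.trap_enable:
            self.traps.append(f"lp-event {port} SID {sid} status listening")
        if key in self.locked:
            return "locked"                           # stays blocking until cleared
        if self.window > 0:                           # assumption: sliding window
            self.events[key] = [t for t in self.events[key] if now - t < self.window]
        self.events[key].append(now)
        if self.threshold > 0 and len(self.events[key]) >= self.threshold:
            self.locked.add(key)                      # forced into blocking and held there
            self.events[key] = []                     # counter reset once the threshold is reached
            return "locked"
        return "listening"                            # non-forwarding until a BPDU arrives

    def disputed_bpdu(self, port: str, sid: int) -> str:
        """A disputed BPDU always forces listening; every Nth one is reported."""
        key = (port, sid)
        self.disputed[key] += 1
        total = self.disputed[key]
        if self.disputed_threshold > 0 and total % self.disputed_threshold == 0:
            self.traps.append(f"disputed-bpdu {port} SID {sid} total {total}")
            self.syslog.append(f"notice: {total} disputed BPDUs received on {port} SID {sid}")
        return "listening"

    def clear_lock(self, port: str, sid: int) -> None:
        """clear spantree lplock: the only way out of a Loop Protect lock."""
        self.locked.discard((port, sid))


def scenario() -> dict:
    """Constructed walk-through with the default threshold (3) and window (180 s)."""
    lp = LoopProtectMonitor(threshold=3, window=180, trap_enable=True, disputed_threshold=10)
    r = {}
    r["e1"] = lp.loop_protect_event("ge.1.1", 0, now=0, reason="timer expired")
    r["e2"] = lp.loop_protect_event("ge.1.1", 0, now=100, reason="timer expired")
    # the t=0 event has aged out of the 180 s window, so this is only the second counted event
    r["e3"] = lp.loop_protect_event("ge.1.1", 0, now=250, reason="message age expired")
    # third event within 180 s of t=100: the port/SID locks
    r["e4"] = lp.loop_protect_event("ge.1.1", 0, now=260, reason="timer expired")
    lp.clear_lock("ge.1.1", 0)
    for _ in range(25):                               # traps at 10 and 20, none at 25
        lp.disputed_bpdu("ge.1.2", 0)
    r["disputed_traps"] = sum(1 for t in lp.traps if t.startswith("disputed-bpdu"))
    r["lp_traps"] = sum(1 for t in lp.traps if t.startswith("lp-event"))
    never = LoopProtectMonitor(threshold=0)           # threshold 0: ports are never locked
    r["never_locked"] = all(
        never.loop_protect_event("ge.1.3", 0, now=t, reason="timer expired") == "listening"
        for t in range(0, 50, 10))
    return r
```

With the default disputed BPDU threshold of 0 the `disputed_bpdu` path reports nothing, which matches the page's default; the walk-through sets it to 10 to show the every-Nth-BPDU reporting.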

Monitoring Loop Protect Status and Settings

Use the commands in Table 8 to monitor Loop Protect settings.

Table 8 Commands for Monitoring Loop Protect

show spantree lp [port port-string] [sid sid]
    Display the Loop Protect status per port, per SID, or both.

show spantree lplock [port port-string] [sid sid]
    Display the Loop Protect lock status per port, per SID, or both.
    Note: A port can become locked if a configured number of Loop Protect events occur during the configured window of time. Once a port is forced into blocking (locked), it remains locked until manually unlocked with the clear spantree lplock command.

show spantree lpcapablepartner [port port-string]
    Display the Loop Protect capability of a link partner for one or more ports.

show spantree nonforwardingreason [port port-string] [sid sid]
    Display the reason for placing a port in a nonforwarding state due to an exceptional condition.

Example

The following example shows a switching device with Loop Protect enabled on port lag.0.2, SID 56:

Enterasys->show spantree lp port lag.0.2 sid 56
LoopProtect is enabled on port lag.0.2, SID 56
Enterasys->show spantree lplock port lag.0.2 sid 56
LoopProtect Lock status for port lag.0.2, SID 56 is UNLOCKED
Enterasys->show spantree lpcapablepartner port lag.0.2
Link partner of port lag.0.2 is LoopProtect-capable.
Enterasys->show spantree nonforwardingreason port lag.0.2
Port lag.0.2 has been placed in listening or blocking state on SID 0 by the LoopProtect feature.

Terms and Definitions

Table 9 lists terms and definitions used in Spanning Tree configuration.

Table 9 Spanning Tree Terms and Definitions

Alternate port
    Acts as an MSTP alternate path to the root bridge than that provided by the root port.

Backup port
    Acts as an MSTP backup for the path provided by a designated port toward the leaves of the Spanning Tree. Backup ports can exist only where two ports are connected together in a loopback mode or bridge with two or more connections to a shared LAN segment.

BID
    Bridge identification, which is derived from the bridge's MAC address and bridge priority. The bridge with the lowest BID becomes the root bridge.

BPDU
    Bridge Protocol Data Unit messages. Used by STP to exchange information, including designating a bridge for each switched LAN segment, and one root bridge for the Spanning Tree.

Bridge
    Switching device.

Bridge priority
    Assigns the bridge's relative priority compared to other bridges.

CIST
    Common and Internal Spanning Tree created by MSTP to represent the connectivity of the entire network. This is equivalent to the single Spanning Tree used for STP and RSTP. Communications between MST regions occurs using the CIST.

Designated port
    A forwarding port within an active topology elected for every switched LAN segment.

Edge port
    Port on the edge of a bridged LAN.

FID
    Filter Identifier. Each VLAN is associated to a FID. VLANs are mapped to SIDs using their FID association.

Forward delay
    Time interval (in seconds) the bridge spends in listening or learning mode before it begins forwarding BPDUs.

Hello time
    Time interval (in seconds) at which the bridge sends BPDUs.

ISLs
    Inter-Switch Links.

Loop Protect
    Prevents or short circuits loop formation in a network with redundant paths by requiring ports to receive type 2 BPDUs (RSTP/MSTP) on point-to-point inter-switch links (ISLs) before their states are allowed to become forwarding.

Master port
    The MSTI port whose connecting CIST port is root port for an entire MST region.

Max age
    Maximum time (in seconds) the bridge can wait without receiving a configuration message (bridge hello) before attempting to reconfigure.

MST region
    An MSTP group of devices configured together to form a logical region. The MST region presents itself to the rest of the network as a single device, which simplifies administration.

MSTI
    Multiple Spanning Tree Instance. N-Series, S-Series, stackable, and standalone switch devices support up to 64 MSTIs.

Path cost
    Sum of the port costs in the best path to the root bridge.

Port cost
    Value assigned to a port based on the speed of the port. The faster the speed, the lower the cost. This helps to determine the quickest path between the root bridge and a specified destination. The segment attached to the root bridge normally has a path cost of zero.

Port priority
    Assigns a port's priority in relation to the other ports on the same bridge.

Root bridge
    Logical center of the Spanning Tree, used by STP to determine which paths to block and which to open.

Root port
    Port in an active topology through which the root bridge can be reached.

SID
    Spanning tree identifier. By default, SID 0 is assumed. VLANs are mapped to SIDs using their FID association.

SpanGuard
    Prevents Spanning Tree respans that can occur when BPDUs are received on user ports and notifies network management that they were attempted.

Revision History

Date          Description
01-16-2008    New document.
02-20-2008    Corrected product naming conventions.
07-28-2008    Modifications due to product branding changes.
01-20-2009    Corrected description of Spanning Tree instance capacities.
03-14-2011    Updated to include S-Series and K-Series devices.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

© 2011 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS NETSIGHT, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring Syslog

This document provides the following information about configuring and monitoring Syslog on Enterasys N-Series, S-Series, and K-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series, G-Series, and I-Series standalone fixed switches.

For information about...                    Refer to page...
What Is Syslog?                             1
Why Would I Use Syslog in My Network?       1
How Do I Implement Syslog?                  2
Syslog Overview                             2
Syslog Operation on Enterasys Devices       2
Syslog Components and Their Use             3
Interpreting Messages                       6
Configuring Syslog                          6

Note: For information about logging on the X-Series, refer to the X-Series Configuration Guide.

What Is Syslog?

Syslog, short for System Logging, is a standard for forwarding log messages in an IP network that is typically used for network system management and security auditing. The term often applies to both the actual Syslog protocol, as well as the application sending Syslog messages.

As defined in RFC 3164, the Syslog protocol is a client/server type protocol which enables a station or device to generate and send a small textual message (less than 1024 bytes) to a remote receiver called the Syslog server. Messages are transmitted using User Datagram Protocol (UDP) packets and are received on UDP port 514. These messages inform about simple changes in operational status or warn of more severe issues that may affect system operations.

Why Would I Use Syslog in My Network?

When managed properly, logs are the eyes and ears of your network. They capture events and show you when problems arise, giving you information you need to make critical decisions, whether you are building a policy rule set, fine tuning an Intrusion Detection System, or validating which ports should be open on a server. However, since it is practically impossible to wade through the volumes of log data produced by all your servers and network devices, Syslog's ability to place all events into a single format so they can be analyzed and correlated makes it a vital management tool. Because Syslog is supported by a wide variety of devices and receivers across multiple platforms, you can use it to integrate log data from many different types of systems into a central repository.

Efficient Syslog monitoring and analysis reduces system downtime, increases network performance, and helps tighten security policies. It can help you:
• Troubleshoot switches, firewalls and other devices during installation and problem situations.
• Perform intrusion detection.
• Track user activity.

March 15, 2011
Page 1 of 13

How Do I Implement Syslog?

By default, Syslog is operational on Enterasys switch devices at startup. All generated messages are eligible for logging to local destinations and to remote servers configured as Syslog servers. Using simple CLI commands, you can adjust device defaults to configure the following:
• Message sources: which system applications on which modules should log messages?
• Message destinations: will messages be sent to the local console, the local file system, or to remote Syslog servers? Which facility (functional process) will be allowed to send to each destination?

The following section provides an overview of Syslog features and functions supported on Enterasys devices and their default configurations. Later sections will provide instructions on changing default settings to suit your network logging needs.

Syslog Overview

Developers of various operating systems, processes, and applications determine the circumstances that will generate system messages and write those specifications into their programs. Messages can be generated to give status, either at a certain period of time, or at some other interval, such as the invocation or exit of a program. Messages can also be generated due to a set of conditions being met. Typically, developers quantify these messages into one of several broad categories, generally consisting of the facility that generated them, along with an indication of the severity of the message. This allows system administrators to selectively filter the messages and be presented with the more important and time sensitive notifications quickly, while also having the ability to place status or informative messages in a file for later review.

Switches must be configured with rules for displaying and/or forwarding event messages generated by their applications. In addition, Syslog servers need to be configured with appropriate rules to collect messages so they can be stored for future reference. This document will describe how to complete these key configuration steps on N-Series, S-Series, stackable, and standalone switch platforms.

Syslog Operation on Enterasys Devices

Note: This guide describes features supported on the N-Series, S-Series, K-Series, stackable, and standalone switch platforms. For information on X-Series support, refer to the X-Series Configuration Guide.

The Syslog implementation on Enterasys devices uses a series of system logging messages to track device activity and status. These messages inform users about simple changes in operational status or warn of more severe issues that may affect system operations. Logging can be configured to display messages at a variety of different severity levels about application related error conditions occurring on the device.

You can decide to have all messages stored locally, as well as to have all messages of a high severity forwarded to another device. You can also have messages from a particular facility sent to some or all of the users of the device, and displayed on the system console. For example, you may want all messages that are generated by the mail facility to be forwarded to one particular Syslog server. However you decide to configure the disposition of the event messages, the process of having them sent to a Syslog collector generally consists of:
• Determining which messages at which severity levels will be forwarded.
• Defining one or more remote receivers (Syslog servers/console displays).

Filtering by Severity and Facility

Syslog daemons determine message priority by filtering them based on a combined facility and severity code. Severity indicates the seriousness of the error condition generating the Syslog message. This is a value from 1 to 8, with 1 indicating highest severity. Facility categorizes which functional process is generating an error message. The Enterasys implementation uses the eight facility designations reserved for local use: local0 through local7, defined in RFC 3164. You can modify these default facility and severity values to control message receipt and aid in message sorting on target servers.

For example, you can configure all router messages to go to Server 1 using facility local1, while all SNMP messages go to Server 1 using facility local2.

The following sections provide greater detail on modifying key Syslog components to suit your enterprise.

Syslog Components and Their Use

Table 1 describes the Enterasys implementation of key Syslog components.

Table 1 Syslog Terms and Definitions

Term: Facility
Definition: Categorizes which functional process is generating an error message. Syslog combines this value and the severity value to determine message priority.
Enterasys Usage: Enterasys uses the eight facility designations reserved for local use: local0 through local7. Default is local4, which allows the message severity portion of the priority code to be visible in clear text, making message interpretation easiest. For more information about facility designations, refer to RFC 3164.

Term: Severity
Definition: Indicates the severity of the error condition generating the Syslog message. The lower the number value, the higher will be the severity of the condition generating the message.
Enterasys Usage: Enterasys devices provide the following eight levels:
    1 - emergencies (system is unusable)
    2 - alerts (immediate action required)
    3 - critical conditions
    4 - error conditions
    5 - warning conditions
    6 - notifications (significant conditions)
    7 - informational messages
    8 - debugging messages
The default Syslog configuration allows applications (log message sources) to forward messages at a severity level of 6, and destinations (console, file system, or remote Syslog servers) to log messages at a severity level of 8.
Note: Numerical values used in Enterasys syslog CLI and the feature's configuration MIB range from 1-8. These map to the RFC 3164 levels of 0-7 respectively. Syslog messages generated report the RFC 3164 specified level values.

Term: Application
Definition: Client software applications running on devices that can generate Syslog messages.
Enterasys Usage: Enterasys supported applications and their associated CLI mnemonic values include:
    CLI - Command Line Interface
    SNMP - Simple Network Management Protocol
    Webview - Enterasys Web-based system management
    System - System messages
    RtrFe - Router Forwarding Engine
    Trace - Trace logging
    RtrLSNat - Load Share Network Address Translation
    FlowLimt - Flow limiting
    UPN - User Personalized Networks
    AAA - Authentication, Authorization and Accounting
Use the show logging application all command to list supported applications and the corresponding CLI numeric or mnemonic values you can use to configure application logging on your devices.

Term: Syslog server
Definition: A remote server configured to collect and store Syslog messages.
Enterasys Usage: Enterasys devices allow up to 8 server IP addresses to be configured as destinations for Syslog messages. By default, Syslog server is globally enabled, with no IP addresses configured, at a severity level of 8.

Basic Syslog Scenario

Figure 1 shows a basic scenario of how Syslog components operate on an Enterasys switch. By default, all applications running on the Enterasys switch are allowed to forward Syslog messages generated at severity levels 6 through 1. In the configuration shown, these default settings have not been changed.

Figure 1 Basic Syslog Scenario

[Flow diagram. Syslog Applications Component: events cause Syslog messages, and each is checked against "Logging enabled for this priority?". Event A, loss of master module (application SYSTEM, severity 1, Emergency): YES, generate Syslog server list. Event B, admin user telnets into switch (application CLI, severity 6, Notification): YES, generate Syslog server list. Event C, RADIUS processing user access level (application AAA, severity 8, Debugging): NO. Syslog Server Component: loop through the Syslog server list; where the server priority threshold is met (YES), insert the Syslog facility value and send the Syslog message. Messages sent: "SYSTEM: Resetting DFE for loss of master module" and "CLI: User:admin logged in from 121.20.142.190(telnet)".]

Default application settings in the example in Figure 1 have not been modified. Therefore, an emergency message triggered by a system reset due to loss of the master module is forwarded to Syslog destinations. The CLI-related message notifying that a user has logged in remotely is also forwarded. Configured Syslog server(s) will receive all forwarded messages since their default severity threshold is at 8 (accepting messages at all severity levels).

Any messages generated by applications at severity levels 7 and 8 are not forwarded in this example. For instance, forwarding does not occur for an AAA authentication-related debugging message with information about RADIUS access level processing for a particular user. If at some point in time it becomes necessary, for example, to log all AAA authentication-related message activity and to save it to a file so authentication details can be tracked, the administrator can allow that specific application to forward debugging messages to a Syslog server, as well as to the console and persistent file storage.

For more information on how to configure these basic settings, refer to Syslog Command Precedence on page 7, and the Configuration Examples on page 11.


Interpreting Messages

Every system message generated by the Enterasys switch platforms follows the same basic format:

<facility/severity> time stamp address application [slot] message text

Example

This example shows Syslog informational messages, displayed with the show logging buffer command. It indicates that messages were generated by facility code 16 (local4) at severity level 5 from the CLI application on IP address 10.42.71.13.

Switch1(rw)->show logging buffer
<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:43:24 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.100 (telnet)

Table 2 describes the components of these messages.

Table 2 Syslog Message Components

Facility/Severity
    Combined code indicating the facility generating the message and the severity level used to determine message priority. Facility codes 16 through 23 are Syslog designations for local0 through local7, the Enterasys supported designations for local use. For a complete list of facility codes, refer to RFC 3164.
    Example code: <165> = Numerical code indicating a message from facility local4 at severity 5.

Time stamp
    Month, date, and time the Syslog message appeared.
    Example code: Sep 4 07:43:09

Address
    IP address of the client originating the Syslog message.
    Example code: 10.42.71.13

Application
    Client process generating the Syslog message.
    Example code: CLI

Slot/Module
    Slot location of the device module generating the Syslog message.
    Example code: (5) = Slot 5 in the chassis.

Message text
    Brief description of error condition.
    Example code: User: debug failed login from 10.4.1.100 (telnet)
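The two filters of the Basic Syslog Scenario (the application's severity threshold, then each server's threshold and facility) and the message format and priority code of Table 2 fit together in one short piece of code. The following is an added Python example, not Enterasys code and not from this guide: `forward_event` decides per server whether an event reaches it and builds the wire message, and `parse_message` splits a received line back into the Table 2 components and decodes the `<PRI>` value. Facility numbers follow RFC 3164 (local0 is 16, so local4 is 20, which is what `<165>` decodes to); the Enterasys 1-8 severities are converted to RFC levels 0-7 as the Table 1 note states. The server addresses, timestamps and event texts are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 3164 numbers the local-use facilities local0..local7 as 16..23.
FACILITY_CODE = {f"local{n}": 16 + n for n in range(8)}
CODE_FACILITY = {code: name for name, code in FACILITY_CODE.items()}

# Enterasys CLI severity 1..8 (index 0..7 here) corresponds to RFC 3164 level 0..7.
LEVEL_NAMES = ["emergencies", "alerts", "critical", "error",
               "warning", "notifications", "informational", "debugging"]

DEFAULT_APP_LEVEL = 6      # applications forward severities 6 through 1 by default
DEFAULT_SERVER_LEVEL = 8   # servers accept every level by default


@dataclass
class SyslogServer:
    address: str
    facility: str = "local4"             # default facility
    severity: int = DEFAULT_SERVER_LEVEL  # set logging server ... severity


def encode_pri(facility: str, enterasys_level: int) -> int:
    """PRI = facility code * 8 + RFC level; Enterasys level N is RFC level N-1."""
    if not 1 <= enterasys_level <= 8:
        raise ValueError("Enterasys severity levels run from 1 to 8")
    return FACILITY_CODE[facility] * 8 + (enterasys_level - 1)


def forward_event(app: str, level: int, text: str, servers: List[SyslogServer],
                  timestamp: str, source: str, slot: Optional[int] = None,
                  app_level: int = DEFAULT_APP_LEVEL) -> Dict[str, Optional[str]]:
    """Apply the application threshold, then each server's threshold.

    Returns the message each server would receive, or None where it is filtered.
    """
    out: Dict[str, Optional[str]] = {}
    head = f"{app}[{slot}]" if slot is not None else f"{app} "
    for srv in servers:
        if level > app_level or level > srv.severity:
            out[srv.address] = None
        else:
            pri = encode_pri(srv.facility, level)   # the facility value is inserted per server
            out[srv.address] = f"<{pri}>{timestamp} {source} {head}{text}"
    return out


MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # <facility/severity>
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "   # time stamp
    r"(?P<addr>\S+) "                                       # address
    r"(?P<app>[A-Za-z]+)"                                   # application
    r"(?:\[(?P<slot>\d+)\])?"                               # optional [slot]
    r"\s*(?P<text>.*)$"                                     # message text
)


def parse_message(line: str) -> Dict[str, object]:
    """Split a device message into the Table 2 components and decode its PRI."""
    m = MSG_RE.match(line)
    if not m:
        raise ValueError(f"not an Enterasys syslog line: {line!r}")
    facility_code, rfc_level = divmod(int(m["pri"]), 8)
    return {
        "facility": CODE_FACILITY.get(facility_code, f"facility{facility_code}"),
        "severity_rfc": rfc_level,               # the value the message carries
        "severity_enterasys": rfc_level + 1,     # the value the CLI and MIB use
        "severity_name": LEVEL_NAMES[rfc_level],
        "timestamp": m["ts"],
        "address": m["addr"],
        "application": m["app"],
        "slot": int(m["slot"]) if m["slot"] else None,
        "text": m["text"],
    }


if __name__ == "__main__":
    # Constructed servers: one at the default settings, one like the show logging server
    # example on page 8 (facility local1, severity warning(5)).
    servers = [SyslogServer("132.140.82.111", "local1", 5), SyslogServer("10.0.0.9")]
    for app, level, text, slot in [("SYSTEM", 1, "Resetting DFE for loss of master module", None),
                                   ("CLI", 6, "User:rw logged in from 10.2.1.122 (telnet)", 5),
                                   ("AAA", 8, "RADIUS processing user access level", None)]:
        for addr, msg in forward_event(app, level, text, servers, "Sep 4 07:43:09",
                                       "10.42.71.13", slot).items():
            print(addr, "<-", msg if msg else "(filtered)")
    print(parse_message("<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)"))
```

Run as a script, the severity-5 server receives only the SYSTEM emergency, the default server receives the SYSTEM and CLI messages (the CLI line is the `<165>` message from the page), and the AAA debugging event is dropped by the application threshold before any server is consulted.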

Configuring Syslog

Use the procedures in this section to perform the following logging configuration tasks:
• Syslog Command Precedence (page 7)
• Configuring Syslog Server(s) (page 7)
• Modifying Syslog Server Defaults (page 8)
• Reviewing and Configuring Logging for Applications (page 9)
• Enabling Console Logging and File Storage (page 10)
• Configuration Examples (page 11)


Syslog Command Precedence

Table 3 lists basic Syslog commands and their order of precedence on Enterasys switches.

Table 3 Syslog Command Precedence

Syslog Component: Logging defaults
Command: set logging default {[facility facility] [severity severity] [port port]}
Function: Sets default parameters for facility code, severity level and/or UDP port for all Syslog servers and local destinations. Settings will be applied when Syslog servers are configured without specifying values with the set logging server command. This command overrides factory defaults.

Syslog Component: Server settings
Command: set logging server index ip-addr ipaddr [facility facility] [severity severity] [descr descr] [port port] state enable | disable
Function: During or after new server setup, specifies a server index, IP address, and operational state for a Syslog server. Optionally, this command specifies a facility code, severity level at which messages will be accepted, text string description, and/or UDP port for the specified server. This command overrides system defaults for the specified server. If not specified with this or the set logging default command, optional server parameters will be set to the system defaults listed in Table 4 on page 8.

Syslog Component: Application settings
Command: set logging application {[mnemonic|all]} [level level] [servers servers]
Function: Sets the severity level at which one or all applications will send messages to Syslog servers. If not specified, settings will apply to all configured servers and severity level will not be changed from system defaults.

About Server and Application Severity Levels


By default, client applications will forward Syslog messages at severity levels 6 through 1, and servers will log messages at all severity levels (8 through 1). You can use the procedures described in this chapter to change these parameters, fine-tuning the scope of message logging and modifying the Syslog behavior between one or more client applications and one or more servers.
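To make the message layout and the severity threshold concrete, here is an added Python example (not code from the Enterasys guide) that decodes the PRI field of the sample message shown in the component table, splits out the time stamp, address, application, slot and text, and applies the "levels N through 1" rule to decide which messages a server configured at a given severity would log. The mapping of the PRI severity onto the guide's 1-8 numbering and the second sample line are assumptions of the example.

```python
"""Decode Syslog lines in the layout this guide describes (PRI, time stamp,
address, application, slot/module, message text) and apply its severity
threshold rule.  Constructed example, not code from the Enterasys guide."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3164 facility names indexed by facility code; 16-23 are local0-local7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# Legend from the show logging application display: 1 = emergencies ... 8 = debugging.
# Treating it as the RFC 3164 severity (0-7) plus one is an assumption of this
# example; the guide itself quotes the PRI severity (5 for <165>) directly.
ENTERASYS_LEVELS = {
    1: "emergencies", 2: "alerts", 3: "critical", 4: "errors",
    5: "warnings", 6: "notifications", 7: "information", 8: "debugging",
}

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"   # Sep  4 07:43:09
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"                  # originating client
    r"(?P<app>\S+)\s+"                                       # application, e.g. CLI
    r"\((?P<slot>\d+)\)\s+"                                  # (5) = slot 5
    r"(?P<text>.*)$"
)
FAILED_LOGIN_RE = re.compile(r"User: (\S+) failed login from (\S+) \((\w+)\)")


@dataclass
class SyslogMessage:
    facility_code: int
    facility: str
    severity: int        # 0-7 as carried in the PRI field
    level: int           # 1-8 in the guide's numbering (assumption: severity + 1)
    timestamp: str
    address: str
    application: str
    slot: int
    text: str


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split an RFC 3164 PRI value into (facility code, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_line(line: str) -> SyslogMessage:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised Syslog line: {line!r}")
    facility_code, severity = decode_pri(int(m["pri"]))
    return SyslogMessage(facility_code, FACILITIES[facility_code], severity, severity + 1,
                         m["ts"], m["addr"], m["app"], int(m["slot"]), m["text"])


def accepted(level: int, threshold: int) -> bool:
    """Threshold rule from the guide: a server or application set to severity N
    handles levels N through 1 (a lower number is more severe)."""
    return 1 <= level <= threshold


def login_failure(text: str) -> Optional[Tuple[str, str, str]]:
    """(user, source address, access method) for a failed-login message, else None."""
    m = FAILED_LOGIN_RE.search(text)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def failed_logins(lines: List[str], threshold: int = 8) -> List[Tuple[str, str, str]]:
    """Failed logins among the messages a server configured at `threshold` would log."""
    hits = []
    for line in lines:
        msg = parse_line(line)
        if accepted(msg.level, threshold):
            hit = login_failure(msg.text)
            if hit:
                hits.append(hit)
    return hits


# First line is the sample message from the guide's component table; the second
# is constructed for this example.
SAMPLE_LINES = [
    "<165>Sep  4 07:43:09 10.42.71.13 CLI (5) User: debug failed login from 10.4.1.100 (telnet)",
    "<166>Sep  4 07:45:12 10.42.71.13 CLI (5) User: admin logged in from 10.4.1.50 (ssh)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_line(line)
        print(f"{msg.facility} {ENTERASYS_LEVELS[msg.level]}({msg.level}) slot {msg.slot}: {msg.text}")
    print("failed logins at default server severity 8:", failed_logins(SAMPLE_LINES))
```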

Configuring Syslog Server(s)


Use the following commands to configure one or more servers as destinations for Syslog messages and verify the configuration:

1. Add a Syslog server to the device's server list:

   set logging server index ip-addr ip-addr state enable

   Index is a value from 1 to 8 that specifies the server table index number for this server.

2. (Optional) Verify the server configuration:

   show logging server [index]

   If index is not specified, information for all configured Syslog servers will be displayed.


Example

This sample output from the show logging server command shows that two servers have been added to the device's Syslog server list. These servers are using the default UDP port 514 to receive messages from clients and are configured to log messages from the local1 and local2 facilities, respectively. Logging severity on both servers is set at 5 (accepting messages at severity levels 5 through 1). Using the commands described in the next section, these settings can be changed on a per-server basis, or for all servers.

Switch1(rw)->show logging server
     IP Address        Facility    Severity      Description    Port    Status
     ------------------------------------------------------------------------
1    132.140.82.111    local1      warning(5)    default        514     enabled
2    132.140.90.84     local2      warning(5)    default        514     enabled

Modifying Syslog Server Defaults


Unless otherwise specified, the switch will use the default server settings listed in Table 4 for its configured Syslog servers:

Table 4    Syslog Server Default Settings

Parameter    Default Setting
facility     local4
severity     8 (accepting all levels)
descr        no description applied
port         UDP port 514

Use the following commands to change these settings either during or after enabling a new server.

Displaying System Logging Defaults


To display system logging defaults, or all logging information, including defaults:
show logging {default|all}

Modifying Default Settings


You can change factory default logging settings using one of the following methods.

To specify logging parameters during or after new server setup:

set logging server index ip-addr ip-addr [facility facility] [severity severity] [descr descr] [port port] state enable

If not specified, optional server parameters will be set to the system defaults listed in Table 4. Refer back to Filtering by Severity and Facility and to Table 1 for more information on how these parameters operate.

To change default parameters for all servers:

set logging default {[facility facility] [severity severity] [port port]}


Examples
This example shows how to configure the switch to forward messages from facility category local6 at severity levels 3, 2, and 1 to Syslog server 1 at IP address 134.141.89.113:

Switch1(rw)->set logging server 1 ip-addr 134.141.89.113 facility local6 severity 3

This example shows how to change Syslog defaults so that messages from the local2 facility category at a severity level of 4 will be forwarded to all servers. These settings will apply to all newly configured servers, unless explicitly configured with the set logging server command:

Switch1(rw)->set logging default facility local2 severity 4

Reviewing and Configuring Logging for Applications


By default, all applications running on Enterasys switch devices are allowed to forward messages at severity levels 6 through 1 to all configured destinations (Syslog servers, the console, or the file system).

Displaying Current Application Severity Levels


To display logging severity levels for one or all applications currently running on your device:
show logging application {mnemonic|all}

Example
This example shows output from the show logging application all command. A numeric and mnemonic value for each application is listed with the severity level at which logging has been configured and the server(s) to which messages will be sent. In this case, logging for applications has not been changed from the default severity level of 6. This means that notifications and messages with severity values 6 through 1 will be sent to configured servers.

Switch1(rw)->show logging application all
Application              Current Severity Level    Server List
----------------------------------------------------------
88    RtrAcl             6                         1-8
89    CLI                6                         1-8
90    SNMP               6                         1-8
91    Webview            6                         1-8
93    System             6                         1-8
95    RtrFe              6                         1-8
96    Trace              6                         1-8
105   RtrLSNat           6                         1-8
111   FlowLimt           6                         1-8
112   UPN                6                         1-8
117   AAA                6                         1-8
118   Router             6                         1-8
140   AddrNtfy           6                         1-8
141   OSPF               6                         1-8
142   VRRP               6                         1-8
145   RtrArpProc         6                         1-8
147   LACP               6                         1-8
148   RtrNat             6                         1-8
151   RtrTwcb            6                         1-8
158   HostDoS            6                         1-8

1(emergencies)  2(alerts)  3(critical)  4(errors)  5(warnings)  6(notifications)  7(information)  8(debugging)

Note: Mnemonic values are case sensitive and must be typed as they are listed in the show logging application command display for your device. Refer to Table 1 for sample CLI mnemonic values. Depending on your platform, you may see different applications listed from those shown in the example above.

Modifying Severity Levels and Assigning Syslog Servers for Applications


Applications running on Enterasys devices will use the default Syslog settings unless otherwise configured by the set logging server or set logging default commands as previously described. To modify the severity level at which log messages will be forwarded and the server(s) to which they will be sent for one or all applications:
set logging application {[mnemonic|all]} [level level] [servers servers]

Example
This example shows how to set the severity level for SSH (Secure Shell) to 5 so that warning conditions and messages of greater severity (levels 5 to 1) generated by that application will be sent to Syslog server 1.
Switch1(rw)->set logging application SSH level 5 server 1

Enabling Console Logging and File Storage


Stackable and standalone switch devices allow you to display logging messages to the console and save to a persistent file. In addition, N-Series, S-Series, and K-Series devices also provide the option of allowing you to display messages to the current console CLI session only (set logging here).

Console logging allows you to view only as many messages as will fit on the screen. As new messages appear, old messages simply scroll off the console. While this is a temporary means of logging information, it allows you to track very specific activities quickly and easily. Console log messages can also be saved to a persistent file. On the N-Series, S-Series, and K-Series, console log messages can be saved to a persistent file at two locations:
- slotX/logs/current.log - Location of current system log messages (up to 256k), where X specifies the slot location of the device.
- slotX/logs/old.log - Location of previous system log messages, where X specifies the slot location of the device. Current messages will be moved to the old.log when the current.log file exceeds 256k.

Use the following commands to review and configure console logging and file storage.

Displaying to the Console and Saving to a File


To display log messages to the console and save to a persistent file:

set logging local console enable file enable

Note: The set logging local command requires that you specify both console and file settings. For example, set logging local console enable would not execute without also specifying file enable or disable.


Displaying to the Current CLI Session


Note: This function is not supported on stackable or standalone fixed switches.

To display logging to the current CLI console session on an N-Series, S-Series, or K-Series device:

set logging here enable

This adds the current CLI session to the list of Syslog destinations, and will be temporary if the current CLI session is using Telnet or SSH.

Displaying a Log File


To display the contents of the persistent log file on N-Series, S-Series, and K-Series devices:

show file slotX/logs/current.log|old.log

where X specifies the slot location of the device.

Notes: These log files may also be copied to another device using FTP or TFTP. You cannot display the contents of the persistent log file on stackable or standalone switches. Use the show logging buffer command to show the most recent entries.

Configuration Examples

Enabling a Server and Console Logging

Procedure 1 shows how you would complete a basic Syslog configuration. In this example, the default application severity level has not been modified, allowing all applications to forward messages to configured destinations. One Syslog server is configured on IP address 10.1.1.2, logging all messages. Console logging is enabled, but persistent file storage is not.

Procedure 1    Configuring a Server and Console Logging

Step 1. Configure Syslog server 1 and accept default settings (listed in Table 4 on page 8).
        Command: set logging server 1 ip-addr 10.1.1.2 state enable

Step 2. (Optional) Verify that application logging settings are at default values for the enabled server.
        Command: show logging application all

Step 3. Enable console logging and disable file storage.
        Command: set logging local console enable file disable

Note: The set logging local command requires that you specify both console and file settings. For example, set logging local console enable would not execute without also specifying file enable or disable.

Adjusting Settings to Allow for Logging at the Debug Level

Procedure 2 shows how you would adjust the previous Syslog configuration so that all AAA-related authentication messages (level 8) could be forwarded to Server 2 at IP address 10.1.1.3, displayed on the console and saved to persistent file storage. This would enable all Syslog messaging capabilities for this particular application. Since the severity for this new server has not changed from the default of level 8, there is no need to adjust this setting.

Procedure 2    Adjusting Settings for an Application

Step 1. Configure Syslog server 2 and accept default settings (listed in Table 4 on page 8).
        Command: set logging server 2 ip-addr 10.1.1.3 state enable

Step 2. Set the severity level for the AAA application to level 8.
        Command: set logging application AAA level 8 servers 2

Step 3. Enable console logging and file storage.
        Command: set logging local console enable file enable


Revision History

Date          Description
04-04-2008    New document
07-28-2008    Modifications due to product rebranding changes.
11-14-2008    Text corrections.
03-15-2011    Added S-Series and K-Series.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

2011 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS NETSIGHT, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring TACACS+

This document provides information about configuring and monitoring TACACS+ (Terminal Access Controller Access Control System Plus) on Enterasys devices.

Notes: TACACS+ is supported on most Enterasys devices, with the exception of some Enterasys fixed switches. Refer to your Enterasys device's Release Notes to determine if your device supports TACACS+. For information on Enterasys Matrix X-Series TACACS+ support, refer to the Enterasys Matrix X Secure Core Router Configuration Guide.

For information about...                      Refer to page...
What is TACACS+?                              1
Why Would I Use TACACS+ in My Network?        1
How Do I Implement TACACS+?                   2
Understanding TACACS+                         2
Configuring TACACS+                           3

What is TACACS+?
TACACS+, a security protocol developed by Cisco Systems, can be used as an alternative to the standard RADIUS security protocol (RFC 2865). TACACS+ runs over TCP and encrypts the body of each packet.

Based on the now-obsolete TACACS protocol (defined in RFC 1492), TACACS+ is defined in an unpublished and expired Internet Draft, draft-grant-tacacs-02.txt, "The TACACS+ Protocol Version 1.78", January, 1997.

Why Would I Use TACACS+ in My Network?


TACACS+ provides the following services:
- User authentication
- User authorization
- Accounting (user activity)

December 2, 2010

Page 1 of 7


How Do I Implement TACACS+?


You can configure the TACACS+ client on your Enterasys device in conjunction with one or more (up to eight) TACACS+ access servers to provide authentication, authorization, or accounting services on your network. Each of the TACACS+ services can be implemented on separate servers. You can also configure TACACS+ to use a single TCP connection for all TACACS+ client requests to a given TACACS+ server.

For more information about the basic TACACS+ configuration, see Basic TACACS+ Configuration on page 4.

Understanding TACACS+
TACACS+ client functionality falls into four basic capabilities:
- Authentication and session authorization
- Command authorization
- Session accounting
- Command accounting

Session Authorization and Accounting


The TACACS+ client is disabled by default. When the TACACS+ client is enabled on an Enterasys device and a session is initiated, the configured session authorization parameters are sent by the client to the TACACS+ server. The parameter values must match a service and access level attribute-value pair configured on the server for the session to be authorized. If the parameter values do not match, the session is not allowed.

The service name and attribute-value pairs can be any character string, and are determined by your TACACS+ server configuration.

When session accounting is enabled, the TACACS+ server logs accounting information, such as start and stop times, IP address of the remote user, and so forth, for each authorized client session.

Command Authorization and Accounting


TACACS+ command authorization and accounting can occur only during a TACACS+ authorized session.

When command authorization is enabled, the TACACS+ server checks whether each command is permitted for that authorized session and returns a success or failure for each one. If the authorization fails, the command is not executed.

When command accounting is enabled, the TACACS+ server logs accounting information, such as the command string and IP address of the remote user, for each command executed during the session.


Configuring TACACS+
Default Settings
Table 1 lists the TACACS+ parameters (as displayed through the show tacacs command) and their default values.

Table 1    TACACS+ Parameters

Parameter: TACACS+ state
  Description: Whether the TACACS+ client is enabled or disabled.
  Default Value: Disabled

Parameter: TACACS+ service
  Description: The name of the service that is requested by the TACACS+ client for session authorization.
  Default Value: exec

Parameter: TACACS+ session authorization A-V pairs
  Description: The attribute-value pairs that are mapped to the read-only, read-write, and super-user access privilege levels for the service requested for session authorization.
  Default Value: read-only: priv-lvl, 0; read-write: priv-lvl, 1; super-user: priv-lvl, 15

Parameter: TACACS+ session accounting state
  Description: The TACACS+ client sends session accounting information, such as start and stop times, to a TACACS+ server for logging.
  Default Value: Disabled

Parameter: TACACS+ command authorization state
  Description: The TACACS+ client checks with a TACACS+ server whether each command is permitted for that authorized session.
  Default Value: Disabled

Parameter: TACACS+ command accounting state
  Description: The TACACS+ client sends command accounting information, such as the command string and IP address of the remote user, to a TACACS+ server for logging.
  Default Value: Disabled

Parameter: TACACS+ singleconnect state
  Description: The TACACS+ client sends multiple requests to a TACACS+ server over a single TCP connection.
  Default Value: Disabled

Parameter: TACACS+ Server Timeout
  Description: The period of time (in seconds) the device waits for a response from the TACACS+ server before it times out and declares an error.
  Default Value: 10 seconds


Basic TACACS+ Configuration


Procedure 1 describes the basic steps to configure TACACS+ on Enterasys devices. It assumes that you have gathered the necessary TACACS+ server information, such as the server's IP address, the TCP port to use, shared secret, the authorization service name, and access level attribute-value pairs.
Note: You must be logged in to the Enterasys device with read-write access rights to use the commands shown in this procedure.

Procedure 1    TACACS+ Configuration

Step 1. Enable the TACACS+ client. To disable the TACACS+ client, use the set tacacs disable command.
        Command: set tacacs enable

Step 2. Configure the TACACS+ servers, up to a maximum of eight, to be used by the TACACS+ client. Define the IP address, TCP port, and secret for each server. Optionally, change the timeout for each server from the default, 10 seconds. Possible timeout values are 1-30 seconds. To remove one or all configured TACACS+ servers, or return the timeout value to its default value for one or all configured TACACS+ servers, use the clear tacacs server {all | index} [timeout] command.
        Command: set tacacs server {index [ip-address port secret] | all timeout seconds}

Step 3. Optionally, enable session accounting. To disable TACACS+ session accounting, use the set tacacs session accounting disable command.
        Command: set tacacs session accounting enable

Step 4. Optionally, configure the TACACS+ session authorization service or access level. The default service name is exec. Refer to Table 1 on page 3 for the default values of the access level attribute-value pairs. To return the TACACS+ session authorization settings to their default values, use the clear tacacs session authorization {[service] [read-only] [read-write] [super-user]} command.
        Command: set tacacs session authorization {service name | read-only attribute value | read-write attribute value | super-user attribute value}

Step 5. Optionally, enable per-command accounting. To disable TACACS+ accounting on a per-command basis, use the set tacacs command accounting disable command.
        Command: set tacacs command accounting enable

Step 6. Optionally, enable per-command authorization. To disable TACACS+ authorization on a per-command basis, use the set tacacs command authorization disable command.
        Command: set tacacs command authorization enable

Step 7. Optionally, enable the TACACS+ client to send multiple requests to the server over a single TCP connection. To disable the use of a single TCP connection, use the set tacacs singleconnect disable command.
        Command: set tacacs singleconnect enable

Step 8. If not already configured, set the primary login authentication method to TACACS+.
        Command: set authentication login tacacs

Refer to the device's CLI Reference or Configuration Guide, as appropriate, for more information about each command.

Example TACACS+ Configuration


In the following configuration example on an S-Series device, the TACACS+ server is defined as having the IP address 192.168.10.10. The TCP port is set to 49, which is the standard TACACS+ TCP port. The authorization service is set to basic and the read-write access privilege is set to 5. Session and command accounting are enabled, as is command authorization. A single TCP connection will be used for all TACACS+ communication with 192.168.10.10. Finally, the primary login authentication method is set to TACACS+.

S Chassis(rw)->set tacacs enable
S Chassis(rw)->set tacacs server 1 192.168.10.10 49 mysecret
S Chassis(rw)->set tacacs session accounting enable
S Chassis(rw)->set tacacs session authorization service basic
S Chassis(rw)->set tacacs session authorization read-write priv-lvl 5
S Chassis(rw)->set tacacs command accounting enable
S Chassis(rw)->set tacacs command authorization enable
S Chassis(rw)->set tacacs singleconnect enable
S Chassis(rw)->set authentication login tacacs


TACACS+ Display Commands


Table 2 lists TACACS+ show commands.

Table 2    TACACS+ Show Commands

Command: show tacacs [state]
  Task: Displays all current TACACS+ configuration information and status.

Command: show tacacs server {index | all}
  Task: Displays only the current configuration for one or all TACACS+ servers.

Command: show tacacs session {authorization | accounting} [state]
  Task: Displays only the current TACACS+ session settings. The [state] option is valid only for S-Series and Matrix N-Series devices.

Command: show tacacs command {accounting | authorization} [state]
  Task: Displays only the current status for TACACS+ per-command authorization and accounting. The [state] option is valid only for S-Series and Matrix N-Series devices.

Command: show tacacs singleconnect [state]
  Task: Displays only the current singleconnect status. The [state] option is valid only for S-Series and Matrix N-Series devices.

Refer to the device's CLI Reference or Configuration Guide, as appropriate, for more information about each command.


Revision History

Date        Description
11-06-08    New document
12-02-10    Revised to include additional Enterasys devices

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

2010 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, ENTERASYS NETSIGHT, SECURESTACK, ENTERASYS SECURESTACK, LANVIEW, WEBVIEW, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.


Configuring Transparent Web Cache Balancing (TWCB)


This document provides the following information about configuring Transparent Web Cache Balancing on the Enterasys Matrix N-Series platform.

For information about...                                    Refer to page...
What is User Transparent Web Cache Balancing (TWCB)?        1
Why Would I Use TWCB in My Network?                         1
How Can I Implement TWCB?                                   2
TWCB Overview                                               2
Configuring TWCB                                            7
TWCB Configuration Example                                  10

What is User Transparent Web Cache Balancing (TWCB)?


Transparent Web Cache Balancing (TWCB) provides for the storing of frequently accessed web objects on a cache of local servers. Each HTTP request is transparently redirected by the N-Series router to a configured cache server. When a user first accesses a web object, that object is stored on a cache server. Each subsequent request for the object uses this cached object, avoiding the need to access the host web site.

Why Would I Use TWCB in My Network?


For most networks, web services are the primary consumer of network bandwidth. Web caching reduces network traffic and aids in optimizing bandwidth usage by localizing web traffic patterns, allowing content requests to be fulfilled locally. Web caching allows end users to access web objects stored on local cache servers with a much faster response time than accessing the same objects over an internet connection or through a default gateway. This can also result in substantial cost savings by reducing the internet bandwidth usage.

TWCB adds three important elements to standard web caching: transparency, load balancing, and scalability:
- In standard web caching, network users must set their browsers to cache web traffic. Because web caching is highly sensitive to user preference, users sometimes balk at this requirement, and the inability to control user behavior can be a problem for the network administrator. TWCB is said to be transparent to the user because web traffic is automatically rerouted, and the ability to configure caching is removed from the user and resides instead in the hands of the network administrator. With TWCB the user cannot bypass web caching once set up by the network administrator. On the other hand, the network administrator can add users for whom web caching is not desired to a host redirection list, denying these users access to TWCB functionality.
- In standard web caching, a user cache is configured and assigned to a single cache server. TWCB provides for load balancing across all cache servers of a given server farm that can be configured for heavy web users using a predictor round-robin algorithm.
- Scalability is provided by the ability to associate up to 128 cache servers with the web cache. This scalability is further refined by the ability to logically associate cache servers with up to 5 server farms.

How Can I Implement TWCB?


Implementing TWCB requires a routed network with IP interfaces that allow the N-Series router to send requests for the internet to the correct web caching device.

There are five aspects to TWCB configuration:
- Create the server farms that will cache the web objects and populate them with cache servers.
- Optionally associate heavy web users with a round-robin list which caches those users' web objects across all servers associated with the configured server farm.
- Optionally specify the hosts whose HTTP requests will or will not be redirected to the cache servers.
- Create a web cache that the server farms will be associated with.
- Apply the caching policy to an outbound interface, to redirect HTTP traffic on that interface to the cache servers.

TWCB Overview
Notes: TWCB is currently only supported for N-Series products. TWCB is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the configuration guide that comes with your Enterasys Matrix DFE or NSA product in order to enable the TWCB command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales. A minimum of 256 MB of memory is required on all modules in order to enable TWCB. See the SDRAM field of the show system hardware command to display the amount of memory installed on a module. Module memory can be upgraded to 256 MB using the DFE-256MB-UGK memory kit.

A TWCB configuration is made up of one or more cache servers that are logically grouped in a server farm and one or more server farms that are associated with a web cache. The current TWCB implementation supports a single web cache.

Figure 1 on page 3 provides an overview of a TWCB configuration. In our overview, Cache1 is the name of the web cache. It is made up of two server farms: s1Server and s2Server. The s1Server server farm is configured with 2 cache servers from the 186.89.0.0 subnet. The s2Server server farm is configured with 5 cache servers from the 176.89.0.0 subnet. Web objects for each end user are cached on a cache server.

April 16, 2009

Page 2 of 14


Figure 1    TWCB Configuration Overview

[Figure: web cache Cache1 containing server farm s1Server (cache servers 186.89.10.51, 186.89.10.55) and server farm s2Server (cache servers 176.89.10.20, 176.89.10.32, 176.89.10.45, 176.89.10.50, 176.89.10.52). The router connects the users' subnet 10.10.10.0/24 to the global Internet and the web site host. Flows shown: initial web object request, initial web object response, and all subsequent requests for the same object.]

The N-Series router does not act as a cache for web objects; rather, it redirects HTTP requests to local servers on which web objects are cached. The cache servers should have a web-based proxy cache running. The Squid application is an example of a web-based proxy cache.

In our example, a user on the 10.10.10.0/24 subnet makes a web request from the web site host. The response, containing the web object, is sent to both the requesting user and a cache for that end user that resides on a cache server.

The router selects a cache server to cache the web objects for each end user. Once created, all web objects for that end user will be sent to that cache unless the end user is a member of a predictor round-robin list associated with a server farm. Web objects that belong to members of a predictor round-robin list are load balanced across all the cache servers configured for that server farm. End users with particularly heavy web usage should belong to a predictor round-robin list to avoid overwhelming the resources of a single cache server.

Once a web object resides in the cache, any future requests for that web object will be handled by the cache server until the cache entry expires. Cache entry expiration is configured in the web-based proxy cache application installed on the cache server.

There are five components in a TWCB configuration:
- The server farm
- The cache server
- The web cache
- The outbound interface
- The switch and router


The Server Farm


The server farm consists of a logical grouping of cache servers. Each server farm belongs to a web cache. TWCB supports the configuration of up to 5 server farms that can be associated with the web cache.

There are three aspects to configuring a server farm:
- Creating the server farm
- Associating one or more cache servers with the server farm
- Optionally configuring some users to be members of a round-robin list on that server farm.

You create a server farm by naming it. Upon naming a server farm, you are placed in web cache server farm configuration mode. Within this command mode you can associate up to 128 cache servers across all server farms. The cache server is the physical server on which the end user cache is created.

The default behavior is for the router to select a cache server on which a single cache per end user will reside. All web objects cached for that end user will use that single cache. This default behavior is sufficient for end users with moderate or light web usage. Should a single cache server be associated with one or more heavy web users, cache server resources can easily be overwhelmed. The predictor round-robin load balancing feature helps address this issue.

In Figure 2 we see how an end user, configured for standard caching, only accesses cached web objects from the cache server where its cache resides. In this case, the end user cache resides on the s1Server server farm 186.89.10.51 cache server. The s2Server server farm is configured with a predictor round-robin list. Each list member has its web objects cached across all the cache servers on the s2Server server farm.

Figure 2    Predictor Round-Robin Overview

[Figure: the Figure 1 topology (Cache1 with s1Server 186.89.10.51, 186.89.10.55 and s2Server 176.89.10.20, 176.89.10.32, 176.89.10.45, 176.89.10.50, 176.89.10.52). Standard caching behavior: an end user's requests go to the single s1Server cache server that holds its cache. Predictor round-robin list members: requests are spread across all s2Server cache servers. Flows shown: initial web object request, initial web object response, and all subsequent requests for the same object.]


The predictor round-robin feature allows for the creation of up to 10 user lists. Members of a predictor round-robin list no longer have a single cache on a single cache server. Instead, web objects for list members are cached across all cache servers associated with this server farm in a round-robin fashion. A server farm with a configured predictor round-robin will only cache members of predictor round-robin lists associated with that server farm. You must have at least two server farms if you have both users who belong to a predictor round-robin list and users who use the default caching behavior.

The Cache Server


The cache server is the physical server on which an end user cache resides. Each cache server belongs to a server farm. You can configure up to 128 cache servers per web cache. You create a cache server by entering its IP address within the web cache server farm configuration command mode. Once entered, you are placed in TWCB cache server configuration command mode.

Within TWCB cache server configuration command mode, you can select the type of fail detection that will be used by this cache server and set its parameters. Fail detection specifies the method that will be used by the router to determine whether the cache server is in an up or down state. Fail detection type can be set to ping, application, or both. The application method defaults to a check of service availability on port 80. A non-standard HTTP port can be configured. The application method will use this configuration when checking service availability. Both the interval between retries and the number of retries for each method are configurable.

You can configure the maximum number of connections (bindings) allowed for this cache server. Maximum connections default to 5000.
Note: The maximum number of bindings available should only be modified to assure availability to functionalities that share these resources such as TWCB, NAT and LSNAT. It is recommended that you consult with Enterasys customer support before modifying this value. See The TWCB Binding on page 6 for a discussion on the TWCB binding.

Onceacacheserverisconfigured,youmustplaceitinserviceforthecacheservertobeactiveon theserverfarm.
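The fail detection behavior described above (ping, application, or both, each with its own interval and retry count), worked through as an added Python model. This is not Enterasys code and does not claim to be the switch's implementation; probe functions are injected so the state machine can be run offline against constructed results, and tcp_probe() only illustrates what the application method amounts to (a connection attempt to the cache server's HTTP port). The interval defaults follow Table 1 on this page; the retry defaults of 3 are an assumption, since the guide does not list them.

```python
"""Cache server fail detection: ping, application, or both.

Added example, not Enterasys code. Probes are injected callables so the
state machine runs offline against constructed outcomes. Interval defaults
follow Table 1 (ping-int 5 s, app-int 15 s); retry defaults of 3 are assumed.
"""
import socket


def tcp_probe(host, port=80, timeout=2.0):
    """Application check: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scripted(results):
    """Probe that replays a constructed list of True/False outcomes."""
    it = iter(results)
    return lambda: next(it)


class FailDetector:
    """Tracks one cache server's up/down state from periodic probes."""

    def __init__(self, method="ping", ping_int=5, ping_retries=3,
                 app_int=15, app_retries=3, ping_probe=None, app_probe=None):
        if method not in ("ping", "app", "both"):
            raise ValueError("faildetect type must be ping, app or both")
        self.method = method
        self.interval = {"ping": ping_int, "app": app_int}
        self.retries = {"ping": ping_retries, "app": app_retries}
        self.probe = {"ping": ping_probe, "app": app_probe}
        self.failures = {"ping": 0, "app": 0}   # consecutive failures per method
        self.last_run = {"ping": None, "app": None}
        self.up = True

    def active_methods(self):
        return ("ping", "app") if self.method == "both" else (self.method,)

    def run(self, now):
        """Run each active method whose interval has elapsed; return up/down."""
        for kind in self.active_methods():
            last = self.last_run[kind]
            if last is not None and now - last < self.interval[kind]:
                continue                       # this method is not due yet
            ok = self.probe[kind]()
            self.last_run[kind] = now
            self.failures[kind] = 0 if ok else self.failures[kind] + 1
        # Down as soon as any active method has failed 'retries' times in a
        # row; a single success on that method clears its failure count.
        self.up = all(self.failures[k] < self.retries[k]
                      for k in self.active_methods())
        return self.up


def ping_example():
    """The s1Server settings from this page: ping every 4 s, 5 retries."""
    fd = FailDetector("ping", ping_int=4, ping_retries=5,
                      ping_probe=scripted([False] * 5 + [True]))
    # t=18 is not due (only 2 s after t=16), so no probe is consumed there.
    return [fd.run(t) for t in (0, 4, 8, 12, 16, 18, 20)]


def both_example():
    """Type 'both': a healthy ping does not mask a failing HTTP port."""
    fd = FailDetector("both", ping_int=5, ping_retries=3,
                      app_int=15, app_retries=2,
                      ping_probe=lambda: True,
                      app_probe=scripted([False, False, True]))
    return [fd.run(t) for t in (0, 15, 30)]
```

The point the model makes explicit is that the state is driven by consecutive failures per method, so a short interval with a low retry count marks a server down quickly but also flaps on a single lost probe, while type both lets an unreachable HTTP service take a server out of rotation even when ICMP still answers.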

The Web-Cache
The web-cache is a logical entity in which all server farms reside. The current TWCB implementation supports a single web-cache. You create a web-cache by naming it in router configuration command mode. Once entered, you are placed in TWCB web-cache configuration command mode. Once in TWCB web-cache configuration command mode, you can:
• Add up to 5 server farms to a web-cache.
• Optionally specify a non-standard port for the redirection of HTTP requests. Outbound HTTP requests are directed to port 80 by default.
• Create bypass lists containing a range of host web sites for which HTTP requests are not redirected to the cache servers for this web-cache. Some web sites require source IP address authentication for user access; a redirected request would reach such a site from the cache server rather than from the end user, so HTTP requests for these sites cannot be redirected to the cache servers. TWCB will not be enabled for HTTP requests to these host web sites when they are configured as members of a bypass list.
• Specify the end users whose HTTP requests are or are not redirected to the cache server. End users permitted redirection take part in TWCB. End users denied redirection do not take part in TWCB. All end users are permitted redirection by default.
• Place the web-cache in service. At least one cache server must be in service before you can place a web-cache in service.

The Outbound Interface


The outbound interface is typically an interface that connects to the internet. It is the interface that will be used for redirecting web objects from the host web site to the cache server. Within the interface configuration command mode, you can configure this interface to redirect outbound HTTP traffic to the web-cache. Up to three outbound interfaces can be redirected to the web-cache.

The Switch and Router


Within switch configuration command mode you can set TWCB-related router limits. Router limits can be set and reset for the number of TWCB bindings, the size of the TWCB cache, and the number of web-caches that can be configured.

Bindings and cache size use memory resources. A maximum of 32000 bindings and a cache size of 10000 are shared by such applications as TWCB, NAT, and LSNAT on a first-come, first-served basis. By setting the maximum number of bindings and cache size used by TWCB to a value lower than the maximum value, you assure that the remaining bindings will be available for use by other applications.
Note: The maximum number of bindings and cache available should only be modified to assure availability to functionalities that share these resources such as TWCB, NAT and LSNAT. It is recommended that you consult with Enterasys customer support before modifying these parameter values.

When resetting router limits to the default values, if you do not specify a parameter, you will reset router limits for all TWCB, NAT, and LSNAT parameters.

Within router configuration command mode you can clear TWCB statistics.

The TWCB Binding


A TWCB flow has three devices associated with it: a client that initiates a service request, the destination device that responds to the service request, and a cache server that caches the response data. Each active TWCB flow has a binding resource associated with it. Each flow is based upon the following criteria:
• Source IP Address: the client IP address
• Destination IP Address: the IP address of the destination device
• Destination Port: the destination device port
• Cache Server IP Address: the IP address of the cache server

Use the show ip twcb conns command to display active TWCB flows for this device.
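The redirection rules of the preceding Web-Cache section and the per-flow binding described here, worked through as an added Python model. This is not Enterasys code and not the switch's implementation: it decides whether a client's HTTP request is redirected and, if so, to which cache server, and records the four-part binding the guide describes, honoring each cache server's maxconns. The addresses are those of the configuration example later on this page. Two points are assumptions because the guide does not state them: default-farm users are pinned to one cache server by a hash of their address, and a flow that finds no available cache server is simply not redirected.

```python
"""Model of the TWCB redirection decision and the per-flow binding.

Added example, not Enterasys code. Rules follow the Web-Cache and Binding
sections of this page: only the configured HTTP port is redirected, bypass
hosts and denied end users are left alone, predictor round-robin list members
are spread over every cache server in their farm, everyone else uses the
default farm, and each flow holds one (src, dst, dport, cache) binding.
Assumed: default users pinned by hash; no available cache -> no redirection.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from zlib import crc32


def in_ranges(ip, ranges):
    """True if ip lies inside any inclusive (begin, end) address range."""
    addr = IPv4Address(ip)
    return any(IPv4Address(b) <= addr <= IPv4Address(e) for b, e in ranges)


@dataclass
class CacheServer:
    ip: str
    maxconns: int = 5000       # guide default
    inservice: bool = False    # must be placed 'inservice' explicitly
    up: bool = True            # result of faildetect
    bindings: int = 0          # active flows bound to this server

    def available(self):
        return self.inservice and self.up and self.bindings < self.maxconns


@dataclass
class ServerFarm:
    name: str
    caches: list
    rr_lists: list = field(default_factory=list)  # predictor roundrobin ranges
    _next: int = 0

    def pick(self, client_ip):
        """Choose a cache server for this client, or None if none can take it."""
        usable = [c for c in self.caches if c.available()]
        if not usable:
            return None
        if self.rr_lists:                      # predictor round-robin farm
            cache = usable[self._next % len(usable)]
            self._next += 1
            return cache
        # Default caching: one cache server per end user (assumed: stable hash).
        return usable[crc32(client_ip.encode()) % len(usable)]


@dataclass
class WebCache:
    name: str
    farms: list
    http_port: int = 80
    bypass: list = field(default_factory=list)        # host ranges never redirected
    deny_clients: list = field(default_factory=list)  # end users denied TWCB
    bindings: dict = field(default_factory=dict)      # (src, dst, dport) -> cache ip

    def redirect(self, src, dst, dport):
        """Return the cache server IP the flow is redirected to, or None."""
        if dport != self.http_port:
            return None                 # only the configured HTTP port is redirected
        if in_ranges(dst, self.bypass):
            return None                 # site authenticates by source IP: leave alone
        if in_ranges(src, self.deny_clients):
            return None                 # end user denied redirection
        key = (src, dst, dport)
        if key in self.bindings:
            return self.bindings[key]   # existing flow keeps its cache server
        farm = next((f for f in self.farms if in_ranges(src, f.rr_lists)), None)
        if farm is None:                # not a list member: default farm
            farm = next((f for f in self.farms if not f.rr_lists), None)
        cache = farm.pick(src) if farm else None
        if cache is None:
            return None
        cache.bindings += 1
        self.bindings[key] = cache.ip   # the binding: src, dst, dport, cache ip
        return cache.ip


def build_example():
    """The cache1 setup from the configuration example on this page."""
    s1 = ServerFarm("s1Server",
                    [CacheServer("186.89.10.51", 800, True),
                     CacheServer("186.89.10.55", 800, True)],
                    rr_lists=[("10.10.10.1", "10.10.10.15"),
                              ("20.10.10.25", "20.10.10.60")])
    s2 = ServerFarm("s2Server", [CacheServer("176.89.10.20", 800, True)])
    return WebCache("cache1", [s1, s2], http_port=8080,
                    bypass=[("50.10.10.30", "50.10.10.43")],
                    deny_clients=[("10.10.10.25", "10.10.10.30")])
```

Note the order of the checks: the HTTP port, the bypass list, and the end-user deny list are all evaluated before any server farm is consulted. That is why a site that authenticates clients by source address must be placed in the bypass list; once a flow is redirected, the site sees the cache server's address rather than the end user's, and no server farm setting changes that.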


Configuring TWCB
This section provides details for the configuration of TWCB on the N-Series products.
For information about...                Refer to page...
Configuring the Server Farm             8
Configuring the Cache Server            8
Configuring the Web-Cache               9
Configuring the Outbound Interface      9
Configuring the Switch and Router       9
Displaying TWCB Statistics              10

Table 1 lists TWCB parameters and their default values.

Table 1    Default TWCB Parameters

Parameter                          Default Value   Description
ip-address-begin, ip-address-end   None            Beginning and end IP addresses of a predictor round-robin list, bypass-list, or host redirect list.
ping, app, or both                 ping            Whether the ping, application, or both detection methods are used to determine TWCB cache server up or down status.
ping-int                           5 seconds       Period between each ping test of the TWCB cache server's up or down status.
ping-retries                                       Number of times the ping faildetect method tests the TWCB cache server's up or down status.
app-int                            15 seconds      Period between each application test of the TWCB cache server's up or down status.
app-retries                                        Number of times the application faildetect method tests the TWCB cache server's up or down status.
maxconns                           5000            Maximum number of connections (bindings) allowed for this cache server.
http-port                          80              HTTP port to which outbound HTTP requests are redirected.
twcb-bindings                      32000           Maximum number of router bindings that can be used by TWCB.
twcb-cache                         2000            Maximum size of the TWCB cache for this router.
twcb-configs                       1               Maximum number of web-caches configurable on this router.

Configuring the Server Farm


Procedure 1 describes how to configure a TWCB server farm.

Procedure 1    TWCB Server Farm Configuration

Step   Task                                                  Command(s)
1.     Create the server farm.                               ip twcb wcserverfarm serverfarm-name
2.     Associate a cache server with the server farm.        cache ip-address
3.     Optionally configure a predictor round-robin list.    predictor roundrobin ip-address-begin ip-address-end

Configuring the Cache Server


Procedure 2 describes how to configure a TWCB cache server.

Procedure 2    TWCB Cache Server Configuration

Step   Task                                                                    Command(s)
1.     Create the cache server.                                                cache ip-address
2.     Configure the cache server fail detection method. The application       faildetect type [ping | app | both]
       method checks for service availability on the HTTP port.
3.     Optionally configure the cache server fail detection method parameters. faildetect [ping-int seconds] [ping-retries number] [app-int seconds] [app-retries number]
4.     Optionally change the maximum number of connections (bindings)          maxconns number
       allowed for this cache server.
5.     Place the cache server in service.                                      inservice


Configuring the Web-Cache


Procedure 3 describes how to configure a TWCB web-cache.

Procedure 3    TWCB Web-Cache Configuration

Step   Task                                                                    Command(s)
1.     Create a web-cache using the specified name.                            ip twcb webcache web-cache-name
2.     Add the specified server farm to this web-cache.                        serverfarm serverfarm-name
3.     Optionally redirect outbound HTTP requests to a non-standard HTTP       http-port port-number
       port number.
4.     Optionally specify web host sites for which HTTP requests are not       bypass-list range begin-ip-address end-ip-address
       redirected to the cache servers.
5.     Optionally permit or deny redirection of HTTP requests for the list     hosts {permit | deny} redirect range begin-ip-address end-ip-address
       of end users to this web-cache.
6.     Place this web-cache in service.                                        inservice

Configuring the Outbound Interface


Configuring an HTTP outbound interface consists of setting the redirection of outbound HTTP traffic from this interface to the cache servers. Procedure 4 describes how to configure this interface for HTTP outbound redirection.

Procedure 4    HTTP Outbound Interface Configuration

Step   Task                                                                    Command(s)
1.     Redirect outbound HTTP traffic from this outbound interface to the      ip twcb webcache-name redirect out
       cache servers.

Configuring the Switch and Router


Procedure 5 describes how to configure TWCB switch and router related parameters.

Procedure 5    TWCB Switch and Router Mode Configuration

Step   Task                                                                    Command(s)
1.     Optionally set or reset TWCB bindings, cache, and configuration limits. set router limits {twcb-bindings twcb-bindings | twcb-cache twcb-cache | twcb-configs 1}
                                                                               clear router limits [twcb-binding] [twcb-cache] [twcb-configs]
2.     Optionally reset the statistical data for the specified web-cache.      clear ip twcb statistics [webcache-name] [all]


Displaying TWCB Statistics


Procedure 6 describes how to display TWCB statistics.

Procedure 6    Displaying TWCB Statistics

Step   Task                                          Command(s)
1.     Display server farm configuration data.       show ip twcb wcserverfarm [serverfarm-name]
2.     Display web-cache configuration data.         show ip twcb webcache [webcache-name]
3.     Display cache server connection data.         show ip twcb conns [client ip-address | wcserver webcache-name]
4.     Display cache server statistical data.        show ip twcb stats
5.     Display TWCB entry and memory limits.         show limits
6.     Display router limits.                        show router limits [twcb-bindings] [twcb-cache] [twcb-configs]

TWCB Configuration Example


In this TWCB configuration example we will step through the configuration of two server farms named s1Server and s2Server. The s1Server server farm will have round-robin predictor end-user ranges associated with it from both the 20.10.10.0/24 subnet and the 10.10.10.0/24 subnet, for users with an expectation of heavy web site access requirements. All other users who are not members of a predictor round-robin list, and are not denied host redirect, will use the s2Server server farm with a standard cache.

The s1Server farm will have cache servers 186.89.10.51 and 186.89.10.55 associated with it. The s2Server farm will have cache server 176.89.10.20 associated with it. The s1Server cache servers will use faildetect type ping, with the faildetect parameter values changed to an interval of 4 seconds and the number of retries to 5. The s2Server cache server will use the application faildetect type, with the faildetect parameter values changed to an interval of 12 seconds and the number of retries to 5. The maximum number of connections per cache server will be configured as 800 for both server farms.

The web-cache will be configured as cache1. The HTTP port being used has been changed from the default of 80 to 8080. A bypass list has been configured to deny TWCB functionality for web requests to web host sites 50.10.10.30 to 50.10.10.43, because these sites require IP address authentication for user access. End users 10.10.10.25 to 10.10.10.30 have been configured to deny TWCB functionality.

On the switch, TWCB router bindings are limited to 20,000 and the TWCB cache size is limited to 5000.

See Figure 3 on page 11 for a depiction of the example setup.


Figure 3    TWCB Configuration Example Overview

[Figure: users on subnets 20.10.10.0/24 and 10.10.10.0/24 connect to the router, which redirects HTTP traffic out VLAN 100 to web-cache Cache1. Server farm s1Server contains cache servers 186.89.10.51 and 186.89.10.55; server farm s2Server contains cache server 176.89.10.20. The router's outbound interface leads to the web site host on the global Internet.]

Configure the s1Server Server Farm


Create the server farm:
Matrix>router
Matrix>Router>enable
Matrix>Router#configure
Enter configuration commands:
Matrix>Router(config)#ip twcb wcserverfarm s1Server
Matrix>Router(config-twcb-wcsfarm)#

Configure the end users that will use this server farm by setting the round-robin predictor ranges:
Matrix>Router(config-twcb-wcsfarm)#predictor roundrobin 10.10.10.1 10.10.10.15
Matrix>Router(config-twcb-wcsfarm)#predictor roundrobin 20.10.10.25 20.10.10.60
Matrix>Router(config-twcb-wcsfarm)#

Configure cache server 186.89.10.51:
Matrix>Router(config-twcb-wcsfarm)#cache 186.89.10.51
Matrix>Router(config-twcb-cache)#faildetect type ping
Matrix>Router(config-twcb-cache)#faildetect ping-int 4
Matrix>Router(config-twcb-cache)#faildetect ping-retries 5
Matrix>Router(config-twcb-cache)#maxconns 800
Matrix>Router(config-twcb-cache)#inservice
Matrix>Router(config-twcb-cache)#exit
Matrix>Router(config-twcb-wcsfarm)#

Configure cache server 186.89.10.55:
Matrix>Router(config-twcb-wcsfarm)#cache 186.89.10.55
Matrix>Router(config-twcb-cache)#faildetect type ping
Matrix>Router(config-twcb-cache)#faildetect ping-int 4
Matrix>Router(config-twcb-cache)#faildetect ping-retries 5
Matrix>Router(config-twcb-cache)#maxconns 800
Matrix>Router(config-twcb-cache)#inservice
Matrix>Router(config-twcb-cache)#exit
Matrix>Router(config-twcb-wcsfarm)#exit
Matrix>Router(config)#

Configure the s2Server Server Farm


Configure server farm s2Server:
Matrix>Router(config)#ip twcb wcserverfarm s2Server
Matrix>Router(config-twcb-wcsfarm)#

Configure cache server 176.89.10.20:
Matrix>Router(config-twcb-wcsfarm)#cache 176.89.10.20
Matrix>Router(config-twcb-cache)#faildetect type app
Matrix>Router(config-twcb-cache)#faildetect app-int 12
Matrix>Router(config-twcb-cache)#faildetect app-retries 5
Matrix>Router(config-twcb-cache)#maxconns 800
Matrix>Router(config-twcb-cache)#inservice
Matrix>Router(config-twcb-cache)#exit
Matrix>Router(config-twcb-wcsfarm)#exit
Matrix>Router(config)#

Configure the cache1 Web Cache


Configure the web-cache cache1:
Matrix>Router(config)#ip twcb webcache cache1
Matrix>Router(config-twcb-webcache)#http-port 8080
Matrix>Router(config-twcb-webcache)#serverfarm s1Server
Matrix>Router(config-twcb-webcache)#serverfarm s2Server
Matrix>Router(config-twcb-webcache)#bypass-list range 50.10.10.30 50.10.10.43
Matrix>Router(config-twcb-webcache)#hosts deny redirect range 10.10.10.25 10.10.10.30
Matrix>Router(config-twcb-webcache)#inservice
Matrix>Router(config-twcb-webcache)#exit
Matrix>Router(config)#


Configure the outbound interface that connects with the internet:
Matrix>Router(config)#interface vlan 100
Matrix>Router(config-if(Vlan 100))#ip twcb cache1 redirect out
Matrix>Router(config-if(Vlan 100))#end
Matrix>Router#

Configure the Switch and Router


Configure the TWCB router limits:
Matrix(rw)->set router limits twcb-bindings 20000
Matrix(rw)->set router limits twcb-cache 5000

Clear the statistical data for this web-cache:
Matrix>Router#clear ip twcb statistics cache1

This completes the TWCB configuration example.


Revision History
Date          Description
09/24/2008    New document
04/16/2009    Added an advanced routing license notice, including the statement of the 256 MB memory requirement on all modules.

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

© 2009 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS MATRIX, ENTERASYS NETSIGHT, LANVIEW, WEBVIEW, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Configuring VLANs
This document provides the following information about configuring and monitoring 802.1Q VLANs on Enterasys N-Series, S-Series, K-Series, and X-Series modular switches, A-Series, B-Series, C-Series stackable fixed switches, and D-Series, G-Series, and I-Series standalone fixed switches.
For information about...                   Refer to page...
What Is a VLAN?                            1
Why Would I Use VLANs in My Network?       1
How Do I Implement VLANs?                  3
Understanding How VLANs Operate            3
VLAN Support on Enterasys Switches         6
Configuring VLANs                          9
Terms and Definitions                      18

Note: This document describes the configuration and operation of VLANs as defined by the IEEE 802.1Q standard and assumes that all devices being configured support that standard. No other types of VLANs will be covered.

What Is a VLAN?
A VLAN is a Virtual Local Area Network: a grouping of network devices that is logically segmented by functions, project teams, or applications without regard to the physical location of users. For example, several end stations might be grouped as a department, such as Engineering or Finance, having the same attributes as a LAN, even though they are not all on the same physical LAN segment.

To accomplish this logical grouping, the network administrator uses 802.1Q VLAN-capable switching devices and assigns each switch port in a particular group to a VLAN. Ports in a VLAN share broadcast traffic and belong to the same broadcast domain. Broadcast traffic in one VLAN is not transmitted outside that VLAN.

Why Would I Use VLANs in My Network?


Virtual LANs allow you to partition network traffic into logical groups and control the flow of that traffic through the network. Once the traffic and, in effect, the users creating the traffic, are assigned to a VLAN, then broadcast and multicast traffic is contained within the VLAN and users can be allowed or denied access to any of the network's resources. Also, you have the option of configuring some or all of the ports on a device to allow frames received with a particular VLAN ID and protocol to be transmitted on a limited number of ports. This keeps the traffic associated with a particular VLAN and protocol isolated from the other parts of the network.
March 15, 2011 Page 1 of 20


The primary benefit of 802.1Q VLAN technology is that it allows you to localize and segregate traffic, improving your administrative efficiency, and enhancing your network security and performance.

Figure 1 shows a simple example of using port-based VLANs to achieve these benefits. In this example, two buildings house the Sales and Finance departments of a single company, and each building has its own internal network. The end stations in each building connect to a switch on the bottom floor. The two switches are connected to one another with a high-speed link.

Figure 1    VLAN Business Scenario

[Figure: Building One and Building Two, each with a SmartSwitch (Switch A and Switch B) joined by a trunk. Stations labeled S are members of the Sales network; stations labeled F are members of the Finance network.]
Without any VLANs configured, the entire network in the example in Figure 1 would be a broadcast domain, and the switches would follow the IEEE 802.1D bridging specification to send data between stations. A broadcast or multicast transmission from a Sales workstation in Building One would propagate to all the switch ports on Switch A, cross the high-speed link to Switch B, and then be propagated out all switch ports on Switch B. The switches treat each port as being equivalent to any other port, and have no understanding of the departmental memberships of each workstation.

Once Sales and Finance are placed on two separate VLANs, each switch understands that certain individual ports or frames are members of separate workgroups. In this environment, a broadcast or multicast data transmission from one of the Sales stations in Building One would reach Switch A, be sent to the ports connected to other local members of the Sales VLAN, cross the high-speed link to Switch B, and then be sent to any other ports and workstations on Switch B that are members of the Sales VLAN. Separate VLANs also provide unicast separation between Sales and Finance. Finance cannot ping Sales unless there is a routed VLAN configured for both Finance and Sales.

Another benefit to VLAN use in the preceding example would be your ability to leverage existing investments in time and equipment during company reorganization. If, for instance, the Finance users change location but remain in the same VLAN connected to the same switch port, their network addresses do not change, and switch and router configuration is left intact.


How Do I Implement VLANs?


By default, all Enterasys switches run in 802.1Q VLAN operational mode. All ports on all Enterasys switches are assigned to a default VLAN (VLAN ID 1), which is enabled to operate and assigns all ports an egress status of untagged. This means that all ports will be allowed to transmit frames from the switch without a VLAN tag in their header. Also, there are no forbidden ports (prevented from transmitting frames) configured.

You can use the CLI commands described in this document to create additional VLANs, to customize VLANs to support your organizational requirements, and to monitor VLAN configuration.

Preparing for VLAN Configuration


A little forethought and planning is essential to a successful VLAN implementation. Before attempting to configure a single device for VLAN operation, consider the following:
• What is the purpose of my VLAN design? (For example: security or traffic broadcast containment.)
• How many VLANs will be required?
• What stations (end users, servers, etc.) will belong to them?
• What ports on the switch are connected to those stations?
• What ports will be configured as GARP VLAN Registration Protocol (GVRP)-aware ports?

Determining how you want information to flow and how your network resources can be best used to accomplish this will help you customize the tasks described in this document to suit your needs and infrastructure. Once your planning is complete, proceed through the steps described in Configuring VLANs on page 9.

Understanding How VLANs Operate


802.1Q VLAN operation differs slightly from how a switched networking system operates. These differences are due to the importance of keeping track of each frame and its VLAN association as it passes from switch to switch, or from port to port within a switch.

VLAN-enabled switches act on how frames are classified into a particular VLAN. Sometimes, VLAN classification is based on tags in the headers of data frames. These VLAN tags are added to data frames by the switch as the frames are transmitted out certain ports, and are later used to make forwarding decisions by the switch and other VLAN-aware switches. In the absence of a VLAN tag header, the classification of a frame into a particular VLAN depends upon the configuration of the switch port that received the frame.

The following basic concepts of VLAN operation will be discussed in this section:
• Learning Modes and Filtering Databases (page 4)
• VLAN Assignment and Forwarding (page 4)
• Example of a VLAN Switch in Operation (page 5)


Learning Modes and Filtering Databases


Addressing information the switch learns about a VLAN is stored in the filtering database assigned to that VLAN. This database contains source addresses, their source ports, and VLAN IDs, and is referred to when a switch makes a decision as to where to forward a VLAN-tagged frame. Each filtering database is assigned a Filtering Database ID (FID).

A switch learns and uses VLAN addressing information by the following modes:
• Independent Virtual Local Area Network (VLAN) Learning (IVL): Each VLAN uses its own filtering database. Transparent source address learning performed as a result of incoming VLAN traffic is not made available to any other VLAN for forwarding purposes. This setting is useful for handling devices (such as servers) with NICs that share a common MAC address. One FID is assigned per VLAN. This is the default mode on Enterasys switches.
• Shared Virtual Local Area Network (VLAN) Learning (SVL): Two or more VLANs are grouped to share common source address information. This setting is useful for configuring more complex VLAN traffic patterns, without forcing the switch to flood the unicast traffic in each direction. This allows VLANs to share addressing information. It enables ports or switches in different VLANs to communicate with each other (when their individual ports are configured to allow this to occur). One FID is used by two or more VLANs.

VLAN Assignment and Forwarding


Receiving Frames from VLAN Ports
By default, Enterasys switches run in 802.1Q operational mode, which means that every frame received by the switch must belong to, or be assigned to, a VLAN. The type of frame under consideration and the filter setting of the switch determine how it forwards VLAN frames. This involves processing traffic as it enters (ingresses) and exits (egresses) the VLAN switch ports as described below.

Untagged Frames
When, for example, the switch receives a frame from Port 1 and determines the frame does not currently have a VLAN tag, but recognizes that Port 1 is a member of VLAN A, it will classify the frame to VLAN A. In this fashion, all untagged frames entering a VLAN switch assume membership in a VLAN.

Note: A VLAN ID is always assigned to a port. By default, it is the default VLAN (VLAN ID = 1).

The switch will now decide what to do with the frame, as described in Forwarding Decisions on page 5.

Tagged Frames
When, for example, the switch receives a tagged frame from Port 4 and determines the frame is tagged for VLAN C, it will classify it to that VLAN regardless of its port VLAN ID (PVID). This frame may have already been through a VLAN-aware switch, or originated from a station capable of specifying a VLAN membership. If a switch receives a frame containing a tag, the switch will classify the frame in regard to its tag rather than the PVID for its port, following the ingress precedence rules listed below.


Ingress Precedence
VLAN assignment for received (ingress) frames is determined by the following precedence:
1. 802.1Q VLAN tag (tagged frames only).
2. Policy or Traffic Classification (which may overwrite the 802.1Q VLAN tag). For more information, refer to Configuring Protocol-Based VLAN Classification on page 16.
3. Port VLAN ID (PVID).

Forwarding Decisions
VLAN forwarding decisions for transmitting frames are determined by whether or not the traffic being classified is in the VLAN's forwarding database, as follows:
• Unlearned traffic: When a frame's destination MAC address is not in the VLAN's forwarding database (FDB), it will be forwarded out of every port on the VLAN's egress list with the frame format that is specified. Refer to Broadcasts, Multicasts, and Unlearned Unicasts below for an example.
• Learned traffic: When a frame's destination MAC address is in the VLAN's forwarding database, it will be forwarded out of the learned port with the frame format that is specified. Refer to Learned Unicasts below for an example.

Broadcasts, Multicasts, and Unlearned Unicasts


If a frame with a broadcast, multicast, or other unknown address is received by an 802.1Q VLAN-aware switch, the switch checks the VLAN classification of the frame. The switch then forwards the frame out all ports that are identified in the Forwarding List for that VLAN. For example, if Port 3, shown in the example in Figure 2, received the frame, the frame would then be sent to all ports that had VLAN C in their Port VLAN List.

Learned Unicasts
When a VLAN switch receives a frame with a known MAC address as its destination address, the action taken by the switch to determine how the frame is transmitted depends on the VLAN, the VLAN-associated FID, and whether the port identified to send the frame is enabled to do so.

When a frame is received, it is classified into a VLAN. The destination address is looked up in the FID associated with the VLAN. If a match is found, it is forwarded out the port identified in the lookup if, and only if, that port is allowed to transmit frames for that VLAN. If a match is not found, then the frame is flooded out all ports that are allowed to transmit frames belonging to that VLAN.

Example of a VLAN Switch in Operation


The operation of an 802.1Q VLAN switch is best understood from the point of view of the switch itself. To illustrate this concept, the examples that follow view the switch operations from inside the switch.

Figure 2 depicts the inside of a switch with six ports, numbered 1 through 6. The switch has been configured to associate VLANs A and B with FID 2, VLANs C and D with FID 3, and VLAN E with FID 4. It shows how a forwarding decision is made by comparing a frame's destination MAC to the FID to which it is classified.


Figure 2    Inside the Switch

[Figure: a six-port switch. Port 1 is in VLAN A (FID 2), Port 2 in VLAN B (FID 2), Port 3 in VLAN C (FID 3), Port 4 in VLAN D (FID 3), Port 5 in VLAN E (FID 4), and Port 6 in the Default VLAN (FID 1).]
Assume a unicast untagged frame is received on Port 3 in the example in Figure 2. The frame is classified for VLAN C (the frame's PVID is VLAN C). The switch would make its forwarding decision by comparing the destination MAC address to information previously learned and entered into its filtering database. In this case, the MAC address is looked up in the FDB for FID 3, which is associated with VLANs C and D. Let's say the switch recognizes the destination MAC of the frame as being located out Port 4.

Having made the forwarding decision based on entries in the FID, the switch now examines the port VLAN egress list of Port 4 to determine if it is allowed to transmit frames belonging to VLAN C. If so, the frame is transmitted out Port 4. If Port 4 has not been configured to transmit frames belonging to VLAN C, the frame is discarded.

If, on the other hand, a unicast untagged frame is received on Port 5, it would be classified for VLAN E. Port 5 has its own filtering database and is not aware of what addressing information has been learned by other VLANs. Port 5 looks up the destination MAC address in its FID. If it finds a match, it forwards the frame out the appropriate port, if and only if that port is allowed to transmit frames for VLAN E. If a match is not found, the frame is flooded out all ports that are allowed to transmit VLAN E frames.
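The ingress precedence, FID lookup, forwarding decision and egress check described in this section, worked through as an added Python model of the Figure 2 switch. This is not Enterasys code and not the switch's implementation. It follows the rules on this page: tag, then policy, then PVID on ingress; source learning into the filtering database selected by the VLAN's FID (IVL when a VLAN owns its FID, SVL when VLANs share one); a learned destination is sent out the learned port only if that port's egress list allows the VLAN, otherwise the frame floods to every port that does. The VIDs 10 through 50 for VLANs A through E, the use of Port 6 as a tagged uplink so that floods have somewhere to go, and all MAC addresses are constructed for the example.

```python
"""802.1Q switch model: ingress classification, FID lookup, egress check.

Added example, not Enterasys code. figure2_switch() builds the port, VLAN
and FID layout of Figure 2; VIDs 10/20/30/40/50 for VLANs A to E, port 6 as
a tagged uplink, and the MAC addresses are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

UNTAGGED, TAGGED, FORBIDDEN = "untagged", "tagged", "forbidden"


@dataclass
class Port:
    number: int
    pvid: int
    egress: dict = field(default_factory=dict)  # vid -> UNTAGGED | TAGGED | FORBIDDEN


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None         # 802.1Q tag; None for an untagged frame
    policy_vid: Optional[int] = None  # VLAN chosen by policy classification


class Switch:
    def __init__(self, ports, vlan_fid):
        self.ports = {p.number: p for p in ports}
        self.vlan_fid = vlan_fid   # vid -> FID; VLANs sharing a FID are SVL
        self.fdb = {}              # (fid, mac) -> port the address was learned on

    def classify(self, frame, in_port):
        """Ingress precedence: 802.1Q tag, then policy, then the port's PVID."""
        vid = frame.vid if frame.vid is not None else self.ports[in_port].pvid
        if frame.policy_vid is not None:
            vid = frame.policy_vid     # policy may overwrite the tag or the PVID
        return vid

    def forward(self, frame, in_port):
        """Return {port: 'tagged'|'untagged'} for the ports the frame egresses."""
        vid = self.classify(frame, in_port)
        if vid not in self.vlan_fid:
            return {}                  # no such VLAN on this switch: discard
        fid = self.vlan_fid[vid]
        self.fdb[(fid, frame.src)] = in_port          # learn source into the FID
        learned = self.fdb.get((fid, frame.dst))
        if learned is None:
            candidates = [n for n in self.ports if n != in_port]  # flood
        elif learned == in_port:
            return {}                  # destination is behind the ingress port
        else:
            candidates = [learned]
        out = {}
        for n in candidates:
            mode = self.ports[n].egress.get(vid)
            if mode in (TAGGED, UNTAGGED):            # FORBIDDEN or absent: no egress
                out[n] = mode
        return out


def figure2_switch():
    """Six ports as in Figure 2: A,B -> FID 2; C,D -> FID 3; E -> FID 4."""
    vlan_fid = {10: 2, 20: 2, 30: 3, 40: 3, 50: 4, 1: 1}   # A B C D E Default
    ports = [Port(1, 10, {10: UNTAGGED}), Port(2, 20, {20: UNTAGGED}),
             Port(3, 30, {30: UNTAGGED}), Port(4, 40, {40: UNTAGGED}),
             Port(5, 50, {50: UNTAGGED}),
             Port(6, 1, {v: TAGGED for v in vlan_fid})]  # assumed tagged uplink
    return Switch(ports, vlan_fid)


def walkthrough():
    """The Port 3 / Port 4 / Port 5 scenario from this section, step by step."""
    sw = figure2_switch()
    station_d = "00:00:5e:00:53:04"      # constructed MAC of a station on port 4
    results = {}
    # 1. The station on port 4 (VLAN D) sends; its MAC is learned in FID 3.
    results["learn"] = sw.forward(Frame(station_d, "ff:ff:ff:ff:ff:ff"), 4)
    # 2. Port 3 (VLAN C, also FID 3) sends to it: FID hit on port 4, but port 4
    #    does not egress VLAN C, so the frame is discarded.
    results["c_to_d_discard"] = sw.forward(Frame("00:00:5e:00:53:03", station_d), 3)
    # 3. Add VLAN C untagged to port 4's egress list: now it is forwarded.
    sw.ports[4].egress[30] = UNTAGGED
    results["c_to_d_forward"] = sw.forward(Frame("00:00:5e:00:53:03", station_d), 3)
    # 4. Port 5 (VLAN E, FID 4) sends to the same MAC: IVL, FID 4 never learned
    #    it, so the frame floods to VLAN E egress ports only.
    results["e_flood"] = sw.forward(Frame("00:00:5e:00:53:05", station_d), 5)
    # 5. Mark the uplink forbidden for VLAN E: the flood has nowhere to go.
    sw.ports[6].egress[50] = FORBIDDEN
    results["e_forbidden"] = sw.forward(Frame("00:00:5e:00:53:05", station_d), 5)
    # 6. A frame tagged for VLAN C arriving on the uplink is classified by its
    #    tag, not by port 6's PVID, and reaches port 4 untagged.
    results["tagged_in"] = sw.forward(Frame("00:00:5e:00:53:06", station_d, vid=30), 6)
    return results
```

Step 2 versus step 3 is the point of the section: sharing FID 3 between VLANs C and D lets a VLAN C frame find the VLAN D station without flooding, but the frame still leaves the switch only if Port 4's egress list admits VLAN C, so the egress list, not the shared database, is what actually gates the cross-VLAN path.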

VLAN Support on Enterasys Switches


Depending on the product family, Enterasys switches support a maximum of up to 4094 active VLANs. There is a distinction, however, between the maximum number of active VLANs some switches support and the range of VLAN ID (VID) values. For example, while the stackable and standalone switch products support 1024 active VLANs, they do support VIDs from anywhere in the full 802.1Q-specified range. These differences are listed below.

Maximum Active VLANs


The total number of active VLANs supported on Enterasys switch product families is:
• Up to 4094 on N-Series, S-Series, K-Series, and X-Series
• Up to 1024 on stackable (A-Series, B-Series, C-Series) and standalone (D-Series, G-Series, I-Series) switch devices

Configurable Range
The allowable user-configurable range for VLAN IDs (VIDs) is:
• From 2 through 4094 on N-Series, S-Series, K-Series, and X-Series switches
• From 2 through 4093 for stackable and standalone switches

This range is based on the following rules:
• VID 0 is the null VLAN ID, indicating that the tag header in the frame contains priority information rather than a VLAN identifier. It cannot be configured as a port VLAN ID (PVID).
• VID 1 is designated the default PVID value for classifying frames on ingress through a switched port. This default can be changed on a per-port basis.
• VID 4095 is reserved by IEEE for implementation use.
• VID 4094 is reserved on stackable and standalone switches.


Notes: Each VLAN ID in a network must be unique. If you enter a duplicate VLAN ID, the Enterasys switch assumes you intend to modify the existing VLAN.

VLAN Types
Enterasys switches support traffic classification for the following VLAN types:

Static and Dynamic VLANs


All VLANs on an Enterasys switch are categorized as being either static or dynamic. Static VLANs are those that are explicitly created on the switch itself, persistently remaining as part of the configuration, regardless of actual usage. Dynamic VLANs, on the other hand, are not necessarily persistent. Their presence relies on the implementation of GVRP and its effect on egress membership as described in GARP VLAN Registration Protocol (GVRP) Support on page 8.

Port-Based VLANs
Port-based VLANs are configured by associating switch ports to VLANs in two ways: first, by manipulating the port VLAN ID (PVID); and second, by adding the port itself to the egress list of the VLAN corresponding to the PVID. Any traffic received by a port is associated to the VLAN identified by the port's PVID. By virtue of this association, this traffic may egress the switch only on those ports listed on the VLAN's egress list. For example, given a VLAN named Marketing, with an ID value of 6, by changing the PVID values of ports 1 through 3 to 6, and adding those ports to the egress list of the VLAN, we effectively restrict the broadcast domain of Marketing to those three ports. If a broadcast frame is received on port 1, it will be transmitted out ports 2 and 3 only. In this sense, VLAN membership is determined by the location of traffic ingress, and from the perspective of the access layer, where users are most commonly located, egress is generally untagged.

Policy-Based VLANs
Rather than making VLAN membership decisions simply based on port configuration, each incoming frame can be examined by the classification engine, which uses a match-based logic to assign the frame to a desired VLAN. For example, you could set up a policy which designates all email traffic between the management officers of a company to a specific VLAN so that this traffic is restricted to certain portions of the network. With respect to network usage, the administrative advantages of policy classification would be application provisioning, acceptable use policy, and distribution layer policy. All of these provisions may involve simultaneous utilization of inter-switch links by multiple VLANs, requiring particular attention to tagged, forbidden, and untagged egress settings.


As described above, PVID determines the VLAN to which all untagged frames received on associated ports will be classified. Policy classification to a VLAN takes precedence over PVID assignment if:
• policy classification is configured to a VLAN, and
• PVID override has been enabled for a policy profile, and assigned to port(s) associated with the PVID.

For more information, refer to the Policy Classification chapter in your device's configuration guide or the Configuring Policy Feature Guide.

GARP VLAN Registration Protocol (GVRP) Support


The purpose of the GARP (Generic Attribute Registration Protocol) VLAN Registration Protocol (GVRP) is to dynamically create VLANs across a switched network. GVRP allows GVRP-aware devices to dynamically establish and update their knowledge of the set of VLANs that currently have active members.

By default, GVRP is globally enabled but disabled at the port level on all Enterasys devices except the N-Series. On the N-Series, GVRP is enabled globally and at the port level. To allow GVRP to dynamically create VLANs, it must be enabled globally and also on each individual port as described in Configuring Dynamic VLANs on page 15.

How It Works
When a VLAN is declared, the information is transmitted out GVRP-configured ports on the device in a GARP-formatted frame using the GVRP multicast MAC address. A switch that receives this frame examines the frame and extracts the VLAN IDs. GVRP then dynamically registers (creates) the VLANs and adds the receiving port to its tagged member list for the extracted VLAN IDs. The information is then transmitted out the other GVRP-configured ports of the device.

Figure 3 shows an example of how VLAN Blue from end station A would be propagated across a switch network. In this figure, port 1 of Switch 4 is registered as being a member of VLAN Blue and Switch 4 declares this fact out all its ports (2 and 3) to Switch 1 and Switch 2. These two switches register this in the port egress lists of the ports (Switch 1, port 1 and Switch 2, port 1) that received the frames with the information. Switch 2, which is connected to Switch 3 and Switch 5, declares the same information to those two switches and the port egress list of each port is updated with the new information, accordingly.

Figure 3  Example of VLAN Propagation Using GVRP

[Figure not reproduced. End Station A attaches to port 1 of Switch 4; Switch 4 connects to Switch 1 and Switch 2; Switch 2 connects onward to Switch 3 and Switch 5.]

Legend: R = Port registered as a member of VLAN Blue; D = Port declaring VLAN Blue

Note: If a port is set to forbidden on the egress list of a VLAN, then that VLAN's egress list will not be dynamically updated with that port.

Administratively configuring a VLAN on an 802.1Q switch creates a static VLAN entry that will always remain registered and will not time out. GVRP-created dynamic entries, however, do time out, and their registrations are removed from the member list if the end station is removed. This ensures that, if switches are disconnected or end stations are removed, the registered information remains accurate.

The end result of GVRP dynamic VLAN configuration is that each port's egress list is updated with information about the VLANs that reside on that port, even if the actual station on the VLAN is several hops away.
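The propagation and timeout behaviour described above, as an added example that is not Enterasys code: a small Python model of the Figure 3 topology. The topology, the port numbers and the VLAN ID 10 standing in for "VLAN Blue" are constructed here, since the figure itself is not reproduced. Switch 3's uplink port is set forbidden for the VLAN and Switch 5 has GVRP disabled on its second port, to show the two cases in which a port is not dynamically added; a static entry on Switch 4 is shown surviving the Leave that removes every dynamic registration. A loop-free topology is assumed.

```python
from collections import defaultdict

BLUE = 10  # constructed VLAN ID standing in for "VLAN Blue" in Figure 3


class GvrpSwitch:
    """One GVRP-capable 802.1Q bridge. Dynamic registrations are kept apart from the
    static egress list so that a Leave (or timeout) removes only what GVRP learned."""

    def __init__(self, name, gvrp_ports, forbidden=None):
        self.name = name
        self.gvrp = set(gvrp_ports)          # ports on which 'set gvrp enable' was issued
        self.forbidden = forbidden or {}     # vid -> ports set forbidden for that VLAN
        self.static = defaultdict(set)       # vid -> ports on the static egress list
        self.dynamic = defaultdict(set)      # vid -> ports registered through GVRP
        self.links = {}                      # port -> (neighbour switch, neighbour port)

    def egress(self, vid):
        return self.static[vid] | self.dynamic[vid]

    def declare(self, vid, exclude):
        """Send a Join for vid out every GVRP-enabled port except the one it arrived on."""
        for p in sorted(self.gvrp - {exclude}):
            if p in self.links:
                nb, nb_port = self.links[p]
                nb.receive_join(nb_port, vid)

    def add_static(self, vid, port):
        """Administratively configured membership: never times out, but is still declared."""
        self.static[vid].add(port)
        self.declare(vid, exclude=port)

    def receive_join(self, port, vid):
        if port not in self.gvrp:
            return                           # GVRP disabled on this port: frame ignored
        if port in self.forbidden.get(vid, set()):
            return                           # forbidden egress: dynamic request ignored
        if port in self.egress(vid):
            return                           # already a member: nothing new to propagate
        self.dynamic[vid].add(port)          # register the port (tagged) for the VLAN
        self.declare(vid, exclude=port)

    def receive_leave(self, port, vid):
        """Registration withdrawn or timed out. If nothing else on this switch keeps the
        VLAN alive, stop declaring it downstream so the network converges."""
        if port not in self.dynamic[vid]:
            return                           # static entries are untouched by a Leave
        self.dynamic[vid].discard(port)
        if not self.egress(vid):
            for p in sorted(self.gvrp - {port}):
                if p in self.links:
                    nb, nb_port = self.links[p]
                    nb.receive_leave(nb_port, vid)


def connect(a, pa, b, pb):
    a.links[pa] = (b, pb)
    b.links[pb] = (a, pa)


def build_figure3():
    """Constructed approximation of the Figure 3 topology."""
    s1 = GvrpSwitch("Switch 1", gvrp_ports={1, 2})
    s2 = GvrpSwitch("Switch 2", gvrp_ports={1, 2, 3})
    s3 = GvrpSwitch("Switch 3", gvrp_ports={1, 2}, forbidden={BLUE: {1}})  # port 1 forbidden
    s4 = GvrpSwitch("Switch 4", gvrp_ports={1, 2, 3})
    s5 = GvrpSwitch("Switch 5", gvrp_ports={1})                            # port 2: GVRP off
    connect(s4, 2, s1, 1)
    connect(s4, 3, s2, 1)
    connect(s2, 2, s3, 1)
    connect(s2, 3, s5, 1)
    return {"s1": s1, "s2": s2, "s3": s3, "s4": s4, "s5": s5}


def propagate_blue():
    """End Station A joins VLAN Blue on Switch 4 port 1, then leaves; return both snapshots."""
    net = build_figure3()
    net["s4"].receive_join(1, BLUE)           # the station's GVRP Join arrives on port 1
    after_join = {k: sorted(sw.egress(BLUE)) for k, sw in net.items()}
    net["s4"].receive_leave(1, BLUE)          # station removed: its registration times out
    after_leave = {k: sorted(sw.egress(BLUE)) for k, sw in net.items()}
    return after_join, after_leave


if __name__ == "__main__":
    joined, left = propagate_blue()
    for name in sorted(joined):
        print(f"{name}: egress after join {joined[name]}, after leave {left[name]}")
```

Switch 3 never registers the VLAN because its receiving port is forbidden, and Switch 5 never declares it onward because GVRP is off on its second port; once the end station disappears every dynamic entry is withdrawn hop by hop, while a static membership added with add_static stays and keeps declaring.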

Configuring VLANs
Once you have planned your implementation strategy as described in Preparing for VLAN Configuration on page 3, you can begin configuring VLANs as described in this section. The following information for configuring VLANs on an Enterasys switch will be covered:
- Platform Specific Differences (page 10)
- Default Settings (page 11)
- Configuring Static VLANs (page 12)
- Creating a Secure Management VLAN (page 14)
- Configuring Dynamic VLANs (page 15)
- Configuring Protocol-Based VLAN Classification (page 16)

Platform Specific Differences


Enterasys X-Series Platform Configuration
The configuration of VLANs on the X-Series platform is very similar to the configuration of VLANs on the N-Series, S-Series, K-Series, stackable, and standalone switch platforms, with one major exception. By default, physical ports on the X-Series are configured to route traffic, not to switch traffic as on the other switch platforms. Therefore, by default, no ports reside on the egress list for VLAN 1 unless the port is explicitly configured to switch traffic using the set port mode <port-string> switched command, and explicitly added to VLAN 1's egress list using the set vlan egress <vid> <port-string> command, as described in Configuring Static VLANs on page 12.

VLAN Naming Convention for IP Interfaces


A VLAN is identified by its ID, which is a number from 1 to 4094. On the X-Series devices, a VLAN entity configured on a routing interface is specified in CLI commands in the format vlan.instance.vlan_id, where instance is the bridging instance and vlan_id is the VLAN ID (1 to 4094). The X-Series currently supports only one bridging instance, so instance is always 1. For example, to display information about VLAN 100, in either switch or router mode, you would enter:
show interface vlan.1.100

This convention differs from other Enterasys switch platforms, where the format in this instance would be vlan vlan_id.

VLAN Constraints
VLAN constraints is an N-Series, S-Series, and K-Series platform feature that controls the filtering database to which VLANs are allowed to belong. This feature is not supported on X-Series, stackable, or standalone switch platforms.

Protected Ports
Protected Ports is a feature supported on the stackable and standalone switch platforms that is used to prevent ports from forwarding traffic to each other, even when they are on the same VLAN. Ports can be designated as either protected or unprotected. Ports are unprotected by default. Multiple groups of protected ports are supported.

Ports that are configured to be protected:
- Cannot forward traffic to other protected ports in the same group, regardless of having the same VLAN membership.
- Can forward traffic to ports which are unprotected (not listed in any group).
- Can forward traffic to protected ports in a different group, if they are in the same VLAN.

Unprotected ports can forward traffic to both protected and unprotected ports. A port may belong to only one group of protected ports.

This feature only applies to ports within a switch. It does not apply across multiple switches in a network, so two protected ports on different switches that share a VLAN can still reach each other. It is not supported on the N-Series, S-Series, K-Series, or X-Series platforms.

Default Settings
Table 1 lists VLAN parameters and their default values.

Table 1  Default VLAN Parameters

Parameter: garp timer
  Description: Configures the three GARP timers. The setting is critical and should only be done by someone familiar with the 802.1Q standard.
  Default: Join timer: 20 centiseconds; Leave timer: 60 centiseconds; Leaveall timer: 1000 centiseconds

Parameter: GVRP
  Description: Enables or disables the GARP VLAN Registration Protocol (GVRP) on a specific set of ports or all ports. GVRP must be enabled to allow creation of dynamic VLANs.
  Default: Disabled at the port level; enabled at the global level.
  Note: The N-Series has GVRP enabled at the port level and enabled globally.

Parameter: port discard
  Description: Ports can be set to discard frames based on whether or not they contain a VLAN tag.
  Default: No frames are discarded

Parameter: port ingress filter
  Description: When enabled on a port, the VLAN IDs of incoming frames are compared to the port's egress list. If the received VLAN ID does not match a VLAN ID on the port's egress list, the frame is dropped.
  Default: Enabled

Parameter: port vlan ID (PVID)
  Description: 802.1Q VLAN/port association.
  Default: VLAN 1 / Default VLAN

Parameter: protected port (Applies to stackable and standalone switches only.)
  Description: Prevents ports from forwarding traffic to each other, even when they are on the same VLAN.
  Default: Unprotected

Parameter: vlan constraint (Applies to N-Series, S-Series, K-Series only.)
  Description: Configures VLANs to use an independent or shared filtering database.
  Default: VLANs use an independent filtering database

Parameter: vlan dynamicegress
  Description: Enables or disables dynamic egress processing for a given VLAN.
  Default: Disabled

Parameter: vlan egress
  Description: Configures the egress ports for a VLAN and the type of egress for the ports. Egress type can be tagged, untagged, or forbidden.
  Default: Tagged

Parameter: vlan name
  Description: Associates a text name to one or more VLANs.
  Default: None

Configuring Static VLANs


Procedure 1 describes how to create and configure a static VLAN. Unspecified parameters use their default values.

Procedure 1  Static VLAN Configuration

Step 1. Show existing VLANs.
        Command: show vlan

Step 2. (Applies to X-Series only.) Define the ports to be used for switched traffic.
        Command: set port mode port-string switched

Step 3. Create the VLAN. Refer to Configurable Range on page 6 for valid id values. Each vlan-id must be unique. If an existing vlan-id is entered, the existing VLAN is modified.
        Command: set vlan create vlan-id

Step 4. Optionally, assign a name to the VLAN. Valid strings are from 1 to 32 characters.
        Command: set vlan name vlan-id string

Step 5. Assign switched ports to the VLAN. This sets the port VLAN ID (PVID). The PVID determines the VLAN to which all untagged frames received on the port will be classified.
        Command: set port vlan port-string vlan-id

        Note: If the VLAN specified has not already been created, the set port vlan command will create it. It will also add the VLAN to the port's egress list as untagged, and remove the default VLAN from the port's egress list. This automatically changes the existing untagged VLAN egress permission to match the new PVID value.

Step 6. Configure VLAN egress, which determines which ports a frame belonging to the VLAN may be forwarded out on.
        Static configuration: Add the port to the VLAN egress list for the device. The default setting, tagged, allows the port to transmit frames for a particular VLAN. The untagged setting allows the port to transmit frames without a VLAN tag; this setting is usually used to configure a port connected to an end user device. The forbidden setting prevents the port from participating in the specified VLAN and ensures that any dynamic requests for the port to join the VLAN will be ignored.
        Command: set vlan egress vlan-id port-string {forbidden | tagged | untagged}
        If necessary, remove ports from the VLAN egress list. If forbidden is specified, the forbidden setting will be cleared from the designated ports and the ports will be reset as allowed to egress frames, if so configured by either static or dynamic means. If forbidden is not specified, tagged and untagged egress settings will be cleared from the designated ports.
        Command: clear vlan egress vlan-list port-string [forbidden]
        Dynamic configuration: By default, dynamic egress is disabled on all VLANs. If dynamic egress is enabled for a VLAN, the device will add the port receiving a frame to the VLAN's egress list as untagged, according to the VLAN ID of the received frame.
        Command: set vlan dynamicegress vlan-id {enable | disable}

Step 7. (Applies to N-Series, S-Series, K-Series only.) Optionally, set VLAN constraints to control the filtering database a VLAN will use for forwarding traffic. Filtering databases can be shared or independent. By default, filtering databases are independent.
        Command: set vlan constraint vlan-id set-num [shared | independent]

Step 8. Optionally, enable ingress filtering on a port to drop those incoming frames that do not have a VLAN ID that matches a VLAN ID on the port's egress list.
        Command: set port ingress-filter port-string enable

Step 9. Optionally, choose to discard tagged or untagged (or both) frames on selected ports. Select none to allow all frames to pass through.
        Command: set port discard port-string {tagged | untagged | none | both}

Step 10. (Applies to stackable and standalone switches only.) Optionally, configure protected ports. This prevents ports from forwarding traffic to each other, even when they are on the same VLAN. The group-id value identifies the assigned ports and can range from 0 to 2. You can also set a protected port group name of up to 32 characters in length.
        Commands: set port protected port-string group-id
                  set port protected name group-id name

Step 11. If the device supports routing, enter router configuration mode and configure an IP address on the VLAN interface, as shown in the following sub-steps:

        11a. X-Series configuration:
             router
             configure
             interface vlan.1.vlan_id
             ip address ip-address/maxlen
             no shutdown

        11b. Stackable/Standalone configuration:
             router
             enable
             configure terminal
             interface vlan vlan_id
             ip address ip-address ip-mask
             no shutdown

        11c. N-Series/S-Series/K-Series configuration:
             configure terminal
             interface vlan vlan_id
             ip address ip-address ip-mask
             no shutdown

Note: Each VLAN interface must be configured for routing separately using the interface command shown above. To end configuration on one interface before configuring another, type exit at the command prompt. Enabling interface configuration mode is required for completing interface-specific configuration tasks.

Example Configuration
The following shows an example S-Series device configuration using the steps in Procedure 1. In this example, VLAN 100 is created and named VLANRED. Ports ge.1.2, ge.1.3 and ge.1.4 are assigned to VLAN 100 and added to its egress list. VLAN 100 is then configured as a routing interface with an IP address of 120.20.20.1/24.

Note: Refer to Procedure 1 to determine which platform-specific commands may apply to your device when following this example configuration.

Switch1(su)->set vlan create 100
Switch1(su)->set vlan name 100 VLANRED
Switch1(su)->set port vlan ge.1.2-4 100
The PVID is used to classify untagged frames as they ingress into a given port.
Would you like to add the selected port(s) to this VLAN's untagged egress list
and remove them from all other VLANs untagged egress list (y/n) [n]?
NOTE: Choosing 'y' will not remove the port(s) from previously configured tagged egress lists.
y
Switch1(su)->configure terminal
Switch1(su-config)->interface vlan 100
Switch1(su-config-intf-vlan.0.100)->ip address 120.20.20.1/24
Switch1(su-config-intf-vlan.0.100)->no shutdown

If you want to configure a port to drop incoming frames that do not have a VLAN ID that matches a VLAN ID on the port's egress list, use the set port ingress-filter command. For example:

Switch1(su)->set port ingress-filter ge.1.2-4 enable

If you want to configure a port to discard tagged or untagged incoming frames, use the set port discard command. For example, to configure the ports to drop tagged frames on ingress (which, on ports that face end stations, also stops a station from choosing its own VLAN by sending tagged frames):

Switch1(su)->set port discard ge.1.2-4 tagged

Creating a Secure Management VLAN


If you are configuring an Enterasys device for multiple VLANs, it may be desirable to configure a management-only VLAN. This allows a station connected to the management VLAN to manage the device. It also makes management more secure by preventing configuration through ports assigned to other VLANs. Note that this restricts which ports can reach the management interface; it does not authenticate the traffic that does reach it, so the SNMP community change in Step 5 of Procedure 2 is still required.

Procedure 2 provides an example of how to create a secure management VLAN. This example, which sets the new VLAN as VLAN 2, assumes the management station is attached to ge.1.1 and wants untagged frames. The process described in this section would be repeated on every device that is connected in the network to ensure that each device has a secure management VLAN.

Procedure 2  Secure Management VLAN Configuration

Step 1. (Applies to X-Series only.) Configure the ports to be used as switch ports.
        Command: set port mode host.0.1; ge.1.1 2 switched

Step 2. Create a new VLAN.
        Command: set vlan create 2

Step 3. Set the PVID for the host port and the desired switch port to the VLAN created in Step 2.
        Command: set port vlan host.0.1; ge.1.1 2

Step 4. If not done automatically when executing the previous command, add the host port and desired switch port(s) to the new VLAN's egress list.
        Command: set vlan egress 2 host.0.1; ge.1.1 2 untagged

Step 5. Set a private community name to assign to this VLAN, for which you can configure access rights and policies.
        Command: set snmp community private

Note: By default, the community name, which determines remote access for SNMP management, is set to public with read-write access. Change it before exposing the management VLAN: SNMPv1/v2c community strings are sent in cleartext, and a well-known read-write community gives anyone who can reach the management interface full control of the device. For more information, refer to your device's SNMP documentation.

Configuring Dynamic VLANs


Procedure 3 describes how to enable the GARP (Generic Attribute Registration Protocol) VLAN Registration Protocol (GVRP), which is needed to create dynamic VLANs. By default, GVRP is enabled globally but disabled at the port level. GVRP must be globally enabled and also enabled on specific ports in order to generate and process GVRP advertisement frames. Because any GVRP-speaking device attached to an enabled port can register VLANs on the switch, enable GVRP only on the links between switches that need it, and leave it disabled (or set the VLAN egress to forbidden, as described in Procedure 1) on ports facing end stations; on the N-Series, where ports are enabled by default, this means disabling it on those ports.

Note: Refer to GARP VLAN Registration Protocol (GVRP) Support on page 8 for conceptual information about GVRP.

Procedure 3  Dynamic VLAN Configuration

Step 1. Show the existing GVRP configuration for a port or list of ports. If no port-string is entered, the global GVRP configuration and all port GVRP configurations are displayed.
        Command: show gvrp [port-string]

Step 2. If necessary, enable GVRP on those ports assigned to a VLAN. You must specifically enable GVRP on ports, since it is disabled on ports by default.
        Command: set gvrp enable port-string

Step 3. Display the existing GARP timer values.
        Command: show garp timer [port-string]

Step 4. Optionally, set the GARP join, leave, and leaveall timer values. Each timer value is in centiseconds.
        Command: set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]} port-string

Caution: The setting of GARP timers is critical and should only be changed by personnel familiar with the 802.1Q standard.

Configuring Protocol-Based VLAN Classification


Protocol-based VLANs can be configured using the policy classification CLI commands, as shown in this section, or by using NetSight Policy Manager. Procedure 4 describes how to define protocol-based frame filtering policies to assign frames to particular VLANs. Refer to your Enterasys policy configuration and CLI documentation for more information.

Note: Depending on your Enterasys switching device, your options for configuring policy classification may differ from the examples provided in this section. Refer to your device's documentation for a list of CLI commands and functions supported.

Procedure 4  Configuring Protocol-Based VLAN Classification

Step 1. (Applies to X-Series only.) Configure the ports to be used as switch ports.
        Command: set port mode port-string switched

Step 2. Create the VLANs to which frames will be assigned by the policy. Valid values are 1 to 4094.
        Command: set vlan create vlan-id

Step 3. Configure VLAN egress, which determines which ports a frame belonging to the VLAN may be forwarded out on. The default setting, tagged, allows the port to transmit frames for a particular VLAN.
        Command: set vlan egress vlan-id port-string [forbidden | tagged | untagged]

Step 4. Disable ingress filtering on the ingress ports on which the policy will be applied. Otherwise frames that the policy classifies to a VLAN not on the ingress port's egress list would be dropped by the filter.
        Command: set port ingress-filter port-string disable

Step 5. Create the policy profile that enables PVID override. This function allows a policy rule classifying a frame to a VLAN to override the PVID assignment configured with the set port vlan command. When none of its associated classification rules match, the configuration of the policy profile itself determines how frames are handled by default; in this case, the default VLAN is specified with the pvid pvid parameter.
        Command: set policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid]

Step 6. Configure the administrative rules that will assign the policy profile to all frames received on the desired ingress ports.
        Command: set policy rule admin-profile port port-string [port-string port-string] [admin-pid admin-pid]

Step 7. Configure the classification rules that define the protocol to filter on and the VLAN ID to which matching frames will be assigned.
        Command: set policy rule profile-index {protocol data [mask mask]} [vlan vlan]

Example Configuration
The following shows an example N-Series device configuration using the steps in Procedure 4. This example configures a policy that ensures that IP traffic received on the specified ingress ports will be mapped to VLAN 2, while all other types of traffic will be mapped to VLAN 3.

1. Two VLANs are created: VLAN 2 and VLAN 3.
2. Ports 1 through 5 on the Gigabit Ethernet module in slot 4 are configured as egress ports for the VLANs, while ports 8 through 10 on the Gigabit Ethernet module in slot 5 are configured as ingress ports that will do the policy classification.
3. Policy profile number 1 is created; it enables PVID override and defines the default behavior (classify to VLAN 3) if none of the classification rules created for the profile are matched.
4. Administrative rules are created that apply policy profile number 1 to all frames received on the ingress ports ge.5.8 through ge.5.10.
5. Classification rules are created for policy profile number 1 that assign IP frames to VLAN 2. The rules identify IP frames by using the ether protocol parameter, which classifies on the Type field in the headers of Layer 2 Ethernet II frames, and the protocol data of 0x0800 (IP type), 0x0806 (ARP type), and 0x8035 (RARP type).

Switch1(su)->set vlan create 2, 3
Switch1(su)->set vlan egress 2 ge.4.1-2
Switch1(su)->set vlan egress 3 ge.4.3-5
Switch1(su)->set port ingress-filter ge.5.8-10 disable
Switch1(su)->set policy profile 1 name protocol_based_vlan pvid-status enable pvid 3
Switch1(su)->set policy rule admin-profile port ge.5.8 port-string ge.5.8 admin-pid 1
Switch1(su)->set policy rule admin-profile port ge.5.9 port-string ge.5.9 admin-pid 1
Switch1(su)->set policy rule admin-profile port ge.5.10 port-string ge.5.10 admin-pid 1
Switch1(su)->set policy rule 1 ether 0x0800 mask 16 vlan 2
Switch1(su)->set policy rule 1 ether 0x0806 mask 16 vlan 2
Switch1(su)->set policy rule 1 ether 0x8035 mask 16 vlan 2
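The interaction of PVID, policy classification with PVID override, ingress filtering, port discard, egress type and (on stackable and standalone switches) protected ports, as an added example that is not Enterasys code: a Python model of one switch loaded with the two example configurations on this page, the Procedure 1 S-Series example and the Procedure 4 N-Series example, mixed freely on one model switch. The protected-port group on ge.1.3 and ge.1.4, the frame bytes and the MAC addresses are constructed. It shows why Step 4 of Procedure 4 disables ingress filtering: ge.5.8 through ge.5.10 are not on the egress lists of VLAN 2 or VLAN 3, so a frame the policy classifies there would otherwise fail the ingress filter.

```python
"""Ingress classification and egress selection on one 802.1Q switch, modelling
set port discard, set port vlan (PVID), a policy profile with pvid-status/pvid and
'ether' rules, set port ingress-filter, set vlan egress and set port protected."""
import struct
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100


@dataclass
class Port:
    pvid: int = 1                          # set port vlan <port> <vid>
    discard: str = "none"                  # set port discard: none|tagged|untagged|both
    ingress_filter: bool = False           # set port ingress-filter <port> enable
    admin_pid: Optional[int] = None        # set policy rule admin-profile ... admin-pid <n>
    protected_group: Optional[int] = None  # set port protected <port> <group>; None = unprotected


@dataclass
class Profile:
    pvid_status: bool                      # pvid-status enable: rules may override the port PVID
    pvid: Optional[int]                    # VLAN used when no rule matches (pvid <vid>)
    rules: list = field(default_factory=list)  # (ethertype, mask bits, vlan), in rule order


@dataclass
class Switch:
    ports: dict                            # name -> Port
    egress: dict                           # vid -> {port: "tagged"|"untagged"|"forbidden"}
    profiles: dict = field(default_factory=dict)

    def members(self, vid):
        """Ports allowed to egress vid; a forbidden port is never a member."""
        return {p for p, kind in self.egress.get(vid, {}).items() if kind != "forbidden"}

    def policy_vlan(self, port, ethertype):
        """VLAN for an untagged frame: first matching rule, else profile pvid, else port PVID."""
        prof = self.profiles.get(port.admin_pid)
        if prof is None or not prof.pvid_status:
            return port.pvid
        for rule_type, mask_bits, rule_vid in prof.rules:
            mask = (0xFFFF << (16 - mask_bits)) & 0xFFFF   # 'mask 16' = the whole Type field
            if (ethertype & mask) == (rule_type & mask):
                return rule_vid
        return prof.pvid if prof.pvid is not None else port.pvid

    def forward(self, in_port, frame):
        """Return ("drop", reason) or ("forward", vid, [(out_port, "tagged"|"untagged"), ...])."""
        tagged, tag_vid, ethertype = parse_ethernet(frame)
        port = self.ports[in_port]
        if tagged and port.discard in ("tagged", "both"):      # discard acts on the raw tag
            return ("drop", "discard tagged")
        if not tagged and port.discard in ("untagged", "both"):
            return ("drop", "discard untagged")
        vid = tag_vid if tagged else self.policy_vlan(port, ethertype)
        if port.ingress_filter and in_port not in self.members(vid):
            return ("drop", f"ingress filter: port {in_port} is not on the VLAN {vid} egress list")
        out = []
        for p in sorted(self.members(vid) - {in_port}):
            g = port.protected_group
            if g is not None and g == self.ports[p].protected_group:
                continue                                        # same protected group: blocked
            out.append((p, self.egress[vid][p]))
        return ("forward", vid, out)


def parse_ethernet(frame: bytes):
    """Return (tagged, vid, ethertype) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return False, 0, tpid
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    vid = tci & 0x0FFF
    return vid != 0, vid, ethertype        # VID 0 = priority-tagged: classified like untagged


def make_frame(ethertype, vid=None, payload=b"\x00" * 46):
    """Constructed test frame; the MAC addresses are illustrative."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    return hdr + struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ethertype) + payload


def example_switch():
    """Both example configurations from this page on one model switch (the protected
    group on ge.1.3/ge.1.4 is constructed; VLAN 1 keeps the ports whose PVID was not changed)."""
    ports = {p: Port(pvid=100, ingress_filter=True, discard="tagged") for p in ("ge.1.2", "ge.1.3", "ge.1.4")}
    ports["ge.1.3"].protected_group = ports["ge.1.4"].protected_group = 0
    ports.update({f"ge.4.{n}": Port() for n in range(1, 6)})
    ports.update({f"ge.5.{n}": Port(admin_pid=1) for n in (8, 9, 10)})   # ingress filter disabled
    egress = {
        1: {p: "untagged" for p in ports if not p.startswith("ge.1.")},
        100: {"ge.1.2": "untagged", "ge.1.3": "untagged", "ge.1.4": "untagged"},
        2: {"ge.4.1": "tagged", "ge.4.2": "tagged"},
        3: {"ge.4.3": "tagged", "ge.4.4": "tagged", "ge.4.5": "tagged"},
    }
    profiles = {1: Profile(pvid_status=True, pvid=3,
                           rules=[(0x0800, 16, 2), (0x0806, 16, 2), (0x8035, 16, 2)])}
    return Switch(ports, egress, profiles)


if __name__ == "__main__":
    sw = example_switch()
    print(sw.forward("ge.5.8", make_frame(0x0800)))   # IP -> VLAN 2 out ge.4.1-2 tagged
    print(sw.forward("ge.5.9", make_frame(0x8137)))   # other Type -> VLAN 3 via profile pvid
    print(sw.forward("ge.1.3", make_frame(0x0800)))   # VLAN 100; ge.1.4 skipped (same group)
    sw.ports["ge.5.8"].ingress_filter = True
    print(sw.forward("ge.5.8", make_frame(0x0800)))   # dropped: the reason for Step 4
```

Tagged frames arriving on ge.1.2 through ge.1.4 are dropped by set port discard before any classification, which is what stops an end station from picking its own VLAN; a priority-tagged frame (VID 0) is treated as untagged and still goes through the policy rules.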

Monitoring VLANs
Table 2 describes the show commands that display information about VLAN configurations. Refer to your device's CLI documentation for a description of the output of each show command.

Table 2  Displaying VLAN Information

Task: Display all existing VLANs.
  Command: show vlan

Task: (Applies to N-Series, S-Series, K-Series only.) Display the VLAN constraint setting.
  Command: show vlan constraint [vlan id]

Task: Display the VLAN dynamic egress setting.
  Command: show vlan dynamicegress [vlan id]

Task: Display all static VLANs.
  Command: show vlan static

Task: Display ports assigned to VLANs.
  Command: show port vlan [port-string]

Task: Display existing GVRP settings.
  Command: show gvrp [port-string]

Task: Display static ports on the given vid, group.
  Command: show igmp static [vlan id]

Task: (Applies to stackable and standalone switches only.) Display port(s) configured in protected mode.
  Command: show port protected [port-string] | [group-id]

Task: (Applies to stackable and standalone switches only.) Display the name of a specific group of protected ports.
  Command: show port protected name group-id

Terms and Definitions


Table 3 lists terms and definitions used in VLAN configuration.

Table 3  VLAN Terms and Definitions

Term: Default VLAN
  Definition: The VLAN to which all ports are assigned upon initialization. The default VLAN has a VLAN ID of 1 and cannot be deleted or renamed.

Term: Filtering Database
  Definition: A database structure within the switch that keeps track of the associations between MAC addresses, VLANs, and interface (port) numbers. The Filtering Database is referred to when a switch makes a forwarding decision on a frame.

Term: Filtering Database Identifier (FID)
  Definition: Addressing information that the device learns about a VLAN is stored in the filtering database assigned to that VLAN. Several VLANs can be assigned to the same FID to allow those VLANs to share addressing information. This enables the devices in the different VLANs to communicate with each other when the individual ports have been configured to allow communication to occur. The configuration is accomplished using the Local Management VLAN Forwarding Configuration screen. By default a VLAN is assigned to the FID that matches its VLAN ID.

Term: Forwarding List
  Definition: A list of the ports on a particular device that are eligible to transmit frames for a selected VLAN.

Term: GARP Multicast Registration Protocol (GMRP)
  Definition: A GARP application that functions in a similar fashion to GVRP, except that GMRP registers multicast addresses on ports to control the flooding of multicast frames.

Term: GARP VLAN Registration Protocol (GVRP)
  Definition: A GARP application used to dynamically create VLANs across a switched network.

Term: Generic Attribute Registration Protocol (GARP)
  Definition: A protocol used to propagate state information throughout a switched network.

Term: Port VLAN List
  Definition: A per-port list of all eligible VLANs whose frames can be forwarded out one specific port, and the frame format (tagged or untagged) of transmissions for that port. The Port VLAN List specifies what VLANs are associated with a single port for frame transmission purposes.

Term: Tag Header (VLAN Tag)
  Definition: Four bytes of data inserted in a frame that identify the VLAN/frame classification. The Tag Header is inserted into the frame directly after the Source MAC address field. Twelve bits of the Tag Header represent the VLAN ID; the remaining bits are other control information.

Term: Tagged Frame
  Definition: A data frame that contains a Tag Header. A VLAN-aware device can add the Tag Header to any frame it transmits.

Term: Untagged Frame
  Definition: A data frame that does not have a Tag Header.

Term: VLAN ID
  Definition: A unique number (between 1 and 4094) that identifies a particular VLAN.

Term: VLAN Name
  Definition: An alphanumeric name of up to 32 characters associated with a VLAN ID. The VLAN Name is intended to make user-defined VLANs easier to identify and remember.

Revision History

Date        Description
02-01-2008  New document.
02-20-2008  Corrected product naming conventions.
07-28-2008  Modifications due to product rebranding changes.
01-07-2009  Corrected error in configuration example.
03-15-2011  Added S-Series and K-Series. Removed IGMP snooping (covered in Multicast Feature Guide).

Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

2011 Enterasys Networks, Inc. All rights reserved.

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS NETSIGHT, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc., in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
