Port Slot/Unit Parameters Used in the CLI. Refer to page Policy Configuration Overview Identifying and restricting routing to legitimate routing IP addresses to prevent DoS, spoofing, data integrity and other routing related security issues. Untagged. This example shows how to display statistics for VLAN 80. ENTERASYS MATRIX-V V2H124-24FX QUICK REFERENCE MANUAL. User Authentication Overview Figure 10-3 Selecting Authentication Method When Multiple Methods are Validated SMAC=User 1 SMAC=User 2 SMAC=User 3 Switch MultiAuth Sessions Auth. no ip route dest-prefix dest-prefixmask forwarding-rtr-addr 3. Link Aggregation Control Protocol (LACP) is described in Chapter 11, Configuring Link Aggregation. The default password is set to a blank string. PIM-SM adopts RPF technology in the join/prune process. Display the current settings for the Management Authentication Notification MIB. Display the current timeout period for aging learned MAC entries/ show mac agetime 3. Lead and handle change configuration team of process upon business requirements. Policy-Based VLANs Rather than making VLAN membership decisions simply based on port configuration, each incoming frame can be examined by the classification engine which uses a match-based logic to assign the frame to a desired VLAN. It is auto configured with the cost of the intra-area path between the two ABRs that make up the virtual link. Start the TFTP application. IP Broadcast Settings specific network or subnet. Policy profile number 1 is created that enables PVID override and defines the default behavior (classify to VLAN 3) if none of the classification rules created for the profile are matched. 
Spanning Tree Basics Figure 15-8 MSTI 1 in a Region CIST Root 1 MSTI 1 2 5 MST CIST Regional Root 3 4 MSTI 1 Regional Root Legend: Physical Link Blocked VLANs Figure 15-9 MSTI2 in the Same Region MSTI 2 1 5 MST CIST Regional Root 3 2 MSTI 2 Regional Root 4 Legend: Physical Link Blocked VLANs Figure 15-10 on page 15-19 shows 3 regions with five MSTIs. OSPF Configuration Task List and Commands, Table 20-2 OSPF Configuration Task List and Commands. Dynamic ARP Inspection Loopback addresses (in the range 127.0.0.0/8) Logging Invalid Packets By default, DAI writes a log message to the normal buffered log for each invalid ARP packet it drops. Refer to page Security Mode Configuration FIPS mode is disabled by default. C5(su)->set policy rule 1 ipsourcesocket 1.2.3. Decides if the upstream neighbor is capable of receiving prunes. set system power {redundant | nonredundant} redundant (default) The power available to the system equals the maximum output of the lowest rated supply (400W or 1200W). Configuring ACLs Procedure 24-2 Configuring IPv6 ACLs (continued) Step Task Command(s) 3. Considerations About Using clear config in a Stack 4. Configuring Port Link Flap Detection Procedure 8-2 Link Flap Detection Configuration (continued) Step Task Command(s) 4. It is designed for use where there may be many devices communicating at the same time, and any one of the devices could be the sender at any particular time. Can be no less than the max advertisement interval. Configuring IRDP Configuring IRDP Using IRDP in Your Network The ICMP Router Discovery Protocol (IRDP), described in RFC 1256, enables a host on multicast or broadcast networks to determine the address of a router it can use as a default gateway. Procedure 25-1 Configuring IPv6 Management Step Task Command(s) 1. Understanding How VLANs Operate Shared Virtual Local Area Network (VLAN) Learning (SVL): Two or more VLANs are grouped to share common source address information. 
Type router, then C5(su)->router> Type enable. Assign to queue assign the packet to a queue Note: Unlike other Fixed Switch platforms, A4 ACLs are not terminated with an implicit deny all rule. sFlow Using sFlow in Your Network The advantages of using sFlow include: sFlow makes it possible to monitor ports of a switch, with no impact on the distributed switching performance. This example displays the output of this command. Packets sent to 172.111.1.1/16 would go to Router R2. The forward delay interval is the amount of time spent listening for topology change information after an interface has been activated for bridging and before forwarding actually begins. This implementation supports the creation of Security Associations (SAs) with servers configured for RADIUS, and the RADIUS application helps define the IPsec flow. 2. For example, for a network with the address 192.168.0.0/16, the directed broadcast address would be 192.168.255.255. ACL Configuration Overview This section describes ACL creation, rule entry, and application of the ACL to a port or routing VLAN required to implement an ACL, as well as the features available for managing ACL rules and displaying ACLs. Use the advertise-interval command to change the advertise-interval for this VRID. If these assumptions are not true, please refer to Chapter 1, Setting Up a Switch for the First Time for more information. Lockout is configured at the system level, not at the user account level. Note that the actor and partner LACP timeout values must agree. 3 CLI Basics This chapter provides information about CLI conventions for stackable and standalone switches and CLI properties that you can configure. Disable Telnet inbound while leaving Telnet outbound enabled, and show the current state. show snmp community name Display the context list configuration for SNMP view- show snmp context based access control. 
Based on the exchanged BPDU information, the spanning tree algorithm selects one of the switches on the network as the root switch for the tree topology. MSTI Multiple Spanning Tree Instance. Connect the RJ45 connector at one end of the cable to the RJ45 console port on the D2. (Optional) Set the number of link flapping instances necessary to trigger the link flap action. Policy Configuration Overview regardless of the number of moves, adds, or changes to the policy role, Policy Manager automatically enforces roles on Enterasys security-enabled infrastructure devices. Switch (config-if)#ip address {your ip address} {mask} Switch (config-if)#no shutdown Configuration of default gateway takes place in the configuration mode and the command does not include the mask for the ip. Table 26-3 show macauthentication Output Details. To clear the MultiAuth authentication mode. show mgmt-auth-notify 2. enable|disable Enables or disables Class of Service on the switch. Default state is disabled. Managing the Firmware Image Setting the Boot Firmware Use the show boot system command to display the image file currently configured to be loaded at startup. Table 13-2 LLDP Show Commands Task Command Display LLDP configuration information. set sntp poll-retry retry 5. Determine an appropriate policy best suited for the use of that device on your network. Connecting to a Switch This procedure describes how to connect to a switch. Active Cisco 800 Series Router Configuration. DHCP snooping forwards valid DHCP client messages received on non-routing VLANs. Configuring SNMP security model and security level used to request access. Terms and Definitions 15-38 Configuring Spanning Tree. Configuring the S8 Distribution Switch The first thing we want to do is set the admin key for all LAGs to the non-default value of 65535 so that no LAGs will automatically form: S8(rw)->set lacp aadminkey lag.0. 
VRRP is available only on those fixed switch platforms that support advanced routing and on which an advanced feature license has been enabled. This example clears DHCPv6 statistics for VLAN 80. interface {vlan vlan-id | loopback loopbackid } 2. Any such invalidity, illegality, or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction. DHCP Snooping Procedure 26-6 Basic Configuration for DHCP Snooping Step Task Command(s) 1. HP Procurve 2600, 3com 4500 Series Switch Configuration, Enterasys Creation of reports for specific clients. User Manuals, Guides and Specifications for your Enterasys C5K175-24 Switch. (Not applicable for super user accounts.) Use this command to display the contents of the Neighbor Cache. DHCP Configuration Table 4-7 Default DHCP Server Parameters Parameter Description Default Value Number of ping packets Specifies the number of ping packets the DHCP server sends to an IP address before assigning the address to a requesting client 2 packets Configuring DHCP IP Address Pools This section provides procedures for the basic configuration of automatic (dynamic) and manual (static) IP address pools, as well as a list of the commands to configure other optional pool parameters. Procedure 5-4 Configuring Management Authentication Notification MIB Settings Step Task Command(s) 1. Determine the correct authentication type for each device. Both source and target devices need to support ICMPv6 echo requests and echo responses. RMON Table 18-1 RMON Group Event RMON Monitoring Group Functions and Commands (continued) What It Does What It Monitors CLI Command(s) Controls the generation and notification of events from the device. RESTRICTIONS. Configured passwords are transmitted and stored in a one-way encrypted form, using a FIPS 140-2 compliant algorithm. 
By default, RIP version 2 supports automatic route summarization, which summarizes sub-prefixes to the classful network boundary when crossing network boundaries. Cisco Nexus 5000 Series NX-OS Software Configuration Guide. For detailed information about the CLI commands used in this book, refer to the CLI Reference for your Fixed Switch platform. SNMP Support on Enterasys Switches Table 12-1 SNMP Message Functions (continued) Operation Function get-response Replies to a get-request, get-next-request, and set-request sent by a management station. IPv6 Routing Configuration Procedure 25-4 Configuring Static Routers Step Task Command(s) 1. See Procedure 20-2 on page 20-4. ip address ip-address ip-mask [secondary] 2. Prepare high/low level design & solution. Configuring OSPF Areas Router 3(su)->router(Config-router)#area 0.0.0.1 stub no-summary Router 3(su)->router(Config-router)#area 0.0.0.1 default-cost 15 Router 5 Router 5(su)->router(Config)#router ospf 1 Router 5(su)->router(Config-router)#area 0.0.0.2 stub Router 5(su)->router(Config-router)#area 0.0.0.2 default-cost 15 Router 6 Router 6(su)->router(Config)#router ospf 1 Router 6(su)->router(Config-router)#area 0.0.0.2 stub Router 6(su)->router(Config-router)#area 0.0.0. Table 26-8 provides an explanation of the command output. Port broadcast suppression Enabled and set to limit broadcast packets to 14,881 per second on all switch ports. You can choose to reset the system to use the new firmware image immediately, or you can choose to only specify the new image to be loaded the next time the switch is rebooted. Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. show snmp group groupname grpname Display an SNMP group's access rights. 
In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Enterasys Core Switch/Router Commands Enable Untagged Vlans: set port vlan ge.2.1-30 20 set vlan egress 20 ge.2.1-30 untagged reload Enable jumbo frame support: show port jumbo set port jumbo enable ge.2.22-30 Enable LACP: show lacp state <=== to discover global lacp setting status set lacp {disable|enable} Configuration Guide Firmware 6.61.xx and Higher. Configuring SNMP Procedure 12-3 Configuring an EngineID (continued) Step Task Command(s) 4. A dependent downstream device on a pruned branch restarts. The higher priority traffic through the device is serviced first before lower priority traffic. IP-directed broadcasts Disabled. Configuring a Stack of New Switches 1. Use this command to enable or disable Class of Service. 14881000 for 10-Gigabit ports Use the show port broadcast command to display current threshold settings. IPv6 Neighbor Discovery Neighbor Discovery Configuration Refer to Table 25-2 on page 25-4 for the default Neighbor Discovery values. VLAN authorization egress format Determines whether dynamic VLAN tagging will be none, tagged, untagged, or dynamic for an egress frame. Table 14-4 show netstat Output Details. Link Aggregation Configuration Example Table 11-4 Managing Link Aggregation (continued) Task Command Reset the maximum number of LACP groups to the default of 6. clear lacp groups If the number of LACP groups has been changed from the default, executing this command will result in a system reset and LACP configuration settings will be returned to their default values, including the group limit. Configure the IP address of the sFlow Collector being configured. Configure PoE parameters on ports to which PDs are attached. 
This basic configuration requires the configuration of four interfaces and associated IP addresses. If no interface is specified, IPv6 DHCP statistics for all interfaces are cleared. Setting security access rights 3. The Extreme switch does not use it and does not assert CTS. If so, this door is tagged or bound to the notification entry. Using the all parameter will display all default and non-default configuration settings. Using Multicast in Your Network Table 19-1 PIM-SM Message Types (continued) Message Type Description Join/Prune (J/P) These messages contain information on group membership received from downstream routers. trap | inform3 Unsolicited message sent by an SNMP agent to an SNMP manager when an event has occurred. VLAN Support on Enterasys Switches If a unicast untagged frame is received on Port 5, it would be classified for VLAN 50. set snmp view viewname securedviewname subtree 1 set snmp view viewname securedviewname subtree 0.0 set snmp view viewname unsecuredviewname subtree 1 set snmp view viewname unsecuredviewname subtree 0.0 6. 100 Procedure 18-1 describes how to configure RMON. Table 18-2 lists RMON parameters and their default values. Configuring Link Aggregation The virtual link aggregation ports continue to be designated as lag.0.x, where x can range from 1 to 24, depending on the maximum number of LAGs configured. However, it does provide a level of authentication for a device where otherwise none would be possible. This is done using the set system service-class console-only command. The switch can enforce a system-wide default for password aging (set system password aging). 6 Firmware Image and File Management This chapter describes how to download and install a firmware image file and how to save and display the system configuration as well as manage files on the switch. 4. For both DVMRP and PIM-SM for IPv4 to operate, IGMP must be enabled. 5. Display the types of switches supported in the stack, using the show switch switchtype command. 
In this sense, QoS is the third step in a three step process. SpanGuard helps protect against Spanning Tree Denial of Service (DoS) attacks as well as unintentional or unauthorized connected bridges, by intercepting received BPDUs on configured ports and locking these ports so they do not process any received packets. Packet flow sampling and counter sampling are designed as part of an integrated system. You can do this by doing the following: Connect the switch to PuTTY with a 9-pin serial cable. Use the show spantree mstcfgid command to determine MSTI configuration identifier information, and whether or not there is a misconfiguration due to non-matching configuration identifier components: This example shows how to display MSTI configuration identifier information. GARP Multicast Registration Protocol (GMRP) A GARP application that functions in a similar fashion as GVRP, except that GMRP registers multicast addresses on ports to control the flooding of multicast frames. Configuring PIM-SM R1(su)->router(Config)#interface vlan 3 R1(su)->router(Config-if(Vlan 3))#ip address 172.1.2.1 255.255.255.0 R1(su)->router(Config-if(Vlan 3))#ip igmp enable R1(su)->router(Config-if(Vlan 3))#ip ospf enable R1(su)->router(Config-if(Vlan 3))#ip pimsm enable R1(su)->router(Config-if(Vlan 3))#no shutdown R1(su)->router(Config-if(Vlan 3))#exit R1(su)->router(Config)#interface vlan 4 R1(su)->router(Config-if(Vlan 4))#ip address 172.1.3.1 255.255.255. Enable OSPF on the interface. If there is still a tie, these ports are connected via a shared medium. Configuring VLANs Procedure 9-1 Static VLAN Configuration (continued) Step Task Command(s) 4. See The RADIUS Filter-ID on page 8 for RADIUS Filter-ID information. To use the ping commands, configure the switch for network (in-band) connection. Assigning Port Costs Each interface has a Spanning Tree port cost associated with it, which helps to determine the quickest path between the root bridge and a specified destination. 
Step 10. Understanding and Configuring Loop Protect Valid values are 0-65535 seconds. Configuring VRRP then advertisements are sent every advertising interval to let other VRRP routers in this VRID know the router is still acting as master of the VRID. Configuring ACLs C5(su)->router(Config)#show access-lists ipv6list1 ipv6list1 IPV6 access-list 1: deny icmpv6 2001:DB08:10::1/64 any 2: permit tcp 2001:db08:20::20/64 eq snmp any assign-queue 5 3: permit ipv6 2001:FFFF:30::30/64 any C5(su)->router(Config)#interface vlan 200 C5(su)->router(Config-if(Vlan 200))#ipv6 access-group ipv6list1 in C5(su)->router(Config-if(Vlan 200))#exit Configuring MAC ACLs Procedure 24-3 describes how to configure a MAC ACL. SNMP Support on Enterasys Switches Versions Supported Enterasys devices support three versions of SNMP: Version 1 (SNMPv1) This is the initial implementation of SNMP. The console port on the manager switch remains active for out-of-band (local) switch management, but the console port on each member switch is deactivated. The hosts are configured to use 172.111.1.1/16 as the default route. Setting the value to 0 will set the timeout to forever. Refer to RFC 1157 for a full description of functionality. Create an SNMPv3 user and specify authentication, encryption, and security credentials. 1 Setting Up a Switch for the First Time This chapter describes how to configure an Enterasys stackable or standalone Fixed Switch received from the factory that has not been previously configured. Policy Configuration Overview Examples This example assigns a rule to policy profile 3 that will filter Ethernet II Type 1526 frames to VLAN 7: C5(su)->set policy rule 3 ether 1526 vlan 7 This example assigns a rule to policy profile 5 that will forward UDP packets from source port 45: C5(su)->set policy rule 5 udpsourceport 45 forward This example assigns a rule to policy profile 1 that will drop IP source traffic from IP address 1.2.3.4, UDP port 123. 
Downloading New Firmware Enterasys C5 Command Line Interface Enterasys Networks, Inc. 50 Minuteman Rd. Optionally, enable the TACACS+ client to send multiple requests to the server over a single TCP connection. Class of Service is based on the IEEE 802.1D (802. This allows VLANs to share addressing information. , ./ `. @ # $ % ^ & * () ? RMON Table 18-2 Default RMON Parameters (continued) Parameter Description Default Value capture asksize The RMON capture requested maximum octets to save in the buffer. The set inlinepower mode command is set to auto, which means that the power available for PoE (150W) is distributed evenly: 75W to each PoE module. Optionally, remove a static route. Neighbor Discovery Overview connected neighbors. area area-id virtual-link router-id Refer to Configuring Area Virtual-Links on page 22-12 for more information. A manual pool can be configured using either the client's hardware address (set dhcp pool hardware-address) or the client's client-identifier (set dhcp pool client-identifier), but using both is not recommended. Optionally, save the configuration to a backup file named myconfig in the configs directory and copy the file to your computer using TFTP. Table 15-2 provides a summary of STP port roles. Table 26-3 lists the logging commands that require different user access permissions when the security mode is set to C2. Configuring Node Aliases Procedure 4-10 Configuring MAC Address Settings Step Task Command(s) 1. Port Configuration Overview vlan for vlan interfaces lag for IEEE 802.3 link aggregation ports Where unit_or_slotnumber can be: 1 - 8 for stackable switches (up to 8 units in a stack) 1 - 3 for I-Series standalone switches (Note that the uplink ports are considered to be slot 3) 1 - 4 for G-Series standalone switches Where port number depends on the device. Configuring Authentication Authentication Required Authentication methods are active on the port, based on the global and per port authentication method configured. 
If it is, then the sending device proceeds as follows. If you clear a license from a member unit in a stack while the master unit has an activated license, the status of the member will change to ConfigMismatch and its ports will be detached from the stack. assign ingress vlan using: set port vlan [port-string] X port string is the port number. You can also use the colon notation like this: 80:00:07:e5:80:4f:19:00:00:d2:32:aa:40 5. Configuring STP and RSTP Figure 15-10 Example of Multiple Regions and MSTIs Region 1 1 Region 2 2 Region 3 6 8 5 12 3 4 CIST Regional Root 7 10 CIST Root and CIST Regional Root CIST Regional Root Master Port Table 15-5 9 11 Master Port MSTI Characteristics for Figure 15-10 MSTI / Region Characteristics MSTI 1 in Region 1 Root is switching device 4, which is also the CIST regional root MSTI 2 in Region 1 Root is switching device 5 MSTI 1 in Region 2 Root is switching device 7, w. Configuring STP and RSTP Reviewing and Enabling Spanning Tree By default, Spanning Tree is enabled globally on Enterasys switch devices and enabled on all ports. Database contains 1 Enterasys S8-Chassis Manuals (available for free online viewing or downloading in PDF): Hardware installation manual . Default Settings Configuring OSPF Interface Timers The following OSPF timers are configured at the interface level in interface configuration mode: Hello Interval Dead Interval Retransmit Interval Transmit Delay Use the hello interval (ip ospf hello-interval) and dead interval (ip ospf dead-interval) timers to ensure efficient adjacency between OSPF neighbors. DHCP Snooping ------set system service-acl my-sacl deny ip-source 192.168.10.10 mask 255.255.255.255 service ssh priority 1 set system service-acl my-sacl permit port ge.1.1 priority 2 set system service-acl my-sacl permit port ge.1.2 priority 3 set system service-acl my-sacl permit ip-source 10.10.22. 
DHCP Snooping into the software forwarding path, where it may be processed by the DHCP relay agent, the local DHCP server, or forwarded as an IP packet. Configuring PIM-SM Figure 19-6 PIM-SM Configuration VLAN 9 172.2.2/24 Router R2 VLAN 3 VLAN 5 VLAN 7 VLAN 2 172.2.4/24 VLAN 8 172.1.2/24 Router R1 172.1.1/24 Router R4 172.4.4/24 172.3.4/24 172.1.3/24 VLAN 4 VLAN 6 Router R3 172.3.3/24 VLAN 10 Routers R1 and R4 Configuration On Router R1, at the switch level, IGMP snooping is enabled globally and on the ports connected to hosts. This value should be the minimum of the default prune lifetime (randomized to prevent synchronization) and the remaining prune lifetimes of the downstream neighbors. In the shared LAN example it may take over as designated port if the original designated port is disabled. Terms and Definitions 9-16 Configuring VLANs. Auto-negotiation is enabled by default. priority Sets which ports continue to receive power in a low power situation. Figure 3-2 provides an example. Ctrl+I or TAB Complete word. set txqmonitor downtime seconds The default value is 0, meaning that disabled ports will remain disabled until cleared manually or until their next link state transition.