
Sun Netra CP3240 Switch User's Guide


Contents

1. Chapter 23, Configuring Class of Service Queuing (pages 203-204). Sun Netra CP3240 Switch User's Guide, April 2009.
   [Figure residue: IP Precedence Mapping Configuration page (Unit/Slot/Port; columns IP Precedence Value, Traffic Class; Submit, Restore Defaults buttons).]
   FIGURE 23-6 IP DSCP Mapping Configuration Page
   [Figure residue: 802.1p Priority Mapping page (Unit/Slot/Port: All; columns 802.1p Priority, Traffic Class).]
   Note: Configure the 802.1p Priority Mapping screen from the Switching > Class of Service menu.
   FIGURE 23-7 (caption cut off in the extract)
2. Chapter 5, Configuring Virtual LANs (page 57).
   Example 3: Assign Ports to VLAN3
   This example shows how to assign the ports that will belong to VLAN 3 and to specify that untagged frames will be accepted on port 0/4. Note that port 0/2 belongs to both VLANs and that port 0/1 can never belong to VLAN 3.
   CODE EXAMPLE 5-3 Assigning Ports to VLAN3
      (DTI SWITCH) #config
      (DTI SWITCH) (Config)#interface 0/2
      (DTI SWITCH) (Interface 0/2)#vlan participation include 3
      (DTI SWITCH) (Interface 0/2)#exit
      (DTI SWITCH) (Config)#interface 0/3
      (DTI SWITCH) (Interface 0/3)#vlan participation include 3
      (DTI SWITCH) (Interface 0/3)#exit
      (DTI SWITCH) (Config)#interface 0/4
      (DTI SWITCH) (Interface 0/4)#vlan participation include 3
      (DTI SWITCH) (Interface 0/4)#exit
      (DTI SWITCH) (Config)#exit
      (DTI SWITCH) #config
      (DTI SWITCH) (Config)#interface 0/4
      (DTI SWITCH) (Interface 0/4)#vlan acceptframe all
      (DTI SWITCH) (Interface 0/4)#exit
      (DTI SWITCH) (Config)#exit
   Example 4: Assign VLAN3 as the Default VLAN
   This example shows how to assign VLAN 3 as the default VLAN for port 0/2.
   CODE EXAMPLE 5-4 Assigning VLAN3 as Default
      (DTI SWITCH) #config
      (DTI SWITCH) (Config)#interface 0/2
      (DTI SWITCH) (Interface 0/2)#vlan pvid 3
      (DTI SWITCH) (Interface 0/2)#exit
3. Chapter 22, Configuring Access Control Lists (ACLs) (pages 183-185).
   Example 5: Show MAC Access Lists
   CODE EXAMPLE 22-5 Show MAC Access Lists
      (DTI SWITCH) #show mac access-lists

      Current number of all ACLs: 2
      Maximum number of all ACLs: 100

      MAC ACL Name    Rules    Direction    Interface(s)
      mac1            1        inbound      0/5
      mac2            1

      (DTI SWITCH) #show mac access-lists mac1

      MAC ACL Name: mac1

      Rule Number: 1
      Action......................................... deny
      Destination MAC Address........................ 00:11:22:33:44:55
      Destination MAC Mask........................... 00:00:00:00:FF:FF
      [one further attribute, name unreadable in the extract]... TRUE

      (DTI SWITCH) #
   Setting Up ACLs via Web Interface
   The following web pages are used in the ACL feature:
   FIGURE 22-2 MAC ACL Configuration Page - Create New MAC ACL
   FIGURE 22-3 MAC ACL Configuration Page
   [Figure residue: MAC ACL Configuration page for ACL mac1 (MAC ACL Name: mac1; Rename, Delete; Current Size 1, Max Size 100); navigation Security > Access Control Lists > IP Access Control Lists / MAC Access Control Lists (Configuration, Summary, Rule Configuration, Interface Configuration); footer "2004-2005 LVL7 Systems, Inc."]
   FIGURE 22-4 MAC ACL Summary
   [Figure residue: columns MAC ACL Name, Direction, Unit/Slot/Port.]
4. Chapter 22, Configuring Access Control Lists (ACLs).
   Example 4: Set Up an ACL with Permit Action
   CODE EXAMPLE 22-4 Set Up ACL with Permit Action
      (DTI SWITCH) (Config)#mac access-list extended mac2
      (DTI SWITCH) (Config-mac-access-list)#permit ?

      <srcmac>              Enter a MAC Address.
      any                   Configure a match condition for all the addresses in the Source MAC Address field.

      (DTI SWITCH) (Config-mac-access-list)#permit any ?

      <dstmac>              Enter a MAC Address.
      any                   Configure a match condition for all the MAC addresses in the Destination MAC Address field.
      bpdu                  Match on any BPDU destination MAC Address.

      (DTI SWITCH) (Config-mac-access-list)#permit any any ?

      <cr>                  Press Enter to execute the command.
      <ethertypekey>        Enter one of the following keywords to specify an Ethertype: appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp.
      0x0600-0xffff         Enter a four-digit hexadecimal number in the range of 0x0600 to 0xffff to specify a custom Ethertype value.
      vlan                  Configure a match condition based on a VLAN ID.
      cos                   Configure a match condition based on a COS value.
      log                   Configure logging for this access list rule.
      assign-queue          Configure the Queue Id assignment attribute.

      (DTI SWITCH) (Config-mac-access-list)#permit any any
      (DTI SWITCH) (Config-mac-access-list)#
5. Chapter 3, Using the Web Interface (page 37).
   A Web interface panel for the switch Web page consists of three areas (Figure 3-2):
   - A banner graphic of the switch appears across the top of the panel.
   - A hierarchical tree view appears to the left of the panel. The tree consists of a combination of folders, subfolders, and configuration and status HTML pages. You can think of the folders and subfolders as branches and the configuration and status HTML pages as leaves. Only the selection of a leaf (not a folder or subfolder) causes a new HTML page to be displayed; a folder or subfolder has no corresponding HTML page.
   - The bottom right of the panel displays the currently selected device configuration status and/or the user-configurable information that you have selected from the tree view.
   FIGURE 3-2 Web Interface Panel Example
   FIGURE 3-3 Configuring an SNMP V3 User Profile
   [Figure residue: User Accounts page (User: admin; User Name, Password, Confirm Password, Access Mode: Read/Write) with SNMP v3 User Configuration (SNMP v3 Access Mode: Read/Write, Authentication Protocol: None, Encryption Protocol); front-panel port numbers 1-24 and "Open full stack view".]
6. Chapter 2, Using the Command Line Interface.
   ... brief description of the command. Each command entry contains the following information:
   - Format: shows the command keywords and parameters, required and optional.
   - Mode: identifies the command mode you must be in to access the command.
   - Default: shows the default value, if any, of a configurable setting on the device.
   The show commands also contain a description of the information that the command shows.
   Parameter Conventions
   The following conventions apply to parameters:
   - Parameters are order dependent.
   - Variables are displayed in this document in italic font and must be replaced with a name or number.
   - To use spaces as part of a name parameter, enclose it in double quotes. For example, the expression "System Name with Spaces" forces the system to accept the spaces.
   - Empty strings ("") are not valid user-defined strings.
   - Parameters might be mandatory values, optional values, choices, or a combination.
   - Parameter values might be names (strings) or numbers.
   Table 2-1 describes the conventions this document uses to distinguish between value types.
   TABLE 2-1 Parameter Value Types
      Symbol             Example    Description
      angle brackets     <value>    Indicates that you must enter a value in place of the brackets and text inside them.
      square brackets    [value]    Indicates an optional parameter that you can enter in place of the brackets and text inside them.
7. Chapter 17, Configuring VLAN Routing (pages 139-140).
   FIGURE 17-1 VLAN Routing Example Network Diagram
   [Figure residue: Layer 3 Switch with Physical Ports 1/0/1, 1/0/2 and 1/0/3; VLAN Router Port 3/1 (192.150.3.1) and VLAN Router Port 3/2 (192.150.4.1); Layer 2 Switch.]
   Example 1: Create Two VLANs
   The following code sequence shows an example of creating two VLANs with egress frame tagging enabled.
   CODE EXAMPLE 17-1 Creating Two VLANs
      vlan database
      vlan 10
      vlan 20
      exit
      config
      interface 0/1
      vlan participation include 10
      exit
      interface 0/2
      vlan participation include 10
      exit
      interface 0/3
      vlan participation include 20
      exit
      exit
      config
      vlan port tagging all 10
      vlan port tagging all 20
      exit
   Next, specify the VLAN ID assigned to untagged frames received on the ports:
      config
      interface 0/1
      vlan pvid 10
      exit
      interface 0/2
      vlan pvid 10
      exit
      interface 0/3
      vlan pvid 20
      exit
      exit
   Example 2: Set Up VLAN Routing for the VLANs and the Switch
   The following code sequence shows how to enable routing for the VLANs.
   CODE EXAMPLE 17-2 Enabling Routing for the VLANs
      vlan database
      vlan routing 10
      vlan routing 20
      exit
      show ip vlan
   This returns the logical interface IDs that will be used instead of slot/port in subsequent routing commands. Assume that VLAN 10 is assigned ID 3/1 and VLAN 20 is assigned ID 3/2. Enabl…
8. Chapter 24, Configuring Differentiated Services (pages 225-226).
   [Navigation residue: Differentiated Services > DiffServ Configuration, Class Configuration, Class Summary, Policy Configuration, Policy Summary, Policy Attribute Summary, Service Configuration, Service Summary, Service Statistics, Service Detailed Statistics.]
   FIGURE 24-12 DiffServ Policy Attribute Summary
   [Figure residue: Policy Attribute Summary table with one row.]
      Policy Name        Policy Type    Class Name          Attribute       Attribute Details
      internet_access    In             finance_dept        Assign Queue    Assign Queue 1
   FIGURE 24-13 DiffServ Policy Attribute Summary
   [Figure residue: the same table once all four department classes are in the policy.]
      Policy Name        Policy Type    Class Name          Attribute       Attribute Details
      internet_access    In             finance_dept        Assign Queue    Assign Queue 1
      internet_access    In             marketing_dept      Assign Queue    Assign Queue 2
      internet_access    In             test_dept           Assign Queue    Assign Queue 3
      internet_access    In             development_dept    Assign Queue    Assign Queue 4
9. Chapter 22, Configuring Access Control Lists (ACLs) (pages 193-194), and the opening of Chapter 23.
   [Figure residue: IP ACL interface configuration with Sequence Number 1, Unit/Slot/Port 1/0/6, Direction Inbound, ACL Type IP ACL.]
   FIGURE 22-16 IP ACL Summary
   [Figure residue: IP ACL Summary table (IP ACL ID 101, Rules 1, Direction Inbound, Unit/Slot/Port 1/0/6); navigation QoS > Access Control Lists > IP Access Control Lists (Configuration, Rule Configuration, Summary).]
   [Figure residue: MAC ACL Configuration page, MAC ACL: Create New Extended MAC ACL, MAC ACL Name: mac…, Current Size 0, Max Size 100; footer "2004-2005 LVL7 Systems, Inc."]
   CHAPTER 23 Configuring Class of Service Queuing
   This chapter describes the Class of Service (CoS) feature and how to configure it. This chapter contains the following topics:
   - Section "Understanding Class of Service (CoS)" on page 23-196
   - Section "Ingress Port Configurations" on page 23-197
   - Section "Egress Port Configurations" on page 23-198
   - Section "Queue Configurations" on page 23-198
   - Section "Configuring CoS Mapping and Queues via CLI" on page 23-199
   - Section "Co…
10. Index (entries R through U, with page numbers).
   radius accounting mode, 238
   radius server, 242
   radius server host auth, 238
   radius server key auth, 238
   Refresh button, 42
   reload, 14
   Router BGP Config command mode, 22
   Router BGP Config mode, 28
   router ospf, 130, 148
   Router OSPF Config command mode, 22
   Router OSPF Config mode, 27
   router rip, 145
   Router RIP Config command mode, 22
   Router RIP Config mode, 27
   routing, 118
   S
   Save button, 42
   script, 255
   script validate, 257, 258
   service-policy, 216
   session-limit, 262
   session-timeout, 262
   show hardware, 10
   show igmpsnooping, 72
   show ip dhcp filtering, 250
   show ip igmp, 74
   show ip igmp interface, 73, 74
   show ip interface, 158
   show ip vlan, 148
   show lldp, 108
   show logging, 278, 280
   show loginsession, 11
   show mac access-lists, 184
   show mac-address-table igmpsnooping, 73
   show monitor session, 86
   show network, 12, 260
   show port all, 10
   show port description, 100
   show port-channel, 64
   show port-security, 95
   show running-config running-config.scr, 256
   show sntp, 270, 271
   show sntp client, 270
   show sntp server, 271
   show switchport protected, 59
   show telnet, 261
   show users, 11
   show vlan association subnet, 58
   status HTML pages, 38
   storm-control broadcast, 69
   storm-control multicast, 70
   storm-control unicast, 70
   Switch prompt, 21, 22
   switchport protected, 59
   T
   TACACS Config mode, 28
   tacacs-server, 246
   telnet, 260
   traceroute, 252
   traffic-shape, 202
   transport output telnet, 261
   U
   User Exec…
11. Chapter 24, Configuring Differentiated Services (page 214).
   [Figure residue: network diagram with four department subnets, 172.16.10.0/255.255.255.0, 172.16.20.0/255.255.255.0, 172.16.30.0/255.255.255.0 and 172.16.40.0/255.255.255.0, each labelled "Source IP".]
   Enabling DiffServ Inbound
   Ensure DiffServ operation is enabled for the switch:
      config
      diffserv
   Create a DiffServ class of type "all" for each of the departments and name them. Define the match criteria (Source IP address) for the new classes.
   CODE EXAMPLE 24-1 Creating a DiffServ Class Type All
      class-map match-all finance_dept
      match srcip 172.16.10.0 255.255.255.0
      exit
      class-map match-all marketing_dept
      match srcip 172.16.20.0 255.255.255.0
      exit
      class-map match-all test_dept
      match srcip 172.16.30.0 255.255.255.0
      exit
      class-map match-all development_dept
      match srcip 172.16.40.0 255.255.255.0
      exit
   Create a DiffServ policy for inbound traffic named internet_access, adding the previously created department classes as instances within this policy. This policy uses the assign-queue attribute to put each department's traffic on a different egress queue. This is how the DiffServ inbound policy connects to the CoS queue settings established in the following example.
   CODE EXAMPLE 24-2 Creating a DiffServ Policy for Inbound Traffic
      policy-map internet_access in
      class finance_dept
      assign-queue 1
      exit
      class marketing_dept
      assign-queue 2
      exit
      class test_dept
      assign-queue 3
      exit
      class development_dep…
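Added example, not part of the guide: a Python model of the configuration in CODE EXAMPLE 24-1 and 24-2. It parses the class-map / match srcip / policy-map / class / assign-queue commands (the CLI text is embedded as constructed input with the dropped punctuation restored) and reports which egress queue the inbound policy assigns to a given source address, or None when no department class matches. It handles only that command subset, generalises match-all to match-any, and assumes the first matching class in configuration order is the one applied.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed input: CODE EXAMPLE 24-1 and 24-2 from the guide, with the punctuation
# the extraction dropped restored (class-map, match-all, policy-map, assign-queue).
DIFFSERV_CONFIG = """\
class-map match-all finance_dept
match srcip 172.16.10.0 255.255.255.0
exit
class-map match-all marketing_dept
match srcip 172.16.20.0 255.255.255.0
exit
class-map match-all test_dept
match srcip 172.16.30.0 255.255.255.0
exit
class-map match-all development_dept
match srcip 172.16.40.0 255.255.255.0
exit
policy-map internet_access in
class finance_dept
assign-queue 1
exit
class marketing_dept
assign-queue 2
exit
class test_dept
assign-queue 3
exit
class development_dept
assign-queue 4
exit
exit
"""

@dataclass
class ClassMap:
    name: str
    match_all: bool                 # match-all: every criterion must hit; match-any: one suffices
    nets: list = field(default_factory=list)   # IPv4Network objects from 'match srcip <addr> <mask>'

    def matches(self, srcip: str) -> bool:
        hits = [ipaddress.ip_address(srcip) in net for net in self.nets]
        return bool(hits) and (all(hits) if self.match_all else any(hits))

@dataclass
class PolicyMap:
    name: str
    direction: str                  # "in" for the guide's inbound policy
    entries: list = field(default_factory=list)  # (class name, {"assign-queue": n}) in config order

def parse_diffserv(text):
    """Parse the class-map / policy-map subset of the DiffServ CLI used in the guide."""
    classes, policies = {}, {}
    cur_class = cur_policy = cur_entry = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "class-map":                 # class-map match-all|match-any <name>
            cur_class = classes[tok[2]] = ClassMap(tok[2], tok[1] == "match-all")
        elif tok[0] == "match" and cur_class is not None:
            if tok[1] != "srcip":
                raise ValueError(f"unsupported match criterion: {tok[1]}")
            cur_class.nets.append(ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False))
        elif tok[0] == "policy-map":              # policy-map <name> in|out
            cur_policy = policies[tok[1]] = PolicyMap(tok[1], tok[2])
        elif tok[0] == "class" and cur_policy is not None:
            if tok[1] not in classes:             # the guide defines every class before the policy
                raise ValueError(f"policy {cur_policy.name} references undefined class {tok[1]}")
            cur_entry = (tok[1], {})
            cur_policy.entries.append(cur_entry)
        elif tok[0] == "assign-queue" and cur_entry is not None:
            cur_entry[1]["assign-queue"] = int(tok[1])
        elif tok[0] == "exit":                    # leave the innermost open mode
            if cur_entry is not None:
                cur_entry = None
            elif cur_policy is not None:
                cur_policy = None
            else:
                cur_class = None
    return classes, policies

def queue_for(config, policy_name, srcip):
    """Egress queue the named policy assigns to a packet from srcip, or None if no class matches.
    Model assumption: the first class in configuration order that matches wins."""
    classes, policies = parse_diffserv(config)
    for class_name, attrs in policies[policy_name].entries:
        if classes[class_name].matches(srcip):
            return attrs.get("assign-queue")
    return None

if __name__ == "__main__":
    for src in ("172.16.10.77", "172.16.30.9", "10.0.0.1"):   # 10.0.0.1 is in no department class
        print(f"{src:15} -> queue {queue_for(DIFFSERV_CONFIG, 'internet_access', src)}")
```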
12. Chapter 5, Configuring Virtual LANs (pages 57-59).
   [Tail of CODE EXAMPLE 5-4, continued from the previous page:]
      (DTI SWITCH) (Config)#exit
   Example 5: Assign IP Addresses to VLAN 2
   CODE EXAMPLE 5-5 Assigning IP Addresses to VLAN2
      (DTI SWITCH) #vlan database
      (DTI SWITCH) (Vlan)#vlan association subnet 192.168.10.10 255.255.255.0 2
      (DTI SWITCH) (Vlan)#exit
      (DTI SWITCH) #show vlan association subnet

      IP Address       IP Mask          VLAN ID
      192.168.10.10    255.255.255.0    2
      (DTI SWITCH) #
   Web Interface
   Use the following screens to perform the same configurations described in the previous sections, but using the Web interface instead of the CLI:
   - Switching > VLAN > Configuration: to create VLANs and specify port participation.
   - Switching > VLAN > Port Configuration: to specify the handling of untagged frames on receipt, and whether frames will be transmitted tagged or untagged.
   Private Edge VLANs
   Use the Private Edge VLAN feature to prevent ports on the switch from forwarding traffic to each other even if they are on the same VLAN.
   - Protected ports cannot forward traffic to other protected ports in the same group, even if they have the same VLAN membership. Protected ports can forward traffic to unprotected ports.
   - Unprotected ports can forward traffic to both protected and unprotected ports.
   You can also configure groups of protected ports, but unprotected ports are independent and cannot be added to a gro…
13. Start of Chapter 13, Configuring Denial of Service Attack Protection (page 113), preceded by the end of the LLDP chapter.
   [Table residue from the LLDP interface summary: columns Transmit, Receive, Notify, Optional TLV(s), Management Information; every interface shows Disabled / No except one, which shows Enabled / Yes.]
   CHAPTER 13 Configuring Denial of Service Attack Protection
   This chapter describes how to configure Denial of Service (DoS) Protection. The FASTPATH firmware feature:
   - Spans two categories:
     - Protection of the host
     - Protection of the network
   - Protects against the exploitation of a number of vulnerabilities which would make the host or network unstable.
   - Complies with Nessus. LVL7 tested Release 4.3 with Nessus version 2.0.10. Nessus is a widely used vulnerability assessment tool.
   Additionally, the Netra CP3240 switch software provides a number of features that help a network administrator protect networks against DoS attacks.
   Configuring Denial of Service via CLI
   Enter from Global Config mode:
   CODE EXAMPLE 13-1 Configuring DoS via CLI
      dos-control sipdip
      dos-control firstfrag
      dos-con…
14. Contents (pages vi-vii).
   Mode-Based Command Hierarchy 25
      User Exec Mode 25
      Privileged Exec Mode 25
      Global Config Mode 25
      VLAN Mode 29
   Operation Flow 29
   Command Completion and Abbreviation 30
   CLI Error Messages 31
   CLI Line Editing Conventions 31
   Using CLI Help 32
   Accessing the CLI 34
   Comments 34
   3 Using the Web Interface 35
   Configuring for Web Access 36
      To Configure for Web Access 36
   Starting the Web Interface 37
   Web Page Layout 38
   Configuring an SNMP V3 User Profile 41
   Command Buttons 42
   Establishing Management Security 43
   Certificate Generation 44
   Configuring Secure Shell 45
   Configuring Secure Socket Layer 46
   Using Certificate Generation Scripts 47
      SSH: sshKeygen.sh 47
      SSL: pemCreate.sh 47
      SSL: root.cnf 49
      SSH: server.cnf 51
   Configuring Virtual LANs 53
   VLAN Configuration Example 54
   CLI Examples 56
      Example 1: Create Two VLANs 56
      Example 2: Assign Ports to VLAN2 56
      Example 3: Assign Ports to VLAN3 57
      Example 4: Assign VLAN3 as the Default VLAN 57
      Example 5: Assign IP Addresses to VLAN 2 58
   Web Interface 58
   Private Edge VLANs 59
   CLI Example 59
      Example 1: Switchport Protected 59
      Example 2: Show Switchport Protected 59
   Configuring Port Channels by Link Aggregation 61
   Using the Link Aggregation Feature 62
   Configuring Link Aggregation via CLI 63
      CLI Example 1: Create Two Port Channels 64
      CLI Example 2: Add Physical Ports to the Port Channels 65
      CLI Example 3: Enable…
15. Chapter 2, Using the Command Line Interface (pages 23-24).
   Note: Access to all commands in the Privileged Exec mode and below is restricted through a password.
   FIGURE 2-1 Mode-based CLI
   [Figure residue: mode diagram. User Exec leads (Enable; password correct?) to Privileged Exec, with "Return to the User prompt" on the way back; from Privileged Exec the VLAN and Global Config modes are reached, and from Global Config the Bwprovisioning, Policy Map, Interface Config, Router OSPF, Class Map, Line Config, Router BGP, Router RIP, Policy Class Config, Stacking, bwallocation and traffic class modes.]
   Mode-Based Command Hierarchy
   The commands in one mode are not available until the operator switches to that particular mode, with the exception of the User Exec mode commands. The User Exec mode commands can also be executed in the Privileged Exec mode. The commands available to the operator at any time depend upon the mode. Entering a question mark (?) at the CLI prompt displays a list of the currently available commands and descriptions of the commands.
   User Exec Mode
   When the operator logs in to the CLI, the User Exec mode is the initial mode. The User Exec mode contains a limited set of commands. The command prompt shown at this level is:
      Switch>
   Privileged Exec Mode
   To have access to the full suite of commands, the operator must enter the Privileged Exec mode. The Privileg…
16. Chapter 9, Configuring Port Mirroring (page 91).
   [Figure residue: Port Summary page (MST ID; columns Unit/Slot/Port, Port Type, STP Mode, Forwarding State, Port Role, Bcast Storm Mode and a further Mode column) listing ports 1/0/1 to 1/0/14. Port 1/0/1 is Forwarding / Designated and the remaining ports are Disabled; port 1/0/7 has Port Type "Mirrored" and port 1/0/8 has Port Type "Probe".]
   [Figure residue: Multiple Port Mirroring page (Session 1; Mode: Enable; Source Port(s); Destination Port).]
17. Chapter 3, Using the Web Interface (pages 36-38).
   There are equivalent functions in the Web interface and the terminal interface; both applications usually employ the same menus to accomplish a task. For example, when you log in there is a Main Menu with the same functions available, etc. There are several differences between the Web and terminal interfaces. For example, on the Web interface the entire forwarding database can be displayed, while the terminal interface only displays 10 entries starting at specified addresses.
   To terminate the Web interface session, close the web browser.
   To Configure for Web Access
   1. Configure the switch for network connectivity. See Chapter 1 for instructions.
   2. Connect the switch to the network.
   3. Use the ip http server command to verify the web server is enabled. By default, the web server is enabled.
   Starting the Web Interface
   1. Enter the IP address of the switch in the Web browser address field.
   2. Click Login when the Login panel (Figure 3-1) displays.
   FIGURE 3-1 Web Interface Panel Example
   3. Enter the appropriate User Name and Password. The User Name and associated Password are the same as those used for the terminal interface.
   4. Click on the Login button. The System Description Menu displays, as shown in Figure 3-2, with the navigation tree appearing to the left of the screen.
   5. Make a selection by clicking on the appropriate item in the navigation tree.
   Web Page Layout
18. Chapter 28, Configuring DHCP Filtering (pages 248-249).
   ... the current end-user configuration for that interface automatically becomes effective.
   - Operation without DHCP Relay: On platforms in which the DHCP relay feature is not included, hardware support must be available for the DHCP Filtering feature to operate.
   - DHCP Relay: When DHCP Filtering is administratively enabled, the DHCP relay function must check whether a port is trusted before a DHCP or BootP response is forwarded on the port. If the port is untrusted, the response is dropped. The forwarding of DHCP or BootP requests is unaffected.
   - If DHCP Filtering is administratively disabled, the operation of the DHCP relay function is unaffected.
   - If hardware support is available for DHCP Filtering, DHCP Filtering may be enabled on both routing and non-routing interfaces.
   - If hardware support is unavailable, DHCP Filtering may be enabled only on routed interfaces and only on interfaces enabled for DHCP relay.
   Configuring DHCP Filtering
   The following CLI commands show examples of configuring DHCP Filtering for the switch and for individual interfaces.
   Example 1: Enable DHCP Filtering for the Switch
      config
      ip dhcp filtering
      exit
      exit
   Example 2: Enable DHCP Filtering for an Interface
      config
      interface 0/11
      ip dhcp filtering trust
      exit
      exit
   Example 3: Show DHCP Filtering Configuration
      show i…
19. Chapter 30, Generating Script Files (pages 255-257).
   [Tail of CODE EXAMPLE 30-2 (script list and script delete), continued from the previous page:]
      y
      1 configuration script(s) deleted.
   Example 3: script apply running-config.scr
   CODE EXAMPLE 30-3 script apply running-config.scr Command
      (DTI SWITCH) #script apply running-config.scr
      Are you sure you want to apply the configuration script? (y/n) y
      The system has unsaved changes.
      Would you like to save them now? (y/n) y
      Configuration Saved
   Example 4: show running-config
   Use this command to capture the running configuration into a script.
   CODE EXAMPLE 30-4 show running-config Command
      (DTI SWITCH) #show running-config running-config.scr
      Config script created successfully.
      (DTI SWITCH) #script list

      Configuration Script Name        Size (Bytes)
      running-config.scr               3201

      1 configuration script(s) found.
      1020799 bytes free.
   Example 5: copy nvram:script
   Use this command to upload a configuration script.
   CODE EXAMPLE 30-5 copy nvram:script Command
      (DTI SWITCH) #copy nvram:script running-config.scr tftp://192.168.77.52/running-config.scr

      Mode........................................... TFTP
      Set TFTP Server IP............................. 192.168.77.52
      TFTP Path...................................... [unreadable in the extract]
      TFTP Filename.................................. running-config.scr
      Data Type...................................... Config Script
      Source Filename................................ running-config.scr

      Are you sure you want to start? (y/n) y
      File transfer operation completed successfully.
20. Chapter 3, Using the Web Interface (pages 41-42).
   1. Select System > Configuration > User Accounts from the hierarchical tree on the left side of the web interface (see Figure 3-3).
   2. Using the User pull-down menu, select Create to create a new user.
   3. Enter a new user name in the User Name field.
   4. Enter a new user password in the Password field and then retype it in the Confirm Password field.
      Note: If SNMPv3 Authentication is to be implemented for this user, set a password of eight or more alphanumeric characters.
   5. If you do not need authentication, go to Step 9.
   6. To enable authentication, use the Authentication Protocol pull-down menu to select either MD5 or SHA for the authentication protocol.
   7. If you do not need encryption, go to Step 9.
   8. To enable encryption, use the Encryption Protocol pull-down menu to select DES for the encryption scheme. Then enter an encryption code of eight or more alphanumeric characters in the Encryption Key field.
   9. Click Submit.
   Command Buttons
   The following command buttons are used throughout the Web interface panels for the switch.
      Command Button    Description
      Save              Pressing the Save button implements and saves the changes you just made. Some settings may require you to reset the system in order for them to take effect.
      Refresh           Pressing the Refresh button that appears next to the Apply button in Web interface panels refreshes the data on the panel.
      Submi…
21. Chapter 25, Configuring Network Access Control (pages 237-238).
   ... 10.10.10.10. The shared secret is configured to be "secret". The process creates a new authentication list called radiusList, which uses RADIUS as the authentication method. This authentication list is associated with the 802.1x default login. 802.1x port-based access control is enabled for the system, and interface 1/0/1 is configured to be in force-authorized mode because this is where the RADIUS server and protected network resources are located.
   FIGURE 25-1 FASTPATH with 802.1x Network Access Control
   [Figure residue: Authentication Server (RADIUS), Authenticator (Switch), Supplicant, LAN.]
   If a user or supplicant attempts to communicate via the switch on any interface except interface 0/1, the system challenges the supplicant for login credentials. The system encrypts the provided information and transmits it to the RADIUS server. If the RADIUS server grants access, the system sets the 802.1x port state of the interface to authorized and the supplicant is able to access network resources.
   CODE EXAMPLE 25-1 Configuring 802.1x Port Access Control
   (The shared secret is typed twice at the prompts that follow each radius server key command.)
      config
      radius server host auth 10.10.10.10
      radius server key auth 10.10.10.10
      secret
      secret
      radius server host acct 10.10.10.10
      radius server key acct 10.10.10.10
      secret
      secret
      radius accounting mode
      authentication login radiusList radius
      dot1x default-login radiusList
      dot1x system-auth-control
      interface 0/1
      do…
      exit
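Added example, not from the guide: a Python review check over a saved configuration of the kind shown in CODE EXAMPLE 25-1. It parses the RADIUS and dot1x lines into a model and flags what a reviewer would want confirmed before trusting the deployment: global dot1x left off, a default-login list that is undefined or does not use RADIUS, an authentication server with no shared secret, and every interface left in force-authorized mode (the guide uses that mode only for the port where the RADIUS server and protected resources sit). The sample script is constructed; the per-interface dot1x port-control command and interface 0/2 are assumptions, not text from the guide.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the commands of CODE EXAMPLE 25-1 as they would appear in a
# saved configuration script (the interactive secret prompts are not part of a
# script), plus a second interface the guide does not show. 'dot1x port-control'
# is the FASTPATH per-interface command assumed here for the force-authorized
# mode the guide describes on the RADIUS-server port.
SAMPLE_SCRIPT = """\
config
radius server host auth 10.10.10.10
radius server key auth 10.10.10.10
radius server host acct 10.10.10.10
radius server key acct 10.10.10.10
radius accounting mode
authentication login radiusList radius
dot1x default-login radiusList
dot1x system-auth-control
interface 0/1
dot1x port-control force-authorized
exit
interface 0/2
dot1x port-control auto
exit
exit
"""

@dataclass
class Dot1xConfig:
    system_auth_control: bool = False
    default_login: Optional[str] = None
    auth_lists: dict = field(default_factory=dict)      # list name -> method keywords
    radius_auth_hosts: set = field(default_factory=set)
    radius_auth_keys: set = field(default_factory=set)  # hosts that have a shared secret
    port_control: dict = field(default_factory=dict)    # interface -> auto|force-authorized|...

def parse_script(text):
    """Pull the 802.1x / RADIUS settings out of a FASTPATH-style configuration script."""
    cfg = Dot1xConfig()
    iface = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface" and len(tok) == 2:
            iface = tok[1]
        elif tok[0] == "exit":
            iface = None
        elif tok[:2] == ["dot1x", "system-auth-control"]:
            cfg.system_auth_control = True
        elif tok[:2] == ["dot1x", "default-login"]:
            cfg.default_login = tok[2]
        elif tok[:2] == ["authentication", "login"]:
            cfg.auth_lists[tok[2]] = tok[3:]
        elif tok[:4] == ["radius", "server", "host", "auth"]:
            cfg.radius_auth_hosts.add(tok[4])
        elif tok[:4] == ["radius", "server", "key", "auth"]:
            cfg.radius_auth_keys.add(tok[4])
        elif tok[:2] == ["dot1x", "port-control"] and iface is not None:
            cfg.port_control[iface] = tok[2]
    return cfg

def audit(cfg):
    """Return (code, detail) findings a reviewer would raise before relying on 802.1x."""
    findings = []
    if not cfg.system_auth_control:
        findings.append(("NO_SYSTEM_AUTH_CONTROL", "dot1x system-auth-control is not set; port access control is off switch-wide"))
    if cfg.default_login is None:
        findings.append(("NO_DEFAULT_LOGIN", "no dot1x default-login list; supplicants have no authentication method"))
    else:
        methods = cfg.auth_lists.get(cfg.default_login)
        if methods is None:
            findings.append(("UNDEFINED_LIST", f"dot1x default-login names list {cfg.default_login}, which is not defined"))
        elif "radius" not in methods:
            findings.append(("NO_RADIUS_METHOD", f"list {cfg.default_login} authenticates with {methods}, not RADIUS"))
    for host in sorted(cfg.radius_auth_hosts - cfg.radius_auth_keys):
        findings.append(("RADIUS_NO_KEY", f"RADIUS authentication server {host} has no shared secret configured"))
    if not cfg.radius_auth_hosts:
        findings.append(("NO_RADIUS_SERVER", "no RADIUS authentication server configured"))
    for iface, mode in sorted(cfg.port_control.items()):
        if mode == "force-authorized":
            # The guide uses this mode only for the port behind which the RADIUS server and
            # protected resources sit; any other such port is an unauthenticated entry point.
            findings.append(("FORCE_AUTHORIZED", f"interface {iface} passes traffic without 802.1x authentication; confirm it is the trusted server port"))
    return findings

def audit_text(text):
    return audit(parse_script(text))

if __name__ == "__main__":
    for code, detail in audit_text(SAMPLE_SCRIPT):
        print(f"{code:24} {detail}")
```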
22. Chapter 23, Configuring Class of Service Queuing (pages 207-209).
   [Figure residue: front-panel view (ports 1-24, "BROADCOM XGS III", "Open full stack view").]
   [Figure residue: CoS Interface Queue Status page for Unit/Slot/Port 1/0/1.]
      Queue ID    Minimum Bandwidth    Scheduler Type    Queue Management Type
      0           15                   weighted          taildrop
      1           25                   strict            taildrop
      2           10                   weighted          taildrop
      3           5                    weighted          taildrop
      4           5                    weighted          taildrop
      5           20                   weighted          taildrop
      6           10                   weighted          taildrop
   [Figure residue: IP DSCP Mapping Configuration page (Unit/Slot/Port: Global; columns IP DSCP Value, Traffic Class). DSCP values 0 to 7 show traffic class 1 and DSCP values 8 to 10 show traffic class 0; the remaining rows were not captured.]
23. List of Figures (page xviii).
   [Extraction separated the figure numbers from their titles. Figure numbers captured: FIGURE 16-1, 16-2, 17-1, 17-2, 18-1, 19-1, 19-2, 19-3, 21-1, 22-1, 22-2, 22-3, 22-4, 22-5, then FIGURE 22-6 to 22-16 and 23-1 to 23-8. Titles and pages captured, in order:]
   Port Security Interface Configuration 96
   Port Security Dynamically Learned MAC Addresses 97
   Port Security Violation Status 97, 98
   Port Security Administration 101
   Port Security Interface Configuration 101
   Port Security Dynamically Learned MAC Addresses 102
   Port Security Violation Status 102, 103
   LLDP Global Configuration 109
   LLDP Interface Configuration 110
   LLDP Interface Summary 111
   LLDP Statistics 111, 112
   Port Routing Example Network Diagram 117
   Port Routing Example Network Diagram 123
   OSPF Example Network Diagram Inter-area Router 129
   OSPF Example Network Diagram Border Router 132
   VLAN Routing Example Network Diagram 139
   RIP for VLAN Routing Example Network Diagram 143
   VRRP Example Network Configuration 152
   ARP Create 159
   ARP Table Configuration 159, 160
   IPv6 Example 170
   IP ACL Example Network Diagram 177
   MAC ACL Configuration Page - Create New MAC ACL 185
   MAC ACL Configuration Page 185
   MAC ACL Summary 186
   MAC ACL Rule Configuration - Create New Rule 186
24. Chapter 18, Configuring Virtual Router Redundancy Protocol (pages 155-156), and the opening of Chapter 19.
   CODE EXAMPLE 18-11 Specifying the IP Address for the Virtual Router
      ip vrrp 20 ip 192.150.2.1
   Set the priority for the port. The default priority is 100.
   CODE EXAMPLE 18-12 Setting Port Priority
      ip vrrp 20 priority 254
   Enable VRRP on the port.
   CODE EXAMPLE 18-13 Enabling VRRP on the Port
      ip vrrp 20 mode
      exit
   Configuring VRRP via Web Interface
   Use the following screens to perform the same configuration using the Graphical User Interface:
   - Routing > IP > Interface Configuration > System Routing Mode: to enable routing for the switch.
   - Routing > IP > Interface Configuration: to enable routing for the ports and configure their IP addresses and subnet masks.
   - Routing > VRRP > VRRP Configuration: to enable VRRP for the switch.
   CHAPTER 19 Proxy Address Resolution Protocol (ARP)
   This chapter describes the Proxy Address Resolution Protocol (ARP) feature.
   - Proxy ARP allows a router to answer ARP requests where the target IP address is not the router itself but a destination that the router can reach.
   - If a host does not know the default gateway, proxy ARP can learn the first hop.
   - Machines in one physical network appear to be part of another logical network.
   - Without proxy ARP, a router responds to an ARP request only if the target IP address is a…
25. Chapter 5, Configuring Virtual LANs (pages 55-56).
   [Figure residue from the VLAN configuration example diagram: Port 1/0/2, Port 1/0/3, VLANs 2 & 3, VLAN 3.]
   CLI Examples
   The following examples show how to create VLANs, assign ports to the VLANs, and assign a VLAN as the default VLAN to a port.
   Example 1: Create Two VLANs
   Use the following commands to create two VLANs and to assign the VLAN IDs while leaving the names blank.
   CODE EXAMPLE 5-1 Creating Two VLANs
      (DTI SWITCH) #vlan database
      (DTI SWITCH) (Vlan)#vlan 2
      (DTI SWITCH) (Vlan)#vlan 3
      (DTI SWITCH) (Vlan)#exit
   Example 2: Assign Ports to VLAN2
   This sequence shows how to assign ports to VLAN2, specify that frames will always be transmitted tagged from all member ports, and specify that untagged frames will be rejected on receipt.
   CODE EXAMPLE 5-2 Assigning Ports to VLAN2
      (DTI SWITCH) #config
      (DTI SWITCH) (Config)#interface 0/1
      (DTI SWITCH) (Interface 0/1)#vlan participation include 2
      (DTI SWITCH) (Interface 0/1)#vlan acceptframe vlanonly
      (DTI SWITCH) (Interface 0/1)#exit
      (DTI SWITCH) (Config)#interface 0/2
      (DTI SWITCH) (Interface 0/2)#vlan participation include 2
      (DTI SWITCH) (Interface 0/2)#vlan acceptframe vlanonly
      (DTI SWITCH) (Interface 0/2)#exit
      (DTI SWITCH) (Config)#exit
      (DTI SWITCH) #config
      (DTI SWITCH) (Config)#vlan port tagging all 2
      (DTI SWITCH) (Config)#exit
Configuration mode is (Switch) (Interface Loopback <id>)# and (Switch) (Interface Tunnel <id>)#.

Line Config

This mode allows the operator to configure the console interface. The operator can configure the interface from the directly connected console or the virtual terminal used with Telnet. The command prompt at this level is (Switch) (line)#.

Policy Map Config

Use the policy-map <policy-name> command to access the QoS policy map configuration mode to configure the QoS policy map.

    (Switch) (Config)#policy-map <policy-name>
    (Switch) (Config-policy-map)#

Policy Class Config

Use the class <class-name> command to access the QoS policy classmap mode to attach or remove a diffserv class to a policy, and to configure the QoS policy class.

    (Switch) (Config-policy-map)#class <class-name>
    (Switch) (Config-policy-classmap)#

Class Map Config

This mode consists of class creation, deletion, and matching commands. The class match commands specify Layer 2, Layer 3, and general match criteria. Use the class-map <class-map-name> command to access the QoS class map configuration mode to configure QoS class maps.

    (Switch) (Config)#class-map <class-map-name>
    (Switch) (Config-class-map)#

Router OSPF Config

In this mode the operator is allowed to access the router OSPF configuration commands. The command prompt at this level is (Switch) (Config rou
    Creating a Second Diffserv Classifier  232
    Creating a Diffserv Policy  232
    Attaching the Policy to Inbound Interface  234
    Configuring 802.1x Port Access Control  238
    Configuring RADIUS for Authentication of Users  242
    Configuring Access Control for Networked Devices  246
    Configuring Traceroute  252
    script Command  255
    script list and script delete Commands  255
    script apply running-config.scr Command  256

    CODE EXAMPLE 30-4  show running-config Command  256
    CODE EXAMPLE 30-5  copy nvram:script Command  257
    CODE EXAMPLE 30-6  script validate running-config.scr Command  257
    CODE EXAMPLE 30-7  script validate default.scr Command  258
    CODE EXAMPLE 31-1  show network Command  260
    CODE EXAMPLE 31-2  show telnet Command  261
    CODE EXAMPLE 31-3  transport output telnet Command  261
    CODE EXAMPLE 31-4  session-limit and session-timeout Commands  262
    CODE EXAMPLE 32-1  Creating a Pre-login Banner  266
    CODE EXAMPLE 33-1  show sntp Command  270
    CODE EXAMPLE 33-2  show sntp client  270
    CODE EXAMPLE 33-3  show sntp server Command  271
    CODE EXAMPLE 33-4  Configure sntp Command  271
    CODE EXAMPLE 33-5  sntp client mode broadcast Command  272
    CODE EXAMPLE 33-6  Configure sntp server Command  272
    CODE EXAMPLE 33-7  Configure sntp client port Command  272
    CODE EXAMPLE 34-1  show logging Command  278
    CODE EXAMPLE 34-2  show logging buffered Command  279
    CODE EXAMPLE 34-3  show lo
    CODE EXAMPLE 34-4
    CODE EXAMPLE 34-5
    (DTI SWITCH) (Config)#logging host 192.168.21.253
                      Press Enter to execute the command.
    <port>            Enter Port ID from 0 to 65535.
    (DTI SWITCH) (Config)#logging host 192.168.21.253 4
                      Press Enter to execute the command.
    <severitylevel>   Enter Logging Severity Level (emergency|0, alert|1, critical|2, error|3, warning|4, notice|5, info|6, debug|7).
    (DTI SWITCH) (Config)#logging host 192.168.21.253 4 1
                      Press Enter to execute the command.
    (DTI SWITCH) (Config)#logging host 192.168.21.253 4 1
    (DTI SWITCH) (Config)#exit
    (DTI SWITCH) #show logging hosts
    <unit>            Enter switch ID in the range of 1 to 8.
    (DTI SWITCH) #show logging hosts 1

CODE EXAMPLE 34-5 Logging Port Configuration Commands (Continued)

    Index  IP Address      Port  Status
    1      192.168.21.253  4     Active

Configuring Syslog via Web Interface

The following web pages are used with the Syslog feature.

FIGURE 34-1 Log Syslog Configuration Page

FIGURE 34-2 Log Hosts Configuration Page (Add Host)
[Figure residue: Hosts Configuration page with an IP Address field and Submit/Refresh buttons, reached from the System > Log menu]
■ Edge device: An edge device handles ingress traffic flowing towards the core of the network and egress traffic flowing away from the core. An edge device segregates inbound traffic into a small set of traffic classes, and is responsible for determining a packet's classification. Classification is primarily based on the contents of the Layer 3 and Layer 4 headers, and is recorded in the Differentiated Services Code Point (DSCP) added to a packet's IP header.
■ Interior node: A switch in the core of the network is responsible for forwarding packets, rather than for classifying them. It decodes the DSCP in an incoming packet and provides buffering and forwarding services using the appropriate queue management algorithms.

Before configuring DiffServ on a particular Sun Netra CP3240 switch, you must determine the QoS requirements for the network as a whole. The requirements are expressed in terms of rules, which are used to classify inbound traffic on a particular interface. FASTPATH does not support DiffServ in the outbound direction.

During configuration, you define DiffServ rules in terms of classes, policies, and services:

■ Class: A class consists of a set of rules that identify which packets belong to the class. Inbound traffic is separated into traffic classes based on Layer 2, Layer 3, and Layer 4 header data. One class type is supported, All, which specifies that every match criterion d
Example 6: script validate running-config.scr

CODE EXAMPLE 30-6 script validate running-config.scr Command

    (DTI SWITCH) #script validate running-config.scr
    serviceport protocol none
    network protocol dhcp
    no network javamode
    vlan database
    exit
    configure
    logging buffered
    logging host 192.168.77.151
    Configuration script 'running-config.scr' validated.
    (DTI SWITCH) #script apply running-config.scr
    Are you sure you want to apply the configuration script? (y/n) y
    The system has unsaved changes.
    Would you like to save them now? (y/n) y
    Configuration Saved

Example 7: Validate Another Configuration Script

CODE EXAMPLE 30-7 script validate default.scr Command

    (DTI SWITCH) #script validate default.scr
    network parms 172.30.4.2 255.255.255.0 0.0.0.0
    vlan database
    exit
    configure
    lineconfig
    exit
    spanning-tree configuration name 00-18-00-00-00-10
    interface 0/1
    exit
    interface 0/2
    exit
    interface 0/3
    exit
    (continues through interface 0/26)
    exit
    exit
    Configuration script 'default.scr' validation succeeded.

CHAPTER 31 Establishing an Outbound Telnet Connection

This chapter describes the Outbound Telnet feature and how to establish a connection.

■ This feature establishes an outbound telnet connection between a device and a remote host.
■ When a telnet connection is initiated, each s
    Intf   Type   Admin Mode  Physical Mode  Physical Status  Link Status  Link Trap  LACP Mode
    1/0/8  Probe  Enable      Auto                            Down         Enable     Enable

Configuring Port Mirroring via Web Interface

The following web pages are used with the Port Mirroring feature.

FIGURE 9-1 Multiple Port Mirroring

FIGURE 9-2 Multiple Port Mirroring Add Source Ports
[Figure residue: Multiple Port Mirroring Add Source Ports page. Session 1; Source Port(s); Direction: Tx and Rx; Add / Cancel]

FIGURE 9-3 Multiple Port Mirroring
[Figure residue: Multiple Port Mirroring page. Mode: Disable; Source Port(s): 1/0/7 (Tx and Rx); Destination Port: 1/0/8; Add Source Port / Remove Source Port / Submit / Delete]

FIGURE 9-4 System
[Navigation residue: QoS > Differentiated Services menu (DiffServ Configuration, Class Configuration, Class Summary, Policy Configuration, Policy Summary, Policy Class Definition, Policy Attribute Summary, Service Configuration, Service Summary, Service Statistics, Service Detailed Statistics)]

FIGURE 24-10 DiffServ Policy Class Definition
[Figure residue: DiffServ Policy Class Definition page. Policy Selector: internet_access; Policy Type: In; Member Class List: finance_dept; Policy Attribute Selector; Configure Selected Attribute]

FIGURE 24-11 Assign Queue
[Figure residue: Assign Queue page. Policy Name: internet_access; Policy Type: In; Class Name: finance_dept; Queue Id Value (0 to 6); Cancel]
Set Up a Port Mirroring Session

The following command sequence enables port mirroring and specifies a source and destination port.

CODE EXAMPLE 9-1 Setting Up a Port Mirroring Session

    (DTI SWITCH) #config
    (DTI SWITCH) (Config)#monitor session 1 mode
    (DTI SWITCH) (Config)#monitor session 1 source interface 0/7
    <cr>    Press Enter to execute the command.
    rx      Monitor ingress packets only.
    tx      Monitor egress packets only.
    (DTI SWITCH) (Config)#monitor session 1 source interface 0/7
    (DTI SWITCH) (Config)#monitor session 1 destination interface 0/8
    (DTI SWITCH) (Config)#exit

Example 2: Show the Port Mirroring Session

CODE EXAMPLE 9-2 Showing the Port Mirroring Session

    (DTI SWITCH) #show monitor session 1
    Session ID  Admin Mode  Probe Port  Mirrored Port  Type
    1           Enable      1/0/8       1/0/7          Rx,Tx

Monitor session ID "1" ("1" is a hardware limitation).

Example 4: Show Status of Source and Destination Ports

Use this command for a specific port. The output shows whether the port is the mirror or the probe port, what is enabled or disabled on the port, etc.

CODE EXAMPLE 9-3 Showing Status of Source and Destination Ports

    (DTI SWITCH) #show port 0/7
    Intf   Type    Admin Mode  Physical Mode  Physical Status  Link Status  Link Trap  LACP Mode
    1/0/7  Mirror  Enable      Auto                            Down         Enable     Enable
    (DTI SWITCH) #show port 0/8
                   Admin       Physical
[Navigation residue: QoS > Class of Service menu (Mapping Table Configuration, Interface Configuration, Interface Queue Configuration, Interface Queue Status)]

CoS Interface Configuration Page
[Figure residue: CoS Interface Configuration page. Unit/Slot/Port: 1/0/1; Interface Shaping Rate: 0 (0 to 100, in increments of 5); Submit / Restore Defaults]

FIGURE 23-8 CoS Interface Queue Configuration Page
[Figure residue: CoS Interface Queue Configuration page. Unit/Slot/Port; Minimum Bandwidth Allocated: 90; Queue ID: 0; Minimum Bandwidth: 15 (0 to 100, in increments of 5); Scheduler Type: weighted; Queue Management Type: taildrop; Restore Defaults for All Queues / Submit]

FIGURE 23-9 CoS Interface Queue Status Page
TABLE 2-7 CLI Editing Conventions (Continued)

    Key Sequence  Description
    Ctrl-P        Go to previous line in history buffer
    Ctrl-R        Rewrites or pastes the line
    Ctrl-N        Go to next line in history buffer
    Ctrl-Y        Prints last deleted character
    Ctrl-Q        Enables serial flow
    Ctrl-S        Disables serial flow
    Ctrl-Z        Return to root command prompt
    Tab, SPACE    Command-line completion
    Exit          Go to next lower command prompt
    ?             List available commands, keywords, or parameters

Using CLI Help

Enter a question mark (?) at the command prompt to display the commands available in the current mode.

    (switch) >?
    enable    Enter into user privilege mode.
    help      Display help for various special keys.
    logout    Exit this session. Any unsaved changes are lost.
    ping      Send ICMP echo packets to a specified IP address.
    quit      Exit this session. Any unsaved changes are lost.
    show      Display Switch Options and Settings.
    telnet    Telnet to a remote host.

Enter a question mark (?) after each word you enter to display available command keywords or parameters.

    (switch) #network ?
    javamode   Enable/Disable
    mgmt_vlan  Configure the Management VLAN ID of the switch.
    parms      Configure Network Parameters of the router.
    protocol   Select DHCP, BootP, or None as the network config protocol.

If t
a limited number of counter resources, so it may not be possible to log every ACL rule. You can define an ACL with any number of logging rules, but the number of rules that are actually logged cannot be determined until the ACL is applied to an interface. Furthermore, hardware counters that become available after an ACL is applied are not retroactively assigned to rules that were unable to be logged; the ACL must be un-applied, then re-applied. Rules that are unable to be logged are still active in the ACL for purposes of permitting or denying a matching packet.

The order of the rules is important: when a packet matches multiple rules, the first rule takes precedence. Also, once you define an ACL for a given port, all traffic not specifically permitted by the ACL is denied access.

MAC ACLs

MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet (limited by platform):

■ Source MAC address
■ Source MAC mask
■ Destination MAC address
■ Destination MAC mask
■ VLAN ID
■ Class of Service (CoS) (802.1p)
■ Ethertype

L2 ACLs can apply to one or more interfaces. Multiple access lists can be applied to a single interface; the sequence number determines the order of execution. You can assign packets to queues using the assign queue option.

IP ACLs

IP ACLs classify for Layers 3 and 4. Each ACL is a set of up to ten rules applied to inbound traffic. Each rul
and Router 2 will be the backup router.

FIGURE 18-1 VRRP Example Network Configuration
[Figure residue: Layer 3 switch acting as Router 1, Port 1/0/2 192.150.2.1, Virtual Router ID 20, Virtual Addr 192.150.2.1; Layer 3 switch acting as Router 2, Port 1/0/4 192.150.4.1, Virtual Router ID 20, Virtual Addr 192.150.2.1; both attached to a Layer 2 switch]

Example 1: Configuring VRRP on FASTPATH as a Master Router

Enable routing for the switch. IP forwarding is then enabled by default.

CODE EXAMPLE 18-1 Enabling Routing for the Switch

    config
    ip routing
    exit

Configure the IP addresses and subnet masks for the port that will participate in the protocol.

CODE EXAMPLE 18-2 Configuring IP Addresses and Subnet Masks

    config
    interface 0/2
    routing
    ip address 192.150.2.1 255.255.255.0
    exit

Enable VRRP for the switch.

CODE EXAMPLE 18-3 Enabling VRRP for the Switch

    config
    ip vrrp
    exit

Assign virtual router IDs to the port that will participate in the protocol.

CODE EXAMPLE 18-4 Assigning a Virtual Router to the Port

    config
    interface 0/2
    ip vrrp 20

Specify the IP address that the virtual router function will recognize. Note that the virtual IP address on port 1/0/2 is the same as the port
and/or complex network. OSPF offers several benefits:

■ Less network traffic: routing table updates are sent only when a change has occurred. Only the part of the table that has changed is sent.
■ Updates are sent to a multicast, not a broadcast, address.
■ Hierarchical management allows the network to be subdivided.

The top level of the hierarchy of an OSPF network is known as an autonomous system (AS) or routing domain, and is a collection of networks with a common administration and routing strategy. The AS is divided into areas: intra-area routing is used when a source and destination address are in the same area, and inter-area routing across an OSPF backbone is used when they are not. An inter-area router communicates with border routers in each of the areas to which it provides connectivity.

The Sun Netra CP3240 switch operating as a router and running OSPF will determine the best route using the assigned cost and the type of the OSPF route. The order for choosing a route if more than one type of route exists is as follows:

■ Intra-area
■ Inter-area
■ External Type 1
■ External Type 2

Note: External Type 1 is a route that is external to the AS. External Type 2 is a route that was learned from other protocols such as RIP.

Configuring OSPF via CLI

The examples in this section show you how to configure the Sun Netra CP3240 switch first as an inter-area router and then
    classofservice dot1p-mapping 6 3
    vlan priority 2
    exit
    interface 0/8
    cos-queue min-bandwidth 0 0 5 5 10 20 40
    cos-queue strict 6
    exit
    exit

You can also set traffic shaping parameters for the interface. If you wish to shape the egress interface for a sustained maximum data rate of 80 Mbps (assuming a 100 Mbps link speed), you would add a simple configuration line expressing the shaping rate as a percentage of link speed.

CODE EXAMPLE 23-2 Configuring Egress

    configure
    interface 0/8
    traffic-shape 80
    exit
    exit

Configuring CoS Mapping and Queues via Web Interface

The following web pages are used for the Class of Service feature.

FIGURE 23-3 CoS Trust Mode Configuration Page
[Figure residue: Trust Mode Configuration page. Unit/Slot/Port; Interface Trust Mode: untrusted / trust ip-precedence; Submit / Restore Defaults]

FIGURE 23-4 802.1p Priority Mapping Page
[Figure residue: Current 802.1p Priority Mapping table with 802.1p Priority and Traffic Class columns]

FIGURE 23-5 IP Precedence Mapping Configuration Page
configure the Sun Netra CP3240 switch as an inter-area router. Refer to Figure 17-1.

Example 1: OSPF on FASTPATH as an Inter-area Router

Create the VLANs and enable VLAN routing.

CODE EXAMPLE 17-8 Creating VLANs and Enabling VLAN Routing on an Inter-area Router With OSPF

    vlan database
    vlan 10
    vlan 20
    exit
    config
    interface 0/2
    vlan participation include 10
    exit
    interface 0/3
    vlan participation include 20
    exit
    exit
    config
    vlan port tagging all 10
    vlan port tagging all 20
    exit
    config
    interface 0/2
    vlan pvid 10
    exit
    interface 0/3
    vlan pvid 20
    exit
    exit
    vlan database
    vlan routing 10
    vlan routing 20
    exit
    show ip vlan
    config
    ip routing
    exit
    config
    interface 3/1
    ip address 192.150.3.1 255.255.255.0
    exit
    interface 3/2
    ip address 192.150.4.1 255.255.255.0
    exit
    exit

Example 2: Specify the Router ID and Enable OSPF for the Switch

Specify the router ID.

CODE EXAMPLE 17-9 Specifying Router ID

    config
    router ospf
    router-id 192.150.9.9
    enable
    exit
    exit

Enable OSPF for the VLAN and physical router ports.

CODE EXAMPLE 17-10 Enabling OSPF for the VLAN and Router Ports

    config
    interface 3/1
    ip ospf areaid 0.0.0.2
    ip ospf
    exit
    interface 3/2
    ip ospf are
    tunnel destination 20.20.20.1
    ipv6 ospf
    ipv6 ospf network point-to-point
    exit
    interface loopback 0

CODE EXAMPLE 21-2 Device 2 (Continued)

    ip address 2.2.2.2 255.255.255.0
    exit
    exit

CHAPTER 22 Configuring Access Control Lists (ACLs)

This chapter describes how to configure the Access Control Lists (ACLs). This chapter contains the following topics:

■ Section "Understanding Access Control Lists" on page 22-174
■ Section "Configuring Access Control Lists" on page 22-176

Understanding Access Control Lists

Access Control Lists (ACLs) are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources. ACLs can also provide traffic flow control, restrict contents of routing updates, and decide which types of traffic are forwarded or blocked. Normally, ACLs reside in a firewall router or in a router connecting two internal networks.

You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs operate on Layer 2. IP ACLs operate on Layers 3 and 4.

Features

ACL support features include Flow-based Mirroring and ACL Logging.

■ Flow-based mirroring is the ability to mirror traffic that matches a permit rule to a specific physical port or LAG. Flow-based mirrorin
[Figure residue: Layer 3 switch acting as a Border Router. Port 1/0/2 192.150.2.2; Port 1/0/3 192.130.3.1; Port 1/0/4 192.64.4.1]

Enable Routing for the Switch

CODE EXAMPLE 16-5 Enabling Routing for the Switch

    config
    ip routing
    exit

Enable Routing and Assign IP for Ports 1/0/2, 1/0/3, and 1/0/4

CODE EXAMPLE 16-6 Enabling Routing and Assigning IP Ports 1/0/2, 1/0/3, and 1/0/4

    config
    interface 0/2
    routing
    ip address 192.150.2.2 255.255.255.0
    exit
    interface 0/3
    routing
    ip address 192.130.3.1 255.255.255.0
    exit
    interface 0/4
    routing
    ip address 192.64.4.1 255.255.255.0
    exit
    exit

Specify Router ID and Enable OSPF for the Switch

Disable 1583 compatibility to prevent a routing loop.

CODE EXAMPLE 16-7 Specifying Router ID and Enabling OSPF for the Switch

    config
    router ospf
    enable
    router-id 192.130.1.1
    no 1583compatibility
    exit
    exit

Enable OSPF for the Ports

Enable OSPF for the ports and set the OSPF priority and cost for the ports.

CODE EXAMPLE 16-8 Enabling OSPF for the Ports

    config
    [code example garbled in extraction: three interface blocks, each containing four ip ospf commands followed by exit, then a final exit]
following command to allow a static IP:

    network protocol none

2. Set the IP address, subnet mask, and gateway address by issuing the following command:

    network IP <ipaddress> <netmask> <gateway>

    Value       Description
    IP address  Unique IP address for the switch. Each IP parameter is made up of four decimal numbers, ranging from 0 to 255. The default for all IP parameters is zeroes (0.0.0.0).
    Subnet      Subnet mask for the LAN.
    Gateway     IP address of the default router, if the switch is a node outside the IP range of the LAN.

Configuring for Out-Of-Band Connectivity

Out-of-band connectivity allows you to access the switch from a remote workstation using the Ethernet network over a private network. To use out-of-band connectivity, you must configure the switch with IP information (IP address, subnet mask, and default gateway).

Using DHCP

DHCP is enabled by default on the Netra CP3240 switch. You need to configure the BootP or DHCP server with information about the switch; obtain this information through the serial port connection using the show serviceport command. Set up the server with the following values:

    Value       Description
    IP address  Unique IP address for the switch. Each IP parameter is made up of four decimal numbers, ranging from 0 to 255. The default for all IP parameters is zeroes (0.0.0.0).
    Subnet      Subnet mask for the LAN.
    Gateway     IP add
    ip igmp

CODE EXAMPLE 8-7 Interface 1/0/2 ip igmp

    (LVL7 FASTPATH Routing/Switching) (Interface 0/2)#ip igmp ?
    <cr>                        Press Enter to execute the command.
    last-member-query-count     Configure last member query count.
    last-member-query-interval  Configure last member query interval.
    query-interval              Configure IGMP query interval.
    query-max-response-time     Configure maximum response time.
    robustness                  Configure IGMP router robustness.
    startup-query-count         Configure startup query count.
    startup-query-interval      Configure startup query interval.
    version                     Configure IGMP or IGMP Proxy version.

Web Examples

The following web pages are used in the IGMP Snooping feature. Click Help for more information on the web interface.

FIGURE 8-1 IGMP Snooping Global Configuration and Status Page

FIGURE 8-2 IGMP Snooping Interface Configuration Page
[Figure residue: IGMP Snooping Interface Configuration page. Unit/Slot/Port: 1/0/1; Admin Mode: Disable; Group Membership Interval (secs): 260; Max Response Time (secs) (Less Than Group Membership Interval): 10; Multicast Router Present Expiration Time (secs): 0; Fast Leave Admin Mode: Disable]
naming conventions.

Type: Indicates if the port is a special type of port.
Admin Mode: Selects the Port Control Administration State.
Physical Mode: Selects the desired port speed and duplex mode.
Physical Status: Indicates the port speed and duplex mode.
Link Status: Indicates whether the link is up or down.
Link Trap: Determines whether or not to send a trap when link status changes.
LACP Mode: Displays whether LACP is enabled or disabled on this port.

TABLE 1-3 Quick Startup User Account Management

Command: show users (Privileged EXEC Mode)
Details: Displays all of the users who are allowed to access the networking device. Access Mode shows whether the user is able to change parameters on the networking device (Read/Write) or is only able to view them (Read Only). As a factory default, the admin user has Read/Write access and the guest user has Read Only access. There can only be one Read/Write user and up to five Read Only users.

Command: show loginsession (User EXEC Mode)
Details: Displays all of the login session information.

Command: users passwd <username> (Global Config Mode)
Details: Allows the user to set passwords or change passwords needed to login. A prompt appears after the command is entered requesting the user's old password. In the absence of an old password, leave the area blank. The user must press Enter to
queues always sent last. Weighted scheduling requires a specification of priority for each queue relative to the other queues, based on their minimum bandwidth values.

■ Queue management: tail drop. FASTPATH supports the tail drop method of queue management. This means that any packet forwarded to a full queue is dropped, regardless of its importance.

Configuring CoS Mapping and Queues via CLI

Figure 23-1 illustrates the network operation as it relates to CoS mapping and queue configuration. Four packets arrive at the ingress port 1/0/10 in the order A, B, C, and D. You've configured port 1/0/10 to trust the 802.1p field of the packet, which serves to direct packets A, B, and D to their respective queues on the egress port. These three packets utilize port 1/0/10's 802.1p to COS Mapping Table. In this case, the 802.1p user priority 3 was set up to send the packet to queue 5 instead of the default queue 3. Since packet C does not contain a VLAN tag, the 802.1p user priority does not exist, so port 1/0/10 relies on its default port priority (2) to direct packet C to egress queue 1.

FIGURE 23-1 CoS Mapping and Queue Configuration
[Figure residue: ingress port 1/0/10, mode trust dot1p, 802.1p to COS Q Map; packet A UserPri 3; packet B UserPri 7; packet C untagged; packet D UserPri 6]
screen to specify transmit and receive functions for individual interfaces.

FIGURE 12-2 LLDP Interface Configuration
[Figure residue: LLDP Interface Configuration page, reached from Switching > LLDP. Interface: 1/0/10; Transmit: Enable; Receive: Enable; Transmit Management Information: Enable; Notify; Optional TLVs: System Name, System Description, System Capabilities, Port Description]

Interface Parameters

Interface: Specifies the port to be affected by these parameters.
Transmit Mode: Enables or disables the transmit function. The default is disabled.
Receive Mode: Enables or disables the receive function. The default is disabled.
Transmit Management Information: Enables or disables transmission of management address instance. Default is disabled.
Notification Mode: Enables or disables remote change notifications. The default is disabled.
Included TLVs: Selects TLV information to transmit. Choices include System Name, System Capabilities, System Description, and Port Description.

FIGURE 12-3 L
the Outbound Telnet session through the Web interface:

■ Enable or disable administration mode
■ Set how many sessions you want
■ Set the session time-outs

FIGURE 31-1 Telnet Session Configuration
[Figure residue: Outbound Telnet Client Configuration page. Admin Mode: Enable; Maximum Sessions: 5 (0 to 5); Session Timeout (minutes): 5 (1 to 160); Submit]

CHAPTER 32 Creating a Pre-Login Banner

This chapter describes the Pre-Login Banner feature and how to create a banner. The Pre-Login Banner feature is only for the CLI interface. This chapter contains the following topics:

■ Section "Creating a Pre-login Banner via CLI" on page 32-266
■ Section "Removing a Pre-login Banner via CLI" on page 32-267

Creating a Pre-login Banner via CLI

This feature a
FIGURE 34-3 Log Hosts Configuration Page
[Figure residue: Hosts Configuration page, reached from System > Log. Host: 10.254.24.170; IP Address: 10.254.24.170; Status: Active; Port: 514 (1 to 65535); Submit / Delete / Refresh]

[Figure residue: Syslog Configuration page. Admin Status; Local UDP Port: 514 (1 to 65535); Messages Received: 14; Messages Dropped; Messages Relayed]

Interpreting Log Files

    <130> JAN 01 00:00:06 0.0.0.0-1 UNKN[0x800023]: bootos.c(386) 4 LN fff
     A        B             C       D

    A  Priority
    B  Timestamp
    C  Stack ID
    D  Component Name
0/2 on both devices connects to the local IPv6 network. OSPFv3 is used to exchange IPv6 routes between the two devices. The tunnel interface allows data to be transported between the two remote IPv6 networks over the IPv4 network.

FIGURE 21-1 IPv6 Example
[Figure residue: Device 1 Interface 0/2 and Interface 0/1; Device 2 Interface 0/1]

CODE EXAMPLE 21-1 Device 1

    ip routing
    ipv6 unicast-routing
    router ospf
    router-id 1.1.1.1
    exit
    ipv6 router ospf
    router-id 1.1.1.1
    exit
    interface 0/1
    routing
    ip address 20.20.20.1 255.255.255.0
    ip ospf
    exit
    interface 0/2
    routing
    ipv6 enable
    ipv6 address 2020:1::1/64
    ipv6 ospf
    ipv6 ospf network point-to-point
    exit
    interface tunnel 0
    ipv6 address 2001::1/64
    tunnel mode ipv6ip
    tunnel source 20.20.20.1
    tunnel destination 10.10.10.1
    ipv6 ospf
    ipv6 ospf network point-to-point
    exit
    interface loopback 0
    ip address 1.1.1.1 255.255.255.0
    exit
    exit

CODE EXAMPLE 21-2 Device 2

    ip routing
    ipv6 unicast-routing
    router ospf
    router-id 2.2.2.2
    exit
    ipv6 router ospf
    router-id 2.2.2.2
    exit
    interface 0/1
    routing
    ip address 10.10.10.1 255.255.255.0
    ip ospf
    exit
    interface 0/2
    routing
    ipv6 enable
    ipv6 address 2020:2::2/64
    ipv6 ospf
    ipv6 ospf network point-to-point
    exit
    interface tunnel 0
    ipv6 address 2001::2/64
    tunnel mode ipv6ip
    tunnel source 10.10.10.1
    tunnel
51. CHAPTER 24 Configuring Differentiated Services

This chapter describes how to configure Differentiated Services (DiffServ). This chapter contains the following topics:
■ Section "Understanding Differentiated Services (DiffServ)" on page 24-212
■ Section "Configuring Differentiated Services via CLI" on page 24-214
■ Section "Configuring Differentiated Services via Web Interface" on page 24-217
■ Section "Configuring DiffServ for Voice Over IP (VoIP)" on page 24-230

Understanding Differentiated Services (DiffServ)

Differentiated Services (DiffServ) is one technique for implementing Quality of Service (QoS) policies. Using DiffServ in your network allows you to configure the relevant parameters directly on the switches and routers rather than using a resource reservation protocol. This section explains how to configure the Sun Netra CP3240 switch to identify which traffic class a packet belongs to and how it should be handled to provide the desired quality of service. As implemented on the Sun Netra CP3240 switch, DiffServ allows you to control what traffic is accepted and what traffic is discarded.

Traffic to be processed by the DiffServ feature requires an IP header if the system uses IP Precedence or IP DSCP marking.

How you configure DiffServ support on a Sun Netra CP3240 switch varies depending on the role of the switch in your network:
■
52. Configuring Proxy ARP via Web Interface

The following web pages are used in the proxy ARP feature.

FIGURE 19-1 ARP Create
[Figure: ARP Create page. IP Address; MAC Address.]

FIGURE 19-2 ARP Table Configuration
[Figure: ARP Table Configuration page. Age Time (secs) 1200 (15 to 21600); Response Time (secs) 1 (1 to 10); Retries 4 (0 to 10); Cache Size 1920 (256 to 1920); Dynamic Renew; Total Entry Count 0; Peak Total Entries 0; Active Static Entries 0; Configured Static Entries 0; Maximum Static Entries 64; Remove from Table: None.]

FIGURE 19-3

CHAPTER 20 Configuring IGMP Proxy

This chapter describes how to configure the Internet Group Management Pr
53. CHAPTER 34 Storing and Collecting Message Logs with Syslog

This chapter provides information about how to use the Syslog feature to store and collect message logs. This chapter contains the following topics:
■ Section "Configuring Syslog via CLI" on page 34-278
■ Section "Configuring Syslog via Web Interface" on page 34-283
■ Section "Interpreting Log Files" on page 34-285

Configuring Syslog via CLI

This feature allows you to store system messages and/or errors. You can store them in local files on the switch or on a remote server running a syslog daemon. It also provides a method of collecting message logs from many systems. The following are examples of the CLI commands used with the Syslog feature.

Example 1: show logging
CODE EXAMPLE 34-1 show logging Command
(DTI SWITCH) #show logging
Logging Client Local Port : 514
CLI Command Logging : disabled
Console Logging : disabled
Console Logging Severity Filter : alert
Buffered Logging : enabled
Syslog Logging : enabled
Log Messages Received : 66
Log Messages Dropped : 0
Log Messages Relayed : 0

Example 2: show logging buffered
CODE EXAMPLE 34-2 show logging buffered Command
(DTI SWITCH) #show logging buffered ?
<cr>   Press Enter to execute the command.
(DTI SWITCH) #
54. ...150.5.1 255.255.255.0
exit
exit

This last step enables RIP for the VLAN router ports. Authentication will default to none, and no default route entry will be created.

CODE EXAMPLE 17-7 Enabling RIP for VLAN Router Ports
config
interface 3/1
ip rip
exit
interface 3/2
ip rip
exit
exit

Configuring VLAN Routing with RIP via Web Interface

Use the following screens to perform the same configuration using the Graphical User Interface:
■ Switching > VLAN > Configuration: To create the VLANs and specify port participation.
■ Switching > VLAN > Port Configuration: To specify the handling of untagged frames on receipt and whether frames will be transmitted tagged or untagged.
■ Routing > VLAN Routing > Configuration: To enable VLAN routing and configure the ports.
■ Routing > IP > Interface Configuration: To enable routing for the ports and configure their IP addresses and subnet masks. To enable routing for the switch and specify the router ID.
■ Routing > RIP > Configuration: To enable RIP for the switch.
■ Routing > RIP > Interface Configuration: To enable RIP for the ports and specify the RIP versions.

Configuring VLAN Routing With OSPF

For larger networks, Open Shortest Path First (OSPF) is often used instead of RIP. OSPF offers several benefits to the administrator of a large and/or complex ne
55. ...:18               Dynamic  Network Assist  Fwd: 0/47
00:01:01:00:5E:37:96:D0  Dynamic  Network Assist  Fwd: 0/47
00:01:01:00:5E:7F:FF:FA  Dynamic  Network Assist  Fwd: 0/47
00:01:01:00:5E:7F:FF:FE  Dynamic  Network Assist  Fwd: 0/47

Example 4: show ip igmp interface
CODE EXAMPLE 8-4 show ip igmp interface
(DTI SWITCH) #show ip igmp interface 0/2

Slot/Port...................................... 0/2
IGMP Admin Mode................................ Disable
Interface Mode................................. Disable
IGMP Version................................... 3
Query Interval (secs).......................... 125
Query Max Response Time (1/10 of a second)..... 100
Robustness..................................... 2
Startup Query Interval (secs).................. 31
Startup Query Count............................ 2
Last Member Query Interval (1/10 of a second).. 10
Last Member Query Count........................ 2

Example 5: Config ip igmp
CODE EXAMPLE 8-5 Config ip igmp
(LVL7 FASTPATH Routing Switching) (Config)#ip igmp ?
<cr>   Press Enter to execute the command.

Example 6: show ip igmp
CODE EXAMPLE 8-6 show ip igmp
(LVL7 FASTPATH Routing Switching) #show ip igmp ?
<cr>        Press Enter to execute the command.
groups      Display the subscribed multicast groups.
interface   Display IGMP configuration information.

Example 7: Interface 1/0/2
57. Example 3: Set Unicast Storm Control for All Interfaces
CODE EXAMPLE 7-3 Set Unicast Storm Control for All Interfaces
(DTI SWITCH) #config
(DTI SWITCH) (Config)#storm-control unicast all
(DTI SWITCH) (Config)#storm-control unicast all level 5
(DTI SWITCH) (Config)#exit
(DTI SWITCH) #

CHAPTER 8 Monitoring IGMP Snooping

This chapter describes the Internet Group Management Protocol (IGMP) feature, IGMPv3, and IGMP Snooping. The IGMP Snooping feature enables the switch to monitor IGMP transactions between hosts and routers. It can help conserve bandwidth by allowing the switch to forward IP multicast traffic only to connected hosts that request multicast traffic. This chapter contains the following topics:
■ Section "CLI Examples" on page 8-72
■ Section "Web Examples" on page 8-76

CLI Examples

The following are examples of the commands used in the IGMP Snooping feature.

Example 1: show igmpsnooping
CODE EXAMPLE 8-1 show igmpsnooping
(DTI SWITCH) #show igmpsnooping ?
<cr>                Press Enter to execute the command.
<unit/slot/port>    Enter interface in unit/slot/port format.
mrouter             Display IGMP Snooping Multicast Router information.
<1-4093>            Display IGMP Snooping valid VLAN ID information.

(DTI SWITCH) #show igmpsnooping
Admin Mode..................................... Enable
Multicast Control Frame Count.................. 0
Interfaces E
59. Configuring Link Aggregation via CLI

FIGURE 6-1 shows an example of configuring the software to support Link Aggregation (LAG) to a server and to a Layer 3 switch.

FIGURE 6-1 LAG/Port Channel Example Network Diagram
[Figure: labels visible are Server, Subnet 3, Port 1/0/3, Port 1/0/2, LAG_10, Layer 3 Switch, Port 1/0/8, Port 1/0/9, LAG_20, Layer 2 Switch, Subnet 2 and Subnet 3.]

CLI Example 1: Create Two Port Channels
CODE EXAMPLE 6-1 Creating Two Port Channels
(DTI SWITCH) #config
(DTI SWITCH) (Config)#port-channel lag_10
(DTI SWITCH) (Config)#port-channel lag_20
(DTI SWITCH) (Config)#exit

Use the show port-channel all command to show the logical interface IDs you will use to identify the port channels in subsequent commands. Assume that lag_10 is assigned ID 1/1 and lag_20 is assigned ID 1/2.

CODE EXAMPLE 6-2 Showing Port Channels
(DTI SWITCH) #show port-channel all
        Port-   Link
Log.    Channel Adm.  Trap  STP   Mbr.  Port     Port
Intf.   Name    Link  Mode  Mode  Mode  Type     Ports  Speed  Active
------  ------- ----  ----  ----  ----  -------  -----  -----  ------
1/1     lag_10  Down  En.   En.   Dis.  Dynamic
1/2     lag_20  Down  En.   En.   Dis.  Dynamic

CLI Example 2: Add Physical Ports to the Port Channels
CODE EXAMPLE 6-3 Addin
60. Sun Microsystems

Sun Netra CP3240 Switch User's Guide

Sun Microsystems, Inc.
www.sun.com

Part No. 820-3252-11
April 2009, Revision 01

Submit comments about this document at: http://www.sun.com/hwdocs/feedback

Copyright 2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.

This distribution may include materials developed by third parties. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, Netra, Sun Ray, the Netra logo, and the Solaris logo are trademarks or registered trademarks of Sun Microsystems, Inc., or its subsidiaries, in the U.S. and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon architecture developed by Sun Microsystems, Inc.

Use of any spare or replacement CPUs is limited to repair or one-for-one replacement of CPUs in products exported in compliance with U.S. export laws. Use of CPUs as product upgrades unless authorized by the U.S. Government is strictly prohibited.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMP
61. ...4 Enable RIP for Ports 1/0/2 and 1/0/3
config
interface 0/2
ip rip
ip rip receive version both
ip rip send version rip2
exit
interface 0/3
ip rip
ip rip receive version both
ip rip send version rip2
exit
exit

Configuring RIP via Web Interface

Use the following screens to perform the same configuration using the Graphical User Interface:
■ Routing > IP > Interface Configuration > System Routing Mode: To enable routing for the switch.
■ Routing > IP > Interface Configuration > Slot/Port, IP Address, Subnet Mask, Routing Mode: For the remaining commands.
■ Routing > RIP > Config > RIP Admin Mode: To enable RIP for the switch.
■ Routing > RIP > Interface Configuration: To enable RIP for the ports and specify the RIP versions.

CHAPTER 16 Configuring Open Shortest Path First (OSPF)

This chapter describes how to configure OSPF. This chapter contains the following topics:
■ Section "Understanding Open Shortest Path First (OSPF)" on page 16-128
■ Section "Configuring OSPF via CLI" on page 16-129
■ Section "Configuring OSPF via Web Interface" on page 16-135

Understanding Open Shortest Path First (OSPF)

Larger networks typically use Open Shortest Path First (OSPF) instead of RIP. To the administrator of a large
62. FIGURE 22-14 IP ACL Rule Configuration Page: Rule with Protocol and Source IP Configuration
[Figure: IP ACL Rule Configuration page. IP ACL 101; Rule 1; Action Deny; Logging False; Match Every False; Protocol Keyword 255 (IP); Source IP Address 192.168.20.0; Source IP Mask 255.255.255.0; Source L4 Port; Destination IP Address; Destination IP Mask; Destination L4 Port; Service Type; each field has a Configure link.]

FIGURE 22-15 Attach IP ACL to an Interface
[Figure: ACL Interface Configuration page. Unit/Slot/Port 1/0/6; Direction Inbound; ACL Type IP ACL; IP ACL 101; Sequence Number (1 to 4294967295); List of Assigned ACLs: ACL Identifier 101.]
65. E  Thread ID
F  File Name
G  Line Number

Index

Symbols
  9

A
access-list 178
addport 65
authentication login 242
authentication login radius 238
authentication login tacacs 246

C
Class Map Config command mode 21
Class Map mode 27
class-map 215
classofservice 201
command conventions 16
command modes: Class Map Config 21; DHCP Pool Config 22; Global Config 21; Interface Config 21; Line Config 21; Policy Class Config 21; Policy Map Config 21; Privileged Exec 21; Router BGP Config 22; Router OSPF Config 22; Router RIP Config 22; User Exec 21; VLAN 21
config network parms 6, 7
configure 9
configure network protocol none 5, 6, 7
configure sntp 271
configure sntp client mode 272
configure sntp client port 272
configure sntp server 272
copy nvram: errorlog 13; msglog 13; script running-config.scr 257; startup-config 13; traplog 13
copy system:running-config nvram:startup-config 9, 11, 14
copy tftp 266
cos-queue 201, 216

D
deny 180
description 100
DHCP Pool Config command mode 22
DHCP Pool Config mode 28, 29
diffserv 215
dos-control 114
dot1x default-login radius 238
dot1x port-control 238
dot1x system-auth-control 238

E
enable 8, 287
exit 9

F
flow of operation for the CLI 29
forwarding database, differences between the terminal and Web interfaces 36

G
Global Config command mode 21
Global C
66. CODE EXAMPLE 31-2 show telnet Command
(DTI SWITCH) #show telnet
Outbound Telnet Login Timeout (minutes)......... 5
Maximum Number of Outbound Telnet Sessions...... 5
Allow New Outbound Telnet Sessions.............. Yes

Example 3: transport output telnet
CODE EXAMPLE 31-3 transport output telnet Command
(DTI SWITCH) (Config)#lineconfig ?
<cr>   Press Enter to execute the command.
(DTI SWITCH) (Config)#lineconfig
(DTI SWITCH) (Line)#transport ?
input    Displays the protocols to use to connect to a specific line of the router.
output   Displays the protocols to use for outgoing connections from a line.
(DTI SWITCH) (Line)#transport output ?
telnet   Allow or disallow new telnet sessions.
(DTI SWITCH) (Line)#transport output telnet ?
<cr>   Press Enter to execute the command.
(DTI SWITCH) (Line)#transport output telnet
(DTI SWITCH) (Line)#

Example 4: session-limit and session-timeout
CODE EXAMPLE 31-4 session-limit and session-timeout Commands
(DTI SWITCH) (Line)#session-limit ?
<0-5>   Configure the maximum number of outbound telnet sessions allowed.
(DTI SWITCH) (Line)#session-limit 5
(DTI SWITCH) (Line)#session-timeout ?
<1-160>   Enter time in minutes.
(DTI SWITCH) (Line)#session-timeout 15

Configuring a Telnet Connection via Web Interface

You can set up
67. [Figure: SNTP Server Configuration page. Server: Create; Address; Address Type IPv4; Port 123 (1 to 65535); Priority 1 (1 to 3); Version 4 (1 to 4); Submit and Delete buttons.]

FIGURE 33-4 SNTP Server Status Page
[Figure: SNTP Server Status page, showing "No SNTP Server Exists". Other field labels visible in the residue: Client Mode; Port; Unicast Poll Interval; Broadcast Poll Interval; Unicast Poll Timeout; Unicast Poll Retry.]
69. [Figure residue, end of previous figure: Direction Inbound; ACL Type MAC ACL; ACL Identifier mac1; Sequence Number.]

FIGURE 22-11 IP ACL Configuration Page: Create a New IP ACL
[Figure: IP ACL Configuration page. IP ACL: Create New Extended IP ACL; IP ACL ID 101 (100 to 199); Submit. Table: Current Size 1, Max Size 100.]

FIGURE 22-12 IP ACL Configuration Page: Create a Rule and Assign an ID
[Figure: IP ACL Rule Configuration page. IP ACL 101; Rule: Create New Rule; Rule ID 1 (1 to 10); Action Deny; Match Every False.]

FIGURE 22-13 IP ACL Configure IP ACL Rule Properties
[Figure: IP ACL Rule Configuration page. IP ACL 101; Source IP Address 192.168.20.0; Source IP Mask 255.255.255.0.]

FIGURE 22-14 IP
70. FIGURE 12-4 LLDP Statistics
[Figure: LLDP Statistics page. Last Update 0 Days 00:00:00; Total Inserts; Total Deletes; Total Drops; Total Ageouts; per-interface columns Interface, Transmit Total, Receive Total, Discards, Errors, Ageouts, TLV Discards, TLV Unknowns, with one interface row showing all-zero counters; Refresh and Clear buttons.]

FIGURE 12-5 LLDP Interface Summary
[Figure: LLDP Interface Summary page. Interfaces 1/0/1 through 1/0/14; Link Status is Link Up for 1/0/1 and Link Down for the others; Transmit Disabled.]
71. ...LDP via CLI" on page 12-106
■ Section "Configuring LLDP via Web Interface" on page 12-109

Configuring LLDP via CLI

Example 1: Set Global LLDP Parameters
Use the following sequence to specify the switch-wide notification interval and timers for all LLDP interfaces.

CODE EXAMPLE 12-1 Setting Global LLDP Parameters
(DTI SWITCH) #config
(DTI SWITCH) (Config)#lldp ?
notification-interval   Configure minimum interval to send remote data change notifications.
timers                  Configure the LLDP global timer values.
(DTI SWITCH) (Config)#lldp notification-interval ?
<interval-seconds>   Range <5-3600> seconds.
(DTI SWITCH) (Config)#lldp notification-interval 1000
(DTI SWITCH) (Config)#lldp timers ?
<cr>       Press Enter to execute the command.
hold       The interval multiplier to set local LLDP data TTL.
interval   The interval in seconds to transmit local LLDP data.
reinit     The delay before re-initialization.
(DTI SWITCH) (Config)#lldp timers hold 8 reinit 5
(DTI SWITCH) (Config)#exit
(DTI SWITCH) #

Example 2: Set Interface LLDP Parameters
The following commands configure interface 0/10 to transmit and receive LLDP information.

CODE EXAMPLE 12-2 Setting Interface LLDP Parameters
(DTI SWITCH) ...
notification   notifications
receive
transmit
transmit-mgm
72. ...LIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Copyright 2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, United States. All rights reserved.

This distribution may include components developed by third parties. Parts of this product may be derived from Berkeley BSD systems licensed by the University of California. UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, Netra, Sun Ray, the Netra logo and the Solaris logo are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the United States and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based on an architecture developed by Sun Microsystems, Inc.

The use of spare parts or replacement CPUs is limited to repair or one-for-one replacement of CPUs in products exported in compliance with United States export law. Unless authorized by the United States authorities, the use of CPUs as po
73. ...PF Info > OSPF Admin Mode: To enable OSPF for the switch.
■ Routing > OSPF > Interface Configuration: To enable OSPF for the ports and specify the OSPF Area ID, Router Priority and Metric Cost parameters.

CHAPTER 17 Configuring VLAN Routing

This chapter describes how to configure the Netra CP3240 switch with some ports supporting VLANs and some supporting routing. This chapter also shows how to configure VLANs with RIP and OSPF. You can configure the software to allow traffic on a VLAN to be treated as if the VLAN were a router port. A port can be either a VLAN port or a router port, but not both. However, a VLAN port may be part of a VLAN that is itself a router port. This chapter contains the following topics:
■ Section "Understanding VLAN Routing" on page 17-138
■ Section "Configuring VLAN Routing via CLI" on page 17-138
■ Section "Configuring VLAN Routing via Web Interface" on page 17-141
■ Section "Configuring VLAN Routing With RIP" on page 17-142
■ Section "Configuring VLAN Routing With OSPF" on page 17-146

Understanding VLAN Routing

When a port is enabled for bridging (the default) rather than routing, all normal bridge processing is performed for an inbound packet, which is then associated with a VLAN. Its MAC Destination Address (MAC DA) and VLAN ID are used to searc
74. [Figure: Physical Port 1/0/2; Physical Port 1/0/3; VLAN Router Port 3/1, 192.150.3.1; VLAN Router Port 3/2, 192.150.4.1.]

Example 1: Configuring VLAN Routing with RIP Support
The following sequence creates the VLANs and enables VLAN routing.

CODE EXAMPLE 17-4 Configuring VLAN Routing with RIP Support
vlan database
vlan 10
vlan 20
exit
config
interface 0/2
vlan participation include 10
exit
interface 0/3
vlan participation include 20
exit
exit
config
vlan port tagging all 10
vlan port tagging all 20
exit
config
interface 0/2
vlan pvid 10
exit
interface 0/3
vlan pvid 20
exit
exit
vlan database
vlan routing 10
vlan routing 20
exit
show ip vlan
config
ip routing
exit
config
interface 3/1
ip address 192.150.3.1 255.255.255.0
exit
interface 3/2
ip address 192.150.4.1 255.255.255.0
exit
exit

Example 2: Enable RIP for the Switch
This step enables RIP for the switch. The route preference will default to 15.

CODE EXAMPLE 17-5 Enabling RIP for the Switch
config
router rip
enable
exit
exit

The next sequence configures the IP address and subnet mask for a non-virtual router port.

CODE EXAMPLE 17-6 Configuring IP Addresses and Subnet Mask for Non-virtual Router Port
config
interface 0/5
ip address 192
75. Server Maximum Entries.......................... 3
Server Current Entries.......................... 1

SNTP Servers
------------
IP Address: 81.169.155.234
Address Type: IPV4
Priority: 1
Version: 4
Port: 123
Last Update Time: MAY 18 04:59:13 2005
Last Attempt Time: MAY 18 11:59:33 2005
Last Update Status: Other
Total Unicast Requests: 1111
Failed Unicast Requests: 361

Example 4: configure sntp
CODE EXAMPLE 33-4 Configure sntp Command
(DTI SWITCH) (Config)#sntp ?
broadcast   Configure SNTP client broadcast parameters.
client      Configure the SNTP client parameters.
server      Configure SNTP server parameters.
unicast     Configure SNTP client unicast parameters.

Example 5: configure sntp client mode
CODE EXAMPLE 33-5 sntp client mode broadcast Command
(DTI SWITCH) (Config)#sntp client mode broadcast ?
<cr>   Press Enter to execute the command.
(DTI SWITCH) (Config)#sntp client mode unicast ?
<cr>   Press Enter to execute the command.
(DTI SWITCH) (Config)#sntp broadcast client poll-interval ?
<6-10>   Enter value in the range (6 to 10). Poll interval is 2^(value) in seconds.

Example 6: configure sntp server
CODE EXAMPLE 33-6 Configure sntp server Command
(DTI SWITCH) (Config)#sntp server lvl7 ?
<cr>    Press Enter to execute the command.
<1-3>   Enter SNTP server priority from 1 to 3.

Example 7: configure sntp client port
CODE EXAMPLE 33-7 Confi
[Figure residue: Web-interface screenshot of the MAC ACL pages for ACL mac1. Navigation: QoS > Access Control Lists > MAC Access Control Lists > Configuration, Rule Configuration, Interface Configuration.]

FIGURE 22-5 MAC ACL Rule Configuration: Create New Rule
(Screen fields: MAC ACL = mac1; Rule = Create New Rule; Rule ID = 1 (1 to 10); Action = Deny; Match Every = False.)

FIGURE 22-6 MAC ACL Rule Configuration Page: Add Destination MAC and MAC Mask
(Screen fields: MAC ACL = mac1; Rule ID = 1; Destination MAC = 00:11:22:33:44:55; Destination MAC Mask = 00:00:00:00:FF:FF.)
ip ospf areaid 0.0.0.3
ip ospf
exit
exit

Set the OSPF priority and cost for the VLAN and physical router ports.

CODE EXAMPLE 17-11 Set OSPF Priority and Cost for the VLAN and Router Ports

config
interface 3/1
ip ospf priority 128
ip ospf cost 32
exit
interface 3/2
ip ospf priority 255
ip ospf cost 64
exit
exit

Configuring VLAN Routing via Web Interface

Use the following screens to perform the configuration described in the previous CLI sections using the Web interface instead:

- Switching > VLAN > Configuration: to create the VLANs and specify port participation.
- Switching > VLAN > Port Configuration: to specify the handling of untagged frames on receipt, and whether frames will be transmitted tagged or untagged.
- Routing > VLAN Routing > Configuration: to enable VLAN routing and configure the ports.
- Routing > IP > Interface Configuration: to enable routing for the ports and configure their IP addresses and subnet masks; to enable routing for the switch and specify the router ID.
- Routing > OSPF > OSPF Info: to enable OSPF for the switch.
- Routing > OSPF > Interface Configuration: to enable OSPF for the ports and specify the priority and cost parameters.

CHAPTER 18 Configuring Virtual Router Redundancy Protocol

This chapter describes how to config
http://docs.sun.com/app/docs/prod/n900.srvr#hic

Application         Title                                                     Part Number   Format    Location
Latest information  Netra CT 900 Server Product Notes                         819-1180-xx   PDF       Online
Pointer doc         Netra CT 900 Server Getting Started Guide                 819-1173-xx   Printed   Shipping kit
Overview            Netra CT 900 Server Overview                              819-1174-xx   PDF       Online
Installation        Netra CT 900 Server Installation Guide                    819-1175-xx   PDF       Online
Service             Netra CT 900 Server Service Manual                        819-1176-xx   PDF       Online
Administration      Netra CT 900 Server Administration and Reference Manual   819-1177-xx   PDF       Online
Programming         Netra CT 900 Software Developer's Guide                   819-1178-xx   PDF       Online
Safety              Netra CT 900 Server Safety and Compliance Guide           819-1179-xx   PDF       Online
Setup               Netra CT 900 Server Hardware Setup Guide                  819-1647-xx   PDF       Online
Safety              Important Safety Information for Sun Hardware Systems     816-7190-xx   Printed   Shipping kit

Third-Party Web Sites

Sun is not responsible for the availability of third-party web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.

Sun W
Example 1: Create ACL 179 and Define an ACL Rule

After the mask has been applied, the rule permits packets carrying TCP traffic whose source address falls in the specified range and which are sent to the specified destination IP address.

config
access-list 179 permit tcp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.0

Example 2: Define the Second Rule for ACL 179

Define the rule to set similar conditions for UDP traffic as for TCP traffic. Note that, as entered, the destination wildcard is 0.0.0.255 rather than the 0.0.0.0 used in the TCP rule, so this rule matches UDP sent to any host in 192.168.77.0/24, not only to 192.168.77.3.

access-list 179 permit udp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.255
exit

Example 3: Apply the Rule to Inbound Traffic on Port 1/0/2

Only traffic matching the criteria will be accepted; everything else is dropped by the implicit deny at the end of the list.

interface 0/2
ip access-group 179 in
exit

Setting Up a MAC ACL via CLI

The following are examples of the commands used for the MAC ACLs feature.

Example 1: Set Up a MAC Access List

CODE EXAMPLE 22-1 Set Up a MAC Access List

(DTI SWITCH) (Config)# mac access-list ?
extended   Configure extended MAC Access List parameters.

(LVL7 FASTPATH Routing) (Config)# mac access-list extended ?
<name>     Enter access-list name up to 31 characters in length.
rename     Rename MAC Access Control List.

(DTI SWITCH) (Config)# mac access-list extended mac1 ?
<cr>       Press Enter to execute the command.

(DTI SWITCH) (Config)# mac acce
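As an added illustration (Python written for this edit, not code from the switch or from Sun), the following evaluates ACL 179 exactly as entered in Examples 1 and 2, using the same wildcard-mask semantics as the CLI: a 1 bit in the mask means that address bit is not compared, a 0 bit must match. It also applies the implicit deny that ends every ACL. The sample packets are constructed, modelled on the stations in Figure 22-1; they show that the TCP rule admits only host 192.168.77.3 while the UDP rule, with its 0.0.0.255 destination wildcard, admits the whole /24.

```python
import ipaddress
from dataclasses import dataclass


def _u32(dotted: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """FASTPATH/Cisco-style wildcard: bits set to 1 in the wildcard are ignored,
    bits set to 0 must equal the corresponding bit of the base address."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) ^ _u32(base)) & care == 0


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp", ...
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    def matches(self, proto: str, src: str, dst: str) -> bool:
        return (proto == self.proto
                and wildcard_match(src, self.src, self.src_wild)
                and wildcard_match(dst, self.dst, self.dst_wild))


# ACL 179 exactly as entered in Examples 1 and 2 above.
ACL_179 = [
    Rule("permit", "tcp", "192.168.77.0", "0.0.0.255", "192.168.77.3", "0.0.0.0"),
    Rule("permit", "udp", "192.168.77.0", "0.0.0.255", "192.168.77.3", "0.0.0.255"),
]


def evaluate(acl, proto: str, src: str, dst: str) -> str:
    """First matching rule wins; a packet matching no rule hits the implicit deny."""
    for rule in acl:
        if rule.matches(proto, src, dst):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample packets modelled on Figure 22-1 (not captured traffic).
    samples = [
        ("tcp", "192.168.77.1", "192.168.77.3"),   # permit: source in range, host .3
        ("udp", "192.168.77.4", "192.168.88.3"),   # deny: destination not in range
        ("tcp", "192.168.77.1", "192.168.77.9"),   # deny: TCP rule is host-specific
        ("udp", "192.168.77.1", "192.168.77.9"),   # permit: UDP rule covers the whole /24
        ("icmp", "192.168.77.1", "192.168.77.3"),  # deny: no rule for ICMP
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL_179, *pkt))
```

If the intent really is "same conditions for UDP as for TCP", the fix on the switch is to re-enter the second rule with a 0.0.0.0 destination wildcard; the evaluator above makes that kind of discrepancy visible before the ACL is applied to a live port.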
This chapter describes how to configure storm control on the switch. It contains the following topics:

- Section "Understanding Traffic Storms" on page 7-68
- Section "CLI Examples" on page 7-69

Understanding Traffic Storms

A traffic storm is a condition that occurs when incoming packets flood the LAN, which degrades network performance. FASTPATH's Storm Control feature protects against this condition.

FASTPATH provides broadcast, multicast and unicast storm recovery for individual interfaces or for all interfaces, depending on the forwarding-plane silicon. If the silicon only supports configuration for all interfaces, you will not be able to configure individual interfaces.

Unicast storm control protects against unknown-unicast traffic, that is, frames whose destination MAC address is not known to the system and which the switch would otherwise flood. For broadcast, multicast and unicast storm control, if the rate of traffic ingressing on an interface rises above the configured threshold for that type, the traffic is dropped.

To configure storm control, you enable the feature for all interfaces or for individual interfaces, and you set the threshold (the storm-control level) beyond which the broadcast, multicast or unicast traffic will be dropped. Configuring a storm-control level also enables that form of storm control. Disabling a storm-control level (using the "no" version of the command) sets the storm-control level back to the default value and disables that form of storm
are distinct from IP addresses. You can use the IP network number of the sub-netted network for the area ID.

routerid   Enter the value of <routerid> in dotted-decimal notation, such as 0.0.0.1. A router ID of 0.0.0.0 is invalid.

Interface or slot/port   Valid slot and port number separated by a forward slash. For example, 0/1 represents slot number 0 and port number 1.

Logical Interface   Represents a logical slot and port number. This is applicable in the case of a port channel (LAG). You can use the logical slot/port to configure the port channel.

Character strings   Use double quotation marks to identify character strings, for example "System Name with Spaces". An empty string ("") is not valid.

Slot/Port Naming Convention

Sun Netra CP3240 switch software references physical entities such as cards and ports by using a slot/port naming convention. The Sun Netra CP3240 switch software also uses this convention to identify certain logical entities, such as Port Channel interfaces.

The slot number has two uses. In the case of physical ports, it identifies the card containing the ports. In the case of logical and CPU ports, it also identifies the type of interface or port.

TABLE 2-3 Slot Types

Slot Type               Description
Physical slot numbers   Physical slot numbers begin with zero and are allocated up to the maximum number of physical slots.
Logical s
Network-directed broadcast frames are dropped and the maximum transmission unit (MTU) size is 1500 bytes.

CODE EXAMPLE 14-2 Enabling Routing for Ports on the Switch

config
interface 0/2
routing
ip address 192.150.2.1 255.255.255.0
exit
exit
config
interface 0/3
routing
ip address 192.150.3.1 255.255.255.0
exit
exit
config
interface 0/5
routing
ip address 192.150.5.1 255.255.255.0
exit
exit

Configuring Port Routing via Web Interface

Use the following screens to perform the same configuration using the Web interface:

- Routing > IP > Interface Configuration > System Routing Mode: to enable routing for the switch.
- Routing > IP > Interface Configuration > Slot/Port, IP Address, Subnet Mask, Routing Mode: for the remaining commands.

CHAPTER 15 Configuring Routing Information Protocol

This chapter describes how to configure the Routing Information Protocol (RIP). RIP is one of the protocols that routers may use to exchange network topology information. It is characterized as an interior gateway protocol and is typically used in small to medium-sized networks.

This chapter contains the following to
as a border router. They show two areas, each with its own border router, connected to one inter-area router. The first diagram shows a network segment with an inter-area router connecting areas 0.0.0.2 and 0.0.0.3. The example script shows the commands used to configure a Sun Netra CP3240 switch as the inter-area router in the diagram, by enabling OSPF on port 0/2 in area 0.0.0.2 and port 0/3 in area 0.0.0.3.

Example 1: Configuring an Inter-Area Router

FIGURE 16-1 OSPF Example Network Diagram: Inter-area Router
[Figure residue: Layer 3 switch acting as an inter-area router; port 1/0/2 (192.150.2.1) and port 1/0/3 (192.150.3.1), each connected to a border router.]

Enable Routing for the Switch

The following command sequence enables IP routing for the switch.

CODE EXAMPLE 16-1 Enabling Routing for the Switch

config
ip routing
exit

Assign IP Addresses for Ports

The following sequence enables routing and assigns IP addresses for ports 0/2 and 0/3.

CODE EXAMPLE 16-2 Assigning IP Addresses for Ports

config
interface 0/2
routing
ip address 192.150.2.1 255.255.255.0
exit
interface 0/3
routing
ip address 192.150.3.1 255.255.255.0
exit
exit

Specify R
may either reject it or insert a tag using its default VLAN ID. A given port may handle traffic for more than one VLAN, but it can only support one default VLAN ID.

Two features let you define packet filters that the switch uses as the matching criteria to determine if a particular packet belongs to a particular VLAN:

- The IP-subnet-based VLAN feature lets you map IP addresses to VLANs by specifying a source IP address, network mask, and the desired VLAN ID.
- The MAC-based VLAN feature lets packets originating from end stations become part of a VLAN according to source MAC address. To configure the feature, you specify a source MAC address and a VLAN ID.

The Private Edge VLAN feature lets you set protection between ports located on the switch. This means that a protected port cannot forward traffic to another protected port on the same switch. The feature does not provide protection between ports located on different switches.

The diagram in this section shows a switch with four ports configured to handle the traffic for two VLANs. Port 0/2 handles traffic for both VLANs, while port 0/1 is a member of VLAN 2 only, and ports 0/3 and 0/4 are members of VLAN 3 only. The script following the diagram shows the commands you would use to configure the switch as shown in the diagram.

FIGURE 5-1 VLAN Example Network Diagram
[Figure residue: Layer 3 switch; port 1/0/1 ... VLAN
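An added worked example (Python written for this edit, not code from the switch or from Sun) that models the ingress decision just described: an untagged frame is either rejected or classified into the port's PVID, and any frame is dropped if its VLAN is not configured on the port; the egress side then follows the port's tagging setting. The four-port table mirrors Figure 5-1 and the scripts that follow it, but only the settings those scripts state (port 0/2 PVID 3, port 0/4 acceptframe all, the membership in the diagram) come from the page; the remaining PVIDs, the vlanonly setting on port 0/3 and the tagging of VLAN 2 on port 0/2 are assumptions chosen to exercise each branch.

```python
from dataclasses import dataclass, field


@dataclass
class PortConfig:
    """Per-port VLAN settings, named after the CLI commands used on this page."""
    participation: set = field(default_factory=set)   # vlan participation include <id>
    pvid: int = 1                                      # vlan pvid <id>
    acceptframe: str = "all"                           # vlan acceptframe {all | vlanonly}
    tagging: set = field(default_factory=set)          # vlan port tagging: VLANs sent tagged


def classify_ingress(port: PortConfig, tag_vid):
    """Return (vlan_id, reason) for a frame received on `port`, or (None, reason)
    when the switch drops it. tag_vid is the 802.1Q VID, or None for an untagged frame."""
    if tag_vid is None:
        if port.acceptframe == "vlanonly":
            return None, "untagged frame rejected: acceptframe vlanonly"
        vid = port.pvid                  # the switch inserts a tag carrying the PVID
    else:
        vid = tag_vid
    if vid not in port.participation:
        return None, f"VLAN {vid} not configured on this port"
    return vid, "accepted"


def egress_ports(switch: dict, vid: int, ingress: str) -> dict:
    """Ports that may transmit a frame classified into `vid` (the ingress port excluded),
    mapped to whether the frame leaves that port tagged."""
    return {name: (vid in cfg.tagging)
            for name, cfg in switch.items()
            if name != ingress and vid in cfg.participation}


# Constructed switch matching Figure 5-1; see the lead-in for which values are assumed.
SWITCH = {
    "0/1": PortConfig(participation={2}, pvid=2),
    "0/2": PortConfig(participation={2, 3}, pvid=3, tagging={2}),
    "0/3": PortConfig(participation={3}, pvid=3, acceptframe="vlanonly"),
    "0/4": PortConfig(participation={3}, pvid=3, acceptframe="all"),
}


if __name__ == "__main__":
    for name, frame in (("0/2", None), ("0/4", None), ("0/3", None), ("0/1", 3), ("0/1", 2)):
        vid, why = classify_ingress(SWITCH[name], frame)
        print(f"port {name}, tag={frame}: vlan={vid} ({why})")
        if vid is not None:
            print("   forwarded to:", egress_ports(SWITCH, vid, name))
```

The model makes the security property of the diagram checkable: a frame tagged VLAN 3 arriving on port 0/1 is dropped rather than leaking into VLAN 3, and a station on port 0/3 that sends untagged frames gets nothing through while vlanonly is set.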
Access Control provides a means of preventing unauthorized access by supplicants (users) to the services offered by a system. Control over access to a switch and the LAN to which it is connected can be desirable in order to restrict access to publicly accessible bridge ports or departmental LANs.

FASTPATH achieves access control by enforcing authentication of supplicants that are attached to an authenticator's controlled ports. The result of the authentication process determines whether the supplicant is authorized to access services on that controlled port.

A PAE (Port Access Entity) can adopt one of two roles within an access control interaction:

- Authenticator: port that enforces authentication before allowing access to services available via that port.
- Supplicant: port that attempts to access services offered by the Authenticator.

Additionally, there exists a third role:

- Authentication server: server that performs the authentication function necessary to check the credentials of the supplicant on behalf of the Authenticator.

Completion of an authentication exchange requires all three roles. FASTPATH supports the authenticator role only, in which the PAE is responsible for communicating with the supplicant. The authenticator PAE is also responsible for submitting information received from the supplicant to the authentication server in order for the credentials to be checked, which determines the authorization state of t
command mode, 21
User Exec mode, 25
users defaultlogin, 242, 246
users passwd, 11

V
values of common parameters, 18
vlan acceptframe vlanonly, 56
VLAN command mode, 21
vlan database, 56, 58, 139, 140
VLAN mode, 29
vlan participation, 139, 143, 147
vlan participation include, 56
vlan port, 147
vlan port tagging, 56, 140, 144
vlan pvid, 57, 144, 148
vlan routing, 140, 144

W
Web interface
    command buttons, 42
    panel, 38
configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default. The behavior of ? and the help text are the same for the no keyword:

- The help message is the same for all forms of the command. The help string might be augmented with details about the no form behavior.
- For the "no interface" and "no inte" cases, the help options displayed are identical to the case when the no token is not specified, as in "interface" and "inte".

Command Modes

The CLI groups commands into modes according to the command function. Each of the command modes supports specific Sun Netra CP3240 switch software commands. The commands in one mode are not available until you switch to that particular mode, with the exception of the User EXEC mode commands: you can execute the User EXEC mode commands in the Privileged EXEC mode.

For detailed information about using the CLI with the switch's software commands and modes, refer to the Sun Netra CP3240 Switch Software Reference Manual (820-3253).

The command prompt changes in each command mode to help you identify the current mode. TABLE 2-5 lists the command modes, the prompts visible in each mode, and the exit method from that mode. Topology is described in "Mode-Based Topology" on page 23. Descriptions and hierarchy of each mode are in "Mode-Based Command Hi
control. Using the "no" version of the storm-control command without stating a level disables that form of storm control but keeps the configured level, which becomes active again the next time that form of storm control is enabled.

CLI Examples

Example 1: Set Broadcast Storm Control for All Interfaces

CODE EXAMPLE 7-1 Set Broadcast Storm Control for All Interfaces

(DTI SWITCH) #config
(DTI SWITCH) (Config)# storm-control broadcast ?
all      Configure storm control features for all ports.
(DTI SWITCH) (Config)# storm-control broadcast all ?
<cr>     Press Enter to execute the command.
level    Configure storm control thresholds.
(DTI SWITCH) (Config)# storm-control broadcast all level ?
         Enter the storm-control threshold as percent of port speed.
(DTI SWITCH) (Config)# storm-control broadcast all level 7
(DTI SWITCH) (Config)# exit
(DTI SWITCH) #

Example 2: Set Multicast Storm Control for All Interfaces

CODE EXAMPLE 7-2 Set Multicast Storm Control for All Interfaces

(DTI SWITCH) #config
(DTI SWITCH) (Config)# storm-control multicast all ?
<cr>     Press Enter to execute the command.
level    Configure storm control thresholds.
(DTI SWITCH) (Config)# storm-control multicast all level 8
(DTI SWITCH) (Config)# exit
(DTI SWITCH) #

Example
Curly braces {choice1 | choice2}   Indicates that you must select a parameter from the list of choices.
Vertical bars {choice1 | choice2}   Separates the mutually exclusive choices.
Braces within square brackets [{choice1 | choice2}]   Indicates a choice within an optional element.

Parameter Values

The following conventions apply to the values of the common parameters. Table 2-2 describes common parameter values and formatting.

TABLE 2-2 Common Parameter Values

Parameter   Description

ipaddr   This parameter is a valid IP address. You can enter the IP address in the following formats:
         a          (32 bits)
         a.b        (8.24 bits)
         a.b.c      (8.8.16 bits)
         a.b.c.d    (8.8.8.8 bits)
         In addition to these formats, the CLI accepts decimal, hexadecimal and octal formats through the following input formats (where n is any valid hexadecimal, octal or decimal number):
         0xn   CLI assumes hexadecimal format
         0n    CLI assumes octal format with leading zeros
         n     CLI assumes decimal format

ipv6-address   FE80:0000:0000:0000:020F:24FF:FEBF:DBCB, or FE80:0:0:0:20F:24FF:FEBF:DBCB, or FE80::20F:24FF:FEBF:DBCB, or FE80:0:0:0:20F:24FF:128.141.49.32. For additional information, refer to RFC 3513.

areaid   Enter area IDs in dotted-decimal notation, for example 0.0.0.1. An area ID of 0.0.0.0 is reserved for the backbone. Area IDs have the same format as IP addresses but
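An added worked example (Python written for this edit, not the switch's own parser) implementing the ipaddr grammar exactly as the table states it: one to four dot-separated components with widths 32, 8.24, 8.8.16 or 8.8.8.8 bits, each component in 0x hex, leading-zero octal or decimal. The point for a practitioner is that these are the classic inet_aton forms, so a front end that validates addresses as strict dotted quads and a back end that follows this table will disagree about what "127.1", "0177.0.0.1" or "2130706433" refers to; the last function reports exactly those inputs.

```python
import ipaddress

# Component bit widths for a, a.b, a.b.c and a.b.c.d, as in TABLE 2-2.
_WIDTHS = {1: (32,), 2: (8, 24), 3: (8, 8, 16), 4: (8, 8, 8, 8)}


def _component(text: str) -> int:
    """One ipaddr component: 0x.. is hexadecimal, a leading 0 is octal, else decimal."""
    if text[:2].lower() == "0x":
        base, digits = 16, text[2:]
    elif len(text) > 1 and text[0] == "0":
        base, digits = 8, text[1:]
    else:
        base, digits = 10, text
    if not digits or not digits.isalnum():          # rejects "", signs, whitespace
        raise ValueError(f"bad component {text!r}")
    return int(digits, base)                        # raises ValueError on bad digits


def parse_cli_ipaddr(text: str) -> str:
    """Parse the CLI's ipaddr forms and return the canonical dotted quad.
    Raises ValueError for anything the table does not allow."""
    parts = text.strip().split(".")
    if len(parts) not in _WIDTHS:
        raise ValueError(f"bad address {text!r}")
    value = 0
    for part, width in zip(parts, _WIDTHS[len(parts)]):
        n = _component(part)
        if n >= 1 << width:
            raise ValueError(f"{part!r} does not fit in {width} bits")
        value = (value << width) | n
    return str(ipaddress.IPv4Address(value))


def strict_accepts(text: str) -> bool:
    """Strict dotted-quad parsing, as a typical input validator would do it."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parser_disagreement(text: str):
    """Return the address the CLI grammar yields when a strict validator rejects the
    same string, else None. Inputs that fall in this gap are how allow-list checks
    performed on the string, not on the parsed address, get bypassed."""
    try:
        lenient = parse_cli_ipaddr(text)
    except ValueError:
        return None
    return None if strict_accepts(text) else lenient


if __name__ == "__main__":
    for sample in ("192.168.1.1", "127.1", "0x7f.1", "0177.0.0.1", "2130706433", "10.1.256"):
        print(f"{sample:>12} -> {parse_cli_ipaddr(sample)}  "
              f"(strict validator would reject: {parser_disagreement(sample) is not None})")
```

Validate after canonicalising, never before: compare the string returned by parse_cli_ipaddr against the allow list, not the text the operator typed.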
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
default_md = sha1
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = req_extensions

# the following sections are specific to the request being built

[ certificate_extensions ]
basicConstraints = CA:false
subjectAltName = DNS:localhost

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Mississippi
localityName = ridgeland
organizationName = Diversified Technology Inc
organizationalUnitName = Support
commonName = localhost
emailAddress = tech@ms.com

CODE EXAMPLE 4-4 SSH server.cnf Example (Continued)

[ req_extensions ]
basicConstraints = CA:true
subjectAltName = DNS:localhost

Note that x509_extensions points at the req_extensions section, which sets basicConstraints to CA:true, so a self-signed certificate generated from this file is a CA certificate whose key could sign further certificates; for a plain server certificate the CA:false setting of the certificate_extensions section is the safer choice.

CHAPTER 5 Configuring Virtual LANs

This chapter provides examples for configuring VLANs. It contains the following topics:

- Section "VLAN Configuration Example" on page 5-54
- Section "CLI Examples" on page 5-56
- Section "Web Interface" on page 5-58
- Section "Private Edge VLANs" on page 5-59

VLAN Configuration Example

Each VLAN in a network has an associated VLAN ID, which appears in the IEEE 802.1Q tag in the Layer 2 header of packets transmitted on a VLAN. An end station may omit the tag, or the VLAN portion of the tag, in which case the first switch port to receive the packet m
assign-queue   Configure the Queue Id assignment attribute.
<cr>           Press Enter to execute the command.

(DTI SWITCH) (Config-mac-access-list)# deny any 00:11:22:33:44:55 00:00:00:00:FF:FF log ?
assign-queue   Configure the Queue Id assignment attribute.
<cr>           Press Enter to execute the command.

(DTI SWITCH) (Config-mac-access-list)# deny any 00:11:22:33:44:55 00:00:00:00:FF:FF log
(DTI SWITCH) (Config-mac-access-list)# exit
(DTI SWITCH) (Config)# exit
(DTI SWITCH) #

Example 3: Configure MAC Access Group

CODE EXAMPLE 22-3 Configure MAC Access Group

(DTI SWITCH) (Config)# interface 0/5
(DTI SWITCH) (Interface 0/5)# mac ?
access-group   Attach MAC Access List to Interface.

(DTI SWITCH) (Interface 0/5)# mac access-group ?
<name>         Enter name of MAC Access Control List.

(DTI SWITCH) (Interface 0/5)# mac access-group mac1 ?
in             Enter the direction <in>.

(DTI SWITCH) (Interface 0/5)# mac access-group mac1 in ?
<cr>              Press Enter to execute the command.
<1-4294967295>    Enter the sequence number (greater than 0) to rank direction. A lower sequence number has higher precedence.

(DTI SWITCH) (Interface 0/5)# mac access-group mac1 in
(DTI SWITCH) (Interface 0/5)# exit
(DTI SWITCH) (Config)# exit
(DTI SWITCH) #
and interface IDs. While optional in IPv4, router advertisement is mandatory in IPv6. Router advertisements specify the network prefix(es) on a link, which receiving hosts can combine with an EUI-64 identifier to auto-configure their addresses. Routers have their network prefixes configured and may use EUI-64 or manually configured interface IDs.

In addition to one or more global addresses, each IPv6 interface also has an auto-configured link-local address, which is:

- Allocated from part of the IPv6 unicast address space
- Not visible off the local link
- Not globally unique

Next-hop addresses computed by routing protocols are usually link-local.

During a transition period, a global IPv6 Internet backbone may not be available. The solution for this is to tunnel IPv6 packets inside IPv4 to reach remote IPv6 islands. When a packet is sent over such a link, it is encapsulated in IPv4 in order to traverse an IPv4 network, and has the IPv4 headers removed at the other end of the tunnel.

Configuring IPv6 via CLI

In Figure 21-1, two devices are connected as shown in the diagram. Interface 0/1 on both devices connects to an IPv4 backbone network where OSPF is used as the dynamic routing protocol to exchange IPv4 routes. OSPF allows device 1 and device 2 to learn routes to each other, from the 20.20.20.x network to the 10.10.10.x network and vice versa. Interface
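An added worked example (Python written for this edit; the MAC address and the 2001:db8:20::/64 prefix are constructed values, not from the page) of the EUI-64 autoconfiguration just described: it builds the modified EUI-64 interface ID from a MAC address, forms the link-local address and the global address a host derives from an advertised /64 prefix, and then inverts the mapping. The inversion is the practitioner's caveat: an EUI-64 based global address carries the host's hardware address verbatim, which is why temporary (privacy) interface IDs exist as an alternative.

```python
import ipaddress


def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface ID: insert ff:fe in the middle
    and flip the universal/local bit (0x02 of the first octet), per RFC 4291 App. A."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_address(mac: str) -> str:
    """fe80::/64 plus the EUI-64 interface ID: the auto-configured link-local address."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac)))


def slaac_global_address(prefix: str, mac: str) -> str:
    """Global address a host forms from a router-advertised /64 prefix plus its EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("stateless address autoconfiguration needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac)))


def mac_from_address(addr: str):
    """Inverse mapping: recover the MAC when the interface ID is EUI-64 derived, else None."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                      # constructed example MAC
    ll = link_local_address(mac)
    ga = slaac_global_address("2001:db8:20::/64", mac)
    print("link-local :", ll)
    print("global     :", ga)
    print("MAC visible in global address:", mac_from_address(ga))
```

A link-local address is the same on every link the interface attaches to, which is consistent with the "not globally unique, not visible off the local link" properties listed above; the global address changes with the advertised prefix but keeps the same interface ID.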
address. The unauthorized server can configure the gateway for the client to be equal to the IP address of the server. At that point the client sends all of its IP traffic destined for other networks to the unauthorized machine, giving the attacker the possibility of filtering traffic for passwords or mounting a man-in-the-middle attack.

DHCP filtering works by allowing the administrator to configure each port as a trusted or untrusted port. The port that has the authorized DHCP server should be configured as a trusted port; any DHCP responses received on a trusted port will be forwarded. All other ports should be configured as untrusted; any DHCP or BootP responses received on the ingress side of an untrusted port will be discarded.

The following limitations exist:

- Port Channels (LAGs): If an interface becomes a member of a LAG, DHCP filtering is no longer operationally enabled on the interface. Instead, the interface follows the configuration of the LAG port. End-user configuration for the interface remains unchanged. When an interface is no longer a member of a LAG, the current end-user configuration for that interface automatically becomes effective.
- Mirroring: If an interface becomes a probe port, DHCP filtering can no longer become operationally enabled on the interface. Instead, the interface follows the configuration of the LAG port. End-user configuration for the interface remains unchanged. When an interface no longer acts as a probe port
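An added worked example (Python written for this edit, not the switch's code) of the trusted/untrusted port rule described above, run over constructed DHCP payloads rather than captures: a client DISCOVER (op = BOOTREQUEST) is forwarded from any port, while an OFFER (op = BOOTREPLY) whose router option points at the rogue server is discarded on an untrusted port and forwarded only on the trusted one. The decision uses the BOOTP op field, so a plain BootP reply without the DHCP magic cookie is caught as well; treating a malformed payload as a drop is an assumption made here, since the page does not say how the switch handles one.

```python
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_END = 0, 3, 53, 255
DHCP_DISCOVER, DHCP_OFFER = 1, 2


def build_dhcp(op: int, xid: int, chaddr: bytes, msg_type: int, router: bytes = b"") -> bytes:
    """Minimal BOOTP/DHCP payload (constructed test data, not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if router:
        options += bytes([OPT_ROUTER, len(router)]) + router
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(payload: bytes):
    """Return (op, xid, options).  options is {} for a plain BootP payload without the
    DHCP magic cookie.  Raises ValueError on a truncated header or option."""
    if len(payload) < 236:
        raise ValueError("shorter than a BOOTP header")
    op = payload[0]
    xid = struct.unpack("!I", payload[4:8])[0]
    options = {}
    if payload[236:240] == MAGIC_COOKIE:
        i = 240
        while i < len(payload) and payload[i] != OPT_END:
            code = payload[i]
            if code == OPT_PAD:
                i += 1
                continue
            if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
                raise ValueError("truncated option")
            length = payload[i + 1]
            options[code] = payload[i + 2:i + 2 + length]
            i += 2 + length
    return op, xid, options


def dhcp_filter(ingress_port: str, trusted_ports: set, payload: bytes) -> str:
    """Per-port DHCP filtering: replies are forwarded only from trusted ports,
    requests pass either way, malformed payloads are dropped (assumption)."""
    try:
        op, _, _ = parse_dhcp(payload)
    except ValueError:
        return "DROP"
    if op == BOOTREPLY and ingress_port not in trusted_ports:
        return "DROP"
    return "FORWARD"


if __name__ == "__main__":
    trusted = {"0/1"}                                   # port facing the authorised server
    client_mac = bytes.fromhex("001122334455")          # constructed client
    discover = build_dhcp(BOOTREQUEST, 0x1234, client_mac, DHCP_DISCOVER)
    rogue_offer = build_dhcp(BOOTREPLY, 0x1234, client_mac, DHCP_OFFER,
                             router=bytes([192, 0, 2, 66]))   # gateway = rogue server itself
    print("DISCOVER on 0/3:", dhcp_filter("0/3", trusted, discover))      # FORWARD
    print("OFFER    on 0/3:", dhcp_filter("0/3", trusted, rogue_offer))   # DROP
    print("OFFER    on 0/1:", dhcp_filter("0/1", trusted, rogue_offer))   # FORWARD
```

The rule is only as good as the trust assignment: mark exactly the port leading to the real server as trusted, because a reply arriving there is forwarded without any further inspection of its contents.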
Typeface    Meaning                                                  Examples
AaBbCc123   The names of commands, files, and directories;           Edit your .login file.
            on-screen computer output                                Use ls -a to list all files.
                                                                     You have mail.
AaBbCc123   What you type, when contrasted with on-screen            su
            computer output                                          Password:
AaBbCc123   Book titles, new words or terms, words to be             Read Chapter 6 in the User's Guide.
            emphasized. Replace command-line variables with          These are called class options.
            real names or values.                                    You must be superuser to do this.
                                                                     To delete a file, type rm filename.

The settings on your browser might differ from these settings.

Related Documentation

The following table lists the documentation for this product. The online documentation is available at:

http://docs.sun.com/app/docs/prod/cp3240.switch?l=en#hic

Application          Title                                               Part Number   Format    Location
Latest information   Sun Netra CP3x40 Switch Product Notes               820-3260-xx   PDF       Online
Pointer doc          Sun Netra CP3240 Switch Getting Started Guide       820-3254-xx   Printed   Shipping kit
Installation         Sun Netra CP3240 Switch Installation Guide          820-3251-xx   PDF       Online
Reference            Sun Netra CP3240 Switch Software Reference Manual   820-3253-xx   PDF       Online
Safety               Sun Netra CP3x40 Switch Safety and Compliance Manual   820-3505-xx   PDF    Online

The following table lists the documentation that is related to this product. The online documentation is available at:

http://docs.sun.com/app/docs/prod/
- ... on page 30
- CLI Error Messages on page 31
- CLI Line Editing Conventions on page 31
- Using CLI Help on page 32
- Accessing the CLI on page 34

Command Syntax

A command is one or more words that might be followed by one or more parameters. Parameters can be required or optional values.

Some commands, such as show network or clear vlan, do not require parameters. Other commands, such as network parms, have parameters for which you must supply a value. Parameters are positional: you must type the values in the correct order. Optional parameters follow required parameters. Following are two examples:

network parms <ipaddr> <netmask> [gateway]

In the preceding example, <ipaddr> and <netmask> are the required values for the command and [gateway] is the optional value for the command.

snmp-server location <loc>

In the second example, <loc> is the required parameter for the command.

Command Conventions

The following conventions apply to the command name:

- The command name is displayed in this document in monospace font and must be typed exactly as shown.
- Once you have entered enough letters of a command name to uniquely identify the command, pressing the spacebar or Tab key causes the system to complete the word.
- Pressing Ctrl-Z returns you to the root-level command prompt.

This reference manual lists each command by the command name and provides a
routing for the switch.

config
ip routing
exit

The next sequence shows an example of configuring the IP addresses and subnet masks for the virtual router ports.

CODE EXAMPLE 17-3 Configuring IP Addresses and Subnet Masks for the VLAN Ports

config
interface 3/1
ip address 192.150.3.1 255.255.255.0
exit
interface 3/2
ip address 192.150.4.1 255.255.255.0
exit
exit

Configuring VLAN Routing via Web Interface

Use the following screens to perform the same configuration using the Web interface:

- Switching > VLAN > Configuration: to create the VLANs and specify port participation.
- Switching > VLAN > Port Configuration: to specify the handling of untagged frames on receipt, and whether frames will be transmitted tagged or untagged.
- Routing > VLAN Routing > Configuration: to enable VLAN routing and configure the ports.
- Routing > IP > Interface Configuration: to enable routing for the ports and configure their IP addresses and subnet masks; to enable routing for the switch.

Configuring VLAN Routing With RIP

Routing Information Protocol (RIP) is one of the protocols that routers may use to exchange network topology information. It is characterized as an interior gateway protocol and is typically used in small to medium-sized networks. A router run
specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following fields within a packet:

- Destination IP with wildcard mask
- Destination L4 port
- Every packet
- IP DSCP
- IP precedence
- IP TOS
- Protocol
- Source IP with wildcard mask
- Source L4 port

Configuring Access Control Lists

To Configure ACLs

1. Create a MAC ACL by specifying a name.
2. Create an IP ACL by specifying a number.
3. Add new rules to the ACL.
4. Configure the match criteria for the rules.
5. Apply the ACL to one or more interfaces.

Setting Up an IP ACL via CLI

The script in this section shows you how to set up an IP ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same: TCP and UDP packets will only be accepted by the Sun Netra CP3240 switch if the source and destination stations have IP addresses that fall within the defined sets.

FIGURE 22-1 IP ACL Example Network Diagram
[Figure residue: Layer 3 switch with ACL 179 applied inbound on port 1/0/2; a Layer 2 switch with stations 192.168.77.1, 192.168.77.2, 192.168.77.4 and 192.168.77.9; a UDP or TCP packet to 192.168.77.3 is accepted (destination IP in range); a UDP or TCP packet to 192.168.88.3 is rejected (destination IP not in range).]
feature allows the switch to treat multiple physical links between two end points as a single logical link called a port channel. All of the physical links in a given port channel must operate in full-duplex mode at the same speed.

You can use the feature to directly connect two switches when the traffic between them requires high bandwidth and reliability, or to provide a higher-bandwidth connection to a public network.

You can configure the port channels as either dynamic or static. Dynamic configuration uses the IEEE 802.3ad standard, which provides for the periodic exchange of LACPDUs. Static configuration is used when connecting the switch to an external switch that does not support the exchange of LACPDUs.

The feature offers the following benefits:

- Increased reliability and availability: if one of the physical links in the port channel goes down, traffic is dynamically and transparently reassigned to one of the other physical links.
- Increased bandwidth: the aggregated physical links deliver higher bandwidth than each individual link.
- Incremental increase in bandwidth: a physical upgrade could produce a tenfold increase in bandwidth, whereas a LAG produces a two- or fivefold increase, which is useful if only a small increase is needed.

Management functions treat a port channel as if it were a single physical port. You can include a port channel in a VLAN. You can configure more than one port channel for a given switch.
connectivity, you must configure the switch with IP information: IP address, subnet mask, and default gateway.

Using DHCP

1. Enter the following command over the MGMT serial port to enable the DHCP client:

   network protocol dhcp

You can assign IP information over the network through BootP or DHCP. Check with your system administrator to determine whether BootP or DHCP is enabled. You need to configure the BootP or DHCP server with information about the switch; obtain this information through the serial port connection using the show network command. Set up the server with the following values:

Value         Description
IP address    Unique IP address for the switch. Each IP parameter is made up of four decimal numbers ranging from 0 to 255. The default for all IP parameters is zeroes (0.0.0.0).
Subnet        Subnet mask for the LAN.
Gateway       IP address of the default router, if the switch is a node outside the IP range of the LAN.
MAC address   MAC address of the switch.

When you connect the switch to the network for the first time after setting up the BootP or DHCP server, it is configured with the information supplied above. The switch is ready for in-band connectivity over the switched network. Because the management address obtained this way is only as trustworthy as the DHCP server answering on that segment, the DHCP filtering feature described later in this guide (trusted and untrusted ports) is the control that keeps an unauthorized server from supplying it.

If you do not use BootP or DHCP, access the switch through the EIA-232 port and configure the network information as described below.

Using a Static IP

1. Enter the
<cr>     Press Enter to execute the command.
<port>   Enter port no.

(DTI SWITCH) #traceroute 216.109.118.74
Tracing route over a maximum of 20 hops

 1  10.254.24.1       40 ms    9 ms   10 ms
 2  10.254.253.1      30 ms   49 ms   21 ms
 3  6323123433        29 ms   10 ms   10 ms
 4  63.144.4.1        39 ms   63 ms   67 ms
 5  63.144.1.141      70 ms   50 ms   50 ms
 6  205.171.21.89     39 ms   70 ms   50 ms
 7  205.171.8.154     70 ms   50 ms   70 ms
 8  205.171.8.222     70 ms   50 ms   80 ms
 9  205.171.251.34    60 ms   90 ms   50 ms
10  209.244.219.181   60 ms   70 ms   70 ms
11  209.244.11.9      60 ms   60 ms   50 ms
12  4.68.121.146      50 ms   70 ms   60 ms
13  4.79.228.2        60 ms   60 ms   60 ms
14  216.115.96.185   110 ms   59 ms   70 ms
15  216.109.120.203   70 ms   66 ms   95 ms
16  216.109.118.74    78 ms  121 ms   69 ms

CHAPTER 30 Generating Script Files

This chapter describes how to use Configuration Scripting to generate a text-formatted script file that shows the current configuration of the system. You can generate multiple scripts and upload and apply them to more than one switch.

This chapter contains the following topics:

- Section "Understanding Configuration Scripting" on page 30-254
- Section "Configuring Scripting" on page 30-255

Understanding Configuration Scripting

Configuration Scripting:

- Provides scripts that can be uploaded to and downloaded from the system.
- Provides flexibility to create command configuration scripts.
- Can be applied to several switches.
- Can save up to ten scripts or 500K of memory.
101. ed Exec mode requires password authentication. From Privileged Exec mode, the operator can issue any Exec command, enter the VLAN mode, or enter the Global Config mode. The command prompt shown at this level is (Switch) #.
Global Config Mode: This mode permits the operator to make modifications to the running configuration. General setup commands are grouped in this mode. From the Global Config mode, the operator can enter the System Config mode, the Physical Port Config mode, the Interface Config mode, or the protocol-specific modes. The command prompt at this level is (Switch) (Config)#. From the Global Config mode, the operator can enter the following protocol-specific configuration modes:
Interface Config: Many features are enabled for a particular interface. The Interface commands enable or modify the operation of an interface. This mode allows you to enable or modify the operation of an interface and provides access to the router interface configuration commands. Use this mode to set up a physical port for a specific logical connection operation. The command prompt at this level is (Switch) (Interface <slot/port>)#. The resulting prompt for the interface configuration command entered in the Global
102. efined for the class must be true for a match to occur.
- Policy: Defines the QoS attributes for one or more traffic classes. An example of an attribute is the ability to mark a packet at ingress. FASTPATH supports the ability to assign traffic classes to output CoS queues and to mirror incoming packets in a traffic stream to a specific egress interface (physical port or LAG). The FASTPATH software supports the Traffic Conditioning Policy type, which is associated with an inbound traffic class and specifies the actions to be performed on packets meeting the class rules:
  - Marking the packet with a given DSCP, IP precedence, or CoS
  - Policing packets by dropping or re-marking those that exceed the class's assigned data rate
  - Counting the traffic within the class
- Service: Assigns a policy to an interface for inbound traffic.
Configuring Differentiated Services via CLI
This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own Class B subnet that is allocated 25% of the available bandwidth on the port accessing the Internet.
FIGURE 24-1 DiffServ Internet Access Example Network Diagram (figure: Layer 3 Switch; Port 1/0/5 outbound; Port 1/0/1, Port 1/0/3, Port 1/0/4 (Development); Source IP)
103. elcomes Your Comments
Sun is interested in improving its documentation and welcomes your comments and suggestions. You can submit your comments by going to http://www.sun.com/hwdocs/feedback. Please include the title and part number of your document with your feedback: Sun Netra CP3240 Switch User's Guide, part number 820-3252-11.
CHAPTER 1 Getting Started
This chapter provides information and instructions for configuring the switch. You must connect a serial console to the switch to begin configuration. This chapter contains the following topics:
- Section "Default Settings" on page 1-2
- Section "Initial Configuration" on page 1-2
- Section "In-band and Out-of-band Connectivity" on page 1-3
- Section "Quick Start" on page 1-8
Default Settings
- The switch is configured with all ports enabled, set to auto-negotiate, MTU of 1518, and in Layer 2 (MAC) switching mode.
- All ports are in VLAN 1.
- DHCP client is enabled on the out-of-band management port.
- Telnet access enabled.
- HTTP access enabled.
- SNMP read-only community: public.
- SNMP read-write community: private.
Initial Configuration
By default, DHCP on the OOB management port is enabled, and it's possible to directly telnet into the OOB management interface to configure the switch if a DHCP server is running. You can use a DHCP server, switch serial console, or SNMP discovery
104. er Exec mode.
(TABLE 2-5, "Exit or Access Previous Mode" column, continued)
Type exit to exit to the Privileged Exec mode, or press Ctrl-Z to switch to the User Exec mode.
Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the User Exec mode.
Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the User Exec mode.
Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the User Exec mode.
Type exit to exit to the Policy Map mode, or press Ctrl-Z to switch to the User Exec mode.
Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the User Exec mode.
TABLE 2-5 CLI Command Modes (Continued)
Command Mode | Access Method | Prompt | Exit or Access Previous Mode
Router OSPF | From the Global Config mode, enter the router ospf command | (Switch) (Config-router)# | Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the User Exec mode
Router OSPFv3 | From the Global Config mode, enter the ipv6 router ospf command | (Switch) (Config-rtr)# | Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the User Exec mode
Router RIP | From the Global Config mode, enter the router rip command | (Switch) (Config-router)# | Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the User Exec mode
Router BGP | From the Global Config mode, enter the
105. erarchy" on page 25.
TABLE 2-5 CLI Command Modes
Command Mode | Access Method | Prompt | Exit or Access Previous Mode
User Exec | This is the first level of access, for performing basic tasks and listing system information | (Switch) > | Enter the logout command
Privileged Exec | From the User Exec mode, enter the enable command | (Switch) # | Type exit or press Ctrl-Z to exit to the User Exec mode
Global Config | From the Privileged Exec mode, enter the configure command | (Switch) (Config)# | Type exit to exit to the Privileged Exec mode, or press Ctrl-Z to switch to the Us
VLAN Config | From the Privileged Exec mode, enter the vlan database command | (Switch) (Vlan)# | (continued on the following page)
Interface Config | From the Global Config mode, enter the interface <slot/port> command | (Switch) (Interface <slot/port>)#; (Switch) (Interface Loopback <id>)#; (Switch) (Interface Tunnel <id>)# | (continued on the following page)
Line Config | From the Global Config mode, enter the lineconfig command | (Switch) (line)# | (continued on the following page)
Policy Map Config | From the Global Config mode, enter the policy-map <policy-name> command | (Switch) (Config-policy-map)# | (continued on the following page)
Policy Class Config | From the Policy Map mode, enter the class command | (Switch) (Config-policy-class-map)# | (continued on the following page)
Class Map Config | From the Global Config mode, enter the class-map <class-map-name> command | (Switch) (Config-class-map)# | (continued on the following page)
106. execute the command. The system then prompts the user for a new password, then a prompt to confirm the new password. If the new password and the confirmed password match, a confirmation message is displayed. A user password should not be more than eight characters in length.
copy system:running-config nvram:startup-config (Privileged EXEC Mode): This command saves passwords and all other changes to the device. If you do not save the configuration by entering this command, all configurations are lost when a power cycle is performed on the networking device or when the networking device is reset. In a stacking environment, the running configuration is saved in all units of the stack.
logout (User EXEC and Privileged EXEC Modes): Logs the user out of the networking device.
Quick Startup IP Address
To view the network parameters, the operator can access the device by the following three methods:
- Simple Network Management Protocol (SNMP)
- Telnet
- Web Browser
Note (Helpful Hint): The user should do a copy system:running-config nvram:startup-config after configuring the network parameters so that the configurations are not lost.
TABLE 1-4 Quick Startup IP Address
Command | Details
show network (User EXEC Mode) | Displays the Network Configurations. IP Address: IP Address of the interface. Default IP is 0.0.0.0. Subnet Mask: IP Subnet Mask for the
107. eyout serverkey.pem -nodes -out serverreq.pem -config server.cnf -reqexts req_extensions -passout pass:$PASSWORD
$OPENSSL x509 -req -days $VALID_NUM_DAYS -in serverreq.pem -sha1 -extfile server.cnf -extensions certificate_extensions -CA root.pem -CAkey root.pem -CAcreateserial -out servercert.pem -passin pass:$PASSWORD
cat servercert.pem serverkey.pem rootcert.pem > server.pem
rm root.pem root.srl serverkey.pem servercert.pem serverreq.pem
##########################################################
# Generate the Diffie-Hellman weak and strong parameters
##########################################################
$OPENSSL dhparam -check -text -5 512 -out dh512.pem
$OPENSSL dhparam -check -text -5 1024 -out dh1024.pem
SSL root.cnf
CODE EXAMPLE 4-3 SSL root.cnf
# Example default settings for example ca
[ ca ]
default_ca = ca
dir = /opt/ca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = ca_policy
x509_extensions = certificate_extensions
[ ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitNa
108. f-band information, issue the command show network.
3. The switch is configured for out-of-band connectivity and ready for Web-based and remote console management.
Quick Start
1. Turn the Power ON.
2. Allow the device to load the software until the login prompt appears. The device initial state is called the default mode.
3. When the prompt asks for operator login, do the following steps:
a. Type admin at the login prompt. Because a number of the Quick Setup commands require administrator account rights, log into an administrator account. Do not enter a password, because the default mode does not use a password; after typing admin, press Enter two times.
b. The CLI User EXEC prompt is displayed.
i. Type enable to switch to the Privileged EXEC mode from User EXEC.
ii. Type configure to switch to the Global Config mode from Privileged EXEC.
iii. Type exit to return to the previous mode.
iv. Enter ? to show a list of commands that are available in the current mode.
4. If you want to access the switch remotely, configure the switch for In-band or Out-of-band connectivity. You must configure the device with IP information (IP address, subnet mask, and default gateway).
System Information and System Setup
This section describes the commands you use to view system information and to set up the network device. The tables below contain the Quick Start commands that all
109. file
Command | Details
copy nvram:errorlog <tftp://<ipaddress>/<filepath>/<filename>> (Privileged EXEC Mode) | errorlog is the error log, msglog is the message log, and traplog is the trap log. The URL must be specified as tftp://ipaddress/filepath/filename, for example copy nvram:msglog tftp://ipaddress/filepath/filename, or as xmodem:<filepath>/<filename>. If you are using HyperTerminal, you must specify where the file is to be received by the PC.
copy nvram:msglog <tftp://<ipaddress>/<filepath>/<filename>> (Privileged EXEC Mode) | (as above)
copy nvram:traplog <tftp://<ipaddress>/<filepath>/<filename>> (Privileged EXEC Mode) | (as above)
Quick Startup Downloading from TFTP Server
Before starting a TFTP server download, the operator must complete the Quick Start up for the IP Address.
TABLE 1-6 Quick Startup Downloading from TFTP Server
Command | Details
copy <tftp://<ipaddress>/<filepath>/<filename>> nvram:startup-config (Privileged EXEC Mode) | Sets the destination download datatype to be an image (system:image) or a configuration file (nvram:startup-config). The URL must be specified as tftp://ipaddress/filepath/filename. The nvram:startup-config option downloads the configuration file using tftp, and the system:image option downloads the code file.
copy <tftp://<ipaddress>/<filepath>/<filename>> system:image (Privileged EXEC Mode) | (as above)
Quick Startup Factory Defaults
TABLE 1-7 Quick Startup Factory Defaults
Comma
110. following:
- Look up the Layer 3 address in its address table to determine the outbound port
- Update the Layer 3 header
- Recreate the Layer 2 header
The router's IP address is often statically configured in the end station, although the FASTPATH software supports protocols such as DHCP that allow the address to be assigned dynamically. Likewise, you may assign some of the entries in the routing tables used by the router statically, but protocols such as RIP and OSPF allow the tables to be created and updated dynamically as the network configuration changes. The FASTPATH software always supports Layer 2 bridging, but Layer 3 routing must be explicitly enabled, first for the FASTPATH software as a whole, and then for each port which is to participate in the routed network. The configuration commands used in this section's example enable IP routing on ports 0/2, 0/3, and 0/5. The router ID is set to the FASTPATH software's management IP address, or to that of any active router interface if the management address is not configured.
After you've issued the routing configuration commands, the following functions are active:
- IP Forwarding: responsible for forwarding received IP packets.
- ARP Mapping: responsible for maintaining the ARP Table used to correlate IP and MAC addresses. The table contains both static entries and entries dynamically updated based on information in received ARP
111. for networked devices. This chapter contains the following topics:
- Section "Understanding the Terminal Access Controller Access Control System" on page 27-244
- Section "Configuring Access Control for Networked Devices" on page 27-245
Understanding the Terminal Access Controller Access Control System
Terminal Access Controller Access Control System (TACACS+) provides access control for networked devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ is based on the TACACS protocol described in RFC 1492. TACACS+ uses TCP to ensure reliable delivery, and a shared key configured on the client and daemon server to encrypt all messages. After you configure TACACS+ as the authentication method for user login, the NAS (Network Access Server) prompts for the user login credentials and requests services from the FASTPATH TACACS+ client. The client then uses the configured list of servers for authentication and provides results back to the NAS. You can configure the TACACS+ server list with one or more hosts defined via their network IP address. You can also assign each a priority to determine the order in which the TACACS+ client will contact them. TACACS+ contacts the server when a connection attempt fails or times out for a higher-priority server. You can configure each server hos
112. frames.
- Routing Table Object: responsible for maintaining the common routing table used by all registered routing protocols.
You can then activate RIP or OSPF, used by routers to exchange route information, on top of IP Routing. RIP is most often used in smaller networks, while OSPF is most often used for larger and more complex topologies.
Configuring Port Routing via CLI
The diagram in this section shows a Layer 3 switch configured for port routing. It connects three different subnets, each connected to a different port. The script shows the commands you would use to configure a Sun Netra CP3240 switch to provide the port routing support shown in the diagram.
FIGURE 14-1 Port Routing Example Network Diagram (figure: Layer 3 Switch acting as a router; Port 1/0/3, 192.130.3.1, Subnet 3; Port 1/0/2, 192.150.2.2, Subnet 2; Port 1/0/5, 192.64.4.1, Subnet 5)
Example 1: Enabling Routing for the Switch
Use the following command to enable routing for the switch. Execution of the command enables IP forwarding by default.
CODE EXAMPLE 14-1 Enabling Routing for the Switch
config
ip routing
exit
Example 2: Enabling Routing for Ports on the Switch
Use the following commands to enable routing for ports on the switch. The default link-level encapsulation format is Ethernet. Configure the IP addresses and subnet masks for the ports. Network-directed broadcast frames
113. g Class of Service (CoS) 196
Ingress Port Configurations 197
Trusted and Untrusted Ports (CoS Mapping Table) 197
CoS Mapping Table for Trusted Ports 197
Egress Port Configurations 198
Queue Configurations 198
Configuring CoS Mapping and Queues via CLI 199
Configuring CoS Mapping and Queues via Web Interface 203
Configuring Differentiated Services 211
Understanding Differentiated Services (DiffServ) 212
Configuring Differentiated Services via CLI 214
Enabling DiffServ Inbound 215
Configuring DiffServ on FASTPATH Software 216
Configuring Differentiated Services via Web Interface 217
Configuring DiffServ for Voice Over IP (VoIP) 230
Configuring Network Access Control 235
Understanding Port-Based Network Access Control 236
Configuring Network Access Control 237
26 Configuring RADIUS 239
Authenticating Users Through RADIUS 240
Configuring RADIUS 241
27 Configuring Access Control for Networked Devices 243
Understanding the Terminal Access Controller Access Control System 244
Configuring Access Control for Networked Devices 245
28 Configuring DHCP Filtering 247
Understanding Dynamic Host Configuration Protocol (DHCP) Filtering 248
Configuring DHCP Filtering 249
Example 1: Enable DHCP Filtering for the Switch 249
Example 2: Enable DHCP Filtering for an Interface 249
Example 3: Show DHCP Filtering Configuration 250
29 Configuring Traceroute 251
Configuring Traceroute 252
30 Generating Script Files 253
U
114. g Ports to the Port Channels
(DTI SWITCH) #config
(DTI SWITCH) (Config)#interface 0/2
(DTI SWITCH) (Interface 0/2)#addport 1/1
(DTI SWITCH) (Interface 0/2)#exit
(DTI SWITCH) (Config)#interface 0/3
(DTI SWITCH) (Interface 0/3)#addport 1/1
(DTI SWITCH) (Interface 0/3)#exit
(DTI SWITCH) (Config)#exit
(DTI SWITCH) #config
(DTI SWITCH) (Config)#interface 0/8
(DTI SWITCH) (Interface 0/8)#addport 1/2
(DTI SWITCH) (Interface 0/8)#exit
(DTI SWITCH) (Config)#interface 0/9
(DTI SWITCH) (Interface 0/9)#addport 1/2
(DTI SWITCH) (Interface 0/9)#exit
(DTI SWITCH) (Config)#exit
CLI Example 3: Enable Both Port Channels
By default, the system enables link trap notification.
CODE EXAMPLE 6-4 Enabling Both Port Channels
(DTI SWITCH) #config
(DTI SWITCH) (Config)#port-channel adminmode all
(DTI SWITCH) (Config)#exit
At this point, the LAGs could be added to the default management VLAN.
Configuring Link Aggregation via Web Interface
To perform the same configuration as described in the previous CLI sections, use Switching > Link Aggregation > Configuration on the Web interface. To create the port channels, specify port participation and enable Link Aggregation (LAG) support on the switch.
CHAPTER 7 Configuring Storm Control
This ch
115. g is similar to the redirect function, except that in flow-based mirroring a copy of the permitted traffic is delivered to the mirror interface while the packet itself is forwarded normally through the device. You cannot configure a given ACL rule with both mirror and redirect attributes.
- ACL Logging provides a means for counting the number of hits against an ACL rule. When you configure ACL Logging, you augment the ACL deny rule specification with a log parameter that enables hardware hit count collection and reporting. FASTPATH uses a fixed five-minute logging interval, at which time trap log entries are written for each ACL logging rule that accumulated a non-zero hit count during that interval. You cannot configure the logging interval.
Using ACLs to mirror traffic is called flow-based mirroring because the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated on another interface.
Limitations
The following limitations apply to ACLs. These limitations are platform dependent.
- Maximum of 100 ACLs
- Maximum rules per ACL is 8 to 10
- The system supports ACLs set up for inbound traffic only
- You can configure mirror or redirect attributes for a given ACL rule, but not both
- The system does not support MAC ACLs and IP ACLs on the same interface
- A hardware platform may support
116. gging traplogs Command 280
show logging hosts Command 280
Logging Port Configuration Commands 281
Preface
This document provides information and instructions for using the configuration options of the Netra CP3240 switch. This document shows examples of the use of the Netra CP3240 switch in a typical network. It describes the uses and advantages of functions provided by the switch and includes information on configuring those functions using CLI and Web interfaces. The Netra CP3240 switch can operate as a Layer 2 switch, a Layer 3 router, or a combination switch/router. The switch also includes support for network management and Quality of Service functions such as Access Control Lists and Differentiated Services. The functions you choose to activate will depend on the size and complexity of your network. This document illustrates configuration for the following functions:
- switching
- routing
- Quality of Service (QoS)
- management
Before You Read This Document
This document is intended for use by the following users:
- Experienced system administrators (SAs) who are responsible for configuring and operating a network using Netra CP3240 switches
- Engineers who will be integrating the Netra CP3240 switch into an AdvancedTCA system
- Level 1 and/or Level 2 support providers
Typographic Conventions
Typefac
117. gure sntp client port Command
(DTI SWITCH) (Config)#sntp client port 1 ?
<cr> Press Enter to execute the command.
<6-10> Enter value in the range 6 to 10. Poll interval is 2^value in seconds.
Configuring SNTP via Web Interface
The following are examples of Web Interface pages used when configuring the SNTP feature via the Web Interface.
FIGURE 33-1 SNTP Global Configuration Page
FIGURE 33-2 SNTP Global Status Page (figure: SNTP Global Status; Supported Mode: Unicast & Broadcast; Last Update Time: Jan 1 00:00:00 1970; Last Attempt Time: Jan 1 00:00:00 1970; Last Attempt Status: Other; Server IP Address: blank; Address Type: Unknown; Server Stratum: 0 Unspecified; Reference Clock Id: blank; Server Mode: Reserved; Unicast Server Max Entries: 3; Unicast Server Current Entries: 0; Broadcast Count: 0)
FIGURE 33-3 SNTP Server Configuration Page
118. h the MAC address table. If routing is enabled for the VLAN and the MAC DA of an inbound unicast packet is that of the internal bridge-router interface, the packet will be routed. An inbound multicast packet will be forwarded to all ports in the VLAN, plus the internal bridge-router interface if it was received on a routed VLAN. Since a port can be configured to belong to more than one VLAN, VLAN routing might be enabled for all of the VLANs on the port, or for a subset. VLAN Routing can be used to allow more than one physical port to reside on the same subnet. It could also be used when a VLAN spans multiple physical networks, or when additional segmentation or security is required.
Configuring VLAN Routing via CLI
This section provides an example of how to configure the Sun Netra CP3240 switch to support VLAN routing. The configuration of the VLAN router port is similar to that of a physical port. The main difference is that, after the VLAN has been created, you must use the show ip vlan command to determine the VLAN's interface ID so that you can use it in the router configuration commands. The diagram in this section shows a Layer 3 switch configured for port routing. It connects two VLANs, with two ports participating in one VLAN and one port in the other. The script shows the commands you would use to configure the Sun Netra CP3240 switch to provide the VLAN routing support shown in the diagram.
119. he IP Address for the Virtual Router 155
Setting Port Priority 155
Enabling VRRP on the Port 155
show ip interface 158
ip proxy-arp 158
Configuring the Interface 163
Setting Unsolicited Report Interval 163
CODE EXAMPLE 20-3 Resetting Host Interface Status Parameters 164
CODE EXAMPLE 20-4 Showing IGMP Proxy Host Interfaces 164
CODE EXAMPLE 20-5 Showing Host Interface Status 164
CODE EXAMPLE 20-6 Showing IGMP Proxy Groups 165
CODE EXAMPLE 20-7 Showing Detailed Information About Proxy Groups 165
CODE EXAMPLE 21-1 Device 1 170
CODE EXAMPLE 21-2 Device 2 171
CODE EXAMPLE 22-1 Set Up a MAC Access Label 180
CODE EXAMPLE 22-2 Specify MAC ACL Attributes 180
CODE EXAMPLE 22-3 Configure MAC Access Group 181
CODE EXAMPLE 22-4 Set Up ACL with Permit Action 183
CODE EXAMPLE 22-5 Show MAC Access Lists 184
CODE EXAMPLE 23-1 Configuring Ingress 201
CODE EXAMPLE 23-2 Configuring Egress 202
CODE EXAMPLE 24-1 Creating a Diffserv Class Type All 215
CODE EXAMPLE 24-2 Creating a Diffserv Policy for Inbound Traffic 215
CODE EXAMPLE 24-3 Attaching the Policy to Interfaces 216
CODE EXAMPLE 24-4 Setting CoS Queue for Egress 216
CODE EXAMPLE 24-5 Setting Queue on All Ports 232
CODE EXAMPLE 24-6 Creating a Diffserv Classifier 232
CODE EXAMPLE 24-7
CODE EXAMPLE 24-8
CODE EXAMPLE 24-9
CODE EXAMPLE 25-1
CODE EXAMPLE 26-1
CODE EXAMPLE 27-1
CODE EXAMPLE 29-1
CODE EXAMPLE 30-1
CODE EXAMPLE 30-2
CODE EXAMPLE 30-3
120. he help output shows a parameter in angle brackets, you must replace the parameter with a value.
(switch) #network parms ?
<ipaddr> Enter the IP Address.
If there are no additional command keywords or parameters, or if additional parameters are optional, the following message appears in the output:
<cr> Press Enter to execute the command.
You can also enter a question mark (?) after typing one or more characters of a word to list the available commands or parameters that begin with those letters, as shown in the following example:
(switch) #show m?
mac-addr-table mac-address-table monitor
Accessing the CLI
You can access the CLI by using a direct console connection or by using a telnet or SSH connection from a remote management host. For the initial connection, you must use a direct connection to the console port. You cannot access the system remotely until the system has an IP address, subnet mask, and default gateway. You can set the network configuration information manually, or you can configure the system to accept these settings from a BOOTP or DHCP server on your network. For more information, see "Network Interface Commands" on page 472.
Comments
The CLI enables the user to type single-line annotations at the command prompt, for use when writing test or configuration scripts and for better readability. The exclamation
121. he port. Depending on the outcome of the authentication process, the authenticator PAE then controls the authorized/unauthorized state of the controlled Port. Authentication can be handled locally or via an external authentication server. Two such servers are Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS). FASTPATH currently supports RADIUS; TACACS support implementation is planned for the future.
RADIUS supports an accounting function to maintain data on service usages. Under RFC 2866, an extension was added to the RADIUS protocol giving the client the ability to deliver accounting information about a user to an accounting server. Exchanges to the accounting server follow similar guidelines as those of an authentication server, but the flows are much simpler. At the start of service for a user, the RADIUS client that is configured to use accounting sends an accounting-start packet specifying the type of service that it will deliver. Once the server responds with an acknowledgement, the client periodically transmits accounting data. At the end of service delivery, the client sends an accounting-stop packet, allowing the server to update specified statistics. The server again responds with an acknowledgement.
Configuring Network Access Control
The following example configures a single RADIUS server used for authentication and accounting at 10
122. iable, most users have standardized on using a network prefix length of 64 bits. This leaves 64 bits for the interface-specific portion, called an Interface ID in IPv6. Depending upon the underlying link addressing, the Interface ID can be automatically computed from the link (e.g., MAC address). Such an automatically computed Interface ID is called an EUI-64 identifier. IPv6 packets on the network are of an entirely different format than traditional IPv4 packets, and are also encapsulated in a different Ethertype (contained within the L2 header) to indicate which L3 protocol is used. Routing these packets across L3 requires an infrastructure equivalent to, and parallel to, that provided for IPv4.
Using IPv6 Configurations
In FASTPATH, IPv6 will coexist with IPv4. As with IPv4, IPv6 routing can be enabled on physical and VLAN interfaces. Each L3 routing interface can be used for IPv4, IPv6, or both. Routing protocols such as OSPF are capable of computing routes for either IP version or both concurrently. Neighbor discovery is the IPv6 replacement for Address Resolution Protocol (ARP). Router advertisement is part of the neighbor discovery process and is required for IPv6. Stateless auto-configuration is part of router advertisement, and FASTPATH can support both stateless and stateful auto-configuration of end nodes. FASTPATH supports both EUI-64 interface identifiers and manually configure
123. icy Summary, Policy Attribute Summary, Service Configuration, Service Summary, Service Statistics, Service Detailed Statistics (Web interface navigation entries)
FIGURE 24-14 DiffServ Service Configuration (figure: DiffServ Service Configuration page; Unit/Slot/Port: 1/0/1; Policy In: internet_access)
FIGURE 24-15 DiffServ Service Summary (figure: DiffServ Service Summary page)
Unit/Slot/Port | Direction | Operational Status | Policy Name
1/0/1 | In | Down | internet_access
1/0/2 | In | Down | internet_access
1/0/3 | In | Down | inte
124. ide of the connection is assumed to originate and terminate at a Network Virtual Terminal (NVT).
- Server and user hosts do not maintain information about the characteristics of each other's terminals and terminal handling conventions.
- Must use a valid IP address.
This chapter contains the following topics:
- Section "Configuring a Telnet Connection via CLI" on page 31-260
- Section "Configuring a Telnet Connection via Web Interface" on page 31-262
Configuring a Telnet Connection via CLI
The following are examples of the CLI commands used with the Outbound Telnet feature.
Example 1: show network
CODE EXAMPLE 31-1 show network Command
(DTI SWITCH) >telnet 192.168.77.151
Trying 192.168.77.151...
(DTI SWITCH)
User: admin
Password:
(DTI SWITCH) >enable
Password:
(DTI SWITCH) #show network
IP Address..................................... 192.168.77.151
Subnet Mask.................................... 255.255.255.0
Default Gateway................................ 192.168.77.127
Burned In MAC Address.......................... 00:10:18:82:04:E9
Locally Administered MAC Address............... 00:00:00:00:00:00
MAC Address Type............................... Burned In
Network Configuration Protocol Current......... DHCP
Management VLAN ID............................. 1
Web Mode....................................... Enable
Java Mode...................................... Disable
Example 2: show telnet
CODE
125. Source IP Address page: Class Name finance_dept; Class Type All; IP Address 172.16.10.0; IP Mask 255.255.255.0; Submit / Cancel
FIGURE 24-6 DiffServ Class Configuration: Class Selector finance_dept; Class Name finance_dept (Rename / Delete); Class Type All; Class Match Selector; Add Match Criteria; Match Criteria Values: Source IP Address 172.16.10.0 255.255.255.0
FIGURE 24-7 DiffServ Class Summary: Class Na
126. ing for new methods of authentication to be added without disrupting existing functionality. As a user attempts to connect to a functioning RADIUS-supported network, a device referred to as the Network Access Server (NAS) or switch/router first detects the contact. The NAS or user login interface then prompts the user for a name and password. The NAS encrypts the supplied information and a RADIUS client transports the request to a pre-configured RADIUS server. The server can authenticate the user itself or make use of a back-end device to ascertain authenticity. In either case a response may or may not be forthcoming to the client. If the server accepts the user, it returns a positive result with attributes containing configuration information. If the server rejects the user, it returns a negative result. If the server rejects the client or the shared secrets differ, the server returns no result. If the server requires additional verification from the user, it returns a challenge and the request process begins again.

Configuring RADIUS
The following example configures two RADIUS servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The shared secrets are configured to be secret1 and secret2 respectively. The server at 10.10.10.10 is configured as the primary server. The process creates a new authentication list called radiusList, which uses RADIUS as the primar
127. ing traplogs 280
logging hosts 280
Example 5: logging port configuration 281
Configuring Syslog via Web Interface 283
Contents xv
Interpreting Log Files 285
Index 287

Figures
FIGURE 2-1 Mode-based CLI 24
FIGURE 3-1 Web Interface Panel Example 37
FIGURE 3-2 Web Interface Panel Example 39
FIGURE 3-3 Configuring an SNMP V3 User Profile 39
FIGURE 5-1 VLAN Example Network Diagram 55
FIGURE 6-1 LAG/Port Channel Example Network Diagram 63
FIGURE 8-1 IGMP Snooping Global Configuration and Status Page 77
FIGURE 8-2 IGMP Snooping Interface Configuration Page 77
FIGURE 8-3 IGMP Snooping VLAN Configuration 78
FIGURE 8-4 IGMP Snooping VLAN Status Page 79
FIGURE 8-5 IGMP Snooping Multicast Router Statistics Page 79
FIGURE 8-6 IGMP Snooping Multicast Router Configuration Page 80
FIGURE 8-7 IGMP Snooping Multicast Router VLAN Statistics Page 81
FIGURE 8-8 IGMP Snooping Multicast Router VLAN Configuration Page 82
FIGURE 9-1 Multiple Port Mirroring 89
FIGURE 9-2 Multiple Port Mirroring Add Source Ports 89
FIGURE 9-3 Multiple Port Mirroring 90
FIGURE 9-4 System Port Summary 91
FIGURE 9-5 92
FIGURE 10-1 Port Security Administration 96
128. interface. Default is 0.0.0.0.
Default Gateway | The default gateway for this interface. Default value is 0.0.0.0.
Burned-in MAC Address | The burned-in MAC address used for in-band connectivity.
Locally Administered MAC Address | Can be configured to allow a locally administered MAC address.
MAC Address Type | Specifies which MAC address should be used for in-band connectivity.
Network Configuration Protocol Current | Indicates which network protocol is being used. Default is none.
Management VLAN Id | Specifies the VLAN id.
Web Mode | Indicates whether HTTP/Web is enabled.
Java Mode | Indicates whether Java mode is enabled.
network parms <ipaddr> <netmask> [gateway] (Privileged EXEC Mode) | Sets the IP address, subnet mask and gateway of the router. The IP address and the gateway must be on the same subnet. IP Address range from 0.0.0.0 to 255.255.255.255. Subnet Mask range from 0.0.0.0 to 255.255.255.255. Gateway Address range from 0.0.0.0 to 255.255.255.255.

Quick Startup Uploading from Networking Device to TFTP Server
TABLE 1-5 Quick Startup Uploading from Networking Device to TFTP Server
Command | Details
copy nvram:startup-config <tftp://<ipaddress>/<filepath>/<filename>> (Privileged EXEC Mode) | Starts the upload, displays the mode and type of upload, and confirms the upload is progressing. The types are config (configuration
129. FIGURE 9-5 (Multiple Port Mirroring page: Add Source Port; Submit; Delete)

CHAPTER 10 Configuring Port Security
This chapter describes the Port Security feature. This chapter contains the following topics:
- Section "Port Security Benefits" on page 10-94
- Section "Configuring Port Security via CLI" on page 10-95
- Section "Configuring Port Security via Web Interfaces" on page 10-96

Port Security Benefits
- Allows for limiting the number of MAC addresses on a given port. Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted.
- Enabled on a per-port basis.
- When locked, only packets with an allowable MAC address will be forwarded.
- Supports both dynamic and static.
- Implements two traffic filtering methods. These methods can be used concurrently.
  - Dynamic Locking: User specifies the maximum number of MAC addresses that can be learned on a port. The maximum number of MAC addresses is platform dependent and is given in the software Release Notes. After the limit is reached, additional MAC addresses are not learned. Only frames with an allowable source MAC address are forwarded.
  - Static Locking: User manually specifies a list of static MAC addresses for a port. Dynamically locked addresses can be converted to staticall
130. FIGURE 22-9 MAC ACL Rule Configuration Page, Add Destination MAC and MAC Mask: Rule 1; Action Deny; Logging False; Match Every False; CoS; Destination MAC 00:11:22:33:44:55; Destination MAC Mask 00:00:00:00:FF:FF; Ethertype Key; Source MAC; Source MAC Mask; VLAN (each with a Configure button)
Chapter 22 Configuring Access Control Lists (ACLs)
FIGURE 22-10 ACL Interface Configuration: Unit/Slot/Port 1/0/5; Direction Inbound; ACL Type MAC ACL; MAC ACL mac1; Sequence Number (1 to 4294967295); List of Assigned ACLs: Unit/Slot/Port 1/0/5, Direction
131. llows you to create message screens when logging into the CLI Interface. The following apply:
- By default, no Banner file exists.
- Banner can be uploaded or downloaded.
- File size cannot be larger than 2K.

To Create a Pre-Login Banner
1. On your PC, using Notepad or another text editor, create a banner.txt file that contains the banner to be displayed, such as the following example:
   FASTPATH's Login Banner Unauthorized access is punishable by law
2. Transfer the file from the PC to the switch using TFTP.

CODE EXAMPLE 32-1 Creating a Pre-login Banner
(DTI SWITCH) #copy tftp://192.168.77.52/banner.txt nvram:clibanner
Mode........................................... TFTP
Set TFTP Server IP............................. 192.168.77.52
TFTP Path......................................
TFTP Filename.................................. banner.txt
Data Type...................................... Cli Banner
Are you sure you want to start? (y/n) y
CLI Banner file transfer operation completed successfully
(DTI SWITCH) #exit
(DTI SWITCH) >logout
FASTPATH's Login Banner Unauthorized access is punishable by law
User:
Chapter 32 Creating a Pre-Login Banner

Removing a Pre-login Banner via CLI
Use the no clibanner command to remove the banner from the switch.

CHAPTER 33 Configuring Simple Ne
132. lot | Logical slots immediately follow physical slots and identify port numbers, channel (LAG) or router interfaces.
CPU slot | The CPU slots immediately follow the logical slot numbers.
The port identifies the specific physical port or logical interface being managed on a given slot.

TABLE 2-4 Port Types
Port Type | Description
Physical Ports | The physical ports for each slot are numbered sequentially starting from zero.
Logical Interfaces | Port channel or Link Aggregation Group (LAG) interfaces are logical interfaces that are only used for bridging functions. VLAN routing interfaces are only used for routing functions. Loopback interfaces are logical interfaces that are always up. Tunnel interfaces are logical point-to-point links that carry encapsulated packets.
CPU ports | CPU ports are handled by the driver as one or more physical entities located on physical slots.

Note: In the CLI, loopback and tunnel interfaces do not use the slot/port format. To specify a loopback interface you use the loopback ID. To specify a tunnel interface you use the tunnel ID.
Chapter 2 Using the Command Line Interface

No Form of a Command
The no keyword is a specific form of an existing command and does not represent a new or distinct command. Almost every configuration command has a no form. In general, use the no form to reverse the action of a command or reset a value back to the default. For example, the no shutdown
133. me = supplied

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
default_md = sha1
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = req_extensions

# the following sections are specific to the request being built
[ certificate_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Mississippi
localityName = Ridgeland
organizationName = Diversified Technology, Inc.
organizationalUnitName = Support
commonName = Root CA
emailAddress = tech@ms.com
Chapter 4 Establishing Management Security

CODE EXAMPLE 4-3 SSL root.cnf Example (Continued)
[ req_extensions ]
basicConstraints = CA:true

SSH server.cnf
CODE EXAMPLE 4-4 SSH server.cnf Example
# default settings for example
[ ca ]
default_ca = ca

[ ca ]
dir = /opt/eca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = ca_policy
x509_extensions = certificate_extensions

[ ca_policy ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplie
134. Class Name | Class Type | Reference Class
finance_dept | All |
marketing_dept | All |
test_dept | All |
development_dept | All |

FIGURE 24-8 DiffServ Policy Configuration: Policy Selector Create; Policy Name internet_access; Policy Type In
FIGURE 24-9 DiffServ Policy Configuration: Policy Selector internet_access; Policy Name internet_access (Rename / Delete); Policy Type In; Available Class List finance_dept; Add Selected Class; Member Class List: No Member Classes
135. n address configured on the interface where the ARP request arrived.
This chapter contains the following topics:
- Section "Configuring Proxy ARP via CLI" on page 19-158
- Section "Configuring Proxy ARP via Web Interface" on page 19-159

Configuring Proxy ARP via CLI
The following are examples of the commands used in the proxy ARP feature.

Example 1: show ip interface
CODE EXAMPLE 19-1 show ip interface
(DTI SWITCH) #show ip interface ?
<slot/port>  Enter interface in slot/port format.
brief        Display summary information about IP configuration settings for all ports.
(DTI SWITCH) #show ip interface 0/24
Routing Mode................................... Disable
Administrative Mode............................ Enable
Forward Net Directed Broadcasts................ Disable
Proxy ARP...................................... Enable
Active State................................... Inactive
Link Speed Data Rate........................... Inactive
MAC Address.................................... 00:10:18:82:06:5F
Encapsulation Type............................. Ethernet
IP MTU......................................... 1500

Example 2: ip proxy-arp
CODE EXAMPLE 19-2 ip proxy-arp
(DTI SWITCH) (Interface 0/24)#ip proxy-arp ?
<cr>  Press Enter to execute the command.
(DTI SWITCH) (Interface 0/24)#ip proxy-arp
136. nabled for IGMP Snooping......................... 0/10
Vlans enabled for IGMP snooping................ 20

Example 2: show ip igmp interface
CODE EXAMPLE 8-2 show ip igmp interface
(LVL7 FASTPATH Routing/Switching) #show ip igmp interface ?
<slot/port>  Enter interface in unit/slot/port format.
membership   Display interfaces subscribed to the multicast group.
stats        Display IGMP statistical information.
(LVL7 FASTPATH Routing/Switching) #show ip igmp interface 0/10
Slot/Port...................................... 0/10
IGMP Admin Mode................................ Enable
Interface Mode................................. Disable
IGMP Version................................... 3
Query Interval (secs).......................... 125
Query Max Response Time (1/10 of a second)..... 100
Robustness..................................... 2
Startup Query Interval (secs).................. 31
Startup Query Count............................ 2
Last Member Query Interval (1/10 of a second).. 10
Last Member Query Count........................ 2

Example 3: show mac-address-table igmpsnooping
CODE EXAMPLE 8-3 show mac-address-table igmpsnooping
(DTI SWITCH) #show mac-address-table igmpsnooping ?
<cr>  Press Enter to execute the command.
(DTI SWITCH) #show mac-address-table igmpsnooping
MAC Address | Type | Description | Interfaces
00:01:01:00:5E:00:01:16 | Dynamic | Network Assist | Fwd: 0/47
00:01:01:00:5E:00:01
137. nce the authentication credentials are loaded and the certificates and authentication keys are formed, management security may be configured on the FASTPATH device. From privileged EXEC mode, issue the command ip ssh. This will allow secure shell sessions to be instantiated on the Sun Netra CP3240 switch. The message log should be checked for errors if a secure connection cannot be established. Entries such as the following indicate the nature of the problem:
0 days 02:30:30 File: ssh_sys_fastpath.c Line: 584 tid 40052584 context 0x0x157dba0 deleting 40052584 retval 1
0 days 02:30:30 File: ssh_sys_fastpath.c Line: 401 SSHD exiting global context 0x0x157dba0
0 days 02:30:30 File: sshd_main.c Line: 550 SSHD: host key is corrupt, did not decode
In this case the authentication credentials were invalid and should be regenerated. Messages indicating successful start of the ssh service look like the following example:
0 days 00:17:07 Unit: 1 File: sshd_main.c Line: 349 SSHD: Done generating server key
0 days 00:17:06 Unit: 1 File: sshd_main.c Line: 639 SSHD: successfully loaded RSA2 key
0 days 00:17:06 Unit: 1 File: sshd_main.c Line: 627 SSHD: successfully opened file ssh_host_rsa_key
0 days 00:17:06 Unit: 1 File: sshd_main.c Line: 605 SSHD: successfully loaded DSA key
0 days 00:17:06 Unit: 1 File: sshd_main.c Line: 592 SSHD: successfully opened file ssh_host_dsa_key
0 days 00:17:06 Uni
138. nd | Details
clear config (Privileged EXEC Mode) | Enter yes when the prompt pops up to clear all the configurations made to the networking device.
copy system:running-config nvram:startup-config | Enter yes when the prompt pops up that asks if you want to save the configurations made to the networking device.
reload, or cold boot the networking device (Privileged EXEC Mode) | Enter yes when the prompt pops up that asks if you want to reset the system. You can reset the networking device or cold start the networking device. Both work effectively.

CHAPTER 2 Using the Command Line Interface
The command line interface (CLI) is a text-based way to manage and monitor the switch and system. You can access the CLI by using a direct serial connection or by using a remote logical connection with telnet or SSH. For detailed information about using the CLI with the switch's software commands, refer to the Sun Netra CP3240 Switch Software Reference Manual (820-3253).
This chapter describes the CLI syntax, conventions, and modes. It contains the following sections:
- Command Syntax on page 16
- Command Conventions on page 16
- Parameter Conventions on page 17
- Parameter Values on page 18
- Slot/Port Naming Convention on page 19
- No Form of a Command on page 20
- Command Modes on page 20
- Command Completion and Abbreviation on pag
139. nderstanding Configuration Scripting 254
Configuring Scripting 255
Example 1: script 255
Example 2: script list and script delete 255
Example 3: script apply running-config.scr 256
Example 4: show running-config 256
Example 5: copy nvram:script 257
Example 6: script validate running-config.scr 257
Example 7: Validate Another Configuration Script 258
31 Establishing an Outbound Telnet Connection 259
Configuring a Telnet Connection via CLI 260
Example 1: show network 260
Example 2: show telnet 261
Example 3: transport output telnet 261
Example 4: session-limit and session-timeout 262
Configuring a Telnet Connection via Web Interface 262
32 Creating a Pre-Login Banner 265
Creating a Pre-login Banner via CLI 266
To Create a Pre-Login Banner 266
Removing a Pre-login Banner via CLI 267
33 Configuring Simple Network Time Protocol (SNTP) 269
Configuring SNTP via CLI 270
Example 1: show sntp 270
Example 2: show sntp client 270
Example 3: show sntp server 271
Example 4: configure sntp 271
Example 5: configure sntp client mode 272
Example 6: configuring sntp server 272
Example 7: configure sntp client port 272
Configuring SNTP via Web Interface 273
34 Storing and Collecting Message Logs with Syslog 277
Configuring Syslog via CLI 278
Example 1: show logging 278
Example 2: show logging buffered 279
Example 3: show logg
Example 4: show
140. Chapter 8 Monitoring IGMP Snooping
FIGURE 8-3 IGMP Snooping VLAN Configuration: VLAN ID (New Entry); VLAN ID (1 to 3965); Admin Mode Enable; Fast Leave Admin Mode Disable; Group Membership Interval 260 (Max Response Time+1 to 3600); Maximum Response Time 10 (1 to Group Membership Interval-1); Multicast Router Expiry Time 0 (0 to 3600); Submit / Delete
FIGURE 8-4 IGMP Snooping VLAN Status Page: VLAN ID; Admin Mode; Fast Leave Admin Mode; Group Membership Interval; Max Response Time; Multicast Router Expiry Time
141. nfiguring CoS Mapping and Queues via Web Interface on page 23-203

Understanding Class of Service (CoS)
The Class of Service (CoS) feature lets you give preferential treatment to certain types of traffic over others. To set up this preferential treatment, you can configure the ingress ports, the egress ports, and individual queues on the egress ports to provide customization that suits your environment. The level of service is determined by the egress port queue to which the traffic is assigned. When traffic is queued for transmission, the rate at which it is serviced depends on how the queue is configured and possibly the amount of traffic present in other queues for that port.
Some traffic is classified for service (i.e., packet marking) before it arrives at the switch. If you decide to use these classifications, you can map this traffic to egress queues by setting up a CoS Mapping table. Each ingress port on the switch has a default priority value (set by configuring VLAN Port Priority in the Switching sub-menu) that determines the egress queue its traffic gets forwarded to. Packets that arrive without a priority designation, or packets from ports you've identified as untrusted, get forwarded according to this default.

Ingress Port Configurations
Trusted and Untrusted Ports, CoS Mapping Table
The first task for ingress port configuration is to specify whether t
142. ning RIP sends the contents of its routing table to each of its adjacent routers every 30 seconds. When a route is removed from the routing table, it is flagged as unusable by the receiving routers after 180 seconds and removed from their tables after an additional 120 seconds. There are two versions of RIP:
- RIPv1, defined in RFC 1058
  - Routes are specified by IP destination network and hop count.
  - The routing table is broadcast to all stations on the attached network.
- RIPv2, defined in RFC 1723
  - Route specification is extended to include subnet mask and gateway.
  - The routing table is sent to a multicast address, reducing network traffic.
  - An authentication method is used for security.
The Netra CP3240 switch supports both versions of RIP. You can configure a given port to:
- receive packets in either or both formats
- transmit packets formatted for RIPv1 or RIPv2, or to send RIPv2 packets to the RIPv1 broadcast address
- prevent any RIP packets from being received
- prevent any RIP packets from being transmitted

Configuring VLAN With RIP via CLI
The following example adds support for RIPv2 to the configuration created in the base VLAN routing example. A second router, using port routing rather than VLAN routing, has been added to the network.
FIGURE 17-2 RIP for VLAN Routing Example Network Diagram (labels: Router; Router Port 1/0/5; Layer 3 Switch 192.150.5.1; Physical
143. nitial Access Configuration
Initial configuration of the Netra CP3240 switch must be done either through the serial console port or through the out-of-band Ethernet management port (MGMT).

Serial Configuration
You can use a locally or remotely attached terminal to configure in-band and out-of-band management through the MGMT serial port.
1. To use a locally attached terminal, attach one end of a null modem serial cable to the MGMT serial port of the switch and the other end to the COM port of the terminal or workstation.
2. For remote attachment, attach one end of the serial cable to the MGMT serial port of the switch and the other end to the modem.
Chapter 1 Getting Started
3. Set up the terminal for VT100 terminal emulation.
   a. Set the terminal ON.
   b. Launch the VT100 application.
   c. Configure the COM port as follows:
      i. Set the data rate to 9600 baud.
      ii. Set the data format to 8 data bits, 1 stop bit and no parity.
      iii. Set the flow control to none.
      iv. Select the proper mode under Properties.
      v. Select Terminal keys.
   The Log in User prompt displays when the terminal interface initializes.
4. Enter an approved user name and password. The default is admin for the user name and the password is blank.
The switch is installed and loaded with the default configuration.

Configuring for In-band Connectivity
In-band connectivity allows you to access the switch from a remote workstation. To use in-band conn
144. Configuring Proxy ARP via Web Interface 159
20 Configuring IGMP Proxy 161
Understanding IGMP Proxy 162
Configuring IGMP Proxy via CLI 163
Example 1: Configuring the Interface 163
Example 2: Set the Unsolicited Report Interval 163
Example 3: Reset the Host Interface Status Parameters 164
Example 4: Show IGMP Proxy Host Interfaces 164
Example 5: Show Detailed Listing of Host Interface Status 164
Example 6: Show IGMP Proxy Groups 165
Example 7: Show Detailed Information about IGMP Proxy Groups 165
21 Configuring Internet Protocol (IPv6) 167
Understanding IPv6 168
Using IPv6 Configurations 169
Configuring IPv6 via CLI 170
22 Configuring Access Control Lists (ACLs) 173
Understanding Access Control Lists 174
Features 174
Limitations 175
MAC ACLs 175
IP ACLs 176
Configuring Access Control Lists 176
To Configure ACLs 176
Setting Up an IP ACL via CLI 177
Example 1: Create ACL 179 and Define an ACL Rule 178
Example 2: Define the Second Rule for ACL 179 178
Example 3: Apply the Rule to Inbound Traffic on Port 1/0/2 178
Setting Up a MAC ACL via CLI 179
Example 1: Set up a MAC Access List 180
Example 2: Specify MAC ACL Attributes 180
Example 3: Configure MAC Access Group 181
Example 4: Set up an ACL with Permit Action 183
Example 5: Show MAC Access Lists 184
Setting Up ACLs via Web Interface 185
23 Configuring Class of Service Queuing 195
Understandin
145. nterface
FIGURE 24-2 DiffServ Configuration
FIGURE 24-3 DiffServ Class Configuration: Class Selector Create; Class Name finance_dept; Class Type All; Submit / Cancel
FIGURE 24-4 DiffServ Class Configuration: Class Selector finance_dept; Class Name finance_dept (Rename / Delete); Class Type All; Class Match Selector Source IP Address; Add Match Criteria; Match Criteria Values
FIGURE 24-5 Source IP Address
146. # o something unique
PASSWORD=FASTPATH
# Set the number of days the certs will be valid for
VALID_NUM_DAYS=3650
################################################################
# Generate the Self Signed Trusted Root Certification Authority (CA) and
CODE EXAMPLE 4-2 SSL pemCreate.sh Example (Continued)
# Private Key
################################################################
$OPENSSL req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem -config root.cnf -passout pass:$PASSWORD
$OPENSSL x509 -req -days $VALID_NUM_DAYS -in rootreq.pem -sha1 -extfile root.cnf -extensions certificate_extensions -signkey rootkey.pem -out rootcert.pem -passin pass:$PASSWORD
cat rootcert.pem rootkey.pem > root.pem
rm rootkey.pem rootreq.pem
################################################################
# Generate the Trusted Server Certificate (signed by the Root CA)
################################################################
$OPENSSL req -newkey rsa:1024 -sha1 -k
147. Port Security Violation Status page: Unit/Slot/Port 1/0/1; VLAN ID; Last Violation MAC Address
FIGURE 11-5 Port Security Administration: Port Security Mode
Chapter 11 Configuring Port Description

CHAPTER 12 Configuring Link Layer Discovery Protocol
This chapter describes the Link Layer Discovery Protocol (LLDP) feature that allows individual interfaces on the switch to advertise major capabilities and physical descriptions. Network managers can view this information and identify system topology and detect bad configurations on the LAN. LLDP has separately configurable transmit and receive functions. Interfaces can transmit and receive LLDP information. This chapter contains the following topics:
- Section "Configuring L
148. FIGURE 22-7 MAC ACL Rule Configuration Page, View the Current Settings: MAC ACL mac1; Rule 1; Action Deny; Logging False; Match Every False; CoS; Destination MAC 00:11:22:33:44:55; Destination MAC Mask 00:00:00:00:FF:FF; Ethertype Key; Source MAC; Source MAC Mask; VLAN (each with a Configure button); Delete
...policy handles incoming packets already marked with a DSCP value of EF (per the class_ef definition) or marks UDP packets (per the class_voip definition) with a DSCP value of EF. In each case the matching packets are assigned internally to use queue 5 of the egress port to which they are forwarded.

CODE EXAMPLE 24-8 Creating a DiffServ Policy
    policy-map pol_voip in
    class class_ef
    assign-queue 5
    exit
    class class_voip
    mark ip-dscp ef
    assign-queue 5
    exit
    exit

Attach the defined policy to an inbound service interface.

CODE EXAMPLE 24-9 Attaching the Policy to an Inbound Interface
    interface 1/0/2
    service-policy in pol_voip
    exit
    exit

CHAPTER 25 Configuring Network Access Control

This chapter describes how to configure network access control. This chapter contains the following topics:
- Section "Understanding Port-Based Network Access Control" on page 25-236
- Section "Configuring Network Access Control" on page 25-237

Understanding Port-Based Network Access Control

Port-based network access control allows the operation of a system's port(s) to be controlled to ensure that access to its services is permitted only by systems that are authorized to do so. Port Ac
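The class_voip, class_ef and pol_voip configuration from CODE EXAMPLE 24-6 through 24-8, expressed as a Python model so the policy's effect on sample packets can be checked offline. This is an added example, not code from the guide or from the switch software; it assumes in-order, first-match evaluation of a policy's classes, represents EF by its numeric DSCP value 46, and reduces a packet to the fields the policy inspects.

```python
"""Offline model of the guide's DiffServ VoIP policy (class_voip, class_ef, pol_voip).

Added example; not code from the guide or from the switch software.
It reproduces the classification semantics the text describes: a match-all
class matches only when every criterion holds, pol_voip marks UDP packets
with DSCP EF, and both UDP and already-EF packets are assigned to egress
queue 5. Assumptions: classes are evaluated in order with the first match
winning, and EF is represented by its numeric DSCP value 46.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

DSCP_EF = 46  # Expedited Forwarding code point (RFC 3246); assumed numeric form


@dataclass
class Packet:
    protocol: str                 # "udp", "tcp", ...
    dscp: int = 0                 # DSCP carried in the IP header
    queue: Optional[int] = None   # egress queue assigned by the policy


@dataclass
class ClassMap:
    """A 'class-map match-all|match-any <name>' with its match criteria."""
    name: str
    criteria: List[Callable[[Packet], bool]] = field(default_factory=list)
    match_all: bool = True

    def matches(self, pkt: Packet) -> bool:
        results = [c(pkt) for c in self.criteria]
        return all(results) if self.match_all else any(results)


@dataclass
class PolicyClass:
    """One 'class <name>' instance inside a policy-map and its actions."""
    cls: ClassMap
    mark_dscp: Optional[int] = None     # 'mark ip-dscp <value>'
    assign_queue: Optional[int] = None  # 'assign-queue <n>'


@dataclass
class PolicyMap:
    name: str
    direction: str                      # 'in' for an inbound policy
    classes: List[PolicyClass] = field(default_factory=list)

    def apply(self, pkt: Packet) -> Optional[str]:
        """Apply the first matching class's actions; return its name or None."""
        for pc in self.classes:
            if pc.cls.matches(pkt):
                if pc.mark_dscp is not None:
                    pkt.dscp = pc.mark_dscp
                if pc.assign_queue is not None:
                    pkt.queue = pc.assign_queue
                return pc.cls.name
        return None


def build_pol_voip() -> PolicyMap:
    """Build the guide's class_voip / class_ef / pol_voip configuration."""
    class_voip = ClassMap("class_voip", [lambda p: p.protocol == "udp"])
    class_ef = ClassMap("class_ef", [lambda p: p.dscp == DSCP_EF])
    return PolicyMap("pol_voip", "in", [
        PolicyClass(class_ef, assign_queue=5),                        # class class_ef
        PolicyClass(class_voip, mark_dscp=DSCP_EF, assign_queue=5),   # class class_voip
    ])


def classify(pkts: List[Packet]):
    """Run pol_voip over packets; return (matched class, dscp, queue) per packet."""
    pol = build_pol_voip()
    return [(pol.apply(p), p.dscp, p.queue) for p in pkts]


if __name__ == "__main__":
    # Constructed sample traffic: a VoIP UDP packet, a pre-marked EF packet,
    # and a plain TCP packet that should pass through untouched.
    sample = [Packet("udp"), Packet("tcp", dscp=DSCP_EF), Packet("tcp")]
    for row in classify(sample):
        print(row)
```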
...Config mode 25

H
HTML 36
HTTP 36

I
interface 56
Interface Config command mode 21
Interface Config mode 26
Internet. See Web interface
ip access-group 178
ip address 118, 141, 145, 148
ip dhcp filtering 249
ip igmp 74
ip ospf 131, 134, 149
ip proxy-arp 158
ip rip 125
ip routing 130, 140, 153
ip vrrp 153, 154

J
JavaScript(TM) 36

K
key (tacacs) 246

L
Line Config command mode 21
Line Config mode 26
lldp 106
logging port configuration 281
logout 11

M
mac access-group 182
mac access-list 180
MAC Access-list Config mode 28
match srcip 215
mode-based command hierarchy 25
mode-based topology 23
modes
  Class Map 27
  DHCP Pool Config 28
  DHCP Pool Config IPv6 29
  Global Config 25
  Interface Config 26
  Line Config 26
  MAC Access-list Config 28
  Policy Class 26
  Policy Map 26
  Privileged Exec 25
  Router BGP Config 28
  Router OSPF Config 27
  Router OSPF Config v3 27
  Router RIP Config 27
  TACACS Config 28
  User Exec 25
  VLAN 29
monitor session 86

N
network parms 12
Next button 42
no 1583compatibility 130

P
parameter conventions 17
permit 183
Policy Class Config command mode 21
Policy Class mode 26
Policy Map Config command mode 21
Policy Map mode 26
policy-map 215
port-channel 64, 65
port security 96
Privileged Exec command mode 21
Privileged Exec mode 25
prompts, Switch 21, 22

R
[Figure residue: egress Port 1/0/8 scheduling diagram ("...port default priority > traffic class"; switch fabric to egress Port 1/0/8; queue 6 strict, queues 5 through 0 weighted with the percentages shown in the figure, 0 meaning no guaranteed bandwidth; packet transmission order B, A, D, C).]

Continuing this example, you configured the egress Port 1/0/8 for strict priority on queue 6 and set a weighted scheduling scheme for queues 5-0. Assuming queue 5 has a higher weighting than queue 1 (relative weight values are shown as a percentage, with 0 indicating the bandwidth is not guaranteed), the queue service order is 6, followed by 5, followed by 1. Assuming each queue unloads all packets shown in the diagram, the packet transmission order as seen on the network leading out of Port 1/0/8 is B, A, D, C. Thus packet B, with its higher user precedence than the others, is able to work its way through the device with minimal delay and is transmitted ahead of the other packets at the egress port.

FIGURE 23-2 CoS Configuration Example System Diagram
[Figure residue: Port 1/0/10, Port 1/0/8, Server.]

You will configure the ingress interface uniquely for all CoS queue and VLAN parameters.

CODE EXAMPLE 23-1 Configuring Ingress
    configure
    interface 0/10
    classofservice trust dot1p
...ports 0/2 and 0/3, as shown in the network illustrated in Figure 15-1.

FIGURE 15-1 Port Routing Example Network Diagram
[Figure residue: Layer 3 switch acting as a router; Port 1/0/3 on Subnet 3, Port 1/0/2 on Subnet 2, Port 1/0/5 on Subnet 5; addresses shown in the figure: 192.130.3.1, 192.150.2.2, 192.64.4.1.]

Example 1 Enable Routing for the Switch
The following sequence enables routing for the switch.

CODE EXAMPLE 15-1 Enable Routing for the Switch
    config
    ip routing
    exit

Example 2 Enable Routing for Ports
The following command sequence enables routing and assigns IP addresses for ports 1/0/2 and 1/0/3.

CODE EXAMPLE 15-2 Enable Routing for the Ports
    config
    interface 0/2
    routing
    ip address 192.150.2.1 255.255.255.0
    exit
    interface 0/3
    routing
    ip address 192.150.3.1 255.255.255.0
    exit
    exit

Example 3 Enable RIP for the Switch
The next sequence enables RIP for the switch. The route preference defaults to 15.

CODE EXAMPLE 15-3 Enable RIP for the Switch
    config
    router rip
    enable
    exit
    exit

Example 4 Enable RIP for Ports 1/0/2 and 1/0/3
This command sequence enables RIP for ports 0/2 and 0/3. Authentication defaults to none, and no default route entry is created. The commands specify that both ports receive both RIPv1 and RIPv2 frames, but send only RIPv2-formatted frames.

CODE EXAMPLE 15
...ory. Provides List, Delete, Apply, Upload, Download. Provides a script format of one CLI command per line.

The following limitations exist:
- The total number of scripts stored on the system is limited by NVRAM/FLASH size.
- Application of scripts is partial if the script fails. For example, if the script executes five of ten commands and then fails, the script stops at five.
- Scripts cannot be modified or deleted while being applied.
- Validation of scripts checks for syntax errors only. It does not validate that the script will run.

Configuring Scripting

The following are examples of the CLI commands used for the Configuration Scripting feature.

Example 1 script

CODE EXAMPLE 30-1 script Command
    (DTI SWITCH) #script ?
    apply      Applies configuration script to the switch.
    delete     Deletes a configuration script file from the switch.
    list       Lists all configuration script files present on the switch.
    show       Displays the contents of configuration script.
    validate   Validate the commands of configuration script.

Example 2 script list and script delete

CODE EXAMPLE 30-2 script list and script delete Commands
    (DTI SWITCH) #script list
    Configuration Script Name        Size (Bytes)
    -------------------------------  ------------
    basic.scr                        93
    running-config.scr               3201
    2 configuration script(s) found.
    1020706 bytes free.
    (DTI SWITCH) #script delete basic.scr
    Are you sure you want to delete the configuration script(s)? (y/n)
...Protocol (IGMP) proxy. This chapter contains the following topics:
- Section "Understanding IGMP Proxy" on page 20-162
- Section "Configuring IGMP Proxy via CLI" on page 20-163

Understanding IGMP Proxy

The purpose of IGMP proxy is to enable a multicast router to learn multicast group membership information and to forward multicast packets based upon that group membership information. The IGMP proxy can function only in certain topologies that do not require multicast routing protocols (i.e., DVMRP, PIM-DM and PIM-SM) and that have a tree-like topology, as there is no support for features like spanning tree to correct packet route loops.

The proxy contains many downstream interfaces and a unique, explicitly configured upstream interface. It performs the host side of the IGMP protocol on its upstream interface and the router side of the IGMP protocol on its downstream interfaces.

The IGMP proxy offers a mechanism for multicast forwarding based only upon IGMP membership information. The router has to decide about forwarding packets on each of its interfaces based on the IGMP membership information. The proxy creates the forwarding entries based on the membership information and adds them to the multicast forwarding cache (MFC), so that it does not have to make the forwarding decision again for subsequent multicast packets with the same combination of source and group.

Configu
...Router ID and Enable OSPF for the Switch
The following sequence specifies the router ID and enables OSPF for the switch. Disable 1583 compatibility to prevent the routing loop.

CODE EXAMPLE 16-3 Specifying Router ID and Enabling OSPF for the Switch
    config
    router ospf
    enable
    router-id 192.150.9.9
    no 1583compatibility
    exit
    exit

Enable and Configure OSPF for the Ports
The following sequence enables OSPF and sets the OSPF priority and cost for the ports.

CODE EXAMPLE 16-4 Enabling and Configuring OSPF for the Ports
    config
    interface 0/2
    ip ospf
    ip ospf areaid 0.0.0.2
    ip ospf priority 128
    ip ospf cost 32
    exit
    interface 0/3
    ip ospf
    ip ospf areaid 0.0.0.3
    ip ospf priority 255
    ip ospf cost 64
    exit
    exit

Example 2 Configuring OSPF on a Border Router
The next diagram shows the same network segment with the Sun Netra CP3240 switch operating as the border router in area 0.0.0.2. The example script shows the commands used to configure the switch with OSPF enabled on port 1/0/2 for communication with the inter-area router in the OSPF backbone, and on ports 1/0/3 and 1/0/4 for communication with subnets within area 0.0.0.2.

FIGURE 16-2 OSPF Example Network Diagram
[Figure residue: Border Router Port 1/0/2 192.150.2.1; Inter-area Router Port 1/0/2 192.150.2.2.]
FIGURE 10-3 Port Security Dynamically Learned MAC Addresses
[Figure residue (Chapter 10 Configuring Port Security): Port Security Dynamically Learned MAC Addresses page (Unit/Slot/Port, MAC Address, VLAN ID); Port Security Violation Status page (Unit/Slot/Port, Last Violation MAC Address, VLAN ID); Port Security Administration page (Port Security Mode); navigation trees omitted.]
...over an encrypted channel. The server then grants or denies access, which the switch honors, and either allows or does not allow the user to gain access to the switch. If neither of the two servers can be contacted, the switch searches its local user database for the user.

CODE EXAMPLE 27-1 Configuring Access Control for Networked Devices
    config
    tacacs-server host 10.10.10.10
    key tacacs1
    exit
    tacacs-server host 11.11.11.11
    key tacacs2
    priority 2
    exit
    authentication login tacacsList tacacs local
    users defaultlogin tacacsList
    exit

CHAPTER 28 Configuring DHCP Filtering

This chapter describes the Dynamic Host Configuration Protocol (DHCP) Filtering feature and how to configure DHCP filtering. This chapter contains the following topics:
- Section "Understanding Dynamic Host Configuration Protocol (DHCP) Filtering" on page 28-248
- Section "Configuring DHCP Filtering" on page 28-249

Understanding Dynamic Host Configuration Protocol (DHCP) Filtering

DHCP filtering provides security by filtering untrusted DHCP messages. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within the network. You can use DHCP Filtering as a security measure against unauthorized DHCP servers. A known attack can occur when an unauthorized DHCP server responds to a client that is requesting an IP a
...ow you to view or configure the following information:
- Software versions
- Physical port data
- User account management
- IP address configuration
- Uploading from Networking Device to Out-of-Band PC
- Downloading from Out-of-Band PC to Networking Device
- Downloading from TFTP Server
- Restoring factory defaults

For each of these tasks, a table shows the command syntax, the mode you must be in to execute the command, and the purpose and output of the command. If you configure any network parameters, you should execute the following command:

    copy system:running-config nvram:startup-config

This command saves the changes to the configuration file. You must be in the correct mode to execute the command. If you do not save the configuration, all changes are lost when you power down or reset the networking device. In a stacking environment, the running configuration is saved in all units of the stack.

Quick Startup Software Version Information

TABLE 1-1 Quick Startup Software Version Information
Command | Details
show hardware (Privileged EXEC Mode) | Display System Information: System Description, Serial Number, MAC Address, Software Version

Quick Startup Physical Port Data

TABLE 1-2 Quick Startup Physical Port Data
Command | Details
show port all (Privileged EXEC Mode) | Displays the ports: Interface (slot/port). See the FASTPATH 2000 Command Reference for more information about
    ...p dhcp filtering
    Switch DHCP Filtering is Enabled

    Interface   Trusted
    ---------   -------
    1/0/1       No
    1/0/2       No
    1/0/3       No
    1/0/4       No
    1/0/5       No
    1/0/6       No
    1/0/7       No
    1/0/8       No
    1/0/9       No
    1/0/10      No
    1/0/11      Yes
    1/0/12      No
    1/0/13      No
    1/0/14      No
    1/0/15      No

CHAPTER 29 Configuring Traceroute

This chapter describes how to configure the Traceroute feature. Use Traceroute to discover the routes that packets take when traveling, on a hop-by-hop basis, to their destination through the network.
- Maps network routes by sending packets with small Time-to-Live (TTL) values and watching for the ICMP time-out announcements.
- The command displays all L3 devices.
- Can be used to detect issues on the network.
- Tracks up to 20 hops.
- The default UDP port used is 33343 unless modified in the traceroute command.

Note: You can execute Traceroute with CLI commands only; there is no Web interface for this feature.

Configuring Traceroute

The following shows an example of using the traceroute command to determine how many hops there are to the destination. The command output shows each IP address the packet passes through and how long it takes to get there. In this example, the packet takes 16 hops to reach its destination.

CODE EXAMPLE 29-1 Configuring Traceroute
    (DTI SWITCH) #traceroute ?
    <ipaddr>    Enter IP address.
    (DTI SWITCH) #traceroute 216.109.118.74 ?
    <cr>        Press Enter to ex
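A parser and audit check for the show ip dhcp filtering output above, serving the DHCP Filtering description in Chapter 28 as well: it reads the Interface/Trusted table and reports ports whose trust setting differs from an operator-supplied list of approved DHCP server or uplink ports. This is an added example, not the guide's or the switch's own code; the sample output is constructed to match the guide's table, in which only 1/0/11 is trusted.

```python
"""Audit 'show ip dhcp filtering' output against the ports that should be trusted.

Added example, not from the Sun Netra CP3240 guide. It parses the
Interface/Trusted table the switch prints (as shown in the guide) and flags
any interface whose trust setting differs from what the operator expects:
an unexpected trusted port is a place where a rogue DHCP server would be
accepted, and an untrusted uplink means legitimate offers are dropped.
"""
import re

# Constructed sample, modelled on the guide's output (1/0/11 is the only
# trusted port).
SAMPLE_OUTPUT = """\
Switch DHCP Filtering is Enabled

Interface  Trusted
---------  -------
1/0/1      No
1/0/2      No
1/0/11     Yes
1/0/12     No
"""

_ROW = re.compile(r"^\s*(\d+/\d+/\d+)\s+(Yes|No)\s*$", re.IGNORECASE)
_STATE = re.compile(r"DHCP Filtering is (Enabled|Disabled)", re.IGNORECASE)


def parse_dhcp_filtering(text):
    """Return (filtering_enabled, {interface: trusted}) from the show output."""
    m = _STATE.search(text)
    if not m:
        raise ValueError("could not find the DHCP Filtering admin state")
    enabled = m.group(1).lower() == "enabled"
    table = {}
    for line in text.splitlines():
        row = _ROW.match(line)
        if row:
            table[row.group(1)] = row.group(2).lower() == "yes"
    if not table:
        raise ValueError("no interface rows found")
    return enabled, table


def audit_dhcp_filtering(text, expected_trusted):
    """Compare the switch state with the set of ports that should be trusted.

    Returns a list of finding strings; an empty list means the switch
    matches the intended policy.
    """
    findings = []
    enabled, table = parse_dhcp_filtering(text)
    if not enabled:
        findings.append("DHCP filtering is disabled: unauthorized DHCP offers are not blocked")
    expected = set(expected_trusted)
    for intf, trusted in sorted(table.items()):
        if trusted and intf not in expected:
            findings.append(f"{intf} is trusted but is not an approved DHCP server/uplink port")
        elif not trusted and intf in expected:
            findings.append(f"{intf} should be trusted (DHCP server/uplink) but is untrusted")
    for intf in sorted(expected - set(table)):
        findings.append(f"{intf} is in the approved list but absent from the switch output")
    return findings


if __name__ == "__main__":
    # Approved list is an assumption for the sample: 1/0/11 is the uplink.
    for finding in audit_dhcp_filtering(SAMPLE_OUTPUT, {"1/0/11"}):
        print(finding)
```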
...pics:
- Section "Understanding Routing Information Protocol" on page 15-122
- Section "Configuring RIP via CLI" on page 15-123
- Section "Configuring RIP via Web Interface" on page 15-125

Understanding Routing Information Protocol

A router running RIP sends the contents of its routing table to each of its adjacent routers every 30 seconds. When a route is removed from the routing table, it is flagged as unusable by the receiving routers after 180 seconds and removed from their tables after an additional 120 seconds.

There are two versions of RIP:
- RIPv1, defined in RFC 1058. Routes are specified by IP destination network and hop count. The routing table is broadcast to all stations on the attached network.
- RIPv2, defined in RFC 1723.
  - Route specification is extended to include subnet mask and gateway.
  - The routing table is sent to a multicast address, reducing network traffic.
  - An authentication method is used for security.

The Netra CP3240 switch supports both versions of RIP. You can configure a given port to:
- receive packets in either or both formats
- transmit packets formatted for RIPv1 or RIPv2, or send RIPv2 packets to the RIPv1 broadcast address
- prevent any RIP packets from being received
- prevent any RIP packets from being transmitted

Configuring RIP via CLI

The configuration commands used in the following example enable RIP on p
[Figure residue (Chapter 8 Monitoring IGMP Snooping): IGMP Snooping configuration page (Data Frames Forwarded by the CPU: 0; VLAN IDs Enabled for IGMP Snooping; Interface Configuration; VLAN Status; VLAN Configuration; Multicast Router Statistics/Configuration; Multicast Router VLAN Statistics/Configuration); navigation tree omitted.]

CHAPTER 9 Configuring Port Mirroring

This chapter describes the Port Mirroring feature, which can serve as a diagnostic tool, a debugging tool, or a means of fending off attacks. Port mirroring selects network traffic from specific ports for analysis by a network analyzer, while allowing the same traffic to be switched to its destination. You can configure many switch ports as source ports and one switch port as a destination port. You can also configure how traffic is mirrored on a source port: packets received on the source port, transmitted on the port, or both received and transmitted, can be mirrored to the destination port.

This chapter contains the following topics:
- Section "Configuring Port Mirroring via CLI" on page 9-86
- Section "Configuring Port Mirroring via Web Interface" on page 9-88

Configuring Port Mirroring via CLI

The following are examples of the commands used in the Port Mirroring feature.

Example 1
...point (!) character flags the beginning of a comment. The comment flag character can begin a word anywhere on the command line, and all input following this character is ignored. Any command line that begins with the character is recognized as a comment line and ignored by the parser. Some examples of comments are provided in the following code:

    ! Script file for displaying the ip interface
    ! Display information about interfaces
    show ip interface 0/1 ! Displays the information about the first interface
    ! Display information about the next interface
    show ip interface 0/2
    ! End of the script file

CHAPTER 3 Using the Web Interface

This chapter is a brief introduction to the Web interface. It explains how to access the Web-based management panels to configure and manage the system. This chapter contains the following topics:
- Section "Configuring for Web Access" on page 3-36
- Section "Starting the Web Interface" on page 3-37

Configuring for Web Access

You can manage your switch through a Web browser and Internet connection. This is referred to as Web-based management. To use Web-based management, the system must be set up for network connectivity. To access the switch, the Web browser must support:
- HTML version 4.0 or later
- HTTP version 1.1 or later
- JavaScript version 1.2 or later
- Java Runtime Plug-in 1.50.06 or later
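A parser and dry-run applier for the script format described here and in the Configuration Scripting chapter (one CLI command per line, "!" comments anywhere on a line, partial application that stops at the first failing command). This is an added example, not the guide's or the switch's own code; the keyword table used by the stand-in executor is an assumption, since the real switch validates syntax only and the example cannot know which commands would succeed.

```python
"""Parser and dry-run applier for FASTPATH-style configuration scripts.

Added example, not from the guide or the switch software. It implements the
two behaviours the guide describes: '!' starts a comment anywhere on a line
(the rest of the line is ignored, and a line that begins with '!' is
skipped), and application is partial, stopping at the first command that
fails. The executor is a constructed stand-in, not the switch's parser.
"""
from typing import Callable, Iterable, List, Tuple

COMMENT_CHAR = "!"

# Constructed sample script in the guide's comment style.
SAMPLE_SCRIPT = """\
! Script file for displaying the ip interface
! Display information about interfaces
show ip interface 0/1 ! Displays the information about the first interface
! Display information about the next interface
show ip interface 0/2
! End of the script file
"""


def parse_script(text: str) -> List[str]:
    """Return the CLI commands in a script with comments and blank lines removed."""
    commands = []
    for raw in text.splitlines():
        # Everything from the comment character onward is ignored.
        line = raw.split(COMMENT_CHAR, 1)[0].strip()
        if line:
            commands.append(line)
    return commands


def apply_script(commands: List[str], execute: Callable[[str], bool]) -> Tuple[int, str]:
    """Apply commands in order and stop at the first failure.

    Returns (number of commands applied, failing command or '').  This mirrors
    the guide's note that a script failing at command five of ten leaves the
    first five applied, which is why a script should be validated and its
    effect reviewed before it is applied to a production switch.
    """
    applied = 0
    for cmd in commands:
        if not execute(cmd):
            return applied, cmd
        applied += 1
    return applied, ""


def make_executor(known_prefixes: Iterable[str]) -> Callable[[str], bool]:
    """Constructed stand-in for the switch: a command 'succeeds' when it
    starts with one of the known keywords (assumed table, not the real CLI)."""
    prefixes = tuple(known_prefixes)

    def execute(cmd: str) -> bool:
        return cmd.startswith(prefixes)

    return execute


if __name__ == "__main__":
    cmds = parse_script(SAMPLE_SCRIPT)
    print(cmds)
    print(apply_script(cmds, make_executor(["show ", "interface ", "exit"])))
```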
[Figure residue: navigation tree omitted.]

Configuring LLDP via Web Interface

The LLDP menu page contains links to the following features:
- LLDP Configuration
- LLDP Statistics
- LLDP Connections

LLDP Configuration

Use the LLDP Global Configuration page to specify LLDP parameters.

FIGURE 12-1 LLDP Global Configuration
[Figure residue: Transmit Interval 30 (1 to 32768); Hold Multiplier 8 (2 to 10); Re-Initialization Delay 5 (1 to 10); Notification Interval 1000 (5 to 3600); Submit.]

The LLDP Global Configuration page contains the following fields:
- Transmit Interval (1-32768): Specifies the interval at which frames are transmitted. The default is 30 seconds.
- Hold Multiplier (2-10): Specifies the multiplier on the transmit interval to assign to TTL. The default is 4.
- Re-Initialization Delay (1-10): Specifies the delay before a re-initialization. The default is 2 seconds.
- Notification Interval (5-3600): Limits the transmission of notifications. The default is 5 seconds.

Use the LLDP Interface Configuration
CLI Error Messages

If you enter a command and the system is unable to execute it, an error message appears. Table 2-6 describes the most common CLI error messages.

TABLE 2-6 CLI Error Messages
Message Text | Description
Invalid input detected at '^' marker. | Indicates that you entered an incorrect or unavailable command. The carat (^) shows where the invalid text is detected. This message also appears if any of the parameters or values are not recognized.
Command not found / Incomplete command. Use ? to list commands. | Indicates that you did not enter the required keywords or values.
Ambiguous command | Indicates that you did not enter enough letters to uniquely identify the command.

CLI Line Editing Conventions

Table 2-7 describes the key combinations you can use to edit commands or increase the speed of command entry. You can access this list from the CLI by entering help from the User or Privileged EXEC modes.

TABLE 2-7 CLI Editing Conventions
Key Sequence | Description
DEL or Backspace | Delete previous character
Ctrl-A | Go to beginning of line
Ctrl-E | Go to end of line
Ctrl-F | Go forward one character
Ctrl-B | Go backward one character
Ctrl-D | Delete current character
Ctrl-U, X | Delete to beginning of line
Ctrl-K | Delete to end of line
Ctrl-W | Delete previous word
Ctrl-T | Transpose previous character

Chapter 2
...traffic arriving on a given port is trusted or untrusted. A trusted port means that the system will accept at face value a priority designation within arriving packets. You can configure the system to trust priority designations based on one of the following fields in the packet header:
- 802.1p Priority: values 0-7
- IP DSCP: values 0-63
- IP Precedence: values 0-7

You can also configure an ingress port as untrusted, where the system ignores priority designations of incoming packets and sends the packet to a queue based on the ingress port's default priority.

CoS Mapping Table for Trusted Ports

Mapping is from the designated field values on trusted ports' incoming packets to a traffic class priority (actually a CoS traffic queue). The trusted port field-to-traffic class configuration entries form the Mapping Table the switch uses to direct ingress packets from trusted ports to egress queues.

Egress Port Configurations

For unit/slot/port interfaces, you can specify the traffic shaping rate for the port, which is an upper limit of the transmission bandwidth used, specified as a percentage of the maximum link speed.

Queue Configurations

For each queue, you can specify:
- Minimum bandwidth guarantee
- Scheduler type (strict/weighted). Strict priority scheduling gives an absolute priority, with highest priority queues always sent first and lowest priority
...ress of the default router, if the switch is a node outside the IP range of the LAN.
MAC address | MAC address of the switch.

When you connect the switch to the network for the first time after setting up the BootP or DHCP server, it is configured with the information supplied above. The switch is ready for out-of-band connectivity over the front panel Ethernet Management port. If you do not use BootP or DHCP, access the switch through the MGMT Serial port and configure the network information as described below.

Using a Static IP

1. Enter the following command to allow a static IP:
    serviceport protocol none

2. Set the IP address, subnet mask, and gateway address by issuing the following command:
    serviceport ip <ipaddress> <netmask> <gateway>

Value | Description
IP address | Unique IP address for the switch. Each IP parameter is made up of four decimal numbers ranging from 0 to 255. The default for all IP parameters is zeroes (0.0.0.0).
Subnet | Subnet mask for the LAN.
Gateway | IP address of the default router, if the switch is a node outside the IP range of the LAN.
MAC address | MAC address of the switch.

Saving Settings

1. To enable these changes to be retained during a reset of the switch, type CTRL-Z to return to the main prompt, type save config at the main menu prompt, and type y to confirm the changes.

2. To view the changes and verify out-o
...ring IGMP Proxy via CLI

The CLI component of FASTPATH allows end users to configure the network device and to view device settings and statistics using a serial interface or telnet session.

Example 1 Configuring the Interface
This command enables the IGMP Proxy on the router. To enable IGMP Proxy on the router, no multicast routing protocol should be enabled, and multicast forwarding must be enabled on the router. Use this command from the CLI mode.

CODE EXAMPLE 20-1 Configuring the Interface
    (DTI SWITCH) (Interface 0/15)#ip igmp-proxy ?
    <cr>                           Press Enter to execute the command.
    reset-status                   Reset All the proxy interface status parameters.
    unsolicited-report-interval    Configure IGMP Proxy unsolicited report interval.

Example 2 Set the Unsolicited Report Interval
This command is valid only when IGMP Proxy is enabled on the interface. The value of <interval> can be in the range of 1 to 260 seconds. The default is 1 second. Use this command from the Interface mode.

CODE EXAMPLE 20-2 Setting Unsolicited Report Interval
    (DTI SWITCH) (Interface 0/15)#ip igmp-proxy unsolicited-report-interval ?
    <1-260>    Enter unsolicited report interval in seconds.

Example 3 Reset the Host Interface Status Parameters
This command is valid only when IGMP Proxy is enabled on the interface.

CODE EXAMPLE 20-3 Resetting Host Interface Status Parameter
...ript should be applied to Router 2.
[Figure residue: Port 1/0/2, Layer 3 Switch operating as Router 1; Port 1/0/3, Layer 3 Switch operating as Router 2.]

Enter Global Config mode. Set queue 5 on all ports to use strict priority mode; this queue shall be used for all VoIP packets. Activate DiffServ for the switch.

CODE EXAMPLE 24-5 Setting Queue on All Ports
    config
    cos-queue strict 5
    diffserv

Create a DiffServ classifier named class_voip and define a single match criterion to detect UDP packets. The class type match-all indicates that all match criteria defined for the class must be satisfied in order for a packet to be considered a match.

CODE EXAMPLE 24-6 Creating a DiffServ Classifier
    class-map match-all class_voip
    match protocol udp
    exit

Create a second DiffServ classifier named class_ef and define a single match criterion to detect a DiffServ code point (DSCP) of EF (expedited forwarding). This handles incoming traffic that was previously marked as expedited elsewhere in the network.

CODE EXAMPLE 24-7 Creating a Second DiffServ Classifier
    class-map match-all class_ef
    match ip dscp ef
    exit

Create a DiffServ policy for inbound traffic named pol_voip, then add the previously created classes class_ef and class_voip as instances within this policy. This p
[Figure residue: Service Summary page (1/0/4, In, Down, internet access; Refresh); FIGURE 24-16 DiffServ VoIP Example Network Diagram; DiffServ Configuration page with DiffServ Admin Mode Enable and MIB table sizes (Current Size / Max Size): Class table 0/32, Class Rule table 0/192, Policy table 0/64, Policy Instance table 0/640, Policy Attributes table 0/1920, Service table 0/480; navigation tree omitted.]

Configuring DiffServ for Voice Over IP (VoIP)

One of the most valuable uses of DiffServ is to support Voice over IP (VoIP). VoIP traffic is inherently time-sensitive: for a network to provide acceptable service, a guaranteed transmission rate is vital. This example shows one way to provide the necessary quality of service: how to set up a class for UDP traffic, have that traffic marked on the inbound side, and then expedite the traffic on the outbound side. The configuration script is for Router 1 in the accompanying diagram; a similar sc
Mode | Access Method | Prompt | Exit or Access Previous Mode
Router BGP Config | From the Global Config mode, enter the router bgp <asnumber> command. | (prompt unreadable) | Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the User Exec mode.
MAC Access-list Config | From the Global Config mode, enter mac access-list extended <name>. | (Switch) (Config-mac-access-list)# | Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the Privileged EXEC mode.
TACACS Config | From the Global Config mode, enter tacacs-server host <ip-addr>, where <ip-addr> is the IP address of the TACACS server on your network. | (Switch) (Tacacs)# | Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the Privileged EXEC mode.
DHCP Pool Config | From the Global Config mode, enter the ip dhcp pool <pool-name> command. | (Switch) (Config-dhcp-pool)# | Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the Privileged EXEC mode.
DHCPv6 Pool Config | From the Global Config mode, enter the ip dhcp pool <pool-name> command. | (Switch) (Config-dhcp6-pool)# | Type exit to exit to the Global Config mode, or press Ctrl-Z to switch to the Privileged EXEC mode.

Mode-Based Topology

The CLI tree is built on a mode concept in which the commands are available according to the interface. Some of the modes in the mode-based CLI are depicted in FIGURE 2-1.

Note: The User Exec commands are also accessible in the Privileged Exec mode.
[Figure residue: User Accounts page (Encryption Protocol: None; Encryption Key; Apply/Submit); front-panel stack view ("Open full stack view"); System Description page (Chapter 3 Using the Web Interface) showing System Description LVL7 FASTPATH Routing, System Name, System Location, System Contact, IP Address 0.0.0.0, System Object ID, System Up Time 0 days 20 hours 4 minutes, and MIBs Supported: RFC 1907 SNMPv2-MIB, RFC 2819 RMON-MIB, LVL7-REF-MIB, SNMP-COMMUNITY-MIB, SNMP-FRAMEWORK-MIB, SNMP-MPD-MIB, SNMP-NOTIFICATION-MIB, SNMP-TARGET-MIB, SNMP-USER-BASED-SM-MIB; navigation trees omitted.]

Configuring an SNMP V3 User Profile

Configuring an SNMP V3 user profile is a part of user configuration. Any user can connect to the switch using the SNMPv3 protocol, but for authentication and encryption, additional steps are needed. Use the following steps to configure an SNMP V3 new user profile.
...s
    (DTI SWITCH) (Interface 0/15)#ip igmp-proxy reset-status ?
    <cr>    Press Enter to execute the command.

Example 4 Show IGMP Proxy Host Interfaces
This command displays a summary of the host interface status parameters. It displays the parameters only when IGMP Proxy is enabled. Use this command from Privileged EXEC or User EXEC modes.

CODE EXAMPLE 20-4 Showing IGMP Proxy Host Interfaces
    (DTI SWITCH) #show ip igmp-proxy
    Admin Mode ............................ Enable
    Operational Mode ...................... Disable

Example 5 Show Detailed Listing of Host Interface Status
This command displays parameters only when IGMP Proxy is enabled. Use the command from Privileged EXEC or User EXEC modes.

CODE EXAMPLE 20-5 Showing Host Interface Status
    (DTI SWITCH) #show ip igmp-proxy interface

Example 6 Show IGMP Proxy Groups
Use this command to display information about multicast groups that IGMP proxy reported. It displays a table of entries with the following as the fields of each column. Use the command from Privileged EXEC or User EXEC modes.

CODE EXAMPLE 20-6 Showing IGMP Proxy Groups
    (DTI SWITCH) #show ip igmp-proxy groups

Example 7 Show Detailed Information about IGMP Proxy Groups
Use this command to display information about multicast groups that IGMP proxy reported. It displays a table of entries with the following as the field
173. Both of these applications are well documented by the open source community. Detailed descriptions are not repeated here; consult the man pages for ssh-keygen and openssl. Two scripts are included at the end of this chapter along with some helper files. This set of files can be freely modified and used to generate the appropriate self-signed credentials. Generation of these credentials has been verified using both Cygwin and Linux.

Once the component files are created, the credentials must be loaded onto the Sun Netra CP3240 switch. This is done with the copy command from a TFTP server. From Privileged EXEC mode, issue:

copy tftp://192.168.77.122/rsa1.key nvram:sshkey-rsa1

substituting the IP address of your TFTP server. The copy command is repeated for each authentication component:

- rsa1.key      to  nvram:sshkey-rsa1
- rsa2.key      to  nvram:sshkey-rsa2
- dsa.key       to  nvram:sshkey-dsa
- dh512.pem     to  nvram:sslpem-dhweak
- dh1024.pem    to  nvram:sslpem-dhstrong
- server.pem    to  nvram:sslpem-server
- rootcert.pem  to  nvram:sslpem-root

The SSL and SSH credentials may be uploaded separately as needed, but since security required for one access method is almost certainly required for all of them, it is recommended that the certificates and authentication keys be created and loaded together.

Note that TFTP is itself unauthenticated and unencrypted: the private keys and server.pem cross the network in the clear during this copy, so perform it only over a trusted management network and remove the key files from the TFTP server afterwards. The 512-bit Diffie-Hellman parameters in dh512.pem (loaded as sslpem-dhweak) are breakable with current hardware and should not be relied on for a protected session; prefer clients that negotiate the dhstrong parameters or stronger.

Configuring Secure Shell
174. [Figure: Port Security Interface Configuration page (Switching > Port Security > Port Security Interface Configuration). Fields: Unit/Slot/Port; Port Security (Disable); Maximum Number of Dynamically Learned MAC Addresses Allowed (600, range 0-600); Add a Static MAC Address; VLAN ID (range 1-3965); Maximum Number of Statically Locked MAC Addresses Allowed (20, range 0-20); Enable Violation Traps (No); Convert dynamically learned address to statically locked; Submit. The Switching menu also lists VLAN, Protocol-based VLAN, IP Subnet-based VLAN, MAC-based VLAN, Filters, GARP, IGMP Snooping, Port Channel, Multicast Forwarding Database, Spanning Tree, Class of Service, Port Security (Administration, Interface Configuration, Static, Dynamic, Violation Status) and LLDP.]

FIGURE 11-3 Port Security Dynamically Learned MAC Addresses

[Figure: Port Security Dynamically Learned MAC Addresses page. Fields: Unit/Slot/Port; MAC Address; VLAN ID.]
175. actual IP address; therefore this router will always be the VRRP master when it is active, and its priority defaults to 255 (the value reserved for the owner of the virtual address).

CODE EXAMPLE 18-5 Specifying IP Address for Virtual Router
ip vrrp 20 ip 192.150.2.1

Enable VRRP on the port.

CODE EXAMPLE 18-6 Enabling VRRP on the Port
ip vrrp 20 mode
exit

Example 2: Configuring VRRP on FASTPATH as a Backup Router

Enable routing for the switch. IP forwarding is then enabled by default.

CODE EXAMPLE 18-7 Enabling Routing for the Switch
config
ip routing
exit

Configure the IP addresses and subnet masks for the port that will participate in the protocol.

CODE EXAMPLE 18-8 Configuring IP Addresses and Subnet Masks
config
interface 0/4
routing
ip address 192.150.4.1 255.255.255.0
exit

Enable VRRP for the switch.

CODE EXAMPLE 18-9 Enabling VRRP for the Switch
config
ip vrrp 20
exit

Assign virtual router IDs to the port that will participate in the protocol.

CODE EXAMPLE 18-10 Assigning a Virtual Router to the Port
config
interface 0/4
ip vrrp 20

Specify the IP address that the virtual router function will recognize. Since the virtual IP address on port 1/0/4 is the same as Router 1's port 1/0/2 actual IP address, this router will always be the VRRP backup when Router 1 is active. Keep in mind that VRRP advertisements carry no cryptographic protection: any host on the same segment that sends advertisements with a higher priority can take over the virtual address, so restrict the VLAN carrying VRRP to the participating routers.

CODE EXAMPLE
176. are acquired from a third party, this warning will no longer occur. Insecure web sessions may be prevented by disabling the HTTP server with the command no ip http server (given in this guide as a Privileged EXEC mode command). As with Secure Shell, the best guide for information on the FASTPATH commands controlling HTTP and HTTPS access is the Sun Netra CP3240 Switch Software Reference Manual (820-3253).

Using Certificate Generation Scripts

The following four scripts and helper files can be used to generate self-signed certificates and authentication keys.

SSH: sshKeygen.sh

CODE EXAMPLE 4-1 SSH sshKeygen.sh Example

#!/bin/sh
#############################################################
# Generate key files for rsa and dsa
#############################################################
# RSA V1 (SSH protocol 1 host key)
/usr/bin/ssh-keygen -q -t rsa1 -f rsa1.key -C '' -N ''
# RSA V2
/usr/bin/ssh-keygen -q -t rsa -f rsa2.key -C '' -N ''
# DSA for V2
/usr/bin/ssh-keygen -q -t dsa -f dsa.key -C '' -N ''

The -N '' option produces keys with an empty passphrase, which is required because the switch loads the key files unattended; protect the generated files accordingly. Modern OpenSSH no longer generates rsa1 (SSH protocol 1) keys and disables ssh-dss host keys by default, so on a current workstation expect only rsa2.key to be produced, and expect clients to connect with SSH protocol 2 using the RSA host key.

SSL: pemCreate.sh

CODE EXAMPLE 4-2 SSL pemCreate.sh Example

#!/bin/sh
# Ensure that OpenSSL is installed and set the location correctly
OPENSSL=/usr/bin/openssl
# Set the password t
177. of each column. Enter this command from Privileged EXEC or User EXEC mode.

CODE EXAMPLE 20-7 Showing Detailed Information About Proxy Groups
DTI SWITCH# show ip igmp-proxy groups detail

CHAPTER 21 Configuring Internet Protocol (IPv6)

This chapter describes how to configure Internet Protocol version 6 (IPv6). This chapter contains the following topics:
- Understanding IPv6 on page 21-168
- Using IPv6 Configurations on page 21-169
- Configuring IPv6 via CLI on page 21-170

Understanding IPv6

IPv6 is the next generation of the Internet Protocol. With 128-bit addresses, versus 32-bit addresses for IPv4, IPv6 solves the address depletion seen with IPv4 and removes the need for Network Address Translation (NAT), which IPv4 networks use to reduce the number of globally unique IP addresses a network requires. Its aggregatable addresses can dramatically reduce the size of the global routing table through well-known address prefixes. Security (IPsec) is more integrated, and network configuration is simplified yet more flexible. Note that removing NAT also removes the incidental shielding of internal hosts that NAT provided: every IPv6 host with a global address is directly reachable unless a firewall or access list says otherwise.

There are many conceptual similarities between IPv4 and IPv6 network operation. Addresses still have a network prefix portion (subnet) and a device/interface-specific portion (host). While the length of the network portion is still var
178. FIGURE 24-11 Assign Queue 225
FIGURE 24-12 DiffServ Policy Attribute Summary 226
FIGURE 24-13 DiffServ Policy Attribute Summary 227
FIGURE 24-14 DiffServ Service Configuration 228
FIGURE 24-15 DiffServ Service Summary 229
FIGURE 24-16 DiffServ VoIP Example Network Diagram 229
FIGURE 25-1 FASTPATH with 802.1x Network Access Control 237
FIGURE 26-1 RADIUS Servers in a FASTPATH Network 241
FIGURE 27-1 FASTPATH with TACACS+ 245
FIGURE 31-1 Telnet Session Configuration 263
FIGURE 33-1 SNTP Global Configuration Page 273
FIGURE 33-2 SNTP Global Status Page 273
FIGURE 33-3 SNTP Server Configuration Page 274
FIGURE 33-4 SNTP Server Status Page 275
FIGURE 34-1 Log Syslog Configuration Page 283
FIGURE 34-2 Log Hosts Configuration Page (Add Host) 283
FIGURE 34-3 Log Hosts Configuration Page 284

Tables

TABLE 1-1 Quick Startup Software Version Information 10
TABLE 1-2 Quick Startup Physical Port Data 10
TABLE 1-3 Quick Startup User Account Management 11
TABLE 1-4 Quick Startup IP Address 12
TABLE 1-5 Quick Startup Uploading from Networking Device to TFTP Server 13
TABLE 1-6 Quick Startup Downloading from TFTP Server 13
TABLE 1-7 Quick Startup Factory Defaults 14
TABLE 2-1 Parameter Value Types 17
TABLE 2-2 Common Parameter Values 18
TABLE 2-3 Slot Types 19
TABLE 2-4 Port Types 19
TABLE 2-5 CLI Command Modes 21
TABLE 2-6 CL
179. message is displayed.

2. After the command is successfully parsed and validated, control of execution goes to the corresponding CLI callback function.

3. For mandatory parameters, the command tree extends until the mandatory parameters make the leaf of the branch. The callback function is invoked only when all the mandatory parameters are provided. For optional parameters, the command tree extends until the mandatory parameters and the optional parameters make the leaf of the branch. However, the callback function is associated with the node where the mandatory parameters are fetched; the callback function then takes care of the optional parameters.

4. Once control has reached the callback function, the callback function has complete information about the parameters entered by the operator.

Command Completion and Abbreviation

Command completion finishes spelling the command when you have typed enough letters of a command to uniquely identify the command word. You can execute the command by pressing the Enter key (command abbreviation), or you can complete the command word by pressing the Tab or spacebar key (command completion).

The value "Err" designates that the requested value was not internally accessible. This should never happen and indicates that the software is not handling this instance correctly. The value "----" designates that the value is unknown.
180. Configuring Port Description via the Web Interface 100
Configuring Link Layer Discovery Protocol 105
  Configuring LLDP via CLI 106
    Example 1: Set Global LLDP Parameters 106
    Example 2: Set Interface LLDP Parameters 107
    Example 3: Show Global LLDP Parameters 108
    Example 4: Show Interface LLDP Parameters 108
  Configuring LLDP via Web Interface 109
Configuring Denial of Service Attack Protection 113
  Configuring Denial of Service via CLI 114
Configuring Port Routing 115
  Understanding Port Routing 116
  Configuring Port Routing via CLI 117
    Example 1: Enabling Routing for the Switch 118
    Example 2: Enabling Routing for Ports on the Switch 118
  Configuring Port Routing via Web Interface 119
Configuring Routing Information Protocol 121
  Understanding Routing Information Protocol 122
  Configuring RIP via CLI 123
    Example 1: Enable Routing for the Switch 123
    Example 2: Enable Routing for Ports 124
    Example 3: Enable RIP for the Switch 124
    Example 4: Enable RIP for Ports 1/0/2 and 1/0/3 125
  Configuring RIP via Web Interface 125
Configuring Open Shortest Path First (OSPF) 127
  Understanding Open Shortest Path First (OSPF) 128
  Configuring OSPF via CLI 129
    Example 1: Configuring an Inter-Area Router 129
      Enable Routing for the Switch 130
      Assign IP Addresses for Ports 130
      Specify Router ID and Enable OSPF for the Switch 130
      Enable and Configure OSPF for the Ports 131
    Example 2: Configuring OSPF on a Border Router 131
      Enable Routing for the S
181. DHCPv6 Pool Config

Use the ip dhcpv6 pool <pool-name> command to access the DHCPv6 Pool Config mode:

Switch (Config)# ip dhcpv6 pool <pool-name>
Switch (Config dhcp6-pool)#

VLAN Mode

This mode groups all the commands pertaining to VLANs. The command prompt shown at this level is:

Switch (Vlan)#

Operation Flow

This section captures the flow of operation for the CLI.

1. The operator logs in to the CLI session and enters the User EXEC mode. In the User EXEC mode the (exec)> prompt is displayed on the screen. The parsing process is initiated whenever the operator types a command and presses Enter. The command tree is searched for the command of interest. If the command is not found, the output message indicates where the offending entry begins. For instance, if command node A has the command show arp brief but the operator attempts to execute the command show arpp brief, the output message is:

(exec)> show arpp brief
             ^
% Invalid input detected at '^' marker.

If the operator has given an invalid input parameter in the command, the message conveys to the operator that an invalid input was detected. The layout of the output is:

(exec)> show arpp brief
             ^
% Invalid input detected at '^' marker.

After all the mandatory parameters are entered, any additional parameters entered are treated as optional parameters. If any of the parameters are not recognized, a syntax error mes
182. CODE EXAMPLE 34-2 show logging buffered Command

DTI SWITCH# show logging buffered
Buffered (In-Memory) Logging ........... enabled
Buffered Logging Wrapping Behavior ..... On
Buffered Log Count ..................... 66

<6> Nov 29 13:31:38 0.0.0.0-1 UNKN[292290880]: sysapiCfgFilesSeparate: CRC check failed. 0x0 calculated
<6> Nov 29 13:31:38 0.0.0.0-1 UNKN[292290880]: could not separate SYSAPI_CONFIG_FILENAME
<2> Nov 29 13:31:42 0.0.0.0-1 UNKN[292290880]: Event(0xaaaaaaaa)
<6> Nov 29 13:31:49 0.0.0.0-1 UNKN[296038472]: Building defaults for file log.cfg version 1
<6> Nov 29 13:32:12 0.0.0.0-1 UNKN[295813352]: Callback Unit Join 1
<6> Nov 29 13:32:12 0.0.0.0-1 UNKN[293358784]: Building defaults for file simCfgData.cfg version 3
[The listing continues with source-location references of the form sysapi.c(1912), sysapi.c(1280), bootos.c(332), edb.c(360); the remainder is not recoverable from the page.]

The number in angle brackets at the start of each entry is the syslog severity (0 = emergency through 7 = debug); the <2> entry above is a critical event and the <6> entries are informational. Because the buffered log lives in memory, wraps when full and is lost on reboot, forward entries to a syslog host (Example 4) if they are to be retained for investigation.

Example 3: show logging traplogs

CODE EXAMPLE 34-3 show logging traplogs Command

DTI SWITCH# show logging traplogs
Number of Traps Since Last Reset ........ 16
Trap Log Capacity ....................... 256
Number of Traps Since Log Last Viewed ... 0

Log  System Up Time    Trap
0    6 days 20:22:35   Failed User Login: Unit: 1 User ID: 1
1    6 days 19:19:58   Multiple Users: Unit: 0 Slot: 3 Port: 1
2    5 da

Entry 0 is the most recent trap. "Failed User Login" traps are the switch's own record of rejected management logins; a run of them in a short interval is the first sign of a password-guessing attempt against the management interface.

Example 4: show logging hosts

CODE EXAMPLE 34-4 show logging hosts Command
DTI SWITCH# show logging hosts
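The two listings above are what a log pipeline has to parse. The following Python is an added example written for this page, not code from the Sun manual or the FASTPATH software: it parses constructed lines in the shape the switch prints, tallies syslog severities, and flags a burst of Failed User Login traps. The sample lines, the regular expressions and the threshold are assumptions modelled on the listings above, not captured device output.

```python
"""Parse FASTPATH-style buffered log and trap log text; flag repeated failed logins.
Added example for this page; not code from the Sun manual."""
import re
from collections import Counter

# Constructed samples in the shape the switch prints (not captured from a device).
BUFFERED_LOG = """\
<6> Nov 29 13:31:38 0.0.0.0-1 UNKN[292290880]: sysapiCfgFilesSeparate: CRC check failed. 0x0 calculated
<6> Nov 29 13:31:38 0.0.0.0-1 UNKN[292290880]: could not separate SYSAPI_CONFIG_FILENAME
<2> Nov 29 13:31:42 0.0.0.0-1 UNKN[292290880]: Event(0xaaaaaaaa)
<6> Nov 29 13:31:49 0.0.0.0-1 UNKN[296038472]: Building defaults for file log.cfg version 1
"""

TRAP_LOG = """\
0 6 days 20:22:35 Failed User Login: Unit: 1 User ID: 1
1 6 days 19:19:58 Multiple Users: Unit: 0 Slot: 3 Port: 1
2 5 days 02:10:07 Failed User Login: Unit: 1 User ID: 1
3 5 days 02:10:02 Failed User Login: Unit: 1 User ID: 1
"""

SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}

# <sev> Mon DD hh:mm:ss host-unit COMPONENT[task]: message
BUFFERED_RE = re.compile(
    r"^<(?P<sev>[0-7])> (?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<component>\w+)\[(?P<task>\d+)\]: (?P<msg>.*)$")

# index  D days hh:mm:ss  Trap Name: details
TRAP_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<days>\d+) days (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+"
    r"(?P<trap>[^:]+): (?P<detail>.*)$")


def parse_buffered(text):
    """Return one dict per parseable buffered-log line, severity as int."""
    entries = []
    for line in text.splitlines():
        m = BUFFERED_RE.match(line)
        if m:
            d = m.groupdict()
            d["sev"] = int(d["sev"])
            entries.append(d)
    return entries


def severity_counts(entries):
    """Counter of severity names, e.g. {'info': 3, 'crit': 1}."""
    return Counter(SEVERITY_NAMES[e["sev"]] for e in entries)


def parse_traps(text):
    """Return one dict per trap entry with uptime converted to seconds."""
    traps = []
    for line in text.splitlines():
        m = TRAP_RE.match(line)
        if not m:
            continue  # truncated or unrecognised entry; skip rather than guess
        uptime = (int(m["days"]) * 86400 + int(m["h"]) * 3600
                  + int(m["m"]) * 60 + int(m["s"]))
        traps.append({"index": int(m["idx"]), "uptime": uptime,
                      "trap": m["trap"].strip(), "detail": m["detail"]})
    return traps


def failed_logins(traps):
    return [t for t in traps if t["trap"] == "Failed User Login"]


def repeated_failed_logins(traps, threshold=3, window=300):
    """True if `threshold` or more Failed User Login traps fall within `window` seconds.
    Uptime is used as the clock because the trap log carries no wall-clock time."""
    times = sorted(t["uptime"] for t in failed_logins(traps))
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return True
    return False


if __name__ == "__main__":
    print(severity_counts(parse_buffered(BUFFERED_LOG)))
    print("brute-force suspected:", repeated_failed_logins(parse_traps(TRAP_LOG), 2, 60))
```

The trap log records uptime rather than wall-clock time, so the detector works in seconds of uptime; when the log is forwarded to a syslog host the receiver's timestamp should be used instead.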
183. interface 0/2
ip ospf areaid 0.0.0.2
ip ospf
ip ospf priority 128
ip ospf cost 32
exit
interface 0/3
ip ospf areaid 0.0.0.2
ip ospf
ip ospf priority 255
ip ospf cost 64
exit
interface 0/4
ip ospf areaid 0.0.0.2
ip ospf
ip ospf priority 255
ip ospf cost 64
exit

Configuring OSPF via Web Interface

Similar configurations as described in the previous CLI sections can be performed using the Web interface.

Configuring an Inter-Area Router

Use the following screens to perform an inter-area router configuration using the Web interface:
- Routing > IP > Interface Configuration > System Routing Mode: to enable routing for the switch.
- Routing > IP > Interface Configuration > Slot/Port, IP Address, Subnet Mask, Routing Mode: for the remaining commands.
- Routing > OSPF > OSPF Info > OSPF Admin Mode: to enable OSPF for the switch.
- Routing > OSPF > Interface Configuration: to enable OSPF for the ports and specify the OSPF Area ID, Router Priority and Metric Cost parameters.

Configuring a Border Router

Use the following screens to perform the same configuration using the graphical user interface:
- Routing > IP > Interface Configuration > System Routing Mode: to enable routing for the switch.
- Routing > IP > Interface Configuration > Slot/Port, IP Address, Subnet Mask, Routing Mode: for the remaining commands.
- Routing > OSPF > OS
184. access-list extended mac1

Example 2: Specify MAC ACL Attributes

CODE EXAMPLE 22-2 Specify MAC ACL Attributes

DTI SWITCH (Config)# mac access-list extended mac1
DTI SWITCH (Config mac-access-list)# deny ?

<srcmac>        Enter a MAC Address.
any             Configure a match condition for all the Source MAC addresses in the Source MAC Address field.

DTI SWITCH (Config mac-access-list)# deny any ?

<dstmac>        Enter a MAC Address.
any             Configure a match condition for all the destination MAC addresses in the Destination MAC Address field.
bpdu            Match on any BPDU destination MAC Address.

DTI SWITCH (Config mac-access-list)# deny any 00:11:22:33:44:55 ?

<dstmacmask>    Enter a MAC Address bit mask.

CODE EXAMPLE 22-2 Specify MAC ACL Attributes (Continued)

DTI SWITCH (Config mac-access-list)# deny any 00:11:22:33:44:55 00:00:00:00:FF:FF ?

<ethertypekey>  Enter one of the following keywords to specify an Ethertype: appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp.
<0x0600-0xffff> Enter a four-digit hexadecimal number in the range of 0x0600 to 0xffff to specify a custom Ethertype value.
vlan            Configure a match condition based on a VLAN ID.
cos             Configure a match condition based on a COS value.
log             Configure logging for this access list rule.
assign-queue    Configure the Queue I
185. CODE EXAMPLE 24-2 Creating a DiffServ Policy for Inbound Traffic (Continued)
assign-queue 4
exit
exit

Configuring DiffServ on FASTPATH Software

Attach the defined policy to interfaces 1/0/1 through 1/0/4 in the inbound direction.

CODE EXAMPLE 24-3 Attaching the Policy to Interfaces
interface 1/0/1
service-policy in internet_access
exit
interface 1/0/2
service-policy in internet_access
exit
interface 1/0/3
service-policy in internet_access
exit
interface 1/0/4
service-policy in internet_access
exit

Set the CoS queue configuration for the presumed egress interface 1/0/5 such that each of queues 1, 2, 3 and 4 gets a minimum guaranteed bandwidth of 25%. All queues for this interface use weighted round-robin scheduling by default. The DiffServ inbound policy designates that these queues are to be used for the departmental traffic through the assign-queue attribute. It is presumed that the switch will forward this traffic to interface 1/0/5 based on a normal destination address lookup for internet traffic.

CODE EXAMPLE 24-4 Setting CoS Queue for Egress
interface 1/0/5
cos-queue min-bandwidth 0 25 25 25 25 0 0
exit
exit

Configuring Differentiated Services via Web Interface

Use the following screens to perform the same configuration using the graphical user i
186. Unit: 1 File: sshd_control.c Line: 400 SSHD: sshdListenTask started

To disable insecure access, issue the commands:

lineconfig
no transport input telnet

Note: Issuing this command terminates all active telnet sessions, and no new telnet sessions will be allowed. Verify that an SSH login to the switch succeeds before issuing it; otherwise you may lose remote management and have to recover from the serial console.

Refer to the Sun Netra CP3240 Switch Command Reference Manual (820-3253) for more information on configuring remote sessions.

Configuring Secure Socket Layer

Optionally, or in concert with SSH, SSL may be enabled. Once again the message log is the best source of feedback for problem determination. To enable SSL, issue the Privileged EXEC mode command:

ip http secure-server

Success may be determined by attempting secure web access using https. Once again, consult the message log for failure information. Valid certificates are indicated by a message log entry that looks like the following:

0 days 01:25:29 Unit: 1 File: sslt_util.c Line: 303 SSLT: Successfully loaded all required SSL PEM files

Certificate information may be accessed using browser-specific methods. With Internet Explorer, the lock icon along the bottom message line can be checked for certificate details. Additionally, when connecting to a Sun Netra CP3240 switch that uses self-generated credentials, Explorer will warn the user about the authenticity of the certificate. When secure certificate
187. DTI SWITCH (Config)# interface 0/10
DTI SWITCH (Interface 0/10)# lldp ?

notification    Enable/Disable LLDP remote data change notifications.
receive         Enable/Disable LLDP receive capability.
transmit        Enable/Disable LLDP transmit capability.
transmit-mgmt   Include/Exclude LLDP management address TLV.
transmit-tlv    Include/Exclude LLDP optional TLV(s).

DTI SWITCH (Interface 0/10)# lldp receive
DTI SWITCH (Interface 0/10)# lldp transmit
DTI SWITCH (Interface 0/10)# lldp transmit-mgmt
DTI SWITCH (Interface 0/10)# exit
DTI SWITCH (Config)# exit

LLDP advertises the system name, system description and, with transmit-mgmt, the management address to whatever is plugged into the port. On ports facing untrusted equipment, leave transmit disabled or at least omit the management address TLV.

Example 3: Show Global LLDP Parameters

CODE EXAMPLE 12-3 Showing Global LLDP Parameters
DTI SWITCH# show lldp

LLDP Global Configuration
Transmit Interval ............... 30 seconds
Transmit Hold Multiplier ........ 8
Reinit Delay .................... 5 seconds
Notification Interval ........... 1000 seconds

Example 4: Show Interface LLDP Parameters

CODE EXAMPLE 12-4 Showing Interface LLDP Parameters
DTI SWITCH# show lldp interface 0/10

LLDP Interface Configuration

Interface  Link  Transmit  Receive  Notify
1/0/10     Down  Enabled   Enabled  Disabled

TLV Codes: 0 - Port Description, 1 - System Name, 2 - System Description, 3 - System Capabilities
188. Pressing the Submit button sends the updated configuration to the switch. Configuration changes take effect immediately, but these changes are not retained across a power cycle unless a save is performed.

CHAPTER 4 Establishing Management Security

This chapter describes how to enable management security. Enabling management security is a two-step process. The first step involves generating and loading the appropriate authentication keys (SSH) and security certificates (SSL). Optionally, a reputable third party such as RSA Security Inc. or Entrust Inc. can validate these certificates and keys, but for evaluation purposes validation is unnecessary. Self-signed credentials protect the session from passive eavesdropping, but they give a client no way to tell the switch from an impostor presenting its own self-signed certificate; for production use, have the certificate signed by a CA your clients trust, or distribute the switch's certificate and SSH host-key fingerprints out of band. The second step involves enabling either SSL or SSH and, optionally, disabling the insecure versions: telnet and HTTP web management. Once enabled, subsequent management connections may be made in a secure manner.

This chapter contains the following topics:
- Certificate Generation on page 4-44
- Configuring Secure Shell on page 4-45
- Configuring Secure Socket Layer on page 4-46
- Using Certificate Generation Scripts on page 4-47

Certificate Generation

To generate self-signed credentials, the open source applications ssh-keygen and openssl can be used to create the seven files that form the security certificates and authentication keys.
189. [Figure 10-5: Port Security Violation Status page, reached from Switching > Port Security.]

CHAPTER 11 Configuring Port Description

This chapter describes the Port Description feature, which lets you specify an alphanumeric interface identifier that can be used for SNMP network management. This chapter contains the following topics:
- Configuring Port Description via CLI on page 11-100
- Configuring Port Description via the Web Interface on page 11-100

Configuring Port Description via CLI

Use the following commands for the Port Description feature.

Example 1: Enter a Description for a Port

This example specifies the name Test for port 0/10.

CODE EXAMPLE 11-1 Specifying Port Description
config
interface 0/10
description Test
exit
exit

Example 2: Show the Port Description

CODE EXAMPLE 11-2 show port description
show port description 0/10
Interface ........ 0/10
ifIndex .......... 10
Description ...... Test
MAC Address ...... 00:00:00:01:00:02
Bit Offset Val ... 10

Configuring Port Description via the Web Interface

Use the following Web screen to enter Port Description information.

FIGURE 11-1 Port Security Administration
FIGURE 11-2 Port Security Interface Configuration

[Figure: Switching menu pages listing Protocol-based VLAN, IP Subnet-based VLAN, MAC-based VLAN, Filter...]
190. show port-security on a Specific Interface

LVL7 FASTPATH Routing# show port-security 0/10

       Admin     Dynamic  Static  Violation
Intf   Mode      Limit    Limit   Trap Mode
-----  --------  -------  ------  ---------
0/10   Disabled  600      20      Disabled

The limits shown are not enforced while Admin Mode is Disabled: port security must be enabled globally (Example 3) and on the interface before the dynamic and static limits take effect, and Violation Trap Mode must be enabled if you want a violation to be reported rather than silently dropped.

Example 3: Config port-security

CODE EXAMPLE 10-3 Config port-security
LVL7 FASTPATH Routing (Config)# port-security ?
<cr>   Press Enter to execute the command.
LVL7 FASTPATH Routing (Config)# port-security

Configuring Port Security via Web Interfaces

The following Web pages are used in the Port Security feature.

FIGURE 10-1 Port Security Administration
FIGURE 10-2 Port Security Interface Configuration

[Figure: Port Security Interface Configuration page. Fields: Unit/Slot/Port; Port Security (Disable); Maximum Number of Dynamically Learned MAC Addresses Allowed (600, range 0-600); Add a Static MAC Address; VLAN ID (range 1-3965); Maximum Number of Statically Locked MAC Addresses Allowed (20, range 0-20); Enable Violation Traps (No); Convert dynamically learned address to statically locked. Switching menu entries: VLAN, Protocol-based VLAN, IP Subnet-based VLAN, MAC-based VLAN, Filters, GARP, IGMP Snooping, Port Channel, Multicast Forwarding Database, Spanning Tree, Class of Service, Port Security (Administration, Static, Dynamic, Violation Status).]
191. host with a specific connection type, port, timeout and shared key, or you can use global configuration for the key and timeout. Like RADIUS, the TACACS+ server can do the authentication itself or redirect the request to another back-end device. All sensitive information is encrypted, and the shared secret is never passed over the network; it is used only to encrypt the data. Strictly speaking, TACACS+ body protection is an MD5-derived keystream XORed over the packet body: it hides passwords from casual capture but is not a modern cipher and carries no integrity check, so run TACACS+ only over a management network you already trust.

Configuring Access Control for Networked Devices

The following example configures two TACACS+ servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The server at 10.10.10.10 has the default priority of 0, the highest priority, while the other server has a priority of 2. The process creates a new authentication list called tacacsList, which uses TACACS+ to authenticate and uses local authentication as a backup method. This authentication list is then associated with the defaultlogin.

FIGURE 27-1 FASTPATH with TACACS+

[Figure: network diagram showing the switch (NAS / client) connected to two TACACS+ authentication servers.]

When a user attempts to log into the switch, the NAS (the switch) prompts for a username and password. The switch attempts to communicate with the highest-priority configured TACACS+ server, at 10.10.10.10. Upon successful connection with the server, the switch and server exchange the login credentials.
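To make the "encrypted with the shared secret" statement above concrete, here is the TACACS+ body obfuscation from RFC 8907 section 4.5 worked through in Python. This is an added example written for this page, not code from the Sun manual or the FASTPATH software; the key, session ID and user name are constructed values, and a real client draws the session ID from a random source per session.

```python
"""TACACS+ packet body obfuscation (RFC 8907 section 4.5), both directions.
Added example for this page; not code from the Sun manual."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pseudo pad; the same call both hides and reveals."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes,
                      action=1, priv_lvl=1, authen_type=1, service=1) -> bytes:
    """Authentication START body: action LOGIN(1), authen_type ASCII(1), service LOGIN(1)."""
    return struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                       len(user), len(port), len(rem_addr), len(data)) + user + port + rem_addr + data


def build_packet(key: bytes, session_id: int, seq_no: int, body: bytes) -> bytes:
    """Wrap a body in a TACACS+ header. An empty key sets TAC_PLUS_UNENCRYPTED_FLAG and
    sends the body in clear, which is what a packet capture on a misconfigured link shows."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    payload = obfuscate(key, session_id, TAC_PLUS_VERSION, seq_no, body) if key else body
    return header + payload


def parse_packet(key: bytes, packet: bytes) -> bytes:
    """Recover the body. With the wrong key this returns garbage rather than an error:
    TACACS+ has no integrity check, so the receiver must validate the decoded fields."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return obfuscate(key, session_id, version, seq_no, payload)


def authen_start_user(body: bytes) -> bytes:
    """Pull the user field back out of a START body (user_len is byte 4, user starts at 8)."""
    user_len = body[4]
    return body[8:8 + user_len]


# Constructed demonstration values (a real client uses a random 32-bit session ID).
KEY = b"example-tacacs-key-change-me"
SESSION_ID = 0x1234ABCD

if __name__ == "__main__":
    start = authen_start_body(b"admin", b"tty0", b"192.168.77.5", b"")
    wire = build_packet(KEY, SESSION_ID, 1, start)
    print("user visible on wire:", b"admin" in wire)
    print("user recovered with key:", authen_start_user(parse_packet(KEY, wire)))
```

Because the pad depends only on the key, session ID, version and sequence number, anyone who learns the key, or who can guess the plaintext of one packet, recovers the keystream for that packet; this is why the text's "encrypted" should be read as "obfuscated" when deciding where TACACS+ traffic may travel.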
192. [Figure: IGMP Snooping page context. Navigation: System; Switching > VLAN, Protocol-based VLAN, Filters, GARP, IGMP Snooping (Configuration and Status, Interface Configuration, VLAN Status, VLAN Configuration, Multicast Router Statistics, Multicast Router Configuration, Multicast Router VLAN Statistics, Multicast Router VLAN Configuration). Fields: Unit/Slot/Port; VLAN ID.]

FIGURE 8-8 IGMP Snooping Multicast Router VLAN Configuration Page

[Figure: Multicast Router VLAN Configuration. Fields: Unit/Slot/Port; VLAN ID (1 to 3965); Multicast Router (Disable); Submit.]

[Figure: IGMP Snooping Global Configuration and Status page. Fields: Admin Mode (Disable); Multicast Control Frame Count (0); Interfaces Enabled for IGMP Snoo
193. Switch (Config)# router ospf
Switch (Config router)#

Router OSPFv3 Config

In this mode the operator is allowed to access the router OSPFv3 configuration commands. The command prompt at this level is:

Switch (Config)# ipv6 router ospf
Switch (Config rtr)#

Router RIP Config

In this mode the operator is allowed to access the router RIP configuration commands. The command prompt at this level is:

Switch (Config)# router rip
Switch (Config router)#

Router BGP Config

In this mode the operator is allowed to access the router BGP-4 configuration commands. The command prompt at this level is:

Switch (Config)# router bgp <1-65535>
Switch (Config routerbgp)#

MAC Access-list Config

In this mode the operator is allowed to create a MAC Access list and to enter the mode containing MAC Access list configuration commands. The command prompt at this level is:

Switch (Config)# mac access-list extended <name>
Switch (Config mac-access-list)#

TACACS Config

In this mode the operator is allowed to configure properties for the TACACS+ servers. The command prompt at this level is:

Switch (Config)# tacacs-server host <ip-addr>
Switch (Tacacs)#

DHCP Pool Config

Use the ip dhcp pool <pool-name> command to access the DHCP Pool Config mode:

Switch (Config)# ip dhcp pool <pool-name>
Switch (Config dhcp-pool)#
194. [Figure: IGMP Snooping menu, Multicast Router VLAN Statistics and Multicast Router VLAN Configuration entries.]

FIGURE 8-5 IGMP Snooping Multicast Router Statistics Page

[Figure: Multicast Router Statistics. Fields: Unit/Slot/Port; Multicast Router; Refresh. Navigation: System; Switching > VLAN, Protocol-based VLAN, Filters, GARP, IGMP Snooping (Configuration and Status, Interface Configuration, VLAN Status, VLAN Configuration, Multicast Router Statistics, Multicast Router Configuration, Multicast Router VLAN Statistics, Multicast Router VLAN Configuration).]

FIGURE 8-6 IGMP Snooping Multicast Router Configuration Page

[Figure: Multicast Router Configuration. Fields: Unit/Slot/Port; Multicast Router (Disable); Submit. The page header shows the 24-port front-panel view with the Open full stack view link.]

FIGURE 8-7 IGMP Snooping Multicast Router VLAN Statistics Page

[Figure: Multicast Router VLAN Statistics. Fields: Unit/Slot/Port; VLAN ID.]
195. dot1x port-control force-authorized

(force-authorized places the port in the authorized state without any 802.1X exchange; use it only on ports that are meant to bypass port-based authentication.)

CHAPTER 26 Configuring RADIUS

This chapter describes how to configure the Remote Authentication Dial-In User Service (RADIUS) protocol. This chapter contains the following topics:
- Authenticating Users Through RADIUS on page 26-240
- Configuring RADIUS on page 26-241

Authenticating Users Through RADIUS

Making use of a single database of accessible information, as in an authentication server, can greatly simplify the authentication and management of users in a large network. One such type of authentication server supports the Remote Authentication Dial-In User Service (RADIUS) protocol as defined by RFC 2865. For authenticating users prior to access, the RADIUS standard has become the protocol of choice for administrators of large accessible networks.

To accomplish the authentication in a secure manner, the RADIUS client and RADIUS server must both be configured with the same shared password, or secret. This secret is used to generate the one-way (MD5-based) authenticators present in all RADIUS packets and to hide the User-Password attribute. The secret itself is never transmitted over the network. The strength of this scheme rests entirely on the secret: a short or guessable secret lets anyone who captures an Access-Request recover the user's password offline, so use a long random secret and a distinct one per client.

RADIUS conforms to a secure communications client/server model using UDP as a transport protocol. It is extremely flexible, supporting a variety of methods to authenticate and statistically track users. RADIUS is also extensible, allow
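The authenticator and password-hiding mechanics described above, worked through in Python as an added example for this page (not code from the Sun manual, the FASTPATH software or any RADIUS server). It follows RFC 2865 sections 3 and 5.2; the shared secret, user name, password and user database are constructed test values.

```python
"""RFC 2865 Access-Request / Access-Accept exchange: Request Authenticator,
User-Password hiding and Response Authenticator verification.
Added example for this page; not code from the Sun manual."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 being the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(secret: bytes, ident: int, user: bytes, password: bytes):
    """Client side. Returns (packet, request_auth); the client keeps request_auth
    because the reply's authenticator is bound to it."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, user),
                          (ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(secret: bytes, code: int, ident: int, request_auth: bytes, attrs=()) -> bytes:
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(secret: bytes, request_auth: bytes, packet: bytes) -> bool:
    """Client side: a reply forged without the secret, or replayed from another
    request, fails this check. Constant-time compare avoids a timing oracle."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def server_check(secret: bytes, packet: bytes, user_db: dict) -> bytes:
    """Server side: parse the Access-Request, reveal the password, answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    password = reveal_password(secret, request_auth, attrs[ATTR_USER_PASSWORD])
    ok = user_db.get(attrs[ATTR_USER_NAME]) == password
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth)


# Constructed values for the demonstration; never reuse them on a real network.
SECRET = b"example-shared-secret-change-me"
USER_DB = {b"admin": b"correct horse battery staple"}

if __name__ == "__main__":
    req, ra = build_access_request(SECRET, 7, b"admin", USER_DB[b"admin"])
    reply = server_check(SECRET, req, USER_DB)
    print("accepted:", reply[0] == ACCESS_ACCEPT, "reply genuine:", verify_response(SECRET, ra, reply))
```

Note that the Access-Request itself carries no authenticator over its own contents beyond the password hiding; an attacker who captures it can mount an offline dictionary attack on the secret, which is why the secret's length matters more than anything else in this exchange.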
196. to determine which IP address it reports, and use that address to telnet.

The initial configuration procedure is based on the following assumptions:
- The switch was not configured before and is in the same state as when you received it.
- The switch booted successfully.
- The console connection was established, and the console prompt appeared on the screen of a VT100 terminal or terminal equivalent.

The initial switch configuration is performed through the console port. After the initial configuration, you can manage the switch either from the already connected console port or remotely through an interface defined during the initial configuration.

Note: The switch is not configured with a default user name and password.

Note: All of the settings that follow are necessary to allow remote management of the switch through Telnet (Telnet client) or HTTP (Web browser). Both of these carry credentials in the clear; see Chapter 4, Establishing Management Security, for enabling SSH and SSL and disabling the insecure equivalents before exposing the management interface beyond a trusted network.

Obtain Configuration Information

Before setting up the initial configuration of the switch, obtain the following information from your network administrator:
- The IP address to be assigned to the management interface through which the switch is managed
- The IP subnet mask for the network
- The IP address of the default gateway

In-band and Out-of-band Connectivity

Ask the system administrator to determine whether you will configure the switch for in-band or out-of-band connectivity. I
197.
    ...trol tcpfrag
    dos-control l4port
    dos-control icmp
    show dos-control

CHAPTER 14 Configuring Port Routing

This chapter describes how to configure port routing. This chapter contains the following topics:
- Section "Understanding Port Routing" on page 14-116
- Section "Configuring Port Routing via CLI" on page 14-117
- Section "Configuring Port Routing via Web Interface" on page 14-119

Understanding Port Routing

The first networks were small enough for the end stations to communicate directly. As networks grew, Layer 2 bridging was used to segregate traffic, a technology that worked well for unicast traffic but had problems coping with large quantities of multicast packets. The next major development was routing, where packets were examined and redirected at Layer 3. End stations needed to know how to reach their nearest router, and the routers had to understand the network topology so that they could forward traffic. Although bridges tended to be faster than routers, using routers allowed the network to be partitioned into logical subnetworks, which restricted multicast traffic and also facilitated the development of security mechanisms.

An end station specifies the destination station's Layer 3 address in the packet's IP header but sends the packet to the MAC address of a router. When the Layer 3 router receives the packet, at minimum it does the...
198.
...twork.
- Less network traffic: routing table updates are sent only when a change has occurred, and only the part of the table which has changed is sent.
- Updates are sent to a multicast, not a broadcast, address.
- Hierarchical management allows the network to be subdivided.

The top level of the hierarchy of an OSPF network is known as an autonomous system (AS) or routing domain, and is a collection of networks with a common administration and routing strategy. The AS is divided into areas: intra-area routing is used when a source and destination address are in the same area, and inter-area routing across an OSPF backbone is used when they are not. An inter-area router communicates with border routers in each of the areas to which it provides connectivity.

The Sun Netra CP3240 switch, operating as a router and running OSPF, determines the best route using the assigned cost and the type of the OSPF route. The order for choosing a route if more than one type of route exists is as follows:
- Intra-area
- Inter-area
- External Type 1
- External Type 2

Note: External Type 1 is a route that is external to the AS. External Type 2 is a route that was learned from other protocols such as RIP.

Configuring VLAN Routing With OSPF via CLI

The following example adds support for OSPF to the configuration created in the base VLAN routing example. The script shows the commands you would use to...
199.
...twork Time Protocol (SNTP)

This chapter describes how to configure the Simple Network Time Protocol (SNTP) feature. This chapter contains the following topics:
- Section "Configuring SNTP via CLI" on page 33-270
- Section "Configuring SNTP via Web Interface" on page 33-273

Configuring SNTP via CLI

Use this feature for synchronizing network resources. This feature:
- Provides an adaptation of NTP
- Provides synchronized network timestamps
- Can be used in broadcast or unicast mode
- Implements an SNTP client over UDP, which listens on port 123

The following are examples of the CLI commands used with the SNTP feature.

Example 1: show sntp

CODE EXAMPLE 33-1 show sntp Command

    (DTI SWITCH) #show sntp
    <cr>      Press Enter to execute the command.
    client    Display SNTP Client Information.
    server    Display SNTP Server Information.

Example 2: show sntp client

CODE EXAMPLE 33-2 show sntp client

    (DTI SWITCH) #show sntp client
    Client Supported Modes ........ unicast broadcast
    SNTP Version .................. 4
    Port .......................... 123
    Client Mode ................... unicast
    Unicast Poll Interval ......... 6
    Poll Timeout (seconds) ........ 5
    Poll Retry .................... 1

Example 3: show sntp server

CODE EXAMPLE 33-3 show sntp server Command

    (DTI SWITCH) #show sntp server
    Server IP Address ............. 81.169.155.234
    Server Type ................... ipv4
    Server Stratum ................ 3
    Server Reference Id ........... NTP Srv: 212.186.110.32
    Server Mode ...
200.
...up. Each group's configuration consists of a name and a mask of ports. A port can belong to only one set of protected ports, but an unprotected port can be added to a group as a protected port. The group name is configurable by the network administrator.

Use the switchport protected command to designate a port as protected. Use the show switchport protected command to display a listing of the protected ports.

CLI Example

Example 1: Switchport Protected

CODE EXAMPLE 5-6 Protecting the Switchport

    (DTI SWITCH) #config
    (DTI SWITCH) (Config)#interface 0/1
    (DTI SWITCH) (Interface 0/1)#switchport protected
    <cr>    Press Enter to execute the command.
    (DTI SWITCH) (Interface 0/1)#switchport protected

Example 2: Show Switchport Protected

    (DTI SWITCH) #show switchport protected 0/1

CHAPTER 6 Configuring Port Channels by Link Aggregation

This chapter describes how to use the Link Aggregation feature to configure port channels via the CLI and the Graphical User Interface. This chapter contains the following topics:
- Section "Using the Link Aggregation Feature" on page 6-62
- Section "Configuring Link Aggregation via CLI" on page 6-63
- Section "Configuring Link Aggregation via Web Interface" on page 6-66

Using the Link Aggregation Feature

The Link Aggregation (LAG) f...
201.
...to carry out product updates is strictly prohibited. THE DOCUMENTATION IS PROVIDED "AS IS", AND ALL OTHER EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE EXPRESSLY DISCLAIMED TO THE EXTENT PERMITTED BY APPLICABLE LAW, INCLUDING IN PARTICULAR ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.

Contents

Preface xxix

1. Getting Started 1
   Default Settings 2
   Initial Configuration 2
     Obtain Configuration Information 3
     In-band and Out-of-band Connectivity 3
     Initial Access Configuration 3
     MGMT Serial Configuration 3
     Configuring for In-band Connectivity 4
       Using DHCP 5
       Using a Static IP 6
     Configuring for Out-Of-Band Connectivity 6
       Using DHCP 7
       Using a Static IP 7
   Saving Settings 8
   Quick Start 8
   System Information and System Setup 9
     Quick Startup Software Version Information 10
     Quick Startup Physical Port Data 10
     Quick Startup User Account Management 11
     Quick Startup IP Address 12
     Quick Startup Uploading from Networking Device to TFTP Server 13
     Quick Startup Downloading from TFTP Server 13
     Quick Startup Factory Defaults 14

2. Using the Command Line Interface 15
   Command Syntax 16
   Command Conventions 16
   Parameter Conventions 17
   Parameter Values 18
   Slot/Port Naming Convention 19
   No Form of a Command 20
   Command Modes 20
   Mode-Based Topology 23
202.
...ure the Virtual Router Redundancy Protocol (VRRP).

When an end station is statically configured with the address of the router that will handle its routed traffic, a single point of failure is introduced into the network. If the router goes down, the end station is unable to communicate. Since static configuration is a convenient way to assign router addresses, the Virtual Router Redundancy Protocol (VRRP) was developed to provide a backup mechanism.

VRRP eliminates the single point of failure associated with static default routes by enabling a backup router to take over from a master router without affecting the end stations using the route. The end stations will use a virtual IP address that will be recognized by the backup router if the master router fails. Participating routers use an election protocol to determine which router is the master router at any given time. A given port may appear as more than one virtual router to the network; also, more than one port on a Sun Netra CP3240 switch may be configured as a virtual router. Either a physical port or a routed VLAN may participate.

This chapter contains the following topics:
- Section "Configuring VRRP via CLI" on page 18-152
- Section "Configuring VRRP via Web Interface" on page 18-155

Configuring VRRP via CLI

The following example shows how to configure the Sun Netra CP3240 switch to support VRRP. Router 1 will be the default master router for the virtual route...
203.
   ...witch 133
     Enable Routing and Assign IP for Ports 1/0/2, 1/0/3 and 1/0/4 133
     Specify Router ID and Enable OSPF for the Switch 133
     Enable OSPF for the Ports 134
   Configuring OSPF via Web Interface 135
     Configuring an Inter-Area Router 135
     Configuring a Border Router 135

17. Configuring VLAN Routing 137
   Understanding VLAN Routing 138
   Configuring VLAN Routing via CLI 138
     Example 1: Create Two VLANs 139
     Example 2: Set Up VLAN Routing for the VLANs and the Switch 140
   Configuring VLAN Routing via Web Interface 141
   Configuring VLAN Routing With RIP 142
     Configuring VLAN With RIP via CLI 143
       Example 1: Configuring VLAN Routing with RIP Support 143
       Example 2: Enable RIP for the Switch 145
     Configuring VLAN Routing with RIP via Web Interface 146
   Configuring VLAN Routing With OSPF 146
     Configuring VLAN Routing With OSPF via CLI 147
       Example 1: OSPF on FASTPATH as an Inter-area Router 147
       Example 2: Specify the Router ID and Enable OSPF for the Switch 148
     Configuring VLAN Routing via Web Interface 150

18. Configuring Virtual Router Redundancy Protocol 151
   Configuring VRRP via CLI 152
     Example 1: Configuring VRRP on FASTPATH as a Master Router 153
     Example 2: Configuring VRRP on FASTPATH as a Backup Router 154
   Configuring VRRP via Web Interface 155

19. Proxy Address Resolution Protocol (ARP) 157
   Configuring Proxy ARP via CLI 158
     Example 1: show ip interface 158
     Example 2: ip proxy-arp 158
   Co...
204.
...y authentication method and local authentication as a backup method in the event that the RADIUS server cannot be contacted. This authentication list is then associated with the default login.

FIGURE 26-1 RADIUS Servers in a FASTPATH Network (Authentication Server (RADIUS); Switch (NAS Client); Authentication Server (RADIUS))

When a user attempts to log in, the switch prompts for a username and password. The switch then attempts to communicate with the primary RADIUS server at 10.10.10.10. Upon successful connection with the server, the login credentials are exchanged over an encrypted channel. The server grants or denies access, which the switch honors, and either allows or does not allow the user to access the switch. If neither of the two servers can be contacted, the switch searches its local user database for the user.

CODE EXAMPLE 26-1 Configuring RADIUS for Authentication of Users

    config
    radius server host auth 10.10.10.10
    radius server key auth 10.10.10.10
    secreti
    secreti
    radius server host auth 11.11.11.11
    radius server key auth 11.11.11.11
    secreta
    secreta
    radius server primary 10.10.10.10
    authentication login radiusList radius local
    users defaultlogin radiusList
    exit

CHAPTER 27 Configuring Access Control for Networked Devices

This chapter describes how to configure the access control...
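The chapter says the shared secret configured with radius server key is used to generate one-way authenticators in every RADIUS packet and is never sent over the network, and CODE EXAMPLE 26-1 shows the switch being given that secret. The following Python program, an added example rather than code from the guide or from the switch firmware, models the RFC 2865 mechanics behind that statement for a login like the one the chapter describes: the switch (NAS client) hides the User-Password with a keystream derived from the secret and a random Request Authenticator, and the server signs its Access-Accept or Access-Reject with a Response Authenticator that the client checks before honoring the verdict. The user name, password and the secret "secreti" are constructed sample values (the secret is the one typed in CODE EXAMPLE 26-1); no real server is contacted.

```python
"""RFC 2865 shared-secret authenticators between a NAS client and a RADIUS server (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    if not password:
        raise ValueError("User-Password must be at least 1 octet")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), all taken from the reply."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(username, password, secret, ident=1):
    """Switch side: fresh random Request Authenticator plus hidden password. Returns (packet, request_auth)."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(request, secret, user_db):
    """Server side: recover the password, decide, and sign the reply with the shared secret."""
    code, ident, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    password = reveal_password(fields[ATTR_USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if user_db.get(fields[ATTR_USER_NAME]) == password else ACCESS_REJECT
    reply_attrs = []
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def client_verify(reply, request_auth, secret):
    """Switch side: return the reply code only if its authenticator matches; None means drop the reply."""
    code, ident, auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(auth, expected):
        return None
    return code


if __name__ == "__main__":
    # Constructed sample values; "secreti" is the key typed in CODE EXAMPLE 26-1.
    SECRET = b"secreti"
    req, ra = build_access_request(b"admin", b"constructed-pw", SECRET, ident=7)
    reply = server_handle(req, SECRET, {b"admin": b"constructed-pw"})
    print("accepted:", client_verify(reply, ra, SECRET) == ACCESS_ACCEPT)
    print("reply under a different secret is discarded:", client_verify(reply, ra, b"other") is None)
```

Two points the chapter's one-sentence description leaves implicit are visible here. A server configured with a different key cannot recover the password and its reply fails the client's check, which is why a mismatched radius server key shows up as every login failing rather than as an error message. And because the Response Authenticator covers the reply's code, a reply whose Access-Reject has been rewritten to Access-Accept is rejected by client_verify, so the switch honors only verdicts signed with the shared secret.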
205.
...y locked addresses.
- Helps secure the network by preventing unknown devices from forwarding packets.
- When the link goes down, all dynamically locked addresses are freed.
- If a specific MAC address is to be set for a port, set the dynamic entries to 0, then only allow packets with a MAC address matching the MAC address in the static list.
- Dynamically locked MAC addresses are aged out if another packet with that address is not seen within the age-out time. The user can set the time-out value.
- Dynamically locked MAC addresses are eligible to be learned by another port.
- Static MAC addresses are not eligible for aging.
- Dynamically locked addresses can be converted to statically locked addresses.

Configuring Port Security via CLI

The following are examples of the commands used in the Port Security feature.

Example 1: show port-security

CODE EXAMPLE 10-1 show port-security

    (DTI SWITCH) #show port-security
    <cr>         Press Enter to execute the command.
    all          Display port-security information for all interfaces.
    <slot/port>  Display port-security information for a specific interface.
    dynamic      Display dynamically learned MAC addresses.
    static       Display statically locked MAC addresses.
    violation    Display the source MAC address of the last packet that was discarded on a locked port.

Example 2: show port-security on a Specific Interface

CODE EXAMPLE 10-2 show port-security on a Specific Interface

    (DTI SWITCH) #show por...
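The bullet list above states the port-security rules (a bounded set of dynamically locked MACs with age-out, a static list that never ages, static-only operation when the dynamic limit is 0, link-down flushing, conversion of dynamic entries to static, and a record of the last discarded source MAC that show port-security violation displays) but never shows them interacting. The Python model below is an added example, not the switch's implementation, that applies those rules to a constructed sequence of frames on one port so the interactions can be checked; the class and method names, the MAC addresses and the timestamps are all constructed. It models a single port, so the rule that a dynamically locked MAC may be learned by another port is outside its scope.

```python
"""Per-port port-security MAC locking as described in the chapter (added example, constructed model)."""


class PortSecurity:
    def __init__(self, max_dynamic, age_out_seconds, static=()):
        self.max_dynamic = max_dynamic      # 0 means "static list only"
        self.age_out = age_out_seconds      # the user-settable time-out value
        self.static = set(static)           # statically locked MACs, never aged
        self.dynamic = {}                   # dynamically locked MAC -> time last seen
        self.violation = None               # source MAC of the last discarded frame
        self.link_up = True

    def _expire(self, now):
        """Age out dynamically locked MACs not seen within the age-out time."""
        for mac, seen in list(self.dynamic.items()):
            if now - seen > self.age_out:
                del self.dynamic[mac]

    def ingress(self, src_mac, now):
        """Return True if a frame from src_mac is forwarded, False if it is discarded."""
        if not self.link_up:
            return False
        self._expire(now)
        if src_mac in self.static:
            return True
        if src_mac in self.dynamic:
            self.dynamic[src_mac] = now     # refresh the age-out timer
            return True
        if len(self.dynamic) < self.max_dynamic:
            self.dynamic[src_mac] = now     # learn and lock a new address
            return True
        self.violation = src_mac            # unknown device on a locked port: discard and record
        return False

    def set_link(self, up):
        """Link down frees every dynamically locked address; static entries survive."""
        self.link_up = up
        if not up:
            self.dynamic.clear()

    def convert_dynamic_to_static(self):
        """Promote the current dynamic entries to static so they are no longer subject to aging."""
        self.static.update(self.dynamic)
        self.dynamic.clear()
        return sorted(self.static)

    def show(self):
        """Roughly what show port-security reports for this interface."""
        return {"dynamic": sorted(self.dynamic), "static": sorted(self.static),
                "violation": self.violation}


if __name__ == "__main__":
    # Constructed frames: two devices fill a 2-entry port, a third is discarded and recorded.
    port = PortSecurity(max_dynamic=2, age_out_seconds=60)
    for mac, t in [("00:11:22:33:44:01", 0), ("00:11:22:33:44:02", 1), ("00:11:22:33:44:03", 2)]:
        print(mac, "forwarded" if port.ingress(mac, t) else "discarded")
    print(port.show())
```

Running the stand-alone section shows the third address being discarded and appearing as the violation entry, which is the state an operator sees after a rogue device is plugged into a locked port. The test exercises the remaining rules: an aged-out entry frees a slot, link down empties the dynamic table, a max of 0 with a static list admits only the listed MAC, and converted entries are immune to aging.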
206.
    ...ys 23:31:27  Multiple Users     Unit: 0 Slot: 3 Port: 1
     3  5 days 19:21:51  Multiple Users     Unit: 0 Slot: 3 Port: 1
     4  2 days 23:16:32  Link Down          Unit: 0 Slot: 1 Port: 2
     5  2 days 23:16:03  Link Down          Unit: 0 Slot: 1 Port: 1
     6  2 days 19:49:28  Multiple Users     Unit: 0 Slot: 3 Port: 1
     7  2 days 18:20:56  Multiple Users     Unit: 0 Slot: 3 Port: 1
     8  2 days 17:10:41  Multiple Users     Unit: 0 Slot: 3 Port: 1
     9  2 days 00:55:42  Multiple Users     Unit: 0 Slot: 3 Port: 1
    10  2 days 00:55:38  Failed User Login  Unit: 1 User ID: admin
    11  2 days 00:20:12  Multiple Users     Unit: 0 Slot: 3 Port: 1

    (DTI SWITCH) #show logging hosts
    <cr>    Press Enter to execute the command.
    (DTI SWITCH) #show logging hosts
    Index  IP Address      Severity  Port  Status
    1      192.168.21.253  critical  514   Active

Example 5: logging port configuration

CODE EXAMPLE 34-5 Logging Port Configuration Commands

    (DTI SWITCH) #config
    (DTI SWITCH) (Config)#logging
    buffered     Buffered (In-Memory) Logging Configuration.
    cli-command  CLI Command Logging Configuration.
    console      Console Logging Configuration.
    host         Enter IP Address for Logging Host.
    syslog       Syslog Configuration.
    (DTI SWITCH) (Config)#logging host
    <hostaddress>  Enter Logging Host IP Address.
    reconfigure    Logging Host Reconfiguration.
    remove         Logging Host Removal.
