
There is nothing more important than our customers

Enterprise Switching
Courseware Overview
Version 2.2

Course Prerequisites
Student prerequisite knowledge/skills:
- Experienced PC user
- Operational knowledge of Ethernet
- 802.1D standard
- 802.1Q standard
- Comprehensive understanding of the TCP/IP protocol

Topics not covered in this course:
- In-depth discussion of 802.1D or 802.1Q
- TCP/IP
- Network design
- Wireless
- NetSight Management
- Dragon
- NAC
- Routing Protocols

2007 Enterasys Networks, Inc. All rights reserved.

Getting Started & Introductions


Class Hours
am to ?pm

Instructor
Luis Alberto Frias Elias and Hugo Mendez Vara

Attendees
- Name?
- Company?
- Job Description?
- What is your experience with Switching?
- Are you currently using ETS products? (Which?)
- What do you hope to learn about Switching?
- Do you intend to take the ESE Exam?


Enterprise Switching
Product Overview

Enterasys Switching Families


Enterasys Matrix and SecureStack switch offerings include the following product families:
- SecureStack A2
- SecureStack B2/B3
- SecureStack C2/C3
- Enterasys I, D and G series
- Matrix N-Series Diamond DFE
- Matrix N-Series Platinum DFE
- Matrix N-Series Gold DFE
- Matrix E1


Agenda
- Switching Product Overview
- Switch Positioning
- The Enterasys Switching Advantage


Enterasys Switch Comparison

SecureStack A-Series: Basic Connectivity
1. Low-Cost L2 10/100 Switching
2. 2 Gb Closed Loop Stacking
3. High Density Stacking (384)
4. Up to 16 Gb uplinks per stack
5. No Enterasys Policy Support

SecureStack B-Series: Advanced L2 Capabilities
1. L2 10/100 & 10/100/1000 Switching
2. Up to 24Gb Closed Loop Stacking
3. High Density Stacking (384)
4. Up to 32 Gb uplinks per stack
5. Optional Policy Available
6. Basic Routing (Static routes, RIP v1/2)

D-Series: Small, quiet, with Optional Policy
1. L2 10/100 & 10/100/1000 Switching
2. Optional Policy Available
3. Small form factor
4. Whisper quiet fan only when needed

SecureStack C-Series: Policy, Optional Routing
1. L2 and L3 10/100 & 10/100/1000 Switching
2. Up to 48Gb Closed Loop Stacking
3. High Density Stacking (384)
4. Mixture of up to 32 Gb uplinks and/or 16 10Gb uplinks per stack
5. Policy by default
6. MultiUser Policy (8)
7. C3 IPv6
8. Optional Routing (OSPF, PIM-SM, DVMRP, extended ACLs)

G-Series: More Horse Power
1. L2 and L3 10/100 & 10/100/1000 Switching
2. Policy by default
3. Basic Routing (RIP)
4. IPv6
5. Optional Routing (OSPF, PIM-SM, DVMRP, extended ACLs)

Matrix N-Series: High-end Modular Chassis
1. End-to-End L2 & L3 Enterprise Switching
2. Highest System Redundancy Available
3. Highest Density and Most Interface Types
4. MultiUser Policy (up to 256) and Most Extensive Software and Hardware Features
5. 6,000 to 56,000 rules per DFE
6. Multiple Generations of Technology Operate Concurrently in 1 Chassis
7. Support for Basic and Advanced Routing


The Enterasys Switching Advantage

Business-critical applications:
- Guarantee network availability for business-critical applications
- Prioritise business-critical applications
  - Streaming video, ERP, VoIP and e-commerce
- Advanced QoS features:
  - Advanced packet classification
  - Rate limiting
  - Strict and weighted fair queuing
  - Traffic prioritization
- Policy


The Enterasys Switching Advantage


Secure Networks:
- N-Series, SecureStack and D, G and I Series switches offer user-based security and authentication via standards-based IEEE 802.1X user authentication, as well as alternate methods
- N-Series, SecureStack and D, G and I Series switches implement granular control of the network infrastructure with policy
- N-Series, SecureStack and D, G and I Series switches support a suite of Secure Networks Solutions empowered by the ability to understand end-users and their business roles within the network
- Secure Network Solutions act in providing dynamic, preemptive, diagnostic, and reactionary mechanisms to secure the network
- Powerful network management software, NetSight, enables clear visibility of network operation and rapid reconfiguration for adaptation to security concerns


Enterprise Switching
SecureStack Switches

SecureStack Overview

Next-Generation, High Density Stackable Gigabit Switching
Extensive Bandwidth, Performance, Scalability and Flexibility


SecureStack Switches Overview


SecureStack switches are stackable 1U switches
- There are three series of SecureStack switches (A, B and C), with the models A2, B2, B3, C2 and C3
  - C3s are the top end, then C2, B3, B2 and A2

Stack up to 8 switches
- All switches in the stack have to be of the same series (all A2s, Bs or Cs)
  - Minimum code version on the B2 is 4.0 to allow a B2/B3 mixed stack
  - Minimum code version on the C2 is 5.0 to allow a C2/C3 mixed stack

Units should be stacked in a closed loop for redundancy

- One switch acts as the manager for the stack, allowing configuration of the entire stack using only one IP address or console session
  - Upgrade the firmware on the manager switch and the upgrade is applied to all units in the stack automatically
  - Each switch in the stack is a backup for the manager switch; the backup order is based on unit ID

Password reset button at the back of switches


SecureStack Supported Functionality


- Wire-speed switching on all ports
- 16,000 MAC addresses
- 802.3x flow control
  - No flow control between members of a stack
- Link Aggregation Groups
  - Max 6 LAGs per system
  - Max 8 ports per LAG (8 for B/C, 4 for A2)
  - LAG across the stack
- Eight hardware queues per port
- Jumbo frame (9,216) support
- Multiple Spanning Trees (IEEE 802.1s)
  - Max of 4 Spanning Tree Groups
  - IEEE 802.1w (Rapid STP)
  - IEEE 802.1s (Multiple STP)
- Port Mirroring (many-to-one only)
  - Up to 8 ports from/to anywhere in the stack
  - One-to-many is not supported (HW limitation)
- User Security and Authentication (platform dependent)
  - 802.1X Authentication
  - MAC Authentication
  - Port Web Authentication (PWA)
  - User + IP Phone Authentication
- VLAN
  - 1024 VLANs (VLAN IDs 1-4094)
  - Port-based, protocol-based & tagged VLAN
  - GARP and GVRP
- IGMP Snooping
- SNMPv3
- SSH
- Node Alias Support
  - IP support only
- Host Security
  - RADIUS authentication (front panel only)
  - MAC Locking


SecureStack A2 Series Switches


A2 Series
- Supports 24 and 48 port modules with both PoE and non-PoE
- A2H124-24FX: 24 port 100 Meg MTRJ fiber switch
- A2H254-16: 8 ports RJ45 copper and 8 ports MTRJ fiber

All A2s come with 2 SFP Mini GBIC ports and 2 stack ports on the front of the switch
- The stack ports on the A2 are RJ45 ports that use CAT5 or better cables
- When the A2 is in standalone mode (not stacked), the stack ports can be used as standard Gigabit uplink ports by using the set switch stackport {ethernet | stack} command
  - This could give you a total of 28 or 52 active ports, depending on the model

- No policy support
- No routing support
- Supports 2 Gbps bidirectional throughput per stack port


SecureStack B2
Supports everything the A2 does plus:
- CoS and bandwidth control with 8 priority queues per port and rate limiting
- Optional Policy License B3POL-LIC
  - Enables Policy and User + IP phone authentication support

B2 Series
- Supports 24 and 48 port modules with both PoE and non-PoE
- Supports both 10/100 and triple speed
- Supports 20 Gbps bidirectional throughput per stack port
- B2 uses proprietary stack cables C2CAB-LONG & C2CAB-SHORT

All B2s come with 4 SFP Mini GBIC ports and 2 stack ports
- The two stack ports are on the rear of the switch
- On 10/100 models, the 24/48 10/100 ports and the 4 Mini GBIC ports are all active, for a total of 28/52 active ports
- On triple speed models, the Mini GBIC ports and the last 4 10/100/1000 ports are combo ports, so you only have 24 or 48 active ports. This is discussed in detail later.

SecureStack B3
Supports everything the B2 does plus:
- Supports 24 Gbps bidirectional throughput per stack port
  - Reverts back to 20 Gbps in a mixed stack

When working with a mixed B series stack, the stack takes on the lesser of the capabilities of the two devices.
- For the B2 and B3 mixed stack:
  - The B2 must be running version 4.0 at a minimum to operate in a mixed stack
  - A Policy License is required for every device in the stack in order for policy to work on the stack at all. A B2 Policy License will operate on a B3
  - It is recommended that a B3 device be the master of the stack
  - Concerning layer 2 policy rules: they will not work on any devices (B2s included) in a mixed stack. If the B2 is the master, the layer 2 policy rules should be disabled to avoid a mismatch in the stack


SecureStack C2
Supports everything the B3 does plus:
- Supports policy without a policy license required
- Supports basic IP layer 3 routing (static routes, RIP, basic ACLs)
- Optional License C2L3-LIC (Layer 3 Routing License)
  - Enables OSPF, PIM, DVMRP, VRRP, Extended ACLs

Supports 40 Gbps bidirectional stacking capacity per stack port

The C2H124-48 can have the 48 10/100 & 4 Mini GBIC ports active, for a total of 52 active ports. The C2K122-24 can have 24 10/100/1000 ports active, plus the 2 10-Gigabit uplink ports, for a total of 26 active ports. On the other models, the Mini GBIC ports and the last 4 10/100/1000 ports are combo ports. This is discussed in detail later.


SecureStack Switch Offerings


SecureStack C2 10Gbps Switch (C2K122-24)
- 24 10/100/1000 RJ45 ports, and 2 XFP (10Gb) uplinks (26 total ports)
- Both 10 Gbps ports can be active simultaneously

XFP options:
- 10GBASE-SR XFP: 850 nanometer serial port for 10-Gigabit Ethernet over Multi Mode Fiber (MMF) via an XFP connector. Supports link lengths ranging from 26 meters to 300 meters depending on grade of fiber installation.
- 10GBASE-LR XFP: 1310 nanometer serial port for 10-Gigabit Ethernet over Single Mode Fiber (SMF) via an XFP connector. Supports 10 Gigabit Ethernet transmission over distances of between 2 km and 10 km.
- 10GBASE-ER XFP: 1550 nanometer serial port for 10-Gigabit Ethernet over Single Mode Fiber (SMF) via an XFP connector. Supports long haul 10 Gigabit Ethernet transmission over distances of between 2 km and 40 km.


SecureStack C3
Supports everything the C2 does plus:
- Also supports XFPs, but via an optional 10GE IOM for the C3K switches
  - All C3s must be running firmware version 1.02.01.0004 for the C3Ks to join the stack
- Supports IPv6 routing, OSPFv3, IGMPv3 Snooping, DHCPv6
- Routing License is linked to the switch serial number
  - Therefore each switch in a stack requires a routing license for routing to work on each switch
- Supports 48 Gbps bidirectional stacking capacity per stack port
  - Reverts back to 40 Gbps in a mixed stack

When working with a mixed C series stack, the stack takes on the lesser of the capabilities of the two devices. For the C2 and C3 mixed stack:
- The C2 must be running version 5.02.01.xxx at a minimum to operate in a mixed stack
- It is recommended that a C3 device be the master of the stack
- Concerning layer 2 policy rules: they will not work on any C2 device in a mixed stack. If the C2 is the master, the layer 2 policy rules should be disabled to avoid a mismatch in the stack
- IPv6 will not work in a mixed stack


SecureStack C3 Series Switches


Cisco Phone Discovery & Cisco CDP MIB Support
This function consists of an update to the existing CDP function to recognize PDUs from Cisco phones. A table of information about detected phones is kept by the switch and can be queried by the network administrator.

Link Flap Detection


The link flap function detects when a link is going up and down rapidly (also called "link flapping") on a physical port, and takes the required actions (disable port, and eventually send notification trap) to stop such a condition. If left unresolved, the "link flapping" condition can be detrimental to network stability because it can trigger Spanning Tree and routing table recalculation.
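The detection logic described above, written out as an added example (not code from the slides or from Enterasys): a sliding-window counter of link transitions per physical port that disables the port and records a notification once transitions come too fast, and ignores further events from a port it has already disabled. The threshold, window length and event-line format are assumptions; the sample events are constructed.

```python
"""Link flap detector modelling the behaviour the slide describes: count link up/down
transitions per physical port inside a sliding window, and when they come too fast,
disable the port and record a notification (the switch would send a trap). Added example
written for this page, not Enterasys code. The threshold, window and the event-line
format are assumptions; the sample events are constructed."""
from collections import defaultdict, deque

FLAP_THRESHOLD = 5    # assumption: transitions inside the window that count as flapping
WINDOW_SECONDS = 10   # assumption: sliding window length in seconds

class LinkFlapDetector:
    def __init__(self, threshold=FLAP_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._recent = defaultdict(deque)   # port -> timestamps of recent transitions
        self.disabled = set()               # ports the detector has shut down
        self.notifications = []             # stand-in for the trap the switch would send

    def observe(self, ts, port, state):
        """Feed one link-state transition. Returns True if it caused the port to be disabled."""
        if state not in ("up", "down"):
            raise ValueError(f"unexpected link state {state!r}")
        if port in self.disabled:
            return False        # a disabled port needs operator action, not more counting
        recent = self._recent[port]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()    # forget transitions that fell outside the window
        if len(recent) >= self.threshold:
            self.disabled.add(port)
            self.notifications.append({
                "port": port, "time": ts, "transitions": len(recent),
                "action": "port disabled (link flap)"})
            recent.clear()
            return True
        return False

def parse_event(line):
    """Constructed event format: '<seconds> <port> link <up|down>'."""
    ts, port, keyword, state = line.split()
    if keyword != "link":
        raise ValueError(f"not a link event: {line!r}")
    return float(ts), port, state

def run(lines, detector=None):
    """Replay event lines through a detector and return it for inspection."""
    detector = detector or LinkFlapDetector()
    for line in lines:
        detector.observe(*parse_event(line))
    return detector

# Constructed events: ge.1.5 flaps every second, ge.1.7 is a normal slow cycle,
# ge.1.9 has two short bursts that never reach the threshold inside one window.
SAMPLE_EVENTS = [
    "0 ge.1.5 link up", "0 ge.1.7 link up", "0 ge.1.9 link up",
    "1 ge.1.5 link down", "1 ge.1.9 link down",
    "2 ge.1.5 link up",
    "3 ge.1.5 link down",
    "4 ge.1.5 link up",
    "5 ge.1.5 link down",
    "20 ge.1.9 link up", "21 ge.1.9 link down", "22 ge.1.9 link up",
    "30 ge.1.7 link down", "60 ge.1.7 link up",
]

if __name__ == "__main__":
    d = run(SAMPLE_EVENTS)
    print("disabled:", sorted(d.disabled))
    for n in d.notifications:
        print(n)
```

With the sample events only ge.1.5 is disabled, at the fifth transition (time 4); the later event for it at time 5 is ignored because the port is already down and waiting for an operator.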

Set Date & Time via MIB


Add SNMP support to read and write switches date and time.

VLAN to Policy mapping per Port basis


Change the support from global Configuration to a per port Configuration.

Selectable Hashing Algorithms


Use this command to set the MAC algorithm mode, which determines the hash mechanism used by the device when performing layer 2 lookups on received frames. Each algorithm is optimized for a different spread of MAC addresses. When changing this mode the switch will display a warning message and prompt you to restart the device.

ctAlias Table Lookup Optimization


Support the ctAliasMacAddressTable in the ctAliasMIB. This contains the same information as the ctAliasTable but is indexed by MAC address.


SecureStack C3 Series Switches


IGMPv3 Snooping
- Provides better control of multicast traffic at layer 2
  - Reduces overhead on the network
  - More efficient use of IGMP messaging reduces the flooding of messages
  - Removes load from the host devices
  - Allows traffic forwarding from sources only to receivers that subscribed

Setting of static multicast MAC addresses
- Create and configure static Layer 2 IGMP entries.

VLAN Marking of Mirror Traffic
- An extension to port mirroring which facilitates simultaneous mirroring of multiple source ports on multiple switches across a network to one or more remote destination ports.

IPv6 Routing
- OSPFv3
- Path MTU Discovery
- IPv6 to IPv4 translation
- IPv6 Tunnels
- ICMPv6 messaging, traceroute, ping, SSH2


SecureStack B3/C3 Series Switches


One of the major advantages of the B3 and C3 platforms over the B2 and C2 platforms: the B2 and C2 both had a limit on the number of masks that each switch was able to support. This is no longer the case with the B3 and C3.
For example, with the 10/100 B2 and C2 policy implementation, there is a limit of 18 masks for the entire stack, and a limit of 10 masks per policy. This is not the case with the B3 and C3, which are designed to support a 1:1 ratio of masks per policy. The following tables are a breakdown of the Stack Policy Specifications for the SecureStack B3, C3 and their respective mixed stacks.

B Series Stack Policy Considerations

Type of Stack   # of Rules/Stack   # of Policy Rules/Stack   # of Rules/Policy   # of Masks/Policy   Layer 2 Rule Support
B3 Stack        768                768                       100                 100                 No
B3/B2G Mix      768                768                       100                 10                  No
B3/B2H Mix      100                18                        100                 10                  No

C Series Stack Policy Considerations

Type of Stack   # of Rules/Stack   # of Policy Rules/Stack   # of Rules/Policy   # of Masks/Policy   Layer 2 Rule Support
C3 Stack        768                768                       100                 100                 No
C3/C2G Mix      768                768                       100                 10                  No
C3/C2H Mix      100                18                        100                 10                  No


Redundant Power Supplies (non PoE)


Same power supplies work for the A2, B2 and C2. The C2RPS-PSM is a 150 watt power supply module used for non-PoE switches
- The PSM unit has its own AC input
- Do not use with PoE switches

There are two chassis (shelves) for the C2RPS-PSM (non-PoE)
- C2RPS-CHAS8 (8 slot chassis) can service a full stack of non-PoE SecureStack switches
  - The C2RPS-SYS is the 8 slot chassis and 1 C2RPS-PSM
  - Dimensions: 8.77 H x 17.3 W x 10.4 D (in.)
- C2RPS-CHAS2 (2 slot chassis)

- Fully hot swappable
- All cable connections at rear of unit
- Management through LEDs and SNMP


Enterprise Switching
Matrix N-Series

Overview of Matrix N-Series Products


The Matrix N-Series is a modular enterprise wiring closet solution
- Supports both Layer 2 switching and Layer 3 IP routing
- Designed for premium edge, backbone, distribution switching, small core, server farm
- Forms one logical switch in chassis

The Distributed Forwarding Engine (DFE) switch modules
- Provide Quality of Service (QoS) and wire-speed throughput
- Three versions of the Matrix N-Series DFE switch modules: Diamond, Platinum & Gold
  - Diamond is the high end version, Gold is the low end version
- Processing load balanced across switch modules

Chassis that accommodate DFEs:
- One-slot (N1), three-slot (N3), five-slot (N5) and seven-slot (N7) chassis
- In addition, the DFEs can also be installed in the Matrix E7 chassis
- Standalone N-Series NSA (Network Security Architecture)


Matrix N-Series
The Matrix N-Series is a modular design.
- Four chassis models, the N1, N3, N5 and the N7
- The Matrix N-Series Standalone switch (NSA)

Combine Layer 2 switching with granular Layer 2/3/4 classification
Support advanced Layer 3 IP routing
Three product lines of Distributed Forwarding Engines (DFEs):
- DFEs, Diamond: significant processing enhancements over Platinum DFEs, plus increased security, routing & policy scalability
- DFEs, Platinum: optimised for more features and higher performance
- DFEs, Gold: optimised for edge connectivity with fewer capabilities than the Platinum

Designed for wiring closets, server farm aggregations and distribution switching.

Matrix N-series Chassis


The Matrix N Series chassis use a passive fully meshed backplane
- File Transfer Matrix 2 (FTM2) point to point connectivity between slots
- No FTM 1 connectivity
- Hot swap modules and fan trays

- Matrix N1 Chassis (7C111)
- Matrix N3 Chassis (7C103)
- Matrix N5 Chassis (7C105-P): designed for PoE modules, supports all modules
- Matrix N7 Chassis (7C107)
- Matrix N Series Stand Alone NSA (2G4072-52)


Power Supply Summary


Characteristics of the N1, N3, N5 and N7 power supplies are shown below.

Matrix N1
- Power supply part number: N/A (redundant power supplies are integrated)
- Power supply wattage: 250 Watts maximum
- Input frequency: 50 to 60 Hz
- Input voltage range: 100 to 125 Vac
- Input current: 12 A maximum
- Minimum power supplies: 1*

Matrix N3
- Power supply part number: 7C203-1
- Power supply wattage: 863 Watts maximum
- Input frequency: 50 to 60 Hz
- Input voltage range: 100 to 125 Vac
- Input current: 12 A maximum
- Minimum power supplies: 1*

Matrix N5
- Power supply part number: 7C205-1
- Power supply wattage: 1200 Watts per power supply
- Input frequency: 50 to 60 Hz
- Input voltage range: 100 to 125 Vac
- Input current: 12 A maximum
- Minimum power supplies: 1*

Matrix N7
- Power supply part number: 6C207-3
- Power supply wattage: 1600 Watts per power supply (dual input)
- Input frequency: 50 to 60 Hz
- Input voltage range: 100 to 125 Vac
- Input current: 12 A maximum
- Minimum power supplies: 1**

* Two power supplies may be installed for redundancy and load sharing.
** Two power supplies are required to support Matrix N7 configurations with six and seven installed DFEs (also, check power requirements of individual modules as you install them). The 6C207-3 has two power connectors. Both power cords MUST be plugged in for the power supply to operate (15 amp circuit required per cord).

Distributed Forwarding Engines (DFEs)


- DFEs are based on a family of nTERA ASICs (Application Specific Integrated Circuits) and software-based microprocessors
- DFEs are available in several interface types
- The Matrix N-Series DFEs have a fully distributed switch architecture and route processing capabilities
  - Each interface module is individually driven and managed by on-board processors.


Advanced Distributed Architecture


Advantages of this architecture are:
- Failure only affects users connected to that module
- Failure of one DFE does not impact users on other modules
- A high-powered CPU per module
- Custom ASICs, designed specifically for advanced DFE capabilities
- Redundancy and scalability built into each DFE

Highly redundant management
- One module is elected as the primary management module for each management service (host services, routing, SNMP, IP, etc.)
- All other modules are backups for each service and keep a copy of the management services information
  - Uninterrupted system operation in the event of module failure


Advanced Distributed Architecture


Multiple DFEs in a chassis will select a primary module for system management.
- If the master fails, another module will assume responsibility for management and distribution of system information.
- If a new DFE is inserted, it will inherit all system parameters of the unit it replaces.

If a module needs to be replaced, it will inherit all configuration settings of the previous module as long as the new module is an exact replacement.
- Any configuration files that were stored in the file system of the newly inserted module will not be deleted and will remain available.


Advanced Distributed Architecture


Matrix N-Series has the ability to store 2 images per chassis
- Every module keeps a copy of both images
- All modules run the same firmware version
- Upgrading a module upgrades the entire chassis

Several config files can be stored on each DFE module.
- Every module keeps a copy of the current configuration.
- Editable text-based config files contain Layer 2 & 3 info

All config files contain the following info:
- Global chassis configurations
- Board specific configurations


Platinum and Gold DFEs


- All Platinum and Gold DFEs ship with firmware, the Enterasys Operating System (EOS)
- All 10/100/1000Base-TX ports support auto-negotiation of duplex mode and speed
- Platinum DFEs are distinguished by the platinum color on the tab and part numbers that begin with 7
- Gold DFEs are distinguished by the gold color on the tab and product numbers that start with 4


Platinum and Gold DFEs


A router is associated to a module using the set router slot command

Basic routing includes:
- Static routes
- VRRP (Virtual Router Redundancy Protocol)
- Basic ACLs (Access Control Lists)
- RIP (Routing Information Protocol)
- Policy Based Routing
- Denial of Service Protection

Advanced routing software license (N-EOS-L3) includes:
- Extended ACLs (Access Control Lists)
- OSPF (Open Shortest Path First)
- LSNAT (Load Sharing Network Address Translation)
- DVMRP (Distance Vector Multicast Routing Protocol)
- PIM-SM (Protocol Independent Multicast Sparse Mode)

Only one advanced routing license is required per chassis.


Platinum and Gold DFEs A Comparison


Features
- Platinum DFE supports advanced features, such as
  - Multi-User authentication for a maximum limit of up to 2048 authenticated devices per port, dependent on licenses
  - Advanced port mirroring
  - Weighted Fair Queuing and Strict Priority Queuing
  - FTM1 bridging
- The Gold DFE supports a less-robust feature set, such as
  - Multi-User authentication for 2 authenticated devices per port
  - Strict Priority Queuing only


Platinum and Gold DFEs A Comparison


Redundancy
- Gold DFE management is performed by the single DFE installed in slot 1
  - No redundancy by default
  - Gold DFE can be outfitted with a software upgrade (part number N-EOS-RED) to provide 1+1 redundancy
- Platinum DFEs provide N+6 redundancy by default
  - Every DFE module is a backup for all others in the chassis
  - Failure of one module will not cause the entire system to fail
  - Up to 2 router instances are supported in a Platinum chassis


DFE Mode Switches

[Figure: DFE mode switch locations. Legend: 1 = 7H4270-12; 2 = 7H4382-49 and 7H4383-49, 4H4282-49 and 4H4283-49; 3 = 7G4202-30; 4 = 7H4203-72 and 4H4203-72]

Platinum & Gold DFEs have mode switches located on the circuit board. Switch definitions and positions are as follows:
- Switches 1 through 6: for Enterasys Networks use only
- Switch 7: Clear Persistent Data (NVRAM)
- Switch 8: Clear Admin Password


Enterprise Switching
Device Management

Physical Interface Numbers


Port String Syntax: <port type>.<slot>.<port number>
- fe.1.1: 100 Mbps port 1 in chassis slot 1
- ge.3.2-3: 1 Gigabit ports 2 and 3 in chassis slot 3
- tg.3.1: 10 Gigabit port 1 in chassis slot 3

Example: fe.1.2 = port type "fe", slot location 1, port number 2

Port Type
- Identical format for Matrix N-series, D, G and I series and SecureStack

Slot
- For Matrix N-series, slot number from left-to-right or bottom to top
- For the D and G series, slot number starting with base ports and counting left-to-right in expansion slots, 0-based
- For SecureStack, device number in stack (which may or may not correspond to the device's physical position in the stack), 1-based

Port Number
- Identical format for all current switches
- Number of the port based on the port type in this slot, 1-based
- Example: fe.1.1 is the first Fast Ethernet port in slot 1
- Example: ge.1.1 is the first Gigabit Ethernet port in slot 1 (which may logically be the 25th physical port in slot 1)


System Interface Numbers


Other port types include:
- com: COM (console) port
- host.0.1: host port
- bp: backplane port
- vlan: VLAN interfaces
- lag: link aggregation ports
- lbpk: loopback interfaces
- rtr: router interfaces
- pc: Matrix Security Module

Example: fe.1.2 = port type "fe", slot location 1, port number 2

Wildcards can be used:
- fe.*.*: all 100 Mbps ports in the chassis
- ge.2.*: all Gigabit ports on slot 2
- ge.*.*: all Gigabit ports in the chassis
- *.*.*: all ports (physical and virtual, including LAGs) on all slots or modules


Local Management (LM)

Enterasys switch products may be locally managed via the COM port
- The console port on a device may be either an RJ45 or a DB9 connector
- Connections are designed for a VT terminal, a PC with terminal emulation (such as HyperTerminal or Tera Term Pro), or a modem

Terminal Emulation Setting   Generic Value
Baud Rate/Transmit           9600
Data Bits                    8
Stop Bits                    1
Parity                       None
Flow Control                 Xon/Xoff


Command Line Interface (CLI)


The Matrix N-series and SecureStack A, B and C switches all support an industry-standard Command Line Interface to provide consistency in configuration syntax.

By default, the Matrix N-series and SecureStack A, B and C switches are configured with three user login accounts:
- ro for Read-Only access
- rw for Read-Write access
- admin for Super-User access


CLI Overview
Layer 2 switch configuration
- Persistent when configured

Basic CLI usage
- Use ? in the CLI to display commands and parameters
- Use tab for command auto-completion
- Use the up arrow or down arrow key to recall a previously entered command

Basic Layer 2 CLI commands
- Setting system information
  - set ip address ip-address [mask ip-mask] [gateway ip-gateway]
  - show ip address
  - set time [mm/dd/yyyy] [hh:mm:ss]
  - show time
  - set system name [string] (good when used with SNMP)
  - set system location [string]
  - set system contact [string]
- Setting console behaviour
  - set prompt [prompt_string] (if you use speech marks then it is possible to put a space between words)
  - set logout timeout
  - set logout 0 is the default (DFE)


CLI Overview
Reset the system
- reset
- reset at hh:mm [mm/dd] [reason]
- reset in hh:mm [reason]
- show reset

Displaying System Information
- show system (pull system information from the DFE, E1, or SecureStack)
- show system hardware (DFE and SecureStack)
- show system utilization cpu (DFE and SecureStack)
- show switch (SecureStack)

Displaying System Configuration
- dir
- show version
- show config
- show config [facility]
  - show config system (shows only system configurations)
  - show config port (shows only port configurations)

clear config mod-num | all
- Clears a module or the entire chassis (DFE)
- Does not clear the IP address; use the clear ip address command for that


In-band Management
All Enterasys switches can be managed in-band through the following IP addresses:
- Layer 2 virtual host management port (all Enterasys switches)
- Layer 3 IP routed interfaces (N, G and C)

Layer 2 virtual host management port
- This virtual port is switched/routed to via the front panel ports on the device, following normal layer 2 bridging and layer 3 routing rules
- The IP address and mask are set using the set ip address command
- The VLAN is set using the following command:
  - set vlan egress <vid> host.0.1 untagged (N-series)
  - set host vlan <vid> (SecureStack and G)

Layer 3 IP routed interfaces
- For the N-series, the layer 2 virtual host management port can use a locally configured IP routed interface as its default gateway
- For the SecureStack C series, the layer 2 virtual host management port cannot be configured on the same VLAN or on the same subnet as any locally configured routed interface
  - Only applicable when routing is enabled on the SecureStack C series
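The SecureStack C series constraint above is the kind of thing worth checking before a configuration is pushed, because a host port that collides with a routed interface loses in-band management. The following is an added example (not code from the slides or from Enterasys) that checks a planned host port against the locally configured routed interfaces for both conditions the slide names, a shared VLAN and an overlapping subnet, and applies the rule only when routing is enabled. The record types and the sample configuration are constructed.

```python
"""Configuration check for the SecureStack C-series constraint on these slides: with
routing enabled, the layer 2 virtual host management port (set ip address / set host vlan)
must not share a VLAN or a subnet with any locally configured routed interface. Added
example written for this page, not Enterasys code; the record types and the sample
configuration are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass
class RoutedInterface:
    vid: int                              # VLAN the routed interface is bound to
    address: ipaddress.IPv4Interface      # interface address with prefix length

@dataclass
class HostPort:
    vid: int                              # the value given to "set host vlan <vid>"
    address: ipaddress.IPv4Interface      # the value given to "set ip address ... mask ..."

def check_host_port(host: HostPort, routed: List[RoutedInterface],
                    routing_enabled: bool = True) -> List[str]:
    """Return the list of conflicts; an empty list means the host port placement is valid."""
    conflicts = []
    if not routing_enabled:
        return conflicts                  # the slide limits the rule to routing-enabled stacks
    for iface in routed:
        if iface.vid == host.vid:
            conflicts.append(f"host port VLAN {host.vid} is also routed interface vlan.{iface.vid}")
        if iface.address.network.overlaps(host.address.network):
            conflicts.append(
                f"host subnet {host.address.network} overlaps routed interface "
                f"vlan.{iface.vid} subnet {iface.address.network}")
    return conflicts

def host_port(vid: int, cidr: str) -> HostPort:
    return HostPort(vid, ipaddress.ip_interface(cidr))

def routed_if(vid: int, cidr: str) -> RoutedInterface:
    return RoutedInterface(vid, ipaddress.ip_interface(cidr))

# Constructed sample: routed interfaces on VLANs 20 and 30, management host port on VLAN 10.
ROUTED = [routed_if(20, "10.1.20.1/24"), routed_if(30, "10.1.30.1/24")]
GOOD_HOST = host_port(10, "10.1.10.5/24")
SAME_VLAN_HOST = host_port(20, "192.0.2.5/24")   # separate subnet, but the same VLAN as vlan.20
OVERLAP_HOST = host_port(10, "10.1.0.5/16")      # own VLAN, but the /16 covers both routed subnets

if __name__ == "__main__":
    for label, h in (("good", GOOD_HOST), ("same vlan", SAME_VLAN_HOST), ("overlap", OVERLAP_HOST)):
        print(label, check_host_port(h, ROUTED) or "OK")
```

The subnet test uses network overlap rather than equality so that a host port placed in a wider prefix than a routed interface, as in OVERLAP_HOST, is also caught.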


WebView and SSL


WebView can be used for basic switch configuration including port configuration, VLANs, and MSTP. WebView is enabled by default on all products.
- To use WebView, just bring up a browser and type in the IP address of the switch
- set webview [ enable | disable | port tcp-port ]

Secure Socket Layer (SSL) works by using a private key to encrypt data for the transmission of private documents over the Internet
- SSL can be enabled through the command line:
  - set ssl enable
  - set webview enable ssl-only
- To use WebView with SSL, enter https://172.10.1.100 in your browser, where 172.10.1.100 is the switch IP address
- Supported on SecureStack, D, G and I Series switches
- Not supported on Matrix N-series


Telnet and SSH


Telnet is a terminal emulation program for TCP/IP networks.
- Once an Enterasys switch has a valid IP address, you can establish a Telnet session to the device from any TCP/IP based node on the network
- You can manage your devices using Telnet; commands will be executed as if you were entering them via the console or COM port
- The management screens seen during a Telnet session are identical to those seen via the console or COM port
- Telnet sends passwords in clear text
- All Enterasys devices support Telnet

Secure Shell (SSH). SSH is a protocol for secure remote login over an insecure network
- A secure substitute for Telnet, encrypting communications between two hosts
- All the current Enterasys switches support SSH


Firmware Upgrades
Firmware is the operating system for the switch. Enterasys periodically provides firmware upgrades and, less frequently, Boot PROM upgrades. These are required to:
- Address software incompatibilities
- Introduce and integrate new features
- Address problems and issues with previous firmware versions
- Support new and future technologies

Enterasys switches primarily support TFTP or BootP server functionality. Other methods of firmware upgrade include FTP and serial (ZMODEM).


Firmware Upgrades

The firmware image is stored in flash memory and runs in local RAM. Some relevant definitions follow.
- NVRAM (Non-Volatile Random Access Memory): RAM that retains its contents (for example, IP addresses) when a unit is powered off.
- LRAM (Local RAM): Memory area used by the central processor for operational tables and current processes (for example, SAT tables and VLAN tables).
- Flash Memory: Non-volatile storage that can be electrically erased and reprogrammed. Allows firmware images to be stored, booted, and rewritten as necessary.
- Boot PROM: Holds the boot programs and board revisions.


Steps in the Normal Boot-Up Process

Steps in the normal boot-up process for Enterasys switching products:
- The Boot PROM comes online first and runs diagnostics on all memory areas and the Ethernet interfaces.
- The Boot PROM then checks the NVRAM settings. These settings tell the Boot PROM where to find the firmware image to load. During a normal boot-up, the firmware image will be loaded from flash memory.
- The Boot PROM will start the Flash Memory Manager to uncompress the firmware image in flash memory, and to copy the uncompressed firmware image into LRAM.
- Once the uncompressed firmware image is in LRAM, the main processor will begin normal operations. SNMP is now available.

Most devices will take from 30 seconds to a minute to boot up.
- If the power-up sequence is interrupted, or if optional hardware has been installed or removed, a device may run an extended diagnostics sequence that may take two or more minutes to complete.


Methods for Upgrading Product Firmware

There are two primary methods for upgrading product firmware. Other methods, when supported by a product family, are briefly described in the product-specific information at the end of this section.
- A TFTP download can be either offline or online.
For an offline TFTP download, the device is taken offline and the image is loaded directly to the LRAM. With an online (runtime) TFTP download, the device remains online with the old image while the new image is loaded directly to the flash memory.

- BootP process: BootP packets are exchanged to obtain download information. The actual file download of a new firmware image is via TFTP.
BootP would be used when the device has an image failure. The BootP process generally happens without administrative control.


Upgrading Firmware via TFTP

The Trivial File Transfer Protocol (TFTP) is a simple protocol for transferring files, defined by RFC 1350. A TFTP server is a station that is manually configured with the IP address of the device it is serving and the firmware image to be downloaded. To use TFTP, you have to know the file you want to transfer and where it can be found. The TFTP program resides in Boot PROM on the switch and can be used to upgrade firmware by transferring (downloading) a new firmware image either offline or online.


TFTP Offline Method

The offline TFTP download process for upgrading firmware is as follows:
- After initialisation of the TFTP server and settings (via Local Management or a network management tool), the device will reboot with a normal boot-up process.
- After the boot-up process is complete, the device will obtain boot parameters from NVRAM. NVRAM will point to a file to download via TFTP.
- Then the TFTP process will begin and the file is loaded directly into (overwriting) the LRAM.
- Once the TFTP download is complete, the device will erase the contents of flash memory, then compress a copy of the new image and move it to the flash memory.
- Next, the device performs diagnostics and resumes normal operations.

An offline TFTP download must be performed over Ethernet interfaces.


TFTP Online Method

The online TFTP download process for upgrading firmware is as follows:
- The operating image remains in LRAM while the new image is downloaded directly to the flash memory.
- Some older switches will erase the contents of the flash memory. The compressed file will then download directly into flash.
Caution should be taken in this state because, with no image in flash memory, the device would require a BootP if it were reset for any reason.

- Current switches can hold multiple images, so flash is not automatically cleared. There must be room in flash for a new image or the TFTP download will fail.
Example: The DFEs can hold two images; if this is the case, one of the images has to be manually deleted before a new image can be downloaded to flash.

- Once the download is complete, the device will operate using the old image until such time as the device is reset for any reason. Upon reboot, the new image will be utilised via a normal boot-up.
For devices that can hold multiple images, the set boot system command is used to load the new image.


Matrix N-Series

The Matrix N-Series DFEs allow you to download and store up to two image files. There are three ways to download firmware to the N-Series devices:
- An FTP download uses an FTP server connected to the network and downloads the firmware using the FTP protocol.
- A TFTP download uses a TFTP server connected to the network and downloads the firmware using the TFTP protocol.
- An out-of-band download is accomplished via the serial (console) port. By typing the command download, you send the firmware image via the ZMODEM protocol from your terminal emulation application.


SecureStacks

- Firmware may be downloaded using a TFTP server (preferred) or out-of-band via the console port.
- Can store up to 2 images.
- Once firmware is downloaded to the management switch, the management switch automatically pushes the firmware to all switches in the stack.


Download Firmware using CLI

Matrix N-series and SecureStacks
- Use the dir command to show currently stored images plus your saved configurations.
You may have to delete an older image using the delete command before you download a new image.

- The copy command is used to download/upload firmware and configuration files to/from the device:
copy source_filename destination_filename

Operation:
- Upload: Source file is local and destination file is remote
- Download: Source file is remote and destination file is local

File Type:
- Local file: File name is specified
- Remote file: File name is specified prefixed with URL format, for example tftp://172.16.2.10/DFE-P-52604


Download Firmware using CLI

Copying (downloading) an image from a TFTP server to the switch:
copy tftp://172.16.2.10/DFE-P-52604 DFE-P-52604             (DFE)
copy tftp://172.16.2.10/c2-series_03.03.33 system:image     (SecureStack)
dload 172.16.2.10 firmware/images/30712.fls                 (E1)

When an image is downloaded to the DFE or SecureStack, it will not load the new image right away; to do so you have to:
- First tell the switch the image you want it to boot:
show boot system
set boot system filename

- Reset the switch (this can be done immediately or at another time)


Management Security

There are varying levels of security across the product lines to control and monitor management access to the switch hosts. Management security involves controlling which users are allowed to access, monitor, and manage a switch. Features for management security are available from the various Enterasys switching families.
- Control plane features
Login security password
SNMP community name (v1, v2)
SNMP user and password (v3)
Host access control authentication
Secure shell

- Data plane features
802.1X, PWA, MAC-based authentication
ACLs
MAC locking
DoS prevention


Management Security

To secure host management, certain features should be disabled:
- The following features should be disabled because passwords are sent in clear text across the network over these protocols:
Telnet
set telnet disable

SNMP community name (v1, v2)
clear snmp community public

WebView without HTTPS
set webview disable

- As an alternative, the following features should be used:
SNMP v3 user with authentication and encryption
Host access control authentication
Secure shell
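The checks on this slide and the previous one, as an added Python example (not courseware code): it replays a configuration written as CLI commands and reports each clear-text management path still open, naming the slide's fix for each. The one-command-per-line input format, the default-on assumption for Telnet, and the forms of the set ssh and set snmp user lines are assumptions.

```python
"""Audit a switch configuration for the management-security points on the
slides: Telnet, SNMP v1/v2 community names and WebView without HTTPS carry
passwords in clear text and should be disabled; SNMPv3 with authentication
and privacy, SSH and HTTPS-only WebView should be used instead.

Added example, not from the courseware. It assumes the configuration is a
list of CLI commands, one per line, in the forms shown on the slides; the
'set ssh' and 'set snmp user' command forms are assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample of an as-installed configuration (assumption).
INSECURE_CONFIG = """\
set telnet enable
set snmp community public
set snmp community private
set webview enable
set webview port 80
set ssl disable
"""

# The same switch after the slide's recommendations (constructed; the
# passwords are placeholders).
HARDENED_CONFIG = """\
set telnet disable
clear snmp community public
clear snmp community private
set snmp user netops authentication sha AUTH_PASS_PLACEHOLDER privacy PRIV_PASS_PLACEHOLDER
set ssh enabled
set ssl enable
set webview enable ssl-only
"""


@dataclass
class MgmtState:
    telnet: bool = True            # assumption: enabled unless the config disables it
    webview: bool = True           # slide: WebView is enabled by default
    webview_ssl_only: bool = False
    ssl: bool = False
    ssh: bool = False
    communities: set = field(default_factory=set)  # SNMP v1/v2 community names
    v3_users: dict = field(default_factory=dict)   # user -> security options seen


def parse_config(text):
    """Replay the set/clear commands in order; the last command for a setting wins."""
    st = MgmtState()
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] not in ("set", "clear"):
            continue
        verb, args = w[0], w[1:]
        if args[:1] == ["telnet"] and len(args) > 1:
            st.telnet = args[1] == "enable"
        elif args[:1] == ["webview"] and args[1:2] and args[1] in ("enable", "disable"):
            st.webview = args[1] == "enable"
            st.webview_ssl_only = "ssl-only" in args[2:]
        elif args[:1] == ["ssl"] and len(args) > 1:
            st.ssl = args[1] == "enable"
        elif args[:1] == ["ssh"] and len(args) > 1:
            st.ssh = args[1] in ("enable", "enabled")
        elif args[:2] == ["snmp", "community"] and len(args) > 2:
            (st.communities.add if verb == "set" else st.communities.discard)(args[2])
        elif args[:2] == ["snmp", "user"] and len(args) > 2:
            if verb == "set":
                st.v3_users[args[2]] = {k for k in ("authentication", "privacy") if k in args[3:]}
            else:
                st.v3_users.pop(args[2], None)
    return st


def audit(st):
    """Return the findings a reviewer would raise, each with the slide's fix."""
    findings = []
    if st.telnet:
        findings.append("Telnet enabled: passwords cross the network in clear text (set telnet disable)")
    for name in sorted(st.communities):
        findings.append(f"SNMP v1/v2 community '{name}' configured (clear snmp community {name})")
    if st.webview and not (st.webview_ssl_only and st.ssl):
        findings.append("WebView reachable over plain HTTP (set webview disable, or set ssl enable "
                        "and set webview enable ssl-only)")
    if not st.ssh:
        findings.append("SSH not enabled: no encrypted substitute for Telnet")
    if not any({"authentication", "privacy"} <= opts for opts in st.v3_users.values()):
        findings.append("no SNMPv3 user with both authentication and privacy configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(parse_config(cfg)) or ["no findings"])
```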


Enterprise Switching
VLANs

VLAN Planning

Preparing for VLAN Configuration
- Forethought and planning are essential to a successful VLAN implementation. Before attempting to configure a single device for VLAN operation, consider the following:
What is the purpose of the VLAN design? (i.e. security containers, broadcast traffic containment...)
How many VLANs will be required?
What stations (end users, servers, etc.) will belong to them?
What ports on the switch are connected to those stations?
What ports will be configured as GVRP-aware ports?


VLAN Planning

Default VLAN and Number of Supported VLANs
- By default, all ports on all Enterasys switches:
Are assigned to VLAN ID 1
Have their egress list entry on VLAN 1 set to untagged
Have a PVID of 1

- The number of VLANs and the range of VIDs supported varies depending on the device.
- IEEE 802.1Q specifies 4096 VLAN IDs; the allowable user-configurable range for VLAN IDs (VIDs) is from 2 through 4094.
- VID 0 is the null VLAN ID, indicating that the tag header in the frame contains priority info rather than a VLAN identifier.
It cannot be configured as a port VLAN ID (PVID).
- VID 1 is designated as the default PVID.
- VID 4095 is reserved by IEEE.


VLAN Forwarding

Ingress VLAN assignment for received packets
Precedence:
1. 802.1Q VLAN tag (tagged packets only)
2. Policy or Traffic Classification
May overwrite the 802.1Q VLAN tag using tci-overwrite enable
3. Port VID (PVID)

Egress VLAN forwarding for transmitted packets

Unlearned traffic
Destination MAC address of the packet is not in the FDB for the VLAN. The packet is forwarded out of every port on the VLAN's egress list with the specified packet format.

Learned traffic
Destination MAC address of the packet is in the FDB for the VLAN. The packet is forwarded out of the learned port with the specified packet format.


VLAN Configuration

7 steps to configure VLANs:
1. Review existing VLANs
2. Create and name VLANs
3. Assign port VLAN IDs
4. Enable ingress filtering
5. Configure VLAN egress
6. Create management VLAN
7. Enable/disable GVRP Dynamic Egress


1. Review Existing VLANs

Display statically and dynamically configured VLANs on the device
- All VLANs and associated egress lists are displayed
- Static VLANs are administratively configured
- Dynamic VLANs are not configured by the administrator
GVRP automatically configures VLANs on a device
show vlan [static] [vlan-list]       (N/SecureStack)
show vlan [vlan_id | vlan_name]      (E1)

Example:

Matrix N7 Platinum(su)->show vlan 30
VLAN: 30                NAME: SERVERS              Status: Enabled
VLAN Type: Permanent    FID: 30
Creation Time: 30 days 1 hours 10 minutes 14 seconds ago
Egress Ports
  fe.1.2-4,6-7;ge.1.3;rtr.1.1;ge.2.43
Forbidden Egress Ports
  None.
Untagged Ports
  fe.1.3-4,6-7;ge.1.3;ge.2.43


2. Create & Name VLANs

- Create a VLAN and assign a VLAN ID (VID).
This is a numeric ID. The numerical value MUST be within the range supported by the device.
set vlan {create | enable | disable} vlan-list

- You may also assign VLAN names.
This name is for the administrator's use. The name of the VLAN has no effect on the VLAN or its functioning. It is the VLAN ID that counts.
set vlan name vlan-list vlan-name


3. Assign Port VLAN IDs

All Current Switches
When setting a PVID with the set port vlan command, you can also add the port to the VLAN's untagged egress list.
- Example: If you assign ports 1, 5, 8, and 9 to VLAN 44, untagged frames received on those ports can be assigned to VLAN 44. This can be done in one of two ways (the second via a prompt):
Matrix N7 Platinum(su)->set port vlan fe.1.1,5,8-9 44 modify-egress

OR

Matrix N7 Platinum(su)->set port vlan fe.1.1,5,8-9 44
The PVID is used to classify untagged frames as they ingress into a given port. Would you like to add the selected port(s) to this VLAN's untagged egress list and remove them from all other VLANs untagged egress list (y/n) [n]?
NOTE: Choosing 'y' will not remove the port(s) from previously configured tagged egress lists.
y
Matrix N7 Platinum(su)->


5. Configure VLAN Egress

The egress process dictates where the packet is allowed to go.
- The ingress process classifies received frames as belonging to one and only one VLAN.
- The forwarding process looks up learned information in the filtering database to determine where received frames should be forwarded.

Egress determines which ports will be eligible to transmit frames for a particular VLAN.
- VLANs have no egress ports (except VLAN ID 1) until they are configured by static administration or through dynamic mechanisms.
Dynamic mechanisms include GVRP, policy, or Enterasys Dynamic Egress.

- The VLAN egress setting specifies the format of the transmitted packet:
Tagged, untagged, forbidden


5. Configure VLAN Egress

Configuring VLAN egress lists
- Add a port as tagged to a VLAN's egress list if you want it to carry traffic for one or more VLANs, and the device at the other end of the link also supports VLANs.
- If the device at the other end of the link does not support VLANs, then you must add the port as untagged to the VLAN's egress list.

- Each port on the switch is capable of concurrently forwarding both tagged and untagged frames for different VLANs. A single port can be assigned to multiple VLAN egress lists as tagged, untagged, or forbidden. The default frame format is tagged.
set vlan egress vlan-list port-string [untagged | forbidden | tagged]


5. Configure VLAN Egress

Displaying VLAN egress lists
- The show vlan command displays VLANs and associated egress lists.
On Matrix N-series and SecureStack, ports are only displayed if in the forwarding state; a port is not shown when it has:
- No link
- Blocking due to spanning tree
- Membership of a LAG port

Matrix N7 Platinum(su)->show vlan
VLAN: 1                 NAME: DEFAULT VLAN         Status: Enabled
VLAN Type: Permanent    FID: 1
Creation Time: 0 days 0 hours 16 minutes 15 seconds ago
Egress Ports
  host.0.1;fe.1.2-3,5;fe.2.4-6,8-11
Forbidden Egress Ports
  None.
Untagged Ports
  host.0.1;fe.1.2-3;fe.2.5-6,11

- The show vlan static command displays all ports on the VLAN regardless of the forwarding state of the port.
A port that is displayed as an Egress Port and Untagged Port for a VLAN is on this VLAN's egress list as untagged.
A port that is displayed as only an Egress Port for a VLAN is on this VLAN's egress list as tagged.
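The ingress precedence, the PVID assignment with modify-egress, the tagged/untagged/forbidden egress formats and the ingress filtering step from the VLAN slides above, as an added Python model (not courseware code); the class and method names, port names and MAC addresses are constructed.

```python
"""VLAN ingress/egress model of the slides above: ingress precedence (802.1Q tag,
then policy with tci-overwrite, then PVID), the VID rules, 'set port vlan ...
modify-egress' semantics, tagged/untagged/forbidden egress lists, ingress
filtering, and flooding versus learned forwarding through a per-VLAN FDB.
Added example, not courseware code; class and method names are assumptions."""
from dataclasses import dataclass
from typing import Optional

NULL_VID, DEFAULT_VID, RESERVED_VID = 0, 1, 4095

@dataclass(frozen=True)
class Frame:
    src: str                   # source MAC
    dst: str                   # destination MAC
    vid: Optional[int] = None  # 802.1Q VID; None = untagged, 0 = priority-tagged only

class VlanSwitch:
    def __init__(self, ports):
        # slide defaults: every port has PVID 1 and is untagged on VLAN 1's egress list
        self.pvid = {p: DEFAULT_VID for p in ports}
        self.egress = {DEFAULT_VID: {p: "untagged" for p in ports}}  # vid -> port -> format
        self.policy = {}            # port -> VID assigned by policy / traffic classification
        self.tci_overwrite = set()  # ports where policy may overwrite an 802.1Q tag
        self.ingress_filtering = set()
        self.fdb = {}               # (vid, mac) -> learned port

    def create_vlan(self, vid):
        """set vlan create: VID 0 is null, 1 is the default, 4095 is reserved."""
        if not 2 <= vid <= 4094:
            raise ValueError(f"VID {vid} is not user-configurable (2-4094)")
        self.egress.setdefault(vid, {})        # a new VLAN has no egress ports yet

    def set_egress(self, vid, port, fmt):
        """set vlan egress <vid> <port> [untagged | forbidden | tagged]."""
        if fmt not in ("tagged", "untagged", "forbidden"):
            raise ValueError(fmt)
        self.egress[vid][port] = fmt

    def set_port_vlan(self, port, vid, modify_egress=False):
        """set port vlan <port> <vid> [modify-egress]: set the PVID and, if asked, put
        the port on this VLAN's untagged egress list and take it off every other
        VLAN's untagged list (tagged memberships are left alone)."""
        if vid == NULL_VID or vid not in self.egress:
            raise ValueError(f"VID {vid} cannot be used as a PVID")
        self.pvid[port] = vid
        if modify_egress:
            for other, members in self.egress.items():
                if other != vid and members.get(port) == "untagged":
                    del members[port]
            self.egress[vid][port] = "untagged"

    def classify(self, port, frame):
        """Ingress VLAN assignment in the slide's precedence order."""
        policy_vid = self.policy.get(port)
        if frame.vid not in (None, NULL_VID):                # 1. 802.1Q tag
            if policy_vid is not None and port in self.tci_overwrite:
                return policy_vid                            #    (tci-overwrite enable)
            return frame.vid
        if policy_vid is not None:                           # 2. policy
            return policy_vid
        return self.pvid[port]                               # 3. PVID

    def forward(self, in_port, frame):
        """Return {egress port: frame as transmitted}: VID set for tagged egress,
        None for untagged egress."""
        vid = self.classify(in_port, frame)
        members = self.egress.get(vid, {})
        if in_port in self.ingress_filtering and members.get(in_port) not in ("tagged", "untagged"):
            return {}                          # ingress filtering: port not on this VLAN
        self.fdb[(vid, frame.src)] = in_port    # learn the source address
        learned = self.fdb.get((vid, frame.dst))
        if learned is not None:                # learned traffic: only the learned port
            targets = [] if learned == in_port else [learned]
        else:                                  # unlearned traffic: flood the egress list
            targets = [p for p in members if p != in_port]
        out = {}
        for p in targets:
            fmt = members.get(p)
            if fmt in ("tagged", "untagged"):  # forbidden or absent ports never transmit
                out[p] = Frame(frame.src, frame.dst, vid if fmt == "tagged" else None)
        return out

def demo():
    """Re-create the slide scenario: VLAN 44 on ports fe.1.1,5,8-9 plus a tagged
    uplink ge.1.1 (constructed port names and MACs)."""
    sw = VlanSwitch(["fe.1.1", "fe.1.5", "fe.1.8", "fe.1.9", "ge.1.1"])
    sw.create_vlan(44)
    for p in ("fe.1.1", "fe.1.5", "fe.1.8", "fe.1.9"):
        sw.set_port_vlan(p, 44, modify_egress=True)   # like answering 'y' at the prompt
    sw.set_egress(44, "ge.1.1", "tagged")     # uplink carries VLAN 44 tagged
    sw.set_egress(44, "fe.1.9", "forbidden")  # VLAN 44 must never leave this port
    first = sw.forward("fe.1.1", Frame("00:aa", "00:bb"))          # unknown dst: flood
    reply = sw.forward("ge.1.1", Frame("00:bb", "00:aa", vid=44))  # learned dst
    return sw, first, reply
```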


6. Create a Management VLAN

If you are configuring multiple VLANs, it is recommended that you configure a Management VLAN.
- This allows a station connected to the Management VLAN to manage devices.
- It also improves security by preventing device configuration via ports on other VLANs.

The process of assigning a Management VLAN must be repeated on every infrastructure device on the network to ensure each device has a connection to the Management VLAN.
- It is not necessary to configure a physical port for management on each switch.
- Only those switches that will have a management station attached need a physical port assigned to the Management VLAN.


Enterprise Switching
Spanning Tree

Agenda

IEEE 802.1D, Spanning Tree
IEEE 802.1w, Rapid Spanning Tree
IEEE 802.1t (802.1D maintenance)
IEEE 802.1s, Multiple Spanning Trees (MST)
Enterasys Per VLAN Spanning Tree (PVST)
Span Guard
Summary


IEEE 802.1D Spanning Tree

As of 2003, the IEEE 802.1D version of spanning tree was removed from the specification. STP has now been superseded by IEEE 802.1w, Rapid Spanning Tree Protocol (RSTP), and IEEE 802.1s, Multiple Spanning Tree. All Enterasys switches support IEEE 802.1D Spanning Tree. The Matrix N-series and SecureStack support 802.1w/s by default.


IEEE 802.1D Spanning Tree

Calculating the Spanning Tree based on the lowest STP IDs and costs. Always compare these values in this order; if they are equal, move on to the next comparison:
1. Root Bridge ID
2. Path Cost to Root
3. Designated Bridge ID
4. Designated Port ID
5. Root Port ID


IEEE 802.1D Spanning Tree

802.1D Operation
1. Elect a root bridge as the reference point for the network
Bridge with lowest bridge ID becomes the root
Bridge ID = (2 byte Bridge priority + 6 byte Bridge MAC address)
Example: 80-00-00-E0-63-12-34-56 (where 80-00 is the default bridge priority value and 00-E0-63-12-34-56 is the bridge MAC address)

(Figure: the example topology with the Root Bridge marked)


IEEE 802.1D Spanning Tree

802.1D Operation
2. Assign path costs to the links
Path cost value is relative to bandwidth rate (port speed).

(Figure: the Root Bridge topology with link path costs of 4, 19 and 100)

Path Cost to Root Bridge
Bridge ID 80-00:2    4
Bridge ID 80-00:3    4 + 19 = 23
Bridge ID 80-00:4    4
Bridge ID 80-00:5    4 + 19 = 23
Bridge ID 80-00:6    4 + 19 + 100 = 123


IEEE 802.1D Spanning Tree

802.1D Operation
3. Determine the designated bridge for each LAN segment
Lowest path cost to the root bridge
If path costs are equal, the designated bridge is the one with the lower bridge ID

(Figure: the topology with the Root Bridge and Designated Bridge labels)

Bridge 1 is the designated bridge for Bridge 2, Bridge 4
Bridge 2 is the designated bridge for Bridge 3, Bridge 5
Bridge 3 is the designated bridge for Bridge 6


IEEE 802.1D Spanning Tree

802.1D Operation
4. Identify Root Ports and Designated Ports
Root Port: The bridge port that provides the best path to the root
Designated Port: A port that provides forwarding of configuration BPDUs

(Figure: the Root Bridge topology with the port roles below marked on each bridge)
Bridge ID=80-00:2  Root Port 80-1  Designated Ports 80-2, 80-3
Bridge ID=80-00:3  Root Port 80-1  Designated Ports 80-2, 80-3
Bridge ID=80-00:4  Root Port 80-1  Designated Port 80-2
Bridge ID=80-00:5  Root Port 80-2  Designated Port 80-3  (remaining port 80-1)
Bridge ID=80-00:6  Root Port 80-3  Designated Port 80-1  (remaining port 80-2)


IEEE 802.1D Spanning Tree

802.1D Operation
5. Resolve loops by placing redundant ports in a blocking state
Determine root & designated ports
Redundant ports are placed into BLOCKING state

(Figure: the same topology with the redundant ports blocked)
Bridge ID=80-00:2  Root Port 80-1  Designated Ports 80-2, 80-3
Bridge ID=80-00:3  Root Port 80-1  Designated Ports 80-2, 80-3
Bridge ID=80-00:4  Root Port 80-1  Designated Port 80-2
Bridge ID=80-00:5  Root Port 80-2  Designated Port 80-3  Blocking 80-1
Bridge ID=80-00:6  Root Port 80-3  Designated Port 80-1  Blocking 80-2


IEEE 802.1D Spanning Tree

6. Maintaining the topology
Hello timer
Max Age timer
Forward Delay timer

STA Bridge Port States

Blocking
Not participating in frame transmission. Continues to monitor for management and STA information (still receives BPDUs).

Listening
Only processes frames addressed to it. Listens to BPDUs to ensure no loops occur on the network. BPDUs received shall be processed, as required by the STA.

Learning
Bridge is passively building its SAT but does not forward frames.

Forwarding
Able to send and receive data. Participating in frame transmission.


IEEE 802.1D Spanning Tree

802.1D Operation Summary
Elect a root bridge: Bridge 1
Assign path costs to the links:
Bridge ID 2 has path cost of 4
Bridge ID 3 has path cost of (4 + 19) = 23
Bridge ID 4 has path cost of 4
Bridge ID 5 has path cost of (4 + 19) = 23
Bridge ID 6 has path cost of (4 + 19 + 100) = 123

Determine the designated bridge:
Bridge 1 is the designated bridge for Bridge 2, Bridge 4
Bridge 2 is the designated bridge for Bridge 3, Bridge 5
Bridge 3 is the designated bridge for Bridge 6
Bridge 4, Bridge 5, and Bridge 3 are the designated bridges for all respective downstream links

Identify root and designated ports & block redundant links: as shown in the slide figure
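The five-step 802.1D computation summarised above, carried out in code as an added Python example (not courseware code). Bridge 1 uses the slide's example bridge ID; the MACs of bridges 2 to 6 and the two blocked cost-100 links are assumptions chosen to reproduce the slide's path costs, and the tie for Bridge 6 (123 via Bridge 3 or via Bridge 5) shows the designated-bridge-ID comparison deciding the root port.

```python
"""802.1D spanning tree computation as the slides describe it: bridge IDs
compared as (2-byte priority + 6-byte MAC), root election, root path costs,
the designated bridge per segment (lowest path cost, then lowest bridge ID),
and root/designated/blocked port roles.

Added example, not code from the courseware. The six-bridge topology
re-creates the slide example (Bridge 1 is the root; path costs 4, 23, 4, 23
and 123); the two extra cost-100 links that the diagram shows as blocked
are an assumption, and the MAC addresses of bridges 2-6 are constructed.
"""
INF = float("inf")


def bridge_id(priority_hex, mac):
    """Bridge ID = 2-byte priority followed by the 6-byte MAC; lower wins.
    bridge_id('80-00', '00-E0-63-12-34-56') is the slide's example ID."""
    return int((priority_hex + mac).replace("-", "").replace(":", ""), 16)


def port_id(number, priority=0x80):
    """Port ID = port priority (0x80 by default) followed by the port number,
    so '80-3' on the slides is port_id(3)."""
    return (priority << 8) | number


def spanning_tree(bridges, links):
    """bridges: name -> bridge ID.  links: [(bridge_a, bridge_b, path_cost), ...],
    each link one LAN segment with one port per attached bridge; port numbers
    are assigned per bridge in the order its links appear.
    Returns (root, root_path_cost, roles) with roles[bridge][link_index] in
    {'root', 'designated', 'blocked'}."""
    ports = {b: {} for b in bridges}               # bridge -> link index -> port ID
    for i, (a, b, _) in enumerate(links):
        for name in (a, b):
            ports[name][i] = port_id(len(ports[name]) + 1)

    root = min(bridges, key=bridges.get)           # step 1: lowest bridge ID
    cost = {b: (0 if b == root else INF) for b in bridges}
    root_port = {b: None for b in bridges}

    changed = True                                 # steps 2 and 4: settle root path
    while changed:                                 # costs and root ports, like BPDUs
        changed = False                            # propagating until nothing changes
        for b in bridges:
            if b == root:
                continue
            best = None
            for i in ports[b]:
                a, c, seg_cost = links[i]
                nb = c if a == b else a            # bridge at the other end
                if cost[nb] == INF:
                    continue
                # compare in the slide's order: path cost to root, designated
                # bridge ID, designated port ID, then the receiving port ID
                cand = (cost[nb] + seg_cost, bridges[nb], ports[nb][i], ports[b][i], i)
                if best is None or cand < best:
                    best = cand
            if best is not None and (cost[b], root_port[b]) != (best[0], best[4]):
                cost[b], root_port[b] = best[0], best[4]
                changed = True

    roles = {b: {} for b in bridges}               # steps 3 and 5
    for i, (a, b, _) in enumerate(links):
        # designated bridge for the segment: lowest root path cost, then lowest ID
        designated = min((a, b), key=lambda n: (cost[n], bridges[n]))
        for n in (a, b):
            if root_port[n] == i:
                roles[n][i] = "root"
            elif n == designated:
                roles[n][i] = "designated"
            else:
                roles[n][i] = "blocked"            # redundant port: BLOCKING state
    return root, cost, roles


def slide_topology():
    """Bridges 1-6 with default priority 80-00; Bridge 1 carries the slide's
    example MAC, the others constructed MACs one step higher each."""
    bridges = {n: bridge_id("80-00", f"00-E0-63-12-34-{0x56 + n - 1:02X}")
               for n in range(1, 7)}
    links = [(1, 2, 4), (1, 4, 4), (2, 3, 19), (2, 5, 19), (3, 6, 100),
             (4, 5, 100), (5, 6, 100)]            # last two: assumed redundant links
    return bridges, links


if __name__ == "__main__":
    root, cost, roles = spanning_tree(*slide_topology())
    print("root bridge:", root)
    for b in sorted(cost):
        print(f"bridge {b}: path cost {cost[b]}, port roles {roles[b]}")
```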



802.1w, Rapid Spanning Tree

IEEE 802.1w, Rapid Reconfiguration Spanning Tree (RSTP), is built upon the original IEEE 802.1D Spanning Tree Protocol parameters.

IEEE 802.1w and IEEE 802.1D Spanning Tree algorithms will interoperate.
- An RSTP switch detects the STP version when it is connected to an 802.1D STP switch.
- When the RSTP port is initialized, it transmits RSTP Bridge Protocol Data Units (BPDUs) for three seconds; it then transitions to sending STP BPDUs if it receives STP BPDUs.


802.1w, Rapid Spanning Tree

Enhancements of Rapid Reconfiguration Spanning Tree
- Port Roles implemented through the use of State Machines, so a Bridge can quickly transition a new Root Port to the Forwarding State without long reconvergence.
- Shifts to Per-Port Spanning Tree, rather than 802.1D Bridge Spanning Tree.
- Topology Change Notifications can now be advertised downstream (unlike 802.1D).
- Layer 2 MAC parameters are used to detect link status.
- Rapid-STA information is aged faster (3 x Hello).
- Interoperates with 802.1D STP.


802.1w, Rapid Spanning Tree

Port Roles:
- Root Port: The one port that is used to connect to the Root Bridge.
The Root Port is elected based on its least path cost to the Root Bridge.
- Alternate Port: Any redundant upstream port that provides an alternate path to the Root Bridge (other than the Root Port).
- Designated Port: Any downstream port that provides a path back to the Root Bridge for a downstream bridge.
- Backup Port: A port that acts as a redundant Designated Port for a downstream bridge.
- Edge Port: A port that has no other bridges connected to it (i.e. a user port).
This is automatically configured by the Bridge Detection State Machine (802.1t Clause 18).


802.1w, Rapid Spanning Tree

Port Roles and Forwarding
Ports in Root & Designated port roles are part of the Active Spanning Tree Topology
- These ports are forwarding traffic

Ports in Alternate & Backup port roles are not part of the Active Spanning Tree
- They provide redundant fail-over connectivity in the event of a failed Root or Designated Port

Port States
RSTP eliminates the Listening and Blocking Port States found in 802.1D STP. Valid RSTP Port States:
- Forwarding, Learning, Discarding

(Figure: topology with ports labelled R (Root), D (Designated), A (Alternate) and B (Backup))



IEEE 802.1s, Multiple Spanning Trees (MST)

The original 802.1D standard treats the overall topology as a single network, while switches treat VLANs as completely separate networks.
- IEEE 802.1s is a supplement to IEEE 802.1Q
- Ability to map 1 or more VLANs to each spanning tree instance
- MST is built on top of 802.1w Rapid Reconfiguration
- Enterasys has adopted 802.1s in place of PVST

802.1s is supported on the following platforms:
- Matrix N-Series
- SecureStack


IEEE 802.1s, Multiple Spanning Trees (MST)

802.1s Objectives
- Principal objective: to increase bandwidth utilisation
To allow frames assigned to different VLANs to follow different data routes
To allow ports to block for some Spanning Trees and forward for others
To have every ISL (Inter Switch Link) in the topology forwarding for at least one spanning tree

- The ability to create Spanning Tree instances for each VLAN.

- Fault tolerant network design with automatic reconfiguration


IEEE 802.1s, Multiple Spanning Trees (MST)

(Figure comparing two topologies. 802.1D/w: a single root, over-utilized bandwidth on the active links and non-utilized bandwidth on the redundant, blocked links. 802.1s: separate roots for VLAN Green, VLAN Blue and VLAN Red, giving an excellent balance of bandwidth utilization. Legend: VLAN Green, VLAN Blue, VLAN Red, Blocked Port, Data Flow.)


Span Guard

Span Guard is designed to increase security & reliability.

Supported Platforms
- Matrix N-Series (Gold, Platinum)
- All SecureStacks
- D, G and I Series

User devices have no need to run STA protocols
- User ports should never receive or transmit STA PDUs
- An unauthorized device can attack the network using STA PDUs

Enabling Span Guard on user ports
- Prevents spanning tree respans when a BPDU is received on a user port
- Notifies network management that they were attempted (via a trap)


Span Guard

STP Attack Mitigation with Span Guard

With Span Guard enabled:
- If a SpanGuard enabled port receives a BPDU, the port will be locked and will transition to the Blocking state.
- A SpanGuard enabled port will transition out of the Blocking state after a globally specified time or when it is manually unlocked.

Advantages of SpanGuard:
- Spoofed BPDUs will NOT cause Spanning Tree Topology Changes or Re-Spans.
- A Spoofed BPDU attack will be detected and the administrator will be notified.
set spantree spanguardtrapenable {disable | enable}
- Accidental addition of a repeater, or a bridged repeater or PC, will not bring down the network.



Enterprise Switching
Link Aggregation

Agenda

IEEE 802.3ad Link Aggregation
SmartTrunking
Product-specific information
Recommended Practices
Summary


Introduction

Link Aggregation, SmartTrunking and other port aggregation algorithms are all methods of:
- Bonding together two or more data channels into a single channel that appears as a single, higher-bandwidth, logical link.
- Cost-effective way to implement increased bandwidth.
- Provides redundancy and fault tolerance.

Link aggregation makes multiple physical links appear as a single logical link to Spanning Tree.


IEEE 802.3ad Link Aggregation

IEEE 802.3ad Link Aggregation is a standards-based method of dynamically grouping multiple physical ports on a network device into one logical link. The IEEE 802.3ad protocol allows the switch to:
- determine which links are eligible to aggregate
- configure them automatically

Link Aggregation is supported on full duplex Ethernet ports:
- 10Mbps,
- 100Mbps,
- 1000Mbps.


IEEE 802.3ad Link Aggregation

Key Benefits
- By taking multiple LAN connections and treating them as a unified aggregated logical link, you can achieve practical benefits in many applications.
- The key benefits of IEEE 802.3ad Link Aggregation are:
Dynamic configuration: Determines which links are eligible for aggregation, configures them automatically, and provides rapid reconfiguration.
Higher link availability: The failure of a single link affects only that single link.
Increased bandwidth: The capacity of an aggregated link is higher than an individual link alone.
Support of existing IEEE 802.3 MAC clients: Requires no change to higher-layer protocols or applications.
Backwards compatible with 802.3ad-unaware devices: Links that cannot take part in Link Aggregation operate as normal, individual IEEE 802.3 links.


Link Aggregation Control Protocol

Link Aggregation Control Protocol (LACP)
- Allows communication of aggregation capabilities between switches, and automatic configuration of links between a switch and its link partner.
- Maintains configuration information (reflecting the inherent properties of the individual links, as well as those manually established by management) to control aggregation.
- LACP exchanges configuration information with other devices to allocate the link to a Link Aggregation Group (LAG).
A given link is allocated to, at most, one LAG at a time.


802.3ad Terminology

Link Aggregation Group (LAG): The name used to refer to a logical grouping of individual ports.
Aggregation system: An arbitrary grouping of one or more ports for the purpose of aggregation.
Aggregation keys: Parameters identifying which ports can be aggregated together.
Marker Protocol: Allows the data distribution function a means of determining the point at which a given set of conversations can safely be reallocated from one link to another, without the danger of causing frames in those conversations to be mis-ordered.
Actor: The local device in a Link Aggregation Control Protocol (LACP) exchange.
Partner: The remote device in an LACP exchange.


Link Aggregation Scenarios

There are three scenarios in which link aggregation may be useful in a network, as described below.
Switch-to-switch connections: Multiple ports on a switch are joined to form an aggregated link. Aggregation of multiple links achieves higher speed connections between switches without hardware upgrade.

Switch-to-station (server or router) connections: Many server platforms can saturate a single 100 Mbps link, so link capacity limits overall system performance. You can aggregate switch-to-station connections to improve performance.
Station-to-station connections: Though not a common configuration, you can also aggregate directly between two end stations.


Link Aggregation Rules


Rules & Recommendations:
- Ports must be running full duplex to aggregate.
- A link aggregation cannot be split among systems. Logically, it is a single pipe and, as such, is treated as a single point-to-point connection.
- Link Aggregation is supported only on links using the IEEE 802.3 MAC.
- All links in a LAG must operate at the same data rate.
- A given port will bind to, at most, a single Aggregator at any time. A MAC client is also served by one Aggregator at a time.

IEEE 802.3ad is supported on:


- Matrix N-Series
- SecureStack
- D, G and I Series


Agenda

IEEE 802.3ad Link Aggregation
SmartTrunking
Product-specific information
Recommended Practices
Summary


Product Specific Information


LACP State
- By default, LACP is enabled globally and per port on all Enterasys platforms
- LACP can be disabled globally and per port:
set lacp disable
set port lacp port port-string disable

VLAN Configuration
- By default, all LAG ports are on VLAN 1's egress list as untagged, with a PVID equal to 1
Matrix N7 Platinum(su)->show vlan static
VLAN: 1  NAME: DEFAULT VLAN  Status: Enabled
VLAN Type: Permanent  FID: 1
Creation Time: 0 days 0 hours 13 minutes 3 seconds ago
Egress Ports
lag.0.1-48;host.0.1;fe.1.1-48;ge.1.1-6
Forbidden Egress Ports
None.
Untagged Ports
lag.0.1-48;host.0.1;fe.1.1-48;ge.1.1-6


Product Specific Information

Displaying LAG Port Settings:


- Virtual LAG port parameters with underlying physical ports:
show lacp lag-port-string

Matrix N7 Platinum(su)->show lacp lag.0.1
Global Link Aggregation state: enabled
Single Port LAGs: disabled
Aggregator: lag.0.1
                    Actor                  Partner
System Identifier:  00:e0:63:6b:20:0a      00:01:f4:b6:10:41
System Priority:    32768                  1
Admin Key:          32768
Oper Key:           32768                  4
Attached Ports:     fe.1.1-2


Product Specific Information


Displaying Physical Port LACP Settings:
- Physical port parameters for a virtual LAG port
show port lacp port port-string {[status {detail | summary}] | [counters]} [sort {port | lag}]

Matrix N7 Platinum(su)->show port lacp port fe.1.1 status detail
Global Link Aggregation state : enabled
Port Instance:        fe.1.1             Port enable state:            Enabled
ActorPort:            64                 PartnerAdminPort:             64
ActorSystemPriority:  32768              PartnerOperPort:              31
ActorPortPriority:    32768              PartnerAdminSystemPriority:   32768
ActorAdminKey:        32768              PartnerOperSystemPriority:    1
ActorOperKey:         32768              PartnerAdminPortPriority:     32768
ActorAdminState:      -----GlA           PartnerOperPortPriority:      1
ActorOperState:       --DCSGlA           PartnerAdminKey:              64
ActorSystemID:        00-e0-63-6b-20-0a  PartnerOperKey:               4
SelectedAggID:        lag.0.1            PartnerAdminState:            --DCS-lp
AttachedAggID:        lag.0.1            PartnerOperState:             --DCSGlA
MuxState:             Distributing       PartnerAdminSystemID:         00-00-00-00-00-00
DebugRxState:         Current            PartnerOperSystemID:          00-01-f4-b6-10-41
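The two-column status block above is what an operator reads to confirm that a physical port is really forwarding as part of its LAG. The following Python script, added here as an example and not taken from the Enterasys courseware, parses a copy of that output (the values are the slide's, the layout was re-typed by hand) and reports the conditions a healthy member must meet: SelectedAggID and AttachedAggID agree, MuxState is Distributing, both actor and partner operational states carry the S, C and D flags, and the partner's operational System ID is not all zeros (which would mean no LACPDUs have been received and the port is running on defaulted partner information). The flag decoding assumes the letters follow the 802.3ad bit order; only the 'A'/'p' and 'l' positions are confirmed by the slide.

```python
import re

# Constructed sample, laid out by hand from the values in the
# "show port lacp port fe.1.1 status detail" output on the slide.
SAMPLE_STATUS = """\
Global Link Aggregation state : enabled
Port Instance:        fe.1.1             Port enable state:            Enabled
ActorPort:            64                 PartnerAdminPort:             64
ActorSystemPriority:  32768              PartnerOperPort:              31
ActorPortPriority:    32768              PartnerAdminSystemPriority:   32768
ActorAdminKey:        32768              PartnerOperSystemPriority:    1
ActorOperKey:         32768              PartnerAdminPortPriority:     32768
ActorAdminState:      -----GlA           PartnerOperPortPriority:      1
ActorOperState:       --DCSGlA           PartnerAdminKey:              64
ActorSystemID:        00-e0-63-6b-20-0a  PartnerOperKey:               4
SelectedAggID:        lag.0.1            PartnerAdminState:            --DCS-lp
AttachedAggID:        lag.0.1            PartnerOperState:             --DCSGlA
MuxState:             Distributing       PartnerAdminSystemID:         00-00-00-00-00-00
DebugRxState:         Current            PartnerOperSystemID:          00-01-f4-b6-10-41
"""

# "Label: value" pairs; two pairs share one line in the two-column layout.
FIELD_RE = re.compile(r"([A-Za-z ]+?)\s*:\s+(\S+)")

def parse_status(text):
    """Flatten the two-column status block into a dict of label -> value."""
    fields = {}
    for line in text.splitlines():
        for label, value in FIELD_RE.findall(line):
            fields[label.strip()] = value
    return fields

def decode_state(flags):
    """Decode an 8-character state string such as --DCSGlA.

    The rightmost character is the LACP_Activity bit (A = active, p = passive)
    and the next one the timeout bit (l = long); both are visible on the slide.
    The remaining positions are assumed to follow the 802.3ad bit order
    (Aggregation, Synchronization, Collecting, Distributing, Defaulted, Expired),
    with '-' meaning the bit is clear.
    """
    if len(flags) != 8:
        raise ValueError("expected 8 flag characters, got %r" % flags)
    f = flags[::-1]  # index 0 is now the lowest-order bit
    return {
        "active": f[0] == "A",
        "short_timeout": f[1] not in "-l",
        "aggregatable": f[2] != "-",
        "in_sync": f[3] != "-",
        "collecting": f[4] != "-",
        "distributing": f[5] != "-",
        "defaulted": f[6] != "-",
        "expired": f[7] != "-",
    }

def lag_findings(fields):
    """Return a list of reasons why this port is not a healthy LAG member."""
    findings = []
    if fields.get("Global Link Aggregation state") != "enabled":
        findings.append("LACP is disabled globally")
    if fields.get("SelectedAggID") != fields.get("AttachedAggID"):
        findings.append("port selected for one aggregator but attached to another")
    if fields.get("MuxState") != "Distributing":
        findings.append("MuxState is %s, port is not forwarding on the LAG" % fields.get("MuxState"))
    for side in ("Actor", "Partner"):
        state = decode_state(fields.get(side + "OperState", "--------"))
        for bit in ("in_sync", "collecting", "distributing"):
            if not state[bit]:
                findings.append("%s operational state lacks %s" % (side, bit))
        if state["defaulted"] or state["expired"]:
            findings.append("%s operational state is defaulted/expired" % side)
    if fields.get("PartnerOperSystemID", "00-00-00-00-00-00") == "00-00-00-00-00-00":
        findings.append("no LACPDUs received from a partner (operational partner ID is all zeros)")
    return findings

if __name__ == "__main__":
    for finding in lag_findings(parse_status(SAMPLE_STATUS)) or ["fe.1.1 is a healthy member of its LAG"]:
        print(finding)
```

Running the script over the slide's output prints a single healthy line; feeding it output in which the partner System ID is still all zeros produces the LACPDU finding, which is the symptom of a cable plugged into a port whose far end is not running LACP.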


Product Specific Information


Static LAG Ports
- For aggregating ports that do not support IEEE 802.3ad, static LAGs may be configured
- LACP is not used to aggregate ports for static LAG ports
- Used with IDS mirroring as the virtual LAG destination port


Product Specific Information


Matrix N-Series
- Supports the IEEE 802.3ad standard
- Each N-Series Platinum DFE module reserves 48 virtual link aggregator ports, shown in the CLI as lag.0.1 through lag.0.48
- The N-Series Gold DFE modules reserve 24 virtual link aggregator ports, shown in the CLI as lag.0.1 through lag.0.24
When a physical port joins a LAG, the physical port is displayed as dormant in the show port status command

- Supports three different spreading algorithms:
DIP-SIP (default)
DMAC-SMAC
Round robin
set lacp outportAlgorithm [ dip-sip | da-sa | round-robin ]

- Supports flow regeneration for virtual LAG port changes:


set lacp flowRegeneration [enable | disable ]
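To make the difference between the three spreading algorithms concrete, here is an added Python model (not Enterasys code; the real ASIC hash is vendor specific and SHA-256 is used only as a stand-in, and the fallback of DIP-SIP to the MAC pair for non-IP frames is an assumption). It distributes a constructed set of frames over a four-port LAG with each algorithm and checks whether every frame of a conversation stays on one link, which is the property that keeps conversations ordered and the reason the Marker Protocol from the terminology slide exists at all.

```python
import hashlib

# Constructed four-port LAG used by the examples below.
LAG_MEMBERS = ["fe.1.1", "fe.1.2", "fe.1.3", "fe.1.4"]

def _pick(keys, members):
    """Hash the selected header fields onto one member port.

    Hashing is what keeps every frame of one conversation on the same link;
    the real ASIC hash is vendor specific, SHA-256 here is only a stand-in.
    """
    digest = hashlib.sha256("|".join(keys).encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]

def da_sa(frame, members):
    """DMAC-SMAC: the MAC address pair decides the link."""
    return _pick([frame["smac"], frame["dmac"]], members)

def dip_sip(frame, members):
    """DIP-SIP (the N-Series default): IP source/destination decide the link.

    Non-IP frames carry no IP header, so this model falls back to the MAC
    pair for them (an assumption, not documented on the slide).
    """
    if "sip" in frame and "dip" in frame:
        return _pick([frame["sip"], frame["dip"]], members)
    return da_sa(frame, members)

class RoundRobin:
    """Round robin: each frame goes to the next link regardless of its flow."""
    def __init__(self):
        self.next = 0
    def __call__(self, frame, members):
        port = members[self.next % len(members)]
        self.next += 1
        return port

def distribute(frames, selector, members=LAG_MEMBERS):
    """Return {member port: [frame ids]} for the given spreading algorithm."""
    out = {m: [] for m in members}
    for frame in frames:
        out[selector(frame, members)].append(frame["id"])
    return out

def conversation_is_ordered(frames, selector, members=LAG_MEMBERS):
    """True when all frames of every conversation (same flow key) use one link,
    which is what prevents mis-ordering without a marker exchange."""
    link_for_flow = {}
    for frame in frames:
        key = (frame["smac"], frame["dmac"], frame.get("sip"), frame.get("dip"))
        link = selector(frame, members)
        if link_for_flow.setdefault(key, link) != link:
            return False
    return True

# Constructed traffic: two IP conversations of four frames each, plus one ARP broadcast.
SAMPLE_FRAMES = (
    [{"id": i, "smac": "00:00:5e:00:53:01", "dmac": "00:00:5e:00:53:02",
      "sip": "192.0.2.10", "dip": "198.51.100.7"} for i in range(4)]
    + [{"id": i, "smac": "00:00:5e:00:53:03", "dmac": "00:00:5e:00:53:02",
        "sip": "192.0.2.11", "dip": "198.51.100.7"} for i in range(4, 8)]
    + [{"id": 8, "smac": "00:00:5e:00:53:04", "dmac": "ff:ff:ff:ff:ff:ff"}]
)

if __name__ == "__main__":
    for name, selector in (("dip-sip", dip_sip), ("da-sa", da_sa), ("round-robin", RoundRobin())):
        print(name, distribute(SAMPLE_FRAMES, selector),
              "ordered:", conversation_is_ordered(SAMPLE_FRAMES, selector))
```

The hash-based algorithms keep each conversation on one link but can load the links unevenly (two flows may hash to the same member), while round robin spreads perfectly and splits every conversation across links. That trade-off is why DIP-SIP is the default and round robin is the choice only where reordering is acceptable.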


Product Specific Information

SecureStack
- Supports the IEEE 802.3ad standard
LAG ports can be spread across the stack

- Capacity
SecureStack C2/C3, B2/B3
- Supports up to 6 LAGs per stack, shown in the CLI as lag.0.1 through lag.0.6
- Supports up to 8 ports per LAG

SecureStack A2
- Supports up to 6 LAGs per stack, shown in the CLI as lag.0.1 through lag.0.6
- Supports up to 4 ports per LAG


Product Specific Information


LAG Port Considerations
- When physical ports form a LAG port, the physical port settings do not translate into logical port settings for the LAG port
Matrix N7 Platinum(su)->show config vlan
begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
!
# vlan
set vlan create 333
set vlan egress 333 fe.1.1-4 untagged

Matrix N7 Platinum(su)->show lacp lag.0.1
Global Link Aggregation state: enabled
Aggregator: lag.0.1
                    Actor                  Partner
System Identifier:  00:e0:63:6b:20:8a      00:01:f4:c1:5e:01
System Priority:    32768                  1
Admin Key:          32768
Oper Key:           32768                  1
Attached Ports:     fe.1.1-4

Matrix N7 Platinum(su)->show vlan 333
VLAN: 333  NAME:  Status: Enabled
VLAN Type: Permanent  FID: 333
Creation Time: 0 days 2 hours 27 minutes 43 seconds ago
Egress Ports
None.
Forbidden Egress Ports
None.
Untagged Ports
None.

- All physical ports in a LAG will remain part of the virtual LAG port until only one port is operational in the group
The remaining port will then revert to its physical port settings unless the single port LAG feature is enabled on the device


Recommended Practices
VLAN configuration
- Configure the VLAN egress and PVID settings for a virtual LAG port and all of the underlying physical ports identically
This accounts for the situation where all but one port in the LAG become inoperative
Matrix N7 Platinum(su)->set vlan egress 333 lag.0.1 tagged
Matrix N7 Platinum(su)->set vlan egress 333 fe.1.1-4 tagged
Matrix N7 Platinum(su)->set port vlan lag.0.1 5
Matrix N7 Platinum(su)->set port vlan fe.1.1-4 5
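A practical way to enforce this rule is to audit the configuration rather than trust memory. The Python script below is an added example and is not part of the courseware: it reads set vlan egress and set port vlan lines in the form used on these slides, expands port-strings such as fe.1.1-4, and compares each physical member's egress list and PVID with those of its LAG port. The LAG membership table is taken from the Attached Ports line of the earlier show lacp lag.0.1 output; the mismatches it reports for the earlier non-default configuration are exactly the situation this recommended practice prevents.

```python
import re
from collections import defaultdict

def expand_ports(spec):
    """Expand an Enterasys port-string such as fe.1.1-4 or lag.0.1;ge.1.6 into a list."""
    ports = []
    for item in spec.split(";"):
        m = re.fullmatch(r"([a-z]+\.\d+\.)(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError("unrecognised port-string: %r" % item)
        prefix, low = m.group(1), int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        ports.extend("%s%d" % (prefix, n) for n in range(low, high + 1))
    return ports

def parse_vlan_config(text):
    """Collect egress membership and PVID per port from 'set vlan egress' and
    'set port vlan' lines (the two command forms used on the slides)."""
    egress = defaultdict(dict)   # port -> {vlan id: "tagged" | "untagged"}
    pvid = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"set vlan egress (\d+) (\S+) (tagged|untagged)", line)
        if m:
            for port in expand_ports(m.group(2)):
                egress[port][int(m.group(1))] = m.group(3)
            continue
        m = re.fullmatch(r"set port vlan (\S+) (\d+)", line)
        if m:
            for port in expand_ports(m.group(1)):
                pvid[port] = int(m.group(2))
    return egress, pvid

def lag_vlan_mismatches(egress, pvid, lag_members, default_pvid=1):
    """Report every physical member whose egress list or PVID differs from its LAG port."""
    problems = []
    for lag, members in lag_members.items():
        lag_egress, lag_pvid = egress.get(lag, {}), pvid.get(lag, default_pvid)
        for port in members:
            if egress.get(port, {}) != lag_egress:
                problems.append("%s egress %s differs from %s egress %s"
                                % (port, egress.get(port, {}), lag, lag_egress))
            if pvid.get(port, default_pvid) != lag_pvid:
                problems.append("%s PVID %d differs from %s PVID %d"
                                % (port, pvid.get(port, default_pvid), lag, lag_pvid))
    return problems

# Attached Ports from the show lacp lag.0.1 output on the LAG Port Considerations slide.
LAG_MEMBERS = {"lag.0.1": ["fe.1.1", "fe.1.2", "fe.1.3", "fe.1.4"]}

# The non-default configuration shown on that slide: only the physical ports were changed.
INCONSISTENT_CONFIG = "set vlan create 333\nset vlan egress 333 fe.1.1-4 untagged\n"

# The recommended-practice commands from this slide.
CONSISTENT_CONFIG = """\
set vlan create 333
set vlan egress 333 lag.0.1 tagged
set vlan egress 333 fe.1.1-4 tagged
set port vlan lag.0.1 5
set port vlan fe.1.1-4 5
"""

def audit(config_text, lag_members=LAG_MEMBERS):
    """Parse a configuration and return the list of LAG/member mismatches."""
    return lag_vlan_mismatches(*parse_vlan_config(config_text), lag_members)

if __name__ == "__main__":
    print("before:", audit(INCONSISTENT_CONFIG))
    print("after: ", audit(CONSISTENT_CONFIG))
```

Feeding the script the output of show config vlan before a change window gives a list of ports that would silently change VLAN membership the moment a LAG collapses to its last link.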



Enterprise Switching
Traffic Management

Agenda
Traffic Management Overview
Analyse network traffic
- Port and VLAN mirroring
Reduce unwanted traffic
- Broadcast suppression
- MAC Locking
- Flow Setup Throttling


Traffic Management Overview


Traffic Management is:
- Control and allocation of bandwidth
- Reduction in network delays
- Minimization of network congestion

Traffic Management encompasses:
- Management of network capacity
- Measuring and modelling network traffic
- Analysing network performance


Traffic Management Overview

Traffic Management - Action Steps:
- Analyse network traffic
- Throttle broadcast traffic
- Reduce unwanted traffic
- Rate limit traffic to allocate bandwidth where needed
- Manage the network traffic to deliver Quality of Service (QoS)
Classify traffic using Layer 2, 3, or 4 criteria for prioritization, VLAN assignment, allowing and/or discarding
- Prioritise delay-sensitive traffic using prioritisation classification rules
- Eliminate unwanted/malicious traffic using discard classification rules
Mark prioritised traffic to indicate the forwarding treatment packets receive at each network device along the transmission path
Specify the forwarding treatment to prioritise, shape and police packet transmission
- Increase available bandwidth



Analyse Network Traffic


Managing traffic requires knowledge about the types of traffic being generated. Network analysers (sniffers or probes) capture packet and frame information.
- In shared environments, a sniffer sees all traffic present on a LAN segment
- In switched environments, a sniffer sees only traffic present on the port to which it is attached

Mirroring ports or VLANs permits the copying of traffic to a specified port
- A sniffer is connected to this port
- Allows capture and analysis of traffic on a specific switch port



Analyse Network Traffic - Port Mirroring

A feature supported on all Enterasys switches
Allows you to map a source port to a destination port
Copies the bit stream from a source port to a destination port
Receive traffic only, transmit traffic only, or both

Utilize an RMON probe (statistics analyser) or a network analyser (sniffer) for analysis
Implement an Intrusion Detection System (IDS) for detecting security events
In most implementations, errored frames are not mirrored
Many-to-one port mirroring is supported on all platforms
One-to-many mirroring is not supported on all platforms

[Figure: Rx and Tx traffic of a source port copied to the mirror destination port]

Physical ports, logical ports, and backplane ports may be mirrored:
To another physical port locally
To another board's port in the chassis (Matrix N-series)
To another device's port in the stack (SecureStack)

Can create bottlenecks


Analyse Network Traffic - VLAN Mirroring

A feature not supported on all Enterasys switches
Mirrors all VLAN traffic to a specified destination port
- Traffic within a given VLAN can be analysed at one connection point

[Figure: Rx and Tx traffic of VLAN X copied to the mirror destination port]

Can create bottlenecks
- Traffic is discarded if the target port is oversubscribed
- Many-to-one mapping allows multiple VLANs to be sent to a specified destination port

Frame format option is available on a per-instance basis



Broadcast Suppression
Two ways to reduce or contain broadcast traffic in a network:
- Segment using VLANs - Use broadcast suppression

Broadcast Suppression Functionality
- Regulates flow of broadcast traffic through the network
- Restricts number of received broadcast frames allowed to be transmitted
- Protects against broadcast storms
- Configuration is on the switch and occurs at the CPU
Port broadcasts all frames
Limiting occurs when the CPU sees the packets coming from the source port

Enterasys switches suppress broadcast packets exceeding a user-configured limit
- Uses thresholds measured on the basis of packet frequency

[Figure: a PC sends broadcast frames (FF) through a switch to a second switch; labels read "Broadcast suppression is configured here." at the switch and "Broadcast suppression occurs here." at its CPU]



Broadcast Suppression
Matrix N-series
- Disabled by default
- Threshold value sets the packets-per-second threshold on broadcast traffic. The minimum value is 1 pps. The maximum value is 1488100 pps for Gigabit and 148810 pps for Fast Ethernet.
- The command to configure broadcast suppression is:
set port broadcast port_string threshold_value

SecureStack
- Identical support to Matrix N-series
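The threshold maxima quoted above are the line rate for minimum-size (64-byte) frames once the preamble and inter-frame gap are counted, rounded up to the nearest ten. The following Python snippet is an added example and not the switch's own algorithm: it derives those figures, validates a threshold against the range given on the slide, and models per-second broadcast suppression over a constructed storm so the forwarded/dropped split can be seen.

```python
from collections import Counter

# 64-byte minimum frame plus 8 bytes preamble/SFD and 12 bytes inter-frame gap.
FRAME_OVERHEAD_BYTES = 8 + 12
MIN_FRAME_BYTES = 64

def line_rate_pps(link_mbps, frame_bytes=MIN_FRAME_BYTES):
    """Frames per second a link can carry at a given frame size."""
    bits_per_frame = (frame_bytes + FRAME_OVERHEAD_BYTES) * 8
    return link_mbps * 1_000_000 // bits_per_frame

# Maximum threshold values quoted on the slide for set port broadcast.
THRESHOLD_MAX = {1000: 1488100, 100: 148810}

def check_threshold(link_mbps, threshold_pps):
    """Reject values outside the 1..max range the slide gives for the port speed."""
    upper = THRESHOLD_MAX[link_mbps]
    if not 1 <= threshold_pps <= upper:
        raise ValueError("threshold must be 1..%d pps on a %d Mbps port" % (upper, link_mbps))
    return threshold_pps

def suppress(arrivals, threshold_pps):
    """Model per-port broadcast suppression as a packets-per-second limit.

    arrivals: iterable of (timestamp_seconds, is_broadcast) for frames received
    on the port. Returns (forwarded, dropped). Only broadcasts count against the
    limit, and the count restarts every second. This is a simplified model of
    the behaviour described on the slides, not the switch's actual algorithm.
    """
    seen = Counter()
    forwarded = dropped = 0
    for ts, is_broadcast in arrivals:
        if not is_broadcast:
            forwarded += 1            # unicast is never subject to the limit
            continue
        second = int(ts)
        seen[second] += 1
        if seen[second] <= threshold_pps:
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped

# Constructed storm: 5000 broadcasts in second 0, 30 in second 1, plus 10 unicasts.
STORM = ([(i / 5000.0, True) for i in range(5000)]
         + [(1.0 + i / 30.0, True) for i in range(30)]
         + [(0.5 + i / 10.0, False) for i in range(10)])

if __name__ == "__main__":
    print("Gigabit line rate at 64 bytes:", line_rate_pps(1000), "pps")
    print("Fast Ethernet line rate at 64 bytes:", line_rate_pps(100), "pps")
    print("forwarded/dropped at 1000 pps:", suppress(STORM, check_threshold(1000, 1000)))
```

Because the limit is expressed in packets per second rather than a share of bandwidth, the same threshold means very different things on a Gigabit and a Fast Ethernet port; computing the line rate first shows what fraction of the port a given threshold actually permits.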



MAC Locking
MAC locking allows administrators to provide access to the network based on a device's MAC address
MAC Locking
- Also known as MAC-based port locking, port locking, and port security
- Locks a port to one or more MAC addresses, preventing connection of unauthorized devices via a port
- MAC Locking comes in two flavors:
Static MAC Locking
- Locking one or more specified MAC addresses to a port
Dynamic MAC Locking
- Locking one or more MAC addresses to a port based on the chronological order of received frames after dynamic MAC locking is enabled

- MAC locking is supported on all Enterasys switches


MAC Locking Implementation


To implement MAC locking on all platforms, the following steps must be executed:
1. For static MAC locking,
a. Create static MAC addresses for MAC locking on the particular port:
set maclock mac_address port_string create
b. Restrict MAC locking to a maximum number of MAC addresses on the particular port:
set maclock static port_string value
2. For dynamic MAC locking,
a. Set the maximum number of MAC addresses for dynamic MAC locking:
set maclock firstarrival port_string value
3. Optionally enable the sending of traps via SNMP, as an administrative notification tool, when an attempt is made to exceed the maximum number of MAC addresses allowed to access a port:
set maclock trap port_string {enable | disable}
4. Enable MAC locking on the particular port:
set maclock enable port_string
5. Enable MAC locking globally:
set maclock enable
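The five steps above describe a small state machine, and it is worth seeing it run. The Python model below is an added example and not the switch's implementation; its attribute names mirror the CLI keywords (static, firstarrival, trap, enable) and the MAC addresses it uses are constructed. It shows the decision a locked port makes per frame: a source MAC that is neither statically locked nor among the first arrivals is denied once the first-arrival limit is reached, a trap is recorded only if trap sending was enabled in step 3, and nothing is enforced until both the per-port and the global enable (steps 4 and 5) are on.

```python
class MacLockViolation(Exception):
    """Raised when a configuration step would exceed the static MAC limit."""

class MacLockPort:
    """Model of one port's MAC locking state as configured by the steps above."""

    def __init__(self, name):
        self.name = name
        self.static = set()          # set maclock <mac> <port> create
        self.static_max = None       # set maclock static <port> <value>; None = not yet limited
        self.firstarrival_max = 0    # set maclock firstarrival <port> <value>
        self.learned = []            # dynamically locked MACs, in arrival order
        self.trap = False            # set maclock trap <port> enable
        self.enabled = False         # set maclock enable <port>
        self.traps = []              # SNMP traps that would have been sent

    def create_static(self, mac):
        """Step 1a: lock a specific MAC to this port."""
        if self.static_max is not None and len(self.static) >= self.static_max:
            raise MacLockViolation("%s: static MAC limit %d reached" % (self.name, self.static_max))
        self.static.add(mac.lower())

    def frame_allowed(self, mac, global_enabled=True):
        """Decide whether a frame from this source MAC may enter the port."""
        mac = mac.lower()
        if not (global_enabled and self.enabled):
            return True                       # locking not active: behave as a normal port
        if mac in self.static or mac in self.learned:
            return True
        if len(self.learned) < self.firstarrival_max:
            self.learned.append(mac)          # first-arrival: lock the next unseen MAC
            return True
        if self.trap:
            self.traps.append("maclock violation on %s from %s" % (self.name, mac))
        return False

def configure_port(name, static_macs, static_max, firstarrival_max, trap=True):
    """Apply steps 1 to 4 from the slide, in the slide's order, to a new port model."""
    port = MacLockPort(name)
    for mac in static_macs:               # 1a
        port.create_static(mac)
    port.static_max = static_max          # 1b
    port.firstarrival_max = firstarrival_max   # 2a
    port.trap = trap                      # 3
    port.enabled = True                   # 4 (step 5 is the global_enabled flag)
    return port

if __name__ == "__main__":
    # Constructed addresses from the documentation range 00:00:5e:00:53:xx.
    port = configure_port("fe.1.5", ["00:00:5e:00:53:aa"], static_max=1, firstarrival_max=2)
    for mac in ("00:00:5e:00:53:aa", "00:00:5e:00:53:b1", "00:00:5e:00:53:b2", "00:00:5e:00:53:c3"):
        print(mac, "allowed" if port.frame_allowed(mac) else "denied")
    print(port.traps)
```

The model makes the operational caveat of dynamic locking visible: whichever devices happen to send first after step 4 are the ones that get locked in, so a port should be enabled only once the intended devices are attached, and the trap from step 3 is the only signal an administrator gets when something else later tries to use the port.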
