16 Configuring Policy This chapter provides an overview of Enterasys policy operation, describes policy terminology, and explains how to configure policy on Fixed Switch platforms using the CLI. Configuring IGMP Snooping. Configure the IP address of the sFlow Collector being configured. Configure the owner identity string and timeout value for an sFlow Collector in the switch's sFlow Receivers Table set sflow receiver index owner owner-string timeout timeout 2. clear multiauth idle-timeout auth-method 3. SNMP Support on Enterasys Switches Terms and Definitions Table 12-2 lists common SNMP terms and defines their use on Enterasys devices. Policy Configuration Overview The following example creates a policy profile with a profile-index value of 1 and a profile name, student, that can be used by the RADIUS Filter-ID functionality: System(rw)->set policy profile 1 name student Setting a Default VLAN for a Role A default VLAN can be configured for a policy role. Enabling Master Preemption By default, a router is enabled to preempt a lower priority master for the configured virtual router. Configuring VRRP 2. Note: Only one IOM containing a memory card slot may be installed in an I-Series switch. Managing the Firmware Image 6-1 Managing Switch Configuration and Files 6-4 Managing the Firmware Image This section describes how to download a firmware image, set the firmware to be used at system startup, revert to a previous image, and set TFTP parameters. lacptimeout - Transmitting LACP PDUs every 30 seconds. This configuration requires a charging circuit to charge the DC capacitors of the modules in a controlled way.
Self-taught in many areas of IT, I am passionate about information security. Currently a technician and system administrator, I am considering, in the long term, a career change (through training or an academic degree) into the field of auditing and pentesting. Table 26-3 lists the logging commands that require different user access permissions when the security mode is set to C2. If you have different switches with VLANs and want to connect them together, you have to set the egress state of the ports where the switches are connected together. Example: Switch A is connected with Switch B (let's say the uplink port between both is ge.1.1), then you have to: - create the VLAN: set vlan create 20 Table 26-8 provides an explanation of the command output. Neighbor Discovery Overview connected neighbors. The following table describes the output of this command. You can insert a new rule into a specified entry location using the insert option. Using Multicast in Your Network unsolicited join (sent as a request without receiving an IGMP query first) In Figure 19-2, this type of exchange occurs between Router 2 and Host 2 when: (6) Host 2 sends a join message to Router 2. The router with the highest priority is elected the DR, and the router with the next highest priority is elected the BDR. Examples 17-18 Chapter 18: Configuring Network Monitoring Basic Network Monitoring Features 18-1 Console/Telnet History Buffer. Chapter 20: IP Configuration Enabling the Switch for Routing 20-1 Router Configuration Modes 20-1 Entering Router Configuration Modes 20-2 Example Configuring Area Virtual-Link Authentication 22-14 Configuring Area Virtual-Link Timers 22-14 Configuring Route Redistribution 22-14 Configuring Passive Interfaces. Extended IPv4 ACL Configuration 24-12 MAC ACL Configuration 24-13 Chapter 25: Configuring and Managing IPv6 Managing IPv6. Disabling and Enabling Ports 26-9 MAC Locking Defaults 26-9 MAC Locking Configuration 26-10 TACACS+.
Link Aggregation Example 11-12 Communication between LLDP-enabled Devices 13-3 LLDP-MED. Default DHCP Server Parameters 4-20 Configuring Pool Parameters. Policy Configuration Terms and Definitions 16-18 CoS Configuration Terminology About This Guide This guide provides basic configuration information for the Enterasys Networks Fixed Switch platforms using the Command Line Interface (CLI), including procedures and code examples. Table 8-6 show snmp access Output Details, Overview: Single, Rapid, and Multiple Spanning Tree Protocols, Table 9-1 shows a detailed explanation of command output. Spanning Tree Basics The MSTP enabled network may contain any combination of Single Spanning Tree (SST) regions and Multiple Spanning Tree (MST) regions. TACACS+ Configuring the Source Address You can configure the source IP address used by the TACACS+ application on the switch when generating packets for management purposes. Licensing Advanced Features When adding a new unit to an existing stack, the ports on a switch lacking a licensed feature that has been enabled on the master will not pass traffic until the license has been enabled on the added switch. Configuring RIP on page 21-1 Configure OSPFv2.
set system power {redundant | nonredundant} redundant (default) The power available to the system equals the maximum output of the lowest rated supply (400W or 1200W). Do you want to continue (y/n) [n]? Figure 23-3 Multi-Backup VRRP Configuration Example 172.111.0.0/18 Default Gateway 172.111.1.1 ge.1.1 VLAN 111 172.111.1.1/16 172.111.128.0/18 Default Gateway 172.111.1.150 172.111.64.0/18 Default Gateway 172.111.1.50 VRID 1 172.111.1.1 VRID 2 172.111.1.50 VRID 3 172.111.1.150 Router R1 ge.1.1 VLAN 111 172.111.1.2/16 Router R2 ge.1.2 172.200.2. Valid sid values are 0 to 4094. MAC Locking If a connected end station exceeds the maximum values configured with the set maclock firstarrival and set maclock static commands (a violation). Setting security access rights 3. Refer to page Quality of Service Overview Secondly, you must identify these flows in a way that QoS can recognize. If the port is configured so that it is connected to a switching device known to implement Loop Protect, it uses full functional (enhanced) mode. S, K, and 7100 Series CLI Reference Guide for Version 8.41 Aug 2015 Access Control Lists on the A4 A4(su)->router(Config)#access-list mac mymac permit 00:01:00:02:00:01 any assignqueue 2 A4(su)->router(Config)#show access-lists mymac mymac MAC access-list 1: deny 00-E0-ED-1D-90-D5 any 2: permit 00:01:00:02:00:01 any assign-queue 2 A4(su)->router(Config)#access-list interface mymac fe.1.2 in A4(su)->router(Config)#show access-lists interface fe.1.2 24-14 Port-string Access-list ----------- ----------- fe.1. 1.4 IP phone ge. After setting the index and IP address you are prompted to enter a secret value for this authentication server. Testing Network Connectivity Configuring Static Routes Procedure 20-3 lists the commands to configure a static route. 2. The RP de-encapsulates each register message and sends the resulting multicast packet down the shared tree. Enable OSPF on the interface.
An ABR keeps a separate copy of the link-state database for each area to which it is connected. Use this command to display the system IP address and subnet mask. 4. Terms and Definitions 20-12 IP Configuration. This example shows how to display LLDP configuration information. ARP poisoning is a tactic where an attacker injects false ARP packets into the subnet, normally by broadcasting ARP responses in which the attacker claims to be someone else. Also described in this chapter are port link flap detection, port mirroring, and transmit queue monitoring and how to configure them. Configuring Syslog Table 14-3 Syslog Command Precedence (continued) Syslog Component Command Function Server settings set logging server index ip-addr ipaddr [facility facility] [severity severity] [descr descr] [port port] state enable | disable During or after new server setup, specifies a server index, IP address, and operational state for a Syslog server. Ports assigned to a new port group cannot belong to another non-default port group entry and must be comprised of the same port type as defined by the port group you are associating it with. set snmp community community_name 2. If you clear a license from a member unit in a stack while the master unit has an activated license, the status of the member will change to ConfigMismatch and its ports will be detached from the stack. You may want to set a rate limit that would guard against excessive streaming. Preventing clients from using legacy protocols such as IPX, AppleTalk, and DECnet that should no longer be running on your network. show ip mroute [unicast-source-address | multicast-group-address] [summary] Refer to the device's CLI Reference Guide, as applicable, for an example of each command's output.
C5(su)->router(Config)#show access-lists 120 Extended IP access list 120 1: deny ip 20.0.0.1 0.0.255.255 any 2: deny ip 30.0.0.1 0.0.255.255 any 3: deny ip 40.0.0.1 0.0.255.255 any 4: permit ip any any C5(su)->router(Config)#no access-list 120 2 3 C5(su)->router(Config)#show access-lists 120 Extended IP access list 120 1: deny ip 20.0.0.1 0.0.255. Procedure 4-4 DHCP Server Configuration on a Non-Routing System Step Task Command(s) 1. Select none to allow all frames to pass through. Table 8-3 Link Flap Detection Show Commands Task Command Display whether the port is enabled for generating an SNMP trap message if its link state changes. Note: Globally enabling 802.1x on a switch sets the port-control type to auto for all ports. Optionally, change the administratively assigned key for each aggregation on the device. Review and define edge port status as follows: 1. The cost of a virtual link is not configured. Using the Command Line Interface For commands without optional parameters, the defaults section lists None. Senders use RPs to announce their existence, and receivers use RPs to learn about new senders of a group. Configuration Guide Firmware Version 6.03.xx.xxxx. FIPS mode is persistent and shown in the running configuration. The final tie breaker is the receiving port ID. Revision Level Two octets in length. Assigning Port Costs Each interface has a Spanning Tree port cost associated with it, which helps to determine the quickest path between the root bridge and a specified destination. Refer to Procedure 4-3 on page 4-14 to configure the switch SNTP client for authentication. A typical network may contain multiple MST regions as well as separate LAN segments running legacy STP and RSTP Spanning Tree protocols. Reset the MultiAuth authentication idle timeout value to its default value for the specified authentication method.
Procedure 19-3 describes the basic steps to configure DVMRP on fixed switches with advanced routing enabled. Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. CoS Hardware Resource Configuration 1.0 4 irl none 1.0 5 irl none 1.0 6 irl none 1.0 7 irl none 1.0 8 irl none 1.0 9 irl none 1.0 10 irl none 1.0 95 irl none 1.0 96 irl none 1.0 97 irl none 1.0 98 irl none 1.0 99 irl none Use the show cos port-resource irl command to display the data rate and unit of the rate limiter for port 1.0: System(su)->show cos port-resource irl 1. The power available for PoE is 150W. If LAG members with different port speeds should tie for the lowest port priority, the LAG member with the lowest port number breaks the tie. enable|disable Enables or disables Class of Service on the switch. Default state is disabled. This overrides the specified timeout variable: set spantree spanguardlock port-string Monitoring SpanGuard Status and Settings Use the commands in Table 15-9 to review SpanGuard status and settings. Based on the exchanged BPDU information, the spanning tree algorithm selects one of the switches on the network as the root switch for the tree topology. Removing Units from an Existing Stack The hierarchy of the switches that will assume the function of backup manager is also determined in case the current manager malfunctions, is powered down, or is disconnected from the stack. The switch can enforce a system-wide default for password aging (set system password aging). Quality of Service Overview queue 2 has access to its percentage of time slices, and so on round robin. 5 User Account and Password Management This chapter describes user account and password management features, which allow enhanced control of password usage and provide additional reporting of usage.
DHCP Configuration C5(su)->router(Config)#exit C5(su)->router#exit C5(su)->router>exit C5(su)->set dhcp enable C5(su)->set dhcp pool autopool2 network 6.6.0.0 255.255.0.0 Managing and Displaying DHCP Server Parameters Table 4-6 lists additional DHCP server tasks. Extensible Authentication Protocol (EAP) A protocol that provides the means for communicating the authentication information in an IEEE 802.1x context. Both: management-access and network-access. DHCP Configuration IP Address Pools IP address pools must be configured for both automatic and manual IP address allocation by a DHCP server. This guarantees that the default behavior of a bridge is to not be part of an MST region. Auto-negotiation is enabled by default. If a downstream router has no hosts for a multicast stream, it sends a prune message to the upstream router. Alternatively, you can specify only the interface to be used to contact the DHCPv6 server and the Fixed Switch device will use the DHCPV6-ALL-AGENTS multicast address (FF02::1:2) to relay DHCPv6 messages to the DHCPv6 server. Display the current timeout period for aging learned MAC entries. show mac agetime 3. Procedure 17-1 Step Task Command(s) 1. Any such invalidity, illegality, or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction. Refer to page Link Aggregation Overview 11-1 Configuring Link Aggregation 11-9 Link Aggregation Configuration Example 11-11 Terms and Definitions 11-15 Link Aggregation Overview IEEE 802.3ad link aggregation provides a standardized means of grouping multiple parallel Ethernet interfaces into a single logical Layer 2 link. student Connects a dorm room PC to the network through a Student Fixed Switch port.
Access Control Lists on the A4 Table 24-1 ACL Rule Precedence (continued) ACL Type and Rule Priority Example IP SIP any DIP exact 18 permit any 10.0.1.22 IP SIP any DIP any 17 deny any any MAC SA any DA any 16 deny any any Rule actions include: Deny: drop the packet. For IPv6 ACLs, the following protocols can be specified in a rule: Any IPv6 protocol, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), IPv6 Internet Control Message Protocol (ICMPv6). TCP and UDP rules can match specific source and destination ports. Assign switch ports to the VLAN. You can configure ports to only use MDI or MDIX connections with the set port mdix command. Optionally, remove a static route. However, IPv6 natively provides for auto-configuration of IP addresses through the IPv6 Neighbor Discovery Protocol (NDP) and the use of Router Advertisement messages. After you have established your connection to the switch, follow these steps to download the latest firmware: 1. Using Multicast in Your Network Figure 19-1 IGMP Querier Determining Group Membership IGMP Querier IGMP Query IGMP Membership IGMP Membership Router for 224.1.1.1 Router for 226.7.8.9 Member of 224.1.1.1 Member of 226.7.8.9 As shown in Figure 19-1, a multicast-enabled device can periodically ask its hosts if they want to receive multicast traffic. It also makes management secure by preventing configuration through ports assigned to other VLANs. Chapter 19, Configuring Multicast Configure VRRP. A DHCP server manages a user-configured pool of IP addresses from which it can make assignments upon client requests. Using Multicast in Your Network Figure 19-3 DVMRP Pruning and Grafting Source DVMRP Multicast Multicast Traffic Graft Prune Prune* IGMP Join * Prune before new host was added New Host Existing Host Protocol Independent Multicast (PIM) Overview PIM dynamically builds a distribution tree for forwarding multicast data on a network.
engine ID A value used by both the SNMPv3 sender and receiver to propagate inform notifications. Using the Command Line Interface Note: At the end of the lookup display, the system will repeat the command you entered without the ?. As soon as a rule is matched, processing of the access list stops. Table 20-9 show ip pimsm interface vlan Output Details, Table 20-10 show ip pimsm interface stats Output Details. DHCP Configuration The subnet of the IP address being issued should be on the same subnet as the ingress interface (that is, the subnet of the host IP address of the switch, or if routing interfaces are configured, the subnet of the routing interface). This chapter describes switch-related logging and network management commands and how to use them. VRRP is available only on those fixed switch platforms that support advanced routing and on which an advanced feature license has been enabled. Further, if a BPDU timeout occurs on a port, its state becomes listening until a new BPDU is received. Figure 10-4 provides an overview of the fixed switch authentication configuration. show snmp engineid Display SNMP group information. If port-string is not specified, PWA information will be displayed for all ports. Set the minimum rate (in packets per second) of transmitted packets in a sampling interval. Agent 802. Display the MAC addresses in the switch's filtering database (FID). By default, this value is 10 link flapping instances. A typical situation occurs when a host requests an IP address with no DHCP server located on that segment. show snmp counters Display SNMP engine properties. (8) When it no longer wants to receive the stream, Host 2 can do one of the following: - Send a leave message to Router 2. Paths to Root If the bridge is not elected as root, one or more ports provide a path back to the root bridge. For information about security modes and profiles, see Chapter 26, Configuring Security Features.
Password Management Overview guest read-only enabled 0 0 no 00:00 24:00 mon tue wed Password Management Overview Individual user account passwords are configured with the set password command. Configuring OSPF Interfaces OSPF is disabled by default and must be enabled on routing interfaces with the ip ospf enable command in interface configuration mode. Configuring Authentication Note: User + IP Phone authentication is not supported on the I-Series. With User + IP Phone authentication, the policy role for the IP phone is statically mapped using a policy admin rule which assigns any frames received with a VLAN tag set to a specific VID (for example, Voice VLAN) to a specified policy role (for example, IP Phone policy role). Refer to the CLI Reference for your platform for details about the commands listed below. The [state] option is valid only for S-Series and Matrix N-Series devices. Enterasys devices support version 2 of the PIM protocol as described in RFC 4601 and draft-ietf-pim-sm-v2-new-09. Spanning Tree Basics that port will be selected as root. Procedure 25-5 on page 25-13 lists the tasks and commands to configure Neighbor Discovery on routing interfaces. ieee The Enterasys device uses only the IEEE 802. Since MSTP mode is fully compatible and interoperable with legacy STP and RSTP bridges, in most networks, this default should not be changed. For example, you could assign WRR to queues 0 through 4 by assigning 20 percent to each of those queues, and then setting queue 5 to SP. Refer to RFC 1157 for a full description of functionality. If authentication is not specified, no authentication will be applied. Router 4 is configured as an ASBR connected to a RIP autonomous system. sFlow requires very little memory or CPU usage. Refer to page ACL Configuration Overview Inserting a new ACL rule entry into an ACL Moving an ACL rule to a new location in an ACL Apply the ACL to VLAN interfaces, to ports, or to Link Aggregation ports.
Additional Configuration Tasks Setting User Accounts and Passwords Enterasys switches are shipped with three default user accounts: A super-user access account with a username of admin and no password A read-write access account with a username of rw and no password A read-only access account with a username of ro and no password Enterasys recommends that, for security purposes, you set up one or more unique user accounts with passwords and disable the default login accounts. sFlow sFlow Agent Functionality Packet flow sampling and counter sampling are performed by sFlow Instances associated with individual Data Sources within the sFlow Agent. Terms and Definitions Table 20-3 IP Routing Terms and Definitions (continued) Term Definition relay agent A DHCPv6 application that provides a means for relaying DHCPv6 requests between a subnet to which no DHCP server is connected and other subnets on which servers are attached. Enable or disable Telnet services, inbound, outbound, or all. Please consult the release notes or configuration guide to properly configure a static multicast Filter Database Entry for: 00-00-00-00-00-00 on vlan.0.123 . Use this command to display SNMP traffic counter values. Note: When configuring any string or name parameter input for any command, do not use any letters with diacritical marks (an ancillary glyph added to a letter). OSPF routes IP packets based solely on the destination IP address found in the IP packet header. When operating in unicast mode, optionally change the number of poll retries to a unicast SNTP server. Ctrl+I or TAB Complete word. IPv6 Routing Configuration Setting Routing General Parameters IPv6 routing parameters are set in router global configuration mode. Telnet Overview on page 4-23 Configure the Secure Shell V2 (SSHv2) client and server. The memory card provides a removable, non-volatile means for storing the system configuration and IP address only, and may be used to move the system's configuration to another switch.