Fujitsu PRIMERGY 10/40GbE Connection Blade 18/8+2, Function Manual

Page 1: ...Page 1 of 71 PRIMERGY PRIMERGY 10 40GbE Connection Blade 18 8 2 Function Manual FUJITSU ...

Page 2: ...Function 33 2 14 EHM Function 35 2 15 IEEE802 1X Authentication Function 36 2 16 Guest VLAN function 41 2 17 Broadcast Multicast storm control function 42 2 18 Port mirroring function 43 2 19 Ether L3 Monitoring Functions 45 2 20 Output rate control function 46 2 21 Port block function 47 2 22 IP route control function 48 2 22 1 Types of IP route information 48 2 22 2 Management of IP Route Inform...

Page 3: ...andardized in IEEE802 1Q Protocol VLAN In the frame header of Ethernet there is a field of 16 bits called as frame type and upper level protocol which is stored in that frame can be identified For example communication of different network protocol called as IP and IPX can be identified at the level of the Ethernet frame VLAN protocol uses this information and VLAN different in each network protoc...

Page 4: ... to VLAN of this device Information of VLAN protocol and information of static study table are defined lan definition It is an instruction group defining logical information related to LAN connection in this device Information of IP address of LAN and network is defined Moreover it is defined according to lan definition related to LAN dependent service of DHCP etc Other definitions It is an instru...

Page 5: ... be noted When one side is connected with the auto negotiation and the other side is connected with fixed FULL full duplex the communication mode is recognized as HALF half duplex In such cases due to high error rate normal communication may not be possible Hence set the communication mode correctly Set both side communicate modes firmly when the communication mode of one side or both sides cannot...

Page 6: ...ut queue with buffermode qos or ratecontrol is discarded in output queue side therefore it is not accumulated in the reception buffer of input port As a result regardless of the frame being disregarded Pause frame is not transmitted In order to execute the flow control steadily set the buffermode to max so that it is not transfered to the port where the ratecontrol is set In case of fixed mode 1 I...

Page 7: ...he entire packet to be input therefore delay of the packets associated with transfer can be minimized Store and forward mode Entire packet is input to this device and then the packet is delivered from the transfer destination port Points to be noted When cut through mode is selected latency is can be reduced and error packets are relayed In case of store and forward mode error packet is not transi...

Page 8: ...ucture definition command default is 300 seconds When port is linked down an entry learned from the corresponding port on FDB is deleted MAC address auto study stop function It is a function to stop the learning of dynamic MAC address in device unit according to structure definition FDB clear function It is a function to delete the dynamically studied FDB entries Conditions like Port unit MAC addr...

Page 9: ...pported by this device is based on IEEE802 1q In this device All the ports are initially set to VID 1 as no tag of VLAN1 setting of each port can be changed to with tag or no tag of specific VLAN VLAN and network address When VLAN function is used bridging communication is closed in this VLAN Therefore to define VLAN means to restrict the broadcasting frame Broadcasting domain at the level of MAC ...

Page 10: ... the section where only the frames with VLAN tag flow Same devices which support VLAN function with tag are connected by normal trunk link End node which cannot recognize VLAN tag is not connected Hybrid link It is the section where frames with and without VLAN tag flow Here multiple VLANs exist and there are access links or trunk links for respecitve VLANs However if focus is on specific protocol...

Page 11: ... VLAN untagged is default VLAN tag at the time of sending packets Handling of VLAN tag at the time of sending packets is according to Tagged Untagged settings of transmission port In case of Tagged port packets are sent with VLAN tag and in case of untagged port these are sent without VLAN tag VLAN type Port VLAN untagged Protocol VLAN untagged Tag VLAN Tagged Port VLAN untagged Protocol VLAN unta...

Page 12: ...it can be recognized that to which VLAN it belongs and the frame with VLAN tag is received routed and relayed with layer 3 switches VLAN between devices When VLAN crosses between the devices by setting the VLAN tag to the frame the VLAN wherefrom the frame has come is distinguished As a result similar VLAN A and VLAN B can communicate in such a way that these are connected with same switching HUB ...

Page 13: ...ased on sending source MAC address Distribution of the load based on sending destination IP address and sending source IP address Load balancing based on sending destination IP address Load balancing based on sending source IP address Load balancing based on the reception Ethernet port It is possible to specify the minimum member port count the trunk group can communicate Trunk group communication...

Page 14: ...col levels Therefore communication with the wrong connection is not possible When the LACP packet from the adjacent device is not received during the fixed time since there is determination of fault link fault detection of link which exceeds the fault detection range of device port is possible Points to be noted It is necessary to enable the LACP before connection for the link aggregation which us...

Page 15: ... mode which linkedup port in the beginning can be selected Moreover linkaggregation can be used as a backup port Points to be noted In the back up port function if error occurs it is possible to switch over the active port at once and when various protocols are used restoration time of each protocol till restoring the communication is required When it is used together with link aggregation if that...

Page 16: ...the system down is not generated Moreover a strong network can be constructed for failure STP chooses the root bridge that is the root of the logical tree structure network Then it decide a STP port mode for each ports The mode is root port designated port or blocking port The root port and designated port forward the packets though blocking port does not forward STP interface have the following s...

Page 17: ...exists in each segment When there are more than 2 ports which have least values port with least bridge priority is adopts It is determined in each path port It can be set in each port and select the AUTO usually 1 You assigned to each bridge the bridge priority It selects the port with the lowest value by calculating for each port of the bridge the root path cost minimum path cost to the root brid...

Page 18: ...c is determined as per the following parameters Parameters Setting target Remarks Hello Time STP bridge hello time Every Bridge Since the root bridge confirms the tree structure it is considered as the sending interval of configuration BPDU Recommended time is 2 seconds Maximum age STP bridge Max age Every Bridge It is a timer value that starts the restructure of tree since configuration BPDU is n...

Page 19: ...nate port Port where alternate path is provided There is a port which has less cost next to root port and it becomes the port having alternate path to root bridge Back up port It is a port of the alternate path of the route specified by specified port When there are more than 2 connections for the same segment on 1 switch it is provided as alternate path Alternate port and backup port will changes...

Page 20: ...it can handle the network per VLAN Therefore MSTP can forward network data more efficiently than STP For example There are 4 switches called Bridge A Bridge B Bridge C and Bridge D and connect them as below diagram topology Using MSTP we can forwards vlan 100 200 frame from Bridge D Bridge B Bridge A and forwards vlan 300 frame from Bridge D Bridge C Bridge A We can not use STP for such behavior ...

Page 21: ...nd or the Web screen Device identification information Representative MAC address essential Physical port identification information ifIndex MIB essential Retention time information TTL essential Physical port explanatory information ifDescr MIB Option Device name information sysName MIB Option Device explanatory information sysDescr MIB Option Device major function information switch router Optio...

Page 22: ...specified ACL packet pattern for the ETHER port which belongs to VLAN It is used while applying to all ETHER ports in same VLAN Upper limit which can be set in device The upper limit which can be set in the device is shown below Upper limit by set command When the CEE function is used 62 devices When the CEE function is not used 64 devices Settings is possible up to upper limit by setting command ...

Page 23: ... is specified When mask value of srcIP and dstIP are same When tos value dscp value is not specified 1 When tos value dscp value is specified 3 When mask value of srcIP and dstIP is different 3 In case of acl ip6 definition When srcIP address is not specified When tc value dscp value is not specified 1 When tc value dscp value is specified 3 When srcIP address is specified When dstIP address is no...

Page 24: ...dscp dscp_value acl vlan vid qos aclmap count queue queue_value acl vlan vid ip6qos aclmap count dscp dscp_value acl vlan vid ip6qos aclmap count queue queue_value acl lan number ip dscp count acl acl_count dscp_value lan number ip6 dscp count acl acl_count dscp_value When chengeQueue is set by the following commands 1 action is consumed interface Config mode qos aclmap count tos tos_value acl che...

Page 25: ... classification is validated user priority by the upper 3 bit of TOS and TC is preferred than the user priority as per default priority for reception packet without CoS or Tag For example in case of frame with VLAN tag which carries the below mentioned IP packet user priority is determined by Precedence upper 3 bits of DSCP of TOS field when qos classification is validated and user priority is det...

Page 26: ...e setting Recommended at the time of priority control 0 Best Effort 1 1 1 Background 0 0 2 Reserved 0 0 3 Excellent Effort 1 1 4 Controlled Load 2 2 5 Video 2 2 6 Voice 3 3 7 Network Control 3 3 Setting for assigning user priority Rank Method of deciding priority of input packet Valid settings 1 TOS qos classification ip tos on 1 TC qos classification ip6 tc on 2 CoS Depending on VLAN Tag control ...

Page 27: ...t ratio of each queue is set and a relative priority control is executed For example when 10 is set for queue 3 and 1 is set for queue 0 the process is executed at a rate of 10 1 for queue 3 and queue 0 WDRR A fixed value Output ratio of each queue is set and a relative priority control is executed WDRR controls data amount whereas WRR controls the number of packets The process example of Strict W...

Page 28: ...v6 Headers Upper limit which can be set in device The upper limit which can be set in the device is shown below Upper limit by set command When the CEE function is used 62 devices When the CEE function is not used 64 devices Settings is possible up to upper limit by setting command in addition with macfilter vlan macfilter lan ip filter qos aclmap vlan qos aclmap lan ip dscp ip6filter vlan ip6filt...

Page 29: ...s specified When dstIP address is not specified 3 When dstIP address is specified When tc value dscp value is not specified 3 When tc value dscp value is specified 5 The number of masks which vlan protocol command consumes are as follows Condition of applied acl Number of masks In case of protocol VLAN definition When vlan protocol ipv4 is specified 3 When vlan protocol ipv6 is specified 1 When vl...

Page 30: ...e qos aclmap count tos tos_value acl chengeQueue qos aclmap count dscp dscp_value acl chengeQueue ip6qos aclmap count dscp dscp_value acl chengeQueue vlan vid qos aclmap count tos tos_value acl chengeQueue vlan vid qos aclmap count dscp dscp_value acl chengeQueue vlan vid ip6qos aclmap count dscp dscp_value acl chengeQueue When the following commands are set 1 action is consumed When vid is same o...

Page 31: ...onnected or port where the listener exist are shown below Port Recognized conditions Multicast router port It is recognized by the following conditions by the multicast router port settings vlan vlan_id igmpsnoop router When auto is specified When the IGMP Query packet is received the concerned port is recognized as a multicast router port When yes port_no is specified At the time of start up port...

Page 32: ...looding is done for all the excessive addresses in the same VLAN Do not use the IGMP snoop function when the group addresses being handled exceed the maximum number that can be registered It cannot be used in the network where communication other than the IPv4 multicast Example IPv6 communication is used Do not enable the IGMP snoop function In this device lower rank 23 bits of IP address are reco...

Page 33: ...ed or port where the listener exist are shown below Port Recognized conditions Multicast router port It is recognized by the following conditions by the multicast router port settings vlan vlan_id igmpsnoop router When auto is specified When MLD Query packets are received that port is recognized as multicast router port When yes port_no is specified At the time of start up the port specified by th...

Page 34: ... all the same VLANs Do not use the MLD snoop function when the group addresses being handled exceeds the maximum number that can be registered In the network that uses the communication of IPv4 multicast enable even the IGMP snoop It cannot be used in the networks that use the communications other than IPv6 multicast Do not enable the MLD snoop function In this device addresses in which the values...

Page 35: ...hed over by re starting after specifying it by boot system mode command Both End Host Mode and common switch mode have independent configuration definitions Points to be noted STP Spanning tree function cannot be used When multiple connections are executed between the connection blade and ToR Top of Rack switch it is recommended to set linkaggregation on both the sides of connection blade and ToR ...

Page 36: ...licant other than the authenticated ones is denied By setting the attributes to the RADIUS server Supplicant is coordinated with VLAN at the time of authentication When VLAN ID is not notified from RADIUS server VID set by ether dot1x vid command is assigned RADIUS server that does operation checking in this device is Fujitsu manufactured Safeauthor V3 5 In this device multiple terminals can be au...

Page 37: ...dards of ID and password base Certificate is not required for user terminal The cost burden can be reduced and high security level can be maintained at the time of introduction PEAP Authentication standards of ID and password base Certificate is not required for user terminal The cost burden can be reduced and high security level can be maintained at the time of introduction User himself can chang...

Page 38: ...l and RADIUS server The challenge and response are exchanged and encrypted by using MD5 hash function and the user is authenticated by RADIUS server At the time of local authentication instead of RADIUS server AAA function in this device is used The sequence of the EAP MD5 authentication of the IEEE802 1X function is shown below ...

Page 39: ...P TLS Authentication EAP TLS is an authentication method wherein the certificate is assigned for both user terminal and RADIUS server The sequence of the EAP TLS authentication of the IEEE802 1X function is shown below ...

Page 40: ...uthentication EAP TTLS authentication is also similar PEAP is an authentication method wherein the certificate is assigned only to the RADIUS server The sequence of PEAP authentication of IEEE802 1X function is shown below ...

Page 41: ...ion the operation which controls the network use of the terminal for which authentication is not permitted can be executed by recovering the terminal where the connection is not denied to other VLAN Points to be noted When guest VLAN function and the dot1x authentication are used together since the authentication is successful during the EAP authentication supplicant which cannot correspond to it ...

Page 42: ...kets of broadcast multicast flow in the network due to error This device sets the threshold and controls the packet by port unit When the flow amount of packet exceeds the threshold the packet is destroyed or the port is blocked to control the flow Points to be noted If the port is blocked due to the flow amount exceeding the threshold the block release should be specified by the online command to...

Page 43: ...e port The target port of the mirror becomes dedicated port for mirror of the source port The port specified with the target of the mirror cannot be specified as a source When there are multiple source ports of the mirror for the target port the packets in the part that exceeds the bandwidth of the target port is discarded When the port status in the STP function of the source port is other than f...

Page 44: ... source port Tagged The contents of tag are tagged only when it is attached to the sending source port At the time of settings without tag In case of multiple address source port in the packets of multicast broadcast and flooding when the settings without tag exist in multiple source port Not tagged When received packet is mirrored the existence and contents of VLAN tag of packet output in the tar...

Page 45: ...tion When monitoring by using backup port function set so as to monitor by operation port When ether L3 monitoring function is set in standby port monitoring is not done Monitoring is started when standby port switches to operation port Moreover when error is detected and when the port which is monitored is blocked the influence of network error can be suppressed to minimum by switching the standb...

Page 46: ...output port Set the control value of output and control the bandwidth with the help of port unit for this device When the bandwidth of traffic exceeds the threshold value the traffic which exceeds the bandwidth is discarded Points to be noted Priority control function and output rate control function which use WRR and WDRR cannot be used together traffic Network Network Network bandwidth limitatio...

Page 47: ...be in blocked state by issuing the offline command which is the Ethernet port control command Automatic block by linkage operation of communication control function Transition to port block state can be specified when control functions such as broadcast Multi cast storm are used Communication control functions which support the transition of the port block state are as follows Back up port functio...

Page 48: ...is managed as a host root 32 bits network mask Interface route IPv6 The IPv6 prefix allocated in the interface is shown It is generated when IPv6 prefix is set as structure definition and when IPv6 prefix information is received by Router Advertisement Message The IPv6 address allocated in the loop back interface is managed as a host root 128 bits network mask RA route IPv6 The generated default r...

Page 49: ...f network configuration and route information 2 22 3 Route Control Function according to the Error Detection of Interface The interface route information can be deleted from the routing table due to error detection such as abnormal detection by hardware of interface The IP route information Route information of same address created by the static routing function can be converted according to the d...

Page 50: ...ic selection of source address And in this device not only IPv4 packets but IPv6 packets can also be transmitted IPv6 router function supported by this device is as follows Static or dynamic routing Packet filtering Points to be noted ICMPv6 redirect message is not sent at the time of IPv6 host function When IPv6 routing function is used route information of prefix length 65 127 cannot be register...

Page 51: ...n the link Range in which communication is possible without router This address starts the beginning 10 bits that is 1111 1110 10 Normally it becomes 0 from the 11th bit to 64th bit Multicast Addresses It is a multicast address Beginning 8 bits are 1111 1111 Static or Dynamic Route Settings The concept of IPv6 network and routing is almost same as of IPv4 The transfer destination is determined acc...

Page 52: ...ay When Router Advertisement Message is received by multiple routers the default router list which can be used as default router is generated in this list the router which can reach the packet is set as default router The generated default router list can be referred by show ipv6 ra default router list command Moreover the set default router can be referred by show ipv6 route command Points to be ...

Page 53: ...d from this device and when explicit source address is not specified by application the address is selected based on a fixed rule from multiple IPv6 addresses The selection rule of the source address which is to be supported by this device is based on the following RFC and the draft RFC3484 Default Address Selection for Internet Protocol version 6 IPv6 ...

Page 54: ...f this device Other countermeasures are necessary as the virus measures software is used in the personal computer The security policy is decided according to connection type There are two directions From outside to inside and From inside to outside in which the data flows when similar LANs are connected even if internet is connected When the security policy is decided it is necessary to consider t...

Page 55: ...nd protocol number can be specified in rewrite condition DSCP value of packets that agree with this condition are re written and transmitted When agreed with multiple conditions condition with smaller definition number is used DSCP value of the packets which is not the target of rewrite are not re written Packets entered in this device are executed by DSCP value rewrite process corresponding to ac...

Page 56: ...applied by specifying priority control algorithm and priority for output queue Points to be noted When used with protocol VLAN function QoS function is disabled for the frame identified as protocol VLAN Refer to vlan protocol command item for the frame recognized as protocol VLAN Moreover QoS that uses ACL is disabled for the packets that are applied for IP MAC filter When priority determination m...

Page 57: ...P MAC address check PAP authentication CHAP authentication Does not use Does not use It is an authentication which uses MAC address HEX12 characters without separating character for user name and MAC address for password Backup configuration or load sharing configuration which uses multiple RADIUS servers is possiblefor the RADIUS client function of this device The authentication server and the ac...

Page 58: ... the same time Even if the RADIUS client function is defined user information of the same group is used When both RADIUS client function aaa radius and user information aaa user are defined in the AAA group authentication is carried out by the RADIUS client function When authentication by the RADIUS client function is successful user information is not used but when authentication fails the authen...

Page 59: ...nd SNMPv3 are supported by this device Moreover standard MIB and Fujitsu extended MIB are supported Hint MIB In MIB there is a standard MIB which is not related to the vendor of the device and device vendor specific extended MIB The standard MIB defined by RFC1213 is the virtual information area to access the respective management object of the management node In RFC the management information whi...

Page 60: ...o the request from SNMP manager Or RMON manager is returned as a response of SNMP RMON groups shown below are supported by this devices statistics Group Collects the basic statistical information of packet number or error number of ETHER port monitored history Group Stores the information collected in statistical group and similar total information as history information Since the history informat...

Page 61: ...a command and show ssh server key rsa command in this device In this device when SSH is connected by sending the SSH host authentication key of this device to SSH client side and if the set and saved key differ the SSH connection is rejected Therefore SSH is connected by resetting or by deleting the SSH host authentication key which is set and saved in SSH client software by device exchange etc Af...

Page 62: ...hat is supported by this device Items Support contents SSH server version OpenSSH 3 9p1 SSH protocol version Supports only the version of SSH Protocol version SSH port number protocol 22 TCP IP protocol version IPv4 IPv6 Host certification protocol RSA Types of host authentication algorithms ssh rsa ssh dss Types of cryptographic methods aes128 cbc 3des cbc blowfish cbc cast128 cbc arcfour aes192 ...

Page 63: ...SH client software In the SSH server function of this device use the SSH client software ssh client software and sftp client software which supports to SSH protocol version 2 since it supports only to SSH protocol version 2 ...

Page 64: ...plication filter function an access related to each server function operated in this device can be controlled Accordingly the maintenance of this device or the terminal which uses the server function of this device is restricted and security can be increased ...

Page 65: ... is acquired is restored in alive status Points to be noted Accounting function of TACACS client function is not supported Unable to use simultaneously with RADIUS client function When both the RADIUS client function aaa radius and TACACS client function aaa tacacsp are defined in AAA group TACACS client function is disabled When both the TACACS client function and user information aaa user are de...

Page 66: ...e same priority exist the server is selected randomly dead state It is a status wherein the usage of server stops temporarily due to TCP connection failure of server or when request of server is timeout Additionally when server of alive status exists defined priority value is not used When the time specified in restoration standby time is elapsed it automatically restores in alive status At the ti...

Page 67: ...WAN Ethernet for the multiple customers the VLAN ID used by customer may be duplicated and the VLAN limit 4096 of IEEE802 1Q specification may be immediately exceeded As per the IEEE802 1Q tunneling the tag is added again with the switch on the career side for the traffic with the tag transmitted by the customer Accordingly customer VLAN traffic can be transmitted as a single VLAN traffic and the ...

Page 68: ...multaneous use with protocol VLAN function when the frame that is recognized as protocol VLAN is received by IEEE802 1Q tunnel port the protocol VLAN is to be applied for that frame and IEEE802 1Q tunneling function will be disabled ...

Page 69: ...tting information of each peer and process by which setting is adjusted is executed Implemented as LLDP extension PFC Priority based Flow Control Though the flow control function explained in section 2 2 is considered as control of link level it is extended such that the flow of each Priority can be controlled therefore it is examined as IEEE802 1 Qbb For example PFC is enabled for the Priority or...

Page 70: ...command Therefore there is a possibility that the other traffic class group or frames of other port address discarded easily by PFC in the situation wherein lots of frame of valid traffic class group are accumulated CEE function is enabled for the frames having size less than 2300 Bytes The flow control does not functioned effectively for the frames having size more than this and the band control ...

Page 71: ...al switch function in this device Virtual Ethernet Bridge VEB The communication between virtual machines on the same physical machine is carried out with virtual switch which operates in the virtualization software Virtual Ethernet Port Aggregator VEPA It is a technology which off loads the process of a virtual switch to external physical switch A physical switch identifies an individual virtual m...