Extreme 교육 자료 2018-09-21

목 차 1.Account설정 2. Vlan 생성과 제거 3. Static routing 4. ESRP 5. 기본적인 명령어 6. Sharing (=trunking) 7.Spanning tree protocol 8. SLB 9. Flow-redirection(WCR) 10. Access-list 11. OSPF 2018-09-21

Account 설정 Example #1 Summit48:1 > create account Next possible completions: admin user ( admin은 read/write user는 read only) Summit48:1 > create account admin <name> Summit48:1 > create account admin testadmin encrypted <cr> <password> Summit48:1 > create account admin testadmin testpassword <cr> Summit48:1 > delete account testadmin 2018-09-21

Password 변경 * Summit48:1 # conf account testadmin <tab> Next possible completions: encrypted <name> <cr> * Summit48:1 # conf account testadmin <enter> password: Reenter password: 2018-09-21

VLAN SETTING(1) 기본적으로 Default VLAN에 모든 port들이 들어있다. 먼저 이 port들을 제거 해 준다. Summit48:1 # sh vlan VLAN Interface[0-fdf] with name "Default" created by user Tagging: 802.1Q Tag 1 IP: Waiting for bootp reply. IPX: Not configured STPD: Domain "s0" is not running spanning tree protocol Protocol: Match all unfiltered protocols. Qos Profile: QP1 Ports: 50. (Number of active port=0) Untag: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 2018-09-21

VLAN SETTING(2) Summit48:2 # config default delete port all Summit48:3 # sh vlan VLAN Interface[0-fdf] with name "Default" created by user Tagging: 802.1Q Tag 1 IP: Waiting for bootp reply. IPX: Not configured STPD: Domain "s0" is not running spanning tree protocol Protocol: Match all unfiltered protocols. Qos Profile: QP1 Ports: 0. (Number of active port=0) 2018-09-21

VLAN SETTING(3) *주의 사항 VLAN을 creat 명령어를 사용해 만든다. Summit48:4 # creat vlan test 만든 VLAN에 port를 추가시킨다. Summit48:5 # config vlan test add port 1 – 4 만약 BlackDiamond라면 1:1 – 1:4 형식으로 추가 해야 한다. (모듈 넘버:포트 넘버) VLAN에 IP Address를 입력한다. Summit48:6 # config vlan test ipadd 100.100.100.100/24 IP interface for VLAN locus-inside has been created. IP address = 100.100.100.100, Netmask = 255.255.255.0. VLAN의 IP Address를 바꾸려면 IP Address만 변경하여 위와 동일하게 하면 됨. *주의 사항 만약 여러개의 VLAN이 있으면 VLAN간에 Traffic이 흐르도록 하기 위해 VLAN을 만들 때 마다 * Summit48:14 # enable ipforwarding 명령어를 실행 시킨다. 2018-09-21

VLAN SETTING(4) Summit48:7 # sh vlan VLAN Interface[0-fdf] with name "Default" created by user Tagging: 802.1Q Tag 1 IP: Waiting for bootp reply. IPX: Not configured STPD: Domain "s0" is not running spanning tree protocol Protocol: Match all unfiltered protocols. Qos Profile: QP1 Ports: 0. (Number of active port=0) VLAN Interface[1-fdc] with name “test" created by user Tagging: Untagged (Internal tag 4095) IP: 100.100.100.100/255.255.255.0 Ports: 4. (Number of active port=0) Untag: 1 2 3 4 2018-09-21

VLAN SETTING(5) BlackDiamond:9 # sh vlan Name VID Protocol Addr Flags Proto Super Ports Default 0001 0.0.0.0 /BP -----f----- ANY 0/145 MacVlanDis 4095 ------------------ ---- - ANY 0/ 0 Mgmt 4094 ------------------ ----- ANY 0/ 1 trunk 4093 100.100.100.246/30 -----f--o-- ANY 1/ 1 backbone2 4092 100.100.100.41 /28 -----f--o-- ANY 1/ 1 loop-back 4091 100.100.100.74 /32 -L---f--o-- ANY 0/ 0 neowiz 0601 100.100.101.126/27 -----f--o-- ANY 2/ 2 cckvan 0602 100.100.101.94 /29 M----f--o-- ANY 2/ 2 itventure 0603 100.100.101.250/30 M----f--o-- ANY 2/ 2 test 0604 100.100.102.1 /27 M----f--o-- ANY 2/ 2 backbone1 4090 211.106.158.169/27 -----f--o-- ANY 1/ 1 Flags : M=ESRP Master, E=ESRP Slave, G=GVRP Enabled, L=Loopback Enabled S=SuperVlan, s=SubVlan, R=SubVLAN IP Range Configured C=Domain-masterVlan, c=Domain-memberVlan f=IP Forwarding Enabled, m=IPmc Forwarding Enabled r=RIP Enabled, o=OSPF Enabled, p=PIM Enabled, d=DVMRP Enabled R=IPX RIP Enabled, P=IPX SAP Enabled N=GNS Reply Enabled, 2=IPX Type 20 Forwarding Enabled 2018-09-21

Default Gateway SETTING Summit48:17 # config iproute add default 100.100.100.1   Summit48:18 # sh iproute Destination Gateway Mtr Flags Use VLAN Origin 100.100.100.0/24 100.100.100.100 1 0 test Direct 200.200.200.0/24 200.200.200.200 1 0 test1 Direct 127.0.0.1/8 127.0.0.1 0 U H 0 Default Direct Default Route 100.100.100.1 1 G M 0 test Static Total number of routes = 4. Mask distribution: 1 default routes 1 routes at length 8 2 routes at length 24 Route origin distribution: 3 routes from Direct 1 routes from Static 2018-09-21

STATIC ROUTING SETTING Summit48:20 # config iproute add 200.200.100.0 255.255.255.0 200.200.200.1 destination address next hop Summit48:21 # sh iproute Destination Gateway Mtr Flags Use VLAN Origin 100.100.100.0/24 100.100.100.100 1 0 test Direct 200.200.100.0/24 200.200.200.1 1 G M 0 test1 Static 200.200.200.0/24 200.200.200.200 1 0 test1 Direct 127.0.0.1/8 127.0.0.1 0 U H 0 Default Direct Default Route 100.100.100.1 1 G M 0 test Static Total number of routes = 5. Mask distribution: 1 default routes 1 routes at length 8 3 routes at length 24 Route origin distribution: 3 routes from Direct 2 routes from Static 2018-09-21

Static routing 제거 및 iproute sharing Summit48:20 # config iproute delete 200.200.100.0 255.255.255.0 200.200.200.1 동일한 destination에 대해서 static routing경로가 2개 이상일 경우 이를 round-robin으로 사용할 수 있다. 경로 백업이 아니고 동시에 사용하기 위해서는 다음과 같은 명령어를 사용한다. * Summit48:10 # enable iproute sharing * Summit48:11 # show iprou Destination Gateway Mtr Flags Use VLAN Origin 211.116.235.192/26 211.116.235.245 1 U 111858 global Direct 100.100.100.0/24 100.100.100.1 1 U 154 test1 Direct 200.200.200.0/24 211.116.235.254 1 UG M 0 global Static 200.200.200.0/24 100.100.100.10 1 UG M 0 test1 Static 127.0.0.1/8 127.0.0.1 0 U H 0 Default Direct Default Route 211.116.235.254 1 UG M 124683 global Static 2018-09-21

ESRP SETTING(1) ESRP는 시스코의 HSRP, Foundrynetworks의 FSRP와 같이 L3기능과 동시에 Spanning tree기능과 같이 L2 blocking을 제공한다. 즉 default gateway backup기능과 Link backup기능을 제공한다. MASTER쪽과 SLAVE쪽 VLAN의 IP Address는 동일 하게 setting. ESRP SLAVE ESRP MASTER 만약 어떤 장비에게 Traffic이 흐르지 않는다면 장비가 현재 MASTER에 연결되어 있는지 확인 SLAVE 쪽으론 Traffic이 흐르지 않음. 2018-09-21

enable esrp vlan <name> Enables ESRP on a VLAN disable esrp vlan <name> Disables ESRP on a VLAN config vlan <vlan name> esrp priority <value> Configures the ESRP priority. The range is 0 to 255. The higher number has higher priority. The default setting is 0. config vlan <vlan name> esrp timer <hello_timer> Configures the time between ESRP updates. The range is 1 to 255 seconds. The default setting is 2 seconds. The timer setting must be configured identically for the VLAN across all participating switches. Hello_timer is a protocol show esrp <vlan name> <all> <cr> 2018-09-21

ESRP ELECTION ALGORITHMS(1) 다섯가지의 master 선정방식중 한가지를 설정할 수 있다. 각각의 election algorithms에 대한 선정 기준에 대한 설명이다. 이 방식의 설정은 i chip에서만 가능하다. config vlan <name> esrp election-algorithm <tab> • ports_track_priority_mac — Active ports, tracking information, ESRP riority, MAC address (Default) • track_ports_priority_mac — Tracking information, active ports, ESRP riority, MAC address • priority_ports_track_mac — ESRP priority, active ports, tracking information, • priority_track_ports_mac — ESRP priority, tracking information, active ports, • priority_mac_only — ESRP priority, MAC address 2018-09-21

ESRP ELECTION ALGORITHMS(2) config vlan <name> add track-ping <ipaddress> frequency <seconds> miss <number> 지정된 ip로 ping을 쳐서 응답이 없으면 master가 될 수 없다. config vlan <name> add track-route <ipaddress>/<masklength> 지정된 track-route ipaddress에 대한 route가 없으면 master가 될 수 없다. config vlan <name> add track-vlan <vlan_tracked> 지정된 vlan이 active되지 안으면 master가 될 수 없다. config vlan <name> delete track-ping <ipaddress> frequency <seconds> miss <number> config vlan <name> delete track-route <ipaddress>/<masklength> config vlan <name> delete track-vlan <vlan_tracked> 2018-09-21

ESRP SETTING(2) – ESRP host mode ESRP에서는 host mode를 지원한다. 특정하게 정해진 port로는 ESRP slave에서도 통신이 가능하게 하는 방법이다. Server에서 dual link가 지원되어 한 port는 active이고 다른 port가 slave로 사용 가능한 경우 매우 유용하다. config esrp port-mode [host | normal] ports 여기서 port-mode를 host로 설정해 주어야 한다. 각 server가 active / backup를 지원하는 lan card를 장착하였을 경우 사용 A-server의 active한 쪽이 fail 된다 하더라도 esrp master slave가 바뀌면 안된다. 이런경우 ESRP slave쪽으로 A-server가 통신을 할 수 있어야 한다. Config esrp port-mode host ports를 해주면 A-server도 backup port를 이용하여 slave ESRP쪽을 통해서 통신이 가능하다. active standby ESRP master ESRP slave A B C D E 2018-09-21

기본적인 명령어들 장비의 Configuration을 삭제하는 방법 Summit48:8 # Unconfigure switch all 위와 같은 명령을 내리면 장비가 Configuration을 지운 후 재 부팅 함. 설정된 것이 아니라 새로 만들려는 항목들에 대한 명령어 순서는 대부분이 Create  config 순서로 이루어 진다. Create vlan name Config vlan name 등등의 형식 기존에 가지고 있는 항목들은 대개 enable , disable로 처리된다. Enable route sharing Enable ipforwording 설정에 대해 지우고 싶을때는 delete 혹은 config name delete등의 형식으로 이루어 진다. Delete vlan name Delete account 등의 형태를 가진다. 2018-09-21

기본적인 명령어들 장비에 image 또는 Bootrom을 upgrade 하는 방법 Image upgrage Summit48:19 # download image 100.100.100.100 s4119b2.Z secondary tftp서버 주소 image 명 primary 또는 secondary Summit48:33 # use image secondary 다음 부팅 부턴 secondary에 있는 image를 사용 Summit48:34 # reboot 장비 재 부팅 Bootrom upgrade Summit48:33 # download bootrom 100.100.100.100 sboot_1_9.bin 2018-09-21

기본적인 명령어들 Configuration을 secondary에 저장한 후 다음 부팅부터 secondary에 있는 Configuraton을 사용 Summit48:2 # save configuration secondary Summit48:3 # use configuration secondary Upgrage 후 BlackDiamond에 장착되어 있는 두개의 MSM모듈을 동기화 시킨다. BlackDiamond에서 A Slot에 있는 모든 image와 configuration을 B Slot에 복사 BlackDiamond:1 # synchronize  2018-09-21

기본적인 명령어들 다른 장비와 연결된 port가 제대로 동작하는지 확인 Summit48:8 # Sh port stats   Port Statistics Tue Jan 16 11:44:57 2001 Port Link Tx Pkt Tx Byte Rx Pkt Rx Byte Rx Rx Status Count Count Count Count Bcast Mcast ============================================================== 1 ACTIVE 2085 469123 88528 12187150 43295 44841 2 READY 0 0 0 0 0 0 3 READY 0 0 0 0 0 0 4 READY 0 0 0 0 0 0 5 READY 0 0 0 0 0 0 6 READY 0 0 0 0 0 0 7 READY 0 0 0 0 0 0 8 READY 0 0 0 0 0 0 9 READY 0 0 0 0 0 0 10 READY 0 0 0 0 0 0 ================================================================ 0->Clear Counters U->page up D->page down ESC->exit 2018-09-21

기본적인 명령어들 Interface가 10M 인지 100M인지 또는 auto로 configuration 되어 있는지 확인 Summit48:5 # sh ports info Information for port 1: Port state: enabled Link state: active Port diagnostic: pass Configured Duplex mode: auto Actual Duplex Mode: half Configured speed: auto Actual Speed: 10 Link up 1 time(s) Link down 1 time(s) Media type: UTP Has redundant port: no Summit Link disabled Extreme Discovery Protocol: enabled Qos Monitor: disabled Load sharing is not enabled MAC Learning: enabled VLAN information: Default(untagged) Vlan Id: 1 2018-09-21

기본적인 명령어들 Protocol: Vlan Default Priority: 0 type: EtherType value: ffff Qos Profile: None configured Queue to Qos Profile Mapping: Q0: QP1 MinBw 0, MaxBw 100, Pri Low Q1: QP2 MinBw 0, MaxBw 100, Pri Normal Q2: QP3 MinBw 0, MaxBw 100, Pri Medium Q3: QP4 MinBw 0, MaxBw 100, Pri High 만약 port의 상태를 바꾸고자 한다면 다음과 같은 방법을 사용하면 됨. Summit48:21 # configure ports 4 auto off speed 100 duplex full Summit48:22 # configure ports 4 auto off duplex full speed 100  위 2개의 명령어는4번 port를 강재적으로 100 full로 잡는 방법이다. Summit48:23 # configure ports 4 auto on 4번 port를 auto로 잡는 방법임. 2018-09-21

기본적인 명령어들 Port들의 사용율을 체크 할 때 사용. ( spacebar를 사용해 다른 정보들도 볼 수 있음.) Summit48:6 # sh port utilization   Link Utilization Averages Tue Jan 16 11:47:08 2001 Port Link Receive Peak Rx Transmit Peak Transmit Status packet/sec pkt/sec pkt/sec pkt/sec ================================================================ 1 ACTIVE 2 7 0 5 2 READY 0 0 0 0 3 READY 0 0 0 0 4 READY 0 0 0 0 5 READY 0 0 0 0 6 READY 0 0 0 0 7 READY 0 0 0 0 8 READY 0 0 0 0 9 READY 0 0 0 0 10 READY 0 0 0 0 spacebar->toggle screen U->page up D->page down ESC->exit 2018-09-21

기본적인 명령어들 장비에 관한 대략적인 정보를 볼 수 있음. Summit48:14 # sh switch sysName: Summit48 sysLocation: sysContact: support@extremenetworks.com, +1 888 257 3000 System MAC: 00:01:30:6f:cf:00 License: Full L3. Qos Mode: Ingress System Mode: 802.1Q EtherType is 8100. PACE disabled. Jumbo disabled. Current time: Tue Jan 16 15:40:00 2001 Timezone: GMT Offset: 0 minutes, DST is not in effect. Auto DST check: Enabled Boot time: Mon Jan 15 16:24:33 2001 Next reboot: None scheduled Timed upload: None scheduled Temperature: 25C. All fans are operational. 장비의 온도는 0 – 40도를 유지 Power supply: Primary OK, RPS not present 하는 것 이 좋다. 2018-09-21

기본적인 명령어들 Software image selected: primary Software image booted: primary Primary software version: 4.1.19b2 Secondary software version: 4.1.19b2 Configuration selected: primary Configuration booted: primary Primary configuration: 444520 bytes saved on Mon Jan 15 16:22:14 2001 Secondary configuration: Empty 2018-09-21

기본적인 명령어들 enable mirroring to <port> 장비가 사용하고 있는 Boot image와 image를 확인 Summit48:15 # sh ver System ID: 800013-14-0037M02655 Board ID: 700015-11-0037M00694 Left Board ID: 700016-10-0036M00614 Right Board ID: -- Image : Extremeware Version 4.1.19 (Build 2) by Release_Master Wed 08/09/200 0 6:09p BootROM : 1.9 Mirroring 방법 enable mirroring to <port> Example: enable mirroring to port 3 config mirroring add/del ports vlan <vlan name> <hex octet> disable mirroring show mirroring * Summit3:8 # sh mir Mirror port: 3 is up 2018-09-21

기본적인 명령어들 장비의 log를 확인하는 방법 (장비 이상 유무 확인) Summit48:24 # sh log 01/16/2001 16:40.27 <INFO:SYST> Port 1 link down 01/16/2001 16:40.25 <INFO:SYST> serial admin: conf port 1 auto off speed 100 du fu 01/16/2001 16:04.27 <INFO:SYST> User admin logged out from telnet (211.116.235.2 05) 01/16/2001 15:25.15 <INFO:USER> admin logged in through telnet (211.116.235.205) 01/16/2001 14:11.09 <INFO:SYST> User admin logged out from telnet (211.116.235.2 01/16/2001 14:09.16 <INFO:USER> admin logged in through telnet (211.116.235.205) 01/16/2001 11:49.56 <INFO:SYST> serial admin: sh management 01/16/2001 11:43.36 <INFO:USER> admin logged in through console 장비에 시간을 세팅하는 방법(log 확인시 시간 표시) Summit48:6 # configure time 1 / 17 / 2001 09 : 54 : 00 2018-09-21

Sharing (= trunking) Sharing은 cisco의 fast ether channel과 foundrynetworks의 trunk와 동일한 의미이다. 두개의 물리적 포트를 하나의 포트처럼 사용가능하게 하는 방법이다. 100M 이상의 트래픽이 몰리는 구간에 두개의 port를 연결하고 그 포트를 sharing 하면 200M로 사용할 수 있다. * Summit48:1 # enable sharing 45 grouping 45 – 46 Enable sharing <시작port> grouping <시작port> - <끝port> Fast ethernet 4port 까지 가능 ( 800M) 2018-09-21

Spanning Trees Default switch configuration contains one STPD called “s0” By default, spanning tree is disabled on s0 Once the STPD is created, one or more VLANs can be assigned to it Spanning Trees have VLANs as members VLANs are assigned to STPDs All VLANs are automatically made members of “s0” You cannot delete a VLAN from “s0”, however, you can add it to another STPD Default switch configuration contains one STPD called “s0” By default, spanning tree is disabled on s0 Once the STPD is created, one or more VLANs can be assigned to it Spanning Trees have VLANs as members VLANs are assigned to STPDs All VLANs are automatically made members of “s0” You cannot delete a VLAN from “s0”, however, you can add it to another STPD ********************************************************************* One default STP called “s0” Spanning Trees have VLANs as members -- VLANs are assigned to STPDs You cannot delete a VLAN from “s0”, but you can add it to another STPD 2018-09-21

STP Configuration CLI Commands create/delete stpd enable/disable stpd enable/disable stpd port config stpd add vlan config stpd priority config stpd port cost config stpd port priority config stpd hellotime config stpd forwarddelay config stpd maxage unconfig stpd show stpd show stpd port enable ignore-stp vlan <name> In the current release of ExtremeWare, the following are the Spanning Tree Command Line Interface (CLI) commands that can be used. create/delete stpd enable/disable stpd enable/disable stpd port config stpd add vlan config stpd priority config stpd port cost config stpd port priority config stpd hellotime config stpd forwarddelay config stpd maxage unconfig stpd show stpd show stpd port 2018-09-21

create stpd <stpd_name> delete stpd <stpd_name> CLI Command create stpd <stpd_name> delete stpd <stpd_name> Creates an STPD. When created, an STPD has the following default parameters: Bridge priority — 32,768 Hello time — 2 seconds Forward delay — 15 seconds enable stpd <stpd_name> disable stpd <stpd_name> The default setting is disabled 2018-09-21

CLI Command enable stpd <stpd_name> port <portlist> disable stpd <stpd_name> port <portlist> The default setting is enabled config stpd <stpd_name> add vlan <name> config stpd <stpd_name> priority <value> The range is 0 through 65,535. The default setting is 32,768 2018-09-21

CLI Command config stpd <stpd_name> port cost <value> <portlist> For a 10Mbps port, the default cost is 100. For a 100Mbps port, the default cost is 19. For a 1000Mbps port, the default cost is 4. config stpd <stpd_name> port priority <value> <portlist> The range is 0 through 255. The default setting is 128 2018-09-21

CLI Command config stpd <stpd_name> hellotime <value> The hellotime default setting is 2 seconds config stpd <stpd_name> forwarddelay <value> The range is 4 through 30. The default setting is 15 seconds. config stpd <stpd_name> maxage <value> The default setting is 20 seconds. unconfig stpd <stpd_name> 2018-09-21

CLI Command - show stpd show stpd {<stpd_name>} } Displays STP information for one or all STP domains. Stpd: s0 Stp: ENABLED Number of Ports: 3 Ports: 16,17,22 Vlans: Default red blue Bridge Priority: 32768 BridgeID: 80:00:00:e0:2b:03:eb:00 Designated root: 80:00:00:e0:2b:03:18:00 RootPathCost: 4 MaxAge: 20s HelloTime: 2s ForwardDelay: 15s CfgBrMaxAge: 20s CfgBrHelloTime: 2s CfgBrForwardDelay: 15s Topology Change Time: 35s Hold time: 1s Topology Change Detected: FALSE Topology Change: TRUE Number of Topology Changes: 0 Time Since Last Topology Change: 9s } If this matches, then this is the ROOT Bridge Show stpd command displays the following information: STPD name Bridge ID STPD configuration information If the Bridge ID and the Designated Root matches, then this switch is the root Bridge. 2018-09-21

CLI Command - show stpd port show stpd {<stpd_name>} port <portlist> Displays the STP state of a port. * Summit24:6 # show stpd s0 port 1 Stpd: s0 Port: 1 PortId: 8001 Stp: ENABLED Path Cost: 100 Port State: FORWARDING Topology Change Ack: FALSE Port Priority: 128 Designated Root: 00:00:00:00:00:00:00:00 Designated Cost: 0 Designated Bridge: 00:00:00:00:00:00:00:00 Designated Port Id: 0 Press <SPACE> to continue or <Q> to quit: To display the STP state of a port, use the following command: show stpd <stpd_name> port <portllist> This command displays the following: STPD port configuration STPD state (Root Bridge, and so on) STPD port state (forwarding, blocking, and so on) 2018-09-21

SLB (Server Load Balancing) i칩이 들어간 모든 장비에서 지원한다.( submit1i, submit5i, submit7i, blackdiamond등) Server Loadbalancing을 위해서는 다음과 같은 구성요소가 필요하다. Node – 실제 동작을 하는 real server를 말함 Pools – Node(real server)들을 하나의 Group으로 설정 VIP – Virtual IP (사용자가 접속하는 ip address) 위의 세가지 구성요소로 이루어 진다. Server Load Balancing 동작 방식에 따라 다음과 같은 4가지 mode를 지원한다. GO GO 가장 빠른속도의 방법이지만 서버들의 mac과 ip를 동일하게 해주어야함. Transparent hardware로 처리 되므로 빠른 응답, 서버에 loopback설치 필요(권장) Translational 일반적인 L4 switch가 동작되는것과 같음 cpu로 처리됨 Port Translational 가장 늦은 방법, port변환을 해야함 2018-09-21

SLB (Server Load Balancing) Server Load Balancing Algorithms: Round Robin : 순차적으로 한번씩 보냄 Ratio : 서버의 성능에 따라서 비율을 준다. Priority Least Connections : 보낸지 가장 오래된 서버로 보냄 Server Load Balancing 에서 주의점 - Server vlan과 client가 들어오는 vlan이 반드시 나누어져야 한다. Extreme에서는 L3 라우팅이 일어날 때 slb가 이루어 지므로 반드시 vlan이 분리되어야 한다. - Vip는 server vlan이나 또는 client vlan 어느 쪽에 있어도 무방하다. - Health check는 ping-check, L4-port check, service check중 하나를 선택한다. 2018-09-21

SLB (Server Load Balancing) 2018-09-21

SLB (Server Load Balancing) Server Load Balancing mode에서 transparent mode를 사용할 경우 - NT Server에서 loopback interface 설정 방법 NT서버에서 Loopback interface설정은 제어판 -> 새하드웨어 추가설치 -> 네트웍어뎁터 -> microsoft -> Loopback interface로 하면 된다. Loopback interface는 하나만을 설정하고 그 이상의 추가 설치는 하지 않는다 부득이 추가할 경우에는 advanced tab을 이용하여 추가 한다. - Linux & UNIX에서의 Loopback interface 설정 Ifconfig lo:0 <ipaddress> netmask <255.255.255.255> up Make sure that it has the correct default route (netstat –rn) look for 0.0.0.0 If not, add one, Route add default gw <gateway ip> Transparent Mode를 사용할 경우 반드시 Loopback interface address는 Extremenetwork장비의 Vip(virtual ip)로 설정해야 한다. 2018-09-21

SLB (Server Load Balancing) Create slb pool <poolname> {slb-method [ round-robin | ratio| priority| least-connections]} Poolname은 유일해야 하며 기억하기 쉬운 것으로 임의 설정을 한다. SLB-method는 round-robin, ratio, priority, and lest-connections중 하나를 선택한다. Show slb pool Show slb pool detail Show slb node Enable slb node <ipaddress> ping-check Enable slb node <ipaddress> port <port> port-check config slb pool <poolname> add <ipaddress>:<L4Port> {ratio <ratio> |priority <priority>}  SLB pool에다가 node를 추가시키는 명령어. Create slb vip <vipname> pool <poolname> mode [transparent | translation | port-translation] <ipaddress> {- <upper_ipaddress>} {port <L4Port>} Enable slb vip Disable slb vip Show slb vip detail Show slb vip 2018-09-21

SLB (Server Load Balancing) 인터넷 Public network 200.200.200.0/24 Private network 100.100.100.0/24 2 3 100.100.100.2 Port http 100.100.100.3 100.100.100.4 Port ftp 100.100.100.5 1 Client 2018-09-21

SLB (Server Load Balancing) Configuration guide 두개의 vlan으로 나눈다. ( public network과 private network으로 나눈다.) Slb pool을 두개를 만든다 ( httppool, ftppool) - httppool은 node로 100.100.100.2와 100.100.100.3을 갖는다. - ftppool은 node로 100.100.100.4와 100.100.100.5를 갖는다. Vip를 두개를 만든다. ( public network, private network에 각각 하나씩 만든다.) - public network(200.200.200.1)에 만드는 경우는 vip는 public ip를 갖고 real server는 private network에 존재 - private network(100.100.100.6)에 만드는 경우는 nat를 해주는 장비(firewall등등)가 있는 경우 Transparent mode 로 설정하려면 real server에서 loopback address를 vip로 지정해 줘야만 한다. 2018-09-21

SLB (Server Load Balancing) configuration create vlan svlan create vlan cvlan conf svlan add port 1:1-1:10 conf cvlan add port 1:11-1:20 conf svlan ipadd 100.100.100.1/24 conf cvlan ipadd 200.200.200.2/24 enable ipforwarding (vlan을 생성하면 반드시 해주어야 한다.) create slb pool httppool lb-method round conf slb pool httppool add 100.100.100.2 : 80 conf slb pool httppool add 100.100.100.3 : 80 create slb pool ftppool lb-method least conf slb pool ftppool add 100.100.100.4 : ftp conf slb pool ftppool add 100.100.100.5 : ftp create slb vip pubvip pool httppool mode translational 200.200.200.1 : http create slb vip privip pool ftppool mode transparent 100.100.100.6 : ftp enable slb config vlan svlan slb-type server (svlan을 server vlan으로 선언) config vlan cvlan slb-type client (cvlan을 client vlan으로 선언) enable slb node all tcp-port-check (health check를 L4-port까지 check) 2018-09-21

SLB (Server Load Balancing) PING-CHECK Ping-check is Layer 3 based pinging of the physical node. The default ping frequency is one ping generated to the node each 10 seconds. If the node does not respond to any ping within a timeout period of 30 seconds (3 ping intervals), then the node is considered down. PING-CHECK COMMANDS To enable ping-check, use this command: enable slb node <ipaddress> ping-check To disable ping-check, use this command: disable slb node <ipaddress> ping-check 2018-09-21

SLB (Server Load Balancing) TCP-PORT-CHECK TCP-port-check is Layer 4 based TCP port open/close testing of the physical node. The default frequency is 30 seconds and the default timeout is 90 seconds. Port-checking is useful when a node passes ping-checks, but a required TCP service (for example, httpd) has gone down. If the httpd daemon running on TCP port 80 crashed, that would cause a layer 4 port-check on port 80 to fail, because no TCP socket could be opened to that port. If this continues for the duration of the specified port-check timeout, the IP/port combination is considered down. TCP-PORT-CHECK COMMANDS To enable tcp-port-check, use this command: enable slb node <ipaddress>:<L4Port> tcp-port-check To disable tcp-port-check, use this command: disable slb node <ipaddress>:{<L4Port> | all} tcp-port-check 2018-09-21

SLB (Server Load Balancing) SERVICE-CHECK Service-check is Layer 7 based application-dependent checking defined on a VIP. Service-checking is performed on each node in the pool with which this VIP is associated. The default frequency is 60 seconds and the default timeout is 180 seconds. Each service check has associated parameters that you can set. These parameters are described in Table 1 7-3. If the service-check parameters are not specified on an individual node or VIP, the global default values for these parameters are used. The global service-check defaults themselves are configurable, so if you use the same value in many cases, change the global defaults accordingly. In the case of HTTP service-checking, the URL of the Web page to be retrieved, such as “/index.html”, can be specified. A match-string that is expected to be in the retrieved Web page can be specified, such as “Welcome”. If the match-string is found in the first 1,000 bytes of the retrieved Web page, the service-check passes on the particular node. A match-string specified as keyword any-content will match any retrieved text. However, to distinguish valid data in the retrieved text from error text, specifying an actual string to match is suggested. For FTP, Telnet, and POP3 service-check attempts to log on and off the application on the server using the specified userid and password. 2018-09-21

SLB (Server Load Balancing) SERVICE-CHECK COMMANDS To enable service-check, use this command: enable slb vip [<vipname> | all] service-check To disable service-check, use this command: disable slb vip [<vipname> | all] service-check Service-Check Parameters Service Attribute Global Default Value HTTP URL “/” Match-string Any-content FTP Userid “anonymous” Password “anonymous” Telnet Userid “anonymous” SMTP Dns-domain Same as the switch DNS domain. If no DNS domain is configured for the switch, the value is ““. NNTP Newsgroup “ebusiness” POP3 Userid “anonymous” Password “anonymous” 2018-09-21

Flow-redirection (WCR) WEB CACHE REDIRECTION (WCR) Flow redirection은 source, destination, L4-port를 가지고 redirection할 수 있다. IP source address and mask IP destination address and mask Layer 4 port Cache server와 연동해서 TCS(transparent cache switching)을 지원 PBR(policy base routing)을 지원 source ip를 가지고 Destination router를 설정하는 기술 2018-09-21

Flow-redirection (WCR) create flow-redirection <flow_policy> [tcp |udp] destination {<ipaddress/mask> | any]ip-port [<L4Port> | any] source[<ipaddress/mask> | any] config flow-redirection <flow_policy> add next-hop <ipaddress> config flow-redirection <flow_policy> delete next-hop <ipaddress> delete flow-redirection <flow_policy> show flow-redirection config <flow-policy> service-check ping config <flow -policy > service-check L4-port config <flow -policy > service-check http url “/test.htm” match-string “pass” 2018-09-21

Flow-redirection (WCR) CLIENT VLAN 10.10.10.1/24 INTERNET VLAN 10.10.30.1/24 INTERNET 10.10.20.1/24 10.10.20.10/24 , 10.10.20.11/24 CACHE SERVER VLAN 2018-09-21

Flow-redirection (WCR) create vlan client config vlan client add port 1 config vlan client ipaddress 10.10.10.1/24 create vlan cache config vlan cache add port 2 config vlan cache ipaddress 10.10.20.1/24 create vlan internet config vlan internet add port 3 config vlan internet ipaddress 10.10.30.1/24 enable ipforwarding create flow-redirection wcr tcp destination any ip-port 80 source any config flow-redirection wcr add next-hop 10.10.20.10 (CACHE SERVER ADDRESS) config flow-redirection wcr add next-hop 10.10.20.11 (CACHE SERVER ADDRESS) config flow-redirection wcr service-check L4-port 2018-09-21

Access-list Access lists packet filtering 기능 Access policy Routing access policies routing 정보를 advertisement or recognition하는 것을 filtering Route maps Route maps are used to modify or filter routes redistributed into BGP. 2018-09-21

Access-list USING IP ACCESS LISTS Extremenetwork에서 제공하는 access-list는 inbound로만 설정이 가능하다. 즉 어떤 packet이 들어오면 access-list 항목과 비교하여 일치되는 것이 있으면 적용이 된다. ASIC으로 구성되어 CPU에 전혀 부하를 주지 않는다. 동일 VLAN에서도 원하는 port에만 적용 가능하다. Default로 all permit됨 ACCESS LIST적용시 PACKET이 들어올 때와 이에 대한 응답을 줄때 적용이 되는지 안되는지 잘 확인해야 한다. Precedence값으로 ACCESS LIST 적용 순서를 바꿀 수 있다. Create ACCESS LIST하면 바로 적용이 된다. ACCESS LISTS 구성요소 • IP source address and mask • IP destination address and mask • TCP or UDP source port range • TCP or UDP destination port range • Physical source port • Precedence number (optional) 2018-09-21

Access-list ACCESS LIST RULL COMMAND IP LAVEL로 설정할 경우 (CISCO STANDARD ACCESS LIST) create access-list <name> ip destination [<dst_ipaddress>/<dst_mask> | any] source [<src_ipaddress>/<src_mask> | any] [permit<qosprofile> | deny] ports [<portlist> | any]{precedence <precedence_num>} {log} create access-list denyall ip destination any source any deny ports any TCP LAVEL로 설정할 경우 (CISCO EXTENDED ACCESS LIST) create access-list <name> tcp destination[<dst_ipaddress>/<dst_mask> | any] ip-port [<dst_port> | range <dst_port_min><dst_port_max> | any] source[<src_ipaddress>/<src_mask> | any] ip-port[<src_port> | range <src_port_min><src_port_max> | any] [permit <qosprofile> |permit-established | deny] ports [<portlist> |any] {precedence <precedence_num>} {log} create access-list tcp1 tcp destination 10.10.20.100/32 ip any source 10.10.10.100/32 ip any permit qp1 ports any precedence 20 create access-list tcp2 tcp destination 10.10.10.100/32 ip any source 10.10.20.100/32 ip any permit qp1 ports any precedence 21 2018-09-21

Access-list create access-list <name> udp destination[<dst_ipaddress>/<dst_mask> | any] ip-port [<dst_port> | range <dst_port_min><dst_port_max> | any] source[<src_ipaddress>/<src_mask> | any] ip-port[<src_port> | range <src_port_min><src_port_max> | any] [permit <qosprofile> |deny] ports [<portlist> | any] {precedence<precedence_num>} {log} ICMP에 대한 ACCESS LIST 적용 create access-list icmp destination[<dest_ipaddress>/<mask> | any] source [<src_ipaddress>/<source_mask> | any] type<icmp_type> code <icmp_code> [permit |deny] {<portlist>} {log} create access-list denyping icmp destination any source any type 8 code 0 deny ports any delete access-list <name> disable access-list <name> counter enable access-list <name> counter show access-list {<name> | ports <portlist>} Displays access-list information. show access-list-fdb show access-list-monitor 2018-09-21

Access-list X X X X Requirement: 10.1.0.1/24 10.2.0.1/24 10.3.0.1/24 10.4.0.1/24 X X X X Requirement: 1. Deny UDP port 23 traffic to 10.2.0.0/24 2. Deny TCP port 23 traffic to 10.2.0.0/24 3. Deny TCP port 23 traffic from 10.3.0.0/24 4. Permit traffic of 10.2.0.0/24 to QP3 2018-09-21

Access-list create access-list deny102_43 udp destination 10.2.0.0/24 ip-port 23 source any ip-port any deny ports any precedence 10 create access-list deny102_23 tcp destination 10.2.0.0/24 ip-port 23 source any ip-port any deny ports any precedence 20 create access-list deny103_23 tcp destination any ip-port 23 source 10.3.0.0/24 ip-port any deny ports any precedence 30 create access-list perm102d tcp destination 10.2.0.0/24 ip-port any source any ip-port any permit qosprofile qp3 ports any precedence 40 create access-list permit102s tcp destination any ip-port any source 10.2.0.0/24 ip-port any permit qosprofile qp3 ports any precedence 45 2018-09-21

Access profile 설정 장비에 대한 보안을 위해 특정한 client만 접속을 허용하기 위해서 사용한다. create access-profile <access-profile> type ipadress conf access-profile <access-profile> mode [permit | deny | none] conf access-profile <access-profile> add [<seq_number>] [permit | deny] [vlan <name> | ipaddress <ipaddress> <mask> {exact}] enable telnet {access-profile [<access-profile> | none ]} {port <tcp-port-number>} 2018-09-21

Access profile 설정 X Requirement: 10.1.0.1/24 10.2.0.1/24 10.3.0.1/24 10.4.0.1/24 10.1.0.10/24 X Requirement: 1. Only PC (10.1.0.10) can telnet to the 10.1.0.1 i/f 2018-09-21

Access profile 설정 create access-profile perm_telnet type ipaddress conf access-profile perm_telnet add ipa 10.1.10.10/32 (access profile에 client ipaddress를 추가시킴) conf access-profile perm_telnet mode permit (access-profile의 mode를 permit or deny를 설정함) enable telnet access-profile perm_telnet (telnet service에 access-profile을 적용시킴) Note: the access-profile can apply to snmp, web and ssh2. 2018-09-21

Static routing 정보 를 Alpine에 보내기 위해 redistiribute을 설정 해야 함. OSPF 예제 구성 OSPF AREA 20.20.20.0 OSPF Default G/W  OSPF OSPF OSPF  Default G/W 10.10.10.2 30.30.30.2 40.40.40.2 40.40.40.1 10.10.10.1 20.20.20.1 20.20.20.2 30.30.30.1 Static routing 정보 를 Alpine에 보내기 위해 redistiribute을 설정 해야 함. 2018-09-21

OSPF Alpine 설정 과정 * Alpine3804:2 # config default dele port all * Alpine3804:3 # creat vlan vlan10 * Alpine3804:4 # creat vlan vlan20 * Alpine3804:5 # config vlan10 add port 1:1 - 1:10 * Alpine3804:6 # config vlan20 add port 1:11 - 1:20 * Alpine3804:7 # config vlan10 ipadd 10.10 .10.10.1/24 IP interface for VLAN vlan10 has been created. IP address = 10.10.10.1, Netmask = 255.255.255.0. * Alpine3804:8 # config vlan20 ipadd 20.20.20.1/24 IP interface for VLAN vlan20 has been created. IP address = 20.20.20.1, Netmask = 255.255.255.0. 2018-09-21

OSPF * Alpine3804:9 # enable ipforward OSPF를 설정 하기 전에 꼭 실행 * Alpine3804:10 # enable ospf OSPF 프로토콜을 ENABLE 시킴 * Alpine3804:11 # creat ospf area 20.20.20.0 OSPF AREA 생성 * Alpine3804:12 # config ospf add vlan vlan10 area 20.20.20.0 VLAN에 OSPF를 * Alpine3804:13 # config ospf add vlan vlan20 area 20.20.20.0 구동 시킴 * Alpine3804:21 # sh vlan Name VID Protocol Addr Flags Proto Super Ports Default 0001 0.0.0.0 /BP -----f----- ANY 0/ 0 MacVlanDis 4095 ------------------ ----- ANY 0/ 0 Mgmt 4094 ------------------ ----- ANY 0/ 1 vlan10 4093 10.10.10.1 /24 -----f--o-- ANY 1/ 10 VLAN에 OSPF가 동작한다는 표시 vlan20 4092 20.20.20.1 /24 -----f--o-- ANY 1/ 10 2018-09-21

OSPF * Alpine3804:24 # sh ipr OR Destination Gateway Mtr Flags Use M-Use VLAN Acct-1 *d 20.20.20.0/24 20.20.20.1 1 U------u- 25 0 vlan20 0 *d 10.10.10.0/24 10.10.10.1 1 U------u- 305 0 vlan10 0 *oa 30.30.30.0/24 20.20.20.2 10 UG-----um 8 0 vlan20 0 *d 127.0.0.1/8 127.0.0.1 0 U-H----um 0 0 Default 0 *o2 Default Route 20.20.20.2 1 UG-----um 68 0 vlan20 0 2018-09-21

OSPF * Alpine3804:22 # sh ospf area detail Area: 0.0.0.0 (0) Type: Normal Router Id: 20.20.20.1 Spf Runs: 10 Num ABR: 0 Num ASBR: 0 Num LSA: 0 LSA Chksum:0x0 Interfaces: IP addr Ospf State DR IP addr BDR IP addr Inter-Area route Filter: None External route Filter: None Configured Address Ranges: 2018-09-21

OSPF Area: 20.20.20.0 (336860160) Type: Normal Router Id: 20.20.20.1 Spf Runs: 10 Num ABR: 0 Num ASBR: 1 Num LSA: 3 LSA Chksum:0x1a13d Interfaces: IP addr Ospf State DR IP addr BDR IP addr 20.20.20.1 /24 E BDR 20.20.20.2 20.20.20.1 10.10.10.1 /24 E DR 10.10.10.1 0.0.0.0 Inter-Area route Filter: None External route Filter: None Configured Address Ranges: 2018-09-21

OSPF BLACKDIAMOND 설정 과정 * MSM64:3 # config default dele port all * MSM64:4 # creat vlan vlan20 * MSM64:5 # creat vlan vlan30 * MSM64:6 # config vlan20 add port 2:1 1 - 2:10 * MSM64:7 # CO config vlan30 add port 2:11 - 2:20 * MSM64:8 # config vlan20 ipadd 20.20.20.2/24 IP interface for VLAN vlan20 has been created. IP address = 20.20.20.2, Netmask = 255.255.255.0. * MSM64:9 # configvlan vlan30 ipadd 30.30.30.1/24 IP interface for VLAN vlan30 has been created. IP address = 30.30.30.1, Netmask = 255.255.255.0. 2018-09-21

OSPF * MSM64:10 # en ipf * MSM64:11 # enable ospf * MSM64:12 # creat ospf area 20.20.20.0 * MSM64:13 # config ospf add vlan vlan20 area 20.20.20.0 * MSM64:14 # config ospf add vlan vlan30 area 20.20.20.0 * MSM64:15 # config iproute add default 30.30.30.2 Summit 장비로 넘어가기 위한 라우팅 * MSM64:16 # enable ospf export static cost 1 type ase-type-1 static 정보를 동일 OSPF AREA extreme의 redistribute or ase-type-2 로 넘김 * MSM64:36 # sh vlan Name VID Protocol Addr Flags Proto Super Ports Default 0001 0.0.0.0 /BP -----f----- ANY 0/ 0 MacVlanDis 4095 ------------------ ----- ANY 0/ 0 Mgmt 4094 ------------------ ----- ANY 0/ 1 vlan20 4093 20.20.20.2 /24 -----f--o-- ANY 1/ 10 vlan30 4092 30.30.30.1 /24 -----f--o-- ANY 1/ 10 2018-09-21

OSPF * MSM64:51 # sh iproute Destination Gateway Mtr Flags Use M-Use VLAN Origin *20.20.20.0/24 20.20.20.2 1 U u 17 0 vlan20 Direct *10.10.10.0/24 20.20.20.1 10 UG um 62 0 vlan20 OSPFIntra *30.30.30.0/24 30.30.30.1 1 U u 17 0 vlan30 Direct *127.0.0.1/8 127.0.0.1 0 U H um 0 0 Default Direct *Default Route 30.30.30.2 1 UG S um 84 0 vlan30 Static 2018-09-21

OSPF * MSM64:37 # sh ospf area detail Area: 0.0.0.0 (0) Type: Normal Router Id: 30.30.30.1 Spf Runs: 7 Num ABR: 0 Num ASBR: 0 Num LSA: 0 LSA Chksum:0x0 Interfaces: IP addr Ospf State DR IP addr BDR IP addr Inter-Area route Filter: None External route Filter: None Configured Address Ranges: 2018-09-21

OSPF Area: 20.20.20.0 (336860160) Type: Normal Router Id: 30.30.30.1 Spf Runs: 7 Num ABR: 0 Num ASBR: 0 Num LSA: 3 LSA Chksum:0x20c4d Interfaces: IP addr Ospf State DR IP addr BDR IP addr 30.30.30.1 /24 E DOWN 0.0.0.0 0.0.0.0 20.20.20.2 /24 E DR 20.20.20.2 20.20.20.1 Inter-Area route Filter: None External route Filter: None Configured Address Ranges: 2018-09-21

OSPF SUMMIT 48 설정 과정 * Summit48:2 # config default dele port all * Summit48:3 # creat vlan vlan30 * Summit48:4 # creat vlan vlan40 * Summit48:5 # confgig vlan30 add port 1-10 * Summit48:6 # config vlan40 add port 11-20 * Summit48:7 # config vlan30 ipadd 30.30.30.2/24 IP interface for VLAN vlan30 has been created. IP address = 30.30.30.2, Netmask = 255.255.255.0. * Summit48:8 # config vlan40 ipadd 40.40.40.1/24 IP interface for VLAN vlan40 has been created. IP address = 40.40.40.1, Netmask = 255.255.255.0. * Summit48:9 # en ipforward * Summit48:10 # config iproute add default 30.30.30.1 다른 네트웍으로 넘어가기 위한 라우팅 2018-09-21

OSPF Summit 장비는 sh vlan 하면 detail하게 나오기 때문에 ospf에 관한 정보를 못 봄. * Summit48:22 # sh ipr Destination Gateway Mtr Flags Use VLAN Origin 30.30.30.0/24 30.30.30.2 1 U 132 vlan30 Direct 40.40.40.0/24 40.40.40.1 1 U 198 vlan40 Direct 127.0.0.1/8 127.0.0.1 0 U H 0 Default Direct Default Route 30.30.30.1 1 UG M 170 vlan30 Static 2018-09-21