Extreme Training Material (Extreme 교육 자료), 2018-09-21. Presentation transcript.

1 Extreme Training Material

2 Contents
1. Account setup
2. Creating and removing VLANs
3. Static routing
4. ESRP
5. Basic commands
6. Sharing (= trunking)
7. Spanning tree protocol
8. SLB
9. Flow redirection (WCR)
10. Access-list
11. OSPF

3 Account setup
Example #1
Summit48:1 > create account
Next possible completions:
admin user          (admin is read/write, user is read only)
Summit48:1 > create account admin <name>
Summit48:1 > create account admin testadmin encrypted <cr> <password>
Summit48:1 > create account admin testadmin testpassword <cr>
Summit48:1 > delete account testadmin

4 Changing a password
* Summit48:1 # conf account testadmin <tab>
Next possible completions: encrypted <name> <cr>
* Summit48:1 # conf account testadmin <enter>
password:
Reenter password:

5 VLAN SETTING(1)
By default every port belongs to the Default VLAN. Remove these ports first.
Summit48:1 # sh vlan
VLAN Interface[0-fdf] with name "Default" created by user
Tagging: Q Tag 1
IP: Waiting for bootp reply.
IPX: Not configured
STPD: Domain "s0" is not running spanning tree protocol
Protocol: Match all unfiltered protocols.
Qos Profile: QP1
Ports: (Number of active port=0)
Untag: 50

6 VLAN SETTING(2)
Summit48:2 # config default delete port all
Summit48:3 # sh vlan
VLAN Interface[0-fdf] with name "Default" created by user
Tagging: Q Tag 1
IP: Waiting for bootp reply.
IPX: Not configured
STPD: Domain "s0" is not running spanning tree protocol
Protocol: Match all unfiltered protocols.
Qos Profile: QP1
Ports: (Number of active port=0)

7 VLAN SETTING(3)
*Caution: create the VLAN with the create command.
Summit48:4 # creat vlan test
Add ports to the VLAN you created.
Summit48:5 # config vlan test add port 1 - 4
On a BlackDiamond the ports must be added in the form 1:1 - 1:4 (module number:port number).
Assign an IP address to the VLAN.
Summit48:6 # config vlan test ipadd /24
IP interface for VLAN locus-inside has been created.
IP address = , Netmask =
To change the VLAN's IP address, repeat the command above with only the IP address changed.
*Caution: if there are several VLANs, run
* Summit48:14 # enable ipforwarding
each time you create a VLAN so that traffic can flow between the VLANs.

8 VLAN SETTING(4)
Summit48:7 # sh vlan
VLAN Interface[0-fdf] with name "Default" created by user
Tagging: Q Tag 1
IP: Waiting for bootp reply.
IPX: Not configured
STPD: Domain "s0" is not running spanning tree protocol
Protocol: Match all unfiltered protocols.
Qos Profile: QP1
Ports: (Number of active port=0)
VLAN Interface[1-fdc] with name "test" created by user
Tagging: Untagged (Internal tag 4095)
IP: /
Ports: (Number of active port=0)
Untag:

9 VLAN SETTING(5)
BlackDiamond:9 # sh vlan
Name        VID  Protocol Addr  Flags        Proto  Super  Ports
Default                   /BP    f            ANY           /145
MacVlanDis                                    ANY           / 0
Mgmt                                          ANY           / 1
trunk                     /      f--o--       ANY           / 1
backbone                  /      f--o--       ANY           / 1
loop-back                 /32    -L---f--o--  ANY           / 0
neowiz                    /      f--o--       ANY           / 2
cckvan                    /      M----f--o--  ANY           / 2
itventure                 /30    M----f--o--  ANY           / 2
test                      /      M----f--o--  ANY           / 2
backbone                  /      f--o--       ANY           / 1
Flags : M=ESRP Master, E=ESRP Slave, G=GVRP Enabled, L=Loopback Enabled
        S=SuperVlan, s=SubVlan, R=SubVLAN IP Range Configured
        C=Domain-masterVlan, c=Domain-memberVlan
        f=IP Forwarding Enabled, m=IPmc Forwarding Enabled
        r=RIP Enabled, o=OSPF Enabled, p=PIM Enabled, d=DVMRP Enabled
        R=IPX RIP Enabled, P=IPX SAP Enabled
        N=GNS Reply Enabled, 2=IPX Type 20 Forwarding Enabled

10 Default Gateway SETTING
Summit48:17 # config iproute add default
Summit48:18 # sh iproute
Destination    Gateway  Mtr  Flags  Use  VLAN     Origin
/                                        test     Direct
/                                        test1    Direct
/                            U H         Default  Direct
Default Route                G M         test     Static
Total number of routes = 4.
Mask distribution:
    1 default routes        routes at length 8
    2 routes at length 24
Route origin distribution:
    3 routes from Direct    routes from Static

11 STATIC ROUTING SETTING
Summit48:20 # config iproute add destination address next hop
Summit48:21 # sh iproute
Destination    Gateway  Mtr  Flags  Use  VLAN     Origin
/                                        test     Direct
/                            G M         test1    Static
/                                        test1    Direct
/                            U H         Default  Direct
Default Route                G M         test     Static
Total number of routes = 5.
Mask distribution:
    1 default routes        routes at length 8
    3 routes at length 24
Route origin distribution:
    3 routes from Direct    routes from Static

12 Removing static routes and iproute sharing
Summit48:20 # config iproute delete
If there are two or more static routes to the same destination, they can be used round-robin. To use them at the same time rather than as a backup, use the following commands:
* Summit48:10 # enable iproute sharing
* Summit48:11 # show iprou
Destination    Gateway  Mtr  Flags  Use  VLAN     Origin
/                            U           global   Direct
/                            U           test1    Direct
/                            UG M        global   Static
/                            UG M        test1    Static
/                            U H         Default  Direct
Default Route                UG M        global   Static

13 ESRP SETTING(1)
ESRP, like Cisco's HSRP and Foundry Networks' FSRP, provides L3 redundancy and at the same time L2 blocking like spanning tree. In other words, it provides both default gateway backup and link backup.
The VLAN IP addresses on the MASTER and SLAVE sides are configured identically.
(Diagram: ESRP SLAVE / ESRP MASTER)
If traffic does not flow to some device, check whether that device is currently connected to the MASTER: no traffic flows through the SLAVE side.

14 ESRP commands
enable esrp vlan <name>
    Enables ESRP on a VLAN
disable esrp vlan <name>
    Disables ESRP on a VLAN
config vlan <vlan name> esrp priority <value>
    Configures the ESRP priority. The range is 0 to 255. The higher number has higher priority. The default setting is 0.
config vlan <vlan name> esrp timer <hello_timer>
    Configures the time between ESRP updates. The range is 1 to 255 seconds. The default setting is 2 seconds. The timer setting must be configured identically for the VLAN across all participating switches. Hello_timer is a protocol
show esrp <vlan name> <all> <cr>

15 ESRP ELECTION ALGORITHMS(1)
One of five master election methods can be configured. The selection criteria of each election algorithm are listed below. This setting is only available on i-chip based devices.
config vlan <name> esrp election-algorithm <tab>
• ports_track_priority_mac — Active ports, tracking information, ESRP priority, MAC address (Default)
• track_ports_priority_mac — Tracking information, active ports, ESRP priority, MAC address
• priority_ports_track_mac — ESRP priority, active ports, tracking information,
• priority_track_ports_mac — ESRP priority, tracking information, active ports,
• priority_mac_only — ESRP priority, MAC address

16 ESRP ELECTION ALGORITHMS(2)
config vlan <name> add track-ping <ipaddress> frequency <seconds> miss <number>
    Pings the given IP address; if there is no reply, the switch cannot become master.
config vlan <name> add track-route <ipaddress>/<masklength>
    If there is no route to the given track-route address, the switch cannot become master.
config vlan <name> add track-vlan <vlan_tracked>
    If the given VLAN is not active, the switch cannot become master.
config vlan <name> delete track-ping <ipaddress> frequency <seconds> miss <number>
config vlan <name> delete track-route <ipaddress>/<masklength>
config vlan <name> delete track-vlan <vlan_tracked>
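Added example (not from the training deck): a small Python model of the five election orderings on the previous slide together with the tracking rules above, so the effect of changing the algorithm or of a failed track-ping can be tried out before touching a switch. It assumes that a switch with any failed track-ping, track-route or track-vlan is excluded from the election (the deck says it "cannot become master"), that the numerically higher system MAC wins the final tie-break, and the switch names and MAC addresses are constructed.

```python
"""ESRP master election, modelled from the five election algorithms above."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Criteria in the order each algorithm compares them (higher value wins
# at each step; the next criterion is only consulted on a tie).
ELECTION_ALGORITHMS = {
    "ports_track_priority_mac": ("ports", "track", "priority", "mac"),  # default
    "track_ports_priority_mac": ("track", "ports", "priority", "mac"),
    "priority_ports_track_mac": ("priority", "ports", "track", "mac"),
    "priority_track_ports_mac": ("priority", "track", "ports", "mac"),
    "priority_mac_only": ("priority", "mac"),
}


@dataclass
class EsrpSwitch:
    name: str
    mac: str                      # system MAC, e.g. "00:01:30:6f:cf:00"
    priority: int = 0             # 0..255, default 0, higher wins
    active_ports: int = 0
    track_ping_ok: bool = True    # result of track-ping
    track_route_ok: bool = True   # result of track-route
    track_vlan_ok: bool = True    # result of track-vlan

    def tracking_ok(self) -> bool:
        return self.track_ping_ok and self.track_route_ok and self.track_vlan_ok

    def election_key(self, algorithm: str) -> tuple:
        if not 0 <= self.priority <= 255:
            raise ValueError("ESRP priority must be 0..255")
        values = {
            "ports": self.active_ports,
            "track": 1 if self.tracking_ok() else 0,
            "priority": self.priority,
            # Assumption: the numerically higher MAC wins the final tie-break.
            "mac": int(self.mac.replace(":", ""), 16),
        }
        return tuple(values[c] for c in ELECTION_ALGORITHMS[algorithm])


def elect_master(switches: Iterable[EsrpSwitch],
                 algorithm: str = "ports_track_priority_mac") -> Optional[str]:
    """Return the name of the switch that becomes ESRP master, or None."""
    # The deck states that a switch whose track-ping, track-route or
    # track-vlan fails cannot become master, so it is excluded outright.
    eligible = [s for s in switches if s.tracking_ok()]
    if not eligible:
        return None
    return max(eligible, key=lambda s: s.election_key(algorithm)).name


if __name__ == "__main__":
    # Constructed sample: two switches on the same ESRP VLAN.
    a = EsrpSwitch("switch-A", "00:01:30:00:00:0a", priority=0, active_ports=10)
    b = EsrpSwitch("switch-B", "00:01:30:00:00:0b", priority=100, active_ports=8)
    for alg in ELECTION_ALGORITHMS:
        print(f"{alg:28s} -> master {elect_master([a, b], alg)}")
```

With the default algorithm the switch with more active ports wins even though its priority is 0, which is why the deck warns that priority alone does not decide the election unless a priority-first algorithm is configured.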

17 ESRP SETTING(2) – ESRP host mode
ESRP supports a host mode. It allows communication through the ESRP slave on specific designated ports. This is very useful when a server has dual links, with one port active and the other usable as a standby.
config esrp port-mode [host | normal] ports
Here the port-mode must be set to host. Use it when each server has a LAN card that supports active/backup.
Even if the active side of server A fails, the ESRP master/slave roles must not change. In that case server A must be able to communicate through the ESRP slave. With config esrp port-mode host ports, server A can also communicate through the slave ESRP switch using its backup port.
(Diagram: active / standby links, ESRP master / ESRP slave, servers A B C D E)

18 Basic commands
How to erase the device's configuration:
Summit48:8 # Unconfigure switch all
This command erases the configuration and then reboots the device.
For items that are newly created rather than already configured, the command order is mostly create -> config:
Create vlan name
Config vlan name
and so on. Items that already exist are generally handled with enable / disable:
Enable route sharing
Enable ipforwarding
To remove a setting, the form is delete or config name delete:
Delete vlan name
Delete account

19 Basic commands
How to upgrade the device's image or bootrom.
Image upgrade
Summit48:19 # download image s4119b2.Z secondary
    (arguments: tftp server address, image name, primary or secondary)
Summit48:33 # use image secondary
    From the next boot the image in secondary is used.
Summit48:34 # reboot
    Reboots the device.
Bootrom upgrade
Summit48:33 # download bootrom sboot_1_9.bin

20 Basic commands
Save the configuration to secondary and use the secondary configuration from the next boot:
Summit48:2 # save configuration secondary
Summit48:3 # use configuration secondary
After an upgrade, synchronize the two MSM modules installed in a BlackDiamond. This copies every image and configuration from slot A to slot B:
BlackDiamond:1 # synchronize

21 Basic commands
Checking that a port connected to another device is working properly:
Summit48:8 # Sh port stats
Port Statistics                                    Tue Jan 16 11:44:
Port  Link    Tx Pkt  Tx Byte  Rx Pkt  Rx Byte  Rx     Rx
      Status  Count   Count    Count   Count    Bcast  Mcast
==============================================================
      ACTIVE
      READY
      READY
      READY
      READY
      READY
      READY
      READY
      READY
      READY
================================================================
0->Clear Counters  U->page up  D->page down  ESC->exit

22 Basic commands
Checking whether an interface is configured as 10M, 100M or auto:
Summit48:5 # sh ports info
Information for port 1:
Port state: enabled
Link state: active
Port diagnostic: pass
Configured Duplex mode: auto
Actual Duplex Mode: half
Configured speed: auto
Actual Speed: 10
Link up 1 time(s)
Link down 1 time(s)
Media type: UTP
Has redundant port: no
Summit Link disabled
Extreme Discovery Protocol: enabled
Qos Monitor: disabled
Load sharing is not enabled
MAC Learning: enabled
VLAN information:
Default(untagged) Vlan Id: 1

23 Basic commands
Protocol: Vlan Default Priority: 0 type: EtherType value: ffff
Qos Profile: None configured
Queue to Qos Profile Mapping:
Q0: QP1 MinBw 0, MaxBw 100, Pri Low
Q1: QP2 MinBw 0, MaxBw 100, Pri Normal
Q2: QP3 MinBw 0, MaxBw 100, Pri Medium
Q3: QP4 MinBw 0, MaxBw 100, Pri High
To change a port's settings, use the following:
Summit48:21 # configure ports 4 auto off speed 100 duplex full
Summit48:22 # configure ports 4 auto off duplex full speed 100
The two commands above both force port 4 to 100 Mbps full duplex.
Summit48:23 # configure ports 4 auto on
This sets port 4 back to auto-negotiation.

24 Basic commands
Used to check port utilization. (Press the spacebar to see the other screens.)
Summit48:6 # sh port utilization
Link Utilization Averages                          Tue Jan 16 11:47:
Port  Link    Receive     Peak Rx   Transmit  Peak Transmit
      Status  packet/sec  pkt/sec   pkt/sec   pkt/sec
================================================================
      ACTIVE
      READY
      READY
      READY
      READY
      READY
      READY
      READY
      READY
      READY
spacebar->toggle screen  U->page up  D->page down  ESC->exit

25 Basic commands
Shows general information about the device.
Summit48:14 # sh switch
sysName: Summit48
sysLocation:
sysContact:
System MAC: :01:30:6f:cf:00
License: Full L3.
Qos Mode: Ingress
System Mode: Q EtherType is
PACE disabled.
Jumbo disabled.
Current time: Tue Jan 16 15:40:
Timezone: GMT Offset: 0 minutes, DST is not in effect.
Auto DST check: Enabled
Boot time: Mon Jan 15 16:24:
Next reboot: None scheduled
Timed upload: None scheduled
Temperature: 25C. All fans are operational.     (The device temperature should be kept between 0 and 40 degrees.)
Power supply: Primary OK, RPS not present

26 Basic commands
Software image selected: primary
Software image booted: primary
Primary software version: b2
Secondary software version: b2
Configuration selected: primary
Configuration booted: primary
Primary configuration: bytes saved on Mon Jan 15 16:22:
Secondary configuration: Empty

27 Basic commands
Checking the boot image and software image the device is using:
Summit48:15 # sh ver
System ID: M02655
Board ID: M00694
Left Board ID: M00614
Right Board ID: --
Image : Extremeware Version (Build 2) by Release_Master Wed 08/09/2000 6:09p
BootROM : 1.9
Mirroring
enable mirroring to <port>
    Example: enable mirroring to port 3
config mirroring add/del ports vlan <vlan name> <hex octet>
disable mirroring
show mirroring
* Summit3:8 # sh mir
Mirror port: 3 is up

28 Basic commands
Checking the device log (to see whether anything is wrong with the device):
Summit48:24 # sh log
01/16/ :40.27 <INFO:SYST> Port 1 link down
01/16/ :40.25 <INFO:SYST> serial admin: conf port 1 auto off speed 100 du fu
01/16/ :04.27 <INFO:SYST> User admin logged out from telnet ( 05)
01/16/ :25.15 <INFO:USER> admin logged in through telnet ( )
01/16/ :11.09 <INFO:SYST> User admin logged out from telnet (
01/16/ :09.16 <INFO:USER> admin logged in through telnet ( )
01/16/ :49.56 <INFO:SYST> serial admin: sh management
01/16/ :43.36 <INFO:USER> admin logged in through console
Setting the time on the device (so that log entries show the correct time):
Summit48:6 # configure time 1 / 17 / : 54 : 00

29 Sharing (= trunking)
Sharing has the same meaning as Cisco's Fast EtherChannel and Foundry Networks' trunk. It is a way to use two physical ports as if they were one port. Where more than 100M of traffic is concentrated, connect two ports and share them to get 200M.
* Summit48:1 # enable sharing 45 grouping 45 - 46
Enable sharing <first port> grouping <first port> - <last port>
Up to 4 Fast Ethernet ports can be shared (800M).

30 Spanning Trees
Default switch configuration contains one STPD called "s0"
By default, spanning tree is disabled on s0
Once the STPD is created, one or more VLANs can be assigned to it
Spanning Trees have VLANs as members
VLANs are assigned to STPDs
All VLANs are automatically made members of "s0"
You cannot delete a VLAN from "s0", however, you can add it to another STPD

31 STP Configuration CLI Commands
In the current release of ExtremeWare, the following Spanning Tree Command Line Interface (CLI) commands can be used:
create/delete stpd
enable/disable stpd
enable/disable stpd port
config stpd add vlan
config stpd priority
config stpd port cost
config stpd port priority
config stpd hellotime
config stpd forwarddelay
config stpd maxage
unconfig stpd
show stpd
show stpd port
enable ignore-stp vlan <name>

32 CLI Command
create stpd <stpd_name>
delete stpd <stpd_name>
    Creates an STPD. When created, an STPD has the following default parameters:
    Bridge priority — 32,768
    Hello time — 2 seconds
    Forward delay — 15 seconds
enable stpd <stpd_name>
disable stpd <stpd_name>
    The default setting is disabled.

33 CLI Command
enable stpd <stpd_name> port <portlist>
disable stpd <stpd_name> port <portlist>
    The default setting is enabled.
config stpd <stpd_name> add vlan <name>
config stpd <stpd_name> priority <value>
    The range is 0 through 65,535. The default setting is 32,768.

34 CLI Command
config stpd <stpd_name> port cost <value> <portlist>
    For a 10Mbps port, the default cost is 100. For a 100Mbps port, the default cost is 19. For a 1000Mbps port, the default cost is 4.
config stpd <stpd_name> port priority <value> <portlist>
    The range is 0 through 255. The default setting is 128.

35 CLI Command
config stpd <stpd_name> hellotime <value>
    The hellotime default setting is 2 seconds.
config stpd <stpd_name> forwarddelay <value>
    The range is 4 through 30. The default setting is 15 seconds.
config stpd <stpd_name> maxage <value>
    The default setting is 20 seconds.
unconfig stpd <stpd_name>

36 CLI Command - show stpd
show stpd {<stpd_name>}
Displays STP information for one or all STP domains.
Stpd: s  Stp: ENABLED  Number of Ports: 3
Ports: 16,17,22
Vlans: Default red blue
Bridge Priority: 32768  BridgeID: :00:00:e0:2b:03:eb:00
Designated root: :00:00:e0:2b:03:18:00      <- If this matches the BridgeID, then this is the ROOT Bridge
RootPathCost: 4  MaxAge: 20s  HelloTime: 2s  ForwardDelay: 15s
CfgBrMaxAge: 20s  CfgBrHelloTime: 2s  CfgBrForwardDelay: 15s
Topology Change Time: 35s  Hold time: 1s
Topology Change Detected: FALSE  Topology Change: TRUE
Number of Topology Changes: 0
Time Since Last Topology Change: 9s
The show stpd command displays the following information:
STPD name
Bridge ID
STPD configuration information
If the Bridge ID and the Designated Root match, then this switch is the root bridge.

37 CLI Command - show stpd port
show stpd {<stpd_name>} port <portlist>
Displays the STP state of a port.
* Summit24:6 # show stpd s0 port 1
Stpd: s  Port: 1  PortId:  Stp: ENABLED  Path Cost: 100
Port State: FORWARDING  Topology Change Ack: FALSE
Port Priority: 128
Designated Root: 00:00:00:00:00:00:00:  Designated Cost: 0
Designated Bridge: 00:00:00:00:00:00:00:  Designated Port Id: 0
Press <SPACE> to continue or <Q> to quit:
To display the STP state of a port, use the following command:
show stpd <stpd_name> port <portlist>
This command displays the following:
STPD port configuration
STPD state (Root Bridge, and so on)
STPD port state (forwarding, blocking, and so on)
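Added example (not from the training deck): a Python parser for the `show stpd` layout shown on the two slides above, applying the deck's rule that the switch is the root bridge exactly when its Bridge ID equals the Designated root. The sample output is constructed in the slide's layout; the bridge IDs in it are placeholders, not values from the deck, and the field names in FIELDS are this example's own.

```python
"""Parse `show stpd` output and decide whether this switch is the root bridge."""
import re
from typing import Dict

# Constructed sample in the layout shown on the slide; the IDs are placeholders.
SAMPLE_SHOW_STPD = """\
Stpd: s0 Stp: ENABLED Number of Ports: 3
Ports: 16,17,22
Vlans: Default red blue
Bridge Priority: 32768 BridgeID: 80:00:00:e0:2b:03:eb:00
Designated root: 80:00:00:e0:2b:03:18:00
RootPathCost: 4 MaxAge: 20s HelloTime: 2s ForwardDelay: 15s
CfgBrMaxAge: 20s CfgBrHelloTime: 2s CfgBrForwardDelay: 15s
Topology Change Detected: FALSE Topology Change: TRUE
Number of Topology Changes: 0 Time Since Last Topology Change: 9s
"""

# Regular expressions for the fields worth checking; keys are this example's own names.
FIELDS = {
    "stpd": r"Stpd:\s*(\S+)",
    "stp": r"Stp:\s*(\S+)",
    "bridge_priority": r"Bridge Priority:\s*(\d+)",
    "bridge_id": r"BridgeID:\s*([0-9a-f:]+)",
    "designated_root": r"Designated root:\s*([0-9a-f:]+)",
    "root_path_cost": r"RootPathCost:\s*(\d+)",
    "topology_changes": r"Number of Topology Changes:\s*(\d+)",
}


def parse_show_stpd(text: str) -> Dict[str, str]:
    """Extract the fields listed in FIELDS; fields absent from the text are left out."""
    info = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text, re.IGNORECASE)
        if match:
            info[key] = match.group(1)
    return info


def is_root_bridge(info: Dict[str, str]) -> bool:
    """The deck's rule: root bridge iff Bridge ID equals Designated root."""
    return ("bridge_id" in info and "designated_root" in info
            and info["bridge_id"].lower() == info["designated_root"].lower())


def root_path_cost(info: Dict[str, str]) -> int:
    """Cost to the root; 0 on the root bridge itself, or when the field is missing."""
    return int(info.get("root_path_cost", 0))


if __name__ == "__main__":
    parsed = parse_show_stpd(SAMPLE_SHOW_STPD)
    print(parsed)
    print("root bridge:", is_root_bridge(parsed), "path cost:", root_path_cost(parsed))
```

Running the parser over the output collected from each switch in an STPD makes it easy to confirm that the intended switch (and no unexpected one) is the root, which is a quick consistency check after changing bridge priorities.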

38 SLB (Server Load Balancing)
Supported on every device with an i-chip (Summit1i, Summit5i, Summit7i, BlackDiamond, etc.).
Server load balancing needs the following components:
Node – the real server that actually does the work
Pools – a group of nodes (real servers)
VIP – Virtual IP (the IP address that users connect to)
It consists of these three components.
Four modes are supported, depending on how the server load balancing operates:
GO GO – the fastest method, but the servers must share the same MAC and IP.
Transparent – handled in hardware, so responses are fast; a loopback must be installed on the servers (recommended).
Translational – works like an ordinary L4 switch; handled by the CPU.
Port Translational – the slowest method; ports must be translated.

39 SLB (Server Load Balancing)
Server Load Balancing Algorithms:
Round Robin : sends to each server in turn
Ratio : weights the servers according to their capacity
Priority
Least Connections : sends to the server that has gone longest without being sent traffic
Points to note for server load balancing:
- The server VLAN and the VLAN that clients come in on must be separate. On Extreme, SLB takes place when L3 routing occurs, so the VLANs must be separated.
- The VIP may be on either the server VLAN or the client VLAN.
- For health checking, choose one of ping-check, L4-port check or service check.

40 SLB (Server Load Balancing)

41 SLB (Server Load Balancing)
When using transparent mode for server load balancing:
- Configuring a loopback interface on an NT server
On an NT server, configure the loopback interface via Control Panel -> Add New Hardware -> Network adapter -> Microsoft -> Loopback interface. Configure only one loopback interface and do not install additional ones; if you must add more, use the advanced tab.
- Configuring a loopback interface on Linux & UNIX
ifconfig lo:0 <ipaddress> netmask < > up
Make sure that it has the correct default route (netstat -rn); look for the default route. If there is none, add one:
route add default gw <gateway ip>
When using transparent mode, the loopback interface address must be set to the Extreme Networks device's VIP (virtual IP).

42 SLB (Server Load Balancing)
create slb pool <poolname> {slb-method [round-robin | ratio | priority | least-connections]}
    The pool name must be unique; choose something easy to remember. slb-method is one of round-robin, ratio, priority and least-connections.
show slb pool
show slb pool detail
show slb node
enable slb node <ipaddress> ping-check
enable slb node <ipaddress> port <port> port-check
config slb pool <poolname> add <ipaddress>:<L4Port> {ratio <ratio> | priority <priority>}
    Adds a node to the SLB pool.
create slb vip <vipname> pool <poolname> mode [transparent | translation | port-translation] <ipaddress> {- <upper_ipaddress>} {port <L4Port>}
enable slb vip
disable slb vip
show slb vip detail
show slb vip

43 SLB (Server Load Balancing)
(Diagram: Internet; Client; Public network /24; Private network /24; switch ports 1, 2 and 3; HTTP server; FTP server)

44 SLB (Server Load Balancing)
Configuration guide
Split into two VLANs (a public network and a private network).
Create two SLB pools (httppool, ftppool):
- httppool has nodes  and  .
- ftppool has nodes  and  .
Create two VIPs (one each on the public network and the private network):
- When created on the public network ( ), the VIP has a public IP and the real servers are on the private network.
- When created on the private network ( ), there is a device doing NAT (a firewall, etc.) in front.
To configure transparent mode, the loopback address on each real server must be set to the VIP.

45 SLB (Server Load Balancing)
configuration
create vlan svlan
create vlan cvlan
conf svlan add port 1:1-1:10
conf cvlan add port 1:11-1:20
conf svlan ipadd /24
conf cvlan ipadd /24
enable ipforwarding                       (must be done whenever a VLAN is created)
create slb pool httppool lb-method round
conf slb pool httppool add : 80
conf slb pool httppool add : 80
create slb pool ftppool lb-method least
conf slb pool ftppool add : ftp
conf slb pool ftppool add : ftp
create slb vip pubvip pool httppool mode translational : http
create slb vip privip pool ftppool mode transparent : ftp
enable slb
config vlan svlan slb-type server         (declare svlan as the server VLAN)
config vlan cvlan slb-type client         (declare cvlan as the client VLAN)
enable slb node all tcp-port-check        (health check down to the L4 port)

46 SLB (Server Load Balancing)
PING-CHECK
Ping-check is Layer 3 based pinging of the physical node. The default ping frequency is one ping generated to the node each 10 seconds. If the node does not respond to any ping within a timeout period of 30 seconds (3 ping intervals), then the node is considered down.
PING-CHECK COMMANDS
To enable ping-check, use this command:
enable slb node <ipaddress> ping-check
To disable ping-check, use this command:
disable slb node <ipaddress> ping-check

47 SLB (Server Load Balancing)
TCP-PORT-CHECK
TCP-port-check is Layer 4 based TCP port open/close testing of the physical node. The default frequency is 30 seconds and the default timeout is 90 seconds.
Port-checking is useful when a node passes ping-checks, but a required TCP service (for example, httpd) has gone down. If the httpd daemon running on TCP port 80 crashed, that would cause a layer 4 port-check on port 80 to fail, because no TCP socket could be opened to that port. If this continues for the duration of the specified port-check timeout, the IP/port combination is considered down.
TCP-PORT-CHECK COMMANDS
To enable tcp-port-check, use this command:
enable slb node <ipaddress>:<L4Port> tcp-port-check
To disable tcp-port-check, use this command:
disable slb node <ipaddress>:{<L4Port> | all} tcp-port-check

48 SLB (Server Load Balancing)
SERVICE-CHECK
Service-check is Layer 7 based application-dependent checking defined on a VIP. Service-checking is performed on each node in the pool with which this VIP is associated. The default frequency is 60 seconds and the default timeout is 180 seconds.
Each service check has associated parameters that you can set. These parameters are described in Table. If the service-check parameters are not specified on an individual node or VIP, the global default values for these parameters are used. The global service-check defaults themselves are configurable, so if you use the same value in many cases, change the global defaults accordingly.
In the case of HTTP service-checking, the URL of the Web page to be retrieved, such as "/index.html", can be specified. A match-string that is expected to be in the retrieved Web page can be specified, such as "Welcome". If the match-string is found in the first 1,000 bytes of the retrieved Web page, the service-check passes on the particular node. A match-string specified as keyword any-content will match any retrieved text. However, to distinguish valid data in the retrieved text from error text, specifying an actual string to match is suggested.
For FTP, Telnet, and POP3, the service-check attempts to log on and off the application on the server using the specified userid and password.

49 SLB (Server Load Balancing)
SERVICE-CHECK COMMANDS
To enable service-check, use this command:
enable slb vip [<vipname> | all] service-check
To disable service-check, use this command:
disable slb vip [<vipname> | all] service-check
Service-Check Parameters
Service  Attribute     Global Default Value
HTTP     URL           "/"
         Match-string  Any-content
FTP      Userid        "anonymous"
         Password      "anonymous"
Telnet   Userid        "anonymous"
SMTP     Dns-domain    Same as the switch DNS domain. If no DNS domain is configured for the switch, the value is "".
NNTP     Newsgroup     "ebusiness"
POP      Userid        "anonymous"
         Password      "anonymous"
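Added example (not from the training deck): a Python model of the three health checks described on slides 46 to 49, using the deck's default timers (ping-check 10 s/30 s, tcp-port-check 30 s/90 s, service-check 60 s/180 s) and the HTTP match-string rule. It replays a constructed sequence of probe results to show when a node is declared down, and shows why the any-content default is weak: an error page passes it. The assumption that a node which has never answered since monitoring began counts as down is this example's own.

```python
"""Model of the SLB health checks described above: ping-check,
tcp-port-check and service-check, with the deck's default timers."""
from typing import List, Optional, Tuple

# (probe frequency, timeout) in seconds, as given on the slides.
CHECK_DEFAULTS = {
    "ping-check": (10, 30),
    "tcp-port-check": (30, 90),
    "service-check": (60, 180),
}


def health_timeline(check: str, probe_results: List[bool],
                    frequency: Optional[int] = None,
                    timeout: Optional[int] = None) -> List[Tuple[int, bool]]:
    """Replay a sequence of probe results for one node.

    Probe i runs at t = i * frequency. The node counts as up while some
    probe has succeeded within the last `timeout` seconds and as down once
    the timeout has elapsed without a success (e.g. 3 missed pings).
    Returns [(time, node_is_up), ...].
    """
    default_freq, default_timeout = CHECK_DEFAULTS[check]
    frequency = frequency or default_freq
    timeout = timeout or default_timeout
    last_success = None
    timeline = []
    for i, ok in enumerate(probe_results):
        now = i * frequency
        if ok:
            last_success = now
        # Assumption: a node that has never answered since monitoring began is down.
        up = last_success is not None and (now - last_success) < timeout
        timeline.append((now, up))
    return timeline


def http_service_check(body: bytes, match_string: str = "any-content") -> bool:
    """HTTP service-check on a retrieved page body.

    Passes when the match-string appears in the first 1,000 bytes of the
    page. The global default "any-content" accepts any retrieved text, so
    an error page would pass too: that is why the deck recommends a real
    match-string.
    """
    if match_string == "any-content":
        return len(body) > 0
    return match_string.encode() in body[:1000]


def node_usable(ping_up: bool, port_up: bool, service_up: bool) -> bool:
    """A node should receive traffic only when every enabled check reports up."""
    return ping_up and port_up and service_up


if __name__ == "__main__":
    # Constructed sample: the node answers the first ping, misses three, then recovers.
    for t, up in health_timeline("ping-check", [True, False, False, False, True]):
        print(f"t={t:3d}s ping-check {'UP' if up else 'DOWN'}")
    print(http_service_check(b"<html>Welcome</html>", "Welcome"))
    print(http_service_check(b"503 Service Unavailable"))   # any-content passes error text
```

The second timeline worth trying is a TCP-port-check where the port answers the first probe and then refuses connections: the node stays marked up for two more probes and is only declared down at 90 seconds, which is the window during which clients may still be sent to a dead service.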

50 Flow-redirection (WCR)
WEB CACHE REDIRECTION (WCR)
Flow redirection can redirect based on source, destination and L4 port:
IP source address and mask
IP destination address and mask
Layer 4 port
Supports TCS (transparent cache switching) in conjunction with a cache server.
Supports PBR (policy based routing): a technique that selects the destination router based on the source IP.

51 Flow-redirection (WCR)
create flow-redirection <flow_policy> [tcp | udp] destination [<ipaddress/mask> | any] ip-port [<L4Port> | any] source [<ipaddress/mask> | any]
config flow-redirection <flow_policy> add next-hop <ipaddress>
config flow-redirection <flow_policy> delete next-hop <ipaddress>
delete flow-redirection <flow_policy>
show flow-redirection
config <flow-policy> service-check ping
config <flow-policy> service-check L4-port
config <flow-policy> service-check http url "/test.htm" match-string "pass"

52 Flow-redirection (WCR)
(Diagram: CLIENT VLAN /24; INTERNET VLAN /24 connected to the INTERNET; CACHE SERVER VLAN /24 with two cache servers)

53 Flow-redirection (WCR)
create vlan client
config vlan client add port 1
config vlan client ipaddress /24
create vlan cache
config vlan cache add port 2
config vlan cache ipaddress /24
create vlan internet
config vlan internet add port 3
config vlan internet ipaddress /24
enable ipforwarding
create flow-redirection wcr tcp destination any ip-port 80 source any
config flow-redirection wcr add next-hop (CACHE SERVER ADDRESS)
config flow-redirection wcr add next-hop (CACHE SERVER ADDRESS)
config flow-redirection wcr service-check L4-port

54 Access-list
Access lists: packet filtering function
Access policy
Routing access policies: filter the advertisement or recognition of routing information
Route maps: Route maps are used to modify or filter routes redistributed into BGP.

55 Access-list USING IP ACCESS LISTS
The access lists provided by Extreme Networks can only be applied inbound. That is, when a packet arrives it is compared with the access-list entries and, if an entry matches, that entry is applied.
They are implemented in the ASIC and place no load at all on the CPU.
They can be applied only to selected ports even within the same VLAN.
The default is permit all.
When applying an access list, check carefully whether it applies to the incoming packet, to the reply to it, or both.
The order in which access lists are applied can be changed with the precedence value.
An access list takes effect as soon as it is created.
ACCESS LIST components
• IP source address and mask
• IP destination address and mask
• TCP or UDP source port range
• TCP or UDP destination port range
• Physical source port
• Precedence number (optional)

56 Access-list ACCESS LIST RULE COMMANDS
When configured at the IP level (like a Cisco standard access list):
create access-list <name> ip destination [<dst_ipaddress>/<dst_mask> | any] source [<src_ipaddress>/<src_mask> | any] [permit <qosprofile> | deny] ports [<portlist> | any] {precedence <precedence_num>} {log}
create access-list denyall ip destination any source any deny ports any
When configured at the TCP level (like a Cisco extended access list):
create access-list <name> tcp destination [<dst_ipaddress>/<dst_mask> | any] ip-port [<dst_port> | range <dst_port_min> <dst_port_max> | any] source [<src_ipaddress>/<src_mask> | any] ip-port [<src_port> | range <src_port_min> <src_port_max> | any] [permit <qosprofile> | permit-established | deny] ports [<portlist> | any] {precedence <precedence_num>} {log}
create access-list tcp1 tcp destination /32 ip any source /32 ip any permit qp1 ports any precedence 20
create access-list tcp2 tcp destination /32 ip any source /32 ip any permit qp1 ports any precedence 21

57 Access-list
create access-list <name> udp destination [<dst_ipaddress>/<dst_mask> | any] ip-port [<dst_port> | range <dst_port_min> <dst_port_max> | any] source [<src_ipaddress>/<src_mask> | any] ip-port [<src_port> | range <src_port_min> <src_port_max> | any] [permit <qosprofile> | deny] ports [<portlist> | any] {precedence <precedence_num>} {log}
Applying an access list to ICMP:
create access-list <name> icmp destination [<dest_ipaddress>/<mask> | any] source [<src_ipaddress>/<source_mask> | any] type <icmp_type> code <icmp_code> [permit | deny] {<portlist>} {log}
create access-list denyping icmp destination any source any type 8 code 0 deny ports any
delete access-list <name>
disable access-list <name> counter
enable access-list <name> counter
show access-list {<name> | ports <portlist>}
    Displays access-list information.
show access-list-fdb
show access-list-monitor

58 Access-list
(Diagram: four /24 networks; X marks show the blocked flows)
Requirement:
1. Deny UDP port 23 traffic to /24
2. Deny TCP port 23 traffic to /24
3. Deny TCP port 23 traffic from /24
4. Permit traffic of /24 to QP3

59 Access-list
create access-list deny102_43 udp destination /24 ip-port 23 source any ip-port any deny ports any precedence 10
create access-list deny102_23 tcp destination /24 ip-port 23 source any ip-port any deny ports any precedence 20
create access-list deny103_23 tcp destination any ip-port 23 source /24 ip-port any deny ports any precedence 30
create access-list perm102d tcp destination /24 ip-port any source any ip-port any permit qosprofile qp3 ports any precedence 40
create access-list permit102s tcp destination any ip-port any source /24 ip-port any permit qosprofile qp3 ports any precedence 45
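Added example (not from the training deck): a Python evaluator for the five access lists above, so the four requirements on slide 58 can be checked against sample packets, including the reply direction that slide 55 warns about (the lists are inbound only). The two /24 networks elided on the slides are replaced by constructed documentation ranges (192.0.2.0/24 for the "102" subnet, 198.51.100.0/24 for the "103" subnet). Two assumptions are this example's own: rules are evaluated in ascending precedence order with the first match winning, which is how the slide's deny rules are ordered ahead of its permit rules, and a packet that matches nothing is permitted, which the deck states as the default.

```python
"""Evaluator for the inbound ExtremeWare-style access lists above."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Net = Optional[ipaddress.IPv4Network]          # None means "any"
PortSpec = Union[None, int, Tuple[int, int]]   # None = any, single port, or (min, max) range


@dataclass(frozen=True)
class AccessList:
    name: str
    proto: str            # "ip" matches every protocol; otherwise "tcp" / "udp"
    dst: Net
    dst_port: PortSpec
    src: Net
    src_port: PortSpec
    action: str           # "permit" or "deny"
    qosprofile: Optional[str] = None
    precedence: int = 0


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def matches(rule: AccessList, pkt: Dict) -> bool:
    """True when an inbound packet matches every field of the rule."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt["dst"]) not in rule.dst:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt["src"]) not in rule.src:
        return False
    return _port_ok(rule.dst_port, pkt["dport"]) and _port_ok(rule.src_port, pkt["sport"])


def evaluate(rules: List[AccessList], pkt: Dict) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (action, qosprofile, name of the matching rule or None).

    Assumption: ascending precedence order, first match wins, and an
    unmatched packet is permitted (the deck's "default permit all").
    """
    for rule in sorted(rules, key=lambda r: r.precedence):
        if matches(rule, pkt):
            return rule.action, rule.qosprofile, rule.name
    return "permit", None, None


# Constructed subnets standing in for the two /24s elided on the slide.
NET_A = ipaddress.ip_network("192.0.2.0/24")      # the "102" subnet
NET_B = ipaddress.ip_network("198.51.100.0/24")   # the "103" subnet

# The five lists from slide 59, in the slide's order and with its precedence values.
RULES = [
    AccessList("deny102_43", "udp", NET_A, 23, None, None, "deny", precedence=10),
    AccessList("deny102_23", "tcp", NET_A, 23, None, None, "deny", precedence=20),
    AccessList("deny103_23", "tcp", None, 23, NET_B, None, "deny", precedence=30),
    AccessList("perm102d", "tcp", NET_A, None, None, None, "permit", "qp3", precedence=40),
    AccessList("permit102s", "tcp", None, None, NET_A, None, "permit", "qp3", precedence=45),
]


def packet(proto: str, src: str, sport: int, dst: str, dport: int) -> Dict:
    """Build a minimal inbound packet description."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    for p in [packet("udp", "203.0.113.9", 40000, "192.0.2.10", 23),
              packet("tcp", "198.51.100.5", 40000, "203.0.113.9", 23),
              packet("tcp", "203.0.113.9", 40000, "192.0.2.10", 80),
              packet("tcp", "192.0.2.10", 23, "203.0.113.9", 40000)]:
        print(p, "->", evaluate(RULES, p))
```

The last sample packet is the reply leg of a telnet session from the "102" subnet: because every rule keys on destination port 23 and the lists see only inbound traffic, the reply (source port 23) is matched by permit102s rather than by any deny rule, which is exactly the check slide 55 asks for.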

60 Access profile settings
Used to secure the device by allowing only specific clients to connect.
create access-profile <access-profile> type ipaddress
conf access-profile <access-profile> mode [permit | deny | none]
conf access-profile <access-profile> add [<seq_number>] [permit | deny] [vlan <name> | ipaddress <ipaddress> <mask> {exact}]
enable telnet {access-profile [<access-profile> | none]} {port <tcp-port-number>}

61 Access profile settings
(Diagram: five /24 networks; X marks the blocked telnet access)
Requirement:
1. Only PC ( ) can telnet to the i/f

62 Access profile settings
create access-profile perm_telnet type ipaddress
conf access-profile perm_telnet add ipa /32          (add the client IP address to the access profile)
conf access-profile perm_telnet mode permit          (set the access-profile mode to permit or deny)
enable telnet access-profile perm_telnet             (apply the access-profile to the telnet service)
Note: the access-profile can apply to snmp, web and ssh2.
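Added example (not from the training deck): a Python model of an ipaddress-type access-profile as used on slides 60 to 62, which checks which client addresses would be allowed to reach the telnet service and renders the create / conf / enable sequence from the slide. The PC address is constructed (192.0.2.50 stands in for the one elided on slide 61). Assumptions of this example: mode permit allows only listed addresses and mode deny refuses only listed addresses; mode none, per-entry permit/deny, vlan entries and the exact flag are not modelled.

```python
"""Model of an ipaddress-type access-profile applied to telnet, plus a
renderer for the CLI lines shown on the slide."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProfileEntry:
    network: ipaddress.IPv4Network
    seq: Optional[int] = None   # optional sequence number from the CLI syntax


@dataclass
class AccessProfile:
    name: str
    mode: str = "permit"        # "permit" or "deny" (mode "none" is not modelled here)
    entries: List[ProfileEntry] = field(default_factory=list)

    def add(self, cidr: str, seq: Optional[int] = None) -> "AccessProfile":
        """Add an ipaddress entry (CIDR form, as in the slide's 'add ipa /32')."""
        self.entries.append(ProfileEntry(ipaddress.ip_network(cidr), seq))
        return self

    def allows(self, client_ip: str) -> bool:
        """Assumption: mode permit admits only listed addresses; mode deny
        refuses listed addresses and admits everyone else."""
        ip = ipaddress.ip_address(client_ip)
        listed = any(ip in e.network for e in self.entries)
        if self.mode == "permit":
            return listed
        if self.mode == "deny":
            return not listed
        raise ValueError(f"unsupported mode {self.mode!r}")

    def cli(self, service: str = "telnet") -> List[str]:
        """Render the create / conf / enable sequence shown on the slide."""
        lines = [f"create access-profile {self.name} type ipaddress"]
        for e in self.entries:
            seq = f"{e.seq} " if e.seq is not None else ""
            lines.append(f"conf access-profile {self.name} add {seq}ipaddress "
                         f"{e.network.with_prefixlen}")
        lines.append(f"conf access-profile {self.name} mode {self.mode}")
        lines.append(f"enable {service} access-profile {self.name}")
        return lines


def build_perm_telnet(pc_ip: str) -> AccessProfile:
    """Slide 61's requirement: only one PC may telnet to the switch."""
    return AccessProfile("perm_telnet", "permit").add(f"{pc_ip}/32")


if __name__ == "__main__":
    # Constructed management PC address standing in for the one elided on the slide.
    profile = build_perm_telnet("192.0.2.50")
    print("\n".join(profile.cli()))
    for ip in ("192.0.2.50", "192.0.2.51"):
        print(ip, "allowed" if profile.allows(ip) else "refused")
```

Checking a profile against both the intended client and a neighbour on the same subnet before enabling it avoids the two common mistakes: a /24 where a /32 was meant, and the mode set to deny when permit was intended, which would lock out exactly the PC that was supposed to get in.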

63 OSPF example configuration
(Diagram: OSPF AREA; Default G/W -> OSPF -> OSPF -> OSPF -> Default G/W)
Redistribution must be configured to send the static routing information to the Alpine.

64 OSPF: Alpine configuration steps
* Alpine3804:2 # config default dele port all
* Alpine3804:3 # creat vlan vlan10
* Alpine3804:4 # creat vlan vlan20
* Alpine3804:5 # config vlan10 add port 1:1 - 1:10
* Alpine3804:6 # config vlan20 add port 1:11 - 1:20
* Alpine3804:7 # config vlan10 ipadd /24
IP interface for VLAN vlan10 has been created.
IP address = , Netmask =
* Alpine3804:8 # config vlan20 ipadd /24
IP interface for VLAN vlan20 has been created.
IP address = , Netmask =

65 OSPF
* Alpine3804:9 # enable ipforward                     (must be run before configuring OSPF)
* Alpine3804:10 # enable ospf                         (enable the OSPF protocol)
* Alpine3804:11 # creat ospf area                     (create the OSPF area)
* Alpine3804:12 # config ospf add vlan vlan10 area    (run OSPF on the VLANs)
* Alpine3804:13 # config ospf add vlan vlan20 area
* Alpine3804:21 # sh vlan
Name        VID  Protocol Addr  Flags    Proto  Super  Ports
Default                   /BP    f        ANY           / 0
MacVlanDis                                ANY           / 0
Mgmt                                      ANY           / 1
vlan                      /      f--o--   ANY           / 10     (the o flag shows OSPF is running on the VLAN)
vlan                      /      f--o--   ANY           / 10

66 OSPF
* Alpine3804:24 # sh ipr
OR   Destination    Gateway  Mtr  Flags      Use  M-Use  VLAN     Acct-1
*d   /                            U------u               vlan
*d   /                            U------u               vlan
*oa  /                            UG-----um              vlan
*d   /                            U-H----um              Default  0
*o2  Default Route                UG-----um              vlan

67 OSPF
* Alpine3804:22 # sh ospf area detail
Area:  (0)  Type: Normal  Router Id:
Spf Runs: 10  Num ABR: 0  Num ASBR: 0  Num LSA: 0  LSA Chksum:0x0
Interfaces:
IP addr   Ospf State   DR IP addr   BDR IP addr
Inter-Area route Filter: None
External route Filter: None
Configured Address Ranges:

68 OSPF
Area: 20.20.20.0 (336860160)  Type: Normal  Router Id: 20.20.20.1
Spf Runs: 10  Num ABR: 0  Num ASBR: 1  Num LSA: 3  LSA Chksum:0x1a13d
Interfaces:
IP addr   Ospf State   DR IP addr   BDR IP addr
/24       E  BDR
/24       E  DR
Inter-Area route Filter: None
External route Filter: None
Configured Address Ranges:

69 OSPF: BlackDiamond configuration steps
* MSM64:3 # config default dele port all
* MSM64:4 # creat vlan vlan20
* MSM64:5 # creat vlan vlan30
* MSM64:6 # config vlan20 add port 2: :10
* MSM64:7 # config vlan30 add port 2:11 - 2:20
* MSM64:8 # config vlan20 ipadd /24
IP interface for VLAN vlan20 has been created.
IP address = , Netmask =
* MSM64:9 # config vlan vlan30 ipadd /24
IP interface for VLAN vlan30 has been created.
IP address = , Netmask =

70 OSPF
* MSM64:10 # en ipf
* MSM64:11 # enable ospf
* MSM64:12 # creat ospf area
* MSM64:13 # config ospf add vlan vlan20 area
* MSM64:14 # config ospf add vlan vlan30 area
* MSM64:15 # config iproute add default                      (routing towards the Summit device)
* MSM64:16 # enable ospf export static cost 1 type ase-type  (passes the static routes into the same OSPF area: Extreme's equivalent of redistribute, with the ase-type)
* MSM64:36 # sh vlan
Name        VID  Protocol Addr  Flags    Proto  Super  Ports
Default                   /BP    f        ANY           / 0
MacVlanDis                                ANY           / 0
Mgmt                                      ANY           / 1
vlan                      /      f--o--   ANY           / 10
vlan                      /      f--o--   ANY           / 10

71 OSPF
* MSM64:51 # sh iproute
Destination     Gateway  Mtr  Flags   Use  M-Use  VLAN     Origin
* /                           U       u           vlan20   Direct
* /                           UG      um          vlan20   OSPFIntra
* /                           U       u           vlan30   Direct
* /                           U H     um          Default  Direct
*Default Route                UG S    um          vlan30   Static

72 OSPF
* MSM64:37 # sh ospf area detail
Area: 0.0.0.0 (0)  Type: Normal  Router Id:
Spf Runs: 7  Num ABR: 0  Num ASBR: 0  Num LSA: 0  LSA Chksum:0x0
Interfaces:
IP addr   Ospf State   DR IP addr   BDR IP addr
Inter-Area route Filter: None
External route Filter: None
Configured Address Ranges:

73 OSPF
Area: 20.20.20.0 (336860160)  Type: Normal  Router Id: 30.30.30.1
Spf Runs: 7  Num ABR: 0  Num ASBR: 0  Num LSA: 3  LSA Chksum:0x20c4d
Interfaces:
IP addr   Ospf State   DR IP addr   BDR IP addr
/24       E  DOWN
/24       E  DR
Inter-Area route Filter: None
External route Filter: None
Configured Address Ranges:

74 OSPF: Summit 48 configuration steps
* Summit48:2 # config default dele port all
* Summit48:3 # creat vlan vlan30
* Summit48:4 # creat vlan vlan40
* Summit48:5 # config vlan30 add port 1-10
* Summit48:6 # config vlan40 add port 11-20
* Summit48:7 # config vlan30 ipadd /24
IP interface for VLAN vlan30 has been created.
IP address = , Netmask =
* Summit48:8 # config vlan40 ipadd /24
IP interface for VLAN vlan40 has been created.
IP address = , Netmask =
* Summit48:9 # en ipforward
* Summit48:10 # config iproute add default            (routing towards the other networks)

75 OSPF
On a Summit, sh vlan shows the detailed output, so the OSPF information cannot be seen there.
* Summit48:22 # sh ipr
Destination    Gateway  Mtr  Flags  Use  VLAN     Origin
/                            U           vlan30   Direct
/                            U           vlan40   Direct
/                            U H         Default  Direct
Default Route                UG M        vlan30   Static

