4500系列交换机白皮书

数据中心交换机 buffer 需求分析白皮书目录1引言 (3)1.1DC 的网络性能要求 (3)1.2国内OTT 厂商对设备Buffer 的困惑 (4)1.3白皮书的目标 (4)2Buffer 需求的经典理论 (5)2.11BDP 理论 (5)2.2Nick Mckeown 理论 (6)2.3经典理论的适用性 (6)3基于尾丢弃的buffer 需求 (9)3.1丢包的影响 (9)3.1.2丢包对带宽利用率的影响 (9)3.1.3丢包对FCT 的影响 (12)3.2大buffer 的作用 (13)3.2.1吸收突发，减少丢包，保护吞吐 (13)3.2.2带宽分配均匀 (14)3.2.3优化FCT (15)3.3DC 内哪需要大buffer (15)3.4需要多大buffer (17)3.5带宽升级后，buffer 需求的变化 (19)3.6 小结 (19)4基于ECN 的buffer 需求 (21)4.1ECN 的作用 (21)4.2ECN 水线设置 (23)4.3基于ECN 的buffer 需要多大 (24)5基于大小流区分调度的buffer 需求 (27)5.1大小流差异化调度 (27)5.2大小流差异化调度如何实现大buffer 相当甚至更优的性能 (27)5.3基于大小流差异化调度的buffer 需要多大 (28)6 总结 (28)7 缩略语 (29)1 引言1.1DC 的网络性能要求近几年，大数据、云计算、社交网络、物联网等应用和服务高速发展，DC 已经成为承载这些服务的重要基础设施。

随着信息化水平的提高，移动互联网产业快速发展，尤其是视频、网络直播、游戏等行业的爆发式增长，用户对访问体验提出了更高的要求；云计算技术的广泛应用带动数据存储规模、计算能力以及网络流量的大幅增加；此外，物联网、智慧城市以及人工智能的发展也都对DC提出了更多的诉求。

为了满足不断增长的网络需求，DC 内的网络性能要求主要体现在：•低时延。

思科6500与4500区别思科Catalyst 6500交换机是针对大型企业核心网络/数据中心建设所需要的高端口密度、高转发性能、高级智能特性而开发的，其机箱、电源、内部交换架构均是依据大型企业核心网络和数据中心的应用特点而特别优化设计的。

而思科Catalyst 4500系列产品则不同，它通常用作中小型企业（SMB）的核心设备或大型网络的汇聚层设备。

6500与4500的具体区别主要体现在如下几个方面：1、性能：6500系列交换机的交换能力可达到720Gbps（每槽位40G），IPV4数据包吞吐量450Mpps （基于硬件）；而且MAC地址表的容量能够达到64K，IPV4路由表最大达到1M；而4500交换机即使采用思科最新推出的Supervisor Engine 6-E 引擎，其交换能力最大也只能达到320Gbps（每槽位最大24G），IPV4包转发率也只能达到250Mpps，其整体性能与6500E相比相差甚远。

2、硬件架构：6500E的交换架构为无阻塞的交换矩阵架构（Switch Fabric），通过交换矩阵架构，交换机各插槽的板卡能够实现点到点的分布式转发，数据交换效率大大提高；而4500E采用的仍然是传统的总线架构（Classic BUS），交换机各插槽板卡间的通信需要经过一条共享带宽的总线，由交换机控制引擎进行统一调度，它的缺点在于整个交换机的路由性能受限于总线带宽和控制引擎，数据交换能力低下，而且加重了交换机控制引擎的负担。

这种传统的总线架构正逐步被先进的交换矩阵架构所取代。

此外，4500E系列交换机中仅有4507R-E和4510R-E支持双引擎，而6500E系列交换机中的所有型号均支持冗余的双引擎。

3、数据中心应用关键特性VSS：为了强化交换网络中的核心层设备，Cisco推出了VSS技术（虚拟交换技术），VSS的功能是将多台交换机虚拟成单台交换机，在配置VSS之后，不仅可以提高核心交换机的易操作性，同时还能实现核心层的故障恢复率，从而提供不间断通信能力。

C H A P T E R54-1Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SGOL-25340-0154Configuring Storm ControlThis chapter describes how to configure port-based traffic control on the Catalyst 4500 series switch.This chapter consists of these sections:•About Storm Control, page 54-1•Enabling Broadcast Storm Control, page 54-3•Enabling Multicast Storm Control, page 54-4•Disabling Broadcast Storm Control, page 54-5•Disabling Multicast Storm Control, page 54-5•Displaying Storm Control, page 54-6NoteFor complete syntax and usage information for the switch commands used in this chapter, first look at the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:/en/US/products//hw/switches/ps4324/index.htmlIf the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location:/en/US/products/ps6350/index.htmlAbout Storm ControlThis section contains the following subsections:•Hardware-Based Storm Control Implementation, page 54-2•Software-Based Storm Control Implementation, page 54-2Storm control prevents LAN interfaces from being disrupted by a broadcast storm. A broadcast storm occurs when broadcast packets flood the subnet, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation or in the network configuration can cause a broadcast storm.54-2Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SGOL-25340-01Chapter 54 Configuring Storm ControlAbout Storm ControlSoftware Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SGOL-25340-01Chapter 54 Configuring Storm ControlEnabling Broadcast Storm ControlEnabling Broadcast Storm ControlTo enable storm control, perform this task:The following example shows how to enable storm control on interface:Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface fa3/1Switch(config-if)# storm-control broadcast level 50Switch(config-if)# endSwitch# show storm-controlInterface Filter State Broadcast Multicast Level --------- ------------- --------- --------- -----Fi3/1 Forwarding Enabled Disabled 50.00% Switch# show int fa2/1 capabilities FastEthernet2/1Model: WS-X4148-RJ45V-RJ-45 Type: 10/100BaseTX Speed: 10,100,autoCommandPurposeStep 1Switch# configure terminalEnters global configuration mode.Step 2Switch(config)# interface interface-id Enters interface configuration mode and enter the port to configure.Step 3Switch(config-if)# storm-control broadcast level [high level ]Configures broadcast storm control.Specifies the upper threshold levels for broadcast traffic. The storm control action occurs when traffic utilization reaches this level.(Optional) Specifies the falling threshold level. The normaltransmission restarts (if the action is filtering) when traffic drops below this level for interfaces that support software-based suppression.NoteFor ports that perform hardware-based suppression, the lower threshold is ignored.NoteFor the Catalyst 4500-X Series Switch, on ports operating at 1Gigabit, thresholds less than 0.02% are not supported.Step 4Switch(config-if)# storm-control action {shutdown | trap }Specifies the action to be taken when a storm is detected.The default is to filter out the broadcast traffic and not to send out traps.The shutdown keyword sets the port to error-disable state during a storm. If the recover interval is not set, the port remains in shutdown state.Step 5Switch(config-if)# exit Returns to configuration mode.Step 6Switch(config)# endReturns to privileged EXEC mode.Step 7Switch# show storm-control [interface ] broadcastDisplays the number of packets suppressed.Step 8Switch# copy running-config startup-config(Optional) Saves your entries in the configuration file.Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SGOL-25340-01Chapter 54 Configuring Storm ControlEnabling Multicast Storm ControlDuplex: half,full,auto Auto-MDIX: noTrunk encap. type: 802.1QTrunk mode: on,off,desirable,nonegotiate Channel: yesBroadcast suppression: percentage(0-100), hw Multicast suppression: percentage(0-100), hw Flowcontrol: rx-(none),tx-(none) VLAN Membership: static, dynamic Fast Start: yes CoS rewrite: yes ToS rewrite: yesInline power: yes (Cisco Voice Protocol) SPAN: source/destination UDLD: yes Link Debounce: no Link Debounce Time: no Port Security: yes Dot1x: yesMaximum MTU: 1552 bytes (Baby Giants) Multiple Media Types: no Diagnostic Monitoring: N/AEnabling Multicast Storm ControlCatalyst 4900M, Catalyst 4948E, Supervisor Engine 6-E, Supervisor Engine 6L-E, Supervisor Engine 7-E, and Supervisor Engine 7L-E support per-interface multicast suppression, which allows you to subject incoming multicast and broadcast traffic to interface-level suppression.NoteMulticast and broadcast suppression share a common threshold per interface. Multicast suppression takes effect only if broadcast suppression is enabled. Disabling broadcast suppression on an interface also disables multicast suppression.To enable multicast suppression, perform this task:The following example shows how to enable multicast suppression on ports that have broadcast suppression already enabled:Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# int fa3/1Switch(config-if)# storm-control broadcast include multicastCommandPurposeStep 1Switch# configure terminalEnters global configuration mode.Step 2Switch(config)# interface interface-id Enters interface configuration mode and enter the port to configure.Step 3Switch(config-if)# storm-control broadcast include multicast Enables multicast suppression.Step 4Switch(config-if)# exit Returns to configuration mode.Step 5Switch(config)# endReturns to privileged EXEC mode.Step 6Switch# show storm-controlVerifies the configuration.Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SGOL-25340-01Chapter 54 Configuring Storm ControlDisabling Broadcast Storm ControlSwitch(config-if)# end Switch#Switch# show storm-controlInterface Filter State Broadcast Multicast Level --------- ------------- --------- --------- -----Fi3/1 Forwarding Enabled Enabled 50.00%Disabling Broadcast Storm ControlTo disable storm control, perform this task:The following example shows how to disable storm control on interface.Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# int fa3/1Switch(config-if)# no storm-control broadcast level Switch(config-if)# endSwitch# show storm-controlInterface Filter State Broadcast Multicast Level --------- ------------- --------- --------- -----Switch#Disabling Multicast Storm ControlTo disable multicast suppression, perform this task:CommandPurposeStep 1Switch# configure terminalEnters global configuration mode.Step 2Switch(config)# interface interface-id Enters interface configuration mode and enter the port to configure.Step 3Switch(config-if)# no storm-control broadcast levelDisables port storm control.Step 4Switch(config-if)# no storm-control action {shutdown | trap }Disables the specified storm control action and returns to default filter action.Step 5Switch(config-if)# exit Returns to configuration mode.Step 6Switch(config)# endReturns to privileged EXEC mode.Step 7Switch# show storm-control broadcast Verifies your entries.Step 8Switch# copy running-config startup-config(Optional) Saves your entries in the configuration file.CommandPurposeStep 1Switch# configure terminalEnters global configuration mode.Step 2Switch(config)# [no ] storm-control broadcast include multicastEnables and disables multicast suppression.Step 3Switch(config-if)# no storm-control broadcast levelDisables port storm control (broadcast and multicast).Chapter54 Configuring Storm Control Displaying Storm ControlCommand PurposeStep4Switch(config-if)# end Returns to configuration mode.Step5Switch(config)# end Returns to privileged EXEC mode.Displaying Storm ControlNote Use the show interface capabilities command to determine the mode in which storm control is supported on an interface.The following example shows an interface that supports broadcast suppression in software (sw):Switch# show int fa2/1 capabilitiesFastEthernet2/1Model: WS-X4148-RJ45V-RJ-45Type: 10/100BaseTXSpeed: 10,100,autoDuplex: half,full,autoAuto-MDIX: noTrunk encap. type: 802.1QTrunk mode: on,off,desirable,nonegotiateChannel: yesBroadcast suppression: percentage(0-100), hwMulticast suppression: percentage(0-100), hwFlowcontrol: rx-(none),tx-(none)VLAN Membership: static, dynamicFast Start: yesCoS rewrite: yesToS rewrite: yesInline power: yes (Cisco Voice Protocol)SPAN: source/destinationUDLD: yesLink Debounce: noLink Debounce Time: noPort Security: yesDot1x: yesMaximum MTU: 1552 bytes (Baby Giants)Multiple Media Types: noDiagnostic Monitoring: N/ANote Use the show interfaces counters storm-control command to display a count of discarded packets.Switch# show interfaces counters storm-controlPort Broadcast Multicast Level TotalSuppressedPacketsFa2/1 Enabled Disabled 10.00% 46516510Gi3/1 Enabled Enabled 50.00% 0Switch# show storm-controlInterface Filter State Broadcast Multicast Level--------- ------------- --------- --------- -----Fa2/1 Blocking Enabled Disabled 10.00%Gi3/1 Link Down Enabled Enabled 50.00%Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SGOL-25340-01。

华为全系列数据通信产品白皮书第一部分：引言（200字）数据通信产品在现代社会中扮演着至关重要的角色，它们是连接世界的桥梁，促进了信息的传递和交流。

华为作为全球领先的通信技术解决方案提供商，为满足客户需求，推出了一系列高质量的数据通信产品。

本白皮书旨在介绍华为全系列数据通信产品的技术特点、应用场景和优势，帮助用户更好地了解和选择适合自己的产品。

第二部分：产品概述（200字）华为全系列数据通信产品包括路由器、交换机、光纤传输设备等多个种类。

这些产品具备高度的稳定性、可靠性和安全性，能够保证数据传输的质量和效率。

华为路由器是业界领先的产品之一，支持高速连接，稳定运行和智能优化。

交换机则提供灵活的网络管理和控制功能，适用于各种不同规模和需求的环境。

光纤传输设备则可以实现高容量和长距离的数据传送，特别适用于电信、金融和大型企业等行业。

第三部分：技术特点（300字）华为全系列数据通信产品具备一系列重要的技术特点。

首先，这些产品都采用了先进的硬件和软件技术，能够实现高效的数据处理和传输。

其次，华为产品支持灵活的网络配置和管理，可以根据实际需求进行定制和扩展。

同时，华为产品还具备高度的安全性，采用了先进的加密和认证技术，保障了数据的机密性和完整性。

此外，华为产品还支持智能化的运维和管理，通过数据分析和优化，提高了网络的性能和稳定性。

第四部分：应用场景（300字）华为全系列数据通信产品广泛应用于各个领域。

它们可以满足不同规模和需求的数据通信需求，适用于运营商、企业和个人用户等不同类型的客户。

在运营商领域，华为产品可以构建高速、稳定和安全的通信网络，支撑运营商的业务和服务。

在企业领域，华为产品可以实现灵活的网络管理和控制，提供高效的数据传输和存储解决方案。

对于个人用户来说，华为产品可以提供高速的网络连接和智能的家庭网络管理，满足各种娱乐和生活需求。

第五部分：产品优势（200字）华为全系列数据通信产品具备多个优势。

首先，它们拥有领先的技术和创新能力，能够满足不断变化的市场需求。

Junos Pulse Secure Access Service Getting Started Guide for SA Series2500,4500 and6500SSL VPN AppliancesRelease7.2Published:2012-03-20Part Number:,Revision1Juniper Networks,Inc.1194North Mathilda AvenueSunnyvale,California94089USA408-745-2000This product includes the Envoy SNMP Engine,developed by Epilogue T echnology,an Integrated Systems Company.Copyright©1986-1997, Epilogue T echnology Corporation.All rights reserved.This program and its documentation were developed at private expense,and no part of them is in the public domain.This product includes memory allocation software developed by Mark Moraes,copyright©1988,1989,1993,University of T oronto.This product includes FreeBSD software developed by the University of California,Berkeley,and its contributors.All of the documentation and software included in the4.4BSD and4.4BSD-Lite Releases is copyrighted by the Regents of the University of California.Copyright©1979,1980,1983,1986,1988,1989,1991,1992,1993,1994.The Regents of the University of California.All rights reserved.GateD software copyright©1995,the Regents of the University.All rights reserved.Gate Daemon was originated and developed through release3.0by Cornell University and its collaborators.Gated is based on Kirton’s EGP,UC Berkeley’s routing daemon(routed),and DCN’s HELLO routing protocol.Development of Gated has been supported in part by the National Science Foundation.Portions of the GateD software copyright©1988,Regents of the University of California.All rights reserved.Portions of the GateD software copyright©1991,D. L.S.Associates.This product includes software developed by Maker Communications,Inc.,copyright©1996,1997,Maker Communications,Inc.Juniper Networks,Junos,Steel-Belted Radius,NetScreen,and ScreenOS are registered trademarks of Juniper Networks,Inc.in the United States and other countries.The Juniper Networks Logo,the Junos logo,and JunosE are trademarks of Juniper Networks,Inc.All other trademarks,service marks,registered trademarks,or registered service marks are the property of their respective owners.Juniper Networks assumes no responsibility for any inaccuracies in this document.Juniper Networks reserves the right to change,modify, transfer,or otherwise revise this publication without notice.Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks:U.S.Patent Nos.5,473,599,5,905,725,5,909,440,6,192,051,6,333,650,6,359,479,6,406,312, 6,429,706,6,459,579,6,493,347,6,538,518,6,538,899,6,552,918,6,567,902,6,578,186,and6,590,785.Junos Pulse Secure Access Service Getting Started Guide for SA Series2500,4500and6500SSL VPN AppliancesRevision History2010—Revised for SA release7.0.The information in this document is current as of the date on the title page.END USER LICENSE AGREEMENTThe Juniper Networks product that is the subject of this technical documentation consists of(or is intended for use with)Juniper Networks e of such software is subject to the terms and conditions of the End User License Agreement(“EULA”)posted at/support/eula.html.By downloading,installing or using such software,you agree to the terms and conditions of that EULA.Abbreviated T able of ContentsAbout This Guide (ix)Part1Installation and Start-Up Procedures for SA Series2500,4500and6500AppliancesChapter1Getting Started With the SA Series2500,4500and6500SSL VPNAppliances (3)Part2IndexIndex (11)Getting Started Guide for SA Series2500,4500and6500AppliancesT able of ContentsAbout This Guide (ix)Related Documentation (ix)Document Conventions (ix)Requesting T echnical Support (x)Self-Help Online T ools and Resources (x)Opening a Case with JTAC (x)Part1Installation and Start-Up Procedures for SA Series2500,4500and6500AppliancesChapter1Getting Started With the SA Series2500,4500and6500SSL VPNAppliances (3)Step1:Installing the Hardware (3)Device Status LED Behavior (4)Ethernet Port LED Behavior (5)Bonding Ports (5)Step2:Performing Basic Setup (5)Step3:Licensing and Configuring Your Secure Access (7)Part2IndexIndex (11)Getting Started Guide for SA Series2500,4500and6500AppliancesList of T ablesAbout This Guide (ix)T able1:Notice Icons (ix)Part1Installation and Start-Up Procedures for SA Series2500,4500and6500AppliancesChapter1Getting Started With the SA Series2500,4500and6500SSL VPNAppliances (3)T able2:Device Status LEDs (4)T able3:4-Port Copper Gigabit Ethernet LEDs(available on SA4500and SA6500) (5)Getting Started Guide for SA Series2500,4500and6500AppliancesAbout This Guide•Related Documentation on page ix•Document Conventions on page ix•Requesting T echnical Support on page xRelated Documentation•T o download a PDF version of the Secure Access Administration Guide,go to the SecureAccess/SSL VPN Product Documentation page of the Juniper Networks CustomerSupport Center.•For information about the changes that Secure Access clients make to client computers, including installed files and registry changes,and for information about the rightsrequired to install and run Secure Access clients,refer to the Client-side Changes Guide.•For information on how to personalize the look-and-feel of the pre-authentication,password management,and Secure Meeting pages that Secure Access displays toend-users and administrators,refer to the Custom Sign-In Pages Solution Guide. Document ConventionsT able1on page ix defines notice icons used in this guide.Table1:Notice IconsInformational noteIndicates important features or instructions.WarningAlerts you to the risk of personal injury or death.Getting Started Guide for SA Series2500,4500and6500AppliancesRequesting Technical SupportT echnical product support is available through the Juniper Networks T echnical AssistanceCenter(JTAC).If you are a customer with an active J-Care or JNASC support contract,or are covered under warranty,and need post-sales technical support,you can accessour tools and resources online or open a case with JTAC.•JTAC policies—For a complete understanding of our JTAC procedures and policies,review the JTAC User Guide located at/us/en/local/pdf/resource-guides/7100059-en.pdf.•Product warranties—For product warranty information,visit/support/warranty/.•JTAC hours of operation—The JTAC centers have resources available24hours a day,7days a week,365days a year.Self-Help Online Tools and ResourcesFor quick and easy problem resolution,Juniper Networks has designed an onlineself-service portal called the Customer Support Center(CSC)that provides you with thefollowing features:•Find CSC offerings:/customers/support/•Search for known bugs:/kb/•Find product documentation:/techpubs/•Find solutions and answer questions using our Knowledge Base:/•Download the latest versions of software and review release notes:/customers/csc/software/•Search technical bulletins for relevant hardware and software notifications:https:///alerts/•Join and participate in the Juniper Networks Community Forum:/company/communities/•Open a case online in the CSC Case Management tool:/cm/T o verify service entitlement by product serial number,use our Serial Number Entitlement(SNE)T ool:https:///SerialNumberEntitlementSearch/Opening a Case with JTACYou can open a case with JTAC on the Web or by telephone.•Use the Case Management tool in the CSC at /cm/.•Call1-888-314-JTAC(1-888-314-5822toll-free in the USA,Canada,and Mexico).For international or direct-dial options in countries without toll-free numbers,see/support/requesting-support.html.PART1Installation and Start-Up Procedures for SA Series2500,4500and6500 Appliances•Getting Started With the SA Series2500,4500and6500SSL VPNAppliances on page3Getting Started Guide for SA Series2500,4500and6500AppliancesCHAPTER1Getting Started With the SA Series2500, 4500and6500SSL VPN AppliancesThank you for choosing the Juniper Networks SA Series SSL VPN appliance.You caninstall Secure Access and start configuring your system using the following easy steps:NOTE:After installing and setting up your Secure Access,refer to the InitialConfiguration task guide in the administrator Web console to install the mostcurrent Secure Access OS service package,license your Secure Accessappliance,and create a test user to verify user accessibility.To test initialset-up and continue configuring your Secure Access,refer to the“Gettingstarted”section of the Juniper Networks Secure Access Administration Guide.We recommend that you install the Secure Access appliance on your LAN to ensure thatit can communicate with the appropriate resources,like authentication servers,DNSservers,internal Web servers via HTTP/HTTPS,external Web sites via HTTP/HTTPS(optional),Windows file servers(optional),NFS file servers(optional),and client/serverapplications(optional).NOTE:If you decide to install your Secure Access appliance in your DMZ,ensure that the Secure Access appliance can connect to these internalresources.•Step1:Installing the Hardware on page3•Step2:Performing Basic Setup on page5•Step3:Licensing and Configuring Your Secure Access on page7Step1:Installing the HardwareThe Secure Access2500,4500and6500ship with mounting ears and mid-mounts.The Secure Access6500includes rear mounting rails for use in a four-post mountingrack.We recommend you use the rear mounting rails when installing the Secure Access6500in a rack.If you require an additional mounting kit,contact Juniper Networks.Getting Started Guide for SA Series2500,4500and6500AppliancesNext,connect the included cables and power on the Secure Access appliance followingthese steps:1.On the front panel:a.Connect an Ethernet cable from one of the Ethernet ports on the device to a Gigabitswitch port set to1000BaseTX.DO NOT use autoselect on either port.Once you apply power to the Secure Access device,the port uses two LEDs toindicate the connection status,which is described in“Ethernet Port LED Behavior”on page5.b.Plug the serial cable into the console port.2.On the rear panel,plug the power cord into the AC receptacle.There is no on/offswitch on Secure Access.Once you plug the power cord into the AC receptacle,SecureAccess powers up.Hardware installation is complete after you rack-mount the appliance and connect thepower,network,and serial cables.The next step is to connect to the appliance’s serialconsole as described in“Bonding Ports”on page5.Device Status LED BehaviorStartup takes approximately one minute to complete.If you want to turn the device offand on again,we recommend you wait a few seconds between shutting it down andpowering it back up.There are three device status LEDs located on the left-side of the front panel:•Power•Hard disk access•FaultT able2on page4lists the name,color,status,and description of each device statusLED.Table2:Device Status LEDsPOWERGreenDevice is not receiving powerOffOn SteadyDevice is receiving powerHARD DISK ACCESSYellowHard disk is idleOffBlinkingHard disk is being accessedFAULTRedDevice is operating normallyOffSlowPower supply faultblinkingChapter1:Getting Started With the SA Series2500,4500and6500SSL VPN Appliances Table2:Device Status LEDs(continued)Fast blinkingFan failureSolidThermal failureEthernet Port LED BehaviorThe Ethernet port LEDs show the status of each Ethernet port.Table3:4-Port Copper Gigabit Ethernet LEDs(available on SA4500andSA6500)Link/ActivityLinkGreenActivityBlinking greenLink SpeedOff10MbpsGreen100Mbps1GbpsYellowBonding PortsBy default,on the SA6500only,Secure Access uses bonding of the multiple ports toprovide failover protection.Bonding describes a technology for aggregating two physicalports into one logical group.Bonding two ports on Secure Access increases the failovercapabilities by automatically shifting traffic to the secondary port when the primary portfails.The SA6500appliance bonds ports as follows:•Internal port=Port0+Port1•External port=Port2+Port3Secure Access indicates in a message on the System>Network>Overview page whetheror not the failover functionality is enabled.Step2:Performing Basic SetupWhen you boot an unconfigured Secure Access appliance,you need to enter basic networkand machine information through the serial console to make the appliance accessibleto the network.After entering these settings,you can continue configuring the appliancethrough the administrator Web console.This section describes the required serial consolesetup and the tasks you need to perform when connecting to your Secure Accessappliance for the first time.T o perform basic setup:1.Configure a console terminal or terminal emulation utility running on a computer,suchas HyperT erminal,to use these serial connection parameters:•9600bits per second•8-bit No Parity(8N1)•1Stop Bit•No flow control2.Connect the terminal or laptop to the serial cable plugged in to the appliance’s consoleport and press Enter until you are prompted by the initialization script.3.Enter y to proceed and then y to accept the license terms(or r to read the licensefirst).4.Follow the directions in the serial console and enter the machine information for whichyou are prompted,including the:•IP address of the internal port(you configure the external port through the administrator Web console after initial configuration)•Network mask•Default gateway address•Primary DNS server address•Secondary DNS server address(optional)•Default DNS domain name(for example,)•WINS server name or address(optional)•Administrator username•Administrator password•Common machine name(for example,)•Organization name(for example,Acme Gizmo,Inc.)NOTE:Secure Access uses the common machine and organizationnames to create a self-signed digital certificate for use during productevaluation and initial setup.We strongly recommend that you import a signed digital certificate froma trusted certificate authority(CA)before deploying Secure Access forproduction use.For more information,refer to the“Certificates”chapter in the JuniperNetworks Secure Access Administration Guide.Getting Started Guide for SA Series2500,4500and6500AppliancesChapter1:Getting Started With the SA Series2500,4500and6500SSL VPN Appliances5.(FIPS only)The Secure Access FIPS appliances utilize FIPS140-2certified HardwareSecurity Modules(HSM)and require the following pieces of information to initializethe HSM and manage the HSM protected storage:•When prompted by the serial console,enter the security officer name and password.Save these credentials as they are required for creating new restore passwords andfor changing the security officer password.•Enter the key store restore or HSM master key backup password.•Enter the username and password for the HSM private key storage.Security officer names,usernames and key store names must adhere to the followingrequirements.RequirementDescriptionMinimum lengthAt least one character.Maximum length63characters for security officer names and user names.32characters forkeystore names.Alphanumeric,underscore(_),dash(-)and period(.)Valid charactersFirst characterMust be alphabetic.Passwords must be at least six characters.Three characters must be alphabetic andone character must be non-alphabetic.6.In a browser,enter the machine’s URL followed by“/admin”to access the administratorsign-in page.The URL is in the format:https://a.b.c.d/admin,where a.b.c.d is themachine IP address you entered in step4.When prompted with the security alert toproceed without a signed certificate,click Yes.When the administrator sign-in pageappears,you have successfully connected your Secure Access appliance to thenetwork.7.On the sign-in page,enter the administrator user name and password you created instep4and then click Sign In.The administrator Web console opens to theSystem>Status>Overview page.Step3:Licensing and Configuring Your Secure AccessAfter you install Secure Access and perform basic setup,you are ready to install the mostcurrent Secure Access OS service package,license Secure Access,verify accessibility,and complete the configuration process:•T o install the most current Secure Access OS service package,license your SecureAccess and create a test user to verify user accessibility,follow the task guide embeddedin the administrator Web console.•T o test initial set-up and continue configuring your Secure Access,refer to the“GettingStarted”section of the Juniper Networks Secure Access Administration Guide.Getting Started Guide for SA Series2500,4500and6500AppliancesPART2Index•Index on page11Getting Started Guide for SA Series2500,4500and6500AppliancesIndexCcustomer support (x)contacting JTAC (x)Ssupport,technical See technical supportTtechnical supportcontacting JTAC (x)Getting Started Guide for SA Series2500,4500and6500Appliances。

产品简介快速以太网和千兆位以太网线卡Cisco ® Catalyst ® 4500系列可扩展、模块化、高密度交换机提供了性能出众的第二、三、四层交换及智能服务，实现了网络控制和永续性。

这些交换机提供了多种快速以太网和千兆位以太网线卡，包括针对企业与商用交换解决方案的桌面、分支机构骨干和服务器，以及服务供应商城域以太网而优化的光纤及铜缆接口。

千兆位以太网线卡包括经济有效的高性能1000BASE-X 千兆位接口转换器(GBIC)、小型可插拔(SFP)千兆位以太网线卡和高密度10/100/1000BASE-T 三速自动检测、自动协商千兆位以太网线卡。

快速以太网线卡包括各种线速10/100、100-FX 、100BASE-LX10和100BASE-BX-D 密度。

以太网电源线卡Cisco Catalyst 4500系列提供了部署和运营标准以太网电源（PoE ）网络互联所需的线卡、电源和附件。

当将一个符合IEEE 802.3af 标准或思科预标准上电设备连接到PoE 线卡时，PoE 在长达100米的标准第5类非屏蔽双绞线（UTP ）电缆上提供了–48 VDC 电源。

IP 电话、无线基站、摄像机和其他符合IEEE 标准的端口连接设备无需墙壁电源，可使用Cisco Catalyst 4500系列PoE 线卡提供的电源。

此功能使网络管理员能集中控制电源，不必在天花板和其他可能安装上电设备的地方安装插座。

尽管所有如“PoE”、 “馈线电源”和“话音”电源及线卡等说法都是同义词，仍存在两个版本：思科预标准和IEEE 802.3af 标准版本。

每个Cisco Catalyst 4500系列机箱和PoE 电源都支持IEEE 802.3af 标准，而思科预标准电源实施则确保与现有思科上电设备向后兼容。

所有符合IEEE 802.3af 标准的线卡都可区分IEEE 或思科预标准上电设备和未上电网络接口卡(NIC)；确保只在连接了适当设备时供电。