Dell PowerConnect 5500 Series System User Guide Regulatory Models: PowerConnect 5524, 5524P, 5548, 5548P
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. Information in this document is subject to change without notice. © 2012 Dell Inc. All rights reserved.
1 Preface PowerConnect 5524/5548 and PowerConnect 5524P/5548P are stackable, advanced multi-layer devices. This guide contains the information needed for installing, configuring, and maintaining the device through the web-based management system, called the OpenManage Switch Administrator. This guide describes how to configure each system through the web-based management system and through CLI commands.
2 Features This section describes the features of the PowerConnect 5524/P and 5548/P switches. For a complete list of all updated device features, see the latest software version Release Notes. This section contains the following topics: • IP Version 6 (IPv6) Support • Stack Support • Power over Ethernet • Green Ethernet • Head of Line Blocking Prevention • Flow Control Support (IEEE 802.
• Security Features • DHCP Server • Protected Ports • iSCSI Optimization • Proprietary Protocol Filtering IP Version 6 (IPv6) Support The device functions as an IPv6-compliant host, as well as an IPv4 host (also known as dual stack). This enables device operation in a pure IPv6 network as well as in a combined IPv4/IPv6 network. For more information, see "IP Addressing" on page 202. Stack Support The system supports up to eight units with two fixed HDMI stacking ports. The HDMI ports are 1.
• IP Gateways • PDAs • Audio and video remote monitoring For more information, see "Power over Ethernet" on page 157. Green Ethernet Green Ethernet, also known as Energy Efficient Ethernet (EEE), is an effort to make networking equipment environmentally friendly, by reducing the power usage of Ethernet connections. The Short-Reach method, which reduces power over Ethernet cables shorter than 40m, is supported by the device. For more information, see "Green Ethernet Configuration" on page 384.
Virtual Cable Testing (VCT) VCT detects and reports copper link cabling faults, such as open cables and cable shorts. For more information, see "Diagnostics" on page 248. Auto-Negotiation Auto-negotiation enables the device to advertise modes of operation. The auto-negotiation function enables an exchange of information between two devices that share a point-to-point link segment, and automatically configures both devices to take maximum advantage of their transmission capabilities.
Static MAC Entries MAC entries can be manually entered in the Bridging Table, as an alternative to learning them from incoming frames. These user-defined entries are not subject to aging, and are preserved across resets and reboots. For more information, see "Static Addresses" on page 418. Self-Learning MAC Addresses The device enables controlled MAC address learning from incoming packets. The MAC addresses are stored in the Bridging Table. For more information, see "Dynamic Addresses" on page 421.
Layer 2 Features IGMP Snooping Internet Group Membership Protocol (IGMP) Snooping examines IGMP frame contents, when they are forwarded by the device from work stations to an upstream Multicast router. From the frame, the device identifies work stations configured for Multicast sessions, and which Multicast routers are sending Multicast frames. The IGMP Querier simulates the behavior of a Multicast router. This enables snooping of the Layer 2 Multicast domain even if there is no Multicast router.
VLAN Supported Features VLAN Support VLANs are collections of switching ports that comprise a single Broadcast domain. Packets are classified as belonging to a VLAN, based on either the VLAN tag or on a combination of the ingress port and packet contents. Packets sharing common attributes can be grouped in the same VLAN. For more information, see "VLANs" on page 459. Port-Based Virtual LANs (VLANs) Port-based VLANs classify incoming packets to VLANs, based on their ingress port.
forwarded. Non-VoIP traffic is dropped from the Voice VLAN in Auto-Voice VLAN Secure mode. Voice VLAN also provides QoS to VoIP, ensuring that the quality of voice does not deteriorate if the IP traffic is received unevenly. For more information, see "Voice VLAN" on page 491. Guest VLAN Guest VLAN provides limited network access to unauthorized ports.
Fast Link STP can take 30–60 seconds to converge. During this time, STP detects possible loops, enabling time for status changes to propagate and for relevant devices to respond. This period of 30-60 seconds is considered too long a response time for many applications. The Fast Link option bypasses this delay, and can be used in network topologies, where forwarding loops do not occur.
Link Aggregation Up to 32 Aggregated Links may be defined, each with up to eight member ports, to form a single Link Aggregated Group (LAG). This enables: • Fault tolerance protection from physical link disruption • Higher bandwidth connections • Improved bandwidth granularity • High bandwidth server connectivity A LAG is composed of ports with the same speed, set to full-duplex operation. For more information, see "LAG Configuration" on page 403.
are established or enforced. 802.1p is a spin-off of the 802.1Q (VLANs) standard. 802.1p establishes eight levels of priority, similar to the IP Precedence IP Header bit-field. Advanced QoS Frames that match an ACL and were permitted entrance are implicitly labeled with the name of the ACL that permitted their entrance. Advanced mode QoS actions defined in network policies can then be applied to these flows. The switch can set DSCP values and map IPv6 DSCP to egress queues in the same way it does for IPv4.
SNMP Versions 1, 2, and 3 Simple Network Management Protocol (SNMP) over the UDP/IP protocol controls access to the system. A list of community entries is defined, each consisting of a community string and its access privileges. There are three levels of SNMP security: read-only, read-write, and super. Only a super user can access the Community table. For more information, see "SNMP" on page 307. Web-Based Management Web-based management enables managing the system from any web browser.
Auto-Update of Configuration/Image File This feature facilitates installation of new devices. When you enable the various auto-update options, the device automatically downloads a new image or configuration file when it receives its IP address from a TFTP server, and automatically reboots, using the image or configuration file it received. For more information, see "Auto-Update/Configuration Feature" on page 331.
SNTP The Simple Network Time Protocol (SNTP) assures accurate network Ethernet Switch clock time synchronization up to the millisecond. Time synchronization is performed by a network SNTP server. Time sources are prioritized by strata. Strata define the distance from the reference clock. The higher the stratum (where zero is the highest), the more accurate the clock. For more information, see "Time Synchronization" on page 162.
Security Features SSL Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. It relies upon certificates and public and private keys. Port-Based Authentication (Dot1x) Port-based authentication enables authenticating system users on a per-port basis via an external server. Only authenticated and approved system users can transmit and receive data.
Due to the complexity of 802.1x setup and configuration, many mistakes can be made that might cause loss of connectivity or incorrect behavior. The 802.1x Monitor mode enables applying 802.1x functionality to the switch, with all necessary RADIUS and/or domain servers active, without actually taking any action that may cause unexpected behavior. In this way, the user can test the 802.1x setup before actually applying it. For more information, see "RADIUS" on page 284.
Access Control Lists (ACL) Access Control Lists (ACL) enable network managers to define classification actions and rules for specific ingress ports. Packets entering an ingress port with an active ACL, are either admitted or denied entry and the ingress port is disabled. If they are denied entry, the user can disable the port. Dynamic ACL/Dynamic Policy Assignment (DACL/DPA) The network administrator can specify the user's ACL in the RADIUS server.
DHCP Server Dynamic Host Configuration Protocol (DHCP) provides a means of passing configuration information (including the IP address of a TFTP server and a configuration file name) to hosts on a TCP/IP network. The switch can serve as a DHCP server or client. For more information on the device serving as a DHCP server, see "DHCP Server" on page 290. For more information on the device serving as a DHCP client, see "DHCP IPv4 Interface" on page 207.
The relay agent information option (Option 82) in the DHCP protocol enables a DHCP relay agent to send additional client information, upon requesting an IP address. Option 82 specifies the relaying switch's MAC address, the port identifier, and the VLAN that forwarded the packet. For more information, see "DHCP Relay" on page 577.
3 Hardware Description This section describes PowerConnect 5500 hardware.
Device Models The PowerConnect 5500 switches combine versatility with minimal management requirements.
Front Panel Figure 5-1 shows the front panel of the PowerConnect 5548 device with its various ports labelled. The PowerConnect 5524 device differs from the PowerConnect 5548 device in that there are 24 G ports and not 48. Figure 5-2 shows the buttons/LEDs on the right side in greater detail. Figure 3-1. PowerConnect 5548 Ports Giga Ports (odd numbered) USB Port Console Port HDMI Ports Giga Ports (even numbered) SFP+ Ports The following ports are found on the devices.
NOTE: it is recommended to use HDMI cable version 1.4 • Single USB Port This port is used for firmware upgrade from a USB device. Buttons and LEDs LEDs on Front Panel Figure 5-2 shows the extreme, right-hand part of the front panel, which contains buttons and LEDs, in addition to ports. Figure 3-2. Button/LED Panel Console Port Stacking Unit ID Reset Power Status Fan RPS Port LEDs Master These LEDs are described in Table 5-1 and Table 5-2.
The Reset button does not extend beyond the unit’s front, and it must be activated with a pin. Back Panel The back panel of the non-PoE models, shown in Figure 5-3, contains a Redundant Power Supply (RPS) connector, Location LED, and power connector. The back panel of the PoE models, shown in Figure 5-4, contains a Modular Power Supply (MPS) connector, Location LED, power connector, and two fan outlets. Figure 3-3. PowerConnect 5524/48 Back Panel Locator RPS A/C Power Supply Figure 3-4.
• A/C Power Supply — Connector for AC power supply. See "Power Supplies" on page 42 for more information. • Fans — Fan outlets. See "Ventilation System" on page 38 for more information. Ventilation System The PowerConnect 5500/P switches have two built-in fans. Operation can be verified by observing the LED that indicates if one or more fans are faulty (see Table 5-1). The fan outlets are shown in Figure 5-4.
Table 3-1. System LED Indicators (Continued) LED Color Description Stacking No. Indicates the unit ID of the device in the stack. Modular/Redundancy Power Supply (MPS/RPS) Green Static Red Static Off The MPS/RPS is currently operating. The MPS/RPS failed. Locator Green Flashing Locator function is enabled. Green Static Locator function is disabled. Green Static The device is a master unit. Off The device is not a master unit. Green Static All device fans are operating normally.
Port LEDs Gigabit Ports Each Giga port has two LEDs associated with it. The speed/link (LNK) LED is located on the left side of the port, while the activity/PoE LED is located on the right side of the port. The activity/PoE LED is labelled ACT in non-PoE devices, and is labelled PoE in PoE-enabled devices, as shown in Figure 5-5. Figure 3-5. Giga Port LEDs ACT/PoE LNK LNK ACT/PoE Table 5-2 describes the LED indications for the Gigabit ports: Table 3-2.
Table 5-3 describes the LED indications for Gigabit ports on PoE-enabled devices. Table 3-3. Giga Port LEDs on PoE-enabled Devices LED Color Description LNK Flashing green Link is up and the port is either transmitting or receiving at 1000 Mbps. Flashing amber Link is up and the port is either transmitting or receiving data at 100 Mbps. Solid green Link is up at high speed. Solid amber Link is up at lower speeds. Off Port is currently not operating.
SFP LEDs The SFP+ ports each have two LEDs, marked as LNK and ACT, associated with them. Figure 5-5 describes these LEDs. Table 3-5. SFP Port LEDs LED Color Description LNK Solid green Link is at highest speed. Solid amber Link is at lowest speed. Off Port is currently not linked. Flashing green Port is either transmitting or receiving. ACT Stack ID LED The front panel of the device contains a Stack ID panel used to display the Unit ID for the Stack Master and members, as shown in Figure 5-2.
4 Stacking Overview This section describes how the Stacking feature of the PowerConnect 5500 series functions.
Stack Overview The PowerConnect 5500 Stacking feature provides multiple switch management through a single switch, so that all units in the stack are treated as if they were a single switch. All stack members are accessed through the management IP address, through which the stack is managed. Each switch is a member in a stack, although the stack may consist of only a single switch. Up to eight units can be stacked.
• Slave Unit — Runs a slave version of the software that enables the applications running on the Master’s CPU to control and manage the resources of the slave unit. • Master Backup — Runs as a slave unit, as described above, and in addition, continuously monitors the existence and operation of the stack master. If the master unit fails, the master-backup unit assumes the Master Backup role. Stacking Units PowerConnect 5500 series switches use two HDMI 10G ports for stacking.
The results of this process are shown in Figure . Figure 4-1.
Stack Topology The PowerConnect 5500 series systems operate in a ring or chain topology. Ring Topology In a ring topology all units in the stack are connected to each other, forming a circle. Each unit in the stack accepts data and sends it to the unit to which it is attached. The packet continues through the stack until it reaches its destination. The system discovers the optimal path on which to send traffic. Figure shows units of a stack connected in a ring topology.
• Loading Software onto Stack Members • Rebooting the Stack • Managing Configuration Files on the Stack Adding a Unit to the Stack The recommended procedure to add a unit to a stack is as follows: 1 Place the powered-off unit in its physical place in the stack, and insert the stacking link in the unit (but do not connect it to the rest of the stack). 2 Power up the unit, and set the correct Unit ID, as described below. 3 Reboot the unit and connect it to the rest of the stack through the stack link.
2 Turn on the unit to begin auto boot and press Return or Esc to abort and enter the Start Up menu.
Startup Menu
[1]Download Software
[2]Erase Flash File
[3]Password Recovery Procedure
[4]Set Terminal Baud-Rate
[5]Stack Menu
[6]Back
3 Select Stack Menu to open the Stack Menu.
[1]Show Unit Stack ID
[2]Set Unit Stack ID
[3]Back
4 Select Set Unit Stack ID. Enter either a Unit ID for manual assignment or 0 to indicate that the unit ID will be assigned automatically.
– When a master-enabled unit is inserted into a running stack (or when Master and Backup master both start at the same time), they exchange each other’s UP TIME (the time since they powered up). If the time difference is smaller than 10 minutes, the unit with the lowest unit ID is elected; otherwise, the unit with the longest UP time is elected. – If a Master-enabled unit (with ID 1 or 2) is inserted into an operational stack, it will be elected as a backup master.
configuration is not saved, for example, dynamically-learned MAC addresses are not saved, but dynamic information is learned quickly and automatically by network traffic. Switching from the Master to the Master Backup The Master Backup replaces the Stack Master if one or more of the following events occur: • The Stack Master fails or is removed from the stack. • Links from the Stack Master to the stacking members fail. • User performs soft switchover via the Web interface or the CLI.
Table 4-1. Port Configurations when Replacing Units (Continued) New Unit Original Unit New Port Configuration 5524P or 5524 5548P or 5548 The PowerConnect 5524/P 24 Gigabit ports receives the first 24 Giga 5548/P port configurations. The 10 Giga port configurations remain the same. The remaining ports receive the default port configuration. 5524P or 5524 Port configurations remain the same.
• Uploading configuration files to an external TFTP server/HTTP client • Downloading configuration files from an external TFTP server/HTTP client • Download/upload through the USB port NOTE: Stack configuration for all configured ports is saved, even if the stack is reset and/or the ports are no longer present.
5 Configuring the Switch This section describes the configuration that must be performed after the switch is installed and connected to power supplies. Additional advanced functions are described in "Advanced Switch Configuration" on page 63. NOTE: Before proceeding further, read the release notes for this product. You can download the release notes from the Dell Support website at support.dell.com.
Configuration Work Flow To configure the switches: 1 For each switch in the stack: a Connect it to a terminal, as described in the "Connecting the Switch to the Terminal" on page 56. b Boot the switch, as described in the "Booting the Switch" on page 57. c Assign a unit ID to the switch, as described in "Assigning Unit IDs" on page 48. 2 Connect the units in the stack to each other, as described in "Configuring the Stack" on page 58.
Connecting the Switch to the Terminal The switch is configured and monitored through a terminal desktop system that runs terminal emulation software. The switch connects to the terminal through the console port. To connect the switch to a terminal: 1 Connect an RS-232 cable to a VT100-compatible terminal or the serial connector of a desktop system running terminal emulation software.
Booting the Switch After the local terminal is connected, turn on power. The switch then goes through power-on self-test (POST). POST runs every time the switch is started and checks hardware components, to determine if the switch is operational before completely booting. If the system detects a critical problem, the boot process stops. If POST passes successfully, a valid executable image is loaded into RAM. POST messages are displayed on the terminal and indicate test success or failure.
Configuring the Stack The switch is always considered to be a stack of switches even if the stack only contains a single switch. If there is more than one switch in the stack, each switch must be configured individually. See "Assigning Unit IDs" on page 48 for instructions on how to configure the stack. Configuration Using the Setup Wizard The Setup Wizard guides you through the initial switch configuration to get the system up and running as quickly as possible.
• The IP address to be assigned to the VLAN 1 interface through which the switch is to be managed (by default, every external and internal port is a member of the VLAN 1) • The IP subnet mask for the network • The default gateway (next hop router) IP address for configuring the default route 2 Boot the Master unit. The system automatically prompts you to use the Setup Wizard.
To manage the switch using SNMP (required for Dell Network Manager) you can: • Setup the initial SNMP version 2 account now. • Return later and set up the SNMP version account. For more information on setting up a SNMP version 2 account, see the user documentation. Would you like to set up the SNMP management interface now? [Y/N] 4 Enter [N] to skip to Step 7 or enter [Y] to continue the Setup Wizard.
other accounts and change privilege levels later. For more information on setting up user accounts and changing privilege levels, see the user documentation. To set up a user account: Enter the user name: Please enter the user password: Please reenter the user password: 8 Enter the following: • User name, for example "admin" • Password and password confirmation. 9 Press Enter. The following information is displayed: Next, an IP address is setup. The IP address is defined on the default VLAN (VLAN 1).
12 Enter the default gateway. 13 Press Enter. The following is displayed (example): This is the configuration information that has been collected: SNMP Interface = "Dell Network Manager"@192.168.2.10 User Account setup = admin Password = ********** Management IP address = 192.168.2.100 255.255.255.0 Default Gateway = 192.168.2.1 The following information is displayed: If the information is correct, please select (Y) to save the configuration and copy to the start-up configuration file.
6 Advanced Switch Configuration This section describes how to perform various configuration operations through the CLI.
Using the CLI This section provides some general information for using the CLI. For a complete description of CLI commands, refer to the Dell PowerConnect 55xx Systems CLI Reference Guide. Command Mode Overview The CLI is divided into command modes, each with a specific command set. Entering a question mark at the terminal prompt displays a list of commands available for that particular command mode. In each mode, a specific command is used to navigate from one mode to another.
Privileged access can be protected, to prevent unauthorized access and to secure operating parameters. Passwords are displayed on the screen, and are case-sensitive. NOTE: The enable command is only necessary if you log in with a privilege level less than 15. To access and list the Privileged EXEC mode commands: 1 At the prompt type enable and press Enter. 2 When a password prompt displays, enter the password and press Enter. The Privileged EXEC mode prompt displays as the device host name followed by #.
To access Global Configuration mode, at the Privileged EXEC Mode prompt, type configure and press Enter. The Global Configuration mode displays as the device host name followed by (config) and the pound sign #. console# configure console(config)# To list the Global Configuration commands, enter a question mark at the command prompt.
Accessing the Device Through the CLI You can manage the device using CLI commands, over a direct connection to the terminal console, or via a Telnet connection. Direct Connection Connect the device to the console and enter the CLI commands upon receiving a prompt. Telnet Connection Telnet is a terminal emulation TCP/IP protocol. RS-232 terminals can be virtually connected to the local device through a TCP/IP protocol network.
Retrieving an IP Address Receiving an IP Address from a DHCP Server When using the DHCP protocol to retrieve an IP address, the device acts as a DHCP client. When the device is reset, the DHCP command is saved in the configuration file, but the IP address is not. To retrieve an IP address from a DHCP server, perform the following steps: 1 Select and connect any port to a DHCP server or to a subnet that has a DHCP server on it.
3 To verify the IP address, type show ip interface at the system prompt, as shown in the following example. console# show ip interface IP Address I/F Type Directed Precedence Status -------- ----- Broadcast ----------------- --------- -------- -------- 0.0.0.0/32 gi2/0/1 DHCP disable No Valid 10.5.234.
To retrieve an IP address from a BOOTP server: 1 Select and connect any port to a BOOTP server or subnet containing such a server. 2 At the system prompt, enter the delete startup configuration command to delete the Startup Configuration from flash. The device reboots with no configuration and in 60 seconds starts sending BOOTP requests. The device receives the IP address automatically.
Security Management and Password Configuration System security is handled through the Authentication, Authorization, and Accounting (AAA) mechanism that manages user access rights, privileges, and management methods. AAA uses both local and remote user databases. Data encryption is handled through the SSH mechanism.
• Disabled: When the password-recovery mechanism is invoked, one-time access to the device without a password is still enabled; however, all configuration files (startup and backups) are removed and the following log message is generated to the terminal after the boot process completes: “All configuration and user files were removed” Configuring an Initial Terminal Password To configure an initial terminal password, enter the following commands: console(config)# aaa authentication login default line console(
Configuring an Initial SSH Password
To configure an initial SSH password, enter the following commands:
console(config)# aaa authentication login default line
console(config)# aaa authentication enable default line
console(config)# line ssh
console(config-line)# login authentication default
console(config-line)# enable authentication default
console(config-line)# password jones
Configuring an Initial HTTP Password
To configure an initial HTTP password, enter the following commands:
console(config)# ip http
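The following Python check is an added example, not part of the Dell guide: it audits a saved configuration or pasted CLI session for the AAA and per-line password commands used in these initial-password procedures, and flags a line that still carries the guide's sample password jones. The function names, finding strings and the sample configuration are constructed for illustration, and the input is assumed to be in the command form printed on this page.

```python
import re

# Commands taken from the guide's initial-password procedures.
REQUIRED_GLOBAL = (
    "aaa authentication login default line",
    "aaa authentication enable default line",
)
REQUIRED_IN_LINE = (
    "login authentication default",
    "enable authentication default",
)
# Line types the guide names for management access.
LINE_TYPES = ("console", "telnet", "ssh")
# "jones" is the sample password printed in the guide; it should never
# survive into a deployed configuration.
DOCUMENTED_SAMPLE_PASSWORDS = {"jones"}

# Optional CLI prompt such as "console(config-line)# " in front of a command.
PROMPT = re.compile(r"^[\w.-]+(?:\((?P<mode>[\w-]+)\))?#\s*(?P<cmd>.*)$")

# Constructed sample session (assumption, not output from a real switch).
SAMPLE_CONFIG = """
console(config)# aaa authentication login default line
console(config)# line telnet
console(config-line)# login authentication default
console(config-line)# enable authentication default
console(config-line)# exit
console(config)# line ssh
console(config-line)# login authentication default
console(config-line)# enable authentication default
console(config-line)# password jones
"""


def parse_config(text):
    """Split config text into global commands and per-line-type blocks."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        match = PROMPT.match(raw)
        if match:
            # A "(config)#" prompt means we are back at global level.
            if match.group("mode") == "config":
                current = None
            raw = match.group("cmd")
        words = raw.split()
        if not words:
            continue
        cmd = " ".join(words)  # normalise internal whitespace
        if words[0] == "line" and len(words) == 2:
            current = words[1]
            blocks.setdefault(current, [])
        elif cmd == "exit":
            current = None
        elif current is not None:
            blocks[current].append(cmd)
        else:
            global_cmds.append(cmd)
    return global_cmds, blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, blocks = parse_config(text)
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_cmds:
            findings.append(f"global: missing '{cmd}'")
    for line_type in LINE_TYPES:
        if line_type not in blocks:
            findings.append(f"line {line_type}: no configuration block")
            continue
        cmds = blocks[line_type]
        for cmd in REQUIRED_IN_LINE:
            if cmd not in cmds:
                findings.append(f"line {line_type}: missing '{cmd}'")
        passwords = [c.split()[1] for c in cmds
                     if c.split()[0] == "password" and len(c.split()) > 1]
        if not passwords:
            findings.append(f"line {line_type}: no password set")
        elif passwords[-1] in DOCUMENTED_SAMPLE_PASSWORDS:
            findings.append(
                f"line {line_type}: password is the guide's sample value")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
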
Configuring Login Banners Banners can be defined for each line (such as console and telnet) or for all lines. They are disabled by default. The following types of banners can be defined: • Message-of-the-Day Banner (motd) — Displayed when the user connects to the device, before login.
• Login Banner — Displayed after the Message-of-the-Day Banner, and before the user has logged in.
Startup Menu Procedures The Startup menu enables performing various tasks, such as software download, flash handling and password recovery. You can enter the Startup menu when booting the device. User input must be entered immediately after the POST test. To enter the Startup menu: • Turn the power on.
To download software through the Startup menu: 1 From the Startup menu, press [1]. The following prompt is displayed: Downloading code using XMODEM !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 2 When using the HyperTerminal, click Transfer on the HyperTerminal Menu Bar and select Send File. 3 In the Filename field, enter the file path for the file to be downloaded. 4 Ensure that the Xmodem protocol is selected in the Protocol field. 5 Press Send. The software is downloaded.
The configuration is erased when the system is reset. Password Recovery - Option[3] If a password is lost, the Password Recovery procedure can be called from the Startup menu. The procedure enables entry to the device a single time without entering a password. To recover a lost password when entering the local terminal only: 1 From the Startup menu, select [3]. 2 Continue the regular startup by logging in without a password. 3 Enter a new password or press 'ESC' to exit.
Software Download This section contains instructions for downloading device software (system and boot images) through a TFTP server or USB port. The TFTP server must be configured before downloading the software. Software Auto Synch in Stack When several units are stacked, they must all run the same software version.
2 Enter the show bootvar command to verify which system image is currently active. The following is an example of the information that is displayed:
console# show bootvar
Unit Image Filename  Version   Date                  Status
---- ----- --------- --------- --------------------- ---------
2    1     image-1   1.0.0.13  04-Aug-2010 08:27:30  Active*
2    2     image-2   1.0.0.
5 Select the image for the next boot by entering the boot system command. After this command, enter the show bootvar command to verify that the copy indicated as a parameter in the boot system command is selected for the next boot.
1 Enter the show version command to verify which software version is currently running on the device. The following is an example of the information that appears: console# show version Unit Boot version HW version ----- -------------- SW version ----------------- ---------- 2 1.0.0.11 1.0.0.24 console# 2 Enter the copy {tftp://|usb://}{tftp address}/{file name} boot command to copy the boot image to the device. The following is an example of the information that appears: console# copy tftp://50.
7 Using Dell OpenManage Administrator This section provides an introduction to the Dell OpenManage Switch Administrator user interface.
Starting the Application
NOTE: Before starting the application, the IP address must be defined. For more information, see "Accessing the Device Through the CLI" on page 67.
1 Open a web browser.
2 Enter the device’s IP address in the address bar and press Enter.
3 When the Log In window displays, enter a user name and password.
NOTE: Passwords are both case sensitive and alpha-numeric.
4 Click OK. The Dell OpenManage Switch Administrator home page displays.
Device Representation
The home page contains a graphical representation of the units in the stack’s front panels. Figure 9-1 displays the 5548 model, but the display for the other models is similar.
Figure 7-1. PowerConnect Device Port Indicators (callouts: Giga Ports (odd numbered), Stacking Unit ID, Giga Ports (even numbered))
The graphic display on the home page displays the Unit ID and port indicators that specify whether a specific port is currently active.
• gi—Giga port • te —Ten Giga port • x — Unit ID • z — Port number Dell PowerConnect 55xx Systems User Guide
Using the Switch Administrator Buttons This section describes the buttons found on the OpenManage Switch Administrator interface. Information Buttons Table 9-2 describes the information buttons that provide access to online support and online help, as well as information about the OpenManage Switch Administrator interfaces. These are displayed at the top of each page. Table 7-2. Information Buttons Button Description Support Opens the Dell Support page at support.dell.
Table 7-3. Device Management Icons (Continued)
Refresh  Refreshes device information from the Running Configuration file.
Field Definitions Fields that are user-defined can contain between 1–159 characters, unless otherwise noted on the OpenManage Switch Administrator web page. All letters or characters can be used, except the following: "\ / : * ? < >" Common GUI Features Table 9-4 describes the common functions that can be performed on many GUI pages. Table 7-4. Common GUI Elements Button Description Apply Save changes entered in GUI page to the Running Configuration file. Back Go to previous page.
Table 7-4. Common GUI Elements (Continued) Button Description Telnet Opens a Telnet window. This only works in the Explorer 6 and Firefox browsers. GUI Terms Each GUI page in the tree view is described in the following sections. A brief introduction is provided along with steps specifying how to enter information in the page. The following terms are used: • Enter — Indicates that information may be entered in the field. It does not imply that the field is mandatory.
Button Description Ctrl+F4 Any combination of keys clicked simultaneously, for example: Ctrl and F4. Screen Display Indicates system messages and prompts appearing on the console. all When a parameter is required to define a range of ports or parameters and all is an option, the default for the command is all when no parameters are defined. For example, the command interface range port-channel has the option of either entering a range of channels, or selecting all.
8 Network Security
This section describes the various mechanisms for providing security on the switch.
Port Security Network security can be enhanced by limiting access on a port to users with specific MAC addresses. The MAC addresses can be dynamically learned, or they can be statically configured. Port security has the following modes: • Classic Lock — Locked port security monitors both received and learned packets that are received on specific ports. Access to the locked port is limited to users with specific MAC addresses.
To configure port security: 1 Click Switching > Network Security > Port Security to display the Port Security: Summary page. Figure 8-1. Port Security: Summary Security parameters are displayed for all ports or LAGs, depending on the selected interface type. 2 To modify the security parameters for a port, select it, and click Edit. 3 Enter the following fields: – Interface — Select the interface to be configured. – Current Port Status — Displays the current port status.
• Limited Dynamic Lock — Locks the port by deleting the dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both relearning and aging MAC addresses are enabled. – Max Entries (0-128) — Enter the maximum number of MAC addresses that can be learned on the port. The Max Entries field is enabled only if Locked is selected in the Set Port field, and the Limited Dynamic Lock mode is selected in Learning Mode field.
Table 8-1. Port Security CLI Commands (Continued) CLI Command Description port security max {max-addr} Specifies the maximum number of MAC addresses that can be learned on the port. no port security max Use the no form of this command to restore the default port security mode {lock | maxaddresses } Configures the port security learning mode. no port security mode Use the no form of this command to restore the default configuration.
The following is an example of the CLI commands:
console # show ports security
Port     Status    Learning       Action  Maximum  Trap  Frequency
-------  --------  -------------  ------  -------  ----  ---------
gi1/0/1  Disabled  Max-Addresses  -       10       -     -
gi1/0/2  Disabled  Lock           -       1        -     -
gi1/0/3  Disabled  Lock           -       1        -     -
gi1/0/4  Disabled  Lock           -       1        -     -
gi1/0/5  Disabled  Lock           -       1        -     -
gi1/0/6  Disabled  Lock           -       1        -     -
gi1/0/7  Disabled  Lock           -       1        -     -
gi1/0/8  Disabled  Lock           -       1        -     -
gi1/0/9  Disabled  Lock           -
ACLs This section describes Access Control Lists (ACLs), which enable defining classification actions and rules for specific ingress or egress ports. It contains the following topics: • ACL Overview • MAC-Based ACLs • MAC-Based ACEs • IPv4-Based ACLs • IPv4-Based ACEs • IPv6-Based ACLs • IPv6-Based ACEs ACL Overview Access Control Lists (ACLs) enable network managers to define classification actions and rules for specific ingress or egress ports.
• IPv6-based ACL —Examines the Layer 3 layer of IPv6 frames MAC-Based ACLs To define a MAC-based ACL: 1 Click Switching > Network Security > MAC Based ACL to display the MAC Based ACL: Summary page. Figure 8-2. MAC Based ACL: Summary The currently-defined MAC-based ACLs are displayed. 2 To add a new ACL, click Add ACL, and enter the name of the new ACL.
Configuring MAC-Based ACLs Using CLI Commands
The following table summarizes the CLI commands for configuring MAC-based ACLs.
Table 8-2. MAC Based ACL CLI Commands
CLI Command                           Description
mac access-list extended acl-name     Defines an ACL and places the device in MAC-extended ACL configuration mode.
no mac access-list extended acl-name  Use the no form of this command to remove the ACL.
show interfaces access-lists          Displays access lists applied on interfaces.
MAC-Based ACEs To add rules to an ACL: 1 Click Switching > Network Security > MAC Based ACE to display the MAC Based ACE: Summary page. Figure 8-3. MAC Based ACE: Summary The currently-defined rules for the selected ACL are displayed. 2 To add a rule click Add ACE. 3 Select the ACL for which a rule is being created. 4 Enter the fields: – New Rule Priority — Enter the priority of the ACE. ACEs with higher priority are processed first.
– Dest. MAC Address — Match the destination MAC address to which packets are addressed. In addition to the Destination MAC address, you can enter a Wildcard Mask that specifies which bits in the source address are used for matching and which bits are ignored. A wildcard of 00:00:00:00:00:00 means the bits must be matched exactly; ff:ff:ff:ff:ff:ff means the bits are irrelevant. Any combination of 0s and ffs can be used.
Configuring MAC-Based ACEs Using CLI Commands
The following table summarizes the CLI commands for configuring MAC-based ACEs.
Table 8-3. MAC Based ACE CLI Commands
CLI Command  Description
permit {any|source-ip-address source-wildcard} {any|destination destinationwildcard} [eth-type 0|aarp|amber|decspanning|decnetiv|diagnostic|dsm|etype-6000] [vlan vlan-id] [cos cos coswildcard] [time-range timerange-name]
    Sets permit conditions for a MAC access list (in MAC ACL configuration mode).
IPv4-Based ACLs To define an IPv4-based ACL: 1 Click Switching > Network Security > IPv4 Based ACL to display the IPv4 Based ACL: Summary page. Figure 8-4. IPv4 Based ACL: Summary The previously-defined IPv4 ACLs are displayed. 2 To add a new ACL, click Add ACL. 3 Enter the name of the new ACL. Names are case-sensitive.
Configuring IP-based ACLs Using CLI Commands
The following table summarizes the CLI commands for configuring IP-based ACLs.
Table 8-4. IP-Based ACL CLI Commands
CLI Command  Description
Defines an IPv4 access list and places the device in IPv4 access list configuration mode.
no ip access-list extended acl-name  Use the no form of this command to remove the access list.
The currently-defined rules for the selected ACL are displayed.
2 To add a rule, click Add ACE.
3 Select a user-defined ACL, and enter the following fields:
– New ACE Priority (1-2147483647) — Enter the priority of the ACE. ACEs with higher priority are processed first. One is the highest priority.
– Protocol Select From List — Select to create an ACE, based on a specific protocol. The following options are available:
• ICMP — Internet Control Message Protocol (ICMP).
• HMP — Host Mapping Protocol (HMP). Collects network information from various network hosts. HMP monitors hosts spread over the internet as well as hosts in a single network.
• RDP — Reliable Data Protocol (RDP). Provides a reliable data transport service for packet-based applications.
• IDPR — Matches the packet to the IDPR protocol.
• IDRP — Matches the packet to the Inter-Domain Routing Protocol (IDRP).
• RVSP — Matches the packet to the ReSerVation Protocol (RSVP).
– Source Port (0 - 65535) — Enter the TCP/UDP source port. Enter either Single, Range or select Any to include all ports. – Destination Port (0 - 65535) — Enter the TCP/UDP destination port. Enter either a Single, Range or select Any to include all ports. – Source IP Address — Enter the source IP address to which addresses in the packet are compared.
– ICMP Code — Enter an ICMP message code for filtering ICMP packets that are filtered by ICMP message type or ICMP message code. This field is available only when ICMP is selected in the Protocol field. The following options are available:
• ICMP Code — Enter an ICMP code.
• Any — Check to use all ICMP codes.
– IGMP — IGMP packets can be filtered by IGMP message type. This field is available only when IGMP is selected in the Protocol field.
Configuring IP-based ACEs Using CLI Commands
The following table summarizes the CLI commands for configuring IP-based ACLs.
Table 8-5. IP-Based ACE CLI Commands
CLI Command  Description
permit protocol {any|source-ip-address source-wildcard} {any|destination-ipaddress destination-wildcard} [dscp number|precedence number] [time-range time-range-name]
    Sets conditions to allow a packet to pass a named IP access list (in access list configuration mode).
Table 8-5. IP-Based ACE CLI Commands (Continued) CLI Command Description deny protocol {any|source-ip-address source-wildcard} {any|destination-ipaddress destination-wildcard} [dscp number|precedence number] [time-range time-range-name] [disable-port|log-input] Sets deny conditions for IPv4 access list (in access list configuration mode).
IPv6-Based ACLs The IPv6 Based ACL Page displays and enables the creation of IPv6 ACLs, which check pure IPv6-based traffic. IPv6 ACLs do not check IPv6-over-IPv4 or ARP packets. To define IPv6-based ACLs: 1 Click Switching > Network Security > IPv6 Based ACL to display the IPv6 Based ACL: Summary page. Figure 8-6. IPv6 Based ACL: Summary A list of all of the currently defined IPv6-based ACLs is displayed. 2 To add a new ACL, click Add ACL. 3 Enter the name of the new ACL. Names are case-sensitive.
Configuring IPv6-based ACLs Using CLI Commands The following table summarizes the CLI commands for configuring IPv6-based ACLs. Table 8-6. IP-Based ACL CLI Commands CLI Command Description ipv6 access-list [access-list- Defines an IPv6 access list and places name] the device in IPv6 access list configuration mode no ipv6 access-list [accessUse the no form of this command to remove the access list.
The currently-defined rules for the selected ACL are displayed.
2 To add a rule click Add ACE.
3 Select a user-defined ACL for which a rule is being created.
4 Enter the following fields:
– New Rule Priority — Enter the ACE priority that determines which ACE is matched to a packet, based on a first match.
– Protocol Select from List — Select to create an ACE, based on a specific protocol. The following options are available:
• TCP — Transmission Control Protocol (TCP).
• Any — Check to use all ICMP types.
– ICMP Code — Specifies an ICMP message code for filtering ICMP packets that are filtered by ICMP message type or ICMP message code. This field is available only when ICMP is selected in the Protocol field. The following options are available:
• ICMP Code — Enter an ICMP code.
• Any — Check to use all ICMP codes.
– Source IP Address — Enter the source IP address to which addresses in the packet are compared.
– Shutdown — Drops packets that meet the ACL criteria, and disables the port to which the packet was addressed.
– Logging of Dropped Packets — Check to activate logging of dropped packets.
Configuring IP-based ACEs Using CLI Commands
The following table summarizes the CLI commands for configuring IP-based ACLs.
Table 8-7. IP-Based ACE CLI Commands
CLI Command  Description
permit protocol {any|{source-prefix/length}{any|destination-prefix/length} [dscp
    Sets permit conditions for IPv6 access list.
Table 8-7. IP-Based ACE CLI Commands (Continued) CLI Command Description deny protocol {any|{source-prefix/length }{any|destination-prefix|length} [dscp number|precedence number] [time-range time-range-name] [disable-port|log-input] Sets deny conditions for IPv4 access list (in Access List Configuration mode).
ACL Binding
When an ACL is bound to an interface, all the rules that have been defined for the ACL are applied to that interface. Whenever an ACL is assigned on a port or LAG, flows from that ingress or egress interface that do not match the ACL are matched to the default rule, which is to Drop unmatched packets.
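The matching rules described in the ACE and ACL Binding sections (wildcard masks, priority order with one as the highest priority, and the default drop for unmatched flows) can be modelled offline to check a rule set before it is bound. This is an added example, not Dell code: the `Ace` class, the function names and the sample addresses are constructed for illustration, and the mask is applied per bit, which is more general than the 0/ff combinations the GUI describes.

```python
"""Model of MAC-based ACE evaluation: wildcard masks, priority order, default drop."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_MAC_RE = re.compile(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}")
_ALL_BITS = 0xFFFFFFFFFFFF
EXACT = "00:00:00:00:00:00"  # wildcard in which every bit must match


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff into a 48-bit integer."""
    if not _MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def care_bits(wildcard: str) -> int:
    """Wildcard bit 0 = compare this bit, wildcard bit 1 = ignore it."""
    return ~mac_to_int(wildcard) & _ALL_BITS


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    care = care_bits(wildcard)
    return (mac_to_int(addr) & care) == (mac_to_int(pattern) & care)


@dataclass(frozen=True)
class Ace:
    priority: int                 # 1 is the highest priority
    action: str                   # "permit" or "deny"
    src: Optional[str] = None     # None stands for "any"
    src_wildcard: str = EXACT
    dst: Optional[str] = None
    dst_wildcard: str = EXACT

    def matches(self, src: str, dst: str) -> bool:
        src_ok = self.src is None or wildcard_match(src, self.src, self.src_wildcard)
        dst_ok = self.dst is None or wildcard_match(dst, self.dst, self.dst_wildcard)
        return src_ok and dst_ok


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, priority of the matching ACE); first match wins."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace.matches(src, dst):
            return ace.action, ace.priority
    return "deny", None  # default rule: unmatched packets are dropped


def _field_covers(pat_a, wc_a, pat_b, wc_b) -> bool:
    """True if every address matched by field b is also matched by field a."""
    if pat_a is None:
        return True
    if pat_b is None:
        return False
    care_a, care_b = care_bits(wc_a), care_bits(wc_b)
    if care_a & ~care_b & _ALL_BITS:
        return False  # a compares a bit that b ignores
    return (mac_to_int(pat_a) & care_a) == (mac_to_int(pat_b) & care_a)


def shadowed_rules(acl: List[Ace]) -> List[Tuple[int, int]]:
    """List (priority, covering priority) for ACEs that can never be reached."""
    ordered = sorted(acl, key=lambda a: a.priority)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (_field_covers(earlier.src, earlier.src_wildcard,
                              later.src, later.src_wildcard)
                    and _field_covers(earlier.dst, earlier.dst_wildcard,
                                      later.dst, later.dst_wildcard)):
                found.append((later.priority, earlier.priority))
                break
    return found


# Constructed rule set: one exempted host, a blocked vendor prefix,
# one permitted server, and a rule that the prefix rule makes unreachable.
SAMPLE_ACL = [
    Ace(20, "permit", dst="00:50:56:00:00:01"),
    Ace(10, "deny", src="00:1b:21:00:00:00", src_wildcard="00:00:00:ff:ff:ff"),
    Ace(5, "permit", src="00:1b:21:aa:bb:cc"),
    Ace(30, "deny", src="00:1b:21:11:22:33"),
]

if __name__ == "__main__":
    for s, d in [("00:1b:21:aa:bb:cc", "00:50:56:00:00:02"),
                 ("00:1b:21:11:22:33", "00:50:56:00:00:01"),
                 ("00:0c:29:01:02:03", "00:50:56:00:00:02")]:
        print(s, "->", d, evaluate(SAMPLE_ACL, s, d))
    print("shadowed:", shadowed_rules(SAMPLE_ACL))
```

The last sample flow shows why every binding needs an explicit permit for wanted traffic: a frame that matches no ACE is dropped by the default rule.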
2 To bind an ACL to an interface, select an interface and click Edit.
3 Select an ACL(s). You can select one of each type (MAC-based ACL, IPv4-based ACL or IPv6-based ACL) or one IPv4-based ACL and one IPv6-based ACL.
Configuring ACL Bindings Using CLI Commands
The following table summarizes the CLI commands for configuring ACL Bindings.
Table 8-8.
Proprietary Protocol Filtering Protocol filters are used to disallow receiving specific proprietary protocol packets through an interface. These can be enabled for specific ports. If a protocol filter is enabled on a port, you cannot enable a QoS ACL on this port. To configure Proprietary Protocol Filtering: 1 Click Switching > Network Security > Proprietary Protocol Filtering to display the Proprietary Protocol Filtering: Summary page. Figure 8-9.
4 Move the required protocols from the Available Protocols list to the Filtered Protocols list. The following displays the protocols and the addresses that are blocked:
Table 8-9. Protocol Filtering
Protocol   Destination Address  Protocol Type
blockcdp   0100.0ccc.cccc       0x2000
blockvtp   0100.0ccc.cccc       0x2003
blockdtp   0100.0ccc.cccc       0x2004
blockudld  0100.0ccc.cccc       0x0111
blockpagp  0100.0ccc.cccc       0x0104
blocksstp  0100.0ccc.cccd       -
blockall   0100.0ccc.ccc0       -
           0100.0ccc.
Time Range
Time ranges can be defined and associated with a QoS ACL, so that it is applied only during that time range. There are two types of time ranges:
• Absolute — This type of time range begins on a specific date or immediately and ends on a specific date or extends infinitely. It is created in the Time Range pages. A recurring element can be added to it.
• Recurring — This is a time range element that is added to an absolute range, and begins and ends on a recurring basis.
Absolute Time Range To define an absolute time range: 1 Click Switching > Network Security > Time Range to display the Time Range: Summary page. Figure 8-10. Time Range: Summary The existing Time Ranges are displayed. 2 To add a new time range, click Add. 3 Enter the name of the time range in the Time Range Name field. 4 Define the Absolute Start time. – To begin the Time Range immediately, click Immediate.
5 Define the Absolute End time. – To indicate that the Time Range should not end, click Infinite. – To determine the time at which the Time Range ends, enter values in the Date and Time fields. See "Configuring Time Ranges Using CLI Commands" on page 125 for the CLI commands for creating time ranges. Time Range Recurrence To add a recurring time range element to an absolute time range: 1 Click Switching > Network Security > Time Range Recurrence to display the Recurring Time Range: Summary page.
2 To add a recurring time range element to a time range, click Add. 3 Select the Time Range Name to which you want to add the Time Range Recurrence. The Absolute Start and Absolute End fields are displayed. 4 Check if the recurrence is Daily or Weekly in Recurrence type. 5 If the recurrence is Daily, enter: – Start Time — Select the time on which the time range starts. – End Time— Select the time on which the time range ends. – Weekday — Select the day of the week on which the time range occurs.
Table 8-11. Time Range CLI Commands (Continued) CLI Command Description periodic day-of-the-week hh:mm to day-of-the-week hh:mm Adds a recurring time range to the time range. no periodic day-of-the-week hh:mm to day-of-the-week hh:mm periodic list hh:mm to hh:mm day-of-theweek1 [day-of-the-week2… day-ofthe-week7] Use the no form of the commands to remove the recurring time range.
Dot1x Authentication This section describes Dot1x authentication. It contains the following topics: • Port-Based Authentication Overview • Dot1x Overview • Port-Based Authentication Global • Port-Based Authentication Interface Settings • Monitoring Users • Host Authentication • Port Authentication Users Port-Based Authentication Overview Port-based authentication enables authenticating system users on a per-port basis via an external server.
The device supports Port Based Authentication via RADIUS servers. Dot1x Overview Dot1x is an IEEE standard for port-based network access control. The Dot1x framework enables a device (the supplicant) to request port access from a remote device (authenticator) to which it is connected. The supplicant is permitted to send data to the port only after it is authenticated and authorized.
Dynamic VLAN Assignment (DVA) Dynamic VLAN Assignment (DVA) is also referred to as RADIUS VLAN Assignment in this guide. When a port is in Multiple Session mode and is DVA-enabled, the switch automatically adds the port as an untagged member of the VLAN that is assigned by the RADIUS server during the authentication process. The switch classifies untagged packets to the assigned VLAN if the packets originated from the devices or ports that are authenticated and authorized.
username and password must be entered in lower case and with no delimiting characters (for example: aaccbb55ccff). To use MAC-based authentication at a port: – A Guest VLAN must be defined. – The port must be Guest-VLAN-enabled. – The packets from the first supplicant, at the port before it is authorized, must be untagged. You can configure a port to use Dot1x only, MAC-based only, or Dot1x and MAC-based authentication.
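When RADIUS user entries for MAC-based authentication are generated from an asset inventory, the addresses usually arrive in mixed notations and have to be reduced to the lower-case, undelimited form shown above. The following added example (not part of the Dell guide) does that and reports entries that cannot be used; the function names and the inventory are constructed, and it assumes the supplicant's MAC address is the value used for both user name and password.

```python
"""Normalize inventory MAC addresses to the form used for MAC-based authentication."""
import re
from typing import Dict, Iterable, List, Tuple

# Accepted input notations (after lower-casing): aa:bb:cc:dd:ee:ff or
# aa-bb-cc-dd-ee-ff with one consistent separator, aabb.ccdd.eeff, aabbccddeeff.
_FORMATS = (
    re.compile(r"[0-9a-f]{2}([:-])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}"),
    re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"),
    re.compile(r"[0-9a-f]{12}"),
)


def mac_auth_credential(mac: str) -> str:
    """Return the MAC as 12 lower-case hex digits with no delimiters."""
    candidate = mac.strip().lower()
    if not any(fmt.fullmatch(candidate) for fmt in _FORMATS):
        raise ValueError("unrecognised MAC address format")
    digits = re.sub(r"[:.-]", "", candidate)
    # The low bit of the first octet marks a group (multicast/broadcast)
    # address, which is never the source address of a single station.
    if int(digits[:2], 16) & 0x01:
        raise ValueError("group address cannot identify a single supplicant")
    return digits


def build_credentials(
    inventory: Iterable[Tuple[str, str]],
) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return ({credential: label}, [(label, reason rejected)])."""
    accepted: Dict[str, str] = {}
    rejected: List[Tuple[str, str]] = []
    for label, mac in inventory:
        try:
            credential = mac_auth_credential(mac)
        except ValueError as exc:
            rejected.append((label, str(exc)))
            continue
        if credential in accepted:
            rejected.append((label, f"duplicate of {accepted[credential]}"))
            continue
        accepted[credential] = label
    return accepted, rejected


# Constructed inventory mixing notations, a duplicate, a typo and a
# multicast address.
SAMPLE_INVENTORY = [
    ("lobby-printer", "AA:CC:BB:55:CC:FF"),
    ("badge-reader", "00-1B-21-AA-BB-CC"),
    ("badge-reader-dup", "001b.21aa.bbcc"),
    ("typo", "00:1b:21:aa:bb"),
    ("cdp-multicast", "0100.0ccc.cccc"),
]

if __name__ == "__main__":
    ok, bad = build_credentials(SAMPLE_INVENTORY)
    for credential, label in ok.items():
        print(f"{label}: user name and password {credential}")
    for label, reason in bad:
        print(f"{label}: rejected ({reason})")
```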
• If a port is Guest-VLAN-enabled, the switch automatically adds the port as an untagged member of the Guest VLAN when the port is not authorized, and removes the port from the Guest VLAN when the first supplicant of the port is authorized. • The Guest VLAN cannot be used as both the Voice VLAN and an unauthenticated VLAN. The switch also uses the Guest VLAN for authentication at ports configured with Multiple Session mode and MAC-based authentication.
Port-Based Authentication Global
To globally configure authentication:
1 Click Switching > Network Security > Dot1 Authentication > Port Based Authentication Global to display the Port Based Authentication Global page.
Figure 8-12. Port Based Authentication Global
2 Enter the following fields:
– Port Based Authentication State — Enable/disable port-based authentication.
– Authentication Method — Select an authentication method.
• RADIUS, None — Perform port authentication first by using the RADIUS server. If no response is received from RADIUS (for example, if the server is down), then no authentication is performed, and the session is permitted. • RADIUS — Authenticate the user on the RADIUS server. If no authentication is performed, the session is not permitted. • None — Do not authenticate the user. Permit the session. – Guest VLAN — Enable/disable the use of a Guest VLAN for unauthorized ports.
Table 8-12. Port-Based Authentication Global CLI Commands (Continued)
CLI Command                                       Description
dot1x system-auth-control monitor [vlan vlan-id]  Enables the 802.1x Monitoring mode globally and defines the Monitor VLAN.
no dot1x system-auth-control monitor              Use the no format of the command to return to default.
dot1x guest-vlan                                  Contains a list of VLANs. The guest VLAN is selected from the VLAN List.
no dot1x guest-vlan                               Use the no form of this command to disable access.
Displays 802.
Port-Based Authentication Interface Settings To configure 802.1x authentication on an interface: 1 Click Switching > Network Security > Dot1 Authentication > Port Based Authentication Interface Settings to display the Port Based Authentication Interface Settings: Summary page. Figure 8-13. Port Based Authentication Interface Settings Port parameters for the selected unit are displayed. 2 Click Edit. 3 Select a port for which the authentication parameters apply in the Interface drop-down list.
• Authorized — Places the interface into an authorized state without being authenticated. The interface resends and receives normal traffic without client port-based authentication. • Unauthorized — Denies the selected interface system access by moving the interface into unauthorized state. The device cannot provide authentication services to the client through the interface. – Current Interface Control — Displays the current port authorization state.
• Authenticated ports are added to the supplicant VLAN as untagged. • Authenticated ports remain unauthenticated VLAN and Guest VLAN members. Static VLAN configuration is not applied to the port. • The following list of VLANs cannot participate in DVA: an Unauthenticated VLAN, a Dynamic VLAN that was created by GVRP, a Voice VLAN, a Default VLAN and a Guest VLAN. • Delete the supplicant VLAN while the supplicant is logged in.
– Supplicant Timeout (1-65535) — Enter the amount of time that lapses before EAP requests are resent to the supplicant. The field value is in seconds. – Max EAP Requests (1-10) — Enter the maximum number of EAP requests that can be sent. If a response is not received after the defined period (supplicant timeout), the authentication process is restarted.
Table 8-13. Port-Based Authentication Interface CLI Commands (Continued) CLI Command Description dot1x re-authentication Enables periodic re-authentication of the client. no dot1x re-authentication Use the no form of this command to restore the default configuration. dot1x timeout re-authperiod seconds Sets the number of seconds between reauthentication attempts. no dot1x timeout supp-timeout Use the no form of this command to restore the default configuration.
Table 8-13. Port-Based Authentication Interface CLI Commands (Continued) CLI Command Description show dot1x advanced Displays 802.1X advanced features for the switch or specified interface. show dot1x users [username username] Displays 802.1X users for the device. dot1x guest-vlan enable Enables using a guest VLAN for unauthorized ports. no dot1x guest-vlan enable Use the no form of this command to restore the default configuration.
Monitoring Users Use the Monitoring Users page to view rejected users. 1 Click Switching > Network Security > Dot1 Authentication > Monitoring Users to display the Monitoring Users page. Figure 8-14. Monitoring Users 2 Select a supplicant that was authenticated on the port. The supplicant’s information is displayed. – User Name — Name assigned to this port. – Port — Number of port. – VLAN — Port belongs to this VLAN. – MAC Address — Source of traffic.
Table 8-14. Reject Reason Description
Abbreviation  Description
ACL-DEL       ACL was deleted by a user.
ACL-NOTEXST   ACL sent by the RADIUS server does not exist on the device.
ACL-OVRFL     ACL sent by the RADIUS server cannot be applied because of TCAM overflow.
AUTH-ERR      Rejected by RADIUS due to wrong user name or password in the RADIUS server.
FLTR-ERR      RADIUS accept message contains more than two filter IDs.
FRS-MTH-DENY  First method is deny.
Monitoring Users Using the CLI Commands The following table summarizes the CLI commands for monitoring users: Table 8-15. Monitoring Users CLI Commands CLI Command Description show dot1x monitoring result [username username] Displays the captured information of each interface/host on the switch/stack.
Host Authentication Use the Host Authentication page to define the authentication mode on the port, and the action to perform if a violation is detected. To view ports and their authentication information: 1 Click Switching > Network Security > Dot1 Authentication > Host Authentication to display the Host Authentication: Summary page. Figure 8-15. Host Authentication: Summary A list of the ports and their authentication modes is displayed.
– • Not in Auto Mode — The port control is Forced Authorized, and clients have full port access. • Single-host Lock — The port control is Auto and a single client has been authenticated via the port. • No Single Host — Multiple Host is enabled. Number of Violations — Displays the number of packets that arrive on the interface in single-host mode, from a host whose MAC address is not the supplicant MAC address. 2 Click Edit.
• Shutdown — Discard the packet from any unlearned source and shut down the port. Ports remain shut down until they are activated, or the switch is reset.
Host Authentication pages:
Table 8-16. Host Authentication CLI Commands
CLI Command                                             Description
dot1x host-mode {multihost|single-host|multisessions}  Allows a single host (client) or multiple hosts on an IEEE 802.1x-authorized port.
Port Authentication Users The Port Authentication Users page enables you to view users that attempted to be authenticated. To view ports and their authentication definitions: 1 Click Switching > Network Security > Dot1 Authentication > Port Authentication Users to display the Port Authentication Users page. Figure 8-16. Port Authentication Users The ports and their authentication definitions are displayed. – User Name — Supplicant names that were authenticated on each port. – Port — Number of port.
– Authentication Method — Method by which the last session was authenticated. The options are: • None—No authentication is applied; it is automatically authorized. • RADIUS—Supplicant was authenticated by a RADIUS server. • MAC Address—Displays the supplicant MAC address. – MAC Address — MAC address of user who attempted to be authenticated. – VLAN — VLAN assigned to the user.
Display Port Authentication Users Using the CLI Commands The following table summarizes the CLI commands for displaying port authentication users: Table 8-17. Display Port Authentication Users CLI Commands CLI Command Description Displays active 802.1x authenticated users for the device.
9 Configuring System Information
This section describes how to set system parameters, such as security features, switch software, system time, logging parameters and more.
General Switch Information This section describes how to view and set general switch parameters. It contains the following topics: • Asset Information • System Health • Power over Ethernet Asset Information Use the Asset page to view and configure general device information, including the system name, location, contact, system MAC Address, System Object ID, date, time, and system up time.
2 Enter/view the parameters: – System Name (0-159 Characters) — Enter the user-defined device name. – System Contact (0-159 Characters) — Enter the name of the contact person. – System Location (0-159 Characters) — Enter the location where the system is currently running. – MAC Address — Displays the device MAC address. – Sys Object ID — Displays the vendor's authoritative identification of the network management subsystem contained in the entity. – Date — Enter the current date (mandatory).
Entering Asset Information Using the CLI Commands
The following table summarizes the CLI commands for entering fields displayed on the Asset page.
Table 9-1. Asset CLI Command
CLI Command                Description
snmp-server contact text   Configures the system contact (sysContact) name.
no snmp-server contact     Use the no form of the command to remove the system contact information.
snmp-server location text  Configures the system location string.
no snmp-server location
System Health To view the device’s power information and set fan administration state: 1 Click System > General > System Health in the tree view to display the System Health page. Figure 9-2. System Health The System Health page displays the following fields: – Unit No. — The unit in the stack for which information is displayed. Power Supply Status —Displays the following columns: – PS — The power status of the internal power unit.
– RPS — The device has one of two auxiliary power supplies: Redundant Power Supply (RPS) for non-PoE devices and Modular Power Supply (MPS) for PoE devices. Only one of these may be present at one time. For each type of power supply, the possible options are: • Checked — The power supply is operating normally. • Unchecked — The power supply is not operating normally. • Not Present — The power supply is currently not present. – Temperature — Displays the temperature on the device.
– Fan Admin State — Set one of the options: • Auto — Fans are turned on when the internal temperature of the switch is higher than the threshold displayed on the Summary page in the Condition field. • ON — Turns fan on under all conditions Table 9-2.
The following is an example of the CLI commands:
console# show system
Unit Type
---- ----------------------
2    PowerConnect 5548

Unit Main Power Supply Redundant Power Supply
---- ----------------- ----------------------
2    OK

Unit Fans Status
---- -------------
2    OK

Unit Temperature (Celsius) Temperature Sensor Status
---- --------------------- -------------------------
2    41                    OK

Unit Up time
---- ---------------
2    02,00:03:32

Power over Ethernet
A Power over Ethernet (PoE) switch is a type of PSE (P
• Wireless access points • IP gateways • Audio and video remote monitoring devices PDs are connected to the device via the Gigabit ports. To configure PoE parameters on devices equipped with PoE: 1 Click System > General > Power over Ethernet in the tree view to display the Power Over Ethernet: Summary page. Figure 9-3. Power Over Ethernet: Summary 2 The PoE global parameters are displayed: – Power Status — The inline power source status. • On — The power supply unit is functioning.
• Faulty — The power supply unit is functioning, but an error has occurred, for example, a power overload or a short circuit. – Nominal Power — The actual amount of power the device can supply, in watts. – Consumed Power — The amount of the power used by the device, in watts. 3 Enter the following parameters: – System Usage Threshold (1-99 Percent) — Enter the percentage of power consumed before a trap is generated. – Traps — Enable/disable traps if system usage goes over the threshold.
– Power Limit (0-15.4) — Enter the maximum amount of power that the PoE unit may deliver to this port. – Powered Device (0-24 characters) — Enter a user-defined description of the PD connected to the port, such as: "Bob Smith’s telephone". The following fields are displayed on this page: – PoE Operational Status — Whether the port is currently providing power. If it is not providing power, the reason is displayed. – Power Consumption — The amount of power being consumed by the powered device.
Table 9-4. Power Over Ethernet CLI Commands (Continued)
CLI Command
    Description
power inline priority {critical|high|low}
    Configures the priority of the interface from the point of view of inline power management.
no power inline priority
    Use the no form of this command to restore the default configuration.
power inline usage-threshold
    Configures the threshold for triggering alarms.
no power inline usage-threshold
    Use the no form of this command to restore the default configuration.
Time Synchronization The system clock runs from the moment the system starts up, and keeps track of the date and time. The date and time may be either set manually, or it may be received from an SNTP server.
Setting System Time and Daylight Savings Time Use the Manual Time Settings page to set system date/time manually (as opposed to receiving them from an external SNTP server). For more information on SNTP, see "System Time from an SNTP Server" on page 170. If system time is kept using an external SNTP clock, and the external SNTP clock fails, the system time reverts to the time set here or in the Asset page.
• Estonia — Last weekend of March until the last weekend of October. • Finland — Last weekend of March until the last weekend of October. • France — Last weekend of March until the last weekend of October. • Germany — Last weekend of March until the last weekend of October. • Greece — Last weekend of March until the last weekend of October. • Hungary — Last weekend of March until the last weekend of October. • India — India does not operate Daylight Saving Time.
• Romania — Last weekend of March until the last weekend of October. • Russia — From the 29th March until the 25th October. • Serbia — Last weekend of March until the last weekend of October. • Slovak Republic — Last weekend of March until the last weekend of October. • South Africa — South Africa does not operate Daylight Saving Time. • Spain — Last weekend of March until the last weekend of October. • Sweden — Last weekend of March until the last weekend of October.
To manually set the device time: 1 Click System > Time Synchronization > Manual Time Settings in the tree view to display the Manual Time Settings page. Figure 9-4. Manual Time Settings 2 Enter the following local settings: – Date — The system date. – Local Time — The system time. – Time Zone Offset — The difference between Greenwich Mean Time (GMT) and local time. For example, the Time Zone Offset for Paris is GMT +1:00, while the local time in New York is GMT –5:00.
– European — The device switches to DST at 1:00 am on the last Sunday in March, and reverts to standard time at 1:00 am on the last Sunday in October. The European option applies to EU members, and other European countries using the EU standard. – Other — Specifies that you will set DST manually in the fields described below. If you selected USA or European you are finished. If you selected Other, proceed to the next step. There are two types of DST possible when Others is selected.
• Time — The time at which DST begins every year. – To — The recurring time that DST ends each year, for example, DST ends locally every fourth Friday in October at 5:00 am. The possible options are: • Day — The day of the week at which DST ends every year. • Week — The week within the month at which DST ends every year. • Month — The month of the year in which DST ends every year. • Time — The time at which DST ends every year.
Table 9-5. Manual Time Setting CLI Commands (Continued)
CLI
    Description
clock summer-time zone date date month year hh:mm date month year hh:mm [offset]
    Configures the system to automatically switch to summer time (Daylight Savings Time) for a specific period - date/month/year format.
clock summer-time zone date month date year hh:mm month date year hh:mm
    Use the no form of the command to configure the system not to switch to summer time (Daylight Savings Time).
A sample script to set system time manually is shown below.
Table 9-6. CLI Script to Set Manual System Time
CLI
    Description
Console# clock set 13:32:00 7 Nov 2010
    Set the system time.
console(config)# clock timezone Ohio +2
    Set the time zone to GMT plus 2 hours. The name of the zone "Ohio" is purely for documentation purposes. This is not mandatory for manual time, but is recommended. It enables anyone seeing the time to know what that time is in respect to their timezone.
SNTP Overview The switch supports the Simple Network Time Protocol (SNTP), which provides accurate network switch clock time synchronization of up to 100 milliseconds. The implementation of SNTP is based on SNTPv4 (RFC 2030). SNTP is a simple and lighter version of NTP, and can be used when the ultimate performance of the full NTP implementation, described in RFC-1305, is not required. SNTP operates with NTP, thus an SNTP client can work with both SNTP and NTP servers.
device time and date are synchronized when it proactively requests synchronization information. Anycast polling to get time information is preferable to Broadcast polling, because it is more secure. Time levels T3 and T4 are used to determine from which server time information is accepted. • Broadcast Broadcast information is used if receiving Broadcast packets has been enabled, and one of the following situations occurs: – The SNTP server IP address has not been defined.
Algorithm for Selecting Designated SNTP Server Messages received from SNTP servers are logged, until there are three responding servers, or the timer expires. In any event, when the third message is received, the timer expires. A server is selected to be the “designated server” according to the following criteria: • The stratum (the distance in terms of NTP hops from the best authoritative time servers) is considered, and the server with the best (lowest) stratum is selected.
MD5 (Message Digest 5) Authentication safeguards device synchronization paths to SNTP servers. MD5 is an algorithm that produces a 128-bit hash value. MD5 is a variation of MD4, and increases MD4 security. MD5 both verifies the integrity of the communication and authenticates the origin of the communication. Global Settings (Clock Source) System time can be set manually, or it may be received from an external SNTP server.
2 Select the Clock Source. The possible options are: – Local —System time is taken from the device’s internal clock. Set this as defined in "Manual Time Settings" on page 162. – SNTP — System time is set via an SNTP server. Set SNTP parameters as defined in "System Time from an SNTP Server" on page 170. Defining the Clock Source Using CLI Commands The following table summarizes the CLI commands for setting the clock source. Table 9-7.
To define the types of server from which the device accepts SNTP information and the polling interval: 1 Click System > Time Synchronization > SNTP Global Settings in the tree view to display the SNTP Global Settings page. Figure 9-6. SNTP Global Settings 2 Enter the fields: – Poll Interval (60-86400) — Enter the interval (in seconds) at which the SNTP servers are polled. – Receive Broadcast Servers Updates — Enable/disable receiving time information from Broadcast servers.
Defining SNTP Global Settings Using CLI Commands
The following table summarizes the CLI commands for setting fields displayed in the SNTP Global Settings pages.
Table 9-8. SNTP Global Parameters CLI Commands
CLI Command
    Description
sntp client poll timer seconds
no sntp client poll timer
    Sets the polling time for an SNTP client. Use the no form of this command to restore the default configuration.
sntp broadcast client enable
no sntp broadcast client enable
    Enables SNTP Broadcast clients.
To configure SNTP authentication: 1 Click System > Time Synchronization > SNTP Authentication in the tree view to display the SNTP Authentication: Summary page. Figure 9-7. SNTP Authentication: Summary The previously-defined authentication keys are displayed. 2 Enable/disable SNTP Authentication. This enables/disables authenticating SNTP sessions between the device and an SNTP server. 3 Multiple keys can be defined. To add a new SNTP authentication key, click Add, and enter the fields.
– Trusted Key — Check to specify that the encryption key is used to authenticate the (Unicast) SNTP server. If this is not checked, the key is not used for authentication (and another key(s) is used). Defining SNTP Authentication Settings Using CLI Commands The following table summarizes the CLI commands for setting fields displayed in the SNTP Authentication pages. Table 9-9.
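How a client checks an MD5-authenticated SNTP reply against its trusted keys, as an added example (not code from this guide or the switch firmware). It follows the NTP symmetric-key layout, in which a 32-bit key ID and MD5(key || header) trail the 48-byte header; the key value, key IDs and sample packet are constructed.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed (S)NTP header, no extension fields
MAC_LEN = 4 + 16         # 32-bit key ID + 128-bit MD5 digest


def sample_header(transmit_seconds: int) -> bytes:
    """Constructed server reply header: LI=0, VN=4, Mode=4 (server), stratum 2."""
    return struct.pack(
        "!BBbb11I",
        0x24, 2, 6, -20,          # flags, stratum, poll, precision
        0, 0, 0x7F000001,         # root delay, root dispersion, reference ID
        transmit_seconds, 0,      # reference timestamp
        0, 0,                     # originate timestamp
        transmit_seconds, 0,      # receive timestamp
        transmit_seconds, 0,      # transmit timestamp (bytes 40..47)
    )


def build_reply(header: bytes, key_id: int, key: bytes) -> bytes:
    """Server side: append the key ID and MD5(key || header)."""
    # Keyed-prefix MD5 as used by NTP symmetric keys; this is not HMAC-MD5.
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_reply(packet: bytes, trusted_keys: dict) -> tuple:
    """Client side with authentication required: return (accepted, reason)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "no authenticator"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "malformed length"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[48:52])[0]
    received = packet[52:]
    key = trusted_keys.get(key_id)
    if key is None:
        # A key that is defined but not marked trusted must not authenticate a server.
        return False, "untrusted key id"
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    if not hmac.compare_digest(expected, received):
        return False, "digest mismatch"
    return True, "ok"


def demo() -> dict:
    """Run the accept and reject cases on constructed packets."""
    trusted = {1: b"constructed-key"}
    header = sample_header(3_900_000_000)
    good = build_reply(header, 1, trusted[1])
    tampered = bytearray(good)
    tampered[40] ^= 0x01      # flip one bit of the transmit timestamp
    return {
        "good": verify_reply(good, trusted),
        "tampered": verify_reply(bytes(tampered), trusted),
        "unknown_key": verify_reply(build_reply(header, 7, b"other"), trusted),
        "unauthenticated": verify_reply(header, trusted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```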
SNTP Servers To add an SNTP server or display SNTP server information: 1 Click System > Time Synchronization > SNTP Servers in the tree view to display the SNTP Servers: Summary page. Figure 9-8. SNTP Servers: Summary The following is displayed for the previously-defined servers: – SNTP Server — IP address of server. – Polling — Polls the selected SNTP server for system time information, when enabled.
– Preference — SNTP server providing SNTP system time information. The system displays one of the following options: • Primary — The server from which time was last accepted. • Secondary — All other servers from which time was received. – Status — The operating SNTP server status. The possible options are: • Up — The SNTP server is currently operating normally. • Down — An SNTP server is currently not available, for example, the SNTP server is currently not connected or is currently down.
– Link Local Interface — When the server supports an IPv6 Link Local address, this specifies the Link Local interface. Select one of the possible options: • VLAN — The VLAN on which the IPv6 interface is configured. • ISATAP — The IPv6 interface is configured on an ISATAP tunnel. – SNTP Server — Enter the SNTP server’s IP address. – Poll Interval — Enable/disable polling the selected SNTP server for system time information, when enabled.
The following is an example of the CLI commands: console(config)# sntp server 100.1.1.
To enable receiving Anycast updates on an interface: 1 Click System > Time Synchronization > SNTP Interface Settings to display the SNTP Interface Settings: Summary page. Figure 9-9. SNTP Interface Settings: Summary The following fields are displayed for every interface for which an SNTP interface has been enabled: – Interface — The port, LAG or VLAN on which SNTP is enabled. – Receive Servers Updates — Displays whether the interface is enabled to receive updates from the SNTP server.
Defining SNTP Interface Settings Using CLI Commands
The following table summarizes the CLI commands for setting fields displayed in the SNTP Interface Settings pages.
Table 9-11. SNTP Interface Settings CLI Commands
CLI Command
    Description
sntp client enable {[[gigabitethernet|tengigabitethernet] port-id|vlan vlan-id|port-channel LAG-number]}
    Enables the SNTP client on an interface in Global Configuration mode.
sntp client enable
    Enables SNTP client on an interface in Interface Configuration mode.
The following is an example of the CLI commands:
console# configure
console(config)# sntp client enable gi1/0/1
console# exit
console# configure
console(config)# interface gi1/0/1
console(config-if)# sntp client enable
console# show sntp configuration
SNTP port : 123 .
Polling interval: 1024 seconds.
No MD5 authentication keys.
Authentication is not required for synchronization.
No trusted keys.
Table 9-12. Manual Time Setting CLI Commands (Continued)
CLI
    Description
console(config)#sntp client poll timer 6
    Set polling time to 6 seconds.
console(config)#sntp unicast client enable
    Enable accepting time from predefined Unicast clients.
console(config)#sntp unicast client poll
    Enable polling predefined Unicast clients.
console(config)#sntp server 10.4.1.3 poll
    Define the server that will be used as an SNTP server.
console(config)#exit Display SNTP settings.
Logs The Logs feature enables the switch to keep several, independent logs. Each log is a set of entries that record system events. It contains the following topics: • System Log Overview • Global Parameters • RAM Log • Log File (in Flash) • Login History • Remote Log Server System Log Overview System logs record events and report errors or informational messages. Some aspects of system logging can be configured, as described below.
Logs stored on the Logging buffer are deleted when the device is reset. • Logging file (flash) — Messages are stored in flash memory. When the buffer is full, messages are written starting at the beginning of the memory block (overwriting the old messages). • SYSLOG Server — Messages are sent to a remote server. This is useful for central and remote management and to provide more space for storage of messages. Up to eight SYSLOG servers can be defined in the Remote Log Server Settings pages.
If you enable logging, some events are automatically logged, and in addition, you can enable/disable specific types of logging and set their destination. To configure logging: 1 Click System > Logs > Global Parameters in the tree view to display the Global Parameters page. Figure 9-10. Global Parameters 2 Enable/disable logging in the Logging drop-down list. Console logs are enabled by default, and cannot be disabled.
– Log Copy Files Events — Enable/disable generating logs when files are copied. – Log Management Access Events — Enable/disable generating logs when the device is accessed using a management method, for example, each time the device is accessed using SSH, a device log is generated. 4 To select the destination of logging messages, according to their severity levels, check the minimum severity level that will be associated with the console log, RAM log, Log file (Flash memory) and remote SYSLOG servers.
Table 9-13. Global Log Parameters CLI Commands (Continued)
CLI Command
    Description
management logging {deny}
    Enables Management Access List (ACL) deny events.
no management logging {deny}
    Use the no form of this command to disable logging management access list events.
aaa logging {login}
no aaa logging {login}
    Enables logging authentication login events. Use the no form of this command to disable logging authentication login events.
RAM Log To manage the RAM log buffer: 1 Click System > Logs > RAM Log in the tree view to display the RAM Log page. Figure 9-11. RAM Log The Max RAM Log Entries (20-400) line, which contains the maximum number of RAM log entries permitted, is displayed. When the log buffer is full, the oldest entries are overwritten. The Current Setting contains how many entries are currently permitted, and you can change this number in the New Setting (after reset) field.
– Log Time — The time at which the log was entered into the RAM Log table. – Severity — The log severity. – Description — The log entry text. 2 To remove all entries from the RAM log, click Clear Log. Viewing and Clearing the RAM Log Table Using the CLI Commands The following table summarizes the CLI commands for setting the size of the RAM log buffer, viewing, and clearing entries in the RAM log. Table 9-14.
Log File (in Flash) To view and/or clear the flash memory log file: 1 Click System > Logs > Log File in the tree view to display the Log File page. Figure 9-12. Log File The following is displayed for the existing logs: – Log Index — The log number in the Log file. – Log Time — The time at which the log was entered. – Severity — The log severity. – Description — The log entry text. 2 To remove all entries from the log file, click Clear Log.
Displaying the Log File Table Using the CLI Commands
The following table summarizes the CLI commands for setting fields displayed in the Log File page.
Table 9-15. Log File Table CLI Commands
CLI Command
    Description
show logging file
    Displays the logging state and the SYSLOG messages stored in the logging file.
The following is an example of the CLI commands:
console# show logging file
Logging is enabled.
Console Logging: Level info. Console Messages: 0 Dropped.
Buffer Logging: Level info.
To enable user history logging and view user login history: 1 Click System > Logs > Login History in the tree view to display the Login History page. Figure 9-13. Login History The login history for the selected user or all users is displayed. 2 Enable/disable Login History to File to record login history. 3 Select a user or All from the User Name drop-down list. The login history for this user is displayed in the following fields: • Login Time — The time the selected user logged on to the device.
Displaying the Device Login History Using CLI Commands
The following table summarizes the CLI commands for viewing and setting fields displayed in the Login History page.
Table 9-16. Login History CLI Commands
CLI Command
    Description
aaa login-history file
    Enables writing to the login history file.
no aaa login-history file
    Use the no form of this command to disable writing to the login history file.
show users login-history
    Displays the user’s login history.
Remote Log Server Log messages can be sent to remote log servers, using the SYSLOG protocol. To add a remote log server: 1 Click System > Logs > Remote Server Settings in the tree view to display the Remote Log Server: Summary page. Figure 9-14. Remote Log Server: Summary The previously-defined remote servers are displayed. 2 To add a remote log server, click Add, and enter the fields: – Supported IP Format — Select whether the IPv4 or IPv6 format is supported.
• Global — A globally unique IPv6 address; visible and reachable from different subnets. – Link Local Interface — When the server supports an IPv6 Link Local address, this specifies the Link Local interface. The possible options are: • VLAN — The VLAN on which the IPv6 interface is configured. • ISATAP — The IPv6 interface is configured on an ISATAP tunnel. – New Log Server IP Address — Enter the IP address of the remote SYSLOG server.
Working with Remote Server Logs Using the CLI Commands
The following table summarizes the CLI command for working with remote log servers.
Table 9-17. Remote Log Server CLI Commands
CLI Command
    Description
logging host {ipv4-address|ipv6-address|hostname} [port port-id] [severity level] [facility facility] [description text]
    Logs messages to a remote server with this IP address.
IP Addressing This section describes how to configure IP addresses on the switch, and contains the following topics: • IP Addressing Overview • IPv4 Interface Parameters • DHCP IPv4 Interface • IPv4 Static Routing • IPv6 Interfaces • IPv6 Default Gateway • ISATAP Tunnel • IPv6 Neighbors • IPv6 Routes Table • Domain Name System • Default Domain Names • Host Name Mapping • ARP • UDP Relay IP Addressing Overview The device functions as an IPv6-compliant host, as well as an IPv4-host
All IPv6 address formats are acceptable, yet for display purposes, the system displays the most abbreviated form, which replaces groups of zeros with double colons and removes the leading zeros. IPv6 Prefixes While Unicast IPv6 addresses written with their prefix lengths are permitted, in practice their prefix lengths are always 64 bits, and therefore are not required to be expressed. Any prefix that is less than 64 bits is a route or address range that summarizes a portion of the IPv6 address space.
The IP address is assigned even if the above validation procedure concludes that the IP address in question is not unique, but a SYSLOG message is generated. In addition to the above validation procedure, every time a switch receives an ARP request with a sender IP address equal to its own IP address defined on the input interface, it sends a SYSLOG message reporting the IP duplication. The message contains the sender IP and MAC addresses from the received ARP message.
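The ARP-based duplicate check described above, as an added example (not the switch's own code): it parses an Ethernet/IPv4 ARP body and reports a request whose sender IP equals the interface address. The message wording, the interface name and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # Ethernet/IPv4 ARP body: 28 bytes
ARP_LEN = struct.calcsize(ARP_FMT)
ARP_REQUEST = 1


def make_arp(oper: int, sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Build a constructed ARP body for the demonstration."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper,
        sender_mac, ipaddress.IPv4Address(sender_ip).packed,
        b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed,
    )


def parse_arp(payload: bytes):
    """Return (oper, sender_mac, sender_ip) or None if not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN]
    )
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha, ipaddress.IPv4Address(spa)


def duplicate_ip_message(payload: bytes, interface: str, interface_ip: str):
    """Return a log message if an ARP request claims the interface's own IP."""
    parsed = parse_arp(payload)
    if parsed is None:
        return None
    oper, sender_mac, sender_ip = parsed
    if oper != ARP_REQUEST or sender_ip != ipaddress.IPv4Address(interface_ip):
        return None
    mac = ":".join(f"{b:02x}" for b in sender_mac)
    # Hypothetical message format; it carries the sender IP and MAC as the text requires.
    return f"Duplicate IP {sender_ip} on {interface}: ARP request from MAC {mac}"


if __name__ == "__main__":
    mac = bytes.fromhex("001b3f9c84ea")
    frames = [
        make_arp(1, mac, "10.5.225.40", "10.5.225.33"),   # claims our address
        make_arp(1, mac, "10.5.225.41", "10.5.225.40"),   # ordinary request
    ]
    for frame in frames:
        print(duplicate_ip_message(frame, "vlan 1", "10.5.225.40"))
```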
The previously-assigned IP addresses are displayed. 2 To add an IP address to an interface, click Add, and enter the fields: – IP Address — Enter the IP address assigned to the interface. – Network Mask — Select the subnetwork mask to which traffic can be routed. – Prefix Length — Enter the number of bits that comprise the IP address prefix of the subnetwork. – Interface — Select the interface for which the IP address is defined.
The following are sample procedures to configure a static IPv4 address on an interface using CLI and then to remove it:
Table 9-19. Sample CLI Script to Configure IPv4 Statically on a VLAN
CLI Command
    Description
console#config
    Enter Global Configuration mode.
console(config)# interface vlan 1
    Enter Interface mode for VLAN 1.
console(config-if)# ip address 10.5.225.40 /27
    Set the routing interface with prefix length of 27.
console(config-if)# ip default-gateway 10.5.225.
DHCP IPv4 Interface The switch can operate in the following ways: • It can function as a DHCP client that obtains its own IP from a DHCP server, as described in this section • It can function as a DHCP server that allocates IP addresses to other devices, as described in "DHCP Server" on page 290 When the interface is configured as a DHCP client, it keeps requesting an IP address from the DHCP server, until it receives one.
To define the switch as a DHCP client: 1 Click System > IP Addressing > DHCP IPv4 Interface in the tree view to display the DHCP IPv4 Interface: Summary page. Figure 9-16.
The previously-configured DHCP IPv4 interfaces are displayed. 2 To add an interface that can receive an IP address, click Add and select whether the interface is a port, LAG or VLAN in the Interface field. Defining DHCP IPv4 Interfaces Using CLI Commands The following table summarizes the CLI commands for setting fields in the DHCP IPv4 Interface pages. Table 9-21.
Configuring DHCP IPv4 Interfaces Using CLI
The following is a sample CLI script to configure a dynamic IPv4 address on an interface and then to remove it:
Table 9-22. Sample CLI Script to Configure IPv4 Dynamically on a VLAN
CLI Command
    Description
console#config
    Enter Global Configuration mode.
console(config)# interface vlan 1
    Enter VLAN mode for VLAN 1.
console(config)# no switchport
    Enable the port to work as an IP interface (Layer 3 mode).
When routing traffic, the next hop is determined according to the longest prefix match (LPM algorithm). A destination IPv4 address may match multiple routes in the IPv4 Static Route table. The switch uses the matched route with the longest prefix match. To add an IPv4 static route: 1 Click System > IP Addressing > IPv4 Static Routing in the tree view to display the IPv4 Static Routing: Summary page. Figure 9-17.
– Next Hop — Enter the IP address to which the packet is forwarded on the route to the destination address. This is typically the address of a neighboring switch. – Route Type — Select the route type. The possible options are: • Reject — Rejects the route and stops routing to the destination network via all gateways. This ensures that if a frame arrives with the destination IP of this route, it is dropped. • Remote — The route is a remote path.
Configuring Two IP Networks on Two Different VLANs Using CLI
The following shows how to configure two IP networks on two different VLANs using CLI:
Table 9-25. Sample CLI Script to Configure Two IP Networks on Two Different VLANs
CLI Command
    Description
console#config
    Enter Global Configuration mode.
console(config)# vlan database
    Enter VLAN mode.
console(config-vlan)# vlan 100-150
    Create VLANs number 100 to 150.
console(config-vlan)# exit
    Exit VLAN mode.
Figure 9-18. IP Routing Setup Switch VLAN 100 PC 1.1.1.1 VLAN 150 PC 2.1.1.1 IPv6 Interfaces The system supports IPv6-addressable hosts. To define IPv6 interfaces: 1 Click System > IP Addressing > IPv6 Interface in the tree view to open the IPv6 Interface: Summary page. Figure 9-19.
2 Select an interface. The IPv6 addresses defined on the interface are displayed. In addition to the fields described in the Add pages, the following fields are displayed: – ICMP Error Rate Limit Interval (0-2147483647) — Enter the rate-limit interval for ICMPv6 error messages in milliseconds.
– Send ICMP Unreachable — Enable/disable transmission of ICMPv6 address Unreachable messages. When enabled, unreachable messages are generated for any packet arriving on the interface with unassigned TCP/UDP port. 4 To add an address to an IPv6 interface, click Add IPv6 Address, and enter the fields for the selected interface: – IPv6 Address Type — Check the means by which the IP address was added to the interface.
Defining IPv6 Interfaces Using CLI Commands The following table summarizes the CLI commands for setting fields displayed in the IPv6 Interface pages. Table 9-26. IPv6 Interfaces CLI Commands CLI Command Description ipv6 enable [no-autoconfig] Enables the IPv6 addressing mode on an interface.
Table 9-26. IPv6 Interfaces CLI Commands (Continued)
CLI Command
    Description
ipv6 address ipv6-address/prefix-length link-local
no ipv6 address link-local
    Configures an IPv6 link-local address for an interface. Use the no form of this command to return to the default link local address on the interface.
ipv6 unreachables
no ipv6 unreachables
    Enables the generation of ICMP for IPv6 (ICMPv6) unreachable messages for packets arriving on a specified interface.
The following is a sample script to configure IPv6 using CLI:
Table 9-27. Sample CLI Script to Configure IPv6 on a Port
CLI Command
    Description
console#config
    Enter Global Configuration mode.
console(config)# interface vlan 1
    Enter VLAN mode for VLAN 1.
console(config-if)# ipv6 enable
    Enable IPv6 (dynamic).
console(config-if)# ipv6 address 5::1/64
    Set the IPv6 address (static)
IPv6 Default Gateway
Use the IPv6 Default Gateway pages to configure and view the default IPv6 router addresses.
To configure a router: 1 Click System > IP Addressing > IPv6 Default Gateway in the tree view to display the IPv6 Default Gateway: Summary page. Figure 9-20. IPv6 Default Gateway: Summary The previously-defined routers are displayed with the following fields: – IPv6 Default IPv6 Address — The router’s address. – Interface — The interface on which the router is accessed. – Type — The means by which the default gateway was configured.
– State — The router’s status. The possible options are: • Incomplete — Address resolution is in progress and the link-layer address of the default gateway has not yet been determined. • Reachable — The default gateway is known to have been reachable recently (within tens of seconds ago). • Stale — The default gateway is no longer known to be reachable but until traffic is sent to the default gateway, no attempt is made to verify its reachability.
Table 9-28. IPv6 Default Gateway CLI Commands (Continued)
CLI Command
    Description
show ipv6 route
    Displays the current state of the IPv6 routing table.
The following are examples of these CLI commands:
console(config)# ipv6 default-gateway fe80::abcd
console(config-if)# do show ipv6 route
Codes: L - Local, S - Static, I - ICMP, ND - Router Advertisement
The number in the brackets is the metric.
After the last IPv4 address is removed from the interface, the ISATAP IP interface state becomes inactive and is represented as Down, however the Admin state remains Enabled. When defining tunneling, note the following: • An IPv6 Link Local address is assigned to the ISATAP interface. The initial IP address is assigned to the interface, and the interface state becomes Active. • If an ISATAP interface is active, the ISATAP router IPv4 address is resolved via DNS by using ISATAP-to-IPv4 mapping.
To define an IPv6 ISATAP tunnel: 1 Click System > IP Addressing > IPv6 ISATAP Tunnel in the tree view to display the ISATAP Tunnel page. Figure 9-21. IPv6 ISATAP Tunnel 2 Enter the fields: – ISATAP Status — Enable/disable the status of ISATAP on the device. – IPv4 Address Type — Enter the source of the IPv4 address used by the tunnel. The options are: • Auto — Use the dynamic address. • None — Disable the ISATAP tunnel. • Manual — Use the manual address assigned.
– Tunnel Router's Domain Name — Enter a specific automatic tunnel router domain name. – Domain Name Query Interval (10 - 3600) — Enter the interval between DNS queries (before the IP address of the ISATAP router is known) for the automatic tunnel router domain name. – ISATAP Router Solicitation Interval (10 - 3600) — Enter the interval between router solicitations messages when there is no active router.
Table 9-29. ISATAP Tunnel CLI Commands (Continued)
CLI Command
    Description
tunnel isatap query-interval seconds
no tunnel isatap query-interval
    Configures the interval between DNS Queries (before the IP address of the ISATAP router is known) for the automatic tunnel router domain name. Use the no form of this command to restore the default configuration.
Table 9-30. ISATAP Tunnel CLI Script
CLI Command
    Description
console (config)# ip domain lookup
    Enable DNS lookup
console(config)# ip name-server 176.16.1.18
    Define DNS server
console(config)# interface tunnel 1
    Enter tunnel mode
console(config-tunnel)#tunnel mode ipv6ip isatap
    Enable tunnel.
console(config-tunnel)#tunnel source auto
    The system minimum IPv4 address will be used as the source address for packets sent on the tunnel interface.
IPv6 Neighbors The Neighbors feature is similar in functionality to the IPv4 Address Resolution Protocol (ARP) feature. It enables detecting Link Local addresses within the same subnet, and includes a database for maintaining reachability information about active neighbors. The device supports a total of up to 64 neighbors, obtained statically or dynamically. When removing an IPv6 interface, all neighbors entered statically or learned dynamically, are removed.
The previously-defined neighbors are displayed along with their states. The possible states are: – Incomplete — An address resolution is in progress, and the link-layer address of the neighbor has not yet been determined. – Reachable — The neighbor is known to have been reachable recently (within tens of seconds). – Stale — The neighbor is no longer known to be reachable, but until traffic is sent to the neighbor, no attempt is made to verify its reachability.
4 To modify or remove an IPv6 neighbor, click Edit, and enter the fields described on the Add page. 5 If an entry for the specified IPv6 address already exists in the neighbor discovery cache, as learned through the IPv6 neighbor discovery process, you can convert the entry to a static entry. To do this, select Static in the Type field. Defining IPv6 Neighbors Using CLI Commands The following table summarizes the CLI commands for setting fields displayed in the IPv6 Neighbors pages. Table 9-31.
The following is an example of the CLI commands:
console# config
console(config)# ipv6 neighbor 3000::a31b vlan 1 001b.3f9c.84ea
console# show ipv6 neighbors dynamic
Interface IPv6 Address HW Address State Router
--------- ------------ ---------- ----- -----
VLAN 1 3000::a31b 0001b.3f9c.
IPv6 Routes Table

The IPv6 Routes Table describes how to reach IPv6 destinations. The routing table is used to determine the next-hop address and the interface used for forwarding. Each dynamic entry also has an associated invalidation timer value (extracted from Router Advertisements). This timer is used to delete entries that are no longer advertised.
– Prefix Length — The length of the IPv6 prefix. This field is applicable only when the destination address is defined as a global IPv6 address.
– Interface — The interface that is used to forward the packet. Interface refers to any Port, LAG or VLAN.
– Next Hop — The address to which the packet is forwarded on the route to the Destination address (typically the address of a neighboring router). This can be either a Link Local or Global IPv6 address.
The following is an example of the CLI commands:

console> show ipv6 route
Codes: L - Local, S - Static, I - ICMP, ND - Router Advertisement
The number in the brackets is the metric.
Domain Name System

The Domain Name System (DNS) converts user-defined domain names into IP addresses. Each time a domain name is assigned, the DNS service translates the name into a numeric IP address; for example, www.ipexample.com is translated into 192.87.56.2. DNS servers maintain domain name databases and their corresponding IP addresses.
4 To add a DNS server, click Add, and enter the fields:
– Supported IP Format — Select whether the IPv4 or IPv6 format is supported.
– IPv6 Address Type — When the server supports IPv6, this specifies the type of static address supported. The possible options are:
  • Link Local — A Link Local address that is non-routable and used for communication on the same network only.
  • Global — A globally unique IPv6 address; visible and reachable from different subnets.
Table 9-33. DNS CLI Commands (Continued)

CLI Command               Description
clear host                Deletes entries from the host name-to-address cache.
clear host dhcp {name|*}  Deletes entries from the host name-to-address mapping received from DHCP.
show hosts                Displays the default domain name, the list of name server hosts, the static and the cached list of host names and addresses.

The following is an example of the CLI commands:

console(config)# ip domain lookup
console(config)# ip name-server 176.16.1.
Default Domain Names

A default domain name is used when an IP address cannot be mapped to a known domain name. This domain name is applied to all unqualified host names.

To define the default domain name:
1 Click System > IP Addressing > Default Domain Name to display the Default Domain Name page.
Figure 9-25. Default Domain Name
If there is a currently-defined default domain name, it is displayed.
2 Enter the Default Domain Name (1 - 160 Characters).
Defining Default Domain Names Using the CLI Commands

The following table summarizes the CLI commands for configuring the default domain name:

Table 9-34. Default Domain Name CLI Commands

CLI Command          Description
ip domain-name name  Defines a default domain name that the software uses to complete unqualified host names.
no ip domain-name    The no form of the command disables the use of the Domain Name System (DNS).

The following is an example of the CLI commands:

console(config)# ip domain-name dell.
Host Name Mapping

Host names can be dynamically mapped to IP addresses through the Domain Name System pages, or statically through the Host Name Mapping page.

To assign IP addresses to static host names:
1 Click System > IP Addressing > Host Name Mapping in the tree view to display the Host Name Mapping: Summary page.
Figure 9-26. Host Name Mapping: Summary
The currently-defined host names are displayed.
2 Click Add to add a new host name. Up to four IP addresses can be added.
– IPv6 Address Type — When the server supports IPv6, this specifies the type of static address supported. The possible options are:
  • Link Local — A Link Local address that is non-routable and used for communication on the same network only.
  • Global — A globally unique IPv6 address; visible and reachable from different subnets.
– Link Local Interface — When the server supports an IPv6 Link Local address, this specifies the Link Local interface.
The following is an example of the CLI commands:

console(config)# ip host accounting.abc.com 176.10.23.1

ARP

The Address Resolution Protocol (ARP) converts IP addresses into physical MAC addresses. ARP enables a host to communicate with other hosts when their IP addresses are known.

To add an IP/MAC address mapping:
1 Click System > IP Addressing > ARP in the tree view to display the ARP: Summary page. Figure 9-27.
The entries in the table are displayed.
2 Enter the parameters:
• ARP Entry Age Out (1 - 40000000) — Enter the amount of time in seconds that can pass between ARP requests for this address. After this period, the entry is deleted from the table.
• Clear ARP Table Entries — Select the type of ARP entries that are cleared on all devices. The possible options are:
  • None — ARP entries are not cleared.
  • All — All ARP entries are cleared.
  • Dynamic — Only learned ARP entries are cleared.
Configuring ARP Using the CLI Commands

The following table summarizes the CLI commands for setting fields displayed in the ARP pages.

Table 9-36. ARP CLI Commands

CLI Command          Description
arp ip_addr mac_addr {[gigabitethernet|tengigabitethernet] port-number|vlan vlan-id|port-channel LAG-number}
                     Adds a permanent entry in the ARP cache.
no arp ip-address    Removes an ARP entry from the ARP Table.
arp timeout seconds  Configures how long an entry remains in the ARP cache.
UDP Relay

Switches do not typically route IP Broadcast packets between IP subnets. However, if configured, the switch can relay specific UDP Broadcast packets received from its IPv4 interfaces to specific destination IP addresses.

To configure the relaying of UDP packets received from a specific IPv4 interface with a destination UDP port:
1 Click System > IP Addressing > UDP Relay in the tree view to display the UDP Relay: Summary page. Figure 9-28.
The UDP relays are displayed.
2 To add a UDP relay, click Add, and enter the fields:
– Source IP Address — Select the source IP address to where the switch is to relay UDP Broadcast packets, based on a configured UDP destination port. The interface must be one of the IPv4 interfaces configured on the switch. Select All for all addresses.
The following is an example of the CLI commands:

console(config)# ip helper-address all 172.16.9.9 49 53
console(config)# do show ip helper-address
Interface    Helper Address   UDP Ports
-----------  ---------------  --------------------------
All          172.16.9.        49,53
Diagnostics

This section describes how to perform cable tests on copper and fiber optic cables.
Integrated Cable Test

Time Domain Reflectometry (TDR) technology is used to test the quality and characteristics of a copper cable attached to a port. Cables up to 120 meters long can be tested. Cables can only be tested when the ports are in the down state, with the exception of the Approximated Cable Length test. This test can only be performed when the port is up and operating at 1 Gbps.
4 Ensure that the cable is connected to the tested port. Go to the Test tab.
5 Click Test Now. The copper cable and Approximate Cable Length tests are performed, and the following test results are displayed:
– Test Result — Displays the cable test results. The possible options are:
  • No Cable — There is no cable connected to the port.
  • Open Cable — The cable is connected on only one side.
  • Short Cable — A short has occurred in the cable.
  • OK — The cable passed the test.
The following is an example of the CLI commands:

console> enable
console# test cable-diagnostics tdr gi1/0/3
Cable is open at 100 meters.
console# show cable-diagnostics cable-length interface gi2/0/5
Port     Length [meters]
-------  ----------------
gi2/0/5  < 50

Optical Transceiver Diagnostics

The Optical Transceiver Diagnostics page displays the operating conditions reported by the SFP (Small Form-factor Pluggable) transceiver.
To view the results of optical fiber tests:
• Click System > Diagnostics > Optical Transceiver Diagnostics in the tree view to display the Optical Transceiver Diagnostics page.
Figure 9-30. Optical Transceiver Diagnostics

The following fields are displayed for the selected unit:
– Port — The port number on which the cable was tested.
– Temperature — The temperature (C) at which the cable is operating.
– Voltage — The voltage at which the cable is operating.
Performing Fiber Optic Cable Tests Using CLI Commands

The following table contains the CLI command for performing fiber optic cable tests.

Table 9-39. Fiber Optic Cable Test CLI Commands

CLI Command               Description
show fiber-ports optical  Displays the optical transceiver diagnostics.
Management Security

This section describes the pages used to manage device security.
This means, for example, that the set of managers allowed via Telnet may be different from the set of Web-based managers, which, in turn, may be different from the set of secure-web based managers, and so on. A specific management access method may be completely disabled by denying all user access to it (e.g. denying all users access to CLI/Telnet management effectively disables CLI/Telnet as an available management interface to the system).
Creating an Access Profile

To define an access profile with a single rule:
1 Click System > Management Security > Access Profiles in the tree view to display the Access Profiles: Summary page.
Figure 9-31. Access Profiles: Summary
The currently-defined access profiles are displayed.
2 To activate an access profile, select it in the Active Access Profile field. If you select Console Only, active management of the device can only be performed using the console connection. This profile cannot be removed.
– Rule Priority (1-65535) — Enter the rule priority. Rules are applied to packets according to their priority. These can be viewed in the Profile Rules: Summary page.
– Management Method — Select the management method to which the access profile is applied. Users using this management method are authenticated using this access profile. The possible options are:
  • All — The access profile is applied to all management methods.
  • Telnet — The access profile is applied to Telnet users.
Defining Access Profiles Using CLI Commands

The following table contains the CLI command for defining an access profile, without its rules. The CLI commands for defining the rules are described in "Defining Access Profile Rules Using CLI Commands" on page 260.

Table 9-40. Access Profile CLI Commands

CLI Command                  Description
management access-list name  Defines an access-list for management.
no management access-list    Use the no form of this command to delete an access list.
Profile Rules

If an access profile already exists, meaning that a single rule has been defined on it, use the Profile Rules pages to add additional rules to it.

To add a rule to a management access profile:
1 Click System > Management Security > Profile Rules in the tree view to display the Profile Rules: Summary page.
Figure 9-32. Profile Rules: Summary
2 Select an access profile name. Its rules are displayed in the order that they will be implemented.
Defining Access Profile Rules Using CLI Commands

The following table summarizes the CLI commands for adding rules to access profiles.

Table 9-41. Access Profiles CLI Commands

CLI Command  Description
permit[[gigabitethernet|tengigabitethernet port-number]|vlan
             Sets port permit conditions for the management access list.
Table 9-41. Access Profiles CLI Commands (Continued)

CLI Command                         Description
show management access-list [name]  Displays the active management access-lists.
show management access-class        Displays information about management access-class.
Authentication Profiles

In addition to access profiles, you can configure authentication for management access methods, such as SSH, console, Telnet, HTTP, and HTTPS. User authentication can occur:
• Locally
• Via an external server, such as a TACACS+ or a RADIUS server

User authentication occurs in the order that the methods are selected. For example, if both the Local and RADIUS options are selected, the user is authenticated first locally.
To create an authentication profile:
1 Click System > Management Security > Authentication Profiles in the tree view to display the Authentication Profiles: Summary page.
Figure 9-33. Authentication Profiles: Summary
All currently-defined authentication profiles are displayed.
2 Click Add to add a new authentication profile, and enter the fields:
– Profile Name (1-12 Characters) — Enter the name of the new authentication profile. Profile names cannot include blank spaces.
• Enable — The enable (encrypted) password is used for authentication (defined in "Enable Password" on page 274).
• Local — The user authentication is performed by the device, which checks the user name and password for authentication.
• RADIUS — The user authentication is performed by the RADIUS server. For more information, see "RADIUS" on page 284.
• TACACS+ — The user authentication is performed by the TACACS+ server. For more information, see "TACACS+" on page 275.
Select Authentication

After Authentication Profiles are defined, they can be assigned to Management Access methods. For example, console users can be authenticated by Authentication Profile 1, while Telnet users can be authenticated by Authentication Profile 2.

To assign an authentication profile to a management access method:
1 Click System > Management Security > Select Authentication in the tree view to display the Select Authentication page. Figure 9-34.
3 For Secure HTTP and HTTP types of users, select one or all of the Optional Methods and click the right-arrow to move them to the Selected Methods. The options are:
– Local — Authentication occurs locally.
– None — No authentication method is used for access.
– RADIUS — Authentication occurs at the RADIUS server.
– TACACS+ — Authentication occurs at the TACACS+ server.
The following is an example of the CLI commands that sets authentication for the console using the previously defined default method list:

console(config)# line console
console(config-line)# enable authentication default
console(config-line)# login authentication default
console(config-line)# exit

The following is an example of the CLI commands that creates an authentication method list for http server access (RADIUS and local):

console(config)# ip http authentication aaa login-authentication radius
Active Users

To view active users on the device:
• Click System > Management Security > Active Users in the tree view to display the Active Users page.
Figure 9-35. Active Users

The following fields are displayed for all active users:
– Name — Active users logged into the device.
– Protocol — The management method by which the user is connected to the device.
– Location — The user’s IP address.
Displaying Active Users Using CLI Commands

The following table summarizes the CLI commands for viewing active users connected to the device.

Table 9-44. Active Users CLI Commands

CLI Command  Description
show users   Displays information about active users.

The following is an example of the CLI command:

console> show users
Username  Protocol  Location
--------  --------  ---------
Bob       Serial
John      SSH       172.16.0.1
Robert    HTTP      172.16.0.8
Betty     Telnet    172.16.1.
Local User Database

Use the Local User Database pages to define users, passwords and access levels.

To add a new user:
1 Click System > Management Security > Local User Database in the tree view to display the Local User Database: Summary page.
Figure 9-36. Local User Database: Summary
All users are displayed even if they have been suspended. If a user has been suspended, it can be restored here by selecting the Reactivate Suspended User field.
– Access Level — Select a user access level. The lowest user access level is 1 and 15 is the highest user access level. Users with access level 15 are Privileged Users, and only they can access and use the switch administrator.
– Password (8-64 characters) — Enter the password of the user.
– Confirm Password — Confirm the password of the user.

The following fields are displayed:
• Expiry Date — The expiration date of the user-defined password.
The following is an example of the CLI commands:

console(config)# username bob password lee privilege 15
console# set username bob active

Line Passwords

To add a line password for Console, Telnet, and Secure-Telnet users:
1 Click System > Management Security > Line Passwords in the tree view to display the Line Password page.
Figure 9-37. Line Password
2 Enter the fields for each type of user, separately:
– Password (0 - 159 Characters) — Enter the line password for accessing the device.
– Console/Telnet/Secure Telnet Line Aging (1-365) — Check to set the amount of time in days that elapses before a line password is aged out. Enter the number of days after which the password expires.
– Expiry Date — Displays the expiration date of the line password.
– Lockout Status — Displays whether the user currently has access (status Usable), or whether the user is locked out due to too many failed authentication attempts since the user last logged in successfully (status Locked).
Enable Password

To set a local password that controls access to Normal and Privilege level activities:
1 Click System > Management Security > Enable Passwords in the tree view to display the Enable Password page.
Figure 9-38. Enable Password
2 Enter the fields:
– Select Enable Access Level — Select the access level to associate with the enable password. The lowest user access level is 1 and 15 is the highest user access level.
– Expiry Date — If Aging is selected, displays the expiration date of the enable password.
– Lockout Status — Displays the number of failed authentication attempts since the user last logged in successfully (if the Enable Login Attempts checkbox is selected in the Password Management page). Specifies LOCKOUT when the user account is locked.
– Reactivate Suspended User — Check to reactivate the specified user’s access rights. Access rights can be suspended after unsuccessfully attempting to log in.
The TACACS+ protocol ensures network integrity through encrypted protocol exchanges between the device and TACACS+ server.

To configure TACACS+ servers:
1 Click System > Management Security > TACACS+ in the tree view to display the TACACS+: Summary page.
Figure 9-39. TACACS+: Summary
The list of currently-defined TACACS+ servers is displayed. The parameters for each server are displayed, along with its connection status.
2 Enter the default parameters for TACACS+ servers.
– Key String (1-128 Characters) — The authentication and encryption key for TACACS+ communications between the device and the TACACS+ server. This key must match the encryption key sent by the TACACS+ server. This key is encrypted.
– Timeout for Reply (1-30) — The amount of time that passes before the connection between the device and the TACACS+ server times out.
3 To add a TACACS+ server, click Add, and enter the fields on the page.
Wherever available, check Use Default to use a value that was entered in the TACACS+: Summary page.

Defining TACACS+ Settings Using CLI Commands

The following table summarizes the CLI commands for setting fields displayed in the TACACS+ Settings pages.

Table 9-48. TACACS+ CLI Commands

CLI Command  Description
tacacs-server host {ip-address|hostname} [single-connection] [port port-number]
             Configures a TACACS+ host. Use the no form of this command to delete the specified TACACS+ host.
The following is an example of the CLI commands:

console(config)# tacacs-server source-ip 172.16.8.1
console# show tacacs
Device Configuration
-----------------------------
IP Address  Status         Port  Single      TimeOut  Source IP  Priority
                                 Connection
----------  -------------  ----  ----------  -------  ---------  --------
1.1.1.11    Not Connected  49    No          Global   Global     10
1.1.1.21    Not Connected  49    No          Global   Global     19
1.1.1.31    Not Connected  49    No          Global   Global     18
1.1.1.                     49    No          Global   Global     17
Password aging starts immediately after password management is enabled. However, it is only effective if system time on the device is taken from an SNTP server. Passwords expire according to the user-defined expiration date/time. Ten days prior to password expiration, the device displays a password expiration warning message. After the password has expired, users can log in a few additional times.
To define password management parameters:
1 Click System > Management Security > Password Management in the tree view to display the Password Management page.
Figure 9-40. Password Management
2 Check the required fields and enter their values:
– Enable Strong Passwords — Check to enable this feature.
– Number of Classes — Select a number of character classes. The character classes are: upper case characters, lower case characters, digits and punctuation.
– Password Minimum Length (8-64 characters) — When checked, specifies the minimum password length. Enter the minimum password length.
– Enable Login Attempts — When checked, enables locking a user out of the device when a faulty password is used more than the number of times entered. Select the maximum number of login attempts.
– Global Password Aging (1-365) — When checked, specifies that the password will expire in the number of days entered. Enter the number of days.
Table 9-49. Password Management CLI Commands (Continued)

CLI Command                 Description
password min-length length  Defines the minimum password length.
no password min-length      Use the no form of this command to remove the restriction.
passwords aging days        Enforces password aging.
no passwords aging          Use the no form of this command to return to default.
password history number     Defines the amount of times a password is changed, before the password can be reused.
Table 9-50. CLI Script to Configure Strong Password

CLI Command  Description
console(config)# passwords strength minimum character-classes 3
             Require that passwords contain at least three character classes.
password min-length 8
             Require that passwords contain at least eight characters.
console(config)# username admin privilege 15 password FGH123!@#
             Create a user named "admin" with privilege level 15 and a password that fits the strength rules.
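The strength rules in Table 9-50 can be checked against a provisioning script before it is pasted into the switch. The following Python is an added example, not part of the Dell guide or the switch software: it reads the two policy commands and the username commands shown in this section and reports which plaintext passwords fall short. The script text is constructed from those commands, and the function names are hypothetical.

```python
import re
import string

# The four character classes named on the Password Management page.
CHAR_CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "punctuation": string.punctuation,
}

# Matches prompts such as "console(config)# " or "console (config)# ".
PROMPT = re.compile(r"^\s*console\s*(\([\w-]+\))?\s*[#>]\s*")

# Constructed sample: the policy and username commands quoted in this section.
SAMPLE_SCRIPT = """\
console(config)# passwords strength minimum character-classes 3
console(config)# password min-length 8
console(config)# username bob password lee privilege 15
console(config)# username admin privilege 15 password FGH123!@#
"""


def strip_prompt(line):
    """Remove a leading CLI prompt, if any, and surrounding whitespace."""
    return PROMPT.sub("", line).strip()


def classes_used(password):
    """Return the sorted names of the character classes present in password."""
    return sorted(name for name, chars in CHAR_CLASSES.items()
                  if any(c in chars for c in password))


def parse_script(text):
    """Collect the strength policy and the username commands from a script."""
    policy = {"min_classes": 0, "min_length": 0}
    users = []
    for line in text.splitlines():
        tokens = strip_prompt(line).split()
        if tokens[:4] == ["passwords", "strength", "minimum",
                          "character-classes"] and len(tokens) == 5:
            policy["min_classes"] = int(tokens[4])
        elif tokens[:2] == ["password", "min-length"] and len(tokens) == 3:
            policy["min_length"] = int(tokens[2])
        elif len(tokens) >= 2 and tokens[0] == "username":
            user = {"name": tokens[1], "password": None, "privilege": None}
            options = tokens[2:]
            # "password X" and "privilege N" appear in either order on the page.
            for key, value in zip(options[0::2], options[1::2]):
                if key == "password":
                    user["password"] = value
                elif key == "privilege":
                    user["privilege"] = int(value)
            users.append(user)
    return policy, users


def audit(text):
    """Return (policy, report); report lists each user's policy violations."""
    policy, users = parse_script(text)
    report = []
    for user in users:
        problems = []
        password = user["password"]
        if password is None:
            problems.append("no password on the command line")
        else:
            if len(password) < policy["min_length"]:
                problems.append(
                    f"length {len(password)} < {policy['min_length']}")
            used = classes_used(password)
            if len(used) < policy["min_classes"]:
                problems.append(
                    f"{len(used)} character class(es) < {policy['min_classes']}")
        report.append({"name": user["name"],
                       "privilege": user["privilege"],
                       "problems": problems})
    return policy, report


if __name__ == "__main__":
    policy, report = audit(SAMPLE_SCRIPT)
    print("policy:", policy)
    for entry in report:
        status = "; ".join(entry["problems"]) or "meets policy"
        print(f"{entry['name']} (privilege {entry['privilege']}): {status}")
```

The check applies only where passwords appear in plaintext, as in a provisioning script; it says nothing about passwords already stored on the device.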
To add a RADIUS server:
1 Click System > Management Security > RADIUS in the tree view to display the RADIUS: Summary page.
Figure 9-41. RADIUS: Summary
The RADIUS default parameters and previously-defined RADIUS servers are displayed.
2 Enter the default parameters to be used when these parameters are not entered for a specific server.
– Default Retries (1-10) — The default number of transmitted requests sent to RADIUS server before a failure occurs.
– Source IPv6 Address — The source IPv6 address that is used for communication with RADIUS servers.
3 To add a RADIUS server, click Add, and enter the fields:
– Supported IP Format — Select whether the IPv4 or IPv6 format is supported.
– IP Address — Enter the RADIUS server IP address.
– Priority (0-65535) — Enter the priority of the authentication server being added. 0 is the highest value. This is used to configure the order in which servers are queried.
– Source IP Address — The device IP address that is used for communication with RADIUS servers.

Defining RADIUS Servers Using CLI Commands

The following table summarizes the CLI commands for defining fields displayed on the RADIUS pages. Table 9-51.
Table 9-51. RADIUS Server CLI Commands (Continued)

CLI Command  Description
radius-server source-ipv6 source-ipv6-address
             Specifies the source IPv6 address that will be used for the IPv6 communication with RADIUS servers.
no radius-server source-ipv6 source-ipv6-address
             Use the no form of this command to restore the default configuration.
radius-server retransmit retries
             Specifies the number of times the software searches the list of RADIUS server hosts.
no radius-server retransmit
The following is an example of CLI commands:

console(config)# radius-server host 192.168.10.1 auth-port 20 timeout 20
console(config)# radius-server key enterprise-server
console# show radius-servers
                 Port   Port   Time-   Ret-    Dead-
IP address       Auth   Acct   Out     rans    Time    Source IP        Prio.  Usage
---------------  -----  -----  ------  ------  ------  ---------------  -----  -----
1.1.1.11         1812   1813   Global  Global  Global  Global           10     all
1.1.1.21         1812   1813   Global  Global  Global  Global           19     all
1.1.1.
DHCP Server

The switch can operate as either:
• DHCP client that obtains its own IP from a DHCP server, as described in "DHCP IPv4 Interface" on page 207
• DHCP server that allocates IP addresses to other devices, as described in this section

This section contains the following topics:
• DHCP Server Overview
• DHCP Server Properties
• Network Pool
• Excluded Addresses
• Static Hosts
• Address Binding

DHCP Server Overview

A DHCP server uses a defined pool of IP addresses (user-defined) from w
DHCP Server Properties

If the device is configured to act as a DHCP server, pinging capability can be enabled. The DHCP server pings an IP address in the address pool before assigning that IP address to a requesting client. If the ping is unanswered, the DHCP server assumes that the address is not in use and assigns the address to the client.

To configure the device as a DHCP server:
1 Click System > DHCP Server > DHCP Server Properties in the tree view to display the DHCP Server Properties page.
2 Enter the fields:
– DHCP Server Status — Enable/disable the ability of the device to function as a DHCP server.
– DHCP Ping — Enable/disable the DHCP server to ping the offered IP address before responding to a client request.
– DHCP Ping Retries — Enter the number of pings that are sent before discarding an IP address. Use Default reverts to the default Ping Retries setting.
– DHCP Ping Timeout — Enter the maximum time interval (in milliseconds) that the DHCP server waits for a ping reply.
Table 9-52. DHCP Server CLI Commands (Continued)

CLI Command                        Description
ip dhcp ping timeout milliseconds  Specifies the time interval during which a DHCP server waits for a ping reply from an address pool.
no ip dhcp ping timeout            Use the no form of this command to restore default values.
Network Pool

When the device is serving as a DHCP server, a pool of IP addresses must be defined, from which the switch will allocate IP addresses to clients. Each IP pool has a lease duration.

To create a pool of IP addresses, and define their lease durations:
1 Click System > DHCP Server > Network Pool in the tree view to display the Network Pool: Summary page.
Figure 9-43. Network Pool: Summary
The previously-defined network pools are displayed.
  • Network Mask — Check and enter the pool’s network mask.
  • Prefix Length — Check and enter the number of bits that comprise the address prefix.
– Address Pool Start — Enter the first IP address in the range of the network pool.
– Address Pool End — Enter the last IP address in the range of the network pool.
– Lease Duration — Enter the amount of time a DHCP client can use an IP address from this pool. The total lease duration is 4294967295 seconds, i.e. 49710.2696 days.
• Peer-to-Peer — Point-to-point communications with a NetBIOS name server are used to register and resolve computer names to IP addresses.
• Mixed — A combination of b-node and p-node communications is used to register and resolve NetBIOS names. M-node first uses b-node; then, if necessary, p-node. M-node is typically not the best choice for larger networks because its preference for b-node Broadcasts increases network traffic.
• Hybrid — A hybrid combination of b-node and p-node is used.
Table 9-53. Network Pool CLI Commands (Continued)

CLI Command  Description
address {network-number|low low-address high high-address} {mask|prefix-length}
             Configures the subnet number, mask and start and end addresses for a DHCP address pool on a DHCP Server.
no address   Use the no form of this command to remove the subnet number and mask.
             Configures the time duration of the lease for an IP address that is assigned from a DHCP server to a DHCP client.
Table 9-53. Network Pool CLI Commands (Continued)

CLI Command  Description
time-server ip-address [ip-address2 ... ip-address8]
             Specifies the time servers list for a DHCP client.
no time-server
             Use the no form of this command to remove the time servers list.
next-server ip-address
             Configures the next server in the boot process of a DHCP client.
no next-server
             Use the no form of this command to remove the boot server.
Excluded Addresses

By default, the DHCP server assumes that all addresses in a pool may be assigned to clients. A single IP address or a range of IP addresses can be excluded.

To define an excluded address range:
1 Click System > DHCP Server > Excluded Addresses in the tree view to display the Excluded Addresses: Summary page.
Figure 9-44. Excluded Addresses: Summary
The previously-defined excluded IP addresses are displayed.
– End IP Address — Last IP address in the range of excluded IP addresses.

Excluding Addresses Using CLI Commands

The following table summarizes the CLI commands for excluding addresses.

Table 9-54. Excluding Addresses Using CLI Commands

CLI Command  Description
ip dhcp excluded-address low-address [high-address]
             Configures a DHCP address pool on a DHCP Server and enter DHCP Pool Configuration mode.
Static Hosts

To manually allocate permanent IP addresses to clients (known as static hosts):
1 Click System > DHCP Server > Static Hosts in the tree view to display the Static Hosts: Summary page.
Figure 9-45. Static Hosts: Summary
The static hosts are displayed.
2 To add a static host, click Add, and enter the fields:
– Host Name — Enter the host pool name, which can be a string of symbols and an integer.
– IP Address — Enter the IP address that was statically assigned to the host.
– Client Identifier — Enter a unique identification of the client specified in dotted hexadecimal notation, such as: 01b6.0819.6811.72.
or:
– MAC Address — Enter the MAC address of DHCP static host.
– Client Name — The name of the client, using a standard set of ASCII characters. The client name must not include the domain name.
– Default Router — Enter the default router for the DHCP client.
– Domain Name Server — Enter the DNS server available to the DHCP client.
– Next Server — Enter the IP address of the next server in the boot process of a DHCP client. If the next server in the boot process is not configured, the DHCP server uses inbound interface helper addresses as boot servers.
– Next Server Name — Enter the name of the next server in the boot process.
– Image File Name — Enter the name of the file that is used as a boot image.

Defining Static Hosts Using CLI Commands

The following table summarizes the CLI commands for defining static hosts. Table 9-55.
The following is an example of the CLI commands:

console(config)# ip dhcp pool host station
console(config-dhcp)# ip host accounting.website.com 176.10.23.1
console# show hosts
System Name:
Default domain: Domain name is not configured
Name/address lookup is enable
Name servers (Preference order): 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5
Configured host name-to-address mapping:
Host                               IP Address
---------------------------------  -----------------------
accounting.website.com             176.10.23.
Address Binding

Use the Address Binding page to view and remove the IP addresses allocated by the switch and their corresponding MAC addresses.

To view and/or remove address bindings:
• Click System > DHCP Server > Address Binding in the tree view to display the Address Binding page.
Figure 9-46. Address Binding

The following fields for the address bindings are displayed:
– IP Address — The IP addresses of the client.
• Permanent — The IP address, obtained dynamically from the switch, is owned by the client permanently (unless changes in the network environment/connections take place, for any reason).
• Dynamic — The IP address, obtained dynamically from the switch, is owned by the client for a specified period of time. The IP address is revoked at the end of this period, at which time the client must request another IP address.
SNMP
This section describes the Simple Network Management Protocol (SNMP) for managing network devices. It contains the following topics:
• SNMP Overview
• SNMP Global Settings
• SNMP Views
• SNMP Access Control (Groups)
• SNMP User Security Model (Users)
• SNMP Communities
• SNMP Notification Filters
• SNMP Notification Recipients
SNMP Overview
The switch supports SNMPv1, SNMPv2 and SNMPv3.
SNMP v1 and v2
The SNMP agent maintains a list of variables that are used to manage the switch.
• Privacy — Protects against disclosure of message content. Cipher Block Chaining (CBC) is used for encryption. Either authentication alone can be enabled on an SNMP message, or both authentication and privacy can be enabled on an SNMP message. However, privacy cannot be enabled without authentication.
• Timeliness — Protects against message delay or message redundancy. The SNMP agent compares the incoming message to the message time information.
• Key Management — Defines key generation, updates, and use.
– Privacy — SNMP frames can carry encrypted data. These mechanisms can be combined to provide three levels of security: – No security – Authentication – Authentication and Privacy. Note that for both authentication and privacy to be enabled, two groups with the same name, one with authentication and one with privacy, must be created. A group is a label for a combination of attributes that determines whether members have read, write, and/or notify privileges. Users can be associated with a group.
The local information is stored in four read-only MIB variables: snmpEngineId, snmpEngineBoots, snmpEngineTime, and snmpEngineMaxMessageSize. To configure SNMP: 1 Click System > SNMP > Global Parameters in the tree view to display the Global Parameters page. Figure 9-47. Global Parameters The global parameters are displayed. 2 Enter the fields: – Local Engine ID (10-64 Hex Characters) — Check and enter the local device engine ID. The field value is a hexadecimal string.
– Use Default — Check to use the device-generated Engine ID. The default Engine ID is based on the device MAC address, and is defined per standard as: • First 4 octets — First bit = 1, the rest is IANA Enterprise number = 674. • Fifth octet — Set to 3 to indicate the MAC address that follows. • Last 6 octets — MAC address of the device. – SNMP Notifications — Enable/disable the switch sending SNMP notifications.
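The default Engine ID layout described above can be checked mechanically. The following Python sketch is an added example, not code from Dell or the switch firmware: it builds the default Engine ID for a MAC address, decodes an existing Engine ID, and audits an inventory for values that are duplicated or do not follow the default layout. The sample MAC address, the host names and the whole-octet length check are assumptions made for the example.

```python
import re

DELL_ENTERPRISE = 674   # IANA Enterprise number quoted in the guide
FORMAT_MAC = 3          # fifth octet: a MAC address follows


def default_engine_id(mac: str) -> str:
    """Build the device-generated Engine ID for a MAC address, as hex text."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # First 4 octets: first bit set to 1, the rest is the enterprise number.
    prefix = (0x80000000 | DELL_ENTERPRISE).to_bytes(4, "big")
    return (prefix + bytes([FORMAT_MAC]) + bytes.fromhex(digits)).hex()


def parse_engine_id(engine_id: str) -> dict:
    """Decode an Engine ID and report whether it follows the default layout."""
    text = engine_id.strip().lower()
    # The Local Engine ID field accepts 10-64 hex characters; requiring an
    # even count (whole octets) is an assumption of this example.
    if not re.fullmatch(r"[0-9a-f]{10,64}", text) or len(text) % 2:
        raise ValueError("engine ID must be 10-64 hex characters, whole octets")
    raw = bytes.fromhex(text)
    head = int.from_bytes(raw[:4], "big")
    info = {
        "first_bit_set": bool(head & 0x80000000),
        "enterprise": head & 0x7FFFFFFF,
        "format": raw[4],
        "mac": None,
    }
    if info["first_bit_set"] and raw[4] == FORMAT_MAC and len(raw) == 11:
        info["mac"] = ":".join(f"{b:02x}" for b in raw[5:])
    info["is_device_default"] = (
        info["mac"] is not None and info["enterprise"] == DELL_ENTERPRISE
    )
    return info


def audit_engine_ids(inventory: dict) -> list:
    """Flag Engine IDs shared by several switches or not in the default layout."""
    findings, seen = [], {}
    for host, engine_id in sorted(inventory.items()):
        info = parse_engine_id(engine_id)
        key = engine_id.strip().lower()
        if key in seen:
            # SNMPv3 users and keys are tied to an engine ID, so two agents
            # must not share one.
            findings.append(f"{host}: engine ID duplicates {seen[key]}")
        else:
            seen[key] = host
        if not info["is_device_default"]:
            findings.append(f"{host}: engine ID does not follow the default layout")
    return findings


# Constructed inventory: host names and values are sample data.
SAMPLE_INVENTORY = {
    "sw-a": default_engine_id("0080.c200.0010"),
    "sw-b": "800002A2030080C2000010",   # same value as sw-a (cloned config)
    "sw-c": "0102030405",               # manually entered, shortest allowed
}

if __name__ == "__main__":
    print(default_engine_id("0080.c200.0010"))
    for finding in audit_engine_ids(SAMPLE_INVENTORY):
        print(finding)
```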
Table 9-56. SNMP Global Parameters Commands (Continued)

| CLI Command | Description |
|---|---|
| snmp-server trap authentication | Enables the router to send Simple Network Management Protocol traps when authentication fails. |
| no snmp-server trap authentication | Use the no form of this command to disable SNMP failed authentication traps. |
| show snmp | Checks the status of SNMP communications. |
Views can be attached to groups in the Access Control pages. To create an SNMP view: 1 Click System > SNMP > View Settings in the tree view to display the View Settings: Summary page. Figure 9-48. View Setting: Summary 2 Select a view name. Its subtrees are displayed. 3 To remove a subtree from an SNMP view, click Remove. The subtrees of the default views (Default, DefaultSuper) cannot be changed. 4 To add a new view, click Add, and enter a new View Name (1-30 Characters).
• Selected from List — Select the device feature OID by using the Up and Down buttons to scroll through a list of all device OIDs.
Or:
• Insert — Specify the device feature OID.
– View Type — Specify if the defined OID branch will be included or excluded in the selected SNMP view.
Defining SNMP Views Using CLI Commands
The following table summarizes the CLI commands for defining fields displayed in the View Settings pages.
Table 9-57.
SNMP Access Control (Groups) For ease of use, users may be assigned to groups. In this way, it is possible to assign feature access rights to an entire group, instead of assigning them individually to users. Users are created in the User Security Model pages. Groups can be defined in any version of SNMP, but only SNMPv3 groups can be assigned authentication methods.
– Security Model — Select the SNMP version of the group.
– Security Level — Select the security level attached to the group. Security levels apply to SNMPv3 only. The possible options are:
• No Authentication — Neither authentication nor the privacy security levels are assigned to the group.
• Authentication — Authenticates SNMP messages, and ensures that the origin of the SNMP message is authenticated.
• Privacy — Encrypts SNMP message.
– Operation — Select the group access rights.
The following is an example of the CLI commands:

console (config)# snmp-server group user-group v3 priv read user-view
console# show snmp groups
Name   Security        Views
       Model  Level    Read     Write    Notify
-----  -----  -------  -------  -------  ----------
1      V1     noauth   -        -        -
2      V1     noauth   -        -        -
3      V1     noauth   -        -        -
4      V1     noauth   -        -        -
5      V1     noauth   -        -        -

SNMP User Security Model (Users)
An SNMP user is defined by the following:
• Login credentials (username, password, and authentication met
To create an SNMP V3 user, and assign it to a group and view:
1 Click System > SNMP > User Security Model in the tree view to display the User Security Model: Summary page.
Figure 9-50. User Security Model: Summary
The currently-defined users and their groups are displayed.
2 To add a user, click Add, and enter the fields:
– User Name (1-30 Characters) — Enter a new user name.
– Engine ID — Specifies the local or remote SNMP entity, to which the user is connected.
– Authentication Method — Select an authentication method used to authenticate users. The possible options are:
• None — No user authentication is used.
• MD5 Password — HMAC-MD5-96 password is used for authentication.
• SHA Password — Users are authenticated using the HMAC-SHA-96 authentication level.
• MD5 Key — Users are authenticated using the HMAC-MD5 algorithm.
• SHA Key — Users are authenticated using the HMAC-SHA-96 authentication level.
Defining SNMPv3 Users Using CLI Commands
The following table summarizes the CLI commands for defining fields displayed in the User Security Model pages.
Table 9-59. SNMP Users CLI Commands

| CLI Command | Description |
|---|---|
| snmp-server user username groupname {v1\|v2c\|[remote-host] v3 [encrypted] [auth {md5\|sha} auth-password]} | Configures a new SNMP V3 user. |
| show snmp users [username] | Displays the configuration of users. |
| no snmp-server user username [remote- | Use the no form of the command to remove a user. |
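How a password differs from a key in the authentication options above, shown as an added Python example (not Dell's code) that follows the password-to-key and key localization procedure of RFC 3414. It assumes the switch follows that RFC; the password is the RFC's own test value, and the engine IDs and message bytes are constructed.

```python
import hashlib
import hmac

EXPANDED_LENGTH = 1048576   # RFC 3414 A.2: hash 1,048,576 octets of repeated password


def password_to_key(password: str, algo: str) -> bytes:
    """Turn a user password into the intermediate key Ku (algo: 'md5' or 'sha1')."""
    data = password.encode()
    if not data:
        raise ValueError("password must not be empty")
    reps, rest = divmod(EXPANDED_LENGTH, len(data))
    return hashlib.new(algo, data * reps + data[:rest]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, message: bytes, algo: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: keep the first 12 octets (96 bits) of the HMAC.

    A real agent computes this over the whole SNMP message with the
    authentication parameters field zeroed; here the message is opaque bytes.
    """
    return hmac.new(kul, message, algo).digest()[:12]


def verify(kul: bytes, message: bytes, tag: bytes, algo: str) -> bool:
    """Constant-time comparison of the received tag with the expected one."""
    return hmac.compare_digest(auth_tag(kul, message, algo), tag)


def demo() -> dict:
    """Same password on two switches: the localized keys are not interchangeable."""
    engine_a = bytes.fromhex("800002a2030080c2000010")  # default layout, sample MAC
    engine_b = bytes.fromhex("800002a2030080c2000011")  # second, constructed switch
    ku = password_to_key("maplesyrup", "sha1")
    key_a = localize_key(ku, engine_a, "sha1")
    key_b = localize_key(ku, engine_b, "sha1")
    message = b"constructed SNMPv3 message bytes"
    tag = auth_tag(key_a, message, "sha1")
    return {
        "keys_differ": key_a != key_b,
        "tag_length": len(tag),
        "accepted_by_a": verify(key_a, message, tag, "sha1"),
        "accepted_by_b": verify(key_b, message, tag, "sha1"),
        "tampered_accepted": verify(key_a, message + b"!", tag, "sha1"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the localized key depends on the Engine ID, a key captured from one switch does not authenticate to another, and changing a switch's Engine ID invalidates the keys derived for it.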
To define an SNMP community: 1 Click System > SNMP > Communities in the tree view to display the Communities: Summary page. Figure 9-51. SNMP Community The Basic and Advanced tables are displayed. 2 To add a new community, click Add. 3 Define the SNMP management station by entering its IP address information: – Supported IP Format — Select whether the IPv4 or IPv6 format is being used. – IPv6 Address Type — When the community supports IPv6, this specifies the type of static address supported.
• Global — A globally unique IPv6 address; visible and reachable from different subnets.
– Link Local Interface — When the server supports an IPv6 Link Local address, this specifies the Link Local interface. The possible options are:
• VLAN — The VLAN on which the IPv6 interface is configured.
• ISATAP — The IPv6 interface is configured on an ISATAP tunnel.
– Group Name — Select the group to be associated with the community. Configuring Communities Using CLI Commands The following table summarizes the CLI commands for setting fields in the Community pages. Table 9-60. SNMP Community CLI Commands CLI Command Description snmp-server community community [view view-name] [ro|rw|su] {ipv4-address|ipv6-address} [mask mask-value|prefix-length prefix-value] [type router|oob] Sets up the community access string to permit access to the SNMP protocol.
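An added example (not part of the Dell guide) that audits a saved configuration for the SNMP access settings described in this section: communities without a view or with more than read-only access, groups that cannot carry authentication, and users without it. The grammar is taken from the command syntax in Tables 9-59 and 9-60 and the group example above; accepting both v2 and v2c as model keywords is an assumption, the sample configuration is constructed, and the md5 note is a policy choice of this example.

```python
WRITE_ACCESS = {"rw", "su"}
LEVEL_NOTES = {
    "noauth": "SNMPv3 group has neither authentication nor privacy",
    "auth": "SNMPv3 group authenticates messages but does not encrypt them",
}


def check_community(args):
    """args: community string followed by [view name] [ro|rw|su] address ..."""
    rest = args[1:]          # args[0] is the secret; never echo it in findings
    notes = []
    if "view" in rest[:-1]:
        i = rest.index("view")
        rest = rest[:i] + rest[i + 2:]     # drop 'view <name>' before reading access
    else:
        notes.append("community is not limited to an SNMP view")
    access = next((t for t in rest if t in WRITE_ACCESS), None)
    if access:
        notes.append(f"community access is '{access}', not read-only")
    return notes


def check_group(args):
    """args: group name, model, then the security level for v3 groups."""
    model = args[1].lower() if len(args) > 1 else ""
    if model in ("v1", "v2", "v2c"):
        return [f"group uses SNMP{model}; authentication methods need an SNMPv3 group"]
    level = args[2].lower() if len(args) > 2 else ""
    return [LEVEL_NOTES[level]] if level in LEVEL_NOTES else []


def check_user(args):
    """args: user name, group name, then v1 | v2c | [remote-host] v3 [auth ...]."""
    opts = [a.lower() for a in args[2:]]
    if "v3" not in opts:
        return ["user is SNMPv1/v2c and has no per-user authentication"]
    if "auth" not in opts:
        return ["SNMPv3 user has no authentication method"]
    i = opts.index("auth")
    if opts[i + 1:i + 2] == ["md5"]:
        return ["user authenticates with md5; sha is the stronger option offered"]
    return []


CHECKS = {"community": check_community, "group": check_group, "user": check_user}


def audit_snmp_config(config: str) -> list:
    """Return (line number, command, note) for each weak SNMP setting found."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "snmp-server" or tokens[1] not in CHECKS:
            continue                      # other commands are out of scope here
        for note in CHECKS[tokens[1]](tokens[2:]):
            findings.append((lineno, tokens[1], note))
    return findings


# Constructed configuration: names, addresses and secrets are sample values.
SAMPLE_CONFIG = """\
snmp-server filter user1 iso included
snmp-server community example-ro view user-view ro 192.0.2.10
snmp-server community example-rw rw 192.0.2.10
snmp-server group user-group v3 priv read user-view
snmp-server group legacy-group v2 read user-view
snmp-server group open-group v3 noauth read user-view
snmp-server user alice user-group v3 auth sha EXAMPLE-PASSWORD
snmp-server user bob open-group v3
"""

if __name__ == "__main__":
    for lineno, command, note in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {lineno} ({command}): {note}")
```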
• Selection of trap generation parameters • Access control checks After creating a notification filter, attach it to a notification recipient in the SNMPv1,2 Notification Recipients pages. To add a notification filter: 1 Click System > SNMP > Notification Filters in the tree view to display the Notification Filter: Summary page. Figure 9-52. Notification Filter: Summary 2 The OIDs of the selected filter are displayed.
4 To add a new notification filter, click Add.
5 In addition to the fields described in the Summary page, enter the fields:
– Filter Name (1-30 Characters) — Enter the notification filter name.
– New Object Identifier Tree — Check to specify the device feature OID included or excluded in the selected SNMP view.
• Selected from List — Select the device feature OID by using the Up and Down buttons to scroll through a list of all device OIDs.
or:
• Object ID — Specify the device feature OID.
The following is an example of CLI commands:

console (config)# snmp-server filter user1 iso included
console(config)# end
console # show snmp filters
Name        OID Tree      Type
----------- ------------- --------
user1       iso           Included

SNMP Notification Recipients
An SNMP notification is a trap message, sent from the switch to the SNMP management station, indicating that a certain event has occurred, such as a link up or down.
To add notification recipients, and attach them to notification filters: 1 Click System > SNMP > Notification Recipient in the tree view to display the Notification Recipients: Summary page. Figure 9-53. Notification Recipients: Summary The previously-defined notification recipients are displayed. 2 To add a new notification recipient, click Add, and enter the fields: – Supported IP Format — Select whether the IPv4 or IPv6 format is supported.
– Link Local Interface — When the server supports an IPv6 Link Local address, this specifies the Link Local interface. The possible options are: • VLAN — The IPv6 interface is configured on this VLAN. • ISATAP — The IPv6 interface is configured on an ISATAP tunnel. – Recipient IP — The IP address to whom the traps are sent. – Notification Type — The notification sent. The possible options are: • Trap — Traps are sent. • Inform — Informs are sent.
Configuring SNMP Notification Recipients Using CLI Commands The following table summarizes the CLI commands for setting fields in the Notification Recipients pages. Table 9-62.
File Management This section describes how to manage device firmware (image files) and configuration files. It contains the following topics: • File Management Overview • Auto-Update/Configuration Feature • File Download • File Upload • Active Images • Copy Files • File System File Management Overview This section describes the system files found in the system and how they can be updated (downloaded) and backed up (uploaded).
device. This can be done manually in the Copy Files page; see "Auto-Update/Configuration Feature" on page 331 for more information about how to perform this automatically.
• Image Files—Files with extension .ros. System file images are saved in two flash files called Image 1 and Image 2. The active image contains the active copy, while the other image contains a backup copy. The device boots and runs from the active image.
The required configuration files/images are stored on a USB key or TFTP server, and these are downloaded to all the devices in the network when the device boots up instead of booting from a local startup configuration file.
Setup File Format A line in a setup file contains all or some of the above fields separated by spaces (in the following order): If the field is omitted, it is considered to be blank. A line can be in one of the following formats: • Format A—Contains all possible fields: Examples: – 0080.c200.
• Format B—Contains the following 4 fields: Example: 0080.c200.0010 switch-X.text pc5500-4018.ros This means that the line applies to the device with MAC address: 0080.c200.0010. The switch-x.text is the Startup Configuration file and pc5500-4018.ros is the new image file. • Format C—Contains the following 5 fields: Example: 192.168.0.10 255.255.255.0 switch.
Triggering the Auto-Update/Configuration Process When the Auto-Update/Configuration feature is enabled (in the Auto Update of Configuration/Image File page), the device automatically attempts to download a new image or configuration file (under certain circumstances) using one of the following processes: • The Auto-Update process is triggered from the USB drive if a USB key in the USB drive is found.
• If the auto process involved setting the IP address of the device from the setup file, the auto process from the TFTP server can be triggered. • If the USB drive contains a setup file, but that setup file does not include a line that can be used for the current device, the DHCP client is able to trigger the Auto-Update process from TFTP (because the USB process never started at all). Automatic DHCP IP Interface Assignment The user can manually define a DHCP interface in the DHCP IPv4 page.
• If a new image file was loaded, the device is rebooted.
• The USB drive is searched for a configuration file (.text extension). If there is more than one configuration file, the file named powerconnect.text is loaded (if it is not found the process is stopped).
– One or more setup files are found—If a single setup file is found, it is used; if several files are found, the file powerconnect.setup is used. If no setup file with this name is found, the process is stopped.
• The configuration file specified by the line does not exist on the USB key or is corrupted.
• The image file specified by the line does not exist on the USB key or is corrupted.
– If parsing of the line failed for some other reason, the line is ignored and a SYSLOG message is sent.
NOTE: When both Auto-Update and Auto-Configuration are performed, the image file is loaded first, the device is booted and then the configuration file is loaded.
• Device - On the device, one of the following cases may exist:
– If Configuration Auto-Config is selected, the device is configured with the configuration file on the TFTP server only if the Startup configuration file is empty.
– If Force Configuration Download at Next Startup is selected, the device is configured with the configuration file on the TFTP server whether or not the Startup configuration file is empty.
Preparations for Firmware Image Download from TFTP
The image file download consists of the following steps:
• The switch downloads the Indirect Image File and extracts from it the name of the image file. Note: If the image name is longer than 160 octets, only the first 160 octets are used.
• If the image file version differs from the current image file version, then the image file is loaded and the switch is rebooted.
Auto Update Configuration through the GUI
To set the auto update and configuration parameters:
NOTE: For the automatic options in this page to work, the following must be implemented:
• Since Auto-Config depends on retrieving information from a DHCP server, the startup configuration needs to include a DHCP IP interface. The device is defined as a DHCP client, as described in "DHCP IPv4 Interface" on page 207. After reboot, this command is not saved in the Startup configuration.
The auto-update-configuration options are displayed. 2 Modify the auto-update configuration parameters as required: – Configuration Auto-Config (boot host auto-config)— Enable/disable automatic download of the configuration parameters to the Running Configuration file. By default, this occurs only if the Startup Configuration file is empty. – Firmware Auto-Update (boot host auto-update)— Enable/disable automatic download of the image file.
Table 9-63. Auto Update of Configuration/Image File CLI Commands (Continued)

| CLI Command | Description |
|---|---|
| boot host dhcp | Forces the mechanism used to download a configuration file at the next system startup. |
| no boot host dhcp | Use the no form of this command to restore the host configuration file to the default. |
| boot host auto-save / no boot host auto-save | Enables automatic saving of Running configuration in Startup configuration after download. |
The following is an example of the CLI command to configure auto-update on the switch:

console# configure
console(config)# boot host auto-save
console(config)# interface vlan 1
console(config-if)# ip address dhcp
console(config-if)# 01-Oct-2006 15:19:51 %BOOTP_DHCP_CL-WDHCPIPCANDIDATE: The device is waiting for IP address verification on interface Vlan 1 , IP 10.5.225.47, mask 255.255.255.224, DHCP server 10.5.224.
To download from a USB port or when management computer uses HTTP 1 Click System > File Management > File Download in the tree view to display the File Download page. Figure 9-55. File Download 2 For HTTP, enter the IP Format fields for the HTTP server IP address. – Supported IP Format — Select whether IPv4 or IPv6 format is supported. – IPv6 Address Type — When the server supports IPv6, this specifies the type of static address supported.
3 Select a Firmware/Configuration option. The possible options are: – Firmware Download — A firmware file is downloaded. – Configuration Download — A configuration file is downloaded. 4 Select to download firmware or a configuration file via a USB port or HTTP in Download Protocol. 5 If the Firmware Download option was selected, enter the following: – Source File Name (1-64 characters) — The file to be downloaded. – Destination File Type — The destination file type to which the file is downloaded.
To download files using TFTP 1 Click System > File Management > File Download in the tree view to display the File Download page. Figure 9-56. File Download 2 Enter the IP Format fields for the TFTP server IP address. – Supported IP Format — Select whether IPv4 or IPv6 format is supported. – IPv6 Address Type — When the server supports IPv6, this specifies the type of static address supported.
– Link Local Interface — When the server supports an IPv6 Link Local address, this specifies the Link Local interface. The possible options are: • VLAN — The VLAN on which the IPv6 interface is configured. • ISATAP — The IPv6 interface is configured on an ISATAP tunnel. 3 Select a Firmware/Configuration option. The possible options are: – Firmware Download — A firmware file is downloaded. – Configuration Download — A configuration file is downloaded.
– Destination File Name — The destination file to which the configuration file is downloaded. The possible options are: • Running Configuration — Check to download commands into the Running Configuration file. The current file is overwritten. • Startup Configuration — Check to download commands into the Startup Configuration file. The current file is overwritten. • New File Name (1-64 characters) — Check to download commands into a configuration backup file. Enter the filename.
The following methods can be used: • To upload from a USB port or when management computer uses HTTP • To upload a file or image using TFTP To upload from a USB port or when management computer uses HTTP 1 Click System > File Management > File Upload in the tree view to display the File Upload page. Figure 9-57. File Upload 2 Configuration Upload is selected automatically. 3 Select to upload a configuration file when the management computer is using HTTP or from a USB port in Download Protocol.
To upload a file or image using TFTP 1 Click System > File Management > File Upload in the tree view to display the File Upload page. Figure 9-58. File Upload 2 Enter the IP Format fields for the TFTP server IP address. – Supported IP Format — Select whether IPv4 or IPv6 format is supported. – IPv6 Address Type — When the server supports IPv6, this specifies the type of static address supported.
– Link Local Interface — When the server supports an IPv6 Link Local address, this specifies the Link Local interface. The possible options are: • VLAN — The VLAN on which the IPv6 interface is configured. • ISATAP — The IPv6 interface is configured on an ISATAP tunnel. 3 Select one of the options: – Firmware Upload — A firmware file is uploaded. – Configuration Upload — A configuration file is uploaded. 4 Select to upload firmware or a configuration file via a TFTP server in Download Protocol.
Uploading Files Using CLI Commands The following table summarizes the CLI commands for setting fields displayed in the File Upload page. Table 9-65. File Upload CLI Commands CLI Command Description copy source-url destination-url Copies any file from a source to a destination. The following is an example of the CLI commands: console# copy image tftp://10.6.6.64/uploaded.
Active Images There are two firmware images, Image1 and Image2, stored on the switch. One of these images is identified as the active image, and the other is identified as the inactive image. The switch boots from the active image. You can switch the inactive image to the active image, and then reboot the switch. The active image file for each unit in the stack can be individually selected.
– Active Image — The name of the image file that is currently active on the unit in the stack. – After Reset — The image file that will be active on the unit in the stack after the device is reset. The possible options are: • Image 1 — Activates Image file 1 after the device is reset. • Image 2 — Activates Image file 2 after the device is reset. 2 Click Apply to select the image file to be used after reset in After Reset.
• Copy a configuration file to the Running Configuration file. It is important to be aware that copying a file to the Running Configuration file actually executes these commands, so some of the configuration commands might fail (for example when trying to create a VLAN that is already defined on the system). • Restore configuration factory defaults. To copy files: 1 Click System > File Management > Copy Files in the tree view to display the Copy Files page. Figure 9-60.
– Destination Unit — Check to copy the firmware to either the Backup Master unit or all units in the stack. 3 To copy the Running Configuration file of the Master unit to the Startup Configuration file of the Master unit or vice versa, select Copy Configuration Firmware and enter the options: – Source — Select either the Running Configuration or the Startup Configuration file.
The following is an example of the CLI commands:

console# delete startup-config
Delete startup-config [y/n]? y
console# 01-Oct-2006 16:10:51 %FILE-I-DELETE: File Delete file URL flash://startup-config
console# copy running-config startup-config
Overwrite file [startup-config] ?[Yes/press any key for no]....
File System
Use the File System page to view information about files currently stored on the system, including file names, file sizes, file modifications, and file permissions. The file system permits managing up to two user-defined backup configuration files.
To view information about files:
1 Click System > File Management > File System in the tree view to display the File System page.
Figure 9-61. File System
2 Select the File Location.
The following information is displayed for all files in the system: – File Name — The name of the file currently stored in the file management system. – Size — The file size. – Modified — The date the file was last modified. – Permission — The permission type assigned to the file. 3 The following system-wide information is displayed if Flash was selected: – Total Bytes — The total amount of the space currently being used. – Free Bytes — The remaining amount of space currently free.
Stack Management This section describes how to manage the stack. It consists of the following topics: • Stack Management Overview • Stack Unit ID • Versions • Reset • Unit Identification (Location) Stack Management Overview A stack consists of up to eight units, with support for up to 400 network ports. Unit 1 usually acts as the stack master and Unit 2 is the backup master. All other units act as slaves.
To switch from the Backup Master unit to the Master Unit or set unit IDs:
1 Click System > Stack Management > Stack Unit ID in the tree view to display the Stack Unit ID page.
Figure 9-62. Stack Unit ID
2 Enter the fields:
– Switch Stack Control from Unit 1 to Unit 2 — Check this field to make unit 2 the Master unit.
– Unit ID After Reset — Select Auto if you want the system to assign the unit ID after reset. Select a number to assign the unit an ID manually.
Managing Stacks Using the CLI Commands The following table summarizes the CLI commands for setting fields displayed in the Stack Unit ID page. Table 9-69. Stack Unit ID CLI Commands CLI Command Description stack master unit Makes the unit specified be the Master unit. no stack master Use the no version to restore the default Master unit. switch current-unit-number Changes the unit ID of a specific unit.
Versions
To view the hardware and software versions currently running on the switch:
• Click System > Stack Management > Versions in the tree view to display the Versions page.
Figure 9-63. Versions
The following fields are displayed:
– Unit ID — The unit number for which the device versions are displayed.
– Software Version — The current software version running on the device.
– Boot Version — The current Boot version running on the device.
Displaying Device Versions Using the CLI
The following table summarizes the CLI commands for viewing fields displayed in the Versions page.
Table 9-70. Versions CLI Commands

| CLI Command | Description |
|---|---|
| show version [unit-id] | Displays system version information for a unit or for the whole stack. |

The following is an example of the CLI commands:

console> show version 2
Unit  SW Version     Boot Version   HW Version
----  -------------  -------------  ------------
2     1.0.0.8        1.0.0.02       00.00.
2 Click System > Stack Management > Reset in the tree view to display the Reset page. Figure 9-64. Reset 3 In the Reset Unit ID field, select either the unit ID to be reset or Stack to reset all the units in the stack. Resetting the Device Using the CLI The following table summarizes the CLI commands for performing a reset of the device via the CLI: Table 9-71. Reset CLI Command CLI Command Description reload [slot unit] Reloads the operating system of a single unit or of all the units.
The following is an example of the CLI command:

console# reload
You haven't saved your changes. Are you sure you want to continue? (Y/N)[N] Y
This command will reset the whole system and disconnect your current session. Do you want to continue? (Y/N)[N]

Unit Identification (Location)
The Location LED on a unit helps you to discover a specific unit, or indeed, all the units in a stack.
2 Enter the fields: – Identify Unit ID —Select a unit. This unit’s Location and Power LED start blinking. Select All to cause the Location LEDs in all the units in the stack to light up. – Identification Duration (2-60) —Enter a time interval. The Location and Power LED light up for this period of time. Setting the Location LED Using the CLI The following table summarizes the CLI commands for setting the Location LED: Table 9-72.
sFlow This section describes sFlow monitoring of traffic. It contains the following sections: • sFlow Overview • Workflow • sFlow Receiver Settings • sFlow Interface Settings • sFlow Statistics sFlow Overview The sFlow feature enables collecting statistics using the sFlow sampling technology, based on sFlow V5. This sampling technology is embedded within switches and routers. It provides the ability to continuously monitor traffic flows on some or all the interfaces, simultaneously.
Workflow By default, flow and counter sampling are disabled. To enable sFlow sampling: 1 Set the IP address of a receiver (also known as a collector) for sFlow statistics. Use the sFlow Receivers Settings page for this. 2 Enable flow and/or counter sampling, direct the samples to a receiving interface, and configure the average sampling rate. Use the sFlow Interface Settings pages for this. 3 View and clear the sFlow statistics counters. Use the sFlow Statistics page for this.
sFlow Receiver Settings To set the sFlow receiver parameters: 1 Click System > sFlow > sFlow Receivers Settings in the tree view to display the sFlow Receivers Settings: Summary page. Figure 9-66. sFlow Receivers Settings: Summary The sflow parameters are displayed. 2 To add a receiver (sflow analyzer), click Add and select one of the pre-defined sampling definition indices in Index. 3 Enter the receiver’s address fields: – Supported IP Format — Select whether IPv4 or IPv6 format is supported.
– IPv6 Address Type — When the server supports IPv6, this specifies the type of static address supported. The possible options are:
• Link Local — A Link Local address that is non-routable and used for communication on the same network only.
• Global — A globally unique IPv6 address; visible and reachable from different subnets.
– Link Local Interface — When the server supports an IPv6 Link Local address, this specifies the Link Local interface.
The following is an example of the CLI commands:

console(config)# sflow receiver 2 1.1.1.1 port 6343
console# show sflow configuration
Receivers
Index IP Address           Port     Max Datagram Size
----- -------------------- -------- -----------------
1     0.0.0.0              6343     1400
2     172.16.1.2           6343     1400
3     0.0.0.0              6343     1400
4     0.0.0.0              6343     1400
5     0.0.0.0              6343     1400
6     0.0.0.0              6343     1400
7     0.0.0.0              6343     1400
8     0.0.0.
sFlow Interface Settings To sample datagrams or counters from a port, the port must be associated with a receiver. sFlow port settings can be configured only after a receiver has been defined in the sFlow Receiver Settings pages. To enable sampling and configure the port from which to collect the sFlow information: 1 Click System > sFlow > sFlow Interface Settings in the tree view to display the sFlow Interface Settings: Summary page. Figure 9-67.
– Flow Sampling Average Sampling Rate(1024–1073741823) — If x is entered, a flow sample will be taken for each x frames. – Flow Sampling Receiver Index — Select one of the indices that was defined in the sFlow Receivers Settings pages. – Flow Sampling Maximum Header Size (20–256) — Maximum number of bytes that should be copied from a sampled packet. – Counters Sampling — Enable/disable counters sampling.
sFlow Statistics To view sFlow statistics: 1 Click System > sFlow > sFlow Statistics in the tree view to display the sFlow Statistics page. Figure 9-68. sFlow Statistics The following sflow statistics per interface are displayed: – Interface — Port for which sample was collected. – Packets Sampled — Number of packets sampled. – Datagrams Sent to Receiver — Number of sFlow sampling packets sent. 2 Click Clear Statistics to clear the counters.
Viewing sFlow Statistics Using the CLI The following table summarizes the CLI commands for viewing sFlow statistics: Table 9-75. sFlow Statistics CLI Command CLI Command Description show sflow statistics [port-id] Displays sFlow statistics for ports that are enabled for Flow sampling or Counters sampling. clear sflow statistics [port-id] Clears sFlow statistics for ports that are enabled for Flow sampling or Counters sampling.
Ports This section describes how to configure port functionality.
Overview This section includes a description of port features and describes the following: • Auto-Negotiation • MDI/MDIX • Flow Control • Back Pressure • Port Default Settings Auto-Negotiation Auto-negotiation enables automatic detection of speed, duplex mode and flow control on all switching 10/100/1000BaseT ports. Auto-negotiation is enabled on all ports by default.
irrelevant. The standard wiring for end stations is known as MDI (Media Dependent Interface), and the standard wiring for hubs and switches is known as MDIX. Flow Control The device supports 802.3x flow control for ports configured to Full Duplex mode. By default, this feature is enabled on all ports, and it can be disabled per port. Flow control creates a lossless link with no packet loss.
Table 10-1.
Jumbo Frames
Jumbo frames are frames of up to 10 Kb in size. If Jumbo frames are not enabled, the system supports a packet size of up to 1,632 bytes.
To enable jumbo frames:
1 Click Switching > Ports > Jumbo Frames in the tree view to display the Jumbo Frames page.
Figure 10-1. Jumbo Frames
The current jumbo frames setting is displayed.
2 Enable/disable jumbo frames in the New Setting (after reset) field.
NOTE: You must save the configuration and reboot the device in order to make jumbo frames operational.
Configuring Jumbo Frames Using CLI Commands
The following table summarizes the CLI commands for configuring Jumbo frames.
Table 10-2. Jumbo Frames CLI Commands
CLI Command | Description
port jumbo-frame | Enables jumbo frames on the device.
no port jumbo-frame | Use the no form of this command to disable jumbo frames.
Green Ethernet Configuration
Green Ethernet is the name of a set of features that are designed to reduce the power consumption of a device, and so make it environmentally friendly. The Green Ethernet feature reduces overall power usage in the following ways:
• Energy Efficient Ethernet — When using EEE, systems on both sides of the link can disable portions of their functionality and save power during periods of low link utilization.
The above two energy saving modes must be enabled globally and then configured per port.
Green Ethernet Configuration
To configure Green Ethernet settings:
1 Click Switching > Ports > Green Ethernet Configuration in the tree view to display the Green Ethernet Configuration: Summary page.
Figure 10-2. Green Ethernet Configuration: Summary
2 The amount of energy saved from the last switch reboot is displayed in the Cumulative Energy Saved field.
• Current Power Consumption — Displays the current power consumption.
• Power Savings — Displays the percentage of power saved by running in Green Ethernet mode.
4 Select a unit in the stack to display its power consumption parameters. Its ports are displayed along with the following settings.
– Remote Rx Timer (μsec) — Indicates the local link partner’s reflection of the remote link partner’s Rx value.
Configuring Green Ethernet Using CLI Commands
The following table summarizes the CLI commands for configuring Green Ethernet.
Table 10-3. Green Ethernet CLI Commands
CLI Command | Description
green-ethernet short-reach | Enables/disables Green Ethernet short reach mode.
no green-ethernet short-reach |
green-ethernet short-reach force | Forces short-reach mode on an interface.
Protected Ports
Protected Port Overview
Protected ports provide Layer 2 isolation between interfaces (Ethernet ports and LAGs) that share the same Broadcast domain (VLAN) with other interfaces. This can be used to set up a group of ports that receive similar services. A protected port does not forward traffic (Unicast, Multicast, or Broadcast) to any other protected port on the same switch. A community is a group of protected ports.
Protected Port Configuration
To configure protected ports and establish their communities:
1 Click Switching > Ports > Protected Ports in the tree view to display the Protected Ports: Summary page.
Figure 10-3. Protected Ports: Summary
A summary of all the ports and their statuses is displayed.
2 Click Edit.
3 Select the unit and interface.
4 Enter values for the following fields:
• State — Select Protected/Unprotected to enable/disable port protection.
Configuring Protected Ports Using CLI Commands
The following table summarizes the CLI commands for configuring protected ports.
Table 10-4. Protected Ports CLI Commands
CLI Command | Description
switchport protected-port | Isolates Unicast, Multicast, and Broadcast traffic on a port at Layer 2 from other protected ports on the same switch.
no switchport protected-port | Use the no form of this command to disable protection on the port.
Port Profile
Port profiles provide a convenient way to save and share a port configuration. When a port profile, which is a set of CLI commands having a unique name, is applied to a port, the CLI commands contained within the profile (macro) are executed and added to the Running Configuration file. Port profiles can be applied to a specific interface, a range of interfaces, or globally.
To assign a profile to a port:
1 Click Switching > Ports > Port Profile in the tree view to display the Port Profiles: Summary page.
Figure 10-4. Port Profile: Summary
A summary of all the interfaces and their profiles is displayed.
2 To assign the Global profile to the system, check Run Global Profile. Apply the global profile before applying a built-in interface profile.
3 To assign a profile to an interface, click Edit.
4 Select a unit/interface and an Assigned Profile.
– Native VLAN ID (1-4094) — Enter the VLAN ID used for untagged traffic to trunk ports, or check None.
The remaining fields on this page are display-only, and describe the port configuration of the profile. The following fields are described:
Port Security fields:
– Mode — Learning mode. The possible options are:
• Classic Lock — Locks the port using the classic lock mechanism. The port is immediately locked, regardless of the number of addresses that have already been learned.
When each of the chosen network layer protocols has been configured, packets from each network layer protocol can be sent over the link. The link remains configured for communications until explicit LCP or NCP packets close the link, or until some external event occurs. This is the actual switch port link type. It may differ from the administrative state.
• Disable — Disables point-to-point link.
• Auto — The device automatically establishes a point-to-point link.
Table 10-5. Port Profiles CLI Commands (Continued)
CLI Command | Description
show parser macro [{brief|description [interface [gigabitethernet|tengigabitetherne | Displays the parameters for all configured macros or for one macro on the switch.
Table 10-6. Create a Global Macro Script (Continued)
CLI Command | Description
vlan database | Enter the commands in the macro, which create VLANs 40 through 50.
vlan 40-50 |
@ |
console(config)# do show parser macro name interswitch | Display the macro.
console(config)# macro global apply interswitch | Apply the macro.
The following is a script that creates an interface macro.
Table 10-7.
Port Configuration
If port configuration is modified while the port is a LAG member, the configuration change is only effective after the port is removed from the LAG.
To configure a port:
1 Click Switching > Ports > Port Configuration in the tree view to display the Port Configuration: Summary page.
Figure 10-5. Port Configuration: Summary
All ports on the selected unit and their configuration settings are displayed.
2 To modify the port settings, click Edit and select a port.
• Down — Traffic is disabled through the port.
– Current Port Status — Displays whether the port is currently operational or non-operational.
– Re-Activate Suspended Port — Check to reactivate a port if the port has been disabled through the locked port security option.
– Operational Status — Displays the port operational status. The possible options are:
• Suspended — Port is currently active, and is not receiving or transmitting traffic.
– Admin Advertisement — Check the auto-negotiation setting the port advertises. The possible options are:
• Max Capability — The port advertises all the options that it can support.
• 10 Half — The port advertises for a 10 Mbps speed port and half duplex mode setting.
• 10 Full — The port advertises for a 10 Mbps speed port and full duplex mode setting.
• 100 Half — The port advertises for a 100 Mbps speed port and half duplex mode setting.
– MDI/MDIX — Select one of the options that enables the device to decipher between crossed and uncrossed cables. Hubs and switches are deliberately wired opposite to the way end stations are wired, so that when a hub or switch is connected to an end station, a straight through Ethernet cable can be used, and the pairs match up properly.
Table 10-8. Port Configuration CLI Commands (Continued)
CLI Command | Description
set interface active {[gigabitethernet|tengigabitethernet] interface|port-channel LAG-number} | Reactivates an interface that is shutdown.
speed {10|100|1000|10000} | Configures the speed of a given Ethernet interface when not using auto negotiation.
no speed | Use the no form of this command to restore the default configuration.
Table 10-8. Port Configuration CLI Commands (Continued)
CLI Command | Description
show interfaces advertise | Displays the interface’s negotiation advertisement settings.
show interfaces status [[gigabitethernet|tengigabitethernet] port-number|port-channel LAG-number] | Displays the status for all configured interfaces.
show interfaces description [[gigabitethernet|tengigabitethe | Displays the description for all configured interfaces.
LAG Configuration
Use the LAG Configuration pages to configure LAGs. The device supports up to 32 LAGs per system, meaning for all units in the stack. For information about Link Aggregated Groups (LAGs) and assigning ports to LAGs, see "Link Aggregation" on page 500.
To configure LAGs:
1 Click Switching > Ports > LAG Configuration in the tree view to display the LAG Configuration: Summary page.
Figure 10-6. LAG Configuration: Summary
The LAG parameters are displayed.
2 To configure a LAG, click Edit.
• Static — The ports comprise a single logical port for high-speed connections between networking devices.
• LACP — Link Aggregate Control Protocol. LACP-enabled LAGs can exchange information with other links in order to update and maintain LAG configurations automatically.
– Description (0 - 64 Characters) — Enter a user-defined description of the configured LAG.
– LAG Type — Displays the port types that comprise the LAG.
– Admin Status — Enable/disable the selected LAG.
• 1000 Full — The LAG advertises for a 1000 Mbps speed LAG and full duplex mode setting.
– Current Advertisement — Displays the speed that the LAG advertises to its neighbor LAG to start the negotiation process. The possible field values are those specified in the Admin Advertisement field.
– Neighbor Advertisement — Displays the neighboring LAG advertisement settings. The field values are identical to the Admin Advertisement field values.
– Admin Flow Control — Enable/disable flow control on the LAG.
Table 10-9. LAG Configuration CLI Commands (Continued)
CLI Command | Description
shutdown | Disables the LAG.
no shutdown | Use the no form of this command to restart the LAG.
speed {10|100|1000|10000} | Configures the speed of the LAG when not using auto negotiation.
no speed | Use the no form of this command to restore the default configuration.
negotiation [capability1 [capability2…capability5] | Enables auto negotiation operation for the speed and duplex parameters of a LAG.
no negotiation |
The following is an example of the CLI commands:
console(config)# interface port-channel 1
console(config-if)# no negotiation
console(config-if)# speed 100
console(config-if)# flowcontrol on
console(config-if)# exit
console(config)# interface port-channel 2
console(config-if)# shutdown
console(config-if)# exit
console(config-if)# end
console# show interfaces port-channel
Channel   Ports
--------- ---------
ch1       Inactive: gi/1/0/(11-13)
ch2       Active: gi/1/0/14
Storm Control
When Broadcast, Multicast, or Unknown Unicast frames are received, they are duplicated, and a copy is sent to all possible egress ports. This means that in practice, they are sent to all ports belonging to the relevant VLAN. In this way, one ingress frame is turned into many, creating the potential for a storm. Storm protection provides the ability to limit the number of frames entering the switch, and to define the types of frames that are counted towards this limit.
Storm control parameters are displayed for all ports on the selected unit.
2 To configure Storm Control on a port, click Edit.
3 Select a port from the Port drop-down list and enter the following fields:
– Broadcast Control — Enable/disable forwarding Broadcast packets on the specific interface.
– Broadcast Mode — Select the counting mode. The possible options are:
• Multicast & Broadcast — Counts Broadcast and Multicast traffic together towards the bandwidth threshold.
Table 10-10. Storm Control CLI Commands (Continued)
CLI Command | Description
show ports storm-control port | Displays the storm control configuration.
Port Mirroring
Switches usually only forward frames to relevant ports. To monitor traffic, either for information gathering, such as statistical analysis, or for troubleshooting higher-layer protocol operation, the Mirroring feature forwards frames to a monitoring port. Mirroring provides the ability to specify that a desired destination (target) port will receive a copy of all traffic passing through designated source ports.
• All QoS/CoS rules that apply to the destination port, as an egress, such as traffic shaping, are suspended for the duration of the mirroring session. Any such settings, configured on the port during the mirroring session, take effect only after the port is no longer a destination port for a mirroring session.
• Ingress mirrored packets may arrive at the ingress port either with an 802.1q tag or without.
Port Mirroring
To specify source and destination ports for port mirroring:
1 Click Switching > Ports > Port Mirroring in the tree view to display the Port Mirroring: Summary page.
Figure 10-8. Port Mirroring: Summary
The previously-defined source ports for the selected Destination Port are displayed, along with the fields defined in the Add page and their status.
– Status — Indicates if the port is currently being monitored (Active) or not being monitored (notReady), because of some problem.
Configuring Port Mirroring Using CLI Commands
The following table summarizes the CLI commands for configuring Port Mirroring.
Table 10-11. Port Mirroring CLI Commands
CLI Command | Description
port monitor srcinterface-id [rx|tx] | Starts a port monitoring session. This must be performed in Interface Configuration mode, which is the destination interface.
no port monitor srcinterface-id | Use the no form of this command to stop a port monitoring session.
show ports monitor |
11 Address Tables
This section describes how MAC addresses are handled on the device.
Overview
MAC addresses, associated with ports, are stored in the Static Address or the Dynamic Address tables. Packets, addressed to a destination stored in one of these tables, are forwarded to the associated port. MAC addresses are dynamically learned when packets arrive at the device. Addresses are associated with ports by learning the source address of the frame. Frames, addressed to a destination MAC address that is not associated with any port, are flooded to all ports of the relevant VLAN.
Static Addresses
Static addresses are manually assigned to a specific interface and VLAN on the switch. If a static address is seen on another interface, the address is ignored and it is not written to the address table.
To define a static address:
1 Click Switch > Address Tables > Static Address Table in the tree view to display the Static Address Table: Summary page.
Figure 11-1. Static Address Table
A list of the currently-defined static addresses is displayed.
2 To add a static address, click Add.
• Permanent — The MAC address is never aged out of the table and, if it is saved to the Startup Configuration, it is retained after rebooting.
• Delete on Reset — The MAC address is deleted when the device is reset.
• Delete on Timeout — The MAC address is deleted when a timeout occurs.
• Secure — The MAC address is secure when the interface is in classic locked mode.
The following is an example of the CLI commands:
console(config-if)# bridge address 00:60:70:4C:73:FF permanent gi1/0/8
console# show mac address-table static
Aging time is 300 sec
VLAN MAC Address        Port     Type
---- ------------------ -------- --------
1    00:60:70:4C:73:FF  gi1/0/8  static
1    00:60:70:8C:73:FF  gi1/0/8  static
200  00:10:0D:48:37:FF  gi1/0/9  static
Dynamic Addresses
The Dynamic Address Table contains the MAC addresses acquired by monitoring the source addresses of traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports in the VLAN of the frame.
3 To clear the table, check Clear Table.
4 To display a subset of the addresses in a particular order, enter the query criteria and sort key under Query By, and click Query.
The following fields are displayed for entries matching the query criteria:
– VLAN ID — VLAN ID in the entry.
– MAC Address — Interface MAC address.
– Interface — Port or LAG associated with the MAC address.
The following is an example of the CLI commands:
console(config)# mac address-table aging-time 600
console# show mac address-table dynamic
Aging time is 300 sec
VLAN MAC Address        Port     Type
---- ------------------ -------- --------
1    00:60:70:4C:73:FF  gi1/0/8  dynamic
1    00:60:70:8C:73:FF  gi1/0/8  dynamic
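An added example, not part of the Dell guide: a Python audit that parses output in the layout of the show mac address-table examples above and compares the learned entries with an expected inventory. The inventory, the per-port threshold and the sample output are constructed for illustration.

```python
import re
from collections import Counter
from typing import NamedTuple


class Entry(NamedTuple):
    vlan: int
    mac: str   # normalised to lower case
    port: str
    kind: str  # "static" or "dynamic"


# One table row: VLAN, MAC address, port, type (layout of the CLI examples above).
ROW = re.compile(
    r"^\s*(\d{1,4})\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\S+)\s+(static|dynamic)\s*$"
)

# Constructed sample output; not captured from a real switch.
SAMPLE_OUTPUT = """\
console# show mac address-table dynamic
Aging time is 300 sec
VLAN MAC Address        Port     Type
---- ------------------ -------- --------
1    00:60:70:4C:73:FF  gi1/0/8  dynamic
1    00:60:70:8C:73:FF  gi1/0/8  dynamic
1    00:60:70:8C:74:01  gi1/0/8  dynamic
200  00:10:0D:48:37:FF  gi1/0/12 dynamic
"""

# Hypothetical inventory: (VLAN, MAC) -> port where the station is expected.
INVENTORY = {
    (1, "00:60:70:4c:73:ff"): "gi1/0/8",
    (1, "00:60:70:8c:73:ff"): "gi1/0/8",
    (200, "00:10:0d:48:37:ff"): "gi1/0/9",
}


def parse_mac_table(text):
    """Return the table rows as Entry tuples; prompts and headers are skipped."""
    entries = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            vlan, mac, port, kind = match.groups()
            entries.append(Entry(int(vlan), mac.lower(), port, kind))
    return entries


def audit(entries, inventory, max_macs_per_port=2):
    """Return (finding, port, detail) tuples for entries that deviate.

    unknown-mac      address is not in the inventory at all
    unexpected-port  address was learned on a port other than the expected one
    too-many-macs    more dynamic addresses on one port than the threshold,
                     e.g. an unmanaged switch or a flood of source addresses
    """
    findings = []
    for entry in entries:
        expected_port = inventory.get((entry.vlan, entry.mac))
        if expected_port is None:
            findings.append(("unknown-mac", entry.port, entry.mac))
        elif expected_port != entry.port:
            findings.append(("unexpected-port", entry.port, entry.mac))
    per_port = Counter(e.port for e in entries if e.kind == "dynamic")
    for port, count in sorted(per_port.items()):
        if count > max_macs_per_port:
            findings.append(("too-many-macs", port, str(count)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_mac_table(SAMPLE_OUTPUT), INVENTORY):
        print(*finding)
```
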
12 GARP
This section describes how to configure Generic Attribute Registration Protocol (GARP) on the device.
GARP Overview
Generic Attribute Registration Protocol (GARP) is a general-purpose protocol that registers network connectivity or membership-style information. GARP defines a set of devices interested in a given network attribute, such as VLAN or Multicast address. The Generic Attribute Registration Protocol (GARP) provides a generic framework whereby devices in a bridged LAN, such as end stations and switches, can register and de-register attribute values, such as VLAN Identifiers, with each other.
GARP Timers
To enable a GARP timer on an interface:
1 Click Switching > GARP > GARP Timers in the tree view to open the GARP Timers: Summary page.
Figure 12-1. GARP Timers: Summary
The GARP timers are displayed.
2 Click Edit.
3 Select an interface, and enter the fields:
– GARP Join Timer (10 - 2147483640) — Enter the time, in milliseconds, during which Protocol Data Units (PDU) are transmitted.
Defining GARP Timers Using CLI Commands
This table summarizes the CLI commands for defining GARP timers as displayed in the GARP Timers pages.
Table 12-1. GARP Timer CLI Commands
CLI Command | Description
garp timer {join|leave|leaveall} timer_value | Adjusts the GARP application join, leave, and leaveall GARP timer values.
Spanning Tree
This chapter describes the Spanning Tree Protocol.
Spanning Tree Protocol Overview
Spanning Tree Protocol (STP) provides a tree topology for any bridge arrangement. STP eliminates loops by providing a unique path between end stations on a network. Loops occur when alternate routes exist between hosts. Loops, in an extended network, can cause bridges to forward traffic indefinitely, resulting in packets not arriving at their destination, increased traffic, and reduced network efficiency.
instance is associated with the Layer 2 domain on which it performs loop detection and mitigation. This enables a port to be stopped in one instance, such as traffic from VLAN A that is causing a loop, while traffic can remain active in another domain where no loop was seen, such as on VLAN B. MSTP provides full connectivity for packets allocated to any VLAN, and transmits packets assigned to various VLANs, through different multiple spanning tree (MST) regions. MST regions act as a single bridge.
Global Settings
To enable STP and select the STP mode on the device:
1 Click Switching > Spanning Tree > Global Settings in the tree view to display the Global Settings page.
Figure 13-1. Global Settings
The currently-defined settings are displayed.
2 Enter the fields:
– Spanning Tree State — Enable Spanning Tree on the device.
– STP Operation Mode — Select the STP mode enabled on the device. The possible options are:
• Classic STP — Enables Classic STP on the device.
– BPDU Handling — Select how Bridge Protocol Data Unit (BPDU) packets are managed when STP is disabled on the port/device. BPDUs are used to transmit spanning tree information. The possible options are:
• Filtering — Filter BPDU packets when spanning tree is disabled on an interface.
• Flooding — Flood BPDU packets when spanning tree is disabled on an interface.
– Path Cost Default Values — Select the method used to assign default path costs to STP ports.
– Forward Delay (4-30) — Check to use device forward delay time, which is the interval of time in seconds that a bridge remains in a listening and learning state before forwarding packets. Enter a value.
Designated Root — Displays the following:
– Bridge ID — The bridge priority and MAC address.
– Root Bridge ID — The root bridge priority and MAC address.
– Root Port — The port number that offers the lowest cost path from this bridge to the Root Bridge.
Table 13-1. STP Global Parameter CLI Commands (Continued)
CLI Command | Description
spanning-tree pathcost method {long|short} | Sets the default path cost method.
no spanning-tree pathcost method | Use the no form of this command to return to the default configuration.
spanning-tree priority priority | Configures the spanning tree priority.
 | Use the no form of this command to restore the default device spanning-tree priority.
The following is an example of the CLI commands:
console(config)# spanning-tree
console(config)# spanning-tree mode rstp
console(config)# spanning-tree priority 12288
console(config)# spanning-tree hello-time 5
console(config)# spanning-tree max-age 12
console(config)# spanning-tree forward-time 25
console(config)# exit
STP Port Settings
To assign STP properties to individual ports:
1 Click Switching > Spanning Tree > STP Port Settings in the tree view to display the STP Port Settings: Summary page.
Figure 13-2. STP Port Settings: Summary
The ports and their STP settings are displayed.
2 To modify STP settings on a port, click Edit.
3 Select the port, and enter the fields:
– STP — Enable/disable STP on the port.
– Fast Link — Check to enable Fast Link mode for the port.
– BPDU Guard — Check to enable BPDU Guard on the port.
– Root Guard — Check to prevent devices outside the network core from being assigned the spanning tree root.
– Port State — Displays the current STP state of a port. If the port state is not disabled, it determines what forwarding action is taken on traffic. The possible port states are:
• Disabled — STP is currently disabled on the port. The port forwards traffic while learning MAC addresses.
– Speed — Displays the speed at which the port is operating.
– Path Cost (1-200000000) — Enter the port contribution to the root path cost. The path cost is adjusted to a higher or lower value, and is used to forward traffic when a path is being rerouted.
– Default Path Cost — Check to use the default path cost.
– Priority — Select the priority value that influences the port choice when a bridge has two ports connected in a loop. The priority value is provided in increments of 16.
Table 13-2. STP Port Settings CLI Commands (Continued)
CLI Command | Description
spanning-tree port-priority priority | Configures port priority.
no spanning-tree port-priority | Use the no form of this command to restore the default configuration.
show spanning-tree [[gigabitethernet|tengigabitethernet] port-number|port-channel LAG-number][instance instance-id] | Displays spanning tree configuration.
spanning-tree portfast | Enables Fast Link mode.
The following is an example of the CLI commands:
console> enable
console# configure
console(config)# interface gi1/0/1
console(config-if)# spanning-tree enable
console(config-if)# spanning-tree cost 35000
console(config-if)# spanning-tree port-priority 96
console(config-if)# spanning-tree portfast
console(config-if)# exit
console(config)# exit
console# show spanning-tree gi1/0/15 instance 12
Port gi1/0/15 enabled
State: discarding Role: alternate
Port ID: 128.
STP LAG Settings
To assign STP parameters to LAGs:
1 Click Switching > Spanning Tree > LAG Settings in the tree view to display the STP LAG Settings: Summary page.
Figure 13-3. STP LAG Settings: Summary
The LAGs and their STP settings are displayed.
2 To modify STP settings on a LAG, click Edit.
3 Select a LAG from the Select a LAG drop-down menu.
4 Enter the fields.
– STP — Enable/disable STP on the LAG.
– Fast Link — Check to enable Fast Link mode for the LAG.
– LAG State — Displays the current STP state of the LAG. If enabled, the LAG state determines what forwarding action is taken on traffic. If the bridge discovers a malfunctioning LAG, the LAG is placed in the Broken state. Possible LAG states are:
• Disabled — STP is currently disabled on the LAG. The LAG forwards traffic while learning MAC addresses.
• Blocking — The LAG is blocked and cannot be used to forward traffic or learn MAC addresses.
– Path Cost (1-200000000) — Enter the amount the LAG contributes to the root path cost. The path cost is adjusted to a higher or lower value, and is used to forward traffic when a path is being rerouted. The path cost has a value of 1 to 200000000.
– Default Path Cost — Check for the device to use the default path cost.
– Priority — Select the priority value of the LAG. The priority value influences the LAG choice when a bridge has looped ports. The priority value is given in steps of 16.
Rapid Spanning Tree
While classic spanning tree prevents Layer 2 forwarding loops on a general network topology, convergence can take from 30 to 60 seconds. This delay provides time to detect possible loops, and propagate status changes. Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies that enable a faster convergence of the spanning tree, without creating forwarding loops.
– Role — Displays the port role assigned by the STP algorithm in order to provide STP paths. The possible options are:
• Root — This port provides the lowest cost path to forward packets to root switch.
• Designated — This port is the interface through which the bridge is connected to the LAN, which provides the lowest cost path from the LAN to the Root Bridge.
• Alternate — This port provides an alternate LAG to the root switch from the root interface.
configured, packets from each network layer protocol can be sent over the link. The link remains configured for communications until explicit LCP or NCP packets close the link, or until some external event occurs. This is the actual switch port link type. It may differ from the administrative state.
• Disable — Disables point-to-point link.
• Auto — The device automatically establishes a point-to-point link.
– Point-to-Point Operational Status — Displays the Point-to-Point operating state.
Table 13-3. Rapid STP Parameters CLI Command (Continued)
CLI Command | Description
show spanning-tree [[gigabitethernet|tengigabitethernet] port-number|port-channel LAG-number] | Displays spanning tree configuration.
Multiple Spanning Tree
This section describes Multiple Spanning Tree Protocol (MSTP).
MSTP Overview
MSTP maps VLANs into STP instances, using various load balancing scenarios. As a result of this partitioning into instances, if port A is blocked in one STP instance, the same port can be placed in the Forwarding State in another STP instance. In addition, packets assigned to various VLANs are transmitted along different paths within Multiple Spanning Trees Regions (MST Regions). Regions are one or more Multiple Spanning Tree bridges by which frames can be transmitted.
2 Enter the following fields:
– Region Name (1-32 Characters) — Enter the user-defined MSTP region name.
– Revision (0-65535) — Enter the unsigned 16-bit number that identifies the current MST configuration revision. The revision number is required as part of the MST configuration.
– Max Hops (1-40) — Enter the total number of hops that occur in a specific region before the BPDU is discarded. Once the BPDU is discarded, the port information is aged out.
Table 13-4. MSTP Properties CLI Commands (Continued)
CLI Command | Description
show {current|pending} | Displays the current or pending MST region configuration.
show spanning-tree mst-configuration | Displays the MSTP configuration.
VLAN to MSTP Instance
To map VLANs to MSTP instances:
1 Click Switching > Spanning Tree > VLAN to MSTP Instance in the tree view to display the VLAN to MSTP Instance: Summary page.
Figure 13-6. VLAN to MSTP Instance: Summary
The MSTP instances and their associated VLANs are displayed.
2 To associate a VLAN with an MSTP instance, click Edit.
3 Select the MSTP instance, the VLAN and whether to add or remove the VLAN from the MSTP instance association.
• Add — Add these VLANs to the MST instance.
• Remove — Remove these VLANs from the MST instance.
Mapping VLAN to MSTP Instances Using CLI Commands
The following table summarizes the CLI commands for mapping VLANs to MSTP instances.
Table 13-5. Mapping VLAN to MSTP Instances Using CLI Commands
CLI Command | Description
spanning-tree mst configuration | Enters MST Configuration mode.
instance instance-id vlan vlan-range | Maps VLANs to an MST instance.
MSTP Instance Settings
To configure MSTP instances:
1 Click Switching > Spanning Tree > MSTP Instance Settings in the tree view to display the MSTP Instance Settings page.
Figure 13-7. MSTP Instance Settings
The MSTP instances and their associated VLANs are displayed.
2 Select an Instance ID.
3 Enter the Bridge Priority (0-61440) of this bridge for the selected MSTP instance.
4 The following fields are displayed:
– Included VLANs — Displays VLANs included in this instance.
– Root Port — Root port of the selected instance.
– Root Path Cost — Root path cost of the selected instance.
– Bridge ID — Bridge priority and the MAC address of this switch for the selected instance.
– Remaining Hops — Number of hops remaining to the next destination.
Configuring MSTP Instances Using CLI Commands
The following table summarizes the CLI commands for configuring the fields in the MSTP Instance pages.
Table 13-6.
MSTP Interface Settings
To assign interfaces to MSTP instances:
1 Click Switching > Spanning Tree > MSTP Interface Settings in the tree view to display the MSTP Interface Settings: Summary page.
Figure 13-8. MSTP Interface Settings: Summary
MSTP interface settings for the selected instance are displayed.
2 To set MSTP settings for an interface, click Edit.
3 Select an instance, and enter the fields:
– Interface ID — Assign either ports or LAGs to the selected MSTP instance.
Boundary port attaches MST bridges to LAN in an outlying region. If the port is a boundary port, it also indicates whether the device on the other side of the link is working in RSTP or STP mode.
– Role — Displays the port role assigned by the STP algorithm in order to provide STP paths. The possible options are:
• Root — This port provides the lowest cost path to forward packets to root switch.
Defining MSTP Interfaces Using CLI Commands
The following table summarizes the CLI commands for defining MSTP interfaces as displayed in the MSTP Interfaces pages.
Table 13-7. MSTP Interface CLI Commands
CLI Command | Description
spanning-tree mst instance-id cost cost | Sets the path cost of the port for MST calculations (in Interface Configuration mode).
14 VLANs
This chapter describes how VLANs are configured on the device.
Virtual LAN Overview
A VLAN is a switched network that is logically segmented on an organizational basis, by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network, or the fact that they might be intermingled with other teams.
Frame Flow
Figure 16-1 describes the flow of VLAN frames from the Ingress port to the Egress port:
Figure 14-1. Frame Flow Through a VLAN
[Figure labels: Ingress, Progress, Egress; Received Frame, Transmitted Frame; VLAN Classification, Ingress Filtering, Forwarding Decision, Egress Filtering, Filtering Database]
When a frame is received, it must be assigned a VLAN.
QinQ Tagging
QinQ tagging enables you to add an additional tag to previously-tagged packets. The added tag provides a VLAN ID to each customer, which ensures private and segregated network traffic. The VLAN ID tag is assigned to a customer port in the service provider network. The designated port then provides additional services to the packets with the double-tags. This enables administrators to expand service to VLAN users.
Ingress filtering is always enabled on Trunk-mode ports. Incoming frames undergo ingress filtering and, if correctly tagged (tagged with a VID of one of the VLANs to which the port currently belongs), are admitted. The default PVID is 1 (the default VLAN). If another VID is configured as the port’s PVID, and the corresponding VLAN is deleted from the port or from the system, the port’s PVID reverts to 1, meaning that the port is made a member of the default VLAN.
Acceptable Frame Type The acceptable frame type can be set on a port to accept all frames (tagged and untagged), tagged only, or untagged only. This setting takes precedence over all other settings, so that if the acceptable frame type is tagged only, incoming untagged frames are silently discarded, even if the port has a valid PVID.
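The admission rules described above (acceptable frame type first, then VLAN classification by tag or PVID, then ingress filtering) can be modelled in a few lines. This is an added example, not code from the guide or from the switch firmware; the Port class, classify() and unfiltered_vlans() are hypothetical names, the port settings are constructed, and priority-tagged frames (VID 0) are not modelled.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List, NamedTuple, Optional, Set

DEFAULT_VLAN = 1  # per the guide: the default PVID is 1 (the default VLAN)


class FrameType(Enum):
    ADMIT_ALL = "Admit All"
    TAGGED_ONLY = "Admit Tagged Only"
    UNTAGGED_ONLY = "Admit Untagged Only"


class Verdict(NamedTuple):
    admitted: bool
    vlan: Optional[int]
    reason: str


@dataclass
class Port:
    """Hypothetical model of one port's VLAN settings (not a device API)."""
    name: str
    pvid: int = DEFAULT_VLAN
    member_vlans: Set[int] = field(default_factory=lambda: {DEFAULT_VLAN})
    frame_type: FrameType = FrameType.ADMIT_ALL
    ingress_filtering: bool = True

    def remove_vlan(self, vid: int) -> None:
        """Remove a VLAN from the port; if it was the PVID, revert to VLAN 1."""
        self.member_vlans.discard(vid)
        if self.pvid == vid:
            self.pvid = DEFAULT_VLAN
            self.member_vlans.add(DEFAULT_VLAN)


def classify(port: Port, vid: Optional[int]) -> Verdict:
    """Decide whether a received frame is admitted; vid=None means untagged."""
    tagged = vid is not None
    # 1. Acceptable frame type takes precedence over every other setting.
    if tagged and port.frame_type is FrameType.UNTAGGED_ONLY:
        return Verdict(False, None, "tagged frame on an untagged-only port")
    if not tagged and port.frame_type is FrameType.TAGGED_ONLY:
        # Discarded even though the port has a valid PVID.
        return Verdict(False, None, "untagged frame on a tagged-only port")
    # 2. VLAN classification: the tag's VID, or the PVID for untagged frames.
    vlan = vid if tagged else port.pvid
    # 3. Ingress filtering: discard frames for VLANs the port is not a member of.
    if port.ingress_filtering and vlan not in port.member_vlans:
        return Verdict(False, vlan, "ingress filtering: port is not a member")
    return Verdict(True, vlan, "admitted")


def unfiltered_vlans(port: Port, configured_vlans: Iterable[int]) -> List[int]:
    """VLANs a tagged frame can enter through this port without membership."""
    return sorted(
        v for v in configured_vlans
        if v not in port.member_vlans and classify(port, v).admitted
    )


if __name__ == "__main__":
    # Constructed port settings for illustration.
    ports = [
        Port("gi1/0/8", pvid=23, member_vlans={23}),
        Port("gi1/0/9", pvid=23, member_vlans={23, 24},
             frame_type=FrameType.TAGGED_ONLY),
        Port("gi1/0/10", pvid=10, member_vlans={10}, ingress_filtering=False),
    ]
    for p in ports:
        for vid in (None, 23, 24, 99):
            print(p.name, "untagged" if vid is None else f"VID {vid}",
                  classify(p, vid))
        print(p.name, "reachable without membership:",
              unfiltered_vlans(p, {1, 10, 23, 24, 99}))
```

Running unfiltered_vlans() over each port of an exported configuration lists the VLANs that stay reachable through ports where ingress filtering has been disabled.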
VLAN Membership The device supports up to 2-4094 VLANs. Ports are assigned to a VLAN in the Port Settings pages. To view the ports in a VLAN, and assign various parameters: 1 Click Switching > VLAN > VLAN Membership in the tree view to display the VLAN Membership: Summary page. Figure 14-2. VLAN Membership: Summary The ports in the selected unit/VLAN are displayed along with their statuses.
– T — Tagged. The interface is a member of a VLAN. All packets forwarded by the interface are tagged. The packets contain VLAN information. – U — Untagged. The interface is a member of a VLAN. Packets forwarded by the interface are untagged. – F — Forbidden. The interface is denied membership to a VLAN. – Blank — The interface is not a VLAN member. Packets associated with the interface are not forwarded.
Table 14-1. VLAN Membership CLI Commands (Continued)
CLI Command
    Description
vlan {vlan-range}[name vlanname]
    Creates a VLAN.
no vlan vlan-range
    Use the no form of this command to restore the default configuration or delete a VLAN.
name string
    Adds a name to a VLAN.
dot1x auth-not-req
    Enables unauthorized devices access to the VLAN.
no dot1x auth-not-req
    Use the no form of this command to disable access to the VLAN.
Port Settings After a VLAN has been defined, assign ports to it. To assign a VLAN to untagged packets arriving on the device, enter the port default VLAN ID (PVID). All untagged packets arriving at the device are tagged with the port’s PVID. All ports must have a defined PVID. If no other value is configured, the default VLAN PVID is used. VLAN ID #1 is the default VLAN, and cannot be deleted from the system.
– Port VLAN Mode — Enter the port VLAN mode. The possible options are: • General — The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode). • Access — The port belongs to a single untagged VLAN. When a port is in Access mode, the packet types that are accepted on the port cannot be designated. Ingress filtering cannot be enabled/disabled on an access port.
– Frame Type — Select the packet type accepted on the port. The possible options are: • Admit All — Both tagged and untagged packets are accepted on the port. • Admit Tagged Only — Only tagged packets are accepted on the port. • Admit Untagged Only — Only untagged packets are accepted on the port. – Ingress Filtering — Enable/disable ingress filtering, which discards packets that are destined to VLANs of which the specific port is not a member.
Table 14-2. Port-to-VLAN Group Assignments CLI Commands (Continued)
CLI Command
    Description
switchport access vlan {vlanid|none}
    Configures the VLAN ID when the interface is in access mode.
no switchport access vlan
    Use the no form of this command to restore the default configuration.
switchport trunk allowed vlan {all|none|add vlan-list|remove vlan-list|except vlan-list}
    Sets the trunk characteristics when the interface is in Trunking mode.
Table 14-2. Port-to-VLAN Group Assignments CLI Commands (Continued)
CLI Command
    Description
switchport mode {access|trunk|general|private-vlan {promiscuous|host}|customer}
    Configure the VLAN membership mode of a port.
no switchport mode
    Use the no form of this command to restore the default configuration.
The following is an example of the CLI commands:
console(config)# vlan database
console(config-vlan)# vlan 23-25
console(config-vlan)# end
console(config)# interface vlan 23
console(config-if)# name Marketing
console(config-if)# end
console(config)# interface gi1/0/8
console(config-if)# switchport mode access
console(config-if)# switchport access vlan 23
console(config-if)# end
console(config)# interface gi1/0/9
console(config-if)# switchport mode trunk
console(config-if)# switchport mode trunk allowed vlan
LAGs Settings VLANs can either be composed of individual ports or of LAGs. Untagged packets entering the device are tagged with the LAG’s ID specified by the PVID. To configure LAGs on a VLAN: 1 Click Switching > VLAN > LAG Settings in the tree view to display the VLAN LAG Settings page. Figure 14-4. VLAN LAG Settings All LAGs and their settings are displayed. 2 To modify the LAG settings, click Edit, and enter the fields: – LAG — Select the LAG to be modified.
– Port VLAN Mode — Enter the port VLAN mode. The possible options are: • General — The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode). • Access — The port belongs to a single untagged VLAN. When a port is in Access mode, the packet types that are accepted on the port cannot be designated. Ingress filtering cannot be enabled/disabled on an access port.
– Frame Type — Packet type accepted by the LAG. The possible options are: • Admit All — Tagged and untagged packets are both accepted by the LAG. • Admit Tag Only — Only tagged packets are accepted by the LAG. • Admit Untagged Only — Only untagged packets are accepted on the LAG. – Ingress Filtering — Enable/disable Ingress filtering by the LAG. Ingress filtering discards packets that are destined to VLANs of which the specific LAG is not a member.
Protocol Groups Protocol groups are based on protocol-based VLANs. Protocol-based VLANs Untagged frames received on a VLAN-aware switch can be classified by methods other than source port, such as data-link-layer protocol identification. This classification method is referred to as protocol-based VLANs. Protocol-based VLANs are useful for isolating Layer 2 traffic of various Layer 3 protocols.
Similarly, there may be implied dependencies between encapsulations, so that specifying an encapsulation implies defining the protocol group for related encapsulations. For example, specifying the Ethernet encapsulation, even by default, implies IEEE802 encapsulation, as per RFC 1042. The following standards are relevant: • IEEE802.1V defines VLAN assignment by protocol type.
To define a protocol group: 1 Click Switching > VLAN > Protocol Group in the tree view to display the Protocol Group: Summary page. Figure 14-5. Protocol Group: Summary The currently-defined protocol groups are displayed. 2 To add a new protocol group, click Add, and enter the fields: – Frame Type — Select a frame type to be accepted in the protocol group. – Protocol Value — Select a protocol name. or – Ethernet-Based Protocol Value (0600 - FFFF) — Enter the Ethernet protocol group type.
Defining VLAN Protocol Groups Using CLI Commands
The following table summarizes the CLI commands for defining VLAN Protocol groups.
Table 14-3. VLAN Protocol Groups CLI Commands
CLI Command
    Description
map protocol protocol [encapsulation] protocols-group group
    Maps a protocol to a protocol group. Protocol groups are used for protocol-based VLAN assignment.
no map protocol protocol [encapsulation]
    Use the no form of this command to delete a protocol from a group.
Protocol Port A protocol port is a port assigned to a particular protocol group. Traffic from particular types of frames may be assigned to a protocol group, which has a port and VLAN associated with it. To add an interface to a protocol group: 1 Click Switching > VLAN > Protocol Port in the tree view to display the Protocol Port: Summary page. Figure 14-6. Protocol Port: Summary A list of previously-defined protocol groups is displayed.
Protocol ports can either be attached to a VLAN ID or a VLAN name. – VLAN ID (1-4094) — Check and enter a VLAN ID. or – VLAN Name — Check and enter a VLAN name.
Defining Protocol Ports Using CLI Commands
The following table summarizes the CLI command for defining protocol ports.
Table 14-4. Protocol Port CLI Commands
CLI Command
    Description
switchport general map protocols-group group vlan vlan-id
    Sets a protocol-based classification rule. Use the no form of this command to delete a classification.
GVRP Parameters GARP VLAN Registration Protocol (GVRP) is provided for automatic distribution of VLAN membership information among VLAN-aware bridges. GVRP enables VLAN-aware bridges to automatically learn VLANs-to-bridgeports mapping, without having to individually configure each bridge and register VLAN membership.
3 Check Unit ID and select a unit ID to view ports on the unit, or select LAGs to view the LAGs in the system. 4 To set GVRP for an interface, click Edit, and enter the fields: – Interface — Specifies port or LAG for editing GVRP settings. – GVRP State — Enable/disable GVRP on the interface. – Dynamic VLAN Creation — Enable/disable Dynamic VLAN creation on the interface. – GVRP Registration — Enable/disable VLAN registration through GVRP on the interface.
Table 14-5. GVRP Global Parameters CLI Commands (Continued)
CLI Command
    Description
show gvrp configuration [[gigabitethernet|tengigabitethernet] port-number|port-channel LAG-number]
    Displays GVRP configuration information, including timer values, whether GVRP and dynamic VLAN creation is enabled, and which ports are running GVRP.
show gvrp error-statistics [[gigabitethernet|tengigabitethernet] port-number|port-channel LAG-number]
    Displays GVRP error statistics.
Displays GVRP statistics.
console(config)# gvrp enable
console(config)# interface gi1/0/1
console(config-if)# gvrp enable
console(config-if)# gvrp vlan-creation-forbid
console(config-if)# gvrp registration-forbid
console(config-if)# end
console# show gvrp configuration
GVRP Feature is currently Disabled on the device.
Private VLAN Private VLANs (PVLANs) provide Layer 2 isolation between ports that share the same Broadcast domain, or in other words, they create a point-to-multipoint Broadcast domain. The ports can be located anywhere in the Layer 2 network, as opposed to protected ports which must be in the same stack.
To configure PVLANs: 1 Click Switching > VLAN > Private VLAN in the tree view to display the Private VLAN: Summary page. Figure 14-8. Private VLAN: Summary The previously-defined private VLANs are displayed. 2 To query by Associated Primary VLAN ID, check that field, enter a VLAN ID, and click Query. The associated VLANs are displayed. 3 To define a private VLAN, click Assign, and enter the fields: – Private VLAN ID — Select a VLAN to be assigned.
– Associate Primary VLAN — If the Private VLAN type is Isolated, check to associate the isolated VLAN with a primary VLAN, thus allowing traffic between isolated and promiscuous ports. – Primary VLAN ID — Select a VLAN to be associated with the isolated VLAN. 4 To assign ports to the private VLAN, click Membership. 5 Select a Primary VLAN ID. 6 Select an Isolated VLAN ID. 7 Select the ports to be assigned to each VLAN, and assign each port/LAG a port type in the Admin row of ports/LAGs.
Table 14-6. Private VLAN CLI Commands (Continued)
CLI Command
    Description
switchport private-vlan mapping primary-vlan-id [add|remove] secondary-vlan-list
    Configures the VLANs of the private-vlan promiscuous port.
no switchport private-vlan mapping
    Use the no form of this command to reset to default
switchport private-vlan host-association primary-vlan-id secondary-vlan-id
    Configures the VLANs of the private-vlan host port.
no switchport private-vlan host-association
show vlan private-vlan [tag vlan-id]
Voice VLAN The Voice VLAN feature enables you to enhance VoIP service by configuring ports to carry IP-voice traffic from IP phones on a specific VLAN. This VLAN is configured with a QoS profile that ensures high voice quality. Equipment, such as VOIP phones, transmits IP traffic with a pre-configured Organizationally Unique Identifier (OUI) prefix in the source MAC address.
Properties To set voice VLAN parameters that apply to the voice VLAN on the device: 1 Click Switching > VLAN > Voice VLAN > Properties in the tree view to display the Properties page. Figure 14-9. Properties 2 Enter the fields: – Voice VLAN State — Select Enable to use the Voice VLAN feature on the device. – Voice VLAN ID — Select the VLAN that is to be the voice VLAN. – Class of Service — Select to add a CoS level to untagged packets, received on the voice VLAN.
– Voice VLAN Aging Time — Enter the interval of time after which the port exits the voice VLAN, if no voice packets are received. The aging time starts after the MAC address is aged out from the Dynamic MAC Address table. The default time is 300 sec. For more information on defining MAC address age out time, see "Dynamic Addresses" on page 421. Defining Voice VLAN Properties Using CLI Commands The following table summarizes the CLI command for defining voice VLAN properties. Table 14-7.
The following is an example of some of the CLI commands:
console# show voice vlan
Aging timeout: 1440 minutes
OUI table
MAC Address Prefix  Description
00:E0:BB            3COM
00:03:6B            Cisco
00:E0:75            Veritel
00:D0:1E            Pingtel
00:01:E3            Siemens
00:60:B9            NEC/Philips
00:0F:E2            Huawei-3COM
00:09:6E            Avaya
Voice VLAN VLAN ID: 8
CoS: 6
Remark: Yes
Interface  Enabled   Secure  Activated
---------  --------  ------  ---------
gi1/0/1    Yes       Yes     Yes
gi1/0/2    Yes       Yes     Yes
gi1/0/3    Yes       Yes     Yes
gi1/0
Port Setting To configure voice VLAN ports properties: 1 Click Switching > VLAN > Voice VLAN > Port Setting in the tree view to display the Port Setting: Summary page. Figure 14-10. Voice VLAN Port Setting A list of the ports and their voice VLAN settings is displayed. 2 To modify the voice VLAN settings for an interface, click Edit, and enter the fields: – Interface — Enter the specific port or LAG to which the Voice VLAN settings are applied. – Voice VLAN Mode — Select the Voice VLAN mode.
• None — Disables the selected port/LAG on the Voice VLAN. This is the default.
• Static — Statically adds the port to the Voice VLAN. This is usually done for VoIP uplink ports that connect the device to VoIP PBX, for example.
• Auto — Indicates that if traffic with an IP phone MAC address is transmitted on the port/LAG, the port/LAG joins the Voice VLAN. The port/LAG is aged out of the voice VLAN if the IP phone’s MAC address (with an OUI prefix) is aged out.
The following is an example of the CLI commands:
console(config)# interface gi1/0/1
console(config-if)# voice vlan enable
console(config-if)# voice vlan secure
console(config-if)#

OUI
Organizationally Unique Identifiers (OUIs) are 24-bit numbers assigned by the Institute of Electrical and Electronics Engineers, Incorporated (IEEE) Registration Authority to equipment manufacturers. Up to 128 OUIs can be stored on the switch. Nine specific OUIs of popular VoIP phone manufacturers are stored by default.
To view existing OUIs, and add new OUIs: 1 Click Switching > VLAN > Voice VLAN > OUI in the tree view to display the OUI Summary. Figure 14-11. OUI: Summary The previously-defined OUIs are displayed. 2 To add a new OUI, click Add, and enter the fields: – Telephony OUI — Enter a new OUI. – Description — Enter an OUI description up to 32 characters.
Defining Voice VLAN OUIs Using CLI Commands
The following table summarizes the CLI command for defining Voice VLAN OUIs.
Table 14-9. Voice VLAN OUIs CLI Commands
CLI Command
    Description
voice vlan oui-table {add mac-address-prefix|remove mac-address-prefix}
    Configures the voice OUI table. Use the no form of this command to restore the default configuration.
Link Aggregation This section describes link aggregation of ports.
Link Aggregation Overview Link Aggregation optimizes port usage by linking a group of ports together to form a single LAG (aggregated group). Aggregating ports multiplies the bandwidth between the devices, increases port flexibility, and provides link redundancy. The device supports the following types of LAGs: • Static LAGs — Manually-configured LAGs. • Link Aggregation Control Protocol (LACP) LAGs — LACP LAGs negotiate aggregating a port’s links with other LACP ports located on a different device.
Ports added to a LAG lose their individual port configuration. When ports are removed from the LAG, the original port configuration is applied to the ports. The device uses a hash function to assign packets to a LAG member. The hash function statistically load-balances the aggregated link members. The device considers an Aggregated Link to be a single logical port. Aggregate ports can be linked into link-aggregation port-groups. Each group comprises ports with the same speed, set to full-duplex operations.
LACP Parameters To define LACP LAGs, configure LACP global and port parameters, such as LACP system priority, timeout, and port priority. With all factors equal, when the LAG is configured with more candidate ports than the maximum number of active ports allowed, the switch activates the highest priority candidate ports from the dynamic LAG. To set LACP parameters: 1 Click Switching > Link Aggregation > LACP Parameters in the tree view to display the LACP Parameters page. Figure 15-1.
– LACP Port Priority (1-65535) — Enter the LACP priority value for the port. – LACP Timeout — Select the rate of periodic transmissions of LACP PDUs. The possible options are: • Long — Slow transmission rate • Short — Fast transmission rate Configuring LACP Parameters Using CLI Commands The following table summarizes the CLI commands for configuring LACP parameters as displayed in the LACP Parameters page. Table 15-1.
The following is an example of the CLI commands:
console (config)# lacp system-priority 120
console (config)# interface gi1/0/11
console (config-if)# lacp port-priority 247
console (config-if)# lacp timeout long
console (config-if)# end
console# show lacp gi1/0/11 statistics
Port gi1/0/11 LACP Statistics:
LACP PDUs sent:2
LACP PDUs received:2
LAG Membership Each device supports up to 32 LAGs per system, and eight ports per LAG. When you add a port to a LAG, the port acquires the LAG’s properties. If the port cannot be configured with the LAG’s properties, it is not added to the LAG and an error message is generated. If the first port joining the LAG cannot be configured with the LAG settings, the port is added to the LAG, using the port default settings, and an error message is generated.
The LACP and static LAGs on each unit are displayed along with their member ports. This page displays the following fields: – LACP — Aggregates the port to a LAG, using LACP. – LAG — Adds a port to a LAG, and indicates the specific LAG to which the port belongs. 2 Click Edit to change the status of a port in a LAG. 3 Select the LAG. 4 In the LACP row (the first row), toggle the button under the port number to assign either the LACP or the static LAG.
Multicast This chapter describes Multicast support on the device.
Multicast Support Overview Multicast forwarding enables a single packet to be forwarded to multiple destinations. Layer 2 Multicast service is based on a Layer 2 device receiving a single packet addressed to a specific Multicast address. Multicast forwarding creates copies of the packet, and transmits the packets to the relevant ports.
IGMP Internet Group Multicast Protocol (IGMP) adds IGMP packets to Multicast traffic. When IGMP Snooping is enabled globally, all IGMP packets are forwarded to the CPU. The CPU analyzes the incoming packets and determines: • Which ports want to join which Multicast groups. • Which ports have Multicast routers generating IGMP queries. • What routing protocols are forwarding packets and Multicast traffic.
Global Parameters To enable Multicast filtering and IGMP Snooping: 1 Click Switching > Multicast Support > Global Parameters in the tree view to display the Global Parameters page. Figure 16-1. Global Parameters 2 Enter the fields: – Bridge Multicast Filtering — Enable/disable Multicast filtering. Disabled is the default value. – IGMP Snooping Status — Enable/disable IGMP Snooping on the device. Disabled is the default value.
Enabling Multicast Filtering and IGMP Snooping Using CLI Commands
The following table summarizes the CLI commands for enabling Multicast Filtering and IGMP snooping as displayed on the Global Parameters page.
Table 16-1. Multicast Filtering and Snooping CLI Commands
CLI Command
    Description
bridge multicast filtering
    Enables filtering of Multicast addresses.
no bridge multicast filtering
    Use the no form of this command to disable multicast address filtering.
Bridge Multicast Groups The Bridge Multicast Group: Summary page displays the ports and LAGs attached to a Multicast service group and the manner in which the port or LAG joined it. To add and configure a Multicast group: 1 Click Switching > Multicast Support > Bridge Multicast Group in the tree view to display the Bridge Multicast Group: Summary page. Figure 16-2. Bridge Multicast Group: Summary The ports and LAGs in the selected Multicast Group are displayed.
2 Select a VLAN and enter the Multicast group IP address in Bridge Multicast Address. Two rows of ports and LAGs are displayed for each unit: – Static — Displays available static ports/LAGs. These port/LAGs can be included or excluded from the Multicast groups, as described below. – Current — Displays status of ports/LAGs in the Multicast group, as actually applied. 3 For each port in the VLAN, toggle to S to join the port to the selected Multicast group as a static port.
Managing Bridge Multicast Groups Using CLI Commands
The following table summarizes the CLI commands for managing Multicast service members as displayed in the Bridge Multicast Group pages.
Table 16-3. Bridge Multicast Group CLI Commands
CLI Command
    Description
bridge multicast address {mac-multicast-address|ip-multicast-address}
    Registers MAC-layer Multicast addresses to the bridge table, and adds static ports to the group.
VLAN  MAC Address     Ports
----  -----------     ----------
1     0100.5e02.0203  gi1/0/8
19    0100.5e02.0208  gi1/0/8
console # show bridge multicast address-table format ip
VLAN  IP Address         Type    Ports
----  -----------        -----   ----------
1     224-239.130|2.2.3  static  gi1/0/11, gi1/0/12
Forbidden ports for multicast addresses:
VLAN  IP Address         Ports
----  -----------        ----------
1     224-239.130|2.2.
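The address tables above show the MAC entry 0100.5e02.0203 and the IP-format entry 224-239.130|2.2.3, which is consistent with the standard IPv4 multicast mapping: only the low 23 bits of a group address are copied into the 01:00:5e MAC prefix, so 32 group addresses share each MAC address. The following added example (not from the guide; all function names are hypothetical) converts in both directions, reproduces that notation, and finds groups in a constructed list that collide on one MAC address.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

MAC_PREFIX = 0x01005E000000  # 01:00:5e with bit 23 clear
LOW23 = 0x7FFFFF             # the 23 group-address bits carried in the MAC


def group_to_mac(group: str) -> str:
    """Map an IPv4 multicast group to its MAC address, in xxxx.xxxx.xxxx form."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    digits = f"{MAC_PREFIX | (int(addr) & LOW23):012x}"
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def _mac_low23(mac: str) -> int:
    """Validate an IPv4-multicast MAC address and return its low 23 bits."""
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"{mac} is not a 48-bit MAC address")
    value = int(digits, 16)  # raises ValueError on non-hex input
    if value & ~LOW23 != MAC_PREFIX:
        raise ValueError(f"{mac} is not in the 01:00:5e IPv4 multicast range")
    return value & LOW23


def mac_to_groups(mac: str) -> List[str]:
    """List all 32 IPv4 groups that map to this MAC address."""
    low = _mac_low23(mac)
    return [
        str(ipaddress.IPv4Address(0xE0000000 | (high << 23) | low))
        for high in range(32)  # the 5 group bits that the MAC does not carry
    ]


def switch_notation(mac: str) -> str:
    """Render the group set the way the IP-format table prints it."""
    low = _mac_low23(mac)
    second, third, fourth = (low >> 16) & 0x7F, (low >> 8) & 0xFF, low & 0xFF
    return f"224-239.{second | 0x80}|{second}.{third}.{fourth}"


def collisions(groups: Iterable[str]) -> Dict[str, List[str]]:
    """Group addresses that land on the same MAC address (same bridge entry)."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for group in groups:
        by_mac[group_to_mac(group)].append(group)
    return {mac: members for mac, members in by_mac.items() if len(members) > 1}


if __name__ == "__main__":
    print(group_to_mac("224.2.2.3"), switch_notation("0100.5e02.0203"))
    # Constructed list of groups in use on a VLAN.
    print(collisions(["224.2.2.3", "225.130.2.3", "224.2.2.8"]))
```

A static or forbidden entry keyed on the MAC address therefore applies to every group returned by mac_to_groups() for that address, which is worth checking before assigning group addresses to services that must stay separated.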
Bridge Multicast Forward All Use the Bridge Multicast Forward All page to attach ports or LAGs to a device that is attached to a neighboring Multicast router/switch. After IGMP Snooping is enabled, Multicast packets are forwarded to the appropriate port or VLAN. To attach interfaces to a Multicast service: 1 Click Switching > Multicast Support > Bridge Multicast Forward All in the tree view to display the Bridge Multicast Forward All page. Figure 16-3.
– Static — Displays available static ports/LAGs. These port/LAGs can be included or excluded from the Multicast groups, as described below. – Current — Displays status of ports/LAGs, as actually applied, in the Multicast group. Managing LAGs and Ports Attached to Multicast Routers Using CLI Commands The following table summarizes the CLI commands for managing LAGs and ports attached to Multicast routers as displayed on the Bridge Multicast Forward All page. Table 16-4.
IGMP Snooping IGMP Snooping can be enabled globally, as described in the Global Parameters page. It can also be enabled per VLAN to support selective IPv4 Multicast forwarding. In this case, Bridge Multicast filtering must also be enabled. By default, a Layer 2 switch forwards Multicast frames to all ports of the relevant VLAN, essentially treating the frame as if it were a Broadcast.
The IGMP Snooping Querier is used to support a Layer 2 Multicast domain of snooping switches in the absence of a Multicast router, for example, where Multicast content is provided by a local server, but the router (if one exists) on that network does not support Multicast. There should only be a single IGMP Querier in a Layer 2 Multicast domain. The switch supports standards-based IGMP Querier election when more than one IGMP Querier is present in the domain.
3 Enter the fields: • IGMP Snooping Status — Enable/disable the monitoring of network traffic to determine which hosts have asked to be sent Multicast traffic. The switch performs IGMP snooping only if IGMP snooping and Bridge Multicast filtering are both globally enabled. • Operational IGMP Snooping Status — Displays whether IGMP Snooping is enabled. • MRouter Ports Auto Learn — Enables or disables auto learning of the ports to which the Mrouter is connected.
• IGMP Querier Status — Enables or disables the IGMP Querier. The IGMP Querier simulates the behavior of a Multicast router, enabling snooping of the Layer 2 Multicast domain even though there is no Multicast router. • Querier Source IP Address — Select the IP address of the IGMP Querier. Use either the VLAN’s IP address or define a unique IP address that will be used as a source address of the querier. • Operational Source Querier IP Address — Operational Querier IP address.
Table 16-5. IGMP Snooping CLI Commands (Continued)
CLI Command
    Description
ip igmp query-max-response-time seconds
    Configures the Query Maximum Response time.
no ip igmp query-max-response-time
    Use the no format of the command to return to default.
ip igmp last-member-query-count count
    Configures the Last Member Query Counter.
no ip igmp last-member-query-count
    Use the no format of the command to return to default.
The following is an example of the CLI commands:
console (config)# ip igmp snooping
console (config)# interface vlan 1
console (config-if)# ip igmp snooping mrouter learn-pim-dvmrp
console (config)# interface vlan 1
console (config-if)# ip igmp snooping leave-time-out 60
console # do show ip igmp snooping groups
VLAN IP Address Querier Ports
---- ---------- ------ ----------------------
1 |2.2.3 Yes gi1/0/1, gi1/0/2
224-239.
Unregistered Multicast Multicast frames are generally forwarded to all ports in the VLAN. If IGMP Snooping is enabled, the device learns about the existence of Multicast groups and tracks which ports have joined what Multicast group. Multicast groups can also be statically enabled. This enables the device to forward the Multicast frames (from a registered Multicast group) only to ports that are registered to that Multicast group.
The action for each port is displayed. 2 To modify the forwarding action for an interface, click Edit, and enter the fields. • Interface — Select a port or LAG. • Unregistered Multicast — Select the forwarding status of the selected interface. The possible options are: • Forwarding — Enables forwarding of unregistered Multicast frames on the selected port or port-channel. • Filtering — Enables filtering of unregistered Multicast frames on the selected VLAN interface.
Multicast TV VLAN This section describes the Multicast TV VLAN feature. It contains the following sections: • Multicast TV VLAN Overview • Multicast TV VLAN Membership • Multicast TV VLAN Mapping Multicast TV VLAN Overview The Multicast TV VLAN feature provides the ability to supply Multicast transmissions to Layer 2-isolated subscribers, without replicating the Multicast transmissions for all subscriber VLANs. The subscribers are the only receivers of the Multicast transmissions.
Multicast TV VLAN Membership To view Multicast TV VLANs: • Click Switching > Multicast Support > Multicast TV VLAN Membership in the tree view to display the Multicast TV VLAN Membership page. Figure 16-6. Multicast TV VLAN Membership The receiver and transceiver ports in the selected TV VLAN are displayed. Displaying Multicast TV VLAN Membership Using CLI Commands The following table summarizes the CLI command for displaying Multicast TV VLAN membership: Table 16-7.
The following is an example of the CLI commands:
console # show vlan multicast-tv vlan 1
Source Ports
------------------------------------
gi1/0/8, gi1/0/9
Receiver Ports
------------------------------------
gi2/0/1-18, gi3/0/1-18, gi4/0/1-18

Multicast TV VLAN Mapping
To set the Multicast Group IP address for a TV VLAN: 1 Click Switching > Multicast Support > Multicast TV VLAN Mapping in the tree view to display the Multicast TV VLAN Mapping: Summary page. Figure 16-7.
• Multicast Group IP Address — Enter the Multicast group IP address for which the IGMP Snooping is enabled.
Mapping Multicast TV VLANs to IP Addresses Using CLI Commands
The following table summarizes the CLI command for mapping Multicast TV VLANs to Multicast IP addresses:
Table 16-8. Unregistered Multicast CLI Commands
CLI Command
    Description
ip igmp snooping vlan vlan-id multicast-tv ip-multicast-address [count number]
    Defines the Multicast IP addresses that are associated with a Multicast-TV VLAN.
17 LLDP This section describes the Link Layer Discovery Protocol (LLDP).
LLDP Overview The Link Layer Discovery Protocol (LLDP) enables network managers to troubleshoot and enhance network management by discovering and maintaining network topologies over multi-vendor environments. LLDP discovers network neighbors by standardizing methods for network devices to advertise themselves to other systems, and to store discovered information.
LLDP Properties To enable and configure LLDP: 1 Click System > LLDP > LLDP Properties in the tree view to display the LLDP Properties page. Figure 17-1. LLDP Properties The current LLDP properties are displayed. 2 Enter the fields: – Enable LLDP — Enable/disable LLDP on the device. – Updates Interval (5-32768) — Enter the rate at which LLDP advertisement updates are sent. – Hold Multiplier (2-10) — Enter the hold time to be sent in the LLDP update packets, as a multiple of the timer value.
– Reinitializing Delay (1-10) — Enter the minimum time, in seconds, that an LLDP port waits before reinitializing LLDP transmission. – Transmit Delay (1-8192) — Enter the amount of time that passes between successive LLDP frame transmissions, due to changes in the LLDP local systems MIB. To use the default values for any field, select Use Default.
Configuring LLDP Using CLI Commands
The following commands are used to set the fields in the LLDP Properties page.
Table 17-1. LLDP Properties CLI Commands
CLI Command
    Description
lldp run
    Enables LLDP.
no lldp run
    Use the no form of this command to disable LLDP.
lldp timer seconds
    Specifies how often the software sends LLDP updates.
no lldp timer
    Use the no form of this command to restore the default configuration.
The following is an example of the CLI commands:
console(config)# interface gi1/0/1
console(config-if)# lldp run
console(config)# lldp timer 30
console(config)# lldp hold-multiplier 3
console(config)# lldp reinit 4
LLDP Port Settings LLDP configuration of a port includes activating LLDP notification on it, and selecting the optional TLVs that will be sent in the LLDP PDU, in addition to the mandatory ones. By setting these properties, it is possible to provide additional types of information to those network devices that support the LLDP. To configure LLDP per port: 1 Click System > LLDP > LLDP Port Settings in the tree view to display the LLDP Port Settings: Summary page. Figure 17-2.
• Tx & Rx — Enables both transmitting and receiving of LLDP packets. • Disable — LLDP is disabled on the port. 4 Move the optional TLVs that the switch should advertise from the Available TLV list to the Optional TLV list. The TLVs advertise the following: – Port Description — Information about the port, including manufacturer, product name, and hardware/software version. – System Name — System's assigned name (in alpha-numeric format). This value equals the sysName object.
Configuring LLDP Port Settings Using CLI Commands
The following commands are used to configure LLDP on ports.
Table 17-2. LLDP Port Settings CLI Commands
CLI Command
    Description
lldp transmit
    Enables transmitting LLDP on an interface.
no lldp transmit
    Use the no form of this command to stop transmitting LLDP on an interface.
lldp receive
    Enables receiving LLDP on an interface.
no lldp receive
    Use the no form of this command to stop receiving LLDP on an interface.
MED Network Policy

An LLDP-MED network policy is a set of configuration settings that is identified by a network policy number. Policies are loaded into LLDP-MED TLVs, and sent to devices connected to the switch.
To add a MED network policy:
1 Click System > LLDP > MED Network Policy in the tree view to display the MED Network Policy: Summary page.

Figure 17-3. MED Network Policy: Summary

Previously-defined network policies are displayed.
2 To add a network policy, click Add, and enter the fields:
  – Network Policy Number — Select an available network policy number.
  – Application — Select the application (type of traffic) for which the network policy is defined.
  – User Priority — Select the traffic priority assigned to the network application.
  – DSCP Value — Select the value to be used by neighbors to mark the traffic sent to the switch.

Configuring MED Network Policies Using CLI Commands

The following commands are used to configure MED network policies.

Table 17-3.
LLDP MED Port Settings

To assign MED network policies to ports:
1 Click System > LLDP > MED Port Settings in the tree view to display the MED Port Settings: Summary page.

Figure 17-4. MED Port Settings: Summary

2 Select the unit in the stack. All ports on that unit are displayed along with the following fields:
  – LLDP MED Status — Specifies if LLDP-MED is enabled on the selected port.
  – Network Policy — Specifies whether a network policy is assigned to the port.
  – Available TLVs — Contains a list of available TLVs that can be advertised by the port. The possible options are:
    • Network Policy — Advertises the network policy attached to the port.
    • Location — Advertises the port’s location.
    • PoE-PSE — Indicates if the connected media is a PoE or PSE (Power Sourcing Equipment) device.
    Move the TLVs to be published to the Tx Optional TLVs list.
  – Available Network Policy — Contains a list of network policies that can be assigned to a port.
  – Device ID — The device ID advertised, for example, the device MAC address.
  – Device Type — The type of device.
  – LLDP MED Capabilities — The TLVs that are advertised by the port.
  – LLDP MED Device Type — Specifies whether a sender is a network connectivity device or an endpoint device.
  – Application — The following fields are displayed for each possible application type:
    • Application Type — The application type.
Configuring MED on Ports Using CLI Commands

The following commands are used to set the fields in the MED Port Settings pages.

Table 17-4. LLDP Properties CLI Commands

CLI Command                                    Description
lldp med enable [tlv … tlv4]                   Enables LLDP MED on an interface.
no lldp med enable                             Use the no form of this command to disable LLDP MED on an interface.
lldp med network-policy {add|remove} number    Attaches or removes an LLDP MED network policy on an interface.
The following is an example of the CLI commands:

console(config)# interface gi1/0/3
console(config)# lldp med location civic-address 6162636465
console# show lldp med configuration
Fast Start Repeat Count: 4.
Neighbors Information

Use the Neighbors Information page to view information that was received in LLDP advertisements from neighboring devices. The neighbor’s information is deleted after timeout. Timeout is the maximum interval that can pass without receiving an LLDP PDU from a neighbor. The timeout value is computed from the neighbor’s Time to Live TLV.

To view neighbors information:
1 Click System > LLDP > Neighbors Information in the tree view to display the Neighbors Information page.

Figure 17-5.
  – Device ID — Neighboring device ID
  – System Name — Name of the neighboring system
  – Port ID — Neighboring port ID
  – Capabilities — Neighboring device capabilities
2 Click Clear Neighbors Table to delete all the entries or select Remove to delete a specific port entry.
3 Click the Details button of a port to display the Neighbors Information: Details page for that port.
The following is an example of the CLI commands:

console# show lldp neighbors

Port      Device ID         Port ID  System  Capabili TTL
                                     Name    ties
--------- ----------------- -------- ------- -------  ----
gi2/0/17  00:75:73:71:72:55 1/e21            0        91
gi2/0/33  00:12:cf:7c:63:a0 1/e1             0        92
gi2/0/33  00:11:22:11:22:33 1/g39            0        107
gi2/0/33  00:aa:aa:aa:aa:aa 1/e37            0        106
gi2/0/41  a4:ba:db:57:7c:8d g13              O        97
18 Dynamic ARP Inspection

This section describes dynamic ARP inspection.
Dynamic ARP Inspection Overview

ARP Inspection eliminates man-in-the-middle attacks, where false ARP packets are inserted into the subnet. ARP requests and responses are inspected, and their MAC-address-to-IP-address binding is checked according to the ARP Inspection List defined by the user (in the Dynamic ARP Inspection List and Dynamic ARP Inspection Entries pages).
Global Settings

To enable ARP inspection on the device:
1 Click Switching > Dynamic ARP Inspection > Global Settings in the tree view to display the Global Settings page.

Figure 18-1. Global Settings

2 Enter the fields:
  • Enable ARP Inspection — Enable/disable ARP inspection.
  • ARP Inspection Validate — Enable/disable checking of the source MAC address, destination MAC address and IP addresses against the respective addresses in the ARP body.
Setting Dynamic ARP Inspection Global Settings Using CLI Commands

The following table summarizes the CLI commands for configuring the fields in the Global Settings pages.

Table 18-1. ARP Inspection Global Settings CLI Commands

CLI Command                   Description
ip arp inspection             Enables ARP inspection.
no ip arp inspection          Use the no form of this command to disable ARP inspection.
ip arp inspection validate    Performs specific checks for dynamic ARP inspection.
Dynamic ARP Inspection List

An ARP inspection list consists of entries where each entry is a pair of MAC/IP addresses.

To create a new ARP inspection list and add the first entry to it:
1 Click Switching > Dynamic ARP Inspection > Dynamic ARP Inspection List in the tree view to display the Dynamic ARP Inspection List: Summary page.

Figure 18-2. Dynamic ARP Inspection List: Summary

The dynamic ARP lists are displayed.
Creating a Dynamic ARP Inspection List Using CLI Commands

The following table summarizes the CLI commands for configuring the fields in the Dynamic ARP Inspection List pages.

Table 18-2. Dynamic ARP Inspection List CLI Commands

CLI Command                              Description
ip arp inspection list create name       Creates a static ARP binding list and enters the ARP list configuration mode.
no ip arp inspection list create name    Use the no form of this command to delete the list.
Dynamic ARP Inspection Entries

To add additional addresses to the lists defined in the Dynamic ARP Inspection List page:
1 Click Switching > Dynamic ARP Inspection Entries > Dynamic ARP Inspection Entries in the tree view to display the Dynamic ARP Inspection Entries: Summary page.

Figure 18-3. Dynamic ARP Inspection Entries: Summary

The dynamic ARP entries for the selected list are displayed.
2 To add a new address pair to a list, click Add and select the list.
Adding Entries to a Dynamic ARP Inspection List Using CLI Commands

The following table summarizes the CLI commands for configuring the fields in the Dynamic ARP Inspection Entries pages.

Table 18-3. Dynamic ARP Inspection List Entries CLI Commands

CLI Command                               Description
ip ip-address mac-address mac-address     Creates a static ARP binding.
no ip ip-address mac-address              Use the no form of this command to delete a static ARP binding.
show ip arp inspection list               Displays the static ARP binding list.
VLAN Settings

To assign a list of IP/MAC address pairs, defined in the Dynamic ARP Inspection List pages, to a VLAN:
1 Click Switching > Dynamic ARP Inspection Entries > VLAN Settings in the tree view to display the VLAN Settings: Summary page.

Figure 18-4. VLAN Settings: Summary

The VLANs and their associated lists of IP/MAC address pairs are displayed.
2 To designate a VLAN to be associated with an ARP inspection list, click Add VLAN and enter the VLAN ID.
Assigning IP/MAC Address Pairs to VLANs Using CLI Commands

The following table summarizes the CLI commands for configuring the fields in the VLAN Settings pages.

Table 18-4. Assigning IP/MAC Address Pairs to VLANs CLI Commands

CLI Command                       Description
ip arp inspection vlan vlan-id    Enables ARP inspection on a VLAN, based on the DHCP Snooping database. Use the no form of this command to disable ARP inspection on a VLAN.
Trusted Interfaces

Interfaces are untrusted if the packet is received from an interface outside the network or from an interface beyond the network firewall. Trusted interfaces receive packets only from within the network or the network firewall.

To configure an interface to be trusted:
1 Click Switching > Dynamic ARP Inspection > Trusted Interface in the tree view to display the Trusted Interface: Summary page.

Figure 18-5.
Configuring Trusted Interfaces Using CLI Commands

The following table summarizes the CLI commands for configuring the fields in the Trusted Interface pages.

Table 18-5. Configuring Trusted Interface Parameters CLI Commands

CLI Command                   Description
ip arp inspection trust       Configures an interface trust state that determines if incoming ARP packets are inspected.
no ip arp inspection trust    Use the no form of this command to restore the default configuration.
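The following added example (not Dell firmware code or code from this guide) models the decision order described in this chapter: VLAN assignment, interface trust, the optional validate checks, and the MAC/IP lookup in the ARP inspection list. It assumes the validate checks follow common dynamic ARP inspection practice (Ethernet source MAC against the ARP sender MAC, Ethernet destination MAC against the ARP target MAC on replies, rejection of 0.0.0.0, 255.255.255.255 and multicast addresses), models only the static list and not the DHCP Snooping database, and uses constructed addresses and a hypothetical list name.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass(frozen=True)
class ArpFrame:
    port: str        # ingress interface, e.g. "gi1/0/5"
    vlan: int
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    opcode: int      # ARP_REQUEST or ARP_REPLY
    sender_mac: str  # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str

def unusable_ip(addr: str) -> bool:
    """Addresses that should never appear as an ARP sender/target (assumed check)."""
    ip = IPv4Address(addr)
    return int(ip) in (0, 0xFFFFFFFF) or ip.is_multicast

class ArpInspector:
    def __init__(self, validate: bool = False):
        self.validate = validate  # models "ip arp inspection validate"
        self.lists = {}           # list name -> {ip: mac}
        self.vlan_list = {}       # VLAN ID -> list name
        self.trusted = set()      # interfaces set to trusted

    def add_binding(self, list_name: str, ip: str, mac: str) -> None:
        self.lists.setdefault(list_name, {})[ip] = mac.lower()

    def inspect(self, f: ArpFrame) -> tuple[bool, str]:
        """Return (forward?, reason) for one ARP frame."""
        if f.vlan not in self.vlan_list:
            return True, "vlan not inspected"
        if f.port in self.trusted:
            return True, "trusted interface"   # not inspected at all
        if self.validate:
            if f.eth_src.lower() != f.sender_mac.lower():
                return False, "src-mac mismatch"
            if f.opcode == ARP_REPLY and f.eth_dst.lower() != f.target_mac.lower():
                return False, "dst-mac mismatch"
            ips = [f.sender_ip] + ([f.target_ip] if f.opcode == ARP_REPLY else [])
            if any(unusable_ip(ip) for ip in ips):
                return False, "invalid ip"
        bound = self.lists.get(self.vlan_list[f.vlan], {}).get(f.sender_ip)
        if bound is None:
            return False, "no binding"
        if bound != f.sender_mac.lower():
            return False, "binding mismatch"
        return True, "binding ok"

# Constructed sample data (documentation address ranges).
GW_IP, GW_MAC = "192.0.2.1", "00:00:5e:00:53:01"
HOST_IP, HOST_MAC = "192.0.2.10", "00:00:5e:00:53:0a"
OTHER_MAC = "00:00:5e:00:53:66"
BROADCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def build_inspector(validate: bool) -> ArpInspector:
    insp = ArpInspector(validate)
    insp.add_binding("list1", GW_IP, GW_MAC)    # "list1" is a hypothetical list name
    insp.add_binding("list1", HOST_IP, HOST_MAC)
    insp.vlan_list[10] = "list1"
    insp.trusted.add("gi1/0/1")                 # uplink
    return insp

def demo() -> dict:
    request = ArpFrame("gi1/0/5", 10, HOST_MAC, BROADCAST,
                       ARP_REQUEST, HOST_MAC, HOST_IP, ZERO, GW_IP)
    # Reply claiming the gateway IP with a MAC that is not bound to it.
    false_reply = ArpFrame("gi1/0/7", 10, OTHER_MAC, HOST_MAC,
                           ARP_REPLY, OTHER_MAC, GW_IP, HOST_MAC, HOST_IP)
    # Same frame, but the ARP body copies the bound MAC while the
    # Ethernet header still carries the real source MAC.
    forged_body = replace(false_reply, sender_mac=GW_MAC)
    strict, lax = build_inspector(True), build_inspector(False)
    return {
        "request": strict.inspect(request),
        "false_reply": strict.inspect(false_reply),
        "forged_body_validate_on": strict.inspect(forged_body),
        "forged_body_validate_off": lax.inspect(forged_body),
        "false_reply_on_trusted_port": strict.inspect(replace(false_reply, port="gi1/0/1")),
        "false_reply_other_vlan": strict.inspect(replace(false_reply, vlan=20)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {verdict}")
```

The last three cases are the ones to review in a real configuration: with validation off the list lookup alone accepts a frame whose body and header disagree, and a trusted interface or a VLAN without an assigned list bypasses inspection entirely.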
19 DHCP Snooping

This section describes DHCP Snooping and DHCP Relay features.
DHCP Snooping

This section describes DHCP snooping. It contains the following topics:
• DHCP Snooping Overview
• Global Parameters
• VLAN Settings
• Trusted Interfaces
• Snooping Binding Database

DHCP Snooping Overview

DHCP snooping expands network security by providing a layer of security between untrusted interfaces and DHCP servers.
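Table 19-1. DHCP Packet Handling when DHCP Snooping is Enabled (Continued)

Packet Type: DHCPOFFER
  Arriving from Untrusted Ingress Interface: Filter.
  Arriving from Trusted Ingress Interface: Forward the packet according to DHCP information. If the destination address is unknown the packet is filtered.

Packet Type: DHCPREQUEST
  Arriving from Untrusted Ingress Interface: Forward to trusted interfaces only.
  Arriving from Trusted Ingress Interface: Forward to trusted interfaces only.

Packet Type: DHCPACK
  Arriving from Untrusted Ingress Interface: Filter.
  Arriving from Trusted Ingress Interface: Same as DHCPOFFER and an entry is added to the Binding database.

Packet Type: DHCPNAK
  Arriving from Untrusted Ingress Interface: Filter.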
As shown in Table 21-1, the DHCP Snooping Binding database is updated by interception of DHCPACK, DHCPDECLINE and DHCPRELEASE packets, and is stored in non-volatile memory. Even if a port is down, its entries are not deleted.

NOTE: Only DHCP requests on untrusted ports are maintained in the Binding database.

Limitations

The following limitations apply:
• Enabling DHCP snooping uses TCAM resources.
To configure DHCP snooping on the device:
1 Click Switching > DHCP Snooping > Global Parameters in the tree view to display the Global Parameters page.

Figure 19-1. Global Parameters

2 Enable/disable DHCP snooping on the device in the DHCP Snooping Status field.
3 If DHCP snooping is enabled, enter the fields:
  – Option 82 Passthrough — Select whether to forward (enable) or filter (disable) DHCP packets with option-82 information that are received from untrusted interfaces.
The following table summarizes the CLI commands for configuring DHCP snooping global parameters.

Table 19-2. DHCP Snooping Global Parameters CLI Commands

CLI Command                                              Description
ip dhcp snooping                                         Globally enables DHCP snooping.
no ip dhcp snooping                                      Use the no form of this command to return to the default setting.
ip dhcp snooping information option allowed-untrusted    Allows a device to accept DHCP packets with option-82 information from an untrusted port.
no ip dhcp snooping information
The following is an example of some of the CLI commands:

console(config)# ip dhcp snooping
console(config)# ip dhcp snooping information option allowed-untrusted
console(config)# ip dhcp snooping verify
console(config)# ip dhcp snooping database
console(config)# ip dhcp snooping database frequency 1200
console# show ip dhcp snooping
DHCP snooping is enabled
DHCP snooping database: enabled
Option 82 on untrusted port is allowed
Verification of hwaddr field is enabled
DHCP snooping file update frequency is co
VLAN Settings

To separate ports in a VLAN, enable DHCP snooping on it. Before you enable DHCP snooping on a VLAN, you must globally enable DHCP snooping on the device. When DHCP snooping is disabled for a VLAN, the Binding entries that were collected for that VLAN are removed from the Binding database.

To enable/disable DHCP snooping on a VLAN:
1 Click Switching > DHCP Snooping > VLAN Settings in the tree view to display the VLAN Settings page.

Figure 19-2.
Configuring DHCP Snooping on VLANs Using CLI Commands

The following table summarizes the CLI commands for configuring DHCP snooping on VLANs.

Table 19-3. DHCP Snooping on VLANs CLI Commands

CLI Command                      Description
ip dhcp snooping vlan vlan-id    Enables DHCP snooping on a VLAN.
no ip dhcp snooping vlan-id      Use the no form of this command to disable DHCP snooping on a VLAN.
Trusted Interfaces

To define a trusted interface:
1 Click Switching > DHCP Snooping > Trusted Interface in the tree view to display the Trusted Interface: Summary page.

Figure 19-3. Trusted Interfaces: Summary

A list of the interfaces is displayed.
2 To change the trust status of an interface, click Edit, and enter the fields:
  – Interface — Select a unit and port or LAG.
  – Trust Status — Enable/disable DHCP Snooping Trust mode on the selected port or LAG.
Configuring DHCP Snooping Trusted Interfaces Using CLI Commands

The following table summarizes the CLI commands for configuring DHCP snooping trusted interfaces.

Table 19-4. DHCP Snooping Trusted Interfaces CLI Commands

CLI Command                  Description
ip dhcp snooping trust       Configures an interface as trusted for DHCP snooping purposes.
no ip dhcp snooping trust    Use the no form of this command to return to the default setting.
To query and add IP addresses to the Binding database:
1 Click Switching > DHCP Snooping > Binding Database in the tree view to display the Binding Database: Summary page.

Figure 19-4. Binding Database

A list of the database entries is displayed.
2 To query the database, enter query criteria and click Query. Database entries matching the query are displayed.
3 To add an entry, click Add, and enter the fields:
  – Type — Select the entry type.
  – VLAN ID — Select the VLAN ID to which the IP address is associated in the entry.
  – IP Address — Enter the IP address to be recorded in the entry.
  – Interface — Select the unit and port or LAG to be recorded in the entry.
  – Lease Time — If the entry is dynamic, enter the amount of time that the entry will be active in the DHCP Database. If there is no Lease Time, check Infinite.
Table 19-5. DHCP Snooping Binding Database CLI Commands (Continued)

CLI Command
  show ip dhcp snooping binding [mac-address mac-address] [ipaddress ip-address] [vlan vlanid] [[gigabitethernet|tengigabitethernet] port-number|port-channel LAG-number]]
Description
  Displays the DHCP snooping binding database and configuration information for all interfaces or some interfaces on a switch.
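The following added example (not Dell firmware code or code from this guide) models the rows of Table 19-1 that appear above together with the Binding database rules from this section: server messages from untrusted ports are filtered, a DHCPACK from a trusted port creates a binding only for a client seen on an untrusted port, and disabling snooping on a VLAN removes that VLAN's entries. It assumes that a DHCPNAK from a trusted port is forwarded and that the hwaddr verification shown in the CLI output compares the Ethernet source MAC with the DHCP client hardware address; all addresses are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

@dataclass(frozen=True)
class DhcpMsg:
    msg_type: str     # e.g. "DHCPREQUEST"
    port: str         # ingress interface
    vlan: int
    eth_src: str      # Ethernet source MAC
    chaddr: str       # client hardware address inside the DHCP message
    yiaddr: str = ""  # address offered/assigned by the server
    lease: int = 0    # lease time in seconds

class DhcpSnooper:
    def __init__(self, trusted_ports, vlans, verify: bool = True):
        self.trusted = set(trusted_ports)  # "ip dhcp snooping trust"
        self.vlans = set(vlans)            # "ip dhcp snooping vlan vlan-id"
        self.verify = verify               # "ip dhcp snooping verify"
        self.pending = {}                  # (vlan, mac) -> untrusted client port
        self.bindings = {}                 # (vlan, mac) -> binding entry

    def handle(self, m: DhcpMsg) -> str:
        """Return 'forward', 'forward-to-trusted' or 'filter'."""
        if m.vlan not in self.vlans:
            return "forward"               # snooping not enabled on this VLAN
        trusted = m.port in self.trusted
        key = (m.vlan, m.chaddr.lower())
        if m.msg_type == "DHCPREQUEST":
            if not trusted:
                # Assumed meaning of hwaddr verification on untrusted ports.
                if self.verify and m.eth_src.lower() != m.chaddr.lower():
                    return "filter"
                self.pending[key] = m.port
            return "forward-to-trusted"
        if m.msg_type in SERVER_TYPES:
            if not trusted:
                return "filter"            # server traffic on an untrusted port
            if m.msg_type == "DHCPACK" and key in self.pending:
                # Only clients seen on untrusted ports get a binding entry.
                self.bindings[key] = {"ip": m.yiaddr,
                                      "port": self.pending.pop(key),
                                      "lease": m.lease}
            return "forward"
        raise ValueError(f"{m.msg_type}: row not shown in the table above")

    def disable_vlan(self, vlan: int) -> None:
        """Disabling snooping on a VLAN removes the entries collected for it."""
        self.vlans.discard(vlan)
        self.bindings = {k: v for k, v in self.bindings.items() if k[0] != vlan}
        self.pending = {k: v for k, v in self.pending.items() if k[0] != vlan}

# Constructed sample data (documentation address ranges).
CLIENT, SERVER, UNKNOWN = "00:00:5e:00:53:0a", "00:00:5e:00:53:01", "00:00:5e:00:53:66"

def demo() -> dict:
    sw = DhcpSnooper(trusted_ports={"gi1/0/1"}, vlans={10})
    out = {}
    out["request"] = sw.handle(DhcpMsg("DHCPREQUEST", "gi1/0/5", 10, CLIENT, CLIENT))
    # A server answer arriving on an access port that is not trusted.
    out["offer_untrusted"] = sw.handle(
        DhcpMsg("DHCPOFFER", "gi1/0/7", 10, UNKNOWN, CLIENT, "198.51.100.10", 600))
    out["ack_untrusted"] = sw.handle(
        DhcpMsg("DHCPACK", "gi1/0/7", 10, UNKNOWN, CLIENT, "198.51.100.10", 600))
    out["bindings_after_untrusted_ack"] = len(sw.bindings)
    out["ack_trusted"] = sw.handle(
        DhcpMsg("DHCPACK", "gi1/0/1", 10, SERVER, CLIENT, "192.0.2.10", 86400))
    out["binding"] = dict(sw.bindings[(10, CLIENT)])
    # Ethernet source differs from chaddr: dropped by hwaddr verification.
    out["request_hwaddr_mismatch"] = sw.handle(
        DhcpMsg("DHCPREQUEST", "gi1/0/7", 10, UNKNOWN, CLIENT))
    sw.disable_vlan(10)
    out["bindings_after_vlan_disable"] = len(sw.bindings)
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30} {value}")
```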
DHCP Relay

This section describes DHCP relay. It contains the following topics:
• DHCP Relay Overview
• Option 82
• Global Settings
• Interface Settings

DHCP Relay Overview

The device can act as a DHCP Relay agent that listens for DHCP messages, and relays them between DHCP servers and clients, which reside in different VLANs or IP subnets. This functionality is intended to be used when the client ingress VLAN is different than the VLAN on which DHCP servers are connected.
Option 82 Overview

The relay agent information option (Option 82) in the DHCP protocol enables a DHCP relay agent to send additional client information when requesting an IP address. Option 82 specifies the relaying switch's MAC address, the port identifier, and the VLAN that forwarded the packet. Both DHCP snooping and DHCP relay can insert option 82 into traversing packets.
Option 82

To enable Option 82 insertion:
1 Click Switching > DHCP Relay > Option 82 in the tree view to display the Option 82 page.

Figure 19-5. Option 82

2 Enable/disable Option 82 insertion.
Configuring Option 82 Using CLI Commands

The following table summarizes the CLI commands for defining fields displayed in the Option 82 page.

Table 19-6. CLI Option 82 Commands

CLI Command                         Description
ip dhcp information option          Enables DHCP option-82 data insertion.
no ip dhcp information option       Use the no form of this command to disable DHCP option-82 data insertion.
3 To add a DHCP server, click Add.
4 Enter the IP address of the DHCP server in the DHCP Server IP Address field.

Defining Global Parameters Using CLI Commands

The following table summarizes the CLI commands for defining fields displayed in the Global Settings pages.

Table 19-7. Global Parameters CLI Commands

CLI Command                 Description
ip dhcp relay enable        Enables DHCP relay features on the device.
no ip dhcp relay enable     Use the no form of this command to disable the DHCP relay agent.
Interface Settings

NOTE: For DHCP Relay to function on an interface, it also must be activated globally in the Global Settings page.

To enable DHCP relay on a port, LAG, or VLAN:
1 Click Switching > DHCP Relay > Interface Settings in the tree view to display the Interface Settings: Summary page.

Figure 19-7. Interface Settings: Summary

The currently-defined DHCP interfaces are displayed.
2 To enable DHCP relay on an interface, click Add.
3 Select the interface.
Defining Interface Settings Using CLI Commands

The following table summarizes the CLI commands for defining fields displayed in the Interface Settings pages.

Interface Settings Parameters CLI Commands

CLI Command                 Description
ip dhcp relay enable        Enables the DHCP relay features on the interface (in Interface Configuration mode).
no ip dhcp relay enable     Use the no form of this command to disable the DHCP relay agent feature on the interface.
iSCSI Optimization

This section describes iSCSI optimization.
Optimizing iSCSI Overview

The Internet Small Computer System Interface (iSCSI) is an IP-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets, and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet, and can enable location-independent data storage and retrieval.
Limitations

The following limitations exist:
• All iSCSI connections receive the relevant QoS, regardless of whether they are being monitored or not. If, for example, a feature was disabled for some period and was enabled again, it is possible that there are iSCSI TCP connections that were established during this period of time. These cannot be monitored, because all relevant information was already passed at the beginning of the session.
• Each session supports at most four TCP connections. If a new TCP connection of an already opened iSCSI session arrives, and there are already four TCP connections, the new connection replaces the oldest one, within this specific iSCSI session.
• A short flow interruption, caused by STP topology change or administrative port-down action, might cause the TCP connection to reinitiate without closing the iSCSI session.
Global Parameters

Use the Global Parameters page to enable iSCSI and to set iSCSI QoS frame priority. You may also enable Remark to change the DSCP or CoS user priority field in the packet. In the QoS Properties pages, you can then set the queuing to strict priority or WRR, and map the CoS or DSCP to the desired queue in the CoS to Queue or DSCP to Queue pages.
  – iSCSI Aging Time — Enter how long the device will wait, after the last received frame of an iSCSI session, before deleting the session from the list.

Enabling iSCSI automatically enables Jumbo frames and enables Flow Control on all interfaces. Jumbo frames are only enabled after copying the Running configuration to the Startup configuration and resetting the device (the Flow Control changes are effective immediately).
The following is an example of the CLI commands:

console(config)# iscsi enable
console(config)# iscsi cos dscp 31
console(config)# iscsi aging time 10
console# show iscsi
Target: iqn.1993-11.com.disk-vendor:diskarrays.sn.45678
-------------------------------------------------------
Session 1:
--------
Initiator: iqn.1992-04.com.os-vendor.plan9:cdrom.12.storage:sys1.
iSCSI Targets

To add an iSCSI target:
1 Click System > iSCSI Optimization > iSCSI Targets in the tree view to display the iSCSI Targets: Summary page.

Figure 20-2. iSCSI Targets: Summary

The currently-defined targets are displayed.
2 To add a new target, click Add.
3 Enter the fields:
  – TCP Port — TCP port used by the target for iSCSI communications.
  – IP Address — IP address of the target. The IP address 0.0.0.0 is any IP address.
  – Target Name (0-223 characters) — Name of the target.
Defining iSCSI Targets Using CLI Commands

The following table summarizes the CLI commands for defining fields displayed in the iSCSI Targets Table.

Table 20-2. iSCSI Targets Table CLI Commands

CLI Command
  iscsi target port tcp-port-1 [tcp-port-2… tcp-port-8] [address ip-address] [name target-name]
Description
  Configures iSCSI port/s, target address and name. Use the no form of this command to delete an iSCSI target.
iSCSI Sessions

To display information about iSCSI communications to various targets:
1 Click System > iSCSI Optimization > iSCSI Sessions in the tree view to display the iSCSI Sessions page.

Figure 20-3. iSCSI Sessions

2 Select a target and click Details. The following is displayed:
  – Target Name — The name of the target.
  – Initiator Name — The name of the initiator.
  – ISID — The iSCSI session ID.
  – Session Life Time — The amount of time that has passed since the first frame of the session.
  – Initiators/Targets — The IP address and TCP port used by each initiator and target in the session is displayed.

Displaying iSCSI Sessions Using CLI Commands

The following table summarizes the CLI commands for displaying iSCSI sessions.

Table 20-3. iSCSI CLI Commands

CLI Command                      Description
show iscsi sessions [detailed]   Displays iSCSI sessions

The following is an example of the CLI commands:

console(config)# show iscsi sessions
Target: iqn.1993-11.com.disk-vendor:diskarrays.sn.
Configuring iSCSI Using CLI

The following is a sample procedure to configure the iSCSI feature using CLI:

Table 20-4. Sample CLI Script to Configure iSCSI

CLI Command                Description
iscsi enable               Enable iSCSI.
iscsi cos vpt 2 remark     Set iSCSI flow to use VPT 2 (Layer 2 CoS). This VPT value replaces the original VPT in the packet.
show iscsi sessions        Verify that iSCSI is enabled and that the iSCSI flows are displayed.
21 Statistics/RMON

This section describes many of the statistics available on the device. The only exception is the QoS statistics described in "Quality of Service" on page 640.
Table Views

This section displays statistics in table form.
Denied ACEs Counters

The Denied ACEs counters contain the number of packets that were dropped (denied) because they did not meet ACL criteria expressed in some ACE.

To display the denied ACE counters:
1 Click Statistics/RMON > Table Views > Denied ACEs Counters in the tree view to display the Denied ACEs Counters page.

Figure 21-1. Denied ACEs Counters

The global number of dropped packets is displayed along with the number of dropped packets on each interface.
Viewing Denied ACE Counters Statistics Using the CLI Commands

The following table contains the CLI commands for viewing denied ACE counters statistics.

Table 21-1. Denied ACE Counters CLI Commands

CLI Command                      Description
show interfaces access-lists     Displays Access List counters.
Utilization Summary

Use the Utilization Summary page to display interface utilization. This page is refreshed periodically to minimize impact on performance. Display may be disrupted during this period.

To display interface utilization statistics:
1 Click Statistics/RMON > Table Views > Utilization Summary in the tree view to display the Utilization Summary page.

Figure 21-2. Utilization Summary

2 Select a unit and port/LAG. The following fields are displayed:
  – Port/LAG — The port/LAG number.
  – % Unicast Received — Percentage of Unicast packets received on the interface.
  – % Non Unicast Packets Received — Percentage of non-Unicast packets received on the interface.
  – % Error Packets Received — Percentage of packets with errors received on the interface.
3 Select one of the Refresh Rate options to specify how frequently the statistics should be refreshed. The CPU utilization chart is displayed.
Counter Summary

To display the number of received and transmitted packets on ports, as numeric figures and not percentages:
1 Click Statistics/RMON > Table Views > Counter Summary in the tree view to display the Counter Summary page.

Figure 21-3. Counter Summary

Counters for the selected units or LAG are displayed.
2 Select a port/LAG. The following fields are displayed:
  – Port/LAG — The interface number.
  – Interface Status — Status of the interface: Up or Down.
  – Transmitted Unicast Packets — Number of transmitted Unicast packets from the interface.
  – Received Non Unicast Packets — Number of received non-Unicast packets on the interface.
  – Transmitted Non Unicast Packets — Number of transmitted non-Unicast packets from the interface.
  – Received Errors — Number of received packets with errors on the interface.
3 Select one of the Refresh Rate options to specify how frequently the counters should be refreshed.
Interface Statistics

To display the number of received and transmitted packets on an interface:
1 Click Statistics/RMON > Table Views > Interface Statistics in the tree view to display the Interface Statistics page.

Figure 21-4. Interface Statistics

2 Select a port/LAG.
3 Select one of the Refresh Rate options to specify how frequently the counters should be refreshed. The following fields are displayed:

Receive Statistics
  – Total Bytes (Octets) — Amount of octets received on the selected interface.
  – Unicast Packets — Number of Unicast packets received on the selected interface.
  – Multicast Packets — Number of Multicast packets received on the selected interface.
  – Broadcast Packets — Number of Broadcast packets received on the selected interface.
  – Packets with Errors — Number of packets with errors received on the selected interface.

Transmit Statistics
  – Total Bytes (Octets) — Number of octets transmitted from the selected interface.
Etherlike Statistics

To display interface error statistics:
1 Click Statistics/RMON > Table Views > Etherlike Statistics in the tree view to display the Etherlike Statistics page.

Figure 21-5. Etherlike Statistics

2 Select a port/LAG. The following fields are displayed:
  – Frame Check Sequence (FCS) Errors — Number of frames received that are an integral number of octets in length but do not pass the FCS check.
  – Excessive Collisions — Number of frames for which transmission fails due to excessive collisions.
  – Internal MAC Transmit Errors — Number of frames for which reception fails due to an internal MAC sublayer receive error.
  – Oversize Packets — Number of frames received that exceed the maximum permitted frame size.
  – Received Pause Frames — Number of MAC Control frames received with a PAUSE operation code.
The following is an example of the CLI command for all ports:

console# show interfaces counters

Port    InUcastPkts  InMcastPkts InBcastPkts InOctets
------- ------------ ----------- ----------- --------
gi2/0/1 0            0           0           0
gi2/0/2 0            0           0           0
gi2/0/3 0            0           0           0
gi2/0/4 0            0           0           0
gi2/0/5 0            0           0           0

Port      OutUcastPkts OutMcastPkts OutBcastPkts OutOctets
--------- ------------ ------------ ------------ -----------
gi2/0/1   0            0            0            0
gi2/0/2   0            0            0            0
gi2/0/3   0            0            0            0
gi2/0/4   0            0            0            0

The fo
GVRP Statistics

To display device GVRP statistics:
1 Click Statistics/RMON > Table Views > GVRP Statistics in the tree view to display the GVRP Statistics page.

Figure 21-6. GVRP Statistics

2 Select a port/LAG. The number of received and transmitted packets in the following counters is displayed:

GVRP Statistics Table
  – Join Empty — The number of GVRP Join Empty packets.
  – Empty — The number of GVRP empty packets.
  – Leave Empty — The number of GVRP Leave Empty packets.
  – Leave In — The number of GVRP Leave In packets.
  – Leave All — The number of GVRP Leave All packets.

GVRP Error Statistics
  – Invalid Protocol ID — The number of GVRP Invalid Protocol ID errors.
  – Invalid Attribute Type — The number of GVRP Invalid Attribute ID errors.
  – Invalid Attribute Value — The number of GVRP Invalid Attribute Value errors.
  – Invalid Attribute Length — The number of GVRP Invalid Attribute Length errors.
  – Invalid Event — The number of GVRP Invalid Events errors.
The following is an example of the CLI commands:

console# show gvrp statistics
GVRP Statistics:
----------------
Legend:
rJE : Join Empty Received     rJIn: Join In Received
rEmp : Empty Received         rLIn: Leave In Received
rLE : Leave Empty Received    rLA : Leave All Received
sJE : Join Empty Sent         sJIn: Join In Sent
sEmp : Empty Sent             sLIn: Leave In Sent
sLE : Leave Empty Sent        sLA : Leave All Sent

Port  rJE   rJIn  rEmp  rLIn  rLE   rLA   sJE  sJIn  sEmp
----- ----- ----- ----- ----- ----- ----- ---- ----- --
EAP Statistics

For information about EAP, see "Dot1x Authentication" on page 127.

To display EAP statistics:
1 Click Statistics/RMON > Table Views > EAP Statistics in the tree view to display the EAP Statistics page.

Figure 21-7. EAP Statistics

2 Select a port/LAG. The following fields are displayed:
  – Frames Received — The number of valid EAPOL frames received on the port.
  – Frames Transmitted — The number of EAPOL frames transmitted via the port.
  – Start Frames Receive — The number of EAPOL Start frames received on the port.
  – Log off Frames Receive — The number of EAPOL Logoff frames received on the port.
  – Respond ID Frames Receive — The number of EAP Resp/ID frames received on the port.
  – Respond Frames Receive — The number of valid EAP Response frames received on the port.
  – Request ID Frames Transmit — The number of EAP Req/ID frames transmitted via the port.
The following is an example of the CLI commands:

console# show dot1x statistics gi1/0/1
EapolFramesRx: 11
EapolFramesTx: 12
EapolStartFramesRx: 1
EapolLogoffFramesRx: 1
EapolRespIdFramesRx: 3
EapolRespFramesRx: 6
EapolReqIdFramesTx: 3
EapolReqFramesTx: 6
InvalidEapolFramesRx: 0
EapLengthErrorFramesRx: 0
LastEapolFrameVersion: 1
LastEapolFrameSource: 0008.3b79.
RMON Components

This section describes Remote Monitoring (RMON), which enables network managers to display network information from a remote location.
Statistics

To display device utilization statistics and errors that occurred on the device:
1 Click Statistics/RMON > RMON > Statistics in the tree view to display the Statistics page.

Figure 21-8. Statistics

2 Select a port/LAG. The following fields are displayed:
  – Received Bytes (Octets) — Number of bytes received on the selected interface.
  – Received Packets — Number of packets received on the selected interface.
  – Multicast Packets Received — Number of good Multicast packets received on the interface, since the device was last refreshed.
  – CRC&Align Errors — Number of packets received with a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but with either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
  – Frames of 1024 to Max Octets — Number of 1024-Max Octet frames received on the interface, since the device was last refreshed.
3 Select one of the Refresh Rate options to specify how frequently the statistics should be refreshed.

Configuring RMON Statistics Using the CLI Commands

The following table contains the CLI commands for viewing and enabling RMON statistics.

Table 21-5. Configuring RMON Statistics Using CLI Command

CLI Command             Description
show rmon statistics    Displays RMON Ethernet statistics.
History Control

To display the requested RMON history group statistics or request a new sample of interface statistics:
1 Click Statistics/RMON > RMON > History Control in the tree view to display the History Control: Summary page.

Figure 21-9. History Control: Summary

Previously-defined samples are displayed.
2 To add a new entry, click Add. The New History Entry number, which uniquely identifies the sample, is displayed.
3 Enter the fields for the entry:
  – Source Interface — Sampled Ethernet interface.
– Max No. of Samples to Keep (1-50) — Number of samples to be saved.
– Sampling Interval (1-3600) — The time interval in seconds between samples.

Configuring RMON History Control Using the CLI Commands

The following table contains the CLI commands for configuring RMON history control.

Table 21-6. RMON History Control CLI Commands

CLI Command    Description
rmon collection stats index [owner ownername|bucket bucket-number] [interval seconds]
               Enables and configures RMON on an interface.
History Table

The History Table page displays interface-specific statistical network samplings. Each table entry represents the counter values compiled during a single sample.

To display RMON statistics for a specified sample:

1 Click Statistics/RMON > RMON > History Table in the tree view to display the History Table page.

Figure 21-10. History Table

2 Select a History Entry No. The following fields are displayed:
– Owner — RMON station or user that requested the RMON information.
– Sample No.
– Drop Events — Number of dropped packets due to lack of network resources during the sampling interval. This may not represent the exact number of dropped packets, but rather the number of times dropped packets were detected.
– Received Bytes (Octets) — Number of data octets, including bad packets, received on the network.
– Received Packets — Number of packets received during the sampling interval.
– Broadcast Packets — Number of good Broadcast packets received during the sampling interval.
Viewing the RMON History Table Using the CLI Commands

The following table contains the CLI commands for viewing the RMON history table.

Table 21-7. RMON History Table CLI Commands

CLI Command                Description
show rmon history index    Displays RMON Ethernet statistics history.
Events Control

Events are actions that are performed when an alarm is generated (alarms are defined in the Alarms page). An event can be any combination of logs/traps. If the action includes logging, then the events are logged in the Events Log page.

To define an RMON event:

1 Click Statistics/RMON > RMON > Events Control in the tree view to display the Events Control: Summary page.

Figure 21-11. Events Control: Summary

The currently-defined events are displayed.
3 Enter the fields:
– Event Entry — Displays a new event number.
– Community — Enter the community to which the event belongs or keep the default community.
– Description — Enter the event description.
– Type — Select the event action. The possible options are:
  • None — No action is taken.
  • Log — When an alarm occurs, a log entry is recorded.
  • Trap — When an alarm occurs, a trap is generated.
  • Log and Trap — When an alarm occurs, a log entry is recorded and a trap is generated.
The following is an example of the CLI commands:

console(config)# rmon event 1 log
console(config)# exit
console# show rmon events
Index Description    Type    Community         Owner   Last Time Sent
----- -------------- ------- ----------------- ------- --------------------
1     Errors         Log     Default Community CLI     Jan 18 2002 23:58:17
2     High Broadcast LogTrap Router            Manager Jan 18 2002 23:59:48
Events Log

The Events log displays the log of events that occurred. An event is logged when the type of the event is Log or Log and Trap. The action in the event is performed when the event is bound to an alarm (see the Alarms page) and the conditions of the alarm have occurred.

To display the events log:

• Click Statistics/RMON > RMON > Events Log in the tree view to display the Events Control page.

Figure 21-12. Events Control

The following fields are displayed:
– Event — The event identifier.
– Description — Description of the log entry.

Viewing Device Events Using the CLI Commands

The following table contains the CLI commands for viewing device events.

Table 21-9. Device Event Viewing CLI Commands

CLI Command              Description
show rmon log [event]    Displays the RMON logging table.
alarm is issued when a rising threshold is crossed. One or more alarms are bound to an event. The event indicates the action to be taken when the alarm occurs.

To add an RMON alarm:

1 Click Statistics/RMON > RMON > Alarms in the tree view to display the Alarms: Summary page.

Figure 21-13. Alarms: Summary

The currently-defined alarms are displayed.

2 To add a new alarm, click Add and enter the fields:
– Alarm Entry — Displays a new alarm entry.
– Sample Type — Select the method for sampling the selected variable and for comparing the value against the thresholds. The possible options are:
  • Delta — Subtracts the last sampled value from the current value. The difference in the values is compared to the threshold.
  • Absolute — Compares the values directly with the thresholds at the end of the sampling interval.
– Rising Threshold (0–2147483647) — Enter the rising counter value that triggers the rising event alarm.
Defining Device Alarms Using the CLI Commands

The following table contains the CLI commands for defining device alarms.

Table 21-10. Device Alarm CLI Commands

CLI Command    Description
rmon alarm index MIB_Object_ID interval rthreshold fthreshold revent fevent [type type] [startup direction] [owner name]
               Configures RMON alarm conditions.
no rmon alarm index
               Use the no form of this command to remove an alarm.
show rmon alarm-table
               Displays summary of the alarm table.
The following is an example of the CLI commands:

console(config)# rmon alarm 1000 1.3.6.1.2.1.2.2.1.10.1 360000 1000000 1000000 10 20
console# show rmon alarm-table
Index OID
----- ----------------------
1     1.3.6.1.2.1.2.2.1.10.1
2     1.3.6.1.2.1.2.2.1.10.1
3     1.3.6.1.2.1.2.2.1.10.
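The Delta and Absolute sample types and the rising/falling thresholds described above, modelled in Python as an added example (it is not part of the original guide and is not the switch's firmware logic). The re-arming rule follows the standard RMON alarm definition; the falling threshold of 200000, the counter readings and the startup labels are constructed for illustration.

```python
"""Model of RMON alarm evaluation. Added example, not the switch's firmware."""

COUNTER32_MOD = 2 ** 32  # assumption: the sampled object is a 32-bit counter


def to_samples(readings, sample_type):
    """Turn raw counter readings into (reading_index, value) samples."""
    if sample_type == "absolute":
        # Absolute: the raw value itself is compared with the thresholds.
        return list(enumerate(readings))
    if sample_type == "delta":
        # Delta: the last reading is subtracted from the current one.
        # The modulo keeps the difference correct across a counter wrap.
        return [(i, (readings[i] - readings[i - 1]) % COUNTER32_MOD)
                for i in range(1, len(readings))]
    raise ValueError("sample_type must be 'absolute' or 'delta'")


def evaluate_alarm(readings, sample_type, rising, falling,
                   startup="rising-falling"):
    """Return the alarms raised as [(reading_index, direction, value), ...].

    startup is a hypothetical label for the startup direction:
    'rising', 'falling' or 'rising-falling'.
    """
    events = []
    prev = None
    rising_armed = falling_armed = True
    for idx, value in to_samples(readings, sample_type):
        fired = None
        if prev is None:
            # First valid sample: the startup direction decides what may fire.
            if value >= rising and startup in ("rising", "rising-falling"):
                fired = "rising"
            elif value <= falling and startup in ("falling", "rising-falling"):
                fired = "falling"
        elif value >= rising and prev < rising and rising_armed:
            fired = "rising"
        elif value <= falling and prev > falling and falling_armed:
            fired = "falling"
        # Hysteresis: after a rising alarm, no further rising alarm is raised
        # until a falling alarm has occurred, and vice versa.
        if fired == "rising":
            rising_armed, falling_armed = False, True
        elif fired == "falling":
            rising_armed, falling_armed = True, False
        if fired:
            events.append((idx, fired, value))
        prev = value
    return events


# Constructed ifInOctets-style readings, one per sampling interval.
# The counter wraps past 2**32 between reading 1 and reading 2.
READINGS = [4_294_000_000, 4_294_500_000, 732_704, 2_232_704,
            2_832_704, 3_932_704, 4_032_704, 6_032_704]
RISING, FALLING = 1_000_000, 200_000  # FALLING is a constructed value

if __name__ == "__main__":
    for mode in ("delta", "absolute"):
        print(mode, evaluate_alarm(READINGS, mode, RISING, FALLING))
```

With Delta sampling the burst at reading 5 raises no second alarm because the value has not yet dropped to the falling threshold; with Absolute sampling on an ever-growing byte counter the alarm fires once at startup and never again, which is why Delta is the usual choice for traffic counters.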
Charts

This section describes how to display statistics as charts. It contains the following topics:
• Ports
• LAGs
• CPU Utilization

Ports

To display port statistics in chart format:

1 Click Statistics/RMON > Charts > Ports in the tree view to display the Ports page.

Figure 21-14. Ports

2 Select the unit ID of a unit in the stack for which you want to display statistics.
3 Check the type of statistics to be displayed:
– Interface Statistics — Select the interface statistics to display.
– Etherlike Statistics — Select the frame error statistics to display.
– RMON Statistics — Select the RMON statistics to display.
– GVRP Statistics — Select the GVRP statistics type to display.
– Refresh Rate — Select the amount of time that passes before the statistics are refreshed.

4 To draw a chart for the selected statistics, click Draw.
Viewing Port Statistics Using the CLI Commands

The CLI commands for viewing port statistics are the same CLI commands described above. The Ports page simply shows the same statistics in chart form.

LAGs

To display LAG statistics in chart format:

1 Click Statistics/RMON > Charts > LAGs in the tree view to display the LAGs page.

Figure 21-15. LAGs

2 Check the type of statistics to be displayed:
– Interface Statistics — Select the interface statistics to display.
– GVRP Statistics — Select the GVRP statistics type to display.
– Refresh Rate — Select the amount of time that passes before the statistics are refreshed.

3 To draw a chart for the selected statistics, click Draw. The chart for the selected statistic is displayed on the page.

Viewing LAG Statistics Using the CLI Commands

The following table contains the CLI commands for viewing LAG statistics.

Table 21-11.
The following is an example of the CLI commands:

console# show rmon statistics gi1/0/1
Port gi1/0/1
Dropped: 0
Octets: 0                    Packets: 0
Broadcast: 0                 Multicast: 0
CRC Align Errors: 0          Collisions: 0
Undersize Pkts: 0            Oversize Pkts: 0
Fragments: 0                 Jabbers: 0
64 Octets: 0                 65 to 127 Octets: 1
128 to 255 Octets: 1         256 to 511 Octets: 1
512 to 1023 Octets: 0        1024 to max Octets: 0
CPU Utilization

Use the CPU Utilization page to display the system's CPU utilization and percentage of CPU resources consumed by each unit in the stack. Each unit in the stack is assigned a color on the graph.

To display CPU utilization in chart format:

1 Click Statistics/RMON > Charts > CPU Utilization in the tree view to display the CPU Utilization page.

Figure 21-16. CPU Utilization

2 Select the Refresh Rate to specify how frequently the statistics should be refreshed.
Viewing CPU Utilization Using CLI Commands

The following table summarizes the CLI commands for viewing CPU utilization.

Table 21-12. CPU Utilization CLI Commands

CLI Command             Description
show cpu utilization    Displays CPU utilization.

The following is an example of the CLI commands:

console# show cpu utilization
CPU utilization service is on.
22 Quality of Service

This section provides information for configuring Quality of Service (QoS).
QoS Features and Components

The QoS feature is used to optimize network performance. It provides classification of incoming traffic into traffic classes, based on one or more attributes, including:
– Device configuration
– Ingress interface
– Packet contents

QoS includes the following features:
• Traffic Classification — Classifies each incoming packet as belonging to a specific traffic flow, based on the packet contents and/or interface.
This is the default QoS mode.
• Advanced Mode — Per-flow Quality of Service (QoS). In Advanced mode, a per-flow QoS consists of a class map and a policer:
  – A class map defines the kind of traffic in a flow, and contains one or more ACLs. Packets that match the ACLs belong to the flow.
  – A policer applies the configured QoS to a flow. The QoS configuration of a flow may consist of the egress queue, the DSCP or CoS value, and actions on out-of-profile (excess) traffic.
General

This section contains the following topics:
• QoS Mode
• QoS Properties
• Queue
• Mapping to Queue
• Bandwidth
• TCP Congestion Avoidance

QoS Mode

To enable/disable the QoS mode:

1 Click Quality of Service > General > QoS Mode in the tree view to display the QoS Mode page.

Figure 22-1. QoS Mode

2 Select the QoS Mode.
– Advanced — QoS is enabled in Advanced mode on the switch.
– Disable — QoS is not enabled on the switch.

Setting QoS Mode Using CLI Commands

The following table summarizes the CLI commands for setting the QoS mode.

Table 22-1. QoS Mode CLI Commands

CLI Command             Description
qos [basic|advanced]    Enables QoS on the device.
no qos                  Use the no form of this command to disable QoS on the device.
show qos                Displays the QoS mode.
QoS Properties

To set the default CoS value on incoming, untagged packets:

1 Click Quality of Service > General > QoS Properties in the tree view to display the QoS Properties: Summary page.

Figure 22-2. QoS Properties: Summary

The default CoS values for all interfaces on the selected unit are displayed.

2 To modify the CoS value for an interface, click Edit, and enter the fields:
– Interface — Select a port or LAG if required.
– Set Default CoS — Enter the default CoS tag value for untagged packets.
Configuring QoS Properties Using CLI Commands

The following table summarizes the CLI commands for configuring fields in the QoS Properties: Summary page.

Table 22-2. QoS Properties CLI Commands

CLI Command            Description
qos cos default-cos    Defines the default CoS value of a port.
no qos cos             Use the no form of this command to restore the default configuration.
Combination of WRR and Strict Priority

The priority for handling traffic can be selected for each queue. When the queuing mode is Weighted Round Robin for all queues, queues are serviced according to their weights. If all queues are assigned strict priority, queues are serviced according to that order.

The following is true if some queues are assigned strict priority and others are assigned WRR:
• If one queue is assigned strict priority, all higher queues are also assigned strict priority.
To select the priority method and enter WRR weights:

1 Click Quality of Service > General > Queue in the tree view to display the Queue page.

Figure 22-3. Queue

The queues are displayed.

2 Enter the parameters for the queues:
– Strict Priority — Check to indicate that traffic scheduling for the selected queue, and all higher queues, is based strictly on the queue priority.
– WRR — Check to indicate that traffic scheduling for the selected queue is based on WRR.
– Scheduling WRR Weight — If WRR is selected, enter the WRR weight assigned to the queue.
– % of WRR Bandwidth — Displays the amount of bandwidth assigned to the queue. These values represent the percent of the WRR weight.

Configuring Queue Settings Using CLI Commands

The following table summarizes the CLI commands for configuring fields in the Queue page.

Table 22-3.
CoS to Queue

The CoS to Queue page maps CoS priorities to an egress queue, meaning that the egress queue of an incoming packet is based on the CoS priority in its VLAN tag. For incoming, untagged packets, the CoS priority is the default CoS priority assigned to ingress ports. By changing the CoS to Queue mapping, the queue scheduling method, and the bandwidth allocation, it is possible to achieve the desired quality of service in a network.
To map CoS values to egress queues:

1 Click Quality of Service > General > CoS to Queue in the tree view to display the CoS to Queue page.

Figure 22-4. CoS to Queue

The CoS/queue mappings are displayed.

2 Enter the fields:
– Class of Service — The CoS priority tag values, where zero is the lowest priority and 7 is the highest priority.
– Queue — The queue to which the CoS priority is mapped.
Mapping CoS Priorities to Queues Using CLI Commands

The following table summarizes the CLI commands for configuring fields in the CoS to Queue page.

Table 22-4. CoS to Queue CLI Commands

CLI Command                                  Description
wrr-queue cos-map queue-id cos1 ... cos8     Maps CoS values to the egress queues.
no wrr-queue cos-map [queue-id]              Use the no form of this command to restore the default configuration.
To map DSCP to queues:

1 Click Quality of Service > General > DSCP to Queue in the tree view to display the DSCP to Queue page.

Figure 22-5. DSCP to Queue

The DSCP values in the incoming packet and their associated queues are displayed.

2 Enter the fields:
– DSCP In — The values of the DSCP field in the incoming packet.
– Queue — The queue to which packets with the specific DSCP value are assigned. The values are 1-8, where 1 is the lowest value, and 8 is the highest.
Mapping DSCP Values to Queues Using CLI Commands

The following table summarizes the CLI commands for configuring fields in the DSCP to Queue page.

Table 22-5. DSCP to Queue CLI Commands

CLI Command                                  Description
qos map dscp-queue dscp-list to queue-id     Modifies the DSCP to queue mapping.
no qos map dscp-queue [dscp-list]            Use the no form of this command to restore the default configuration.
To configure bandwidth limitation:

1 Click Quality of Service > General > Bandwidth in the tree view to display the Bandwidth: Summary page.

Figure 22-6. Bandwidth: Summary

The ingress and egress rates are displayed for all ports on the selected unit.

2 To set interface parameters, click Edit.

3 Select an interface, and enter the fields:
– Enable Ingress Rate Limit — Enable/disable ingress traffic limit for the interface. If this field is selected, enter the Ingress Rate Limit.
– Egress Shaping Rate — Enable/disable egress traffic limitation. If this field is selected, enter the following fields.
– Committed Information Rate (CIR) — Enter the average maximum amount of data allowed to be sent on the egress interface, measured in bits per second.
– Committed Burst Size (CBS) — Enter the maximum burst of data that is allowed to be sent on the egress interface, even though it is above the CIR. This is defined in number of bytes of data.
TCP Congestion Avoidance

Use the TCP Congestion Avoidance page to activate a congestion avoidance algorithm. The algorithm breaks up or prevents TCP global synchronization in a congested node, where the congestion is due to various sources sending packets with the same byte count.

To configure TCP congestion avoidance:

1 Click Quality of Service > General > TCP Congestion Avoidance in the tree view to display the TCP Congestion Avoidance page.
Configuring TCP Congestion Avoidance Using CLI Commands

The following table summarizes the CLI commands for configuring fields in the TCP Congestion Avoidance page.

Table 22-7. TCP Congestion Avoidance CLI Commands

CLI Command                Description
qos wrr-queue wrtd         Enables Weighted Random Tail Drop (WRTD).
no qos wrr-queue wrtd      Use the no form of this command to disable WRTD.
QoS Basic Mode

This section describes QoS Basic mode. It contains the following topics:
• Basic Mode Overview
• Workflow to Configure Basic Mode
• Global Settings
• DSCP Rewrite
• Interface Settings

Basic Mode Overview

In QoS Basic mode, a specific domain in the network can be defined as trusted. Within that domain, packets are marked with CoS priority and/or DSCP values, to signal the type of service they require.
Global Settings

Use the Global Settings page to enable Trust on all interfaces on the switch. This configuration is only active when the QoS mode is Basic. Packets entering a QoS domain are classified at the edge of the QoS domain.

For more information on setting Trust mode on an interface, see "Interface Settings" on page 664.

To define Trust configuration:

1 Click Quality of Service > QoS Basic Mode > Global Settings in the tree view to display the Global Settings page.

Figure 22-8.
2 Enter the fields:
– Trust Mode — Enable/disable Trust mode.
  • CoS — Traffic is mapped to queues, based on the VPT field in the VLAN tag, or based on the per-port default CoS value (if there is no VLAN tag on the incoming packet). The mapping of the VPT to queue can be configured in the CoS to Queue page.
  • DSCP — All IP traffic is mapped to queues, based on the DSCP field in the IP header. The mapping of the DSCP to queue is configured in the DSCP to Queue page.
DSCP Rewrite

Use the DSCP Rewrite page to rewrite the DSCP tags for incoming traffic, when different DSCP values are used in the incoming and outgoing domains. Changing the DSCP value used in one domain to the DSCP value used in the other domain preserves the priority of traffic used in the first domain.

As an example, assume that there are three levels of service: Silver, Gold, and Platinum. The DSCP incoming values used to mark these levels are 10, 20, and 30 respectively.
To map DSCP In values to DSCP Out values: 1 Click Quality of Service > QoS Basic Mode > DSCP Rewrite in the tree view to display the DSCP Rewrite page. Figure 22-9.
2 For each DSCP In value (DSCP value of the incoming packet) that needs to be rewritten to an alternative value, set a DSCP Out value.

Assigning DSCP Rewrite Values Using CLI Commands

The following table summarizes the CLI commands for configuring fields in the DSCP Rewrite page.

Table 22-9. DSCP Rewrite CLI Commands

CLI Command                                    Description
qos map dscp-mutation in-dscp to out-dscp      Configures the DSCP to DSCP Mutation table.
To define QoS Trust for an interface:

1 Click Quality of Service > QoS Basic Mode > Interface Settings in the tree view to display the Interface Settings: Summary page.

Figure 22-10. Interface Settings: Summary

Trust mode is displayed for each interface on the selected unit.

2 To change the QoS trust state for an interface, click Edit, and select an interface on a unit.

3 Enable/disable the QoS Trust State.
Assigning Interface Settings Using CLI Commands

The following table summarizes the CLI commands for configuring fields in the Interface Settings page.

Table 22-10. Interface Settings CLI Commands

CLI Command      Description
qos trust        Enables each port trust state while the system is in the basic QoS mode.
no qos trust     Use the no form of this command to disable the trust state on each port.
Table 22-11. Sample CLI Script to Configure QoS Basic Mode (Continued)

CLI Command                                   Description
console(config)#interface gi1/0/1             Enter Interface mode on port gi1/0/1.
console(config-if)#service-acl input mac1     Bind MAC1 to port gi1/0/1.
QoS Advanced Mode

This section describes QoS Advanced mode. It contains the following topics:
• Advanced Mode Overview
• Workflow to Configure Advanced QoS Mode
• DSCP Mapping
• Class Mapping
• QoS Policers
• Policy Binding

Advanced Mode Overview

In Advanced mode, the switch uses policies to support per-flow QoS. A policy and its components have the following characteristics and relationships:
• A policy contains one or more class maps.
• If you bind a policy map to more than one port and one of its classes contains a single policer, all policy map rules will be multiplied per port (using up more TCAM resources).
• An aggregate policer applies the QoS to all of its flows in aggregation, regardless of policies and ports.

Advanced QoS settings consist of the following elements:
• Rules — All frames matching a single group of rules are considered to be a flow.
• Actions — To be applied to frames in each flow that match the rules.
a Single Policer — Create a policy that associates a class map with a single policer in the Policy Table pages and the Class Mapping pages. Within the policy, define the single policer.

b Aggregate Policer — Create a QoS action for each flow. This action sends all matching frames to the same policer (aggregate policer), defined in the Aggregate Policer pages. Create a policy that associates a class map with the aggregate policer in the Policy Table pages.
To set new DSCP values:

1 Click Quality of Service > QoS Advanced Mode > DSCP Mapping to display the DSCP Mapping page.

Figure 22-11. DSCP Mapping

2 If the Exceed Action is Out-of-Profile (in the Policy Class Maps page) or Remark DSCP (in the Aggregate Policy page), the DSCP In values are rewritten with the DSCP Out values. Set the DSCP Out values as required.
Configuring DSCP Mapping Using CLI Commands

The following table summarizes the CLI commands for setting the fields in the DSCP Mapping page.

Table 22-12. DSCP Mapping CLI Commands

CLI Command    Description
qos map policed-dscp dscp-list to dscp-mark-down
               Configures the policed-DSCP map for remarking purposes.
no qos map policed-dscp [dscp-list]
               Use the no form of this command to restore the default configuration.
To define a class map:

1 Click Quality of Service > QoS Advanced Mode > Class Mapping to display the Class Mapping: Summary page.

Figure 22-12. Class Mapping: Summary

The previously-defined class maps are displayed.

2 To add a class map, click Add. A new class map is added by selecting one or two ACLs and assigning them a class map name. If a class map has two ACLs, specify that a frame must match both ACLs, or that it must match either one or both of the ACLs selected.

3 Enter the parameters.
– Match ACL Type — Enter the criteria that a packet must match in order to belong to the flow defined by the class map. The possible options are:
  • IP — A packet must match either of the IP-based ACLs in the class map.
  • MAC — A packet must match the MAC-based ACL in the class map.
  • IP and MAC — A packet must match the IP-based ACL and the MAC-based ACL in the class map (match-all).
  • IP or MAC — A packet must match either the IP-based ACL or the MAC-based ACL in the class map (match-any).
Table 22-13. Class Mapping CLI Commands (Continued)

CLI Command                         Description
match access-group acl-name         Defines the match criteria for classifying traffic.
no match access-group acl-name      Use the no form of this command to delete the match criteria.
show class-map [class-map-name]     Displays information about the class map.
QoS Policers Overview

The rate of traffic that matches a pre-defined set of rules can be measured, and limits, such as limiting the rate of file-transfer traffic that is allowed on a port, can be enforced. This is done by using the ACLs in the class map(s) to match the desired pattern of traffic, and by using a policer to apply QoS on the matching traffic. A policer is configured with a QoS specification.
Aggregate Policers

To define an aggregate policer:

1 Click Quality of Service > QoS Advanced Mode > Aggregate Policer to display the Aggregate Policer: Summary page.

Figure 22-13. Aggregate Policer: Summary

The existing aggregate policers are displayed.

2 To add an aggregate policer, click Add, and enter the fields.
– Aggregate Policer Name — Enter the name of the Aggregate Policer.
– Committed Information Rate (CIR) — Enter the maximum bandwidth allowed in bits per second.
– Exceed Action — Select the action to be performed on incoming packets that exceed the CIR. The possible options are:
  • None — No action is performed on packets exceeding the defined CIR value.
  • Drop — Packets exceeding the defined CIR value are dropped.
  • Remark DSCP — The DSCP values of packets exceeding the defined CIR value are rewritten to a value entered in the DSCP Mapping pages.
Single Policers

Defining Aggregate Policers Using CLI Commands

The following table summarizes the CLI commands for setting the fields in the Aggregate Policer pages.

Table 22-15. Aggregate Policer CLI Commands

CLI Command    Description
qos aggregate-policer aggregate-policer-name committed-rate-kbps excess-burst-byte [exceed-action {drop|policed-dscp-transmit}]
               Defines the policer parameters that can be applied to multiple traffic classes within the same policy map.
Only those policies that are bound to an interface are active (see the Policy Binding pages). After a policy has been added, class maps can be added in the Policy Table pages.

To create a QoS policy:

1 Click Quality of Service > QoS Advanced Mode > Policy Table to display the Policy Table: Summary page.

Figure 22-14. Policy Table: Summary

The previously-defined policies are displayed.

2 To create a policy, click Add.

3 Enter the name of the new policy in the Policy Name field.
Defining Policies Using CLI Commands

The following table summarizes the CLI commands for setting the fields in the Policy Table page.

Table 22-16. Policy Table CLI Commands

CLI Command                         Description
policy-map policy-map-name          Creates a policy map and enters the Policy-map Configuration mode.
no policy-map policy-map-name       Use the no form of this command to delete a policy map.
Policy Class Maps

One or more class maps can be added to a policy. A class map defines the type of packets that are considered to belong to the same traffic flow.

To add a class map to a policy:

1 Click Quality of Service > QoS Advanced Mode > Policy Class Maps to display the Policy Class Maps: Summary page.

Figure 22-15. Policy Class Maps: Summary

2 Select a policy in the Policy Name field. The class maps in that policy are displayed.

3 To add a class map, click Add.

4 Enter the parameters.
– Class Map Name — Select an existing class map to be associated with the policy. Class maps are created in the Class Mapping pages.
– Action Type — Select the action regarding the ingress CoS and/or DSCP value of all the matching packets.
  • None — Ignore the ingress CoS and/or DSCP value. The matching packets are sent as best effort.
  • Trust CoS, DSCP — If this option is selected, the switch will trust the CoS or DSCP value of the matching packet.
– Ingress Committed Burst Size (CBS) (Range: 3000 - 16769020) — Enter the CBS in bytes. See its description in the Bandwidth pages.
– Exceed Action — Select the action assigned to incoming packets exceeding the CIR. The possible options are:
  • None — No action.
  • Drop — Packets exceeding the defined CIR value are dropped.
  • Out-of-Profile DSCP — Packets exceeding the defined CIR are forwarded with a new DSCP, derived from the DSCP Mapping pages.
Table 22-17. Policy Class Maps CLI Commands (Continued)

CLI Command    Description
qos aggregate-policer aggregate-policer-name committed-rate-kbps excess-burst-byte [exceed-action {drop|policed-dscp-transmit}]
               Defines the policer parameters that can be applied to multiple traffic classes.
no qos aggregate-policer aggregate-policer-name
               Use the no form of this command to remove an existing aggregate policer.
show policy-map [policy-map-name]
               Displays all policy maps or a specific policy map.
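The CIR, CBS and Exceed Action fields described in the Aggregate Policers and Policy Class Maps sections, modelled in Python as an added example (not from the original guide and not the switch's implementation). It assumes a conventional single-rate token bucket, and the rate, burst size, DSCP remark map and packet trace are constructed; it shows how the same two flows fare under per-class single policers and under one shared aggregate policer.

```python
"""Token-bucket model of single vs aggregate policers. Added example."""

CIR_BPS = 80_000               # constructed: Committed Information Rate, bits/s
CBS_BYTES = 3000               # constructed: Committed Burst Size, bytes
POLICED_DSCP = {10: 8, 20: 8}  # constructed DSCP In -> DSCP Out remark map

# Constructed packets: (arrival time in ms, flow, size in bytes, DSCP)
PACKETS = [
    (0, "A", 1500, 10), (0, "B", 1500, 20),
    (0, "A", 1500, 10), (0, "B", 1500, 20),
    (100, "A", 1500, 10), (300, "B", 1000, 20),
]


class TokenBucket:
    """Single-rate bucket: refills at CIR, never holds more than CBS bytes."""

    def __init__(self, cir_bps, cbs_bytes):
        self.cir_bps = cir_bps
        self.cbs = cbs_bytes
        self.tokens = cbs_bytes   # the bucket starts full
        self.last_ms = 0

    def conforms(self, now_ms, size):
        # bits/s * ms / 8000 = bytes earned since the previous packet
        earned = (now_ms - self.last_ms) * self.cir_bps // 8000
        self.tokens = min(self.cbs, self.tokens + earned)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False              # out-of-profile: no tokens are consumed


def police(packets, bucket_for, exceed_action):
    """Return one (flow, verdict, dscp_out) tuple per packet."""
    verdicts = []
    for now_ms, flow, size, dscp in packets:
        if bucket_for(flow).conforms(now_ms, size):
            verdicts.append((flow, "in-profile", dscp))
        elif exceed_action == "drop":
            verdicts.append((flow, "dropped", None))
        elif exceed_action == "remark":
            # Forwarded with the DSCP taken from the remark map.
            verdicts.append((flow, "out-of-profile",
                             POLICED_DSCP.get(dscp, dscp)))
        else:                     # "none": forwarded unchanged
            verdicts.append((flow, "out-of-profile", dscp))
    return verdicts


def run_single(exceed_action):
    """Single policers: every flow (class map) gets its own bucket."""
    buckets = {}

    def bucket_for(flow):
        if flow not in buckets:
            buckets[flow] = TokenBucket(CIR_BPS, CBS_BYTES)
        return buckets[flow]

    return police(PACKETS, bucket_for, exceed_action)


def run_aggregate(exceed_action):
    """Aggregate policer: all flows draw from one shared bucket."""
    shared = TokenBucket(CIR_BPS, CBS_BYTES)
    return police(PACKETS, lambda flow: shared, exceed_action)


if __name__ == "__main__":
    print("single   ", run_single("remark"))
    print("aggregate", run_aggregate("drop"))
```

In the aggregate run, flow B loses its second packet to flow A's burst even though B alone stayed within its rate, which is the practical consequence of applying QoS "to all of its flows in aggregation".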
Policy Binding

After policies are created, they must be bound to interfaces (ports or LAGs). When a policy is bound to a specific interface, it becomes active on it (subject to time range restrictions). Only one policy can be active on a single interface, but a single policy can be bound to more than one interface.

When a policy is bound to an interface, it filters and applies QoS to ingress traffic that belongs to the flows defined in the policy. The policy does not apply to traffic egress to the same port.
Previously-defined policy bindings are displayed.

2 To bind a policy to an interface, click Add.

3 Select the interface assigned to the policy.

4 Select the Policy Name to be activated on the interface.

Defining Policy Binding Using CLI Commands

The following table summarizes the CLI commands for setting the fields in the Policy Binding pages.

Table 22-18. Policy Binding CLI Commands

CLI Command                             Description
service-policy input policy-map-name    Applies a policy map to the input of a particular interface.
QoS Statistics This section describes how to view and manage QoS statistics.
Policer Statistics

A Single Policer is bound to a class map from a single policy. An Aggregate Policer is bound to one or more class maps from one or more policies.

Use the Policer Statistics pages to view the number of in-profile and out-of-profile packets received from an interface that meet the conditions defined in the class map of a policy.

To view policer statistics:

1 Click Quality of Service > QoS Statistics > Policer Statistics to display the Policer Statistics: Summary page.

Figure 22-17.
– Class Map — Statistics are displayed for this class map.
– In-Profile Bytes — Number of in-profile bytes received.
– Out-of-Profile Bytes — Number of out-of-profile bytes received.

2 Click Add to add a new counter that applies to another policy-class map.

3 Enter the fields:
– Interface — Select the interface for which the counter is defined.
– Policy - Class Map Name — Select a policy class map pair.
Aggregated Policer

To view aggregated policer statistics:

1 Click Quality of Service > QoS Statistics > Aggregate Policer to display the Aggregate Policer: Summary page.

Figure 22-18. Aggregate Policer: Summary

The following statistics for the previously-defined counters are displayed:
– Aggregate Policer Name — Policer on which statistics are based.
– In-Profile Bytes — Number of in-profile packets that were received.
– Out-of-Profile Bytes — Number of out-of-profile packets that were received.
3 Select an aggregate policer in the Aggregate Policer Name field.

Defining Aggregate Policer Statistics Using CLI Commands

The following table summarizes the CLI commands for setting the fields in the Aggregate Policer Statistics pages.

Table 22-20. Aggregate Policer Statistics CLI Commands

CLI Command    Description
qos statistics aggregate-policer aggregate-policer-name
               Enables counting in-profile and out-of-profile bytes vis-a-vis an aggregate policer.
To view Queue Statistics:

1 Click Quality of Service > QoS Statistics > Queues Statistics to display the Queues Statistics: Summary.

Figure 22-19. Queues Statistics: Summary

The statistics for previously-defined counters are displayed.
– Counter Set — Number of counter.
– Port — Number of port.
– Queue — Number of queue.
– Total Packets — Number of packets forwarded or tail dropped.
– Tail Drop Packets — Percentage of packets that were tail dropped.
2 To add a new counter, click Add, and enter the fields:
– Counter Set — Select the counter set. The possible options are:
  • Set 1 — Displays the statistics that contain all interfaces and queues with a high DP (Drop Precedence).
  • Set 2 — Displays the statistics that contain all interfaces and queues with a low DP.
– Interface — Select the unit/interface for which Queue statistics are displayed.
– Queue — Select the queue on which packets were forwarded or tail dropped.
Glossary

Figure 23-1.

This glossary contains key technical words of interest.

A

Access Mode
Specifies the method by which user access is granted to the system.

Access Profiles
Allows network managers to define profiles and rules for accessing the switch module. Access to management functions can be limited to user groups, which are defined by the following criteria:
• Ingress interfaces
• Source IP address or Source IP subnets

ACL
Access Control List.
Authentication Profiles: Sets of rules that enable login to and authentication of users and applications.

Auto-negotiation: Allows 10/100 Mbps or 10/100/1000 Mbps Ethernet ports to establish the following features:
• Duplex/Half Duplex mode
• Flow Control
• Speed

B

Back Pressure: A mechanism used with Half Duplex mode that enables a port not to receive a message.

Backplane: The main BUS that carries information in the switch module.
Boot Version: The boot version.

BootP: Bootstrap Protocol. Enables a workstation to discover its IP address, an IP address of a BootP server on a network, or a configuration file loaded into the boot of a switch module.

BPDU: Bridge Protocol Data Unit. Provides bridging information in a message format. BPDUs are sent across switch module information within Spanning Tree configuration. BPDU packets contain information on ports, addresses, priorities, and forwarding costs.
Class of Service (CoS). Class of Service is the 802.1p priority scheme. CoS provides a method for tagging packets with priority information. A CoS value between 0-7 is added to the Layer II header of packets, where zero is the lowest priority and seven is the highest.

An overlapping transmission of two or more packets that collide. The data transmitted cannot be used, and the session is restarted.

CLI: Command Line Interface. A set of line commands used to configure the system.
• Full Duplex Mode — Permits bisynchronous communication, for example, a telephone. Two parties can transmit information at the same time.
• Half Duplex Mode — Permits asynchronous communication, for example, a walkie-talkie. Only one party can transmit information at a time.

Dynamic VLAN Assignment (DVA): Allows automatic assignment of users to VLANs during the RADIUS server authentication.
First In First Out. A queuing process where the first packet in the queue is the first packet out of the queue.

Flapping: Flapping occurs when an interface's state is constantly changing. For example, an STP port constantly changes from listening to learning to forwarding. This may cause traffic loss.

Flow Control: Enables lower speed devices to communicate with higher speed devices, that is, the higher speed device refrains from sending packets.

Fragment: Ethernet packets smaller than 576 bits.
HTTP: HyperText Transport Protocol. Transmits HTML documents between servers and clients on the internet.

I

IC: Integrated Circuit. Integrated Circuits are small electronic devices composed from semiconductor material.

ICMP: Internet Control Message Protocol. Allows gateway or destination host to communicate with a source host, for example, to report a processing error.

IEEE: Institute of Electrical and Electronics Engineers.
Ports on which network traffic is received.

IP: Internet Protocol. Specifies the format of packets and their addressing method. IP addresses packets and forwards the packets to the correct port.

IP Address: Internet Protocol Address. A unique address assigned to a network device with two or more interconnected LANs or WANs.

IP Version 6 (IPv6): A version of IP addressing with longer addresses than the traditional IPv4.
Establishes a connection and ensures that all data arrives at its destination. Packets inspected at the Layer 3 level are analyzed and forwarding decisions, based on their applications.

LLDP-MED: Link Layer Discovery Protocol - Media Endpoint Discovery. LLDP allows network managers to troubleshoot and enhance network management by discovering and maintaining network topologies over multi-vendor environments.
Message Digest 5. An algorithm that produces a 128-bit hash. MD5 is a variation of MD4, and increases MD4 security. MD5 verifies the integrity of the communication and authenticates the origin of the communication.

MDI: Media Dependent Interface. A cable used for end stations.

MDIX: Media Dependent Interface with Crossover (MDIX). A cable used for hubs and switches.

MIB: Management Information Base. MIBs contain information describing specific aspects of network components.
O

OID: Object Identifier. Used by SNMP to identify managed objects. In the SNMP Manager/Agent network management paradigm, each managed object must have an OID to identify it.

OUI: Organizationally Unique Identifiers. Identifiers associated with a Voice VLAN.

P

Packets: Blocks of information for transmission in packet switched systems.

PDU: Protocol Data Unit. A data unit specified in a layer protocol consisting of protocol control information and layer user data.

PING: Packet Internet Groper.
Q

QoS: Quality of Service. QoS allows network managers to decide how and what network traffic is forwarded according to priorities, application types, and source and destination addresses.

Query: Extracts information from a database and presents the information for use.

R

RA: RADIUS Advertisement.

RD: RADIUS Discovery.

RS: Router Solicitation.

RADIUS: Remote Authentication Dial-In User Service. A method for authenticating system users, and tracking connection time.

RMON: Remote Monitoring.
S

Segmentation: Divides LANs into separate LAN segments for bridging. Segmentation eliminates LAN bandwidth limitations.

Server: A central computer that provides services to other computers on a network. Services may include file storage and access to applications.

SNMP: Simple Network Management Protocol. Manages LANs. SNMP based software communicates with network devices with embedded SNMP agents.
Sub-network. Subnets are portions of a network that share a common address component. On TCP/IP networks, devices that share a prefix are part of the same subnet. For example, all devices with a prefix of 157.100.100.100 are part of the same subnet.

Subnet Mask: Used to mask all or part of an IP address used in a subnet address.

Switch: Filters and forwards packets between LAN segments. Switches support any packet protocol type.

T

TCP/IP: Transmission Control Protocol.
V

VLAN: Virtual Local Area Networks. Logical subgroups within a Local Area Network (LAN) created via software rather than defining a hardware solution.

VoIP: Voice over IP.

W

WAN: Wide Area Networks. Networks that cover a large geographical area.

Wildcard Mask: Specifies which IP address bits are used, and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all the bits are important.
25 Revision History

Rev | Date | Description
A5 | May 1, 2012 | Added "Auto-Update/Configuration Feature" on page 331
A4 | April 4, 2012 | Made the following corrections:
• Put the note (of the recommendation of using HDMI cable version 1.4 for stacking) more clearly.
• Fixed RDP description
A4 | April 2, 2012 | Following corrections made:
• Add description regarding the Egress ACL feature
• Enter comments regarding the PVLAN feature.
• Fixed RDP abbreviation to Reliable Data Protocol in ACL section.