53-1002269-02 26 April 2011 PowerConnect B-Series TI24X Configuration Guide
Information in this document is subject to change without notice. © 2011 Dell Inc. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. Trademarks used in this text: Dell, the DELL logo, Dell OpenManage and PowerConnect are trademarks of Dell Inc.; Microsoft, Windows and Windows Server are either trademarks or registered trademarks of Microsoft Corporation in the United States and/ or other countries.
Contents (excerpt; page numbers follow each entry where the extraction preserved them)

About This Document
  Introduction  xxxi
  Audience  xxxi
  Document conventions  xxxi
    Text formatting  xxxi
    Command syntax conventions  ...

Configuring basic port parameters  24
  Assigning a port name  25
  Modifying port speed and duplex mode  25
  Auto speed detect  26
  Modifying port duplex mode  26
  Disabling or re-enabling a port  ...

Chapter 4 Monitoring Hardware Components
  Hardware support  53
  Digital optical monitoring  53
    Supported media  53
    Media not supported  53
    Supported media  ...

Configuring IPv6 neighbor discovery  77
  Configuration notes  78
  Neighbor solicitation and advertisement messages  78
  Configuring static neighbor entries  79
  Clearing global IPv6 information  79
    Clearing the IPv6 cache  ...

802.1s Multiple Spanning Tree Protocol  161
  Multiple spanning-tree regions  161
  Configuration notes  163
  Configuring MSTP mode and scope  163
  Configuring additional MSTP parameters  164

Chapter 7 Configuring Basic Layer 2 Features
  Enabling or disabling the Spanning Tree Protocol (STP)  ...

Chapter 8 Configuring Metro Features
  Topology groups  193
    Master VLAN and member VLANs  193
    Control ports and free ports  194
    Configuration considerations  194
    Configuring a topology group  194
    Displaying topology group information  ...

Chapter 10 Configuring Virtual LANs (VLANs)
  VLAN overview  251
    Types of VLANs  251
    Default VLAN  255
    802.1Q tagging  256
    Spanning Tree Protocol (STP)  ...

Configuring private VLANs  300
  Configuration notes  301
  Configuration notes and limitations for PowerConnect devices  302
  Command syntax  302
  CLI example for Figure 71  ...

Configuring single link LACP  338
  Configuration notes  339
  CLI syntax  339

Chapter 12 Configuring GARP VLAN Registration Protocol
  GVRP overview  341
    Application examples  ...

Configuring standard numbered ACLs  364
  Standard numbered ACL syntax  364
  Configuration example for standard numbered ACLs  366
Configuring standard named ACLs  366
  Standard named ACL syntax  366
  Configuration example for standard named ACLs  368
Configuring extended numbered ACLs  ...

Configuring port mirroring and monitoring  395
  Configuration notes  395
  Monitoring a port  397
  Monitoring an individual trunk port  397
ACL-based inbound mirroring  ...

Rate shaping overview  424
  Configuration notes  424
  Configuring outbound rate shaping for a port  424
  Configuring outbound rate shaping for a specific priority  425
  Configuring outbound rate shaping for a trunk port  425
  Displaying rate shaping configurations  ...

Configuring IGMP snooping  445
  Enabling IGMP snooping globally on the device  447
  Configuring the IGMP mode  447
  Configuring the IGMP version  448
  Disabling IGMP snooping on a VLAN  448
  Disabling transmission and receipt of IGMP packets on a port  ...

Changing global IP multicast parameters  467
  Changing dynamic memory allocation for IP multicast groups  467
  Changing IGMP V1 and V2 parameters  468
PIM Dense  470
  Initiating PIM multicasts on a network  470
  Pruning a multicast tree  ...

IGMP Proxy  535
  Configuration notes  535
  Configuring IGMP Proxy  536
  Displaying IGMP Proxy traffic  536

Chapter 20 Configuring LLDP
  Terms used in this chapter  537
  LLDP overview  ...

Basic IP parameters and defaults – Layer 3 Switches  570
  When parameter changes take effect  571
  IP global parameters – Layer 3 Switches  571
  IP interface parameters – Layer 3 Switches  575
Basic IP parameters and defaults – Layer 2 Switches  576
  IP global parameters – Layer 2 Switches  576
  Interface IP parameters – Layer 2 Switches  ...

Configuring RIP parameters  645
  Enabling RIP  645
  Configuring metric parameters  646
  Changing the administrative distance  647
  Configuring redistribution  647
  Configuring route learning and advertising parameters  ...

Configuring OSPF  665
  Configuration rules  665
  OSPF parameters  665
  Enable OSPF on the router  666
  Assign OSPF areas  667
    Assigning an area range (optional)  ...

Chapter 24 Configuring VRRP and VRRPE
  Overview  711
    Overview of VRRP  711
    Overview of VRRPE  716
    Configuration note  719
  Comparison of VRRP and VRRPE  ...

Basic configuration tasks  755
  Enabling BGP4 on the router  755
  Changing the router ID  755
  Setting the local AS number  756
  Adding a loopback interface  756
  Adding BGP4 neighbors  ...

Configuring route flap dampening  809
  Globally configuring route flap dampening  810
  Using a route map to configure route flap dampening for specific routes  810
  Using a route map to configure route flap dampening for a specific neighbor  811
  Removing route dampening from a route  ...

Restricting remote access to management functions  857
  Using ACLs to restrict remote access  857
  Defining the console idle time  859
  Restricting remote access to the device to specific IP addresses  860
  Restricting access to the device based on IP or MAC address  ...

Configuring RADIUS security  892
  RADIUS authentication, authorization, and accounting  893
  RADIUS configuration considerations  896
  RADIUS configuration procedure  896
  Configuring Dell-specific attributes on the RADIUS server  896
  Enabling SNMP to configure RADIUS  897
  Identifying the RADIUS server to the device  ...

Chapter 28 Configuring 802.1X Port Security
  IETF RFC support  925
  How 802.1X port security works  925
    Device roles in an 802.1X configuration  925
    Communication between the devices  926
    Controlled and uncontrolled ports  928
    Message exchange during authentication  ...

Chapter 29 Using the MAC Port Security Feature
  Overview  973
    Local and global resources  973
    Configuration notes and feature limitations  974
  Configuring the MAC port security feature  974
    Enabling the MAC port security feature  ...

Configuring multi-device port authentication  985
  Enabling multi-device port authentication  985
  Specifying the format of the MAC addresses sent to the RADIUS server  986
  Specifying the authentication-failure action  986
  Generating traps for multi-device port authentication  987
  Defining MAC address filters  ...

Establishing SNMP community strings  1011
  Encryption of SNMP community strings  1012
  Adding an SNMP community string  1012
  Displaying the SNMP community strings  1013
Configuring your NMS  1014
Configuring SNMP version 3  1015
  Defining the engine id  ...

Configuring the Syslog service  1037
  Displaying the Syslog configuration  1037
  Disabling or re-enabling Syslog  1041
  Specifying a Syslog server  1041
  Specifying an additional Syslog server  1041
  Disabling logging of a message level  ...
About This Document

Introduction

This guide describes the following product families from Dell:
• PowerConnect B-Series TI24X Layer 2 switch

This guide includes procedures for configuring the software. The software procedures show how to perform tasks using the CLI. This guide also describes how to monitor Dell products using statistics and summary screens. This guide applies to the PowerConnect B-Series TI24X models.

For readability, command names in the narrative portions of this guide are presented in bold: for example, show version.

Command syntax conventions

Command syntax in this manual follows these conventions:
command and parameters  Commands and parameters are printed in bold.
[]  Optional parameter.
variable  Variables are printed in italics enclosed in angled brackets < >.
...  Repeat the previous element, for example “member[;member...]”.
|  Choose from one of the parameters.

• PowerConnect B-MLXe MIB Reference

NOTE
For the latest edition of this document, which contains the most up-to-date information, refer to support.dell.com.

Getting technical help or reporting errors

Dell is committed to ensuring that your investment in our products remains cost-effective. If you need assistance or find errors in the manuals, contact Dell Technical Support.
Chapter 1
Getting Familiar with Management Applications

Using the management port

The management port is an out-of-band port that customers can use to manage their devices without interfering with the in-band ports. The management port is widely used to download images and configurations and for Telnet sessions. The MAC address for the management port is derived from the base MAC address of the unit, plus the number of ports in the base module.

PowerConnect(config)#show interfaces management 1
GigEthernetmgmt1 is up, line protocol is up
Hardware is GigEthernet, address is 0000.9876.544a (bia 0000.9876.

To display the management interface statistics in brief form, enter the show statistics brief management command.

Logging on through the CLI

Command completion

The CLI supports command completion, so you do not need to enter the entire name of a command or option. As long as you enter enough characters of the command or option name to avoid ambiguity with other commands or options, the CLI understands what you are typing.

Scroll control

By default, the CLI uses a page mode to paginate displays that are longer than the number of rows in your terminal emulation window.
TABLE 1 CLI line editing commands (Continued)
Ctrl+Key combination  Description
Ctrl+L; Ctrl+R  Repeats the current command line on a new line.
Ctrl+N  Enters the next command line in the history buffer.
Ctrl+P  Enters the previous command line in the history buffer.
Ctrl+U; Ctrl+X  Deletes all characters from the cursor to the beginning of the command line.
Ctrl+W  Deletes the last word you typed.

PowerConnect#show interface e 11 | include Internet
Internet address is 192.168.1.11/24, MTU 1518 bytes, encapsulation ethernet

Syntax: show-command | include regular-expression

NOTE
The vertical bar ( | ) is part of the command.

The regular expression specified as the search string is case sensitive. In the example above, a search string of “Internet” would match the line containing the IP address, but a search string of “internet” would not.

--More--, next page: Space, next line: Return key, quit: Control-c
/telnet
searching...

The results of the search are displayed.

TABLE 2 Special characters for regular expressions
Character  Operation
.  The period matches on any single character, including a blank space. For example, the following regular expression matches “aaz”, “abz”, “acz”, and so on, but not just “az”: a.z
*  The asterisk matches on zero or more sequential instances of a pattern.

TABLE 2 Special characters for regular expressions (Continued)
Character  Operation
|  A vertical bar separates two alternative values or sets of values. The output can match one or the other value. For example, the following regular expression matches output that contains either “abc” or “defg”: abc|defg
()  Parentheses allow you to create complex expressions.
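The filtering described above (the "| include" modifier and the "/pattern" search at the --More-- prompt) can be checked offline against saved output before it is used in an audit script. The following Python is an added example written for this guide, not Dell or Brocade code: include_filter applies a case-sensitive regular expression line by line, exactly as the guide describes, and search_from assumes (an assumption, not stated in the guide) that the pager search resumes output at the first matching line. The sample output is constructed, not captured from a device.

```python
"""Added example: emulate 'show-command | include regex' and the '/pattern'
pager search on saved CLI output. Not code from the Dell guide."""
import re
from typing import List

# Constructed sample in the style of the guide's 'show interface' output
# (not captured from a real device).
SAMPLE_OUTPUT = """GigEthernet11 is up, line protocol is up
Hardware is GigEthernet, address is 0000.9876.544a
Internet address is 192.168.1.11/24, MTU 1518 bytes, encapsulation ethernet
Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
"""


def include_filter(output: str, pattern: str) -> List[str]:
    """Keep only lines where the regular expression matches somewhere.

    The guide states the search string is case sensitive, so the pattern is
    compiled without re.IGNORECASE: "Internet" matches, "internet" does not.
    """
    rx = re.compile(pattern)
    return [line for line in output.splitlines() if rx.search(line)]


def search_from(output: str, pattern: str) -> List[str]:
    """Emulate typing /pattern at the --More-- prompt.

    Assumption (not stated in the guide): the pager jumps to the first line
    that matches and then shows that line and everything after it. Returns
    an empty list when nothing matches.
    """
    rx = re.compile(pattern)
    lines = output.splitlines()
    for index, line in enumerate(lines):
        if rx.search(line):
            return lines[index:]
    return []


if __name__ == "__main__":
    # Reproduce the guide's examples on the constructed output.
    for line in include_filter(SAMPLE_OUTPUT, "Internet"):
        print("include Internet ->", line)
    print("include internet ->", include_filter(SAMPLE_OUTPUT, "internet"))
    print("a.z over aaz/abz/az ->", include_filter("aaz\nabz\naz\n", "a.z"))
    print("/Configured ->", search_from(SAMPLE_OUTPUT, "Configured"))
```

Because the pattern is a regular expression rather than a fixed string, characters from Table 2 such as "." and "|" are operators; quote them with a backslash when you want a literal match (for example "192\.168\.1\.11").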
Configuration notes

The following configuration notes apply to this feature:
• You cannot include additional parameters with the alias at the command prompt. For example, after you create the shoro alias, shoro bgp would not be a valid command.
• If configured on the device, authentication, authorization, and accounting is performed on the actual command, not on the alias for the command.

Chapter 2
Configuring Basic Software Features

Configuring basic system parameters

Dell devices are configured at the factory with default parameters that allow you to begin using the basic features of the system immediately. However, many of the advanced features such as VLANs or routing protocols for the device must first be enabled at the system (global) level before they can be configured.

Entering system administration information

You can configure a system name, contact, and location for a device and save the information locally in the configuration file for future reference. This information is not required for system operation but is suggested. When you configure a system name, the name replaces the default system name in the CLI command prompt. The name, contact, and location each can be up to 32 alphanumeric characters.

When you add a trap receiver, the software automatically encrypts the community string you associate with the receiver when the string is displayed by the CLI. If you want the software to show the community string in the clear, you must explicitly specify this when you add a trap receiver. In either case, the software does not encrypt the string in the SNMP traps sent to the receiver.

• If you specify a loopback interface as the single source for SNMP traps, SNMP trap receivers can receive traps regardless of the states of individual links. Thus, if a link to the trap receiver becomes unavailable but the receiver can be reached through another link, the receiver still receives the trap, and the trap still has the source IP address of the loopback interface.

Disabling SNMP traps

PowerConnect devices come with SNMP trap generation enabled by default for all traps. You can selectively disable one or more of the following traps.

NOTE
By default, all SNMP traps are enabled at system startup.

Disabling Syslog messages and traps for CLI access

PowerConnect devices send Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI. The feature applies to users whose access is authenticated by an authentication-method list based on a local user account, RADIUS server, or TACACS/TACACS+ server.

The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.

Disabling the Syslog messages and traps

Logging of CLI access is enabled by default. If you want to disable the logging, enter the following commands.
PowerConnect(config)# interface ethernet 4
PowerConnect(config-if-e10000-4)# ip address 209.157.22.110/24
PowerConnect(config-if-e10000-4)# exit
PowerConnect(config)# ip telnet source-interface ethernet 4

Cancelling an outbound Telnet session

If you want to cancel a Telnet session from the console to a remote Telnet server (for example, if the connection is frozen), you can terminate the Telnet session by doing the following.
1.

TABLE 4 Output from the show sntp associations command
This field...  Displays...

NOTE
You can synchronize the time counter with your SNTP server time by entering the sntp sync command from the Privileged EXEC level of the CLI.

NOTE
Unless you identify an SNTP server for the system time and date, you will need to re-enter the time and date following each reboot. For more details about SNTP, refer to “Specifying a Simple Network Time Protocol (SNTP) server” on page 18.

New start and end dates for US daylight saving time

NOTE
This feature applies to US time zones only.

Starting in 2007, the system will automatically change the system clock to Daylight Saving Time (DST), in compliance with the new federally mandated start of daylight saving time, which is extended one month beginning in 2007. The DST will start at 2:00am on the second Sunday in March and will end at 2:00am on the first Sunday in November.

These commands configure packet-based broadcast limiting on ports 1 – 8. On each port, the maximum number of broadcast packets per second cannot exceed 65,536 packets per second.

On PowerConnect devices, multicast limiting is independent of broadcast limiting. To enable multicast limiting on devices, enter commands such as the following.

To enable multicast limiting, enter commands such as the following.

PowerConnect(config)# interface ethernet 8
PowerConnect(config-mif-e10000-1-8)# multicast limit 9000 kbps
Multicast limit in kbits/sec set to 8064

To enable unknown unicast limiting, enter commands such as the following.

Use the show rate-limit unknown-unicast command to display the unknown unicast limit for each port region to which it applies.

PowerConnect# show rate-limit unknown-unicast
Unknown Unicast Limit Settings:
Port Region   Combined Limit   Packets/Bytes
1 - 12        524288           Packets
13 - 24       65536            Bytes

Syntax: show rate-limit unknown-unicast

Use the show rate-limit broadcast command to display the broadcast limit or broadcast and multicast limit for each port to which it applies.
Assigning a port name

A port name can be assigned to help identify interfaces on the network. You can assign a port name to physical ports, virtual interfaces, and loopback interfaces. To assign a name to a port, enter commands such as the following.

PowerConnect(config)# interface e 2
PowerConnect(config-if-e10000-2)# port-name Marsha

Syntax: port-name text

The text parameter is an alphanumeric string. The name can be up to 64 characters long. The name can contain blanks.

• 10-half – 10 Mbps, half duplex
• 100-full – 100 Mbps, full duplex
• 100-half – 100 Mbps, half duplex
• 1000 – 1 Gbps, full duplex (supported on PowerConnect B-Series TI24X 10-GbE ports only)
• 1000-full-master – 1 Gbps, full duplex master (not supported on the PowerConnect B-Series TI24X)
• 1000-full-slave – 1 Gbps, full duplex slave (not supported on the PowerConnect B-Series TI24X)
• 10000 – 10 Gbps, full duplex (supported on PowerConnect B-Series TI24X 10-GbE por

PowerConnect(config)# interface e 8
PowerConnect(config-if-e10000-8)# speed-duplex 10-full

Syntax: speed-duplex value

The value can be one of the following:
• 10-full
• 10-half
• 100-full
• 100-half
• auto (default)

Disabling or re-enabling a port

A port can be made inactive (disable) or active (enable) by selecting the appropriate status option. The default value for a port is enabled. To disable port 8 of a device, enter the following.

Auto-negotiation and advertisement of flow control

Auto-negotiation of flow control can be enabled and advertised for 10/100/1000M ports. To enable and advertise flow control capability, enter the following commands.

PowerConnect(config)# interface ethernet 21
PowerConnect(config-if-e10000-21)# flow-control

To also enable auto-negotiation of flow control, enter the following commands.

NOTE
When any of the commands are applied to a port that is up, the port will be disabled and re-enabled.

NOTE
When flow-control is enabled, the hardware can only advertise Pause. It does not advertise Asym.

Configuring the Interpacket Gap (IPG)

IPG is the time delay, in bit time, between frames transmitted by the device. You configure IPG at the interface level. The command you use depends on the interface type on which IPG is being configured.

PowerConnect(config)# interface ethernet 1
PowerConnect(config-if-e10000-1)# ipg-xgmii 120
IPG 120(128) has been successfully configured for port 1

Syntax: [no] ipg-xgmii bit time

Enter 96-192 for bit time. The default is 96 bit time.

Changing the Gbps fiber negotiation mode

The globally configured Gbps negotiation mode is the default mode for all Gbps fiber ports.
Configuration notes

• When a flap dampening port becomes a member of a trunk group, that port, as well as all other member ports of that trunk group, will inherit the primary port configuration. This means that the member ports will inherit the primary port flap dampening configuration, regardless of any previous configuration.
• The device counts the number of times a port link state toggles from "up to down", and not from "down to up".

Displaying ports configured with port flap dampening

Ports that have been disabled due to the port flap dampening feature are identified in the output of the show link-error-disable command. The following shows an example output.

PowerConnect# show link-error-disable
Port 1 is forced down by link-error-disable.

Use the show link-error-disable all command to display the ports with the port flap dampening feature enabled.

PowerConnect# show interface ethernet 15
GigabitEthernet15 is up, line protocol is up
Link Error Dampening is Enabled
Hardware is GigabitEthernet, address is 00e0.5200.010e (bia 00e0.5200.
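To make the counting rule in the configuration notes concrete (only "up to down" transitions count) and to tie it to the Err-Disable recovery interval described later in this chapter (10 to 65535 seconds), here is a small simulation model. It is an added example written for this guide, not Dell or Brocade code, and the toggle threshold and sampling window it takes are assumed parameters for illustration; the guide excerpt does not give the device's own threshold or window syntax, so do not read the numbers as device defaults.

```python
"""Added example: a model of port flap dampening and errdisable recovery.
Not code from the Dell guide; threshold/window values are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FlapDampener:
    # Assumed parameters (illustration only, not the device's syntax):
    toggle_threshold: int      # up->down toggles tolerated within sampling_time
    sampling_time: float       # seconds over which toggles are counted
    recovery_interval: int     # seconds; the guide gives the range 10-65535
    link_up: bool = True
    err_disabled: bool = False
    disabled_at: Optional[float] = None
    toggles: List[float] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Mirrors the range the guide states for 'errdisable recovery interval'.
        if not 10 <= self.recovery_interval <= 65535:
            raise ValueError("errdisable recovery interval must be 10-65535 seconds")

    def link_event(self, now: float, up: bool) -> Optional[str]:
        """Feed a link state change at time 'now' (seconds).

        Only an up->down transition is counted, as the guide's configuration
        note says; a down->up transition is recorded but not counted.
        Returns a log-style message when the port is forced down, else None.
        """
        if self.err_disabled:
            return None            # port is already held down
        if self.link_up and not up:
            self.toggles.append(now)
        self.link_up = up
        # Forget toggles that fall outside the sampling window.
        self.toggles = [t for t in self.toggles if now - t <= self.sampling_time]
        if len(self.toggles) >= self.toggle_threshold:
            self.err_disabled = True
            self.disabled_at = now
            self.link_up = False
            return "forced down by link-error-disable"
        return None

    def tick(self, now: float) -> bool:
        """Periodic check: re-enable the port once the recovery interval has
        elapsed (the automatic re-enable the guide describes). Returns True
        when the port was re-enabled on this call."""
        if self.err_disabled and self.disabled_at is not None \
                and now - self.disabled_at >= self.recovery_interval:
            self.err_disabled = False
            self.disabled_at = None
            self.toggles.clear()
            self.link_up = True
            return True
        return False


if __name__ == "__main__":
    port = FlapDampener(toggle_threshold=3, sampling_time=10.0, recovery_interval=30)
    # Constructed event sequence: three up->down toggles within 4 seconds.
    for t, state in [(0, False), (1, True), (2, False), (3, True), (4, False)]:
        msg = port.link_event(t, state)
        if msg:
            print(f"t={t}s: Port 1 is {msg}.")
    print("re-enabled at t=34s:", port.tick(34))
```

Two points worth noting from the model: down-to-up events never advance the counter, so a port that stays down does not accumulate toggles, and the counter is cleared on recovery, so a port that keeps flapping after being re-enabled starts a fresh window rather than being disabled again immediately.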
• The device automatically re-enables the port. To set your device to automatically re-enable Err-Disabled ports, refer to “Configuring the device to automatically re-enable ports” on page 35.

Configuration notes

• Loopback detection packets are sent and received on both tagged and untagged ports. Therefore, this feature cannot be used to detect a loop across separate devices.
• On PowerConnect devices, the port loop detection feature works only on untagged ports.

Configuring a global loop detection interval

The loop detection interval specifies how often a test packet is sent on a port. When loop detection is enabled, the loop detection time unit is 0.1 second, with a default of 10 (one second). The range is from 1 (one tenth of a second) to 100 (10 seconds). You can use the show loop-detection status command to view the loop detection interval.

Syntax: [no] errdisable recovery interval seconds

where seconds is a number from 10 to 65535.

Clearing loop-detection

To clear loop detection statistics and re-enable all ports that are in Err-Disable state because of a loop detection, enter the following command.

PowerConnect# clear loop-detection

Displaying loop-detection information

Use the show loop-detection status command to display loop detection status, as shown.

Syslog message

The following message is logged when a port is disabled due to loop detection. This message also appears on the console.

loop-detect: port ?\?\? vlan ?, into errdisable state

The Errdisable function logs a message whenever it re-enables a port.
Chapter 3
Operations, Administration, and Maintenance

Overview

For easy software image management, all devices support the download and upload of software images between the flash modules on the devices and a Trivial File Transfer Protocol (TFTP) server on the network. PowerConnect devices have two flash memory modules:
• Primary flash – The default local storage device for image files and configuration files.
• Secondary flash – A second flash storage device.

Determining the software versions installed and running on a device

Compact devices

To determine the flash image version running on a Compact device, enter the show version command at any level of the CLI. The following shows an example output.

PowerConnect#show version
SW: Version 4.2.00b Copyright (c) 1996-2010 Brocade Communications Systems, Inc.
Compiled on Dec 02 2010 at 08:07:06 labeled as TIR04200b
(6092645 bytes) from Secondary TIR04200b
Compressed Boot-Monitor Image size = 373767, Version:04.1.

CLI commands

Use the following command syntax to verify the flash image:

Syntax: verify md5 | sha1 | crc32 ASCII string | primary | secondary [hash code]

• md5 – Generates a 16-byte hash code
• sha1 – Generates a 20-byte hash code
• crc32 – Generates a 4 byte checksum
• ascii string – A valid image filename
• primary – The primary boot image (primary.img)
• secondary – The secondary boot image (secondary.
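The verify command lets you compare the image that actually sits in flash with a hash you trust. The following Python is an added example written for this guide, not Dell or Brocade code: it produces the same three digest types (md5, sha1, crc32) over a downloaded image file so you can compute the value on a workstation from the vendor's file and then compare it with what verify reports on the device, or check the downloaded file against the value published in the release notes. The image bytes in the block are a constructed placeholder, not a real flash image.

```python
"""Added example: compute md5 / sha1 / crc32 of an image file in the same
formats the 'verify' command uses, and compare against a trusted value.
Not code from the Dell guide."""
import hashlib
import hmac
import sys
import zlib
from typing import Dict

# Constructed placeholder image; in practice read the downloaded .bin file.
SAMPLE_IMAGE = b"TIS-sample-image\x00" * 64


def image_digests(data: bytes) -> Dict[str, str]:
    """Return lowercase hex digests for the three algorithms the guide lists.

    Output lengths match the byte sizes the guide gives: md5 is 16 bytes
    (32 hex chars), sha1 is 20 bytes (40 hex chars), crc32 is 4 bytes
    (8 hex chars, zero padded).
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def verify_image(data: bytes, algorithm: str, expected: str) -> bool:
    """True if the chosen digest of 'data' equals 'expected'.

    The comparison is case-insensitive on the hex string (devices and tools
    differ in case) and uses a constant-time compare out of habit, even
    though a hash of a public image is not a secret.
    """
    digests = image_digests(data)
    key = algorithm.lower()
    if key not in digests:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hmac.compare_digest(digests[key], expected.strip().lower())


def digests_for_file(path: str) -> Dict[str, str]:
    """Hash a file from disk in chunks so large images do not need to be
    held in memory at once (crc32 and the hash objects both stream)."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "crc32": f"{crc & 0xFFFFFFFF:08x}"}


if __name__ == "__main__":
    # Usage: python verify_image.py <image.bin> [sha1|md5|crc32 <expected>]
    if len(sys.argv) >= 2:
        result = digests_for_file(sys.argv[1])
    else:
        result = image_digests(SAMPLE_IMAGE)
    for name, value in result.items():
        print(f"{name:5s} {value}")
    if len(sys.argv) == 4:
        ok = hmac.compare_digest(result[sys.argv[2].lower()], sys.argv[3].lower())
        print("MATCH" if ok else "MISMATCH")
        sys.exit(0 if ok else 1)
```

Of the three, sha1 is the one to prefer when the release notes publish it: crc32 only detects accidental corruption, and md5 is no longer collision resistant, so a match on sha1 gives the strongest evidence that the bytes in flash are the bytes Dell shipped.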
3 Image file types Image file types This section lists the boot and flash image file types supported on the PowerConnect B-Series TI24X of switches and how to install them. For information about a specific version of code, refer to the release notes. TABLE 8 Software image files Product Boot image1 Flash image PowerConnect B-Series TI24X GRZxxxxx.bin TISxxxxx.bin (Layer 2) 1. Upgrading software Use the following procedures to upgrade the software.
Using SNMP to upgrade software 3 4. If the flash code version is correct, go to step 5. Otherwise, go to step 1. 5.
3 Changing the block size for TFTP file transfers This command disables password checking for SNMP set requests. If a third-party SNMP management application does not add a password to the password field when it sends SNMP set requests to a device, by default the device rejects the request. Changing the block size for TFTP file transfers When you use TFTP to copy a file to or from a device, the device transfers the data in blocks of 8192 bytes by default.
Displaying the boot preference 3 By default, the device first attempts to boot from the image stored in its primary flash, then its secondary flash, and then from a TFTP server. You can modify this booting sequence at the global CONFIG level of the CLI using the boot system… command. To initiate an immediate boot from the CLI, enter one of the boot system… commands.
Loading and saving configuration files
You can upload either the startup configuration file or the running configuration file to the TFTP server for backup and use in booting the system:
• Startup configuration file – This file contains the configuration information that is currently saved in flash. To display this file, enter the show configuration command at any CLI prompt.
• Running configuration file – This file contains the configuration active in the system RAM but not yet saved to flash.
To disable or re-enable Syslog messages when the startup-config file is changed, use the following command.
Syntax: [no] logging enable config-changed
Copying a configuration file to or from a TFTP server
To copy the startup-config or running-config file to or from a TFTP server, use one of the following methods.
NOTE
You can name the configuration file when you copy it to a TFTP server.
Preparing the configuration file
A configuration file that you create must follow the same syntax rules as the startup-config file the device creates.
• The configuration file is a script containing CLI configuration commands. The CLI reacts to each command entered from the file in the same way the CLI reacts to the command if you enter it.
• If the file contains commands that must be entered in a specific order, the commands must appear in the file in the required order. For example, if you want to use the file to replace an IP address on an interface, you must first remove the old address using “no” in front of the ip address command, then add the new address. Otherwise, the CLI displays an error message and does not implement the command. Here is an example.
Maximum file sizes for startup-config file and running-config
Each device has a maximum allowable size for the running-config and the startup-config file. If you use TFTP to load additional information into a device running-config or startup-config file, it is possible to exceed the maximum allowable size. If this occurs, you will not be able to save the configuration changes. The maximum size for the running-config and the startup-config file is 64K each.
Scheduling a system reload
Reloading after a specific amount of time
To schedule a system reload to occur after a specific amount of time has passed on the system clock, use the reload after command. For example, to schedule a system reload from the secondary flash one day and 12 hours later, enter the following command at the global CONFIG level of the CLI.
Diagnostic error codes and remedies for TFTP transfers
Error code – Message – Explanation and action
6 – TFTP out of buffer space. – The file is larger than the amount of room on the device or TFTP server. If you are copying an image file to flash, first copy the other image to your TFTP server, then delete it from flash. (Use the erase flash... CLI command at the Privileged EXEC level to erase the image in the flash.
Chapter 4 Monitoring Hardware Components
Hardware support
The procedures in this chapter describe how to configure the software to monitor hardware components. You can configure the software to monitor temperature and signal power levels for optical transceivers. Table 9 lists which devices support the features discussed in this chapter.
Digital optical monitoring
• E1MG-100BXD
• E1MG-BXU
• E1MG-BXD
Supported media
Digital optical monitoring is supported with the following Dell-qualified media types:
• 1000Base-BX-D
• 1000Base-BX-U
• 1000Base-LHA
• 1000Base-LHB
• 1000Base-LX
• 1000Base-SX
• 1000Base-SX 2
Media not supported
Digital optical monitoring is not supported for the following optics:
• E1MG-100BXU
• E1MG-100BXD
• E1MG-BXU
• E1MG-BXD
Configuration limitations
A device can monitor a maximum of 24 SFPs and 12 XFPs.
Setting the alarm interval
You can optionally change the interval at which alarms and warning messages are sent. The default interval is three minutes. To change the interval, use the following command.
PowerConnect(config)# interface ethernet 1 to 2
PowerConnect(config-mif-e10000-1-2)# optical-monitor 10
Syntax: [no] optical-monitor [ alarm-interval ]
For alarm-interval, enter a value between 1 and 65535. Enter 0 to disable alarms and warning messages.
Port 25: Type : 10G XG-SR(XFP)
Vendor: Brocade Communications Inc. Version: 02
Part# : JXPR01SW05306 Serial#: F617604000A3
Port 26: Type : EMPTY
Use the show media slot command to obtain information about the media device installed in a slot.
PowerConnect# show media slot 1
Port 1: Type : 1G M-SX(SFP)
Vendor: Brocade Communications, Inc. Version:
Part# : PL-XPL-VC-S13-19 Serial#: 425HC109
Port 2: Type : 1G M-SX(SFP)
Vendor: Brocade Communications, Inc.
Normal 0.0000 C Normal Low-Alarm Normal Normal Normal 4 Low-Alarm 0.000 mA Normal
Syntax: show optic slot number
NOTE
This function takes advantage of information stored and supplied by the manufacturer of the XFP or SFP transceiver. This information is an optional feature of the Multi-Source Agreement standard defining the optical interface. Not all component suppliers have implemented this feature set.
Viewing optical transceiver thresholds
The thresholds that determine the alarm status values for an optical transceiver are set by the manufacturer of the XFP or SFP. To view the thresholds for a qualified optical transceiver in a particular port, use the show optic threshold command as shown below.
Chapter 5 Configuring IPv6 Connectivity
IPv6 addressing overview
NOTE
This chapter does not describe IPv6 routing protocols, which are covered in separate chapters throughout this guide.
IPv6 was designed to replace IPv4, the Internet protocol most commonly used throughout the world today. IPv6 increases the number of network address bits from 32 (IPv4) to 128 bits, which provides more than enough unique IP addresses to support all of the network devices on the planet into the future.
The prefix-length parameter is specified as a decimal value that indicates how many of the left-most bits of the IPv6 address form the prefix. The following is an example of an IPv6 prefix.
2001:FF08:49EA:D088::/64
IPv6 address types
As with IPv4 addresses, you can assign multiple IPv6 addresses to a switch interface. Table 12 presents the three major types of IPv6 addresses that you can assign to a switch interface.
TABLE 12 IPv6 address types
Address type – Description – Address structure
Unicast – An address for a single interface. A packet sent to a unicast address is delivered to the interface identified by the address. – Depends on the type of the unicast address:
• Aggregatable global address – An address equivalent to a global or public IPv4 address.
IPv6 stateless autoconfiguration
PowerConnect devices use the IPv6 stateless autoconfiguration feature to enable a host on a local link to automatically configure its interfaces with new and globally unique IPv6 addresses associated with its location. The automatic configuration of a host interface is performed without the use of a server, such as a Dynamic Host Configuration Protocol (DHCP) server, or manual configuration.
TABLE 13 IPv6 CLI command support (Continued)
IPv6 command – Description – Switch code – Router code
ipv6 debug – Enables IPv6 debugging. – X – X
ipv6 dns domain-name – Configures an IPv6 domain name. – X – X
ipv6 dns server-address – Configures an IPv6 DNS server address. – X – X
ipv6 enable – Enables IPv6 on an interface. – X – X
ipv6 neighbor – Maps a static IPv6 address to a MAC address in the IPv6 neighbor table.
Configuring an IPv6 host address on a Layer 2 switch
NOTE
When configuring an IPv6 host address on a Layer 2 switch that has multiple VLANs, make sure the configuration includes a designated management VLAN that identifies the VLAN to which the global IP address belongs. Refer to “Designated VLAN for Telnet management sessions to a Layer 2 Switch” on page 863.
Configuring the management port for an IPv6 automatic address configuration
You can have the management port configured to automatically obtain an IPv6 address.
Configuring basic IPv6 connectivity on a Layer 3 switch
• Solicited-node for anycast address FF02:0:0:0:0:1:FF00::0000
• All-nodes link-local multicast group FF02::1
• All-routers link-local multicast group FF02::2
The neighbor discovery feature sends messages to these multicast groups. For more information, refer to “Configuring IPv6 neighbor discovery” on page 77.
The eui-64 keyword configures the global address with an EUI-64 interface ID in the low-order 64 bits. The interface ID is automatically constructed in IEEE EUI-64 format using the interface MAC address.
Configuring a link-local IPv6 address on an interface
To explicitly enable IPv6 on a router interface without configuring a global or site-local address for the interface, enter commands such as the following.
IPv6 anycast addresses are described in detail in RFC 1884. See RFC 2461 for a description of how the IPv6 Neighbor Discovery mechanism handles anycast addresses.
IPv6 management (IPv6 host support)
An IPv6 host has IPv6 addresses on its interfaces, but does not have full IPv6 routing enabled on it.
• The ipv6-address you specify must be in hexadecimal format using 16-bit values between colons as documented in RFC 2373.
SNMP V3 over IPv6
PowerConnect devices support IPv6 for SNMP version 3. For more information about how to configure SNMP, refer to Chapter 32, “Securing SNMP Access”.
SNTP over IPv6
To enable the PowerConnect device to send SNTP packets over IPv6, enter a command such as the following at the Global CONFIG level of the CLI.
• The port-number parameter specifies the port number on which the PowerConnect device establishes the Telnet connection. You can specify a value from 1 to 65535. If you do not specify a port number, the PowerConnect device establishes the Telnet connection on port 23.
• If the IPv6 address you specify is a link-local address, you must specify the outgoing-interface Ethernet port | ve number parameter.
Using the IPv6 copy command
The copy command for IPv6 allows you to do the following:
• Copy a file from a specified source to an IPv6 TFTP server.
• Copy a file from an IPv6 TFTP server to a specified destination.
Copying a file to an IPv6 TFTP server
You can copy a file from the following sources to an IPv6 TFTP server:
• Flash memory.
• Running configuration.
• Startup configuration.
Copying a file from an IPv6 TFTP server
You can copy a file from an IPv6 TFTP server to the following destinations:
• Flash memory.
• Running configuration.
• Startup configuration.
Copying a file to flash memory
For example, to copy a boot image from an IPv6 TFTP server to the primary or secondary storage location in the device flash memory, enter a command such as the following.
PowerConnect# copy tftp flash 2001:7382:e0ff:7837::3 test.
NOTE
You cannot use the overwrite option from non-console sessions, because it will disconnect the session.
Using the IPv6 ncopy command
The ncopy command for IPv6 allows you to do the following:
• Copy a primary or secondary boot image from flash memory to an IPv6 TFTP server.
• Copy the running configuration to an IPv6 TFTP server.
• Copy the startup configuration to an IPv6 TFTP server.
• Upload various files from an IPv6 TFTP server.
Uploading files from an IPv6 TFTP server
You can upload the following files from an IPv6 TFTP server:
• Primary boot image.
• Secondary boot image.
• Running configuration.
• Startup configuration.
Uploading a primary or secondary boot image from an IPv6 TFTP server
For example, to upload a primary or secondary boot image from an IPv6 TFTP server to a device flash memory, enter a command such as the following.
For example, to ping a device with the IPv6 address of 2001:3424:847f:a385:34dd::45 from the PowerConnect device, enter the following command.
I – Indicates that the user interrupted ping.
Configuring an IPv6 Syslog server
To enable IPv6 logging, specify an IPv6 Syslog server. Enter a command such as the following.
PowerConnect(config)# log host ipv6 2000:2383:e0bb::4/128
Syntax: log host ipv6 ipv6-address [ udp-port-num ]
• The ipv6-address must be in hexadecimal using 16-bit values between colons as documented in RFC 2373.
Configuring IPv6 neighbor discovery
Disabling router advertisement and solicitation messages
Router advertisement and solicitation messages enable a node on a link to discover the routers on the same link. By default, router advertisement and solicitation messages are permitted on the device. To disable these messages, configure an IPv6 access control list that denies them. The following shows an example configuration.
An IPv6 host is required to listen for and recognize the following addresses that identify itself:
• Link-local address.
• Assigned unicast address.
• Loopback address.
• All-nodes multicast address.
• Solicited-node multicast address.
• Multicast address to all other groups to which it belongs.
You can adjust the following IPv6 neighbor discovery features:
• Neighbor solicitation messages for duplicate address detection.
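The EUI-64 interface ID, the well-known neighbor discovery groups (FF02::1, FF02::2, solicited-node) and the list of addresses a host must recognize as its own, worked through in code. This is an added example, not PowerConnect code; the MAC address and /64 prefix are constructed samples, and the MAC is written in the same dotted form the show interface output uses.

```python
"""Derive the IPv6 addresses an interface owns and the multicast groups it must
listen on, from its MAC address and a /64 prefix (added example, not vendor code)."""
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")     # all-nodes link-local group
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")   # all-routers link-local group (routers only)
LOOPBACK = ipaddress.IPv6Address("::1")
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: insert FF:FE in the middle and flip the
    universal/local bit of the first octet. Accepts aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff
    or aa-bb-cc-dd-ee-ff."""
    octets = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Place the EUI-64 interface ID in the low-order 64 bits of a /64 prefix
    (what the eui-64 keyword does for a global address)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local address: the EUI-64 interface ID under fe80::/64."""
    return address_from_prefix("fe80::/64", mac)


def solicited_node(addr) -> ipaddress.IPv6Address:
    """Solicited-node group FF02::1:FFxx:xxxx, taking the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def host_listen_set(mac: str, global_prefix: str, is_router: bool = False) -> set:
    """The addresses the interface must recognize as identifying itself: link-local,
    assigned unicast, loopback, all-nodes, and the solicited-node group of each
    unicast address. A router additionally joins the all-routers group."""
    ll = link_local_address(mac)
    gl = address_from_prefix(global_prefix, mac)
    listen = {ll, gl, LOOPBACK, ALL_NODES, solicited_node(ll), solicited_node(gl)}
    if is_router:
        listen.add(ALL_ROUTERS)
    return listen


def is_for_me(dst: str, listen: set) -> bool:
    """Would a packet to dst be accepted by an interface with this listen set?"""
    return ipaddress.IPv6Address(dst) in listen


if __name__ == "__main__":
    sample_mac = "00e0.52a9.bb49"                 # constructed sample
    sample_prefix = "2001:ff08:49ea:d088::/64"    # constructed sample
    for addr in sorted(host_listen_set(sample_mac, sample_prefix), key=int):
        print(addr)
```

Note that both unicast addresses share one solicited-node group because their interface IDs, and so their low 24 bits, are the same.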
After node 1 receives the neighbor advertisement message from node 2, nodes 1 and 2 can exchange packets on the link. After the link-layer address of node 2 is determined, node 1 can send neighbor solicitation messages to node 2 to verify that it is reachable. Also, nodes 1, 2, or any other node on the same link can send a neighbor advertisement message to the all-nodes multicast address (FF02::1) if there is a change in their link-layer address.
Clearing global IPv6 information
Clearing the IPv6 cache
You can remove all entries from the IPv6 cache or specify an entry based on the following:
• IPv6 prefix.
• IPv6 address.
• Interface type.
For example, to remove entries for IPv6 address 2000:e0ff::1, enter the following command at the Privileged EXEC level or any of the Config levels of the CLI.
Clearing IPv6 traffic statistics
To clear all IPv6 traffic statistics (reset all fields to zero), enter the following command at the Privileged EXEC level or any of the Config levels of the CLI.
Displaying global IPv6 information
• The ipv6-prefix/prefix-length parameter restricts the display to the entries for the specified IPv6 prefix. You must specify the ipv6-prefix parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373. You must specify the prefix-length parameter as a decimal value. A slash mark (/) must follow the ipv6-prefix parameter and precede the prefix-length parameter.
TABLE 15 General IPv6 interface information fields
This field... – Displays...
Interface – The interface type, and the port number or number of the interface.
Status – The status of the interface. The entry in the Status field will be either “up/up” or “down/down”.
Routing – The routing protocols enabled on the interface.
Global Unicast Address – The global unicast address of the interface.
TABLE 16 Detailed IPv6 interface information fields (Continued)
This field... – Displays...
ICMP – The setting of the ICMP redirect parameter for the interface.
ND – The setting of the various neighbor discovery parameters for the interface.
Displaying IPv6 neighbor information
You can display the IPv6 neighbor table, which contains an entry for each IPv6 neighbor with which the router exchanges IPv6 packets.
TABLE 17 IPv6 neighbor information fields (Continued)
This field... – Displays...
State – The current state of the neighbor. Possible states are as follows:
• INCOMPLETE – Address resolution of the entry is being performed.
• *REACH – The static forward path to the neighbor is functioning properly.
• REACH – The forward path to the neighbor is functioning properly.
• STALE – This entry has remained unused for the maximum interval.
TABLE 18 General IPv6 TCP connection fields
This field... – Displays...
Local IP address:port – The IPv4 or IPv6 address and port number of the local router interface over which the TCP connection occurs.
Remote IP address:port – The IPv4 or IPv6 address and port number of the remote router interface over which the TCP connection occurs.
TCP state – The state of the TCP connection. Possible states include the following:
• LISTEN – Waiting for a connection request.
PowerConnect# show ipv6 tcp status 2000:4::110 179 2000:4::106 8222
TCP: TCP = 0x217fc300
TCP: 2000:4::110:179 -> 2000:4::106:8222: state: ESTABLISHED Port: 1
Send: initial sequence number = 242365900
Send: first unacknowledged sequence number = 242434080
Send: current send pointer = 242434080
Send: next sequence number to send = 242434080
Send: remote received window = 16384
Send: total unacknowledged sequence number = 0
Send: total used buffers 0
Receive: initial inc
TABLE 19 Specific IPv6 TCP connection fields (Continued)
This field... – Displays...
Send: total unacknowledged sequence number = number – The total number of unacknowledged sequence numbers sent by the local router.
Send: total used buffers number – The total number of buffers used by the local router in setting up the TCP connection.
Receive: initial incoming sequence number = number – The initial incoming sequence number received by the local router.
PowerConnect# show ipv6 traffic
IP6 Statistics
36947 received, 66818 sent, 0 forwarded, 36867 delivered, 0 rawout
0 bad vers, 23 bad scope, 0 bad options, 0 too many hdr
0 no route, 0 can not forward, 0 redirect sent
0 frag recv, 0 frag dropped, 0 frag timeout, 0 frag overflow
0 reassembled, 0 fragmented, 0 ofragments, 0 can not frag
0 too short, 0 too small, 11 not member
0 no buffer, 66819 allocated, 21769 freed
0 forward cache hit, 46 forward cache miss
ICMP6 Statis
TABLE 20 IPv6 traffic statistics fields (Continued)
This field... – Displays...
bad scope – The number of IPv6 packets dropped by the router because of a bad address scope.
bad options – The number of IPv6 packets dropped by the router because of bad options.
too many hdr – The number of IPv6 packets dropped by the router because the packets had too many headers.
no route – The number of IPv6 packets dropped by the router because there was no route.
router soli – The number of Router Solicitation messages sent or received by the router.
router adv – The number of Router Advertisement messages sent or received by the router.
nei soli – The number of Neighbor Solicitation messages sent or received by the router.
nei adv – The number of Neighbor Advertisement messages sent or received by the router.
input errors – This information is used by Dell Technical Support.
TCP statistics
active opens – The number of TCP connections opened by the router by sending a TCP SYN to another device.
passive opens – The number of TCP connections opened by the router in response to connection requests (TCP SYNs) received from other devices.
Chapter 6 Configuring Spanning Tree Protocol (STP) Related Features
STP overview
The Spanning Tree Protocol (STP) eliminates Layer 2 loops in networks by selectively blocking some ports and allowing other ports to forward traffic, based on global (bridge) and local (port) parameters you can configure. STP related features, such as RSTP and PVST, extend the operation of standard STP, enabling you to fine-tune standard STP and avoid some of its limitations.
Configuring standard STP parameters
2. MSTP stands for “Multiple Spanning Tree Protocol”. In this type of STP, each port-based VLAN, including the default VLAN, has its own spanning tree. References in this documentation to “STP” apply to MSTP. The Single Spanning Tree Protocol (SSTP) is another type of STP. SSTP includes all VLANs on which STP is enabled in a single spanning tree. Refer to “Single Spanning Tree (SSTP)” on page 148.
Table 22 lists the default STP bridge parameters.
TABLE 23 Default STP port parameters
Parameter – Description – Default and valid values
Priority – The preference that STP gives this port relative to other ports for forwarding traffic out of the spanning tree. A higher numerical value means a lower priority. – 128. Possible values in PowerConnect B-Series TI24X (configurable in increments of 16)
Path Cost – The cost of using the port to reach the root bridge.
Enabling or disabling STP in a port-based VLAN
Use the following procedure to disable or enable STP on a device on which you have configured a port-based VLAN. Changing the STP state in a VLAN affects only that VLAN. To enable STP for all ports in a port-based VLAN, enter commands such as the following.
PowerConnect(config)#vlan 1
PowerConnect(config-vlan-1)#spanning-tree priority 0
Syntax: [no] spanning-tree [forward-delay ] | [hello-time ] | [maximum-age ] | [priority ]
The forward-delay parameter specifies the forward delay and can be a value from 4 – 30 seconds. The default is 15 seconds.
NOTE
You can configure a device for faster convergence (including a shorter forward delay) using Fast Span.
STP protection enhancement
STP protection provides the ability to prohibit an end station from initiating or participating in an STP topology change. The 802.1W Spanning Tree Protocol (STP) detects and eliminates logical loops in a redundant network by selectively blocking some data paths (ports) and allowing only the best data paths to forward traffic.
You can view the STP Protection configuration for all ports on a device, or for a specific port only. The show stp-protect command output shows the port number on which STP Protection is enabled, and the number of BPDUs dropped by each port. To view the STP Protection configuration for all ports on the device, enter the following command at any level of the CLI.
PowerConnect#show span
VLAN 1 BPDU cam_index is 3 and the Master DMA Are(HEX)
STP instance owned by VLAN 1
Global STP (IEEE 802.
TABLE 24 CLI display of STP information (Continued)
This field... – Displays...
Root Cost – The cumulative cost from this bridge to the root bridge. If this device is the root bridge, then the root cost is 0.
Root Port – The port on this device that connects to the root bridge. If this device is the root bridge, then the value is “Root” instead of a port number.
Priority Hex – This device or VLAN STP priority. The value is shown in hexadecimal format.
Design Cost – The cost to the root bridge as advertised by the designated bridge that is connected to this port. If the designated bridge is the root bridge itself, then the cost is 0. The identity of the designated bridge is shown in the Design Bridge field.
Designated Root – The root bridge as recognized on this port.
PowerConnect#show span detail
======================================================================
VLAN 1 - MULTIPLE SPANNING TREE (MSTP) ACTIVE
======================================================================
Bridge identifier - 0x800000e0804d4a00
Active global timers - Hello: 0
Port 1 is FORWARDING
Port - Path cost: 19, Priority: 128, Root: 0x800000e052a9bb00
Designated - Bridge: 0x800000e052a9bb00, Interface: 1, Path cost: 0
Active Timers - None
BPDUs - Sen
TABLE 25 CLI display of detailed STP information for ports (Continued)
This field... – Displays...
Active global timers – The global STP timers that are currently active, and their current values. The following timers can be listed:
• Hello – The interval between Hello packets. This timer applies only to the root bridge.
• Topology Change (TC) – The amount of time during which the topology change flag in Hello packets will be marked, indicating a topology change.
Active Timers – The current values for the following timers, if active:
• Message age – The number of seconds this port has been waiting for a hello message from the root bridge.
• Forward delay – The number of seconds that have passed since the last topology change and consequent reconvergence.
Configuring STP related features
PowerConnect#show interface ethernet 11
FastEthernet11 is up, line protocol is up
Hardware is FastEthernet, address is 00e0.52a9.bb49 (bia 00e0.52a9.
802.1W Rapid Spanning Tree (RSTP)
Rapid Spanning Tree Protocol (RSTP), which was 802.1W Draft 3, provided only a subset of the IEEE 802.1W standard, whereas the 802.1W RSTP feature provides the full standard. The implementation of the 802.1W Draft 3 is referred to as RSTP Draft 3. RSTP Draft 3 will continue to be supported on devices for backward compatibility. However, customers who are currently using RSTP Draft 3 should migrate to 802.1W. The 802.
The 802.1W algorithm uses this information to determine if the RST BPDU received by a port is superior to the RST BPDU that the port transmits. The two values are compared in the order given above, starting with the Root bridge ID. The RST BPDU with a lower value is considered superior. The superiority or inferiority of the RST BPDU is used to assign a role to a port.
The topology in Figure 2 contains four bridges. Switch 1 is the root bridge since it has the lowest bridge priority. Switch 2 through Switch 4 are non-root bridges.
FIGURE 2 Simple 802.
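The superiority comparison, the root election of Figure 2, and the STP Protection drop counter shown by show stp-protect, worked through in code. This is an added example, not Dell or Brocade code; it assumes the 802.1W field order (root bridge ID, root path cost, designated bridge ID, designated port ID), since the page's own field list is on a preceding page, and all bridge MACs except the 0x800000e0804d4a00 identifier taken from the show span detail output are constructed.

```python
"""802.1W RST BPDU comparison, root election and STP Protection, as an added
example (not vendor code). Lower value wins at the first field that differs."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BridgeId:
    priority: int  # high 16 bits of the 8-byte bridge identifier; 0x8000 is the default
    mac: str       # low 48 bits, written in the dotted form the CLI output uses

    @classmethod
    def from_hex(cls, ident: str) -> "BridgeId":
        """Parse the identifier printed by 'show span detail', e.g. 0x800000e0804d4a00."""
        value = int(ident, 16)
        mac = value & 0xFFFFFFFFFFFF
        return cls(value >> 48,
                   "%04x.%04x.%04x" % (mac >> 32, (mac >> 16) & 0xFFFF, mac & 0xFFFF))

    def as_int(self) -> int:
        return (self.priority << 48) | int(self.mac.replace(".", ""), 16)


@dataclass(frozen=True)
class RstBpdu:
    root_id: BridgeId
    root_path_cost: int
    designated_bridge: BridgeId
    designated_port: int

    def vector(self) -> tuple:
        """Priority vector in comparison order (assumed 802.1W order)."""
        return (self.root_id.as_int(), self.root_path_cost,
                self.designated_bridge.as_int(), self.designated_port)


def is_superior(received: RstBpdu, own: RstBpdu) -> bool:
    """Tuple comparison walks the fields in order; the first differing field decides."""
    return received.vector() < own.vector()


def elect_root(bridges) -> BridgeId:
    """At start-up every bridge advertises itself as root; the lowest bridge ID wins."""
    return min(bridges, key=BridgeId.as_int)


def own_bpdu(bridge: BridgeId, port: int, root: Optional[BridgeId] = None,
             cost: int = 0) -> RstBpdu:
    """The BPDU a port would transmit: its current idea of the root (itself until told otherwise)."""
    return RstBpdu(root if root is not None else bridge, cost, bridge, port)


@dataclass
class Port:
    """One bridge port. With stp_protect set (the page's STP Protection), a BPDU from
    the attached end station is dropped and counted instead of being compared, so the
    station cannot initiate or join a topology change."""
    bridge: BridgeId
    number: int
    stp_protect: bool = False
    bpdus_dropped: int = 0
    best: Optional[RstBpdu] = None
    role: str = "designated"

    def receive(self, bpdu: RstBpdu) -> str:
        if self.stp_protect:
            self.bpdus_dropped += 1
            return "dropped"
        current = self.best if self.best is not None else own_bpdu(self.bridge, self.number)
        if is_superior(bpdu, current):
            self.best = bpdu
            self.role = "root"   # a superior BPDU from the peer makes this the Root port
            return "superior"
        return "inferior"


# Figure 2: four bridges, Switch 1 root because its priority is lowest (constructed values,
# except SWITCH2 which reuses the identifier from the show span detail output).
SWITCH1 = BridgeId(4096, "00e0.52a9.bb00")
SWITCH2 = BridgeId.from_hex("0x800000e0804d4a00")
SWITCH3 = BridgeId(0x8000, "00e0.52a9.cc00")
SWITCH4 = BridgeId(0x9000, "00e0.52a9.dd00")

if __name__ == "__main__":
    print("root:", elect_root([SWITCH1, SWITCH2, SWITCH3, SWITCH4]))
    p = Port(SWITCH2, 1)
    print("port 1 on switch 2 receiving switch 1's BPDU:", p.receive(own_bpdu(SWITCH1, 1)), p.role)
```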
6 Configuring STP related features Edge ports and edge port roles The Dell implementation of 802.1W allows ports that are configured as Edge ports to be present in an 802.1W topology. (Figure 3). Edge ports are ports of a bridge that connect to workstations or computers. Edge ports do not register any incoming BPDU activities. Edge ports assume Designated port roles. Port flapping does not cause any topology change events on Edge ports since 802.
Configuring STP related features 6 NOTE Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops. The topology in Figure 4 is an example of shared media that should not be configured as point-to-point links. In Figure 4, a port on a bridge communicates or is connected to at least two ports. FIGURE 4 Example of shared media Bridge port states Ports roles can have one of the following states: • Forwarding – 802.
6 Configuring STP related features A port on a non-root bridge with a Designated role starts in the discarding state. When that port becomes elected to the Root port role, 802.1W quickly places it into a forwarding state. However, if the Designated port is an Edge port, then the port starts and stays in a forwarding state and it cannot be elected as a Root port. A port with an Alternate or Backup role is always in a discarding state.
Configuring STP related features 6 • Port Protocol Migration – This state machine deals with compatibility with 802.1D bridges. When a legacy BPDU is detected on a port, this state machine configures the port to transmit and receive legacy BPDUs and operate in the legacy mode. • Topology Change – This state machine detects, generates, and propagates topology change notifications. It acknowledges Topology Change Notice (TCN) messages when operating in 802.1D mode.
6 Configuring STP related features

• Proposing – The Designated port on the root bridge sends an RST BPDU to its peer port that contains a proposal flag. The proposal flag signals that the Designated port is ready to put itself in a forwarding state (Figure 5). The Designated port continues to send this flag in its RST BPDUs until it is placed in a forwarding state (Figure 8) or is forced to operate in 802.1D mode. (Refer to “Compatibility of 802.1W with 802.1D” on page 134.)
• Sync – Once the Root port is elected, it sets a sync signal on all the ports on the bridge. The signal tells the ports to synchronize their roles and states (Figure 6). Non-edge ports with a Designated port role change into a discarding state. These ports then have to negotiate with their peer ports to establish their new roles and states.
• Synced – Once a Designated port changes into a discarding state, it asserts a synced signal. Alternate ports and Backup ports are synced immediately. The Root port monitors the synced signals from all the bridge ports. Once all bridge ports assert a synced signal, the Root port asserts its own synced signal (Figure 7).
• Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state. When the peer Designated port receives the RST BPDU, it rapidly transitions into a forwarding state.

Handshake when a root port has been elected
If a non-root bridge already has a Root port, 802.1W uses a different type of handshake. For example, in Figure 9, a new root bridge is added to the topology.
• Proposing and Proposed – The Designated port on the new root bridge (Port4/Switch 60) sends an RST BPDU that contains a proposing signal to Port4/Switch 200 to inform the port that it is ready to put itself in a forwarding state (Figure 10). The 802.1W algorithm determines that the RST BPDU that Port4/Switch 200 received is superior to what it can generate, so Port4/Switch 200 assumes a Root port role.
• Sync and Reroot – The Root port then asserts a sync and a reroot signal on all the ports on the bridge. The signal tells the ports that a new Root port has been assigned and that they are to renegotiate their new roles and states. The other ports on the bridge assert their sync and reroot signals. Information about the old Root port is discarded from all ports. Designated ports change into discarding states (Figure 11).
• Sync and Rerooted – When the ports on Switch 200 have completed the reroot phase, they assert their rerooted signals and continue to assert their sync signals as they remain in their discarding states. They also continue to negotiate their roles and states with their peer ports (Figure 12).
• Synced and Agree – When all the ports on the bridge assert their synced signals, the new Root port asserts its own synced signal and sends an RST BPDU to Port4/Switch 60 that contains an agreed flag (Figure 12). The Root port also moves into a forwarding state.
The Designated port on Switch 60 goes into a forwarding state once it receives the RST BPDU with the agreed flag.
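The proposal/agreement handshake above is easier to follow as code. The following is an added example, not Dell's or the IEEE reference implementation: a toy model in which Port4/Switch 60 proposes to Port4/Switch 200, Switch 200 runs Sync, Synced and Agreed across its own ports, and the Designated port on Switch 60 goes Forwarding only when the agreement arrives. The classes, port names and the extra ports on Switch 200 (one non-edge Designated port and one edge port) are constructed for the illustration; the treatment of edge ports as synced without discarding follows the Sync bullet, which only discards non-edge Designated ports. The security-relevant detail is visible in the Sync step: any device that can deliver a superior proposal on a link forces the receiving bridge to discard its non-edge Designated ports, which is why BPDU guard and root guard (later in this chapter) belong on ports facing hosts.

```python
"""Toy model of the 802.1W proposal/agreement handshake on one point-to-point
link.  Added example (not Dell's code): the classes and the topology below
are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RstBpdu:
    sender: str
    proposal: bool = False   # set by the Designated port that wants to forward
    agreement: bool = False  # set by the Root port once the bridge is synced


@dataclass
class Port:
    name: str
    role: str = "Designated"     # Designated, Root, Alternate or Backup
    state: str = "Discarding"    # Discarding, Learning or Forwarding
    edge: bool = False           # edge ports face hosts and are not discarded by sync
    synced: bool = False


class Bridge:
    def __init__(self, name: str, ports: List[Port]) -> None:
        self.name = name
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.log: List[str] = []

    def handle_proposal(self, port_name: str, bpdu: RstBpdu) -> RstBpdu:
        """Proposing -> Sync -> Synced -> Agreed for a proposal received on port_name.

        Returns the RST BPDU (agreed flag set) that the new Root port sends back.
        """
        if not bpdu.proposal:
            raise ValueError("expected an RST BPDU with the proposal flag set")
        root = self.ports[port_name]
        root.role, root.state, root.synced = "Root", "Discarding", False
        self.log.append(f"{self.name}:{root.name} becomes Root port (proposed by {bpdu.sender})")
        # Sync: the Root port asserts sync on every other port of the bridge.
        for p in self.ports.values():
            if p is root:
                continue
            if p.role == "Designated" and not p.edge:
                # A non-edge Designated port must stop forwarding before the
                # bridge agrees; otherwise the new root path and the old one
                # could forward at the same time and form a transient loop.
                p.state = "Discarding"
                self.log.append(f"{self.name}:{p.name} Designated -> Discarding (sync)")
            # Alternate, Backup and edge ports are synced immediately;
            # a Designated port is synced once it is discarding.
            p.synced = True
        # Synced: only when every other port reports synced may the Root port agree.
        if not all(p.synced for p in self.ports.values() if p is not root):
            raise RuntimeError("bridge never reached the synced condition")
        root.synced = True
        root.state = "Forwarding"
        self.log.append(f"{self.name}:{root.name} Root -> Forwarding, sending agreed")
        return RstBpdu(sender=f"{self.name}:{root.name}", agreement=True)


def designated_port_receives(port: Port, reply: RstBpdu) -> Port:
    """The Designated port on the root bridge keeps proposing until an agreement arrives."""
    if reply.agreement:
        port.state = "Forwarding"
    return port


def run_handshake() -> Tuple[Port, Bridge]:
    # Constructed topology, after Figure 10: Port4/Switch 60 (root bridge)
    # proposes to Port4/Switch 200.  Switch 200 also has a non-edge Designated
    # port towards another switch and an edge port towards a host.
    sw60_port4 = Port("Port4", role="Designated", state="Discarding")
    sw200 = Bridge("Switch200", [
        Port("Port4"),
        Port("Port5", state="Forwarding"),
        Port("Port6", state="Forwarding", edge=True),
    ])
    proposal = RstBpdu(sender="Switch60:Port4", proposal=True)
    agreement = sw200.handle_proposal("Port4", proposal)
    designated_port_receives(sw60_port4, agreement)
    return sw60_port4, sw200


if __name__ == "__main__":
    dp, bridge = run_handshake()
    print("\n".join(bridge.log))
    print("Switch60:Port4 ->", dp.state)
```

Running it shows Port5 on Switch 200 dropping to Discarding before the agreement is sent, while the edge port Port6 keeps forwarding; that is the Sync step at work.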
Convergence at start up
In Figure 15, two bridges, Switch 2 and Switch 3, are powered up. There is a point-to-point connection between Port3/Switch 2 and Port3/Switch 3.
FIGURE 15 Convergence between two bridges (Switch 2, bridge priority 1500, Port3 is the Designated port; Switch 3, bridge priority 2000, Port3 is the Root port)
At power up, all ports on Switch 2 and Switch 3 assume Designated port roles and are in discarding states before they receive any RST BPDU.
Next, Switch 1 is powered up (Figure 16).
Port2/Switch 2 also sends an RST BPDU with an agreed flag to Port2/Switch 1 to confirm that Port2 is the new Root port. Both ports go into forwarding states. Port3/Switch 3 is currently in a discarding state and is negotiating a port role. It received RST BPDUs from Port3/Switch 2. The 802.
For example, Port2/Switch 2, which is the port that connects Switch 2 to the root bridge (Switch 1), fails. Both Switch 2 and Switch 1 notice the topology change (Figure 18).
FIGURE 18 Link failure in the topology (Switch 1, bridge priority 1000; Switch 2, bridge priority 1500; Switch 3, bridge priority 2000)
Switch 1 sets its Port2 into a discarding state.
When Port2/Switch 2 receives the RST BPDUs, the 802.1W algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of a Root port. All the ports on Switch 2 are informed that a new Root port has been assigned, which then signals all the ports to synchronize their roles and states.
Convergence in a complex 802.1W topology
The following is an example of a complex 802.1W topology.
FIGURE 19 Complex 802.
Next, Switch 2 sends RST BPDUs with a proposal flag to Port3/Switch 4. Port3 becomes the Root port for the bridge; all other ports are given a Designated port role with discarding states. Port3/Switch 4 sends an RST BPDU with an agreed flag to Switch 2 to confirm that it is the new Root port. The port then goes into a forwarding state. Now Port4/Switch 4 receives an RST BPDU that is superior to what it can transmit.
After convergence is complete, Figure 20 shows the active Layer 2 path of the topology in Figure 19.
For example, Port3/Switch 2 in Figure 21 fails. Port4/Switch 3 becomes the new Root port. Port4/Switch 3 sends an RST BPDU with a TCN to Port4/Switch 4. To propagate the topology change, Port4/Switch 4 then starts a TCN timer on itself, on the bridge Root port, and on the other ports on that bridge with a Designated role. Then Port3/Switch 4 sends an RST BPDU with the TCN to Port4/Switch 2. (Note the new active Layer 2 path in Figure 21.)
• Port2/Switch 2 sends the TCN to Port2/Switch 1
FIGURE 22 Sending TCN to bridges connected to Switch 2 (the figure shows the bridge priorities of Switch 1 through Switch 6 and marks the active Layer 2 path)
Then Switch 1, Switch 5, and Switch 6 send RST BPDUs that contain the TCN to Switch 3 and Switch 4 to complete the TCN propagation (Figure 23).
For example, in Figure 24, Switch 10 and Switch 30 receive legacy BPDUs from Switch 20. Ports on Switch 10 and Switch 30 begin sending BPDUs in STP format to allow them to operate transparently with Switch 20.
FIGURE 24 802.1W bridges with an 802.1D bridge (Switch 10, 802.1W; Switch 20, 802.1D; Switch 30, 802.1W)
Once Switch 20 is removed from the LAN, Switch 10 and Switch 30 continue to receive and transmit BPDUs in the STP format to and from each other.
To enable 802.1W for all ports in a port-based VLAN, enter commands such as the following.
PowerConnect(config)#vlan 10
PowerConnect(config-vlan-10)#spanning-tree 802-1w
Syntax: [no] spanning-tree 802-1w
Note regarding pasting 802.1W settings into the running configuration
If you paste 802.
NOTE
If you change the 802.1W state of the primary port in a trunk group, the change affects all ports in that trunk group.
To disable or enable 802.1W on an individual port, enter commands such as the following.
PowerConnect(config)#interface e 1
PowerConnect(config-if-e10000-1)#no spanning-tree
Syntax: [no] spanning-tree
Changing 802.1W bridge parameters
When you make changes to 802.1W bridge parameters, the changes are applied to individual ports on the bridge.
The priority parameter specifies the priority of the bridge. You can enter a value from 0 – 65535. A lower numerical value means the bridge has a higher priority; thus, the highest priority is 0. The default is 32768. You can specify some or all of these parameters on the same command line. If you specify more than one parameter, you must specify them in the order shown above, from left to right.
Changing port parameters
The 802.
Set admin-pt2pt-mac to enabled or disabled. If set to enabled, the port is treated as connected to another port through a point-to-point link. A point-to-point link increases the speed of convergence. This parameter does not auto-detect whether or not the link is a physical point-to-point link, so enable it only on links that really are point-to-point; rapid transitions on a shared segment can produce temporary loops. The force-migration-check parameter forces the specified port to send one RST BPDU.
TABLE 27 CLI display of 802.1W summary (Continued)
Bridge IEEE 802.1W parameters
Bridge Identifier – The ID of the bridge.
Bridge Max Age – The configured max age for this bridge. The default is 20.
Bridge Hello – The configured hello time for this bridge. The default is 2.
Bridge FwdDly – The configured forward delay time for this bridge. The default is 15.
Force-Version – The configured force version value.
Hello – The hello value derived from the Root port. It is the number of seconds between two Hello packets.
Port IEEE 802.1W parameters
Port Num – The port number shown in a port# format.
Pri – The configured priority of the port. The default is 128 or 0x80.
Port Path Cost – The configured path cost on a link connected to this port.
PowerConnect#show 802-1w detail
======================================================================
VLAN 1 - MULTIPLE SPANNING TREE (MSTP - IEEE 802.
TABLE 28 CLI display of show spanning-tree 802.1W (Continued)
State – The port's current 802.1W state. A port can have one of the following states: Forwarding, Discarding, Learning, Disabled. Refer to “Bridge port states” on page 111 and “Edge port and non-edge port states” on page 112.
Path Cost – The configured path cost on a link connected to this port.
Priority – The configured priority of the port. The default is 128 or 0x80.
Machine States – The current states of the various state machines on the port:
PIM – State of the Port Information state machine.
PRT – State of the Port Role Transition state machine.
PST – State of the Port State Transition state machine.
TCM – State of the Topology Change state machine.
PPM – State of the Port Protocol Migration state machine.
PTX – State of the Port Transmit state machine.
FIGURE 25 802.
FIGURE 26 802.
Once a failover occurs, the switch no longer has an alternate root port. If the port that was an alternate port but became the root port fails, standard STP is used to reconverge with the network. You can minimize the reconvergence delay in this case by setting the forwarding delay on the root bridge to a lower value. For example, if the forwarding delay is set to 15 seconds (the default), change the forwarding delay to a value from 3 – 10 seconds. During failover, 802.
Enabling 802.1W Draft 3
802.1W Draft 3 is disabled by default. The procedure for enabling the feature differs depending on whether single STP is enabled on the device.
NOTE
STP must be enabled before you can enable 802.1W Draft 3.
Enabling 802.1W Draft 3 when single STP is not enabled
By default, each port-based VLAN on the device has its own spanning tree. To enable 802.1W Draft 3 in a port-based VLAN, enter commands such as the following.
SSTP uses the same parameters, with the same value ranges and defaults, as the default STP support on devices. Refer to “STP parameters and defaults” on page 93.
SSTP defaults
SSTP is disabled by default. When you enable the feature, all VLANs on which STP is enabled become members of a single spanning tree. All VLANs on which STP is disabled are excluded from the single spanning tree. To add a VLAN to the single spanning tree, enable STP on that VLAN.
PVST/PVST+ compatibility
PowerConnect(config)#spanning-tree single ethernet 1 priority 10
The command shown above overrides the global setting for STP priority and sets the priority to 10 for port 1. Here is the syntax for the global STP parameters.
Syntax: [no] spanning-tree single [forward-delay ] [hello-time ] | [maximum-age
Support for Cisco's Per VLAN Spanning Tree plus (PVST+) allows a device to run multiple spanning trees (one per port-based VLAN) while also interoperating with IEEE 802.1Q devices. Dell ports automatically detect PVST+ BPDUs and enable support for the BPDUs once detected.
FIGURE 27 Interaction of IEEE 802.1Q, PVST, and PVST+ regions (PVST BPDUs are tunneled through the IEEE 802.1Q region; 802.1D BPDUs are exchanged on the dual-mode ports between the PVST+ regions and the IEEE 802.1Q region; PVST BPDUs travel over ISL trunks in the PVST region)
VLAN tags and dual mode
The dual-mode feature enables a port to send and receive both tagged and untagged frames.
Configuring PVST+ support
PVST+ support is automatically enabled when the port receives a PVST BPDU. You can manually enable the support at any time or disable the support if desired. If you want a tagged port to also support IEEE 802.1Q BPDUs, you need to enable the dual-mode feature on the port. The dual-mode feature is disabled by default and must be enabled manually.
PowerConnect#show span pvst-mode
PVST+ Enabled on:
Port Method
1    Set by configuration
2    Set by configuration
10   Set by auto-detect
12   Set by configuration
24   Set by auto-detect
Syntax: show span pvst-mode
This command displays the following information.
TABLE 29 CLI display of PVST+ information
Port – The Dell port number.
NOTE: The command lists information only for the ports on which PVST+ support is enabled.
Commands on the Dell Device
PowerConnect(config)#vlan-group 1 vlan 2 to 4
PowerConnect(config-vlan-group-1)#tagged ethernet 1
PowerConnect(config-vlan-group-1)#exit
PowerConnect(config)#interface ethernet 1
PowerConnect(config-if-1)#dual-mode
PowerConnect(config-if-1)#pvst-mode
These commands configure a VLAN group containing VLANs 2, 3, and 4, add port 1 as a tagged port to the VLANs, and enable the dual-mode feature and PVST+ support on the port.
These commands change the default VLAN ID, configure port 1 as a tagged member of VLANs 1 and 2, and enable the dual-mode feature and PVST+ support on port 1. Since VLAN 1 is tagged in this configuration, the default VLAN ID must be changed from VLAN 1 to another VLAN ID. Changing the default VLAN ID from 1 allows the port to process tagged frames for VLAN 1. VLAN 2 is specified with the dual-mode command, which makes VLAN 2 the port's native VLAN.
PVRST compatibility
PVRST, the "rapid" version of per-VLAN spanning tree (PVST), is a Cisco proprietary protocol. PVRST corresponds to the Dell full implementation of IEEE 802.1w (RSTP). Likewise, PVST, also a Cisco proprietary protocol, corresponds to the Dell implementation of IEEE 802.1D (STP). PowerConnect B-Series TI24X devices also support PVRST compatibility. When it receives PVRST BPDUs on a port configured to run 802.
BPDU guard
Re-enabling ports disabled by BPDU guard
When a BPDU Guard-enabled port is disabled by BPDU Guard, the device places the port in errdisable state and displays a message on the console indicating that the port is errdisabled (refer to “Example console messages” on page 159). In addition, the show interface command output indicates that the port is errdisabled.
Root guard
300 second input rate: 8 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 256 bits/sec, 0 packets/sec, 0.
NOTE
Root guard may prevent network connectivity if it is improperly configured. Root guard must be configured on the perimeter of the network rather than the core.
NOTE
Root guard is not supported when MSTP is enabled.
Enabling STP root guard
An STP root guard is configured on an interface by entering commands similar to the following.
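The bridge priority rule from “Changing 802.1W bridge parameters” (0 to 65535, lower wins, default 32768) is also the reason BPDU guard and root guard exist: any device that emits a BPDU with a lower priority than the intended root wins the election. The following is an added example, not Dell's code, that models the election and the two guards generically. The switch, port and MAC values are constructed; the guard behaviour shown is the usual one (BPDU guard errdisables the port on any received BPDU, root guard refuses a superior root on a perimeter port and keeps the port out of forwarding), not a transcript of the TI24X implementation, whose console messages and recovery commands are described in the sections above.

```python
"""Root election by bridge priority, and what BPDU guard and root guard do with
an unwanted BPDU.  Added example, not Dell code; the Switch/Port classes and
the priorities below are constructed for illustration.  Guard behaviour is the
generic one: BPDU guard errdisables the port, root guard keeps the port from
accepting a superior root."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def mac_to_int(mac: str) -> int:
    """'0004.8038.2f24', '00:04:80:38:2f:24' and '000480382f24' all map to one integer."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class BridgeId:
    priority: int   # 0-65535; lower is better, 0 is the highest priority, default 32768
    mac: str

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= 65535:
            raise ValueError("bridge priority must be 0-65535")
        mac_to_int(self.mac)  # validate the address format early

    def key(self) -> Tuple[int, int]:
        # 802.1D compares priority first and breaks ties on the lower MAC address
        return (self.priority, mac_to_int(self.mac))

    def better_than(self, other: "BridgeId") -> bool:
        return self.key() < other.key()


@dataclass
class Port:
    name: str
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"   # forwarding, root-inconsistent or errdisabled


@dataclass
class Switch:
    bridge_id: BridgeId
    ports: Dict[str, Port]
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.root_id = self.bridge_id  # a bridge believes it is root until told otherwise

    def receive_bpdu(self, port_name: str, claimed_root: BridgeId) -> str:
        port = self.ports[port_name]
        if port.state == "errdisabled":
            return "dropped"
        if port.bpdu_guard:
            # An access port should never see a BPDU at all.
            port.state = "errdisabled"
            self.events.append(f"{port.name}: BPDU received, port errdisabled by BPDU guard")
            return "errdisabled"
        if claimed_root.better_than(self.root_id):
            if port.root_guard:
                # A superior BPDU arriving on a perimeter port is never honoured.
                port.state = "root-inconsistent"
                self.events.append(f"{port.name}: superior BPDU ignored by root guard")
                return "root-guard-blocked"
            self.root_id = claimed_root
            self.events.append(f"{port.name}: new root {claimed_root.priority}/{claimed_root.mac}")
            return "new-root"
        return "inferior"

    def reenable(self, port_name: str) -> None:
        """Manual recovery, as for a port that BPDU guard put into errdisable."""
        self.ports[port_name].state = "forwarding"


def scenario() -> Tuple[Switch, Switch, List[str]]:
    # Constructed values: the real root (priority 1000, like Switch 1 in Figure 18),
    # a rogue device claiming priority 0, and two access switches at the default 32768.
    real_root = BridgeId(1000, "0004.8038.2f00")
    rogue = BridgeId(0, "0010.5a86.b159")
    unguarded = Switch(BridgeId(32768, "0004.8038.2f24"),
                       {"e1": Port("e1"), "e5": Port("e5")})
    guarded = Switch(BridgeId(32768, "1234.1234.1234"),
                     {"e1": Port("e1"),
                      "e5": Port("e5", root_guard=True),
                      "e6": Port("e6", bpdu_guard=True)})
    results = [
        unguarded.receive_bpdu("e1", real_root),   # new-root
        unguarded.receive_bpdu("e5", rogue),       # new-root: the rogue takes over
        guarded.receive_bpdu("e1", real_root),     # new-root
        guarded.receive_bpdu("e5", rogue),         # root-guard-blocked
        guarded.receive_bpdu("e6", rogue),         # errdisabled
    ]
    return unguarded, guarded, results


if __name__ == "__main__":
    u, g, r = scenario()
    print(r)
    print("unguarded root:", u.root_id)
    print("guarded root:  ", g.root_id)
    print("\n".join(g.events))
```

On the unguarded switch the priority-0 BPDU on e5 becomes the root, so all traffic now transits whatever is plugged into that port; on the guarded switch the same BPDU is blocked by root guard on e5 and errdisables e6. The errdisabled port stays down until an operator re-enables it, which is the point of the “Re-enabling ports disabled by BPDU guard” procedure.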
802.1s Multiple Spanning Tree Protocol
Multiple Spanning Tree Protocol (MSTP), as defined in IEEE 802.1s, allows multiple VLANs to be managed by a single STP instance and supports per-VLAN STP. As a result, several VLANs can be mapped to a reduced number of spanning-tree instances. This provides a loop-free topology for one or more VLANs that share the same Layer 2 topology.
Configuration notes
When configuring MSTP, note the following:
• With MSTP running, enabling a static trunk on ports that are members of many VLANs (4000 or more VLANs) keeps the system busy for 20 to 25 seconds.
Configuring MSTP mode and scope
With the introduction of MSTP, a system can be either under MSTP mode or not under MSTP mode. The default state is to not be under MSTP mode. MSTP configuration can only be performed on a system under MSTP mode.
NOTE
Once under MSTP mode, the CIST always controls all ports in the system. If you do not want a port to run MSTP, configure the no spanning-tree command under the specified interface configuration.
Using the [no] option on a system that is configured for MSTP mode changes the system to non-MSTP mode. When this switch is made, all MSTP instances are deleted together with all MSTP configuration.
To configure an MSTP revision number, use a command such as the following at the Global Configuration level.
PowerConnect(config)#mstp revision 4
Syntax: [no] mstp revision
The revision parameter specifies the revision level for MSTP that you are configuring on the switch. It can be a number from 0 to 65535. The default revision number is 0.
Configuring an MSTP instance
An MSTP instance is configured with an MSTP ID for each region.
Setting the MSTP global parameters
MSTP has many of the options available in RSTP as well as some unique options. To configure MSTP global parameters for all instances on a switch.
Syntax: [no] mstp edge-port-auto-detect
NOTE
If this feature is enabled, it takes the port about 3 seconds longer to come to the enabled state.
Setting point-to-point link
You can set a point-to-point link between ports to increase the speed of convergence. To create a point-to-point link between ports, use a command such as the following at the Global Configuration level.
Example
In Figure 31, four devices are configured in two regions. There are four VLANs in four instances in Region 2. Region 1 is in the CIST.
TABLE 30 Output from Show MSTP (Continued)
ExtPath Cost – The configured path cost on a link connected to this port to an external MSTP region.
Regional Root Bridge – The MAC address of the Root Bridge for the local region.
IntPath Cost – The configured path cost on a link connected to this port within the internal MSTP region.
Chapter 7 Configuring Basic Layer 2 Features
The procedures in this chapter describe how to configure basic Layer 2 parameters. PowerConnect devices are configured at the factory with default parameters that allow you to begin using the basic features of the system immediately. However, many of the advanced features such as VLANs or routing protocols for the device must first be enabled at the system (global) level before they can be configured.
• Bridge parameters – forward delay, maximum age, hello time, and priority
• Port parameters – priority and path cost
For configuration details, refer to “Changing STP bridge and port parameters” on page 96.
Changing the MAC age time and disabling MAC address learning
To change the MAC address age timer, enter a command such as the following.
Displaying the MAC address table
To display the MAC table, enter the following command.
PowerConnect#show mac-address
Total active entries from all ports = 3
Total static entries from all ports = 1
MAC-Address    Port Type    VLAN
1234.1234.1234 15   Static  1
0004.8038.2f24 14   Dynamic 1
0004.8038.2f00 13   Dynamic 1
0010.5a86.b159 10   Dynamic 1
In the output of the show mac-address command, the Type column indicates whether the MAC entry is static or dynamic.
Multi-port static MAC address
Many applications, such as Microsoft NLB, Juniper IPS, and Netscreen Firewall, use the same MAC address to announce load-balancing services. As a result, a switch must be able to learn the same MAC address on several ports. Multi-port static MAC allows you to statically configure a MAC address on multiple ports using a single command.
Configuring VLAN-based static MAC entries
NOTE
The location of the static-mac-address command in the CLI depends on whether you configure port-based VLANs on the device. If the device does not have more than one port-based VLAN (VLAN 1, which is the default VLAN that contains all the ports), the static-mac-address command is at the global CONFIG level of the CLI. If the device has more than one port-based VLAN, then the static-mac-address command is not available at the global CONFIG level.
Use the vlan parameter to remove all MAC addresses for a specific VLAN.
Enabling port-based VLANs
When using the CLI, port and protocol-based VLANs are created by entering one of the following commands at the global CONFIG level of the CLI. To create a port-based VLAN, enter commands such as the following.
Command syntax
Suppose you want to make port 5 a member of port-based VLAN 4 as a tagged port. To do so, enter the following.
PowerConnect(config)#vlan 4
PowerConnect(config-vlan-4)#tagged e 5
Syntax: tagged ethernet [to [ethernet ...]]
Defining MAC address filters
MAC layer filtering enables you to build access lists based on MAC layer headers in the Ethernet/IEEE 802.3 frame. You can filter on the source and destination MAC addresses.
These commands configure a filter to deny traffic with a source MAC address that begins with “3565” to any destination. The second filter permits all traffic that is not denied by another filter.
NOTE
Once you apply a MAC filter to a port, the device drops all Ethernet traffic on the port that does not match a MAC permit filter on the port. In other words, a filter group ends in an implicit deny, so a group that contains only deny filters drops every frame on the port.
NOTE
If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced by the new filter group.
When a MAC filter is applied to or removed from an interface, a Syslog message such as the following is generated.
SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 MAC Filter applied to port 2 by tester from telnet session (filter id=5 ).
SYSLOG: <14>Jan 1 00:00:00 10.44.9.
PowerConnect(config)#mac filter log-enable
PowerConnect(config)#write memory
Syntax: [no] mac filter log-enable
To configure MAC filter logging for MAC filters applied to ports 1 and 3, enter the following CLI commands.
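The two notes above (first match wins, and an applied filter group ends in an implicit deny) are the part of MAC filtering that most often surprises operators. The following is an added example, not Dell's code, that evaluates a filter group against constructed frames. The MacFilter class and its address/mask notation are my own (a 1 bit in the mask means that bit is compared, so "3565.0000.0000 ffff.0000.0000" is the "begins with 3565" filter from the text); the sample frames are constructed, and the example does not reproduce the exact mac filter command syntax of the TI24X CLI.

```python
"""Evaluate a port's MAC filter group the way the notes above describe:
first matching filter wins, and a frame that matches no permit filter is
dropped.  Added example, not Dell code; the MacFilter class, the mask
notation and the sample frames are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacFilter:
    fid: int
    action: str                       # "permit" or "deny"
    src: str = "any"                  # address, or "any"
    src_mask: str = "ffff.ffff.ffff"  # 1 bits are compared, 0 bits are wildcards
    dst: str = "any"
    dst_mask: str = "ffff.ffff.ffff"

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")

    @staticmethod
    def _match(addr: str, pattern: str, mask: str) -> bool:
        if pattern == "any":
            return True
        m = mac_to_int(mask)
        return mac_to_int(addr) & m == mac_to_int(pattern) & m

    def matches(self, src: str, dst: str) -> bool:
        return (self._match(src, self.src, self.src_mask)
                and self._match(dst, self.dst, self.dst_mask))


def evaluate(group: List[MacFilter], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, filter id).  No match means the implicit deny (id None)."""
    for f in group:
        if f.matches(src, dst):
            return f.action, f.fid
    return "deny", None


# Constructed filter group after the text: deny sources beginning with 3565
# (the first 16 bits are compared), then permit everything else.
DENY_3565 = MacFilter(1, "deny", src="3565.0000.0000", src_mask="ffff.0000.0000")
PERMIT_ANY = MacFilter(2, "permit")
GROUP_WITH_PERMIT = [DENY_3565, PERMIT_ANY]
GROUP_DENY_ONLY = [DENY_3565]          # forgot the permit: drops everything

# Constructed sample frames (source, destination).
FRAMES = [
    ("3565.aaaa.0001", "0004.8038.2f24"),   # denied by filter 1
    ("0010.5a86.b159", "0004.8038.2f24"),   # permitted by filter 2
    ("3565.0000.0000", "ffff.ffff.ffff"),   # broadcast from a 3565 source: still denied
]


def run(group: List[MacFilter]) -> List[Tuple[str, Optional[int]]]:
    return [evaluate(group, s, d) for s, d in FRAMES]


if __name__ == "__main__":
    print("with permit any:", run(GROUP_WITH_PERMIT))
    print("deny only:      ", run(GROUP_DENY_ONLY))
```

With the deny-only group the second frame, which nothing explicitly denies, is still dropped with no filter id, which is exactly what a port looks like after an operator applies a filter group and forgets the trailing permit.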
Displaying and modifying system parameter default settings
TABLE 31 System parameters in show default values command
This system parameter... Defines the maximum number of...
igmp-snoop-mcache – IGMP snooping cache entries
mld-snoop-mcache – MLD snooping cache entries
Modifying system parameter default values
Information for the configurable tables appears under the columns that are shown in bold type in the above examples.
Egress buffer thresholds for QoS priorities
NOTES:
• The terms QoS priority and traffic class are used interchangeably in this section and mean the same thing.
• Buffer threshold level-3 to maximum does not change the buffering behavior of the device.
The PowerConnect switch uses egress buffer threshold levels to dynamically adjust each port's egress queue (outbound transmit queue) based on QoS priority (traffic class) and jumbo frame support.
FIGURE 32 Egress buffer thresholds on PowerConnect devices (threshold levels from Minimum through Level 1 to Level 6 and Maximum)
Manually increasing buffer thresholds may be useful in situations where applications have intermittent bursts of oversubscription. For example, by increasing a port's egress buffer threshold, the PowerConnect switch is able to forward oversubscribed packets instead of dropping them.
Disabling and re-enabling the default settings for egress buffer thresholds
To stop the device from using the default settings for egress buffer thresholds, enter the following command.
PowerConnect(config)#no enable egress-buffer-default
This command disables the default values for all traffic classes on all ports.
Setting the egress buffer threshold for a specific QoS priority on a port or group of ports
NOTE
Be sure to disable the default settings before performing the tasks in this section. Refer to “Disabling and re-enabling the default settings for egress buffer thresholds”.
To set the egress buffer threshold for a specific QoS priority on a port, enter commands such as the following.
Link Fault Signaling (LFS) for 10G
Enabling LFS
To enable LFS between two 10 Gbps Ethernet devices, enter commands such as the following on both ends of the link.
PowerConnect(config)#interface e 1
PowerConnect(config-if-e10000-1)#link-fault-signal
Syntax: link-fault-signal
LFS is OFF by default.
Jumbo frame support
Ethernet traffic moves in units called frames. The maximum size of frames is called the Maximum Transmission Unit (MTU).
Chapter 8 Configuring Metro Features
Topology groups
A topology group is a named set of VLANs that share a Layer 2 topology. Topology groups simplify configuration and enhance scalability of Layer 2 protocols by allowing you to run a single instance of a Layer 2 protocol on multiple VLANs. You can use topology groups with the following Layer 2 protocols:
• STP
• MRP
• VSRP
• 802.
When a Layer 2 topology change occurs on a port in the master VLAN, the same change is applied to that port in all the member VLANs that contain the port. For example, if you configure a topology group whose master VLAN contains ports 1 and 2, a Layer 2 state change on port 1 applies to port 1 in all the member VLANs that contain that port. However, the state change does not affect port 1 in VLANs that are not members of the topology group.
PowerConnect(config)# topology-group 2
PowerConnect(config-topo-group-2)# master-vlan 2
PowerConnect(config-topo-group-2)# member-vlan 3
PowerConnect(config-topo-group-2)# member-vlan 4
PowerConnect(config-topo-group-2)# member-vlan 5
PowerConnect(config-topo-group-2)# member-group 2
These commands create topology group 2 and add the following:
• Master VLAN 2
• Member VLANs 3, 4, and 5
• Member VLAN group 2
Syntax: [no] topology-group
The parameter specifies the
Displaying STP information
To display STP information for a VLAN, enter a command such as the following.
PowerConnect# show span vlan 4
VLAN 4 BPDU cam_index is 14344 and the Master DMA Are(HEX) 18 1A
STP instance owned by VLAN 2
This example shows STP information for VLAN 4. The line "STP instance owned by VLAN 2" indicates that the VLAN's STP configuration is controlled by VLAN 2.
Metro Ring Protocol (MRP)
Metro Ring Protocol (MRP) was introduced in two phases:
• MRP Phase 1 is supported in all PowerConnect B-Series TI24X devices. Refer to “MRP rings without shared interfaces (MRP Phase 1)” on page 199.
• MRP Phase 2 is supported in PowerConnect B-Series TI24X devices. Refer to “MRP rings with shared interfaces (MRP Phase 2)” on page 200.
MRP prevents Layer 2 loops and provides fast reconvergence in Layer 2 ring topologies.
Figure 33 shows an example of an MRP metro ring.
FIGURE 33 Metro ring – normal state (Switch A is the master node; Switch B, Switch C and Switch D are member nodes; every ring interface is Forwarding (F) except one interface on the master node, which is Blocking (B) and blocks Layer 2 traffic to prevent a loop; each node also connects to a Customer A network)
The ring in this example consists of four MRP nodes. Each node has two interfaces with the ring. Each node also is connected to a separate customer network.
Configuration notes
• When you configure MRP, Dell recommends that you disable one of the ring interfaces before beginning the ring configuration. Disabling an interface prevents a Layer 2 loop from occurring while you are configuring MRP on the ring nodes. Once MRP is configured and enabled on all the nodes, you can re-enable the interface.
• MRP 1 and MRP 2 support are added for the PowerConnect B-Series TI24X devices.
MRP rings with shared interfaces (MRP Phase 2)
With MRP Phase 2, MRP rings can be configured to share the same interfaces as long as the interfaces belong to the same VLAN. Figure 35 shows examples of multiple MRP rings that share the same interface.
FIGURE 36 Interface IDs and types (Ring 1 and Ring 2 share Port1 on node S1 and Port2 on node S2, which carry both IDs 1,2; C = customer port)
For example, in Figure 36, the ID of all interfaces on all nodes on Ring 1 is 1 and the ID of all interfaces on all nodes on Ring 2 is 2. Port 1 on node S1 and Port 2 on S2 have the IDs 1 and 2 since the interfaces are shared by Rings 1 and 2. The ring ID is also used to determine an interface priority.
Ring initialization
The ring shown in Figure 33 shows the port states in a fully initialized ring without any broken links. Figure 37 shows the initial state of the ring, when MRP is first enabled on the ring switches. All ring interfaces on the master node and member nodes begin in the Preforwarding state (PF).
FIGURE 37 Metro ring – initial state (all ring ports on Switch A through Switch D start in the Preforwarding state)
RHP processing in MRP Phase 1
A ring interface can have one of the following MRP states:
• Preforwarding (PF) – The interface can forward RHPs but cannot forward data. All ring ports begin in this state when you enable MRP.
• Forwarding (F) – The interface can forward data as well as RHPs. An interface changes from Preforwarding to Forwarding when the port's preforwarding time expires.
FIGURE 38 Metro ring – from preforwarding to forwarding (the master node's secondary port receives RHP 1 and changes to Blocking; the primary port then sends RHP 2 with the forwarding bit on, and each port changes from Preforwarding to Forwarding when it receives this RHP)
Each RHP also has a sequence number.
FIGURE 39 Flow of RHP packets on MRP rings with shared interfaces (each ring's master node has a primary and a secondary interface: Port1 and Port2 on the Ring 1 master node, Port3 and Port4 on the Ring 2 master node; nodes S1 and S2 are shared by both rings)
Port 1 on the Ring 1 master node is the primary interface of the master node. The primary interface forwards an RHP packet on the ring.
FIGURE 40 Metro ring – ring break
If a break in the ring occurs, MRP heals the ring by changing the states of some of the ring interfaces:
• Blocking interface – The Blocking interface on the master node has a dead timer. If the dead time expires before the interface receives one of its ring RHPs, the interface changes state to Preforwarding.
When the broken link is repaired, the link interfaces come up in the Preforwarding state, which allows RHPs to travel through the restored interfaces and reach the secondary interface on the master node:
• If an RHP reaches the master node's secondary interface, the ring is intact. The secondary interface changes to Blocking. The master node sets the forwarding bit on in the next RHP. When the restored interfaces receive this RHP, they immediately change state to Forwarding.
Alarm RHP
Previously, detection of MRP ring breaks was completely timer based. An absence of Ring Health Packets (RHPs) for a period of 3 "hello times" indicated to the MRP master that the ring was broken. This initiated the transition to a topology change as described in the previous section. The convergence time associated with such an event could take several hundred milliseconds. Now, each MRP node is made a more active participant in detecting link failures.
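The timer-based behaviour described in the ring-break, repair and Alarm RHP passages above (secondary interface Blocking while RHPs arrive, Preforwarding after 3 missed hello times, Forwarding after the preforwarding time, back to Blocking when an RHP gets through again) can be checked against a small discrete-time model. The following is an added example, not Dell's code: a master node stepped one hello interval at a time, using the 200 ms hello and 400 ms preforwarding values from the "Changing the hello and preforwarding times" section. The ring-break schedule is constructed, and the rule that the secondary interface ignores an RHP whose sequence number is not newer than the last one it accepted is my assumption about how the sequence number is used, not something the text states.

```python
"""Discrete-time model of the MRP master node's RHP handling: the primary
interface sends a numbered RHP every hello time, the secondary interface
Blocks while RHPs arrive, and falls back to Preforwarding and then Forwarding
when the dead timer (3 hello times) expires.  Added example, not Dell code;
timer values follow the hello-time/preforwarding-time commands in this
chapter (200 ms and 400 ms) and the ring-break schedule is constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Rhp:
    seq: int
    forwarding: bool   # "forwarding bit": tells Preforwarding ports to go Forwarding


@dataclass
class MasterNode:
    hello_ms: int = 200
    preforwarding_ms: int = 400
    dead_hellos: int = 3
    secondary_state: str = "Preforwarding"
    seq: int = 0
    last_seq_seen: int = -1
    last_rhp_ms: int = 0             # time the secondary last accepted a ring RHP
    preforwarding_since_ms: int = 0
    next_forwarding_bit: bool = False
    log: List[Tuple[int, str]] = field(default_factory=list)

    def _set(self, now: int, state: str) -> None:
        if state != self.secondary_state:
            self.secondary_state = state
            self.log.append((now, state))

    def send_rhp(self) -> Rhp:
        """Primary interface: emit the next RHP; the forwarding bit is set once the ring is known intact."""
        self.seq += 1
        return Rhp(self.seq, self.next_forwarding_bit)

    def secondary_receives(self, now: int, rhp: Rhp) -> bool:
        """Secondary interface: accept only fresh sequence numbers (assumption:
        a replayed or stale RHP must not keep the ring looking healthy)."""
        if rhp.seq <= self.last_seq_seen:
            return False
        self.last_seq_seen = rhp.seq
        self.last_rhp_ms = now
        self._set(now, "Blocking")          # ring intact: block to prevent the loop
        self.next_forwarding_bit = True     # the next RHP carries the forwarding bit
        return True

    def tick(self, now: int, ring_intact: bool) -> str:
        """One hello interval.  Returns the secondary interface state after the tick."""
        rhp = self.send_rhp()
        if ring_intact:
            self.secondary_receives(now, rhp)
            return self.secondary_state
        # No RHP made it around the ring this interval: run the timers.
        if (self.secondary_state == "Blocking"
                and now - self.last_rhp_ms >= self.dead_hellos * self.hello_ms):
            self._set(now, "Preforwarding")   # dead timer expired
            self.preforwarding_since_ms = now
            self.next_forwarding_bit = False
        elif (self.secondary_state == "Preforwarding"
                and now - self.preforwarding_since_ms >= self.preforwarding_ms):
            self._set(now, "Forwarding")      # heal the ring through the secondary interface
        return self.secondary_state


def simulate(break_at_ms: int = 1000, repair_at_ms: int = 2200, end_ms: int = 2600) -> MasterNode:
    """Constructed schedule: ring intact, broken from break_at_ms, repaired at repair_at_ms."""
    node = MasterNode()
    for now in range(0, end_ms + 1, node.hello_ms):
        intact = not (break_at_ms <= now < repair_at_ms)
        node.tick(now, intact)
    return node


if __name__ == "__main__":
    for when, state in simulate().log:
        print(f"{when:5d} ms  secondary -> {state}")
```

With the last good RHP accepted at 800 ms and the break at 1000 ms, the dead timer fires at 1400 ms (3 hello times after the last RHP), the secondary interface goes Forwarding at 1800 ms (one preforwarding time later) and returns to Blocking as soon as an RHP gets through after the repair at 2200 ms. That 800 ms gap between the break and the healed ring is the "several hundreds of milliseconds" the Alarm RHP mechanism is meant to shorten.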
FIGURE 42 An MRP ring under normal operation (a) and after detection of a failure in the ring (b) (Master plus Switches B, C, D and E; labels: Blocked, Forwarding, RHP packet direction, Alarm RHP packet)
Master VLANs and customer VLANs
All the ring ports must be in the same VLAN. Placing the ring ports in the same VLAN provides Layer 2 connectivity for a given customer across the ring.
FIGURE 43 Metro ring – ring VLAN and customer VLANs
Switch B (ports 1 and 2 on the ring, port 3 to Customer A VLAN 30, port 4 to Customer B VLAN 40):
ring 1 interfaces 1, 2
topology group 2
master VLAN 2 (1,2)
member VLAN 30 (1,2,3)
member VLAN 40 (1,2,4)
Switch D (ports 1 and 2 on the ring, port 3 to Customer A VLAN 30, port 4 to Customer B VLAN 40):
ring 1 interfaces 1,1
topology group 2
master VLAN 2 (1,2)
member VLAN 30 (1,2,3)
member VLAN 40 (1,2,4)
Notice that each custom
In Figure 43, VLAN 2 is the master VLAN and contains the MRP configuration parameters for ring 1. VLAN 30 and VLAN 40, the customer VLANs, are member VLANs in the topology group. Since a topology group is used, a single instance of MRP provides redundancy and loop prevention for both the customer VLANs. If you use a topology group:
• The master VLAN must contain the ring interfaces. The ports must be tagged, since they will be shared by multiple VLANs.
PowerConnect(config)# vlan 2
PowerConnect(config-vlan-2)# metro-ring 1
PowerConnect(config-vlan-2-mrp-1)# name CustomerA
PowerConnect(config-vlan-2-mrp-1)# master
PowerConnect(config-vlan-2-mrp-1)# ring-interface ethernet 1 ethernet 2
PowerConnect(config-vlan-2-mrp-1)# enable
These commands configure an MRP ring on VLAN 2. The ring ID is 1, the ring name is CustomerA, and this node (this PowerConnect device) is the master for the ring. The ring interfaces are 1 and 2.
Changing the hello and preforwarding times
You also can change the RHP hello time and preforwarding time. To do so, enter commands such as the following.
PowerConnect(config-vlan-2-mrp-1)# hello-time 200
PowerConnect(config-vlan-2-mrp-1)# preforwarding-time 400
These commands change the hello time to 200 ms and change the preforwarding time to 400 ms.
Syntax: [no] hello-time
Syntax: [no] preforwarding-time
The parameter specifies the number of milliseconds.
PowerConnect# show metro 1 diag
Metro Ring 1 - CustomerA
=============
diagnostics results
Ring id                         2
Diag state                      enabled
Diag frame sent                 1230
RHP average time(microsec)      125
Recommended hello time(ms)      100
Recommended Prefwing time(ms)   300
Diag frame lost                 0
Syntax: show metro diag
This display shows the following information.
TABLE 33 CLI display of MRP ring diagnostic information
This field...   Displays...
Ring id         The ring ID.
PowerConnect# show metro
Metro Ring 1
=============
Ring   State     Ring     Master   Topo       Hello      Prefwing
id               role     vlan     group      time(ms)   time(ms)
2      enabled   member   2        not conf   100        300

Ring interfaces   Interface role   Forwarding state   Active interface   Interface Type
ethernet 1        primary          disabled           none               Regular
ethernet 2        secondary        forwarding         ethernet 2         Tunnel

RHPs sent   RHPs rcvd   TC RHPs rcvd   State changes
3           0           0              4
Syntax: show metro
This display shows the following information.
TABLE 34 CLI display of MRP ring information (Continued)
This field...      Displays...
Ring interfaces    The device's two interfaces with the ring.
                   NOTE: If the interfaces are trunk groups, only the primary ports of the groups are listed.
Interface role     The interface role can be one of the following:
                   • primary
                     • Master node – The interface generates RHPs.
Forwarding state
Active interface
Commands on Switch A (master node)
The following commands configure a VLAN for the ring. The ring VLAN must contain both of the node interfaces with the ring. Add these interfaces as tagged interfaces, since the interfaces also must be in each of the customer VLANs configured on the node.
8 Virtual Switch Redundancy Protocol (VSRP)
PowerConnect(config)# topology-group 1
PowerConnect(config-topo-group-1)# master-vlan 2
PowerConnect(config-topo-group-1)# member-vlan 30
PowerConnect(config-topo-group-1)# member-vlan 40
Commands on Switch C
PowerConnect(config)# vlan 2
PowerConnect(config-vlan-2)# tag ethernet 1 to 2
PowerConnect(config-vlan-2)# metro-ring 1
PowerConnect(config-vlan-2-mrp-1)# name “Metro A”
PowerConnect(config-vlan-2-mrp-1)# ring-interface ethernet 1 ethernet 2
PowerConnect(c
PowerConnect devices support full VSRP and VSRP-awareness. A PowerConnect device that is not itself configured for VSRP, but is connected to a PowerConnect device that is configured for VSRP, is VSRP aware. You can use VSRP for Layer 2, Layer 3, or for both layers. On Layer 3 Switches, Layer 2 and Layer 3 share the same VSRP configuration information. On Layer 2 Switches, VSRP applies only to Layer 2. Figure 44 shows an example of a VSRP configuration.
Configuration notes
• VSRP and 802.1Q-n-Q tagging are not supported together on the same device.
• VSRP and Super Aggregated VLANs are not supported together on the same device.
• VSRP does not work on a VLAN which has multicast enabled.
• PowerConnect devices support VSRP awareness, and VSRP-aware security features.
Each backup waits for a specific period of time, the dead interval, to receive a new hello message from the master. If the backup does not receive a hello message from the master by the time the dead interval expires, the backup sends a hello message of its own, which includes the backup's VSRP priority, to advertise the backup's intent to become the master. If there are multiple backups for the VRID, each backup sends a hello message.
FIGURE 45 VSRP priority (VSRP Master: configured priority = 100, actual priority = (100 - 0) * (3/3) = 100; VSRP Backup: configured priority = 100, actual priority = (100 - 0) * (3/3) = 100; an optional link joins master and backup; the master's links to the three VSRP-aware switches are F = forwarding, the backup's are B = blocking)
However, if one of the VRID ports goes down on one of the backups, that backup priority is reduced.
FIGURE 47 VSRP priority bias (VSRP Master: configured priority = 150, one of its three VRID links is down (X = link down), actual priority = 150 * (2/3) = 100; VSRP Backup: configured priority = 100, actual priority = (100 - 0) * (3/3) = 100; links to the three VSRP-aware switches shown as F = forwarding, B = blocking; optional link between master and backup)
Track ports
Optionally, you can configure track ports to be included during VSRP priority calculation.
FIGURE 48 Track port priority (VSRP Master: configured priority = 100, track priority 20, track port is up, actual priority = (100 - 0) * (3/3) = 100; VSRP Backup: configured priority = 100, actual priority = (100 - 0) * (3/3) = 100; links to the three VSRP-aware switches shown as F = forwarding, B = blocking; optional link between master and backup)
In Figure 48, the track port is up. Since the port is up, the track priority does not affect the VSRP priority calculation.
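The priority arithmetic shown in Figures 45, 47 and 48 (and in the Unit/Formula column of the show vsrp vrid display, for example (100-0)*(2.0/4.0)) together with the election rule that the highest priority becomes master, as an added worked example; this is not the switch's code. It assumes that the track penalty is the sum of the track priorities of track ports that are down, that the product is truncated to an integer, and that ties are left unresolved because the guide does not state a tie-breaker.

```python
"""VSRP actual-priority calculation and master election (added example).

Assumed formula, following the figures:
  actual = (configured - track_penalty) * (vrid_ports_up / vrid_ports_total)
where track_penalty is the sum of the track priorities of track ports that
are down (summing several down track ports is an assumption), the product is
truncated to an integer (assumption), and the device with the highest actual
priority is elected master; a tie returns None (tie-breaking not covered).
"""
from dataclasses import dataclass, field


@dataclass
class VsrpNode:
    name: str
    configured_priority: int = 100      # default backup priority is 100
    vrid_ports_total: int = 0           # ports in the VRID VLAN
    vrid_ports_up: int = 0              # how many of them are link-up
    # track port name -> (track priority, is_up); the track priority is
    # subtracted from the configured priority only while that port is down
    track_ports: dict = field(default_factory=dict)

    def track_penalty(self) -> int:
        return sum(prio for prio, up in self.track_ports.values() if not up)

    def actual_priority(self) -> int:
        if self.vrid_ports_total == 0:
            return 0
        base = max(self.configured_priority - self.track_penalty(), 0)
        return int(base * self.vrid_ports_up / self.vrid_ports_total)

    def formula(self) -> str:
        """Render the priority the way the show vsrp vrid display prints it."""
        return (f"({self.configured_priority}-{self.track_penalty()})"
                f"*({self.vrid_ports_up:.1f}/{self.vrid_ports_total:.1f})")


def elect_master(nodes):
    """Return the node with the highest actual priority, or None on a tie."""
    ranked = sorted(nodes, key=lambda n: n.actual_priority(), reverse=True)
    if len(ranked) > 1 and ranked[0].actual_priority() == ranked[1].actual_priority():
        return None
    return ranked[0] if ranked else None


# Figure 47: master configured 150 with one of three VRID ports down,
# backup configured 100 with all three ports up -> both end up at 100
figure47_master = VsrpNode("Master", 150, vrid_ports_total=3, vrid_ports_up=2)
figure47_backup = VsrpNode("Backup", 100, vrid_ports_total=3, vrid_ports_up=3)

# Figure 48: a track port (hypothetical name "e7") with track priority 20
# that is up changes nothing; once it goes down: (100-20)*(3/3) = 80
figure48_master = VsrpNode("Master", 100, 3, 3, track_ports={"e7": (20, True)})
figure48_master_down = VsrpNode("Master", 100, 3, 3, track_ports={"e7": (20, False)})

# show vsrp vrid 100 display: configured 100, current 50, (100-0)*(2.0/4.0)
show_vsrp_node = VsrpNode("vrid100", 100, vrid_ports_total=4, vrid_ports_up=2)

if __name__ == "__main__":
    for n in (figure47_master, figure47_backup, figure48_master_down, show_vsrp_node):
        print(f"{n.name:8} {n.formula():22} -> {n.actual_priority()}")
    winner = elect_master([figure47_master, figure47_backup])
    print("Figure 47 election:", winner.name if winner else "tie (priorities equal)")
```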
MAC address failover on VSRP-aware devices
VSRP-aware devices maintain a record of each VRID and its VLAN. When the device has received a hello message for a VRID in a given VLAN, the device creates a record for that VRID and VLAN and includes the port number in the record.
TABLE 35 VSRP parameters
Parameter                  Description                                                                     Default   See page...
Protocol                   VSRP state                                                                      Enabled   page 229
                           NOTE: On a Layer 3 Switch, you must disable VSRP to use VRRPE or VRRP.
Virtual Router ID (VRID)   The ID of the virtual switch you are creating by configuring multiple devices as redundant links. You must configure the same VRID on each device that you want to use to back up the links.
TABLE 35 VSRP parameters (Continued)
Parameter         Description                                                                     Default   See page...
VRID IP address   A gateway address you are backing up. Configuring an IP address provides VRRPE Layer 3 redundancy in addition to VSRP Layer 2 redundancy. The VRID IP address must be in the same subnet as a real IP address configured on the VSRP interface, but cannot be the same as a real IP address configured on the interface.
TABLE 35 VSRP parameters (Continued)
Parameter            Description                                                                     Default   See page...
Hold-down interval   The amount of time a backup that has sent a hello packet announcing its intent to become master waits before beginning to forward traffic for the VRID. The hold-down interval prevents Layer 2 loops from occurring during VSRP rapid failover. The interval can be from 1 – 84 seconds.
• Specify that the device is a backup. Since VSRP, like VRRPE, does not have an “owner”, all VSRP devices are backups. The active device for a VRID is elected based on the VRID priority, which is configurable.
• Activate the VRID.
The following example shows a simple VSRP configuration.
Timer scale
The VSRP hello interval, dead interval, backup hello interval, and hold-down interval timers are individually configurable. You also can easily change all the timers at the same time while preserving the ratios among their values. To do so, change the timer scale. The timer scale is a value used by the software to calculate the timers. The software divides a timer value by the timer scale value. By default, the scale is 1.
Configuring authentication
If the interfaces on which you configure the VRID use authentication, the VSRP packets on those interfaces also must use the same authentication. VSRP supports the following authentication types:
• No authentication – The interfaces do not use authentication. This is the default.
• Simple – The interfaces use a simple text-string as a password in packets sent on the interface.
Syntax: vsrp-aware vrid no-auth port-list
The vrid is a valid VRID (from 1 to 255).
no-auth specifies no authentication as the preferred VSRP-aware security method. The VSRP device will not accept incoming packets that have authentication strings.
simple-text-auth specifies the authentication string for accepting VSRP hello packets, where the string can be up to 8 characters.
or
Syntax: [no] ip address
Changing the backup priority
When you enter the backup command to configure the device as a VSRP backup for the VRID, you also can change the backup priority and the track priority:
• The backup priority is used for election of the master. The VSRP backup with the highest priority value for the VRID is elected as the master for that VRID. The default priority is 100.
By default, each backup saves the configured timer values to its startup-config file when you save the device configuration. You can configure a backup to instead save the current timer values received from the master when you save the configuration. Saving the current timer values instead of the configured ones helps ensure consistent timer usage for all the VRID devices.
NOTE
If you change the timer scale, the change affects the actual number of seconds.
Changing the dead interval
The dead interval is the number of seconds a backup waits for a hello message from the master before determining that the master is dead. The default is 3 seconds. This is three times the default hello interval. To change the dead interval, enter a command such as the following at the configuration level for the VRID.
PowerConnect(config-vlan-200-vrid-1)# hold-down-interval 4
Syntax: [no] hold-down-interval
The parameter specifies the hold-down interval and can be from 1 – 84 seconds. The default is 2 seconds.
NOTE
If you change the timer scale, the change affects the actual number of seconds.
Disabling or re-enabling backup pre-emption
By default, a backup that has a higher priority than another backup that has become the master can preempt the master, and take over the role of master. If you want to prevent this behavior, disable preemption. Preemption applies only to backups and takes effect only when the master has failed and a backup has assumed ownership of the VRID.
Syntax: vsrp-aware vrid tc-vlan-flush
When this command is enabled, MAC addresses will be flushed at the VLAN level, instead of at the port level. MAC addresses will be flushed for every topology change (TC) received on the VSRP-aware ports. When this command is enabled, the results of the show vsrp-aware vlan command resemble the following.
TABLE 36 CLI display of VSRP VRID or VLAN information
This field...                           Displays...
Total number of VSRP routers defined    The total number of VRIDs configured on this device.
VLAN                                    The VLAN on which VSRP is configured.
auth-type                               The authentication type in effect on the ports in the VSRP VLAN.
VRID parameters
VRID                                    The VRID for which the following information is displayed.
state                                   This device's VSRP state for the VRID.
TABLE 36 CLI display of VSRP VRID or VLAN information (Continued)
This field...   Displays...
dead-interval   The configured value for the dead interval. The dead interval is the number of seconds a backup waits for a hello message from the master for the VRID before determining that the master is no longer active.
TABLE 37 CLI display of VSRP-aware information (Continued)
This field...   Displays...
VRID            The VRID.
Last Port       The most recent active port connection to the VRID. This is the port connected to the current master. If a failover occurs, the VSRP-aware device changes the port to the port connected to the new master. The VSRP-aware device uses this port to send and receive data through the backed up node.
PowerConnect# show vsrp vrid 100
VLAN 100
auth-type no authentication
VRID 100
========
State     Administrative-status   Advertise-backup   Preempt-mode   save-current
master    enabled                 disabled           true           false

Parameter        Configured   Current   Unit/Formula
priority         100          50        (100-0)*(2.0/4.0)
hello-interval   1            1         sec/1
dead-interval    3            3         sec/1
hold-interval    3            3         sec/1
initial-ttl      2            2         hops
next hello sent in 00:00:00.
If a VSRP failover from master to backup occurs, VSRP needs to inform MRP of the topology change; otherwise, data from the host continues along the obsolete learned path and never reaches the VSRP-linked device, as shown in Figure 51.
There are no CLI commands used to configure this process.
Chapter 9 Configuring Uni-Directional Link Detection (UDLD) and Protected Link Groups
UDLD overview
Uni-Directional Link Detection (UDLD) monitors a link between two devices and brings the ports on both ends of the link down if the link goes down at any point between the two devices. This feature is useful for links that are individual ports and for trunk links. Figure 53 shows an example.
FIGURE 53 UDLD example (without link keepalive, the ports remain enabled)
Ports enabled for UDLD exchange proprietary health-check packets once every second (the keepalive interval). If a port does not receive a health-check packet from the port at the other end of the link within the keepalive interval, the port waits for two more intervals. If the port still does not receive a health-check packet after waiting for three intervals, the port concludes that the link has failed and takes the port down.
Changing the keepalive retries
By default, a port waits one second to receive a health-check reply packet from the port at the other end of the link. If the port does not receive a reply, the port tries four more times by sending up to four more health-check packets. If the port still does not receive a reply after the maximum number of retries, the port goes down. You can change the maximum number of keepalive attempts to a value from 3 – 64.
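The keepalive behaviour described in the UDLD overview (one health-check per interval, link taken down after the retry budget is exhausted) as an added simulation, plus a check over a constructed show link-keepalive display that flags ports whose physical link is up but whose logical link UDLD has taken down. This is example code, not the switch's implementation; it assumes discrete one-interval ticks, that the miss counter resets when a packet arrives, that a port recovers when health-checks resume, and a default of 3 retries as shown in the display.

```python
"""UDLD (link keepalive) failure detection (added example, not the switch's
code).  A port expects one health-check packet per keepalive interval and
takes the logical link down after missing 'retries' intervals in a row.

Assumptions: intervals are discrete ticks; the miss counter resets whenever a
packet arrives; a port that was taken down comes back up when health-checks
resume (the guide does not spell out the recovery rule); default retries = 3,
matching the 'Keepalive Retries: 3' line of the show link-keepalive display.
"""
from dataclasses import dataclass


@dataclass
class UdldPort:
    port: int
    retries: int = 3          # configurable from 3 to 64 per the guide
    interval_s: int = 1       # keepalive interval in seconds
    missed: int = 0           # consecutive intervals without a health-check
    logical_link: str = "up"
    state: str = "FORWARDING"

    def tick(self, received: bool) -> str:
        """Advance one keepalive interval and return the resulting state."""
        if received:
            self.missed = 0
            if self.logical_link == "down":      # recovery rule (assumption)
                self.logical_link, self.state = "up", "FORWARDING"
            return self.state
        self.missed += 1
        if self.missed >= self.retries and self.logical_link == "up":
            self.logical_link, self.state = "down", "DISABLED"
        return self.state

    def detection_time_s(self) -> int:
        """Worst-case time from the last good packet to taking the link down."""
        return self.retries * self.interval_s


def run(port: UdldPort, pattern: str) -> list:
    """Feed a pattern such as 'RR...R' (R = packet received, . = missed)
    and return the port state after each interval."""
    return [port.tick(ch == "R") for ch in pattern]


# Constructed sample of the show link-keepalive display (layout from the
# guide; the port values are invented for this example).
SAMPLE_SHOW_OUTPUT = """\
Total link-keepalive enabled ports: 4
Keepalive Retries: 3   Keepalive Interval: 1 Sec.
Port   Physical Link   Logical Link   State        Link-vlan
1      up              up             FORWARDING
2      up              up             FORWARDING
3      down            down           DISABLED
4      up              down           DISABLED     3
"""


def unidirectional_suspects(show_output: str) -> list:
    """Ports whose physical link is up but whose logical link UDLD has taken
    down: the signature of a one-way link or of a neighbour that stopped
    answering health-checks, which is what a monitoring check should alert on."""
    suspects = []
    for line in show_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0].isdigit():
            port, physical, logical = int(cols[0]), cols[1], cols[2]
            if physical == "up" and logical == "down":
                suspects.append(port)
    return suspects


if __name__ == "__main__":
    p = UdldPort(port=4)
    print(run(p, "RR...R"))
    print("detection time (s):", p.detection_time_s())
    print("physical up / logical down:", unidirectional_suspects(SAMPLE_SHOW_OUTPUT))
```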
PowerConnect#show link-keepalive
Total link-keepalive enabled ports: 4
Keepalive Retries: 3   Keepalive Interval: 1 Sec.
Port   Physical Link   Logical Link   State        Link-vlan
1      up              up             FORWARDING
2      up              up             FORWARDING
3      down            down           DISABLED
4      up              down           DISABLED     3
Syntax: show link-keepalive
TABLE 38 CLI display of UDLD information
This field...                        Displays...
Total link-keepalive enabled ports   The total number of ports on which UDLD is enabled.
Syntax: show link-keepalive [ethernet]
TABLE 39 CLI display of detailed UDLD information
This field...     Displays...
Current State     The state of the logical link. This is the link between this port and the port on the other end of the link.
Remote MAC Addr   The MAC address of the port or device at the remote end of the logical link.
Local Port        The port number on this device.
Remote Port       The port number on the device at the remote end of the link.
Syntax: clear link-keepalive statistics
This command clears the Packets sent, Packets received, and Transitions counters in the show link-keepalive ethernet display.
Chapter 10 Configuring Virtual LANs (VLANs)
VLAN overview
The following sections provide details about the VLAN types and features supported on the PowerConnect B-Series TI24X family of switches.
Types of VLANs
This section describes the VLAN types supported on devices.
VLAN support on PowerConnect devices
The first software release for the PowerConnect B-Series TI24X supports Layer 2 port-based VLANs only.
Figure 54 shows an example of a device on which a Layer 2 port-based VLAN has been configured.
FIGURE 54 Device containing user-defined Layer 2 port-based VLAN (DEFAULT-VLAN, VLAN ID = 1, alongside a user-configured Layer 2 port-based VLAN)
When you add a port-based VLAN, the device removes all the ports in the new VLAN from DEFAULT-VLAN.
• NetBIOS – The device sends NetBIOS broadcasts to all ports within the NetBIOS protocol VLAN.
• Other – The device sends broadcasts for all protocol types other than those listed above to all ports within the VLAN.
Figure 55 shows an example of Layer 3 protocol VLANs configured within a Layer 2 port-based VLAN.
Integrated Switch Routing (ISR)
The Integrated Switch Routing (ISR) feature enables VLANs configured on Layer 3 Switches to route Layer 3 traffic from one protocol VLAN or IP subnet, IPX network, or AppleTalk cable VLAN to another. Normally, to route traffic from one IP subnet, IPX network, or AppleTalk cable VLAN to another, you would need to forward the traffic to an external router.
NOTE
The Layer 3 Switch routes packets between VLANs of the same protocol. The Layer 3 Switch cannot route from one protocol to another.
NOTE
IP subnet VLANs are not the same thing as IP protocol VLANs. An IP protocol VLAN sends all IP broadcasts on the ports within the IP protocol VLAN. An IP subnet VLAN sends only the IP subnet broadcasts for the subnet of the VLAN. You cannot configure an IP protocol VLAN and an IP subnet VLAN within the same port-based VLAN.
When you configure a port-based VLAN, one of the configuration items you provide is the ports that are in the VLAN. When you configure the VLAN, the device automatically removes the ports that you place in the VLAN from DEFAULT-VLAN. By removing the ports from the default VLAN, the device ensures that each port resides in only one Layer 2 broadcast domain.
NOTE
Information for the default VLAN is available only after you define another VLAN.
FIGURE 57 Packet containing a 802.1Q VLAN tag
Untagged Packet Format
Ethernet II: Destination Address (6 bytes) | Source Address (6 bytes) | Type Field (2 bytes) | Data Field (up to 1500 bytes) | CRC (4 bytes)
IEEE 802.3:  Destination Address (6 bytes) | Source Address (6 bytes) | Length Field (2 bytes) | Data Field (up to 1496 bytes) | CRC (4 bytes)
802.1q Tagged Packet Format
Destination Address (6 bytes) | Source Address (6 bytes) | 802.
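A parser for the three frame layouts of Figure 57 (Ethernet II, IEEE 802.3 and 802.1Q-tagged), added here as an example; it is not code from the guide. It goes slightly beyond the figure by decoding the tag's PCP, DEI and VID fields (TPID 0x8100 and the 16-bit TCI layout are assumed from the 802.1Q standard), treats a type/length value of 1500 or less as an 802.3 length, and assumes the 4-byte CRC has already been stripped.

```python
"""Parse untagged Ethernet II / IEEE 802.3 frames and 802.1Q-tagged frames
(added example, not code from the guide).

Assumptions beyond Figure 57: the 802.1Q tag starts with TPID 0x8100 and
carries a 16-bit TCI (3-bit PCP, 1-bit DEI, 12-bit VID); a type/length field
of 1500 or less is an 802.3 length, larger values are Ethernet II types; the
trailing CRC is assumed to have been stripped and is not checked.
"""
import struct

TPID_8021Q = 0x8100
MAX_8023_LENGTH = 1500


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, optional VLAN tag, type/length and data."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlan = None
    (type_or_tpid,) = struct.unpack_from("!H", frame, offset)
    if type_or_tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag present but frame is truncated")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset += 4                      # skip TPID + TCI
        (type_or_tpid,) = struct.unpack_from("!H", frame, offset)
    offset += 2                          # skip the Type/Length field
    if type_or_tpid <= MAX_8023_LENGTH:
        encapsulation, length, ethertype = "IEEE 802.3", type_or_tpid, None
    else:
        encapsulation, length, ethertype = "Ethernet II", None, type_or_tpid
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "tagged": vlan is not None, "vlan": vlan,
        "encapsulation": encapsulation, "ethertype": ethertype,
        "length": length, "payload": frame[offset:],
    }


def build_frame(dst, src, ethertype_or_len, payload, vid=None, pcp=0, dei=0):
    """Inverse of parse_frame, used to construct sample frames for the demo."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype_or_len) + payload


if __name__ == "__main__":
    # constructed frames: a tagged IPv4 frame on VLAN 30 and an untagged 802.3 frame
    tagged = build_frame("01:80:c2:00:00:00", "00:11:22:33:44:55",
                         0x0800, b"\x45" * 20, vid=30, pcp=5)
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 46, b"\xaa" * 46)
    for f in (tagged, untagged):
        print(parse_frame(f))
```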
FIGURE 58 VLANs configured across multiple devices (two devices, each with user-configured port-based VLANs; T = 802.1Q tagged port; the Segment 1 ports on both devices are tagged, the Segment 2 ports are not)
Tagging is required for the ports on Segment 1 because the ports are in multiple port-based VLANs. Tagging is not required for the ports on Segment 2 because each port is in only one port-based VLAN. Without tagging, a device receiving VLAN traffic from the other device would not be sure which VLAN the traffic is for.
• Port-based VLAN – Affects all ports within the specified port-based VLAN.
STP is a Layer 2 protocol. Thus, you cannot enable or disable STP for individual protocol VLANs or for IP subnet, IPX network, or AppleTalk cable VLANs. The STP state of a port-based VLAN containing these other types of VLANs determines the STP state for all the Layer 2 broadcasts within the port-based VLAN. This is true even though Layer 3 protocol broadcasts are sent on Layer 2 within the VLAN.
FIGURE 59 Use virtual routing interfaces for routing between Layer 3 protocol VLANs (a user-configured port-based VLAN containing user-configured protocol VLANs, IP sub-net VLANs, IPX network VLANs or AppleTalk cable VLANs, each with its own virtual interface VE 1 through VE 4; VE = virtual interface, “VE” stands for “Virtual Ethernet”)
Layer 2 and Layer 3 traffic within a VLAN is bridged at Layer 2. Layer 3 traffic between protocol VLANs is routed using virtual interfaces (VE).
Dynamic, static, and excluded port membership
When you add ports to a protocol VLAN, IP subnet VLAN, IPX network VLAN, or AppleTalk cable VLAN, you can add them dynamically or statically:
• Dynamic ports
• Static ports
You also can explicitly exclude ports.
Dynamic ports
Dynamic ports are added to a VLAN when you create the VLAN. However, if a dynamically added port does not receive any traffic for the VLAN protocol within ten minutes, the port is removed from the VLAN.
Ports in a new protocol VLAN that do not receive traffic for the VLAN protocol age out after 10 minutes and become candidate ports. Figure 61 shows what happens if a candidate port receives traffic for the VLAN protocol.
Routing between VLANs
Broadcast leaks
A dynamic port becomes a member of a Layer 3 protocol VLAN when traffic from the VLAN's protocol is received on the port. After this point, the port remains an active member of the protocol VLAN, unless the port does not receive traffic from the VLAN's protocol for 20 minutes. If the port does not receive traffic for the VLAN's protocol for 20 minutes, the port ages out and is no longer an active member of the VLAN.
If you do not need to further partition the port-based VLAN by defining separate Layer 3 VLANs, you can define a single virtual routing interface at the port-based VLAN level and enable IP, IPX, and AppleTalk routing on a single virtual routing interface. Some configurations may require simultaneous switching and routing of the same single protocol across different sets of ports on the same router.
There is a separate STP domain for each port-based VLAN. Routing occurs independently across port-based VLANs or STP domains. You can define each end of each backbone link as a separate tagged port-based VLAN. Routing will occur independently across the port-based VLANs. Because each port-based VLAN STP domain is a single point-to-point backbone connection, you are guaranteed to never have an STP loop.
NOTE
You must save the configuration (write mem) and reload the software to place the change into effect.
The above configuration changes the VLAN ID of 4091 to 10. After saving the configuration and reloading the software, you can configure VLAN 4091 as you would any other VLAN.
Syntax: [no] reserved-vlan-map vlan 4091 | 4092 new-vlan
For new-vlan, enter a valid VLAN ID that is not already in use.
Configuring port-based VLANs
Port-based VLANs allow you to provide separate spanning tree protocol (STP) domains or broadcast domains on a port-by-port basis. This section describes how to perform the following tasks for port-based VLANs using the CLI:
• Create a VLAN
• Delete a VLAN
• Modify a VLAN
• Change a VLAN priority
• Enable or disable STP on the VLAN
Example 1
Figure 62 shows a simple port-based VLAN configuration using a single Layer 2 Switch.
Example 2
Example 2 figure (residue of the topology diagram): Device; IP Subnet1, IPX Net 1, Atalk 100.1 Zone “A”; IP Subnet2, IPX Net 2, Atalk 200.1 Zone “B”; IP Subnet4, IPX Net 4, Atalk 400.1 Zone “D”; Port17 and Port18; ROOT BRIDGE FOR VLAN - BROWN; VLAN - GREEN; = STP Blocked VLAN; IP Subnet3, IPX Net 3, Atalk 300.
PowerConnect-A(config-vlan-5)# spanning-tree
PowerConnect-A(config-vlan-5)# spanning-tree priority 500
PowerConnect-A(config-vlan-5)# end
PowerConnect-A# write memory
Configuring device-B
Enter the following commands to configure device-B.
Syntax: spanning-tree [ethernet path-cost priority ] forward-delay hello-time maximum-age
PowerConnect-A(config-vlan-4)# no untag ethernet 11
deleted port ethe 11 from port-vlan 4.
PowerConnect-A(config-vlan-4)#
4. Enter the following commands to exit the VLAN CONFIG mode and save the configuration to the system-config file on flash memory.
PowerConnect-A(config-vlan-4)# end
PowerConnect-A# write memory
You can remove all the ports from a port-based VLAN without losing the rest of the VLAN configuration.
Configuring IP subnet, IPX network and protocol-based VLANs
NOTE
You do not need to configure values for the STP parameters. All parameters have default values as noted below. Additionally, all values will be globally applied to all ports on the system or on the port-based VLAN for which they are defined. To configure a specific path-cost or priority value for a given port, enter those values using the key words in the brackets [ ] shown in the syntax summary below.
Also suppose you want a single router interface to be present within all of these separate broadcast domains, without using IEEE 802.1Q VLAN tagging or any proprietary form of VLAN tagging. Figure 63 shows this configuration.
Configuring an IPv6 protocol VLAN
PowerConnect(config-ip-subnet)# ipx-network 1 ethernet_802.3 name Blue
PowerConnect(config-ipx-network)# no dynamic
PowerConnect(config-ipx-network)# static ethernet 1 to 12 ethernet 25
PowerConnect(config-ipx-network)#
5. To permanently assign ports 12 – 25 to the AppleTalk VLAN, enter the following commands.
Routing between VLANs using virtual routing interfaces (Layer 3 Switches only)
Layer 3 Switches offer the ability to create a virtual routing interface within a Layer 2 STP port-based VLAN or within each Layer 3 protocol, IP subnet, or IPX network VLAN.
FIGURE 64 Routing between protocol-based VLANs (Building 1: Device-A with Vlan2, Vlan3, Vlan4 and Vlan8; Building 2: Device-B with Vlan2, Vlan3, Vlan4 and Vlan8; Building 3: Device-C with Vlan2, Vlan3, Vlan4 and Vlan8; virtual interfaces V4 through V7 carrying IP/IPX; = STP Blocked VLAN)
To configure the Layer 3 VLANs and virtual routing interfaces on the Layer 3 Switch in Figure 64
PowerConnect-A(config-ospf-router)# vlan 2 name IP-Subnet_1.1.2.
PowerConnect-A(config-vlan-4)# router-interface ve5
PowerConnect-A(config-vlan-4)# int ve5
PowerConnect-A(config-vif-5)# ip address 1.1.3.1/24
PowerConnect-A(config-vif-5)# ip ospf area 0.0.0.0
PowerConnect-A(config-vif-5)# ipx network 3 ethernet_802.3
PowerConnect-A(config-vif-5)#
It is time to configure a separate port-based VLAN for each of the routed backbone ports (Ethernet 25 and 26).
PowerConnect-B(config-ospf-router)# vlan 2 name IP-Subnet_1.1.6.
Configuration for device-C
Enter the following commands to configure device-C.
PowerConnect> en
No password has been assigned yet...
PowerConnect# config t
PowerConnect(config)# hostname PowerConnect-C
PowerConnect-C(config)# router ospf
PowerConnect-C(config-ospf-router)# area 0.0.0.0 normal
PowerConnect-C(config-ospf-router)# router ipx
PowerConnect-C(config-ospf-router)# vlan 2 name IP-Subnet_1.1.9.
Configuring uplink ports within a port-based VLAN
PowerConnect-C(config-vif-5)# ip addr 1.1.8.2/24
PowerConnect-C(config-vif-5)# ip ospf area 0.0.0.0
PowerConnect-C(config-vif-5)# ipx network 8 ethernet_802.3
PowerConnect-C(config-vif-5)# int ve6
PowerConnect-C(config-vif-6)# ip addr 1.1.5.2/24
PowerConnect-C(config-vif-6)# ip ospf area 0.0.0.0
PowerConnect-C(config-vif-6)# ipx network 5 ethernet_802.
Configuring the same IP subnet address on multiple port-based VLANs
For a device to route between port-based VLANs, you must add a virtual routing interface to each VLAN. Generally, you also configure a unique IP subnet address on each virtual routing interface. For example, if you have three port-based VLANs, you add a virtual routing interface to each VLAN, then add a separate IP subnet address to each virtual routing interface.
FIGURE 66 Multiple port-based VLANs with the same protocol address (Switch with VLAN 2: VE 1 - IP 10.0.0.1/24; VLAN 3: VE 2 - Follow VE 1; VLAN 4: VE 3 - Follow VE 1)
Each VLAN still requires a separate virtual routing interface. However, all three VLANs now use the same IP subnet address. In addition to conserving IP subnet addresses, this feature allows containment of Layer 2 broadcasts to segments within an IP subnet.
• If the destination is in the same VLAN as the source, the device does not need to perform a proxy ARP.
To configure multiple VLANs to use the same IP subnet address:
• Configure each VLAN, including adding tagged or untagged ports.
• Configure a separate virtual routing interface for each VLAN, but do not add an IP subnet address to more than one of the virtual routing interfaces.
Configuring VLAN groups and virtual routing interface groups
NOTE
On PowerConnect B-Series TI24X devices, VLAN groups are supported.
To simplify configuration when you have many VLANs with the same configuration, you can configure VLAN groups and virtual routing interface groups.
NOTE
VLAN groups are supported on Layer 3 Switches and Layer 2 Switches. Virtual routing interface groups are supported only on Layer 3 Switches.
The parameter with the vlan-group command specifies the VLAN group ID and can be from 1 – 32. The vlan to parameters specify a contiguous range (a range with no gaps) of individual VLAN IDs. Specify the low VLAN ID first and the high VLAN ID second. The command adds all the specified VLANs to the VLAN group.
Configuring a virtual routing interface group
A virtual routing interface group allows you to associate the same IP subnet interface with multiple port-based VLANs. For example, if you associate a virtual routing interface group with a VLAN group, all the VLANs in the group have the IP interface of the virtual routing interface group.
10 Configuring VLAN groups and virtual routing interface groups The syntax and usage for the ip address command is the same as when you use the command at the interface level to add an IP interface. Displaying the VLAN group and virtual routing interface group information To verify configuration of VLAN groups and virtual routing interface groups, display the running-config file.
Configuring super aggregated VLANs 10 Increasing the number of VLANs you can configure NOTE Although you can specify up to 4095 VLANs, you can configure only 4094 VLANs. VLAN ID 4094 is reserved for use by the Single Spanning Tree feature. To increase the maximum number of VLANs you can configure, enter commands such as the following at the global CONFIG level of the CLI.
Configuring super aggregated VLANs
Figure 67 shows a conceptual picture of the service that aggregated VLANs provide. Aggregated VLANs provide a path for multiple client channels. The channels do not receive traffic from other channels. Thus, each channel is a private link.
FIGURE 67 Conceptual model of the super aggregated VLAN application (figure: Client 1, Client 3 and Client 5 on each side of the aggregated path; the address of Client 1 begins 192.168.1. and is cut off)
FIGURE 68 Example of a super aggregated VLAN application (figure: on one edge device, Client 1 on Port 1 in VLAN 101, Client 3 on Port 3 in VLAN 103 and Client 5 on Port 5 in VLAN 105; on the other edge device, Client 6 on Port 1 in VLAN 101, Client 8 on Port 3 in VLAN 103 and Client 10 on Port 5 in VLAN 105; Client 1 is 192.168.1.69/24; the next address begins 209.157.2. and is cut off)
Configuration note
• Super Aggregated VLANs and VSRP are not supported together on the same device.
Configuring aggregated VLANs
To configure aggregated VLANs, perform the following tasks:
• On each edge device, configure a separate port-based VLAN for each client connected to the edge device. In each client VLAN:
• Add the port connected to the client as an untagged port.
PowerConnect(config-vlan-105)# tagged ethernet 6
PowerConnect(config-vlan-105)# untagged ethernet 5
PowerConnect(config-vlan-105)# exit
PowerConnect(config)# write memory
Syntax: [no] vlan [by port]
Syntax: [no] tagged ethernet [to | ethernet ]
Syntax: [no] untagged ethernet [to | ethernet ]
Use the tagged command to add the port that the device uses for the uplink to the core device.
NOTE In these examples, the configurations of the edge devices (A, B, E, and F) are identical. The configurations of the core devices (C and D) also are identical. The aggregated VLAN configurations of the edge and core devices on one side must be symmetrical (in fact, a mirror image) to the configurations of the devices on the other side. For simplicity, the example in Figure 68 on page 291 is symmetrical in terms of the port numbers.
PowerConnectB(config)# vlan 105 by port
PowerConnectB(config-vlan-105)# tagged ethernet 6
PowerConnectB(config-vlan-105)# untagged ethernet 5
PowerConnectB(config-vlan-105)# exit
PowerConnectB(config)# write memory
Commands for device C
Since device C is aggregating channel VLANs from devices A and B into a single path, you need to change the tag type and enable VLAN aggregation.
Configuring 802.1Q-in-Q tagging
FIGURE 69 (figure: a Provider Edge Switch; the port to the customer interface is untagged and has tag-type 9100 configured, while the uplink to the provider cloud uses the default tag-type 8100; a frame arriving from the customer with DA, SA and an 8100 Customer VLAN tag is treated as untagged and leaves the uplink tagged with an 8100 Provider VLAN tag outside the 8100 Customer VLAN tag)
In Figure 69, the untagged ports (to customer interfaces) accept frames that have any 802.1Q tag other than the configured tag-type 9100.
To configure 802.1Q-in-Q tagging as shown in Figure 70, enter commands such as the following on the untagged edge links of devices C and D.
PowerConnect(config)# tag-type 9100 e 11 to 12
Syntax: [no] tag-type [ethernet [to ]]
The parameter specifies the tag-type number and can be a hexadecimal value from 0 - ffff. The default is 8100.
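The tag-type rule above (a port recognizes only its configured TPID as a VLAN tag, so an 8100-tagged customer frame is "untagged" to a 9100 port) is easy to get wrong when inspecting captures. The following Python is an added illustration written for this guide's text, not Dell or Brocade code: it parses stacked 802.1Q tags with a configurable set of accepted TPIDs, classifies a frame the way a port with a given tag-type would, and pushes or pops the provider tag. The customer frame is constructed for the example (MAC addresses and VLAN IDs are made up).

```python
import struct

DEFAULT_TAG_TYPE = 0x8100   # default tag-type on every port
PROVIDER_TAG_TYPE = 0x9100  # tag-type configured on the customer-facing edge links


def split_tags(frame: bytes, accepted_tag_types):
    """Split an Ethernet frame into (dst, src, tags, ethertype, payload).

    tags is a list of (tpid, pcp, vid), outermost first. A tag is only
    recognized when its TPID is in accepted_tag_types; the first two-byte
    value that is not an accepted TPID is reported as the ethertype, which
    is exactly how a port configured for a single tag-type sees the frame.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    off = 12
    tags = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in accepted_tag_types:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tpid, tci >> 13, tci & 0x0FFF))  # PCP in the top 3 bits, VID in the low 12
        off += 4
    return dst, src, tags, tpid, frame[off + 2:]


def classify_on_port(frame: bytes, port_tag_type: int) -> str:
    """'tagged' if the outermost TPID equals the port's tag-type, else 'untagged'."""
    _, _, tags, _, _ = split_tags(frame, {port_tag_type})
    return "tagged" if tags else "untagged"


def push_tag(frame: bytes, vid: int, tpid: int = PROVIDER_TAG_TYPE, pcp: int = 0) -> bytes:
    """Insert an outer tag after the MAC addresses (what the edge does toward the core)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes, tpid: int = PROVIDER_TAG_TYPE) -> bytes:
    """Remove the outer tag if its TPID matches; otherwise return the frame unchanged."""
    if struct.unpack_from("!H", frame, 12)[0] == tpid:
        return frame[:12] + frame[16:]
    return frame


# Constructed sample: a customer frame carrying the default TPID 8100 with VLAN 101,
# followed by an IPv4 ethertype and a zero-filled 20-byte payload.
CUSTOMER_FRAME = (
    bytes.fromhex("0000000000aa") + bytes.fromhex("0000000000bb")
    + struct.pack("!HH", DEFAULT_TAG_TYPE, 101)
    + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
)

if __name__ == "__main__":
    qinq = push_tag(CUSTOMER_FRAME, 200)  # provider edge adds 9100 tag, VLAN 200
    print(classify_on_port(CUSTOMER_FRAME, PROVIDER_TAG_TYPE))       # untagged
    print(split_tags(qinq, {DEFAULT_TAG_TYPE, PROVIDER_TAG_TYPE})[2])  # both tags
```

Run stand-alone it prints the classification of the customer frame at a 9100 port and the two stacked tags of the frame on the core side; a capture tool that only knows 0x8100 will show the 0x9100 outer tag as an unknown ethertype, which is what `split_tags(qinq, {DEFAULT_TAG_TYPE})` returns.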
FIGURE 70 Example 802.1Q-in-Q configuration (figure: Client 1 on Port1 in VLAN 101, Client 3 on Port3 in VLAN 103 and Client 5 on Port5 in VLAN 105 on one side; Client 6 on Port1 in VLAN 101, Client 8 on Port3 in VLAN 103 and Client 10 on Port5 in VLAN 105 on the other; Client 1 is 192.168.1.69/24; the address of Client 5 begins 209.157.2. and is cut off)
Configuring private VLANs
A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but also provides additional control over flooding packets on a VLAN. Figure 71 shows an example of an application using a private VLAN.
FIGURE 71 Private VLAN used to secure communication between a workstation and servers
A private VLAN secures traffic between a primary port and host ports.
• Secondary – Secondary private VLANs are secure VLANs that are separated from the rest of the network by the primary private VLAN. Every secondary private VLAN is associated with a primary private VLAN. The two types of secondary private VLANs are isolated private VLAN and community private VLAN.
• Isolated – Broadcast and unknown-unicast packets received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
• PowerConnect B-Series TI24X devices forward all known unicast traffic in hardware. On PowerConnect B-Series TI24X devices, multiple MAC entries do not appear in the MAC address table because the PowerConnect B-Series TI24X transparently manages multiple MAC entries in hardware.
• You can configure private VLANs and dual-mode VLAN ports on the same device. However, the dual-mode VLAN ports cannot be members of private VLANs.
Configuring an isolated or community private VLAN
To configure a community private VLAN, enter commands such as the following.
PowerConnect(config)# vlan 901
PowerConnect(config-vlan-901)# untagged ethernet 5 to 6
PowerConnect(config-vlan-901)# pvlan type community
These commands create port-based VLAN 901, add ports 5 and 6 to the VLAN as untagged ports, then specify that the VLAN is a community private VLAN.
The pvlan mapping command identifies the other private VLANs for which this VLAN is the primary. The command also specifies the primary VLAN ports to which you are mapping the other private VLANs. The parameters of the pvlan mapping command are as follows:
• The parameter specifies another private VLAN. The other private VLAN you want to specify must already be configured.
Syntax: [no] pvlan preference broadcast | unknown-unicast
These commands enable forwarding of broadcast, unregistered multicast flood, and unknown-unicast packets to ports within the private VLAN.
Dual-mode VLAN ports
Configuring a tagged port as a dual-mode port allows it to accept and transmit both tagged traffic and untagged traffic at the same time.
You can configure a dual-mode port to transmit traffic for a specified VLAN (other than the DEFAULT-VLAN) as untagged, while transmitting traffic for other VLANs as tagged. Figure 73 illustrates this enhancement.
• The dual-mode feature is disabled by default. Only tagged ports can be configured as dual-mode ports.
• In a trunk group, either all of the ports must be dual-mode, or none of them can be.
The show vlan command displays a separate row for dual-mode ports on each VLAN.
Displaying VLAN information
PowerConnect# show run
Current configuration:
!
ver 4.2.
PowerConnect# show vlan 4
Total PORT-VLAN entries: 5
Maximum PORT-VLAN entries: 3210
PORT-VLAN 4, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 9 10 11
   Uplink Ports: None
 DualMode Ports: 7 8
PowerConnect# show vlan 3
Total PORT-VLAN entries: 5
Maximum PORT-VLAN entries: 3210
PORT-VLAN 3, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 7 8 9 10
   Uplink Ports: None
 DualMode Ports: None
Syntax: show vla
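Reading dual-mode membership off several show vlan screens by hand is error-prone, so here is an added Python helper (written for this guide, not part of the product) that parses the show vlan output above into per-VLAN port sets, inverts it to a per-port view, and flags any port that is listed as DualMode on more than one VLAN. Since a dual-mode port transmits only one specified VLAN untagged, such a port should appear in the DualMode row of exactly one VLAN. The sample text reuses VLAN 4 and VLAN 3 from the output above and adds a constructed VLAN 5 that deliberately repeats port 7 to show the check firing.

```python
import re
from collections import defaultdict

# Sample input: VLAN 4 and VLAN 3 are the guide's own show vlan output;
# VLAN 5 is constructed for this example and lists port 7 as DualMode again.
SAMPLE_SHOW_VLAN = """\
PowerConnect# show vlan 4
Total PORT-VLAN entries: 5
Maximum PORT-VLAN entries: 3210
PORT-VLAN 4, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 9 10 11
   Uplink Ports: None
 DualMode Ports: 7 8
PowerConnect# show vlan 3
Total PORT-VLAN entries: 5
Maximum PORT-VLAN entries: 3210
PORT-VLAN 3, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 7 8 9 10
   Uplink Ports: None
 DualMode Ports: None
PowerConnect# show vlan 5
Total PORT-VLAN entries: 5
Maximum PORT-VLAN entries: 3210
PORT-VLAN 5, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 9 10
   Uplink Ports: None
 DualMode Ports: 7
"""

ROLES = ("Untagged", "Tagged", "Uplink", "DualMode")
VLAN_HEADER = re.compile(r"^PORT-VLAN (\d+), Name \[(.*?)\]")
PORT_ROW = re.compile(r"^\s*(Untagged|Tagged|Uplink|DualMode) Ports:\s*(.*)$")


def parse_show_vlan(text: str) -> dict:
    """Map VLAN id -> {'name': str, role -> set of port numbers}."""
    vlans = {}
    current = None
    for line in text.splitlines():
        m = VLAN_HEADER.match(line)
        if m:
            current = {"name": m.group(2), **{role: set() for role in ROLES}}
            vlans[int(m.group(1))] = current
            continue
        m = PORT_ROW.match(line)
        if m and current is not None:
            ports = m.group(2).strip()
            if ports != "None":
                current[m.group(1)] = {int(p) for p in ports.split()}
    return vlans


def port_membership(vlans: dict) -> dict:
    """Invert the table: port -> [(vlan_id, role), ...] in VLAN order."""
    by_port = defaultdict(list)
    for vid in sorted(vlans):
        for role in ROLES:
            for p in sorted(vlans[vid][role]):
                by_port[p].append((vid, role))
    return dict(by_port)


def dual_mode_conflicts(vlans: dict) -> dict:
    """Ports named in the DualMode row of more than one VLAN -> sorted VLAN ids."""
    seen = defaultdict(list)
    for vid, v in vlans.items():
        for p in v["DualMode"]:
            seen[p].append(vid)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    table = parse_show_vlan(SAMPLE_SHOW_VLAN)
    for port, roles in sorted(port_membership(table).items()):
        print(port, roles)
    print("dual-mode conflicts:", dual_mode_conflicts(table))
```

Feed it the concatenated output of show vlan for every VLAN on the switch; the per-port listing is also a quick way to confirm that the ports of a trunk group are either all dual-mode or none, as the configuration note requires.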
Chapter 11 Configuring Trunk Groups and Dynamic Link Aggregation
Trunk group overview
The Trunk group feature allows you to manually configure multiple high-speed load-sharing links between two Layer 2 Switches or Layer 3 Switches, or between a Layer 2 Switch or Layer 3 Switch and a server. In addition to enabling load sharing of traffic, trunk groups provide redundant, alternate paths for traffic if any of the segments fail.
Trunk group connectivity to a server
To support termination of a trunk group, the server must have either multiple network interface cards (NICs) or a dual or quad interface card installed. A trunk server is a server with multiple adapters, or with a single adapter with multiple ports, that share the same MAC and IP address. Figure 75 shows an example of a trunk group between a server and a device.
• Make sure the device on the other end of the trunk link can support the same number of ports in the link. For example, if you configure a three-port trunk group on the device and the other end is a different type of switch, make sure the other switch can support a three-port trunk group.
• All the ports must be connected to the same device at the other end.
Flexible trunk group membership
This section describes flexible trunk group membership on the PowerConnect B-Series TI24X devices.
PowerConnect B-Series TI24X devices
Trunking is supported on non-consecutive ports in a module. For example, you can configure ports e 4, 6, and 7 (excluding e 5) together on a module as a trunk group. In releases prior to the above, the ports in a trunk group must be consecutive.
Note regarding IPv6
Devices that support IPv6 take the IPv6 address of a packet into account when sharing traffic across a trunk group. The load sharing is performed in the same way it is for IPv4 addresses; that is, trunk types for which traffic load is shared based on IPv4 address information can now use IPv6 addresses to make the load sharing decision.
Configuring a trunk group
Follow the steps given below to configure a trunk group.
1. Disconnect the cables from those ports on both systems that will be connected by the trunk group. Do not configure the trunk groups with the cables connected.
NOTE If you connect the cables before configuring the trunk groups and then reboot, the traffic on the ports can create a spanning tree loop.
2.
PowerConnect(config)#trunk ethernet 1 to 2 ethernet 3 to 4
Trunk will be created in next trunk deploy
PowerConnect(config)#write memory
PowerConnect(config)#trunk deploy
Example 1: Configuring the trunk groups shown in Figure 75
To configure the trunk groups shown in Figure 74, enter the following commands. Notice that the commands are entered on multiple devices. To configure the trunk group link between device1 and the device, enter the following commands.
NOTE The trunk deploy command dynamically places trunk configuration changes into effect, without a software reload.
Example 3: Configuring a multi-slot trunk group with one port per module
You can select one port per module in a multi-slot trunk group. To configure a two-port multi-slot trunk group consisting of ports 1 on module 1 and 2 on module 2, enter the following commands.
• Naming a trunk port
• Disabling or re-enabling a trunk port
• Deleting a static trunk group (applies to static trunks only)
• Specifying the minimum number of ports in a trunk group (applies to static trunks only)
• Monitoring a trunk port
• Configuring outbound rate shaping on a trunk port
• Enabling sFlow forwarding on an individual port in a trunk
• Setting the sFlow sampling rate on an individual port in a trunk
NOTE Depending on the operational state of LACP-enabled p
NOTE If you enter no config-trunk-ind, all port configuration commands are removed from the individual ports and the configuration of the primary port is applied to all the ports. Also, once you enter the no config-trunk-ind command, the enable, disable, and monitor commands are valid only on the primary port and apply to the entire trunk group.
The disable command disables the port. The states of other ports in the trunk group are not affected.
Modifying Trunk Group Membership
You can change port membership by removing individual ports from the trunk group. To remove a port from a trunk group, use one of the following methods.
To remove ports 3 and 4 from the trunk group, enter the following command:
PowerConnect(config)# no trunk ethernet 3 to 4
Syntax: no trunk ethernet | pos [to ]
The parameter indicates the port you are removing.
For example, the following commands establish a trunk group consisting of 4 ports, then establish a threshold for this trunk group of three ports.
PowerConnect(config)#trunk e 31 to 34
PowerConnect(config-trunk-31-34)#threshold 3
In this example, if the number of active ports drops below three, then all the ports in the trunk group are disabled.
Syntax: [no] threshold
• Specify a threshold number from 2 (default) up to the number of ports in a trunk group.
Displaying trunk group configuration information
To display configuration information for the trunk groups, use the show trunk command. This command displays information for configured trunk groups and operational trunk groups. A configured trunk group is one that has been configured in the software but has not been placed into operation by a reset or reboot. An operational trunk group is one that has been placed into operation by a reset or reboot.
TABLE 45 CLI trunk group information (Continued)
This field... / Displays...
Duplex: The mode of the port, which can be one of the following:
• None – The link on the primary trunk port is down.
• Full – The primary port is running in full-duplex.
• Half – The primary port is running in half-duplex.
NOTE: This field and the following fields apply only to operational trunk groups.
Speed: The speed set for the port.
Dynamic link aggregation
Link aggregation support is disabled by default. You can enable the feature on an individual port basis, in active or passive mode:
• Active mode – When you enable a port for active link aggregation, the port can exchange standard LACP Protocol Data Unit (LACPDU) messages to negotiate trunk group configuration with the port on the other side of the link.
• The default key assigned to an aggregate link is based on the port type (1 Gbps port or 10 Gbps port). The device assigns different keys to 10 Gbps ports than to 1 Gbps ports so that ports with different physical capabilities will not be able to form a trunk.
NOTE The trunks that will be formed by link aggregation will strictly adhere to the static trunking rules on the device. Be careful in selecting keys if you are manually configuring link aggregation keys.
• If the feature places a port into a trunk group as a secondary port, all configuration information except information related to link aggregation is removed from the port. For example, if port 3 has an IP interface, and the link aggregation feature places port 3 into a trunk group consisting of ports 1 – 4, the IP interface is removed from the port.
FIGURE 78 (figure: Port1 and Port2 form Group 1; Port3 and Port4 form Group 2)
Table 46 shows examples of the ports from Figure 78 that will be eligible for an aggregate link based on individual port states.
Using the default key assigned by the software
PowerConnect(config)#interface ethernet 1
PowerConnect(config-if-e10000-1)#link-aggregate active
PowerConnect(config)#interface ethernet 2
PowerConnect(config-if-e10000-2)#link-aggregate active
The commands in this example enable the active mode of link aggregation on ports 1 and 2. The ports can send and receive LACPDU messages. Note that these ports will use the default key, since one has not been explicitly configured.
When you change a port VLAN membership, the device searches through existing key groups for a port with matching port properties. Specifically, it searches for a match on all three of the following properties:
• VLAN ID
• default key
• port tag type (tagged or untagged)
If it finds a match, the port (whose VLAN membership you are changing) gets the matching port key. If it does not find a match, the port gets a new key.
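The key-reuse rule above decides which ports can still aggregate after a VLAN change, and it is worth seeing it played out. The Python below is an added model of the rule as this chapter states it, written for this guide and not the switch's own implementation. It assumes the default-key scheme described later in the chapter (4-port groups, keys assigned in ascending order from 0); the value a brand-new key receives after a VLAN change is not given in the text, so the model hands out keys from the user range starting at 10000, which is an assumption for illustration only.

```python
from dataclasses import dataclass
from itertools import count

USER_KEY_START = 10000  # assumption: new keys are taken from the user-configurable range


@dataclass
class Port:
    number: int
    vlan_id: int
    tagged: bool
    default_key: int
    key: int


def default_key_for(port_number: int) -> int:
    """Model of the default assignment: 4-port groups, keys 0, 1, 2, ... in order."""
    return (port_number - 1) // 4


def make_ports(n: int, vlan_id: int = 1, tagged: bool = False) -> list:
    """All ports start untagged in one VLAN, carrying their default key."""
    return [Port(p, vlan_id, tagged, default_key_for(p), default_key_for(p))
            for p in range(1, n + 1)]


def change_vlan(ports: list, port_number: int, vlan_id: int, tagged: bool, new_keys) -> int:
    """Apply the chapter's rule when a port's VLAN membership changes.

    Search the other ports for one with the same VLAN ID, the same default
    key and the same tag type; reuse its key if found, otherwise draw a new
    key from the new_keys iterator. Returns the key the port ends up with.
    """
    port = next(p for p in ports if p.number == port_number)
    port.vlan_id, port.tagged = vlan_id, tagged
    for other in ports:
        if other is port:
            continue
        if (other.vlan_id, other.default_key, other.tagged) == (vlan_id, port.default_key, tagged):
            port.key = other.key
            return port.key
    port.key = next(new_keys)
    return port.key


def aggregation_candidates(ports: list) -> dict:
    """Group port numbers by key: only ports that share a key can form one aggregate link."""
    groups = {}
    for p in ports:
        groups.setdefault(p.key, []).append(p.number)
    return groups


def demo() -> dict:
    """Constructed scenario: move three ports into tagged VLAN 10 and see who can still pair."""
    ports = make_ports(8)
    new_keys = count(USER_KEY_START)
    k2 = change_vlan(ports, 2, 10, True, new_keys)  # no match yet -> new key
    k3 = change_vlan(ports, 3, 10, True, new_keys)  # matches port 2 -> same key
    k6 = change_vlan(ports, 6, 10, True, new_keys)  # different default key -> new key
    return {"keys": (k2, k3, k6), "groups": aggregation_candidates(ports)}


if __name__ == "__main__":
    print(demo())
```

Ports 2 and 3 keep a common key and remain eligible for one aggregate link; port 6, although in the same tagged VLAN, sits in a different 4-port group and therefore gets a key of its own, which is the situation the note about choosing keys carefully is warning about.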
System priority
The system priority parameter specifies the link aggregation priority on the device, relative to the devices at the other ends of the links on which link aggregation is enabled. A higher value indicates a lower priority. You can specify a priority from 0 – 65535. The default is 1. System Priority does not take effect until you toggle the link-aggregate command.
NOTE It is recommended to configure a unique key if ports are tagged or untagged in a VLAN.
FIGURE 79 Ports with the same key in different aggregate links (figure: a device with System ID aaaa.bbbb.cccc has Ports 1 - 8 with Key 0 and is connected to two other devices, System ID dddd.eeee.ffff and a System ID beginning 1111.2222.; one of the neighbours shows Ports 5 - 8 with Key 4. All these ports have the same key, but are in two separate aggregate links with two other devices.)
FIGURE 80 Multi-slot aggregate link (figure: a device with System ID aaaa.bbbb.cccc and Port1 through Port8; Ports 1 - 4 have Key 0 and Ports 5 - 8 have Key 0. All ports in a multi-slot aggregate link have the same key.)
By default, the device ports are divided into 4-port groups. The software dynamically assigns a unique key to each 4-port group.
Port Sys P Port P Key Act Tio Agg Syn Col Dis Def Exp Ope
17 1 1 481 Yes S Agg Syn Col Dis Def No Ope
18 1 1 481 Yes S Agg Syn Col Dis Def No Ope
19 1 1 481 Yes S Agg Syn Col Dis Def No Ope
20 1 1 481 Yes S Agg Syn Col Dis Def No Ope
Syntax: show link-aggregation [ethernet [ ]]
Possible values: N/A
Default value: N/A
Configuring link aggregation parameters
You can configure one or more parameters on the same command line, and in any order.
Displaying and determining the status of aggregate links
The key parameter identifies the group of ports that are eligible to be aggregated into a trunk group. The software automatically assigns a key to each group of ports. The software assigns the keys in ascending numerical order, beginning with 0. You can change a port group key to a value from 10000 – 65535.
• LACP brings the port back up
• The port joins a trunk group
Displaying link aggregation and port status information
Use the show link-aggregation command to determine the operational status of ports associated with aggregate links. To display the link aggregation information for a specific port, enter a command such as the following at any level of the CLI.
PowerConnect# show link-aggregation ethernet 5
System ID: 00e0.52a9.
TABLE 47 CLI display of link aggregation information (Continued)
This field... / Displays...
Act: Indicates the link aggregation mode, which can be one of the following:
• No – The mode is passive or link aggregation is disabled (off) on the port.
Exp: Indicates whether the negotiated link aggregation settings have expired. The settings expire if the port does not receive an LACPDU message from the port at the other end of the link before the message timer expires.
Clearing the negotiated aggregate links table
Configuring single link LACP
Configuration notes
• This feature is supported on 1-GbE and 10-GbE ports.
• This feature is not supported on static trunk ports.
• This feature is not intended for the creation of trunk groups.
• The single link LACP timer is always short (3 seconds) and is not configurable. PDUs are sent out every three seconds.
• This feature is not supported on ports that have the link-keepalive command (UDLD) configured.
Chapter 12 Configuring GARP VLAN Registration Protocol
GVRP overview
GARP VLAN Registration Protocol (GVRP) is a Generic Attribute Registration Protocol (GARP) application that provides VLAN registration service by means of dynamic configuration (registration) and distribution of VLAN membership information. A device enabled for GVRP can do the following:
• Learn about VLANs from other devices and configure those VLANs on the ports that learn about the VLANs.
Application examples
FIGURE 81 Example of GVRP (figure: a Core Device connected to Edge Device A, Edge Device B and Edge Device C; the links are labelled with port numbers 1 through 8 on the core and 6 through 8 on the edge devices)
In this example, a core device is attached to three edge devices. Each of the edge devices is attached to other edge devices or host stations (represented by the clouds).
In this configuration, the edge devices are statically (manually) configured with VLAN information. The core device dynamically configures itself to be a member of each of the edge device VLANs. The operation of GVRP on the core device results in the following VLAN configuration on the device:
• VLAN 20
  • 1 (tagged)
  • 2 (tagged)
• VLAN 30
  • 2 (tagged)
  • 3 (tagged)
• VLAN 40
  • 1 (tagged)
  • 3 (tagged)
VLAN 20 traffic can now travel through the core between edge devices A and B.
VLAN names
The show vlans command lists VLANs created by GVRP as “GVRP_VLAN_”. VLAN names for statically configured VLANs are not affected. To distinguish between statically-configured VLANs that you add to the device and VLANs that you convert from GVRP-configured VLANs into statically-configured VLANs, the show vlans command displays a converted VLAN name as “STATIC_VLAN_”.
Configuring GVRP
• GVRP is supported only for tagged ports or for untagged ports that are members of the default VLAN. GVRP is not supported for ports that are untagged and are members of a VLAN other than the default VLAN.
• To configure GVRP on a trunk group, enable the protocol on the primary port in the trunk group. The GVRP configuration of the primary port is automatically applied to the other ports in the trunk group.
PowerConnect(config)# gvrp-base-vlan-id 1001
This command changes the GVRP VLAN ID from 4093 to 1001.
Syntax: [no] gvrp-base-vlan-id
The parameter specifies the new VLAN ID. You can specify a VLAN ID from 2 – 4092 or 4095.
Increasing the maximum configurable value of the Leaveall timer
By default, the highest value you can specify for the Leaveall timer is 300000 ms. You can increase the maximum configurable value of the Leaveall timer to 1000000 ms.
• To specify a range, enter the first port in the range as ethernet followed by to followed by the last port in the range. For example, to add ports 1 – 8, enter the following command: enable ethernet 1 to 8. You can combine lists and ranges in the same command. For example: enable ethernet 1 to 8 ethernet 1 ethernet 2 ethernet 3.
NOTE When all ports in a dynamically created VLAN (one learned through GVRP) leave the VLAN, the VLAN is immediately deleted from the device's VLAN database. However, this empty VLAN is still maintained in the GVRP database for an amount of time equal to the following.
(number-of-GVRP-enabled-up-ports) * (2 * join-timer)
While the empty VLAN is in the GVRP database, the VLAN does not appear in the show vlans display but does still appear in the show gvrp vlan all display.
Resetting the timers to their defaults
To reset the Join, Leave, and Leaveall timers to their default values, enter the following command.
Displaying GVRP information
• CPU utilization statistics
• GVRP diagnostic information
Displaying GVRP configuration information
To display GVRP configuration information, enter a command such as the following.
TABLE 49 CLI display of summary GVRP information (Continued)
This field... / Displays...
GVRP Leave-all Timer: The value of the Leaveall timer.
Configuration that is being used: The configuration commands used to enable GVRP on individual ports. If GVRP learning or advertising is disabled on a port, this information also is displayed.
Spanning Tree: The type of STP enabled on the device. NOTE: The current release supports GVRP only with Single STP.
TABLE 50 CLI display of detailed GVRP information for a port
This field... / Displays...
Port number: The port for which information is being displayed.
GVRP Enabled: Whether GVRP is enabled on the port.
GVRP Learning: Whether the port can learn VLAN information from GVRP.
GVRP Applicant: Whether the port can advertise VLAN information into GVRP.
Port State: The port link state, which can be UP or DOWN.
TABLE 51 CLI display of summary VLAN information for GVRP
This field... / Displays...
Number of VLANs in the GVRP Database: The number of VLANs in the GVRP database.
Maximum Number of VLANs that can be present: The maximum number of VLANs that can be configured on the device. This number includes statically configured VLANs, VLANs learned through GVRP, and VLANs 1, 4093, and 4094.
TABLE 52 CLI display of summary VLAN information for GVRP (Continued)
This field... / Displays...
Fixed Members: The ports that are statically configured members of the VLAN. GVRP cannot remove these ports.
Normal(Dynamic) Members: The ports that were added by GVRP. These ports also can be removed by GVRP.
MODE: The type of VLAN, which can be one of the following:
• STATIC – The VLAN is statically configured and cannot be removed by GVRP.
TABLE 53 CLI display of GVRP statistics (Continued)
This field... / Displays...
Leave Empty Transmitted: The number of Leave Empty messages sent.
Leave In Transmitted: The number of Leave In messages sent.
Empty Transmitted: The number of Empty messages sent.
Invalid Messages/Attributes Skipped: The number of invalid messages or attributes received or skipped. This can occur in the following cases:
• The incoming GVRP PDU has an incorrect length.
PowerConnect# show process cpu
The system has only been up for 6 seconds.
Process Name 5Sec(%) 1Min(%) 5Min(%) 15Min(%) Runtime(ms)
ARP 0.01 0.00 0.00 0.00 0
BGP 0.00 0.00 0.00 0.00 0
GVRP 0.00 0.00 0.00 0.00 0
ICMP 0.01 0.00 0.00 0.00 1
IP 0.00 0.00 0.00 0.00 0
OSPF 0.00 0.00 0.00 0.00 0
RIP 0.00 0.00 0.00 0.00 0
STP 0.00 0.00 0.00 0.00 0
VRRP 0.00 0.00 0.00 0.00 0
To display utilization statistics for a specific number of seconds, enter a command such as the following.
Clearing GVRP statistics
PowerConnect# debug gvrp packets
GVRP: Packets debugging
GVRP: 0x2095ced4: 01 80 c2 00 00
GVRP: 0x2095cee4: 03 00 01 01 02
GVRP: 0x2095cef4: 00 09 04 05 00
GVRP: 0x2095cf04: 03 ec 04 01 03
GVRP: 0x2095cf14: 09 cb 04 01 0f
GVRP: Port 1 RCV
GVRP: 0x2095ced4: 01 80 c2 00 00
GVRP: 0x2095cee4: 03 00 01 01 04
GVRP: 0x2095cef4: 04 01 03 ef 04
GVRP: 0x2095cf04: 04 01 0f a1 00
GVRP: Port 1 TX
GVRP: 0x207651b8: 01 80 c2 00 00
GVRP: 0x207651c8: 03 00 01 01 02
GVRP: 0x207651d8: 03 ec 04 05 03
CLI examples
Enter the following commands on the core device.
PowerConnect> enable
PowerConnect# configure terminal
PowerConnect(config)# gvrp-enable
PowerConnect(config-gvrp)# enable all
These commands globally enable GVRP support and enable the protocol on all ports.
Enter the following commands on edge device A.
Dynamic core and dynamic edge
In this configuration, the core and edge devices have no statically configured VLANs and are enabled to learn and advertise VLANs. The edge and core devices learn the VLANs configured on the devices in the edge clouds. To enable GVRP on all the ports, enter the following command on each edge device and on the core device.
This configuration does not use any GVRP configuration on the core device. The configuration on the edge device is the same as in “Dynamic core and fixed edge” on page 357.
Chapter 13 Configuring Rule-Based IP Access Control Lists
ACL overview
This chapter describes how Access Control Lists (ACLs) are implemented and configured in the PowerConnect B-Series TI24X devices. Devices support rule-based ACLs (sometimes called hardware-based ACLs), where the decisions to permit or deny packets are processed in hardware and all permitted packets are switched or routed in hardware. All denied packets are also dropped in hardware.
• ACL ID – An ACL ID is a number from 1 – 99 (for a standard ACL) or 100 – 199 (for an extended ACL) or a character string. The ACL ID identifies a collection of individual ACL entries. When you apply ACL entries to an interface, you do so by applying the ACL ID that contains the ACL entries to the interface, instead of applying the individual entries to the interface. This makes applying large groups of access filters (ACL entries) to interfaces simple.
• If you want to secure access in environments with many users, you might want to configure ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of each ACL. The software permits packets that are not denied by the deny entries.
How hardware-based ACLs work
When you bind an ACL to inbound traffic on an interface, the device programs the Layer 4 CAM with the ACL. Permit and deny rules are programmed.
• Trunk groups
• Virtual routing interfaces
• ACLs on the PowerConnect B-Series TI24X devices apply to all traffic, including management traffic.
• ACL logging is supported for denied packets and for packets that are sent to the CPU to generate the log, if logging is enabled on the port and on the ACL that is applied to that port. ACL logging is not supported for packets that are processed in hardware (permitted packets).
Configuring standard numbered ACLs
Syntax: [no] access-list deny | permit host | [log]
Syntax: [no] access-list deny | permit any [log]
Syntax: [no] ip access-group in
The parameter is the access list number from 1 – 99. The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded). The parameter specifies the source IP address.
NOTE If the ACL is for a virtual routing interface, you also can specify a subset of ports within the VLAN containing that interface when assigning an ACL to the interface.
Configuration example for standard numbered ACLs
To configure a standard ACL and apply it to incoming traffic on port 1, enter the following commands.
PowerConnect(config)# access-list 1 deny host 209.157.22.26 log
PowerConnect(config)# access-list 1 deny 209.157.29.
Configuring standard named ACLs 13 The parameter is the access list name. You can specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, “ACL for Net1”). The parameter allows you to specify an ACL number if you prefer. If you specify a number, you can specify from 1 – 99 for standard ACLs.
13 Configuring extended numbered ACLs NOTE If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with subnet mask in the display produced by the show ip access-list command. The host | parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.
• Destination IP address or host name
• Source TCP or UDP port (if the IP protocol is TCP or UDP)
• Destination TCP or UDP port (if the IP protocol is TCP or UDP)
The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255:
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Internet Gateway Routing Protocol (IGRP)
• Internet Protocol (IP)
• Open Shortest Path First (OSPF)
• Transmission
The parameter specifies the portion of the source IP host address to match against. The is in dotted-decimal notation (IP address format). It is a four-part value, where each part is 8 bits (one byte) separated by dots, and each bit is a one or a zero. Each part is a number ranging from 0 to 255, for example 0.0.0.255. Zeros in the mask mean the packet source address must match the . Ones mean any value matches.
• time-exceeded
• timestamp-reply
• timestamp-request
• traffic policy
• unreachable
The parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for HTTP, specify tcp eq http.
• flash or 3 – The ACL matches packets that have the flash precedence. If you specify the option number instead of the name, specify number 3.
• flash-override or 4 – The ACL matches packets that have the flash override precedence. If you specify the option number instead of the name, specify number 4.
• immediate or 2 – The ACL matches packets that have the immediate precedence. If you specify the option number instead of the name, specify number 2.
The traffic-policy option enables the device to rate limit inbound traffic and to count the packets and bytes per packet to which ACL permit or deny clauses are applied. For configuration procedures and examples, refer to Chapter 17, “Configuring Traffic Policies”.
Configuration examples for extended numbered ACLs
To configure an extended access list that blocks all Telnet traffic received on port 1 from IP host 209.157.22.26, enter the following commands.
Configuring extended named ACLs
PowerConnect(config)# access-list 103 deny tcp 209.157.21.0/24 209.157.22.0/24
PowerConnect(config)# access-list 103 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24
PowerConnect(config)# access-list 103 deny tcp 209.157.21.0/24 209.157.22.0/24 lt telnet neq 5
PowerConnect(config)# access-list 103 deny udp any range 5 6 209.157.22.0/24
The first entry in this ACL denies TCP traffic from the 209.157.21.x network to the 209.157.22.x network.
The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255:
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Internet Gateway Routing Protocol (IGRP)
• Internet Protocol (IP)
• Open Shortest Path First (OSPF)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
For TCP and UDP, you also can specify a comparison operator and port name or number.
mask (where zeros instead of ones are the significant bits) and changes the non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of subnet lengths) or 209.157.22.0 0.0.0.255 in the startup-config file.
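The wildcard-mask semantics above (zeros must match, ones are "don't care", /24 and 0.0.0.255 being the same thing, host bits zeroed when the entry is saved) are modelled in this added example. It is not code from the Dell guide; the clause grammar it accepts (`host A.B.C.D`, `any`, `A.B.C.D/len`, `A.B.C.D W.X.Y.Z`) and the sample ACL are constructed for the illustration, and the trailing implicit deny is an assumption of the model.

```python
"""Model of how a PowerConnect-style ACL source clause matches a packet's
source address, and how the device normalizes the clause when it is saved.
Added example; the clause forms and sample addresses are constructed here."""
import ipaddress


def parse_source(spec: str) -> tuple[int, int]:
    """Return (address_bits, wildcard_bits) for an ACL source clause.

    A wildcard mask uses ZEROS for bits that must match and ONES for bits
    that may take any value (the inverse of a subnet mask).
    """
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host":                      # implied mask of 0.0.0.0
        return int(ipaddress.IPv4Address(parts[1])), 0
    if len(parts) == 1 and "/" in parts[0]:     # CIDR form, e.g. 209.157.22.26/24
        addr, plen = parts[0].split("/")
        wildcard = (1 << (32 - int(plen))) - 1
        return int(ipaddress.IPv4Address(addr)), wildcard
    if len(parts) == 2:                         # address followed by wildcard mask
        return (int(ipaddress.IPv4Address(parts[0])),
                int(ipaddress.IPv4Address(parts[1])))
    raise ValueError(f"unrecognised source clause: {spec!r}")


def normalize_source(spec: str) -> tuple[str, str]:
    """Return the clause as the device stores it: the non-significant (host)
    bits are zeroed. Returns ('<net>/<len>', '<net> <wildcard>'); the first
    form is '' when the wildcard is non-contiguous and has no prefix length.
    """
    addr, wildcard = parse_source(spec)
    net = addr & ~wildcard & 0xFFFFFFFF
    net_s = str(ipaddress.IPv4Address(net))
    wc_s = str(ipaddress.IPv4Address(wildcard))
    contiguous = (wildcard + 1) & wildcard == 0    # wildcard+1 is a power of two
    if contiguous:
        return f"{net_s}/{32 - wildcard.bit_length()}", f"{net_s} {wc_s}"
    return "", f"{net_s} {wc_s}"


def matches(spec: str, packet_src: str) -> bool:
    """True if every bit that is ZERO in the wildcard equals the clause address."""
    addr, wildcard = parse_source(spec)
    pkt = int(ipaddress.IPv4Address(packet_src))
    return (pkt ^ addr) & ~wildcard & 0xFFFFFFFF == 0


def first_match(acl: list[tuple[str, str]], packet_src: str) -> str:
    """Evaluate a standard ACL (ordered (action, source-clause) pairs) top-down.
    Assumption of this model: an implicit deny when no entry matches."""
    for action, spec in acl:
        if matches(spec, packet_src):
            return action
    return "deny"


# Constructed ACL in the shape of the guide's standard-ACL example.
SAMPLE_ACL = [
    ("deny", "host 209.157.22.26"),
    ("deny", "209.157.29.0/24"),
    ("permit", "any"),
]
```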
• eq – The policy applies to the TCP or UDP port name or number you enter after eq.
• established – This operator applies only to TCP packets. If you use this operator, the policy applies to TCP packets that have the ACK (Acknowledgment) or RST (Reset) bits set on (set to “1”) in the Control Bits field of the TCP packet header. Thus, the policy applies only to established TCP sessions, not to new sessions. Refer to Section 3.
• priority or 1 – The ACL matches packets that have the priority precedence. If you specify the option number instead of the name, specify number 1.
• routine or 0 – The ACL matches packets that have the routine precedence. If you specify the option number instead of the name, specify number 0.
The tos | parameter of the ip access-list command specifies the IP ToS.
Preserving user input for ACL TCP/UDP port numbers
Configuration example for extended named ACLs
To configure an extended named ACL, enter commands such as the following.
PowerConnect(config)#ip access-list extended “block Telnet”
PowerConnect(config-ext-nACL)#deny tcp host 209.157.22.
Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN
Adding a comment to an entry in a numbered ACL
To add comments to entries in a numbered ACL, enter commands such as the following.
PowerConnect(config)#access-list 100 remark The following line permits TCP packets
PowerConnect(config)#access-list 100 permit tcp 192.168.4.40/24 2.2.2.
Enabling ACL logging
PowerConnect(config-vlan-ip-subnet)# router-interface ve 20
PowerConnect(config-vlan-ip-subnet)# logging console
PowerConnect(config-vlan-ip-subnet)# exit
PowerConnect(config-vlan-1)# no vlan-dynamic-discovery
Vlan dynamic discovery is disabled
PowerConnect(config-vlan-1)# int e 2
PowerConnect(config-if-e10000-2)# disable
PowerConnect(config-if-e10000-2)# interface ve 10
PowerConnect(config-vif-10)# ip address 192.168.10.254 255.255.255.
PowerConnect(config)# traffic-policy TPD1 rate-limit fixed 100 exceed-action drop
PowerConnect(config)# access-list 101 deny ip host 210.10.12.2 any traffic-policy TPD1 log
• ACL logging is intended for debugging purposes. Dell recommends that you disable ACL logging after the debug session is over.
Configuration Tasks
To enable ACL logging, complete the following steps:
1. Create ACL entries with the log option
2.
Enabling strict control of ACL filtering of fragmented packets
To display Syslog entries, enter the following command from any CLI prompt:
PowerConnect#show log
Syslog logging: enabled (0 messages dropped, 2 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 9 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Dynamic Log Buffer (50 lines):
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 20.20.15.6(0)(Ethernet 4 20.20.18.
Enabling ACL support for switched traffic in the router image
By default, when an ACL is applied to a physical or virtual routing interface, the Layer 3 device filters routed traffic only. It does not filter traffic that is switched from one port to another within the same VLAN or virtual routing interface, even if an ACL is applied to the interface.
Enabling ACL filtering based on VLAN membership or VE port membership
Enter the no form of the command to disable this feature.
Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only)
When you bind an IPv4 ACL to a port, the port filters all inbound traffic on the port. However, on a tagged port, there may be a need to treat packets for one VLAN differently from packets for another VLAN.
Filtering on IP precedence and ToS values
NOTE
Before you can bind an IPv4 ACL to specific ports on a virtual interface, you must first enable support for this feature. If this feature is not already enabled on your device, enable it as instructed in the section “Enabling ACL filtering based on VLAN membership or VE port membership” on page 384.
To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following.
QoS options for IP ACLs
PowerConnect(config)#access-list 104 deny tcp 209.157.21.0/24 209.157.22.0/24 tos normal
PowerConnect(config)#access-list 104 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24 tos 13
PowerConnect(config)#access-list 104 permit ip any any
The first entry in this IP ACL denies TCP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic has the IP ToS option “normal” (equivalent to “0”). The second entry denies all FTP traffic from the 209.157.21.
Combined ACL for 802.1p marking on PowerConnect B-Series TI24X
NOTE
For feature support on PowerConnect B-Series TI24X devices, refer to “Combined ACL for 802.1p marking on PowerConnect B-Series TI24X devices” on page 388.
Using an ACL to change the forwarding queue for PowerConnect B-Series TI24X devices
NOTE
For feature support on PowerConnect B-Series TI24X devices, refer to “Using an ACL to change the forwarding queue for PowerConnect B-Series TI24X devices” on page 388.
ACL-based rate limiting
• Assigns traffic that matches the ACL to the specific hardware forwarding queue (qosp0 – qosp7).
NOTE
The 802.1p-and-internal-marking option overrides port-based priority settings. In addition to changing the internal forwarding priority, if the outgoing interface is an 802.1Q interface, this parameter maps the specified priority to its equivalent 802.1p (CoS) priority and marks the packet with the new 802.1p priority.
Using ACLs to control multicast features
You can use ACLs to control the following multicast features:
• Limit the number of multicast groups that are covered by a static rendezvous point (RP)
• Control the multicast groups for which candidate RPs send advertisement messages to bootstrap routers
• Identify which multicast group packets will be forwarded or blocked on an interface
For configuration procedures, refer to Chapter 19, “Configuring IP Multicast P
Enabling and viewing hardware usage statistics for an ACL
The number of configured ACL rules can affect the rate at which hardware resources are used. You can use the show access-list hw-usage on command to enable hardware usage statistics, followed by the show access-list command to determine the hardware usage for an ACL. To gain more hardware resources, you can modify the ACL rules so that they use fewer hardware resources.
Troubleshooting ACLs
• To determine whether the issue is specific to fragmentation, remove the Layer 4 information (TCP or UDP application ports) from the ACL, then reapply the ACL.
Chapter 14 Configuring Port Mirroring and Monitoring
Mirroring support by platform
The procedures in this chapter describe how to configure port mirroring on devices. Port mirroring is a method of monitoring network traffic that forwards a copy of each incoming or outgoing packet from one port on a network switch to another port where the packet can be analyzed. Port mirroring may be used as a diagnostic tool or debugging feature, especially for preventing attacks.
Configuring port mirroring and monitoring
• If you configure both ACL mirroring and ACL based rate limiting on the same port, then all packets that match are mirrored, including the packets that exceed the rate limit.
• Table 57 lists the number of mirror and monitor ports supported on the devices.
The previous command is required even though the analyzer port is already set globally by the port mirroring command.
ACL-based inbound mirroring
Syntax: [no] mirror-port ethernet [input | output]
Syntax: [no] config-trunk-ind
Syntax: [no] monitor ethernet both | in | out
The parameter for mirror-port ethernet specifies the port to which the monitored traffic will be copied.
The parameter for monitor ethernet specifies the port on which traffic will be monitored.
The input or output parameters configure the mirror port exclusively for ingress or egress traffic.
To display ACL mirror settings, enter the show access-list all command.
PowerConnect#show access-list all
Extended IP access list 101
permit ip any any mirror
Specifying the destination mirror port
You can specify physical ports or a trunk to mirror traffic from. If you complete the rest of the configuration but do not specify a destination mirror port, the port-mirroring ACL will be non-operational.
PowerConnect(config)#interface ethernet 1
PowerConnect(config-if-e10000-1)#ACL-mirror-port ethernet 3
PowerConnect(config)#interface ethernet 2
PowerConnect(config-if-e10000-2)#ACL-mirror-port ethernet 7
Error - Inbound Mirror port 3 already configured for port region 1 - 12
When a destination port is configured for any port within a port region, traffic from any ACL with a mirroring clause assigned to any port in that port region will be mirrored to that destination port.
Behavior of ACL-based mirroring when deleting trunks
If you delete a trunk that has ACL-Based Mirroring configured, the ACL-Based Mirroring configuration will be configured on the individual ports that made up the trunk. For example, if a trunk is configured as shown in the following example and is then deleted from the configuration as shown, each of the ports that previously were contained in the trunk will be configured for ACL-Based Mirroring.
MAC filter-based mirroring
If a port is in both mirrored and non-mirrored VLANs, only traffic on the port from the mirrored VLAN will be mirrored. For example, the following configuration adds VLAN 20 to the previous configuration. In this example, ports 1 and 2 are in both VLAN 10 and VLAN 20. ACL-Based Mirroring is only applied to VLAN 10. Consequently, traffic that is on ports 1 and 2 that belongs to VLAN 20 will not be mirrored.
PowerConnect(config)#int e 5
PowerConnect(config-if-e10000-5)#mac filter-group 1
4. Configure the monitor port to use the mirror port.
PowerConnect(config-if-e10000-5)#acl-mirror-port ethernet 2
To display ACL mirror settings, enter the show access-list all command.
Chapter 15 Configuring Quality of Service
Classification
Quality of Service (QoS) features are used to prioritize the use of bandwidth in a switch. When QoS features are enabled, traffic is classified as it arrives at the switch, and processed on the basis of configured priorities. Traffic can be dropped, prioritized for guaranteed delivery, or subject to limited delivery options as configured by a number of different mechanisms.
Figure (classification flowchart): Packet received on ingress port. Does the packet match an ACL that defines a priority? Yes: trust the DSCP-CoS mapping or the DSCP marking. No: Does the port have Trust DSCP enabled? Yes: trust the DSCP/ToS value. No: Is the packet tagged? Yes: trust the 802.
Once a packet is classified by one of the procedures mentioned, it is mapped to an internal forwarding queue. There are eight queues designated as 0 to 7. The internal forwarding priority maps to one of these eight queues as shown in Table 58 through Table 61. The mapping between the internal priority and the forwarding queue cannot be changed. Table 58 through Table 61 show the default QoS mappings that are used if the trust level for CoS or DSCP is enabled.
QoS queues
TABLE 61 Default QoS mappings, columns 48 to 63 (Continued)
DSCP value                    48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
Internal Forwarding Priority   6  6  6  6  6  6  6  6  7  7  7  7  7  7  7  7
Forwarding Queue               6  6  6  6  6  6  6  6  7  7  7  7  7  7  7  7
Mapping between DSCP value and Forwarding Queue cannot be changed.
The following sections describe how to change the priority for each of the items listed above. Although it is possible for a packet to qualify for an adjusted QoS priority based on more than one of the criteria listed in the section above, the system always gives a packet the highest priority for which it qualifies.
Marking
Buffer allocation/threshold for QoS queues
By default, Ironware software allocates a certain number of buffers to the outbound transport queue for each port based on QoS priority. The buffers control the total number of packets permitted in the outbound queue for the port. If desired, you can increase or decrease the maximum number of outbound transmit buffers allocated to all QoS queues, or to specific QoS queues on a port or group of ports.
Configuring the QoS mappings
Application notes
• DSCP-based QoS is not automatically honored for routed and switched traffic. The default is 802.1p to CoS mapping. To honor DSCP-based QoS, you must change the priority mapping to DSCP to CoS mapping. Refer to “Using ACLs to honor DSCP-based QoS” on page 411.
• When DSCP marking is enabled, the device changes the contents of the inbound packet ToS field to match the DSCP-based QoS value.
TABLE 63 Default DSCP to internal forwarding priority mappings (Continued)
Internal forwarding priority    DSCP value
4                               32 – 39
5                               40 – 47
6                               48 – 55
7 (highest priority queue)      56 – 63
Notice that DSCP values range from 0 – 63, whereas the internal forwarding priority values range from 0 – 7. Any DSCP value within a given range is mapped to the same internal forwarding priority value. For example, any DSCP value from 8 – 15 maps to priority 1.
PowerConnect(config)#qos-tos map dscp-priority 40 to 7
PowerConnect(config)#qos-tos map dscp-priority 48 to 3
PowerConnect(config)#qos-tos map dscp-priority 56 to 6
PowerConnect(config)#ip rebind-ACL all
The first command in the above example maps priority 1 to DSCP values 0, 2, 3, and 4. These commands configure the mappings displayed in the DSCP to forwarding priority portion of the QoS information display.
• qosp6
• qosp5
• qosp4
• qosp3
• qosp2
• qosp1
• qosp0
Scheduling
Scheduling is the process of mapping a packet to an internal forwarding queue based on its QoS information, and servicing the queues according to a mechanism. This section describes the scheduling methods used on PowerConnect B-Series TI24X devices.
By default, when you select the combined SP and WRR queueing method, the device assigns strict priority to traffic in qosp7 and qosp6, and weighted round robin priority to traffic in qosp0 through qosp5. Thus, the device schedules traffic in queue 7 and queue 6 first, based on the strict priority queueing method. When there is no traffic in queue 7 and queue 6, the device schedules the other queues in round-robin fashion from the highest priority queue to the lowest priority queue.
Renaming the queues
The default queue names are qosp7, qosp6, qosp5, qosp4, qosp3, qosp2, qosp1, and qosp0. You can change one or more of the names if desired. To rename queue “qosp3” to “92-octane”, enter the following command.
PowerConnect(config)#qos name qosp3 92-octane
Syntax: qos name
The parameter specifies the name of the queue before the change.
The parameter specifies the new name of the queue.
Command syntax
To change the bandwidth percentages for the queues, enter commands such as the following. Note that this example uses the default queue names.
Viewing QoS settings
The parameter configures WRR as the queuing mechanism and specifies the percentage of the device outbound bandwidth allocated to the queue. The queues require a minimum bandwidth percentage of 3% for each priority. When jumbo frames are enabled, the minimum bandwidth requirement is 8%. If these minimum values are not met, QoS may not be accurate.
NOTE
The percentages must add up to 100. The device does not adjust the bandwidth percentages you enter.
Viewing DSCP-based QoS settings
PowerConnect#show qos-tos
DSCP-->Traffic-Class map: (DSCP = d1d2: 00, 01...63)
     d2|  0  1  2  3  4  5  6  7  8  9
d1     |
-------+------------------------------
     0 |  0  0  0  0  0  0  0  0  1  1
     1 |  1  1  1  1  1  1  2  2  2  2
     2 |  2  2  2  2  3  3  3  3  3  3
     3 |  3  3  4  4  4  4  4  4  4  4
     4 |  5  5  5  5  5  5  5  5  6  6
     5 |  6  6  6  6  6  6  7  7  7  7
     6 |  7  7  7  7
Traffic-Class-->802.1p-Priority map (use to derive DSCP--802.1p-Priority):
Traffic | 802.
Chapter 16 Configuring Rate Limiting and Rate Shaping on the PowerConnect B-Series TI24X
Rate limiting overview
This chapter describes how to configure rate limiting and rate shaping on PowerConnect B-Series TI24X devices. Rate limiting applies to inbound ports and rate shaping applies to outbound ports. Port-based fixed rate limiting is supported on inbound ports. This feature allows you to specify the maximum number of kilobits a given port on a PowerConnect device can receive.
Rate limiting in hardware
Figure 83 shows an example of how Fixed Rate Limiting works. In this example, a Fixed Rate Limiting policy is applied to a port to limit the inbound traffic to 500000 bits (62500 bytes) a second. During the first two one-second intervals, the port receives less than 500000 bits in each interval. However, the port receives more than 500000 bits during the third and fourth one-second intervals, and consequently drops the excess traffic.
These commands configure a fixed rate limiting policy that allows port 24 to receive a maximum of 64 kilobits per second (65536 bytes per second). If the port receives additional bits during a given one-second interval, the port drops all inbound packets on the port until the next one-second interval starts.
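The interval behaviour just described (bits counted per one-second interval; once the limit is exceeded, every further inbound packet in that interval is dropped until the next interval starts) is modelled in this added example, which is not code from the Dell guide. The limiter class, the 500000-bit limit taken from the Figure 83 description, and the packet trace are constructed for the illustration; whether the packet that crosses the limit is itself dropped is an assumption of the model.

```python
"""Model of port-based Fixed Rate Limiting as described for Figure 83.
Added example; the limiter and the packet trace are constructed here."""
from dataclasses import dataclass, field


@dataclass
class FixedRateLimiter:
    limit_bits: int                     # configured inbound limit, bits per second
    _interval: int = -1                 # index of the current one-second interval
    _bits_seen: int = 0                 # bits received so far in that interval
    _blocked: bool = False              # set once the limit has been exceeded
    stats: dict = field(default_factory=lambda: {"forwarded": 0, "dropped": 0})

    def accept(self, t: float, length_bytes: int) -> bool:
        """Return True if the packet arriving at time t (seconds) is forwarded."""
        interval = int(t)
        if interval != self._interval:  # a new one-second interval resets the count
            self._interval, self._bits_seen, self._blocked = interval, 0, False
        if self._blocked:               # already over the limit this second
            self.stats["dropped"] += 1
            return False
        self._bits_seen += length_bytes * 8
        if self._bits_seen > self.limit_bits:
            # Assumption: the packet that crosses the limit is dropped too, and
            # everything after it is dropped until the next interval starts.
            self._blocked = True
            self.stats["dropped"] += 1
            return False
        self.stats["forwarded"] += 1
        return True


def run_trace(limit_bits: int, trace: list[tuple[float, int]]) -> dict:
    """Feed (arrival_time_s, length_bytes) pairs through one limiter and return
    per-second forwarded/dropped counts plus the running totals."""
    limiter = FixedRateLimiter(limit_bits)
    per_second: dict[int, dict[str, int]] = {}
    for t, length in trace:
        forwarded = limiter.accept(t, length)
        bucket = per_second.setdefault(int(t), {"forwarded": 0, "dropped": 0})
        bucket["forwarded" if forwarded else "dropped"] += 1
    return {"per_second": per_second, "totals": limiter.stats}


# Constructed trace shaped like the Figure 83 description: 1500-byte (12000-bit)
# frames; seconds 0 and 1 stay under 500000 bits, seconds 2 and 3 exceed it.
CONSTRUCTED_TRACE = (
    [(0 + i / 40, 1500) for i in range(30)]     # 30 frames = 360000 bits
    + [(1 + i / 40, 1500) for i in range(30)]   # 30 frames = 360000 bits
    + [(2 + i / 80, 1500) for i in range(60)]   # 60 frames = 720000 bits
    + [(3 + i / 80, 1500) for i in range(60)]   # 60 frames = 720000 bits
)
```

With a 500000-bit limit, 41 frames (492000 bits) fit in a second and the 42nd is the first one dropped, so seconds 2 and 3 each forward 41 and drop 19.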
Rate shaping overview
TABLE 68 CLI display of Fixed Rate Limiting information (Continued)
This field...            Displays...
Configured Input Rate    The maximum rate requested for inbound traffic. The rate is measured in kilobits per second (kbps) for PowerConnect devices.
Actual Input Rate        The actual maximum rate provided by the hardware. The rate is measured in kilobits per second (kbps) for PowerConnect devices.
On PowerConnect B-Series TI24X devices, you can specify a value up to the port line rate for .
Configuring outbound rate shaping for a specific priority
To configure the maximum rate at which outbound traffic is sent out on a port priority queue, enter commands such as the following.
Chapter 17 Configuring Traffic Policies
About traffic policies
This chapter describes how traffic policies are implemented and configured in the PowerConnect B-Series TI24X devices.
Maximum number of traffic policies supported on a device
• You can reference the same traffic policy in more than one ACL entry within an access list. For example, two or more ACL statements in ACL 101 can reference a TPD named TPD1.
• You can reference the same traffic policy in more than one access list. For example, ACLs 101 and 102 could both reference a TPD named TPD1.
• To modify or delete an active traffic policy, you must first unbind the ACL that references the traffic policy.
ACL-based rate limiting using traffic policies
Setting the maximum number of traffic policies supported on a Layer 3 device
If desired, you can adjust the maximum number of active traffic policies that a Layer 3 device will support. To do so, enter commands such as the following at the Global CONFIG level of the CLI.
Support for fixed rate limiting and adaptive rate limiting
PowerConnect B-Series TI24X devices support the following types of ACL-based rate limiting:
• Fixed rate limiting – Enforces a strict bandwidth limit. The device forwards traffic that is within the limit but either drops all traffic that exceeds the limit, or forwards all traffic that exceeds the limit at the lowest priority level, according to the action specified in the traffic policy.
The software allows you to add a reference to a non-existent TPD in an ACL statement and to bind that ACL to an interface. The software does not issue a warning or error message for non-existent TPDs.
Use the no form of the command to delete a traffic policy definition. Note that you cannot delete a traffic policy definition if it is currently in use on a port. To delete a traffic policy, first unbind the associated ACL.
1. Create a traffic policy. Enter a command such as the following.
PowerConnect(config)# traffic-policy TPDAfour rate-limit adaptive cir 10000 cbs 1600 pir 20000 pbs 4000 exceed-action drop
2. Create a new extended ACL entry or modify an existing extended ACL entry that references the traffic policy.
Example
PowerConnect(config)# access-list 104 permit ip host 210.10.12.2 any traffic-policy TPDAfour
3. Bind the ACL to an interface.
Specifying the action to be taken for packets that are over the limit
You can specify the action to be taken when packets exceed the configured cir value for fixed rate limiting, or the cir, cbs, pir, and pbs values for adaptive rate limiting.
ACL and rate limit counting
Syntax: [no] traffic-policy rate-limit fixed exceed-action permit-at-low-pri
Example
The following shows an example adaptive rate limiting configuration.
3. Bind the ACL to an interface.
PowerConnect(config)# int e 4
PowerConnect(config-if-e4)# ip access-group 101 in
PowerConnect(config-if-e4)# exit
The above commands configure an ACL counting policy and apply it to port e4. Port e4 counts the number of packets and the number of bytes on the port that were permitted or denied by ACL filters.
Syntax: [no] traffic-policy count
Syntax: access-list permit | deny....
Viewing ACL and rate limit counters
When ACL counting is enabled on the device, you can use show commands to display the total packet count and byte count of the traffic filtered by ACL statements. The output of the show commands also displays the rate limiting traffic counters, which are automatically enabled for active rate limiting traffic policies.
Viewing traffic policies
Clearing ACL and rate limit counters
The device keeps a running tally of the number of packets and the number of bytes per packet that are filtered by ACL statements and rate limiting traffic policies. You can clear these accumulated counters, essentially resetting them to zero. To do so, use either the clear access-list account traffic-policy or the clear statistics traffic-policy command.
TABLE 72 Traffic policy information (Continued)
This line...                       Displays...
Counting                           Shows whether or not ACL counting was configured as part of the traffic policy:
                                   • Enabled – Traffic policy includes an ACL counting configuration.
                                   • Disabled – Traffic policy does not include an ACL traffic counting configuration.
Number of References/Bindings      The number of port regions to which this traffic policy applies.
Chapter 18 Configuring IP Multicast Traffic Reduction for PowerConnect B-Series TI24X Switches
IGMP snooping overview
When a device processes a multicast packet, by default, it broadcasts the packets to all ports except the incoming port of a VLAN. Packets are flooded by hardware without going to the CPU. This behavior causes some clients to receive unwanted traffic.
IGMP protocols provide a method for clients and a device to exchange messages, and let the device build a database indicating which port wants what traffic. The protocols do not specify forwarding methods. They require IGMP snooping or multicast protocols such as PIM to handle packet forwarding. PIM can route multicast packets within and outside a VLAN, while IGMP snooping can switch packets only within a VLAN.
NOTE
In a topology of one or more connecting devices, at least one device must be running PIM, or configured as active. Otherwise, none of the devices can send out queries, and traffic cannot be forwarded to clients.
IGMP snooping enhancements
This section describes the enhancements to IGMP snooping. These features are also supported on PowerConnect B-Series TI24X devices, except where noted.
Support for IGMP V3 snooping
Refer to “IGMP snooping overview” on page 439.
PIM SM traffic snooping overview
• A user can configure static router ports to force all multicast traffic to these specific ports.
• Fast leave for IGMPv2 is supported. Fast leave stops traffic immediately when the port receives a leave message.
• Tracking and fast leave for IGMPv3 is supported. If the only client on a port leaves, traffic is stopped immediately.
• An IGMP device can be configured as a querier (active) or non-querier (passive). Queriers send queries.
PIM SM traffic snooping requires IGMP snooping to be enabled on the device. IGMP snooping configures the device to listen for IGMP messages. PIM SM traffic snooping provides a finer level of multicast traffic control by configuring the device to listen specifically for PIM SM join and prune messages sent from one PIM SM router to another through the device.
PIM SM snooping support
Table 74 shows PIM SM snooping version support by PowerConnect B-Series TI24X devices.
The following figure shows another example application for PIM SM traffic snooping. This example shows devices on the edge of a Global Ethernet cloud (a Layer 2 Packet over SONET cloud). Assume that each device is attached to numerous other devices such as other Layer 2 Switches and Layer 3 Switches (routers).
NOTE
This example assumes that the devices are actually devices running Layer 2 Switch software.
Configuring IGMP snooping
NOTE
Use the passive mode of IGMP snooping instead of the active mode. The passive mode assumes that a router is sending group membership queries as well as join and prune messages on behalf of receivers. The active mode configures the device to send group membership queries.
• All the device ports connected to the source and receivers or routers must be in the same port-based VLAN.
VLAN-specific tasks
Perform the following VLAN-specific tasks:
• “Configuring the IGMP mode for a VLAN” (active or passive)
• “Disabling IGMP snooping on a VLAN”
• “Configuring the IGMP version for a VLAN”
• “Configuring static router ports.
Setting the maximum number of IGMP group addresses
When IGMP snooping is enabled, PowerConnect B-Series TI24X devices support up to 4K of IGMP group addresses by default, and the configurable range is from 4096 to 8192. The configured number is the upper limit of an expandable database. Client memberships exceeding the group limit are not processed. Enter a command such as the following to define the maximum number of IGMP group addresses.
If you do not enter either active or passive, the passive mode is assumed.
Configuring the IGMP mode for a VLAN
If you specify an IGMP mode for a VLAN, it overrides the global setting. To set the IGMP mode for VLAN 20 to active, enter the following commands.
PowerConnect(config-vlan-20)# multicast disable-multicast-snoop
Syntax: [no] multicast disable-multicast-snoop
Disabling transmission and receipt of IGMP packets on a port
When a VLAN is snooping-enabled, all IGMP packets are trapped to the CPU without hardware VLAN flooding. The CPU can block IGMP packets to and from a multicast-disabled port, and does not add it to the output interfaces of hardware resources.
Syntax: [no] ip multicast query-interval
The parameter specifies the time between queries, from 10 to 3600 seconds. The default is 125 seconds.
Modifying the maximum response time
The maximum response time is the number of seconds a client may wait before responding to a query sent by the switch. The default is 10 seconds.
Configuring IGMP snooping 18 is the number of seconds from 1 to 5. The default is 2 seconds. Modifying the multicast cache age time You can set the time for an mcache to age out when it does not receive traffic. The traffic is hardware switched. One minute before aging out an mcache, the device mirrors a packet of this mcache to CPU to reset the age. If no data traffic arrives within one minute, this mcache is deleted.
18 Configuring IGMP snooping IGMP V3 membership tracking and fast leave IGMP V3 gives clients membership tracking and fast leave capability. In IGMP V2, only one client on an interface needs to respond to a router's queries. This can leave some clients invisible to the router, making it impossible to track the membership of all clients in a group.
Configuring PIM SM snooping 18 Syntax: [no] multicast fast-leave-v2 Fast convergence In addition to sending periodic general queries, an active device sends general queries when it detects a new port. However, because the device does not recognize the other device's port up event, multicast traffic might still require up to the query-interval time to resume after a topology change.
18 IGMP snooping show commands NOTE The device must be in passive mode before it can be configured for PIM SM snooping. To disable the feature, enter the following command. PowerConnect(config)# no ip pimsm-snooping If you also want to disable IP multicast traffic reduction, enter the following command. PowerConnect(config)# no ip multicast Syntax: [no] ip pimsm-snooping Enabling PIM SM snooping on a VLAN You can enable PIM SM snooping for a specific VLAN.
IGMP snooping show commands 18 PowerConnect# show ip multicast Summary of all vlans. Please use "sh ip mu vlan " for details Version=2, Intervals: Query=125, Group Age=260, Max Resp=10, Other Qr=260 VL10: cfg V3, vlan cfg passive, , pimsm (vlan cfg), 1 grp, 0 (SG) cache, no rtr port To display the IGMP snooping information for a specific VLAN , enter a command such as the following.
Syntax: show ip multicast error
The following table describes the output from the show ip multicast error command.
Table 0.3:
This field... Displays...
SW processed pkt – The number of multicast packets processed by IGMP snooping.
up-time – The time since IGMP snooping was enabled.
Displaying IGMP group information
To display information about IGMP groups, enter the following command.
IGMP snooping show commands 18 If you want a report for a specific multicast group, enter that group's address for . Enter detail to display the source list of a specific VLAN. Enter tracking for information on interfaces that have tracking enabled. The following table describes the information displayed by the show ip multicast group command. Table 0.4: This field... Displays... group The address of the group (destination address in this case, 224.1.1.
Table 0.5:
This field... Displays...
age – The mcache age. The mcache age is reset to 0 if traffic continues to arrive; otherwise the mcache is aged out when it reaches the time defined by the ip multicast mcache-age command.
uptime – The up time of this mcache in seconds.
vidx – The output port list index. The range is 4096 to 8191.
ref-cnt – The vidx is shared among mcaches that have the same output interfaces.
IGMP snooping show commands 18 Displaying the status of IGMP snooping traffic To display status information for IGMP snooping traffic, enter the following command.
18 PIM SM snooping show commands PIM SM snooping show commands This section shows how to display information about PIM SM snooping, including: • “Displaying PIM SM snooping information” • “Displaying PIM SM snooping information on a Layer 2 switch” • “Displaying PIM SM snooping information for a specific group or source group pair” Displaying PIM SM snooping information To display PIM SM snooping information, enter the following command.
PIM SM snooping show commands 18 Syntax: show ip pimsm-snooping vlan Enter the ID of the VLAN for the vlan parameter. If you want to display PIM SM snooping information for one source or one group, enter a command as in the following example. The command also displays the (source, port) list of the group. PowerConnect# show ip pimsm-snooping 239.255.163.2 Show pimsm snooping group 239.255.163.2 in all vlan VLAN ID 100 Group: 239.255.163.
18 Clear commands for IGMP snooping PowerConnect# show ip multicast pimsm-snooping 230.1.1.1 Show pimsm snooping group 230.1.1.1 in all vlans vlan 10,has 2 caches. 1 (*230.1.1.1) has 1 pim join ports out of 1 OIF 1(age=120) 1 has 1 src:20.20.20.66(120) To display PIM SM snooping information for a specific (source, group) pair, enter a command such as the following at any level of the CLI. PowerConnect# show ip multicast pimsm-snooping 230.2.2.2 20.20.20.66 Show pimsm snooping source 20.20.20.
Clear commands for IGMP snooping 18 The parameter specifies the specific VLAN to clear the cache. Clearing traffic on a specific VLAN To clear the traffic counters on a specific VLAN, enter the following command. PowerConnect# clear ip multicast vlan 10 traffic Syntax: clear ip multicast vlan traffic The parameter specifies the specific VLAN on which to clear the traffic counters.
Chapter 19 Configuring IP Multicast Protocols
This chapter describes how to configure Layer 3 Switches for Protocol Independent Multicast (PIM). Layer 3 Switches support the following IP multicast versions:
• Internet Group Management Protocol (IGMP) V1 and V2
• Internet Group Management Protocol (IGMP) V3
• PIM Dense mode (PIM DM) V1 (draft-ietf-pim-dm-05) and V2 (draft-ietf-pim-v2-dm-03)
• PIM Sparse mode (PIM SM) V2 (RFC 2362)
NOTE Each multicast protocol uses IGMP.
19 Overview of IP multicasting Mapping of IPv4 Multicast group addresses to Ethernet MAC addresses The IANA owns a block of Ethernet MAC addresses for Multicast usage that are in the range 0100.5e00.0000 through 0100.5e7F.FFFF. For a given IPv4 Multicast group, there is a simple way of obtaining the appropriate Ethernet Destination MAC address that must be used in Layer 2 encapsulation.
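The mapping the paragraph refers to, shown as an added example that is not part of the Dell guide: the low-order 23 bits of the IPv4 group address are copied into the low-order 23 bits of the IANA prefix 01-00-5E-00-00-00, which is exactly the range 0100.5e00.0000 through 0100.5e7F.FFFF the guide quotes. The 5 bits of the group address between the fixed 1110 prefix and those 23 bits are discarded, so 32 distinct groups share one destination MAC. That overlap matters for anyone relying on Layer 2 filtering of multicast: a switch that forwards by MAC alone cannot tell 224.1.1.1, 225.1.1.1 and 224.129.1.1 apart. The function names and the sample addresses below are constructed for this example.

```python
import ipaddress

# IANA multicast OUI prefix 01-00-5E with the low 23 bits cleared.
MAC_PREFIX = 0x01005E000000
LOW_23_BITS = 0x7FFFFF


def group_to_mac(group: str) -> str:
    """Layer 2 destination MAC for an IPv4 multicast group (RFC 1112 mapping)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = MAC_PREFIX | (int(addr) & LOW_23_BITS)
    # Render the 48-bit value as six colon-separated octets, most significant first.
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def aliases_for_mac(group: str) -> list[str]:
    """All 32 IPv4 multicast groups that map to the same MAC as `group`.

    The 5 discarded bits (bit 23 through bit 27 of the address) are enumerated
    below the fixed 1110 class-D prefix, so the result spans 224.x to 239.x.
    """
    low23 = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    return [
        str(ipaddress.IPv4Address((0xE << 28) | (bits << 23) | low23))
        for bits in range(32)
    ]


if __name__ == "__main__":
    # Constructed sample: the guide's own group 239.255.163.2 plus three aliases.
    for g in ("239.255.163.2", "224.1.1.1", "225.1.1.1", "224.129.1.1"):
        print(f"{g:16} -> {group_to_mac(g)}")
    print("groups sharing the MAC of 224.1.1.1:", len(aliases_for_mac("224.1.1.1")))
```

Run it to see that 224.1.1.1, 225.1.1.1 and 224.129.1.1 all produce 01:00:5e:01:01:01; a Layer 2 device that snoops IGMP and installs forwarding state per MAC will deliver every one of those groups to a port that joined only one of them.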
Changing global IP multicast parameters 19 • Leaf nodes: Routers that do not have any downstream routers. • Multicast Tree: A unique tree is built for each source group (S,G) pair. A multicast tree is comprised of a root node and one or more nodes that are leaf or intermediate nodes.
The parameter specifies the maximum number of multicast cache entries for PIM. Enter a number from 256 – 4096. The default is 1024.
Changing IGMP V1 and V2 parameters
IGMP allows devices to limit the forwarding of multicast packets to only those ports on the router that are identified as IP Multicast members. This section applies to devices that support IGMP versions 1 and 2.
Changing global IP multicast parameters 19 Modifying IGMP (V1 and V2) maximum response time Maximum response time defines how long the Layer 3 Switch will wait for an IGMP (V1 and V2) response from an interface before concluding that the group member on that interface is down and removing the interface from the group. Possible values are 1 – 10. The default is 10. To change the IGMP (V1 and V2) maximum response time, enter a command such as the following at the global CONFIG level of the CLI.
19 PIM Dense PIM Dense NOTE This section describes the “dense” mode of PIM, described in RFC 1075. Refer to “PIM Sparse” on page 478 for information about PIM Sparse. NOTE On PowerConnect B-Series TI24X devices, this feature is supported. PIM was introduced to simplify some of the complexity of the routing protocol at the cost of additional overhead tied with a greater replication of forwarded multicast packets.
PIM Dense 19 In Figure 86, switch S5 is a leaf node with no group members in its IGMP database. Therefore, the switch must be pruned from the multicast tree. S5 sends a prune message upstream to its neighbor switch S4 to remove itself from the multicast delivery tree and install a prune state, as seen in Figure 86. Switch S5 will not receive any further multicast traffic until the prune age interval expires.
[Figure 86: PIM Dense pruning. A video conferencing server is the source for group 229.225.0.1, shown as the (Source, Group) pair (207.95.5.1, 229.225.0.1). Switches S1 through S4 have group members attached. S5 is a leaf node with no group members and sends a prune message to its upstream switch S4. S6 is an intermediate node with no group members of its own; further group members for 229.225.0.1 are attached beyond it.]
PIM Dense 19 NOTE Version 2 is the default PIM DM version. The only difference between version 1 and version 2 is the way the protocol sends messages. The change is not apparent in most configurations. You can use version 2 instead of version 1 with no impact to your network. However, if you want to continue to use PIM DM V1 on an interface, you must change the version, then save the configuration.
PowerConnect(config)#router pim
PowerConnect(config-pim-router)#disable-pim
Syntax: [no] disable-pim
Use the [no] version of the command to re-enable PIM.
Enabling a PIM version
Using the CLI
To enable PIM on an interface, first enable PIM globally, then enable it on the interface. To enable PIM on interface 3, enter the following commands.
PowerConnect(config)#router pim
PowerConnect(config)#int e 3
PowerConnect(config-if-e10000-3)#ip address 207.95.5.
PIM Dense 19 Modifying hello timer This parameter defines the interval at which periodic hellos are sent out PIM interfaces. Routers use hello messages to inform neighboring routers of their presence. The default rate is 60 seconds. To apply a PIM hello timer of 120 seconds to all ports on the router operating with PIM, enter the following. PowerConnect(config)#router pim PowerConnect(config-pim-router)#hello-timer 120 Syntax: hello-timer <10-3600> The default is 60 seconds.
PowerConnect# show ip pim dense
Global PIM Dense Mode Settings
  Hello interval: 60, Neighbor timeout: 180
  Graft Retransmit interval: 10, Inactivity interval: 180
  Route Expire interval: 200, Route Discard interval: 340
  Prune age: 180, Prune wait: 3
Modifying graft retransmit timer
The Graft Retransmit Timer defines the interval between the transmission of graft messages. A graft message is sent by a router to cancel a prune state.
PIM Dense 19 When the Highest IP RPF feature is enabled, the selection of the shortest path back to the source is based on which Reverse Path Forwarding (RPF) neighbor in the IP routing table has the highest IP address, if the cost of the routes are the same. For example, in the table above, Gateway 137.80.129.1 will be chosen as the shortest path to the source because it is the RPF neighbor with the highest IP address. When choosing the RPF, the router first checks the Multicast Routing Table.
Syntax: ip pim ttl <1-31>
Dropping PIM traffic in hardware
Unwanted PIM Dense or PIM Sparse multicast traffic can be dropped in hardware on Layer 3 Switches. Refer to “Passive multicast route insertion” on page 501.
PIM Sparse
Devices support Protocol Independent Multicast (PIM) Sparse version 2. PIM Sparse provides multicasting that is especially suitable for widely distributed multicast environments. The Dell implementation is based on RFC 2362.
• PMBR – A PIM switch that has some interfaces within the PIM domain and other interfaces outside the PIM domain. PMBRs connect the PIM domain to the Internet.
NOTE You cannot configure a routing interface as a PMBR interface for PIM Sparse in the current software release.
• BSR – The Bootstrap Router (BSR) distributes RP information to the other PIM Sparse switches within the domain. Each PIM Sparse domain has one active BSR.
• Configure the following global parameter:
  • Enable the PIM Sparse mode of multicast routing.
• Configure the following interface parameters:
  • Configure an IP address on the interface.
  • Enable PIM Sparse.
  • Identify the interface as a PIM Sparse border, if applicable.
NOTE You cannot configure a routing interface as a PMBR interface for PIM Sparse in the current software release.
PIM Sparse 19 • Entering no router pim command to disable PIM does not require a software reload. • Entering a no router pim command removes all configuration for PIM multicast on a Layer 3 Switch (router pim level) only. Globally enabling and disabling PIM without deleting the multicast configuration As stated above entering a no router pim command deletes the PIM configuration. If you want to disable PIM without deleting any PIM configuration, enter the following command.
19 PIM Sparse PowerConnect(config)#router pim PowerConnect(config-pim-router)#bsr-candidate ethernet 2 30 255 BSR address: 207.95.7.1, hash mask length: 30, priority: 255 This command configures the PIM Sparse interface on port 2 as a BSR candidate, with a hash mask length of 30 and a priority of 255. The information shown in italics above is displayed by the CLI after you enter the candidate BSR configuration command.
PIM Sparse 19 You also can change the group numbers for which the Layer 3 Switch is a candidate RP by deleting address ranges. For example, to delete all addresses from 224.126.22.0 – 224.126.22.255, enter the following command. PowerConnect(config-pim-router)#rp-candidate delete 224.126.22.0 24 Syntax: rp-candidate delete The usage of the parameter is the same as for the rp-candidate add command.
19 PIM Sparse Changing the Shortest Path Tree (SPT) threshold In a typical PIM Sparse domain, there may be two or more paths from a DR (designated router) for a multicast source to a PIM group receiver: • Path through the RP – This is the path the Layer 3 Switch uses the first time it receives traffic for a PIM group. However, the path through the RP may not be the shortest path from the Layer 3 Switch to the receiver.
Syntax: [no] message-interval
The parameter specifies the number of seconds and can range from 1 to 65535. The default is 60.
Dropping PIM traffic in hardware
Unwanted PIM Dense or PIM Sparse multicast traffic can be dropped in hardware on Layer 3 Switches. Refer to “Passive multicast route insertion” on page 501.
On PowerConnect B-Series TI24X devices, anycast RP is supported on a fully-meshed topology.
RP2(config-lbif-1)# exit
RP2(config)# interface loopback 2
RP2(config-lbif-2)# ip ospf area 0
RP2(config-lbif-2)# ip ospf passive
RP2(config-lbif-2)# ip address 10.1.1.2/32
RP2(config-lbif-2)# exit
RP2(config)# interface ethernet 1
RP2(config-if-e10000-1)# ip ospf area 0
RP2(config-if-e10000-1)# ip address 192.1.1.
The configuration examples demonstrate the commands required to enable this application.
[Figure 88: Anycast enabled network in a triangular mesh topology. RP 1, RP 2 and RP 3 are fully meshed with MSDP and sit in OSPF Area 0. Each RP has a unique Loopback 1 address (RP 1: 100.1.1.1, RP 2: 100.1.1.2, RP 3: 100.1.1.3) and all three share the anycast address 100.2.1.1 on Loopback 2. The ports labeled in the figure are 1 (RP 1 to RP 2), 3 (RP 2 to RP 3) and 5 (RP 1 to RP 3).]
RP 1 Configuration
The following commands provide the configuration for the RP 1 router in Figure 88.
RP 2 Configuration
The following commands provide the configuration for the RP 2 router in Figure 88.
RP2(config)#router ospf
RP2(config-ospf-router)# area 0
RP2(config-ospf-router)# exit
RP2(config)# interface loopback 1
RP2(config-lbif-1)# ip ospf area 0
RP2(config-lbif-1)# ip ospf passive
RP2(config-lbif-1)# ip address 100.1.1.
RP3(config-if-e10000-3)# ip address 192.2.1.3/24
RP3(config-if-e10000-3)# ip pim-sparse
RP3(config)# interface ethernet 5
RP3(config-if-e10000-5)# ip ospf area 0
RP3(config-if-e10000-5)# ip ospf cost 2
RP3(config-if-e10000-5)# ip address 192.3.1.3/24
RP3(config-if-e10000-5)# ip pim-sparse
RP3(config-if-e10000-5)# exit
RP3(config)# router pim
RP3(config-pim-router)# rp-address 100.2.1.1
RP3(config-pim-router)# exit
RP3(config)# router msdp
RP3(config-msdp-router)# msdp-peer 100.1.1.
PowerConnect# show ip pim sparse
Global PIM Sparse Mode Settings
  Hello interval: 60, Neighbor timeout: 180
  Bootstrap Msg interval: 130, Candidate-RP Advertisement interval: 60
  Join/Prune interval: 60, SPT Threshold: 1
Interface Ethernet e8
  TTL Threshold: 1, Enabled
  Local Address: 207.95.8.1
Interface Ve 1
  TTL Threshold: 1, Enabled
  Local Address: 207.95.6.1
Syntax: show ip pim sparse
This example shows the PIM Sparse configuration information on PIM Sparse router A in Figure 87.
PIM Sparse TABLE 75 19 Output of show ip pim sparse (Continued) This field... Displays... PIM Sparse interface information NOTE: You also can display IP multicast interface information using the show ip pim interface command. However, this command lists all IP multicast interfaces, including regular PIM (dense mode) interfaces. The show ip pim sparse command lists only the PIM Sparse interfaces. Interface The type of interface and the interface number.
PowerConnect# show ip pim bsr
PIMv2 Bootstrap information
This system is the elected Bootstrap Router (BSR)
  BSR address: 207.95.7.1
  Uptime: 00:33:52, BSR priority: 5, Hash mask length: 32
  Next bootstrap message in 00:00:20
  Next Candidate-RP-advertisement in 00:00:10
  RP: 207.95.7.1
  group prefixes: 224.0.0.0 / 4
  Candidate-RP-advertisement period: 60
This example shows information displayed on a Layer 3 Switch that has been elected as the BSR.
TABLE 77 Output of show ip pim bsr (Continued)
This field... Displays...
group prefixes – Indicates the multicast groups for which the RP listed by the previous field is a candidate RP.
NOTE: This field appears only if this Layer 3 Switch is the BSR.
Candidate-RP-advertisement period – Indicates how frequently candidate RPs send candidate RP advertisement messages to the BSR.
NOTE: This field appears only if this Layer 3 Switch is the BSR.
TABLE 78 Output of show ip pim resource
This field... Displays...
alloc – Number of nodes of that data type currently allocated in memory.
in-use – Number of allocated nodes in use.
avail – Number of allocated nodes that are not in use.
allo-fail – Number of node allocations that failed.
up-limit – Maximum number of nodes that can be allocated for a data structure.
TABLE 79 Output of show ip pim rp-candidate (Continued)
This field... Displays...
group prefixes – Indicates the multicast groups for which the RP listed by the previous field is a candidate RP.
NOTE: This field appears only if this Layer 3 Switch is a candidate RP.
Candidate-RP-advertisement period – Indicates how frequently this Layer 3 Switch sends candidate RP advertisement messages to the BSR.
NOTE: This field appears only if this Layer 3 Switch is a candidate RP.
19 PIM Sparse TABLE 81 Output of show ip pim rp-hash This field... Displays... RP Indicates the IP address of the Rendezvous Point (RP) for the specified PIM Sparse group. Following the IP address is the port or virtual interface through which this Layer 3 Switch learned the identity of the RP. Info source Indicates the IP address on which the RP information was received. Following the IP address is the method through which this Layer 3 Switch learned the identity of the RP.
PowerConnect# show ip pim nbr
Port  Neighbor     Holdtime sec  Age sec  UpTime sec
e8    207.95.8.10  180           60       900
v1    207.95.6.2   180           60       900
Syntax: show ip pim nbr
This display shows the following information.
TABLE 83 Output of show ip pim nbr
This field... Displays...
Port – The interface through which the Layer 3 Switch is connected to the neighbor.
Neighbor – The IP interface of the PIM neighbor interface.
19 PIM Sparse PowerConnect# show ip pim flowcache 238.0.0.1 Multicast flow (24.1.1.100 238.0.0.1): Vidx for source vlan forwarding: 2080 [mcastPrintMll]: vrId 0, ipGrp 238.0.0.1, grpPrefix 32, ipSrc 24.1.1.100, srcPre 32, nextHopIdx 0 1 flow printed Syntax: show ip pim flowcache This display shows the following information. TABLE 84 Output of show ip pim flowcache This field... Displays... Source Indicates the source of the PIM Sparse group. Group Indicates the PIM Sparse group.
PIM Sparse TABLE 85 19 Output of show ip pim mcache (Continued) This field... Displays... forward port The port through which the Layer 3 Switch reaches the source. Count The number of packets forwarded using this cache entry. Sparse Mode Indicates whether the cache entry is for regular PIM (dense mode) or PIM Sparse. This flag can have one of the following values: • 0 – The entry is not for PIM Sparse (and is therefore for the dense mode of PIM). • 1– The entry is for PIM Sparse.
PowerConnect# show ip pim traffic
[Output: per-port PIM counters for ports e8, v1 and v2, with Rx and Tx columns for Hello, J/P, Register, RegStop and Assert messages, followed by a Total line and IGMP Statistics: Total Recv/Xmit 85/110, Total Discard/chksum 0/0.]
Syntax: show ip pim traffic
Passive multicast route insertion 19 This command displays the number of warnings and non-zero PIM errors on the device. This count can increase during transition periods such as reboots and topology changes; however, if the device is stable, the number of errors should not increase. If warnings keep increasing in a stable topology, then there may be a configuration error or problems on the device. To clear the counter for PIM errors, enter the following command.
For PowerConnect B-Series TI24X devices, you must configure a fully meshed topology between MSDP peers. This is mandated for this release because of the lack of an EGP that provides a peer RPF check for SA messages that are forwarded between MSDP peers. PIM Sparse routers use MSDP to register PIM Sparse multicast sources in a domain with the Rendezvous Point (RP) for that domain. Figure 89 shows an example of some PIM Sparse domains.
Multicast Source Discovery Protocol (MSDP) 19 The RP sends the source information to each of its peers by sending a Source Active message. The message contains the IP address of the source, the group address to which the source is sending, and the IP address of the RP interface with its peer. By default, the IP address included in the RP address field of the SA message is the IP address of the originating RP.
Some MSDP routers that are also RPs can cache Source Active messages. An RP that does not cache Source Active messages sends a Join message only if it already has a receiver that wants to join the group; otherwise it forwards the Source Active message and does not retain its contents.
Multicast Source Discovery Protocol (MSDP) 19 The connect-source loopback parameter specifies the loopback interface you want to use as the source for sessions with the neighbor. NOTE It is strongly recommended that you use the connect-source loopback parameter when issuing the msdp-peer command. If you do not use this parameter, the Layer 3 Switch uses the subnet interface configured on the port.
19 Multicast Source Discovery Protocol (MSDP) Filtering MSDP source-group pairs The following commands allow you to filter individual source-group pairs in MSDP Source-Active messages: • sa-filter in – Filters source-group pairs received in Source-Active messages from an MSDP neighbor • sa-filter originate – Filters source-group pairs in Source-Active messages in advertisements to an MSDP neighbor Filtering incoming source-active messages The following example configures filters for incoming Source-Act
PowerConnect(config)# router msdp
PowerConnect(config-msdp-router)# msdp-peer 2.2.2.99 connect-source loopback 1
PowerConnect(config-msdp-router)# msdp-peer 2.2.2.97 connect-source loopback 1
PowerConnect(config-msdp-router)# msdp-peer 2.2.2.96 connect-source loopback 1
The following commands configure the Source-Active filters.
PowerConnect(config)# router msdp
PowerConnect(config-msdp-router)# sa-filter in 2.2.2.
19 Multicast Source Discovery Protocol (MSDP) Example The following commands configure an IP address on port 3/1. This is the port on which the MSDP neighbors will be configured. PowerConnect(config)# interface ethernet 3/1 PowerConnect(config-if-3/1)# ip address 2.2.2.98/24 PowerConnect(config-if-3/1)# exit The following commands configure a loopback interface. The Layer 3 Switch will use this interface as the source address for communicating with the MSDP neighbors.
Multicast Source Discovery Protocol (MSDP) 19 MSDP mesh groups A PIM Sparse domain can have several RPs that are connected to each other to form an MSDP mesh group. To qualify as a mesh group, the RPs have to be fully meshed; that is, each RP must be connected to all peer RPs in a domain. (See Figure 90.) A mesh group reduces the forwarding of SA messages within a domain. Instead of having every RP in a domain forward SA messages to all the RPs within that domain, only one RP forwards the SA message.
Example configuration
In Figure 90, devices A, B, C, and D are in Mesh Group 1234. The example configuration following the figure shows how the devices are configured to be part of the MSDP mesh group. The example also shows the features that need to be enabled for the MSDP mesh group to work.
[Figure 90: MSDP mesh group 1234 inside PIM Sparse Domain 10. Device C has loopback address 1.1.3.1 and a peer outside the mesh group at 35.35.35.5; Device D has loopback address 1.1.4.1 and a peer outside the mesh group at 134.134.134.]
PowerConnect(config)# interface loopback 1
PowerConnect(config-lbif-1)# ip address 1.1.1.1 255.255.255.0
PowerConnect(config-lbif-1)# ip pim-sparse
PowerConnect(config-lbif-1)# exit
PowerConnect(config)# interface ethernet 1/1
PowerConnect(config-if-1/1)# ip address 14.14.14.1 255.255.255.0
PowerConnect(config-if-1/1)# ip pim-sparse
PowerConnect(config-if-1/1)# exit
PowerConnect(config)# interface ethernet 2/1
PowerConnect(config-if-2/1)# ip address 12.12.12.
PowerConnect(config)# router msdp
PowerConnect(config-msdp-router)# msdp-peer 1.1.3.1 connect-source loopback 1
PowerConnect(config-msdp-router)# msdp-peer 1.1.1.1 connect-source loopback 1
PowerConnect(config-msdp-router)# msdp-peer 1.1.4.1 connect-source loopback 1
PowerConnect(config-msdp-router)# mesh-group 1234 1.1.1.1
PowerConnect(config-msdp-router)# mesh-group 1234 1.1.3.
The following set of commands configures the MSDP peers of Device C (1.1.3.1) that are inside and outside MSDP mesh group 1234. Device C peers inside mesh group 1234 are 1.1.1.1, 1.1.2.1, and 1.1.4.1. Device 35.35.35.5 is a peer of Device C, but is outside mesh group 1234. Multicast is enabled on Device C interfaces. PIM and BGP are also enabled. This configuration is not applicable to PowerConnect devices because BGP is not supported on them.
PowerConnect(config-router-bsr)# neighbor 32.32.32.2 next-hop-self
PowerConnect(config-router-bsr)# neighbor 34.34.34.4 remote-as 444
PowerConnect(config-router-bsr)# neighbor 34.34.34.4 next-hop-self
PowerConnect(config-router-bsr)# neighbor 31.31.31.1 remote-as 111
PowerConnect(config-router-bsr)# neighbor 31.31.31.
Multicast Source Discovery Protocol (MSDP) PowerConnect(config)# router pim PowerConnect(config-router-pim)# PowerConnect(config-router-pim)# PowerConnect(config-router-pim)# PowerConnect(config)# router bgp PowerConnect(config-router-bsr)# PowerConnect(config-router-bsr)# PowerConnect(config-router-bsr)# PowerConnect(config-router-bsr)# PowerConnect(config-router-bsr)# PowerConnect(config-router-bsr)# PowerConnect(config-router-bsr)# PowerConnect(config-router-bsr)# PowerConnect(config-router-bsr)# PowerC
19 Multicast Source Discovery Protocol (MSDP) TABLE 87 MSDP summary information This field... Displays... Peer Address The IP address of the peer interface with the Layer 3 Switch State The state of the MSDP router connection with the peer. The state can be one of the following: • CONNECT – The session is in the active open state. • ESTABLISH – The MSDP session is fully up. • IDLE– The session is idle or inactive. • LISTEN – The session is in the passive open state.
Multicast Source Discovery Protocol (MSDP) 19 This display shows the following information. TABLE 88 MSDP peer information This field... Displays... Total number of MSDP peers The number of MSDP peers configured on the Layer 3 Switch IP Address The IP address of the peer interface with the Layer 3 Switch State The state of the MSDP router connection with the peer. The state can be one of the following: • CONNECT – The session is in the active open state.
TABLE 88 MSDP peer information (Continued)
This field... Displays...
Notification Message Error SubCode Transmitted – See above.
TCP Statistics
TCP connection state – The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
Multicast Source Discovery Protocol (MSDP) TABLE 88 19 MSDP peer information (Continued) This field... Displays... RcvQue The number of sequence numbers in the receive queue. SendQue The number of sequence numbers in the send queue. Displaying source active cache information To display the Source Actives in the MSDP cache, use the following CLI method.
19 Using ACLs to control multicast features Clearing peer information To clear MSDP peer information, enter the following command at the Privileged EXEC level of the CLI: PowerConnect# clear ip msdp peer 205.216.162.1 Remote connection closed Syntax: clear ip msdp peer The command in this example clears the MSDP peer connection with MSDP router 205.216.162.1. The CLI displays a message to indicate when the connection has been successfully closed.
Using ACLs to control multicast features 19 To configure an RP that covers multicast groups in 239.255.162.x, enter commands such as the following. PowerConnect(config)#access-list 2 permit 239.255.162.0 0.0.0.255 PowerConnect(config)#router pim PowerConnect(config-pim-router)#rp-address 43.43.43.1 2 To configure an RP that covers multicast groups in the 239.255.162.x range, except the 239.255.162.2 group, enter commands such as the following. PowerConnect(config)#access-list 5 deny host 239.255.162.
PowerConnect#show ip pim rp-map
Number of group-to-RP mappings: 6
    Group address    RP address
1   239.255.163.1    43.43.43.1
2   239.255.163.2    43.43.43.1
3   239.255.163.3    43.43.43.1
4   239.255.162.1    99.99.99.5
5   239.255.162.2    99.99.99.5
6   239.255.162.3    99.99.99.5
The display shows the multicast group addresses covered by the RP candidate and the IP address of the RP for the listed multicast group.
Configuring a static multicast route 19 PowerConnect(config)#router pim PowerConnect(config-pim-router)#bsr-candidate loopback 1 32 100 PowerConnect(config-pim-router)#rp-candidate loopback 1 group-list 5 Syntax: [no] rp-candidate ethernet | loopback | ve [group-list ] The | loopback | ve parameter specifies the interface.
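The group-to-RP mapping that the rp-address and rp-candidate group-list examples above produce from a standard ACL, worked through as an added example that is not part of the Dell guide. It models the ACL syntax the guide uses (access-list N permit|deny host A, or access-list N permit|deny A WILDCARD, where 0 bits of the wildcard must match) and then resolves groups to RPs the way the show ip pim rp-map output lists them. Two assumptions are not stated by the guide and are marked in the code: ACL entries are evaluated in order with the first match winning and an implicit deny at the end, and when several rp-address bindings are configured the first binding whose ACL permits the group is used. The configuration lines and group addresses below are constructed for the example; the one deliberately denied group shows why a deny entry must precede the broader permit.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    address: int   # IPv4 address as an integer
    wildcard: int  # wildcard mask: 0 bits must match, 1 bits are don't-care


def parse_acl_line(line: str) -> tuple[int, AclEntry]:
    """Parse one 'access-list <n> permit|deny host <a>' or '... <a> <wildcard>' line."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported access-list line: {line!r}")
    number, action = int(parts[1]), parts[2]
    if parts[3] == "host":
        address, wildcard = int(ipaddress.IPv4Address(parts[4])), 0
    else:
        address = int(ipaddress.IPv4Address(parts[3]))
        wildcard = int(ipaddress.IPv4Address(parts[4]))
    return number, AclEntry(action, address, wildcard)


def acl_permits(entries: list[AclEntry], group: str) -> bool:
    """First-match evaluation with implicit deny (assumption: standard ACL semantics)."""
    g = int(ipaddress.IPv4Address(group))
    for e in entries:
        care = ~e.wildcard & 0xFFFFFFFF  # bits that must be equal
        if (g & care) == (e.address & care):
            return e.action == "permit"
    return False


def build_rp_config(lines: list[str]):
    """Collect ACLs and rp-address bindings from a constructed config excerpt."""
    acls: dict[int, list[AclEntry]] = {}
    bindings: list[tuple[str, int]] = []  # (rp address, acl number) in configured order
    for raw in lines:
        line = raw.strip()
        if line.startswith("access-list "):
            number, entry = parse_acl_line(line)
            acls.setdefault(number, []).append(entry)
        elif line.startswith("rp-address "):
            _, rp, number = line.split()
            bindings.append((rp, int(number)))
    return acls, bindings


def rp_for_group(acls, bindings, group: str):
    """Assumption: the first rp-address binding whose ACL permits the group wins."""
    for rp, number in bindings:
        if acl_permits(acls.get(number, []), group):
            return rp
    return None  # no RP covers this group


def rp_map(acls, bindings, groups):
    return {g: rp_for_group(acls, bindings, g) for g in groups}


# Constructed configuration for this example (not from the guide).
CONSTRUCTED_CONFIG = [
    "access-list 2 permit 239.255.163.0 0.0.0.255",
    "access-list 5 deny host 239.255.162.2",
    "access-list 5 permit 239.255.162.0 0.0.0.255",
    "rp-address 43.43.43.1 2",
    "rp-address 99.99.99.5 5",
]

if __name__ == "__main__":
    acls, bindings = build_rp_config(CONSTRUCTED_CONFIG)
    groups = ["239.255.163.1", "239.255.162.1", "239.255.162.2", "239.255.164.1"]
    for group, rp in rp_map(acls, bindings, groups).items():
        print(f"{group:16} {rp or 'no RP'}")
```

The ordering of the two entries in access-list 5 is the point to check when auditing such a configuration: if the permit for 239.255.162.0/24 came first, the deny for 239.255.162.2 would never be reached and that group would be mapped to 99.99.99.5 after all.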
19 Configuring a static multicast route NOTE The ethernet parameter does not apply to PIM SM. The distance parameter sets the administrative distance for the route. When comparing multiple paths for a route, the Layer 3 Switch prefers the path with the lower administrative distance. NOTE Regardless of the administrative distances, the Layer 3 Switch always prefers directly connected routes over other routes. The rpf_address parameter specifies an RPF number.
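The RPF selection that the static multicast route passage above and the earlier Highest IP RPF passage describe, combined in one added example that is not part of the Dell guide. It follows the rules the guide states: the static multicast routing table is consulted before the unicast table, a directly connected route is always preferred, a lower administrative distance beats a higher one, and with the highest-IP option enabled an equal-cost tie goes to the RPF neighbor with the highest IP address. Longest-prefix matching within a table, the Route record layout, the flag name highest_ip_rpf and the sample tables are assumptions constructed for this example. The final function is the check a forwarding engine would make: a packet from a source is accepted only if it arrived on the interface the RPF lookup selects, which is what stops spoofed multicast traffic injected on the wrong side of the tree.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "137.80.0.0/16"
    next_hop: str    # RPF neighbor; "0.0.0.0" marks a directly connected route
    distance: int    # administrative distance
    cost: int        # protocol metric
    interface: str   # interface the route points out of


def _prefixlen(route: Route) -> int:
    return ipaddress.IPv4Network(route.prefix).prefixlen


def longest_match(table: list[Route], source: str) -> list[Route]:
    """All routes in `table` covering `source` with the longest prefix (assumed lookup rule)."""
    src = ipaddress.IPv4Address(source)
    hits = [r for r in table if src in ipaddress.IPv4Network(r.prefix)]
    if not hits:
        return []
    best = max(_prefixlen(r) for r in hits)
    return [r for r in hits if _prefixlen(r) == best]


def select_rpf(static_mroutes, unicast_routes, source: str, highest_ip_rpf: bool = False):
    """Pick the RPF route for `source` using the guide's stated preference order."""
    # Static multicast routes are checked before the unicast routing table.
    cands = longest_match(static_mroutes, source) or longest_match(unicast_routes, source)
    if not cands:
        return None
    # Directly connected routes win regardless of administrative distance.
    connected = [r for r in cands if r.next_hop == "0.0.0.0"]
    if connected:
        return connected[0]
    best_dist = min(r.distance for r in cands)
    cands = [r for r in cands if r.distance == best_dist]
    best_cost = min(r.cost for r in cands)
    cands = [r for r in cands if r.cost == best_cost]
    if len(cands) > 1 and highest_ip_rpf:
        # Equal cost: prefer the RPF neighbor with the highest IP address.
        return max(cands, key=lambda r: int(ipaddress.IPv4Address(r.next_hop)))
    return cands[0]  # without the option, keep the first installed path


def rpf_check(static_mroutes, unicast_routes, source: str, arrival_interface: str,
              highest_ip_rpf: bool = False) -> bool:
    """True only if the packet from `source` arrived on the interface RPF selects."""
    route = select_rpf(static_mroutes, unicast_routes, source, highest_ip_rpf)
    return route is not None and route.interface == arrival_interface


# Constructed sample tables for this example (not from the guide).
UNICAST_ROUTES = [
    Route("137.80.0.0/16", "137.80.128.1", 110, 10, "e1"),
    Route("137.80.0.0/16", "137.80.129.1", 110, 10, "e2"),  # equal cost to e1
    Route("10.1.1.0/24", "0.0.0.0", 0, 0, "e4"),            # directly connected
    Route("10.1.1.0/24", "10.2.2.2", 1, 0, "e5"),
]
STATIC_MROUTES = [
    Route("137.80.200.0/24", "192.168.1.1", 1, 0, "e3"),     # overrides unicast for this /24
]

if __name__ == "__main__":
    for src in ("137.80.200.5", "137.80.7.7", "10.1.1.9", "192.0.2.1"):
        chosen = select_rpf(STATIC_MROUTES, UNICAST_ROUTES, src, highest_ip_rpf=True)
        print(f"{src:14} -> {chosen.next_hop + ' via ' + chosen.interface if chosen else 'no RPF route'}")
```

With the highest-IP option off, the two equal-cost 137.80.0.0/16 paths resolve to whichever entry is first in the table, which is why a topology with parallel equal-cost links can see RPF flaps after a reload unless the tie-break is deterministic.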
Tracing a multicast route

The Dell implementation of Mtrace is based on “A ‘traceroute’ facility for IP Multicast”, an Internet draft by S. Casner and B. Fenner.

To trace a PIM route, use the following CLI method.

To trace a PIM route to PIM source 209.157.24.62 in group 239.255.162.1, enter a command such as the following.

PowerConnect#mtrace source 209.157.24.62 group 239.255.162.1
Type Control-c to abort
Tracing the route for tree 209.157.23.188
0 0 1 2 3 207.95.7.2 207.
Displaying the multicast configuration for another multicast router

To display another PIM router's PIM configuration, enter a command such as the following.

PowerConnect#mrinfo 207.95.8.1
207.95.8.1 -> 207.95.8.10 [PIM/0 /1]
207.95.10.2 -> 0.0.0.0 [PIM/0 /1 /leaf]
209.157.25.1 -> 0.0.0.0 [PIM/0 /1 /leaf]
209.157.24.1 -> 0.0.0.0 [PIM/0 /1 /leaf]
207.95.6.1 -> 0.0.0.0 [PIM/0 /1 /leaf]
128.2.0.1 -> 0.0.0.
IGMP V3

The Internet Group Management Protocol (IGMP) allows an IPv4 interface to communicate IP Multicast group membership information to its neighboring routers. The routers in turn limit the multicast of IP packets with multicast destination addresses to only those interfaces on the router that are identified as IP Multicast group members.

This release introduces the support of IGMP version 3 (IGMP V3) on Layer 3 Switches.
Default IGMP version

IGMP V3 is available on devices; however, devices are shipped with IGMP V2 enabled. You must enable IGMP V3 globally or per interface. Also, you must specify what version of IGMP you want to run on a device globally, on each interface (physical port or virtual routing interface), and on each physical port within a virtual routing interface. If you do not specify an IGMP version, IGMP V2 will be used.
To specify the IGMP version for a virtual routing interface on a physical port, enter a command such as the following.

PowerConnect(config)# interface ve 3
PowerConnect(config-vif-3)# ip igmp version 3

Syntax: [no] ip igmp version

Enter 1, 2, or 3 for . Version 2 is the default version.
For example, two clients (Client A and Client B) belong to group1 but each is receiving traffic streams from different sources. Client A receives a stream from (source_1, group1) and Client B receives it from (source_2, group1). The router still waits for three seconds before it stops the traffic because the two clients are in the same group. If the clients are in different groups, then the three second waiting period is not applied and traffic is stopped immediately.
The parameter specifies the maximum number of seconds for the response time. Enter a value from 1 – 10. The default is 10.

IGMP V3 and source specific multicast protocols

Enabling IGMP V3 enables source specific multicast (SSM) filtering for PIM Dense (PIM-DM) for multicast group addresses in the 224.0.1.0 through 239.255.255.255 address range.
PowerConnect#show ip igmp group
Interface v18 : 1 groups
     group          phy-port  static  querier  life  mode     #_src
1    239.0.0.1      e20       no      yes            include  19
Interface v110 : 3 groups
     group          phy-port  static  querier  life  mode     #_src
2    239.0.0.1      e5        no      yes            include  10
3    239.0.0.1      e6        no      yes      100   exclude  13
4    224.1.10.1     e5        no      yes            include  1

To display the status of one IGMP multicast group, enter a command such as the following.

PowerConnect#show ip igmp group 239.0.0.1 detail
Display group 239.0.0.1 in all interfaces.
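The following program is an added example, not code from the Dell guide, showing how the include/exclude mode and source list reported for a group decide whether a given source's traffic is forwarded on an interface. The rule for merging several hosts' records into one interface state is the one in RFC 3376 section 3.2, not a description of the switch's implementation; the sample reports are constructed.

```python
"""Added example (not from the Dell guide): how IGMPv3 include/exclude state
decides whether a source's traffic is forwarded. Merge rule per RFC 3376 3.2;
the sample membership reports are constructed."""
from typing import Dict, FrozenSet, Iterable, List, Tuple

Record = Tuple[str, FrozenSet[str]]   # ("include" | "exclude", source addresses)


def merge_records(records: Iterable[Record]) -> Record:
    """Combine the records of all hosts for one group on one interface.

    If any host reports EXCLUDE, the interface state is
    EXCLUDE(intersection of the EXCLUDE lists minus the union of the INCLUDE lists);
    otherwise it is INCLUDE(union of the INCLUDE lists).
    """
    includes: set = set()
    excludes = None
    for mode, sources in records:
        if mode == "include":
            includes |= set(sources)
        elif mode == "exclude":
            excludes = set(sources) if excludes is None else excludes & set(sources)
        else:
            raise ValueError(f"unknown filter mode {mode!r}")
    if excludes is None:
        return ("include", frozenset(includes))
    return ("exclude", frozenset(excludes - includes))


def forwards(state: Record, source: str) -> bool:
    """True if traffic from `source` should be sent on the interface."""
    mode, sources = state
    return source in sources if mode == "include" else source not in sources


def interface_states(reports: Dict[str, List[Record]]) -> Dict[str, Record]:
    """reports: group address -> records received from hosts on that interface."""
    return {group: merge_records(recs) for group, recs in reports.items()}


# Constructed reports for one interface, in the spirit of the v110 entries above:
# one host wants 239.0.0.1 only from 10.1.1.1 (SSM-style), another wants it from
# every source except 10.1.1.1 and 10.2.2.2, and a v2-style host joins 224.1.10.1.
SAMPLE_REPORTS: Dict[str, List[Record]] = {
    "239.0.0.1": [("include", frozenset({"10.1.1.1"})),
                  ("exclude", frozenset({"10.1.1.1", "10.2.2.2"}))],
    "224.1.10.1": [("exclude", frozenset())],   # EXCLUDE {} means any source
}


def sample_decisions() -> Dict[Tuple[str, str], bool]:
    """Evaluate a few (group, source) pairs against the merged sample state."""
    states = interface_states(SAMPLE_REPORTS)
    probes = [("239.0.0.1", "10.1.1.1"), ("239.0.0.1", "10.2.2.2"),
              ("239.0.0.1", "10.3.3.3"), ("224.1.10.1", "192.0.2.7")]
    return {(g, s): forwards(states[g], s) for g, s in probes}


if __name__ == "__main__":
    for (group, source), ok in sample_decisions().items():
        print(f"{group} from {source}: {'forward' if ok else 'filter'}")
```

Note that 10.1.1.1 is forwarded even though one host excludes it: the include list of the other host wins, which is exactly why the merged exclude list subtracts the union of include lists.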
TABLE 90 Output of show ip igmp group (Continued)

This field / Displays
Static: A “yes” entry in this column indicates that the multicast group was configured as a static group; “No” means it was not. Static multicast groups can be configured in IGMP V2 using the ip igmp static command. In IGMP V3, static sources cannot be configured in static groups.
Enter ve and its or ethernet and its to display information for a specific virtual routing interface or ethernet interface. Entering an address for displays information for a specified group on the specified interface.

The report shows the following information.

TABLE 91 Output of show ip igmp interface

This field / Displays
Query interval: Displays how often a querier sends a general query on the interface.
TABLE 92 Output of show ip igmp traffic (Continued)

This field / Displays
MbrV2: The IGMP V2 membership report.
MbrV3: The IGMP V3 membership report.
Leave: Number of IGMP V2 “leave” messages on the interface. (See ToEx for IGMP V3.)
IsIN: Number of source addresses that were included in the traffic.
IsEX: Number of source addresses that were excluded in the traffic.
ToIN: Number of times the interface mode changed from exclude to include.
Also note the following limitations:
• IGMP Proxy cannot be enabled on the same interface on which PIM SM or PIM DM is enabled.
• IGMP Proxy is only supported in a PIM Dense environment where there are IGMP clients connected to the Dell device. The Dell device will not send IGMP reports on an IGMP proxy interface for remote clients connected to a PIM neighbor, as it will not be aware of groups that the remote clients are interested in.
Chapter 20 Configuring LLDP

This chapter describes how to configure the LLDP protocol:

Link layer discovery protocol (LLDP) – The Layer 2 network discovery protocol described in the IEEE 802.1AB standard, Station and Media Access Control Connectivity Discovery. This protocol enables a station to advertise its capabilities to, and to discover, other LLDP-enabled stations in the same 802 LAN segments. LLDP enables network discovery between Network Connectivity devices (such as switches).
LLDP overview

LLDP enables a station attached to an IEEE 802 LAN/MAN to advertise its capabilities to, and to discover, other stations in the same 802 LAN segments. The information distributed by LLDP (the advertisement) is stored by the receiving device in a standard Management Information Base (MIB), accessible by a Network Management System (NMS) using a management protocol such as the Simple Network Management Protocol (SNMP).
General operating principles

• Enables discovery of stations in multi-vendor environments
• Network Inventory Data:
  • Supports optional system name, system description, system capabilities and management address
  • System description can contain the device product name or model number, version of hardware type, and operating system
  • Provides device capability, such as switch, router, or WLAN access port
• Network troubleshooting:
  • Information generated by LLDP can be used to detect speed and duplex
When an LLDP agent receives LLDP packets, it checks to ensure that the LLDPDUs contain the correct sequence of mandatory TLVs, then validates optional TLVs. If the LLDP agent detects any errors in the LLDPDUs and TLVs, it drops them in software. TLVs that are not recognized but do not contain basic formatting errors are assumed to be valid and are assigned a temporary identification index and stored for possible later retrieval by network management.
• Chassis ID (mandatory)
• Port ID (mandatory)
• Time to Live (mandatory)
• Port description
• System name
• System description
• System capabilities
• Management address
• End of LLDPDU

• Organizationally-specific TLVs are optional in LLDP implementations and are defined and encoded by individual organizations or vendors. These TLVs include support for, but are not limited to, the IEEE 802.1 and 802.3 standards and the TIA-1057 standard.
TABLE 93 Chassis ID subtypes

ID subtype / Description
3: Port component
4: MAC address
5: Network address
6: Interface name
7: Locally assigned
8 – 255: Reserved

Devices use chassis ID subtype 4, the base MAC address of the device. Other third party devices may use a chassis ID subtype other than 4.

The chassis ID will appear similar to the following on the remote device, and in the CLI display output on the device (show lldp local-info).
MIB support

Time to Live (TTL)

TLV layout: TLV Type = 3 (7 bits), TLV Information String Length = 2 (9 bits), TTL value (2 octets)

The Time to Live (TTL) Value is the length of time the receiving device should maintain the information acquired by LLDP in its MIB. The TTL value is automatically computed based on the LLDP configuration settings.

The TTL value will appear similar to the following on the remote device, and in the CLI display output on the device (show lldp local-info).
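The following program is an added example, not code from the Dell guide, that decodes an LLDPDU and applies the check described above: the mandatory Chassis ID, Port ID and Time to Live TLVs must come first and in that order, malformed frames are dropped, and well-formed but unrecognized TLVs are kept. The two-octet TLV header (7-bit type, 9-bit length) and the TTL formula min(65535, transmit interval x holdtime multiplier) are taken from IEEE 802.1AB; the sample LLDPDU is constructed here, borrowing the MAC addresses and system name from the show lldp local-info output on the page.

```python
"""Added example (not from the Dell guide): decoding an LLDPDU and enforcing
the mandatory TLV sequence (Chassis ID, Port ID, Time to Live) an LLDP agent
checks before accepting a frame. TLV layout follows IEEE 802.1AB; the sample
LLDPDU below is constructed for this example."""
import struct
from typing import Any, Dict, List, Optional, Tuple

END_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
OPTIONAL = {4: "port_description", 5: "system_name", 6: "system_description",
            7: "system_capabilities", 8: "management_address"}
TEXT_TLVS = {4, 5, 6}
MAX_TTL = 65535


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into a two-octet header."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def transmit_ttl(tx_interval: int, hold_multiplier: int) -> int:
    """TTL the sender puts in the TTL TLV: min(65535, interval x holdtime multiplier)."""
    return min(MAX_TTL, tx_interval * hold_multiplier)


def split_tlvs(pdu: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV chain; raise on a header or length that runs past the PDU."""
    tlvs: List[Tuple[int, bytes]] = []
    offset = 0
    while offset < len(pdu):
        if offset + 2 > len(pdu):
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise ValueError("TLV length exceeds LLDPDU")
        tlvs.append((tlv_type, pdu[offset:offset + length]))
        offset += length
        if tlv_type == END_LLDPDU:
            break
    return tlvs


def format_id(subtype: int, raw: bytes, mac_subtype: int) -> str:
    """Render a chassis/port ID; MAC subtypes use the CLI's xxxx.xxxx.xxxx form."""
    if subtype == mac_subtype and len(raw) == 6:
        h = raw.hex()
        return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"
    return raw.decode("utf-8", "replace")


def parse_lldpdu(pdu: bytes) -> Dict[str, Any]:
    """Decode a valid LLDPDU; raise ValueError for one the agent would drop."""
    tlvs = split_tlvs(pdu)
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    chassis, port, ttl = (v for _, v in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise ValueError("malformed mandatory TLV")
    info: Dict[str, Any] = {
        "chassis_id": format_id(chassis[0], chassis[1:], 4),   # chassis subtype 4 = MAC address
        "port_id": format_id(port[0], port[1:], 3),            # port subtype 3 = MAC address
        "ttl": struct.unpack("!H", ttl)[0],
        "unknown": [],
    }
    for tlv_type, value in tlvs[3:]:
        if tlv_type == END_LLDPDU:
            break
        if tlv_type in (CHASSIS_ID, PORT_ID, TTL):
            raise ValueError("duplicate mandatory TLV")
        if tlv_type in OPTIONAL:
            info[OPTIONAL[tlv_type]] = (value.decode("utf-8", "replace")
                                        if tlv_type in TEXT_TLVS else value.hex())
        else:
            # Well-formed but unrecognized: keep it for later retrieval rather than drop.
            info["unknown"].append((tlv_type, value.hex()))
    return info


def parse_or_drop(pdu: bytes) -> Optional[Dict[str, Any]]:
    """What the agent does with a received frame: decoded fields, or None if dropped."""
    try:
        return parse_lldpdu(pdu)
    except ValueError:
        return None


# Constructed LLDPDU: base MAC 0024.3817.50bb, port MAC 0024.3817.50d6, TTL from
# the 802.1AB defaults (30 s interval x 4), plus an unrecognized type-100 TLV.
SAMPLE_PDU = (tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("0024381750bb"))
              + tlv(PORT_ID, b"\x03" + bytes.fromhex("0024381750d6"))
              + tlv(TTL, struct.pack("!H", transmit_ttl(30, 4)))
              + tlv(5, b"TX24 Router") + tlv(4, b"GigabitEthernet28")
              + tlv(100, b"\x01\x02") + tlv(END_LLDPDU, b""))
# Same content with Port ID and TTL swapped: fails the mandatory-order check.
BAD_ORDER_PDU = (tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("0024381750bb"))
                 + tlv(TTL, b"\x00\x78")
                 + tlv(PORT_ID, b"\x03" + bytes.fromhex("0024381750d6")))
```

parse_or_drop(SAMPLE_PDU) yields a TTL of 120 seconds, matching the "Time to live: 120 seconds" line in the show lldp local-info output on the page, while BAD_ORDER_PDU and any frame whose TLV length overruns the PDU are dropped.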
Configuring LLDP

This section describes how to enable and configure LLDP. Table 95 lists the LLDP global-level tasks and the default behavior/value for each task.
Enabling and disabling LLDP

LLDP is enabled by default on individual ports. However, to run LLDP, you must first enable it on a global basis (on the entire device).

To enable LLDP globally, enter the following command at the global CONFIG level of the CLI.

PowerConnect(config)#lldp run

Syntax: [no] lldp run

Changing a port LLDP operating mode

LLDP packets are not exchanged until LLDP is enabled on a global basis.
PowerConnect(config)#no lldp enable transmit ports e 7 e 8 e 9
PowerConnect(config)#lldp enable receive ports e 7 e 8 e 9

The above commands change the LLDP operating mode on ports 7, 8, and 9, from transmit only to receive only. Note that if you do not disable the transmit only mode, you will configure the port to both transmit and receive LLDP packets.

Syntax: [no] lldp enable receive ports ethernet | all

Use the [no] form of the command to disable the receive only mode.
where is a number between 16 and 65536. The default number of LLDP neighbors per device is 392. Use the show lldp command to view the configuration.

Per port

You can change the maximum number of LLDP neighbors for which LLDP data will be retained for each port. By default, the maximum number is four and you can change this to a value between one and 64.

For example, to change the maximum number of LLDP neighbors to six, enter the following command.
To change the minimum time interval between traps and Syslog messages, enter a command such as the following.

PowerConnect(config)#lldp snmp-notification-interval 60

When the above command is applied, the LLDP agent will send no more than one SNMP notification and Syslog message every 60 seconds.

Syntax: [no] lldp snmp-notification-interval

where is a value between 5 and 3600. The default is 5 seconds.
NOTE
Setting the transmit interval or transmit holdtime multiplier, or both, to inappropriate values can cause the LLDP agent to transmit LLDPDUs with TTL values that are excessively high. This in turn can affect how long a receiving device will retain the information if it is not refreshed.

Changing the holdtime multiplier for transmit TTL

The holdtime multiplier for transmit TTL is used to compute the actual time-to-live (TTL) value used in an LLDP frame.
General system information:
• Management address
• Port description
• System capabilities
• System description (not automatically advertised)
• System name

802.1 capabilities:
• VLAN name (not automatically advertised)
• Untagged VLAN ID

802.3 capabilities:
• Link aggregation information
• MAC/PHY configuration and status
• Maximum frame size
• Power-via-MDI information (not automatically advertised)

The above TLVs are described in detail in the following sections.
To advertise an IPv4 management address, enter a command such as the following:

PowerConnect(config)#lldp advertise management-address ipv4 209.157.2.1 ports e 4

The management address will appear similar to the following on the remote device, and in the CLI display output on the device (show lldp local-info):

Management address (IPv4): 209.157.2.
By default, the system capabilities are automatically advertised when LLDP is enabled on a global basis. To disable this advertisement, enter a command such as the following.

PowerConnect(config)#no lldp advertise system-capabilities ports e 4 to 12

The system capabilities will appear similar to the following on the remote device, and in the CLI display output on the device (show lldp local-info).
• Untagged VLAN ID

VLAN name

The VLAN name TLV contains the name and VLAN ID of a VLAN configured on a port. An LLDPDU may include multiple instances of this TLV, each for a different VLAN.

To advertise the VLAN name, enter a command such as the following.

PowerConnect(config)#lldp advertise vlan-name vlan 99 ports e 4 to 12

The VLAN name will appear similar to the following on the remote device, and in the CLI display output on the device (show lldp local-info).
PowerConnect(config)#no lldp advertise link-aggregation ports e 12

Syntax: [no] lldp advertise link-aggregation ports ethernet | all

The link aggregation advertisement will appear similar to the following on the remote device, and in the CLI display output on the device (show lldp local-info).
Maximum frame size: 1522 octets

Syntax: [no] lldp advertise max-frame-size ports ethernet | all

Displaying LLDP statistics and configuration settings

You can use the following CLI show commands to display information about LLDP settings and statistics:
• show lldp – Displays a summary of the LLDP configuration settings.
• show lldp statistics – Displays LLDP global and per-port statistics.
• show lldp neighbors – Displays a list of the current LLDP neighbors.
Table 2:

This field... / Displays...
LLDP reinitialize delay: The minimum number of seconds the device will wait from when LLDP is disabled on a port, until a request to re-enable LLDP on that port will be honored.
LLDP maximum neighbors: The maximum number of LLDP neighbors for which LLDP data will be retained, per device.
LLDP maximum neighbors per port: The maximum number of LLDP neighbors for which LLDP data will be retained, per port.
Table 3:

This field... / Displays...
Last neighbor change time: The elapsed time (in hours, minutes, and seconds) since a neighbor last advertised information. For example, the elapsed time since a neighbor was last added, deleted, or its advertised information changed.
Neighbor entries added: The number of new LLDP neighbors detected since the last reboot or since the last time the clear lldp statistics all command was issued.
Table 4:

This field... / Displays...
Lcl Port: The local LLDP port number.
Chassis ID: The identifier for the chassis. Devices use the base MAC address of the device as the Chassis ID.
Port ID: The identifier for the port. Devices use the permanent MAC address associated with the port as the port ID.
Port Description: The description for the port. Devices use the ifDescr MIB object from MIB-II as the port description.
System Name: The administratively-assigned name for the system.
PowerConnect#show lldp neighbors detail ports e 9
Local port: 9
  Neighbor: 0800.0f18.cc03, TTL 101 seconds
    + Chassis ID (network address): 10.43.39.151
    + Port ID (MAC address): 0800.0f18.cc03
    + Time to live: 120 seconds
    + Port description : "LAN port"
    + System name : "regDN 1015,MITEL 5235 DM"
    + System description : "regDN 1015,MITEL 5235 DM,h/w rev 2,ASIC rev 1,f/w\
Boot 02.01.00.11,f/w Main 02.01.00.
LLDP configuration details

The show lldp local-info command displays the local information advertisements (TLVs) that will be transmitted by the LLDP agent.

NOTE
The show lldp local-info output will vary based on LLDP configuration settings.

PowerConnect#show lldp local-info
Local port: 5
  + Chassis ID (MAC address): 0024.3817.50bb
  + Port ID (MAC address): 0024.3817.
Resetting LLDP statistics

PowerConnect#show lldp local-info ports ethernet 28
Local port: 28
  + Chassis ID (MAC address): 0024.3817.50bb
  + Port ID (MAC address): 0024.3817.50d6
  + Time to live: 120 seconds
  + System name : "TX24 Router"
  + Port description : "GigabitEthernet28"
  + System capabilities : bridge, router
    Enabled capabilities: bridge, router
  + 802.
Clearing cached LLDP neighbor information

If you do not specify any ports or use the keyword all, by default, the system will clear the cached LLDP neighbor information for all ports.
Chapter 21 Configuring IP

Basic configuration

NOTE
The terms Layer 3 Switch and router are used interchangeably in this chapter and mean the same thing.

IP is enabled by default. Basic configuration consists of adding IP addresses and, for Layer 3 Switches, enabling a route exchange protocol, such as Routing Information Protocol (RIP).
Overview

IP interfaces

Layer 3 Switches and Layer 2 Switches allow you to configure IP addresses. On Layer 3 Switches, IP addresses are associated with individual interfaces. On Layer 2 Switches, a single IP address serves as the management access address for the entire device.

All Layer 3 Switches and Layer 2 Switches support configuration and display of IP address in classical subnet format (example: 192.168.1.1 255.255.255.0) and Classless Interdomain Routing (CIDR) format (example: 192.168.1.1/24).
Figure 97: IP packet flow through a Layer 3 Switch (the figure shows the Incoming Port, PBR or IP access policy, Session Table, Forwarding Cache, IP Route Table fed by RIP, OSPF and BGP4 with selection by lowest administrative distance, lowest metric, multiple equal-cost paths and the load balancing algorithm, ARP Cache, Static ARP Table, and Outgoing Port).

Figure 97 shows the following packet flow:

1. When the Layer 3 Switch receives an IP packet, the Layer 3 Switch checks for filters on the receiving interface.
4. If the IP forwarding cache does not have an entry for the packet, the Layer 3 Switch checks the IP route table for a route to the packet destination. If the IP route table has a route, the Layer 3 Switch makes an entry in the session table or the forwarding cache, and sends the route to a queue on the outgoing ports:
• If the running-config contains an IP access policy for the packet, the software makes an entry in the session table.
The software places an entry from the static ARP table into the ARP cache when the entry interface comes up.

Here is an example of a static ARP entry.

Index  IP Address     MAC Address     Port
1      207.95.6.111   0800.093b.d210  1

Each entry lists the information you specified when you created the entry.
Destination  NetMask      Gateway   Port  Cost  Type
1.1.0.0      255.255.0.0  99.1.1.2  1     2     R

Each IP route table entry contains the destination IP address and subnet mask and the IP address of the next-hop router interface to the destination. Each entry also indicates the port attached to the destination or the next-hop to the destination, the route IP metric (cost), and the type. The type indicates how the IP route table received the route.
To increase the size of the IP forwarding cache, refer to the section “Displaying and modifying system parameter default settings” on page 184.

Layer 4 session table

The Layer 4 session provides a fast path for forwarding packets. A session is an entry that contains complete Layer 3 and Layer 4 information for a flow of traffic. Layer 3 information includes the source and destination IP addresses. Layer 4 information includes the source and destination TCP and UDP ports.
Basic IP parameters and defaults – Layer 3 Switches

IP interface redundancy protocols

You can configure a Layer 3 Switch to back up an IP interface configured on another Layer 3 Switch. If the link for the backed up interface becomes unavailable, the other Layer 3 Switch can continue service for the interface. This feature is especially useful for providing a backup to a network default gateway.
• Protocol Independent Multicast Dense (PIM-DM) – refer to “PIM Dense” on page 470
• Protocol Independent Multicast Sparse (PIM-SM) – refer to “PIM Sparse” on page 478
• Router redundancy protocols:
  • Virtual Router Redundancy Protocol Extended (VRRPE) – refer to Chapter 24, “Configuring VRRP and VRRPE”.
  • Virtual Router Redundancy Protocol (VRRP) – refer to Chapter 24, “Configuring VRRP and VRRPE”.
TABLE 96 IP global parameters – Layer 3 Switches

Parameter: IP state
Description: The Internet Protocol, version 4
Default: Enabled
See page: n/a
NOTE: You cannot disable IP.

Parameter: IP address and mask notation
Description: Format for displaying an IP address and its network mask information. You can enable one of the following:
• Class-based format; example: 192.168.1.1 255.255.255.0
• Classless Interdomain Routing (CIDR) format; example: 192.168.1.
See page: 623
TABLE 96 IP global parameters – Layer 3 Switches (Continued)

Parameter: Time to Live (TTL)
Description: The maximum number of routers (hops) through which a packet can pass before being discarded. Each router decreases a packet TTL by 1 before forwarding the packet. If decreasing the TTL causes the TTL to be 0, the router drops the packet instead of forwarding it.
TABLE 96 IP global parameters – Layer 3 Switches (Continued)

Parameter: Static RARP entries
Description: An IP address you place in the RARP table for RARP requests from hosts.
NOTE: You must enter the RARP entries manually. The Layer 3 Switch does not have a mechanism for learning or dynamically generating RARP entries.
Default: No entries
See page: 611
IP interface parameters – Layer 3 Switches

Table 97 lists the interface-level IP parameters for Layer 3 Switches.

TABLE 97 IP interface parameters – Layer 3 Switches

Parameter: IP state
Description: The Internet Protocol, version 4
Default: Enabled
See page: n/a
NOTE: You cannot disable IP.
Basic IP parameters and defaults – Layer 2 Switches

TABLE 97 IP interface parameters – Layer 3 Switches (Continued)

Parameter: UDP broadcast forwarding
Description: The router can forward UDP broadcast packets for UDP applications such as BootP. By forwarding the UDP broadcasts, the router enables clients on one subnet to find servers attached to other subnets.
TABLE 98 IP global parameters – Layer 2 Switches

Parameter: IP address and mask notation
Description: Format for displaying an IP address and its network mask information. You can enable one of the following:
• Class-based format; example: 192.168.1.1 255.255.255.0
• Classless Interdomain Routing (CIDR) format; example: 192.168.1.
Configuring IP parameters – Layer 3 Switches

TABLE 98 IP global parameters – Layer 2 Switches (Continued)

Parameter: Source interface
Description: The IP address the Layer 2 Switch uses as the source address for Telnet, RADIUS, or TACACS/TACACS+ packets originated by the router. The Layer 2 Switch uses its management IP address as the source address for these packets.
Default: The management IP address of the Layer 2 Switch.
Configuring IP addresses

You can configure an IP address on the following types of Layer 3 Switch interfaces:
• Ethernet port
• Virtual routing interface (also called a Virtual Ethernet or “VE”)
• Loopback interface

By default, you can configure up to 24 IP addresses on each interface. On Compact Layer 3 Switches, you can increase this amount to up to 64 IP subnet addresses per port by increasing the size of the subnet-per-interface table.
• ospf-ignore – This option disables OSPF adjacency formation and also disables advertisement of the interface into OSPF. The subnet is completely ignored by OSPF.

NOTE
The ospf-passive option disables adjacency formation but does not disable advertisement of the interface into OSPF. To disable advertisement in addition to disabling adjacency formation, you must use the ospf-ignore option.
You can configure IP routing interface parameters on a virtual interface. This section describes how to configure an IP address on a virtual interface. Other sections in this chapter that describe how to configure interface parameters also apply to virtual interfaces.

NOTE
The Layer 3 Switch uses the lowest MAC address on the device (the MAC address of port 1) as the MAC address for all ports within all virtual interfaces you configure on the device.
Changing the encapsulation type

The Layer 3 Switch encapsulates IP packets into Layer 2 packets, to send the IP packets on the network. (A Layer 2 packet is also called a MAC layer packet or an Ethernet frame.) The source address of a Layer 2 packet is the MAC address of the Layer 3 Switch interface sending the packet. The destination address can be one of the following:
• The MAC address of the IP packet destination.
Configuration considerations for increasing the MTU

• When you increase the MTU size of a port, the increase uses system resources. Increase the MTU size only on the ports that need it. For example, if you have one port connected to a server that uses jumbo frames and two other ports connected to clients that can support the jumbo frames, increase the MTU only on those three ports. Leave the MTU size on the other ports at the default value (1500 bytes).
NOTE
The new command ip-port-mtu replaces the command ip mtu. On the PowerConnect, the IP MTU check on egress is validated based on the physical port instead of the IP interface. Therefore, the command ip-port-mtu can be set only on a physical port. In the case of a VE, you can set the ip-port-mtu on a port member of the VE. In contrast with the ip mtu command, the multiple physical ports in a VE can have a different IP MTU.
If you prefer, you can explicitly set the router ID to any valid IP address. The IP address cannot be in use on another device in the network.

NOTE
Layer 3 Switches use the same router ID for both OSPF and BGP4. If the router is already configured for OSPF, you may want to use the router ID that is already in use on the router rather than set a new one.

To display the router ID, enter the show ip CLI command at any CLI level.
Telnet packets

To specify the lowest-numbered IP address configured on a virtual interface as the device source for all Telnet packets, enter commands such as the following.

PowerConnect(config)#int loopback 2
PowerConnect(config-lbif-2)#ip address 10.0.0.2/24
PowerConnect(config-lbif-2)#exit
PowerConnect(config)#ip telnet source-interface loopback 2

The commands in this example configure loopback interface 2, assign IP address 10.0.0.
The parameter is a loopback interface or virtual interface number. If you specify an Ethernet port, the is the port number.

Configuring ARP parameters

Address Resolution Protocol (ARP) is a standard IP protocol that enables an IP Layer 3 Switch to obtain the MAC address of another device interface when the Layer 3 Switch knows the IP address of the interface. ARP is enabled by default and cannot be disabled.
• If the ARP cache does not contain an entry for the destination IP address, the Layer 3 Switch broadcasts an ARP request out all its IP interfaces. The ARP request contains the IP address of the destination. If the device with the IP address is directly attached to the Layer 3 Switch, the device sends an ARP response containing its MAC address. The response is a unicast packet addressed directly to the Layer 3 Switch.
NOTE
If you want to change a previously configured ARP rate limiting policy, you must remove the previously configured policy using the no rate-limit-arp command before entering the new policy.

Changing the ARP aging period

When the Layer 3 Switch places an entry in the ARP cache, the Layer 3 Switch also starts an aging timer for the entry. The aging timer ensures that the ARP cache does not retain learned entries that are no longer valid.
Proxy ARP is disabled by default on Layer 3 Switches. This feature is not supported on Layer 2 Switches.

You can enable proxy ARP at the Interface level, as well as at the Global CONFIG level, of the CLI.

NOTE
Configuring proxy ARP at the Interface level overrides the global configuration.

Enabling proxy ARP globally

To enable IP proxy ARP on a global basis, enter the following command.
Static entries are useful in cases where you want to pre-configure an entry for a device that is not connected to the Layer 3 Switch, or you want to prevent a particular entry from aging out. The software removes a dynamic entry from the ARP cache if the ARP aging interval expires before the entry is refreshed. Static entries do not age out, regardless of whether the device receives an ARP request from the device that has the entry address.
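The following program is an added example, not code from the Dell guide, modelling the ARP cache behaviour described in this section: a lookup either hits the cache or tells the caller to broadcast an ARP request, dynamic entries are removed once the aging interval passes without a refresh, and static entries neither age out nor get overwritten by a learned reply. The static entry reuses the values from the guide's example; the 300-second aging interval, the 600-second default, and the learned neighbour are assumptions of the example.

```python
"""Added example (not from the Dell guide): an ARP cache in which static
entries never age out and dynamic entries expire once the aging interval
passes without a refresh. Time is passed in explicitly so the behaviour is
deterministic; the aging default is an assumption, not a value from the guide."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ArpEntry:
    ip: str
    mac: str
    port: int
    static: bool
    refreshed_at: float = 0.0   # time of the last learn; unused for static entries


class ArpCache:
    def __init__(self, aging_seconds: int = 600) -> None:  # 600 s is an assumed default
        self.aging_seconds = aging_seconds
        self._entries: Dict[str, ArpEntry] = {}

    def add_static(self, ip: str, mac: str, port: int) -> None:
        """Pre-configured entry: installed by the operator, never replaced by a learned one."""
        self._entries[ip] = ArpEntry(ip, mac, port, static=True)

    def learn(self, ip: str, mac: str, port: int, now: float) -> bool:
        """Record an ARP reply. Returns False if a static entry for the IP exists,
        so a reply claiming a different MAC for a pinned address is ignored."""
        current = self._entries.get(ip)
        if current is not None and current.static:
            return False
        self._entries[ip] = ArpEntry(ip, mac, port, static=False, refreshed_at=now)
        return True

    def expire(self, now: float) -> int:
        """Drop dynamic entries older than the aging interval; return how many were removed."""
        stale = [ip for ip, e in self._entries.items()
                 if not e.static and now - e.refreshed_at > self.aging_seconds]
        for ip in stale:
            del self._entries[ip]
        return len(stale)

    def resolve(self, ip: str, now: float) -> Tuple[str, Optional[ArpEntry]]:
        """Forwarding step from the text: a cache hit supplies the MAC; on a miss
        the caller must broadcast an ARP request and wait for the unicast reply."""
        self.expire(now)
        entry = self._entries.get(ip)
        return ("hit", entry) if entry else ("arp-request", None)

    def __len__(self) -> int:
        return len(self._entries)


def build_sample_cache() -> ArpCache:
    """Constructed scenario: the guide's static entry plus one learned neighbour."""
    cache = ArpCache(aging_seconds=300)
    cache.add_static("207.95.6.111", "0800.093b.d210", port=1)
    cache.learn("10.0.0.5", "0800.0f18.cc03", port=9, now=0.0)
    return cache


if __name__ == "__main__":
    cache = build_sample_cache()
    for t in (100.0, 301.0):
        print(t, cache.resolve("10.0.0.5", t)[0], cache.resolve("207.95.6.111", t)[0])
```

At t=301 the learned entry has aged out and resolve() asks for a new ARP request, while the static entry is still a hit; the refusal in learn() is what "prevent a particular entry from aging out" buys in practice, since a reply for a pinned address cannot displace it.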
Configuring forwarding parameters

The following configurable parameters control the forwarding behavior of Layer 3 Switches:
• Time-To-Live (TTL) threshold
• Forwarding of directed broadcasts
• Forwarding of source-routed packets
• Ones-based and zero-based broadcasts

All these parameters are global and thus affect all IP interfaces configured on the Layer 3 Switch. To configure these parameters, use the procedures in the following sections.
PowerConnect(config)#no ip directed-broadcast

To enable directed broadcasts on an individual interface instead of globally for all interfaces, enter commands such as the following.

PowerConnect(config)#interface ethernet 1
PowerConnect(config-if-1)#ip directed-broadcast

Syntax: [no] ip directed-broadcast

Disabling forwarding of IP source-routed packets

A source-routed packet specifies the exact router path for the packet.
NOTE
When you enable the Layer 3 Switch for zero-based subnet broadcasts, the Layer 3 Switch still treats IP packets with all ones in the host portion as IP subnet broadcasts too. Thus, the Layer 3 Switch can be configured to support all ones only (the default) or all ones and all zeroes.

NOTE
This feature applies only to IP subnet broadcasts, not to local network broadcasts. The local network broadcast address is still expected to be all ones.
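The following program is an added example, not code from the Dell guide, that puts the two settings from this section together: it classifies a destination as an IP subnet broadcast under the default all-ones rule or the all-ones-and-zeros rule, keeps the local network broadcast 255.255.255.255 separate, and shows what a router does with a directed broadcast when ip directed-broadcast is disabled (the default) or enabled. The attached subnets are constructed.

```python
"""Added example (not from the Dell guide): subnet-broadcast classification
under the all-ones (default) and all-ones-and-zeros settings, plus the
directed-broadcast forwarding decision. Subnets used below are constructed."""
import ipaddress
from typing import Iterable

LOCAL_NET_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def is_subnet_broadcast(dst: str, subnet: str, zero_based: bool = False) -> bool:
    """An all-ones host part is always a subnet broadcast; an all-zeros host
    part counts too only when zero-based broadcasts are enabled."""
    net = ipaddress.IPv4Network(subnet, strict=False)
    addr = ipaddress.IPv4Address(dst)
    if addr == net.broadcast_address:
        return True
    return zero_based and addr == net.network_address


def route_broadcast(dst: str, attached_subnets: Iterable[str],
                    directed_broadcast: bool = False, zero_based: bool = False) -> str:
    """Decide how a router handles the destination of an arriving packet.

    Returns one of:
      "local-only"         255.255.255.255 is never forwarded off the receiving network
      "forward-broadcast"  directed broadcast to an attached subnet, forwarding enabled
      "drop"               directed broadcast to an attached subnet, forwarding disabled
      "unicast"            ordinary host address; route it normally
    """
    addr = ipaddress.IPv4Address(dst)
    if addr == LOCAL_NET_BROADCAST:
        return "local-only"
    for subnet in attached_subnets:
        if is_subnet_broadcast(dst, subnet, zero_based):
            return "forward-broadcast" if directed_broadcast else "drop"
    return "unicast"


# Constructed set of subnets directly attached to the router.
ATTACHED = ["10.1.2.0/24", "192.0.2.0/25"]

if __name__ == "__main__":
    for dst, enabled, zero in [("10.1.2.255", False, False), ("10.1.2.255", True, False),
                               ("10.1.2.0", True, False), ("10.1.2.0", True, True),
                               ("255.255.255.255", True, False), ("10.1.2.77", True, False)]:
        print(f"{dst:16} directed-broadcast={'on' if enabled else 'off':3} "
              f"zero-based={'on' if zero else 'off':3} -> {route_broadcast(dst, ATTACHED, enabled, zero)}")
```

With the default (disabled) setting a packet to 10.1.2.255 arriving from another subnet is dropped; enabling zero-based broadcasts widens what counts as a broadcast, so 10.1.2.0 changes from an ordinary routed address to one that the directed-broadcast setting governs as well.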
Disabling ICMP destination unreachable messages

By default, when a device receives an IP packet that the device cannot deliver, the device sends an ICMP Unreachable message back to the host that sent the packet. You can selectively disable a device response to the following types of ICMP Unreachable messages:
• Administration – The packet was dropped by the device due to a filter or ACL configured on the device.
To disable ICMP Host Unreachable messages but leave the other types of ICMP Unreachable messages enabled, enter the following commands instead of the command shown above.

PowerConnect(config)#no ip icmp unreachable host

If you have disabled all ICMP Unreachable message types but you want to re-enable certain types, for example ICMP Host Unreachable messages, you can do so by entering the following command.
• The route path, which can be one of the following:
  • The IP address of a next-hop gateway
  • An Ethernet port
  • A virtual interface (a routing interface used by VLANs for routing Layer 3 protocol traffic among one another)
  • A “null” interface. The Layer 3 Switch drops traffic forwarded to the null interface.
21 Configuring IP parameters – Layer 3 Switches Figure 98 shows an example of a network containing a static route. The static route is configured on Switch A, as shown in the CLI example following the figure. FIGURE 98 Example of a static route 207.95.6.188/24 Switch A 207.95.7.7/24 207.95.6.157/24 e2 Switch B 207.95.7.69/24 The following command configures a static route to 207.95.7.0, using 207.95.6.157 as the next-hop gateway. PowerConnect(config)# ip route 207.95.7.0/24 207.95.6.
Configuring IP parameters – Layer 3 Switches 21 Syntax: ip route / | ethernet | ve [] [distance ] The is the route destination. The is the network mask for the route destination IP address. Alternatively, you can specify the network mask information by entering a forward slash followed by the number of bits in the network mask. For example, you can enter 192.0.0.0 255.255.255.0 as 192.0.0.0/.24.
21 Configuring IP parameters – Layer 3 Switches PowerConnect(config)# ip route 209.157.22.0 255.255.255.0 null0 PowerConnect(config)# write memory Syntax: ip route null0 [] [distance ] or Syntax: ip route / null0 [] [distance ] To display the maximum value for your device, enter the show default values command.
Configuring IP parameters – Layer 3 Switches 21 NOTE You also can bias the Layer 3 Switch to select one of the routes by configuring them with different administrative distances. However, make sure you do not give a static route a higher administrative distance than other types of routes, unless you want those other types to be preferred over the static route. For a list of the default administrative distances, refer to “Changing administrative distances” on page 777.
21 Configuring IP parameters – Layer 3 Switches • When you want to use a specific interface by default to route traffic to a given destination network, but want to allow the Layer 3 Switch to use other interfaces to reach the destination network if the path that uses the default interface becomes unavailable. In this case, give the interface route a lower metric than the normal static route.
Configuring IP parameters – Layer 3 Switches 21 Two static routes to 192.168.7.0/24: --Interface-based route through Port 1, with metric 1. --Standard static route through gateway 192.168.8.11, with metric 3. 192.168.6.188/24 Port 1 Switch A 192.168.8.12/24 Port 4 When route through interface 1 is available, Switch A always uses that route. 192.168.6.69/24 192.168.8.11/24 Switch B Switch C Switch D If route through interface 1 becomes unavailable, Switch A uses alternate route through gateway 192.
Configuring a default network route

The Layer 3 Switch enables you to specify a candidate default route without the need to specify the next hop gateway. If the IP route table does not contain an explicit default route (for example, 0.0.0.0/0) or propagate an explicit default route through routing protocols, the software can use the default network route as a default route instead.

To verify that the route is in the route table, enter the following command at any level of the CLI.

PowerConnect# show ip route
Total number of IP routes: 2
Start index: 1   B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
    Destination    NetMask          Gateway   Port   Cost   Type
1   209.157.20.0   255.255.255.0    0.0.0.0   lb1    1      D
2   209.157.22.0   255.255.255.0    0.0.0.0   11     1      *D

This example shows two routes.

Administrative distance

The administrative distance is a value associated with each type (source) of IP route, so every path has an administrative distance. It is not used when performing IP load sharing among equal-cost paths from the same source, but it is used when evaluating multiple equal-cost paths to the same destination from different sources, such as RIP, OSPF and so on: the path from the source with the lowest administrative distance is preferred.

• IP static route – The value you assign to the metric parameter when you configure the route. The default metric is 1. Refer to "Configuring load balancing and redundancy using multiple static routes to the same destination" on page 600.
• RIP – The number of next-hop routers to the destination.
• OSPF – The Path Cost associated with the path. The paths can come from any combination of inter-area, intra-area, and external Link State Advertisements (LSAs).

• If the IP load forwarding cache does not contain a forwarding entry for the destination, the software selects a path from among the available equal-cost paths to the destination, then creates a forwarding entry in the cache based on the calculation. Subsequent traffic for the same destination uses the forwarding entry.
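The two-static-route figure above (interface route with metric 1, gateway route with metric 3) and the administrative distance and load-sharing paragraphs describe one selection order: longest prefix match, then lowest administrative distance across sources, then lowest metric within the winner, with whatever remains forming the equal-cost set that the forwarding cache pins a flow to. The following is an added example, not from the guide, that carries that order through in Python. The route table is constructed, the default administrative distances are assumed (the guide refers to its own "Changing administrative distances" section for the real values), and the flow-hash choice among equal-cost paths is an assumption, not the device's selection rule.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed default administrative distances for this example (conventional
# values, not taken from the guide).
DEFAULT_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str                      # destination, e.g. "192.168.7.0/24"
    source: str                      # "static", "ospf", "rip", "connected"
    next_hop: str                    # gateway address, or an interface name
    metric: int
    distance: Optional[int] = None   # None -> default for the source
    up: bool = True                  # False when the path is unavailable

    @property
    def admin_distance(self) -> int:
        return DEFAULT_DISTANCE[self.source] if self.distance is None else self.distance


def best_paths(routes, destination):
    """Longest prefix match, then lowest administrative distance, then lowest
    metric. What remains is the equal-cost set used for load sharing."""
    dst = ipaddress.ip_address(destination)
    usable = [r for r in routes if r.up and dst in ipaddress.ip_network(r.prefix)]
    if not usable:
        return []
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in usable)
    usable = [r for r in usable if ipaddress.ip_network(r.prefix).prefixlen == longest]
    best_dist = min(r.admin_distance for r in usable)
    usable = [r for r in usable if r.admin_distance == best_dist]
    best_metric = min(r.metric for r in usable)
    return [r for r in usable if r.metric == best_metric]


def forwarding_entry(routes, src, dst):
    """Pick one path from the equal-cost set by hashing the flow, so the flow
    stays on one path the way a forwarding-cache entry does (assumed rule)."""
    paths = best_paths(routes, dst)
    if not paths:
        return None
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    index = int.from_bytes(digest[:4], "big") % len(paths)
    return sorted(paths, key=lambda r: r.next_hop)[index]


# Constructed route table in the spirit of the figure: an interface-based
# static route (metric 1), a gateway static route (metric 3), a RIP route to
# the same network, and a default route.
TABLE = [
    Route("192.168.7.0/24", "static", "ethernet 1", 1),
    Route("192.168.7.0/24", "static", "192.168.8.11", 3),
    Route("192.168.7.0/24", "rip", "192.168.8.12", 1),
    Route("0.0.0.0/0", "static", "192.168.6.69", 1),
]

if __name__ == "__main__":
    print([r.next_hop for r in best_paths(TABLE, "192.168.7.10")])
    failed = [Route(r.prefix, r.source, r.next_hop, r.metric, r.distance,
                    up=r.next_hop != "ethernet 1") for r in TABLE]
    print([r.next_hop for r in best_paths(failed, "192.168.7.10")])
```

The point the table makes: when the interface route fails, the static gateway route with metric 3 wins over the RIP route with metric 1, because administrative distance is compared before metric; raising the static route's distance above RIP's is what it takes to make the RIP path win, which is the situation the note above warns about.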
When IRDP is enabled, the Layer 3 Switch periodically sends Router Advertisement messages out the IP interfaces on which the feature is enabled. The messages advertise the Layer 3 Switch IP addresses to directly attached hosts that listen for the messages. In addition, hosts can be configured to query the Layer 3 Switch for the information by sending Router Solicitation messages.

NOTE: To enable IRDP on individual ports, you must leave the feature globally disabled.

Syntax: [no] ip irdp [broadcast | multicast] [holdtime ] [maxadvertinterval ] [minadvertinterval ] [preference ]

The broadcast | multicast parameter specifies the packet type the Layer 3 Switch uses to send Router Advertisement:
• broadcast – The Layer 3 Switch sends Router Advertisement as IP broadcasts. This is the default.

Enable IRDP only on interfaces where attached hosts actually consume Router Advertisements. The messages carry no authentication, so any host on the segment can send its own advertisement with a higher preference and become the default gateway for hosts that honour IRDP; enabling the feature only adds the switch as one more advertiser and does not protect against that.

• If the RARP table contains an entry for the client, the Layer 3 Switch sends a unicast response to the client that contains the IP address associated with the client MAC address in the RARP table.
• If the RARP table does not contain an entry for the client, the Layer 3 Switch silently discards the RARP request and does not reply to the client.

This command creates a RARP entry for a client with MAC address 1245.7654.2348. When the Layer 3 Switch receives a RARP request from this client, the Layer 3 Switch replies to the request by sending IP address 192.53.4.2 to the client.

Syntax: rarp

The first parameter identifies the RARP entry number. You can specify an unused number from 1 to the maximum number of RARP entries supported on the device.

• time (port 37)
• netbios-ns (port 137)
• netbios-dgm (port 138)
• tacacs (port 65)

NOTE: The application names are the names for these applications that the Layer 3 Switch software recognizes, and might not match the names for these applications on some third-party devices. The numbers listed in parentheses are the UDP port numbers for the applications. The numbers come from RFC 1340. (In RFC 1340, port 65 is listed as tacacs-ds, the TACACS database service; the TACACS login host protocol itself is port 49. If you need port 49 forwarded, specify the port number rather than the application name.)

NOTE: Forwarding support for BootP/DHCP is enabled by default.

• echo (port 7)
• mobile-ip (port 434)
• netbios-dgm (port 138)
• netbios-ns (port 137)
• ntp (port 123)
• tacacs (port 65)
• talk (port 517)
• time (port 37)
• tftp (port 69)

In addition, you can specify any UDP application by using the application UDP port number. The port number parameter specifies the UDP application port number. If the application you want to enable is not listed above, enter the application port number.

Forward only the applications a subnet actually needs. Forwarding echo (port 7) broadcasts, for example, turns every host on the target subnet into a responder and gives an outside sender the same amplification as a directed broadcast.

Configuring BootP/DHCP relay parameters

A host on an IP network can use BootP/DHCP to obtain its IP address from a BootP/DHCP server. To obtain the address, the client sends a BootP/DHCP request. The request is a limited IP broadcast, addressed to IP address 255.255.255.255 and to UDP port 67. A limited broadcast is not forwarded by the Layer 3 Switch or other IP routers, which is why a relay function is needed whenever the server is on a different subnet from the client.
Configuring IP parameters – Layer 2 Switches

Configuring the BOOTP/DHCP reply source address

You can configure the device so that a BOOTP/DHCP reply to a client contains the server IP address as the source address instead of the router IP address. To do so, enter the following command at the Global CONFIG level of the CLI.

Devices support both classical IP network masks (Class A, B, and C subnet masks, and so on) and Classless Interdomain Routing (CIDR) network prefix masks:
• To enter a classical network mask, enter the mask in IP address format. For example, enter "209.157.22.99 255.255.255.0" for an IP address with a Class-C subnet mask.
• To enter a prefix network mask, enter a forward slash ( / ) and the number of bits in the mask immediately after the IP address.

PowerConnect# ping nyc01
PowerConnect# ping nyc01.newyork.com

Defining a DNS entry

You can define up to four DNS servers for each DNS entry. The first entry serves as the primary default address. If a query to the primary address fails to be resolved after three attempts, the next server address is queried (also up to three times). This process continues for each defined server address until the query is resolved.

[Figure labels: Domain Name Server, newyork.com, nyc01, nyc02, 207.95.6.199, Layer 3 Switch]

Changing the TTL threshold

The TTL threshold bounds how far a packet can travel by specifying the maximum number of router hops an IP packet originated by the Layer 2 Switch can travel through. Each device capable of forwarding IP that receives the packet decrements the packet TTL by one, and a packet whose TTL reaches zero is discarded; this is what stops a misrouted packet from circulating forever in a routing loop.

[Figure: DHCP address assignment without DHCP assist. Step 2: the router assumes the lowest IP address configured on the router interface (192.95.5.1) is the gateway address. Step 3: the DHCP server (207.95.7.6) generates IP addresses for Hosts 1, 2, 3 and 4, all in the 192.95.5.x range (192.95.5.5, 192.95.5.10, 192.95.5.30, 192.95.5.35). DHCP requests for the other subnets were not recognized by the non-DHCP-assist router, causing incorrect address assignments.]

[Figure: DHCP address assignment with DHCP assist. Step 2: the Layer 2 Switch stamps each DHCP request with the gateway address of the corresponding subnet of the receiving port (Interface 2, Interface 8, Interface 14; gateway addresses 192.95.5.1, 200.95.6.1, 202.95.1.1, 202.95.5.1). Step 3: the router forwards the DHCP request to the DHCP server (207.95.7.6) without touching the gateway address inserted in the packet by the switch. Other labels: Host 1, Host 2, Subnet 1 192.95.5.x, 200.95.6.]

[Figure continued. Step 4: the DHCP server (207.95.7.6) extracts the gateway address from each packet and assigns IP addresses for each host within the appropriate range; the DHCP response carries addresses for Subnets 1, 2, 3 and 4 (192.95.5.10, 200.95.6.15, 202.95.1.35, 202.95.5.25). Step 5: the router and Layer 2 Switch distribute the IP addresses to the appropriate hosts (Host 1 on Subnet 1 192.95.5.x, Host 2 on Subnet 2 200.95.6.x, Hub). Other labels: 202.95.5.25, 202.95.]

Example

To create the configuration indicated in Figure 103 and Figure 104, enter commands such as the following.

PowerConnect(config)# dhcp-gateway-list 1 192.95.5.1
PowerConnect(config)# dhcp-gateway-list 2 200.95.6.1
PowerConnect(config)# dhcp-gateway-list 3 202.95.1.1 202.95.5.
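The figures above describe the DHCP assist exchange in terms of one packet field: the gateway address (giaddr in the BOOTP header) that the switch fills in per receiving port, that the router leaves alone, and that the server uses to choose an address pool. The following is an added example, not from the guide, that builds the BOOTP header with Python's struct module and plays the three roles. The port-to-gateway mapping and the pools are constructed (the figures do not show which port carries which subnet), and the rule that an already non-zero giaddr is left untouched is the relay behaviour the figure's Step 3 describes.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header (RFC 2131 section 2), 236 bytes, plus the 4-byte
# magic cookie. Options are omitted; giaddr is the field DHCP assist fills in.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s4s")
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file", "cookie")
MAGIC = bytes([99, 130, 83, 99])
ZERO = b"\0\0\0\0"


def ip_bytes(addr):
    return ipaddress.ip_address(addr).packed


def build_discover(xid, mac):
    """A client DHCPDISCOVER as it leaves the host: op=1 (BOOTREQUEST),
    hops=0, giaddr=0.0.0.0, broadcast flag set."""
    return BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, ZERO, ZERO, ZERO, ZERO,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, MAGIC)


def parse(pkt):
    return dict(zip(FIELDS, BOOTP.unpack(pkt[:BOOTP.size])))


def stamp_gateway(pkt, ingress_port, gateway_list):
    """Switch side (Step 2): if giaddr is still zero, write the gateway
    address configured for the receiving port and bump the hop count. A
    non-zero giaddr means the request was already relayed; leave it alone."""
    f = parse(pkt)
    if f["giaddr"] != ZERO:
        return pkt
    f["giaddr"] = ip_bytes(gateway_list[ingress_port])
    f["hops"] += 1
    return BOOTP.pack(*(f[k] for k in FIELDS))


def server_offer(pkt, pools, leased):
    """Server side (Step 4): pick the pool whose subnet contains giaddr and
    hand out its next unleased address (the gateway itself is skipped)."""
    giaddr = ipaddress.ip_address(parse(pkt)["giaddr"])
    for net in pools:
        if giaddr in net:
            for host in net.hosts():
                if host != giaddr and host not in leased:
                    leased.add(host)
                    return str(host)
    return None


# Constructed mapping and pools in the spirit of the figure.
GATEWAYS = {2: "192.95.5.1", 8: "200.95.6.1", 14: "202.95.1.1"}
POOLS = [ipaddress.ip_network("192.95.5.0/24"),
         ipaddress.ip_network("200.95.6.0/24"),
         ipaddress.ip_network("202.95.1.0/24")]


def simulate(port, mac, leased=None):
    """Client on `port` sends DISCOVER; the switch stamps giaddr; the router
    relays it unchanged; the server answers from the matching pool."""
    leased = set() if leased is None else leased
    request = stamp_gateway(build_discover(0x3903F326, mac), port, GATEWAYS)
    return parse(request), server_offer(request, POOLS, leased)


if __name__ == "__main__":
    for port in (2, 8, 14):
        fields, offer = simulate(port, bytes([0, 0x11, 0x22, 0x33, 0x44, port]))
        print(port, ipaddress.ip_address(fields["giaddr"]), "->", offer)
```

Without the stamp, giaddr stays 0.0.0.0 and the server has nothing to choose a pool by, which is the failure the first figure shows; with it, the address the server returns is in the right subnet even though every request reached the server over the same router interface.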
Displaying IP configuration information and statistics

The sections below describe how to display this information. In addition to the information described below, you can display the following IP information. This information is described in other parts of this guide:
• RIP
• OSPF
• BGP4
• PIM
• VRRP or VRRPE

Displaying global IP configuration information

To display IP configuration information, enter the following command at any CLI level.

TABLE 101 CLI Display of global IP configuration information – Layer 3 Switch (Continued)
This field... / Displays...
router-id – The 32-bit number that uniquely identifies the router. By default, the router ID is the numerically lowest IP interface configured on the router. To change the router ID, refer to "Changing the router ID" on page 584.
enabled – The IP-related protocols that are enabled on the router.

The show process cpu command includes CPU utilization statistics for ACL, 802.1x, and L2VLAN. L2VLAN contains any packet transmitted to a VLAN by the CPU, including unknown unicast, multicast, broadcast, and CPU forwarded Layer 2 traffic. To display CPU utilization statistics for the previous one-second, one-minute, five-minute, and fifteen-minute intervals, enter the following command at any level of the CLI.

PowerConnect# show process cpu 2
Statistics for last 1 sec and 80 ms
Process Name   Sec(%)   Time(ms)
ACL            0        0.00
ARP            1        0.01
BGP            0        0.00
DOT1X          0        0.00
GVRP           0        0.00
ICMP           0        0.00
IP             0        0.00
L2VLAN         1        0.01
OSPF           0        0.00
RIP            0        0.00
STP            0        0.00
VRRP           0        0.00

When you specify how many seconds' worth of statistics you want to display, the software selects the sample that most closely matches the number of seconds you specified.

TABLE 102 CLI display of interface IP configuration information (Continued)
This field... / Displays...
Status – The link status of the interface. If you have disabled the interface with the disable command, the entry in the Status field will be "administratively down". Otherwise, the entry in the Status field will be either "up" or "down".
Protocol – Whether the interface can provide two-way communication.

The mask parameter lets you specify a mask for the mac-address parameter, to display entries for multiple MAC addresses. Specify the MAC address mask as "f"s and "0"s, where "f"s are significant bits. The IP address and network mask parameters let you restrict the display to entries for a specific IP address and network mask. Specify the IP address masks in standard decimal mask format (for example, 255.255.0.0).

PowerConnect# show ip static-arp
Static ARP table size: 512, configurable from 512 to 1024
Index   IP Address     MAC Address      Port
1       207.95.6.111   0800.093b.d210   1
3       207.95.6.123   0800.093b.d211   1

This example shows two static entries. Note that since you specify an entry index number when you create the entry, it is possible for the range of index numbers to have gaps, as shown in this example.

Displaying the forwarding cache

To display the IP forwarding cache, enter the following command at any CLI level.

PowerConnect# show ip cache
Total number of cache entries: 3
D:Dynamic P:Permanent F:Forward U:Us C:Complex Filter
W:Wait ARP I:ICMP Deny K:Drop R:Fragment S:Snap Encap
    IP Address        Next Hop   MAC              Type
1   192.168.1.11      DIRECT     0000.0000.0000   PU
2   192.168.1.255     DIRECT     0000.0000.0000   PU
3   255.255.255.255   DIRECT     0000.0000.

Displaying the IP route table

To display the IP route table, enter the following command at any CLI level.

PowerConnect# show ip route
Total number of IP routes: 514
Start index: 1   B:BGP D:Connected R:RIP S:Static
Destination   NetMask
1.1.0.0       255.255.0.0
1.2.0.0       255.255.0.0
1.3.0.0       255.255.0.0
1.4.0.0       255.255.0.0
1.5.0.0       255.255.0.0
1.6.0.0       255.255.0.0
1.7.0.0       255.255.0.0
1.8.0.0       255.255.0.0
1.9.0.0       255.255.0.0
1.10.0.0      255.255.0.0
Gateway 99.1.1.

Here is an example of how to use the static option. To display only the static IP routes, enter the following command.

PowerConnect# show ip route static
Start index: 1   B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
Destination     NetMask         Gateway         Port   Cost   Type
192.144.33.11   255.255.255.0   209.157.22.12   1      2      S

Notice that the route displayed in this example has "S" in the Type field, indicating the route is static.

TABLE 106 CLI display of IP route table
This field... / Displays...
Destination – The destination network of the route.
NetMask – The network mask of the destination address.
Gateway – The next-hop router.
Port – The port through which this router sends packets to reach the route's destination.
Cost – The route's cost.
Type – The route type, which can be one of the following:
• B – The route was learned from BGP.

PowerConnect# show ip traffic
IP Statistics
  139 received, 145 sent, 0 forwarded
  0 filtered, 0 fragmented, 0 reassembled, 0 bad header
  0 no route, 0 unknown proto, 0 no buffer, 0 other errors
ICMP Statistics
Received:
  0 total, 0 errors, 0 unreachable, 0 time exceed
  0 parameter, 0 source quench, 0 redirect, 0 echo,
  0 echo reply, 0 timestamp, 0 timestamp reply, 0 addr mask
  0 addr mask reply, 0 irdp advertisement, 0 irdp solicitation
Sent:
  0 total, 0 e

TABLE 107 CLI display of IP traffic statistics – Layer 3 Switch (Continued)
This field... / Displays...
ICMP statistics – The ICMP statistics are derived from RFC 792, "Internet Control Message Protocol", RFC 950, "Internet Standard Subnetting Procedure", and RFC 1256, "ICMP Router Discovery Messages". Statistics are organized into Sent and Received. The field descriptions below apply to each.

TABLE 107 CLI display of IP traffic statistics – Layer 3 Switch (Continued)
This field... / Displays...
out segments – The number of TCP segments sent by the device.
retransmission – The number of segments that this device retransmitted because the retransmission timer for the segment had expired before the device at the other end of the connection had acknowledged receipt of the segment.

PowerConnect# show ip
Switch IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Default router address: 192.168.1.1
TFTP server address: None
Configuration filename: None
Image filename: None

Syntax: show ip

This display shows the following information.

TABLE 108 CLI display of global IP configuration information – Layer 2 Switch
This field... / Displays...

TABLE 109 CLI display of ARP cache
This field... / Displays...
IP – The IP address of the device.
Mac – The MAC address of the device. NOTE: If the MAC address is all zeros, the entry is for the default gateway, but the Layer 2 Switch does not have a link to the gateway.
Port – The port on which the entry was learned.
Age – The number of minutes the entry has remained unused.

TABLE 110 CLI display of IP traffic statistics – Layer 2 Switch
This field... / Displays...
IP statistics
received – The total number of IP packets received by the device.
sent – The total number of IP packets originated and sent by the device.
fragmented – The total number of IP packets fragmented by this device to accommodate the MTU of this device or of another device.

TABLE 110 CLI display of IP traffic statistics – Layer 2 Switch (Continued)
This field... / Displays...
input errors – This information is used by Dell customer support.
TCP statistics – The TCP statistics are derived from RFC 793, "Transmission Control Protocol".
current active tcbs – The number of TCP Control Blocks (TCBs) that are currently active.
tcbs allocated – The number of TCBs that have been allocated.
Chapter 22: Configuring RIP

RIP overview

Routing Information Protocol (RIP) is an IP route exchange protocol that uses a distance vector (a number representing distance) to measure the cost of a given route. The cost is a distance vector because the cost often is equivalent to the number of router hops between the Layer 3 Switch and the destination network. A Layer 3 Switch can receive multiple paths to a destination.

RIP parameters and defaults

RIP global parameters

Table 111 lists the global RIP parameters and their default values, and indicates where you can find configuration information.

TABLE 111 RIP global parameters
Parameter / Description / Default / See page...
RIP state – The global state of the protocol. NOTE: You also must enable the protocol on individual interfaces. Globally enabling the protocol does not allow interfaces to send and receive RIP information. Default: Disabled. See page 645.

Configuring RIP parameters

TABLE 112 RIP interface parameters
Parameter / Description / Default / See page...
RIP state and version – The state of the protocol and the version that is supported on the interface. The version can be one of the following: Version 1 only; Version 2 only; Version 1, but also compatible with version 2. NOTE: You also must enable RIP globally. Default: Disabled. See page 645.
Metric – A numeric cost the router adds to RIP routes learned on the interface.

PowerConnect(config)# interface ethernet 1
PowerConnect(config-if-1)# ip rip v1-only

Syntax: [no] ip rip v1-only | v1-compatible-v2 | v2-only

NOTE: You must specify the RIP version.

Configuring metric parameters

By default, a Layer 3 Switch port increases the cost of a RIP route that is learned on the port by one. You can configure individual ports to add more than one to a learned route cost.

The software adds the offset value to the routing metric (cost) of the routes that match the ACL. If a route matches both a global offset list and an interface-based offset list, the interface-based offset list takes precedence: the interface-based offset list metric is added to the route in this case. You can configure up to 24 global RIP offset lists and up to 24 RIP offset lists on each interface. To configure a global RIP offset list, enter commands such as the following.
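The per-port metric increment and the offset-list precedence rule above combine into one metric computation for a learned route, and a RIP metric of 16 is the protocol's "unreachable" value, so whatever the increments add up to is capped there. The following is an added example, not from the guide, that applies those rules in Python. ACL matching is reduced to "the route's network lies inside a permitted prefix", which is an assumption made for the example; the offset lists and routes are constructed.

```python
import ipaddress

RIP_INFINITY = 16   # RIP metric 16 means the destination is unreachable


def acl_matches(acl, prefix):
    """Match used by an offset list in this example: the route's network
    must lie inside one of the ACL's permitted prefixes (assumed semantics)."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in acl)


def learned_metric(prefix, advertised, port_metric=1, global_offsets=(), iface_offsets=()):
    """Metric of a route learned on a port.

    advertised     metric carried in the neighbour's RIP update
    port_metric    the per-port increment (default 1, as the guide states)
    *_offsets      iterables of (acl, offset) tuples; the first matching
                   interface-based list wins over any matching global list,
                   and only one offset is added.
    The result never exceeds RIP_INFINITY."""
    metric = advertised + port_metric
    for lists in (iface_offsets, global_offsets):
        hit = next((off for acl, off in lists if acl_matches(acl, prefix)), None)
        if hit is not None:
            metric += hit
            break
    return min(metric, RIP_INFINITY)


# Constructed lists: a global list adding 2 to everything in 10.0.0.0/8 and
# an interface list adding 5 to 10.10.0.0/16.
GLOBAL_OFFSETS = [(["10.0.0.0/8"], 2)]
IFACE_OFFSETS = [(["10.10.0.0/16"], 5)]

if __name__ == "__main__":
    for prefix, adv in (("10.10.10.0/24", 3), ("10.20.0.0/16", 3), ("192.168.1.0/24", 14)):
        print(prefix, learned_metric(prefix, adv, 1, GLOBAL_OFFSETS, IFACE_OFFSETS))
```

The last sample route shows the cap: an advertised metric of 14 plus a port increment of 2 reaches 16, so the route is installed as unreachable rather than with a metric RIP cannot carry.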
• Change the default redistribution metric (optional). The Layer 3 Switch assigns a RIP metric of one to each redistributed route by default. You can change the default metric to a value up to 16. (A metric of 16 is RIP's infinity, so routes redistributed with that metric are advertised as unreachable.)
• Enable redistribution.

NOTE: Do not enable redistribution until you configure the other redistribution parameters.

Configuring redistribution filters

RIP redistribution filters apply to all interfaces.

The following command denies redistribution of OSPF routes within 207.92.0.0/16 that have a metric of 10.

PowerConnect(config-rip-router)# deny redistribute 3 ospf address 207.92.0.0 255.255.0.0 match-metric 10

The following commands deny redistribution of all routes except routes for 10.10.10.x and 20.20.20.x. The deny-all entry is given the highest index so that the more specific permit entries are matched first.

PowerConnect(config-rip-router)# deny redistribute 64 static address 255.255.255.255 255.255.255.255
PowerConnect(config-rip-router)# permit redistribute 1 static address 10.10.10.

PowerConnect(config-rip-router)# no deny redistribute 2 all address 207.92.0.0 255.255.0.0
PowerConnect(config-r ip-router)# no redistribution
PowerConnect(config-rip-router)# redistribution

Configuring route learning and advertising parameters

By default, a Layer 3 Switch learns routes from all its RIP neighbors and advertises RIP routes to those neighbors.

Configuring a RIP neighbor filter

By default, a Layer 3 Switch learns RIP routes from all its RIP neighbors. Neighbor filters allow you to specify the neighbor routers from which the device can receive RIP routes. Neighbor filters apply globally to all ports. To configure a RIP neighbor filter, enter a command such as the following.

Neighbor filters are the control to reach for when untrusted hosts share a RIP-enabled segment: an update from an unfiltered source is accepted as-is, so filter by neighbor address rather than relying on hosts not to speak RIP.

Suppressing RIP route advertisement on a VRRP or VRRPE backup interface

NOTE: This section applies only if you configure the Layer 3 Switch for Virtual Router Redundancy Protocol (VRRP) or VRRP Extended (VRRPE). Refer to Chapter 24, "Configuring VRRP and VRRPE".

Normally, a VRRP or VRRPE Backup includes route information for the virtual IP address (the backed up interface) in RIP advertisements.

Applying a RIP route filter to an interface

Once you define RIP route filters, you must assign them to individual interfaces. The filters do not take effect until you apply them to interfaces. When you apply a RIP route filter, you also specify whether the filter applies to learned routes or advertised routes:
• Out filters apply to routes the Layer 3 Switch advertises to its neighbor on the interface.

Displaying RIP filters

TABLE 113 CLI display of RIP filter information (Continued)
This field... / Displays...
Subnet Mask – The network mask for the IP address.
Neighbor filters – The rows underneath "RIP Neighbor Filter Table" list the RIP neighbor filters. If no RIP neighbor filters are configured on the device, the following message is displayed instead: "No Filters are configured in RIP Neighbor Filter Table".
Index – The filter number.
Action
Neighbor IP Address

Displaying CPU utilization statistics

PowerConnect#show process cpu
The system has only been up for 6 seconds.
Process Name   5Sec(%)   1Min(%)   5Min(%)   15Min(%)
ARP            0.01      0.00      0.00      0.00
BGP            0.00      0.00      0.00      0.00
GVRP           0.00      0.00      0.00      0.00
ICMP           0.01      0.00      0.00      0.00
IP             0.00      0.00      0.00      0.00
OSPF           0.00      0.00      0.00      0.00
RIP            0.00      0.00      0.00      0.00
STP            0.00      0.00      0.00      0.00
VRRP           0.00      0.00      0.00      0.
Chapter 23: Configuring OSPF Version 2 (IPv4)

This chapter describes how to configure OSPF Version 2 on Layer 3 Switches using the CLI. OSPF Version 2 is supported on devices running IPv4.

NOTE: The terms Layer 3 Switch and router are used interchangeably in this chapter and mean the same thing.

Overview of OSPF

OSPF is a link-state routing protocol. The protocol uses link-state advertisements (LSA) to update neighboring routers regarding its interfaces and information on those interfaces.

An Autonomous System Boundary Router (ASBR) is a router that is running multiple protocols and serves as a gateway to routers outside an area and those operating with different protocols. The ASBR is able to import and translate different protocol routes into OSPF through a process known as redistribution. For more details on redistribution and configuration examples, refer to "Enable route redistribution" on page 686.

FIGURE 105 OSPF operating in a network
[Figure labels: Area 0.0.0.

In an OSPF point-to-point network, where a direct Layer 3 connection exists between a single pair of OSPF routers, there is no need for Designated and Backup Designated Routers, as is the case in OSPF multi-access networks. Without the need for Designated and Backup Designated routers, a point-to-point network establishes adjacency and converges faster. The neighboring routers become adjacent whenever they can communicate directly.

NOTE: Priority is a configurable option at the interface level. You can use this parameter to help bias one router as the DR.

FIGURE 107 Backup designated router becomes designated router
[Figure labels: Designated Router, priority 10, Router A (X); Designated Backup Router, priority 5; priority 20; Router C; Router B]

If two neighbors share the same priority, the router with the highest router ID is designated as the DR. The router with the next highest router ID is designated as the BDR.

NOTE: For details on how to configure the system to operate with the RFC 2178, refer to "Modify OSPF standard compliance setting" on page 694.

Reduction of equivalent AS External LSAs

An OSPF ASBR uses AS External link advertisements (AS External LSAs) to originate advertisements of a route to another routing domain, such as a BGP4 or RIP domain.

Figure 108 shows an example of the AS External LSA reduction feature. In this example, Layer 3 Switches D and E are OSPF ASBRs, and thus communicate route information between the OSPF AS, which contains Routers A, B, and C, and another routing domain, which contains Router F. The other routing domain is running another routing protocol, such as BGP4 or RIP. Routers D, E, and F, therefore, are each running both OSPF and either BGP4 or RIP.

Routers that flush the duplicate AS External LSAs have more memory for other OSPF data. In Figure 108, since Router D has a higher router ID than Router E, Router D floods the AS External LSAs for Router F to Routers A, B, and C. Router E flushes the equivalent AS External LSAs from its database.

Algorithm for AS External LSA reduction

Figure 108 shows an example in which the normal AS External LSA reduction feature is in effect.

All three networks have the same network address, 10.0.0.0. Without support for RFC 2328 Appendix E, an OSPF router uses the same link state ID, 10.0.0.0, for the LSAs for all three networks. For example, if the router generates an LSA with ID 10.0.0.0 for network 10.0.0.0 255.0.0.0, this LSA conflicts with the LSA generated for network 10.0.0.0 255.255.0.0 or 10.0.0.0 255.255.255.0. The result is multiple LSAs that have the same ID but that contain different route information.
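The conflict just described is what RFC 2328 Appendix E resolves: when several AS External LSAs would share the Link State ID 10.0.0.0, the most specific network keeps the network address as its ID and each less specific network instead uses its address with all host bits set to one (10.0.255.255 for 10.0.0.0/16, 10.255.255.255 for 10.0.0.0/8), so every LSA keeps a distinct ID. The following is an added example, not from the guide, that applies the Appendix E assignment in Python, including the case the RFC spells out where a more specific network is originated after a less specific one already holds the plain address and that older LSA has to be re-originated under its host-bits-set ID. The class and the order of origination are constructed for the example.

```python
import ipaddress


def host_bits_set(net):
    """Network address with every host bit set to one: the Appendix E
    alternative Link State ID for a less specific network."""
    return ipaddress.IPv4Address(int(net.network_address) | int(net.hostmask))


class ExternalLsaIds:
    """Assign Link State IDs to AS External LSAs for networks that share an
    address but differ in mask (RFC 2328 Appendix E). The most specific
    network keeps the network address; every less specific network with the
    same address gets the address with host bits set. Re-assignments of an
    existing ID are returned so the caller can flush and re-originate."""

    def __init__(self):
        self.ids = {}   # IPv4Network -> IPv4Address (Link State ID)

    def originate(self, prefix):
        net = ipaddress.ip_network(prefix)
        if net in self.ids:
            return []
        changes = []
        same_addr = [n for n in self.ids if n.network_address == net.network_address]
        more_specific = [n for n in same_addr if n.prefixlen > net.prefixlen]
        if more_specific:
            # A more specific network already owns the plain address.
            self.ids[net] = host_bits_set(net)
        else:
            # The new network is the most specific: it takes the plain
            # address, and any less specific holder moves to its
            # host-bits-set form and must be re-originated.
            for n in same_addr:
                if self.ids[n] == net.network_address:
                    changes.append((n, self.ids[n], host_bits_set(n)))
                    self.ids[n] = host_bits_set(n)
            self.ids[net] = net.network_address
        return changes

    def link_state_id(self, prefix):
        return str(self.ids[ipaddress.ip_network(prefix)])

    def all_ids(self):
        return {str(n): str(i) for n, i in self.ids.items()}


if __name__ == "__main__":
    lsa = ExternalLsaIds()
    for p in ("10.0.0.0/8", "10.0.0.0/24", "10.0.0.0/16"):
        for net, old, new in lsa.originate(p):
            print(f"re-originate {net}: {old} -> {new}")
    print(lsa.all_ids())
```

The re-origination step is the part worth checking in a real ASBR: the /8 LSA that was already flooded under 10.0.0.0 has to be flushed and re-sent under 10.255.255.255 once the /24 appears, otherwise neighbours hold two LSAs with one ID and different routes, which is exactly the conflict the paragraph above describes.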
Configuring OSPF 23 You also can change the amount of memory allocated to various types of LSA entries. However, these changes require a system reset or reboot. Configuring OSPF Follow the steps given below to begin using OSPF on the router. 1. Enable OSPF on the router. 2. Assign the areas to which the router will be attached. 3. Assign individual interfaces to the OSPF areas. 4. Define redistribution filters, if desired. 5. Enable redistribution, if you defined redistribution filters. 6.
23 Configuring OSPF

• Define deny redistribution.
• Define permit redistribution.
• Enable redistribution.
• Change the LSA pacing interval.
• Modify OSPF Traps generated.
• Modify database overflow interval.

Interface parameters:
• Assign interfaces to an area.
• Define the authentication key for the interface.
• Change the authentication-change interval.
• Modify the cost for a link.
• Modify the dead interval.
• Modify MD5 authentication key parameters.
• Modify the priority of the interface.

PowerConnect(config-ospf-router)# no router ospf
router ospf mode now disabled. All ospf config data will be lost when writing to flash!

If you have disabled the protocol but have not yet saved the configuration to the startup-config file and reloaded the software, you can restore the configuration information by re-entering the command to enable the protocol (for example, router ospf).

• ABRs translate type 7 LSAs into type 5 External LSAs, which can then be flooded throughout the AS. You can configure address ranges on the ABR of an NSSA so that the ABR converts multiple type-7 External LSAs received from the NSSA into a single type-5 External LSA.

When an NSSA contains more than one ABR, OSPF elects one of the ABRs to perform the LSA translation for the NSSA. OSPF elects the ABR with the highest router ID.

Syntax: area | stub [no-summary]

The | parameter specifies the area number, which can be a number or in IP address format. If you specify a number, the number can be from 0 – 2,147,483,647.

The stub parameter specifies an additional cost for using a route to or from this area and can be from 1 – 16777215. There is no default. Normal areas do not use the cost parameter.

This example shows two routing domains, a RIP domain and an OSPF domain. The ASBR inside the NSSA imports external routes from RIP into the NSSA as Type-7 LSAs, which the ASBR floods throughout the NSSA. The ABR translates the Type-7 LSAs into Type-5 LSAs. If an area range is configured for the NSSA, the ABR also summarizes the LSAs into an aggregate LSA before flooding the Type-5 LSAs into the backbone.

The parameter specifies the IP address portion of the range. The software compares the address with the significant bits in the mask. All network addresses that match this comparison are summarized in a single route advertised by the router.

The parameter specifies the portions of the IP address that a route must contain to be summarized in the summary route. In the example above, all networks that begin with 209.157 are summarized into a single route.
• ip ospf auth-change-wait-time
• ip ospf passive
• ip ospf authentication-key [0 | 1]
• ip ospf cost
• ip ospf dead-interval
• ip ospf hello-interval
• ip ospf md5-authentication key-activation-wait-time | key-id [0 | 1] key
• ip ospf priority
• ip ospf retransmit-interval
• ip ospf transmit-delay

For a complete description of these parameters, see the summary of OSPF port parameters in the next se

Hello-interval: Represents the length of time between the transmission of hello packets. The value can be from 1 – 65535 seconds. The default is 10 seconds.

MD5-authentication activation wait time: The number of seconds the Layer 3 Switch waits before placing a new MD5 key into effect. The wait time provides a way to transition gracefully from one MD5 key to another without disturbing the network. The wait time can be from 0 – 14400 seconds. The default is 300 seconds (5 minutes).

NOTE
If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior.

If you specify encryption option 1, the software assumes that you are entering the encrypted form of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication.
Block flooding of outbound LSAs on specific OSPF interfaces

By default, the Layer 3 Switch floods all outbound LSAs on all the OSPF interfaces within an area. You can configure a filter to block outbound LSAs on an OSPF interface. This feature is particularly useful when you want to block LSAs from some, but not all, of the interfaces attached to the area.

After you apply filters to block the outbound LSAs, the filtering occurs during the database synchronization and flooding.

NOTE
When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link).

FIGURE 110 Defining OSPF virtual links within a network
[Figure: OSPF Area 0, Router ID 209.157.22.1, DeviceC, OSPF Area 1 “transit area”, OSPF Area 2, Router ID 10.0.0.1, DeviceB, DeviceA]

Example
Figure 110 shows an OSPF area border router, DeviceA, that is cut off from the backbone area (area 0).

The area | parameter specifies the transit area.

The parameter specifies the router ID of the OSPF router at the remote end of the virtual link. To display the router ID on a Layer 3 Switch, enter the show ip command.

Refer to “Modify virtual link parameters” on page 677 for descriptions of the optional parameters.

Modify virtual link parameters
OSPF has some parameters that you can modify for virtual links.

The range for the key activation wait time is from 0 – 14400 seconds. The default value is 300 seconds.

Hello Interval: The length of time between the transmission of hello packets. The range is 1 – 65535 seconds. The default is 10 seconds.

Retransmit Interval: The interval between the re-transmission of link state advertisements to router adjacencies for this interface. The range is 0 – 3600 seconds. The default is 5 seconds.

The bandwidth for interfaces that consist of more than one physical port is calculated as follows:
• Trunk group – The combined bandwidth of all the ports.
• Virtual interface – The combined bandwidth of all the ports in the port-based VLAN that contains the virtual interface.

The default reference bandwidth is 100 Mbps. You can change the reference bandwidth to a value from 1 – 4294967.
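An added example (not from the guide) of how the reference bandwidth turns into interface costs, including the combined-bandwidth rule for trunk groups. The cost formula used here, reference bandwidth divided by interface bandwidth with integer division and a floor of 1, is the usual RFC 2328-derived convention and is an assumption about this platform; the interface names and port speeds are constructed. Running it with the default reference of 100 Mbps and then with 10000 Mbps shows why the default cannot tell a 100 Mbps link from a 4-port Gigabit trunk.

```python
DEFAULT_REFERENCE_MBPS = 100       # default stated in the guide
MAX_REFERENCE_MBPS = 4294967       # upper limit stated in the guide


def interface_bandwidth_mbps(member_port_speeds_mbps):
    """Bandwidth of a trunk group or virtual interface is the combined bandwidth
    of all member ports; a single physical port is a one-element list."""
    return sum(member_port_speeds_mbps)


def ospf_cost(bandwidth_mbps, reference_mbps=DEFAULT_REFERENCE_MBPS):
    """Cost = reference bandwidth / interface bandwidth, integer, minimum 1
    (rounding is an assumption; confirm against show ip ospf interface)."""
    if not 1 <= reference_mbps <= MAX_REFERENCE_MBPS:
        raise ValueError("reference bandwidth must be 1-4294967 Mbps")
    if bandwidth_mbps <= 0:
        raise ValueError("interface bandwidth must be positive")
    return max(1, reference_mbps // bandwidth_mbps)


def cost_table(interfaces, reference_mbps):
    """{interface name: cost} for a dict of interface name -> member port speeds."""
    return {name: ospf_cost(interface_bandwidth_mbps(ports), reference_mbps)
            for name, ports in interfaces.items()}


# Constructed topology: a 10 Mbps link, a 100 Mbps link, a 1 Gbps link and a
# trunk group of four 1 Gbps ports.
SAMPLE_INTERFACES = {
    "e1 (10M)": [10],
    "e2 (100M)": [100],
    "e3 (1G)": [1000],
    "trunk 4x1G": [1000, 1000, 1000, 1000],
}

if __name__ == "__main__":
    for ref in (DEFAULT_REFERENCE_MBPS, 10000):
        print(f"auto-cost reference-bandwidth {ref}:", cost_table(SAMPLE_INTERFACES, ref))
```

With the default reference bandwidth every link of 100 Mbps or faster gets cost 1, so SPF treats the single Gigabit link and the four-port trunk as equal; with the reference raised to 10000 Mbps the costs become 10 and 2 respectively and the trunk is preferred.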
PowerConnect(config-ospf-router)# no auto-cost reference-bandwidth

Define redistribution filters
Route redistribution imports and translates different protocol routes into a specified protocol type. On routers, redistribution is supported for static routes, OSPF, RIP, and BGP4. When you configure redistribution for RIP, you can specify that static, OSPF, or BGP4 routes are imported into RIP routes.

NOTE
Do not enable redistribution until you have configured the redistribution filters. If you enable redistribution before you configure the redistribution filters, the filters will not take effect and all routes will be distributed.

Example
To redistribute RIP, static, and BGP4 routes into OSPF, enter the following commands on the Layer 3 Switch acting as an ASBR.

To configure an OSPF distribution list:
• Configure a standard or extended ACL that identifies the routes you want to deny. Using a standard ACL lets you deny routes based on the destination network, but does not filter based on the network mask. To also filter based on the destination network mask, use an extended ACL.
• Configure an OSPF distribution list that uses the ACL as input.

The parameter specifies the source address for the policy. Since this ACL is input to an OSPF distribution list, the parameter actually specifies the destination network of the route.

The parameter specifies the portion of the source address to match against. The is in dotted-decimal notation (IP address format). It is a four-part value, where each part is 8 bits (one byte) separated by dots, and each bit is a one or a zero.

The | parameter specifies the ACL name or ID.

The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.

The parameter indicates the type of IP packet you are filtering. When using an extended ACL as input for an OSPF distribution list, specify ip.

Since this ACL is input to an OSPF distribution list, the parameter actually specifies the destination network of the route.
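The following is an added example, not code from the guide, that models the distribution-list procedure above: a standard ACL entry matches only the route's destination network, an extended entry also matches the route's network mask, and the first matching entry decides whether the route is accepted. The wildcard-mask convention (a 0 bit must match, a 1 bit is ignored) and the implicit deny at the end of the ACL are assumptions about the platform's ACL semantics; the ACL entries and routes are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Wildcard-mask compare: bits that are 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (p & care)


@dataclass
class AclEntry:
    action: str                          # "permit" or "deny"
    net: str                             # for a distribution list: the route's destination network
    net_wildcard: str
    mask: Optional[str] = None           # extended ACL only: the route's network mask
    mask_wildcard: Optional[str] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if not wildcard_match(str(route.network_address), self.net, self.net_wildcard):
            return False
        if self.mask is None:            # standard ACL: destination network only
            return True
        return wildcard_match(str(route.netmask), self.mask, self.mask_wildcard)


def distribution_list_allows(acl: List[AclEntry], route_str: str) -> bool:
    """First matching entry decides; no match falls through to the implicit deny."""
    route = ipaddress.ip_network(route_str, strict=False)
    for entry in acl:
        if entry.matches(route):
            return entry.action == "permit"
    return False


# Constructed ACLs. The standard one denies anything in 10.0.0.0/8; the extended
# one denies only host routes (mask 255.255.255.255) inside 10.0.0.0/8.
STANDARD_ACL = [
    AclEntry("deny", "10.0.0.0", "0.255.255.255"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255"),
]
EXTENDED_ACL = [
    AclEntry("deny", "10.0.0.0", "0.255.255.255",
             mask="255.255.255.255", mask_wildcard="0.0.0.0"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255",
             mask="0.0.0.0", mask_wildcard="255.255.255.255"),
]

if __name__ == "__main__":
    for route in ("10.1.2.0/24", "10.1.2.3/32", "192.168.1.0/24"):
        print(route, "standard:", distribution_list_allows(STANDARD_ACL, route),
              "extended:", distribution_list_allows(EXTENDED_ACL, route))
```

The standard ACL cannot express "deny only the /32s in 10/8"; it drops 10.1.2.0/24 and 10.1.2.3/32 alike, which is the limitation the text describes and the reason an extended ACL is needed when the mask matters.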
PowerConnect(config)# router ospf
PowerConnect(config-ospf-router)# default-metric 4

Syntax: default-metric

The can be from 1 – 16,777,215. The default is 10.

Enable route redistribution
To enable route redistribution, use one of the following methods.

NOTE
Do not enable redistribution until you have configured the redistribution filters. Otherwise, you might accidentally overload the network with routes you did not intend to redistribute.

The following command shows the result of the redistribution filter. Since only one of the static IP routes configured above matches the route map, only one route is redistributed. Notice that the route metric is 5 before redistribution but is 8 after redistribution.

PowerConnect# show ip ospf database external extensive
Index Aging 1 2 LS ID 4.4.0.0 Router 10.10.10.

The router software can use the route information it learns through OSPF to determine the paths and costs.

Example OSPF network with four equal-cost paths
[Figure: OSPF Area 0 with Device, R1, R3, R4, R5, R6 and hosts H1, H2, H3, H4]

In the example in Figure , the switch has four paths to R1:
• Device->R3
• Device->R4
• Device->R5
• Device->R6

Normally, the switch will choose the path to R1 with the lower metric. For example, if the R3 metric is 1400 and the R4 metric is 600, the switch will always choose R4.

When you configure an address range, the range takes effect immediately. All the imported routes are summarized according to the configured address range. Imported routes that have already been advertised and that fall within the range are flushed out of the AS and a single route corresponding to the range is advertised.

Configure default route origination
When the Layer 3 Switch is an OSPF Autonomous System Boundary Router (ASBR), you can configure it to automatically generate a default external route into an OSPF routing domain. This feature is called “default route origination” or “default information origination”. By default, Layer 3 Switches do not advertise the default route into the OSPF domain.

If you do not use this option, the default redistribution metric type is used for the route type.

NOTE
If you specify a metric and metric type, the values you specify are used even if you do not use the always option.

Modify SPF timers
The Layer 3 Switch uses the following timers when calculating the shortest path for OSPF routes:
• SPF delay – When the Layer 3 Switch receives a topology change, the software waits before it starts a Shortest Path First (SPF) calculation.

Modify administrative distance
Layer 3 Switches can learn about networks from various protocols, including Border Gateway Protocol version 4 (BGP4), RIP, and OSPF. Consequently, the routes to a network may differ depending on the protocol from which the routes were learned. The default administrative distance for OSPF routes is 110. Refer to “Changing administrative distances” on page 777 for a list of the default distances for all route sources.

Configure OSPF group Link State Advertisement (LSA) pacing
The Layer 3 Switch paces LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA refresh timer expires. The accumulated LSAs constitute a group, which the Layer 3 Switch refreshes and sends out together in one or more packets.

• virtual-neighbor-state-change-trap – [MIB object: ospfVirtNbrStateChange]
• interface-config-error-trap – [MIB object: ospfIfConfigError]
• virtual-interface-config-error-trap – [MIB object: ospfVirtIfConfigError]
• interface-authentication-failure-trap – [MIB object: ospfIfAuthFailure]
• virtual-interface-authentication-failure-trap – [MIB object: ospfVirtIfAuthFailure]
• interface-receive-bad-packet-trap – [MIB object: ospfIfrxBadPacket]
• virtual-interface-receive-bad
Syntax: database-overflow-interval

The can be from 0 – 86400 seconds. The default is 0 seconds.

Specifying the types of OSPF Syslog messages to log
You can specify which kinds of OSPF-related Syslog messages are logged. By default, the only OSPF messages that are logged are those indicating possible system errors. If you want other kinds of OSPF messages to be logged, you can configure the device to log them.

PowerConnect# clear ip ospf neighbor

Syntax: clear ip ospf neighbor [ip | id ]

This command clears all OSPF neighbors and the OSPF routes exchanged with the neighbors in the OSPF link state database. After this information is cleared, adjacencies with all neighbors are re-established, and routes with these neighbors are exchanged again.

To clear information on the device about OSPF neighbor 10.10.10.1, enter the following command.

This command clears all OSPF areas, all OSPF neighbors, and the entire OSPF routing table. After this information has been cleared, adjacencies with all neighbors are re-established, and all OSPF routes are re-learned.

To clear information on the device about OSPF area 1, enter the following command.

PowerConnect# clear ip ospf area 1

This command clears information about the specified area ID. Information about other OSPF areas is not affected.

PowerConnect# show ip ospf config
Router OSPF: Enabled
Redistribution: Disabled
Default OSPF Metric: 10
OSPF Redistribution Metric: Type2
OSPF External LSA Limit: 25000
OSPF Database Overflow Interval: 0
RFC 1583 Compatibility: Enabled
Router id: 207.95.11.

PowerConnect# show process cpu
Process Name  5Sec(%)  1Min(%)  5Min(%)  15Min(%)
ARP           0.01     0.03     0.09     0.22
BGP           0.04     0.06     0.08     0.14
GVRP          0.00     0.00     0.00     0.00
ICMP          0.00     0.00     0.00     0.00
IP            0.00     0.00     0.00     0.00
OSPF          0.03     0.06     0.09     0.12
RIP           0.00     0.00     0.00     0.00
STP           0.00     0.00     0.00     0.00
VRRP          0.00     0.00     0.00     0.
Displaying OSPF area information
To display OSPF area information, enter the following command at any CLI level.

PowerConnect# show ip ospf area
Indx  Area          Type    Cost  SPFR  ABR  ASBR  LSA  Chksum(Hex)
1     0.0.0.0       normal  0     1     0    0     1    0000781f
2     192.147.60.0  normal  0     1     0    0     1    0000fee6
3     192.147.80.0  stub    1     1     0    0     2    000181cd

Syntax: show ip ospf area [] | []

The parameter shows information for the specified area.

PowerConnect# show ip ospf neighbor detail
Port  Address   Pri  State     Neigh Address  Neigh ID      Ev  Op  Cnt  Second-to-dead
1     20.2.0.2  1    FULL/DR   20.2.0.1       2.2.2.2       6   2   0    39
1     20.3.0.2  1    FULL/BDR  20.3.0.1       3.3.3.3       5   2   0    36
1-8   23.5.0.1  1    FULL/DR   23.5.0.2       16.16.16.16   6   2   0    33
1-2   23.2.0.1  1    FULL/DR   23.2.0.2       15.15.15.                  33

TABLE 115 CLI display of OSPF neighbor information (Continued)
Field: State
Description: The state of the conversation between the Layer 3 Switch and the neighbor. This field can have one of the following values:
• Down – The initial state of a neighbor conversation. This value indicates that there has been no recent information received from the neighbor.
• Attempt – This state is only valid for neighbors attached to non-broadcast networks.

PowerConnect# show ip ospf interface 192.168.1.1
Ethernet 1,OSPF enabled
IP Address 192.168.1.1, Area 0
OSPF state ptr2ptr, Pri 1, Cost 1, Options 2, Type pt-2-pt Events 1
Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40
DR: Router ID 0.0.0.0 Interface Address 0.0.0.0
BDR: Router ID 0.0.0.0 Interface Address 0.0.0.0
Neighbor Count = 0, Adjacent Neighbor Count= 1
Neighbor: 2.2.2.

TABLE 116 Output of the show ip ospf interface command (Continued)
This field: Events
Displays: OSPF Interface Event:
• Interface_Up = 0x00
• Wait_Timer = 0x01
• Backup_Seen = 0x02
• Neighbor_Change = 0x03
• Loop_Indication = 0x04
• Unloop_Indication = 0x05
• Interface_Down = 0x06
• Interface_Passive = 0x07
This field: Adjacent Neighbor Count
Displays: The number of adjacent neighbor routers.
This field: Neighbor:
Displays: The neighbor router ID.
TABLE 117 CLI Display of OSPF route information (Continued)
This field...: Path_Type
Displays...: The type of path, which can be one of the following:
• Inter – The path to the destination passes into another area.
• Intra – The path to the destination is entirely within the local area.
• External1 – The path to the destination is a type 1 external route.
• External2 – The path to the destination is a type 2 external route.

PowerConnect# show ip ospf redistribute route 3.1.0.0 255.255.0.0
3.1.0.0 255.255.0.0 static

Displaying OSPF external link state information
To display external link state information, enter the following command at any CLI level.

PowerConnect# show ip ospf database external-link-state
Index  Aging  LS ID       Router      Netmask   Metric
1      1794   1.168.64.0  192.85.0.3  ffffe000  000003e8
2      1794   3.215.0.0   192.85.0.3  ffff0000  000003e8
3      1794   1.27.250.0  192.85.0.3  fffffe00  000003e8
4      1794   1.

TABLE 118 CLI display of OSPF external link state information (Continued)
This field...: Seq(hex)
Displays...: The sequence number of the LSA. The OSPF neighbor that sent the LSA stamps it with a sequence number to enable the Layer 3 Switch and other OSPF routers to determine which LSA for a given route is the most recent.
This field...: Chksum
Displays...: A checksum for the LSA packet, which is based on all the fields in the packet except the age field.

Index  Aging  LS ID       Router      Netmask   Metric    Flag
3      619    1.27.250.0  192.85.0.3  fffffe00  000003e8  b500  0.0.0.0
LSA Header: age: 619, options: 0x02, seq-nbr: 0x80000003, length: 36
NetworkMask: 255.255.254.0
TOS 0: metric_type: 1, metric: 1000
forwarding_address: 0.0.0.

Syntax: show ip ospf border-routers []

The parameter displays the ABR and ASBR entries for the specified IP address.

Displaying OSPF trap status
All traps are enabled by default when you enable OSPF. To disable or re-enable an OSPF trap, refer to “Modify OSPF traps generated” on page 693.

To display the state of each OSPF trap, enter the following command at any CLI level.
Chapter 24 Configuring VRRP and VRRPE

This chapter describes how to configure Layer 3 Switches with the following router redundancy protocols:
• Virtual Router Redundancy Protocol (VRRP) – The standard router redundancy protocol described in RFC 2338.
• VRRP Extended (VRRPE) – An enhanced version of VRRP that overcomes limitations in the standard protocol.

NOTE
VRRP and VRRPE are separate protocols. You cannot use them together.

Overview
VRRP is a protocol that provides redundancy to routers within a LAN. VRRP allows you to provide alternate router paths for a host without changing the IP address or MAC address by which the host knows its gateway. Consider the situation shown in Figure 112.

FIGURE 112 Switch 1 is Host1 default gateway but is a single point of failure
[Figure: Internet or Enterprise Intranet; ports e4, e2, e6, e5; Switch 2, Switch 1; 192.53.5.1; Host1 Default Gateway 102.53.5.]

Figure 113 shows the same example network shown in Figure 112, but with a VRRP virtual router configured on Switch 1 and Switch 2.

FIGURE 113 Switch 1 and Switch 2 are configured as a VRRP virtual router for redundant network access for Host1
[Figure: Internet or enterprise Intranet; ports e4, e2, e6, e5; Router1 VRID1, Router1 = Master, IP address = 192.53.5.1, MAC address = 00-00-5E-00-01-01, Priority = 255; Router2 192.53.5.3; 192.53.5.]

Virtual router MAC address
Notice the MAC address associated with VRID1. The first five octets of the address are the standard MAC prefix for VRRP packets, as described in RFC 2338. The last octet is the VRID. The VRID number becomes the final octet in the virtual MAC address associated with the virtual router. When you configure a VRID, the software automatically assigns its MAC address.

Because the router that owns the IP addresses associated with the VRID always has the highest priority, when all the routers in the virtual router are operating normally, the negotiation process results in the Owner of the VRID IP addresses becoming the Master router. Thus, the VRRP negotiation results in the normal case, in which the hosts’ path to the default route is to the router that owns the interface for that route.

Figure 113 on page 713, Switch 1 priority changes from 255 to 20. One of the parameters contained in the Hello messages the Master router sends to its Backups is the Master router priority. If the track port feature results in a change in the Master router priority, the Backup routers quickly become aware of the change and initiate a negotiation for Master router. In Figure 113 on page 713, the track priority results in Switch 1 VRRP priority becoming lower than Switch 2 VRRP priority.
VRRPE is similar to VRRP, but differs in the following respects:
• Owners and Backup:
  • VRRP has an Owner and one or more Backups for each VRID. The Owner is the router on which the VRID's IP address is also configured as a real address. All the other routers supporting the VRID are Backups.
  • VRRPE does not use Owners. All routers are Backups for a given VRID. The router with the highest priority becomes Master.

Figure 114 shows an example of a VRRPE configuration.

FIGURE 114 Router1 and Router2 are configured to provide dual redundant network access for the host
[Figure: Internet; VRID 1, Switch 1 = Master, Virtual IP address 192.53.5.254, Priority = 110, Track Port = e 4, Track Priority = 20; ports e4, e2, e6, e1; Switch 1, Switch 2; 192.53.5.2, 192.53.5.3; VRID 1, Switch 2 = Backup, Virtual IP address 192.53.5.]

Configuration note
VRRP-E is supported in the full Layer 3 code only. It is not supported in the Base Layer 3 code.

Comparison of VRRP and VRRPE
This section compares router redundancy protocols.

VRRP
VRRP is a standards-based protocol, described in RFC 2338. The VRRP contains the features in RFC 2338.

VRRP and VRRPE parameters
Virtual router IP address (the address you are backing up)
• VRRP – The virtual router IP address is the same as an IP address or virtual interface configured on one of the Layer 3 Switches, which is the “Owner” and becomes the default Master.
• VRRPE – The virtual router IP address is the gateway address you want to back up, but does not need to be an IP interface configured on one of the Layer 3 Switch ports or a virtual interface.

TABLE 119 VRRP and VRRPE parameters (Continued)
Parameter Description Default See page...
Parameter: VRID MAC address
Description: The source MAC address in VRRP or VRRPE packets sent from the VRID interface, and the destination for packets sent to the VRID:
• VRRP – A virtual MAC address defined as 00-00-5e-00-01-. The Master owns the Virtual MAC address.

TABLE 119 VRRP and VRRPE parameters (Continued)
Parameter Description Default See page...
Parameter: Dead interval
Description: The number of seconds a Backup waits for a Hello message from the Master for the VRID before determining that the Master is no longer active. If the Master does not send a Hello message before the dead interval expires, the Backups negotiate (compare priorities) to select a new Master for the VRID.
Configuring the Owner
Router1(config)# router vrrp
Router1(config)# inter e 6
Router1(config-if-6)# ip address 192.53.5.1
Router1(config-if-6)# ip vrrp vrid 1
Router1(config-if-6-vrid-1)# owner
Router1(config-if-6-vrid-1)# ip-address 192.53.5.1
Router1(config-if-6-vrid-1)# activate

Configuring a Backup
Router2(config)# router vrrp
Router2(config)# inter e 5
Router2(config-if-5)# ip address 192.53.5.

Configuration rules for VRRPE
• The interfaces of all routers in a VRID must be in the same IP subnet.
• The IP address associated with the VRID cannot be configured on any of the Layer 3 Switches.
• The Hello interval must be set to the same value on all the Layer 3 Switches.
• The Dead interval must be set to the same value on all the Layer 3 Switches.
• The track priority for a VRID must be lower than the VRRPE priority.

Configuring additional VRRP and VRRPE parameters
• Backup Hello messages and message timer (Backup advertisement)
• Track port
• Track priority
• Backup preempt mode
• Timer scale
• VRRP-E slow start timer

For information about the fields, see the parameter descriptions in the following sections. Refer to “VRRP and VRRPE parameters” on page 720 for a summary of the parameters and their defaults.

Router type
A VRRP interface is either an Owner or a Backup for a given VRID. By default, the Owner becomes the Master following the negotiation. A Backup becomes the Master only if the Master becomes unavailable.

A VRRPE interface is always a Backup for its VRID. The Backup with the highest VRRP priority becomes the Master.

The priority parameter specifies the VRRP priority for this interface and VRID. You can specify a value from 3 – 254. The default is 100.

The track-priority parameter is the same as above.

NOTE
You cannot set the priority of a VRRP Owner. The Owner priority is always 255.

Dead interval
The Dead interval is the number of seconds a Backup waits for a Hello message from the Master before determining that the Master is dead. When Backups determine that the Master is dead, the Backup with the highest priority becomes the new Master. The Dead interval can be from 1 – 84 seconds. The default is 3.5 seconds. This is three times the default Hello interval (1 second) plus one-half second added by the router software.
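An added example, not code from the guide, that ties together three statements from this chapter: the virtual MAC is the RFC 2338 prefix 00-00-5e-00-01 with the VRID as its last octet, the Owner always has priority 255 and the highest priority wins the Master negotiation, and a Backup declares the Master dead when no Hello arrives within the Dead interval (default three times the 1-second Hello plus 0.5 s). The router names, addresses, priorities and timeline are constructed; breaking a priority tie on the higher IP address is an assumption taken from RFC 2338, not something the guide states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

VRRP_MAC_PREFIX = "00-00-5e-00-01"   # standard VRRP prefix (RFC 2338), as the guide states
DEFAULT_HELLO_SEC = 1.0              # default Hello interval from the guide
OWNER_PRIORITY = 255                 # guide: the Owner priority is always 255


def virtual_mac(vrid: int) -> str:
    """Virtual router MAC: the standard prefix plus the VRID as the final octet."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"{VRRP_MAC_PREFIX}-{vrid:02x}"


def default_dead_interval(hello_sec: float = DEFAULT_HELLO_SEC) -> float:
    """Three times the Hello interval plus the half second the software adds."""
    return 3 * hello_sec + 0.5


@dataclass
class VrrpRouter:
    name: str
    ip: str            # real interface address on the VRID subnet
    priority: int      # Backup: 3-254; forced to 255 for an Owner
    owner: bool = False

    def __post_init__(self):
        if self.owner:
            self.priority = OWNER_PRIORITY
        elif not 3 <= self.priority <= 254:
            raise ValueError("Backup priority must be 3-254")


def elect_master(routers: List[VrrpRouter]) -> VrrpRouter:
    """Highest priority becomes Master; tie broken by higher IP (assumption)."""
    return max(routers, key=lambda r: (r.priority, int(ipaddress.IPv4Address(r.ip))))


def master_is_dead(last_hello_sec: float, now_sec: float, dead_interval_sec: float) -> bool:
    """A Backup gives up on the Master once the Dead interval passes without a Hello."""
    return now_sec - last_hello_sec > dead_interval_sec


def current_master(routers: List[VrrpRouter], master: VrrpRouter,
                   last_hello_sec: float, now_sec: float,
                   hello_sec: float = DEFAULT_HELLO_SEC) -> VrrpRouter:
    """The existing Master while its Hellos are fresh; otherwise the highest-priority
    remaining router takes over."""
    if master_is_dead(last_hello_sec, now_sec, default_dead_interval(hello_sec)):
        return elect_master([r for r in routers if r is not master])
    return master


# Constructed VRID 1: Switch 1 owns 192.53.5.1 (the backed-up address), Switch 2 is a Backup.
SWITCH1 = VrrpRouter("Switch 1", "192.53.5.1", 0, owner=True)
SWITCH2 = VrrpRouter("Switch 2", "192.53.5.3", 100)
VRID1 = [SWITCH1, SWITCH2]

if __name__ == "__main__":
    print(virtual_mac(1))                                  # 00-00-5e-00-01-01
    print(elect_master(VRID1).name)                        # Switch 1 (Owner, priority 255)
    print(current_master(VRID1, SWITCH1, 0.0, 2.0).name)   # Switch 1 (Hello still fresh)
    print(current_master(VRID1, SWITCH1, 0.0, 3.6).name)   # Switch 2 (3.5 s Dead interval expired)
```

The last two calls show the failover window directly: with the default timers a Backup waits 3.5 seconds after the last Hello before taking over, which is why the timer scale and Dead interval settings in the following sections determine the failover time a host experiences.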
Syntax: track-port ethernet | ve

The syntax is the same for VRRP and VRRPE.

To disable preemption on a Backup, enter commands such as the following.

Router1(config)# inter e 6
Router1(config-if-6)# ip vrrp vrid 1
Router1(config-if-6-vrid-1)# non-preempt-mode

Syntax: non-preempt-mode

The syntax is the same for VRRP and VRRPE.

Changing the timer scale
To achieve sub-second failover times, you can shorten the duration of all scale timers for VSRP, VRRP, and VRRP-E by adjusting the timer scale.

VRRP-E slow start timer
In a VRRP-E configuration, if a Master router goes down, the Backup router with the highest priority takes over. When the Master comes back up again, it takes over from the Backup. By default, this transition from Backup back to Master takes place immediately.

When you press Enter, the software changes the priority of the Master to the specified priority. If the new priority is lower than at least one Backup priority for the same VRID, the Backup takes over and becomes the new Master until the next software reload or system reset.

To verify the change, enter the following command from any level of the CLI.

PowerConnect# show ip vrrp-extended brief
Total number of VRRP-Extended routers defined: 1
Interface  VRID  CurPri  P  State  Master addr  Backup addr  VIP
6          1     255     P  Init   192.53.5.2   192.53.5.3   192.53.5.254

Syntax: show ip vrrp brief | ethernet | ve | stat

Syntax: show ip vrrp-extended brief | ethernet | ve | stat

The brief parameter displays the summary information.

Displaying detailed information
To display detailed VRRP or VRRPE information, enter the following command at any level of the CLI.

PowerConnect# show ip vrrp
Total number of VRRP routers defined: 1
Interface ethernet 6
auth-type no authentication
VRID 1
state master
administrative-status enabled
mode owner
priority 255
current priority 255
hello-interval 10000 msec
advertise backup: disabled
track-port 4

This example is for a VRRP Owner.

PowerConnect# show ip vrrp-extended
Total number of VRRP-Extended routers defined: 1
Interface ethernet 6
auth-type no authentication
VRID 1
state master
administrative-status enabled
priority 200
current priority 200
hello-interval 10000 msec
dead-interval 30000 msec
current dead-interval 30000 msec
preempt-mode true
virtual ip address 192.53.5.254
advertise backup: enabled
master router 192.53.5.2 expires in 00:00:03.
TABLE 121 CLI display of VRRP or VRRPE detailed information (Continued)
This field...: state
Displays...: This Layer 3 Switch VRRP or VRRPE state for the VRID. The state can be one of the following:
• initialize – The VRID is not enabled (activated). If the state remains “initialize” after you activate the VRID, make sure that the VRID is also configured on the other routers and that the routers can communicate with each other.

TABLE 121 CLI display of VRRP or VRRPE detailed information (Continued)
This field...: preempt-mode
Displays...: Whether the backup preempt mode is enabled.
NOTE: This field does not apply to VRRP Owners.
This field...: virtual ip address
Displays...: The virtual IP addresses that this VRID is backing up.
This field...: advertise backup
Displays...: The IP addresses of Backups that have advertised themselves to this Layer 3 Switch by sending Hello messages.
NOTE: Hello messages from Backups are disabled by default.

PowerConnect# show ip vrrp vrid 1
VRID 1
Interface ethernet 11
state initialize
administrative-status disabled
mode non-owner(backup)incomplete
priority 12
current priority 12
track-priority 22
hello-interval 1 sec
dead-interval 0 sec
current dead-interval 3.900 sec
preempt-mode true
advertise backup: disabled

Syntax: show ip vrrp vrid [ethernet | ve ]

The parameter specifies the VRID.

Displaying statistics
To display statistics on most devices, enter a command such as the following at any level of the CLI.

TABLE 123 CLI display of VRRP or VRRPE statistics (Continued)
This field...: rxed vrrp vrid not found error count
Displays...: The number of VRRP or VRRPE packets received by the interface that contained a VRID that is not configured on this interface.
VRID statistics
This field...: rxed arp packet drop count
Displays...: The number of ARP packets addressed to the VRID that were dropped.
This field...: rxed ip packet drop count
Displays...: The number of IP packets addressed to the VRID that were dropped.

PowerConnect# show process cpu
Process Name  5Sec(%)  1Min(%)  5Min(%)  15Min(%)
ARP           0.01     0.03     0.09     0.22
BGP           0.04     0.06     0.08     0.14
GVRP          0.00     0.00     0.00     0.00
ICMP          0.00     0.00     0.00     0.00
IP            0.00     0.00     0.00     0.00
OSPF          0.00     0.00     0.00     0.00
RIP           0.00     0.00     0.00     0.00
STP           0.00     0.00     0.00     0.00
VRRP          0.03     0.07     0.09     0.
Configuration examples
The following sections contain the CLI commands for implementing the VRRP and VRRPE configurations shown in Figure 113 on page 713 and Figure 114 on page 718.

VRRP example
To implement the VRRP configuration shown in Figure 113 on page 713, use the following method.

Configuring Router1
To configure VRRP Router1, enter the following commands.

Router1(config)# router vrrp
Router1(config)# inter e 6
Router1(config-if-6)# ip address 192.53.5.

NOTE
When you configure a Backup router, the router interface on which you are configuring the VRID must have a real IP address that is in the same subnet as the address associated with the VRID by the Owner. However, the address cannot be the same.

The priority parameter establishes the router VRRP priority in relation to the other VRRP routers in this virtual router.

Configuring Router2
To configure Router2, enter the following commands.

Router1(config)# router vrrp-extended
Router1(config)# interface ethernet 5
Router1(config-if-5)# ip address 192.53.5.3/24
Router1(config-if-5)# ip vrrp-extended vrid 1
Router1(config-if-5-vrid-1)# backup priority 100 track-priority 20
Router1(config-if-5-vrid-1)# track-port ethernet 2
Router1(config-if-5-vrid-1)# ip-address 192.53.5.
Chapter 25 Configuring BGP4

This chapter provides details on how to configure Border Gateway Protocol version 4 (BGP4) using the CLI. BGP4 is described in RFC 1771. The Dell implementation fully complies with RFC 1771.

Overview of BGP4
Figure 115 on page 746 shows a simple example of two BGP4 ASs. Each AS contains three BGP4 switches. All of the BGP4 switches within an AS communicate using IBGP. BGP4 switches communicate with other ASs using EBGP. Notice that each of the switches also is running an Interior Gateway Protocol (IGP). The switches in AS1 are running OSPF and the switches in AS2 are running RIP. Layer 3 Switches can be configured to redistribute routes among BGP4, RIP, and OSPF.

• AS-path – A list of the other ASs through which a route passes. BGP4 routers can use the AS-path to detect and eliminate routing loops. For example, if a route received by a BGP4 router contains the AS that the router is in, the router does not add the route to its own BGP4 table. (The BGP4 RFCs refer to the AS-path as “AS_PATH”.)
• Additional path attributes – A list of additional parameters that describe the route.

7. If the routes have the same origin type, prefer the route with the lowest MED. For a definition of MED, refer to “Configuring the Layer 3 Switch to always compare Multi-Exit Discriminators (MEDs)” on page 779. BGP4 compares the MEDs of two otherwise equivalent paths if and only if the routes were learned from the same neighboring AS. This behavior is called deterministic MED. Deterministic MED is always enabled and cannot be disabled.
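An added example, not code from the guide, covering the two rules stated above: AS-path loop detection (a received route whose AS-path already contains the local AS is not added to the BGP4 table) and deterministic MED (MEDs are compared only between routes learned from the same neighboring AS, lowest wins). Only that one step of the path-selection order is modelled; the other steps are not on this page. Treating a missing MED as 0 is an assumption (the RFC 4271 default); the AS numbers, prefixes and MED values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Bgp4Route:
    prefix: str
    as_path: List[int]          # leftmost AS is the neighboring AS the route was learned from
    med: Optional[int] = None   # Multi-Exit Discriminator, if the UPDATE carried one


def loop_free(local_as: int, route: Bgp4Route) -> bool:
    """AS-path loop detection: our own AS in the path means the route looped back."""
    return local_as not in route.as_path


def accept_routes(local_as: int, received: List[Bgp4Route]) -> List[Bgp4Route]:
    """Routes that survive loop detection and may enter the BGP4 table."""
    return [r for r in received if loop_free(local_as, r)]


def neighbor_as(route: Bgp4Route) -> int:
    if not route.as_path:
        raise ValueError("empty AS-path")
    return route.as_path[0]


def effective_med(route: Bgp4Route) -> int:
    # Assumption: a route without a MED is compared as MED 0.
    return 0 if route.med is None else route.med


def prefer_by_med(a: Bgp4Route, b: Bgp4Route) -> Optional[Bgp4Route]:
    """Deterministic MED: compare MEDs only when both routes came from the same
    neighboring AS; the lower MED is preferred. None means MED does not decide."""
    if neighbor_as(a) != neighbor_as(b):
        return None
    if effective_med(a) == effective_med(b):
        return None
    return a if effective_med(a) < effective_med(b) else b


# Constructed UPDATE contents as seen by a router in AS 1.
LOCAL_AS = 1
RECEIVED = [
    Bgp4Route("10.10.0.0/16", [2, 3], med=50),      # via neighbor AS 2
    Bgp4Route("10.10.0.0/16", [2, 4], med=20),      # via neighbor AS 2, lower MED
    Bgp4Route("10.10.0.0/16", [5, 6], med=10),      # via neighbor AS 5: MED not comparable
    Bgp4Route("10.20.0.0/16", [2, 3, 1]),           # loops back through AS 1: discarded
]

if __name__ == "__main__":
    kept = accept_routes(LOCAL_AS, RECEIVED)
    print("accepted:", [r.as_path for r in kept])
    print("MED decides between AS-2 paths:", prefer_by_med(kept[0], kept[1]).as_path)
    print("MED between AS-2 and AS-5 paths:", prefer_by_med(kept[0], kept[2]))
```

The third comparison returns None even though the AS-5 path carries the lowest MED of all: because the routes were learned from different neighboring ASs, deterministic MED leaves the decision to the later steps of the selection order.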
Overview of BGP4 25 OPEN message After a BGP4 router establishes a TCP connection with a neighboring BGP4 router, the routers exchange OPEN messages. An OPEN message indicates the following: • BGP version – Indicates the version of the protocol that is in use on the router. BGP version 4 supports Classless Interdomain Routing (CIDR) and is the version most widely used in the Internet. Version 4 also is the only version supported on Layer 3 Switches.
Basic configuration and activation for BGP4

• Unreachable routes – A list of routes that have been in the sending router's BGP4 table but are no longer feasible. The UPDATE message lists unreachable routes in the same format as new routes.

KEEPALIVE message

BGP4 routers do not regularly exchange UPDATE messages to maintain the BGP4 sessions.
BGP4 parameters

NOTE
By default, the router ID is the IP address configured on the lowest numbered loopback interface. If the Layer 3 Switch does not have a loopback interface, the default router ID is the lowest numbered IP interface address configured on the device. For more information or to change the router ID, refer to “Changing the router ID” on page 584. If you change the router ID, all current BGP4 sessions are cleared.

• Required – Identify BGP4 neighbors.
• Optional – Change the default local preference for routes.
• Optional – Require the first AS in an Update from an EBGP neighbor to be the neighbor AS.
• Optional – Change the Keep Alive Time and Hold Time.
• Optional – Change the update timer for route changes.
• Optional – Enable fast external fallover.

Immediately

The following parameter changes take effect immediately:
• Enable or disable BGP.
• Enable or disable use of a default route to resolve a BGP4 next-hop route.
• Set or change the local AS.
• Add neighbors.
• Change the update timer for route changes.
• Disable or enable fast external fallover.
• Specify individual networks that can be advertised.

After disabling and re-enabling redistribution

The following parameter change takes effect only after you disable and then re-enable redistribution:
• Change the default MED (metric).

Memory considerations

BGP4 handles a very large number of routes and therefore requires a lot of memory. For example, in a typical configuration with just a single BGP4 neighbor, a BGP4 router may need to be able to hold up to 80,000 routes.
Basic configuration tasks

The following sections describe how to perform the configuration tasks that are required to use BGP4 on the Layer 3 Switch. You can modify many parameters in addition to the ones described in this section. Refer to “Optional configuration tasks” on page 767.

Enabling BGP4 on the router

When you enable BGP4 on the router, BGP4 is automatically activated. To enable BGP4 on the router, enter the following commands.

Setting the local AS number

The local AS number identifies the AS the BGP4 router is in. The AS number can be from 1 – 65535. There is no default. AS numbers 64512 – 65535 are the well-known private BGP4 AS numbers and are not advertised to the Internet community. To set the local AS number, enter commands such as the following.

PowerConnect(config)# router bgp
BGP4: Please configure 'local-as' parameter in order to enable BGP4.
NOTE
If the Layer 3 Switch has multiple neighbors with similar attributes, you can simplify configuration by configuring a peer group, then adding individual neighbors to it. The configuration steps are similar, except you specify a peer group name instead of a neighbor IP address when configuring the neighbor parameters, then add individual neighbors to the peer group. Refer to “Adding a BGP4 peer group” on page 763.

NOTE
The Layer 3 Switch applies the advertisement interval only under certain conditions. The Layer 3 Switch does not apply the advertisement interval when sending initial updates to a BGP4 neighbor. As a result, the Layer 3 Switch sends the updates one immediately after another, without waiting for the advertisement interval.

capability orf prefixlist [send | receive] configures cooperative router filtering.

filter-list in | out specifies an AS-path filter list or a list of AS-path ACLs. The in | out keyword specifies whether the list is applied on updates received from the neighbor or sent to the neighbor. If you specify in or out, the parameter specifies the list of AS-path filters. The router applies the filters in the order in which you list them and stops applying the filters in the AS-path filter list when a match is found.

NOTE
If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior. If you specify encryption option 1, the software assumes that you are entering the encrypted form of the password or authentication string.

messages from a neighbor without concluding that the neighbor is dead. The defaults for these parameters are the currently configured global Keep Alive Time and Hold Time. For more information about these parameters, refer to “Changing the Keep Alive Time and Hold Time” on page 767.

unsuppress-map removes route dampening from a neighbor's routes when those routes have been dampened due to aggregation.
PowerConnect# show ip bgp config
Current BGP configuration:
router bgp
 local-as 2
 neighbor xyz peer-group
 neighbor xyz password 1 $!2d
 neighbor 10.10.200.102 peer-group xyz
 neighbor 10.10.200.102 remote-as 1
 neighbor 10.10.200.102 password 1 $on-o

Notice that the software has converted the commands that specify an authentication string into the new syntax (described below), and has encrypted display of the authentication strings.
The enable password-display command enables display of the authentication string, but only in the output of the show ip bgp neighbors command. Display of the string is still encrypted in the startup-config file and running-config. Enter the command at the global CONFIG level of the CLI.

NOTE
The command also displays SNMP community strings in clear text, in the output of the show snmp server command.

NOTE
If you enter a command to remove the remote AS parameter from a peer group, the software checks to ensure that the peer group does not contain any neighbors. If the peer group does contain neighbors, the software does not allow you to remove the remote AS. The software prevents removing the remote AS in this case so that the neighbors in the peer group that are using the remote AS do not lose connectivity to the Layer 3 Switch.

• If you add a parameter to a peer group that already contains neighbors, the parameter value is applied to neighbors that do not already have the parameter explicitly set. If a neighbor has the parameter explicitly set, the explicitly set value overrides the value you set for the peer group.
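The peer-group inheritance rule above (an explicit neighbor setting wins, otherwise the neighbor takes the peer group's value) is exactly what an auditor has to apply when checking that every BGP4 neighbor actually ends up with an authentication string. The following Python script is an added example, not part of this guide or of the Dell software; it parses a captured show ip bgp config listing (the sample below is constructed from the listings shown in this chapter) and reports neighbors whose effective configuration has no password, resolving inheritance through the peer group.

```python
"""Audit a 'show ip bgp config' capture for BGP4 neighbors that have no
authentication string once peer-group inheritance is applied.
Added example; not device code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the show ip bgp config listings in this chapter.
SAMPLE_CONFIG = """\
Current BGP configuration:
router bgp
 local-as 2
 neighbor xyz peer-group
 neighbor xyz password 1 $!2d
 neighbor 10.10.200.102 peer-group xyz
 neighbor 10.10.200.102 remote-as 1
 neighbor 10.10.200.102 password 1 $on-o
 neighbor pg1 peer-group
 neighbor pg1 remote-as 65001
 neighbor pg1 description "PowerConnect group 1"
 neighbor 192.169.100.1 peer-group pg1
 neighbor 192.169.101.1 peer-group pg1
 neighbor 192.169.201.1 remote-as 65101
 neighbor 192.169.201.1 password 1 $abc
"""


@dataclass
class Peer:
    name: str
    is_group: bool = False                 # declared with "neighbor <name> peer-group"
    group: Optional[str] = None            # peer group this neighbor belongs to
    settings: Dict[str, str] = field(default_factory=dict)


def parse_bgp_config(text: str) -> Dict[str, Peer]:
    """Collect every 'neighbor <name> <keyword> [value]' line into Peer records."""
    peers: Dict[str, Peer] = {}
    pat = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        name, keyword, rest = m.group(1), m.group(2), (m.group(3) or "").strip()
        peer = peers.setdefault(name, Peer(name))
        if keyword == "peer-group" and not rest:
            peer.is_group = True           # "neighbor xyz peer-group" declares a group
        elif keyword == "peer-group":
            peer.group = rest              # "neighbor A peer-group xyz" joins a group
        else:
            peer.settings[keyword] = rest
    return peers


def effective(peers: Dict[str, Peer], peer: Peer, key: str) -> Optional[str]:
    """Explicit neighbor value overrides the group; otherwise inherit from the group."""
    if key in peer.settings:
        return peer.settings[key]
    if peer.group and peer.group in peers:
        return peers[peer.group].settings.get(key)
    return None


def unauthenticated_neighbors(text: str) -> List[str]:
    """Neighbors (not groups) whose effective configuration has no password."""
    peers = parse_bgp_config(text)
    return sorted(p.name for p in peers.values()
                  if not p.is_group and effective(peers, p, "password") is None)


def effective_remote_as(text: str, neighbor: str) -> Optional[str]:
    peers = parse_bgp_config(text)
    return effective(peers, peers[neighbor], "remote-as")


if __name__ == "__main__":
    for n in unauthenticated_neighbors(SAMPLE_CONFIG):
        print(f"WARNING: neighbor {n} has no authentication string")
```

In the sample, the two pg1 members inherit a remote AS but no password from their group, so they are reported; 10.10.200.102 is covered by its own password and 192.169.201.1 by its explicit one.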
[send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive hold-time ] [update-source loopback ] [weight ]

The | parameter indicates whether you are configuring a peer group or an individual neighbor. You can specify a peer group name or IP address with the neighbor command. If you specify a peer group name, you are configuring a peer group.
Optional configuration tasks

NOTE
The software also contains an option to end the session with a BGP4 neighbor and thus clear the routes learned from the neighbor. Unlike this clear option, the option for shutting down the neighbor can be saved in the startup-config file and thus can prevent the Layer 3 Switch from establishing a BGP4 session with the neighbor even after reloading the software.

For each keyword, the value indicates the number of seconds. The Keep Alive Time can be 0 – 65535. The Hold Time can be 0 or 3 – 65535 (1 and 2 are not allowed). If you set the Hold Time to 0, the router waits indefinitely for messages from a neighbor without concluding that the neighbor is dead.

Changing the BGP4 next-hop update timer

By default, the Layer 3 Switch updates its BGP4 next-hop tables and affected BGP4 routes five seconds after IGP route changes.
Changing the maximum number of paths for BGP4 load sharing

Load sharing enables the Layer 3 Switch to balance traffic to a route across multiple equal-cost paths of the same type (EBGP or IBGP) for the route. To configure the Layer 3 Switch to perform BGP4 load sharing:
• Enable IP load sharing if it is disabled.
• Set the maximum number of paths.
The default maximum number of BGP4 load sharing paths is 1, which means no BGP4 load sharing takes place by default.

If an IGP path used by a BGP4 next-hop route path installed in the IP route table changes, then the BGP4 paths and IP paths are adjusted accordingly. For example, if one of the OSPF paths to reach the BGP4 next hop goes down, the software removes this path from the BGP4 route table and the IP route table.

• multi-as – Load sharing is enabled for paths from different ASs.
By default, load sharing applies to EBGP and IBGP paths, and does not apply to paths from different neighboring ASs.

Specifying a list of networks to advertise

By default, the router sends BGP4 routes only for the networks you identify using the network command or that are redistributed into BGP4 from RIP or OSPF. You can specify up to 600 networks.

To configure a route map, and use it to set or change route attributes for a network you define for BGP4 to advertise, enter commands such as the following.

PowerConnect(config)# route-map set_net permit 1
PowerConnect(config-routemap set_net)# set community no-export
PowerConnect(config-routemap set_net)# exit
PowerConnect(config)# router bgp
PowerConnect(config-bgp-router)# network 100.100.1.

Using the IP default route as a valid next hop for a BGP4 route

By default, the Layer 3 Switch does not use a default route to resolve a BGP4 next-hop route. If the IP route lookup for the BGP4 next hop does not result in a valid IGP route (including static or direct routes), the BGP4 next hop is considered to be unreachable and the BGP4 route is not used.

Enabling next-hop recursion

For each BGP4 route a Layer 3 Switch learns, the Layer 3 Switch performs a route lookup to obtain the IP address of the route's next hop. A BGP4 route becomes eligible for installation into the IP route table only if the following conditions are true:
• The lookup succeeds in obtaining a valid next-hop IP address for the route.
• The path to the next-hop IP address is an Interior Gateway Protocol (IGP) path or a static route path.
PowerConnect# show ip bgp route
Total number of BGP Routes: 5
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix          Next Hop    Metric  LocPrf  Weight
1   0.0.0.0/0       10.1.0.2    0       100     0
    AS_PATH: 65001 4355 701 80
2   102.0.0.0/24    10.0.0.1    1       100     0
    AS_PATH: 65001 4355 1
3   104.0.0.0/24    10.1.0.2    0       100     0
    AS_PATH: 65001 4355 701 1 189
4   240.0.0.0/24    102.0.0.1   1       100     0
    AS_PATH: 65001 4355 3356 7170 1455
5   250.0.0.0/24    209.

PowerConnect# show ip bgp route
Total number of BGP Routes: 5
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix          Next Hop    Metric  LocPrf
1   0.0.0.0/0       10.1.0.2    0       100
    AS_PATH: 65001 4355 701 80
2   102.0.0.0/24    10.0.0.1    1       100
    AS_PATH: 65001 4355 1
3   104.0.0.0/24    10.1.0.2    0       100
    AS_PATH: 65001 4355 701 1 189
4   240.0.0.0/24    102.0.0.1   1       100
    AS_PATH: 65001 4355 3356 7170 1455
5   250.0.0.0/24    209.157.24.

This Layer 3 Switch can use this route because the Layer 3 Switch has an IP route to the next-hop gateway. Without recursive next-hop lookups, this route would not be in the IP route table.

Enabling recursive next-hop lookups

The recursive next-hop lookups feature is disabled by default. To enable recursive next-hop lookups, enter the following command at the BGP configuration level of the CLI.
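The next-hop rules from the last few sections (longest-prefix lookup, only IGP, static or direct paths count, the default route is excluded unless explicitly allowed, and recursion through another BGP route only when the feature is enabled) can be traced with a small resolver. The following Python is an added example, not device code; its route table is constructed to mirror the listing above, where 240.0.0.0/24 points at next hop 102.0.0.1, which is itself only reachable through the BGP route 102.0.0.0/24.

```python
"""Resolve a BGP4 next hop against an IP route table following the rules
in this chapter. Added example; not device code."""
import ipaddress
from typing import Optional

# Constructed IP route table: (prefix, gateway or None if directly connected, protocol).
ROUTE_TABLE = [
    ("0.0.0.0/0",     "10.1.0.2", "static"),
    ("10.0.0.0/24",   None,       "direct"),
    ("10.1.0.0/24",   None,       "direct"),
    ("102.0.0.0/24",  "10.0.0.1", "bgp"),     # learned via BGP: usable only with recursion
    ("172.16.0.0/16", "10.0.0.9", "ospf"),
]

# Path types the chapter accepts for a BGP4 next hop (IGP, static, direct).
IGP_LIKE = {"ospf", "rip", "static", "direct"}


def longest_match(table, addr: str, use_default: bool):
    """Longest-prefix match; the default route is a candidate only if allowed."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, gw, proto in table:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not use_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, proto)
    return best


def resolve_next_hop(table, next_hop: str, *, recursive: bool = False,
                     use_default: bool = False, max_depth: int = 8) -> Optional[str]:
    """Return the IGP/static gateway (or 'connected') the BGP next hop resolves
    to, or None when the BGP route must be treated as unreachable."""
    current = next_hop
    for _ in range(max_depth):              # bound the recursion depth
        entry = longest_match(table, current, use_default)
        if entry is None:
            return None
        _net, gw, proto = entry
        if proto in IGP_LIKE:
            return gw if gw is not None else "connected"
        if proto == "bgp" and recursive and gw is not None:
            current = gw                    # recurse through the BGP route's own next hop
            continue
        return None
    return None
```

With recursion off, 102.0.0.1 resolves to nothing and the 240.0.0.0/24 route stays out of the IP route table; with recursion on it resolves through 10.0.0.1 on the directly connected 10.0.0.0/24. An address covered only by 0.0.0.0/0 is unreachable until the default-route option is enabled.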
Lower administrative distances are preferred over higher distances. For example, if the router receives routes for the same network from OSPF and from RIP, the router will prefer the OSPF route by default. The administrative distances are configured in different places in the software.

This command disables comparison of the AS-Path lengths of otherwise equal paths. When you disable AS-Path length comparison, the BGP4 algorithm shown in “How BGP4 selects a path for a route” on page 747 skips from Step 4 to Step 6.

Syntax: [no] as-path-ignore

Enabling or disabling comparison of the router IDs

Router ID comparison is Step 10 in the algorithm BGP4 uses to select the next path for a route.

You can enable the Layer 3 Switch to always compare the MEDs, regardless of the AS information in the paths. For example, if the router receives UPDATES for the same route from neighbors in three ASs, the router would compare the MEDs of all the paths together, rather than comparing the MEDs for the paths in each AS individually.

NOTE
By default, value 0 (most favorable) is used in MED comparison when the MED attribute is not present.
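The selection steps this chapter names (AS-path loop rejection, Step 4 AS-path length and the as-path-ignore skip, Step 7 MED with deterministic MED versus always-compare, missing MED counted as 0, Step 10 router ID) are easier to reason about as code. The following Python is an added example, not the device's algorithm: it implements only those steps plus the weight and local-preference columns shown in the route listings, in that order, and omits the intermediate steps the page does not describe. All path data is constructed.

```python
"""Simplified BGP4 best-path selection covering the steps named in this
chapter. Added example; not the device's full algorithm."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred


@dataclass
class Path:
    next_hop: str
    router_id: str              # router ID of the neighbor that sent the path
    as_path: List[int]
    origin: str = "igp"
    med: Optional[int] = None   # None = attribute absent
    local_pref: int = 100
    weight: int = 0

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def has_as_loop(path: Path, local_as: int) -> bool:
    """A route whose AS-path already contains the local AS is a loop and is
    not added to the BGP4 table."""
    return local_as in path.as_path


def better(a: Path, b: Path, *, as_path_ignore: bool, compare_med: bool) -> Path:
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if not as_path_ignore and len(a.as_path) != len(b.as_path):   # Step 4
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    if compare_med:                                               # Step 7
        med_a, med_b = (a.med or 0), (b.med or 0)   # absent MED counts as 0
        if med_a != med_b:
            return a if med_a < med_b else b
    rid_a = int(ipaddress.ip_address(a.router_id))                # Step 10
    rid_b = int(ipaddress.ip_address(b.router_id))
    return a if rid_a <= rid_b else b


def select_best(paths: List[Path], local_as: int, *, as_path_ignore: bool = False,
                always_compare_med: bool = False) -> Optional[Path]:
    candidates = [p for p in paths if not has_as_loop(p, local_as)]
    if not candidates:
        return None

    def pick(group: List[Path], compare_med: bool) -> Path:
        best = group[0]
        for p in group[1:]:
            best = better(best, p, as_path_ignore=as_path_ignore, compare_med=compare_med)
        return best

    if always_compare_med:
        return pick(candidates, True)
    # Deterministic MED: MED is comparable only between paths from the same
    # neighboring AS, so choose a winner per AS first, then compare the
    # winners without MED.
    groups: Dict[Optional[int], List[Path]] = {}
    for p in candidates:
        groups.setdefault(p.neighbor_as, []).append(p)
    winners = [pick(g, True) for g in groups.values()]
    return pick(winners, False)
```

The test cases below show the two behaviours the text distinguishes: with three paths from two neighboring ASs, deterministic MED lets the router-ID tie-breaker decide between per-AS winners, while always-compare-med picks the globally lowest MED.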
• A cluster is a group of IGP routers organized into route reflectors and route reflector clients. You configure the cluster by assigning a cluster ID on the route reflector and identifying the IGP neighbors that are members of that cluster. All the configuration for route reflection takes place on the route reflectors. The clients are unaware that they are members of a route reflection cluster. All members of the cluster must be in the same AS.

AS1 contains a cluster with two route reflectors and two clients. The route reflectors are fully meshed with other BGP4 routers, but the clients are not fully meshed. They rely on the route reflectors to propagate BGP4 route updates.

FIGURE 116 Example of a route reflector configuration
(Figure: AS 1 contains Cluster 1 with Route Reflector 1, Route Reflector 2, Route Reflector Client 1 and Route Reflector Client 2 connected by IBGP; an EBGP link leads to a switch in AS 2; client networks 10.0.1.0 and 10.0.2.)

• The Layer 3 Switch adds the attributes only if it is a route reflector, and only when advertising IBGP route information to other IBGP neighbors. The attributes are not used when communicating with EBGP neighbors.
• A Layer 3 Switch configured as a route reflector sets the ORIGINATOR_ID attribute to the router ID of the router that originated the route.

By default, the clients of a route reflector are not required to be fully meshed; the routes from a client are reflected to other clients. However, if the clients are fully meshed, route reflection is not required between clients. If you need to disable route reflection between clients, enter the following command. When the feature is disabled, route reflection does not occur between clients but reflection does still occur between clients and non-clients.
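Route reflection as described above, as an added Python example (not device code): a reflector adds ORIGINATOR_ID (set to the originating router's ID) only when reflecting IBGP information to IBGP neighbors, never towards EBGP, and client-to-client reflection can be switched off while client-to-non-client reflection continues. The CLUSTER_LIST check and the exact client/non-client propagation rules follow the standard route reflection specification (RFC 4456) and go beyond what the page states; the peer layout is constructed to match Figure 116.

```python
"""Route reflector propagation and loop prevention. Added example; the
CLUSTER_LIST handling follows RFC 4456 and is not described on this page."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str
    originator_id: Optional[str] = None
    cluster_list: List[str] = field(default_factory=list)


@dataclass
class Reflector:
    router_id: str
    cluster_id: str
    peers: Dict[str, str]            # peer router ID -> "client" | "nonclient" | "ebgp"
    client_to_client: bool = True    # the default; can be disabled per this chapter

    def accept(self, route: Route) -> bool:
        """Loop prevention: drop a route that originated here or has already
        been reflected through this cluster."""
        if route.originator_id == self.router_id:
            return False
        if self.cluster_id in route.cluster_list:
            return False
        return True

    def reflect(self, route: Route, from_peer: str) -> Dict[str, Route]:
        """Return {peer_id: route_to_send} for a route learned from from_peer."""
        if not self.accept(route):
            return {}
        src = self.peers[from_peer]
        out: Dict[str, Route] = {}
        for peer, kind in self.peers.items():
            if peer == from_peer:
                continue
            if kind == "ebgp" or src == "ebgp":
                # Not a reflection of IBGP information: sent unchanged, no
                # ORIGINATOR_ID or CLUSTER_LIST added.
                out[peer] = route
                continue
            if src == "nonclient" and kind == "nonclient":
                continue        # non-clients are fully meshed; nothing to reflect
            if src == "client" and kind == "client" and not self.client_to_client:
                continue        # client-to-client reflection disabled
            out[peer] = Route(
                prefix=route.prefix,
                originator_id=route.originator_id or from_peer,   # originator's router ID
                cluster_list=[self.cluster_id] + route.cluster_list,
            )
        return out


# Constructed layout after Figure 116: one reflector, two clients, one
# non-client IBGP peer in AS 1 and one EBGP peer in AS 2.
RR1 = Reflector(
    router_id="10.0.0.1", cluster_id="1",
    peers={"10.0.1.1": "client", "10.0.2.1": "client",
           "10.0.3.1": "nonclient", "192.0.2.1": "ebgp"},
)
```

A route from Client 1 reaches Client 2, the non-client and the EBGP peer; only the two IBGP copies carry ORIGINATOR_ID and the cluster ID. With client-to-client reflection disabled, Client 2 no longer receives it, but the non-client still does.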
Modifying redistribution parameters

The advertise-map parameter configures the router to advertise the more specific routes in the specified route map. The attribute-map parameter configures the router to set attributes for the aggregate routes based on the specified route map.

NOTE
For the suppress-map, advertise-map, and attribute-map parameters, the route map must already be defined. Refer to “Defining route maps” on page 797 for information on defining a route map.

The connected parameter indicates that you are redistributing routes to directly attached devices into BGP4. The metric parameter changes the metric. You can specify a value from 0 – 4294967295. The default is 0. The route-map parameter specifies a route map to be consulted before adding the RIP route to the BGP4 route table.

NOTE
The route map you specify must already be configured on the switch.

The route-map parameter specifies a route map to be consulted before adding the OSPF route to the BGP4 route table.

NOTE
The route map you specify must already be configured on the switch. Refer to “Defining route maps” on page 797 for information about defining route maps.

Filtering

Redistributing IBGP routes into RIP and OSPF

By default, the Layer 3 Switch does not redistribute IBGP routes from BGP4 into RIP or OSPF. This behavior helps eliminate routing loops. However, if your network can benefit from redistributing the IBGP routes from BGP4 into OSPF or RIP, you can enable the Layer 3 Switch to redistribute the routes. To do so, use the following CLI method. To enable the Layer 3 Switch to redistribute BGP4 routes into OSPF and RIP, enter the following command.
NOTE
If the filter is referred to by a route map match statement, the filter is applied in the order in which the filter is listed in the match statement.

NOTE
You also can filter on IP addresses by using IP ACLs.

To define an IP address filter to deny routes to 209.157.0.0, enter the following command.

PowerConnect(config-bgp-router)# address-filter 1 deny 209.157.0.0 255.255.0.

Filtering AS-paths

You can filter updates received from BGP4 neighbors based on the contents of the AS-path list accompanying the updates. For example, if you want to deny routes that have the AS 4.3.2.1 in the AS-path from entering the BGP4 route table, you can define a filter to deny such routes.

The ip as-path command configures an AS-path ACL that permits routes containing AS number 100 in their AS paths. The neighbor command then applies the AS-path ACL to advertisements and updates received from neighbor 10.10.10.1. In this example, the only routes the Layer 3 Switch permits from neighbor 10.10.10.1 are those whose AS-paths contain AS-path number 100.

TABLE 124 BGP4 special characters for regular expressions
Character   Operation
.           The period matches on any single character, including a blank space. For example, the following regular expression matches for “aa”, “ab”, “ac”, and so on, but not just “a”: a.
*           The asterisk matches on zero or more sequences of a pattern.

TABLE 124 BGP4 special characters for regular expressions (Continued)
Character   Operation
|           A vertical bar (sometimes called a pipe or a “logical or”) separates two alternative values or sets of values. The AS-path can match one or the other value. For example, the following regular expression matches on an AS-path that contains either “abc” or “defg”: (abc)|(defg)
            NOTE: The parentheses group multiple characters to be treated as one value.
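AS-path filtering with the regular-expression operators in Table 124, as an added Python example (not device code): an ordered permit/deny list is applied to the AS-path string and the first matching entry decides, as the chapter says of AS-path filter lists. The pattern ^65001$ comes from the sample configuration later in this chapter; the other filter entries and the sample AS-paths are constructed, and the word-boundary anchor \b is how Python's re module expresses "AS number as a whole token", so that 100 is not matched inside 1001. A helper also flags the private AS range 64512 – 65535 mentioned under "Setting the local AS number".

```python
"""Ordered AS-path filter list using regular expressions, plus a check for
private AS numbers in a path. Added example; not device code."""
import re
from typing import List, Optional, Sequence, Tuple

PRIVATE_AS_RANGE = range(64512, 65536)   # well-known private BGP4 AS numbers


def as_path_text(as_path: Sequence[int]) -> str:
    """Render an AS-path as the space-separated string the filters match on."""
    return " ".join(str(asn) for asn in as_path)


def first_match(as_path: Sequence[int], filters: List[Tuple[str, str]]) -> Optional[str]:
    """filters: [(action, regex), ...] in configured order. Returns the action
    of the first matching entry, or None when no entry matches."""
    text = as_path_text(as_path)
    for action, pattern in filters:
        if re.search(pattern, text):
            return action
    return None


def apply_filter_list(as_path: Sequence[int], filters: List[Tuple[str, str]],
                      default: str = "deny") -> bool:
    """True if the route is permitted; an unmatched path gets the default."""
    return (first_match(as_path, filters) or default) == "permit"


def contains_private_as(as_path: Sequence[int]) -> bool:
    return any(asn in PRIVATE_AS_RANGE for asn in as_path)


# Constructed filter list (first match wins):
FILTERS = [
    ("permit", r"^65001$"),           # routes originated directly by AS 65001 (from this chapter)
    ("deny",   r"\b100\b"),           # anything that traversed AS 100, but not e.g. AS 1001
    ("permit", r"^(65001|65002)\b"),  # alternation: paths entering via AS 65001 or 65002
]
```

Paths that no entry matches fall through to the list's default, which is deny here; an operator who wants the opposite behaviour must say so explicitly.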
Defining a community filter

To define filter 3 to permit routes that have the NO_ADVERTISE community, enter the following command.

PowerConnect(config-bgp-router)# community-filter 3 permit no-advertise

Syntax: community-filter permit | deny : | internet | local-as | no-advertise | no-export

The parameter identifies the filter position in the community filter list and can be from 1 – 100. Thus, the community filter list can contain up to 100 filters.

Syntax: ip community-list standard [seq ] deny | permit
Syntax: ip community-list extended [seq ] deny | permit |

The parameter specifies the ACL name. (If you enter a number, the CLI interprets the number as a text string.) The standard or extended parameter specifies whether you are configuring a standard community ACL or an extended one.

These commands configure an IP prefix list named Routesfor20, which permits routes to network 20.20.0.0/24. The neighbor command configures the Layer 3 Switch to use IP prefix list Routesfor20 to determine which routes to send to neighbor 10.10.10.1. The Layer 3 Switch sends routes that go to 20.20.x.x to neighbor 10.10.10.1 because the IP prefix list explicitly permits these routes to be sent to the neighbor.

The parameter specifies the name or number of a standard, extended, or named ACL. The in | out parameter specifies whether the distribute list applies to inbound or outbound routes:
• in – controls the routes the Layer 3 Switch will accept from the neighbor.
• out – controls the routes sent to the neighbor.

NOTE
The command syntax shown above is new.

• A community ACL
• An IP prefix list
• An IP ACL
For routes that match all of the match statements, the route map set statements can perform one or more of the following modifications to the route attributes:
• Prepend AS numbers to the front of the route's AS-path. By adding AS numbers to the AS-path, you can cause the route to be less preferred when compared to other routes on the basis of the length of the AS-path.

To delete a route map, enter a command such as the following. When you delete a route map, all the permit and deny entries in the route map are deleted.

PowerConnect(config)# no route-map Map1

This command deletes a route map named “Map1”. All entries in the route map are deleted. To delete a specific instance of a route map without deleting the rest of the route map, enter a command such as the following.

The ip address | next-hop | prefix-list parameter specifies an ACL or IP prefix list. Use this parameter to match based on the destination network or next-hop gateway. To configure an IP ACL for use with this command, use the ip access-list command. Refer to “ACL overview” on page 361. To configure an IP prefix list, use the ip prefix-list command. Refer to “Defining IP prefix lists” on page 795.

PowerConnect(config)# route-map NetMap permit 1
PowerConnect(config-routemap NetMap)# match ip address 1

Syntax: match ip address
Syntax: match ip address prefix-list

The parameter with the first command specifies an IP ACL and can be a number from 1 – 199 or the ACL name if it is a named ACL. To configure an IP ACL, use the ip access-list or access-list command. Refer to Chapter 13, “Configuring Rule-Based IP Access Control Lists”.

Matching on routes containing a specific set of communities

Device software enables you to match routes based on the presence of a community name or number in a route, and to match when a route contains exactly the set of communities you specify. To match based on a set of communities, configure a community ACL that lists the communities, then compare routes against the ACL. Here is an example.
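The route-map machinery described over the last sections (ordered permit/deny instances, match statements on an IP prefix list or on an exact set of communities, set statements that prepend AS numbers or add the no-export community) can be modelled end to end. The following Python is an added example, not device code: the prefix-list name Routesfor20, the route map name set_net and the no-export action come from this chapter, while the second prefix-list entry, the community ACL contents and the sample routes are constructed. Evaluation stops at the first instance whose match statements all succeed; a route that matches no instance is denied, which is the implicit end of a route map.

```python
"""Route-map evaluation: prefix-list and exact-community matches, AS-path
prepend and community set actions. Added example; not device code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

NO_EXPORT = "no-export"


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    communities: Set[str] = field(default_factory=set)
    local_pref: int = 100


def prefix_list_verdict(entries: List[Tuple[str, str, int]], prefix: str) -> bool:
    """entries: ordered (action, network, le). A route matches an entry when it
    lies inside the network and its length is <= le; first match decides."""
    net = ipaddress.ip_network(prefix)
    for action, covering, le in entries:
        cov = ipaddress.ip_network(covering)
        if net.version == cov.version and net.subnet_of(cov) and net.prefixlen <= le:
            return action == "permit"
    return False                         # implicit deny at the end of a prefix list


# --- match and set statement factories -------------------------------------
def match_prefix_list(entries):
    return lambda r: prefix_list_verdict(entries, r.prefix)


def match_community_exact(acl: Set[str]):
    """True only when the route carries exactly the ACL's set of communities."""
    return lambda r: r.communities == set(acl)


def set_community(value: str):
    def apply(r: Route) -> None:
        r.communities.add(value)
    return apply


def set_prepend(asns: List[int]):
    def apply(r: Route) -> None:
        r.as_path = list(asns) + r.as_path   # longer AS-path => less preferred
    return apply


@dataclass
class Instance:
    action: str                                   # "permit" or "deny"
    matches: List[Callable[[Route], bool]] = field(default_factory=list)
    sets: List[Callable[[Route], None]] = field(default_factory=list)


def run_route_map(instances: List[Instance], route: Route) -> Optional[Route]:
    """Return the (possibly modified) route if permitted, else None."""
    for inst in instances:
        if all(m(route) for m in inst.matches):
            if inst.action != "permit":
                return None
            for s in inst.sets:
                s(route)
            return route
    return None


# Constructed data. The first prefix-list entry is the one from this chapter.
ROUTESFOR20 = [
    ("permit", "20.20.0.0/24", 24),
    ("permit", "10.0.0.0/8", 24),        # constructed extra entry
]
EXACT_COMMUNITIES = {"65001:100", "65001:200"}   # constructed community ACL

SET_NET = [
    Instance("permit", [match_prefix_list(ROUTESFOR20)], [set_community(NO_EXPORT)]),
    Instance("permit", [match_community_exact(EXACT_COMMUNITIES)],
             [set_prepend([65002, 65002])]),
]
```

Note the exact-set semantics: a route carrying only 65001:100 does not match the second instance even though that community is listed in the ACL.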
NOTE
This parameter applies only to routes redistributed into OSPF.

The comm-list parameter deletes a community from a BGP4 route's community attributes field. The community parameter sets the community attribute for the route to the number or well-known type you specify. The dampening [ ] parameter sets route dampening parameters for the route.

NOTE
Setting the NLRI type to multicast applies only when you are using the route map to redistribute directly-connected routes. Otherwise, the set option is ignored.

The origin igp | incomplete parameter sets the route origin to IGP or INCOMPLETE. The tag parameter sets the route tag. You can specify a tag value from 0 – 4294967295.

NOTE
This parameter applies only to routes redistributed into OSPF.

NOTE
You also can set the tag value using a table map.

• When you use the set ip next-hop peer-address command in an outbound route map filter, peer-address substitutes for the local IP address of the BGP4 session.

NOTE
You can use this command for a peer group configuration.

Deleting a community from a BGP4 route

To delete a community from a BGP4 route's community attributes field, enter commands such as the following.

Configuring cooperative BGP4 route filtering

By default, the Layer 3 Switch performs all filtering of incoming routes locally, on the Layer 3 Switch itself. You can use cooperative BGP4 route filtering to cause the filtering to be performed by a neighbor before it sends the routes to the Layer 3 Switch. Cooperative filtering conserves resources by eliminating unnecessary route updates and filter processing.

The next two commands change the CLI to the BGP4 configuration level, then apply the IP prefix list to neighbor 1.2.3.4. The last command enables the Layer 3 Switch to send the IP prefix list as an ORF to neighbor 1.2.3.4. When the Layer 3 Switch sends the IP prefix list to the neighbor, the neighbor filters out the 20.20.0.x routes from its updates to the Layer 3 Switch. (This assumes that the neighbor also is configured for cooperative filtering.

NOTE
If the Layer 3 Switch or the neighbor is not configured for cooperative filtering, the command sends a normal route refresh message.

Displaying cooperative filtering information

You can display the following cooperative filtering information:
• The cooperative filtering configuration on the Layer 3 Switch.
• The ORFs received from neighbors.
To display the cooperative filtering configuration on the Layer 3 Switch, enter a command such as the following.

Configuring route flap dampening

A “route flap” is a change in a route's state, from up to down or down to up. When a route's state changes, the state change causes changes in the route tables of the routers that support the route. Frequent changes in a route's state can cause Internet instability and add processing overhead to the routers that support the route.

Globally configuring route flap dampening

To enable route flap dampening using the default values, enter the following command.

PowerConnect(config-bgp-router)# dampening

Syntax: dampening [ ]

The parameter specifies the number of minutes after which the route penalty becomes half its value.
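The half-life semantics just described (the penalty halves after each half-life period) drive the whole dampening state machine: flaps accumulate penalty, the route is suppressed once the penalty crosses a suppress limit, and it is reused once the decayed penalty drops below a reuse limit. The following Python is an added example, not device code; the half-life behaviour is from this chapter, while the penalty per flap, the reuse and suppress limits and the default half-life used below are constructed values, not the device defaults.

```python
"""Route flap dampening penalty arithmetic. Added example; not device code.
Only the half-life semantics are from the guide; all numeric defaults here
are constructed."""
import math
from dataclasses import dataclass

PENALTY_PER_FLAP = 1000.0          # constructed


@dataclass
class Dampening:
    half_life_min: float = 15.0    # constructed default, minutes
    reuse_limit: float = 750.0     # constructed
    suppress_limit: float = 2000.0 # constructed
    penalty: float = 0.0
    last_update: float = 0.0       # minutes since epoch of the simulation
    suppressed: bool = False

    def decay(self, now: float) -> float:
        """Exponential decay: the penalty halves every half_life_min minutes."""
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.half_life_min)
        self.last_update = now
        return self.penalty

    def flap(self, now: float) -> bool:
        """Record a state change; returns True if the route is now suppressed."""
        self.decay(now)
        self.penalty += PENALTY_PER_FLAP
        if self.penalty >= self.suppress_limit:
            self.suppressed = True
        return self.suppressed

    def usable(self, now: float) -> bool:
        """A suppressed route is reused once its penalty decays below reuse_limit."""
        self.decay(now)
        if self.suppressed and self.penalty < self.reuse_limit:
            self.suppressed = False
        return not self.suppressed

    def minutes_until_reuse(self, now: float) -> float:
        """Time for the current penalty to decay down to the reuse limit."""
        self.decay(now)
        if self.penalty <= self.reuse_limit:
            return 0.0
        return self.half_life_min * math.log2(self.penalty / self.reuse_limit)
```

With these constructed numbers two flaps in quick succession suppress the route; one half-life later the penalty is 1000 (still above the reuse limit), and after a second half-life it is 500 and the route is reused.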
PowerConnect(config)# router bgp
PowerConnect(config-bgp-router)# address-filter 9 permit 209.157.22.0 255.255.255.0 255.255.255.0 255.255.255.0
PowerConnect(config-bgp-router)# address-filter 10 permit 209.157.23.0 255.255.255.0 255.255.255.0 255.255.255.

PowerConnect(config)# route-map DAMPENING_MAP_ENABLE permit 1
PowerConnect(config-routemap DAMPENING_MAP_ENABLE)# exit
PowerConnect(config)# route-map DAMPENING_MAP_NEIGHBOR_A permit 1
PowerConnect(config-routemap DAMPENING_MAP_NEIGHBOR_A)# set dampening
PowerConnect(config-routemap DAMPENING_MAP_NEIGHBOR_A)# exit
PowerConnect(config)# router bgp
PowerConnect(config-bgp-router)# dampening route-map DAMPENING_MAP_ENABLE
PowerConnect(config-bgp-router)# neighbor 10.10.10.

Here is an example.

PowerConnect(config-bgp-router)# aggregate-address 209.1.0.0 255.255.0.0 summary-only
PowerConnect(config-bgp-router)# show ip bgp route 209.1.0.0/16 longer
Number of BGP Routes matching display condition : 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
    Prefix          Next Hop   Metric  LocPrf  Weight  Status
1   209.1.0.0/16    0.0.0.0            101     32768   BAL
    AS_PATH:
2   209.1.44.

PowerConnect# show ip bgp route 209.1.44.0/24
Number of BGP Routes matching display condition : 1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
    Prefix          Next Hop   Metric  LocPrf  Weight  Status
1   209.1.44.0/24   10.2.0.1   1       101     32768   BLS
    AS_PATH:
Route is advertised to 1 peers: 10.1.0.
Generating traps for BGP

TABLE 125 Route flap dampening statistics
This field... Displays...
Total number of flapping routes – Total number of routes in the Layer 3 Switch BGP4 route table that have changed state and thus have been marked as flapping routes.
Status code – Indicates the dampening status of the route, which can be one of the following:
  • > – This is the best route among those in the BGP4 route table to the route destination.
  • d – This route is currently dampened, and thus unusable.

Displaying BGP4 information

Syntax: [no] snmp-server enable traps bgp

Use the no form of the command to disable BGP traps.

TABLE 126 BGP4 summary information
This field... Displays...
Router ID – The Layer 3 Switch router ID.
Local AS Number – The BGP4 AS number the router is in.
Confederation Identifier – The AS number of the confederation the Layer 3 Switch is in.
Confederation Peers – The numbers of the local ASs contained in the confederation. This list matches the confederation peer list you configure on the Layer 3 Switch.

TABLE 126 BGP4 summary information (Continued)
This field... Displays...
State – The state of this router's neighbor session with each neighbor. The states are from this router's perspective of the session, not the neighbor's perspective. The state values are based on the BGP4 state machine values described in RFC 1771 and can be one of the following for each router:
  • IDLE – The BGP4 process is waiting to be started.
PowerConnect# show ip bgp config
Current BGP configuration:
router bgp
 address-filter 1 deny any any
 as-path-filter 1 permit ^65001$
 local-as 65002
 maximum-paths 4
 neighbor pg1 peer-group
 neighbor pg1 remote-as 65001
 neighbor pg1 description "PowerConnect group 1"
 neighbor pg1 distribute-list out 1
 neighbor 192.169.100.1 peer-group pg1
 neighbor 192.169.101.1 peer-group pg1
 neighbor 192.169.102.1 peer-group pg1
 neighbor 192.169.201.1 remote-as 65101
 neighbor 192.169.201.

PowerConnect# show process cpu
The system has only been up for 6 seconds.
Process Name  5Sec(%)  1Min(%)  5Min(%)  15Min(%)  Runtime(ms)
ARP           0.01     0.00     0.00     0.00      0
BGP           0.00     0.00     0.00     0.00      0
GVRP          0.00     0.00     0.00     0.00      0
ICMP          0.01     0.00     0.00     0.00      1
IP            0.00     0.00     0.00     0.00      0
OSPF          0.00     0.00     0.00     0.00      0
RIP           0.00     0.00     0.00     0.00      0
STP           0.00     0.00     0.00     0.00      0
VRRP          0.00     0.00     0.00     0.00      0

To display utilization statistics for a specific number of seconds, enter a command such as the following.

PowerConnect# show ip bgp neighbor 192.168.4.211 routes-summary
1   IP Address: 192.168.4.211
Routes Accepted/Installed:1, Filtered/Kept:11, Filtered:11
Routes Selected as BEST Routes:1
BEST Routes not Installed in IP Forwarding Table:0
Unreachable Routes (no IGP Route for NEXTHOP):0
History Routes:0
NLRIs Received in Update Message:24, Withdraws:0 (0), Replacements:1
NLRIs Discarded due to Maximum Prefix Limit:0, AS Loop:0
Invalid Nexthop:0, Invalid Nexthop Address:0.0.0.
25 Displaying BGP4 information TABLE 127 BGP4 route summary information for a neighbor (Continued) This field... Displays... NLRIs Discarded due to Indicates the number of times the Layer 3 Switch discarded an NLRI for the neighbor due to the following reasons: • Maximum Prefix Limit – The Layer 3 Switch configured maximum prefix amount had been reached. • AS Loop – An AS loop occurred. An AS loop occurs when the BGP4 AS-path attribute contains the local AS number.
Displaying BGP4 information 25 PowerConnect# show ip bgp neighbor 10.4.0.2 1 IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 100.0.0.1 Description: neighbor 10.4.0.
25 Displaying BGP4 information The attribute-entries option shows the attribute-entries associated with routes received from the neighbor. The flap-statistics option shows the route flap statistics for routes received from or sent to the neighbor. The last-packet-with-error option displays the last packet from the neighbor that contained an error. The packet's contents are displayed in decoded (human-readable) format.
TABLE 128 BGP4 neighbor information (Continued)
This field... / Displays...
RouterID: The neighbor router ID.
Description: The description you gave the neighbor when you configured it on the Layer 3 Switch.
State: The state of the router session with the neighbor. The states are from this router's perspective of the session, not the neighbor's perspective.
TABLE 128 BGP4 neighbor information (Continued)
This field... / Displays...
RemovePrivateAs: Whether this option is enabled for the neighbor.
RefreshCapability: Whether this Layer 3 Switch has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability.
CooperativeFilteringCapability: Whether the neighbor is enabled for cooperative route filtering.
Distribute-list: Lists the distribute list parameters, if configured.
TABLE 128 BGP4 neighbor information (Continued)
This field... / Displays...
Last Connection Reset Reason: The reason the previous session with this neighbor ended. The reason can be one of the following.
TABLE 128 BGP4 neighbor information (Continued)
This field... / Displays...
Notification Sent: If the router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
TABLE 128 BGP4 neighbor information (Continued)
This field... / Displays...
TCP Connection state: The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
• SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
TABLE 128 BGP4 neighbor information (Continued)
This field... / Displays...
RcvWnd: The size of the receive window.
SendQue: The number of sequence numbers in the send queue.
RcvQue: The number of sequence numbers in the receive queue.
CngstWnd: The number of times the window has changed.

Displaying route information for a neighbor

You can display routes based on the following criteria:
• A summary of the routes for a specific neighbor.
TABLE 129 BGP4 route summary information for a neighbor
This field... / Displays...
Routes Received: How many routes the Layer 3 Switch has received from the neighbor during the current BGP4 session:
• Accepted/Installed – Indicates how many of the received routes the Layer 3 Switch accepted and installed in the BGP4 route table.
TABLE 129 BGP4 route summary information for a neighbor (Continued)
This field... / Displays...
NLRIs Sent in Update Message: The number of NLRIs for new routes the Layer 3 Switch has sent to this neighbor in UPDATE messages:
• Withdraws – The number of routes the Layer 3 Switch has sent to the neighbor to withdraw.
• Replacements – The number of routes the Layer 3 Switch has sent to the neighbor to replace routes the neighbor already has.
Displaying the best routes that were nonetheless not installed in the IP route table

To display the BGP4 routes received from a specific neighbor that are the "best" routes to their destinations but are not installed in the Layer 3 Switch IP route table, enter a command such as the following at any level of the CLI.

PowerConnect# show ip bgp neighbor 192.168.4.
PowerConnect# show ip bgp peer-group pg1
1 BGP peer-group is pg
    Description: peer group abc
    SendCommunity: yes
    NextHopSelf: yes
    DefaultOriginate: yes
    Members:
      IP Address: 192.168.10.10, AS: 65111

Syntax: show ip bgp peer-group [ ]

Only the parameters that have values different from their defaults are listed.
TABLE 130 BGP4 summary route information (Continued)
This field... / Displays...
IBGP routes selected as best routes: The number of "best" routes in the BGP4 route table that are IBGP routes.
EBGP routes selected as best routes: The number of "best" routes in the BGP4 route table that are EBGP routes.
The community option lets you display routes for a specific community. You can specify local-as, no-export, no-advertise, internet, or a private community number. You can specify the community number either as two integer values of up to five digits each, each in the range 1 – 65535, separated by a colon (for example, 12345:6789), or as a single long integer value. The community-access-list parameter filters the display using the specified community ACL.
For information about the fields in this display, refer to Table 131 on page 838. The fields in this display also appear in the show ip bgp display.
Displaying information for a specific route

To display BGP4 network information by specifying an IP address within the network, enter a command such as the following at any level of the CLI.

PowerConnect# show ip bgp 9.3.4.0
Number of BGP Routes matching display condition : 1
Status codes: s suppressed, d damped, h history, * valid, >
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network          Next Hop        Metric  LocPrf  Weight
*>  9.3.4.0/24       192.168.4.
TABLE 131 BGP4 network information (Continued)
This field... / Displays...
Weight: The value that this router associates with routes from a specific neighbor. For example, if the router receives routes to the same destination from two BGP4 neighbors, the router prefers the route from the neighbor with the larger weight.
Path: The route AS path.
NOTE: This field appears only if you do not enter the route option.
These displays show the following information.

TABLE 132 BGP4 route information
This field... / Displays...
Total number of BGP Routes: The number of BGP4 routes.
Status codes: A list of the characters the display uses to indicate the route status. The status code appears in the left column of the display, to the left of each route. The status codes are described in the command output.
Prefix: The network prefix and mask length.
TABLE 132 BGP4 route information (Continued)
This field... / Displays...
Weight: The value that this router associates with routes from a specific neighbor. For example, if the router receives routes to the same destination from two BGP4 neighbors, the router prefers the route from the neighbor with the larger weight.
Atomic: Whether network information in this route has been aggregated and this aggregation has resulted in information loss.
TABLE 133 BGP4 route-attribute entries information
This field... / Displays...
Total number of BGP Attribute Entries: The number of routes contained in this router's BGP4 route table.
Next Hop: The IP address of the next hop router for routes that have this set of attributes.
Metric: The cost of the routes that have this set of attributes.
Origin: The source of the route information.
PowerConnect# show ip route
Total number of IP routes: 50834
B:BGP D:Directly-Connected O:OSPF R:RIP S:Static
Network Address   NetMask           Gateway
3.0.0.0           255.0.0.0         192.168.13.2
4.0.0.0           255.0.0.0         192.168.13.2
9.20.0.0          255.255.128.0     192.168.13.2
10.1.0.0          255.255.0.0       0.0.0.0        0
10.10.11.0        255.255.255.0     0.0.0.0        0
12.2.97.0         255.255.255.0     192.168.13.2
12.3.63.0         255.255.255.0     192.168.13.2
12.3.123.0        255.255.255.0     192.168.13.2
12.5.252.0        255.255.254.0     192.168.13.2
12.6.42.0         255.255.254.
TABLE 134 Route flap dampening statistics
This field... / Displays...
Total number of flapping routes: The total number of routes in the Layer 3 Switch BGP4 route table that have changed state and thus have been marked as flapping routes.
Status code: Indicates the dampening status of the route, which can be one of the following:
> – This is the best route among those in the BGP4 route table to the route destination.
This example shows the active configuration for a route map called "setcomm".

Syntax: show route-map [ ]

Updating route information and resetting a neighbor session

The following sections describe ways to update route information with a neighbor, reset the session with a neighbor, and close a session with a neighbor.
Use the following CLI methods to configure soft reconfiguration, apply policy changes, and display information for the updates that are filtered out by the policies.

Enabling soft reconfiguration

To configure a neighbor for soft reconfiguration, enter a command such as the following.

PowerConnect(config-bgp-router)# neighbor 10.10.200.102 soft-reconfiguration inbound

This command enables soft reconfiguration for updates received from 10.10.
PowerConnect# show ip bgp filtered-routes
Searching for matching routes, use ^C to quit...
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
    Prefix             Next Hop        Metric  LocPrf  Weight  Status
1   3.0.0.0/8          192.168.4.106           100     0       EF
        AS_PATH: 65001 4355 701 80
2   4.0.0.0/8          192.168.4.106           100     0       EF
        AS_PATH: 65001 4355 1
3   4.60.212.0/22      192.168.4.
The detail parameter displays detailed information for the routes. The example above shows summary information.

NOTE
The syntax for displaying received routes is shown. For complete command syntax, refer to "Displaying BGP4 neighbor information" on page 822.

NOTE
The show ip bgp neighbor received-routes syntax supported in previous software releases is changed to the following syntax: show ip bgp neighbor routes.
PowerConnect(config-bgp-router)# clear ip bgp neighbor 192.168.1.170 soft in

This command asks the neighbor to send its BGP4 table (Adj-RIB-Out) again. The Layer 3 Switch applies its filters to the incoming routes and adds, modifies, or removes BGP4 routes as necessary.
To place a new or changed outbound policy or filter into effect, you must enter a clear ip bgp neighbor command regardless of whether the neighbor session is up or down. You can enter the command without optional parameters or with the soft out or soft-outbound option. Either way, you must specify a parameter for the neighbor (, , , or all).
Closing or resetting a neighbor session

You can close a neighbor session or resend route updates to a neighbor. If you make changes to filters or route maps and the neighbor does not support dynamic route refresh, use the following methods to ensure that neighbors contain only the routes you want them to contain:
• If you close a neighbor session, the Layer 3 Switch and the neighbor clear all the routes they learned from each other.
Clearing traffic counters

You can clear the counters (reset them to 0) for BGP4 messages. To do so, use one of the following methods.

To clear the BGP4 message counter for all neighbors, enter the following command.

PowerConnect# clear ip bgp traffic

Syntax: clear ip bgp traffic

To clear the BGP4 message counter for a specific neighbor, enter a command such as the following.

PowerConnect# clear ip bgp neighbor 10.0.0.
To un-suppress all the suppressed routes, enter the following command at the Privileged EXEC level of the CLI.

PowerConnect# clear ip bgp damping

Syntax: clear ip bgp damping [ ]

The first parameter specifies a particular network. The second parameter specifies the network mask.

To un-suppress a specific route, enter a command such as the following.

PowerConnect# clear ip bgp damping 209.157.22.0 255.255.255.
Chapter 26 Securing Access to Management Functions This chapter explains how to secure access to management functions on a device. NOTE For all devices, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication. Securing access methods The following table lists the management access methods available on a device, how they are secured by default, and the ways in which they can be secured.
TABLE 135 Ways to secure management access to devices (Continued)
Access method / How the access method is secured by default / Ways to secure the access method / See page
Telnet access / Not secured /
  Regulate Telnet access using ACLs / page 857
  Allow Telnet access only from specific IP addresses / page 860
  Restrict Telnet access based on a client MAC address / page 861
  Allow Telnet access only from specific MAC addresses / page 862
  Specify the maximum number of login attempts fo
TABLE 135 Ways to secure management access to devices (Continued)
Access method / How the access method is secured by default / Ways to secure the access method / See page
TFTP access / Not secured /
  Allow TFTP access only to clients connected to a specific VLAN / page 862
  Disable TFTP access / page 865

Restricting remote access to management functions

You can restrict access to management functions from remote sources, including Telnet, , and SNMP.
PowerConnect(config)# access-list 10 deny host 209.157.22.32 log
PowerConnect(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log
PowerConnect(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log
PowerConnect(config)# access-list 10 deny 209.157.25.
NOTE
The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet and SSH access using ACLs.

PowerConnect(config)# access-list 25 deny host 209.157.22.98 log
PowerConnect(config)# access-list 25 deny 209.157.23.0 0.0.0.
NOTE
In RADIUS, the standard attribute Idle-Timeout is used to define the console session timeout value. The attribute Idle-Timeout value is specified in seconds. Within the switch, it is truncated to the nearest minute, because the switch configuration is defined in minutes.

Restricting remote access to the device to specific IP addresses

By default, a device does not control remote management access based on the IP address of the managing device.
PowerConnect(config)# all-client 209.157.22.69

Syntax: [no] all-client |

Restricting access to the device based on IP or MAC address

You can restrict remote management access to the device, using Telnet, SSH, HTTP, and HTTPS, based on the connecting client IP or MAC address.

Restricting Telnet connection

You can restrict Telnet connection to a device based on the client IP address or MAC address.
PowerConnect(config)# telnet login-retries 5

Syntax: [no] telnet login-retries

You can specify from 0 – 5 attempts. The default is 4 attempts.

Restricting remote access to the device to specific VLAN IDs

You can restrict management access to a device to ports within a specific port-based VLAN.
The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

Syntax: [no] tftp client enable vlan

Designated VLAN for Telnet management sessions to a Layer 2 Switch

By default, the management IP address you configure on a Layer 2 Switch applies globally to all the ports on the device.
• SNMP

The commands for granting access to each of these management interfaces are described in the following sections.

SSHv2

To allow SSHv2 access to the device, you must generate a crypto key as shown in the following command.

PowerConnect(config)# crypto key generate

Syntax: crypto key [generate | zeroize]

The generate parameter generates a DSA key pair. The zeroize parameter deletes the currently operative DSA key pair.
NOTE
The Telnet server is enabled by default.

Disabling SNMP access

SNMP is required if you want to manage a device using Brocade Network Advisor. To disable SNMP management of the device, enter the following command.

PowerConnect(config)# no snmp-server

To later re-enable SNMP management of the device, enter the following command.

PowerConnect(config)# snmp-server

Syntax: no snmp-server

Disabling TFTP access

On PowerConnect B-Series TI24X devices, you can globally disable TFTP to block TFTP client access.
Setting a Telnet password

By default, the device does not require a user name or password when you log in to the CLI using Telnet. You can assign a password for Telnet access using one of the following methods.

Set the password "letmein" for Telnet access to the CLI using the following command at the global CONFIG level.
1. At the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode.

   PowerConnect> enable
   PowerConnect#

2. Access the CONFIG level of the CLI by entering the following command.

   PowerConnect# configure terminal
   PowerConnect(config)#

3. Enter the following command to set the Super User level password.
In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port Configuration). All users with Port Configuration privileges will have the enhanced access. The ip parameter indicates that the enhanced access is for the IP commands.
1. Start a CLI session over the serial interface to the device.
2. Reboot the device.
3. At the initial boot prompt at system startup, enter b to enter the boot monitor mode.
4. Enter no password at the prompt. (You cannot abbreviate this command.) This command will cause the device to bypass the system password check.
5. Enter boot system flash primary at the prompt.
6. After the console prompt reappears, assign a new password.
Setting up local user accounts

You can define up to 16 local user accounts on a device. User accounts regulate who can access the management functions in the CLI using the following methods:
• Telnet access
• SNMP access

Local user accounts provide greater flexibility for controlling management access to devices than do management privilege level passwords and SNMP community strings of SNMP versions 1 and 2.
• A password can now be set to expire.
PowerConnect(config)# username kelly password
Enter Password: ********

NOTE
When password masking is enabled, press the [Enter] key before entering the password.

Syntax: username password [Enter]

For [Enter], press the Enter key. Enter the password when prompted. If strict-password-enforcement is enabled, enter a password which contains the required character combination. Refer to "Enabling enhanced user password combination requirements" on page 871.
Enhanced login lockout

The CLI provides up to three login attempts. If a user fails to log in after three attempts, that user is locked out (disabled). If desired, you can increase or decrease the number of login attempts before the user is disabled. To do so, enter a command such as the following at the global CONFIG level of the CLI.
NOTE
This requirement is disabled by default, unless configured. Users are not required to press Enter after the MOTD banner is displayed.

Configuring a local user account

You can create accounts for local users with or without passwords. Accounts with passwords can have encrypted or unencrypted passwords.
• 5 – Read Only level

The default privilege level is 0. If you want to assign Super User level access to the account, you can enter the command without privilege 0, as shown in the command example above. The password | nopassword parameter indicates whether the user must enter a password. If you specify password, enter the string for the user's password. You can enter up to 48 characters for the password.
Create password option

As an alternative to the commands above, the create-password option allows you to create an encrypted password in a single command line. This option also allows you to create an all-numeric, encrypted password. For example, you can enter the following command.

PowerConnect(config)# username wonka privilege 5 create-password willy

Syntax: [no] username [privilege ] create-password

You can enter up to 48 characters for the password.
Configuring TACACS/TACACS+ security

You can use the security protocol Terminal Access Controller Access Control System (TACACS) or TACACS+ to authenticate the following kinds of access to the device:
• Telnet access
• SSH access
• Console access
• Access to the Privileged EXEC level and CONFIG levels of the CLI

The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is sent between a device and an authentication databa
NOTE
By default, a user logging into the device from Telnet or SSH would first enter the User EXEC level. The user can enter the enable command to get to the Privileged EXEC level. A user that is successfully authenticated can be automatically placed at the Privileged EXEC level after login. Refer to "Entering privileged EXEC mode after a Telnet or SSH login" on page 886.
• Command authorization consults a TACACS+ server to get authorization for commands entered by the user

When TACACS+ exec authorization takes place, the following events occur.
1. A user logs into the device using Telnet or SSH.
2. The user is authenticated.
3. The device consults the TACACS+ server to determine the privilege level of the user.
4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the privilege level of the user.
TABLE 136
User action / Applicable AAA operations
User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI /
  Enable authentication: aaa authentication enable default
  Exec authorization (TACACS+): aaa authorization exec default tacacs+
  System accounting start (TACACS+): aaa accounting system default start-stop
User logs in using Telnet/SSH /
  Login authentication: aaa authentication login default
  Exec aut
When you paste commands into the running-config, and AAA command authorization or accounting, or both, are configured on the device, AAA operations are performed on the pasted commands. The AAA operations are performed before the commands are actually added to the running-config. The server performing the AAA operations should be reachable when you paste the commands into the running-config file.
PowerConnect(config)# enable snmp config-tacacs

Syntax: [no] enable snmp

The first parameter specifies the RADIUS configuration mode. RADIUS is disabled by default. The second parameter specifies the TACACS configuration mode. TACACS is disabled by default.

Identifying the TACACS/TACACS+ servers

To use TACACS/TACACS+ servers to authenticate access to a device, you must identify the servers to the device.
Specifying different servers for individual AAA functions

In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example, you can designate one TACACS+ server to handle authorization and another TACACS+ server to handle accounting. You can set the TACACS+ key for each server. To specify different TACACS+ servers for authentication, authorization, and accounting, enter commands such as the following.
NOTE
The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the device.

To specify a TACACS+ server key, enter a command such as the following.

PowerConnect(config)# tacacs-server key rkwong

Syntax: tacacs-server key [0 | 1]

When you display the configuration of the device, the TACACS+ keys are encrypted. For example.
When you configure authentication-method lists for TACACS/TACACS+ authentication, you must create a separate authentication-method list for Telnet/SSH CLI access, and for access to the Privileged EXEC level and CONFIG levels of the CLI. To create an authentication method list that specifies TACACS/TACACS+ as the primary authentication method for securing Telnet/SSH access to the CLI.
NOTE
For examples of how to define authentication-method lists for types of authentication other than TACACS/TACACS+, refer to "Configuring authentication-method lists" on page 907.

Entering privileged EXEC mode after a Telnet or SSH login

By default, a user enters User EXEC mode after a successful login through Telnet or SSH. Optionally, you can configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login.
Configuring exec authorization

When TACACS+ exec authorization is performed, the device consults a TACACS+ server to determine the privilege level of the authenticated user. To configure TACACS+ exec authorization on the device, enter the following command.
If the foundry-privlvl A-V pair is not present, the device extracts the last A-V pair configured for the Exec service that has a numeric value. The device uses this A-V pair to determine the user privilege level.

Example

user=bob {
    default service = permit
    member admin
    #Global password
    global = cleartext "cat"
    service = exec {
        priv-lvl = 15
    }
}

The attribute name in the A-V pair is not significant; the device uses the last one that has a numeric value.
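The selection rule above (foundry-privlvl if present, otherwise the last numeric-valued A-V pair in the exec service) is easy to get wrong when auditing a TACACS+ user file, because a stray numeric attribute placed after priv-lvl silently changes the level the device assigns. The following Python is an added example, not Dell or Brocade firmware code: it parses a tac_plus-style user block such as the one above and applies the rule. The regex parser, the level names attached to 0, 4 and 5 (taken from the privilege levels this chapter names), and the treatment of any other value as an unknown level are assumptions of the example.

```python
"""Privilege-level selection from TACACS+ exec A-V pairs (added example)."""
import re
from typing import List, Optional, Tuple

# Assumed mapping: the privilege levels this chapter names. Any other value
# (for instance the 15 in the guide's own example) is reported as unknown.
LEVEL_NAMES = {0: "Super User", 4: "Port Configuration", 5: "Read Only"}

EXEC_BLOCK = re.compile(r"service\s*=\s*exec\s*\{(.*?)\}", re.S)
AV_PAIR = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(\S+)\s*$")


def exec_av_pairs(user_config: str) -> List[Tuple[str, str]]:
    """Return the (attribute, value) pairs inside 'service = exec { ... }'."""
    match = EXEC_BLOCK.search(user_config)
    if not match:
        return []
    pairs = []
    for line in match.group(1).splitlines():
        line = line.split("#", 1)[0]        # drop trailing comments
        m = AV_PAIR.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def select_privilege(pairs: List[Tuple[str, str]]) -> Optional[int]:
    """Apply the guide's rule: foundry-privlvl wins; else the LAST numeric value."""
    for attr, val in pairs:
        if attr == "foundry-privlvl" and val.isdigit():
            return int(val)
    chosen = None
    for attr, val in pairs:
        if val.isdigit():
            chosen = int(val)               # keep overwriting: last numeric pair wins
    return chosen


def privilege_name(level: Optional[int]) -> str:
    if level is None:
        return "no privilege level returned"
    return LEVEL_NAMES.get(level, f"unknown level {level} (not named in this chapter)")


# Constructed samples: the guide's user "bob", and a second user that carries
# foundry-privlvl followed by a decoy numeric attribute (foundry-privlvl must win).
BOB = '''user=bob {
    default service = permit
    member admin
    #Global password
    global = cleartext "cat"
    service = exec {
        priv-lvl = 15
    }
}'''

ALICE = '''user=alice {
    service = exec {
        foundry-privlvl = 5
        priv-lvl = 0
    }
}'''

if __name__ == "__main__":
    for cfg in (BOB, ALICE):
        lvl = select_privilege(exec_av_pairs(cfg))
        print(cfg.split("{", 1)[0].strip(), "->", lvl, privilege_name(lvl))
```

Run it against an exported user file and compare the reported level with what the account is meant to have; the ALICE sample shows that once foundry-privlvl is present, a later priv-lvl = 0 no longer grants Super User.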
You enable TACACS+ command authorization by specifying a privilege level whose commands require authorization. For example, to configure the device to perform authorization for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
Configuring TACACS+ accounting for Telnet/SSH (Shell) access

To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the device, and an Accounting Stop packet when the user logs out.
Configuring an interface as the source for all TACACS/TACACS+ packets

You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all TACACS/TACACS+ packets from the Layer 3 Switch.
PowerConnect# show aaa
Tacacs+ key: Brocade
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49:
    opens=6 closes=3 timeouts=3 errors=0
    packets in=4 packets out=4
    no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.
NOTE
Devices do not support RADIUS security for SNMP (Brocade Network Advisor) access.

RADIUS authentication, authorization, and accounting

When RADIUS authentication is implemented, the device consults a RADIUS server to verify user names and passwords.
3. If the command belongs to a privilege level that requires authorization, the device looks at the list of commands delivered to it in the RADIUS Access-Accept packet when the user was authenticated. (Along with the command list, an attribute was sent that specifies whether the user is permitted or denied usage of the commands in the list.)

NOTE
After RADIUS authentication takes place, the command list resides on the device.
TABLE 140
User action / Applicable AAA operations
User logs in using Telnet/SSH /
  Login authentication: aaa authentication login default
  EXEC accounting Start: aaa accounting exec default start-stop
  System accounting Start: aaa accounting system default start-stop
User logs out of Telnet/SSH session /
  Command authorization for logout command: aaa authorization commands default
  Command accounting: aaa ac
RADIUS configuration considerations

• You must deploy at least one RADIUS server in your network.
• Devices support authentication using up to eight RADIUS servers, including those used for 802.1X authentication and for management. The device tries to use the servers in the order you add them to the device configuration. If one RADIUS server times out (does not respond), the device tries the next one in the list.
• Whether the user is allowed or denied usage of the commands in the list

You must add these three Dell vendor-specific attributes to your RADIUS server configuration, and configure the attributes in the individual or group profiles of the users that will access the device. Dell Vendor-ID is 1991, with Vendor-Type 1. The following table describes the Dell vendor-specific attributes.
The second parameter specifies the TACACS configuration mode. TACACS is disabled by default.

Identifying the RADIUS server to the device

To use a RADIUS server to authenticate access to a device, you must identify the server to the device.

Example

PowerConnect(config)# radius-server host 209.157.22.
Configuration notes

• This feature works with 802.1X and multi-device port authentication only.
• As in previous releases, you can define up to eight RADIUS servers per device.

Configuration example and command syntax

The following shows an example configuration.

PowerConnect(config)# radius-server host 10.10.10.103 1813 default key mykeyword dot1x port-only
PowerConnect(config)# radius-server host 10.10.10.
Configuration notes

• This feature works with 802.1X and multi-device port authentication only.
• You can map a RADIUS server to a physical port only. You cannot map a RADIUS server to a VE.

Configuration example and command syntax

To map a RADIUS server to a port, enter commands such as the following.

PowerConnect(config)# int e 3
PowerConnect(config-if-e10000-3)# dot1x port-control auto
PowerConnect(config-if-e10000-3)# use-radius-server 10.10.10.
NOTE
Encryption of the RADIUS keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.

Setting the retransmission limit

The retransmit parameter specifies the maximum number of retransmission attempts. When an authentication request times out, the software will retransmit the request up to the maximum number of retransmissions configured. The default retransmit value is 3 retries.
26 Configuring RADIUS security PowerConnect(config)# aaa authentication enable default radius local none The command above causes RADIUS to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.
Configuring RADIUS security 26 Configuring enable authentication to prompt for password only If Enable authentication is configured on the device, when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI, by default he or she is prompted for a username and password. In this release, you can configure the device to prompt only for a password. The device uses the username entered at login, if one is available.
26 Configuring RADIUS security You enable RADIUS command authorization by specifying a privilege level whose commands require authorization. For example, to configure the device to perform authorization for the commands available at the Super User privilege level (that is; all commands on the device), enter the following command.
Configuring RADIUS security 26 Configuring RADIUS accounting Devices support RADIUS accounting for recording information about user activity and system events. When you configure RADIUS accounting on a device, information is sent to a RADIUS accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
26 Configuring RADIUS security Configuring an interface as the source for all RADIUS packets You can designate the lowest-numbered IP address configured an Ethernet port, loopback interface, or virtual interface as the source IP address for all RADIUS packets from the Layer 3 Switch.
Configuring authentication-method lists 26 Example PowerConnect# show aaa Tacacs+ key: Brocade Tacacs+ retries: 1 Tacacs+ timeout: 15 seconds Tacacs+ dead-time: 3 minutes Tacacs+ Server: 207.95.6.90 Port:49: opens=6 closes=3 timeouts=3 errors=0 packets in=4 packets out=4 no connection Radius key: networks Radius retries: 3 Radius timeout: 3 seconds Radius dead-time: 3 minutes Radius Server: 207.95.6.
26 Configuring authentication-method lists • • • • Local user accounts configured on the device Database on a TACACS or TACACS+ server Database on a RADIUS server No authentication NOTE The TACACS/TACACS+, RADIUS, and Telnet login password authentication methods are not supported for SNMP access. NOTE To authenticate Telnet access to the CLI, you also must enable the authentication by entering the enable telnet authentication command at the global CONFIG level of the CLI.
Configuring authentication-method lists 26 Examples of authentication-method lists The following examples show how to configure authentication-method lists. In these examples, the primary authentication method for each is “local”. The device will authenticate access attempts using the locally configured usernames and passwords. The command syntax for each of the following examples is provided in “Command Syntax” on page 909.
26 Configuring authentication-method lists The snmp-server | web-server | enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access. NOTE TACACS/TACACS+ and RADIUS are supported only with the enable and login parameters. The parameter specifies the primary authentication method.
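The fallback behaviour of an authentication-method list such as aaa authentication enable default radius local none, and the open-door property of a trailing none, is easy to get wrong when reading the rules above. The following Python model is an added example, not Dell's code or anything the device exposes. It encodes the manual's wording that a method is skipped only when it fails "due to an error" (server unreachable, or for local, no local accounts to check), while a method that answers with a reject is final; that reading, the method names and the sample user tables are assumptions made for the example.

```python
"""Model of authentication-method list evaluation for the RADIUS / local /
none fallback described above.  Added example, not Dell's code."""
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"   # method authenticated the user
    REJECT = "reject"   # method answered and refused the credentials
    ERROR = "error"     # method could not answer (unreachable, nothing to check)


# Constructed sample context standing in for the device's local user table,
# the RADIUS server's database and the server's reachability.
DEFAULT_CTX = {
    "radius_up": True,
    "radius_users": {"admin": "r4dius-pw", "alice": "alice-pw"},
    "local_users": {"admin": "l0cal-pw"},
}


def radius_method(user, password, ctx):
    if not ctx.get("radius_up", True):
        return Outcome.ERROR                      # timeout: fall through
    return Outcome.ACCEPT if ctx["radius_users"].get(user) == password else Outcome.REJECT


def local_method(user, password, ctx):
    if not ctx["local_users"]:
        return Outcome.ERROR                      # no local accounts at all
    return Outcome.ACCEPT if ctx["local_users"].get(user) == password else Outcome.REJECT


def none_method(user, password, ctx):
    return Outcome.ACCEPT                         # "none": permit unconditionally


METHODS = {"radius": radius_method, "local": local_method, "none": none_method}


def authenticate(method_list, user, password, ctx=DEFAULT_CTX):
    """Walk the list in order.  Only an ERROR moves on to the next method;
    an ACCEPT or REJECT from a method that answered is final.  Returns
    (allowed, trace) where trace lists (method, outcome) pairs evaluated."""
    trace = []
    for name in method_list:
        result = METHODS[name](user, password, ctx)
        trace.append((name, result))
        if result is not Outcome.ERROR:
            return result is Outcome.ACCEPT, trace
    return False, trace                           # every method errored: deny


def check_method_list(method_list):
    """Static lint: flag 'none' in an enable/login list, because an outage of
    every method before it turns into unconditional access."""
    findings = []
    if "none" in method_list:
        findings.append("'none' present: an outage of every earlier method grants access")
    if method_list and method_list[0] == "none":
        findings.append("'none' is the primary method: authentication is disabled")
    return findings
```

Run authenticate(["radius", "local", "none"], "mallory", "x", {**DEFAULT_CTX, "radius_up": False, "local_users": {}}) to see the case the text warns about: RADIUS errors, local has nothing to check, and none admits an unknown user.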
Chapter 27 Configuring SSH2 and SCP
SSH version 2 support
Secure Shell (SSH) is a mechanism for allowing secure remote access to management functions on a device. SSH provides a function similar to Telnet. Users can log into and configure the device using a publicly or commercially available SSH client program, just as they can with Telnet. However, unlike Telnet, which provides no security, SSH provides a secure, encrypted connection to the device.

AES encryption for SSH2.
• OpenSSH 3.5_p1 and 3.6.1p2
• Solaris Sun-SSH-1.0
NOTE The PowerConnect B-Series TI24X devices support client public key sizes of 2048 bits or less.
Supported features
SSH2 (Secure Shell version 2 protocol) provides an SSH server. The SSH server allows secure remote access to management functions on a device. SSH provides a function that is similar to Telnet, but unlike Telnet, SSH provides a secure, encrypted connection.

Configuring SSH2
PowerConnect# show who
Console connections:
  Established
  you are connecting to this session
  2 minutes 56 seconds in idle
SSH connections:
1. established, client ip address 2.2.2.1, user is Raymond
  1 minutes 15 seconds in idle
2. established, client ip address 2.2.2.2, user is Ron
  2 minutes 25 seconds in idle
3. established, client ip address 2.2.2.1, user is David
  1 minutes 8 seconds in idle
4. established, client ip address 2.2.2.1, user is Franchesca
  2 minutes 32 seconds in idle
5.

Recreating SSH keys
You must recreate SSH keys after either of the following events:
• Upgrading from a software release that supports SSH1 to a software release that supports SSH2.
• Downgrading from a software release that supports SSH2 to a software release that supports SSH1.
To recreate SSH keys, enter the following command.

To hide the public keys in the running configuration file, enter the following command.
PowerConnect# ssh no-show-host-keys
Syntax: ssh no-show-host-keys
Providing the public key to clients
If you are using SSH to connect to a device from a UNIX system, you may need to add the public key on the device to a “known hosts” file; for example, $HOME/.ssh/known_hosts. Verify the key's fingerprint against the device (for example, over the console) before adding it, because the known_hosts entry is what lets later sessions detect a substituted host. The following is an example of an entry in a known hosts file.

Importing authorized public keys into the device
SSH clients that support DSA authentication normally provide a utility to generate a DSA key pair. The private key is usually stored in a password-protected file on the local host; the public key is stored in another file and is not protected. You should collect one public key from each client to be granted access to the device and place all of these keys into one file. This public key file is imported into the device.

Setting optional parameters
PowerConnect# show ip client-pub-key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbETW6ToHv8D1UJ/z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdHYI14Om1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cvwHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9vGfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAAvioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetz
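Both the known_hosts entry for the device's host key and the client public keys imported with the file above are OpenSSH public-key lines: a key type, a base64 blob in the RFC 4253 wire format, and optionally a host or comment. The following Python is an added example, not Dell's or OpenSSH's code, that parses such a line, recovers the key parameters, computes the SHA256 and MD5 fingerprints that ssh-keygen -l prints (so a fingerprint can be compared before the key is trusted), and applies the 2048-bit limit stated in the NOTE above. The sample key is built from small dummy integers so the file runs offline; it is not a usable DSA key.

```python
"""Parse OpenSSH public-key / known_hosts lines, fingerprint them and check
the key size against the device's limit.  Added example, not Dell's code."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    # RFC 4251 mpint: big-endian, minimal length, with a leading zero byte
    # whenever the top bit would otherwise make the value read as negative.
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, pos: int):
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length


def build_dss_blob(p: int, q: int, g: int, y: int) -> bytes:
    """RFC 4253 'ssh-dss' wire encoding: string "ssh-dss", then mpint p, q, g, y."""
    return _ssh_string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(g) + _mpint(y)


def parse_pubkey_line(line: str) -> dict:
    """Accepts 'host keytype base64 [comment]' (known_hosts) or
    'keytype base64 [comment]' (authorized keys / imported client keys)."""
    fields = line.split()
    if fields[0] in ("ssh-dss", "ssh-rsa"):
        host, keytype, b64 = None, fields[0], fields[1]
    else:
        host, keytype, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64)
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode() != keytype:
        raise ValueError("key type in text and in blob disagree")
    params = []
    while pos < len(blob):
        s, pos = _read_string(blob, pos)
        params.append(int.from_bytes(s, "big"))
    # ssh-dss: p is the first parameter; ssh-rsa: e then n, so n is last.
    bits = params[0].bit_length() if keytype == "ssh-dss" else params[-1].bit_length()
    return {
        "host": host,
        "keytype": keytype,
        "bits": bits,
        "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
        "md5": "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest()),
    }


def acceptable_for_device(info: dict, max_bits: int = 2048) -> bool:
    """The guide states the device accepts client public keys of 2048 bits or less."""
    return info["keytype"] in ("ssh-dss", "ssh-rsa") and info["bits"] <= max_bits


# Constructed dummy parameters (NOT a real key).  p is made exactly 1024 bits
# long so the size check has something realistic to measure.
DUMMY_P = (1 << 1023) | 0x1234567
DUMMY_Q = (1 << 159) | 0x55
DUMMY_G = 0x2
DUMMY_Y = (1 << 1000) | 0x77
SAMPLE_LINE = "209.157.22.110 ssh-dss " + base64.b64encode(
    build_dss_blob(DUMMY_P, DUMMY_Q, DUMMY_G, DUMMY_Y)).decode()
```

parse_pubkey_line(SAMPLE_LINE) reports keytype ssh-dss, 1024 bits and both fingerprint forms; compare the SHA256 value with what the device or ssh-keygen shows before accepting the entry.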
Setting the number of SSH authentication retries
By default, the device attempts to negotiate a connection with the connecting host three times. The number of authentication retries can be changed to between 1 and 5. For example, the following command changes the number of authentication retries to 5.

Setting the SSH port number
By default, SSH traffic occurs on TCP port 22. You can change this port number. For example, the following command changes the SSH port number to 2200.
PowerConnect(config)# ip ssh port 2200
Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port. Also, do not assign SSH to a port that is used by another service. Changing the port does not by itself restrict who can reach the SSH server; use an ACL for that (see “Filtering SSH access using ACLs”).

Filtering SSH access using ACLs
Example
PowerConnect(config)# interface ethernet 4
PowerConnect(config-if-e10000-4)# ip address 209.157.22.110/24
PowerConnect(config-if-e10000-4)# exit
PowerConnect(config)# ip ssh source-interface ethernet 4
Configuring the maximum idle time for SSH sessions
By default, SSH sessions do not time out. Optionally, you can set the amount of time an SSH session can be inactive before the device closes it.

Displaying SSH connection information
PowerConnect# show ip ssh
Connection  Version  Encryption  Username
1           SSH-2    3des-cbc    Hanuma
2           SSH-2    3des-cbc    Mikaila
3           SSH-2    3des-cbc    Jenny
4           SSH-2    3des-cbc    Mariah
5           SSH-2    3des-cbc    Logan
Syntax: show ip ssh [begin | exclude | include ]
This display shows the following information about the active SSH connections.
TABLE 145 SSH connection information
This field... | Displays...
Connection | The SSH connection ID.

Using Secure copy with SSH2
Secure Copy (SCP) uses security built into SSH to transfer image and configuration files to and from the device. SCP automatically uses the authentication methods, encryption algorithm, and data compression level configured for SSH. For example, if password authentication is enabled for SSH, the user is prompted for a user name and password before SCP allows a file to be transferred. No additional configuration is required for SCP on top of SSH.

Copying the running config file to an SCP-enabled client
To copy the running configuration file on the device to a file called c:\cfg\fdryrun.cfg on the SCP-enabled client, enter the following command.
C:\> scp terry@192.168.1.50:runConfig c:\cfg\fdryrun.cfg
Copying the startup config file to an SCP-enabled client
To copy the startup configuration file on the device to a file called c:\cfg\fdrystart.cfg on the SCP-enabled client, enter the following command.
Chapter 28 Configuring 802.1X Port Security
IETF RFC support
When a user logs on to a network that uses 802.1X port security, the device grants (or does not grant) access to network services after the user is authenticated by an authentication server. The user-based authentication in 802.1X port security provides an alternative to granting network access based on a user IP address, MAC address, or subnetwork. The Dell implementation of 802.

How 802.1X port security works
Figure 117 illustrates these roles.
FIGURE 117 Authenticator, client/supplicant, and authentication server in an 802.1X configuration
(The figure shows a RADIUS Server acting as Authentication Server, the Switch acting as Authenticator, and the Client/Supplicant.)
Authenticator – The device that controls access to the network. In an 802.1X configuration, the device serves as the Authenticator. The Authenticator passes messages between the Client and the Authentication Server.

EAPOL messages are passed between the Port Access Entity (PAE) on the Supplicant and the Authenticator. Figure 118 shows the relationship between the Authenticator PAE and the Supplicant PAE.
FIGURE 118 Authenticator PAE and supplicant PAE
(The figure shows the Switch (Authenticator) with its Authenticator PAE exchanging RADIUS messages with the Authentication Server and 802.1X EAPOL messages with the Supplicant PAE.)

Controlled and uncontrolled ports
A physical port on the device used with 802.1X port security has two virtual access points: a controlled port and an uncontrolled port. The controlled port provides full access to the network. The uncontrolled port provides access only for EAPOL traffic between the Client and the Authentication Server. When a Client is successfully authenticated, the controlled port is opened to the Client. Figure 119 illustrates this concept.

Message exchange during authentication
Figure 120 illustrates a sample exchange of messages between an 802.1X-enabled Client, a switch acting as Authenticator, and a RADIUS server acting as an Authentication Server.

• EAP-TLS (RFC 2716) – EAP Transport Layer Security (TLS) provides strong security by requiring both client and authentication server to be identified and validated through the use of public key infrastructure (PKI) digital certificates. EAP-TLS establishes a tunnel between the client and the authentication server to protect messages from eavesdropping by unauthorized users.

Authenticating multiple hosts connected to the same port
Devices support 802.1X authentication for ports with more than one host connected to them. Figure 121 illustrates a sample configuration where multiple hosts are connected to a single 802.1X port.
FIGURE 121 Multiple hosts connected to a single 802.1X-enabled port
(The figure shows a RADIUS Server (Authentication Server) at 192.168.9.22, the Switch (Authenticator) with port e1 connected to a hub, and Clients/Supplicants running 802.

5. If authentication for the Client is unsuccessful the first time, multiple attempts to authenticate the client will be made as determined by the attempts variable in the auth-fail-max-attempts command.
• Refer to “Specifying the number of authentication attempts the device makes before dropping packets” on page 950 for information on how to do this.
6.

Configuring 802.1X port security
• Dynamic multiple VLAN assignment for 802.1X ports. Refer to “Dynamic multiple VLAN assignment for 802.1X ports” on page 939.
• Configure a restriction to forward authenticated and unauthenticated tagged and untagged clients to a restricted VLAN.
• Configure an override to send failed dot1x and non-dot1x clients to a restricted VLAN.
• Configure VLAN assignments for clients attempting to gain access through dual-mode ports.
• Enhancements to some show commands.

• “Dynamically applying IP ACLs and MAC filters to 802.1X ports” on page 941
2. Configure the device role as the Authenticator:
• “Enabling 802.1X port security” on page 945
• “Initializing 802.1X on a port” on page 949 (optional)
3.

The host | | parameter is either an IP address or an ASCII text string. The dot1x parameter indicates that this RADIUS server supports the 802.1X standard. A RADIUS server that supports the 802.1X standard can also be used to authenticate non-802.1X authentication requests.
NOTE To implement 802.1X port security, at least one of the RADIUS servers identified to the device must support the 802.1X standard.

A pass essentially bypasses the authentication process and permits user access to the network. A fail bypasses the authentication process and blocks user access to the network, unless restrict-vlan is configured, in which case the user is placed into a VLAN with restricted or limited access. By default, the device resets the authentication process and retries authenticating the user. Specify the RADIUS timeout action at the Interface level of the CLI.

Syntax: [no] dot1x auth-fail-action restrict-vlan []
Syntax: [no] dot1x auth-timeout-action failure
Send a failed Dot1X client to a restricted VLAN
In Figure 122, a VoIP phone sends both tagged and untagged traffic to dual-mode port e 3. Assuming the VoIP phone is authenticated to a voice VLAN as tagged, a MAC session for the VoIP phone is learned on the voice VLAN.

Configuring dynamic VLAN assignment for 802.1X ports
When a client successfully completes the EAP authentication process, the Authentication Server (the RADIUS server) sends the Authenticator (the Dell device) a RADIUS Access-Accept message that grants the client access to the network. The RADIUS Access-Accept message contains attributes set for the user in the user's access profile on the RADIUS server.

The show interface command displays the VLAN to which an 802.1X-enabled port has been dynamically assigned, as well as the port from which it was moved (that is, the port default VLAN). Refer to “Displaying dynamically assigned VLAN information” on page 957 for sample output indicating the port dynamically assigned VLAN.
Dynamic multiple VLAN assignment for 802.

"U:10;T:12;T:marketing"
When the RADIUS server returns a value specifying both untagged and tagged VLAN IDs, the port becomes a dual-mode port, accepting and transmitting both tagged traffic and untagged traffic at the same time. A dual-mode port transmits only untagged traffic on its default VLAN (PVID) and only tagged traffic on all other VLANs.

• If the RADIUS Access-Accept message does not contain any VLAN information, the Client dot1x-mac-session is set to “access-is-allowed”. If the port is already in a RADIUS-specified VLAN, it remains in that VLAN.
Using dynamic VLAN assignment with the MAC port security feature
MAC port security allows the Dell device to learn a limited number of “secure” MAC addresses on an interface.
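The VLAN rules above (a single VLAN ID or name that replaces the PVID, a "U:...;T:..." string that turns the port into a dual-mode port, and no VLAN information meaning "access-is-allowed") are compact enough to check in code. The following Python is an added example, not Dell's code: it interprets the VLAN attributes of an Access-Accept the way the text describes. The configured-VLAN table, the attribute names (RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, which is the usual carrier for this value) and the refusal of a VLAN that is both untagged and tagged on one port are assumptions made for the example.

```python
"""Interpret RADIUS Access-Accept VLAN information for an 802.1X client as
described in the dynamic VLAN assignment section.  Added example, not
Dell's code."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed VLAN table standing in for what is configured on the switch.
CONFIGURED_VLANS = {10: "guest", 12: "voice", 20: "marketing", 30: "eng"}

# RFC 2868 values that identify an 802 VLAN assignment.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type (attribute 64) = VLAN
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type (attribute 65) = IEEE-802


@dataclass
class VlanDecision:
    untagged: Optional[int] = None            # new PVID, if any
    tagged: Set[int] = field(default_factory=set)
    dual_mode: bool = False
    note: str = "access-is-allowed"


def resolve_vlan(token: str) -> int:
    """A token is a numeric VLAN ID or a VLAN name; both must exist on the device."""
    token = token.strip()
    if token.isdigit():
        vid = int(token)
        if vid not in CONFIGURED_VLANS:
            raise ValueError(f"VLAN {vid} is not configured on the device")
        return vid
    for vid, name in CONFIGURED_VLANS.items():
        if name == token:
            return vid
    raise ValueError(f"VLAN name {token!r} is not configured on the device")


def interpret_access_accept(attrs: dict) -> VlanDecision:
    """attrs maps attribute name -> value as decoded from the Access-Accept."""
    group = attrs.get("Tunnel-Private-Group-ID")
    if group is None:
        # No VLAN information: client marked access-is-allowed, port VLAN unchanged.
        return VlanDecision()
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        raise ValueError("Tunnel-Type/Tunnel-Medium-Type must identify an 802 VLAN")
    if ":" not in group:
        # Single value: the port's PVID is changed to this VLAN.
        return VlanDecision(untagged=resolve_vlan(group), note="pvid-changed")
    decision = VlanDecision(dual_mode=True, note="dual-mode")
    for item in group.split(";"):
        mode, _, value = item.partition(":")
        vid = resolve_vlan(value)
        if mode.strip().upper() == "U":
            if decision.untagged is not None:
                raise ValueError("only one untagged VLAN (the PVID) is allowed")
            decision.untagged = vid
        elif mode.strip().upper() == "T":
            decision.tagged.add(vid)
        else:
            raise ValueError(f"unknown VLAN mode {mode!r}")
    if decision.untagged is not None and decision.untagged in decision.tagged:
        # A dual-mode port carries only untagged traffic on its PVID, so the
        # same VLAN cannot also be one of its tagged VLANs (assumed check).
        raise ValueError("PVID cannot also be a tagged VLAN on a dual-mode port")
    return decision
```

With the value from the text, "U:10;T:12;T:marketing", the result is PVID 10 with tagged VLANs 12 and 20 (marketing resolved by name) and the port marked dual-mode.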
Configuration considerations
The following restrictions apply to dynamic IP ACLs or MAC address filters:
• Inbound dynamic IP ACLs are supported. Outbound dynamic ACLs are not supported.
• Inbound Vendor-Specific attributes are supported. Outbound Vendor-Specific attributes are not supported.
• A maximum of one IP ACL can be configured in the inbound direction on an interface.
• MAC address filters cannot be configured in the outbound direction on an interface.

After you globally disable strict security mode, you can re-enable it by entering the following command.
PowerConnect(config-dot1x)# global-filter-strict-security
Syntax: [no] global-filter-strict-security
To disable strict security mode for a specific interface, enter commands such as the following.

Table 8: Possible values for the filter ID attribute on the RADIUS server, and the ACL or MAC address filter configured on the Dell device
Filter ID attribute value | ACL or MAC address filter configured on the Dell device
mac.2.in | mac filter 2 permit 3333.3333.3333 ffff.ffff.ffff any etype eq 0800
mac.2.in, mac.3.in | mac filter 2 permit 3333.3333.3333 ffff.ffff.ffff any etype eq 0800; mac filter 3 permit 2222.2222.2222 ffff.ffff.ffff any etype eq 0800
Notes
• The value in the Filter ID attribute is case-sensitive.

Table 10: ACL or MAC address filter | Vendor-specific attribute on RADIUS server
MAC address filter with one entry | macfilter.in= deny any any
MAC address filter with two entries | macfilter.in= permit 0000.0000.3333 ffff.ffff.0000 any, macfilter.in= permit 0000.0000.4444 ffff.ffff.0000 any
The RADIUS server allows one instance of the Vendor-Specific attribute to be sent in an Access-Accept message.
Enabling 802.1X port security
By default, 802.
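Tables 8 and 10 show two ways a RADIUS server can hand the switch a filter for an authenticated client: a Filter-Id value that names an ACL or MAC filter already configured on the device, or a Vendor-Specific attribute that carries the MAC filter text inline. The following Python is an added example, not Dell's code, that parses both forms and applies the restrictions listed under Configuration considerations (inbound only, one IP ACL per interface, one Vendor-Specific instance). The "ip.<acl-name>.in" Filter-Id form, the device filter tables and the strict-security behaviour modelled (a reference to a filter that does not exist fails authentication when strict mode is on and is ignored when it is off) are assumptions drawn from the surrounding text, not statements on this page.

```python
"""Decode RADIUS-supplied ACL / MAC filter references for 802.1X clients
(Filter-Id and the macfilter.in= Vendor-Specific form).  Added example,
not Dell's code."""
import re
from typing import Dict, List, Tuple

# Constructed tables standing in for what is configured on the switch.
DEVICE_IP_ACLS = {"Port_3_E_IN"}
DEVICE_MAC_FILTERS = {2, 3}

FILTER_ID_RE = re.compile(r"^(ip|mac)\.([^.]+)\.(in|out)$")


def parse_filter_id(value: str) -> Tuple[str, str, str]:
    """Return (kind, name, direction).  The name is case-sensitive, so it is
    returned untouched rather than normalised."""
    m = FILTER_ID_RE.match(value)
    if not m:
        raise ValueError(f"malformed Filter-Id {value!r}")
    kind, name, direction = m.groups()
    if direction == "out":
        raise ValueError("outbound dynamic filters are not supported")
    if kind == "mac" and not name.isdigit():
        raise ValueError("MAC filter references must use the filter number")
    return kind, name, direction


def parse_vsa_filter(value: str) -> List[str]:
    """Table 10 form: 'macfilter.in= <clause>, macfilter.in= <clause>'.
    Every comma-separated entry repeats the key; clauses come back in order."""
    clauses = []
    for item in value.split(","):
        key, sep, body = item.strip().partition("=")
        if not sep or key.strip() != "macfilter.in":
            raise ValueError(f"unexpected VSA filter entry {item.strip()!r}")
        body = body.strip()
        if body.split()[0] not in ("permit", "deny"):
            raise ValueError(f"clause must start with permit/deny: {body!r}")
        clauses.append(body)
    return clauses


def apply_dynamic_filters(attrs: Dict[str, List[str]], strict: bool = True) -> Dict:
    """Decide what to apply to the port after an Access-Accept.  attrs maps
    attribute name -> list of values.  In strict mode (assumed default) a
    reference to a filter missing from the device fails authentication;
    otherwise the client is admitted without that filter."""
    result = {"ip_acl": None, "mac_filters": [], "inline_mac_filter": None,
              "authorized": True, "reason": ""}
    for fid in attrs.get("Filter-Id", []):
        kind, name, _ = parse_filter_id(fid)
        exists = name in DEVICE_IP_ACLS if kind == "ip" else int(name) in DEVICE_MAC_FILTERS
        if not exists:
            if strict:
                result.update(authorized=False, reason=f"{fid}: filter not configured on device")
                return result
            continue                      # non-strict: admit without the missing filter
        if kind == "ip":
            if result["ip_acl"] is not None:
                result.update(authorized=False, reason="only one inbound IP ACL per interface")
                return result
            result["ip_acl"] = name
        else:
            result["mac_filters"].append(int(name))
    vsas = attrs.get("Vendor-Specific", [])
    if len(vsas) > 1:
        result.update(authorized=False, reason="only one Vendor-Specific filter attribute is allowed")
        return result
    for vsa in vsas:
        result["inline_mac_filter"] = parse_vsa_filter(vsa)
    return result
```

The strict flag is the point to watch: with strict security off, a typo in the RADIUS profile silently admits the client with no filter at all, which is why the device defaults to strict mode.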
By default, all controlled ports on the device are in the authorized state, allowing all traffic. When you activate authentication on an 802.1X-enabled interface, its controlled port is placed in the unauthorized state. When a Client connected to the interface is successfully authenticated, the controlled port is then placed in the authorized state. The controlled port remains in the authorized state until the Client logs off. To activate authentication on an 802.

Syntax: [no] timeout re-authperiod
The re-authentication interval is a global setting, applicable to all 802.1X-enabled interfaces. To re-authenticate Clients connected to a specific port manually, use the dot1x re-authenticate command. Refer to “Re-authenticating a port manually”, below.
Re-authenticating a port manually
When periodic re-authentication is enabled, by default the Dell device re-authenticates Clients connected to an 802.

For example, to cause the Dell device to wait 60 seconds before retransmitting an EAP-request/identity frame to a Client, enter the following command.
PowerConnect(config-dot1x)# timeout tx-period 60
If the Client does not send back an EAP-response/identity frame within 60 seconds, the device will transmit another EAP-request/identity frame.
Syntax: [no] timeout tx-period
where is a value from 1 – 4294967295. The default is 30 seconds.

Syntax: supptimeout
is a number from 1 – 4294967295 seconds. The default is 30 seconds.
Setting the maximum number of EAP frame retransmissions
You can optionally specify the number of times the Dell device will retransmit the EAP-request frame. You can specify between 1 – 10 frame retransmissions. For example, to configure the device to retransmit an EAP-request frame to a Client a maximum of three times, enter the following command.

• Specify the authentication-failure action
• Specify the number of authentication attempts the device makes before dropping packets
• Disable aging for dot1x-mac-sessions
• Configure aging time for blocked Clients
• Clear the dot1x-mac-session for a MAC address
Specifying the authentication-failure action
In an 802.

You can optionally disable aging of the permitted or denied dot1x-mac-sessions, or both, on the Dell device. To disable aging of the permitted dot1x-mac-sessions, enter the following command.
PowerConnect(config-dot1x)# mac-session-aging no-aging permitted-mac-only
Syntax: [no] mac-session-aging no-aging permitted-mac-only
To disable aging of the denied dot1x-mac-sessions, enter the following command.

Configuring VLAN access for non-EAP-capable clients
You can configure the Dell device to grant "guest" or restricted VLAN access to clients that do not support EAP (the Extensible Authentication Protocol). The restricted VLAN limits access to the network or applications, instead of blocking access to these services altogether.

Displaying 802.1X information
You can display the following 802.1X-related information:
• The 802.1X configuration on the device and on individual ports
• Statistics about the EAPOL frames passing through the device
• 802.1X-enabled ports dynamically assigned to a VLAN
• User-defined and dynamically applied MAC filters and IP ACLs currently active on the device
• The 802.1X multiple-host configuration
Displaying 802.

TABLE 146 Output from the show dot1x command (Continued)
This field... | Displays...
tx-period | When a Client does not send back an EAP-response/identity frame, the amount of time the Dell device waits before retransmitting the EAP-request/identity frame to a Client (default 30 seconds). Refer to “Setting the wait interval for EAP frame retransmissions” on page 947 for information on how to change this setting.

TABLE 147 Output from the show dot1x config command for an interface
This field... | Displays...
Authenticator PAE state | The current status of the Authenticator PAE state machine. This can be INITIALIZE, DISCONNECTED, CONNECTING, AUTHENTICATING, AUTHENTICATED, ABORTING, HELD, FORCE_AUTH, or FORCE_UNAUTH.

PowerConnect# show dot1x statistics e 3
Port 3 Statistics:
RX EAPOL Start: 0
RX EAPOL Logoff: 0
RX EAPOL Invalid: 0
RX EAPOL Total: 0
RX EAP Resp/Id: 0
RX EAP Resp other than Resp/Id: 0
RX EAP Length Error: 0
Last EAPOL Version: 0
Last EAPOL Source: 0007.9550.0B83
TX EAPOL Total: 217
TX EAP Req/Id: 163
TX EAP Req other than Req/Id: 0
Syntax: show dot1x statistics ethernet
The parameter is a valid port number.
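The counters in the show dot1x statistics output above are derived directly from the EAPOL header (EtherType 0x888E: version, packet type, body length) and, for EAP-Packet frames, the EAP header (code, identifier, length, type). The following Python is an added example, not Dell's code: it parses constructed EAPOL frames and maintains the receive-side counters with the same names as the display, including the "Invalid" and "Length Error" cases for truncated frames. The sample frames and the choice of which malformed cases count as invalid are constructed for the example.

```python
"""EAPOL / EAP header parser with the receive counters reported by
'show dot1x statistics'.  Added example, not Dell's code."""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")


def build_eapol(src: bytes, ptype: int, version: int = 1, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header (version, type, body length) + body."""
    return PAE_GROUP_ADDRESS + src + struct.pack(">HBBH", ETHERTYPE_EAPOL, version, ptype, len(body)) + body


def build_eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    payload = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack(">BBH", EAP_RESPONSE, eap_id, 4 + len(payload)) + payload


class Dot1xPortStats:
    def __init__(self):
        self.counters = {k: 0 for k in (
            "rx_start", "rx_logoff", "rx_invalid", "rx_total",
            "rx_resp_id", "rx_resp_other", "rx_eap_length_error")}
        self.last_version = 0
        self.last_source = None

    def receive(self, frame: bytes):
        c = self.counters
        if len(frame) < 14:
            return                                # not even an Ethernet header
        (ethertype,) = struct.unpack(">H", frame[12:14])
        if ethertype != ETHERTYPE_EAPOL:
            return                                # not EAPOL: not counted here
        c["rx_total"] += 1
        if len(frame) < 18:
            c["rx_invalid"] += 1                  # EAPOL header incomplete
            return
        version, ptype, length = struct.unpack(">BBH", frame[14:18])
        self.last_version = version
        self.last_source = frame[6:12].hex()
        body = frame[18:18 + length]
        if len(body) < length:
            c["rx_invalid"] += 1                  # body shorter than declared
            return
        if ptype == EAPOL_START:
            c["rx_start"] += 1
        elif ptype == EAPOL_LOGOFF:
            c["rx_logoff"] += 1
        elif ptype == EAPOL_EAP_PACKET:
            self._receive_eap(body)
        else:
            c["rx_invalid"] += 1                  # Key / ASF-Alert / unknown types

    def _receive_eap(self, body: bytes):
        c = self.counters
        if len(body) < 4:
            c["rx_eap_length_error"] += 1
            return
        code, _eap_id, eap_len = struct.unpack(">BBH", body[:4])
        if eap_len < 4 or eap_len > len(body):
            c["rx_eap_length_error"] += 1         # EAP length disagrees with frame
            return
        if code == EAP_RESPONSE:
            if eap_len >= 5 and body[4] == EAP_TYPE_IDENTITY:
                c["rx_resp_id"] += 1
            else:
                c["rx_resp_other"] += 1


# Constructed sample: the supplicant MAC from the display above.
SAMPLE_SRC = bytes.fromhex("000795500b83")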
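```

Feed build_eapol(SAMPLE_SRC, EAPOL_START), an EAP-Packet carrying build_eap_response_identity(1, b"alice"), and a truncated copy of the latter through one Dot1xPortStats instance and the counters line up with the display fields: one Start, one Resp/Id, one Invalid, three Total.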
Syntax: clear dot1x statistics all
To clear the 802.1X statistics counters on interface e 11, enter the following command.
PowerConnect# clear dot1x statistics e 11
Syntax: clear dot1x statistics ethernet
The parameter is a valid port number.
Displaying dynamically assigned VLAN information
The show interface command displays the VLAN to which an 802.

If the VLAN name supplied by the RADIUS server corresponds to a statically configured VLAN, the output indicates that the port is a member of the VLAN to which it was dynamically assigned through 802.1X. If you then enter the write memory command, the VLAN to which the port is currently assigned becomes the port default VLAN in the device configuration.

PowerConnect# show dot1x ip-ACL e 3
Port 3 IP ACL information:
802.1X dynamic IP ACL (user defined) in: ip access-list extended Port_3_E_IN in
Port default IP ACL in: No inbound ip access-list is set
802.1X dynamic IP ACL (user defined) out: ip access-list extended Port_3_E_OUT out
Port default IP ACL out: No outbound ip access-list is set
Syntax: show dot1x ip-ACL all | ethernet
The all keyword displays all dynamically applied IP ACLs active on the device.

Table 149 describes the bold fields in the display.
TABLE 149 Output from the show dot1x command for multiple host authentication
This field... | Displays...
Authentication-fail-action | The configured authentication-failure action. This can be Restricted VLAN or Block Traffic.
Authentication Failure VLAN | If the authentication-failure action is Restricted VLAN, the ID of the VLAN to which unsuccessfully authenticated Client ports are assigned.

TABLE 150 Output from the show dot1x config command (Continued)
This field... | Displays...
Original PVID | The originally configured (not dynamically assigned) PVID for the port.
PVID mac total | The number of devices transmitting untagged traffic on the port PVID.
PVID mac authorized | The number of devices transmitting untagged traffic on the port PVID as a result of dynamic VLAN assignment.
num mac sessions | The number of dot1x-mac-sessions on the port.

TABLE 151 Output from the show dot1x mac-session command (Continued)
This field... | Displays...
Age | The software age of the dot1x-mac-session.
PAE State | The current status of the Authenticator PAE state machine. This can be INITIALIZE, DISCONNECTED, CONNECTING, AUTHENTICATING, AUTHENTICATED, ABORTING, HELD, FORCE_AUTH, or FORCE_UNAUTH.

TABLE 152 Output from the show dot1x mac-session brief command (Continued)
This field... | Displays...
Dynamic VLAN | Whether the port is a member of a RADIUS-specified VLAN.
Dynamic Filters | Whether RADIUS-specified IP ACLs or MAC address filters have been applied to the port.
Sample 802.1X configurations
This section illustrates a sample point-to-point configuration and a sample hub configuration that use 802.1X port security.

PowerConnect(config)# interface e 1
PowerConnect(config-if-e10000-1)# dot1x port-control auto
PowerConnect(config-if-e10000-1)# exit
PowerConnect(config)# interface e 2
PowerConnect(config-if-e10000-2)# dot1x port-control auto
PowerConnect(config-if-e10000-2)# exit
PowerConnect(config)# interface e 3
PowerConnect(config-if-e10000-3)# dot1x port-control auto
PowerConnect(config-if-e10000-3)# exit
Hub configuration
Figure 124 illustrates a configuration where three 802.

PowerConnect(config)# interface e 1
PowerConnect(config-if-e10000-1)# dot1x port-control auto
PowerConnect(config-if-e10000-1)# dot1x multiple-hosts
PowerConnect(config-if-e10000-1)# exit
802.1X Authentication with dynamic VLAN assignment
Figure 125 illustrates 802.1X authentication with dynamic VLAN assignment. In this configuration, two user PCs are connected to a hub, which is connected to port e2. Port e2 is configured as a dual-mode port.

Using multi-device port authentication and 802.1X security on the same port
The part of the running-config related to 802.1X authentication would be as follows.

1. Multi-device port authentication is performed on the device to authenticate the device MAC address.
2. If multi-device port authentication is successful for the device, then the Dell device checks whether the RADIUS server included the Foundry-802_1x-enable VSA (described in Table 153) in the Access-Accept message that authenticated the device.
3.

TABLE 153 Dell vendor-specific attributes for RADIUS
Attribute Name | Attribute ID | Data Type | Description
Foundry-802_1x-enable | 6 | integer | Specifies whether 802.1X authentication is performed when multi-device port authentication is successful for a device. This attribute can be set to one of the following:
0 Do not perform 802.1X authentication on a device that passes multi-device port authentication.
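Both the three command-authorization VSAs in the RADIUS chapter (Vendor-ID 1991) and Foundry-802_1x-enable in Table 153 travel inside RADIUS attribute type 26 (Vendor-Specific, RFC 2865 section 5.26): the attribute carries the 4-byte Vendor-Id followed by a vendor-type, vendor-length and data. The following Python is an added example, not Dell's code, that encodes and decodes such attributes for Vendor-ID 1991 and derives the Table 153 decision from a decoded Access-Accept. Only the number 6 for Foundry-802_1x-enable comes from this page; the other names and numbers in the dictionary below are assumptions to be checked against the RADIUS dictionary shipped for the device, and what the device does when the VSA is absent is not stated on this page, so the helper returns None in that case.

```python
"""RADIUS Vendor-Specific attribute (type 26) encoder/decoder for Vendor-ID
1991 and the Foundry-802_1x-enable decision.  Added example, not Dell's code."""
import struct
from typing import List, Optional, Tuple, Union

VENDOR_ID_FOUNDRY = 1991
ATTR_VENDOR_SPECIFIC = 26

# Constructed dictionary: name -> (vendor-type, data type).  Only the number
# for Foundry-802_1x-enable (6) is taken from Table 153; the rest are assumed.
VSA_DICTIONARY = {
    "Foundry-Privilege-Level": (1, "integer"),          # assumed number
    "Foundry-Command-String": (2, "string"),            # assumed number
    "Foundry-Command-Exception-Flag": (3, "integer"),   # assumed number
    "Foundry-802_1x-enable": (6, "integer"),
}
_BY_NUMBER = {num: (name, kind) for name, (num, kind) in VSA_DICTIONARY.items()}


def encode_vsa(name: str, value: Union[int, str]) -> bytes:
    """One attribute: Type=26, Length, Vendor-Id(4), then the vendor
    sub-attribute Vendor-Type(1), Vendor-Length(1), data."""
    vtype, kind = VSA_DICTIONARY[name]
    data = struct.pack(">I", value) if kind == "integer" else str(value).encode()
    if kind == "string" and not 1 <= len(data) <= 247:
        raise ValueError("string VSA data must be 1..247 bytes")
    sub = struct.pack(">BB", vtype, 2 + len(data)) + data
    return struct.pack(">BBI", ATTR_VENDOR_SPECIFIC, 6 + len(sub), VENDOR_ID_FOUNDRY) + sub


def decode_attributes(blob: bytes) -> List[Tuple[str, object]]:
    """Walk a RADIUS attribute list.  Foundry VSAs come back decoded by name;
    other attributes and other vendors' VSAs come back with raw bytes."""
    out, pos = [], 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("attribute length runs past end of packet")
        body = blob[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC:
            out.append((f"attr-{atype}", body))
            continue
        (vendor,) = struct.unpack(">I", body[:4])
        if vendor != VENDOR_ID_FOUNDRY:
            out.append((f"vsa-vendor-{vendor}", body[4:]))
            continue
        sub, spos = body[4:], 0
        while spos < len(sub):                 # one VSA may hold several sub-attributes
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("vendor sub-attribute length is invalid")
            data = sub[spos + 2:spos + vlen]
            spos += vlen
            name, kind = _BY_NUMBER.get(vtype, (f"Foundry-{vtype}", "octets"))
            if kind == "integer" and len(data) == 4:
                out.append((name, struct.unpack(">I", data)[0]))
            elif kind == "string":
                out.append((name, data.decode(errors="replace")))
            else:
                out.append((name, data))
    return out


def dot1x_after_mac_auth(attrs: List[Tuple[str, object]]) -> Optional[bool]:
    """Table 153: after a successful multi-device port authentication, a
    Foundry-802_1x-enable of 0 skips 802.1X and a non-zero value runs it.
    Returns None when the VSA is absent (device default, not stated here)."""
    for name, value in attrs:
        if name == "Foundry-802_1x-enable":
            return value != 0
    return None
```

The decoder deliberately checks every length field before slicing; a RADIUS attribute list with a bad length is the classic parser pitfall on the server side of this exchange.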
NOTE This example assumes that the IP phone initially transmits untagged packets (for example, CDP or DHCP packets), which trigger the authentication process on the Dell device and client lookup on the RADIUS server. If the phone sends only tagged packets and the port (e 3) is not a member of that VLAN, authentication would not occur. In this case, port e 3 must be added to that VLAN prior to authentication.

When User 1 attempts to connect to the network from the PC, he is subject to 802.1X authentication. If User 1 is successfully authenticated, the Access-Accept message from the RADIUS server specifies that the PVID for the User 1 port be changed to the VLAN named “User-VLAN”, which is VLAN 3. If 802.

Figure 127 shows a configuration where multi-device port authentication is performed for an IP phone, and 802.1X authentication is performed for a user PC. There is a profile on the RADIUS server for the IP phone MAC address, but not for the PC MAC address.
FIGURE 127 802.1X Authentication is performed when a device fails multi-device port authentication
(The figure shows the user PC with MAC address 0050.048e.

Chapter 29 Using the MAC Port Security Feature
This chapter describes how to configure devices to learn “secure” MAC addresses on an interface so that the interface will forward only packets that match the secure addresses.
Overview
You can configure the device to learn “secure” MAC addresses on an interface. The interface will forward only packets with source MAC addresses that match these learned secure addresses.

Configuring the MAC port security feature
Configuration notes and feature limitations
The following limitations apply to this feature:
• MAC port security applies only to Ethernet interfaces.
• MAC port security is not supported on static trunk group members or ports that are configured for link aggregation.
• MAC port security is not supported on 802.1X port security-enabled ports.

Setting the maximum number of secure MAC addresses for an interface
When port security is enabled, an interface can store one secure MAC address. You can increase the number of MAC addresses that can be stored to a maximum of 64, plus the total number of global resources available. For example, to configure interface 11 to have a maximum of 10 secure MAC addresses, enter the following commands.

On a tagged interface
When specifying a secure MAC address on a tagged interface, you must also specify the VLAN ID. To do so, enter commands such as the following.
PowerConnect(config)# int e 11
PowerConnect(config-if-e10000-11)# port security
PowerConnect(config-port-security-e10000-11)# secure-mac-address 0050.DA18.

Dropping packets from a violating address
To configure the device to drop packets from a violating address and allow packets from secure addresses, enter the following commands.
PowerConnect(config)# int e 11
PowerConnect(config-if-e10000-11)# port security
PowerConnect(config-port-security-e10000-11)# violation restrict
Syntax: violation restrict
NOTE When the restrict option is used, the maximum number of MAC addresses that can be restricted is 128.
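The behaviour this chapter configures (a per-interface table of up to a configured number of secure MAC addresses, static or learned; forwarding only from those addresses; and either shutting the port down or restricting the offending address on a violation, with at most 128 restricted addresses) can be stated as a small model that shows what each frame does to the port. The following Python is an added example, not Dell's code. The frame representation, the per-interface limit of 64 (the additional global resources the text mentions are not modelled) and the choice to treat the 129th restricted address as a shutdown are assumptions made for the example; the tagged-interface case keys entries on (MAC, VLAN ID) as the text requires.

```python
"""Model of MAC port security: secure address table, learning, and the
shutdown / restrict violation actions.  Added example, not Dell's code."""
from typing import Optional, Set, Tuple

MacKey = Tuple[str, Optional[int]]    # (mac, vlan-id on tagged interfaces, else None)


def canon_mac(mac: str) -> str:
    """Accept 0050.DA18.747C, 00:50:da:18:74:7c or 0050da18747c; return xxxx.xxxx.xxxx."""
    h = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(h) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


class SecurePort:
    RESTRICT_LIMIT = 128              # from the NOTE: at most 128 restricted addresses

    def __init__(self, name: str, maximum: int = 1, violation: str = "shutdown", tagged: bool = False):
        if violation not in ("shutdown", "restrict"):
            raise ValueError("violation must be 'shutdown' or 'restrict'")
        if not 1 <= maximum <= 64:    # per-interface limit; global resources not modelled
            raise ValueError("maximum secure addresses is 1..64 per interface")
        self.name, self.maximum, self.violation, self.tagged = name, maximum, violation, tagged
        self.secure: Set[MacKey] = set()
        self.restricted: Set[MacKey] = set()
        self.shutdown = False
        self.violations = 0

    def _key(self, mac: str, vlan: Optional[int]) -> MacKey:
        if self.tagged and vlan is None:
            raise ValueError("a VLAN ID is required on a tagged interface")
        return (canon_mac(mac), vlan if self.tagged else None)

    def add_secure(self, mac: str, vlan: Optional[int] = None) -> None:
        """Static secure-mac-address entry."""
        key = self._key(mac, vlan)
        if key not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("secure address table is full; raise the maximum first")
        self.secure.add(key)

    def receive(self, src_mac: str, vlan: Optional[int] = None) -> str:
        """Return 'forward', 'drop' or 'shutdown' for a frame from src_mac."""
        if self.shutdown:
            return "shutdown"
        key = self._key(src_mac, vlan)
        if key in self.secure:
            return "forward"
        if key in self.restricted:
            return "drop"                         # already restricted, no new violation
        if len(self.secure) < self.maximum:
            self.secure.add(key)                  # dynamic learning fills free slots
            return "forward"
        # Table full and the source is unknown: a violation.
        self.violations += 1
        if self.violation == "shutdown" or len(self.restricted) >= self.RESTRICT_LIMIT:
            self.shutdown = True                  # beyond 128: assumed hard failure
            return "shutdown"
        self.restricted.add(key)
        return "drop"

    def clear_restricted(self) -> int:
        """clear port security restricted-macs for this port; returns the count cleared."""
        n = len(self.restricted)
        self.restricted.clear()
        return n
```

A port with maximum 2 and violation restrict learns the first two source addresses, drops a third without disabling the port, and keeps dropping that address (without counting another violation) until clear_restricted is run.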
29 Clearing port security statistics Clearing port security statistics You can clear restricted MAC addresses and violation statistics from ports globally (on all ports) or on individual ports. Clearing restricted MAC addresses To clear all restricted MAC addresses globally, enter the following command. PowerConnect#clear port security restricted-macs all To clear restricted MAC addresses on a specific port, enter a command such as the following.
The parameter is a valid port number.

TABLE 154 Output from the show port security command
This field...   Displays...
Port            The port number of the interface.
Security        Whether the port security feature has been enabled on the interface.
Violation       The action to be undertaken when a security violation occurs, either “shutdown” or “restrict”.
The parameter is a valid port number.

TABLE 156 Output from the show port security statistics command
This field...   Displays...
Port            The port number of the interface.
Total-Addrs     The total number of secure MAC addresses on the interface.
Maximum-Addrs   The maximum number of secure MAC addresses on the interface.
Violation       The number of security violations on the port.
Chapter 30 Configuring Multi-Device Port Authentication

Multi-device port authentication is a way to configure a device to forward or block traffic from a MAC address based on information received from a RADIUS server.

How multi-device port authentication works
traffic from this MAC address is encountered on a MAC-authentication-enabled interface, the device sends the RADIUS server an Access-Request message with 0007e90feaa1 as both the username and password. The format of the MAC address sent to the RADIUS server is configurable through the CLI.
Support for dynamic VLAN assignment

The multi-device port authentication feature supports dynamic VLAN assignment, where a port can be placed in one or more VLANs based on the MAC address learned on that interface. For details about this feature, refer to “Configuring the RADIUS server to support dynamic VLAN assignment” on page 989.
4. If the Foundry-802_1x-enable VSA is present in the Access-Accept message, and is set to 0, then 802.1X authentication is skipped. The device is authenticated, and any dynamic VLANs specified in the Access-Accept message returned during multi-device port authentication are applied to the port.
5. If 802.
If neither of these VSAs exists in a device profile on the RADIUS server, then by default the device is subject to multi-device port authentication (if configured), then 802.1X authentication (if configured). The RADIUS record can be used for both multi-device port authentication and 802.1X authentication.
The all option enables the feature on all interfaces at once. You can enable the feature on an interface at the interface CONFIG level.

Example
PowerConnect(config)# interface e 1
PowerConnect(config-if-e10000-1)# mac-authentication enable

Syntax: [no] mac-authentication enable

You can also configure multi-device port authentication commands on a range of interfaces.
The command above applies globally to all MAC-authentication-enabled interfaces. Note that the restricted VLAN must already exist on the device. You cannot configure the restricted VLAN to be a non-existent VLAN. If the port is a tagged or dual-mode port, you cannot use a restricted VLAN as the authentication-failure action. To configure the device to drop traffic from non-authenticated MAC addresses in hardware, enter commands such as the following.
Configuring dynamic VLAN assignment

An interface can be dynamically assigned to one or more VLANs based on the MAC address learned on that interface. When a MAC address is successfully authenticated, the RADIUS server sends the Dell device a RADIUS Access-Accept message that allows the Dell device to forward traffic from that MAC address.
• For tagged or dual-mode ports, if the VLAN ID provided by the RADIUS server does not match the VLAN ID in the tagged packet that contains the authenticated MAC address as its source address, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.
You can optionally specify an alternate VLAN to which to move the port when the MAC session for the address is deleted. For example, to place the port in the restricted VLAN, enter commands such as the following.
The dynamic IP ACL is active as long as the client is connected to the network. When the client disconnects from the network, the IP ACL is no longer applied to the port. If an IP ACL had been applied to the port prior to multi-device port authentication, it will be re-applied to the port. The device uses information in the Filter ID to apply an IP ACL on a per-user basis.
Configuring the RADIUS server to support dynamic IP ACLs

When a port is authenticated using multi-device port authentication, an IP ACL filter that exists in the running-config file on the device can be dynamically applied to the port. To do this, you configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the name or number of the IP ACL.
PowerConnect(config)# interface e 1
PowerConnect(config-if-e10000-1)# mac-authentication dos-protection enable

To specify a maximum rate for RADIUS authentication attempts, enter commands such as the following.
• Non-authenticated MAC addresses that are blocked by the device are aged out if no traffic is received from the address over a fixed hardware aging period (70 seconds), plus a configurable software aging period. (Refer to the next section for more information on configuring the software aging period.)

You can optionally disable aging for MAC addresses subject to authentication, either for all MAC addresses or for those learned on a specified interface.
PowerConnect(config)# mac-authentication hw-deny-age 10

Syntax: [no] mac-authentication hw-deny-age

The parameter is a value from 1 to 65535 seconds. The default is 70 seconds.

Specifying the aging time for blocked MAC addresses

When the Dell device is configured to drop traffic from non-authenticated MAC addresses, traffic from the blocked MAC addresses is dropped in hardware, without being sent to the CPU.
PowerConnect(config)# interface ethernet 3
PowerConnect(config-if-e100-3)# mac-authentication auth-timeout-action success

Syntax: [no] mac-authentication auth-timeout-action success

Once the success timeout action is enabled, use the no form of the command to reset the RADIUS timeout behavior to retry.
Syntax: [no] mac-authentication password-override

where can have up to 32 alphanumeric characters, but cannot include blank spaces.

Limiting the number of authenticated MAC addresses

You cannot enable MAC port security on the same port that has multi-device port authentication enabled. To simulate the function of MAC port security, you can enter a command such as the following.
TABLE 159 Output from the show authenticated-mac-address command (Continued)
This field...    Displays...
Accepted MACs    The number of MAC addresses that have been successfully authenticated.
Rejected MACs    The number of MAC addresses for which authentication has failed.
Attempted-MACs   The rate at which authentication attempts are made for MAC addresses.
PowerConnect# show auth-mac-address 0007.e90f.eaa1
------------------------------------------------------------------------------
MAC/IP Address   Port   Vlan   Authenticated   Time   Age   CAM Index
------------------------------------------------------------------------------
0007.e90f.eaa1 : 25.25.25.
PowerConnect# show auth-mac-addresses unauthorized-mac
------------------------------------------------------------------------------
MAC Address      Port   Vlan   Authenticated   Time           Age   dot1x
------------------------------------------------------------------------------
000f.ed00.0321   1      87     No              00d01h03m17s   H44   Ena
000f.ed00.0259   1      87     No              00d01h03m17s   H44   Ena
000f.ed00.0385   1      87     No              00d01h03m17s   H44   Ena
000f.ed00.02bd   1      87     No              00d01h03m17s   H44   Ena
000f.ed00.
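As an added example (not code from the Dell guide), the following Python parses the show auth-mac-addresses display above into records and counts non-authenticated addresses per port, which is what an operator would feed into monitoring. It also normalizes a MAC into the 12-hex-digit form the guide says the switch sends to RADIUS as username and password (0007e90feaa1). The sample output, column order and the extra authenticated row are constructed assumptions modelled on the guide's display.

```python
"""Parse 'show auth-mac-addresses' output and summarise unauthenticated MACs.

Added example, not from the Dell guide. The sample display, its column order
(MAC Address, Port, Vlan, Authenticated, Time, Age, dot1x) and the last row
are constructed to resemble the guide's example output.
"""
import re
from collections import Counter

# Constructed sample output (modelled on the guide's display)
SAMPLE_OUTPUT = """\
PowerConnect# show auth-mac-addresses unauthorized-mac
------------------------------------------------------------------------------
MAC Address      Port   Vlan   Authenticated   Time           Age   dot1x
------------------------------------------------------------------------------
000f.ed00.0321   1      87     No              00d01h03m17s   H44   Ena
000f.ed00.0259   1      87     No              00d01h03m17s   H44   Ena
000f.ed00.0385   2      87     No              00d01h03m17s   H44   Ena
0007.e90f.eaa1   3      10     Yes             00d02h15m00s   S12   Dis
"""

# One table row: dotted-quad MAC, port, vlan, Yes/No, time, age, Ena/Dis
ROW_RE = re.compile(
    r"^(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<port>\d+)\s+(?P<vlan>\d+)\s+(?P<auth>Yes|No)\s+"
    r"(?P<time>\S+)\s+(?P<age>\S+)\s+(?P<dot1x>Ena|Dis)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Return the 12-hex-digit form (e.g. 0007e90feaa1) that the guide shows
    the switch sending to RADIUS; accepts dotted, colon or dash notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def parse_auth_mac_table(text: str) -> list[dict]:
    """Turn the CLI display into a list of dicts, skipping banner/dash lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "mac": normalize_mac(m["mac"]),
            "port": int(m["port"]),
            "vlan": int(m["vlan"]),
            "authenticated": m["auth"] == "Yes",
            "time": m["time"],
            "age": m["age"],
            "dot1x": m["dot1x"] == "Ena",
        })
    return rows


def unauthenticated_per_port(rows: list[dict]) -> Counter:
    """Count non-authenticated MACs per port; a sudden rise on one port is
    the signal an operator would alert on."""
    return Counter(r["port"] for r in rows if not r["authenticated"])


if __name__ == "__main__":
    parsed = parse_auth_mac_table(SAMPLE_OUTPUT)
    for port, n in sorted(unauthenticated_per_port(parsed).items()):
        print(f"port {port}: {n} unauthenticated MAC(s)")
```

The regex anchors on the dotted MAC column so the prompt, header and dash lines are skipped without special-casing them.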
Displaying multi-device port authentication settings and authenticated MAC addresses

To display the multi-device port authentication settings and authenticated MAC addresses for a port where the feature is enabled, enter the following command.

Syntax: show auth-mac-address [detail] [ethernet ]

The parameter is a valid port number.
TABLE 163 Output from the show auth-mac-addresses detailed command (Continued)
This field...                Displays...
RADIUS failure action        What happens to traffic from a MAC address for which RADIUS authentication has failed: either block the traffic or assign the MAC address to a restricted VLAN.
Failure restrict use dot1x   Indicates if 802.1x traffic that failed multi-device port authentication, but succeeded 802.
TABLE 163 Output from the show auth-mac-addresses detailed command (Continued)
This field...               Displays...
Dynamic ACL applied         Indicates whether a dynamic ACL was applied to this port.
num Dynamic Tagged Vlan     The number of dynamically tagged VLANs on this port.
Dynamic Tagged Vlan list    The list of dynamically tagged VLANs on this port.
Chapter 31 Protecting Against Denial of Service Attacks

This chapter explains how to protect your devices from Denial of Service (DoS) attacks. In a Denial of Service (DoS) attack, a router is flooded with useless packets, hindering normal operation. Devices include measures for defending against two types of DoS attacks: Smurf attacks and TCP SYN attacks.
Protecting against Smurf attacks

To avoid being an intermediary in a Smurf attack, make sure forwarding of directed broadcasts is disabled on the device. Directed broadcast forwarding is disabled by default. To disable directed broadcast forwarding, do one of the following.
• ICMP DoS attack protection considers packets marked as drop by port-based ingress rate limiting. In this case, even if the port-based ingress rate limiting reduces the packet-per-byte rate, the DoS attack is still detected using the actual ingress packet-per-byte rate on a port.

NOTE: If you configure both DoS attack protection and an ACL or MAC filter, the DoS attack statistics for dropped ICMP or TCP SYN packets increment even if the ACL or MAC filter denies the traffic.
Syntax: ip tcp burst-normal burst-max lockup

NOTE: This command is available at the global CONFIG level on both Chassis devices and Stackable devices. On Chassis devices, this command is available at the Interface level as well. This command is supported on Ethernet and Layer 3 ATM interfaces.

The PowerConnect B-Series TI24X device supports the following burst-normal, burst-max, and lockup values.
• Blind TCP packet injection attack

The TCP security enhancement is automatically enabled.

Protecting against a blind TCP reset attack using the RST bit

In a blind TCP reset attack using the RST bit, a perpetrator attempts to guess the RST segments in order to prematurely terminate an active TCP session.
PowerConnect# show statistics dos-attack
---------------------------- Local Attack Statistics --------------------------
ICMP Drop Count   ICMP Block Count   SYN Drop Count   SYN Block Count
--------------------------------------------------------
0                 0                  0                0
--------------------------- Transit Attack Statistics -------------------------
Port   ICMP Drop Count   ICMP Block Count   SYN Drop Count   SYN Block Count
-----  --------------------------------------------------------
11     0                 0                  0                0
Synt
Chapter 32 Securing SNMP Access

SNMP overview

SNMP is a set of protocols for managing complex networks. SNMP sends messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters. Chapter 26, “Securing Access to Management Functions” introduced a few methods used to secure SNMP access.
You can configure as many additional read-only and read-write community strings as you need. The number of strings you can configure depends on the memory on the device. There is no practical limit.

NOTE: If you delete the startup-config file, the device automatically re-adds the default “public” read-only community string the next time you load the software.

Encryption of SNMP community strings

The software automatically encrypts SNMP community strings.
NOTE: If you specify encryption option 1, the software assumes that you are entering the encrypted form of the community string. In this case, the software decrypts the community string you enter before using the value for authentication. If you accidentally enter option 1 followed by the clear-text version of the community string, authentication will fail because the value used by the software will not match the value you intended to use.
PowerConnect# show snmp server
    Contact: Marshall
    Location: Copy Center
    Community(ro): public
    Community(rw): private
Traps
    Cold start: Enable
    Link up: Enable
    Link down: Enable
    Authentication: Enable
    Locked address violation: Enable
    Power supply failure: Enable
    Fan failure: Enable
    Temperature warning: Enable
    STP new root: Enable
    STP topology change: Enable
    ospf: Enable
Total Trap-Receiver Entries: 4
Trap-Receiver IP Address   Community
1   207.95.6.211
2   207.95.5.
Configuring SNMP version 3

Follow the steps given below to configure SNMP version 3 on devices.
1. Enter an engine ID for the management module using the snmp-server engineid command if you will not use the default engine ID. Refer to “Defining the engine id” on page 1015.
2. Create views that will be assigned to SNMP user groups using the snmp-server view command. Refer to “SNMP v3 Configuration examples” on page 1023 for details.
3.
• Octet 5 is always 03 in hexadecimal and indicates that the next set of values represent a MAC address.
• Octets 6 through 11 form the MAC address of the lowest port in the management module.

NOTE: The engine ID must be a unique number among the various SNMP engines in the management domain. Using the default engine ID ensures the uniqueness of the numbers.

Defining an SNMP group

SNMP groups map SNMP users to SNMP views.
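To make the engine ID layout concrete, here is an added Python example (not code from the Dell guide) that decodes an engine ID of the form shown by show snmp engineid into its enterprise number, format octet and embedded MAC address, and checks a list of engine IDs for the duplicates the NOTE warns against. It assumes the RFC 3411 layout: octets 1 to 4 carry the enterprise number with the high bit set, octet 5 is the format (03 = MAC address), octets 6 to 11 are the MAC. The engine IDs used below are the two values shown in this chapter's displays.

```python
"""Decode RFC 3411 style SNMPv3 engine IDs and detect duplicates.

Added example; not from the Dell guide. Layout assumed: octets 1-4 =
enterprise number with high bit set, octet 5 = format (3 means a MAC address
follows), octets 6-11 = MAC. Engine IDs below are from the guide's displays.
"""
import binascii
from collections import Counter

FORMAT_MAC = 3  # RFC 3411: format octet 3 = MAC address follows


def parse_engine_id(hex_id: str) -> dict:
    """Split an engine ID hex string into enterprise, format and MAC/payload."""
    raw = binascii.unhexlify(hex_id.strip())
    if len(raw) < 5:
        raise ValueError("engine ID too short")
    if not raw[0] & 0x80:
        raise ValueError("not an RFC 3411 format engine ID (high bit clear)")
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt = raw[4]
    result = {"enterprise": enterprise, "format": fmt}
    if fmt == FORMAT_MAC:
        if len(raw) != 11:
            raise ValueError("format 3 requires exactly 6 MAC octets")
        result["mac"] = ":".join(f"{b:02x}" for b in raw[5:11])
    else:
        # Other formats (IPv4, IPv6, text, octets, enterprise-specific)
        result["payload"] = raw[5:].hex()
    return result


def duplicate_engine_ids(engine_ids: list[str]) -> set[str]:
    """Return engine IDs that appear more than once (case-insensitive), i.e.
    the uniqueness violation the guide's NOTE warns about."""
    counts = Counter(e.strip().lower() for e in engine_ids)
    return {e for e, n in counts.items() if n > 1}


if __name__ == "__main__":
    # Both IDs appear in the guide's show snmp engineid / show snmp user output
    for eid in ("800007c70300e05290ab60", "800007c70300e052ab0000"):
        print(eid, parse_engine_id(eid))
```

Enterprise 1991 in the decoded output is the Foundry Networks enterprise number carried by these defaults; the MAC octets are what give each management module a distinct default ID.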
NOTE: If you will be using a view other than the "all" view, that view must be configured before creating the user group. Refer to the section “SNMP v3 Configuration examples” on page 1023, especially for details on the include | exclude parameters.

Defining an SNMP user account

The snmp-server user command does the following:
• Creates an SNMP user.
• Defines the group to which the user will be associated.
The encrypted parameter means that the MD5 or SHA password will be a digest value. MD5 has 16 octets in the digest. SHA has 20. The digest string has to be entered as a hexadecimal string. In this case, the agent need not generate any explicit digest. If the encrypted parameter is not used, the user is expected to enter the authentication password string for MD5 or SHA. The agent will convert the password string to a digest, as described in RFC 2574.
NOTE: The snmp-server view command supports the MIB objects as defined in RFC 1445.

Syntax: [no] snmp-server view included | excluded

The parameter can be any alphanumeric name you choose to identify the view. The names cannot contain spaces. The parameter is the name of the MIB object or family.
PowerConnect(config)# snmp-server group admin v3 auth read all write all notify all

Syntax: [no] snmp-server group v1 | v2 | v3 auth | noauth | priv [access ] [read | write | notify ]

The group parameter defines the name of the SNMP group to be created. The v1, v2, or v3 parameter indicates which version of SNMP to use.
For SNMP version 3, enter one of the following depending on the authorization required for the host:
• v3 auth : Allow only authenticated packets.
• v3 no auth : Allow all packets.
• v3 priv : A password is required.

For port , specify the UDP port number on the host that will receive the trap.
Displaying SNMP Information

This section lists the commands for viewing SNMP-related information.

Displaying the Engine ID

To display the engine ID of a management module, enter a command such as the following.

PowerConnect# show snmp engineid
Local SNMP Engine ID: 800007c70300e05290ab60
Engine Boots: 3
Engine time: 5

Syntax: show snmp engineid

The engine ID identifies the source or destination of the packet.
PowerConnect# show snmp user
username = bob
ACL id = 2
group = admin
security model = v3
group ACL id = 0
authtype = md5
authkey = 3aca18d90b8d172760e2dd2e8f59b7fe
privtype = des, privkey = 1088359afb3701730173a6332d406eec
engine ID= 800007c70300e052ab0000

Syntax: show snmp user

Interpreting varbinds in report packets

If an SNMP version 3 request packet is to be rejected by an SNMP agent, the agent sends a report packet that contains one or more varbinds.
More detailed SNMP v3 configuration

PowerConnect(config)# snmp-server view internet internet included
PowerConnect(config)# snmp-server view system system included
PowerConnect(config)# snmp-server community ..... ro
PowerConnect(config)# snmp-server community ..... rw
PowerConnect(config)# snmp-server contact isc-operations
PowerConnect(config)# snmp-server location sdh-pillbox
PowerConnect(config)# snmp-server host 128.91.255.32 .....
Chapter 33 Enabling the Foundry Discovery Protocol and Reading Cisco Discovery Protocol Packets

Using FDP

The Foundry Discovery Protocol (FDP) enables Dell devices to advertise themselves to other devices on the network. When you enable FDP on a device, the device periodically advertises information including the following:
• Hostname (device ID)
• Product platform and capability
• Software version
• VLAN and Layer 3 protocol address information for the port sending the update.
PowerConnect(config-if-1)# no fdp enable

Enable or re-enable FDP by entering commands such as the following:

PowerConnect(config-if-1)# fdp enable

Syntax: [no] fdp enable

Changing the FDP update timer

By default, a device enabled for FDP sends an FDP update every 60 seconds. You can change the update timer to a value from 5 – 900 seconds. To change the FDP update timer, enter a command such as the following at the global CONFIG level of the CLI.
Displaying neighbor information

To display a summary list of all the neighbors that have sent FDP updates to this device, enter the following command.
TABLE 166 Detailed FDP and CDP neighbor information
This line...         Displays...
Device ID            The hostname of the neighbor. In addition, this line lists the VLAN memberships and other VLAN information for the neighbor port that sent the update to this device.
Entry address(es)    The Layer 3 protocol addresses configured on the neighbor port that sent the update to this device. If the neighbor is a Layer 2 Switch, this field lists the management IP address.
This example shows information for Ethernet port 3. The port sends FDP updates every 5 seconds. Neighbors that receive the updates can hold them for up to 180 seconds before discarding them.

Syntax: show fdp interface [ethernet ]

The ethernet parameter lists the information only for the specified interface.

Displaying FDP and CDP statistics

To display FDP and CDP packet statistics, enter the following command.
Reading CDP packets

Cisco Discovery Protocol (CDP) packets are used by Cisco devices to advertise themselves to other Cisco devices. By default, devices forward these packets without examining their contents. You can configure a device to intercept and display the contents of CDP packets. This feature is useful for learning device and interface information for Cisco devices in the network. Devices support intercepting and interpreting CDP version 1 and version 2 packets.
PowerConnect# show fdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
(*) indicates a Cisco device
Device ID        Local Int     Holdtm  Capability  Platform     Port ID
--------------   ------------  ------  ----------  -----------  ------------
(*)Router        Eth 1         124     R           cisco RSP4   FastEthernet0

To display detailed information for the neighbors, enter the following command.
PowerConnect# show fdp entry *
Device ID: Router
Entry address(es):
  IP address: 207.95.6.143
Platform: cisco RSP4, Capabilities: Router
Interface: Eth 1, Port ID (outgoing port): FastEthernet0
Holdtime : 124 seconds
Version :
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-JSV-M), Version 12.0(5)T1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
PowerConnect# clear fdp counters

Syntax: clear fdp counters
Chapter 34 Using Syslog

This chapter describes how to display Syslog messages and how to configure the Syslog facility, and lists the Syslog messages that devices can display during standard operation.

NOTE: This chapter does not list Syslog messages that can be displayed when a debug option is enabled.
Displaying Syslog messages

To display the Syslog messages in the device local buffer, enter the show logging command at any level of the CLI. The following shows an example display output.
telnet@PowerConnect#terminal monitor
Syslog trace was turned OFF

Here is an example of how the Syslog messages are displayed.
PowerConnect#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 3 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dynamic Log Buffer (50 entries):
Dec 15 18:46:17:I:Interface ethernet 4, state up
Dec 15 18:45:21:I:Bridge topology change, vlan 4095, interface 4, cha
In the static log, new messages replace older ones, so only the most recent message is displayed. For example, only the most recent temperature warning message will be present in the log. If multiple temperature warning messages are sent to the log, the latest one replaces the previous one. The static buffer is not configurable. The message types that appear in the static buffer do not appear in the dynamic buffer.
• hh – hours
• mm – minutes
• ss – seconds

For example, “Oct 15 17:38:03” means October 15 at 5:38 PM and 3 seconds.

• If you have not set the time and date on the onboard system clock, the time stamp shows the amount of time that has passed since the device was booted, in the following format.
PowerConnect#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 38 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Static Log Buffer:
Dynamic Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 event(s)
19d07h03m30s:warning:list 101 denied tcp 209.157.22.
Disabling logging of a message level

To change the message level, disable logging of specific message levels. You must disable the message levels on an individual basis. For example, to disable logging of debugging and informational messages, enter the following commands.
NOTE: You can specify only one facility. If you configure the device to use two Syslog servers, the device uses the same facility on both servers.
When you display the messages in the Syslog, you see the interface name under the Dynamic Log Buffer section. The actual interface number is appended to the interface name.
TABLE 168 Dell Syslog messages
Message level | Message | Explanation
Alert | modules and 1 power supply, need more power supply!! | Indicates that the chassis needs more power supplies to run the modules in the chassis. The parameter indicates the number of modules in the chassis.
Alert | Fan , , failed | A fan has failed. The is the fan number. The describes where the failed fan is in the chassis.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Alert | Management module at state changed from to . | Indicates a state change in a management module. The can be one of the following: active, standby, crashed, coming-up, unknown.
Alert | OSPF LSA Overflow, LSA Type = | Indicates an LSA database overflow.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Debug | DOT1X: Not enough memory | There is not enough system memory for 802.1X authentication to take place. Contact Dell Technical Support.
Error | No of prefixes received from BGP peer exceeds maximum prefix-limit... |
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Informational | ACL added | deleted | modified from console | telnet | ssh | snmp session | A user created, modified, deleted, or applied an ACL through an SNMP, console, SSH, or Telnet session.
Informational | Bridge is new root, vlan , root ID | A Spanning Tree Protocol (STP) topology change has occurred, resulting in the device becoming the root bridge.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Informational | DOT1X : port - mac Invalid MAC filter ID - this ID is user defined and cannot be used | The port was assigned a MAC address filter ID that had been dynamically created by another user.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Informational | ERR_DISABLE: Interface ethernet , err-disable recovery timeout | The errdisable recovery timer expired and the port has been re-enabled.
Informational | ERR_DISABLE: Interface ethernet 16, err-disable recovery timeout | If the wait time (port is down and is waiting to come up) expires and the port is brought up, the following message is displayed.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Informational | Security: telnet | SSH logout by from src IP , src MAC to USER | PRIVILEGE EXEC mode | The specified user logged out of the device. The user was using Telnet or SSH to access the device from either or both the specified IP address and MAC address. The user logged out of the specified EXEC mode.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Informational | SYSTEM: Optic is not Dell-qualified () | Dell does not support the optical transceiver.
Informational | System: Fan (from left when facing right side), ok | The fan status has changed from fail to normal.
Informational | System: Fan speed changed automatically to | The system automatically changed the fan speed to the speed specified in this message.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Informational | Trunk group () created by 802.3ad link-aggregation module. | 802.3ad link aggregation is configured on the device, and the feature has dynamically created a trunk group (aggregate link). The is a list of the ports that were aggregated to make the trunk group.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Notification | ACL port fragment packet inspect rate exceeded on port | The fragment rate allowed on an individual interface has been exceeded. The indicates the maximum rate allowed. The indicates the port. This message can occur if fragment throttling is enabled.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Notification | ISIS L1 ADJACENCY UP on circuit | The Layer 3 Switch adjacency with this Level-1 IS has come up. The is the system ID of the IS. The is the ID of the circuit over which the adjacency was established.
Notification | ISIS L2 ADJACENCY DOWN on circuit | The Layer 3 Switch adjacency with this Level-2 IS has gone down.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Notification | OSPF interface state changed, rid , intf addr , state | Indicates that the state of an OSPF interface has changed. The is the router ID of the device. The is the interface IP address.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Notification | OSPF intf config error, rid , intf addr , pkt src addr , error type , pkt type | Indicates that an OSPF interface configuration error has occurred. The is the router ID of the device. The is the IP address of the interface on the device.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Notification | OSPF intf rcvd bad pkt: Bad Checksum, rid , intf addr , pkt size , checksum , pkt src addr , pkt type | The device received an OSPF packet that had an invalid checksum. The rid is the router ID. The intf addr is the IP address of the interface that received the packet. The pkt size is the number of bytes in the packet.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Notification | OSPF intf retransmit, rid , intf addr , nbr rid , pkt type is , LSA type , LSA id , LSA rid | An OSPF interface on the device has retransmitted a Link State Advertisement (LSA). The is the router ID of the device. The is the IP address of the interface on the device.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Notification | OSPF nbr state changed, rid , nbr addr , nbr rid , state | Indicates that the state of an OSPF neighbor has changed. The is the router ID of the device. The is the IP address of the neighbor. The is the router ID of the neighbor.
TABLE 168 Dell Syslog messages (Continued)
Message level | Message | Explanation
Notification | OSPF virtual intf authen failure, rid , intf addr , pkt src addr , error type , pkt type | Indicates that an OSPF virtual routing interface authentication failure has occurred. The is the router ID of the device. The is the IP address of the interface on the device.
34 Syslog messages TABLE 168 1062 Dell Syslog messages (Continued) Message level Message Explanation Notification OSPF virtual intf config error, rid , intf addr , pkt src addr , error type , pkt type Indicates that an OSPF virtual routing interface configuration error has occurred. The is the router ID of the device. The is the IP address of the interface on the device.
Syslog messages TABLE 168 34 Dell Syslog messages (Continued) Message level Message Explanation Notification OSPF virtual intf retransmit, rid , intf addr , nbr rid , pkt type is , LSA type , LSA id , LSA rid An OSPF interface on the device has retransmitted a Link State Advertisement (LSA). The is the router ID of the device. The is the IP address of the interface on the device.
34 Syslog messages TABLE 168 Dell Syslog messages (Continued) Message level Message Explanation Notification OSPF virtual nbr state changed, rid , nbr addr , nbr rid , state Indicates that the state of an OSPF virtual neighbor has changed. The is the router ID of the device. The is the IP address of the neighbor. The is the router ID of the neighbor.
Syslog messages TABLE 168 34 Dell Syslog messages (Continued) Message level Message Explanation Notification VRRP intf state changed, intf , vrid , state A state change has occurred in a Virtual Router Redundancy Protocol (VRRP) interface. The is the port. The is the virtual router ID (VRID) configured on the interface.
34 Syslog messages TABLE 168 1066 Dell Syslog messages (Continued) Message level Message Explanation Warning list denied () (Ethernet ) -> (), 1 event(s) Indicates that an Access Control List (ACL) denied (dropped) packets. The indicates the ACL number. Numbers 1 – 99 indicate standard ACLs. Numbers 100 – 199 indicate extended ACLs.
Syslog messages TABLE 168 34 Dell Syslog messages (Continued) Message level Message Explanation Warning No global IP! cannot send IGMP msg. The device is configured for ip multicast active but there is no configured IP address and the device cannot send out IGMP queries. Warning No of prefixes received from BGP peer exceeds warning limit The Layer 3 Switch has received more than the allowed percentage of prefixes from the neighbor. The is the IP address of the neighbor.
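The OSPF and VRRP messages in Table 168 share one shape: an event name followed by comma-separated "field value" pairs whose field names (rid, intf addr, pkt src addr, nbr rid, state, and so on) are the ones listed in the Message column. The following Python is an added example, not Dell's code, showing how a log pipeline can split those messages into fields and flag the ones the table explains as authentication failures, configuration errors, malformed packets or lost adjacencies. The sample lines are constructed; the page gives the field names but not how values are rendered, so the "field name, space, value" layout and state strings such as Down are assumptions.

```python
"""Parse and triage OSPF/VRRP syslog messages of the kind listed in Table 168.

Added example, not Dell's code. Sample lines are constructed; the page shows
the field names but not their rendered values, so this parser assumes each
field appears as '<field name> <value>' and fields are comma-separated.
"""

# Field names as written in the Table 168 message column. Longest first so that
# 'intf addr' is tried before 'intf' and 'pkt type is' before 'pkt type'.
FIELD_NAMES = sorted(
    ["rid", "intf addr", "intf", "nbr addr", "nbr rid", "pkt src addr",
     "pkt size", "checksum", "pkt type is", "pkt type", "error type", "state",
     "vrid", "LSA type", "LSA id", "LSA rid"],
    key=len, reverse=True)

# Constructed sample messages; any syslog timestamp/host prefix is assumed stripped.
SAMPLE_LOG = [
    "OSPF virtual intf authen failure, rid 10.0.0.1, intf addr 10.1.1.1, "
    "pkt src addr 10.1.1.200, error type 1, pkt type 1",
    "OSPF intf rcvd bad pkt: Bad Checksum, rid 10.0.0.1, intf addr 10.1.1.1, "
    "pkt size 64, checksum 0x1a2b, pkt src addr 10.1.1.77, pkt type 1",
    "OSPF nbr state changed, rid 10.0.0.1, nbr addr 10.1.1.2, nbr rid 10.0.0.2, state Down",
    "OSPF intf retransmit, rid 10.0.0.1, intf addr 10.1.1.1, nbr rid 10.0.0.2, "
    "pkt type is 4, LSA type 1, LSA id 10.0.0.2, LSA rid 10.0.0.2",
    "VRRP intf state changed, intf 1, vrid 5, state Master",
]


def parse_message(msg):
    """Split 'event, field value, field value, ...' into a dict keyed by field name."""
    parts = [p.strip() for p in msg.split(",")]
    rec = {"event": parts[0]}
    for part in parts[1:]:
        for name in FIELD_NAMES:
            if part == name or part.startswith(name + " "):
                # The retransmit messages write 'pkt type is'; store it as 'pkt type'.
                key = "pkt type" if name == "pkt type is" else name
                rec[key] = part[len(name):].strip()
                break
        else:
            rec.setdefault("unparsed", []).append(part)
    return rec


def triage(rec):
    """Return (action, summary). 'review' marks the conditions Table 168 describes as
    authentication failures, configuration errors, bad packets or a neighbor going
    down; the 'Down' state string is an assumption about the rendered value."""
    ev = rec["event"]
    if "authen failure" in ev:
        return ("review", "OSPF authentication failure from %s on interface %s"
                % (rec.get("pkt src addr"), rec.get("intf addr")))
    if "config error" in ev:
        return ("review", "OSPF configuration mismatch with %s on interface %s"
                % (rec.get("pkt src addr"), rec.get("intf addr")))
    if "rcvd bad pkt" in ev:
        return ("review", "malformed OSPF packet from %s: %s"
                % (rec.get("pkt src addr"), ev.split(":", 1)[-1].strip()))
    if "nbr state changed" in ev and rec.get("state", "").lower() == "down":
        return ("review", "OSPF adjacency with %s (%s) went down"
                % (rec.get("nbr rid"), rec.get("nbr addr")))
    return ("info", ev)


def triage_log(lines):
    """Triage every line; returns (action, summary) tuples in input order."""
    return [triage(parse_message(line)) for line in lines]


if __name__ == "__main__":
    for action, summary in triage_log(SAMPLE_LOG):
        print(action, "-", summary)
```

Repeated authentication failures or configuration errors from one pkt src addr are worth correlating over time: Table 168 logs each one at Notification level only, so a collector rule rather than the raw severity is what makes them visible.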
34 1068 Syslog messages PowerConnect B-Series TI24X Configuration Guide 53-1002269-02
Appendix A
Network Monitoring

This appendix describes the remote monitoring features available on devices.

Basic management
The following sections contain procedures for basic system management tasks.

Viewing system information
You can access software and hardware specifics for a Layer 2 Switch or Layer 3 Switch. For software specifics, refer to “Determining the software versions installed and running on a device” on page 39.

Syntax: show
TABLE 169 Port statistics (Continued)
This line... Displays...
Trunk: The trunk group number, if the port is a member of a trunk group.
Tag: Whether the port is a tagged member of a VLAN.
Priori: The QoS forwarding priority of the port (level0 – level7).
MAC: The MAC address of the port.
Name: The name of the port, if you assigned a name.
Statistics
InOctets: The total number of good octets and bad octets received.
InGiantPkts: The total number of packets for which all of the following were true:
• The data length was longer than the maximum allowable frame size.
• No Rx Error was detected.
NOTE: Packets are counted for this statistic regardless of whether the CRC is valid or invalid.
InShortPkts: The total number of packets received for which all of the following were true:
• The data length was less than 64 bytes.
Traffic counters for outbound traffic
You can configure traffic counters (also called transmit counters) that enable the device to count the following packet types on a port or port region:
• broadcast packets
• multicast packets
• unicast packets
• dropped packets due to congestion and egress filtering
Depending on the parameters specified with the traffic counter configuration, traffic counters record the number of outbound packets from any combination of the following sources:

Example
To configure traffic counters for outbound traffic in a specific port region, enter a command such as the following.
PowerConnect(config)#transmit-counter 1 port 1 region vlan all prio all enable
The above command creates and enables traffic counter 1 on all ports that are in the same port region as port 1. The device will count the number of packets transmitted in this port region that belong to any VLAN and have any assigned priority queue.

PowerConnect#show transmit-counter values 1
Transmit Queue Counter Values for Counter 1:
Transmitted Frames:
  Known Unicast : 17204
  Multicast & Unknown Unicast : 2797
  Broadcast : 5
Dropped Frames:
  Bridge Egress Filtered : 2
  Congestion Drops : 0
PowerConnect#show transmit-counter values 4
Transmit Queue Counter Values for Counter 4:
Transmitted Frames:
  Known Unicast : 124
  Multicast & Unknown Unicast : 2752
  Broadcast : 0
Dropped Frames:
  Bridge Egress Filtered : 37
  Congestion Drops : 0
Syn
RMON support
The RMON agent supports the following groups. The group numbers come from the RMON specification (RFC 1757):
• Statistics (RMON Group 1)
• History (RMON Group 2)
• Alarms (RMON Group 3)
• Events (RMON Group 9)
The CLI allows you to make configuration changes to the control data for these groups, but you need a separate RMON application to view and display the data graphically.

PowerConnect#show rmon statistics
Ethernet statistics 1 is active, owned by monitor
Interface 1 (ifIndex 1) counters
  Octets 0
  Drop events 0
  Packets 0
  Broadcast pkts 0
  Multicast pkts 0
  CRC alignment errors 0
  Undersize pkts 0
  Oversize pkts 0
  Fragments 0
  Jabbers 0
  Collisions 0
  64 octets pkts 0
  65 to 127 octets pkts 0
  128 to 255 octets pkts 0
  256 to 511 octets pkts 0
  512 to 1023 octets pkts 0
  1024 to 1518 octets pkts 0
Syntax: show rmon statistics
The parameter specifies th

TABLE 171 Export configuration and statistics (Continued)
This line... Displays...
Oversize packets: The total number of packets received that were longer than 1518 octets and were otherwise well formed. This number does not include framing bits but does include FCS octets.
You can modify the sampling interval and the bucket (number of entries saved before overwrite) using the CLI. In the above example, owner refers to the RMON station that will request the information.
NOTE: To review the control data entry for each port or interface, enter the show rmon history command.

Alarm (RMON group 3)
Alarm is designed to monitor configured thresholds for any SNMP integer, time tick, gauge or counter MIB object.

sFlow
• Identifies ingress and egress interfaces for the sampled flows
• Combines sFlow samples into UDP packets and forwards them to the sFlow collectors for analysis
• Forwards byte and packet count data, or counter samples, to sFlow collectors
sFlow is described in RFC 3176, “InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks”.
NOTE: When sFlow is enabled on a PowerConnect B-Series TI24X switch, QoS will support 7 priority queues rather than 8.

IPv6 packet sampling
IPv6 sampling is performed by the packet processor. The system uses the sampling rate setting to selectively mark the monitoring bit in the header of an incoming packet. Marked packets tell the CPU that the packets are subject to sFlow sampling.

Configuration considerations
This section lists the sFlow configuration considerations on devices.

Hardware support
• Devices support sFlow packet sampling of inbound traffic only. These devices do not sample outbound packets.

NOTE: If an IP address is not already configured when you enable sFlow, the feature uses the source address 0.0.0.0. To display the agent_address, enable sFlow, then enter the show sflow command. Refer to “Enabling sFlow forwarding” on page 1086 and “Displaying sFlow information” on page 1087.

Sampling rate
The sampling rate is the average ratio of the number of packets incoming on an sFlow enabled port to the number of flow samples taken from those packets.
The sampled sFlow data sent to the collectors includes an agent_address field. This field identifies the device that sent the data. Refer to “Source address” on page 1081.

IPv6 devices
To specify an sFlow collector on an IPv6 device, enter a command such as the following.
PowerConnect(config)#sflow destination ipv6 2003:0:0::0b:02a
This command specifies a collector with IPv6 address 2003:0::0b:02a, listening for sFlow data on UDP port 6343.

The sampling rate is a fraction in the form 1/N, meaning that, on average, one out of every N packets will be sampled. The sflow sample command at the global level or port level specifies N, the denominator of the fraction. Thus a higher number for the denominator means a lower sampling rate, since fewer packets are sampled. Likewise, a lower number for the denominator means a higher sampling rate, because more packets are sampled.

Sampling rate for new ports
When you enable sFlow on a port, the port's sampling rate is set to the global default sampling rate. This also applies to ports on which you disable and then re-enable sFlow. The port does not retain the sampling rate it had when you disabled sFlow on the port, even if you had explicitly set the sampling rate on the port.

To change the sampling rate on an individual port, enter a command such as the following at the configuration level for the port.
PowerConnect(config-if-1)#sflow sample 8192
Syntax: [no] sflow sample
The parameter specifies the average number of packets from which each sample will be taken. The software rounds the value you enter up to the next odd power of 2. The actual sampling rate becomes one of the values listed in “Changing the default sampling rate”.
Command syntax
This section shows how to enable sFlow forwarding.

Globally enabling sFlow forwarding
To enable sFlow forwarding, you must first enable it on a global basis, then on individual interfaces or trunk ports, or both. To globally enable sFlow forwarding, enter the following command.
PowerConnect(config)#sflow enable
You can now enable sFlow forwarding on individual ports as described in the next two sections.

PowerConnect#show sflow
sFlow services are enabled.
sFlow agent IP address: 123.123.123.1
4 collector destinations configured:
Collector IP 192.168.4.204, UDP 6343
Collector IP 192.168.4.200, UDP 6333
Collector IP 192.168.4.202, UDP 6355
Collector IP 192.168.4.203, UDP 6565
Polling interval is 0 seconds.
Configured default sampling rate: 1 per 512 packets
Actual default sampling rate: 1 per 512 packets
10552 UDP packets exported
24127 sFlow samples collected.
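Two statements in this section are easy to miss when auditing a switch: the agent address falls back to 0.0.0.0 if sFlow was enabled before an IP address existed, and the denominator given to sflow sample is silently rounded up to the next odd power of 2, so the Actual default sampling rate line can be lower than the Configured one. The Python below is an added example, not Dell's code: it parses show sflow output of the shape shown above, models the rounding rule, and reports those two conditions plus a missing collector. SAMPLE_OK mirrors the display above; SAMPLE_WEAK is a constructed variant. The assumption that "odd power of 2" means 2, 8, 32, 128, 512, 2048, 8192 and so on is mine; the page's own value table ("Changing the default sampling rate") is not reproduced here.

```python
"""Parse 'show sflow' output and check it against the caveats stated in this section.

Added example, not Dell's code. SAMPLE_OK is constructed to mirror the show sflow
display on this page; SAMPLE_WEAK is a constructed variant with no agent address
and a sampling denominator that is not an odd power of 2.
"""
import re

SAMPLE_OK = """\
sFlow services are enabled.
sFlow agent IP address: 123.123.123.1
4 collector destinations configured:
Collector IP 192.168.4.204, UDP 6343
Collector IP 192.168.4.200, UDP 6333
Collector IP 192.168.4.202, UDP 6355
Collector IP 192.168.4.203, UDP 6565
Polling interval is 0 seconds.
Configured default sampling rate: 1 per 512 packets
Actual default sampling rate: 1 per 512 packets
10552 UDP packets exported
24127 sFlow samples collected.
"""

SAMPLE_WEAK = """\
sFlow services are enabled.
sFlow agent IP address: 0.0.0.0
1 collector destinations configured:
Collector IP 192.168.4.204, UDP 6343
Polling interval is 0 seconds.
Configured default sampling rate: 1 per 1000 packets
Actual default sampling rate: 1 per 2048 packets
0 UDP packets exported
0 sFlow samples collected.
"""


def actual_sampling_rate(configured):
    """Model of the rule stated for 'sflow sample': N is rounded up to the next odd
    power of 2. Assumption: 'odd power of 2' means 2**k with k odd (2, 8, 32, ...)."""
    if configured < 1:
        raise ValueError("sampling denominator must be at least 1")
    exp = 1
    while (1 << exp) < configured:
        exp += 2
    return 1 << exp


def estimate_packets(samples, rate):
    """With 1/N sampling each flow sample stands for about N packets on average."""
    return samples * rate


_LINE_PATTERNS = [
    ("enabled", re.compile(r"sFlow services are (enabled|disabled)\.")),
    ("agent", re.compile(r"sFlow agent IP address: (\S+)")),
    ("collector", re.compile(r"Collector IP (\S+), UDP (\d+)")),
    ("polling", re.compile(r"Polling interval is (\d+) seconds")),
    ("rate", re.compile(r"(Configured|Actual) default sampling rate: 1 per (\d+) packets")),
    ("udp_exported", re.compile(r"(\d+) UDP packets exported")),
    ("samples", re.compile(r"(\d+) sFlow samples collected")),
]


def parse_show_sflow(text):
    """Extract agent, collectors, rates and counters from show sflow output."""
    info = {"collectors": []}
    for line in text.splitlines():
        for kind, pat in _LINE_PATTERNS:
            m = pat.match(line.strip())
            if not m:
                continue
            if kind == "enabled":
                info["enabled"] = m.group(1) == "enabled"
            elif kind == "agent":
                info["agent"] = m.group(1)
            elif kind == "collector":
                info["collectors"].append((m.group(1), int(m.group(2))))
            elif kind == "rate":
                info[m.group(1).lower() + "_rate"] = int(m.group(2))
            else:
                info[kind] = int(m.group(1))
            break
    return info


def check_sflow(info):
    """Findings an operator would act on, each tied to a statement in this section."""
    findings = []
    if not info.get("enabled"):
        findings.append("sFlow services are not enabled")
    if info.get("agent") == "0.0.0.0":
        findings.append("agent address is 0.0.0.0: no IP address was configured when sFlow was enabled")
    if not info["collectors"]:
        findings.append("no collector destinations configured")
    cfg, act = info.get("configured_rate"), info.get("actual_rate")
    if cfg is not None and act is not None and cfg != act:
        findings.append("configured 1/%d was rounded up to 1/%d: fewer samples than requested" % (cfg, act))
    return findings
```

Run check_sflow over the parsed output of each switch as part of a configuration audit; the rounding finding is the one to watch after a sflow sample change, since a value such as 1000 quietly becomes 2048 and halves the expected sample count.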
PowerConnect#clear statistics
Syntax: clear statistics
This command clears the values in the following fields of the show sflow display:
• UDP packets exported
• sFlow samples collected
NOTE: This command also clears the statistics counters used by other features.

Configuring a utilization list for an uplink port
The downlink ethernet parameters and the port numbers you specify after the parameters indicate the downlink ports.

Displaying utilization percentages for an uplink
After you configure an uplink utilization list, you can display the list to observe the percentage of the uplink bandwidth that each of the downlink ports used during the most recent 30-second port statistics interval.
Appendix B
Software Specifications

IEEE compliance
Dell devices support the following standards.

TABLE 173 IEEE compliance
Standard / Description / PowerConnect B-Series TI24X
802.1AB Station and Media Access Control Connectivity Discovery. Also supports TIA-1057, Telecommunications - IP Telephony Infrastructure - Link Layer Discovery Protocol (LLDP) for Media Endpoint Devices. Yes
802.1d Ethernet Bridging Yes
802.1D MAC Bridges Yes
802.1p Mapping to Priority Queue Yes
802.
RFC support
TABLE 174 Dell RFC support
RFC number / Protocol or Standard / PowerConnect B-Series TI24X
768 User Datagram Protocol (UDP) Yes
783 Trivial File Transfer Protocol (TFTP) Yes
791 Internet Protocol (IP) Yes
792 Internet Control Message Protocol (ICMP) Yes
793 Transmission Control Protocol (TCP) Yes
826 Ethernet Address Resolution Protocol (ARP) Yes
854, 855, and 857 Telnet Yes
894 IP over Ethernet frames Yes
903 Reverse ARP (RARP) Yes
906 Bootstrap loading us

1519 Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy Yes
1541 Dynamic Host Configuration Protocol (DHCP) Yes
1542 BootP Extensions Yes
1573 SNMP MIB II Yes
1591 Domain Name System (DNS) Structure and Delegation Yes
1643 Ethernet Interface MIB Yes
1757 Remote Monitoring (RMON) groups 1, 2, 3, 9 Yes
1905 Protocol Operations for vers

2571 An Architecture for Describing SNMP Management Frameworks Yes
2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) Yes
2573 SNMP version 3 Applications Yes
2574 User-based Security (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) Yes
2575 View-based Access Control Model (VACM) for the Simple Network Managemen

3414 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMP V3) Yes
3415 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) Yes
3416 Version 2 of the Protocol Operations for the SNMP Yes
3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) Yes
3584 Coexistence betwe
SSH V 2 Yes
SNMP V1, V2c, and V3 Yes
TACACS/TACACS+ Yes
TELNET and SSH V1 Yes
UDLD Yes
Username or Password (challenge and response) Yes

Internet drafts
In addition to the RFCs listed in “RFC support” on page 1093, Dell devices support the following Internet drafts:
• draft-ietf-magma-igmp-proxy.txt
• TACACS+ Protocol version 1.