53-1002266-01 18 March 2011 PowerConnect B-Series FCX Configuration Guide
Information in this document is subject to change without notice. © 2011 Dell Inc. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. Trademarks used in this text: Dell, the DELL logo, Dell OpenManage and PowerConnect are trademarks of Dell Inc.; Microsoft, Windows, and Windows Server are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.
Contents

About This Document
Introduction ... xxxix
Device nomenclature ... xxxix
Audience ... xxxix
Document conventions ... xl
Text formatting ...

Chapter 2 Configuring Basic Software Features
Configuring basic system parameters ... 18
Entering system administration information ... 18
Configuring Simple Network Management Protocol (SNMP) parameters ... 19
Disabling Syslog messages and traps for CLI access ... 22
Cancelling an outbound Telnet session ...

Loading and saving configuration files ... 65
Replacing the startup configuration with the running configuration ... 65
Replacing the running configuration with the startup configuration ... 66
Logging changes to the startup-config file ... 66
Copying a configuration file to or from a TFTP server ... 66
Dynamic configuration loading ...

Viewing information about software licenses ... 91
Viewing the License ID (LID) ... 91
Viewing the license database ... 92
Viewing software packages installed in the device ... 93

Chapter 5 Stackable Devices
IronStack overview ... 95
IronStack technology features ...

Image mismatches ... 154
Advanced feature privileges (PowerConnect B-Series FCX) ... 154
Configuration mismatch ... 155
Memory allocation failure ... 156
Recovering from a mismatch ... 156
Troubleshooting secure-setup ...

IPv6 management features ... 199
IPv6 management ACLs ... 199
IPv6 debug ... 200
IPv6 Web management using HTTP and HTTPS ... 200
IPv6 logging ... 201
Name-to-IPv6 address resolution using IPv6 DNS server ...

Error disable recovery ... 286
Enabling error disable recovery ... 286
Setting the recovery interval ... 286
Displaying the error disable recovery state by interface ... 287
Displaying the recovery state for all conditions ... 287
Displaying the recovery state by port number and cause ... 287
Errdisable Syslog messages ...

Displaying and modifying system parameter default settings ... 321
Configuration considerations ... 321
Displaying system parameter default values ... 321
Modifying system parameter default values ... 325
Dynamic Buffer Allocation for an IronStack ... 326
Generic buffer profiles on PowerConnect Stackable devices ... 329
Remote Fault Notification (RFN) on 1G fiber connections ...
Chapter 11 Configuring Uni-Directional Link Detection (UDLD) and Protected Link Groups
UDLD overview ... 383
UDLD for tagged ports ... 384
Configuration notes and feature limitations ... 384
Enabling UDLD ... 385
Enabling UDLD for tagged ports ...

Dynamic link aggregation ... 410
IronStack LACP trunk group configuration example ... 411
Examples of valid LACP trunk groups ... 411
Configuration notes and limitations ... 412
Adaptation to trunk disappearance ... 413
Flexible trunk eligibility ...

Configuring IP subnet, IPX network, and protocol-based VLANs within port-based VLANs ... 454
Configuring an IPv6 protocol VLAN ... 458
Routing between VLANs using virtual routing interfaces (Layer 3 Switches only) ... 458
Configuring protocol VLANs with dynamic ports ... 464
Aging of dynamic ports ...

Displaying VLAN information ... 500
Displaying VLANs in alphanumeric order ... 500
Displaying system-wide VLAN information ... 501
Displaying global VLAN information ... 502
Displaying VLAN information for specific ports ... 502
Displaying a port VLAN membership ...

Configuration notes and feature limitations ... 529
Configuration example ... 530
Configuring MAC-based VLANs ... 531
Using MAC-based VLANs and 802.1X security on the same port ... 531
Configuring generic and Dell vendor-specific attributes on the RADIUS server ... 532
Aging for MAC-based VLAN ...

Preserving user input for ACL TCP/UDP port numbers ... 566
Managing ACL comment text ... 567
Adding a comment to an entry in a numbered ACL ... 567
Adding a comment to an entry in a named ACL ... 568
Deleting a comment from an ACL entry ... 568
Viewing comments in an ACL ...

QoS for stackable devices ... 595
QoS profile restrictions in an IronStack ... 595
QoS behavior for trusting Layer 2 (802.1p) in an IronStack ... 595
QoS behavior for trusting Layer 3 (DSCP) in an IronStack ... 595
QoS behavior on port priority and VLAN priority in an IronStack ... 596
QoS behavior for 802.1p marking in an IronStack ...

ACL statistics and rate limit counting ... 619
Enabling ACL statistics ... 619
Enabling ACL statistics with rate limiting traffic policies ... 620
Viewing ACL and rate limit counters ... 620
Clearing ACL and rate limit counters ... 621
Viewing traffic policies ...

Rate limiting in hardware ... 644
How fixed rate limiting works ... 644
Configuration notes ... 645
Configuring a port-based rate limiting policy ... 645
Configuring an ACL-based rate limiting policy ... 645
Displaying the fixed rate limiting configuration ...

General operating principles ... 687
Operating modes ... 687
LLDP packets ... 688
TLV support ... 689
MIB support ... 692
Syslog messages ...
PIM Dense ... 733
Initiating PIM multicasts on a network ... 734
Pruning a multicast tree ... 734
Grafts to a multicast tree ... 736
PIM DM versions ... 736
Configuring PIM DM ...

Chapter 26 Configuring IP
Basic configuration ... 784
Overview ... 784
Full Layer 3 support ... 784
IP interfaces ... 785
IP packet flow through a Layer 3 Switch ...

Chapter 27 Configuring Multicast Listening Discovery (MLD) Snooping on PowerConnect B-Series FCX Switches
Overview ... 889
Configuration notes ... 891
Configuring queriers and non-queriers ... 892
VLAN specific configuration ... 892
Using MLDv1 with MLDv2 ...

Configuring RIP parameters ... 910
Enabling RIP ... 910
Configuring metric parameters ... 910
Changing the administrative distance ... 911
Configuring redistribution ... 912
Configuring route learning and advertising parameters ...

Configuring OSPF ... 930
Configuration rules ... 931
OSPF parameters ... 931
Enabling OSPF on the router ... 932
Assigning OSPF areas ... 933
Assigning an area range (optional) ...

Displaying OSPF information ... 966
Displaying general OSPF configuration information ... 967
Displaying CPU utilization statistics ... 968
Displaying OSPF area information ... 969
Displaying OSPF neighbor information ... 969
Displaying OSPF interface information ...

Optional configuration tasks ... 1004
Changing the Keep Alive Time and Hold Time ... 1004
Changing the BGP4 next-hop update timer ... 1005
Enabling fast external fallover ... 1005
Changing the maximum number of paths for BGP4 load sharing ... 1006
Customizing BGP4 load sharing ...

Configuring route flap dampening ... 1054
Globally configuring route flap dampening ... 1055
Using a route map to configure route flap dampening for specific routes ... 1055
Using a route map to configure route flap dampening for a specific neighbor ... 1056
Removing route dampening from a route ...

Configuring basic VRRP parameters ... 1113
Configuring the Owner ... 1113
Configuring a Backup ... 1113
Configuration rules for VRRP ... 1113
Configuring basic VRRPE parameters ... 1113
Configuration rules for VRRPE ...

Setting up local user accounts ... 1154
Enhancements to username and password ... 1154
Configuring a local user account ... 1158
Create password option ... 1160
Changing a local user password ... 1161
Configuring SSL security for the Web Management Interface ...
TCP Flags - edge port security ... 1201
Using TCP Flags in combination with other ACL features ... 1202

Chapter 33 Configuring SSH2 and SCP
SSH version 2 support ...
Tested SSH2 clients ...
Supported features ...
Unsupported features ...

Configuring 802.1X port security ... 1227
Configuring an authentication method list for 802.1X ... 1227
Setting RADIUS parameters ... 1228
Configuring dynamic VLAN assignment for 802.1X ports ... 1230
Dynamically applying IP ACLs and MAC address filters to 802.1X ports ... 1234
Enabling 802.1X port security ...

Configuring the MAC port security feature ...
Enabling the MAC port security feature ...
Setting the maximum number of secure MAC addresses for an interface ...
Setting the port security age timer ...
Specifying secure MAC addresses ...
Autosaving secure MAC addresses to the startup-config file ...

Configuring multi-device port authentication ...
Enabling multi-device port authentication ...
Specifying the format of the MAC addresses sent to the RADIUS server ...
Specifying the authentication-failure action ...
Generating traps for multi-device port authentication ...
Defining MAC address filters ...

Chapter 38
Configuring web authentication options ...
Enabling RADIUS accounting for web authentication ...
Changing the login mode (HTTPS or HTTP) ...
Specifying trusted ports ...
Specifying hosts that are permanently authenticated ...
Configuring the re-authentication period ...
Defining the web authentication cycle ...

DHCP snooping ... 1349
How DHCP snooping works ... 1350
System reboot and the binding database ... 1351
Configuration notes and feature limitations ... 1351
Configuring DHCP snooping ... 1351
Clearing the DHCP binding database ...

Displaying SNMP Information ... 1377
Displaying the Engine ID ... 1377
Displaying SNMP groups ... 1377
Displaying user information ... 1378
Interpreting varbinds in report packets ... 1378
SNMP v3 Configuration examples ...

sFlow ... 1427
sFlow version 5 ... 1427
sFlow support for IPv6 packets ... 1428
Configuration considerations ... 1429
Configuring and enabling sFlow ... 1430
Configuring sFlow version 5 features ...
About This Document

Introduction

This guide describes the following product families from Dell:
• PowerConnect B-Series FCX Stackable Switches.

This guide includes procedures for configuring the software. The software procedures show how to perform tasks using the CLI. This guide also describes how to monitor Dell products using statistics and summary screens. This guide applies to the PowerConnect models listed in Table 1.

Document conventions

This section describes text formatting conventions and important notice formats used in this document.

NOTE
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.

CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.

DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

NOTE
If you do not have an active Internet connection, you can find contact information on your purchase invoice, packing slip, bill, or Dell product catalog.

Dell provides several online and telephone-based support and service options. Availability varies by country and product, and some services may not be available in your area. To contact Dell for sales, technical support, or customer service issues:
1. Visit http://support.dell.com.
2. Click your country or region at the bottom of the page.

Chapter 1 Getting Familiar with Management Applications

Table 3 lists the individual Dell PowerConnect switches and the management application features they support.
Using the management port

• No packet received on a management port is sent to any in-band ports, and no packets received on in-band ports are sent to a management port.
• A management port is not part of any VLAN.
• Protocols are not supported on the management port.
• Creating a management VLAN disables the management port on the device.

Logging on through the CLI

22 packets output, 1540 bytres, 0 underruns
Transmitted 0 broadcasts, 6 multicasts, 16 unicasts
0 output errors, 0 collisions

To display the management interface information in brief form, enter the show interfaces brief management command.

Syntax: show interfaces brief management

PowerConnect(config)#show interfaces brief management 1
Port   Link  State  Dupl  Speed  Trunk  Tag  Pri  MAC
mgmt1  Up    None   Full  1G     None   No   0    0000.9876.

You can initiate a local Telnet or SNMP connection by attaching a cable to a port and specifying the assigned management station IP address.

The commands in the CLI are organized into the following levels:
• User EXEC – Lets you display information and perform basic tasks such as pings and traceroutes.
Using stack-unit, slot number, and port number with CLI commands

ipx
lock-address
logging
mac
--More--, next page: Space, next line: Return key, quit: Control-c

The software provides the following scrolling options:
• Press the Space bar to display the next page (one screen at a time).
• Press the Return or Enter key to display the next line (one line at a time).
• Press Ctrl+C or Ctrl+Q to cancel the display.

Line editing commands

The CLI supports the following line editing commands.

• slot number and port number
• stack-unit, slot number, and port number

The following sections show which format is supported on which devices. The ports are labelled on the front panels of the devices.

CLI nomenclature on Stackable devices

Stackable devices (PowerConnect B-Series FCX) use the stack-unit/slot/port nomenclature.

Displaying lines that do not contain a specified string

The following command filters the output of the show who command so it displays only lines that do not contain the word “closed”. This command can be used to display open connections to the Dell PowerConnect device.

--More--, next page: Space, next line: Return key, quit: Control-c
/telnet

The results of the search are displayed.

searching...

TABLE 5 Special characters for regular expressions

Character  Operation
.          The period matches on any single character, including a blank space. For example, the following regular expression matches “aaz”, “abz”, “acz”, and so on, but not just “az”: a.z
*          The asterisk matches on zero or more sequential instances of a pattern.

TABLE 5 Special characters for regular expressions (Continued)

Character  Operation
|          A vertical bar separates two alternative values or sets of values. The output can match one or the other value. For example, the following regular expression matches output that contains either “abc” or “defg”: abc|defg
()         Parentheses allow you to create complex expressions.
Logging on through the Web Management Interface

Configuration notes

The following configuration notes apply to this feature:
• You cannot include additional parameters with the alias at the command prompt. For example, after you create the shoro alias, shoro bgp would not be a valid command.
• If configured on the Dell PowerConnect device, authentication, authorization, and accounting are performed on the actual command, not on the alias for the command.

FIGURE 2 Web Management Interface login dialog

The login username and password you enter depend on whether your device is configured with AAA authentication for SNMP. If AAA authentication for SNMP is not configured, you can use the user name “get” and the default read-only password “public” for read-only access.

FIGURE 3 First panel for Layer 3 Switch features

NOTE
If you are using Internet Explorer 6.0 to view the Web Management Interface, make sure the version you are running includes the latest service packs. Otherwise, the navigation tree (the left-most pane in Figure 3) will not display properly. For information on how to load the latest service packs, refer to the on-line help provided with your Web browser.

Using the CLI, you can modify the appearance of the Web Management Interface with the web-management command. To cause the Web Management Interface to display the List view by default, enter the following command.

PowerConnect(config)#web-management list-menu

To disable the front panel frame, enter the following command.

[Figure callouts: Front Panel Device, Front Panel Frame, Menu Type (Tree View shown), Page Menu, Bottom Frame, Menu Frame, Device]

NOTE
The tree view is available when you use the Web Management Interface with Netscape 4.0 or higher or Internet Explorer 4.0 or higher browsers.

Logging on through Brocade Network Advisor

Refer to the Brocade® Network Advisor manual for information about using Brocade Network Advisor.
Chapter 2 Configuring Basic Software Features

Table 6 lists the individual Dell PowerConnect switches and the basic software features they support.

TABLE 6 Supported basic software features

Feature                                              PowerConnect B-Series FCX
Auto-negotiation and advertisement of flow control   Yes
PHY FIFO Rx and TX Depth                             Yes
Interpacket Gap (IPG) adjustment                     Yes
CLI support for 100BaseTX and 100BaseFX              Yes
Gbps fiber negotiate mode                            Yes
QoS priority                                         Yes
VOIP autoconfiguration and CDP                       Yes
Port flap dampening                                  Yes
Port loop detection                                  Yes

Configuring basic system parameters

Dell PowerConnect devices are configured at

PowerConnect(config)# hostname zappa
zappa(config)# snmp-server contact Support Services
zappa(config)# snmp-server location Centerville
zappa(config)# end
zappa# write memory

Syntax: hostname
Syntax: snmp-server contact
Syntax: snmp-server location

The text strings can contain blanks. The SNMP text strings do not require quotation marks when they contain blanks but the host name does.

To specify an SNMP trap receiver and change the UDP port that will be used to receive traps, enter a command such as the following.

PowerConnect(config)# snmp-server host 2.2.2.2 0 mypublic port 200
PowerConnect(config)# write memory

Syntax: snmp-server host [0 | 1] [port ]

The parameter specifies the IP address of the trap receiver.

To change the holddown time for SNMP traps, enter a command such as the following at the global CONFIG level of the CLI.

PowerConnect(config)# snmp-server enable traps holddown-time 30

The command in this example changes the holddown time for SNMP traps to 30 seconds. The device waits 30 seconds to allow convergence in STP and OSPF before sending traps to the SNMP trap receiver.

• OSPF
• VRRP
• VRRPE

To stop link down occurrences from being reported, enter the following.

PowerConnect(config)# no snmp-server enable traps link-down

Syntax: [no] snmp-server enable traps

Disabling Syslog messages and traps for CLI access

Dell PowerConnect devices send Syslog messages and SNMP traps when a user logs into or out of the User EXEC or Privileged EXEC level of the CLI.

PowerConnect# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 12 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dynamic Log Buffer (50 entries):
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEGE EXEC mode
Oct 15
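The CLI login and logout messages described above are the device's own record of who held Privileged EXEC access and when, which is why a defender usually keeps them rather than disabling them. As an added example (not from the Dell guide and not Dell code), the following Python turns the Dynamic Log Buffer entries shown above into an audit trail: it parses the entry layout `Mon DD HH:MM:SS:level:user login to|logout from MODE mode`, ignores unrelated Syslog entries, and pairs each Privileged EXEC login with that user's next logout so that sessions still open at the end of the buffer stand out. The two `dg` entries are taken from the output above; the other sample lines, the `ops` user and the interface message, are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the layout of the Dynamic Log Buffer above (newest entry
# first). The two "dg" entries are the page's; the remaining lines are made up to
# show an operator still in Privileged EXEC and an unrelated message that must be skipped.
SAMPLE_LOG = """\
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEGE EXEC mode
Oct 15 17:52:03:info:ops login to PRIVILEGE EXEC mode
Oct 15 17:51:40:info:ops login to USER EXEC mode
Oct 15 17:45:10:info:dg login to PRIVILEGE EXEC mode
Oct 15 17:44:58:info:dg login to USER EXEC mode
Oct 15 17:40:00:info:System: Interface ethernet 1/1/5, state up
"""

# One CLI-access entry: "<Mon DD HH:MM:SS>:<level>:<user> login to|logout from <MODE> mode"
ACCESS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}):"
    r"(?P<level>[a-z]+):"
    r"(?P<user>\S+) (?P<action>login to|logout from) "
    r"(?P<mode>USER EXEC|PRIVILEGE EXEC) mode$"
)


@dataclass
class AccessEvent:
    ts: str
    user: str
    action: str  # "login" or "logout"
    mode: str    # "USER EXEC" or "PRIVILEGE EXEC"


def parse_cli_access(buffer_text: str) -> List[AccessEvent]:
    """Extract the login/logout events from show logging output, oldest first."""
    events: List[AccessEvent] = []
    for line in buffer_text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue  # fan, interface and other Syslog entries are not CLI-access events
        events.append(AccessEvent(
            ts=m.group("ts"),
            user=m.group("user"),
            action="login" if m.group("action") == "login to" else "logout",
            mode=m.group("mode"),
        ))
    events.reverse()  # the buffer lists newest first; an audit trail reads oldest first
    return events


def privileged_sessions(events: List[AccessEvent]) -> Tuple[List[Tuple[str, str, str]], Dict[str, str]]:
    """Pair each Privileged EXEC login with that user's next Privileged EXEC logout.

    Returns (closed, still_open): closed is a list of (user, login_ts, logout_ts);
    still_open maps each user whose Privileged EXEC session has no logout yet to its login time.
    """
    still_open: Dict[str, str] = {}
    closed: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev.mode != "PRIVILEGE EXEC":
            continue
        if ev.action == "login":
            still_open[ev.user] = ev.ts
        elif ev.user in still_open:
            closed.append((ev.user, still_open.pop(ev.user), ev.ts))
    return closed, still_open


if __name__ == "__main__":
    evts = parse_cli_access(SAMPLE_LOG)
    done, open_now = privileged_sessions(evts)
    for user, start, end in done:
        print(f"{user}: Privileged EXEC {start} -> {end}")
    for user, start in open_now.items():
        print(f"{user}: Privileged EXEC since {start} (no logout seen)")
```

The buffer is reversed before pairing because the device prints the newest entry first, as the two `dg` lines above show; pairing in display order would attach a logout to the wrong login. A session left in `still_open` at the end of the buffer either is genuinely still active or its logout has already aged out of the 50-entry buffer, so forwarding these messages to a Syslog collector is what makes the history reviewable beyond that window.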
NOTE
Dell PowerConnect devices do not retain time and date information across power cycles. Unless you want to reconfigure the system time counter each time the system is reset, Dell PowerConnect recommends that you use the SNTP feature.

To identify an SNTP server with IP address 208.99.8.95 to act as the clock reference for a Dell PowerConnect device, enter the following.

PowerConnect(config)# sntp server 208.99.8.

PowerConnect# show sntp status
Clock is synchronized, stratum = 4, reference clock = 10.70.20.23
precision is 2**-20
reference time is 3489354594.3780510747
clock offset is 0.0000 msec, root delay is 0.41 msec
root dispersion is 0.11 msec, peer dispersion is 0.00 msec
sntp poll-interval is 10 secs

Syntax: show sntp status

The following table describes the information displayed by the show sntp status command.

By default, Dell PowerConnect switches and routers do not change the system time for daylight saving time. To enable daylight saving time, enter the following command.

PowerConnect# clock summer-time

Syntax: clock summer-time

Although SNTP servers typically deliver the time and date in Greenwich Mean Time (GMT), you can configure the Dell PowerConnect device to adjust the time for any one-hour offset from GMT or for one of the following U.S.

Syntax: [no] clock timezone us

Enter pacific, eastern, central, or mountain for . This command must be configured on every device that follows the US DST. To verify the change, run a show clock command.

PowerConnect# show clock

Refer to October 19, 2006 - Daylight Saving Time 2007 Advisory, posted on kp.foundrynet.

The variable specifies the maximum number of packets per second. It can be any number that is a multiple of 65536, up to a maximum value of 2147418112. If you enter the multicast limit command, multicast packets are included in the corresponding limit. If you specify 0, limiting is disabled. If you specify a number that is not a multiple of 65536, the software rounds the number to the next multiple of 65536. Limiting is disabled by default.

Syntax: show rate-limit unknown-unicast

Use the show rate-limit broadcast command to display the broadcast limit or broadcast and multicast limit for each port to which it applies.

NOTE
If you are using a Web client to view the message of the day, and your banners are very wide, with large borders, you may need to set your PC display resolution to a number greater than the width of your banner. For example, if your banner is 100 characters wide and the display is set to 80 characters, the banner may distort, or wrap, and be difficult to read. If you set your display resolution to 120 characters, the banner will display correctly.

To enable the requirement to press the Enter key after the MOTD is displayed, enter a command such as the following.

PowerConnect(config)# banner motd require-enter-key

Syntax: [no] banner motd require-enter-key

Use the no form of the command to disable the requirement.

Setting a privileged EXEC CLI level banner

You can configure the Dell PowerConnect device to display a message when a user enters the Privileged EXEC CLI level.
2 Configuring basic port parameters Configuring a local MAC address for Layer 2 management traffic By default, Layer 2 devices use the MAC address of the first port as the MAC address for Layer 2 management traffic. For example, when the Dell PowerConnect device receives an ARP request for its management IP address, it responds with the first port MAC address.
Modifying port speed and duplex mode The Gigabit Ethernet copper ports are designed to auto-sense and auto-negotiate the speed and duplex mode of the connected device. If the attached device does not support this operation, you can manually enter the port speed to operate at either 10, 100, or 1000 Mbps. The default and recommended setting is 10/100/1000 auto-sense. NOTE You can modify the port speed of copper ports only; this feature does not apply to fiber ports.
Maximum Port speed advertisement and Port speed down-shift are enhancements to the auto-negotiation feature, a mechanism for accommodating multi-speed network devices by automatically configuring the highest performance mode of inter-operation between two connected devices.
Syntax: [no] link-config gig copper autoneg-control down-shift ethernet [ethernet ] | to ... Specify the variable in the following formats: • PowerConnect B-Series FCX stackable switches – You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. You can enable port speed down-shift on one or two ports at a time.
To disable selective auto-negotiation of 100m-auto on ports 0/1/21 to 0/1/25 and 0/1/30, enter the following. PowerConnect(config)# no link-config gig copper autoneg-control 100m-auto ethernet 0/1/21 to 0/1/25 ethernet 0/1/30 Configuring maximum port speed advertisement To configure a maximum port speed advertisement of 10 Mbps on a port that has auto-negotiation enabled, enter a command such as the following at the Global CONFIG level of the CLI.
• 100-half
• auto (default)
Configuring MDI/MDIX Dell PowerConnect devices support automatic Media Dependent Interface (MDI) and Media Dependent Interface Crossover (MDIX) detection on all Gbps Ethernet Copper ports. MDI/MDIX is a type of Ethernet port connection using twisted pair cabling. The standard wiring for end stations is MDI, whereas the standard wiring for hubs and switches is MDIX. MDI ports connect to MDIX ports using straight-through twisted pair cabling.
Disabling or re-enabling a port A port can be made inactive (disable) or active (enable) by selecting the appropriate status option. The default value for a port is enabled. To disable port 8 of a Dell PowerConnect device, enter the following. PowerConnect(config)# interface ethernet 8 PowerConnect(config-if-e1000-8)# disable You also can disable or re-enable a virtual interface. To do so, enter commands such as the following.
Disabling or re-enabling flow control You can configure the Dell PowerConnect device to operate with or without flow control. Flow control is enabled by default globally and on all full-duplex ports. You can disable and re-enable flow control at the Global CONFIG level for all ports. When enabled globally, you can disable and re-enable flow control on individual ports. To disable flow control, enter the following command.
Displaying flow-control status The show interface command displays configuration, operation, and negotiation status where applicable. For example, on a PowerConnect Stackable device, issuing the command for 10/100/1000M port 0/1/21 displays the following output. PowerConnect# show interfaces ethernet 0/1/21 GigabitEthernet0/1/21 is up, line protocol is up Hardware is GigabitEthernet, address is 00e0.5204.4014 (bia 00e0.5204.
Symmetric flow control addresses the requirements of a lossless service class in an Internet Small Computer System Interface (iSCSI) environment. It is supported on FCX standalone units as well as on all FCX units in an IronStack. About XON and XOFF thresholds An 802.3x PAUSE frame is generated when the buffer limit at the ingress port reaches or exceeds the port’s upper watermark threshold (XOFF limit).
• The following QoS features are not supported together with symmetric flow control:
  - Dynamic buffer allocation (CLI commands qd-descriptor and qd-buffer)
  - Buffer profiles (CLI command buffer-profile port-region)
  - DSCP-based QoS (CLI command trust dscp)
NOTE Although the above QoS features are not supported with symmetric flow control, the CLI will still accept these commands. The last command issued will be the one placed into effect on the device.
Syntax: symmetric-flow-control set 1 | 2 xoff <%> xon <%> symmetric-flow-control set 1 sets the XOFF and XON limits for 1G ports. symmetric-flow-control set 2 sets the XOFF and XON limits for 10G ports. For xoff <%>, the <%> minimum value is 60% and the maximum value is 95%. For xon <%>, the <%> minimum value is 50% and the maximum value is 90%. Use the show symmetric command to view the default or configured XON and XOFF thresholds.
Configuring PHY FIFO Rx and Tx depth PHY devices on PowerConnect B-Series FCX devices contain transmit and receive synchronizing FIFOs to adjust for frequency differences between clocks. The phy-fifo-depth command allows you to configure the depth of the transmit and receive FIFOs. There are 4 settings (0-3) with 0 as the default. A higher setting indicates a deeper FIFO. The default setting works for most connections.
Syntax: [no] ipg For value, enter a number in the range from 48-120 bit times in multiples of 8. The default is 96. As a result of the above configuration, the output from the show interface Ethernet 0/1/21 command is as follows. PowerConnect# show interfaces ethernet 0/1/21 GigabitEthernet 0/1/21 is up, line protocol is up Hardware is GigabitEthernet, address is 00e0.5204.4014 (bia 00e0.5204.
Chassis-based and Stackable devices NOTE The following procedure applies to Stackable devices and to Chassis-based 100/1000 Fiber interface modules only. The CLI syntax for enabling and disabling 100BaseFX support on these devices differs from that on a Compact device. Make sure you refer to the appropriate procedures.
NOTE When Gbps negotiation mode is turned off (CLI command gig-default neg-off), the Dell device may inadvertently take down both ends of a link. This is a hardware limitation for which there is currently no workaround. Modifying port priority (QoS) You can give preference to the inbound traffic on specific ports by changing the Quality of Service (QoS) level on those ports. For information and procedures, refer to Chapter 17, “Configuring Quality of Service”.
Enabling dynamic configuration of a Voice over IP (VoIP) phone You can create a voice VLAN ID for a port, or for a group of ports. To create a voice VLAN ID for a port, enter commands such as the following. PowerConnect(config)# interface ethernet 2 PowerConnect(config-if-e1000-2)# voice-vlan 1001 To create a voice VLAN ID for a group of ports, enter commands such as the following.
If the port link state toggles from up to down for a specified number of times within a specified period, the interface is physically disabled for the specified wait period. Once the wait period expires, the port link state is re-enabled. However, if the wait period is set to zero (0) seconds, the port link state will remain disabled until it is manually re-enabled.
PowerConnect(config)# interface ethernet 2/1 PowerConnect(config-if-e10000-2/1)# no link-error-disable 10 3 10 Displaying ports configured with port flap dampening Ports that have been disabled due to the port flap dampening feature are identified in the output of the show link-error-disable command. The following shows an example output. PowerConnect# show link-error-disable Port 2/1 is forced down by link-error-disable.
TABLE 10 Output of show link-error-disable (Continued)
This column...  Displays...
State  The port state can be one of the following:
  • Idle – The link is normal and no link state toggles have been detected or sampled.
  • Down – The port is disabled because the number of sampled errors exceeded the configured threshold.
  • Err – The port sampled one or more errors.
Counter  If the port state is Idle, this field displays N/A.
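The dampening rule above can be replayed offline against a port's link-down history, which helps when choosing threshold, sampling and wait values or when reconstructing why a port went down. The Python model below is an added example written for this page and is not Dell code. Its input timestamps are constructed, and it reads the guide's `link-error-disable 10 3 10` as toggle threshold, sampling time in seconds and wait time in seconds, in that order; that reading is an assumption to check against the CLI help of your release.

```python
"""Sliding-window model of port flap dampening (link-error-disable).

Added example, not part of the Dell guide. Replays up->down transitions
through the rule the guide states: if the link toggles `threshold` times
within `sampling_s` seconds the port is disabled for `wait_s` seconds; a
wait of 0 keeps it disabled until someone re-enables it by hand.
"""
from collections import deque


def simulate_flap_dampening(down_events, threshold, sampling_s, wait_s, now=None):
    """Return (disables, state).

    disables: list of (disabled_at, reenabled_at); reenabled_at is None when
              wait_s == 0 (manual re-enable required).
    state:    the port state at time `now`, using the Idle / Err / Down labels
              of the show link-error-disable output (approximation of the table).
    """
    window = deque()          # timestamps inside the current sampling period
    disables = []
    hold_until = None         # float end of the wait, or "manual" when wait_s == 0
    for t in sorted(down_events):
        if hold_until == "manual":
            break             # port stays down; later toggles cannot happen
        if hold_until is not None and t < hold_until:
            continue          # a disabled port cannot toggle during the wait
        window.append(t)
        while t - window[0] > sampling_s:
            window.popleft()  # keep only toggles within the sampling period
        if len(window) >= threshold:
            if wait_s == 0:
                disables.append((t, None))
                hold_until = "manual"
            else:
                disables.append((t, t + wait_s))
                hold_until = t + wait_s
            window.clear()
    if now is None:
        now = max(down_events) if down_events else 0
    if hold_until == "manual" or (hold_until is not None and now < hold_until):
        state = "Down"
    elif down_events:
        state = "Err"
    else:
        state = "Idle"
    return disables, state


if __name__ == "__main__":
    # Constructed history: three quick toggles, one more during the hold,
    # then a single toggle after the port came back.
    print(simulate_flap_dampening([0, 1, 2, 3, 20], threshold=3, sampling_s=3, wait_s=10, now=25))
```

A port that keeps flapping will be disabled again as soon as it re-accumulates `threshold` toggles after the wait expires, which is why a wait of 0 (manual re-enable) is the safer choice on ports where repeated flapping indicates a loop or a faulty device rather than a transient.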
Port loop detection This feature allows the Dell PowerConnect device to disable a port that is on the receiving end of a loop by sending test packets. You can configure the time period during which test packets are sent. Strict mode and loose mode There are two types of loop detection; Strict Mode and Loose Mode. In Strict Mode, a port is disabled only if a packet is looped back to that same port.
loops because STP cannot prevent loops across different VLANs. In these instances, the ports are not blocked and loop detection is able to send out probe packets in one VLAN and receive packets in another VLAN. In this way, loop detection running in Loose Mode disables both ingress and egress ports. Enabling loop detection Use the loop-detection command to enable loop detection on a physical port (Strict Mode) or a VLAN (Loose Mode).
The above command will cause the Dell PowerConnect device to automatically re-enable ports that were disabled because of a loop detection. By default, the device will wait 300 seconds before re-enabling the ports. You can optionally change this interval to a value from 10 to 65535 seconds. Refer to “Specifying the recovery time interval” on page 54. Syntax: [no] errdisable recovery cause loop-detection Use the [no] form of the command to disable this feature.
If a port is errdisabled in Strict mode, it shows “ERR-DISABLE by itself”. If it is errdisabled due to its associated vlan, it shows “ERR-DISABLE by vlan ?” The following command displays the current disabled ports, including the cause and the time.
TABLE 11 Field definitions for the show loop-detection resource command (Continued)
This field...  Describes...
get-mem  The number of get-memory requests
size  The size
init  The number of requests initiated
Syslog message The following message is logged when a port is disabled due to loop detection. This message also appears on the console.
Chapter 3 Operations, Administration, and Maintenance Table 12 lists the individual Dell PowerConnect switches and the operations, administration, and maintenance features they support.
3 Determining the software versions installed and running on a device You can update the software contained on a flash module using TFTP to copy the update image from a TFTP server onto the flash module. In addition, you can copy software images and configuration files from a flash module to a TFTP server. NOTE Dell PowerConnect devices are TFTP clients but not TFTP servers. You must perform the TFTP transaction from the Dell PowerConnect device.
Determining the boot image version running on the device To determine the boot image running on a device, enter the show flash command at any level of the CLI. The following shows an example output. PowerConnect#show flash Active Management Module (Slot 9): Compressed Pri Code size = 3613675, Version 03.1.00aT3e3 (sxr03100a.bin) Compressed Sec Code size = 2250218, Version 03.1.00aT3e1 (sxs03100a.
CLI commands Use the following command syntax to verify the flash image:
Syntax: verify md5 | sha1 | crc32 | primary | secondary []
• md5 – Generates a 16-byte hash code
• sha1 – Generates a 20-byte hash code
• crc32 – Generates a 4-byte checksum
• ascii string – A valid image filename
• primary – The primary boot image (primary.img)
• secondary – The secondary boot image (secondary.
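A practitioner computes the same digest on the server that holds the image and compares it with what the switch's verify command prints, so a corrupted or substituted image is caught before it is booted. The Python script below is an added example written for this page; it is not Dell code and does not run on the switch. The image bytes and reference digests it uses are constructed test vectors, and for a real image it assumes the reference digest is taken from the release notes rather than from the same TFTP server that holds the file.

```python
"""Operator-side digest check for a switch image.

Added example for this guide page; not Dell code. The switch command
`verify md5 | sha1 | crc32 primary | secondary` prints a digest of the image
in flash; this script computes the same three digests over the copy held on
the TFTP server so the two values can be compared.
"""
import hashlib
import hmac
import zlib

# Constructed sample "image" (the bytes b"abc"); a real FCX image is a
# multi-megabyte .bin file read from disk with open(path, "rb").read().
SAMPLE_IMAGE = b"abc"
SAMPLE_REFERENCE = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "crc32": "352441c2",
}


def image_digests(data: bytes) -> dict:
    """Return the md5 (16-byte), sha1 (20-byte) and crc32 (4-byte) values of
    the image as lowercase hex: the three algorithms the verify command offers."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def verify_image(data: bytes, expected: str, algo: str) -> bool:
    """True when the image matches the published digest for `algo`."""
    digests = image_digests(data)
    if algo not in digests:
        raise ValueError(f"unsupported algorithm: {algo}")
    # Constant-time compare: cheap, and it keeps the check from becoming a
    # timing oracle if it is ever exposed through an automation endpoint.
    return hmac.compare_digest(digests[algo], expected.strip().lower())


def upgrade_preflight(data: bytes, reference: dict) -> list:
    """Check every algorithm that has a reference value and return the names
    of those that do not match; an empty list means the image is good.
    crc32 only catches accidental corruption, so a clean crc32 together with
    a failing md5 or sha1 points at a substituted image, not a bad transfer."""
    return [algo for algo, ref in reference.items()
            if not verify_image(data, ref, algo)]


if __name__ == "__main__":
    print(image_digests(SAMPLE_IMAGE))
    print("mismatches:", upgrade_preflight(SAMPLE_IMAGE, SAMPLE_REFERENCE))
```

Of the three options the verify command offers, crc32 is a transfer-error check only; md5 and sha1 are the ones to compare against a digest obtained out of band, and the reference value should never come from the same unauthenticated TFTP server as the image itself.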
Image file types This section lists the boot and flash image file types supported and how to install them on the PowerConnect family of switches. For information about a specific version of code, refer to the release notes.
TABLE 13 Software image files
Product  Boot image (1)  Flash image
PowerConnect B-Series FCX  GRZxxxxxx.bin  FCXSxxxxx.bin (Layer 2) or FCXRxxxxx.bin (Layer 3)
1.
3 Using SNMP to upgrade software PowerConnect#copy flash console startup-config.backup ver ver 7.2.
Changing the block size for TFTP file transfers 3 1. Configure a read-write community string on the Dell PowerConnect device, if one is not already configured. To configure a read-write community string, enter the following command from the global CONFIG level of the CLI. snmp-server community ro | rw where is the community string and can be up to 32 characters long. A read-write community string is a credential: with SNMPv1/v2c it crosses the network in cleartext, and anyone who knows it can perform this upgrade and other configuration changes, so choose a string that cannot be guessed and limit the management stations allowed to use it. 2. On the Dell PowerConnect device, enter the following command from the global CONFIG level of the CLI.
Rebooting You can use boot commands to immediately initiate software boots from a software image stored in primary or secondary flash on a Dell PowerConnect device or from a BootP or TFTP server. You can test new versions of code on a Dell PowerConnect device or choose the preferred boot source from the console boot prompt without requiring a system reset. NOTE It is very important that you verify a successful TFTP transfer of the boot code before you reset the system.
Loading and saving configuration files 3 The results of the show run command for the configured example above appear as follows.
PowerConnect #show run
Current Configuration:
!
ver 7.2.00aT7f1
!
module 1 FCX-48-port-management-module
module 2 FCX-xfp-2-port-16g-module
module 3 FCX-xfp-2-port-16g-module
!
alias cp=copy tf 10.1.1.1 FCX04000bl.bin pri
!
!
boot sys fl sec
boot sys df 10.1.1.1 FCX04000bl.bin
boot sys fl pri
ip address 10.1.1.4 255.255.255.0
snmp-client 10.1.1.
To replace the startup configuration with the running configuration, enter the following command at any Enable or CONFIG command prompt. PowerConnect#write memory Replacing the running configuration with the startup configuration If you want to back out of the changes you have made to the running configuration and return to the startup configuration, enter the following command at the Privileged EXEC level of the CLI.
Dynamic configuration loading You can load dynamic configuration commands (commands that do not require a reload to take effect) from a file on a TFTP server into the running-config on the Dell PowerConnect device. You can make configuration changes off-line, then load the changes directly into the device running-config, without reloading the software.
NOTE If you copy-and-paste a configuration into a management session, the CLI ignores the "!" line instead of changing the CLI to the global CONFIG level. As a result, you might get different results if you copy-and-paste a configuration instead of loading the configuration using TFTP. • Make sure you enter each command at the correct CLI level.
Loading and saving configuration files with IPv6 3 • Always use the end command at the end of the file. The end command must appear on the last line of the file, by itself.
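Because loading a file from a TFTP server pushes its commands straight into the running configuration, checking the file against the rules above before it leaves the server avoids a half-applied change. The Python checker below is an added example written for this page, not part of the Dell guide or software. The sample fragments are constructed, and the set of commands it treats as opening a sub-level (interface, vlan, router) is a heuristic of this example rather than a list taken from the guide. Note also that TFTP neither authenticates the server nor protects the transfer, so the file should only be fetched from a server you control on the management network.

```python
"""Pre-flight check for a configuration fragment loaded from a TFTP server.

Added example, not Dell code. Encodes the guide's three rules: each command
must be at the correct CLI level, a line holding only "!" returns the CLI to
the global CONFIG level when the file is loaded via TFTP, and "end" must be
the last line, by itself.
"""

# Heuristic (assumption of this example, not from the guide): a command whose
# first word is in this set opens a sub-level, and indented lines are read as
# belonging to that sub-level.
LEVEL_OPENERS = {"interface", "vlan", "router"}

# Constructed fragments for demonstration.
GOOD_FRAGMENT = "interface ethernet 0/1/21\n disable\n!\nend\n"
# "!" returns to global CONFIG, so the indented sub-level command that follows
# would be entered at the wrong level.
BAD_LEVEL_FRAGMENT = "interface ethernet 0/1/21\n!\n disable\nend\n"

MSG_NO_END = "file must finish with `end` on a line by itself"
MSG_EARLY_END = "`end` before the last line leaves CONFIG mode early"
MSG_LEVEL = "sub-level command but no enclosing interface/vlan/router block"


def check_config_fragment(text: str) -> list:
    """Return a list of (line_no, message); an empty list means the file passes."""
    problems = []
    lines = text.splitlines()
    nonblank = [(n, line) for n, line in enumerate(lines, 1) if line.strip()]
    # Rule: `end` is the last line, with no indentation or trailing text.
    if not nonblank or nonblank[-1][1] != "end":
        problems.append((len(lines), MSG_NO_END))
    in_sublevel = False
    for n, line in nonblank:
        stripped = line.strip()
        if stripped == "end":
            if (n, line) != nonblank[-1]:
                problems.append((n, MSG_EARLY_END))
            continue
        if stripped == "!":
            in_sublevel = False          # TFTP load: back to global CONFIG
            continue
        if stripped.split()[0] in LEVEL_OPENERS:
            in_sublevel = True
            continue
        if line[0].isspace() and not in_sublevel:
            problems.append((n, MSG_LEVEL))
    return problems


if __name__ == "__main__":
    for name, frag in (("good", GOOD_FRAGMENT), ("bad-level", BAD_LEVEL_FRAGMENT)):
        print(name, check_config_fragment(frag) or "ok")
```

The check deliberately fails closed on `end` with surrounding whitespace, since the guide requires the keyword by itself on the last line; a file that passes can still contain commands the device rejects, so the loaded running configuration should be reviewed with show running-config before write memory.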
• Copy a file from an IPv6 TFTP server to a specified destination Copying a file to an IPv6 TFTP server You can copy a file from the following sources to an IPv6 TFTP server: • Flash memory • Running configuration • Startup configuration Copying a file from flash memory For example, to copy the primary or secondary boot image from the device flash memory to an IPv6 TFTP server, enter a command such as the following.
• Flash memory • Running configuration • Startup configuration Copying a file to flash memory For example, to copy a boot image from an IPv6 TFTP server to the primary or secondary storage location in the device flash memory, enter a command such as the following. PowerConnect#copy tftp flash 2001:7382:e0ff:7837::3 test.img secondary This command copies a boot image named test.
• Copy a primary or secondary boot image from flash memory to an IPv6 TFTP server.
• Copy the running configuration to an IPv6 TFTP server.
• Copy the startup configuration to an IPv6 TFTP server.
• Upload various files from an IPv6 TFTP server.
• Startup configuration. Uploading a primary or secondary boot image from an IPv6 TFTP server For example, to upload a primary or secondary boot image from an IPv6 TFTP server to a device flash memory, enter a command such as the following. PowerConnect#ncopy tftp 2001:7382:e0ff:7837::3 primary.img flash primary This command uploads the primary boot image named primary.
3 Scheduling a system reload 1. Configure a read-write community string on the Dell PowerConnect device, if one is not already configured. To configure a read-write community string, enter the following command from the global CONFIG level of the CLI. snmp-server community ro | rw where is the community string and can be up to 32 characters long. 2. On the Dell device, enter the following command from the global CONFIG level of the CLI.
Diagnostic error codes and remedies for TFTP transfers 3 Reloading after a specific amount of time To schedule a system reload to occur after a specific amount of time has passed on the system clock, use the reload after command. For example, to schedule a system reload from the secondary flash one day and 12 hours later, enter the following command at the global CONFIG level of the CLI.
3 Testing network connectivity
Error code 7
Message: TFTP busy, only one TFTP session can be active.
Explanation and action: Another TFTP transfer is active on another CLI session, Web management session, or Brocade Network Advisor session. Wait, then retry the transfer.
Error code 8
Message: File type check failed.
Explanation and action: You attempted to copy the incorrect image code into the system. For example, you might have tried to copy a Chassis image into a Compact device. Retry the transfer using the correct image.
The source specifies an IP address to be used as the origin of the ping packets. The count parameter specifies how many ping packets the device sends. You can specify from 1 – 4294967296. The default is 1. The timeout parameter specifies how many milliseconds the Dell PowerConnect device waits for a reply from the pinged device. You can specify a timeout from 1 – 4294967296 milliseconds. The default is 5000 (5 seconds).
Tracing an IPv4 route NOTE This section describes the IPv4 traceroute command. For details about IPv6 traceroute, refer to “IPv6 Traceroute” on page 253. Use the traceroute command to determine the path through which a Dell PowerConnect device can reach another device. Enter the command at any level of the CLI. The CLI displays trace route information for each hop as soon as the information is received. Traceroute requests display all responses to a given TTL.
Chapter 4 Software-based Licensing Table 14 lists the individual Dell PowerConnect switches and the software licensing features they support.
TABLE 14 Supported software licensing features
Feature  PowerConnect B-Series FCX
Software-based licensing  Yes
License generation
License query
Deleting a license
Software license terminology This section defines the key terms used in this chapter.
Software-based licensing overview With the introduction of software-based licensing, one or more valid software licenses are required to run licensed features on the device. Dell PowerConnect devices that support software-based licensing use it exclusively, eliminating the need for a customer- or factory-installed EEPROM on the management module or switch backplane.
Licensed features and part numbers 4 For a list of features supported with these images, refer to the release notes. Licensed features and part numbers Table 16 lists the supported licensed features, associated image filenames, and related part numbers. NOTE There are no changes to the part numbers for products with pre-installed (factory-installed) licenses. These part numbers are listed for reference in the last column of Table 16.
For example, if stack member unit 4 does not have a license to run BGP whereas the Active controller does, unit 4 has an inferior license and will not be allowed to join the stack. Likewise, if unit 4 has a license to run BGP whereas the Active controller does not, unit 4 has a superior license and will be allowed to join the stack, but will not be elected as the Standby Controller.
Configuration tasks This section describes the configuration tasks for generating and obtaining a software license, then installing it on the Dell PowerConnect device. Perform the tasks in the order listed in Table 17.
TABLE 17 Configuration tasks for software licensing
Configuration task  See...
1 Order the desired license.  For a list of available licenses and associated part numbers, see “Licensed features and part numbers” on page 81.
Figure 5 shows the Software Portal Login window.
Figure 6 shows the License Management Welcome window that appears after logging in to the software portal. From this window, mouse over the License Management banner, then IP/Ethernet, then click on License Generation with Transaction key.
Figure 7 shows the IP/Ethernet License Generation window for generating a license using a transaction key and LID. FIGURE 7 IP Ethernet License Generation window Enter the required information in each text box shown in Figure 7.
• For a description of the field, move the mouse pointer over the text box.
• An asterisk next to a field indicates that the information is required.
• You can generate more than one license at a time.
Press the Generate button to generate the license. Figure 8 shows the results window, which displays an order summary and the results of the license request. • If the license request was successful, the “Status” field will indicate Success and the “License File” field will contain a hyperlink to the generated license file. The license file will also be automatically e-mailed to the specified Customer e-mail ID.
Installing a license file Once you obtain a license file, place it on a TFTP or SCP server to which the Dell PowerConnect device has access, then use TFTP or SCP to copy the file to the license database of the Dell PowerConnect device. SCP authenticates the server and encrypts the transfer, whereas TFTP does neither, so prefer SCP wherever the path between the server and the switch is not fully trusted. Using TFTP to install a license file To copy a license file from a TFTP server to the license database of the Dell PowerConnect device, enter a command such as the following at the Privileged EXEC level of the CLI: PowerConnect# copy tftp license 10.1.
Other licensing options available from the Brocade Software Portal This section describes other software licensing tasks supported from the Brocade software portal. Viewing software license information You can use the License Query option to view software license information for a particular unit, transaction key, or both. You can export the report to Excel for sharing or archiving purposes.
4 Transferring a license Figure 10 shows an example of the license query results. FIGURE 10 License Query results window In this example, the line items for Level 1 display hardware-related information and the line items for Level 2 display software-related information. If the query was performed before the transaction key was generated, the first row (Level 1) would not appear as part of the search results.
Viewing information about software licenses 4
TABLE 18 Syslog messages
Message level: Warning
Message: License: Package with LID expires in days
Explanation: The trial license is about to expire. This message will begin to display 3 days before the expiration date, and every 2 hours on the last day before the license expires.
Message level: Notification
Message: License: Package with LID has expired
Explanation: The trial license has expired.
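Because the expiry warning repeats every two hours on the last day, a monitoring pipeline should collapse these messages per license and act on the most urgent state rather than alert on every line. The Python parser below is an added example written for this page, not Dell code. The guide prints the message text with its variable fields removed, so the regular expressions assume the fields are the package name after Package, the LID after LID and the day count before days; the log lines, hostname and package names are constructed.

```python
"""Collapse license-expiry syslog messages into one state per license.

Added example, not Dell code. Field positions in the message are assumed:
  License: Package <package> with LID <lid> expires in <n> days
  License: Package <package> with LID <lid> has expired
"""
import re

EXPIRES_RE = re.compile(
    r"License: Package (?P<pkg>\S+) with LID (?P<lid>\S+) expires in (?P<days>\d+) days?")
EXPIRED_RE = re.compile(
    r"License: Package (?P<pkg>\S+) with LID (?P<lid>\S+) has expired")

# Constructed log lines: one license warned three times (the last-day
# repeats), a second license that then expires, and an unrelated message.
SAMPLE_SYSLOG = [
    "Jan 10 08:00:01 sw1 Warning: License: Package EXAMPLE-PKG with LID LID0001 expires in 3 days",
    "Jan 12 08:00:01 sw1 Warning: License: Package EXAMPLE-PKG with LID LID0001 expires in 1 days",
    "Jan 12 10:00:01 sw1 Warning: License: Package EXAMPLE-PKG with LID LID0001 expires in 1 days",
    "Jan 12 08:00:03 sw1 Warning: License: Package OTHER-PKG with LID LID0002 expires in 1 days",
    "Jan 13 00:00:05 sw1 Notification: License: Package OTHER-PKG with LID LID0002 has expired",
    "Jan 13 00:00:09 sw1 Info: interface ethernet 0/1/1, state up",
]


def parse_license_events(lines):
    """Yield one dict per license message; other syslog lines are skipped."""
    events = []
    for line in lines:
        m = EXPIRES_RE.search(line)
        if m:
            events.append({"pkg": m["pkg"], "lid": m["lid"],
                           "days_left": int(m["days"]), "expired": False})
            continue
        m = EXPIRED_RE.search(line)
        if m:
            events.append({"pkg": m["pkg"], "lid": m["lid"],
                           "days_left": 0, "expired": True})
    return events


def summarize_license_state(lines):
    """Map (package, LID) to its most urgent observed state, so repeated
    last-day warnings produce a single record and an expiry overrides them."""
    state = {}
    for ev in parse_license_events(lines):
        key = (ev["pkg"], ev["lid"])
        cur = state.get(key)
        if cur is None or ev["expired"] or ev["days_left"] < cur["days_left"]:
            state[key] = {"days_left": ev["days_left"], "expired": ev["expired"]}
    return state


if __name__ == "__main__":
    for key, st in summarize_license_state(SAMPLE_SYSLOG).items():
        print(key, st)
```

An expired license removes the feature it unlocked, which on a stack can also change which units are allowed to join or act as Standby Controller, so the expired state deserves a ticket rather than a log entry.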
Viewing the license database To display general information about all software licenses in the license database, use the show license command. The following shows example output.
Viewing software packages installed in the device Use the show version command to view the software packages that are currently installed in the device. NOTE The software package name is not the same as the license name. PowerConnect#show version Copyright (c) 1996-2010 Brocade Communications Systems, Inc. UNIT 1: compiled on Mar 30 2010 at 18:39:20 labeled as FCXR07000b1 (5245400 bytes) from Secondary FCXR07000b1.bin SW: Version 07.0.
Chapter 5 Stackable Devices Table 21 lists the individual Dell PowerConnect switches and the Ironstack features they support.
5 IronStack overview
• Active Controller, Standby Controller, and member units in a stack
• Active Controller management of entire stack
• Active Controller download of software images to all stack units
• Standby Controller for stack redundancy
• Active Controller maintenance of information database for all stack units
• Packet switching in hardware between ports on stack units
• All protocols operate on an IronStack in the same way as on a chassis system.
show, stack, and a few debug commands. When the stack is formed, all local consoles are directed to the Active Controller, which can access the entire CLI. The last line of output from the show version command indicates the role of a unit, unless it is a standalone unit, in which case it is not shown. For example: My stack unit ID = 1, bootup role = active • Clean Unit - A unit that contains no startup flash configuration or run time configuration.
5 Building an IronStack
• Static Configuration - A configuration that remains in the database of the Active Controller even if the unit it refers to is removed from the stack. Static configurations are derived from the startup configuration file during the boot sequence, are manually entered, or are converted from dynamic configurations after a write memory command is issued.
• Dynamic Configuration - A unit configuration that is dynamically learned by a new stack unit from the Active Controller.
FIGURE 11 PowerConnect B-Series FCX linear and ring stack topologies
FIGURE 12 PowerConnect B-FCX-E ring topology stack using SFP+ module ports
[Figure: front-panel port layout of the stacked units; not reproduced in text.]
FIGURE 13 PowerConnect B-FCX-E linear topology stack using SFP+ module ports
[Figure: front-panel port layout of the stacked units; not reproduced in text.]
1. Use the secure-setup utility to form your stack. Secure-setup gives you control over the design of your stack topology and provides security through password verification. For the secure-setup procedure, refer to “Scenario 1 - Configuring a three-member IronStack in a ring topology using secure-setup” on page 101. 2. Automatic stack configuration.
• Authentication of secure-setup packets provides verification that these packets are from a genuine Dell stack unit. MD5-based port verification confirms stacking ports.
• Superuser password is required to allow password-protected devices to become members of an IronStack.
• The stack disable command.
5. Enter the stack secure-setup command. As shown in the following example, this command triggers a Dell proprietary discovery protocol that begins the discovery process in both upstream and downstream directions. The discovery process produces a list of upstream and downstream devices that are available to join the stack.
ID  Type      Role     Mac Address     Pri  State   Comment
1   S FCX648  active   00e0.52ab.cd00  128  local   Ready
2   D FCX624  standby  0012.f2d5.2100  60   remote  Ready
3   D FCX624  member   0012.f239.2d40  0    remote  Ready
    active         standby
     +---+          +---+          +---+
 -2/1| 1 |3/1--2/1| 2 |3/1--2/2| 3 |2/1-
     +---+          +---+          +---+
Current stack management MAC is 00e0.52ab.cd00
NOTE For field descriptions for the show stack command, refer to “Displaying stack information” on page 135. NOTE In this output, D indicates a dynamic configuration.
7. When the Active Controller has finished the authentication process, you will see output that shows the suggested assigned stack IDs for each member. You can accept these recommendations, or you can manually configure stack IDs. Enter the show stack command to verify that all units are in the ready state.
PowerConnect# show stack
alone: standalone, D: dynamic config, S: static
ID  Type      Role     Mac Address     Pri  State
1   S FCX624  active   00e0.5201.4000  128  local
2   S FCX648  standby  001b.
Follow the steps given below to configure a three-member IronStack in a ring topology using automatic setup process. 1. Power on the devices. 2. This process requires clean devices (except for the Active Controller) that do not contain any configuration information. To change a device to a clean device, enter the erase startup-config command and reset the device. When all of the devices are clean, continue with the next step.
PowerConnect# show running config
Current configuration:
!
ver 07.2.00a
!
stack unit 1
  module 1 FCX-24-port-management-module
  priority 255
stack unit 2
  module 1 FCX-24-port-management-module
  priority 240
stack unit 3
  module 1 FCX-24-port-management-module
stack enable
!
NOTE For field descriptions for the show running config command, refer to “Displaying running configuration information” on page 143. 10. To see information about your stack, enter the show stack command.
Scenario 3 - Configuring a three-member IronStack in a ring topology using the manual configuration process NOTE For more detailed information about configuring a PowerConnect B-Series FCX IronStack, see “Configuring an FCX IronStack” on page 109. Follow the steps given below to configure a three-member IronStack in a ring topology using the manual configuration process. 1. Power on the devices. Do not connect the stacking cables at this point. 2.
For more information about cabling the devices, refer to the appropriate hardware installation guides. NOTE This method does not guarantee sequential stack IDs. If you want to change stack IDs to make them sequential, you can use secure-setup. Refer to “Renumbering stack units” on page 149.
NOTE If you are adding PowerConnect B-Series FCX-E or PowerConnect B-Series FCX-I devices to a stack containing PowerConnect B-Series FCX-S devices, you must reconfigure the stacking ports on the PowerConnect B-Series FCX-S devices to be the 10 Gbps ports on the front panel. You can then connect all of the devices in a stack using front panel ports.
0 runts, 0 giants
0 packets output, 0 bytes, 0 underruns
Transmitted 0 broadcasts, 0 multicasts, 0 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Disabled

Changing PowerConnect B-Series FCX-S and PowerConnect B-Series FCXS-PowerConnect B-Series FCX4 ports from 10 Gbps to 16 Gbps

To change the PowerConnect B-Series FCX4 ports from 10 Gbps back to 16 Gbps, enter the no speed-duplex 10g command at the interface level of the CLI, as shown in this example.
Secure-setup probe packets can be received by a default port whether or not it is acting as a stacking port. Stacking packets can only be received by a stacking port (which is also always a default port). In order to use stacking ports that are not defined in the default configuration, you must define the port settings for each unit using the default-port command, so that secure-setup can discover the topology of the stack.
TABLE 22 Slot and port designations for PowerConnect stackable devices

Device | Slot 1 | Slot 2 | Slot 3 | Slot 4
PowerConnect B-Series FCX624S | 24 10/100/1000 ports on front panel | Two 16 Gbps ports on rear panel | Two 10 Gbps ports on front panel | N/A
PowerConnect B-Series FCX648S | 48 10/100/1000 ports on front panel | Two 16 Gbps ports on rear panel | Two 10 Gbps ports on front panel | N/A
PowerConnect B-Series FCX-E devices with four-port 1 Gbps SFP module | Four-port 1 Gbps SFP mo
If you enter an incorrect stack port number, you will get an error similar to the following.

PowerConnect(config-unit-3)# stack-port 3/4/1
Error! port 3/4/1 is invalid
PowerConnect(config-unit-3)# stack-port 3/2/1

To return both ports to stacking status, enter the no stack-port command on the single stacking port. This converts both ports to stacking ports. By default, if both ports are stacking ports, they are displayed by the system only when stacking is enabled.
Stack unit 3 Power supply 1 is up
Stack unit 3 Power supply 2 is down
Config changed due to add/del units. Do write mem if you want to keep it
Election, was active, no role change, assigned-ID=1, total 3 units, my priority=128
PowerConnect#
Config changed due to add/del units. Do write mem if you want to keep it
PowerConnect# show stack
alone: standalone, D: dynamic config, S: static config
ID Type Role Mac Address Pri State Comment
1 S FCX624 active 001b.f2e5.
Use the no form of the command to revert to the 4-byte Ethernet preamble.

Verifying an IronStack configuration

Verifying a PowerConnect B-Series FCX IronStack configuration

The following output shows an example configuration of a PowerConnect B-Series FCX IronStack.

PowerConnect# show stack
alone: standalone, D: dynamic config, S: static config
ID Type Role Mac Address Pri State Comment
2 S FCX648 standby 00e0.5202.0000 0 remote Ready
3 S FCX624 member 00e0.5203.
P-ENGINE 1: type DB90, rev 01
==========================================================================
UNIT 4: SL 2: FCX-2XGC 2-port 16G Module (2-CX4)
==========================================================================
UNIT 4: SL 3: FCX-2XG 2-port 16G Module (2-XFP)
==========================================================================
UNIT 8: SL 1: FCX-48G 48-port Management Module
P-ENGINE 0: type DB90, rev 01
P-ENGINE 1: type DB90, rev 01
==========================
5 Managing your IronStack

Your IronStack can be managed through a single IP address. You can manage the stack using this IP address even if you remove the Active Controller or any member from the stack. You can also connect to the Active Controller through Telnet or SSH using this address. All management functions, such as SNMP, use this IP address to acquire MIB information and other management data.
on the Active Controller physical console port during a reload will not be visible on the console ports of the stack members because the remote connections are not established until the software loading process is complete. It is preferable to connect a cable to the console port on the stack unit that will normally be the Active Controller, rather than to the console port of one of the other stack units.
PowerConnect# rconsole 2
Connecting to unit 2... (Press Ctrl-O X to exit)
rconsole-2@PowerConnect#show stack
ID Type Role Mac Address Prio State Comment
2 S FCX624P standby 0012.f2e2.ba40 0 local Ready
rconsole-2@PowerConnect# exit
rconsole-2@PowerConnect> exit
Disconnected. Returning to local session...

Establish a remote console session with stack unit 3.

PowerConnect# rconsole 3
Connecting to unit 3...
NOTE
For hitless stacking failover, Dell recommends that you configure the IronStack MAC address using the stack mac command. Without this configuration, the MAC address of the stack will change to the new base MAC address of the Active Controller. This could cause a spanning tree root change. Even without a spanning tree change, a client (for example, a personal computer) pinging the stack might encounter a long delay depending on the client MAC aging time.
Fan 1 ok
Fan 2 ok
--More--, next page: Space, next line: Return key, quit: Control-c

NOTE
For field descriptions for the show chassis command, refer to “Displaying chassis information” on page 133.
IronStack unit priority

A unit with a higher priority is more likely to be elected Active Controller. The priority value can be 0 to 255, with a priority of 255 being the highest. The default priority value assigned to the Active Controller and Standby is 128. You can assign the highest priority value to the stack unit you want to function as the Active Controller.
CLI command syntax

CLI syntax that refers to stack units must contain all of the following parameters: stack-unit/slot/port

• stack-unit - If the device is operating as a standalone, the stack-unit will be 0 or 1. Stack IDs can be 0 or any number from 1 through 8.
• slot - Refers to a specific group of ports on each device.
• port - A valid port number.
TABLE 23 Stacking CLI commands (Continued)

Command | Description
location...
NOTE
The two left ports on the Four-port 10Gbps SFP+ module do not pass regular Ethernet traffic by default. The stack disable command must be entered at the global level and the stack disable command must be configured on these two ports in order for them to pass regular traffic.

Copying the flash image to a stack unit from the Active Controller

To copy the flash image to a stack unit from the Active Controller primary or secondary flash, enter the following command.
Available UPSTREAM units
Hop(s) Type Mac Address
1 FCX624 0012.f2d5.2100
2 FCX624 001b.ed5d.9940
Available DOWNSTREAM units
Hop(s) Type Mac Address
1 FCX624 001b.ed5d.9940
2 FCX624 0012.f2d5.2100
Do you accept the topology (RING) (y/n)?: n
Available UPSTREAM units
Hop(s) Type Mac Address
1 FCX624 0012.f2d5.2100
2 FCX624 001b.ed5d.9940
Available DOWNSTREAM units
Hop(s) Type Mac Address
1 FCX624 001b.ed5d.9940
2 FCX624 0012.f2d5.
To reverse the partitioning, reconnect all of the units into the original stack topology using the stacking ports. This is the same as merging stacks. If the original Active Controller again has the highest priority, it will regain its role. If two partition Active Controllers have the same priority, the Active Controller with the most stack members will win the election. This process helps minimize traffic interruption.
the stack MAC address changes. During this configured interval, if the previous Active Controller is reinstalled in the stack, the stack continues to use the MAC address of this unit, even though it may no longer be the Active Controller. If the previous Active Controller does not rejoin the stack during the specified time interval, the stack assumes the address of the new Active Controller as the stack MAC address.
  priority 40
stack enable
stack persistent-mac 60

To display the stack MAC addresses, enter the show stack command.

PowerConnect(config)# show stack
alone: standalone, D: dynamic config, S: static config
ID Type Role Mac Address Prio State Comment
1 S FCX648S active 0012.f2d5.9380 80 local Ready
2 S FCX648 member 00e0.6666.8880 0 remote Ready
3 S FCX624 standby 0012.f2dc.0ec0 40 remote Ready
Current persistent MAC is 0012.f2d5.9380
PowerConnect(config)# stack mac 111.111.
• me - unconfigure this unit only
• clean - removes all startup configuration files including v4 and v5 and makes this a clean unit

NOTE
The stack unconfigure me command is available to all units, while stack unconfigure all and stack unconfigure are available on the Active Controller only.

The following example shows a session where stack unit 2 is unconfigured.
Compressed Pri Code size = 3034232, Version 05.0.00T7e1 (FCX05000.bin)
Compressed Sec Code size = 2873523, Version 04.2.00aT7e1 (FCX04200a.bin)
Compressed BootROM Code size = 403073, Version 03.0.00T7e5
Code Flash Free Space = 24117248
Stack unit 3:
Compressed Pri Code size = 3034232, Version 05.0.00T7e1 (FCX05000.bin)
Compressed Sec Code size = 2873568, Version 04.2.00T7e1 (FCX04200.bin)
Compressed BootROM Code size = 405217, Version 04.0.
Dynamic memory: 238026752 bytes total, 182820504 bytes free, 23% used
Stack unit 8:
Total DRAM: 268435456 bytes
Dynamic memory: 238026752 bytes total, 182811440 bytes free, 23% used
PowerConnect#

Syntax: show memory

Table 25 describes the fields displayed in this output example.

TABLE 25 Field definitions for the show memory command

This field... | Describes...
Fan 1 ok
Fan 2 ok
Exhaust Side Temperature Readings:
Current temperature : 31.5 deg-C
Warning level.......: 85.0 deg-C
Shutdown level......: 90.0 deg-C
Intake Side Temperature Readings:
Current temperature : 32.0 deg-C
Boot Prom MAC: 0012.f2db.e500

Syntax: show chassis

Table 26 describes the fields displayed in this output example.

TABLE 26 Field definitions for the show chassis command

This field... | Describes...
Power Supply 1 | The status of the primary power supply.
S8:M2 FCX-1XG 1-port 16G Module (1-XFP) OK 1 0012.f2eb.d570
S8:M3 FCX-1XG 1-port 16G Module (1-XFP) OK 1 0012.f2eb.d571
PowerConnect(config)#

Syntax: show module

Table 27 describes the fields displayed in this output example.

TABLE 27 Field definitions for the show module command

This field... | Describes...
The show stack command displays general information about an IronStack, for all members, for a specified member, and with additional detail if required. The following output covers the entire stack.

PowerConnect(config)# show stack
alone: standalone, D: dynamic config, S: static config
ID Type Role Mac Address Pri State Comment
1 S FCX648 active 0012.f2eb.a900 130 local Ready
2 S FCX648 standby 00f0.424f.4243 0 remote Ready
3 S FCX624 member 00e0.5201.
TABLE 29 Field descriptions for the show stack command

This field | Indicates...
alone: Standalone | This device is operating as a standalone device.
S: static configuration | The configuration for this unit is static (has been saved with a write memory command).
D: dynamic configuration | The configuration for this unit is dynamic and may be overwritten by a new stack unit. To change to a static configuration, enter the write memory command.
TABLE 31 Field descriptions for the show stack flash command

This field | Indicates...
ID | Device ID
role | The role of this device in the stack
priority | The priority of this device in the stack
config | Indicates the port state (up or down) and identifies the port by number (stack-ID/slot/port).

Syntax: show stack flash

Displaying stack rel-IPC statistics

Use the show stack rel-ipc stats command to display session statistics for stack units.
Msgs sent: 0, Msgs received: 0
Atomic batches sent: 0, Atomic batches received: 0
Pkts sent: 1, Pkts received: 6
Msg bytes sent: 0, Msg bytes received: 0
Pkt bytes sent: 12, Pkt bytes received: 72
Flushes requested: 0, Suspends: 0, Resumes: 0
Packets sent with data (DAT), ACKs, and window updates (WND):
Other: 1, ACK: 0, WND: 0, ACK+WND: 0
DAT: 0, DAT+ACK: 0, DAT+WND: 0, DAT+ACK+WND: 0
Data retransmits done: 0, Zero-window probes sent: 0
Dup ACK pkts rcvd: 6, Pkts rcvd w/dup data
Session state: established (last established 31 minutes 11 seconds ago)
Connections established: 1
Remote resets: 0, Reset packets sent: 0
Connection statistics (for current connection, if established):
Msgs sent: 955, Msgs received: 489
Atomic batches sent: 0, Atomic batches received: 0
Pkts sent: 1172, Pkts received: 1054
Msg bytes sent: 43705, Msg bytes received: 18696
Pkt bytes sent: 236968, Pkt bytes received: 33564
Flushes requested: 59, Suspends: 0, Resumes: 0
Packets sent
Pkts sent: 8, Pkts received: 13
Msg bytes sent: 123, Msg bytes received: 20V
Pkt bytes sent: 232, Pkt bytes received: 296
Flushes requested: 2, Suspends: 0, Resumes: 0
Packets sent with data (DAT), ACKs, and window updates (WND)
Other: 5, ACK: 1, WND: 0, ACK+WND: 0
DAT: 2, DAT+ACK: 0, DAT+WND: 0, DAT+ACK+WND: 0
Data retransmits done: 0, Zero-window probes sent: 0
Dup ACK pkts rcvd: 6, Pkts rcvd w/dup data: 0
Pkts rcvd w/data past window: 0

Syntax: show stack rel-ipc stats

Displ
Other: 1, ACK: 0, WND: 0, ACK+WND: 0
DAT: 0, DAT+ACK: 0, DAT+WND: 0, DAT+ACK+WND: 0
Data retransmits done: 0, Zero-window probes sent: 0
Dup ACK pkts rcvd: 7, Pkts rcvd w/dup data: 0
Pkts rcvd w/data past window: 0
Session statistics, unit 3, channel 3:
Session state: established (last established 32 minutes 19 seconds ago)
Connections established: 1
Remote resets: 0, Reset packets sent: 0
Connection statistics (for current connection, if established):
Msgs sent: 242, Msgs receiv
Table 32 describes the output from the show stack neighbors command.

TABLE 32 Field descriptions for the show stack neighbors command

This field | Indicates...
ID | The stack identification number for this unit.
  module 3 FCX-xfp-1-port-16g-module
  priority 128
stack enable
!

Syntax: show running-config

Table 34 describes the output from the show running-config command.

TABLE 34 Field descriptions for the show running-config command

This field | Indicates...
Stack unit <#> | The stack identification number for this unit.
Module <#> | Identifies the configuration for modules on this unit.
(3054675 bytes) from Primary FCX05000.bin
BootROM: Version 04.0.
PowerConnect# show interfaces stack-ports
Port  Link State   Dupl Speed   Trunk Tag P MAC            Name
1/2/1 Up   Forward Full 10G-CX4 None  No  l 0012.f2e4.6e30
1/2/2 Up   Forward Full 10G-CX4 None  No  l 0012.f2e4.6e31
2/2/1 Up   Forward Full 10G-CX4 None  No  l 0012.f2e3.11f0
2/2/2 Up   Forward Full 10G-CX4 None  No  l 0012.f2e3.11f1
3/2/1 Up   Forward Full 10G-CX4 None  No  l 0012.
3/2/2 Up   Forward Full 10G-CX4 None  No  l
4/2/1 Up   Forward Full 10G-CX4 None  No  l
4/2/2 Up   Forward Full 10G-CX4 None  No  l
Syntax: show statistics stack-ports

Table 36 describes the fields displayed by the show statistics stack-ports command.

TABLE 36 Field definitions for the show statistics stack-ports command

This field | Indicates...
Port | The stack identification number for this unit.
• If the Active Controller has configuration information for a new unit, and it matches the base module (module 1) of the new unit, no action is necessary. If configuration information for non-base modules on the new unit does not match the information on the Active Controller, the Active Controller learns the configuration for the new unit module types and merges it with the information it has for the base module.
NOTE
Adding, removing or replacing a stack unit which is not at the end of a linear topology may cause the other units in the stack to reset if these units lose their path to the Active Controller during the process. Adding or removing a unit in a ring topology should not cause the other units to reset because each unit can still find a path to the Active Controller.
2 6 FCX624 001b.ed5d.
Troubleshooting an IronStack

Syslog, SNMP, and traps

Syslog messages from stack units are forwarded to, and can be viewed from, the Active Controller. All stack units support SNMP gets, sets, and traps, which are managed by the Active Controller. An SNMP trap is sent from a stack unit to the stack Active Controller, and forwarded from the Active Controller to an SNMP-configured server.
Troubleshooting an unsuccessful stack build

If you are unable to build a stack (for example, the show stack command does not display any stack units), perform the following steps.

1. Enter the show run command on each unit to make sure the configuration contains “stack enable”. If it does not, enter the stack enable command on the unit. Before a stack is formed, you can still access the console port on each device.
If the send message types: field is empty, it means that stack enable has not been configured. If the number of Recv IPC packets increases, but there are no Recv message types, then the packets are being dropped for various reasons, including the wrong IPC version, or a checksum error. The Possible errors field will list reasons for packet loss.

NOTE
A small “***state not ready” count is normal, but if it continues to increase a problem is indicated.

6.
Stack mismatches

When a stack mismatch occurs, the Active Controller can put any stack member into a non-operational state, which disables all of the ports except the stacking ports. Stack mismatches can occur for a variety of reasons, which are discussed in this section.

NOTE
The Active Controller can still download an image to the non-operational unit.

The Active Controller generates a log message whenever it puts a stack unit into a non-operational state.
Image mismatches

Major mismatch

A major mismatch indicates an Interprocessor Communications (IPC)-related data structure change, or an election algorithm change, or that a version of the software that does not support stacking is installed on a unit. This can happen when the software undergoes a major change (such as a change from 05.0.00 to 05.1.00). When a major mismatch occurs, the system logs and prints a message similar to the following.

Warning! Recv 424 IPC in 1m from 0012.f21b.
Configuration mismatches can happen during manual setups, or when moving a unit from one stack to another stack. Secure-setup will try to overwrite a configuration mismatch even if the configuration is static. The overwrite attempt may fail if there are multi-slot trunk or LACP configurations on the ports of the unit to be overwritten. If this is the case, secure-setup will be unable to resolve the mismatch.
PowerConnect# show running config
stack unit 1
  module 1 FCX-24-port-management-module
  module 3 FCX-cx4-2-port-16g-module
  module 4 FCX-xfp-2-port-16g-module
  priority 128
stack unit 2
  module 1 FCX-24-port-management-module
  module 3 FCX-xfp-2-port-16g-module
stack unit 3
  module 1 FCX-48-port-management-module
  module 2 FCX-cx4-2-port-16g-module
  module 3 FCX-cx4-2-port-16g-module
stack enable

3. To resolve the mismatch, you must remove the configuration for stack unit 3.
More about IronStack technology

If secure-setup times out (this may happen due to inactivity), you will not be able to make any changes in your configuration or stack topology until you restart the session by entering the stack secure-setup command. The unit discovery process is triggered when secure-setup is initiated. However, if the stack unit is placed in a topology where another unit in the stack is already running the discovery process, the current discovery process is terminated.
will recover their original startup-config.txt files and reboot as standalone devices. If you enter the stack unconfigure all command from the Active Controller all devices will recover their old startup-config.txt files and become standalone devices. When this happens, the startup-config.old file is renamed to startup-config.txt, and the stacking.boot file is removed. For more information, refer to “Unconfiguring an IronStack” on page 130.
• Active Controller
• Standby Controller
• Stack member

Active Controller

The Active Controller contains the saved and running configuration files for each stack member. The configuration files include the system-level settings for the stack, and the interface-level settings for each stack member, as well as MIB counters and port status.
Example

My stack unit ID = 1, bootup role = active
My stack unit ID = 3, bootup role = standby

Active Controller and Standby Controller elections

Whenever there is a topology change in the stack (a reset, unit failure, or the addition or removal of members), elections are held to determine the status of the Active Controller and Standby Controller. The results of the election take effect after the next stack reset.
PowerConnect B-Series FCX hitless stacking

Standby Controller election criteria

The Standby Controller election is based on the following criteria.

1. The highest priority
2. Bootup as Active Controller
3. Bootup as Standby Controller
4. The lowest boot ID
5. The lowest MAC address

Since Standby election candidates must have startup configurations that have been synchronized with the Active Controller, if the Active Controller does not have a startup-config.
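As an added illustration (not code from this guide or from Dell), the following Python models the Standby Controller election order listed above together with the 0 to 255 priority range and default of 128 from “IronStack unit priority” and the partition-merge tie-break from “Managing your IronStack” (highest priority, then most stack members). The StackUnit class, its field names and the sample units are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple

# Priority range and default as stated under "IronStack unit priority".
PRIORITY_MIN, PRIORITY_MAX, PRIORITY_DEFAULT = 0, 255, 128


@dataclass(frozen=True)
class StackUnit:
    """One stack unit as seen by the election (constructed model, not a device API)."""
    unit_id: int                  # stack ID, 1 through 8
    mac: str                      # dotted-hex MAC as printed by show stack, e.g. "0012.f2d5.9380"
    priority: int = PRIORITY_DEFAULT
    bootup_role: str = "member"   # role at last boot: "active", "standby" or "member"
    boot_id: int = 0              # lower value means an earlier boot
    config_synced: bool = True    # startup config synchronized with the Active Controller

    def __post_init__(self) -> None:
        if not PRIORITY_MIN <= self.priority <= PRIORITY_MAX:
            raise ValueError(f"priority {self.priority} is outside {PRIORITY_MIN}..{PRIORITY_MAX}")
        if self.bootup_role not in ("active", "standby", "member"):
            raise ValueError(f"unknown bootup role {self.bootup_role!r}")


def mac_as_int(mac: str) -> int:
    """Turn xxxx.xxxx.xxxx into an integer so 'lowest MAC address' is a numeric comparison."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"unexpected MAC format: {mac!r}")
    return int(digits, 16)


def standby_rank(unit: StackUnit) -> Tuple[int, int, int, int, int]:
    """Sort key for the five criteria, in order. min() picks the winner, so
    'highest priority' is negated and a preferred bootup role maps to 0."""
    return (
        -unit.priority,                             # 1. the highest priority
        0 if unit.bootup_role == "active" else 1,   # 2. bootup as Active Controller
        0 if unit.bootup_role == "standby" else 1,  # 3. bootup as Standby Controller
        unit.boot_id,                               # 4. the lowest boot ID
        mac_as_int(unit.mac),                       # 5. the lowest MAC address
    )


def elect_standby(active: StackUnit, units: Iterable[StackUnit]) -> Optional[StackUnit]:
    """Elect the Standby Controller from every unit other than the Active Controller
    whose startup configuration is synchronized with it. Returns None when no
    unit qualifies (an unsynchronized unit is not a candidate)."""
    candidates = [u for u in units if u.unit_id != active.unit_id and u.config_synced]
    if not candidates:
        return None
    return min(candidates, key=standby_rank)


def merge_winner(partitions: Sequence[Tuple[StackUnit, int]]) -> StackUnit:
    """When partitioned stacks are reconnected, each partition's Active Controller
    competes: the highest priority wins, and equal priorities are decided by the
    number of stack members in the partition (most members wins).
    Each entry is (Active Controller of the partition, member count)."""
    if not partitions:
        raise ValueError("no partitions to merge")
    winner, _ = max(partitions, key=lambda p: (p[0].priority, p[1]))
    return winner


if __name__ == "__main__":
    # Constructed sample: priorities and MACs are illustrative only.
    units = [
        StackUnit(1, "0012.f2d5.9380", priority=200, bootup_role="active"),
        StackUnit(2, "00e0.6666.8880", priority=128, bootup_role="standby", boot_id=2),
        StackUnit(3, "0012.f2dc.0ec0", priority=128, boot_id=1),
        StackUnit(4, "0000.0000.0001", priority=255, config_synced=False),  # not synced: ineligible
    ]
    standby = elect_standby(units[0], units)
    print("Standby Controller:", standby.unit_id if standby else None)  # unit 2
```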
Supported events

The following events are supported by hitless stacking:
• Failover
• Switchover
• Priority change
• Role change

Non-supported events

The following events are not supported by hitless stacking. These events require a software reload, resulting in an impact to data traffic.
• Unit ID change – When a stack is formed or when a unit is renumbered using secure-setup.
• Stack merge – When the old Active Controller comes back up, it reboots.
TABLE 37 Hitless-supported services and protocols – PowerConnect B-Series FCX

Traffic type | Supported protocols and services | Impact

Traffic type: Layer 2 switched traffic, including unicast and multicast + System-level + Layer 4
Supported protocols and services:
• 802.1p and 802.1Q
• 802.3ad – LACP
• DSCP honoring and Diffserv
• Dual-mode VLAN
• IGMP v1, v2, and v3 snooping
• IPv4 ACLs
• Layer 2 ACLs
• Layer 2 switching (VLAN and 802.
TABLE 37 Hitless-supported services and protocols – PowerConnect B-Series FCX (Continued)

Traffic type: Security
• Supported security protocols and services are not impacted during a switchover or failover, with the following exceptions:
• 802.1X is impacted if re-authentication does not occur in a specific time window.
• MDPA is impacted if re-authentication does not occur in a variable-length time window.
(for example, a personal computer) pinging the stack might encounter a long delay depending on the client MAC aging time. The client won’t work until it ages out the old MAC address and sends ARP requests to relearn the new stack MAC address. Refer to “Manual allocation of the IronStack MAC address” on page 120.

• PBR is not supported by hitless stacking. When PBR is configured in an FCX IronStack, the stack will reload in the event of a failover.
• Hardware Abstraction Layer (HAL) – This includes the prefix-based routing table, next hop information for outgoing interfaces, and tunnel information.
• Layer 3 IP forwarding information – This includes the routing table, IP cache table, and ARP table, as well as static and connected routes.
• Layer 3 routing protocols are not copied to any of the units in the stack, but remain in init state on the Standby Controller until a switchover occurs.
Standby Controller role in hitless stacking

In software releases that do not support hitless stacking, the Standby Controller functions as a dummy device, meaning it provides limited access to the CLI, such as show, stack, and a few debug commands. The Active Controller can access the full range of the CLI. The Standby Controller synchronizes its configuration with the Active Controller at each reset.
When the Standby Controller is fully synchronized, the system will be ready for a switchover or failover.

Runtime configuration mismatch

In some cases, such as a runtime configuration mismatch between the Active Controller and candidate Standby Controller, the Standby Controller cannot be assigned by the Active Controller unless the candidate Standby Controller is reloaded.
Figure 15 illustrates hitless stacking support during stack formation. Operational stages 1 and 2 are also shown in this illustration.
Figure 16 illustrates hitless stacking support during a stack merge.

FIGURE 16 Hitless stacking support during a stack merge

[Figure: Stack 1 (Active 1 pri=30, Standby 2 pri=20, Member 3 pri=10, Member 4 pri=0) merges with Stack 2 (Active 1 pri=100, Standby 2 pri=50); after the merge the former Stack 1 units are Member 1 (pri=30), Member 2 (pri=20), Member 3 (pri=10) and Member 4 (pri=0), and the former Stack 2 units are Active 5 (pri=100) and Standby 6 (pri=50).]

1 When hitless failover is enabled, the stack with more units will win.
Figure 17 illustrates hitless stacking support in a stack split.

FIGURE 17 Hitless stacking support in a stack split

[Figure: before the split, Active 1 (pri=30), Standby 2 (pri=20), Member 3 (pri=10) and Member 4 (pri=0) form one stack; after the split, Active 1 (pri=30) and Standby 2 (pri=20) remain together while Member 3 (pri=10) and Member 4 (pri=0) are separated.]

The stack splits into one operational stack and two “orphan” units.
Hitless stacking default behavior

Hitless stacking is disabled by default. When disabled, the following limitations are in effect:
• If a failover occurs, every unit in the stack will reload.
• Manual switchover is not allowed. If the CLI command stack switch-over is entered, the following message will appear on the console:

Switch-over is not allowed. Reason: hitless-failover not configured.
Enabling hitless stacking

Hitless stacking is disabled by default. To enable it, enable hitless failover as described in “Enabling hitless failover” on page 175.

Displaying hitless stacking status

You can use the show stack command to view whether or not hitless stacking is enabled. The following example shows that hitless stacking is disabled.
Syntax: show stack

Hitless stacking failover

Hitless stacking failover provides automatic failover from the Active Controller to the Standby Controller without resetting any of the units in the stack and with sub-second or no packet loss to hitless stacking-supported services and protocols. For a description of the events that occur during a hitless failover, refer to “What happens during a hitless stacking switchover or failover” on page 166.
Hitless stacking failover example

Figure 18 illustrates hitless stacking failover operation when the Active Controller fails.

FIGURE 18 Hitless stacking failover when the Active Controller fails

[Figure: the stack comes back without the Active Controller.]
For a description of this feature’s impact on major system functions, refer to Table 37 on page 164. For examples of hitless stacking switchover operation, refer to “Hitless stacking switchover examples” on page 178.
Hitless stacking switchover examples

This section illustrates hitless stacking failover and switchover operation during a CLI-driven switchover or priority change.

Figure 19 illustrates a hitless stacking switchover triggered by the stack switch-over command.
Figure 20 illustrates a hitless stacking switchover when the Active Controller goes down then comes back up. The stack in this example has user-configured priorities.

FIGURE 20 Hitless stacking switchover when the Active Controller comes back up

[Figure: the Active Controller comes back (in a stack with user-assigned priorities).]
Figure 21 illustrates a hitless stacking switchover after the network administrator increases the priority value of the Standby Controller.
Figure 22 illustrates a hitless stacking switchover after the network administrator increases the priority value of one of the stack members.

FIGURE 22 Scenario 2 – Hitless stacking switchover after a priority change

[Figure: before the priority change, Active 1 (pri=100), Standby 2 (pri=0), Member 3 (pri=0) and Member 4 (pri=0); after it, Standby 1 (pri=100), Member 2 (pri=0), Active 3 (pri=200) and Member 4 (pri=0).]

1 A switchover occurs.
Figure 23 illustrates a hitless stacking switchover after the network administrator increases the priority value for two of the stack members.
Displaying information about hitless stacking

Use the show stack command to view information pertinent to a hitless stacking switchover or failover. The command output illustrates the Active and Standby Controllers, as well as the readiness of the Standby Controller to take over the role of Active Controller, if needed.
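As an added example (not code from this guide or from Dell), the following Python parses show stack output in the column layout shown in this chapter and reports whether a Ready Standby Controller exists to take over, flagging units whose configuration is still dynamic (D) per Table 29. The sample output, the StackRow class and the report field names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the column layout of this guide's show stack examples.
SAMPLE_SHOW_STACK = """\
PowerConnect(config)# show stack
alone: standalone, D: dynamic config, S: static config
ID   Type      Role     Mac Address     Pri  State   Comment
1  S FCX648S   active   0012.f2d5.9380  80   local   Ready
2  S FCX648    member   00e0.6666.8880  0    remote  Ready
3  D FCX624    standby  0012.f2dc.0ec0  40   remote  Ready
Current persistent MAC is 0012.f2d5.9380
"""

# One data row: ID, config flag (S, D or alone), type, role, MAC, priority, state, comment.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<cfg>S|D|alone)\s+(?P<type>\S+)\s+(?P<role>active|standby|member)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<pri>\d+)\s+(?P<state>\S+)\s*(?P<comment>.*)$",
    re.IGNORECASE,
)


@dataclass
class StackRow:
    unit_id: int
    config: str      # "S" static, "D" dynamic, "ALONE" standalone
    unit_type: str
    role: str        # active / standby / member
    mac: str
    priority: int
    state: str       # local / remote
    comment: str     # e.g. Ready


def parse_show_stack(text: str) -> List[StackRow]:
    """Extract the per-unit rows; the prompt, header, legend and persistent-MAC lines are skipped."""
    rows: List[StackRow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(StackRow(int(m["id"]), m["cfg"].upper(), m["type"], m["role"].lower(),
                                 m["mac"].lower(), int(m["pri"]), m["state"].lower(),
                                 m["comment"].strip()))
    return rows


def failover_readiness(rows: List[StackRow]) -> Dict[str, object]:
    """Report whether a Ready Standby Controller exists to take over from the
    Active Controller. 'problems' block readiness; 'warnings' list dynamic
    configs, which a new stack unit could overwrite until write memory is run."""
    problems: List[str] = []
    warnings: List[str] = []
    actives = [r for r in rows if r.role == "active"]
    standbys = [r for r in rows if r.role == "standby"]
    if len(actives) != 1:
        problems.append(f"expected exactly one Active Controller, found {len(actives)}")
    if not standbys:
        problems.append("no Standby Controller: nothing can take over on a failover")
    for s in standbys:
        if s.comment.lower() != "ready":
            problems.append(f"unit {s.unit_id}: Standby Controller is not Ready "
                            f"({s.comment or 'no comment'})")
    for r in rows:
        if r.config == "D":
            warnings.append(f"unit {r.unit_id}: dynamic config; enter write memory to make it static")
    return {
        "ready": not problems,
        "active_unit": actives[0].unit_id if len(actives) == 1 else None,
        "standby_units": [s.unit_id for s in standbys],
        "problems": problems,
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = failover_readiness(parse_show_stack(SAMPLE_SHOW_STACK))
    print("ready:", report["ready"], "| standby units:", report["standby_units"])
    for line in report["problems"] + report["warnings"]:
        print(" -", line)
```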
To view the System log or the traps logged on an SNMP trap receiver, enter the show log command at any level of the CLI. The following example output shows what the log might look like after a switchover or assignment of the Standby Controller.
PowerConnect# debug stacking sync_rel_msg 4
stk_sync_trunk_mapping:sending trunk mapping...
start running config sync
sync_cdb:send cdb:sess = 0, pBuf = 2132f068
sync_cdb:send cdb:sess = 0, pBuf = 2132f57c
...
stk_sync_cdb:finished cdb sync
PowerConnect# debug stacking sync_rel_msg 8
Hitless sync: TRUNK INFO size (1282)
*************************************
Trunk ID: 10 (1 based), (Hw Trunk ID: 1), g_sw_sys.trunk_config.
Chapter 6 Monitoring Hardware Components

Table 39 lists the individual Dell PowerConnect switches and the hardware monitoring features they support.

TABLE 39 Supported hardware monitoring features

Feature | PowerConnect B-Series FCX
Virtual cable testing (VCT) | Yes
Digital optical monitoring | Yes

The procedures in this chapter describe how to configure the software to monitor hardware components.

Virtual cable testing

PowerConnect devices support Virtual Cable Test (VCT) technology.
Syntax: phy cable-diag tdr

Specify the variable in the following formats:
• PowerConnect B-Series FCX stackable switches –

Viewing the results of the cable analysis

To display the results of the cable analysis, enter a command such as the following at the Privileged EXEC level of the CLI.
Specify the variable in the following formats:
• PowerConnect B-Series FCX stackable switches –

Table 41 defines the fields shown in the command output.

TABLE 41 Cable statistics
This line...   Displays...
Port           The port that was tested.
Speed          The port's current line speed.
Local pair     The local link name. Refer to Table 40.
TABLE 42 Supported fiber optic transceivers (Continued)
Label         Manufacturing part number                                              Type             Dell part number   Supports Digital Optical Monitoring?
10G-XFP-SR    FTLX8511D3-F1, AFBR-720XPDZ-FD1, PLRXXL-SC-S43-59, TRF2001EN-GA250     10GBase-SR XFP   YY0VX              Yes
10G-SFPP-SR   FTLX8571D3BNL-B2, AFBR-703ASDZ-BR2                                     10GE SR SFP+     DR7C1              Yes
10G-SFPP-LR   FTLX1471D3BNL-B2, AFCT-701ASDZ-BR2                                     10GE LR SFP+     6D0R3              Yes
579890006 XDL-10G-SFPP-TWX-0 2GSPWWA-BEB-EN 101 DIRECT ATTACHED SFPP COPP
Use the no form of the command to disable digital optical monitoring.

Setting the alarm interval
You can optionally change the interval at which alarm and warning messages are sent. The default interval is three minutes. To change the interval, use the following command.
Port 24: Type : 1G M-C
Port 25: Type : 10G XG-SR(XFP)
         Vendor: Brocade Communications Inc.   Version: 02
         Part# : JXPR01SW05306                 Serial#: F617604000A3
Port 26: Type : EMPTY

Use the show media slot command to obtain information about the media device installed in a slot.

PowerConnect#show media slot 1
Port 1/1: Type : 1G M-SX(SFP)
          Vendor: Brocade Communications, Inc.
Syntax: show optic

NOTE The show optic function takes advantage of information stored and supplied by the manufacturer of the XFP or SFP transceiver. This information is an optional feature of the Multi-Source Agreement standard defining the optical interface. Not all component suppliers have implemented this feature set.
Viewing optical transceiver thresholds
The thresholds that determine the alarm status values for an optical transceiver are set by the manufacturer of the XFP or SFP. To view the thresholds for a qualified optical transceiver in a particular port, use the show optic threshold command as shown below.
Chapter 7 Configuring IPv6 Management on PowerConnect B-Series FCX Switches

Table 45 lists the individual Dell PowerConnect switches and the IPv6 management features they support.

NOTE The following table only shows the IPv6 management features that are supported. Full IPv6 L2/L3 support will be added in a future release.
This chapter describes the IPv6 management features, including command syntax and management examples.

IPv6 management overview
IPv6 was designed to replace IPv4, the Internet protocol most widely used today. IPv6 increases the number of network address bits from 32 (IPv4) to 128, which provides more than enough unique IP addresses to support all of the network devices on the planet into the future.
• The hexadecimal letters in IPv6 addresses are not case-sensitive

As shown in Figure 25, the IPv6 network prefix is composed of the left-most bits of the address. As with an IPv4 address, you can specify the IPv6 prefix using the / format, where the following applies. The parameter is specified as 16-bit hexadecimal values separated by a colon.
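The address rules above can be checked mechanically. The following Python script is an added example by the editor, not code from the PowerConnect guide or from Dell: it parses an IPv6 address written per RFC 4291 (eight 16-bit hexadecimal groups, optional "::" compression, case-insensitive hex digits) and extracts the network prefix as the left-most prefix-length bits. The function names and the sample addresses are the example's own; in production code use Python's ipaddress module, which implements the same rules.

```python
"""Hand-rolled IPv6 text parser illustrating the address format rules:
16-bit hex groups, one optional '::' run of zero groups, case-insensitive
hex, and the network prefix as the left-most bits. Editor's example, not
code from the PowerConnect guide."""


def parse_ipv6(text: str) -> bytes:
    """Return the 16-byte form of an IPv6 address written per RFC 4291."""
    text = text.strip().lower()          # hex digits are not case-sensitive
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight 16-bit groups")
    out = bytearray()
    for g in groups:
        if not g or len(g) > 4 or any(c not in "0123456789abcdef" for c in g):
            raise ValueError(f"bad group {g!r}")
        out += int(g, 16).to_bytes(2, "big")
    return bytes(out)


def format_ipv6(addr: bytes) -> str:
    """Exploded form: eight zero-padded groups separated by colons."""
    return ":".join(f"{int.from_bytes(addr[i:i + 2], 'big'):04x}"
                    for i in range(0, 16, 2))


def network_prefix(addr: bytes, prefix_len: int) -> bytes:
    """Keep the left-most prefix_len bits and zero the host bits."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be 0..128")
    value = int.from_bytes(addr, "big")
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    return (value & mask).to_bytes(16, "big")


def split_prefix(text: str) -> tuple:
    """Parse 'address/len' (len defaults to 128) and return
    (network prefix as 16 bytes, prefix length)."""
    addr_text, _, len_text = text.partition("/")
    prefix_len = int(len_text) if len_text else 128
    return network_prefix(parse_ipv6(addr_text), prefix_len), prefix_len


if __name__ == "__main__":
    # Sample addresses constructed for the example (documentation prefix).
    for sample in ("2001:DB8::1/64", "2001:db8:abcd:1234:5678::9/52", "::1"):
        prefix, length = split_prefix(sample)
        print(f"{sample:32} -> prefix {format_ipv6(prefix)}/{length}")
```

The parser rejects a second "::", an empty group, or a group longer than four hex digits, the three malformed inputs most often pasted into a CLI.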
IPv6 debug
The debug ipv6 commands enable the collection of information about IPv6 configurations for troubleshooting.
Restricting Web management access to an IPv6 host
You can specify a single device, identified by its IPv6 address, that is allowed Web management access to the PowerConnect device. No other device except the one with the specified IPv6 address can access the Web Management Interface.
AAAA DNS records are analogous to the A DNS records used with IPv4. They store a complete IPv6 address in each record. AAAA records have a type value of 28.

To establish an IPv6 DNS entry for the device, enter the following command.
PowerConnect(config)#ipv6 dns domain-name companynet.com
Syntax: [no] ipv6 dns domain-name

To define an IPv6 DNS server address, enter the following command.
• The size parameter specifies the size of the ICMP data portion of the packet. This is the payload and does not include the header. You can specify from 0 - 10173. The default is 16.
• The no-fragment keyword turns on the "do not fragment" bit in the IPv6 header of the ping packet. This option is disabled by default.
Syntax: snmp-server host ipv6
The IPv6 address you specify must be in hexadecimal format using 16-bit values between colons, as documented in RFC 2373.

Secure Shell, SCP, and IPv6
Secure Shell (SSH) is a mechanism that allows secure remote access to management functions on the Dell PowerConnect device. SSH provides a function similar to Telnet, but unlike Telnet the session is encrypted, so credentials and commands are not sent in the clear.
IPv6 traceroute
The traceroute command allows you to trace a path from the Dell PowerConnect device to an IPv6 host. The CLI displays trace route information for each hop as soon as the information is received. Traceroute sends probes with a hop limit (the IPv6 equivalent of the IPv4 TTL) starting at 1 and increasing to a maximum of 30, and displays all responses. In addition, if there are multiple equal-cost routes to the destination, the Dell PowerConnect device displays up to three responses.
Chapter 8 Configuring Spanning Tree Protocol (STP) Related Features

Table 46 lists the individual Dell PowerConnect switches and the Spanning Tree Protocol (STP) features they support.

TABLE 46 Supported STP features
Feature                               PowerConnect B-Series FCX
802.1s Multiple Spanning Tree         Yes
802.1W Rapid Spanning Tree (RSTP)     Yes
802.
Configuring standard STP parameters
Layer 2 Switches and Layer 3 Switches support standard STP as described in the IEEE 802.1D specification. STP is enabled by default on Layer 2 Switches but disabled by default on Layer 3 Switches. By default, each port-based VLAN on a Dell PowerConnect device runs a separate spanning tree (a separate instance of STP). A Dell PowerConnect device has one port-based VLAN (VLAN 1) by default that contains all the device ports.
TABLE 48 Default STP bridge parameters (Continued)
Parameter    Description                                                                              Default and valid values
Hello Time   The interval of time between each configuration BPDU sent by the root bridge.           2 seconds. Possible values: 1 – 10 seconds
Priority     A parameter used to identify the root bridge in a spanning tree (instance of STP).
             The bridge with the lowest value has the highest priority and is the root.
NOTE The CLI converts the STP groups into topology groups when you save the configuration. For backward compatibility, you can still use the STP group commands. However, the CLI converts the commands into the topology group syntax. Likewise, the show stp-group command displays STP topology groups.

Enabling or disabling STP globally
Use the following method to enable or disable STP on a device on which you have not configured port-based VLANs.
Changing STP bridge parameters
NOTE If you plan to change STP bridge timers, Dell recommends that you stay within the following ranges, from section 8.10.2 of the IEEE STP specification.
2 * (forward_delay - 1) >= max_age
max_age >= 2 * (hello_time + 1)

To change the STP bridge priority on a Dell PowerConnect device to the highest priority (the lowest numeric value) so that the device becomes the root bridge, enter the following command.
Changing STP port parameters
To change the path cost and priority for a port, enter commands such as the following.
Enabling STP protection
You can enable STP Protection on a per-port basis. To prevent an end station from initiating or participating in STP topology changes, enter the following command at the Interface level of the CLI.
PowerConnect(config)#interface e 2
PowerConnect(config-if-e1000-2)#stp-protect
This command causes the port to drop STP BPDUs sent from the device on the other end of the link, so a host or unmanaged switch attached to that port cannot influence the spanning tree (for example, by advertising a lower bridge ID and being elected root).
PowerConnect#show stp-protect e 3
STP-protect is enabled on port 3. BPDU drop count is 478

A non-zero drop count that keeps growing means something on that port is sending BPDUs, which on an access port is worth investigating. If you enter the show stp-protect command for a port that does not have STP protection enabled, the following message displays on the console.
PowerConnect#show stp-protect e 4
STP-protect is not enabled on port 4.
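To see what those dropped BPDUs carry, the following Python decoder is an added example (editor's code, not part of the guide or of the switch firmware). It parses an IEEE 802.1D configuration BPDU as carried in an LLC frame (DSAP/SSAP 0x42), splits each 8-byte bridge identifier into the 16-bit priority and 48-bit MAC, and answers the question the receiving bridge asks: does the advertised root have a lower, and therefore better, bridge ID than the root we already know? The sample BPDU is constructed for the example with a made-up MAC; the root ID 0x800000e052a9bb00 is in the format that show span detail prints later in this chapter.

```python
"""Decoder for IEEE 802.1D configuration BPDUs plus the bridge-ID comparison
that decides the root election. Editor's example, not Dell code. Layout after
the 3-byte LLC header: protocol ID (2), version (1), type (1), flags (1),
root ID (8), root path cost (4), bridge ID (8), port ID (2), then message age,
max age, hello time and forward delay (2 bytes each, in 1/256 s units)."""
import struct
from dataclasses import dataclass

LLC_STP = b"\x42\x42\x03"                       # DSAP 0x42, SSAP 0x42, UI
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")  # 35 bytes after the LLC header


@dataclass(frozen=True)
class BridgeId:
    priority: int   # upper 16 bits; 0..65535, lower is better
    mac: str        # lower 48 bits

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(int.from_bytes(raw[:2], "big"),
                   ":".join(f"{b:02x}" for b in raw[2:8]))

    @classmethod
    def from_hex(cls, text: str) -> "BridgeId":
        """Parse the 0x800000e052a9bb00 form shown by 'show span detail'."""
        return cls.from_bytes(int(text, 16).to_bytes(8, "big"))

    def key(self) -> tuple:
        # The numerically lowest (priority, MAC) wins the root election.
        return (self.priority, self.mac)


@dataclass(frozen=True)
class ConfigBpdu:
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    message_age: float   # seconds
    max_age: float
    hello_time: float
    forward_delay: float
    flags: int


def decode_config_bpdu(frame_payload: bytes) -> ConfigBpdu:
    """Decode LLC + configuration BPDU; rejects TCN/RST BPDUs and short frames."""
    if frame_payload[:3] != LLC_STP:
        raise ValueError("not an STP LLC frame")
    body = frame_payload[3:3 + CONFIG_BPDU.size]
    if len(body) < CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    (proto, _version, bpdu_type, flags, root, cost, bridge, port_id,
     msg_age, max_age, hello, fwd) = CONFIG_BPDU.unpack(body)
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError(f"not a configuration BPDU (type 0x{bpdu_type:02x})")
    return ConfigBpdu(BridgeId.from_bytes(root), cost, BridgeId.from_bytes(bridge),
                      port_id, msg_age / 256, max_age / 256, hello / 256,
                      fwd / 256, flags)


def would_displace_root(bpdu: ConfigBpdu, current_root: BridgeId) -> bool:
    """True if the advertised root ID is lower (better) than the known root."""
    return bpdu.root.key() < current_root.key()


def build_config_bpdu(root: bytes, cost: int, bridge: bytes, port_id: int,
                      max_age=20.0, hello=2.0, fwd=15.0, msg_age=0.0) -> bytes:
    """Encode a configuration BPDU; used here only to build the sample."""
    return LLC_STP + CONFIG_BPDU.pack(0, 0, 0x00, 0, root, cost, bridge, port_id,
                                      int(msg_age * 256), int(max_age * 256),
                                      int(hello * 256), int(fwd * 256))


# Constructed sample: a station on an access port advertising itself as root
# with priority 0 (the MAC is made up for the example).
ROGUE_ID = bytes.fromhex("0000" "0a0b0c0d0e0f")
ROGUE_BPDU = build_config_bpdu(ROGUE_ID, 0, ROGUE_ID, 0x8001)

# The root this bridge knows, in the format printed by 'show span detail'.
OUR_ROOT = BridgeId.from_hex("0x800000e052a9bb00")   # priority 32768 (default)

if __name__ == "__main__":
    seen = decode_config_bpdu(ROGUE_BPDU)
    print(f"advertised root {seen.root}, known root {OUR_ROOT}")
    print("would displace our root:", would_displace_root(seen, OUR_ROOT))
```

With stp-protect enabled, the port never evaluates the comparison at all: the BPDU is dropped and counted, which is exactly what the drop count above reports.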
Displaying STP information for an entire device
To display STP information, enter the following command at any level of the CLI.
PowerConnect#show span
VLAN 1 BPDU cam_index is 3 and the Master DMA Are(HEX)
STP instance owned by VLAN 1
Global STP (IEEE 802.
TABLE 50 CLI display of STP information
This field...   Displays...
Global STP parameters
VLAN ID         The port-based VLAN that contains this spanning tree (instance of STP). VLAN 1 is the default VLAN. If you have not configured port-based VLANs on this device, all STP information is for VLAN 1.
Root ID         The ID assigned by STP to the root bridge for this spanning tree.
Root Cost       The cumulative cost from this bridge to the root bridge.
TABLE 50 CLI display of STP information (Continued)
This field...   Displays...
State           The port STP state. The state can be one of the following:
                BLOCKING – STP has blocked Layer 2 traffic on this port to prevent a loop. The device or VLAN can reach the root bridge using another port, whose state is FORWARDING. When a port is in this state, the port does not transmit or receive user frames, but the port does continue to receive STP BPDUs.
PowerConnect#show process cpu
The system has only been up for 6 seconds.
Process Name   5Sec(%)   1Min(%)   5Min(%)   15Min(%)
ARP            0.01      0.00      0.00      0.00
BGP            0.00      0.00      0.00      0.00
GVRP           0.00      0.00      0.00      0.00
ICMP           0.01      0.00      0.00      0.00
IP             0.00      0.00      0.00      0.00
OSPF           0.00      0.00      0.00      0.00
RIP            0.00      0.00      0.00      0.00
STP            0.00      0.00      0.00      0.00
VRRP           0.00      0.00      0.00      0.
PowerConnect#show vlans
Total PORT-VLAN entries: 2
Maximum PORT-VLAN entries: 16
legend: [S=Slot]
PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree On
 Untagged Ports: (S3) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
 Untagged Ports: (S3) 17 18 19 20 21 22 23 24
 Untagged Ports: (S4) 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
 Untagged Ports: (S4) 18 19 20 21 22 23 24
   Tagged Ports: None
   Uplink Ports: None
PORT-VLAN 2, Name greenwell
If a port is disabled, the only information shown by this command is "DISABLED". If a port is enabled, this display shows the following information.
Syntax: show span detail [vlan [ethernet | ]
The vlan parameter specifies a VLAN.
TABLE 51 CLI display of detailed STP information for ports (Continued)
This field...               Displays...
Port number and STP state   The internal port number and the port STP state. The internal port number is one of the following:
                            • The port interface number, if the port is the designated port for the LAN.
                            • The interface number of the designated port from the received BPDU, if the interface is not the designated port for the LAN.
PowerConnect#show span detail vlan 1 ethernet 7/1
Port 7/1 is FORWARDING
Port - Path cost: 19, Priority: 128, Root: 0x800000e052a9bb00
Designated - Bridge: 0x800000e052a9bb00, Interface: 7, Path cost: 0
Active Timers - None
BPDUs - Sent: 29, Received: 0
Syntax: show span detail [vlan ethernet
Specify the variable in the following formats:
• PowerConnect B-Series FCX stackable switches –
Displaying STP state infor
PowerConnect#show interface brief
Port   Link   State   Dupl   Speed   Trunk
1/1    Down   None    None   None    None
1/2    Down   None    None   None    None
1/3    Down   None    None   None    None
1/4    Down   None    None   None    None
1/5    Down   None    None   None    None
1/6    Down   None    None   None    None
1/7    Down   None    None   None    None
1/8    Down   None    None   None    None
. . some rows omitted for brevity .
• Fast Port Span eliminates unnecessary MAC cache aging that can be caused by topology change notifications. Bridging devices age out the learned MAC addresses in their MAC caches if the addresses are unrefreshed for a given period of time, sometimes called the MAC aging interval. When STP sends a topology change notification, devices that receive the notification use the value of the STP forward delay to quickly age out their MAC caches.
To exclude a set of ports from Fast Port Span, enter commands such as the following.
PowerConnect(config)#fast port-span exclude ethernet 1 ethernet 2 ethernet 3
PowerConnect(config)#write memory
To exclude a contiguous (unbroken) range of ports from Fast Span, enter commands such as the following.
NOTE To avoid the potential for temporary bridging loops, Dell recommends that you use the Fast Uplink feature only for wiring closet switches (switches at the edge of the network cloud). In addition, enable the feature only on a group of ports intended for redundancy, so that at any given time only one of the ports is expected to be in the forwarding state.
When the original working trunk group comes back (partially or fully), the transition back to the original topology is accelerated if the conditions listed above are met.
• Classic or legacy 802.1D STP requires a newly selected Root port to go through the listening and learning stages before traffic convergence can be achieved. The 802.1D traffic convergence time is calculated using the following formula:
2 x FORWARD_DELAY + BRIDGE_MAX_AGE
With the default values (forward delay 15 seconds, max age 20 seconds), convergence can take up to 50 seconds. (In this document STP will be referred to as 802.1D.
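The timer relationship quoted under "Changing STP bridge parameters" earlier in this chapter (2 * (forward_delay - 1) >= max_age >= 2 * (hello_time + 1), from IEEE 802.1D section 8.10.2) and the convergence formula above can be checked before timers are changed on the root bridge. The following Python functions are an added example by the editor, not code from the guide. The hello time range (1 to 10 seconds) is the one listed in the bridge parameter table; the max age (6 to 40) and forward delay (4 to 30) ranges are the ones IEEE 802.1D recommends and are the editor's addition.

```python
"""Sanity checks for 802.1D bridge timers. Editor's example, not Dell code.
Encodes the 802.1D 8.10.2 relationship
    2 * (forward_delay - 1) >= max_age >= 2 * (hello_time + 1)
and the worst-case reconvergence bound 2 * forward_delay + max_age."""

DEFAULTS = {"hello_time": 2, "max_age": 20, "forward_delay": 15}
# Hello time range is from the guide's bridge parameter table; the max age
# and forward delay ranges are IEEE 802.1D's recommended ranges (editor's
# addition, not stated on this page).
RANGES = {"hello_time": (1, 10), "max_age": (6, 40), "forward_delay": (4, 30)}


def check_stp_timers(hello_time=DEFAULTS["hello_time"],
                     max_age=DEFAULTS["max_age"],
                     forward_delay=DEFAULTS["forward_delay"]):
    """Return a list of violations; an empty list means the timers are consistent."""
    problems = []
    for name, value in (("hello_time", hello_time), ("max_age", max_age),
                        ("forward_delay", forward_delay)):
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            problems.append(f"{name}={value} outside {lo}-{hi} s")
    # A port must not forward before information learned from the old root has
    # aged out everywhere, otherwise a temporary loop is possible.
    if 2 * (forward_delay - 1) < max_age:
        problems.append(f"max_age {max_age} > 2*(forward_delay-1)="
                        f"{2 * (forward_delay - 1)}")
    # Max age must tolerate the loss of at least one hello from the root.
    if max_age < 2 * (hello_time + 1):
        problems.append(f"max_age {max_age} < 2*(hello_time+1)="
                        f"{2 * (hello_time + 1)}")
    return problems


def convergence_802_1d(forward_delay=DEFAULTS["forward_delay"],
                       max_age=DEFAULTS["max_age"]):
    """Worst-case 802.1D reconvergence in seconds: max_age to notice the root
    is gone, then one forward_delay each for listening and learning."""
    return max_age + 2 * forward_delay


def suggest_forward_delay(max_age, hello_time):
    """Smallest integer forward_delay that satisfies both inequalities for the
    given max_age, or None if max_age is already too small for hello_time."""
    if max_age < 2 * (hello_time + 1):
        return None
    fd = (max_age + 1) // 2 + 1          # 2*(fd-1) >= max_age  <=>  fd >= max_age/2 + 1
    return max(fd, RANGES["forward_delay"][0])


if __name__ == "__main__":
    print("defaults:", check_stp_timers() or "ok",
          f"(converges in <= {convergence_802_1d()} s)")
    print("fwd delay 10 with max age 20:", check_stp_timers(forward_delay=10))
    print("smallest fwd delay for max age 20:", suggest_forward_delay(20, 2))
```

Lowering forward delay, as the Draft 3 failover discussion later in this chapter suggests, shortens convergence but tightens the first inequality; run the check with the new value before committing it.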
Assignment of port roles
At system start-up, all 802.1W-enabled bridge ports assume a Designated role. Once start-up is complete, the 802.1W algorithm calculates the superiority or inferiority of the RST BPDU that is received and transmitted on a port. On a root bridge, each port is assigned a Designated port role, except for ports on the same bridge that are physically connected together.
FIGURE 26 Simple 802.1W topology: Switch 1 (bridge priority = 100), Switch 2 (bridge priority = 200), Switch 3 (bridge priority = 300) and Switch 4 (bridge priority = 400), interconnected through Port2 to Port8

Ports on Switch 1
All ports on Switch 1, the root bridge, are assigned Designated port roles.

Ports on Switch 2
Port2 on Switch 2 directly connects to the root bridge; therefore, Port2 is the Root port.
Edge ports and edge port roles
The Dell implementation of 802.1W allows ports that are configured as Edge ports to be present in an 802.1W topology (Figure 27). Edge ports are ports of a bridge that connect to workstations or computers. Edge ports do not register any incoming BPDU activities. Edge ports assume Designated port roles. Port flapping does not cause any topology change events on Edge ports since 802.
NOTE Configuring shared media or non-point-to-point links as point-to-point links could lead to Layer 2 loops. The topology in Figure 28 is an example of shared media that should not be configured as point-to-point links. In Figure 28, a port on a bridge communicates with or is connected to at least two ports.

FIGURE 28 Example of shared media

Bridge port states
Port roles can have one of the following states:
• Forwarding – 802.
Edge port and non-edge port states
As soon as a port is configured as an Edge port using the CLI, it goes into a forwarding state instantly (in less than 100 msec). When the link to a port comes up and 802.1W detects that the port is an Edge port, that port instantly goes into a forwarding state. If 802.1W detects that port as a non-edge port, the port state is changed as determined by the result of processing the received RST BPDU.
In contrast to the 802.1D standard, the 802.1W standard does not have any bridge-specific timers. All timers in the CLI are applied on a per-port basis, even though they are configured under bridge parameters. 802.1W state machines attempt to quickly place the ports into either a forwarding or discarding state. Root ports are quickly placed in forwarding state when both of the following events occur:
• It is assigned to be the Root port.
NOTE Proposed will never be asserted if the port is connected on a shared media link.

In Figure 29, Port3/Switch 200 is elected as the Root port.

FIGURE 29 Proposing and proposed stage (Switch 100, the root bridge, sends an RST BPDU with a Proposal flag from its Designated port, which is Proposing; the Root port on Switch 200 is Proposed; Switch 300 and Switch 400 are downstream of Switch 200)

• Sync – Once the Root port is elected, it sets a sync signal on all the ports on the bridge.

FIGURE 30 Sync stage (the Root port on Switch 200 asserts Sync; Port2 and Port3 on Switch 200, toward Switch 300 and Switch 400, are Sync, Discarding)

• Synced – Once the Designated port changes into a discarding state, it asserts a synced signal. Immediately, Alternate ports and Backup ports are synced. The Root port monitors the synced signals from all the bridge ports.

FIGURE 31 Synced stage (the Root port on Switch 200 is Synced; Port2 and Port3 on Switch 200 are Synced, Discarding)

• Agreed – The Root port sends back an RST BPDU containing an agreed flag to its peer Designated port and moves into the forwarding state. When the peer Designated port receives the RST BPDU, it rapidly transitions into a forwarding state.

FIGURE 32 Agree stage (the Root port on Switch 200 sends an RST BPDU with an Agreed flag and is Synced, Forwarding; the Designated port on Switch 100 is Forwarding; Port2 and Port3 on Switch 200 remain Synced, Discarding)

At this point, the handshake mechanism is complete between Switch 100, the root bridge, and Switch 200.
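The four stages described above can be modelled as a small state machine. The following Python model is an added example by the editor, not Dell's implementation: it takes a bridge whose Root port has just received a Proposal, applies the sync signal to the other ports (non-edge Designated ports go to discarding, Edge ports keep forwarding, Alternate and Backup ports sync at once), and once every port is synced moves the Root port to forwarding and sends the agreement that lets the peer Designated port forward. The topology, the port names and the extra edge port are constructed for the example.

```python
"""Toy model of the 802.1W proposal/agreement handshake on one bridge:
proposing -> sync -> synced -> agreed. Editor's example, not Dell code."""
from dataclasses import dataclass, field

FORWARDING, DISCARDING = "forwarding", "discarding"


@dataclass
class Port:
    name: str
    role: str                        # "root", "designated", "alternate", "backup"
    state: str = DISCARDING
    edge: bool = False               # an Edge port never leaves forwarding here
    peer: "Port | None" = None       # far end of a point-to-point link
    synced: bool = False
    events: list = field(default_factory=list)


@dataclass
class Bridge:
    name: str
    ports: list


def receive_proposal(bridge: Bridge, root_port: Port) -> list:
    """Run the handshake on `bridge` after `root_port` received an RST BPDU
    carrying the Proposal flag from its peer Designated port.
    Returns the ordered event trace."""
    trace = []
    # Sync: the newly elected Root port signals every other port on the bridge.
    for p in bridge.ports:
        if p is root_port:
            continue
        if p.role == "designated" and not p.edge:
            # Non-edge Designated ports must stop forwarding so that no loop
            # exists while the bridge agrees to the new root.
            p.state = DISCARDING
        # Edge ports keep forwarding; Alternate and Backup ports are already
        # discarding, so all of them can assert synced immediately.
        p.synced = True
        trace.append(f"{p.name}: sync -> synced ({p.state})")
    # Synced: the Root port sees every other port synced and agrees.
    if all(p.synced for p in bridge.ports if p is not root_port):
        root_port.synced = True
        root_port.state = FORWARDING
        trace.append(f"{root_port.name}: agreed, forwarding")
        if root_port.peer is not None:
            # The peer Designated port receives the Agreed flag and forwards.
            root_port.peer.state = FORWARDING
            trace.append(f"{root_port.peer.name}: received agreement, forwarding")
    # The discarding Designated ports now propose to their own downstream
    # bridges; that next hop of the handshake is not modelled here.
    return trace


def build_topology():
    """Constructed topology: Switch 100 (root) Port1 <-> Switch 200 Port1,
    with Switch 200 also serving Switch 300, Switch 400 and one host."""
    s100_p1 = Port("Switch 100/Port1", "designated", state=DISCARDING)
    s200_p1 = Port("Switch 200/Port1", "root", peer=s100_p1)
    s100_p1.peer = s200_p1
    s200 = Bridge("Switch 200", [
        s200_p1,
        Port("Switch 200/Port2", "designated", state=FORWARDING),          # to Switch 300
        Port("Switch 200/Port3", "designated", state=FORWARDING),          # to Switch 400
        Port("Switch 200/Port9", "designated", state=FORWARDING, edge=True),  # a host
    ])
    return s200, s200_p1, s100_p1


if __name__ == "__main__":
    bridge, root_port, _peer = build_topology()
    for line in receive_proposal(bridge, root_port):
        print(line)
```

The model makes the security-relevant point explicit: the only ports that stay forwarding through the handshake are Edge ports, which is why a port facing a host should be an Edge port and, on this platform, why stp-protect is a sensible companion setting for it.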
FIGURE 33 Addition of a new root bridge (Switch 60 attaches to Port2 of Switch 100 and to Port4 of Switch 200; Port1 of Switch 200 is still the Root port toward Switch 100; Switch 300 and Switch 400 remain downstream of Switch 200)

The handshake that occurs between Switch 60 and Switch 100 follows the one described in the previous section ("Handshake when no root port is elected" on page 234).

FIGURE 34 New root bridge sending a proposal flag (the handshake between Switch 60 and Switch 100 is completed; Port4 of Switch 60, a Designated port, is Proposing and sends an RST BPDU with a Proposal flag to Port4 of Switch 200, which is Proposed; Port1 of Switch 200 is still the Root port, Forwarding)

• Sync and Reroot – The Root port then asserts a sync and a reroot signal on all the ports on the bridge.

FIGURE 35 Sync and reroot (Port4 of Switch 200 becomes the Root port; Port1, Port2, Port3 and Port4 of Switch 200 are Sync, Reroot, Discarding)

• Sync and Rerooted – When the ports on Switch 200 have completed the reroot phase, they assert their rerooted signa

FIGURE 36 Sync and rerooted (Port1 of Switch 200 is now a Designated port; Port1, Port2, Port3 and the new Root port Port4 of Switch 200 are Sync, Rerooted, Discarding)

FIGURE 37 Rerooted, synced, and agreed (Port4 of Switch 200, the Root port, is Rerooted, Synced, Forwarding and sends an RST BPDU with an Agreed flag to Port4 of Switch 60, which is Forwarding; Port1, Port2 and Port3 of Switch 200 are Rerooted, Synced, Discarding)

The old Root port on Switch 200 becomes an Alternate Port (Fi

FIGURE 38 Handshake completed after election of new root port (Port1 of Switch 200 is now an Alternate port; Port4 is the Root port; Port2 and Port3 of Switch 200 are Proposing toward Switch 300 and Switch 400)

Recall that Switch 200 sent the agreed flag to Port4/Switch 60 and not to Port1/Switch 100 (the port that connects Switch 100 to Switch 200).
FIGURE 39 Convergence between two bridges (Switch 2, bridge priority = 1500, Port3 is the Designated port; Switch 3, bridge priority = 2000, Port3 is the Root port)

At power up, all ports on Switch 2 and Switch 3 assume Designated port roles and are at discarding states before they receive any RST BPDU. Port3/Switch 2, with a Designated role, transmits an RST BPDU with a proposal flag to Port3/Switch 3.

FIGURE 40 Simple Layer 2 topology (Switch 1, bridge priority = 1000, is the root with Designated ports Port2, Port3 and Port4 and a Backup port Port5; Switch 2, bridge priority = 1500, has Root port Port2 and Designated port Port3; Switch 3, bridge priority = 2000, has Root port Port4 and Alternate port Port3)

The point-to-point connections between the three bridges are as follows:
• Port2/Switch 1 and Port2/Switch 2
• Port4/Switch 1 and Port4/Switch 3
• Port3/Switch 2 and Port
Now, Port3/Switch 3 is currently in a discarding state and is negotiating a port role. It received RST BPDUs from Port3/Switch 2. The 802.1W algorithm determines that the RST BPDUs Port3/Switch 3 received are superior to those it can transmit; however, they are not superior to those that are currently being received by the current Root port (Port4). Therefore, Port3 retains the role of Alternate port. Port3/Switch 1 and Port5/Switch 1 are physically connected.
FIGURE 42 Link failure in the topology (the link between Port2/Switch 1 and Port2/Switch 2 has failed; Switch 1 bridge priority = 1000, Switch 2 bridge priority = 1500, Switch 3 bridge priority = 2000)

Switch 1 sets its Port2 into a discarding state. At the same time, Switch 2 assumes the role of a root bridge since its root port failed and it has no operational Alternate port. Port3/Switch 2, which currently has a Designated port role, sends an RST BPDU to Switch 3.
When Port2/Switch 2 receives the RST BPDUs, the 802.1W algorithm determines that the RST BPDUs the port received are better than those received on Port3/Switch 3; therefore, Port2/Switch 2 is given the role of a Root port. All the ports on Switch 2 are informed that a new Root port has been assigned, which then signals all the ports to synchronize their roles and states.
Convergence in a complex 802.1W topology
The following is an example of a complex 802.1W topology.

FIGURE 43 Complex 802.
Next, Switch 2 sends RST BPDUs with a proposal flag to Port3/Switch 4. Port3 becomes the Root port for the bridge; all other ports are given a Designated port role with discarding states. Port3/Switch 4 sends an RST BPDU with an agreed flag to Switch 2 to confirm that it is the new Root port. The port then goes into a forwarding state. Now Port4/Switch 4 receives an RST BPDU that is superior to what it can transmit.
FIGURE 44 Active Layer 2 path in complex topology (Switch 1 bridge priority = 1000, Switch 2 bridge priority = 200, Switch 3 bridge priority = 300, Switch 4 bridge priority = 400, Switch 5 bridge priority = 60, Switch 6 bridge priority = 900; the figure marks the active Layer 2 path)

Propagation of topology change
The Topology Change state ma

FIGURE 45 Beginning of topology change notice (same six switches; the figure marks the active Layer 2 path and the direction of the TCN)

Switch 2 then starts the TCN time

FIGURE 46 Sending TCN to bridges connected to Switch 2 (same six switches; the figure marks the active Layer 2 path and the direction of the TCN)

Then Switch 1, Switch 5,

FIGURE 47 Completing the TCN propagation (same six switches; the figure marks the active Layer 2 path and the direction of the TCN)

Compatibility of 802.1W with 802.1D
802.
FIGURE 48 802.1W bridges with an 802.1D bridge (Switch 10 runs 802.1W, Switch 20 runs 802.1D, Switch 30 runs 802.1W)

Once Switch 20 is removed from the LAN, Switch 10 and Switch 30 continue to receive and transmit BPDUs in the STP (802.1D) format to and from each other. This state continues until the administrator issues the force-migration-check command to force the bridge to send RSTP BPDUs during a migrate time period.
Enabling or disabling 802.1W in a port-based VLAN
Use the following procedure to disable or enable 802.1W on a device on which you have configured a port-based VLAN. Changing the 802.1W state in a VLAN affects only that VLAN. To enable 802.1W for all ports in a port-based VLAN, enter commands such as the following.
PowerConnect(config)#vlan 10
PowerConnect(config-vlan-10)#spanning-tree 802-1w
Syntax: [no] spanning-tree 802-1w

Note regarding pasting 802.
Once 802.1W is enabled on a VLAN, it can be disabled on individual ports. Ports on which 802.1W has been disabled can then be re-enabled as required.

NOTE If you change the 802.1W state of the primary port in a trunk group, the change affects all ports in that trunk group.

To disable or enable 802.1W on an individual port, enter commands such as the following.
The priority parameter specifies the priority of the bridge. You can enter a value from 0 – 65535. A lower numerical value means the bridge has a higher priority. Thus, the highest priority is 0. The default is 32768. You can specify some or all of these parameters on the same command line. If you specify more than one parameter, you must specify them in the order shown above, from left to right.

Changing port parameters
The 802.
Set the admin-pt2pt-mac to enabled or disabled. If set to enabled, the port is treated as connected to another port through a point-to-point link. The point-to-point link increases the speed of convergence. This parameter, however, does not auto-detect whether or not the link is a physical point-to-point link; setting it on a shared-media link can lead to a Layer 2 loop, as noted earlier in this chapter. The force-migration-check parameter forces the specified port to send one RST BPDU.
TABLE 53 CLI display of 802.1W summary (Continued)
This field...        Displays...
Bridge IEEE 802.1W parameters
Bridge Identifier    The ID of the bridge.
Bridge Max Age       The configured max age for this bridge. The default is 20.
Bridge Hello         The configured hello time for this bridge. The default is 2.
Bridge FwdDly        The configured forward delay time for this bridge. The default is 15.
Force-Version        The configured force version value.

TABLE 53 CLI display of 802.1W summary (Continued)
This field...        Displays...
Hello                The hello value derived from the Root port. It is the number of seconds between two Hello packets.
Port IEEE 802.1W parameters
Port Num             The port number shown in a slot#/port# format.
Pri                  The configured priority of the port. The default is 128 or 0x80.
Port Path Cost       The configured path cost on a link connected to this port.
PowerConnect#show 802-1w detail
======================================================================
VLAN 1 - MULTIPLE SPANNING TREE (MSTP - IEEE 802.
TABLE 54 CLI display of show spanning-tree 802.1W (Continued)
This field...     Displays...
State             The port's current 802.1W state. A port can have one of the following states: Forwarding, Discarding, Learning, Disabled. Refer to "Bridge port states" on page 232 and "Edge port and non-edge port states" on page 233.
Path Cost         The configured path cost on a link connected to this port.
Priority          The configured priority of the port. The default is 128 or 0x80.

TABLE 54 CLI display of show spanning-tree 802.1W (Continued)
This field...     Displays...
Machine States    The current states of the various state machines on the port:
                  PIM – State of the Port Information state machine.
                  PRT – State of the Port Role Transition state machine.
                  PST – State of the Port State Transition state machine.
                  TCM – State of the Topology Change state machine.
                  PPM – State of the Port Protocol Migration state machine.
                  PTX – State of the Port Transmit state machine.
FIGURE 49 802.

FIGURE 50 802.
Once a failover occurs, the switch no longer has an alternate root port. If the port that was an alternate port but became the root port fails, standard STP is used to reconverge with the network. You can minimize the reconvergence delay in this case by setting the forwarding delay on the root bridge to a lower value. For example, if the forwarding delay is set to 15 seconds (the default), change the forwarding delay to a value from 3 – 10 seconds. During failover, 802.
Enabling 802.1W Draft 3
802.1W Draft 3 is disabled by default. The procedure for enabling the feature differs depending on whether single STP is enabled on the device.

NOTE STP must be enabled before you can enable 802.1W Draft 3.

Enabling 802.1W Draft 3 when single STP is not enabled
By default, each port-based VLAN on the device has its own spanning tree. To enable 802.1W Draft 3 in a port-based VLAN, enter commands such as the following.
Alternatively, you can configure a Dell PowerConnect device to run a single spanning tree across all ports and VLANs on the device. The Single STP feature (SSTP) is especially useful for connecting a Dell PowerConnect device to third-party devices that run a single spanning tree in accordance with the 802.1Q specification. SSTP uses the same parameters, with the same value ranges and defaults, as the default STP support on Dell PowerConnect devices.
PowerConnect(config)#spanning-tree single priority 2
This command changes the STP priority for all ports to 2. To change an STP parameter for a specific port, enter commands such as the following.
PowerConnect(config)#spanning-tree single ethernet 1 priority 10
This command overrides the global setting for STP priority and sets the priority to 10 for port 1/1. Here is the syntax for the global STP parameters.
• Single STP – Single STP allows all the VLANs to run STP, but each VLAN runs the same instance of STP, resulting in numerous blocked ports that do not pass any Layer 2 traffic. STP per VLAN group uses all available links by load balancing traffic for different instances of STP on different ports. A port that blocks traffic for one spanning tree forwards traffic for another spanning tree.
Here are the CLI commands for implementing the STP per VLAN group configuration shown in Figure 51. The following commands configure the member VLANs (3, 4, 13, and 14) and the master VLANs (2 and 12). Notice that changes to STP parameters are made in the master VLANs only, not in the member VLANs.
Configuration example for STP load sharing
Figure 52 shows another example of an STP per VLAN group implementation.
PVST/PVST+ compatibility
PowerConnect(config-vlan-201)#tag ethernet 1/2 ethernet 5/1 to 5/3
PowerConnect(config-vlan-201)#vlan 401
PowerConnect(config-vlan-401)#spanning-tree priority 3
PowerConnect(config-vlan-401)#tag ethernet 1/3 ethernet 5/1 to 5/3
...
NOTE
Dell PowerConnect ports automatically detect PVST+ BPDUs and enable support for the BPDUs once detected. You do not need to perform any configuration steps to enable PVST+ support. However, to support the IEEE 802.1Q BPDUs, you might need to enable dual-mode support.
Support for Cisco's Per VLAN Spanning Tree plus (PVST+) allows a Dell PowerConnect device to run multiple spanning trees (one per VLAN) while also interoperating with IEEE 802.1Q devices.
FIGURE 53 Interaction of IEEE 802.1Q, PVST, and PVST+ regions
[Figure labels: PVST+ Region (dual mode port) – 802.1D BPDUs – IEEE 802.1Q Region (dual mode port) – 802.1D BPDUs – PVST+ Region; PVST BPDUs tunneled through the IEEE 802.1Q region; PVST Region attached over ISL trunks carrying PVST BPDUs; one link marked "Do not connect".]
VLAN tags and dual mode
The dual-mode feature enables a port to send and receive both tagged and untagged frames.
Configuring PVST+ support
PVST+ support is automatically enabled when the port receives a PVST BPDU. You can manually enable the support at any time or disable the support if desired. If you want a tagged port to also support IEEE 802.1Q BPDUs, you need to enable the dual-mode feature on the port. The dual-mode feature is disabled by default and must be enabled manually.
PowerConnect#show span pvst-mode
PVST+ Enabled on:
Port     Method
1/1      Set by configuration
1/2      Set by configuration
2/10     Set by auto-detect
3/12     Set by configuration
4/24     Set by auto-detect
Syntax: show span pvst-mode
This command displays the following information.
TABLE 55 CLI display of PVST+ information
This field...   Displays...
Port            The Dell PowerConnect port number.
                NOTE: The command lists information only for the ports on which PVST+ support is enabled.
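Because PVST+ support is switched on automatically as soon as a port receives a PVST BPDU, a port that the output reports as "Set by auto-detect" is a port on which something sent Cisco PVST BPDUs, whether or not anyone planned a PVST+ neighbour there. The following Python script is an added example for this guide (not Dell code and not part of the switch firmware): it parses the show span pvst-mode table shown above and reports auto-detected ports that are not on an operator-maintained list of ports expected to face PVST+ devices. The sample output is the one from the page; the expected-port list is an assumption chosen for the example.

```python
"""Audit `show span pvst-mode` output for ports where PVST+ was auto-enabled.

Added example for this guide; not Dell code. The table format is the one shown
on the page (a "Port  Method" table that lists only ports with PVST+ enabled).
ASSUMPTION: `expected` is the operator's own list of ports that are supposed to
face PVST+ neighbours. Any other port showing "Set by auto-detect" was turned
on because it received a PVST BPDU from a device nobody planned for.
"""
import re
from typing import Dict, List, Tuple

# one table row: port number (1, 1/1 or 1/1/1 form) and the method column
ROW = re.compile(r"^\s*(\d+(?:/\d+){0,2})\s+Set by (configuration|auto-detect)\s*$")


def _port_key(port: str) -> Tuple[int, ...]:
    """Sort ports numerically (so 1/2 precedes 1/10)."""
    return tuple(int(part) for part in port.split("/"))


def parse_pvst_mode(output: str) -> Dict[str, str]:
    """Map port -> 'configuration' | 'auto-detect' from show span pvst-mode text."""
    ports: Dict[str, str] = {}
    in_table = False
    for line in output.splitlines():
        if line.strip().startswith("Port") and "Method" in line:
            in_table = True          # header row: rows follow
            continue
        if not in_table:
            continue
        match = ROW.match(line)
        if match:
            ports[match.group(1)] = match.group(2)
    return ports


def unexpected_autodetect(ports: Dict[str, str], expected: List[str]) -> List[str]:
    """Ports that enabled PVST+ by auto-detect but are not on the expected list."""
    allowed = set(expected)
    return sorted(
        (port for port, how in ports.items() if how == "auto-detect" and port not in allowed),
        key=_port_key,
    )


# Sample output: the five rows shown on the page.
SAMPLE_OUTPUT = """\
PowerConnect#show span pvst-mode
PVST+ Enabled on:
Port     Method
1/1      Set by configuration
1/2      Set by configuration
2/10     Set by auto-detect
3/12     Set by configuration
4/24     Set by auto-detect
"""

if __name__ == "__main__":
    found = parse_pvst_mode(SAMPLE_OUTPUT)
    # assumed: only port 2/10 is supposed to face a PVST+ neighbour
    for port in unexpected_autodetect(found, expected=["2/10"]):
        print(f"port {port}: PVST+ auto-enabled by a received PVST BPDU; verify the neighbour")
```

Run it against output captured from the switch; anything it reports is a port whose neighbour chose the spanning-tree flavour for you, which is worth checking before it also chooses your root bridge.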
Commands on the Dell PowerConnect Device
PowerConnect(config)#vlan-group 1 vlan 2 to 4
PowerConnect(config-vlan-group-1)#tagged ethernet 1/1
PowerConnect(config-vlan-group-1)#exit
PowerConnect(config)#interface ethernet 1/1
PowerConnect(config-if-1/1)#dual-mode
PowerConnect(config-if-1/1)#pvst-mode
These commands configure a VLAN group containing VLANs 2, 3, and 4, add port 1/1 as a tagged port to the VLANs, and enable the dual-mode feature and PVST+ support on the port.
These commands change the default VLAN ID, configure port 1/1 as a tagged member of VLANs 1 and 2, and enable the dual-mode feature and PVST+ support on port 1/1. Since VLAN 1 is tagged in this configuration, the default VLAN ID must be changed from VLAN 1 to another VLAN ID. Changing the default VLAN ID from 1 allows the port to process tagged frames for VLAN 1. VLAN 2 is specified with the dual-mode command, which makes VLAN 2 the Port Native VLAN.
PVRST compatibility
PVRST, the "rapid" version of per-VLAN spanning tree (PVST), is a Cisco proprietary protocol. PVRST corresponds to the Dell PowerConnect full implementation of IEEE 802.1w (RSTP). Likewise, PVST, also a Cisco proprietary protocol, corresponds to the Dell PowerConnect implementation of IEEE 802.1D (STP). When a Dell PowerConnect device receives PVRST BPDUs on a port configured to run 802.1w, it recognizes and processes these BPDUs and continues to operate in 802.
BPDU guard
Re-enabling ports disabled by BPDU guard
When a BPDU Guard-enabled port is disabled by BPDU Guard, the Dell PowerConnect device places the port in errdisable state and displays a message on the console indicating that the port is errdisabled (refer to “Example console messages” on page 284). In addition, the show interface command output indicates that the port is errdisabled.
STP configured to ON, priority is level0, flow control enabled
mirror disabled, monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
IPG MII 96 bits-time, IPG GMII 96 bits-time
IP MTU 1500 bytes
300 second input rate: 8 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 256 bits/sec, 0 packets/sec, 0.
Root guard
Configure root guard on all ports where the root bridge should not appear. This establishes a protective network perimeter around the core bridged network, cutting it off from the user network.
NOTE
Root guard may prevent network connectivity if it is improperly configured. Root guard must be configured on the perimeter of the network rather than the core.
NOTE
Root guard is not supported when MSTP is enabled.
Error disable recovery
In case a BPDU guard violation occurs, a port is placed into an errdisable state, which is functionally equivalent to a Disable state. Once in an errdisable state, it remains in that state until one of the following methods is used to return the port to an Enabled state.
1. Manually disabling and enabling that interface
2.
Displaying the error disable recovery state by interface
The port status of errdisabled displays in the output of the show interface and the show interface brief commands. In this example, interface ethernet 1 is shown as errdisabled, and the port was errdisabled because of a BPDU guard violation.
Syntax: show errdisable summary
Errdisable Syslog messages
When the system places a port into an errdisabled state for BPDU guard, a log message is generated. When the errdisable recovery timer expires, a log message is also generated. A Syslog message such as the following is generated after a port is placed into an errdisable state for BPDU guard.
802.1s Multiple Spanning Tree Protocol
Configuration notes
When configuring MSTP, note the following:
• With MSTP running, enabling static trunk on ports that are members of many VLANs (4000 or more VLANs) will keep the system busy for 20 to 25 seconds.
Configuring MSTP mode and scope
With the introduction of MSTP, a system can be either under MSTP mode or not under MSTP mode. The default state is to not be under MSTP mode. MSTP configuration can only be performed on a system under MSTP mode.
NOTE
Once under MSTP mode, the CIST always controls all ports in the system. If you do not want a port to run MSTP, configure the no spanning-tree command under the specified interface configuration.
Using the [no] option on a system that is configured for MSTP mode changes the system to non-MSTP mode. When this switch is made, all MSTP instances are deleted together with all MSTP configurations.
PowerConnect(config-vlan-20)#show run
Current configuration:
!
ver 7.2.00aT7f1
!
!
vlan 1 name DEFAULT-VLAN by port
 no spanning-tree
!
vlan 10 by port
 tagged ethe 1 to 2
 no spanning-tree
!
vlan 20 by port            <----- VLAN 20 configuration
 tagged ethe 1 to 2
 no spanning-tree
!
mstp scope all
mstp instance 0 vlan 1
mstp instance 1 vlan 20
mstp start
some lines omitted for brevity...
The instance parameter defines the number for the instance of MSTP that you are deleting. The vlan parameter identifies one or more VLANs or a range of VLANs to the instance defined in this command. The vlan-group parameter identifies one or more VLAN groups to the instance defined in this command.
Viewing the MSTP configuration digest
The MSTP Configuration Digest indicates the occurrence of an MSTP reconvergence.
• “Forcing ports to transmit an MSTP BPDU”
• “Activating MSTP on a switch”
Setting the MSTP name
Each switch that is running MSTP is configured with a name. The name applies to the whole switch, which can have many different VLANs belonging to many different MSTP regions. To configure an MSTP name, use a command such as the following at the Global Configuration level.
The no option moves a VLAN or VLAN group from its assigned MSTI back into the CIST.
NOTE
The system does not allow an MSTI without any VLANs mapped to it. Consequently, removing all VLANs from an MSTI deletes the MSTI from the system. The CIST, by contrast, exists regardless of whether any VLANs are assigned to it. Consequently, if all VLANs are moved out of the CIST, the CIST still exists and remains functional.
The max-hops parameter specifies the maximum hop count. You can specify a value from 1 – 40 hops. The default value is 20 hops.
Setting ports to be operational edge ports
You can define specific ports as edge ports for the region in which they are configured to connect to devices (such as a host) that are not running STP, RSTP, or MSTP. If a port is connected to an end device such as a PC, the port can be configured as an edge port.
• PowerConnect B-Series FCX stackable switches – When a port is disabled for MSTP, it behaves as blocking for all the VLAN traffic that is controlled by MSTIs and the CIST.
Forcing ports to transmit an MSTP BPDU
To force a port to transmit an MSTP BPDU, use a command such as the following at the Global Configuration level.
TABLE 56 Output from Show MSTP (Continued)
This field...          Displays...
ExtPath Cost           The configured path cost on a link connected to this port to an external MSTP region.
Regional Root Bridge   The MAC address of the Root Bridge for the local region.
IntPath Cost           The configured path cost on a link connected to this port within the internal MSTP region.
Chapter 9 Configuring Basic Layer 2 Features
Table 57 lists the individual Dell PowerConnect switches and the basic Layer 2 features they support.
• For information about configuring IP addresses, DNS resolver, DHCP assist, and other IP-related parameters, refer to Chapter 26, “Configuring IP”.
• For information about the Syslog buffer and messages, refer to Chapter 41, “Using Syslog”.
About port regions
This section describes port regions on PowerConnect switches.
You can also enable and disable spanning tree on a port-based VLAN and on an individual port basis, and enable advanced STP features. Refer to Chapter 8, “Configuring Spanning Tree Protocol (STP) Related Features”.
Disabling the automatic learning of MAC addresses
By default, when a packet with an unknown Source MAC address is received on a port, the Dell PowerConnect device learns this MAC address on the port. You can prevent a physical port from learning MAC addresses by entering the following command.
Configuring static MAC entries
NOTE
Dell PowerConnect devices running Layer 3 code also support the assignment of static IP Routes, static ARP, and static RARP entries. For details on configuring these types of static entries, refer to “Configuring static routes” on page 819 and “Creating static ARP entries” on page 814.
You can manually input the MAC address of a device to prevent it from being aged out of the system address table.
or
Syntax: [no] static-mac-address ethernet [/] to ethernet [] [priority ]
The parameter is required on chassis devices. The parameter is a valid port number. The priority is optional and can be a value from 0 – 7 (0 is lowest priority and 7 is highest priority). The default priority is 0.
For example, to remove entries for the MAC address 000d.cb80.00d0 in all VLANs, enter the following command at the Privileged EXEC level of the CLI.
PowerConnect#clear mac-address 000d.cb80.00d0
Syntax: clear mac-address | ethernet | vlan
If you enter clear mac-address without any parameter, the software removes all MAC address entries. Use the parameter to remove a specific MAC address from all VLANs.
Flow-based MAC address learning
How flow-based learning works
When a packet processor, call it PP 1, receives an incoming packet with source MAC address X, it sends a new address message to the CPU. The system learns MAC address X by adding it to the software MAC table in the CPU, then programming it in the hardware MAC table in the source packet processor, in this case PP 1.
• A source MAC address is learned only on the ingress (source) packet processor. The MAC address is added to other packet processors as needed by their incoming traffic flows. During a brief period until the destination MAC address is successfully added to the hardware MAC table, unknown unicast flooding is expected on the VLAN.
Syntax: system-max mac
The parameter specifies the maximum number of MAC addresses in the MAC table. For flow-based MACs, the minimum value is 16K and the maximum value is 32K. The default is 16K. Use the command show default values to display the default, maximum, and currently configured values for the MAC address table.
Enabling port-based VLANs
Syntax: vlan by port
Syntax: vlan name
The parameter specifies the VLAN ID. The valid range for VLAN IDs starts at 1 on all systems, but the upper limit of the range differs depending on the device. In addition, you can change the upper limit on some devices using the system max-vlans... command. The parameter is the VLAN name and can be a string of up to 32 characters.
Defining MAC address filters
MAC layer filtering enables you to build access lists based on MAC layer headers in the Ethernet/IEEE 802.3 frame. You can filter on the source and destination MAC addresses. The filters apply to incoming traffic only. You configure MAC address filters globally, then apply them to individual interfaces. To apply MAC address filters to an interface, you add the filters to that interface's MAC address filter group.
PowerConnect(config)# mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0
PowerConnect(config)# mac filter 4 deny any 0000.1234.5678 ffff.ffff.ffff
PowerConnect(config)# mac filter 5 deny any 0000.2345.6789 ffff.ffff.
PowerConnect(config)# mac filter
PowerConnect(config)# int e 1
PowerConnect(config-if-e1000-1)#
When a MAC address filter is applied to or removed from an interface, a Syslog message such as the following is generated.
SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 MAC Filter applied to port 0/1/2 by tester from telnet session (filter id=5 ).
SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 MAC Filter removed from port 0/1/2 by tester from telnet session (filter id=5 ).
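These two messages are the audit trail for every change to a port's filter group, so a collector should parse them rather than grep for them. The following Python script is an added example for this guide (not Dell code): it parses the message format shown above, decodes the Syslog PRI value (<14> is facility 1, severity 6, using the standard facility = PRI / 8, severity = PRI mod 8 split), and applies a simple triage policy. The sample log lines are the two from the page plus one constructed unrelated line; the allowed user and session sets are assumptions made for the example, not anything the switch enforces.

```python
"""Parse and triage the MAC-filter change messages this switch sends to Syslog.

Added example for this guide; not Dell code. The message text follows the two
lines shown on the page ("MAC Filter applied to port <p> by <user> from
<session> session (filter id=N )"). The PRI in angle brackets is standard
Syslog: facility = PRI // 8, severity = PRI % 8, so <14> is facility 1
(user-level), severity 6 (informational).
ASSUMPTION: the triage policy (which users may change filters, which session
types are acceptable) is the operator's own; the sets below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MSG = re.compile(
    r"^SYSLOG:\s*<(?P<pri>\d+)>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+MAC Filter (?P<verb>applied to|removed from) port "
    r"(?P<port>\S+) by (?P<user>\S+) from (?P<session>\S+) session "
    r"\(filter id=(?P<fid>\d+)\s*\)\.?\s*$"
)


@dataclass(frozen=True)
class FilterChange:
    facility: int
    severity: int
    timestamp: str
    host: str
    action: str          # "applied" or "removed"
    port: str
    user: str
    session: str         # e.g. "telnet"
    filter_id: int


def parse_line(line: str) -> Optional[FilterChange]:
    """Return a FilterChange for a MAC-filter message, None for anything else."""
    m = MSG.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return FilterChange(
        facility=pri // 8, severity=pri % 8, timestamp=m["ts"], host=m["host"],
        action="applied" if m["verb"] == "applied to" else "removed",
        port=m["port"], user=m["user"], session=m["session"], filter_id=int(m["fid"]),
    )


# Constructed policy: who may touch filters, and over which session types.
ALLOWED_USERS = {"netops"}
ALLOWED_SESSIONS = {"ssh", "console"}   # telnet carries the credentials in clear text


def triage(change: FilterChange) -> List[str]:
    """Reasons this change deserves a look; an empty list means routine."""
    reasons = []
    if change.action == "removed":
        reasons.append(f"filter {change.filter_id} removed from {change.port}: the port lost a restriction")
    if change.user not in ALLOWED_USERS:
        reasons.append(f"change made by unexpected user {change.user!r}")
    if change.session not in ALLOWED_SESSIONS:
        reasons.append(f"change made over a {change.session} session")
    return reasons


def run(lines: List[str]) -> List[Tuple[FilterChange, List[str]]]:
    """Parse every line, keep the MAC-filter events, attach their triage reasons."""
    results = []
    for line in lines:
        change = parse_line(line)
        if change is not None:
            results.append((change, triage(change)))
    return results


# Constructed sample: the two messages from the page plus one unrelated line.
SAMPLE_LOG = [
    "SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 MAC Filter applied to port 0/1/2 by tester from telnet session (filter id=5 ).",
    "SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 MAC Filter removed from port 0/1/2 by tester from telnet session (filter id=5 ).",
    "SYSLOG: <14>Jan 1 00:00:05 10.44.9.11 some unrelated message",
]

if __name__ == "__main__":
    for change, reasons in run(SAMPLE_LOG):
        print(change.timestamp, change.host, change.action, change.port, reasons or "routine")
```

Both page messages trip the policy here: the actor is not an approved user and the change came in over telnet. The removal line additionally flags that a port just lost a filter, which is the event a defender most wants to see promptly.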
PowerConnect(config)#int ethernet 1
PowerConnect(config-if-e1000-1)#mac filter-group log-enable
PowerConnect(config-if-e1000-1)#int ethernet 3
PowerConnect(config-if-e1000-3)#mac filter-group log-enable
PowerConnect(config-if-e1000-3)#write memory
Syntax: [no] mac filter-group log-enable
MAC address filter override for 802.1X-enabled ports
The MAC address filtering feature on an 802.1X-enabled port allows 802.1X and non-802.1X devices to share the same physical port.
The | any parameter specifies the source MAC address. You can enter a specific address value and a comparison mask, or the keyword any to filter on all MAC addresses. Specify the mask using f (ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000.
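The mask rule above is easy to get wrong in the direction that matters: an f nibble means "this bit must match", a 0 nibble means "ignore this bit", so ffff.ffff.fff0 on 0180.c200.0000 covers the sixteen addresses 0180.c200.0000 through 0180.c200.000f, the IEEE 802.1D reserved block that carries STP BPDUs (…0000), Slow Protocols such as LACP (…0002) and 802.1X EAPOL (…0003). The following Python script is an added example for this guide (not Dell code and not the switch's own matching logic): it parses filter lines in the page's syntax and evaluates a frame against a filter group, using the three deny filters from the earlier configuration example plus a constructed final permit-any filter. Two things are assumptions rather than statements from the page: filters are tried in the order listed and the first match wins, and a frame matching no filter gets the configurable default (deny here). Whether the switch consults these filters for frames it processes in software, such as BPDUs, is not stated on the page either.

```python
"""MAC filter evaluation in the style of the PowerConnect `mac filter` command.

Added example for this guide; not Dell code and not the switch firmware's logic.
Grammar modelled on the page:
    mac filter <id> permit|deny <src-mac> <src-mask>|any <dst-mac> <dst-mask>|any
A mask uses f nibbles (ones) for bits that must match and 0 for bits that are
ignored, so ffff.0000.0000 compares only the first two bytes.
ASSUMPTIONS: filters in a group are tried in the order listed and the first
match wins; a frame matching no filter gets `default` (deny here); neither is
stated explicitly on the page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL_MASK = 0xFFFF_FFFF_FFFF


def mac_to_int(mac: str) -> int:
    """Parse 'aabb.ccdd.eeff' (also aa:bb:cc:dd:ee:ff / aa-bb-...) into an int."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacFilter:
    fid: int
    action: str                 # "permit" or "deny"
    src: Optional[int]          # None means 'any'
    src_mask: int
    dst: Optional[int]
    dst_mask: int

    def matches(self, src: int, dst: int) -> bool:
        # compare only the bits the mask marks with ones
        src_ok = self.src is None or (src & self.src_mask) == (self.src & self.src_mask)
        dst_ok = self.dst is None or (dst & self.dst_mask) == (self.dst & self.dst_mask)
        return src_ok and dst_ok


def _addr_and_mask(tokens: List[str]) -> Tuple[Optional[int], int, List[str]]:
    """Consume 'any' or '<mac> <mask>' from the front of the token list."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return None, FULL_MASK, tokens[1:]
    if len(tokens) < 2:
        raise ValueError("address given without a comparison mask")
    return mac_to_int(tokens[0]), mac_to_int(tokens[1]), tokens[2:]


def parse_filter(line: str) -> MacFilter:
    """Parse one line such as 'mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0'."""
    tokens = line.split()
    if tokens[:2] != ["mac", "filter"] or len(tokens) < 6:
        raise ValueError(f"not a mac filter line: {line!r}")
    fid, action = int(tokens[2]), tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    src, src_mask, rest = _addr_and_mask(tokens[4:])
    dst, dst_mask, rest = _addr_and_mask(rest)
    if rest:
        raise ValueError(f"trailing tokens in {line!r}")
    return MacFilter(fid, action, src, src_mask, dst, dst_mask)


def evaluate(filters: List[MacFilter], src: str, dst: str,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """(action, id of the first matching filter), or (default, None) if none match."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for f in filters:
        if f.matches(s, d):
            return f.action, f.fid
    return default, None


# Constructed filter group: filters 3-5 mirror the page's example (mask on
# filter 5 completed to a full match); filter 1024 is a hypothetical final
# "permit everything else" entry.
SAMPLE_FILTERS = [
    "mac filter 3 deny any 0180.c200.0000 ffff.ffff.fff0",
    "mac filter 4 deny any 0000.1234.5678 ffff.ffff.ffff",
    "mac filter 5 deny any 0000.2345.6789 ffff.ffff.ffff",
    "mac filter 1024 permit any any",
]


def sample_group() -> List[MacFilter]:
    return [parse_filter(line) for line in SAMPLE_FILTERS]


if __name__ == "__main__":
    group = sample_group()
    for dst in ("0180.c200.0000", "0180.c200.0003", "0180.c200.0010", "0000.1234.5678"):
        print(dst, "->", evaluate(group, "0000.aaaa.bbbb", dst))
```

Note what filter 3 does in practice: because the mask ignores the low nibble, a frame to 0180.c200.0003 (EAPOL) is denied by the same rule that was presumably written for BPDUs at 0180.c200.0000, while 0180.c200.0010 falls through to the next filter. When the intent is to block one reserved address, use a full ffff.ffff.ffff mask.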
Syntax: lock-address ethernet [ [addr-count ]
Specify the variable in the following formats:
• PowerConnect B-Series FCX stackable switches – The parameter is a value from 1 – 2048.
Displaying and modifying system parameter default settings
Dell PowerConnect devices have default table sizes for the system parameters shown in the following display outputs.
The following shows an example output of the show default values command on a PowerConnect Layer 2 device.
The following shows an example output on a PowerConnect IPv4 device running Layer 3 software.
PowerConnect#show default values
sys log buffers:50      mac age time:300 sec      ip arp age:10 min      ip addr per intf:24
when multicast enabled :
igmp group memb.:260 sec
when ospf enabled :
ospf dead:40 sec        ospf transit delay:1 sec
when bgp enabled :
bgp local pref.:100     bgp metric:10             bgp ext.
The following shows an example output on a PowerConnect B-Series FCX device serving as a management host in an IPv6 network and running the Layer 3 software image.
PowerConnect#show default values
sys log buffers:50      mac age time:300 sec      ip arp age:10 min      ip addr per intf:24
when multicast enabled :
igmp group memb.:260 sec
when ospf enabled :
ospf dead:40 sec        ospf transit delay:1 sec
when bgp enabled :
bgp local pref.:100     bgp metric:10             bgp ext.
TABLE 58 System parameters in show default values command (Continued)
This system parameter...   Defines the maximum number of...
PowerConnect(config)#system-max ip-route 120000
PowerConnect(config)#write memory
PowerConnect(config)#exit
PowerConnect#reload
Syntax: system-max ip-route
The parameter specifies the maximum number of routes in the IP route table. The minimum value is 4096. The maximum value is 524288 (subject to route patterns for SuperX/SX). The default is 80000 IP routes.
Dynamic Buffer Allocation for an IronStack
For example, for an 8-unit stack of 48 ports, the packet processor numbering scheme is as follows:
PowerConnect#qd-buffer 1 2 76 2
Syntax: qd-buffer DeviceNum PortTypeVal NumBuffers PriorityQueue
DeviceNum: 0-x
PortTypeVal: 1 for 1 Gbps or 2 for 10 Gbps
NumBuffers: Number of buffers to allocate (minimum 1, maximum 4095)
PriorityQueue: Designates a specific queue (0 to 7)
Sample Configuration
This sample configuration assumes a four-unit stack with the following topology.
qd-buffer 0 1 4095 0
qd-buffer 1 1 4095 0
qd-buffer 2 1 4095 0
qd-buffer 4 1 4095 0
qd-buffer 5 1 4095 0
qd-buffer 6 1 4095 0
qd-buffer 0 2 4095 0
qd-buffer 1 2 4095 0
qd-buffer 2 2 4095 0
qd-buffer 4 2 4095 0
qd-buffer 5 2 4095 0
qd-buffer 6 2 4095 0
Generic buffer profiles on PowerConnect Stackable devices
Default buffer settings are currently optimized for 1 GbE-to-1 GbE traffic.
Remote Fault Notification (RFN) on 1G fiber connections
For fiber-optic connections, you can optionally configure a transmit port to notify the receive port on the remote device whenever the transmit port becomes disabled. When you enable this feature, the transmit port notifies the remote port whenever the fiber cable is either physically disconnected or has failed. When this occurs and the feature is enabled, the device disables the link and turns OFF both LEDs associated with the ports. By default, RFN is enabled.
Link Fault Signaling (LFS) for 10G
PowerConnect(config)#interface e 1/1
PowerConnect(config-if-e1000-1/1)#link-fault-signal
Syntax: [no] link-fault-signal
Use the no form of the command to disable LFS. LFS is OFF by default.
Viewing the status of LFS-enabled links
The status of an LFS-enabled link is shown in the output of the show interface and show interface brief commands, as shown in the following examples.
Chapter 10 Configuring Metro Features
Table 59 lists the individual Dell PowerConnect switches and the metro features they support.
Topology groups
Master VLAN and member VLANs
Each topology group contains a master VLAN and can contain one or more member VLANs and VLAN groups:
• Master VLAN – The master VLAN contains the configuration information for the Layer 2 protocol. For example, if you plan to use the topology group for MRP, the topology group master VLAN contains the ring configuration information.
• Member VLANs – The member VLANs are additional VLANs that share ports with the master VLAN.
• If you remove the master VLAN (by entering no master-vlan ), the software selects the new master VLAN from the member VLANs. The candidate is chosen in configuration order, so the first member VLAN that was added becomes the new candidate master VLAN. Once you save and reload, the member VLAN with the youngest VLAN ID becomes the new candidate master. The new master VLAN inherits the Layer 2 protocol settings of the old master VLAN.
NOTE
Once you add a VLAN or VLAN group as a member of a topology group, all the Layer 2 protocol configuration information for the VLAN or group is deleted. For example, if STP is configured on a VLAN and you add the VLAN to a topology group, the STP configuration is removed from the VLAN. Once you add the VLAN to a topology group, the VLAN uses the Layer 2 protocol settings of the master VLAN.
TABLE 60 CLI display of topology group information
This field...          Displays...
master-vlan            The master VLAN for the topology group. The settings for STP, MRP, or VSRP on the control ports in the master VLAN apply to all control ports in the member VLANs within the topology group.
member-vlan            The member VLANs in the topology group.
Common control ports   The master VLAN ports that are configured with Layer 2 protocol information.
Metro Ring Protocol (MRP)
FIGURE 58 Metro ring – normal state
[Figure: Switch A (Master Node), Switch B, Switch C and Switch D form a ring; each switch is also connected to a Customer A network. All ring interfaces are marked F (Forwarding) except one marked B (Blocking), labelled "This interface blocks Layer 2 traffic to prevent a loop".]
The ring in this example consists of four MRP nodes (Dell PowerConnect switches). Each node has two interfaces with the ring. Each node also is connected to a separate customer network.
Configuration notes
• When you configure MRP, Dell recommends that you disable one of the ring interfaces before beginning the ring configuration. Disabling an interface prevents a Layer 2 loop from occurring while you are configuring MRP on the ring nodes. Once MRP is configured and enabled on all the nodes, you can re-enable the interface.
• The above configurations can be configured as MRP masters or MRP members (for different rings).
MRP rings with shared interfaces (MRP Phase 2)
With MRP Phase 2, MRP rings can be configured to share the same interfaces as long as the interfaces belong to the same VLAN. Figure 60 shows examples of multiple MRP rings that share the same interface.
For example, in Figure 61, the ID of all interfaces on all nodes on Ring 1 is 1, and the ID of all interfaces on all nodes on Ring 2 is 2. Port 1/1 on node S1 and Port 2/2 on S2 have the IDs 1 and 2, since these interfaces are shared by Rings 1 and 2. The ring ID is also used to determine an interface priority. Generally, a ring ID is also the ring priority and the priority of all interfaces on that ring.
FIGURE 62 Metro ring – initial state
[Figure: the same four-node ring; every ring interface is marked PF ("All ports start in Preforwarding state"), and the primary port on the Master node (Switch A) sends RHP 1.]
MRP uses Ring Health Packets (RHPs) to monitor the health of the ring. An RHP is an MRP protocol packet.
• Forwarding (F) – The interface can forward data as well as RHPs. An interface changes from Preforwarding to Forwarding when the port preforwarding time expires. This occurs if the port does not receive an RHP from the Master, or if the forwarding bit in the RHPs received by the port is off. This indicates a break in the ring. The port heals the ring by changing its state to Forwarding.
FIGURE 63 Metro ring – from preforwarding to forwarding
[Figure: on the Master Node (Switch A) the secondary port receives RHP 1 and changes to Blocking; the primary port then sends RHP 2 with the forwarding bit on; each other ring port changes from Preforwarding to Forwarding when it receives RHP 2.]
Each RHP also has a sequence number.
RHP processing in MRP Phase 2
Figure 64 shows an example of how RHP packets are processed normally in MRP rings with shared interfaces.
How ring breaks are detected and healed
Figure 65 shows ring interface states following a link break. MRP quickly heals the ring and preserves connectivity among the customer networks.
• If the interface receives an RHP, the interface changes back to the Blocking state and resets the dead timer.
• If the interface does not receive an RHP for its ring before the Preforwarding time expires, the interface changes to the Forwarding state, as shown in Figure 65.
• Forwarding interfaces – Each member interface remains in the Forwarding state.
Master VLANs and customer VLANs
All the ring ports must be in the same VLAN. Placing the ring ports in the same VLAN provides Layer 2 connectivity for a given customer across the ring. Figure 67 shows an example.
A topology group enables you to control forwarding in multiple VLANs using a single instance of a Layer 2 protocol such as MRP. A topology group contains a master VLAN and member VLANs. The master VLAN contains all the configuration parameters for the Layer 2 protocol (STP, MRP, or VSRP). The member VLANs use the Layer 2 configuration of the master VLAN. In Figure 67, VLAN 2 is the master VLAN and contains the MRP configuration parameters for ring 1.
Adding an MRP ring to a VLAN
To add an MRP ring to a VLAN, enter commands such as the following.
NOTE
If you plan to use a topology group to add VLANs to the ring, make sure you configure MRP on the topology group master VLAN.
Configures this node as the master node for the ring. Enter this command only on one node in the ring. The node is a member (non-master) node by default.
Syntax: [no] ring-interface ethernet ethernet
The ethernet parameter specifies the primary interface. On the master node, the primary interface is the one that originates RHPs.
Using MRP diagnostics
The MRP diagnostics feature calculates how long it takes for RHP packets to travel through the ring. When you enable MRP diagnostics, the software tracks RHP packets according to their sequence numbers and calculates how long it takes an RHP packet to travel one time through the entire ring. When you display the diagnostics, the CLI shows the average round-trip time for the RHP packets sent since you enabled diagnostics.
TABLE 61 CLI display of MRP ring diagnostic information (Continued)
This field...      Displays...
Diag frame sent    The number of diagnostic RHPs sent for the test.
Diag frame lost    The number of diagnostic RHPs lost during the test.
If the recommended hello time and preforwarding time are different from the actual settings and you want to change them, refer to “Configuring MRP” on page 349.
TABLE 62 CLI display of MRP ring information
This field...   Displays...
Ring id         The ring ID.
State           The state of MRP. The state can be one of the following:
                • enabled – MRP is enabled
                • disabled – MRP is disabled
Ring role       Whether this node is the master for the ring. The role can be one of the following:
                • master
                • member
Master vlan     The ID of the master VLAN in the topology group used by this ring.
TABLE 62 CLI display of MRP ring information (Continued)
This field...      Displays...
Active interface   The physical interfaces that are sending and receiving RHPs.
                   NOTE: If a port is disabled, its state is shown as “disabled”.
                   NOTE: If an interface is a trunk group, only the primary port of the group is listed.
Interface Type     Shows if the interface is a regular port or a tunnel port.
RHPs sent          The number of RHPs sent on the interface.
The following commands configure the customer VLANs. The customer VLANs must contain both the ring interfaces and the customer interfaces.
PowerConnect(config)#vlan 30
PowerConnect(config-vlan-30)#tag ethernet 1/1
PowerConnect(config-vlan-30)#tag ethernet 2/1
PowerConnect(config-vlan-30)#exit
PowerConnect(config)#vlan 40
PowerConnect(config-vlan-40)#tag ethernet 1/1
PowerConnect(config-vlan-40)#tag ethernet 4/1
PowerConnect(config-vlan-40)#exit
PowerConnect(config)#topology-group 1
PowerConnect(config-topo-group-1)#master-vlan
PowerConnect(config-topo-group-1)#member-vlan
PowerConnect(config-topo-grou
Virtual Switch Redundancy Protocol (VSRP)
FIGURE 68 VSRP mesh – redundant paths for Layer 2 and Layer 3 traffic
[Figure: a VSRP Master and a VSRP Backup, joined by an optional link, each connected to three VSRP Aware switches; the Master's links are marked F (Forwarding), the Backup's links B (Blocking); the Master sends Hello packets.]
In this example, two Dell PowerConnect devices are configured as redundant paths for VRID 1. On each of the devices, a Virtual Router ID (VRID) is configured on a port-based VLAN. Since VSRP is primarily a Layer 2 redundancy protocol, the VRID applies to the entire VLAN.
Layer 2 and Layer 3 redundancy
You can configure VSRP to provide redundancy for Layer 2 only or also for Layer 3:
• Layer 2 only – The Layer 2 links are backed up, but specific IP addresses are not backed up.
• Layer 2 and Layer 3 – The Layer 2 links are backed up and a specific IP address is also backed up. Layer 3 VSRP is the same as VRRPE. However, using VSRP provides redundancy at both layers at the same time.
Layer 2 Switches support Layer 2 VSRP only.
• If the Backup does not receive a Hello message with a higher priority than its own by the time the hold-down timer expires, the Backup becomes the new Master and starts forwarding Layer 2 traffic on all ports.
If you increase the timer scale value, each timer value is divided by the scale value. To achieve sub-second failover times, you can change the scale to a value up to 10. This shortens all the VSRP timers to 10 percent of their configured values.
Virtual Switch Redundancy Protocol (VSRP) FIGURE 70 10 VSRP priority recalculation Configured priority = 100 Actual priority = 100 * (3/3) = 100 Configured priority = 100 Actual priority = 100 * (2/3) = 67 VSRP Backup B B VSRP Master optional link F F B F X Link down VSRP Aware VSRP Aware VSRP Aware You can reduce the sensitivity of a VSRP device to failover by increasing its configured VSRP priority.
When you configure a track port, you assign a priority value to the port. If the port goes down, VSRP subtracts the track port priority value from the configured VSRP priority. For example, if you configure a track port with priority 20 and the configured VSRP priority is 100, the software subtracts 20 from 100 if the track port goes down, resulting in a VSRP priority of 80. The new priority value is used when calculating the VSRP priority.
FIGURE 73 Track port priority subtracted during priority calculation
[Figure: VSRP Backup with configured priority = 100 and track priority 20; its track link is down (X), so actual priority = (100 - 20) * (3/3) = 80. VSRP Master with configured priority = 100 and actual priority = 100 * (3/3) = 100. The two are joined by an optional link and connected to three VSRP Aware devices.]

MAC address failover on VSRP-aware devices

VSRP-aware devices maintain a record of each VRID and its VLAN.

Timer scale

The VSRP Hello interval, Dead interval, Backup Hello interval, and Hold-down interval timers are individually configurable. You also can easily change all the timers at the same time while preserving the ratios among their values. To do so, change the timer scale. The timer scale is a value used by the software to calculate the timers. The software divides a timer value by the timer scale value. By default, the scale is 1.

TABLE 63 VSRP parameters (Continued)
Description: The type of authentication the VSRP-aware devices will use on a VSRP backup switch:
• No authentication – The device does not accept incoming packets that have authentication strings.
• Simple – The device uses a simple text-string as the authentication string for accepting incoming packets.
Default: No authentication
See page: 369

TABLE 63 VSRP parameters (Continued)
Parameter: Preference of timer source
Description: When you save a Backup configuration, the software can save the configured VSRP timer values or the VSRP timer values received from the Master. Saving the current timer values instead of the configured ones helps ensure consistent timer usage for all the VRID devices.

TABLE 63 VSRP parameters (Continued)
Description: A Layer 3 Switch that is running RIP normally advertises routes to a backed up VRID even when the Layer 3 Switch is not currently the active Layer 3 Switch for the VRID. Suppression of these advertisements helps ensure that other Layer 3 Switches do not receive invalid route paths for the VRID.

Syntax: enable | disable

Configuring optional VSRP parameters

The following sections describe how to configure optional VSRP parameters.

Disabling or re-enabling VSRP

VSRP is enabled by default on Layer 2 Switches and Layer 3 Switches. On a Layer 3 Switch, if you want to use VRRP or VRRPE for Layer 3 redundancy instead of VSRP, you need to disable VSRP first. To do so, enter the following command at the global CONFIG level.
To change the timer scale, enter a command such as the following at the global CONFIG level of the CLI.

PowerConnect(config)# scale-timer 2

This command changes the scale to 2. All VSRP, VRRP, and VRRP-E timer values will be divided by 2.

Syntax: [no] scale-timer

The parameter specifies the scale value by which the timers are divided. You can specify a timer scale from 1 – 10.
Specifying no authentication for VSRP hello packets

The following configuration specifies no authentication as the preferred VSRP-aware security method. In this case, the VSRP device will not accept incoming packets that have authentication strings.

VSRP does not require you to specify an IP address. If you do not specify an address, VSRP provides Layer 2 redundancy. If you do specify an address, VSRP provides Layer 2 and Layer 3 redundancy. The Layer 3 redundancy support is the same as VRRPE support. For information, refer to Chapter 31, “Configuring VRRP and VRRPE”.

• Hold-down interval

By default, each Backup saves the configured timer values to its startup-config file when you save the device configuration. You can configure a Backup to instead save the current timer values received from the Master when you save the configuration. Saving the current timer values instead of the configured ones helps ensure consistent timer usage for all the VRID devices.

NOTE
The default Dead interval is three times the Hello interval plus one-half second. Generally, if you change the Hello interval, you also should change the Dead interval on the Backups.

NOTE
If you change the timer scale, the change affects the actual number of seconds.

Changing the dead interval

The Dead interval is the number of seconds a Backup waits for a Hello message from the Master before determining that the Master is dead.

Changing the hold-down interval

The hold-down interval prevents Layer 2 loops from occurring during failover, by delaying the new Master from forwarding traffic long enough to ensure that the failed Master is really unavailable. To change the Hold-down interval, enter a command such as the following at the configuration level for the VRID.

NOTE
The priority option changes the priority of the specified interface, overriding the default track port priority. To change the default track port priority, use the backup track-priority command.

Disabling or re-enabling backup pre-emption

By default, a Backup that has a higher priority than another Backup that has become the Master can preempt the Master, and take over the role of Master.
VSRP-aware interoperability

The vsrp-aware tc-vlan-flush command should be used in network configurations in which the Dell PowerConnect switch operates as the VSRP-aware device connecting to other devices that act as the VSRP Master. The command is available at the VLAN level and is issued for a specific VRID, as shown here for VRID 11.
This display shows the following information when you use the vrid or vlan parameter. For information about the display when you use the aware parameter, refer to “Displaying the active interfaces for a VRID” on page 378.

TABLE 64 CLI display of VSRP VRID or VLAN information
This field... | Displays...
Total number of VSRP routers defined | The total number of VRIDs configured on this device.
VLAN | The VLAN on which VSRP is configured.

TABLE 64 CLI display of VSRP VRID or VLAN information (Continued)
This field... | Displays...
dead-interval | The configured value for the dead interval. The dead interval is the number of seconds a Backup waits for a Hello message from the Master for the VRID before determining that the Master is no longer active.

TABLE 65 CLI display of VSRP-aware information (Continued)
This field... | Displays...
VRID | The VRID.
Last Port | The most recent active port connection to the VRID. This is the port connected to the current Master. If a failover occurs, the VSRP-aware device changes the port to the port connected to the new Master. The VSRP-aware device uses this port to send and receive data through the backed up node.

PowerConnect#show vsrp vrid 100
VLAN 100
  auth-type no authentication
  VRID 100
  ========
  State    Administrative-status  Advertise-backup  Preempt-mode  save-current
  master   enabled                disabled          true          false

  Parameter       Configured  Current  Unit/Formula
  priority        100         50       (100-0)*(2.0/4.0)
  hello-interval  1           1        sec/1
  dead-interval   3           3        sec/1
  hold-interval   3           3        sec/1
  initial-ttl     2           2        hops
  next hello sent in 00:00:00.
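The priority recalculation of Figures 70 and 73, the timer scale, and the Unit/Formula column of the show vsrp output above, worked through as an added Python example (not Dell's code or the switch's own logic). It assumes that the actual priority is rounded to a whole number (the figure prints 100 * (2/3) as 67), that the track-port subtraction happens before the port-ratio scaling, and that a Backup takes over after the Dead interval plus the Hold-down interval have both elapsed.

```python
# Added example, not Dell's code: VSRP priority and timer arithmetic as
# described in this chapter, so the "Unit/Formula" column of show vsrp can
# be checked by hand.
# Assumptions (labelled): results are rounded to the nearest integer
# (the figure shows 100 * (2/3) = 67); track-port priority is subtracted
# before the port-ratio scaling, as in (100 - 20) * (3/3) = 80; failover
# time is taken as Dead interval + Hold-down interval.
from dataclasses import dataclass, field
from typing import List


@dataclass
class TrackPort:
    """A tracked interface whose failure lowers the VRID's priority."""
    name: str
    priority: int           # subtracted from the configured priority when down
    up: bool = True


@dataclass
class VsrpVrid:
    configured_priority: int
    vlan_ports_total: int   # ports in the VRID's VLAN
    vlan_ports_up: int      # of those, how many currently have link
    track_ports: List[TrackPort] = field(default_factory=list)


def track_penalty(v: VsrpVrid) -> int:
    """Sum of the track-port priorities whose links are currently down."""
    return sum(t.priority for t in v.track_ports if not t.up)


def effective_priority(v: VsrpVrid) -> int:
    """Actual priority = (configured - down track priorities) * (up / total)."""
    if v.vlan_ports_total <= 0:
        raise ValueError("a VRID needs at least one port in its VLAN")
    if not 0 <= v.vlan_ports_up <= v.vlan_ports_total:
        raise ValueError("up ports must be between 0 and the VLAN port count")
    base = max(v.configured_priority - track_penalty(v), 0)
    return round(base * (v.vlan_ports_up / v.vlan_ports_total))


def priority_formula(v: VsrpVrid) -> str:
    """Render the calculation the way show vsrp prints it: (100-0)*(2.0/4.0)."""
    return (f"({v.configured_priority}-{track_penalty(v)})"
            f"*({v.vlan_ports_up:.1f}/{v.vlan_ports_total:.1f})")


def scaled_timer(configured_seconds: float, scale: int) -> float:
    """Apply scale-timer: every VSRP timer is divided by the scale (1 - 10)."""
    if not 1 <= scale <= 10:
        raise ValueError("scale-timer accepts values from 1 to 10")
    return configured_seconds / scale


def default_dead_interval(hello_seconds: float) -> float:
    """Default Dead interval: three times the Hello interval plus one-half second."""
    return 3 * hello_seconds + 0.5


def seconds_until_failover(dead_seconds: float, hold_down_seconds: float,
                           scale: int) -> float:
    """Worst-case time from the Master's last Hello to the Backup forwarding.

    Assumption: the Backup declares the Master dead when the (scaled) Dead
    interval expires and starts forwarding when the (scaled) Hold-down
    interval expires after that.
    """
    return scaled_timer(dead_seconds, scale) + scaled_timer(hold_down_seconds, scale)


if __name__ == "__main__":
    # Constructed scenario matching the show vsrp output in this chapter:
    # four ports in VLAN 100, two of them up, no track ports down.
    vrid100 = VsrpVrid(configured_priority=100, vlan_ports_total=4, vlan_ports_up=2)
    print(f"priority  {vrid100.configured_priority}  {effective_priority(vrid100)}"
          f"  {priority_formula(vrid100)}")
    for name, secs in (("hello-interval", 1), ("dead-interval", 3), ("hold-interval", 3)):
        print(f"{name:<15} {secs}  {scaled_timer(secs, 1):g}  sec/1")
    # Figure 73: track port with priority 20 is down, all three VLAN ports up.
    backup = VsrpVrid(100, 3, 3, [TrackPort("ethernet 1/5", 20, up=False)])
    print("Figure 73 backup:", effective_priority(backup), priority_formula(backup))
    print("failover with defaults:", seconds_until_failover(3, 3, 1), "s;",
          "with scale-timer 10:", seconds_until_failover(3, 3, 10), "s")
```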
FIGURE 75 VSRP on MRP rings that failed over
[Figure: two MRP rings (Path 1 and Path 2) made up of MRP Masters and MRP Members, with VSRP Master and VSRP Backup devices (Device 1) and Hosts attached; failed links are marked X]

A signaling process for the interaction between VSRP and MRP ensures that MRP is informed of the topology change and achieves convergence rapidly.
Chapter 11 Configuring Uni-Directional Link Detection (UDLD) and Protected Link Groups

Table 66 lists the individual Dell PowerConnect switches and the UDLD and protected link group features they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.

UDLD overview

Normally, a Dell PowerConnect device load balances traffic across the ports in a trunk group. In this example, each Dell PowerConnect device load balances traffic across two ports. Without the UDLD feature, a link failure on a link that is not directly attached to one of the Dell PowerConnect devices is undetected by the Dell PowerConnect devices. As a result, the Dell PowerConnect devices continue to send traffic on the ports connected to the failed link.

Enabling UDLD

NOTE
This section shows how to configure UDLD for untagged control packets. To configure UDLD for tagged control packets, refer to “Enabling UDLD for tagged ports”.

To enable UDLD on a port, enter a command such as the following at the global CONFIG level of the CLI.

PowerConnect(config)#link-keepalive ethernet 0/1/1

To enable the feature on a trunk group, enter commands such as the following.

Changing the Keepalive retries

By default, a port waits one second to receive a health-check reply packet from the port at the other end of the link. If the port does not receive a reply, the port tries four more times by sending up to four more health-check packets. If the port still does not receive a reply after the maximum number of retries, the port goes down. You can change the maximum number of keepalive attempts to a value from 3 – 64.

If a port is disabled by UDLD, the change also is indicated in the output of the show interfaces brief command. An example is given below.

PowerConnect#show interfaces brief
Port  Link  State       Dupl  Speed  Trunk  Tag  Priori  MAC             Name
1/1   Up    LK-DISABLE  None  None   None   No   level0  00e0.52a9.bb00
1/2   Down  None        None  None   None   No   level0  00e0.52a9.bb01
1/3   Down  None        None  None   None   No   level0  00e0.52a9.bb02
1/4   Down  None        None  None   None   No   level0  00e0.52a9.

The show interface ethernet command also displays the UDLD state for an individual port. In addition, the line protocol state listed in the first line will say “down” if UDLD has brought the port down. An example is given below.

PowerConnect#show interface ethernet 1/1
FastEthernet1/1 is down, line protocol is down, link keepalive is enabled
Hardware is FastEthernet, address is 00e0.52a9.bbca (bia 00e0.52a9.

Protected link groups

About active ports

When you create a protected link group, you can optionally specify which port in the protected link group is the active port. If you do not explicitly configure an active port, the Dell PowerConnect device dynamically assigns one. A dynamic active port is the first port in the protected link group that comes up (usually the lowest numbered port in the group).

[Figure: Switch 1 ports 1/1 through 1/8 are cabled to Switch 2 ports 1/10 through 1/17 (1/1 to 1/10, 1/2 to 1/11, and so on up to 1/8 to 1/17); one port on each switch is marked as the active port]

The configuration for the above illustration is as follows.

The parameter specifies the protected link group number. Enter a number from 1 – 32. The active-port ethernet defines the active port.

PowerConnect#show int e 3
GigabitEthernet3 is up, line protocol is up, link keepalive is enabled
Hardware is GigabitEthernet, address is 0012.f2a8.7140 (bia 0012.f2a8.7142)
Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
Configured mdi mode AUTO, actual MDIX
Member of 3 L2 VLANs, port is tagged, port state is protected-link-inactive
BPDU guard is Disabled, ROOT protect is Disabled
Link Error Dampening is Disabled
STP configured to ON, priority is level0
....

Chapter 12 Configuring Trunk Groups and Dynamic Link Aggregation

Table 70 lists the individual Dell PowerConnect switches and the trunk groups and dynamic link aggregation features they support.

TABLE 70 Supported trunk group and dynamic link aggregation features
Feature | PowerConnect B-Series FCX
Trunk groups | Yes
Trunk threshold for static trunk groups | Yes
Flexible trunk group membership | Yes
Option to include Layer 2 in trunk hash calculation | Yes
802.

Trunk group overview

FIGURE 78 Trunk group application within a PowerConnect network
[Figure: a switch on a Gigabit backbone connected by a trunk group to a server, and Switch1 and Switch2 joined by a trunk group, serving power users over dedicated 100 Mbps links]

NOTE
The ports in a trunk group make a single logical link. Therefore, all the ports in a trunk group must be connected to the same device at the other end.

FIGURE 79 Trunk group between a server and a compact Layer 2 Switch or Layer 3 Switch
[Figure: a multi-homing server, whose multi-homing adapter has the same IP and MAC address on every link, connected by a trunk group to a switch]

Trunk group rules

Table lists the maximum number of trunk groups you can configure on a Dell PowerConnect device and the valid number of ports in a trunk group. The table applies to static and LACP trunk ports.

• statically configured port speed and duplex
• QoS priority

To change port parameters, you must change them on the primary port. The software automatically applies the changes to the other ports in the trunk group.

Configuration notes for Dell PowerConnect devices in an IronStack

In a Dell IronStack system, a trunk group may have port members distributed across multiple stack units. Both static and dynamic trunking are supported.

FIGURE 80 Examples of 2-port and 3-port trunk groups
[Figure: device front panels showing a 2-port and a 3-port trunk group]

Figure 81 shows two IronStacks connected by multi-slot trunk groups.

FIGURE 81 Two IronStacks connected by multi-slot trunk groups
[Figure: two IronStacks joined by multi-slot trunk groups]

Load sharing for unknown unicast, multicast, and broadcast traffic

Dell PowerConnect devices load balance unknown unicast, multicast, and broadcast traffic based on the source port and VLAN ID and not on any source or destination information in the packet. For example, when the switch receives unknown unicast, multicast, and broadcast packets, and the packets are from the same source port, the packets are forwarded to the same port of the trunk group.

4. IPv6 TCP/UDP: Source IP, Destination IP, Flow Label, Source TCP/UDP Port, Destination TCP/UDP Port, Source MAC, Destination MAC
5. IPv6 Non-TCP/UDP: Source IP, Destination IP, Flow Label, Source MAC, Destination MAC

Syntax: [no] trunk hash-options include-layer2

Configuring a trunk group

Follow the steps given below to configure a trunk group.
1. Disconnect the cables from those ports on both systems that will be connected by the trunk group.
Syntax: trunk deploy

Each ethernet parameter introduces a port group. The variable specifies the primary port. Notice that each port group must begin with a primary port. The primary port of the first port group specified (which must be the group with the lower port numbers) becomes the primary port for the entire trunk group.
NOTE
The text shown in italics in the CLI example below shows messages echoed to the screen in answer to the CLI commands entered.

Example 3: Configuring a multi-slot trunk group with one port per module

You can select one port per module in a multi-slot trunk group. This feature is supported on GbE and 10-GbE ports, as well as on static and LACP trunk ports. For multi-slot trunk group rules, refer to Table 74 on page 414. To configure a two-port multi-slot trunk group consisting of ports 1/1 on module 1 and 2/1 on module 2, enter the following commands.

STK1(config)#trunk ethe 1/1/1 ethe 2/1/4 ethe 3/1/7 ethe 4/1/2 ethe 5/1/5 ethe 6/1/7 ethe 7/1/2 ethe 7/1/5
Trunk will be created in next trunk deploy.
• Setting the sFlow sampling rate on an individual port in a trunk

NOTE
Depending on the operational state of LACP-enabled ports, at any time, these ports may join a trunk group, change trunk group membership, exit a trunk group, or possibly never join a trunk group. Therefore, before configuring trunking options on LACP-enabled ports (e.g., naming the port, disabling the port, etc.), verify the actual trunk group port membership using the show trunk command.
NOTE
If you enter no config-trunk-ind, all port configuration commands are removed from the individual ports and the configuration of the primary port is applied to all the ports. Also, once you enter the no config-trunk-ind command, the enable, disable, and monitor commands are valid only on the primary port and apply to the entire trunk group. The disable command disables the port. The states of other ports in the trunk group are not affected.

The to keyword indicates that you are specifying a range. Specify the lower port number in the range first, then to, then the higher port number in the range.

Deleting a static trunk group

Use the command in this section to delete a static trunk group.

NOTE
To delete an LACP trunk group, use the CLI command no link-aggregate active | passive.

To delete a trunk group, use no in front of the command you used to create the trunk group.

• The disable module command can be used to disable the ports on a module. However, on 10 Gbps modules, the disable module command does not cause the remote connection to be dropped. If a trunk group consists of 10 Gbps ports, and you use the disable module command to disable ports in the trunk group, which then causes the number of active ports in the trunk group to drop below the threshold value, the trunk group is not disabled.

Displaying trunk group configuration information

NOTE
The show trunk command does not display any form of trunk when links are up.

Table 73 describes the information displayed by the show trunk command.

TABLE 73 CLI trunk group information
This field... | Displays...
Trunk ID | The trunk group number. The software numbers the groups in the display to make the display easy to use.
HW Trunk ID | The trunk ID.

PowerConnect#show mac
Total active entries from all ports = 1
MAC-Address     Port          Type     Index
0007.e910.c201  1/1/7*1/1/21  Dynamic  2920

For a trunk group with members 1/1/7 to 1/1/9, the output from the show mac command resembles the following.

PowerConnect#show mac
Total active entries from all ports = 1
MAC-Address     Port         Type     Index
0007.e910.c201  1/1/7-1/1/9  Dynamic  2920

Dynamic link aggregation

Dell software supports the IEEE 802.3ad standard for link aggregation.

• With LACP trunk configurations, the LACP system id is the MAC address of the Active Controller. If the LACP system id changes, the entire trunk flaps and an STP re-convergence occurs.
• Link aggregation can be used to form multi-slot aggregate links on stack units, but the link aggregation keys must match for the port groups on each stack unit.

FIGURE 82 Examples of valid aggregate links
[Figure]

Ports enabled for link aggregation follow the same rules as ports configured for trunk groups.

FastIron Stackable devices

The following notes and feature limitations apply to the PowerConnect B-Series FCX devices.
• The dynamic link aggregation (802.3ad) implementation allows any number of ports up to eight to be aggregated into a link.
• The default key assigned to an aggregate link is based on the port type (1 Gbps port or 10 Gbps port).

Figure 83 shows an example of 2-port groups in a range of four ports on which link aggregation is enabled. Based on the states of the ports, some or all of them will be eligible to be used in an aggregate link.

FIGURE 83 Two-port groups used to determine aggregation eligibility
[Figure: Port1/1 and Port1/2 form Group 1; Port1/3 and Port1/4 form Group 2]

Table 74 shows examples of the ports from Figure 83 that will be eligible for an aggregate link based on individual port states.

NOTE
Configuration commands for link aggregation differ depending on whether you are using the default link aggregation key automatically assigned by the software, or if you are assigning a different, unique key. Follow the commands below, according to the type of key you are using. For more information about keys, refer to “Key” on page 417.

NOTE
For more information about keys, including details about the syntax shown above, refer to “Key” on page 417.

How changing the VLAN membership of a port affects trunk groups and dynamic keys

When you change a port VLAN membership and the port is currently a member of a trunk group, the following changes occur to the trunk group:
• The Dell PowerConnect device tears down the existing trunk group.
• All ports in the trunk group get a new key.

NOTE
If you are connecting the Dell PowerConnect device to another vendor device and the link aggregation feature is not working, set the system priority on the Dell PowerConnect device to a lower priority (a higher priority value). In some cases, this change allows the link aggregation feature to operate successfully between the two devices.

Port priority

The port priority parameter determines the active and standby links.

FIGURE 84 Ports with the same key in different aggregate links
[Figure: a device with System ID aaaa.bbbb.cccc whose ports 1/1 - 1/8 all use Key 0 forms two separate aggregate links with two other devices: one with System ID dddd.eeee.ffff (Ports 1/5 - 1/8: Key 4) and one with System ID 1111.2222.3333 (Ports 1/5 - 1/8: Key 69). All these ports have the same key, but are in two separate aggregate links with two other devices.]

Notice that the keys between one device and another do not need to match.

FIGURE 85 Multi-slot aggregate link
[Figure: a device with System ID aaaa.bbbb.cccc; Ports 1/1 - 1/4: Key 0 and Ports 3/5 - 3/8: Key 0. All ports in a multi-slot aggregate link have the same key.]

By default, the device ports are divided into 4-port groups. The software dynamically assigns a unique key to each 4-port group.

PowerConnect#show link-aggregate
System ID: 0004.8055.

Displaying and determining the status of aggregate links

PowerConnect(config-mif-1/1-1/4)#interface ethernet 3/5 to 3/8
PowerConnect(config-mif-3/5-3/8)#link-aggregate off
PowerConnect(config-mif-3/5-3/8)#link-aggregate configure key 10000
PowerConnect(config-mif-3/5-3/8)#link-aggregate active

These commands change the key for ports 1/1 – 1/4 and 3/5 – 3/8 to 10000.

Events that affect the status of ports in an aggregate link

Dell PowerConnect devices can block traffic on a port or shut down a port that is part of a trunk group or aggregate link, when a port joins a trunk group and the port on the other end of the link shuts down or stops transmitting LACP packets. Depending on the timeout value set on the port, the link aggregation information expires.

NOTE
Ports that are configured as part of an aggregate link must also have the same key. For more information about assigning keys, refer to the section “Link aggregation parameters” on page 416.

The show link-aggregate command shows the following information.

TABLE 75 CLI display of link aggregation information
This field... | Displays...
System ID | Lists the base MAC address of the device. This is also the MAC address of port 1 (or 1/1).

TABLE 75 CLI display of link aggregation information (Continued)
This field... | Displays...
Def | Indicates whether the port is using default link aggregation values. The port uses default values if it has not received link aggregation information through LACP from the port at the remote end of the link.

Clearing the negotiated aggregate links table

When a group of ports negotiates a trunk group configuration, the software stores the negotiated configuration in a table. You can clear the negotiated link aggregation configurations from the software. When you clear the information, the software does not remove link aggregation parameter settings you have configured. Only the configuration information negotiated using LACP is removed.

Configuring single link LACP

PowerConnect#show link-agg
System ID: 00e0.5200.0118
Long  timeout: 120, default: 120
Short timeout: 3, default: 3
Port  [Sys P] [Port P] [ Key ]   [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
2/1    1       1        1         Yes   S    Agg  Syn  No   No   Def  Exp  Ina
2/2    1       1        1         Yes   S    Agg  Syn  No   No   Def  Exp  Ina
2/3    1       1        singleton Yes   S    Agg  Syn  No   No   Def  Exp  Ina
2/4    1       1        singleton Yes   S    Agg  Syn  No   No   Def  Exp  Dwn

If singleton is configured on the port, the “Key” column displays “singleton”.
Chapter 13 Configuring Virtual LANs (VLANs)

Table 76 lists the individual Dell PowerConnect switches and the VLAN features they support.

TABLE 76 Supported VLAN features
Feature | PowerConnect B-Series FCX
VLAN Support | Yes
4096 maximum VLANs | Yes
802.1Q with tagging | Yes
802.1Q-in-Q tagging | Yes
802.
VLAN overview

• Layer 3 protocol VLANs – a subset of ports within a port-based VLAN that share a common, exclusive broadcast domain for Layer 3 broadcasts of the specified protocol type
• IP subnet VLANs – a subset of ports in a port-based VLAN that share a common, exclusive subnet broadcast domain for a specified IP subnet
• IPv6 VLANs – a subset of ports in a port-based VLAN that share a common, exclusive network broadcast domain for IPv6 packets
• IPX network VLANs – a subset of ports in a port-b

NOTE
VLAN IDs 4087, 4090, and 4093 are reserved for Dell internal use only. VLAN 4094 is reserved for use by Single STP. Also, if you are running an earlier release, VLAN IDs 4091 and 4092 may be reserved for Dell internal use only. If you want to use VLANs 4091 and 4092 as configurable VLANs, you can assign them to different VLAN IDs. For more information, refer to “Assigning different VLAN IDs to reserved VLANs 4091 and 4092” on page 445.

FIGURE 86 Dell PowerConnect device containing user-defined Layer 2 port-based VLAN
[Figure: DEFAULT-VLAN (VLAN ID = 1) alongside a user-configured Layer 2 port-based VLAN]

When you add a port-based VLAN, the device removes all the ports in the new VLAN from DEFAULT-VLAN.

Layer 3 protocol-based VLANs

If you want some or all of the ports within a port-based VLAN to be organized according to Layer 3 protocol, you must configure a Layer 3 protocol-based VLAN within the port-based VLAN.

• Other – The device sends broadcasts for all protocol types other than those listed above to all ports within the VLAN.

Figure 87 shows an example of Layer 3 protocol VLANs configured within a Layer 2 port-based VLAN.

Integrated Switch Routing (ISR)

The Dell Integrated Switch Routing (ISR) feature enables VLANs configured on Layer 3 Switches to route Layer 3 traffic from one protocol VLAN or IP subnet, IPX network, or AppleTalk cable VLAN to another. Normally, to route traffic from one IP subnet, IPX network, or AppleTalk cable VLAN to another, you would need to forward the traffic to an external router.

NOTE
The Layer 3 Switch routes packets between VLANs of the same protocol. The Layer 3 Switch cannot route from one protocol to another.

NOTE
IP subnet VLANs are not the same thing as IP protocol VLANs. An IP protocol VLAN sends all IP broadcasts on the ports within the IP protocol VLAN. An IP subnet VLAN sends only the IP subnet broadcasts for the subnet of the VLAN. You cannot configure an IP protocol VLAN and an IP subnet VLAN within the same port-based VLAN.

When you configure a port-based VLAN, one of the configuration items you provide is the ports that are in the VLAN. When you configure the VLAN, the Dell PowerConnect device automatically removes the ports that you place in the VLAN from DEFAULT-VLAN. By removing the ports from the default VLAN, the Dell PowerConnect device ensures that each port resides in only one Layer 2 broadcast domain.

NOTE
Information for the default VLAN is available only after you define another VLAN.

FIGURE 89 Packet containing a Dell 802.1Q VLAN tag
[Figure: frame layouts]
Untagged Packet Format
  Ethernet II: Destination Address (6 bytes), Source Address (6 bytes), Type Field (2 bytes), Data Field (up to 1500 bytes), CRC (4 bytes)
  IEEE 802.3: Destination Address (6 bytes), Source Address (6 bytes), Length Field (2 bytes), Data Field (up to 1496 bytes), CRC (4 bytes)
802.1q Tagged Packet Format
  Destination Address (6 bytes), Source Address (6 bytes), 4-byte field, 2-byte field: 802.
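The frame layouts of Figure 89 and the reserved VLAN IDs from the note above, as an added Python example that is not code from the guide. It assumes the standard IEEE 802.1Q tag layout (TPID 0x8100 followed by a 3-bit priority, a 1-bit drop-eligible flag and a 12-bit VID) and works on frames without the trailing CRC; the sample frames are constructed.

```python
# Added example, not Dell's code: parse and build the frame layouts of
# Figure 89. The tag layout (TPID 0x8100, 3-bit PCP, 1-bit DEI, 12-bit VID)
# is IEEE 802.1Q; the reserved VLAN IDs are the ones this chapter lists
# (4087, 4090, 4093 for Dell internal use, 4094 for Single STP) plus 0 and
# 4095, which 802.1Q itself reserves. Frames are handled without the CRC.
import struct

TPID_8021Q = 0x8100
MAX_8023_LENGTH = 1500       # a Type/Length value <= 1500 is an IEEE 802.3 length
DELL_RESERVED_VIDS = {4087, 4090, 4093, 4094}
IEEE_RESERVED_VIDS = {0, 4095}


def is_configurable_vid(vid: int) -> bool:
    """True if the VLAN ID may be given to a user-configured VLAN on this release."""
    return (1 <= vid <= 4094
            and vid not in DELL_RESERVED_VIDS
            and vid not in IEEE_RESERVED_VIDS)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into the fields Figure 89 shows, detecting a leading 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    offset = 12
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        # Tagged format: the 4-byte tag sits between Source Address and Type/Length.
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 16
    type_or_len = struct.unpack("!H", frame[offset:offset + 2])[0]
    if type_or_len <= MAX_8023_LENGTH:
        info.update(encapsulation="IEEE 802.3", length=type_or_len)
    else:
        info.update(encapsulation="Ethernet II", ethertype=type_or_len)
    info["payload"] = frame[offset + 2:]
    return info


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the Source Address; the frame grows by 4 bytes."""
    if not is_configurable_vid(vid):
        raise ValueError(f"VLAN ID {vid} is reserved or out of range")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits and DEI is 1 bit")
    if parse_frame(frame)["tagged"]:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, restoring the untagged format; untagged input is returned as is."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    # Constructed Ethernet II frame: EtherType 0x0800 (IPv4) and a short payload.
    untagged = (bytes.fromhex("00e052a9bb00") + bytes.fromhex("0012f2a87140")
                + b"\x08\x00" + b"payload")
    tagged = add_tag(untagged, vid=30, pcp=5)
    print(parse_frame(untagged))
    print(parse_frame(tagged))
    print(len(tagged) - len(untagged), "bytes added by the tag")
    print("VLAN 4094 configurable?", is_configurable_vid(4094))
```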
13 VLAN overview FIGURE 90 VLANs configured across multiple devices User-configured port-based VLAN T = 802.1Q tagged port T T Segment 1 T T T T T Segment 2 Segment 1 Segment 2 Tagging is required for the ports on Segment 1 because the ports are in multiple port-based VLANs. Tagging is not required for the ports on Segment 2 because each port is in only one port-based VLAN.
VLAN overview 13 To direct individual ports or on a range of ports to this tag profile, enter commands similar to the following. PowerConnect(config)# interface ethernet 1/1/1 PowerConnect(config-if-e1000-1/1/1)# tag-profile enable PowerConnect(config-mif-1/1/1,1/2/1)# tag-profile enable Spanning Tree Protocol (STP) The default state of STP depends on the device type: • STP is disabled by default on Layer 3 Switches. • STP is enabled by default on Layer 2 Switches.
13 VLAN overview If you want the device to be able to send Layer 3 traffic from one protocol VLAN to another, you must configure a virtual routing interface on each protocol VLAN, then configure routing parameters on the virtual routing interfaces.
VLAN overview 13 VLAN and virtual routing interface groups Dell PowerConnect devices support the configuration of VLAN groups. To simplify configuration, you can configure VLAN groups and virtual routing interface groups. When you create a VLAN group, the VLAN parameters you configure for the group apply to all the VLANs within the group.
FIGURE 92 VLAN with dynamic ports: all ports are active when you create the VLAN (A = active port, C = candidate port; every port of the subnet is shown as A)

When you add ports dynamically, all the ports are added when you add the VLAN. Ports in a new protocol VLAN that do not receive traffic for the VLAN protocol age out after 10 minutes and become candidate ports. Figure 93 shows what happens if a candidate port receives traffic for the VLAN protocol.
Static ports

Static ports are permanent members of the protocol VLAN. The ports remain active members of the VLAN regardless of whether the ports receive traffic for the VLAN protocol. You must explicitly identify the port as a static port when you add it to the VLAN. Otherwise, the port is dynamic and is subject to aging out.
Summary of VLAN configuration rules

A hierarchy of VLANs exists between the Layer 2 and Layer 3 protocol-based VLANs:
• Port-based VLANs are at the lowest level of the hierarchy.
• Layer 3 protocol-based VLANs (IP, IPv6, IPX, AppleTalk, DECnet, and NetBIOS) are at the middle level of the hierarchy.
• IP subnet, IPX network, and AppleTalk cable VLANs are at the top of the hierarchy.
Routing between VLANs

Layer 3 Switches can locally route IP, IPX, and AppleTalk between VLANs defined within a single router. All other routable protocols or protocol VLANs (for example, DECnet) must be routed by an external router capable of routing the protocol.
If your backbone consists of virtual routing interfaces all within the same STP domain, it is a bridged backbone, not a routed one. This means that the set of backbone interfaces that are blocked by STP will be blocked for routed protocols as well. The routed protocols will be able to cross these paths only when the STP state of the link is FORWARDING. This problem is easily avoided by proper network design.
NOTE: Changing the name of the default VLAN does not change the properties of the default VLAN. Changing the name allows you to use the VLAN ID "1" as a configurable VLAN.

Assigning different VLAN IDs to reserved VLANs 4091 and 4092

If you want to use VLANs 4091 and 4092 as configurable VLANs, you can assign them to different VLAN IDs. For example, to reassign reserved VLAN 4091 to VLAN 10, enter the following commands.

PowerConnect(config)# reserved-vlan-map vlan 4091 new-vlan 10
Reload required.

The reassignment takes effect only after you save the configuration and reload the software.
TABLE 77 Output of the show reserved-vlan-map command (Continued)

This field: Displays
Re-assign: The VLAN ID to which the reserved VLAN was reassigned.¹
Current: The current VLAN ID for the reserved VLAN.¹

1. If you reassign a reserved VLAN without saving the configuration and reloading the software, the reassigned VLAN ID is displayed in the Re-assign column.
FIGURE 94 Port-based VLANs 222 and 333

The figure shows a Layer 3 Switch with two port-based VLANs. VLAN 222 contains ports 1 - 8 and is reached through interface e 1 (IP Subnet 1, IPX Network 1, AppleTalk Cable-Range 100, AppleTalk Zone Prepress). VLAN 333 contains ports 9 - 16 and is reached through interface e 2 (IP Subnet 2, IPX Network 2, AppleTalk Cable-Range 200, AppleTalk Zone CTP).

To create th
FIGURE 95 More complex port-based VLAN

The figure shows two devices interconnected through ports 17 and 18, with one link marked as STP blocked and one device acting as root bridge for a VLAN. The port-based VLANs (BROWN and GREEN) carry IP Subnet1 / IPX Net 1 / Atalk 100.1 Zone "A", IP Subnet2 / IPX Net 2 / Atalk 200.1 Zone "B", IP Subnet4 / IPX Net 4 / Atalk 400.1 Zone "D", and IP Subnet3 / IPX Net 3 / Atalk 300.
Configuring device-B

Enter the following commands to configure device-B.
Modifying a port-based VLAN

You can make the following modifications to a port-based VLAN:
• Add or delete a VLAN port.
• Enable or disable STP.

Removing a port-based VLAN

Suppose you want to remove VLAN 5 from the example in Figure 95. To do so, use the following procedure.

1. Access the global CONFIG level of the CLI on device-A by entering the following commands.

PowerConnect-A> enable
No password has been assigned yet...
4. Enter the following commands to exit the VLAN CONFIG mode and save the configuration to the startup-config file on flash memory.

PowerConnect-A(config-vlan-4)# end
PowerConnect-A# write memory

You can remove all the ports from a port-based VLAN without losing the rest of the VLAN configuration. However, you cannot configure an IP address on a virtual routing interface unless the VLAN contains ports.
To configure a specific path-cost or priority value for a given port, enter those values using the keywords shown in brackets [ ] in the syntax summary below. If you do not want to specify values for a given port, this portion of the command is not required.
FIGURE 96 Protocol-based (Layer 3) VLANs

The figure shows a Layer 3 Switch whose port 25 connects to another device. IP-Subnet 1 and IPX Net 1 span ports 1-16 and 25; IP-Subnet 2, IP-Subnet 3 and AppleTalk Cable 100 span ports 17-25.

To configure the VLANs shown in Figure 96, use the following procedure.

1. To permanently assign ports 1 – 8 and port 25 to IP subnet VLAN 1.1.1.0, enter the following commands.
PowerConnect(config-ipx-proto)# atalk-proto name Red
PowerConnect(config-atalk-proto)# no dynamic
PowerConnect(config-atalk-proto)# static ethernet 13 to 25
PowerConnect(config-atalk-proto)# end
PowerConnect# write memory
PowerConnect#

Syntax: ip-subnet <ip-addr> <ip-mask> [name <string>]
Syntax: ipx-network <ipx-network-number> ethernet_ii | ethernet_802.2 | ethernet_802.3 | ethernet_snap netbios-allow | netbios-disallow [name <string>]
Syntax: ip-pro
FIGURE 97 More protocol-based VLANs

The figure shows three Layer 2 Switches (Device-A, Device-B and Device-C) interconnected through ports 1, 9 and 17. Each link carries VLAN 2, VLAN 3 and VLAN 4 (V2, V3, V4), and one link per VLAN is STP blocked.

To configure the Layer 3 VLANs on the Layer 2 Switches in Figure 97, use the following procedure.
4. To prevent machines with non-IP protocols from getting into the IP portion of VLAN 2, create another Layer 3 protocol VLAN that excludes all other protocols from the ports that contain the IP-protocol VLAN. To do so, enter the following commands.
PowerConnect-B(config-vlan-ipx-proto)# static e5 to 8 e25 to 26
PowerConnect-B(config-vlan-ipx-proto)# exclude e1 to 4
PowerConnect-B(config-vlan-other-proto)# vlan 3 name IP-Sub_IPX-Net_VLANs
PowerConnect-B(config-vlan-3)# untagged e9 to 16
PowerConnect-B(config-vlan-3)# tagged e25 to 26
PowerConnect-B(config-vlan-3)# spanning-tree
PowerConnect-B(config-vlan-3)# spanning-tree priority 500
PowerConnect-B(config-vlan-3)
Configuring an IPv6 protocol VLAN

You can configure a protocol-based VLAN as a broadcast domain for IPv6 traffic. When the Layer 3 Switch receives an IPv6 multicast packet (a packet whose version field is 6 and whose destination address begins with 0xFF), the Layer 3 Switch forwards the packet to all other ports.
Example

Suppose you want to move routing out to each of three buildings in a network. Remember that the only protocols present on VLAN 2 and VLAN 3 are IP and IPX. Therefore, you can eliminate tagged ports 25 and 26 from both VLAN 2 and VLAN 3 and create new tagged port-based VLANs to support separate IP subnets and IPX networks for each backbone link.
PowerConnect> en
No password has been assigned yet...
PowerConnect# configure terminal
PowerConnect(config)# hostname PowerConnect-A
PowerConnect-A(config)# router ospf
PowerConnect-A(config-ospf-router)# area 0.0.0.0 normal
Please save configuration to flash and reboot.
PowerConnect-A(config-ospf-router)#

The following commands create the port-based VLAN 2.
PowerConnect-A(config-vlan-ip-subnet)# ipx-network 1 ethernet_802.
This completes the configuration for device-A. The configuration for device-B and device-C is very similar except for a few points:
• IP subnets and IPX networks configured on device-B and device-C must be unique across the entire network, except for the backbone port-based VLANs 5, 6, and 7, where the subnet is the same but the IP address must change.
PowerConnect-B(config-vif-4)# ipx network 7 ethernet_802.3
PowerConnect-B(config-vif-4)# vlan 4 name Bridged_ALL_Protocols
PowerConnect-B(config-vlan-4)# untagged ethernet 17 to 24
PowerConnect-B(config-vlan-4)# tagged ethernet 25 to 26
PowerConnect-B(config-vlan-4)# spanning-tree
PowerConnect-B(config-vlan-4)# vlan 5 name Rtr_BB_to_Bldg.
PowerConnect-C(config-vlan-ip-subnet)# ipx-network 10 ethernet_802.
Aging of dynamic ports

When you add ports to the VLAN dynamically, the software adds all of them to the VLAN immediately. Dynamically added ports age out, however. If the age time for a dynamic port expires, the software removes the port from the VLAN. If that port later receives traffic for the IP subnet or IPX network, the software adds the port to the VLAN again and restarts the aging timer.
Configuration guidelines

• You cannot dynamically add a port to a protocol VLAN if the port has any routing configuration parameters. For example, the port cannot have a virtual routing interface, IP subnet address, IPX network address, or AppleTalk network address configured on it.
• Once you dynamically add a port to a protocol VLAN, you cannot configure routing parameters on the port.
PowerConnect(config)# vlan 10 by port name IP_VLAN
PowerConnect(config-vlan-10)# untagged ethernet 1/1 to 1/6
added untagged port ethe 1/1 to 1/6 to port-vlan 10.
PowerConnect(config-vlan-10)# ip-subnet 1.1.1.
Syntax: ipx-network <ipx-network-number> ethernet_ii | ethernet_802.2 | ethernet_802.3 | ethernet_snap [name <string>]
Syntax: dynamic

Configuring uplink ports within a port-based VLAN

You can configure a subset of the ports in a port-based VLAN as uplink ports. When you configure uplink ports in a port-based VLAN, the device sends all broadcast and unknown-unicast traffic from a port in the VLAN to the uplink ports, but not to other ports within the VLAN.
Configuring the same IP subnet address on multiple port-based VLANs

For a Dell PowerConnect device to route between port-based VLANs, you must add a virtual routing interface to each VLAN. Generally, you also configure a unique IP subnet address on each virtual routing interface.
FIGURE 100 Multiple port-based VLANs with the same protocol address

The figure shows one switch with three port-based VLANs: VLAN 2 uses VE 1 with IP address 10.0.0.1/24; VLAN 3 uses VE 2, which follows VE 1; VLAN 4 uses VE 3, which also follows VE 1.

Each VLAN still requires a separate virtual routing interface. However, all three VLANs now use the same IP subnet address. In addition to conserving IP subnet addresses, this feature allows containment of Layer 2 broadcasts to segments within an IP subnet.
NOTE: If the Dell PowerConnect device ARP table does not contain the requested host, the device forwards the ARP request at Layer 2 within the VLAN that received the ARP request. The device then sends an ARP request for the destination to the other VLANs that are using the same IP subnet address.
NOTE: Because virtual routing interfaces 2 and 3 do not have their own IP subnet addresses but instead "follow" the IP address of virtual routing interface 1, you can still configure an IPX or AppleTalk interface on virtual routing interfaces 2 and 3.
The first command in this example begins configuration for VLAN group 1, and assigns VLANs 2 through 257 to the group. The second command adds ports 1/1 and 1/2 as tagged ports. Because all the VLANs in the group share the ports, you must add the ports as tagged ports.
PowerConnect# show vlan-group
vlan-group 1 vlan 2 to 20
 tagged ethe 1/1 to 1/2
!
vlan-group 2 vlan 21 to 40
 tagged ethe 1/1 to 1/2
!

Syntax: show vlan-group [<num>]

The <num> parameter specifies a VLAN group. If you do not use this parameter, the configuration information for all the configured VLAN groups is displayed.
The router-interface-group command enables a VLAN group to use a virtual routing interface group. Enter this command at the configuration level for the VLAN group. This command configures the VLAN group to use the virtual routing interface group that has the same ID as the VLAN group. You can enter this command when you configure the VLAN group for the first time or later, after you have added tagged ports to the VLAN and so on.
Allocating memory for more VLANs or virtual routing interfaces

Layer 2 and Layer 3 Switches support up to 4095 VLANs. In addition, Layer 3 Switches support up to 512 virtual routing interfaces. The number of VLANs and virtual routing interfaces supported on your product depends on the device and, for Chassis devices, the amount of DRAM on the management module.
The parameter indicates the maximum number of virtual routing interfaces. The range of valid values depends on the device you are configuring. Refer to Table 78.

Configuring super aggregated VLANs

You can aggregate multiple VLANs within another VLAN. This feature allows you to construct Layer 2 paths and channels.
FIGURE 101 Conceptual model of the super aggregated VLAN application

Clients 1, 3 and 5 (Client 1 at 192.168.1.69/24, all within subnet 192.168.1.0/24) each connect to the edge device. Path = a single VLAN into which client VLANs are aggregated. Channel = a client VLAN nested inside a Path.

Each client connected to the edge device is in its own port-based VLAN, which is like an ATM channel.
FIGURE 102 Example of a super aggregated VLAN application

On one side, Client 1 (192.168.1.69/24) connects to port 1/1 in VLAN 101, Client 3 to port 1/3 in VLAN 103 and Client 5 to port 1/5 in VLAN 105. On the other side, Client 6 connects to port 1/1 in VLAN 101, Client 8 to port 1/3 in VLAN 103 and Client 10 to port 1/5 in VLAN 105; the figure also shows the address 209.157.2.
Configuration notes

• Super Aggregated VLANs and VSRP are not supported together on the same device.

Configuring aggregated VLANs

To configure aggregated VLANs, perform the following tasks:
• On each edge device, configure a separate port-based VLAN for each client connected to the edge device. In each client VLAN:
  • Add the port connected to the client as an untagged port.
PowerConnect(config-vlan-104)# tagged ethernet 2/1
PowerConnect(config-vlan-104)# untagged ethernet 1/4
PowerConnect(config-vlan-104)# exit
PowerConnect(config)# vlan 105 by port
PowerConnect(config-vlan-105)# tagged ethernet 2/1
PowerConnect(config-vlan-105)# untagged ethernet 1/5
PowerConnect(config-vlan-105)# exit
PowerConnect(config)# write memory

Syntax: [no] vlan <vlan-id> [by port]
Syntax: [no] tagged ethernet [<slotnum>/]<portnum> [to [<slotnum>/]<portnum> |
NOTE: In these examples, the configurations of the edge devices (A, B, E, and F) are identical. The configurations of the core devices (C and D) also are identical. The aggregated VLAN configurations of the edge and core devices on one side must be symmetrical (in fact, a mirror image) to the configurations of the devices on the other side. For simplicity, the example in Figure 102 on page 479 is symmetrical in terms of the port numbers.
PowerConnectB(config)# vlan 105 by port
PowerConnectB(config-vlan-105)# tagged ethernet 2/1
PowerConnectB(config-vlan-105)# untagged ethernet 1/5
PowerConnectB(config-vlan-105)# exit
PowerConnectB(config)# write memory

Commands for device C

Because device C is aggregating channel VLANs from devices A and B into a single path, you need to change the tag type and enable VLAN aggregation.
FIGURE 103 802.1Q-in-Q configuration example

The figure shows a Provider Edge Switch. Its ports to the customer interface are configured with tag-type 9100; a customer frame arriving there (DA, SA, 8100, Customer VLAN) is handled as untagged. Its uplink to the provider cloud keeps the default tag-type 8100, and the frame sent on it is tagged as DA, SA, 8100, Provider VLAN, 8100, Customer VLAN.

In Figure 103, the untagged ports (to customer interfaces) accept frames that have any 802.1Q tag other than the configured tag-type 9100.
PowerConnect(config)# tag-type 9100 ethernet 11 to 12
PowerConnect(config)# aggregated-vlan

Note that because ports 11 and 12 belong to the port region 1 – 12, the 802.1Q tag type actually applies to ports 1 – 12.
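The frame layout of Figure 89 and the tag-type behaviour of Figure 103, worked through as an added Python example. This is not Dell code and not part of the guide; it models only what the text states: a port treats the 16 bits after the source address as a VLAN tag only when they equal its configured tag-type, so a customer port set to tag-type 9100 regards a customer 0x8100 tag as payload, and the uplink (default tag-type 8100) prepends the provider tag. The MAC addresses, VLAN IDs (customer VLAN 5, provider VLAN 101) and payload are constructed for the example.

```python
"""802.1Q / 802.1Q-in-Q frame handling as described in this section.

Added example, not Dell code.  Models the tag-type rule from the text:
a port recognises a VLAN tag only when the 16 bits after the source
address equal its configured tag-type.  Addresses, VLAN IDs and payload
below are constructed for the example.
"""
import struct

TAG_TYPE_DEFAULT = 0x8100   # default 802.1Q tag type
TAG_TYPE_PROVIDER = 0x9100  # value set with "tag-type 9100" on customer ports
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def push_tag(frame, tag_type, vid, pcp=0):
    """Insert a 4-byte tag (TPID + TCI) between the addresses and the rest."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID out of range")
    tci = (pcp & 7) << 13 | vid
    return frame[:12] + struct.pack("!HH", tag_type, tci) + frame[12:]


def classify(frame, port_tag_type):
    """Return (vid, frame_without_that_tag) as a port with the given
    tag-type sees the frame; vid is None when it is untagged for the port."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != port_tag_type:
        return None, frame
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, frame[:12] + frame[16:]


def ethertype(frame):
    return struct.unpack_from("!H", frame, 12)[0]


# Constructed customer frame: IPv4 payload tagged with customer VLAN 5.
CUSTOMER_FRAME = push_tag(
    mac("00:11:22:33:44:55") + mac("66:77:88:99:aa:bb")
    + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19,
    TAG_TYPE_DEFAULT, 5)


def provider_edge(frame, customer_tag_type, port_vlan=101):
    """Customer port -> uplink on the edge switch of Figure 103.

    A frame that is untagged for the customer port joins port_vlan; the
    uplink is a tagged member of that VLAN at the default tag-type, so it
    prepends an 0x8100 provider tag.  Returns (ingress_vid, uplink_frame).
    """
    vid, inner = classify(frame, customer_tag_type)
    if vid is None:
        vid = port_vlan          # untagged on this port: use the port VLAN
    return vid, push_tag(inner, TAG_TYPE_DEFAULT, vid)


def far_edge_egress(uplink_frame):
    """The far side pops the provider tag (tag-type 8100) and hands the
    remaining frame to the customer port unchanged."""
    return classify(uplink_frame, TAG_TYPE_DEFAULT)


def walk(customer_tag_type):
    """Follow CUSTOMER_FRAME across both edges for a given customer-port
    tag-type.  Returns (ingress_vid, provider_vid, uplink_ethertype,
    delivered_frame)."""
    ingress_vid, on_uplink = provider_edge(CUSTOMER_FRAME, customer_tag_type)
    provider_vid, delivered = far_edge_egress(on_uplink)
    return ingress_vid, provider_vid, ethertype(on_uplink), delivered


if __name__ == "__main__":
    print("customer port tag-type 9100:", walk(TAG_TYPE_PROVIDER)[:3])
    print("customer port tag-type 8100:", walk(TAG_TYPE_DEFAULT)[:3])
```

With tag-type 9100 on the customer port the customer's own tag survives the trip and the provider VLAN is 101 as intended. With the port left at the default 8100 the customer tag is consumed as if it were the provider tag: the frame lands in provider VLAN 5 and arrives at the far side untagged, which is the misconfiguration the port-region note above warns about.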
Example configuration

Figure 104 shows an example 802.1Q-in-Q configuration.

FIGURE 104 Example 802.1Q-in-Q configuration

On one side, Client 1 (192.168.1.69/24) connects to port 1 in VLAN 101, Client 3 to port 3 in VLAN 103 and Client 5 to port 5 in VLAN 105. On the other side, Client 6 connects to port 1 in VLAN 101, Client 8 to port 3 in VLAN 103 and Client 10 to port 5 in VLAN 105; the figure also shows Client 5 at 209.157.2.
Configuring 802.1Q-in-Q tag profiles

The 802.1Q-in-Q tagging feature supports a tag-profile command that allows you to add a tag profile with a value of 0 to 0xffff in addition to the default tag-type 0x8100. This enhancement also allows you to add a tag profile for a single port, or to direct a group of ports to a globally-configured tag profile.

Configuration notes

• One global tag profile with a number between 0 and 0xffff can be configured on stackable devices.
FIGURE 105 PVLAN used to secure communication between a workstation and servers

A private VLAN secures traffic between a primary port and host ports. Traffic between the hosts and the rest of the network must travel through the primary port.
• Community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.

Each PVLAN must have a primary VLAN. The primary VLAN is the interface between the secured ports and the rest of the network. The PVLAN can have any combination of community and isolated VLANs. As with regular VLANs, PVLANs can span multiple switches.
FIGURE 107 Example PVLAN network with tagged ports

The figure shows four switches (Switch 1 through Switch 4). On each switch, host ports 1, 2 and 3 belong to the isolated VLAN 101 or the community VLAN 102, VLAN 100 holds the promiscuous ports, and ports 10 and 11 are the switch-to-switch link ports that carry VLAN 100 between the switches.

Table 79 lists
the Dell PowerConnect device floods unknown unicast, unregistered multicast, and broadcast packets in software. Flooding of broadcast or unknown unicast traffic from the community or isolated VLANs to other secondary VLANs is governed by the PVLAN forwarding rules. Where the switching is done in hardware, the CPU does not enforce packet restrictions. This hardware forwarding behavior is supported on the PowerConnect B-Series FCX platforms only.
To map the secondary VLANs to the primary VLAN and to configure the tagged switch link port, enter commands such as the following.
• An isolated VLAN must be associated with the primary VLAN for traffic from the isolated port to be switched. An isolated VLAN is associated with only one primary VLAN, and with the same primary VLAN throughout the switched network.
• An isolated port communicates only with the configured switch-switch link port if there are no promiscuous ports configured for the isolated VLAN.
• A primary VLAN is associated with only one isolated VLAN.
Enabling broadcast or unknown unicast traffic to the PVLAN

To enhance PVLAN security, the primary PVLAN does not forward broadcast or unknown unicast packets to its community and isolated VLANs, or to other ports in the primary VLAN. For example, if port 3/2 in Figure 105 on page 489 receives a broadcast packet from the firewall, the port does not forward the packet to the other PVLAN ports (3/5, 3/6, 3/9, and 3/10).
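The forwarding rules listed above and the broadcast behaviour just described, encoded as an added Python model. This is not Dell code and not part of the guide. The guide names ports 3/2, 3/5, 3/6, 3/9 and 3/10 in Figure 105 but does not state their roles, so the roles below (3/2 promiscuous towards the firewall, 3/5 and 3/6 isolated in VLAN 101, 3/9 and 3/10 community in VLAN 102) are assumptions; treating the switch-switch link like a promiscuous port for reachability is also a modelling assumption.

```python
"""PVLAN forwarding model for the rules stated in this section.

Added example, not Dell code.  Encodes: an isolated port reaches only
promiscuous ports or the switch-switch link; a community port reaches
those plus the other ports of its own community; broadcast or unknown
unicast arriving on a primary-VLAN port is not flooded to the secondary
VLANs unless that has been enabled.  Port roles are assumptions.
"""

# The switch-switch link is treated like a promiscuous port here (assumption).
PRIMARY_ROLES = ("promiscuous", "pvlan-trunk")
SECONDARY_ROLES = ("isolated", "community")


class PrivateVlan:
    def __init__(self, flood_primary_to_secondary=False):
        self.flood_primary_to_secondary = flood_primary_to_secondary
        self.ports = {}  # name -> (role, secondary VLAN id or None)

    def add_port(self, name, role, secondary_vlan=None):
        if role not in PRIMARY_ROLES + SECONDARY_ROLES:
            raise ValueError(f"unknown role {role!r}")
        if role in SECONDARY_ROLES and secondary_vlan is None:
            raise ValueError("a secondary port needs its VLAN id")
        self.ports[name] = (role, secondary_vlan)

    def egress(self, ingress, known_unicast=True):
        """Set of ports a frame received on `ingress` may be forwarded to."""
        role, vlan = self.ports[ingress]
        out = set()
        for name, (dst_role, dst_vlan) in self.ports.items():
            if name == ingress:
                continue
            if role in PRIMARY_ROLES:
                # Known unicast may reach any host; flooding stays within the
                # primary VLAN unless the operator enabled it.
                if (dst_role in PRIMARY_ROLES or known_unicast
                        or self.flood_primary_to_secondary):
                    out.add(name)
            elif role == "isolated":
                if dst_role in PRIMARY_ROLES:
                    out.add(name)
            elif role == "community":
                if dst_role in PRIMARY_ROLES or (
                        dst_role == "community" and dst_vlan == vlan):
                    out.add(name)
        return out

    def can_reach(self, src, dst, known_unicast=True):
        return dst in self.egress(src, known_unicast)


def figure_105_pvlan(flood=False):
    """Constructed topology after Figure 105; roles are assumed."""
    p = PrivateVlan(flood_primary_to_secondary=flood)
    p.add_port("3/2", "promiscuous")          # towards the firewall
    p.add_port("3/5", "isolated", 101)
    p.add_port("3/6", "isolated", 101)
    p.add_port("3/9", "community", 102)
    p.add_port("3/10", "community", 102)
    return p


if __name__ == "__main__":
    p = figure_105_pvlan()
    for port in sorted(p.ports):
        print(port, "unicast ->", sorted(p.egress(port)),
              "flood ->", sorted(p.egress(port, known_unicast=False)))
```

Running it shows the property the text promises: a broadcast from the firewall port 3/2 reaches no secondary port until flooding is enabled, the two isolated hosts never see each other, and the community hosts see each other but not the isolated ones.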
CLI example for a general PVLAN network

To configure the PVLANs shown in Figure 105 on page 489, enter the following commands.
PowerConnect(config)# vlan 100 by port
PowerConnect(config-vlan-100)# tagged ethernet 1/1/10 to 1/1/11
PowerConnect(config-vlan-100)# pvlan type primary
PowerConnect(config-vlan-100)# pvlan pvlan-trunk 102 ethernet 1/1/10 to 1/1/11
PowerConnect(config-vlan-100)# pvlan pvlan-trunk 101 ethernet 1/1/10 to 1/1/11
PowerConnect(config)# vlan 101 by port
PowerConnect(config-vlan-101)# untagged ethernet 1/1/3
PowerConnect(config-vlan-101)# pvlan type isolated
Dual-mode VLAN ports

FIGURE 108 Dual-mode VLAN port example

A hub sends both untagged traffic and VLAN 20 traffic to port 2/11 on the switch; port 2/11 is a tagged member of VLAN 20 and is configured as dual-mode. Port 2/9 (tagged, VLAN 20) carries the VLAN 20 traffic onward and port 2/10 (untagged) carries the untagged traffic.

To enable the dual-mode feature on port 2/11 in Figure 108, enter the following commands.
FIGURE 109 Specifying a default VLAN ID for a dual-mode port

Port 2/11 is a dual-mode port, tagged in VLAN 20, with default VLAN ID 10. Port 2/10 is untagged in VLAN 10 and port 2/9 is tagged in VLAN 20. VLAN 10 untagged traffic and VLAN 20 tagged traffic arrive from the hub on port 2/11 and leave through ports 2/10 and 2/9 respectively.

In Figure 109, tagged port 2/11 is a dual-mode port belonging to VLANs 10 and 20. The default VLAN assigned to this dual-mode port is 10.
Displaying VLAN information

The show vlan command displays a separate row for dual-mode ports on each VLAN.
Displaying system-wide VLAN information

Use the show vlans command to display VLAN information for all the VLANs configured on the device. The following example shows the display for the IP subnet and IPX network VLANs configured in the examples in "Configuring an IP subnet VLAN with dynamic ports" on page 466 and "Configuring an IPX network VLAN with dynamic ports" on page 467.
PowerConnect# show vlan 4
Total PORT-VLAN entries: 5
Maximum PORT-VLAN entries: 3210
PORT-VLAN 4, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 9 10 11
   Uplink Ports: None
 DualMode Ports: 7 8

PowerConnect# show vlan 3
Total PORT-VLAN entries: 5
Maximum PORT-VLAN entries: 3210
PORT-VLAN 3, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 7 8 9 10
   Uplink Ports: None
 DualMode Ports: None

Syntax: show vla
PowerConnect# show vlans ethernet 7/1
Total PORT-VLAN entries: 3
Maximum PORT-VLAN entries: 8
legend: [S=Slot]
PORT-VLAN 100, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: (S7) 1 2 3 4
   Tagged Ports: None

Syntax: show vlans [<vlan-id> | ethernet [<slotnum>/]<portnum>]

The <vlan-id> parameter specifies a VLAN for which you want to display the configuration information. The <slotnum> parameter is required on chassis devices.
• For untagged ports, the PVID is the VLAN ID number.
• For dual-mode ports, the PVID is the dual-mode VLAN ID number.
• For tagged ports without dual-mode, the PVID is always Not Applicable (NA).
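The show vlan display above, parsed into port membership for review, as an added Python example. This is not Dell code and not part of the guide. The sample output is constructed from the display format shown in this section (the PORT-VLAN header line, the Untagged / Tagged / Uplink / DualMode port lists, and the (S<n>) slot legend of chassis devices); the VLAN named Servers and its ports are invented for the sample. The audit reports ports that are tagged members of several VLANs, the dual-mode ports (which accept untagged frames into their default VLAN as well as tagged frames), and VLANs with spanning tree off.

```python
"""Parse "show vlan" output into port membership and audit it.

Added example, not Dell code.  SAMPLE is constructed from the display
format shown in this section; VLAN 100 "Servers" is invented.
"""
import re

SAMPLE = """\
PowerConnect# show vlan
Total PORT-VLAN entries: 3
Maximum PORT-VLAN entries: 3210
legend: [S=Slot]
PORT-VLAN 3, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 7 8 9 10
   Uplink Ports: None
 DualMode Ports: None
PORT-VLAN 4, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
   Tagged Ports: 6 9 10 11
   Uplink Ports: None
 DualMode Ports: 7 8
PORT-VLAN 100, Name [Servers], Priority level0, Spanning tree On
 Untagged Ports: (S7) 1 2 3 4
   Tagged Ports: None
   Uplink Ports: None
 DualMode Ports: None
"""

HEADER = re.compile(
    r"^PORT-VLAN (\d+), Name \[([^\]]*)\], Priority (\S+), Spanning tree (\w+)")
PORTS = re.compile(r"^\s*(Untagged|Tagged|Uplink|DualMode) Ports: (.*)$")
SLOT = re.compile(r"\(S(\d+)\)")


def parse_ports(field):
    """'(S7) 1 2 3 4' -> {'7/1', '7/2', ...}; 'None' -> empty set."""
    ports, slot = set(), None
    for tok in field.split():
        if tok == "None":
            continue
        m = SLOT.fullmatch(tok)
        if m:
            slot = m.group(1)       # legend: ports that follow are on this slot
            continue
        ports.add(f"{slot}/{tok}" if slot else tok)
    return ports


def parse_show_vlan(text):
    """Return {vlan_id: {name, stp, Untagged, Tagged, Uplink, DualMode}}."""
    vlans, cur = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            cur = vlans[int(h.group(1))] = {
                "name": h.group(2), "stp": h.group(4).lower() == "on",
                "Untagged": set(), "Tagged": set(),
                "Uplink": set(), "DualMode": set()}
            continue
        p = PORTS.match(line)
        if p and cur is not None:
            cur[p.group(1)] = parse_ports(p.group(2))
    return vlans


def multi_vlan_ports(vlans):
    """Ports that are tagged members of two or more VLANs (trunk ports)."""
    seen = {}
    for vid, v in vlans.items():
        for port in v["Tagged"]:
            seen.setdefault(port, set()).add(vid)
    return {port: vids for port, vids in seen.items() if len(vids) > 1}


def dual_mode_ports(vlans):
    return {vid: v["DualMode"] for vid, v in vlans.items() if v["DualMode"]}


def stp_off(vlans):
    return sorted(vid for vid, v in vlans.items() if not v["stp"])


if __name__ == "__main__":
    v = parse_show_vlan(SAMPLE)
    print("trunk ports:", multi_vlan_ports(v))
    print("dual-mode ports:", dual_mode_ports(v))
    print("spanning tree off:", stp_off(v))
```

The parser keys every port by slot/port on chassis output and by port number alone on stackable output, so the same audit runs against either form of the display.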
Chapter 14 Configuring GARP VLAN Registration Protocol (GVRP)

Table 81 lists the individual Dell PowerConnect switches and the GVRP features they support.
• IEEE draft P802.1t/D10, November 20, 2000

Application examples

Figure 110 shows an example of a network that uses GVRP. This section describes various ways you can use GVRP in a network such as this one. "CLI examples" on page 522 lists the CLI commands to implement the applications of GVRP described in this section.
FIGURE 110 Example GVRP network (core device with edge devices A, B and C)

Core device:
• GVRP is enabled on all ports.
• Both learning and advertising are enabled.
NOTE: Since learning is disabled on all the edge devices, advertising on the core device has no effect in this configuration.

Edge device:
• GVRP is enabled on port 4/24.
• Learning is disabled.
• VLAN 20: Port 2/1 (untagged), Port 4/24 (tagged)
• VLAN 40: Port 4/1 (untagged), Port 4/24 (tagged)

Edge device:
• GVRP is enabled on port 4/1.
Fixed core and dynamic edge

GVRP learning is enabled on the edge devices. The VLANs on the core device are statically configured, and the core device is enabled to advertise its VLANs but not to learn VLANs. The edge devices learn the VLANs from the core.

Fixed core and fixed edge

The VLANs are statically configured on the core and edge devices. On each edge device, VLAN advertising is enabled but learning is disabled. GVRP is not enabled on the core device.
Configuration notes

• Single STP must be enabled on the device. The Dell implementation of GVRP requires Single STP. If you do not have any statically configured VLANs on the device, you can enable Single STP as follows.

PowerConnect(config)#vlan 1
PowerConnect(config-vlan-1)#exit
PowerConnect(config)#span
PowerConnect(config)#span single

These commands enable configuration of the default VLAN (VLAN 1), which contains all the device ports, and enable STP and Single STP.
Configuring GVRP

To configure a device for GVRP, globally enable support for the feature, then enable the feature on specific ports. Optionally, you can disable VLAN learning or advertising on specific interfaces. You can also change the protocol timers and the GVRP base VLAN ID.

Changing the GVRP base VLAN ID

By default, GVRP uses VLAN 4093 as a base VLAN for the protocol. All ports that are enabled for GVRP become tagged members of this VLAN.
Enabling GVRP

To enable GVRP, enter commands such as the following at the global CONFIG level of the CLI.

PowerConnect(config)#gvrp-enable
PowerConnect(config-gvrp)#enable all

The first command globally enables support for the feature and changes the CLI to the GVRP configuration level. The second command enables GVRP on all ports on the device. The following command enables GVRP on ports 1/24, 2/24, and 4/17.
Disabling VLAN learning

To disable VLAN learning on a port enabled for GVRP, enter a command such as the following at the GVRP configuration level.

PowerConnect(config-gvrp)#block-learning ethernet 6/24

This command disables learning of VLAN information on port 6/24.

NOTE: The port still advertises VLAN information unless you also disable VLAN advertising.
• Leaveall – The minimum interval at which GVRP sends Leaveall messages on all GVRP interfaces. Leaveall messages ensure that the GVRP VLAN membership information is current by aging out stale VLAN information and adding information for new VLAN memberships, if the information is missing. A Leaveall message instructs the port to change the GVRP state for all its VLANs to Leaving, and remove them unless a Join message is received before the Leave timer expires.
• Leave – 600 ms
• Leaveall – 10000 ms

Converting a VLAN created by GVRP into a statically-configured VLAN

You cannot configure VLAN parameters on VLANs created by GVRP. Moreover, VLANs and VLAN ports added by GVRP do not appear in the running-config and cannot be saved in the startup-config file. To be able to configure and save VLANs or ports added by GVRP, you must convert the VLAN ports to statically-configured ports.
• CPU utilization statistics
• GVRP diagnostic information

Displaying GVRP configuration information

To display GVRP configuration information, enter a command such as the following.
TABLE 82 CLI display of summary GVRP information (Continued)

This field...: Displays...
GVRP Join Timer: The value of the Join timer.
 NOTE: For descriptions of the Join, Leave, and Leaveall timers or to change the timers, refer to "Changing the GVRP timers" on page 512.
GVRP Leave Timer: The value of the Leave timer.
GVRP Leave-all Timer: The value of the Leaveall timer.
Configuration that is being used: The configuration commands used to enable GVRP on individual ports.
PowerConnect#show gvrp ethernet 2/1
Port 2/1
 GVRP Enabled   : YES
 GVRP Learning  : ALLOWED
 GVRP Applicant : ALLOWED
 Port State     : UP
 Forwarding     : YES
 VLAN Membership:
 [VLAN-ID]  [MODE]
 1          FORBIDDEN
 2          FIXED
 1001       NORMAL
 1003       NORMAL
 1004       NORMAL
 1007       NORMAL
 1009       NORMAL
 1501       NORMAL
 2507       NORMAL
 4001       NORMAL
 4093       FORBIDDEN
 4094       FORBIDDEN

This display shows the following information.

TABLE 83 CLI display of detailed GVRP information for a port

This field...: Displays...
PowerConnect#show gvrp vlan brief
Number of VLANs in the GVRP Database: 7
Maximum Number of VLANs that can be present: 4095
[VLAN-ID]   [MODE]                     [VLAN-INDEX]
1           STATIC-DEFAULT             0
7           STATIC                     2
11          STATIC                     4
1001        DYNAMIC                    7
1003        DYNAMIC                    8
4093        STATIC-GVRP-BASE-VLAN      6
4094        STATIC-SINGLE-SPAN-VLAN    5
===========================================================================

Syntax: show gvrp vlan all | brief | <vlan-id>

This display shows the following information.
This display shows the following information.

TABLE 85 CLI display of summary VLAN information for GVRP

This field...: Displays...
VLAN-ID: The VLAN ID.
VLAN-INDEX: A number used as an index into the internal database.
STATIC: Whether the VLAN is a statically configured VLAN.
DEFAULT: Whether this is the default VLAN.
BASE-VLAN: Whether this is the base VLAN for GVRP.
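The two displays above, turned into an audit for the fixed-core designs described earlier in this chapter, as an added Python example. This is not Dell code and not part of the guide. The sample texts are constructed from the show gvrp vlan brief and show gvrp ethernet formats shown above. On a core device that is meant to advertise but not learn, any VLAN reported as DYNAMIC that the operator did not expect, or any GVRP port whose GVRP Learning field still reads ALLOWED, indicates that a neighbouring device can register VLANs on the core.

```python
"""Audit GVRP displays for learned VLANs and ports that still learn.

Added example, not Dell code.  VLAN_BRIEF and PORT_DETAIL are constructed
from the "show gvrp vlan brief" and "show gvrp ethernet" formats shown
in this section.
"""
import re

VLAN_BRIEF = """\
PowerConnect#show gvrp vlan brief
Number of VLANs in the GVRP Database: 7
Maximum Number of VLANs that can be present: 4095
[VLAN-ID]   [MODE]                     [VLAN-INDEX]
1           STATIC-DEFAULT             0
7           STATIC                     2
11          STATIC                     4
1001        DYNAMIC                    7
1003        DYNAMIC                    8
4093        STATIC-GVRP-BASE-VLAN      6
4094        STATIC-SINGLE-SPAN-VLAN    5
"""

PORT_DETAIL = """\
PowerConnect#show gvrp ethernet 2/1
Port 2/1
 GVRP Enabled   : YES
 GVRP Learning  : ALLOWED
 GVRP Applicant : ALLOWED
 Port State     : UP
 Forwarding     : YES
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s*$")
COUNT = re.compile(r"Number of VLANs in the GVRP Database:\s*(\d+)")
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\S+)")


def parse_vlan_brief(text):
    """Return {vlan_id: mode}; raise if the header count does not match."""
    rows, declared = {}, None
    for line in text.splitlines():
        c = COUNT.search(line)
        if c:
            declared = int(c.group(1))
        r = ROW.match(line)
        if r:
            rows[int(r.group(1))] = r.group(2)
    if declared is not None and declared != len(rows):
        raise ValueError(f"header says {declared} VLANs, parsed {len(rows)}")
    return rows


def dynamic_vlans(text):
    """VLAN IDs the device learned through GVRP rather than from its config."""
    return sorted(v for v, mode in parse_vlan_brief(text).items()
                  if mode == "DYNAMIC")


def unexpected_dynamic(text, expected):
    """Learned VLANs that are not on the operator's expected list."""
    allowed = set(expected)
    return [v for v in dynamic_vlans(text) if v not in allowed]


def parse_port_detail(text):
    """Return (port_name, {field: value}) from "show gvrp ethernet" output."""
    port, fields = None, {}
    for line in text.splitlines():
        m = re.match(r"^Port (\S+)", line)
        if m:
            port = m.group(1)
            continue
        f = FIELD.match(line)
        if f:
            fields[f.group(1)] = f.group(2)
    return port, fields


def learning_allowed(text):
    """True when the port accepts VLAN registrations from its neighbour,
    i.e. block-learning has not been applied to it."""
    _, fields = parse_port_detail(text)
    return (fields.get("GVRP Enabled") == "YES"
            and fields.get("GVRP Learning") == "ALLOWED")


if __name__ == "__main__":
    print("dynamic VLANs:", dynamic_vlans(VLAN_BRIEF))
    print("unexpected:", unexpected_dynamic(VLAN_BRIEF, expected=[1001]))
    print("port still learning:", learning_allowed(PORT_DETAIL))
```

The count check guards against a truncated capture: if the header says seven VLANs and fewer rows were parsed, the audit refuses to report a clean result.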
• PowerConnect B-Series FCX stackable switches –

This display shows the following information for the port.

TABLE 86 CLI display of GVRP statistics

This field...: Displays...
Leave All Received: The number of Leaveall messages received.
Join Empty Received: The number of Join Empty messages received.
Join In Received: The number of Join In messages received.
Leave Empty Received: The number of Leave Empty messages received.
PowerConnect#show process cpu
Process Name   5Sec(%)   1Min(%)   5Min(%)   15Min(%)
ARP            0.01      0.03      0.09      0.22
BGP            0.00      0.00      0.00      0.00
GVRP           0.00      0.03      0.04      0.07
ICMP           0.00      0.00      0.00      0.00
IP             0.00      0.00      0.00      0.00
OSPF           0.00      0.00      0.00      0.00
RIP            0.00      0.00      0.00      0.00
STP            0.00      0.00      0.00      0.00
VRRP           0.00      0.00      0.00      0.
Displaying GVRP diagnostic information

To display diagnostic information, enter the following command.
Dynamic core and fixed edge

In this configuration, the edge devices advertise their statically configured VLANs to the core device. The core device does not have any statically configured VLANs but learns the VLANs from the edge devices. Enter the following commands on the core device.

PowerConnect> enable
PowerConnect#configure terminal
PowerConnect(config)#gvrp-enable
PowerConnect(config-gvrp)#enable all

These commands globally enable GVRP support and enable the protocol on all ports.
PowerConnect(config-vlan-40)#exit
PowerConnect(config)#gvrp-enable
PowerConnect(config-gvrp)#enable ethernet 4/1
PowerConnect(config-gvrp)#block-learning ethernet 4/1

Dynamic core and dynamic edge
In this configuration, the core and edge devices have no statically configured VLANs and are enabled to learn and advertise VLANs. The edge and core devices learn the VLANs configured on the devices in the edge clouds.
Fixed core and fixed edge
The VLANs are statically configured on the core and edge devices. On each edge device, VLAN advertising is enabled but learning is disabled. GVRP is not configured on the core device. This configuration enables the devices in the edge clouds to learn the VLANs configured on the edge devices. This configuration does not use any GVRP configuration on the core device. The configuration on the edge device is the same as in “Dynamic core and fixed edge” on page 523.
Chapter 15 Configuring MAC-based VLANs
Table 87 lists the individual Dell PowerConnect switches and the MAC-based VLAN features they support.
TABLE 87 Supported MAC-based VLAN features
Feature                                          PowerConnect B-Series FCX
MAC-Based VLANs:                                 Yes
  • Source MAC address authentication
  • Policy-based classification and forwarding
MAC-based VLANs and 802.
• Source MAC Address Authentication
• Policy-Based Classification and Forwarding

Source MAC address authentication
Source MAC address authentication is performed by a central RADIUS server when it receives a PAP request with a username and password that match the MAC address being authenticated.
When this feature is not enabled, the physical port is statically added to the hardware table, regardless of the outcome of the authentication process. This feature prevents the addition of unauthenticated ports to the VLAN table. For information about how to configure Dynamic MAC-based VLAN, refer to “Configuring dynamic MAC-based VLAN” on page 536.
TABLE 88 CLI commands for MAC-based VLANs (Continued)
CLI command           Description                                                                                         CLI level
show table-mac-vlan   Displays information about allowed and denied MAC addresses on ports with MAC-based VLAN enabled.
Configuring MAC-based VLANs

mac-authentication auth-fail-vlan-id 666
interface ethernet 0/1/1
 mac-authentication mac-vlan max-mac-entries 5
 mac-authentication mac-vlan 0030.4888.
When both features are configured on a port, a device connected to the port is authenticated as follows.
1. MAC-based VLAN is performed on the device to authenticate the device MAC address.
2. If MAC-based VLAN is successful, the device then checks to see if the RADIUS server included the Foundry-802_1x-enable VSA (described in Table 90) in the Access-Accept message that authenticated the device.
3.
TABLE 90 Dell vendor-specific attributes for RADIUS
Attribute name               Attribute ID   Data type   Optional or mandatory   Description
Foundry-MAC-based VLAN-QoS   8              decimal     Optional                The QoS attribute specifies the priority of the incoming traffic based on any value between 0 (lowest priority) and 7 (highest priority). Default is 0.
Foundry-802_1x-enable        6              integer     Optional                Specifies whether 802.
When the hardware aging period ends, the software aging period begins. The software aging period lasts for a configurable amount of time (the default is 120 seconds). After the software aging period ends, the MAC-based VLAN session is flushed, and the MAC address can be authenticated or denied if the Dell PowerConnect device again receives traffic from that MAC address.
PowerConnect(config)#interface e 3/1
PowerConnect(config-if-e1000-3/1)#mac-authentication disable-aging
Syntax: [no] mac-authentication disable-aging

Configuring the maximum MAC addresses per port
To configure the maximum number of MAC addresses allowed per port, use the following commands:
PowerConnect(config)#interface e 0/1/1
PowerConnect(config-if-e1000-0/1/1)#mac-authentication mac-vlan max-mac-entries 24
NOTE
A maximum of 32 MAC addresses are allowed per port.
Configuring MAC-based VLAN for a dynamic host
Follow the steps given below to configure MAC-based VLAN for a dynamic host.
1. Enable multi-device port authentication globally using the following command.
PowerConnect(config)#mac-authentication enable
2. Add each port on which you want MAC-based VLAN enabled as mac-vlan-permit for a specific VLAN.
PowerConnect(config)#vlan 10 by port
PowerConnect(config-vlan-10)#mac-vlan-permit ethernet 0/1/1 to 0/1/6
3.
Configuring MAC-based VLANs using SNMP
Several MIB objects have been developed to allow the configuration of MAC-based VLANs using SNMP. For more information, refer to the IronWare MIB Reference Guide.

Displaying Information about MAC-based VLANs
This section describes the show commands that display information related to MAC-based VLANs.

Displaying the MAC-VLAN table
Enter the following command to display the MAC-VLAN table.
This field...   Displays...
MAC Address     The MAC address for which this information is displayed.
Port            The port where MAC-based VLAN is enabled.
Vlan            The VLAN to which the MAC address has been assigned.
Authenticated   Yes indicates authentication is successful. No indicates authentication has failed. Inp indicates authentication is in progress. Rst indicates a restricted VLAN.
Time            The time at which the MAC address was authenticated.
PowerConnect(config)#show table-mac-vlan denied-mac
-------------------------------------------------------------------------------
MAC Address      Port    Vlan   Authenticated   Time           Age   dot1x
-------------------------------------------------------------------------------
0000.0030.1002   1/1/1   4092   No              00d00h11m57s   H40   Dis
Syntax: show table-mac-vlan denied-mac
The following table describes the information in this output.
This field...   Displays...
PowerConnect#show table-mac-vlan detailed e 0/1/2
Port                         : 0/1/2
Dynamic-Vlan Assignment      : Disabled
RADIUS failure action        : Block Traffic
Failure restrict use dot1x   : No
Override-restrict-vlan       : Yes
Vlan                         : (MAC-PERMIT-VLAN )
Port Vlan State              : DEFAULT
802.
Displaying MAC-VLAN information for a specific interface
Enter the following command to display MAC-VLAN information for a specific interface.
PowerConnect#show table-mac-vlan e 0/1/1
-------------------------------------------------------------------------------
MAC Address   Port   Vlan   Authenticated   Time   Age   CAM Index   MAC Index   Dot1x   Type   Pri
-------------------------------------------------------------------------------
0000.0100.
Displaying MAC addresses in a MAC-based VLAN
Enter the following command to display a list of MAC addresses in a MAC-based VLAN.
PowerConnect#show mac-address
Total active entries from all ports = 1541
MAC-Address      Port     Type
0000.2000.0001   0/1/32   Dynamic(MBV)
0000.2000.0002   0/1/32   Dynamic(MBV)
0000.2000.0003   0/1/32   Dynamic(MBV)
0000.2000.0004   0/1/32   Static(MBV)
0000.2000.0005   0/1/32   Dynamic(MBV)
0000.2000.0006   0/1/32   Dynamic(MBV)
0000.2000.
Displaying MAC-based VLAN logging
Enter the following command to display MAC-based VLAN logging activity.
Sample application

FIGURE 111 Sample MAC-based VLAN configuration
Figure 111 shows a RADIUS server with a profile for user 0030.4875.3f73 (Host B), Tunnel-Private-Group-ID = VLAN2, and no profile for MAC 0030.4875.3ff5 (Host C). Switch port e1 is configured with mac-vlan-permit and connects through a hub to three untagged host stations: Host station A (MAC 0030.4888.b9fe), Host station B (MAC 0030.4875.3f73) and Host station C (MAC 0030.4875.
mac-authentication hw-deny-age 30
mac-authentication auth-passwd-format xxxx.xxxx.xxxx
interface ethernet 0/1/1
 mac-authentication mac-vlan max-mac-entries 5
 mac-authentication mac-vlan 0030.4888.b9fe vlan 1 priority 1
 mac-authentication mac-vlan enable
!
interface ethernet 0/1/2
 mac-authentication mac-vlan max-mac-entries 5
 mac-authentication mac-vlan enable
!
!
end
The show table-mac-vlan command returns the following results for all ports in this configuration.
Chapter 16 Configuring Rule-Based IP Access Control Lists (ACLs)
Table 91 lists the individual Dell PowerConnect switches and ACL features they support.
NOTE
For information about IPv6 ACLs, refer to Chapter 19, “Configuring IPv6 Access Control Lists (ACLs)”.

ACL overview
Dell PowerConnect devices support rule-based ACLs (sometimes called hardware-based ACLs), where the decisions to permit or deny packets are processed in hardware and all permitted packets are switched or routed in hardware. All denied packets are also dropped in hardware. In addition, PowerConnect devices support inbound ACLs only. Outbound ACLs are not supported.
NOTE
This is different from IP access policies. If you use IP access policies, you apply the individual policies to interfaces.
• ACL entry – Also called an ACL rule, this is a filter command associated with an ACL ID. The maximum number of ACL rules you can configure is a system-wide parameter and depends on the device you are configuring. You can configure up to the maximum number of entries in any combination in different ACLs.
How hardware-based ACLs work
When you bind an ACL to inbound traffic on an interface, the device programs the Layer 4 CAM with the ACL. Permit and deny rules are programmed. Most ACL rules require one Layer 4 CAM entry. However, ACL rules that match on more than one TCP or UDP application port may require several CAM entries. The Layer 4 CAM entries for ACLs do not age out.
NOTE
PowerConnect B-Series FCX devices do not support ACLs on Group VEs, even though the CLI contains commands for this action.
• ACLs apply to all traffic, including management traffic.
• The number of ACLs supported per device is listed in Table 92.
• Hardware-based ACLs support only one ACL per port. The ACL of course can contain multiple entries (rules).
or
Syntax: [no] access-list deny | permit / | [log]
Syntax: [no] access-list deny | permit host | [log]
Syntax: [no] access-list deny | permit any [log]
Syntax: [no] ip access-group in
The parameter is the access list number from 1 – 99.
The log argument configures the device to generate Syslog entries and SNMP traps for packets that are denied by the access policy.
NOTE
You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter to the end of the ACL or filter. The software replaces the ACL or filter command with the new one.
Standard named ACL syntax
Syntax: [no] ip access-list standard |
Syntax: deny | permit | [log]
or
Syntax: deny | permit / | [log]
Syntax: deny | permit host | [log]
Syntax: deny | permit any [log]
Syntax: [no] ip access-group in
The parameter is the access list name. You can specify a string of up to 256 alphanumeric characters.
significant bits) and changes the non-significant portion of the IP address into ones. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of subnet lengths) or 209.157.22.0 0.0.0.255 in the startup-config file. If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in “/” format.
The commands in this example configure a standard ACL named “Net1”. The entries in this ACL deny packets from three source IP addresses from being forwarded on port 1. Since the implicit action for an ACL is “deny”, the last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries. For an example of how to configure the same entries in a numbered ACL, refer to “Configuring standard numbered ACLs” on page 551.
The parameter is the extended access list number. Specify a number from 100 – 199. The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded. The parameter indicates the type of IP packet you are filtering. You can specify a well-known name for any protocol whose number is less than 255. For other protocols, you must enter the number.
• echo-reply
• information-request
• log
• mask-reply
• mask-request
• parameter-problem
• redirect
• source-quench
• time-exceeded
• timestamp-reply
• timestamp-request
• traffic policy
• unreachable
The parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for HTTP, specify tcp eq http.
NOTE
If the ACL is for a virtual routing interface, you also can specify a subset of ports within the VLAN containing that interface when assigning an ACL to the interface. Refer to “Configuring standard numbered ACLs” on page 551.
The precedence | parameter of the ip access-list command specifies the IP precedence. The precedence of an IP packet is set in a three-bit field following the four-bit header-length field of the packet’s header.
The 802.1p-priority-matching option inspects the 802.1p bit in the ACL that can be used with adaptive rate limiting. Enter a value from 0 – 7. For details, refer to “Inspecting the 802.1p bit in the ACL for adaptive rate limiting” on page 765. The dscp-marking option enables you to configure an ACL that marks matching packets with a specified DSCP value. Enter a value from 0 – 63. Refer to “Using an IP ACL to mark DSCP values (DSCP marking)” on page 580.
The fifth entry denies all OSPF traffic and generates Syslog entries for denied traffic. The sixth entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL. The following commands apply ACL 102 to the incoming traffic on port 1/2 and to the incoming traffic on port 4/3.
Configuring extended named ACLs
The commands for configuring named ACL entries are different from the commands for configuring numbered ACL entries. The command to configure a numbered ACL is access-list. The command for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL entry, you specify all the command parameters on the same command.
The parameter indicates the type of IP packet you are filtering. You can specify a well-known name for any protocol whose number is less than 255. For other protocols, you must enter the number. Enter “?” instead of a protocol to list the well-known names recognized by the CLI. The | parameter specifies the source IP host for the policy. If you want the policy to match on all source addresses, enter any.
• mask-reply
• mask-request
• parameter-problem
• redirect
• source-quench
• time-exceeded
• timestamp-reply
• timestamp-request
• traffic policy
• unreachable
The parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for HTTP, specify tcp eq http.
NOTE
If the ACL is for a virtual routing interface, you also can specify a subset of ports within the VLAN containing that interface when assigning an ACL to the interface. Refer to “Configuring standard numbered ACLs” on page 551.
The precedence | parameter of the ip access-list command specifies the IP precedence. The precedence of an IP packet is set in a three-bit field following the four-bit header-length field of the packet’s header.
The 802.1p-priority-matching option inspects the 802.1p bit in the ACL that can be used with adaptive rate limiting. Enter a value from 0 – 7. For details, refer to “Inspecting the 802.1p bit in the ACL for adaptive rate limiting” on page 765. The dscp-marking option enables you to configure an ACL that marks matching packets with a specified DSCP value. Enter a value from 0 – 63.
The following example shows how this feature works for a TCP port (this feature works the same way for UDP ports). In this example, the user identifies the TCP port by number (80) when configuring ACL group 140. However, show ip access-list 140 reverts to the port name for the TCP port (http in this example).
The can be up to 128 characters in length. The comment must be entered separately from the actual ACL entry; that is, you cannot enter the ACL entry and the ACL comment with the same access-list or ip access-list command. Also, in order for the remark to be displayed correctly in the output of show commands, the comment must be entered immediately before the ACL entry it describes.
PowerConnect#show running-config
…
access-list 100 remark The following line permits TCP packets
access-list 100 permit tcp 192.168.4.40/24 2.2.2.2/24
access-list 100 remark The following line permits UDP packets
access-list 100 permit udp 192.168.2.52/24 2.2.2.2/24
access-list 100 deny ip any any
Syntax: show running-config
The following example shows the comment text for an ACL in a show access-list display.
PowerConnect(config-vif-10)#int ve 20
PowerConnect(config-vif-20)#ip access-group test1 in
PowerConnect(config-vif-20)#ip address 10.15.1.10 255.255.255.0
PowerConnect(config-vif-20)#exit
PowerConnect(config)#ip access-list extended test1
PowerConnect(config-ext-nACL)#permit ip 10.15.1.0 0.0.0.255 any log
PowerConnect(config-ext-nACL)#permit ip 192.168.10.0 0.0.0.
• ACL logging is intended for debugging purposes. Dell recommends that you disable ACL logging after the debug session is over.

Configuration Tasks
To enable ACL logging, complete the following steps:
1. Create ACL entries with the log option.
2. Enable ACL logging on individual ports.
NOTE
The command syntax for enabling ACL logging is different on IPv4 devices than on IPv6 devices. See the configuration examples in the next section.
3.
Displaying ACL Log Entries
The first time an entry in an ACL permits or denies a packet and logging is enabled for that entry, the software generates a Syslog message and an SNMP trap. Messages for packets permitted or denied by ACLs are at the warning level of the Syslog. When the first Syslog entry for a packet permitted or denied by an ACL is generated, the software starts an ACL timer.
The fragments are forwarded even if the first fragment, which contains the Layer 4 information, was denied. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet. For tighter control, you can configure the port to drop all packet fragments. To do so, enter commands such as the following.
Enabling ACL filtering based on VLAN membership or VE port membership
You can apply an inbound IPv4 ACL to specific VLAN members on a port (Layer 2 devices only) or to specific ports on a virtual interface (VE) (Layer 3 devices only). By default, this feature is disabled. To enable it, enter the following commands at the Global CONFIG level of the CLI.
PowerConnect(config)#access-list 10 permit
PowerConnect(config)#int e 1/23
PowerConnect(config-if-e1000-1/23)#per-vlan 12
PowerConnect(config-if-e1000-1/23-vlan-12)#ip access-group 10 in
The commands in this example configure port-based VLAN 12, and add ports e 5 – 8 as untagged ports and ports e 23 – 24 as tagged ports to the VLAN. The commands following the VLAN configuration commands configure ACL 10.
Specify the variable in the following formats:
• PowerConnect B-Series FCX stackable switches –

Using ACLs to filter ARP packets
You can use ACLs to filter ARP packets. Without this feature, ACLs cannot be used to permit or deny incoming ARP packets. Although an ARP packet contains an IP address just as an IP packet does, an ARP packet is not an IP packet; therefore, it is not subject to normal filtering provided by ACLs.
PowerConnect(config-ve-2)# exit
PowerConnect(config)# interface ve 3
PowerConnect(config-ve-3)# ip access-group 102 in
PowerConnect(config-ve-3)# ip follow ve 2
PowerConnect(config-ve-3)# ip use-ACL-on-arp
PowerConnect(config-ve-3)# exit
PowerConnect(config-vlan-4)# interface ve 4
PowerConnect(config-ve-4)# ip follow ve 2
PowerConnect(config-ve-4)# ip use-ACL-on-arp
PowerConnect(config-ve-4)# exit
Syntax: [no] ip use-ACL-on-arp [ ]
When the use-ACL
Clearing the filter count
To clear the filter count for all interfaces on the device, enter a command such as the following.
PowerConnect(config)# clear ACL-on-arp
The above command resets the filter count on all interfaces in a device back to zero.
Syntax: clear ACL-on-arp

Filtering on IP precedence and ToS values
To configure an extended IP ACL that matches based on IP precedence, enter commands such as the following.
For details about the edge port security feature, refer to “Using TCP Flags in combination with other ACL features” on page 1202.

QoS options for IP ACLs
Quality of Service (QoS) options enable you to perform QoS for packets that match the ACLs. Using an ACL to perform QoS is an alternative to directly setting the internal forwarding priority based on incoming port, VLAN membership, and so on. (This method is described in “Assigning QoS priorities to traffic” on page 596.
PowerConnect(config)#access-list 101 permit ip any any internal-priority-marking 6
The following command is not supported.
PowerConnect(config)#access-list 101 permit ip any any dscp-marking 43 802.1p-priority-marking 4 internal-priority-marking 6

Using an IP ACL to mark DSCP values (DSCP marking)
The dscp-marking option for extended ACLs allows you to configure an ACL that marks matching packets with a specified DSCP value.
PowerConnect(config)#acc 105 per tcp any any 802.1p-priority-marking 1 internal-priority-marking 5
Syntax: access-list permit tcp any any 802.1p-priority-marking [internal-priority-marking ]
For UDP
PowerConnect(config)#acc 105 per udp any any 802.1p-priority-marking 1
or the following command, which also assigns an optional internal-priority-marking value.
PowerConnect(config)#acc 105 per udp any any 802.
Syntax: ...dscp-matching <0 – 63>
NOTE
For complete syntax information, refer to “Extended numbered ACL syntax” on page 556.

ACL-based rate limiting
ACL-based rate limiting provides the facility to limit the rate for IP traffic that matches the permit conditions in extended IP ACLs. This feature is available in the Layer 2 and Layer 3 code. For more details, including configuration procedures, refer to Chapter 18, “Configuring Traffic Policies”.
PowerConnect#show access-list 100
Extended IP access list 100 (hw usage : 2)
deny ip any any (hw usage : 1)
The first command enables hardware usage statistics, and the second command displays the hardware usage for IP access list 100.
Syntax: show access-list hw-usage on | off
Syntax: show access-list | all
By default, hardware usage statistics are disabled.
Policy-based routing (PBR)
Policy-Based Routing (PBR) allows you to use ACLs and route maps to selectively modify and route IP packets in hardware. The ACLs classify the traffic. Route maps that match on the ACLs set routing attributes for the traffic. A PBR policy specifies the next hop for traffic that matches the policy. Using standard ACLs with PBR, you can route IP packets based on their source IP address.
Configuring a PBR policy
To configure PBR, you define the policies using IP ACLs and route maps, then enable PBR globally or on individual interfaces. The device programs the ACLs into the packet processor on the interfaces and routes traffic that matches the ACLs according to the instructions in the route maps. To configure a PBR policy:
• Configure ACLs that contain the source IP addresses for the IP traffic you want to route using PBR.
The parameter specifies the mask value to compare against the host address specified by the parameter. The is in dotted-decimal notation (IP address format). It is a four-part value, where each part is 8 bits (one byte) separated by dots, and each bit is a one or a zero. Each part is a number ranging from 0 to 255, for example 0.0.0.255. Zeros in the mask mean the packet source address must match the . Ones mean any value matches.
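The mask semantics just described (zeros must match, ones are don't-care), together with the first-match evaluation, the implicit deny, and the host-bit normalization described under the standard named ACL section, worked through as an added Python example that is not Dell IronWare code: it parses numbered and named ACL entries in the syntax shown in this chapter and evaluates packets against them. The well-known port names and support for only the destination-port eq operator are assumptions; ACL 100 is taken from the show running-config example in this chapter.

```python
"""Wildcard-mask ACL matching with first-match evaluation and implicit deny.
Added example, not Dell IronWare code. Models the semantics the guide gives:
zero mask bits must match, one bits are don't-care, the first matching entry
decides, no match is an implicit deny, and the host bits of a configured
address are cleared (209.157.22.26/24 is saved as 209.157.22.0/24)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Small subset of the well-known names accepted after "eq" (assumption).
WELL_KNOWN_PORTS = {"http": 80, "telnet": 23, "ssh": 22, "snmp": 161}
Spec = Tuple[int, int]  # (address bits, wildcard mask) as 32-bit integers

def parse_endpoint(tokens: List[str]) -> Spec:
    """Consume one address spec: any | host A | A/len | A W (wildcard mask)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    if "/" in t:
        addr, plen = t.split("/")
        wildcard = (1 << (32 - int(plen))) - 1
    else:
        addr, wildcard = t, int(ipaddress.IPv4Address(tokens.pop(0)))
    base = int(ipaddress.IPv4Address(addr))
    # Clear the host (don't-care) bits, as the saved startup-config shows.
    return base & ~wildcard & 0xFFFFFFFF, wildcard

def saved_form(spec: Spec, cidr: bool = True) -> str:
    """Render a spec the way the device writes it to the startup-config."""
    base, wildcard = spec
    addr = str(ipaddress.IPv4Address(base))
    if cidr and wildcard & (wildcard + 1) == 0:  # contiguous mask -> "/len"
        return f"{addr}/{33 - (wildcard + 1).bit_length()}"
    return f"{addr} {ipaddress.IPv4Address(wildcard)}"

def addr_matches(spec: Spec, addr: int) -> bool:
    """Bits under a zero mask bit must match; bits under a one bit are ignored."""
    base, wildcard = spec
    return (addr ^ base) & ~wildcard & 0xFFFFFFFF == 0

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", or "any" for a standard ACL
    src: Spec
    dst: Optional[Spec]    # None for standard ACL entries
    dport: Optional[int]   # destination port from "eq", if present
    log: bool

def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny ...' or a named-ACL 'permit|deny ...' line."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"not an ACL entry: {line!r}")
    proto, dst, dport = "any", None, None
    if tokens[0] in ("ip", "tcp", "udp"):
        proto = tokens.pop(0)
    src = parse_endpoint(tokens)
    if proto != "any":                   # extended entry: destination too
        dst = parse_endpoint(tokens)
        if tokens and tokens[0] == "eq": # only the destination "eq" is modelled
            dport = WELL_KNOWN_PORTS.get(tokens[1]) or int(tokens[1])
    return Entry(action, proto, src, dst, dport, "log" in tokens)

def parse_acl(config: str) -> List[Entry]:
    """Parse the entry lines of one ACL, skipping remarks and blank lines."""
    entries = []
    for line in config.splitlines():
        words = line.split()
        if words and "remark" not in words[:3]:
            entries.append(parse_entry(line))
    return entries

def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of deciding entry); (deny, None) is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for i, e in enumerate(entries):
        if e.proto not in ("any", "ip") and e.proto != proto:
            continue
        if not addr_matches(e.src, s):
            continue
        if e.dst is not None and not addr_matches(e.dst, d):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i               # first match wins
    return "deny", None                  # implicit deny at the end of the ACL

# Extended ACL 100 as shown in the guide's show running-config example.
ACL_100 = """access-list 100 remark The following line permits TCP packets
access-list 100 permit tcp 192.168.4.40/24 2.2.2.2/24
access-list 100 permit udp 192.168.2.52/24 2.2.2.2/24
access-list 100 deny ip any any"""
```

Calling saved_form on the parsed entries of ACL_100 reproduces the normalized form the guide says appears in the startup-config (192.168.4.0/24 rather than 192.168.4.40/24).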
The commands in this example configure an entry in a route map named “test-route”. The match statement matches on IP information in ACL 99. The set statement changes the next-hop IP address for packets that match to 192.168.2.1.
Syntax: [no] route-map permit | deny
The is a string of characters that names the map. Map names can be up to 32 characters in length.
The commands in this example change the CLI to the Interface level for virtual interface 1, then apply the “test-route” route map to the interface. You can apply a PBR route map to Ethernet ports or virtual interfaces.
Syntax: ip policy route-map
Enter the name of the route map you want to use for the route-map parameter.

Configuration examples
This section presents configuration examples for configuring and applying a PBR policy.
PowerConnect(config)#access-list 50 permit 209.157.23.0 0.0.0.255
PowerConnect(config)#access-list 51 permit 209.157.24.0 0.0.0.255
PowerConnect(config)#access-list 52 permit 209.157.25.0 0.0.0.255
The following commands configure three entries in a route map called “test-route”. The first entry (permit 50) matches on the IP address information in ACL 50 above. For IP traffic from subnet 209.157.23.0/24, this route map entry sets the next-hop IP address to 192.168.2.1.
The following command enables PBR by globally applying the route map to all interfaces.
PowerConnect(config)#ip policy route-map file-13
Alternatively, you can enable PBR on specific interfaces, as shown in the following example. The commands in this example configure IP addresses in the source subnet identified in ACL 56, then apply route map file-13 to the interface.
PowerConnect(config)#interface ethernet 3/11
PowerConnect(config-if-e10000-3/11)#ip address 192.168.1.
Chapter 17 Configuring Quality of Service
Table 93 lists the individual Dell PowerConnect switches and the Quality of Service (QoS) features they support.
TABLE 93 Supported QoS features
Feature                                PowerConnect B-Series FCX
802.1p Quality of Service (QoS):       Yes
  • Strict Priority (SP)
  • Weighted Round Robin (WRR)
  • Combined SP and WRR
  • 8 priority queues
802.1p priority override               Yes
802.
• Static MAC address
• Layer 2 Class of Service (CoS) value – This is the 802.1p priority value in the Ethernet frame. It can be a value from 0 through 7. The 802.1p priority is also called the Class of Service.
• Layer 3 Differentiated Services Code Point (DSCP) – This is the value in the six most significant bits of the IP packet header 8-bit DSCP field. It can be a value from 0 through 63. These values are described in RFCs 2472 and 2475.
FIGURE 112 Determining a packet trust level - PowerConnect B-Series FCX devices
Figure 112 is a flowchart: a packet is received on the ingress port. Does the packet match an ACL that defines a priority? Yes: trust the DSCP-CoS mapping or the DSCP marking. No: does the MAC address match a static entry? Yes: trust the priority of the static MAC entry. No: is the packet tagged? Yes: trust the 802.
TABLE 94 Default QoS mappings, columns 0 to 15
DSCP value   0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
802.
• DSCP to internal forwarding priority mapping – You can change the mapping between the DSCP value and the internal forwarding priority value from the default values shown in Table 94 through Table 97. This mapping is used for CoS marking and determining the internal priority when the trust level is DSCP. Refer to “Changing the DSCP to internal forwarding priority mappings” on page 601.
• VLAN priority (802.
QoS behavior on port priority and VLAN priority in an IronStack
Port priority and VLAN priority have a higher precedence than the 802.1p priority examination. If port priority is set to 7, all incoming traffic is mapped to internal hardware queue 6. When stacking is not enabled on a device, all priorities are mapped to their corresponding queues without restrictions.

QoS behavior for 802.1p marking in an IronStack
By default in stacking mode, 802.1p marking is not enabled.
When you change the priority, you specify a number from 0 through 7. The priority number specifies the IEEE 802.1 equivalent to one of the eight QoS queues on Dell PowerConnect devices. The numbers correspond to the queues as shown in Table 98. Although it is possible for a packet to qualify for an adjusted QoS priority based on more than one of the criteria listed in the section above, the system always gives a packet the highest priority for which it qualifies.
Buffer allocation/threshold for QoS queues
By default, Dell IronWare software allocates a certain number of buffers to the outbound transport queue for each port based on QoS priority. The buffers control the total number of packets permitted in the outbound queue for the port. If desired, you can increase or decrease the maximum number of outbound transmit buffers allocated to all QoS queues, or to specific QoS queues on a port or group of ports.
Marking
Marking is the process of changing the packet QoS information (the 802.1p and DSCP information in a packet) for the next hop. For example, for traffic coming from a device that does not support Differentiated Services (DiffServ), you can change the packet IP precedence value into a DSCP value before forwarding the packet. You can mark a packet Layer 2 CoS value, its Layer 3 DSCP value, or both values.
PowerConnect stackable devices
PowerConnect B-Series FCX devices support DSCP-based QoS on a per-port basis. DSCP-based QoS is not automatically honored for switched traffic. The default is 802.1p to CoS mapping. To honor DSCP-based QoS, enter the following command at the interface level of the CLI.
PowerConnect(config-if-e1000-11)#trust dscp
Syntax: trust dscp
When trust dscp is enabled, the interface honors the Layer 3 DSCP value.
TABLE 100 Default mappings of internal forwarding priority values
Internal forwarding priority    Forwarding queue
0 (lowest priority queue)       qosp0
1                               qosp1
2                               qosp2
3                               qosp3
4                               qosp4
5                               qosp5
6                               qosp6
7 (highest priority queue)      qosp7
You can change the DSCP to internal forwarding mappings. You also can change the internal forwarding priority to hardware forwarding queue mappings.
PowerConnect#show qos-tos
...portions of table omitted for simplicity...
DSCP-Priority map: (dscp = d1d2)
     d2|  0  1  2  3  4  5  6  7  8  9
  d1   |
  -----+----------------------------------------
   0   |  1  0  1  1  1  0  0  0  5  1
   1   |  6  1  1  1  1  1  4  2  2  2
   2   |  2  2  2  2  2  3  3  3  3  3
   3   |  3  3  0  4  4  4  4  4  4  4
   4   |  7  5  5  5  5  5  5  5  3  6
   5   |  6  6  6  6  6  6  6  7  7  7
   6   |  7  7  7  7
Changing the VLAN priority
802.
Hardware queue    WRR mode      Hybrid WRR and SP    Strict Priority (SP) mode
3                 Weight 82%    Strict Priority      Strict Priority
2                 Weight 6%     Weight 40%           Strict Priority
1                 Weight 6%     Weight 30%           Strict Priority
0                 Weight 6%     Weight 30%           Strict Priority
The example configuration described below is for a default, non-jumbo mode. The hardware queues for WRR mode are calculated as follows.
NOTE
Queue cycles on the PowerConnect devices are based on bytes. These devices service a given number of bytes (based on weight) in each queue cycle. FES and BI/FI queue cycles are based on packets. The bytes-based scheme is more accurate than a packets-based scheme if packets vary greatly in size.
• Strict priority (SP) – SP ensures service for high priority traffic.
Selecting the QoS queuing method
By default, Dell PowerConnect devices use the WRR method of packet prioritization. To change the method to strict priority, enter the following command at the global CONFIG level of the CLI.
PowerConnect(config)#qos mechanism strict
To change the method back to weighted round robin, enter the following command.
TABLE 103 Default minimum bandwidth percentages on Dell PowerConnect devices
Queue    Default minimum percentage of bandwidth
         Without jumbo frames    With jumbo frames
qosp7    75%                     44%
qosp6    7%                      8%
qosp5    3%                      8%
qosp4    3%                      8%
qosp3    3%                      8%
qosp2    3%                      8%
qosp1    3%                      8%
qosp0    3%                      8%
When the queuing method is weighted round robin, the software internally translates the percentages into weights.
The variable specifies a number for the percentage of the device outbound bandwidth that is allocated to the queue. Dell QoS queues require a minimum bandwidth percentage of 3 percent for each priority. When jumbo frames are enabled, the minimum bandwidth requirement is 8 percent. If these minimum values are not met, QoS may not be accurate.
Configuration notes
• The total of the percentages you enter must equal 100.
Viewing QoS settings
To display the QoS settings for all of the queues, enter the show qos-profiles command.
TABLE 104 DSCP-based QoS configuration information
This field...                                   Displays...
DSCP to traffic class map (d1 and d2)           The DSCP to forwarding priority mappings that are currently in effect.
                                                NOTE: The example shows the default mappings. If you change the mappings, the command displays the changed mappings.
Traffic class to 802.1 priority map             The traffic class to 802.1p priority mappings that are currently in effect.
(Traffic Class and 802.1p Priority)
PowerConnect#show qos-tos
DSCP-->Traffic-Class map: (DSCP = d1d2: 00, 01...63)
     d2|  0  1  2  3  4  5  6  7  8  9
  d1   |
  -----+----------------------------------------
   0   |  0  0  0  0  0  0  0  0  1  1
   1   |  1  1  1  1  1  1  2  2  2  2
   2   |  2  2  2  2  3  3  3  3  3  3
   3   |  3  3  4  4  4  4  4  4  4  4
   4   |  5  5  5  5  5  5  5  5  6  6
   5   |  6  6  6  6  6  6  7  7  7  7
   6   |  7  7  7  7
Traffic-Class-->802.1p-Priority map (use to derive DSCP--802.1p-Priority):
Traffic | 802.
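The DSCP map above is the factory default (traffic class = DSCP divided by 8); a changed map shows up in the same output. The following is an added example, not Dell or IronWare code, that parses that map and reports every DSCP value whose traffic class differs from the default, so a remapped value (for example DSCP 46, the EF code point, moved to a higher queue) is caught when reviewing a switch configuration. The sample output is a constructed copy of the default map.

```python
"""Audit the DSCP-->Traffic-Class map printed by `show qos-tos`.

Added example, not Dell/IronWare code.  Map rows are read as d1 (tens
digit) and d2 (units digit) of the DSCP value; the default class for a
DSCP value is DSCP // 8, as the guide's default map shows.
"""
import re

# Constructed sample output, copied from the default map in the guide.
SAMPLE_SHOW_QOS_TOS = """\
DSCP-->Traffic-Class map: (DSCP = d1d2: 00, 01...63)
     d2|  0  1  2  3  4  5  6  7  8  9
  d1   |
  -----+----------------------------------------
   0   |  0  0  0  0  0  0  0  0  1  1
   1   |  1  1  1  1  1  1  2  2  2  2
   2   |  2  2  2  2  3  3  3  3  3  3
   3   |  3  3  4  4  4  4  4  4  4  4
   4   |  5  5  5  5  5  5  5  5  6  6
   5   |  6  6  6  6  6  6  7  7  7  7
   6   |  7  7  7  7
Traffic-Class-->802.1p-Priority map (use to derive DSCP--802.1p-Priority):
"""

# One map row: the d1 digit, a '|', then one traffic class per d2 column.
ROW_RE = re.compile(r"^\s*(\d)\s*\|((?:\s+\d)+)\s*$")


def default_dscp_map():
    """Factory default: traffic class is the DSCP value divided by 8."""
    return {dscp: dscp // 8 for dscp in range(64)}


def parse_dscp_map(text):
    """Return {dscp: traffic_class} for all 64 DSCP values in the output."""
    mapping = {}
    in_map = False
    for line in text.splitlines():
        if line.startswith("DSCP-->Traffic-Class map"):
            in_map = True
            continue
        if not in_map:
            continue
        if line.lstrip().startswith("Traffic-Class-->"):
            break                      # next table; the DSCP map is complete
        m = ROW_RE.match(line)
        if m is None:
            continue                   # column header or separator line
        d1 = int(m.group(1))
        for d2, cls in enumerate(m.group(2).split()):
            dscp = d1 * 10 + d2
            if dscp > 63:
                raise ValueError("row %d has too many columns" % d1)
            mapping[dscp] = int(cls)
    if len(mapping) != 64:
        raise ValueError("parsed %d of 64 DSCP entries" % len(mapping))
    return mapping


def changed_entries(mapping):
    """Return {dscp: (default_class, configured_class)} for remapped values."""
    default = default_dscp_map()
    return {d: (default[d], mapping[d]) for d in range(64)
            if mapping[d] != default[d]}


if __name__ == "__main__":
    diffs = changed_entries(parse_dscp_map(SAMPLE_SHOW_QOS_TOS))
    print("remapped DSCP values:", diffs or "none (factory default)")
```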
Chapter 18 Configuring Traffic Policies
Table 106 lists the individual Dell PowerConnect switches and the traffic policy features they support.
TABLE 106 Supported traffic policy features
Feature                              PowerConnect B-Series FCX
Traffic policies                     Yes
ACL-based fixed rate limiting        Yes
ACL-based adaptive rate limiting     Yes
802.
Configuration notes and feature limitations
Note the following when configuring traffic policies:
• Traffic policies apply to IP ACLs only.
• The maximum number of supported active TPDs is a system-wide parameter and depends on the device you are configuring. The total number of active TPDs cannot exceed the system maximum. Refer to “Maximum number of traffic policies supported on a device” on page 612.
• By default, up to 1024 active traffic policies are supported on Layer 2 switches. This value is fixed on Layer 2 switches and cannot be modified.
• On PowerConnect B-Series FCX devices, up to 1024 active traffic policies are supported on Layer 3 switches. This is the default value as well as the maximum value.
You can configure ACL-based rate limiting on the following interface types:
• Physical Ethernet interfaces
• Virtual interfaces
• Trunk ports
• Specific VLAN members on a port (refer to “Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only)” on page 574)
• A subset of ports on a virtual interface (refer to “Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only)” on page 575)
Support for fixed ra
PowerConnect(config)#interface ethernet 5
PowerConnect(config-if-e5)#ip access-group 101 in
PowerConnect(config-if-e5)#exit
The previous commands configure a fixed rate limiting policy that allows port e5 to receive a maximum traffic rate of 100 kbps. If the port receives additional bits during a given one-second interval, the port drops the additional inbound packets that are received within that one-second interval.
TABLE 108 ACL based adaptive rate limiting parameters
Parameter                           Definition
Committed Information Rate (CIR)    The guaranteed kilobit rate of inbound traffic that is allowed on a port.
Committed Burst Size (CBS)          The number of bytes per second allowed in a burst before some packets will exceed the committed information rate. Larger bursts are more likely to exceed the rate limit. The CBS must be a value greater than zero (0).
Use the no form of the command to delete a traffic policy definition. Note that you cannot delete a traffic policy definition if it is currently in use on a port. To delete a traffic policy, first unbind the associated ACL.
The traffic-policy parameter is the name of the traffic policy definition. This value can be eight or fewer alphanumeric characters.
• Drop packets that exceed the limit.
• Permit packets that exceed the limit and forward them at the lowest priority level.
Dropping packets that exceed the limit
This section shows some example configurations and provides the CLI syntax for configuring a port to drop packets that exceed the configured limits for rate limiting. The following example shows a fixed rate limiting configuration.
Syntax: [no] traffic-policy rate-limit adaptive cir cbs pir pbs exceed-action permit-at-low-pri
ACL statistics and rate limit counting
ACL statistics, also called ACL counting, enables the Dell device to count the number of packets and the number of bytes per packet to which ACL filters are applied.
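To see what a fixed rate limit (the one-second bit budget described with the port e5 example above) or an adaptive cir/cbs/pir/pbs policy with either exceed-action will do to a burst before binding it to a port, the following added example models both against a constructed packet trace; it is not IronWare code. The guide does not state the adaptive marking algorithm, so the model assumes the standard two-rate three-colour marker (RFC 2698) and that green and yellow packets are forwarded while only red packets get the exceed-action; the green/yellow/red counters it keeps correspond to the conformance columns of show access-list accounting traffic-policy.

```python
"""Model of ACL-based fixed and adaptive rate limiting (added example,
not IronWare code).

fixed_rate_limit(): bits are counted per one-second interval and packets
that arrive after the interval's budget is spent are dropped.
TwoRateMeter: assumed RFC 2698 two-rate three-colour marker; a committed
bucket of cbs bytes refilled at cir kbit/s and a peak bucket of pbs bytes
refilled at pir kbit/s.  Green fits the committed bucket, yellow only the
peak bucket, red neither.  Red packets receive the exceed-action.
"""
from dataclasses import dataclass

# Constructed trace: (arrival time in seconds, packet size in bytes).
SAMPLE_TRACE = [(0.0, 1000)] * 5 + [(0.1, 1000)] * 3 + [(1.0, 500)]


def fixed_rate_limit(rate_kbps, trace):
    """Return 'forward' or 'drop' per packet for a fixed rate limit."""
    budget_bits = rate_kbps * 1000
    used = {}                               # bits accepted per one-second interval
    verdicts = []
    for t, size in trace:
        interval = int(t)
        bits = used.get(interval, 0) + size * 8
        if bits > budget_bits:
            verdicts.append("drop")         # excess within this second
        else:
            used[interval] = bits
            verdicts.append("forward")
    return verdicts


@dataclass
class AdaptivePolicy:
    cir_kbps: int
    cbs_bytes: int
    pir_kbps: int
    pbs_bytes: int
    exceed_action: str = "drop"             # or "permit-at-low-pri"

    def __post_init__(self):
        if self.cbs_bytes <= 0 or self.pbs_bytes <= 0:
            raise ValueError("cbs and pbs must be greater than zero")
        if self.pir_kbps < self.cir_kbps:
            raise ValueError("pir must not be lower than cir")
        if self.exceed_action not in ("drop", "permit-at-low-pri"):
            raise ValueError("unknown exceed-action")


class TwoRateMeter:
    """Assumed two-rate three-colour marker (see module docstring)."""

    def __init__(self, policy):
        self.p = policy
        self.tc = float(policy.cbs_bytes)   # committed bucket, starts full
        self.tp = float(policy.pbs_bytes)   # peak bucket, starts full
        self.last = 0.0
        self.counters = {"green": 0, "yellow": 0, "red": 0}

    def _refill(self, now):
        dt = now - self.last
        self.last = now
        self.tc = min(self.p.cbs_bytes, self.tc + dt * self.p.cir_kbps * 1000 / 8)
        self.tp = min(self.p.pbs_bytes, self.tp + dt * self.p.pir_kbps * 1000 / 8)

    def colour(self, now, size):
        self._refill(now)
        if size > self.tp:
            result = "red"                  # exceeds even the peak bucket
        elif size > self.tc:
            self.tp -= size
            result = "yellow"               # between cir and pir
        else:
            self.tp -= size
            self.tc -= size
            result = "green"                # within cir
        self.counters[result] += 1
        return result


def apply_adaptive_policy(policy, trace):
    """Return (per-packet verdicts, conformance counters) for the trace."""
    meter = TwoRateMeter(policy)
    verdicts = []
    for t, size in trace:
        if meter.colour(t, size) == "red":
            verdicts.append("drop" if policy.exceed_action == "drop"
                            else "forward-low-pri")
        else:
            verdicts.append("forward")
    return verdicts, dict(meter.counters)
```

With the constructed trace, a 50 kbps fixed limit drops the seventh and eighth packets of the first second, and the adaptive policy cir 100 / cbs 2000 / pir 200 / pbs 4000 yields 4 green, 3 yellow and 2 red packets.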
The software allows you to add a reference to a non-existent TPD in an ACL statement and to bind that ACL to an interface. The software does not issue a warning or error message for non-existent TPDs.
Use the no form of the command to delete a traffic policy definition. Note that you cannot delete a traffic policy definition if it is currently in use on a port. To delete a traffic policy, first unbind the associated ACL.
PowerConnect#show access-list accounting traffic-policy g_voip
Traffic Policy - g_voip:
General Counters:
Port Region#        Byte Count    Packet Count
---------------------------------------------------------
7 (4/1 - 4/12)      85367040      776064
All port regions    84367040      776064
Rate Limiting Counters:
Port Region#        Green Conformance   Yellow Conformance   Red Conformance
------------------  ------------------  ------------------   -----------------
7 (4/1 - 4/12)      329114195612139520 375339
or
Syntax: clear statistics traffic-policy
The is the name of the traffic policy definition for which you want to clear traffic policy counters.
Viewing traffic policies
To view traffic policies that are currently defined on the Dell device, enter the show traffic-policy command. The following example shows displayed output. Table 110 explains the output of the show traffic-policy command.
Chapter 19 Configuring Base Layer 3 and Enabling Routing Protocols
Table 111 lists the individual Dell PowerConnect switches and the base Layer 3 features they support.
TABLE 111 Supported base Layer 3 features
Feature                              PowerConnect B-Series FCX
Static IP routing                    Yes
Layer 3 system parameter limits      Yes
Static ARP entries                   Yes (up to 1,000)
RIP V1 and V2                        (Static RIP support only in the base layer 3 image.
or
Syntax: [no] ip route / [] [tag ]
The is the route destination. The is the network mask for the route destination IP address. Alternatively, you can specify the network mask information by entering a forward slash followed by the number of bits in the network mask. For example, you can enter 192.0.0.0 255.255.255.0 as 192.0.0.0/24. To configure a default route, enter 0.0.0.
Modifying and displaying layer 3 system parameter limits
This section shows how to view and configure some of the Layer 3 system parameter limits.
Configuration notes
• Changing the system parameters reconfigures the device memory. Whenever you reconfigure the memory on a Dell PowerConnect device, you must save the change to the startup-config file, then reload the software to place the change into effect.
PowerConnect#show default value
sys log buffers:50        mac age time:300 sec       telnet sessions:5
ip arp age:10 min         ip addr per intf:24        bootp relay max hops:4
ip ttl:64 hops            igmp group memb.:140 sec   igmp query:60 sec
ospf dead:40 sec          ospf transit delay:1 sec   ospf hello:10 sec
ospf retrans:5 sec
System Parameters     Default     Maximum     Current
ip-arp                4000        64000       4000
ip-static-arp         512         1024        512
some lines omitted for brevity....
• Route redistribution – You can enable the software to redistribute static routes from the IP route table into RIP. Redistribution is disabled by default.
• Learning of default routes – The default is disabled.
• Loop prevention (split horizon or poison reverse) – The default is poison reverse.
Enabling RIP
RIP is disabled by default. To enable it, use the following CLI method. You must enable the protocol both globally and on the ports on which you want to use RIP.
When you enable redistribution, all IP static routes are redistributed by default. If you want to deny certain routes from being redistributed into RIP, configure deny filters for those routes before you enable redistribution. You can configure up to 64 RIP redistribution filters. They are applied in ascending numerical order.
NOTE
The default redistribution action is still permit, even after you configure and apply redistribution filters to the port.
To enable RIP redistribution, enter the following command.
PowerConnect(config-rip-router)#redistribution
Syntax: [no] redistribution
Enabling learning of default routes
By default, the software does not learn RIP default routes. To enable learning of default RIP routes, enter commands such as the following.
• IGMP
• IP
• IP multicast (DVMRP, PIM-SM, PIM-DM)
• OSPF
• RIP V1 and V2
• VRRP
• VRRPE
• VSRP
IP routing is enabled by default on devices running Layer 3 code. All other protocols are disabled, so you must enable them to configure and use them. To enable a protocol on a device running full Layer 3 code, enter router at the global CONFIG level, followed by the protocol to be enabled. The following example shows how to enable OSPF.
Syntax: no route-only
To disable Layer 2 switching only on a specific interface, go to the Interface configuration level for that interface, then disable the feature. The following commands show how to disable Layer 2 switching on port 2.
PowerConnect(config)#interface ethernet 2
PowerConnect(config-if-e1000-2)#route-only
Syntax: route-only
To re-enable Layer 2 switching, enter the command with “no”, as in the following example.
Chapter 20 Configuring Port Mirroring and Monitoring
Table 112 lists the individual Dell PowerConnect switches and the mirroring features they support.
Configuration notes
Refer to the following rules when configuring port mirroring and monitoring:
• Port monitoring and sFlow support:
  • PowerConnect B-Series FCX devices support sFlow and port monitoring together on the same port.
• If you configure both ACL mirroring and ACL based rate limiting on the same port, then all packets that match are mirrored, including the packets that exceed the rate limit.
• For ingress ACL mirroring, the previous ingress rule also applies. The analyzer port setting command acl-mirror-port must be specified for each port, even though the hardware only supports one port per device. This applies whether the analyzer port is on the local device or on a remote device.
The both, in, and out parameters specify the traffic direction you want to monitor on the mirror port. There is no default.
To display the port monitoring configuration, enter the show monitor and show mirror commands.
Monitoring an individual trunk port
You can monitor the traffic on an individual port of a static trunk group, and on an individual port of an LACP trunk group.
Configuring mirroring on an IronStack
You can configure mirroring on a Dell IronStack. An IronStack consists of up to 8 PowerConnect B-Series FCX devices. The stack operates as a chassis. The following examples show how to configure mirroring for ports that are on different members of a stack, and for ports that are on the same stack member as the mirror port.
ACL-based inbound mirroring
This section describes ACL-based inbound mirroring for PowerConnect devices.
Creating an ACL-based inbound mirror clause for PowerConnect B-Series FCX devices
The following example shows how to configure an ACL-based inbound mirror clause.
1. Configure the mirror port.
PowerConnect(config)#mirror-port ethernet 1/1/2
2. Configure the ACL inbound mirror clause.
PowerConnect(config)#access-list 101 permit ip any any mirror
3.
1. Define a mirror port
To activate mirroring on a port, use the mirror command in the global configuration mode.
Example
PowerConnect(config)#mirror e 0/1/14
Configuration Notes
• If there is no input mirror port configured, MAC-Filter Based Mirroring does not take effect. It remains in the configuration, but is not activated.
• Port-Based Mirroring, VLAN Mirroring, and MAC-Filter-Based Mirroring can be enabled on a port at the same time.
PowerConnect(config)#mirror-port ethernet 1/1/21 input
PowerConnect(config)#vlan 10
PowerConnect(config-VLAN-10)#monitor ethernet 1/1/21
PowerConnect(config)#vlan 20
PowerConnect(config-VLAN-20)#monitor ethernet 1/1/21
PowerConnect(config-VLAN-20)#end
Syntax: [no] monitor ethernet
NOTE
For PowerConnect B-Series FCX devices, since it is possible to have multiple mirror ports, monitor ports must specify which mirror port they are monitoring.
Configuration notes
The following rules apply to VLAN-Based Mirroring configurations.
• A VLAN must have at least one port member configured before “monitor” can be configured.
• Multiple VLANs can have monitor enabled at the same time, and the maximum number of monitor-configured VLANs is 8.
• The mirror port is subject to the same scheduling and bandwidth management as the other ports in the system.
Chapter 21 Configuring Rate Limiting and Rate Shaping on PowerConnect B-Series FCX Switches
Table 114 lists the individual Dell PowerConnect switches and the rate limiting and rate shaping features they support.
Rate limiting in hardware
Each Dell PowerConnect device supports line-rate rate limiting in hardware. The device creates entries in Content Addressable Memory (CAM) for the rate limiting policies. The CAM entries enable the device to perform the rate limiting in hardware instead of sending the traffic to the CPU. The device sends the first packet in a given traffic flow to the CPU, which creates a CAM entry for the traffic flow.
Configuration notes
• Rate limiting is available only on inbound ports.
• The rate limit on IPv6 hardware takes several seconds to take effect at higher configured rate limit values. For example, if the configured rate limit is 750 Mbps, line-rate limiting could take up to 43 seconds to take effect.
Configuring a port-based rate limiting policy
To configure rate limiting on a port, enter commands such as the following.
PowerConnect#show rate-limit fixed
Total rate-limited interface count: 11.
• When outbound rate shaping is enabled on a port on an IPv4 device, the port QoS queuing method (qos mechanism) will be strict mode. This applies to IPv4 devices only. On IPv6 devices, the QoS mechanism is whatever method is configured on the port, even when outbound rate shaping is enabled.
• You can configure a rate shaper for a port and for the individual priority queues of that port.
The above commands configure an outbound rate shaper on port 1/14 and port 1/15.
• On PowerConnect B-Series FCX devices, the configured outbound rate shaper (651 Kbps) on port 1/15 is rounded to 616 Kbps. The configured 1300 Kbps limit on port 1/14 is rounded to 1232 Kbps.
Chapter 22 Configuring IP Multicast Traffic Reduction for PowerConnect B-Series FCX Switches
Table 116 lists the individual Dell PowerConnect switches and the IP multicast traffic reduction features they support.
An IGMP device is responsible for broadcasting general queries periodically, and for sending group queries when it receives a leave message, to confirm that none of the clients on the port still want specific traffic before removing the traffic from the port. IGMPv2 lets clients specify what group (destination address) will receive the traffic, but not the source of the traffic.
The value can be 4, 8, 16, or 32. Any other value is rounded down to the next lower supported value. For example, a value of 15 is changed to 8. The default hash chain length is 4. A chain length of more than 4 may affect line rate switching.
NOTE
For this command to take effect, you must save the configuration and reload the switch.
The hardware resource limit applies only to the VLANs where IGMP snooping is enabled.
The implementation allows snooping on some VLANs or all VLANs. Each VLAN can independently enable or disable IGMP, or configure V2 or V3. In general, global configuration commands ip multicast apply to every VLAN except those that have local multicast configurations (which supersede the global configuration). IGMP also allows independent configuration of individual ports in a VLAN for either IGMPv2 or IGMPv3.
VLAN specific configuration
You can configure IGMP snooping on some VLANs or on all VLANs. Each VLAN can be independently enabled or disabled for IGMP snooping, and can be configured for IGMPv2 or IGMPv3. In general, the ip multicast commands apply globally to all VLANs except those configured with VLAN-specific multicast commands. The VLAN-specific multicast commands supersede the global ip multicast commands.
FIGURE 114 PIM SM traffic reduction in an enterprise network
(Figure: the Layer 2 switch snoops for PIM SM join and prune messages, detects the source on port 1/1 and the receiver for the source group on port 5/1, and forwards multicast data from the source on 1/1 to the receiver via 5/1 only. Labels in the figure: Source for Groups 239.255.162.1 and 239.255.162.69; VLAN 2 Port 1/1; Layer 2 Switch; VLAN 2 Port 5/1; Router 10.10.10.5; VLAN 2 Port 7/1.)
Notice that the ports connected to the source and the receivers are all in the same port-based VLAN on the device. This is required for the PIM SM snooping feature. The devices on the edge of the Global Ethernet cloud are configured for IP multicast traffic reduction and PIM SM traffic snooping. Although this application uses multiple devices, the feature has the same requirements and works the same way as it does on a single device.
Configuring the hardware and software resource limits
The system supports up to 8K of hardware-switched multicast streams. The configurable range is from 256 through 8192 with a default of 512. Enter the following command to define the maximum number of IGMP snooping cache entries.
PowerConnect(config)# system-max igmp-snoop-mcache 8000
Syntax: [no] system-max igmp-snoop-mcache
The system supports up to 32K of groups.
Modifying the age interval
When the device receives a group membership report, it makes an entry for that group in the IGMP group table. The age interval specifies how long the entry can remain in the table before the device receives another group membership report. When multiple devices connect together, all devices must be configured for the same age interval, which must be at least twice the length of the query interval, so that missing one report won't stop traffic.
IGMPv2 membership reports of the same group from different clients are considered to be the same and are rate-limited. Use the following command to alleviate report storms from many clients answering the upstream router query.
PowerConnect(config)# ip multicast report-control
Syntax: [no] ip multicast report-control
The original command, ip igmp-report-control, has been renamed to ip multicast report-control.
Syntax: [no] ip pimsm-snooping
NOTE
The device must be in passive mode before it can be configured for PIM snooping.
Configuring the IGMP mode for a VLAN
You can configure a VLAN to use the active or passive IGMP mode. The default mode is passive.
Configuring the IGMP version for the VLAN
You can specify the IGMP version for a VLAN. For example, the following commands configure VLAN 20 to use IGMPv3.
PowerConnect(config)# vlan 20
PowerConnect(config-vlan-20)# multicast version 3
Syntax: [no] multicast version 2 | 3
If no IGMP version is specified, then the globally-configured IGMP version is used. If an IGMP version is specified for individual ports, those ports use that version, instead of the VLAN version.
Configuring static router ports
FastIron Stackable devices forward all multicast control and data packets to router ports which receive queries. Although router ports are learned, you can force multicast traffic to specified ports even though these ports never receive queries. To configure static router ports, enter the following commands.
Every group on a physical port keeps its own tracking record. However, it can only track group membership; it cannot track by (source, group). For example, Client A and Client B belong to group1 but each receives traffic streams from different sources. Client A receives a stream from (source_1, group1) and Client B receives a stream from (source_2, group1).
Displaying IGMP snooping information
This section describes the show commands for IGMP snooping.
Displaying IGMP errors
To display information about possible IGMP errors, enter the following commands.
PowerConnect# show ip multicast error
snoop SW processed pkt: 173, up-time 160 sec
Syntax: show ip multicast error
The following table describes the output from the show ip multicast error command.
PowerConnect# show ip multicast group 224.1.1.1 tracking
Display group 224.1.1.1 in all interfaces with tracking enabled.
p-:physical, ST:static, QR:querier, EX:exclude, IN:include, Y:yes, N:no
VL70 : 1 groups, 1 group-port, tracking_enabled
    group        p-port    ST   QR   life   mode   source
*** Note: has 1 static groups to the entire vlan, not displayed here
1   224.1.1.1    0/1/33    no   yes  100    EX     0
    receive reports from 1 clients: (age)
    (2.2.100.
Syntax: show ip multicast mcache
The following table describes the output of the show ip multicast mcache command.
Field              Description
(source group)     Source and group addresses of this data stream. (* group) means match group only; (source group) means match both.
cnt                The number of packets processed in software. Packets are switched in hardware, which increases this number slowly.
OIF                The output interfaces.
Syntax: show ip multicast resource
The following table describes the output from the show ip multicast resource command.
Field        Description
alloc        The allocated number of units.
in-use       The number of units which are currently being used.
avail        The number of available units.
get-fail     This displays the number of resource failures.
             NOTE: It is important to pay attention to this field.
limit        The upper limit of this expandable field.
Field        Description
GSQry        Number of group source-specific queries received or sent.
Mbr          The membership report.
MbrV2        The IGMPv2 membership report.
MbrV3        The IGMPv3 membership report.
IsIN         Number of source addresses that were included in the traffic.
IsEX         Number of source addresses that were excluded in the traffic.
ToIN         Number of times the interface mode changed from EXCLUDE to INCLUDE.
Field        Description
QR           Indicates that the port is a querier.
dft          The IGMP version for the specified VLAN. In this example, VL70: dft V2 indicates that the default IGMP version V2 is set for VLAN 70.
Displaying querier information
You can use the show ip multicast vlan command to display the querier information for a VLAN. This command displays the VLAN interface status and if there is any other querier present with the lowest IP address.
Passive interface with no other querier present
The following example shows the output in which the VLAN interface is passive and no other querier is present with the lowest IP address.
This interface is Querier default V2
  group: 226.6.6.6, life = 240
  group: 228.8.8.8, life = 240
  group: 230.0.0.0, life = 240
  group: 224.4.4.4, life = 240
2/1/24 has 2 groups, This interface is non-Querier
  Querier is 5.5.5.5 Age is 0 Max response time is 100 default V2
  **** Warning! has V3 (age=0) nbrs
  group: 234.4.4.4, life = 260
  group: 226.6.6.6, life = 260
3/1/1 has 4 groups, This interface is Querier default V2
  group: 238.8.8.8, life
  group: 228.8.8.
This interface is non-Querier (passive) default V2
  group: 226.6.6.6, life = 260
  group: 228.8.8.8, life = 260
  group: 230.0.0.0, life = 260
  group: 224.4.4.4, life = 260
2/1/24 has 2 groups, This interface is non-Querier (passive)
  Querier is 5.5.5.5 Age is 0 Max response time is 100 default V2
  **** Warning! has V3 (age=0) nbrs
  group: 234.4.4.4, life = 260
  group: 226.6.6.6, life = 260
3/1/1 has 4 groups, This interface is non-Querier (passive) default V2
  group: 238.8.
Clear mcache on a specific VLAN
To clear the mcache on a specific VLAN, enter the following command.
PowerConnect# clear ip multicast vlan 10 mcache
Syntax: clear ip multicast vlan mcache
The parameter specifies the specific VLAN in which to clear the mcache.
Clear traffic on a specific VLAN
To clear the traffic counters on a specific VLAN, enter the following command.
Chapter 23 Enabling the Foundry Discovery Protocol (FDP) and Reading Cisco Discovery Protocol (CDP) Packets
Table 117 lists individual Dell PowerConnect switches and the discovery protocols they support.
PowerConnect(config)# fdp run
Syntax: [no] fdp run
The feature is disabled by default.
Enabling FDP at the interface level
You can enable FDP at the interface level by entering commands such as the following.
PowerConnect(config)# int e 2/1
PowerConnect(config-if-2/1)# fdp enable
Syntax: [no] fdp enable
By default, the feature is enabled on an interface once FDP is enabled on the device.
To change the FDP hold time, enter a command such as the following at the global CONFIG level of the CLI.
PowerConnect(config)# fdp holdtime 360
Syntax: [no] fdp holdtime
The parameter specifies the number of seconds a Dell PowerConnect device that receives an FDP update can hold the update before discarding it. You can specify from 10 – 255 seconds. The default is 180 seconds.
TABLE 118 Summary FDP and CDP neighbor information (Continued)
This line...    Displays...
Capability      The role the neighbor is capable of playing in the network.
Platform        The product platform of the neighbor.
Port ID         The interface through which the neighbor sent the update.
To display detailed information, enter the following command.
PowerConnectA# show fdp neighbor detail
Device ID: PowerConnect B configured as default VLAN1, tag-type8100
Entry address(es):
  IP address: 192.168.0.
PowerConnectA# show fdp entry PowerConnect B
Device ID: PowerConnect B configured as default VLAN1, tag-type8100
Entry address(es):
Platform: PowerConnect Router, Capabilities: Router
Interface: Eth 2/9
Port ID (outgoing port): Eth 2/9 is TAGGED in following VLAN(s): 9 10 11
Holdtime : 176 seconds
Version :
Foundry, Inc. Router, IronWare Version 07.6.
The same commands clear information for both FDP and CDP.
Clearing FDP and CDP neighbor information
To clear the information received in FDP and CDP updates from neighboring devices, enter the following command.
PowerConnect# clear fdp table
Syntax: clear fdp table
NOTE
This command clears all the updates for FDP and CDP.
Clearing FDP and CDP statistics
To clear FDP and CDP statistics, enter the following command.
Enabling interception of CDP packets on an interface
You can disable and enable CDP at the interface level. You can enter commands such as the following.
PowerConnect(config)# int e 2/1
PowerConnect(config-if-2/1)# cdp enable
Syntax: [no] cdp enable
By default, the feature is enabled on an interface once CDP is enabled on the device.
PowerConnect# show fdp neighbors ethernet 1/1
Device ID: Router
Entry address(es):
  IP address: 207.95.6.143
Platform: cisco RSP4, Capabilities: Router
Interface: Eth 1/1, Port ID (outgoing port): FastEthernet5/0/0
Holdtime : 127 seconds
Version :
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-JSV-M), Version 12.0(5)T1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Reading CDP packets 23 PowerConnect# show fdp traffic CDP counters: Total packets output: 0, Input: 3 Hdr syntax: 0, Chksum error: 0, Encaps failed: 0 No memory: 0, Invalid packet: 0, Fragmented: 0 Syntax: show fdp traffic Clearing CDP information You can clear the following CDP information: • Cisco Neighbor information • CDP statistics To clear the Cisco neighbor information, enter the following command.
Chapter 24 Configuring LLDP and LLDP-MED

Table 120 lists the individual Dell PowerConnect switches and the Link Layer Discovery Protocol (LLDP) features they support.
The information generated by LLDP and LLDP-MED can be used to diagnose and troubleshoot misconfigurations on both sides of a link. For example, the information generated can be used to discover devices with misconfigured or unreachable IP addresses, and to detect port speed and duplex mismatches. LLDP and LLDP-MED facilitate interoperability across multiple vendor devices. Dell PowerConnect devices running LLDP can interoperate with third-party devices running LLDP.

FIGURE 115 LLDP connectivity (diagram: a switch exchanging port and device information with IP phones, a PC, a PBX and neighboring switches; each device announces what it is, for example "I'm a switch", "I'm an IP Phone", "I'm a PBX")

Benefits of LLDP
LLDP provides the following benefits:
• Network Management:
• Simplifies the use of and enhances the ability of network manag
• Accurate topologies simplify troubleshooting within enterprise networks
• Can discover devices with misconfigured or unreachable IP addresses

LLDP-MED overview
LLDP-MED is an extension to LLDP. This protocol enables advanced LLDP features in a Voice over IP (VoIP) network.
• Automatically deploys network policies, such as Layer 2 and Layer 3 QoS policies and Voice VLANs.
• Supports E-911 Emergency Call Services (ECS) for IP telephony
• Collects Endpoint inventory information
• Network troubleshooting
• Helps to detect improper network policy configuration

LLDP-MED class
An LLDP-MED class specifies an Endpoint type and its capabilities.
• Receive LLDP information only

Transmit mode
An LLDP agent sends LLDP packets to adjacent LLDP-enabled devices. The LLDP packets contain information about the transmitting device and port. An LLDP agent initiates the transmission of LLDP packets whenever the transmit countdown timing counter expires, or whenever LLDP information has changed. When a transmit cycle is initiated, the LLDP manager extracts the MIB objects and formats this information into TLVs.

TLV support
This section lists the LLDP and LLDP-MED TLV support.

LLDP TLVs
There are two types of LLDP TLVs, as specified in the IEEE 802.3AB standard:
• Basic management TLVs consist of both optional general system information TLVs as well as mandatory TLVs. Mandatory TLVs cannot be manually configured. They are always the first three TLVs in the LLDPDU, and are part of the packet header.

• Location identification
• Extended power-via-MDI

Mandatory TLVs
When an LLDP agent transmits LLDP packets to other agents in the same 802 LAN segments, the following mandatory TLVs are always included:
• Chassis ID
• Port ID
• Time to Live (TTL)
This section describes the above TLVs in detail.

Chassis ID
The Chassis ID identifies the device that sent the LLDP packets. There are several ways in which a device may be identified.

TABLE 122 Port ID subtypes
ID subtype   Description
0            Reserved
1            Interface alias
2            Port component
3            MAC address
4            Network address
5            Interface name
6            Agent circuit ID
7            Locally assigned
8 – 255      Reserved

Dell PowerConnect devices use port ID subtype 3, the permanent MAC address associated with the port. Other third party devices may use a port ID subtype other than 3.
FIGURE 119 TTL TLV packet format
TLV Type = 3 (7 bits) | TLV Information String Length = 2 (9 bits) | Time to Live (TTL) (2 octets)

MIB support
Dell PowerConnect devices support the following standard MIB modules:
• LLDP-MIB
• LLDP-EXT-DOT1-MIB
• LLDP-EXT-DOT3-MIB
• LLDP-EXT-MED-MIB

Syslog messages
Syslog messages for LLDP provide management applications with information related to MIB data consistency and general status.
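The TLV layout described above (7-bit type, 9-bit length, the three mandatory TLVs first, port ID subtype 3 for a MAC address) is enough to write a receiver-side decoder that checks an LLDPDU before trusting it. The following is an added example, not code from the guide or the PowerConnect software; chassis ID subtype 4 and the System Name TLV type 5 are taken from IEEE 802.1AB, and the sample PDU and its MAC addresses are constructed.

```python
"""Decode the mandatory LLDP TLVs (Chassis ID, Port ID, TTL) from an LLDPDU.
Added example, not code from the guide: the 7-bit type / 9-bit length header and
the Port ID subtypes (Table 122) are the guide's; chassis ID subtype 4 (MAC address)
and the System Name TLV (type 5) are from IEEE 802.1AB."""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5
CHASSIS_SUBTYPE_MAC = 4   # IEEE 802.1AB chassis ID subtype, not from the guide
PORT_SUBTYPE_MAC = 3      # Table 122: the subtype Dell PowerConnect devices use
PORT_ID_SUBTYPES = {      # Table 122
    0: "Reserved", 1: "Interface alias", 2: "Port component", 3: "MAC address",
    4: "Network address", 5: "Interface name", 6: "Agent circuit ID", 7: "Locally assigned",
}


def build_tlv(tlv_type, value):
    """Encode one TLV: 16-bit header = (7-bit type << 9) | 9-bit length, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu):
    """Yield (type, value) pairs; refuse headers or values that run past the PDU."""
    off = 0
    while off < len(pdu):
        if off + 2 > len(pdu):
            raise ValueError("truncated TLV header at offset %d" % off)
        (header,) = struct.unpack_from("!H", pdu, off)
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(pdu):
            raise ValueError("TLV type %d claims %d bytes past end of PDU" % (tlv_type, length))
        yield tlv_type, pdu[off:off + length]
        off += length
        if tlv_type == TLV_END:   # End of LLDPDU TLV: anything after it is ignored
            return


def decode_id(value, mac_subtype):
    """Split a Chassis ID or Port ID value into (subtype, printable ID)."""
    if not value:
        raise ValueError("empty ID TLV")
    subtype, ident = value[0], value[1:]
    if subtype == mac_subtype:
        if len(ident) != 6:
            raise ValueError("MAC address ID must be 6 octets, got %d" % len(ident))
        return subtype, ":".join("%02x" % b for b in ident)
    return subtype, ident.decode("ascii") if ident.isascii() else ident.hex()


def parse_lldpdu(pdu):
    """Return the mandatory fields; reject a PDU whose first three TLVs are not
    Chassis ID, Port ID, TTL in that order, as the guide says they must be."""
    tlvs = list(iter_tlvs(pdu))
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    chassis_subtype, chassis = decode_id(tlvs[0][1], CHASSIS_SUBTYPE_MAC)
    port_subtype, port = decode_id(tlvs[1][1], PORT_SUBTYPE_MAC)
    if len(tlvs[2][1]) != 2:
        raise ValueError("TTL TLV must be exactly 2 octets")
    (ttl,) = struct.unpack("!H", tlvs[2][1])
    optional = {t: v for t, v in tlvs[3:] if t != TLV_END}
    return {
        "chassis_id": chassis, "chassis_id_subtype": chassis_subtype,
        "port_id": port, "port_id_subtype": port_subtype,
        "port_id_subtype_name": PORT_ID_SUBTYPES.get(port_subtype, "Reserved"),
        "ttl": ttl,
        "system_name": optional.get(TLV_SYSTEM_NAME, b"").decode("ascii", "replace"),
    }


# Constructed sample LLDPDU (not captured from a device): the MAC addresses are made
# up; TTL 40 = transmit interval 10 s x hold multiplier 4, the defaults in the
# guide's show lldp output.
SAMPLE_LLDPDU = (
    build_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("001122334455"))
    + build_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_MAC]) + bytes.fromhex("0011223344a1"))
    + build_tlv(TLV_TTL, struct.pack("!H", 40))
    + build_tlv(TLV_SYSTEM_NAME, b"PowerConnectA")
    + build_tlv(TLV_END, b"")
)

if __name__ == "__main__":
    print(parse_lldpdu(SAMPLE_LLDPDU))
    try:                                     # cutting a TLV short must be rejected
        parse_lldpdu(SAMPLE_LLDPDU[:-6])
    except ValueError as err:
        print("rejected:", err)
```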
TABLE 123 LLDP global configuration tasks and default behavior / value (Continued)
Global task                                Default behavior / value when LLDP is enabled
Enabling and disabling TLV advertisements  When LLDP transmit is enabled, by default, the Dell PowerConnect device will automatically advertise LLDP capabilities, except for the system description, VLAN name, and power-via-MDI information, which may be configured by the system administrator.

Enabling support for tagged LLDP packets
By default, Dell PowerConnect devices do not accept tagged LLDP packets from other vendors' devices. To enable support, apply the command lldp tagged-packets process at the Global CONFIG level of the CLI.

NOTE
When a port is configured to both receive and transmit LLDP packets and the MED capabilities TLV is enabled, LLDP-MED is enabled as well. LLDP-MED is not enabled if the operating mode is set to receive only or transmit only.

Enabling and disabling receive only mode
When LLDP is enabled on a global basis, by default, each port on the Dell PowerConnect device will be capable of transmitting and receiving LLDP packets.

PowerConnect(config)#no lldp enable receive ports e 2/7 e 2/8
PowerConnect(config)#lldp enable transmit ports e 2/7 e 2/8

The above commands change the LLDP operating mode on ports 2/7 and 2/8 from receive only mode to transmit only mode. Any incoming LLDP packets will be dropped in software. Note that if you do not disable receive only mode, you will configure the port to both receive and transmit LLDP packets.

PowerConnect(config)#lldp max-neighbors-per-port 6

Syntax: [no] lldp max-neighbors-per-port

Use the [no] form of the command to remove the static configuration and revert to the default value of four.
where is a number from 1 to 64. The default number of LLDP neighbors per port is four.
Use the show lldp command to view the configuration.

Syntax: [no] lldp snmp-notification-interval

where is a value between 5 and 3600. The default is 5 seconds.

Changing the minimum time between LLDP transmissions
The LLDP transmit delay timer limits the number of LLDP frames an LLDP agent can send within a specified time frame. When you enable LLDP, the system automatically sets the LLDP transmit delay timer to two seconds.

Changing the holdtime multiplier for transmit TTL
The holdtime multiplier for transmit TTL is used to compute the actual time-to-live (TTL) value used in an LLDP frame. The TTL value is the length of time the receiving device should maintain the information in its MIB. When you enable LLDP, the device automatically sets the holdtime multiplier for TTL to four. If desired, you can change the default behavior from four to a value between two and ten.

• System name
802.1 capabilities:
• VLAN name (not automatically advertised)
• Untagged VLAN ID
802.3 capabilities:
• Link aggregation information
• MAC/PHY configuration and status
• Maximum frame size
• Power-via-MDI information (not automatically advertised)
The above TLVs are described in detail in the following sections.

NOTE
The system description, VLAN name, and power-via-MDI information TLVs are not automatically enabled.

• Other interface
For IPv6 addresses, link-local and anycast addresses will be excluded from these searches. If no IP address is configured on any of the above, the port's current MAC address will be advertised.
To advertise an IPv4 management address, enter a command such as the following:

PowerConnect(config)#lldp advertise management-address ipv4 209.157.2.

You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.

System description
The system description is the network entity, which can include information such as the product name or model number, the version of the system hardware type, the software operating system level, and the networking software version. The information corresponds to the sysDescr MIB object in MIB-II. To advertise the system description, enter a command such as the following.

You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually. Note that using the keyword all may cause undesirable effects on some ports.

Syntax: [no] lldp advertise port-vlan-id ports ethernet | all

For , specify the ports in one of the following formats:
• PowerConnect B-Series FCX stackable switches – You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.

MAC/PHY configuration status
The MAC/PHY configuration and status TLV includes the following information:
• Auto-negotiation capability and status
• Speed and duplex mode
• Flow control capabilities for auto-negotiation
• Port speed down-shift and maximum port speed advertisement
• If applicable, indicates if the above settings are the result of auto-negotiation during link initiation or of a manual set override action
The advertisement reflects the effects of the following CLI comm

The maximum frame size advertisement will appear similar to the following on the remote device, and in the CLI display output on the Dell PowerConnect device (show lldp local-info).

NOTE
LLDP-MED is not enabled on ports where the LLDP operating mode is receive only or transmit only. LLDP-MED is enabled on ports that are configured to both receive and transmit LLDP packets and have the LLDP-MED capabilities TLV enabled.

Enabling SNMP notifications and syslog messages for LLDP-MED topology changes
SNMP notifications and Syslog messages for LLDP-MED provide management applications with information related to topology changes.

NOTE
The LLDP-MED fast start mechanism is only intended to run on links between Network Connectivity devices and Endpoint devices. It does not apply to links between LAN infrastructure elements, including between Network Connectivity devices, or to other types of links.

To change the LLDP-MED fast start repeat count, enter commands such as the following.

latitude is the angular distance north or south from the earth equator measured through 90 degrees. Positive numbers indicate a location north of the equator and negative numbers indicate a location south of the equator.
resolution specifies the precision of the value given for latitude. A smaller value increases the area within which the device is located. For latitude, enter a number between 1 and 34.
• Latitude is 41.87884 degrees north (or 41.87884 degrees).
• Longitude is 87.63602 degrees west (or 87.63602 degrees).
• The latitude and longitude resolution of 18 describes a geo-location area that is latitude 41.8769531 to latitude 41.8789062 and extends from -87.6367188 to -87.6347657 degrees longitude. This is an area of approximately 373412 square feet (713.3 ft. x 523.5 ft.).
• The location is inside a structure, on the 103rd floor.
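The area in the worked example follows directly from the resolution: only the leading resolution bits of the coordinate are significant, so every location sharing those bits is advertised as the same value. The code below reproduces the example's degree ranges and is an added example, not code from the guide; it assumes the RFC 3825 fixed-point layout that LLDP-MED uses for latitude and longitude (34 bits, two's complement, 9 integer and 25 fraction bits), and the feet-per-degree figure is an approximation chosen here.

```python
"""Work out the geographic area an LLDP-MED coordinate advertisement covers.
Added example, not code from the guide. It assumes the RFC 3825 fixed-point layout
(34-bit two's complement, 9 integer bits, 25 fraction bits) and treats "resolution"
as the number of high-order bits that are significant."""
import math

TOTAL_BITS = 34
FRACTION_BITS = 25
FEET_PER_DEGREE_LAT = 364320.0   # approximation (69 statute miles); not from the guide


def encode_coordinate(degrees, resolution):
    """Return the 34-bit field value with the bits beyond `resolution` cleared."""
    if not 1 <= resolution <= TOTAL_BITS:
        raise ValueError("resolution must be between 1 and 34")
    fixed = math.floor(degrees * (1 << FRACTION_BITS))     # signed fixed-point value
    drop = TOTAL_BITS - resolution
    fixed = (fixed >> drop) << drop                         # arithmetic shift floors negatives too
    return fixed & ((1 << TOTAL_BITS) - 1)                  # two's complement on the wire


def coordinate_range(degrees, resolution):
    """Return (low, high) in degrees: every value in that span encodes identically."""
    field = encode_coordinate(degrees, resolution)
    if field & (1 << (TOTAL_BITS - 1)):                     # sign bit set: negative value
        field -= 1 << TOTAL_BITS
    scale = float(1 << FRACTION_BITS)
    step = 1 << (TOTAL_BITS - resolution)                   # size of one dropped-bits unit
    return field / scale, (field + step) / scale


def area_feet(latitude, longitude, resolution):
    """Approximate extent (north-south ft, east-west ft) of the advertised area."""
    lat_lo, lat_hi = coordinate_range(latitude, resolution)
    lon_lo, lon_hi = coordinate_range(longitude, resolution)
    ns = (lat_hi - lat_lo) * FEET_PER_DEGREE_LAT
    ew = (lon_hi - lon_lo) * FEET_PER_DEGREE_LAT * math.cos(math.radians(latitude))
    return ns, ew


if __name__ == "__main__":
    # The guide's worked example: 41.87884 N, 87.63602 W; compare resolution 18 and 20.
    for res in (18, 20):
        print(res, coordinate_range(41.87884, res), coordinate_range(-87.63602, res),
              area_feet(41.87884, -87.63602, res))
```

Raising the resolution from 18 to 20 bits shrinks each side of the area by a factor of four, which is the "smaller value increases the area" rule above seen from the other direction.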
• KR – Korea
• US – United States
is a value from 0 – 255, that describes the civic address element. For example, a CA type of 24 specifies a postal or zip code. Valid elements and their types are listed in Table 125.
is the actual value of the elem , above. For example, 95123 for the postal or zip code. Acceptable values are listed in Table 125, below.

TABLE 125 Elements used with civic address (Continued)
Civic Address (CA) type   Description                Acceptable values / examples
6                         Street                     Examples: Canada – Street; Germany – Street; Japan – Block; Korea – Street; United States – Street
16                        Leading street direction   N (north), E (east), S (south), W (west), NE, NW, SE, SW
17                        Trailing street suffix     N (north), E (east), S (south), W (west), NE, NW, SE, SW
18                        Street suffix              Acceptable values for the United States are listed in the Uni

TABLE 125 Elements used with civic address (Continued)
Civic Address (CA) type   Description                  Acceptable values / examples
30                        Postal community name        When the postal community name is defined, the civic community name (typically CA type 3) is replaced by this value. Example: Alviso
31                        Post office box (P.O. box)   When a P.O. box is defined, the street address components (CA types 6, 16, 17, 18, 19, and 20) are replaced with this value. Example: P.O.

When you configure a media Endpoint location using the emergency call services location, you specify the Emergency Location Identification Number (ELIN) from the North America Numbering Plan format, supplied to the Public Safety Answering Point (PSAP) for ECS purposes. To configure an ECS-based location for LLDP-MED, enter a command such as the following at the Global CONFIG level of the CLI.

NOTE
Endpoints will advertise a policy as "unknown" in the show lldp neighbor detail command output, if it is a policy that is required by the Endpoint and the Endpoint has not yet received it.

Configuration syntax
The CLI syntax for defining an LLDP-MED network policy differs for tagged, untagged, and priority tagged traffic. Refer to the appropriate syntax, below.

• voice – For use by dedicated IP telephony handsets and similar devices that support interactive voice services.
• voice-signaling – For use in network topologies that require a different policy for voice signaling than for voice media. Note that this application type should not be advertised if all the same network policies apply as those advertised in the voice policy TLV.

• The device type (Network Connectivity device or Endpoint (Class 1, 2, or 3))
By default, LLDP-MED information is automatically advertised when LLDP-MED is enabled. To disable this advertisement, enter a command such as the following.

PowerConnect(config)#no lldp advertise med-capabilities ports e 2/4 to 2/12

NOTE
Disabling the LLDP-MED capabilities TLV disables LLDP-MED.

PowerConnect#show lldp
LLDP transmit interval           : 10 seconds
LLDP transmit hold multiplier    : 4 (transmit TTL: 40 seconds)
LLDP transmit delay              : 1 seconds
LLDP SNMP notification interval  : 5 seconds
LLDP reinitialize delay          : 1 seconds
LLDP-MED fast start repeat count : 3
LLDP maximum neighbors           : 392
LLDP maximum neighbors per port  : 4

Syntax: show lldp

The following table describes the information displayed by the show lldp statistics com

PowerConnect#show lldp statistics
Last neighbor change time: 23 hours 50 minutes 40 seconds ago
Neighbor entries added          : 14
Neighbor entries deleted        : 5
Neighbor entries aged out       : 4
Neighbor advertisements dropped : 0

Port  Tx Pkts Total  Rx Pkts Total  Rx Pkts w/Errors  Rx Pkts Discarded  Rx TLVs Unreco
1     60963          75179
2     0              0
3     60963          60963
4     60963          121925
5     0              0
6     0              0
7     0              0
8     0              0
9     0              0
10    60974          0
11    0              0
12    0              0
13    0              0
14    0              0

This field...        Displays...
Rx Pkts w/Errors     The number of LLDP packets the port received that have one or more detectable errors.
Rx Pkts Discarded    The number of LLDP packets the port received then discarded.
Rx TLVs Unrecognz    The number of TLVs the port received that were not recognized by the LLDP local agent.

LLDP neighbors detail
The show lldp neighbors detail command displays the LLDP advertisements received from LLDP neighbors. The following shows an example show lldp neighbors detail report.

NOTE
The show lldp neighbors detail output will vary depending on the data received. Also, values that are not recognized or do not have a recognizable format, may be displayed in hexadecimal binary form.

This field...   Displays...
Neighbor        The source MAC address from which the packet was received, and the remaining TTL for the neighbor entry.

Syntax: show lldp neighbors detail [ports ethernet | all]

If you do not specify any ports or use the keyword all, by default, the report will show the LLDP neighbor details for all ports.

  Application Type      : Video Conferencing
  Policy Flags          : Known Policy, Tagged
  VLAN ID               : 100
  L2 Priority           : 5
  DSCP Value            : 10
+ MED Location ID
  Data Format: Coordinate-based location
  Latitude Resolution   : 20 bits
  Latitude Value        : -78.303 degrees
  Longitude Resolution  : 18 bits
  Longitude Value       : 34.27 degrees
  Altitude Resolution   : 16 bits
  Altitude Value        : 50.

• PowerConnect B-Series FCX stackable switches – You can list all of the ports individually, use the keyword to to specify ranges of ports, or a combination of both. To apply the configuration to all ports on the device, use the keyword all instead of listing the ports individually.

Resetting LLDP statistics
To reset LLDP statistics, enter the clear lldp statistics command at the Global CONFIG level of the CLI.
Chapter 25 Configuring IP Multicast Protocols

Table 126 lists the individual Dell PowerConnect switches and the IP multicast features they support. These features are supported in the full Layer 3 software image only.
IPv4 multicast group addresses
In IPv4 Multicast, host groups are identified by Class D addresses, i.e., those with "1110" as their higher-order four bits. In Internet standard "dotted decimal" notation, these group addresses range from 224.0.0.0 to 239.255.255.255. However, the IANA IPv4 Multicast Address Registry (referencing RFC 3171) stipulates that the range 224.0.0.0 through 224.0.0.255 should not be used for regular multicasting applications.

Suppression of unregistered multicast packets
By default, unregistered multicast packets are always forwarded in hardware but not copied to the CPU. However, if Layer 2 multicast (IGMP or MLD) is enabled, then unregistered multicast packets are forwarded in hardware and also copied to the CPU.

Multicast terms
The following are commonly used terms in discussing multicast-capable routers.

NOTE
The number of interface groups you can configure for DVMRP and PIM is unlimited; therefore, the system-max dvmrp-max-int-group and the system-max pim-max-int-group commands that define their maximum table sizes have been removed. The software allocates memory globally for each group, and also allocates memory separately for each interface IGMP membership in a multicast group.

NOTE
You do not need to reload the software for these changes to take effect.

Defining the maximum number of DVMRP cache entries
The DVMRP cache system parameter defines the maximum number of repeated DVMRP traffic being sent from the same source address and being received by the same destination address. To define this maximum, enter a command such as the following.

NOTE
You must enter the ip multicast-routing command before changing the global IP Multicast parameters. Otherwise, the changes do not take effect and the software uses the default values.

Modifying IGMP (V1 and V2) query interval period
The IGMP query interval period defines how often a router will query an interface for group membership. To modify the default value for the IGMP (V1 and V2) query interval, enter the following.

When you manually add an interface to a multicast group, the Dell PowerConnect device forwards multicast packets for the group but does not itself accept packets for the group. You can manually add a multicast group to individual ports only. If the port is a member of a virtual routing interface, you must add the ports to the group individually. To manually add a port to a multicast group, enter a command such as the following at the configuration level for the port.

Initiating PIM multicasts on a network
Once PIM is enabled on each router, a network user can begin a video conference multicast from the server on R1 as shown in Figure 120. When a multicast packet is received on a PIM-capable router interface, the interface checks its IP routing table to determine whether the interface that received the message provides the shortest path back to the source.

FIGURE 120 Transmission of multicast packets from the source to host group members (diagram: a video conferencing server, the source 207.95.5.1, sends to group 229.225.0.1 through routers R1 to R6; some routers are leaf or intermediate nodes with no group members)

FIGURE 121 Pruning leaf nodes from a multicast tree (diagram: the same topology as Figure 120; a leaf node with no group members sends a Prune message to its upstream router, R4)

• PIM DM V2 – sends messages to the multicast address 224.0.0.13 (ALL-PIM-ROUTERS) with protocol number 103
The CLI commands for configuring and managing PIM DM are the same for V1 and V2. The only difference is the command you use to enable the protocol on an interface.

NOTE
Version 2 is the default PIM DM version. The only difference between version 1 and version 2 is the way the protocol sends messages. The change is not apparent in most configurations.

• Entering a no router pim command removes all configuration for PIM multicast on a Layer 3 Switch (router pim level) only.

Globally Enabling and Disabling PIM without Deleting Multicast Configuration
As stated above, entering a no router pim command deletes the PIM configuration. If you want to disable PIM without deleting any PIM configuration, enter the following command.

To apply a PIM neighbor timeout value of 360 seconds to all ports on the router operating with PIM, enter the following.

PowerConnect(config)#router pim
PowerConnect(config-pim-router)#nbr-timeout 360

Syntax: nbr-timeout <60-8000>

The default is 180 seconds.

Modifying hello timer
This parameter defines the interval at which periodic hellos are sent out PIM interfaces. Routers use hello messages to inform neighboring routers of their presence. The default rate is 60 seconds.

where

Total number of IP routes: 19
B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
      Destination   NetMask          Gateway        Port
..
9     172.17.41.4   255.255.255.252  *137.80.127.3  v11
      172.17.41.4   255.255.255.252  137.80.126.3   v10
      172.17.41.4   255.255.255.252  137.80.129.1   v13
      172.17.41.4   255.255.255.252  137.80.128.3   v12
10    172.17.41.8   255.255.255.252  0.0.0.

Configuration notes
• If the TTL for an interface is greater than 1, PIM packets received on the interface are always forwarded in software because each packet TTL must be examined. Therefore, Dell does not recommend modifying the TTL under normal operating conditions.
• Multicast packets with a TTL value of 1 are switched within the same VLAN. These packets cannot be routed between different VLANs.

Configuration syntax
To configure a TTL of 24, enter the following.

FIGURE 122 Example of a PIM Sparse domain (diagram: PIM Sparse Switches A, B and C connected by Port2/1 207.95.8.10, Port2/2 207.95.7.1, Port3/8 207.95.8.1, Port3/8 207.95.7.2, VE 1 207.95.6.2 and VE 1 207.95.6.1, showing the Rendezvous Point (RP) path and the Shortest Path Tree (SPT) path from the source 209.157.24.162 for Group 239.255.162.; callout: "This interface is also the Bootstrap Router (BR) for this PIM Sparse domain, and the Rendezvous Point (RP) for the PIM Sparse groups in this domain.")

To enhance overall network performance, Layer 3 Switches use the RP to forward only the first packet from a group source to the group receivers. After the first packet, the Layer 3 Switch calculates the shortest path between the receiver and source (the Shortest Path Tree, or SPT) and uses the SPT for subsequent packets from the source to the receiver. The Layer 3 Switch calculates a separate SPT for each source-receiver pair.

NOTE
Dell recommends that you configure the same Layer 3 Switch as both the BSR and the RP.

Limitations
The implementation of PIM Sparse in the current software release has the following limitations:
• PIM Border Routers (PMBRs) are not supported. Thus, you cannot configure a Dell routing interface as a PMBR interface for PIM Sparse.
• PIM Sparse and regular PIM (dense mode) cannot be used on the same interface.

Configuring PIM interface parameters
After you enable IP multicast routing and PIM Sparse at the global level, you must enable it on the individual interfaces connected to the PIM Sparse network. To do so, use the following CLI method. To enable PIM Sparse mode on an interface, enter commands such as the following.

PowerConnect(config)#interface ethernet 2/2
PowerConnect(config-if-2/2)#ip address 207.95.7.1 255.255.255.

• Enter ve for a virtual interface.
• Enter loopback for a loopback interface.
The parameter specifies the number of bits in a group address that are significant when calculating the group-to-RP mapping. You can specify a value from 1 – 32.

NOTE
Dell recommends you specify 30 for IP version 4 (IPv4) networks.

The specifies the BSR priority. You can specify a value from 0 – 255.

Updating PIM-Sparse forwarding entries with new RP configuration
If you make changes to your static RP configuration, the entries in the PIM-Sparse multicast forwarding table continue to use the old RP configuration until they are aged out. The clear pim rp-map command allows you to update the entries in the static multicast forwarding table immediately after making RP configuration changes. This command is meant to be used with the rp-address command.

By default, the device switches from the RP to the SPT after receiving the first packet for a given PIM Sparse group. The Layer 3 Switch maintains a separate counter for each PIM Sparse source-group pair. After the Layer 3 Switch receives a packet for a given source-group pair, the Layer 3 Switch starts a PIM data timer for that source-group pair.

Displaying PIM Sparse configuration information and statistics
You can display the following PIM Sparse information:
• Basic PIM Sparse configuration information
• Group information
• BSR information
• Candidate RP information
• RP-to-group mappings
• RP information for a PIM Sparse group
• RP set list
• PIM Neighbor information
• The PIM flow cache
• The PIM multicast cache
• PIM traffic statistics

Displaying basic PIM Sparse configuration information
To display basic configuration infor

TABLE 127 Output of show ip pim sparse (Continued)
This field...            Displays...
Neighbor timeout         How many seconds the Layer 3 Switch will wait for a hello message from a neighbor before determining that the neighbor is no longer present and removing cached PIM Sparse forwarding entries for the neighbor.
Bootstrap Msg interval   How frequently the BSR configured on the Layer 3 Switch sends the RP set to the RPs within the PIM Sparse domain.

PowerConnect#show ip pim group
Total number of Groups: 2
Index   Group           Ports
1       239.255.162.1   e3/11

Syntax: show ip pim group

This display shows the following information.

TABLE 128 Output of show ip pim group
This field...            Displays...
Total number of Groups   Lists the total number of IP multicast groups the Layer 3 Switch is forwarding.
                         NOTE: This list can include groups that are not PIM Sparse groups.

TABLE 129 Output of show ip pim bsr
This field...                       Displays...
BSR address or local BSR address   The IP address of the interface configured as the PIM Sparse Bootstrap Router (BSR).
                                    NOTE: If the word "local" does not appear in the field, this Layer 3 Switch is the BSR. If the word "local" does appear, this Layer 3 Switch is not the BSR.
Uptime                              The amount of time the BSR has been running.
                                    NOTE: This field appears only if this Layer 3 Switch is the BSR.

PowerConnect#show ip pim resource
                       alloc   in-use
NBR list               64      0
timer                  256     0
pimsm J/P elem         0       0
pimsm group2rp         0       0
pimsm L2 reg xmt       64      0
mcache                 256     0
mcache hash link       997     0
mcache 2nd hash        9       0
graft if no mcache     197     0
pim/dvm global group   256     0
pim/dvmrp prune        128     0
Output intf-vlan       2000    0
group hash link        97      0
2D vlan for nbr, glb   2000    0
Output intf.           1024    0
2D for glb grp         1024    0
pim/dvm config.

NOTE
When the product of the number of active PIM interfaces multiplied by the number of multicast streams exceeds the total number of MLL, the CLI displays the message, "MLL pool out of memory".

NOTE
The total number of MLL available changes according to the hardware configuration.

Displaying candidate RP information
To display candidate RP information, enter the following command at any CLI level.

1   239.255.163.1   99.99.99.5
2   239.255.163.2   99.99.99.5
3   239.255.163.3   99.99.99.5
4   239.255.162.1   99.99.99.5
5   239.255.162.2   43.43.43.1
6   239.255.162.3   99.99.99.5

Syntax: show ip pim rp-map

This display shows the following information.

TABLE 132 Output of show ip pim rp-map
This field...   Displays...
Group address   Indicates the PIM Sparse multicast group address using the listed RP.
RP address      Indicates the IP address of the Rendezvous Point (RP) for the listed PIM Sparse group.

This display shows the following information.

TABLE 134 Output of show ip pim rp-set
This field...              Displays...
Number of group prefixes   The number of PIM Sparse group prefixes for which the RP is responsible.
Group prefix               Indicates the multicast groups for which the RP listed by the previous field is a candidate RP.
RPs expected/received      Indicates how many RPs were expected and received in the latest Bootstrap message.
RP                         Indicates the RP number.

TABLE 135 Output of show ip pim nbr (Continued)
This field...   Displays...
Age sec         The number of seconds since the Layer 3 Switch received the last hello message from the neighbor.
UpTime sec      The number of seconds the PIM neighbor has been up. This timer starts when the Layer 3 Switch receives the first Hello messages from the neighbor.

TABLE 136 Output of show ip pim flowcache (Continued)
This field...   Displays...
Fid             This field is used for troubleshooting.
Flags           This field is used for troubleshooting.

Displaying the PIM multicast cache
To display the PIM multicast cache, enter the following command at any CLI level.

PowerConnect#show ip pim mcache
1    (*,239.255.162.1) RP207.95.7.1 forward port v1, Count 2
     member ports ethe 3/3
     virtual ports v2
     prune ports
     virtual prune ports
2    (209.157.24.162,239.255.162.

TABLE 137 Output of show ip pim mcache (Continued)
This field...   Displays...
RPT             Indicates whether the cache entry uses the RP path or the SPT path. The RPT flag can have one of the following values:
                • 0 – The SPT path is used instead of the RP path.
                • 1 – The RP path is used instead of the SPT path.
                NOTE: The values of the RP and SPT flags are always opposite (one is set to 0 and the other is set to 1).
SPT             Indicates whether the cache entry uses the RP path or the SPT path.

Displaying PIM traffic statistics
To display PIM traffic statistics, use the following CLI method.

Syntax: show ip pim error

This command displays the number of warnings and non-zero PIM errors on the device. This count can increase during transition periods such as reboots and topology changes; however, if the device is stable, the number of errors should not increase. If warnings keep increasing in a stable topology, then there may be a configuration error or problems on the device. To clear the counter for PIM errors, enter the following command.

Passive multicast route insertion
Passive Multicast Route Insertion (PMRI) enables a Layer 3 switch running PIM Sparse to create an entry for a multicast route (e.g., (S,G)), with no directly attached clients or when connected to another PIM router (transit network). PMRI is critical for Service Providers wanting to deliver IP-TV services or multicast-based video services.

PowerConnect(config)#int e1
PowerConnect(config-if-1)#ip tunnel 192.3.45.6

NOTE
The IP tunnel address represents the configured IP tunnel address of the destination router. In the case of Router A, its destination router is Router B. Router A is the destination router of Router B.

For router B, enter the following.

PowerConnect (config-if-1)#ip tunnel 192.58.4.

PowerConnect(config)#router pim
PowerConnect(config-pim-router)#bsr-candidate ve 43 32 100
PowerConnect(config-pim-router)#rp-candidate ve 43
PowerConnect(config-pim-router)#rp-address 99.99.99.5 5

To configure an RP for multicast groups using the override switch, enter commands such as the following.

PowerConnect(config)#access-list 44 permit 239.255.162.0 0.0.0.255
PowerConnect(config)#router pim
PowerConnect(config-pim-router)#rp-address 43.43.43.
PowerConnect#show ip pim rp-map
Number of group-to-RP mappings: 6
     Group address      RP address
-------------------------------
1    239.255.163.1      43.43.43.1
2    239.255.163.2      43.43.43.1
3    239.255.163.3      43.43.43.1
4    239.255.162.1      99.99.99.5
5    239.255.162.2      99.99.99.5
6    239.255.162.3      99.99.99.5
The display shows the multicast group addresses covered by the RP candidate and the IP address of the RP for the listed multicast group.
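A group that is unexpectedly mapped to a different RP than the one your access list intended (because of a misconfigured group-list, or because another candidate RP on the network is advertising that range) silently redirects the group's traffic, so the rp-map output is worth checking against the intended policy rather than only reading it. The following Python script is an added example and is not part of the guide or of the device software: it implements standard-ACL wildcard-mask matching for access-list lines of the form shown above, parses the numbered rows of show ip pim rp-map, and reports every group whose RP differs from what the ACL policy says it should be. The configuration text, the policy list, the show output, and the one deliberately wrong row in it are constructed for the example.

```python
import ipaddress
import re

# Constructed sample configuration and "show ip pim rp-map" output; neither was captured
# from a device. Intended policy: groups permitted by access-list 44 use RP 43.43.43.1,
# every other group uses the static RP 99.99.99.5. Group 239.255.162.2 is deliberately
# listed with the wrong RP so that the check has something to report.
SAMPLE_CONFIG = """\
access-list 44 permit 239.255.163.0 0.0.0.255
router pim
 rp-address 43.43.43.1 44
 rp-address 99.99.99.5
"""
POLICIES = [("43.43.43.1", 44)]   # (RP, ACL number), evaluated in order
DEFAULT_RP = "99.99.99.5"
SAMPLE_RP_MAP = """\
Number of group-to-RP mappings: 6
Group address            RP address
-------------------------------
1    239.255.163.1       43.43.43.1
2    239.255.163.2       43.43.43.1
3    239.255.163.3       43.43.43.1
4    239.255.162.1       99.99.99.5
5    239.255.162.2       43.43.43.1
6    239.255.162.3       99.99.99.5
"""

_ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)", re.M)
_ROW_RE = re.compile(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)


def wildcard_match(addr, base, wildcard):
    """Standard ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_standard_acl(config_text):
    """Return {acl_number: [(action, base, wildcard), ...]} in configured order."""
    acls = {}
    for num, action, base, wild in _ACL_RE.findall(config_text):
        acls.setdefault(int(num), []).append((action, base, wild))
    return acls


def acl_permits(entries, addr):
    """First matching entry wins; an address matching nothing is implicitly denied."""
    for action, base, wild in entries:
        if wildcard_match(addr, base, wild):
            return action == "permit"
    return False


def parse_rp_map(show_output):
    """Return {group: rp} from the numbered rows of 'show ip pim rp-map'."""
    return {group: rp for group, rp in _ROW_RE.findall(show_output)}


def expected_rp(group, acls, policies, default_rp):
    """First RP whose group-list ACL permits the group, else the default RP."""
    for rp, acl_num in policies:
        if acl_permits(acls.get(acl_num, []), group):
            return rp
    return default_rp


def find_rp_mismatches(show_output, config_text, policies, default_rp):
    """Return {group: (expected_rp, actual_rp)} for every group mapped to an unexpected RP."""
    acls = parse_standard_acl(config_text)
    mismatches = {}
    for group, actual in parse_rp_map(show_output).items():
        want = expected_rp(group, acls, policies, default_rp)
        if want != actual:
            mismatches[group] = (want, actual)
    return mismatches


if __name__ == "__main__":
    report = find_rp_mismatches(SAMPLE_RP_MAP, SAMPLE_CONFIG, POLICIES, DEFAULT_RP)
    for group, (want, got) in report.items():
        print(f"{group}: expected RP {want}, device reports {got}")
```

Run against real output by pasting the show command text into SAMPLE_RP_MAP and the relevant access-list lines into SAMPLE_CONFIG; the check is deliberately strict about the numbered-row format and ignores any other line, so header changes between software releases do not produce false mismatches.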
Disabling CPU processing for select multicast groups 25 PowerConnect(config)#router pim PowerConnect(config-pim-router)#bsr-candidate loopback 1 32 100 PowerConnect(config-pim-router)#rp-candidate loopback 1 group-list 5 Syntax: [no] rp-candidate ethernet [/] | loopback | ve [group-list ] The parameter is required on chassis devices. The | loopback | ve parameter specifies the interface.
25 Disabling CPU processing for select multicast groups TABLE 139 Reserved multicast addresses (Continued) Multicast address Reserved for... 224.0.0.9 RIP V2 224.0.0.13 PIM V2 224.0.0.18 VRRP 224.0.0.22 IGMP V3 reports CLI command syntax To disable CPU processing for selective multicast groups, enter commands such as the following. PowerConnect# config t PowerConnect(config)# vlan 5 PowerConnect(config-vlan-5)# disable multicast-to-cpu 224.0.0.
Displaying the multicast configuration for another multicast router
The Dell implementation of Mrinfo is based on the DVMRP Internet draft by T. Pusateri, but applies to PIM and not to DVMRP. To display the PIM configuration of another PIM router, enter a command such as the following.
PowerConnect#mrinfo 207.95.8.1
207.95.8.1 -> 207.95.8.10 [PIM/0 /1] 207.
IGMP V3
The Internet Group Management Protocol (IGMP) allows an IPv4 interface to communicate IP Multicast group membership information to its neighboring routers. The routers in turn limit the multicast of IP packets with multicast destination addresses to only those interfaces on the router that are identified as IP Multicast group members. This release introduces the support of IGMP version 3 (IGMP V3) on Layer 3 Switches.
IGMP V3 25 Default IGMP version IGMP V3 is available on Dell PowerConnect devices; however, the devices are shipped with IGMP V2 enabled. You must enable IGMP V3 globally or per interface. Also, you must specify what version of IGMP you want to run on a device globally, on each interface (physical port or virtual routing interface), and on each physical port within a virtual routing interface. If you do not specify an IGMP version, IGMP V2 will be used.
To specify the IGMP version for a virtual routing interface on a physical port, enter a command such as the following.
PowerConnect(config)#interface ve 3
PowerConnect(config-vif-3)#ip igmp version 3
Syntax: [no] ip igmp version
Enter 1, 2, or 3 for the version. Version 2 is the default version.
IGMP V3 25 For example, two clients (Client A and Client B) belong to group1 but each is receiving traffic streams from different sources. Client A receives a stream from (source_1, group1) and Client B receives it from (source_2, group1). The router still waits for three seconds before it stops the traffic because the two clients are in the same group. If the clients are in different groups, then the three second waiting period is not applied and traffic is stopped immediately.
25 IGMP V3 PowerConnect(config)#ip igmp max-response-time 8 Syntax: [no] ip igmp max-response-time The parameter specifies the IGMP maximum response time in number of seconds. Enter a value from 1 through 10. The default is 10. IGMP V3 and source specific multicast protocols Enabling IGMP V3 enables source specific multicast (SSM) filtering for DVMRP and PIM Dense (PIM-DM) for multicast group addresses in the 224.0.1.0 through 239.255.255.255 address range.
PowerConnect#show ip igmp group
Interface v18 : 1 groups
     group          phy-port  static  querier  life  mode     #_src
1    239.0.0.1      e4/20     no      yes            include  19
Interface v110 : 3 groups
     group          phy-port  static  querier  life  mode     #_src
2    239.0.0.1      e4/5      no      yes            include  10
3    239.0.0.1      e4/6      no      yes      100   exclude  13
4    224.1.10.1     e4/5      no      yes            include  1
To display the status of one IGMP multicast group, enter a command such as the following.
PowerConnect#show ip igmp group 239.0.0.1 detail
Display group 239.0.0.
25 IGMP V3 TABLE 140 Output of show ip igmp group (Continued) This field Displays Static A “yes” entry in this column indicates that the multicast group was configured as a static group; “No” means it was not. Static multicast groups can be configured in IGMP V2 using the ip igmp static command. In IGMP V3, static sources cannot be configured in static groups. Querier “Yes” means that the port is a querier port; “No” means it is not.
IGMP V3 25 Enter ve and its or ethernet and its to display information for a specific virtual routing interface or ethernet interface. Entering an address for displays information for a specified group on the specified interface. The report shows the following information. TABLE 141 Output of show ip igmp interface This field Displays Query interval Displays how often a querier sends a general query on the interface.
25 IGMP Proxy TABLE 142 Output of show ip igmp traffic (Continued) This field Displays MbrV2 The IGMP V2 membership report. MbrV3 The IGMP V3 membership report. Leave Number of IGMP V2 “leave” messages on the interface. (See ToEx for IGMP V3.) IsIN Number of source addresses that were included in the traffic. IsEX Number of source addresses that were excluded in the traffic. ToIN Number of times the interface mode changed from exclude to include.
IP multicast protocols and IGMP snooping on the same device 25 • IGMP Proxy is only supported in a PIM Dense environment where there are IGMP clients connected to the Dell PowerConnect device. The Dell PowerConnect device will not send IGMP reports on an IGMP proxy interface for remote clients connected to a PIM neighbor, as it will not be aware of groups that the remote clients are interested in. Configuring IGMP Proxy Follow the steps given below to configure IGMP Proxy. 1.
25 IP multicast protocols and IGMP snooping on the same device If there are two sources for a single group, where one source sends traffic into a VLAN with IGMP snooping enabled, while the other source sends traffic to a PIM enabled Layer 3 interface, a client for the group in the same VLAN as the first source will only receive traffic from that source. It will not receive traffic from the second source connected to the Layer 3 interface.
FIGURE 125 Example 2: IGMP Snooping and PIM Forwarding Both Sources for Group 230.1.1.1
[Figure: Server 10.10.10.100 in VLAN 10 and Server 20.20.20.1 in VLAN 20 (with VE 20) attach to the device (DUT); client 10.10.10.1 for 230.1.1.1 is in VLAN 10; the device connects over 30.30.30.x/24 to a router that serves client 40.40.40.1 for 230.1.1.1 on 40.40.40.x/24.]
CLI commands
The following are the CLI commands for the configuration example shown in Figure 124 and Figure 125.
1.
25 IP multicast protocols and IGMP snooping on the same device PowerConnect(config-vif-20)#exit PowerConnect(config)#interface e 13 PowerConnect(config-if-e1000-13)#ip address 30.30.30.10/24 PowerConnect(config-if-e1000-13)#ip pim 3. Configure the neighboring device. PowerConnect(config)#ip route 20.20.20.0 255.255.255.0 30.30.30.10 PowerConnect(config)#router pim PowerConnect(config-pim-router)#exit PowerConnect(config)#interface ethernet 3 PowerConnect(config-if-e1000-3)#ip address 30.30.30.
Chapter 26 Configuring IP Table 143 lists the individual Dell PowerConnect switches and the IP features they support.
26 Basic configuration NOTE The terms Layer 3 Switch and router are used interchangeably in this chapter and mean the same. Basic configuration IP is enabled by default. Basic configuration consists of adding IP addresses for Layer 3 Switches, enabling a route exchange protocol, such as the Routing Information Protocol (RIP).
Overview 26 IP interfaces NOTE This section describes IPv4 addresses. For information about IPv6 addresses on all other PowerConnect devices, refer to “IPv6 addressing” on page 198. Layer 3 Switches and Layer 2 Switches allow you to configure IP addresses. On Layer 3 Switches, IP addresses are associated with individual interfaces. On Layer 2 Switches, a single IP address serves as the management access address for the entire device.
[Figure 126: IP packet flow through the Layer 3 Switch. Incoming port, then PBR or IP access policy check, session table and forwarding cache lookups, then the IP route table (populated by RIP, OSPF, BGP4 and static routes; lowest administrative distance, lowest metric, multiple equal-cost paths selected by the load balancing algorithm), then the ARP cache and static ARP table, then the outgoing port.]
Figure 126 shows the following packet flow:
1. When the Layer 3 Switch receives an IP packet, the Layer 3 Switch checks for filters on the receiving interface.
Overview 26 4. If the IP forwarding cache does not have an entry for the packet, the Layer 3 Switch checks the IP route table for a route to the packet destination. If the IP route table has a route, the Layer 3 Switch makes an entry in the session table or the forwarding cache, and sends the route to a queue on the outgoing ports: • If the running-config contains an IP access policy for the packet, the software makes an entry in the session table.
The software places an entry from the static ARP table into the ARP cache when the entry interface comes up. Here is an example of a static ARP entry.
Index   IP Address     MAC Address      Port
1       207.95.6.111   0800.093b.d210   1/1
Each entry lists the information you specified when you created the entry.
Destination   NetMask       Gateway    Port   Cost   Type
1.1.0.0       255.255.0.0   99.1.1.2   1/1    2      R
Each IP route table entry contains the destination IP address and subnet mask and the IP address of the next-hop router interface to the destination. Each entry also indicates the port attached to the destination or the next-hop to the destination, the route IP metric (cost), and the type.
26 Overview NOTE You cannot add static entries to the IP forwarding cache, although you can increase the number of entries the cache can contain. Refer to the section “Displaying and modifying system parameter default settings” on page 321. Layer 4 session table The Layer 4 session provides a fast path for forwarding packets. A session is an entry that contains complete Layer 3 and Layer 4 information for a flow of traffic. Layer 3 information includes the source and destination IP addresses.
Basic IP parameters and defaults – Layer 3 Switches 26 NOTE Layer 2 Switches support IGMP and can forward IP multicast packets. Refer to Chapter 22, “Configuring IP Multicast Traffic Reduction for PowerConnect B-Series FCX Switches”. IP interface redundancy protocols You can configure a Layer 3 Switch to back up an IP interface configured on another Layer 3 Switch. If the link for the backed up interface becomes unavailable, the other Layer 3 Switch can continue service for the interface.
• Multicast protocols:
  - Internet Group Management Protocol (IGMP) – refer to "Changing global IP multicast parameters" on page 729
  - Protocol Independent Multicast Dense (PIM-DM) – refer to "PIM Dense" on page 733
  - Protocol Independent Multicast Sparse (PIM-SM) – refer to "PIM Sparse" on page 742
• Router redundancy protocols:
  - Virtual Router Redundancy Protocol Extended (VRRPE) – refer to Chapter 31, "Configuring VRRP and VRRPE"
  - Virtual Route
Basic IP parameters and defaults – Layer 3 Switches TABLE 144 26 IP global parameters – Layer 3 Switches Parameter Description Default See page... IP state The Internet Protocol, version 4 Enabled n/a NOTE: You cannot disable IP. page 869 IP address and mask notation Format for displaying an IP address and its network mask information. You can enable one of the following: • Class-based format; example: 192.168.1.1 255.255.255.0 • Classless Interdomain Routing (CIDR) format; example: 192.168.1.
26 Basic IP parameters and defaults – Layer 3 Switches TABLE 144 IP global parameters – Layer 3 Switches (Continued) Parameter Description Default See page... Time to Live (TTL) The maximum number of routers (hops) through which a packet can pass before being discarded. Each router decreases a packet TTL by 1 before forwarding the packet. If decreasing the TTL causes the TTL to be 0, the router drops the packet instead of forwarding it.
Basic IP parameters and defaults – Layer 3 Switches TABLE 144 26 IP global parameters – Layer 3 Switches (Continued) Parameter Description Default See page... Static RARP entries An IP address you place in the RARP table for RARP requests from hosts. No entries page 836 NOTE: You must enter the RARP entries manually. The Layer 3 Switch does not have a mechanism for learning or dynamically generating RARP entries.
26 Basic IP parameters and defaults – Layer 3 Switches IP interface parameters – Layer 3 Switches Table 145 lists the interface-level IP parameters for Layer 3 Switches. TABLE 145 IP interface parameters – Layer 3 Switches Parameter Description Default See page... IP state The Internet Protocol, version 4 Enabled n/a NOTE: You cannot disable IP.
Basic IP parameters and defaults – Layer 2 Switches TABLE 145 26 IP interface parameters – Layer 3 Switches (Continued) Parameter Description Default See page... DHCP Server All PowerConnect devices can be configured to function as DHCP servers. Disabled page 841 UDP broadcast forwarding The router can forward UDP broadcast packets for UDP applications such as BootP. By forwarding the UDP broadcasts, the router enables clients on one subnet to find servers attached to other subnets.
26 Basic IP parameters and defaults – Layer 2 Switches TABLE 146 IP global parameters – Layer 2 Switches Parameter Description Default See page... IP address and mask notation Format for displaying an IP address and its network mask information. You can enable one of the following: • Class-based format; example: 192.168.1.1 255.255.255.0 • Classless Interdomain Routing (CIDR) format; example: 192.168.1.
Configuring IP parameters – Layer 3 Switches TABLE 146 26 IP global parameters – Layer 2 Switches (Continued) Parameter Description Default See page... DHCP gateway stamp The device can assist DHCP/BootP Discovery packets from one subnet to reach DHCP/BootP servers on a different subnet by placing the IP address of the router interface that forwards the packet in the packet Gateway field. You can specify up to 32 gateway lists. A gateway list contains up to eight gateway IP addresses.
26 Configuring IP parameters – Layer 3 Switches • Virtual routing interface (also called a Virtual Ethernet or “VE”) • Loopback interface By default, you can configure up to 24 IP addresses on each interface. You can increase this amount to up to 128 IP subnet addresses per port by increasing the size of the ip-subnet-port table. Refer to the section “Displaying and modifying system parameter default settings” on page 321.
Configuring IP parameters – Layer 3 Switches 26 NOTE The ospf-passive option disables adjacency formation but does not disable advertisement of the interface into OSPF. To disable advertisement in addition to disabling adjacency formation, you must use the ospf-ignore option. Use the secondary parameter if you have already configured an IP address within the same subnet on the interface.
26 Configuring IP parameters – Layer 3 Switches Assigning an IP address to a virtual interface A virtual interface is a logical port associated with a Layer 3 Virtual LAN (VLAN) configured on a Layer 3 Switch. You can configure routing parameters on the virtual interface to enable the Layer 3 Switch to route protocol traffic from one Layer 3 VLAN to the other, without using an external router.1 You can configure IP routing interface parameters on a virtual interface.
Configuring IP parameters – Layer 3 Switches 26 Configuration limitations and feature limitations • When configuring IP Follow, the primary virtual routing interface should not have ACL or DoS Protection configured. It is recommended that you create a dummy virtual routing interface as the primary and use the IP-follow virtual routing interface for the network. • Global Policy Based Routing is not supported when IP Follow is configured. • IPv6 is not supported with ip-follow.
For example, if the domain "ds.company.com" is defined on a Layer 2 Switch or Layer 3 Switch and you want to initiate a ping to "mary", you need to reference only the host name instead of the host name and its domain name. For example, you could enter the following command to initiate the ping.
U:> ping mary
The Layer 2 Switch or Layer 3 Switch qualifies the host name by appending the domain name, giving mary.ds.company.com in this example.
Configuring IP parameters – Layer 3 Switches 26 Defining DNS server addresses You can configure the Dell PowerConnect device to recognize up to four DNS servers. The first entry serves as the primary default address. If a query to the primary address fails to be resolved after three attempts, the next DNS address is queried (also up to three times). This process continues for each defined DNS address until the query is resolved.
NOTE
In the previous example, 209.157.22.199 is the IP address of the domain name server (default DNS gateway address), and 209.157.22.80 represents the IP address of the NYC02 host.
Configuring packet parameters
You can configure the following packet parameters on Layer 3 Switches. These parameters control how the Layer 3 Switch sends IP packets to other devices on an Ethernet network.
Configuring IP parameters – Layer 3 Switches 26 Changing the Maximum Transmission Unit (MTU) The Maximum Transmission Unit (MTU) is the maximum length of IP packet that a Layer 2 packet can contain. IP packets that are longer than the MTU are fragmented and sent in multiple Layer 2 packets. You can change the MTU globally or on individual ports. The default MTU is 1500 bytes for Ethernet II packets and 1492 for Ethernet SNAP packets.
You can increase the MTU size to accommodate jumbo packet sizes up to 10,232 bytes in an IronStack. Devices that are not part of an IronStack support up to 10,240 bytes. To globally enable jumbo support on all ports of a PowerConnect device, enter commands such as the following.
Configuring IP parameters – Layer 3 Switches 26 Path MTU discovery (RFC 1191) support When the Dell PowerConnect device receives an IP packet that has its Do not Fragment (DF) bit set, and the packet size is greater than the MTU value of the outbound interface, then the Dell PowerConnect device returns an ICMP Destination Unreachable message to the source of the packet, with the Code indicating "fragmentation needed and DF set".
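The forwarding decision described above (fragment when DF is clear, drop and return "fragmentation needed" when DF is set) is what Path MTU Discovery relies on, and a filter that drops those ICMP messages is the usual cause of black-holed large packets. The following Python model is an added example and is not device code: it implements the router side of that decision, including the 8-byte fragment-offset granularity, and the sender side of RFC 1191, which resends with the MTU reported in each ICMP message until a DF packet gets through. The per-hop MTU list is a constructed path, and the guard that refuses an ICMP message whose next-hop MTU would not shrink the packet is the check you want against a reply that would otherwise loop the sender forever.

```python
from dataclasses import dataclass

IPV4_HEADER_LEN = 20          # no IP options assumed


@dataclass
class IPv4Packet:
    length: int               # total length in bytes, header included
    df: bool                  # Don't Fragment bit
    ident: int = 0            # Identification field, copied into every fragment


def fragment(pkt, mtu):
    """Split the payload into fragments that fit the MTU. Every fragment except the
    last carries a payload that is a multiple of 8 bytes, because the fragment
    offset field counts 8-byte units."""
    payload = pkt.length - IPV4_HEADER_LEN
    chunk = (mtu - IPV4_HEADER_LEN) // 8 * 8
    frags, offset = [], 0
    while offset < payload:
        size = min(chunk, payload - offset)
        more = offset + size < payload
        frags.append({"id": pkt.ident, "offset": offset // 8, "payload": size, "mf": more})
        offset += size
    return frags


def forward_or_fragment(pkt, egress_mtu):
    """What a router does with a packet larger than the outbound MTU: fragment it,
    or, if DF is set, drop it and return the RFC 1191 ICMP message (Destination
    Unreachable, code 4 'fragmentation needed and DF set', carrying the next-hop MTU)."""
    if pkt.length <= egress_mtu:
        return "forward", [pkt]
    if pkt.df:
        return "icmp", {"type": 3, "code": 4, "next_hop_mtu": egress_mtu}
    return "fragment", fragment(pkt, egress_mtu)


def discover_path_mtu(initial_size, hop_mtus):
    """Sender side of PMTUD over a constructed, hypothetical path given as a list of
    per-hop egress MTUs: send DF packets and shrink on each 'fragmentation needed'
    reply. Returns (path_mtu, number_of_icmp_messages_received)."""
    size, icmps = initial_size, 0
    while True:
        pkt = IPv4Packet(length=size, df=True)
        blocked = None
        for mtu in hop_mtus:
            action, info = forward_or_fragment(pkt, mtu)
            if action == "icmp":
                blocked = info
                break
        if blocked is None:
            return size, icmps
        if blocked["next_hop_mtu"] >= size:
            raise ValueError("ICMP next-hop MTU does not shrink the packet; refusing to loop")
        icmps += 1
        size = blocked["next_hop_mtu"]


if __name__ == "__main__":
    print(forward_or_fragment(IPv4Packet(3000, df=True), 1500))
    print(forward_or_fragment(IPv4Packet(3000, df=False, ident=7), 1500))
    print(discover_path_mtu(1500, [1500, 1400, 1280]))
```

A 3000-byte packet without DF leaving a 1500-byte interface becomes three fragments (offsets 0, 185 and 370 in 8-byte units); the same packet with DF set is dropped and produces the ICMP message, and a sender that starts at 1500 bytes on a 1500/1400/1280 path settles on 1280 after two such messages.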
26 Configuring IP parameters – Layer 3 Switches NOTE You can specify an IP address used for an interface on the Layer 3 Switch, but do not specify an IP address in use by another device. Configuring ARP parameters Address Resolution Protocol (ARP) is a standard IP protocol that enables an IP Layer 3 Switch to obtain the MAC address of another device interface when the Layer 3 Switch knows the IP address of the interface. ARP is enabled by default and cannot be disabled.
Configuring IP parameters – Layer 3 Switches 26 • If the ARP cache does not contain an entry for the destination IP address, the Layer 3 Switch broadcasts an ARP request out all its IP interfaces. The ARP request contains the IP address of the destination. If the device with the IP address is directly attached to the Layer 3 Switch, the device sends an ARP response containing its MAC address. The response is a unicast packet addressed directly to the Layer 3 Switch.
NOTE
If you want to change a previously configured ARP rate limiting policy, you must remove the previously configured policy using the no rate-limit-arp command before entering the new policy.
Changing the ARP aging period
When the Layer 3 Switch places an entry in the ARP cache, the Layer 3 Switch also starts an aging timer for the entry. The aging timer ensures that the ARP cache does not retain learned entries that are no longer valid.
Configuring IP parameters – Layer 3 Switches 26 Proxy ARP is disabled by default on Layer 3 Switches. This feature is not supported on Layer 2 Switches. You can enable proxy ARP at the Interface level, as well as at the Global CONFIG level, of the CLI. NOTE Configuring proxy ARP at the Interface level overrides the global configuration. Enabling proxy ARP globally To enable IP proxy ARP on a global basis, enter the following command.
26 Configuring IP parameters – Layer 3 Switches PowerConnect(config)# interface ethernet 4 PowerConnect(config-if-e1000-4)# ip local-proxy-arp Syntax: [no] ip local-proxy-arp Use the no form of the command to disable Local Proxy ARP. Creating static ARP entries Layer 3 Switches have a static ARP table, in addition to the regular ARP cache. The static ARP table contains entries that you configure.
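The three ARP controls described above (rate limiting of ARP traffic, the aging timer on learned entries, and a static ARP table that learned entries do not replace) are the ones that matter against ARP floods and gateway spoofing. The following Python model is an added example, not device code, and shows how they interact: a static entry pins the gateway's MAC so a spoofed reply for that IP is ignored, learned entries expire after the aging period, and a per-port sliding-window limiter drops a burst of ARP requests above the configured rate. The limiter is a hypothetical model of what a rate-limit-arp policy does, not the device's algorithm, the aging period is a parameter rather than an assumed default, and the frames are constructed for the example.

```python
from collections import deque


class ArpCache:
    """ARP cache with a static table that learned entries can never overwrite, and
    an aging timer on every learned entry (age_seconds is a parameter here)."""

    def __init__(self, age_seconds):
        self.age = age_seconds
        self.static = {}     # ip -> mac, configured by the operator
        self.dynamic = {}    # ip -> (mac, learned_at)

    def add_static(self, ip, mac):
        self.static[ip] = mac
        self.dynamic.pop(ip, None)

    def learn(self, ip, mac, now):
        """Learn from an ARP reply. Returns False (changing nothing) for an IP pinned
        by a static entry, which is what defeats a spoofed reply for the gateway."""
        if ip in self.static:
            return False
        self.dynamic[ip] = (mac, now)
        return True

    def lookup(self, ip, now):
        if ip in self.static:
            return self.static[ip]
        entry = self.dynamic.get(ip)
        if entry is None:
            return None
        mac, learned_at = entry
        if now - learned_at >= self.age:
            del self.dynamic[ip]       # aged out: the next packet triggers a fresh ARP request
            return None
        return mac


class ArpRateLimiter:
    """Sliding one-second window of accepted ARP packets per interface. This is a
    hypothetical model of a per-port ARP rate limit, not the device's algorithm."""

    def __init__(self, per_second):
        self.limit = per_second
        self.windows = {}

    def accept(self, iface, now):
        q = self.windows.setdefault(iface, deque())
        while q and now - q[0] >= 1.0:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def process_arp(cache, limiter, frames):
    """frames: iterable of (time, iface, op, sender_ip, sender_mac). Returns counters."""
    stats = {"learned": 0, "rate_limited": 0, "static_protected": 0}
    for now, iface, op, ip, mac in frames:
        if not limiter.accept(iface, now):
            stats["rate_limited"] += 1
            continue
        if op == "reply":
            if cache.learn(ip, mac, now):
                stats["learned"] += 1
            else:
                stats["static_protected"] += 1
    return stats


# Constructed traffic: one legitimate reply, one spoofed reply claiming the pinned
# gateway address, then a burst of 12 requests within one second on port e2.
CONSTRUCTED_FRAMES = [
    (0.0, "e1", "reply", "10.0.0.1", "0000.0000.0001"),
    (0.5, "e1", "reply", "10.0.0.254", "dead.beef.0001"),
] + [(1.0 + i * 0.01, "e2", "request", "10.0.0.9", "0000.0000.0009") for i in range(12)]


def demo(age_seconds=600, limit=10):
    cache = ArpCache(age_seconds)
    cache.add_static("10.0.0.254", "0000.0000.00fe")   # pin the default gateway
    limiter = ArpRateLimiter(limit)
    stats = process_arp(cache, limiter, CONSTRUCTED_FRAMES)
    stats["gateway_mac"] = cache.lookup("10.0.0.254", 2.0)
    stats["host_before_aging"] = cache.lookup("10.0.0.1", 2.0)
    stats["host_after_aging"] = cache.lookup("10.0.0.1", 2.0 + age_seconds)
    return stats


if __name__ == "__main__":
    print(demo())
```

With a limit of 10 per second the last two requests of the burst are dropped, the spoofed gateway reply is counted but never installed, and the learned host entry is gone once the aging period has elapsed.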
Configuring IP parameters – Layer 3 Switches 26 To increase the maximum number of static ARP table entries you can configure on a Layer 3 Switch, enter commands such as the following at the global CONFIG level of the CLI.
26 Configuring IP parameters – Layer 3 Switches NOTE A less common type, the all-subnets broadcast, goes to all directly-attached subnets. Forwarding for this broadcast type also is supported, but most networks use IP multicasting instead of all-subnet broadcasting. Forwarding for all types of IP directed broadcasts is disabled by default. You can enable forwarding for all types if needed. You cannot enable forwarding for specific broadcast types.
Configuring IP parameters – Layer 3 Switches 26 PowerConnect(config)# ip source-route Enabling support for zero-based IP subnet broadcasts By default, the Layer 3 Switch treats IP packets with all ones in the host portion of the address as IP broadcast packets. For example, the Layer 3 Switch treats IP packets with 209.157.22.255/24 as the destination IP address as IP broadcast packets and forwards the packets to all IP hosts within the 209.157.22.
26 Configuring IP parameters – Layer 3 Switches Disabling replies to broadcast ping requests By default, Dell PowerConnect devices are enabled to respond to broadcast ICMP echo packets, which are ping requests. To disable response to broadcast ICMP echo packets (ping requests), enter the following command. PowerConnect(config)# no ip icmp echo broadcast-request Syntax: [no] ip icmp echo broadcast-request If you need to re-enable response to ping requests, enter the following command.
• The administration parameter disables ICMP Unreachable (caused by Administration action) messages.
• The fragmentation-needed parameter disables ICMP Fragmentation-Needed But Do-not-Fragment Bit Set messages.
• The host parameter disables ICMP Host Unreachable messages.
• The port parameter disables ICMP Port Unreachable messages.
• The protocol parameter disables ICMP Protocol Unreachable messages.
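The directed-broadcast, zero-based subnet broadcast and broadcast-ping settings in the preceding sections combine into a single question per packet: is this destination a broadcast on one of my attached subnets, and if so do I forward it or answer it? Getting that wrong is how a router becomes a Smurf-style amplifier. The following Python code is an added example and not device code: it classifies an IPv4 destination against the router's attached subnets using the rules the guide describes (all-ones host part is a directed broadcast; all-zeros host part counts as one only when zero-based broadcasts are enabled; 255.255.255.255 is the limited broadcast) and then applies the guide's stated defaults, directed-broadcast forwarding off and broadcast echo replies on, to decide what happens. The subnets and addresses are constructed for the example, and the /31 and /32 handling is an assumption, since those prefixes have no broadcast address.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_destination(dst, attached_networks, zero_based_broadcast=False):
    """Classify an IPv4 destination relative to the router's directly attached subnets.
    Returns 'limited-broadcast', 'directed-broadcast', 'zero-based-broadcast',
    'unicast-local' or 'remote'."""
    d = ipaddress.IPv4Address(dst)
    if d == LIMITED_BROADCAST:
        return "limited-broadcast"
    for cidr in attached_networks:
        net = ipaddress.IPv4Network(cidr, strict=False)
        if net.prefixlen >= 31:             # assumption: no broadcast address on /31 or /32
            if d in net:
                return "unicast-local"
            continue
        if d == net.broadcast_address:      # all ones in the host part
            return "directed-broadcast"
        if zero_based_broadcast and d == net.network_address:
            return "zero-based-broadcast"   # all zeros, only when the feature is enabled
        if d in net:
            return "unicast-local"
    return "remote"


def router_action(dst, attached_networks, *,
                  directed_broadcast_forwarding=False,   # guide: disabled by default
                  icmp_echo_broadcast_reply=True,        # guide: enabled by default
                  zero_based_broadcast=False):           # guide: disabled by default
    """Decide what the router does with an ICMP echo request to dst.
    Returns (classification, forwarded, answered)."""
    kind = classify_destination(dst, attached_networks, zero_based_broadcast)
    if kind == "limited-broadcast":
        return kind, False, icmp_echo_broadcast_reply      # never routed
    if kind in ("directed-broadcast", "zero-based-broadcast"):
        return kind, directed_broadcast_forwarding, icmp_echo_broadcast_reply
    return kind, True, False                               # ordinary unicast, not for us


if __name__ == "__main__":
    nets = ["209.157.22.10/24", "10.1.1.1/16"]
    for dst in ("209.157.22.255", "209.157.22.0", "10.1.255.255", "8.8.8.8"):
        print(dst, router_action(dst, nets))
        print(dst, "hardened", router_action(dst, nets, icmp_echo_broadcast_reply=False))
```

With the defaults a ping to 209.157.22.255 arriving from elsewhere is not forwarded onto the subnet, but the router itself still answers it; the hardened combination for an amplification-sensitive edge is forwarding off and broadcast echo replies off (no ip icmp echo broadcast-request).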
26 Configuring IP parameters – Layer 3 Switches • RIP – If RIP is enabled, the Layer 3 Switch can learn about routes from the advertisements other RIP routers send to the Layer 3 Switch. If the route has a lower administrative distance than any other routes from different sources to the same destination, the Layer 3 Switch places the route in the IP route table. • OSPF – Refer to RIP, but substitute “OSPF” for “RIP”. • BGP4 – Refer to RIP, but substitute “BGP4” for “RIP”.
Configuring IP parameters – Layer 3 Switches 26 • The administrative distance for the route – The value that the Layer 3 Switch uses to compare this route with routes from other route sources to the same destination before placing a route in the IP route table. This parameter does not apply to routes that are already in the IP route table. The default administrative distance for static IP routes is 1.
26 Configuring IP parameters – Layer 3 Switches PowerConnect(config)# ip route 207.95.7.0/24 207.95.6.157 When you configure a static IP route, you specify the destination address for the route and the next-hop gateway or Layer 3 Switch interface through which the Layer 3 Switch can reach the route. The Layer 3 Switch adds the route to the IP route table. In this case, Switch A knows that 207.95.6.
Configuring IP parameters – Layer 3 Switches 26 If you do not want to specify a next-hop IP address, you can instead specify a port or interface number on the Layer 3 Switch. The parameter is a virtual interface number. If you instead specify an Ethernet port, the is the port number (including the slot number, if you are configuring a Chassis device). In this case, the Layer 3 Switch forwards packets destined for the static route destination network to the specified interface.
26 Configuring IP parameters – Layer 3 Switches The parameter specifies the network or host address. The Layer 3 Switch will drop packets that contain this address in the destination field instead of forwarding them. The parameter specifies the network mask. Ones are significant bits and zeros allow any value. For example, the mask 255.255.255.0 matches on all hosts within the Class C subnet address specified by .
Configuring IP parameters – Layer 3 Switches 26 The commands in the previous example configure two static IP routes. The routes go to different next-hop gateways but have the same metrics. These commands use the default metric value (1), so the metric is not specified. These static routes are used for load sharing among the next-hop gateways. The following commands configure static IP routes to the same destination, but with different metrics. The route with the lowest metric is used by default.
26 Configuring IP parameters – Layer 3 Switches Figure 129 shows an example of two static routes configured for the same destination network. In this example, one of the routes is a standard static route and has a metric of 1. The other static route is a null route and has a higher metric than the standard static route. The Layer 3 Switch always prefers the static route with the lower metric. In this example, the Layer 3 Switch always uses the standard static route for traffic to destination network 192.
FIGURE 130 Standard and interface routes to the same destination network
[Figure: two static routes to 192.168.7.0/24 on Switch A: an interface-based route through Port 1/1 with metric 1, and a standard static route through gateway 192.168.8.11 with metric 3. Switch A has 192.168.6.188/24 on Port 1/1 and 192.168.8.12/24 on Port 4/4; the far end of the Port 1/1 link is 192.168.6.69/24. When the route through interface 1/1 is available, Switch A always uses that route.]
26 Configuring IP parameters – Layer 3 Switches Configuring a default network route The Layer 3 Switch enables you to specify a candidate default route without the need to specify the next hop gateway. If the IP route table does not contain an explicit default route (for example, 0.0.0.0/0) or propagate an explicit default route through routing protocols, the software can use the default network route as a default route instead.
Configuring IP parameters – Layer 3 Switches 26 To verify that the route is in the route table, enter the following command at any level of the CLI. PowerConnect# show ip route Total number of IP routes: 2 Start index: 1 B:BGP D:Connected R:RIP Destination NetMask 1 209.157.20.0 255.255.255.0 2 209.157.22.0 255.255.255.0 S:Static Gateway 0.0.0.0 0.0.0.0 O:OSPF *:Candidate default Port Cost Type lb1 1 D 4/11 1 *D This example shows two routes.
26 Configuring IP parameters – Layer 3 Switches • Routes learned through BGP4 Administrative distance The administrative distance is a unique value associated with each type (source) of IP route. Each path has an administrative distance. The administrative distance is not used when performing IP load sharing, but the administrative distance is used when evaluating multiple equal-cost paths to the same destination from different sources, such as RIP, OSPF and so on.
Configuring IP parameters – Layer 3 Switches 26 The source of a path cost value depends on the source of the path: • IP static route – The value you assign to the metric parameter when you configure the route. The default metric is 1. Refer to “Configuring load balancing and redundancy using multiple static routes to the same destination” on page 824. • RIP – The number of next-hop routers to the destination. • OSPF – The Path Cost associated with the path.
• If the IP forwarding cache contains a forwarding entry for the destination, the device uses the entry to forward the traffic.
• If the IP forwarding cache does not contain a forwarding entry for the destination, the software selects a path from among the available equal-cost paths to the destination, then creates a forwarding entry in the cache based on that selection. Subsequent traffic for the same destination uses the forwarding entry.
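The route-selection rules spread over the preceding sections (longest prefix first, then lowest administrative distance, then lowest metric, with remaining ties shared as equal-cost paths and pinned in the forwarding cache) are easier to reason about as one function. The following Python model is an added example, not the device's implementation: it builds a small route table, runs the guide's own scenarios through it (a standard static route backed by a null route with a higher metric, an OSPF route beating a RIP route to the same prefix despite a worse metric, and two equal-cost static routes with per-flow path selection cached on first use), and returns the results. Only the static-route administrative distance of 1 comes from the guide; the other values in ADMIN_DISTANCE, the flow-hash path selection, and all addresses are assumptions made for the example.

```python
import hashlib
import ipaddress
from collections import defaultdict

# The guide states only that static routes default to distance 1; the other
# values are assumed for this example.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120, "bgp": 200}


class RouteTable:
    def __init__(self):
        self.routes = defaultdict(list)   # IPv4Network -> [(source, metric, next_hop)]
        self.cache = {}                    # (src, dst) -> next hop, i.e. the forwarding cache

    def add(self, prefix, next_hop, source="static", metric=1):
        net = ipaddress.IPv4Network(prefix, strict=False)
        self.routes[net].append((source, metric, next_hop))
        self.cache.clear()                 # any table change invalidates cached decisions

    def remove(self, prefix, next_hop):
        net = ipaddress.IPv4Network(prefix, strict=False)
        self.routes[net] = [r for r in self.routes[net] if r[2] != next_hop]
        if not self.routes[net]:
            del self.routes[net]
        self.cache.clear()

    def best_paths(self, dst):
        """Longest prefix match, then lowest administrative distance, then lowest
        metric. Every route tying on all three is an equal-cost path."""
        d = ipaddress.IPv4Address(dst)
        matches = [n for n in self.routes if d in n]
        if not matches:
            return []
        net = max(matches, key=lambda n: n.prefixlen)
        ranked = sorted(self.routes[net], key=lambda r: (ADMIN_DISTANCE[r[0]], r[1]))
        best = (ADMIN_DISTANCE[ranked[0][0]], ranked[0][1])
        return [r[2] for r in ranked if (ADMIN_DISTANCE[r[0]], r[1]) == best]

    def next_hop(self, src, dst):
        """Forwarding-cache lookup; on a miss pick one equal-cost path by a flow hash
        (assumed selection method) and cache it so the flow stays on that path."""
        key = (src, dst)
        if key in self.cache:
            return self.cache[key]
        paths = self.best_paths(dst)
        if not paths:
            return None
        h = int(hashlib.sha256(f"{src}->{dst}".encode()).hexdigest(), 16)
        chosen = sorted(paths)[h % len(paths)]
        self.cache[key] = chosen
        return chosen


def worked_example():
    """The guide's scenarios: null route as backup, distance beating metric, and
    load sharing across equal-cost static routes. Addresses are constructed."""
    rt, out = RouteTable(), {}
    rt.add("192.168.7.0/24", "192.168.6.157", "static", 1)
    rt.add("192.168.7.0/24", "null0", "static", 2)           # discard route, worse metric
    out["primary_up"] = rt.best_paths("192.168.7.5")
    rt.remove("192.168.7.0/24", "192.168.6.157")
    out["primary_down"] = rt.best_paths("192.168.7.5")       # traffic now discarded
    rt.add("10.0.0.0/8", "10.9.9.1", "rip", 3)
    rt.add("10.0.0.0/8", "10.8.8.1", "ospf", 50)
    out["distance_beats_metric"] = rt.best_paths("10.1.2.3")
    rt.add("10.1.0.0/16", "10.7.7.1", "static", 1)
    rt.add("10.1.0.0/16", "10.7.7.2", "static", 1)           # same metric: equal-cost pair
    out["ecmp"] = sorted(rt.best_paths("10.1.2.3"))          # /16 wins over /8
    out["flow"] = rt.next_hop("172.16.0.5", "10.1.2.3")
    out["flow_again"] = rt.next_hop("172.16.0.5", "10.1.2.3")
    out["no_route"] = rt.best_paths("8.8.8.8")
    return out


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

Note what the null-route scenario shows: while the real next hop is present the discard route is never consulted, and the moment the primary is withdrawn the same prefix resolves to null0, which is the behaviour the guide describes for the backup null route.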
• If you leave the feature disabled globally but enable it on individual ports, you also can configure the IRDP parameters on an individual port basis.
NOTE
You can configure IRDP parameters only on an individual port basis. To do so, IRDP must be disabled globally and enabled only on individual ports. You cannot configure IRDP parameters if the feature is globally enabled.
26 Configuring IP parameters – Layer 3 Switches Enabling IRDP on an individual port To enable IRDP on an individual interface and change IRDP parameters, enter commands such as the following. PowerConnect(config)# interface ethernet 1/3 PowerConnect(config-if-1/3)# ip irdp maxadvertinterval 400 This example shows how to enable IRDP on a specific port and change the maximum advertisement interval for Router Advertisement messages to 400 seconds.
Configuring IP parameters – Layer 3 Switches 26 RARP is enabled by default. However, you must create a RARP entry for each host that will use the Layer 3 Switch for booting. A RARP entry consists of the following information: • The entry number – the entry sequence number in the RARP table. • The MAC address of the boot client. • The IP address you want the Layer 3 Switch to give to the client.
26 Configuring IP parameters – Layer 3 Switches Creating static RARP entries You must configure the RARP entries for the RARP table. The Layer 3 Switch can send an IP address in reply to a client RARP request only if create a RARP entry for that client. To assign a static IP RARP entry for static routes on a router, enter a command such as the following. PowerConnect(config)# rarp 1 1245.7654.2348 192.53.4.2 This command creates a RARP entry for a client with MAC address 1245.7654.2348.
Configuring IP parameters – Layer 3 Switches 26 • Configure a helper adders on the interface connected to the clients. Specify the helper address to be the IP address of the application server or the subnet directed broadcast address for the IP subnet the server is in. A helper address is associated with a specific interface and applies only to client requests received on that interface.
Syntax: [no] ip forward-protocol udp |

The parameter can have one of the following values. For reference, the corresponding port numbers from RFC 1340 are shown in parentheses.

Syntax: ip helper-address

The parameter specifies the helper address number and can be from 1 through 16. The command specifies the server IP address or the subnet directed broadcast address of the IP subnet the server is in.

Configuring BootP/DHCP relay parameters

A host on an IP network can use BootP/DHCP to obtain its IP address from a BootP/DHCP server. To obtain the address, the client sends a BootP/DHCP request.

Configuring an IP helper address

The procedure for configuring a helper address for BootP/DHCP requests is the same as the procedure for configuring a helper address for other types of UDP broadcasts. Refer to “Configuring an IP helper address” on page 838.

Configuring the BOOTP/DHCP reply source address

NOTE
This feature is supported on PowerConnect B-Series FCX devices.

NOTE
The BootP/DHCP hop count is not the TTL parameter.

To modify the maximum number of BootP/DHCP hops, enter the following command.

PowerConnect(config)# bootp-relay-max-hops 10

This command allows the Layer 3 Switch to forward BootP/DHCP requests that have passed through ten previous hops before reaching the Layer 3 Switch. Requests that have traversed 11 hops before reaching the switch are dropped.

• For DHCP client hitless support in an IronStack, the stack mac command must be used to configure the IronStack MAC address, so that the MAC address does not change in the event of a switchover or failover. If stack mac is not configured, the MAC address/IP address pair assigned to a DHCP client will not match after a switchover or failover.
FIGURE 131 DHCP Server configuration flow chart

[Flow chart summary: classify the incoming message; if DHCP is enabled, check whether the database holds a previous allocation for this host; if so, reserve the previously allocated address, otherwise use the receiving port number, the ciaddr field and the giaddr field to select the proper address pool and reserve an address from it (if no address is available in the pool, end); send the offer to the host and listen for a response; if the host responds, the server proceeds to the host's option requests.]

Configuring DHCP Server on a device

Perform the following steps to configure the DHCP Server feature on your PowerConnect device.
1. Enable DHCP Server by entering a command similar to the following.
   PowerConnect(config)# ip dhcp-server enable
2. Create a DHCP Server address pool by entering a command similar to the following.
   PowerConnect(config)# ip dhcp-server pool cabo
3.

Default DHCP server settings

Table 151 shows the default DHCP server settings.

TABLE 153 DHCP Server CLI commands

Command: ip dhcp-server arp-ping-timeout <#>
Description: Specifies the time (in seconds) the server will wait for a response to an arp-ping packet before deleting the client from the binding database. The minimum setting is 5 seconds and the maximum time is 30 seconds.
NOTE: Do not alter the default value unless it is necessary.
TABLE 153 DHCP Server CLI commands (Continued)

Command: netbios-name-server [ | ]
Description: Specifies the IP address of a NetBIOS WINS server or servers that are available to Microsoft DHCP clients. Refer to “Configure the NetBIOS server for DHCP clients” on page 850.

Command: network /
Description: Configures the subnet network and mask of the DHCP address pool. Refer to “Configure the subnet and mask of a DHCP address pool” on page 850.

Setting the wait time for ARP-ping response

At startup, the server reconciles the lease-binding database by sending an ARP-ping packet out to every client. If there is no response to the ARP-ping packet within a set amount of time (set in seconds), the server deletes the client from the lease-binding database. The minimum setting is 5 seconds and the maximum is 30 seconds.

• - The IP address of the DHCP server

This command assigns an IP address to the selected DHCP server.

Configure the boot image

The bootfile command specifies a boot image name to be used by the DHCP client.

PowerConnect(config-dhcp-cabo)# bootfile foxhound

In this example, the DHCP client should use the boot image called “foxhound”.

Specify addresses to exclude from the address pool

The excluded-address command specifies either a single address, or a range of addresses that are to be excluded from the address pool.

PowerConnect(config-dhcp-cabo)# excluded-address 101.2.3.
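The allocation path of the DHCP Server flow chart (previous binding first, then pool selection from the receiving port, ciaddr and giaddr, then reservation from the pool minus the excluded addresses) is shown below as an added Python example. It is not code from the guide or from the device; the pool name, subnet, excluded ranges and client hardware addresses are constructed for the illustration.

```python
# Added example (not from the guide): the address-pool selection and reservation
# logic from the DHCP server flow chart, including excluded-address ranges.
# Pool names and addresses are constructed for the example.
import ipaddress


class AddressPool:
    def __init__(self, name, network, excluded=()):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.excluded = set()
        for item in excluded:                    # "a.b.c.d" or "a.b.c.d-a.b.c.e"
            lo, _, hi = item.partition("-")
            lo = ipaddress.ip_address(lo)
            hi = ipaddress.ip_address(hi) if hi else lo
            for n in range(int(lo), int(hi) + 1):
                self.excluded.add(ipaddress.ip_address(n))

    def free_addresses(self, leased):
        for host in self.network.hosts():        # skips network and broadcast addresses
            if host not in self.excluded and host not in leased:
                yield host


class DhcpServer:
    def __init__(self, pools, enabled=True):
        self.pools = list(pools)
        self.enabled = enabled
        self.bindings = {}   # client hardware address -> leased address

    def select_pool(self, giaddr, ciaddr, rx_port_addr):
        """Pick a pool from giaddr, ciaddr and the receiving port, as in the flow chart."""
        for hint in (giaddr, ciaddr, rx_port_addr):
            if hint and hint != "0.0.0.0":
                addr = ipaddress.ip_address(hint)
                for pool in self.pools:
                    if addr in pool.network:
                        return pool
        return None

    def offer(self, client, giaddr="0.0.0.0", ciaddr="0.0.0.0", rx_port_addr=None):
        """Return the address to offer, or None if the request cannot be served."""
        if not self.enabled:
            return None
        if client in self.bindings:                  # previous allocation in the DB
            return str(self.bindings[client])        # -> reserve the same address
        pool = self.select_pool(giaddr, ciaddr, rx_port_addr)
        if pool is None:
            return None
        leased = set(self.bindings.values())
        for host in pool.free_addresses(leased):
            self.bindings[client] = host
            return str(host)
        return None                                   # no available address in the pool

    def release(self, client):
        self.bindings.pop(client, None)
```

A relayed request (giaddr set) and a renewing client (ciaddr set) select the same pool in this model; a request that matches no pool is refused rather than answered from an arbitrary pool.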
Displaying DHCP server information

The following DHCP show commands may be entered from any level of the CLI.

Display active lease entries

The show ip dhcp-server binding command displays a specific active lease, or all active leases, as shown in this example:

PowerConnect# show ip dhcp-server binding
Bindings from all pools:
IP Address      Client-ID/Hardware address
192.168.1.2     192.

netbios-name-server:    192.168.1.101
network:                192.168.1.0 255.255.255.0
next-bootstrap-server:  192.168.1.102
tftp-server:            192.168.1.103

Syntax: show ip dhcp-server address-pool[s] [ ]
• address-pool[s] – If you enter address-pools, the display shows all address pools.
• Specifying a pool name displays information about that address pool only.

The following table describes this output.

TABLE 156 CLI display of show ip dhcp-server flash command
This field... – Displays...

TABLE 157 CLI display of show ip dhcp-server summary command

This field... – Displays...
Total number of active leases – The number of leases that are currently active.
Total number of deployed address-pools – The number of address pools currently in use.
Total number of undeployed address-pools – The number of address pools being held in reserve.
Server uptime – The amount of time that the server has been active.
2. If auto-update is enabled, the TFTP flash image is downloaded and updated. The device compares the filename of the requested flash image with the image stored in flash. If the filenames are different, the device downloads the new image from a TFTP server, writes the downloaded image to flash, then reloads the device or stack.
3.

The following configuration rules apply to flash image update:
• To enable flash image update (ip dhcp-client auto-update enable command), also enable auto-configuration (ip dhcp-client enable command).
• The image filename to be updated must have the extension .bin.
• The DHCP option 067 bootfile name will be used for image update if it has the extension .bin.

Because the image name is taken from a DHCP option and the image is fetched over TFTP, which carries no authentication, a device with auto-update enabled writes to flash and boots whatever .bin file the responding DHCP and TFTP servers hand it. Leave auto-update disabled unless both servers are under your control.
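The two steps above (read the bootfile name from the DHCP reply, then apply the auto-update rules) are shown below as an added Python example. It is not code from the guide or the device software. The options parser follows the standard DHCP options encoding (option 66 is the TFTP server name, 67 the bootfile name, as in RFC 2132); the server address and image filenames in the test data are constructed.

```python
# Added example (not from the guide): parsing the DHCP options field of an
# OFFER/ACK and applying the flash-image auto-update rules. The server
# address and image names are constructed for the example; option 66 (TFTP server
# name) and 67 (bootfile name) are the standard RFC 2132 codes.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 0, 53, 66, 67, 255


def build_options(pairs):
    """Serialise (code, bytes) pairs as a DHCP options field (test-data builder)."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in pairs:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob):
    """Return {code: value} from a raw options field starting at the magic cookie."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated option %d" % code)   # never read past the buffer
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def auto_update_decision(opts, installed_image, auto_config=True, auto_update=True):
    """Apply the guide's rules: auto-configuration on, auto-update on, option 67
    must name a .bin file, and that name must differ from the image in flash."""
    if not auto_config:
        return ("skip", "ip dhcp-client enable is required")
    if not auto_update:
        return ("skip", "ip dhcp-client auto-update enable is not set")
    bootfile = opts.get(OPT_BOOTFILE, b"").decode("ascii", "replace").rstrip("\x00")
    if not bootfile.endswith(".bin"):
        return ("skip", "option 67 is not a .bin image name")
    if bootfile == installed_image:
        return ("skip", "requested image already in flash")
    server = opts.get(OPT_TFTP_SERVER, b"").decode("ascii", "replace")
    return ("update", (server, bootfile))
```

Note that the decision depends only on the filename comparison: nothing in these rules checks who sent the offer or whether the image is genuine, which is the point of the caveat above.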
FIGURE 133 The DHCP Client-Based Auto-Configuration steps

[Flow chart summary, IP address validation and lease negotiation (typical process; may change depending on the environment): at system boot or feature enable the device checks whether it already has an IP address and whether that address is static or dynamic; for a dynamic address it asks the DHCP server whether the address is still valid (in the pool and not leased elsewhere), retrying up to 4 times if the server does not respond; a valid dynamic address is re-leased to the device.]

3. If the device has a dynamic address, the device asks the DHCP server to validate that address. If the server does not respond, the device will continue to use the existing address until the lease expires. If the server responds, and the IP address is outside of the DHCP address pool or has been leased to another device, it is automatically rejected, and the device receives a new IP address from the server.

The TFTP configuration download and update step

NOTE
This process only occurs when the client device reboots, or when Auto-Configuration has been disabled and then re-enabled.

1.

Configuration notes
• When using DHCP on a router, if you have a DHCP address for one interface, and you want to connect to the DHCP server from another interface, you must disable DHCP on the first interface, then enable DHCP on the second interface.
• When DHCP is disabled, and then re-enabled, or if the system is rebooted, the TFTP process requires approximately three minutes to run in the background before file images can be downloaded manually.

PowerConnect(config)# show ip
Switch IP address: 10.44.16.116
Subnet mask: 255.255.255.0
Default router address: 10.44.16.1
TFTP server address: 10.44.16.41
Configuration filename: foundry.cfg
Image filename: None

The following example shows output from the show ip address command for a Layer 2 device.

PowerConnect(config)# show ip address
IP Address      Type    Lease Time
10.44.16.

Configuring IP parameters – Layer 2 Switches

PowerConnect(config)# show run
Current configuration:
!
ver 7.2.00aT7f1
!
module 1 FCX-24-port-management-module
module 2 FCX-cx4-2-port-16g-module
module 3 FCX-xfp-1-port-16g-module
!
vlan 1 name DEFAULT-VLAN by port
!
ip dns domain-name test.com
ip dns server-address 10.44.3.111
interface ethernet 0/1/2
 ip address 10.44.3.233 255.255.255.0 dynamic
 ip dhcp-client lease 691109
!
interface ethernet 0/1/15
 ip address 1.0.0.1 255.0.0.0
 ip helper-address 1 10.
Configuring the management IP address and specifying the default gateway

To manage a Layer 2 Switch using Telnet or Secure Shell (SSH) CLI connections or the Web Management Interface, you must configure an IP address for the Layer 2 Switch. Optionally, you also can specify the default gateway.

For example, if the domain “newyork.com” is defined on a Layer 2 Switch or Layer 3 Switch and you want to initiate a ping to host “NYC01” on that domain, you need to reference only the host name in the command instead of the host name and its domain name. For example, you could enter either of the following commands to initiate the ping.

PowerConnect# ping nyc01
PowerConnect# ping nyc01.newyork.

NOTE
In the previous example, 209.157.22.199 is the IP address of the domain name server (default DNS gateway address), and 209.157.22.80 represents the IP address of the NYC02 host.

FIGURE 134 Querying a Host on the newyork.com Domain
[Figure: a Layer 3 Switch queries the domain name server for newyork.com (shown at 207.95.6.199) for the hosts nyc01 and nyc02.]

By allowing multiple subnet DHCP requests to be sent on the same wire, you can reduce the number of router ports required to support secondary addressing as well as reduce the number of DHCP servers required, by allowing a server to manage multiple subnet address assignments.

FIGURE 135 DHCP requests in a network without DHCP Assist on the Layer 2 Switch
[Figure; step 3: the DHCP Server generates IP addresses for Hosts 1, 2, 3 and 4.]

How DHCP Assist works

Upon initiation of a DHCP session, the client sends out a DHCP discovery packet for an address from the DHCP server as seen in Figure 136. When the DHCP discovery packet is received at a Layer 2 Switch with the DHCP Assist feature enabled, the gateway address configured on the receiving interface is inserted into the packet. This address insertion is also referred to as stamping.

NOTE
The DHCP relay function of the connecting router must be turned on.

FIGURE 137 DHCP offers are forwarded back toward the requestors
[Figure; step 4: the DHCP Server (207.95.7.6) extracts the gateway address from each packet and assigns IP addresses for each host within the appropriate range; the DHCP response with IP addresses for Subnets 1, 2, 3 and 4 (192.95.5.10, 200.95.6.15, 202.95.1.35, 202.95.5.25) passes from the Router to the Layer 2 Switch.]

Up to eight addresses can be defined for each gateway list in support of ports that are multi-homed. When multiple IP addresses are configured for a gateway list, the Layer 2 Switch inserts the addresses into the discovery packet in a round robin fashion. Up to 32 gateway lists can be defined for each Layer 2 Switch.

Example

To create the configuration indicated in Figure 136 and Figure 137, enter commands such as the following.
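The two operations described in this chapter that act on the BOOTP/DHCP header, the relay hop limit from bootp-relay-max-hops (where the hop count is the BOOTP hops byte, not the IP TTL) and the giaddr stamping done by DHCP Assist with round-robin gateway lists, are shown together below as an added Python example. It is not code from the guide or the device software; the packets, helper addresses, relay address and gateway lists are constructed for the illustration, and the BOOTP header layout follows RFC 951.

```python
# Added example (not from the guide): the BOOTP/DHCP relay hop limit from
# "bootp-relay-max-hops" and the gateway-address stamping done by DHCP Assist.
# Packets, helper addresses and gateway lists are constructed for the example.
import ipaddress
import itertools
import struct

HOPS_OFFSET, GIADDR_OFFSET = 3, 24          # fixed BOOTP header positions (RFC 951)


def make_request(xid, hops=0, giaddr="0.0.0.0"):
    """Constructed minimal BOOTREQUEST (op=1, htype=1 Ethernet, hlen=6)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, hops, xid, 0, 0x8000)   # flags: broadcast
    hdr += b"\x00" * 12                                              # ciaddr, yiaddr, siaddr
    hdr += ipaddress.ip_address(giaddr).packed
    return hdr + b"\x00" * (236 - len(hdr))                          # chaddr, sname, file


def giaddr_of(packet):
    return str(ipaddress.ip_address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4]))


def hops_of(packet):
    return packet[HOPS_OFFSET]


def relay(packet, helper_addresses, relay_address, max_hops):
    """Layer 3 relay: drop over-hopped requests, stamp giaddr if still zero,
    increment hops and send a copy to each helper address.
    The hop count is the BOOTP 'hops' byte, not the IP TTL."""
    if hops_of(packet) > max_hops:
        return []                                   # traversed too many relays: dropped
    out = bytearray(packet)
    if giaddr_of(packet) == "0.0.0.0":              # a pre-stamped giaddr is left alone
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.ip_address(relay_address).packed
    out[HOPS_OFFSET] = hops_of(packet) + 1
    return [(helper, bytes(out)) for helper in helper_addresses]


class DhcpAssist:
    """Layer 2 switch stamping: each port has a gateway list (up to 8 addresses,
    up to 32 lists per switch); multi-homed lists are used round robin."""
    def __init__(self, gateway_lists):
        if len(gateway_lists) > 32:
            raise ValueError("at most 32 gateway lists per switch")
        self._cycles = {}
        for port, addrs in gateway_lists.items():
            if not 1 <= len(addrs) <= 8:
                raise ValueError("a gateway list holds 1 to 8 addresses")
            self._cycles[port] = itertools.cycle(addrs)

    def stamp(self, port, packet):
        out = bytearray(packet)
        gateway = ipaddress.ip_address(next(self._cycles[port])).packed
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = gateway
        return bytes(out)
```

The last assertion in the test is the property the NOTE above relies on: the router's relay must be on so the stamped packet is forwarded, and because giaddr is already non-zero the relay leaves the Layer 2 Switch's stamp in place, which is what lets the server pick the right subnet.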
Displaying IP configuration information and statistics

• IP interfaces – refer to “Displaying IP interface information” on page 873.
• ARP entries – refer to “Displaying ARP entries” on page 874.
• Static ARP entries – refer to “Displaying ARP entries” on page 874.
• IP forwarding cache – refer to “Displaying the forwarding cache” on page 877.
• IP route table – refer to “Displaying the IP route table” on page 878.
• IP traffic statistics – refer to “Displaying IP traffic statistics” on page 881.

TABLE 159 CLI display of global IP configuration information – Layer 3 Switch

This field... – Displays...
Global settings
ttl – The Time-To-Live (TTL) for IP packets. The TTL specifies the maximum number of router hops a packet can travel before reaching the router. If the packet TTL value is higher than the value specified in this field, the router drops the packet. To change the maximum TTL, refer to “Changing the TTL threshold” on page 815.

TABLE 159 CLI display of global IP configuration information – Layer 3 Switch (Continued)

This field... – Displays...
Port – The Layer 4 TCP or UDP port the policy checks for in packets. The port can be displayed by its number or, for port types the router recognizes, by the well-known name. For example, TCP port 80 can be displayed as HTTP.
NOTE: This field applies only if the IP protocol is TCP or UDP.

To display utilization statistics for a specific number of seconds, enter a command such as the following.

PowerConnect# show process cpu 2
Statistics for last 1 sec and 80 ms
Process Name    Sec(%)   Time(ms)
ACL             0        0.00
ARP             1        0.01
BGP             0        0.00
DOT1X           0        0.00
GVRP            0        0.00
ICMP            0        0.00
IP              0        0.00
L2VLAN          1        0.01
OSPF            0        0.00
RIP             0        0.00
STP             0        0.00
VRRP            0        0.

TABLE 160 CLI display of interface IP configuration information (Continued)

This field... – Displays...
Method – Whether the IP address has been saved in NVRAM. If you have set the IP address for the interface in the CLI or Web Management Interface, but have not saved the configuration, the entry for the interface in the Method field is “manual”.
Status – The link status of the interface.

The mac-address parameter lets you restrict the display to entries for a specific MAC address. The mask parameter lets you specify a mask for the mac-address parameter, to display entries for multiple MAC addresses. Specify the MAC address mask as “f”s and “0”s, where “f”s are significant bits.

TABLE 161 CLI display of ARP cache (Continued)

This field... – Displays...
Port – The port on which the entry was learned.
NOTE: If the ARP entry type is DHCP, the port number will not be available until the entry gets resolved through ARP.
Status – The status of the entry, which can be one of the following:
  Valid – This is a valid ARP entry.
  Pend – The ARP entry is not yet resolved.
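The MAC-address mask described above (a 48-bit pattern written as “f”s for significant nibbles and “0”s for don't-care nibbles) is shown below as an added Python example that applies it to ARP cache entries. It is not code from the guide or the device; the sample output lines are constructed in the shape of the fields the ARP cache table lists and are not captured from a device.

```python
# Added example (not from the guide): filtering "show arp" output by MAC address
# and a mask written as f's (significant nibbles) and 0's, as the mac-address
# parameter does. The sample lines are constructed in the shape of the ARP cache
# fields the table describes; they are not captured from a device.
SAMPLE_ARP = """\
Total number of ARP entries: 4
No.  IP Address     MAC Address     Type     Age  Port  Status
1    10.44.16.1     0000.005c.3b10  Dynamic  0    1/1   Valid
2    10.44.16.41    0000.005c.8a01  Dynamic  3    1/2   Valid
3    10.44.16.99    0000.0000.0000  Dynamic  0    N/A   Pend
4    10.44.16.200   00e0.52ab.1234  Static   0    1/4   Valid
"""

FIELDS = ("no", "ip", "mac", "type", "age", "port", "status")


def parse_arp(text):
    """Return one dict per entry line; header and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[0].isdigit():
            entries.append(dict(zip(FIELDS, parts)))
    return entries


def mac_matches(mac, pattern, mask="ffff.ffff.ffff"):
    """Compare nibble by nibble; only nibbles where the mask is 'f' count."""
    m, p, k = (s.replace(".", "").replace(":", "").lower() for s in (mac, pattern, mask))
    if not (len(m) == len(p) == len(k) == 12):
        raise ValueError("MAC, pattern and mask must all be 48 bits")
    return all(mc == pc for mc, pc, kc in zip(m, p, k) if kc == "f")


def filter_arp(text, mac=None, mask="ffff.ffff.ffff", status=None):
    """Entries matching the MAC/mask pair and, optionally, a Status value."""
    entries = parse_arp(text)
    if mac is not None:
        entries = [e for e in entries if mac_matches(e["mac"], mac, mask)]
    if status is not None:
        entries = [e for e in entries if e["status"] == status]
    return entries
```

A mask of ffff.ff00.0000 selects every entry from one OUI, which is the usual way to pull all hosts of one vendor out of a large cache; a Pend entry shows the all-zero MAC and no port, as the table notes for unresolved entries.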
TABLE 162 CLI display of static ARP table

This field... – Displays...
Static ARP table size – The maximum number of static entries that can be configured on the device using the current memory allocation. The range of valid memory allocations for static ARP entries is listed after the current allocation.

TABLE 163 CLI display of IP forwarding cache – Layer 3 Switch (Continued)

This field... – Displays...
Type – The type of host entry, which can be one or more of the following:
  D – Dynamic
  P – Permanent
  F – Forward
  U – Us
  C – Complex Filter
  W – Wait ARP
  I – ICMP Deny
  K – Drop
  R – Fragment
  S – Snap Encap
Port – The port through which this device reaches the destination.

The bgp option displays the BGP4 routes. The direct option displays only the IP routes that are directly attached to the Layer 3 Switch. The ospf option displays the OSPF routes. The rip option displays the RIP routes. The static option displays only the static IP routes. The default routes are displayed first. Here is an example of how to use the direct option.

Example

PowerConnect# show ip route summary
IP Routing Table - 35 entries:
  6 connected, 28 static, 0 RIP, 1 OSPF, 0 BGP, 0 ISIS, 0 MPLS
Number of prefixes:
  /0: 1  /16: 27  /22: 1  /24: 5  /32: 1

Syntax: show ip route summary

In this example, the IP route table contains 35 entries. Of these entries, 6 are directly connected devices, 28 are static routes, and 1 route was calculated through OSPF.

To clear route 209.157.22.0/24 from the IP routing table, enter the following command.

PowerConnect# clear ip route 209.157.22.0/24

Syntax: clear ip route [ ]
or
Syntax: clear ip route [/]

Displaying IP traffic statistics

To display IP traffic statistics, enter the following command at any CLI level.

TABLE 165 CLI display of IP traffic statistics – Layer 3 Switch (Continued)

This field... – Displays...
fragmented – The total number of IP packets fragmented by this device to accommodate the MTU of this device or of another device.
reassembled – The total number of fragmented IP packets that this device re-assembled.
bad header – The number of IP packets dropped by the device due to a bad packet header.
passive opens – The number of TCP connections opened by this device in response to connection requests (TCP SYNs) received from other devices.
failed attempts – This information is used by Dell customer support.

• Global IP settings – refer to “Displaying global IP configuration information” on page 884.
• ARP entries – refer to “Displaying ARP entries” on page 884.
• IP traffic statistics – refer to “Displaying IP traffic statistics” on page 885.

Displaying global IP configuration information

To display the Layer 2 Switch IP address and default gateway, enter the following command.

PowerConnect# show ip
Switch IP address: 192.168.1.2
Subnet mask: 255.

Syntax: show arp

This display shows the following information.

TABLE 167 CLI display of ARP cache

This field... – Displays...
Total ARP Entries – The number of entries in the ARP cache.
Maximum capacity – The total number of ARP entries supported on the device.
IP – The IP address of the device.
Mac – The MAC address of the device.

The show ip traffic command displays the following information.

TABLE 168 CLI display of IP traffic statistics – Layer 2 Switch

This field... – Displays...
IP statistics
received – The total number of IP packets received by the device.
sent – The total number of IP packets originated and sent by the device.
fragmented – The total number of IP packets fragmented by this device to accommodate the MTU of this device or of another device.

TABLE 168 CLI display of IP traffic statistics – Layer 2 Switch (Continued)

This field... – Displays...
no port – The number of UDP packets dropped because the packet did not contain a valid UDP port number.
input errors – This information is used by Dell customer support.
TCP statistics – The TCP statistics are derived from RFC 793, “Transmission Control Protocol”.
current active tcbs – The number of TCP Control Blocks (TCBs) that are currently active.
Chapter 27 Configuring Multicast Listener Discovery (MLD) Snooping on PowerConnect B-Series FCX Switches

Table 169 lists the individual Dell PowerConnect switches and the MLD snooping features they support.
Overview

The interfaces respond to general queries by sending a membership report containing one or more of the following records associated with a specific group:
• Current-state record – Indicates the sources from which the interface wants to receive or not receive traffic. This record contains the source addresses of the interfaces and whether or not traffic will be included (IS_IN) or excluded (IS_EX) from that source address.

NOTE
For this command to take effect, you must save the configuration and reload the switch.

The hardware resource limit applies only to snooping-enabled VLANs. In VLANs where snooping is not enabled, multicast streams are switched in hardware without using any pre-installed resources. The Dell PowerConnect device supports up to 32K MLD groups. They are produced by client membership reports.

Configuration notes
• Servers (traffic sources) are not required to send MLD memberships.

When any port of a VLAN is configured for MLDv2, the VLAN matches both source and group (S G) in hardware switching. If no port is configured for MLDv2, the VLAN matches group only (* G). Matching (S G) requires more hardware resources than (* G) when there are multiple servers sharing the same group. For example, two data streams from different sources to the same group require two (S G) entries in MLDv2, compared to only one (* G) in MLDv1.
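How the membership records listed in the overview (IS_IN, IS_EX, the mode changes and the ALLOW/BLOCK source changes) build per-port state, and how that state turns into the (* G) versus (S G) hardware entries described in the paragraph above, is shown below as an added Python example. It is not code from the guide or the device software; the group, source and port identifiers are constructed for the illustration.

```python
# Added example (not from the guide): how MLDv1 and MLDv2 membership records
# translate into the (* G) versus (S G) entries the text describes. Group and
# source addresses are constructed for the example.
class MldSnoopVlan:
    def __init__(self):
        self.state = {}        # (port, group) -> (filter mode "IN"/"EX", set of sources)
        self.v2_ports = set()  # any MLDv2 port switches the VLAN to (S G) matching

    def report(self, port, group, record, sources=(), version=2):
        """Apply one record: IS_IN/IS_EX (current state), TO_IN/TO_EX (mode
        change), ALLOW/BLOCK (source list change). An MLDv1 report is IS_EX{}."""
        if version == 2:
            self.v2_ports.add(port)
        sources = set(sources)
        mode, srcs = self.state.get((port, group), ("IN", set()))
        if record in ("IS_IN", "TO_IN"):
            mode, srcs = "IN", sources
        elif record in ("IS_EX", "TO_EX"):
            mode, srcs = "EX", sources
        elif record == "ALLOW":              # these sources are now wanted
            srcs = srcs | sources if mode == "IN" else srcs - sources
        elif record == "BLOCK":              # these sources are no longer wanted
            srcs = srcs - sources if mode == "IN" else srcs | sources
        else:
            raise ValueError("unknown record type %r" % record)
        if mode == "IN" and not srcs:        # INCLUDE{} means "not a listener"
            self.state.pop((port, group), None)
        else:
            self.state[(port, group)] = (mode, srcs)

    def wants(self, port, source, group):
        """Would the snooping switch forward (source, group) out of this port?"""
        mode, srcs = self.state.get((port, group), (None, set()))
        if mode is None:
            return False
        return source in srcs if mode == "IN" else source not in srcs

    def hardware_entries(self, streams):
        """Entries needed for the active (source, group) streams: one (S G) per
        stream when any port runs MLDv2, otherwise one (* G) per group."""
        joined = {g for (_, g) in self.state}
        entries = set()
        for source, group in streams:
            if group in joined:
                entries.add((source, group) if self.v2_ports else ("*", group))
        return entries
```

With one MLDv1 listener, two sources sending to the same group cost a single (* G) entry; the moment one port in the VLAN reports with MLDv2, the same two streams cost two (S G) entries, which is the resource difference the text warns about.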
NOTE
To avoid version deadlock, when an interface receives a report with a lower version than that for which it has been configured, the interface does not automatically downgrade the running MLD version.

Configuring MLD snooping

Configuring MLD Snooping on Stackable devices consists of the following global and VLAN-specific tasks.

The system supports up to 32K groups. The configurable range is 256 to 32768 and the default is 8192. The configured number is the upper limit of an expandable database. Client memberships exceeding the group limit are not processed.

Disabling transmission and receipt of MLD packets on a port

When a VLAN is snooping-enabled, all MLD packets are trapped to the CPU without hardware VLAN flooding.

Syntax: [no] ipv6 mld-snooping age-interval

The parameter specifies the aging time. You can specify a value from 20 – 7200 seconds. The default is 140 seconds.

Modifying the query interval (Active MLD snooping mode only)

If the MLD mode is set to active, you can modify the query interval, which specifies how often the device sends group membership queries. When multiple queriers connect together, all queriers should be configured with the same interval.

Modifying the wait time before stopping traffic when receiving a leave message

You can define the wait time before stopping traffic to a port when the device receives a leave message for that port. The device sends group-specific queries once per second to determine if any client on the same port still needs the group. The value range is from 1 to 5, and the default is 2.

Disabling MLD snooping for the VLAN

When MLD snooping is enabled globally, you can disable it for a specific VLAN. For example, the following commands disable MLD snooping for VLAN 20. This setting overrides the global setting for VLAN 20.

PowerConnect(config)#vlan 20
PowerConnect(config-vlan-20)#mld-snooping disable-mld-snoop

Syntax: [no] mld-snooping disable-mld-snoop

Configuring the MLD version for the VLAN

You can specify the MLD version for a VLAN.

The ipv6-address parameter is the IPv6 address of the multicast group. The count is optional, which allows a contiguous range of groups. Omitting the count is equivalent to a count of 1. If no port numbers are given, the static groups apply to the entire VLAN.

Configuring static router ports

A device always forwards all multicast control and data packets to router ports that receive queries.

Every group on a physical port keeps its own tracking record. However, it can track group membership only; it cannot track by (source, group). For example, Client A and Client B belong to group1 but each is receiving traffic from different sources. Client A receives a traffic stream from (source_1, group1) and Client B receives a traffic stream from (source_2, group1).
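The two ways a leave message can be handled in this chapter, the group-specific query wait time (one query per second for 1 to 5 seconds, default 2) and tracking with fast leave (per-client records kept by group only, not by source), are shown below for one (port, group) pair as an added Python example. It is not code from the guide or the device software; the client names are constructed for the illustration.

```python
# Added example (not from the guide): leave handling for one (port, group) pair,
# first with the group-specific query wait, then with tracking and fast leave.
# Client names are constructed.
class GroupPort:
    def __init__(self, tracking=False, fast_leave=False, leave_wait=2):
        if not 1 <= leave_wait <= 5:
            raise ValueError("leave wait time is 1 to 5 seconds")
        self.tracking = tracking
        self.fast_leave = fast_leave
        self.leave_wait = leave_wait
        self.clients = set()        # tracked only when tracking is enabled
        self.forwarding = False     # is group traffic sent out of this port?
        self.queries_left = 0       # pending group-specific queries (one per second)

    def report(self, client):
        if self.tracking:
            self.clients.add(client)
        self.forwarding = True
        self.queries_left = 0       # a report answers any outstanding query

    def leave(self, client):
        """Return what the switch does with the leave message."""
        if not self.forwarding:
            return "ignored"
        if self.tracking and self.fast_leave:
            # Tracking records membership per client, by group only (not by
            # source), so traffic stops only when the last tracked client leaves.
            self.clients.discard(client)
            if self.clients:
                return "kept"
            self.forwarding = False
            return "stopped"
        self.queries_left = self.leave_wait      # ask whether anyone else still wants it
        return "querying"

    def tick(self, reports=()):
        """One second passes: a group-specific query goes out; `reports` are the
        clients that answered. Return the forwarding state afterwards."""
        if self.queries_left:
            if reports:
                for client in reports:
                    self.report(client)
            else:
                self.queries_left -= 1
                if self.queries_left == 0:
                    self.forwarding = False
                    self.clients.clear()
        return self.forwarding
```

Without tracking, a single leave costs up to leave_wait seconds of continued traffic to the port; with tracking and fast leave, Client A's departure does not interrupt Client B even though they listen to different sources, because the record is per group.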
Displaying MLD snooping information

You can display the following MLD Snooping information:
• MLD Snooping error information
• Information about VLANs
• Group and forwarding information for VLANs
• MLD memory pool usage
• Status of MLD traffic
• MLD information by VLAN

Displaying MLD snooping error information

To display information about possible MLD errors, enter the following command.

If tracking and fast leave are enabled, you can display the list of clients for a particular group by entering the following command.

PowerConnect#show ipv6 mld-snooping group ff0e::ef00:a096 tracking
Display group ff0e::ef00:a096 in all interfaces with tracking enabled.

PowerConnect#show ipv6 mld-snooping mcache
Example: (S G) cnt=: (S G) are the lowest 32 bits, cnt: SW proc.

This field... – Displays...
get-fail – The number of resource failures.
NOTE: It is important to pay close attention to this field.
limit – The upper limit of this expandable field. The MLD group limit is configured using the system-max mld-max-group-addr command. The snoop mcache entry limit is configured using the system-max mld-snoop-mcache command.
get-mem – The number of memory allocations. This number should continue to increase.
size – The size of a unit (in bytes).

This field – Displays
IsEX – Number of source addresses that were excluded in the traffic.
ToIN – Number of times the interface mode changed from EXCLUDE to INCLUDE.
ToEX – Number of times the interface mode changed from INCLUDE to EXCLUDE.
ALLO – Number of times additional source addresses were allowed on the interface.
BLK – Number of times sources were removed from an interface.
Pkt-Err – Number of packets having errors such as checksum errors.

Clear MLD counters on VLANs

To clear MLD Snooping error and traffic counters on all VLANs, enter a command similar to the following.

PowerConnect#clear ipv6 mld-snooping counters

Syntax: clear ipv6 mld-snooping counters

Clear MLD mcache

To clear the mcache on all VLANs, enter the following command.
Chapter 28 Configuring RIP (IPv4) Table 170 lists the individual Dell PowerConnect switches and the RIP features they support.
28 RIP parameters and defaults • Version (V1) • V1 compatible with V2 • Version (V2) (the default) ICMP host unreachable message for undeliverable ARPs If the router receives an ARP request packet that it is unable to deliver to the final destination because of the ARP timeout and no ARP response is received (the router knows of no route to the destination address), the router sends an ICMP Host Unreachable message to the source.
RIP parameters and defaults TABLE 171 28 RIP global parameters (Continued) Parameter Description Default Reference Learning default routes The router can learn default routes from its RIP neighbors. Disabled page 915 Advertising and learning with specific neighbors The Layer 3 Switch learns and advertises RIP routes with all its neighbors by default. You can prevent the Layer 3 Switch from advertising routes to specific neighbors or learning routes from specific neighbors.
28 Configuring RIP parameters Configuring RIP parameters Use the following procedures to configure RIP parameters on a system-wide and individual interface basis. Enabling RIP RIP is disabled by default. To enable it, use the following method. NOTE You must enable the protocol globally and also on individual interfaces on which you want to advertise RIP. Globally enabling the protocol does not enable it on individual interfaces. To enable RIP globally, enter the following command.
Configuring RIP parameters 28 PowerConnect(config)#interface ethernet 0/6/1 PowerConnect(config-if-0/6/1)#ip metric 5 These commands configure port 6/1 to add 5 to the cost of each route learned on the port. Syntax: ip metric <1-16> Configuring a RIP offset list A RIP offset list allows you to add to the metric of specific inbound or outbound routes learned or advertised by RIP.
28 Configuring RIP parameters NOTE Refer to “Changing administrative distances” on page 1014 for the default distances for all route sources. To change the administrative distance for RIP routes, enter a command such as the following. PowerConnect(config-rip-router)#distance 140 This command changes the administrative distance to 140 for all RIP routes. Syntax: [no] distance The variable specifies a range from 1 through 255.
Configuring RIP parameters 28 Syntax: [no] permit | deny redistribute all | bgp | ospf | static address [match-metric | set-metric ] The variable specifies the redistribution filter ID. The software uses the filters in ascending numerical order. Thus, if filter 1 denies a route from being redistributed, the software does not redistribute that route even if a filter with a higher ID permits redistribution of the route.
This command assigns a RIP metric of 10 to each route that is redistributed into RIP.
Syntax: [no] default-metric <1-15>
Enabling redistribution
After you configure redistribution parameters, you need to enable redistribution. To enable RIP redistribution, enter the following command.
PowerConnect(config-rip-router)#redistribution
Syntax: [no] redistribution
The no form of this command disables RIP redistribution.
PowerConnect(config-rip-router)#update-time 120
This command configures the Layer 3 Switch to send RIP updates every 120 seconds.
Syntax: update-time <1-1000>
Enabling learning of RIP default routes
You can enable learning of RIP default routes on a global or individual interface basis. To enable learning of default RIP routes on a global basis, enter the following command.
These loop prevention methods are configurable on an individual interface basis. One of the methods is always in effect on an interface enabled for RIP. If you disable one method, the other method is enabled.
NOTE
These methods may be used in addition to the RIP maximum valid route cost of 15.
To disable poison reverse and enable split horizon on an interface, enter commands such as the following.
NOTE
By default, routes that do not match a route filter are learned or advertised. To prevent a route from being learned or advertised, you must configure a filter to deny the route.
To configure RIP filters, enter commands such as the following.
PowerConnect(config-rip-router)#filter 1 permit 192.53.4.1 255.255.255.0
PowerConnect(config-rip-router)#filter 2 permit 192.53.5.1 255.255.255.
PowerConnect(config-rip-router)#filter 3
PowerConnect(config-rip-router)#filter 4
TABLE 173 CLI display of RIP filter information
This field... | Displays...
Route filters | The rows underneath “RIP Route Filter Table” list the RIP route filters. If no RIP route filters are configured on the device, the following message is displayed: “No Filters are configured in RIP Route Filter Table”.
Index | The filter number. You assign this number when you configure the filter.
Displaying CPU utilization statistics
PowerConnect#show process cpu
Process Name  5Sec(%)  1Min(%)  5Min(%)  15Min(%)
ARP           0.01     0.03     0.09     0.22
BGP           0.04     0.06     0.08     0.14
GVRP          0.00     0.00     0.00     0.00
ICMP          0.00     0.00     0.00     0.00
IP            0.00     0.00     0.00     0.00
OSPF          0.00     0.00     0.00     0.00
RIP           0.04     0.07     0.08     0.09
STP           0.00     0.00     0.00     0.00
VRRP          0.00     0.00     0.00     0.
Chapter 29 Configuring OSPF Version 2 (IPv4)
Table 174 lists the individual Dell PowerConnect switches and the OSPF Version 2 features they support.
TABLE 174 Supported OSPF V2 features (Continued)
Feature | PowerConnect B-Series FCX
Syslog messages | Yes
Clearing OSPF information | Yes
This chapter describes how to configure OSPF Version 2 on Layer 3 Switches using the CLI. OSPF Version 2 is supported on devices running IPv4.
NOTE
The terms Layer 3 Switch and router are used interchangeably in this chapter and mean the same thing.
Overview of OSPF
OSPF is a link-state routing protocol.
An Autonomous System Boundary Router (ASBR) is a router that is running multiple protocols and serves as a gateway to routers outside an area and those operating with different protocols. The ASBR is able to import and translate different protocol routes into OSPF through a process known as redistribution. For more details on redistribution and configuration examples, refer to “Enabling route redistribution” on page 953.
FIGURE 138 OSPF operating in a network
In an OSPF point-to-point network, where a direct Layer 3 connection exists between a single pair of OSPF routers, there is no need for Designated and Backup Designated Routers, as is the case in OSPF multi-access networks. Without the need for Designated and Backup Designated routers, a point-to-point network establishes adjacency and converges faster. The neighboring routers become adjacent whenever they can communicate directly.
NOTE
Priority is a configurable option at the interface level. You can use this parameter to help bias one router as the DR.
FIGURE 140 Backup designated router becomes designated router
[Figure: Routers A, B and C with router priorities 10, 20 and 5]
If two neighbors share the same priority, the router with the highest router ID is designated as the DR. The router with the next highest router ID is designated as the BDR.
NOTE
For details on how to configure the system to operate with RFC 2178, refer to “Modifying the OSPF standard compliance setting” on page 962.
Reduction of equivalent AS External LSAs
An OSPF ASBR uses AS External link advertisements (AS External LSAs) to originate advertisements of a route to another routing domain, such as a BGP4 or RIP domain.
FIGURE 141 AS External LSA reduction
Routers D, E, and F are OSPF ASBRs and EBGP routers.
[Figure: an OSPF Autonomous System (AS) containing Routers A, B, C, D (Router ID 2.2.2.2) and E (Router ID 1.1.1.1), connected through Router F to another routing domain (such as BGP4 or RIP)]
Notice that both Router D and Router E have a route to the other routing domain through Router F.
that flush the duplicate AS External LSAs have more memory for other OSPF data. In Figure 141, since Router D has a higher router ID than Router E, Router D floods the AS External LSAs for Router F to Routers A, B, and C. Router E flushes the equivalent AS External LSAs from its database.
Algorithm for AS External LSA reduction
Figure 141 shows an example in which the normal AS External LSA reduction feature is in effect.
All three networks have the same network address, 10.0.0.0. Without support for RFC 2328 Appendix E, an OSPF router uses the same link state ID, 10.0.0.0, for the LSAs for all three networks. For example, if the router generates an LSA with ID 10.0.0.0 for network 10.0.0.0 255.0.0.0, this LSA conflicts with the LSA generated for network 10.0.0.0 255.255.0.0 or 10.0.0.0 255.255.255.0. The result is multiple LSAs that have the same ID but that contain different route information.
You also can change the amount of memory allocated to various types of LSA entries. However, these changes require a system reset or reboot.
Dynamic OSPF memory
PowerConnect devices dynamically allocate memory for Link State Advertisements (LSAs) and other OSPF data structures. This eliminates overflow conditions and does not require a reload to change OSPF memory allocation. As long as the Layer 3 Switch has free (unallocated) dynamic memory, OSPF can use the memory.
4. Define redistribution filters, if desired.
5. Enable redistribution, if you defined redistribution filters.
6. Modify default global and port parameters as required.
7. Modify OSPF standard compliance, if desired.
NOTE
OSPF is automatically enabled without a system reset.
Configuration rules
• Dell PowerConnect devices support a maximum of 676 OSPF interfaces.
• If a router is to operate as an ASBR, you must enable the ASBR capability at the system level.
Interface parameters:
• Assign interfaces to an area.
• Define the authentication key for the interface.
• Change the authentication-change interval.
• Modify the cost for a link.
• Modify the dead interval.
• Modify MD5 authentication key parameters.
• Modify the priority of the interface.
• Modify the retransmit interval for the interface.
• Modify the transit delay of the interface.
NOTE
When using the CLI, you set global level parameters at the OSPF CONFIG level of the CLI.
If you have disabled the protocol but have not yet saved the configuration to the startup-config file and reloaded the software, you can restore the configuration information by re-entering the command to enable the protocol (for example, router ospf), or by selecting the Web management option to enable the protocol. If you have already saved the configuration to the startup-config file and reloaded the software, the information is gone.
When an NSSA contains more than one ABR, OSPF elects one of the ABRs to perform the LSA translation for the NSSA. OSPF elects the ABR with the highest router ID. If the elected ABR becomes unavailable, OSPF automatically elects the ABR with the next highest router ID to take over translation of LSAs for the NSSA. The election process for NSSA ABRs is automatic.
Example
To set up the OSPF areas shown in Figure 138 on page 923, enter the following commands.
The stub parameter specifies an additional cost for using a route to or from this area and can be from 1 through 16777215. There is no default. Normal areas do not use the cost parameter. The no-summary parameter applies only to stub areas and disables summary LSAs from being sent into the area.
NOTE
You can assign one area on a router interface. For example, if the system or chassis module has 16 ports, 16 areas are supported on the chassis or module.
The ABR translates the Type-7 LSAs into Type-5 LSAs. If an area range is configured for the NSSA, the ABR also summarizes the LSAs into an aggregate LSA before flooding the Type-5 LSAs into the backbone. Since the NSSA is partially “stubby”, the ABR does not flood external LSAs from the backbone into the NSSA. To provide access to the rest of the Autonomous System (AS), the ABR generates a default Type-7 LSA into the NSSA.
Configuring an NSSA
To configure OSPF area 1.1.1.
The parameter specifies the portions of the IP address that a route must contain to be summarized in the summary route. In the example above, all networks that begin with 209.157 are summarized into a single route.
Assigning an area range (optional)
You can assign a range for an area, but it is not required.
• ip ospf cost
• ip ospf dead-interval
• ip ospf hello-interval
• ip ospf md5-authentication key-activation-wait-time | key-id [0 | 1] key
• ip ospf passive
• ip ospf priority
• ip ospf retransmit-interval
• ip ospf transmit-delay
For a complete description of these parameters, see the summary of OSPF port parameters in the next section.
OSPF interface parameters
The following parameters apply to OSPF interfaces.
MD5-authentication activation wait time: The number of seconds the Layer 3 Switch waits until placing a new MD5 key into effect. The wait time provides a way to gracefully transition from one MD5 key to another without disturbing the network. The wait time can be from 0 through 14400 seconds. The default is 300 seconds (5 minutes).
MD5-authentication key ID and key: A method of authentication that requires you to configure a key ID and an MD5 key.
NOTE
If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior.
If you specify encryption option 1, the software assumes that you are entering the encrypted form of the password or authentication string. In this case, the software decrypts the password or string you enter before using the value for authentication.
Block flooding of outbound LSAs on specific OSPF interfaces
By default, the Layer 3 Switch floods all outbound LSAs on all the OSPF interfaces within an area. You can configure a filter to block outbound LSAs on an OSPF interface. This feature is particularly useful when you want to block LSAs from some, but not all, of the interfaces attached to the area. After you apply filters to block the outbound LSAs, the filtering occurs during the database synchronization and flooding.
PowerConnect(config)#int ve 20
PowerConnect(config-vif-20)#ip ospf area 0
PowerConnect(config-vif-20)#ip ospf network non-broadcast
PowerConnect(config-vif-20)#exit
Syntax: [no] ip ospf network non-broadcast
The following commands specify 1.1.20.1 as an OSPF neighbor address. The address specified must be in the same subnet as a non-broadcast interface.
PowerConnect(config)#router ospf
PowerConnect(config-ospf-router)#neighbor 1.1.20.
NOTE
By default, the Dell router ID is the IP address configured on the lowest numbered loopback interface. If the Layer 3 Switch does not have a loopback interface, the default router ID is the lowest numbered IP address configured on the device. For more information or to change the router ID, refer to “Changing the router ID” on page 809.
NOTE
When you establish an area virtual link, you must configure it on both of the routers (both ends of the virtual link).
PowerConnectC(config-ospf-router)#area 1 virtual-link 10.0.0.1
PowerConnectC(config-ospf-router)#write memory
Syntax: area | virtual-link [authentication-key | dead-interval | hello-interval | retransmit-interval | transmit-delay ]
The area | parameter specifies the transit area. The parameter specifies the router ID of the OSPF router at the remote end of the virtual link.
MD5 Authentication Wait Time: This parameter determines when a newly configured MD5 authentication key is valid. This parameter provides a graceful transition from one MD5 key to another without disturbing the network. All new packets transmitted after the key activation wait time interval use the newly configured MD5 Key. OSPF packets that contain the old MD5 key are accepted for up to five minutes after the new MD5 key is in operation.
Changing the reference bandwidth for the cost on OSPF interfaces
Each interface on which OSPF is enabled has a cost associated with it. The Layer 3 Switch advertises its interfaces and their costs to OSPF neighbors. For example, if an interface has an OSPF cost of ten, the Layer 3 Switch advertises the interface with a cost of ten to other OSPF routers. By default, an interface OSPF cost is based on the port speed of the interface.
Interface types to which the reference bandwidth does not apply
Some interface types are not affected by the reference bandwidth and always have the same cost regardless of the reference bandwidth in use:
• The cost of a loopback interface is always 0.
• The cost of a virtual link is calculated using the Shortest Path First (SPF) algorithm and is not affected by the auto-cost feature.
• The bandwidth for tunnel interfaces is 9 Kbps and is not affected by the auto-cost feature.
In Figure 144 on page 948, an administrator wants to configure the PowerConnect Layer 3 Switch acting as the ASBR (Autonomous System Boundary Router) between the RIP domain and the OSPF domain to redistribute routes between the two domains.
NOTE
The ASBR must be running both RIP and OSPF protocols to support this activity.
To configure for redistribution, define the redistribution tables with deny and permit redistribution filters.
NOTE
Redistribution is permitted for all routes by default, so the permit redistribute 1 all command in the example above is shown for clarity but is not required.
You also have the option of specifying import of just OSPF, BGP4, or static routes, as well as specifying that only routes for a specific network or with a specific cost (metric) be imported, as shown in the following command syntax.
Preventing specific OSPF routes from being installed in the IP route table
By default, all OSPF routes in the OSPF route table are eligible for installation in the IP route table. You can configure a distribution list to explicitly deny specific routes from being eligible for installation in the IP route table.
NOTE
This feature does not block receipt of LSAs for the denied routes. The Layer 3 Switch still receives the routes and installs them in the OSPF database.
Syntax: deny | permit
The | parameter specifies the ACL name or ID. The in command applies the ACL to incoming route updates. The parameter specifies the interface number on which to apply the ACL. Enter only one valid interface number. If necessary, use the show interface brief command to display a list of valid interfaces.
PowerConnect(config)#ip access-list extended no_ip
PowerConnect(config-ext-nACL)#deny ip 4.0.0.0 0.255.255.255 255.255.0.0 0.0.255.255
PowerConnect(config-ext-nACL)#permit ip any any
PowerConnect(config-ext-nACL)#exit
PowerConnect(config)#router ospf
The first three commands configure an extended ACL that denies routes to any 4.x.x.x destination network with a 255.255.0.0 network mask and allows all other routes for eligibility to be installed in the IP route table.
Because this ACL is input to an OSPF distribution list, the parameter actually specifies the subnet mask of the route. The parameter specifies the portion of the subnet mask to match against. For example, the and values 255.255.255.255 0.0.0.255 mean that subnet mask /24 and longer match the ACL. If you want the policy to match on all network masks, enter any any.
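To make the mask-matching rule above concrete, here is an added Python model (not code from this guide or from Dell) of how an extended ACL used as an OSPF distribution list evaluates a route: the "source" fields are matched against the route's network address and the "destination" fields against its subnet mask, using ordinary wildcard-bit semantics. First-match wins and an unmatched route is treated as denied; both are standard ACL behaviour assumed here rather than stated on this page.

```python
"""Model of OSPF distribution-list ACL matching (added example, not Dell code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def _ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """Classic ACL test: a wildcard bit of 1 means 'don't care' for that bit."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(value) & care) == (_ip_int(pattern) & care)


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    net: str           # pattern for the route's network address
    net_wild: str      # wildcard for the network address
    mask: str          # pattern for the route's subnet mask (the "destination" field)
    mask_wild: str     # wildcard for the subnet mask


def parse_entry(line: str) -> AclEntry:
    """Parse one 'permit|deny ip <net> <wild> <mask> <wild>' line; 'any' = 0.0.0.0 255.255.255.255."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACL entry: {line!r}")
    fields: List[Tuple[str, str]] = []
    i = 0
    while i < len(rest):
        if rest[i] == "any":
            fields.append(("0.0.0.0", "255.255.255.255"))
            i += 1
        else:
            fields.append((rest[i], rest[i + 1]))
            i += 2
    if len(fields) != 2:
        raise ValueError(f"expected two address/wildcard pairs: {line!r}")
    (net, net_wild), (mask, mask_wild) = fields
    return AclEntry(action, net, net_wild, mask, mask_wild)


def prefix_to_mask(prefixlen: int) -> str:
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)


def mask_matches(pattern: str, wildcard: str, prefixlen: int) -> bool:
    """Does a route with the given prefix length satisfy a mask/wildcard pair?"""
    return wildcard_match(prefix_to_mask(prefixlen), pattern, wildcard)


def route_eligible(acl: List[AclEntry], network: str, prefixlen: int) -> bool:
    """First matching entry decides; no match = deny (assumed implicit deny)."""
    mask = prefix_to_mask(prefixlen)
    for entry in acl:
        if (wildcard_match(network, entry.net, entry.net_wild)
                and wildcard_match(mask, entry.mask, entry.mask_wild)):
            return entry.action == "permit"
    return False


# The no_ip ACL from the page, as constructed sample input.
NO_IP_ACL = [
    parse_entry("deny ip 4.0.0.0 0.255.255.255 255.255.0.0 0.0.255.255"),
    parse_entry("permit ip any any"),
]

if __name__ == "__main__":
    for net, plen in [("4.1.0.0", 16), ("4.1.0.0", 17), ("4.0.0.0", 8), ("10.1.0.0", 16)]:
        print(f"{net}/{plen}: eligible={route_eligible(NO_IP_ACL, net, plen)}")
    # Page statement: 255.255.255.255 0.0.0.255 matches /24 and longer.
    print([plen for plen in range(16, 33) if mask_matches("255.255.255.255", "0.0.0.255", plen)])
```

Note that the wildcard 0.0.255.255 in the deny entry matches any mask whose first two octets are 255.255, so 4.x.x.x routes with /17 through /32 masks are denied along with the /16 routes the text describes.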
PowerConnect(config)#ip route 1.1.0.0 255.255.0.0 207.95.7.30
PowerConnect(config)#ip route 1.2.0.0 255.255.0.0 207.95.7.30
PowerConnect(config)#ip route 1.3.0.0 255.255.0.0 207.95.7.30
PowerConnect(config)#ip route 4.1.0.0 255.255.0.0 207.95.6.30
PowerConnect(config)#ip route 4.2.0.0 255.255.0.0 207.95.6.30
PowerConnect(config)#ip route 4.3.0.0 255.255.0.0 207.95.6.30
PowerConnect(config)#ip route 4.4.0.0 255.255.0.0 207.95.6.
NOTE
For an external route that is redistributed into OSPF through a route map, the metric value of the route remains the same unless the metric is set by a set metric command inside the route map. The default-metric command has no effect on the route. This behavior is different from a route that is redistributed without using a route map. For a route redistributed without using a route map, the metric is set by the default-metric command.
• PowerConnect->R4
• PowerConnect->R5
• PowerConnect->R6
Normally, the Dell PowerConnect switch will choose the path to R1 with the lower metric. For example, if the R3 metric is 1400 and the R4 metric is 600, the Dell PowerConnect switch will always choose R4. However, suppose the metric is the same for all four routers in this example. If the costs are the same, the switch now has four equal-cost paths to R1.
PowerConnect(config-ospf-router)#summary-address 10.1.0.0 255.255.0.0
The command in this example configures summary address 10.1.0.0, which includes addresses 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. For all of these networks, only the address 10.1.0.0 (the parent route) is advertised in external LSAs.
If the Layer 3 Switch is an ASBR, you can use the “always” option when you enable the default route origination. The always option causes the ASBR to create and advertise a default route if it does not already have one configured. If default route origination is enabled and you disable it, the default route originated by the Layer 3 Switch is flushed. Default routes generated by other OSPF routers are not affected.
You can set the delay and hold time to lower values to cause the Layer 3 Switch to change to alternate paths more quickly in the event of a route failure. Note that lower values require more CPU processing time. You can change one or both of the timers. To do so, enter commands such as the following.
PowerConnect(config-ospf-router)#timers spf 10 20
The command in this example changes the SPF delay to 10 seconds and changes the SPF hold time to 20 seconds.
• Inter-area routes
• External routes
The default for all these OSPF route types is 110.
NOTE
This feature does not influence the choice of routes within OSPF. For example, an OSPF intra-area route is always preferred over an OSPF inter-area route, even if the intra-area route distance is greater than the inter-area route distance.
To change the default administrative distances for inter-area routes, intra-area routes, and external routes, enter the following command.
Syntax: [no] timers lsa-group-pacing
The parameter specifies the number of seconds and can be from 10 through 1800 (30 minutes). The default is 240 seconds (4 minutes).
To restore the pacing interval to its default value, enter the following command.
PowerConnect(config-ospf-router)#no timers lsa-group-pacing
Modifying OSPF traps generated
OSPF traps as defined by RFC 1850 are supported on Dell routers. OSPF trap generation is enabled on the router by default.
Example
To reinstate the trap, enter the following command.
PowerConnect(config-ospf-router)#trap neighbor-state-change-trap
Syntax: [no] trap
Specifying the types of OSPF Syslog messages to log
You can specify which kinds of OSPF-related Syslog messages are logged. By default, the only OSPF messages that are logged are those indicating possible system errors.
NOTE
PowerConnect devices dynamically allocate OSPF memory as needed. Refer to “Dynamic OSPF memory” on page 930.
To modify the exit overflow interval to 60 seconds, enter the following command.
PowerConnect(config-ospf-router)#database-overflow-interval 60
Syntax: database-overflow-interval
The value can be from 0 through 86400 seconds. The default is 0 seconds.
Enabling and disabling OSPF graceful restart
OSPF graceful restart is enabled by default on a PowerConnect Layer 3 switch. To disable it, use the following commands.
PowerConnect(config)#router ospf
PowerConnect(config-ospf-router)#no graceful-restart
To re-enable OSPF graceful restart after it has been disabled, enter the following commands.
• OSPF area information, including routes received from OSPF neighbors within an area, as well as routes imported into the area. You can clear area information for all OSPF areas, or for a specified OSPF area.
The OSPF information is cleared dynamically when you enter the command; you do not need to remove statements from the Dell PowerConnect configuration or reload the software for the change to take effect.
Syntax: clear ospf redistribution
This command clears all routes in the OSPF routing table that are redistributed from other protocols, including directly connected, static, RIP, and BGP. To import redistributed routes from other protocols, use the redistribution command at the OSPF configuration level.
Clearing information for OSPF areas
To clear information on the Dell PowerConnect device about all OSPF areas, enter the following command.
• Trap state information – refer to “Displaying OSPF trap status” on page 978.
• OSPF graceful restart – refer to “Displaying OSPF graceful restart information” on page 978.
Displaying general OSPF configuration information
To display general OSPF configuration information, enter the following command at any CLI level.
Displaying CPU utilization statistics
You can display CPU utilization statistics for OSPF and other IP protocols. To display CPU utilization statistics for OSPF for the previous one-second, one-minute, five-minute, and fifteen-minute intervals, enter the following command at any level of the CLI.
PowerConnect#show process cpu
Process Name  5Sec(%)  1Min(%)
ARP           0.01     0.03
BGP           0.04     0.06
GVRP          0.00     0.00
ICMP          0.00     0.00
IP            0.00     0.00
OSPF          0.03     0.06
RIP           0.00     0.00
STP           0.00     0.00
VRRP          0.
The parameter specifies the number of seconds and can be from 1 through 900. If you use this parameter, the command lists the usage statistics only for the specified number of seconds. If you do not use this parameter, the command lists the usage statistics for the previous one-second, one-minute, five-minute, and fifteen-minute intervals.
Displaying OSPF area information
To display OSPF area information, enter the following command at any CLI level.
PowerConnect#show ip ospf neighbor detail
Port     Address   Pri  State     Neigh Address  Neigh ID     Ev  Op  Cnt
9/1      20.2.0.2  1    FULL/DR   20.2.0.1       2.2.2.2      6   2   0
  Second-to-dead:39
10/1     20.3.0.2  1    FULL/BDR  20.3.0.1       3.3.3.3      5   2   0
  Second-to-dead:36
1/1-1/8  23.5.0.1  1    FULL/DR   23.5.0.2       16.16.16.16  6   2   0
  Second-to-dead:33
2/1-2/2  23.2.0.1  1    FULL/DR   23.2.0.2       15.15.15.
  Second-to-dead:33
TABLE 176 CLI display of OSPF neighbor information (Continued)
Field | Description
State | The state of the conversation between the Layer 3 Switch and the neighbor. This field can have one of the following values:
• Down – The initial state of a neighbor conversation. This value indicates that there has been no recent information received from the neighbor.
• Attempt – This state is only valid for neighbors attached to non-broadcast networks.
PowerConnect#show ip ospf interface 192.168.1.1
Ethernet 2/1,OSPF enabled
IP Address 192.168.1.1, Area 0
OSPF state ptr2ptr, Pri 1, Cost 1, Options 2, Type pt-2-pt Events 1
Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40
DR: Router ID 0.0.0.0 Interface Address 0.0.0.0
BDR: Router ID 0.0.0.0 Interface Address 0.0.0.0
Neighbor Count = 0, Adjacent Neighbor Count= 1
Neighbor: 2.2.2.
TABLE 177 Output of the show ip ospf interface command (Continued)
Field | Definition
Events | OSPF Interface Event:
• Interface_Up = 0x00
• Wait_Timer = 0x01
• Backup_Seen = 0x02
• Neighbor_Change = 0x03
• Loop_Indication = 0x04
• Unloop_Indication = 0x05
• Interface_Down = 0x06
• Interface_Passive = 0x07
Adjacent Neighbor Count | The number of adjacent neighbor routers.
Neighbor: | The neighbor router ID.
TABLE 178 CLI Display of OSPF route information (Continued)
Field | Definition
Path_Type | The type of path, which can be one of the following:
• Inter – The path to the destination passes into another area.
• Intra – The path to the destination is entirely within the local area.
• External1 – The path to the destination is a type 1 external route.
• External2 – The path to the destination is a type 2 external route.
PowerConnect#show ip ospf redistribute route 3.1.0.0 255.255.0.0
3.1.0.0 255.255.0.0 static
Displaying OSPF external link state information
To display external link state information, enter the following command at any CLI level.
PowerConnect#show ip ospf database external-link-state
Index  Aging  LS ID       Router
1      1794   1.168.64.0  192.85.
2      1794   3.215.0.0
3      1794   1.27.250.0
4      1794   1.24.23.0
5      1794   1.21.52.0
6      1794   1.18.81.0
7      1794   1.15.110.0
8      1794   1.12.139.0
9      1794   1.9.168.0
TABLE 179 CLI display of OSPF external link state information (Continued)
Field | Definition
Seq(hex) | The sequence number of the LSA. The OSPF neighbor that sent the LSA stamps it with a sequence number to enable the Layer 3 Switch and other OSPF routers to determine which LSA for a given route is the most recent.
Chksum | A checksum for the LSA packet, which is based on all the fields in the packet except the age field.
PowerConnect#show ip ospf database external-link-state advertise 3
Index  Aging  LS ID       Router      Netmask   Metric    Flag
3      619    1.27.250.0  192.85.0.3  fffffe00  000003e8  b500 0.0.0.0
LSA Header: age: 619, options: 0x02, seq-nbr: 0x80000003, length: 36
NetworkMask: 255.255.254.0
TOS 0: metric_type: 1, metric: 1000
forwarding_address: 0.0.0.
PowerConnect#show ip ospf border-routers
Syntax: show ip ospf border-routers []
The parameter displays the ABR and ASBR entries for the specified IP address.
Displaying OSPF trap status
All traps are enabled by default when you enable OSPF. To disable or re-enable an OSPF trap, refer to “Modifying OSPF traps generated” on page 961.
To display the state of each OSPF trap, enter the following command at any CLI level.
Table 180 defines the fields in the show output.
TABLE 180 CLI display of OSPF database grace LSA information
Field | Definition
Area | The OSPF area that the interface configured for OSPF graceful restart is in.
Interface | The interface that is configured for OSPF graceful restart.
Adv Rtr | The ID of the advertised route.
Age | The age of the LSA in seconds.
Seq (Hex) | The sequence number of the LSA.
Chapter 30 Configuring BGP4 (IPv4) Table 181 lists individual Dell PowerConnect switches and the BGP4 features they support. BGP4 features are supported on PowerConnect B-Series FCX ADV devices running the full Layer 3 software image.
Overview of BGP4
BGP4 is the standard Exterior Gateway Protocol (EGP) used on the Internet to route traffic between Autonomous Systems (AS) and to maintain loop-free routing. An autonomous system is a collection of networks that share the same routing and administration characteristics. For example, a corporate intranet consisting of several networks under common administrative control might be considered an AS.
Although a Layer 3 Switch BGP4 route table can have multiple routes to the same destination, the BGP4 protocol evaluates the routes and chooses only one of the routes to send to the IP route table. The route that BGP4 chooses and sends to the IP route table is the preferred route and will be used by the Layer 3 Switch. If the preferred route goes down, BGP4 updates the route information in the IP route table with a new BGP4 preferred route.
3. If the weights are the same, prefer the route with the largest local preference.
4. If the routes have the same local preference, prefer the route that was originated locally (by this BGP4 Layer 3 Switch).
5. If the local preferences are the same, prefer the route with the shortest AS-path. An AS-SET counts as 1. A confederation path length, if present, is not counted as part of the path length.
6. If the AS-path lengths are the same, prefer the route with the lowest origin type.
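The tie-break steps listed above can be checked against a small model. The following Python is an added example, not Dell's code: it compares candidate paths on weight (inferred from the wording of step 3), local preference, local origination, AS-path length with the AS-SET and confederation rules from step 5, and origin type; the ordering IGP < EGP < INCOMPLETE and the defaults of weight 0 and local preference 100 are assumptions from standard BGP practice, not statements on this page.

```python
"""BGP4 best-path tie-break steps 3 through 6, modelled as a comparator (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Standard BGP origin ordering; lower rank is preferred (assumption, not from this page).
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

# AS-path segment kinds: "seq" counts one per AS, "set" counts 1,
# confederation segments are not counted at all (step 5 on the page).
Segment = Tuple[str, List[int]]


@dataclass
class Bgp4Path:
    next_hop: str
    weight: int = 0                  # assumed default
    local_pref: int = 100            # assumed default
    locally_originated: bool = False
    as_path: List[Segment] = field(default_factory=list)
    origin: str = "igp"


def as_path_length(segments: List[Segment]) -> int:
    """Path length as step 5 defines it: AS-SET counts 1, confederation segments count 0."""
    length = 0
    for kind, asns in segments:
        if kind == "seq":
            length += len(asns)
        elif kind == "set":
            length += 1
        elif kind in ("confed_seq", "confed_set"):
            continue
        else:
            raise ValueError(f"unknown segment kind {kind!r}")
    return length


# Each step maps a path to a sort key; the smaller key is the preferred path.
STEPS: List[Tuple[str, Callable[[Bgp4Path], int]]] = [
    ("weight", lambda p: -p.weight),
    ("local preference", lambda p: -p.local_pref),
    ("locally originated", lambda p: 0 if p.locally_originated else 1),
    ("AS-path length", lambda p: as_path_length(p.as_path)),
    ("origin type", lambda p: ORIGIN_RANK[p.origin]),
]


def compare(a: Bgp4Path, b: Bgp4Path) -> Tuple[str, str]:
    """Return ('a'|'b'|'tie', step name) for the first step that separates the two paths."""
    for name, key in STEPS:
        ka, kb = key(a), key(b)
        if ka != kb:
            return ("a" if ka < kb else "b", name)
    return ("tie", "undecided by steps 3-6")


def best_path(paths: List[Bgp4Path]) -> Bgp4Path:
    """Pick the winner by lexicographic comparison of all step keys (earlier step dominates)."""
    return min(paths, key=lambda p: tuple(key(p) for _, key in STEPS))


# Constructed sample paths to the same destination.
P1 = Bgp4Path("10.0.0.1", as_path=[("seq", [65001, 65002, 65003])])
P2 = Bgp4Path("10.0.0.2", as_path=[("seq", [65001]), ("set", [65002, 65003])])   # length 2
P3 = Bgp4Path("10.0.0.3", local_pref=90, as_path=[("seq", [65001])])           # shortest, but lower pref
P4 = Bgp4Path("10.0.0.4", origin="incomplete",
              as_path=[("confed_seq", [65100, 65101]), ("seq", [65001, 65002])])  # length 2

if __name__ == "__main__":
    print("best:", best_path([P1, P2, P3, P4]).next_hop)
    for x, y in [(P1, P2), (P2, P3), (P2, P4)]:
        print(x.next_hop, "vs", y.next_hop, "->", compare(x, y))
```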
NOTE
Layer 3 Switches support BGP4 load sharing among multiple equal-cost paths. BGP4 load sharing enables the Layer 3 Switch to balance the traffic across the multiple paths instead of choosing just one path based on router ID. For EBGP routes, load sharing applies only when the paths are from neighbors within the same remote AS. EBGP paths from neighbors in different autonomous systems are not compared.
UPDATE message
After BGP4 neighbors establish a BGP4 connection over TCP and exchange their BGP4 routing tables, they do not send periodic routing updates. Instead, a BGP4 neighbor sends an update to its neighbor when it has a new route to advertise or routes have changed or become unfeasible. An UPDATE message can contain the following information:
• Network Layer Reachability Information (NLRI) – The mechanism by which BGP4 supports Classless Interdomain Routing (CIDR).
BGP4 graceful restart
BGP4 graceful restart is a high-availability routing feature that minimizes disruption in traffic forwarding, diminishes route flapping, and provides continuous service during a system restart, switchover, failover, or hitless OS upgrade. During such events, routes remain available between devices. BGP4 graceful restart operates between a device and its peers, and must be configured on each participating device.
NOTE
By default, the router ID is the IP address configured on the lowest numbered loopback interface. If the Layer 3 Switch does not have a loopback interface, the default router ID is the lowest numbered IP interface address configured on the device. For more information or to change the router ID, refer to “Changing the router ID” on page 809.
If you change the router ID, all current BGP4 sessions are cleared.
• Required – Identify BGP4 neighbors.
• Optional – Change the default local preference for routes.
• Optional – Require the first AS in an Update from an EBGP neighbor to be the neighbor AS (updates whose AS-path does not begin with the neighbor's own AS are rejected).
• Optional – Change the Keep Alive Time and Hold Time.
• Optional – Change the update timer for route changes.
• Optional – Enable fast external fallover.

Immediately

The following parameter changes take effect immediately:
• Enable or disable BGP.
• Enable or disable use of a default route to resolve a BGP4 next-hop route.
• Set or change the local AS.
• Add neighbors.
• Change the update timer for route changes.
• Disable or enable fast external fallover.
• Specify individual networks that can be advertised.

After disabling and re-enabling redistribution

The following parameter change takes effect only after you disable and then re-enable redistribution:
• Change the default MED (metric).

Memory considerations

BGP4 handles a very large number of routes and therefore requires a lot of memory. For example, in a typical configuration with just a single BGP4 neighbor, a BGP4 router may need to be able to hold up to 80,000 routes.
Basic configuration tasks

The following sections describe how to perform the configuration tasks that are required to use BGP4 on the Layer 3 Switch. You can modify many parameters in addition to the ones described in this section. Refer to “Optional configuration tasks” on page 1004.

Enabling BGP4 on the router

When you enable BGP4 on the router, BGP4 is automatically activated. To enable BGP4 on the router, enter the following commands.

Setting the local AS number

The local AS number identifies the AS the Dell BGP4 router is in. The AS number can be from 1 through 65535. There is no default. AS numbers 64512 through 65535 are the well-known private BGP4 AS numbers and are not advertised to the Internet community (65535 has since been set aside as a reserved AS number rather than a private one; neither a private nor a reserved AS should appear in paths you advertise to the Internet). To set the local AS number, enter commands such as the following.

PowerConnect(config)#router bgp
BGP4: Please configure 'local-as' parameter in order to enable BGP4.
NOTE
If the Layer 3 Switch has multiple neighbors with similar attributes, you can simplify configuration by configuring a peer group, then adding individual neighbors to it. The configuration steps are similar, except you specify a peer group name instead of a neighbor IP address when configuring the neighbor parameters, then add individual neighbors to the peer group. Refer to “Adding a BGP4 peer group” on page 1000.

NOTE
The Layer 3 Switch applies the advertisement interval only under certain conditions. The Layer 3 Switch does not apply the advertisement interval when sending initial updates to a BGP4 neighbor. As a result, the Layer 3 Switch sends the updates one immediately after another, without waiting for the advertisement interval.

capability orf prefixlist [send | receive] configures cooperative router filtering.

filter-list in | out specifies an AS-path filter list or a list of AS-path ACLs. The in | out keyword specifies whether the list is applied on updates received from the neighbor or sent to the neighbor. The list parameter specifies the list of AS-path filters. The router applies the filters in the order in which you list them and stops applying the filters in the AS-path filter list when a match is found.
NOTE
If you want the software to assume that the value you enter is the clear-text form, and to encrypt display of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default behavior. If you specify encryption option 1, the software assumes that you are entering the encrypted form of the password or authentication string. This "encryption" protects only the display: a BGP4 neighbor password is a TCP MD5 shared secret (RFC 2385) that the switch must recover in clear text to sign every segment, so the stored form is reversible obfuscation rather than a one-way hash. Treat configuration files as sensitive and rotate the secret if one is exposed.

indefinitely for messages from a neighbor without concluding that the neighbor is dead. The defaults for these parameters are the currently configured global Keep Alive Time and Hold Time. For more information about these parameters, refer to “Changing the Keep Alive Time and Hold Time” on page 1004.

unsuppress-map re-advertises to a neighbor routes that have been suppressed because they are covered by an aggregate (for example, by aggregate-address with summary-only); it does not affect route flap dampening.

PowerConnect#show ip bgp config
Current BGP configuration:
router bgp
 local-as 2
 neighbor xyz peer-group
 neighbor xyz password 1 $!2d
 neighbor 10.10.200.102 peer-group xyz
 neighbor 10.10.200.102 remote-as 1
 neighbor 10.10.200.102 password 1 $on-o

Notice that the software has converted the commands that specify an authentication string into the new syntax (described below), and has encrypted display of the authentication strings.

The enable password-display command enables display of the authentication string, but only in the output of the show ip bgp neighbors command. Display of the string is still encrypted in the startup-config file and running-config. Enter the command at the global CONFIG level of the CLI.

NOTE
The command also displays SNMP community strings in clear text, in the output of the show snmp server command. Because it reveals every configured BGP4 secret and SNMP community string to anyone who can run show commands, enable it only while troubleshooting and disable it again afterwards.
NOTE
If you enter a command to remove the remote AS parameter from a peer group, the software checks to ensure that the peer group does not contain any neighbors. If the peer group does contain neighbors, the software does not allow you to remove the remote AS. The software prevents removing the remote AS in this case so that the neighbors in the peer group that are using the remote AS do not lose connectivity to the Layer 3 Switch.

• If you add a parameter to a peer group that already contains neighbors, the parameter value is applied to neighbors that do not already have the parameter explicitly set. If a neighbor has the parameter explicitly set, the explicitly set value overrides the value you set for the peer group.

[send-community] [soft-reconfiguration inbound] [shutdown] [timers keep-alive hold-time] [update-source loopback] [weight]

The first parameter of the neighbor command, a peer group name or an IP address, indicates whether you are configuring a peer group or an individual neighbor. If you specify a peer group name, you are configuring a peer group.

NOTE
The software also contains an option to end the session with a BGP4 neighbor and thus clear the routes learned from the neighbor. Unlike this clear option, the option for shutting down the neighbor can be saved in the startup-config file and thus can prevent the Layer 3 Switch from establishing a BGP4 session with the neighbor even after reloading the software.

For each keyword, the value that follows it is a number of seconds. The Keep Alive Time can be 0 through 65535. The Hold Time can be 0 or 3 through 65535 (1 and 2 are not allowed). If you set the Hold Time to 0, the router waits indefinitely for messages from a neighbor without concluding that the neighbor is dead.

Changing the BGP4 next-hop update timer

By default, the Layer 3 Switch updates its BGP4 next-hop tables and affected BGP4 routes five seconds after IGP route changes.
Changing the maximum number of paths for BGP4 load sharing

Load sharing enables the Layer 3 Switch to balance traffic to a route across multiple equal-cost paths of the same type (EBGP or IBGP) for the route. To configure the Layer 3 Switch to perform BGP4 load sharing:
• Enable IP load sharing if it is disabled.
• Set the maximum number of paths.
The default maximum number of BGP4 load sharing paths is 1, which means no BGP4 load sharing takes place by default.

If an IGP path used by a BGP4 next-hop route path installed in the IP route table changes, then the BGP4 paths and IP paths are adjusted accordingly. For example, if one of the OSPF paths to reach the BGP4 next hop goes down, the software removes this path from the BGP4 route table and the IP route table.

• multi-as – Load sharing is enabled for paths from different autonomous systems.
By default, load sharing applies to EBGP and IBGP paths, and does not apply to paths from different neighboring autonomous systems.

Specifying a list of networks to advertise

By default, the router sends BGP4 routes only for the networks you identify using the network command or that are redistributed into BGP4 from RIP or OSPF. You can specify up to 600 networks.

To configure a route map, and use it to set or change route attributes for a network you define for BGP4 to advertise, enter commands such as the following.

PowerConnect(config)#route-map set_net permit 1
PowerConnect(config-routemap set_net)#set community no-export
PowerConnect(config-routemap set_net)#exit
PowerConnect(config)#router bgp
PowerConnect(config-bgp-router)#network 100.100.1.
Using the IP default route as a valid next hop for a BGP4 route

By default, the Layer 3 Switch does not use a default route to resolve a BGP4 next-hop route. If the IP route lookup for the BGP4 next hop does not result in a valid IGP route (including static or direct routes), the BGP4 next hop is considered to be unreachable and the BGP4 route is not used.

Enabling next-hop recursion

For each BGP4 route a Layer 3 Switch learns, the Layer 3 Switch performs a route lookup to obtain the IP address of the route next hop. A BGP4 route becomes eligible for installation into the IP route table only if the following conditions are true:
• The lookup succeeds in obtaining a valid next-hop IP address for the route.
• The path to the next-hop IP address is an Interior Gateway Protocol (IGP) path or a static route path.

PowerConnect#show ip bgp route
Total number of BGP Routes: 5
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix           Next Hop    Metric  LocPrf  Weight
1   0.0.0.0/0        10.1.0.2    0       100     0
    AS_PATH: 65001 4355 701 80
2   102.0.0.0/24     10.0.0.1    1       100     0
    AS_PATH: 65001 4355 1
3   104.0.0.0/24     10.1.0.2    0       100     0
    AS_PATH: 65001 4355 701 1 189
4   240.0.0.0/24     102.0.0.1   1       100     0
    AS_PATH: 65001 4355 3356 7170 1455
5   250.0.0.0/24     209.

PowerConnect#show ip bgp route
Total number of BGP Routes: 5
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED
    Prefix           Next Hop    Metric  LocPrf
1   0.0.0.0/0        10.1.0.2    0       100
    AS_PATH: 65001 4355 701 80
2   102.0.0.0/24     10.0.0.1    1       100
    AS_PATH: 65001 4355 1
3   104.0.0.0/24     10.1.0.2    0       100
    AS_PATH: 65001 4355 701 1 189
4   240.0.0.0/24     102.0.0.1   1       100
    AS_PATH: 65001 4355 3356 7170 1455
5   250.0.0.0/24     209.157.24.

This Layer 3 Switch can use this route because the Layer 3 Switch has an IP route to the next-hop gateway. Without recursive next-hop lookups, this route would not be in the IP route table.

Enabling recursive next-hop lookups

The recursive next-hop lookups feature is disabled by default. To enable recursive next-hop lookups, enter the following command at the BGP configuration level of the CLI.
Lower administrative distances are preferred over higher distances. For example, if the router receives routes for the same network from OSPF and from RIP, the router will prefer the OSPF route by default. The administrative distances are configured in different places in the software.

PowerConnect(config-bgp-router)#as-path-ignore

This command disables comparison of the AS-Path lengths of otherwise equal paths. When you disable AS-Path length comparison, the BGP4 algorithm shown in “How BGP4 selects a path for a route” on page 983 skips from Step 4 to Step 6.

Syntax: [no] as-path-ignore

Enabling or disabling comparison of the router IDs

Router ID comparison is Step 10 in the algorithm BGP4 uses to select the next path for a route.

You can enable the Layer 3 Switch to always compare the MEDs, regardless of the AS information in the paths. For example, if the router receives UPDATES for the same route from neighbors in three autonomous systems, the router would compare the MEDs of all the paths together, rather than comparing the MEDs for the paths in each AS individually.

NOTE
By default, value 0 (most favorable) is used in MED comparison when the MED attribute is not present.
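The selection steps listed in the overview (weight, local preference, local origination, AS-path length with AS-SET counting as 1 and confederation segments not counted, origin type), the effect of as-path-ignore, and the note that an absent MED is compared as 0 can be exercised with a small comparator. This is an added Python example written for this page, not Dell software and not the switch's own implementation; the step numbers follow the guide, and the steps the excerpt does not spell out (EBGP over IBGP, lower IGP metric to the next hop, lowest router ID as the final tie-break) are marked as assumptions in the comments.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# AS_PATH segment types (RFC 4271, RFC 5065)
AS_SEQUENCE = "AS_SEQUENCE"
AS_SET = "AS_SET"
AS_CONFED_SEQUENCE = "AS_CONFED_SEQUENCE"
AS_CONFED_SET = "AS_CONFED_SET"

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred


@dataclass
class Path:
    prefix: str
    next_hop: str
    neighbor_as: int                       # AS of the neighbor the path came from
    as_path: List[Tuple[str, List[int]]]   # ordered (segment type, ASNs) pairs
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "igp"
    med: Optional[int] = None              # None models an absent MED attribute
    ibgp: bool = False
    igp_metric: int = 0                    # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"


def as_path_length(path: Path) -> int:
    """Step 5 length: each AS in an AS_SEQUENCE counts 1, an AS_SET counts 1
    in total, and confederation segments are not counted at all."""
    length = 0
    for seg_type, asns in path.as_path:
        if seg_type == AS_SEQUENCE:
            length += len(asns)
        elif seg_type == AS_SET:
            length += 1
    return length


def effective_med(path: Path) -> int:
    # An absent MED is compared as 0, the most favourable value (guide's note).
    return 0 if path.med is None else path.med


def compare(a: Path, b: Path, as_path_ignore: bool = False,
            always_compare_med: bool = False) -> Path:
    """Return the preferred of two paths to the same prefix by walking the
    selection steps in order; the first step that differs decides."""
    if a.weight != b.weight:                            # step 2: larger weight
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:                    # step 3: larger local preference
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:    # step 4: locally originated
        return a if a.locally_originated else b
    if not as_path_ignore:                              # step 5, skipped by as-path-ignore
        la, lb = as_path_length(a), as_path_length(b)
        if la != lb:
            return a if la < lb else b
    oa, ob = ORIGIN_RANK[a.origin], ORIGIN_RANK[b.origin]
    if oa != ob:                                        # step 6: lowest origin type
        return a if oa < ob else b
    # step 7: MED is normally compared only between paths from the same
    # neighbor AS; always_compare_med models the option described above
    if always_compare_med or a.neighbor_as == b.neighbor_as:
        ma, mb = effective_med(a), effective_med(b)
        if ma != mb:
            return a if ma < mb else b
    if a.ibgp != b.ibgp:                                # step 8 (assumed): EBGP over IBGP
        return a if not a.ibgp else b
    if a.igp_metric != b.igp_metric:                    # step 9 (assumed): nearer next hop
        return a if a.igp_metric < b.igp_metric else b
    ra = tuple(int(o) for o in a.router_id.split("."))  # step 10: lowest router ID
    rb = tuple(int(o) for o in b.router_id.split("."))
    return a if ra <= rb else b


def best_path(paths: List[Path], **options) -> Path:
    """Reduce a list of candidate paths for one prefix to the single best one."""
    best = paths[0]
    for candidate in paths[1:]:
        best = compare(best, candidate, **options)
    return best
```

With two EBGP paths from different autonomous systems, the one whose AS-path contains an AS_SET plus one AS (length 2) beats a three-AS sequence; with as-path-ignore the comparison falls through to the router ID, and only always_compare_med lets the MEDs of paths from different neighbor ASes decide.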
• A cluster is a group of IBGP routers organized into route reflectors and route reflector clients. You configure the cluster by assigning a cluster ID on the route reflector and identifying the IBGP neighbors that are members of that cluster. All the configuration for route reflection takes place on the route reflectors. The clients are unaware that they are members of a route reflection cluster. All members of the cluster must be in the same AS.

FIGURE 147 Example of a route reflector configuration (figure: in AS 1, Cluster 1 contains Route Reflector 1 and Route Reflector 2 with IBGP sessions to Route Reflector Client 1 on 10.0.1.0 and Route Reflector Client 2 on 10.0.2.0; an EBGP session connects the cluster to a switch in AS 2)

Support for RFC 2796

Route reflection on Dell PowerConnect devices is based on RFC 2796 (since replaced by RFC 4456, which keeps the same ORIGINATOR_ID and CLUSTER_LIST loop-prevention mechanism). This updated RFC helps eliminate routing loops that are possible in some implementations of the older specification, RFC 1966.
• A Layer 3 Switch configured as a route reflector sets the ORIGINATOR_ID attribute to the router ID of the router that originated the route. Moreover, the route reflector sets the attribute only if this is the first time the route is being reflected (sent by a route reflector). In previous software releases, the route reflector set the attribute to the router ID of the route reflector itself.

If you need to disable route reflection between clients, enter the following command. When the feature is disabled, route reflection does not occur between clients but reflection does still occur between clients and non-clients.

PowerConnect(config-bgp-router)#no client-to-client-reflection

Enter the following command to re-enable the feature.

FIGURE 148 Example of a BGP4 confederation (figure: Confederation 10 contains Sub-AS 64512 with Switch A and Switch B, and Sub-AS 64513 with Switch C and Switch D; IBGP runs inside each sub-AS and EBGP between the sub-ASs and to a BGP4 switch in AS 20. That switch sees all traffic from Confederation 10 as traffic from AS 10.)

Switches outside the confederation do not know or care that the switches are subdivided into sub-ASs within a confederation.

• Configure the confederation ID. The confederation ID is the AS number by which BGP switches outside the confederation know the confederation. Thus, a BGP switch outside the confederation is not aware and does not care that your BGP switches are in multiple sub-autonomous systems. BGP switches use the confederation ID when communicating with switches outside the confederation. The confederation ID must be different from the sub-AS numbers.

Commands for router C

PowerConnectC(config)#router bgp
PowerConnectC(config-bgp-router)#local-as 64513
PowerConnectC(config-bgp-router)#confederation identifier 10
PowerConnectC(config-bgp-router)#confederation peers 64512 64513
PowerConnectC(config-bgp-router)#write memory

Commands for router D

PowerConnectD(config)#router bgp
PowerConnectD(config-bgp-router)#local-as 64513
PowerConnectD(config-bgp-router)#confederation identifier 10
PowerConnectD(config-bgp-router)#confe
The advertise-map parameter configures the router to advertise the more specific routes in the specified route map. The attribute-map parameter configures the router to set attributes for the aggregate routes based on the specified route map.

NOTE
For the suppress-map, advertise-map, and attribute-map parameters, the route map must already be defined. Refer to “Defining route maps” on page 1042 for information on defining a route map.

Configuring the BGP4 graceful restart stale routes timer

Use the following command to specify the maximum amount of time a helper device will wait for an end-of-RIB message from a peer before deleting routes from that peer.

PowerConnect(config-bgp)#graceful-restart stale-routes-time 120

Syntax: [no] graceful-restart stale-routes-time

The value is the maximum time before a helper device cleans up stale routes. Possible values are from 1 through 3600 seconds.
BGP null0 routing

Figure 149 shows a topology for a null0 routing application example.

FIGURE 149 Example of a null0 routing application (figure: the Internet, and routers R1 through R7 in AS 100)

The following steps configure a null0 routing application for stopping denial of service attacks from remote hosts on the internet.

Configuration steps
1. Select one switch, S6, to distribute null0 routes throughout the BGP network.
2.

Configuration examples

S6

The following configuration defines specific prefixes to filter.

PowerConnect(config)#ip route 110.0.0.40/29 ethernet 3/7 tag 50
PowerConnect(config)#ip route 115.0.0.192/27 ethernet 3/7 tag 50
PowerConnect(config)#ip route 120.0.14.0/23 ethernet 3/7 tag 50

The following configuration redistributes routes into BGP.

Show commands

After configuring the null0 application, you can display the output.

S6

The following is the show ip route static output for S6.

PowerConnect#show ip route static
Type Codes - B:BGP D:Connected S:Static R:RIP O:OSPF; Cost - Dist/Metric
    Destination       Gateway   Port      Cost   Type
1   110.0.0.40/29     DIRECT    eth 3/7   1/1    S
2   115.0.0.192/27    DIRECT    eth 3/7   1/1    S
3   120.0.14.0/23     DIRECT    eth 3/7   1/1    S

S1 and S2

The following is the show ip route static output for S1 and S2.

The show ip route output for S1 and S2 shows "drop" under the Port column for the network prefixes you configured with null0 routing.

PowerConnect#show ip route
Total number of IP routes: 133
Type Codes - B:BGP D:Connected S:Static
    Destination       Gateway
1   9.0.1.24/32       DIRECT
2   30.0.1.0/24       DIRECT
3   40.0.1.0/24       DIRECT
.
13  110.0.0.6/31      90.0.1.3
14  110.0.0.16/30     90.0.1.3
15  110.0.0.40/29     DIRECT
. .. .
42  115.0.0.192/27    DIRECT
43  115.0.1.128/26    30.0.1.3
. .. .
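The mechanism behind the null0 application above (a trigger router originating tagged static routes, BGP carrying them to the edge, and the edge routers installing them as "drop") is the standard remotely triggered black hole construction. The following is an added Python model written for this page, not the guide's configuration and not Dell software: the discard next-hop address 192.0.2.1, the IGP routes on the edge router and the policy that tagged routes are rewritten to that next hop and marked no-export are assumptions chosen for the example; the prefixes and tag 50 come from the S6 configuration above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DISCARD_NEXT_HOP = "192.0.2.1"   # assumed discard address; the guide does not name one
TRIGGER_TAG = 50                 # tag carried by the static routes on S6 in the guide


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    port: str
    tag: int = 0


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str
    communities: Tuple[str, ...] = ()


def redistribute_static(statics: List[StaticRoute]) -> List[BgpRoute]:
    """Trigger router (S6): redistribute statics through an (assumed) route map
    that matches tag 50, rewrites the next hop to the discard address and adds
    NO_EXPORT so the blackhole route can never leave the AS."""
    return [BgpRoute(s.prefix, DISCARD_NEXT_HOP, ("no-export",))
            for s in statics if s.tag == TRIGGER_TAG]


def export_to_ebgp(routes: List[BgpRoute]) -> List[BgpRoute]:
    """Routes eligible to be sent to an EBGP neighbor: NO_EXPORT is honoured."""
    return [r for r in routes if "no-export" not in r.communities]


class EdgeRouter:
    """Edge router (S1/S2): holds a null0 static for the discard address, so any
    BGP route whose next hop resolves to it is installed with port 'drop'."""

    def __init__(self, name: str, igp_routes: Dict[str, str]):
        self.name = name
        self.rib: Dict[str, str] = {DISCARD_NEXT_HOP + "/32": "drop"}  # ip route ... null0
        self.rib.update(igp_routes)   # prefix -> outgoing port

    def lookup(self, address: str) -> Optional[str]:
        """Longest-prefix match; returns the outgoing port or None if unroutable."""
        addr = ipaddress.ip_address(address)
        best = None
        for prefix, port in self.rib.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, port)
        return None if best is None else best[1]

    def install_bgp(self, routes: List[BgpRoute]) -> Dict[str, str]:
        """Recursive next-hop resolution: a route is installed with the port its
        next hop resolves to, or skipped when the next hop is unreachable."""
        installed = {}
        for r in routes:
            port = self.lookup(r.next_hop)
            if port is not None:
                installed[r.prefix] = port
        self.rib.update(installed)
        return installed


# Constructed sample mirroring the guide's S6 statics plus one ordinary static
S6_STATICS = [
    StaticRoute("110.0.0.40/29", "ethernet 3/7", TRIGGER_TAG),
    StaticRoute("115.0.0.192/27", "ethernet 3/7", TRIGGER_TAG),
    StaticRoute("120.0.14.0/23", "ethernet 3/7", TRIGGER_TAG),
    StaticRoute("172.16.0.0/16", "ethernet 1/1"),      # not tagged, so not blackholed
]


def demo():
    blackholes = redistribute_static(S6_STATICS)
    s1 = EdgeRouter("S1", {"0.0.0.0/0": "eth 1/1", "110.0.0.0/24": "eth 2/1"})
    installed = s1.install_bgp(blackholes)
    return s1, installed, export_to_ebgp(blackholes)


if __name__ == "__main__":
    s1, installed, exported = demo()
    print(installed, exported, s1.lookup("110.0.0.41"), s1.lookup("110.0.0.9"))
```

The point to check on a real deployment is the same as in the model: traffic to a host inside a blackholed /29 is dropped while the rest of the covering /24 keeps forwarding, a blackhole whose next hop does not resolve is never installed, and nothing carrying no-export is offered to EBGP neighbors.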
Refer to the following sections for details on redistributing specific routes using the CLI:
• “Redistributing connected routes” on page 1031
• “Redistributing RIP routes” on page 1031
• “Redistributing OSPF external routes” on page 1031
• “Redistributing static routes” on page 1032

Redistributing connected routes

To configure BGP4 to redistribute directly connected routes, enter the following command.

Syntax: redistribute ospf [match internal | external1 | external2] [metric] [route-map]

The ospf parameter indicates that you are redistributing OSPF routes into BGP4. The match internal | external1 | external2 parameter applies only to OSPF. This parameter specifies the types of OSPF routes to be redistributed into BGP4. The default is internal. Always pair redistribution with a route map that permits only the prefixes you intend to originate; unfiltered redistribution of an IGP into BGP4 is a common cause of route leaks.

To disable re-advertisement of BGP4 routes to BGP4 neighbors except for routes that the software also installs in the route table, enter the following command.

PowerConnect(config-bgp-router)#no readvertise

Syntax: [no] readvertise

To re-enable re-advertisement, enter the following command.

PowerConnect(config-bgp-router)#readvertise

Redistributing IBGP routes into RIP and OSPF

By default, the Layer 3 Switch does not redistribute IBGP routes from BGP4 into RIP or OSPF.

Filtering

NOTE
Once you define a filter, the default action for addresses that do not match a filter is “deny”. To change the default action to “permit”, configure the last filter as “permit any any”. Address filters can be referred to by a BGP neighbor's distribute list number as well as by match statements in a route map.

NOTE
If the filter is referred to by a route map match statement, the filter is applied in the order in which the filter is listed in the match statement.

If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in “/” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the filter regardless of whether the software is configured to display the masks in CIDR format. The mask parameter specifies the network mask.

The AS-path parameter indicates the AS-path information. You can enter an exact AS-path string if you want to filter for a specific value. You also can use regular expressions in the filter string.

Defining an AS-path ACL

To configure an AS-path list that uses ACL 1, enter a command such as the following.

PowerConnect(config)#ip as-path access-list 1 permit 100
PowerConnect(config)#router bgp
PowerConnect(config-bgp-router)#neighbor 10.10.10.
Special characters

When you enter a single-character expression or a list of characters, you also can use the following special characters. Table 182 on page 1037 lists the special characters. The description for each special character includes an example. Notice that you place some special characters in front of the characters they control but you place other special characters after the characters they control. In each case, the examples show where to place the special character.

TABLE 182 BGP4 special characters for regular expressions (Continued)

Character   Operation
[]          Square brackets enclose a range of single-character patterns. For example, the following regular expression matches on an AS-path that contains “1”, “2”, “3”, “4”, or “5”: [1-5]
            Because a bracket expression matches a single character, [1-5] also matches AS numbers such as 15 or 251; anchor the pattern to the start, end or separators of the AS-path when you mean a whole AS number.
            You can use the following expression symbols within the brackets. These symbols are allowed only inside the brackets:
            • ^ – The caret matches on any characters except the ones in the brackets.
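An AS-path ACL is an ordered list of permit and deny regular expressions with an implicit deny at the end, and the regular expression is matched against the AS-path as a string, so an unanchored pattern can match more than the AS number you had in mind. The following is an added Python example written for this page, using Python's re module rather than the switch's regular-expression engine; the sample updates, the policy entries and the function names are constructed for the example and are not from the guide.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class AsPathEntry:
    action: str      # "permit" or "deny"
    pattern: str     # regular expression tested against the rendered AS-path


class AsPathAcl:
    """Ordered AS-path ACL: entries are tried in order, the first match wins,
    and a path that matches no entry is denied (the implicit deny the guide describes)."""

    def __init__(self, entries: Sequence[AsPathEntry]):
        for e in entries:
            if e.action not in ("permit", "deny"):
                raise ValueError(f"bad action {e.action!r}")
        self.entries = [(e.action, re.compile(e.pattern)) for e in entries]

    @staticmethod
    def render(as_path: Sequence[int]) -> str:
        # Paths are matched as a space-separated string, e.g. "65001 4355 701".
        # A locally originated route has an empty AS-path and renders as "".
        return " ".join(str(asn) for asn in as_path)

    def evaluate(self, as_path: Sequence[int]) -> str:
        text = self.render(as_path)
        for action, regex in self.entries:
            if regex.search(text):
                return action
        return "deny"


def filter_list_in(acl: AsPathAcl, updates: Sequence[Tuple[str, List[int]]]) -> List[str]:
    """Model of 'filter-list ... in': keep only prefixes whose AS-path the ACL permits."""
    return [prefix for prefix, path in updates if acl.evaluate(path) == "permit"]


# Constructed sample of routes received from an EBGP neighbor in AS 100.
SAMPLE_UPDATES = [
    ("192.0.2.0/24",    [100]),              # the neighbor's own prefix
    ("198.51.100.0/24", [100, 200]),         # a customer of AS 100
    ("203.0.113.0/24",  [100, 200, 64512]),  # a private AS leaked through the customer
    ("10.0.0.0/8",      [100, 701, 100]),    # a path that transits AS 701
]

# "Customer routes only": refuse anything through 701, then accept only the
# neighbor alone or the neighbor followed by its customer. Everything else,
# including the leaked private AS, falls through to the implicit deny.
CUSTOMER_ONLY = AsPathAcl([
    AsPathEntry("deny",   r"(^| )701( |$)"),
    AsPathEntry("permit", r"^100( 200)?$"),
])

# The guide's "ip as-path access-list 1 permit 100" written as a bare regex.
# Unanchored, "100" is a substring match and also matches AS 1100 or 10001;
# anchoring to the separators restricts it to the AS number 100 itself.
BARE_100 = AsPathAcl([AsPathEntry("permit", r"100")])
ANCHORED_100 = AsPathAcl([AsPathEntry("permit", r"(^| )100( |$)")])


def demo() -> List[str]:
    return filter_list_in(CUSTOMER_ONLY, SAMPLE_UPDATES)


if __name__ == "__main__":
    print(demo())
```

The anchored form is the one to copy: the bare pattern permits a path through AS 1100, which is exactly the kind of mismatch that lets a route slip past an inbound AS-path filter.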
NOTE
The Layer 3 Switch cannot actively support community filters and community list ACLs at the same time. Use one method or the other but do not mix methods.

NOTE
Once you define a filter or ACL, the default action for communities that do not match a filter or ACL is “deny”. To change the default action to “permit”, configure the last filter or ACL entry as “permit any any”. Community filters or ACLs can be referred to by match statements in a route map.

The no-export keyword filters for routes with the well-known community “NO_EXPORT”. A route in this community should not be advertised to any BGP4 neighbors outside the local AS. If the router is a member of a confederation, the Layer 3 Switch advertises the route only within the confederation. For information about confederations, refer to “Configuration notes” on page 1021.

Defining a community ACL

To configure community ACL 1, enter a command such as the following.

The regular-expression parameter specifies a regular expression for matching on community names. For information about regular expression syntax, refer to “Using regular expressions” on page 1036. You can specify a regular expression only in an extended community ACL.

Defining IP prefix lists

An IP prefix list specifies a list of networks. When you apply an IP prefix list to a neighbor, the Layer 3 Switch sends or receives only a route whose destination is in the IP prefix list.

Defining neighbor distribute lists

A neighbor distribute list is a list of BGP4 address filters or ACLs that filter the traffic to or from a neighbor. To configure a neighbor distribute list, use either of the following methods.

To configure a distribute list that uses ACL 1, enter a command such as the following.

PowerConnect(config-bgp-router)#neighbor 10.10.10.

If the route map contains set statements, routes that are permitted by the route map match statements are modified according to the set statements.

As shown in this example, the command prompt changes to the Route Map level. You can enter the match and set statements at this level. Refer to “Specifying the match conditions” on page 1044 and “Setting parameters in the routes” on page 1047. The map name is a string of characters that names the map. Map names can be up to 32 characters in length. The permit | deny parameter specifies the action the router will take if a route matches a match statement.
NOTE
The filters must already be configured.

The community parameter specifies a community ACL.

NOTE
The ACL must already be configured.

The community exact-match parameter matches a route if (and only if) the route's community attributes field contains the same community numbers specified in the match statement. The ip address | next-hop | prefix-list parameter specifies an ACL or IP prefix list.

PowerConnect(config)#ip community-list 1 permit 123:2
PowerConnect(config)#route-map CommMap permit 1
PowerConnect(config-routemap CommMap)#match community 1

Syntax: match community

The parameter specifies a community list ACL. To configure a community list ACL, use the ip community-list command. Refer to “Defining a community ACL” on page 1040.

The first command configures an IP ACL that matches on routes received from 192.168.6.0/24. The remaining commands configure a route map that matches on all BGP4 routes advertised by the BGP4 neighbors whose addresses match addresses in that IP ACL. You can add a set statement to change a route attribute in the routes that match. You also can use the route map as input for other commands, such as the neighbor and network commands and some show commands.

[dampening]
[[default] interface null0 | ip [default] next-hop | ip next-hop peer-address]
[local-preference]
[metric [+ | -] | none]
[metric-type type-1 | type-2]
[metric-type internal]
[next-hop]
[nlri multicast | unicast | multicast unicast]
[origin igp | incomplete]
[tag]
[weight]

The as-path prepend

The metric-type type-1 | type-2 parameter changes the metric type of a route redistributed into OSPF. The metric-type internal parameter sets the route's MED to the same value as the IGP metric of the BGP4 next-hop route. The parameter does this when advertising a BGP4 route to an EBGP neighbor. The next-hop parameter sets the IP address of the route next hop router.

These commands configure a route map that matches on routes whose destination network is specified in ACL 1, and sets the next hop in the routes to the neighbor address (inbound filtering) or the local IP address of the BGP4 session (outbound filtering).

To create a route map and identify it as a table map, enter commands such as the following. These commands create a route map that uses an address filter. For routes that match the address filter, the route map changes the tag value to 100. This route map is then identified as a table map. As a result, the route map is applied only to routes that the Layer 3 Switch places in the IP route table. The route map is not applied to all routes.

PowerConnect(config)#ip prefix-list Routesfrom1234 deny 20.20.0.0/24
PowerConnect(config)#ip prefix-list Routesfrom1234 permit 0.0.0.0/0 le 32
PowerConnect(config)#router bgp
PowerConnect(config-bgp-router)#neighbor 1.2.3.4 prefix-list Routesfrom1234 in
PowerConnect(config-bgp-router)#neighbor 1.2.3.4 capability orf prefixlist send

The first two commands configure statements for the IP prefix list Routesfrom1234. The first command configures a statement that denies routes to 20.20.0.0/24. Note that without a ge or le qualifier this statement matches only the exact /24; a more specific route such as 20.20.0.128/25 does not match it and is permitted by the second statement. To reject everything inside 20.20.0.0/24, write the deny statement with le 32.
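Prefix-list evaluation (first matching statement decides, implicit deny, exact-length match unless ge or le widens the range) is what makes the Routesfrom1234 example above behave the way it does, and with the ORF capability the same list is pushed to the neighbor so that it is applied before the routes are ever sent. The following is an added Python example written for this page, not Dell software; the class and function names are constructed for the example, and only the two statements of Routesfrom1234 come from the guide.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class PrefixEntry:
    action: str               # "permit" or "deny"
    prefix: str               # e.g. "20.20.0.0/24"
    ge: Optional[int] = None  # minimum prefix length of matching routes
    le: Optional[int] = None  # maximum prefix length of matching routes


class PrefixList:
    """Ordered prefix list with the usual semantics: the first matching entry
    decides, and a route that matches no entry is denied."""

    def __init__(self, entries: Sequence[PrefixEntry]):
        self.entries = []
        for e in entries:
            net = ipaddress.ip_network(e.prefix)
            if e.ge is None and e.le is None:
                lo, hi = net.prefixlen, net.prefixlen      # exact length only
            else:
                lo = net.prefixlen if e.ge is None else e.ge
                hi = net.max_prefixlen if e.le is None else e.le
            if not (net.prefixlen <= lo <= hi <= net.max_prefixlen):
                raise ValueError(f"invalid ge/le for {e.prefix}")
            self.entries.append((e.action, net, lo, hi))

    @staticmethod
    def _matches(net, lo, hi, route) -> bool:
        if route.version != net.version or route.prefixlen < net.prefixlen:
            return False
        if route.network_address not in net:     # route must lie inside the entry's prefix
            return False
        return lo <= route.prefixlen <= hi       # and its length inside the allowed range

    def evaluate(self, route: str) -> str:
        r = ipaddress.ip_network(route)
        for action, net, lo, hi in self.entries:
            if self._matches(net, lo, hi, r):
                return action
        return "deny"


def apply_prefix_list(plist: PrefixList, routes: Sequence[str]) -> List[str]:
    """Inbound use on this switch, or outbound use on the neighbor once the list
    has been pushed to it with ORF: either way, only permitted routes survive."""
    return [r for r in routes if plist.evaluate(r) == "permit"]


# The guide's list: deny exactly 20.20.0.0/24, permit everything else.
ROUTES_FROM_1234 = PrefixList([
    PrefixEntry("deny", "20.20.0.0/24"),
    PrefixEntry("permit", "0.0.0.0/0", le=32),
])

# Same intent, but the deny now covers every route inside 20.20.0.0/24.
ROUTES_FROM_1234_STRICT = PrefixList([
    PrefixEntry("deny", "20.20.0.0/24", le=32),
    PrefixEntry("permit", "0.0.0.0/0", le=32),
])
```

The strict form is normally what an operator wants from an inbound filter: a neighbor that cannot advertise 20.20.0.0/24 should not be able to advertise two /25s covering the same space either.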
To perform a soft reset of a neighbor session and send ORFs to the neighbor, enter a command such as the following.

PowerConnect#clear ip bgp neighbor 1.2.3.4 soft in prefix-list

Syntax: clear ip bgp neighbor [soft in prefix-filter]

If you use the soft in prefix-filter parameter, the Layer 3 Switch sends the updated IP prefix list to the neighbor as part of its route refresh message to the neighbor.

Configuring route flap dampening

A “route flap” is the change in a route state, from up to down or down to up. When a route state changes, the state change causes changes in the route tables of the routers that support the route. Frequent changes in a route state can cause Internet instability and add processing overhead to the routers that support the route.

Globally configuring route flap dampening

To enable route flap dampening using the default values, enter the following command.

PowerConnect(config-bgp-router)#dampening

Syntax: dampening [parameters]

The first parameter, the half-life, specifies the number of minutes after which the route penalty becomes half its value.
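Dampening assigns each flapping route a penalty that decays exponentially with the configured half-life; the route is suppressed once the penalty exceeds the suppress limit and reused once it decays below the reuse limit, and the maximum suppress time caps the penalty so that no route stays suppressed longer than that. The following is an added Python model written for this page, not Dell's implementation: the penalty of 1000 per flap and the default values 15 minutes, 750, 2000 and 60 minutes are common implementation defaults assumed for the example, not values taken from the guide.

```python
import math
from dataclasses import dataclass
from typing import Dict

FLAP_PENALTY = 1000.0   # assumed penalty added per flap (a common implementation default)


@dataclass(frozen=True)
class DampeningParams:
    half_life_min: float = 15.0     # minutes for the penalty to halve (assumed default)
    reuse: float = 750.0            # penalty below which a suppressed route is reused
    suppress: float = 2000.0        # penalty above which a route is suppressed
    max_suppress_min: float = 60.0  # longest a route may stay suppressed

    def max_penalty(self) -> float:
        # Capping the penalty at this value guarantees it decays below
        # 'reuse' within max_suppress_min of the last flap.
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


@dataclass
class RouteState:
    penalty: float = 0.0
    updated_min: float = 0.0   # time of the last decay calculation
    suppressed: bool = False
    flaps: int = 0


class Dampener:
    def __init__(self, params: DampeningParams):
        self.p = params
        self.routes: Dict[str, RouteState] = {}

    def _decay(self, r: RouteState, now: float) -> None:
        # Exponential decay: the penalty halves every half-life.
        r.penalty *= 0.5 ** ((now - r.updated_min) / self.p.half_life_min)
        r.updated_min = now

    def flap(self, prefix: str, now: float) -> bool:
        """Record a state change at time 'now' (minutes); return True if suppressed."""
        r = self.routes.setdefault(prefix, RouteState(updated_min=now))
        self._decay(r, now)
        r.penalty = min(r.penalty + FLAP_PENALTY, self.p.max_penalty())
        r.flaps += 1
        if r.penalty > self.p.suppress:
            r.suppressed = True
        return r.suppressed

    def is_usable(self, prefix: str, now: float) -> bool:
        r = self.routes.get(prefix)
        if r is None:
            return True                  # never flapped, never dampened
        self._decay(r, now)
        if r.suppressed and r.penalty < self.p.reuse:
            r.suppressed = False         # penalty has decayed below the reuse limit
        return not r.suppressed

    def minutes_until_reuse(self, prefix: str, now: float) -> float:
        """Time until the penalty decays to the reuse limit (0 if already usable)."""
        r = self.routes[prefix]
        self._decay(r, now)
        if r.penalty <= self.p.reuse:
            return 0.0
        return self.p.half_life_min * math.log2(r.penalty / self.p.reuse)

    def penalty_of(self, prefix: str) -> float:
        return self.routes[prefix].penalty
```

Three flaps one minute apart push the penalty past 2000 and suppress the route; with a 15-minute half-life it takes about 29 minutes to decay below 750 again, and a route flapping continuously saturates at the 12000 cap rather than accumulating an unbounded penalty.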
PowerConnect(config)#router bgp
PowerConnect(config-bgp-router)#address-filter 9 permit 209.157.22.0 255.255.255.0 255.255.255.0 255.255.255.0
PowerConnect(config-bgp-router)#address-filter 10 permit 209.157.23.0 255.255.255.0 255.255.255.0 255.255.255.

PowerConnect(config)#route-map DAMPENING_MAP_ENABLE permit 1
PowerConnect(config-routemap DAMPENING_MAP_ENABLE)#exit
PowerConnect(config)#route-map DAMPENING_MAP_NEIGHBOR_A permit 1
PowerConnect(config-routemap DAMPENING_MAP_NEIGHBOR_A)#set dampening
PowerConnect(config-routemap DAMPENING_MAP_NEIGHBOR_A)#exit
PowerConnect(config)#router bgp
PowerConnect(config-bgp-router)#dampening route-map DAMPENING_MAP_ENABLE
PowerConnect(config-bgp-router)#neighbor 10.10.10.

Here is an example.

PowerConnect(config-bgp-router)#aggregate-address 209.1.0.0 255.255.0.0 summary-only
PowerConnect(config-bgp-router)#show ip bgp route 209.1.0.0/16 longer
Number of BGP Routes matching display condition : 2
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
    Prefix           Next Hop    Metric  LocPrf  Weight  Status
1   209.1.0.0/16     0.0.0.0             101     32768   BAL
    AS_PATH:
2   209.1.44.0/24    10.

PowerConnect#show ip bgp route 209.1.44.0/24
Number of BGP Routes matching display condition : 1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP
       H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
    Prefix           Next Hop    Metric  LocPrf  Weight  Status
1   209.1.44.0/24    10.2.0.1    1       101     32768   BLS
    AS_PATH:
Route is advertised to 1 peers: 10.1.0.

TABLE 183 Route flap dampening statistics

Field: Total number of flapping routes
Description: Total number of routes in the Layer 3 Switch BGP4 route table that have changed state and thus have been marked as flapping routes.

Field: Status code
Description: Indicates the dampening status of the route, which can be one of the following:
• > – This is the best route among those in the BGP4 route table to the route destination.
• d – This route is currently dampened, and thus unusable.

Generating traps for BGP

Syntax: [no] snmp-server enable traps bgp

Use the no form of the command to disable BGP traps.
30 Displaying BGP4 information PowerConnect#show ip bgp summary BGP4 Summary Router ID: 101.0.0.1 Local AS Number : 4 Confederation Identifier : not configured Confederation Peers: 4 5 Maximum Number of Paths Supported for Load Sharing : 1 Number of Neighbors Configured : 11 Number of Routes Installed : 2 Number of Routes Advertising to All Neighbors : 8 Number of Attribute Entries Installed : 6 Neighbor Address AS# State Time Rt:Accepted Filtered Sent 1.2.3.4 200 ADMDN 0h44m56s 0 0 0 10.0.0.
Displaying BGP4 information TABLE 184 30 BGP4 summary information (Continued) Field Description State The state of this router neighbor session with each neighbor. The states are from this router perspective of the session, not the neighbor perspective. The state values are based on the BGP4 state machine values described in RFC 1771 and can be one of the following for each router: • IDLE – The BGP4 process is waiting to be started.
TABLE 184 BGP4 summary information (Continued)
Filtered: The routes or prefixes that have been filtered out:
• If soft reconfiguration is enabled, this field shows how many routes were filtered out (not placed in the BGP4 route table) but retained in memory.
• If soft reconfiguration is not enabled, this field shows the number of BGP4 routes that have been filtered out.
Sent: The number of BGP4 routes that the Layer 3 Switch has sent to the neighbor.
PowerConnect#show process cpu
Process Name  5Sec(%)  1Min(%)  5Min(%)  15Min(%)
ARP           0.01     0.03     0.09     0.22
BGP           0.04     0.06     0.08     0.14
GVRP          0.00     0.00     0.00     0.00
ICMP          0.00     0.00     0.00     0.00
IP            0.00     0.00     0.00     0.00
OSPF          0.00     0.00     0.00     0.00
RIP           0.00     0.00     0.00     0.00
STP           0.00     0.00     0.00     0.00
VRRP          0.00     0.00     0.00     0.
Displaying summary neighbor information
To display summary neighbor information, enter a command such as the following at any level of the CLI.
PowerConnect#show ip bgp neighbors 192.168.4.211 routes-summary
1 IP Address: 192.168.4.
TABLE 185 BGP4 route summary information for a neighbor (Continued)
NLRIs Received in Update Message: The number of routes received in Network Layer Reachability Information (NLRI) format in UPDATE messages:
• Withdraws – The number of withdrawn routes the Layer 3 Switch has received.
• Replacements – The number of replacement routes the Layer 3 Switch has received.
PowerConnect#show ip bgp neighbors 10.4.0.2
1 IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 100.0.0.1
Description: neighbor 10.4.0.
The attribute-entries option shows the attribute entries associated with routes received from the neighbor. The flap-statistics option shows the route flap statistics for routes received from or sent to the neighbor. The last-packet-with-error option displays the last packet from the neighbor that contained an error. The packet's contents are displayed in decoded (human-readable) format.
TABLE 186 BGP4 neighbor information (Continued)
RouterID: The neighbor's router ID.
Description: The description you gave the neighbor when you configured it on the Layer 3 Switch.
State: The state of the router's session with the neighbor. The states are from this router's perspective of the session, not the neighbor's perspective.
TABLE 186 BGP4 neighbor information (Continued)
RemovePrivateAs: Whether this option is enabled for the neighbor.
RefreshCapability: Whether this Layer 3 Switch has received confirmation from the neighbor that the neighbor supports the dynamic refresh capability.
CooperativeFilteringCapability: Whether the neighbor is enabled for cooperative route filtering.
Distribute-list: Lists the distribute list parameters, if configured.
TABLE 186 BGP4 neighbor information (Continued)
Last Connection Reset Reason: The reason the previous session with this neighbor ended. The reason can be one of the following.
TABLE 186 BGP4 neighbor information (Continued)
Notification Sent: If the router receives a NOTIFICATION message from the neighbor, the message contains an error code corresponding to one of the following errors. Some errors have subcodes that clarify the reason for the error. Where applicable, the subcode messages are listed underneath the error code messages.
TABLE 186 BGP4 neighbor information (Continued)
TCP Connection state: The state of the connection with the neighbor. The connection can have one of the following states:
• LISTEN – Waiting for a connection request.
• SYN-SENT – Waiting for a matching connection request after having sent a connection request.
• SYN-RECEIVED – Waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
TABLE 186 BGP4 neighbor information (Continued)
RcvWnd: The size of the receive window.
SendQue: The number of sequence numbers in the send queue.
RcvQue: The number of sequence numbers in the receive queue.
CngstWnd: The number of times the window has changed.
Displaying route information for a neighbor
You can display routes based on the following criteria:
• A summary of the routes for a specific neighbor.
TABLE 187 BGP4 route summary information for a neighbor
Routes Received: How many routes the Layer 3 Switch has received from the neighbor during the current BGP4 session:
• Accepted/Installed – Indicates how many of the received routes the Layer 3 Switch accepted and installed in the BGP4 route table.
TABLE 187 BGP4 route summary information for a neighbor (Continued)
NLRIs Sent in Update Message: The number of NLRIs for new routes the Layer 3 Switch has sent to this neighbor in UPDATE messages:
• Withdraws – The number of routes the Layer 3 Switch has sent to the neighbor to withdraw.
• Replacements – The number of routes the Layer 3 Switch has sent to the neighbor to replace routes the neighbor already has.
Displaying the best routes that were nonetheless not installed in the IP route table
To display the BGP4 routes received from a specific neighbor that are the “best” routes to their destinations but are not installed in the Layer 3 Switch IP route table, enter a command such as the following at any level of the CLI.
PowerConnect#show ip bgp neighbors 192.168.4.
PowerConnect#show ip bgp peer-group pg1
1 BGP peer-group is pg
Description: peer group abc
SendCommunity: yes
NextHopSelf: yes
DefaultOriginate: yes
Members:
IP Address: 192.168.10.10, AS: 65111
Syntax: show ip bgp peer-group []
Only the parameters that have values different from their defaults are listed.
TABLE 188 BGP4 summary route information (Continued)
IBGP routes selected as best routes: The number of “best” routes in the BGP4 route table that are IBGP routes.
EBGP routes selected as best routes: The number of “best” routes in the BGP4 route table that are EBGP routes.
The community option lets you display routes for a specific community. You can specify local-as, no-export, no-advertise, internet, or a private community number. You can specify the community number as either two five-digit integer values of 1 through 65535, separated by a colon (for example, 12345:6789) or a single long integer value. The community-access-list parameter filters the display using the specified community ACL.
For information about the fields in this display, refer to Table 189 on page 1083. The fields in this display also appear in the show ip bgp display.
Displaying information for a specific route
To display BGP4 network information by specifying an IP address within the network, enter a command such as the following at any level of the CLI.
PowerConnect#show ip bgp 9.3.4.0
Number of BGP Routes matching display condition : 1
Status codes: s suppressed, d damped, h history, * valid, >
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight
*> 9.3.4.0/24 192.168.4.
TABLE 189 BGP4 network information (Continued)
Weight: The value that this router associates with routes from a specific neighbor. For example, if the router receives routes to the same destination from two BGP4 neighbors, the router prefers the route from the neighbor with the larger weight.
Path: The route's AS path.
NOTE: This field appears only if you do not enter the route option.
Displaying BGP4 information 30 These displays show the following information. TABLE 190 BGP4 route information Field Description Total number of BGP Routes The number of BGP4 routes. Status codes A list of the characters the display uses to indicate the route status. The status code is appears in the left column of the display, to the left of each route. The status codes are described in the command output. Prefix The network prefix and mask length.
TABLE 190 BGP4 route information (Continued)
Weight: The value that this router associates with routes from a specific neighbor. For example, if the router receives routes to the same destination from two BGP4 neighbors, the router prefers the route from the neighbor with the larger weight.
Atomic: Whether network information in this route has been aggregated and this aggregation has resulted in information loss.
TABLE 191 BGP4 route-attribute entries information
Total number of BGP Attribute Entries: The number of routes contained in this router's BGP4 route table.
Next Hop: The IP address of the next hop router for routes that have this set of attributes.
Metric: The cost of the routes that have this set of attributes.
Origin: The source of the route information.
PowerConnect#show ip route
Total number of IP routes: 50834
B:BGP D:Directly-Connected O:OSPF R:RIP S:Static
Network Address NetMask Gateway
3.0.0.0 255.0.0.0 192.168.13.2
4.0.0.0 255.0.0.0 192.168.13.2
9.20.0.0 255.255.128.0 192.168.13.2
10.1.0.0 255.255.0.0 0.0.0.0
10.10.11.0 255.255.255.0 0.0.0.0
12.2.97.0 255.255.255.0 192.168.13.2
12.3.63.0 255.255.255.0 192.168.13.2
12.3.123.0 255.255.255.0 192.168.13.2
12.5.252.0 255.255.254.0 192.168.13.2
12.6.42.0 255.255.254.0 192.
TABLE 192 Route flap dampening statistics
Total number of flapping routes: The total number of routes in the Layer 3 Switch BGP4 route table that have changed state and thus have been marked as flapping routes.
Status code: Indicates the dampening status of the route, which can be one of the following:
• > – This is the best route among those in the BGP4 route table to the route destination.
• d – This route is currently dampened, and thus unusable.
Updating route information and resetting a neighbor session
This example shows the active configuration for a route map called “setcomm”.
Syntax: show route-map []
Displaying BGP4 graceful restart neighbor information
Use the show ip bgp neighbors command to display BGP4 restart information for BGP4 neighbors.
PowerConnect# show ip bgp neighbors
Total number of BGP Neighbors: 6
1 IP Address: 50.50.50.10, AS: 20 (EBGP), RouterID: 10.10.10.
Using soft reconfiguration
The soft reconfiguration feature places policy changes into effect without resetting the BGP4 session. Soft reconfiguration does not request the neighbor or group to send its entire BGP4 table, nor does the feature reset the session with the neighbor or group. Instead, the soft reconfiguration feature stores all the route updates received from the neighbor or group.
NOTE
If you do not specify “in”, the command applies to both inbound and outbound updates.
NOTE
The syntax related to soft reconfiguration is shown. For complete command syntax, refer to “Dynamically refreshing routes” on page 1094.
Displaying the filtered routes received from the neighbor or peer group
When you enable soft reconfiguration, the Layer 3 Switch saves all updates received from the specified neighbor or peer group.
PowerConnect#show ip bgp neighbors 192.168.4.106 received-routes
There are 97345 received routes from neighbor 192.168.4.106
Searching for matching routes, use ^C to quit...
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH S:SUPPRESSED F:FILTERED
Prefix Next Hop Metric LocPrf Weight Status
1 3.0.0.0/8 192.168.4.106 100 0 BE
AS_PATH: 65001 4355 701 80
2 4.0.0.0/8 192.168.4.
NOTE
The option for dynamically refreshing routes received from a neighbor requires the neighbor to support dynamic route refresh. If the neighbor does not support this feature, the option does not take effect and the software displays an error message. The option for dynamically re-advertising routes to a neighbor does not require the neighbor to support dynamic route refresh.
To dynamically resend all the Layer 3 Switch BGP4 routes to a neighbor, enter a command such as the following.
PowerConnect(config-bgp-router)#clear ip bgp neighbor 192.168.1.170 soft out
This command applies its filters for outgoing routes to the Layer 3 Switch BGP4 route table (Adj-RIB-Out), changes or excludes routes accordingly, then sends the resulting Adj-RIB-Out to the neighbor.
PowerConnect#show ip bgp neighbors 10.4.0.2
1 IP Address: 10.4.0.2, AS: 5 (EBGP), RouterID: 100.0.0.1
Description: neighbor 10.4.0.
Clearing traffic counters
Switch sends updates to advertise, change, or even withdraw routes on the neighbor as needed. This ensures that the neighbor receives only the routes you want it to contain. Even if the neighbor already contains a route learned from the Layer 3 Switch that you later decided to filter out, using the soft-outbound option removes that route from the neighbor. You can specify a single neighbor or a peer group.
Clearing route flap dampening statistics
Syntax: clear ip bgp neighbor all | | | traffic
The all | | | option specifies the neighbor. The parameter specifies a neighbor by its IP interface with the Layer 3 Switch. The specifies all neighbors in a specific peer group. The parameter specifies all neighbors within the specified AS. The all parameter specifies all neighbors.
Clearing diagnostic buffers
• The first 400 bytes of the last packet that contained an error
• The last NOTIFICATION message either sent or received by the Layer 3 Switch
To display these buffers, use options with the show ip bgp neighbors command. Refer to “Displaying BGP4 neighbor information” on page 1067. This information can be useful if you are working with Dell Technical Support to resolve a problem. The buffers do not identify the system time when the data was written to the buffer.
Chapter 31 Configuring VRRP and VRRPE
Table 193 lists the individual Dell PowerConnect switches and the VRRP and VRRPE features they support.
Overview
Overview of VRRP
VRRP is a protocol that provides redundancy to routers within a LAN. VRRP allows you to provide alternate router paths for a host without changing the IP address or MAC address by which the host knows its gateway. Consider the situation shown in Figure 150.
[FIGURE 150 Switch 1 is Host1's default gateway but is a single point of failure. Labels: Internet or Enterprise Intranet; Switch 1 (uplink e 2/4, LAN port e 1/6); Switch 2 (uplink e 3/2, LAN port e 1/5); Host1 on subnet 192.53.5.]
[FIGURE 151 Switch 1 and Switch 2 are configured as a VRRP virtual router for redundant network access for Host1. Labels: Internet or enterprise Intranet; uplinks e 2/4 (Router1) and e 3/2 (Router2); VRID1 Router1 = Master, Owner, e 1/6, 192.53.5.1, IP address = 192.53.5.1, MAC address = 00-00-5E-00-01-01, Priority = 255; VRID1 Router2 = Backup, e 1/5, 192.53.5.3, IP address = 192.53.5.1, MAC address = 00-00-5E-00-01-01, Priority = 100; Host1 Default Gateway 192.53.5.]
When you configure a VRID, the software automatically assigns its MAC address. When a VRID becomes active, the Master router broadcasts a gratuitous ARP request containing the virtual router MAC address for each IP address associated with the virtual router. In Figure 151, Switch 1 sends a gratuitous ARP with MAC address 00-00-5e-00-01-01 and IP address 192.53.5.1. Hosts use the virtual router MAC address in routed traffic they send to their default IP gateway (in this example, 192.53.5.1).
Hello messages
VRRP routers use Hello messages for negotiation to determine the Master router. VRRP routers send Hello messages to IP Multicast address 224.0.0.18. The frequency with which the Master sends Hello messages is the Hello Interval. Only the Master sends Hello messages. However, a Backup uses the Hello interval you configure for the Backup if it becomes the Master. The Backup routers wait for a period of time called the Dead Interval for a Hello message from the Master.
In Figure 151 on page 1103, the track priority results in Switch 1's VRRP priority becoming lower than Switch 2's VRRP priority. As a result, when Switch 2 learns that it now has a higher priority than Switch 1, Switch 2 initiates negotiation for Master router and becomes the new Master router, thus providing an open path for Host1's traffic. To take advantage of the track port feature, make sure the track priorities are always lower than the VRRP priorities.
• VRRPE does not use Owners. All routers are Backups for a given VRID. The router with the highest priority becomes Master. If there is a tie for highest priority, the router with the highest IP address becomes Master. The elected Master owns the virtual IP address and answers ping and ARP requests and so on.
• VRID's IP address:
• VRRP requires that the VRID also be a real IP address configured on the VRID's interface on the Owner.
[FIGURE 152 Router1 and Router2 are configured to provide dual redundant network access for the host. Labels: Internet; Switch 1 (uplink e 2/4, LAN port e 1/6, 192.53.5.2); Switch 2 (uplink e 3/2, LAN port e 5/1, 192.53.5.3); VRID 1 Switch 1 = Master, Virtual IP address 192.53.5.254, Priority = 110, Track Port = e 2/4, Track Priority = 20; VRID 1 Switch 2 = Backup, Virtual IP address 192.53.5.254, Priority = 100 (Default), Track port = e 3/2, Track priority = 20; VRID 2 Switch 2 = Master, Virtual IP address 192.53.5.]
Configuration note
VRRP-E is supported in the edge Layer 3 and full Layer 3 code only. It is not supported in the base Layer 3 code.
Comparison of VRRP and VRRPE
This section compares router redundancy protocols.
VRRP
VRRP is a standards-based protocol, described in RFC 2338. The Dell implementation of VRRP contains the features in RFC 2338.
VRRP and VRRPE parameters
Virtual router IP address (the address you are backing up)
• VRRP – The virtual router IP address is the same as an IP address or virtual interface configured on one of the Layer 3 Switches, which is the “Owner” and becomes the default Master.
• VRRPE – The virtual router IP address is the gateway address you want to back up, but it does not need to be an IP interface configured on one of the Layer 3 Switch ports or a virtual interface.
TABLE 194 VRRP and VRRPE parameters (Continued)
Parameter | Description | Default | See page...
VRID MAC address: The source MAC address in VRRP or VRRPE packets sent from the VRID interface, and the destination for packets sent to the VRID:
• VRRP – A virtual MAC address defined as 00-00-5e-00-01-. The Master owns the Virtual MAC address.
TABLE 194 VRRP and VRRPE parameters (Continued)
Parameter | Description | Default | See page...
Dead interval: The number of seconds a Backup waits for a Hello message from the Master for the VRID before determining that the Master is no longer active. If the Master does not send a Hello message before the dead interval expires, the Backups negotiate (compare priorities) to select a new Master for the VRID.
Configuring basic VRRP parameters
To implement a simple VRRP configuration using all the default values, enter commands such as the following.
Configuring the Owner
Router1(config)#router vrrp
Router1(config)#inter e 1/6
Router1(config-if-1/6)#ip address 192.53.5.1
Router1(config-if-1/6)#ip vrrp vrid 1
Router1(config-if-1/6-vrid-1)#owner
Router1(config-if-1/6-vrid-1)#ip-address 192.53.5.
Note regarding disabling VRRP or VRRPE
NOTE
You also can use the enable command to activate the configuration. This command does the same thing as the activate command.
Configuration rules for VRRPE
• The interfaces of all routers in a VRID must be in the same IP subnet.
• The IP address associated with the VRID cannot be configured on any of the Layer 3 Switches.
• The Hello interval must be set to the same value on all the Layer 3 Switches.
Configuring additional VRRP and VRRPE parameters
• Backup priority
• Suppression of RIP advertisements on Backup routes for the backed up interface
• Hello interval
• Dead interval
• Backup Hello messages and message timer (Backup advertisement)
• Track port
• Track priority
• Backup preempt mode
• Timer scale
• VRRP-E slow start timer
For information about the fields, see the parameter descriptions in the following sections.
The parameter values are the same as for VRRP.
Router type
A VRRP interface is either an Owner or a Backup for a given VRID. By default, the Owner becomes the Master following the negotiation. A Backup becomes the Master only if the Master becomes unavailable. A VRRPE interface is always a Backup for its VRID. The Backup with the highest VRRP priority becomes the Master.
Syntax: backup [priority ] [track-priority ]
The priority parameter specifies the VRRP priority for this interface and VRID. You can specify a value from 3 – 254. The default is 100. The track-priority parameter is the same as above.
NOTE
You cannot set the priority of a VRRP Owner. The Owner priority is always 255.
Dead interval
The Dead interval is the number of seconds a Backup waits for a Hello message from the Master before determining that the Master is dead. When Backups determine that the Master is dead, the Backup with the highest priority becomes the new Master. The Dead interval can be from 1 – 84 seconds. The default is 3.5 seconds. This is three times the default Hello interval (1 second) plus one-half second added by the router software.
Syntax: track-port ethernet [/] | ve
The syntax is the same for VRRP and VRRPE.
Syntax: non-preempt-mode
The syntax is the same for VRRP and VRRPE.
Changing the timer scale
To achieve sub-second failover times, you can shorten the duration of all scale timers for VSRP, VRRP, and VRRP-E by adjusting the timer scale. The timer scale is a value used by the software to calculate the timers. By default, the scale value is 1. If you increase the timer scale, each timer’s value is divided by the scale value.
Forcing a Master router to abdicate to a standby router
To set the VRRP-E slow start timer to 30 seconds, enter the following commands.
PowerConnect(config)#router vrrp-e
PowerConnect(config-vrrpe-router)#slow-start 30
Syntax: [no] slow-start
For , enter a value from 1 – 255.
When the VRRP-E slow start timer is enabled, if the Master goes down, the Backup takes over immediately.
Displaying VRRP and VRRPE information
mode owner
priority 99
current priority 99
hello-interval 1 sec
ip-address 192.53.5.1
backup routers 192.53.5.2
This example shows that even though this Layer 3 Switch is the Owner of the VRID (“mode owner”), the Layer 3 Switch priority for the VRID is only 99 and the state is now “backup” instead of “active”. In addition, the administrative status is “enabled”.
The parameter specifies an Ethernet port. If you use this parameter, the command displays VRRP or VRRPE information only for the specified port. The ve parameter specifies a virtual interface. If you use this parameter, the command displays VRRP or VRRPE information only for the specified virtual interface. The stat parameter displays statistics. Refer to “Displaying statistics” on page 1128. This display shows the following information.
PowerConnect#show ip vrrp
Total number of VRRP routers defined: 1
Interface ethernet 1/6
auth-type no authentication
VRID 1
state master
administrative-status enabled
mode owner
priority 255
current priority 255
hello-interval 10000 msec
advertise backup: disabled
track-port 2/4
This example is for a VRRP Owner. Here is an example for a VRRP Backup.
Syntax: show ip vrrp-extended brief | ethernet [/] | ve | stat
The brief parameter displays summary information. Refer to “Displaying summary information” on page 1122. The parameter specifies an Ethernet port. If you use this parameter, the command displays VRRP or VRRPE information only for the specified port. Also, you must specify the on chassis devices. The ve parameter specifies a virtual interface.
TABLE 196 CLI display of VRRP or VRRPE detailed information (Continued)
priority: The device's preferability for becoming the Master for the VRID. During negotiation, the router with the highest priority becomes the Master. If two or more devices are tied with the highest priority, the Backup interface with the highest IP address becomes the active router for the VRID.
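The election rules described in the Overview (highest priority wins, ties go to the highest IP address, an Owner is fixed at 255, and a down track port subtracts the track priority) and the priority field above, worked as an added Python model that is not part of this guide; the switch names, ports and addresses reproduce VRID 1 of Figure 152 and the helper names are my own.

```python
"""Added example (not from the configuration guide): a small model of VRRP /
VRRPE Master election, including the track-port priority adjustment.
Router names, ports and addresses follow VRID 1 of Figure 152; helper
names (VridRouter, elect_master, ...) are assumptions of this example."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

OWNER_PRIORITY = 255  # a VRRP Owner's priority is always 255 and cannot be set


@dataclass
class VridRouter:
    """One router's settings for a single VRID."""
    name: str
    ip: str                      # real interface address; used as the tie-breaker
    priority: int = 100          # Backup priority, default 100 (configurable 3 - 254)
    owner: bool = False          # VRRP Owner of the VRID; never True under VRRPE
    track_priority: int = 0      # subtracted once per tracked port that is down
    track_ports: Dict[str, bool] = field(default_factory=dict)  # port -> link is up?

    def base_priority(self) -> int:
        return OWNER_PRIORITY if self.owner else self.priority

    def effective_priority(self) -> int:
        """Priority after the track-port adjustment ("current priority" in show ip vrrp)."""
        down = sum(1 for up in self.track_ports.values() if not up)
        return max(self.base_priority() - down * self.track_priority, 0)


def elect_master(routers: List[VridRouter], vrrpe: bool = False) -> VridRouter:
    """Highest effective priority wins; a tie goes to the highest IP address.
    VRRPE has no Owner, so every router takes part as a Backup."""
    if vrrpe and any(r.owner for r in routers):
        raise ValueError("VRRPE does not use Owners")
    return max(routers, key=lambda r: (r.effective_priority(), IPv4Address(r.ip)))


def track_priority_warnings(routers: List[VridRouter]) -> List[str]:
    """Names of routers whose track priority is not lower than their VRRP
    priority, which the guide says to avoid when using track ports."""
    return [r.name for r in routers if r.track_priority >= r.base_priority()]


def figure_152_vrid1() -> List[VridRouter]:
    """VRID 1 of Figure 152: Switch 1 is Master (priority 110, tracks e 2/4),
    Switch 2 is Backup (default priority 100, tracks e 3/2); track priority 20."""
    return [
        VridRouter("Switch 1", "192.53.5.2", priority=110,
                   track_priority=20, track_ports={"e 2/4": True}),
        VridRouter("Switch 2", "192.53.5.3", priority=100,
                   track_priority=20, track_ports={"e 3/2": True}),
    ]


def failover_demo() -> Tuple[str, str]:
    """Master before and after Switch 1 loses its tracked uplink e 2/4."""
    routers = figure_152_vrid1()
    before = elect_master(routers, vrrpe=True).name
    routers[0].track_ports["e 2/4"] = False   # 110 - 20 = 90, now below Switch 2's 100
    after = elect_master(routers, vrrpe=True).name
    return before, after


if __name__ == "__main__":
    print("Master before/after uplink failure:", failover_demo())
```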
TABLE 196 CLI display of VRRP or VRRPE detailed information (Continued)
master router expires in
TABLE 197 Output from the show ip vrrp vrid command (Continued)
State: This Layer 3 Switch's VRRP state for the VRID. The state can be one of the following:
• Init – The VRID is not enabled (activated). If the state remains Init after you activate the VRID, make sure that the VRID is also configured on the other routers and that the routers can communicate with each other.
Syntax: show ip vrrp-extended brief | ethernet [/] | ve | stat
The brief parameter displays summary information. Refer to “Displaying summary information” on page 1122. If you specify a port, the parameter is required on chassis devices. The parameter specifies an Ethernet port. If you use this parameter, the command displays detailed VRRP or VRRPE information only for the specified port.
TABLE 198 CLI display of VRRP or VRRPE statistics (Continued)
transitioned to master state count: The number of times this Layer 3 Switch has changed from the backup state to the master state for the VRID.
transitioned to backup state count: The number of times this Layer 3 Switch has changed from the master state to the backup state for the VRID.
Configuration examples
PowerConnect#show process cpu 2
Statistics for last 1 sec and 80 ms
Process Name  Sec(%)  Time(ms)
ARP           0.00    0
BGP           0.00    0
GVRP          0.00    0
ICMP          0.01    1
IP            0.00    0
OSPF          0.00    0
RIP           0.00    0
STP           0.01    0
VRRP          0.00    0
When you specify how many seconds’ worth of statistics you want to display, the software selects the sample that most closely matches the number of seconds you specified. In this example, statistics are requested for the previous two seconds.
The ip vrrp owner command specifies that this router owns the IP address you are associating with the VRID. Because this router owns the IP address, this router is the default Master router and its VRRP priority is thus 255.
Configuring Router2
To configure Router2 in Figure 151 on page 1103 after enabling VRRP, enter the following commands.
Router2(config)#router vrrp
Router2(config)#inter e 1/5
Router2(config-if-1/5)#ip address 192.53.5.
Configuring Router1
To configure VRRP Router1 in Figure 152 on page 1108, enter the following commands.
Router1(config)#router vrrp-extended
Router1(config)#interface ethernet 1/6
Router1(config-if-1/6)#ip address 192.53.5.2/24
Router1(config-if-1/6)#ip vrrp-extended vrid 1
Router1(config-if-1/6-vrid-1)#backup priority 110 track-priority 20
Router1(config-if-1/6-vrid-1)#track-port ethernet 2/4
Router1(config-if-1/6-vrid-1)#ip-address 192.53.5.
NOTE
When you configure a Backup router, the router interface on which you are configuring the VRID must have a real IP address that is in the same subnet as the address associated with the VRID by the Owner. However, the address cannot be the same.
The priority parameter establishes the router's VRRPE priority in relation to the other VRRPE routers in this virtual router.
Chapter 32 Securing Access to Management Functions
Table 199 lists the individual Dell PowerConnect switches and the security access features they support.
Securing access methods
TABLE 200 Ways to secure management access to Dell PowerConnect devices
Access method | How the access method is secured by default | Ways to secure the access method | See page
Serial access to the CLI | Not secured | Establish passwords for management privilege levels | page 1150
Access to the Privileged EXEC and CONFIG levels of the CLI | Not secured | Establish a password for Telnet access to the CLI | page 1149
 | | Establish passwords for management privilege levels | page 1150
 | | Set
Restricting remote access to management functions
TABLE 200 Ways to secure management access to Dell PowerConnect devices (Continued)
Access method | How the access method is secured by default | Ways to secure the access method | See page
Web management access | SNMP read or read-write community strings | Regulate Web management access using ACLs | page 1139
 | | Allow Web management access only from specific IP addresses | page 1141
 | | Allow Web management access only to clients connected to a specific VLAN | p
• Using ACLs to restrict Telnet, Web Management Interface, or SNMP access
• Allowing remote access only from specific IP addresses
• Allowing Telnet and SSH access only from specific MAC addresses
• Allowing remote access only to clients connected to a specific VLAN
• Specifically disabling Telnet, Web Management Interface, or SNMP access to the device
The following sections describe how to restrict remote access to a Dell PowerConnect device using th
Example
PowerConnect(config)#access-list 10 permit host 209.157.22.32
PowerConnect(config)#access-list 10 permit 209.157.23.0 0.0.0.255
PowerConnect(config)#access-list 10 permit 209.157.24.0 0.0.0.255
PowerConnect(config)#access-list 10 permit 209.157.25.
Using ACLs to restrict SNMP access
To restrict SNMP access to the device using ACLs, enter commands such as the following.
NOTE
The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet, SSH, and Web management access using ACLs.
PowerConnect(config)#access-list 25 deny host 209.157.22.98 log
PowerConnect(config)#access-list 25 deny 209.157.23.0 0.0.0.255 log
PowerConnect(config)#access-list 25 deny 209.157.24.0 0.
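To check what a standard ACL like the Telnet and SNMP examples above will actually admit before binding it to a management service, here is an added Python evaluator that is not part of this guide: it parses entries in the syntax shown (host, network plus wildcard mask, any, optional log), applies first-match semantics with the implicit deny at the end, and reports whether the matching entry logs. The sample entries are constructed from the page's examples; the closing permit any on ACL 25 is an assumption added here.

```python
"""Added example (not from the configuration guide): evaluate a client address
against standard numbered ACLs written in the syntax used for Telnet, SSH, Web
and SNMP management access. Sample entries are constructed from the page's
examples; "access-list 25 permit any" is an assumption of this example."""
import re
from ipaddress import IPv4Address
from typing import List, NamedTuple, Tuple


class AclEntry(NamedTuple):
    acl_id: int
    action: str      # "permit" or "deny"
    network: int     # network address as a 32-bit integer
    wildcard: int    # wildcard mask; 1 bits are "don't care"
    log: bool        # entry carries the log keyword


# access-list <id> permit|deny (host <ip> | any | <network> <wildcard>) [log]
_ENTRY_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:host\s+(\S+)|any|(\S+)\s+(\S+))"
    r"(\s+log)?\s*$"
)


def parse_acl(config_lines: List[str]) -> List[AclEntry]:
    """Parse standard numbered ACL lines as they appear in the running-config."""
    entries = []
    for raw in config_lines:
        m = _ENTRY_RE.match(raw.strip())
        if not m:
            raise ValueError(f"not a standard ACL entry: {raw!r}")
        acl_id, action, host, net, wild, log = m.groups()
        if host:                       # host x.x.x.x is x.x.x.x with wildcard 0.0.0.0
            network, wildcard = int(IPv4Address(host)), 0
        elif net:
            network, wildcard = int(IPv4Address(net)), int(IPv4Address(wild))
        else:                          # any is 0.0.0.0 with wildcard 255.255.255.255
            network, wildcard = 0, 0xFFFFFFFF
        entries.append(AclEntry(int(acl_id), action, network, wildcard, bool(log)))
    return entries


def evaluate_acl(entries: List[AclEntry], acl_id: int, client_ip: str) -> Tuple[str, bool]:
    """Return (action, logged) for client_ip under ACL acl_id.
    Entries are tested in order and the first match wins; an address that
    matches no entry hits the implicit deny at the end of every ACL."""
    ip = int(IPv4Address(client_ip))
    for e in entries:
        if e.acl_id != acl_id:
            continue
        care = ~e.wildcard & 0xFFFFFFFF        # the bits this entry compares
        if (ip & care) == (e.network & care):
            return e.action, e.log
    return "deny", False


# Constructed sample: ACL 10 mirrors the Telnet example, ACL 25 the SNMP example.
# The "permit any" on ACL 25 is added here so the listed hosts are denied and
# logged while every other address is still permitted.
SAMPLE_CONFIG = [
    "access-list 10 permit host 209.157.22.32",
    "access-list 10 permit 209.157.23.0 0.0.0.255",
    "access-list 10 permit 209.157.24.0 0.0.0.255",
    "access-list 25 deny host 209.157.22.98 log",
    "access-list 25 deny 209.157.23.0 0.0.0.255 log",
    "access-list 25 permit any",
]
ENTRIES = parse_acl(SAMPLE_CONFIG)


if __name__ == "__main__":
    for acl, ip in ((10, "209.157.23.200"), (10, "209.157.22.33"), (25, "209.157.22.98")):
        print(f"ACL {acl} client {ip}: {evaluate_acl(ENTRIES, acl, ip)}")
```

Note that an address outside every permit entry of ACL 10 (for example 209.157.22.33) is refused by the implicit deny, so a management ACL only needs explicit deny entries when you want them logged.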
NOTE
In RADIUS, the standard attribute Idle-Timeout is used to define the console session timeout value. The attribute Idle-Timeout value is specified in seconds. Within the switch, it is truncated to the nearest minute, because the switch configuration is defined in minutes.
Restricting SNMP access to a specific IP address
To allow SNMP access (which includes Brocade Network Advisor) to the Dell PowerConnect device only to the host with IP address 209.157.22.14, enter the following command.
PowerConnect(config)#snmp-client 209.157.22.
To allow SSH access to the Dell PowerConnect device to a host with any IP address and MAC address 0007.e90f.e9a0, enter the following command.
PowerConnect(config)#ip ssh client any 0007.e90f.e9a0
Syntax: [no] ip ssh client any
Restricting HTTP and HTTPS connection
You can restrict an HTTP or HTTPS connection to a device based on the client IP address or MAC address.
Specifying the maximum number of login attempts for Telnet access
If you are connecting to the device using Telnet, the device prompts you for a username and password. By default, you have up to 4 chances to enter a correct username and password. If you do not enter a correct username or password after 4 attempts, the Dell PowerConnect device disconnects the Telnet session.
The command in this example configures the device to allow Telnet management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.
Syntax: [no] telnet server enable vlan <vlan-id>
Restricting Web management access to a specific VLAN
To allow Web management access only to clients in a specific VLAN, enter a command such as the following.
You also can configure up to five default gateways for the designated VLAN, and associate a metric with each one. The software uses the gateway with the lowest metric. The other gateways reside in the configuration but are not used. To use one of the other gateways, modify the configuration so that the gateway you want to use has the lowest metric.
The zeroize parameter deletes the currently operative DSA key pair. In addition, you must use AAA authentication to create a password to allow SSHv2 access. For example, the following command configures AAA authentication to use TACACS+ for authentication as the default, or local if TACACS+ is not available.
Disabling specific access methods
You can specifically disable the following access methods:
• Telnet access
• Web management access
• SNMP access
• TFTP
NOTE If you disable Telnet access, you will not be able to access the CLI except through SSH (if it is enabled) or a serial connection to the management module. If you disable SNMP access, you will not be able to use Brocade Network Advisor or third-party SNMP management applications.
Disabling SNMP access
SNMP is required if you want to manage a Dell PowerConnect device using Brocade Network Advisor. To disable SNMP management of the device, enter the following command.
PowerConnect(config)#no snmp-server
To later re-enable SNMP management of the device, enter the following command.
PowerConnect(config)#snmp-server
Syntax: [no] snmp-server
Disabling TFTP access
You can globally disable TFTP to block TFTP client access. By default, TFTP client access is enabled.
Setting passwords
Set the password "letmein" for Telnet access to the CLI using the following command at the global CONFIG level.
PowerConnect(config)#enable telnet password letmein
Syntax: [no] enable telnet password <string>
Suppressing Telnet connection rejection messages
By default, if a Dell PowerConnect device denies Telnet management access to the device, the software sends a message to the denied Telnet client. You can optionally suppress the rejection message.
PowerConnect#configure terminal
PowerConnect(config)#
3. Enter the following command to set the Super User level password.
PowerConnect(config)#enable super-user-password <string>
NOTE You must set the Super User level password before you can set other types of passwords. The Super User level password can be an alphanumeric string, but cannot begin with a number.
4. Enter the following commands to set the Port Configuration level and Read Only level passwords.
In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port Configuration). All users with Port Configuration privileges will have the enhanced access. The ip parameter indicates that the enhanced access is for the IP commands.
1. Start a CLI session over the serial interface to the device.
2. Reboot the device.
3. At the initial boot prompt at system startup, enter b to enter the boot monitor mode.
4. Enter no password at the prompt. (You cannot abbreviate this command.) This command causes the device to bypass the system password check.
5. Enter boot system flash primary at the prompt.
6. After the console prompt reappears, assign a new password.
NOTE This procedure needs nothing but the serial console and a reboot, so anyone with physical access to the console port can obtain Super User access. Treat physical access to the console as equivalent to possession of the Super User password, and protect it accordingly.
PowerConnect(config)#enable password-min-length 8
Syntax: enable password-min-length <number>
The <number> can be from 1 – 48.
Setting up local user accounts
You can define up to 16 local user accounts on a Dell PowerConnect device.
• Users are locked out (disabled) if they fail to log in after three attempts. This feature is automatically enabled. Use the disable-on-login-failure command to change the number of login attempts (up to 10) before users are locked out.
Enabling user password masking
By default, when you use the CLI to create a user password, the password displays on the console as you type it. For enhanced security, you can configure the Dell PowerConnect device to mask the password characters entered at the CLI. When password masking is enabled, the CLI displays asterisks (*) on the console instead of the actual password characters entered.
• The username password expires
When a username set-time configuration is removed, it no longer appears in the show running-config output. Note that if a username does not have an assigned password, the username will not have a set-time configuration.
Password aging is disabled by default. To enable it, enter the following command at the global CONFIG level of the CLI.
Setting passwords to expire
You can set a user password to expire. Once a password expires, the administrator must assign a new password to the user. To configure a user password to expire, enter the following.
PowerConnect(config)#username sandy expires 20
Syntax: username <name> expires <days>
Enter 1 – 365 for the number of days. The default is 90 days.
Local user accounts with unencrypted passwords
If you want to use unencrypted passwords for local user accounts, enter a command such as the following at the global CONFIG level of the CLI.
PowerConnect(config)#username wonka password willy
If password masking is enabled, press the [Enter] key before entering the password.
NOTE A password stored this way appears in clear text in the running and startup configuration, so anyone who can read the configuration (show running-config, a TFTP or SCP copy, a configuration backup) learns it. Prefer the encrypted forms described in the next section.
Local accounts with encrypted passwords
You can create local user accounts with MD5 encrypted passwords using one of the following methods:
• Issuing the service password-encryption command after creating the local user account with a username <name> [privilege <level>] password 0 <string> command
• Using the username <name> create-password <string> command
NOTE To create an encrypted all-numeric password, use the username create-password command.
NOTE What the guide calls an MD5 encrypted password is an MD5 hash: the password itself is not stored, but MD5 is fast to compute, so a leaked configuration still allows offline guessing of weak passwords. Enforce a minimum length (enable password-min-length) and treat configuration files as sensitive even when passwords are encrypted.
Changing a local user password
To change a local user password for an existing local user account, enter a command such as the following at the global CONFIG level of the CLI.
NOTE You must be logged on with Super User access (privilege level 0) to change user passwords.
PowerConnect(config)#username wonka password willy
If password masking is enabled, enter the username, press the [Enter] key, then enter the password.
Configuring SSL security for the Web Management Interface
PowerConnect(config)#web-management https
Syntax: [no] web-management http | https
You can enable either the HTTP or HTTPS server with this command. You can disable both the HTTP and HTTPS servers by entering the following command.
PowerConnect(config)#no web-management
Syntax: no web-management
Specifying a port for SSL communication
By default, SSL protocol exchanges occur on TCP port 443.
If you want to allow the Dell PowerConnect device to create the digital certificates, refer to the next section, "Generating an SSL certificate". If you choose to import an RSA certificate and private key file from a client, you can use TFTP to transfer the files. For example, to import a digital certificate using TFTP, enter a command such as the following.
PowerConnect(config)#ip ssl certificate-data-file tftp 192.168.9.
NOTE TFTP provides neither encryption nor authentication, so a private key imported this way crosses the network in clear text. Perform the transfer only over an isolated management network, or let the device generate its own key pair and certificate as described in the next section.
Configuring TACACS/TACACS+ security
NOTE You cannot authenticate Brocade Network Advisor (SNMP) access to a Dell PowerConnect device using TACACS/TACACS+.
The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is sent between a Dell PowerConnect device and an authentication database on a TACACS/TACACS+ server. TACACS/TACACS+ services are maintained in a database, typically on a UNIX workstation or PC with a TACACS/TACACS+ server running.
Configuring TACACS/TACACS+ for devices in a Dell IronStack
Because devices operating in a Dell IronStack topology present multiple console ports, you must take additional steps to secure these ports when configuring TACACS/TACACS+. The following is a sample AAA console configuration using TACACS+.
   6 closed
SSH connections:
   1 closed
   2 closed
   3 closed
   4 closed
   5 closed
stack9#
stack9#show telnet
Console connections (by unit number):
   1 established
      you are connecting to this session
      1 minutes 5 seconds in idle
   2 established
      1 hours 4 minutes 18 seconds in idle
   3 established
      1 hours 4 minutes 15 seconds in idle
   4 established
      1 hours 4 minutes 9 seconds in idle
Telnet connections (inbound):
   1 closed
   2 closed
   3 closed
   4 closed
   5 closed
Telnet connection (outbound):
   6
TACACS+ authentication
When TACACS+ authentication takes place, the following events occur.
1. A user attempts to gain access to the Dell PowerConnect device by doing one of the following:
   • Logging into the device using Telnet, SSH, or the Web Management Interface
   • Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username.
3. The user enters a username.
4.
TACACS+ accounting
TACACS+ accounting works as follows.
1. One of the following events occurs on the Dell PowerConnect device:
   • A user logs into the management interface using Telnet or SSH
   • A user enters a command for which accounting has been configured
   • A system event occurs, such as a reboot or reloading of the configuration file
2. The Dell PowerConnect device checks the configuration to see if the event is one for which TACACS+ accounting is required.
3.
User action: User logs out of Telnet/SSH session
Applicable AAA operations:
   Command accounting (TACACS+): aaa accounting commands default start-stop
   EXEC accounting stop (TACACS+): aaa accounting exec default start-stop
User action: User enters system commands (for example, reload, boot system)
Applicable AAA operations:
   Command authorization (TACACS+): aaa authorization commands default
   Command accounting (TACACS+): aaa acco
• You can configure the Dell PowerConnect device to authenticate using a TACACS or TACACS+ server, not both.
TACACS configuration procedure
Follow the procedure given below for TACACS configurations.
1. Identify TACACS servers. Refer to "Identifying the TACACS/TACACS+ servers" on page 1170.
2. Set optional parameters. Refer to "Setting optional TACACS/TACACS+ parameters" on page 1172.
3. Configure authentication-method lists.
Syntax: tacacs-server host <ip-addr> | <hostname> [auth-port <port>]
The <ip-addr> | <hostname> parameter specifies the IP address or host name of the server. You can enter up to eight tacacs-server host commands to specify up to eight different servers.
NOTE To specify the server's host name instead of its IP address, you must first identify a DNS server using the ip dns server-address command at the global CONFIG level.
After authentication takes place, the server that performed the authentication is used for authorization and accounting. If the authenticating server cannot perform the requested function, then the next server in the configured list of servers is tried; this process repeats until a server that can perform the requested function is found, or every server in the configured list has been tried.
Setting the retransmission limit
The retransmit parameter specifies how many times the Dell PowerConnect device will resend an authentication request when the TACACS/TACACS+ server does not respond. The retransmit limit can be from 1 – 5 times. The default is 3 times. To set the TACACS/TACACS+ retransmit limit, enter a command such as the following.
The command above causes TACACS/TACACS+ to be the primary authentication method for securing access to the Privileged EXEC and CONFIG levels of the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.
NOTE That last fallback is fail-open: a user who reaches it is admitted without any credential check. Include a final "no authentication" method only where being locked out of the CLI while every AAA server and the local database are unavailable is judged worse than admitting an unauthenticated user; otherwise end the list at local. Note also that only an error moves the device to the next method; a server that is reachable and rejects the credentials ends the attempt with a denial (see "Configuring authentication-method lists").
PowerConnect(config)#aaa authentication login privilege-mode
Syntax: aaa authentication login privilege-mode
The user privilege level is based on the privilege level granted during login.
Configuring enable authentication to prompt for password only
If Enable authentication is configured on the device, when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI, by default he or she is prompted for a username and password.
A user privilege level is obtained from the TACACS+ server in the "foundry-privlvl" A-V pair. If the aaa authorization exec default tacacs command exists in the configuration, the device assigns the user the privilege level specified by this A-V pair. If the command does not exist in the configuration, then the value in the "foundry-privlvl" A-V pair is ignored, and the user is granted Super User access.
NOTE The default is therefore the most permissive outcome: without aaa authorization exec default tacacs, every user the TACACS+ server authenticates receives Super User (privilege level 0) access, whatever level the server assigned. Configure EXEC authorization whenever the server is meant to grant anything less than full access.
service = exec {
   privlvl = 15
   }
}
The attribute name in the A-V pair is not significant; the Dell PowerConnect device uses the last one that has a numeric value. However, the Dell PowerConnect device interprets the value for a non-"foundry-privlvl" A-V pair differently than it does for a "foundry-privlvl" A-V pair.
• 0 – Authorization is performed for commands available at the Super User level (all commands)
• 4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
• 5 – Authorization is performed for commands available at the Read Only level (read-only commands)
NOTE TACACS+ command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console.
Configuring TACACS+ accounting for CLI commands
You can configure TACACS+ accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the Dell PowerConnect device to perform TACACS+ accounting for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
Displaying TACACS/TACACS+ statistics and configuration information
The show aaa command displays information about all TACACS+ and RADIUS servers identified on the device.
PowerConnect#show aaa
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.
NOTE The output prints the TACACS+ and RADIUS shared keys in clear text (Tacacs+ key: foundry above). Anyone who can run show aaa, or who receives a pasted copy of its output, holds the secret that authenticates the switch to the AAA servers; treat the output as sensitive.
Example
PowerConnect#show web-connection
Web management Sessions:
User  Privilege   IP address  MAC address  Timeout(secs)
roy   READ-WRITE  10.1.1.3    0030.488.
Configuring RADIUS security
2. The user is prompted for a username and password.
3. The user enters a username and password.
4. The Dell PowerConnect device sends a RADIUS Access-Request packet containing the username and password to the RADIUS server.
5. The RADIUS server validates the Dell PowerConnect device using a shared secret (the RADIUS key).
6. The RADIUS server looks up the username in its database.
7. If the username is found in the database, the RADIUS server validates the password.
8.
1. One of the following events occurs on the Dell PowerConnect device:
   • A user logs into the management interface using Telnet or SSH
   • A user enters a command for which accounting has been configured
   • A system event occurs, such as a reboot or reloading of the configuration file
2. The Dell PowerConnect device checks its configuration to see if the event is one for which RADIUS accounting is required.
3.
User action: User enters system commands (for example, reload, boot system)
Applicable AAA operations:
   Command authorization: aaa authorization commands default
   Command accounting: aaa accounting commands default start-stop
   System accounting stop: aaa accounting system default start-stop
User action: User enters the command: [no] aaa accounting system default
Applicable AAA operations:
   Command authorization: aaa authorization commands
• You can map up to eight RADIUS servers to each port on the Dell PowerConnect device. The port will authenticate users using only the RADIUS servers to which it is mapped. If there are no RADIUS servers mapped to a port, it will use the "global" servers for authentication. In earlier releases, all RADIUS servers are "global" servers and cannot be bound to individual ports. Refer to "Mapping a RADIUS server to individual ports" on page 1190.
You must add these three Dell vendor-specific attributes to your RADIUS server configuration, and configure the attributes in the individual or group profiles of the users that will access the Dell PowerConnect device. Dell Vendor-ID is 1991, with Vendor-Type 1. The following table describes the Dell vendor-specific attributes.
TABLE 204 Dell vendor-specific attributes for RADIUS (Continued)
Attribute name: foundry-access-list
Attribute ID: 5
Data type: string
Description: Specifies the access control list to be used for RADIUS authorization. Enter the access control list in the following format.
type=string, value="ipacl.[e|s].[in|out] = [|] macfilter.
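The vendor-specific attributes in Table 204 travel inside the standard RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26). The following Python is an added example, not code from the guide or the device: it encodes attributes for Vendor-Id 1991 and extracts them from a constructed Access-Accept attribute list. Vendor-type 1 (the privilege level, a 4-byte integer) and vendor-type 5 (foundry-access-list, a string) follow the text and table above; the name "privilege level" for vendor-type 1 and the single-sub-attribute-per-VSA layout are assumptions of this example.

```python
"""Encoding and decoding the Dell (Foundry) RADIUS vendor-specific attributes.

Added example, not from the guide or the device.  RFC 2865 section 5.26:
Type 26, Length, Vendor-Id (4 bytes, high byte 0), then a vendor-type,
vendor-length and value.  Vendor-Id 1991 and vendor-type 1 for the privilege
level come from the text above; vendor-type 5 (foundry-access-list, string)
from Table 204.  Calling vendor-type 1 "privilege level" and treating it as a
4-byte integer is an assumption of this example.  The Access-Accept attribute
bytes below are constructed.
"""
import struct
from typing import Dict, Iterator, Tuple, Union

VSA_TYPE = 26
DELL_VENDOR_ID = 1991
VT_PRIVILEGE_LEVEL = 1   # integer: 0 = Super User, 4 = Port Config, 5 = Read Only (assumed name)
VT_ACCESS_LIST = 5       # string, e.g. "ipacl.s.in = 10" (format per Table 204)

Value = Union[int, str]


def encode_vsa(vendor_type: int, value: Value) -> bytes:
    """One Vendor-Specific attribute carrying a single vendor-1991 sub-attribute."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    inner = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", DELL_VENDOR_ID) + inner
    if 2 + len(body) > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def iter_attributes(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value bytes) from a RADIUS attribute list, rejecting bad lengths."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, l = blob[off], blob[off + 1]
        if l < 2 or off + l > len(blob):
            raise ValueError("bad attribute length")
        yield t, blob[off + 2: off + l]
        off += l


def decode_dell_vsas(blob: bytes) -> Dict[int, Value]:
    """Return {vendor_type: value} for every vendor-1991 VSA in the attribute list."""
    out: Dict[int, Value] = {}
    for t, v in iter_attributes(blob):
        if t != VSA_TYPE or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != DELL_VENDOR_ID:
            continue                      # another vendor's attribute: ignore it
        vt, vl = v[4], v[5]
        if vl < 2 or 4 + vl > len(v):
            raise ValueError("bad vendor-length")
        data = v[6: 4 + vl]
        if vt == VT_PRIVILEGE_LEVEL and len(data) == 4:
            out[vt] = struct.unpack("!I", data)[0]
        else:
            out[vt] = data.decode(errors="replace")
    return out


# Constructed Access-Accept attribute list: Service-Type(6) = Administrative-User(6),
# then the two Dell VSAs a server would send for a Port Configuration user.
ACCEPT_ATTRS = (struct.pack("!BBI", 6, 6, 6)
                + encode_vsa(VT_PRIVILEGE_LEVEL, 4)
                + encode_vsa(VT_ACCESS_LIST, "ipacl.s.in = 10"))

if __name__ == "__main__":
    print(encode_vsa(VT_PRIVILEGE_LEVEL, 0).hex())
    print(decode_dell_vsas(ACCEPT_ATTRS))
```

The decoder ignores Vendor-Specific attributes from other vendors instead of failing on them, which is what a switch must do when a shared RADIUS server also serves other equipment.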
Syntax: [no] enable snmp config-radius | config-tacacs
The config-radius parameter specifies the RADIUS configuration mode. RADIUS is disabled by default. The config-tacacs parameter specifies the TACACS configuration mode. TACACS is disabled by default.
Identifying the RADIUS server to the Dell PowerConnect device
To use a RADIUS server to authenticate access to a Dell PowerConnect device, you must identify the server to the Dell PowerConnect device.
Configuring a RADIUS server per port
You can optionally configure a RADIUS server per port, indicating that it will be used only to authenticate users on ports to which it is mapped. A RADIUS server that is not explicitly configured as a RADIUS server per port is a global server, and can be used to authenticate users on ports to which no RADIUS servers are mapped.
Configuration notes
• This feature works with 802.1X and multi-device port authentication only.
Mapping a RADIUS server to individual ports
You can map up to eight RADIUS servers to each port on the Dell PowerConnect device. The port will authenticate users using only the RADIUS servers to which the port is mapped. If there are no RADIUS servers mapped to a port, it will use the "global" servers for authentication.
PowerConnect(config)#radius-server key mirabeau
Syntax: radius-server key [0 | 1] <string>
When you display the configuration of the Dell PowerConnect device, the RADIUS key is encrypted.
Example
PowerConnect(config)#radius-server key 1 abc
PowerConnect(config)#write terminal
...
radius-server host 1.2.3.5
radius key 1 $!2d
NOTE Encryption of the RADIUS keys is done by default. The 0 parameter disables encryption.
NOTE This encryption only obscures the key in displayed and saved configuration. The device must recover the original key to compute RADIUS authenticators, so the transformation is reversible by design; it does not make configuration files or show output safe to share.
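Steps 4 and 5 of the RADIUS authentication sequence above, and the role the radius-server key plays in them, at the byte level. This Python is an added example, not code from the guide or the device; it follows RFC 2865. The switch hides User-Password by XORing it with MD5(secret || Request-Authenticator), chained per 16-byte block, and the server proves it holds the same secret by setting the Response-Authenticator to MD5(Code | ID | Length | Request-Authenticator | Attributes | Secret), which the switch must verify before trusting an Access-Accept. The secret, user, NAS address and request authenticator below are constructed (a real switch uses 16 random bytes for the authenticator).

```python
"""RADIUS Access-Request construction and response verification (RFC 2865).

Added example, not from the guide or the device.  Shows the two places the
shared secret (radius-server key) is used: hiding User-Password in the
Access-Request and checking the Response-Authenticator of the reply.
Secret, identifier and authenticator below are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(t: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", t, 2 + len(value)) + value


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16n, then c_i = p_i XOR MD5(secret || c_{i-1}), c_0 = req_auth."""
    if len(password) > 128:
        raise ValueError("password too long")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (the server side); strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret: bytes, ident: int, req_auth: bytes,
                         user: str, password: str, nas_ip: str) -> bytes:
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(secret, req_auth, password.encode()))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(secret: bytes, code: int, ident: int,
                           req_auth: bytes, attrs: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(secret: bytes, code: int, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """What the server sends back (Access-Accept/Reject), authenticated with the secret."""
    return packet(code, ident, response_authenticator(secret, code, ident, req_auth, attrs), attrs)


def verify_response(secret: bytes, req_auth: bytes, response: bytes) -> bool:
    """The switch's check: wrong secret, wrong request authenticator or any altered byte fails."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(secret, code, ident, req_auth, response[20:])
    return hmac.compare_digest(expected, response[4:20])


SECRET = b"networks"           # constructed shared secret (radius-server key)
REQ_AUTH = bytes(range(16))    # constructed; a real switch uses 16 random bytes

if __name__ == "__main__":
    req = build_access_request(SECRET, 7, REQ_AUTH, "sandy", "s3cret", "192.168.1.50")
    acc = build_response(SECRET, ACCESS_ACCEPT, 7, REQ_AUTH, b"")
    print(len(req), verify_response(SECRET, REQ_AUTH, acc), verify_response(b"wrong", REQ_AUTH, acc))
```

An Access-Accept whose Response-Authenticator does not verify must be discarded, not treated as a reject: otherwise anyone who can inject UDP toward the switch could forge an Accept without knowing the key.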
Configuring authentication-method lists for RADIUS
You can use RADIUS to authenticate Telnet/SSH access and access to the Privileged EXEC level and CONFIG levels of the CLI. When configuring RADIUS authentication, you create authentication-method lists specifically for these access methods, specifying RADIUS as the primary authentication method.
TABLE 205 Authentication method values
Method parameter: line
   Description: Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password… command. Refer to "Setting a Telnet password" on page 1149.
Method parameter: enable
   Description: Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password… command.
Configuring RADIUS authorization
Dell PowerConnect devices support RADIUS authorization for controlling access to management functions in the CLI.
• 5 – Authorization is performed for commands available at the Read Only level (read-only commands)
NOTE RADIUS command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console. No authorization is performed for commands entered at the Web Management Interface or Brocade Network Advisor.
Configuring RADIUS accounting for CLI commands
You can configure RADIUS accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the Dell PowerConnect device to perform RADIUS accounting for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
Example
PowerConnect#show aaa
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49:
                opens=6 closes=3 timeouts=3 errors=0
                packets in=4 packets out=4
no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.
PowerConnect#clear web-connection
Syntax: clear web-connection
After issuing the clear web-connection command, the show web-connection command displays the following output:
PowerConnect#show web-connection
No WEB-MANAGEMENT sessions are currently established!
Configuring authentication-method lists
To implement one or more authentication methods for securing access to the device, you configure authentication-method lists that set the order in which the authent
NOTE If an authentication method is working properly and the password (and user name, if applicable) is not known to that method, this is not an error. The authentication attempt stops, and the user is denied access; the remaining methods in the list are not tried. Only an error with a method (for example, an unreachable server) moves the software on to the next method. The software continues this process until either an authentication method is passed or the software reaches the end of the method list.
This command configures the device to use the local user accounts to authenticate access to the device through the Web Management Interface. If the device does not have a user account that matches the user name and password entered by the user, the user is not granted access.
Example 2
To configure an authentication-method list for SNMP, enter a command such as the following.
NOTE TACACS/TACACS+ and RADIUS are supported only with the enable and login parameters.
The first method parameter specifies the primary authentication method. The remaining optional method parameters specify additional methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Parameter column in the following table.
TCP Flags - edge port security
• Match-all - Indicates that incoming TCP traffic must be matched against all of the TCP flags configured as part of the match-all ACL rule. In CAM hardware, there will be only one ACL rule for all configured flags.
Example
PowerConnect(config-ext-nACL)#permit tcp 1.1.1.1 0.0.0.255 eq 100 2.2.2.2 0.0.0.255 eq 300 match-all +urg +ack +syn -rst
This command configures a single rule in CAM hardware.
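What the match-all flag specification in the rule above actually tests against a TCP segment, as an added Python example (not code from the guide or the device): "+flag" means the flag must be set, "-flag" means it must be clear, and flags not listed are ignored. The flag byte is read from offset 13 of a raw TCP header so the check can be run against captured segments; the headers used here are constructed.

```python
"""TCP flag matching for the extended-ACL 'match-all +flag/-flag' rule above.

Added example, not code from the guide or the device.  '+flag' means the flag
must be set, '-flag' means it must be clear, and flags not listed are
don't-care.  Flags are taken from byte 13 of a raw TCP header; the headers
built below are constructed test data.
"""
import struct
from typing import Tuple

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_flag_spec(spec: str) -> Tuple[int, int]:
    """'+urg +ack +syn -rst' -> (must_be_set, must_be_clear) bit masks."""
    must_set = must_clear = 0
    for tok in spec.split():
        if len(tok) < 2 or tok[1:].lower() not in TCP_FLAG_BITS:
            raise ValueError(f"bad flag token {tok!r}")
        bit = TCP_FLAG_BITS[tok[1:].lower()]
        if tok[0] == "+":
            must_set |= bit
        elif tok[0] == "-":
            must_clear |= bit
        else:
            raise ValueError(f"flag token must start with + or -: {tok!r}")
    if must_set & must_clear:
        raise ValueError("a flag cannot be both required and forbidden")
    return must_set, must_clear


def tcp_flags(header: bytes) -> int:
    """Low six flag bits of byte 13 of a TCP header (CWR/ECE ignored)."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return header[13] & 0x3F


def match_all(flags: int, spec: str) -> bool:
    """True only when every +flag is set and every -flag is clear."""
    must_set, must_clear = parse_flag_spec(spec)
    return (flags & must_set) == must_set and (flags & must_clear) == 0


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (constructed; checksum left as zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


RULE = "+urg +ack +syn -rst"   # flag part of the guide's example rule

if __name__ == "__main__":
    seg = build_tcp_header(100, 300, 0x20 | 0x10 | 0x02)         # URG+ACK+SYN
    print(match_all(tcp_flags(seg), RULE))                        # True
    seg = build_tcp_header(100, 300, 0x20 | 0x10 | 0x02 | 0x04)  # ... plus RST
    print(match_all(tcp_flags(seg), RULE))                        # False
```

Because unlisted flags are don't-care, a segment with PSH set in addition to URG, ACK and SYN still matches; a segment missing any one of the required flags, or carrying RST, does not.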
Chapter 33 Configuring SSH2 and SCP Table 208 lists individual Dell PowerConnect switches and the SSH2 and Secure Copy features they support.
SSH version 2 support
• SSH Fingerprint Format
• SSH Protocol Assigned Numbers
• SSH Transport Layer Encryption Modes
• SCP/SFTP/SSH URI Format
Tested SSH2 clients
The following SSH clients have been tested with SSH2:
• SSH Secure Shell 3.2.3
• Van Dyke SecureCRT 4.0 and 4.1
• F-Secure SSH Client 5.3 and 6.0
• PuTTY 0.54 and 0.56
• OpenSSH 3.5_p1 and 3.6.1p2
• Solaris Sun-SSH-1.0
NOTE Dell PowerConnect devices support client public key sizes of 1024 bytes or less.
AES encryption for SSH2
Encryption is provided with 3des-cbc, aes128-cbc, aes192-cbc or aes256-cbc. AES encryption has been adopted by the U.S. Government as an encryption standard. Of the four, 3des-cbc is the weakest and should be offered only to clients that support nothing else; where the client allows it, restrict its cipher list to the AES options.
A total of five SSH connections can be active on a Dell PowerConnect device. To display information about SSH connections, enter the following command.
Configuring SSH2
• Password authentication, where users attempting to gain access to the device using an SSH client are authenticated with passwords stored on the device or on a TACACS/TACACS+ or RADIUS server
Both kinds of user authentication are enabled by default. You can configure the device to use one or both of them.
Follow the steps given below to configure Secure Shell on a Dell PowerConnect device.
1. If necessary, recreate the SSH keys
2.
When a host key pair is generated, it is saved to the flash memory of all management modules.
To disable SSH2 on a Dell PowerConnect device, enter the following command.
PowerConnect(config)#crypto key zeroize
When SSH is disabled this way, the host key pair is deleted from the flash memory of all management modules; generating a new pair re-enables SSH.
Syntax: crypto key generate | zeroize
The generate keyword places a DSA host key pair in the flash memory and enables SSH on the device.
1. The client sends its public key to the Dell PowerConnect device.
2. The Dell PowerConnect device compares the client public key to those stored in memory.
3. If there is a match, the Dell PowerConnect device uses the public key to encrypt a random sequence of bytes.
4. The Dell PowerConnect device sends these encrypted bytes to the client.
5. The client uses its private key to decrypt the bytes.
6. The client sends the decrypted bytes back to the Dell PowerConnect device.
7.
NOTE The challenge-and-decrypt sequence above is a simplified description. In SSH2 as specified in RFC 4252, the client proves possession of the private key by signing data that includes the session identifier, and the server verifies that signature with the stored public key. The security property is the same (only the holder of the private key can complete the step), but the public key is never used to encrypt anything.
Setting optional parameters
The <filename> variable is the name of the DSA public key file that you want to import into the Dell PowerConnect device. The remove parameter deletes the key from the system.
To display the currently loaded public keys, enter the following command.
• A specific interface to be used as the source for all SSH traffic from the device
• The maximum idle time for SSH sessions
Setting the number of SSH authentication retries
By default, the Dell PowerConnect device attempts to negotiate a connection with the connecting host three times. The number of authentication retries can be changed to between 1 – 5. For example, the following command changes the number of authentication retries to 5.
To enable empty password logins, enter the following command.
PowerConnect(config)#ip ssh permit-empty-passwd yes
Syntax: ip ssh permit-empty-passwd no | yes
NOTE Leave this at the default (no) unless there is a specific reason to allow logins with an empty password; enabling it turns any account whose password is empty into an unauthenticated entry point.
Setting the SSH port number
By default, SSH traffic occurs on TCP port 22. You can change this port number. For example, the following command changes the SSH port number to 2200.
Filtering SSH access using ACLs
You can permit or deny SSH access to the Dell PowerConnect device using ACLs. To use ACLs, first create the ACLs you want to use. You can specify a numbered standard IPv4 ACL or a named standard IPv4 ACL. Enter commands such as the following.
PowerConnect(config)#access-list 10 permit host 192.168.144.241
PowerConnect(config)#access-list 10 deny host 192.168.144.242 log
PowerConnect(config)#access-list 10 permit host 192.168.144.
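The standard ACLs used here, and in "Restricting remote access to management functions" for Telnet, Web and SNMP access, are all evaluated the same way: first match wins, a wildcard mask marks the bits that are ignored, and a packet that matches no rule hits the implicit deny at the end. The following Python is an added example, not code from the guide or the device; it parses ACL lines in the guide's own syntax and evaluates a management client's source address against them. The ACL text is constructed to mirror ACL 10 above.

```python
"""Standard IPv4 ACL evaluation, as a switch applies it to management sessions.

Added example for this section (not code from the guide or the device): it
models the 'access-list <n> permit|deny ...' lines shown above, including
'host', wildcard masks, 'any', the 'log' keyword and the implicit deny that
follows the last rule.  The ACL text below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    base: int        # network or host address as an integer
    wildcard: int    # wildcard mask: 1 bits are "don't care"
    log: bool        # 'log' keyword present


def parse_rule(line: str) -> Rule:
    """Parse 'access-list <n> permit|deny host A | A W | any [log]'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL line: {line!r}")
    action, rest = tok[2], tok[3:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest[0] == "host":
        base, wild = rest[1], "0.0.0.0"
    elif rest[0] == "any":
        base, wild = "0.0.0.0", "255.255.255.255"
    else:
        base, wild = rest[0], rest[1]
    return Rule(action, int(ipaddress.IPv4Address(base)),
                int(ipaddress.IPv4Address(wild)), log)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def rule_matches(rule: Rule, addr: str) -> bool:
    """Wildcard-mask compare: bits set in the mask are ignored."""
    care = ~rule.wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (rule.base & care)


def evaluate(rules: List[Rule], client_ip: str) -> Tuple[str, Optional[int], bool]:
    """First matching rule wins; no match means the implicit deny (not logged)."""
    for i, r in enumerate(rules):
        if rule_matches(r, client_ip):
            return r.action, i, r.log
    return "deny", None, False


# Constructed ACL in the guide's syntax (the 'PowerConnect(config)#' prompt stripped).
MGMT_ACL = """
access-list 10 permit host 192.168.144.241
access-list 10 deny host 192.168.144.242 log
access-list 10 permit 209.157.23.0 0.0.0.255
"""

if __name__ == "__main__":
    rules = parse_acl(MGMT_ACL)
    for ip in ("192.168.144.241", "192.168.144.242", "209.157.23.77", "10.0.0.1"):
        print(ip, evaluate(rules, ip))
```

Note that the implicit deny is silent: only an explicit deny with the log keyword produces a log entry, so a management ACL that should alert on rejected sources needs a trailing "deny any log" rule.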
Using Secure copy with SSH2
Example
PowerConnect#show who
Console connections:
   established, monitor enabled, in config mode
      2 minutes 17 seconds in idle
Telnet connections (inbound):
   1 closed
   2 closed
   3 closed
   4 closed
   5 closed
Telnet connection (outbound):
   6 closed
SSH connections:
   1 established, client ip address 192.168.144.241,
      1 minutes 16 seconds in idle
   2 established, client ip address 192.168.144.241,
      you are connecting to this session
      18 seconds in idle
   3 established, client ip address 192.
Configuration notes
• When using SCP, enter the scp commands on the SCP-enabled client, rather than the console on the Dell PowerConnect device.
• Certain SCP client options, including -p and -r, are ignored by the SCP server on the Dell device. If an option is ignored, the client is notified.
• An SCP AES copy of the running or start configuration file from the Dell PowerConnect device to Linux WS 4 or 5 may fail if the configuration size is less than 700 bytes.
Copying a software image file to flash memory
PowerConnect B-Series FCX Devices
To copy a software image file from an SCP-enabled client to the primary flash on a PowerConnect B-Series FCX device, enter one of the following commands.
C:\> scp FCXR07000.bin terry@192.168.1.50:flash:primary
or
C:\> scp terry@192.168.1.50:flash:primary FCXR07000.
Chapter 34 Configuring 802.1X Port Security
Table 210 lists individual Dell PowerConnect switches and the 802.1X port security features they support.
TABLE 210 Supported 802.1X port security features
Feature                                                          PowerConnect B-Series FCX
802.1X port security                                             Yes
Multiple host authentication                                     Yes
EAP pass-through support                                         Yes
802.1X accounting                                                Yes
802.1X dynamic assignment for ACL, MAC address filter, and VLAN  Yes
Automatic removal of Dynamic VLAN for 802.
How 802.1X port security works
This section explains the basic concepts behind 802.1X port security, including device roles, how the devices communicate, and the procedure used for authenticating clients.
NOTE 802.1X Port Security cannot be configured on MAC Port Security-enabled ports.
Device roles in an 802.1X configuration
The 802.1X standard defines the roles of Client/Supplicant, Authenticator, and Authentication Server in a network.
Client/Supplicant – The device that seeks to gain access to the network. Clients must be running software that supports the 802.1X standard (for example, the Windows XP operating system). Clients can either be directly connected to a port on the Authenticator, or can be connected by way of a hub.
Authentication server – The device that validates the Client and specifies whether or not the Client may access services on the device.
FIGURE 155 Controlled and uncontrolled ports before and after client authentication
[Figure: two panels, each showing an Authentication Server, a Switch (Authenticator) with a Services block and a PAE, a Controlled Port and an Uncontrolled Port on one Physical Port, and an 802.1X-Enabled Supplicant PAE below. Before authentication the Controlled Port is Unauthorized; after authentication it is Authorized.]
activities. Since EAP-TLS requires PKI digital certificates on both the clients and the authentication servers, the rollout, maintenance, and scalability of this authentication method is much more complex than other methods. EAP-TLS is best for installations with existing PKI certificate infrastructures.
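Whichever EAP method is in use, the authenticator sees only an EAPOL envelope on the wire and an EAP packet inside it; it acts on the envelope itself and relays the EAP packet to the authentication server unchanged, which is the pass-through behaviour the next section describes. The following Python is an added example, not code from the guide or the device: it parses a constructed EAPOL frame and EAP header (IEEE 802.1X and RFC 3748 layouts) and returns what a pass-through authenticator does with it. The supplicant MAC address and the frames are constructed; the EAP type names are the IANA assignments for the methods listed above.

```python
"""EAPOL/EAP frame parsing and the authenticator's pass-through decision.

Added example, not from the guide or the device.  An 802.1X authenticator
handles the EAPOL envelope (IEEE 802.1X: version, packet type, body length)
itself and relays EAP packets of any method type (RFC 3748) to the
authentication server unchanged.  The frames below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAMES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


@dataclass
class Eapol:
    src: bytes
    version: int
    packet_type: int
    body: bytes


def parse_eapol(frame: bytes) -> Eapol:
    """Ethernet header + EAPOL header; the body length is honoured, padding dropped."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if 18 + length > len(frame):
        raise ValueError("EAPOL body length exceeds frame")
    return Eapol(src, version, ptype, frame[18:18 + length])


def parse_eap(body: bytes) -> Tuple[int, int, Optional[int], bytes]:
    """RFC 3748 header: code, identifier, length; a type byte only for Request/Response."""
    if len(body) < 4:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response needs a type byte")
        return code, ident, body[4], body[5:length]
    return code, ident, None, body[4:length]


def build_eap(code: int, ident: int, etype: Optional[int], data: bytes) -> bytes:
    tail = (bytes([etype]) if etype is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(tail)) + tail


def build_eapol(src: bytes, ptype: int, body: bytes, version: int = 2) -> bytes:
    return PAE_GROUP_ADDR + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, len(body)) + body


def authenticator_action(frame: bytes) -> Tuple[str, Optional[bytes]]:
    """What a pass-through authenticator does with one frame from the supplicant."""
    e = parse_eapol(frame)
    if e.packet_type == EAPOL_START:
        # Start the exchange with an EAP-Request/Identity built by the switch itself.
        return "send EAP-Request/Identity", build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY, b"")
    if e.packet_type == EAPOL_LOGOFF:
        return "set controlled port Unauthorized", None
    if e.packet_type == EAPOL_EAP_PACKET:
        code, ident, etype, _ = parse_eap(e.body)
        if code != EAP_RESPONSE:
            raise ValueError("a supplicant only sends EAP Responses")
        # Pass-through: the EAP packet goes to the RADIUS server whatever its method type.
        name = EAP_TYPE_NAMES.get(etype, f"type {etype}")
        return f"relay EAP-Response/{name} id={ident} to RADIUS (EAP-Message)", e.body
    return "ignore", None


SUPPLICANT = bytes.fromhex("0007e90fe9a0")   # constructed client MAC

if __name__ == "__main__":
    print(authenticator_action(build_eapol(SUPPLICANT, EAPOL_START, b"")))
    ident_resp = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"roy")
    print(authenticator_action(build_eapol(SUPPLICANT, EAPOL_EAP_PACKET, ident_resp)))
    peap = build_eap(EAP_RESPONSE, 2, 25, b"\x20")    # PEAP fragment: relayed unchanged
    print(authenticator_action(build_eapol(SUPPLICANT, EAPOL_EAP_PACKET, peap)))
```

The only EAP packet the authenticator composes itself is the initial Request/Identity; every Response, PEAP or EAP-TLS fragments included, is forwarded verbatim, which is why adding a new EAP method is a server-side change only.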
EAP pass-through support

EAP pass-through is supported on PowerConnect devices that have 802.1X enabled. EAP pass-through support is fully compliant with RFC 3748, in which, by default, compliant pass-through authenticator implementations forward EAP challenge request packets of any type, including those listed in the previous section.

Configuration notes
• If the 802.
FIGURE 157 Multiple hosts connected to a single 802.1X-enabled port
(Figure: a RADIUS Server (Authentication Server) at 192.168.9.22, the Switch (Authenticator) with port e2/1 connected to a hub, and Clients/Supplicants running 802.1X-compliant client software behind the hub.)

If there are multiple hosts connected to a single 802.1X-enabled port, the Dell PowerConnect device authenticates each of them individually.
5. If authentication for the Client is unsuccessful the first time, multiple attempts to authenticate the client will be made, as determined by the attempts variable in the auth-fail-max-attempts command.
• Refer to “Specifying the number of authentication attempts the device makes before dropping packets” on page 1243 for information on how to do this.
6.
• Dynamic multiple VLAN assignment for 802.1X ports. Refer to “Dynamic multiple VLAN assignment for 802.1X ports” on page 1231.
• Configure a restriction to forward authenticated and unauthenticated tagged and untagged clients to a restricted VLAN.
• Configure an override to send failed dot1x and non-dot1x clients to a restricted VLAN.
• Configure VLAN assignments for clients attempting to gain access through dual-mode ports.
• Enhancements to some show commands.
1. A RADIUS server successfully authenticates an 802.1X client.
2. If 802.1X accounting is enabled, the Dell PowerConnect device sends an 802.1X Accounting Start packet to the RADIUS server, indicating the start of a new session.
3. The RADIUS server acknowledges the Accounting Start packet.
4. The RADIUS server records information about the client.
5.
Example
PowerConnect(config)#aaa authentication dot1x default radius
Syntax: [no] aaa authentication dot1x default
Enter at least one of the following authentication methods:
radius – Use the list of all RADIUS servers that support 802.1X for authentication.
none – Use no authentication. The Client is automatically authenticated without the device using information supplied by the Client.
The parameter specifies the number of seconds the device will wait to re-authenticate a user after a timeout. The minimum value is 10 seconds. The maximum value is 2^16 – 1 (the maximum unsigned 16-bit value).

Deny user access to the network after a RADIUS timeout

To set the RADIUS timeout behavior to bypass 802.
NOTE
When a show run command is issued during a session, the dynamically-assigned VLAN is not displayed.

Enable 802.1X VLAN ID support by adding the following attributes to a user profile on the RADIUS server.

Attribute name            Type   Value
Tunnel-Type               064    13 (decimal) – VLAN
Tunnel-Medium-Type        065    6 (decimal) – 802
Tunnel-Private-Group-ID   081    (string) – either the name or the number of a VLAN configured on the Dell PowerConnect device.
To specify an untagged VLAN, use the following format.
"U:10" or "U:marketing"
When the RADIUS server specifies an untagged VLAN ID, the port default VLAN ID (or PVID) is changed from the system DEFAULT-VLAN (VLAN 1) to the specified VLAN ID. The port transmits only untagged traffic on its PVID. In this example, the port PVID is changed from VLAN 1 (the DEFAULT-VLAN) to VLAN 10 or the VLAN named "marketing".
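The three attributes above travel in the RADIUS Access-Accept as RFC 2868 tunnel attributes, each with a one-byte tag in front of its value. The following is an added example (not Dell code and not from this guide) showing how a RADIUS server encodes them for "U:10" or "U:marketing" and how an authenticator should decode them, including the RFC 2868 rule that a leading byte above 0x1F in Tunnel-Private-Group-ID is the first character of the string rather than a tag. The attribute numbers and values are those in the table above; everything else (function names, the tag handling, the U:/T: split) is this example's own.

```python
"""RFC 2868 tunnel attributes for 802.1X dynamic VLAN assignment.

Added example, not Dell code. Encodes Tunnel-Type (64) = 13 VLAN,
Tunnel-Medium-Type (65) = 6 802 and Tunnel-Private-Group-ID (81) as a
RADIUS server would place them in an Access-Accept, and decodes them as an
authenticator must. Wire format: Type, Length, one-byte Tag, value."""
import struct
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # decimal 13 = VLAN
TUNNEL_MEDIUM_802 = 6      # decimal 6 = IEEE 802


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, counts the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vlan_assignment(group_id: str, tag: int = 0) -> bytes:
    """Attribute bytes assigning the VLAN in group_id, e.g. "U:10".

    tag (0..31) ties the three attributes together; 0 means no tag."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag must be 0..31")

    def tagged_int(v: int) -> bytes:
        return bytes([tag]) + v.to_bytes(3, "big")   # tag + 3-byte integer

    out = _attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
    out += _attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802))
    # For the string attribute the tag byte is omitted when it is 0; the
    # receiver treats a first byte above 0x1F as text, not as a tag.
    prefix = bytes([tag]) if tag else b""
    out += _attr(TUNNEL_PRIVATE_GROUP_ID, prefix + group_id.encode("ascii"))
    return out


def decode_attributes(data: bytes) -> List[Tuple[int, int, object]]:
    """Parse a run of attributes into (type, tag, value) triples; malformed
    lengths raise instead of reading past the buffer."""
    result: List[Tuple[int, int, object]] = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer attribute must be 4 bytes")
            result.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if body and body[0] <= 0x1F:
                tag, text = body[0], body[1:]
            else:
                tag, text = 0, body
            result.append((attr_type, tag, text.decode("ascii")))
        else:
            result.append((attr_type, 0, body))
        i += length
    return result


def vlan_from_accept(data: bytes) -> Optional[Tuple[str, str]]:
    """("untagged" | "tagged", vlan) for the first complete triple, else None.

    Tunnel-Type must be VLAN and Tunnel-Medium-Type must be 802 under the
    same tag as the group id. Values without a U:/T: prefix are not covered
    by the guide's text and are ignored here."""
    attrs: Dict[Tuple[int, int], object] = {
        (t, tag): v for t, tag, v in decode_attributes(data)
    }
    for (attr_type, tag), value in attrs.items():
        if attr_type != TUNNEL_PRIVATE_GROUP_ID:
            continue
        if attrs.get((TUNNEL_TYPE, tag)) != TUNNEL_TYPE_VLAN:
            continue
        if attrs.get((TUNNEL_MEDIUM_TYPE, tag)) != TUNNEL_MEDIUM_802:
            continue
        mode, sep, vlan = str(value).partition(":")
        if sep and vlan and mode.upper() == "U":
            return ("untagged", vlan)
        if sep and vlan and mode.upper() == "T":
            return ("tagged", vlan)
    return None
```

The decoder deliberately refuses a group id whose Tunnel-Type or Tunnel-Medium-Type is missing or carries a different tag: an Access-Accept with only attribute 81 must not move a port into a VLAN.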
Syntax: save-dynamicvlan-to-config
By default, the dynamic VLAN assignments are not saved to the running-config file. Entering the show running-config command does not display dynamic VLAN assignments, although they can be displayed with the show vlan and show authenticated-mac-address detail commands.

NOTE
When this feature is enabled, issuing the command write mem will save any dynamic VLAN assignments to the startup configuration file.
Example
PowerConnect(config)#int e 3/2
PowerConnect(config-if-e1000-3/2)#port security
PowerConnect(config-port-security-e1000-3/2)#maximum 2
PowerConnect(config-port-security-e1000-3/2)#exit
Refer to Chapter 35, “Using the MAC Port Security Feature” for more information.

Dynamically applying IP ACLs and MAC address filters to 802.1X ports

The 802.
• A dynamic IP ACL will take precedence over an IP ACL that is bound to a port (port ACL). When a client authenticates with a dynamic IP ACL, the port ACL will not be applied. Also, future clients on the same port will authenticate with a dynamic IP ACL or no IP ACL. If no clients on the port use a dynamic ACL, then the port ACL will be applied to all traffic.

Disabling and enabling strict security mode for dynamic filter assignment

By default, 802.
PowerConnect(config)#interface e 1
PowerConnect(config-if-e1000-1)#dot1x disable-filter-strict-security
To re-enable strict security mode for an interface, enter the following command.
• Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters are not supported.
• MAC address filters are supported only for the inbound direction. Outbound MAC address filters are not supported.
• Dynamically assigned IP ACLs and MAC address filters are subject to the same configuration restrictions as non-dynamically assigned IP ACLs and MAC address filters.
Syntax: [no] dot1x-enable
At the dot1x configuration level, you can enable 802.1X port security on all interfaces at once, on individual interfaces, or on a range of interfaces. For example, to enable 802.1X port security on all interfaces on the device, enter the following command.
PowerConnect(config-dot1x)#enable all
Syntax: [no] enable all
To enable 802.1X port security on interface 3/11, enter the following command.
When an interface control type is set to auto, the controlled port is initially set to unauthorized, but is changed to authorized when the connecting Client is successfully authenticated by an Authentication Server. The port control type can be one of the following:
force-authorized – The controlled port is placed unconditionally in the authorized state, allowing all traffic. This is the default state for ports on the Dell PowerConnect device.
For example, to re-authenticate Clients connected to interface 3/1, enter the following command.
Setting the maximum number of EAP frame retransmissions

The Dell PowerConnect device retransmits the EAP-request/identity frame a maximum of two times. If no EAP-response/identity frame is received from the Client after two EAP-request/identity frame retransmissions (or the amount of time specified with the auth-max command), the device restarts the authentication process with the Client.
Setting the maximum number of EAP frame retransmissions

You can optionally specify the number of times the Dell PowerConnect device will retransmit the EAP-request frame. You can specify between 1 – 10 frame retransmissions. For example, to configure the device to retransmit an EAP-request frame to a Client a maximum of three times, enter the following command.
PowerConnect(config-dot1x)#maxreq 3
Syntax: maxreq
The value is a number from 1 – 10. The default is 2.
Configuring 802.1X multiple-host authentication

When multiple hosts are connected to the same 802.1X-enabled port, the functionality described in “How 802.1X Multiple-host authentication works” on page 1224 is enabled by default.
• Permitted dot1x-mac-sessions, which are the dot1x-mac-sessions for authenticated Clients, as well as for non-authenticated Clients whose ports have been placed in the restricted VLAN, are aged out if no traffic is received from the Client MAC address over the normal MAC aging interval on the Dell PowerConnect device.
Clearing a dot1x-mac-session for a MAC address

You can clear the dot1x-mac-session for a specified MAC address, so that the Client with that MAC address can be re-authenticated by the RADIUS server.
Example
PowerConnect#clear dot1x mac-session 00e0.1234.abd4
Syntax: clear dot1x mac-session

Defining MAC address filters for EAP frames

You can create MAC address filters to permit or deny EAP frames. To do this, you specify the Dell PowerConnect device 802.
Configuring 802.1X accounting

802.1X accounting enables the recording of information about 802.1X clients who were successfully authenticated and allowed access to the network. When 802.1X accounting is enabled on the Dell PowerConnect device, it sends the following information to a RADIUS server whenever an authenticated 802.
Enabling 802.1X accounting

To enable 802.1X accounting, enter the following command.
PowerConnect(config)#aaa accounting dot1x default start-stop radius none
Syntax: aaa accounting dot1x default start-stop radius | none
radius – Use the list of all RADIUS servers that support 802.1X for authentication.
none – Use no authentication. The client is automatically authenticated without the device using information supplied by the client.
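The Accounting Start and Stop packets in the sequence above are RADIUS Accounting-Requests (RFC 2866). The following is an added example, not Dell code and not taken from this guide, that builds both packets as an authenticator would and performs the check a RADIUS server makes before it records anything: recomputing the Request Authenticator, MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the shared secret, and comparing it to the one in the packet. The shared secret, NAS address, port number, MAC and session id are constructed sample values, and the helper names are this example's own.

```python
"""RADIUS accounting Start/Stop for an 802.1X session (RFC 2866).

Added example, not Dell code. The authenticator side builds the packets;
the server side verifies the Request Authenticator and extracts the record."""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCOUNTING_REQUEST = 4
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_PORT = 5
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46
ACCT_START, ACCT_STOP = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _u32(v: int) -> bytes:
    return struct.pack("!I", v)


def build_accounting_request(ident: int, secret: bytes,
                             attrs: List[Tuple[int, bytes]]) -> bytes:
    """Header, Request Authenticator, attributes (RFC 2866 section 3)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def session_start(ident, secret, username, nas_ip, nas_port, mac, session_id):
    """The Accounting Start packet sent after a successful authentication."""
    return build_accounting_request(ident, secret, [
        (ACCT_STATUS_TYPE, _u32(ACCT_START)),
        (USER_NAME, username.encode()),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, _u32(nas_port)),
        (CALLING_STATION_ID, mac.encode()),
        (ACCT_SESSION_ID, session_id.encode()),
    ])


def session_stop(ident, secret, username, session_id, seconds):
    """The Accounting Stop packet; the same Acct-Session-Id ties it to Start."""
    return build_accounting_request(ident, secret, [
        (ACCT_STATUS_TYPE, _u32(ACCT_STOP)),
        (USER_NAME, username.encode()),
        (ACCT_SESSION_ID, session_id.encode()),
        (ACCT_SESSION_TIME, _u32(seconds)),
    ])


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: a wrong secret or any modified byte fails it."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Attributes of a verified packet, keyed by type (first occurrence wins)."""
    attrs: Dict[int, bytes] = {}
    i = 20
    while i < len(packet):
        if len(packet) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, packet[i + 2:i + length])
        i += length
    return attrs


def session_record(packet: bytes, secret: bytes) -> Dict[str, object]:
    """What the server records for the session; rejects unverified packets."""
    if not verify_accounting_request(packet, secret):
        raise ValueError("Request Authenticator mismatch; packet discarded")
    a = parse_attributes(packet)
    status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
    rec: Dict[str, object] = {
        "status": {ACCT_START: "Start", ACCT_STOP: "Stop"}.get(status, status),
        "user": a[USER_NAME].decode(),
        "session_id": a[ACCT_SESSION_ID].decode(),
    }
    if ACCT_SESSION_TIME in a:
        rec["session_time"] = struct.unpack("!I", a[ACCT_SESSION_TIME])[0]
    return rec
```

Because the authenticator covers the whole attribute list, an accounting record whose attributes were altered in transit, or that came from a NAS with the wrong shared secret, is discarded rather than logged; the comparison uses hmac.compare_digest so its timing does not depend on where the digests differ.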
TABLE 212 Output from the show dot1x command
This field...          Displays...
PAE Capability         The Port Access Entity (PAE) role for the Dell PowerConnect device. This is always “Authenticator Only”.
system-auth-control    Whether system authentication control is enabled on the device. The dot1x-enable command enables system authentication control on the device.
re-authentication      Whether periodic re-authentication is enabled on the device.
TABLE 213 Output from the show dot1x config command for an interface (Continued)
This field...              Displays...
AuthControlledPortStatus   The current status of the interface controlled port: either authorized or unauthorized.
multiple-hosts             Whether the port is configured to allow multiple Supplicants accessing the interface on the Dell PowerConnect device through a hub. Refer to “Allowing access to multiple hosts” on page 1242 for information on how to change this setting.
TABLE 214 Output from the show dot1x statistics command (Continued)
This field...                  Displays...
Last EAPOL Source              The source MAC address in the last EAPOL frame received on the port.
TX EAPOL Total                 The total number of EAPOL frames transmitted on the port.
TX EAP Req/Id                  The number of EAP-Request/Identity frames transmitted on the port.
TX EAP Req other than Req/Id   The number of EAP-Request frames transmitted on the port that were not EAP-Request/Identity frames.
PowerConnect#show interface e 12/2
FastEthernet12/2 is up, line protocol is up
Hardware is FastEthernet, address is 0204.80a0.4681 (bia 0204.80a0.
PowerConnect#show dot1x mac-address filter
Port 1/3 (User defined MAC Address Filter) :
mac filter 1 permit any any
Syntax: show dot1x mac-address-filter
To display the user-defined IP ACLs active on the device, enter the following command.
The all keyword displays all dynamically applied IP ACLs active on the device. Specify the variable in the following formats:
• PowerConnect B-Series FCX stackable switches –

Displaying the status of strict security mode

The output of the show dot1x and show dot1x config commands indicates whether strict security mode is enabled or disabled globally and on an interface.
• PowerConnect B-Series FCX stackable switches –

Displaying 802.1X multiple-host authentication information

You can display the following information about 802.1X multiple-host authentication:
• Information about the 802.1X multiple-host configuration
• The dot1x-mac-sessions on each port
• The number of users connected on each port in a 802.1X multiple-host configuration

Displaying 802.
The output of the show dot1x config command for an interface displays the configured port control for the interface. This command also displays information related to 802.1X multiple-host authentication. The following is an example of the output of the show dot1x config command for an interface.
Example
PowerConnect#show dot1x mac-session
Port  MAC/(username)         Vlan  Auth State  ACL   Age  PAE State
-----------------------------------------------------------------------------
1     0010.a498.24f7 :User   10    permit      none  S20  AUTHENTICATED
Syntax: show dot1x mac-session
Table 217 lists the new fields in the display.

TABLE 217 Output from the show dot1x mac-session command
This field...   Displays...
Port            The port on which the dot1x-mac-session exists.
(Remainder of the show dot1x mac-session brief output: rows for ports 1/1/7 through 1/1/16, each showing counters of 0 and flags of "no" in every column.)
Syntax: show dot1x mac-session brief
The following table describes the information displayed by the show dot1x mac-session brief command.

TABLE 218 Output from the show dot1x mac-session brief command
This field...   Displays...
Point-to-point configuration

Figure 158 illustrates a sample 802.1X configuration with Clients connected to three ports on the Dell PowerConnect device. In a point-to-point configuration, only one 802.1X Client can be connected to each port.

FIGURE 158 Sample point-to-point 802.1X configuration
(Figure: a RADIUS Server (Authentication Server) at 192.168.9.22, the Switch (Authenticator) with ports e2/1, e2/2 and e2/3, and Clients/Supplicants running 802.
Hub configuration

Figure 159 illustrates a configuration where three 802.1X-enabled Clients are connected to a hub, which is connected to a port on the Dell PowerConnect device. The configuration is similar to that in Figure 158, except that 802.1X port security is enabled on only one port, and the multiple-hosts command is used to allow multiple Clients on the port.

FIGURE 159 Sample 802.1X configuration using a hub
(Figure: a RADIUS Server (Authentication Server) at 192.168.9.
802.1X Authentication with dynamic VLAN assignment

Figure 160 illustrates 802.1X authentication with dynamic VLAN assignment. In this configuration, two user PCs are connected to a hub, which is connected to port e2. Port e2 is configured as a dual-mode port. Both PCs transmit untagged traffic. The profile for User 1 on the RADIUS server specifies that the User 1 PC should be dynamically assigned to VLAN 3.
!
interface ethernet 2
 dot1x port-control auto
 dual-mode
If User 1 is successfully authenticated before User 2, the PVID for port e2 would be changed from the default VLAN to VLAN 3. Had User 2 been the first to be successfully authenticated, the PVID would be changed to 20, and User 1 would not be able to gain access to the network.
Chapter 35 Using the MAC Port Security Feature

Table 219 lists the individual Dell PowerConnect switches and the MAC port security features they support.
Local and global resources

The MAC port security feature uses a concept of local and global “resources” to determine how many MAC addresses can be secured on each interface. In this context, a “resource” is the ability to store one secure MAC address entry. Each interface is allocated 64 local resources. Additional global resources are shared among all interfaces on the device.
Enabling the MAC port security feature

By default, the MAC port security feature is disabled on all interfaces. You can enable or disable the feature on all interfaces at once, or on individual interfaces. To enable the feature on all interfaces at once, enter the following commands.
PowerConnect(config)#port security
PowerConnect(config-port-security)#enable
To disable the feature on all interfaces at once, enter the following commands.
PowerConnect(config)#interface ethernet 7/11
PowerConnect(config-if-e1000-7/11)#port security
PowerConnect(config-port-security-e1000-7/11)#age 10
Syntax: [no] age
The variable specifies a range from 0 through 1440 minutes. The default is 0 (never age out secure MAC addresses).

Specifying secure MAC addresses

You can configure secure MAC addresses on tagged and untagged interfaces.
Syntax: [no] autosave
The variable can be from 15 through 1440 minutes. By default, secure MAC addresses are not autosaved to the startup-config file.

Specifying the action taken when a security violation occurs

A security violation can occur when a user tries to connect to a port where a MAC address is already locked, or the maximum number of secure MAC addresses has been exceeded.
Disabling the port for a specified amount of time

You can configure the device to disable the port for a specified amount of time when a security violation occurs. To shut down the port for 5 minutes when a security violation occurs, enter the following commands.
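The rules spread over the preceding sections (a per-port maximum, 64 local resources per interface backed by a shared global pool, the age timer, and the violation action of blocking traffic or shutting the port for a number of minutes) fit together as one small state machine. The following is an added example, not Dell code and not a description of the switch's implementation, that models that behaviour so the interaction of the settings can be exercised. The size of the global pool, the port names and the clock in minutes are assumptions of this example; the guide states only the 64 local resources per interface.

```python
"""Model of the MAC port security rules in this chapter (added example, not
Dell code). Tracks secure MACs per port, allocates local then global
resources, ages idle entries, and applies the violation action."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOCAL_RESOURCES_PER_PORT = 64   # from the guide
GLOBAL_POOL_SIZE = 2            # assumption; small so the pool runs dry here


@dataclass
class SecureEntry:
    resource: str       # "local" or "global"
    last_seen: int      # minutes on the caller's clock


@dataclass
class Port:
    maximum: int = 1            # "maximum" command
    age: int = 0                # minutes; 0 = never age out
    violation: str = "block"    # "block" or "shutdown"
    shutdown_minutes: int = 5
    shutdown_until: Optional[int] = None
    entries: Dict[str, SecureEntry] = field(default_factory=dict)
    violations: int = 0


class PortSecurity:
    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}
        self.global_used = 0
        self.owner: Dict[str, str] = {}   # secure MAC -> port that locked it

    def enable(self, port: str, **cfg) -> None:
        self.ports[port] = Port(**cfg)

    def _allocate(self, port: Port) -> Optional[str]:
        local = sum(1 for e in port.entries.values() if e.resource == "local")
        if local < LOCAL_RESOURCES_PER_PORT:
            return "local"
        if self.global_used < GLOBAL_POOL_SIZE:
            self.global_used += 1
            return "global"
        return None

    def _violate(self, port: Port, now: int) -> str:
        port.violations += 1
        if port.violation == "shutdown":
            port.shutdown_until = now + port.shutdown_minutes
        return "violation"

    def frame(self, name: str, mac: str, now: int) -> str:
        """Handle a frame from mac on port name: 'forward', 'blocked'
        (port shut down) or 'violation'."""
        port = self.ports[name]
        if port.shutdown_until is not None:
            if now < port.shutdown_until:
                return "blocked"
            port.shutdown_until = None          # timer expired, port re-enabled
        entry = port.entries.get(mac)
        if entry is not None:
            entry.last_seen = now
            return "forward"
        if self.owner.get(mac) not in (None, name):
            return self._violate(port, now)     # MAC already locked elsewhere
        if len(port.entries) >= port.maximum:
            return self._violate(port, now)     # maximum exceeded
        resource = self._allocate(port)
        if resource is None:
            return self._violate(port, now)     # no resource left
        port.entries[mac] = SecureEntry(resource, now)
        self.owner[mac] = name
        return "forward"

    def age_out(self, name: str, now: int) -> List[str]:
        """Remove secure MACs idle for at least the port's age timer."""
        port = self.ports[name]
        if port.age == 0:
            return []
        expired = [m for m, e in port.entries.items()
                   if now - e.last_seen >= port.age]
        for mac in expired:
            if port.entries.pop(mac).resource == "global":
                self.global_used -= 1
            self.owner.pop(mac, None)
        return expired
```

Running it shows why the age timer matters on hub-connected ports: with age 0 a secure entry is never released, so a replaced machine on the same port is a violation until an administrator clears the entry, whereas a non-zero age frees the slot on its own.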
• The port security settings for an individual port or for all the ports on a specified module
• The secure MAC addresses configured on the device
• Port security statistics for an interface or for a module

Displaying port security settings

You can display the port security settings for an individual port or for all the ports on a specified module. For example, to display the port security settings for port 7/11, enter the following command.
TABLE 221 Output from the show port security mac command (Continued)
This field...     Displays...
Secure-Src-Addr   The secure MAC address.
Resource          Whether the address was secured using a local or global resource. Refer to “Local and global resources” on page 1264 for more information.
Age-Left          The number of minutes the MAC address will remain secure.
TABLE 223 Output from the show port security statistics command
This field...          Displays...
Total ports            The number of ports on the module.
Total MAC address(es)  The total number of secure MAC addresses on the module.
Total violations       The number of security violations encountered on the module.
Total shutdown ports   The number of ports on the module shut down as a result of security violations.
Chapter 36 Configuring Multi-Device Port Authentication

Table 224 lists individual Dell PowerConnect switches and the Multi-device port authentication features they support.

TABLE 224 Supported Multi-device port authentication (MDPA) features
Feature                                                        PowerConnect B-Series FCX
Multi-Device Port Authentication                               Yes
Support for Multi-Device Port Authentication together with:
• Dynamic VLAN assignment                                      Yes
• Dynamic ACLs                                                 Yes
• 802.
How multi-device port authentication works

Multi-device port authentication is a way to configure a Dell PowerConnect device to forward or block traffic from a MAC address based on information received from a RADIUS server.
Supported RADIUS attributes

Dell PowerConnect devices support the following RADIUS attributes for multi-device port authentication:
• Username (1) – RFC 2865
• NAS-IP-Address (4) – RFC 2865
• NAS-Port (5) – RFC 2865
• Service-Type (6) – RFC 2865
• FilterId (11) – RFC 2865
• Framed-MTU (12) – RFC 2865
• State (24) – RFC 2865
• Vendor-Specific (26) – RFC 2865
• Session-Timeout (27) – RFC 2865
• Termination-Action (29) – RFC 2865
• Calling-Station
Support for source guard protection

The Dell proprietary Source Guard Protection feature, a form of IP Source Guard, can be used in conjunction with multi-device port authentication. For details, refer to “Enabling source guard protection” on page 1286.

Using multi-device port authentication and 802.1X security on the same port

On some Dell PowerConnect devices, multi-device port authentication and 802.
Configuring Dell-specific attributes on the RADIUS server

If the RADIUS authentication process is successful, the RADIUS server sends an Access-Accept message to the Dell PowerConnect device, authenticating the device. The Access-Accept message can include Vendor-Specific Attributes (VSAs) that specify additional information about the device. If you are configuring multi-device port authentication and 802.
Configuring multi-device port authentication

Configuring multi-device port authentication on the Dell PowerConnect device consists of the following tasks:
• Enabling multi-device port authentication globally and on individual interfaces
• Specifying the format of the MAC addresses sent to the RADIUS server (optional)
• Specifying the authentication-failure action (optional)
• Enabling and disabling SNMP traps for multi-device port authentic
You can also configure multi-device port authentication commands on a range of interfaces.
Example
PowerConnect(config)#int e 3/1 to 3/12
PowerConnect(config-mif-3/1-3/12)#mac-authentication enable

Specifying the format of the MAC addresses sent to the RADIUS server

When multi-device port authentication is configured, the Dell PowerConnect device authenticates MAC addresses by sending username and password information to a RADIUS server.
PowerConnect(config)#interface e 3/1
PowerConnect(config-if-e1000-3/1)#mac-authentication auth-fail-action block-traffic
Syntax: [no] mac-authentication auth-fail-action block-traffic
Dropping traffic from non-authenticated MAC addresses is the default behavior when multi-device port authentication is enabled.

Generating traps for multi-device port authentication

You can enable and disable SNMP traps for multi-device port authentication.
If one of the attributes in the Access-Accept message specifies one or more VLAN identifiers, and the VLAN is available on the Dell PowerConnect device, the port is moved from its default VLAN to the specified VLAN. To enable dynamic VLAN assignment for authenticated MAC addresses, you must add attributes to the profile for the MAC address on the RADIUS server, then enable dynamic VLAN assignment on multi-device port authentication-enabled interfaces.
• If an untagged port had previously been assigned to a VLAN through dynamic VLAN assignment, and then another MAC address is authenticated on the same port, but the RADIUS Access-Accept message for the second MAC address specifies a different VLAN, then it is considered an authentication failure for the second MAC address, and the configured authentication failure action is performed.
You can optionally specify an alternate VLAN to which to move the port when the MAC session for the address is deleted. For example, to place the port in the restricted VLAN, enter commands such as the following.
The dynamic IP ACL is active as long as the client is connected to the network. When the client disconnects from the network, the IP ACL is no longer applied to the port. If an IP ACL had been applied to the port prior to multi-device port authentication, it will be re-applied to the port.

NOTE
A dynamic IP ACL will take precedence over an IP ACL that is bound to a port (port ACL).
• The dynamic ACL must be an extended ACL. Standard ACLs are not supported.
• Multi-device port authentication and 802.1X can be used together on the same port. However, Dell does not recommend the use of multi-device port authentication and 802.1X with dynamic ACLs together on the same port. If a single supplicant requires both 802.1X and multi-device port authentication, and if both 802.
Enabling source guard protection

Source Guard Protection is a form of IP Source Guard used in conjunction with multi-device port authentication. When Source Guard Protection is enabled, IP traffic is blocked until the system learns the IP address. Once the IP address is validated, traffic with that source address is permitted.
PowerConnect(config)#show auth-mac-addresses authorized-mac ip-addr
-------------------------------------------------------------------------------
MAC Address     SourceIp    Port  Vlan  Auth  Age  ACL  dot1x
-------------------------------------------------------------------------------
00A1.0010.2000  200.1.17.5  6/12  171   Yes   Dis  SG   Ena
00A1.0010.2001  200.1.17.
Disabling aging for authenticated MAC addresses

MAC addresses that have been authenticated or denied by a RADIUS server are aged out if no traffic is received from the MAC address for a certain period of time:
• Authenticated MAC addresses or non-authenticated MAC addresses that have been placed in the restricted VLAN are aged out if no traffic is received from the MAC address over the device's normal MAC aging interval.
Aging of the Layer 2 hardware entry for a blocked MAC address occurs in two phases, known as hardware aging and software aging. On PowerConnect devices, the hardware aging period for blocked MAC addresses is fixed at 70 seconds and is non-configurable. (The hardware aging time for non-blocked MAC addresses is the length of time specified with the mac-age command.
You can better control port behavior when a RADIUS timeout occurs by configuring a port on the Dell PowerConnect device to automatically pass or fail user authentication. A pass essentially bypasses the authentication process and permits user access to the network.
Multi-device port authentication password override

The multi-device port authentication feature communicates with the RADIUS server to authenticate a newly found MAC address. The RADIUS server is configured with the usernames and passwords of authenticated users.
Displaying authenticated MAC address information

To display information about authenticated MAC addresses on the ports where the multi-device port authentication feature is enabled, enter the following command.
TABLE 227 Output from the show authenticated-mac-address configuration command
This field...             Displays...
Feature enabled           Whether multi-device port authentication is enabled on the Dell PowerConnect device.
Number of Ports enabled   The number of ports on which the multi-device port authentication feature is enabled.
Port                      Information for each multi-device port authentication-enabled port.
TABLE 228 Output from the show authenticated-mac-address command (Continued)
This field...   Displays...
Time            The time at which the MAC address was authenticated. If the clock is set on the Dell PowerConnect device, then the actual date and time are displayed. If the clock has not been set, then the time is displayed relative to when the device was last restarted.

Displaying multi-device port authentication information for a port

To display a summary of Multi-Device Port Authentication for ports on a device, enter the following command.
PowerConnect#show auth-mac-addresses ethernet 18/1
-------------------------------------------------------------------------------
MAC Address     Port  Vlan  Authenticated  Time  Age  Dot1x
-------------------------------------------------------------------------------
000f.ed00.
Omitting the ethernet parameter displays information for all interfaces where the multi-device port authentication feature is enabled.
PowerConnect#show auth-mac-addresses detailed ethernet 15/23
Port                      : 15/23
Dynamic-Vlan Assignment   : Enabled
RADIUS failure action     : Block Traffic
Failure restrict use dot1x: No
Override-restrict-vlan    : Yes
Port Default VLAN         : 101 ( RADIUS assigned: No) (101)
Port Vlan State           : DEFAULT
802.
TABLE 230 Output from the show auth-mac-addresses detailed command (Continued)
This field...                  Displays...
Port Default Vlan              The VLAN to which the port is assigned, and whether the port had been dynamically assigned to the VLAN by a RADIUS server.
Port VLAN state                Indicates the state of the port VLAN. The State can be one of the following: “Default”, “RADIUS Assigned” or “Restricted”.
802.1X override Dynamic PVID   Indicates if 802.
TABLE 230 Output from the show auth-mac-addresses detailed command (Continued)
This field...   Displays...
MAC Address     The MAC addresses learned on the port. If the packet for which multi-device port authentication was performed also contained an IP address, then the IP address is displayed as well.
RADIUS Server   The IP address of the RADIUS server used for authenticating the MAC addresses.
PowerConnect#show table allowed-mac
-------------------------------------------------------------------------------
MAC Address     Port    Vlan  Authenticated  Time          Age  dot1x
-------------------------------------------------------------------------------
0000.0010.100a  1/1/1   2     Yes            00d00h30m57s  Ena  Dis
0000.0010.100b  1/1/1   2     Yes            00d00h31m00s  Ena  Dis
0000.0010.1002  2/1/48  2     Yes            00d00h30m57s  Ena  Dis
0000.0010.1003  2/1/48  2     Yes            00d00h30m57s  Ena  Dis
0000.0010.
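An operator checking a deployment usually collects the table above, and the earlier show auth-mac-addresses authorized-mac ip-addr output, from many switches and looks for two things: MACs that never reached the authenticated state (still in the restricted VLAN) and ports carrying more MACs than the number of devices expected behind them. The following is an added example, not Dell code and not part of this guide, that parses both table layouts by reading the column names from the header line and produces those two findings. The sample outputs are constructed to match the rows shown in the guide; the row with Authenticated = No (VLAN 1023, the restricted VLAN used in the example configurations) and the second IP address in the ip-addr sample are additions made here so that the checks have something to find.

```python
"""Audit helper over show table allowed-mac / show auth-mac-addresses output.

Added example, not Dell code. Column names are taken from the header line,
so the same parser handles both layouts and a re-ordered column in a later
release does not silently shift fields."""
import re
from typing import Dict, List

# Constructed sample modelled on the guide's output; the last row is added.
SAMPLE_OUTPUT = """\
PowerConnect#show table allowed-mac
-------------------------------------------------------------------------------
MAC Address     Port    Vlan  Authenticated  Time          Age  dot1x
-------------------------------------------------------------------------------
0000.0010.100a  1/1/1   2     Yes            00d00h30m57s  Ena  Dis
0000.0010.100b  1/1/1   2     Yes            00d00h31m00s  Ena  Dis
0000.0010.1002  2/1/48  2     Yes            00d00h30m57s  Ena  Dis
0000.0010.1003  2/1/48  2     Yes            00d00h30m57s  Ena  Dis
0000.0010.1004  2/1/48  1023  No             00d00h00m12s  Ena  Dis
"""

# Constructed sample of the ip-addr form; the second row's IP is made up.
SAMPLE_IP_OUTPUT = """\
PowerConnect(config)#show auth-mac-addresses authorized-mac ip-addr
-------------------------------------------------------------------------------
MAC Address     SourceIp    Port  Vlan  Auth  Age  ACL  dot1x
-------------------------------------------------------------------------------
00A1.0010.2000  200.1.17.5  6/12  171   Yes   Dis  SG   Ena
00A1.0010.2001  200.1.17.6  6/12  171   Yes   Dis  SG   Ena
"""

_MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")
_TIME_RE = re.compile(r"^(\d+)d(\d+)h(\d+)m(\d+)s$")


def time_to_seconds(text: str) -> int:
    """'00d00h30m57s' -> 1857 seconds."""
    m = _TIME_RE.match(text)
    if not m:
        raise ValueError("unrecognised time field: %r" % text)
    d, h, mi, s = (int(x) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def parse_mac_table(output: str) -> List[Dict[str, str]]:
    """Rows of the dashed table as dicts keyed by the header's column names."""
    lines = [ln.rstrip() for ln in output.splitlines()]
    header = next((ln for ln in lines if ln.startswith("MAC Address")), None)
    if header is None:
        raise ValueError("header line not found")
    columns = re.split(r"\s{2,}", header.strip())
    rows = []
    for ln in lines:
        fields = ln.split()
        # Only lines with one token per column and a MAC in the first column
        # are data rows; the prompt, the dashes and the header are skipped.
        if len(fields) != len(columns) or not _MAC_RE.match(fields[0]):
            continue
        rows.append(dict(zip(columns, fields)))
    return rows


def audit(rows: List[Dict[str, str]], max_per_port: int = 2) -> Dict[str, object]:
    """MACs not authenticated, and ports with more MACs than max_per_port."""
    per_port: Dict[str, int] = {}
    unauthenticated: List[str] = []
    for r in rows:
        per_port[r["Port"]] = per_port.get(r["Port"], 0) + 1
        status = r.get("Authenticated", r.get("Auth", ""))
        if status != "Yes":
            unauthenticated.append(r["MAC Address"])
    crowded = {p: n for p, n in per_port.items() if n > max_per_port}
    return {"unauthenticated": unauthenticated, "crowded_ports": crowded}
```

The per-port threshold is the operator's expectation for that port (one device on an access port, a handful behind an IP phone or hub); a count above it is worth a look because it is exactly the condition under which a second, unexpected device can share the port's authenticated VLAN.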
Multi-device port authentication with dynamic VLAN assignment

Figure 162 illustrates multi-device port authentication with dynamic VLAN assignment on a Dell PowerConnect device. In this configuration, a PC and an IP phone are connected to a hub, which is connected to port e1 on a Dell PowerConnect device.
The mac-authentication disable-ingress-filtering command enables tagged packets on the port, even if the port is not a member of the VLAN. If this feature is not enabled, authentication works as in “Example 2”.

Example 2

Figure 162 illustrates multi-device port authentication with dynamic VLAN assignment on a Dell PowerConnect device. In this configuration, a PC and an IP phone are connected to a hub, which is connected to port e1 on a Dell PowerConnect device.
The part of the running-config related to multi-device port authentication would be as follows.
mac-authentication enable
mac-authentication auth-fail-vlan-id 1023
interface ethernet 1
 mac-authentication enable
 mac-authentication auth-fail-action restrict-vlan
 mac-authentication enable-dynamic-vlan
 dual-mode

Examples of multi-device port authentication and 802.
Example configurations 36

FIGURE 163 Using multi-device port authentication and 802.1X authentication on the same port

(Figure content recovered from the extracted labels.) RADIUS server profiles:
• User 0050.048e.86ac (IP phone): Foundry-802_1x-enable = 0, Tunnel-Private-Group-ID = T:IP-Phone-VLAN
• User 0002.3f7f.2e0a (PC): Foundry-802_1x-enable = 1, Tunnel-Private-Group-ID = U:Login-VLAN
• User 1: Tunnel-Private-Group-ID = U:IP-User-VLAN
Topology: switch port e1/3 (dual mode) connects to a hub; the PC (MAC 0002.3f7f.2e0a) sends untagged traffic and the IP phone sends tagged traffic (MAC 0050.048e.
36 Example configurations When the PC is authenticated using multi-device port authentication, the port PVID is changed to “Login-VLAN”, which is VLAN 1024 in this example. When User 1 is authenticated using 802.1X authentication, the port PVID is changed to “User-VLAN”, which is VLAN 3 in this example. Example 2 The configuration in Figure 164 requires that you create a profile on the RADIUS server for each MAC address to which a device or user can connect to the network.
Example configurations 36 Since there is no profile for the PC MAC address on the RADIUS server, multi-device port authentication for this MAC address fails. Ordinarily, this would mean that the PVID for the port would be changed to that of the restricted VLAN, or traffic from this MAC would be blocked in hardware. However, the device is configured to perform 802.
Chapter 37 Configuring Web Authentication

Table 231 lists individual Dell PowerConnect switches and the Web Authentication features they support.
37 Configuration considerations While a MAC address is in the authenticated state, the host can forward data through the PowerConnect switch. The MAC address remains authenticated until one of the following events occurs: • The host MAC address is removed from a list of MAC addresses that are automatically authenticated. (Refer to “Specifying hosts that are permanently authenticated” on page 1321).
Configuration tasks 37

• Each Web Authentication VLAN must have a virtual interface (VE).
• The VE must have at least one assigned IPv4 address.
Web Authentication is enabled on a VLAN. That VLAN becomes a Web Authentication VLAN that does the following:
• Forwards traffic from authenticated hosts, just like a regular VLAN.
• Blocks traffic from unauthenticated hosts, except for the ARP, DHCP, DNS, HTTP, and HTTPS traffic required to perform Web Authentication.
37 Configuration tasks

• On a Layer 3 PowerConnect switch, assign an IP address to a virtual interface (VE) for each VLAN on which Web Authentication will be enabled.
PowerConnect#configure terminal
PowerConnect(config)#vlan 10
PowerConnect(config-vlan-10)#router-interface ve1
PowerConnect(config-vlan-10)#untagged e 1/1/1 to 1/1/10
PowerConnect(config-vlan-10)#interface ve1
PowerConnect(config-vif-1)#ip address 1.1.2.1/24
2.
Enabling and disabling web authentication 37 Once enabled, the CLI changes to the "webauth" configuration level. In the example above, VLAN 10 will require hosts to be authenticated using Web Authentication before they can forward traffic. 6. Configure the Web Authentication mode: • Username and password – Blocks users from accessing the switch until they enter a valid username and password on a web login page.
37 Configuring the web authentication mode Using local user databases Web Authentication supports the use of local user databases consisting of usernames and passwords, to authenticate devices. Users are blocked from accessing the switch until they enter a valid username and password on a web login page.
Configuring the web authentication mode 37

The first command changes the configuration level to the local user database level for userdb1. If the database does not already exist, it is created. The second command adds the user record marcia to the userdb1 database.
Syntax: username <username> password <password>
For <username>, enter up to 31 ASCII characters. For <password>, enter up to 29 ASCII characters. You can add up to 30 usernames and passwords to a local user database.
37 Configuring the web authentication mode

For each password in the file, enter up to 29 ASCII characters. Be sure to insert a carriage return after each user record. You can enter up to 30 user records per text file.

Importing a text file of user records from a TFTP server
NOTE
Before importing the file, make sure it adheres to the ASCII text format described in the previous section, “Creating a text file of user records” on page 1313.
Configuring the web authentication mode 37 PowerConnect(config-vlan-10-webauth)#auth-mode username-password auth-methods local Syntax: auth-mode username-password auth-methods local To revert back to using the RADIUS server, enter the following command.
37 Configuring the web authentication mode

Configuration steps
Follow the steps given below to configure the device to use the passcode authentication mode.
1. Optionally create up to four static passcodes.
2. Enable passcode authentication.
3.
Configuring the web authentication mode 37

The next dynamically-created passcode will be 10 digits in length, for example, 0123456789.
Syntax: auth-mode passcode length <length>
For <length>, enter a number from 4 to 16.

Configuring the passcode refresh method
Passcode authentication supports two passcode refresh methods:
• Duration of time – By default, dynamically-created passcodes are refreshed every 1440 minutes (24 hours). When refreshed, a new passcode is generated and the old passcode expires.
37 Configuring the web authentication mode

To configure the switch to refresh passcodes at a certain time of day, enter commands such as the following.
PowerConnect(config-vlan-10-webauth)#auth-mode passcode refresh-type time 6:00
PowerConnect(config-vlan-10-webauth)#auth-mode passcode refresh-type time 14:30
The passcode will be refreshed at 6:00am, 2:30pm, and 0:00 (12 midnight).
Syntax: [no] auth-mode passcode refresh-type time <hh:mm>
<hh:mm> is the hour and minutes.
Configuring the web authentication mode 37

Syntax: auth-mode passcode flush-expired

Disabling and re-enabling passcode logging
The software generates a Syslog message and an SNMP trap message every time a new passcode is generated and every time passcode authentication is attempted. This is the default behavior. If desired, you can disable passcode-related Syslog messages or SNMP trap messages, or both. The following shows an example Syslog message and SNMP trap message related to passcode authentication.
37 Configuring web authentication options Using automatic authentication By default, if Web Authentication is enabled, hosts need to login and enter authentication credentials in order to gain access to the network. If a re-authentication period is configured, the host will be asked to re-enter authentication credentials once the re-authentication period ends. You can configure Web Authentication to authenticate a host when the user presses the ’Login’ button.
Configuring web authentication options 37 Syntax: [no] accounting Enter the no accounting command to disable RADIUS accounting for Web Authentication. Changing the login mode (HTTPS or HTTP) Web Authentication can be configured to use secure (HTTPS) or non-secure (HTTP) login and logout pages. By default, HTTPS is used. Figure 167 shows an example Login page. To change the login mode to non-secure (HTTP), enter the following command.
37 Configuring web authentication options

Instead of entering only a duration for how long the MAC address remains authenticated, you can also specify the port on which the MAC address is added; that port must be a member of the Web Authentication VLAN. To do this, use the ethernet and duration options together, entering the port number and the number of seconds the MAC address remains authenticated.
Configuring web authentication options 37 Enter a number from 0 to 64, where 0 means there is no limit to the number of Web Authentication attempts. The default is 5. Clearing authenticated hosts from the web authentication table Use the following commands to clear dynamically-authenticated hosts from the Web Authentication table. To clear all authenticated hosts in a Web authentication VLAN, enter a command such as the following.
37 Configuring web authentication options Enter 0 – 128000 for . The default is the current value of block duration command. Entering a value of "0" means the MAC address is blocked permanently. Entering no block mac duration resets duration to its default value. You can unblock a host by entering the no block mac command.
Configuring web authentication options 37 PowerConnect(config-vlan-10-webauth)#port-down-auth-mac-cleanup Syntax: [no] port-down-auth-mac-cleanup While this command is enabled, the device checks the link state of all ports that are members of the Web Authentication VLAN. If the state of all the ports is down, then the device forces all authenticated hosts to re-authenticate.
37 Configuring web authentication options For , enter up to 64 alphanumeric characters. You can enter any value for , but entering the name on the security certificate prevents the display of error messages saying that the security certificate does not match the name of the site.
Configuring web authentication options 37 FIGURE 167 Example of a login page when automatic authentication is disabled and local user database is enabled The user enters a user name and password, which are then sent for authentication. If passcode authentication is enabled, the following Login page appears. FIGURE 168 Example of a login page when automatic authentication is disabled and passcode Authentication is Enabled The user enters a passcode, which is then sent for authentication.
37 Configuring web authentication options FIGURE 169 Example of a try again page If the limit for the number of authenticated users on the network is exceeded, the Maximum Host Limit page is displayed (Figure 170). FIGURE 170 Example of a maximum Host limit page If the number of Web Authentication attempts by a user has been exceeded, the Maximum Attempts Limit page is displayed (Figure 171).
Configuring web authentication options 37 FIGURE 172 Example of a web authentication success page Once a host is authenticated, that host can manually de-authenticate by clicking the ’Logout’ button in the Login Success page. The host remains logged in until the re-authentication period expires. At that time, the host is automatically logged out. However, if a re-authentication period is not configured, then the host remains logged in indefinitely.
37 Configuring web authentication options

PowerConnect#show webauth vlan 25 webpage
=================================
Web Page Customizations (VLAN 25):
   Top (Header): Default Text
      "Welcome to Brocade Communications, Inc. Web Authentication Homepage"
   Bottom (Footer): Custom Text
      "Copyright 2009 SNL"
   Title: Default Text
      "Web Authentication"
   Login Button: Custom Text
      "Sign On"
   Web Page Logo: blogo.gif
      align: left (Default)
   Web Page Terms and Conditions: policy1.

Configuring web authentication options 37

FIGURE 173 Objects in the web authentication pages that can be customized

(Figure labels: Title bar, Logo, Header, Text box, Login button, Footer.)

Customizing the title bar
You can customize the title bar that appears on all Web Authentication pages (refer to Figure 173). To do so, enter a command such as the following.
37 Configuring web authentication options NOTE This command downloads the image file and stores it in the device flash memory. Therefore, it is not necessary to follow this command with a write memory. The parameter specifies the address of the TFTP server on which the image file resides. The parameter specifies the name of the image file on the TFTP server. Use the no webpage logo command to delete the logo from all Web Authentication pages and remove it from flash memory.
Displaying web authentication information 37 The parameter is the name of the text file on the TFTP server. To revert back to the default text box (none), enter the command no webpage terms. Customizing the login button You can customize the Login button that appears on the bottom of the Web Authentication Login page (refer to Figure 173). To do so, enter a command such as the following.
37 Displaying web authentication information

   authentication mode: username and password (Default)
   authentication methods: radius
   Local user database name:
   Radius accounting: Enable (Default)
   Trusted port list: None
   Secure Login (HTTPS): Enable (Default)
   Web Page Customizations:
      Top (Header): Default Text
      Bottom (Footer): Custom Text
         "SNL Copyright 2009"
      Title: Default Text
      Login Button: Custom Text
         "Sign On"
      Web Page Logo: blogo.gif
         align: left (Default)
      Web Page Terms and Conditions: policy1.
Displaying web authentication information 37

This field...             Displays...
Secure login (HTTPS)      Whether HTTPS is enabled or disabled.
Web Page Customizations   The current configuration for the text that appears on the Web Authentication pages. Either "Custom Text" or "Default Text" is displayed for each page type:
                          • "Custom Text" means the message for the page has been customized. The custom text is also displayed.
                          • "Default Text" means the default message that ships with the PowerConnect switch is used.
37 Displaying web authentication information Displaying a list of hosts attempting to authenticate Enter the following command to display a list of hosts that are trying to authenticate.
Displaying web authentication information 37

This field...                   Displays...
VLAN #: Web Authentication      The ID of the VLAN on which Web Authentication is enabled.
Web Block List
   MAC Address                  The MAC addresses that have been blocked from Web Authentication.
   User Name                    The user name associated with the MAC address.
   Configuration Static/Dynamic Whether the MAC address was blocked statically or dynamically. The block mac command statically blocks MAC addresses.
37 Displaying web authentication information Syntax: show local-userdb Displaying passcodes If the passcode Web authentication mode is enabled, you can use the following command to display current passcodes.
Chapter 38 Protecting Against Denial of Service Attacks

Table 232 lists individual Dell PowerConnect switches and the DoS protection features they support.

TABLE 232 Supported DoS protection features
Feature                                  PowerConnect B-Series FCX
Smurf attack (ICMP attack) protection    Yes
TCP SYN attack protection                Yes

This chapter explains how to protect your Dell PowerConnect devices from Denial of Service (DoS) attacks.
38 Protecting against Smurf attacks For each ICMP echo request packet sent by the attacker, a number of ICMP replies equal to the number of hosts on the intermediary network are sent to the victim. If the attacker generates a large volume of ICMP echo request packets, and the intermediary network contains a large number of hosts, the victim can be overwhelmed with ICMP replies.
Protecting against TCP SYN attacks 38

The burst-max parameter can be from 1 through 100,000 packets per second. The lockup parameter can be from 1 through 10,000 seconds. This command is supported on Ethernet and Layer 3 interfaces. The number of incoming ICMP packets per second is measured and compared to the threshold values as follows:
• If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.
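The following is an added example (not Dell or Brocade code) that simulates the three-threshold scheme described above so the interaction of burst-normal, burst-max and lockup can be seen on constructed traffic. It assumes the lockup behaviour that the parameter description implies and that the excerpt's bullet list truncates: a one-second window that exceeds burst-max blocks all packets on the interface for lockup seconds. The same model applies to the TCP SYN protection, which takes the same parameters.

```python
"""Simulation of the burst-normal / burst-max / lockup thresholds.

Added example, not Dell or Brocade code. Packets above burst-normal in a
one-second window are dropped; a window that exceeds burst-max locks the
interface for `lockup` seconds (assumption: this is the rule the guide's
truncated bullet list states for burst-max).
"""
from dataclasses import dataclass


@dataclass
class BurstLimiter:
    burst_normal: int        # packets/second forwarded without any drops
    burst_max: int           # packets/second above which the interface locks up
    lockup: int              # seconds of total blocking after a burst_max violation
    window_start: int = -1   # second whose packets are currently being counted
    count: int = 0           # packets seen in the current one-second window
    locked_until: int = -1   # absolute second at which blocking ends
    drop_count: int = 0      # packets dropped for exceeding burst_normal
    block_count: int = 0     # packets dropped while locked (or when triggering the lock)

    def __post_init__(self) -> None:
        # Ranges the guide gives for the CLI parameters.
        if not 1 <= self.burst_max <= 100_000:
            raise ValueError("burst-max must be 1..100000 packets per second")
        if not 1 <= self.lockup <= 10_000:
            raise ValueError("lockup must be 1..10000 seconds")
        if self.burst_normal > self.burst_max:
            raise ValueError("burst-normal must not exceed burst-max")

    def offer(self, t: int) -> bool:
        """Account for one packet arriving in second t; True means it is forwarded."""
        if t < self.locked_until:
            self.block_count += 1
            return False
        if t != self.window_start:            # new one-second measurement window
            self.window_start, self.count = t, 0
        self.count += 1
        if self.count > self.burst_max:       # attack-level burst: lock the interface
            self.locked_until = t + self.lockup
            self.block_count += 1
            return False
        if self.count > self.burst_normal:    # excess over the normal rate: drop it
            self.drop_count += 1
            return False
        return True


def simulate(limiter: BurstLimiter, arrivals: list[tuple[int, int]]) -> dict[int, int]:
    """arrivals: (second, packets_in_that_second) pairs in time order.

    Returns the number of packets forwarded in each second.
    """
    forwarded: dict[int, int] = {}
    for t, n in arrivals:
        forwarded[t] = sum(1 for _ in range(n) if limiter.offer(t))
    return forwarded


if __name__ == "__main__":
    # Constructed traffic: a modest burst at t=0, then an attack-sized burst at t=1.
    lim = BurstLimiter(burst_normal=5, burst_max=10, lockup=3)
    print(simulate(lim, [(0, 7), (1, 12), (2, 3), (3, 3), (4, 3)]))
    print("dropped", lim.drop_count, "blocked", lim.block_count)
```

With burst-normal 5, burst-max 10 and lockup 3, the 12-packet second locks the interface through seconds 1 to 3; legitimate traffic in seconds 2 and 3 is collateral, which is why burst-max should be set well above the busiest legitimate rate.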
38 Protecting against TCP SYN attacks

For Layer 3 router code, if the interface is part of a VLAN that has a router VE, you must configure TCP/SYN attack protection at the VE level. Otherwise, you can configure this feature at the interface level as shown in the previous example. When TCP/SYN attack protection is configured at the VE level, it applies to routed traffic only. It does not affect switched traffic.
Protecting against TCP SYN attacks 38

• Blind TCP reset attack using the synchronization (SYN) bit
• Blind TCP packet injection attack
The TCP security enhancement is automatically enabled.

Protecting against a blind TCP reset attack using the RST bit
In a blind TCP reset attack using the RST bit, a perpetrator who is not on the path of an active TCP session sends segments with the RST bit set, guessing the port numbers and a sequence number that falls within the receiver's window, in order to terminate the session prematurely.
38 Protecting against TCP SYN attacks

PowerConnect#show statistics dos-attack
---------------------------- Local Attack Statistics --------------------------
ICMP Drop Count  ICMP Block Count  SYN Drop Count  SYN Block Count
--------------------------------------------------------------------------------
0                0                 0               0
--------------------------- Transit Attack Statistics -------------------------
Port   ICMP Drop Count  ICMP Block Count  SYN Drop Count  SYN Block Count
-----  ---------------  ----------------  --------------  ---------------
3/11   0                0                 0               0

Syn
Chapter 39 Inspecting and Tracking DHCP Packets

Table 233 lists individual Dell PowerConnect switches and the DHCP packet inspection and tracking features they support.
39 Dynamic ARP inspection How DAI works DAI allows only valid ARP requests and responses to be forwarded.
Dynamic ARP inspection 39

• DHCP-Snooping ARP – information collected from snooping DHCP packets when DHCP snooping is enabled on VLANs.
The status of an ARP entry is either pending or valid:
• Valid – the mapping is valid, and the port is resolved. This is always the case for static ARP entries.
• Pending – for normal dynamic and inspection ARP entries before they are resolved and the port mapped. Their status changes to valid when they are resolved and the port mapped.
39 Dynamic ARP inspection

Feature                    Default
Dynamic ARP Inspection     Disabled
Trust setting for ports    Untrusted

Configuring an inspection ARP entry
Static ARP and static inspection ARP entries need to be configured for hosts on untrusted ports. Otherwise, when DAI checks ARP packets from these hosts against entries in the ARP table, it will not find any entries for them, and the Dell PowerConnect device will not allow or learn ARP from an untrusted host.
DHCP snooping 39

Displaying ARP inspection status and ports
To display the ARP inspection status for a VLAN and the trusted/untrusted ports, enter the following command.

PowerConnect#show ip arp inspection vlan 2
IP ARP inspection VLAN 2: Disabled
   Trusted Ports   : ethe 1/4
   Untrusted Ports : ethe 2/1 to 2/3 ethe 4/1 to 4/24 ethe 6/1 to 6/4 ethe 8/1 to 8/4

Syntax: show ip arp inspection [vlan <vlan-id>]
The <vlan-id> variable specifies the ID of a configured VLAN.
39 DHCP snooping How DHCP snooping works When enabled on a VLAN, DHCP snooping stands between untrusted ports (those connected to host ports) and trusted ports (those connected to DHCP servers).
DHCP snooping 39 About client IP-to-MAC address mappings Client IP addresses need not be on directly-connected networks, as long as the client MAC address is learned on the client port and the client port is in the same VLAN as the DHCP server port. In this case, the system will learn the client IP-to-MAC port mapping. Therefore, a VLAN with DHCP snooping enabled does not require a VE interface.
39 DHCP snooping

1. Enable DHCP snooping on a VLAN. Refer to “Enabling DHCP snooping on a VLAN” on page 1352.
2. For ports that are connected to a DHCP server, change their trust setting to trusted. Refer to “Enabling trust on a port” on page 1352.

The following shows the default settings of DHCP snooping.

Feature                    Default
DHCP snooping              Disabled
Trust setting for ports    Untrusted

Enabling DHCP snooping on a VLAN
When DHCP snooping is enabled on a VLAN, DHCP packets are inspected.
DHCP snooping 39

To remove all entries from the DHCP binding database, enter the following command.
PowerConnect#clear dhcp
To clear entries for a specific IP address, enter a command such as the following.
PowerConnect#clear dhcp 10.10.102.4
Syntax: clear dhcp [<ip-address>]

Displaying DHCP snooping status and ports
To display the DHCP snooping status for a VLAN and the trusted/untrusted ports, use the show ip dhcp snooping vlan command.
39 DHCP relay agent information (DHCP Option 82)

PowerConnect(config)#vlan 2
PowerConnect(config-vlan-2)#untagged ethe 1/3 to 1/4
PowerConnect(config-vlan-2)#router-interface ve 2
PowerConnect(config-vlan-2)#exit
PowerConnect(config)#ip dhcp snooping vlan 2
PowerConnect(config)#vlan 20
PowerConnect(config-vlan-20)#untagged ethe 1/1 to 1/2
PowerConnect(config-vlan-20)#router-interface ve 20
PowerConnect(config-vlan-20)#exit
PowerConnect(config)#ip dhcp snooping vlan 20

On VLAN 2, client ports 1/3 and 1/4
DHCP relay agent information (DHCP Option 82) 39 As illustrated in Figure 178, the DHCP relay agent (the PowerConnect switch), inserts DHCP option 82 attributes when relaying a DHCP request packet to a DHCP server.
39 DHCP relay agent information (DHCP Option 82) Sub-option 1 – circuit id The Circuit ID (CID) identifies the circuit or port from which a DHCP client request was sent. The PowerConnect switch uses this information to relay DHCP responses back to the proper circuit, for example, the port number on which the DHCP client request packet was received. Dell PowerConnect devices support the General CID packet format.
DHCP relay agent information (DHCP Option 82) 39

Configuring DHCP option 82
When DHCP snooping is enabled on a VLAN, DHCP option 82 is also enabled by default. You do not need to perform any extra configuration steps to enable this feature. To enable DHCP snooping, refer to “Enabling DHCP snooping on a VLAN” on page 1352.
39 DHCP relay agent information (DHCP Option 82) Changing the forwarding policy When the Dell PowerConnect device receives a DHCP message that contains relay agent information, by default, the device replaces the information with its own relay agent information. If desired, you can configure the device to keep the information instead of replacing it, or to drop (discard) messages that contain relay agent information. To do so, use the CLI commands in this section.
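The following is an added example (not Dell or Brocade code) covering both the option 82 encoding described under sub-option 1 above and the replace/keep/drop forwarding policy described here. It encodes and parses the relay agent information option with sub-option 1 (Agent Circuit ID) and sub-option 2 (Agent Remote ID) per RFC 3046, then applies the policy to a client request that already carries relay agent information. The circuit-ID and remote-ID byte strings are constructed for the example and are not the switch's General CID format.

```python
"""DHCP relay agent information option (option 82) and relay forwarding policy.

Added example, not Dell or Brocade code. Sub-option codes follow RFC 3046;
the policy names follow the guide (replace is the default). The circuit-ID
and remote-ID values used in the demo are constructed, not the switch format.
"""
from typing import Optional

OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2

# A DHCP option list is modelled as (code, value-bytes) pairs already split
# out of the packet; the option 82 value is the sequence of sub-option TLVs.
Options = list[tuple[int, bytes]]


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Return the option 82 value: sub-option 1 and 2 TLVs (no outer code/length)."""
    for v in (circuit_id, remote_id):
        if not 1 <= len(v) <= 255:
            raise ValueError("sub-option values must be 1..255 bytes")
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(value: bytes) -> dict[int, bytes]:
    """Parse sub-option TLVs; rejects truncated or duplicated sub-options."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option length exceeds option")
        if code in out:
            raise ValueError(f"duplicate sub-option {code}")
        out[code] = data
        i += 2 + length
    return out


def relay(options: Options, policy: str, circuit_id: bytes, remote_id: bytes) -> Optional[Options]:
    """Apply the forwarding policy to a client request; return the options to send on.

    policy: "replace" (the switch default), "keep", or "drop".
    Returns None when the request must be discarded.
    """
    if policy not in ("replace", "keep", "drop"):
        raise ValueError(f"unknown policy {policy!r}")
    own = (OPTION_RELAY_AGENT, build_option82(circuit_id, remote_id))
    has_agent_info = any(code == OPTION_RELAY_AGENT for code, _ in options)
    if not has_agent_info:
        return options + [own]                 # no relay info yet: always insert ours
    if policy == "drop":
        return None
    if policy == "keep":
        return list(options)                   # forward the existing information untouched
    return [o for o in options if o[0] != OPTION_RELAY_AGENT] + [own]


if __name__ == "__main__":
    # Constructed request carrying a foreign option 82 (e.g. from a downstream relay).
    request: Options = [(53, b"\x01"), (82, b"\x01\x03old")]
    for pol in ("replace", "keep", "drop"):
        print(pol, relay(request, pol, b"e1/3", b"\x00\xe0\x52\x00\x00\x02"))
```

The security point of the default policy is visible in the replace branch: relay agent information supplied by a client (or an untrusted downstream relay) is discarded and replaced by the switch's own port identity, so the DHCP server's per-circuit decisions cannot be steered by a spoofed circuit ID.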
DHCP relay agent information (DHCP Option 82) 39 Viewing information about DHCP option 82 processing Use the commands in this section to view information about DHCP option 82 processing. Viewing the circuit Id, remote id, and forwarding policy Use the show ip dhcp relay information command to obtain information about the circuit ID, remote ID, and forwarding policy for DHCP option 82. The following shows an example output.
39 IP source guard Viewing the status of DHCP option 82 and the subscriber id Use the show interfaces ethernet command to obtain information about the status of DHCP option 82 and the configured subscriber ID, if applicable. In the example below, the text in bold type displays the information specific to DHCP option 82. PowerConnect#show interfaces ethernet 3 GigabitEthernet3 is up, line protocol is up Hardware is GigabitEthernet, address is 00e0.5200.0002 (bia 00e0.5200.
IP source guard 39 When a new IP source entry binding on the port is created or deleted, the ACL will be recalculated and reapplied in hardware to reflect the change in IP source binding. By default, if IP Source Guard is enabled without any IP source binding on the port, an ACL that denies all IP traffic is loaded on the port. Configuration notes and feature limitations • To run IP Source Guard, you must first enable support for ACL filtering based on VLAN membership or VE port membership.
39 IP source guard

• The number of configured ACL rules affects the rate at which hardware resources are used when IP Source Guard is enabled. Use the show access-list hw-usage on command to enable hardware usage for an ACL, followed by a show access-list command to determine the hardware usage for an ACL.
IP source guard 39 The [vlan ] parameter is optional. If you enter a VLAN number, the binding applies to that VLAN only. If you do not enter a VLAN number, the static binding applies to all VLANs associated with the port. Note that since static IP source bindings consume system resources, you should avoid unnecessary bindings. Enabling IP source guard per-port-per-VLAN To enable IP Source Guard per-port-per VLAN, enter commands such as the following.
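The following is an added example (not Dell or Brocade code) that models the ACL behaviour described for IP Source Guard above: permitted source addresses come from DHCP-snooping bindings and static bindings, a static binding without a VLAN applies to every VLAN on the port, the per-port ACL is rebuilt whenever a binding is added or removed, and a guarded port with no bindings denies all IP traffic. Port names, addresses and VLAN IDs are constructed for the example.

```python
"""IP Source Guard as a per-port ACL derived from the IP source binding table.

Added example, not Dell or Brocade code. Port names, addresses and VLAN IDs
below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    port: str
    ip: str
    vlan: Optional[int] = None       # None: static binding covering all VLANs on the port
    source: str = "dhcp-snooping"    # or "static"


Rule = tuple[str, str, Optional[int]]   # (action, source ip or "any", vlan or None)


class IpSourceGuard:
    def __init__(self) -> None:
        self.enabled_ports: set[str] = set()
        self.bindings: set[Binding] = set()
        self.port_acls: dict[str, list[Rule]] = {}

    def enable(self, port: str) -> None:
        self.enabled_ports.add(port)
        self._rebuild(port)

    def add_binding(self, b: Binding) -> None:
        self.bindings.add(b)
        self._rebuild(b.port)

    def remove_binding(self, b: Binding) -> None:
        self.bindings.discard(b)
        self._rebuild(b.port)

    def _rebuild(self, port: str) -> None:
        """Recompute one port's ACL, the equivalent of the hardware reload the guide mentions."""
        if port not in self.enabled_ports:
            self.port_acls.pop(port, None)
            return
        permits: list[Rule] = [
            ("permit", b.ip, b.vlan)
            for b in sorted(self.bindings, key=lambda b: (b.ip, b.vlan or 0))
            if b.port == port
        ]
        # With no bindings this degenerates to a deny-all ACL, as the guide states.
        self.port_acls[port] = permits + [("deny", "any", None)]

    def acl_for_port(self, port: str) -> list[Rule]:
        return list(self.port_acls.get(port, []))

    def permits(self, port: str, vlan: int, src_ip: str) -> bool:
        """First matching rule wins; a port without an ACL loaded forwards everything."""
        for action, ip, v in self.port_acls.get(port, []):
            if ip == "any" or (ip == src_ip and (v is None or v == vlan)):
                return action == "permit"
        return True


if __name__ == "__main__":
    guard = IpSourceGuard()
    guard.enable("1/3")
    guard.add_binding(Binding("1/3", "10.10.102.4", 2))            # learned by DHCP snooping
    guard.add_binding(Binding("1/3", "10.10.102.9", None, "static"))
    print(guard.acl_for_port("1/3"))
    print("spoofed source on 1/3 forwarded:", guard.permits("1/3", 2, "10.10.102.77"))
```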
Chapter 40 Securing SNMP Access Table 236 lists individual Dell PowerConnect switches and the SNMP access methods they support. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
40 Establishing SNMP community strings

Restricting SNMP access using an ACL, a VLAN, or a specific IP address constitutes the first level of defense when the packet arrives at a Dell PowerConnect device. The next level uses one of the following methods:
• Community string match in SNMP versions 1 and 2
• User-based model in SNMP version 3
SNMP views are incorporated in community strings and the user-based model.
Establishing SNMP community strings 40 To add an encrypted community string, enter commands such as the following. PowerConnect(config)#snmp-server community private rw PowerConnect(config)#write memory Syntax: snmp-server community [0 | 1] ro | rw [view ] [ | ] The parameter specifies the community string name. The string can be up to 32 characters long.
40 Establishing SNMP community strings The view parameter is optional. It allows you to associate a view to the members of this community string. Enter up to 32 alphanumeric characters. If no view is specified, access to the full MIB is granted. The view that you want must exist before you can associate it to a community string. Here is an example of how to use the view parameter in the community string command.
Using the user-based security model 40 NOTE If display of the strings is encrypted, the strings are not displayed. Encryption is enabled by default. Using the user-based security model SNMP version 3 (RFC 2570 through 2575) introduces a User-Based Security model (RFC 2574) for authentication and privacy services. SNMP version 1 and version 2 use community strings to authenticate SNMP access to management modules. This method can still be used for authentication.
40 Using the user-based security model Defining the engine id A default engine ID is generated during system start up. To determine what the default engine ID of the device is, enter the show snmp engineid command and find the following line: Local SNMP Engine ID: 800007c70300e05290ab60 See the section “Displaying the Engine ID” on page 1377 for details. The default engine ID guarantees the uniqueness of the engine ID for SNMP version 3.
Using the user-based security model 40 NOTE This command is not used for SNMP version 1 and SNMP version 2. In these versions, groups and group views are created internally using community strings. (refer to “Establishing SNMP community strings” on page 1366.) When a community string is created, two groups are created, based on the community string name. One group is for SNMP version 1 packets, while the other is for SNMP version 2 packets.
40 Using the user-based security model PowerConnect(config)#snmp-s user bob admin v3 access 2 auth md5 bobmd5 priv des bobdes The CLI for creating SNMP version 3 users has been updated as follows. Syntax: [no] snmp-server user v3 [[access ] [[encrypted] [auth md5 | sha ] [priv [encrypted] des | aes ]]] The parameter defines the SNMP user name or security name used to access the management module.
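The following is an added example (not Dell or Brocade code) that shows what the device does with the md5/sha authentication and DES/AES privacy passwords given in the snmp-server user command above, and why the engine ID discussed earlier has to be unique: it implements the RFC 3414 password-to-key algorithm and the key localization step that hashes the engine ID into the key, and it decodes an RFC 3411 SnmpEngineID such as the one shown in the show snmp engineid output. The password values in the demo are constructed; the engine ID is the one from the guide.

```python
"""SNMPv3 USM key derivation and engine ID decoding.

Added example, not Dell or Brocade code. Implements RFC 3414 Appendix A
(password to Ku, then localization with the authoritative engine ID) and
decodes an RFC 3411 SnmpEngineID. Runs offline; no device is contacted.
"""
import hashlib


def password_to_ku(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash 1,048,576 bytes of the password repeated cyclically."""
    if not password:
        raise ValueError("empty password")
    total = 1_048_576
    reps, rem = divmod(total, len(password))
    h = hashlib.new(algo)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the auth or priv key actually used on the wire."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Localized key for a user password on the device with this engine ID."""
    return localize(password_to_ku(password, algo), engine_id, algo)


def decode_engine_id(engine_id: bytes) -> dict:
    """Decode an SnmpEngineID (RFC 3411 section 5): enterprise number, format, value."""
    if len(engine_id) < 5 or not engine_id[0] & 0x80:
        # Legacy RFC 1910 format: 12 fixed bytes, no format indicator.
        return {"format": "legacy", "enterprise": int.from_bytes(engine_id[:4], "big")}
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    fmt, rest = engine_id[4], engine_id[5:]
    names = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}
    out = {"enterprise": enterprise, "format": names.get(fmt, "enterprise-specific")}
    if fmt == 3 and len(rest) == 6:
        out["mac"] = ".".join(rest.hex()[i:i + 4] for i in range(0, 12, 4))
    elif fmt == 1 and len(rest) == 4:
        out["ipv4"] = ".".join(str(b) for b in rest)
    elif fmt == 4:
        out["text"] = rest.decode("ascii", "replace")
    return out


if __name__ == "__main__":
    eid = bytes.fromhex("800007c70300e05290ab60")   # engine ID from the guide's example
    print(decode_engine_id(eid))                  # enterprise 1991, MAC-based
    # Constructed password: what the switch would derive for "auth md5 bobmd5".
    print(usm_key(b"bobmd5", eid, "md5").hex())
```

Because the engine ID is folded into the localized key, a password captured from one switch's configuration does not directly yield the key for another switch with a different engine ID, and changing a device's engine ID invalidates every key previously derived for it (managers must re-derive from the password).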
Defining SNMP views 40 • If AES is the privacy protocol to be used, enter aes followed by the AES password key. For a small password key, enter 12 characters. For a big password key, enter 16 characters. If you include the encrypted keyword, enter a password string containing 32 hexadecimal characters. Defining SNMP views SNMP views are named groups of MIB objects that can be associated with user accounts to allow limited access for viewing and modification of SNMP statistics and system configuration.
40 SNMP version 3 traps You can exclude portions of the MIB within an inclusion scope. For example, if you want to exclude the snAgentSys objects, which begin with 1.3.6.1.4.1.1991.1.1.2 object identifier from the admin view, enter a second command such as the following. PowerConnect(config)#snmp-server view admin 1.3.6.1.4.1.1991.1.1.2 excluded NOTE Note that the exclusion is within the scope of the inclusion. To delete a view, use the no parameter before the command.
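The following is an added example (not Dell or Brocade code) that resolves whether an OID is visible through a view built from included and excluded subtrees like the admin view above (1.3.6.1.4.1.1991 included, 1.3.6.1.4.1.1991.1.1.2 excluded). When several entries cover an OID the most specific (longest) subtree decides; that is the RFC 3415 VACM rule, and the guide only states that an exclusion applies within the scope of an inclusion, so the nested re-inclusion shown in the test goes beyond the page. An OID with no matching entry is not visible.

```python
"""SNMP view evaluation: included and excluded subtrees, most specific wins.

Added example, not Dell or Brocade code. The view entries mirror the
snmp-server view <name> <subtree> included|excluded commands on the page.
"""
from typing import Optional

Subtree = tuple[int, ...]


def parse_oid(text: str) -> Subtree:
    parts = text.strip().strip(".").split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"bad OID {text!r}")
    return tuple(int(p) for p in parts)


class SnmpView:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: list[tuple[Subtree, bool]] = []

    def add(self, subtree: str, included: bool = True) -> "SnmpView":
        """Equivalent of: snmp-server view <name> <subtree> included|excluded."""
        self.entries.append((parse_oid(subtree), included))
        return self

    def remove(self, subtree: str) -> None:
        """Equivalent of the no form of the view command for one subtree."""
        sub = parse_oid(subtree)
        self.entries = [e for e in self.entries if e[0] != sub]

    def allows(self, oid: str) -> bool:
        """True if the OID is visible: the longest matching subtree entry decides."""
        target = parse_oid(oid)
        best: Optional[tuple[Subtree, bool]] = None
        for subtree, included in self.entries:
            if target[:len(subtree)] == subtree:
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, included)
        return best is not None and best[1]

    def filter_walk(self, oids: list[str]) -> list[str]:
        """What a GETNEXT/GETBULK walk through this view would be allowed to return."""
        return [o for o in oids if self.allows(o)]


if __name__ == "__main__":
    admin = (SnmpView("admin")
             .add("1.3.6.1.4.1.1991")
             .add("1.3.6.1.4.1.1991.1.1.2", included=False))
    for oid in ("1.3.6.1.4.1.1991.1.1.1.0", "1.3.6.1.4.1.1991.1.1.2.5.0", "1.3.6.1.2.1.1.1.0"):
        print(oid, admin.allows(oid))
```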
SNMP version 3 traps 40 Defining the UDP port for SNMP v3 traps The SNMP host command enhancements allow configuration of notifications in SMIv2 format, with or without encryption, in addition to the previously supported SMIv1 trap format. You can define a port that receives the SNMP v3 traps by entering a command such as the following. PowerConnect(config)#snmp-server host 192.168.4.
40 SNMP version 3 traps Backward compatibility with SMIv1 trap format The Dell PowerConnect device will continue to support creation of traps in SMIv1 format, as before. To allow the device to send notifications in SMIv2 format, configure the device as described above. The default mode is still the original SMIv1 format.
Displaying SNMP Information 40

PowerConnect#show snmp server
   Contact:
   Location:
   Community(ro): .....
Traps
   Warm/Cold start: Enable
   Link up: Enable
   Link down: Enable
   Authentication: Enable
   Locked address violation: Enable
   Power supply failure: Enable
   Fan failure: Enable
   Temperature warning: Enable
   STP new root: Enable
   STP topology change: Enable
   vsrp: Enable

Total Trap-Receiver Entries: 4
   Trap-Receiver IP-Address    Port-Number   Community
1  192.147.201.100             162           .....
2  4000::200
3  192.147.202.100
4  3000::200
40 Displaying SNMP Information

PowerConnect#show snmp group
groupname = exceptifgrp
security model = v3
security level = authNoPriv
ACL id = 2
readview = exceptif
writeview =

Syntax: show snmp group
The value for security level can be one of the following.

Security level   Authentication
(blank)          If the security model shows v1 or v2, then security level is blank. User names are not used to authenticate users; community strings are used instead.
SNMP v3 Configuration examples 40

Varbind object identifier    Description
1.3.6.1.6.3.15.1.1.3.0       Unknown user name. This varbind may also be generated:
                             • if the configured ACL for this user filters out this packet.
                             • if the group associated with the user is unknown.
1.3.6.1.6.3.15.1.1.4.0       Unknown engine ID. The value of this varbind is the correct authoritative engine ID that should be used.
1.3.6.1.6.3.15.1.1.5.0       Wrong digest.
1.3.6.1.6.3.15.1.1.6.
Chapter 41 Using Syslog Table 237 lists individual Dell PowerConnect switches and the Syslog features they support.
41 Displaying Syslog messages

• Errors
• Warnings
• Notifications
• Informational
• Debugging
The device writes the messages to a local buffer. You also can specify the IP address or host name of up to six Syslog servers. When you specify a Syslog server, the Dell PowerConnect device writes the messages both to the system log and to the Syslog server. Using a Syslog server ensures that the messages remain available even after a system reload.
Configuring the Syslog service 41 Enabling real-time display of Syslog messages By default, to view Syslog messages generated by a Dell PowerConnect device, you need to display the Syslog buffer or the log on a Syslog server used by the Dell PowerConnect device. You can enable real-time display of Syslog messages on the management console. When you enable this feature, the software displays a Syslog message on the management console when the message is generated.
41 Configuring the Syslog service

• Specify a Syslog server. You can configure the Dell PowerConnect device to use up to six Syslog servers. (Use of a Syslog server is optional. The system can hold up to 1000 Syslog messages in an internal buffer.)
• Change the level of messages the system logs.
• Change the number of messages the local Syslog buffer can hold.
• Display the Syslog configuration.
• Clear the local Syslog buffer.
Configuring the Syslog service 41

TABLE 238 CLI display of Syslog buffer configuration (Continued)
This field...   Displays...
overruns        The number of times the dynamic log buffer has filled up and been cleared to hold new entries. For example, if the buffer is set for 100 entries, the 101st entry causes an overrun. After that, the 201st entry causes a second overrun.
level           The message levels that are enabled.
When you clear log entries, you can selectively clear the static or dynamic buffer, or you can clear both. For example, to clear only the dynamic buffer, enter the following command at the Privileged EXEC level.

PowerConnect#clear logging dynamic-buffer

Syntax: clear logging [dynamic-buffer | static-buffer]

You can specify dynamic-buffer to clear the dynamic buffer or static-buffer to clear the static buffer. If you do not specify a buffer, both buffers are cleared.
PowerConnect#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 38 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning
Static Log Buffer:
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Dec 15 19:00:14:A:Fan 2, fan on left connector, failed
Dynamic Log Buffer (50 entries):
Oct 15 17:38:03:warning:list 101 denied 0010.5a1f.77ed) -> 198.
This command enables local Syslog logging with the following defaults:
• Messages of all severity levels (Emergencies – Debugging) are logged.
• Up to 50 messages are retained in the local Syslog buffer.
• No Syslog server is specified.

Specifying a Syslog server

To specify a Syslog server, enter a command such as the following.

PowerConnect(config)#logging host 10.0.0.
Changing the number of entries the local buffer can hold

You also can use the logging buffered command to change the number of entries the local Syslog buffer can store. For example:

PowerConnect(config)#logging buffered 100
PowerConnect(config)#write mem
PowerConnect(config)#exit
PowerConnect#reload

Syntax: logging buffered

The default number of messages is 50. For PowerConnect Layer 2 switches, you can set the Syslog buffer limit from 1 – 100 entries.
• sys10 – reserved for system use
• sys11 – reserved for system use
• sys12 – reserved for system use
• sys13 – reserved for system use
• sys14 – reserved for system use
• cron – cron/at subsystem
• local0 – reserved for local use
• local1 – reserved for local use
• local2 – reserved for local use
• local3 – reserved for local use
• local4 – reserved for local use
• local5 – reserved for local use
• local6 – reserved for local use
• local7 – reserved for local use

Displ
To display TCP or UDP port numbers instead of their names, enter the following command.

PowerConnect(config)#ip show-service-number-in-log

Syntax: [no] ip show-service-number-in-log

Retaining Syslog messages after a soft reboot

You can configure the device to save the System log (Syslog) after a soft reboot (reload command).
Syslog messages

TABLE 239 Syslog messages

Message level: Alert
Message: modules and 1 power supply, need more power supply!!
Explanation: Indicates that the chassis needs more power supplies to run the modules in the chassis. The parameter indicates the number of modules in the chassis.

Message level: Alert
Message: Fan , , failed
Explanation: A fan has failed. The is the fan number. The describes where the failed fan is in the chassis.

Message level: Alert
Message: Management module at slot state changed from to .
Explanation: Indicates a state change in a management module. The indicates the chassis slot containing the module. The can be one of the following: active, standby, crashed, coming-up, unknown.

Message level: Alert
Message: OSPF LSA Overflow, LSA Type =
Explanation: Indicates an LSA database overflow.

Message level: Alert
Message: System: Module in slot encountered unrecoverable PCI config read failure. Module will be deleted.
Explanation: The module encountered an unrecoverable hardware configuration read failure. The module will be disabled or powered down.

Message level: Alert
Message: System: Module in slot encountered unrecoverable PCI config write failure. Module will be deleted.

Message level: Informational
Message: IPv6: IPv6 protocol enabled on the device from
Explanation: IPv6 protocol was enabled on the device during the specified session.

Message level: Informational
Message: MAC Filter applied to port by from (filter id= )
Explanation: Indicates a MAC address filter was applied to the specified port by the specified user during the specified session.

Message level: Informational
Message: Bridge root changed, vlan , new root ID , root interface
Explanation: A Spanning Tree Protocol (STP) topology change has occurred. The is the ID of the VLAN in which the STP topology change occurred. The is the STP bridge root ID. The is the number of the port connected to the new root bridge.

Message level: Informational
Message: DOT1X : port - mac is unauthorized because system resource is not enough or the invalid information to set the dynamic assigned IP ACLs or MAC address filters
Explanation: 802.

Message level: Informational
Message: ERR_DISABLE: Interface ethernet 16, err-disable recovery timeout
Explanation: If the wait time (port is down and is waiting to come up) expires and the port is brought up, the following message is displayed.

Message level: Informational
Message: Security: telnet | SSH logout by from src IP , src MAC to USER | PRIVILEGE EXEC mode
Explanation: The specified user logged out of the device. The user was using Telnet or SSH to access the device from either or both the specified IP address and MAC address. The user logged out of the specified EXEC mode.

Message level: Informational
Message: Syslog server deleted | added | modified from console | telnet | ssh | web | snmp OR Syslog operation enabled | disabled from console | telnet | ssh | web | snmp
Explanation: A user made Syslog configuration changes to the specified Syslog server address, or enabled or disabled a Syslog operation through the Web, SNMP, console, SSH, or Telnet session.

Message level: Informational
Message: telnet | SSH | web access [by ] from src IP

Message level: Informational
Message: vlan Bridge is RootBridge (MgmtPriChg)
Explanation: 802.1W changed the current bridge to be the root bridge of the given topology due to administrative change in bridge priority.

Message level: Informational
Message: vlan Bridge is RootBridge (MsgAgeExpiry)
Explanation: The message age expired on the Root port so 802.1W changed the current bridge to be the root bridge of the topology.

Message level: Notification
Message: Authentication Disabled on
Explanation: The multi-device port authentication feature was disabled on the on the specified .

Message level: Notification
Message: Authentication Enabled on
Explanation: The multi-device port authentication feature was enabled on the on the specified .

Message level: Notification
Message: BGP Peer DOWN (IDLE)
Explanation: Indicates that a BGP4 neighbor has gone down.

Message level: Notification
Message: Local ICMP exceeds burst packets, stopping for seconds!!
Explanation: The number of ICMP packets exceeds the threshold set by the ip icmp burst command. The Dell PowerConnect device may be the victim of a Denial of Service (DoS) attack. All ICMP packets will be dropped for the number of seconds specified by the value.

Message level: Notification
Message: OSPF interface state changed, rid , intf addr , state
Explanation: Indicates that the state of an OSPF interface has changed. The is the router ID of the Dell PowerConnect device. The is the interface IP address.

Message level: Notification
Message: OSPF intf config error, rid , intf addr , pkt src addr , error type , pkt type
Explanation: Indicates that an OSPF interface configuration error has occurred. The is the router ID of the Dell PowerConnect device. The is the IP address of the interface on the Dell PowerConnect device.

Message level: Notification
Message: OSPF intf rcvd bad pkt: Bad Checksum, rid , intf addr , pkt size , checksum , pkt src addr , pkt type
Explanation: The device received an OSPF packet that had an invalid checksum. The rid is the Dell PowerConnect router ID. The intf addr is the IP address of the Dell PowerConnect interface that received the packet.

Message level: Notification
Message: OSPF intf retransmit, rid , intf addr , nbr rid , pkt type is , LSA type , LSA id , LSA rid
Explanation: An OSPF interface on the Dell PowerConnect device has retransmitted a Link State Advertisement (LSA). The is the router ID of the Dell PowerConnect device.

Message level: Notification
Message: OSPF nbr state changed, rid , nbr addr , nbr rid , state
Explanation: Indicates that the state of an OSPF neighbor has changed. The is the router ID of the Dell PowerConnect device. The is the IP address of the neighbor. The is the router ID of the neighbor.

Message level: Notification
Message: OSPF virtual intf authen failure, rid , intf addr , pkt src addr , error type , pkt type
Explanation: Indicates that an OSPF virtual routing interface authentication failure has occurred. The is the router ID of the Dell PowerConnect device. The is the IP address of the interface on the Dell PowerConnect device.

Message level: Notification
Message: OSPF virtual intf config error, rid , intf addr , pkt src addr , error type , pkt type
Explanation: Indicates that an OSPF virtual routing interface configuration error has occurred. The is the router ID of the Dell PowerConnect device. The is the IP address of the interface on the Dell PowerConnect device.

Message level: Notification
Message: OSPF virtual intf retransmit, rid , intf addr , nbr rid , pkt type is , LSA type , LSA id , LSA rid
Explanation: An OSPF interface on the Dell PowerConnect device has retransmitted a Link State Advertisement (LSA). The is the router ID of the Dell PowerConnect device.

Message level: Notification
Message: OSPF virtual nbr state changed, rid , nbr addr , nbr rid , state
Explanation: Indicates that the state of an OSPF virtual neighbor has changed. The is the router ID of the Dell PowerConnect device. The is the IP address of the neighbor. The is the router ID of the neighbor.

Message level: Notification
Message: VRRP intf state changed, intf , vrid , state
Explanation: A state change has occurred in a Virtual Router Redundancy Protocol (VRRP) interface. The is the port. The is the virtual router ID (VRID) configured on the interface.

Message level: Warning
Message: list denied () (Ethernet ) -> (), 1 event(s)
Explanation: Indicates that an Access Control List (ACL) denied (dropped) packets. The indicates the ACL number. Numbers 1 – 99 indicate standard ACLs. Numbers 100 – 199 indicate extended ACLs. The indicates the IP protocol of the denied packets.

Message level: Warning
Message: No global IP! cannot send IGMP msg.
Explanation: The device is configured for ip multicast active but there is no configured IP address and the device cannot send out IGMP queries.

Message level: Warning
Message: No of prefixes received from BGP peer exceeds warning limit
Explanation: The Layer 3 Switch has received more than the allowed percentage of prefixes from the neighbor.
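The following is an added example, not code from this guide or from the device firmware: a Python parser for local Syslog buffer entries in the show logging format shown under "Configuring the Syslog service", which flags the Table 239 messages a defender would normally alert on (ACL denies, the ICMP burst notification, Telnet/SSH session events and Syslog configuration changes). The exact field positions inside those messages, the login variant of the Security message and the sample buffer are assumptions constructed for this example.

```python
"""Parse PowerConnect-style Syslog buffer entries and flag security-relevant ones.

Added example, not code from the configuration guide. Entry layout follows the
'show logging' output in the guide: "Mon DD HH:MM:SS:<level>:<text>", where
<level> is a one-letter code in the static buffer (A, C, D, M, E, I, N, W) and
a level name in the dynamic buffer. Field positions inside the messages are
assumed from the Table 239 rows and their explanations.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Level codes from the 'show logging' legend in the guide.
LEVEL_CODES = {
    "A": "alert", "C": "critical", "D": "debugging", "M": "emergency",
    "E": "error", "I": "informational", "N": "notification", "W": "warning",
}

ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}):(?P<level>[A-Za-z]+):(?P<text>.*)$"
)

# One pattern per Table 239 row worth alerting on (field layout assumed).
ACL_DENY_RE = re.compile(
    r"list (?P<acl>\d+) denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"\(Ethernet (?P<port>[\d/]+) (?P<mac>[0-9a-f.]+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<events>\d+) event\(s\)"
)
ICMP_BURST_RE = re.compile(
    r"Local ICMP exceeds (?P<burst>\d+) burst packets, stopping for (?P<secs>\d+) seconds"
)
SESSION_RE = re.compile(
    r"Security: (?P<proto>telnet|SSH) (?P<action>login|logout) by (?P<user>\S+) from src IP (?P<ip>[\d.]+)"
)
SYSLOG_CHANGE_RE = re.compile(
    r"Syslog (?:server (?P<change>deleted|added|modified)|operation (?P<op>enabled|disabled)) "
    r"from (?P<via>console|telnet|ssh|web|snmp)"
)


@dataclass
class Finding:
    timestamp: str
    level: str
    kind: str
    detail: dict


def parse_entry(line: str) -> Optional[tuple]:
    """Split one buffer line into (timestamp, level name, message text)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    level = m.group("level")
    level = LEVEL_CODES.get(level, level.lower())  # 'A' -> 'alert', 'warning' stays
    return m.group("ts"), level, m.group("text")


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a security-relevant entry, None for anything else."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    ts, level, text = parsed
    checks = (("acl_deny", ACL_DENY_RE), ("icmp_burst", ICMP_BURST_RE),
              ("session", SESSION_RE), ("syslog_config_change", SYSLOG_CHANGE_RE))
    for kind, rx in checks:
        m = rx.search(text)
        if m:
            detail = {k: v for k, v in m.groupdict().items() if v is not None}
            return Finding(ts, level, kind, detail)
    return None


def audit(buffer_text: str) -> list:
    """Run classify() over every line of a 'show logging' capture."""
    return [f for f in (classify(ln) for ln in buffer_text.splitlines()) if f]


# Constructed sample buffer (not a real capture); addresses are illustrative.
SAMPLE_BUFFER = """\
Dec 15 19:04:14:A:Fan 1, fan on right connector, failed
Oct 15 17:38:03:warning:list 101 denied tcp 10.1.1.5(0)(Ethernet 4/18 0010.5a1f.77ed) -> 10.9.4.69(80), 1 event(s)
Oct 15 17:40:11:notification:Local ICMP exceeds 5 burst packets, stopping for 10 seconds!!
Oct 15 17:41:02:informational:Security: telnet logout by admin from src IP 10.1.1.9, src MAC 0000.1111.2222 to USER EXEC mode
Oct 15 17:42:30:informational:Syslog server deleted from telnet
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_BUFFER):
        print(f.timestamp, f.level, f.kind, f.detail)
```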
Appendix A Network Monitoring

Table 240 lists the individual Dell PowerConnect switches and the network monitoring features they support.
Basic management

PowerConnect#show version
==========================================================================
Active Management CPU [Slot-9]:
SW: Version 04.3.00b17T3e3 Copyright (c) 1996-2008 Brocade Communications, Inc., Inc.
Compiled on Sep 25 2008 at 04:09:20 labeled as SXR04300b17
(4031365 bytes) from Secondary sxr04300b17.bin
BootROM: Version 04.0.
To determine the available show commands for the system or a specific level of the CLI, enter the following command.

PowerConnect#show ?

Syntax: show
TABLE 241 Port statistics (Continued)

This line...   Displays...
Link           The link state.
State          The STP state.
Dupl           The mode (full-duplex or half-duplex).
Speed          The port speed (10M, 100M, or 1000M).
Trunk          The trunk group number, if the port is a member of a trunk group.
Tag            Whether the port is a tagged member of a VLAN.
Priori         The QoS forwarding priority of the port (level0 – level7).
MAC            The MAC address of the port.
Name           The name of the port, if you assigned a name.
This line...       Displays...
InErrors           The total number of packets received that had Alignment errors or phy errors.
LateCollisions     The total number of packets received in which a Collision event was detected, but for which a receive error (Rx Error) event was not detected.
InGiantPkts        The total number of packets for which all of the following were true:
                   • The data length was longer than the maximum allowable frame size.
Viewing egress queue counters on PowerConnect B-Series FCX devices

The show interface command displays the number of packets on a port that were queued for each QoS priority (traffic class) and dropped because of congestion.

NOTE
These counters do not include traffic on management ports or for a stack member unit that is down.

The egress queue counters display at the end of the show interface command output as shown in the following example.
TABLE 242 Egress queue statistics

This line...       Displays...
Queue counters     The QoS traffic class.
Queued packets     The number of packets queued on the port for the given traffic class.
Dropped packets    The number of packets for the given traffic class that were dropped because of congestion.

Clearing the egress queue counters

You can clear egress queue statistics (reset them to zero) using the clear statistics and clear statistics ethernet commands.
RMON support

Statistics (RMON group 1)

Count information on multicast and broadcast packets, total packets sent, undersized and oversized packets, CRC alignment errors, jabbers, collisions, fragments and dropped events is collected for each port on a Layer 2 Switch or Layer 3 Switch. No configuration is required to activate collection of statistics for the Layer 2 Switch or Layer 3 Switch. This activity is activated automatically at system start-up by default.
TABLE 243 Export configuration and statistics (Continued)

This line...     Displays...
Multicast pkts   The total number of good packets received that were directed to a multicast address. This number does not include packets directed to the broadcast address.
History (RMON group 2)

By default, all active ports generate two history control data entries per active Layer 2 Switch port or Layer 3 Switch interface. An active port is defined as one with a link up. If the link goes down, the two entries are automatically deleted.
PowerConnect(config)#rmon event 1 description ‘testing a longer string’ log-and-trap public owner nyc02

Syntax: rmon event description log | trap | log-and-trap owner

sFlow

NOTE
PowerConnect devices support sFlow version 5 by default.

sFlow is a standards-based protocol that allows network traffic to be sampled at a user-defined rate for the purpose of monitoring traffic flow patterns and identifying packet transfer rates on user-specified interfaces.
The configuration procedures for sFlow version 5 are the same as for sFlow version 2, except where explicitly noted. Configuration procedures for sFlow are in the section “Configuring and enabling sFlow” on page 1430. The features and CLI commands that are specific to sFlow version 5 are described in the section “Configuring sFlow version 5 features” on page 1436.

sFlow support for IPv6 packets

The implementation of sFlow features supports IPv6 packets.
Configuration considerations

This section lists the sFlow configuration considerations on Dell PowerConnect devices.

• On PowerConnect B-Series FCX devices, you can use QoS queue 1 for priority traffic, even when sFlow is enabled on the port.
• If a PowerConnect B-Series FCX stack is rebooted, sFlow is disabled on standby and member units until the configuration is synchronized between the Active and Standby Controllers.
NOTE
If an IP address is not already configured when you enable sFlow, the feature uses the source address 0.0.0.0. To display the agent_address, enable sFlow, then enter the show sflow command. Refer to “Enabling sFlow forwarding” on page 1435 and “Displaying sFlow information” on page 1439.

NOTE
In sFlow version 5, you can set an arbitrary IPv4 or IPv6 address as the sFlow agent IP address. Refer to “Specifying the sFlow agent IP address” on page 1437.
Specifying the collector

sFlow exports traffic statistics to an external collector. You can specify up to four collectors. You can specify more than one collector with the same IP address if the UDP port numbers are unique. You can have up to four unique combinations of IP addresses and UDP port numbers.

IPv4 devices

To specify an sFlow collector on an IPv4 device, enter a command such as the following.

PowerConnect(config)#sflow destination 10.10.10.
The default polling interval is 20 seconds. You can change the interval to a value from 1 to any higher value. The interval value applies to all interfaces on which sFlow is enabled. If you set the polling interval to 0, counter data sampling is disabled. To change the polling interval, enter a command such as the following at the global CONFIG level of the CLI.
While different ports on a module may be configured to have different sampling rates, the hardware for the module will be programmed to take samples at a single rate (the module sampling rate). The module sampling rate will be the highest sampling rate (i.e. lowest number) configured for any of the ports on the module.
• 2097152
• 8388608
• 33554432
• 134217728
• 536870912
• 2147483648

For example, if the configured sampling rate is 1000, then the actual rate is 2048 and 1 in 2048 packets are sampled by the hardware.

Changing the sampling rate of a module

You cannot change a module sampling rate directly. You can change a module sampling rate only by changing the sampling rate of a port on that module.
Enabling sFlow forwarding

sFlow exports data only for the interfaces on which you enable sFlow forwarding. You can enable sFlow forwarding on Ethernet interfaces. To enable sFlow forwarding, perform the following:
• Globally enable the sFlow feature
• Enable sFlow forwarding on individual interfaces
• Enable sFlow forwarding on individual trunk ports

NOTE
Before you enable sFlow, make sure the device has an IP address that sFlow can use as its source address.
NOTE
When you enable sFlow forwarding on a trunk port, only the primary port of the trunk group forwards sFlow samples.

To enable sFlow forwarding on a trunk port, enter commands such as the following.

PowerConnect(config)#sflow enable
PowerConnect(config)#trunk e 4/1 to 4/8
PowerConnect(config-trunk-4/1-4/8)#config-trunk-ind
PowerConnect(config-trunk-4/1-4/8)#sflow forwarding e 4/2

These commands globally enable sFlow, then enable sFlow forwarding on trunk port e 4/2.
Specifying the sFlow agent IP address

The sampled sFlow data sent to the collectors includes an agent_address field. This field identifies the device (the sFlow agent) that sent the data. By default, the device automatically selects the sFlow agent IP address based on the configuration, as described in the section “Source address” on page 1429. Alternatively, you can configure the device to instead use an arbitrary IPv4 or IPv6 address as the sFlow agent IP address.
Exporting CPU and memory usage information to the sFlow collector

With sFlow version 5, you can optionally configure the sFlow agent on the Dell PowerConnect device to export information about CPU and memory usage to the sFlow collector. To export CPU usage and memory usage information, enter the following command.

PowerConnect(config)# sflow export system-info

Syntax: [no] sflow export system-info

By default, CPU usage information and memory usage information are not exported.
Syntax: [no] sflow export cpu-traffic

The default sampling rate depends on the Dell PowerConnect device being configured. Refer to “Changing the sampling rate” on page 1432 for the default sampling rate for each kind of Dell PowerConnect device.

Displaying sFlow information

To display sFlow configuration information and statistics, enter the following command at any level of the CLI.
PowerConnect#show sflow
sFlow version:5
sFlow services are enabled.
sFlow agent IP address: 123.123.123.1
4 collector destinations configured:
Collector IP 192.168.4.204, UDP 6343
Collector IP 192.168.4.200, UDP 6333
Collector IP 192.168.4.202, UDP 6355
Collector IP 192.168.4.203, UDP 6565
Polling interval is 0 seconds.
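As an added example (not code from this guide or from the device), the following Python script parses show sflow output like the capture above and checks it against the constraints stated in "Specifying the collector", the source-address NOTE and the polling-interval paragraph. The line layout it expects is assumed from the sample output; the second input is constructed to show the failure cases.

```python
"""Check a 'show sflow' capture against the limits the guide states.

Added example, not code from the guide or the device firmware. Limits applied
are the ones the text gives: at most four collectors, each IP/UDP-port pair
unique, agent address 0.0.0.0 when no IP address was configured, and a polling
interval of 0 meaning counter sampling is off. The line layout is assumed from
the 'show sflow' sample output.
"""
import re

VERSION_RE = re.compile(r"^sFlow version:\s*(\d+)")
SERVICES_RE = re.compile(r"^sFlow services are (enabled|disabled)")
AGENT_RE = re.compile(r"^sFlow agent IP address:\s*(\S+)")
COLLECTOR_RE = re.compile(r"^Collector IP (\S+), UDP (\d+)")
POLL_RE = re.compile(r"^Polling interval is (\d+) seconds")

MAX_COLLECTORS = 4  # limit stated under "Specifying the collector"


def parse_show_sflow(text: str) -> dict:
    """Extract version, service state, agent address, collectors and polling
    interval from the command output; lines that match nothing are ignored."""
    cfg = {"version": None, "enabled": None, "agent": None,
           "collectors": [], "polling": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = VERSION_RE.match(line)
        if m:
            cfg["version"] = int(m.group(1))
            continue
        m = SERVICES_RE.match(line)
        if m:
            cfg["enabled"] = m.group(1) == "enabled"
            continue
        m = AGENT_RE.match(line)
        if m:
            cfg["agent"] = m.group(1)
            continue
        m = COLLECTOR_RE.match(line)
        if m:
            cfg["collectors"].append((m.group(1), int(m.group(2))))
            continue
        m = POLL_RE.match(line)
        if m:
            cfg["polling"] = int(m.group(1))
    return cfg


def audit_sflow(cfg: dict) -> list:
    """Return human-readable issues; an empty list means nothing to fix."""
    issues = []
    if cfg["enabled"] is False:
        issues.append("sFlow services are disabled; no samples are exported")
    if cfg["agent"] in (None, "0.0.0.0"):
        issues.append("agent address is 0.0.0.0: no IP address was configured when "
                      "sFlow was enabled, so collectors cannot identify this agent")
    if cfg["polling"] == 0:
        issues.append("polling interval is 0: counter data sampling is disabled")
    if not cfg["collectors"]:
        issues.append("no collector destination configured")
    elif len(cfg["collectors"]) > MAX_COLLECTORS:
        issues.append(f"{len(cfg['collectors'])} collectors exceed the limit of {MAX_COLLECTORS}")
    seen = set()
    for ip, port in cfg["collectors"]:
        if (ip, port) in seen:
            issues.append(f"duplicate collector {ip} UDP {port}; IP/port pairs must be unique")
        seen.add((ip, port))
    return issues


# GUIDE_OUTPUT reproduces the sample in the guide; CONSTRUCTED_OUTPUT is made up
# to exercise the failure modes (no source address, repeated IP/port pair).
GUIDE_OUTPUT = """\
sFlow version:5
sFlow services are enabled.
sFlow agent IP address: 123.123.123.1
4 collector destinations configured:
Collector IP 192.168.4.204, UDP 6343
Collector IP 192.168.4.200, UDP 6333
Collector IP 192.168.4.202, UDP 6355
Collector IP 192.168.4.203, UDP 6565
Polling interval is 0 seconds.
"""

CONSTRUCTED_OUTPUT = """\
sFlow version:5
sFlow services are enabled.
sFlow agent IP address: 0.0.0.0
2 collector destinations configured:
Collector IP 192.168.4.204, UDP 6343
Collector IP 192.168.4.204, UDP 6343
Polling interval is 20 seconds.
"""

if __name__ == "__main__":
    for name, text in (("guide", GUIDE_OUTPUT), ("constructed", CONSTRUCTED_OUTPUT)):
        print(name, audit_sflow(parse_show_sflow(text)))
```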
TABLE 244 sFlow information (Continued)

This field...             Displays...
exporting system-info
polling interval          Specifies the interval, in seconds, that sFlow data is sent to the sFlow collector.
UDP packets exported      The number of sFlow export packets the Dell PowerConnect device has sent. NOTE: Each UDP packet can contain multiple samples.
sFlow samples collected   The number of sampled packets that have been sent to the collectors.
Configuring a utilization list for an uplink port

• One or more uplink ports
• One or more downlink ports

Each list displays the uplink port and the percentage of that port bandwidth that was utilized by the downlink ports over the most recent 30-second interval. You can configure up to four bandwidth utilization lists.

Command syntax

To configure an uplink utilization list, enter commands such as the following.
NOTE
The example above represents a pure configuration in which traffic is exchanged only by ports 1/2 and 1/1, and by ports 1/3 and 1/1. For this reason, the percentages for the two downlink ports equal 100%. In some cases, the percentages do not always equal 100%. This is true in cases where the ports exchange some traffic with other ports in the system or when the downlink ports are configured together in a port-based VLAN.
Appendix B Software Specifications

IEEE compliance

Dell PowerConnect devices support the following standards.

TABLE 245 IEEE compliance

Standard | Description | PowerConnect B-Series FCX
802.1AB | Station and Media Access Control Connectivity Discovery. Also supports TIA-1057, Telecommunications – IP Telephony Infrastructure – Link Layer Discovery Protocol (LLDP) for Media Endpoint Devices | Yes
802.1d | Ethernet Bridging | Yes
802.1D | MAC Bridges | Yes
802.1p | Mapping to Priority Queue | Yes
802.
RFC support

NOTE
Some devices support only a subset of the RFCs. For example, Layer 2 Switches do not support router-specific RFCs. For a list of features supported on your device, refer to the data sheet or the software release notes for the version of software running on your device.
TABLE 246 Dell PowerConnect RFC support (Continued)

RFC number | Protocol or Standard | PowerConnect B-Series FCX
1212 | Concise MIB Definitions | Yes
1213 | MIB II Definitions | Yes
1215 | SNMP generic traps | Yes
1256 | ICMP Router Discovery Protocol (IRDP) | Yes
1267 | Border Gateway Protocol version 3 | Yes
1269 | Definitions of Managed Objects for the Border Gateway Protocol: Version 3 | Yes
1321 | The MD5 Message-Digest Algorithm | Yes
1340 | Assigned numbers (where applicable) | Yes
1354 | IP
1850 | OSPF Traps | Yes
1850 | OSPF version 2 MIB | Yes
1905 | Protocol Operations for version 2 of the Simple Network Management Protocol (SNMPv2) | Yes
1906 | Transport Mappings for version 2 of the Simple Network Management Protocol (SNMPv2) | Yes
1965 | Autonomous System Configurations for BGP4 | Yes
1966 | BGP Route Reflection | Yes
1997 | BGP Communities Attributes | Yes
2011 | SN
2336 | IGMP version 2 | Yes
2338 | Virtual Router Redundancy Protocol (VRRP) | Yes
2362 | IP Multicast PIM Sparse | Yes
2370 | The OSPF Opaque LSA Option | Yes
2385 | TCP MD5 Signature Option (for BGP4) | Yes
2439 | BGP Route Flap Dampening | Yes
2482 | Language Tagging in Unicode Plain Text | Yes
2544 | Benchmarking Methodology for Network Interconnect Devices | Yes
2570 | Introduction
2866 | RADIUS Accounting | Yes
2869 | RADIUS Extensions | Yes
2889 | Benchmarking Methodology for LAN Switching Devices | Yes
2918 | Route Refresh Capability for BGP4 | Yes
2932 | IPv4 Multicast Routing MIB | Yes
2933 | Internet Group Management Protocol MIB | Yes
2934 | Protocol Independent Multicast MIB for IPv4 | Yes
3176 | InMon Corporation's sFlow: A Method for Monitoring Tra
4252 | The Secure Shell (SSH) Authentication Protocol | Yes
4253 | The Secure Shell (SSH) Transport Protocol | Yes
4254 | The Secure Shell (SSH) Connection Protocol | Yes
4330 | Simple Network Time Protocol (SNTP) version 4 | Yes
| Authentication, Authorization, and Accounting (AAA) | Yes
| Authentication of BGP Session | Yes
| Bi-level access mode (standard and EXEC level) | Yes
| DNS Clie
| Virtual Cable Tester | Yes
| VRRPE (VRRP Enhanced) | Yes

Internet drafts

In addition to the RFCs listed in “RFC support” on page 1445, Dell PowerConnect devices support the following Internet drafts:
• ietf-idmr-dvmrp version 3.05, obsoletes RFC 1075
• draft-ietf-magma-igmp-proxy.