Dell™ PowerConnect™ M6220/M6348/M8024 Switches Configuration Guide
Model PCM6220/PCM6348/PCM8024
www.dell.com | support.dell.
Notes, Notices, and Cautions
NOTE: A NOTE indicates important information that helps you make better use of your switch.
NOTICE: A NOTICE indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
CAUTION: A CAUTION indicates a potential for property damage, personal injury, or death.
Information in this document is subject to change without notice. © 2009 Dell Inc. All rights reserved.
Contents
1 About this Document
    Organization
    Additional Documentation
2 System Configuration
    Traceroute
        CLI Example
3 Switching Configuration
    Virtual LANs
        VLAN Configuration Example
        CLI Examples
        Web Interface
        IP Subnet and MAC-Based VLANs
        CLI Examples
        Protocol-Based VLANs
        Private Edge VLANs
    IGMP Snooping
        CLI Examples
    Simple Switch Mode Supported CLI Commands
    sFlow
        Overview
        sFlow Agents
        CLI Examples
    802.1x Network Access Control Examples
    802.1X Authentication and VLANs
        Authenticated and Unauthenticated VLANs
        Guest VLAN
        CLI Examples
    Quality of Service
        Class of Service Queuing
            Ingress Port Configuration
            Egress Port Configuration—Traffic Shaping
            Queue configuration
            Queue Management Type
            CLI Examples
        Differentiated Services
1 About this Document
This configuration guide provides examples of how to use the following switches in a typical network:
• Dell™ PowerConnect™ M6220
• Dell PowerConnect M6348
• Dell PowerConnect M8024
It describes the advantages of specific functions of the PowerConnect M6220/M6348/M8024 switches and includes information about configuring those functions using the command line interface (CLI).
Additional Documentation
The following documentation provides additional information about PowerConnect M6220/M6348/M8024 software:
• The CLI Command Reference for your Dell PowerConnect switch describes the commands available from the command-line interface (CLI) for managing, monitoring, and configuring the switch.
• The User’s Guide for your Dell PowerConnect switch describes the Web GUI. Many of the scenarios described in this document can be fully configured using the Web interface.
2 System Configuration
This section provides configuration scenarios for the following features:
• "Traceroute" on page 11
• "Configuration Scripting" on page 13
• "Outbound Telnet" on page 16
• "Simple Network Time Protocol (SNTP)" on page 17
• "Syslog" on page 19
• "Port Description" on page 21
• "Storm Control" on page 21
• "10GBASE-T Plug-in Module Configuration" on page 23
NOTE: For information on setting up the hardware and serial or TFTP connection, refer to the Getting Started Guide f
CLI Example
The following shows an example of using the traceroute command to determine how many hops there are to the destination. The command output shows each IP address the packet passes through and how long it takes to get there. In this example, the packet takes 16 hops to reach its destination.
console#traceroute ?
ip | ipv6    Enter IP Address. Use keyword 'ipv6' if entering IPv6 Address.
console#traceroute 72.14.253.99
Traceroute to 72.14.253.99 ,30 hops max 0 byte packets:
1 10.131.10.1
2 210.210.
Configuration Scripting
Configuration scripting allows you to generate a text-formatted script file that shows the current system configuration. You can generate multiple scripts and upload and apply them to more than one switch.
Overview
Configuration scripting:
• Provides scripts that can be uploaded from and downloaded to the system.
• Provides flexibility to create command configuration scripts.
• Can be applied to several switches.
Example #2: Viewing and Deleting Existing Scripts
console#script list
Configuration Script Name        Size(Bytes)
-------------------------------- -----------
abc.scr                          360
running-config                   360
startup-config                   796
test.scr                         360
4 configuration script(s) found.
2046 Kbytes free.
console#script delete test.scr
Are you sure you want to delete the configuration script(s)? (y/n)y
1 configuration script(s) deleted.
Example #3: Applying a Script to the Active Configuration
console#script apply abc.
Example #5: Uploading a Configuration Script to the TFTP Server
Use this command to upload a configuration script to the TFTP server.
console#copy script abc.scr tftp://10.27.64.141/abc.scr
Mode........................................... TFTP
Set TFTP Server IP............................. 10.27.64.141
TFTP Path...................................... ./
TFTP Filename.................................. abc.
Data Type......................................
Source Filename................................
Example #7: Validating a Script
console#script validate abc.scr
ip address dhcp
username "admin" password 16d7a4fca7442dda3ad93c9a726597e4 level 15 encrypted
exit
Configuration script 'abc.scr' validated.
console#script apply abc.scr
Are you sure you want to apply the configuration script? (y/n)y
ip address dhcp
username "admin" password 16d7a4fca7442dda3ad93c9a726597e4 level 15 encrypted
exit
Configuration script 'abc.scr' applied.
IP Address..................................... 10.27.65.89
Subnet Mask.................................... 255.255.254.0
Default Gateway................................ 10.27.64.1
Burned In MAC Address.......................... 00FF.F2A3.
Network Configuration Protocol Current.........
Management VLAN ID.............................
Example #2: Configuring the SNTP Server
console(config)#sntp server ?
Enter SNTP server address or the domain name.
console(config)#sntp server 192.168.10.25 ?
key         Authentication key to use when sending packets to this peer (SNTP server).
poll        Enable/Disable polling.
priority    Configure SNTP server priority.
Press enter to execute the command.
console(config)#sntp server 192.168.10.
Syslog
Overview
Syslog:
• Allows you to store system messages and/or errors.
• Can store to local files on the switch or a remote server running a syslog daemon.
• Provides a method of collecting message logs from many systems.
Interpreting Log Files
Figure 2-1 describes the information that displays in log messages.
Figure 2-1. Log Files Key (annotated sample message; the figure labels its fields A through I)
<130> JAN 01 00:00:06 0.0.0.0-1 UNKN [0x800023]: bootos.
SNMP Set Command Logging : disabled
0 Messages were not logged.
Buffer Log:
<189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 31 %% Instance 0 has elected a new STP root: 8000:00ff:f2a3:8888
<189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 32 %% Instance 0 has elected a new STP root: 8000:0002:bc00:7e2c
<189> JAN 01 04:04:18 10.27.65.86-1 TRAPMGR[231781808]: traputil.c(908) 33 %% New Spanning Tree Root: 0, Unit: 1
<189> JAN 01 04:04:18 10.27.65.
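The buffer-log lines above carry more than the message text: the <PRI> prefix packs the syslog facility and severity (facility * 8 + severity), the host-unit field identifies the stack member, and the trailing number before %% is a per-message sequence counter. The following Python is an added example, not part of the guide or of Dell's software, that parses lines in this layout (the field layout is assumed from the sample output above), decodes PRI, flags entries an operator should review, and detects gaps in the sequence numbers that indicate messages were lost from the buffer. Three of the sample lines are the guide's own; the first and last are constructed in the same format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Layout of the buffer-log lines printed by the switch (assumed from the sample output):
#   <PRI> MON DD HH:MM:SS host-unit COMPONENT[task]: file(line) seq %% text
# PRI packs facility and severity as facility * 8 + severity (syslog convention).
LOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<ts>[A-Z]{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+?)-(?P<unit>\d+)\s+"
    r"(?P<component>[A-Za-z0-9_]+)\s*\[(?P<task>[^\]]*)\]:\s+"
    r"(?P<file>[\w.]+)\((?P<line>\d+)\)\s+"
    r"(?P<seq>\d+)\s+%%\s+(?P<text>.*)$"
)
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}  # local0 .. local7


@dataclass
class SwitchLogEntry:
    facility: int
    severity: int            # 0 = emergency ... 7 = debug
    timestamp: str
    host: str
    unit: int                # stack member that produced the message
    component: str
    task: str
    source: str              # file(line) in the switch firmware that logged it
    seq: int                 # per-message sequence number
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES.get(self.facility, str(self.facility))


def parse_switch_log(line: str) -> Optional[SwitchLogEntry]:
    """Parse one buffer-log line; return None if it does not have the expected shape."""
    m = LOG_RE.match(line.strip())
    if not m or int(m["pri"]) > 191:          # 23 * 8 + 7 is the largest valid PRI
        return None
    pri = int(m["pri"])
    return SwitchLogEntry(
        facility=pri // 8, severity=pri % 8, timestamp=m["ts"], host=m["host"],
        unit=int(m["unit"]), component=m["component"], task=m["task"],
        source=f"{m['file']}({m['line']})", seq=int(m["seq"]), text=m["text"],
    )


def review_worthy(entries: List[SwitchLogEntry], max_severity: int = 4,
                  watch: Tuple[str, ...] = ("STP root", "Spanning Tree Root")) -> List[SwitchLogEntry]:
    """Entries at warning (4) or worse, plus any that report a spanning-tree root change:
    an unexpected new root bridge deserves a look even though the switch logs it at notice."""
    return [e for e in entries
            if e.severity <= max_severity or any(w in e.text for w in watch)]


def sequence_gaps(entries: List[SwitchLogEntry]) -> List[Tuple[int, int]]:
    """(previous, next) pairs where the sequence number jumps; a jump means messages
    between the two were lost from the buffer or are missing from the collected copy."""
    seqs = [e.seq for e in entries]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


# Lines 2-4 are the guide's own buffer-log output; lines 1 and 5 are constructed
# in the same format to exercise the critical and info severities.
SAMPLE_LOG = [
    "<130> JAN 01 00:00:06 0.0.0.0-1 UNKN [0x800023]: bootos.c(1) 1 %% constructed: boot message",
    "<189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 31 %% Instance 0 has elected a new STP root: 8000:00ff:f2a3:8888",
    "<189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 32 %% Instance 0 has elected a new STP root: 8000:0002:bc00:7e2c",
    "<189> JAN 01 04:04:18 10.27.65.86-1 TRAPMGR[231781808]: traputil.c(908) 33 %% New Spanning Tree Root: 0, Unit: 1",
    "<190> JAN 01 04:05:00 10.27.65.86-1 CLI_WEB[100]: cli.c(10) 35 %% constructed: user admin logged in",
]


def analyse(lines: List[str]) -> dict:
    """Parse the lines, then report what to review and whether any messages are missing."""
    entries = [e for e in (parse_switch_log(l) for l in lines) if e is not None]
    return {
        "parsed": len(entries),
        "review": [(e.severity_name, e.component, e.text) for e in review_worthy(entries)],
        "gaps": sequence_gaps(entries),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

With the sample above, <189> decodes to facility local7 and severity notice, and <130> to local0 and critical; the constructed sequence numbers 1, 31, 32, 33, 35 produce two gaps, which is the kind of discontinuity to check when the switch's buffer log is compared against what the remote syslog server received.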
error      Error conditions
info       Informational messages
notice     Normal but significant conditions
warning    Warning conditions
console(Config-logging)#level critical
Port Description
The Port Description feature lets you specify an alphanumeric interface identifier that can be used for SNMP network management.
CLI Example
Use the commands shown below for the Port Description feature.
Configuring a storm-control level also enables that form of storm-control. Disabling a storm-control level (using the “no” version of the command) sets the storm-control level back to default value and disables that form of storm-control. Using the “no” version of the “storm-control” command (not stating a “level”) disables that form of storm-control but maintains the configured “level” (to be active next time that form of storm-control is enabled).
10GBASE-T Plug-in Module Configuration
NOTE: This feature is applicable to the PowerConnect M6220 and M8024 switches only.
The PowerConnect M6220 and M8024 switches provide two 10-Gigabit module slots that support plug-in modules:
• The M6220 supports CX-4, SFP+, XFP, and 10GBASE-T modules. The 10GBASE-T may only be used on bay 2.
• The M8024 supports CX-4, SFP+, and 10GBASE-T modules.
Use the following command to display the current status of low-power mode on an interface (see the Admin State column):
console#show interfaces configuration
Port      Type    Duplex    Speed    Neg
----
1/xg1
....
1/xg21
1/xg22
....
3 Switching Configuration
This section provides configuration scenarios for the following features:
• "Virtual LANs" on page 25
• "IGMP Snooping" on page 32
• "IGMP Snooping Querier" on page 33
• "Link Aggregation/Port Channels" on page 35
• "Port Mirroring" on page 38
• "Port Security" on page 39
• "Link Layer Discovery Protocol" on page 40
• "Denial of Service Attack Protection" on page 42
• "DHCP Snooping" on page 44
• "Port Aggregator" on page 51
• "sFlow" on page 63
Virtual LANs
A
• The IP-subnet Based VLAN feature lets you map IP addresses to VLANs by specifying a source IP address, network mask, and the desired VLAN ID.
• The MAC-based VLAN feature lets packets originating from end stations become part of a VLAN according to their source MAC address. To configure the feature, you specify a source MAC address and a VLAN ID.
The Private Edge VLAN feature lets you set protection between ports located on the switch.
Example #1: Create Two VLANs
Use the following commands to create two VLANs and to assign the VLAN IDs while leaving the names blank.
console(config)#vlan database
console(config-vlan)#vlan 2
console(config-vlan)#vlan 3
console(config-vlan)#exit
Example #2: Assign Ports to VLAN2
This sequence shows how to assign ports to VLAN2, specify that frames will always be transmitted tagged from all member ports, and that untagged frames will be rejected on receipt.
Example #4: Assign VLAN3 as the Default VLAN
This example shows how to assign VLAN 3 as the default VLAN for port 1/g18.
console(config)#interface ethernet 1/g18
console(config-if-1/g18)#switchport general pvid 3
Example #5: Assign IP Addresses to VLAN 2
In order for the VLAN to function as a routing interface, you must enable routing on the VLAN and on the switch. Routing is only permitted on VLAN interfaces. Routing on physical interfaces is not supported.
Web Interface
Use the following screens to perform the same configuration using the Web Interface:
• Switching > VLAN > Membership. To create VLANs and specify port participation.
• Switching > VLAN > Port Settings. To specify the PVID and mode for the port.
IP Subnet and MAC-Based VLANs
In addition to port-based VLANs, the switch also supports VLANs that are based on the IP address or MAC address of a host.
Example #4: Viewing IP Subnet and MAC-Based VLAN Associations
console#show vlan association mac
MAC Address        VLAN ID
-----------------  -------
00FF.F2A3.8886     10
console#show vlan association subnet
IP Subnet          IP Mask            VLAN ID
-----------------  ---------------    -------
192.168.25.0       255.255.255.0      10
192.168.1.11       255.255.255.255    10
Protocol-Based VLANs
The software supports protocol-based VLANs, in which packets are bridged based only on their layer 3 protocol.
Private Edge VLANs
Use the Private Edge VLAN feature to prevent ports on the switch from forwarding traffic to each other even if they are on the same VLAN.
• Protected ports cannot forward traffic to other protected ports in the same group, even if they have the same VLAN membership. Protected ports can forward traffic to unprotected ports.
• Unprotected ports can forward traffic to both protected and unprotected ports.
IGMP Snooping This section describes the Internet Group Management Protocol (IGMP) Snooping feature. IGMP Snooping enables the switch to monitor IGMP transactions between hosts and routers. It can help conserve bandwidth by allowing the switch to forward IP multicast traffic only to connected hosts that request multicast traffic.
Example #3: Show IGMP Snooping Information for an Interface
console#show ip igmp snooping interface ethernet 1/g17
Slot/Port......................................
Global IGMP Snooping Admin Mode................
IGMP Snooping Admin Mode.......................
Fast Leave Mode................................
Group Membership Interval......................
Max Response Time..............................
Multicast Router Present Expiration Time.......
console(config)#ip igmp snooping querier query-interval 100
console(config)#ip igmp snooping querier timer expiry 100
Example #3: Show IGMP Snooping Querier Information
console#show ip igmp snooping querier
Global IGMP Snooping querier status
-----------------------------------
IGMP Snooping Querier Mode.....................
Querier Address................................
IGMP Version...................................
Querier Query Interval.........................
Querier Expiry Interval...................
Example #5: Show IGMP Snooping Querier Information for VLAN 10
console#show ip igmp snooping querier vlan 10
Vlan 10 : IGMP Snooping querier status
----------------------------------------------
IGMP Snooping Querier Vlan Mode................ Enable
Querier Election Participate Mode.............. Enable
Querier Vlan Address........................... 10.10.11.
Operational State..............................
Operational version............................
Operational Max Resp Time......................
Figure 3-2.
console(config)#interface ethernet 1/g18
console(config-if-1/g18)#channel-group 1 mode auto
console(config-if-1/g18)#exit
console(config)#interface ethernet 1/g19
console(config-if-1/g19)#channel-group 2 mode auto
console(config-if-1/g19)#exit
console(config)#interface ethernet 1/g20
console(config-if-1/g20)#channel-group 2 mode auto
console(config-if-1/g20)#exit
console(config)#exit
Example 3: Show the Port Channels
This command shows 48 LAGs; for brevity, this example shows only 20.
Web Interface Configuration: LAGs/Port-channels
To perform the same configuration using the Graphical User Interface, click Switching > Link Aggregation > LAG Membership in the navigation tree.
Port Mirroring
This section describes the Port Mirroring feature, which can serve as a diagnostic tool, debugging tool, or means of fending off attacks.
Port Security
This section describes the Port Security feature.
Overview
Port Security:
• Allows for limiting the number of MAC addresses on a given port.
• Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted.
• Is enabled on a per-port basis.
• When locked, only packets with an allowable MAC address will be forwarded.
• Supports both dynamic and static.
• Implements two traffic filtering methods.
discard     Discard frames with unlearned source addresses.
max         Configure the maximum addresses that can be learned on the port.
trap        Sends SNMP Traps, and specifies the minimum time between consecutive traps.
console(config-if-1/g18)#port security
Example #2: Show Port Security
console#show ports security ?
addresses       Addresses.
ethernet        Ethernet port.
port-channel    Link Aggregation interface.
Press enter to execute the command.
Range <5 - 3600> seconds.
console(config)#lldp notification-interval 1000
console(config)#lldp timers ?
hold        The interval multiplier to set local LLDP data TTL.
interval    The interval in seconds to transmit local LLDP data.
reinit      The delay before re-initialization.
Press enter to execute the command.
Example #4 Show Interface LLDP Parameters
console#show lldp interface 1/g10
LLDP Interface Configuration
Interface  Link   Transmit  Receive  Notify    TLVs     Mgmt
---------  -----  --------  -------  --------  -------  ----
1/g10      Down   Enabled   Enabled  Disabled           Y
TLV Codes: 0- Port Description, 1- System Name, 2- System Description, 3- System Capabilities
Denial of Service Attack Protection
This section describes the Denial of Service Protection feature of the PowerConnect M6220/M6348/M8024 switches.
The following table describes the dos-control keywords.
Table 3-1. DoS Control
Keyword     Meaning
firstfrag   Enabling First Fragment DoS prevention causes the switch to drop packets that have a TCP header smaller than the configured Min TCP Hdr Size.
icmp        ICMP DoS prevention causes the switch to drop ICMP packets that have a type set to ECHO_REQ (ping) and a size greater than the configured ICMP Pkt Size.
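To make the two rules in Table 3-1 concrete, the following Python is an added example (not code from the guide or from Dell) that parses raw IPv4 packets and applies the firstfrag and icmp checks exactly as the table states them: a first fragment whose TCP data offset advertises a header shorter than Min TCP Hdr Size is dropped, and an ICMP ECHO_REQ larger than ICMP Pkt Size is dropped. The threshold values, the packet-building helpers, and the choice to measure the ICMP size as the message length after the IP header are assumptions of this example, not values from the guide.

```python
import struct
from typing import Tuple

# Thresholds the switch lets you configure; these values are assumed for the demo.
MIN_TCP_HDR_SIZE = 20    # "Min TCP Hdr Size" in bytes
ICMP_PKT_SIZE = 512      # "ICMP Pkt Size" in bytes


def build_ipv4(proto: int, payload: bytes, frag_offset: int = 0,
               more_frags: bool = False) -> bytes:
    """Constructed packet: minimal IPv4 header (no options, checksum left zero) + payload."""
    flags_frag = ((1 if more_frags else 0) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(data_offset_words: int = 5) -> bytes:
    """Constructed TCP SYN header; data_offset_words < 5 advertises a header under 20 bytes."""
    return struct.pack("!HHIIHHHH", 40000, 80, 0, 0,
                       (data_offset_words << 12) | 0x02, 65535, 0, 0)


def build_icmp(icmp_type: int, payload_len: int) -> bytes:
    """Constructed ICMP message (type 8 = ECHO_REQ, 0 = echo reply) with zero-filled payload."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\x00" * payload_len


def dos_control_verdict(pkt: bytes, firstfrag: bool = True, icmp: bool = True,
                        min_tcp_hdr: int = MIN_TCP_HDR_SIZE,
                        icmp_pkt_size: int = ICMP_PKT_SIZE) -> Tuple[str, str]:
    """Apply the firstfrag and icmp dos-control rules; returns ('drop' | 'forward', reason)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "forward", "not IPv4: these two rules do not apply"
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    l4 = pkt[ihl:total_len]                      # layer-4 bytes carried by this packet

    if firstfrag and proto == 6 and frag_offset == 0:
        # TCP header length = data offset * 4. A first fragment too short to carry the
        # data-offset byte is treated as a header of len(l4) bytes (assumption).
        hdr_len = (l4[12] >> 4) * 4 if len(l4) > 12 else len(l4)
        if hdr_len < min_tcp_hdr:
            return "drop", f"firstfrag: TCP header {hdr_len} B < Min TCP Hdr Size {min_tcp_hdr} B"

    if icmp and proto == 1 and len(l4) >= 8 and l4[0] == 8 and len(l4) > icmp_pkt_size:
        # Only ECHO_REQ (type 8) is checked; replies and other ICMP types pass.
        return "drop", f"icmp: ECHO_REQ of {len(l4)} B > ICMP Pkt Size {icmp_pkt_size} B"

    return "forward", "no dos-control rule matched"


if __name__ == "__main__":
    samples = {
        "normal SYN": build_ipv4(6, build_tcp(5)),
        "SYN with 12-byte header": build_ipv4(6, build_tcp(3)),
        "1408-byte ping": build_ipv4(1, build_icmp(8, 1400)),
        "64-byte ping": build_ipv4(1, build_icmp(8, 56)),
    }
    for name, pkt in samples.items():
        print(f"{name:28s} -> {dos_control_verdict(pkt)}")
```

Note that the firstfrag rule looks only at the first fragment (fragment offset 0); a later fragment of the same datagram carries no TCP header and is not examined, and disabling either keyword lets its packets through unchanged.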
DHCP Snooping
Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to:
• Filter harmful DHCP messages
• Build a bindings database of (MAC address, IP address, VLAN ID, port) authorized tuples.
DHCP snooping is disabled globally and on all VLANs by default. Ports are untrusted by default. Network administrators can enable DHCP snooping globally and on specific VLANs.
snooping removes bindings in response to DECLINE, RELEASE, and NACK messages. The DHCP snooping application ignores ACK messages sent in reply to DHCP Inform messages received on trusted ports. The administrator can also enter static bindings into the binding database. The DHCP binding database resides on a configured external server or locally in flash, depending upon the user configuration.
DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules and updates the bindings database. If a client message passes filtering rules, the message is placed into the software forwarding path where it may be processed by the DHCP relay agent or forwarded as an IP packet.
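The following Python is an added example, not code from the guide or from Dell's firmware, that models the behaviour described in this section: server messages arriving on untrusted ports are dropped, client messages on untrusted ports must have a source MAC matching chaddr, bindings are learned from an ACK and removed on DECLINE, RELEASE, and NAK, an ACK answering a DHCP Inform creates no binding, and static bindings entered by the administrator are kept. The check that a RELEASE or DECLINE arrives on the same interface the binding was learned on, and the rule that a static binding is never removed by a server message, are assumptions of this model chosen to match the statistics names (MAC Verify Failures, Client Ifc Mismatch) shown in the examples that follow. Message fields and addresses in the usage at the bottom are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    static: bool = False


@dataclass
class DhcpMessage:
    kind: str                      # one of CLIENT_MSGS or SERVER_MSGS
    src_mac: str                   # Ethernet source address of the frame
    chaddr: str                    # client hardware address inside the DHCP payload
    vlan: int
    in_port: str                   # switch interface the frame arrived on
    yiaddr: str = "0.0.0.0"        # address the server hands out (OFFER/ACK)
    reply_to_inform: bool = False  # ACK answering a DHCPINFORM (no lease involved)


class DhcpSnooping:
    """Model of the snooping filter and binding database described in the guide."""

    def __init__(self, snooped_vlans, trusted_ports):
        self.snooped_vlans = set(snooped_vlans)
        self.trusted_ports = set(trusted_ports)
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (mac, vlan) -> Binding
        self.pending: Dict[Tuple[str, int], str] = {}        # (mac, vlan) -> client port
        self.stats = {"mac_verify_failures": 0, "client_ifc_mismatch": 0,
                      "server_msg_on_untrusted": 0}

    def add_static_binding(self, mac: str, vlan: int, ip: str, port: str) -> None:
        """Administrator-entered entry (the 'ip dhcp snooping binding' command)."""
        self.bindings[(mac.lower(), vlan)] = Binding(mac.lower(), ip, vlan, port, static=True)

    def lookup(self, mac: str, vlan: int) -> Optional[Binding]:
        return self.bindings.get((mac.lower(), vlan))

    def process(self, msg: DhcpMessage) -> Tuple[str, str]:
        """Return ('forward' | 'drop', reason) and update the binding database."""
        if msg.vlan not in self.snooped_vlans:
            return "forward", "VLAN is not snooped"
        key = (msg.chaddr.lower(), msg.vlan)
        trusted = msg.in_port in self.trusted_ports

        if not trusted:
            # Untrusted ports face clients, so a server reply there is a rogue server.
            if msg.kind in SERVER_MSGS:
                self.stats["server_msg_on_untrusted"] += 1
                return "drop", f"{msg.kind} received on untrusted port {msg.in_port}"
            # MAC verification: the frame's source must match the chaddr it claims.
            if msg.src_mac.lower() != msg.chaddr.lower():
                self.stats["mac_verify_failures"] += 1
                return "drop", "source MAC does not match chaddr"
            # A lease may only be released/declined from the port it was learned on.
            if msg.kind in {"RELEASE", "DECLINE"}:
                existing = self.bindings.get(key)
                if existing is not None and existing.port != msg.in_port:
                    self.stats["client_ifc_mismatch"] += 1
                    return "drop", f"binding for {msg.chaddr} is on {existing.port}"

        if msg.kind in {"DISCOVER", "REQUEST"}:
            self.pending[key] = msg.in_port           # remember where the client lives
            return "forward", "client request passed"

        if msg.kind == "ACK":
            if msg.reply_to_inform:
                return "forward", "ACK to DHCPINFORM ignored by snooping"
            existing = self.bindings.get(key)
            if existing is not None and existing.static:
                return "forward", "static binding takes precedence"
            client_port = self.pending.pop(key, None)
            if client_port is None:
                return "forward", "no pending request for this client; nothing learned"
            self.bindings[key] = Binding(key[0], msg.yiaddr, msg.vlan, client_port)
            return "forward", f"binding {key[0]} -> {msg.yiaddr} on {client_port}"

        if msg.kind in {"RELEASE", "DECLINE", "NAK"}:
            existing = self.bindings.get(key)
            if existing is not None and not existing.static:
                del self.bindings[key]
                return "forward", f"binding for {key[0]} removed on {msg.kind}"
            return "forward", f"{msg.kind} passed; no dynamic binding to remove"

        return "forward", f"{msg.kind} passed"


if __name__ == "__main__":
    # Constructed walk-through: trusted uplink 1/g1, client on untrusted 1/g5.
    sn = DhcpSnooping(snooped_vlans=[1], trusted_ports=["1/g1"])
    client = "00:02:B3:06:60:80"
    for m in [DhcpMessage("DISCOVER", client, client, 1, "1/g5"),
              DhcpMessage("OFFER", "00:aa:bb:cc:dd:01", client, 1, "1/g7", yiaddr="10.131.11.99"),
              DhcpMessage("ACK", "00:aa:bb:cc:dd:02", client, 1, "1/g1", yiaddr="10.131.11.20"),
              DhcpMessage("RELEASE", "00:11:22:33:44:55", client, 1, "1/g9")]:
        print(m.kind, m.in_port, "->", sn.process(m))
    print(sn.stats, sn.lookup(client, 1))
```

The pending table is what ties an ACK seen on the trusted uplink back to the client's own port: the binding records the port the DISCOVER or REQUEST came in on, not the port the ACK arrived on, which is what makes the later interface check meaningful.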
Example #7 Configure an interface as DHCP snooping trusted
console(config-if-1/g1)#ip dhcp snooping trust
console(config-if-1/g1)#exit
Example #8 Configure rate limiting on an interface
console(config-if-1/g1)#ip dhcp snooping limit rate 50 burst interval 1
console(config-if-1/g1)#exit
Example #9 Configure a DHCP snooping static binding entry
console(config)#ip dhcp snooping binding 00:01:02:03:04:05 vlan 1 10.131.11.
1/g17    No    No
1/g18    No    No
1/g19    No    No
1/g20    No    No
1/g21    No    No
1/g22    No    No
1/g23    No    No
1/g24    No    No
1/xg3    No    No
1/xg4    No    No
ch1      No    No
ch2      No    No
ch3      No    No
ch4      No    No
ch5      No    No
ch6      No    No
--More-- or (q)uit
console#
Example #12 Show DHCP Snooping database configurations
console#show ip dhcp snooping database
agent url: local
write-delay: 500
console#
Example #13 Show DHCP Snooping binding entries
Total number of bindings: 2
MAC Address         IP Address
-----------------   --------
00:01:02:03:04:05
00:02:B3:06:60:80
1/g1     Yes    50    1    15    1
1/g2     No     15    1    15    1
1/g3     No     15    1    15    1
1/g4     No     15    1    15    1
1/g5     No     15    1    15    1
1/g6     No     15    1    15    1
1/g7     No     15    1    15    1
1/g8     No     15    1    15    1
1/g9     No     15    1    15    1
1/g10    No     15    1    15    1
1/g11    No     15    1    15    1
1/g12    No     15    1    15    1
1/g13    No     15    1    15    1
1/g14    No     15    1    15    1
1/g15    No     15    1    15    1
1/g16    No     15    1    15    1
1/g17    No     15    1    15    1
1/g18    No     15    1    15    1
--More-- or (q)uit
1/g19    No
1/g20    No
1/g21    No
1/g22    No
1/g23    No
1/g24    No
1/xg3    No
1/xg4    No
ch1      No
ch2      No
ch3      No
ch4      No
ch5      No
ch6      No
ch7      No
ch8      No
ch9      No
ch10     No
--More--
Example #15 Show DHCP Snooping Per Port Statistics
console#show ip dhcp snooping statistics
Interface    MAC Verify Failures    Client Ifc Mismatch
---------    -------------------    -------------------
1/g2         0
1/g3         0
1/g4         0
1/g5         0
1/g6         0
1/g7         0
1/g8         0
1/g9         0
1/g10        0
1/g11        0
1/g12        0
1/g13        0
1/g14        0
1/g15        0
1/g16        0
1/g17        0
1/g18        0
1/g19        0
1/g20        0
--More-- or (q)uit
1/g21        0
1/g22        0
1/g23        0
1/g24        0
1/xg3        0
1/xg4        0
ch1          0
ch2          0
ch3          0
ch4          0
ch5          0
ch6          0
ch7          0
ch8          0
ch9          0
ch10         0
ch11         0
ch12         0
ch13         0
ch14         0
ch15         0
Client Ifc Mismatch column (partially visible): 0 0
ch16         0
ch17         0
--More-- or (q)uit
0 0 0 0 0 0
Port Aggregator
The Port Aggregator feature minimizes the administration required for managing the blade-centric switch blades. This feature provides administrators the ability to map internal ports to external ports without having to know anything about STP, VLANs, Link Aggregation or other L2/L3 protocols. The Port Aggregator feature is only available when the switch is operating in Simple mode, which is disabled by default.
Figure 3-4. Default Aggregator Groups on Standalone Switch (Blade)
The default Port Aggregator Group mapping is shown in Table 3-2.
Table 3-2. Default Port Aggregator Group Mapping
Aggregator Group    Member Internal Ports                                                                                              Member Uplink (External) Ports
Group 1             1/xg1, 1/xg2, 1/xg3, 1/xg4, 1/xg5, 1/xg6, 1/xg7, 1/xg8, 1/xg9, 1/xg10, 1/xg11, 1/xg12, 1/xg13, 1/xg14, 1/xg15, 1/xg16    1/xg17, 1/xg18, 1/xg19, 1/xg20
A standalone switch in Simple Mode supports up to 8 Aggregator Groups.
To prevent traffic from different groups being seen by other groups, a VLAN is reserved for each Aggregator Group by default. This VLAN reservation per group is not configurable; however you can configure each group to participate in more than one user-created (unreserved) VLAN. VLANs 4086 to 4093 are reserved for each Aggregator Group, starting from 4086 for Group 1. The reserved VLANs are excluded from the user-configurable VLAN list.
• Operational mode is set to Normal mode on resetting the configuration to Factory defaults from the software boot menu. The switch will boot up in this mode unless you select a different mode from the setup wizard.
• The switch can be changed between Normal and Simple Mode without a reboot.
• When you change the operational mode, a trap is generated apart from logging a message.
• The switch maintains two separate config files, one for Simple mode and another for Normal mode.
console(config)#mode simple
Switching modes will immediately clear the configuration. Are you sure you want to continue? (y/n)
To select Normal mode as the operational mode, use the no form of the mode simple command.
console(config)#no mode simple
Example #2: Enter Port Aggregator Mode
Use the port-aggregator group command to enter the Port Aggregator mode to configure aggregator group attributes. GroupId is the Port Aggregator group identifier (Range: 1-8). On a standalone switch, it is up to 8.
Example #6: Set Group LACP Mode to Dynamic Use the lacp auto command to set the LACP (Link Aggregation) mode to dynamic for that Aggregator Group. This means that when more than one uplink port is in the Group, those uplink ports will be enabled automatically with LACP.
Example #10: Show Group VLAN Table
Use the show vlan [port-aggregator group <GroupId>] command to show the VLAN table for a particular aggregator group. port-aggregator group <GroupId> is an optional parameter in the command and, if not specified, the command shows all the MAC entries in all the Groups.
Example #11: Show Group Configuration Summary
Use the show port-aggregator group summary [<GroupId>] command to show the parameters configured on the aggregator group. <GroupId> is an optional parameter in the command and, if not specified, the command shows all the configured parameters for all the Groups.
Simple Switch Mode Supported CLI Commands
Commands that were available in Interface mode of Normal switch mode are now available in Simple mode and can execute on a Port Aggregator group. For example, to apply any of the following commands on aggregator group 1, enter the port configuration mode for that group:
console(config)#port-aggregator group 1
console(config-aggregator-1)#
The following commands that are available in Normal switch mode are also available in Simple mode.
• Dot1x feature commands:
  aaa authentication dot1x
  aaa authorization network default radius
  dot1x max-req
  dot1x port-control
  dot1x re-authenticate
  dot1x re-authentication
  dot1x system-auth-control
  dot1x timeout quiet-period
  dot1x timeout re-authperiod
  dot1x timeout server-timeout
  dot1x timeout supp-timeout
  dot1x timeout tx-period
  show dot1x
  show dot1x statistics
  show dot1x users
• Dot1x Advanced Features:
  dot1x guest-vlan
  dot1x unauth-vlan
  dot1x max-users
  show dot1x clients
• Ethern
• Port Channel Commands:
  show interfaces port-channel
  show statistics port-channel
• Radius commands:
  auth-port
  deadtime
  key
  priority
  radius-server deadtime
  radius-server host
  radius-server key
  radius-server retransmit
  radius-server source-ip
  radius-server timeout
  retransmit
  show radius-servers
  source-ip
  timeout
  usage
• SNMP Commands:
  show snmp
  show snmp engineID
  show snmp groups
  show snmp views
  snmp-server community
  snmp-server community-group
  snmp-server contact
  snmp-server enable traps
  snmp-server e
  user-key
• System Management Commands:
  asset-tag
  hostname
  member
  movemanagement
  ping
  reload
  set description
  show sessions
  show supported switchtype
  show switch
  show system
  show system id
  show system power
  show users
  show version
  switch priority
  switch renumber
  telnet
  traceroute
  traceroute {ipaddress|hostname}
• TACACS commands:
  key
  port
  priority
  show tacacs
  tacacs-server host
  tacacs-server key
  tacacs-server timeout
  timeout
• VLAN Commands:
  vlan add vlan-list
  vlan remove vlan-list
• Web Server Command
  ip https port
  ip https server
  key-generate
  location
  organization-unit
  show crypto certificate mycertificate
  show ip http
  show ip https
  state
sFlow
This section describes the sFlow feature. sFlow is the industry standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources.
• The sFlow collector can receive data from multiple switches, providing a real-time synchronized view of the whole network.
• The Collector can analyze traffic patterns based on protocols found in the headers (e.g., TCP/IP, IPX, Ethernet, AppleTalk…). This alleviates the need for a layer 2 switch to decode and understand all protocols.
Counter Sampling
The primary objective of Counter Sampling is to efficiently, periodically export counters associated with Data Sources. A maximum Sampling Interval is assigned to each sFlow instance associated with a Data Source. Counter Sampling is accomplished as follows:
• sFlow Agents keep a list of counter sources being sampled.
• When a Packet Flow Sample is generated the sFlow Agent examines the list and adds counters to the sample datagram, least recently sampled first.
Example #5: Show sFlow sampling for receiver index 1
console#show sflow 1 sampling
Sampler Data Source    Receiver Index    Packet Sampling Rate
-------------------    --------------    --------------------
1/g1                   1                 1500
1/g2                   1                 1500
1/g3                   1                 1500
1/g4                   1                 1500
1/g5                   1                 1500
1/g6                   1                 1500
1/g7                   1                 1500
1/g8                   1                 1500
1/g9                   1                 1500
1/g10                  1                 1500
1/g15                  1                 1500
Example #6: Show sFlow polling for receiver index 1
console#show sflow 1 polling
Poller Data Source     Receiver Index
-------------------    --------------
1/g1                   1
1/g2                   1
1/g3                   1
1/g4                   1
1/g5                   1
1/g6                   1
1/g7                   1
1/g8
1/g9
1/g10
1/g15
4 Routing Configuration
This section describes configuration scenarios and instructions for the following routing features:
• "VLAN Routing" on page 67
• "Virtual Router Redundancy Protocol" on page 70
• "Proxy Address Resolution Protocol (ARP)" on page 73
• "OSPF" on page 74
• "Routing Information Protocol" on page 84
• "Route Preferences" on page 87
• "Loopback Interfaces" on page 90
• "IP Helper" on page 92
VLAN Routing
This section provides an example of how to configure PowerConnect M62
Figure 4-1. VLAN Routing Example Network Diagram
Labels in the diagram: Layer 3 Switch; Physical Port 1/xg2, VLAN 10: 192.150.3.1; Physical Port 1/xg3, VLAN 10: 192.150.4.1; Physical Port 1/xg1; Layer 2 Switch; Layer 2 Switch; VLAN 10; VLAN 20.
Example 1: Create Two VLANs
The following code sequence shows an example of creating two VLANs with egress frame tagging enabled.
console(config-if-1/g2)#exit
console#configure
console(config)#interface ethernet 1/g3
console(config-if-1/g3)#switchport mode general
console(config-if-1/g3)#switchport general allowed vlan add 20
console(config-if-1/g3)#switchport general pvid 20
console(config-if-1/g3)#exit
Example 3: Set Up VLAN Routing for the VLANs and Assign an IP Address
The following code sequence shows how to enable routing for the VLANs and how to configure the IP addresses and subnet masks for the virtual router ports.
Using the Web Interface to Configure VLAN Routing
Use the following screens to perform the same configuration using the Web Interface:
• Switching > VLAN > VLAN Membership. To create the VLANs and specify port participation.
• Switching > VLAN > Port Settings. To set the PVID and VLAN type.
• Routing > VLAN Routing > Configuration. To enable routing on VLANs.
• Routing > IP > Configuration. To enable routing for the switch.
• Routing > IP > Interface Configuration.
Figure 4-2. VRRP Example Network Configuration
Labels in the diagram: Layer 3 Switch acting as Router 1 (VLAN 50, Port 1/0/2, 192.150.2.1, Virtual Router ID 20, Virtual Addr. 192.150.2.1); Layer 3 Switch acting as Router 2 (VLAN 60, Port 1/0/4, 192.150.4.1, Virtual Router ID 20, Virtual Addr. 192.150.2.1); Layer 2 Switch; Hosts.
Example 1: Configuring VRRP on the Switch as a Master Router
Enable routing for the switch. IP forwarding is then enabled by default.
Assign virtual router IDs to the port that will participate in the protocol:
console(config)#interface vlan 50
console(config-if-vlan50)#ip vrrp 20
Specify the IP address that the virtual router function will recognize. The priority default is 255.
console(config-if-vlan50)#ip vrrp 20 ip 192.150.2.1
Enable VRRP on the port:
console(config-if-vlan50)#ip vrrp 20 mode
console(config-if-vlan50)#exit
Example 2: Configuring VRRP on the Switch as a Backup Router
Enable routing for the switch.
Enable VRRP on the port.
console(config-if-vlan60)#ip vrrp 20 mode
console(config-if-vlan60)#exit
Using the Web Interface to Configure VRRP
Use the following screens to perform the same configuration using the Graphical User Interface:
• Routing > IP > Configuration. To enable routing for the switch.
• Routing > IP > Interface Configuration. To enable routing for the VLAN interfaces and configure their IP addresses and subnet masks.
• Routing > VRRP > VRRP Configuration.
Primary IP Address.............................
Routing Mode...................................
Administrative Mode............................
Forward Net Directed Broadcasts................
Proxy ARP......................................
Local Proxy ARP................................
Active State...................................
Link Speed Data Rate...........................
MAC Address....................................
Encapsulation Type.............................
IP MTU..........................
as 0.0.1.0). The area identified as 0.0.0.0 is referred to as Area 0 and is considered the OSPF backbone. All other OSPF areas in the network must connect to Area 0 directly or through a virtual link. The backbone area is responsible for distributing routing information between non-backbone areas. A virtual link can be used to connect an area to Area 0 when a direct link is not possible. A virtual link traverses an area between the remote area and Area 0 (see Figure 4-5).
External routes are those imported into OSPF from other routing protocols or processes. OSPF computes the path cost differently for external type 1 and external type 2 routes. The cost of an external type 1 route is the cost advertised in the external LSA plus the path cost from the calculating router to the ASBR. The cost of an external type 2 route is the cost advertised by the ASBR in its external LSA.

NOTE: The following example uses the CLI to configure OSPF. You can also use the Web interface.
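As an added illustration (not code from the Dell guide), the following Python computes external-route costs exactly as described above and, going one step beyond the text, picks the preferred external route using the OSPF rule that type 1 routes are preferred over type 2 and that ties among type 2 routes are broken by the cost to the ASBR (RFC 2328, section 16.4). The LSAs and intra-area costs are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ExternalLsa:
    """An AS-external LSA as seen by the calculating router (constructed data)."""
    prefix: str           # destination advertised by the ASBR
    asbr: str             # router ID of the ASBR that originated the LSA
    ext_type: int         # 1 = external type 1, 2 = external type 2
    advertised_cost: int  # metric carried in the LSA


def external_route_cost(lsa: ExternalLsa, cost_to_asbr: int) -> int:
    """Cost of an external route as the guide describes it.

    Type 1: LSA cost plus the path cost from this router to the ASBR.
    Type 2: LSA cost only; the internal path to the ASBR is ignored.
    """
    if lsa.ext_type == 1:
        return lsa.advertised_cost + cost_to_asbr
    if lsa.ext_type == 2:
        return lsa.advertised_cost
    raise ValueError(f"unknown external type {lsa.ext_type}")


def select_external_route(lsas: List[ExternalLsa],
                          cost_to_asbr: Dict[str, int]) -> Optional[ExternalLsa]:
    """Pick the preferred LSA for one prefix (RFC 2328 section 16.4 ordering).

    Type 1 before type 2, then lowest computed cost, then lowest cost to the
    ASBR (the type 2 tie-breaker). LSAs whose ASBR has no known path are
    ignored, because their cost cannot be computed.
    """
    reachable = [l for l in lsas if l.asbr in cost_to_asbr]
    if not reachable:
        return None
    return min(reachable, key=lambda l: (l.ext_type,
                                         external_route_cost(l, cost_to_asbr[l.asbr]),
                                         cost_to_asbr[l.asbr]))


if __name__ == "__main__":
    # Constructed sample: two ASBRs advertise the same prefix with different types.
    lsas = [
        ExternalLsa("20.0.0.0/8", "5.1.0.0", 2, 20),
        ExternalLsa("20.0.0.0/8", "5.4.0.0", 1, 10),
    ]
    costs = {"5.1.0.0": 64, "5.4.0.0": 32}
    best = select_external_route(lsas, costs)
    print(best.asbr, external_route_cost(best, costs[best.asbr]))
```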
Enable routing and assign IP for VLANs 70, 80 and 90.

IPv4 (OSPFv2):

config
interface vlan 70
routing
ip address 192.150.2.2 255.255.255.0
exit
interface vlan 80
routing
ip address 192.130.3.1 255.255.255.0
exit
interface vlan 90
routing
ip address 192.64.4.1 255.255.255.0
exit
exit

IPv6 (OSPFv3):

config
interface vlan 70
routing
ipv6 enable
exit
interface vlan 80
routing
ipv6 address 2002::1/64
exit
interface vlan 90
routing
ipv6 address 2003::1/64
exit
exit

Specify a router ID.
IPv4 (OSPFv2):

config
interface vlan 70
ip ospf area 0.0.0.0
ip ospf priority 128
ip ospf cost 32
exit
interface vlan 80
ip ospf area 0.0.0.2
ip ospf priority 255
ip ospf cost 64
exit
interface vlan 90
ip ospf area 0.0.0.2
ip ospf priority 255
ip ospf cost 64
exit
exit

IPv6 (OSPFv3):

config
interface vlan 70
ipv6 ospf
ipv6 ospf areaid 0.0.0.0
ipv6 ospf priority 128
ipv6 ospf cost 32
exit
interface vlan 80
ipv6 ospf
ipv6 ospf areaid 0.0.0.
Figure 4-4. OSPF Configuration—Stub Area and NSSA Area (elements shown: Area 0 (0.0.0.0) with Router 1 (1.1.1.1), Router 2 (2.2.2.2) and the Backbone Router (3.3.3.3); Area 1 (0.0.0.1), a stub area; Area 2 (0.0.0.2) with IR (5.3.0.0); Area 4 (0.0.0.4), an NSSA; IR (5.4.0.0); the ASBR (5.1.0.0); a virtual link; link addresses 10.1.2.1/10.1.2.2 (3000:1:2::), 10.2.3.3 (3000:2:3::), 10.2.4.2 (3000:2:4::), 10.3.100.3 (3000:3:100::) and 10.1.101.1 (3000:1:101::/64))

Configure Router A: Router A is a backbone router.
ipv6 address 3000:3:100::/64 eui64
ip ospf area 0.0.0.0
ipv6 ospf
exit

• Define an OSPF router:

ipv6 router ospf
router-id 3.3.3.3
exit
router ospf
router-id 3.3.3.3
exit
exit

Configure Router B: Router B is an ABR that connects Area 0 to Areas 1 and 2.

• Configure IPv6 and IPv4 routing.
ipv6 address 3000:2:4::/64 eui64
ipv6 ospf
ipv6 ospf areaid 2
exit

• For IPv4: Define an OSPF router. Define Area 1 as a stub. Enable OSPF for IPv4 on VLANs 10, 5, and 17 by globally defining the range of IP addresses associated with each interface, and then associating those ranges with Areas 1, 0, and 17, respectively. Then, configure a metric cost to associate with static routes when they are redistributed via OSPF:

router ospf
router-id 2.2.2.2
area 0.0.0.1 stub
area 0.0.0.2 nssa
network 10.1.2.0 0.0.
Figure 4-5. OSPF Configuration—Virtual Link (Area 0 (0.0.0.0), the backbone, with Router A, a backbone router (3.3.3.3), and Router B, an ABR (4.4.4.4); Area 1 (0.0.0.1), crossed by the virtual link between Router B and Router C, an ABR (5.5.5.5); Area 2 (0.0.0.2) with IR (5.3.0.0); links on VLANs 2, 5, 7, 10 and 11 with addresses 10.2.3.2 and 10.2.3.3/24 (3000:2:3::/64), 10.1.2.1/24 and 10.1.2.2/24 (3000:1:2::/64 eui64), and 10.1.101.1 (3000:1:101::/64))

Configure Router A: Router A is a backbone router.
Configure Router B: Router B is an ABR that directly connects Area 0 to Area 1. In addition to the configuration steps described in the previous example, we define a virtual link that traverses Area 1 to Router C (5.5.5.5).

(console)#configure
ipv6 unicast-routing
ip routing
interface vlan 2
routing
ip address 10.2.3.2 255.255.255.0
ipv6 address 3000:2:3::/64 eui64
ipv6 ospf
exit
interface vlan 7
routing
ip address 10.1.2.2 255.255.255.
ipv6 ospf
ipv6 ospf areaid 1
exit
interface vlan 11
routing
ip address 10.1.101.1 255.255.255.0
ipv6 address 3000:1:101::/64 eui64
ipv6 ospf
ipv6 ospf areaid 2
exit
ipv6 router ospf
router-id 5.5.5.5
area 0.0.0.1 virtual-link 4.4.4.4
exit
router ospf
router-id 5.5.5.5
area 0.0.0.1 virtual-link 4.4.4.4
network 10.1.2.0 0.0.0.255 area 0.0.0.1
network 10.1.101.0 0.0.0.255 area 0.0.0.
The PowerConnect M6220/M6348/M8024 switches support both versions of RIP.
Example #2: Enable Routing for Ports

The following command sequence enables routing and assigns IP addresses for VLAN 2 and VLAN 3.

console#config
interface vlan 2
routing
ip address 192.150.2.2 255.255.255.0
exit
interface vlan 3
routing
ip address 192.130.3.1 255.255.255.0
exit
exit

Example #3. Enable RIP for the Switch

The next sequence enables RIP for the switch. The route preference defaults to 15.

console#config
router rip
enable
exit
exit

Example #4.
Using the Web Interface to Configure RIP

Use the following screens to perform the same configuration using the Graphical User Interface:
• Routing > IP > Configuration. To enable routing for the switch.
• Routing > IP > Interface Configuration. To configure the VLAN routing interfaces.
• Routing > RIP > Configuration. To enable RIP for the switch.
• Routing > RIP > Interface Configuration. To enable RIP for the VLAN routing interfaces and specify the RIP versions.
Example 1: Configure Administrative Preferences

The following commands configure the administrative preference for RIP and OSPF:

console#Config
router rip
distance rip 130
exit

For OSPF, an additional parameter identifies the type of OSPF route that the preference value applies to:

router ospf
distance ospf ?

external      Enter preference value for OSPF external routes.
inter-area    Enter preference value for inter-area routes.
intra-area    Enter preference value for intra-area routes.
Using Equal Cost Multipath The equal cost multipath (ECMP) feature allows a router to use more than one next hop to forward packets to a given destination prefix. It can be used to promote a more optimal use of network resources and bandwidth. A router that does not use ECMP forwards all packets to a given destination through a single next hop. This next hop may be chosen from among several next hops that provide equally good routes to the destination.
Routing protocols can also be configured to compute ECMP routes. For example, referring to Figure 4-8, if OSPF were configured on both links connecting Router A and Router B, and if Router B advertised its connection to 20.0.0.0/8, then Router A could compute an OSPF route to 20.0.0.0/8 with next hops of 10.1.1.2 and 10.1.2.2. Static and dynamic routes are all included in a single combined routing table.
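The combined routing table, administrative preference and ECMP next-hop selection described in this section and in Example 1 above, as an added Python illustration (not the switch's implementation). The RIP default preference of 15 is the value the guide states; the static and OSPF defaults, the route entries and the per-flow hash are assumptions made for this example.

```python
import hashlib
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# RIP 15 is the default the guide states; static 1 and OSPF 110 are assumed here.
DEFAULT_PREFERENCE = {"static": 1, "ospf": 110, "rip": 15}


class RoutingTable:
    """A single combined table holding candidate routes from every source.

    For each prefix the source with the lowest administrative preference
    wins; within that source the lowest metric wins, and every next hop that
    shares the winning metric is installed as an ECMP next hop.
    """

    def __init__(self, preference: Optional[Dict[str, int]] = None) -> None:
        self.pref = dict(DEFAULT_PREFERENCE)
        if preference:
            self.pref.update(preference)      # e.g. the guide's "distance rip 130"
        # prefix -> list of (protocol, metric, next_hop)
        self._routes: Dict[str, List[Tuple[str, int, str]]] = defaultdict(list)

    def add(self, prefix: str, protocol: str, metric: int, next_hop: str) -> None:
        net = str(ipaddress.IPv4Network(prefix, strict=True))
        if protocol not in self.pref:
            raise ValueError(f"no administrative preference for {protocol!r}")
        self._routes[net].append((protocol, metric, next_hop))

    def best(self, prefix: str) -> Optional[Tuple[str, List[str]]]:
        """Return (winning protocol, sorted ECMP next hops) for one prefix."""
        cands = self._routes.get(str(ipaddress.IPv4Network(prefix)))
        if not cands:
            return None
        proto, metric, _ = min(cands, key=lambda r: (self.pref[r[0]], r[1]))
        hops = sorted({nh for p, m, nh in cands if p == proto and m == metric})
        return proto, hops

    def lookup(self, dst: str) -> Optional[Tuple[str, str, List[str]]]:
        """Longest-prefix match first, then source selection for that prefix."""
        ip = ipaddress.IPv4Address(dst)
        matches = [ipaddress.IPv4Network(p) for p in self._routes
                   if ip in ipaddress.IPv4Network(p)]
        if not matches:
            return None
        net = str(max(matches, key=lambda n: n.prefixlen))
        proto, hops = self.best(net)
        return net, proto, hops

    def next_hop_for_flow(self, src: str, dst: str) -> Optional[str]:
        """Pick one ECMP next hop per flow so packets of a flow are not reordered.

        A hash of (src, dst) is used here; forwarding hardware hashes more
        header fields, so this only illustrates per-flow selection.
        """
        found = self.lookup(dst)
        if found is None:
            return None
        hops = found[2]
        digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
        return hops[int.from_bytes(digest[:4], "big") % len(hops)]


if __name__ == "__main__":
    # Constructed routes for the Figure 4-8 scenario: OSPF learns 20.0.0.0/8 over both links.
    rt = RoutingTable({"rip": 130})
    rt.add("20.0.0.0/8", "ospf", 20, "10.1.1.2")
    rt.add("20.0.0.0/8", "ospf", 20, "10.1.2.2")
    rt.add("20.0.0.0/8", "rip", 3, "10.1.3.2")
    print(rt.best("20.0.0.0/8"), rt.next_hop_for_flow("192.168.1.10", "20.2.5.5"))
```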
Loopbacks are typically used for device management purposes. A client can use the loopback interface to communicate with the router through various services such as telnet and SSH. The address on a loopback behaves identically to any of the local addresses of the router in terms of the processing of incoming packets. This interface provides the source address for sent packets and can receive both local and remote packets. NOTE: The following example uses the CLI to configure a loopback interface.
IP Helper The IP Helper feature provides the ability for a router to forward configured UDP broadcast packets to a particular IP address. This allows applications to reach servers on non-local subnets. This is possible even when the application is designed to assume a server is always on a local subnet or when the application uses broadcast packets to reach the server (with the limited broadcast address 255.255.255.255, or a network directed broadcast address).
Certain pre-existing configurable DHCP relay options do not apply to relay of other protocols. These options are unchanged. The user may optionally set a maximum hop count or minimum wait time using the bootpdhcprelay maxhopcount and bootpdhcprelay minwaittime commands. The relay agent relays DHCP packets in both directions. It relays broadcast packets from the client to one or more DHCP servers, and relays packets to the client that the DHCP server unicasts back to the relay agent.
Example 2: Configure IP Helper Globally (DHCP)

To relay DHCP packets received on any interface to two DHCP servers (10.1.1.1 and 10.1.2.1), use the following commands:

console (config)#ip helper-address 10.1.1.1 dhcp
console (config)#ip helper-address 10.1.2.1 dhcp

Example 3: Enable IP Helper Globally (UDP)

To relay UDP packets received on any interface for all default ports (Table 2) to the server at 20.1.1.1, use the following commands:

console (config)#ip helper-address 20.1.1.
Example 7: Show IP Helper Configurations

The following command shows IP Helper configurations:

console#show ip helper-address
IP helper is enabled

Interface   UDP Port   Discard   Hit Count   Server Address
----------  ---------  --------  ----------  ---------------
vlan 100    dhcp       No        10          10.100.1.254
vlan 101    any        Yes       2           10.100.2.254
any         dhcp       No        0           10.200.1.254

Example 8: Show IP Helper Statistics

The following command shows IP Helper statistics:

console#show ip helper statistics
DHCP client messages received......
Routing Configuration
5 Device Security

This section describes configuration scenarios for the following features:
• "802.1x Network Access Control" on page 97
• "802.1X Authentication and VLANs" on page 100
• "802.1x MAC Authentication Bypass (MAB)" on page 103
• "Authentication Server Filter Assignment" on page 105
• "Access Control Lists (ACLs)" on page 106
• "RADIUS" on page 113
• "TACACS+" on page 115
• "Captive Portal" on page 117

802.
Completion of an authentication exchange requires all three roles. The PowerConnect M6220/M6348/M8024 switches support the authenticator role only, in which the PAE is responsible for communicating with the supplicant. The authenticator PAE is also responsible for submitting information received from the supplicant to the authentication server in order for the credentials to be checked, which determines the authorization state of the port.
IP address     Type  Port  TimeOut  Retran.  DeadTime  Source IP      Prio.  Usage
-------------  ----  ----  -------  -------  --------  -------------  -----  -----
10.27.5.157    Auth  1812  Global   Global   Global    10.27.65.13    0      all

Global values
Configured Authentication Servers : 1
Configured Accounting Servers : 0
Named Authentication Server Groups : 1
Named Accounting Server Groups : 0
Timeout : 3
Retransmit : 3
Deadtime : 0
Source IP : 0.0.0.0
RADIUS Attribute 4 Mode : Disable
RADIUS Attribute 4 Value : 0.0.0.
Administrative Mode............... Enabled

Port   Admin Mode  Oper Mode     Reauth Control  Reauth Period
-----  ----------  ------------  --------------  -------------
1/g8   mac-based   Unauthorized  FALSE           3600

Quiet Period................................... 60
Transmit Period................................ 30
Maximum Requests............................... 2
Max Users...................................... 3
VLAN Assigned.................................. 10
Supplicant Timeout.............................
Much of the configuration to assign hosts to a particular VLAN takes place on the RADIUS server or 802.1X authenticator. If you use an external RADIUS server to manage VLANs, you configure the server to use Tunnel attributes in Access-Accept messages in order to inform the switch about the selected VLAN. These attributes are defined in RFC 2868, and their use for dynamic VLAN is specified in RFC 3580.
Example #1: Allow the Switch to Accept RADIUS-Assigned VLANs

The RADIUS server can place a port in a particular VLAN based on the result of the authentication. The command in this example allows the switch to accept VLAN assignment by the RADIUS server.

NOTE: The feature is available in release 2.1 and later.

console#config
console(config)#aaa authorization network default radius

Example #2: Enable Guest VLANs

This example shows how to set the guest VLAN on interface 1/g20 to VLAN 100.
802.1x MAC Authentication Bypass (MAB) MAB is a supplemental authentication mechanism that allows 802.1x unaware clients, such as printers and fax machines, to authenticate to the network using the client MAC address as an identifier. The known and allowable MAC address and corresponding access rights of the client must be pre-populated in the authentication server. MAB only works when the port control mode of the port is mac-based. MAB uses the 802.
Figure 5-2.
Example 2: Show MAB Configuration

To show the MAB configuration for interface 1/g5, use the following command:

console#show dot1x ethernet 1/g5
Administrative Mode............... Enabled

Port   Admin Mode  Oper Mode   Reauth Control
-----  ----------  ----------  --------------
1/g5   mac-based   Authorized  TRUE

Quiet Period...................................
Transmit Period................................
Maximum Requests...............................
Max Users......................................
Filter-id = "internet_access"

3 The DiffServ policy specified in the attribute must already be configured on the switch, and the policy names must be identical. For information about configuring a DiffServ policy, see "Differentiated Services" on page 137. The section "Example #1: DiffServ Inbound Configuration" on page 138 describes how to configure a policy named internet_access.

NOTE: If the policy specified within the server attribute does not exist on the switch, authentication will fail.
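The two server-side assignments described in this chapter, the RFC 2868/RFC 3580 tunnel attributes that carry a VLAN (see "802.1X Authentication and VLANs" above) and the Filter-Id attribute that names a DiffServ policy, as an added Python illustration of what the authenticator must do with an Access-Accept. This is not Dell code: the attribute numbers and the Response Authenticator check come from the RFCs, the reply below is constructed (VLAN 10, policy internet_access, shared secret secret1 are values from this guide's examples, the Request Authenticator is made up), and it shows the failure case where the named policy is not configured on the switch.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11                # RFC 2865
ATTR_TUNNEL_TYPE = 64              # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13              # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side (used only to construct the sample): header plus Response Authenticator."""
    head = bytes([ACCESS_ACCEPT, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Check the Response Authenticator (RFC 2865 section 3) before trusting the reply:
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("malformed RADIUS packet")
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {packet[0]})")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return attrs


def extract_vlan(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """VLAN from the RFC 3580 tunnel attribute triple, grouped by the tag byte."""
    groups: Dict[int, Dict[str, object]] = {}
    for atype, value in attrs:
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be 4 bytes")
            key = "type" if atype == ATTR_TUNNEL_TYPE else "medium"
            groups.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is a tag; otherwise it belongs to the string.
            tag, text = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})["group"] = text.decode("ascii")
    for tag in sorted(groups):
        g = groups[tag]
        if (g.get("type") == TUNNEL_TYPE_VLAN and g.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and "group" in g):
            vid = str(g["group"])
            if not vid.isdigit() or not 1 <= int(vid) <= 4094:
                raise ValueError(f"unusable VLAN id {vid!r}")
            return int(vid)
    return None


def authorize(packet: bytes, request_auth: bytes, secret: bytes,
              configured_policies: Set[str]) -> Dict[str, object]:
    """What the authenticator does with a reply: verify it, then apply VLAN and Filter-Id."""
    attrs = parse_attributes(verify_response(packet, request_auth, secret))
    vlan = extract_vlan(attrs)
    policy = next((v.decode("ascii") for t, v in attrs if t == ATTR_FILTER_ID), None)
    if policy is not None and policy not in configured_policies:
        # Per the guide, a Filter-Id naming a policy that is not on the switch fails authentication.
        return {"authorized": False, "reason": f"DiffServ policy {policy!r} not configured"}
    return {"authorized": True, "vlan": vlan, "policy": policy}


# Constructed sample reply: VLAN 10 and policy internet_access, values from the guide's examples.
SAMPLE_SECRET = b"secret1"
SAMPLE_REQUEST_AUTH = bytes(range(16))   # constructed Request Authenticator of the Access-Request
SAMPLE_ATTRS = (
    encode_attribute(ATTR_TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + encode_attribute(ATTR_TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    + encode_attribute(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10")
    + encode_attribute(ATTR_FILTER_ID, b"internet_access")
)
SAMPLE_ACCEPT = build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_ATTRS, SAMPLE_SECRET)
```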
Limitations

The following limitations apply to ingress and egress ACLs.
• Maximum of 100 ACLs.
• Maximum rules per ACL is 127.
• You can configure mirror or redirect attributes for a given ACL rule, but not both.
• The PowerConnect M6220/M6348/M8024 switches support a limited number of counter resources, so it may not be possible to log every ACL rule.
IP ACLs IP ACLs classify for Layers 3 and 4. Each ACL is a set of up to ten rules applied to inbound traffic.
Figure 5-3. IP ACL Example Network Diagram

Example #1: Create an ACL and Define an ACL Rule

This command creates an ACL named list1 and configures a rule for the ACL. After the mask has been applied, it permits packets carrying TCP traffic that matches the specified Source IP address, and sends these packets to the specified Destination IP address.

console#config
console(config)#access-list list1 permit tcp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.
Example #2: Define the Second Rule for ACL 179

Define the rule to set similar conditions for UDP traffic as for TCP traffic.

console(config)#access-list list1 permit udp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.255
console(config)#exit

Example #3: Apply the Rule to Outbound (Egress) Traffic on Port 1/g2

Only traffic matching the criteria will be accepted.
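How the two list1 rules above are evaluated against traffic (wildcard masks, first match wins, implicit deny at the end, the 127-rule limit from the Limitations list), as an added Python model that is not the switch's implementation; the parser handles only the rule form used in these examples, without port qualifiers. Note that the guide's destination 192.168.77.3 with wildcard 0.0.0.255 ignores the host octet, so any 192.168.77.x destination matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

MAX_RULES_PER_ACL = 127   # limit stated in the guide's Limitations list


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    protocol: str    # "tcp", "udp", "ip" ("ip" matches any IP protocol), ...
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit means 'do not care', so 0.0.0.255 ignores the last octet."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def parse_rule(cli_line: str) -> Rule:
    """Parse the form used in the guide's examples (assumed subset of the syntax):
    access-list <name> <permit|deny> <proto> <src> <src-wild> <dst> <dst-wild>"""
    parts = cli_line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule syntax: {cli_line!r}")
    _, _name, action, proto, src, sw, dst, dw = parts
    for field in (src, sw, dst, dw):
        ipaddress.IPv4Address(field)   # raises on anything but a dotted quad
    return Rule(action, proto.lower(), src, sw, dst, dw)


class Acl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES_PER_ACL:
            raise ValueError(f"{self.name}: maximum of {MAX_RULES_PER_ACL} rules reached")
        self.rules.append(rule)

    def evaluate(self, protocol: str, src: str, dst: str) -> str:
        """First matching rule decides; every ACL ends with an implicit deny."""
        for r in self.rules:
            if r.protocol not in ("ip", protocol.lower()):
                continue
            if (wildcard_match(src, r.src, r.src_wildcard)
                    and wildcard_match(dst, r.dst, r.dst_wildcard)):
                return r.action
        return "deny"


def guide_list1() -> Acl:
    """The two rules from Example #1 and Example #2, as typed in the guide."""
    acl = Acl("list1")
    acl.add(parse_rule("access-list list1 permit tcp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.255"))
    acl.add(parse_rule("access-list list1 permit udp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.255"))
    return acl


if __name__ == "__main__":
    acl = guide_list1()
    for proto, s, d in [("tcp", "192.168.77.10", "192.168.77.3"), ("icmp", "192.168.77.10", "192.168.77.3")]:
        print(proto, s, "->", d, acl.evaluate(proto, s, d))
```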
log                Configure logging for this access list rule.
mirror             Configure the packet mirroring attribute.
redirect           Configure the packet redirection attribute.
vlan               Configure a match condition based on a VLAN ID.
<0x0600-0xffff>    Enter a four-digit hexadecimal number in the range of 0x0600 to 0xffff to specify a custom Ethertype value.
                   Press enter to execute the command.
Example #7: Setup an ACL with Permit Action

console# Config
console(config)#mac access-list extended mac2
console(config-mac-access-list)#permit ?

any      Configure a match condition for all the source MAC addresses in the Source MAC Address field.
         Enter a MAC Address.

console(config-mac-access-list)#permit any ?

any      Configure a match condition for all the destination MAC addresses in the Destination MAC Address field.
bpdu     Match on any BPDU destination MAC Address.
         Enter a MAC Address.
MAC ACL Name: mac1

Rule Number: 1
Action......................................... deny
Destination MAC Address........................ 00:11:22:33:44:55
Destination MAC Mask........................... 00:00:00:00:FF:FF
Log............................................ TRUE

RADIUS

Making use of a single database of accessible information—as in an Authentication Server—can greatly simplify the authentication and management of users in a large network.
Example #1: Basic RADIUS Server Configuration This example configures two RADIUS servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The shared secrets are configured to be secret1 and secret2 respectively. The server at 10.10.10.10 is configured as the primary server.
console(config)#aaa authentication dot1x default radius

Example #2: Set the NAS-IP Address for the RADIUS Server

The NAS-IP address attribute identifies the IP Address of the network authentication server (NAS) that is requesting authentication of the user. The address should be unique to the NAS within the scope of the RADIUS server. The NAS-IP-Address is only used in Access-Request packets. Either the NAS-IP-Address or NAS-Identifier must be present in an Access-Request packet.
TACACS+ Configuration Example

This example configures two TACACS+ servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The server at 10.10.10.10 has a default priority of 0, the highest priority, while the other server has a priority of 2. The process creates a new authentication list, called tacacsList, which uses TACACS+ to authenticate, and uses local authentication as a backup method.

Figure 5-5.
console(config)#priority 2
console(config)#exit
console(config)#aaa authentication login tacacsList tacacs local

Captive Portal

Overview

The Captive Portal feature is a software implementation that allows client access only after user verification. Verification can be configured to allow access for guest and authenticated users. Users must be validated against a database of authorized captive portal users, either locally or through a RADIUS client. The Authentication server supports both HTTP and HTTPS web connections.
There are three states for clients connecting to the Captive Portal interface:
• Unknown State
• Unauthenticated State
• Authenticated State

In the unknown state, the CP doesn't redirect HTTP/S traffic to the switch, but queries the switch to determine whether the client is authenticated or unauthenticated. In the Unauthenticated state, the CP directs the HTTP/S traffic to the switch to allow the client to authenticate with the switch.
When using Local authentication, the administrator provides user identities for Captive Portal by adding unique user names and passwords to the Local User Database. This configuration is global to the captive portal component and can contain up to 128 user entries (a RADIUS server should be used if more users are required). A local user can belong to only one group. There is one group created by default with the group name "Default" to which all new users are assigned.
Client Authentication Logout Request

The administrator can configure and enable 'user logout'. This feature allows the authenticated client to deauthenticate from the network. In response to the request, the authenticated user is removed from the connection status tables. If the client logout request feature is not enabled, or the user does not specifically request logout, the connection status remains authenticated until Captive Portal deauthenticates (session timeout, idle time, etc.).
Captive Portal Configuration Management

In order to provide text-based compatibility, Captive Portal converts the binary image data to text (and vice versa) through special CLI commands that are only issued for script files. Although the data is shown in ASCII, it is not for the end user (it is intended to be read by the text-based configuration).
The size of the table has a limit of 1024 entries. If the list becomes full, new table entries are rejected and a trap is sent for every rejected client.

Captive Portal Statistics

Client session statistics are available for both guest and authenticated users. Client statistics are used to enforce the idle timeout and other limits configured for the user and captive portal instance. Client statistics may not be cleared by the administrator since this would affect the ability to monitor the configured limits.
Example 5: Show Captive Portal

To show the status of Captive Portal, use the following command:

console#show captive-portal
Administrative Mode....................... Enabled
Operational Status........................ Enabled
Disable Reason............................ Administrator Disabled
Captive Portal IP Address................. 1.2.3.
Max Input Octets (bytes)....................... 0
Max Output Octets (bytes)...................... 0
Max Total Octets (bytes).......................
CP ID.......................................... 1
CP Name........................................ Default

Client MAC Address  Client IP Address  Interface  Interface Description
------------------  -----------------  ---------  --------------------------------
00:12:79:BF:94:7A   192.168.1.10       1/g18      Slot: 1 Port: 18 Gigabit - Level

This command shows the statistics for the client above:

#show captive-portal client 00:12:79:BF:94:7A statistics
Client MAC Address.............................
Bytes Received...........................
Device Security
6 IPv6

This section includes the following subsections:
• "Overview" on page 127
• "Interface Configuration" on page 127
• "DHCPv6" on page 130

Overview

There are many conceptual similarities between IPv4 and IPv6 network operation. Addresses still have a network prefix portion (subnet) and a device interface specific portion (host). While the length of the network portion is still variable, most users have standardized on using a network prefix length of 64 bits.
While optional in IPv4, router advertisement is mandatory in IPv6. Router advertisements specify the network prefix(es) on a link which can be used by receiving hosts, in conjunction with an EUI64 identifier, to auto-configure a host's address. Routers have their network prefixes configured and may use EUI64 or manually configured interface IDs.
ipv6 router ospf
router-id 1.1.1.1
exit
interface vlan 15
routing
ip address 20.20.20.1 255.255.255.0
ip ospf area 0.0.0.0
exit
interface vlan 2
routing
ipv6 enable
ipv6 address 2020:1::1/64
ipv6 ospf
ipv6 ospf network point-to-point
exit
interface tunnel 0
ipv6 address 2001::1/64
tunnel mode ipv6ip
tunnel source 20.20.20.1
tunnel destination 10.10.10.1
ipv6 ospf
ipv6 ospf network point-to-point
exit
interface loopback 0
ip address 1.1.1.1 255.255.255.
ip address 10.10.10.1 255.255.255.0
ip ospf area 0.0.0.0
exit
interface vlan 2
routing
ipv6 enable
ipv6 address 2020:2::2/64
ipv6 ospf
ipv6 ospf network point-to-point
exit
interface tunnel 0
ipv6 address 2001::2/64
tunnel mode ipv6ip
tunnel source 10.10.10.1
tunnel destination 20.20.20.1
ipv6 ospf
ipv6 ospf network point-to-point
exit
interface loopback 0
ip address 2.2.2.2 255.255.255.0
exit
exit

DHCPv6

DHCP is generally used between clients (e.g., hosts) and servers (e.g.
causes DHCPv6 clients to send the DHCPv6 “Information Request” message in response. A DHCPv6 server then responds by providing only networking definitions such as DNS domain name and server definitions, NTP server definitions, and/or SIP definitions. RFC 3315 also describes DHCPv6 Relay Agent interactions, which are very much like DHCPv4 Relay Agents.
DHCPv6 pool configuration:

console# config
ipv6 dhcp pool testpool
domain-name dell.
7 Quality of Service

This section includes the following subsections:
• "Class of Service Queuing" on page 133
• "Differentiated Services" on page 137

Class of Service Queuing

The Class of Service (CoS) feature lets you give preferential treatment to certain types of traffic over others. To set up this preferential treatment, you can configure the ingress ports, the egress ports, and individual queues on the egress ports to provide customization that suits your environment.
CoS Mapping Table for Trusted Ports Mapping is from the designated field values on trusted ports’ incoming packets to a traffic class priority (actually a CoS traffic queue). The trusted port field-to-traffic class configuration entries form the Mapping Table the switch uses to direct ingress packets from trusted ports to egress queues.
Figure 7-1. CoS Mapping and Queue Configuration (ingress packets A (UserPri=3), B (UserPri=7), C (untagged) and D (UserPri=6) arriving on port 1/g10 in mode 'trust dot1p')
Figure 7-2. CoS Configuration Example System Diagram (port 1/g10 ingress; port 1/g8 towards the server)

You will configure the ingress interface uniquely for all cos-queue and VLAN parameters.

console#config
interface ethernet 1/g10
classofservice trust dot1p
classofservice dot1p-mapping 6 3
vlan priority 2
exit
interface ethernet 1/g8
cos-queue min-bandwidth 0 0 5 5 10 20 40
cos-queue strict 6
exit
exit

You can also set traffic shaping parameters for the interface.
Differentiated Services

Differentiated Services (DiffServ) is one technique for implementing Quality of Service (QoS) policies. Using DiffServ in your network allows you to directly configure the relevant parameters on the switches and routers rather than using a resource reservation protocol. This section explains how to configure the switch to identify which traffic class a packet belongs to, and how it should be handled to provide the desired quality of service.
• Service – Assigns a policy to an interface for inbound traffic.

CLI Example

This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own Class B subnet that is allocated 25% of the available bandwidth on the port accessing the Internet.

Figure 7-3.
exit
class-map match-all marketing_dept
match srcip 172.16.20.0 255.255.255.0
exit
class-map match-all test_dept
match srcip 172.16.30.0 255.255.255.0
exit
class-map match-all development_dept
match srcip 172.16.40.0 255.255.255.0
exit

Create a DiffServ policy for inbound traffic named internet_access, adding the previously created department classes as instances within this policy. This policy uses the assign-queue attribute to put each department's traffic on a different egress queue.
exit

Set the CoS queue configuration for the (presumed) egress interface 1/g5 such that each of queues 1, 2, 3 and 4 gets a minimum guaranteed bandwidth of 25%. All queues for this interface use weighted round robin scheduling by default. The DiffServ inbound policy designates that these queues are to be used for the departmental traffic through the assign-queue attribute.
Figure 7-4.
Example #2: Configuring DiffServ VoIP Support

Enter Global Config mode. Set queue 6 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch.

console#config
cos-queue strict 6
diffserv

Create a DiffServ classifier named class_voip and define a single match criterion to detect UDP packets. The class type match-all indicates that all match criteria defined for the class must be satisfied in order for a packet to be considered a match.
8 Multicast Overview IP Multicasting enables a network host (or multiple hosts) to send an IP datagram to multiple destinations simultaneously. The initiating host sends each multicast datagram only once to a destination multicast group address, and multicast routers forward the datagram only to hosts who are members of the multicast group.
IGMP Configuration The Internet Group Management Protocol (IGMP) is used by IPv4 hosts to send requests to join (or leave) multicast groups so that they receive (or discontinue receiving) packets sent to those groups. In IPv4 multicast networks, multicast routers are configured with IGMP so that they can receive join and leave request from directly-connected hosts. They use this information to build a multicast forwarding table.
The IGMP proxy offers a mechanism for multicast forwarding based only on IGMP membership information. The router must decide about forwarding packets on each of its interfaces based on the IGMP membership information. The proxy creates the forwarding entries based on the membership information and adds it to the multicast forwarding cache (MFC) in order not to make the forwarding decision for subsequent multicast packets with same combination of source and group.
• Use the following command to display interface parameters when IGMP Proxy is enabled:

console#show ip igmp-proxy interface

• Use this command to display information about multicast groups that IGMP proxy reported. It displays a table of entries with the following as the fields of each column.

console#show ip igmp-proxy groups

• Use the following command to display information about multicast groups that IGMP proxy reported.
CLI Example

The following example configures two DVMRP interfaces. First, this example configures an OSPF router and globally enables IP routing and IP multicast. IGMP is globally enabled so that this router can manage group membership information for its directly-connected hosts (IGMP may not be required when there are no directly connected hosts). Next, DVMRP is globally enabled. Finally, DVMRP, IGMP, and OSPF are enabled on several interfaces.

console#configure
router ospf
router-id 3.3.1.
PIM

Protocol Independent Multicast (PIM) is a standard multicast routing protocol that provides scalable inter-domain multicast routing across the Internet, independent of the mechanisms provided by any particular unicast routing protocol. PIM has two types:
• PIM-Dense Mode (PIM-DM)
• PIM-Sparse Mode (PIM-SM)

PIM-SM

PIM-SM is used to efficiently route multicast traffic to multicast groups that may span wide area networks where bandwidth is a constraint.
Example: PIM-SM

The following example configures PIM-SM for IPv4 on a router. First, configure an OSPF router and globally enable IP routing, multicast, IGMP, and PIM-SM. Next, configure a PIM-SM rendezvous point with an IP address and group range. The IP address will serve as an RP for the range of potential multicast groups specified in the group range. Finally, enable routing, IGMP, PIM-SM, and OSPF on one or more interfaces.

console#configure
router ospf
router-id 3.3.1.
To minimize the repeated flooding of datagrams and subsequent pruning associated with a particular source-group (S,G) pair, PIM-DM uses a State Refresh message. This message is sent by the router(s) directly connected to the source and is propagated throughout the network. When received by a router on its RPF interface, the State Refresh message causes an existing prune state to be refreshed. State Refresh messages are generated periodically by the router directly attached to the source.
9 Utility This section describes the Auto Config commands. Auto Config Overview Auto Config is a software feature that automatically configures a switch when the device is initialized and no configuration file is found on the switch.
After an IP address is assigned to the switch, if a hostname is not already assigned, Auto Config issues a DNS request for the corresponding hostname. This hostname is also displayed as the CLI prompt (as in response to the hostname command).

Assignment of TFTP Server

The following information is also processed, and may be returned by a BOOTP or DHCP server:
• Name of configuration file (bootfile or option 67) available for download from the TFTP server.
The default network configuration file should have IP address to hostname mappings using the ip host command. If the default network configuration file does not contain the switch's IP address, the switch uses DNS to attempt to resolve its hostname. A sample fp-net.cfg file follows:

config
...
ip host switch_to_setup 192.168.1.10
ip host another_switch 192.168.1.11
...
Table 9-2.
A file is not automatically deleted after it is downloaded. The file does not take effect upon a reboot unless an administrator opts to save config (the saved configuration takes effect upon reboot). If the user does not opt to save config, the Auto Config process occurs again on a subsequent reboot. This may result in one of the previously downloaded files being overwritten.
Other Functions

CLI Scripting

CLI scripting can apply config files. It can be used to manage (view, validate, delete) downloaded config files, query Auto Config status, and to stop or restart the feature.

Logging

A message is logged for each of the following events:
• Auto Config component receiving a config file name and other options upon resolving an IP address by DHCP or BOOTP client. The boot options values are logged.
Stacking

The downloaded configuration file is not distributed across a stack. When an administrator saves configuration, the config file is distributed across a stack.

CLI Examples

Example 1: Show Auto Config Process

To display the current status of the Auto Config process, use the following command:

console#show boot
Config Download via DHCP: enabled
Auto Config State : Waiting for boot options ...
Auto Config State : Resolving switch hostname ...
Auto Config State : Downloading file .
Example 2: Enable Auto Config

To start or stop Auto Config on the switch, use the following commands:

console#boot host dhcp
console#no boot host dhcp