Dell™ PowerConnect™ 6200 Series Configuration Guide
Model: PC6224, PC6248, PC6224P, PC6248P, and PC6224F
www.dell.com | support.dell.com
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Information in this document is subject to change without notice. © 2010 Dell Inc. All rights reserved.
Contents
1 About this Document: Organization; Additional Documentation
2 System Configuration: Traceroute; CLI Example
3 Switching Configuration: Virtual LANs (VLAN Configuration Example, CLI Examples, Web Interface); IP Subnet and MAC-Based VLANs (CLI Examples); Private Edge VLANs (CLI Example); Voice VLAN; sFlow (Overview, sFlow Agents, CLI Examples)
4 Routing Configuration: VLAN Routing
5 Device Security: 802.1x Network Access Control (802.1x Network Access Control Examples, 802.1X Authentication and VLANs); Authentication Server Filter Assignment (Overview)
6 IPv6: Overview; Interface Configuration; CLI Example
7 Quality of Service: Class of Service Queuing
9 Utility: Auto Config (Overview, Functional Description, CLI Examples); Nonstop Forwarding on a Switch Stack (Initiating a Failover)
1 About this Document
This configuration guide provides examples of how to use the Dell™ PowerConnect™ 6200 Series switch in a typical network. It describes the advantages of specific functions the PowerConnect 6200 Series switch provides and includes information about configuring those functions using the command line interface (CLI).
Additional Documentation
The following documentation provides additional information about PowerConnect 6200 Series software:
• The CLI Command Reference for your Dell PowerConnect switch describes the commands available from the command-line interface (CLI) for managing, monitoring, and configuring the switch.
• The User’s Guide for your Dell PowerConnect switch describes the Web GUI. Many of the scenarios described in this document can be fully configured using the Web interface.
2 System Configuration
This section provides configuration scenarios for the following features:
• "Traceroute" on page 12
• "Configuration Scripting" on page 13
• "Outbound Telnet" on page 16
• "Simple Network Time Protocol (SNTP)" on page 17
• "Syslog" on page 20
• "Port Description" on page 22
• "Storm Control" on page 23
• "Cable Diagnostics" on page 25
NOTE: For information on setting up the hardware and serial or TFTP connection, refer to the Getting Started Guide for your system.
Traceroute Use Traceroute to discover the routes that packets take when traveling on a hop-by-hop basis to their destination through the network.
--More-- or (q)uit
20   64.233.174.99   250 ms   240 ms   250 ms
Hop Count = 20   Last TTL = 30   Test attempt = 90   Test Success = 90

Configuration Scripting
Configuration scripting allows you to generate a text-formatted script file that shows the current system configuration. You can generate multiple scripts and upload and apply them to more than one switch.
Overview
Configuration scripting:
• Provides scripts that can be uploaded from and downloaded to the system.
CLI Examples
The following are examples of the commands used for configuration scripting.
Example #1: Viewing the Script Options
console#script ?
apply      Applies configuration script to the switch.
delete     Deletes a configuration script file from the switch.
list       Lists all configuration script files present on the switch.
show       Displays the contents of configuration script.
validate   Validate the commands of configuration script.
Example #4: Copying the Active Configuration into a Script
Use this command to capture the running configuration into a script.
console#show running-config running-config.scr
Config script created successfully.
Example #5: Uploading a Configuration Script to the TFTP Server
Use this command to upload a configuration script to the TFTP server.
console#copy script abc.scr tftp://10.27.64.141/abc.scr
Mode...........................................
Set TFTP Server IP.............................
TFTP Path...
exit
configure
logging web-session
bridge aging-time 100
exit
Configuration script validated.
File transfer operation completed successfully.
Example #7: Validating a Script
console#script validate abc.scr
ip address dhcp
username "admin" password 16d7a4fca7442dda3ad93c9a726597e4 level 15 encrypted
exit
Configuration script 'abc.scr' validated.
console#script apply abc.
CLI Examples
The following are examples of the commands used in the outbound telnet feature.
Example #1: Connecting to Another System by Using Telnet
console#telnet 192.168.77.151
Trying 192.168.77.151...
console#
User:admin
Password:
(Dell PC62XX Routing) >enable
Password:
console#show ip interface
Management Interface:
IP Address.....................................
Subnet Mask....................................
Default Gateway................................
Burned In MAC Address........................
CLI Examples
The following are examples of the commands used in the SNTP feature.
Example #1: Viewing SNTP Options
(Dell PC62XX Routing)(Config) #sntp ?
console(config)#sntp ?
authenticate         Require authentication for received Network Time Protocol (NTP) traffic from servers.
authentication-key   Define an authentication key for Simple Network Time Protocol (SNTP).
broadcast            Configure SNTP client broadcast parameters.
client               Configure the SNTP client parameters.
server
trusted-key
unicast
Example #3: Viewing SNTP Information
console#show sntp ?
configuration   Show the configuration of the Simple Network Time Protocol (SNTP).
status          To show the status of the Simple Network Time Protocol (SNTP).
console#show sntp configuration
Polling interval: 64 seconds
MD5 Authentication keys:
Authentication is not required for synchronization.
Trusted keys: No trusted keys.
Unicast clients: Enable
Unicast servers:
Server              Key
------------------
192.168.0.
Syslog
Overview
Syslog:
• Allows you to store system messages and/or errors.
• Can store to local files on the switch or a remote server running a syslog daemon.
• Provides a method of collecting message logs from many systems.
Interpreting Log Files
Figure 2-1 describes the information that displays in log messages.
[Figure 2-1: sample log message with callouts A through I on its fields: <130> JAN 01 00:00:06 0.0.0.0-1 UNKN[0x800023]: bootos.]
Web Session Logging : disabled
SNMP Set Command Logging : disabled
0 Messages were not logged.
Buffer Log:
<189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 31 %% Instance 0 has elected a new STP root: 8000:00ff:f2a3:8888
<189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 32 %% Instance 0 has elected a new STP root: 8000:0002:bc00:7e2c
<189> JAN 01 04:04:18 10.27.65.86-1 TRAPMGR[231781808]: traputil.
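The buffer log lines above follow one fixed shape (priority, timestamp, source address and unit, component and task ID, source file and line, sequence number, then the message after "%%"). The parser below, an added example and not Dell code, splits that shape, recovers facility and severity from the <PRI> value (PRI = facility * 8 + severity), and pulls the bridge IDs out of "new STP root" events, since an unexpected root election is a classic sign of a misplaced or rogue bridge. The third sample line is constructed to cover a different component and severity; the first two are the switch's own output.

```python
import re
from dataclasses import dataclass
from typing import List

# Severity names in numeric order 0-7; these are the keywords the switch lists for "logging level".
SEVERITY_NAMES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

# Constructed sample buffer shaped like the "show logging" output (the third line is made up).
SAMPLE_BUFFER_LOG = """\
<189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 31 %% Instance 0 has elected a new STP root: 8000:00ff:f2a3:8888
<189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 32 %% Instance 0 has elected a new STP root: 8000:0002:bc00:7e2c
<130> JAN 01 00:00:06 0.0.0.0-1 UNKN[0x800023]: bootos.c(100) 1 %% Event(0xaaaaaaaa) started
"""

# <PRI> timestamp host-unit COMPONENT[task]: file(line) seq %% message
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>\s+"
    r"(?P<timestamp>[A-Z]{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+?)-(?P<unit>\d+)\s+"
    r"(?P<component>\w+)\[(?P<task>[^\]]+)\]:\s+"
    r"(?P<file>\S+)\((?P<line>\d+)\)\s+"
    r"(?P<seq>\d+)\s+%%\s+"
    r"(?P<message>.*)$"
)

@dataclass
class LogEntry:
    facility: int
    severity: int
    severity_name: str
    timestamp: str
    host: str
    unit: int
    component: str
    seq: int
    message: str

def parse_entry(line: str) -> LogEntry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    pri = int(m["pri"])
    sev = pri % 8                      # PRI encodes facility * 8 + severity
    return LogEntry(pri // 8, sev, SEVERITY_NAMES[sev], m["timestamp"], m["host"],
                    int(m["unit"]), m["component"], int(m["seq"]), m["message"])

def parse_buffer_log(text: str) -> List[LogEntry]:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

STP_ROOT_RE = re.compile(r"elected a new STP root: (?P<root>[0-9a-f:]+)")

def stp_root_changes(entries: List[LogEntry]) -> List[str]:
    """Bridge IDs from 'new STP root' events, in log order. Compare them against the
    bridge IDs of the switches that are supposed to be root; anything else needs a look."""
    roots = []
    for e in entries:
        m = STP_ROOT_RE.search(e.message)
        if m:
            roots.append(m["root"])
    return roots

def at_or_above(entries: List[LogEntry], level_name: str) -> List[LogEntry]:
    """Entries at least as severe as level_name (lower number = more severe),
    i.e. what a 'level critical' setting would keep."""
    threshold = SEVERITY_NAMES.index(level_name)
    return [e for e in entries if e.severity <= threshold]

if __name__ == "__main__":
    for e in parse_buffer_log(SAMPLE_BUFFER_LOG):
        print(e.severity_name, e.component, e.seq, e.message)
    print("STP roots seen:", stp_root_changes(parse_buffer_log(SAMPLE_BUFFER_LOG)))
```

The same parser applies to lines shipped to a remote syslog host, where the <PRI> prefix is what the collector uses to route by facility (23 here, local7) and severity.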
alert       Immediate action needed
critical    Critical conditions
debug       Debugging messages
emergency   System is unusable
error       Error conditions
info        Informational messages
notice      Normal but significant conditions
warning     Warning conditions
console(Config-logging)#level critical

Port Description
The Port Description feature lets you specify an alphanumeric interface identifier that can be used for SNMP network management.
CLI Example
Use the commands shown below for the Port Description feature.
Storm Control A traffic storm occurs when incoming packets flood the LAN resulting in network performance degradation. The Storm Control feature protects against this condition. The switch software provides broadcast, multicast, and unicast storm recovery for individual interfaces. Unicast Storm Control protects against traffic whose MAC addresses are not known by the system.
Example #1: Set Broadcast Storm Control for an Interface
console#configure
console(config)#interface ethernet 1/g17
console(config-if-1/g17)#storm-control broadcast ?
         Press enter to execute the command.
level    Configure storm-control thresholds.
console(config-if-1/g17)#storm-control broadcast level ?
         Enter the storm-control threshold as percent of port speed. Percent of port speed is converted to PacketsPerSecond based on 512 byte average packet size and applied to HW.
Cable Diagnostics
This section describes:
• "Copper Port Cable Test" on page 25
• "Fiber Port Cable Test" on page 27
NOTE: Cable Diagnostics is supported on SFP/XFP ports but not on the Stacking/CX-4/SFP+/10GbaseT ports.
Copper Port Cable Test
The cable test feature enables you to determine the cable connection status on a selected port. The switch uses Time Domain Reflectometry (TDR) technology to determine the quality and characteristics of a copper cable attached to a port.
Example #1: Cable Test for Copper Ports
console#test copper-port tdr 1/g1
Cable Status................................... Short
Cable Length...................................
Example #3: Show Last Time Domain Reflectometry Tests Use the show copper-ports tdr command in Privileged EXEC mode to display the last Time Domain Reflectometry (TDR) tests on specified ports. The following example displays the last TDR tests on all ports.
3 Switching Configuration
This section provides configuration scenarios for the following features:
• "Virtual LANs" on page 29
• "Voice VLAN" on page 37
• "IGMP Snooping" on page 40
• "IGMP Snooping Querier" on page 43
• "Link Aggregation/Port Channels" on page 45
• "Port Mirroring" on page 49
• "Port Security" on page 50
• "Link Layer Discovery Protocol" on page 52
• "Denial of Service Attack Protection" on page 54
• "DHCP Snooping" on page 56
• "sFlow" on page 67
Virtual LANs
Adding
• The IP-subnet Based VLAN feature lets you map IP addresses to VLANs by specifying a source IP address, network mask, and the desired VLAN ID.
• The MAC-based VLAN feature lets packets originating from end stations become part of a VLAN according to source MAC address. To configure the feature, you specify a source MAC address and a VLAN ID.
The Private Edge VLAN feature lets you set protection between ports located on the switch.
CLI Examples The following examples show how to create VLANs, assign ports to the VLANs, and assign a VLAN as the default VLAN to a port. Example #1: Create Two VLANs Use the following commands to create two VLANs and to assign the VLAN IDs while leaving the names blank.
Example #3: Assign Ports to VLAN3 This example shows how to assign the ports that will belong to VLAN 3. Untagged frames will be accepted on ports 1/g19 and 1/g20. Note that port 1/g18 belongs to both VLANs and that port 1/g17 can never belong to VLAN 3.
Example #6: View Information About VLAN 2
console#show ip interface vlan 2
Primary IP Address............................ 192.168.10.33/255.255.255.0
Routing Mode.................................. Enable
Administrative Mode........................... Enable
Forward Net Directed Broadcasts............... Disable
Proxy ARP..................................... Enable
Local Proxy ARP............................... Disable
Active State.................................. Inactive
Link Speed Data Rate............
IP Subnet and MAC-Based VLANs In addition to port-based VLANs, the switch also supports VLANs that are based on the IP address or MAC address of a host. With IP subnet and MAC-based VLANs, the VLAN membership is determined by the address of the host rather than the port to which the host is attached. CLI Examples The following examples show how to associate an IP subnet with a VLAN, a specific IP address with a VLAN, and a MAC address with a VLAN.
Example #4: Viewing IP Subnet and MAC-Based VLAN Associations
console#show vlan association mac
MAC Address         VLAN ID
-----------------   -------
00FF.F2A3.8886      10
console#show vlan association subnet
IP Subnet          IP Mask            VLAN ID
----------------   ----------------   -------
192.168.25.0       255.255.255.0      10
192.168.1.11       255.255.255.255    10

Private Edge VLANs
Use the Private Edge VLAN feature to prevent ports on the switch from forwarding traffic to each other even if they are on the same VLAN.
CLI Example Example #1: Configuring a Protected Port The commands in this example name the protected port group 1 “PP_Test” and assign ports 1 and 2 to the group.
Voice VLAN Voice VLAN enables switch ports to carry voice traffic with a defined priority in order to enable the separation of voice and data traffic coming onto the port. A primary benefit of using Voice VLAN is to ensure that the sound quality of an IP phone is safeguarded from deteriorating when the data traffic on the port is high.
• When a dot1p priority is associated with the Voice VLAN port instead of a VLAN ID, then the priority information is passed onto the VOIP phone using the LLDP-MED mechanism. By this method, the voice data coming from the VOIP phone is tagged with VLAN 0 and with the exchanged priority; thus regular data arriving on the switch is given the default priority of the port (default 0), and the voice traffic is received with a higher priority. You can configure the switch to override the data traffic CoS.
Example #2: Configuring Voice VLAN on an Unauthenticated Port In some networks, multiple devices (for example, a PC, Printer, and phone) are connected to a single port on the switch. The PCs and printers are authenticated by 802.1X, but the phone might not support 802.1X authentication. The PowerConnect 6200 Series switches can allow unauthenticated traffic on the Voice VLAN for the phones that do not support authentication while requiring all other devices on the port to authenticate individually.
IGMP Snooping This section describes the Internet Group Management Protocol (IGMP) Snooping feature. IGMP Snooping enables the switch to monitor IGMP transactions between hosts and routers. It can help conserve bandwidth by allowing the switch to forward IP multicast traffic only to connected hosts that request multicast traffic. If you enable IGMP Snooping on the switch to listen to IGMP traffic, you do not need to enable IGMP, a layer 3 multicast protocol.
1. Create VLAN 100.
console#configure
console(config)#vlan database
console(config-vlan)#vlan 100
2. Enable IGMP snooping on the VLAN.
console(config-vlan)#ip igmp snooping 100
console(config-vlan)#exit
3. Forbid the forwarding of unregistered multicast addresses on VLAN 100 to prevent multicast flooding to ports if there are no "listeners."
console(config)#interface vlan 100
console(config-if-vlan100)#bridge multicast forbidden forward-unregistered
console(config-if-vlan100)#exit
4.
9. View information about the IGMP snooping configuration.
console#show ip igmp snooping
Admin Mode..................................... Enable
Multicast Control Frame Count.................. 0
Interfaces Enabled for IGMP Snooping........... None
Vlans enabled for IGMP snooping................ 100
In this example, Host A sends a join message for group 225.1.1.1. Host B sends a join message for group 225.1.1.2.
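To make the forwarding effect of steps 1 through 9 concrete, here is an added model (not Dell code) of the per-VLAN table a snooping switch builds from IGMP joins and how it decides egress ports for multicast data, including the "forbidden forward-unregistered" case. The port names for Host A (1/g10), Host B (1/g11) and the router-facing port (1/g1) are assumptions for this example.

```python
from collections import defaultdict
from typing import Dict, Set

class IgmpSnoopingVlan:
    """Group membership learned from IGMP joins on one VLAN, and the resulting egress decision.
    Class and method names are this example's own."""

    def __init__(self, vlan: int, ports: Set[str], mrouter_ports: Set[str] = frozenset(),
                 forward_unregistered: bool = True):
        self.vlan = vlan
        self.ports = set(ports)
        self.mrouter_ports = set(mrouter_ports)           # ports toward the querier/router
        # False models 'bridge multicast forbidden forward-unregistered' on the VLAN interface
        self.forward_unregistered = forward_unregistered
        self.members: Dict[str, Set[str]] = defaultdict(set)   # group -> ports that joined

    def join(self, group: str, port: str) -> None:
        """IGMP membership report seen on `port` for `group`."""
        self.members[group].add(port)

    def leave(self, group: str, port: str) -> None:
        """IGMP leave (or membership timeout) for `group` on `port`."""
        self.members[group].discard(port)
        if not self.members[group]:
            del self.members[group]

    def egress(self, group: str, ingress: str) -> Set[str]:
        """Ports a multicast data frame to `group` arriving on `ingress` is forwarded to."""
        if group in self.members:
            out = self.members[group] | self.mrouter_ports   # registered: members plus router ports
        elif self.forward_unregistered:
            out = set(self.ports)                            # unknown group floods the VLAN
        else:
            out = set(self.mrouter_ports)                    # forbidden: only router ports see it
        return out - {ingress}

if __name__ == "__main__":
    v = IgmpSnoopingVlan(100, {"1/g1", "1/g10", "1/g11", "1/g12"},
                         mrouter_ports={"1/g1"}, forward_unregistered=False)
    v.join("225.1.1.1", "1/g10")   # Host A
    v.join("225.1.1.2", "1/g11")   # Host B
    for g in ("225.1.1.1", "225.1.1.2", "225.1.1.3"):
        print(g, "from 1/g1 ->", sorted(v.egress(g, "1/g1")))
```

Without the forbidden setting, the 225.1.1.3 frame (no listeners) would reach every port in VLAN 100, which is exactly the flooding step 3 prevents.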
Multicast Packets Received..................... 626494
Broadcast Packets Received..................... 0
console#show statistics ethernet 1/g10
...
Total Packets Received Without Errors.......... 12
Unicast Packets Received....................... 0
Multicast Packets Received..................... 12
Broadcast Packets Received..................... 0

IGMP Snooping Querier
When PIM and IGMP are enabled in a network with IP multicast routing, the IP multicast router acts as the IGMP querier.
Example #2: Configure IGMP Snooping Querier Properties The first command in this example sets the IGMP Querier Query Interval time to 100. This means that the switch waits 100 seconds before sending another general query. The second command sets the IGMP Querier timer expiration period to 100. This means that the switch remains in Non-Querier mode for 100 seconds after it has discovered that there is a Multicast Querier in the network.
Example #5: Show IGMP Snooping Querier Information for VLAN 10
console#show ip igmp snooping querier vlan 10
Vlan 10 : IGMP Snooping querier status
---------------------------------------------
IGMP Snooping Querier Vlan Mode................ Enable
Querier Election Participate Mode.............. Enable
Querier Vlan Address........................... 10.10.11.40
Operational State.............................. Querier
Operational version............................ 2
Operational Max Resp Time.............
CLI Example
The following shows an example of configuring the software to support Link Aggregation (LAG) to a server and to a Layer 3 switch. Figure 3-3 shows the example network.
[Figure 3-3: example LAG network. Layer 2 Switch; Server side: ports 1/g18 and 1/g19 / ports 1/0/2 and 1/0/3, LAG_1 / LAG_10, Subnet 3; Layer 3 Switch side: ports 1/g23 and 1/g24 / ports 1/0/8 and 1/0/9, LAG_2 / LAG_20, Subnet 2.]
Example 1: Create Names for Two Port-Channels
console#configure
console(config)#interface port-channel 1
console(config-if-ch1)#description lag_1
console(config-if-ch1)#exit
console(config)#interface port-channel 2
console(config-if-ch2)#description lag_2
console(config-if-ch2)#exit
Example 2: Add the Physical Ports to the Port-Channels
console(config)#interface ethernet 1/g18
console(config-if-1/g18)#channel-group 1 mode auto
console(config-if-1/g18)#exit
console(config)#interface ethernet 1/g19
console(
ch2    No Configured Ports   3
ch3    No Configured Ports   3
ch4    No Configured Ports   3
ch5    No Configured Ports   3
ch6    No Configured Ports   3
ch7    No Configured Ports   3
ch8    No Configured Ports   3
ch9    No Configured Ports   3
ch10   No Configured Ports   3
ch11   No Configured Ports   3
ch12   No Configured Ports   3
ch13   No Configured Ports   3
ch14   No Configured Ports   3
ch15   No Configured Ports   3
ch16   No Configured Ports   3
ch17   No Configured Ports   3
ch18   No Configured Ports   3
ch19   No C
Port Mirroring This section describes the Port Mirroring feature, which can serve as a diagnostic tool, debugging tool, or means of fending off attacks. Overview Port mirroring selects network traffic from specific ports for analysis by a network analyzer, while allowing the same traffic to be switched to its destination. You can configure many switch ports as source ports and one switch port as a destination port. You can also configure how traffic is mirrored on a source port.
Port Security
This section describes the Port Security feature.
Overview
Port Security:
• Allows for limiting the number of MAC addresses on a given port.
• Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted.
• Is enabled on a per port basis.
• When locked, only packets with an allowable MAC address will be forwarded.
• Supports both dynamic and static entries.
• Implements two traffic filtering methods.
CLI Examples
The following are examples of the commands used in the Port Security feature.
Example #1: Enable Port Security on an Interface
console(config)#interface ethernet 1/g18
console(config-if-1/g18)#port security ?
              Press enter to execute the command.
discard       Discard frames with unlearned source addresses.
max learned   Configure the maximum addresses that can be on the port.
trap          Sends SNMP Traps, and specifies the minimum time between consecutive traps.
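The three options in that help output (discard, max learned, trap with a minimum interval) interact: the added model below, not Dell's implementation, shows a locked port that keeps static plus a bounded number of learned source MACs, discards or passes frames from unknown sources depending on the discard setting, and rate-limits the violation traps. Treating frames from unknown sources as forwarded-but-unlearned when discard is off is this example's reading of "restricted"; the class and method names are its own.

```python
from typing import List, Optional, Set, Tuple

class SecurePort:
    """A locked switch port with static and dynamically learned allowed source MACs."""

    def __init__(self, name: str, max_learned: int = 1, static: Set[str] = frozenset(),
                 discard: bool = True, trap_min_interval: Optional[int] = None):
        self.name = name
        self.max_learned = max_learned                   # 'max learned' limit
        self.static = {m.lower() for m in static}        # statically configured addresses
        self.learned: Set[str] = set()                   # dynamically learned addresses
        self.discard = discard                           # 'discard' option
        self.trap_min_interval = trap_min_interval       # 'trap' option: seconds between traps, None = off
        self.last_trap: Optional[int] = None
        self.violations = 0
        self.traps: List[Tuple[int, str, str]] = []      # (time, port, offending MAC)

    def ingress(self, src_mac: str, now: int = 0) -> str:
        """Classify a frame by source MAC: 'forward' for secure packets, 'discard' otherwise."""
        mac = src_mac.lower()
        if mac in self.static or mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_learned:
            self.learned.add(mac)                        # room left: learn it and forward
            return "forward"
        # Unknown source and the table is full: a violation.
        self.violations += 1
        self._maybe_trap(mac, now)
        return "discard" if self.discard else "forward"

    def _maybe_trap(self, mac: str, now: int) -> None:
        """Send at most one trap per trap_min_interval seconds, so a flood of spoofed
        sources cannot turn into a flood of SNMP traps."""
        if self.trap_min_interval is None:
            return
        if self.last_trap is None or now - self.last_trap >= self.trap_min_interval:
            self.traps.append((now, self.name, mac))
            self.last_trap = now

if __name__ == "__main__":
    p = SecurePort("1/g18", max_learned=1, static={"00:01:02:03:04:05"}, trap_min_interval=10)
    for t, mac in enumerate(["00:01:02:03:04:05", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"]):
        print(t, mac, p.ingress(mac, now=t))
    print("violations:", p.violations, "traps:", p.traps)
```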
Link Layer Discovery Protocol The Link Layer Discovery Protocol (LLDP) feature allows individual interfaces on the switch to advertise major capabilities and physical descriptions. Network managers can view this information and identify system topology and detect bad configurations on the LAN. LLDP has separately configurable transmit and receive functions. Interfaces can transmit and receive LLDP information.
Example #3: Show Global LLDP Parameters
console#show lldp
LLDP Global Configuration
Transmit Interval............................ 30 seconds
Transmit Hold Multiplier..................... 8
Reinit Delay................................. 5 seconds
Notification Interval........................
Denial of Service Attack Protection
This section describes the PowerConnect 6200 Series Denial of Service Protection feature.
Overview
Denial of Service:
• Spans two categories:
– Protection of the switch
– Protection of the network
• Protects against the exploitation of a number of vulnerabilities which would make the host or network unstable
• Compliant with Nessus. Dell tested the switch software with Nessus version 2.0.10. Nessus is a widely used vulnerability assessment tool.
Table 3-1 describes the dos-control keywords.
Table 3-1. DoS Control
Keyword     Meaning
firstfrag   Enabling First Fragment DoS prevention causes the switch to drop packets that have a TCP header smaller than the configured Min TCP Hdr Size.
icmp        ICMP DoS prevention causes the switch to drop ICMP packets that have a type set to ECHO_REQ (ping) and a size greater than the configured ICMP Pkt Size.
Example #2: Viewing the DoS Configuration Information
console#show dos-control
SIPDIP Mode.................................... Enable
First Fragment Mode............................ Enable
Min TCP Hdr Size............................... 20
TCP Fragment Mode.............................. Enable
TCP Flag Mode.................................. Disable
L4 Port Mode................................... Enable
ICMP Mode...................................... Enable
Max ICMP Pkt Size..............................
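The checks behind the firstfrag and icmp keywords in Table 3-1, plus the SIPDIP and L4 Port modes shown in that output, can be written as a small classifier over raw IPv4 packets. The code below is an added example, not the switch's hardware logic: the SIPDIP rule (source IP equals destination IP) and L4 Port rule (source port equals destination port) follow the usual meaning of those mode names and are assumptions here, "ICMP size" is taken to be the length of the ICMP message, and the Max ICMP Pkt Size value, cut off above, is set to an assumed 512. Test packets are constructed with struct; checksums are left zero because the rules never look at them.

```python
import socket
import struct
from typing import List

MIN_TCP_HDR_SIZE = 20     # matches "Min TCP Hdr Size" in the show dos-control output
MAX_ICMP_PKT_SIZE = 512   # assumed sample value; the real one is cut off on the page

def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               frag_offset: int = 0, more_frags: bool = False) -> bytes:
    """Constructed minimal IPv4 packet (no options, zero checksum) for test input."""
    ihl = 5
    total_len = ihl * 4 + len(payload)
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_tcp(sport: int, dport: int, data_offset_words: int = 5, flags: int = 0x02) -> bytes:
    """Constructed 20-byte TCP header; data_offset_words*4 is the header length the rule checks."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset_words << 4, flags, 8192, 0, 0)

def build_icmp_echo(payload_len: int) -> bytes:
    """Constructed ICMP echo request (type 8) with payload_len bytes of data."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * payload_len

def dos_control_check(pkt: bytes) -> List[str]:
    """Return the dos-control rules the packet trips (empty list means it passes)."""
    hits: List[str] = []
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF
    l4 = pkt[ihl:total_len]
    if src == dst:                                  # SIPDIP mode
        hits.append("sipdip")
    if proto == 6 and frag_offset == 0:             # First Fragment mode
        declared = (l4[12] >> 4) * 4 if len(l4) >= 13 else 0
        if min(declared, len(l4)) < MIN_TCP_HDR_SIZE:
            hits.append("firstfrag")
    if proto in (6, 17) and frag_offset == 0 and len(l4) >= 4:   # L4 Port mode
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == dport:
            hits.append("l4port")
    if proto == 1 and len(l4) >= 1 and l4[0] == 8 and len(l4) > MAX_ICMP_PKT_SIZE:   # ICMP mode
        hits.append("icmp")
    return hits

if __name__ == "__main__":
    samples = {
        "normal tcp":   build_ipv4("10.0.0.1", "10.0.0.2", 6, build_tcp(40000, 80)),
        "src==dst":     build_ipv4("10.0.0.1", "10.0.0.1", 6, build_tcp(40000, 80)),
        "short tcp hdr": build_ipv4("10.0.0.1", "10.0.0.2", 6, build_tcp(40000, 80, data_offset_words=3)),
        "sport==dport": build_ipv4("10.0.0.1", "10.0.0.2", 6, build_tcp(53, 53)),
        "big ping":     build_ipv4("10.0.0.1", "10.0.0.2", 1, build_icmp_echo(600)),
    }
    for name, pkt in samples.items():
        print(f"{name:14s} -> {dos_control_check(pkt) or 'pass'}")
```

Note that the firstfrag rule only fires on the first fragment (offset 0), which is where the TCP header lives; later fragments carry no header to measure.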
The hardware rate limits DHCP packets sent to the CPU from interfaces to 64 Kbps. The DHCP snooping application processes incoming DHCP messages. For DHCPRELEASE and DHCPDECLINE messages, the application compares the receive interface and VLAN with the client interface and VLAN in the bindings database. If the interfaces do not match, the application logs the event and drops the message. For valid client messages, DHCP snooping compares the source MAC address to the DHCP client hardware address.
[Figure 3-4. DHCP Binding: state diagram with states No binding, Tentative binding and Complete binding. DISCOVER or REQUEST moves No binding to Tentative binding; ACK moves Tentative binding to Complete binding; RELEASE, DECLINE or NACK returns to No binding; a further DISCOVER leaves a Tentative binding tentative.]
The DHCP snooping component does not forward server messages since they are forwarded in hardware. DHCP snooping forwards valid DHCP client messages received on un-trusted interfaces to all trusted interfaces within the VLAN.
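The validation rules in the two paragraphs above (interface/VLAN match for RELEASE and DECLINE, source MAC versus client hardware address, trusted ports exempt) and the binding states in Figure 3-4 are modelled below in an added example that is not Dell's implementation. The per-interface rate limit is a simplified reading of "limit rate N burst interval 1" (at most N client packets per one-second interval); class and method names, and the assumption that server replies only update the table, are this example's own. The MAC, IP and port values are the ones shown in the binding output later in this section.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Binding:
    mac: str
    ip: Optional[str]
    vlan: int
    interface: str
    state: str          # "tentative" after DISCOVER/REQUEST, "complete" after ACK

class DhcpSnooping:
    """Client-message checks and binding-table states for one DHCP snooping instance."""

    def __init__(self, trusted: Set[str], mac_verify: bool = True, rate_limit: Optional[int] = None):
        self.trusted = set(trusted)
        self.mac_verify = mac_verify               # 'ip dhcp snooping verify mac-address' on/off
        self.rate_limit = rate_limit               # client packets per interface per 1-second interval
        self.bindings: Dict[str, Binding] = {}     # keyed by client hardware address
        self.log: List[str] = []
        self._seen: Dict[Tuple[str, int], int] = {}

    def client_message(self, kind: str, src_mac: str, chaddr: str,
                       interface: str, vlan: int, now: int = 0) -> str:
        """Validate a client-originated DHCP message; returns 'forward' or 'drop'."""
        if interface in self.trusted:
            return "forward"                       # trusted ports are not validated
        if self.rate_limit is not None:
            key = (interface, now)
            self._seen[key] = self._seen.get(key, 0) + 1
            if self._seen[key] > self.rate_limit:
                self.log.append(f"{interface}: rate limit exceeded")
                return "drop"
        mac, hw = src_mac.lower(), chaddr.lower()
        if self.mac_verify and mac != hw:          # spoofed chaddr: drop
            self.log.append(f"{interface}: MAC verify failure src={mac} chaddr={hw}")
            return "drop"
        b = self.bindings.get(hw)
        if kind in ("RELEASE", "DECLINE"):
            if b is None or (b.interface, b.vlan) != (interface, vlan):
                self.log.append(f"{interface}/vlan {vlan}: client interface mismatch for {hw}")
                return "drop"                      # someone else releasing this client's lease
            del self.bindings[hw]                  # back to "No binding"
        elif kind in ("DISCOVER", "REQUEST") and b is None:
            self.bindings[hw] = Binding(hw, None, vlan, interface, "tentative")
        return "forward"                           # on to the trusted ports in the VLAN

    def server_message(self, kind: str, chaddr: str, yiaddr: Optional[str] = None) -> None:
        """Server replies arrive on trusted ports; only their effect on the table is modelled."""
        hw = chaddr.lower()
        b = self.bindings.get(hw)
        if b is None:
            return
        if kind == "ACK":
            b.ip, b.state = yiaddr, "complete"
        elif kind == "NACK":
            del self.bindings[hw]

    def show_binding(self) -> List[Tuple[str, Optional[str], int, str, str]]:
        """Rows shaped like 'show ip dhcp snooping binding' (entries here are all dynamic)."""
        return [(b.mac, b.ip, b.vlan, b.interface, "DYNAMIC") for b in self.bindings.values()]

if __name__ == "__main__":
    s = DhcpSnooping(trusted={"1/g1"}, rate_limit=50)
    mac = "00:01:02:03:04:05"
    print(s.client_message("DISCOVER", mac, mac, "1/g2", 1))
    s.server_message("ACK", mac, "10.131.11.1")
    print(s.client_message("RELEASE", mac, mac, "1/g3", 1), s.log)
    print(s.show_binding())
```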
CLI Examples The commands below show examples of configuring DHCP Snooping for the switch and for individual interfaces.
console(config)#
console(config)#exit
Example #6 Configure DHCP snooping database Persistency interval
console(config)#ip dhcp snooping database write-delay 500
console(config)#
console(config)#exit
Example #7 Configure an interface as DHCP snooping trusted
console(config-if-1/g1)#ip dhcp snooping trust
console(config-if-1/g1)#exit
Example #8 Configure rate limiting on an interface
console(config-if-1/g1)#ip dhcp snooping limit rate 50 burst interval 1
console(config-if-1/g1)#exit
Example #9 Configur
Example #10 Show DHCP Snooping configuration on VLANs and Ports
show ip dhcp snooping binding
DHCP snooping is Enabled
DHCP snooping source MAC verification is enabled
DHCP snooping is enabled on the following VLANs: 1
Interface     Trusted     Log Invalid Pkts
-----------   ---------   ----------------
1/g1          Yes         Yes
1/g2          No          No
1/g3          No          No
1/g4          No          No
1/g5          No          No
1/g6          No          No
1/g7          No          No
1/g8          No          No
1/g9          No          No
1/g10         No          No
1/g11         No          No
1/g12         No          No
1/g13         No          No
1/g14         No          No
--More-
-----------   ---------   ----------------
1/g15         No          No
1/g16         No          No
1/g17         No          No
1/g18         No          No
1/g19         No          No
1/g20         No          No
1/g21         No          No
1/g22         No          No
1/g23         No          No
1/g24         No          No
1/xg3         No          No
1/xg4         No          No
ch1           No          No
ch2           No          No
ch3           No          No
ch4           No          No
ch5           No          No
ch6           No          No
--More-- or (q)uit
console#
Example #12 Show DHCP Snooping database configurations
console#show ip dhcp snooping database
agent url: local
write-delay: 500
console#
Example #13 Show DHCP Snooping binding entries
Total number of bindings: 2
MAC Address         IP Address        VLAN   Interface     Type
-----------------   ---------------   ----   -----------   -------
00:01:02:03:04:05   10.131.11.1       1      1/g2          STATIC
00:02:B3:06:60:80   10.131.11.
1/g3    No   15   1
1/g4    No   15   1
1/g5    No   15   1
1/g6    No   15   1
1/g7    No   15   1
1/g8    No   15   1
1/g9    No   15   1
1/g10   No   15   1
1/g11   No   15   1
1/g12   No   15   1
1/g13   No   15   1
1/g14   No   15   1
1/g15   No   15   1
1/g16   No   15   1
1/g17   No   15   1
1/g18   No   15   1
--More-- or (q)uit
1/g19   No   15   1
1/g20   No   15   1
1/g21   No   15   1
1/g22   No   15   1
1/g23   No   15   1
1/g24   No   15   1
1/xg3   No   15   1
1/xg4   No   15   1
ch1     No   15   1
ch2     No   15   1
ch3     No   15   1
ch4     No   15   1
ch5     No   15   1
ch6     No   15   1
ch7     No   15   1
ch8     No   15   1
ch9     No   15   1
ch10    No   15   1
--More-- or (q)uit
console#
Example #15 Show DHCP Snooping Per Port Statistics
console#show ip dhcp snooping statistics
Interface    MAC Verify   Client Ifc   DHCP Server
             Failures     Mismatch     Msgs Rec'd
----------   ----------   ----------   -----------
1/g2         0            0            0
1/g3         0            0            0
1/g4         0            0            0
1/g5         0            0            0
1/g6         0            0            0
1/g7         0            0            0
1/g8         0            0            0
1/g9         0            0            0
1/g10        0            0            0
1/g11        0            0            0
1/g12        0            0            0
1/g13        0            0            0
1/g14        0            0            0
1/g15        0            0            0
1/g16        0            0            0
1/g17        0            0            0
1/g18        0            0            0
1/g19        0            0            0
1/g20        0            0            0
1/g21        0            0            0
1/g22        0            0            0
1/g23        0            0            0
1/g24        0            0            0
1/xg3        0            0            0
1/xg4        0            0            0
ch1          0            0            0
ch2          0            0            0
ch3          0            0            0
ch4          0            0            0
ch5          0            0            0
ch6          0            0            0
ch7          0            0            0
ch8          0            0            0
ch9          0            0            0
ch10         0            0            0
ch11         0            0            0
ch12         0            0            0
--More-- or (q)uit
ch13         0            0            0
ch14         0            0            0
ch15         0            0            0
ch16         0            0            0
ch17         0            0            0
--More-- or (q)uit

sFlow
This section describes the sFlow feature. sFlow is the industry standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources.
The advantages of using sFlow are:
• It is possible to monitor all ports of the switch continuously, with no impact on the distributed switching performance.
• Minimal memory/CPU is required. Samples are not aggregated into a flow-table on the switch; they are forwarded immediately over the network to the sFlow collector.
• System is tolerant to packet loss in the network (statistical model means loss is equivalent to slight change in sampling rate).
The mechanism involves a counter that is decremented with each packet. When the counter reaches zero a sample is taken.
5. When a sample is taken, the counter indicating how many packets to skip before taking the next sample is reset. The value of the counter is set to a random integer such that the mean of the sequence of random integers used over time is the Sampling Rate.
Counter Sampling
The primary objective of Counter Sampling is to efficiently, periodically export counters associated with Data Sources.
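The skip-counter mechanism just described, and the claim in the advantages list that lost samples only shift the effective sampling rate, are easy to check numerically. The simulation below is an added example, not sFlow agent code: PacketSampler draws each skip uniformly from [1, 2*rate-1] (any distribution with mean equal to the rate would do; the uniform choice is this example's), run_simulation pushes constructed traffic through it with an optional collector-side loss fraction, and CounterPoller models the periodic counter export with the 200-second interval from the polling example later in this section. All names are assumptions.

```python
import random
from typing import Dict, List, Optional, Tuple

class PacketSampler:
    """1-in-N flow sampling: decrement a skip counter per packet, sample at zero, then reset
    the counter to a fresh random skip whose mean is the sampling rate."""

    def __init__(self, sampling_rate: int, rng: random.Random):
        if sampling_rate < 1:
            raise ValueError("sampling rate must be >= 1")
        self.rate = sampling_rate
        self.rng = rng
        self.total = 0        # packets seen on the data source
        self.sampled = 0      # packets exported as flow samples
        self.skip = self._next_skip()

    def _next_skip(self) -> int:
        # Uniform on [1, 2*rate - 1] has mean exactly `rate` (assumed distribution).
        return 1 if self.rate == 1 else self.rng.randint(1, 2 * self.rate - 1)

    def observe(self) -> bool:
        """Account for one packet; True when it is taken as a sample."""
        self.total += 1
        self.skip -= 1
        if self.skip == 0:
            self.sampled += 1
            self.skip = self._next_skip()
            return True
        return False

def estimate_total(samples_received: int, sampling_rate: int) -> int:
    """Collector-side estimate: each flow sample stands for `sampling_rate` packets."""
    return samples_received * sampling_rate

def run_simulation(packets: int, sampling_rate: int, seed: int = 1,
                   loss: float = 0.0) -> Tuple[int, int, int]:
    """Sample `packets` constructed packets; drop a fraction `loss` of the samples between
    agent and collector. Returns (packets, samples_received, estimated_packets)."""
    rng = random.Random(seed)
    sampler = PacketSampler(sampling_rate, rng)
    received = 0
    for _ in range(packets):
        if sampler.observe() and rng.random() >= loss:
            received += 1
    return sampler.total, received, estimate_total(received, sampling_rate)

class CounterPoller:
    """Counter sampling: export a data source's interface counters every `interval` seconds."""

    def __init__(self, interval: int):
        self.interval = interval
        self.last_export: Optional[int] = None
        self.exports: List[Tuple[int, Dict[str, int]]] = []

    def tick(self, now: int, counters: Dict[str, int]) -> bool:
        """Called on every timer tick; True when a counter sample was exported."""
        if self.last_export is None or now - self.last_export >= self.interval:
            self.exports.append((now, dict(counters)))
            self.last_export = now
            return True
        return False

if __name__ == "__main__":
    for loss in (0.0, 0.1):
        total, got, est = run_simulation(200_000, 200, seed=7, loss=loss)
        print(f"loss={loss:.0%}: {got} samples received, estimate {est} of {total} packets")
```

With 10% sample loss the collector still sees the right order of magnitude; it simply behaves as if the agent sampled 1 in ~222 rather than 1 in 200, which is the "slight change in sampling rate" the advantages list refers to.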
Example #4: Show the sFlow configuration for receiver index 1
console#show sflow 1 destination
Receiver Index................................. 1
Owner String................................... site77
Time out....................................... 1529
IP Address:.................................... 30.30.30.1
Address Type................................... 1
Port........................................... 560
Datagram Version............................... 5
Maximum Datagram Size.........................
Example #6: Show sFlow polling for receiver index 1
console#show sflow 1 polling
Poller Data Source   Receiver Index   Poller Interval
------------------   --------------   ---------------
1/g1                 1                200
1/g2                 1                200
1/g3                 1                200
1/g4                 1                200
1/g5                 1                200
1/g6                 1                200
1/g7                 1                200
1/g8                 1                200
1/g9                 1                200
1/g10                1                200
1/g15                1                400
4 Routing Configuration
This section describes configuration scenarios and instructions for the following routing features:
• "VLAN Routing" on page 74
• "Virtual Router Redundancy Protocol" on page 77
• "Proxy Address Resolution Protocol (ARP)" on page 80
• "OSPF" on page 81
• "Routing Information Protocol" on page 92
• "Route Preferences" on page 95
• "Loopback Interfaces" on page 99
• "IP Helper" on page 100
VLAN Routing This section provides an example of how to configure PowerConnect 6200 Series software to support VLAN routing. NOTE: The management VLAN cannot be configured as a routing interface. The switch may also be managed via VLAN routing interfaces. CLI Examples The diagram in this section shows a Layer 3 switch configured for VLAN routing. It connects two VLANs, with two ports participating in one VLAN, and one port in the other.
console(config-vlan)#vlan 10
console(config-vlan)#vlan 20
console(config-vlan)#exit
Example 2: Configure the VLAN Members
The following code sequence shows an example of adding ports to the VLANs and assigning the PVID for each port. The PVID determines the VLAN ID assigned to untagged frames received on the ports.
Example 3: Set Up VLAN Routing for the VLANs and Assign an IP Address
The following code sequence shows how to enable routing for the VLANs and how to configure the IP addresses and subnet masks for the virtual router ports:
console#configure
console(config)#interface vlan 10
console(config-if-vlan10)#routing
console(config-if-vlan10)#ip address 192.150.3.1 255.255.255.
Virtual Router Redundancy Protocol When an end station is statically configured with the address of the router that will handle its routed traffic, a single point of failure is introduced into the network. If the router goes down, the end station is unable to communicate. Since static configuration is a convenient way to assign router addresses, Virtual Router Redundancy Protocol (VRRP) was developed to provide a backup mechanism.
Configuring VRRP on the Switch as a Master Router
1 Enable routing for the switch. IP forwarding is then enabled by default.
console#config
console(config)#ip routing
2 Configure the IP addresses and subnet masks for the VLAN routing interface that will participate in the protocol:
console(config)#interface vlan 50
console(config-if-vlan50)#ip address 192.150.2.1 255.255.255.
4 Assign virtual router ID to the interface that will participate in the protocol:
console(config)#interface vlan 50
console(config-if-vlan50)#ip vrrp 20
5 Specify the IP address that the virtual router function will recognize.
console(config-if-vlan50)#ip vrrp 20 ip 192.150.2.1
6 Set the priority for the interface. Assigning a lower priority value than the interface on the other router ensures that this interface is the backup.
Proxy Address Resolution Protocol (ARP) This section describes the Proxy Address Resolution Protocol (ARP) feature. Overview • Proxy ARP allows a router to answer ARP requests where the target IP address is not the router itself but a destination that the router can reach. • If a host does not know the default gateway, proxy ARP can learn the first hop. • Machines in one physical network appear to be part of another logical network.
Active State................................... Inactive
Link Speed Data Rate........................... 10 Half
MAC Address.................................... 00FF.F2A3.888A
Encapsulation Type............................. Ethernet
IP MTU......................................... 1500
OSPF
Larger networks typically use the Open Shortest Path First (OSPF) protocol instead of RIP.
A virtual link can be used to connect an area to Area 0 when a direct link is not possible. A virtual link traverses an area between the remote area and Area 0 (see Figure 4-5). A stub area is an area that does not receive routes that were learned from a protocol other than OSPF or were statically configured. These routes typically send traffic outside the AS. Therefore, routes from a stub area to locations outside the AS use the default gateway. A virtual link cannot be configured across a stub area.
External routes are those imported into OSPF from other routing protocols or processes. OSPF computes the path cost differently for external type 1 and external type 2 routes. The cost of an external type 1 route is the cost advertised in the external LSA plus the path cost from the calculating router to the ASBR. The cost of an external type 2 route is the cost advertised by the ASBR in its external LSA; the internal path cost is not added, and only matters as a tie-breaker between type 2 routes of equal advertised cost. NOTE: The following example uses the CLI to configure OSPF. You can also use the Web interface.
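The type 1 / type 2 cost rule above, carried through on a set of candidate routes as an added Python example (not from the Dell guide or the switch firmware). It follows RFC 2328 section 16.4: type 1 routes are preferred over type 2 regardless of cost, and equal-cost type 2 routes are broken by the lower cost to the ASBR. The prefix, ASBR names and costs are constructed.

```python
"""Added example (not from the Dell guide): ranking OSPF external routes
following RFC 2328 section 16.4. All costs and names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalRoute:
    prefix: str
    asbr: str
    ext_type: int       # 1 or 2, from the AS-external LSA
    lsa_cost: int       # cost advertised by the ASBR in its LSA
    cost_to_asbr: int   # this router's intra/inter-area path cost to the ASBR


def effective_cost(route: ExternalRoute) -> int:
    """E1: advertised cost plus the path cost to the ASBR.
    E2: advertised cost only; the internal path is not added."""
    if route.ext_type == 1:
        return route.lsa_cost + route.cost_to_asbr
    if route.ext_type == 2:
        return route.lsa_cost
    raise ValueError(f"unknown external type {route.ext_type}")


def rank_key(route: ExternalRoute) -> tuple:
    """Sort key: type 1 always beats type 2; within a type the lower
    effective cost wins; equal-cost type 2 routes are broken by the lower
    cost to the ASBR."""
    return (route.ext_type, effective_cost(route), route.cost_to_asbr)


def best_external(routes: list[ExternalRoute]) -> ExternalRoute:
    if not routes:
        raise ValueError("no candidate external routes")
    return min(routes, key=rank_key)


# Constructed candidates for one prefix learned from three ASBRs.
CANDIDATES = [
    ExternalRoute("20.0.0.0/8", "asbr-1", ext_type=2, lsa_cost=10, cost_to_asbr=5),
    ExternalRoute("20.0.0.0/8", "asbr-2", ext_type=2, lsa_cost=10, cost_to_asbr=3),
    ExternalRoute("20.0.0.0/8", "asbr-3", ext_type=1, lsa_cost=10, cost_to_asbr=64),
]

if __name__ == "__main__":
    for r in sorted(CANDIDATES, key=rank_key):
        print(r.asbr, "type", r.ext_type, "effective cost", effective_cost(r))
```

The type 1 route via asbr-3 wins with an effective cost of 74 even though both type 2 routes show cost 10, which is the behaviour to expect when an ASBR is configured to redistribute as type 1. Without it, asbr-2 wins on the shorter internal path to the ASBR.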
IPv4 (OSPFv2):
Enable routing for the switch:
console#config
ip routing
exit
Enable routing and assign IP addresses for VLANs 70, 80 and 90.
config
interface vlan 70
routing
ip address 192.150.2.2 255.255.255.0
exit
interface vlan 80
routing
ip address 192.130.3.1 255.255.255.0
exit
interface vlan 90
routing
ip address 192.64.4.1 255.255.255.

IPv6 (OSPFv3):
Enable routing for the switch:
console#config
ipv6 unicast-routing
exit
Enable routing and assign IPv6 addresses for VLANs 70 and 80.
config
interface vlan 70
routing
ipv6 enable
exit
interface vlan 80
routing
ipv6 address 2002::1/64
exit
IPv4 (OSPFv2):
config
interface vlan 70
ip ospf area 0.0.0.0
ip ospf priority 128
ip ospf cost 32
exit
interface vlan 80
ip ospf area 0.0.0.2
ip ospf priority 255
ip ospf cost 64
exit
interface vlan 90
ip ospf area 0.0.0.2
ip ospf priority 255
ip ospf cost 64
exit
exit

IPv6 (OSPFv3):
config
interface vlan 70
ipv6 ospf
ipv6 ospf areaid 0.0.0.0
ipv6 ospf priority 128
ipv6 ospf cost 32
exit
interface vlan 80
ipv6 ospf
ipv6 ospf areaid 0.0.0.
Figure 4-4. OSPF Configuration—Stub Area and NSSA Area
[Figure: two autonomous systems, AS-1 and AS-2. Area 0 (0.0.0.0) is the backbone, Area 1 (0.0.0.1) is a stub area and Area 2 (0.0.0.2) is an NSSA. Router A is a backbone router (3.3.3.3); Router B is the ABR (5.5.5.5) joining Area 0 to Areas 1 and 2 over VLANs 5, 10, 12 and 17. Internal routers IR (5.3.0.0) and IR (5.4.0.0) and an ASBR (5.1.0.0) sit in the attached areas. Addresses labelled in the figure: 10.2.3.3/24 and 3000:2:3::/64, 10.1.2.2/24 and 3000:1:2::/64 eui64, 10.3.100.3/24 and 3000:3:100::/64, 10.2.3.2 and 3000:2:3::/64, 10.2.4.2 and 3000:2:4::/64.]
Configure Router A: Router A is a backbone router.
ipv6 address 3000:3:100::/64 eui64
ip ospf area 0.0.0.0
ipv6 ospf
exit
• Define an OSPF router:
ipv6 router ospf
router-id 3.3.3.3
exit
router ospf
router-id 3.3.3.3
exit
exit
Configure Router B: Router B is an ABR that connects Area 0 to Areas 1 and 2.
• Configure IPv6 and IPv4 routing.
• For IPv4: Define an OSPF router. Define Area 1 as a stub and Area 2 as an NSSA. Enable OSPF for IPv4 on VLANs 10, 5, and 17 by globally defining the range of IP addresses associated with each interface, and then associating those ranges with Areas 1, 0, and 2, respectively. Then, configure a metric cost to associate with static routes when they are redistributed via OSPF:
router ospf
router-id 2.2.2.2
area 0.0.0.1 stub
area 0.0.0.2 nssa
network 10.1.2.0 0.0.0.255
network 10.2.3.0 0.0.0.255
network 10.2.4.0 0.0.0.
Example 3: Configuring a Virtual Link
In this example, Area 0 connects directly to Area 1. A virtual link is defined that traverses Area 1 and connects to Area 2. Figure 4-5 illustrates this example OSPF configuration.
[Figure 4-5: Area 0 (0.0.0.0) is the backbone. Router B (4.4.4.4) is the ABR between Area 0 and Area 1, with VLAN 5 in Area 0 and VLAN 7 (10.1.2.2/24, 3000:1:2::/64 eui64) in Area 1. Router C (5.5.5.5) is the ABR between Area 1 and Area 2 (0.0.0.2), with VLAN 10 (10.1.2.1/24, 3000:1:2::/64) in Area 1 and VLAN 11 (10.1.101.1, 3000:1:101::/64) in Area 2, where IR (5.3.0.0) sits. The virtual link runs between Router B and Router C across Area 1; the remaining address label in the figure, 10.2.3., is truncated in the source.]
router ospf
router-id 3.3.3.3
network 10.2.3.0 0.0.0.255 area 0.0.0.0
exit
exit
Configure Router B: Router B is an ABR that directly connects Area 0 to Area 1. In addition to the configuration steps described in the previous example, we define a virtual link that traverses Area 1 to Router C (5.5.5.5).
console#configure
ipv6 unicast-routing
ip routing
interface vlan 2
routing
ip address 10.2.3.2 255.255.255.0
ipv6 address 3000:2:3::/64 eui64
ipv6 ospf
exit
interface vlan 7
routing
ip address 10.1.2.2 255.
routing
ip address 10.1.2.1 255.255.255.0
ipv6 address 3000:1:2::/64 eui64
ipv6 ospf
ipv6 ospf areaid 1
exit
interface vlan 11
routing
ip address 10.1.101.1 255.255.255.0
ipv6 address 3000:1:101::/64 eui64
ipv6 ospf
ipv6 ospf areaid 2
exit
ipv6 router ospf
router-id 5.5.5.5
area 0.0.0.1 virtual-link 4.4.4.4
exit
router ospf
router-id 5.5.5.5
area 0.0.0.1 virtual-link 4.4.4.4
network 10.1.2.0 0.0.0.255 area 0.0.0.1
network 10.1.101.0 0.0.0.255 area 0.0.0.
Routing Information Protocol Routing Information Protocol (RIP) is one of the protocols which may be used by routers to exchange network topology information. It is characterized as an “interior” gateway protocol, and is typically used in small to medium-sized networks. RIP Configuration A router running RIP sends the contents of its routing table to each of its adjacent routers every 30 seconds.
CLI Examples
The configuration commands used in the following example enable RIP on ports vlan 2 and vlan 3 as shown in the network illustrated in Figure 4-6.
[Figure 4-6: a Layer 3 switch acting as a router with three VLAN routing interfaces: VLAN 2 (192.150.2.2) toward Subnet 2, VLAN 3 (192.130.3.1) toward Subnet 3, and VLAN 5 (192.64.4.1); the figure labels ports 1/0/3, 1/0/5 and 1/0/22.]
Example #3. Enable RIP for the Switch
The next sequence enables RIP for the switch. The route preference defaults to 15.
console#config
router rip
enable
exit
exit
Example #4. Enable RIP for the VLAN Routing Interfaces
This command sequence enables RIP for VLAN 2 and VLAN 3. Authentication defaults to none, and no default route entry is created. The commands specify that both interfaces receive both RIP-1 and RIP-2 frames, but send only RIP-2 formatted frames.
Route Preferences
You can use route preference assignment to control how the router chooses which routes to use when alternatives exist. This section describes the following uses of route preference assignment: • "Assigning Administrative Preferences to Routing Protocols" on page 95 • "Using Equal Cost Multipath" on page 97 Assigning Administrative Preferences to Routing Protocols The router may learn routes from various sources: static configuration, local route discovery, RIP, and OSPF.
Example 1: Configure Administrative Preferences
The following commands configure the administrative preference for RIP and OSPF:
console#Config
router rip
distance rip 130
exit
For OSPF, an additional parameter identifies the type of OSPF route that the preference value applies to:
router ospf
distance ospf ?
external      Enter preference value for OSPF external routes.
inter-area    Enter preference value for inter-area routes.
intra-area    Enter preference value for intra-area routes.
Using Equal Cost Multipath The equal cost multipath (ECMP) feature allows a router to use more than one next hop to forward packets to a given destination prefix. It can be used to promote a more optimal use of network resources and bandwidth. A router that does not use ECMP forwards all packets to a given destination through a single next hop. This next hop may be chosen from among several next hops that provide equally good routes to the destination.
Routing protocols can also be configured to compute ECMP routes. For example, referring to Figure 4-8, if OSPF were configured on both links connecting Router A and Router B, and if Router B advertised its connection to 20.0.0.0/8, then Router A could compute an OSPF route to 20.0.0.0/8 with next hops of 10.1.1.2 and 10.1.2.2. Static and dynamic routes are all included in a single combined routing table.
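How the combined routing table applies administrative preference and then keeps equal-cost next hops, as an added Python example covering both the "distance rip 130" step and the ECMP case above. It is not code from the Dell guide or the switch firmware; the preference values are assumptions (connected 0, static 1, OSPF intra-area 110, RIP 130 as in the guide's example), and the candidate routes are constructed after Figure 4-8.

```python
"""Added example (not from the Dell guide): route selection by
administrative preference, then metric, keeping an ECMP next-hop set.
PREFERENCE values are assumptions; routes are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed preferences: lower is better. RIP at 130 mirrors 'distance rip 130'.
PREFERENCE = {"connected": 0, "static": 1, "ospf-intra": 110, "rip": 130}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str
    metric: int
    next_hop: str


class RoutingTable:
    def __init__(self, preference=PREFERENCE):
        self.preference = preference
        self.candidates = defaultdict(list)

    def add(self, cand: Candidate) -> None:
        if cand.source not in self.preference:
            raise ValueError(f"no preference configured for {cand.source}")
        self.candidates[cand.prefix].append(cand)

    def best(self, prefix: str) -> tuple:
        """Return (source, metric, sorted next hops) for the winning route set.

        Lowest preference wins; within the winning source the lowest metric
        wins; every candidate sharing that source and metric contributes a
        next hop, and that set is what ECMP forwards over.
        """
        cands = self.candidates.get(prefix, [])
        if not cands:
            raise KeyError(prefix)
        win = min(cands, key=lambda c: (self.preference[c.source], c.metric))
        hops = sorted({c.next_hop for c in cands
                       if c.source == win.source and c.metric == win.metric})
        return win.source, win.metric, hops


def build_table() -> RoutingTable:
    """Constructed after Figure 4-8: Router A reaches 20.0.0.0/8 over two
    equal-cost OSPF paths, a worse OSPF path, and also hears a RIP route."""
    rt = RoutingTable()
    rt.add(Candidate("20.0.0.0/8", "ospf-intra", 20, "10.1.1.2"))
    rt.add(Candidate("20.0.0.0/8", "ospf-intra", 20, "10.1.2.2"))
    rt.add(Candidate("20.0.0.0/8", "ospf-intra", 30, "10.1.3.2"))   # higher OSPF cost
    rt.add(Candidate("20.0.0.0/8", "rip", 2, "10.1.4.2"))           # loses on preference
    return rt


if __name__ == "__main__":
    table = build_table()
    print(table.best("20.0.0.0/8"))
    table.add(Candidate("20.0.0.0/8", "static", 1, "10.1.5.2"))
    print(table.best("20.0.0.0/8"))
```

The RIP route has the best metric of all candidates and still loses, because preference is compared before metric. Adding a static route for the same prefix replaces the whole ECMP set with the single static next hop, which is the usual way a forgotten static route silently overrides a dynamic protocol.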
Loopback Interfaces PowerConnect 6200 Series software provides for the creation, deletion, and management of loopback interfaces. A loopback interface is a software-only interface that is not associated with a physical location; as such it is not dependent on the physical status of a particular router interface and is always considered “up” as long as the router is running. It enables configuring a stable IP address for remote clients to refer to.
IP MTU......................................... 1500
Bandwidth...................................... 100000 kbps
Destination Unreachables....................... Enabled
ICMP Redirects................................. Enabled
To delete a loopback interface, enter the following command from the Global Config mode:
console(config)#no interface loopback 0
console(config)#
IP Helper
The IP Helper feature provides the ability for a router to forward configured UDP broadcast packets to a particular IP address.
Table 4-1. Protocol Default Ports - UDP Port Numbers Implied By Wildcard
Protocol                        UDP Port Number
IEN-116 Name Service            42
DNS                             53
NetBIOS Name Server             137
NetBIOS Datagram Server         138
TACACS Server                   49
Time Service                    37
DHCP                            67
Trivial File Transfer Protocol  69
The switch limits the number of relay entries to four times the maximum number of VLAN routing interfaces (512 relay entries).
The relay agent only relays packets that meet the following conditions: • The destination MAC address must be the all-ones broadcast address (FF:FF:FF:FF:FF:FF). • The destination IP address must be the limited broadcast address (255.255.255.255) or a directed broadcast address for the receive interface. • The IP time-to-live (TTL) must be greater than 1. • The protocol field in the IP header must be UDP (17). • The destination UDP port must match a configured relay entry.
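The five relay conditions above, together with the wildcard port table, applied to constructed packets as an added Python example (not code from the Dell guide or the switch firmware). The packet layout, the shape of a relay entry, and the rule that an interface-specific entry takes precedence over a global entry are assumptions of this example; the constructed relay table follows the guide's Examples 5 and 6.

```python
"""Added example (not from the Dell guide): the IP Helper relay agent's
eligibility checks applied to constructed packets. Packet layout, relay
entry shape and interface-over-global precedence are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = IPv4Address("255.255.255.255")
# Table 4-1: ports implied by a wildcard (no explicit port) relay entry.
WILDCARD_PORTS = {42, 53, 137, 138, 49, 37, 67, 69}


@dataclass(frozen=True)
class Packet:
    dst_mac: str
    dst_ip: str
    ttl: int
    proto: int          # IP protocol number; UDP is 17
    dst_port: int


@dataclass(frozen=True)
class RelayEntry:
    interface: Optional[str]   # None means a global ('Any') entry
    port: Optional[int]        # None means wildcard, see WILDCARD_PORTS
    server: Optional[str]      # None with discard=True drops matching packets
    discard: bool = False


def _entry_matches(entry: RelayEntry, port: int) -> bool:
    return entry.port == port if entry.port is not None else port in WILDCARD_PORTS


def relay_decision(pkt: Packet, iface: str, iface_net: IPv4Network,
                   entries: list[RelayEntry]) -> tuple[str, list[str]]:
    """Return ('relay', servers), ('discard', []) or ('ignore', []).

    'ignore' means a header check failed or no entry matched; the packet
    is left to normal forwarding (a broadcast is not forwarded)."""
    dst = IPv4Address(pkt.dst_ip)
    if pkt.dst_mac.lower() != BROADCAST_MAC:
        return "ignore", []
    if dst != LIMITED_BROADCAST and dst != iface_net.broadcast_address:
        return "ignore", []
    if pkt.ttl <= 1:                       # would expire on the relay hop
        return "ignore", []
    if pkt.proto != 17:
        return "ignore", []
    # Interface-specific entries are consulted before global entries.
    for scope in (iface, None):
        hits = [e for e in entries
                if e.interface == scope and _entry_matches(e, pkt.dst_port)]
        if hits:
            if any(e.discard for e in hits):
                return "discard", []
            return "relay", sorted(e.server for e in hits)
    return "ignore", []


# Constructed relay table after the guide's Examples 5 and 6.
ENTRIES = [
    RelayEntry("vlan 100", 67, "192.168.30.1"),        # DHCP on VLAN 100
    RelayEntry("vlan 100", 53, "192.168.30.1"),        # DNS on VLAN 100
    RelayEntry("vlan 300", 67, None, discard=True),    # never relay DHCP from VLAN 300
    RelayEntry(None, 67, "192.168.40.1"),              # DHCP from any other interface
]
VLAN100_NET = IPv4Network("192.168.100.0/24")
DHCP_DISCOVER = Packet(BROADCAST_MAC, "255.255.255.255", 64, 17, 67)

if __name__ == "__main__":
    for vlan in ("vlan 100", "vlan 200", "vlan 300"):
        print(vlan, relay_decision(DHCP_DISCOVER, vlan, VLAN100_NET, ENTRIES))
```

The TTL check is the one most often overlooked when the relay "does not work": a client that sends its DHCP discover with TTL 1 is never relayed, by design, so the fix is on the client rather than on the switch. The discard entry shows the guide's "Yes" column in Example 7: it is a positive rule that wins over the global entry for that port.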
Example 5: Enable IP Helper on a VLAN Routing Interface to a Server (DHCP and DNS)
To relay DHCP and DNS packets to 192.168.30.1, use the following commands:
console(config-if-vlan100)#ip helper-address 192.168.30.1 dhcp
console(config-if-vlan100)#ip helper-address 192.168.30.1 domain
Example 6: Enable IP Helper on Multiple VLAN Routing Interfaces
With the following configuration, the relay agent relays:
• DHCP packets received on any interface other than VLAN 200 and VLAN 300 to 192.168.40.
Example 7: Show IP Helper Configurations
The following command shows IP Helper configurations:
console#show ip helper-a
IP helper is enabled
Interface    UDP Port   Discard   Hit Count   Server Address
-----------  ---------  --------  ----------  --------------------------------------
vlan 100     domain     No        0           192.168.30.1
vlan 100     dhcp       No        0           192.168.10.1 192.168.20.1 192.168.30.1
vlan 200     domain     No        0           192.168.40.2
vlan 200     dhcp       No        0           192.168.40.2
vlan 300     dhcp       Yes       0
vlan 300     162        No        0           192.168.23.1
Any          Default    No        0           20.1.1.
5 Device Security This section describes configuration scenarios for the following features: • "802.1x Network Access Control" on page 106 • "802.1X Authentication and VLANs" on page 109 • "Authentication Server Filter Assignment" on page 111 • "Access Control Lists (ACLs)" on page 111 • "RADIUS" on page 117 • "TACACS+" on page 120 • "802.
802.1x Network Access Control Port-based network access control allows the operation of a system’s port(s) to be controlled to ensure that access to its services is permitted only by systems that are authorized to do so. Port Access Control provides a means of preventing unauthorized access by supplicants or users to the services offered by a system.
Figure 5-1. Switch with 802.1x Network Access Control If a user, or supplicant, attempts to communicate via the switch on any interface except interface 1/g1, the system challenges the supplicant for login credentials. The system encrypts the provided information and transmits it to the RADIUS server. If the RADIUS server grants access, the system sets the 802.1x port state of the interface to authorized and the supplicant is able to access network resources. console(config)#radius-server host 10.10.10.
Example #2: MAC-Based Authentication Mode The PowerConnect 6200 Series switches support MAC-based 802.1X authentication. This feature allows multiple hosts to authenticate on a single port. The hosts are distinguished by their MAC addresses. When multiple hosts (for example, a PC, a printer, and a phone in the same office) are connected to the switch on the same port, each of the connected hosts authenticates separately with the RADIUS server.
802.1X Authentication and VLANs The PowerConnect 6200 Series switches allow a port to be placed into a particular VLAN based on the type of 802.1X authentication a client uses when it accesses the switch. The RADIUS server or IEEE 802.1X Authenticator can provide information to the switch about which VLAN to assign the host (supplicant). When a host connects to a switch that uses a RADIUS server or 802.
VLAN and the port is moved to the authorized state, allowing access to the client. However, if the port is in MAC-based 802.1X authentication mode, it will not move to the authorized state. MAC-based mode makes it possible for both authenticated and guest clients to use the same port at the same time. Client devices that are 802.1X-supplicant-enabled authenticate with the switch when they are plugged into the 802.1X-enabled switch port.
Authentication Server Filter Assignment The PowerConnect 6200 Series switches allow the external 802.1X Authenticator or RADIUS server to assign DiffServ policies to users that authenticate to the switch. When a host (supplicant) attempts to connect to the network through a port, the switch contacts the 802.1X authenticator or RADIUS server, which then provides information to the switch about which DiffServ policy to assign the host (supplicant).
Ingress ACLs support Flow-based Mirroring and ACL Logging, which have the following characteristics: • Flow-based mirroring is the ability to mirror traffic that matches a permit rule to a specific physical port or LAG. Flow-based mirroring is similar to the redirect function, except that in flow-based mirroring a copy of the permitted traffic is delivered to the mirror interface while the packet itself is forwarded normally through the device.
Egress ACL Limitations Egress ACLs have some additional limitations. The following limitations apply to egress ACLs only: • Egress ACLs support IP Protocol/Destination, IP Address Source/Destination, L4 Source/Destination port, IP DSCP, IP ToS, and IP precedence match conditions only. • MAC ACLs are not supported in the egress direction. • Egress ACLs only support Permit/Deny Action. Logging, mirroring and redirect action are not supported. • Only one Egress ACL can be applied on an interface.
IP ACLs IP ACLs classify for Layers 3 and 4. Each ACL is a set of up to ten rules applied to inbound traffic.
IP ACL CLI Example The script in this section shows you how to set up an IP ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same. TCP and UDP packets will only be accepted by the PowerConnect 6200 Series switch if the source and destination stations have IP addresses that fall within the defined sets. Figure 5-2.
Step 1: Create an ACL and Define an ACL Rule
This command creates an ACL named list1 and configures a rule for the ACL. After the wildcard masks have been applied, the rule permits TCP packets whose source address falls within 192.168.77.0/24 and whose destination is the specified host address. Packets that match no rule in the list are dropped by the implicit deny at the end of every ACL, so a list that only contains permit rules still blocks all other traffic on the interface.
console#config
console(config)#access-list list1 permit tcp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.
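How the wildcard masks and first-match evaluation above behave, as an added Python example that is not code from the Dell guide or the switch firmware. It models an IP ACL of the list1 shape with the ten-rule limit the guide states for this platform and the implicit deny at the end; rule values and packets are constructed, and the destination wildcard is assumed to be 0.0.0.0 (exact host) where the guide's line is truncated.

```python
"""Added example (not from the Dell guide): IP ACL evaluation with
wildcard masks, first match wins, implicit deny. Rules and packets are
constructed; the ten-rule limit mirrors the guide."""
from dataclasses import dataclass
from ipaddress import IPv4Address

MAX_RULES = 10  # per-ACL rule limit stated in the guide for this platform
PROTO = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class Rule:
    action: str     # 'permit' or 'deny'
    protocol: str   # key of PROTO
    src: str
    src_wild: str
    dst: str
    dst_wild: str


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the mask is a don't-care bit, so only
    the bits where the mask is 0 must be equal. 0.0.0.0 is an exact host,
    0.0.0.255 is a /24, 255.255.255.255 matches anything."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return ((a ^ r) & ~w & 0xFFFFFFFF) == 0


class IpAcl:
    def __init__(self, name: str):
        self.name = name
        self.rules: list[Rule] = []

    def add(self, rule: Rule) -> None:
        if rule.action not in ("permit", "deny") or rule.protocol not in PROTO:
            raise ValueError(f"bad rule {rule}")
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"{self.name}: ACL already has {MAX_RULES} rules")
        self.rules.append(rule)

    def evaluate(self, pkt: Packet) -> tuple[str, int]:
        """Return (action, rule number); rule number -1 is the implicit deny."""
        for i, rule in enumerate(self.rules, start=1):
            want = PROTO[rule.protocol]
            if want is not None and want != pkt.proto:
                continue
            if not wildcard_match(pkt.src, rule.src, rule.src_wild):
                continue
            if not wildcard_match(pkt.dst, rule.dst, rule.dst_wild):
                continue
            return rule.action, i
        return "deny", -1


def build_list1() -> IpAcl:
    """The guide's list1 shape: TCP and UDP from 192.168.77.0/24 to the
    host 192.168.77.3 are permitted; everything else hits the implicit deny."""
    acl = IpAcl("list1")
    acl.add(Rule("permit", "tcp", "192.168.77.0", "0.0.0.255", "192.168.77.3", "0.0.0.0"))
    acl.add(Rule("permit", "udp", "192.168.77.0", "0.0.0.255", "192.168.77.3", "0.0.0.0"))
    return acl


if __name__ == "__main__":
    acl = build_list1()
    for pkt in (Packet(6, "192.168.77.10", "192.168.77.3"),
                Packet(1, "192.168.77.10", "192.168.77.3"),
                Packet(6, "192.168.78.10", "192.168.77.3")):
        print(pkt, acl.evaluate(pkt))
```

Two things worth checking against a real list with this model: a mask written as a subnet mask (255.255.255.0) instead of a wildcard (0.0.0.255) inverts the match and typically turns a host rule into an any rule, and ICMP is never covered by a tcp/udp list, so a "permit tcp/udp only" ACL also drops ping unless a rule for it is added.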
Step 4: Viewing the MAC ACL Information
console#show mac access-lists
Current number of all ACLs: 2
Maximum number of all ACLs: 100
MAC ACL Name   Rules   Interface(s)   Direction
-------------  ------  -------------  ---------
mac1           1       1/g5           Inbound
console#show mac access-lists mac1
MAC ACL Name: mac1
Rule Number: 1
Action.........................................
Destination MAC Address........................
Destination MAC Mask...........................
Log............................................
attributes containing configuration information. If the server rejects the user, it returns a negative result. If the server rejects the client or the shared “secrets” differ, the server returns no result. If the server requires additional verification from the user, it returns a challenge, and the request process begins again. If you use a RADIUS server to authenticate users, you must configure user attributes in the user database on the RADIUS server.
Figure 5-3. RADIUS Servers in a Network When a user attempts to log in, the switch prompts for a username and password. The switch then attempts to communicate with the primary RADIUS server at 10.10.10.10. Upon successful connection with the server, the switch sends the login credentials in an Access-Request. RADIUS does not encrypt the exchange as a whole; it hides only the User-Password attribute with an MD5 keystream derived from the shared secret and the request authenticator (RFC 2865), so the shared secret should be long and random and the server should be reachable only over a trusted management network. The server grants or denies access, which the switch honors, and either allows or does not allow the user to access the switch.
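What actually protects the credentials on the wire in the exchange above, as an added Python example that is not code from the Dell guide or from the switch: the RFC 2865 User-Password hiding the switch performs as a RADIUS client, the server-side inverse, and the Response Authenticator check the client uses to verify that an Access-Accept came from a holder of the shared secret. The shared secret, request authenticator and attribute bytes are constructed.

```python
"""Added example (not from the Dell guide): RFC 2865 User-Password hiding
and Response Authenticator verification. Secret, authenticator and
attribute bytes are constructed."""
import hashlib
import os
import struct


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad the password to a 16-byte multiple, then XOR each
    block with MD5(secret + previous ciphertext block); the first block
    uses the 16-byte Request Authenticator in place of previous ciphertext."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    if len(request_auth) != 16:
        raise ValueError("request authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out, prev = out + c, c
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse; trailing zero padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty 16-byte multiple")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Length is the 20-byte header plus the attribute bytes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def reply_is_genuine(code: int, ident: int, attrs: bytes, received_auth: bytes,
                     request_auth: bytes, secret: bytes) -> bool:
    """The client recomputes the authenticator; a mismatch means the reply
    was forged, altered, or sent by a server with a different secret."""
    return response_authenticator(code, ident, attrs, request_auth, secret) == received_auth


# Constructed values for a demonstration run.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = os.urandom(16)   # the client picks a fresh random one per request
ACCESS_ACCEPT = 2

if __name__ == "__main__":
    hidden = hide_password(b"S3cret!pw", SECRET, REQUEST_AUTH)
    print(hidden.hex(), unhide_password(hidden, SECRET, REQUEST_AUTH))
```

Two consequences follow directly from the construction. Because the keystream is MD5(secret + authenticator), anyone who captures a request and can guess the secret offline recovers the password, which is why the secret, not the transport, is the security boundary. And because the Response Authenticator covers the attributes, a forged Access-Accept without the secret fails the check even if the attacker can spoof the server's address.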
Example #2: Set the NAS-IP Address for the RADIUS Server The NAS-IP-Address attribute identifies the IP address of the network access server (NAS), here the switch, that is requesting authentication of the user. The address should be unique to the NAS within the scope of the RADIUS server. The NAS-IP-Address is only used in Access-Request packets. Either the NAS-IP-Address or NAS-Identifier must be present in an Access-Request packet. NOTE: The feature is available in release 2.1 and later.
Figure 5-4. PowerConnect 6200 Series Switch with TACACS+ When a user attempts to log into the switch, the NAS or switch prompts for a username and password. The switch attempts to communicate with the highest priority configured TACACS+ server at 10.10.10.10. Upon successful connection with the server, the switch and server exchange the login credentials over an encrypted channel.
802.1x MAC Authentication Bypass (MAB) MAB is a supplemental authentication mechanism that allows 802.1x unaware clients, such as printers and fax machines, to authenticate to the network using the client MAC address as an identifier. The known and allowable MAC address and corresponding access rights of the client must be pre-populated in the authentication server. MAB only works when the port control mode of the port is mac-based. MAB uses the 802.
[Figure 5-5: MAB sequence between the client, the switch (DOT1x/MAB) and the RADIUS server. Traffic arrives from an unknown client and the switch learns its MAC address. The switch sends an EAPOL Request (Identity) to 01.80.c2.00.00.03 and repeats it twice more at 30-second intervals. When the EAPOL exchange times out after the third request (30 seconds), the switch initiates MAB: it sends a RADIUS Access-Request for the client's MAC address, the RADIUS server answers with Access-Accept, and the client is authenticated.]
Example 2: Show MAB Configuration
To show the MAB configuration for interface 1/g5, use the following command:
console#show dot1x ethernet 1/g5
Administrative Mode............... Enabled
Port   Admin Mode   Oper Mode    Reauth Control   Reauth Period
-----  -----------  -----------  ---------------  -------------
1/g5   mac-based    Authorized   TRUE             300
Quiet Period................................... 60
Transmit Period................................ 30
Maximum Requests...............................
Captive Portal Overview The Captive Portal feature is a software implementation that allows client access only after user verification. Verification can be configured to allow access for guest and authenticated users. Users must be validated against a database of authorized captive portal users, either locally or through a RADIUS server. The authentication server supports both HTTP and HTTPS web connections.
In the unknown state, the CP doesn't redirect HTTP/S traffic to the switch, but queries the switch to determine whether the client is authenticated or unauthenticated. In the Unauthenticated state, the CP directs the HTTP/S traffic to the switch to allow the client to authenticate with the switch. Once the client is authenticated, the client is placed in Authenticated state; in this state all the traffic emerging from the client will be forwarded through the switch.
All new captive portal instances are also assigned to the "Default" group. The administrator can create new groups and modify the user/group association to only allow a subset of users access to a specific captive portal instance. Network access is granted upon successful verification of user credentials. A remote RADIUS server can be used for client authentication. RADIUS authentication and accounting servers are configured separately from the captive portal configuration.
In response to the request, the authenticated user is removed from the connection status tables. If the client logout request feature is not enabled, or the user does not specifically request logout, the connection status remains authenticated until Captive Portal deauthenticates (session timeout, idle time, etc.). In order for user logout to function properly, the client browser must be configured such that JavaScript is enabled and popup windows are allowed.
Captive Portal Statistics Client session statistics are available for both guest and authenticated users. Client statistics are used to enforce the idle timeout and other limits configured for the user and captive portal instance. Client statistics may not be cleared by the administrator since this would affect the ability to monitor the configured limits.
console#show captive-portal
Administrative Mode....................... Enabled
Operational Status........................ Enabled
Disable Reason............................ Administrator Disabled
Captive Portal IP Address................. 1.2.3.4
Example 6: Show Captive Portal Instances
To show the status of all Captive Portal instances in the system, use the following command:
console#show captive-portal status
Additional HTTP Port........................... 81
Additional HTTP Secure Port...............
Example 7: Modify the Default Captive Portal Configuration (Change Verification Method to Local)
To change the verification method to local, use the following command:
console(config-CP 1)#verification local
To view the configuration change, use the following command:
console#show captive-portal configuration 1 status
CP ID.......................................... 1
CP Name........................................ Default
CP Mode........................................ Enable
Protocol Mode................
To create a local user, use the following command:
console(Config-CP)#user 1 name user1
console(config-CP)#user 1 password
Enter password (8 to 64 characters): ********
Re-enter password: ********
console(Config-CP)#user 1 session-timeout 14400
To verify the creation of a local user, use the following command:
console#show captive-portal user
User ID   User Name   Session Timeout   Idle Timeout   Group ID   Group Name
-------   ---------   ---------------   ------------   --------   ----------
1         user1       14400
Interface   Interface Description                      Operational Status   Block Status
---------   ----------------------------------------   ------------------   ------------
1/g18       Unit: 1 Slot: 0 Port: 18 Gigabit - Level   Disabled             Not Blocked
To view the status of a captive client (connected to 1/g18), use the following command:
console#show captive-portal configuration 1 client status
CP ID.......................................... 1
CP Name........................................
6 IPv6 This section includes the following subsections: • "Overview" on page 135 • "Interface Configuration" on page 135 Overview There are many conceptual similarities between IPv4 and IPv6 network operation. Addresses still have a network prefix portion (subnet) and a device interface specific portion (host). While the length of the network portion is still variable, most users have standardized on using a network prefix length of 64 bits.
• Allocated from part of the IPv6 unicast address space • Not visible off the local link • Not globally unique Next hop addresses computed by routing protocols are usually link-local. During a transition period, a global IPv6 Internet backbone may not be available. One solution is to tunnel IPv6 packets inside IPv4 to reach remote IPv6 islands.
ip ospf area 0.0.0.0
exit
interface vlan 2
routing
ipv6 enable
ipv6 address 2020:1::1/64
ipv6 ospf
ipv6 ospf network point-to-point
exit
interface tunnel 0
ipv6 address 2001::1/64
tunnel mode ipv6ip
tunnel source 20.20.20.1
tunnel destination 10.10.10.1
ipv6 ospf
ipv6 ospf network point-to-point
exit
interface loopback 0
ip address 1.1.1.1 255.255.255.0
exit
exit
Device 2
console#config
ip routing
ipv6 unicast-routing
router ospf
router-id 2.2.2.2
exit
ipv6 router ospf
router-id 2.2.2.
ipv6 address 2020:2::2/64
ipv6 ospf
ipv6 ospf network point-to-point
exit
interface tunnel 0
ipv6 address 2001::2/64
tunnel mode ipv6ip
tunnel source 10.10.10.1
tunnel destination 20.20.20.1
ipv6 ospf
ipv6 ospf network point-to-point
exit
interface loopback 0
ip address 2.2.2.2 255.255.255.
7 Quality of Service This section includes the following subsections: • "Class of Service Queuing" on page 139 • "Differentiated Services" on page 143 Class of Service Queuing The Class of Service (CoS) feature lets you give preferential treatment to certain types of traffic over others. To set up this preferential treatment, you can configure the ingress ports, the egress ports, and individual queues on the egress ports to provide customization that suits your environment.
CoS Mapping Table for Trusted Ports Mapping is from the designated field values on trusted ports’ incoming packets to a traffic class priority (actually a CoS traffic queue). The trusted port field-to-traffic class configuration entries form the Mapping Table the switch uses to direct ingress packets from trusted ports to egress queues.
[Figure 7-1: CoS mapping and queuing example. Four packets arrive on ingress port 1/g10, which is in trust dot1p mode: A (user priority 3), B (user priority 7), C (untagged) and D (user priority 6). The port's 802.1p-to-CoS queue map is 0 to 2, 1 to 0, 2 to 1, 3 to 5, 4 to 4, 5 to 5, 6 to 5, 7 to 6; untagged packets take the port default priority 2, which maps to traffic class 1. All four are forwarded via the switch fabric to egress port 1/g8, where B lands in Q6 (strict), A and D in Q5 (weighted 20%), and C in Q1 (weighted 0%); Q4 is weighted 10%, Q3 and Q2 5% each, Q0 0%. Packet transmission order: B, A, D, C.]
[Figure 7-2. CoS Configuration Example System Diagram: ingress port 1/g10, egress port 1/g8 toward a server.]
You will configure the ingress interface uniquely for all cos-queue and VLAN parameters.
console#config
interface ethernet 1/g10
classofservice trust dot1p
classofservice dot1p-mapping 6 3
vlan priority 2
exit
interface ethernet 1/g8
cos-queue min-bandwidth 0 0 5 5 10 20 40
cos-queue strict 6
exit
exit
You can also set traffic shaping parameters for the interface.
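The classification and egress scheduling that produce the B, A, D, C order in Figure 7-1, as an added Python example that is not code from the Dell guide or the switch. The dot1p-to-queue map, port default priority, strict queue, weights and the four packets are taken from the figure; the weighted round robin here (credits proportional to weight, zero-weight queues served only when the weighted queues are empty) is a simplification of what the hardware does and is labelled as such.

```python
"""Added example (not from the Dell guide): a simplified model of the CoS
classification and egress scheduling in Figure 7-1. Map, weights and
frames come from the figure; the WRR is a simplification."""
from collections import deque
from dataclasses import dataclass
from functools import reduce
from math import gcd
from typing import Optional


@dataclass(frozen=True)
class Frame:
    name: str
    user_priority: Optional[int]   # None for an untagged frame


# Figure 7-1 ingress settings for port 1/g10 (trust dot1p).
DOT1P_TO_QUEUE = {0: 2, 1: 0, 2: 1, 3: 5, 4: 4, 5: 5, 6: 5, 7: 6}
PORT_DEFAULT_PRIORITY = 2
# Figure 7-1 egress settings for port 1/g8: Q6 strict, the rest weighted.
STRICT = {6}
WEIGHT = {6: 0, 5: 20, 4: 10, 3: 5, 2: 5, 1: 0, 0: 0}


def classify(frame: Frame) -> int:
    """Trusted port: the tag priority selects the queue; an untagged frame
    takes the port default priority and goes through the same map."""
    pri = PORT_DEFAULT_PRIORITY if frame.user_priority is None else frame.user_priority
    if not 0 <= pri <= 7:
        raise ValueError(f"bad 802.1p priority {pri}")
    return DOT1P_TO_QUEUE[pri]


def schedule(frames: list[Frame]) -> list[str]:
    """Return the transmission order of a burst that is queued all at once."""
    queues = {q: deque() for q in WEIGHT}
    for f in frames:
        queues[classify(f)].append(f.name)
    order = []
    # Strict queues are drained first, highest queue number first.
    for q in sorted(STRICT, reverse=True):
        while queues[q]:
            order.append(queues[q].popleft())
    weighted = [q for q in sorted(WEIGHT, reverse=True) if q not in STRICT and WEIGHT[q] > 0]
    best_effort = [q for q in sorted(WEIGHT, reverse=True) if q not in STRICT and WEIGHT[q] == 0]
    unit = reduce(gcd, (WEIGHT[q] for q in weighted)) if weighted else 1
    # Simplified WRR: each pass lets a queue send weight/unit frames.
    while any(queues[q] for q in weighted):
        for q in weighted:
            for _ in range(WEIGHT[q] // unit):
                if queues[q]:
                    order.append(queues[q].popleft())
    # Zero-weight queues only get what is left over.
    for q in best_effort:
        while queues[q]:
            order.append(queues[q].popleft())
    return order


FIGURE_7_1_BURST = [Frame("A", 3), Frame("B", 7), Frame("C", None), Frame("D", 6)]

if __name__ == "__main__":
    print({f.name: classify(f) for f in FIGURE_7_1_BURST})
    print(schedule(FIGURE_7_1_BURST))
```

The untagged frame C is the one to watch in a trust dot1p deployment: it can only ever land where the port default priority sends it, here a 0% queue, so a host that strips tags is starved under load while a host that sets priority 7 on its own frames jumps to the strict queue. Trusting dot1p on user-facing ports therefore hands queue selection to the client; the strict queue should be reserved for ports where the tagging device is under your control.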
Differentiated Services Differentiated Services (DiffServ) is one technique for implementing Quality of Service (QoS) policies. Using DiffServ in your network allows you to directly configure the relevant parameters on the switches and routers rather than using a resource reservation protocol.This section explains how to configure the switch to identify which traffic class a packet belongs to, and how it should be handled to provide the desired quality of service.
CLI Example This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own Class B subnet that is allocated 25% of the available bandwidth on the port accessing the Internet. Figure 7-3. DiffServ Internet Access Example Network Diagram Example #1: DiffServ Inbound Configuration Ensure DiffServ operation is enabled for the switch.
match srcip 172.16.20.0 255.255.255.0
exit
class-map match-all test_dept
match srcip 172.16.30.0 255.255.255.0
exit
class-map match-all development_dept
match srcip 172.16.40.0 255.255.255.0
exit
Create a DiffServ policy for inbound traffic named internet_access, adding the previously created department classes as instances within this policy. This policy uses the assign-queue attribute to put each department's traffic on a different egress queue.
Set the CoS queue configuration for the (presumed) egress interface 1/g5 such that each of queues 1, 2, 3 and 4 get a minimum guaranteed bandwidth of 25%. All queues for this interface use weighted round robin scheduling by default. The DiffServ inbound policy designates that these queues are to be used for the departmental traffic through the assign-queue attribute. It is presumed that the switch will forward this traffic to interface 1/g5 based on a normal destination address lookup for internet traffic.
Figure 7-4.
Example #2: Configuring DiffServ VoIP Support
Enter Global Config mode. Set queue 6 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch.
console#config
cos-queue strict 6
diffserv
Create a DiffServ classifier named class_voip and define a single match criterion to detect UDP packets. The class type match-all indicates that all match criteria defined for the class must be satisfied in order for a packet to be considered a match.
8 Multicast This section provides configuration scenarios for the following features: • "IGMP Configuration" on page 150 • "IGMP Proxy" on page 151 • "DVMRP" on page 152 • "PIM" on page 154 • "Multicast Routing and IGMP Snooping" on page 157 Overview IP Multicasting enables a network host (or multiple hosts) to send an IP datagram to multiple destinations simultaneously.
When to Enable IP Multicast on the PowerConnect 6200 Series Switch Use the IP multicast feature on the PowerConnect 6200 Series switch to route multicast traffic between VLANs on the switch. If all hosts connected to the switch are on the same subnet, there is no need to configure the IP multicast feature. If the switch does not handle L3 routing, you can use IGMP snooping to manage port-based multicast group membership. For more information, see "IGMP Snooping" on page 40.
IGMP Proxy IGMP proxy enables a multicast router to learn multicast group membership information and forward multicast packets based upon the group membership information. The IGMP Proxy is capable of functioning only in certain topologies that do not require Multicast Routing Protocols (i.e., DVMRP, PIM-DM, and PIM-SM) and have a tree-like topology, as there is no support for features like reverse path forwarding (RPF) to correct packet route loops.
Example #2: View IGMP Proxy Configuration Data
You can use various commands from Privileged EXEC or User EXEC modes to show IGMP proxy configuration data.
• Use the following command to display a summary of the host interface status parameters. It displays the parameters only when IGMP Proxy is enabled.
console#show ip igmp-proxy
Interface Index................................ vlan 15
Admin Mode..................................... Enabled
Operational Mode...............................
CLI Example
The following example configures two DVMRP interfaces. First, this example configures an OSPF router and globally enables IP routing and IP multicast. IGMP is globally enabled so that this router can manage group membership information for its directly-connected hosts (IGMP may not be required when there are no directly connected hosts). Next, DVMRP is globally enabled. Finally, DVMRP, IGMP, and OSPF are enabled on several interfaces.
console#configure
router ospf
router-id 3.3.1.
PIM Protocol Independent Multicast (PIM) is a standard multicast routing protocol that provides scalable inter-domain multicast routing across the Internet, independent of the mechanisms provided by any particular unicast routing protocol. PIM has two types: • PIM-Dense Mode (PIM-DM) • PIM-Sparse Mode (PIM-SM) PIM-SM PIM-SM is used to efficiently route multicast traffic to multicast groups that may span wide area networks where bandwidth is a constraint.
Example: PIM-SM
The following example configures PIM-SM for IPv4 on a router. First, configure an OSPF router and globally enable IP routing, multicast, IGMP, and PIM-SM. Next, configure a PIM-SM rendezvous point with an IP address and group range. The IP address will serve as an RP for the range of potential multicast groups specified in the group range. Finally, enable routing, IGMP, PIM-SM, and OSPF on one or more interfaces.
console#configure
router ospf
router-id 3.3.1.
To minimize the repeated flooding of datagrams and subsequent pruning associated with a particular source-group (S,G) pair, PIM-DM uses a State Refresh message. This message is sent by the router(s) directly connected to the source and is propagated throughout the network. When received by a router on its RPF interface, the State Refresh message causes an existing prune state to be refreshed. State Refresh messages are generated periodically by the router directly attached to the source.
Multicast Routing and IGMP Snooping
In this example, ports 1/g5 and 1/g10 are members of VLAN 100, and port 1/g15 is a member of VLAN 200. Both VLANs are configured as VLAN routing interfaces and are in different subnets. IGMP snooping is configured on VLAN 100 so that a member port will receive multicast data only if it sends an IGMP join message for that multicast group. IGMP and PIM-DM are enabled on each VLAN so that multicast data sent from a port on VLAN 200 can be routed to VLAN 100.
8 Globally enable IGMP snooping, IP multicast, IGMP, and PIM-DM on the switch.
console(config)#ip igmp snooping
console(config)#ip multicast
console(config)#ip igmp
console(config)#ip pimdm
NOTE: Only one multicast routing protocol (PIM-SM, PIM-DM, or DVMRP) can be enabled globally on the switch at a time.
9 Configure ports 1/g5 and 1/g10 as members of VLAN 100.
console#show ip igmp
IGMP Admin Mode................................ Enabled
IGMP Router-Alert check........................ Disabled
IGMP INTERFACE STATUS
Interface   Interface-Mode   Operational-Status
---------   --------------   ------------------
vlan 100    Enabled          Operational
vlan 200    Enabled          Operational
The host connected to interface 1/g5 sends an IGMP join message for multicast group 225.1.1.1 in VLAN 100. Then, the host connected to 1/g15 sends multicast data for group 225.1.1.1 in VLAN 200.
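As an added illustration (not code from the guide or from Dell), the following Python model of this scenario shows why, with IGMP snooping on VLAN 100, the flow routed in from 1/g15 reaches 1/g5 but not 1/g10; the port and VLAN names are the ones above, and the forwarding rules are a deliberate simplification of IGMP snooping and PIM-DM behaviour.

```python
from typing import Dict, Iterable, Set, Tuple


class MulticastSwitch:
    """Simplified model (an assumption, not Dell's implementation) of a switch
    that does L2 delivery inside a VLAN, optional IGMP snooping per VLAN, and
    L3 multicast routing between VLAN routing interfaces that run IGMP/PIM-DM."""

    def __init__(self, vlan_ports: Dict[int, Set[str]],
                 snooping_vlans: Iterable[int], routed_vlans: Iterable[int]):
        self.vlan_ports = vlan_ports                 # vlan -> member ports
        self.snooping = set(snooping_vlans)          # VLANs with IGMP snooping
        self.routed = set(routed_vlans)              # VLAN routing interfaces with IGMP + PIM-DM
        self.port_of = {p: v for v, ps in vlan_ports.items() for p in ps}
        self.groups: Dict[Tuple[int, str], Set[str]] = {}  # (vlan, group) -> joined ports

    def igmp_join(self, port: str, group: str) -> None:
        """Record an IGMP join seen on `port`; both snooping and the VLAN's
        IGMP router state learn the membership from it."""
        self.groups.setdefault((self.port_of[port], group), set()).add(port)

    def receivers(self, src_port: str, group: str) -> Set[str]:
        """Ports that receive a datagram for `group` sent from src_port."""
        src_vlan = self.port_of[src_port]
        out: Set[str] = set()
        for vlan, ports in self.vlan_ports.items():
            if vlan == src_vlan:
                members = ports - {src_port}         # plain L2 delivery in the source VLAN
            elif (src_vlan in self.routed and vlan in self.routed
                  and self.groups.get((vlan, group))):
                members = set(ports)                 # routed in: the VLAN interface has IGMP members
            else:
                continue                             # pruned: no receivers, or routing not enabled
            if vlan in self.snooping:                # snooping restricts delivery to joined ports
                members &= self.groups.get((vlan, group), set())
            out |= members
        return out


# Constructed topology from the guide's example: VLAN 100 = 1/g5, 1/g10 (snooping
# on), VLAN 200 = 1/g15; both VLANs are routing interfaces with IGMP and PIM-DM.
def guide_scenario(snooping: bool = True) -> Set[str]:
    sw = MulticastSwitch({100: {"1/g5", "1/g10"}, 200: {"1/g15"}},
                         snooping_vlans=[100] if snooping else [],
                         routed_vlans=[100, 200])
    sw.igmp_join("1/g5", "225.1.1.1")
    return sw.receivers("1/g15", "225.1.1.1")


if __name__ == "__main__":
    print("with snooping:", guide_scenario(True))      # only 1/g5
    print("without snooping:", guide_scenario(False))  # 1/g5 and 1/g10
```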
9 Utility
This section describes the following features:
• "Auto Config" on page 162
• "Nonstop Forwarding on a Switch Stack" on page 168
Auto Config
Overview
Auto Config is a software feature that automatically configures a switch when the device is initialized and no configuration file is found on the switch. Auto Config is accomplished in three phases:
1 Assignment (configuration) of an IP address for the device
2 Assignment of a TFTP server
3 Obtaining a configuration file for the device from the TFTP server
Functional Description
The Auto Config feature initiates when a switch is turned on and the startup-config file is not found.
– The hostname of the TFTP server (option 66 or sname). Either the TFTP address or name is specified (not both) in most network configurations. If a TFTP hostname is given, a DNS server is required to translate the name to an IP address.
– The IP address of the TFTP server (option 150).
– The address of the TFTP server (siaddr) to be used for Auto Config requests.
No configuration assigned by BOOTP or DHCP is saved in startup-config.
Once a hostname has been determined, the switch then issues a TFTP request for a file named ".cfg", where is the first 32 characters of the switch's hostname. If the switch is unable to map its IP address to a hostname, Auto Config sends TFTP requests for the default configuration file "host.cfg". Table 9-1 summarizes the config files which may be downloaded, and the order in which they are sought.
Table 9-1.
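The following Python snippet is an added example, not code from the guide or from Dell: it reproduces the decision steps just described (which DHCP fields name the TFTP server, whether DNS is needed, and which config file name is requested) so that an operator can audit what a DHCP server on a segment is able to steer. The option precedence, the helper names and the sample DHCP bytes are constructed assumptions; the guide only says that address and name are not normally both present.

```python
import ipaddress
from typing import Dict, Optional, Tuple


def parse_dhcp_options(raw: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area of a DHCP message (bytes after the magic cookie)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 255:            # End option terminates the list
            break
        if code == 0:              # Pad option carries no length byte
            i += 1
            continue
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def tftp_server_from_dhcp(opts: Dict[int, bytes], sname: bytes, siaddr: bytes) -> Tuple[str, str]:
    """Return ("address" | "hostname" | "none", value) for the TFTP server an
    Auto Config client would contact. Precedence here is an assumption:
    option 150, then option 66, then the siaddr field, then the sname field."""
    if len(opts.get(150, b"")) >= 4:
        return ("address", str(ipaddress.IPv4Address(opts[150][:4])))
    if 66 in opts:
        return ("hostname", opts[66].rstrip(b"\x00").decode("ascii"))
    if siaddr != b"\x00\x00\x00\x00":
        return ("address", str(ipaddress.IPv4Address(siaddr)))
    name = sname.rstrip(b"\x00")
    return ("hostname", name.decode("ascii")) if name else ("none", "")


def config_file_name(hostname: Optional[str]) -> str:
    """First 32 characters of the hostname plus ".cfg", or the default
    "host.cfg" when the switch's IP address could not be mapped to a name."""
    return hostname[:32] + ".cfg" if hostname else "host.cfg"


def auto_config_plan(raw_options: bytes, sname: bytes, siaddr: bytes,
                     hostname: Optional[str]) -> Dict[str, object]:
    """Summarise the Auto Config inputs a given DHCP reply would produce."""
    kind, value = tftp_server_from_dhcp(parse_dhcp_options(raw_options), sname, siaddr)
    return {"tftp_kind": kind, "tftp": value,
            "needs_dns": kind == "hostname",      # a name must be resolved before TFTP
            "file": config_file_name(hostname)}


if __name__ == "__main__":
    # Constructed reply: option 66 "tftp" then End; siaddr and sname empty.
    sample = bytes([66, 4]) + b"tftp" + bytes([255])
    print(auto_config_plan(sample, b"\x00" * 64, b"\x00" * 4, "sw1"))
```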
Host-Specific Config File Not Found
If the Auto Config process fails to download a configuration file, a message is logged. If a final configuration file is not downloaded, as described in Table 9-1, the Auto Config procedure continues to issue TFTP broadcast requests. The frequency of the broadcasts is once per 10 minute period.
Terminating the Auto Config Process
A user can terminate the Auto Config process at any time prior to the downloading of the config file.
Dependency Upon Other Network Services
The Auto Config process depends upon the following network services:
• A DHCP or BOOTP server must be configured on the network with appropriate services.
• A configuration file for the switch must be available from a TFTP server on the network.
• The switch must be connected to the network.
• A DNS server must contain an IP address to hostname mapping for the TFTP server if the DHCP server response contains only the hostname for the TFTP server.
TFTP Client
The TFTP client downloads configuration files and sends TFTP requests to the broadcast IP address (255.255.255.255).
DNS Client
The DNS client resolves an IP address to a hostname and resolves a hostname to an IP address (reverse IP address to hostname mapping).
BOOTP/DHCP Client
The DHCP and BOOTP clients handle predefined IP address configuration. The DHCPINFORM message type is sent to request Auto Config boot options.
Nonstop Forwarding on a Switch Stack
Networking devices, such as the PowerConnect 6200 Series switches, are often described in terms of three semi-independent functions called the forwarding plane, the control plane, and the management plane. The forwarding plane forwards data packets and is implemented in hardware. The control plane is the set of protocols that determine how the forwarding plane should forward packets, deciding which data packets are allowed to be forwarded and where they should go.
NOTE: The switch cannot guarantee that a backup unit has exactly the same data that the management unit has when it fails. For example, the management unit might fail before the checkpoint service gets data to the backup if an event occurs shortly before a failover. Table 9-3 lists the applications on the switch that checkpoint data and describes the type of data that is checkpointed. Table 9-3.
Switch Stack MAC Addressing and Stack Design Considerations
The switch stack uses the MAC addresses assigned to the management unit. If the backup unit assumes control due to a management unit failure or warm restart, the backup unit continues to use the original management unit’s MAC addresses. This reduces the amount of disruption to the network because ARP and other L2 entries in neighbor tables remain valid after the failover to the backup unit.
Configuration Examples
The actual configuration of the feature is simple. NSF is either enabled or disabled. The examples in this section describe how the NSF feature acts in various environments and with various switch applications.
Data Center
Figure 9-1 illustrates a data center scenario, where the stack of two PowerConnect 6200 Series switches acts as an access switch. The access switch is connected to two aggregation switches, AS1 and AS2.
VoIP
Figure 9-2 shows how nonstop forwarding maintains existing voice calls during a management unit failure. Assume the top unit is the management unit. When the management unit fails, the call from phone A is immediately disconnected. The call from phone B continues. On the uplink, the forwarding plane removes the failed LAG member and continues using the remaining LAG member. If phone B has learned VLAN or priority parameters through LLDP-MED, it continues to use those parameters.
Figure 9-3. NSF and DHCP Snooping (figure: hosts attached to the stack, a LAG uplink, and the DHCP server)
If the management unit fails, all hosts connected to that unit lose network access until that unit reboots. The hardware on surviving units continues to enforce the source filters that IPSG installed prior to the failover. Valid hosts continue to communicate normally. During the failover, the hardware continues to drop data packets from unauthorized hosts so that security is not compromised.
Storage Access Network Scenario
Figure 9-4 illustrates a stack of three PowerConnect 6200 Series switches connecting two servers (iSCSI initiators) to a disk array (iSCSI targets). There are two iSCSI connections as follows:
Session A: 10.1.1.10 to 10.1.1.3
Session B: 10.1.1.11 to 10.1.1.
Routed Access Scenario
Figure 9-5 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers. The top unit in the stack is the management unit.
Figure 9-5.