Dell PowerConnect M6220, M6348, M8024, and M8024-k Switch User’s Configuration Guide
Regulatory Models: PCM6220, PCM6348, PCM8024, and PCM8024-k
Notes and Cautions
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.

Information in this publication is subject to change without notice. © 2013 Dell Inc. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.
1 Introduction
The Dell PowerConnect M6220, M6348, M8024, and M8024-k switches are Layer 3 blade switches that operate in the Dell PowerEdge M1000e system. The M1000e system can support up to 16 server blades and six PowerConnect M6220, M6348, M8024, and M8024-k blade switches. The PowerConnect M6220 switch supports stacking and provides 20 Gigabit Ethernet (GbE) ports (16 internal, 4 external) and two expansion slots for external uplinks.

Audience
This guide is for network administrators in charge of managing one or more PowerConnect M6220, M6348, M8024, and M8024-k switches. To obtain the greatest benefit from this guide, you should have a basic understanding of Ethernet networks and local area network (LAN) concepts.

Document Conventions
Table 1-1 describes the typographical conventions this document uses.
Table 1-1.

Additional Documentation
The following documents for the PowerConnect M6220, M6348, M8024, and M8024-k switches are available at support.dell.com/manuals:
• Getting Started Guide—provides information about the switch models in the series, including front and back panel features. It also describes the installation and initial configuration procedures.
• CLI Reference Guide—provides information about the command-line interface (CLI) commands used to configure and manage the switch.

2 Switch Features
This section describes the switch user-configurable software features.
NOTE: Before proceeding, read the release notes for this product. The release notes are part of the firmware download.

System Management Features

Multiple Management Options
You can use any of the following methods to manage the switch:
• Use a web browser to access the Dell OpenManage Switch Administrator interface. The switch contains an embedded Web server that serves HTML pages.
• Use a telnet client, SSH client, or a direct console connection to access the CLI. The CLI syntax and semantics conform as much as possible to common industry practice.
For information about enabling Simple mode, see "Managing General System Settings" on page 243.

Port Aggregator
The Port Aggregator feature minimizes the administration required for managing the PowerConnect M6220/M6348/M8024/M8024-k switch. When the switch is operating in Simple mode, the administrator can map internal ports to external ports without having to know anything about STP, VLANs, Link Aggregation or other L2/L3 protocols.

Integrated DHCP Server
PowerConnect M6220, M6348, M8024, and M8024-k switches include an integrated DHCP server that can deliver host-specific configuration information to hosts on the network. The switch DHCP server allows you to configure IP address pools (scopes), and when a host’s DHCP client requests an address, the switch DHCP server automatically assigns the host an address from the pool. For information about configuring the DHCP server settings, see "Configuring DHCP Server Settings" on page 883.

File Management
You can upload and download files such as configuration files and system images by using HTTP (web only), TFTP, Secure FTP (SFTP), or Secure Copy (SCP). Configuration file uploads from the switch to a server are a good way to back up the switch configuration. You can also download a configuration file from a server to the switch to restore the switch to the configuration in the downloaded file.

sFlow
sFlow is the standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources. The PowerConnect M6220, M6348, M8024, and M8024-k switches support sFlow version 5. For information about configuring and managing sFlow settings, see "Monitoring Switch Traffic" on page 369.

Stacking Features (PCM6220, PCM6348, and PCM8024-k Only)
NOTE: PowerConnect M6220 switches can be stacked only with other PowerConnect M6220 switches, and PowerConnect M8024-k switches can be stacked only with other PowerConnect M8024-k switches. PCM6220, PCM8024-k, and PCM6348 switches cannot be combined within the same stack.
For information about creating and maintaining a stack of switches, see "Managing a Switch Stack" on page 143.

Master Failover with Transparent Transition
The stacking feature supports a standby or backup unit that assumes the stack master role if the stack master fails. As soon as a stack master failure is detected, the standby unit initializes the control plane and enables all other stack units with the current configuration. The standby unit maintains a synchronized copy of the running configuration for the stack.
For information about configuring access and authentication profiles, see "Configuring Authentication, Authorization, and Accounting" on page 181.

Password-Protected Management Access
Access to the Web, CLI, and SNMP management interfaces is password protected, and there are no default users on the system. For information about configuring local user accounts, see "Configuring Authentication, Authorization, and Accounting" on page 181.

SSH/SSL
The switch supports Secure Shell (SSH) for secure, remote connections to the CLI and Secure Sockets Layer (SSL) to increase security when accessing the web-based management interface. For information about configuring SSH and SSL settings, see "Configuring Authentication, Authorization, and Accounting" on page 181.

Inbound Telnet Control
You can configure the switch to prevent new Telnet sessions from being established with the switch. Additionally, the Telnet port number is configurable.
• Dynamic ARP Inspection: By default, if Dynamic ARP Inspection packets are received on a port at a rate that exceeds 15 pps for 1 second, the port will be diagnostically disabled. The threshold is configurable up to 300 pps and the burst is configurable up to 15s long using the ip arp inspection limit command.
A port that is diagnostically disabled due to exceeding one of the above limits may be returned to service using the no shut command.
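An added example (not from the Dell guide) that models the Dynamic ARP Inspection rate limit described above, so candidate rate and burst values can be checked against observed per-second ARP counts before they are configured. It assumes the port trips once the count has exceeded the rate for `burst` consecutive seconds; the function names and sample counts are constructed for illustration.

```python
# Model of the DAI rate limit: which ports would be diagnostically disabled,
# and when, for a given rate (pps) and burst interval (seconds).
DEFAULT_RATE_PPS = 15   # default threshold stated in the guide
DEFAULT_BURST_S = 1     # default burst interval stated in the guide
MAX_RATE_PPS = 300      # upper bound stated in the guide
MAX_BURST_S = 15        # upper bound stated in the guide


def first_disable_second(arp_per_second, rate=DEFAULT_RATE_PPS, burst=DEFAULT_BURST_S):
    """Return the 0-based second at which the port would be disabled, or None.

    Assumption: the limit trips once the per-second ARP count has been
    above `rate` for `burst` consecutive seconds.
    """
    if rate < 0 or rate > MAX_RATE_PPS:
        raise ValueError("rate must be between 0 and %d pps" % MAX_RATE_PPS)
    if burst < 1 or burst > MAX_BURST_S:
        raise ValueError("burst must be between 1 and %d seconds" % MAX_BURST_S)
    run = 0  # consecutive seconds above the threshold so far
    for second, count in enumerate(arp_per_second):
        run = run + 1 if count > rate else 0
        if run >= burst:
            return second
    return None


def evaluate(ports, rate=DEFAULT_RATE_PPS, burst=DEFAULT_BURST_S):
    """Apply the limit to every port; maps port name -> trip second or None."""
    return {name: first_disable_second(counts, rate, burst)
            for name, counts in ports.items()}


# Constructed per-second ARP counts for three untrusted ports.
SAMPLE = {
    "host":       [2, 5, 6, 1, 0, 3],            # ordinary workstation
    "hypervisor": [4, 40, 38, 5, 2, 1],          # short, legitimate burst
    "flood":      [3, 120, 118, 125, 119, 121],  # sustained ARP flood
}

if __name__ == "__main__":
    print("defaults (15 pps, 1 s):", evaluate(SAMPLE))
    print("tuned    (30 pps, 3 s):", evaluate(SAMPLE, rate=30, burst=3))
```

With the defaults, the short legitimate burst disables its port as quickly as the flood does; the tuned values still catch the sustained flood while leaving the burst alone.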

Dot1x Monitor Mode
Monitor mode can be enabled in conjunction with Dot1x authentication to allow network access even when the user fails to authenticate. The switch logs the results of the authentication process for diagnostic purposes. The main purpose of this mode is to help troubleshoot the configuration of a Dot1x authentication on the switch without affecting the network access to the users of the switch.

Time-Based ACLs
With the Time-based ACL feature, you can define when an ACL is in effect and the amount of time it is in effect. For information about configuring time-based ACLs, see "Configuring Access Control Lists" on page 523.

IP Source Guard (IPSG)
IP source guard (IPSG) is a security feature that filters IP packets based on the source ID. The source ID may be either a source IP address or a source IP address and source MAC address pair.

Protected Ports (Private VLAN Edge)
Private VLAN Edge (PVE) ports are a Layer 2 security feature that provides port-based security between ports that are members of the same VLAN. It is an extension of the common VLAN. Traffic from protected ports is sent only to the uplink ports and cannot be sent to other ports within the VLAN. For information about configuring protected ports, see "Configuring Port-Based Traffic Control" on page 687.

Switching Features

Flow Control Support (IEEE 802.

Jumbo Frames Support
Jumbo frames enable transporting data in fewer frames to ensure less overhead, lower processing time, and fewer interrupts. For information about configuring the port MTU, see "Configuring Port Characteristics" on page 463.

Auto-MDI/MDIX Support
Your switch supports auto-detection between crossed and straight-through cables.

Auto Negotiation
Auto negotiation allows the switch to advertise modes of operation. The auto negotiation function provides the means to exchange information between two switches that share a point-to-point link segment, and to automatically configure both switches to take maximum advantage of their transmission capabilities. PowerConnect M6220, M6348, M8024, and M8024-k switches enhance auto negotiation by providing configuration of port advertisement.

Static and Dynamic MAC Address Tables
You can add static entries to the switch’s MAC address table and configure the aging time for entries in the dynamic MAC address table. You can also search for entries in the dynamic table based on several different criteria. For information about viewing and managing the MAC address table, see "Managing the MAC Address Table" on page 861.

Link Layer Discovery Protocol (LLDP)
The IEEE 802.

Priority-based Flow Control (PFC)
NOTE: PFC is supported only on the PCM8024-k. The PCM6220, PCM6348, and PCM8024 switches do not support PFC.
The Priority-based Flow Control feature allows the switch to pause or inhibit transmission of individual priorities within a single physical link. By configuring PFC to pause a congested priority (priorities) independently, protocols that are highly loss sensitive can share the same link with traffic that has different loss tolerances.
The FCoE Initialization Protocol (FIP) is used to perform the functions of FC_BB_E device discovery, initialization, and maintenance as defined in the ANSI T11 FC-BB-5 specification. The PCM8024-k switch supports FIP snooping, which is a frame inspection method used by FIP Snooping Bridges to monitor FIP frames and apply policies based upon the L2 header information in those frames. For information about configuring the FIP Snooping feature, see "Configuring Data Center Bridging Features" on page 837.
Port-Based VLANs Port-based VLANs classify incoming packets to VLANs based on their ingress port. When a port uses 802.1X port authentication, packets can be assigned to a VLAN based on the result of the 802.1X authentication a client uses when it accesses the switch. This feature is useful for assigning traffic to Guest VLANs or Voice VLANs. IP Subnet-based VLAN This feature allows incoming untagged packets to be assigned to a VLAN and traffic class based on the source IP address of the packet.
Guest VLAN
The Guest VLAN feature allows a switch to provide a distinguished service to unauthenticated users. This feature provides a mechanism that gives visitors and contractors network access to reach external networks, with no ability to browse information on the internal LAN. For information about configuring the Guest VLAN, see "Configuring Port and System Security" on page 481.
Double VLANs
The Double VLAN feature (IEEE 802.1QinQ) allows the use of a second tag on network traffic.
Spanning Tree Protocol Features For information about configuring Spanning Tree Protocol features, see "Configuring the Spanning Tree Protocol" on page 629. Spanning Tree Protocol (STP) Spanning Tree Protocol (IEEE 802.1D) is a standard requirement of Layer 2 switches that allows bridges to automatically prevent and resolve L2 forwarding loops.
Bridge Protocol Data Unit (BPDU) Guard Spanning Tree BPDU Guard is used to disable the port in case a new device tries to enter the already existing topology of STP. Thus devices, which were originally not a part of STP, are not allowed to influence the STP topology. BPDU Filtering When spanning tree is disabled on a port, the BPDU Filtering feature allows BPDU packets received on that port to be dropped.
achievable between a given pair of systems. LACP automatically determines, configures, binds, and monitors the binding of ports to aggregators within the system.
Routing Features Address Resolution Protocol (ARP) Table Management You can create static ARP entries and manage many settings for the dynamic ARP table, such as age time for entries, retries, and cache size. For information about managing the ARP table, see "Configuring IP Routing" on page 907. VLAN Routing PowerConnect M6220, M6348, M8024, and M8024-k switches support VLAN routing. You can also configure the software to allow traffic on a VLAN to be treated as if the VLAN were a router port.
BOOTP/DHCP Relay Agent The switch BootP/DHCP Relay Agent feature relays BootP and DHCP messages between DHCP clients and DHCP servers that are located in different IP subnets. For information about configuring the BootP/DHCP Relay agent, see "Configuring L2 and L3 Relay Features" on page 931. IP Helper and UDP Relay The IP Helper and UDP Relay features provide the ability to relay various protocols to servers on a different subnet.
Virtual Router Redundancy Protocol (VRRP) VRRP provides hosts with redundant routers in the network topology without any need for the hosts to reconfigure or know that there are multiple routers. If the primary (master) router fails, a secondary router assumes control and continues to use the virtual router IP (VRIP) address.
IPv6 Routes Because IPv4 and IPv6 can coexist on a network, the router on such a network needs to forward both traffic types. Given this coexistence, each switch maintains a separate routing table for IPv6 routes. The switch can forward IPv4 and IPv6 traffic over the same set of interfaces. For information about configuring IPv6 routes, see "Configuring IPv6 Routing" on page 1081. OSPFv3 OSPFv3 provides a routing protocol for IPv6 networking.
Quality of Service (QoS) Features NOTE: Some features that can affect QoS, such as ACLs and Voice VLAN, are described in other sections within this chapter. Differentiated Services (DiffServ) The QoS Differentiated Services (DiffServ) feature allows traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors. PowerConnect M6220, M6348, M8024, and M8024-k switches support both IPv4 and IPv6 packet classification.
Internet Small Computer System Interface (iSCSI) Optimization NOTE: iSCSI is supported on the PCM6348, PCM8024, and PCM8024-k switches. The M6220 switch does not support iSCSI. The iSCSI Optimization feature helps network administrators track iSCSI traffic between iSCSI initiator and target systems. This is accomplished by monitoring, or snooping traffic to detect packets used by iSCSI stations in establishing iSCSI sessions and connections.
IGMP Snooping Querier When Protocol Independent Multicast (PIM) and IGMP are enabled in a network with IP multicast routing, the IP multicast router acts as the IGMP querier. However, if it is desirable to keep the multicast network Layer 2 switched only, the IGMP Snooping Querier can perform the query functions of a Layer 3 multicast router.
Layer 3 Multicast Features For information about configuring L3 multicast features, see "Managing IPv4 and IPv6 Multicast" on page 1177. Distance Vector Multicast Routing Protocol Distance Vector Multicast Routing Protocol (DVMRP) exchanges probe packets with all DVMRP-enabled routers, establishing two way neighboring relationships and building a neighbor table. It exchanges report packets and creates a unicast topology table, which is used to build the multicast routing table.
Protocol Independent Multicast—Sparse Mode Protocol Independent Multicast-Sparse Mode (PIM-SM) is used to efficiently route multicast traffic to multicast groups that may span wide area networks, and where bandwidth is a constraint. PIM-SM uses shared trees by default and implements source-based trees for efficiency. This data threshold rate is used to toggle between trees.
Switch Features
3 Hardware Overview
This section provides an overview of the switch hardware. The topics covered in this section include:
• PowerConnect M6220, M6348, M8024, and M8024-k Front Panel
• Console (RS-232) Port
• Out-of-Band Management Port
• LED Definitions
• Switch Addresses
PowerConnect M6220, M6348, M8024, and M8024-k Front Panel
The images in this section show the front panels of the PowerConnect M6220, M6348, M8024, and M8024-k switches.
Figure 3-1. PowerConnect M6220 Front Panel (callouts: Stacking Module or 10 Gb Module; 10 Gb Module; 10/100/1000Base-T Auto-sensing Full-Duplex RJ-45 Ports; Console Port)
• The switch automatically detects crossed and straight-through cables on RJ-45 ports.
• The 10/100/1000Base-T Auto-sensing RJ-45 ports support half- and full-duplex mode.
PowerConnect M6348 Front Panel The PowerConnect M6348 front panel provides 16 10/100/1000Base-T ports. There are also 32 internal 1 gigabit ports that connect to each of the server blades. Figure 3-2.
PowerConnect M8024 Front Panel The PowerConnect M8024 front panel supports up to eight 10-gigabit ports. It has two 10-gigabit bays that can support SFP+, CX-4, or 10GBase-T modules. The SFP+ Module supports four ports, the CX-4 module supports three ports, and the 10GBase-T module supports two ports. The modules can be used in any combination and are sold separately. There are also 16 internal 10-gigabit ports that connect to each of the server blades. Figure 3-3.
PowerConnect M8024-k Front Panel The PowerConnect M8024-k front panel includes four SFP+ ports and an expansion slot for 10-Gigabit modules. The expansion slot can support SFP+, CX-4, or 10GBase-T modules. The SFP+ Module supports four ports, the CX-4 module supports three ports, and the 10GBase-T module supports two ports. Each module is sold separately. There are also 16 internal 10-gigabit ports that connect to each of the server blades.
NOTE: If you are installing a stack of switches, you need to assemble and cable the stack before powering up and configuring it. When a stack is powered up for the first time, the switches elect a stack master, which may occupy any location in the stack. Connect the terminal to the stack master. If you connect the terminal to a subordinate switch, you will not be able to use the CLI.
LED Definitions
This section describes the LEDs on the front panel of the switch and on the optional modules that plug into the back panel.
Port LEDs
The integrated external 10/100/1000Base-T switch ports on the PowerConnect M6220 and M6348 switches include two LEDs. The integrated SFP+ switch ports on the PowerConnect M8024-k include one LED.
10/100/1000Base-T Port LEDs (PowerConnect M6220 and M6348)
Each integrated external 10/100/1000Base-T port on the PCM6220 and PCM6348 has two LEDs.
SFP+ Port LEDs (PowerConnect M6348 and M8024-k)
Each integrated SFP port on the PowerConnect M6348 switch includes two LEDs. Table 3-3 contains SFP port LED definitions for the PowerConnect M6348.
Table 3-2. PowerConnect M6348 SFP+ Port LEDs Definitions
LED | Color/Activity | Definition
LNK | Solid green | The port is linked.
LNK | Off | The port is not linked.
ACT | Blinking green | The port is sending and/or receiving network traffic.
Each integrated SFP port on the PowerConnect M8024-k switch includes one LED.
Table 3-4. 10GBase-T Module Definitions
LED | Color | Definition
Link/Speed | Solid Green | The link is operating at 10 Gbps.
Link/Speed | Solid Yellow | The link is operating at a speed other than 10 Gbps.
Link/Speed | Off | No link.
Act | Blinking Green | Activity.
Act | Off | No activity.
Wrong Bay (PCM6220 Only) | Solid Red | Module is in the wrong bay.
NOTE: On the PowerConnect M6220, the module must be inserted into Bay 2 to operate. When the module is inserted into Bay 1, it will not operate and the Wrong Bay LED is solid red.
System LEDs The system LEDs for the PowerConnect M6220, M6348, M8024, and M8024-k switches are located on the right side of the front panel next to the console port. Figure 3-6. System LEDs System Status LED System Power LED Table 3-6 contains the status LED definitions for the PowerConnect M6220 and M6348 switches. Table 3-6. PCM6220 and PCM6348 Power and Status LED Definitions LED Color Definition Green Power is being supplied to the switch. Off The switch does not have power.
Table 3-7 contains the status LED definitions for the PowerConnect M8024 and M8024-k switches. Table 3-7. PCM8024 and PCM8024-k Power and Status LED Definitions LED Color Definition Green Power is being supplied to the switch. Off The switch does not have power. Blue The switch is operating normally. Off The switch is powered off. Amber A fault has occurred, or the switch is currently booting.
Shown below are three commands that display the MAC addresses used by the switch:
console#show system
System Description: Dell Ethernet Switch
System Up Time: 0 days, 00h:05m:11s
System Contact:
System Name:
System Location:
Burned In MAC Address: 001E.C9F0.004D
System Object ID: 1.3.6.1.4.1.674.10895.
console#show ip interface out-of-band
IP Address..................................... 10.27.21.29
Subnet Mask.................................... 255.255.252.0
Default Gateway................................ 10.27.20.1
Configured IPv4 Protocol....................... DHCP
Burned In MAC Address.......................... 001E.C9F0.004E
console#show ip interface vlan 1
Routing Interface Status.......................
Primary IP Address.............................
Method........................................
4 Using Dell OpenManage Switch Administrator
This section describes how to use the Dell OpenManage Switch Administrator application.
Starting the Application
To access the Dell OpenManage Switch Administrator and log on to the switch:
1 Open a web browser.
2 Enter the IP address of the switch in the address bar and press . For information about assigning an IP address to a switch, see "Setting the IP Address and Other Basic Network Information" on page 123.
3 When the Login window displays, enter a user name and password. Passwords are both case sensitive and alpha-numeric.
Figure 4-1.
5 The Dell OpenManage Switch Administrator home page displays. The home page is the Device Information page, which contains a graphical representation of the front panel of the switch. For more information about the home page, see "Device Information" on page 213.
Figure 4-2. Switch Administrator Components Navigation Panel Page Tabs Links Save, Print, Refresh, Help Configuration and Status Options Command Button Using the Switch Administrator Buttons and Links Table 4-2 describes the buttons and links available from the Dell OpenManage Switch Administrator interface. Table 4-2. Button and Link Descriptions Button or Link Description Support Opens the Dell Support page at support.dell.
Table 4-2. Button and Link Descriptions (Continued)
Button or Link | Description
Print | Opens the printer dialog box that allows you to print the current page. Only the main panel prints.
Refresh | Refreshes the screen with the current information.
Help | Online help that contains information to assist in configuring and managing the switch. The online help pages are context sensitive. For example, if the IP Addressing page is open, the help topic for that page displays if you click Help.
Understanding the Device View
The Device View shows various information about the switch. This graphic appears on the OpenManage Switch Administrator Home page, which is the page that displays after a successful login. The graphic provides information about switch ports and system health.
Figure 4-3. PowerConnect M8024-k Device View
Using the Device View Port Features
The switching-port coloring indicates if a port is currently active.
5 Using the Command-Line Interface
This section describes how to use the Command-Line Interface (CLI) on a PowerConnect M6220/M6348/M8024/M8024-k switch. The topics covered in this section include:
• Accessing the Switch Through the CLI
• Understanding Command Modes
• Entering CLI Commands
Accessing the Switch Through the CLI
The CLI provides a text-based way to manage and monitor the PowerConnect M6220/M6348/M8024/M8024-k switch.
2 Start the terminal emulator, such as Microsoft HyperTerminal, and select the appropriate serial port (for example, COM 1) to connect to the console.
3 Configure the management station serial port with the following settings:
• Data rate — 9600 baud.
• Data format — 8 data bits
• Parity — None
• Stop bits — 1
• Flow control — None
When you have successfully connected to the switch and configured the terminal settings, the console> prompt displays, and you can enter commands.
Understanding Command Modes The CLI groups commands into modes according to the command function. Each of the command modes supports specific software commands. The commands in one mode are not available until you switch to that particular mode, with the exception of the User EXEC mode commands. You can execute the User EXEC mode commands in the Privileged EXEC mode. To display the commands available in the current mode, enter a question mark (?) at the command prompt.
Table 5-1. Command Mode Overview
Command Mode | Access Method | Command Prompt | Exit or Access Previous Mode
User EXEC | The user is automatically in User EXEC mode unless the user is defined as a privileged user. | console> | logout
Privileged EXEC | From User EXEC mode, enter the enable command | console# | Use the exit command, or press Ctrl-Z to return to User EXEC mode.
Global Configuration | From Privileged EXEC mode, use the configure command. | console(config)# |
Entering CLI Commands
The switch CLI uses several techniques to help you enter commands.
Using the Question Mark to Get Help
Enter a question mark (?) at the command prompt to display the commands available in the current mode.
console(config-vlan)#?
exit       To exit from the mode.
help       Display help for various special keys.
ip         Configure IP parameters.
ipv6       Configure IPv6 parameters.
protocol   Configure the Protocols associated with particular Group Ids.
vlan       Create a new VLAN or delete an existing VLAN.
You can also enter a question mark (?) after typing one or more characters of a word to list the available command or parameters that begin with the letters, as shown in the following example:
console#show po?
policy-map   port   ports
Using Command Completion
The CLI can complete partially entered commands when you press the or key.
Understanding Error Messages
If you enter a command and the system is unable to execute it, an error message appears. Table 5-2 describes the most common CLI error messages.
Table 5-2. CLI Error Messages
Message Text | Description
% Invalid input detected at '^' marker. | Indicates that you entered an incorrect or unavailable command. The caret (^) shows where the invalid text is detected. This message also appears if any of the parameters or values are not recognized.
Table 5-3. History Buffer Navigation Keyword Source or Destination Up-arrow key Recalls commands in the history buffer, beginning with the most recent command. Repeats the key sequence to recall successively older commands. + Down-arrow key + Returns to more recent commands in the history buffer after recalling commands with the up-arrow key. Repeating the key sequence recalls more recent commands in succession.
Unit, Slot, and Port Numbers The unit, slot, and port numbers are separated by forward slashes and follow the port type. For switches that do not support stacking (PCM8024 and PCM8024-k), the unit number is always 1. For stackable switches (PCM6220 and PCM6348), the unit number can be 1–12. All internal and external integrated ports are in slot 0. For the PCM6220 and PCM8024 switches, the slot number can also be 1 or 2 if optional modules are installed. For the PCM8024-k, the slot number can be 0 or 1.
6 Default Settings
This section describes the default settings for many of the software features on the PowerConnect M6220, M6348, M8024, and M8024-k switches.
Table 6-1. Default Settings
Feature | Default
IP address | None
Subnet mask | None
Default gateway | None
DHCP client | Enabled on out-of-band (OOB) interface.
Table 6-1.
Table 6-1. Default Settings (Continued) Feature Default Flow Control Support (IEEE 802.
Table 6-1. Default Settings (Continued)
Feature | Default
Multiple Spanning Tree | Disabled
Link Aggregation | No LAGs configured
LACP System Priority | 1
Routing Mode | Disabled
OSPF Admin Mode | Enabled
OSPF Router ID | 0.0.0.
7 Setting the IP Address and Other Basic Network Information
This chapter describes how to configure basic network information for the switch, such as the IP address, subnet mask, and default gateway.
Table 7-1. Basic Network Information (Continued)
Feature | Description
Default Gateway | Typically a router interface that is directly connected to the switch and is in the same subnet. The switch sends IP packets to the default gateway when it does not recognize the destination IP address in a packet.
DHCP Client | Requests network information from a DHCP server on the network.
Domain Name System (DNS) Server | Translates hostnames into IP addresses.
server on the network, you must identify the TFTP server. If you configure the switch to use a DNS server to resolve hostnames into IP addresses, you can enter the hostname of the TFTP server instead of the IP address. It is often easier to remember a hostname than an IP address, and if the IP address is dynamically assigned, it might change from time to time.
How Is Basic Network Information Configured?
You must use a console-port connection to perform the initial switch configuration.
TFTP. If using the out-of-band management port, it is strongly recommended that the port be connected only to a physically isolated secure management network. NOTE: The OOB port is an internal Ethernet interface that is connected to the chassis management controller through the chassis mid-plane. Alternatively, network administrators may choose to manage their network via the production network. This is in-band management.
Adjusting the Management Interface MTU When logging in to the PowerConnect switch using TCP, the switch negotiates the TCP Maximum Segment Size (MSS) using the minimum of the requested MSS or the MTU setting of the port. TCP packets are transmitted from the switch with the DF (Don't Fragment) bit set in order to receive notification of fragmentation from any transit routers. Upon receiving an ICMP Destination Unreachable, Fragmentation needed but DF set notification, the switch will reduce the MSS.
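The MSS behaviour described above, worked through as an added Python example (not Dell code and not taken from the switch firmware). It assumes IPv4 with 40 bytes of header overhead, RFC 1191 handling of the next-hop MTU and the RFC 5927 in-flight sequence check; the Conn record, function names and addresses are constructed for illustration.

```python
import socket
import struct
from dataclasses import dataclass

IPV4_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
MIN_IPV4_MTU = 68        # RFC 1191: never lower the path MTU estimate below 68


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def negotiate_mss(requested_mss: int, port_mtu: int) -> int:
    """Smaller of the peer's requested MSS and what the port MTU can carry.
    Assumption: the MTU is compared after subtracting the 40 header bytes."""
    return min(requested_mss, port_mtu - IPV4_TCP_OVERHEAD)


@dataclass
class Conn:
    """Hypothetical record of one TCP session to the management interface."""
    local: str
    remote: str
    lport: int
    rport: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number to send
    mss: int


def parse_frag_needed(icmp: bytes) -> dict:
    """Decode ICMP type 3 code 4 and the datagram header it quotes."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError("not Destination Unreachable / Fragmentation needed")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    ver_ihl, _, _, _, flags, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", icmp[8:28])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(icmp) < 8 + ihl + 8:
        raise ValueError("malformed quoted IPv4 header")
    if proto != 6 or not flags & 0x4000:
        raise ValueError("quoted datagram is not TCP with DF set")
    sport, dport, seq = struct.unpack("!HHI", icmp[8 + ihl:8 + ihl + 8])
    return {"mtu": mtu, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "seq": seq}


def apply_frag_needed(conn: Conn, icmp: bytes) -> int:
    """Return the MSS to use after this ICMP message; unchanged if rejected."""
    q = parse_frag_needed(icmp)
    same_flow = (q["src"], q["sport"], q["dst"], q["dport"]) == (
        conn.local, conn.lport, conn.remote, conn.rport)
    # The quoted sequence number must be data still in flight (RFC 5927 check),
    # otherwise a forged message from an off-path host could shrink the MSS.
    in_flight = ((q["seq"] - conn.snd_una) % 2**32
                 < (conn.snd_nxt - conn.snd_una) % 2**32)
    if not (same_flow and in_flight) or q["mtu"] == 0:
        return conn.mss
    new_mss = max(q["mtu"], MIN_IPV4_MTU) - IPV4_TCP_OVERHEAD
    conn.mss = min(conn.mss, new_mss)   # the MSS is only ever lowered here
    return conn.mss


def build_frag_needed(mtu, src, dst, sport, dport, seq) -> bytes:
    """Constructed sample of the notification a transit router sends back."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 63, 6,
                         0, socket.inet_aton(src), socket.inet_aton(dst))
    quoted += struct.pack("!HHI", sport, dport, seq)
    csum = inet_checksum(struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted)
    return struct.pack("!BBHHH", 3, 4, csum, 0, mtu) + quoted


def demo() -> list:
    """Constructed scenario; the addresses are documentation ranges."""
    sw, peer = "192.0.2.10", "198.51.100.7"
    conn = Conn(sw, peer, 22, 50000, 1000, 5000, negotiate_mss(1460, 1500))
    genuine = build_frag_needed(1400, sw, peer, 22, 50000, 2000)
    forged = build_frag_needed(576, sw, peer, 22, 50000, 900000)
    start = conn.mss
    after_forged = apply_frag_needed(conn, forged)    # rejected, MSS kept
    after_genuine = apply_frag_needed(conn, genuine)  # accepted, MSS lowered
    return [start, after_forged, after_genuine]
```

If a firewall between the management station and the switch drops ICMP type 3 code 4, the notification never arrives and the reduction shown here cannot happen.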
Configuring Basic Network Information (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring basic network information on the PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. Out-of-Band Interface Use the Out of Band Interface page to assign the Out of Band Interface IP address and subnet mask or to enable/disable the DHCP client for address information assignment.
IP Interface Configuration (Default VLAN IP Address) Use the IP Interface Configuration page to assign the Default VLAN IP address and Subnet Mask, the Default Gateway IP address, and to assign the boot protocol. To display the IP Interface Configuration page, click Routing → IP → IP Interface Configuration in the navigation panel. Figure 7-2.
4 If you select Manual for the configuration method, specify the IP Address and Subnet Mask in the appropriate fields.
5 Click Apply.
NOTE: You do not need to configure any additional fields on the page. For information about VLAN routing interfaces, see "Configuring Routing Interfaces" on page 867.
Route Entry Configuration (Switch Default Gateway)
Use the Route Entry Configuration page to configure the default gateway for the switch.
Configuring a Default Gateway for the Switch:
To configure the switch default gateway:
1 Open the Route Entry Configuration page.
2 From the Route Type field, select Default.
Figure 7-4. Default Route Configuration (Default VLAN)
3 In the Next Hop IP Address field, enter the IP address of the default gateway.
4 Click Apply.
For more information about configuring routes, see "Configuring IP Routing" on page 907.
Domain Name Server Use the Domain Name Server page to configure the IP address of the DNS server. The switch uses the DNS server to translate hostnames into IP addresses. To display the Domain Name Server page, click System → IP Addressing → Domain Name Server in the navigation panel. Figure 7-5. DNS Server To configure DNS server information, click the Add link and enter the IP address of the DNS server in the available field. Figure 7-6.
Default Domain Name Use the Default Domain Name page to configure the domain name the switch adds to a local (unqualified) hostname. To display the Default Domain Name page, click System → IP Addressing → Default Domain Name in the navigation panel. Figure 7-7.
Host Name Mapping Use the Host Name Mapping page to assign an IP address to a static host name. The Host Name Mapping page provides one IP address per host. To display the Host Name Mapping page, click System → IP Addressing → Host Name Mapping. Figure 7-8. Host Name Mapping To map a host name to an IP address, click the Add link, type the name of the host and its IP address in the appropriate fields, and then click Apply. Figure 7-9.
Dynamic Host Name Mapping
Use the Dynamic Host Name Mapping page to view dynamic host entries the switch has learned. The switch learns hosts dynamically by using the configured DNS server to resolve a hostname. For example, if you ping www.dell.com from the CLI, the switch uses the DNS server to look up the IP address of dell.com and adds the entry to the Dynamic Host Name Mapping table.
Configuring Basic Network Information (CLI) This section provides information about the commands you use to configure basic network information on the PowerConnect M6220/M6348/M8024/M8024-k switch. For more information about these commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Enabling the DHCP Client on the OOB Port Beginning in Privileged EXEC mode, use the following commands to enable the DHCP client on the OOB port.
Managing DHCP Leases
Beginning in Privileged EXEC mode, use the following commands to manage and troubleshoot DHCP leases on the switch.
Command | Purpose
release dhcp interface | Force the DHCPv4 client to release a leased address on the specified interface.
renew dhcp interface | Force the DHCP client to immediately renew an IPv4 address lease.
show dhcp lease interface [interface] | Display IPv4 addresses leased from a DHCP server.
Configuring Static Network Information on the OOB Port
Beginning in Privileged EXEC mode, use the following commands to configure a static IP address, subnet mask, and default gateway on the OOB port.
Command | Purpose
configure | Enter Global Configuration mode.
interface out-of-band | Enter Interface Configuration mode for the OOB port.
ip address ip_address subnet_mask [gateway_ip] | Configure a static IP address and subnet mask. Optionally, you can also configure a default gateway.
Configuring and Viewing Additional Network Information
Beginning in Privileged EXEC mode, use the following commands to configure a DNS server, the default domain name, and a static host name-to-address entry. Use the show commands to verify configured information and to view dynamic host name mappings.
Command | Purpose
configure | Enter Global Configuration mode.
ip domain-lookup | Enable IP DNS-based host name-to-address translation.
Basic Network Information Configuration Example In this example, an administrator at a Dell office in California decides not to use the Dell Easy Setup Wizard to perform the initial switch configuration. The administrator configures a PowerConnect M6220/M6348/M8024/M8024-k switch to obtain its information from a DHCP server on the network and creates the administrative user with read/write access. The administrator also configures the following information: • Primary DNS server: 10.27.138.
4 View the network information that the DHCP server on the network dynamically assigned to the switch.
console#show ip interface out-of-band
IP Address........................ 10.27.22.153
Subnet Mask...................... 255.255.255.0
Default Gateway.................. 10.27.22.1
Protocol Current................. DHCP
Burned In MAC Address............ 001E.C9AA.AA08
5 View additional network information.
console#show hosts
Host name: Default domain: sunny.dell.com dell.
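An added example, not part of the Dell guide or its tooling: a Python check that parses captured show ip interface out-of-band output in the format shown above and reports OOB interfaces addressed outside the management network or with a default gateway outside their own subnet. The management prefix, the switch names and every capture except the first are constructed assumptions.

```python
import ipaddress
import re

# "Label........ value" lines as printed by show ip interface out-of-band.
LINE = re.compile(r"^\s*(?P<key>[^.]+?)\.{2,}\s*(?P<value>.*?)\s*$")

# Assumption: the isolated management network uses this prefix.
MGMT_PREFIXES = [ipaddress.ip_network("10.27.20.0/22")]

CAPTURES = {
    # Output as printed in the configuration example above.
    "switch-a": """console#show ip interface out-of-band
IP Address........................ 10.27.22.153
Subnet Mask...................... 255.255.255.0
Default Gateway.................. 10.27.22.1
Protocol Current................. DHCP
Burned In MAC Address............ 001E.C9AA.AA08""",
    # Constructed: OOB port addressed from a non-management range.
    "switch-b": """console#show ip interface out-of-band
IP Address........................ 172.16.5.20
Subnet Mask...................... 255.255.255.0
Default Gateway.................. 172.16.5.1
Protocol Current................. DHCP
Burned In MAC Address............ 0000.5E00.5301""",
    # Constructed: gateway is not inside the interface's own subnet.
    "switch-c": """console#show ip interface out-of-band
IP Address........................ 10.27.21.40
Subnet Mask...................... 255.255.255.0
Default Gateway.................. 10.27.20.1
Protocol Current................. None
Burned In MAC Address............ 0000.5E00.5302""",
    # Constructed: labels present but no values, e.g. no lease obtained yet.
    "switch-d": """console#show ip interface out-of-band
IP Address........................
Subnet Mask......................
Default Gateway..................""",
}


def parse_show(output: str) -> dict:
    """Map each dotted-leader label to its value ('' when the field is empty)."""
    fields = {}
    for line in output.splitlines():
        m = LINE.match(line)
        if m:
            fields[m["key"].strip()] = m["value"]
    return fields


def audit_oob(output: str, mgmt_prefixes=MGMT_PREFIXES) -> list:
    """Return a list of findings for one capture; empty means no finding."""
    f = parse_show(output)
    ip, mask, gw = (f.get(k, "") for k in
                    ("IP Address", "Subnet Mask", "Default Gateway"))
    if not ip or not mask:
        return ["no-address: OOB interface has no IPv4 address in this capture"]
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        gateway = ipaddress.ip_address(gw) if gw else None
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    findings = []
    if not any(iface.ip in net for net in mgmt_prefixes):
        findings.append(f"outside-mgmt-network: {iface.ip}")
    if gateway is not None and gateway not in iface.network:
        findings.append(f"gateway-off-subnet: {gateway} not in {iface.network}")
    return findings


def audit_all(captures=CAPTURES) -> dict:
    """Audit every capture and key the findings by switch name."""
    return {name: audit_oob(text) for name, text in captures.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "ok")
```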
8 Managing a Switch Stack
This chapter describes how to configure and manage a stack of switches.
NOTE: Stacking is supported on the PowerConnect M6220, PowerConnect M6348, and PowerConnect M8024-k switches. PowerConnect M8024 switches do not support stacking.
NOTE: Each PowerConnect M6220 switch in the stack must have the optional Stacking module installed in Bay 1. NOTE: PowerConnect M6348, M6220, and M8024-k switches cannot be stacked together. A stack is created by daisy-chaining stacking links on adjacent units. Up to eight links per stack unit can be used for stacking (four in each direction). A stack of units is manageable as a single entity when the units are connected together.
Connecting switches in a ring topology allows the stack to utilize the redundant communication path to each switch. If a switch in a ring topology fails, the stack can automatically establish a new communications path to the other switches. Switches not stacked in a ring topology may split into multiple independent stacks upon the failure of a single switch or stacking link.
Figure 8-1. Connecting a Stack of PowerConnect M6220 Switches M6220 Switches Stacking Cables The stack in Figure 8-1 has six M6220 switches connected through the stacking ports. The first stacking port on each switch is physically connected to the second stacking port on the next switch by using a stacking cable. The first stacking port on switch six is connected to the second stacking port on switch one.
1 For each switch in the stack, connect one of the short stacking cables from stacking port one on the switch to stacking port two on the next switch.
2 If necessary, use a separately purchased, long (3 meter) stacking cable to connect the switches. Repeat this process until all of the devices are connected.
3 Use the remaining stacking cable to connect the remaining free ports, from port one of the last switch to port two of the first switch.
Figure 8-2.
1 If you are using the 10G SFP+ ports for stacking, use the CLI or web interface to configure the ports for stacking. By default, the ports are configured to operate in Ethernet mode. For more information about configuring the port mode, see "Stack Port Summary" on page 163 (Web) or "Configuring Stack Member, Stack Port, and NSF Settings" on page 167 (CLI).
2 For each switch in the stack, connect one cable from a stacking port on the switch to a stacking port on the next switch.
Figure 8-3. Connecting a Stack of PowerConnect M8024-k Switches SFP+ Ports Configured as Stack Ports Fiber Optic Cables Connect the Stack PowerConnect 7000 Series and M6348 Stacking Compatibility The stack can contain any combination of switch models in the PowerConnect 7000 Series as well as the PowerConnect M6348 switch, as long as all switches are running the same firmware version.
How is the Stack Master Selected?
A stack master is elected or re-elected based on the following considerations, in order:
1 The switch is currently the stack master.
2 The switch has the higher MAC address.
3 A unit is selected as standby by the administrator, and a fail over action is manually initiated or occurs due to stack master failure.
In most cases, a switch that is added to an existing stack will become a stack member, and not the stack master.
• If the unit number is configured and there are no other devices using the unit number, then the switch starts using the configured unit number.
• If the switch detects that the maximum number of units already exist in the stack making it unable to assign a unit number, then the switch sets its unit number to unassigned and does not participate in the stack.
Removing a Switch from the Stack Prior to removing a member from a stack, check that other members of the stack will not become isolated from the stack due to the removal. Check the stack-port error counters to ensure that a stack configured in a ring topology can establish a communication path around the member to be removed. The main point to remember when you remove a unit from the stack is to disconnect all the links on the stack member to be removed.
What is Stacking Standby? A standby unit is preconfigured in the stack. If the current stack master fails, the standby unit becomes the stack master. If no switch is pre-configured as the standby unit, the software automatically selects a standby unit from the existing stack units. When the failed master resumes normal operation, it joins the stack as a member (not a master) if the new stack master has already been elected.
1 A protocol can distribute a part of its control plane to stack units so that the protocol can give the appearance that it is still functional during the restart.
2 A protocol may enlist the cooperation of its neighbors through a technique known as graceful restart.
3 A protocol may simply restart after the failover if neighbors react slowly enough that they will not normally detect the outage.
The NSF checkpoint service allows the stack master to communicate certain data to the backup unit in the stack. When the stack selects a backup unit, the checkpoint service notifies applications to start a complete checkpoint. After the initial checkpoint is done, applications checkpoint changes to their data. NOTE: The switch cannot guarantee that a backup unit has exactly the same data that the stack master has when it fails.
Table 8-1. Applications that Checkpoint Data
Application    Checkpointed Data
SIM            The system's MAC addresses. System up time. IP address, network mask, default gateway on each management interface, DHCPv6 acquired IPv6 address.
Voice VLAN     VoIP phones identified by CDP or DHCP (not LLDP)

Switch Stack MAC Addressing and Stack Design Considerations
The switch stack uses the MAC addresses assigned to the stack master.
NOTE: Each switch is assigned three consecutive MAC addresses.
LAG members that remain up. If a LAG is left with no active members, the LAG goes down. To prevent a LAG from going down, configure LAGs with members on multiple units within the stack, when possible. If a stack unit fails, the system can continue to forward on the remaining members of the stack. If your switch stack performs VLAN routing, another way to take advantage of NSF is to configure multiple “best paths” to the same destination on different stack members.
Managing and Monitoring the Stack (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring stacking on a PowerConnect M6220, PowerConnect M6348, or PowerConnect M8024-k switch. For details about the fields on a page, click at the top of the page.
NOTE: The changes you make to the Stacking configuration pages take effect only after the device is reset.
Changing the ID or Switch Type for a Stack Member
To change the switch ID or type:
1 Open the Unit Configuration page.
2 Click Add to display the Add Unit page.
Figure 8-5. Add Remote Log Server Settings
3 Specify the switch ID, and select the model number of the switch.
4 Click Apply.
Stack Summary
Use the Stack Summary page to view a summary of switches participating in the stack. To display the Stack Summary page, click System → Stack Management → Stack Summary in the navigation panel.
Figure 8-6.
Stack Firmware Synchronization
Use the Stack Firmware Synchronization page to control whether the firmware image on a new stack member can be automatically upgraded or downgraded to match the firmware image of the stack master. To display the Stack Firmware Synchronization page, click System → Stack Management → Stack Firmware Synchronization in the navigation panel.
Figure 8-7.
Supported Switches
Use the Supported Switches page to view information regarding each type of supported switch for stacking, and information regarding the supported switches. To display the Supported Switches page, click System → Stack Management → Supported Switches in the navigation panel.
Figure 8-8.
Stack Port Summary
Use the Stack Port Summary page to configure the stack-port mode and to view information about the stackable ports. This screen displays the unit, the stackable interface, the configured mode of the interface, the running mode as well as the link status and link speed of the stackable port.
NOTE: By default the ports on the PCM8024-k are configured to operate as Ethernet ports. To configure a port as a stack port, you must change the Configured Stack Mode setting from Ethernet to Stack.
Stack Port Counters
Use the Stack Port Counters page to view the transmitted and received statistics, including data rate and error rate. To display the Stack Port Counters page, click System → Stack Management → Stack Point Counters in the navigation panel.
Figure 8-10.
NSF Summary
Use the NSF Summary page to change the administrative status of the NSF feature and to view NSF information.
NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over stack master responsibility. To configure NSF on a stack that uses OSPF or OSPFv3, see "NSF OSPF Configuration (PCM6220, PCM6348, and PCM8024-k Only)" on page 981 and "NSF OSPFv3 Configuration (PCM6220, PCM6348, and PCM8024-k Only)" on page 998.
Checkpoint Statistics
Use the Checkpoint Statistics page to view information about checkpoint messages generated by the stack master. To display the Checkpoint Statistics page, click System → Stack Management → Checkpoint Statistics in the navigation panel.
Figure 8-12.
Managing the Stack (CLI)
This section provides information about the commands you use to manage the stack and view information about the switch stack. For more information about these commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.

Configuring Stack Member, Stack Port, and NSF Settings
Beginning in Privileged EXEC mode, use the following commands to configure stacking and NSF settings.
Command      Purpose
configure    Enter Global Configuration mode.
Command            Purpose
member unit SID    Add a switch to the stack and specify the model of the new stack member.
                   • unit - The switch unit ID
                   • SID - The index into the database of the supported switch types, indicating the type of the switch being preconfigured.
                   Note: Member configuration displayed in the running config may be learned from the physical stack. Member configuration is not automatically saved in the startup-config. Save the configuration to retain the current member settings.
Viewing and Clearing Stacking and NSF Information
Beginning in Privileged EXEC mode, use the following commands to view stacking information and to clear NSF statistics.
Command                              Purpose
show switch [stack-member-number]    View information about all stack members or the specified member.
show switch stack-standby            View the ID of the switch that will assume the role of the stack master if it goes down.
show switch stack-port               View information about the stacking ports.
• NSF and the Storage Access Network
• NSF and Routed Access

Basic Failover
In this example, the stack has four members that are connected in a ring topology, as Figure 8-13 shows.
Figure 8-13.
At this point, if Unit 2 is powered off or rebooted due to an unexpected failure, show switch gives the following output:
console#show switch
     Management       Standby   Preconfig   Plugged-in   Switch        Code
SW   Status           Status    Model ID    Model ID     Status        Version
---  ---------------  --------  ----------  -----------  ------------  --------
1    Stack Member               PCM6348     PCM6348      OK            9.19.0.2
2    Unassigned                 PCM6348                  Not Present   0.0.0.0
3    Mgmt Switch                PCM6348     PCM6348      OK            9.19.0.2
4    Stack Member               PCM6348     PCM6348      OK            9.19.0.
Preconfiguring a Stack Member
To preconfigure a stack member before connecting the physical unit to the stack, use the show support switchtype command to obtain the SID of the unit to be added. The example in this section demonstrates pre-configuring a PowerConnect 7048P switch on a stand-alone PowerConnect 6348 switch.
To configure the switch:
1 View the list of SIDs to determine which SID identifies the switch to preconfigure.
3 Confirm the stack configuration. Some of the fields have been omitted from the following output due to space limitations.
console#show switch
     Management   Standby   Preconfig   Plugged-in   Switch        Code
SW   Status       Status    Model ID    Model ID     Status        Version
---  ---------    -------   --------    ---------    ----------    -------
1    Mgmt Sw                PCM6348     PCM6348      OK            M.10.2
2    Unassigned             PCT7048P                 Not Present   0.0.0.
NSF in the Data Center
Figure 8-14 illustrates a data center scenario, where the stack of two PowerConnect switches acts as an access switch. The access switch is connected to two aggregation switches, AS1 and AS2. The stack has a link from two different units to each aggregation switch, with each pair of links grouped together in a LAG. The two LAGs and link between AS1 and AS2 are members of the same VLAN. Spanning tree is enabled on the VLAN. Assume spanning tree selects AS1 as the root bridge.
NSF and VoIP
Figure 8-15 shows how NSF maintains existing voice calls during a stack master failure. Assume the top unit is the stack master. When the stack master fails, the call from phone A is immediately disconnected. The call from phone B continues. On the uplink, the forwarding plane removes the failed LAG member and continues using the remaining LAG member. If phone B has learned VLAN or priority parameters through LLDP-MED, it continues to use those parameters.
NSF and DHCP Snooping
Figure 8-16 illustrates an L2 access switch running DHCP snooping. DHCP snooping only accepts DHCP server messages on ports configured as trusted ports. DHCP snooping listens to DHCP messages to build a bindings database that lists the IP address the DHCP server has assigned to each host. IP Source Guard (IPSG) uses the bindings database to filter data traffic in hardware based on source IP address and source MAC address.
If a host is in the middle of an exchange with the DHCP server when the failover occurs, the exchange is interrupted while the control plane restarts. When DHCP snooping is enabled, the hardware traps all DHCP packets to the CPU. The control plane drops these packets during the restart. The DHCP client and server retransmit their DHCP messages until the control plane has resumed operation and messages get through. Thus, DHCP snooping does not miss any new bindings during a failover.
Figure 8-17. NSF and a Storage Area Network
When the stack master fails, session A drops. The initiator at 10.1.1.10 detects a link down on its primary NIC and attempts to reestablish the session on its backup NIC to a different IP address on the disk array. The hardware forwards the packets to establish this new session, but assuming the session is established before the control plane is restarted on the backup unit, the new session receives no priority treatment in the hardware.
NSF and Routed Access
Figure 8-18 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers. The top unit in the stack is the stack master.
Figure 8-18. NSF and Routed Access
If the stack master fails, its link to the aggregation router is removed from the LAG.
JOIN messages upstream. The control plane updates the driver with checkpointed unicast routes. The forwarding plane reconciles L3 hardware tables. The OSPF graceful restart finishes, and the control plane deletes any stale unicast routes not relearned at this point. The forwarding plane reconciles L3 multicast hardware tables.
9 Configuring Authentication, Authorization, and Accounting
This chapter describes how to control access to the switch management interface using authentication and authorization. It also describes how to record this access using accounting. Together the three services are referred to by the acronym AAA.
Each service is configured using method lists. The method lists define how each service is to be performed by specifying the methods available to perform a service. The first method in a list is tried first. If the first method returns an error, the next method in the list is tried. This continues until all methods in the list have been attempted. If no method can perform the service, then the service fails.
• The ias method is a special method that is only used for 802.1X. It uses an internal database (separate from the local user database) that acts like an 802.1X authentication server. This method never returns an error. It will always pass or deny a user.
• The line method uses the password for the access line on which the user is accessing the switch. If there is no line password defined for the access line, then the line method will return an error.
• The local method uses the local user database.
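The difference between a method that returns an error and one that denies the user decides whether the next method in a list is ever tried. The following Python model is an added example, not code from the switch or from Dell. The behaviour of the local method for an unknown user and of a server method when the server is unreachable are assumptions, and the account names and passwords are constructed.

```python
# Added example: a model of AAA method-list evaluation, not switch firmware.
import hmac
from enum import Enum


class Result(Enum):
    PASS = "pass"
    DENY = "deny"
    ERROR = "error"  # the method could not produce a verdict


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def line_method(line_password):
    """line: errors when the access line has no password defined (from the text)."""
    def check(user, password):
        if line_password is None:
            return Result.ERROR
        return Result.PASS if _same(password, line_password) else Result.DENY
    return check


def local_method(users):
    """local: ASSUMPTION - unknown user is an error, wrong password is a deny."""
    def check(user, password):
        if user not in users:
            return Result.ERROR
        return Result.PASS if _same(password, users[user]) else Result.DENY
    return check


def server_method(reachable, accounts):
    """radius/tacacs stand-in: ASSUMPTION - an unreachable server is an error;
    a reachable server always answers pass or deny."""
    def check(user, password):
        if not reachable:
            return Result.ERROR
        ok = user in accounts and _same(password, accounts[user])
        return Result.PASS if ok else Result.DENY
    return check


def run_method_list(methods, user, password):
    """Try (name, method) pairs in order. Only ERROR moves to the next method;
    PASS or DENY is final. If every method errors, the service fails."""
    trail = []
    for name, method in methods:
        result = method(user, password)
        trail.append((name, result.value))
        if result is not Result.ERROR:
            return result is Result.PASS, trail
    return False, trail


# Constructed sample data (hypothetical accounts and passwords).
LOCAL_USERS = {"admin": "Local-Pw-01"}
SERVER_USERS = {"alice": "Server-Pw-02"}


def demo():
    up = [("radius", server_method(True, SERVER_USERS)),
          ("local", local_method(LOCAL_USERS))]
    down = [("radius", server_method(False, SERVER_USERS)),
            ("local", local_method(LOCAL_USERS))]
    no_fallback = [("radius", server_method(False, SERVER_USERS)),
                   ("line", line_method(None))]
    return {
        # Server reachable and rejects: final, the local account is never consulted.
        "server_up_local_creds": run_method_list(up, "admin", "Local-Pw-01"),
        # Server unreachable: error, so the list falls through to local.
        "server_down_local_creds": run_method_list(down, "admin", "Local-Pw-01"),
        # Every method errors: the service fails.
        "all_methods_error": run_method_list(no_fallback, "alice", "Server-Pw-02"),
    }


if __name__ == "__main__":
    for case, (granted, trail) in demo().items():
        print(f"{case}: granted={granted} trail={trail}")
```

The trail returned for each case shows which methods were consulted, which is the detail to check when deciding the order of methods in a list.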
• Login—Login authentication grants access to the switch if the user credentials are validated. Access is granted only at privilege level one.
• Enable—Enable authentication grants access to a higher privilege level if the user credentials are validated for the higher privilege level. When RADIUS is used for enable authentication, the username for this request is always $enab15$. The username used to log into the switch is not used for RADIUS enable authentication.
• Network: Network authorization enables a RADIUS server to assign a particular 802.1X supplicant to a VLAN. For more information about 802.1X, see "Configuring Port and System Security" on page 481.
Table 9-3 shows the valid methods for each type of authorization:
Table 9-3.
profiles have an implicit “deny all” rule, such that any command that does not match any rule in the profile is considered to have been denied by that profile. A user can be assigned to more than one profile. If there are conflicting rules in profiles, the “permit” rule always takes precedence over the “deny” rule. That is, if any profile assigned to a user permits a command, then the user is permitted access to that command. A user may be assigned up to 16 profiles.
Table 9-4. Accounting Methods
Method    Commands    Dot1x    Exec
radius    no          yes      yes
tacacs    yes         no       yes

Authentication Examples
It is important to understand that during authentication, all that happens is that the user is validated. If any attributes are returned from the server, they are not processed during authentication. In the examples below, it is assumed that the default configuration of authorization—that is, no authorization—is used.
• The username guest password password command creates a user with the name “guest” and password “password”. A simple password can be configured here, since strength-checking has not yet been enabled.
• The passwords strength minimum numeric-characters 2 command sets the minimum number of numeric characters required when password strength checking is enabled.
aaa authentication enable "tacp" tacacs
tacacs-server host 1.2.3.4
key "secret"
exit
line telnet
login authentication tacplus
enable authentication tacp
exit
The following describes each line in the above configuration:
• The aaa authentication login “tacplus” tacacs command creates a login authentication list called “tacplus” that contains the method tacacs. If this method returns an error, the user will fail to log in.
RADIUS Authentication Example
Use the following configuration to require RADIUS authentication to log in over a telnet connection:
aaa authentication login "rad" radius
aaa authentication enable "raden" radius
radius-server host 1.2.3.
Authorization Examples
Authorization allows the administrator to control which services a user is allowed to access. Some of the things that can be controlled with authorization include the user's initial privilege level and which commands the user is allowed to execute. When authorization fails, the user is denied access to the switch, even though the user has passed authentication. The following examples assume that the configuration used in the previous examples has already been applied.
• The aaa authorization exec “tacex” tacacs command creates an exec authorization method list called tacex which contains the method tacacs.
• The authorization exec tacex command assigns the tacex exec authorization method list to be used for users accessing the switch via telnet.
Notes:
• If the privilege level is zero (that is, blocked), then authorization will fail and the user will be denied access to the switch.
TACACS+ Authorization Example—Custom Administrative Profile
This example creates a custom profile that allows the user to control user access to the switch by configuring an administrative profile that only allows access to AAA related commands. Use the following commands to create the administrative profile:
admin-profile aaa
rule 99 permit command "^show aaa .*"
rule 98 permit command "^show authentication .*"
rule 97 permit command "^show authorization .*"
rule 96 permit command "^show accounting .
string at the beginning of a line, the period (.) matches any single character, and the asterisk (*) repeats the previous match zero or more times.
profiles and per-command authorization are configured for a user, any command must be permitted by both the administrative profiles and by per-command authorization.
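The profile rules described above (regular-expression command rules, an implicit “deny all”, permit taking precedence across profiles, and the requirement that per-command authorization also permit the command) can be checked offline before a profile is assigned to users. The following Python model is an added example, not code from the switch or from Dell. Python's re module stands in for the switch's matcher, the order in which rules inside one profile are checked is an assumption, and the second profile, the per_command callback and the sample commands are hypothetical.

```python
# Added example: evaluating administrative-profile rules. Not switch firmware.
import re

MAX_PROFILES = 16  # from the text: a user may be assigned up to 16 profiles


class Profile:
    def __init__(self, name, rules):
        """rules: list of (number, "permit" | "deny", regex string)."""
        self.name = name
        # ASSUMPTION: within a profile the highest-numbered matching rule decides.
        self.rules = sorted(
            ((n, action, re.compile(rx)) for n, action, rx in rules),
            key=lambda r: r[0], reverse=True)

    def decide(self, command):
        for _number, action, pattern in self.rules:
            if pattern.search(command):
                return action
        return "deny"  # implicit "deny all" when no rule matches


def authorize(profiles, command, per_command=None):
    """Return (allowed, names of the profiles that permit the command).

    per_command is a hypothetical callable standing in for the server's
    per-command authorization answer; None means it is not configured.
    """
    if len(profiles) > MAX_PROFILES:
        raise ValueError("a user may be assigned up to 16 profiles")
    permitting = [p.name for p in profiles if p.decide(command) == "permit"]
    allowed = bool(permitting)       # any permitting profile wins over denies
    if per_command is not None:      # both layers must permit the command
        allowed = allowed and bool(per_command(command))
    return allowed, permitting


# Rules 99-97 are the ones shown for the example profile "aaa".
AAA = Profile("aaa", [
    (99, "permit", r"^show aaa .*"),
    (98, "permit", r"^show authentication .*"),
    (97, "permit", r"^show authorization .*"),
])

# Hypothetical second profile with a conflicting deny rule.
NO_AAA = Profile("no-aaa-view", [
    (20, "deny", r"^show aaa .*"),
    (10, "permit", r"^show logging.*"),
])

if __name__ == "__main__":
    # Constructed sample commands.
    for profiles, cmd in [([AAA], "show aaa servers"),
                          ([AAA], "configure"),
                          ([NO_AAA], "show aaa servers"),
                          ([NO_AAA, AAA], "show aaa servers")]:
        names = [p.name for p in profiles]
        print(names, repr(cmd), authorize(profiles, cmd))
```

Because one permitting profile overrides every deny, the effective rights of a user are the union of all assigned profiles; review the full set together, not each profile alone.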
The RADIUS server should be configured such that it will send the Cisco AV Pair attribute with the “roles” value. For example:
shell:roles=router-admin
The above example attribute gives the user access to the commands permitted by the router-admin profile.

Using RADIUS Servers to Control Management Access
The RADIUS client on the switch supports multiple RADIUS servers. When multiple authentication servers are configured, they can help provide redundancy.
“secret”. This “secret” is used to generate one-way encrypted authenticators that are present in all RADIUS packets. The “secret” is never transmitted over the network. RADIUS conforms to a secure communications client/server model using UDP as a transport protocol. It is extremely flexible, supporting a variety of methods to authenticate and statistically track users. RADIUS is also extensible, allowing for new methods of authentication to be added without disrupting existing functionality.
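How the shared secret authenticates a reply without ever being sent can be shown with the Response Authenticator defined in RFC 2865: an MD5 digest over the reply header, the Request Authenticator, the attributes and the secret. The following Python code is an added example, not code from the switch or from Dell; the secret, the identifier and the fixed Request Authenticator are constructed sample values.

```python
# Added example: RADIUS Response Authenticator check (RFC 2865), not switch code.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
SERVICE_ADMINISTRATIVE = 6   # Service-Type value: Administrative
SERVICE_NAS_PROMPT = 7       # Service-Type value: NAS Prompt


def attribute(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_reply(code, identifier, attributes, request_auth, secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + digest + attributes


def verify_reply(packet, request_auth, secret):
    """Client side: recompute the digest with the local copy of the secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values. A real Request Authenticator is 16 random octets.
SECRET = b"secret"
REQUEST_AUTH = bytes(range(16))


def demo():
    attrs = attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_NAS_PROMPT))
    reply = build_reply(ACCESS_ACCEPT, 42, attrs, REQUEST_AUTH, SECRET)
    # Same reply with the Service-Type value changed after the server signed it.
    altered = reply[:-1] + bytes([SERVICE_ADMINISTRATIVE])
    return {
        "genuine": verify_reply(reply, REQUEST_AUTH, SECRET),
        "altered_attribute": verify_reply(altered, REQUEST_AUTH, SECRET),
        "wrong_secret": verify_reply(reply, REQUEST_AUTH, b"other"),
        "secret_on_wire": SECRET in reply,
        "length": len(reply),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A reply whose attributes were changed in transit, or that was produced with a different secret, fails the check, which is why the secret configured on the switch must match the server's exactly.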
If you use a RADIUS server to authenticate users, you must configure user attributes in the user database on the RADIUS server. The user attributes include the user name, password, and privilege level.
NOTE: To set the privilege level, it is recommended to use the Service-Type attribute instead of the Cisco AV pair priv-lvl attribute.

Which RADIUS Attributes Does the Switch Support?
Table 9-5 lists the RADIUS attributes that the switch supports and indicates whether the 802.
Table 9-5. Supported RADIUS Attributes (Continued) Type RADIUS Attribute Name 802.
How Are RADIUS Attributes Processed on the Switch?
The following attributes are processed in the RADIUS Access-Accept message received from a RADIUS server:
• NAS-PORT—ifIndex of the port to be authenticated.
• REPLY-MESSAGE—Trigger to respond to the Access-Accept message with an EAP notification.
• STATE-RADIUS—Server state. Transmitted in Access-Request and Accounting-Request messages.
• SESSION-TIMEOUT—Session timeout value for the session (in seconds). Used by both 802.
Using TACACS+ Servers to Control Management Access
TACACS+ (Terminal Access Controller Access Control System) provides access control for networked devices via one or more centralized servers. TACACS+ simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to encrypt all messages.
You can configure each server host with a specific connection type, port, timeout, and shared key, or you can use global configuration for the key and timeout. The TACACS+ server can do the authentication itself, or redirect the request to another back-end device. All sensitive information is encrypted and the shared secret is never passed over the network; it is used only to encrypt the data.
Default Configurations

Method Lists
The method lists shown in Table 9-7 are defined by default. They cannot be deleted, but they can be modified. Using the “no” command on these lists will return them to their default configuration.
Table 9-7.
Table 9-8. Default AAA Methods (Continued)
AAA Service (type)       Console    Telnet    SSH
Accounting (exec)        none       none      none
Accounting (commands)    none       none      none

Access Lines (Non-AAA)
Table 9-9 shows the default configuration of the access lines that do not use method lists.
Table 9-9. Default Configuration for Non-AAA Access Lines
Access Line    Authentication    Authorization
HTTP           local             n/a
HTTPS          local             n/a
802.
Table 9-10. Default Administrative Profiles (Continued)
Name                Description
CP-admin            Allows access to the Captive Portal feature.
network-operator    Allows access to all User EXEC mode commands and show commands.
10 Monitoring and Logging System Information
This chapter provides information about the features you use to monitor the switch, including logging, cable tests, and email alerting.
Why Is System Information Needed?
The information the switch provides can help you troubleshoot issues that might be affecting system performance. The cable diagnostics tests help you troubleshoot problems with the physical connections to the switch. Auditing access to the switch and the activities an administrator performed while managing the switch can help provide security and accountability.
What Are the Severity Levels?
For each local or remote log file, you can specify the severity of the messages to log. Each severity level is identified by a name and a number. Table 10-1 provides information about the severity levels.
Table 10-1. Log Message Severity
Severity Keyword    Severity Level    Description
emergencies         0                 The switch is unusable.
alerts              1                 Action must be taken immediately.
critical            2                 The switch is experiencing critical conditions.
To view the log messages in the system startup and operational log files, you must download the log files to an administrative host. The startup log files are named slogX.txt and the operation log files are named ologX.txt. When enabled, the system stores the startup and operation log files for the last three switch boots.
• Stack ID—This is the assigned stack ID. The number 1 is used for systems without stacking ability. The top of stack is used to collect messages for the entire stack.
• Component name—The component name for the logging component. Component “UNKN” is substituted for components that do not identify themselves to the logging component.
• Thread ID—The thread ID of the logging component.
• File name—The name of the file containing the invoking macro.
After you enable email alerting and configure the mail server and recipient email address, log messages with a severity level of emergency and alert are sent immediately with each log message in a separate mail. The email subject is “Urgent Log Messages.” Log messages with a severity level of critical, error, and warning are sent periodically in a single email. The email subject is “Non Urgent Log Messages.” Messages with a severity level of notice and below are not sent in an email.
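The two severity thresholds decide whether a log message is mailed at once, held for the periodic mail, or never mailed. The following Python model is an added example, not code from the switch or from Dell. It takes the default behaviour from the paragraph above and also evaluates the thresholds used in this chapter's email alerting example (urgent at emergency, non-urgent at error); the log entries are constructed, and the parameter names are hypothetical stand-ins for the two configured severities.

```python
# Added example: how severity thresholds route log messages to email.
# Not switch code. Severity numbers follow the levels named in this chapter.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def route(severity, urgent="alert", non_urgent="warning"):
    """Classify one message. A lower number means a higher severity."""
    level = SEVERITY[severity]
    if level <= SEVERITY[urgent]:
        return "immediate"
    if level <= SEVERITY[non_urgent]:
        return "batched"
    return "not mailed"


def plan_mail(entries, urgent="alert", non_urgent="warning"):
    """Return (mails, unmailed). Each mail is (subject, [message lines])."""
    mails, digest, unmailed = [], [], []
    for severity, text in entries:
        where = route(severity, urgent, non_urgent)
        line = f"{severity}: {text}"
        if where == "immediate":
            mails.append(("Urgent Log Messages", [line]))  # one mail per message
        elif where == "batched":
            digest.append(line)
        else:
            unmailed.append(line)
    if digest:
        mails.append(("Non Urgent Log Messages", digest))  # single periodic mail
    return mails, unmailed


# Constructed sample log entries (severity keyword, message text).
ENTRIES = [
    ("emergency", "Stack master unit failed"),
    ("alert", "Temperature threshold exceeded"),
    ("error", "Authentication server unreachable"),
    ("warning", "Configuration changed"),
    ("notice", "User admin logged in from 192.0.2.10"),
    ("info", "Link up on 1/0/3"),
]


def compare():
    """Default thresholds next to urgent=emergency, non-urgent=error."""
    return {
        "default": plan_mail(ENTRIES),
        "example": plan_mail(ENTRIES, urgent="emergency", non_urgent="error"),
    }


if __name__ == "__main__":
    for name, (mails, unmailed) in compare().items():
        print(name)
        for subject, lines in mails:
            print(f"  mail [{subject}]: {lines}")
        print(f"  never mailed: {unmailed}")
```

Anything listed as never mailed reaches an administrator only through the local logs or a remote log server, so thresholds should be chosen with the audit messages you rely on in mind.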
Monitoring System Information and Configuring Logging (Web)
This section provides information about the OpenManage Switch Administrator pages to use to monitor system information and configure logging on the PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.

Device Information
The Device Information page displays after you successfully log on to the switch by using the Dell OpenManage Switch Administrator.
Figure 10-2. Stack View
For more information about the device view features, see "Understanding the Device View" on page 106.
System Health
Use the Health page to view status information about the switch power and ventilation sources. To display the Health page, click System → General → Health in the navigation panel.
Figure 10-3.
System Resources
Use the System Resources page to view information about memory usage and task utilization. To display the System Resources page, click System → General → System Resources in the navigation panel.
Figure 10-4.
Integrated Cable Test for Copper Cables
Use the Integrated Cable Test for Copper Cables page to perform tests on copper cables. Cable testing provides information about where errors occurred in the cable, the last time a cable test was performed, and the type of cable error which occurred. The tests use Time Domain Reflectometry (TDR) technology to test the quality and characteristics of a copper cable attached to a port. Cables up to 120 meters long can be tested.
To view a summary of all integrated cable tests performed, click the Show All link.
Figure 10-6. Integrated Cable Test Summary

Optical Transceiver Diagnostics
Use the Optical Transceiver Diagnostics page to perform tests on Fiber Optic cables. To display the Optical Transceiver Diagnostics page, click System → Diagnostics → Optical Transceiver Diagnostics in the navigation panel.
NOTE: Optical transceiver diagnostics can be performed only when the link is present.
Figure 10-7. Optical Transceiver Diagnostics
To view a summary of all optical transceiver diagnostics tests performed, click the Show All link.
Figure 10-8.
Log Global Settings
Use the Global Settings page to enable logging globally and to enable other types of logging. You can also specify the severity of messages that are logged to the console, RAM log, and flash-based log file. The Severity table lists log messages from the highest severity (Emergency) to the lowest (Debug). When you select a severity level, all higher levels are automatically selected.
RAM Log
Use the RAM Log page to view information about specific RAM (cache) log entries, including the time the log was entered, the log severity, and a description of the log. To display the RAM Log, click System → Logs → RAM Log in the navigation panel.
Figure 10-10.
Log File
The Log File contains information about specific log entries, including the time the log was entered, the log severity, and a description of the log. To display the Log File, click System → Logs → Log File in the navigation panel.
Figure 10-11. Log File

Remote Log Server
Use the Remote Log Server page to view and configure the available log servers, to define new log servers, and to set the severity of the log events sent to the server.
Figure 10-12. Remote Log Server

Adding a New Remote Log Server
To add a log server:
1 Open the Remote Log Server page.
2 Click Add to display the Add Remote Log Server page.
3 Specify the IP address or hostname of the remote server.
4 Define the UDP Port and Description fields.
Figure 10-13. Add Remote Log Server
5 Select the severity of the messages to send to the remote server.
NOTE: When you select a severity level, all higher severity levels are automatically selected.
6 Click Apply.
Click the Show All link to view or remove remote log servers configured on the system.
Figure 10-14. Show All Log Servers

Email Alert Global Configuration
Use the Email Alert Global Configuration page to enable the email alerting feature and configure global settings so that system log messages can be sent from the switch to one or more email accounts. To display the Email Alert Global Configuration page, click System → Email Alerts → Email Alert Global Configuration in the navigation panel.
Figure 10-15.
Email Alert Mail Server Configuration
Use the Email Alert Mail Server Configuration page to configure information about the mail server the switch uses for sending email alert messages. To display the Email Alert Mail Server Configuration page, click System → Email Alerts → Email Alert Mail Server Configuration in the navigation panel.
Figure 10-16. Email Alert Mail Server Configuration

Adding a Mail Server
To add a mail server:
1 Open the Email Alert Mail Server Configuration page.
Figure 10-17. Add Mail Server
4 Click Apply.
5 If desired, click Configuration to return to the Email Alert Mail Server Configuration page to specify port and security settings for the mail server.
Click the Show All link to view or remove mail servers configured on the switch.
Figure 10-18.
Email Alert Subject Configuration
Use the Email Alert Subject Configuration page to configure the subject line for email alerts that are sent by the switch. You can customize the subject for the message severity and entry status. To display the Email Alert Subject Configuration page, click System → Email Alerts → Email Alert Subject Configuration in the navigation panel.
Figure 10-19. Email Alert Subject Configuration
To view all configured email alert subjects, click the Show All link.
Figure 10-20.
Email Alert To Address Configuration
Use the Email Alert To Address Configuration page to specify where the email alerts are sent. You can configure multiple recipients and associate different message severity levels with different recipient addresses. To display the Email Alert To Address Configuration page, click System → Email Alerts → Email Alert To Address Configuration in the navigation panel.
Figure 10-21. Email Alert To Address Configuration
To view configured recipients, click the Show All link.
Figure 10-22. View Email Alert To Address Configuration

Email Alert Statistics
Use the Email Alert Statistics page to view the number of emails that were successfully and unsuccessfully sent, and when emails were sent. To display the Email Alert Statistics page, click System → Email Alerts → Email Alert Statistics in the navigation panel.
Figure 10-23.
Monitoring System Information and Configuring Logging (CLI)
This section provides information about the commands you use to configure information you use to monitor the PowerConnect M6220/M6348/M8024/M8024-k switch. For more information about these commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.

Viewing System Information
Beginning in Privileged EXEC mode, use the following commands to view system health and resource information.
Command                           Purpose
test copper-port tdr interface    Perform the Time Domain Reflectometry (TDR) test to diagnose the quality and characteristics of a copper cable attached to the specified port. SFP, SFP+, and QSFP cables with passive copper assemblies are not capable of performing TDR tests.
                                  CAUTION: Issuing the test copper-port tdr command will bring the interface down.
                                  The interface is specified in unit/slot/port format. For example 1/0/3 is GbE interface 3 on unit 1 of the stack.
Command                                       Purpose
logging {buffered|console|file} [severity]    Enable logging to the specified file. Optionally, you can define a logging discriminator to help filter log messages and set the severity of the messages to log.
                                              • buffered — Enables logging to the RAM file (cache). If the switch resets, the buffered logs are cleared.
                                              • console — Enables logging to the screen when you are connected to the CLI through the console port.
                                              • file — Enables logging to the startup and operational log files on the flash.
Configuring Remote Logging
Beginning in Privileged EXEC mode, use the following commands to define a remote server to which the switch sends log messages.
Command                          Purpose
configure                        Enter Global Configuration mode.
logging {ip-address|hostname}    Define a remote log server and enter the configuration mode for the specified log server.
description description          Describe the log server. Use up to 64 characters. If the description includes spaces, surround it with quotation marks.
Configuring Mail Server Settings
Beginning in Privileged EXEC mode, use the following commands to configure information about the mail server (SMTP host) on the network that will initially receive the email alerts from the switch and relay them to the correct recipient.
Command                   Purpose
configure                 Enter Global Configuration mode.
mail-server ip-address    Specify the IP address of the SMTP server on the network and enter the configuration mode for the mail server.
Configuring Email Alerts for Log Messages
Beginning in Privileged EXEC mode, use the following commands to configure email alerts so that log messages are sent to the specified address.
Command                     Purpose
configure                   Enter Global Configuration mode.
logging email [severity]    Enable email alerting and determine which non-critical log messages should be emailed. Including the severity value sets the lowest severity for which log messages are emailed.
Command                                                                            Purpose
logging email test message-type {urgent | non-urgent | both} message-body body    Send a test email to the configured recipient to verify that the feature is properly configured.
CTRL + Z                                                                           Exit to Privileged EXEC mode.
show logging email config                                                          View the configured settings for email alerts.
show logging email statistics                                                      View information about the number of emails sent and the time they were sent.
clear logging email statistics                                                     Clear the email alerting statistics.
Logging Configuration Examples
This section contains the following examples:
• Configuring Local and Remote Logging
• Configuring Email Alerting

Configuring Local and Remote Logging
This example shows how to enable switch auditing and CLI command logging. Log messages with a severity level of Notification (level 5) and above are sent to the RAM (buffered) log. Emergency, Critical, and Alert (level 2) log messages are written to the log file on the flash drive.
4 Verify the remote log server configuration.
console#show syslog-servers
IP Address/Hostname       Port  Severity       Description
------------------------- ----- -------------- ----------
192.168.2.10              514   debugging      Syslog Server
5 Verify the local logging configuration and view the log messages stored in the buffer (RAM log).
console#show logging
Logging is enabled
Console Logging: level debugging. Console Messages: 748 Dropped.
Buffer Logging: level notifications.
Emergency messages (severity level 0) will be sent immediately as individual emails, and messages with a severity of alert, critical, and error (levels 1-3) will be sent in a single email every 120 minutes. Warning, notice, info, and debug messages are not sent in an email. The email the administrator will receive in the inbox has a format similar to the following:
Figure 10-24. Email Alert Message Format
For emergency-level messages, the subject is LOG MESSAGE EMERGENCY.
3 Configure emergencies and alerts to be sent immediately, and all other messages to be sent in a single email every 120 minutes.
console(config)#logging email error
console(config)#logging email urgent emergency
console(config)#logging email logtime 120
4 Specify the email address of the sender (the switch).
console(config)#logging email from-addr pcm6348_noreply@dell.com
5 Specify the address where email alerts should be sent.
console(config)#logging email message-type both to-addr administrator@dell.
Email Alert To Address Table:
For Msg Type..........................1
Address1..............................administrator@dell.com
For Msg Type..........................2
Address1..............................administrator@dell.com
Email Alert Subject Table :
For Msg Type 1, subject is............LOG MESSAGES - EMERGENCY
For Msg Type 2, subject is............
11 Managing General System Settings
This chapter describes how to set system information, such as the hostname and time settings, and how to select the Switch Database Management (SDM) template to use on the switch. This chapter also describes how to view expansion slot information as well as how to configure the operational mode and Port Aggregator feature.
Table 11-1. System Information
Feature       Description
SDM Template  Determines the maximum resources a switch or router can use for various features. For more information, see "What Are SDM Templates?" on page 248.

The switch can obtain the time from a Simple Network Time Protocol (SNTP) server, or you can set the time manually. Table 11-2 describes the settings that help the switch keep track of time.
Table 11-2.
The Banner can provide information about the switch status. For example, if multiple users connect to the switch, the message of the day (MOTD) banner might alert everyone who connects to the switch about a scheduled switch image upgrade.
What is Simple Mode?
The PowerConnect M6220, M6348, M8024, and M8024-k switches support a simple operational mode to allow auto configuration of complex network settings.
• Simple mode allows the user to create Aggregation Groups where internal ports and external ports can be configured in a separate broadcast domain.
• Security-related configurations: dot1x, RADIUS, TACACS+ are allowed when the switch is operating in Simple Mode.
• All other feature configurations from the CLI/Web/SNMP interfaces are disabled, and the user does not see any commands/pages/MIBs related to all other regular features that are available in Normal Mode.
• SNMP
• SSH
• General System Information (Read-Only)
• HTTP Server
• Port Aggregator (Available only in Simple mode)
NOTE: The default username (root) and password (calvin) are not available in Simple mode. A user with privilege level of 15 must be configured to access the switch management interface from a remote connection. For information about configuring a user, see "Configuring Authentication, Authorization, and Accounting" on page 181.
Group.
What Is the LAG Dependency Feature in Port Aggregator Mode?
LAG (port-channel) dependency allows you to set the minimum number of uplinks that must be active for the aggregator group. For example, suppose the number of uplink ports in the group is 2 and the number of internal ports is 4. If the user sets the minimum active uplink ports to 2, then both uplink ports must be active; otherwise, all the internal ports in the group are brought down.
Table 11-3. SDM Template Parameters and Values (Continued)
Parameter              Dual IPv4/IPv6  IPv4 Only  IPv4 Data Center
ECMP next hops         4               4          16
IPv4 multicast routes  1536            2048       2048
IPv6 multicast routes  512             0          0

SDM Template Configuration Guidelines
When you configure the switch to use an SDM template that is not currently in use, you must reload the switch for the configuration to take effect.
You can configure the switch to request the time from an SNTP server on the network, or you can allow the switch to receive SNTP broadcasts. Requesting the time from a unicast SNTP server is more secure. Use this method if you know the IP address of the SNTP server on your network. If you allow the switch to receive SNTP broadcasts, any clock synchronization information is accepted, even if it has not been requested by the device. This method is less secure than polling a specified SNTP server.
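To make the difference concrete, the following added example (not from the Dell guide or the switch firmware) models the acceptance checks a polling client can apply and a broadcast listener cannot. It assumes the standard NTP symmetric-key authenticator (a key ID followed by an MD5 digest over the key and header); the class, addresses, key, key IDs and timestamps are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48          # fixed (S)NTP header size in bytes
MAC_LEN = 4 + 16         # 32-bit key ID followed by a 128-bit MD5 digest
MODE_CLIENT, MODE_SERVER, MODE_BROADCAST = 3, 4, 5


def build_packet(mode, origin_ts=0, transmit_ts=0, stratum=2):
    """Build a minimal version-4 header; all field values are constructed."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    # LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
    # reference ID, then reference, origin, receive and transmit timestamps.
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, 6, -20,
                       0, 0, b"LOCL", 0, origin_ts, 0, transmit_ts)


def add_mac(packet, key_id, key):
    """Append the key ID and MD5(key || header) as the authenticator."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


class SntpClient:
    """Toy client that decides whether to accept a received time packet."""

    def __init__(self, server_ip, trusted_keys=None, accept_broadcast=False):
        self.server_ip = server_ip
        self.trusted_keys = trusted_keys or {}   # key ID -> key, trusted keys only
        self.accept_broadcast = accept_broadcast
        self.pending_ts = None                   # transmit timestamp of the open poll

    def poll(self, transmit_ts):
        """Record the outstanding request and return the packet to send."""
        self.pending_ts = transmit_ts
        return build_packet(MODE_CLIENT, transmit_ts=transmit_ts, stratum=0)

    def accept(self, src_ip, data):
        """Return (accepted, reason) for a received packet."""
        if len(data) < HEADER_LEN:
            return False, "short packet"
        header, mac = data[:HEADER_LEN], data[HEADER_LEN:]
        mode = header[0] & 0x07
        origin_ts = struct.unpack("!Q", header[24:32])[0]
        if mode == MODE_BROADCAST:
            if not self.accept_broadcast:
                return False, "unsolicited broadcast"
        elif mode == MODE_SERVER:
            if src_ip != self.server_ip:
                return False, "unexpected source"
            if self.pending_ts is None or origin_ts != self.pending_ts:
                return False, "no matching request"
        else:
            return False, "unexpected mode"
        if self.trusted_keys:                    # authentication is required
            if len(mac) != MAC_LEN:
                return False, "missing authenticator"
            key = self.trusted_keys.get(struct.unpack("!I", mac[:4])[0])
            if key is None:
                return False, "untrusted key ID"
            expected = hashlib.md5(key + header).digest()
            if not hmac.compare_digest(expected, mac[4:]):
                return False, "bad digest"
        if mode == MODE_SERVER:
            self.pending_ts = None               # one reply per request
        return True, "ok"


def demo():
    """Run constructed packets through a polling and a broadcast client."""
    server, rogue = "192.0.2.10", "192.0.2.66"   # documentation addresses
    key_id, key = 7, b"constructed-shared-key"
    sent = 0xE000000000000001
    reply = build_packet(MODE_SERVER, origin_ts=sent, transmit_ts=sent + 5)
    bcast = build_packet(MODE_BROADCAST, transmit_ts=sent + 9)
    polling = SntpClient(server, trusted_keys={key_id: key})
    polling.poll(sent)
    results = {
        "rogue source": polling.accept(rogue, add_mac(reply, key_id, key)),
        "no authenticator": polling.accept(server, reply),
        "untrusted key ID": polling.accept(server, add_mac(reply, 8, key)),
        "wrong key": polling.accept(server, add_mac(reply, key_id, b"guess")),
        "broadcast to poller": polling.accept(rogue, add_mac(bcast, key_id, key)),
        "valid reply": polling.accept(server, add_mac(reply, key_id, key)),
        "replayed reply": polling.accept(server, add_mac(reply, key_id, key)),
    }
    listener = SntpClient(server, accept_broadcast=True)
    results["broadcast to listener"] = listener.accept(rogue, bcast)
    return results


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:22} accepted={accepted} ({reason})")
```

The unauthenticated broadcast listener accepts the packet from an address it never polled, while the polling client with a trusted key rejects every packet except the one authenticated reply to its own request.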
Default General System Information By default, no system information or time information is configured, and the SNTP client is disabled. The default SDM Template applied to the switch is the Dual IPv4-IPv6 template. Simple mode is disabled by default on the PowerConnect M6220, M6348, and M8024 switches. Simple mode is enabled by default on the PowerConnect M8024-k switch.
Table 11-4.
Table 11-6. PCM8024 and PCM8024-k Default Port Aggregator Group Mapping
Aggregator Group                Group 1
Member Internal Ports           Te1/0/1, Te1/0/2, Te1/0/3, Te1/0/4, Te1/0/5, Te1/0/6, Te1/0/7, Te1/0/8, Te1/0/9, Te1/0/10, Te1/0/11, Te1/0/12, Te1/0/13, Te1/0/14, Te1/0/15, Te1/0/16
Member Uplink (External) Ports  Te1/0/17, Te1/0/18, Te1/0/19, Te1/0/20, Te1/0/21, Te1/0/22, Te1/0/23, Te1/0/24

For the PCM6220 and PCM6348 switches, the same default configuration is extended to each switch in the stack.
Configuring General System Settings (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring general system settings on the PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. System Information Use the System Information page to configure the system name, contact name, location, and asset tag.
Initiating a Telnet Session from the Web Interface NOTE: The Telnet client feature does not work with Microsoft Windows Internet Explorer 7 and later versions. Initiating this feature from any browser running on a Linux operating system is not supported. To launch a Telnet session: 1 From the System → General → System Information page, click the Telnet link. 2 Click the Telnet button. Figure 11-2. Telnet 3 Select the Telnet client, and click OK.
Figure 11-3. Select Telnet Client The selected Telnet client launches and connects to the switch CLI. Figure 11-4.
CLI Banner Use the CLI Banner page to configure a message for the switch to display when a user connects to the switch by using the CLI. You can configure different banners for various CLI modes and access methods. To display the CLI Banner page, click System → General → CLI Banner in the navigation panel. Figure 11-5.
SDM Template Preference Use the SDM Template Preference page to view information about template resource settings and to select the template that the switch uses. If you select a new SDM template for the switch to use, you must reboot the switch before the template is applied. To display the SDM Template Preference page, click System → General → SDM Template Preference in the navigation panel. Figure 11-6.
Operational Mode Configuration Use the Operational Mode Configuration page to enable Simple mode or return the switch to normal mode. Only users with the highest privilege level can change the operating mode. To display the Operational Mode Configuration page, click System → Operational Mode → Operational Mode Configuration in the navigation panel. Figure 11-7. Operational Mode Configuration Enabling Simple Mode To enable Simple mode: 1 From the Simple Mode field, select Enable. 2 Click Apply.
Figure 11-8. Operational Mode Configuration 4 Click Apply. The switch loads the Simple mode configuration file, and you are automatically logged off the system. To log on to the switch, you must enter a username and password in the logon screen. When the switch is operating in Simple mode, many of the pages available in normal mode are not available, and the navigation panel displays only the features that are available in Simple mode. Figure 11-9.
Port Aggregator Global Configuration Use the Global Configuration page to configure LAG failover settings for all port aggregator groups. To display the Global Configuration page, click Switching → Port Aggregator → Global Configuration in the tree view. Figure 11-10.
Port Aggregator Port Configuration Use the Port Configuration page to view and configure information about the port members and LAG roles for the aggregator groups. By default, all ports are in aggregator group 1. To display the Port Configuration page, click Switching → Port Aggregator → Port Configuration in the tree view. Figure 11-11.
Figure 11-12. Port Aggregator Port Configuration Summary
3 To modify the port assignment, click any Modify link to access the Port Configuration page.
4 If the system supports stacking, select the stack member to configure from the Unit field.
5 Enter the Port Aggregator Group ID in the Group ID field for the ports to add to a group. Each port can belong to only one Port Aggregator group.
6 Click Apply.
Removing Ports from an Aggregator Group
To remove a port from an aggregator group: 1.
Port Aggregator Group Configuration Use the Group Configuration page to view and configure information about the port aggregator group settings for each aggregator group. To display the Group Configuration page, click Switching → Port Aggregator → Group Configuration in the tree view. Figure 11-13. Port Aggregator Group Configuration Viewing the Port Aggregator Group Summary To view a summary of the aggregator group settings: 1 Open the Group Configuration page. 2 Click Summary.
Figure 11-14. Port Aggregator Group Configuration Summary 3 To modify the settings for an aggregator group, click the Modify link associated with the group to access the Group Configuration page for the group.
Port Aggregator Internal Port VLAN Configuration Use the Internal Port VLAN Configuration page to configure VLAN settings for the internal ports. To display the Internal Port VLAN Configuration page, click Switching → Port Aggregator → Internal Port VLAN Configuration in the tree view. Figure 11-15.
Figure 11-16. Port Aggregator Group Configuration Summary 3 To view the VLAN settings for a different group, select the group from the Group ID menu.
Port Aggregator Port Channel Summary Use the Port Channel Summary page to view information about the LAG members and LAG status for each group. To display the Port Channel Summary page, click Switching → Port Aggregator → Port Channel Summary in the tree view. Figure 11-17.
Group VLAN MAC Summary Use the Group VLAN MAC Summary page to view the MAC address table entries for each Port Aggregator group. To display the Group VLAN MAC Summary page, click Switching → Port Aggregator → Group VLAN MAC Summary in the tree view. Figure 11-18.
Clock If you do not obtain the system time from an SNTP server, you can manually set the date and time on the switch on the Clock page. The Clock page also displays information about the time settings configured on the switch. To display the Clock page, click System → Time Synchronization → Clock in the navigation panel. Figure 11-19. Clock NOTE: The system time cannot be set manually if the SNTP client is enabled. Use the SNTP Global Settings page to enable or disable the SNTP client.
SNTP Global Settings Use the SNTP Global Settings page to enable or disable the SNTP client, configure whether and how often the client sends SNTP requests, and determine whether the switch can receive SNTP broadcasts. To display the SNTP Global Settings page, click System → Time Synchronization → SNTP Global Settings in the navigation panel. Figure 11-20.
SNTP Authentication Use the SNTP Authentication page to enable or disable SNTP authentication, to modify the authentication key for a selected encryption key ID, to designate the selected authentication key as a trusted key, and to remove the selected encryption key ID. NOTE: The SNTP server must be configured with the same authentication information to allow time synchronization to take place between the two devices.
Figure 11-22. Add Authentication Key 3 Enter a numerical encryption key ID and an authentication key in the appropriate fields. 4 If the key is to be used to authenticate a unicast SNTP server, select the Trusted Key check box. If the check box is clear, the key is untrusted and cannot be used for authentication. 5 Click Apply. The SNTP authentication key is added, and the device is updated. To view all configured authentication keys, click the Show All link. The Authentication Key Table displays.
Figure 11-23. Authentication Key Table SNTP Server Use the SNTP Server page to view and modify information about SNTP servers, and to add new SNTP servers that the switch can use for time synchronization. The switch can accept time information from both IPv4 and IPv6 SNTP servers. To display the SNTP Server page, click System → Time Synchronization → SNTP Server in the navigation panel. If no servers have been configured, the fields in the following image are not displayed.
Figure 11-24. SNTP Servers Defining a New SNTP Server To add an SNTP server: 1 Open the SNTP Servers page. 2 Click Add. The Add SNTP Server page displays.
Figure 11-25. Add SNTP Server 3 In the SNTP Server field, enter the IP address or host name for the new SNTP server. 4 Specify whether the information entered in the SNTP Server field is an IPv4 address, IPv6 address, or a hostname (DNS). 5 If you require authentication between the SNTP client on the switch and the SNTP server, select the Encryption Key ID check box, and then select the key ID to use. To define a new encryption key, see "Adding an SNTP Authentication Key" on page 272.
To view all configured SNTP servers, click the Show All link. The SNTP Server Table displays. You can also use the SNTP Server Table page to remove or edit existing SNTP servers. Figure 11-26.
Summer Time Configuration Use the Summer Time Configuration page to configure summer time (daylight saving time) settings. To display the Summer Time Configuration page, click System → Time Synchronization → Summer Time Configuration in the navigation panel. Figure 11-27. Summer Time Configuration NOTE: The fields on the Summer Time Configuration page change when you select or clear the Recurring check box.
Time Zone Configuration
Use the Time Zone Configuration page to configure time zone information, including the amount of time the local time is offset from UTC and the acronym that represents the local time zone. To display the Time Zone Configuration page, click System → Time Synchronization → Time Zone Configuration in the navigation panel. Figure 11-28.
Slot Summary Use the Slot Summary page to view information about the expansion slot status. To display the Slot Summary page, click Switching → Slots → Summary in the navigation panel. Figure 11-29.
Supported Cards Use the Supported Cards page to view information about the supported plug-in modules for the switch. To display the Supported Cards page, click Switching → Slots → Supported Cards in the navigation panel. Figure 11-30.
Configuring System Settings (CLI) This section provides information about the commands you use to configure system information and time settings on the PowerConnect M6220/M6348/M8024/M8024-k switch. For more information about these commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring System Information Beginning in Privileged EXEC mode, use the following commands to configure system information.
Configuring the Banner
Beginning in Privileged EXEC mode, use the following commands to configure the MOTD, login, or User EXEC banner. The switch supports the following banner messages:
• MOTD—Displays when a user connects to the switch.
• Login—Displays after the MOTD banner and before the login prompt.
• Exec—Displays immediately after the user logs on to the switch.

Command    Purpose
configure  Enter Global Configuration mode.
Managing the SDM Template
Beginning in Privileged EXEC mode, use the following commands to set the SDM template preference and to view information about the available SDM templates.

Command    Purpose
configure  Enter Global Configuration mode.
sdm prefer {dual-ipv4-and-ipv6 default | ipv4-routing {data-center | default}}
           Select the SDM template to apply to the switch after the next boot.
CTRL + Z   Exit to Privileged EXEC mode.
Command    Purpose
add interface interface intf-list
           Add member Ethernet ports to the Aggregator Group.
           • interface–Specify the Ethernet interface type, for example GigabitEthernet or TenGigabitEthernet.
           • intf-list— List of Ethernet interfaces to add. Separate nonconsecutive ports with a comma and no spaces. Use a hyphen to designate a range of ports.
duplex {half | full}
           Configure the full/half duplex operation of all member ports in the aggregator group/zone.
Configuring SNTP Authentication and an SNTP Server Beginning in Privileged EXEC mode, use the following commands to require the SNTP client to use authentication when communicating with the SNTP server. The commands also show how to configure an SNTP server. Requiring authentication is optional. However, if you configure authentication on the switch SNTP client, the SNTP server must be configured with the same authentication information to allow time synchronization to take place between the two devices.
Command    Purpose
sntp server {ip_address | hostname} [priority priority] [key key_id]
           Define the SNTP server.
           • ip_address—The IP address (or host name) of the SNTP server to poll. The IP address can be an IPv4 or IPv6 address.
           • priority—(Optional) If multiple SNTP servers are defined, this number determines which server the switch polls first. The priority is 1–8, where 1 is the highest priority. If you do not specify a priority, the servers are polled in the order that they are entered.
Setting the System Time and Date Manually Beginning in Privileged EXEC mode, use the following commands to configure the time and date, time zone, and summer time settings. Command Purpose clock set {mm/dd/yyyy Configure the time and date. You can enter the time first and then the date, or the date and then the time. hh:mm:ss} | {hh:mm:ss • hh:mm:ss —Time in hours (24-hour format, from 01-24), mm/dd/yyyy minutes (00-59), and seconds (00-59).
Command Purpose clock summer-time date {date month | month date} year hh:mm {date month | month date} year hh:mm [offset offset] [zone acronym] Use this command if the summer time does not start and end every year according to a recurring pattern. You can enter the month and then the date, or the date and then the month. • date— Day of the month. (Range: 1-31.) • month — Month. (Range: The first three letters by name) • hh:mm — Time in 24-hour format in hours and minutes.
General System Settings Configuration Examples
This section contains the following examples:
• Configuring System and Banner Information
• Configuring SNTP
• Configuring the Time Manually

Configuring System and Banner Information
In this example, an administrator configures the following system information:
• System name: PCM6348
• System contact: Jane Doe
• System location: RTP100
• Asset tag: 006429
The administrator then configures the MOTD banner to alert other switch administrators of the
System Contact: Jane Doe
System Name: PCM6348
System Location: RTP100
Burned In MAC Address: 001E.C9AA.AA07
System Object ID: 1.3.6.1.4.1.674.10895.3035
System Model ID: PCM6348
Machine Type: PowerConnect M6348
Temperature Sensors:
Unit  Description  Temperature (Celsius)  Status
----  -----------  -----------            ------
1     System       57                     Good
Power Supplies:
Unit  Description  Status
----  -----------  -----------
1     Main         OK
5 View additional information about the system.
Figure 11-31.
Configuring SNTP The commands in this example configure the switch to poll an SNTP server to synchronize the time. Additionally, the SNTP sessions between the client and server must be authenticated. To configure the switch: 1 Configure the authentication information. The SNTP server must be configured with the same authentication key and ID.
4 View the SNTP status on the switch.
console#show sntp status
Client Mode:       Unicast
Last Update Time:  MAR 01 09:12:43 2010
Unicast servers:
Server          Status       Last response
--------------- ------------ ---------------------
192.168.10.
Configuring the Time Manually
The commands in this example manually set the system time and date. The time zone is set to Eastern Standard Time (EST), which has an offset of -5 hours. Summer time is enabled and uses the preconfigured United States settings. To configure the switch:
1 Configure the time zone offset and acronym.
console#configure
console(config)#clock timezone -5 zone EST
2 Configure the summer time (daylight saving time) to use the preconfigured settings for the United States.
12 Configuring SNMP
The topics covered in this chapter include:
• SNMP Overview
• Default SNMP Values
• Configuring SNMP (Web)
• Configuring SNMP (CLI)
• SNMP Configuration Examples

SNMP Overview
Simple Network Management Protocol (SNMP) provides a method for managing network devices. The PowerConnect M6220, M6348, M8024, and M8024-k switches support SNMP version 1, SNMP version 2, and SNMP version 3.
The SNMP agent maintains a list of variables that are used to manage the switch. The variables are defined in the MIB. The MIB presents the variables controlled by the agent. The SNMP agent defines the MIB specification format, as well as the format used to access the information over the network. Access rights to the SNMP agent are controlled by access strings. SNMP v3 also applies access control and a new traps mechanism to SNMPv1 and SNMPv2 PDUs.
You can configure various features on the switch to generate SNMP traps that inform the NMS about events or problems that occur on the switch. Traps generated by the switch can also be viewed locally by using the web-based interface or CLI. Why Is SNMP Needed? Some network administrators prefer to use SNMP as the switch management interface. Settings that you view and configure by using the web-based Dell OpenManage Switch Administrator and the CLI are also available by using SNMP.
Table 12-1. SNMP Defaults
Parameter             Default Value
QoS traps             Enabled
Multicast traps       Disabled
Captive Portal traps  Disabled
OSPF traps            Disabled

Table 12-2 describes the two views that are defined by default.

Table 12-2. SNMP Default Views
View Name     OID Subtree         View Type
Default       iso                 Included
              snmpVacmMIB         Excluded
              usmUser             Excluded
              snmpCommunityTable  Excluded
DefaultSuper  iso                 Included

By default, three groups are defined. Table 12-3 describes the groups.
Configuring SNMP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the SNMP agent on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. NOTE: For some features, the control to enable or disable traps is available from a configuration page for that feature and not from the Trap Manager pages that this chapter describes.
SNMP View Settings Use the SNMP View Settings page to create views that define which features of the device are accessible and which are blocked. You can create a view that includes or excludes OIDs corresponding to interfaces. To display the View Settings page, click System → SNMP → View Settings in the navigation panel. Figure 12-2. SNMP View Settings Adding an SNMP View To add a view: 1 Open the View Settings page. 2 Click Add.
Figure 12-3. Add View 3 Specify a name for the view and a valid SNMP OID string. 4 Select the view type. 5 Click Apply. The SNMP view is added, and the device is updated. Click Show All to view information about configured SNMP Views.
Access Control Group
Use the Access Control Group page to view information for creating SNMP groups, and to assign SNMP access privileges. Groups allow network managers to assign access rights to specific device features or feature aspects. To display the Access Control Group page, click System → SNMP → Access Control in the navigation panel. Figure 12-4. SNMP Access Control Group
Adding an SNMP Group
To add a group:
1 Open the Access Control Configuration page.
2 Click Add.
Figure 12-5. Add Access Control Group
3 Specify a name for the group.
4 Select a security model and level.
5 Define the context prefix and the operation.
6 Click Apply to update the switch.
Click Show All to view information about existing access control configurations.
SNMPv3 User Security Model (USM) Use the User Security Model page to assign system users to SNMP groups and to define the user authentication method. NOTE: You can also use the Local User Database page under Management Security to configure SNMPv3 settings for users. For more information, see "Configuring Authentication, Authorization, and Accounting" on page 181. To display the User Security Model page, click System → SNMP → User Security Model in the navigation panel. Figure 12-6.
Figure 12-7. Add Local Users 3 Define the relevant fields. 4 Click Apply to update the switch. Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users. Adding Remote SNMPv3 Users to a USM To add remote users: 1 Open the SNMPv3 User Security Model page. 2 Click Add Remote User.
Figure 12-8. Add Remote Users 3 Define the relevant fields. 4 Click Apply to update the switch. Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users.
Communities
Access rights for SNMPv1 and SNMPv2 are managed by defining communities on the Communities page. When the community names are changed, access rights are also changed. SNMP Communities are defined only for SNMP v1 and SNMP v2. To display the Communities page, click System → SNMP → Communities in the navigation panel. Figure 12-9. SNMP Communities
Adding SNMP Communities
To add a community:
1 Open the Communities page.
2 Click Add.
Figure 12-10. Add SNMPv1,2 Community 3 Specify the IP address of an SNMP management station and the community string to act as a password that will authenticate the management station to the SNMP agent on the switch. 4 Select the access mode. 5 Click Apply to update the switch. Click Show All to view the communities that have already been configured.
Notification Filter Use the Notification Filter page to set filtering traps based on OIDs. Each OID is linked to a device feature or a feature aspect. The Notification Filter page also allows you to filter notifications. To display the Notification Filter page, click System → SNMP → Notification Filters in the navigation panel. Figure 12-11. SNMP Notification Filter Adding a Notification Filter To add a filter: 1 Open the Notification Filter page. 2 Click Add.
Figure 12-12. Add Notification Filter
3 Specify the name of the filter and the OID for the filter.
4 Choose whether to send (include) traps or informs to the trap recipient or prevent the switch from sending (exclude) the traps or informs.
5 Click Apply to update the switch.
Click Show All to view information about the filters that have already been configured.
Figure 12-13. SNMP Notification Recipient Adding a Notification Recipient To add a recipient: 1 Open the Notification Recipient page. 2 Click Add.
Figure 12-14. Add Notification Recipient
3 Specify the IP address or hostname of the host to receive notifications.
4 Select whether to send traps or informs to the specified recipient.
5 Define the relevant fields for the SNMP version you use.
6 Configure information about the port on the recipient.
7 Click Apply to update the switch.
Click Show All to view information about the recipients that have already been configured.
Trap Flags The Trap Flags page is used to specify which traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log. To access the Trap Flags page, click Statistics/RMON → Trap Manager → Trap Flags in the navigation panel. Figure 12-15.
OSPFv2 Trap Flags The OSPFv2 Trap Flags page is used to specify which OSPFv2 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log. To access the OSPFv2 Trap Flags page, click Statistics/RMON → Trap Manager → OSPFv2 Trap Flags in the navigation panel. Figure 12-16.
OSPFv3 Trap Flags The OSPFv3 Trap Flags page is used to specify which OSPFv3 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log. To access the OSPFv3 Trap Flags page, click Statistics/RMON → Trap Manager → OSPFv3 Trap Flags in the navigation panel. Figure 12-17.
Trap Log The Trap Log page is used to view entries that have been written to the trap log. To access the Trap Log page, click Statistics/RMON → Trap Manager → Trap Log in the navigation panel. Figure 12-18. Trap Logs Click Clear to delete all entries from the trap log.
Configuring SNMP (CLI)
This section provides information about the commands you use to manage and view SNMP features on the switch. For more information about these commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.
Configuring the SNMPv3 Engine ID
To use SNMPv3, the switch must have an engine ID. You can specify your own ID or use the default string that is generated using the MAC address of the switch.
Command Purpose snmp-server engineID local {engineid-string | default} Configure the SNMPv3 Engine ID. • engineid-string — The character string that identifies the engine ID. The engine ID is a concatenated hexadecimal string. Each byte in hexadecimal character strings is two hexadecimal digits. Each byte can be separated by a period or colon. (Range: 6-32 characters) • default — The engineID is created automatically, based on the device MAC address. exit Exit to Privileged EXEC mode.
Command Purpose snmp-server group groupname {v1 | v2 | v3 {noauth | auth | priv} [notify view-name]} [context view-name] [read view-name] [write view-name] Specify the identity string of the receiver and set the receiver timeout value. • groupname — Specifies the name of the group. (Range: 1-30 characters.) • v1 — Indicates the SNMP Version 1 security model. • v2 — Indicates the SNMP Version 2 security model. • v3 — Indicates the SNMP Version 3 security model.
Command Purpose snmp-server user Configure a new SNMPv3 user. username groupname • username — Specifies the name of the user on the host [remote engineid-string] that connects to the agent. (Range: 1-30 characters.) [{auth-md5 password | • groupname — Specifies the name of the group to which auth-sha password | the user belongs. (Range: 1-30 characters.
Command                       Purpose
show snmp group [group_name]  View SNMP group configuration information.
show snmp user [user_name]    View SNMP user configuration information.

Configuring Communities
Beginning in Privileged EXEC mode, use the following commands to configure access rights for SNMPv1 and SNMPv2.

Command    Purpose
configure  Enter Global Configuration mode.
snmp-server community string [ro | rw | su]
           Configure the community string and specify access criteria for the community.
Command    Purpose
snmp-server community-group community-string group-name [ipaddress ip-address]
    Map the internal security name for SNMP v1 and SNMP v2 security models to the group name.
    • community-string — Community string that acts like a password and permits access to the SNMP protocol. (Range: 1-20 characters)
    • group-name — Name of a previously defined group. The group defines the objects available to the community. (Range: 1-30 characters)
    • ip-address — Management station IP address.
Configuring SNMP Notifications (Traps and Informs)
Beginning in Privileged EXEC mode, use the following commands to allow the switch to send SNMP traps and to configure which traps are sent.
Command    Purpose
configure
    Enter Global Configuration mode
snmp-server enable traps [acl | all | auto-copy-sw | captive-portal cp-type | dot1q | dvrmp | link | maclock | multipleusers | ospf ospftype | ospfv3 ospfv3type | pim | poe | snmp authentication | spanning-tree | stack | vrrp]
    Specify the traps to enable.
Command    Purpose
snmp-server host host-addr [informs [timeout seconds] [retries retries] | traps version {1 | 2}]] community-string [udp
    For SNMPv1 and SNMPv2, configure the system to receive SNMP traps or informs.
    • host-addr — Specifies the IP address of the host (targeted recipient) or the name of the host. (Range: 1-158 characters).
Command    Purpose
snmp-server v3-host {ip-address | hostname} username {traps | informs} [noauth | auth | priv] [timeout seconds] [retries retries] [udpport port] [filter filtername]
    For SNMPv3, configure the system to receive SNMP traps or informs.
    • ip-address — Specifies the IP address of the host (targeted recipient).
    • hostname — Specifies the name of the host. (Range: 1-158 characters.)
    • username — Specifies user name used to generate the notification. (Range: 1-25 characters.
SNMP Configuration Examples
This section contains the following examples:
• Configuring SNMPv1 and SNMPv2
• Configuring SNMPv3
Configuring SNMPv1 and SNMPv2
This example shows how to complete a basic SNMPv1/v2 configuration. The commands enable read-only access from any host to all objects on the switch using the community string public, and enable read-write access from any host to all objects on the switch using the community string private.
Community-String   Group Name      IP Address
----------------   -------------   -----------
private            DefaultWrite    All
public             DefaultRead     All

Traps are enabled.
Authentication trap is enabled.

Version 1,2 notifications
Target Addr.   Type   Community   Version    UDP     Filter   TO
                                             Port    Name     Sec
------------   ----   ---------   --------   -----   --
192.168.3.65   Trap   public      1          162

Version 3 notifications
Target Addr.
3 Create the user admin, assign the user to the group, and specify the authentication credentials.
console(config)#snmp-server user admin group_snmpv3 auth-md5 secretkey
4 Specify the IP address of the host where traps are to be sent. Packet authentication using MD5-SHA is enabled for the traps.
console(config)#snmp-server v3-host 192.168.3.35 admin traps auth
console(config)#exit
5 View the current SNMP configuration on the switch. The output includes the SNMPv1/2 configuration in the previous example.
console#show snmp views
Name                 OID Tree                   Type
------------------   ------------------------   ------------
Default              iso                        Included
Default              snmpVacmMIB                Excluded
Default              usmUser                    Excluded
Default              snmpCommunityTable         Excluded
view_snmpv3          internet                   Included
DefaultSuper         iso                        Included

console#show snmp group
Name           Context    Model    Security
               Prefix              Level
------------   --------   ------   --------
DefaultRead    ""         V1       NoAu
DefaultRead    ""         V2
DefaultSuper   ""         V1
DefaultSuper   ""         V2
DefaultWrite   ""         V1
DefaultWrite   ""         V2
group_snmpv3   ""         V3
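The two examples above leave the switch with the community strings public and private, read-write access from any host, an SNMPv3 user authenticated with auth-md5, and SNMPv3 traps sent at the auth level. The following is an added example, not code from this guide or from Dell, that reviews pasted configuration lines for those settings. The rule names and the sample lines are constructed for the illustration, and treating an ipaddress keyword on the community command as a host restriction is an assumption carried over from the community-group syntax shown earlier.

```python
import re
from typing import List, NamedTuple

# Community strings used by the guide's SNMPv1/v2 example; both are widely known.
WELL_KNOWN_COMMUNITIES = {"public", "private"}
# Strips a leading CLI prompt such as "console(config)#" from pasted session lines.
PROMPT = re.compile(r"^\s*console(?:\([^)]*\))?#\s*")


class Finding(NamedTuple):
    line: int    # 1-based line number in the supplied text
    rule: str    # rule identifier (names are this example's own)
    detail: str  # explanation; never echoes passwords or community strings


def audit_snmp(config: str) -> List[Finding]:
    """Return findings for the snmp-server commands described in this chapter."""
    findings: List[Finding] = []
    for number, raw in enumerate(config.splitlines(), start=1):
        tokens = PROMPT.sub("", raw).split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue  # blank lines, "!" comments and unrelated commands
        verb, args = tokens[1], tokens[2:]

        if verb == "community":
            access = args[1] if len(args) > 1 else ""
            if args[0].lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(Finding(number, "default-community",
                                        "well-known community string in use"))
            # Assumption: "ipaddress" restricts the community to one station.
            if access in ("rw", "su") and "ipaddress" not in args:
                findings.append(Finding(number, "write-any-host",
                                        f"{access} access is not limited to a management station"))
        elif verb == "user":
            if "auth-md5" in args:
                findings.append(Finding(number, "weak-auth-md5",
                                        "SNMPv3 user authenticates with MD5; auth-sha is available"))
            elif "auth-sha" not in args:
                findings.append(Finding(number, "user-noauth",
                                        "SNMPv3 user has no authentication protocol"))
        elif verb == "v3-host":
            # args: host, username, traps|informs, then optional security level
            level = next((a for a in args[3:] if a in ("noauth", "auth", "priv")), None)
            if level != "priv":
                findings.append(Finding(number, "notify-no-priv",
                                        "SNMPv3 notifications are sent without the priv level"))
        elif verb == "host":
            findings.append(Finding(number, "v1v2c-notify",
                                    "SNMPv1/v2 notifications carry the community string in clear text"))
    return findings


# Constructed sample: lines 4 and 5 are from the SNMPv3 example above, the rest
# are built from the command syntax in this chapter.
SAMPLE = """\
console(config)#snmp-server community public ro
console(config)#snmp-server community private rw
console(config)#snmp-server host 192.168.3.65 traps version 1 public
console(config)#snmp-server user admin group_snmpv3 auth-md5 secretkey
console(config)#snmp-server v3-host 192.168.3.35 admin traps auth
console(config)#snmp-server user ops group_snmpv3 auth-sha examplepass
"""

if __name__ == "__main__":
    for f in audit_snmp(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```
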
13 Managing Images and Files
This chapter describes how to upload, download, and copy files, such as firmware images and configuration files, on the switch.
Table 13-1. Files to Manage
File                    Action                   Description
image                   Download, Upload, Copy   Firmware for the switch. The switch can maintain two images: the active image and the backup image.
startup-config          Download, Upload, Copy   Contains the software configuration that loads during the boot process.
running-config          Download, Upload, Copy   Contains the current switch configuration.
backup-config           Download, Upload, Copy   An additional configuration file that serves as a backup.
SSL certificate files   Download                 Contains information to encrypt, authenticate, and validate HTTPS sessions.
changes that take place after the boot process completes are written to the running-config file. The backup-config file does not exist until you explicitly create one by copying an existing configuration file to the backup-config file or downloading a backup-config file to the switch. You can also create configuration scripts, which are text files that contain CLI commands.
NOTE: You must use the CLI to manage configuration scripts.
What Methods Are Supported for File Management?
You can use any of the following protocols to download files from a remote system to the switch or to upload files from the switch to a remote system:
• TFTP
• SFTP
• SCP
• FTP
• HTTP (Web only)
• HTTPS (Web only)
What Factors Should Be Considered When Managing Files?
Uploading and Downloading Files
To use TFTP, SFTP, SCP, or FTP for file management, you must provide the IP address of the remote system that is running the appropriate server (TFTP,
Editing and Downloading Configuration Files Each configuration file contains a list of executable CLI commands. The commands must be complete and in a logical order, as if you were entering them by using the switch CLI. When you download a startup-config or backup-config file to the switch, the new file replaces the previous version. To change the running-config file, you execute CLI commands either by typing them into the CLI or by applying a configuration script with the script apply command.
! Display information about direct connections show serial ! End of the script file Managing Files on a Stack Image files downloaded to the master unit of a stack are automatically downloaded to all stack members. If you activate the backup image on the master, it is activated on all units as well so that when you reload the stack, all units use the same image.
Managing Images and Files (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. File System Use the File System page to view a list of the files on the device and to modify the image file descriptions. To display the File System page, click System → File Management → File System in the navigation panel. Figure 13-1.
Active Images Use the Active Images page to set the firmware image to use when the switch boots. If you change the boot image, it does not become the active image until you reset the switch. To display the Active Images page, click System → File Management → Active Images in the navigation panel. Figure 13-2.
File Download
Use the File Download page to download image (binary) files, SSH and SSL certificates, IAS User files, and configuration (ASCII) files from a remote server to the switch. To display the File Download page, click System → File Management → File Download in the navigation panel.
Figure 13-3. File Download
Downloading Files
To download a file to the switch:
1 Open the File Download page.
2 Select the type of file to download to the switch.
3 Select the transfer mode.
4 To download using HTTP, click Browse and select the file to download, then click Apply. 5 To download using any method other than HTTP, enter the IP address of the server that contains the file to download, the name of the file and the path on the server where it is located. For SFTP and SCP, provide the user name and password. 6 Click Apply to begin the download. NOTE: After you start a file download, the page refreshes and a transfer status field appears to indicate the number of bytes transferred.
File Upload Use the File Upload to Server page to upload configuration (ASCII), image (binary), IAS user, operational log, and startup log files from the switch to a remote server. To display the File Upload to Server page, click System → File Management → File Upload in the navigation panel. Figure 13-5. File Upload Uploading Files To upload a file from the switch to a remote system: 1 Open the File Upload page. 2 Select the type of file to download to the remote server. 3 Select the transfer mode.
NOTE: If you are using HTTPS to manage the switch, the download method will be HTTPS. 4 To upload by using HTTP, click Apply. A dialog box opens to allow you to open or save the file. Figure 13-6. File Upload 5 To upload by using any method other than HTTP, enter the IP address of the server and specify a name for the file. For SFTP and SCP, provide the user name and password. 6 Click Apply to begin the upload.
Copy Files Use the Copy Files page to: • Copy the active firmware image to one or all members of a stack. • Copy the running, startup, or backup configuration file to the startup or backup configuration file. • Restore the running configuration to the factory default settings. To display the Copy Files page, click System → File Management → Copy Files in the navigation panel. Figure 13-7.
Managing Images and Files (CLI) This section provides information about the commands you use to upload, download, and copy files to and from the PowerConnect M6220/M6348/M8024/M8024-k switch. For more information about these commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. It also describes the commands that control the Auto Configuration feature. NOTE: Upload, download, and copy functions use the copy command.
Managing Files in Internal Flash
Beginning in Privileged EXEC mode, use the following commands to copy, rename, delete and list the files in the internal flash.
Command    Purpose
dir
    List the files in the flash file system.
rename current_name new_name
    Rename a file in flash.
delete filename
    Remove the specified file.
erase {startup-config | backup-image | backup-
    Erase the startup configuration, the backup configuration or the backup image.
Uploading a Configuration File (SCP) Beginning in Privileged EXEC mode, use the following commands to upload a configuration file from the switch to a remote system by using SCP. Command Purpose copy file scp://user@{ip- Adds a description to an image file.
Managing Configuration Scripts (SFTP)
Beginning in Privileged EXEC mode, use the following commands to download a configuration script from a remote system to the switch, validate the script, and activate it.
NOTE: The startup-config and backup-config files are essentially configuration scripts and can be validated and applied by using the commands in this section.
Command    Purpose
copy sftp://user@{ipaddress|hostname}/path
    Downloads the specified script from the remote server to the switch.
File and Image Management Configuration Examples This section contains the following examples: • Upgrading the Firmware • Managing Configuration Scripts Upgrading the Firmware This example shows how to download a firmware image to the switch and activate it. The TFTP server in this example is PumpKIN, an open source TFTP server running on a Windows system. • TFTP server IP address: 10.27.65.103 • File path: \image • File name: dell_0308.
Figure 13-8. Image Path
3 View information about the current image.
console#show version
Image Descriptions
image1 :default image
image2 :
Images currently available on Flash
-------   ------------   ------------   ---------------   --------------
unit      image1         image2         current-active    next-active
-------   ------------   ------------   ---------------   --------------
1         4.1.0.7        5.0.0.8        image1            image1
4 Download the image to the switch. After you execute the copy command, you must verify that you want to start the download.
Destination Filename........................... image Management access will be blocked for the duration of the transfer Are you sure you want to start? (y/n)y 5 Activate the new image (image2) so that it becomes the active image after the switch resets. console#boot system image2 Activating image image2.. 6 View information about the current image.
Reloading all switches... Managing Configuration Scripts This example shows how to create a configuration script that adds three hostname-to-IP address mappings to the host table. To configure the switch: 1 Open a text editor on an administrative computer and type the commands as if you were entering them by using the CLI. Figure 13-9. Create Config Script 2 Save the file with an *.scr extension and copy it to the appropriate directory on your TFTP server.
Data Type...................................... Config Script Destination Filename........................... labhost.scr Management access will be blocked for the duration of the transfer 4 After you confirm the download information and the script successfully downloads, it is automatically validated for correct syntax. Are you sure you want to start? (y/n) y 135 bytes transferred Validating configuration script... configure exit configure ip host labpc1 192.168.3.56 ip host labpc2 192.168.3.
6 Verify that the script was successfully applied.
console#show hosts
Host name: test
Name/address lookup is enabled
Name servers (Preference order): 192.168.3.20
Configured host name-to-address mapping:
Host                       Addresses
------------------------   ------------------------
labpc1                     192.168.3.56
labpc2                     192.168.3.58
labpc3                     192.168.3.
14 Automatically Updating the Image and Configuration The topics covered in this chapter include: • Auto Configuration Overview • What Are the Dependencies for DHCP Auto Configuration? • Default Auto Configuration Values • Managing Auto Configuration (Web) • Managing Auto Configuration (CLI) • Auto Configuration Example Auto Configuration Overview The Auto Configuration feature can automatically update the firmware image and obtain configuration information when the switch boots.
3 Obtaining a configuration file for the switch from the TFTP server
Auto Configuration is successful when an image or configuration file is downloaded to the switch or stack master from a TFTP server.
NOTE: The downloaded configuration file is not automatically saved to startup-config. You must explicitly issue a save request (copy running-config startup-config) in order to save the configuration.
Obtaining IP Address Information
DHCP is enabled by default on the Out-of-Band (OOB) interface.
The DHCP client on the switch also processes the name of the text file (option 125, the V-I vendor-specific Information option) which contains the path to the image file.
Obtaining the Image
Auto Configuration attempts to download an image file from a TFTP server only if no configuration file was found in the internal flash, or if a saved configuration file exists and has Auto Configuration enabled. The network DHCP server returns a DHCP OFFER message with option 125.
Obtaining the Configuration File If the DHCP OFFER identifies a configuration file, either as option 67 or in the file field of the DHCP header, the switch attempts to download the configuration file. NOTE: The configuration file is required to have a file type of *.cfg. The TFTP client makes three unicast requests. If the unicast attempts fail, or if the DHCP OFFER did not specify a TFTP server address, the TFTP client makes three broadcast requests.
Table 14-1 summarizes the config files that may be downloaded and the order in which they are sought.
Table 14-1. Configuration File Possibilities
Order Sought   File Name      Description                                                   Final File Sought
1              bootfile.cfg   Host-specific config file, ending in a *.cfg file extension   Yes
2              dell-net.cfg   Default network config file                                   No
3              hostname.cfg   Host-specific config file, associated with hostname.          Yes
4              host.
Monitoring and Completing the DHCP Auto Configuration Process
When the switch boots and triggers an Auto Configuration, a message displays on the console screen to indicate that the process is starting. After the process completes, the Auto Configuration process writes a log message. When Auto Configuration has successfully completed, you can execute a show running-config command to validate the contents of the configuration.
What Are the Dependencies for DHCP Auto Configuration?
The Auto Configuration process from TFTP servers depends upon the following network services:
• A DHCP server must be configured on the network with appropriate services.
• An image file and a text file containing the image file name for the switch must be available from a TFTP server if DHCP image download is desired.
• A configuration file for the switch (identified either by the bootfile field or by option 67) must be available from a TFTP server.
Default Auto Configuration Values
Table 14-3 describes the Auto Configuration defaults.
Table 14-3. Auto Configuration Defaults
Feature             Default   Description
Auto Install Mode   Enabled   When the switch boots and no saved configuration is found, the Auto Configuration automatically begins.
Retry Count         3         When the DHCP or BootP server returns information about the TFTP server and bootfile, the switch makes three unicast TFTP requests for the specified bootfile.
Managing Auto Configuration (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.
Managing Auto Configuration (CLI)
This section provides information about the commands you use to manage the Auto-Install Configuration feature on the switch. For more information about these commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.
Auto Configuration Example A network administrator is deploying three PowerConnect switches and wants to quickly and automatically install the latest image and a common configuration file that configures basic settings such as VLAN creation and membership, RADIUS server settings, and 802.1X information. The configuration file also contains the command boot host autosave so that the downloaded configuration is automatically saved to the startup config.
5 Connect a port (OOB port for out-of-band management or any switch port for in-band management) on each switch to the network. 6 Boot the switches.
15 Monitoring Switch Traffic
This chapter describes sFlow features, Remote Monitoring (RMON), and Port Mirroring features. The topics covered in this chapter include:
• Traffic Monitoring Overview
• Default Traffic Monitoring Values
• Monitoring Switch Traffic (Web)
• Monitoring Switch Traffic (CLI)
• Traffic Monitoring Configuration Examples
Traffic Monitoring Overview
The switch maintains statistics about network traffic that it handles.
sampled traffic statistics to the sFlow Collector for analysis. You can specify up to eight different sFlow receivers to which the switch sends sFlow datagrams.
Figure 15-1. sFlow Architecture
The advantages of using sFlow are:
• It is possible to monitor all ports of the switch continuously, with no impact on the distributed switching performance.
• Minimal memory/CPU is required.
sFlow Sampling The sFlow Agent in the PowerConnect software uses two forms of sampling: • Statistical packet-based sampling of switched or routed Packet Flows • Time-based sampling of counters Packet Flow Sampling and Counter Sampling are performed by sFlow Instances associated with individual Data Sources within an sFlow Agent. Both types of samples are combined in sFlow datagrams. Packet Flow Sampling creates a steady, but random, stream of sFlow datagrams that are sent to the sFlow Collector.
Counter Sampling The primary objective of Counter Sampling is to efficiently, periodically export counters associated with Data Sources. A maximum Sampling Interval is assigned to each sFlow instance associated with a Data Source. Counter Sampling is accomplished as follows: • sFlow Agents keep a list of counter sources being sampled. • When a Packet Flow Sample is generated the sFlow Agent examines the list and adds counters to the sample datagram, least recently sampled first.
The RMON agent in the switch supports the following groups: • Group 1—Statistics. Contains cumulative traffic and error statistics. • Group 2—History. Generates reports from periodic traffic sampling that are useful for analyzing trends. • Group 3 —Alarm. Enables the definition and setting of thresholds for various counters. Thresholds can be passed in either a rising or falling direction on existing MIB objects, primarily those in the Statistics group.
The packet that is copied to the destination port is in the same format as the original packet on the wire. This means that if the mirror is copying a received packet, the copied packet is VLAN tagged or untagged as it was received on the source port. If the mirror is copying a transmitted packet, the copied packet is VLAN tagged or untagged as it is being transmitted on the source port.
Monitoring Switch Traffic (Web) This section provides information about the OpenManage Switch Administrator pages to use to monitor network traffic on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. sFlow Agent Summary Use the sFlow Agent Summary page to view information about sFlow MIB and the sFlow Agent IP address. To display the Agent Summary page, click System → sFlow → Agent Summary in the navigation panel. Figure 15-2.
sFlow Receiver Configuration Use the sFlow Receiver Configuration page to configure settings for the sFlow receiver to which the switch sends sFlow datagrams. You can configure up to eight sFlow receivers that will receive datagrams. To display the Receiver Configuration page, click System → sFlow → Receiver Configuration in the navigation panel. Figure 15-3. sFlow Receiver Configuration Click Show All to view information about configured sFlow receivers.
sFlow Sampler Configuration
Use the sFlow Sampler Configuration page to configure the sFlow sampling settings for switch ports. To display the Sampler Configuration page, click System → sFlow → Sampler Configuration in the navigation panel.
Figure 15-4. sFlow Sampler Configuration
Click Show All to view information about configured sampler data sources.
sFlow Poll Configuration
Use the sFlow Poll Configuration page to configure how often a port should collect counter samples. To display the Sampler Configuration page, click System → sFlow → Sampler Configuration in the navigation panel.
Figure 15-5. sFlow Poll Configuration
Click Show All to view information about the ports configured to collect counter samples.
Interface Statistics Use the Interface Statistics page to display statistics for both received and transmitted packets. The fields for both received and transmitted packets are identical. To display the page, click Statistics/RMON → Table Views → Interface Statistics in the navigation panel. Figure 15-6.
Etherlike Statistics Use the Etherlike Statistics page to display interface statistics. To display the page, click Statistics/RMON → Table Views → Etherlike Statistics in the navigation panel. Figure 15-7.
GVRP Statistics Use the GVRP Statistics page to display switch statistics for GVRP. To display the page, click Statistics/RMON → Table Views → GVRP Statistics in the navigation panel. Figure 15-8.
EAP Statistics Use the EAP Statistics page to display information about EAP packets received on a specific port. For more information about EAP, see "Configuring Port and System Security" on page 481. To display the EAP Statistics page, click Statistics/RMON → Table Views → EAP Statistics in the navigation panel. Figure 15-9.
Utilization Summary Use the Utilization Summary page to display interface utilization statistics. To display the page, click Statistics/RMON → Table Views → Utilization Summary in the navigation panel. Figure 15-10.
Counter Summary Use the Counter Summary page to display interface utilization statistics in numeric sums as opposed to percentages. To display the page, click Statistics/RMON → Table Views → Counter Summary in the navigation panel. Figure 15-11.
Switchport Statistics Use the Switchport Statistics page to display statistical summary information about switch traffic, address tables, and VLANs. To display the page, click Statistics/RMON → Table Views → Switchport Statistics in the navigation panel. Figure 15-12.
RMON Statistics Use the RMON Statistics page to display details about switch use such as packet processing statistics and errors that have occurred on the switch. To display the page, click Statistics/RMON → RMON → Statistics in the navigation panel. Figure 15-13.
RMON History Control Statistics Use the RMON History Control page to maintain a history of statistics on each port. For each interface (either a physical port or a port-channel), you can define how many buckets exist, and the time interval between each bucket snapshot. To display the page, click Statistics/RMON → RMON → History Control in the navigation panel. Figure 15-14. RMON History Control Adding a History Control Entry To add an entry: 1 Open the RMON History Control page. 2 Click Add.
Figure 15-15. Add History Entry 3 Select the port or LAG on which you want to maintain a history of statistics. 4 Specify an owner, the number of historical buckets to keep, and the sampling interval. 5 Click Apply to add the entry to the RMON History Control Table. To view configured history entries, click the Show All tab. The RMON History Control Table displays. From this page, you can remove configured history entries.
RMON History Table Use the RMON History Table page to display interface-specific statistical network samplings. Each table entry represents all counter values compiled during a single sample. To display the RMON History Table page, click Statistics/RMON → RMON → History Table in the navigation panel. Figure 15-16.
RMON Event Control Use the RMON Events Control page to define RMON events. Events are used by RMON alarms to force some action when a threshold is crossed for a particular RMON counter. The event information can be stored in a log and/or sent as a trap to a trap receiver. To display the page, click Statistics/RMON → RMON → Event Control in the navigation panel. Figure 15-17. RMON Event Control Adding an RMON Event To add an event: 1 Open the RMON Event Control page. 2 Click Add.
Figure 15-18. Add an Event Entry 3 If the event sends an SNMP trap, specify the SNMP community to receive the trap. 4 Optionally, provide a description of the event and the name of the event owner. 5 Select an event type. 6 Click Apply. The event is added to the RMON Event Table, and the device is updated. Viewing, Modifying, or Removing an RMON Event To manage an event: 1 Open the RMON Event Control page. 2 Click Show All to display the Event Control Table page.
RMON Event Log Use the RMON Event Log page to display a list of RMON events. To display the page, click Statistics/RMON → RMON → Events Log in the navigation panel. Figure 15-19.
RMON Alarms Use the RMON Alarms page to set network alarms. Alarms occur when certain thresholds are crossed for the configured RMON counters. The alarm triggers an event to occur. The events can be configured as part of the RMON Events group. For more information about events, see "RMON Event Log" on page 392. To display the page, click Statistics/RMON → RMON → Alarms in the navigation panel. Figure 15-20.
Adding an Alarm Table Entry To add an alarm: 1. Open the RMON Alarms page. 2. Click Add. The Add an Alarm Entry page displays. Figure 15-21. Add an Alarm Entry 3. Complete the fields on this page as needed. Use the help menu to learn more information about the data required for each field. 4. Click Apply. The RMON alarm is added, and the device is updated. To view configured alarm entries, click the Show All tab. The Alarms Table displays. From this page, you can remove configured alarms.
Port Statistics Use the Port Statistics page to chart port-related statistics on a graph. To display the page, click Statistics/RMON → Charts → Port Statistics in the navigation panel. Figure 15-22. Ports Statistics To chart port statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.
LAG Statistics Use the LAG Statistics page to chart LAG-related statistics on a graph. To display the page, click Statistics/RMON → Charts → LAG Statistics in the navigation panel. Figure 15-23. LAG Statistics To chart LAG statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.
Port Mirroring Use the Port Mirroring page to create a mirroring session in which all traffic that is sent or received (or both) on one or more source ports is mirrored to a destination port. To display the Port Mirroring page, click Switching → Ports → Traffic Mirroring → Port Mirroring in the navigation panel. Figure 15-24. Port Mirroring Configuring a Port Mirror Session To configure port mirroring: 1 Open the Port Mirroring page. 2 Click Add. The Add Source Port page displays.
Figure 15-25. Add Source Port 5 Click Apply. 6 Repeat the previous steps to add additional source ports. 7 Click Port Mirroring to return to the Port Mirroring page. 8 Enable the administrative mode and specify the destination port. Figure 15-26. Configure Additional Port Mirroring Settings 9 Click Apply.
Monitoring Switch Traffic (CLI) This section provides information about the commands you use to manage traffic monitoring features on the switch and to view information about switch traffic. For more information about these commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring sFlow Beginning in Privileged EXEC mode, use the following commands to configure the sFlow receiver and to configure the sampling and polling on switch interfaces.
Command    Purpose
sflow rcvr-index polling if_type if_number poll-interval
    Enable a new sFlow poller instance on an interface range.
    • rcvr-index — The sFlow Receiver associated with the poller (Range: 1–8).
    • if_type if_number — The list of interfaces to poll. The interface type can be Gigabitethernet (gi) or Tengigabitethernet (te), for example gi1/0/3-5 enables polling on ports 3, 4, and 5.
    • poll-interval — The sFlow instance polling interval.
Command    Purpose
CTRL + Z
    Exit to Privileged Exec mode.
show sflow agent
    View information about the switch sFlow agent.
show sflow index destination
    View information about a configured sFlow receiver.
show sflow index polling
    View information about the configured sFlow poller instances for the specified receiver.
show sflow index sampling
    View information about the configured sFlow sampler instances for the specified receiver.
Command    Purpose
rmon alarm number variable interval {absolute |delta} rising-threshold value [event-number] rising-threshold value [event-number] [startup direction] [owner string]
    Add an alarm entry
    • number — The alarm index. (Range: 1–65535)
    • variable — A fully qualified SNMP object identifier that resolves to a particular instance of an MIB object.
    • interval — The interval in seconds over which the data is sampled and compared with the rising and falling thresholds.
Command Purpose rmon collection history index [owner ownername] [buckets bucket-number] [interval seconds] Enable an RMON MIB history statistics group on the interface. NOTE: You must configure RMON alarms and events before RMON collection history is able to display. • index — The requested statistics index group. (Range: 1–65535) • ownername — Records the RMON statistics group owner name. If unspecified, the name is an empty string.
Configuring Port Mirroring
Use the following commands in Privileged EXEC mode to configure a port mirroring session.
Command    Purpose
configure
    Enter Global Configuration mode
monitor session session_number source interface {cpu | interface} [rx | tx]
    Configure a source (monitored) port or CPU interface for a monitor session.
    • session_number — The monitoring session ID, which is always 1.
    • interface — The Ethernet interface to be monitored.
    • rx | tx — Monitor ingress (rx) or egress (tx) traffic.
Traffic Monitoring Configuration Examples
This section contains the following examples:
• Configuring sFlow
• Configuring RMON
Configuring sFlow
This example shows how to configure the switch so that ports 10-15 and port 23 send sFlow datagrams to an sFlow receiver at the IP address 192.168.20.34. The receiver owner is receiver1, and the timeout is 100000 seconds. A counter sample is generated on the ports every 60 seconds (polling interval), and 1 out of every 8192 packets is sampled.
Address Type...................... Port.............................. Datagram Version.................. Maximum Datagram Size.............
Configuring RMON
This example generates a trap and creates a log entry when the number of inbound packets that are undeliverable due to errors increases by 20 or more. First, an RMON event is created. Then, the alarm is created. The event (event 1) generates a trap and creates a log entry. The alarm is configured for the MIB object ifInErrors (OID: 1.3.6.1.2.1.2.2.1.14.1). The OID is the variable.
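The following added example (not part of the Dell guide) models how a delta-type RMON alarm on ifInErrors with a rising threshold of 20 decides when to fire event 1, including the hysteresis that suppresses repeat alarms and a 32-bit counter wrap. The falling threshold of 1, the counter readings, and the choice to let the first sample raise either alarm are assumptions made for the illustration.

```python
"""Model of an RMON delta alarm with rising/falling hysteresis (added example)."""

COUNTER32_MODULUS = 2 ** 32  # ifInErrors is a 32-bit SNMP counter


def delta_values(readings):
    """Turn successive counter readings into per-interval increases.

    The modulo keeps the result correct when the counter wraps past 2**32 - 1.
    """
    return [(cur - prev) % COUNTER32_MODULUS
            for prev, cur in zip(readings, readings[1:])]


def evaluate_alarm(values, rising, falling):
    """Return [(sample_index, "rising" | "falling"), ...] for the sampled values.

    Hysteresis: after a rising alarm fires, another rising alarm cannot fire
    until the value has dropped to the falling threshold, and the reverse.
    Assumption: the first sample is allowed to raise either alarm.
    """
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")
    events = []
    last = None  # direction of the most recent alarm
    for index, value in enumerate(values):
        if value >= rising and last != "rising":
            last = "rising"
            events.append((index, last))
        elif value <= falling and last != "falling":
            last = "falling"
            events.append((index, last))
    return events


def rising_alarm_intervals(readings, rising=20, falling=1):
    """Intervals in which event 1 (trap plus log entry) would be generated."""
    deltas = delta_values(readings)
    return [i for i, kind in evaluate_alarm(deltas, rising, falling)
            if kind == "rising"]


# Constructed ifInErrors readings, one per sampling interval.
SAMPLE_READINGS = [100, 105, 130, 160, 165, 166, 200]
# Constructed readings in which the counter wraps between two samples.
WRAP_READINGS = [4294967290, 14]

if __name__ == "__main__":
    print("deltas:", delta_values(SAMPLE_READINGS))
    print("alarms:", evaluate_alarm(delta_values(SAMPLE_READINGS), 20, 1))
    print("event 1 fires in intervals:", rising_alarm_intervals(SAMPLE_READINGS))
    print("wrap case:", rising_alarm_intervals(WRAP_READINGS))
```

The second burst of 30 errors raises no new trap because the alarm has not yet re-armed, which is worth remembering when a log shows a single trap for a long-running error condition.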
16 Configuring iSCSI Optimization This chapter describes how to configure Internet Small Computer System Interface (iSCSI) optimization, which enables special quality of service (QoS) treatment for iSCSI traffic.
What Does iSCSI Optimization Do?
In networks containing iSCSI initiators and targets, iSCSI Optimization helps to monitor iSCSI sessions or give iSCSI traffic preferential QoS treatment. Classifier rules generated dynamically by snooping iSCSI traffic are used to direct iSCSI data traffic to queues that can be given the desired preference characteristics over other data traveling through the switch.
Application Priority TLVs received from the configuration source are proxied to the other ports. When iSCSI CoS mode is enabled, iSCSI login sessions up to the switch limits are tracked, and data packets for those sessions are given the configured CoS treatment. iSCSI sessions in excess of the switch limits are not given the configured CoS treatment; therefore, it is not advisable to exceed the iSCSI session limit.
• Initiator's IP Address
• Target's IP Address
• ISID (Initiator defined session identifier)
• Initiator's IQN (iSCSI Qualified Name)
• Target's IQN
• Initiator's TCP Port
• Target's TCP Port
If no iSCSI traffic is detected for a session for a configurable aging period, the session data is cleared.
How Does iSCSI Optimization Interact With Dell EqualLogic Arrays? The iSCSI feature includes auto-provisioning support with the ability to detect directly connected Dell EqualLogic (EQL) SAN storage arrays and automatically reconfigure the switch to enhance storage traffic flows. The PowerConnect M6220, M6348, M8024, and M8024-k switches use LLDP, a vendor-neutral protocol, to discover Dell EQL devices on the network. LLDP is enabled by default.
How Does iSCSI Optimization Interact with DCBx? The Data Center Bridging Exchange (DCBx) component supports the reception, decoding, and transmission of the Application Priority TLV. In general, if the Application Priority TLV has been received from the configuration source, it will be transmitted to the other auto configuration ports. The DCBx component contains a control to generate the Application Priority TLV for iSCSI if it is not already present in the DCBX information.
iSCSI CoS and Priority Flow Control/Enhanced Transmission Selection Interactions When manually or automatically enabling the classification of iSCSI flows on PC80xx/PCM8024-k/PC81xx series switches, enabling iSCSI CoS is not recommended. When using manual configuration of the switch or auto-configuration via DCBX, the iSCSI packets are classified based on the user priority present in the VLAN tag and, in this case, enabling iSCSI CoS classification via the iSCSI command set provides no benefit.
Default iSCSI Optimization Values
Table 16-1 shows the default values for the iSCSI optimization feature.
Table 16-1. iSCSI Optimization Defaults
Parameter                            Default Value
iSCSI Optimization Global Status     Enabled
iSCSI CoS mode                       Disabled
Jumbo Frames                         Disabled
Spanning-tree Portfast               Disabled
Unicast Storm Control                Disabled
Classification                       iSCSI packets are classified by VLAN instead of by DSCP values.
VLAN Priority tag                    iSCSI flows are assigned by default the highest 802.
Configuring iSCSI Optimization (Web)
This section provides information about the OpenManage Switch Administrator pages to use to configure the iSCSI features on a PowerConnect M6348, M8024, or M8024-k switch. For details about the fields on a page, click at the top of the page.
iSCSI Global Configuration
Use the Global Configuration page to allow the switch to snoop for iSCSI sessions/connections and to configure QoS treatment for packets where the iSCSI protocol is detected.
iSCSI Targets Table Use the Targets Table page to view and configure iSCSI targets on the switch. To access the Targets Table page, click System → iSCSI → Targets in the navigation panel. Figure 16-2. iSCSI Targets Table To add an iSCSI Target, click Add at the top of the page and configure the relevant information about the iSCSI target. Figure 16-3.
iSCSI Sessions Table
Use the Sessions Table page to view summary information about the iSCSI sessions that the switch has discovered. An iSCSI session occurs when an iSCSI initiator and iSCSI target communicate over one or more TCP connections. The maximum number of iSCSI sessions is 192. Redundant (MPIO) paths may not be accounted for in the iSCSI sessions table if a separate iSCSI login is not issued during establishment of the session.
iSCSI Sessions Detailed
Use the Sessions Detailed page to view detailed information about the iSCSI sessions that the switch has discovered. To access the Sessions Detailed page, click System → iSCSI → Sessions Detailed in the navigation panel. Figure 16-5.
Configuring iSCSI Optimization (CLI) This section provides information about the commands you use to configure iSCSI settings on the PowerConnect M6348, M8024, or M8024-k switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Command Purpose configure Enter Global Configuration mode. iSCSI optimization is enabled by default. iscsi target port tcp-port-1 [tcp-port-2...
Command Purpose
iscsi cos {enable | disable | vpt vpt | dscp dscp} [remark]
    Optionally set the quality of service profile that will be applied to iSCSI flows.
    • enable—Enables application of preferential QoS treatment to iSCSI frames. On switches that support DCBX, this also enables the generation of the Application Priority TLV for iSCSI.
    • disable—Disables application of preferential QoS treatment to iSCSI frames.
    • vpt/dscp—The VLAN Priority Tag or DSCP value to assign received iSCSI session packets.
iSCSI Optimization Configuration Examples
iSCSI optimization is enabled by default with the appropriate settings to operate properly in almost all configurations. However, if you find it necessary to alter those settings, the following procedure illustrates the configuration steps required.
The following commands show how to configure the iSCSI example depicted in Figure 16-6. Remember that iSCSI optimization is enabled by default.
1 Set the MTU to 9216 to enable the use of jumbo frames.
console#config
console(config)#ip mtu 9216
2 Optionally configure the switch to associate CoS queue 5 with detected iSCSI session traffic.
17 Configuring Captive Portal
This chapter describes how to configure the Captive Portal feature.
NOTE: The Captive Portal feature is not available on the M6220, M8024, and M8024-k switches.
Figure 17-1. Connecting to the Captive Portal (diagram labels: RADIUS Server (Optional); Switch with Captive Portal; Captive Portal User (Host); Default Captive Portal Welcome Screen, displayed in the Captive Portal User’s browser)
The Captive Portal feature blocks hosts connected to the switch from accessing the network until user verification has been established. You can configure Captive Portal verification to allow access for both guest and authenticated users.
You can configure the switch to send SNMP trap messages to any enabled SNMP Trap Receivers for several Captive Portal events, such as when a Captive Portal user has an authentication failure or when a Captive Portal user successfully connects to the network. If you enable the traps, the switch also writes a message to the trap log when the event occurs. To enable the Captive Portal traps, see "Configuring SNMP Notifications (Traps and Informs)" on page 325.
Figure 17-2. Customized Captive Portal Welcome Screen
How Does Captive Portal Work?
When a port is enabled for Captive Portal, all the traffic coming onto the port from unverified clients is dropped except for the ARP, DHCP, DNS and NETBIOS packets. These packets are allowed to be forwarded by the switch so that the unverified clients can get an IP address and are able to resolve the hostname or domain names. Data traffic from verified clients goes through as expected.
What Captive Portal Pages Can Be Customized? You can customize the following three Captive Portal pages: • Authentication Page —This page displays when a client attempts to connect to the network. You can customize the images, text, and colors that display on this page. • Logout Page — If the user logout mode is enabled, this page displays in a pop-up window after the user successfully authenticates. This window contains the logout button.
Default Captive Portal Behavior and Settings Captive Portal is disabled by default. If you enable Captive Portal, no interfaces are associated with the default Captive Portal. After you associate an interface with the Captive Portal and globally enable the Captive Portal feature, a user who connects to the switch through that interface is presented with the Captive Portal Welcome screen shown in Figure 17-3. Figure 17-3.
Table 17-1. Default Captive Portal Values
Feature                       Value
Authentication Timeout        300 seconds
Configured Captive Portals    1
Captive Portal Name           Default
Protocol Mode                 HTTP
Verification Mode             Guest
URL Redirect Mode             Off
User Group                    1-Default
Session Timeout               86400 seconds
Local Users                   None configured
Interface associations        None
Interface status              Not blocked
If the Captive Portal is blocked, users cannot gain access to the network through the Captive Portal.
Configuring the Captive Portal (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Captive Portal settings on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.
Captive Portal Configuration Use the Captive Portal Configuration page to view summary information about captive portals on the system, add a captive portal, and configure existing captive portals. The switch supports 10 Captive Portal configurations. Captive Portal configuration 1 is created by default and cannot be deleted. Each captive portal configuration can have unique guest or group access modes and a customized acceptance use policy that displays when the client connects.
From the Captive Portal Configuration page, click Add to create a new Captive Portal instance. Figure 17-6. Add Captive Portal Configuration From the Captive Portal Configuration page, click Summary to view summary information about the Captive Portal instances configured on the switch. Figure 17-7.
Customizing a Captive Portal
The procedures in this section customize the pages that the user sees when he or she attempts to connect to (and log off of) a network through the captive portal. These procedures configure the English version of the Default captive portal. To configure the switch:
1 From the Captive Portal Configuration page, click the (English) tab. The settings for the Authentication Page display, and the links to the Captive Portal customization appear.
4 Browse to the directory where the image to be downloaded is located and select the image. 5 Click Apply to download the selected file to the switch. 6 To customize the Authentication Page, which is the page that a user sees upon attempting to connect to the network, click the Authentication Page link. Figure 17-9.
7 Select the branding image to use and customize other page components such as the font for all text the page displays, the page title, and the acceptance use policy. 8 Click Apply to save the settings to the running configuration or click Preview to view what the user will see. To return to the default views, click Clear. 9 Click the Logout Page link to configure the page that contains the logout window.
Figure 17-11. Captive Portal Logout Success Page 13 Customize the look and feel of the Logout Page, such as the background image and successful logout message. 14 Click Apply to save the settings to the running configuration or click Preview to view what the user will see. To return to the default views, click Clear. Local User You can configure a portal to accommodate guest users and authorized users. Guest users do not have assigned user names and passwords.
Figure 17-12 shows the Local User page after a user has been added. If no users have been added to the switch, many of the fields do not display on the screen. NOTE: Multiple user groups can be selected by holding the CTRL key down while clicking the desired groups. Figure 17-12. Local User Configuration From the Local User page, click Add to add a new user to the local database.
Figure 17-13. Add Local User From the Local User page, click Show All to view summary information about the local users configured in the local database. Figure 17-14. Captive Portal Local User Summary To delete a configured user from the database, select the Remove check box associated with the user and click Apply.
Configuring Users in a Remote RADIUS Server
You can use a remote RADIUS server for client authorization. You must add all users to the RADIUS server. The local database does not share any information with the remote RADIUS database. Table 17-2 indicates the RADIUS attributes you use to configure authorized captive portal clients. The table indicates both RADIUS attributes and vendor-specific attributes (VSA). VSAs are denoted in the Attribute column and are comma delimited (vendor ID, attribute ID).
User Group You can assign Local Users to User Groups that you create. If the Verification Mode is Local or RADIUS, you assign a User Group to a Captive Portal Configuration. All users who belong to the group are permitted to access the network through this portal. The User Group list is the same for all Captive Portal configurations on the switch. To display the User Group page, click System → Captive Portal → User Group. Figure 17-15.
From the User Group page, click Add to configure a new user group. Figure 17-16. Add User Group From the User Group page, click Show All to view summary information about the user groups configured on the switch. Figure 17-17. Captive Portal User Group Summary To delete a configured group, select the Remove check box associated with the group and click Apply.
Interface Association From the Interface Association page, you can associate a configured captive portal with specific interfaces. The captive portal feature only runs on the interfaces that you specify. A captive portal can have multiple interfaces associated with it, but an interface can be associated to only one Captive Portal at a time. To display the Interface Association page, click System → Captive Portal → Interface Association. Figure 17-18.
Captive Portal Global Status The Captive Portal Global Status page contains a variety of information about the Captive Portal feature. From the Captive Portal Global Status page, you can access information about the Captive Portal activity and interfaces. To display the Global Status page, click System → Captive Portal → Status → Global Status. Figure 17-19.
Captive Portal Activation and Activity Status The Captive Portal Activation and Activity Status page provides information about each Captive Portal configured on the switch. The Captive Portal Activation and Activity Status page has a drop-down menu that contains all captive portals configured on the switch. When you select a captive portal, the activation and activity status for that portal displays.
Interface Activation Status The Interface Activation Status page shows information for every interface assigned to a captive portal instance. To display the Interface Activation Status page, click System → Captive Portal → Interface Status → Interface Activation Status. Figure 17-21.
Interface Capability Status The Interface Capability Status page contains information about interfaces that can have CPs associated with them. The page also contains status information for various capabilities. Specifically, this page indicates what services are provided through the Captive Portal to clients connected on this interface. The list of services is determined by the interface capabilities.
Client Summary Use the Client Summary page to view summary information about all authenticated clients that are connected through the captive portal. From this page, you can manually force the captive portal to disconnect one or more authenticated clients. The list of clients is sorted by client MAC address. To display the Client Summary page, click System → Captive Portal → Client Connection Status → Client Summary. Figure 17-23.
Client Detail The Client Detail page shows detailed information about each client connected to the network through a captive portal. To display the Client Detail page, click System → Captive Portal → Client Connection Status → Client Detail. Figure 17-24.
Captive Portal Interface Client Status Use the Interface Client Status page to view clients that are authenticated to a specific interface. To display the Interface Client Status page, click System → Captive Portal → Client Connection Status → Interface Client Status. Figure 17-25.
Captive Portal Client Status Use the Client Status page to view clients that are authenticated to a specific Captive Portal configuration. To display the Client Status page, click System → Captive Portal → Client Connection Status → Client Status. Figure 17-26.
Configuring Captive Portal (CLI) This section provides information about the commands you use to create and configure Captive Portal settings. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring Global Captive Portal Settings Beginning in Privileged EXEC mode, use the following commands to configure global Captive Portal settings. Command Purpose configure Enter global configuration mode.
Command Purpose CTRL + Z Exit to Privileged EXEC mode. show captive-portal [status] View the Captive Portal administrative and operational status. Use the status keyword to view additional global Captive Portal information and summary information about all configured Captive Portal instances. Creating and Configuring a Captive Portal Beginning in Privileged EXEC mode, use the following commands to create a Captive Portal instance and configure its settings.
Command Purpose user-logout (Optional) Enable user logout mode to allow an authenticated client to deauthenticate from the network. If this option is clear or the user does not specifically request logout, the client connection status remains authenticated until the CP deauthenticates the user, for example by reaching the idle timeout or session timeout values.
Command Purpose block (Optional) Block all traffic for a Captive Portal configuration. If the Captive Portal is blocked, users cannot gain access to the network through the Captive Portal. Use this function to temporarily protect the network during unexpected events, such as denial of service attacks. CTRL + Z Exit to Privileged EXEC mode. show captive-portal configuration cp-id [status | interface] View summary information about a Captive Portal instance.
Configuring Captive Portal Groups and Users Beginning in Privileged EXEC mode, use the following commands to create a Captive Portal group. You can use the default group, or you can create a new group. Command Purpose configure Enter global configuration mode. captive-portal Enter Captive Portal mode. user group group-id [name name] Configure a group. Each Captive Portal that requires authentication has a group associated with it.
Command Purpose
user group group-id moveusers new-group-id
    (Optional) Move all of the users in a group to a different group. This command removes the users from the group specified by group-id.
    • group-id — Group ID (Range: 1–10).
    • new-group-id — Group ID (Range: 1–10).
CTRL + Z
    Exit to Privileged EXEC mode.
show captive-portal user [user-id]
    View summary information about all users configured in the local database. Specify the user ID to view additional information about a user.
Captive Portal Configuration Example
The manager of a resort and conference center needs to provide wired Internet access to each guest room at the resort and in each conference room. Due to legal reasons, visitors and guests must agree to the resort’s acceptable use policy to gain network access. Additionally, network access from the conference rooms must be authenticated. The person who rents the conference room space receives a list of username and password combinations upon arrival.
Configuration Overview
The following steps provide an overview of the process you use to configure the Captive Portal feature. To configure the switch:
1. If you plan to use a RADIUS server for authentication, configure the RADIUS server settings on the switch.
2. If authentication is required, configure the user groups to associate with each Captive Portal.
3. Create (add) the Captive Portals.
4. Configure the Captive Portal settings for each Captive Portal, such as the verification mode.
5.
Detailed Configuration Procedures
Use the following steps to perform the Captive Portal configuration:
1. Configure the RADIUS server information on the switch. In this example, the RADIUS server IP address is 192.168.2.188, and the RADIUS server name is luxury-radius.
console#configure
console(config)#radius-server host 192.168.12.182
console(Config-auth-radius)#name luxury-radius
console(Config-auth-radius)#exit
2. Configure the Captive Portal groups.
5. Configure the Employee Captive Portal.
console(config-CP)#configuration 4
console(config-CP 4)#name Employee
console(config-CP 4)#verification radius
console(config-CP 4)#group 3
console(config-CP 4)#interface gi1/0/34
...
console(config-CP 4)#interface gi1/0/40
console(config-CP 4)#exit
6. Use the web interface to customize the Captive Portal pages that are presented to users when they attempt to connect to the network.
NOTE: Captive Portal page customization is supported only through the Web interface.
18 Configuring Port Characteristics This chapter describes how to configure physical switch port characteristics, including settings such as administrative status and maximum frame size. This chapter also describes the link dependency feature. The topics covered in this chapter include: • Port Overview • Default Port Values • Configuring Port Characteristics (Web) • Configuring Port Characteristics (CLI) • Port Configuration Examples Port Overview A port is a physical interface.
Table 18-1. Port Characteristics (Continued)
Feature Description
Auto negotiation
    Enables a port to advertise its transmission rate, duplex mode and flow control abilities to its partner.
Speed
    Specifies the transmission rate for frames.
Duplex mode
    Specifies whether the interface supports transmission between the switch and the connected client in one direction at a time (half) or both directions simultaneously (full).
You can create a maximum of 72 dependency groups for stacking switches or 16 groups for a standalone switch. The ports participating in the Link Dependency can be across all the Stack Units (Manager/Member unit).
Link Action
The link action specifies the action that the group members will take when the dependent port is down. The group members can transition to the same state as the dependent port, or they can transition to the opposite state.
What Interface Types are Supported? The physical ports on the switch include the out-of-band (OOB) interface, 10-Gigabit Ethernet (for some models), and Gigabit Ethernet switch ports. The OOB interface supports a limited set of features and is for switch management only. The Ethernet switch ports support many logical features that are often supported by logical interfaces.
• Stack member number— The unit number within the stack. The range is 1–12. The default unit number for a switch that has not been in a stack is 1. To view the member number assigned to each switch in a stack, use the show switch command. For non-stacking switches (PCM8024), the unit number is always 1. • Module (slot) number—The expansion module slot. Integrated internal and external ports have a slot number of 0. For switches that provide one or two expansion slots, the slot number is 1 or 2.
NOTE: You can switch to another interface or range of interfaces by entering the interface command while in Interface Configuration mode. It is not necessary to exit Interface Configuration mode to select a different interface.
Default Port Values Table 18-2 lists the default values for the port characteristics that this chapter describes. Table 18-2.
Configuring Port Characteristics (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring port characteristics on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. Port Configuration Use the Port Configuration page to define port parameters. To display the Port Configuration page, click Switching → Ports → Port Configuration in the navigation panel. Figure 18-1.
Configuring Multiple Ports To configure port settings on multiple ports: 1 Open the Port Configuration page. 2 Click Show All to display the Port Configuration Table page. 3 In the Ports list, select the check box in the Edit column for the port to configure. 4 Select the desired settings. 5 Click Apply. Figure 18-2. Configure Port Settings 6 Select the Copy Parameters From check box, and select the port with the settings to apply to other ports.
In the following example, Ports 3, 4, and 5 will be updated with the settings that are applied to Port 1. Figure 18-3. Copy Port Settings 8 Click Apply.
Link Dependency Configuration Use the Link Dependency Configuration page to create link dependency groups. You can create a maximum of 16 dependency groups. The page displays the groups whether they have been configured or not. To display the Link Dependency Configuration page, click Switching → Link Dependency → Configuration in the navigation panel. Figure 18-4. Link Dependency Configuration Creating a Link Dependency Group To create link dependencies: 1 Open the Link Dependency Configuration page.
5 To add a port to the Ports Depended On column, click the port in the Available Ports column, and then click the > button to the right of the Available Ports column. In the following example, Group 1 is configured so that Port 3 is dependent on Port 4. Figure 18-5. Link Dependency Group Configuration 6 Click Apply. The Link Dependency settings for the group are modified, and the device is updated.
Link Dependency Summary Use the Link Dependency Summary page to view all link dependencies on the system and to access the Link Dependency Configuration page. You can create a maximum of 16 dependency groups. The page displays the groups whether they have been configured or not. To display the Link Dependency Summary page, click Switching → Link Dependency → Link Dependency Summary in the navigation panel. Figure 18-6.
Configuring Port Characteristics (CLI) This section provides information about the commands you use to configure port characteristics. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring Port Settings Beginning in Privileged EXEC mode, use the following commands to configure various port settings. Command Purpose configure Enter Global Configuration mode.
Command Purpose
duplex {half | full | auto}
    Configure the full/half duplex operation of a given Ethernet interface, or enable duplex auto negotiation. Fiber ports must always be configured full-duplex. Auto negotiation is never used on fiber ports.
mtu size
    Enable jumbo frames on an interface by adjusting the maximum size of a packet.
CTRL + Z
    Exit to Privileged EXEC mode.
show interfaces status
    Show summary information about all interfaces.
Command Purpose depends-on interface Specify the port(s) upon which the member ports are dependent. For information about the interface variable, see the previous command description. action {down|up} Specifies the action the member ports take when the dependent link goes down. • down—When the dependent link is down, the group members are down (the members are up otherwise).
Port Configuration Examples
This section contains the following examples:
• Configuring Port Settings
• Configuring Link Dependency Groups
Configuring Port Settings
The commands in this example specify the speed and duplex mode for port 1 (gigabitethernet 1/0/1) and change the MTU size for ports 10, 11, 12, 20, and 25. To configure the switch:
1 Enter Interface Configuration mode for port 1.
Configuring Link Dependency Groups
The commands in this example create two link dependency groups. Group 1 has port 3 as a member port that is dependent on port 4. The group uses the default link action, which is down. This means that if port 4 goes down, port 3 goes down. When port 4 returns to the up state, port 3 is brought back up. In Group 2, port 6 is dependent on port-channel (LAG) 1, and the link action is up. If port-channel 1 goes down, port 6 is brought up.
19 Configuring Port and System Security
This chapter describes how to configure port-based security features, which control access to the network through the switch ports, and the denial of service (DoS) feature. Port-based security includes IEEE 802.1X authentication and port MAC locking.
• IEEE 802.1X provides an authentication mechanism to devices connected to the switch. Network access is permitted only to authorized devices (clients).
IEEE 802.1X What is IEEE 802.1X? The IEEE 802.1X standard provides a means of preventing unauthorized access by supplicants (clients) to the services the switch offers, such as access to the LAN. The 802.1X network has three components: • Supplicant — The client connected to the authenticated port that requests access to the network. • Authenticator — The network device that prevents network access prior to authentication.
As shown in Figure 19-1, the PowerConnect M6220/M6348/M8024/M8024-k switch is the authenticator and requires the supplicant (a PC) that is attached to an 802.1X-controlled port to be authenticated by an authentication server (a RADIUS server). The result of the authentication process determines whether the supplicant is authorized to access services on that controlled port.
What is MAC-Based 802.1X Authentication? MAC-based authentication allows multiple supplicants connected to the same port to each authenticate individually. For example, a 5-port hub might be connected to a single port on the switch. Each host connected to the hub must authenticate separately in order to gain access to the network. The hosts are distinguished by their MAC addresses. NOTE: By default, all ports are in VLAN Access mode.
NOTE: MAB initiates only after the dot1x guest VLAN period times out. If the client responds to any of the EAPOL identity requests, MAB does not initiate for that client. What is the Role of 802.1X in VLAN Assignment? PowerConnect M6220, M6348, M8024, and M8024-k switches allow a port to be placed into a particular VLAN based on the result of the authentication or type of 802.1X authentication a client uses when it accesses the switch.
The VLAN attributes defined in RFC3580 are as follows:
• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
VLANID is 12-bits and has a value between 1 and 4093.
Dynamic VLAN Creation
If RADIUS-assigned VLANs are enabled through the Authorization Network RADIUS configuration option, the RADIUS server is expected to include the VLAN ID in the 802.1X tunnel attributes of its response message to the switch.
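The following Python sketch is an added example, not part of the Dell guide or the switch firmware. It decodes the three tunnel attributes listed above from the attribute section of a RADIUS response and applies the 1 to 4093 range check. The attribute numbers (64, 65, 81), the tag octet layout, and the numeric value 6 for the 802 medium come from RFC 2868; treating Tunnel-Private-Group-ID as a decimal VLAN ID string is an assumption, and the sample bytes are constructed.

```python
# Added example: pull the RFC 3580 VLAN assignment out of RADIUS attributes.
# Attribute numbers and the tag layout follow RFC 2868; the sample bytes at
# the bottom are constructed for this example.

TUNNEL_TYPE = 64               # RADIUS attribute: Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65        # RADIUS attribute: Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # RADIUS attribute: Tunnel-Private-Group-ID

TUNNEL_TYPE_VLAN = 13          # Tunnel-Type=VLAN (13)
TUNNEL_MEDIUM_802 = 6          # Tunnel-Medium-Type=802
VLAN_MIN, VLAN_MAX = 1, 4093   # VLAN ID range stated in this guide


def iter_attributes(blob):
    """Yield (type, value) for each type-length-value attribute in blob."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        # The length octet counts the two header octets as well.
        if length < 2 or pos + length > len(blob):
            raise ValueError("attribute length out of bounds")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type: 1-octet tag + 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return int.from_bytes(value[1:], "big")


def tagged_string(value):
    """Tunnel-Private-Group-ID: a first octet <= 0x1F is a tag, not text."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii")


def assigned_vlan(blob):
    """Return the assigned VLAN ID, or None when no tunnel attributes exist.

    Raises ValueError when tunnel attributes are present but incomplete,
    malformed, or outside the supported VLAN range.
    """
    tunnel_type = medium = group = None
    for attr_type, value in iter_attributes(blob):
        if attr_type == TUNNEL_TYPE:
            tunnel_type = tagged_int(value)
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = tagged_int(value)
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            group = tagged_string(value)
    if tunnel_type is None and medium is None and group is None:
        return None
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802:
        raise ValueError("tunnel attributes do not describe an 802 VLAN")
    if group is None or not group.isdigit():
        raise ValueError("Tunnel-Private-Group-ID is not a numeric VLAN ID")
    vlan = int(group)
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        raise ValueError(f"VLAN {vlan} outside {VLAN_MIN}-{VLAN_MAX}")
    return vlan


def attr(attr_type, value):
    """Build one attribute (helper for the constructed samples)."""
    return bytes([attr_type, len(value) + 2]) + value


# Constructed sample: User-Name plus a VLAN 100 assignment.
SAMPLE_ACCEPT_ATTRS = (
    attr(1, b"dflint")
    + attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
    + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
    + attr(TUNNEL_PRIVATE_GROUP_ID, b"100")
)

if __name__ == "__main__":
    print("assigned VLAN:", assigned_vlan(SAMPLE_ACCEPT_ATTRS))
```

Running the same check against a RADIUS server's test responses before enabling RADIUS-assigned VLANs catches a missing Tunnel-Medium-Type or an out-of-range ID before clients land in an unexpected VLAN.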
Client devices that are 802.1X-supplicant-enabled authenticate with the switch when they are plugged into the 802.1X-enabled switch port. The switch verifies the credentials of the client by communicating with an authentication server. If the credentials are verified, the authentication server informs the switch to unblock the switch port and allows the client unrestricted access to the network; i.e., the client is a member of an internal VLAN. Guest VLAN mode can be configured on a per-port basis.
Table 19-1. IEEE 802.1X Monitor Mode Behavior (Continued) Case Sub-case Regular Dot1x Dot1x Monitor Mode Supplicant Timeout Port State: Deny Port State: Deny Port/Client Delete Guest Authenticated VLANID through on Guest VLAN Dot1Q Port State: Deny Port State: Permit VLAN: Default PVID of the port How Does the Authentication Server Assign DiffServ Filters? The PowerConnect M6220, M6348, M8024, and M8024-k switches allow the external 802.
Default 802.1X Values Table 19-2 lists the default values for the 802.1X features. Table 19-2. Default Port-Based Security Values Feature Description Global 802.1X status Disabled 802.1X authentication method none Per-port 802.
Configuring IEEE 802.1X (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IEEE 802.1X features and Port Security on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. Dot1x Authentication Use the Dot1x Authentication page to configure the 802.1X administrative mode on the switch and to configure general 802.1X parameters for a port.
Configuring 802.1X Settings on Multiple Ports To configure 802.1X authentication on multiple ports: 1 Open the Dot1x Authentication page. 2 Click Show All to display the Dot1x Authentication Table page. 3 In the Ports list, select the check box in the Edit column for the port to configure. 4 Select the desired settings to change for all ports that are selected for editing. Figure 19-3. Configure Dot1x Settings 5 Click Apply.
2 Click Show All. The Dot1x Authentication Table displays. 3 Check Edit to select the Units/Ports to re-authenticate. 4 To re-authenticate on a periodic basis, set Periodic Re-Authentication to Enable, and specify a Re-Authentication Period for all desired ports. 5 To re-authenticate immediately, check Reauthenticate Now for all ports to be re-authenticated. 6 Click Apply. The authentication process is restarted on the specified ports (either immediately or periodically).
Figure 19-4. Network Security Authenticated Users Port Access Control Configuration Use the Port Access Control Configuration page to globally enable or disable RADIUS-assigned VLANs and to enable Monitor Mode to help troubleshoot 802.1X configuration issues. NOTE: The VLAN Assignment Mode field is the same as the Admin Mode field on the System → Management Security → Authorization Network RADIUS page.
Figure 19-5. Port Access Control Configuration Port Access Control History Log Summary Use the Port Access Control History Log Summary page to view log messages about 802.1X client authentication attempts. The information on this page can help you troubleshoot 802.1X configuration issues.
Figure 19-6. Port Access Control History Log Summary Internal Authentication Server Users Configuration Use the Internal Authentication Server Users Configuration page to add users to the local IAS database and to view the database entries. To display the Internal Authentication Server Users Configuration page, click System → Management Security → Internal Authentication Server Users Configuration in the navigation panel.
Figure 19-7. Internal Authentication Server Users Configuration NOTE: If no users exist in the IAS database, the IAS Users Configuration Page does not display the fields shown in the image. Adding Users to the IAS Database To add IAS users: 1 Open the Internal Authentication Server Users Configuration page. 2 Click Add to display the Internal Authentication Server Users Add page. 3 Specify a username and password in the appropriate fields.
Figure 19-8. Adding an IAS User 4 Click Apply. To view the Internal Authentication Server Users Table page, click Show All. Removing an IAS User To delete an IAS user: 1 Open the Internal Authentication Server Users Configuration page. 2 From the User menu, select the user to remove. 3 Select the Remove check box. Figure 19-9. Removing an IAS User 4 Click Apply.
Configuring IEEE 802.1X (CLI) This section provides information about commands you use to configure 802.1X and Port Security settings. For additional information about the commands in this section, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring Basic 802.1X Authentication Settings Beginning in Privileged EXEC mode, use the following commands to enable and configure 802.1X authentication on the switch.
Command Purpose dot1x port-control {force-authorized | force-unauthorized | auto | mac-based} Specify the 802.1X mode for the port. NOTE: For standard 802.1X implementations in which one client is connected to one port, use the dot1x port-control auto command to enable 802.1X authentication on the port. • auto — Enables 802.1X authentication on the interface and causes the port to transition to the authorized or unauthorized state based on the 802.
NOTE: To enable 802.1X Monitor Mode to help troubleshoot authentication issues, use the dot1x system-auth-control monitor command in Global Configuration mode. To view 802.1X authentication events and information, use the show dot1x authentication-history { | all} [failed-auth-only] [detail] command in Privileged EXEC mode. To clear the history, use the clear dot1x authentication-history command. Configuring Additional 802.
Command Purpose dot1x timeout supptimeout seconds Set the time that the switch waits for a response before retransmitting an Extensible Authentication Protocol (EAP)-request frame to the client. dot1x max-req count Set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP)-request frame (assuming that no response is received) to the client before restarting the authentication process.
Command Purpose dot1x dynamic-vlan enable If the RADIUS assigned VLAN does not exist on the switch, allow the switch to dynamically create the assigned VLAN. interface interface Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
Configuring Internal Authentication Server Users Beginning in Privileged EXEC mode, use the following commands to add users to the IAS database and to use the database for 802.1X authentication. Command Purpose configure Enter Global Configuration mode. aaa ias-user username Add a user to the IAS user database. This command also changes the mode to the AAA User Config mode. password password [encrypted] Configure the password associated with the user. CTRL + Z Exit to Privileged EXEC mode.
The switch uses an authentication server with an IP address of 10.10.10.10 to authenticate clients. Port 7 is connected to a printer in the unsecured area. The printer is an 802.1X unaware client, so Port 7 is configured to use MAC-based authentication with MAB. NOTE: The printer requires an entry in the client database that uses the printer MAC address as the username. An IP phone is directly connected to Port 8, and a PC is connected to the IP phone.
Figure 19-10. 802.1X Example Physically Unsecured Devices Physically Secured Devices Clients (Ports 1 and 3) Authentication Server (RADIUS) PowerConnect Switch Clients (Port 8) Printer (Port 7) LAN Uplink (Port 24) LAN Server (Port 9) The following example shows how to configure the example shown in Figure 19-10. 1 Configure the RADIUS server IP address and shared secret (secret). console#configure console(config)#radius-server host 10.10.10.
console(config-if)#dot1x port-control force-authorized
console(config-if)#exit
4 Configure Port 7 to require MAC-based authentication with MAB.
console(config)#interface gi1/0/7
console(config-if-Gi1/0/7)#dot1x port-control mac-based
console(config-if-Gi1/0/7)#dot1x mac-auth-bypass
5 Set the port to an 802.1Q VLAN. The port must be in general mode in order to enable MAC-based 802.1X authentication.
Filter Id......................................
VLAN Assigned.................................. 1 (Default)

Interface...................................... Gi1/0/3
User Name...................................... dflint
Supp MAC Address............................... 0004.5A55.EFAD
Session Time................................... 826
Filter Id......................................
VLAN Assigned..................................

Interface......................................
User Name.......................
10 View 802.1X information about Port 8.
console#show dot1x interface gi1/0/8
Administrative Mode............... Enabled
Dynamic VLAN Creation Mode........ Enabled
Monitor Mode...................... Disabled

Port      Admin Mode   Oper Mode    Reauth Control   Reauth Period
-------   ----------   ----------   --------------   -------------
Gi1/0/8   mac-based    Authorized   FALSE            3600

Quiet Period................................... Transmit Period................................ Maximum Requests...............................
NOTE: Dynamic VLAN creation applies only to authorized ports. The VLANs for unauthorized and guest users must be configured on the switch and cannot be dynamically created based on RADIUS-based VLAN assignment. The commands in this example show how to configure the switch to control VLAN assignment for the example network.
To configure the switch:
1 Create the VLANs and configure the VLAN names.
console(config)#vlan 100
console(config-vlan100)#name Authorized
console(config-vlan100)#exit
console(config)#vlan 200
console(config-vlan200)#name Unauthorized
console(config-vlan200)#exit
console(config)#vlan 300
console(config-vlan300)#name Guest
console(config-vlan300)#exit
2 Configure information about the external RADIUS server the switch uses to authenticate clients. The RADIUS server IP address is 10.10.10.
8 Enable periodic reauthentication of the client on the ports and set the number of seconds to wait between reauthentication attempts to 300 seconds. Reauthentication is enabled to increase security. If the client information is removed from the RADIUS server after it has been authenticated, the client will be denied access when it attempts to reauthenticate.
Allowing Dynamic VLAN Creation of RADIUS-Assigned VLANs The network in this example uses a RADIUS server to provide VLAN assignments to hosts that connect to the switch. In this example, the VLANs are not configured on the switch. Instead, the switch is configured to allow the dynamic creation of VLANs when a RADIUS-assigned VLAN does not already exist on the switch. In this example, Ports 1–23 are configured as downlink, or access, ports, and Port 24 is the trunk port.
5 Allow the switch to dynamically create VLANs when a RADIUS-assigned VLAN does not exist on the switch.
console(config)#dot1x dynamic-vlan enable
6 Enter interface configuration mode for the downlink ports.
console(config)#interface range gi1/0/1-23
7 Set the downlink ports to the access mode because each downlink port connects to a single host that belongs to a single VLAN.
• The RADIUS or 802.1X server must specify the policy to assign. For example, if the DiffServ policy to assign is named internet_access, include the following attribute in the RADIUS or 802.1X server configuration: Filter-id = “internet_access” • The DiffServ policy specified in the attribute must already be configured on the switch, and the policy names must be identical. For information about configuring a DiffServ policy, see "DiffServ Configuration Examples" on page 1147.
To configure the switch:
1 Configure the DiffServ traffic class that matches SSH traffic.
console#configure
console(config)#class-map match-all cl-ssh
console(config-classmap)#match srcl4port 22
console(config-classmap)#exit
2 Configure the DiffServ traffic class that matches HTTP traffic.
console(config)#class-map match-all cl-http
console(config-classmap)#match srcl4port 80
console(config-classmap)#exit
3 Configure the DiffServ policy.
console(config)#aaa authentication dot1x default radius
8 Enter Interface Configuration mode for ports 1–23 and enable MAC-based authentication.
console(config)#interface range gi1/0/1-23
console(config-if)#dot1x port-control mac-based
9 Set the ports to an 802.1Q VLAN. The ports must be in general mode in order to enable MAC-based 802.1X authentication.
Port Security (Port-MAC Locking) The Port Security feature allows you to limit the number of source MAC addresses that can be learned on a port. If a port reaches the configured limit, any other addresses beyond that limit are not learned and the frames are discarded. Frames with a source MAC address that has already been learned will be forwarded.
Configuring Port Security Configuration (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IEEE 802.1X features and Port Security on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. Port Security Use the Port Security page to enable MAC locking on a per-port basis.
3 In the Ports list, select the check box in the Edit column for the port to configure. 4 Select the desired settings for all ports that are selected for editing. Figure 19-12. Configure Port Security Settings 5 Click Apply.
Configuring Port Security (CLI) Beginning in Privileged EXEC mode, use the following commands to enable port security on an interface to limit the number of source MAC addresses that can be learned. Command Purpose configure Enter Global Configuration mode. interface interface Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
Denial of Service Denial of Service (DoS) refers to the exploitation of a variety of vulnerabilities which would interrupt the service of a host or make a network unstable. Use the Denial of Service page to configure settings to help prevent DoS attacks. DoS protection is disabled by default. To display the Denial of Service page, click System → Management Security → Denial of Service in the navigation panel. Figure 19-13.
20 Configuring Access Control Lists This chapter describes how to configure Access Control Lists (ACLs), including IPv4, IPv6, and MAC ACLs. This chapter also describes how to configure time ranges that can be applied to any of the ACL types.
Depending on whether an ingress or egress ACL is applied to a port, when the traffic enters (ingress) or leaves (egress) a port, the ACL compares the criteria configured in its rules, in order, to the fields in a packet or frame to check for matching conditions. The ACL forwards or blocks the traffic based on the rules. NOTE: Every ACL is terminated by an implicit deny all rule, which covers any packet not matching a preceding explicit rule.
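The in-order matching and the implicit deny all rule described above can be modeled in a few lines. The Python sketch below is an added example, not Dell code. It uses the subnet and host from this chapter's IP ACL example (list1 permits TCP and UDP from 192.168.77.0/24 to 192.168.77.50) and also flags rules that can never match because an earlier rule already covers them. The Rule class, the function names and the MISORDERED list are hypothetical and constructed for the illustration.

```python
# Added example: first-match ACL evaluation with the implicit deny all rule.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp", "icmp", or "ip" for any
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, protocol, src_ip, dst_ip):
        """True when the packet fields satisfy every criterion of the rule."""
        return (self.protocol in ("ip", protocol)
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)

    def covers(self, other):
        """True when every packet matching `other` also matches this rule."""
        return (self.protocol in ("ip", other.protocol)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))


def rule(action, protocol, src, dst):
    """Build a Rule from prefix strings such as '192.168.77.0/24'."""
    return Rule(action, protocol,
                ipaddress.ip_network(src), ipaddress.ip_network(dst))


def evaluate(acl, protocol, src_ip, dst_ip):
    """Return (action, rule_number); rule_number None means implicit deny."""
    for number, candidate in enumerate(acl, start=1):
        if candidate.matches(protocol, src_ip, dst_ip):
            return candidate.action, number      # first match wins
    return "deny", None                          # implicit deny all


def shadowed_rules(acl):
    """Return the numbers of rules hidden behind an earlier, broader rule."""
    hidden = []
    for index, later in enumerate(acl):
        if any(earlier.covers(later) for earlier in acl[:index]):
            hidden.append(index + 1)
    return hidden


# list1 as described in this chapter's IP ACL example.
LIST1 = [
    rule("permit", "tcp", "192.168.77.0/24", "192.168.77.50/32"),
    rule("permit", "udp", "192.168.77.0/24", "192.168.77.50/32"),
]

# Constructed counter-example: the broad deny makes rule 2 unreachable.
MISORDERED = [
    rule("deny", "ip", "192.168.77.0/24", "0.0.0.0/0"),
    rule("permit", "tcp", "192.168.77.0/24", "192.168.77.50/32"),
]

if __name__ == "__main__":
    for packet in [("tcp", "192.168.77.3", "192.168.77.50"),
                   ("udp", "192.168.77.3", "192.168.88.50"),
                   ("icmp", "192.168.77.3", "192.168.77.50")]:
        print(packet, "->", evaluate(LIST1, *packet))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

The ICMP case is the one that tends to surprise: a ping to the permitted host is dropped, because list1 permits only TCP and UDP and everything else falls through to the implicit deny.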
What Are IP ACLs? IP ACLs classify for Layers 3 and 4 on IPv4 or IPv6 traffic. Each ACL is a set of up to ten rules applied to inbound traffic.
Using ACLs to mirror traffic is considered to be flow-based mirroring since the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated on another interface. What Is ACL Logging? ACL Logging provides a means for counting the number of “hits” against an ACL rule.
A named time range can contain up to 10 configured time ranges. Only one absolute time range can be configured per time range. During the ACL configuration, you can associate a configured time range with the ACL to provide additional control over permitting or denying a user access to network resources. Benefits of using time-based ACLs include: • Providing more control over permitting or denying a user access to resources, such as an application (identified by an IP address/mask pair and a port number).
NOTE: The actual number of ACLs and rules supported depends on the resources consumed by other processes and configured features running on the switch. How Are ACLs Configured? To configure ACLs, follow these steps: 1 Create a MAC ACL by specifying a name. 2 Create an IP ACL by specifying a number. 3 Add new rules to the ACL. 4 Configure the match criteria for the rules. 5 Apply the ACL to one or more interfaces.
Table 20-1. Common EtherType Numbers (Continued)
EtherType   Protocol
0x86DD      Internet Protocol version 6 (IPv6)
0x8808      MAC Control
0x8809      Slow Protocols (IEEE 802.3)
0x8870      Jumbo frames
0x888E      EAP over LAN (EAPOL – 802.1x)
0x88CC      Link Layer Discovery Protocol
0x8906      Fibre Channel over Ethernet
0x8914      FCoE Initialization Protocol
0x9100      Q in Q
Table 20-2 lists commonly-used IP protocol numbers:
Table 20-2.
Configuring ACLs (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring ACLs on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. IP ACL Configuration Use the IP ACL Configuration page to add or remove IP-based ACLs.
Figure 20-2. Add IP ACL 4 Click Apply. Removing IPv4 ACLs To delete an IPv4 ACL: 1 From the IP ACL Name menu on the IP ACL Configuration page, select the ACL to remove. 2 Select the Remove checkbox. 3 Click Apply. Viewing IPv4 ACLs To view configured ACLs, click Show All from the IP ACL Configuration page.
Figure 20-3. View IPv4 ACLs IP ACL Rule Configuration Use the IP ACL Rule Configuration page to define rules for IP-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. Additionally, you can specify to assign traffic to a particular queue, filter on some traffic, change VLAN tag, shut down a port, and/or redirect the traffic to a particular port. NOTE: There is an implicit deny all rule at the end of an ACL list.
Figure 20-4. IP ACL - Rule Configuration Removing an IP ACL Rule To delete an IP ACL rule: 1 From the Rule ID menu, select the ID of the rule to delete. 2 Select the Remove option near the bottom of the page. 3 Click Apply to remove the selected rule.
MAC ACL Configuration Use the MAC ACL Configuration page to define a MAC-based ACL. To display the MAC ACL Configuration page, click Switching → Network Security → Access Control Lists → MAC Access Control Lists → Configuration in the navigation panel. Figure 20-5. MAC ACL Configuration Adding a MAC ACL To add a MAC ACL: 1 Open the MAC ACL Configuration page. 2 Click Add to display the Add MAC ACL page. 3 Specify an ACL name.
Figure 20-6. Add MAC ACL 4 Click Apply. Renaming or Removing MAC ACLs To rename or delete a MAC ACL: 1 From the MAC ACL Name menu on the MAC ACL Configuration page, select the ACL to rename or remove. 2 To rename the ACL, select the Rename checkbox and enter a new name in the associated field. 3 To remove the ACL, select the Remove checkbox. 4 Click Apply. Viewing MAC ACLs To view configured ACLs, click Show All from the MAC ACL Configuration page.
MAC ACL Rule Configuration Use the MAC ACL Rule Configuration page to define rules for MAC-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. A default deny all rule is the last rule of every list. To display the MAC ACL Rule Configuration page, click Switching → Network Security → Access Control Lists → MAC Access Control Lists → Rule Configuration in the navigation panel. Figure 20-7.
IPv6 ACL Configuration Use the IPv6 ACL Configuration page to add or remove IP-based ACLs. To display the IP ACL Configuration page, click Switching → Network Security → Access Control Lists → IPv6 Access Control Lists → IPv6 ACL Configuration in the navigation panel. Figure 20-8. IPv6 ACL Configuration Adding an IPv6 ACL To add an IPv6 ACL: 1 Open the IPv6 ACL Configuration page. 2 Click Add to display the Add IPv6 ACL page. 3 Specify an ACL name.
Figure 20-9. Add IPv6 ACL 4 Click Apply. Removing IPv6 ACLs To delete an IPv6 ACL: 1 From the IPv6 ACL Name menu on the IPv6 ACL Configuration page, select the ACL to remove. 2 Select the Remove checkbox. 3 Click Apply. Viewing IPv6 ACLs To view configured ACLs, click Show All from the IPv6 ACL Configuration page. The IPv6 ACL Table page displays. IPv6 ACL Rule Configuration Use the IPv6 ACL Rule Configuration page to define rules for IPv6-based ACLs.
To display the IPv6 ACL Rule Configuration page, click Switching → Network Security → Access Control Lists → IPv6 Access Control Lists → Rule Configuration in the navigation menu. Figure 20-10. IPv6 ACL - Rule Configuration Removing an IPv6 ACL Rule To delete an IPv6 ACL rule: 1 From the Rule ID menu, select the ID of the rule to delete. 2 Select the Remove option near the bottom of the page. 3 Click Apply to remove the selected rule.
ACL Binding Configuration When an ACL is bound to an interface, all the rules that have been defined are applied to the selected interface. Use the ACL Binding Configuration page to assign ACL lists to ACL Priorities and Interfaces. From the web interface, you can configure the ACL rule in the ingress or egress direction so that the ACLs implement security rules for packets entering or exiting the port. You can apply ACLs to any physical (including 10 Gb) interface, LAG, or routing port.
Time Range Entry Configuration Use the Time Range Entry Configuration page to define time ranges to associate with ACL rules. To display the Time Range Entry Configuration page, click System → Time Synchronization → Time Range Configuration in the navigation panel. The following image shows the page after at least one time range has been added. Otherwise, the page indicates that no time ranges are configured, and the time range configuration fields are not displayed. Figure 20-12.
Figure 20-13. Add a Time Range 3 Click Apply. 4 Click Configuration to return to the Time Range Entry Configuration page. 5 In the Time Range Name field, select the name of the time range to configure. 6 Specify an ID for the time range. You can configure up to 10 different time range entries to include in the named range. However, only one absolute time entry is allowed per time range. 7 Configure the values for the time range entry. 8 Click Apply.
Configuring ACLs (CLI) This section provides information about the commands you use to create and configure ACLs. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring an IPv4 ACL Beginning in Privileged EXEC mode, use the following commands to create an IPv4 ACL, configure rules for the ACL, and bind the ACL to an interface.
Command Purpose (continued) • portvalue — The source layer 4 port match condition for the ACL rule is specified by the port value parameter (Range: 0–65535). • portkey — Or you can specify the portkey, which can be one of the following keywords: domain, echo, ftp, ftpdata, http, smtp, snmp, telnet, tftp, and www. • log — Specifies that this rule is to be logged. • time-range-name — Specifies the named time range to associate with the ACL rule.
Command Purpose CTRL + Z Exit to Privileged EXEC mode. show ip access-lists [name] Display all IPv4 access lists and all of the rules that are defined for the IPv4 ACL. Use the optional name parameter to identify a specific IPv4 ACL to display. Configuring a MAC ACL Beginning in Privileged EXEC mode, use the following commands to create an MAC ACL, configure rules for the ACL, and bind the ACL to an interface. Command Purpose configure Enter global configuration mode.
Command Purpose (Continued) • vlan eq — VLAN number. (Range 0-4095) • cos — Class of service. (Range 0-7) • log — Specifies that this rule is to be logged. • time-range-name — Specifies the named time range to associate with the ACL rule. • assign-queue — Specifies particular hardware queue for handling traffic that matches the rule. • queue-id — 0-6, where n is number of user configurable queues available for that hardware platform.
Command Purpose show mac access-lists [name] Display all MAC access lists and all of the rules that are defined for the MAC ACL. Use the optional name parameter to identify a specific MAC ACL to display. Configuring an IPv6 ACL Beginning in Privileged EXEC mode, use the following commands to create an IPv6 ACL, configure rules for the ACL, and bind the ACL to an interface. Command Purpose configure Enter global configuration mode. ipv6 access-list name Create a named IPv6 ACL.
Command Purpose (Continued) • destination ipv6 prefix — IPv6 prefix in IPv6 global address format. • flow label value — The value to match in the Flow Label field of the IPv6 header (Range 0–1048575). • dscp dscp — Specifies the TOS for an IPv6 ACL rule depending on a match of DSCP values using the parameter dscp. • log — Specifies that this rule is to be logged. • time-range-name — Specifies the named time range to associate with the ACL rule.
Command Purpose CTRL + Z Exit to Privileged EXEC mode. show ipv6 access-lists [name] Display all IPv6 access lists and all of the rules that are defined for the IPv6 ACL. Use the optional name parameter to identify a specific IPv6 ACL to display. Configuring a Time Range Beginning in Privileged EXEC mode, use the following commands to create a time range and configure time-based entries for the time range. Command Purpose configure Enter global configuration mode.
Command Purpose
periodic {days-of-the-week time} to {[days-of-the-week] time} Configure a recurring time entry for the named time range.
• days-of-the-week — The first occurrence indicates the starting day(s) the ACL goes into effect. The second occurrence is the ending day(s) when the ACL rule is no longer in effect.
ACL Configuration Examples This section contains the following examples: • Configuring an IP ACL • Configuring a MAC ACL • Configuring a Time-Based ACL • Configuring a Management Access List Configuring an IP ACL The commands in this example set up an IP ACL that permits hosts in the 192.168.77.0/24 subnet to send TCP and UDP traffic only to the host with an IP address of 192.168.77.50. The ACL is applied to port 2 on the PowerConnect switch.
Figure 20-14. IP ACL Example Network Diagram PowerConnect Switch (Layer 3) Port Gi 1/0/2 UDP or TCP packet to 192.168.88.50 rejected: Dest. IP not in range. 192.168.77.1 Layer 2 Switch 192.168.77.2 192.168.77.3 UDP or TCP packet to 192.168.77.50 permitted: Dest. IP in range. 192.168.77.4
To configure the switch:
1 Create an ACL named list1 and configure a rule for the ACL that permits packets carrying TCP traffic that matches the specified Source IP address (192.168.77.
3 Apply the rule to inbound (ingress) traffic on Gigabit Ethernet Port 2. Only traffic matching the criteria will be accepted on this port.
console(config)#interface gi1/0/2
console(config-if-Gi1/0/2)#ip access-group list1 in
console(config-if-Gi1/0/2)#exit
Configuring a MAC ACL
The following example creates a MAC ACL named mac1 that denies all IPX traffic on all ports. All other types of traffic are permitted.
mac1 2 ch1-48, Gi1/0/1-Gi1/0/48 Inbound
console#show mac access-lists mac1
MAC ACL Name: mac1
Inbound Interface(s): ch1-48,Gi1/0/1-Gi1/0/48
Rule Number: 1
Action.................................. deny
Ethertype................................ ipx
Rule Number: 2
Action.................................. permit
Match All...............................
Configuring a Time-Based ACL The following example configures an ACL that denies HTTP traffic from 8:00 pm to 12:00 pm and 1:00 pm to 6:00 pm on weekdays and from 8:30 am to 12:30 pm on weekends. The ACL affects all hosts connected to ports that are members of VLAN 100. The ACL permits VLAN 100 members to browse the Internet only during lunch and after hours. To configure the switch: 1 Create a time range called work-hours.
7 Verify the configuration. console#show ip access-lists web-limit IP ACL Name: web-limit Inbound VLAN(s): 100 Rule Number: 1 Action............................ deny Match All......................... FALSE Protocol.......................... 6(tcp) Source IP Address................. any Destination IP Address............ any Destination L4 Port Keyword........ 80(www/http)ip Time Range Name....................work-hours Rule Status.......................
Command Purpose
management access-list name Define an access list for management, and enter the access-list for configuration.
permit ip-source ipaddress [mask mask | prefix-length] [interface-type interface-number] [service service] [priority priority-value] Allow access to the management interface from hosts that meet the specified IP address value and other optional criteria.
• interface-type interface-number — A valid port, LAG, or VLAN interface, for example gi1/0/13, port-channel 3, or vlan 200.
Management Access List Example The commands in this example create a management ACL that permits access to the switch through the in-band switch ports on VLAN 1 and on port 9 from hosts with an IP address in the 10.27.65.0 subnet. Attempts to access the management interfaces from any other hosts and on any other interfaces are denied. To configure the switch: 1 Create a management ACL and enter the configuration mode for the ACL.
console#show management access-class Management access-class is enabled, using access list mgmt_ACL.
Configuring VLANs 21 This chapter describes how to configure VLANs, including port-based VLANs, protocol-based VLANs, double-tagged VLANs, subnet-based VLANs, and Voice VLANs. The topics covered in this chapter include: • VLAN Overview • Default VLAN Behavior • Configuring VLANs (Web) • Configuring VLANs (CLI) • VLAN Configuration Examples VLAN Overview By default, all switchports on a PowerConnect M6220/M6348/M8024/M8024-k switch are in the same broadcast domain.
segregate traffic by type so that the time-sensitive traffic, like voice traffic, has priority over other traffic, such as data. Administrators also use VLANs to protect network resources. Traffic sent by authenticated clients might be assigned to one VLAN, while traffic sent from unauthenticated clients might be assigned to a different VLAN that allows limited network access. When one host in a VLAN sends a broadcast, the switch forwards traffic only to other members of that VLAN.
Figure 21-1. Simple VLAN Topology Router Engineering VLAN 100 Switch Payroll VLAN 300 Tech Pubs VLAN 200 In this example, each port is manually configured so that the end station attached to the port is a member of the VLAN configured for the port. The VLAN membership for this network is port-based or static.
Table 21-1 provides an overview of the types of VLANs you can use to logically divide the network. Table 21-1. VLAN Assignment VLAN Assignment Description Port-based (Static) This is the most common way to assign hosts to VLANs. The port where the traffic enters the switch determines the VLAN membership. IP Subnet Hosts are assigned to a VLAN based on their IP address. All hosts in the same subnet are members of the same VLAN. MAC-Based The MAC address of the device determines the VLAN assignment.
• General — General ports can act like access or trunk ports or a hybrid of both. VLAN membership rules that apply to a port are based on the switchport mode configured for the port. Table 21-2 shows the behavior of the three switchport modes. Table 21-2.
Trunk ports can receive tagged and untagged traffic. Untagged traffic is tagged internally with the native VLAN. Native VLAN traffic received untagged is transmitted untagged on a trunk port. By default, trunk ports are members of all existing VLANs and will automatically participate in any newly created VLANs. The administrator can restrict the VLAN membership of a trunk port. VLAN membership for tagged frames received on a trunk port is configured separately from the membership of the native VLAN.
additional tag on the traffic, the switch can differentiate between customers in the MAN while preserving an individual customer’s VLAN identification when the traffic enters the customer’s 802.1Q domain. With the introduction of this second tag, customers are no longer required to divide the 4-byte VLAN ID space to send traffic on an Ethernet-based MAN.
Figure 21-2. Double VLAN Tagging Network Example Voice VLAN The Voice VLAN feature enables switch ports to carry voice traffic with defined priority. When multiple devices, such as a PC and an IP phone, are connected to the same port, you can configure the port to use one VLAN for voice traffic and another VLAN for data traffic. Voice over IP (VoIP) traffic is inherently time-sensitive: for a network to provide acceptable service, the transmission rate is vital.
Identifying Voice Traffic Some VoIP phones contain full support for IEEE 802.1X. When these phones are connected to a port that uses 802.1X port-based authentication, these phones authenticate and receive their VLAN information from LLDP-MED. However, if a VoIP phone has limited support for 802.1X authentication it might try to authenticate and fail. A phone with no 802.1X support would not attempt to authenticate at all.
default PVID of the port, and the voice traffic is received tagged with the predefined VLAN. As a result, both kinds of traffic are segregated in order to provide better service to the voice traffic. • When a dot1p priority is associated with the Voice VLAN port instead of a VLAN ID, then the priority information is passed onto the VoIP phone using the LLDP-MED or CDP mechanism.
• Isolated VLAN—A secondary VLAN. It carries traffic from isolated ports to promiscuous ports. Only one isolated VLAN can be configured per private VLAN. • Community VLAN—A secondary VLAN. It forwards traffic between ports which belong to the same community and to the promiscuous ports. There can be multiple community VLANs per private VLAN.
Figure 21-3 shows an example Private VLAN scenario, in which five hosts (H-A through H-E) are connected to a stack of switches (SW1, SW2). The switch stack is connected to router R1. Port references shown are with reference to the stack. Figure 21-3. Private VLAN Domain [figure labels: R1, TE1/1/1, SW1, SW2, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi2/0/10, Gi2/0/11, H-A, H-B, H-C, H-D, H-E] Promiscuous Ports An endpoint connected to a promiscuous port is allowed to communicate with any endpoint within the private VLAN.
Isolated Ports An endpoint connected to an isolated port is allowed to communicate with endpoints connected to promiscuous ports only. Endpoints connected to adjacent isolated ports cannot communicate with each other. Community Ports An endpoint connected to a community port is allowed to communicate with the endpoints within a community and can also communicate with any configured promiscuous port.
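The promiscuous, isolated and community rules above can be written as a small policy model and used to check observed traffic against the intended isolation. This is an added example, not code from the guide or from the switch firmware; the role assigned to each port, the second community VLAN 104 and the flow list are constructed for illustration, and only the port names follow Figure 21-3.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class Port:
    name: str
    role: str
    secondary_vlan: Optional[int] = None  # None for promiscuous ports


class PrivateVlanDomain:
    """One primary VLAN, its secondary VLANs, and the ports assigned to them."""

    def __init__(self, primary: int, secondaries: Dict[int, str]):
        if any(kind not in (ISOLATED, COMMUNITY) for kind in secondaries.values()):
            raise ValueError("a secondary VLAN must be isolated or community")
        # The guide allows only one isolated VLAN per private VLAN.
        if list(secondaries.values()).count(ISOLATED) > 1:
            raise ValueError("only one isolated VLAN is allowed per private VLAN")
        self.primary = primary
        self.secondaries = dict(secondaries)
        self.ports: Dict[str, Port] = {}

    def add_port(self, port: Port) -> None:
        if port.role == PROMISCUOUS:
            if port.secondary_vlan is not None:
                raise ValueError(f"{port.name}: promiscuous port with a secondary VLAN")
        elif self.secondaries.get(port.secondary_vlan) != port.role:
            raise ValueError(
                f"{port.name}: VLAN {port.secondary_vlan} is not a {port.role} VLAN"
            )
        self.ports[port.name] = port

    def may_forward(self, src: str, dst: str) -> bool:
        """Apply the promiscuous / isolated / community rules to one port pair."""
        a, b = self.ports[src], self.ports[dst]
        if a.name == b.name:
            return False
        if PROMISCUOUS in (a.role, b.role):
            return True  # promiscuous ports talk to every endpoint
        # Isolated ports reach promiscuous ports only; community ports also
        # reach members of their own community VLAN.
        return a.role == b.role == COMMUNITY and a.secondary_vlan == b.secondary_vlan

    def violations(self, flows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
        """Return observed (src, dst) port pairs that the policy should have blocked."""
        return [(s, d) for s, d in flows if not self.may_forward(s, d)]


def build_example_domain() -> PrivateVlanDomain:
    # Constructed role assignment; the port names follow Figure 21-3.
    domain = PrivateVlanDomain(100, {101: COMMUNITY, 102: ISOLATED, 104: COMMUNITY})
    for port in (
        Port("Te1/1/1", PROMISCUOUS),
        Port("Gi1/0/10", COMMUNITY, 101),
        Port("Gi1/0/11", COMMUNITY, 101),
        Port("Gi1/0/12", ISOLATED, 102),
        Port("Gi2/0/10", ISOLATED, 102),
        Port("Gi2/0/11", COMMUNITY, 104),
    ):
        domain.add_port(port)
    return domain


# Constructed flow observations, e.g. distilled from a capture on a test bench.
OBSERVED_FLOWS = [
    ("Gi1/0/10", "Gi1/0/11"),  # same community
    ("Gi1/0/12", "Te1/1/1"),   # isolated to promiscuous
    ("Gi1/0/12", "Gi2/0/10"),  # isolated to isolated
    ("Gi1/0/11", "Gi2/0/11"),  # community 101 to community 104
]

if __name__ == "__main__":
    for src, dst in build_example_domain().violations(OBSERVED_FLOWS):
        print(f"isolation violated: {src} -> {dst}")
```

Any pair reported by `violations` is traffic that a correctly configured private VLAN would not have forwarded, which points at a port placed in the wrong secondary VLAN or left outside the private VLAN.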
Table 21-3. Forwarding Rules for Traffic in Primary VLAN
From \ To        promiscuous  community 1  community 2  isolated  stack (trunk)
promiscuous      allow        allow        allow        allow     allow
community 1      N/A          N/A          N/A          N/A       N/A
community 2      N/A          N/A          N/A          N/A       N/A
isolated         N/A          N/A          N/A          N/A       N/A
stack (trunk)    allow        allow        allow        allow     allow
Table 21-4.
Limitations and Recommendations • Only a single isolated VLAN can be associated with a primary VLAN. Multiple community VLANs can be associated with a primary VLAN. • Trunk and general modes are not supported on private VLAN ports. • Do not configure access ports using the VLANs participating in any of the private VLANs. • Multiple primary VLANs may be configured. Each primary VLAN must be unique and each defines a separate private VLAN domain.
• It is recommended that the private VLAN IDs be removed from the trunk ports connected to devices that do not participate in the private VLAN traffic. Private VLAN Configuration Example See "Configuring a Private VLAN" on page 626. Additional VLAN Features The PowerConnect M6220, M6348, M8024, and M8024-k switches also support the following VLANs and VLAN-related features: • VLAN routing interfaces — See "Configuring Routing Interfaces" on page 867.
Default VLAN Behavior One VLAN is configured on the PowerConnect M6220, M6348, M8024, and M8024-k switches by default. The VLAN ID is 1, and all ports are included in the VLAN as access ports, which are untagged. This means when a device connects to any port on the switch, the port forwards the packets without inserting a VLAN tag. If a device sends a tagged frame to a port with a VLAN ID other than 1, the frame is dropped.
Table 21-7 shows the default values or maximum values for VLAN features. Table 21-7. Additional VLAN Default and Maximum Values Feature Value Default VLAN VLAN 1 VLAN Name No VLAN name is configured except for VLAN 1, whose name “default” cannot be changed. VLAN Range 2–4093 Switchport mode Access Double-VLAN tagging Disabled If double-VLAN tagging is enabled, the default EtherType value is 802.
Configuring VLANs (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLANs on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. VLAN Membership Use the VLAN Membership page to create VLANs and define VLAN groups stored in the VLAN membership table. To display the VLAN Membership page, click Switching → VLAN → VLAN Membership in the navigation panel.
Table 21-8. VLAN Port Membership Definitions Port Control Definition Blank Blank: the interface is not a VLAN member. Packets in this VLAN are not forwarded on this interface. To perform additional port configuration, such as making the port a trunk port, use the Port Settings page. Figure 21-4.
1 Open the VLAN Membership page. 2 Click Add to display the Add VLAN page. 3 Specify a VLAN ID and a VLAN name. Figure 21-5. Add VLAN 4 Click Apply. Configuring Ports as VLAN Members To add member ports to a VLAN: 1 Open the VLAN Membership page. 2 From the Show VLAN menu, select the VLAN to which you want to assign ports. 3 In the Static row of the VLAN Membership table, click the blank field to assign the port as an untagged member. Figure 21-6 shows Gigabit Ethernet ports 5–8 being added to VLAN 300.
Figure 21-6. Add Ports to VLAN 4 Click Apply. 5 Verify that the ports have been added to the VLAN.
In Figure 21-7, the presence of the letter U in the Current row indicates that the port is an untagged member of the VLAN. Figure 21-7.
VLAN Port Settings Use the VLAN Port Settings page to add ports to an existing VLAN and to configure settings for the port. If you select Trunk or Access as the Port VLAN Mode, some of the fields are not configurable because of the requirements for that mode. NOTE: You can add ports to a VLAN through the table on the VLAN Membership page or through the PVID field on the Port Settings page. The PVID is the VLAN that untagged received packets are assigned to.
Figure 21-9. VLAN Settings for All Ports VLAN LAG Settings Use the VLAN LAG Settings page to map a LAG to a VLAN and to configure specific VLAN settings for the LAG. To display the LAG Settings page, click Switching → VLAN → LAG Settings in the navigation panel. Figure 21-10.
From the LAG Settings page, click Show All to see the current VLAN settings for all LAGs. You can change the settings for one or more LAGs by clicking the Edit option for a port and selecting or entering new values. Figure 21-11.
Bind MAC to VLAN Use the Bind MAC to VLAN page to map a MAC address to a VLAN. After the source MAC address and the VLAN ID are specified, the MAC to VLAN configurations are shared across all ports of the switch. The MAC to VLAN table supports up to 128 entries. To display the Bind MAC to VLAN page, click Switching → VLAN → Bind MAC to VLAN in the navigation panel. Figure 21-12. Bind MAC to VLAN From the Bind MAC to VLAN page, click Show All to see the MAC addresses that are mapped to VLANs.
Figure 21-13. MAC-VLAN Bind Table Bind IP Subnet to VLAN Use the Bind IP Subnet to VLAN page to assign an IP Subnet to a VLAN. The IP Subnet to VLAN configurations are shared across all ports of the switch. There can be up to 64 entries configured in this table. To display the Bind IP Subnet to VLAN page, click Switching → VLAN → Bind IP Subnet to VLAN in the navigation panel. Figure 21-14.
From the Bind IP Subnet to VLAN page, click Show All to see the IP subnets that are mapped to VLANs. From this page, you can change the settings for one or more entries or remove an entry. Figure 21-15.
GVRP Parameters Use the GVRP Parameters page to enable GVRP globally and configure the port settings. To display the GVRP Parameters page, click Switching → VLAN → GVRP Parameters in the navigation panel. Figure 21-16. GVRP Parameters From the GVRP Parameters page, click Show All to see the GVRP configuration for all ports. From this page, you can change the settings for one or more entries. NOTE: Per-port and per-LAG GVRP Statistics are available from the Statistics/RMON page.
Figure 21-17.
Protocol Group Use the Protocol Group page to configure which EtherTypes go to which VLANs, and then enable certain ports to use these settings. Protocol-based VLANs are most often used in situations where network segments contain hosts running multiple protocols. To display the Protocol Group page, click Switching → VLAN → Protocol Group in the navigation panel. Figure 21-18.
Adding a Protocol Group To add a protocol group: 1 Open the Protocol Group page. 2 Click Add to display the Add Protocol Group page. 3 Create a name for the group and associate a VLAN with the group. Figure 21-19. Add Protocol Group 4 Click Apply. 5 Click Protocol Group to return to the main Protocol Group page. 6 From the Group ID field, select the group to configure. 7 In the Protocol Settings table, select the protocol and interfaces to associate with the protocol-based VLAN.
Figure 21-20. Configure Protocol Group 8 Click Apply. 9 Click Show All to see the protocol-based VLANs and their members. Figure 21-21.
Double VLAN Global Configuration Use the Double VLAN Global Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Global Configuration page, click Switching → VLAN → Double VLAN → Global Configuration in the navigation panel. Figure 21-22.
Double VLAN Interface Configuration Use the Double VLAN Interface Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Interface Configuration page, click Switching → VLAN → Double VLAN → Interface Configuration in the navigation panel. Figure 21-23.
Figure 21-24.
Voice VLAN Use the Voice VLAN Configuration page to configure and view voice VLAN settings that apply to the entire system and to specific interfaces. To display the page, click Switching → VLAN → Voice VLAN → Configuration in the navigation panel. Figure 21-25. Voice VLAN Configuration NOTE: IEEE 802.1X must be enabled on the switch before you disable voice VLAN authentication.
Configuring VLANs (CLI) This section provides information about the commands you use to create and configure VLANs. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Creating a VLAN Beginning in Privileged EXEC mode, use the following commands to configure a VLAN and associate a name with the VLAN. Command Purpose configure Enter global configuration mode.
interface is automatically removed from its previous VLAN membership. You can configure each interface separately, or you can configure a range of interfaces with the same settings. Command Purpose configure Enter global configuration mode. interface interface Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
Command Purpose interface interface Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3. You can also specify a range of interfaces with the interface range command, for example, interface range gigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12. switchport mode trunk Configure the interface as a tagged layer 2 VLAN interface.
Command Purpose show interfaces switchport interface Display information about the VLAN settings configured for the specified interface. The interface variable includes the interface type and number.
Configuring a Port in General Mode Beginning in Privileged EXEC mode, use the following commands to configure an interface with full 802.1q support and configure the VLAN membership information for the interface. Except when noted as required (for example, when configuring MAB, Voice VLAN, or 802.1x), it is recommended that operators use either trunk or access mode. Command Purpose configure Enter global configuration mode.
Command Purpose switchport general pvid (Optional) Set the port VLAN ID. Untagged traffic that enters the switch through this port is tagged with the PVID. vlan-id vlan-id — PVID. The selected PVID assignment must be to an existing VLAN. (Range: 1–4093). Entering a PVID value does not remove the previous PVID value from the list of allowed VLANs. switchport general acceptable-frame-type tagged-only (Optional) Specifies that the port will only accept tagged frames.
Command Purpose CTRL + Z Exit to Privileged EXEC mode. show interfaces switchport port-channel Display information about the VLAN settings configured for the specified LAG.
Configuring Double VLAN Tagging Beginning in Privileged EXEC mode, use the following commands to configure an interface to send and accept frames with double VLAN tagging. Command Purpose configure Enter global configuration mode. interface interface Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
Configuring MAC-Based VLANs Beginning in Privileged EXEC mode, use the following commands to associate a MAC address with a configured VLAN. The VLAN does not need to be configured on the system to associate a MAC address with it. You can create up to 256 VLAN to MAC address associations. Command Purpose configure Enter global configuration mode. vlan database Enter VLAN database mode. vlan association mac Associate a MAC address with a VLAN.
Configuring IP-Based VLANs Beginning in Privileged EXEC mode, use the following commands to associate an IP subnet with a configured VLAN. The VLAN does not need to be configured on the system to associate an IP subnet with it. You can create up to 256 VLAN to MAC address associations. Command Purpose configure Enter global configuration mode. vlan database Enter VLAN database mode. vlan association subnet Associate an IP subnet with a VLAN.
Command Purpose configure Enter global configuration mode. vlan protocol group name Create a new protocol group. exit Exit to Privileged EXEC mode. show port protocol all Obtain the group ID for the newly configured group. configure Enter global configuration mode. vlan protocol group add protocol groupid Add any EtherType protocol to the protocol-based VLAN groups identified by groupid. A group may have more than one protocol associated with it.
Command Purpose protocol group groupid vlanid Attach a VLAN ID to the protocol-based group identified by groupid. A group may only be associated with one VLAN at a time. However, the VLAN association can be changed. • groupid — The protocol-based VLAN group ID, which is automatically generated when you create a protocol-based VLAN group with the vlan protocol group command. To see the group ID associated with the name of a protocol group, use the show port protocol all command.
Command Purpose switchport forbidden vlan {add vlan-list|remove vlan-list} (Optional) Forbids adding the specified VLANs to a port. To revert to allowing the addition of specific VLANs to the port, use the remove parameter of this command. add vlan-list — List of valid VLAN IDs to add to the forbidden list. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs. remove vlan-list — List of valid VLAN IDs to remove from the forbidden list.
Configuring Voice VLANs Beginning in Privileged EXEC mode, use the following commands to enable the Voice VLAN feature on the switch and on an interface. Command Purpose configure Enter global configuration mode. voice vlan Enable the voice vlan capability on the switch. interface interface Enter interface configuration mode for the specified interface. interface — Specific interface, such as gi1/0/8.
VLAN Configuration Examples This section contains the following examples: • Configuring VLANs Using Dell OpenManage Administrator • Configuring VLANs Using the CLI • Configuring a Voice VLAN NOTE: For an example that shows how to use a RADIUS server to provide VLAN information, see "Controlling Authentication-Based VLAN Assignment" on page 509.
Figure 21-26 shows the network topology for this example. As the figure shows, there are two switches, two file servers, and many hosts. One switch has an uplink port that connects it to a layer 3 device and the rest of the corporate network. Figure 21-26.
Table 21-10 shows the port assignments on the switches.
Table 21-10. Switch Port Connections
Port/LAG              Function
Switch 1
1                     Connects to Switch 2
2–15                  Host ports for Payroll
16–20                 Host ports for Marketing
LAG1 (ports 21–24)    Connects to Payroll server
Switch 2
1                     Connects to Switch 1
2–10                  Host ports for Marketing
11–30                 Host ports for Engineering
LAG1 (ports 35–39)    Connects to file server
LAG2 (ports 40–44)    Uplink to router.
Configuring VLANs Using Dell OpenManage Administrator This example shows how to perform the configuration by using the web-based interface. Configure the VLANs and Ports on Switch 1 Use the following steps to configure the VLANs and ports on Switch 1. None of the hosts that connect to Switch 1 use the Engineering VLAN (VLAN 100), so it is not necessary to create it on that switch. To configure Switch 1: 1 Create the Marketing, Sales, and Payroll VLANs.
2 Assign ports 16–20 to the Marketing VLAN. a From the Switching → VLAN → VLAN Membership page, select 200-Marketing from the Show VLAN field. b In the Static row, click the space for ports 16–20 so the U (untagged) displays for each port. Figure 21-28. VLAN Membership - VLAN 200 3 Click Apply. 4 Assign ports 2–15 and LAG1 to the Payroll VLAN. a From the Switching → VLAN → VLAN Membership page, select 400-Payroll from the Show VLAN field.
5. Configure LAG 1 to be in general mode and specify that the LAG will accept tagged or untagged frames, but that untagged frames will be transmitted tagged with PVID 400. a. From the Switching → VLAN → LAG Settings page, make sure Po1 is selected. b. Configure the following settings: • Port VLAN Mode — General • PVID — 400 • Frame Type — AdmitAll c. Click Apply. Figure 21-29. LAG Settings 6 Configure port 1 as a trunk port.
Figure 21-30. Trunk Port Configuration 7 From the Switching → VLAN → VLAN Membership page, verify that port 1 is marked as a tagged member (T) for each VLAN. Figure 21-31 shows VLAN 200, in which port 1 is a tagged member, and ports 16–20 are untagged members. Figure 21-31. Trunk Port Configuration 8 Configure the MAC-based VLAN information. a Go to the Switching → VLAN → Bind MAC to VLAN page. b In the MAC Address field, enter a valid MAC address, for example 00:1C:23:55:E9:8B.
Figure 21-32. Trunk Port Configuration e Repeat steps b–d to add additional MAC address-to-VLAN information for the Sales department. 9 To save the configuration so that it persists across a system reset, use the following steps: a Go to the System → File Management → Copy Files page. b Select Copy Configuration and ensure that Running Config is the source and Startup Config is the destination. c Click Apply.
2. Configure LAG 1 as a general port so that it can be a member of multiple VLANs. a. From the Switching → VLAN → LAG Settings page, make sure Po1 is selected. b. From the Port VLAN Mode field, select General. c. Click Apply. 3. Configure port 1 as a trunk port. 4. Configure LAG2 as a trunk port. 5. Assign ports 1–10 to VLAN 200 as untagged (U) members. 6. Assign ports 11–30 to VLAN 100 as untagged (U) members. 7. Assign LAG1 to VLAN 100 and 200 as a tagged (T) member. 8.
console(config-vlan300)#name Sales
console(config-vlan300)#exit
console(config)#vlan 400
console(config-vlan400)#name Payroll
console(config-vlan400)#exit
2. Assign ports 16–20 to the Marketing VLAN.
console(config)#interface range gigabitEthernet 1/0/16-20
console(config-if)#switchport mode access
console(config-if)#switchport access vlan 200
console(config-if)#exit
3.
6. Configure the MAC-based VLAN information. The following commands show how to associate a system with a MAC address of 00:1C:23:55:E9:8B with VLAN 300. Repeat the vlan association mac command to associate additional MAC addresses with VLAN 300.
console(config)#vlan database
console(config-vlan)#vlan association mac 00:1C:23:55:E9:8B 300
console(config-vlan)#exit
console(config)#exit
7.
Protected:Disabled
Port Gi1/0/1 is member in:
VLAN    Name                 Egress rule    Type
----    -----------------    -----------    --------
200     Marketing            Tagged         Static
300     Sales                Tagged         Static
400     Payroll              Tagged         Static
Configure the VLANs and Ports on Switch 2 Use the following steps to configure the VLANs and ports on Switch 2. Many of the procedures in this section are the same as procedures used to configure Switch 1. For more information about specific procedures, see the details and figures in the previous section.
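The Switch 1 port plan in Table 21-10 can be checked mechanically against the CLI that was actually entered, which catches ports left in the default VLAN 1 and MAC bindings that point at a VLAN nobody created. This is an added example, not a Dell tool: the configuration text is constructed from the commands shown in the Switch 1 CLI steps (with port 15 deliberately left out and one extra binding to VLAN 350 added), and the 24-port count and the second MAC address are assumptions.

```python
import re

PROMPT = re.compile(r"^\S*#\s*")  # strips prompts such as "console(config-if)#"
IFACE = re.compile(
    r"^interface (?:range )?gigabitethernet 1/0/(\d+)(?:-(\d+))?$", re.I
)


def parse_config(text, port_count=24):
    """Replay CLI lines into per-port mode/VLAN state (port_count is assumed)."""
    # Default behavior from the guide: every port is an access port in VLAN 1.
    ports = {n: {"mode": "access", "vlan": 1} for n in range(1, port_count + 1)}
    vlans = {1: "default"}
    mac_bindings = {}
    selected, current_vlan = [], None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        low = line.lower()
        match = IFACE.match(line)
        if match:
            first = int(match.group(1))
            last = int(match.group(2) or first)
            selected, current_vlan = list(range(first, last + 1)), None
        elif re.fullmatch(r"vlan \d+", low):
            current_vlan, selected = int(low.split()[1]), []
            vlans.setdefault(current_vlan, "")
        elif low.startswith("name ") and current_vlan is not None:
            vlans[current_vlan] = line.split(None, 1)[1]
        elif low.startswith("switchport mode "):
            for n in selected:
                ports[n]["mode"] = low.split()[2]
        elif low.startswith("switchport access vlan "):
            for n in selected:
                ports[n]["vlan"] = int(low.split()[3])
        elif low.startswith("vlan association mac "):
            _, _, _, mac, vid = line.split()
            mac_bindings[mac.upper()] = int(vid)
        elif low == "exit":
            selected, current_vlan = [], None
    return ports, vlans, mac_bindings


def audit(text, intended):
    """Compare parsed state with the intended plan and list every deviation."""
    ports, vlans, macs = parse_config(text)
    findings = []
    for n, (mode, vlan) in sorted(intended.items()):
        actual = ports[n]
        if actual["mode"] != mode:
            findings.append(f"Gi1/0/{n}: mode {actual['mode']}, expected {mode}")
        elif mode == "access" and actual["vlan"] != vlan:
            findings.append(f"Gi1/0/{n}: access VLAN {actual['vlan']}, expected {vlan}")
    for mac, vid in sorted(macs.items()):
        if vid not in vlans:
            findings.append(f"MAC {mac}: bound to VLAN {vid}, which is not created")
    return findings


# Intended state for Switch 1, ports 1-20, taken from Table 21-10.
INTENDED = {1: ("trunk", None)}
INTENDED.update({n: ("access", 400) for n in range(2, 16)})
INTENDED.update({n: ("access", 200) for n in range(16, 21)})

# Constructed session: port 15 was missed and one MAC points at VLAN 350.
SAMPLE_CONFIG = """\
console(config)#vlan 200
console(config-vlan200)#name Marketing
console(config-vlan200)#exit
console(config)#vlan 300
console(config-vlan300)#name Sales
console(config-vlan300)#exit
console(config)#vlan 400
console(config-vlan400)#name Payroll
console(config-vlan400)#exit
console(config)#interface range gigabitEthernet 1/0/16-20
console(config-if)#switchport mode access
console(config-if)#switchport access vlan 200
console(config-if)#exit
console(config)#interface range gigabitEthernet 1/0/2-14
console(config-if)#switchport mode access
console(config-if)#switchport access vlan 400
console(config-if)#exit
console(config)#interface gigabitEthernet 1/0/1
console(config-if)#switchport mode trunk
console(config-if)#exit
console(config)#vlan database
console(config-vlan)#vlan association mac 00:1C:23:55:E9:8B 300
console(config-vlan)#vlan association mac 00:00:5E:00:53:01 350
console(config-vlan)#exit
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, INTENDED):
        print(finding)
```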
Configuring a Voice VLAN The commands in this example create a VLAN for voice traffic with a VLAN ID of 25. Port 10 is set to an 802.1Q VLAN. In this example, there are multiple devices connected to port 10, so the port must be in general mode in order to enable MAC-based 802.1X authentication. Next, Voice VLAN is enabled on the port with the Voice VLAN ID set to 25. Finally, Voice VLAN authentication is disabled on port 10 because the phone connected to that port does not support 802.1X authentication.
6 Disable authentication for the voice VLAN on the port. This step is required only if the voice phone does not support port-based authentication.
console(config-if-Gi1/0/10)#voice vlan auth disable
7 Exit to Privileged Exec mode.
console(config-if-Gi1/0/10)#
8 View the voice VLAN settings for port 10.
console#show voice vlan interface gi1/0/10
Interface.............................
Voice VLAN Interface Mode.............
Voice VLAN ID.........................
Voice VLAN COS Override...............
switch(config-vlan-100)# private-vlan association 101-102
switch(config-vlan-100)# exit
This completes the configuration of the private VLAN. The only remaining step is to assign the ports to the private VLAN.
103 isolated
console#show vlan private-vlan
Primary VLAN   Secondary VLAN   Community
------------   --------------   ------------------
100            102              101
console(config)#show vlan
VLAN    Name          Ports                                        Type
-----   -----------   ------------------------------------------   -------------
1       default       Po1-128, Te1/1/1, Gi1/0/1-10, Gi1/0/13-24    Default
100     VLAN0100      Te1/1/1, Gi1/0/11-12                         Static
101     VLAN0101      Gi1/0/11                                     Static
102     VLAN0102      Gi1/0/12                                     Static
22 Configuring the Spanning Tree Protocol This chapter describes how to configure the Spanning Tree Protocol (STP) settings on the switch. The topics covered in this chapter include: • STP Overview • Default STP Values • Configuring Spanning Tree (Web) • Configuring Spanning Tree (CLI) • STP Configuration Examples STP Overview STP is a layer 2 protocol that provides a tree topology for switches on a bridged LAN. STP allows a network to have redundant paths without the risk of network loops.
recognize full-duplex connectivity and ports which are connected to end stations, resulting in rapid transitioning of the port to the Forwarding state and the suppression of Topology Change Notifications. MSTP is compatible with both RSTP and STP. It behaves appropriately to STP and RSTP bridges. An MSTP bridge can be configured to behave entirely as an RSTP bridge or an STP bridge.
How Does MSTP Operate in the Network? In the following diagram of a small 802.1d bridged network, STP is necessary to create an environment with full connectivity and without loops. Figure 22-1. Small Bridged Network Assume that Switch A is elected to be the Root Bridge, and that Port 1 on Switch B and Port 1 on Switch C are calculated to be the root ports for those bridges. Port 2 on Switch B and Switch C would then be placed into the Blocking state. This creates a loop-free topology.
Figure 22-2 shows the logical single STP network topology. Figure 22-2. Single STP Topology For VLAN 10 this single STP topology is fine and presents no limitations or inefficiencies. On the other hand, VLAN 20's traffic pattern is inefficient. All frames from Switch B will have to traverse a path through Switch A before arriving at Switch C. If Port 2 on Switch B and Switch C could be used, these inefficiencies could be eliminated.
The logical representation of the MSTP environment for these three switches is shown in Figure 22-3. Figure 22-3.
In order for MSTP to correctly establish the different MSTIs as above, some additional changes are required. For example, the configuration would have to be the same on each and every bridge. That means that Switch B would have to add VLAN 10 to its list of supported VLANs (shown in Figure 22-3 with a *). This is necessary with MSTP to allow the formation of Regions made up of all switches that exchange the same MST Configuration Identifier.
MSTP with Multiple Forwarding Paths Consider the physical topology shown in Figure 22-4. It might be assumed that MSTI 2 and MSTI 3 would follow the most direct path for VLANs 20 and 30. However, using the default path costs, this is not the case. MSTI operates without considering the VLAN membership of the ports. This results in unexpected behavior if the active topology of an MSTI depends on a port that is not a member of the VLAN assigned to the MSTI and the port is selected as root port.
What are the Optional STP Features? The PowerConnect M6220, M6348, M8024, and M8024-k switches support the following optional STP features: • BPDU flooding • PortFast • BPDU filtering • Root guard • Loop guard • BPDU protection BPDU Flooding The BPDU flooding feature determines the behavior of the switch when it receives a BPDU on a port that is disabled for spanning tree.
Root Guard Enabling root guard on a port ensures that the port does not become a root port or a blocked port. When a switch is elected as the root bridge, all ports are designated ports unless two or more ports of the root bridge are connected together. If the switch receives superior STP BPDUs on a root-guard enabled port, the root guard feature moves this port to a root-inconsistent STP state, which is effectively equal to a listening state. No traffic is forwarded across this port.
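The root guard behavior described above, reduced to the one decision it makes when a BPDU arrives, as an added example that is not the switch's implementation. It compares root bridge identifiers only (priority, then MAC address) and leaves out path cost and timers; the port names, priorities and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge identifier; the lower (priority, MAC) pair is the superior one."""
    priority: int
    mac: str  # lowercase and colon-separated, so string order matches numeric order


class RootGuardSwitch:
    def __init__(self, bridge_id: BridgeId, root_guard_ports: Iterable[str] = ()):
        self.bridge_id = bridge_id
        self.root_id = bridge_id  # this switch starts out as the elected root
        self.root_guard_ports = set(root_guard_ports)
        self.port_state: Dict[str, str] = {}
        self.alerts: List[str] = []

    def receive_bpdu(self, port: str, advertised_root: BridgeId) -> str:
        if not advertised_root < self.root_id:
            return "ignored"  # not superior, so the current root is kept
        if port in self.root_guard_ports:
            # Superior BPDU on a guarded port: hold the port, keep the root.
            self.port_state[port] = "root-inconsistent"
            self.alerts.append(
                f"{port}: superior BPDU from {advertised_root.mac} "
                f"(priority {advertised_root.priority}) refused by root guard"
            )
            return "root-inconsistent"
        # Unguarded port: the superior bridge becomes the root.
        self.root_id = advertised_root
        self.port_state[port] = "root"
        return "root-changed"

    def forwards(self, port: str) -> bool:
        """A root-inconsistent port forwards no traffic."""
        return self.port_state.get(port) != "root-inconsistent"


def replay(switch: RootGuardSwitch, bpdus: Iterable[Tuple[str, BridgeId]]) -> List[str]:
    """Feed (port, advertised root) pairs to the switch and collect the outcomes."""
    return [switch.receive_bpdu(port, root) for port, root in bpdus]


# Constructed identifiers: the local root bridge and two received BPDUs.
LOCAL_ROOT = BridgeId(4096, "00:00:5e:00:53:01")
SAMPLE_BPDUS = [
    ("Te1/1/1", BridgeId(32768, "00:00:5e:00:53:10")),  # inferior, from a peer
    ("Gi1/0/5", BridgeId(0, "00:00:5e:00:53:66")),      # superior, on an edge port
]

if __name__ == "__main__":
    guarded = RootGuardSwitch(LOCAL_ROOT, root_guard_ports=["Gi1/0/5"])
    print(replay(guarded, SAMPLE_BPDUS), guarded.alerts)
```

Running the same BPDUs through a switch with no guarded ports returns "root-changed" for Gi1/0/5, which is the topology takeover that root guard prevents.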
BPDU Protection When the switch is used as an access layer device, most ports function as edge ports that connect to a device such as a desktop computer or file server. The port has a single, direct connection and is configured as an edge port to implement the fast transition to a forwarding state. When the port receives a BPDU packet, the system sets it to non-edge port and recalculates the spanning tree, which causes network topology flapping. In normal cases, these ports do not receive any BPDU packets.
Default STP Values Spanning tree is globally enabled on the switch and on all ports and LAGs. Table 22-1 summarizes the default values for STP. Table 22-1.
Configuring Spanning Tree (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring STP settings on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. STP Global Settings The STP Global Settings page contains fields for enabling STP on the switch. To display the STP Global Settings page, click Switching → Spanning Tree → Global Settings in the navigation panel. Figure 22-5.
STP Port Settings Use the STP Port Settings page to assign STP properties to individual ports. To display the STP Port Settings page, click Switching → Spanning Tree → STP Port Settings in the navigation panel. Figure 22-6.
Configuring STP Settings for Multiple Ports To configure STP settings for multiple ports: 1 Open the STP Port Settings page. 2 Click Show All to display the STP Port Table. Figure 22-7. Configure STP Port Settings 3 For each port to configure, select the check box in the Edit column in the row associated with the port. 4 Select the desired settings. 5 Click Apply.
STP LAG Settings Use the STP LAG Settings page to assign STP aggregating ports parameters. To display the STP LAG Settings page, click Switching → Spanning Tree → STP LAG Settings in the navigation panel. Figure 22-8. STP LAG Settings Configuring STP Settings for Multiple LAGs To configure STP settings on multiple LAGs: 1 Open the STP LAG Settings page. 2 Click Show All to display the STP LAG Table.
Figure 22-9. Configure STP LAG Settings 3 For each LAG to configure, select the check box in the Edit column in the row associated with the LAG. 4 Select the desired settings. 5 Click Apply. Rapid Spanning Tree Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies that allow a faster convergence of the spanning tree without creating forwarding loops. To display the Rapid Spanning Tree page, click Switching → Spanning Tree → Rapid Spanning Tree in the navigation panel. Figure 22-10.
To view RSTP Settings for all interfaces, click the Show All link. The Rapid Spanning Tree Table displays. Figure 22-11.
MSTP Settings The Multiple Spanning Tree Protocol (MSTP) supports multiple instances of Spanning Tree to efficiently channel VLAN traffic over different interfaces. MSTP is compatible with both RSTP and STP; an MSTP bridge can be configured to behave entirely as an RSTP bridge or an STP bridge. To display the MSTP Settings page, click Switching → Spanning Tree → MSTP Settings in the navigation panel. Figure 22-12.
Viewing and Modifying the Instance ID for Multiple VLANs To configure MSTP settings for multiple VLANs: 1 Open the MSTP Settings page. 2 Click Show All to display the MSTP Settings Table. Figure 22-13. Configure MSTP Settings 3 For each Instance ID to modify, select the check box in the Edit column in the row associated with the VLAN. 4 Update the Instance ID settings for the selected VLANs. 5 Click Apply.
MSTP Interface Settings Use the MSTP Interface Settings page to assign MSTP settings to specific interfaces. To display the MSTP Interface Settings page, click Switching → Spanning Tree → MSTP Interface Settings in the navigation panel. Figure 22-14. MSTP Interface Settings Configuring MSTP Settings for Multiple Interfaces To configure MSTP settings for multiple interfaces: 1 Open the MSTP Interface Settings page. 2 Click Show All to display the MSTP Interface Table.
Figure 22-15. Configure MSTP Interface Settings 3 For each interface to configure, select the check box in the Edit column in the row associated with the interface. 4 Update the desired settings. 5 Click Apply.
Configuring Spanning Tree (CLI)
This section provides information about the commands you use to configure STP settings on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.

Configuring Global STP Bridge Settings
Beginning in Privileged EXEC mode, use the following commands to configure the global STP settings for the switch, such as the priority and timers.
Command    Purpose
show spanning-tree [detail] [active | blockedports]    View information about spanning tree and the spanning tree configuration on the switch.

Configuring Optional STP Features
Beginning in Privileged EXEC mode, use the following commands to configure the optional STP features on the switch or on specific interfaces.
Command    Purpose
configure    Enter global configuration mode.
Command    Purpose
spanning-tree tcnguard    Prevent the port from propagating topology change notifications.
CTRL + Z    Exit to Privileged EXEC mode.
show spanning-tree summary    View various spanning tree settings and parameters for the switch.

Configuring STP Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure the STP settings for a specific interface.
Command    Purpose
configure    Enter global configuration mode.
Configuring MSTP Switch Settings
Beginning in Privileged EXEC mode, use the following commands to configure MSTP settings for the switch.
Command    Purpose
configure    Enter global configuration mode.
spanning-tree mst configuration    Enable configuring an MST region by entering the multiple spanning-tree (MST) mode.
name string    Define the MST configuration name.
revision version    Identify the MST configuration revision number.
instance instance-id {add | remove} vlan    Map VLANs to an MST instance.
Configuring MSTP Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure MSTP settings for the switch.
Command    Purpose
configure    Enter global configuration mode.
interface interface    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3 or port-channel 4.
STP Configuration Examples
This section contains the following examples:
• Configuring STP
• Configuring MSTP

Configuring STP
This example shows a LAN with four switches. On each switch, ports 1, 2, and 3 connect to other switches, and ports 4–20 connect to hosts (in Figure 22-16, each PC represents 17 host systems).
Figure 22-16.
Of the four switches in Figure 22-16, the administrator decides that Switch A is the most centrally located in the network and is the least likely to be moved or redeployed. For these reasons, the administrator selects it as the root bridge for the spanning tree. The administrator configures Switch A with the highest priority and uses the default priority values for Switch B, Switch C, and Switch D.
Configuring MSTP
This example shows how to configure IEEE 802.1s Multiple Spanning Tree (MST) protocol on the switches shown in Figure 22-17.
Figure 22-17. MSTP Configuration Example
To make multiple switches be part of the same MSTP region, make sure the STP operational mode for all switches is MSTP. Also, make sure the MST region name and revision level are the same for all switches in the region.
To configure the switches:
1 Create VLAN 10 (Switch A and Switch B) and VLAN 20 (all switches).
2 Set the STP operational mode to MSTP.
console(config)#spanning-tree mode mst
3 Create MST instance 10 and associate it to VLAN 10.
console(config)#spanning-tree mst configuration
console(config-mst)#instance 10 add vlan 10
4 Create MST instance 20 and associate it to VLAN 20.
console(config-mst)#instance 20 add vlan 20
5 Change the region name so that all the bridges that want to be part of the same region can form the region.
23 Discovering Network Devices
This chapter describes the Industry Standard Discovery Protocol (ISDP) feature and the Link Layer Discovery Protocol (LLDP) feature, including LLDP for Media Endpoint Devices (LLDP-MED).
LLDP is a one-way protocol; there are no request/response sequences. Information is advertised by stations implementing the transmit function, and is received and processed by stations implementing the receive function. The transmit and receive functions can be enabled/disabled separately on each switch port.

What is LLDP-MED?
LLDP-MED is an extension of the LLDP standard.
Default ISDP and LLDP Values
ISDP and LLDP are globally enabled on the switch and enabled on all ports by default. By default, the switch transmits and receives LLDP information on all ports. LLDP-MED is disabled on all ports. Table 23-1 summarizes the default values for ISDP.
Table 23-1.
Table 23-3 summarizes the default values for LLDP-MED. Table 23-3.
Configuring ISDP and LLDP (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring ISDP and LLDP/LLDP-MED on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.

ISDP Global Configuration
From the ISDP Global Configuration page, you can configure the ISDP settings for the switch, such as the administrative mode.
ISDP Cache Table
From the ISDP Cache Table page, you can view information about other devices the switch has discovered through the ISDP. To access the ISDP Cache Table page, click System → ISDP → Cache Table in the navigation panel.
Figure 23-2.
ISDP Interface Configuration
From the ISDP Interface Configuration page, you can configure the ISDP settings for each interface. If ISDP is enabled on an interface, it must also be enabled globally in order for the interface to transmit ISDP packets. If the ISDP mode on the ISDP Global Configuration page is disabled, the interface will not transmit ISDP packets, regardless of the mode configured on the interface.
To view the ISDP mode for multiple interfaces, click Show All.
Figure 23-4.
ISDP Statistics
From the ISDP Statistics page, you can view information about the ISDP packets sent and received by the switch. To access the ISDP Statistics page, click System → ISDP → Statistics in the navigation panel.
Figure 23-5.
LLDP Configuration
Use the LLDP Configuration page to specify LLDP parameters. Parameters that affect the entire system as well as those for a specific interface can be specified here. To display the LLDP Configuration page, click Switching → LLDP → Configuration in the navigation panel.
Figure 23-6.
To view the LLDP Interface Settings Table, click Show All. From the LLDP Interface Settings Table page, you can view and edit information about the LLDP settings for multiple interfaces. Figure 23-7.
LLDP Statistics
Use the LLDP Statistics page to view LLDP-related statistics. To display the LLDP Statistics page, click Switching → LLDP → Statistics in the navigation panel.
Figure 23-8.
LLDP Connections
Use the LLDP Connections page to view the list of ports with LLDP enabled. Basic connection details are displayed. To display the LLDP Connections page, click Switching → LLDP → Connections in the navigation panel.
Figure 23-9.
To view additional information about a device connected to a port that has been discovered through LLDP, click the port number in the Local Interface table (it is a hyperlink), or click Details and select the port with the connected device. Figure 23-10.
LLDP-MED Global Configuration
Use the LLDP-MED Global Configuration page to change or view the LLDP-MED parameters that affect the entire system. To display the LLDP-MED Global Configuration page, click Switching → LLDP → LLDP-MED → Global Configuration in the navigation panel.
Figure 23-11.
LLDP-MED Interface Configuration
Use the LLDP-MED Interface Configuration page to specify LLDP-MED parameters that affect a specific interface. To display the LLDP-MED Interface Configuration page, click Switching → LLDP → LLDP-MED → Interface Configuration in the navigation panel.
Figure 23-12.
To view the LLDP-MED Interface Summary table, click Show All. Figure 23-13.
LLDP-MED Local Device Information
Use the LLDP-MED Local Device Information page to view the advertised LLDP local data for each port. To display the LLDP-MED Local Device Information page, click Switching → LLDP → LLDP-MED → Local Device Information in the navigation panel.
Figure 23-14.
LLDP-MED Remote Device Information
Use the LLDP-MED Remote Device Information page to view the LLDP data advertised by remote devices. To display the LLDP-MED Remote Device Information page, click Switching → LLDP → LLDP-MED → Remote Device Information in the navigation panel.
Figure 23-15.
Configuring ISDP and LLDP (CLI)
This section provides information about the commands you use to manage and view the device discovery protocol features on the switch. For more information about these commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.

Configuring Global ISDP Settings
Beginning in Privileged EXEC mode, use the following commands to configure ISDP settings that affect the entire switch.
Enabling ISDP on a Port
Beginning in Privileged EXEC mode, use the following commands to enable ISDP on a port.
Command    Purpose
configure    Enter Global Configuration mode.
interface interface    Enter interface configuration mode for the specified interface.
isdp enable    Administratively enable ISDP on the switch.
exit    Exit to Global Config mode.
exit    Exit to Privileged Exec mode.
show isdp interface all    View the ISDP mode on all interfaces.
Configuring Global LLDP Settings
Beginning in Privileged EXEC mode, use the following commands to configure LLDP settings that affect the entire switch.
Command    Purpose
configure    Enter Global Configuration mode.
lldp notification-interval interval    Specify how often, in seconds, the switch should send remote data change notifications.
lldp timers [interval transmit-interval] [hold    Configure the timing for local data transmission on ports enabled for LLDP.
Command    Purpose
lldp notification    Enable remote data change notifications on the interface.
lldp transmit-tlv [sys-desc][sys-name][sys-cap][port-desc]    Specify which optional type-length-value settings (TLVs) in the 802.1AB basic management set will be transmitted in the LLDP PDUs.
• sys-name — Transmits the system name TLV
• sys-desc — Transmits the system description TLV
• sys-cap — Transmits the system capabilities TLV
• port-desc — Transmits the port description TLV
exit    Exit to Global Config mode.
Configuring LLDP-MED Settings
Beginning in Privileged EXEC mode, use the following commands to configure LLDP-MED settings that affect the entire switch.
Command    Purpose
configure    Enter Global Configuration mode.
lldp med faststartrepeatcount    Specifies the number of LLDP PDUs that will be transmitted when the protocol is enabled.
interface interface    Enter interface configuration mode for the specified Ethernet interface.
lldp med    Enable LLDP-MED on the interface.
Viewing LLDP-MED Information
Beginning in Privileged EXEC mode, use the following commands to view information about the LLDP-MED Protocol Data Units (PDUs) that are sent and have been received.
Command    Purpose
show lldp med local-device detail interface    View LLDP information advertised by the specified port.
show lldp remote-device {all | interface | detail interface}    View LLDP-MED information received by all ports or by the specified port. Include the keyword detail to see additional information.
4 Exit to Privileged EXEC mode and view the LLDP settings for the switch and for interface 1/0/3.
console(config-if-Gi1/0/3)#
console#show isdp
Timer....................................45
Hold Time................................60
Version 2 Advertisements.................Enabled
Neighbors table time since last change...00 days 00:00:00
Device ID................................none
Device ID format capability........ Serial Number, Host Name
Device ID format..................
3 Enable port 1/0/3 to transmit management address information in the LLDP PDUs and to send topology change notifications if a device is added or removed from the port.
console(config-if-Gi1/0/3)#lldp transmit-mgmt
console(config-if-Gi1/0/3)#lldp notification
4 Specify the TLV information to be included in the LLDP PDUs transmitted from port 1/0/3.
console(config-if-Gi1/0/3)#lldp transmit-tlv sys-name sys-desc sys-cap port-desc
5 Set the port description to be transmitted in LLDP PDUs.
9 View detailed information about the LLDP configuration on port 1/0/3.
console#show lldp local-device detail gi1/0/3
LLDP Local Device Detail
Interface: Gi1/0/3
Chassis ID Subtype: MAC Address
Chassis ID: 00:1E:C9:AA:AA:07
Port ID Subtype: Interface Name
Port ID: gi 1/0/3
System Name: console
System Description: PowerConnect M6348 3.16.22.30, VxWorks 6.
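What a neighbor can read from the optional TLVs enabled in this chapter, as an added example (not code from the Dell guide): it decodes an LLDPDU in the IEEE 802.1AB TLV format and reports which optional TLVs are present beyond an allow-list. The sample LLDPDU is constructed from the values in the show output above; the TTL, the capability bits, the function names and the allow-list are assumptions.

```python
import struct

# Optional TLV type numbers (IEEE 802.1AB) and the keyword that enables each
# one on this page's CLI (lldp transmit-tlv ... and lldp transmit-mgmt).
OPTIONAL = {4: "port-desc", 5: "sys-name", 6: "sys-desc", 7: "sys-cap",
            8: "transmit-mgmt"}
TEXT_TLVS = (4, 5, 6)  # TLVs whose value is a printable string


def build_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Return [(type, value), ...] up to the End TLV; reject truncated input."""
    tlvs, offset = [], 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("LLDPDU ends without an End TLV")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if tlv_type == 0:
            return tlvs
        if offset + length > len(data):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        tlvs.append((tlv_type, data[offset:offset + length]))
        offset += length


def audit_lldpdu(data, allowed):
    """Compare the optional TLVs in an LLDPDU with an allow-list of keywords.

    Returns (disclosed, unexpected): what each optional TLV carries, and the
    sorted keywords that are present but not in `allowed`.
    """
    tlvs = parse_lldpdu(data)
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("chassis ID, port ID and TTL TLVs must come first")
    disclosed = {}
    for tlv_type, value in tlvs[3:]:
        keyword = OPTIONAL.get(tlv_type)
        if keyword is None:
            continue  # organizationally specific or unknown TLV: not audited here
        if tlv_type in TEXT_TLVS:
            disclosed[keyword] = value.decode("utf-8", "replace")
        else:
            disclosed[keyword] = value.hex()
    return disclosed, sorted(set(disclosed) - set(allowed))


def sample_lldpdu():
    """Constructed LLDPDU carrying the values from the show output above."""
    return b"".join([
        build_tlv(1, b"\x04" + bytes.fromhex("001EC9AAAA07")),  # subtype 4: MAC address
        build_tlv(2, b"\x05" + b"gi 1/0/3"),                    # subtype 5: interface name
        build_tlv(3, struct.pack("!H", 120)),                   # TTL (assumed value)
        build_tlv(5, b"console"),
        build_tlv(6, b"PowerConnect M6348 3.16.22.30"),
        build_tlv(7, struct.pack("!HH", 0x0004, 0x0004)),       # bridge (assumed bits)
        build_tlv(0, b""),                                      # End of LLDPDU
    ])


if __name__ == "__main__":
    found, extra = audit_lldpdu(sample_lldpdu(), {"sys-name", "port-desc"})
    for keyword, value in found.items():
        print(keyword, "=", value)
    print("not on allow-list:", extra)
```

The system description TLV is the one that exposes the model and firmware version to every LLDP receiver on the link, which is why it is worth checking against the transmit-tlv setting on edge ports.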
24 Configuring Port-Based Traffic Control
This chapter describes how to configure features that provide traffic control through filtering the type of traffic or limiting the speed or amount of traffic on a per-port basis. The features this section describes include flow control, storm control, protected ports, and Link Local Protocol Filtering (LLPF), which is also known as Cisco Protocol Filtering.
For information about Priority Flow Control (PFC), which provides a way to distinguish which traffic on a physical link is paused when congestion occurs based on the priority of the traffic, see "Configuring Data Center Bridging Features" on page 837.

What is Flow Control?
IEEE 802.3 Annex 31B flow control allows nodes that transmit at slower speeds to communicate with higher speed switches by requesting that the higher speed switch refrain from sending packets.
configured limit is 10%, this is converted to ~25000 PPS, and this PPS limit is set in the hardware. You get the approximate desired output when 512-byte packets are used.

What are Protected Ports?
The switch supports up to three separate groups of protected ports. Traffic can flow between protected ports belonging to different groups, but not within the same group. A port can belong to only one protected port group. You must remove an interface from one group before adding it to another group.
Access Control Lists (ACLs) and LLPF can exist on the same interface. However, the ACL rules override the LLPF rules when there is a conflict. Similarly, DiffServ and LLPF can both be enabled on an interface, but DiffServ rules override LLPF rules when there is a conflict.
Configuring Port-Based Traffic Control (Web)
This section provides information about the OpenManage Switch Administrator pages to use to control port-based traffic on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.

Flow Control (Global Port Parameters)
Use the Global Parameters page for ports to enable or disable flow control support on the switch.
Storm Control
Use the Storm Control page to enable and configure the storm control feature. To display the Storm Control interface, click Switching → Ports → Storm Control in the navigation menu.
Figure 24-2. Storm Control

Configuring Storm Control Settings on Multiple Ports
To configure storm control on multiple ports:
1 Open the Storm Control page.
2 Click Show All to display the Storm Control Settings Table.
3 In the Ports list, select the check box in the Edit column for the port to configure.
Figure 24-3. Storm Control
5 Click Apply.
Protected Port Configuration
Use the Protected Port Configuration page to prevent ports in the same protected ports group from being able to see each other’s traffic. To display the Protected Port Configuration page, click Switching → Ports → Protected Port Configuration in the navigation menu.
Figure 24-4. Protected Port Configuration

Configuring Protected Ports
To configure protected ports:
1 Open the Protected Ports page.
2 Click Add to display the Add Protected Group page.
3 Select a group (0–2).
Figure 24-5. Add Protected Ports Group
5 Click Apply.
6 Click Protected Port Configuration to return to the main page.
7 Select the port to add to the group.
8 Select the protected port group ID.
Figure 24-6. Add Protected Ports
9 Click Apply.
10 To view protected port group membership information, click Show All.
Figure 24-7. View Protected Port Information
11 To remove a port from a protected port group, select the Remove check box associated with the port and click Apply.

LLPF Configuration
Use the LLPF Interface Configuration page to filter out various proprietary protocol data units (PDUs) and/or ISDP if problems occur with these protocols running on standards-based switches.
Figure 24-8. LLPF Interface Configuration
To view the protocol types that have been blocked for an interface, click Show All.
Figure 24-9.
Configuring Port-Based Traffic Control (CLI)
This section provides information about the commands you use to configure port-based traffic control settings. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.

Configuring Flow Control and Storm Control
Beginning in Privileged EXEC mode, use the following commands to configure the flow control and storm control features.
Command    Purpose
CTRL + Z    Exit to Privileged EXEC mode.
show interfaces detail interface    Display detailed information about the specified interface, including the flow control status.
show storm-control    View whether 802.3x flow control is enabled on the switch.
show storm-control [interface | all]    View storm control settings for all interfaces or the specified interface.
Configuring LLPF
Beginning in Privileged EXEC mode, use the following commands to configure LLPF settings.
Command    Purpose
configure    Enter global configuration mode.
interface interface    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
Port-Based Traffic Control Configuration Example
The commands in this example configure storm control, LLPF, and protected port settings for various interfaces on the switch. The storm control configuration in this example sets thresholds on the switch so that if broadcast traffic occupies more than 10% of the bandwidth on any physical port, the interface blocks the broadcast traffic until the measured amount of this traffic drops below the threshold.
5 Verify the configuration.
console#show storm-control gi1/0/1
         Bcast   Bcast   Mcast   Mcast   Ucast   Ucast
Intf     Mode    Level   Mode    Level   Mode    Level
------   ------- ------- ------- ------- ------- ------
Gi1/0/1  Enable  10      Enable  5       Disable 5
console#show service-acl interface gi1/0/1
Protocol        Mode
--------------- ----------
CDP             Disabled
VTP             Enabled
DTP             Disabled
UDLD            Disabled
PAGP            Enabled
SSTP            Disabled
ALL             Disabled
console#show switchport protected 0
Name.........................................
25 Configuring L2 Multicast Features
This chapter describes the layer 2 multicast features on the PowerConnect M6220, M6348, M8024, and M8024-k switches. The features this chapter describes include bridge multicast filtering, Internet Group Management Protocol (IGMP) snooping, Multicast Listener Discovery (MLD) snooping, and Multicast VLAN Registration (MVR).
NOTE: MVR is not supported on the PowerConnect M6220.
What Are the Multicast Bridging Features?
The PowerConnect M6220, M6348, M8024, and M8024-k switches support multicast filtering and multicast flooding. For multicast traffic, the switch uses a database called the Layer 2 Multicast Forwarding Database (MFDB) to make forwarding decisions for packets that arrive with a multicast destination MAC address. By limiting multicasts to only certain ports in the switch, traffic is prevented from going to parts of the network where that traffic is unnecessary.
This approach works well for broadcast packets that are intended to be seen or processed by all connected nodes. In the case of multicast packets, however, this approach could lead to less efficient use of network bandwidth, particularly when the packet is intended for only a small number of nodes. Packets will be flooded into network segments where no node has any interest in receiving the packet.
in scenarios, such as FCoE/FIP snooping, where it is desirable to flood L2 control plane multicast messages that do not utilize well-known multicast addresses. By default, multicast routers are aged out every five minutes. The user can control whether or not multicast routers age out. If all multicast routers age out, the switch floods the VLAN with the multicast group. Multicast routers send an IGMP query every 60 seconds. This query is intercepted by the switch and forwarded to all ports in the VLAN.
NOTE: Without an IP-multicast router on a VLAN, you must configure another switch as the IGMP querier so that it can send queries. When IGMP snooping querier is enabled, the querier switch sends out periodic IGMP queries that trigger IGMP report messages from the hosts that want to receive IP multicast traffic. The IGMP snooping feature listens to these IGMP reports to identify multicast router ports.
permanently assigned (well-known) multicast address FF0x::/12 to all ports in the VLAN, except for MLD packets, which are handled according to the MLD snooping rules.
NOTE: It is strongly recommended that users enable IGMP snooping if MLD snooping is enabled and vice-versa. This is because both IGMP snooping and MLD snooping utilize the same forwarding table, and not enabling both may cause unwanted pruning of protocol packets utilized by other protocols, e.g. OSPFv2.
MVR operates in one of two configured learning modes: dynamic and compatible.
• In dynamic mode, MVR learns existing multicast groups by parsing the IGMP queries from the router on source ports and forwarding the IGMP joins from the hosts to the router.
• In compatible mode, MVR does not learn multicast groups; the administrator must configure them, and the protocol does not forward joins from the hosts to the router.
NOTE: If a multicast source is connected to a VLAN on which both L3 multicast and IGMP snooping are enabled, the multicast source is forwarded to the mrouter ports that have been discovered when the multicast source is first seen. If a new mrouter is later discovered on a different port, the multicast source data is not forwarded to the new port. Likewise, if an existing mrouter times out or stops querying, the multicast source data continues to be forwarded to that port.
GMRP is similar to IGMP snooping in its purpose, but IGMP snooping is more widely used. GMRP must be running on both the host and the switch to function properly and IGMP/MLD snooping must be disabled on the switch, as IGMP snooping and GMRP cannot simultaneously operate within the same VLAN.
Snooping Switch Restrictions
Partial IGMPv3 and MLDv2 Support
The IGMPv3 and MLDv2 protocols allow multicast listeners to specify the list of hosts from which they want to receive the traffic. However, the PowerConnect snooping switch does not track this information. IGMPv3/MLDv2 Report messages that have the group record type CHANGE_TO_INCLUDE_MODE with a null source list are treated as Leave messages. All other report messages are treated as IGMPv2/MLDv1 Report messages.
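The classification rule above, written out as an added example (not Dell's firmware code): it parses an IGMPv3 Membership Report in the RFC 3376 wire format and labels each group record the way this page says the snooping switch treats it. The sample report and its addresses are constructed, and the function names are hypothetical.

```python
import socket
import struct

IGMPV3_REPORT = 0x22          # IGMPv3 Membership Report type (RFC 3376)
CHANGE_TO_INCLUDE_MODE = 3    # group record type named on this page


def inet_checksum(data):
    """16-bit one's-complement checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_report(records):
    """Build a report from (record_type, group, [sources]) tuples."""
    body = b""
    for record_type, group, sources in records:
        body += struct.pack("!BBH4s", record_type, 0, len(sources),
                            socket.inet_aton(group))
        body += b"".join(socket.inet_aton(s) for s in sources)
    header = struct.pack("!BBHHH", IGMPV3_REPORT, 0, 0, 0, len(records))
    csum = inet_checksum(header + body)
    return header[:2] + struct.pack("!H", csum) + header[4:] + body


def classify_report(message):
    """Return [(group, action, ignored_sources)] as the snooping switch sees it.

    action is "leave" only for CHANGE_TO_INCLUDE_MODE with a null source list;
    every other record is handled like an IGMPv2 report ("join"), and its
    source list is skipped, not tracked.
    """
    if len(message) < 8:
        raise ValueError("shorter than the IGMPv3 report header")
    msg_type, _, _, _, count = struct.unpack_from("!BBHHH", message, 0)
    if msg_type != IGMPV3_REPORT:
        raise ValueError("not an IGMPv3 Membership Report")
    if inet_checksum(message) != 0:
        raise ValueError("bad IGMP checksum")
    results, offset = [], 8
    for _ in range(count):
        if offset + 8 > len(message):
            raise ValueError("truncated group record")
        record_type, aux_words, n_sources, group = struct.unpack_from(
            "!BBH4s", message, offset)
        end = offset + 8 + 4 * n_sources + 4 * aux_words
        if end > len(message):
            raise ValueError("group record runs past the end of the message")
        if record_type == CHANGE_TO_INCLUDE_MODE and n_sources == 0:
            action = "leave"
        else:
            action = "join"
        results.append((socket.inet_ntoa(group), action, n_sources))
        offset = end
    return results


# Constructed sample: four group records in one report.
SAMPLE_REPORT = build_report([
    (3, "239.1.1.1", []),             # CHANGE_TO_INCLUDE_MODE, null source list
    (4, "239.1.1.2", []),             # CHANGE_TO_EXCLUDE_MODE, the usual v3 join
    (3, "239.1.1.3", ["192.0.2.5"]),  # CHANGE_TO_INCLUDE_MODE with one source
    (6, "239.1.1.4", ["192.0.2.5"]),  # BLOCK_OLD_SOURCES
])

if __name__ == "__main__":
    for group, action, ignored in classify_report(SAMPLE_REPORT):
        print(group, action, "sources ignored:", ignored)
```

The last two records show the practical effect of the restriction: a host that restricts or blocks a source is still recorded as a member of the whole group, so source filtering has to be enforced somewhere other than the snooping switch.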
Topologies Where the Multicast Source Is Not Directly Connected to the Querier
If the multicast source is not directly connected to a multicast querier, the multicast stream is forwarded to any router ports on the switch (within the VLAN). Because multicast router queries are flooded to all ports in the VLAN, intermediate IGMP snooping switches will receive the multicast stream from the multicast source and forward it to the multicast router.
Default L2 Multicast Values Details about the L2 multicast are in Table 25-1. Table 25-1.
Table 25-1.
Configuring L2 Multicast Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 multicast features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.

Multicast Global Parameters
Use the Multicast Global Parameters page to enable or disable bridge multicast filtering, IGMP snooping, or MLD snooping on the switch.
Bridge Multicast Group
Use the Bridge Multicast Group page to create new multicast service groups or to modify ports and LAGs assigned to existing multicast service groups. Attached interfaces display in the Port and LAG tables and reflect the manner in which each is joined to the Multicast group. To display the Bridge Multicast Group page, click Switching → Multicast Support → Bridge Multicast Group in the navigation menu.
Figure 25-2.
The Bridge Multicast Group page contains two editable tables:
• Unit and Ports — Displays and assigns multicast group membership to ports. To assign membership, click in Static for a specific port. Each click toggles between S, F, and blank. See Table 25-2 for definitions.
• LAGs — Displays and assigns multicast group membership to LAGs. To assign membership, click in Static for a specific LAG. Each click toggles between S, F, and blank. See Table 25-2 for definitions.
Figure 25-3. Add Bridge Multicast Group
2 Select the ID of the VLAN to add to the multicast group or to modify membership for an existing group.
3 For a new group, specify the multicast group IP or MAC address associated with the selected VLAN.
4 In the Bridge Multicast Group tables, assign a setting by clicking in the Static row for a specific port/LAG. Each click toggles between S, F, and blank (not a member).
5 Click Apply.
Removing a Bridge Multicast Group
To delete a bridge multicast group:
1 Open the Bridge Multicast Group page.
2 Select the VLAN ID associated with the bridge multicast group to be removed from the drop-down menu. The Bridge Multicast Address and the assigned ports/LAGs display.
3 Check the Remove check box.
4 Click Apply. The selected bridge multicast group is removed, and the device is updated.
General IGMP Snooping
Use the General IGMP snooping page to configure IGMP snooping settings on specific ports and LAGs. To display the General IGMP snooping page, click Switching → Multicast Support → IGMP Snooping → General in the navigation menu.
Figure 25-5. General IGMP Snooping

Modifying IGMP Snooping Settings for Multiple Ports, LAGs, or VLANs
To modify the IGMP snooping settings:
1 From the General IGMP snooping page, click Show All. The IGMP Snooping Table displays.
Figure 25-6. Edit IGMP Snooping Settings
3 Edit the IGMP snooping fields as needed.
4 Click Apply. The IGMP snooping settings are modified, and the device is updated.

Copying IGMP Snooping Settings to Multiple Ports, LAGs, or VLANs
To copy IGMP snooping settings:
1 From the General IGMP snooping page, click Show All. The IGMP Snooping Table displays.
2 Select the Copy Parameters From checkbox.
3 Select a Unit/Port, LAG, or VLAN to use as the source of the desired parameters.
Figure 25-7. Copy IGMP Snooping Settings
5 Click Apply. The IGMP snooping settings are modified, and the device is updated.
Global Querier Configuration
Use the Global Querier Configuration page to configure IGMP snooping querier settings, such as the IP address to use as the source in periodic IGMP queries when no source address has been configured on the VLAN. To display the Global Querier Configuration page, click Switching → Multicast Support → IGMP Snooping → Global Querier Configuration in the navigation menu.
Figure 25-8.
VLAN Querier
Use the VLAN Querier page to specify the IGMP snooping querier settings for individual VLANs. To display the VLAN Querier page, click Switching → Multicast Support → IGMP Snooping → VLAN Querier in the navigation menu.
Figure 25-9. VLAN Querier

Adding a New VLAN and Configuring its VLAN Querier Settings
To configure a VLAN querier:
1 From the VLAN Querier page, click Add. The page refreshes, and the Add VLAN page displays.
Figure 25-10. Add VLAN Querier
2 Enter the VLAN ID and, if desired, an optional VLAN name.
3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu.
4 Specify the VLAN querier settings.
5 Click Apply. The VLAN Querier settings are modified, and the device is updated.
To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch, click Show All. Figure 25-11.
VLAN Querier Status
Use the VLAN Querier Status page to view the IGMP snooping querier settings for individual VLANs. To display the VLAN Querier Status page, click Switching → Multicast Support → IGMP Snooping → VLAN Querier Status in the navigation menu.
Figure 25-12.
MFDB IGMP Snooping Table
Use the MFDB IGMP Snooping Table page to view the multicast forwarding database (MFDB) IGMP Snooping Table and Forbidden Ports settings for individual VLANs. To display the MFDB IGMP Snooping Table page, click Switching → Multicast Support → IGMP Snooping → MFDB IGMP Snooping Table in the navigation menu.
Figure 25-13.
MLD Snooping General
Use the MLD Snooping General page to add MLD members. To access this page, click Switching → Multicast Support → MLD Snooping → General in the navigation panel.
Figure 25-14. MLD Snooping General

Modifying MLD Snooping Settings for VLANs
To configure MLD snooping:
1 From the General MLD snooping page, click Show All. The MLD Snooping Table displays.
Figure 25-15. MLD Snooping Table
2 Select the Edit checkbox for each VLAN to modify.
3 Edit the MLD snooping fields as needed.
4 Click Apply. The MLD snooping settings are modified, and the device is updated.

Copying MLD Snooping Settings to VLANs
To copy MLD snooping settings:
1 From the General MLD snooping page, click Show All. The MLD Snooping Table displays.
2 Select the Copy Parameters From checkbox.
3 Select a VLAN to use as the source of the desired parameters.
4 Select the Copy To checkbox for the VLANs that these parameters will be copied to.
5 Click Apply. The MLD snooping settings are modified, and the device is updated.
MLD Snooping VLAN Querier
Use the MLD Snooping VLAN Querier page to specify the MLD snooping querier settings for individual VLANs. To display the MLD Snooping VLAN Querier page, click Switching → Multicast Support → MLD Snooping → VLAN Querier in the navigation menu.
Figure 25-17. MLD Snooping VLAN Querier

Adding a New VLAN and Configuring its MLD Snooping VLAN Querier Settings
To configure an MLD snooping VLAN querier:
1 From the VLAN Querier page, click Add.
Figure 25-18. Add MLD Snooping VLAN Querier
2 Enter the VLAN ID and, if desired, an optional VLAN name.
3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu.
4 Specify the VLAN querier settings.
5 Click Apply. The VLAN Querier settings are modified, and the device is updated.
To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch, click Show All.
Figure 25-19.
MLD Snooping VLAN Querier Status
Use the VLAN Querier Status page to view the MLD snooping querier settings for individual VLANs. To display the VLAN Querier Status page, click Switching → Multicast Support → MLD Snooping → VLAN Querier Status in the navigation menu.
Figure 25-20.
MFDB MLD Snooping Table
Use the MFDB MLD Snooping Table page to view the MFDB MLD snooping table settings for individual VLANs. To display the MFDB MLD Snooping Table page, click Switching → Multicast Support → MLD Snooping → MFDB MLD Snooping Table in the navigation menu.
Figure 25-21.
MVR Global Configuration
NOTE: MVR is not supported on the PowerConnect M6220.
Use the MVR Global Configuration page to enable the MVR feature and configure global parameters. To display the MVR Global Configuration page, click Switching → MVR Configuration → Global Configuration in the navigation panel.
Figure 25-22.
MVR Members
Use the MVR Members page to view and configure MVR group members. To display the MVR Members page, click Switching → MVR Configuration → MVR Members in the navigation panel.
Figure 25-23. MVR Members

Adding an MVR Membership Group
To add an MVR membership group:
1 From the MVR Membership page, click Add. The MVR Add Group page displays.
Figure 25-24. MVR Member Group
2 Specify the MVR group IP multicast address.
3 Click Apply.

MVR Interface Configuration
Use the MVR Interface Configuration page to enable MVR on a port, configure its MVR settings, and add the port to an MVR group. To display the MVR Interface Configuration page, click Switching → MVR Configuration → MVR Interface Configuration in the navigation panel.
Figure 25-25.
To view a summary of the MVR interface configuration, click Show All. Figure 25-26. MVR Interface Summary Adding an Interface to an MVR Group To add an interface to an MVR group: 1 From the MVR Interface page, click Add. Figure 25-27. MVR - Add to Group 2 Select the interface to add to the MVR group. 3 Specify the MVR group IP multicast address. 4 Click Apply.
Removing an Interface from an MVR Group To remove an interface from an MVR group: 1 From the MVR Interface page, click Remove. Figure 25-28. MVR - Remove from Group 2 Select the interface to remove from an MVR group. 3 Specify the IP multicast address of the MVR group. 4 Click Apply.
MVR Statistics Use the MVR Statistics page to view MVR statistics on the switch. To display the MVR Statistics page, click Switching → MVR Configuration → MVR Statistics in the navigation panel. Figure 25-29.
GARP Timers The Timers page contains fields for setting the GARP timers used by GVRP and GMRP on the switch. To display the Timers page, click Switching → GARP → Timers in the navigation panel. Figure 25-30. GARP Timers Configuring GARP Timer Settings for Multiple Ports To configure GARP timers on multiple ports: 1 Open the Timers page. 2 Click Show All to display the GARP Timers Table.
Figure 25-31. Configure STP Port Settings 3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port. 4 Specify the desired timer values. 5 Click Apply.
Copying GARP Timer Settings From One Port to Others To copy GARP timer settings: 1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs. 2 In the Ports or LAGs list, select the check box(es) in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field. 3 Click Apply to copy the settings.
Figure 25-33. GMRP Port Configuration Table 3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port. 4 Specify the desired timer values. 5 Click Apply.
Copying Settings From One Port or LAG to Others To copy GMRP settings: 1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs. 2 In the Ports or LAGs list, select the check box(es) in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field. 3 Click Apply to copy the settings.
Configuring L2 Multicast Features (CLI) This section provides information about the commands you use to configure L2 multicast settings on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Because L3 IP multicast (PIM/IGMP) utilizes a separate forwarding database from L2 multicast, it is recommended that L3 multicast features, including PIM and IGMP, be disabled on L2 multicast enabled switches.
Command Purpose show mac address-table multicast [vlan vlan-id] [address mac-multicastaddress | ip-multicastaddress] [format ip | mac]] View entries in the multicast MAC address table. The show mac address-table multicast command shows only multicast addresses. Multicast addresses are shown along with unicast addresses if the multicast keyword is not used. Configuring IGMP Snooping on VLANs Beginning in Privileged EXEC mode, use the following commands to configure IGMP snooping settings on VLANs.
Command Purpose ip igmp snooping vlan vlan-id mcrtexpiretime Specify the multicast router time-out value to associate with a VLAN. This command sets the number of seconds to wait to age out an automatically-learned multicast router port. CTRL + Z Exit to Privileged EXEC mode. show ip igmp snooping groups Shows IGMP snooping configuration on all VLANs. show ip igmp snooping vlan vlan-id View the IGMP snooping settings on the VLAN.
Command Purpose ip igmp snooping querier election participate vlan-id Allow the IGMP snooping querier to participate in the querier election process when it discovers the presence of another querier in the VLAN. When this mode is enabled, if the snooping querier finds that the other querier source address is more than the snooping querier address, it stops sending periodic queries.
Command Purpose ipv6 mld snooping vlan vlan-id immediate-leave Enables MLD snooping immediate-leave mode on the specified VLAN. Enabling immediate-leave allows the switch to immediately remove the layer 2 LAN interface from its forwarding table entry upon receiving an MLD leave message for that multicast group without first sending out MAC-based general queries to the interface.
Command Purpose ipv6 mld snooping querier election participate vlan-id Allow the MLD snooping querier to participate in the querier election process when it discovers the presence of another querier in the VLAN. When this mode is enabled, if the snooping querier finds that the other querier source address is more than the snooping querier address, it stops sending periodic queries. If the snooping querier wins the election, then it continues sending periodic queries.
Command Purpose mvr Enable MVR on the switch. mvr vlan vlan-id Set the VLAN to use as the multicast VLAN for MVR. mvr querytime time Set the MVR query response time. The value for time is in units of tenths of a second. mvr mode {compatible | dynamic} Specify the MVR mode of operation. mvr group mcast-address Add an MVR membership group.
Command Purpose show mvr interface interface View information about the MVR configuration for a specific port. show mvr traffic View information about IGMP traffic in the MVR table. Configuring GARP Timers and GMRP Beginning in Privileged EXEC mode, use the following commands to configure the GARP timers and to control the administrative mode of GMRP on the switch and per-interface. Command Purpose configure Enter global configuration mode.
Case Study on a Real-World Network Topology Multicast Snooping Case Study Figure 25-35 shows the topology that the scenarios in this case study use. Figure 25-35.
• Multicast Sources: Server A – 239.20.30.40, Server B – 239.20.30.42
• Subnets: VLAN 10 – 192.168.10.x, VLAN 20 – 192.168.20.x
• Mrouter ports: D3 – 1/0/20, D2 – PortChannel1, D1 – 1/0/15

Snooping Within a Subnet

In the example network topology, the multicast source and listeners are in the same subnet VLAN 20 – 192.168.20.x/24. D4 sends periodic queries on VLAN 10 and 20, and these queries are forwarded to D1, D2, and D3 via trunk links.
3 A forwarding entry is created by D3 for VLAN20, 239.20.30.42 – 1/0/6, 1/0/20. 4 Client D will receive the multicast stream from Server B because it is forwarded by D1 to D3 and then to D4 because D4 is a multicast router. Because the multicast stream is present on D3, a L2 forwarding entry is created on D3, where 239.20.30.42 is not a registered group. 5 Client F does not receive the multicast stream because it did not respond to queries from D4.
2 A multicast forwarding entry is created on D2 VLAN20, 239.20.30.40 – 1/0/20, PortChannel1. 3 The Client F report message is forwarded to D3-PortChannel1 (multicast router attached port). 4 A multicast forwarding entry is created on D3 VLAN 20, 239.20.30.40 – PortChannel1, 1/0/20. 5 The Client F report message is forwarded to D4 via D3 – 1/0/20 (multicast router attached port). 6 An IP multicast routing entry is created on D4 VLAN 10 – VLAN 20 with the L3 outgoing port list as VLAN 20 – 1/0/20.
Multicast Source and Listener connected to Multicast Router via intermediate snooping switches and are part of different routing VLANs: Server B Client E Clients E, B, and C are on the same subnet VLAN10 – 192.168.10.70/24. Server B is in a different subnet VLAN20 – 192.168.20.70/24. 1 Client E sends a report for 239.20.30.42. 2 A multicast forwarding entry is created on D2 VLAN10, 239.20.30.42 – 1/0/2, PortChannel 1. 3 The report from Client E is forwarded to D3 via D2 – PortChannel 1.
26 Configuring Connectivity Fault Management This chapter describes how to configure the Connectivity Fault Management feature, which is specified in IEEE 802.1ag (IEEE Standard for Local and Metropolitan Area Networks Virtual Bridged Local Area Networks Amendment 5: Connectivity Fault Management). This protocol, also known as Dot1ag, enables the detection and isolation of connectivity faults at the service level for traffic that is bridged over a metropolitan Ethernet LAN.
802.3ah), where the faults are detected and notified on a single point-to-point IEEE Std. 802.3 LAN, Dot1ag addresses fault diagnosis at the service layer across networks comprising multiple LANs, including LANs other than 802.3 media. How Does Dot1ag Work Across a Carrier Network? A typical metropolitan area network comprises operator, service provider, and customer networks. To suit this business model, CFM relies on a functional model of hierarchical maintenance domains (MDs).
Entities at different levels have different responsibilities. For example, the lower level (operator) oversees a subset of the network in detail and provides information about its status to its higher levels (such as the provider level). Higher levels have a broader, but less detailed, view of the network. As a result, a provider could include multiple operators, provided that the domains never intersect.
• MIPs are entities within a domain that enable the outer domain to achieve end-to-end connectivity checks. MIPs passively receive CFM messages and respond back to the originating MEP. Figure 26-2 depicts two MEPs and the MIPs that connect them in a maintenance domain. Figure 26-2. Maintenance Endpoints and Intermediate Points Maintenance Associations An MA is a logical connection between one or more MEPs that enables monitoring a particular service instance.
Figure 26-3. Provider View for Service Level OAM What is the Administrator’s Role? On the switch, the administrator configures the customer-level maintenance domains, associations, and endpoints used to participate in Dot1ag services with other switches connected through the provider network. The administrator can also use utilities to troubleshoot connectivity faults when reported via SNMP traps. All the domains within the customer domain should use different domain levels.
Troubleshooting Tasks In the event of a connectivity loss between MEPs, the administrator can perform path discovery, similar to traceroute, from one MEP to any MEP or MIP in a maintenance domain using Link Trace Messages (LTMs). The connectivity loss is narrowed down using path discovery and is verified using Loop-back Messages (LBMs), which are similar to ping operations in IP networks.
Configuring Dot1ag (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Dot1ag features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. Dot1ag Global Configuration Use the Global Configuration page to enable and disable the Dot1ag admin mode and to configure the time after which inactive RMEP messages are removed from the MEP database.
Figure 26-5. Dot1ag MD Configuration Dot1ag MA Configuration Use the MA Configuration page to associate a maintenance domain level with one or more VLAN IDs, provide a name for each maintenance association (MA), and set the interval between continuity check messages sent by MEPs for the MA. To display the page, click Switching → Dot1ag → MA Configuration in the tree view. Figure 26-6.
To add an MA, click the Add link at the top of the page. Dot1ag MEP Configuration Use the MEP Configuration page to define switch ports as Management End Points. MEPs are configured per domain and per VLAN. To display the page, click Switching → Dot1ag → MEP Configuration in the tree view. Figure 26-7.
To add a MEP, click the Add link at the top of the page. A VLAN must be associated with the selected domain before you configure a MEP to be used within an MA (see the MA Configuration page). Dot1ag MIP Configuration Use the MIP Configuration page to define a switch port as an intermediate bridge for a selected domain. To display the page, click Switching → Dot1ag → MIP Configuration in the tree view. Figure 26-8.
Dot1ag RMEP Summary Use the RMEP Summary page to view information on remote MEPs that the switch has learned through CFM PDU exchanges with MEPs on the switch. To display the page, click Switching → Dot1ag → RMEP Summary in the tree view. Figure 26-9.
Dot1ag L2 Ping Use the L2 Ping page to generate a loopback message from a specified MEP. The MEP can be identified by the MEP ID or by its MAC address. To display the page, click Switching → Dot1ag → L2 Ping in the tree view. Figure 26-10. Dot1ag L2 Ping Dot1ag L2 Traceroute Use the L2 Traceroute page to generate a Link Trace message from a specified MEP. The MEP can be specified by the MAC address, or by the remote MEP ID. To display the page, click Switching → Dot1ag → L2 Traceroute in the tree view.
Figure 26-11. Dot1ag L2 Traceroute Dot1ag L2 Traceroute Cache Use the L2 Traceroute Cache page to view link traces retained in the link trace database. To display the page, click Switching → Dot1ag → L2 Traceroute Cache in the tree view. Figure 26-12.
Dot1ag Statistics Use the Statistics page to view Dot1ag information for a selected domain and VLAN ID. To display the page, click Switching → Dot1ag → Statistics in the tree view. Figure 26-13.
Configuring Dot1ag (CLI) This section provides information about the commands you use to configure Dot1ag settings on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring Dot1ag Global Settings and Creating Domains Beginning in Privileged Exec mode, use the following commands to configure CFM settings and to view global status and domain information.
Configuring MEP Information Beginning in Privileged Exec mode, use the following commands to configure the mode and view related settings. CLI Command Description configure Enter global configuration mode. interface interface Enter Interface Config mode for the specified interface, where interface is replaced by gigabitethernet unit/slot/port, or tengigabitethernet unit/slot/port.
Dot1ag Ping and Traceroute Beginning in Privileged Exec mode, use the following commands to help identify and troubleshoot Ethernet CFM settings. CLI Command Description ping ethernet cfm mac mac-addr Generate a loopback message from the MEP with the specified MAC address. ping ethernet cfm remote-mpid mep-id Generate a loopback message from the MEP with the specified MEP ID. traceroute ethernet cfm mac mac-addr Generate a Link Trace message from the MEP with the specified MAC address.
Dot1ag Configuration Example In the following example, the switch at the customer site is part of a Metro Ethernet network that is bridged to remote sites through a provider network. A service VLAN (SVID 200) identifies a particular set of customer traffic on the provider network. Figure 26-14.
2 Configure port 1/0/5 as an MEP for service VLAN 200 so that the port can exchange CFM PDUs with its counterpart MEPs on the customer network. The port is first configured as a MEP with MEP ID 20 on domain level 6 for VLAN 200. Then the port is enabled and activated as a MEP.
27 Snooping and Inspecting Traffic This chapter describes Dynamic Host Configuration Protocol (DHCP) Snooping, IP Source Guard (IPSG), and Dynamic ARP Inspection (DAI), which are layer 2 security features that examine traffic to help prevent accidental and malicious attacks on the switch or network.
What Is DHCP Snooping?

Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to accomplish the following tasks:
• Filter harmful DHCP messages
• Build a bindings database with entries that consist of the following information:
  • MAC address
  • IP address
  • VLAN ID
  • Client port

Entries in the bindings database are considered to be authorized network clients.
How Is the DHCP Snooping Bindings Database Populated? The DHCP snooping application uses DHCP messages to build and maintain the bindings database. DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to a port (the port where the DHCP client message was received). Tentative bindings are completed when DHCP snooping learns the client’s IP address from a DHCP ACK message on a trusted port.
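The sequence described above, modelled as an added example (not Dell's implementation and not code from this guide): a small Python table that creates tentative bindings from client messages and completes them on an ACK received on a trusted port. Dropping server messages on untrusted ports, tracking only clients behind untrusted ports, and the port names and addresses in the constructed sample are assumptions of the model.

```python
"""Toy model of how a DHCP snooping bindings database is populated."""
from dataclasses import dataclass

CLIENT_MSGS = {"DISCOVER", "REQUEST"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingTable:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.tentative = {}  # client MAC -> (vlan, port), no IP address yet
        self.bindings = {}   # client MAC -> completed Binding

    def process(self, msg_type, client_mac, vlan, in_port, yiaddr=None):
        """Apply one snooped DHCP message and return "forward" or "drop"."""
        if msg_type in SERVER_MSGS and in_port not in self.trusted:
            # Assumption: server messages on an untrusted port (rogue server) are dropped.
            return "drop"
        if msg_type in CLIENT_MSGS:
            if in_port not in self.trusted:
                # Assumption: only clients behind untrusted ports are tracked.
                self.tentative[client_mac] = (vlan, in_port)
            return "forward"
        if msg_type == "ACK":
            # ACK on a trusted port: the tentative binding gains its IP address.
            pending = self.tentative.pop(client_mac, None)
            if pending is not None and yiaddr:
                p_vlan, p_port = pending
                self.bindings[client_mac] = Binding(client_mac, yiaddr, p_vlan, p_port)
        elif msg_type == "NAK":
            # The server refused the request, so the tentative entry is discarded.
            self.tentative.pop(client_mac, None)
        return "forward"


def replay(messages, trusted_ports):
    """Feed a list of messages through a fresh table; return (table, verdicts)."""
    table = SnoopingTable(trusted_ports)
    verdicts = [table.process(*m) for m in messages]
    return table, verdicts


# Constructed sample traffic: (type, client MAC, VLAN, ingress port, offered IP).
# Gi1/0/x are host-facing untrusted ports; Po1 is the trusted uplink LAG.
SAMPLE = [
    ("DISCOVER", "00:11:22:33:44:55", 100, "Gi1/0/3", None),
    ("OFFER", "00:11:22:33:44:55", 100, "Gi1/0/7", "192.168.100.66"),  # server on a host port
    ("OFFER", "00:11:22:33:44:55", 100, "Po1", "192.168.100.10"),
    ("REQUEST", "00:11:22:33:44:55", 100, "Gi1/0/3", None),
    ("ACK", "00:11:22:33:44:55", 100, "Gi1/0/7", "192.168.100.66"),    # server on a host port
    ("ACK", "00:11:22:33:44:55", 100, "Po1", "192.168.100.10"),
    ("DISCOVER", "00:aa:bb:cc:dd:ee", 100, "Gi1/0/4", None),           # never answered
]

if __name__ == "__main__":
    table, verdicts = replay(SAMPLE, trusted_ports={"Po1"})
    for msg, verdict in zip(SAMPLE, verdicts):
        print(f"{msg[0]:<8} on {msg[3]:<8} -> {verdict}")
    print("completed:", table.bindings)
    print("tentative:", table.tentative)
```

The unanswered client stays tentative and never becomes an authorized entry, and the ACK seen on the host port does not complete the binding.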
DHCP Snooping and VLANs DHCP snooping forwards valid DHCP client messages received on nonrouting VLANs. The message is forwarded on all trusted interfaces in the VLAN. DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules and updates the bindings database.
What Is IP Source Guard? IPSG is a security feature that filters IP packets based on source ID. This feature helps protect the network from attacks that use IP address spoofing to compromise or overwhelm the network. The source ID may be either the source IP address or a {source IP address, source MAC address} pair.
What is Dynamic ARP Inspection? Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious attacker sends ARP requests or responses mapping another station’s IP address to its own MAC address.
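How IPSG and DAI consult the DHCP snooping bindings, as an added example rather than switch code: IPSG checks the source ID of an IP packet, and DAI checks the sender IP/MAC carried inside an ARP packet, with an optional ARP ACL evaluated first. The bindings, the ACL entry, the port names, the exemption for trusted ports and the ACL-then-bindings order are assumptions of this sketch.

```python
"""IP Source Guard and Dynamic ARP Inspection decisions against a bindings table."""

# Constructed bindings as DHCP snooping would hold them: (vlan, port) -> {ip: mac}
BINDINGS = {
    (100, "Gi1/0/3"): {"192.168.100.10": "00:11:22:33:44:55"},
    (100, "Gi1/0/4"): {"192.168.100.11": "00:aa:bb:cc:dd:ee"},
}

# Constructed ARP ACL: permitted (sender IP, sender MAC) for a statically addressed host.
ARP_ACL = frozenset({("192.168.100.1", "00:de:ad:be:ef:01")})


def ipsg_permit(bindings, vlan, port, src_ip, src_mac, check_mac=False):
    """IPSG: the source ID is the source IP, or the {source IP, source MAC} pair."""
    bound = bindings.get((vlan, port), {})
    if src_ip not in bound:
        return False
    return (not check_mac) or bound[src_ip] == src_mac.lower()


def dai_permit(bindings, vlan, port, sender_ip, sender_mac,
               acl=frozenset(), static=False, trusted_ports=frozenset()):
    """DAI: return (permit, reason) for the sender fields of one ARP packet."""
    if port in trusted_ports:
        return True, "trusted port"  # assumption: trusted ports are not inspected
    pair = (sender_ip, sender_mac.lower())
    if acl:
        if pair in acl:
            return True, "ARP ACL permit"
        if static:
            # static keyword: no permit match means drop, bindings are not consulted.
            return False, "no ACL permit (static)"
    if bindings.get((vlan, port), {}).get(sender_ip) == pair[1]:
        return True, "binding match"
    return False, "no matching binding"


# Constructed ARP packets: (label, vlan, port, sender IP, sender MAC)
SAMPLE_ARP = [
    ("legitimate DHCP client", 100, "Gi1/0/3", "192.168.100.10", "00:11:22:33:44:55"),
    ("claims neighbour's IP", 100, "Gi1/0/4", "192.168.100.10", "00:aa:bb:cc:dd:ee"),
    ("static host in ACL", 100, "Gi1/0/9", "192.168.100.1", "00:de:ad:be:ef:01"),
    ("uplink", 100, "Po1", "192.168.100.254", "00:00:5e:00:01:01"),
]


def evaluate(sample, acl=frozenset(), static=False):
    """Run every sample ARP packet through DAI and return the permit flags."""
    return [
        dai_permit(BINDINGS, vlan, port, ip, mac, acl=acl, static=static,
                   trusted_ports={"Po1"})[0]
        for _label, vlan, port, ip, mac in sample
    ]


if __name__ == "__main__":
    for name, kwargs in [("bindings only", {}),
                         ("ACL + bindings", {"acl": ARP_ACL}),
                         ("ACL static", {"acl": ARP_ACL, "static": True})]:
        print(f"{name:<15}", evaluate(SAMPLE_ARP, **kwargs))
```

With the static keyword, the legitimate DHCP client is dropped as well, because it has no permit entry in the ACL and the bindings are never consulted.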
Why Is Traffic Snooping and Inspection Necessary? DHCP Snooping, IPSG, and DAI are security features that can help protect the switch and the network against various types of accidental or malicious attacks. It might be a good idea to enable these features on ports that provide network access to hosts that are in physically unsecured locations or if network users connect nonstandard hosts to the network.
Table 27-1.
Configuring Traffic Snooping and Inspection (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DHCP snooping, IPSG, and DAI features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.
DHCP Snooping Interface Configuration Use the DHCP Snooping Interface Configuration page to configure the DHCP Snooping settings on individual ports and LAGs. To access the DHCP Snooping Interface Configuration page, click Switching → DHCP Snooping → Interface Configuration in the navigation panel. Figure 27-3.
To view a summary of the DHCP snooping configuration for all interfaces, click Show All. Figure 27-4.
DHCP Snooping VLAN Configuration Use the DHCP Snooping VLAN Configuration page to control the DHCP snooping mode on each VLAN. To access the DHCP Snooping VLAN Configuration page, click Switching → DHCP Snooping → VLAN Configuration in the navigation panel. Figure 27-5.
To view a summary of the DHCP snooping status for all VLANs, click Show All. Figure 27-6.
DHCP Snooping Persistent Configuration Use the DHCP Snooping Persistent Configuration page to configure the persistent location of the DHCP snooping database. The bindings database can be stored locally on the switch or on a remote system somewhere else in the network. The switch must be able to reach the IP address of the remote system to send bindings to a remote database.
DHCP Snooping Static Bindings Configuration Use the DHCP Snooping Static Bindings Configuration page to add static DHCP bindings to the binding database. To access the DHCP Snooping Static Bindings Configuration page, click Switching → DHCP Snooping → Static Bindings Configuration in the navigation panel. Figure 27-8.
To view a summary of the DHCP snooping status for all VLANs, click Show All. Figure 27-9. DHCP Snooping Static Bindings Summary To remove a static binding, select the Remove checkbox associated with the binding and click Apply.
DHCP Snooping Dynamic Bindings Summary The DHCP Snooping Dynamic Bindings Summary lists all the DHCP snooping dynamic binding entries learned on the switch ports. To access the DHCP Snooping Dynamic Bindings Summary page, click Switching → DHCP Snooping → Dynamic Bindings Summary in the navigation panel. Figure 27-10.
DHCP Snooping Statistics The DHCP Snooping Statistics page displays DHCP snooping interface statistics. To access the DHCP Snooping Statistics page, click Switching → DHCP Snooping → Statistics in the navigation panel. Figure 27-11.
IPSG Interface Configuration Use the IPSG Interface Configuration page to configure IPSG on an interface. To access the IPSG Interface Configuration page, click Switching → IP Source Guard → IPSG Interface Configuration in the navigation panel. Figure 27-12.
IPSG Binding Configuration The IPSG Binding Configuration page displays DHCP snooping interface statistics. To access the IPSG Binding Configuration page, click Switching → IP Source Guard → IPSG Binding Configuration in the navigation panel. Figure 27-13.
IPSG Binding Summary The IPSG Binding Summary page displays the IPSG Static binding list and IPSG dynamic binding list (the static bindings configured in Binding configuration page). To access the IPSG Binding Summary page, click Switching → IP Source Guard → IPSG Binding Summary in the navigation panel. Figure 27-14.
DAI Global Configuration Use the DAI Configuration page to configure global DAI settings. To display the DAI Configuration page, click Switching → Dynamic ARP Inspection → Global Configuration in the navigation panel. Figure 27-15.
DAI Interface Configuration Use the DAI Interface Configuration page to select the DAI Interface for which information is to be displayed or configured. To display the DAI Interface Configuration page, click Switching → Dynamic ARP Inspection → Interface Configuration in the navigation panel. Figure 27-16. Dynamic ARP Inspection Interface Configuration To view a summary of the DAI status for all interfaces, click Show All.
Figure 27-17.
DAI VLAN Configuration Use the DAI VLAN Configuration page to select the VLANs for which information is to be displayed or configured. To display the DAI VLAN Configuration page, click Switching → Dynamic ARP Inspection → VLAN Configuration in the navigation panel. Figure 27-18. Dynamic ARP Inspection VLAN Configuration To view a summary of the DAI status for all VLANs, click Show All. Figure 27-19.
DAI ACL Configuration Use the DAI ACL Configuration page to add or remove ARP ACLs. To display the DAI ACL Configuration page, click Switching → Dynamic ARP Inspection → ACL Configuration in the navigation panel. Figure 27-20.
To view a summary of the ARP ACLs that have been created, click Show All. Figure 27-21. Dynamic ARP Inspection ACL Summary To remove an ARP ACL, select the Remove checkbox associated with the ACL and click Apply. DAI ACL Rule Configuration Use the DAI ARP ACL Rule Configuration page to add or remove DAI ARP ACL Rules. To display the DAI ARP ACL Rule Configuration page, click Switching → Dynamic ARP Inspection → ACL Rule Configuration in the navigation panel.
Figure 27-22. Dynamic ARP Inspection Rule Configuration To view a summary of the ARP ACL rules that have been created, click Show All. Figure 27-23. Dynamic ARP Inspection ACL Rule Summary To remove an ARP ACL rule, select the Remove checkbox associated with the rule and click Apply.
DAI Statistics Use the DAI Statistics page to display the statistics per VLAN. To display the DAI Statistics page, click Switching → Dynamic ARP Inspection → Statistics in the navigation panel. Figure 27-24.
Configuring Traffic Snooping and Inspection (CLI) This section provides information about the commands you use to configure DHCP snooping, IPSG, and DAI settings on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring DHCP Snooping Beginning in Privileged EXEC mode, use the following commands to configure and view DHCP snooping settings. Command Purpose configure Enter global configuration mode.
Command Purpose ip dhcp snooping limit {none | rate rate [burst interval seconds]} Configure the maximum rate of DHCP messages allowed on the switch at any given time. • rate —The maximum number of packets per second allowed (Range: 0–300 pps). • seconds —The time allowed for a burst (Range: 1–15 seconds). interface interface Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
Configuring IP Source Guard Beginning in Privileged EXEC mode, use the following commands to configure IPSG settings on the switch. Command Purpose configure Enter global configuration mode. interface interface Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3. For a LAG, the interface type is port-channel.
Configuring Dynamic ARP Inspection Beginning in Privileged EXEC mode, use the following commands to configure DAI settings on the switch. Command Purpose configure Enter global configuration mode. ip arp inspection vlan vlan-range [logging] Enable Dynamic ARP Inspection on a single VLAN or a range of VLANs. Use the logging keyword to enable logging of invalid packets.
Command Purpose ip arp inspection filter acl-name vlan vlan-range [static] Configure the ARP ACL to be used for a single VLAN or a range of VLANs to filter invalid ARP packets. Use the static keyword to indicate that packets that do not match a permit statement are dropped without consulting the DHCP snooping bindings. interface interface Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
Traffic Snooping and Inspection Configuration Examples This section contains the following examples: • Configuring DHCP Snooping • Configuring IPSG Configuring DHCP Snooping In this example, DHCP snooping is enabled on VLAN 100. Ports 1-20 connect end users to the network and are members of VLAN 100. These ports are configured to limit the maximum number of DHCP packets with a rate limit of 100 packets per second.
To configure the switch:
1 Enable DHCP snooping on VLAN 100.
console#config
console(config)#ip dhcp snooping vlan 100
2 Configure LAG 1, which includes ports 21-24, as a trusted port. All other interfaces are untrusted by default.
Configuring IPSG This example builds on the previous example and uses the same topology shown in Figure 27-25. In this configuration example, IP source guard is enabled on ports 1-20. DHCP snooping must also be enabled on these ports. Additionally, because the ports use IP source guard with source IP and MAC address filtering, port security must be enabled on the ports as well. To configure the switch: 1 Enter interface configuration mode for the host ports and enable IPSG.
28 Configuring Link Aggregation This chapter describes how to create and configure link aggregation groups (LAGs), which are also known as port channels.
Figure 28-1 shows an example of a switch in the wiring closet connected to a switch in the data center by a LAG that consists of four physical 1 Gbps links. The LAG provides full-duplex bandwidth of 4 Gbps between the two switches. Figure 28-1. LAG Configuration LAGs can be configured on stand-alone or stacked switches. In a stack of switches, the LAG can consist of ports on a single unit or across multiple stack members.
M6348, M8024, and M8024-k switch or the external switch could go undetected and thus cause undesirable network behavior. Both static and dynamic LAGs (via LACP) can detect physical link failures within the LAG and continue forwarding traffic through the other connected links within that same LAG. LACP can also detect switch or port failures that do not result in loss of link. This provides a more resilient LAG. Best practices suggest using dynamic link aggregation instead of static link aggregation.
How Do LAGs Interact with Other Features? From a system perspective, a LAG is treated just as a physical port, with the same configuration parameters (administrative enable/disable, spanning tree port priority, and path cost) as any other physical port. VLAN When members are added to a LAG, they are removed from all existing VLAN memberships. When members are removed from a LAG, they are added back to the VLANs that they were previously members of, as per the configuration file.
LAG Configuration Guidelines

Ports to be aggregated must be configured so that they are compatible with the link aggregation feature and with the partner switch to which they connect. Ports to be added to a LAG must meet the following requirements:
• Interface must be a physical Ethernet link.
• Each member of the LAG must be running at the same speed and must be in full duplex mode.
Configuring Link Aggregation (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring LAGs on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. LAG Configuration Use the LAG Configuration page to set the name and administrative status (up/down) of a LAG. To display the LAG Configuration page, click Switching → Ports → LAG Configuration in the navigation panel. Figure 28-2.
LACP Parameters Dynamic link aggregation is initiated and maintained by the periodic exchanges of LACP PDUs. Use the LACP Parameters page to configure LACP LAGs. To display the LACP Parameters page, click Switching → Link Aggregation → LACP Parameters in the navigation panel. Figure 28-3. LACP Parameters Configuring LACP Parameters for Multiple Ports To configure LACP settings: 1 Open the LACP Parameters page. 2 Click Show All. The LACP Parameters Table page displays.
Figure 28-4. LACP Parameters Table 3 Select the Edit check box associated with each port to configure. 4 Specify the LACP port priority and LACP timeout for each port. 5 Click Apply.
LAG Membership Your switch supports 48 LAGs per system, and eight ports per LAG. Use the LAG Membership page to assign ports to static and dynamic LAGs. To display the LAG Membership page, click Switching → Link Aggregation → LAG Membership in the navigation panel. Figure 28-5. LAG Membership Adding a Port to a Static LAG To add a static LAG member: 1 Open the LAG Membership page. 2 Click in the LAG row to toggle the port to the desired LAG. The LAG number displays for that port.
Adding a LAG Port to a Dynamic LAG by Using LACP To add a dynamic LAG member: 1 Open the LAG Membership page. 2 Click in the LACP row to toggle the desired LAG port to L. NOTE: The port must be assigned to a LAG before it can be aggregated to an LACP. 3 Click Apply. The LAG port is added as a dynamic LAG member to the selected LAG. LAG Hash Configuration Use the LAG hash algorithm to set the traffic distribution mode on the LAG. You can set the hash type for each LAG.
LAG Hash Summary The LAG Hash Summary page lists the channels on the system and their assigned hash algorithm type. To display the LAG Hash Summary page, click Switching → Link Aggregation → LAG Hash Summary in the navigation panel. Figure 28-7.
Configuring Link Aggregation (CLI) This section provides information about the commands you use to configure link aggregation settings on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring LAG Characteristics Beginning in Privileged EXEC mode, use the following commands to configure a few of the available LAG characteristics.
Configuring Link Aggregation Groups
Beginning in Privileged EXEC mode, use the following commands to add ports as LAG members and to configure the LAG hashing mode.
Command: configure
Purpose: Enter global configuration mode.
Command: interface interface
Purpose: Enter interface configuration mode for the specified port. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
Command: hashing-mode mode
Purpose: Set the hashing algorithm on the LAG. The mode value is a number from 1 to 7.
Configuring LACP Parameters
Beginning in Privileged EXEC mode, use the following commands to configure system and per-port LACP parameters.
Command: configure
Purpose: Enter global configuration mode.
Command: lacp system-priority value
Purpose: Set the Link Aggregation Control Protocol priority for the switch. The priority value range is 1–65535.
Command: interface port-channel
Purpose: Enter interface configuration mode for the specified LAG.
Link Aggregation Configuration Examples
This section contains the following examples:
• Configuring Dynamic LAGs
• Configuring Static LAGs
NOTE: The examples in this section show the configuration of only one switch. Because LAGs involve physical links between two switches, the LAG settings and member ports must be configured on both switches.
Configuring Dynamic LAGs
The commands in this example show how to configure a dynamic LAG on a switch.
Configuring Static LAGs
The commands in this example show how to configure a static LAG on a switch. The LAG number is 2, and the member ports are 10, 11, 14, and 17.
To configure the switch:
1 Enter interface configuration mode for the ports that are to be configured as LAG members.
console(config)#interface range gi1/0/10-12, gi1/0/14,gi1/0/17
2 Add the ports to LAG 2 without LACP.
console(config-if)#channel-group 2 mode on
3 View information about LAG 2.
29 Configuring Data Center Bridging Features This chapter describes how to manage the features developed for use in data center environments but often used in a variety of 10G applications. NOTE: Data Center features are supported only on the PCM8024-k for PowerConnect modular switches. The PCM6220, PCM6348, and PCM8024 switches do not support the features in this chapter.
Table 29-1. Data Center Features (Continued)
Feature: DCBx
Description: Allows DCB devices to exchange configuration information, using type-length-value (TLV) information elements over LLDP, with directly connected peers.
Feature: FIP Snooping
Description: Inspects and monitors FIP frames and applies policies based upon the L2 header information in those frames.
Default DCB Values
Table 29-2 lists the default values for the DCB features that this chapter describes.
Table 29-2.
Priority Flow Control Ordinarily, when flow control is enabled on a physical link, it applies to all traffic on the link. When congestion occurs, the hardware sends pause frames that temporarily suspend traffic flow to help prevent buffer overflow and dropped frames. PFC provides a means of pausing individual priorities within a single physical link.
Operator configuration of PFC is used only when the port is configured in a manual role. When interoperating with other equipment in a manual role, the peer equipment must be configured with identical PFC priorities and VLAN assignments. Interfaces not enabled for PFC ignore received PFC frames. Ports configured in auto-upstream or auto-downstream roles receive their PFC configuration from the configuration source and ignore any manually configured information.
PFC Configuration Page Use the PFC Configuration page to enable priority flow control on one or more interfaces and to configure which priorities are subject to being paused to prevent data loss. To display the PFC Configuration page, click Switching → PFC → PFC Configuration in the navigation menu. Figure 29-1. PFC Configuration PFC Statistics Page Use the PFC Statistics page to view the PFC statistics for interfaces on the switch.
Figure 29-2. PFC Statistics
Configuring PFC Using the CLI
Beginning in Privileged EXEC mode, use the following commands to configure PFC.
NOTE: If DCBx is enabled and the switch is set to autoconfigure from a DCBX peer, configuring PFC is not necessary because the DCBx protocol automatically configures the PFC parameters.
Command: configure
Purpose: Enter global configuration mode.
Command Purpose interface interface Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12. datacenter-bridging priority-flow-control mode on Enter the Data Center Bridging mode.
PFC Configuration Example The network in this example handles both data and voice traffic. Because the voice traffic is time sensitive, it requires a higher priority than standard data traffic. The voice traffic uses VLAN 100 and has an 802.1p priority of 5, which is mapped to hardware queue 4. IP phones are connected to ports 3, 5, and 10, so PFC is enabled on these ports with 802.1p priority 5 traffic as no-drop. The configuration also enables VLAN tagging so that the 802.1p priority is identified.
4 Enable VLAN tagging on the ports so the 802.1p priority is identified. Trunk mode can also be enabled on port-channels.
DCB Capability Exchange The Data Center Bridging Exchange Protocol (DCBx) is used by DCB devices to exchange configuration information with directly connected peers. DCBx uses type-length-value (TLV) information elements over LLDP to exchange information, so LLDP must be enabled on the port to enable the information exchange. By default, LLDP is enabled on all ports. For more information, see "Discovering Network Devices" on page 659.
DCBX information is carried over LLDP, which is a link-local protocol. When configuring links in a port channel to use DCBX, the DCBX settings should be the same for all links in the port channel.
Interoperability with IEEE DCBx
To be interoperable with legacy industry implementations of the DCBx protocol, the PowerConnect M8024-k switches use a hybrid model to support both the IEEE version of DCBx (IEEE 802.1Qaz) and legacy DCBx versions.
Ports operating in the manual role do not have their configuration affected by peer devices or by internal propagation of configuration. These ports have their operational mode, traffic classes, and bandwidth information specified explicitly by the operator. These ports advertise their configuration to their peer if DCBx is enabled on that port. Incompatible peer configurations are logged and counted with an error counter. The default operating mode for each port is manual.
A port operating in the auto-downstream role advertises a configuration but is not willing to accept one from the link partner. However, the port will accept a configuration propagated internally by the configuration source. Specifically, the willing parameter is disabled on auto-downstream. By default, auto-downstream ports have the recommendation TLV parameter enabled.
If there is no configuration source, a port may elect itself as the configuration source on a first-come, first-served basis from the set of eligible ports. A port is eligible to become the configuration source if the following conditions are true:
• No other port is the configuration source.
• The port role is auto-upstream.
• The port is enabled with link up and DCBx enabled.
• The port has negotiated a DCBx relationship with the partner.
Disabling DCBX
If it is desired to disable DCBX, the network operator can use the following commands to eliminate the transmission of DCBX TLVs in the LLDP frames on an interface:
no lldp tlv-select dcbxp application-priority
no lldp tlv-select dcbxp congestion-notification
no lldp tlv-select dcbxp ets-config
no lldp tlv-select dcbxp ets-recommend
no lldp tlv-select dcbxp pfc
These commands eliminate only the DCBX TLVs from use by LLDP.
Command: interface interface
Purpose: Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
Command: lldp tlv-select dcbxp [pfc | application-priority]
Purpose: Override the global configuration for the LLDP DCBx TLVs on this interface.
Command: lldp dcbx port-role {auto-up | auto-down | manual | configuration-source}
Purpose: Configure the DCBx port role on the interface:
• auto-up—Advertises a configuration, but is also willing to accept a configuration from the link-partner and propagate it internally to the auto-downstream ports as well as receive configuration propagated internally by other auto-upstream ports. These ports have the willing bit enabled. These ports should be connected to FCFs.
FIP Snooping The FCoE Initialization Protocol (FIP) is used to perform the functions of FC_BB_E device discovery, initialization, and maintenance. FIP uses a separate EtherType from FCoE to distinguish discovery, initialization, and maintenance traffic from other FCoE traffic. FIP frames are standard Ethernet size (1518 Byte 802.1q frame), whereas FCoE frames are a maximum of 2240 bytes.
a FIP session requires that an untagged VLAN exist on all FIP-enabled ports, in addition to the VLAN that carries established FIP sessions. FIP snooping must be enabled on all VLANs carrying FIP or FCoE traffic. When FIP snooping is disabled, received FIP frames are forwarded or flooded using the normal multicast rules. NOTE: FIP Snooping will become operationally active on a port only when priority flow control is enabled and at least one lossless CoS queue is active.
Configuring FIP Snooping (CLI) Beginning in Privileged EXEC mode, use the following commands to configure FIP snooping. NOTE: FIP snooping will not allow FIP or FCoE frames to be forwarded over a port until the port is operationally enabled for PFC. VLAN tagging must be enabled on the interface in order to carry the dot1p values through the network. This section describes the FIP snooping commands only.
Command: interface interface
Purpose: Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
Command: fip-snooping port-mode fcf
Purpose: Configure the interface to be connected to an FCF switch.
Command: CTRL + Z
Purpose: Exit to Privileged EXEC mode.
ports are designated as default DCBX auto-upstream ports. Three 10G internal ports (ports 1–3) are connected to Converged Network Adapters (CNAs) on blade servers over the chassis 10G backplane. These ports are designated as DCBX default auto-downstream ports.
[Figure labels: FCF Switch, Chassis, FC SAN, VM on Blade Server with CNA, PowerConnect Switch]
To configure FIP snooping:
1 Enter global configuration mode and enable FIP snooping on the switch.
6 Enter interface configuration mode for the CNA-facing ports and configure the DCBx port role as auto-downstream. This step automatically enables PFC on the ports.
console(config)#interface range te1/0/1-3
console(config-if)#lldp dcbx port-role auto-down
console(config-if)#exit
7 Enter Interface Configuration mode for the ports connected to an FCF to configure the DCBx port role as auto-upstream.
30 Managing the MAC Address Table This chapter describes the L2 MAC address table the switch uses to forward data between ports.
What Information Is in the MAC Address Table? Each entry in the address table, whether it is static or dynamic, includes the MAC address, the VLAN ID associated with the MAC address, and the interface on which the address was learned or configured. Each port can maintain multiple MAC addresses, and a MAC address can be associated with multiple VLANs. How Is the MAC Address Table Maintained Across a Stack? The MAC address table is synchronized across all stack members.
Managing the MAC Address Table (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage the MAC address table on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. Static Address Table Use the Static Address Table page to view MAC addresses that have been manually added to the MAC address table and to configure static MAC addresses.
Figure 30-2. Adding Static MAC Address 3 Select the interface to associate with the static address. 4 Specify the MAC address and an associated VLAN ID. 5 Click Apply. The new static address is added to the Static MAC Address Table, and the device is updated.
Dynamic Address Table The Dynamic Address Table page contains fields for querying information in the dynamic address table, including the interface type, MAC addresses, VLAN, and table sorting key. Packets forwarded to an address stored in the address table are forwarded directly to those ports. The Dynamic Address Table also contains information about the aging time before a dynamic MAC address is removed from the table.
Managing the MAC Address Table (CLI) This section provides information about the commands you use to manage the MAC address table on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Managing the MAC Address Table Beginning in Privileged EXEC mode, use the following commands to add a static MAC address to the table, control the aging time for dynamic addresses, and view entries in the MAC address table.
31 Configuring Routing Interfaces This chapter describes the routing (layer 3) interfaces the PowerConnect M6220, M6348, M8024, and M8024-k switches support, which includes VLAN routing interfaces, loopback interfaces, and tunnel interfaces.
traffic between VLANs while still containing broadcast traffic within VLAN boundaries. The configuration of VLAN routing interfaces makes inter-VLAN routing possible. For each VLAN routing interface you can assign a static IP address, or you can allow a network DHCP server to assign a dynamic IP address. When a port is enabled for bridging (L2 switching) rather than routing, which is the default, all normal bridge processing is performed for an inbound packet, which is then associated with a VLAN.
services such as Telnet and SSH. In this way, the IP address on a loopback behaves identically to any of the local addresses of the VLAN routing interfaces in terms of the processing of incoming packets. What Are Tunnel Interfaces? Tunnels are a mechanism for transporting a packet across a network so that it can be evaluated at a remote location or tunnel endpoint. The tunnel, effectively, hides the packet from the network used to transport the packet to the endpoint.
Why Are Routing Interfaces Needed? The routing interfaces this chapter describes have very different applications and uses, as this section describes. If you use the switch as a layer 2 device that handles switching only, routing interface configuration is not required. When the switch is used as a layer 2 device, it typically connects to an external layer 3 device that handles the routing functions. VLAN Routing VLAN routing is required when the switch is used as a layer 3 device.
Loopback Interfaces When packets are sent to the loopback IP address, the network should be able to deliver the packets as long as any physical interface on the switch is up. There are many cases where you need to send traffic to a switch, such as in switch management. The loopback interface IP address is a good choice for communicating with the switch in these cases because the loopback interface cannot go down when the switch is powered on and operational.
Default Routing Interface Values By default, no routing interfaces are configured. When you create a VLAN, no IP address is configured, and DHCP is disabled. After you configure an IP address on a VLAN or loopback interface, routing is automatically enabled on the VLAN interface, and the interface has the default configuration shown in Table 31-1. Most interface configuration parameters are not applicable to loopback interfaces, so you cannot change the default values.
Configuring Routing Interfaces (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLAN routing interfaces, loopback interfaces, and tunnels on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. IP Interface Configuration Use the IP Interface Configuration page to update IP interface data for this switch.
DHCP Lease Parameters Use the DHCP Lease Parameters page to view information about the network information automatically assigned to an interface by the DHCP server. To display the page, click Routing → IP → DHCP Lease Parameters in the navigation panel. Figure 31-3. DHCP Lease Parameters VLAN Routing Summary Use the VLAN Routing Summary page to view summary information about VLAN routing interfaces configured on the switch.
Figure 31-4. VLAN Routing Summary Tunnel Configuration Use the Tunnels Configuration page to create, configure, or delete a tunnel. To display the page, click Routing → Tunnels → Configuration in the navigation panel. Figure 31-5.
Tunnels Summary Use the Tunnels Summary page to display a summary of configured tunnels. To display the page, click Routing → Tunnels → Summary in the navigation panel. Figure 31-6.
Loopbacks Configuration Use the Loopbacks Configuration page to create, configure, or remove loopback interfaces. You can also set up or delete a secondary address for a loopback. To display the page, click Routing → Loopbacks → Loopbacks Configuration in the navigation panel. Figure 31-7.
Loopbacks Summary Use the Loopbacks Summary page to display a summary of configured loopback interfaces on the switch. To display the page, click Routing → Loopbacks → Loopbacks Summary in the navigation panel. Figure 31-8.
Configuring Routing Interfaces (CLI) This section provides information about the commands you use to configure VLAN routing interfaces, loopbacks, and tunnels on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring VLAN Routing Interfaces (IPv4) Beginning in Privileged EXEC mode, use the following commands to configure a VLAN as a routing interface and set the IP configuration parameters.
Command: ip local-proxy-arp
Purpose: Enable local proxy ARP on the interface to allow the switch to respond to ARP requests for hosts on the same subnet as the ARP source.
Command: ip mtu size
Purpose: Set the IP Maximum Transmission Unit (MTU) on a routing interface. The IP MTU is the size of the largest IP packet that can be transmitted on the interface without fragmentation. The range is 68–9198 bytes.
Configuring Loopback Interfaces
Beginning in Privileged EXEC mode, use the following commands to configure a loopback interface.
Command: configure
Purpose: Enter Global Configuration mode.
Command: interface loopback
Purpose: Create the loopback interface and enter Interface Configuration mode for the specified loopback interface.
Command: ip address ip_address subnet_mask [secondary]
Purpose: Configure a static IP address and subnet mask. Use the secondary keyword to specify that the address is a secondary IP address.
Configuring Tunnels
Beginning in Privileged EXEC mode, use the following commands to configure a tunnel interface.
NOTE: For information about configuring the IPv6 interface characteristics for a tunnel, see "Configuring IPv6 Routing" on page 1081.
Command: configure
Purpose: Enter Global Configuration mode.
Command: interface tunnel tunnel-id
Purpose: Create the tunnel interface and enter Interface Configuration mode for the specified tunnel.
Command: tunnel mode ipv6ip [6to4]
Purpose: Specify the mode of the tunnel.
32 Configuring DHCP Server Settings This chapter describes how to configure the switch to dynamically assign network information to hosts by using the Dynamic Host Configuration Protocol (DHCP).
Figure 32-1. Message Exchange Between DHCP Client and Server
[Figure: DHCPDISCOVER (broadcast), DHCPOFFER (unicast), DHCPREQUEST (broadcast), and DHCPACK (unicast) messages between the DHCP Client and the DHCP Server (PowerConnect Switch)]
The DHCP server maintains one or more sets of IP addresses and other configuration information available, by request, to DHCP clients. Each set of information is known as an address pool. After a client leases an IP address from the DHCP server, the server adds an entry to its database.
What Additional DHCP Features Does the Switch Support? The switch software includes a DHCP client that can request network information from a DHCP server on the network during the initial system configuration process. For information about enabling the DHCP client, see "Setting the IP Address and Other Basic Network Information" on page 123.
Configuring the DHCP Server (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the DHCP server on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. DHCP Server Network Properties Use the Network Properties page to define global DHCP server settings and to configure addresses that are not included in any address pools.
Adding Excluded Addresses
To exclude an address:
1 Open the Network Properties page.
2 Click Add Excluded Addresses to display the Add Excluded Addresses page.
3 In the From field, enter the first IP address to exclude from any configured address pool.
4 If the address in the From field is the only address to exclude, or if the excluded addresses are non-contiguous, leave the To field as the default value of 0.0.0.0. Otherwise, enter the last IP address to exclude from a contiguous range of IP addresses.
Deleting Excluded Addresses To remove an excluded address: 1 Open the Network Properties page. 2 Click Delete Excluded Addresses to display the Delete Excluded Addresses page. 3 Select the check box next to the address or address range to delete. Figure 32-4. Delete Excluded Addresses 4 Click Apply. Address Pool Use the Address Pool page to create the pools of IP addresses and other network information that can be assigned by the server.
Figure 32-5. Address Pool Adding a Network Pool To create and configure a network pool: 1 Open the Address Pool page. 2 Click Add Network Pool to display the Add Network Pool page. 3 Assign a name to the pool and complete the desired fields. In Figure 32-6, the network pool name is Engineering, and the address pool contains all IP addresses in the 192.168.5.0 subnet, which means a client that receives an address from the DHCP server might lease an address in the range of 192.168.5.1 to 192.168.5.254.
Figure 32-6. Add Network Pool The Engineering pool also configures clients to use 192.168.5.1 as the default gateway IP address and 192.168.1.5 and 192.168.2.5 as the primary and secondary DNS servers. NOTE: The IP address 192.168.5.1 should be added to the global list of excluded addresses so that it is not leased to a client. 4 Click Apply. Adding a Static Pool To create and configure a static pool of IP addresses: 1 Open the Address Pool page.
In Figure 32-7, the Static pool name is Lab, and the name of the client in the pool is LabHost1. The client’s MAC address is mapped to the IP address 192.168.11.54, the default gateway is 192.168.11.1, and the DNS servers the client will use have IP addresses of 192.168.5.100 and 192.168.2.5. Figure 32-7. Add Static Pool 4 Click Apply.
Address Pool Options Use the Address Pool Options page to view manually configured options. You can define options when you create an address pool, or you can add options to an existing address pool. To display the Address Pool Options page, click Routing → IP → DHCP Server → Address Pool Options in the navigation panel. Figure 32-8. Address Pool Options Defining DHCP Options To configure DHCP options: 1 Open the Address Pool page. 2 Select the Add Options check box.
Figure 32-9. Add DHCP Option 5 Click Apply. 6 To verify that the option has been added to the address pool, open the Address Pool Options page.
Figure 32-10. View Address Pool Options DHCP Bindings Use the DHCP Bindings page to view information about the clients that have leased IP addresses from the DHCP server. To display the DHCP Bindings page, click Routing → IP → DHCP Server → DHCP Bindings in the navigation panel. Figure 32-11.
DHCP Server Reset Configuration Use the Reset Configuration page to clear the client bindings for one or more clients. You can also reset bindings for clients that have leased an IP address that is already in use on the network. To display the Reset Configuration page, click Routing → IP → DHCP Server → Reset Configuration in the navigation panel. Figure 32-12.
DHCP Server Conflicts Information Use the Conflicts Information page to view information about clients that have leased an IP address that is already in use on the network. To display the Conflicts Information page, click Routing → IP → DHCP Server → Conflicts Information in the navigation panel. Figure 32-13.
DHCP Server Statistics Use the Server Statistics page to view general DHCP server statistics, messages received from DHCP clients, and messages sent to DHCP clients. To display the Server Statistics page, click Routing → IP → DHCP Server → Server Statistics in the navigation panel. Figure 32-14.
Configuring the DHCP Server (CLI)
This section provides information about the commands you use to configure and monitor the DHCP server and address pools. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.
Configuring Global DHCP Server Settings
Beginning in Privileged EXEC mode, use the following commands to configure settings for the DHCP server.
Command: configure
Purpose: Enter Global Configuration mode.
Configuring a Dynamic Address Pool
Beginning in Privileged EXEC mode, use the following commands to create an address pool with network information that is dynamically assigned to hosts with DHCP clients that request the information.
Command: configure
Purpose: Enter Global Configuration mode.
Command: ip dhcp pool name
Purpose: Create a DHCP address pool and enter DHCP pool configuration mode.
Command: network network-ip [mask | prefixlength]
Purpose: Configure the subnet number and mask for a DHCP address pool.
Configuring a Static Address Pool
Beginning in Privileged EXEC mode, use the following commands to create a static address pool and specify the network information for the pool. The network information configured in the static address pool is assigned only to the host with the hardware address or client identifier that matches the information configured in the static pool.
Command: configure
Purpose: Enter Global Configuration mode.
Command: default-router address1 [address2....address8]
Purpose: Specify the list of default gateway IP addresses to be assigned to the DHCP client.
Command: dns-server address1 [address2....address8]
Purpose: Specify the list of DNS server IP addresses to be assigned to the DHCP client.
Command: domain-name domain
Purpose: Specify the domain name for a DHCP client.
Command: option code {ascii string | hex string1 [string2...string8] | ip address1 [address2...address8]}
Purpose: Manually configure DHCP options.
Command: CTRL + Z
Purpose: Exit to Privileged EXEC mode.
DHCP Server Configuration Examples This section contains the following examples: • Configuring a Dynamic Address Pool • Configuring a Static Address Pool Configuring a Dynamic Address Pool The commands in this example create an address pool that dynamically assigns network information to hosts with DHCP clients that broadcast DHCP messages. The hosts are assigned an IP address from the 192.168.5.0 network. The IP addresses 192.168.5.1–192.168.5.20, and 192.168.5.100 are excluded from the address pool.
6 In Global Configuration mode, add the addresses to exclude from the pool. Clients will not be assigned these IP addresses.
console(config)#ip dhcp excluded-address 192.168.5.1 192.168.5.20
console(config)#ip dhcp excluded-address 192.168.5.100
7 Enable the DHCP server on the switch.
console(config)#service dhcp
console(config)#exit
8 View DHCP server settings.
console#show ip dhcp global configuration
Service DHCP...................Enable
Number of Ping Packets.........2
Excluded Address...............
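The exclusion step above, and the earlier NOTE about excluding the default gateway address, depend on the operator remembering every gateway and server address that sits inside a pool's network. The following is an added example, not part of the Dell guide: it audits saved DHCP server command lines and reports default-router and dns-server addresses that fall inside a pool's network but are not covered by an ip dhcp excluded-address entry. The sample input, the Guest pool, the 192.168.5.150 DNS address and all function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: the command forms shown in this chapter, with a second
# pool ("Guest") and an extra DNS server invented here to trigger findings.
SAMPLE_CONFIG = """\
ip dhcp pool Engineering
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
dns-server 192.168.5.100 192.168.5.150
exit
ip dhcp pool Guest
network 192.168.9.0 255.255.255.0
default-router 192.168.9.1
dns-server 192.168.5.100
exit
ip dhcp excluded-address 192.168.5.1 192.168.5.20
ip dhcp excluded-address 192.168.5.100
service dhcp
"""


def parse_dhcp_config(text):
    """Return (excluded_ranges, pools) parsed from DHCP server command lines."""
    excluded = []   # list of (first, last) inclusive address ranges
    pools = {}      # pool name -> network, default-router list, dns-server list
    current = None  # pool whose configuration mode the parser is "in"
    for line in text.splitlines():
        words = shlex.split(line)  # keeps a quoted pool name such as "Tyler PC" whole
        if not words:
            continue
        if words[:3] == ["ip", "dhcp", "excluded-address"] and len(words) >= 4:
            first = ipaddress.ip_address(words[3])
            # A single excluded address is treated as a range of one.
            last = ipaddress.ip_address(words[4]) if len(words) > 4 else first
            excluded.append((first, last))
        elif words[:3] == ["ip", "dhcp", "pool"] and len(words) >= 4:
            current = pools.setdefault(
                words[3], {"network": None, "default-router": [], "dns-server": []})
        elif words[0] == "exit":
            current = None
        elif current is None:
            continue  # global commands this audit does not need, e.g. service dhcp
        elif words[0] == "network" and len(words) >= 3:
            # Assumption: the mask is dotted-decimal or a prefix length ("24" or "/24").
            mask = words[2].lstrip("/")
            current["network"] = ipaddress.ip_network(f"{words[1]}/{mask}", strict=False)
        elif words[0] in ("default-router", "dns-server"):
            current[words[0]].extend(ipaddress.ip_address(w) for w in words[1:])
    return excluded, pools


def is_excluded(addr, excluded):
    """True if addr lies inside any excluded range (bounds inclusive)."""
    return any(first <= addr <= last for first, last in excluded)


def audit(text):
    """List (pool, role, address) for infrastructure addresses that could be leased."""
    excluded, pools = parse_dhcp_config(text)
    findings = []
    for name, pool in pools.items():
        net = pool["network"]
        if net is None:
            continue  # no network line seen, so nothing is leased from this pool here
        for role in ("default-router", "dns-server"):
            for addr in pool[role]:
                # Only addresses inside the pool's own network can be handed out by it.
                if addr in net and not is_excluded(addr, excluded):
                    findings.append((name, role, str(addr)))
    return findings


if __name__ == "__main__":
    for pool, role, addr in audit(SAMPLE_CONFIG):
        print(f"pool {pool}: {role} {addr} is leasable; add ip dhcp excluded-address {addr}")
```

Addresses outside a pool's network, such as the Guest pool's DNS server in the sample, are skipped because that pool can never lease them.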
Configuring a Static Address Pool
The commands in this example create an address pool that assigns the address 192.168.2.10 to the host with a MAC address of 00:1C:23:55:E9:F3. When this host sends a DHCP message requesting network information, the switch will offer the information configured in this example, which includes a custom DHCP option to assign the SMTP server IP address.
To configure the switch:
1 Create an address pool named “Tyler PC” and enter into DHCP pool configuration mode for the pool.
8 View information about the static address pool.
console#show ip dhcp pool configuration "Tyler PC"
Pool: Tyler PC
Pool Type..........................Static
Client Name........................TylerPC
Hardware Address.................. 00:1c:23:55:e9:f3
Hardware Address Type..............ethernet
Host.............................. 192.168.2.10 255.255.255.0
Lease Time........................ 1 days 0 hrs 0 mins
DNS Servers....................... 192.168.2.101
Default Routers................... 192.168.2.
33 Configuring IP Routing This chapter describes how to configure routing on the switch, including global routing settings, Address Resolution Protocol (ARP), router discovery, and static routes.
Table 33-1. IP Routing Features (Continued)
Feature: ARP table
Description: The switch maintains an ARP table that maps an IP address to a MAC address. You can create static ARP entries in the table and manage various ARP table settings such as the aging time of dynamically-learned entries.
Feature: ICMP Router Discovery Protocol (IRDP)
Description: Hosts can use IRDP to identify operational routers on the subnet. Routers periodically advertise their IP addresses.
Default IP Routing Values Table 33-2 shows the default values for the IP routing features this chapter describes. Table 33-2.
Table 33-2.
Configuring IP Routing Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring IPv4 routing features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. IP Configuration Use the Configuration page to configure routing parameters for the switch as opposed to an interface.
IP Statistics The IP statistics reported on the Statistics page are as specified in RFC 1213. To display the page, click Routing → IP → Statistics in the navigation panel. Figure 33-2.
ARP Create Use the Create page to add a static ARP entry to the Address Resolution Protocol table. To display the page, click Routing → ARP → Create in the navigation panel. Figure 33-3.
ARP Table Configuration Use the Table Configuration page to change the configuration parameters for the Address Resolution Protocol Table. You can also use this screen to display the contents of the table. To display the page, click Routing → ARP → Table Configuration in the navigation panel. Figure 33-4.
Router Discovery Configuration Use the Configuration page to enter or change router discovery parameters. To display the page, click Routing → Router Discovery → Configuration in the navigation panel. Figure 33-5.
Router Discovery Status Use the Status page to display router discovery data for each interface. To display the page, click Routing → Router Discovery → Status in the navigation panel. Figure 33-6.
Route Table Use the Route Table page to display the contents of the routing table. To display the page, click Routing → Router → Route Table in the navigation panel. Figure 33-7.
Best Routes Table Use the Best Routes Table page to display the best routes from the routing table. To display the page, click Routing → Router → Best Routes Table in the navigation panel. Figure 33-8.
Route Entry Configuration
Use the Route Entry Configuration page to add new and configure router routes. To display the page, click Routing → Router → Route Entry Configuration in the navigation panel.
Figure 33-9. Route Entry Configuration
Adding a Route and Configuring Route Preference
To configure routing table entries:
1 Open the Route Entry Configuration page.
2 Click Router Route Entry Configuration. The screen refreshes and the Router Route Entry Configuration page displays.
Figure 33-10. Router Route Entry and Preference Configuration
3 Next to Route Type, use the drop-down box to add a Default, Static, or Static Reject route. The fields to configure are different for each route type.
• Default — Enter the default gateway address in the Next Hop IP Address field.
• Static — Enter values for Network Address, Subnet Mask, Next Hop IP Address, and Preference.
• Static Reject — Enter values for Network Address, Subnet Mask, and Preference.
4 Click Apply.
Configured Routes Use the Configured Routes page to display the routes that have been manually configured. NOTE: For a static reject route, the next hop interface value is Null0. Packets to the network address specified in static reject routes are intentionally dropped. To display the page, click Routing → Router → Configured Routes in the navigation panel. Figure 33-11. Configured Routes To remove a configured route, select the check box in the Remove column of the route to delete, and click Apply.
Route Preferences Configuration Use the Route Preferences Configuration page to configure the default preference for each protocol (for example 60 for static routes). These values are arbitrary values that range from 1 to 255, and are independent of route metrics. Most routing protocols use a route metric to determine the shortest path known to the protocol, independent of any other protocol. To display the page, click Routing → Router → Route Preferences Configuration in the navigation panel. Figure 33-12.
Configuring IP Routing Features (CLI)
This section provides information about the commands you use to configure IPv4 routing on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.
Configuring Global IP Routing Settings
Beginning in Privileged EXEC mode, use the following commands to configure various global IP routing settings for the switch.
Command: configure
Purpose: Enter global configuration mode.
Adding Static ARP Entries and Configuring ARP Table Settings
Beginning in Privileged EXEC mode, use the following commands to configure static ARP entries in the ARP cache and to specify the settings for the ARP cache.
Command: configure
Purpose: Enter global configuration mode.
Command: arp ip-address hardware-address
Purpose: Create a static ARP entry in the ARP table.
• ip-address — IP address of a device on a subnet attached to an existing routing interface.
Configuring Router Discovery (IRDP)
Beginning in Privileged EXEC mode, use the following commands to configure IRDP settings.
Command: configure
Purpose: Enter global configuration mode.
Command: interface interface
Purpose: Enter interface configuration mode for the specified VLAN routing interface. The interface variable includes the interface type (vlan) and number, for example vlan 100.
Command: ip irdp
Purpose: Enable IRDP on the interface.
Configuring Route Table Entries and Route Preferences
Beginning in Privileged EXEC mode, use the following commands to configure route table entries and route preferences.
Command: configure
Purpose: Enter global configuration mode.
Command: ip route default nextHopRtr [preference]
Purpose: Configure the default route.
• nextHopRtr — IP address of the next hop router.
• preference — Specifies the preference value (administrative distance) of an individual static route.
Command: show ip route [ip-address [mask | prefix-length] [longer-prefixes] | protocol]
Purpose: View the routing table.
• ip-address — Specifies the network for which the route is to be displayed and displays the best matching best-route for the address.
• mask — Subnet mask of the IP address.
• prefix-length — Length of prefix, in bits. Must be preceded with a forward slash (‘/’).
IP Routing Configuration Example In this example, the PowerConnect switches are L3 switches with VLAN routing interfaces. VLAN routing is configured on PowerConnect Switch A and PowerConnect Switch B. This allows the host in VLAN 10 to communicate with the server in VLAN 30. A static route to the VLAN 30 subnet is configured on Switch A.
Configuring PowerConnect Switch A
To configure Switch A:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Assign an IP address to VLAN 10. This command also enables IP routing on the VLAN.
console(config)#interface vlan 10
console(config-if-vlan10)#ip address 192.168.10.10 255.255.255.0
console(config-if-vlan10)#exit
3 Assign an IP address to VLAN 20.
console#configure
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.20 255.255.255.
Configuring PowerConnect Switch B
To configure Switch B:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Assign an IP address to VLAN 20. This command also enables IP routing on the VLAN.
console#configure
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.25 255.255.255.0
console(config-if-vlan20)#exit
3 Assign an IP address to VLAN 30. This command also enables IP routing on the VLAN.
34 Configuring L2 and L3 Relay Features
This chapter describes how to configure the L2 DHCP Relay, L3 DHCP Relay, and IP Helper features on PowerConnect M6220, M6348, M8024, and M8024-k switches.
The PowerConnect DHCP Relay Agent enables DHCP clients and servers to exchange DHCP messages across different subnets. The relay agent receives the requests from the clients, and checks the valid hops and giaddr fields in the DHCP request. If the number of hops is greater than the configured number, the agent discards the packet. If the giaddr field is zero, the agent must fill in this field with the IP address of the interface on which the request was received.
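The hops and giaddr handling described above, as an added example in Python (not code from this guide or from the switch firmware). The packet, the client MAC, the hop limit of 4 and the ingress address 192.168.10.10 are constructed for the demo; incrementing hops on relay follows RFC 1542 and is not stated on this page.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional

# Fixed BOOTP/DHCP header (RFC 951 / RFC 2131), network byte order:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr[16], sname[64], file[128] -> 236 bytes before the options field.
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
BOOTREQUEST = 1
OFF_HOPS = 3
OFF_GIADDR = 24
ZERO_ADDR = bytes(4)


class Decision(NamedTuple):
    action: str                # "relay" or "discard"
    reason: str
    packet: Optional[bytes]    # rewritten request when action == "relay"


def build_request(hops: int, giaddr: str) -> bytes:
    """Constructed BOOTREQUEST header for the demo (no options field)."""
    mac = bytes.fromhex("020000000001")  # constructed client MAC
    return BOOTP_HEADER.pack(
        BOOTREQUEST, 1, 6, hops, 0x1234ABCD, 0, 0x8000,
        ZERO_ADDR, ZERO_ADDR, ZERO_ADDR,
        ipaddress.IPv4Address(giaddr).packed,
        mac, b"", b"")


def giaddr_of(packet: bytes) -> str:
    """Dotted-quad form of the giaddr field."""
    return str(ipaddress.IPv4Address(packet[OFF_GIADDR:OFF_GIADDR + 4]))


def relay_request(packet: bytes, ingress_ip: str, max_hops: int) -> Decision:
    """Apply the relay agent's hop and giaddr checks to one client request."""
    if len(packet) < BOOTP_HEADER.size:
        return Decision("discard", "shorter than the fixed BOOTP header", None)
    if packet[0] != BOOTREQUEST:
        return Decision("discard", "not a client request", None)

    hops = packet[OFF_HOPS]
    if hops > max_hops:
        # More hops than configured: the agent discards the packet.
        return Decision("discard",
                        f"hops {hops} > configured maximum {max_hops}", None)

    out = bytearray(packet)
    out[OFF_HOPS] = min(hops + 1, 255)  # RFC 1542: count this relay hop
    if packet[OFF_GIADDR:OFF_GIADDR + 4] == ZERO_ADDR:
        # First relay on the path: stamp the receiving interface's address.
        out[OFF_GIADDR:OFF_GIADDR + 4] = ipaddress.IPv4Address(ingress_ip).packed
        reason = f"giaddr was zero, set to {ingress_ip}"
    else:
        # An earlier relay already filled the field: leave it untouched.
        reason = f"giaddr {giaddr_of(packet)} kept from an earlier relay"
    return Decision("relay", reason, bytes(out))


if __name__ == "__main__":
    cases = [(0, "0.0.0.0"), (2, "192.168.20.25"), (5, "0.0.0.0")]
    for hops, giaddr in cases:
        d = relay_request(build_request(hops, giaddr), "192.168.10.10", 4)
        print(f"hops={hops} giaddr={giaddr}: {d.action} ({d.reason})")
```

The DHCP server uses giaddr to choose the address pool and to address its reply, which is why the field is written only while it is still zero.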
Enabling L2 Relay on VLANs
You can enable L2 DHCP relay on a particular VLAN. The VLAN is identified by a service VLAN ID (S-VID), which a service provider uses to identify a customer’s traffic while traversing the provider network to multiple remote sites. The switch uses the VLAN membership of the switch port client (the customer VLAN ID, or C-VID) to look up a corresponding S-VID. If the S-VID is enabled for DHCP Relay, then the packet can be forwarded.
Table 34-1. Default Ports - UDP Port Numbers Implied By Wildcard
Protocol: UDP Port Number
IEN-116 Name Service: 42
DNS: 53
NetBIOS Name Server: 137
NetBIOS Datagram Server: 138
TACACS Server: 49
Time Service: 37
DHCP: 67
Trivial File Transfer Protocol: 69
The system limits the number of relay entries to four times the maximum number of routing interfaces (512 relay entries).
configuration for the destination UDP port. If so, the relay agent unicasts the packet to the configured server IP addresses. Otherwise the packet is not relayed. NOTE: If the packet matches a discard relay entry on the ingress interface, the packet is not forwarded, regardless of the global configuration. The relay agent relays packets that meet only the following conditions: • The destination MAC address must be the all-ones broadcast address (FF:FF:FF:FF:FF:FF).
Table 34-2 shows the most common protocols and their UDP port numbers and names that are relayed. Table 34-2.
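An added example in Python (not code from this guide or the switch) that reads ip helper-address lines and answers, for a UDP broadcast arriving on a given VLAN, whether it is relayed, discarded, or left alone. The lookup order is pieced together from this chapter's statements (interface entries take precedence, a discard entry on the ingress interface wins, global entries are the fallback); the sample configuration is constructed, using addresses from Figure 34-13, and frame-level conditions such as the broadcast destination MAC are not modelled.

```python
from collections import defaultdict

# UDP ports implied by a helper entry with no port (Table 34-1 of this guide).
DEFAULT_SET = frozenset({42, 53, 137, 138, 49, 37, 67, 69})
# Subset of the CLI protocol keywords with their well-known UDP ports.
KEYWORDS = {"dhcp": 67, "domain": 53, "nameserver": 42, "netbios-ns": 137,
            "tacacs": 49, "tftp": 69, "time": 37}

# Constructed configuration in the guide's CLI syntax.
SAMPLE_CONFIG = """\
ip helper-address 192.168.40.22 dhcp
interface vlan 10
ip helper-address 192.168.40.35 dhcp
ip helper-address 192.168.40.43 domain
exit
interface vlan 20
ip helper-address discard dhcp
ip helper-address 192.168.23.1 162
exit
"""


def parse_helpers(config_text):
    """Return {scope: [(port, server), ...]}.

    scope is "global" or e.g. "vlan 10"; port None means the default set;
    server None means a discard entry.
    """
    entries = defaultdict(list)
    scope = "global"
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface":
            scope = " ".join(words[1:])
        elif words[0] == "exit":
            scope = "global"
        elif words[:2] == ["ip", "helper-address"] and len(words) >= 3:
            server = None if words[2] == "discard" else words[2]
            port = None
            if len(words) > 3:
                port = KEYWORDS[words[3]] if words[3] in KEYWORDS else int(words[3])
            entries[scope].append((port, server))
    return dict(entries)


def _matching(entries, dst_port):
    """Entries that cover dst_port, either explicitly or through the default set."""
    return [(p, s) for p, s in entries
            if p == dst_port or (p is None and dst_port in DEFAULT_SET)]


def decide(entries, ingress, dst_port):
    """Return (action, servers) for a UDP broadcast received on `ingress`."""
    on_iface = _matching(entries.get(ingress, []), dst_port)
    if any(server is None for _, server in on_iface):
        return "discard", []            # ingress discard beats global config
    if on_iface:
        return "relay", sorted(s for _, s in on_iface)
    servers = sorted(s for _, s in _matching(entries.get("global", []), dst_port)
                     if s is not None)
    return ("relay", servers) if servers else ("not-relayed", [])


def relayed_ports(entries, ingress):
    """Every UDP port relayed off `ingress` and its destinations, for review."""
    candidates = set(DEFAULT_SET)
    for scope in (ingress, "global"):
        candidates.update(p for p, _ in entries.get(scope, []) if p is not None)
    report = {}
    for port in sorted(candidates):
        action, servers = decide(entries, ingress, port)
        if action == "relay":
            report[port] = servers
    return report


if __name__ == "__main__":
    cfg = parse_helpers(SAMPLE_CONFIG)
    for vlan in ("vlan 10", "vlan 20", "vlan 30"):
        print(vlan, relayed_ports(cfg, vlan))
```

Running relayed_ports over every routing interface gives a short list to check against the services each subnet is actually meant to reach.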
Default L2/L3 Relay Values By default L2 DHCP relay is disabled. L3 relay (UDP) is enabled, but no UDP destination ports or server addresses are defined on the switch or on any interfaces. Table 34-3.
Configuring L2 and L3 Relay Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 and L3 relay features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. DHCP Relay Global Configuration Use this page to enable or disable the switch to act as a DHCP Relay agent.
DHCP Relay Interface Configuration Use this page to enable L2 DHCP relay on individual ports. NOTE: L2 DHCP relay must also be enabled globally on the switch. To access this page, click Switching → DHCP Relay → Interface Configuration in the navigation panel. Figure 34-2. DHCP Relay Interface Configuration To view a summary of the L2 DHCP relay configuration on all ports and LAGS, click Show All.
Figure 34-3.
DHCP Relay Interface Statistics Use this page to display statistics on DHCP Relay requests received on a selected port. To access this page, click Switching → DHCP Relay → Interface Statistics in the navigation panel. Figure 34-4.
DHCP Relay VLAN Configuration Use this page to enable and configure DHCP Relay on specific VLANs. To access this page, click Switching → DHCP Relay → VLAN Configuration in the navigation panel. Figure 34-5. DHCP Relay VLAN Configuration To view a summary of the L2 DHCP relay configuration on all VLANs, click Show All. Figure 34-6.
DHCP Relay Agent Configuration Use the Configuration page to configure and display a DHCP relay agent. To display the page, click Routing → DHCP Relay Agent → Configuration in the navigation panel. Figure 34-7.
IP Helper Global Configuration Use the Global Configuration page to add, show, or delete UDP Relay and Helper IP configuration. To display the page, click Routing → IP Helper → Global Configuration in the navigation panel. Figure 34-8. IP Helper Global Configuration Adding an IP Helper Entry To configure an IP helper entry: 1. Open the IP Helper Global Configuration page. 2.
Figure 34-9. Add Helper IP Address 3. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure for the relay entry for the default set of protocols. NOTE: If the DefaultSet option is specified, the device by default forwards UDP Broadcast packets for the following services: IEN-116 Name Service (port 42), DNS (port 53), NetBIOS Name Server (port 137), NetBIOS Datagram Server (port 138), TACACS Server (Port 49), and Time Service (port 37). 4.
IP Helper Interface Configuration Use the Interface Configuration page to add, show, or delete UDP Relay and Helper IP configuration for a specific interface. To display the page, click Routing → IP Helper → Interface Configuration in the navigation panel. Figure 34-10. IP Helper Interface Configuration Adding an IP Helper Entry to an Interface To add an IP helper entry to an interface: 1. Open the IP Helper Interface Configuration page. 2.
Figure 34-11. Add Helper IP Address 3. Select the interface to use for the relay. 4. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure for the relay entry for the default set of protocols.
IP Helper Statistics Use the Statistics page to view UDP Relay Statistics for the switch. To display the page, click Routing → IP Helper → Statistics in the navigation panel. Figure 34-12.
Configuring L2 and L3 Relay Features (CLI)
This section provides information about the commands you use to configure L2 and L3 relay features on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.
Configuring L2 DHCP Relay
Beginning in Privileged EXEC mode, use the following commands to configure switch and interface L2 DHCP relay settings.
Command: configure
Purpose: Enter global configuration mode.
Command: dhcp l2relay remote-id remoteId vlan vlan-range
Purpose: Enable setting the DHCP Option 82 Remote ID for a VLAN. When enabled, the supplied string is used for the Remote ID in DHCP Option 82. The remoteId variable is a string to be used as the remote ID in the Option 82 (Range: 1 - 128 characters).
Command: exit
Purpose: Exit to Privileged EXEC mode.
Command: show dhcp l2relay all
Purpose: View L2 DHCP relay settings on the switch.
Configuring L3 Relay (IP Helper) Settings
Beginning in Privileged EXEC mode, use the following commands to configure switch and interface L3 DHCP relay and IP helper settings.
Command: configure
Purpose: Enter global configuration mode.
Command: ip helper enable
Purpose: Use this command to enable the IP helper feature. It is enabled by default.
Command: ip helper-address {server-address | discard} [dest-udp-port | dhcp | domain | isakmp | mobile-ip | nameserver | netbiosdgm | netbios-ns | ntp | pim-auto-rp | rip | tacacs | tftp | time]
Purpose: Configure the relay of certain UDP broadcast packets received on the VLAN routing interface(s). This command takes precedence over an ip helper-address command given in global configuration mode. Specify one of the protocols defined in the command or the UDP port number.
Relay Agent Configuration Example
The example in this section shows how to configure the L3 relay agent (IP helper) to relay and discard various protocols.
Figure 34-13. L3 Relay Network Diagram [diagram labels: DHCP Server 192.168.40.22; DNS Server 192.168.40.43; DHCP Server 192.168.40.35; SNMP Server 192.168.23.1; VLAN 30; L3 Switch; DHCP Clients; VLAN 10; VLAN 20 (No DHCP)]
This example assumes that multiple VLAN routing interfaces have been created, and configured with IP addresses.
2 Relay DNS packets received on VLAN 10 to 192.168.40.43
console(config-if-vlan10)#ip helper-address 192.168.40.43 domain
console(config-if-vlan10)#exit
3 Relay SNMP traps (port 162) received on VLAN 20 to 192.168.23.1
console(config)#interface vlan 20
console(config-if-vlan20)#ip helper-address 192.168.23.
35 Configuring OSPF and OSPFv3 This chapter describes how to configure Open Shortest Path First (OSPF) and OSPFv3. OSPF is a dynamic routing protocol for IPv4 networks, and OSPFv3 is used to route traffic in IPv6 networks. The protocols are configured separately within the software, but their functionality is largely similar for IPv4 and IPv6 networks. NOTE: In this chapter references to OSPF apply to OSPFv2 and OSPFv3 unless otherwise noted.
OSPF Overview OSPF is an Interior Gateway Protocol (IGP) that performs dynamic routing within a network. PowerConnect M6220, M6348, M8024, and M8024-k switches support two dynamic routing protocols: OSPF and Routing Information Protocol (RIP). Unlike RIP, OSPF is a link-state protocol. Larger networks typically use the OSPF protocol instead of RIP. What Are OSPF Areas and Other OSPF Topology Features? The top level of the hierarchy of an OSPF network is known as an OSPF domain.
What Are OSPF Routers and LSAs? When a PowerConnect switch is configured to use OSPF for dynamic routing, it is considered to be an OSPF router. OSPF routers keep track of the state of the various links they send data to. Routers exchange OSPF link state advertisements (LSAs) with other routers. External LSAs provide information on static routes or routes learned from other routing protocols. OSPF defines various router types: • Backbone routers have an interface in Area 0.
OSPF Feature Details
This section provides details on the following OSPF features:
• Max Metric
• Static Area Range Cost
• LSA Pacing
• Flood Blocking
Max Metric
RFC 3137 introduced stub router behavior to OSPFv2. As a stub, a router can inform other routers that it is not available to forward data packets.
mode. OSPF does not begin in stub router mode when OSPF is globally enabled. If the operator wants to avoid routing transients when he enables or configures OSPF, he can manually set OSPF in stub router mode. If OSPF is in startup stub router mode and encounters a resource limitation that would normally cause OSPF to become a stub router, OSPF cancels the timer to exit startup stub router and remains in stub router mode until the network administrator takes action.
Static Area Range Cost This feature allows a network operator to configure a fixed OSPF cost that is always advertised when an area range is active. This feature applies to both OSPFv2 and OSPFv3. An OSPF domain can be divided into areas to limit the processing required on each router. Area Border Routers (ABRs) advertise reachability across area boundaries. It is common to summarize the set of prefixes that an ABR advertises across an area boundary.
LSA Pacing OSPF refreshes each self-originated LSA every 30 minutes. Because a router tends to originate many LSAs at the same time, either at startup or when adjacencies are formed or when routes are first learned, LSA refreshes tend to be grouped. Further, Area Border Routers (ABRs) attached to the same area tend to originate summary LSAs into the area at the same time. This behavior leads to periodic bursts of LS Update packets.
Flood Blocking OSPF is a link state routing protocol. Routers describe their local environment in Link State Advertisements (LSAs), which are distributed throughout an area or OSPF domain. Through this process, each router learns enough information to compute a set of routes consistent with the routes computed by all other routers. Normally, OSPF floods an LSA on all interfaces within the LSA's flooding scope. Flooding ensures that all routers receive all LSAs.
Flood blocking cannot be enabled on virtual interfaces. While the feature could be allowed on virtual interfaces, it is less likely to be used on a virtual interface, since virtual interfaces are created specifically to allow flooding between two backbone routers. So the option of flood blocking on virtual interfaces is not supported. See "Configuring Flood Blocking" on page 1038 for a configuration example.
Default OSPF Values OSPF is globally enabled by default. To make it operational on the router, you must configure a router ID and enable OSPF on at least one interface. Table 35-1 shows the global default values for OSPF and OSPFv3. Table 35-1.
Table 35-2 shows the per-interface default values for OSPF and OSPFv3. Table 35-2.
Configuring OSPF Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPF features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. OSPF Configuration Use the Configuration page to enable OSPF on a router and to configure the related OSPF settings. To display the page, click Routing → OSPF → Configuration in the navigation panel. Figure 35-1.
OSPF Area Configuration The Area Configuration page lets you create a Stub area configuration and NSSA once you’ve enabled OSPF on an interface through Routing → OSPF → Interface Configuration. At least one router must have OSPF enabled for this web page to display. To display the page, click Routing → OSPF → Area Configuration in the navigation panel. If a Stub Area has been created, the fields in the Stub Area Information are available.
Configuring an OSPF Stub Area To configure the area as an OSPF stub area, click Create Stub Area. The page refreshes, and displays additional fields that are specific to the stub area. Figure 35-3. OSPF Stub Area Configuration Use the Delete Stub Area button to remove the stub area.
Configuring an OSPF Not-So-Stubby Area To configure the area as an OSPF not-so-stubby area (NSSA), click NSSA Create. The page refreshes, and displays additional fields that are specific to the NSSA. Figure 35-4. OSPF NSSA Configuration Use the NSSA Delete button to remove the NSSA area.
OSPF Stub Area Summary The Stub Area Summary page displays OSPF stub area detail. To display the page, click Routing → OSPF → Stub Area Summary in the navigation panel. Figure 35-5.
OSPF Area Range Configuration Use the Area Range Configuration page to configure and display an area range for a specified NSSA. To display the page, click Routing → OSPF → Area Range Configuration in the navigation panel. Figure 35-6.
OSPF Interface Statistics Use the Interface Statistics page to display statistics for the selected interface. The information is displayed only if OSPF is enabled. To display the page, click Routing → OSPF → Interface Statistics in the navigation panel. Figure 35-7.
OSPF Interface Configuration Use the Interface Configuration page to configure an OSPF interface. To display the page, click Routing → OSPF → Interface Configuration in the navigation panel. Figure 35-8.
OSPF Neighbor Table Use the Neighbor Table page to display the OSPF neighbor table list. When a particular neighbor ID is specified, detailed information about a neighbor is given. The information below is only displayed if OSPF is enabled. To display the page, click Routing → OSPF → Neighbor Table in the navigation panel. Figure 35-9.
OSPF Neighbor Configuration Use the Neighbor Configuration page to display the OSPF neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about a neighbor is given. The information below is only displayed if OSPF is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor. To display the page, click Routing → OSPF → Neighbor Configuration in the navigation panel. Figure 35-10.
OSPF Link State Database Use the Link State Database page to display OSPF link state, external LSDB table, and AS opaque LSDB table information. To display the page, click Routing → OSPF → Link State Database in the navigation panel. Figure 35-11. OSPF Link State Database OSPF Virtual Link Configuration Use the Virtual Link Configuration page to create or configure virtual interface information for a specific area and neighbor. A valid OSPF area must be configured before this page can be displayed.
Figure 35-12. OSPF Virtual Link Creation After you create a virtual link, additional fields display, as Figure 35-13 shows. Figure 35-13.
OSPF Virtual Link Summary Use the Virtual Link Summary page to display all of the configured virtual links. To display the page, click Routing → OSPF → Virtual Link Summary in the navigation panel. Figure 35-14.
OSPF Route Redistribution Configuration Use the Route Redistribution Configuration page to configure redistribution in OSPF for routes learned through various protocols. You can choose to redistribute routes learned from all available protocols or from selected ones. To display the page, click Routing → OSPF → Route Redistribution Configuration in the navigation panel. Figure 35-15.
OSPF Route Redistribution Summary Use the Route Redistribution Summary page to display OSPF Route Redistribution configurations. To display the page, click Routing → OSPF → Route Redistribution Summary in the navigation panel. Figure 35-16.
NSF OSPF Configuration (PCM6220, PCM6348, and PCM8024-k Only) Use the NSF OSPF Configuration page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPF feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?" on page 153 in the Managing a Switch Stack chapter.
Configuring OSPFv3 Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPFv3 features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. OSPFv3 Configuration Use the Configuration page to activate and configure OSPFv3 for a switch. To display the page, click IPv6 → OSPFv3 → Configuration in the navigation panel. Figure 35-18.
OSPFv3 Area Configuration Use the Area Configuration page to create and configure an OSPFv3 area. To display the page, click IPv6 → OSPFv3 → Area Configuration in the navigation panel. Figure 35-19.
Configuring an OSPFv3 Stub Area To configure the area as an OSPFv3 stub area, click Create Stub Area. The page refreshes, and displays additional fields that are specific to the stub area. Figure 35-20. OSPFv3 Stub Area Configuration Use the Delete Stub Area button to remove the stub area.
Configuring an OSPFv3 Not-So-Stubby Area To configure the area as an OSPFv3 not-so-stubby area (NSSA), click Create NSSA. The page refreshes, and displays additional fields that are specific to the NSSA. Figure 35-21. OSPFv3 NSSA Configuration Use the Delete NSSA button to remove the NSSA area.
OSPFv3 Stub Area Summary Use the Stub Area Summary page to display OSPFv3 stub area detail. To display the page, click IPv6 → OSPFv3 → Stub Area Summary in the navigation panel. Figure 35-22.
OSPFv3 Area Range Configuration Use the Area Range Configuration page to configure OSPFv3 area ranges. To display the page, click IPv6 → OSPFv3 → Area Range Configuration in the navigation panel. Figure 35-23.
OSPFv3 Interface Configuration Use the Interface Configuration page to create and configure OSPFv3 interfaces. This page has been updated to include the Passive Mode field. To display the page, click IPv6 → OSPFv3 → Interface Configuration in the navigation panel. Figure 35-24.
OSPFv3 Interface Statistics Use the Interface Statistics page to display OSPFv3 interface statistics. Information is only displayed if OSPF is enabled. Several fields have been added to this page. To display the page, click IPv6 → OSPFv3 → Interface Statistics in the navigation panel. Figure 35-25.
OSPFv3 Neighbors Use the Neighbors page to display the OSPF neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about that neighbor is given. Neighbor information only displays if OSPF is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor. To display the page, click IPv6 → OSPFv3 → Neighbors in the navigation panel. Figure 35-26.
OSPFv3 Neighbor Table Use the Neighbor Table page to display the OSPF neighbor table list. When a particular neighbor ID is specified, detailed information about a neighbor is given. The neighbor table is only displayed if OSPF is enabled. To display the page, click IPv6 → OSPFv3 → Neighbor Table in the navigation panel. Figure 35-27.
OSPFv3 Link State Database Use the Link State Database page to display the link state and external LSA databases. The OSPFv3 Link State Database page has been updated to display external LSDB table information in addition to OSPFv3 link state information. To display the page, click IPv6 → OSPFv3 → Link State Database in the navigation panel. Figure 35-28.
OSPFv3 Virtual Link Configuration Use the Virtual Link Configuration page to define a new or configure an existing virtual link. To display this page, a valid OSPFv3 area must be defined through the OSPFv3 Area Configuration page. To display the page, click IPv6 → OSPFv3 → Virtual Link Configuration in the navigation panel. Figure 35-29.
After you create a virtual link, additional fields display, as Figure 35-30 shows. Figure 35-30.
OSPFv3 Virtual Link Summary Use the Virtual Link Summary page to display virtual link data by Area ID and Neighbor Router ID. To display the page, click IPv6 → OSPFv3 → Virtual Link Summary in the navigation panel. Figure 35-31.
OSPFv3 Route Redistribution Configuration Use the Route Redistribution Configuration page to configure route redistribution. To display the page, click IPv6 → OSPFv3 → Route Redistribution Configuration in the navigation panel. Figure 35-32.
OSPFv3 Route Redistribution Summary Use the Route Redistribution Summary page to display route redistribution settings by source. To display the page, click IPv6 → OSPFv3 → Route Redistribution Summary in the navigation panel. Figure 35-33.
NSF OSPFv3 Configuration (PCM6220, PCM6348, and PCM8024-k Only) Use the NSF OSPFv3 Configuration page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPFv3 feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?" on page 153 in the Managing a Switch Stack chapter.
Configuring OSPF Features (CLI) This section provides information about the commands you use to configure and view OSPF settings on the switch. This section does not describe all available show commands. For more information about all available OSPF commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring Global OSPF Settings Beginning in Privileged EXEC mode, use the following commands to configure various global OSPF settings for the switch.
Command Purpose Control the advertisement of default routes. default-information originate [always] • always — Normally, OSPF originates a default route only [metric metric-value] if a default route is redistributed into OSPF (and default[metric-type type-value] information originate is configured). When the always option is configured, OSPF originates a default route, even if no default route is redistributed. • metric-value — The metric (or preference) value of the default route.
Command Purpose passive-interface default Configure OSPF interfaces as passive by default. This command overrides any interface-level passive mode settings.OSPF does not form adjacencies on passive interfaces but does advertise attached networks as stub networks. timers spf delay-time hold-time Specify the SPF delay and hold time. • delay-time — SPF delay time. (Range: 0–65535 seconds) • hold-time — SPF hold time. (Range: 0–65535 seconds) exit Exit to Global Configuration mode.
Configuring OSPF Interface Settings Beginning in Privileged EXEC mode, use the following commands to configure per-interface OSPF settings. Command Purpose configure Enter global configuration mode. interface vlan vlan-id Enter Interface Configuration mode for the specified VLAN. ip ospf area area-id [secondaries none] Enables OSPFv2 on the interface and sets the area ID of an interface. This command supersedes the effects of network area command.
Command Purpose ip ospf dead-interval Set the OSPF dead interval for the interface. seconds The seconds variable indicates the number of seconds a router waits to see a neighbor router's Hello packets before declaring that the router is down (Range: 1–65535). This parameter must be the same for all routers attached to a network. This value should be some multiple of the Hello Interval. ip ospf transmit-delay seconds Set the OSPF Transit Delay for the interface.
Command Purpose exit Exit to Global Configuration Mode router ospf Enter OSPF configuration mode. passive-interface vlan Make an interface passive to prevent OSPF from forming an adjacency on an interface. OSPF advertises networks attached to passive interfaces as stub networks. vlan-id network ip-address Enable OSPFv2 on interfaces whose primary IP address wildcard-mask area area- matches this command, and make the interface a member id of the specified area.
Command Purpose area area-id default-cost integer Configure the metric value (default cost) for the type 3 summary LSA sent into the stub area. Range: 1–16777215) area area-id nssa Create an NSSA for the specified area ID. area area-id nssa nosummary Configure the NSSA so that summary LSAs are not advertised into the NSSA. area area-id nssa Configure the translator role of the NSSA.

Configuring Virtual Links
Beginning in Privileged EXEC mode, use the following commands to configure OSPF Virtual Links.
Command    Purpose
configure
    Enter global configuration mode.
router ospf
    Enter OSPF configuration mode.
area area-id virtual-link
    Create the OSPF virtual interface for the specified area-id and neighbor router. The neighbor-id variable is the IP address of the neighboring router.
Command    Purpose
area area-id virtual-link neighbor-id hello-interval seconds
    Set the OSPF hello interval for the virtual link. The seconds variable indicates the number of seconds to wait before sending Hello packets from the virtual interface. (Range: 1–65535).
area area-id virtual-link neighbor-id dead-interval seconds
    Set the OSPF dead interval for the virtual link. The seconds variable indicates the number of seconds to wait before the virtual interface is assumed to be dead.

Configuring OSPF Area Range Settings
Beginning in Privileged EXEC mode, use the following commands to configure an OSPF area range.
Command    Purpose
configure
    Enter global configuration mode.
router ospf
    Enter OSPF configuration mode.
area area-id range ip-address mask {summarylink | nssaexternallink} [advertise | not-advertise]
    Configure a summary prefix for routes learned in a given area.
    • area-id — Identifies the OSPF NSSA to configure.
Command    Purpose
distribute-list accesslistname out {rip | static | connected}
    Specify the access list to filter routes received from the source protocol. The ACL must already exist on the switch. For information about the commands you use to configure ACLs, see "Configuring ACLs (CLI)" on page 543.
    • accesslistname — The name used to identify an existing ACL.
    • rip — Apply the specified access list when RIP is the source protocol.

Configuring NSF Settings for OSPF (PCM6220 and PCM6348 Only)
Beginning in Privileged EXEC mode, use the following commands to configure the non-stop forwarding settings for OSPF.
Command    Purpose
configure
    Enter global configuration mode.
router ospf
    Enter OSPF configuration mode.
nsf [ietf ] helper strict-lsa-checking
    Require that an OSPF helpful neighbor exit helper mode whenever a topology change occurs.

Configuring OSPFv3 Features (CLI)
This section provides information about the commands you use to configure OSPFv3 settings on the switch. For more information about the commands and about additional show commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.

Configuring Global OSPFv3 Settings
Beginning in Privileged EXEC mode, use the following commands to configure various global OSPFv3 settings for the switch.
Command    Purpose
distance ospf {external | inter-area | intra-area } distance
    Set the preference values of OSPFv3 route types in the router. The range for the distance variable is 1–255. Lower route preference values are preferred when determining the best route.
enable
    Enable OSPFv3.
exit-overflow-interval
    Specify the exit overflow interval for OSPFv3 as defined in RFC 1765.

Configuring OSPFv3 Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure per-interface OSPFv3 settings.
Command    Purpose
configure
    Enter global configuration mode.
interface vlan vlan-id
    Enter Interface Configuration mode for the specified VLAN.
ipv6 ospf areaid area-id
    Enables OSPFv3 on the interface and sets the area ID of an interface. This command supersedes the effects of network area command.
Command    Purpose
ipv6 ospf dead-interval seconds
    Set the OSPFv3 dead interval for the interface. The seconds variable indicates the number of seconds a router waits to see a neighbor router's Hello packets before declaring that the router is down (Range: 1–65535). This parameter must be the same for all routers attached to a network. This value should be some multiple of the Hello Interval.
ipv6 ospf transmit-delay
    Set the OSPFv3 Transit Delay for the interface.
Command    Purpose
show ipv6 ospf interface [interface-type interface-number]
    View summary information for all OSPFv3 interfaces configured on the switch or for the specified routing interface.
show ipv6 ospf interface stats interface-type interface-number
    View per-interface OSPFv3 statistics.

Configuring Stub Areas and NSSAs
Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 stub areas and NSSAs.
Command    Purpose
configure
    Enter global configuration mode.
Command    Purpose
area area-id nssa [no-redistribution] [default-information-originate
    Create and configure an NSSA for the specified area ID.
    • metric-value—Specifies the metric of the default route advertised to the NSSA.

Configuring Virtual Links
Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 Virtual Links.
Command    Purpose
configure
    Enter global configuration mode.
ipv6 router ospf
    Enter OSPFv3 configuration mode.
area area-id virtual-link
    Create the OSPFv3 virtual interface for the specified area-id and neighbor router. The neighbor-id variable is the IP address of the neighboring router.

Configuring an OSPFv3 Area Range
Beginning in Privileged EXEC mode, use the following commands to configure an OSPFv3 area range.
Command    Purpose
configure
    Enter global configuration mode.
ipv6 router ospf
    Enter OSPFv3 configuration mode.
area area-id range ipv6-prefix/prefix-length {summarylink |
    Configure a summary prefix for routes learned in a given area.
    • area-id — Identifies the OSPFv3 NSSA to configure.

Configuring OSPFv3 Route Redistribution Settings
Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 route redistribution settings.
Command    Purpose
configure
    Enter global configuration mode.
ipv6 router ospf
    Enter OSPFv3 configuration mode.
redistribute {static | connected} [metric metric] [metric-type {1 |
    Configure OSPFv3 to allow redistribution of routes from the specified source protocol/routers.
    • static — Specifies that the source is a static route.

Configuring NSF Settings for OSPFv3 (PCM6220 and PCM6348 Only)
Beginning in Privileged EXEC mode, use the following commands to configure the non-stop forwarding settings for OSPFv3.
Command    Purpose
configure
    Enter global configuration mode.
ipv6 router ospf
    Enter OSPFv3 configuration mode.
nsf [ietf ] helper strict-lsa-checking
    Require that an OSPFv3 helpful neighbor exit helper mode whenever a topology change occurs.

OSPF Configuration Examples
This section contains the following examples:
• Configuring an OSPF Border Router and Setting Interface Costs
• Configuring Stub and NSSA Areas for OSPF and OSPFv3
• Configuring a Virtual Link for OSPF and OSPFv3

Configuring an OSPF Border Router and Setting Interface Costs
This example shows how to configure the PowerConnect switch as an OSPF border router. The commands in this example configure the areas and interfaces on Border Router A shown in Figure 35-35.
To configure Border Router A:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Create VLANs 70, 80, and 90.
console(config)#vlan 70,80,90
3 Assign IP addresses for VLANs 70, 80 and 90.
console(config)#interface vlan 70
console(config-if-vlan70)#ip address 192.150.2.2 255.255.255.0
console(config-if-vlan70)#exit
console(config)#interface vlan 80
console(config-if-vlan80)#ip address 192.150.3.1 255.255.255.
5 Configure the OSPF area ID, priority, and cost for each interface.
NOTE: OSPF is globally enabled by default. To make it operational on the router, you configure OSPF for particular interfaces and identify which area the interface is associated with.
console(config)#interface vlan 70
console(config-if-vlan70)#ip ospf area 0.0.0.

Configuring Stub and NSSA Areas for OSPF and OSPFv3
In this example, Area 0 connects directly to two other areas: Area 1 is defined as a stub area and Area 2 is defined as an NSSA area.
NOTE: OSPFv2 and OSPFv3 can operate concurrently on a network and on the same interfaces (although they do not interact). This example configures both protocols simultaneously.
Figure 35-36 illustrates this example OSPF configuration.
Figure 35-36.
Switch A is a backbone router. It links to an ASBR (not defined here) that routes traffic outside the AS.
To configure Switch A:
1 Globally enable IPv6 and IPv4 routing:
console#configure
console(config)#ipv6 unicast-routing
console(config)#ip routing
2 Create VLANs 6 and 12.
console(config)#vlan 6,12
3 Configure IP and IPv6 addresses on VLAN routing interface 6.
console(config-if)#interface vlan 6
console(config-if-vlan6)#ip address 10.2.3.3 255.255.255.
console(config)#router ospf
console(config-router)#router-id 3.3.3.3
console(config-router)#exit
Switch B is an ABR that connects Area 0 to Areas 1 and 2.
To configure Switch B:
1 Configure IPv6 and IPv4 routing.
console(config)#interface vlan 17
console(config-if-vlan17)#ip address 10.2.4.2 255.255.255.0
console(config-if-vlan17)#ipv6 address 3000:2:4::/64 eui64
console(config-if-vlan17)#ipv6 ospf
console(config-if-vlan17)#ipv6 ospf areaid 2
console(config-if-vlan17)#exit
4 For IPv4: Configure the router ID, define an OSPF router, define Area 1 as a stub, and define Area 2 as an NSSA.
console(config)#router ospf
console(config-router)#router-id 2.2.2.2
console(config-router)#area 0.0.0.
console(config-rtr)#redistribute static metric 105 metric-type 1
console(config-rtr)#exit

Configuring a Virtual Link for OSPF and OSPFv3
In this example, Area 0 connects directly to Area 1. A virtual link is defined that traverses Area 1 and connects to Area 2. This example assumes other OSPF settings, such as area and interface configuration, have already been configured. Figure 35-37 illustrates the relevant components in this example OSPF configuration.
Figure 35-37.
The following commands define a virtual link that traverses Area 1 to Switch C (5.5.5.5).
To configure Switch B:
1 Configure the virtual link to Switch C for IPv4.
console#configure
console(config)#router ospf
console(config-router)#area 0.0.0.1 virtual-link 5.5.5.5
console(config-router)#exit
2 Configure the virtual link to Switch C for IPv6.
console#configure
console(config)#ipv6 router ospf
console(config-rtr)#area 0.0.0.1 virtual-link 5.5.5.

Interconnecting an IPv4 Backbone and Local IPv6 Network
In Figure 35-38, two PowerConnect L3 switches are connected as shown in the diagram. The VLAN 15 routing interface on both switches connects to an IPv4 backbone network where OSPF is used as the dynamic routing protocol to exchange IPv4 routes. OSPF allows device 1 and device 2 to learn routes to each other (from the 20.20.20.x network to the 10.10.10.x network and vice versa).
console(config-rtr)#exit
5 Configure the IPv4 address and OSPF area for VLAN 15.
console(config)#interface vlan 15
console(config-if-vlan15)#ip address 20.20.20.1 255.255.255.0
console(config-if-vlan15)#ip ospf area 0.0.0.0
console(config-if-vlan15)#exit
6 Configure the IPv6 address and OSPFv3 information for VLAN 2.
To configure Switch B:
1 Create the VLANs.
console(config)#vlan 2,15
2 Enable IPv4 and IPv6 routing on the switch.
console(config)#ip routing
console(config)#ipv6 unicast-routing
3 Set the OSPF router ID.
console(config)#router ospf
console(config-router)#router-id 2.2.2.2
console(config-router)#exit
4 Set the OSPFv3 router ID.
console(config)#ipv6 router ospf
console(config-rtr)#router-id 2.2.2.2
console(config-rtr)#exit
5 Configure the IPv4 address and OSPF area for VLAN 15.
console(config-if-loopback0)#exit
console(config)#exit

Configuring the Static Area Range Cost
Figure 35-39 shows a topology for the configuration that follows.
Figure 35-39. Static Area Range Cost Example Topology (figure labels: R3, Area 0, VLAN 103, ABR R0, VLAN 101, R1, VLAN 102, VLAN 104, R2, Area 1)
1 Configure R0.
terminal length 0
config
hostname ABR-R0
line console
exec-timeout 0
exit
vlan 101-103
exit
ip routing
router ospf
router-id 10.10.10.10
network 172.20.0.0 0.0.255.255 area 0
network 172.21.0.0 0.0.255.
interface vlan 101
ip address 172.21.1.10 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
description "R1"
exit
interface vlan 102
ip address 172.21.2.10 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
description "R2"
switchport mode trunk
exit
interface vlan 103
ip address 172.20.1.10 255.255.255.
exit
interface vlan 101
ip address 172.21.1.1 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.1 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.21.254.1 255.255.255.255
exit
exit
3 Configure R2.
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.2 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.21.254.2 255.255.255.255
exit
exit
4 R3 config:
terminal length 0
config
line console
serial timeout 0
exit
ip routing
router ospf
router-id 3.3.3.3
network 172.21.0.0 0.0.255.
exit

Discussion
With no area range cost specified, the range uses auto cost:
(ABR-R0) #show ip ospf range 1
Prefix 172.21.0.0 Subnet Mask 255.255.0.0 Type S Action Advertise Cost Auto Active Y
(ABR-R0) #show ip ospf database summary
Network Summary States (Area 0.0.0.0)
LS Age: 644
LS options: (E-Bit)
LS Type: Network Summary LSA
LS Id: 172.21.0.0 (network prefix)
Advertising Router: 10.10.10.10
LS Seq Number: 0x80000002
Checksum: 0x8ee1
Length: 28
Network Mask: 255.255.0.
LS Seq Number: 0x80000003
Checksum: 0x78f8
Length: 28
Network Mask: 255.255.0.0
Metric: 0
The cost can be set to the maximum value, 16,777,215, which is LSInfinity. Since OSPF cannot send a type 3 summary LSA with this metric (according to RFC 2328), the summary LSA is flushed. The individual routes are not readvertised.

Configuring Flood Blocking
Figure 35-40 shows an example topology for flood blocking. The configuration follows.
Figure 35-40.
router ospf
router-id 10.10.10.10
network 172.20.0.0 0.0.255.255 area 0
network 172.21.0.0 0.0.255.255 area 0
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.10 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
description "R1"
exit
interface vlan 102
ip address 172.21.2.10 255.255.255.
vlan 101,104
exit
ip routing
router ospf
router-id 1.1.1.1
network 172.21.0.0 0.0.255.255 area 0
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.1 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.1 255.255.255.
vlan 102,104
exit
interface vlan 102
ip address 172.21.2.2 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.2 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.21.254.2 255.255.255.
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface loopback 0
ip address 172.21.254.2 255.255.255.255
exit
exit

Discussion
With flood blocking disabled on all interfaces, sending a T3 summary LSA from R3 to R0 will cause R0 to forward the LSA on its interface to R1. Enabling flood blocking on R0's interface to R1 will inhibit this behavior.

36 Configuring RIP
This chapter describes how to configure Routing Information Protocol (RIP) on the switch. RIP is a dynamic routing protocol for IPv4 networks.
The topics covered in this chapter include:
• RIP Overview
• Default RIP Values
• Configuring RIP Features (Web)
• Configuring RIP Features (CLI)
• RIP Configuration Example

RIP Overview
RIP is an Interior Gateway Protocol (IGP) that performs dynamic routing within a network.
has a hop-count of 0. With RIP, the maximum number of hops from source to destination is 15. Packets with a hop count greater than 15 are dropped because the destination network is considered unreachable.

What Is Split Horizon?
RIP uses a technique called split horizon to avoid problems caused by including routes in updates sent to the router from which the route was originally learned. With simple split horizon, a route is not included in updates sent on the interface on which it was learned.

Default RIP Values
RIP is globally enabled by default. To make it operational on the router, you configure and enable RIP for particular VLAN routing interfaces. Table 36-1 shows the global default values for RIP.
Table 36-1. RIP Global Defaults
Parameter                        Default Value
Admin Mode                       Enabled
Split Horizon Mode               Simple
Auto Summary Mode                Disabled
Host Routes Accept Mode          Enabled
Default Information Originate    Disabled
Default Metric                   None configured
Route Redistribution             Disabled for all sources.

Configuring RIP Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring RIP features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.

RIP Configuration
Use the Configuration page to enable and configure or disable RIP in Global mode. To display the page, click Routing → RIP → Configuration in the navigation panel.
Figure 36-1.

RIP Interface Configuration
Use the Interface Configuration page to enable and configure or to disable RIP on a specific interface. To display the page, click Routing → RIP → Interface Configuration in the navigation panel.
Figure 36-2.

RIP Interface Summary
Use the Interface Summary page to display RIP configuration status on an interface. To display the page, click Routing → RIP → Interface Summary in the navigation panel.
Figure 36-3.

RIP Route Redistribution Configuration
Use the Route Redistribution Configuration page to configure the RIP Route Redistribution parameters. The allowable values for each field are displayed next to the field. If any invalid values are entered, an alert message is displayed with the list of all the valid values. To display the page, click Routing → RIP → Route Redistribution Configuration in the navigation panel.
Figure 36-4.

RIP Route Redistribution Summary
Use the Route Redistribution Summary page to display Route Redistribution configurations. To display the page, click Routing → RIP → Route Redistribution Summary in the navigation panel.
Figure 36-5.

Configuring RIP Features (CLI)
This section provides information about the commands you use to configure RIP settings on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.

Configuring Global RIP Settings
Beginning in Privileged EXEC mode, use the following commands to configure various global RIP settings for the switch.
NOTE: RIP is enabled by default. The Global RIP Settings are optional.

Configuring RIP Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure per-interface RIP settings.
Command    Purpose
configure
    Enter global configuration mode.
interface vlan vlan-id
    Enter Interface Configuration mode for the specified VLAN.
ip rip
    Enable RIP on the interface.
ip rip send version {rip1 | rip1c | rip2 | none}
    Configure the interface to allow RIP control packets of the specified version(s) to be sent.

Configuring Route Redistribution Settings
Beginning in Privileged EXEC mode, use the following commands to configure an OSPF area range and to configure route redistribution settings.
Command    Purpose
configure
    Enter global configuration mode.
router rip
    Enter RIP configuration mode.
distribute-list Specify the access list to filter routes received from the static | connected} switch. For information about the commands you use to configure ACLs, see "Configuring ACLs (CLI)" on page 543.
Command    Purpose
redistribute ospf [metric metric] [match [internal] [external 1] [external 2] [nssa-external 1] [nssa-external 2]]
    Configure RIP to allow redistribution of routes from the OSPF.
    • ospf — Specifies OSPF as the source protocol.
    • metric — Specifies the metric to use when redistributing the route. Range: 1-15.
    • internal — Adds internal matches to any match types presently being redistributed.

RIP Configuration Example
This example includes four PowerConnect switches that use RIP to determine network topology and route information. The commands in this example configure Switch A shown in Figure 36-6.
Figure 36-6. RIP Network Diagram
To configure the switch:
1 Enable routing on the switch.
console#config
console(config)#ip routing
2 Create VLANs 10, 20, and 30.
console(config)#vlan 10,20,30
3 Assign an IP address and enable RIP on each interface.
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.1 255.255.255.0
console(config-if-vlan20)#ip rip
console(config-if-vlan20)#ip rip receive version both
console(config-if-vlan20)#ip rip send version rip2
console(config-if-vlan20)#exit
console(config)#interface vlan 30
console(config-if-vlan30)#ip address 192.168.30.1 255.255.255.

37 Configuring VRRP
This chapter describes how to configure Virtual Routing Redundancy Protocol (VRRP) on the switch. VRRP can help create redundancy on networks in which end-stations are statically configured with the default gateway IP address.
With VRRP, a virtual router is associated with one or more IP addresses that serve as default gateways. In the event that the VRRP router controlling these IP addresses (formally known as the master) fails, the group of IP addresses and the default forwarding role is taken over by a Backup VRRP router. NOTE: It is not possible to ping the VRRP IP address from the VRRP master.

What Is VRRP Accept Mode?
The accept mode allows the switch to respond to pings (ICMP Echo Requests) sent to the VRRP virtual IP address. The VRRP specification (RFC 3768) indicates that a router may accept IP packets sent to the virtual router IP address only if the router is the address owner. In practice, this restriction makes it more difficult to troubleshoot network connectivity problems.
With standard VRRP, the backup router takes over only if the router goes down. With VRRP interface tracking, if a tracked interface goes down on the VRRP master, the priority decrement value is subtracted from the router priority. If the master router priority becomes less than the priority on the backup router, the backup router takes over. If the tracked interface becomes up, the value of the priority decrement is added to the current router priority.

Default VRRP Values
Table 37-1 shows the global default values for VRRP.
Table 37-1.

Configuring VRRP Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VRRP features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.

VRRP Configuration
Use the Configuration page to enable or disable the administrative status of a virtual router. To display the page, click Routing → VRRP → Configuration in the navigation panel.
Figure 37-1.

VRRP Virtual Router Status
Use the Router Status page to display virtual router status. To display the page, click Routing → VRRP → Router Status in the navigation panel.
Figure 37-2.

VRRP Virtual Router Statistics
Use the Router Statistics page to display statistics for a specified virtual router. To display the page, click Routing → VRRP → Router Statistics in the navigation panel.
Figure 37-3.

VRRP Router Configuration
Use the Configuration page to configure a virtual router. To display the page, click Routing → VRRP → Router Configuration → Configuration in the navigation panel.
Figure 37-4.

VRRP Route Tracking Configuration
Use the Route Tracking Configuration page to view routes that are tracked by VRRP and to add new tracked routes. To display the page, click Routing → VRRP → Router Configuration → Route Tracking Configuration in the navigation panel.
Figure 37-5. VRRP Route Tracking Configuration

Configuring VRRP Route Tracking
To configure VRRP route tracking:
1 From the Route Tracking Configuration page, click Add. The Add Route Tracking page displays.
Figure 37-6. Add Route Tracking
2 Select the virtual router ID and VLAN routing interface that will track the route.
3 Specify the destination network address (track route prefix) for the route to track. Use dotted decimal format, for example 192.168.10.0.
4 Specify the prefix length for the tracked route.
5 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked route becomes unreachable.
6 Click Apply to update the switch.

VRRP Interface Tracking Configuration
Use the Interface Tracking Configuration page to view interfaces that are tracked by VRRP and to add new tracked interfaces. To display the page, click Routing → VRRP → Router Configuration → Interface Tracking Configuration in the navigation panel.
Figure 37-7. VRRP Interface Tracking Configuration

Configuring VRRP Interface Tracking
To configure VRRP interface tracking:
1 From the Interface Tracking Configuration page, click Add.
Figure 37-8. VRRP Interface Tracking Configuration
2 Select the virtual router ID and VLAN routing interface that will track the interface.
3 Specify the interface to track.
4 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked interface goes down.
5 Click Apply to update the switch.

Configuring VRRP Features (CLI)
This section provides information about the commands you use to configure VRRP settings on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.

Configuring VRRP Settings
Beginning in Privileged EXEC mode, use the following commands to configure switch and interface VRRP settings. This set of commands also describes how to configure VRRP interface and route tracking.
Command    Purpose
vrrp vr-id timers {learn | advertise seconds}
    Configure the VRRP timer settings. Use the keyword learn to enable VRRP to learn the advertisement timer interval of the master router. Use the keyword advertise to set the frequency, in seconds, that an interface on the specified virtual router sends a virtual router advertisement.
vrrp vr-id authentication
    Set the authorization details value for the virtual router configured on a specified interface.

VRRP Configuration Example
This section contains the following VRRP examples:
• VRRP with Load Sharing
• VRRP with Route and Interface Tracking

VRRP with Load Sharing
In Figure 37-9, two L3 PowerConnect switches are performing the routing for network clients. Router A is the default gateway for some clients, and Router B is the default gateway for other clients.
Figure 37-9.
This example configures two VRRP groups on each router. Router A is the VRRP master for the VRRP group with VRID 10 and the backup for VRID 20. Router B is the VRRP master for VRID 20 and the backup for VRID 10. If Router A fails, Router B will become the master of VRID 10 and will use the virtual IP address 192.168.10.1. Traffic from the clients configured to use Router A as the default gateway will be handled by Router B.
To configure Router A:
1 Enable routing for the switch.
9 Configure an optional description to help identify the VRRP group.
console(config-if-vlan10)#vrrp 20 description backup
10 Enable the VRRP groups on the interface.
console(config-if-vlan10)#ip vrrp 10 mode
console(config-if-vlan10)#ip vrrp 20 mode
console(config-if-vlan10)#exit
console(config)#exit
The only difference between the Router A and Router B configurations is the IP address assigned to VLAN 10. On Router B, the IP address of VLAN 10 is 192.168.10.2.
8 Specify the IP address that the virtual router function will use. The router is the virtual IP address owner of this address, so the priority value is 255 by default.
console(config-if-vlan10)#vrrp 20 ip 192.168.10.2
9 Configure an optional description to help identify the VRRP group.
console(config-if-vlan10)#vrrp 20 description backup
10 Enable the VRRP groups on the interface.

VRRP with Route and Interface Tracking
In Figure 37-10, the VRRP priorities are configured so that Router A is the VRRP master, and Router B is the VRRP backup. Router A forwards IP traffic from clients to the external network through the VLAN 25 routing interface. The clients are configured to use the virtual IP address 192.168.10.15 as the default gateway.
Figure 37-10.
To configure Router A:
1 Enable routing for the switch.
console#config
console(config)#ip routing
2 Create and configure the VLAN routing interface to use as the default gateway for network clients. This example assumes all other routing interfaces, such as the interface to the external network, have been configured.
console(config)#interface vlan 10
console(config-if-vlan10)#ip address 192.168.10.1 255.255.255.0
console(config-if-vlan10)#exit
3 Enable VRRP for the switch.
console(config-if-vlan10)#vrrp 10 track ip route 192.168.200.0/24
console(config-if-vlan10)#exit
Router B is the backup router for VRID 10. The configured priority is 195. If the VLAN 25 routing interface or route to the external network on Router A goes down, the priority of Router A will become 190 (or 180, if both the interface and route are down). Because the configured priority of Router B is greater than the actual priority of Router A, Router B will become the master for VRID 10.
8 Enable the VRRP groups on the interface.
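The tracking behaviour this example relies on can be replayed offline. The following is an added example, not part of this guide or of the switch software: it models priority decrements and master election for the two routers above. Router B's priority of 195, VLAN 25 and the tracked route 192.168.200.0/24 come from the example; Router A's configured priority of 200, the decrement of 10 per tracked object, Router B's address, the priority floor of 1 and the preempt flag are assumptions chosen to match the 190 and 180 values stated above.

```python
from dataclasses import dataclass, field
import ipaddress

@dataclass
class VrrpRouter:
    name: str
    ip: str                                        # primary address on the VRRP interface
    configured_priority: int
    preempt: bool = True
    tracked: dict = field(default_factory=dict)   # tracked object -> priority decrement
    down: set = field(default_factory=set)        # tracked objects currently down
    alive: bool = True

    def priority(self):
        """Operational priority: configured value minus decrements of down objects."""
        lost = sum(dec for obj, dec in self.tracked.items() if obj in self.down)
        return max(1, self.configured_priority - lost)   # assumed floor of 1

def rank(router):
    # Higher priority wins; RFC 3768 breaks ties on the higher primary IP address.
    return (router.priority(), int(ipaddress.IPv4Address(router.ip)))

def elect(routers, current=None):
    """Return the name of the master once advertisements have been exchanged."""
    alive = [r for r in routers if r.alive]
    incumbent = next((r for r in alive if r.name == current), None)
    if incumbent is None:
        return max(alive, key=rank).name
    # A backup displaces a live master only if it outranks it and may preempt.
    challengers = [r for r in alive if r.preempt and rank(r) > rank(incumbent)]
    return max(challengers, key=rank).name if challengers else incumbent.name

def replay(routers, events):
    """Apply (router, object, is_up) events; return (priorities, master) per step."""
    by_name = {r.name: r for r in routers}
    master = elect(routers)
    timeline = [({r.name: r.priority() for r in routers}, master)]
    for name, obj, is_up in events:
        tracked_down = by_name[name].down
        if is_up:
            tracked_down.discard(obj)
        else:
            tracked_down.add(obj)
        master = elect(routers, master)
        timeline.append(({r.name: r.priority() for r in routers}, master))
    return timeline

def example_routers(preempt=True):
    # Priority 200, decrement 10 and Router B's address are assumptions (see lead-in).
    a = VrrpRouter("A", "192.168.10.1", 200, preempt,
                   tracked={"vlan 25": 10, "192.168.200.0/24": 10})
    b = VrrpRouter("B", "192.168.10.2", 195)
    return [a, b]

# Constructed event sequence: both tracked objects fail on Router A, then recover.
EVENTS = [("A", "vlan 25", False), ("A", "192.168.200.0/24", False),
          ("A", "vlan 25", True), ("A", "192.168.200.0/24", True)]

if __name__ == "__main__":
    for priorities, master in replay(example_routers(), EVENTS):
        print(priorities, "master:", master)
```

Running the same events with `example_routers(preempt=False)` leaves Router B as master after both objects recover, which is worth knowing before relying on automatic failback.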

38 Configuring IPv6 Routing
This chapter describes how to configure general IPv6 routing information on the switch, including global routing settings and IPv6 static routes.

How Does IPv6 Compare with IPv4?
There are many conceptual similarities between IPv4 and IPv6 network operation. Addresses still have a network prefix portion (network) and a device interface specific portion (host). While the length of the network portion is still variable, most users have standardized on using a network prefix length of 64 bits. This leaves 64 bits for the interface specific portion, called an Interface ID in IPv6.
While optional in IPv4, router advertisement is mandatory in IPv6. Router advertisements specify the network prefix(es) on a link which can be used by receiving hosts, in conjunction with an EUI-64 identifier, to autoconfigure a host’s address. Routers have their network prefixes configured and may use EUI-64 or manually configured interface IDs.
Table 38-1. IPv6 Routing Defaults (Continued)
Parameter                        Default Value
IPv6 Router Route Preferences    Local—0
                                 Static—1
                                 OSPFv3 Intra—110
                                 OSPFv3 Inter—110
                                 OSPFv3 External—110
Table 38-2 shows the default IPv6 interface values after a VLAN routing interface has been created.
Table 38-2.

Configuring IPv6 Routing Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring IPv6 unicast routing features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.

Global Configuration
Use the Global Configuration page to enable IPv6 forwarding on the router, enable the forwarding of IPv6 unicast datagrams, and configure global IPv6 settings.

Interface Configuration
Use the Interface Configuration page to configure IPv6 interface parameters. This page has been updated to include the IPv6 Destination Unreachables field. To display the page, click Routing → IPv6 → Interface Configuration in the navigation panel.
Figure 38-2.

Interface Summary
Use the Interface Summary page to display settings for all IPv6 interfaces. To display the page, click Routing → IPv6 → Interface Summary in the navigation panel.
Figure 38-3.

IPv6 Statistics
Use the IPv6 Statistics page to display IPv6 traffic statistics for one or all interfaces. To display the page, click Routing → IPv6 → IPv6 Statistics in the navigation panel.
Figure 38-4.

IPv6 Neighbor Table
Use the IPv6 Neighbor Table page to display IPv6 neighbor details for a specified interface. To display the page, click IPv6 → IPv6 Neighbor Table in the navigation panel.
Figure 38-5.

DHCPv6 Client Parameters
Use the DHCPv6 Client Parameters page to view information about the network information automatically assigned to an interface by the DHCPv6 server. This page displays information only if the DHCPv6 client has been enabled on an IPv6 routing interface. To display the page, click Routing → IPv6 → DHCPv6 Client Parameters in the navigation panel.
Figure 38-6.

IPv6 Route Entry Configuration
Use the IPv6 Route Entry Configuration page to configure information for IPv6 routes. To display the page, click Routing → IPv6 → IPv6 Routes → IPv6 Route Entry Configuration in the navigation panel.
Figure 38-7.

IPv6 Route Table
Use the IPv6 Route Table page to display all active IPv6 routes and their settings. To display the page, click Routing → IPv6 → IPv6 Routes → IPv6 Route Table in the navigation panel.
Figure 38-8.
IPv6 Route Preferences
Use the IPv6 Route Preferences page to configure the default preference for each protocol. These values are arbitrary values in the range of 1 to 255 and are independent of route metrics. Most routing protocols use a route metric to determine the shortest path known to the protocol, independent of any other protocol. The best route to a destination is chosen by selecting the route with the lowest preference value.
Configured IPv6 Routes
Use the Configured IPv6 Routes page to display selected IPv6 routes.
NOTE: For a static reject route, the next hop interface value is Null0. Packets to the network address specified in static reject routes are intentionally dropped.
To display the page, click Routing → IPv6 → IPv6 Routes → Configured IPv6 Routes in the navigation panel.
Figure 38-10.
Configuring IPv6 Routing Features (CLI)
This section provides information about the commands you use to configure IPv6 routing on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.
Configuring Global IP Routing Settings
Beginning in Privileged EXEC mode, use the following commands to configure various global IP routing settings for the switch.
Command      Purpose
configure    Enter global configuration mode.
Configuring IPv6 Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure IPv6 settings for VLAN, tunnel, or loopback interfaces.
Command                                 Purpose
configure                               Enter Global Configuration mode.
interface {vlan | tunnel | loopback}    Enter Interface Configuration mode for the specified VLAN, tunnel, or loopback interface.
ipv6 enable                             Enable IPv6 on the interface. Configuring an IPv6 address will automatically enable IPv6 on the interface.
Configuring IPv6 Neighbor Discovery
Use the following commands to configure IPv6 Neighbor Discovery settings.
Command    Purpose
ipv6 nd prefix ipv6-prefix/prefix-length [{valid-lifetime | infinite} {preferred-lifetime | infinite}] [no-autoconfig] [offlink]
           Configure parameters associated with network prefixes that the router advertises in its Neighbor Discovery advertisements.
           • ipv6-prefix—IPv6 network prefix.
           • prefix-length—IPv6 network prefix length.
           • valid-lifetime—Valid lifetime of the router in seconds.
Command    Purpose
ipv6 nd ns-interval milliseconds
           Set the interval between router advertisements for advertised neighbor solicitations. The range is 1000 to 4294967295 milliseconds.
ipv6 nd other-config-flag
           Set the other stateful configuration flag in router advertisements sent from the interface.
ipv6 nd managed-config-flag
           Set the managed address configuration flag in router advertisements. When the value is true, end nodes use DHCPv6.
Configuring IPv6 Route Table Entries and Route Preferences
Beginning in Privileged EXEC mode, use the following commands to configure IPv6 Static Routes.
Command    Purpose
configure  Enter global configuration mode.
ipv6 route ipv6-prefix/prefix-length {next-hop-address | interface-type interface-number next-hop-address} [preference]
           Configure a static route. Use the keyword null instead of the next hop router IP address to configure a static reject route.
Command    Purpose
ipv6 route distance
           Set the default distance (preference) for static IPv6 routes. Lower route preference values are preferred when determining the best route. The default distance (preference) for static routes is 1.
exit       Exit to Global Config mode.
IPv6 Show Commands
Use the following commands in Privileged EXEC mode to view IPv6 configuration status and related data.
Command    Purpose
show sdm prefer
           Show the currently active SDM template.
show sdm prefer dual-ipv4-and-ipv6 default
           Show parameters for the SDM template.
show ipv6 dhcp interface vlan vlan-id
           View information about the DHCPv6 lease acquired by the specified interface.
IPv6 Static Reject and Discard Routes
A static configured route with a next-hop of “null” causes any packet matching the route to disappear or vanish from the network. This type of route is called a “Discard” route if the router returns an ICMP “network-unreachable” message, or is called a “Reject” route if no ICMP message is returned. The PowerConnect M6220, M6348, M8024, and M8024-k switches support “Reject” routes, where any packets matching the route network prefix silently disappear.
• ipv6 route 2001::/16 null 254
  ipv6 route 2002::/16 null 254
These address ranges are reserved and not reachable in the Internet. If for some reason you have local networks in this range, a more specific route will have precedence. Another use for the Reject route is to prevent internal hosts from communicating with specific addresses or ranges of addresses. The effect is the same as an outgoing access-list with a “deny” statement.
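The route selection that makes these reject routes safe to install can be checked offline. The following added example (not part of the Dell guide, and a simplified model rather than the switch's forwarding code) applies longest-prefix match first and the lowest preference value second, using the two reject routes above; the local network, next-hop addresses, competing route, and test destinations are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    next_hop: Optional[str]  # None models the "null" keyword (reject route)
    preference: int          # lower value wins between routes to one prefix


def route(prefix: str, next_hop: Optional[str], preference: int = 1) -> Route:
    return Route(ipaddress.IPv6Network(prefix), next_hop, preference)


# The two reject routes from the text, plus a constructed local network
# that sits inside 2001::/16.
TABLE: List[Route] = [
    route("2001::/16", None, 254),
    route("2002::/16", None, 254),
    route("2001:db8:10::/48", "2001:db8:1::1"),  # constructed local route
]


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Pick the best route: longest matching prefix, then lowest preference."""
    addr = ipaddress.IPv6Address(destination)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.preference))


def forward(table: List[Route], destination: str) -> str:
    """Describe what happens to a packet sent to `destination`."""
    best = lookup(table, destination)
    if best is None:
        return "no route"
    if best.next_hop is None:
        # Reject route: the packet is dropped and no ICMP message is sent.
        return "dropped silently (reject route %s)" % best.prefix
    return "forwarded to %s" % best.next_hop


if __name__ == "__main__":
    for dst in ("2001:db8:10::5", "2001:1234::1", "2002:c000:204::1", "2a00::1"):
        print("%-18s %s" % (dst, forward(TABLE, dst)))
    # A route to the same /16 with a lower preference value (constructed,
    # using the OSPFv3 default of 110) replaces the preference-254 reject.
    learned = TABLE + [route("2002::/16", "fe80::2", 110)]
    print("%-18s %s" % ("2002:c000:204::1", forward(learned, "2002:c000:204::1")))
```

A reject route used to block internal hosts should cover exactly the prefix to be denied: a shorter reject prefix loses to any more specific route, and a reject route with a high preference value loses to any other source of the same prefix.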
39 Configuring DHCPv6 Server and Relay Settings
This chapter describes how to configure the switch to dynamically assign network information to IPv6 hosts by using the Dynamic Host Configuration Protocol for IPv6 (DHCPv6).
What Is a DHCPv6 Pool?
DHCPv6 pools are used to specify information for the DHCPv6 server to distribute to DHCPv6 clients. These pools are shared between multiple interfaces over which DHCPv6 server capabilities are configured.
What Is a Stateless Server?
DHCPv6 incorporates the notion of the stateless server, where DHCPv6 is not used for IP address assignment to a client; rather, it provides other networking information such as DNS or NTP information.
Figure 39-1. DHCPv6 Prefix Delegation Scenario
In Figure 39-1, the PowerConnect acts as the Prefix Delegation (PD) server and defines one or more general prefixes to allocate and assign addresses to hosts that may be utilizing IPv6 auto-address configuration or acting as DHCPv6 clients. DHCPv6 clients may request multiple IPv6 prefixes. Also, DHCPv6 clients may request specific IPv6 prefixes.
Configuring the DHCPv6 Server and Relay (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the DHCPv6 server on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.
DHCPv6 Global Configuration
Use the Global Configuration page to configure DHCPv6 global parameters. To display the page, click Routing → IPv6 → DHCPv6 → Global Configuration in the navigation panel.
Figure 39-2.
DHCPv6 Pool Configuration
Use the Pool Configuration page to set up a pool of DHCPv6 parameters for DHCPv6 clients. The pool is identified with a pool name and contains IPv6 addresses and domain names of DNS servers. To display the page, click Routing → IPv6 → DHCPv6 → Pool Configuration in the navigation panel. Figure 39-3 shows the page when no pools have been created. After a pool has been created, additional fields display.
Figure 39-3.
Figure 39-4. Pool Configuration
4 From the DNS Server Address menu, select an existing DNS Server Address to associate with this pool, or select Add and specify a new server to add.
5 From the Domain Name menu, select an existing domain name to associate with this pool, or select Add and specify a new domain name.
6 Click Apply.
Prefix Delegation Configuration
Use the Prefix Delegation Configuration page to configure a delegated prefix for a pool. At least one pool must be created using DHCPv6 Pool Configuration before a delegated prefix can be configured. To display the page, click Routing → IPv6 → DHCPv6 → Prefix Delegation Configuration in the navigation panel.
Figure 39-5.
DHCPv6 Pool Summary
Use the Pool Summary page to display settings for all DHCPv6 Pools. At least one pool must be created using DHCPv6 Pool Configuration before the Pool Summary displays. To display the page, click Routing → IPv6 → DHCPv6 → Pool Summary in the navigation panel.
Figure 39-6.
DHCPv6 Interface Configuration
Use the DHCPv6 Interface Configuration page to configure a DHCPv6 interface. To display the page, click Routing → IPv6 → DHCPv6 → Interface Configuration in the navigation panel. The fields that display on the page depend on the selected interface mode.
Figure 39-7.
Figure 39-8 shows the screen when the selected interface mode is Server.
Figure 39-8. DHCPv6 Interface Configuration - Server Mode
Figure 39-9 shows the screen when the selected interface mode is Relay.
Figure 39-9.
DHCPv6 Server Bindings Summary
Use the Server Bindings Summary page to display all DHCPv6 server bindings. To display the page, click Routing → IPv6 → DHCPv6 → Bindings Summary in the navigation panel.
Figure 39-10.
DHCPv6 Statistics
Use the DHCPv6 Statistics page to display DHCPv6 statistics for one or all interfaces. To display the page, click Routing → IPv6 → DHCPv6 → Statistics in the navigation panel.
Figure 39-11.
Configuring the DHCPv6 Server and Relay (CLI)
This section provides information about the commands you use to configure and monitor the DHCP server and address pools. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.
Configuring Global DHCP Server and Relay Agent Settings
Beginning in Privileged EXEC mode, use the following commands to configure settings for the DHCPv6 server.
Command                       Purpose
domain-name domain            Set up to 5 DNS domain names to provide to a DHCPv6 client by the DHCPv6 server.
CTRL + Z                      Exit to Privileged EXEC mode.
show ipv6 dhcp pool [name]    View the settings for all DHCPv6 pools or for the specified pool.
Configuring a DHCPv6 Pool for Specific Hosts
Beginning in Privileged EXEC mode, use the following commands to create a pool and/or configure pool parameters for specific DHCPv6 clients.
Command      Purpose
configure    Enter Global Configuration mode.
Configuring DHCPv6 Interface Information
Beginning in Privileged EXEC mode, use the following commands to configure an interface as a DHCPv6 server or a DHCPv6 relay agent. The server and relay functionality are mutually exclusive. In other words, a VLAN routing interface can be configured as a DHCPv6 server or a DHCPv6 relay agent, but not both.
Command      Purpose
configure    Enter Global Configuration mode.
Command    Purpose
ipv6 dhcp server pool-name [rapid-commit] [preference pref-value]
           Configure DHCPv6 server functionality on the interface.
           • pool-name — The name of the DHCPv6 pool containing stateless and/or prefix delegation parameters.
           • rapid-commit — An option that allows for an abbreviated exchange between the client and server.
           • pref-value — Preference value, used by clients to determine preference between multiple DHCPv6 servers. (Range: 0-4294967295)
CTRL + Z   Exit to Privileged Exec Mode.
DHCPv6 Configuration Examples
This section contains the following examples:
• Configuring a DHCPv6 Stateless Server
• Configuring the DHCPv6 Server for Prefix Delegation
• Configuring an Interface as a DHCPv6 Relay Agent
Configuring a DHCPv6 Stateless Server
This example configures a DHCPv6 pool that will provide information for the DHCPv6 server to distribute to DHCPv6 clients that are members of VLAN 100.
4 Configure the DHCPv6 server functionality on VLAN 100. Clients can use the preference value to determine which DHCPv6 server to use when multiple servers exist.
console(config-if-vlan100)#ipv6 dhcp server mypool preference 10
console(config-if-vlan100)#ipv6 nd other-config-flag
console(config-if-vlan100)#exit
Configuring the DHCPv6 Server for Prefix Delegation
In this example, VLAN routing interface 200 is configured to delegate specific prefixes to certain DHCPv6 clients.
console(config-dhcp6s-pool)#prefix-delegation 2001:DB8:1002::/32 00:01:00:09:f8:79:4e:00:04:76:73:43:76 valid-lifetime 600 preferred-lifetime 400
console(config-dhcp6s-pool)#exit
3 Configure the DHCPv6 server functionality on VLAN 200 and specify the pool to use for DHCPv6 clients.
console(config)#interface vlan 200
console(config-if-vlan200)#ipv6 dhcp server mypool2 preference 20
Configuring an Interface as a DHCPv6 Relay Agent
This example configures a VLAN routing interface as a DHCPv6 Relay.
Relay Interface Number.................. ...Vl100
Relay Remote ID.............................
Option Flags................................
40 Configuring Differentiated Services
This chapter describes how to configure the Differentiated Services (DiffServ) feature. DiffServ enables traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.
How Does DiffServ Functionality Vary Based on the Role of the Switch?
How you configure DiffServ support in PowerConnect M6220/M6348/M8024/M8024-k switch software varies depending on the role of the switch in your network:
• Edge device: An edge device handles ingress traffic, flowing towards the core of the network, and egress traffic, flowing away from the core. An edge device segregates inbound traffic into a small set of traffic classes, and is responsible for determining a packet’s classification.
PowerConnect M6220/M6348/M8024/M8024-k switch software supports the Traffic Conditioning Policy type which is associated with an inbound traffic class and specifies the actions to be performed on packets meeting the class rules: • – Marking the packet with a given DSCP, IP precedence, or CoS value. Traffic to be processed by the DiffServ feature requires an IP header if the system uses IP Precedence or IP DSCP marking.
Configuring DiffServ (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DiffServ features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.
DiffServ Configuration
Use the DiffServ Configuration page to display the DiffServ administrative mode setting as well as the current and maximum number of rows in each of the main DiffServ private MIB tables.
Class Configuration
Use the DiffServ Class Configuration page to add a new DiffServ class name, or to rename or delete an existing class. To display the page, click Quality of Service → Differentiated Services → Class Configuration in the navigation panel.
Figure 40-2. DiffServ Class Configuration
Adding a DiffServ Class
To add a DiffServ class:
1 From the DiffServ Class Configuration page, click Add to display the Add Class page.
Figure 40-3.
3 Click Apply to add the new class.
4 To view a summary of the classes configured on the switch, click Show All.
Figure 40-4. View DiffServ Class Summary
Class Criteria
Use the DiffServ Class Criteria page to define the criteria to associate with a DiffServ class. As packets are received, these DiffServ classes are used to identify packets. To display the page, click Quality of Service → Differentiated Services → Class Criteria in the navigation panel.
Figure 40-5.
Policy Configuration
Use the DiffServ Policy Configuration page to associate a collection of classes with one or more policy statements. To display the page, click Quality of Service → Differentiated Services → Policy Configuration in the navigation panel.
Figure 40-6. DiffServ Policy Configuration
Adding a New Policy Name
To add a policy:
1 From the DiffServ Policy Configuration page, click Add to display the Add Policy page.
Figure 40-7. Add DiffServ Policy
2 Enter the new Policy Name.
3 Click Apply to save the new policy.
4 To view a summary of the policies configured on the switch, click Show All.
Figure 40-8.
Policy Class Definition
Use the DiffServ Policy Class Definition page to associate a class to a policy, and to define attributes for that policy-class instance. To display the page, click Quality of Service → Differentiated Services → Policy Class Definition in the navigation panel.
Figure 40-9. DiffServ Policy Class Definition
To view a summary of the policy attributes, click Show All.
Figure 40-10. Policy Attribute Summary
Packet Marking Traffic Condition
Follow these steps to have packets that match the class criteria for this policy marked with either an IP DSCP, IP precedence, or CoS value:
1 Select Marking from the Traffic Conditioning drop-down menu on the DiffServ Policy Class Definition page. The Packet Marking page displays.
Figure 40-11. Policy Class Definition - Packet Marking
2 Select IP DSCP, IP Precedence, or Class of Service to mark for this policy-class.
Policing Traffic Condition
Follow these steps to perform policing on the packets that match this policy class:
1 Select Policing from the Traffic Conditioning drop-down menu on the DiffServ Policy Class Definition page to display the DiffServ Policy Policing page.
Figure 40-12. Policy Class Definition - Policing
The DiffServ Policy - Policing page displays the Policy Name, Class Name, and Policing Style.
Service Configuration
Use the DiffServ Service Configuration page to activate a policy on a port. To display the page, click Quality of Service → Differentiated Services → Service Configuration in the navigation panel.
Figure 40-13. DiffServ Service Configuration
To view a summary of the services configured on the switch, click Show All.
Figure 40-14.
Service Detailed Statistics
Use the DiffServ Service Detailed Statistics page to display packet details for a particular port and class. To display the page, click Quality of Service → Differentiated Services → Service Detailed Statistics in the navigation panel.
Figure 40-15.
Flow-Based Mirroring
Use the Flow-Based Mirroring page to create a mirroring session in which the traffic that matches the specified policy and member class is mirrored to a destination port. To display the Flow-Based Mirroring page, click Switching → Ports → Traffic Mirroring → Flow-Based Mirroring in the navigation panel.
Figure 40-16.
Configuring DiffServ (CLI)
This section provides information about the commands you use to configure DiffServ settings on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.
DiffServ Configuration (Global)
Beginning in Privileged Exec mode, use the following commands to configure the global DiffServ mode and view related settings.
CLI Command    Description
configure      Enter global configuration mode.
CLI Command    Description
match cos      Add to the specified class definition a match condition for the Class of Service value.
match destination-address mac
               Add to the specified class definition a match condition based on the destination MAC address of a packet.
match dstip    Add to the specified class definition a match condition based on the destination IP address of a packet.
CLI Command    Description
match srcip    Add to the specified class definition a match condition based on the source IP address of a packet.
match srcl4port
               Add to the specified class definition a match condition based on the source layer 4 port of a packet using a single keyword, a numeric notation, or a numeric range notation.
match vlan     Add to the specified class definition a match condition based on the value of the layer 2 VLAN Identifier field.
CLI Command    Description
match protocol
               Add to the specified class definition a match condition based on the value of the IP Protocol field in a packet using a single keyword notation or a numeric value notation.
match source-address mac
               Add to the specified class definition a match condition based on the source MAC address of the packet.
match srcip6   Add to the specified class definition a match condition based on the source IPv6 address of a packet.
DiffServ Policy Attributes Configuration
Beginning in Privileged Exec mode, use the following commands to configure policy attributes and view related information.
CLI Command    Description
configure      Enter global configuration mode.
policy-map policy-map-name
               Enter Policy Map Configuration mode for the specified policy.
CLI Command    Description
conform-color class-map-name [exceed-color class-map-name]
               Specify the color class for color-aware policing. The action for the policy-class-map instance must be set to police-simple before issuing the conform-color command.
drop           Specify that all packets for the associated traffic stream are to be dropped at ingress.
mark cos cos-value
               Mark all packets for the associated traffic stream with the specified class of service value (range: 0–7) in the priority field of the 802.
DiffServ Service Configuration
Beginning in Privileged Exec mode, use the following commands to associate a policy with an interface and view related information.
CLI Command    Description
configure      Enter Global Configuration mode.
service-policy {in | out} policy-map-name
               Attach a policy to an interface in the inbound or outbound direction. This command can be used in either Global Configuration mode (for all system interfaces) or Interface Configuration mode (for a specific interface).
DiffServ Configuration Examples
This section contains the following examples:
• Providing Subnets Equal Access to External Network
• DiffServ for VoIP
Providing Subnets Equal Access to External Network
This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own Class B subnet that is allocated 25% of the available bandwidth on the port accessing the Internet.
The following commands show how to configure the DiffServ example depicted in Figure 40-17.
1 Enable DiffServ operation for the switch.
console#config
console(config)#diffserv
2 Create a DiffServ class of type all for each of the departments, and name them. Also, define the match criteria—Source IP address—for the new classes.
console(config)#class-map match-all finance_dept
console(config-classmap)#match srcip 172.16.10.0 255.255.255.
console(config-policy-map)#class development_dept
console(config-policy-classmap)#assign-queue 4
console(config-policy-classmap)#exit
console(config-policy-map)#exit
4 Attach the defined policy to Gigabit Ethernet interfaces 1/0/1 through 1/0/4 in the inbound direction.
console(config)#interface gigabitethernet 1/0/1
console(config-if-Gi1/0/1)#service-policy in internet_access
console(config-if-Gi1/0/1)#exit
console(config)#interface gigabitethernet 1/0/2
console(config-if-Gi1/0/2)#service-policy in interne
DiffServ for VoIP
One of the most valuable uses of DiffServ is to support Voice over IP (VoIP). VoIP traffic is inherently time-sensitive: for a network to provide acceptable service, a guaranteed transmission rate is vital. This example shows one way to provide the necessary quality of service: how to set up a class for UDP traffic, have that traffic marked on the inbound side, and then expedite the traffic on the outbound side.
The following commands show how to configure the DiffServ example depicted in Figure 40-18.
1 Set queue 6 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch.
console#config
console(config)#cos-queue strict 6
console(config)#diffserv
2 Create a DiffServ classifier named class_voip and define a single match criterion to detect UDP packets.
console(config-policy-classmap)#exit
console(config-policy-map)#exit
5 Attach the defined policy to an inbound service interface.
41 Configuring Class-of-Service
This chapter describes how to configure the Class-of-Service (CoS) feature. The CoS queueing feature lets you directly configure certain aspects of switch queueing. This provides the desired QoS behavior for different types of network traffic when the complexities of DiffServ are not required. The priority of a packet arriving at an interface can be used to steer the packet to the appropriate outbound CoS queue through a mapping table.
Each ingress port on the switch has a default priority value (set by configuring VLAN Port Priority in the Switching sub-menu) that determines the egress queue its traffic gets forwarded to. Packets that arrive without a VLAN user priority, or packets from ports you’ve identified as “untrusted,” get forwarded according to this default.
What Are Trusted and Untrusted Port Modes?
Ports can be configured in “trusted” mode or “untrusted” mode with respect to ingress traffic.
How Are Traffic Queues Defined?
For each queue, you can specify:
• Minimum bandwidth guarantee—A percentage of the port’s maximum negotiated bandwidth reserved for the queue. Unreserved bandwidth can be utilized by lower-priority queues. If the sum of the minimum bandwidth is 100%, then there is no unreserved bandwidth and no sharing of bandwidth is possible.
• Weighted Random Early Detection (WRED)—Drops packets queued for transmission selectively based on their drop precedence level. For each of four drop precedence levels on each WRED-enabled interface queue, you can configure the following parameters:
  – Minimum Threshold: A percentage of the total queue size below which no packets of the selected drop precedence level are dropped.
Table 41-1.
Figure 41-1. Mapping Table Configuration — CoS (802.
To access the DSCP Queue Mapping Table, click the DSCP Queue Mapping Table link at the top of the page. Figure 41-2.
Interface Configuration
Use the Interface Configuration page to define the interface shaping rate for egress packets on an interface and the decay exponent for WRED queues defined on the interface. Each interface CoS parameter can be configured globally or per-port. A global configuration change is applied to all interfaces in the system. To display the Interface Configuration page, click Quality of Service → Class of Service → Interface Configuration in the navigation panel.
Figure 41-3.
Interface Queue Configuration
Use the Interface Queue Configuration page to configure egress queues on interfaces. The settings you configure control the amount of bandwidth the queue uses, the scheduling method, and the queue management method. The configuration process is simplified by allowing each CoS queue parameter to be configured globally or per-port. A global configuration change is applied to the same queue ID on all ports in the system.
To access the Interface Queue Status page, click the Show All link at the top of the page.
Interface Queue Drop Precedence Configuration
Use the Interface Queue Drop Precedence Configuration page to configure thresholds and scaling values for each of four drop precedence levels on a WRED-enabled interface queue. The settings you configure control the minimum and maximum thresholds and a drop probability scaling factor for the selected drop precedence level.
Figure 41-5. Interface Queue Drop Precedence Configuration
To access the Interface Queue Drop Precedence Status page, click the Show All link at the top of the page.
Configuring CoS (CLI)
This section provides information about the commands you use to configure CoS settings on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals.
Mapping Table Configuration
Beginning in Privileged Exec mode, use the following commands to configure the CoS mapping tables.
CLI Command    Description
configure      Enter Global Configuration mode.
CoS Interface Configuration Commands
Beginning in Privileged Exec mode, use the following commands to configure the traffic shaping and WRED exponent values for an interface.
CLI Command    Description
configure      Enter Global Configuration mode.
interface interface
               Enter Interface Configuration mode, where interface is replaced by gigabitethernet unit/slot/port, tengigabitethernet unit/slot/port, or port-channel port-channel number.
CLI Command    Description
cos-queue min-bandwidth
               Specify the minimum transmission bandwidth (range: 0-100% in 1% increments) for each interface queue.
cos-queue strict queue-id
               Activate the strict priority scheduler mode for each specified queue. The queue-id value ranges from 0 to 6.
cos-queue random-detect queue-id
               Set the queue management type for the specified queue to WRED. The no version of this command resets the value to taildrop.
exit           Exit to Global Config mode.
Configuring Interface Queue Drop Probability
Beginning in Privileged Exec mode, use the following commands to configure characteristics of the drop probability and view related settings. The drop probability supports configuration in the range of 0 to 10%, and the discrete values 25%, 50%, and 75%. Values not listed are truncated to the next lower value in hardware.
CLI Command    Description
configure      Enter Global Configuration mode.
CoS Configuration Example
Figure 41-6 illustrates the network operation as it relates to CoS mapping and queue configuration. Four packets arrive at the ingress port te1/0/10 in the order A, B, C, and D. Port te1/0/10 is configured to trust the 802.1p field of the packet, which serves to direct packets A, B, and D to their respective queues on the egress port. These three packets utilize the 802.1p to CoS Mapping Table for port te1/0/10. In this example, the 802.
Continuing this example, the egress port te1/0/8 is configured for strict priority on queue 6, and a weighted scheduling scheme is configured for queues 5-0. Assuming queue 5 has a higher minimum bandwidth than queue 1 (relative bandwidth values are shown as a percentage, with 0% indicating the bandwidth is not guaranteed), the queue service order is 6 followed by 5 followed by 1.
CoS queue 4, with a 50% minimum bandwidth guarantee. Lossless traffic classes generally use the default WRR scheduling mode as opposed to strict priority, to avoid starving other traffic. For example, the following commands assign user priority 4 to CoS queue 4 and reserve 50% of the scheduler bandwidth to CoS queue 4.
42 Configuring Auto VoIP
Voice over Internet Protocol (VoIP) allows you to make telephone calls over a data network like the Internet. With the increased prominence of delay-sensitive applications (voice, video, and other multimedia applications) deployed in networks today, proper QoS configuration will ensure high-quality application performance.
When a call-control protocol is detected, the switch assigns the traffic in that session to the highest CoS queue, which is generally used for time-sensitive traffic. Auto-VoIP is limited to 16 sessions and makes use of the switch CPU to classify traffic. It is preferable to use the Voice VLAN feature in larger enterprise environments as it uses the switching silicon to classify voice traffic onto a VLAN.
How Does Auto-VoIP Use ACLs?
Auto-VoIP borrows ACL lists from the global system pool.
Configuring Auto VoIP (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Auto VoIP features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.
Auto VoIP Global Configuration
Use the Global Configuration page to enable or disable Auto VoIP on all interfaces.
Figure 42-2.
To display summary Auto VoIP configuration information for all interfaces, click the Show All link at the top of the page. Figure 42-3.
Configuring Auto VoIP (CLI) This section provides information about the commands you use to configure Auto VoIP settings on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Mapping Table Configuration Beginning in Privileged Exec mode, use the following commands to enable Auto VoIP and view its configuration. CLI Command Description configure Enter Global Configuration mode.
43 Managing IPv4 and IPv6 Multicast This chapter describes how to configure and monitor layer 3 multicast features for IPv4 and IPv6, including global IP and IPv6 multicast features as well as multicast protocols, including IGMP, DVMRP, and PIM for IPv4 and MLD and PIM for IPv6.
Applications that often send multicast traffic include video or audio conferencing, Whiteboard tools, stock distribution tickers, and IP-based television (IP/TV). What Is IP Multicast Traffic? IP multicast traffic is traffic that is destined to a host group. Host groups are identified by class D IP addresses, which range from 224.0.0.0 to 239.255.255.255.
What Multicast Protocols Does the Switch Support? Multicast protocols are used to deliver multicast packets from one source to multiple receivers. Table 43-1 summarizes the multicast protocols that the switch supports. Table 43-1.
When Is L3 Multicast Required on the Switch? Use the IPv4/IPv6 multicast feature on PowerConnect M6220, M6348, M8024, and M8024-k switches to route multicast traffic between VLANs on the switch. If all hosts connected to the switch are on the same subnet, there is no need to configure the IP/IPv6 multicast feature. If the switch does not require L3 routing, you can use IGMP snooping or MLD snooping to manage port-based multicast group membership.
What Is IGMP? The Internet Group Management Protocol (IGMP) is used by IPv4 systems (hosts, L3 switches, and routers) to report their IP multicast group memberships to any neighboring multicast routers. The PowerConnect M6220/M6348/M8024/M8024-k switch performs the multicast router role of the IGMP protocol, which means it collects the membership information needed by the active multicast routing protocol. The PowerConnect M6220/M6348/M8024/M8024-k switch also supports IGMP Version 3.
What Is MLD? Multicast Listener Discovery (MLD) protocol enables IPv6 routers to discover the presence of multicast listeners, the hosts that wish to receive the multicast data packets, on their directly attached interfaces. The protocol specifically discovers which multicast addresses are of interest to its neighboring nodes and provides this information to the active multicast routing protocol that makes decisions on the flow of multicast data packets.
What Is PIM? The Protocol Independent Multicast protocol is a simple, protocol-independent multicast routing protocol. PIM uses an existing unicast routing table and a Join/Prune/Graft mechanism to build a tree. PowerConnect M6220, M6348, M8024, and M8024-k switches support two types of PIM: sparse mode (PIM-SM) and dense mode (PIM-DM). PIM-SM is most effective in networks with a sparse population of multicast receivers.
candidate RPs to all the PIM routers in the network. Each PIM router then runs the RP selection algorithm to determine an RP for the given group range. All the interested PIM-SM routers then initiate re-reception of traffic through this new RP, and the multicast traffic is rerouted via the new RP. This is to provide high availability to the multicast applications and help ensure that the multicast traffic is recovered quickly in such scenarios.
• This (*, G) Join travels hop-by-hop to the RP, building a branch of the Shared Tree that extends from the RP to the last-hop router directly connected to the receiver. • At this point, group “G” traffic can flow down the Shared Tree to the receiver. Phase-2: Register Stop Figure 43-2.
– The RP sends a source group (S, G) Join back towards the source to create a branch of an (S, G) Shortest-Path Tree (SPT). This results in the (S, G) state being created in the entire router path along the SPT, including the RP. Figure 43-3. PIM-SM Sender Registration—Part 2 • As soon as the SPT is built from the Source router to the RP, multicast traffic begins to flow unencapsulated from source S to the RP.
Phase 3: Shortest Path Tree Figure 43-4. PIM-SM SPT—Part 1 • PIM-SM has the capability for last-hop routers (i.e., routers with directly connected group members) to switch to the Shortest-Path Tree and bypass the RP. This switchover is based upon an implementation-specific function called SwitchToSptDesired(S,G) in the standard and generally takes a number of seconds to switch to the SPT.
Figure 43-5. PIM-SM SPT—Part 2 • Finally, special (S, G) RP-bit Prune messages are sent up the Shared Tree to prune off this (S, G) traffic from the Shared Tree. If this were not done, (S, G) traffic would continue flowing down the Shared Tree resulting in duplicate (S, G) packets arriving at the receiver.
Figure 43-6. PIM-SM SPT—Part 3 • At this point, (S, G) traffic is now flowing directly from the first-hop router to the last-hop router and from there to the receiver. Figure 43-7.
• At this point, the RP no longer needs the flow of (S, G) traffic since all branches of the Shared Tree (in this case there is only one) have pruned off the flow of (S, G) traffic. • As a result, the RP will send (S, G) Prunes back toward the source to shut off the flow of the now unnecessary (S, G) traffic to the RP. NOTE: This will occur if the RP has received an (S, G) RP-bit Prune on all interfaces on the Shared Tree. Figure 43-8.
creates a performance problem in that it limits the number of packets that can be processed and places a high load on the CPUs in the first hop and RP routers, which can then adversely affect other router functions. PowerConnect Optimizations to PIM-SM PowerConnect switches perform the following optimizations to reduce the impact of multicast encapsulation/de-encapsulation and provide a higher level of multicast performance in the network.
sending the encapsulated Register messages. This removes the load from the CPU of the first-hop router and the RP, as they no longer need to encapsulate and de-encapsulate register messages with multicast data. These optimizations significantly reduce the load on first-hop routers and RPs to encapsulate/de-encapsulate PIM register messages and their associated multicast data. In addition, the switchover to the SPT is initiated immediately upon the first multicast packet reaching the last-hop router.
router on its RPF interface, the State Refresh message causes an existing prune state to be refreshed. State Refresh messages are generated periodically by the router directly attached to the source. What Is DVMRP? DVMRP is an interior gateway protocol that is suitable for routing multicast traffic within an autonomous system (AS). DVMRP should not be used between different autonomous systems due to limitations with hop count and scalability.
Using DVMRP as the Multicast Routing Protocol DVMRP is used to communicate multicast information between L3 switches or routers. If a PowerConnect M6220/M6348/M8024/M8024-k switch handles inter-VLAN routing for IP traffic, including IP multicast traffic, multicast routing might be required on the switch. DVMRP is best suited for small networks where the majority of hosts request a given multicast traffic stream.
Default L3 Multicast Values IP and IPv6 multicast is disabled by default. Table 43-2 shows the default values for L3 multicast and the multicast protocols. Table 43-2.
Configuring General IPv4 Multicast Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the L3 multicast features that are not protocol-specific on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page.
Multicast Interface Configuration Use the Interface Configuration page to configure the TTL threshold of a multicast interface. At least one VLAN routing interface must be configured on the switch before fields display on this page. To display the page, click IPv4 Multicast → Multicast → Interface Configuration in the navigation panel. Figure 43-10.
Multicast Route Table Use the Route Table page to view information about the multicast routes in the IPv4 multicast routing table. To display the page, click IPv4 Multicast → Multicast → Multicast Route Table. Figure 43-11.
Multicast Admin Boundary Configuration The definition of an administratively scoped boundary is a way to stop the ingress and egress of multicast traffic for a given range of multicast addresses on a given routing interface. Use the Admin Boundary Configuration page to configure a new or existing administratively scoped boundary. To see this page, you must have configured a valid routing interface and multicast.
Multicast Admin Boundary Summary Use the Admin Boundary Summary page to display existing administratively scoped boundaries. To display the page, click IPv4 Multicast → Multicast → Admin Boundary Summary in the navigation panel. Figure 43-13.
Multicast Static MRoute Configuration Use the Static MRoute Configuration page to configure a new static entry in the Mroute table or to modify an existing entry. To display the page, click IPv4 Multicast → Multicast → Static MRoute Configuration in the navigation panel. Figure 43-14.
Multicast Static MRoute Summary Use the Static MRoute Summary page to display static routes and their configurations. To display the page, click IPv4 Multicast → Multicast → Static MRoute Summary in the navigation panel. Figure 43-15.
Configuring IPv6 Multicast Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IPv6 multicast features that are not protocol-specific on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. IPv6 Multicast Route Table Use the Multicast Route Table page to view information about the multicast routes in the IPv6 multicast routing table.
Configuring IGMP and IGMP Proxy (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IGMP and IGMP proxy features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. IGMP Global Configuration Use the Global Configuration page to set IGMP on the system to active or inactive. To display the page, click IPv4 Multicast → IGMP → Global Configuration in the navigation panel.
IGMP Interface Configuration Use the Interface Configuration page to configure and/or display router interface parameters. You must configure at least one valid routing interface before you can access this page and configure IP Multicast IGMP. To display the page, click IPv4 Multicast → IGMP → Routing Interface → Interface Configuration in the navigation panel. Figure 43-18.
IGMP Interface Summary Use the Interface Summary page to display IGMP routing parameters and data. You must configure at least one IGMP router interface to access this page. To display the page, click IPv4 Multicast → IGMP → Routing Interface → Interface Summary in the navigation panel. Figure 43-19.
IGMP Cache Information Use the Cache Information page to display cache parameters and data for an IP multicast group address. Group membership reports must have been received on the selected interface for data to display on the page. To display the page, click IPv4 Multicast → IGMP → Routing Interface → Cache Information in the navigation panel. Figure 43-20.
IGMP Interface Source List Information Use the Source List Information page to display detailed membership information for an interface. Group membership reports must have been received on the selected interface for data to display information. To display the page, click IPv4 Multicast → IGMP → Routing Interface → Source List Information in the navigation panel. Figure 43-21.
IGMP Proxy Interface Configuration The IGMP Proxy is used by an IGMP router (IPv4 system) to enable the system to issue IGMP host messages on behalf of hosts that the system discovered through standard IGMP router interfaces. Thus, this feature acts as a proxy to all hosts residing on its router interfaces. Use the Interface Configuration page to configure IGMP proxy for a VLAN interface.
IGMP Proxy Configuration Summary Use the Configuration Summary page to display proxy interface configurations by interface. You must have configured at least one VLAN routing interface before data displays on this page. To display the page, click IPv4 Multicast → IGMP → Proxy Interface → Configuration Summary in the navigation panel. Figure 43-23.
IGMP Proxy Interface Membership Info Use the Interface Membership Info page to display interface membership data for a specific IP multicast group address. You must have configured at least one VLAN routing interface before you can display interface membership information, and it should not be an IGMP routing interface. Also, if no group membership reports have been received on the selected interface, no data displays on this page.
Detailed IGMP Proxy Interface Membership Information Use the Interface Membership Info Detailed page to display detailed interface membership data. You must have configured at least one VLAN routing interface before you can display detailed interface membership information, and it should not be an IGMP routing interface. Also, if no group membership reports have been received on the selected interface you cannot display data.
Configuring MLD and MLD Proxy (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the MLD and MLD proxy features on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. MLD Global Configuration Use the Global Configuration page to administratively enable and disable the MLD service.
MLD Routing Interface Configuration Use the Interface Configuration page to enable selected IPv6 router interfaces to discover the presence of multicast listeners, the nodes who wish to receive the multicast data packets, on its directly attached interfaces. To access this page, click IPv6 Multicast → MLD → Routing Interface → Interface Configuration in the navigation panel. Figure 43-27.
MLD Routing Interface Summary Use the Interface Summary page to display information and statistics on a selected MLD-enabled interface. You must configure at least one IGMP VLAN routing interface to access this page. To access this page, click IPv6 Multicast → MLD → Routing Interface → Interface Summary in the navigation panel. Figure 43-28.
MLD Routing Interface Cache Information The Interface Cache Information page displays cache parameters and data for an IP multicast group address that has been reported to operational MLD routing interfaces. You must configure at least one MLD VLAN routing interface to access this page. Also, group membership reports must have been received on the selected interface in order for data to be displayed here.
MLD Routing Interface Source List Information The Interface Source List Information page displays detailed membership information for an interface. You must configure at least one MLD VLAN routing interface to access this page. Also, group membership reports must have been received on the selected interface in order for data to be displayed here. To access this page, click IPv6 Multicast → MLD → Routing Interface → Source List Information in the navigation panel. Figure 43-30.
MLD Traffic The MLD Traffic page displays summary statistics on the MLD messages sent to and from the router. To access this page, click IPv6 Multicast → MLD → Routing Interface → MLD Traffic in the navigation panel. Figure 43-31.
MLD Proxy Configuration When you configure an interface in MLD proxy mode, it acts as a proxy multicast host that sends MLD membership reports on one VLAN interface for MLD Membership reports received on all other MLD-enabled VLAN routing interfaces. Use the Interface Configuration page to enable and disable ports as MLD proxy interfaces. To display this page, click IPv6 Multicast → MLD → Proxy Interface → Interface Configuration in the navigation panel. Figure 43-32.
MLD Proxy Configuration Summary Use the Configuration Summary page to view configuration and statistics on MLD proxy-enabled interfaces. To display this page, click IPv6 Multicast → MLD → Proxy Interface → Configuration Summary in the navigation panel. Figure 43-33.
MLD Proxy Interface Membership Information The Interface Membership Information page lists each IP multicast group for which the MLD proxy interface has received membership reports. To display this page, click IPv6 Multicast → MLD → Proxy interface → Interface Membership Info in the navigation panel. Figure 43-34.
Detailed MLD Proxy Interface Membership Information The Interface Membership Information Detailed page provides additional information about the IP multicast groups for which the MLD proxy interface has received membership reports. To display this page, click IPv6 Multicast → MLD → Proxy Interface → Interface Membership Info Detailed in the navigation panel. Figure 43-35.
Configuring PIM for IPv4 and IPv6 (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring PIM-SM and PIM-DM for IPv4 and IPv6 multicast routing on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. NOTE: The OpenManage Switch Administrator pages to configure IPv4 multicast routing and IPv6 multicast routing are very similar.
PIM Global Status Use the Global Status page to view the administrative status of PIM-DM or PIM-SM on the switch. To display the page, click IPv4 Multicast → PIM → Global Status or IPv6 Multicast → PIM → Global Status in the navigation panel. Figure 43-37.
PIM Interface Configuration Use the Interface Configuration page to configure specific VLAN routing interfaces with PIM. To display the page, click IPv4 Multicast → PIM → Interface Configuration or IPv6 Multicast → PIM → Interface Configuration in the navigation panel. Figure 43-38.
PIM Interface Summary Use the Interface Summary page to display a PIM-enabled VLAN routing interface and its settings. To display the page, click IPv4 Multicast → PIM → Interface Summary or IPv6 Multicast → PIM → Interface Summary in the navigation panel. Figure 43-39.
Candidate RP Configuration The Candidate RP is configured on the Add Candidate RP page. Use the Candidate RP Configuration page to display and delete the configured rendezvous points (RPs) for each port using PIM. To access the page, click IPv4 Multicast → PIM → Candidate RP Configuration or IPv6 Multicast → PIM → Candidate RP Configuration. Figure 43-40.
Figure 43-41. Add Candidate RP 3 Select the VLAN interface for which the Candidate RP is to be configured. 4 Enter the group address transmitted in Candidate-RP-Advertisements. 5 Enter the prefix length transmitted in Candidate-RP-Advertisements to fully identify the scope of the group which the router supports if elected as a Rendezvous Point. 6 Click Apply Changes. The new Candidate RP is added, and the device is updated.
Static RP Configuration Use the Static RP Configuration page to display or remove the configured RP. The page also allows adding new static RPs by clicking the Add button. Only one RP address can be used at a time within a PIM domain. If the PIM domain uses the BSR to dynamically learn the RP, configuring a static RP is not required. However, you can configure the static RP to override any dynamically learned RP from the BSR.
Figure 43-43. Add Static RP 3 Enter the IP address of the RP for the group range. 4 Enter the group address of the RP. 5 Enter the group mask of the RP. 6 Check the Override option to configure the static RP to override the dynamic (candidate) RPs learned for same group ranges. 7 Click Apply. The new Static RP is added, and the device is updated.
SSM Range Configuration Use this page to display or remove the Source Specific Multicast (SSM) group IP address and group mask for the PIM router. To display the page, click IPv4 Multicast → PIM → SSM Range Configuration or IPv6 Multicast → PIM → SSM Range Configuration. Figure 43-44. SSM Range Configuration Adding an SSM Range To add the Source-Specific Multicast (SSM) Group IP Address and Group Mask (IPv4) or Prefix Length (IPv6) for the PIM router: 1 Open the SSM Range Configuration page. 2 Click Add.
Figure 43-45. Add SSM Range 3 Click the Add Default SSM Range check box to add the default SSM Range. The default SSM Range is 232.0.0.0/8 for IPv4 multicast and ff3x::/32 for IPv6 multicast. 4 Enter the SSM Group IP Address. 5 Enter the SSM Group Mask (IPv4) or SSM Prefix Length (IPv6). 6 Click Apply. The new SSM Range is added, and the device is updated.
BSR Candidate Configuration Use this page to configure information to be used if the interface is selected as a bootstrap router. To display the page, click IPv4 Multicast → PIM → BSR Candidate Configuration or IPv6 Multicast → PIM → BSR Candidate Configuration. Figure 43-46.
BSR Candidate Summary Use this page to display information about the configured BSR candidates. To display this page, click IPv4 Multicast → PIM → BSR Candidate Summary or IPv6 Multicast → PIM → BSR Candidate Summary. Figure 43-47.
Configuring DVMRP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DVMRP on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. DVMRP Global Configuration Use the Global Configuration page to configure global DVMRP settings. It is strongly recommended that IGMP be enabled on any switch on which DVMRP is enabled.
DVMRP Interface Configuration Use the Interface Configuration page to configure a DVMRP VLAN routing interface. You must configure at least one router interface before you configure a DVMRP interface. Otherwise you see a message telling you that no router interfaces are available, and the configuration screen is not displayed. It is strongly recommended that IGMP be enabled on any interface on which DVMRP is enabled. This ensures that the multicast router behaves as expected.
DVMRP Configuration Summary Use the Configuration Summary page to display the DVMRP configuration and data for a selected interface. You must configure at least one VLAN routing interface before you can display data for a DVMRP interface. Otherwise you see a message telling you that no VLAN router interfaces are available, and the configuration summary screen is not displayed. To display the page, click IPv4 Multicast → DVMRP → Configuration Summary in the navigation panel.
Figure 43-50. DVMRP Configuration Summary DVMRP Next Hop Summary Use the Next Hop Summary page to display the next hop summary by Source IP. To display the page, click IPv4 Multicast → DVMRP → Next Hop Summary in the navigation panel.
Figure 43-51.
DVMRP Prune Summary Use the Prune Summary page to display the prune summary by Group IP. To display the page, click IPv4 Multicast → DVMRP → Prune Summary in the navigation panel. Figure 43-52.
DVMRP Route Summary Use the Route Summary page to display the DVMRP route summary. To display the page, click IPv4 Multicast → DVMRP → Route Summary in the navigation panel. Figure 43-53.
Configuring L3 Multicast Features (CLI) This section provides information about the commands you use to configure general IPv4 multicast settings on the switch. For more information about the commands, see the PowerConnect M6220/M6348/M8024/M8024-k CLI Reference Guide at support.dell.com/manuals. Configuring and Viewing IPv4 Multicast Information Beginning in Privileged EXEC mode, use the following commands to enable IPv4 multicast on the switch and to view and configure other general multicast settings.
Command Purpose exit Exit to Global Config mode. exit Exit to Privileged EXEC mode. show ip multicast View system-wide multicast information. show ip mcast boundary {vlan vlan-id | all} View all the configured administrative scoped multicast boundaries. show ip mcast mroute {detail | summary} View a summary or all the details of the multicast table. show mac address-table multicast [count] View information about the entries in the multicast address table.
Configuring and Viewing IPv6 Multicast Route Information Beginning in Privileged EXEC mode, use the following commands to configure static IPv6 multicast routes on the switch and to view IPv6 multicast table information. Command Purpose configure Enter global configuration mode. ip multicast Enable IPv4/IPv6 multicast routing. ipv6 mroute source- Create a static multicast route for a source range.
Configuring and Viewing IGMP Beginning in Privileged EXEC mode, use the following commands to configure IGMP on the switch and on VLAN routing interfaces and to view IGMP information. Command Purpose configure Enter global configuration mode. ip multicast Enable IPv4/IPv6 multicast routing. ip igmp Enable IGMP on the switch. interface vlan vlan-id Enter Interface Configuration mode for the specified VLAN. ip igmp Enable IGMP on the interface.
Command Purpose ip igmp startup-query-count count Set the number of queries sent out on startup, at intervals equal to the startup query interval for the interface. The range for count is 1–20. ip igmp last-member-query-interval tenthsofseconds Configure the Maximum Response Time inserted in Group-Specific Queries which are sent in response to Leave Group messages. The range is 0–255 tenths of a second.
Configuring and Viewing IGMP Proxy Beginning in Privileged EXEC mode, use the following commands to configure the upstream VLAN routing interface as an IGMP proxy. The IGMP proxy issues host messages on behalf of the hosts that have been discovered on IGMP-enabled interfaces. The upstream interface is the interface closest to the root multicast router, which should be running IGMP. NOTE: Configure only the upstream interface as the IGMP proxy. IGMP should be enabled on all downstream interfaces.
Configuring and Viewing MLD Beginning in Privileged EXEC mode, use the following commands to configure MLD on the switch and on VLAN routing interfaces and to view IGMP information. Command Purpose configure Enter global configuration mode. ip multicast Enable IPv4/IPv6 multicast routing. ipv6 mld router Enable MLD on the switch. interface vlan vlan-id Enter Interface Configuration mode for the specified VLAN. ipv6 mld router Enable MLD on the interface.
Command Purpose show ipv6 mld interface [vlan vlan-id] View MLD information for all interfaces or for the specified interface. show ipv6 mld interface stats [vlan vlan-id] View MLD statistics for all interfaces or for the specified interface. show ipv6 mld groups [interface vlan vlan-id] View the registered multicast groups on the interface. show ipv6 mld membership View the list of interfaces that have registered in any multicast group.
Command Purpose show ipv6 mld-proxy View a summary of the host interface status parameters. show ipv6 mld-proxy interface View a detailed list of the host interface status parameters. This command displays information only when MLD Proxy is operational. show ipv6 mld-proxy groups View a table of information about multicast groups that MLD Proxy reported. This command displays information only when MLD Proxy is operational.
Command Purpose show ip pim interface vlan vlan-id View the PIM-DM information for the specified interface. show ip pim neighbor [interface vlan vlan-id | all] View a summary or all the details of the multicast table. Configuring and Viewing PIM-DM for IPv6 Multicast Routing Beginning in Privileged EXEC mode, use the following commands to configure PIM-DM for IPv6 multicast routing on the switch and on VLAN routing interfaces and to view PIM-DM information.
Command Purpose show ipv6 pim interface vlan vlan-id View the PIM information for the specified interface. show ipv6 pim neighbor [interface vlan vlan-id | all] View a summary or all the details of the multicast table.
Configuring and Viewing PIM-SM for IPv4 Multicast Routing Beginning in Privileged EXEC mode, use the following commands to configure PIM-SM for IPv4 multicast routing on the switch and on VLAN routing interfaces and to view PIM-SM information. Command Purpose configure Enter global configuration mode. ip routing Enable ip routing. Routing is required for PIM operation. ip pim sparse Enable PIM-SM as the multicast routing protocol on the switch. ip igmp Enable IGMP.
Command Purpose ip pim rp-candidate vlan vlan-id group-address group-mask [interval interval] Configure the router to advertise itself to the BSR router as a PIM candidate Rendezvous Point (RP) for a specific multicast group range. • vlan-id — A valid VLAN ID. • group-address — Group IP address supported by RP. • group-mask — Group subnet mask for group address. • interval — (Optional) Indicates the RP candidate advertisement interval. The range is from 1 to 16383 seconds.
Command Purpose exit Exit to Global Config mode. exit Exit to Privileged EXEC mode. show ip pim View system-wide PIM information. show ip pim interface vlan View the PIM information for the specified interface. show ip pim neighbor [interface vlan vlan-id | all] View a summary or all the details of the multicast table. show ip pim rp-hash View the RP router being selected for the specified multicast group address from the set of active RP routers.
Command Purpose ipv6 pim bsr-candidate vlan vlan-id hash-mask-length [priority] [interval interval] Configure the switch to announce its candidacy as a bootstrap router (BSR). • vlan-id — A valid VLAN ID. • hash-mask-length — The length of a mask that is to be ANDed with the group address before the hash function is called. All groups with the same seed hash correspond to the same RP. For example, if this value is 24, only the first 24 bits of the group addresses matter.
Command Purpose ipv6 pim ssm {default | group-address/prefix-length} Define the Source Specific Multicast (SSM) range of IPv6 multicast addresses. • default — Defines the SSM range access list to FF3x::/32. • group-address/prefix-length — Defines the SSM range. interface vlan vlan-id Enter Interface Configuration mode for the specified VLAN. ipv6 pim Enable PIM on the VLAN. ipv6 enable Enable IPv6 on the VLAN. ipv6 mld router Enable MLD on the VLAN. MLD is required for IPv6 PIM.
Command Purpose show ipv6 pim rp-hash View the RP router being selected for the specified multicast group address from the set of active RP routers. The RP router for the group is selected by using a hash algorithm. show ipv6 pim bsr-router View the bootstrap router (BSR) information.
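The effect of hash-mask-length on RP selection, described above for the bsr-candidate and rp-hash commands, as an added example that is not part of the Dell guide. It assumes the switch uses the standard PIM-SM hash from RFC 7761 section 4.7.2 (the guide does not name the algorithm), covers IPv4 only, and treats all candidates as having equal priority for the same group range; 192.168.20.4 is a constructed second RP.

```python
import ipaddress

# 192.168.10.4 is the RP address used in this guide's PIM-SM example;
# 192.168.20.4 is a constructed second candidate for illustration.
CANDIDATES = ["192.168.10.4", "192.168.20.4"]


def rp_hash(group, hash_mask_len, rp):
    """RFC 7761 hash value for one (group, candidate RP) pair.

    Value = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31
    where M is a mask of hash_mask_len leading one-bits and C is the RP address.
    """
    if not 0 <= hash_mask_len <= 32:
        raise ValueError("hash mask length must be 0..32 for IPv4")
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(rp))
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    inner = (1103515245 * (g & mask) + 12345) ^ c
    return (1103515245 * inner + 12345) % (1 << 31)


def select_rp(group, hash_mask_len, candidates):
    """Pick the RP for a group: highest hash value, then highest address."""
    if not candidates:
        raise ValueError("no candidate RPs")
    return max(
        candidates,
        key=lambda rp: (rp_hash(group, hash_mask_len, rp),
                        int(ipaddress.IPv4Address(rp))),
    )


def rp_load(groups, hash_mask_len, candidates):
    """Count how many of the given groups each candidate RP would serve."""
    load = {rp: 0 for rp in candidates}
    for group in groups:
        load[select_rp(group, hash_mask_len, candidates)] += 1
    return load


if __name__ == "__main__":
    groups = [f"239.9.{third}.{last}" for third in range(4) for last in range(256)]
    for mask_len in (16, 24, 32):
        # A shorter mask keeps larger blocks of groups on one RP;
        # a longer mask spreads groups across the candidates.
        print(mask_len, rp_load(groups, mask_len, CANDIDATES))
```

Every router in the PIM domain must compute the same mapping, so the hash mask length advertised by the elected BSR is the value that applies, not a locally preferred one.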
Configuring and Viewing DVMRP Information Beginning in Privileged EXEC mode, use the following commands to configure DVMRP on the switch and on VLAN routing interfaces and to view DVMRP information. Command Purpose configure Enter global configuration mode. ip dvmrp Enable DVMRP on the switch. ip multicast Enable IP multicast. interface vlan vlan-id Enter Interface Configuration mode for the specified VLAN routing interface. ip dvmrp Enable DVMRP on the interface.
L3 Multicast Configuration Examples This section contains the following configuration examples: • Configuring Multicast VLAN Routing With IGMP and PIM-SM • Configuring DVMRP Configuring Multicast VLAN Routing With IGMP and PIM-SM This example describes how to configure a PowerConnect switch with two VLAN routing interfaces that route IP multicast traffic between the VLANs. PIM and IGMP are enabled on the switch and interfaces to manage the multicast routing.
Figure 43-54. IPv4 Multicast VLAN Routing
(Diagram labels: Video Server; L3 Switch A (PIM RP); Port 23; Port 24; L3 Switch B; L3 Switch C; IGMP Join; VLAN 10 Members; VLAN 20 Members.)

In addition to multicast configuration, this example includes commands to configure STP and OSPF on L3 Switch A. STP is configured on the ports that connect the switch to other switches. OSPF is configured to route unicast traffic between the VLANs, and PIM is enabled to route multicast traffic between the two VLANs.
console#configure
console(config)#no ip igmp snooping
console(config)#no ipv6 mld snooping
console(config)#vlan 10,20
console(config-vlan10,20)#exit

2 Configure port 23 and 24 as trunk ports.
console(config-if-vlan20)#exit

8 Globally enable IP multicast, IGMP, and PIM-SM on the switch.

console(config)#ip multicast
console(config)#ip igmp
console(config)#ip pim sparse

9 Configure VLAN 10 as the RP and specify the range of multicast groups for PIM-SM to control. The 239.9.x.x address is chosen as it is a locally administered address that maps to MAC addresses that do not conflict with control plane protocols.

console(config)#ip pim rp-address 192.168.10.4 239.9.0.0 255.255.0.
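The remark in step 9 about MAC addresses can be checked for any candidate group range. The following is an added example, not part of the Dell guide: it applies the standard IPv4 multicast mapping (01:00:5e followed by the low 23 bits of the group address) and assumes that "control plane protocols" refers to the link-local control block 224.0.0.0/24 used by protocols such as OSPF and PIM. The ranges other than 239.9.x.x are constructed for comparison.

```python
import ipaddress


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC (01:00:5e + low 23 bits)."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = (0x01005E << 24) | (int(ip) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def colliding_blocks(group_range: str) -> list:
    """Return the /24 blocks of group_range that share MACs with 224.0.0.0/24.

    Only 23 of the 28 variable group bits reach the MAC, so 32 groups map to
    each MAC. 224.0.0.0/24 occupies the low-23-bit values 0x000000-0x0000ff.
    """
    net = ipaddress.IPv4Network(group_range)
    first, last = int(net.network_address), int(net.broadcast_address)
    hits = []
    # Step one /24 at a time; a range smaller than a /24 is checked once.
    for base in range(first, last + 1, 256):
        if (base & 0x7FFFFF) >> 8 == 0:
            hits.append(str(ipaddress.IPv4Network((base & ~0xFF, 24))))
    return hits


if __name__ == "__main__":
    # 239.9.x.x from the guide, then two constructed ranges for comparison.
    for rng in ("239.9.0.0/16", "239.0.0.0/16", "239.0.0.0/8"):
        overlap = colliding_blocks(rng)
        print(f"{rng:16} first MAC {multicast_mac(rng.split('/')[0])} "
              f"overlaps control MACs: {overlap or 'none'}")
```

A group range that returns a non-empty list would put data traffic on the same MAC addresses as link-local control groups, so such frames reach the hosts and switch paths that listen for those protocols.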
Configuring DVMRP

The following example configures two DVMRP interfaces on the switch to enable inter-VLAN multicast routing.

To configure the switch:

1 Globally enable IP routing and IP multicast.

console#configure
console(config)#ip routing
console(config)#ip multicast

2 Globally enable IGMP so that this L3 switch can manage group membership information for its directly-connected hosts.
44 System Process Definitions

The following process/thread definitions are intended to assist the end user in troubleshooting switch issues. Only the most often seen threads/processes are listed here. Other processes or threads may be seen occasionally but are not a cause for concern.

Table 44-1. System Process Definitions

Name                    Task Summary
aclClusterTask          ACL tasks
aclEventTask
aclLogTask
ARP Timer               ARP tasks
autoInstTask            Auto Install task - USB, etc.
Dot1s transport task    Spanning Tree tasks
dot1s_helper_task
dot1s_task
dot1s_timer_task
dot1xTask               802.
hapiBpduTxTask          High Level API - SDK Integration Layer
hapiL2AsyncTask
hapiL2FlushTask
hapiL3AsyncTask
hapiLinkStatusTask
hapiMcAsyncTask
hapiRxTask
hapiTxTask
hpcBroadRpcTask         SDK Remote messaging task.
simPts_task             System Interface Manager (time zone, system name, service port config, file transfers, ...