Dell POWERCONNECT 6200 SERIES Configuration Manual Download Page 113

Page: 113 / 176

Device Security

113

Egress ACL Limitations

Egress ACLs have some additional limitations. The following limitations apply to egress ACLs only:

• Egress ACLs support IP Protocol/Destination, IP Address Source/Destination, L4 Source/Destination

port, IP DSCP, IP ToS, and IP precedence match conditions only.

• MAC ACLs are not supported in the egress direction.
• Egress ACLs only support Permit/Deny Action. Logging, mirroring and redirect action are not

supported.

• Only one Egress ACL can be applied on an interface. The ACL can have multiple rules to classify flows

and apply permit/deny action.

• If the Egress ACLs have "over-lapping" rules, then there can be undesired behavior. This limitation is

only applicable if the conflicting ACLs are within the same unit. The restriction is explained below:
–

ACL 1: permit tcp destination port 3000; deny all

–

ACL 2: drop ip source 10.1.1.1; permit all

–

ACL 1 is applied on port 1 and ACL 2 is applied on port 2. Due to this limitation, all the packets

egressing port 2 with Source IP 10.1.1.1 and tcp source port 3000 will be permitted even though

they should be dropped.

MAC ACLs

MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet:

• Source MAC address
• Source MAC mask
• Destination MAC address
• Destination MAC mask
• VLAN ID
• Class of Service (CoS) (802.1p)
• Ethertype

L2 ACLs can apply to one or more interfaces.
Multiple access lists can be applied to a single interface; sequence number determines the order of

execution.
You can assign packets to queues using the assign queue option.

Summary of Contents for POWERCONNECT 6200 SERIES

Page 1: ...w w w d e l l c o m s u p p o r t d e l l c o m Dell PowerConnect 6200 Series Configuration Guide Model PC6224 PC6248 PC6224P PC6248P and PC6224F ...

Page 2: ...ls in any manner whatsoever without the written permission of Dell Inc is strictly forbidden Trademarks used in this text Dell the DELL logo and PowerConnect are trademarks of Dell Inc sFlow is a registered trademark of InMon Corporation Cisco is a registered trademark of Cisco Systems Inc and or its affiliates in the United States and certain other countries Other trademarks and trade names may b...

Page 3: ... Scripting 13 Overview 13 Considerations 13 CLI Examples 14 Outbound Telnet 16 Overview 16 CLI Examples 17 Simple Network Time Protocol SNTP 17 Overview 17 CLI Examples 18 Syslog 20 Overview 20 CLI Examples 20 Port Description 22 CLI Example 22 Storm Control 23 CLI Example 23 Cable Diagnostics 25 Copper Port Cable Test 25 Fiber Port Cable Test 27 ...

Page 4: ... with LLDP MED 38 IGMP Snooping 40 CLI Examples 40 IGMP Snooping Querier 43 CLI Examples 43 Link Aggregation Port Channels 45 CLI Example 46 Web Interface Configuration LAGs Port channels 48 Port Mirroring 49 Overview 49 CLI Examples 49 Port Security 50 Overview 50 Operation 50 CLI Examples 51 Link Layer Discovery Protocol 52 CLI Examples 52 Denial of Service Attack Protection 54 Overview 54 CLI E...

Page 5: ...Web Interface to Configure VRRP 79 Proxy Address Resolution Protocol ARP 80 Overview 80 CLI Examples 80 OSPF 81 OSPF Concepts and Terms 81 CLI Examples 83 Routing Information Protocol 92 RIP Configuration 92 CLI Examples 93 Using the Web Interface to Configure RIP 94 Route Preferences 95 Assigning Administrative Preferences to Routing Protocols 95 Using Equal Cost Multipath 97 Loopback Interfaces ...

Page 6: ... 111 Overview 111 MAC ACLs 113 IP ACLs 114 ACL Configuration Process 114 IP ACL CLI Example 115 Configuring a MAC ACL 116 RADIUS 117 RADIUS Configuration Examples 118 TACACS 120 TACACS Configuration Example 120 802 1x MAC Authentication Bypass MAB 122 Operation in the Network 122 CLI Examples 123 Captive Portal 125 Overview 125 Functional Description 125 Captive Portal Configuration Status and Sta...

Page 7: ...figuration 140 Queue Management Type 140 CLI Examples 140 Differentiated Services 143 CLI Example 144 DiffServ for VoIP Configuration Example 146 8 Multicast 149 Overview 149 When to Enable IP Multicast on the PowerConnect 6200 Series Switch 150 IGMP Configuration 150 CLI Example 150 IGMP Proxy 151 CLI Examples 151 DVMRP 152 CLI Example 153 PIM 154 PIM SM 154 PIM DM 155 Multicast Routing and IGMP ...

Page 8: ...tion 162 CLI Examples 167 Nonstop Forwarding on a Switch Stack 168 Initiating a Failover 168 Checkpointing 168 Switch Stack MAC Addressing and Stack Design Considerations 170 NSF Network Design Considerations 170 NSF Default Behavior 170 Configuration Examples 171 ...

Page 9: ... networks VLANs and Internet Group Management Protocol IGMP snooping interfaces and enabling port security Routing Configuration on page 73 provides configuration scenarios for layer 3 features such as VLAN routing Open Shortest Path First OSPF and Routing Information Protocol RIP Device Security on page 105 provides information on creating access control lists and configuring RADIUS and TACACS se...

Page 10: ... The User s Guide for your Dell PowerConnect switch describes the Web GUI Many of the scenarios described in this document can be fully configured using the Web interface This guide also provides initial system setup and configuration instructions The Getting Started Guide for your Dell PowerConnect switch provides basic information to install configure and operate the system Release notes for you...

Page 11: ... 12 Configuration Scripting on page 13 Outbound Telnet on page 16 Simple Network Time Protocol SNTP on page 17 Syslog on page 20 Port Description on page 22 Storm Control on page 23 Cable Diagnostics on page 25 NOTE For information on setting up the hardware and serial or TFTP connection refer to the Getting Started Guide for your system ...

Page 12: ...e the packet takes 16 hops to reach its destination console traceroute ip Enter IP Address ipv6 Use keyword ipv6 if entering IPv6 Address console traceroute 72 14 253 99 Traceroute to 72 14 253 99 30 hops max 0 byte packets 1 10 131 10 1 10 ms 10 ms 10 ms 2 210 210 108 193 10 ms 10 ms 10 ms 3 192 168 81 1 10 ms 10 ms 10 ms 4 210 214 5 161 10 ms 10 ms 10 ms 5 210 214 5 169 10 ms 10 ms 10 ms 6 124 7...

Page 13: ...ral switches Can save up to ten scripts up to a maximum size of 2 MB of memory Provides List Delete Apply Upload Download Provides script format of one CLI command per line NOTE The startup config and backup config scripts are not bound by the 2 MB memory limit Considerations When you use configuration scripting keep the following considerations in mind The total number of scripts stored on the sy...

Page 14: ...ipt validate Validate the commands of configuration script Example 2 Viewing and Deleting Existing Scripts console script list Configuration Script Name Size Bytes abc scr 360 running config 360 startup config 796 test scr 360 4 configuration script s found 2046 Kbytes free console script delete test scr Are you sure you want to delete the configuration script s y n y 1 configuration script s dele...

Page 15: ...ig Script Source Filename abc scr Management access will be blocked for the duration of the transfer Are you sure you want to start y n y 267 bytes transferred File transfer operation completed successfully Example 6 Downloading a Configuration Script to the TFTP Server Use this command to download a configuration script from the TFTP server to the switch console copy tftp 10 27 64 141 abc scr scr...

Page 16: ...e you want to apply the configuration script y n y ip address dhcp username admin password 16d7a4fca7442dda3ad93c9a726597e4 level 15 encrypted exit Configuration script abc scr applied Outbound Telnet Overview Outbound telnet Establishes an outbound telnet connection between a device and a remote host When a telnet connection is initiated each side of the connection is assumed to originate and ter...

Page 17: ...ress 10 27 65 89 Subnet Mask 255 255 254 0 Default Gateway 10 27 64 1 Burned In MAC Address 00FF F2A3 6688 Network Configuration Protocol Current DHCP Management VLAN ID 4086 Routing Interfaces Netdir Multi Interface IP Address IP Mask Bcast CastFwd Simple Network Time Protocol SNTP Overview The SNTP implementation has the following features Used for synchronizing network resources Adaptation of N...

Page 18: ...ameters client Configure the SNTP client parameters server Configure SNTP server parameters trusted key Authenticate the identity of a system to which SNTP will synchronize unicast Configure SNTP client unicast parameters Example 2 Configuring the SNTP Server console config sntp server ipaddress domain name Enter SNTP server address or the domain name console config sntp server 192 168 10 25 key A...

Page 19: ...etwork Time Protocol SNTP console show sntp configuration Polling interval 64 seconds MD5 Authentication keys Authentication is not required for synchronization Trusted keys No trusted keys Unicast clients Enable Unicast servers Server Key Polling Priority 192 168 0 1 Disabled Enabled 1 console show sntp status Unicast servers Server Status Last response 192 168 10 25 Unknown 00 00 00 Jan 1 1970 ...

Page 20: ... Examples The following are examples of the commands used in the Syslog feature Example 1 Viewing Logging Information console show logging Logging is enabled Console Logging level warning Console Messages 230 Dropped Buffer Logging level info Buffer Messages 230 Logged File Logging level notActive File Messages 0 Dropped CLI Command Logging disabled 130 JAN 01 00 00 06 0 0 0 0 1 UNKN 0x800023 boot...

Page 21: ...ing File console show logging file Persistent Logging disabled Persistent Log Count 0 Example 5 Configuring Syslog Server console config logging buffered Buffered In Memory Logging Configuration cli command CLI Command Logging Configuration console Console Logging Configuration facility Syslog Facility Configuration file Configure logging file parameters on Enable logging to all supporting destina...

Page 22: ...eature lets you specify an alphanumeric interface identifier that can be used for SNMP network management CLI Example Use the commands shown below for the Port Description feature Example 1 Enter a Description for a Port This example specifies the name Test for port 1 g17 console configure console config interface ethernet 1 g17 console config if 1 g17 description Test console config if 1 g17 exit...

Page 23: ...ntrol level also enables that form of storm control Disabling a storm control level using the no version of the command sets the storm control level back to default value and disables that form of storm control Using the no version of the storm control command not stating a level disables that form of storm control but maintains the configured level to be active next time that form of storm contro...

Page 24: ...oadcast level rate Enter the storm control threshold as percent of port speed Percent of port speed is converted to PacketsPerSecond based on 512 byte average packet size and applied to HW Refer to documentation for further details console config if 1 g17 storm control broadcast level 7 Example 2 Set Multicast Storm Control for an Interface console config if 1 g17 storm control multicast level 8 E...

Page 25: ...owing statuses are returned Normal The cable is working correctly Open The cable is disconnected or there is a faulty connector Short There is an electrical short in the cable Cable Test Failed The cable status could not be determined The cable may in fact be working The command also returns a cable length estimate if this feature is supported by the PHY for the current link speed The length is di...

Page 26: ...d 1 g5 Test has not been performed More or q uit NOTE You can also run a cable test using the Web Interface In the navigation tree click System Diagnostics Example 2 Show Copper Cable Length Use the show copper ports cable length command in Privileged EXEC mode to display the estimated copper cable length attached to a port The following example displays the estimated copper cable length attached ...

Page 27: ...r ports optical transceiver command in Privileged EXEC mode to display the optical transceiver diagnostics NOTE The show fiber ports command is only applicable to the SFP combo ports and XFP ports not the ports on the SFP plug in module The following example displays the optical transceiver diagnostics console show fiber ports optical transceiver Port Temp Voltage Current Output Input TX LOS Power...

Page 28: ...28 System Configuration ...

Page 29: ...des better administration security and management of multicast traffic A VLAN is a set of end stations and the switch ports that connect them You can have many reasons for the logical division for example department or project membership The only physical requirement is that the end station and the port to which it is connected both belong to the same VLAN Each VLAN in a network has an associated ...

Page 30: ...ide protection between ports located on different switches For information about authenticated unauthenticated and guest VLANs see 802 1X Authentication and VLANs on page 109 VLAN Configuration Example The diagram in this section shows a switch with four ports configured to handle the traffic for two VLANs Port 1 g18 handles traffic for both VLANs while port 1 g17 is a member of VLAN 2 only and po...

Page 31: ...assign ports to VLAN2 specify that frames will always be transmitted tagged from all member ports and that untagged frames will be rejected on receipt console config interface ethernet 1 g17 console config if 1 g17 switchport mode general console config if 1 g17 switchport general allowed vlan add 2 console config if 1 g17 switchport general acceptable frame type tagged only console config if 1 g1...

Page 32: ...e config interface ethernet 1 g20 console config if 1 g20 switchport general allowed vlan add 3 Example 4 Assign VLAN3 as the Default VLAN This example shows how to assign VLAN 3 as the default VLAN for port 1 g18 console config interface ethernet 1 g18 console config if 1 g18 switchport general pvid 3 Example 5 Assign IP Addresses to VLAN 2 In order for the VLAN to function as a routing interface...

Page 33: ...roadcasts Disable Proxy ARP Enable Local Proxy ARP Disable Active State Inactive Link Speed Data Rate 10 Half MAC Address 00FF F2A3 888A Encapsulation Type Ethernet IP MTU 1500 Web Interface Use the following screens to perform the same configuration using the Web Interface Switching VLAN Membership To create VLANs and specify port participation Switching VLAN Port Settings To specify the PVID and...

Page 34: ...that all hosts with IP addresses in the 192 168 25 0 24 network are members of VLAN 10 console configure console config vlan database console config vlan vlan association subnet 192 168 25 0 255 255 255 0 10 Example 2 Associate an IP Address with a VLAN This example shows how to configure the switch so a host with an IP addresses of 192 168 1 11 is a member of VLAN 10 console configure console con...

Page 35: ...e same group even if they have the same VLAN membership Protected ports can forward traffic to unprotected ports Unprotected ports can forward traffic to both protected and unprotected ports You can also configure groups of protected ports but unprotected ports are independent and cannot be added to a group Each group s configuration consists of a name and a mask of ports A port can belong to only...

Page 36: ...onfig switchport protected 1 name PP_Test console config interface ethernet 1 g17 console config if 1 g17 switchport protected 1 console config if 1 g17 exit console config interface ethernet 1 g18 console config if 1 g18 switchport protected 1 console config if 1 g18 exit console config exit Example 2 Viewing Protected Port Group 1 console show switchport protected 1 Name PP_Test 1 g17 1 g18 ...

Page 37: ... CDP DHCP or LLDP MED The voice traffic is sent to the switch tagged The setup protocols CDP DHCP etc are not tagged Using Voice VLAN When an IP phone is connected to the switch the voice traffic from the phone and the data traffic from the network could potentially deteriorate the voice quality You can overcome this in multiple ways using different options in Voice VLAN You can configure the swit...

Page 38: ...nent of the presence and absence of a VoIP phone on the network The Voice VLAN component interacts with LLDP MED for applying VLAN ID priority and tag information to the VoIP phone traffic For release 2 0 and earlier the Voice VLAN feature can only be used by IP phones that support LLDP MED e g 4610SW Avaya phones Example 1 Configuring Voice VLAN The commands in this example create a VLAN for voic...

Page 39: ...entication Then port 1 g10 is configured with MAC based port authentication to allow authentication for multiple hosts on the same port see Example 2 MAC Based Authentication Mode on page 108 for more information Next Voice VLAN is enabled on the port with the Voice VLAN ID set to 25 Finally Voice VLAN authentication is disabled on port 1 g10 because the phone connected to that port does not suppo...

Page 40: ... a multicast routing protocol on the switch such as PIM SM In this case you can enable both IGMP and IGMP Snooping so that the switch routes IGMP traffic between VLANs and examines the IGMP packets for join and leave information For information about configuring the PowerConnect 6200 Series switch as a mutlicast router that also performs IGMP snooping see Multicast Routing and IGMP Snooping on pag...

Page 41: ...e IGMP on the switch console config ip igmp snooping 5 Configure port 1 g5 as a member of VLAN 100 console config interface ethernet 1 g5 console config if 1 g5 switchport access vlan 100 console config if 1 g5 exit 6 Configure port 1 g10 as a member of VLAN 100 console config interface ethernet 1 g10 console config if 1 g10 switchport access vlan 100 console config if 1 g10 exit 7 Configure port ...

Page 42: ... g5 100 0100 5E01 0102 Dynamic 1 g10 Forbidden ports for multicast addresses Vlan MAC Address Ports 100 0100 5E01 0101 100 0100 5E01 0102 When the video server sends multicast data to group 225 1 1 1 port 1 g5 participates and receives multicast traffic but port 1 g10 does not participate because it is a member of a different multicast group Without IGMP snooping all ports that are members of VLAN...

Page 43: ... can send queries When the IGMP snooping querier is enabled the IGMP snooping querier sends out periodic IGMP queries that trigger IGMP report messages from the switch that wants to receive IP multicast traffic The IGMP snooping feature listens to these IGMP reports to establish appropriate forwarding CLI Examples The following examples show commands to use with the IGMP Snooping Querier feature E...

Page 44: ...sion 2 Querier Query Interval 100 Querier Expiry Interval 100 Example 4 Enable IGMP Snooping Querier on a VLAN To configure IGMP Snooping Querier on a VLAN enter VLAN Database mode The first ip igmp snooping command in this example enables the IGMP snooping querier on VLAN 10 The second ip igmp snooping command specifies the IP address that the snooping querier switch should use as source address ...

Page 45: ...ires high bandwidth and reliability or to provide a higher bandwidth connection to a public network You can configure the port channels as either dynamic or static Dynamic configuration uses the IEEE 802 3ad standard which provides for the periodic exchanges of LACPDUs Static configuration is used when connecting the switch to an external switch that does not support the exchange of LACPDUs The fe...

Page 46: ...G to a server and to a Layer 3 switch Figure 3 3 shows the example network Figure 3 3 LAG Port channel Example Network Diagram Subnet 3 Port 1 0 8 LAG_20 Layer 2 Switch Port 1 0 9 LAG_20 Server Port 1 0 2 LAG_10 Port 1 0 3 LAG_10 Layer 3 Switch Subnet 3 Subnet 2 Port 1 g18 LAG_1 Port 1 g19 LAG_1 Port 1 g23 LAG_2 Port 1 g24 LAG_2 ...

Page 47: ...g18 channel group 1 mode auto console config if 1 g18 exit console config interface ethernet 1 g19 console config if 1 g19 channel group 1 mode auto console config if 1 g19 exit console config interface ethernet 1 g23 console config if 1 g23 channel group 2 mode auto console config if 1 g238 exit console config interface ethernet 1 g24 console config if 1 g24 channel group 2 mode auto console conf...

Page 48: ... No Configured Ports 3 ch13 No Configured Ports 3 ch14 No Configured Ports 3 ch15 No Configured Ports 3 ch16 No Configured Ports 3 ch17 No Configured Ports 3 ch18 No Configured Ports 3 ch19 No Configured Ports 3 ch20 No Configured Ports 3 At this point the LAGs could be added to the default management VLAN Web Interface Configuration LAGs Port channels To perform the same configuration using the G...

Page 49: ... transmitted can be mirrored to the destination port CLI Examples The following are examples of the commands used in the Port Mirroring feature Example 1 Set up a Port Mirroring Session The following command sequence enables port mirroring and specifies a source and destination ports console configure console config monitor session 1 mode console config monitor session 1 source interface 1 g7 rx M...

Page 50: ...ddresses is 100 After the limit is reached additional MAC addresses are not learned Only frames with an allowable source MAC address are forwarded Static Locking User manually specifies a list of static MAC addresses for a port Operation Port Security Helps secure network by preventing unknown devices from forwarding packets When link goes down all dynamically locked addresses are freed If a speci...

Page 51: ...ses max Configure the maximum addresses that can be learned on the port trap Sends SNMP Traps and specifies the minimum time between consecutive traps console config if 1 g18 port security Example 2 Show Port Security console show ports security addresses Addresses ethernet Ethernet port port channel Link Aggregation interface cr Press enter to execute the command Example 3 Show Port Security on a...

Page 52: ...to specify switch wide notification interval and timers for all LLDP interfaces console config lldp notification interval Configure minimum interval to send remote data change notifications timers Configure the LLDP global timer values console config lldp notification interval 1000 console config lldp timers hold 8 reinit 5 console config exit Example 2 Set Interface LLDP Parameters The following ...

Page 53: ...ld Multiplier 8 Reinit Delay 5 seconds Notification Interval 1000 seconds Example 4 Show Interface LLDP Parameters console show lldp interface 1 g10 LLDP Interface Configuration Interface Link Transmit Receive Notify TLVs Mgmt 1 g10 Down Enabled Enabled Disabled Y TLV Codes 0 Port Description 1 System Name 2 System Description 3 System Capabilities ...

Page 54: ...are with Nessus version 2 0 10 Nessus is a widely used vulnerability assessment tool PowerConnect 6200 Series software provides a number of features that help a network administrator protect networks against DoS attacks There are 6 available types of attacks which can be monitored for and blocked Each type of attack is represented by a dos control command keyword console config dos control firstfr...

Page 55: ...auses the switch to drop ICMP packets that have a type set to ECHO_REQ ping and a size greater than the configured ICMP Pkt Size l4port Enabling L4 Port DoS prevention causes the switch to drop packets that have TCP UDP source port equal to TCP UDP destination port sipdip Enabling SIP DIP DoS prevention causes the switch to drop packets that have a source IP address equal to the destination IP add...

Page 56: ...g enforces the following security rules DHCP packets from a DHCP server DHCPOFFER DHCPACK DHCPNAK DHCPRELEASEQUERY are dropped if received on an untrusted port DHCPRELEASE and DHCPDECLINE messages are dropped if for a MAC addresses in the snooping database but the binding s interface is other than the interface where the message was received On untrusted interfaces the switch drops DHCP packets wi...

Page 57: ...ing from DHCP DISCOVER and REQUEST messages Tentative bindings tie a client to a port the port where the DHCP client message was received Tentative bindings are completed when DHCP snooping learns the client s IP address from a DHCP ACK message on a trusted port DHCP snooping removes bindings in response to DECLINE RELEASE and NACK messages DHCP Snooping application ignores the ACK messages as rep...

Page 58: ...s Client IP address Time when client lease expires Client VLAN ID Client port DHCP snooping can be configured on switching VLANs and routing VLANs When a DHCP packet is received on a routing VLAN the DHCP snooping application applies its filtering rules and updates the bindings database If a client message passes filtering rules the message is placed into the software forwarding path where it may ...

Page 59: ... a VLAN console config ip dhcp snooping vlan 1 console config exit console Example 3 Enable DHCP snooping s Source MAC verification console config ip dhcp snooping verify mac address console config exit Example 4 Configure DHCP snooping database remote storage parameters console config ip dhcp snooping database tftp 10 131 11 1 dsDb txt console config console config exit Example 5 Configure DHCP s...

Page 60: ...gure an interface as DHCP snooping trusted console config if 1 g1 ip dhcp snooping trust console config if 1 g1 exit Example 8 Configure rate limiting on an interface console config if 1 g1 ip dhcp snooping limit rate 50 burst interval 1 console config if 1 g1 exit Example 9 Configure a DHCP snooping static binding entry console config ip dhcp snooping binding 00 01 02 03 04 05 vlan 1 10 131 11 1 ...

Page 61: ...d DHCP snooping source MAC verification is enabled DHCP snooping is enabled on the following VLANs 1 Interface Trusted Log Invalid Pkts 1 g1 Yes Yes 1 g2 No No 1 g3 No No 1 g4 No No 1 g5 No No 1 g6 No No 1 g7 No No 1 g8 No No 1 g9 No No 1 g10 No No 1 g11 No No 1 g12 No No 1 g13 No No 1 g14 No No More or q uit Interface Trusted Log Invalid Pkts ...

Page 62: ...n 1 g15 No No 1 g16 No No 1 g17 No No 1 g18 No No 1 g19 No No 1 g20 No No 1 g21 No No 1 g22 No No 1 g23 No No 1 g24 No No 1 xg3 No No 1 xg4 No No ch1 No No ch2 No No ch3 No No ch4 No No ch5 No No ch6 No No More or q uit console ...

Page 63: ...oping binding entries Total number of bindings 2 MAC Address IP Address VLAN Interface Type Lease Secs 00 01 02 03 04 05 10 131 11 1 1 1 g2 STATIC 00 02 B3 06 60 80 10 131 11 3 1 1 g2 DYNAMIC 86400 Example 14 Show DHCP Snooping Per Port rate limiting configurations show ip dhcp snooping interfaces Interface Trust State Rate Limit Burst Interval pps seconds 1 g1 Yes 50 1 1 g2 No 15 1 ...

Page 64: ... No 15 1 1 g9 No 15 1 1 g10 No 15 1 1 g11 No 15 1 1 g12 No 15 1 1 g13 No 15 1 1 g14 No 15 1 1 g15 No 15 1 1 g16 No 15 1 1 g17 No 15 1 1 g18 No 15 1 More or q uit 1 g19 No 15 1 1 g20 No 15 1 1 g21 No 15 1 1 g22 No 15 1 1 g23 No 15 1 1 g24 No 15 1 1 xg3 No 15 1 1 xg4 No 15 1 ch1 No 15 1 ch2 No 15 1 ...

Page 65: ...o 15 1 ch10 No 15 1 More or q uit console Example 15 Show DHCP Snooping Per Port Statistics console show ip dhcp snooping statistics Interface MAC Verify Client Ifc DHCP Server Failures Mismatch Msgs Rec d 1 g2 0 0 0 1 g3 0 0 0 1 g4 0 0 0 1 g5 0 0 0 1 g6 0 0 0 1 g7 0 0 0 1 g8 0 0 0 1 g9 0 0 0 1 g10 0 0 0 ...

Page 66: ...g15 0 0 0 1 g16 0 0 0 1 g17 0 0 0 1 g18 0 0 0 1 g19 0 0 0 1 g20 0 0 0 More or q uit 1 g21 0 0 0 1 g22 0 0 0 1 g23 0 0 0 1 g24 0 0 0 1 xg3 0 0 0 1 xg4 0 0 0 ch1 0 0 0 ch2 0 0 0 ch3 0 0 0 ch4 0 0 0 ch5 0 0 0 ch6 0 0 0 ch7 0 0 0 ch8 0 0 0 ch9 0 0 0 ch10 0 0 0 ch11 0 0 0 ch12 0 0 0 ...

Page 67: ... activity enabling effective management and control of network resources Overview As illustrated in Figure 3 5 the sFlow monitoring system consists of sFlow Agents embedded in a switch router or standalone probe and a central sFlow Collector sFlow Agents use sampling technology to capture traffic statistics from monitored devices sFlow datagrams forward sampled traffic statistics to the sFlow Coll...

Page 68: ...ithin an sFlow Agent Both types of samples are combined in sFlow datagrams Packet Flow Sampling creates a steady but random stream of sFlow datagrams that are sent to the sFlow Collector Counter samples may be taken opportunistically to fill these datagrams To perform Packet Flow Sampling an sFlow Sampler Instance is configured with a Sampling Rate Packet Flow sampling results in the generation of...

Page 69: ...ed the sFlow Agent examines the list and adds counters to the sample datagram least recently sampled first Counters are only added to the datagram if the sources are within a short period 5 seconds say of failing to meet the required Sampling Interval Periodically say every second the sFlow Agent examines the list of counter sources and sends any counters that must be sent to meet the sampling int...

Page 70: ... 1 Address Type 1 Port 560 Datagram Version 5 Maximum Datagram Size 500 Example 5 Show sFlow sampling for receiver index 1 console show sflow 1 sampling Sampler Receiver Packet Max Header Data Source Index Sampling Rate Size 1 g1 1 1500 50 1 g2 1 1500 50 1 g3 1 1500 50 1 g4 1 1500 50 1 g5 1 1500 50 1 g6 1 1500 50 1 g7 1 1500 50 1 g8 1 1500 50 1 g9 1 1500 50 1 g10 1 1500 50 1 g15 1 1500 50 ...

Page 71: ...how sFlow polling for receiver index 1 console show sflow 1 polling Poller Receiver Poller Data Source Index Interval 1 g1 1 200 1 g2 1 200 1 g3 1 200 1 g4 1 200 1 g5 1 200 1 g6 1 200 1 g7 1 200 1 g8 1 200 1 g9 1 200 1 g10 1 200 1 g15 1 400 ...

Page 72: ...72 Switching Configuration ...

Page 73: ...nstructions for the following routing features VLAN Routing on page 74 Virtual Router Redundancy Protocol on page 77 Proxy Address Resolution Protocol ARP on page 80 OSPF on page 81 Routing Information Protocol on page 92 Route Preferences on page 95 Loopback Interfaces on page 99 IP Helper on page 100 ...

Page 74: ...ith two ports participating in one VLAN and one port in the other The script shows the commands you would use to configure PowerConnect 6200 Series software to provide the VLAN routing support shown in the diagram Figure 4 1 VLAN Routing Example Network Diagram Example 1 Create Two VLANs The following code sequence shows an example of creating two VLANs with egress frame tagging enabled console co...

Page 75: ...eneral console config if 1 g1 switchport general allowed vlan add 10 console config if 1 g1 switchport general pvid 10 console config if 1 g1 exit console configure console config interface ethernet 1 g2 console config if 1 g2 switchport mode general console config if 1 g2 switchport general allowed vlan add 10 console config if 1 g2 switchport general pvid 10 console config if 1 g2 exit console c...

Page 76: ...vlan20 ip address 192 150 4 1 255 255 255 0 console config if vlan20 exit Example 4 Enable Routing for the Switch In order for the VLAN to function as a routing interface you must enable routing on the VLAN and on the switch console config ip routing Using the Web Interface to Configure VLAN Routing Use the following screens to perform the same configuration using the Web Interface Switching VLAN ...

Page 77: ...uter is the master router at any given time A given VLAN routing interface may appear as more than one virtual router to the network Also more than one VLAN routing interface on a switch may participate in a virtual router CLI Examples This example shows how to configure the switch to support VRRP Router 1 is the default master router for the virtual route and Router 2 is the backup router NOTE Th...

Page 78: ...he IP address that the virtual router function will recognize The interface IP address is the same as the virtual IP address This means the router is the interface owner and therefore has a priority of 255 which guarantees that it is the master console config if vlan50 ip vrrp 20 ip 192 150 2 1 6 Start the virtual router on the interface console config if vlan50 ip vrrp 20 mode console config if v...

Page 79: ... the backup console config if vlan50 ip vrrp 20 priority 250 7 Start the virtual router on the interface console config if vlan50 ip vrrp 20 mode console config if vlan50 exit Using the Web Interface to Configure VRRP Use the following screens to perform the same configuration using the Graphical User Interface Routing IP Configuration To enable routing for the switch Routing IP Interface Configur...

Page 80: ...uter responds to an ARP request only if the target IP address is an address configured on the interface where the ARP request arrived CLI Examples The following are examples of the commands used in the proxy ARP feature Example 1 Enabling Proxy ARP To enable IP Proxy ARP console config console config interface vlan 10 console config if vlan10 routing console config if vlan10 ip proxy arp console c...

Page 81: ...d in this section Areas and Topology The top level of the hierarchy of an OSPF network is known as an autonomous system AS or routing domain and is a collection of networks with a common administration and routing strategy The AS is divided into areas Routers within an area must share detailed information on the topology of their area but require less detailed information about the topology of oth...

Page 82: ...his information on the backbone Area border routers ABRs connect areas to the OSPF backbone in the case of virtual links the an ABR may connect to another ABR that provides a direct connection to Area 0 An ABR is a member of each area it connects to Internal routers IRs route traffic within an area When two routers in an area discover each other through OSPF Hello messages they are called OSPF nei...

Page 83: ... external type 2 route is the cost advertised by the ASBR in its external LSA NOTE The following example uses the CLI to configure OSPF You can also use the Web interface Click Routing OSPF or IPv6 OSPFv3 in the navigation tree CLI Examples Example 1 Configuring an OSPF Border Router and Setting Interface Costs The following example shows you how to configure an OSPF border router areas and interf...

Page 84: ...it config interface vlan 70 routing ipv6 enable exit interface vlan 80 routing ipv6 address 2002 1 64 exit interface vlan 90 routing ipv6 address 2003 1 64 exit exit Specify a router ID Disable 1583 compatibility to prevent a routing loop IPv4 only config router ospf router id 192 150 9 9 no 1583compatibility exit exit config ipv6 router ospf router id 1 1 1 1 exit exit OSPF is globally enabled by...

Page 85: ... OSPF configuration config interface vlan 70 ip ospf area 0 0 0 0 ip ospf priority 128 ip ospf cost 32 exit interface vlan 80 ip ospf area 0 0 0 2 ip ospf priority 255 ip ospf cost 64 exit interface vlan 90 ip ospf area 0 0 0 2 ip ospf priority 255 ip ospf cost 64 exit exit config interface vlan 70 ipv6 ospf ipv6 ospf areaid 0 0 0 0 ipv6 ospf priority 128 ipv6 ospf cost 32 exit interface vlan 80 i...

Page 86: ...on the interfaces OSPF is enabled on the IPv4 interface in the next code group interface vlan 6 routing ip address 10 2 3 3 255 255 255 0 ipv6 address 3000 2 3 64 eui64 ip ospf area 0 0 0 0 ipv6 ospf exit interface vlan 12 routing ip address 10 3 100 3 255 255 255 0 Router B ABR 5 5 5 5 10 1 2 2 24 3000 1 2 64 eui64 10 2 4 2 3000 2 4 64 10 2 3 2 3000 2 3 64 Area 1 0 0 0 1 Stub IR 5 3 0 0 ASBR 5 1 ...

Page 87: ...onfigure ipv6 unicast routing ipv6 route 3000 44 44 64 3000 2 3 210 18ff fe82 c14 ip route 10 23 67 0 255 255 255 0 10 2 3 3 On VLANs 10 5 and 17 configure IPv4 and IPv6 addresses and enable OSPF For IPv6 associate VLAN 10 with Area 1 and VLAN 17 with Area 2 OSPF is enabled on the IPv4 VLAN routing interface in the next code group interface vlan 10 routing ip address 10 1 2 2 255 255 255 0 ipv6 ad...

Page 88: ...uted via OSPF router ospf router id 2 2 2 2 area 0 0 0 1 stub area 0 0 0 2 nssa network 10 1 2 0 0 0 0 255 area 0 0 0 1 network 10 2 3 0 0 0 0 255 area 0 0 0 0 network 10 2 4 0 0 0 0 255 area 0 0 0 2 redistribute static metric 1 subnets exit For IPv6 Define an OSPF router Define Area 1 as a stub and area 2 as a Not So Stubby Area NSSA Configure a metric cost to associate with static routes when th...

Page 89: ...milar to those for Router A in the previous example console configure ipv6 unicast routing ip routing exit ipv6 router ospf router id 3 3 3 3 exit interface vlan 5 routing ip address 10 2 3 3 255 255 255 0 ipv6 address 3000 2 3 64 eui64 ipv6 ospf exit Router B ABR 4 4 4 4 Virtual Link 10 1 101 1 3000 1 101 64 10 1 2 2 24 3000 1 2 64 eui64 10 2 3 2 3000 2 3 64 Area 2 0 0 0 2 IR 5 3 0 0 Area 1 0 0 0...

Page 90: ...vlan 7 routing ip address 10 1 2 2 255 255 255 0 ipv6 address 3000 1 2 211 88FF FE2A 3CB3 64 eui64 ipv6 ospf ipv6 ospf areaid 1 exit router ospf router id 4 4 4 4 area 0 0 0 1 virtual link 5 5 5 5 network 10 2 3 0 0 0 0 255 area 0 0 0 0 network 10 1 2 0 0 0 0 255 area 0 0 0 1 exit ipv6 router ospf router id 4 4 4 4 area 0 0 0 1 virtual link 5 5 5 5 exit exit Configure Router C Router C is a ABR th...

Page 91: ...an 11 routing ip address 10 1 101 1 255 255 255 0 ipv6 address 3000 1 101 64 eui64 ipv6 ospf ipv6 ospf areaid 2 exit ipv6 router ospf router id 5 5 5 5 area 0 0 0 1 virtual link 4 4 4 4 exit router ospf router id 5 5 5 5 area 0 0 0 1 virtual link 4 4 4 4 network 10 1 2 0 0 0 0 255 area 0 0 0 1 network 10 1 101 0 0 0 0 255 area 0 0 0 2 exit exit ...

Page 92: ...ter an additional 120 seconds There are two versions of RIP RIP 1 defined in RFC 1058 Routes are specified by IP destination network and hop count The routing table is broadcast to all stations on the attached network RIP 2 defined in RFC 1723 Route specification is extended to include subnet mask and gateway The routing table is sent to a multicast address reducing network traffic An authenticati...

Page 93: ...or the switch console config ip routing exit Example 2 Enable Routing for Ports The following command sequence enables routing and assigns IP addresses for VLAN 2 and VLAN 3 console config interface vlan 2 routing ip address 192 150 2 2 255 255 255 0 exit interface vlan 3 routing ip address 192 130 3 1 255 255 255 0 exit exit Subnet 3 Subnet 5 Subnet 2 Port 1 0 2 192 150 2 2 Port 1 0 3 192 130 3 1...

Page 94: ...nd only RIP 2 formatted frames console config interface vlan 2 ip rip ip rip receive version both ip rip send version rip2 exit interface vlan 3 ip rip ip rip receive version both ip rip send version rip2 exit exit Using the Web Interface to Configure RIP Use the following screens to perform the same configuration using the Graphical User Interface Routing IP Configuration To enable routing for th...

Page 95: ... from two different sources the metrics do not provide a means of choosing the best route for your network The PowerConnect 6200 Series switch enables you to identify the preferred route type by assigning an administrative preference value to each type The values are arbitrary 1 to 255 however a route type that has a lower value is preferred over higher value types Local routes are assigned an adm...

Page 96: ... preference value of 1 The following command changes this default console Config ip route distance 20 exit When you configure a static route you can assign a preference value to it The preference overrides the setting inherited as the default value for static routes In this example two static routes are defined to the same destination but with different next hops and different preferences 25 and 3...

Page 97: ...ause Link A to be overloaded while Link B is not used at all Figure 4 7 Forwarding Without ECMP With ECMP Router A can forward traffic to some destinations in Network D via Link A and traffic to other destinations in Network D via Link B thereby taking advantage of the bandwidth of both links A hash algorithm is applied to the destination IP addresses to provide a mechanism for selecting among the...

Page 98: ...table will not combine the OSPF and static routes into a single route to 20 0 0 0 8 with two next hops All next hops within an ECMP route must be provided by the same source An ECMP route contains only next hops whose paths to the destination are of equal cost Referring to Figure 4 8 if OSPF were configured on all links but Router A s interface to the 10 1 1 x network had an OSPF link cost of 5 an...

Page 99: ... The address on a loopback behaves identically to any of the local addresses of the router in terms of the processing of incoming packets This interface provides the source address for sent packets and can receive both local and remote packets NOTE The following example uses the CLI to configure a loopback interface You can also use the Web interface Click Routing Loopbacks in the navigation tree ...

Page 100: ...ed for the same interface and UDP port in which case the relay agent relays matching packets to each server address Interface configuration takes priority over global configuration If the destination UDP port for a packet matches any entry on the ingress interface the packet is handled according to the interface configuration If the packet does not match any entry on the ingress interface the pack...

Page 101: ... relay agent only relays broadcast packets from the client to the server Packets from the server back to the client are assumed to be unicast directly to the client Because there is no relay in the return direction for protocols other than DHCP the relay agent retains the source IP address from the original client packet The relay agent uses a local IP address as the source IP address of relayed D...

Page 102: ... helper enable Example 2 Configure IP Helper Globally DHCP To relay DHCP packets received on any interface to two DHCP servers 10 1 1 1 and 10 1 2 1 use the following commands console config ip helper address 10 1 1 1 dhcp console config ip helper address 10 1 2 1 dhcp Example 3 Enable IP Helper Globally UDP To relay UDP packets received on any interface for all default ports Table 2 to the server...

Page 103: ...ny interface other than VLAN 200 and VLAN 300 to 192 168 40 1 DHCP and DNS packets received on VLAN 200 to 192 168 40 2 SNMP traps port 162 received on interface VLAN 300 to 192 168 23 1 Drops DHCP packets received on VLAN 300 console config ip helper address 192 168 40 1 dhcp console config interface vlan 200 console config if vlan200 ip helper address 192 168 40 2 dhcp console config if vlan200 ...

Page 104: ... 0 vlan 300 162 No 0 192 168 23 1 Any Default No 0 20 1 1 1 Any dhcp No 0 10 1 1 1 10 1 2 1 Example 8 Show IP Helper Statistics The following command shows IP Helper configurations console show ip helper statistics DHCP client messages received 8 DHCP client messages relayed 2 DHCP server messages received 2 DHCP server messages relayed 2 UDP client messages received 8 UDP client messages relayed ...

Page 105: ...ng features 802 1x Network Access Control on page 106 802 1X Authentication and VLANs on page 109 Authentication Server Filter Assignment on page 111 Access Control Lists ACLs on page 111 RADIUS on page 117 TACACS on page 120 802 1x MAC Authentication Bypass MAB on page 122 Captive Portal on page 125 ...

Page 106: ...t on behalf of the Authenticator Completion of an authentication exchange requires all three roles The PowerConnect 6200 Series switch supports the authenticator role only in which the PAE is responsible for communicating with the supplicant The authenticator PAE is also responsible for submitting information received from the supplicant to the authentication server in order for the credentials to...

Page 107: ...e config radius server key secret console config exit console show radius servers IP address Type Port TimeOut Retran DeadTime Source IP Prio Usage 10 27 5 157 Auth 1812 Global Global Global 10 27 65 13 0 all Global values Configured Authentication Servers 1 Configured Accounting Servers 0 Named Authentication Server Groups 1 Named Accounting Server Groups 0 Timeout 3 Retransmit 3 Deadtime 0 Sourc...

Page 108: ...to 3 The switchport mode general command sets the port to an 802 1Q VLAN The port must be in general mode in order to enable MAC based 802 1X authentication console configure console config interface ethernet 1 g8 console config if 1 g8 switchport mode general console config if 1 g8 dot1x port control mac based console config if 1 g8 dot1x max users 3 console config if 1 g8 exit console config exi...

Page 109: ...s to the network or placed on a quarantine VLAN with limited network access Much of the configuration to assign hosts to a particular VLAN takes place on the RADIUS server or 802 1X authenticator If you use an external RADIUS server to manage VLANs you configure the server to use Tunnel attributes in Access Accept messages in order to inform the switch about the selected VLAN These attributes are ...

Page 110: ...tatus Disabling the supplicant mode does not clear the ports that are already authorized and assigned Guest VLAN IDs CLI Examples The following examples show how to configure the switch to accept RADIUS assigned VLANs and Guest VLANs The examples assume that the RADIUS server and VLAN information has already been configured on the switch For information on configuring VLANs see Virtual LANs on pag...

Page 111: ...y specified in the attribute must already be configured on the switch and the policy names must be identical For information about configuring a DiffServ policy see Differentiated Services on page 143 The section Example 1 DiffServ Inbound Configuration on page 144 describes how to configure a policy named internet_access NOTE If the policy specified within the server attribute does not exist on t...

Page 112: ...countered on a specific interface is replicated on another interface You can set up ACLs to control traffic at Layer 2 Layer 3 or Layer 4 MAC ACLs operate on Layer 2 IP ACLs operate on Layers 3 and 4 Limitations The following limitations apply to ingress and egress ACLs Maximum of 100 ACLs Maximum rules per ACL is 127 You can configure mirror or redirect attributes for a given ACL rule but not bot...

Page 113: ...mitation is only applicable if the conflicting ACLs are within the same unit The restriction is explained below ACL 1 permit tcp destination port 3000 deny all ACL 2 drop ip source 10 1 1 1 permit all ACL 1 is applied on port 1 and ACL 2 is applied on port 2 Due to this limitation all the packets egressing port 2 with Source IP 10 1 1 1 and tcp source port 3000 will be permitted even though they s...

Page 114: ... following fields within a packet Destination IP with wildcard mask Destination L4 Port Every Packet IP DSCP IP Precedence IP TOS Protocol Source IP with wildcard mask Source L4 port Destination Layer 4 port ACL Configuration Process To configure ACLs follow these steps 1 Create an ACL Create a MAC ACL by specifying a name Create an IP ACL by specifying a number 2 Add new rules to the ACL 3 Config...

Page 115: ...ules one applicable to TCP traffic and one to UDP traffic The content of the two rules is the same TCP and UDP packets will only be accepted by the PowerConnect 6200 Series switch if the source and destination stations have IP addresses that fall within the defined sets Figure 5 2 IP ACL Example Network Diagram ...

Page 116: ...a MAC ACL that denies traffic with any MAC address access to hosts with a MAC address of 00 11 22 33 XX XX where XX is any hexadecimal value 1 F The log parameter specifies that the system should keep track of the number of times the rule is applied to traffic that meets the rule criteria When a frame entering the port matches the rule the rule hit counter increments Every five minutes the ACL app...

Page 117: ...be configured with the same shared password or secret This secret is used to generate one way encrypted authenticators that are present in all RADIUS packets The secret is never transmitted over the network RADIUS conforms to a secure communications client server model using UDP as a transport protocol It is extremely flexible supporting a variety of methods to authenticate and statistically track...

Page 118: ...1234 Service Type NAS Prompt User enable Auth Type Local User Password pass5678 Service Type Administrative User The values for the Service Type attribute are as follows NAS Prompt User indicates the user should be provided a command prompt on the NAS from which nonprivileged commands can be executed Administrative User indicates the user should be granted access to the administrative interface to...

Page 119: ...ch honors and either allows or does not allow the user to access the switch If neither of the two servers can be contacted the switch searches its local user database for the user console config radius server host 10 10 10 10 console Config radius key secret1 console Config radius priority 1 console Config radius exit console config radius server host 11 11 11 11 console Config radius key secret2 ...

Page 120: ...you configure TACACS as the authentication method for user login the NAS Network Access Server prompts for the user login credentials and requests services from the TACACS client The client then uses the configured list of servers for authentication and provides results back to the NAS You can configure the TACACS server list with one or more hosts defined via their network IP address You can also...

Page 121: ...ntials over an encrypted channel The server then grants or denies access which the switch honors and either allows or does not allow the user to gain access to the switch If neither of the two servers can be contacted the switch searches its local user database for the user console config console config tacacs server host 10 10 10 10 console config key tacacs1 console config exit console config ta...

Page 122: ...period of time for a response Retries resends the EAP Request packet up to three times Considers the client to be dot1x unaware client if it does not receive an EAP response packet from that client The authenticator sends a request to the authentication server with the MAC address of the client in hhhhhhhhhhhh format as the username and the MD5 hash of the Mac address as the password The authentic...

Page 123: ...sole config if 1 g5 dot1x mac auth bypass console config if 1 g5 no dot1x mac auth bypass Client DOT 1x MAB RADIUS Traffic from unknown client Learn MAC EAPOL Timeout Initiate MAB 30 seconds EAPOL Request Identity D 01 80 c2 00 00 03 30 seconds RADIUS Access Accept RADIUS Access Request Client Authentication EAPOL Request Identity D 01 80 c2 00 00 03 30 seconds EAPOL Request Identity D 01 80 c2 00...

Page 124: ... Port Admin Oper Reauth Reauth Mode Mode Control Period 1 g5 mac based Authorized TRUE 300 Quiet Period 60 Transmit Period 30 Maximum Requests 2 Max Users 16 Supplicant Timeout 30 Server Timeout secs 30 MAB mode configured Enabled MAB mode operational Enabled Logical Supplicant AuthPAE Backend VLAN Username Filter Port MAC Address State State Id Id 64 0012 43D1 D19F Authenticated Idle 1 ...

Page 125: ...icated using a Captive Portal mechanism before the client is given access to the network When a wired physical port is enabled for Captive Portal the port is set in a captive portal enabled state all traffic coming into the port from unauthenticated clients are dropped except for the ARP DHCP DNS and NETBIOS packets These packets forwarded by the switch so that the unauthenticated clients can get ...

Page 126: ...ient access and content used to customize the user verification web page A captive portal configuration can be applied to one or more interfaces An interface may only be a physical port on the switch Client Access Authentication and Control User verification can be configured to allow access for guest users users that do not have assigned user names and passwords User verification can also be conf...

Page 127: ...id attribute id Table 5 1 Captive Portal RADIUS Attributes A Captive Portal instance can be configured to use the HTTPS protocol during its user verification process The connection method for HTTPS uses the Secure Sockets Layer SSL protocol which requires a certificate to provide encryption The certificate is presented to the user at connection time The Captive Portal component uses the same certi...

Page 128: ...t can be selected from a drop down list and associated with a specific web page configuration The authentication server generates user verification pages upon receipt of a specific URL request The URL provides an interface identifier that links to the data in the Captive Portal configuration The authentication server reads the associated data to construct and serve the appropriate web page Captive...

Page 129: ...g captive portal console config CP Example 2 Enable Captive Portal To globally enable Captive Portal use the following command Captive Portal configuration mode console config CP enable Example 3 Enable Captive Portal on Additional HTTP Port To configure an additional HTTP port for Captive Portal to monitor use the following command Captive Portal configuration mode console config CP http port 81 ...

Page 130: ...es To show the status of all Captive Portal instances in the system use the following command console show captive portal status Additional HTTP Port 81 Additional HTTP Secure Port 0 Peer Switch Statistics Reporting Interval 300 Authentication Timeout 600 Supported Captive Portals 10 Configured Captive Portals 2 Active Captive Portals 1 System Supported Users 1024 Local Supported Users 128 Authent...

Page 131: ...the configuration change use the following command console show captive portal configuration 1 status CP ID 1 CP Name Default CP Mode Enable Protocol Mode HTTP Verification Mode Local Group ID 1 Group Name Default User Logout Mode Enable URL Redirect Mode Disable Session Timeout 0 Idle Timeout 0 Max Bandwidth Up bytes sec 0 Max Bandwidth Down bytes sec 0 Max Input Octets bytes 0 Max Output Octets ...

Page 132: ...le show captive portal user Session Idle User ID User Name Timeout Timeout Group ID Group Name 1 user1 14400 0 1 Default Example 8 Associate an Interface with a Captive Portal Configuration To associate an interface with a Captive Portal configuration use the following command console configure Config captive portal Config CP configuration 1 console Config CP 1 interface 1 g18 To view the new inte...

Page 133: ...how captive portal configuration 1 client status CP ID 1 CP Name Default Client Client MAC Address IP Address Interface Interface Description 00 12 79 BF 94 7A 192 168 1 10 1 g18 Slot 1 Port 18 Gigabit Level This command shows a statistics for the above client show captive portal client 00 12 79 BF 94 7A statistics Client MAC Address 00 12 79 BF 94 7A Bytes Received 10541 Bytes Transmitted 47447 P...

Page 134: ...134 Device Security ...

Page 135: ...ded for IPv4 NOTE The PowerConnect 6200 Series switch also implements OSPFv3 for use with IPv6 networks These configuration scenarios are included with the OSPFv2 scenarios in OSPF on page 81 Interface Configuration In PowerConnect 6200 Series software IPv6 coexists with IPv4 As with IPv4 IPv6 routing can be enabled on physical and VLAN interfaces Each L3 routing interface can be used for IPv4 IPv...

Page 136: ...The VLAN 15 routing interface on both devices connects to an IPv4 backbone network where OSPF is used as the dynamic routing protocol to exchange IPv4 routes OSPF allows device 1 and device 2 to learn routes to each other from the 20 20 20 x network to the 10 10 10 x network and vice versa The VLAN 2 routing interface on both devices connects to the local IPv6 network OSPFv3 is used to exchange IP...

Page 137: ...source 20 20 20 1 tunnel destination 10 10 10 1 ipv6 ospf ipv6 ospf network point to point exit interface loopback 0 ip address 1 1 1 1 255 255 255 0 exit exit Device 2 console config ip routing ipv6 unicast routing router ospf router id 2 2 2 2 exit ipv6 router ospf router id 2 2 2 2 exit interface vlan 15 routing ip address 10 10 10 1 255 255 255 0 ip ospf area 0 0 0 0 exit interface vlan 2 rout...

Page 138: ...network point to point exit interface tunnel 0 ipv6 address 2001 2 64 tunnel mode ipv6ip tunnel source 10 10 10 1 tunnel destination 20 20 20 1 ipv6 ospf ipv6 ospf network point to point exit interface loopback 0 ip address 2 2 2 2 255 255 255 0 exit exit ...

Page 139: ...sifications you can map this traffic to egress queues by setting up a CoS Mapping table Each ingress port on the switch has a default priority value set by configuring VLAN Port Priority in the Switching sub menu that determines the egress queue its traffic gets forwarded to Packets that arrive without a priority designation or packets from ports you ve identified as untrusted get forwarded accord...

Page 140: ...hted scheduling requires a specification of priority for each queue relative to the other queues based on their minimum bandwidth values Queue Management Type The switch supports the tail drop method of queue management This means that any packet forwarded to a full queue is dropped regardless of its importance CLI Examples Figure 7 1 illustrates the network operation as it relates to CoS mapping ...

Page 141: ... transmission order as seen on the network leading out of Port 1 g8 is B A D C Thus packet B with its higher user precedence than the others is able to work its way through the device with minimal delay and is transmitted ahead of the other packets at the egress port UserPri 3 packet A UserPri 7 packet B untagged packet C UserPri 6 packet D Port 1 0 10 mode trust dot1p 0 2 1 0 2 1 3 5 4 4 5 5 6 5 ...

Page 142: ...erface ethernet 1 g8 cos queue min bandwidth 0 0 5 5 10 20 40 cos queue strict 6 exit exit You can also set traffic shaping parameters for the interface If you wish to shape the egress interface for a sustained maximum data rate of 80 Kbps assuming a 100Mbps link speed you would add a simple configuration line expressing the shaping rate as a percentage of link speed console config interface ether...

Page 143: ...or classifying them It decodes the DSCP in an incoming packet and provides buffering and forwarding services using the appropriate queue management algorithms Before configuring DiffServ on a particular PowerConnect 6200 Series switch you must determine the QoS requirements for the network as a whole in terms of rules which are used to classify inbound traffic on a particular interface The switch ...

Page 144: ...ble bandwidth on the port accessing the Internet Figure 7 3 DiffServ Internet Access Example Network Diagram Example 1 DiffServ Inbound Configuration Ensure DiffServ operation is enabled for the switch console config diffserv Create a DiffServ class of type all for each of the departments and name them Define the match criteria Source IP address for the new classes class map match all finance_dept...

Page 145: ... a different egress queue This is how the DiffServ inbound policy connects to the CoS queue settings established below policy map internet_access in class finance_dept assign queue 1 exit class marketing_dept assign queue 2 exit class test_dept assign queue 3 exit class development_dept assign queue 4 exit exit Attach the defined policy to interfaces 1 g1 through 1 g4 in the inbound direction inte...

Page 146: ...tination address lookup for internet traffic interface ethernet 1 g5 cos queue min bandwidth 0 25 25 25 25 0 0 exit exit DiffServ for VoIP Configuration Example One of the most valuable uses of DiffServ is to support Voice over IP VoIP VoIP traffic is inherently time sensitive for a network to provide acceptable service a guaranteed transmission rate is vital This example shows one way to provide ...

Page 147: ...Quality of Service 147 Figure 7 4 DiffServ VoIP Example Network Diagram ...

Page 148: ...erv code point DSCP of EF expedited forwarding This handles incoming traffic that was previously marked as expedited elsewhere in the network class map match all class_ef match ip dscp ef exit Create a DiffServ policy for inbound traffic named pol_voip then add the previously created classes class_ef and class_voip as instances within this policy This policy handles incoming packets already marked...

Page 149: ...casting contrasts with IP unicasting which sends a separate datagram to each recipient host Hosts must have a way to identify their interest in joining any particular multicast group and routers must have a way to collect and maintain group memberships these functions are handled by the IGMP protocol in IPv4 In IPv6 multicast routers use the Multicast Listener Discover MLD protocol to maintain gro...

Page 150: ...lticast networks multicast routers are configured with IGMP so that they can receive join and leave request from directly connected hosts They use this information to build a multicast forwarding table IPv6 multicast routers use the MLD protocol to perform the functions that IGMP performs in IPv4 networks CLI Example The following example configures IGMP on a PowerConnect 6200 Series switch in ord...

Page 151: ...ies based on the membership information and adds it to the multicast forwarding cache MFC in order not to make the forwarding decision for subsequent multicast packets with same combination of source and group CLI Examples The CLI component of the Dell switch allows the end users to configure the network device and to view device settings and statistics using a serial interface or telnet session E...

Page 152: ...gmp proxy groups detail DVMRP The Distance Vector Multicast Routing Protocol DVMRP is one of several multicast routing protocols you can configure on the switch PIM SM and PIM DM are the others Note that only one multicast routing protocol MRP can be operational on a router at any time DVMRP is an interior gateway protocol i e it is suitable for use within an autonomous system but not between diff...

Page 153: ...o directly connected hosts Next DVMRP is globally enabled Finally DVMRP IGMP and OSPF are enabled on several interfaces console configure router ospf router id 3 3 1 1 exit ip routing ip multicast ip igmp ip dvmrp interface vlan 15 routing ip address 3 3 3 1 255 255 255 0 ip dvmrp ip igmp ip ospf area 0 exit interface vlan 30 routing ip address 1 1 1 1 255 255 255 0 ip dvmrp ip igmp ip ospf area 0...

Page 154: ... which source traffic is relayed to the receivers Senders first send the multicast data to the RP which in turn sends the data down the shared tree to the receivers Shared trees centered on an RP do not necessarily provide the shortest most optimal path In such cases PIM SM provides a means to switch to more efficient source specific trees A data threshold rate is configured to determine when to s...

Page 155: ...ple protocol independent multicast routing protocol It uses existing unicast routing table and join prune graft mechanism to build a tree PIM DM creates source based shortest path distribution trees making use of Reverse Path Forwarding RPF PIM DM cannot be used to build a shared distribution tree as PIM SM can PIM DM assumes that when a sender starts sending data all downstream routers and hosts ...

Page 156: ... senders to many receivers due to frequent flooding High volume of multicast traffic Constant stream of traffic Example PIM DM The following example configures PIM DM for IPv4 on a router First configure an OSPF1 router and globally enable IP routing multicast IGMP and PIM DM Next enable routing IGMP PIM DM and OSPF on one more interfaces console configure router ospf router id 3 3 1 1 exit ip rou...

Page 157: ...VLAN 100 console config vlan ip igmp snooping 100 console config vlan exit 3 Enable routing on the switch console config ip routing 4 Configure VLAN 100 as a VLAN routing interface and assign an IP address and subnet mask console config interface vlan 100 console config if vlan100 routing console config if vlan100 ip address 10 10 10 1 255 255 255 0 5 Enable IGMP and PIM DM on the VLAN routing int...

Page 158: ...AN 200 console config interface ethernet 1 g15 config if 1 g15 switchport access vlan 200 config if 1 g15 exit console config exit The following commands show multicast and routing information before any IGMP joins or multicast data is sent The commands are in bold text console show bridge multicast address table There are currently no entries in the table console show ip route Route Codes R RIP D...

Page 159: ...st data from the host on interface 1 g15 The multicast traffic must be routed because the hosts on 1 g5 and 1 g15 are in different subnets Due to IGMP snooping interface 1 g10 does not send or receive any multicast data even though it is in the same broadcast domain as interface 1 g5 console show bridge multicast address table Vlan MAC Address Type Ports 100 0100 5E01 0101 Dynamic 1 g5 Forbidden p...

Page 160: ...160 Multicast ...

Page 161: ...Utility 161 9 Utility This section describes the following features Auto Config on page 162 Nonstop Forwarding on a Switch Stack on page 168 ...

Page 162: ...twork including DHCP or BOOTP server TFTP server DNS server if necessary IP Address Assignment If BOOTP or DHCP is enabled on the switch and an IP address has not been assigned the switch issues requests for an IP address assignment The behavior of BOOTP or DHCP with respect to IP address assignment is unchanged by the addition of the Auto Config feature That is the following information returned ...

Page 163: ... the specified bootfile If the unicast attempts fail or if a TFTP server address was not provided the switch makes three broadcast requests to any available TFTP server for the specified bootfile A TFTP broadcast request is a simple TFTP request with broadcast destination MAC address ff ff ff ff ff ff and destination IP address 255 255 255 255 NOTE The bootfile is required to have a file type of c...

Page 164: ...sfully completed an administrator can execute a show running config command to validate the contents of configuration Saving a Configuration An administrator must explicitly save the downloaded configuration in non volatile memory This makes the configuration available for the next reboot In the CLI this is performed by issuing copy running config startup config command and should be done after va...

Page 165: ... does not opt to save config the Auto Config process occurs again on a subsequent reboot This may result in one of the previously downloaded files being overwritten Restarting the Auto Config Process The Auto Config process is automatically started on a subsequent reboot if the configuration file is not found on the switch This can occur if configuration has not been saved on the switch or after t...

Page 166: ... status and to stop or restart the feature Logging A message is logged for each of the following events Auto Config component receiving a config file name and other options upon resolving an IP address by DHCP or BOOTP client The boot options values are logged Auto Config component initiating a TFTP request for a boot config file receiving the file or timing out of that request Filenames and serve...

Page 167: ... options Stacking The downloaded configuration file is not distributed across a stack When an administrator saves configuration the config file is distributed across a stack CLI Examples Example 1 Show Auto Config Process To display the current status of the Auto Config process use the following command console show boot Config Download via DHCP enabled Auto Config State Waiting for boot options A...

Page 168: ...during the restart 2 A protocol may enlist the cooperation of its neighbors through a technique known as graceful restart 3 A protocol may simply restart after the failover if neighbors react slowly enough that they will not normally detect the outage Initiating a Failover The NSF feature allows you to initiate a failover which results in a warm restart of the master unit in the stack Initiating a...

Page 169: ...cated clients DHCP server Address bindings persistent DHCP snooping DHCP bindings database DOT1Q Internal VLAN assignments DOT1S Spanning tree port roles port states root bridge etc DOT1X Authenticated clients DOT3ad Port states IGMP MLD Snooping Multicast groups list of router ports last query data for each VLAN IPv6 NDP Neighbor cache entries iSCSI Connections LLDP List of interfaces with MED de...

Page 170: ...surviving units removes LAG members on the failed unit so that it only forwards traffic onto LAG members that remain up If a LAG is left with no active members the LAG goes down To prevent a LAG from going down configure LAGs with members on multiple units within the stack when possible If a stack unit fails the system can continue to forward on the remaining members of the stack If your switch st...

Page 171: ...inks grouped together in a LAG The two LAGs and link between AS1 and AS2 are members of the same VLAN Spanning tree is enabled on the VLAN Assume spanning tree selects AS1 as the root bridge Assume the LAG to AS1 is the root port on the stack and the LAG to AS2 is discarding Unit 1 is the management unit If unit 1 fails the stack removes the unit 1 link to AS1 from its LAG The stack forwards outgo...

Page 172: ... the administrator has not reduced the LLDPDU interval or hold count If phone B is receiving quality of service from policies installed in the hardware those policies are retained across the management unit restart Figure 9 2 NSF and VoIP DHCP Snooping Scenario Figure 9 3 illustrates an L2 access switch running DHCP snooping DHCP snooping only accepts DHCP server messages on ports configured as tr...

Page 173: ...e packets during the restart The DHCP client and server retransmit their DHCP messages until the control plane has resumed operation and messages get through Thus DHCP snooping does not miss any new bindings during a failover As DHCP snooping applies its checkpointed DHCP bindings IPSG confirms the existence of the bindings with the hardware by reinstalling its source IP address filters If Dynamic...

Page 174: ...ardware Figure 9 4 NSF and a Storage Area Network When the management unit fails session A drops The initiator at 10 1 1 10 detects a link down on its primary NIC and attempts to reestablish the session on its backup NIC to a different IP address on the disk array The hardware forwards the packets to establish this new session but assuming the session is established before the control plane is res...

Page 175: ...sole config router nsf The grace LSAs reach the neighbors before they drop their adjacencies with the access router PIM starts sending hello messages to its neighbors on the aggregation routers using a new generation ID to prompt the neighbors to quickly resend multicast routing information PIM neighbors recognize the new generation ID and immediately relay the group state back to the restarting r...

Page 176: ...176 Utility ...

Search results

Summary of Contents for POWERCONNECT 6200 SERIES

Reviews:

Related manuals for POWERCONNECT 6200 SERIES

Brands by name

Popular brands

Dell POWERCONNECT 6200 SERIES, Configuration Manual

Search results

Summary of Contents for POWERCONNECT 6200 SERIES

Reviews:

Related manuals for POWERCONNECT 6200 SERIES

Brands by name

Popular brands