manualshive.com logo in svg

Dell PowerConnect 7024, Manual

Share
Download
Dell PowerConnect 7024 Manual Download Page 513

Configuring 802.1X and Port-Based Security

513

What is the Internal Authentication Server?

The Internal Authentication Server (IAS) is a dedicated database for local 

authentication of users for network access through 802.1X. In this database, 

the switch maintains a list of username and password combinations to use for 

802.1X authentication. You can manually create entries in the database, or 

you can upload the IAS information to the switch. 
If the authentication method for 802.1X is IAS, the switch uses the locally 

stored list of username and passwords to provide port-based authentication to 

users instead of using an external authentication server.

What is Port Security?

The Port Security feature allows you to limit the number of source MAC 

address that can be learned on a port. If a port reaches the configured limit, 

any other addresses beyond that limit are not learned and the frames are 

discarded. Frames with a source MAC address that has already been learned 

will be forwarded. 
The purpose of this feature, which is also known as port-MAC locking, is to 

help secure the network by preventing unknown devices from forwarding 

packets into the network. For example, to ensure that only a single device can 

be active on a port, you can set the number of allowable dynamic addresses to 

one. After the MAC address of the first device is learned, no other devices will 

be allowed to forward frames into the network.
When link goes down on a port, all of the dynamically locked addresses are 

cleared from the source MAC address table the feature maintains. When the 

link is restored, that port can once again learn addresses up to the specified 

limit. 
The port can learn MAC addresses dynamically, and you can manually specify 

a list of static MAC addresses for a port.

NOTE: 

The IAS database does not handle VLAN assignments or DiffServ policy 

assignments.

Summary of Contents for PowerConnect 7024

Page 1: ...Dell PowerConnect 7000 Series Switch User s Configuration Guide Regulatory Models PC7024 PC7024P PC7024F PC7048 PC7048P PC7048R and PC7048R RA ...

Page 2: ...t and OpenManage are trademarks of Dell Inc Microsoft Windows Windows Server MS DOS and Windows Vista are either trademarks or registered trademarks of Microsoft Corporation in the United States and or other countries sFlow is a registered trademark of InMon Corporation Cisco is a registered trademark of Cisco Systems Mozilla and Firefox are registered trademarks of the Mozilla Foundation Other tr...

Page 3: ...ent Options 52 System Time Management 52 Log Messages 52 Integrated DHCP Server 53 Management of Basic Network Information 53 IPv6 Management Features 53 Dual Software Images 53 File Management 54 Switch Database Management Templates 54 Automatic Installation of Firmware and Configuration 54 sFlow 55 SNMP Alarms and Trap Logs 55 CDP Interoperability through ISDP 55 Remote Monitoring RMON 55 ...

Page 4: ...ty Features 57 Configurable Access and Authentication Profiles 57 Password Protected Management Access 58 Strong Password Enforcement 58 TACACS Client 58 RADIUS Support 58 SSH SSL 59 Inbound Telnet Control 59 Denial of Service 59 Captive Portal 59 Dot1x Authentication IEEE 802 1X 60 MAC Based 802 1X Authentication 60 Dot1x Monitor Mode 60 MAC Based Port Security 60 Access Control Lists ACL 61 Time...

Page 5: ...uto MDI MDIX Support 64 VLAN Aware MAC based Switching 65 Back Pressure Support 65 Auto Negotiation 65 Broadcast Storm Control 65 Port Mirroring 66 Static and Dynamic MAC Address Tables 66 Link Layer Discovery Protocol LLDP 66 Link Layer Discovery Protocol LLDP for Media Endpoint Devices 66 Connectivity Fault Management IEEE 802 1ag 67 Cisco Protocol Filtering 67 DHCP Layer 2 Relay 67 Virtual Loca...

Page 6: ...k Aggregation Features 71 Link Aggregation 71 Link Aggregate Control Protocol LACP 71 Routing Features 72 Address Resolution Protocol ARP Table Management 72 VLAN Routing 72 IP Configuration 72 Open Shortest Path First OSPF 72 BOOTP DHCP Relay Agent 73 IP Helper and UDP Relay 73 Routing Information Protocol 73 Router Discovery 73 Routing Table 73 Virtual Router Redundancy Protocol VRRP 74 Tunnel a...

Page 7: ...erier 78 MLD Snooping 78 Multicast VLAN Registration 78 Layer 3 Multicast Features 78 Distance Vector Multicast Routing Protocol 78 Internet Group Management Protocol 79 IGMP Proxy 79 Protocol Independent Multicast Dense Mode 79 Protocol Independent Multicast Sparse Mode 79 Protocol Independent Multicast Source Specific Multicast 79 Protocol Independent Multicast IPv6 Support 79 MLD MLDv2 RFC2710 ...

Page 8: ...88 Power Supplies 89 Ventilation System 90 Locator LED 90 LED Definitions 91 Port LEDs 91 Module LEDs 93 System LEDs 95 4 Using Dell OpenManage Switch Administrator 97 About Dell OpenManage Switch Administrator 97 Starting the Application 98 Understanding the Interface 99 Defining Fields 101 Understanding the Device View 102 Using the Device View Port Features 102 Using the Device View Switch Loca...

Page 9: ... 108 Understanding Error Messages 109 Recalling Commands from the History Buffer 109 6 Default Settings 111 7 Setting the IP Address and Other Basic Network Information 115 IP Address and Network Information Overview 115 What Is the Basic Network Information 115 Why Is Basic Network Information Needed 116 How Is Basic Network Information Configured 117 What Is Out of Band Management and In Band Ma...

Page 10: ... Leases 129 Configuring Static Network Information on the OOB Port 130 Configuring Static Network Information on the Default VLAN 130 Configuring and Viewing Additional Network Information 131 Basic Network Information Configuration Example 132 8 Managing a Switch Stack 135 Stacking Overview 135 PowerConnect 7000 Series and M6348 Stacking Compatibility 137 How is the Management Unit Selected 137 A...

Page 11: ...upported Switches 150 Stack Port Summary 151 Stack Port Counters 152 Stack Port Diagnostics 152 NSF Summary 153 Checkpoint Statistics 154 Managing the Stack CLI 155 Configuring Stack Member and NSF Settings 155 Viewing and Clearing Stacking and NSF Information 156 Stacking and NSF Usage Scenarios 157 Basic Failover 158 Preconfiguring a Stack Member 160 NSF in the Data Center 162 NSF and VoIP 163 N...

Page 12: ...ures Use Authentication 178 Default Management Security Values 178 Controlling Management Access Web 180 Access Profile 180 Authentication Profiles 184 Select Authentication 187 Password Management 188 Last Password Set Result 190 User Login Configuration 191 Local User Database 192 Line Password 194 Enable Password 194 TACACS Settings 195 RADIUS Global Configuration 197 RADIUS Server Configuratio...

Page 13: ...guring Telnet and SSH Access 222 Configuring HTTP and HTTPS Access 223 Configuring DoS Information 225 Management Access Configuration Examples 227 Configuring a Management Access List 227 Configuring the Primary and Secondary RADIUS Servers 228 Configuring an Authentication Profile 230 Configuring Password Lockout 231 10 Monitoring and Logging System Information 235 System Monitoring Overview 235...

Page 14: ...tics 246 Log Global Settings 248 RAM Log 249 Log File 250 Remote Log Server 250 Email Alert Global Configuration 253 Email Alert Mail Server Configuration 254 Email Alert Subject Configuration 256 Email Alert To Address Configuration 257 Email Alert Statistics 258 Monitoring System Information and Configuring Logging CLI 259 Viewing System Information and Enabling the Locator LED 259 Running Cable...

Page 15: ...eded 274 How Does SNTP Work 274 What Configuration Is Required for Plug In Modules 275 What Are the Key PoE Plus Features for the PC7024P and PC7048P 275 Default General System Information 277 Configuring General System Settings Web 278 System Information 278 CLI Banner 281 SDM Template Preference 282 Clock 283 SNTP Global Settings 284 SNTP Authentication 285 SNTP Server 287 Summer Time Configurat...

Page 16: ...er 301 Setting the System Time and Date Manually 303 Configuring the Expansion Slots 304 Configuring PoE Settings 7024P 7048P Only 305 General System Settings Configuration Examples 308 Configuring System and Banner Information 308 Configuring SNTP 310 Configuring the Time Manually 312 12 Configuring SNMP 313 SNMP Overview 313 What Is SNMP 313 What Are SNMP Traps 314 Why Is SNMP Needed 315 Default...

Page 17: ...39 Configuring SNMP Notifications Traps and Informs 341 SNMP Configuration Examples 344 Configuring SNMPv1 and SNMPv2 344 Configuring SNMPv3 345 13 Managing Images and Files 349 Image and File Management Overview 349 What Files Can Be Managed 349 Why Is File Management Needed 351 What Methods Are Supported for File Management 353 What Factors Should Be Considered When Managing Files 353 How Is the...

Page 18: ...Upgrading the Firmware 368 Managing Configuration Scripts 371 Managing Files by Using the USB Flash Drive 373 14 Automatically Updating the Image and Configuration 375 Auto Configuration Overview 375 What Is USB Auto Configuration 376 What Files Does USB Auto Configuration Use 376 How Does USB Auto Configuration Use the Files on the USB Device 377 What Is the Setup File Format 378 What Is the DHCP...

Page 19: ...oad 390 15 Monitoring Switch Traffic 391 Traffic Monitoring Overview 391 What is sFlow Technology 391 What is RMON 394 What is Port Mirroring 395 Why is Traffic Monitoring Needed 396 Default Traffic Monitoring Values 396 Monitoring Switch Traffic Web 397 sFlow Agent Summary 397 sFlow Receiver Configuration 398 sFlow Sampler Configuration 399 sFlow Poll Configuration 400 Interface Statistics 401 Et...

Page 20: ...Port Mirroring 426 Traffic Monitoring Configuration Examples 427 Configuring sFlow 427 Configuring RMON 429 16 Configuring iSCSI Optimization 431 iSCSI Optimization Overview 431 When Should iSCSI Optimization Be Enabled 432 How Does the Switch Detect iSCSI Traffic Flows 432 How Is Quality of Service Applied to iSCSI Traffic Flows 432 What Information Does the Switch Track in iSCSI Traffic Flows 43...

Page 21: ... a Captive Portal 445 Captive Portal Overview 445 What Does a Captive Portal Do 445 Is the Captive Portal Feature Dependent on Any Other Feature 446 What Factors Should Be Considered When Designing and Configuring a Captive Portal 447 How Does Captive Portal Work 448 What Captive Portal Pages Can Be Customized 449 Default Captive Portal Behavior and Settings 450 Configuring the Captive Portal Web ...

Page 22: ...nfiguring Captive Portal Groups and Users 477 Managing Captive Portal Clients 478 Captive Portal Configuration Example 479 Configuration Overview 480 Detailed Configuration Procedures 481 18 Configuring Port Characteristics 483 Port Overview 483 What Physical Port Characteristics Can Be Configured 483 What is Link Dependency 484 What Interface Types are Supported 486 What is Interface Configuratio...

Page 23: ...y Groups 504 19 Configuring 802 1X and Port Based Security 505 Port Based Security Overview 505 What is IEEE 802 1X 506 What are the 802 1X Port States 507 What is MAC Based 802 1X Authentication 507 What is the Role of 802 1X in VLAN Assignment 509 What is Monitor Mode 511 How Does the Authentication Server Assign DiffServ Filters 512 What is the Internal Authentication Server 513 What is Port Se...

Page 24: ...ring Port Security 529 Configuring Internal Authentication Server Users 530 Port Based Security Configuration Examples 531 Configuring 802 1X Authentication 531 Configuring MAC Based Authentication Mode 535 Allowing RADIUS Assigned VLANs and a Guest VLAN 536 Configuring Authentication Server Filter Assignments 537 20 Configuring Access Control Lists 539 ACL Overview 539 What Are MAC ACLs 540 What ...

Page 25: ...figuration 555 Time Range Entry Configuration 556 Configuring ACLs CLI 558 Configuring an IPv4 ACL 558 Configuring a MAC ACL 560 Configuring an IPv6 ACL 562 Configuring a Time Range 564 ACL Configuration Examples 566 Configuring an IP ACL 566 Configuring a MAC ACL 567 Configuring a Time Based ACL 569 21 Configuring VLANs 571 VLAN Overview 571 Switchport Modes 574 VLAN Tagging 575 GVRP 576 Double V...

Page 26: ...VLAN 602 Configuring a Port in Access Mode 603 Configuring a Port in General Mode 604 Configuring a Port in Trunk Mode 605 Configuring VLAN Settings for a LAG 607 Configuring Double VLAN Tagging 608 Configuring MAC Based VLANs 609 Configuring IP Based VLANs 610 Configuring a Protocol Based VLAN 610 Configuring GVRP 612 Configuring Voice VLANs 614 VLAN Configuration Examples 615 Configuring VLANs U...

Page 27: ...gs 639 STP Port Settings 640 STP LAG Settings 642 Rapid Spanning Tree 643 MSTP Settings 645 MSTP Interface Settings 647 Configuring Spanning Tree CLI 649 Configuring Global STP Bridge Settings 649 Configuring Optional STP Features 650 Configuring STP Interface Settings 651 Configuring MSTP Switch Settings 652 Configuring MSTP Interface Settings 653 STP Configuration Examples 654 Configuring STP 65...

Page 28: ...l Configuration 673 LLDP MED Interface Configuration 674 LLDP MED Local Device Information 676 LLDP MED Remote Device Information 677 Configuring ISDP and LLDP CLI 678 Configuring Global ISDP Settings 678 Enabling ISDP on a Port 679 Viewing and Clearing ISDP Information 679 Configuring Global LLDP Settings 680 Configuring Port based LLDP Settings 680 Viewing and Clearing LLDP Information 681 Confi...

Page 29: ... 692 Protected Port Configuration 694 LLPF Configuration 696 Configuring Port Based Traffic Control CLI 698 Configuring Flow Control and Storm Control 698 Configuring Protected Ports 699 Configuring LLPF 700 Port Based Traffic Control Configuration Examples 701 25 Configuring L2 Multicast Features 703 L2 Multicast Overview 703 What Are the Multicast Bridging Features 703 What Is IP Multicast Traff...

Page 30: ...27 MLD Snooping VLAN Querier 728 MLD Snooping VLAN Querier Status 730 MFDB MLD Snooping Table 731 MVR Global Configuration 732 MVR Members 733 MVR Interface Configuration 734 MVR Statistics 737 GARP Timers 738 GMRP Parameters 740 MFDB GMRP Table 742 Configuring L2 Multicast Features CLI 743 Configuring Bridge Multicasting 743 Configuring IGMP Snooping 745 Configuring IGMP Snooping on VLANs 746 Con...

Page 31: ...5 Default Dot1ag Values 766 Configuring Dot1ag Web 767 Dot1ag Global Configuration 767 Dot1ag MD Configuration 767 Dot1ag MA Configuration 768 Dot1ag MEP Configuration 769 Dot1ag MIP Configuration 770 Dot1ag RMEP Summary 771 Dot1ag L2 Ping 772 Dot1ag L2 Traceroute 772 Dot1ag L2 Traceroute Cache 773 Dot1ag Statistics 774 Configuring Dot1ag CLI 775 Configuring Dot1ag Global Settings and Creating Dom...

Page 32: ...ffic Snooping and Inspection Web 789 DHCP Snooping Configuration 789 DHCP Snooping Interface Configuration 790 DHCP Snooping VLAN Configuration 792 DHCP Snooping Persistent Configuration 794 DHCP Snooping Static Bindings Configuration 795 DHCP Snooping Dynamic Bindings Summary 797 DHCP Snooping Statistics 798 IPSG Interface Configuration 799 IPSG Binding Configuration 800 IPSG Binding Summary 801 ...

Page 33: ...hy Are Link Aggregation Groups Necessary 820 What Is the Difference Between Static and Dynamic Link Aggregation 820 What is LAG Hashing 821 How Do LAGs Interact with Other Features 822 LAG Configuration Guidelines 823 Default Link Aggregation Values 823 Configuring Link Aggregation Web 824 LAG Configuration 824 LACP Parameters 825 LAG Membership 827 LAG Hash Configuration 828 LAG Hash Summary 829 ...

Page 34: ...ddress Table Maintained Across a Stack 838 Default MAC Address Table Values 838 Managing the MAC Address Table Web 839 Static Address Table 839 Dynamic Address Table 841 Managing the MAC Address Table CLI 842 Managing the MAC Address Table 842 30 Configuring Routing Interfaces 843 Routing Interface Overview 843 What Are VLAN Routing Interfaces 843 What Are Loopback Interfaces 844 What Are Tunnel I...

Page 35: ...ces IPv4 855 Configuring Loopback Interfaces 857 Configuring Tunnels 858 31 Configuring DHCP Server Settings 859 DHCP Overview 859 How Does DHCP Work 859 What are DHCP Options 860 What Additional DHCP Features Does the Switch Support 861 Default DHCP Server Values 861 Configuring the DHCP Server Web 862 DHCP Server Network Properties 862 Address Pool 864 Address Pool Options 868 DHCP Bindings 870 ...

Page 36: ...fault IP Routing Values 885 Configuring IP Routing Features Web 887 IP Configuration 887 IP Statistics 888 ARP Create 889 ARP Table Configuration 890 Router Discovery Configuration 891 Router Discovery Status 892 Route Table 893 Best Routes Table 894 Route Entry Configuration 895 Configured Routes 897 Route Preferences Configuration 898 Configuring IP Routing Features CLI 899 Configuring Global IP...

Page 37: ...3 Relay Values 913 Configuring L2 and L3 Relay Features Web 914 DHCP Relay Global Configuration 914 DHCP Relay Interface Configuration 915 DHCP Relay Interface Statistics 917 DHCP Relay VLAN Configuration 918 DHCP Relay Agent Configuration 919 IP Helper Global Configuration 920 IP Helper Interface Configuration 922 IP Helper Statistics 923 Configuring L2 and L3 Relay Features CLI 925 Configuring L...

Page 38: ...941 OSPF Interface Statistics 942 OSPF Interface Configuration 943 OSPF Neighbor Table 944 OSPF Neighbor Configuration 945 OSPF Link State Database 946 OSPF Virtual Link Configuration 946 OSPF Virtual Link Summary 948 OSPF Route Redistribution Configuration 949 OSPF Route Redistribution Summary 950 NSF OSPF Summary 951 Configuring OSPFv3 Features Web 952 OSPFv3 Configuration 952 OSPFv3 Area Config...

Page 39: ...ge Settings 977 Configuring NSF Settings for OSPF 979 Configuring OSPFv3 Features CLI 981 Configuring Global OSPFv3 Settings 981 Configuring OSPFv3 Interface Settings 983 Configuring Stub Areas and NSSAs 985 Configuring Virtual Links 987 Configuring an OSPFv3 Area Range 988 Configuring OSPFv3 Route Redistribution Settings 989 Configuring NSF Settings for OSPFv3 990 OSPF Configuration Examples 991 ...

Page 40: ...IP Route Redistribution Configuration 1012 RIP Route Redistribution Summary 1013 Configuring RIP Features CLI 1014 Configuring Global RIP Settings 1014 Configuring RIP Interface Settings 1015 Configuring Route Redistribution Settings 1016 RIP Configuration Example 1018 36 Configuring VRRP 1021 VRRP Overview 1021 How Does VRRP Work 1021 What Is the VRRP Router Priority 1022 What Is VRRP Preemption ...

Page 41: ...VRRP with Load Sharing 1036 VRRP with Route and Interface Tracking 1040 37 Configuring IPv6 Routing 1045 IPv6 Routing Overview 1045 How Does IPv6 Compare with IPv4 1046 How Are IPv6 Interfaces Configured 1046 Default IPv6 Routing Values 1047 Configuring IPv6 Routing Features Web 1049 Global Configuration 1049 Interface Configuration 1050 Interface Summary 1051 IPv6 Statistics 1052 IPv6 Neighbor Ta...

Page 42: ...n Option 1066 What Is a Prefix Delegation 1066 Default DHCPv6 Server and Relay Values 1067 Configuring the DHCPv6 Server and Relay Web 1068 DHCPv6 Global Configuration 1068 DHCPv6 Pool Configuration 1069 Prefix Delegation Configuration 1071 DHCPv6 Pool Summary 1072 DHCPv6 Interface Configuration 1073 DHCPv6 Server Bindings Summary 1075 DHCPv6 Statistics 1076 Configuring the DHCPv6 Server and Relay...

Page 43: ...rv Functionality Vary Based on the Role of the Switch 1086 What Are the Elements of DiffServ Configuration 1086 Default DiffServ Values 1087 Configuring DiffServ Web 1088 DiffServ Configuration 1088 Class Configuration 1089 Class Criteria 1090 Policy Configuration 1092 Policy Class Definition 1094 Service Configuration 1097 Service Detailed Statistics 1098 Flow Based Mirroring 1099 Configuring Dif...

Page 44: ...aping Used on Egress Traffic 1116 How Are Traffic Queues Defined 1117 Which Queue Management Methods Are Supported 1117 Default CoS Values 1118 Configuring CoS Web 1119 Mapping Table Configuration 1119 Interface Configuration 1121 Interface Queue Configuration 1122 Interface Queue Drop Precedence Configuration 1123 Configuring CoS CLI 1125 Mapping Table Configuration 1125 CoS Interface Configurati...

Page 45: ...c 1138 What Multicast Protocols Does the Switch Support 1139 What Are the Multicast Protocol Roles 1139 When Is L3 Multicast Required on the Switch 1140 What Is the Multicast Routing Table 1140 What Is Multicast Tunneling 1141 What Is IGMP 1141 What Is MLD 1142 What Is PIM 1143 What Is DVMRP 1145 Default L3 Multicast Values 1147 Configuring General IPv4 Multicast Features Web 1149 Multicast Global...

Page 46: ...161 IGMP Proxy Interface Configuration 1162 IGMP Proxy Configuration Summary 1163 IGMP Proxy Interface Membership Info 1164 Detailed IGMP Proxy Interface Membership Information 1165 Configuring MLD and MLD Proxy Web 1166 MLD Global Configuration 1166 MLD Routing Interface Configuration 1167 MLD Routing Interface Summary 1168 MLD Routing Interface Cache Information 1169 MLD Routing Interface Source...

Page 47: ...190 DVMRP Configuration Summary 1191 DVMRP Next Hop Summary 1192 DVMRP Prune Summary 1193 DVMRP Route Summary 1194 Configuring L3 Multicast Features CLI 1195 Configuring and Viewing IPv4 Multicast Information 1195 Configuring and Viewing IPv6 Multicast Route Information 1197 Configuring and Viewing IGMP 1198 Configuring and Viewing IGMP Proxy 1200 Configuring and Viewing MLD 1201 Configuring and V...

Page 48: ...Viewing PIM SM for IPv6 Multicast Routing 1207 Configuring and Viewing DVMRP Information 1210 L3 Multicast Configuration Examples 1211 Configuring Multicast VLAN Routing With IGMP and PIM SM 1211 Configuring DVMRP 1215 Index 1217 ...

Page 49: ...ers The PowerConnect 7000 Series includes six switch models PC7024 PC7024P PC7024F PC7048 PC7048P and PC7048R PC7048R RA The PC7048R PC7048R RA is a top of rack switch The difference between the PC7048R and PC7048R RA is the airflow direction About This Document This guide describes how to configure monitor and maintain a Dell PowerConnect 7000 Series switch by using Web based Dell OpenManage Swit...

Page 50: ...ovides in depth CLI descriptions syntax default values and usage guidelines Table 1 1 Document Conventions Convention Description Bold Page names field names menu options button names and CLI commands and keywords courier font Command line text CLI output and file names In a command line square brackets indicate an optional entry In a command line inclusive brackets indicate a selection of compuls...

Page 51: ...tes are part of the firmware download System Management Features Stacking Features Security Features Green Technology Features Power over Ethernet PoE Plus Features Switching Features Virtual Local Area Network Supported Features n b s p n b s p Spanning Tree Protocol Features Link Aggregation Features Routing Features IPv6 Routing Features Quality of Service QoS Features Layer 2 Multicast Feature...

Page 52: ...r or you can set the time and date locally on the switch You can also configure the time zone and information about time shifts that might occur during summer months If you use SNTP to obtain the time you can require communications between the switch and the SNTP server to be encrypted For information about configuring system time settings see Managing General System Settings on page 271 Log Messa...

Page 53: ...ork information Other configurable network information includes a Domain Name Server DNS hostname to IP address mapping and a default domain name If the switch detects an IP address conflict on the management interface it generates a trap and sends a log message For information about configuring basic network information see Setting the IP Address and Other Basic Network Information on page 115 IP...

Page 54: ...tem resources to support a different mix of features based on your network requirements PowerConnect 7000 Series switches support the following three templates Dual IPv4 and IPv6 default IPv4 Routing IPv4 Data Center For information about setting the SDM template see Managing General System Settings on page 271 Automatic Installation of Firmware and Configuration The Auto Install feature allows th...

Page 55: ...ee Configuring SNMP on page 313 CDP Interoperability through ISDP Industry Standard Discovery Protocol ISDP allows the PowerConnect switch to interoperate with Cisco devices running the Cisco Discovery Protocol CDP ISDP is a proprietary Layer 2 network protocol which inter operates with Cisco network equipment and is used to share information between neighboring devices routers bridges access serv...

Page 56: ...tiple switches are connected together through the stack ports they operate as a single unit with a larger port count The stack operates and is managed as a single entity One switch acts as the master and the entire stack is managed through the management interface Web CLI or SNMP of the master unit Automatic Firmware Upgrade for New Stack Members If a switch is added to a stack and the switch is r...

Page 57: ...lled nonstop forwarding When the management unit fails only the switch ASICs on the management unit need to be restarted Hot Add Delete and Firmware Synchronization You can add and remove units to and from the stack without cycling the power When you add a unit the Stack Firmware Synchronization feature automatically synchronizes the firmware version with the version running on the stack master Th...

Page 58: ...on about configuring password settings see Controlling Management Access on page 169 TACACS Client The switch has a TACACS client TACACS provides centralized security for validation of users accessing the switch TACACS provides a centralized user management system while still retaining consistency with RADIUS and other authentication processes For information about configuring TACACS client settin...

Page 59: ...cess on page 169 Denial of Service The switch supports configurable Denial of Service DoS attack protection for eight different types of attacks For information about configuring DoS settings see Controlling Management Access on page 169 Captive Portal The Captive Portal feature blocks clients from accessing the network until user verification has been established When a user attempts to connect t...

Page 60: ...mation about configuring MAC based 802 1X authentication see Configuring 802 1X and Port Based Security on page 505 Dot1x Monitor Mode Monitor mode can be enabled in conjunction with Dot1x authentication to allow network access even when the user fails to authenticate The switch logs the results of the authentication process for diagnostic purposes The main purpose of this mode is to help troubles...

Page 61: ...apply the ACL rule when the packet enters or exits the physical port LAG or VLAN interface For information about configuring ACLs see Configuring Access Control Lists on page 539 Time Based ACLs With the Time based ACL feature you can define when an ACL is in effect and the amount of time it is in effect For information about configuring time based ACLs see Configuring Access Control Lists on page...

Page 62: ... ARP packets The feature prevents a class of man in the middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors The malicious station sends ARP requests or responses mapping another station s IP address to its own MAC address Dynamic ARP Inspection relies on DHCP Snooping For information about configuring DAI see Sn...

Page 63: ...power savings when the link is lightly loaded Power Utilization Reporting The switch displays the current power consumption of the power supply or power supplies This information is available from the management interface Power over Ethernet PoE Plus Features For information about configuring PoE Plus features see Managing General System Settings on page 271 Power Over Ethernet PoE Plus Configurat...

Page 64: ...iguring flow control see Configuring Port Based Traffic Control on page 687 Head of Line Blocking Prevention Head of Line HOL blocking prevention prevents traffic delays and frame loss caused by traffic competing for the same egress port resources HOL blocking queues packets and the packets at the head of the queue are forwarded before packets at the end of the queue Jumbo Frames Support Jumbo fra...

Page 65: ...itches to take maximum advantage of their transmission capabilities PowerConnect 7000 Series switches enhance auto negotiation by providing port advertisement Port advertisement allows the system administrator to configure the port speeds advertised For information about configuring autonegotiation see Configuring Port Characteristics on page 483 Broadcast Storm Control When Layer 2 frames are for...

Page 66: ...tries in the dynamic MAC address table You can also search for entries in the dynamic table based on several different criteria For information about viewing and managing the MAC address table see Managing the MAC Address Table on page 837 Link Layer Discovery Protocol LLDP The IEEE 802 1AB defined standard Link Layer Discovery Protocol LLDP allows the switch to advertise major capabilities and ph...

Page 67: ...1 Cisco Protocol Filtering The Cisco Protocol Filtering feature also known as Link Local Protocol Filtering filters Cisco protocols that should not normally be relayed by a bridge The group addresses of these Cisco protocols do not fall within the IEEE defined range of the 802 1D MAC Bridge Filtered MAC Group Addresses 01 80 C2 00 00 00 to 01 80 C2 00 00 0F For information about configuring LLPF s...

Page 68: ...LANs based on their ingress port When a port uses 802 1X port authentication packets can be assigned to a VLAN based on the result of the 802 1X authentication a client uses when it accesses the switch This feature is useful for assigning traffic to Guest VLANs or Voice VLANs IP Subnet based VLAN This feature allows incoming untagged packets to be assigned to a VLAN and traffic class based on the ...

Page 69: ...voice traffic with defined priority The priority level enables the separation of voice and data traffic coming onto the port Guest VLAN The Guest VLAN feature allows a switch to provide a distinguished service to unauthenticated users This feature provides a mechanism to allow visitors and contractors to have network access to reach external network with no ability to browse information on the int...

Page 70: ...panning Tree Protocol RSTP detects and uses network topologies to enable faster spanning tree convergence after a topology change without creating forwarding loops The port settings supported by STP are also supported by RSTP Multiple Spanning Tree Multiple Spanning Tree MSTP operation maps VLANs to spanning tree instances Packets assigned to various VLANs are transmitted along different paths wit...

Page 71: ...ink Aggregation Features For information about configuring link aggregation port channel features see Configuring Link Aggregation on page 819 Link Aggregation Up to eight ports can combine to form a single Link Aggregated Group LAG This enables fault tolerance protection from physical link disruption higher bandwidth connections and improved bandwidth granularity A LAG is composed of ports of the...

Page 72: ... on page 843 IP Configuration The switch IP configuration settings to allow you to configure network information for VLAN routing interfaces such as IP address and subnet mask MTU size and ICMP redirects Global IP configuration settings for the switch allow you to enable or disable the generation of several types of ICMP messages and enable or disable the routing mode For information about managin...

Page 73: ... RIP like OSPF is an IGP used within an autonomous Internet system RIP is an IGP that is designed to work with moderate size networks For information about configuring RIP see Configuring RIP on page 1005 Router Discovery For each interface you can configure the Router Discovery Protocol RDP to transmit router advertisements These advertisements inform hosts on the local network about the presence...

Page 74: ...d management of tunnel and loopback interfaces Tunnel interfaces facilitate the transition of IPv4 networks to IPv6 networks A loopback interface is always expected to be up so you can configure a stable IP address that other network devices use to contact or identify the switch For information about configuring tunnel and loopback interfaces see Configuring Routing Interfaces on page 843 IPv6 Rou...

Page 75: ...ol for IPv6 networking OSPFv3 is a new routing component based on the OSPF version 2 component In dual stack IPv6 you can configure and use both OSPF and OSPFv3 components For information about configuring OSPFv3 see Configuring OSPF and OSPFv3 on page 931 DHCPv6 DHCPv6 incorporates the notion of the stateless server where DHCPv6 is not used for IP address assignment to a client rather it only pro...

Page 76: ... This provides the desired QoS behavior for different types of network traffic when the complexities of DiffServ are not required CoS queue characteristics such as minimum guaranteed bandwidth and transmission rate shaping are configurable at the queue or port level For information about configuring CoS see Configuring Class of Service on page 1115 Auto Voice over IP VoIP This feature provides eas...

Page 77: ... configuring L2 multicast features see Configuring L2 Multicast Features on page 703 MAC Multicast Support Multicast service is a limited broadcast service that allows one to many and many to many connections In Layer 2 multicast services a single frame addressed to a specific multicast address is received and copies of the frame to be transmitted on each relevant port are created IGMP Snooping In...

Page 78: ... constructed by snooping IPv6 multicast control packets Multicast VLAN Registration The Multicast VLAN Registration MVR protocol like IGMP Snooping allows a Layer 2 switch to listen to IGMP frames and forward the multicast traffic only to the receivers that request it Unlike IGMP Snooping MVR allows the switch to listen across different VLANs MVR uses a dedicated VLAN which is called the multicast...

Page 79: ...rovided by any particular unicast routing protocol The Protocol Independent Multicast Dense Mode PIM DM protocol uses an existing Unicast routing table and a Join Prune Graft mechanism to build a tree PIM DM creates source based shortest path distribution trees making use of reverse path forwarding RPF Protocol Independent Multicast Sparse Mode Protocol Independent Multicast Sparse Mode PIM SM is ...

Page 80: ...atible with MLD v1 MLD protocol enables the IPv6 router to discover the presence of multicast listeners the nodes that want to receive the multicast data packets on its directly attached interfaces The protocol specifically discovers which multicast addresses are of interest to its neighboring nodes and provides this information to the multicast routing protocol that make the decision on the flow ...

Page 81: ...ries Front Panel The PowerConnect 7000 Series front panel includes the following features Switch Ports Console Port Out of Band Management Port USB Port Reset Button Port and System LEDs Stack Master LED and Stack Number Display The following images show the front panels of the switch models in the PowerConnect 7000 Series Figure 3 1 PowerConnect 7024 with 24 10 100 1000Base T Ports Combo Ports 10...

Page 82: ...s Ports Figure 3 3 PowerConnect 7024F with 24 SFP Ports Figure 3 4 PowerConnect 7048 with 48 10 100 1000Base T Ports Combo Ports 10 100 1000Base T RJ 45 PoE Plus Ports Providing up to 30W per Port SFP Ports Combo Ports Combo Ports 10 100 1000Base T Auto sensing Full Duplex RJ 45 Ports ...

Page 83: ...P with 48 10 100 1000Base T PoE Plus Ports Figure 3 6 PowerConnect 7048R with 48 10 100 1000Base T Ports Combo Ports 10 100 1000Base T RJ 45 PoE Plus Ports Providing up to 30W per Port Combo Ports 10 100 1000Base T Auto sensing Full Duplex RJ 45 Ports ...

Page 84: ...P transceivers are sold separately The PowerConnect 7024P switch ports are IEEE 802 3at 2009 compliant PoE Plus and can provided up to 30W of power per port The PowerConnect 7024F front panel provides 20 Gigabit Ethernet 10 100 1000BASE FX SFP ports plus 4 combo ports for copper or SFP media support The PowerConnect 7048 PowerConnect 7048P and PowerConnect 7048R front panel provides 48 Gigabit Eth...

Page 85: ...stop bit no parity bit and no flow control The default baud rate is 9600 bps Out of Band Management Port The Out of Band OOB management port is a 10 100 1000BASE T Ethernet port dedicated to remote switch management Traffic on this port is segregated from operational network traffic on the switch ports and cannot be switched or routed to the operational network USB Port The Type A female USB port ...

Page 86: ...ng diodes LEDs that indicate the status of port links power supplies fans stacking and the overall system Additionally the PowerConnect 7024P and PowerConnect 7048P switches contain LEDs that provide information about Power over Ethernet Plus PoE status and activity on the ports For information about the status that the LEDs indicate see LED Definitions on page 91 Stack Master LED and Stack Number...

Page 87: ...lowing images show the back panel of the PowerConnect 7000 Series switches Figure 3 8 PC7024 PC7024F and PC7048 Back Panel Figure 3 9 PC7024P and PC7048P Back Panel Dual 10G Slots for SFP 10GBase T or Stacking 10GbE Modules AC Power Receptacle Redundant DC Power Supply Receptacle Fan Vents AC Power Receptacle External DC Power Supply Receptacle Fan Vents Dual 10G Slots for SFP 10Base T or Stacking...

Page 88: ...he Stacking 10GbE modules can be configured to operate as either 16 Gigabit stacking ports or 10 Gigabit Ethernet switch ports The plug in modules include hot swap support so you do not need to reboot the switch after you install a new module The following figures show the modules available for the PowerConnect 7000 Series switches Figure 3 11 10GBase T Module AC Power Receptacle Fan Trays AC Powe...

Page 89: ...720 provides 180 watts of power and gives full redundancy for the switch PC7024P PowerConnect 7024P switches have an internal 1000 watt power supply The additional external power supply PowerConnect MPS1000 provides 1000 Watts and gives full redundancy for the switch PC7048 PowerConnect 7048 switches have an internal 180 watt power supply The additional external power supply PowerConnect RPS720 pr...

Page 90: ...owever it is necessary to remove power from the power supply that is being removed or replaced Ventilation System Three fans cool the PowerConnect 7024 PowerConnect 7024F and PowerConnect 7048 The PowerConnect 7024P and PowerConnect 7048P each have two fans with a third fan in the internal power supply The PowerConnect 7048R has two hot swappable fan trays with one fan each Locator LED The back pa...

Page 91: ...rConnect 7024 PowerConnect 7048 and PowerConnect 7048R as well as the PowerConnect 7024F Combo ports 100 1000 10000Base T Port LEDs PC7024P and PC7048P The 100 1000 10000Base T ports on the PowerConnect 7024P and PowerConnect 7048P include Power over Ethernet Plus support and each port is capable of delivering up to 30W of power to the connected PoE powered device Table 3 2 contains the 100 1000 1...

Page 92: ... Off No link is present Right Green blinking The port is active and PoE Plus power is off Yellow blinking The port is active and PoE Plus power is on Yellow solid The port has no activity and PoE Plus power is on Off The port has no activity and PoE Plus power is off Table 3 3 SFP Port LED Definitions LED Color Activity Definition Left Green The port is operating at 1000 Mbps Yellow The port is op...

Page 93: ...P port on the plug in module available for PowerConnect 7000 Series switches Table 3 4 10 GbE Port LEDs Definitions LED Color Activity Definition LNK Left Green solid The port is linked at 10G Yellow solid The port is linked at another speed Off The port is not linked ACT Right Green blinking The port is sending and or receiving network traffic Off The port has no activity Table 3 5 SFP Port LEDs ...

Page 94: ...h management The OOB port is labeled with the symbol and is to the right of the console port Traffic on this port is segregated from operational network traffic on the switch ports and cannot be switched or routed to the operational network Table 3 7 contains the OOB port LED definitions for the PowerConnect 7000 Series switches Table 3 6 Console Port LED Definitions LED Color Activity Definition ...

Page 95: ...Ds available on each model in the PowerConnect 7000 Series Figure 3 14 System LEDs Table 3 8 contains the System LED definitions Table 3 8 System LED Definitions LED Color Definition Status Green solid Switch is operating normally Green blinking Booting and the diagnostics test is in progress Red solid Critical system error detected Red blinking Non critical system error detected FAN Green solid F...

Page 96: ... redundant power supply is detected EPS Green solid External power supply is operating normally Red solid An external power supply is detected but it is not operating correctly Off No external power supply is detected M Green solid Master switch for the stack A standalone switch is always the master Off Non master stack unit a The PowerConnect 7048R has two power supplies The PWR1 LED indicates th...

Page 97: ...Manage Switch Administrator Dell OpenManage Switch Administrator is a Web based tool to help you manage and monitor a PowerConnect 7000 Series switch Table 4 1 lists the Web browsers that are compatible with Dell OpenManage Switch Administrator The browsers have been tested on a PC running the Microsoft Windows operating system Table 4 1 Compatible Browsers Browser Version Internet Explorer v7 v8 ...

Page 98: ... page 115 3 When the Login window displays enter a user name and password Passwords are both case sensitive and alpha numeric Figure 4 1 Login Screen 4 Click Submit NOTE The switch is not configured with a default user name or password You must connect to the CLI by using the console port to configure the initial user name and password For information about connecting to the console see Console Co...

Page 99: ...left side of the page the navigation pane provides an expandable view of features and their components Configuration and status options The main panel contains the fields you use to configure and monitor the switch Page tabs Some pages contain tabs that allow you to access additional pages related to the feature Command buttons Command buttons are located at the bottom of the page Use the command ...

Page 100: ...l com About Contains the version and build number and Dell copyright information Log Out Logs out of the application and returns to the login screen Save Saves the running configuration to the startup configuration When you click Apply changes are saved to the running configuration When the system boots it loads the startup configuration Any changes to the running configuration that were not saved...

Page 101: ...ring and managing the switch The online help pages are context sensitive For example if the IP Addressing page is open the help topic for that page displays if you click Help Apply Updates the running configuration on the switch with the changes Configuration changes take effect immediately Clear Resets statistic counters and log files to the default configuration Query Queries tables Left arrow a...

Page 102: ...ates that the link is down Each port image is a hyperlink to the Port Configuration page for the specific port Using the Device View Switch Locator Feature The Device View graphic includes a Locate button and a drop down menu of timer settings When you click Locate the switch locator LED on the back panel of the switch blinks for the number of seconds selected from the timer menu The green blinkin...

Page 103: ...the management station you use to access the device must be able to ping the switch IP address For information about assigning an IP address to a switch see Setting the IP Address and Other Basic Network Information on page 115 Console Connection Use the following procedures to connect to the CLI by connecting to the console port For more information about creating a serial connection see the Gett...

Page 104: ...rk Telnet connections are enabled by default and the Telnet port number is 23 The switch supports up to four simultaneous Telnet sessions All CLI commands can be used over a Telnet session To connect to the switch by using Telnet the switch must have an IP address and the switch and management station must have network connectivity You can use any Telnet client on the management station to connect...

Page 105: ...s changing terminal settings on a temporary basis performing basic tests and listing system information Privileged EXEC Commands in this mode permit you to view all switch settings and to enter the global configuration mode Global Configuration Commands in this mode manage the device configuration on a global level and apply to system features rather than to a specific protocol or interface Interf...

Page 106: ... Configuration From Privileged EXEC mode use the configure command console config Use the exit command or press Ctrl Z to return to Privileged EXEC mode Interface Configuration From Global Configuration mode use the interface command and specify the interface type and ID console config if To exit to Global Configuration mode use the exit command or press Ctrl Z to return to Privileged EXEC mode VL...

Page 107: ...with particular Group Ids vlan Create a new VLAN or delete an existing VLAN Enter a question mark after each word you enter to display available command keywords or parameters console config vlan database Type vlan database to enter VLAN mode protocol Configure Protocol Based VLAN parameters If the help output shows a parameter in angle brackets you must replace the parameter with a value console ...

Page 108: ...dentify a single matching command continue entering characters until the switch can uniquely identify the command Use the question mark to display the available commands matching the characters already entered Entering Abbreviated Commands To execute a command you need to enter enough characters so that the switch can uniquely identify a command For example to enter Global Configuration mode from ...

Page 109: ...istory buffer By default the history buffer is enabled and stores the last 10 commands entered These commands can be recalled reviewed modified and reissued This buffer is not preserved after switch resets Table 5 2 CLI Error Messages Message Text Description Invalid input detected at marker Indicates that you entered an incorrect or unavailable command The carat shows where the invalid text is de...

Page 110: ...lls commands in the history buffer beginning with the most recent command Repeats the key sequence to recall successively older commands Down arrow key Ctrl N Returns to more recent commands in the history buffer after recalling commands with the up arrow key Repeating the key sequence recalls more recent commands in succession ...

Page 111: ...e Disabled on Management VLAN inband management ports Management VLAN ID 1 VLAN 1 Members All switch ports SDM template Dual IPv4 and IPv6 routing Users None Minimum password length 8 characters IPv6 management mode Enabled SNTP client Disabled Global logging Enabled Switch auditing Disabled CLI command logging Disabled Web logging Disabled SNMP logging Disabled Console logging Enabled Severity le...

Page 112: ...Telnet Enabled Denial of Service Protection Disabled Captive Portal Disabled Dot1x Authentication IEEE 802 1X Disabled MAC Based Port Security All ports are unlocked Access Control Lists ACL None configured IP Source Guard IPSG Disabled DHCP Snooping Disabled Dynamic ARP Inspection Disabled Protected Ports Private VLAN Edge None Energy Detect Mode Disabled EEE Lower Power Mode Disabled PoE Plus PC...

Page 113: ...rotocol Filtering LLPF No protocols are blocked DHCP Layer 2 Relay Disabled Default VLAN ID 1 Default VLAN Name Default GVRP Disabled GARP Timers Leave 60 centiseconds Leave All 1000 centiseconds Join 20 centiseconds Voice VLAN Disabled Guest VLAN Disabled RADIUS assigned VLANs Disabled Double VLANs Disabled Spanning Tree Protocol STP Enabled STP Operation Mode IEEE 802 1w Rapid Spanning Tree Opti...

Page 114: ...isabled Tunnel and Loopback Interfaces None IPv6 Routing Disabled DHCPv6 Disabled OSPFv3 Enabled DiffServ Enabled Auto VoIP Disabled Auto VoIP Traffic Class 6 iSCSI Disabled Bridge Multicast Filtering Disabled MLD Snooping Disabled IGMP Snooping Disabled IGMP Snooping Querier Disabled GMRP Disabled IPv4 Multicast Disabled IPv6 Multicast Disabled Table 6 1 Default Settings Continued Feature Default...

Page 115: ...ss and Network Information Overview What Is the Basic Network Information The basic network information includes settings that define the PowerConnect 7000 Series switch in relation to the network Table 7 1 provides an overview of the settings this chapter describes Table 7 1 Basic Network Information Feature Description IP Address On an IPv4 network the a 32 bit number that uniquely identifies a ...

Page 116: ...ch identify and locate other devices on the network and on the Internet For example to upgrade the switch software by using a TFTP Default Gateway Typically a router interface that is directly connected to the switch and is in the same subnet The switch sends IP packets to the default gateway when it does not recognize the destination IP address in a packet DHCP Client Requests network information...

Page 117: ...d see the Getting Started Guide at support dell com manuals If you do not use the wizard to prompt you for the initial configuration information you can enable the DHCP client on the switch to obtain network information from a DHCP server on your network or you can statically assign the network information After you configure the switch with an IP address and create a user account you can continue...

Page 118: ...network is experiencing problems you can still access the switch management interface and troubleshoot issues Because the OOB port is intended to be physically isolated from the production network configuration options are limited to just those protocols needed to manage the switch Limiting the configuration options makes it difficult to accidentally cut off management access to the switch DHCP ca...

Page 119: ...tion times out In order to resolve this issue you can reduce the MSS setting to a more appropriate value on the local host or alternatively you can set the MTU on the PowerConnect management port to a smaller value Default Network Information By default no network information is configured The DHCP client is enabled on the OOB interface and disabled on the management VLAN DNS is enabled but no DNS...

Page 120: ...ssign the Out of Band Interface IP address and subnet mask or to enable disable the DHCP client for address information assignment DHCP is enabled by default on the OOB interface To display the Out of Band Interface page click System IP Addressing Out of Band Interface in the navigation panel Figure 7 1 Out of Band Interface To enable the DHCP client and allow a DHCP server on your network to auto...

Page 121: ...onfiguration page click Routing IP IP Interface Configuration in the navigation panel Figure 7 2 IP Interface Configuration Default VLAN Assigning Network Information to the Default VLAN To assign an IP Address and subnet mask to the default VLAN 1 From the Interface menu select VLAN 1 2 From the Routing Mode field select Enable 3 From the IP Address Configuration Method field specify whether to a...

Page 122: ...itch default gateway as its default gateway To display the Route Entry Configuration page click Routing Router Route Entry Configuration in the navigation panel Figure 7 3 Route Configuration Default VLAN Configuring a Default Gateway for the Switch To configure the switch default gateway 1 Open the Route Entry Configuration page 2 From the Route Type field select Default NOTE You do not need to c...

Page 123: ... 123 Figure 7 4 Default Route Configuration Default VLAN 3 In the Next Hop IP Address field enter the IP address of the default gateway 4 Click Apply For more information about configuring routes see Configuring IP Routing on page 883 ...

Page 124: ...itch uses the DNS server to translate hostnames into IP addresses To display the Domain Name Server page click System IP Addressing Domain Name Server in the navigation panel Figure 7 5 DNS Server To configure DNS server information click the Add link and enter the IP address of the DNS server in the available field Figure 7 6 Add DNS Server ...

Page 125: ...ame Use the Default Domain Name page to configure the domain name the switch adds to a local unqualified hostname To display the Default Domain Name page click System IP Addressing Default Domain Name in the navigation panel Figure 7 7 Default Domain Name ...

Page 126: ...per host To display the Host Name Mapping page click System IP Addressing Host Name Mapping Figure 7 8 Host Name Mapping To map a host name to an IP address click the Add link type the name of the host and its IP address in the appropriate fields and then click Apply Figure 7 9 Add Static Host Name Mapping Use the Show All link to view all configured host name to IP address mappings ...

Page 127: ...using the configured DNS server to resolve a hostname For example if you ping www dell com from the CLI the switch uses the DNS server to lookup the IP address of dell com and adds the entry to the Dynamic Host Name Mapping table To display the Dynamic Host Name Mapping page click System IP Addressing Dynamic Host Name Mapping in the navigation panel Figure 7 10 View Dynamic Host Name Mapping ...

Page 128: ...eginning in Privileged EXEC mode use the following commands to enable the DHCP client on the default VLAN which is VLAN 1 Command Purpose configure Enter Global Configuration mode interface out of band Enter Interface Configuration mode for the OOB port ip address dhcp Enable the DHCP client CTRL Z Exit to Privileged EXEC mode show ip interface out of band Display network information for the OOB p...

Page 129: ... immediately renew an IPv4 address lease show dhcp lease interface interface Display IPv4 addresses leased from a DHCP server show ipv6 dhcp interface interface Display information about the IPv6 DHCP information for all interfaces or for the specified interface debug dhcp packet Display debug information about DHCPv4 client activities and to trace DHCPv4 packets to and from the local DHCPv4 clien...

Page 130: ...ask gateway_ip Configure a static IP address and subnet mask Optionally you can also configure a default gateway CTRL Z Exit to Privileged EXEC mode show ip interface out of band Verify the network information for the OOB port Command Purpose configure Enter Global Configuration mode interface vlan 1 Enter Interface Configuration mode for VLAN 1 ip address ip_address subnet_mask Enter the IP addre...

Page 131: ... up to six DNS servers The first server you configure is the primary DNS server ip domain name name Define a default domain name to complete unqualified host names ip host name ip_address Use to configure static host name to address mapping in the host cache ip address conflict detect run Trigger the switch to run active address conflict detection by sending gratuitous ARP packets for IPv4 address...

Page 132: ...s the administrative laptop host name to its IP address The administrator uses the OOB port to manage the switch To configure the switch 1 Connect the OOB port to the management network DHCP is enabled by on the switch OOB interface by default If the DHCP client on the switch has been disabled use the following commands to enable the DHCP client on the OOB port console configure console config int...

Page 133: ...ation console show hosts Host name Default domain sunny dell com dell com Name address lookup is enabled Name servers Preference order 10 27 138 20 10 27 138 21 Configured host name to address mapping Host Addresses admin laptop 10 27 65 103 cache TTL Hours Host Total Elapsed Type Addresses No hostname is mapped to an IP address 6 Verify that the static hostname is correctly mapped console ping ad...

Page 134: ...134 Setting Basic Network Information ...

Page 135: ...ing links on adjacent units A stack of units is manageable as a single entity when the units are connected together If a unit cannot detect a stacking partner on a port enabled for stacking the unit automatically operates as a standalone unit If a stacking partner is detected the switch always operates in stacking mode One unit in the stack is designated as the Master unit The Master manages all t...

Page 136: ...ontrol CPU The running configuration and application state is synchronized between the Master and Standby during the normal stacking operation In a stack of three or more switches Dell strongly recommends connecting the stack in a ring topology so that each switch is connected to two other switches Figure 8 1 shows a stack with three switches as stack members connected in a ring topology Figure 8 ...

Page 137: ...gher MAC address In most cases a switch that is added to an existing stack will become a stack member and not the Management Unit When you add a switch to the stack one of the following scenarios takes place regarding the management status of the new switch If the switch has the Management Unit function enabled but another Master unit is already active then the switch changes its configured Manage...

Page 138: ... maximum number of units already exist in the stack making it unable to assign a unit number then the switch sets its unit number to unassigned and does not participate in the stack Adding a Switch to the Stack When adding a new member to a stack make sure that only the stack cables and no network cables are connected before powering up the new unit Make sure the links are not already connected to...

Page 139: ... Switch from the Stack The main point to remember when you remove a unit from the stack is to disconnect all the links on the stack member to be removed Also be sure to take the following actions Remove all the STP participating ports and wait to stabilize the STP Remove all the member ports of any Port Channels LAGs so there will not be any control traffic destined to those ports connected to thi...

Page 140: ...y selects a Standby unit from the existing stack units When the failed Master resumes normal operation it joins the stack as a member not a Master if the new Master unit has already been elected The Master unit copies its running configuration to the Standby unit whenever it changes subject to some restrictions to reduce overhead This enables the Standby unit to take over the stack operation with ...

Page 141: ...tocol may enlist the cooperation of its neighbors through a technique known as graceful restart 3 A protocol may simply restart after the failover if neighbors react slowly enough that they will not normally detect the outage The NSF feature enables the Management unit to synchronize the running config within 60 seconds after a configuration change has been made However if a lot of configuration c...

Page 142: ... backup unit the checkpoint service notifies applications to start a complete checkpoint After the initial checkpoint is done applications checkpoint changes to their data Table 8 1 lists the applications on the switch that checkpoint data and describes the type of data that is checkpointed NOTE The switch cannot guarantee that a backup unit has exactly the same data that the Management Unit has w...

Page 143: ...ts then both parts of the stack start using the same MAC addresses This can cause severe problems in the network IGMP MLD Snooping Multicast groups list of router ports last query data for each VLAN IPv6 NDP Neighbor cache entries iSCSI Connections LLDP List of interfaces with MED devices attached OSPFv2 Neighbors and designated routers OSPFv3 Neighbors and designated routers Route Table Manager I...

Page 144: ...AGs with members on multiple units within the stack when possible If a stack unit fails the system can continue to forward on the remaining members of the stack If your switch stack performs VLAN routing another way to take advantage of NSF is to configure multiple best paths to the same destination on different stack members If a unit fails the forwarding plane removes Equal Cost Multipath ECMP n...

Page 145: ...efault You can disable NSF in order to redirect the CPU resources consumed by data checkpointing Checkpointing only occurs when a backup unit is elected so there is no need to disable the NSF feature on a standalone switch When a new unit is added to the stack the new unit takes the configuration of the stack including the NSF setting ...

Page 146: ...ails about the fields on a page click at the top of the page Unit Configuration Use the Unit Configuration page to change the unit number and unit type Management Member or Standby To display the Unit Configuration page click System Stack Management Unit Configuration in the navigation panel Figure 8 2 Stack Unit Configuration NOTE The changes you make to the Stacking configuration pages take effe...

Page 147: ... Type for a Stack Member To change the switch ID or type 1 Open the Unit Configuration page 2 Click Add to display the Add Unit page Figure 8 3 Add Remote Log Server Settings 3 Specify the switch ID and select the model number of the switch 4 Click Apply ...

Page 148: ...ck Stack Summary Use the Stack Summary page to view a summary of switches participating in the stack To display the Stack Summary page click System Stack Management Stack Summary in the navigation panel Figure 8 4 Stack Summary ...

Page 149: ...hether the firmware image on a new stack member can be automatically upgraded or downgraded to match the firmware image of the stack master To display the Stack Firmware Synchronization page click System Stack Management Stack Firmware Synchronization in the navigation panel Figure 8 5 Stack Firmware Synchronization ...

Page 150: ...hes page to view information regarding each type of supported switch for stacking and information regarding the supported switches To display the Supported Switches page click System Stack Management Supported Switches in the navigation panel Figure 8 6 Supported Switches ...

Page 151: ...bout the stackable ports This screen displays the unit the stackable interface the configured mode of the interface the running mode as well as the link status and link speed of the stackable port To display the Stack Port Summary page click System Stack Management Stack Port Summary in the navigation panel Figure 8 7 Stack Port Summary ...

Page 152: ...d statistics including data rate and error rate To display the Stack Port Counters page click System Stack Management Stack Point Counters in the navigation panel Figure 8 8 Stack Port Counters Stack Port Diagnostics The Stack Port Diagnostics page is intended for Field Application Engineers FAEs and developers only ...

Page 153: ...er to the standby unit click Initiate Failover The failover results in a warm restart of the master unit in the stack Initiating a failover reloads the Management Unit triggering the backup unit to take over NOTE The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over Management Unit responsibility To configure NSF on a ...

Page 154: ...he Checkpoint Statistics page to view information about checkpoint messages generated by the master unit To display the Checkpoint Statistics page click System Stack Management Checkpoint Statistics in the navigation panel Figure 8 10 Checkpoint Statistics ...

Page 155: ...The running configuration is cleared when the units reset stack Enter Global Stack Configuration mode movemanagement from_unit to_unit Move the management switch functionality from one switch to another standby unit Specify the stack member that will come up as the master if a stack failover occurs set description unit Configure a description for the specified stack member member unit SID Add a sw...

Page 156: ...es while a backup unit takes over Management Unit responsibility Additional NSF commands are available in OSPF and OSPFv3 command modes For more information see NSF OSPF Summary on page 951 and NSF OSPFv3 Configuration on page 968 Command Purpose show switch stack member number View information about all stack members or the specified member show stack standby View the ID of the switch that will a...

Page 157: ... stacking and NSF feature act in various environments This section contains the following examples Basic Failover Preconfiguring a Stack Member NSF in the Data Center NSF and VoIP NSF and DHCP Snooping NSF and the Storage Access Network NSF and Routed Access show checkpoint statistics View information about checkpoint messages generated by the master unit clear checkpoint statistics Reset the chec...

Page 158: ...en all four units are up and running the show switch CLI command gives the following output console show switch SW Management Status Standby Status Preconfig Model ID Plugged in Model ID Switch Status Code Version 1 Stack Member PCT7048 PCT7048 OK 9 19 0 2 2 Stack Member PCT7048 PCT7048 OK 9 19 0 2 3 Mgmt Switch PCT7048 PCT7048 OK 9 19 0 2 4 Stack Member PCT7048 PCT7048 OK 9 19 0 2 ...

Page 159: ...sole configure console config stack console config stack no member 2 console config stack exit console config exit console show switch SW Management Status Standby Status Preconfig Model ID Plugged in Model ID Switch Status Code Version 1 Stack Member PCT7048 PCT7048 OK 9 19 0 2 2 Unassigned PCT7048 Not Present 0 0 0 0 3 Mgmt Switch PCT7048 PCT7048 OK 9 19 0 2 4 Stack Member PCT7048 PCT7048 OK 9 1...

Page 160: ...048R switch To configure the switch 1 View the list of SIDs to determine which SID identifies the switch to preconfigure console show supported switchtype 2 Preconfigure the 7048P switch SID 6 as member number 2 in the stack console configure console config stack console config stack member 2 6 console config stack exit console config exit SID Switch Mode ID Code Type 1 PCM6348 0x100b000 2 PCT7024...

Page 161: ...ields have been omitted from the following output due to space limitations console show switch SW Management Status Standby Status Preconfig Model ID Plugged in Model ID Switch Status Code Version 1 Mgmt Sw PCT7048R PCT7048R OK M 10 2 2 Unassigned PCT7048P Not Present 0 0 0 0 ...

Page 162: ...ng tree is enabled on the VLAN Assume spanning tree selects AS1 as the root bridge Assume the LAG to AS1 is the root port on the stack and the LAG to AS2 is discarding Unit 1 is the Management Unit If unit 1 fails the stack removes the Unit 1 link to AS1 from its LAG The stack forwards outgoing packets through the Unit 2 link to AS1 during the failover During the failover the stack continues to se...

Page 163: ...remaining LAG member If phone B has learned VLAN or priority parameters through LLDP MED it continues to use those parameters The stack resumes sending LLDPDUs with MED TLVs once the control plane restarts Phone B may miss an LLDPDU from the stack but should not miss enough PDUs to revert its VLAN or priority assuming the administrator has not reduced the LLDPDU interval or hold count If phone B i...

Page 164: ...nd source MAC address Dynamic ARP Inspection DAI uses the bindings database to verify that ARP messages contain a valid sender IP address and sender MAC address DHCP snooping checkpoints its bindings database Figure 8 14 NSF and DHCP Snooping If the Management Unit fails all hosts connected to that unit lose network access until that unit reboots The hardware on surviving units continues to enforc...

Page 165: ...ess switch the hardware traps ARP packets to the CPU on untrusted ports During a restart the control plane drops ARP packets Thus new traffic sessions may be briefly delayed until after the control plane restarts If IPSG is enabled and a DHCP binding is not checkpointed to the backup unit before the failover that host will not be able to send data packets until it renews its IP address lease with ...

Page 166: ...n the disk array The hardware forwards the packets to establish this new session but assuming the session is established before the control plane is restarted on the backup unit the new session receives no priority treatment in the hardware Session B remains established and fully functional throughout the restart and continues to receive priority treatment in the hardware Servers iSCSI Initiators ...

Page 167: ...s OSPF neighbors the aggregation routers that it is going through a graceful restart The grace LSAs reach the neighbors before they drop their adjacencies with the access router PIM starts sending hello messages to its neighbors on the aggregation routers using a new generation ID to prompt the neighbors to quickly resend multicast routing information PIM neighbors recognize the new generation ID ...

Page 168: ...hes and the control plane deletes any stale unicast routes not relearned at this point The forwarding plane reconciles L3 multicast hardware tables Throughout the process the hosts continue to receive their multicast streams possibly with a short interruption as the top aggregation router learns that one of its LAG members is down The hosts see no more than a 50 ms interruption in unicast connecti...

Page 169: ...anagement Access CLI Management Access Configuration Examples Management Access Control Overview By default management access to the switch through the out of band OOB port and in band switch ports requires a user account to be configured on the switch A user can access the switch management interface only after providing a valid username and password combination that matches the user account info...

Page 170: ...ce The database contains a username with an associated password and security level The supported security levels are Read Write 15 Read Only 1 and Suspended 0 Password management features Includes settings such as minimum password length password aging password reuse rules password strength criteria and number of login attempts allowed Line and Enable passwords Passwords to allow only authorized u...

Page 171: ...gement interface The authentication method can be one or more of the following ENABLE Uses the enable password for authentication IAS Uses the Internal Authentication Server database for 801X port based authentication LINE Uses the Line password for authentication LOCAL Uses the ID and password in the Local User Database for authentication RADIUS Sends the user s ID and password will be authentica...

Page 172: ...ement Access TACACS Terminal Access Controller Access Control System provides access control for networked devices via one or more centralized servers TACACS simplifies authentication by making use of a single database that can be shared by many clients on a large network TACACS uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to encrypt all messages...

Page 173: ...ls or times out for a higher priority server You can configure each server host with a specific connection type port timeout and shared key or you can use global configuration for the key and timeout The TACACS server can do the authentication itself or redirect the request to another back end device All sensitive information is encrypted and the shared secret is never passed over the network it i...

Page 174: ...US standard has become the protocol of choice by administrators of large accessible networks To accomplish the authentication in a secure manner the RADIUS client and RADIUS server must both be configured with the same shared password or secret This secret is used to generate one way encrypted authenticators that are present in all RADIUS packets The secret is never transmitted over the network RA...

Page 175: ...the user it returns a challenge and the request process begins again If you use a RADIUS server to authenticate users you must configure user attributes in the user database on the RADIUS server The user attributes include the user name password and privilege level The following example shows an entry in the FreeRADIUS etc raddb users file that allows a user name admin to log onto the switch with ...

Page 176: ...ADIUS Server Name designate one server as the primary and the other s as the backup server s The switch attempts to use the primary server first and if the primary server does not respond the switch attempts to use one of the backup servers with the same RADIUS Server Name A priority value can be configured to determine which backup server to contact How Does the Switch Determine Which RADIUS Serv...

Page 177: ...f the configured priority value of the name2 server is lower lower value indicates higher priority the request would be sent to the name1 servers The request is sent to the name2 server only if the name1 server fails to respond To provide additional redundancy the administrator can configure additional servers within the named groups for example Server name is name1 and address is 1 1 1 3 Server n...

Page 178: ...Captive Portal see Configuring a Captive Portal on page 445 The RADIUS server can provide VLAN assignments to devices connected to the switch ports For information about RADIUS assigned VLANs see Dynamic VLAN Creation on page 510 Default Management Security Values By default the only management access to the switch is through the console port and no authentication is required Table 9 2 describes t...

Page 179: ... required The methods can be changed but the preconfigured profiles cannot be deleted or renamed Local User Database No users are defined Line and Enable passwords No passwords are configured TACACS No TACACS servers are defined RADIUS No RADIUS servers are defined Telnet New Telnet sessions are allowed and the default port is 23 SSH SSH access to the switch is disabled HTTP HTTP access to the swi...

Page 180: ...ss Profile Use the Access Profile page to define a profile and rules for accessing the switch You can limit access to specific management functions to specific ingress interfaces and or to source IP address and or source IP subnets Management access can be separately defined for each type of management access method including Web HTTP Secure web HTTPS Telnet SSH TFTP and SNTP To display the Access...

Page 181: ...gement access and then click Apply In Figure 9 4 the Access Profile name is mgmt_ACL and access is permitted on VLAN 1 from any host in the 10 27 65 0 24 subnet Access on VLAN 1 from a host in any other subnet is denied Figure 9 4 Add an Access Profile 5 Click Add Rule 6 If desired configure additional access rules to add to the profile and then click Apply NOTE Assigning an access profile to an i...

Page 182: ...at allows management access to a host in the 10 27 65 0 24 subnet that is connected to Port 1 The rule priority is 2 This rule might be necessary if Port 1 is not a member of VLAN 1 Figure 9 5 Add an Access Profile Rule 7 Click Show All to view information about the Access Profile and its rules ...

Page 183: ...profile select the Set Active Access Profile option and then click Apply In the Figure 9 7 mgmt_ACL is active and the configured rules are being enforced Figure 9 7 Activate the Access Profile NOTE The switch enforces the profile rules only if the profile is active If an access profile is not activated the device can be accessed by any host and on any interface ...

Page 184: ...m Management Security Authentication Profiles in the navigation panel Figure 9 8 Authentication Profiles Adding and Configuring an Authentication Profile To configure an authentication profile 1 Open the Authentication Profiles page 2 Click Add to display the Add Authentication Profiles page 3 Enter a name for the Authentication Profile 4 Select the authentication methods to use for the profile Th...

Page 185: ...Click Apply A profile is created You can apply the newly created authentication profile to an access method by using the System Management Security Select Authentication page For example you can select myList as the login authentication for anyone who connects to the switch by using Telnet NOTE To use the LINE or ENABLE method you must first define passwords for these methods For more information ...

Page 186: ...186 Controlling Management Access 6 To view the existing Authentication Profiles and the order in which the login methods are used click Show All Figure 9 10 View Authentication Profile Table ...

Page 187: ...gement access methods For example console users can be authenticated by Authentication Profile List 1 while Telnet users are authenticated by Authentication Profile List 2 To display the Select Authentication page click System Management Security Select Authentication in the navigation panel Figure 9 11 Select Authentication ...

Page 188: ... length is 8 when password length checking is enabled Password expiration Preventing frequent password reuse Locking out users out after failed login attempts Local users only Users authenticated by RADIUS and TACACS are subject to the policies defined by the RADIUS or TACACS server Several types of minimum and maximum character entries Keywords to prohibit as passwords To display the Password Man...

Page 189: ...igure 9 12 Password Management Adding Excluded Keywords To prevent keywords from being used in passwords 1 Make sure Create is selected from the Password Exclude keyword menu 2 Specify the keyword to exclude 3 Click Add Excluded Keyword ...

Page 190: ... Set Result page to view information about the most recently configured password for a user in the Local User Database To display the Last Password Set Result page click System Management Security Last Password Set Result in the navigation panel Figure 9 13 Last Password Set Result ...

Page 191: ...se to authenticate attempts to login to the switch by users configured in the Local User Database Each user in the database can have a different list applied To display the User Login Configuration page click System Management Security User Login Configuration in the navigation panel Figure 9 14 User Login Configuration ...

Page 192: ...nts have been suspended This page also contains fields to allow you to configure SNMPv3 settings for users in the local database For more information about SNMPv3 users see SNMPv3 User Security Model USM on page 321 To display the Local User Database page click System Management Security Local User Database in the navigation panel Figure 9 15 Local User Database ...

Page 193: ...ick Add to display the Add a New User page 3 Specify a login name select the access level and type retype the password Figure 9 16 Add a New User 4 Click Apply The user s login information is added to the local database 5 To view the existing Authentication Profiles and the order in which the login methods are used click Show All ...

Page 194: ...the Line Password page click System Management Security Line Password in the navigation panel Figure 9 17 Line Password Enable Password Use the Enable Password page to set a local password to control CLI access to normal and privilege levels To display the Enable Password page click System Management Security Enable Password in the navigation panel Figure 9 18 Enable Password ...

Page 195: ...login and through user names and user defined passwords Authorization Performed at login Once the authentication session is completed an authorization session starts using the authenticated user name The TACACS server checks the user privileges The TACACS protocol ensures network security through encrypted protocol exchanges between the device and TACACS server To display the TACACS Settings page ...

Page 196: ... to authenticate users 4 Enter additional information about the TACACS host Priority 0 is the highest Port default is 49 Authentication and encryption key for communication between the switch and the TACACS host default is no key Timeout default is 5 seconds Figure 9 20 Add a TACACS Host 5 Click Apply The user s login information is added to the local database 6 To view edit or remove a TACACS hos...

Page 197: ...guration Use the RADIUS Global Configuration page to configure that affect all RADIUS servers that are configured on the switch To display the RADIUS Global Configuration page click System Management Security RADIUS Global Configuration in the navigation panel Figure 9 22 RADIUS Global Configuration ...

Page 198: ... switch supports up to 32 named authentication and accounting servers To access the RADIUS Server Configuration page click System Management Security RADIUS Server Configuration in the navigation panel Figure 9 23 RADIUS Server Configuration Adding and Configuring RADIUS Server Information To configure a RADIUS server 1 Open the RADIUS Server Configuration page 2 Click Add to display the Add RADIU...

Page 199: ...tion about the RADIUS server 7 If more than one RADIUS server has been added select the IP address of the RADIUS server to configure 8 To configure a shared secret select the Apply check box and enter the text in the Secret field 9 To make the selected RADIUS server the primary server in the named RADIUS Server Group select Enable from the Primary Server menu 10 Click Apply 11 To view or remove a ...

Page 200: ...onfigure settings for a new or existing RADIUS accounting server and view RADIUS accounting server status information The RADIUS client on the switch supports up to 32 named authentication and accounting servers To access the RADIUS Accounting Server Configuration page click System Management Security RADIUS Accounting Server Configuration in the navigation panel Figure 9 26 RADIUS Accounting Serv...

Page 201: ...ame name for multiple RADIUS accounting servers RADIUS clients can use RADIUS accounting servers with the same name as backups for each other Figure 9 27 Add RADIUS Accounting Server 5 Click Apply 6 Click RADIUS Accounting Server Configuration to return to the main page and configure additional information about the RADIUS accounting server 7 If more than one server has been added select the IP ad...

Page 202: ...the RADIUS Accounting Server Statistics page to view statistical information for each RADIUS accounting server configured on the system To access the RADIUS Accounting Server Statistics page click System Management Security RADIUS Accounting Server Statistics in the navigation panel Figure 9 29 RADIUS Accounting Server Statistics ...

Page 203: ...DIUS Server Statistics page to view statistical information for each RADIUS server configured on the system To access the RADIUS Server Statistics page click System Management Security RADIUS Server Statistics in the navigation panel Figure 9 30 RADIUS Server Statistics ...

Page 204: ...ization Network RADIUS page you can enable the switch to accept VLAN assignment by the RADIUS server For more information about VLANs and RADIUS assigned VLANs see Dynamic VLAN Creation on page 510 To display the Authorization Network RADIUS page click System Management Security Authorization Network RADIUS in the navigation panel Figure 9 31 Authorization Network RADIUS ...

Page 205: ... 205 Telnet Server Use the Telnet Server page to enable or disable telnet service on the switch or to modify the telnet port To display the Telnet Server page click System Management Security Telnet Server Figure 9 32 Telnet Server ...

Page 206: ... of vulnerabilities which would interrupt the service of a host or make a network unstable Use the Denial of Service page to configure settings to help prevent DoS attacks To display the Denial of Service page click System Management Security Denial of Service in the navigation panel Figure 9 33 Denial of Service ...

Page 207: ...pting communication between the administrative system and the switch Use the Secure HTTP page to manage the HTTPS mode and certificate information that enables management of the switch through HTTPS To display the Secure HTTP page click System Management Security Secure HTTP Secure HTTP in the navigation panel Figure 9 34 Secure HTTP ...

Page 208: ...equest a certificate by using SSH 1 From the Secure HTTP page click SSH Request Figure 9 35 Secure HTTP SSH Request 2 Select the certificate number 3 Complete the fields that are relevant to the certificate 4 To import the certificate click Certificate Import 5 To request the certificate click Generate Request ...

Page 209: ...Controlling Management Access 209 Viewing Certificate Information To view the certificate request or to view the generated certificate click Show All Figure 9 36 View Certificate Requests ...

Page 210: ...f the switch through SSH To display the Secure Shell page click System Management Security Secure HTTP Secure Shell in the navigation panel Figure 9 37 Secure Shell The following buttons are available at the bottom of the page Download Host Keys Clicking this button opens the File Download page For more information about downloading files to the switch including SSH host key files see Managing Ima...

Page 211: ...at to generate SSH key files SSH must be administratively disabled and there must be no active SSH sessions Secure Public Key Configuration Use the Secure Public Key Configuration page to manually configure SSH public keys to use for authentication between the administrative system and the switch when using SSH To display the Secure HTTP page click System Management Security Secure HTTP Secure HTT...

Page 212: ...9 Secure Public Key Add 2 Specify the algorithm to use of the public key cryptography either DSA or RSA 3 Specify the user to associate with the public key 4 Click Configuration to return to the Secure Public Key page 5 Select the user name and type the key string 6 Click Apply 7 To view the manually configured public keys click Summary Figure 9 40 SSH Public Key Summary ...

Page 213: ...onfigure Enter Global Configuration mode management access list name Define an access list for management and enter the access list for configuration permit ip source ip address mask mask prefix length interface type interface number service service priority priority value Allow access to the management interface from hosts that meet the specified IP address value and other optional criteria inter...

Page 214: ...ccess to the management interface from the specified service exit Exit to Global Configuration mode management access class console only name Activate the management ACL or restrict access so that it is available only through the console port exit Exit to Privileged EXEC mode show management access class Display information about the active management access list show management access list name D...

Page 215: ...name of the user Range 1 20 characters password The authentication password for the user Range 8 64 characters This value can be 0 zero if the no passwords min length command has been executed level Supported levels are 15 Read Write access 1 Read Only access 0 Suspend this can be assigned by a level 15 user to another user to suspend that user s access encrypted Encrypted password entered copied ...

Page 216: ... of methods when a user logs in list name Character string used to name the list of authentication methods activated when a user logs in Range 1 12 characters method1 method2 Specify at least one method from the following list enable line local none radius tacacs NOTE The additional methods of authentication are used only if the previous method returns an error not if there is an authentication fa...

Page 217: ...ion methods View information about the configured authentication lists and the lists that are in use for login and enable access Command Purpose configure Enter Global Configuration mode passwords aging age Specify the number of days 1 365 a password can exist before it is expired passwords history historylength Set the number of previous passwords that are stored to ensure that users do not reuse...

Page 218: ...6 passwords strength minimum special characters min Enforce a minimum number of special characters that a password should contain The valid range is 0 16 passwords strength maximum consecutive characters min Enforce a maximum number of consecutive characters that a password can contain For example abcd is four consecutive characters If the password has more consecutive characters than the limit it...

Page 219: ...ords result View information about the last password configuration attempt and whether it was successful Command Purpose configure Enter Global Configuration mode radius server host acct auth ipaddress hostname Specify a RADIUS server host and enter RADIUS Configuration mode acct auth The type of server accounting or authentication If no type is specified the type is authentication ipaddress The R...

Page 220: ...he same server name exit Exit to Global Configuration mode aaa accounting network default start stop group radius Enable RADIUS accounting on the switch exit Exit to Privileged EXEC mode show aaa servers accounting authentication name servername Display the list of configured RADIUS servers and the values configured for the global parameters of the RADIUS client accounting This optional parameter ...

Page 221: ...y the server Command Purpose configure Enter Global Configuration mode tacacs server host ip address hostname Configure a TACACS server and enter into the TACACS configuration mode key key string Set the authentication and encryption key for all TACACS communications between the switch and the TACACS server NOTE You can also use the tacacs server key key string command in Global Configuration mode...

Page 222: ... public key authentication for incoming SSH sessions crypto key pubkey chain ssh Enter Public Key Configuration mode in order to manually specify public keys such as SSH client public keys user key username rsa dsa Specify which SSH public key you are configuring manually and enter SSH Public Key Configuration mode username Specifies the remote SSH client username Range 1 48 characters rsa RSA key...

Page 223: ...ion mode ip http server Enable HTTP access to the switch enabled by default crypto certificate number generate Generate a self signed HTTPS certificate and enter into Crypto Certificate Generation mode number Specifies the certificate number Range 1 2 common name name Specifies the common name country name Specifies the country name duration days Specifies number of days a self signed certificatio...

Page 224: ...ion mode crypto certificate number import Import the certificate into the switch by pasting an external certificate signed by the Certification Authority to the switch To end the session add a period on a separate line after the input and press ENTER This certificate replaces the self signed certificate If the public key found in the certificate does not match the switch s SSL RSA key the command ...

Page 225: ... enabled dos control firstfrag size Enable Minimum TCP Header Size Denial of Service protection where size is the TCP header size Range 0 255 dos control tcpfrag Enable TCP Fragment Denial of Service protection If packets ingress having IP Fragment Offset equal to one 1 the packets are dropped dos control tcpflag Enable TCP Flag Denial of Service protections If packets ingress having TCP Flag SYN ...

Page 226: ... Service protections where size is the Maximum ICMP packet size Range 0 16376 If ICMP Echo Request PING packets ingress having a size greater than the configured value the packets are dropped exit Exit to Privileged EXEC mode show dos control View the current DoS protection settings Command Purpose ...

Page 227: ...s from any other hosts and on any other interfaces is denied To configure the switch 1 Create a management ACL and enter the configuration mode for the ACL console configure console config management access list mgmt_ACL 2 Create a rule that allows access from hosts in the 10 27 65 0 network on VLAN 1 and assign a priority of 1 to the rule console config macl permit ip source 10 27 65 0 mask 255 2...

Page 228: ...the Primary and Secondary RADIUS Servers The commands in this example configure primary and secondary RADIUS servers that the switch will use to authenticate access The RADIUS servers belong to the same named server group Dell RADIUS and use the same RADIUS secret test1234 A third RADIUS server is configured as an accounting server and RADIUS accounting is globally enabled To configure the switch ...

Page 229: ...counting network default start stop group radius console config exit 5 View the configured RADIUS servers console show aaa servers IP address Type Port TimeOut Retran DeadTime Src IP Prio Usage 10 27 65 104 Auth 1812 Global Global Global Global 0 all 10 27 65 103 Auth 1812 Global Global Global Global 0 all 10 27 65 114 Acct 1813 N A N A N A N A N A N A Global values Number of Configured Authentica...

Page 230: ...List radius local 2 Enter line configuration mode for Telnet and specify that any attempt to access the switch by using Telnet are authenticated using the methods defined in the profile created in the previous step console config line telnet console config telnet login authentication myList console config telnet exit 3 Enter line configuration mode for SSH and specify that any attempt to access th...

Page 231: ...word Lockout To define the password lockout policy 1 Configuring the password lockout for a user requires the following steps Define the local user name and password 2 Select or configure an authentication policy for the access method line SSH Telnet 3 Set the password lockout policy globally The password lockout feature applies only to users configured in the local user database that log on to th...

Page 232: ... few extra steps because the serial port by default does not have an access method that enables password lockout By default Telnet and SSH access methods have password lockout enabled through the networkList authentication method With the exception of the line console command the steps in this example are similar to the steps required for enabling lockout for a user on the out of band port To conf...

Page 233: ...ists defaultList none networkList local Enable Authentication Method Lists enableList none Line Login Method List Enable Method List Console defaultList enableList Telnet networkList enableList SSH networkList enableList HTTPS local HTTP local DOT1X 5 Configure the serial port for network local authentication Telnet and SSH are already configured for password lockout because it has been globally e...

Page 234: ... of local user abc User abc Password Enter invalid password User abc Password Enter invalid password User abc Password User 188 FEB 04 19 44 52 10 27 22 46 1 USER_MGR 183162896 user_mgr c 1640 695 User abc locked out on authentication failure Enter valid password User abc Password Login is silently rejected User ...

Page 235: ...s Monitored The CLI and web based interfaces provide information about physical aspects of the switch such as system health and cable diagnostics as well as information about system events such as management login history The switch also reports system resource usage The system logging utility can monitor a variety of events including the following System events System state changes and errors tha...

Page 236: ... RAM cache This collection of log files is called the RAM log or buffered log When the RAM log file reaches the configured maximum size the oldest message is deleted from the RAM when a new message is added If the system restarts all messages are cleared In addition to the RAM log you can specify that log files are sent to the following sources Console If you are connected to the switch CLI throug...

Page 237: ...s the first 32 messages received after system reboot The log file stops when it is full The second log type is the system operation log The system operation log stores the last 1000 messages received during system operation The oldest messages are overwritten when the file is full A message is only logged in one file On system startup if the Log file is enabled the startup log stores messages up t...

Page 238: ... This consists of the facility code see RFC 3164 multiplied by 8 and added to the severity The log messages use the local7 facility code 23 Timestamp This is the system up time For systems that use SNTP this is UTC When time zones are enabled local time will be used Host IP address This is the IP address of the local system Stack ID This is the assigned stack ID The number 1 is used for systems wi...

Page 239: ...ty level warning and above and RAM log severity level informational and above Switch auditing CLI command logging Web logging and SNMP logging are disabled No messages are sent to the log file that is stored in flash and no remote log servers are defined Email alerting is disabled and no recipient email address is configured Additionally no mail server is defined If you add a mail server by defaul...

Page 240: ...The Device Information page displays after you successfully log on to the switch by using the Dell OpenManage Switch Administrator This page is a virtual representation of the switch front panel Use the Device Information page to view information about the port status system status and the switch stack Click on a port to access the Port Configuration page for the selected port To display the Devic...

Page 241: ...Monitoring and Logging System Information 241 Figure 10 2 Stack View For more information about the device view features see Understanding the Device View on page 102 ...

Page 242: ...g System Information System Health Use the Health page to view status information about the switch power and ventilation sources To display the Health page click System General Health in the navigation panel Figure 10 3 Health ...

Page 243: ...on 243 System Resources Use the System Resources page to view information about memory usage and task utilization To display the System Resources page click System General System Resources in the navigation panel Figure 10 4 System Resources ...

Page 244: ...r Usage History Use the Unit Power Usage History page to view information about switch power consumption To display the Unit Power Usage History page click System General Unit Power Usage History in the navigation panel Figure 10 5 Unit Power Usage History ...

Page 245: ...to test the quality and characteristics of a copper cable attached to a port Cables up to 120 meters long can be tested Cables are tested when the ports are in the down state with the exception of the Approximated Cable Length test To display the Integrated Cable Test for Copper Cables page click System Diagnostics Integrated Cable Test in the navigation panel Figure 10 6 Integrated Cable Test for...

Page 246: ... Cable Test Summary Optical Transceiver Diagnostics Use the Optical Transceiver Diagnostics page to perform tests on Fiber Optic cables To display the Optical Transceiver Diagnostics page click System Diagnostics Optical Transceiver Diagnostics in the navigation panel NOTE Optical transceiver diagnostics can be performed only when the link is present ...

Page 247: ...ging System Information 247 Figure 10 8 Optical Transceiver Diagnostics To view a summary of all optical transceiver diagnostics tests performed click the Show All link Figure 10 9 Optical Transceiver Diagnostics Summary ...

Page 248: ...d flash based log file The Severity table lists log messages from the highest severity Emergency to the lowest Debug When you select a severity level all higher levels are automatically selected To prevent log messages from being sent to the console RAM log or flash log file clear all check boxes in the Severity column To display the Global Settings page click System Logs Global Settings in the na...

Page 249: ... the RAM Log page to view information about specific RAM cache log entries including the time the log was entered the log severity and a description of the log To display the RAM Log click System Logs RAM Log in the navigation panel Figure 10 11 RAM Log Table ...

Page 250: ... description of the log To display the Log File click System Logs Log File in the navigation panel Figure 10 12 Log File Remote Log Server Use the Remote Log Server page to view and configure the available log servers to define new log servers and to set the severity of the log events sent to the server To display the Remote Log Server page click System Logs Remote Log Server ...

Page 251: ... Remote Log Server Adding a New Remote Log Server To add a log server 1 Open the Remote Log Server page 2 Click Add to display the Add Remote Log Server page 3 Specify the IP address or hostname of the remote server 4 Define the UDP Port and Description fields ...

Page 252: ... Log Server 5 Select the severity of the messages to send to the remote server 6 Click Apply Click the Show All link to view or remove remote log servers configured on the system NOTE When you select a severity level all higher severity levels are automatically selected ...

Page 253: ...ration page to enable the email alerting feature and configure global settings so that system log messages can be sent to from the switch to one or more email accounts To display the Email Alert Global Configuration page click System Email Alerts Email Alert Global Configuration in the navigation panel Figure 10 16 Email Alert Global Configuration ...

Page 254: ...ail alert messages To display the Email Alert Mail Server Configuration page click System Email Alerts Email Alert Mail Server Configuration in the navigation panel Figure 10 17 Email Alert Mail Server Configuration Adding a Mail Server To add a mail server 1 Open the Email Alert Mail Server Configuration page 2 Click Add to display the Email Alert Mail Server Add page 3 Specify the hostname of th...

Page 255: ... Click Apply 5 If desired click Configuration to return to the Email Alert Mail Server Configuration page to specify port and security settings for the mail server Click the Show All link to view or remove mail servers configured on the switch Figure 10 19 Show All Mali Servers ...

Page 256: ... sent by the switch You can customize the subject for the message severity and entry status To display the Email Alert Subject Configuration page click System Email Alerts Email Alert Subject Configuration in the navigation panel Figure 10 20 Email Alert Subject Configuration To view all configured email alert subjects click the Show All link Figure 10 21 View Email Alert Subjects ...

Page 257: ...ple recipients and associate different message severity levels with different recipient addresses To display the Email Alert To Address Configuration page click System Email Alerts Email Alert To Address Configuration in the navigation panel Figure 10 22 Email Alert To Address Configuration To view configured recipients click the Show All link Figure 10 23 View Email Alert To Address Configuration...

Page 258: ...mail Alert Statistics page to view the number of emails that were successfully and unsuccessfully sent and when emails were sent To display the Email Alert Statistics page click System Email Alerts Email Alert Statistics in the navigation panel Figure 10 24 Email Alert Statistics ...

Page 259: ...leged EXEC mode use the following commands to run the cable diagnostic tests Command Purpose show system Display various system information show system power Displays the power supply status show system temperature Displays the system temperature and fan status show memory cpu Displays the total and available RAM space on the switch show process cpu Displays the CPU utilization for each process cu...

Page 260: ...odes EEE or energy detect mode on the port before running the test The interface is specified in unit slot port format For example 1 0 3 is GbE interface 3 on unit 1 of the stack show copper ports tdr interface Display diagnostic information about all ports or a specified port show fiber ports optical transceiver interface Display the optical transceiver diagnostics for all ports Include the inter...

Page 261: ...isc name Optional Include a message discriminator to help filter log messages The disc name can contain up to eight alphanumeric characters Spaces are not permitted severity Optional Enter the number or name of the desired severity level For information about severity levels see Table 10 1 logging facility facility type Set the facility for logging messages Permitted facility type values are local...

Page 262: ...n mode for the specified log server description description Describe the log server Use up to 64 characters If the description includes spaces surround it with quotation marks level severity Specify the severity level of the logs that should be sent to the remote log server For information about severity levels see Table 10 1 port udp port Specify the UDP port to use for sending log messages The r...

Page 263: ...nfiguration mode for the mail server security tlsvl none Optional Specify the security protocol to use with the mail server port 25 465 Configure the TCP port to use for SMTP which can be 25 SMTP or 465 SMTP over SSL username username If the SMTP server requires authentication specify the username to use for the switch The same username and password settings must be configured on the SMTP host pas...

Page 264: ...For information about severity levels see Table 10 1 Log messages below the specified level are not emailed logging email urgent severity none Determine which log messages are critical and should be sent in a single email as soon as they are generated severity Optional Enter the number or name of the severity level for critical messages For information about severity levels see Table 10 1 logging ...

Page 265: ...recipient to verify that the feature is properly configured CTRL Z Exit to Privileged EXEC mode show logging email config View the configured settings for email alerts show logging email statistics View information about the number of emails sent and the time they were sent clear logging email statistics Clear the email alerting statistics Command Purpose ...

Page 266: ...n the console and sent to a remote syslog server To configure the switch 1 Enable switch auditing and CLI command logging console configure console config logging audit console config logging cli command 2 Specify where the logs are sent locally and what severity level of message is to be logged You can specify the severity as the level number as shown in the first two commands or as the keyword s...

Page 267: ...ages 748 Dropped Buffer Logging level notifications Buffer Messages 79 Logged File Logging level critical File Messages 973 Dropped CLI Command Logging enabled Switch Auditing enabled Web Session Logging disabled SNMP Set Command Logging disabled Syslog server 192 168 2 10 logging debug Messages 0 dropped 412 Messages dropped due to lack of resources Buffer Log 186 FEB 02 05 53 03 0 0 0 0 1 UNKN 1...

Page 268: ...will be sent in a single email every 120 minutes Warning notice info and debug messages are not sent in an email The email the administrator will in the inbox has a format similar to the following Figure 10 25 Email Alert Message Format For emergency level messages the subject is LOG MESSAGE EMERGENCY For messages with a severity level of alert critical and error the subject is LOG MESSAGE To conf...

Page 269: ...where email alerts should be sent console config logging email message type both to addr administrator dell com 6 Specify the text that will appear in the email alert Subject line console config logging email message type urgent subject LOG MESSAGES EMERGENCY console config logging email message type non urgent subject LOG MESSAGES 7 Verify the configuration console show mail server all config Mai...

Page 270: ...evel 3 Email Alert Trap Severity Level 6 Email Alert Notification Period 120 min Email Alert To Address Table For Msg Type 1 Address1 administrator dell com For Msg Type 2 Address1 administrator dell com Email Alert Subject Table For Msg Type 1 subject is LOG MESSAGES EMERGENCY For Msg Type 2 subject is LOG MESSAGE ...

Page 271: ...em Settings Web Configuring System Settings CLI General System Settings Configuration Examples System Settings Overview The system settings include the information described in Table 11 1 This information helps identify the switch Table 11 1 System Information Feature Description System Name The switch name host name If you change the system name the CLI prompt changes from console to the system n...

Page 272: ... switches and have SDM Template Determines the maximum resources a switch or router can use for various features For more information see What Are SDM Templates on page 273 Table 11 2 Time Settings Feature Description SNTP Controls whether the switch obtains its system time from an SNTP server and whether communication with the SNTP server requires authentication and encryption You can configure i...

Page 273: ... of scaling factors enabling different allocations of resources depending on how the device is used In other words SDM templates enable you to reallocate system resources to support a different mix of features based on your network requirements PowerConnect 7000 Series switches support the following three templates Dual IPv4 and IPv6 default IPv4 Routing IPv4 Data Center Table 11 3 describes the p...

Page 274: ...e established by Stratums Stratums define the accuracy of the reference clock The higher the stratum where zero is the highest the more accurate the clock The switch is at a stratum that is one lower than its time source For example if the SNTP server in an internal network is a Stratum 3 device the switch is a Stratum 4 device You can configure the switch to request the time from an SNTP server o...

Page 275: ...cking to Ethernet or vice versa The CX 4 modules will operate in the mode for which they are configured All other plug in modules will default to Ethernet mode upon rebooting the switch Before inserting a new module into the expansion slot issue a no slot or clear config command from the CLI so that the switch can recognize the new module What Are the Key PoE Plus Features for the PC7024P and PC70...

Page 276: ...e powered at the same time This feature is useful to efficiently power up more number of devices when the available power with the PoE switch is limited Power Detection Mode Allows you to set the mode to legacy or 4 point 802 3AF detection Enabling an additional high power setting will allow the detection of 802 1at devices Powered Device PD Disconnection Detection Mode Configurable setting to set...

Page 277: ...owing table shows the default PoE Plus settings for the PowerConnect 7024P and 7048P switches Table 11 5 PoE Plus Key Features 7024P and 7048P Only Feature Description Global Usage Threshold 96 Per Port Admin Status Auto Per Port Power Prioritization Enabled globally per port priority is Low Per Port Power Limit None Power Management Mode Dynamic Power Detection Mode 802 3af Only Powered Device PD...

Page 278: ...ect 7000 Series switch For details about the fields on a page click at the top of the page System Information Use the System Information page to configure the system name contact name location and asset tag To display the System Information page click System General System Information in the navigation panel Figure 11 1 System Information NOTE From the System Information page you can also initiate...

Page 279: ...neral System Information page click the Telnet link 2 Click the Telnet button Figure 11 2 Telnet 3 Select the Telnet client and click OK NOTE The Telnet client feature does not work with Microsoft Windows Internet Explorer 7 and later versions Initiating this feature from any browser running on a Linux operating system is not supported ...

Page 280: ...280 Managing General System Settings Figure 11 3 Select Telnet Client The selected Telnet client launches and connects to the switch CLI Figure 11 4 Telnet Session ...

Page 281: ...igure a message for the switch to display when a user connects to the switch by using the CLI You can configure different banners for various CLI modes and access methods To display the CLI Banner page click System General CLI Banner in the navigation panel Figure 11 5 CLI Banner ...

Page 282: ...ate resource settings and to select the template that the switch uses If you select a new SDM template for the switch to use you must reboot the switch before the template is applied To display the SDM Template Preference page click System General SDM Template Preference in the navigation panel Figure 11 6 SDM Template Preference ...

Page 283: ...the Clock page The Clock page also displays information about the time settings configured on the switch To display the Clock page click System Time Synchronization Clock in the navigation panel Figure 11 7 Clock NOTE The system time cannot be set manually if the SNTP client is enabled Use the SNTP Global Settings page to enable or disable the SNTP client ...

Page 284: ...or disable the SNTP client configure whether and how often the client sends SNTP requests and determine whether the switch can receive SNTP broadcasts To display the SNTP Global Settings page click System Time Synchronization SNTP Global Settings in the navigation panel Figure 11 8 SNTP Global Settings ...

Page 285: ... to remove the selected encryption key ID Click System Time Synchronization SNTP Authentication in the navigation panel to display the SNTP Authentication page Figure 11 9 SNTP Authentication Adding an SNTP Authentication Key To configure SNTP authentication 1 Open the SNTP Authentication page 2 Click the Add link NOTE The SNTP server must be configured with the same authentication information to ...

Page 286: ... be used to authenticate a unicast SNTP server select the Trusted Key check box If the check box is clear the key is untrusted and cannot be used for authentication 5 Click Apply The SNTP authentication key is added and the device is updated To view all configured authentication keys click the Show All link The Authentication Key Table displays You can also use the Authentication Key Table to remo...

Page 287: ...TP servers and to add new SNTP servers that the switch can use for time synchronization The switch can accept time information from both IPv4 and IPv6 SNTP servers To display the SNTP Server page click System Time Synchronization SNTP Server in the navigation panel If no servers have been configured the fields in the following image are not displayed ...

Page 288: ...288 Managing General System Settings Figure 11 12 SNTP Servers Defining a New SNTP Server To add an SNTP server 1 Open the SNTP Servers page 2 Click Add The Add SNTP Server page displays ...

Page 289: ...client on the switch and the SNTP server select the Encryption Key ID check box and then select the key ID to use To define a new encryption key see Adding an SNTP Authentication Key on page 285 To view all configured SNTP servers click the Show All link The SNTP Server Table displays You can also use the SNTP Server Table page to remove or edit existing SNTP servers NOTE The SNTP server must be c...

Page 290: ...290 Managing General System Settings Figure 11 14 SNTP Servers Table ...

Page 291: ...page click System Time Synchronization Summer Time Configuration in the navigation panel Figure 11 15 Summer Time Configuration To use the preconfigured summer time settings for the United States or European Union select the Recurring check box and specify USA or EU from the Location menu NOTE The fields on the Summer Time Configuration page change when you select or clear the Recurring check box ...

Page 292: ...igure time zone information including the amount time the local time is offset from UTC and the acronym that represents the local time zone To display the Time Zone Configuration page click System Time Synchronization Time Zone Configuration in the navigation panel Figure 11 16 Time Zone Configuration ...

Page 293: ... page to control the administrative status of the rear panel expansion slots Slot 1 or Slot 2 and to configure the plug in module to use in the slot To display the Card Configuration page click Switching Slots Card Configuration in the navigation panel Figure 11 17 Card Configuration ...

Page 294: ...l System Settings Slot Summary Use the Slot Summary page to view information about the expansion slot status To display the Slot Summary page click Switching Slots Summary in the navigation panel Figure 11 18 Slot Summary ...

Page 295: ...pported Cards Use the Supported Cards page to view information about the supported plug in modules for the switch To display the Supported Cards page click Switching Slots Supported Cards in the navigation panel Figure 11 19 Supported Cards ...

Page 296: ...ation 7024P 7048P Only Use the PoE Global Configuration page to configure the PoE settings for the switch To display the PoE Global Configuration page click System General Power over Ethernet Global Configuration in the navigation panel Figure 11 20 PoE Global Configuration ...

Page 297: ...oE settings From this page you can also access the PoE Counters table and PoE Port Table The PoE Port table allows you to view and configure PoE settings for multiple ports on the same page To display the PoE Interface Configuration page click System General Power over Ethernet Interface Configuration in the navigation panel Figure 11 21 PoE Interface Configuration ...

Page 298: ...for each port click Counters Figure 11 22 PoE Counters Table To view the PoE Port Table click Show All Figure 11 23 PoE Port Table If you change any settings for one or more ports on the PoE Port Table page click Apply to update the switch with the new settings ...

Page 299: ...urpose configure Enter Global Configuration mode hostname name Configure the system name The CLI prompt changes to the host name after you execute the command snmp server contact name Configure the name of the switch administrator If the name contains a space use quotation marks around the name snmp server location location Configure the switch location asset tag unit unit_id tag Configure the ass...

Page 300: ...sage that displays when you connect to the switch motd and login or enter User EXEC mode exec Use quotation marks around a message if it includes spaces line telnet ssh console Enter the terminal line configuration mode for Telnet SSH or the console motd banner Specify that the configured MOTD banner displays To prevent the banner from displaying enter no motd banner exec banner Specify that the c...

Page 301: ... with the same authentication information to allow time synchronization to take place between the two devices Command Purpose configure Enter Global Configuration mode sdm prefer dual ipv4 and ipv6 default ipv4 routing data center default Select the SDM template to apply to the switch after the next boot CTRL Z Exit to Privileged EXEC mode show sdm prefer template View information about the SDM te...

Page 302: ... determines which server the switch polls first The priority is 1 8 where 1 is the highest priority If you do not specify a priority the servers are polled in the order that they are entered key_id Optional Enter an authentication key to use The key must be previously defined by the sntp authentication key command sntp unicast broadcast client enable This command enables the SNTP client and allows...

Page 303: ... 13 minutes offset Minutes difference from UTC Range 0 59 acronym The acronym for the time zone Range Up to four characters clock summer time recurring usa eu week day month hh mm week day month hh mm offset offset zone acronym Use this command if the summer time starts and ends every year based on a set pattern For switches located in the United States or European Union use the usa or eu keywords...

Page 304: ...nge hh 0 23 mm 0 59 offset Number of minutes to add during the summertime Range 1 1440 acronym The acronym for the time zone to be displayed when summertime is in effect Range Up to four characters CTRL Z Exit to Privileged EXEC mode show clock detail View information about the time Include the detail keyword to view information about the time zone and summer time Command Purpose configure Enter G...

Page 305: ...er management mode for the switch 802 3af only IEEE 802 3af detection scheme is used 802 3af legacy IEEE 802 3af 4point detection scheme is used and when it fails to detect a connected PD legacy capacitive detection is used legacy only only legacy capacitive detection scheme is used interface interface Enter interface configuration mode for the specified port The interface variable includes the in...

Page 306: ... value The range of limit is 1000 31200 milliwatts power inline detection dot3af dot3af legacy legacy only Set the power management mode for the port This setting overrides the mode set for the switch in global configuration mode 802 3af only IEEE 802 3af detection scheme is used 802 3af legacy IEEE 802 3af 4point detection scheme is used and when it fails to detect a connected PD legacy capacitiv...

Page 307: ...eset the port You might use this command if the port is stuck in an Error state CTRL Z Exit to Privileged EXEC mode show power inline Display PoE information for the switch show power inline interface Display PoE information for the specified interface Command Purpose ...

Page 308: ...MOTD banner to alert other switch administrators of an upcoming event To configure the switch 1 Configure the hosts name console configure console config hostname PC7048 2 Configure the contact location and asset tag Notice that the prompt changed to the host name PC7048 config snmp server contact Jane Doe PC7048 config snmp server location RTP100 PC7048 config asset tag 006429 3 Configure the mes...

Page 309: ...ine Type PowerConnect 7048 Temperature Sensors Unit Temperature Celsius Status 1 43 OK Power Supplies Unit Description Status Source 1 Main OK AC 1 Secondary Error DC 5 View additional information about the system PC7048 show system id Service Tag Chassis Service Tag N A Serial Number 7024NX1011 Asset Tag unit 1 Unit Service tag Chassis Serv tag Serial number Asset tag 1 N A 70498NX1011 unit 1 6 I...

Page 310: ...hentication information The SNTP server must be configured with the same authentication key and ID console configure console config sntp authentication key 23456465 md5 sntpkey console config sntp trusted key 23456465 console config sntp authenticate 2 Specify the IP address of the SNTP server to poll and include the authentication key This command automatically enables polling and sets the priori...

Page 311: ...tication is required for synchronization Trusted keys 23456465 Unicast clients Enable Unicast servers Server Key Polling Priority 192 168 10 30 23456465 Enabled 1 4 View the SNTP status on the switch console show sntp status Client Mode Unicast Last Update Time MAR 01 09 12 43 2010 Unicast servers Server Status Last response 192 168 10 30 Other 09 12 43 Mar 1 2011 ...

Page 312: ...ure console config clock timezone 5 zone EST 2 Configure the summer time daylight saving time to use the preconfigured settings for the United States console config clock summer time recurring us 3 Set the local time and date console config clock set 16 13 06 03 01 2010 4 Verify the time settings console show clock detail 00 27 19 EST UTC 5 00 Feb 3 2039 No time source Time zone Acronym is EST Off...

Page 313: ... of a device through communication between an SNMP manager and an SNMP agent on the remote device The SNMP manager is typically part of a Network Management System NMS that runs on an administrative host The switch software includes Management Information Base MIB objects that the SNMP agent queries and modifies The switch uses standard public MIBs and private MIBs A MIB acts as a structured road ...

Page 314: ...hentication Timeliness Protects against message delay or message redundancy The SNMP agent compares incoming message to the message time information Key Management Defines key generation key updates and key use Authentication or Privacy Keys are modified in the SNMPv3 User Security Model USM What Are SNMP Traps SNMP is frequently used to monitor systems for fault conditions such as temperature vio...

Page 315: ...h Default SNMP Values By default SNMPv2 is automatically enabled on the device SNMPv1 and SNMPv3 are disabled To enable SNMPv3 you must define a local engine ID for the device The local engineID is by default set to the switch MAC address however when the switch operates in a stacking mode it is important to manually configure the local engineID for the stack This local engineID must be defined so...

Page 316: ...Portal traps Disabled OSPF traps Disabled Table 12 2 SNMP Default Views View Name OID Subtree View Type Default iso Included snmpVacmMIB Excluded usmUser Excluded snmpCommunityTable Excluded DefaultSuper iso Included Table 12 3 SNMP Default Groups Group Name Security Level Read Write Notify DefaultRead No Auth No Priv Default Default DefaultWrite No Auth No Priv Default Default Default DefaultSupe...

Page 317: ... click at the top of the page SNMP Global Parameters Use the Global Parameters page to enable SNMP and Authentication notifications To display the Global Parameters page click System SNMP Global Parameters in the navigation panel Figure 12 1 SNMP Global Parameters NOTE For some features the control to enable or disable traps is available from a configuration page for that feature and not from the ...

Page 318: ...ccessible and which are blocked You can create a view that includes or excludes OIDs corresponding to interfaces To display the View Settings page click System SNMP View Settings in the navigation panel Figure 12 2 SNMP View Settings Adding an SNMP View To add a view 1 Open the View Settings page 2 Click Add The Add View page displays ...

Page 319: ...gure 12 3 Add View 3 Specify a name for the view and a valid SNMP OID string 4 Select the view type 5 Click Apply The SNMP view is added and the device is updated Click Show All to view information about configured SNMP Views ...

Page 320: ... network managers to assign access rights to specific device features or features aspects To display the Access Control Group page click System SNMP Access Control in the navigation panel Figure 12 4 SNMP Access Control Group Adding an SNMP Group To add a group 1 Open the Access Control Configuration page 2 Click Add The Add an Access Control Configuration page displays ...

Page 321: ...ng access control configurations SNMPv3 User Security Model USM Use the User Security Model page to assign system users to SNMP groups and to define the user authentication method To display the User Security Model page click System SNMP User Security Model in the navigation panel NOTE You can also use the Local User Database page under Management Security to configure SNMPv3 settings for users Fo...

Page 322: ...2 Configuring SNMP Figure 12 6 SNMPv3 User Security Model Adding Local SNMPv3 Users to a USM To add local users 1 Open the User Security Model page 2 Click Add Local User The Add Local User page displays ...

Page 323: ... update the switch Click Show All to view the User Security Model Table which contains information about configured Local and Remote Users Adding Remote SNMPv3 Users to a USM To add remote users 1 Open the SNMPv3 User Security Model page 2 Click Add Remote User The Add Remote User page displays ...

Page 324: ... contains information about configured Local and Remote Users Communities Access rights for SNMPv1 and SNMPv2 are managed by defining communities Communities page When the community names are changed access rights are also changed SNMP Communities are defined only for SNMP v1 and SNMP v2 To display the Communities page click System SNMP Communities in the navigation panel ...

Page 325: ...Configuring SNMP 325 Figure 12 9 SNMP Communities Adding SNMP Communities To add a community 1 Open the Communities page 2 Click Add The Add SNMPv1 2 Community page displays ...

Page 326: ...f an SNMP management station and the community string to act as a password that will authenticate the management station to the SNMP agent on the switch 4 Select the access mode 5 Click Apply to update the switch Click Show All to view the communities that have already been configured ...

Page 327: ...or a feature aspect The Notification Filter page also allows you to filter notifications To display the Notification Filter page click System SNMP Notification Filters in the navigation panel Figure 12 11 SNMP Notification Filter Adding a Notification Filter To add a filter 1 Open the Notification Filter page 2 Click Add The Add Filter page displays ...

Page 328: ...n about the filters that have already been configured Notification Recipients Use the Notification Recipients page to view information for defining filters that determine whether traps are sent to specific users and the trap type sent SNMP notification filters provide the following services Identifying Management Trap Targets Trap Filtering Selecting Trap Generation Parameters Providing Access Con...

Page 329: ...Configuring SNMP 329 Figure 12 13 SNMP Notification Recipient Adding a Notification Recipient To add a recipient 1 Open the Notification Recipient page 2 Click Add The Add Recipient page displays ...

Page 330: ... notifications 4 Select whether to send traps or informs to the specified recipient 5 Define the relevant fields for the SNMP version you use 6 Configure information about the port on the recipient 7 Click Apply to update the switch Click Show All to view information about the recipients that have already been configured ...

Page 331: ...disable When the condition identified by an active trap is encountered by the switch a trap message is sent to any enabled SNMP Trap Receivers and a message is written to the trap log To access the Trap Flags page click Statistics RMON Trap Manager Trap Flags in the navigation panel Figure 12 15 Trap Flags ...

Page 332: ...disable When the condition identified by an active trap is encountered by the switch a trap message is sent to any enabled SNMP Trap Receivers and a message is written to the trap log To access the OSPFv2 Trap Flags page click Statistics RMON Trap Manager OSPFv2 Trap Flags in the navigation panel Figure 12 16 OSPFv2 Trap Flags ...

Page 333: ...disable When the condition identified by an active trap is encountered by the switch a trap message is sent to any enabled SNMP Trap Receivers and a message is written to the trap log To access the OSPFv3 Trap Flags page click Statistics RMON Trap Manager OSPFv3 Trap Flags in the navigation panel Figure 12 17 OSPFv3 Trap Flags ...

Page 334: ...og page is used to view entries that have been written to the trap log To access the Trap Log page click Statistics RMON Trap Manager Trap Log in the navigation panel Figure 12 18 Trap Logs Click Clear to delete all entries from the trap log ...

Page 335: ...main Changing the value of SNMP EngineID has important side effects A user s password entered on the command line is converted to an MD5 or SHA security digest This digest is based on both the password and the local engine ID The command line password is then destroyed as required by RFC 2274 Because of this deletion if the local value of engineID changes the security digests of SNMPv3 users will ...

Page 336: ...When you configure groups users and communities you can specify a view to associate with the group user or community view name Specifies the name of the view Range 1 30 characters oid tree Specifies the object identifier of the ASN 1 subtree to be included or excluded from the view To identify the subtree specify a text string consisting of numbers such as 1 3 6 2 4 or a word such as system Replac...

Page 337: ...MP Version 2 security model v3 Indicates the SNMP Version 3 security model noauth Indicates no authentication of a packet Applicable only to the SNMP Version 3 security model auth Indicates authentication of a packet without encrypting it Applicable only to the SNMP Version 3 security model priv Indicates authentication of a packet with encryption Applicable only to the SNMP Version 3 security mod...

Page 338: ...to informs Range 5 32 characters auth md5 The HMAC MD5 96 authentication level auth sha The HMAC SHA 96 authentication level password A password Range 1 to 32 characters auth md5 key The HMAC MD5 96 authentication level Enter a pregenerated MD5 key auth sha key The HMAC SHA 96 authentication level Enter a pregenerated SHA key md5 key Character string length 32 hex characters sha key Character stri...

Page 339: ...me ipaddress ip_address Configure the community string and specify access criteria for the community community string Acts as a password and is used to authenticate the SNMP management station to the switch The string must also be defined on the NMS in order for the NMS to access the SNMP agent on the switch Range 1 20 characters ro Indicates read only access rw Indicates read write access view na...

Page 340: ...Community string that acts like a password and permits access to the SNMP protocol Range 1 20 characters group name Name of a previously defined group The group defines the objects available to the community Range 1 30 characters ip address Management station IP address Default is all IP addresses exit Exit to Privileged EXEC mode show snmp View SNMP settings and verify the configuration Command P...

Page 341: ...se the CLI command help or see the CLI Command Reference snmp server filter filter name oid tree included excluded Configure a filter for SNMP traps and informs based on OIDs Each OID is linked to a device feature or a feature aspect filter name Specifies the label for the filter record that is being updated or created The name is used to reference the record Range 1 30 characters oid tree Specifi...

Page 342: ...re resending informs The default is 15 seconds Range 1 300 characters retries Maximum number of times to resend an inform request The default is 3 attempts traps Indicates that SNMP traps are sent to this host version 1 Indicates that SNMPv1 traps will be used version 2 Indicates that SNMPv2 traps will be used community string Specifies a password like community string sent with the notification o...

Page 343: ...t without authentication auth Specifies authentication of a packet without encrypting it priv Specifies authentication and encryption of a packet seconds Number of seconds to wait for an acknowledgment before resending informs This is not allowed for hosts configured to send traps The default is 15 seconds Range 1 300 seconds retries Maximum number of times to resend an inform request This is not ...

Page 344: ... features that produce traps The traps are sent to the host with an IP address of 192 168 3 65 using the community string public To configure the switch 1 Configure the public community string console configure console config snmp server community public ro 2 Configure the private community string console config snmp server community private rw 3 Enable all traps and specify the IP address of the ...

Page 345: ...supplying the appropriate authentication credentials secretkey To configure the switch 1 Configure the view view_snmpv3 and specify the objects to include console configure console config snmp server view view_snmpv3 internet included 2 Create the group group_snmpv3 and allow read write access to the view configured in the previous step console config snmp server group group_snmpv3 v3 auth read vi...

Page 346: ...itch The output includes the SNMPv1 2 configuration in the previous example console show snmp Community String Community Access View Name IP Address private Read Write Default All public Read Only Default All Traps are enabled Authentication trap is enabled Version 1 2 notifications Version 3 notifications System Contact System Location Community String Group Name IP Address private DefaultWrite A...

Page 347: ... Read Views Write Notify DefaultRead V1 NoAuth NoPriv Default Default DefaultRead V2 NoAuth NoPriv Default Default DefaultSuper V1 NoAuth NoPriv DefaultSu per Default Super Default Super DefaultSuper V2 NoAuth NoPriv DefaultSu per Default Super Default Super DefaultWrite V1 NoAuth NoPriv Default Default Default DefaultWrite V2 NoAuth NoPriv Default Default Default group_snmpv3 V3 Auth NoPriv view_...

Page 348: ...348 Configuring SNMP ...

Page 349: ...s the files that you can manage The table also lists the type of action you can take on the file which is one or more of the following Download the file to the switch from a remote system or USB flash drive Upload the file from the switch to a remote system or USB flash drive Copy the file from one location on the file system to another location NOTE For information about the Auto Configuration fe...

Page 350: ...ile with CLI commands When you activate a script on the switch the commands are executed and added to the running config Log files Upload Provides various information about events that occur on the switch For more information see Monitoring and Logging System Information SSH key files Download Contains information to authenticate SSH sessions The switch supports the following files for SSH SSH 1 R...

Page 351: ...ation The switch can maintain three separate configuration files startup config running config and backup config The switch loads the startup config file when the switch boots Any configuration SSL certificate files Download Contains information to encrypt authenticate and validate HTTPS sessions The switch supports the following files for SSL SSL Trusted Root Certificate File PEM Encoded SSL Serv...

Page 352: ...n file from the switch to a remote server for the following reasons To create a backup copy To use the configuration file on another switch To manually edit the file You might download a configuration file from a remote server to the switch for the following reasons To restore a previous configuration To load the configuration copied from another switch To load the same configuration file on multi...

Page 353: ...system You can use the ping command from the CLI to verify that a route exists between the switch and the remote system If you are downloading a file from the remote system to the switch be sure to provide the correct path to the file and the correct file name Managing Images When you download a new image to the switch it overwrites the backup image if it exists To use the new image you must activ...

Page 354: ...our of ten commands and the script fails the script stops at four and the final six commands are not executed Scripts cannot be modified or deleted while being applied Validation of scripts checks for syntax errors only It does not validate that the script will run The file extension must be scr A maximum of seven scripts are allowed on the switch The combined size of all script files on the switc...

Page 355: ... SNMP to upload a configuration file to a TFTP server the agentTransferUploadFileName object must be set to the local filename which is either startup config or backup config How Is the Running Configuration Saved Changes you make to the switch configuration while the switch is operating are written to the running config These changes are not automatically written to the startup config When you re...

Page 356: ...mages and files on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page File System Use the File System page to view a list of the files on the device and to modify the image file descriptions To display the File System page click System File Management File System in the navigation panel Figure 13 1 File System ...

Page 357: ...to set the firmware image to use when the switch boots If you change the boot image it does not become the active image until you reset the switch To display the Active Images page click System File Management Active Images in the navigation panel Figure 13 2 Active Images ...

Page 358: ... on the front panel of the switch The page also displays information about the files stored on the USB flash drive To safely remove the USB flash drive from the USB port click Unmount USB before removing the drive To display the USB Flash Drive page click System File Management USB Flash Drive in the navigation panel Figure 13 3 USB Flash Drive ...

Page 359: ...configuration ASCII files from a remote server to the switch To display the File Download page click System File Management File Download in the navigation panel Figure 13 4 File Download Downloading Files To download a file to the switch 1 Open the File Download page 2 Select the type of file to download to the switch 3 Select the transfer mode ...

Page 360: ... of the server that contains the file to download the name of the file and the path on the server where it is located For SFTP and SCP provide the user name and password 6 Click Apply to begin the download Figure 13 5 File Download in Progress 7 The file is downloaded to the switch NOTE If you are using HTTPS to manage the switch the download method will be HTTPS NOTE After you start a file downlo...

Page 361: ...click System File Management File Upload in the navigation panel Figure 13 6 File Upload Uploading Files To upload a file from the switch to a remote system 1 Open the File Upload page 2 Select the type of file to download to the remote server 3 Select the transfer mode If you select a transfer mode that requires authentication additional fields appear in the Upload section If you select HTTP as t...

Page 362: ...for the file For SFTP and SCP provide the user name and password 6 Click Apply to begin the upload 7 The file is uploaded to the specified location on the remote server NOTE If you are using HTTPS to manage the switch the download method will be HTTPS NOTE For some file uploads and methods the page refreshes and a transfer status field appears to indicate the number of bytes transferred The Web in...

Page 363: ...or all members of a stack Copy the running startup or backup configuration file to the startup or backup configuration file Restore the running configuration to the factory default settings To display the Copy Files page click System File Management Copy Files in the navigation panel Figure 13 8 Copy Files ...

Page 364: ... Upload download and copy functions use the copy command The basic syntax for the command is copy source destination This section shows several different ways to use the copy command Command Purpose copy tftp ip address hostname path file name image Use TFTP to download the firmware image at the specified source to the non active image If the image file is in the TFTP file system root download pat...

Page 365: ... inserted in the USB port on the front panel before executing the command rename current_name new_name Rename a file in flash delete filename Remove the specified file erase startup config backup image backup config Erase the startup configuration the backup configuration or the backup image copy startup config backup config Save the startup configuration to the backup configuration file copy runn...

Page 366: ...ash device details dir usb Display USB device contents and memory statistics copy usb filename backup config image running config script filename startup config filename Copy the specified file from the USB flash device to the specified file in internal flash unmount usb Make the USB flash device inactive Command Purpose copy file scp user ip address hostname path file name Adds a description to a...

Page 367: ...script dest name Downloads the specified script from the remote server to the switch Password entry After you enter the copy command the CLI prompts you for the password associated with the username script validate script name Checks the specified script for syntax errors The script is automatically validated when you download it to the switch You can validate again with this command script list V...

Page 368: ...repare the download and then download and upgrade the switch image 1 Check the connectivity between the switch and the TFTP server console ping 10 27 65 103 Pinging 10 27 65 103 with 0 bytes of data Reply From 10 27 65 103 icmp_seq 0 time 10 msec Reply From 10 27 65 103 icmp_seq 1 time 10 msec Reply From 10 27 65 103 icmp_seq 2 time 10 msec Reply From 10 27 65 103 icmp_seq 3 time 10 msec 10 27 65 ...

Page 369: ...sh 4 Download the image to the switch After you execute the copy command you must verify that you want to start the download console copy tftp 10 27 65 103 images dell_0308 stk image Mode TFTP Set TFTP Server IP 10 27 65 103 TFTP Path images TFTP Filename dell_0308 stk Data Type Code Destination Filename image unit image1 image2 current active next active 1 2 23 11 17 image1 image1 ...

Page 370: ...e1 image2 Images currently available on Flash 7 Copy the running configuration to the startup configuration to save the current configuration to NVRAM console copy running config startup config This operation may take a few minutes Management interfaces will not be available during this time Are you sure you want to save y n y Configuration Saved 8 Reset the switch to boot the system with the new ...

Page 371: ...ter and type the commands as if you were entering them by using the CLI Figure 13 10 Create Config Script 2 Save the file with an scr extension and copy it to the appropriate directory on your TFTP server 3 Download the file from the TFTP server to the switch console copy tftp 10 27 65 103 labhost scr script labhost scr Mode TFTP Set TFTP Server IP 10 27 65 103 TFTP Path TFTP Filename labhost scr ...

Page 372: ...ing configuration script configure exit configure ip host labpc1 192 168 3 56 ip host labpc2 192 168 3 58 ip host labpc3 192 168 3 59 Configuration script validated File transfer operation completed successfully 5 Run the script to execute the commands console script apply labhost scr Are you sure you want to apply the configuration script y n y configure exit configure ip host labpc1 192 168 3 56...

Page 373: ...t to a USB flash drive After the backups are performed the administrator downloads a new image from the USB flash drive to the switch to prepare for the upgrade This example assumes the new image is named new_img stk and has already been copied from an administrative host onto the USB flash drive To configure the switch 1 Insert the USB flash drive into the USB port on the front panel of the switc...

Page 374: ...from the USB flash drive to the switch The image overwrites the image that is not currently active console copy usb new_image stk image Mode unknown Data Type Code Management access will be blocked for the duration of the transfer Are you sure you want to start y n y 5 To activate the new image after it has been successfully downloaded to the switch follow the procedures described in Upgrading the...

Page 375: ...ized and no configuration file startup config is found or when the switch boots and loads a saved configuration that has Auto Configuration enabled Auto Configuration is enabled by default The Auto Configuration feature includes two components USB Auto Configuration DHCP Auto Install If no configuration file is found and the Auto Configuration feature is enabled the Auto Configuration process begi...

Page 376: ...USB Auto Configuration Use The USB Auto Configuration feature uses the following file types setup file for initial switch configuration text file for configuration information stk file for software image installation The Auto Configuration file searches the USB device for a file with a setup extension If only one setup file is present the switch uses the file When multiple setup files are present ...

Page 377: ...be handed out without regard to the specific switch identified by the MAC address A switch will mark a line as invalid if it is read and failed to properly parse if for example it contains an invalid configuration a duplicate IP address or an image file name that is not available If the setup file contains IP addresses but no file names the management IP address will be assigned and then the featu...

Page 378: ...the switch The configuration file specified in the setup file should exist on the USB device For information about the format and contents of the text file see Editing and Downloading Configuration Files Image File If the Auto Configuration process includes a switch image upgrade the name of the image file should be included in the setup file The specified image file should exist on the USB device...

Page 379: ...nd all other switch upgrades can take place as if for the first time What Is the DHCP Auto Configuration Process If the USB Auto Configuration fails or is not used the switch can use a DHCP server to obtain configuration information from a TFTP server DHCP Auto Configuration is accomplished in three phases 1 Assignment or configuration of an IP address for the switch 2 Assignment of a TFTP server ...

Page 380: ...d in the DHCP header When a DHCP OFFER identifies the TFTP server more than once the DHCP client selects one of the options in the following order sname option 66 option 150 siaddr If the TFTP server is identified by hostname a DNS server is required to translate the name to an IP address The DHCP client on the switch also processes the name of the text file option 125 the V I vendor specific Info...

Page 381: ... client makes three unicast requests If the unicast attempts fail or if the DHCP OFFER did not specify a TFTP server address the TFTP client makes three broadcast requests If the DHCP server does not specify a configuration file or download of the configuration file fails the Auto Configuration process attempts to download a configuration file with the name dell net cfg The switch unicasts or broa...

Page 382: ... file named hostname cfg where hostname is the first thirty two characters of the switch s hostname If the switch is unable to map its IP address to a hostname Auto Configuration sends TFTP requests for the default configuration file host cfg Table 14 1 summarizes the config files that may be downloaded and the order in which they are sought Table 14 1 Configuration File Possibilities Order Sought...

Page 383: ...owever AutoSave is disabled by default If AutoSave has not been enabled you must explicitly save the downloaded configuration in non volatile memory This makes the configuration available for the next reboot In the CLI this is performed by issuing a write command or copy running config startup config command and should be done after validating the contents of saved configuration Table 14 2 TFTP Re...

Page 384: ... not automatically deleted after it is downloaded The file does not take effect upon a reboot unless you explicitly save the configuration the saved configuration takes effect upon reboot If you do not save the configuration downloaded by the Auto Configuration feature the Auto Configuration process occurs again on a subsequent reboot This may result in one of the previously downloaded files being...

Page 385: ...ration is found the Auto Configuration automatically begins Retry Count 3 When the DHCP or BootP server returns information about the TFTP server and bootfile the switch makes three unicast TFTP requests for the specified bootfile If the unicast attempts fail or if a TFTP server address was not provided the switch makes three broadcast requests to any available TFTP server for the specified bootfi...

Page 386: ...click at the top of the page Auto Install Configuration Use the Auto Install Configuration page to allow the switch to obtain network information such as the IP address and subnet mask and automatically download a host specific or network configuration file during the boot process if no startup config file is found To display the Auto Configuration page click System General Auto Install Configurat...

Page 387: ...ile Command Purpose configure Enter Global Configuration mode boot autoinstall start Enable the Auto Configuration feature on the switch boot host dhcp Enable Auto Configuration for the next reboot cycle The command does not change the current behavior of Auto Configuration but it does save the command to NVRAM boot host autosave Allow the switch to automatically save the configuration file downlo...

Page 388: ...describes how to deploy three switches and automatically install a custom configuration file on the switch and upgrade each switch with the latest software image by using the USB Auto Configuration feature The switches have the following MAC addresses Switch A 001E C9AA AC17 Switch B 001E C9AA AC20 Switch C 001E C9AA AC33 To configure each switch with a static IP address you can include the IP add...

Page 389: ...The configuration in switchA txt file is downloaded to the switch and the management interface acquires network information After the process completes a message displays to indicate the status The PowerConnect setup file is updated to add the term in use to the end of the line The PC7000vR 5 4 1 stk image is also downloaded to the switch 10 Remove the USB device from Switch A and insert it into S...

Page 390: ...load the host cfg file to the TFTP server 3 Upload the image file to the TFTP server 4 Configure an address pool on the DHCP server that contains the following information a The IP address yiaddr and subnet mask option 1 to be assigned to the interface b The IP address of a default gateway option 3 c DNS server address option 6 d Name of config file for each host e Identification of the TFTP serve...

Page 391: ...ough sFlow and Remote Network Monitoring RMON agents What is sFlow Technology sFlow is an industry standard technology for monitoring high speed switched and routed networks PowerConnect 7000 Series switch software has a built in sFlow agent that can monitor network traffic on each port and generate sFlow data to an sFlow receiver also known as a collector sFlow helps to provide visibility into ne...

Page 392: ...are not aggregated into a flow table on the switch they are forwarded immediately over the network to the sFlow receiver The sFlow system is tolerant to packet loss in the network because statistical modeling means the loss is equivalent to a slight change in the sampling rate sFlow receiver can receive data from multiple switches providing a real time synchronized view of the whole network The re...

Page 393: ...t Flow Records To perform Counter Sampling an sFlow Poller Instance is configured with a Polling Interval Counter Sampling results in the generation of Counter Records sFlow Agents collect Counter Records and Packet Flow Records and send them as sFlow datagrams to sFlow Collectors Packet Flow Sampling Packet Flow Sampling carried out by each sFlow instance ensures that any packet observed at a Dat...

Page 394: ...val Periodically say every second the sFlow Agent examines the list of counter sources and sends any counters that must be sent to meet the sampling interval requirement The set of counters is a fixed set What is RMON Like sFlow RMON is a technology that enables the collection and analysis of a variety of data about network traffic PowerConnect 7000 Series switch software includes an RMON probe al...

Page 395: ... occurs RMON events occur when A threshold alarm is exceeded There is a match on certain filters What is Port Mirroring Port mirroring is used to monitor the network traffic that a port sends and receives The Port Mirroring feature creates a copy of the traffic that the source port handles and sends it to a destination port The source port is the port that is being monitored The destination port i...

Page 396: ...ocation Information about traffic flows can also help troubleshoot problems in the network Default Traffic Monitoring Values The sFlow agent is enabled by default but sampling and polling are disabled on all ports Additionally no sFlow receivers collectors are configured Table 15 1 contains additional default values for the sFlow feature RMON is enabled by default but no RMON alarms events or hist...

Page 397: ...etwork traffic on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page sFlow Agent Summary Use the sFlow Agent Summary page to view information about sFlow MIB and the sFlow Agent IP address To display the Agent Summary page click System sFlow Agent Summary in the navigation panel Figure 15 2 sFlow Agent Summary ...

Page 398: ...ceiver to which the switch sends sFlow datagrams You can configure up to eight sFlow receivers that will receive datagrams To display the Receiver Configuration page click System sFlow Receiver Configuration in the navigation panel Figure 15 3 sFlow Receiver Configuration Click Show All to view information about configured sFlow receivers ...

Page 399: ...ration page to configure the sFlow sampling settings for switch ports To display the Sampler Configuration page click System sFlow Sampler Configuration in the navigation panel Figure 15 4 sFlow Sampler Configuration Click Show All to view information about configured sampler data sources ...

Page 400: ... to configure how often a port should collect counter samples To display the Sampler Configuration page click System sFlow Sampler Configuration in the navigation panel Figure 15 5 sFlow Poll Configuration Click Show All to view information about the ports configured to collect counter samples ...

Page 401: ...istics page to display statistics for both received and transmitted packets The fields for both received and transmitted packets are identical To display the page click Statistics RMON Table Views Interface Statistics in the navigation panel Figure 15 6 Interface Statistics ...

Page 402: ...raffic Etherlike Statistics Use the Etherlike Statistics page to display interface statistics To display the page click Statistics RMON Table Views Etherlike Statistics in the navigation panel Figure 15 7 Etherlike Statistics ...

Page 403: ...h Traffic 403 GVRP Statistics Use the GVRP Statistics page to display switch statistics for GVRP To display the page click Statistics RMON Table Views GVRP Statistics in the navigation panel Figure 15 8 GVRP Statistics ...

Page 404: ...e to display information about EAP packets received on a specific port For more information about EAP see Dot1x Authentication on page 350 To display the EAP Statistics page click Statistics RMON Table Views EAP Statistics in the navigation panel Figure 15 9 EAP Statistics ...

Page 405: ...5 Utilization Summary Use the Utilization Summary page to display interface utilization statistics To display the page click Statistics RMON Table Views Utilization Summary in the navigation panel Figure 15 10 Utilization Summary ...

Page 406: ...mary Use the Counter Summary page to display interface utilization statistics in numeric sums as opposed to percentages To display the page click Statistics RMON Table Views Counter Summary in the navigation panel Figure 15 11 Counter Summary ...

Page 407: ...e the Switchport Statistics page to display statistical summary information about switch traffic address tables and VLANs To display the page click Statistics RMON Table Views Switchport Statistics in the navigation panel Figure 15 12 Switchport Statistics ...

Page 408: ...the RMON Statistics page to display details about switch use such as packet processing statistics and errors that have occurred on the switch To display the page click Statistics RMON RMON Statistics in the navigation panel Figure 15 13 RMON Statistics ...

Page 409: ... physical port or a port channel you can define how many buckets exist and the time interval between each bucket snapshot To display the page click Statistics RMON RMON History Control in the navigation panel Figure 15 14 RMON History Control Adding a History Control Entry To add an entry 1 Open the RMON History Control page 2 Click Add The Add History Entry page displays ...

Page 410: ...ory of statistics 4 Specify an owner the number of historical buckets to keep and the sampling interval 5 Click Apply to add the entry to the RMON History Control Table To view configured history entries click the Show All tab The RMON History Control Table displays From this page you can remove configured history entries ...

Page 411: ...age to display interface specific statistical network samplings Each table entry represents all counter values compiled during a single sample To display the RMON History Table page click Statistics RMON RMON History Table in the navigation panel Figure 15 16 RMON History Table ...

Page 412: ...hold is crossed for a particular RMON counter The event information can be stored in a log and or sent as a trap to a trap receiver To display the page click Statistics RMON RMON Event Control in the navigation panel Figure 15 17 RMON Event Control Adding an RMON Event To add an event 1 Open the RMON Event Control page 2 Click Add The Add an Event Entry page displays ...

Page 413: ...ick Apply The event is added to the RMON Event Table and the device is updated Viewing Modifying or Removing an RMON Event To manage an event 1 Open the RMON Event Control page 2 Click Show All to display the Event Control Table page 3 To edit an entry a Select the Edit check box in for the event entry to change b Modify the fields on the page as needed 4 To remove an entry select the Remove check...

Page 414: ...itoring Switch Traffic RMON Event Log Use the RMON Event Log page to display a list of RMON events To display the page click Statistics RMON RMON Events Log in the navigation panel Figure 15 19 RMON Event Log ...

Page 415: ...esholds are crossed for the configured RMON counters The alarm triggers an event to occur The events can be configured as part of the RMON Events group For more information about events see RMON Event Log on page 414 To display the page click Statistics RMON RMON Alarms in the navigation panel Figure 15 20 RMON Alarms ...

Page 416: ...Figure 15 21 Add an Alarm Entry 3 Complete the fields on this page as needed Use the help menu to learn more information about the data required for each field 4 Click Apply The RMON alarm is added and the device is updated To view configured alarm entries click the Show All tab The Alarms Table displays From this page you can remove configured alarms ...

Page 417: ... to chart port related statistics on a graph To display the page click Statistics RMON Charts Port Statistics in the navigation panel Figure 15 22 Ports Statistics To chart port statistics select the type of statistics to chart and if desired the refresh rate then click Draw ...

Page 418: ...ge to chart LAG related statistics on a graph To display the page click Statistics RMON Charts LAG Statistics in the navigation panel Figure 15 23 LAG Statistics To chart LAG statistics select the type of statistics to chart and if desired the refresh rate then click Draw ...

Page 419: ...s is mirrored to a destination port To display the Port Mirroring page click Switching Ports Traffic Mirroring Port Mirroring in the navigation panel Figure 15 24 Port Mirroring Configuring a Port Mirror Session To configure port mirroring 1 Open the Port Mirroring page 2 Click Add The Add Source Port page displays 3 Select the port to be mirrored 4 Select the traffic to be mirrored ...

Page 420: ...ck Apply 6 Repeat the previous steps to add additional source ports 7 Click Port Mirroring to return to the Port Mirroring page 8 Enable the administrative mode and specify the destination port Figure 15 26 Configure Additional Port Mirroring Settings 9 Click Apply ...

Page 421: ...ure the address of the sFlow receiver and optionally the destination UDP port for sFlow datagrams rcvr_index The index of this sFlow receiver Range 1 8 ip address The sFlow receiver IP address port The destination Layer 4 UDP port for sFlow datagrams Range 1 65535 sflow rcvr_index destination owner owner_string timeout timeout Specify the identity string of the receiver and set the receiver timeou...

Page 422: ...interface type can be Gigabitethernet gi or Tengigabitethernet te for example gi1 0 3 5 enables polling on ports 3 4 and 5 sampling rate The statistical sampling rate for packet sampling from this source A sampling rate of 1 counts all packets A value of n means that out of n incoming packets 1 packet will be sampled Range 1024 65536 size The maximum number of bytes that should be copied from the ...

Page 423: ...specified receiver show sflow index sampling View information about the configured sFlow sampler instances for the specified receiver Command Purpose configure Enter Global Configuration mode rmon event number log trap community description string owner string Configure an RMON event number The event index Range 1 65535 log Specify that an entry is made in the log table for each event trap communi...

Page 424: ... is used when a rising or falling threshold is crossed Range 1 65535 delta The sampling method for the selected variable and calculating the value to be compared against the thresholds If the method is delta the selected variable value at the last sample is subtracted from the current value and the difference compared with the thresholds absolute The sampling method for the selected variable and c...

Page 425: ...ckets specified for the RMON collection history group of statistics If unspecified defaults to 50 Range 1 65535 seconds The number of seconds in each polling cycle If unspecified defaults to 1800 Range 1 3600 CTRL Z Exit to Privileged EXEC mode show rmon alarms collection history events history log statistics View information collected by the RMON probe Command Purpose show interfaces counters if_...

Page 426: ...oring session ID which is always 1 interface The Ethernet interface to be monitored rx tx Monitor ingress rx or egress tx traffic If you not specify both ingress and egress traffic is monitored monitor session session_number destination interface interface Configure a destination probe port for a monitor session session_number The monitoring session ID which is always 1 interface The Ethernet inte...

Page 427: ...ch 1 Configure information about the sFlow receiver console configure console config sflow 1 destination 192 168 30 34 console config sflow 1 destination owner receiver1 timeout 100000 2 Configure the polling and sampling information for gigabit Ethernet ports 10 20 console config sflow 1 polling gi1 0 10 15 60 console config sflow 1 sampling gi1 0 10 15 8192 3 Configure the polling and sampling i...

Page 428: ...ndex Interval gi1 0 10 1 60 gi1 0 11 1 60 gi1 0 12 1 60 gi1 0 13 1 60 gi1 0 14 1 60 gi1 0 15 1 60 gi1 0 23 1 60 console show sflow 1 sampling Sampler Receiver Packet Max Header Data Source Index Sampling Rate Size gi1 0 10 1 8192 128 gi1 0 11 1 8192 128 gi1 0 12 1 8192 128 gi1 0 13 1 8192 128 gi1 0 14 1 8192 128 gi1 0 15 1 8192 128 gi1 0 23 1 8192 128 ...

Page 429: ...compare the MIB counter to the configured rising and falling thresholds If the rise is equal to or greater than 20 event 1 goes into effect To configure the switch 1 Create the event The trap is sent to the private SNMP community console configure console config rmon event 1 description emergency event log trap private 2 Create the alarm console config rmon alarm 1 1 3 6 1 2 1 2 2 1 14 1 30 delta ...

Page 430: ...430 Monitoring Switch Traffic ...

Page 431: ...Optimization CLI iSCSI Optimization Configuration Examples iSCSI Optimization Overview iSCSI optimization provides a means of giving special Quality of Service QoS treatment to iSCSI traffic on the switch This is accomplished by monitoring or snooping traffic to detect packets used by iSCSI stations to establish iSCSI sessions and connections Data from these exchanges is used to create classificat...

Page 432: ...0 to contact targets When iSCSI optimization is enabled by default the switch identifies IP packets to or from these ports as iSCSI session traffic You can configure the switch to monitor traffic for additional port numbers or port number target IP address combinations and you can remove the well known port numbers from monitoring You can also associate a target name with a configured target TCP p...

Page 433: ...et s IQN Initiator s TCP Port Target s TCP Port If no iSCSI traffic is detected for a session for a configurable aging period the session data is cleared How Does iSCSI Optimization Interact With Dell EqualLogic Arrays The iSCSI feature includes auto provisioning support with the ability to detect Dell EqualLogic SAN storage arrays on the network and automatically reconfigure the switch to enhance...

Page 434: ...ch the following actions occur The MTU on all ports and port channels is set to 9216 jumbo frames are enabled Flow control is globally enabled if it is not already enabled iSCSI LLDP monitoring starts to automatically detect Dell EqualLogic arrays If the iSCSI feature is disabled on the switch iSCSI resources are released and the detection of Dell EqualLogic arrays by using LLDP is disabled Disabl...

Page 435: ...tag iSCSI flows are assigned by default the highest 802 1p VLAN priority tag mapped to the highest queue not used for stack management or the voice VLAN DSCP When DSCP is selected as the classification iSCSI flows are assigned by default the highest DSCP tag mapped to the highest queue not used for stack management or the voice VLAN Remark Non configured iSCSI Session Aging Time 10 minutes iSCSI O...

Page 436: ... For details about the fields on a page click at the top of the page iSCSI Global Configuration Use the Global Configuration page to allow the switch to snoop for iSCSI sessions connections and to configure QoS treatment for packets where the iSCSI protocol is detected To access the iSCSI Global Configuration page click System iSCSI Global Configuration in the navigation panel Figure 16 1 iSCSI Gl...

Page 437: ...figure iSCSI targets on the switch To access the Targets Table page click System iSCSI Targets in the navigation panel Figure 16 2 iSCSI Targets Table To add an iSCSI Target click Add at the top of the page and configure the relevant information about the iSCSI target Figure 16 3 Add iSCSI Targets ...

Page 438: ...iSCSI sessions that the switch has discovered An iSCSI session occurs when an iSCSI initiator and iSCSI target communicate over one or more TCP connections The maximum number of iSCSI sessions is 192 To access the Sessions Table page click System iSCSI Sessions Table in the navigation panel Figure 16 4 iSCSI Sessions Table ...

Page 439: ...tailed Use the Sessions Detailed page to view detailed information about an iSCSI sessions that the switch has discovered To access the Sessions Detailed page click System iSCSI Sessions Detailed in the navigation panel Figure 16 5 iSCSI Sessions Detail ...

Page 440: ... address of the iSCSI target When the no form of this command is used and the tcp port to be deleted is one bound to a specific IP address the address field must be present targetname iSCSI name of the iSCSI target The name can be statically configured however it can be obtained from iSNS or from sendTargets response The initiator must present both its iSCSI Initiator Name and the iSCSI Target Nam...

Page 441: ...zation 441 iscsi aging time time Set aging time range 1 43 200 seconds for iSCSI sessions exit Exit to Privilege Exec mode show iscsi Display iSCSI settings show iscsi sessions Display iSCSI session information Command Purpose ...

Page 442: ... illustrates a stack of three PowerConnect 7000 Series switches connecting two servers iSCSI initiators to a disk array iSCSI targets An iSCSI application running on the management unit the top unit in the diagram has installed priority filters to ensure that iSCSI traffic that is part of these two sessions receives priority treatment when forwarded in hardware Figure 16 6 iSCSI Optimization 10 1 ...

Page 443: ...DSCP priority 45 and the queue that is mapped to it with detected iSCSI session traffic The remark keyword indicates that the switch should add this priority marking on packets as it forwards them console config iscsi cos dscp 45 remark console config exit 3 The default target port and IP address criteria is used to determine which packets are snooped for iSCSI session data ports 860 and 3260 any ...

Page 444: ...444 Configuring iSCSI Optimization ...

Page 445: ...ach room so that guests can connect to the Internet during their stay The hotel might charge for Internet use or the hotel might allow guests to connect only after they indicate that they have read and agree to the acceptable use policy What Does a Captive Portal Do The Captive Portal feature allows you to require a user to enter login information on a custom Web page before gaining access to the ...

Page 446: ... If you require RADIUS authentication you must configure the RADIUS server information on the switch see Configuring RADIUS Server Information on page 219 You must also configure the RADIUS attributes for Captive Portal users on the RADIUS server For information about the RADIUS attributes to configure see Table 17 2 You can configure the switch to send SNMP trap messages to any enabled SNMP Trap ...

Page 447: ...quire authentication consider the number of users that must exist in the user database The local user database supports up to 128 users If you need to support more than 128 authenticated users you must use a remote RADIUS server for authentication You can specify whether the captive portal uses HTTP or HTTPS as the protocol during the user verification process HTTP does not use encryption during v...

Page 448: ... If an unverified client opens a web browser and tries to connect to the network the Captive Portal redirects all the HTTP HTTPS traffic from the unverified clients to the authenticating server on the switch A Captive Portal web page is sent back to the unverified client If the verification mode for the Captive Portal associated with the port is Guest the client can be verified without providing a...

Page 449: ...ugh the captive portal to explicitly deauthenticate from the network When User Logout Mode is disabled or the user does not specifically request logout the connection status will remain authenticated until the Captive Portal deauthenticates the user based on the configured session timeout value In order for the user logout feature to function properly the client browser must have JavaScript enable...

Page 450: ...me in the Username field selects the Acceptance Use Policy check box and clicks Connect to gain network access By default the user does not need to be defined in a database or enter a password to access the network because the default verification mode is Guest Note that duplicate Username entries can exist in this mode because the client IP and MAC addresses are obtained for identification Table ...

Page 451: ...Local Users None configured Interface associations None Interface status Not blocked If the Captive Portal is blocked users cannot gain access to the network through the Captive Portal Use this function to temporarily protect the network during unexpected events such as denial of service attacks Supported Captive Portal users 1024 Supported local users 128 Supported Captive Portals 10 Table 17 1 D...

Page 452: ...ails about the fields on a page click at the top of the page Captive Portal Global Configuration Use the Captive Portal Global Configuration page to control the administrative state of the Captive Portal feature and configure global settings that affect all captive portals configured on the switch To display the Captive Portal Global Configuration page click System Captive Portal Global Configurat...

Page 453: ...ortals The switch supports 10 Captive Portal configurations Captive Portal configuration 1 is created by default and cannot be deleted Each captive portal configuration can have unique guest or group access modes and a customized acceptance use policy that displays when the client connects To display the Captive Portal Configuration page click System Captive Portal Configuration Figure 17 5 Captiv...

Page 454: ...e click Add to create a new Captive Portal instance Figure 17 6 Add Captive Portal Configuration From the Captive Portal Configuration page click Summary to view summary information about the Captive Portal instances configured on the switch Figure 17 7 Captive Portal Summary ...

Page 455: ...inks to the Captive Portal customization appear 2 Click Download Image to download one or more custom images to the switch You can use a downloaded custom image for the branding logo default Dell logo on the Authentication Page and Logout Success page the account image default blue banner with keys on the Authentication Page and the background image default blank on the Logout Success Page Figure ...

Page 456: ...ed is located and select the image 5 Click Apply to download the selected file to the switch 6 To customize the Authentication Page which is the page that a user sees upon attempting to connect to the network click the Authentication Page link Figure 17 9 Captive Portal Authentication Page ...

Page 457: ...rtal Logout Page 10 Customize the look and feel of the Logout Page such as the page title and logout instructions 11 Click Apply to save the settings to the running configuration or click Preview to view what the user will see To return to the default views click Clear 12 Click the Logout Success Page link to configure the page that contains the logout window A user is required to logout only if t...

Page 458: ... password that must first be validated against a local database or RADIUS server Authorized users can gain network access once the switch confirms the user s credentials By default each Captive Portal instance contains the default group The default group can be renamed or a different group can be created and assigned to each Captive Portal instance A Captive Portal instance can be associated to on...

Page 459: ...no users have been added to the switch many of the fields do not display on the screen Figure 17 12 Local User Configuration From the Local User page click Add to add a new user to the local database NOTE Multiple user groups can be selected by holding the CTRL key down while clicking the desired groups ...

Page 460: ...cal User page click Show All to view summary information about the local users configured in the local database Figure 17 14 Captive Portal Local User Summary To delete a configured user from the database select the Remove check box associated with the user and click Apply ...

Page 461: ...te column and are comma delimited vendor ID attribute ID Table 17 2 Captive Portal User RADIUS Attributes Attribute Number Description Range Usage Default User Name 1 User name to be authorized 1 32 characters Required None User Password 2 User password 8 64 characters Required None Session Timeout 27 Logout once session timeout is reached seconds If the attribute is 0 or not present then use the ...

Page 462: ... or RADIUS you assign a User Group to a Captive Portal Configuration All users who belong to the group are permitted to access the network through this portal The User Group list is the same for all Captive Portal configurations on the switch To display the User Group page click System Captive Portal User Group Figure 17 15 User Group ...

Page 463: ...group Figure 17 16 Add User Group From the User Group page click Show All to view summary information about the user groups configured on the switch Figure 17 17 Captive Portal User Group Summary To delete a configured group select the Remove check box associated with the group and click Apply ...

Page 464: ...ortal can have multiple interfaces associated with it but an interface can be associated to only one Captive Portal at a time To display the Interface Association page click System Captive Portal Interface Association Figure 17 18 Captive Portal Interface Association NOTE When you associate an interface with a Captive Portal the interface is disabled in the Interface List Each interface can be ass...

Page 465: ...ains a variety of information about the Captive Portal feature From the Captive Portal Global Status page you can access information about the Captive Portal activity and interfaces To display the Global Status page click System Captive Portal Status Global Status Figure 17 19 Captive Portal Global Status ...

Page 466: ...n you select a captive portal the activation and activity status for that portal displays To display the Activation and Activity Status page click System Captive Portal Status Activation and Activity Status Figure 17 20 Captive Portal Activation and Activity Status NOTE Use the Block and Unblock buttons to control the blocked status If the Captive Portal is blocked users cannot gain access to the ...

Page 467: ...terface Activation Status page shows information for every interface assigned to a captive portal instance To display the Interface Activation Status page click System Captive Portal Interface Status Interface Activation Status Figure 17 21 Interface Activation Status ...

Page 468: ...s status information for various capabilities Specifically this page indicates what services are provided through the Captive Portal to clients connected on this interface The list of services is determined by the interface capabilities To display the Interface Capability Status page click System Captive Portal Interface Status Interface Capability Status Figure 17 22 Interface Capability Status ...

Page 469: ... to disconnect one or more authenticated clients The list of clients is sorted by client MAC address To display the Client Summary page click System Captive Portal Client Connection Status Client Summary Figure 17 23 Client Summary To force the captive portal to disconnect an authenticated client select the Remove check box next to the client MAC address and click Apply To disconnect all clients f...

Page 470: ...l The Client Detail page shows detailed information about each client connected to the network through a captive portal To display the Client Detail page click System Captive Portal Client Connection Status Client Detail Figure 17 24 Client Detail ...

Page 471: ... Status Use the Interface Client Status page to view clients that are authenticated to a specific interface To display the Interface Client Status page click System Captive Portal Client Connection Status Interface Client Status Figure 17 25 Interface Client Status ...

Page 472: ...tatus Use the Client Status page to view clients that are authenticated to a specific Captive Portal configuration To display the Client Status page click System Captive Portal Client Connection Status Client Status Figure 17 26 Captive Portal Client Status ...

Page 473: ...mmand on networks that use an HTTP proxy server port num The port number to monitor Range 1 65535 excluding ports 80 443 and the configured switch management port https port port num Optional Configure an additional HTTPS port for Captive Portal to monitor Use this command on networks that use an HTTPS proxy server port num The port number to monitor Range 1 65535 excluding ports 80 443 and the co...

Page 474: ... The Captive Portal configuration identified by CP ID 1 is the default CP configuration name string Add a name to the Captive Portal instance string CP configuration name Range 1 32 characters protocol http https Specify whether to use HTTP or HTTPs during the Captive Portal user verification process verification guest local radius Specify how to process user credentials the user enters on the ver...

Page 475: ...ntication through the Captive Portal url The URL for redirection Range 1 512 characters group group number For Local and RADIUS verification Configure the group number associated with this Captive Portal configuration By default only the default group exists To assign a different user group to the Captive Portal instance you must first configure the group group number The number of the group to as...

Page 476: ...ance cp id The Captive Portal instance Range 1 10 status View additional information about the Captive Portal instance interface View information about the interface s associated with the specified Captive Portal show captive portal interface configuration cp id status View information about the interfaces associated with the specified Captive Portal instance cp id The Captive Portal instance Rang...

Page 477: ...oup name Range 1 32 characters user user id name name Create a new user for the local user authentication database user id User ID Range 1 128 name user name Range 1 32 characters user user id password password Configure the password for the specified user user id User ID Range 1 128 password User password Range 8 64 characters user user id group group id Associate a group with a Captive Portal us...

Page 478: ...id User ID Range 1 128 clear captive portal users Optional Delete all captive portal user entries from the local database Command Purpose show captive portal configuration cp id client status Display information about the clients authenticated to all Captive Portal configurations or a to specific configuration cp id The Captive Portal instance Range 1 10 show captive portal interface interface cli...

Page 479: ...ecides to configure the three Captive Portals Table 17 3 describes Table 17 3 Captive Portal Instances Captive Portal Name Description Guest Free Internet access is provided in each guest room but guests must enter a name and agree to the acceptable use policy before they can gain access The manager wants guests to be redirected to the resort s home web page upon successful verification No logout ...

Page 480: ...The images you download must be accessible from the switch either on the system you use to manage the switch or on a server that is on the same network as the switch 7 Customize the authentication logout and logout success web pages that a Captive Portal user will see Dell recommends that you use Use Dell OpenManage Administrator to customize the Captive Portal authentication logout and logout suc...

Page 481: ...group 2 name Conference console config CP user group 3 name Employee console config CP exit 3 Configure the Guest Captive Portal console config captive portal console config CP configuration 2 console config CP 2 name Guest console config CP 2 redirect console config CP 2 redirect url http www luxuryresorturl com console config CP 2 interface gi1 0 1 console config CP 2 interface gi1 0 2 console c...

Page 482: ...users to the local database console config CP user 1 name EaglesNest1 console config CP user 1 password Enter password 8 to 64 characters Re enter password console config CP user 1 group 2 Continue entering username and password combinations to populate the local database 8 Add the User Name User Password Session Timeout and Dell Captive Portal Groups attributes for each employee to the database o...

Page 483: ... Cables physically connect ports on devices such as PCs or servers to ports on the switch to provide access to the network The number and type of physical ports available on your PowerConnect 7000 Series switch depends on the model What Physical Port Characteristics Can Be Configured Table 18 1 provides a summary of the physical characteristics that can be configured on the switch ports Table 18 1...

Page 484: ...n the switch and the connected client in one direction at a time half or both directions simultaneously both Maximum frame size Indicates the maximum frame size that can be handled by the port Green Ethernet features Green Ethernet features include Energy detect mode Energy Efficient Ethernet EEE which enables the low power idle mode Flow control This is a global setting that affects all ports For...

Page 485: ...with the up link action essentially creates a backup link for the dependent link and alleviates the need to implement STP to handle the fail over Link Dependency Scenarios The Link Dependency feature supports the scenarios in the following list Port dependent on port If a port loses the link the switch brings up down the link on another port Port dependent on LAG If all ports in a channel group lo...

Page 486: ...ces on page 843 Loopback interfaces For more information see Configuring Routing Interfaces on page 843 The PowerConnect 7000 Series includes two Power over Ethernet PoE Plus models the PowerConnect 7024P and the PowerConnect 7048P For information about configuring PoE plus features for the ports see Managing General System Settings on page 271 Two expansion slots are located on the back of the sw...

Page 487: ...on the top row and even numbered ports are on the bottom row The port numbers increase from left to right For ports on the optional modules the left port is 1 and the right port is 2 For example to enter Interface Configuration mode for Gigabit Ethernet port 10 on a switch that is not part of a stack use the following command console config interface gigabitEthernet 1 0 10 To enter Interface Confi...

Page 488: ...e Green Ethernet feature supports two per port power saving modes Energy detect Mode EEE When the Energy Detect mode is enabled and the port link is down the PHY automatically goes down for short period of time and then wakes up to check link pulses This mode reduces power consumption on the port when no link partner is present EEE enables ports to enter a low power mode to reduce power consumptio...

Page 489: ...ter describes Table 18 2 Default Port Values Feature Description Administrative status All ports are enabled Description None defined Auto negotiation Enabled Speed Autonegotiate Duplex mode Autonegotiate Flow control Enabled Maximum frame size 1518 Energy Detect mode Disabled Low Power Idle mode Disabled Link Dependency None configured ...

Page 490: ...onfiguring and monitoring port characteristics on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page Port Configuration Use the Port Configuration page to define port parameters To display the Port Configuration page click Switching Ports Port Configuration in the navigation panel Figure 18 1 Port Configuration ...

Page 491: ...Ports list select the check box in the Edit column for the port to configure 4 Select the desired settings 5 Click Apply Figure 18 2 Configure Port Settings 6 Select the Copy Parameters From check box and select the port with the settings to apply to other ports 7 In the Ports list select the check box es in the Copy To column that will have the same settings as the port selected in the Copy Param...

Page 492: ...492 Configuring Port Characteristics In the following example Ports 3 4 and 5 will be updated with the settings that are applied to Port 1 Figure 18 3 Copy Port Settings 8 Click Apply ...

Page 493: ...n page click Switching Link Dependency Configuration in the navigation panel Figure 18 4 Link Dependency Configuration Creating a Link Dependency Group To create link dependencies 1 Open the Link Dependency Configuration page 2 In the Group ID field select the ID of the group to configure 3 Specify the link action 4 To add a port to the Member Ports column click the port in the Available Ports col...

Page 494: ...ble Ports column and then click the button to the right of the Available Ports column In the following example Group 1 is configured so that Port 3 is dependent on Port 4 Figure 18 5 Link Dependency Group Configuration 6 Click Apply The Link Dependency settings for the group are modified and the device is updated ...

Page 495: ...lays the groups whether they have been configured or not To display the Link Dependency Summary page click Switching Link Dependency Link Dependency Summary in the navigation panel Figure 18 6 Link Dependency Summary To configure a group click the Modify link associated with the ID of the group to configure Clicking the Modify link takes you to the Link Dependency Configuration page The Group ID i...

Page 496: ...on Use the Green Ethernet Configuration page to enable or disable energy saving modes on each port To display the Green Ethernet Configuration page click System Green Ethernet Green Ethernet Configuration in the navigation panel Figure 18 7 Green Ethernet Configuration ...

Page 497: ...tatistics Use the Green Ethernet Statistics page to view information about per port energy savings To display the Green Ethernet Statistics page click System Green Ethernet Green Ethernet Statistics in the navigation panel Figure 18 8 Green Ethernet Statistics ...

Page 498: ...498 Configuring Port Characteristics To view a summary of energy savings for the switch and all ports click Summary Figure 18 9 Green Ethernet Statistics Summary ...

Page 499: ...een Ethernet LPI History page to view data about the amount of time the switch has spent in low power idle LPI mode To display the Green Ethernet LPI History page click System Green Ethernet Green Ethernet LPI History in the navigation panel Figure 18 10 Green Ethernet LPI History ...

Page 500: ...d for example interface range gigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 description string Add a description to the port The text string can be from1 64 characters shutdown Administratively disable the interface speed 10 100 1000 10000 auto 100 1000 10000 Configure the speed of a given Ethernet interface or allow the interface to automatically detect the speed If you use the ...

Page 501: ...ber ports to the group The interface variable includes the interface type and number for example gigabitethernet 1 0 3 You can also add port channels LAGs as members by using the keyword port channel followed by an ID You can also specify a range of interfaces For example interface gigabitethernet 1 0 8 10 1 0 20 configures interfaces 8 9 10 and 20 depends on interface Specify the port s upon whic...

Page 502: ... for example gigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range gigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 green mode energy detect Enable low power idle mode on the interface green mode eee Enable EEE low power idle mode on the interface exit Exit to global configuration mode green mode eee lpi history...

Page 503: ...d duplex settings for the port console config if Gi1 0 1 speed 100 console config if Gi1 0 1 duplex full console config if Gi1 0 1 exit 3 Enter Interface Configuration mode for ports 10 11 12 20 and 24 console config interface range gigabitEthernet 1 0 10 12 1 0 20 1 0 24 4 Enable jumbo frame support on the interfaces console config if mtu 9216 console config if CTRL Z 5 View summary information a...

Page 504: ...switch 1 Enter the configuration mode for Group 1 console configure console config link dependency group 1 2 Configure the member and dependency information for the group console config linkDep group 1 add gigabitethernet 1 0 3 console config linkDep group 1 depends on gigabitethernet 1 0 4 console config linkDep group 1 exit 3 Enter the configuration mode for Group 2 console config link dependenc...

Page 505: ... in this chapter include Port Based Security Overview Default Port Based Security Values Configuring Port Based Security Web Configuring Port Based Security CLI Port Based Security Configuration Examples Port Based Security Overview Port based security controls access to the network through the switch ports Network access is permitted only to authorized devices clients This chapter describes IEEE ...

Page 506: ...er The network server such as a RADIUS server that performs the authentication on behalf of the authenticator and indicates whether the user is authorized to access system services Figure 19 1 shows the 802 1X network components Figure 19 1 IEEE 802 1X Network As shown in Figure 19 1 the PowerConnect 7000 Series switch is the authenticator and enforces the supplicant a PC that is attached to an 80...

Page 507: ...d automode the 802 1X mode of a port can be MAC based as the following section describes What is MAC Based 802 1X Authentication MAC based authentication allows multiple supplicants connected to the same port to each authenticate individually For example a PC attached to the port might be required to authenticate in order to gain access to the network while a VoIP phone might not need to authentic...

Page 508: ...time for a response Retries resends the EAP Request packet up to three times Considers the client to be 802 1X unaware client if it does not receive an EAP response packet from that client The authenticator sends a request to the authentication server with the MAC address of the client in a hexadecimal format as the username and the MD5 hash of the MAC address as the password The authentication se...

Page 509: ...ng on whether the host authenticates fails the authentication or is a guest The RADIUS server informs the switch of the selected VLAN as part of the authentication Authenticated and Unauthenticated VLANs Hosts that authenticate normally use a VLAN that includes access to network resources Hosts that fail the authentication might be denied access to the network or placed on a quarantine VLAN with l...

Page 510: ...nt that does not support 802 1X is connected to an unauthorized port that is 802 1X enabled the client does not respond to the 802 1X requests from the switch Therefore the port remains in the unauthorized state and the client is not granted access to the network If a guest VLAN is configured for that port then the port is placed in the configured guest VLAN and the port is moved to the authorized...

Page 511: ...switch fails to authenticate a user for any reason for example RADIUS access reject from RADIUS server RADIUS timeout or the client itself is Dot1x unaware the client is authenticated and is undisturbed by the failure condition s The reasons for failure are logged and buffered into the local logging database for tracking purposes Table 19 1 provides a summary of the 802 1X Monitor Mode behavior Ta...

Page 512: ...host after the authentication process has completed Unauth VLAN enabled Port State Permit VLAN Unauth Port State Permit VLAN Unauth RADIUS Timeout Default behavior Port State Deny Port State Permit VLAN Default Unauth VLAN enabled Port State Deny Port State Permit VLAN Unauth EAPOL Timeout Default behavior Port State Deny Port State Permit VLAN Default Guest VLAN enabled Port State Permit VLAN Gue...

Page 513: ...any other addresses beyond that limit are not learned and the frames are discarded Frames with a source MAC address that has already been learned will be forwarded The purpose of this feature which is also known as port MAC locking is to help secure the network by preventing unknown devices from forwarding packets into the network For example to ensure that only a single device can be active on a ...

Page 514: ...led Port state automode Periodic reauthentication Disabled Seconds between reauthentication attempts 3600 Authentication server timeout 30 seconds Resending EAP identity Request 30 seconds Quiet period 60 seconds Supplicant timeout 30 seconds Max EAP request 2 times Guest VLAN Disabled Unauthenticated VLAN Disabled Dynamic VLAN creation Disabled RADIUS assigned VLANs Disabled IAS users none config...

Page 515: ... on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page Dot1x Authentication Use the Dot1x Authentication page to configure the 802 1X administrative mode on the switch and to configure general 802 1X parameters for a port To display the Dot1x Authentication page click Switching Network Security Dot1x Authentication Authentication in the navigation...

Page 516: ... in the Edit column for the port to configure 4 Select the desired settings to change for all ports that are selected for editing Figure 19 3 Configure Dot1x Settings 5 Click Apply Re Authenticating One Port To reauthenticate a port 1 Open the Dot1x Authentication page 2 Click Show All The Dot1x Authentication Table displays 3 Check Edit to select the Unit Port to re authenticate 4 Check Reauthent...

Page 517: ...ports to be re authenticated 6 Click Apply Specified ports are re authenticated either immediately or periodically and the device is updated Changing Administrative Port Control To change the administrative port control 1 Open the Dot1x Authentication page 2 Click Show All The Dot1x Authentication Table displays 3 Scroll to the right side of the table and select the Edit check box for each port to...

Page 518: ...Port Access Control Configuration Use the Port Access Control Configuration page to globally enable or disable RADIUS assigned VLANs and to enable Monitor Mode to help troubleshoot 802 1X configuration issues To display the Port Access Control Configuration page click Switching Network Security Dot1x Authentication Monitor Mode Port Access Control Configuration in the navigation panel NOTE The VLA...

Page 519: ...ut 802 1X client authentication attempts The information on this page can help you troubleshoot 802 1X configuration issues To display the Port Access Control History Log Summary page click Port Access Control Configuration page click Switching Network Security Dot1x Authentication Monitor Mode Port Access Control History Log Summary in the navigation panel Figure 19 6 Port Access Control History ...

Page 520: ...Security page click Switching Network Security Port Security in the navigation panel Figure 19 7 Network Security Port Security Configuring Port Security Settings on Multiple Ports To configure port security on multiple ports 1 Open the Port Security page 2 Click Show All to display the Port Security Table page 3 In the Ports list select the check box in the Edit column for the port to configure 4...

Page 521: ...Configuring 802 1X and Port Based Security 521 Figure 19 8 Configure Port Security Settings 5 Click Apply ...

Page 522: ...ement Security Internal Authentication Server Users Configuration in the navigation panel Figure 19 9 Internal Authentication Server Users Configuration Adding Users to the IAS Database To add IAS users 1 Open the Internal Authentication Server Users Configuration page 2 Click Add to display the Internal Authentication Server Users Add page 3 Specify a username and password in the appropriate fiel...

Page 523: ...l Authentication Server Users Table page click Show All Removing an IAS User To delete an IAS user 1 Open the Internal Authentication Server Users Configuration page 2 From the User menu select the user to remove select the user to remove 3 Select the Remove check box Figure 19 11 Removing an IAS User 4 Click Apply ...

Page 524: ...ommand Purpose configure Enter Global Configuration mode aaa authentication dot1x default method1 Specify the authentication method to use to authenticate 802 1X clients that connect to the switch method1 The method keyword can be radius none or ias dot1x system auth control Globally enable 802 1X authentication on the switch interface interface Enter interface configuration mode for the specified...

Page 525: ...ation of the client force unauthorized Denies all access through this interface by forcing the port to transition to the unauthorized state ignoring all attempts by the client to authenticate The switch cannot provide authentication services to the client through the interface mac based Enables 802 1X authentication on the interface and allows multiple hosts to authenticate on a single port The ho...

Page 526: ...or the specified interface The interface variable includes the interface type and number for example gigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range gigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 dot1x reauthentication Enable periodic re authentication of the client dot1x timeout re authperiod seconds Se...

Page 527: ... on the port when MAC based 802 1X authentication is enabled on the port CTRL Z Exit to Privileged EXEC mode dot1x re authenticate interface Manually initiate the re authentication of all 802 1X enabled ports or on the specified 802 1X enabled port The interface variable includes the interface type and number dot1x initialize interface Start the initialization sequence on all ports or on the speci...

Page 528: ...t on the switch allow the switch to dynamically create the assigned VLAN interface interface Enter interface configuration mode for the specified interface The interface variable includes the interface type and number for example gigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range gigabitethernet 1 0 8 12 configures interfac...

Page 529: ...9 10 11 and 12 port security discard trap seconds Enable port security on the port This prevents the switch from learning new addresses on this port after the maximum number of addresses has been learned discard Discards frames with unlearned source addresses This is the default if no option is indicated trap seconds Sends SNMP traps and defines the minimal amount of time in seconds between two co...

Page 530: ... 1X authentication Command Purpose configure Enter Global Configuration mode aaa ias user username user Add a user to the IAS user database This command also changes the mode to the AAA User Config mode password password encrypted Configure the password associated with the user CTRL Z Exit to Privileged EXEC mode show aaa ias users View all configured IAS users clear aaa ias users Delete all IAS u...

Page 531: ...th Cisco Secure Access Control Server ACS software 2 Configure the settings on the client such a PC running Microsoft Windows to require 802 1X authentication The switch uses the Authentication Server with an IP address of 10 10 10 10 to authenticate clients Port 7 is connected to a printer in the unsecured area The printer is an 802 1X unaware client so Port 7 is configured to use MAC based authe...

Page 532: ...xit console config radius server key secret console config exit 2 Create a new authentication list called radiusList which uses RADIUS as the authentication method and associate the list with the 802 1X default login console config aaa authentication login radiusList radius console config aaa authentication dot1x default radius Authentication Server RADIUS LAN PowerConnect Switch Server Port 9 Cli...

Page 533: ...to an 802 1Q VLAN It is recommended to configure the port as to be in general mode in order to enable MAC based 802 1X authentication console config if Gi1 0 7 switchport mode general console config if Gi1 0 7 exit console config if Gi1 0 7 exit 7 View the client connection status When the clients on Ports 1 3 and 7 supplicants attempt to communicate via the switch the switch challenges the suppli...

Page 534: ...ort status console show dot1x Administrative Mode Enabled Port Admin Oper Reauth Reauth Mode Mode Control Period Gi1 0 1 auto Authorized FALSE 3600 Gi1 0 2 auto N A FALSE 3600 Gi1 0 3 auto Authorized FALSE 3600 Gi1 0 4 auto N A FALSE 3600 Gi1 0 5 auto N A FALSE 3600 Gi1 0 6 auto N A FALSE 3600 Gi1 0 7 mac based Authorized FALSE 3600 Gi1 0 8 auto N A FALSE 3600 Gi1 0 9 force authorized Authorized F...

Page 535: ...ices that can authenticate on that port to 3 console configure console config interface gi1 0 8 console config if Gi1 0 8 dot1x port control mac based console config if Gi1 0 8 dot1x max users 3 2 Set the port to an 802 1Q VLAN The port must be in general mode in order to enable MAC based 802 1X authentication console config if Gi1 0 8 switchport mode general console config if Gi1 0 8 exit console...

Page 536: ...n created on the switch the VLAN can be dynamically created To configure the switch 1 Allow the switch to accept RADIUS assigned VLANs console config console config aaa authorization network default radius 2 Permit the switch to dynamically create a VLAN assigned by the RADIUS server if it does not already exist on the switch 3 Set the guest VLAN on port 20 to VLAN 100 This command automatically e...

Page 537: ...le if the DiffServ policy to assign is named internet_access include the following attribute in the RADIUS or 802 1X server configuration Filter id internet_access 3 The DiffServ policy specified in the attribute must already be configured on the switch and the policy names must be identical For information about configuring a DiffServ policy see DiffServ Configuration Examples on page 1107 The ex...

Page 538: ...538 Configuring 802 1X and Port Based Security ...

Page 539: ...updates and decide which types of traffic are forwarded or blocked ACLs can reside in a firewall router a router connecting two internal networks or a Layer 3 switch such as a PowerConnect 7000 Series switch The PowerConnect 7000 Series switches support ACL configuration in both the ingress and egress direction Egress ACLs provide the capability to implement security rules on the egress flows traf...

Page 540: ... to inspect the following fields of a packet Source MAC address Source MAC mask Destination MAC address Destination MAC mask VLAN ID Class of Service CoS 802 1p EtherType L2 ACLs can apply to one or more interfaces Multiple access lists can be applied to a single interface sequence number determines the order of execution You can assign packets to queues using the assign queue option NOTE Every AC...

Page 541: ...unction The redirect function allows traffic that matches a permit rule to be redirected to a specific physical port or LAG instead of processed on the original port The redirect function and mirror function are mutually exclusive In other words you cannot configure a given ACL rule with mirror and redirect attributes What Is the ACL Mirror Function ACL mirroring provides the ability to mirror tra...

Page 542: ...hin an ACL for a predefined time interval by specifying a time range on a per rule basis within an ACL so that the time restrictions are imposed on the ACL rule With a time based ACL you can define when and for how long an individual rule of an ACL is in effect To apply a time to an ACL first you define a specific time interval and then apply it to an individual ACL rule so that it is operational ...

Page 543: ... of 100 ACLs Maximum rules per ACL is 127 You can configure mirror or redirect attributes for a given ACL rule but not both The PowerConnect 7000 Series switches support a limited number of counter resources so it may not be possible to log every ACL rule You can define an ACL with any number of logging rules but the number of rules that are actually logged cannot be determined until the ACL is ap...

Page 544: ...to the ACL 4 Configure the match criteria for the rules 5 Apply the ACL to one or more interfaces NOTE Although the maximum number of ACLs is 100 and the maximum number of rules per ACL is 127 the system cannot support 100 ACLs that each have 127 rules The maximum number of ACLs and rules supported depends on the resources consumed by other processes and configured features running on the switch ...

Page 545: ...page click at the top of the page IP ACL Configuration Use the IP ACL Configuration page to add or remove IP based ACLs To display the IP ACL Configuration page click Switching Network Security Access Control Lists IP Access Control Lists Configuration in the navigation panel Figure 20 1 IP ACL Configuration Adding an IPv4 ACL To add an IPv4 ACL 1 Open the IP ACL Configuration page 2 Click Add to ...

Page 546: ... Apply Removing IPv4 ACLs To delete an IPv4 ACL 1 From the IP ACL Name menu on the IP ACL Configuration page select the ACL to remove 2 Select the Remove checkbox 3 Click Apply Viewing IPv4 ACLs To view configured ACLs click Show All from the IP ACL Configuration page ...

Page 547: ...n traffic to a particular queue filter on some traffic change VLAN tag shut down a port and or redirect the traffic to a particular port To display the IP ACL Rule Configuration page click Switching Network Security Access Control Lists IP Access Control Lists Rule Configuration in the navigation panel NOTE There is an implicit deny all rule at the end of an ACL list This means that if an ACL is a...

Page 548: ...gure 20 4 IP ACL Rule Configuration Removing an IP ACL Rule To delete an IP ACL rule 1 From the Rule ID menu select the ID of the rule to delete 2 Select the Remove option near the bottom of the page 3 Click Apply to remove the selected rule ...

Page 549: ...isplay the MAC ACL Configuration page click Switching Network Security Access Control Lists MAC Access Control Lists Configuration in the navigation panel Figure 20 5 MAC ACL Configuration Adding a MAC ACL To add a MAC ACL 1 Open the MAC ACL Configuration page 2 Click Add to display the Add MAC ACL page 3 Specify an ACL name ...

Page 550: ...rom the MAC ACL Name menu on the MAC ACL Configuration page select the ACL to rename or remove 2 To rename the ACL select the Rename checkbox and enter a new name in the associated field 3 To remove the ACL select the Remove checkbox 4 Click Apply Viewing MAC ACLs To view configured ACLs click Show All from the MAC ACL Configuration page ...

Page 551: ...A default deny all rule is the last rule of every list To display the MAC ACL Rule Configuration page click Switching Network Security Access Control Lists MAC Access Control Lists Rule Configuration in the navigation panel Figure 20 7 MAC ACL Rule Configuration Removing a MAC ACL Rule To delete a MAC ACL rule 1 From the Rule ID menu select the ID of the rule to delete 2 Select the Remove option n...

Page 552: ...y the IP ACL Configuration page click Switching Network Security Access Control Lists IPv6 Access Control Lists IPv6 ACL Configuration in the navigation panel Figure 20 8 IPv6 ACL Configuration Adding an IPv6 ACL To add an IPv6 ACL 1 Open the IPv6 ACL Configuration page 2 Click Add to display the Add IPv6 ACL page 3 Specify an ACL name ...

Page 553: ...on page to define rules for IPv6 based ACLs The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded Additionally you can specify to assign traffic to a particular queue filter on some traffic change VLAN tag shut down a port and or redirect the traffic to a particular port By default no specific value is in effect for any of t...

Page 554: ...trol Lists IPv6 Access Control Lists Rule Configuration in the navigation menu Figure 20 10 IPv6 ACL Rule Configuration Removing an IPv6 ACL Rule To delete an IPv6 ACL rule 1 From the Rule ID menu select the ID of the rule to delete 2 Select the Remove option near the bottom of the page 3 Click Apply to remove the selected rule ...

Page 555: ... and Interfaces From the Web interface you can configure the ACL rule in the ingress or egress direction so that the ACLs implement security rules for packets entering or exiting the port You can apply ACLs to any physical including 10 Gb interface LAG or routing port To display the ACL Binding Configuration page click Switching Network Security Access Control Lists Binding Configuration in the na...

Page 556: ...zation Time Range Configuration in the navigation panel The following image shows the page after at least one time range has been added Otherwise the page indicates that no time ranges are configured and the time range configuration fields are not displayed Figure 20 12 Time Range Configuration Adding a Time Range To configure a time range 1 From the Time Range Entry Configuration page click Add 2...

Page 557: ...e field select the name of the time range to configure 6 Specify an ID for the time range You can configure up to 10 different time range entries to include in the named range However only one absolute time entry is allowed per time range 7 Configure the values for the time range entry 8 Click Apply 9 To add additional entries to the named time range repeat step 5 through step 8 ...

Page 558: ...er global configuration mode access list name deny permit every icmp igmp ip tcp udp number srcip srcmask any eq portkey portvalue dstip dstmask any eq portkey portvalue precedence precedence tos tos tosmask dscp dscp log time range time range name assign queue queue id redirect interface mirror interface Create a named ACL if it does not already exist and create a rule for the named ACL If the AC...

Page 559: ... the traffic matching this rule to be forwarded to the specified interface interface interface Optional Enter interface configuration mode for the specified interface The interface variable includes the interface type and number for example gigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range gigabitethernet 1 0 8 12 configur...

Page 560: ...ask any dstmac dstmacmask any bpdu ethertypekey 0x0600 0xFFFF vlan eq 0 4095 cos 0 7 secondary vlan eq 0 4095 secondary cos 0 7 log time range time range name assign queue queue id mirror redirect interface Specify the rules match conditions for the MAC access list srcmac Valid source MAC address in format xxxx xxxx xxxx srcmacmask Valid MAC address bitmask for the source MAC address in format xxx...

Page 561: ... interface Optional Enter interface configuration mode for the specified interface The interface variable includes the interface type and number for example gigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range gigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 mac access group name direction seqnum Bind the speci...

Page 562: ...y portvalue any destination ipv6 prefix prefix length eq portkey portvalue flow label value dscp dscp log time range time range name assign queue queue id mirror redirect interface Specify the match conditions for the IPv6 access list deny permit Specifies whether the IP ACL rule permits or denies an action every Allows all protocols number Standard protocol number or protocol keywords icmp igmp i...

Page 563: ...matching this rule to be forwarded to the specified interface interface interface Optional Enter interface configuration mode for the specified interface The interface variable includes the interface type and number for example gigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range gigabitethernet 1 0 8 12 configures interfaces...

Page 564: ...ure Enter global configuration mode time range name Create a named time range and enter the Time Range Configuration mode for the range absolute start time date end time date Configure a nonrecurring time entry for the named time range start time date Time and date the ACL rule starts going into effect The time is expressed in a 24 hour clock in the form of hours minutes For example 8 00 is 8 00 a...

Page 565: ...ay or combinations of days Monday Tuesday Wednesday Thursday Friday Saturday Sunday Other possible values are daily Monday through Sunday weekdays Monday through Friday weekend Saturday and Sunday time Time the ACL rule starts going into effect first occurrence or ends second occurrence The time is expressed in a 24 hour clock in the form of hours minutes CTRL Z Exit to Privileged EXEC mode show t...

Page 566: ...ermits hosts in the 192 168 77 0 24 subnet to send TCP and UDP traffic only to the host with an IP address of 192 168 77 50 The ACL is applied to port 2 on the PowerConnect switch Figure 20 14 IP ACL Example Network Diagram 192 168 77 1 192 168 77 2 192 168 77 3 192 168 77 4 Layer 2 Switch PowerConnect Switch Layer 3 Port Gi 1 0 2 UDP or TCP packet to 192 168 88 50 rejected Dest IP not in range UD...

Page 567: ...on Gigabit Ethernet Port 2 Only traffic matching the criteria will be accepted on this port console config interface gi1 0 2 console config if Gi1 0 2 ip access group list1 in console config if Gi11 0 2 exit Configuring a MAC ACL The following example creates a MAC ACL named mac1 that denies all IPX traffic on all ports All other type of traffic is permitted To configure the switch 1 Create a MAC ...

Page 568: ...sole show mac access lists Current number of all ACLs 1 Maximum number of all ACLs 100 console show mac access lists mac1 MAC ACL Name mac1 Inbound Interface s ch1 48 Gi1 0 1 Gi1 0 48 Rule Number 1 Action deny Ethertype ipx Rule Number 2 Action permit Match All TRUE MAC ACL Name Rules Interface s Direction mac1 2 ch1 48 Gi1 0 1 Gi1 0 48 Inbound ...

Page 569: ...through Friday console config time range periodic weekdays 8 00 to 12 00 3 Configure an entry for the time range that applies to the afternoon shift Monday through Friday console config time range periodic weekdays 13 00 to 18 00 4 Configure an entry for the time range that applies to Saturday and Sunday console config time range periodic weekend 8 30 to 12 30 console config time range exit 5 Crea...

Page 570: ...le show ip access lists web limit IP ACL Name web limit Inbound VLAN s 100 Rule Number 1 Action deny Match All FALSE Protocol 6 tcp Source IP Address any Destination IP Address any Destination L4 Port Keyword 80 www http ip Time Range Name work hours Rule Status inactive ...

Page 571: ...omains can result in network congestion and end users might complain that the network is slow In addition to latency large broadcast domains are a greater security risk since all hosts receive all broadcasts Virtual Local Area Networks VLANs allow you to divide a broadcast domain into smaller logical networks Like a bridge a VLAN switch forwards traffic based on the Layer 2 header which is fast an...

Page 572: ...the VLAN ID The PowerConnect 7000 Series switches support a configurable VLAN ID range of 2 4093 A VLAN with VLAN ID 1 is configured on the switch by default You can associate a name with the VLAN ID In a tagged frame the VLAN is identified by the VLAN ID in the tag In an untagged frame the VLAN identifier is the Port VLAN ID PVID specified for the port that received the frame For information abou...

Page 573: ...N configured for the port The VLAN membership for this network is port based or static PowerConnect 7000 Series switches also support VLAN assignment based on any of the following criteria MAC address of the end station IP subnet of the end station Protocol of the packet transmitted by the end station Payroll VLAN 300 Engineering VLAN 100 Tech Pubs VLAN 200 Router Switch ...

Page 574: ...modes Table 21 1 VLAN Assignment VLAN Assignment Description Port based Static This is the most common way to assign hosts to VLANs The port where the traffic enters the switch determines the VLAN membership IP Subnet Hosts are assigned to a VLAN based on their IP address All hosts in the same subnet are members of the same VLAN MAC Based The MAC address of the device determines the VLAN assignmen...

Page 575: ...ngle port might be connected to an IP phone a PC and a printer the PC and printer are connected via ports on the IP phone IP phones are typically configured to use a tagged VLAN for voice traffic while the PC and printers typically use the untagged VLAN When a port is added to a VLAN as an untagged member untagged packets entering the switch are tagged with the PVID also called the native VLAN of ...

Page 576: ...tch the PowerConnect 7000 Series switches support double VLAN tagging This feature allows service providers to create Virtual Metropolitan Area Networks VMANs With double VLAN tagging service providers can pass VLAN traffic from one customer domain to another through a metro core in a simple and cost effective manner By using an additional tag on the traffic the switch can differentiate between cu...

Page 577: ... is inherently time sensitive for a network to provide acceptable service the transmission rate is vital The priority level enables the separation of voice and data traffic coming onto the port A primary benefit of using Voice VLAN is to ensure that the sound quality of an IP phone is safeguarded from deteriorating when the data traffic on the port is high The switch uses the source MAC address of...

Page 578: ...automatically direct the VoIP traffic to the Voice VLAN without manual configuration The switch identifies the device as a VoIP phone by one of the following protocols Cisco Discovery Protocol CDP or Industry Standard Discovery Protocol ISDP for Cisco VoIP phones DHCP for Avaya VoIP phones LLDP MED for most other VoIP phones After the VoIP phone receives its VLAN information all traffic is tagged ...

Page 579: ...ata arriving on the switch is given the default priority of the port default 0 and the voice traffic is received with a higher priority You can configure the switch to override the data traffic CoS This feature can override the 802 1 priority of the data traffic packets arriving at the port enabled for Voice VLAN Therefore any rogue client that is also connected to the Voice VLAN port does not det...

Page 580: ... to the VLAN database no ports are members The configurable VLAN range is 2 4093 VLAN 4094 and 4095 are reserved VLAN 4095 is designated as the Discard VLAN Setting an access port PVID to 4095 will effectively shut the port down because frames are not forwarded in either direction Ports in trunk and access mode have the default behavior shown in Table 21 2 and cannot be configured with different t...

Page 581: ...abled If double VLAN tagging is enabled the default EtherType value is 802 1Q Maximum number of configurable MAC to VLAN bindings 128 Maximum number of configurable IP Subnet to VLAN bindings 64 GVRP Disabled If GVRP is enabled the default port parameters are GVRP State Disabled Dynamic VLAN Creation Disabled GVRP Registration Disabled Number of dynamic VLANs that can be assigned through GVRP 1024...

Page 582: ...ally through GVRP or when the Static row is changed and Apply is clicked There are two tables on the page Ports Displays and assigns VLAN membership to ports To assign membership click in Static for a specific port Each click toggles between U T and blank See Table 21 5 for definitions LAGs Displays and assigns VLAN membership to LAGs To assign membership click in Static for a specific LAG Each cl...

Page 583: ... such as making the port a trunk port use the Port Settings page Figure 21 3 VLAN Membership Blank Blank the interface is not a VLAN member Packets in this VLAN are not forwarded on this interface Table 21 5 VLAN Port Membership Definitions Port Control Definition ...

Page 584: ...Add VLAN 4 Click Apply Configuring Ports as VLAN Members To add member ports to a VLAN 1 Open the VLAN Membership page 2 From the Show VLAN menu select the VLAN to which you want to assign ports 3 In the Static row of the VLAN Membership table click the blank field to assign the port as an untagged member Figure 21 5 shows Gigabit Ethernet ports 5 8 being added to VLAN 300 ...

Page 585: ...Configuring VLANs 585 Figure 21 5 Add Ports to VLAN 4 Click Apply 5 Verify that the ports have been added to the VLAN ...

Page 586: ...586 Configuring VLANs In Figure 21 6 the presence of the letter U in the Current row indicates that the port is an untagged member of the VLAN Figure 21 6 Add Ports to VLAN ...

Page 587: ... in the navigation panel Figure 21 7 VLAN Port Settings From the Port Settings page click Show All to see the current VLAN settings for all ports You can change the settings for one or more ports by clicking the Edit option for a port and selecting or entering new values NOTE You can add ports to a VLAN through the table on the VLAN Membership page or through the PVID field on the Port Settings pa...

Page 588: ...All Ports VLAN LAG Settings Use the VLAN LAG Settings page to map a LAG to a VLAN and to configure specific VLAN settings for the LAG To display the LAG Settings page click Switching VLAN LAG Settings in the navigation panel Figure 21 9 VLAN LAG Settings ...

Page 589: ... LAG Settings page click Show All to see the current VLAN settings for all LAGs You can change the settings for one or more LAGs by clicking the Edit option for a port and selecting or entering new values Figure 21 10 VLAN LAG Table ...

Page 590: ...hared across all ports of the switch The MAC to VLAN table supports up to 128 entries To display the Bind MAC to VLAN page click Switching VLAN Bind MAC to VLAN in the navigation panel Figure 21 11 Bind MAC to VLAN From the Bind MAC to VLAN page click Show All to see the MAC addresses that are mapped to VLANs From this page you can change the settings for one or more entries or remove an entry ...

Page 591: ... to assign an IP Subnet to a VLAN The IP Subnet to VLAN configurations are shared across all ports of the switch There can be up to 64 entries configured in this table To display the Bind IP Subnet to VLAN page click Switching VLAN Bind IP Subnet to VLAN in the navigation panel Figure 21 13 Bind IP Subnet to VLAN ...

Page 592: ...s From the Bind IP Subnet to VLAN page click Show All to see the IP subnets that are mapped to VLANs From this page you can change the settings for one or more entries or remove an entry Figure 21 14 Subnet VLAN Bind Table ...

Page 593: ...LAN GVRP Parameters in the navigation panel Figure 21 15 GVRP Parameters From the GVRP Parameters page click Show All to see the GVRP configuration for all ports From this page you can change the settings for one or more entries NOTE Per port and per LAG GVRP Statistics are available from the Statistics RMON page For more information see Monitoring Switch Traffic on page 391 ...

Page 594: ...594 Configuring VLANs Figure 21 16 GVRP Port Parameters Table ...

Page 595: ...hich VLANs and then enable certain ports to use these settings Protocol based VLANs are most often used in situations where network segments contain hosts running multiple protocols To display the Protocol Group page click Switching VLAN Protocol Group in the navigation panel Figure 21 17 Protocol Group ...

Page 596: ...pply 5 Click Protocol Group to return to the main Protocol Group page 6 From the Group ID field select the group to configure 7 In the Protocol Settings table select the protocol and interfaces to associate with the protocol based VLAN In Figure 21 19 the Protocol Group 1 named IPX is associated with the IPX protocol and ports 14 16 Ports 20 22 are selected in Available Ports list After clicking t...

Page 597: ...Configuring VLANs 597 Figure 21 19 Configure Protocol Group 8 Click Apply 9 Click Show All to see the protocol based VLANs and their members Figure 21 20 Protocol Group Table ...

Page 598: ...ration page to specify the value of the EtherType field in the first EtherType tag pair of the double tagged frame To display the Double VLAN Global Configuration page click Switching VLAN Double VLAN Global Configuration in the navigation panel Figure 21 21 Double VLAN Global Configuration ...

Page 599: ... EtherType tag pair of the double tagged frame To display the Double VLAN Interface Configuration page click Switching VLAN Double VLAN Interface Configuration in the navigation panel Figure 21 22 Double VLAN Interface Configuration To view a summary of the double VLAN configuration for all interfaces and to edit settings for one or more interfaces click Show All ...

Page 600: ...600 Configuring VLANs Figure 21 23 Double VLAN Port Parameter Table ...

Page 601: ...lay the page click Switching VLAN Voice VLAN Configuration in the navigation panel Figure 21 24 Voice VLAN Configuration NOTE IEEE 802 1X must be enabled on the switch before you disable voice VLAN authentication Voice VLAN authentication can be disabled in order to allow VoIP phones that do not support authentication to send and receive unauthenticated traffic on the Voice VLAN ...

Page 602: ... for the specified VLAN or VLAN range vlan id A valid VLAN IDs Range 2 4093 vlan range A list of valid VLAN IDs to be added List separate non consecutive VLAN IDs separated by commas without spaces use a hyphen to designate a range of IDs Range 2 4093 NOTE You can also create with this command in VLAN Database mode To enter VLAN Database mode use the vlan database command in Global Configuration m...

Page 603: ...mode interface interface Enter interface configuration mode for the specified interface The interface variable includes the interface type and number for example gigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range gigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 switchport mode access Configure the interface a...

Page 604: ... vlan add remove vlan list tagged untagged Configure the VLAN membership for the port You can also use this command to change the egress tagging for packets without changing the VLAN assignment add vlan list List of VLAN IDs to add Separate nonconsecutive VLAN IDs with a comma and no spaces Use a hyphen to designate a range of IDs Range 1 4093 remove vlan list List of VLAN IDs to remove Separate n...

Page 605: ...N in the tag CTRL Z Exit to Privileged EXEC mode show interfaces switchport interface Display information about the VLAN settings configured for the specified interface The interface variable includes the interface type and number Command Purpose configure Enter global configuration mode interface interface Enter interface configuration mode for the specified interface The interface variable inclu...

Page 606: ...LANs to those currently set instead of replacing the list remove Removes the defined list of VLANs from those currently set instead of replacing the list Valid IDs are from 1 to 1005 extended range VLAN IDs are valid in except Lists the VLANs that should be calculated by inverting the defined list of VLANs VLANs are added except the ones specified vlan atom Either a single VLAN number from 1 to 40...

Page 607: ...rt mode Command Purpose configure Enter global configuration mode interface port channel channel id Enter interface configuration mode for the specified interface channel id Specific port channel Range 1 48 You can also specify a range of LAGs with the interface range port channel command for example interface range port channel 4 8 switchport mode access general trunk Configure the interface as a...

Page 608: ...e gigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 mode dvlan tunnel Enable Double VLAN Tunneling on the specified interface exit Exit to global configuration mode dvlan tunnel ethertype 802 1Q vman custom 0 65535 Configure the EtherType to use for interfaces with double VLAN tunneling enabled 802 1Q Configures the EtherType as 0x8100 vman Configures the EtherType as 0x88A8 custom C...

Page 609: ...lobal configuration mode vlan database Enter VLAN database mode vlan association mac mac address vlan id Associate a MAC address with a VLAN mac address MAC address to associate Range Any MAC address in the format xxxx xxxx xxxx or xx xx xx xx xx xx vlanid VLAN to associate with subnet Range 1 4093 CTRL Z Exit to Privileged EXEC mode show vlan association mac mac address Display the VLAN associate...

Page 610: ...ation can be associated with one group only If adding an interface to a group causes any conflicts with protocols currently associated with the group adding the interface s to the group fails and no interfaces are added to the group Ensure that the referenced VLAN is created prior to the creation of the protocol based group except when GVRP is expected to create the VLAN Command Purpose configure ...

Page 611: ...ith the group this command fails and the protocol is not added to the group groupid The protocol based VLAN group ID protocol The protocol you want to add The ethertype can be any valid number in the range 0x0600 0xffff protocol vlan group all groupid Optional Add all physical interfaces to the protocol based group identified by groupid You can add individual interfaces to the protocol based group...

Page 612: ...the name of a protocol group use the show port protocol all command vlanid A valid VLAN ID CTRL Z Exit to Privileged EXEC mode show port protocol all groupid Display the Protocol Based VLAN information for either the entire system or for the indicated group Command Purpose configure Enter global configuration mode gvrp enable Enable GVRP on the switch interface interface Enter interface configurat...

Page 613: ...o spaces Use a hyphen to designate a range of IDs gvrp registration forbid Optional Deregister all VLANs on a port and prevent any dynamic registration on the port gvrp vlan creation forbid Optional Disable dynamic VLAN creation exit Exit to global configuration mode vlan database Enter VLAN database mode vlan makestatic vlan id Optional Change a dynamically created VLAN one that is created by GVR...

Page 614: ...1p priority none untagged data priority trust untrust auth enable disable dscp value Enable the voice vlan capability on the interface vlanid The voice VLAN ID priority The Dot1p priority for the voice VLAN on the port trust Trust the dot1p priority or DSCP values contained in packets arriving on the voice vlan port untrust Do not trust the dot1p priority or DSCP values contained in packets arrivi...

Page 615: ...ample VLANs VLAN ID VLAN Name VLAN Type Purpose 100 Engineering Port based All employees in the Engineering department use this VLAN Confining this department s traffic to a single VLAN helps reduce the amount of traffic in the broadcast domain which increases bandwidth 200 Marketing Port based All employees in the Marketing department use this VLAN 300 Sales MAC based The sales staff works remote...

Page 616: ...sts connect to Switch 1 and some connect to Switch 2 The Engineering and Marketing departments share the same file server Because security is a concern for the Payroll VLAN the ports and LAG that are members of this VLAN will accept and transmit only traffic tagged with VLAN 400 The Sales staff might connect to a port on Switch 1 or Switch 2 VLAN 400 Payroll Payroll Server Shared File Server Payro...

Page 617: ...LAG Function Switch 1 1 Connects to Switch 2 2 15 Host ports for Payroll 16 20 Host ports for Marketing LAG1 ports 21 24 Connects to Payroll server Switch 2 1 Connects to Switch 1 2 10 Host ports for Marketing 11 30 Host ports for Engineering LAG1 ports 35 39 Connects to file server LAG2 ports 40 44 Uplink to router ...

Page 618: ...se the Engineering VLAN VLAN 100 so it is not necessary to create it on that switch To configure Switch 1 1 Create the Marketing Sales and Payroll VLANs a From the Switching VLAN VLAN Membership page click Add b In the VLAN ID field enter 200 c In the VLAN Name field enter Marketing d Click Apply Figure 21 26 Add VLANs e Repeat steps b d to create VLANs 300 Sales and 400 Payroll 2 Assign ports 16 ...

Page 619: ... the Payroll VLAN a From the Switching VLAN VLAN Membership page select 400 Payroll from the Show VLAN field b In the Static row click the space for ports 2 15 and LAG 1 so the U untagged displays for each port and then click Apply 5 Configure LAG 1 to be in general mode and specify that the LAG will accept tagged or untagged frames but that untagged frames will be transmitted tagged with PVID 400...

Page 620: ...onfigure the following settings Port VLAN Mode General PVID 400 Frame Type AdmitAll c Click Apply Figure 21 28 LAG Settings 6 Configure port 1 as a trunk port a From the Switching VLAN Port Settings page make sure port Gi1 0 1 is selected b From the Port VLAN Mode field select Trunk c Click Apply ...

Page 621: ... 30 shows VLAN 200 in which port 1 is a tagged member and ports 16 20 are untagged members Figure 21 30 Trunk Port Configuration 8 Configure the MAC based VLAN information a Go to the Switching VLAN Bind MAC to VLAN page b In the MAC Address field enter a valid MAC address for example 00 1C 23 55 E9 8B c In the Bind to VLAN field enter 300 which is the Sales VLAN ID d Click Apply ...

Page 622: ...steps to configure the VLANs and ports on Switch 2 Many of the procedures in this section are the same as procedures used to configure Switch 1 For more information about specific procedures see the details and figures in the previous section To configure Switch 2 1 Create the Engineering Marketing Sales and Payroll VLANs Although the Payroll hosts do not connect to this switch traffic from the Pa...

Page 623: ...onfiguration to the startup configuration Configuring VLANs Using the CLI This example shows how to perform the same configuration by using CLI commands Configure the VLANs and Ports on Switch 1 Use the following steps to configure the VLANs and ports on Switch 1 None of the hosts that connect to Switch 1 use the Engineering VLAN VLAN 100 so it is not necessary to create it on that switch To confi...

Page 624: ...switchport access vlan 400 console config if exit 4 Assign LAG1 to the Payroll VLAN and specify that frames will always be transmitted tagged with a PVID of 400 console config interface port channel 1 console config if ch1 switchport mode general console config if ch1 switchport general allowed vlan add 400 tagged console config if ch1 switchport general pvid 400 console config if ch1 exit 5 Confi...

Page 625: ...ists across a system reset use the following command console copy running config startup config 8 View the VLAN settings console show vlan 9 View the VLAN membership information for a port console show interfaces switchport gi1 0 1 Port Gi1 0 1 VLAN Membership mode Trunk Mode Operating parameters PVID 1 Ingress Filtering Enabled Acceptable Frame Type VLAN Only Default Priority 0 GVRP status Disabl...

Page 626: ...o this switch traffic from the Payroll department must use Switch 2 to reach the rest of the network and Internet through the uplink port For that reason Switch 2 must be aware of VLAN 400 so that traffic is not rejected by the trunk port 2 Configure ports 2 10 as access ports and add VLAN 200 to the ports 3 Configure ports 11 30 as access ports and add VLAN 100 to the ports 4 Configure LAG 1 as a...

Page 627: ... Port Based Security on page 505 To configure the switch 1 Create the voice VLAN console configure console config vlan database console config vlan vlan 25 console config vlan exit 2 Enable the Voice VLAN feature on the switch console config voice vlan 3 Configure port 10 to be in general mode console config interface gi1 0 10 console config if Gi1 0 10 switchport mode general 4 Enable port based ...

Page 628: ...ication console config if Gi1 0 10 voice vlan auth disable 7 Exit to Privileged Exec mode console config if Gi1 0 10 CTRL Z 8 View the voice VLAN settings for port 10 console show voice vlan interface gi1 0 10 Interface Gi1 0 10 Voice VLAN Interface Mode Enabled Voice VLAN ID 25 Voice VLAN COS Override False Voice VLAN DSCP Value 46 Voice VLAN Port Status Disabled Voice VLAN Authentication Disable...

Page 629: ...rovide a single path between end stations on a network PowerConnect 7000 Series switches support Classic STP Multiple STP and Rapid STP What Are Classic STP Multiple STP and Rapid STP Classic STP provides a single path between end stations avoiding and eliminating loops Multiple Spanning Tree Protocol MSTP supports multiple instances of Spanning Tree to efficiently channel VLAN traffic over differ...

Page 630: ...ier of the bridge and its configurable priority number When two switches have an equal bridge ID value the switch with the lowest MAC address is the root bridge After the root bridge is elected each switch finds the lowest cost path to the root bridge The port that connects the switch to the lowest cost path is the root port on the switch The switches in the spanning tree also determine which port...

Page 631: ...lected to be the Root Bridge and Port 1 on Switch B and Switch C are calculated to be the root ports for those bridges Port 2 on Switch B and Switch C would be placed into the Blocking state This creates a loop free topology End stations in VLAN 10 can talk to other devices in VLAN 10 and end stations in VLAN 20 have a single path to communicate with other VLAN 20 devices Switch A Switch B Switch ...

Page 632: ...these inefficiencies could be eliminated MSTP does just that by allowing the configuration of MSTIs based upon a VLAN or groups of VLANs In this simple case VLAN 10 could be associated with Multiple Spanning Tree Instance MSTI 1 with an active topology similar to Figure 22 2 and VLAN 20 could be associated with MSTI 2 where Port 1 on both Switch A and Switch B begin discarding and all others forwa...

Page 633: ...hes is shown in Figure 22 3 Figure 22 3 Logical MSTP Environment Switch A Switch B Switch C Port 1 Port 1 VLAN 10 VLAN 10 VLAN 10 Port 2 Port 1 Switch A Switch B Switch C Port 1 Port 2 VLAN 20 VLAN 20 VLAN 20 Port 2 Port 2 MSTI 1 MSTI 2 MSTI 1 Regional Root CIST Regional Root CIST Regional Root MSTI 2 Regional Root ...

Page 634: ...alternate paths through each Region Above Switch A is elected as both the MSTI 1 Regional Root and the CIST Regional Root Bridge and after adjusting the Bridge Priority on Switch C in MSTI 2 it would be elected as the MSTI 2 Regional Root To further illustrate the full connectivity in an MSTP active topology the following rules apply 1 Each Bridge or LAN is in only one Region 2 Every frame is asso...

Page 635: ...re connected to end devices such as a desktop computer printer or file server to transition to the forwarding state without going through the listening and learning states BPDU Filtering Ports that have the PortFast feature enabled continue to transmit BPDUs The BPDU filtering feature prevents PortFast enabled ports from sending BPDUs If BPDU filtering is configured globally on the switch the feat...

Page 636: ...ding loops induced by BPDU packet loss The reasons for failing to receive packets are numerous including heavy traffic software problems incorrect configuration and unidirectional link failure When a non designated port no longer receives BPDUs the spanning tree algorithm considers that this link is loop free and begins transitioning the link from blocking to forwarding Once in forwarding state th...

Page 637: ...on to a forwarding state When the port receives a BPDU packet the system sets it to non edge port and recalculates the spanning tree which causes network topology flapping In normal cases these ports do not receive any BPDU packets However someone may forge BPDU to maliciously attack the switch and cause network flapping BPDU protection can be enabled in RSTP to prevent such attacks When BPDU prot...

Page 638: ...ate Enabled globally and on all ports Spanning tree mode RSTP Classic STP and MSTP are disabled Switch priority 32768 BPDU flooding Disabled PortFast mode Disabled PortFast BPDU filter Disabled Loop guard Disabled BPDU protection Disabled Spanning tree port priority 128 Maximum aging time 20 seconds Forward delay time 15 seconds Maximum hops 20 Spanning tree transmit hold count 6 MSTP region name ...

Page 639: ...monitoring STP settings on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page STP Global Settings The STP Global Settings page contains fields for enabling STP on the switch To display the STP Global Settings page click Switching Spanning Tree Global Settings in the navigation panel Figure 22 4 Spanning Tree Global Settings ...

Page 640: ...tocol STP Port Settings Use the STP Port Settings page to assign STP properties to individual ports To display the STP Port Settings page click Switching Spanning Tree STP Port Settings in the navigation panel Figure 22 5 STP Port Settings ...

Page 641: ...STP settings for multiple ports 1 Open the STP Port Settings page 2 Click Show All to display the STP Port Table Figure 22 6 Configure STP Port Settings 3 For each port to configure select the check box in the Edit column in the row associated with the port 4 Select the desired settings 5 Click Apply ...

Page 642: ...ports parameters To display the STP LAG Settings page click Switching Spanning Tree STP LAG Settings in the navigation panel Figure 22 7 STP LAG Settings Configuring STP Settings for Multiple LAGs To configure STP settings on multiple LAGS 1 Open the STP LAG Settings page 2 Click Show All to display the STP LAG Table ...

Page 643: ...h the LAG 4 Select the desired settings 5 Click Apply Rapid Spanning Tree Rapid Spanning Tree Protocol RSTP detects and uses network topologies that allow a faster convergence of the spanning tree without creating forwarding loops To display the Rapid Spanning Tree page click Switching Spanning Tree Rapid Spanning Tree in the navigation panel Figure 22 9 Rapid Spanning Tree ...

Page 644: ...644 Configuring the Spanning Tree Protocol To view RSTP Settings for all interfaces click the Show All link The Rapid Spanning Tree Table displays Figure 22 10 RSTP LAG Settings ...

Page 645: ...Spanning Tree to efficiently channel VLAN traffic over different interfaces MSTP is compatible with both RSTP and STP a MSTP bridge can be configured to behave entirely as a RSTP bridge or a STP bridge To display the MSTP Settings page click Switching Spanning Tree MSTP Settings in the navigation panel Figure 22 11 MSTP Settings ...

Page 646: ...tings for multiple VLANS 1 Open the MSTP Settings page 2 Click Show All to display the MSTP Settings Table Figure 22 12 Configure MSTP Settings 3 For each Instance ID to modify select the check box in the Edit column in the row associated with the VLAN 4 Update the Instance ID settings for the selected VLANs 5 Click Apply ...

Page 647: ...To display the MSTP Interface Settings page click Switching Spanning Tree MSTP Interface Settings in the navigation panel Figure 22 13 MSTP Interface Settings Configuring MSTP Settings for Multiple Interfaces To configure MSTP settings for multiple interfaces 1 Open the MSTP Interface Settings page 2 Click Show All to display the MSTP Interface Table ...

Page 648: ...nning Tree Protocol Figure 22 14 Configure MSTP Interface Settings 3 For each interface to configure select the check box in the Edit column in the row associated with the interface 4 Update the desired settings 5 Click Apply ...

Page 649: ...lowest priority value is elected as the root switch spanning tree max age seconds Specify the switch maximum age time which indicates the amount of time in seconds a bridge waits before implementing a topological change Valid values are from 6 to 40 seconds spanning tree forward time seconds Specify the switch forward delay time which indicates the amount of time in seconds a bridge remains in a l...

Page 650: ...tch interface interface Enter interface configuration mode for the specified interface The interface variable includes the interface type and number for example gigabitethernet 1 0 3 or port channel 4 You can also specify a range of interfaces with the interface range command for example interface range gigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 The range keyword is also valid...

Page 651: ...ures interfaces 8 9 10 11 and 12 The range keyword is also valid for LAGs port channels spanning tree disable Disable spanning tree on the port spanning tree port priority priority Specify the priority of the port Range 0 240 The priority value is used to determine which ports are put in the forwarding state and which ports are put in the blocking state A port with a lower priority value is more l...

Page 652: ...added to the existing MST instance To specify a range of VLANs use a hyphen To specify a series of VLANs use a comma Range 1 4093 exit Return to global configuration mode spanning tree mst instance id priority priority Set the switch priority for the specified spanning tree instance instance id ID of the spanning tree instance Range 1 4094 priority Sets the switch priority for the specified spanni...

Page 653: ...ommon spanning tree Range 0 200000000 spanning tree mst instance id cost cost Configure the path cost for MST calculations If a loop occurs the spanning tree considers path cost when selecting an interface to put in the forwarding state instance ID ID of the spanning tree instance Range 1 4094 cost The port path cost Range 0 200 000 000 spanning tree mst instance id port priority priority Specify ...

Page 654: ...e shows a LAN with four switches On each switch ports 1 2 and 3 connect to other switches and ports 4 20 connect to hosts in Figure 22 15 each PC represents 17 host systems Figure 22 15 STP Example Network Diagram Ports 4 20 Ports 4 20 Ports 4 20 Port 3 Port 1 Port 1 Switch A Switch B Switch C Port 1 Port 2 Port 1 Port 2 Port 2 Switch D Port 2 Port 3 Port 3 Port 3 Ports 4 20 ...

Page 655: ...apability to prevent network loops For all other STP settings the administrator uses the default STP values To configure the switch 1 Connect to Switch A and configure the priority to be higher a lower value than the other switches which use the default value of 32768 console config console config spanning tree priority 8192 2 Configure ports 4 20 to be in Port Fast mode console config interface r...

Page 656: ...es in the region To configure the switches 1 Create VLAN 10 Switch A and Switch B and VLAN 20 all switches console configure console config vlan database console config vlan vlan 10 console config vlan vlan 20 console config vlan exit NOTE Even Switch B does not have any ports that are members of VLAN 10 this VLAN must be created to allow the formation of MST regions made up of all bridges that ex...

Page 657: ...figure Switch A to be the root bridge of the spanning tree CIST Regional Root by configuring a higher root bridge priority console config spanning tree priority 8192 7 Switch A only Make Switch A the Regional Root for MSTI 1 by configuring a higher priority for MST ID 10 console config spanning tree mst 10 priority 12288 8 Switch A only Change the priority of MST ID 20 to ensure Switch C is the Re...

Page 658: ...658 Configuring the Spanning Tree Protocol ...

Page 659: ...tch to broadcast information about itself and to learn information about neighboring devices What Is ISDP The Industry Standard Discovery Protocol ISDP is a proprietary Layer 2 network protocol that inter operates with Cisco devices running the Cisco Discovery Protocol CDP ISDP is used to share information between neighboring devices The switch software participates in the CDP protocol and is able...

Page 660: ...matically translate into configuration An external application may query the MED MIB and take management actions in configuring functionality Why are Device Discovery Protocols Needed The device discovery protocols are used primarily in conjunction with network management tools to provide information about network topology and configuration and to help troubleshoot problems that occur on the netwo...

Page 661: ...ameter Default Value ISDP Mode Enabled globally and on all ports ISDPv2 Mode Enabled globally and on all ports Message Interval 30 seconds Hold Time Interval 180 seconds Device ID none Device ID Format Capability Serial Number Host Name Device ID Format Serial Number Table 23 2 LLDP Defaults Parameter Default Value Transmit Mode Enabled on all ports Receive Mode Enabled on all ports Transmit Inter...

Page 662: ...able 23 3 summarizes the default values for LLDP MED Table 23 3 LLDP MED Defaults Parameter Default Value LLDP MED Mode Disabled on all ports Config Notification Mode Disabled on all ports Transmit TVLs MED Capabilities Network Policy ...

Page 663: ...on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page ISDP Global Configuration From the ISDP Global Configuration page you can configure the ISDP settings for the switch such as the administrative mode To access the ISDP Global Configuration page click System ISDP Global Configuration in the navigation panel Figure 23 1 ISDP Global Configuration ...

Page 664: ... Table From the ISDP Cache Table page you can view information about other devices the switch has discovered through the ISDP To access the ISDP Cache Table page click System ISDP Cache Table in the navigation panel Figure 23 2 ISDP Cache Table ...

Page 665: ...must also be enabled globally in order for the interface to transmit ISDP packets If the ISDP mode on the ISDP Global Configuration page is disabled the interface will not transmit ISDP packets regardless of the mode configured on the interface To access the ISDP Interface Configuration page click System ISDP Interface Configuration in the navigation panel Figure 23 3 ISDP Interface Configuration ...

Page 666: ...666 Discovering Network Devices To view view the ISDP mode for multiple interfaces click Show All Figure 23 4 ISDP Interface Summary ...

Page 667: ... Statistics From the ISDP Statistics page you can view information about the ISDP packets sent and received by the switch To access the ISDP Statistics page click System ISDP Statistics in the navigation panel Figure 23 5 ISDP Statistics ...

Page 668: ...ration page to specify LLDP parameters Parameters that affect the entire system as well as those for a specific interface can be specified here To display the LLDP Configuration page click Switching LLDP Configuration in the navigation panel Figure 23 6 LLDP Configuration ...

Page 669: ... 669 To view the LLDP Interface Settings Table click Show All From the LLDP Interface Settings Table page you can view and edit information about the LLDP settings for multiple interfaces Figure 23 7 LLDP Interface Settings Table ...

Page 670: ...ng Network Devices LLDP Statistics Use the LLDP Statistics page to view LLPD related statistics To display the LLDP Statistics page click Switching LLDP Statistics in the navigation panel Figure 23 8 LLDP Statistics ...

Page 671: ...ections Use the LLDP Connections page to view the list of ports with LLDP enabled Basic connection details are displayed To display the LLDP Connections page click Switching LLDP Connections in the navigation panel Figure 23 9 LLDP Connections ...

Page 672: ...information about a device connected to a port that has been discovered through LLDP click the port number in the Local Interface table it is a hyperlink or click Details and select the port with the connected device Figure 23 10 LLDP Connection Detail ...

Page 673: ...LDP MED Global Configuration page to change or view the LLDP MED parameters that affect the entire system To display the LLDP MED Global Configuration page click Switching LLDP LLDP MED Global Configuration in the navigation panel Figure 23 11 LLDP MED Global Configuration ...

Page 674: ...DP MED Interface Configuration page to specify LLDP MED parameters that affect a specific interface To display the LLDP MED Interface Configuration page click Switching LLDP LLDP MED Interface Configuration in the navigation panel Figure 23 12 LLDP MED Interface Configuration ...

Page 675: ...Discovering Network Devices 675 To view the LLDP MED Interface Summary table click Show All Figure 23 13 LLDP MED Interface Summary ...

Page 676: ...e LLDP MED Local Device Information page to view the advertised LLDP local data for each port To display the LLDP MED Local Device Information page click Switching LLDP LLDP MED Local Device Information in the navigation panel Figure 23 14 LLDP MED Local Device Information ...

Page 677: ... MED Remote Device Information page to view the advertised LLDP data advertised by remote devices To display the LLDP MED Remote Device Information page click Switching LLDP LLDP MED Remote Device Information in the navigation panel Figure 23 15 LLDP MED Remote Device Information ...

Page 678: ...wing commands to configure ISDP settings that affect the entire switch Command Purpose configure Enter Global Configuration mode isdp enable Administratively enable ISDP on the switch isdp advertise v2 Allow the switch to send ISDPv2 packets isdp holdtime time Specify the number of seconds the device that receives ISDP packets from the switch should store information sent in the ISDP packet before...

Page 679: ...er interface configuration mode for the specified interface isdp enable Administratively enable ISDP on the switch exit Exit to Global Config mode exit Exit to Privileged Exec mode show isdp interface all View the ISDP mode on all interfaces Command Purpose show isdp entry all deviceid View information about all entries or a specific entry in the ISDP table show isdp neighbors View the neighboring...

Page 680: ...rts enabled for LLDP transmit interval The interval in seconds at which to transmit local data LLDP PDUs Range 5 32768 seconds hold value Multiplier on the transmit interval used to set the TTL in local data LLDP PDUs Range 2 10 reinit delay The delay in seconds before re initialization Range 1 10 seconds exit Exit to Privileged EXEC mode show lldp View global LLDP settings Command Purpose configu...

Page 681: ...e system capabilities TLV port desc Transmits the port description TLV exit Exit to Global Config mode exit Exit to Privileged EXEC mode show lldp interface all View LLDP settings for all interfaces Command Purpose show lldp local device all interface detail interface View LLDP information advertised by all ports or the specified port Include the keyword detail to see additional information show l...

Page 682: ...rface interface Enter interface configuration mode for the specified Ethernet interface lldp med Enable LLDP MED on the interface lldp med confignotification Allow the port to send topology change notifications lldp med transmit tlv capabilities network policy location inventory Specify which optional TLVs in the LLDP MED set are transmitted in the LLDP PDUs exit Exit to Global Config mode exit Ex...

Page 683: ...formation sent by the switch before discarding it console configure console config isdp holdtime 60 2 Specify how often in seconds the ISDP enabled ports should transmit information console config isdp timer 45 3 Enable ISDP on interface 1 0 3 console config interface gigabitEthernet1 0 3 console config if Gi1 0 3 isdp enable 4 Exit to Privileged EXEC mode and view the LLDP settings for the switch...

Page 684: ...ransmit all LLDP information available To configure the switch 1 Configure the transmission interval hold multiplier and reinitialization delay for LLDP PDUs sent from the switch console configure console config lldp timers interval 60 hold 5 reinit 3 2 Enable port 1 0 3 to transmit and receive LLDP PDUs console config interface gigabitEthernet1 0 3 console config if Gi1 0 3 lldp transmit console ...

Page 685: ...e show lldp LLDP Global Configuration Transmit Interval 60 seconds Transmit Hold Multiplier 5 Reinit Delay 3 seconds Notification Interval 5 seconds 8 View summary information about the LLDP configuration on port 1 0 3 console show lldp interface gi1 0 3 LLDP Interface Configuration Interface Link Transmit Receive Notify TLVs Mgmt Gi1 0 3 Down Enabled Enabled Enabled 0 1 2 3 Y TLV Codes 0 Port Des...

Page 686: ... 07 Port ID Subtype Interface Name Port ID gi 1 0 3 System Name console System Description PowerConnect 7048 3 16 22 30 VxWorks 6 5 Port Description Test Lab Port System Capabilities Supported bridge router System Capabilities Enabled bridge Management Address Type IPv4 Address 192 168 2 1 ...

Page 687: ...Configuring Port Based Traffic Control Web Configuring Port Based Traffic Control CLI Port Based Traffic Control Configuration Examples Port Based Traffic Control Overview Table 24 1 provides a summary of the features this chapter describes Table 24 1 Port Based Traffic Control Features Feature Description Flow control Allows traffic transmission between a switch port and another Ethernet device t...

Page 688: ...arded message responses can overload network resources and cause network congestion The storm control feature allows the switch to measure the incoming broadcast multicast and or unknown unicast packet rate per port and discard packets when the rate exceeds the defined threshold Storm control is enabled per interface by defining the packet type and the rate at which the packets are transmitted For...

Page 689: ...otocols running on standards based switches LLPF allows a PowerConnect 7000 Series switch to filter out various Cisco proprietary protocol data units PDUs and or ISDP if problems occur with these protocols running on standards based switches If certain protocol PDUs cause unexpected results LLPF can be enabled to prevent those protocol PDUs from being processed by the switch The LLPF feature can b...

Page 690: ...configuration overrides the LLPF configuration and the ISDP PDUs are allowed on the interface Default Port Based Traffic Control Values Table 24 2 lists the default values for the port based traffic control features that this chapter describes Table 24 2 Default Port Based Traffic Control Values Feature Default Flow control Enabled Storm control Disabled Protected ports None LLPF No protocols are ...

Page 691: ...rt based traffic on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page Flow Control Global Port Parameters Use the Global Parameters page for ports to enable or disable flow control support on the switch To display the Global Parameters page click Switching Ports Global Parameters in the navigation menu Figure 24 1 Global Port Parameters ...

Page 692: ...g Ports Storm Control in the navigation menu Figure 24 2 Storm Control Configuring Storm Control Settings on Multiple Ports To configure storm control on multiple ports 1 Open the Storm Control page 2 Click Show All to display the Storm Control Settings Table 3 In the Ports list select the check box in the Edit column for the port to configure 4 Select the desired storm control settings ...

Page 693: ...Configuring Port Based Traffic Control 693 Figure 24 3 Storm Control 5 Click Apply ...

Page 694: ...o see each other s traffic To display the Protected Port Configuration page click Switching Ports Protected Port Configuration in the navigation menu Figure 24 4 Protected Port Configuration Configuring Protected Ports To configure protected ports 1 Open the Protected Ports page 2 Click Add to display the Add Protected Group page 3 Select a group 0 2 4 Specify a name for the group ...

Page 695: ... Group 5 Click Apply 6 Click Protected Port Configuration to return to the main page 7 Select the port to add to the group 8 Select the protected port group ID Figure 24 6 Add Protected Ports 9 Click Apply 10 To view protected port group membership information click Show All ...

Page 696: ...rt and click Apply LLPF Configuration Use the LLPF Interface Configuration page to filter out various proprietary protocol data units PDUs and or ISDP if problems occur with these protocols running on standards based switches To display the LLPF Interface Configuration page click Switching Network Security Proprietary Protocol Filtering LLPF Interface Configuration the navigation menu ...

Page 697: ...Configuring Port Based Traffic Control 697 Figure 24 8 LLPF Interface Configuration To view the protocol types that have been blocked for an interface click Show All Figure 24 9 LLPF Filtering Summary ...

Page 698: ...f interfaces with the interface range command for example interface range gigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 storm control broadcast level rate Enable broadcast storm recovery mode on the interface and optionally set the threshold rate threshold as percentage of port speed The percentage is converted to a PacketsPerSecond value based on a 512 byte average packet size s...

Page 699: ... or the specified interface Command Purpose configure Enter global configuration mode switchport protected groupid name name Specify a name for one of the three protected port groups groupid Identifies which group the port is to be protected in Range 0 2 name Name of the group Range 0 32 characters interface interface Enter interface configuration mode for the specified interface The interface var...

Page 700: ...tethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range gigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 service acl input blockcdp blockvtp blockdtp blockudld blockpagp blocksstp blockall Use the appropriate keyword or combination of keywords to block any or all of the following PDUs on the interface VTP DTP UDLD PAgP ...

Page 701: ...ts connected to ports 3 4 and 9 from being able to communicate with each other To configure the switch 1 Configure storm control for broadcast traffic on all physical interfaces console config interface range gi1 0 1 24 console config if storm control broadcast level 10 2 Configure LLPF to block PAgP and VTP PDUs on all physical interfaces console config if service acl blockpagp blockvtp console c...

Page 702: ... Mcast Ucast Ucast Intf Mode Level Mode Level Mode Level Gi1 0 1 Enable 10 Enable 5 Disable 5 console show service acl interface gi1 0 1 Protocol Mode CDP Disabled VTP Enabled DTP Disabled UDLD Disabled PAGP Enabled SSTP Disabled ALL Disabled console show switchport protected 0 Name clients Member Ports Gi1 0 1 Gi1 0 2 Gi1 0 3 Gi1 0 4 Gi1 0 9 ...

Page 703: ...2 multicast features on the switch help control network flooding of Ethernet multicast and IP multicast traffic by keeping track of multicast group membership What Are the Multicast Bridging Features The PowerConnect 7000 Series switches support bridge multicast filtering and bridge multicast forwarding For Ethernet multicast traffic the switch uses a database called the Layer 2 Multicast Forwardi...

Page 704: ...F Forward All Permits registered and unregistered multicast packets to forward What Is IP Multicast Traffic IP multicast traffic is traffic that is destined to a host group Host groups are identified by class D IP addresses which range from 224 0 0 0 to 239 255 255 255 When a packet with a broadcast or multicast destination IP address is received the switch will forward a copy into each of the rem...

Page 705: ...the IGMP querier However if the IP multicast traffic in a VLAN needs to be Layer 2 switched only an IP multicast router is not required The IGMP Snooping Querier can perform the IGMP snooping functions on the VLAN When the IGMP snooping querier is enabled the IGMP snooping querier sends out periodic IGMP queries that trigger IGMP report messages from the switch that wants to receive IP multicast t...

Page 706: ...ulticast group MVR eliminates the need to duplicate the multicast traffic when multicast group member ports belong to different VLANs MVR uses a dedicated multicast VLAN to forward multicast traffic over the L2 network Only one MVLAN can be configured per switch and it is used only for certain multicast traffic such as traffic from an IPTV application to avoid duplication of multicast streams for ...

Page 707: ... You configure the IP IPv6 multicast features if the switch functions as a multicast router that can route multicast traffic between VLAN routing interfaces In this case you must enable a multicast routing protocol on the switch such as PIM SM For information about L3 multicast features see Managing IPv4 and IPv6 Multicast on page 1137 If you enable IGMP Snooping on the switch to listen to IGMP tr...

Page 708: ...group membership information GVRP and GMRP use the same set of GARP Timers to specify the amount of time to wait before transmitting various GARP messages GMRP is similar to IGMP snooping in its purpose but IGMP snooping is more widely used GMRP must be running on both the host and the switch to function properly Default L2 Multicast Values All L2 multicast features are disabled by default Details...

Page 709: ...erval 60 seconds IGMP MLD snooping VLAN querier Disabled VLAN querier election participate mode Disabled Snooping Querier VLAN Address 0 0 0 0 MVR running Disabled MVR multicast VLAN 1 MVR max multicast groups 256 MVR Global query response time 5 tenths of a second MVR Mode Compatible GARP Leave Timer 60 centiseconds GARP Leave All Timer 1000 centiseconds GARP Join Timer 20 centiseconds GMRP Disab...

Page 710: ...erConnect 7000 Series switch For details about the fields on a page click at the top of the page Multicast Global Parameters Use the Multicast Global Parameters page to enable or disable bridge multicast filtering IGMP Snooping or MLD Snooping on the switch To display the Multicast Global Parameters page click Switching Multicast Support Global Parameters in the navigation menu Figure 25 1 Multica...

Page 711: ...ticast Group page click Switching Multicast Support Bridge Multicast Group in the navigation menu Figure 25 2 Bridge Multicast Group Understanding the Port and LAG Member Tables The Bridge Multicast Group tables display which Ports and LAGs are members of the multicast group and whether they re static S dynamic D or forbidden F The tables have two rows Static and Current Only the Static row is acc...

Page 712: ...iguring Bridge Multicast Address Groups To configure a bridge multicast group 1 From the Bridge Multicast Group page click Add The Add Bridge Multicast Group page displays Table 25 2 Port LAG IGMP Management Settings Port Control Definition D Dynamic Indicates that the port LAG was dynamically joined to the Multicast group displays in the Current row S Static Attaches the port to the Multicast gro...

Page 713: ...group IP or MAC address associated with the selected VLAN 4 In the Bridge Multicast Group tables assign a setting by clicking in the Static row for a specific port LAG Each click toggles between S F and blank not a member 5 Click Apply The bridge multicast address is assigned to the multicast group ports LAGs are assigned to the group with the Current rows being updated with the Static settings an...

Page 714: ...e check box 4 Click Apply The selected bridge multicast group is removed and the device is updated Bridge Multicast Forwarding Use the Bridge Multicast Forwarding page to enable attaching ports or LAGs to a switch that is attached to a neighboring Multicast switch Once IGMP Snooping is enabled multicast packets are forwarded to the appropriate port or VLAN To display the Bridge Multicast Forwardin...

Page 715: ...5 MRouter Status Use the MRouter Status page to display the status of dynamically learned multicast router interfaces To access this page click Switching Multicast Support MRouter Status in the navigation panel Figure 25 5 MRouter Status ...

Page 716: ... Switching Multicast Support IGMP Snooping General in the navigation menu Figure 25 6 General IGMP Snooping Modifying IGMP Snooping Settings for Multiple Ports LAGs or VLANs To modify the IGMP snooping settings 1 From the General IGMP snooping page click Show All The IGMP Snooping Table displays 2 Select the Edit checkbox for each Port LAG or VLAN to modify In Figure 25 7 ports 2 and 3 are to be m...

Page 717: ...g settings are modified and the device is updated Copying IGMP Snooping Settings to Multiple Ports LAGs or VLANs To copy IGMP snooping settings 1 From the General IGMP snooping page click Show All The IGMP Snooping Table displays 2 Select the Copy Parameters From checkbox 3 Select a Unit Port LAG or VLAN to use as the source of the desired parameters ...

Page 718: ...he Unit Ports LAGs or VLANs that these parameters will be copied to In Figure 25 8 the settings for port 3 will be copied to ports 4 and 5 and LAGs 1 and 2 Figure 25 8 Copy IGMP Snooping Settings 5 Click Apply The IGMP Snooping settings are modified and the device is updated ...

Page 719: ...ing querier settings such as the IP address to use as the source in periodic IGMP queries when no source address has been configured on the VLAN To display the Global Querier Configuration page click Switching Multicast Support IGMP Snooping Global Querier Configuration in the navigation menu Figure 25 9 Global Querier Configuration ...

Page 720: ...vidual VLANs To display the VLAN Querier page click Switching Multicast Support IGMP Snooping VLAN Querier in the navigation menu Figure 25 10 VLAN Querier Adding a New VLAN and Configuring its VLAN Querier Settings To configure a VLAN querier 1 From the VLAN Querier page click Add The page refreshes and the Add VLAN page displays ...

Page 721: ... Querier 2 Enter the VLAN ID and if desired an optional VLAN name 3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu 4 Specify the VLAN querier settings 5 Click Apply The VLAN Querier settings are modified and the device is updated ...

Page 722: ...722 Configuring L2 Multicast Features To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch click Show All Figure 25 12 Add VLAN Querier ...

Page 723: ... VLAN Querier Status page to view the IGMP Snooping Querier settings for individual VLANs To display the VLAN Querier Status page click Switching Multicast Support IGMP Snooping VLAN Querier Status in the navigation menu Figure 25 13 IGMP Snooping VLAN Querier Status ...

Page 724: ...age to view the multicast forwarding database MFDB IGMP Snooping Table and Forbidden Ports settings for individual VLANs To display the MFDB IGMP Snooping Table page click Switching Multicast Support IGMP Snooping MFDB IGMP Snooping Table in the navigation menu Figure 25 14 MFDB IGMP Snooping Table ...

Page 725: ...rs To access this page click Switching Multicast Support MLD Snooping General in the navigation panel Figure 25 15 MLD Snooping General Modifying MLD Snooping Settings for Multiple Ports LAGs or VLANs To configure MLD snooping 1 From the General MLD snooping page click Show All The MLD Snooping Table displays ...

Page 726: ... Select the Edit checkbox for each Port LAG or VLAN to modify 3 Edit the MLD Snooping fields as needed 4 Click Apply The MLD Snooping settings are modified and the device is updated Copying MLD Snooping Settings to Multiple Ports LAGs or VLANs To copy MLD snooping settings ...

Page 727: ...ts LAGs or VLANs that these parameters will be copied to 5 Click Apply The MLD Snooping settings are modified and the device is updated MLD Snooping Global Querier Configuration Use the MLD Snooping Global Querier Configuration page to configure the parameters for the MLD Snooping Querier To display the Global Querier Configuration page click Switching Multicast Support MLD Snooping Global Querier...

Page 728: ...To display the MLD Snooping VLAN Querier page click Switching Multicast Support MLD Snooping VLAN Querier in the navigation menu Figure 25 18 MLD Snooping VLAN Querier Adding a New VLAN and Configuring its MLD Snooping VLAN Querier Settings To configure an MLD snooping VLAN querier 1 From the VLAN Querier page click Add The page refreshes and the Add VLAN page displays ...

Page 729: ... name 3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu 4 Specify the VLAN querier settings 5 Click Apply The VLAN Querier settings are modified and the device is updated To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch click Show All Figure 25 20 Add VLAN Querier ...

Page 730: ... Use the VLAN Querier Status page to view the MLD Snooping Querier settings for individual VLANs To display the VLAN Querier Status page click Switching Multicast Support MLD Snooping VLAN Querier Status in the navigation menu Figure 25 21 MLD Snooping VLAN Querier Status ...

Page 731: ... MFDB MLD Snooping Table page to view the MFDB MLD Snooping Table settings for individual VLANs To display the MFDB MLD Snooping Table page click Switching Multicast Support MLD Snooping MFDB MLD Snooping Table in the navigation menu Figure 25 22 MFDB MLD Snooping Table ...

Page 732: ...ion Use the MVR Global Configuration page to enable the MVR feature and configure global parameters To display the MVR Global Configuration page click Switching MVR Configuration Global Configuration in the navigation panel Figure 25 23 MVR Global Configuration ...

Page 733: ...configure MVR group members To display the MVR Members page click Switching MVR Configuration MVR Members in the navigation panel Figure 25 24 MVR Members Adding an MVR Membership Group To add an MVR membership group 1 From the MVR Membership page click Add The MVR Add Group page displays ...

Page 734: ...ddress 3 Click Apply MVR Interface Configuration Use the MVR Interface Configuration page to enable MVR on a port configure its MVR settings and add the port to an MVR group To display the MVR Interface Configuration page click Switching MVR Configuration MVR Interface Configuration in the navigation panel ...

Page 735: ...5 26 MVR Interface Configuration To view a summary of the MVR interface configuration click Show All Figure 25 27 MVR Interface Summary Adding an Interface to an MVR Group To add an interface to an MVR group 1 From the MVR Interface page click Add ...

Page 736: ... the MVR group IP multicast address 4 Click Apply Removing an Interface from an MVR Group To remove an interface from an MVR group 1 From the MVR Interface page click Remove Figure 25 29 MVR Remove from Group 2 Select the interface to remove from an MVR group 3 Specify the IP multicast address of the MVR group 4 Click Apply ...

Page 737: ...eatures 737 MVR Statistics Use the MVR Statistics page to view MVR statistics on the switch To display the MVR Statistics page click Switching MVR Configuration MVR Statistics in the navigation panel Figure 25 30 MVR Statistics ...

Page 738: ...rs used by GVRP and GMRP on the switch To display the Timers page click Switching GARP Timers in the navigation panel Figure 25 31 GARP Timers Configuring GARP Timer Settings for Multiple Ports To configure GARP timers on multiple ports 1 Open the Timers page 2 Click Show All to display the GARP Timers Table ...

Page 739: ...icast Features 739 Figure 25 32 Configure STP Port Settings 3 For each port or LAG to configure select the check box in the Edit column in the row associated with the port 4 Specify the desired timer values 5 Click Apply ...

Page 740: ... the same settings as the port selected in the Copy Parameters From field 3 Click Apply to copy the settings GMRP Parameters Use the GMRP Parameters page to configure the administrative mode of GMRP on the switch and on each port or LAG To display the GMRP Parameters page click Switching GARP GMRP Parameters in the navigation panel Figure 25 33 GMRP Parameters Configuring GMRP Parameters on Multip...

Page 741: ...cast Features 741 Figure 25 34 GMRP Port Configuration Table 3 For each port or LAG to configure select the check box in the Edit column in the row associated with the port 4 Specify the desired timer values 5 Click Apply ...

Page 742: ...r LAGs list select the check box es in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field 3 Click Apply to copy the settings MFDB GMRP Table Use the MFDB GMRP Table page to view all of the entries in the Multicast Forwarding Database that were created for the GMRP To display the MFDB GMRP Table page click Switching GARP MFDB GMRP Table in the...

Page 743: ...able multicast static vlan vlan id mac multicast address ip multicast address Register a MAC layer Multicast address in the bridge table mac multicast address MAC multicast address in the format xxxx xxxx xxxx ip multicast address IP multicast address mac address table multicast static vlan vlan id mac multicast address ip multicast address add remove interface interface list Add ports and LAGs to...

Page 744: ... Prevent the switch from forwarding traffic with unregistered multicast addresses on the specified VLAN This command sets the forwarding mode to Filter Unregistered mac address table multicast forward all vlan vlan id Allow the switch to forward all multicast packets on the specified VLAN mac address table multicast forward unregistered vlan vlan id Allow the switch to forward packets with unregis...

Page 745: ... Specify the host time out value for the interface If an IGMP report for a multicast group is not received in the number of seconds specified by the time out value this interface is deleted from the member list of that multicast group ip igmp snooping leave time out time out immediate leave Specify the leave time out value for an interface If an IGMP report for a multicast group is not received wi...

Page 746: ...his VLAN is deleted from the member list of that multicast group ip igmp snooping maxresponse vlan id seconds Specify the leave time out value for the VLAN If an IGMP report for a multicast group is not received within the number of seconds configured with this command after an IGMP leave was received from a specific interface the current VLAN is deleted from the member list of that multicast grou...

Page 747: ...should use as the source address when generating periodic queries ip igmp snooping querier query interval interval count Set the IGMP snooping querier query interval time which is the amount of time in seconds that the switch waits before sending another periodic query The range is 1 1800 seconds ip igmp snooping querier timer expiry seconds Set the IGMP snooping querier timer expiration period Th...

Page 748: ... querier settings configured on the switch on all VLANs or on the specified VLAN Command Purpose configure Enter global configuration mode ipv6 mld snooping Enable MLD snooping on the switch interface interface Enter interface configuration mode for the specified port or LAG The interface variable includes the interface type and number for example gigabitethernet 1 0 3 For a LAG the interface type...

Page 749: ...multicast group without first sending out MAC based general queries to the interface ipv6 mld snooping mcrtrexpiretime seconds Specify the multicast router time out value for an interface This command sets the number of seconds to wait to age out an automatically learned multicast router port CTRL Z Exit to Privileged EXEC mode show ipv6 mld snooping View MLD snooping settings configured on the sw...

Page 750: ...on receiving an MLD leave message for that multicast group without first sending out MAC based general queries to the interface ipv6 mld snooping mcrtexpiretime vlan id seconds Specify the multicast router time out value for to associate with a VLAN This command sets the number of seconds to wait to age out an automatically learned multicast router port CTRL Z Exit to Privileged EXEC mode show ipv...

Page 751: ...ess when generating periodic queries ipv6 mld snooping querier query interval interval count Set the MLD snooping querier query interval time which is the amount of time in seconds that the switch waits before sending another periodic query The range is 1 1800 seconds ipv6 mld snooping querier timer expiry seconds Set the MLD snooping querier timer expiration period This is the time period in seco...

Page 752: ...mmediate Enable MVR immediate leave mode on the port mvr type source receiver Specify the MVR port type mvr vlan vlan id group mcast address Allow the port to participate in the specified MVR group The vlan id parameter is the ID of the MVR multicast VLAN CTRL Z Exit to Privileged EXEC mode show ip dhcp snooping interfaces View the DHCP snooping global and per port configuration show ip dhcp snoop...

Page 753: ...leave and 200 6000 for leaveall gmrp enable Enable GMRP globally on the switch interface interface Enter interface configuration mode for the specified port or LAG The interface variable includes the interface type and number for example gigabitethernet 1 0 3 For a LAG the interface type is port channel You can also specify a range of ports with the interface range command for example interface ra...

Page 754: ...P snooping functions on the VLAN if necessary The switch can send queries even if it is not the IGMP snooping querier and will use 0 0 0 0 as the source IP address This will not cause any disruption to the operation of external querier In this configuration an IP multicast router is not required The three hosts in Figure 25 36 are connected to ports that enabled for IGMP snooping and are members o...

Page 755: ...ing on VLAN 100 console config vlan ip igmp snooping 100 6 Enable the IGMP snooping querier on VLAN 100 console config vlan ip igmp snooping querier 100 console config vlan exit 7 Configure an IP address for VLAN 100 This address will be used as the IGMP snooping querier address if this switch becomes the querier console config interface vlan 100 console config if vlan100 ip address 192 168 10 2 2...

Page 756: ...Gi1 0 1 Gi1 0 2 Gi1 0 3 Gi1 0 24 Vlans enabled for IGMP snooping 100 console show ip igmp snooping querier vlan 100 Vlan 100 IGMP Snooping querier status IGMP Snooping Querier Vlan Mode Enable Querier Election Participate Mode Enable Querier Vlan Address 0 0 0 0 Operational State Querier Operational version 2 Operational Max Resp Time 1 After performing the configuration in this example Host A sen...

Page 757: ...n requests These ports are configured as MVR receiver ports so that they can be treated as members of VLAN 99 the multicast VLAN to receive multicast traffic Ports 1 and 2 are members of VLAN 10 and ports 8 and 9 are members of VLAN 20 Port 24 connects the switch to the rest of the LAN including the multicast router The switch is configured to operate in MVR dynamic mode This mode allows port 24 t...

Page 758: ...e range gi1 0 1 2 console config if switchport access vlan 10 console config if exit 3 Configure ports 8 and 9 as members of VLAN 20 console config interface range gi1 0 8 9 console config if switchport access vlan 20 console config if exit 4 Configure port 24 as a member of VLAN 99 console config interface gigabitethernet 1 0 24 console config if Gi1 0 24 switchport mode trunk Port 1 RP VLAN 10 V...

Page 759: ...console config if Gi1 0 1 mvr type receiver console config if Gi1 0 1 exit console config interface gigabitethernet 1 0 2 console config if Gi1 0 2 mvr console config if Gi1 0 2 mvr type receiver console config if Gi1 0 2 exit console config interface gigabitethernet 1 0 8 console config if Gi1 0 8 mvr console config if Gi1 0 8 mvr type receiver console config if Gi1 0 8 exit console config interf...

Page 760: ...query response time 5 tenths of sec MVR Mode dynamic When hosts connected to receiver ports send IGMP join messages the receiver ports and source port are added to the MVR group and receive multicast data from the network The following output shows that ports 1 and 8 have joined the MVR group console show mvr members MVR Group IP Status Members 224 1 1 1 ACTIVE Gi1 0 1 r Gi1 0 8 r Gi1 0 24 s ...

Page 761: ...f Ethernet as a Metropolitan and Wide Area Networking technology different operators often work together to provide end to end services to enterprise customers This has driven the need of a new set of OAM Operations Administration and Maintenance Protocols Service Level Connectivity Fault Management CFM is the OAM protocol provision for end to end service layer instances in carrier networks CFM pr...

Page 762: ... This scenario is a likely one since no operator has complete coverage of a large region A service instance would span the provider network covering one or more operators Every domain has its own network management system Dot1ag defines OAM services that operate across these domains the vertical arrow and within them the horizontal arrow Figure 26 1 Organization of Domains Entities at different le...

Page 763: ...nfigurable unique identifier MEPID in a maintenance domain MEPs periodically issue Continuity Check Messages CCM to discover each other and issue SNMP traps to report connectivity losses or malformed or incorrect CCMs A MEP can be defined as down MEP or an up MEP A down MEPs reside in a bridge that transmits CFM PDUs towards and receives them from the direction of the LAN An up MEP resides in a br...

Page 764: ...h a unique SVLAN ID An MA is identified by a maintenance association ID All MEPs in the MA are assigned the maintenance identifier MAID for the association An MD consists of one or more MAs at the same domain level Figure 26 3 depicts one provider level domain and two operator level domains Dot1ag operation for a service instance is indicated by the path that traverses the different domains to pro...

Page 765: ...he Administrator can also use utilities to troubleshoot connectivity faults when reported via SNMP traps All the domains within the customer domain should use different domain levels Configuration Tasks The administrator defines the maintenance domains by configuring the domain level from 0 7 and a name For each domain the administrator defines maintenance associations that are specified by a SVLA...

Page 766: ...lt and no maintenance domains associations or endpoints are configured by default Table 26 1 shows the global default values for Dot1ag When you configure an association between a VLAN and a maintenance domain the following default value applies When you associate endpoints with SVLAN IDs the following default values apply and are configurable Table 26 1 Dot1ag Global Defaults Parameter Default Va...

Page 767: ...e Dot1ag Global Configuration Use the Global Configuration page to enable and disable the Dot1ag admin mode and to configure the time after which inactive RMEP messages are removed from the MEP database To display the page click Switching Dot1ag Global Configuration in the tree view Figure 26 4 Dot1ag Global Configuration Dot1ag MD Configuration Use the MD Configuration page to configure maintenan...

Page 768: ...guration page to associate a maintenance domain level with one or more VLAN ID provide a name for each maintenance association MA and to set the interval between continuity check messages sent by MEPs for the MA To display the page click Switching Dot1ag MA Configuration in the tree view Figure 26 6 Dot1ag MA Configuration ...

Page 769: ...the top of the page Dot1ag MEP Configuration Use the MEP Configuration page to define switch ports as Management End Points MEPs are configured per domain and per VLAN To display the page click Switching Dot1ag MEP Configuration in the tree view Figure 26 7 Dot1ag MEP Configuration ...

Page 770: ...elected domain before you configure a MEP to be used within an MA see the MA Configuration page Dot1ag MIP Configuration Use the MIP Configuration page to define a switch port as an intermediate bridge for a selected domain To display the page click Switching Dot1ag MIP Configuration in the tree view Figure 26 8 Dot1ag MIP Configuration ...

Page 771: ...MEP Summary Use the RMEP Summary page to view information on remote MEPs that the switch has learned through CFM PDU exchanges with MEPs on the switch To display the page click Switching Dot1ag RMEP Summary in the tree view Figure 26 9 Dot1ag RMEP Summary ...

Page 772: ...MEP ID or by its MAC address To display the page click Switching Dot1ag L2 Ping in the tree view Figure 26 10 Dot1ag L2 Ping Dot1ag L2 Traceroute Use the L2 Traceroute page to generate a Link Trace message from a specified MEP The MEP can be specified by the MAC address or by the remote MEP ID To display the page click Switching Dot1ag L2 Traceroute in the tree view ...

Page 773: ...1 Dot1ag L2 Traceroute Dot1ag L2 Traceroute Cache Use the L2 Traceroute Cache page to view link traces retained in the link trace database To display the page click Switching Dot1ag L2 Traceroute Cache in the tree view Figure 26 12 Dot1ag L2 Traceroute Cache ...

Page 774: ...vity Fault Management Dot1ag Statistics Use the Statistics page to view Dot1ag information for a selected domain and VLAN ID To display the page click Switching Dot1ag Statistics in the tree view Figure 26 13 Dot1ag Statistics ...

Page 775: ...s connectivity fault management services ethernet cfm mep archive hold time time Set the time interval range 1 65535 seconds after which inactive RMEPs are removed ethernet cfm cc level level vlan vlan id interval 1 10 60 600 Configure the Continuity Check Message CCM transmit interval for the specified VLAN ethernet cfm domain name level level Create a maintenance domain MD by assigning a name an...

Page 776: ... Define the port as a maintenance endpoint MEP and associate it with an SVLAN in a domain When the MEP is enabled it will generate CCM messages ethernet cfm mep level level direction up down mpid mep id vlan vlan id Enable a MEP at the specified level and direction ethernet cfm mep active Set the administrative state of the MEP to active ethernet cfm mip level level Create a MIP at the specified l...

Page 777: ... a loopback message from the MEP with the specified MAC address ping ethernet cfm remote mpid mep id Generate a loopback message from the MEP with the specified MEP ID traceroute ethernet cfm mac mac addr Generate a Link Trace message from the MEP with the specified MAC address traceroute ethernet cfm remote mpid mep id Generate a Link Trace message from the MEP with the specified MEP ID show ethe...

Page 778: ...Customer Network To configure the switch 1 Enable CFM globally on the switch and then create a level 6 management domain named CustDom for end to end CFM on the Metro Ethernet network VLAN 200 is associated with this domain console config console config ethernet cfm enable console config ethernet cfm domain CustDom level 6 console config cfm mdomain service vlan vlan 200 console config cfm mdomain...

Page 779: ...enabled and activated as a MEP console config interface gigabitethernet 1 0 5 console config if Gi1 0 5 ethernet cfm mep level 6 direction down mpid 20 vlan 200 console config if Gi1 0 5 ethernet cfm mep enabled level 6 vlan 200 mpid 20 console config if Gi1 0 5 ethernet cfm mep active level 6 vlan 200 mpid 20 console config if Gi1 0 5 exit 3 On an intermediate switch configure the MIP for the cus...

Page 780: ...780 Configuring Connectivity Fault Management ...

Page 781: ...eb Configuring Traffic Snooping and Inspection CLI Traffic Snooping and Inspection Configuration Examples Traffic Snooping and Inspection Overview DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to filter harmful DHCP messages and to build a bindings database The IPSG and DAI features use the DHCP Snooping bindings database to help enforce swit...

Page 782: ... specified on individual physical ports or LAGS that are members of a VLAN When a port or LAG is configured as untrusted it could potentially be used to launch a network attack DHCP servers must be reached through trusted ports DHCP snooping enforces the following security rules DHCP packets from a DHCP server DHCPOFFER DHCPACK DHCPNAK DHCPRELEASEQUERY are dropped if they are received on an untrus...

Page 783: ...tatic bindings into the binding database When a switch learns of new bindings or loses bindings the switch immediately updates the entries in the database The switch also updates the entries in the binding file The frequency at which the file is updated is based on a configurable delay and the updates are batched If the absolute lease time of the snooping database entry expires that entry is remov...

Page 784: ... and VLAN with the client interface and VLAN in the bindings database If the interfaces do not match the application logs the event and drops the message For valid client messages DHCP snooping compares the source MAC address to the DHCP client hardware address When there is a mismatch DHCP snooping drops the packet and generates a log message if logging of invalid packets is enabled If DHCP relay...

Page 785: ...rols source MAC address learning in the layer 2 forwarding database MAC address table When a frame is received with a previously unlearned source MAC address port security queries the IPSG feature to determine whether the MAC address belongs to a valid binding If IPSG is disabled on the ingress port IPSG replies that the MAC is valid If IPSG is enabled on the ingress port IPSG checks the bindings ...

Page 786: ...on the interfaces physical ports or LAGs that are members of that VLAN Individual interfaces are configured as trusted or untrusted The trust configuration for DAI is independent of the trust configuration for DHCP snooping Optional DAI Features If the network administrator has configured the option DAI verifies that the sender MAC address equals the source MAC address in the Ethernet header There...

Page 787: ...information from the rogue DHCP server However if the workstation with the rogue DHCP server is connected to a port that is configured as untrusted and is a member of a DHCP Snooping enabled VLAN the port discards the DHCP server messages Default Traffic Snooping and Inspection Values DHCP snooping is disabled globally and on all VLANs by default Ports are untrusted by default Table 27 1 Traffic S...

Page 788: ...P Disabled DAI trust state Disabled untrusted DAI Rate limit 15 packets per second DAI Burst interval 1 second DAI mode Disabled on all VLANs DAI logging invalid packets Disabled DAI ARP ACL None configured DAI Static flag Disabled validation by ARP ACL and DHCP snooping binding database Table 27 1 Traffic Snooping Defaults Continued Parameter Default Value ...

Page 789: ...ct 7000 Series switch For details about the fields on a page click at the top of the page DHCP Snooping Configuration Use the DHCP Snooping Configuration page to control the DHCP Snooping mode on the switch and to specify whether the sender MAC Address for DHCP Snooping must be validated To access the DHCP Snooping Configuration page click Switching DHCP Snooping Global Configuration in the naviga...

Page 790: ...nooping Interface Configuration page to configure the DHCP Snooping settings on individual ports and LAGs To access the DHCP Snooping Interface Configuration page click Switching DHCP Snooping Interface Configuration in the navigation panel Figure 27 3 DHCP Snooping Interface Configuration ...

Page 791: ...Snooping and Inspecting Traffic 791 To view a summary of the DHCP snooping configuration for all interfaces click Show All Figure 27 4 DHCP Snooping Interface Configuration Summary ...

Page 792: ...ion Use the DHCP Snooping VLAN Configuration page to control the DHCP snooping mode on each VLAN To access the DHCP Snooping VLAN Configuration page click Switching DHCP Snooping VLAN Configuration in the navigation panel Figure 27 5 DHCP Snooping VLAN Configuration ...

Page 793: ...Snooping and Inspecting Traffic 793 To view a summary of the DHCP snooping status for all VLANs click Show All Figure 27 6 DHCP Snooping VLAN Configuration Summary ...

Page 794: ...bindings database can be stored locally on the switch or on a remote system somewhere else in the network The switch must be able to reach the IP address of the remote system to send bindings to a remote database To access the DHCP Snooping Persistent Configuration page click Switching DHCP Snooping Persistent Configuration in the navigation panel Figure 27 7 DHCP Snooping Persistent Configuration...

Page 795: ...ooping Static Bindings Configuration page to add static DHCP bindings to the binding database To access the DHCP Snooping Static Bindings Configuration page click Switching DHCP Snooping Static Bindings Configuration in the navigation panel Figure 27 8 DHCP Snooping Static Bindings Configuration ...

Page 796: ...Traffic To view a summary of the DHCP snooping status for all VLANs click Show All Figure 27 9 DHCP Snooping Static Bindings Summary To remove a static binding select the Remove checkbox associated with the binding and click Apply ...

Page 797: ... Dynamic Bindings Summary lists all the DHCP snooping dynamic binding entries learned on the switch ports To access the DHCP Snooping Dynamic Bindings Summary page click Switching DHCP Snooping Dynamic Bindings Summary in the navigation panel Figure 27 10 DHCP Snooping Dynamic Bindings Summary ...

Page 798: ...nooping Statistics The DHCP Snooping Statistics page displays DHCP snooping interface statistics To access the DHCP Snooping Statistics page click Switching DHCP Snooping Statistics in the navigation panel Figure 27 11 DHCP Snooping Statistics ...

Page 799: ...uration Use the IPSG Interface Configuration page to configure IPSG on an interface To access the IPSG Interface Configuration page click Switching IP Source Guard IPSG Interface Configuration in the navigation panel Figure 27 12 IPSG Interface Configuration ...

Page 800: ...ation Use the IPSG Binding Configuration page displays DHCP snooping interface statistics To access the IPSG Binding Configuration page click Switching IP Source Guard IPSG Binding Configuration in the navigation panel Figure 27 13 IPSG Binding Configuration ...

Page 801: ...page displays the IPSG Static binding list and IPSG dynamic binding list the static bindings configured in Binding configuration page To access the IPSG Binding Summary page click Switching IP Source Guard IPSG Binding Summary in the navigation panel Figure 27 14 IPSG Binding Summary ...

Page 802: ...iguration Use the DAI Configuration page to configure global DAI settings To display the DAI Configuration page click Switching Dynamic ARP Inspection Global Configuration in the navigation panel Figure 27 15 Dynamic ARP Inspection Global Configuration ...

Page 803: ...terface for which information is to be displayed or configured To display the DAI Interface Configuration page click Switching Dynamic ARP Inspection Interface Configuration in the navigation panel Figure 27 16 Dynamic ARP Inspection Interface Configuration To view a summary of the DAI status for all interfaces click Show All ...

Page 804: ...804 Snooping and Inspecting Traffic Figure 27 17 DAI Interface Configuration Summary ...

Page 805: ...s to be displayed or configured To display the DAI VLAN Configuration page click Switching Dynamic ARP Inspection VLAN Configuration in the navigation panel Figure 27 18 Dynamic ARP Inspection VLAN Configuration To view a summary of the DAI status for all VLANs click Show All Figure 27 19 Dynamic ARP Inspection VLAN Configuration Summary ...

Page 806: ...figuration Use the DAI ACL Configuration page to add or remove ARP ACLs To display the DAI ACL Configuration page click Switching Dynamic ARP Inspection ACL Configuration in the navigation panel Figure 27 20 Dynamic ARP Inspection ACL Configuration ...

Page 807: ...n ACL Summary To remove an ARP ACL select the Remove checkbox associated with the ACL and click Apply DAI ACL Rule Configuration Use the DAI ARP ACL Rule Configuration page to add or remove DAI ARP ACL Rules To display the DAI ARP ACL Rule Configuration page click Switching Dynamic ARP Inspection ACL Rule Configuration in the navigation panel ...

Page 808: ... ARP Inspection Rule Configuration To view a summary of the ARP ACL rules that have been created click Show All Figure 27 23 Dynamic ARP Inspection ACL Rule Summary To remove an ARP ACL rule select the Remove checkbox associated with the rule and click Apply ...

Page 809: ...9 DAI Statistics Use the DAI Statistics page to display the statistics per VLAN To display the DAI Statistics page click Switching Dynamic ARP Inspection Statistics in the navigation panel Figure 27 24 Dynamic ARP Inspection Statistics ...

Page 810: ...ping log invalid Enable the logging of DHCP messages filtered by the DHCP Snooping application ip dhcp snooping binding mac address vlan vlan id ip address interface interface Configure a static binding in the DHCP snooping static bindings database mac address The client s MAC address vlan id The number of the VLAN the client is authorized to use ip address The IP address of the client interface T...

Page 811: ...terfaces 8 9 10 11 and 12 ip dhcp snooping trust Configure the interface or range of interfaces as a trusted port DHCP server messages are not filtered on trusted ports exit Exit to Global Configuration mode interface range vlan vlan id Enter interface configuration mode for the specified VLAN or range of VLANs ip dhcp snooping Enable DHCP snooping on the VLAN s CTRL Z Exit to Privileged EXEC mode...

Page 812: ... in the packet is not in the DHCP snooping binding database Use the option port security keyword to also prevent packet forwarding if the sender MAC address is not in forwarding database table or the DHCP snooping binding database NOTE To enforce filtering based on the source MAC address port security must also be enabled on the interface by using the port security command in Interface Configurati...

Page 813: ...d For example if a command enables source MAC address and destination validations and a second command enables IP address validation only the source MAC address and destination MAC address validations are disabled as a result of the second command src mac For validating the source MAC address of an ARP packet dst mac For validating the destination MAC address of an ARP packet ip For validating the...

Page 814: ...ace Use the keyword none to specify that the interface is not rate limited for Dynamic ARP Inspection none To set no rate limit pps Packets per second Range 0 300 seconds The number of seconds Range 1 15 ip arp inspection trust Specify that the interface as trusted for Dynamic ARP Inspection CTRL Z Exit to Privileged EXEC mode show ip arp inspection interfaces interface View the Dynamic ARP Inspec...

Page 815: ...ith a rate limit of 100 packets per second LAG 1 which is also a member of VLAN 100 and contains ports 21 24 is the trunk port that connects the switch to the data center so it is configured as a trusted port Figure 27 25 DHCP Snooping Configuration Topology The commands in this example also enforce rate limiting and remote storage of the bindings database The switch has a limited amount of storag...

Page 816: ... per second LAG 1 is a trusted port and keeps the default value for rate limiting unlimited console config interface range gi1 0 1 20 console config if ip dhcp snooping limit rate 100 console config if exit 4 Specify that the DHCP snooping database is to be stored remotely in a file called dsDb txt on a TFTP server with and IP address of 10 131 11 1 console config ip dhcp snooping database tftp 10...

Page 817: ...configure the switch 1 Enter interface configuration mode for the host ports and enable IPSG console config interface range gi1 0 1 20 console config if ip verify source port security 2 Enable port security on the ports console config if port security 3 View IPSG information console show ip verify source More or q uit Interface Filter IP Address MAC Address Vlan Gi1 0 1 ip mac 192 168 3 45 00 1C 2...

Page 818: ...818 Snooping and Inspecting Traffic ...

Page 819: ...at the LAG as if it is a single link The PowerConnect 7000 Series switches support industry standard LAGs that adhere to the IEEE 802 3ad specification A switch stack can support up to 96 static LAGs and 18 of the LAGs can be dynamic Each LAG can consist of up to eight 1 Gbps or eight 10 Gbps ports When eight Gigabit Ethernet ports are configured as a LAG the maximum bandwidth for the single logic...

Page 820: ...and Dynamic Link Aggregation Link aggregation can be configured as either dynamic or static Dynamic configuration is supported using the IEEE 802 3ad standard which is known as Link Aggregation Control Protocol LACP Static configuration is used when connecting a PowerConnect 7000 Series switch to an external Gigabit Ethernet switch that does not support LACP One advantage of LACP is that the proto...

Page 821: ...ng set of packet attributes to be used for hash computation Source MAC VLAN EtherType and incoming port Destination MAC VLAN EtherType and incoming port Source IP and Source TCP UDP port numbers Destination IP and Destination TCP UDP port numbers Source Destination MAC VLAN EtherType and incoming port Source Destination IP and Source Destination TCP UDP port numbers Enhanced hashing mode Enhanced ...

Page 822: ... be configured when it s a member of a LAG However this configuration is only actually applied when the port leaves the LAG The LAG interface can be a member of a VLAN complying with IEEE 802 1Q STP Spanning tree does not maintain state for members of a LAG but the Spanning Tree does maintain state for the LAG interface As far as STP is concerned members of a LAG do not exist Internally the STP st...

Page 823: ...me speed and must be in full duplex mode The port cannot be a mirrored port The following are the interface restrictions The configured speed of a LAG member cannot be changed An interface can be a member of only one LAG Default Link Aggregation Values The LAGs on the switch are created by default but no ports are members Table 28 1 summarizes the default values for the MAC address table Table 28 ...

Page 824: ... and monitoring LAGs on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page LAG Configuration Use the LAG Configuration page to set the name and administrative status up down of a LAG To display the LAG Configuration page click Switching Ports LAG Configuration in the navigation panel Figure 28 2 LAG Configuration ...

Page 825: ...the LACP Parameters page to configure LACP LAGs To display the LACP Parameters page click Switching Link Aggregation LACP Parameters in the navigation panel Figure 28 3 LACP Parameters Configuring LACP Parameters for Multiple Ports To configure LACP settings 1 Open the LACP Parameters page 2 Click Show All The LACP Parameters Table page displays ...

Page 826: ...onfiguring Link Aggregation Figure 28 4 LACP Parameters Table 3 Select the Edit check box associated with each port to configure 4 Specify the LACP port priority and LACP timeout for each port 5 Click Apply ...

Page 827: ...ership in the navigation panel Figure 28 5 LAG Membership Adding a Port to a Static LAG To add a static LAG member 1 Open the LAG Membership page 2 Click in the LAG row to toggle the port to the desired LAG The LAG number displays for that port The LAG number increases each time you click until the number reaches the maximum LAG number and then returns to blank no LAG assigned 3 Click Apply The po...

Page 828: ...t is added as a dynamic LAG member to the selected LAG LAG Hash Configuration Use the LAG hash algorithm to set the traffic distribution mode on the LAG You can set the hash type for each LAG To display the LAG Hash Configuration page click Switching Link Aggregation LAG Hash Configuration in the navigation panel Figure 28 6 LAG Hash Configuration NOTE The port must be assigned to a LAG before it ...

Page 829: ...ummary The LAG Hash Summary page lists the channels on the system and their assigned hash algorithm type To display the LAG Hash Summary page click Switching Link Aggregation LAG Hash Summary in the navigation panel Figure 28 7 LAG Hash Summary ...

Page 830: ...face configuration mode for the specified LAG The interface variable includes the interface type which is port channel and the LAG number for example port channel 3 You can also specify a range of LAGs with the interface range port channel command for example interface range port channel 3 6 configures LAGs 3 4 5 and 6 description description Configure a description for the LAG or range of LAGs po...

Page 831: ...0 8 12 configures interfaces 8 9 10 11 and 12 channel group port channel number mode on auto Add the port s to the LAG specified with the port channel number value Use the auto keyword to add the port s as dynamic members or use on to specify that the LAG membership is static port channel number Number of a valid port channel for the current port to join on Forces the port to join a channel withou...

Page 832: ... ID 3 Source IP and source TCP UDP port 4 Destination IP and destination TCP UDP port 5 Source destination MAC VLAN EtherType and source MODID port 6 Source destination IP and source destination TCP UDP port 7 Enhanced hashing mode CTRL Z Exit to Privileged EXEC mode show interfaces port channel port channel number View LAG information for the specified LAG or for all LAGs show statistics port cha...

Page 833: ...LAG You can also specify a range of LAGs to configure with the interface range port channel command for example interface range port channel 1 3 10 configures LAGs 1 2 3 and 10 lacp port priority value Set the Link Aggregation Control Protocol priority for the port or range of ports The priority value range is 1 65535 lacp timeout long short Specify whether to wait a long or short time between LAC...

Page 834: ...nfiguration mode for the ports that are to be configured as LAG members console config interface range gi1 0 1 3 gi1 0 6 7 2 Add the ports to LAG 2 without LACP console config if channel group 1 mode auto 3 View information about LAG 1 console show interfaces port channel 1 NOTE The examples in this section show the configuration of only one switch Because LAGs involve physical links between two s...

Page 835: ... switch 1 Enter interface configuration mode for the ports that are to be configured as LAG members console config interface range gi1 0 10 12 gi1 0 14 gi1 0 17 2 Add the ports to LAG 2 without LACP console config if channel group 2 mode on 3 View information about LAG 2 console show interfaces port channel 2 Channel Ports Hash Algorithm min links Po2 Inactive Gi1 0 10 Gi1 0 11 Gi1 0 12 Gi1 0 14 G...

Page 836: ...836 Configuring Link Aggregation ...

Page 837: ...ss Table Populated The MAC address table can contain two types of addresses Static The address has been manually configured and does not age out Dynamic The address has been automatically learned by the switch and can age out when it is not in use Static addresses are configured by the administrator and added to the table Dynamic addresses are learned by examining information in the Ethernet frame...

Page 838: ...ress can be associated with multiple VLANs How Is the MAC Address Table Maintained Across a Stack The MAC address table is synchronized across all stack members When a member joins the stack its previous MAC address table is overwritten by the table maintained by the stack Default MAC Address Table Values Table 29 1 summarizes the default values for the MAC address table Table 29 1 MAC Address Tab...

Page 839: ...e top of the page Static Address Table Use the Static Address Table page to view MAC addresses that have been manually added to the MAC address table and to configure static MAC addresses To display the Static Address Table page click Switching Address Tables Static Address Table in the navigation panel Figure 29 1 Static MAC Address Adding a Static MAC Address To add a static MAC address 1 Open t...

Page 840: ...9 2 Adding Static MAC Address 3 Select the interface to associate with the static address 4 Specify the MAC address and an associated VLAN ID 5 Click Apply The new static address is added to the Static MAC Address Table and the device is updated ...

Page 841: ... VLAN and table sorting key Packets forwarded to an address stored in the address table are forwarded directly to those ports The Dynamic Address Table also contains information about the aging time before a dynamic MAC address is removed from the table To display the Dynamic Address Table click Switching Address Tables Dynamic Address Table in the navigation panel Figure 29 3 Dynamic Address Tabl...

Page 842: ...ce type and number mac address table aging time 0 10 1000000 Specify the number of seconds that must pass before an unused dynamically learned MAC address is removed from the MAC address table A value of 0 disables the aging time for the MAC address table exit Exit to Privileged EXEC mode show mac address table static dynamic View information about the entries in the MAC address table Use the keyw...

Page 843: ...ter For a configuration example that includes tunnel and loopback interface creation see Interconnecting an IPv4 Backbone and Local IPv6 Network on page 1000 Routing Interface Overview Routing interfaces are logical interfaces that can be configured with an IP address Routing interfaces provide a means of transmitting IP packets between subnets on the network What Are VLAN Routing Interfaces VLANs...

Page 844: ...ysical networks or when additional segmentation or security is required What Are Loopback Interfaces A loopback interface is a logical interface that is always up and because it cannot go down allows the switch to have a stable IP address that other network devices and protocols can use to reach the switch The loopback can provide the source address for sent packets The loopback interface does not...

Page 845: ...ine the endpoint of the tunnel from the destination address of packets routed into the tunnel These tunnels correspond to Non Broadcast Multi Access NBMA interfaces A configured tunnel interface has a single tunnel associated with it while an automatic tunnel interface has an infinite number of tunnels limited only by the address encoding scheme Because tunnels are used as logical interfaces you c...

Page 846: ...ter VLAN routing Figure 30 1 Inter VLAN Routing Loopback Interfaces When packets are sent to the loopback IP address the network should be able to deliver the packets as long as any physical interface on the switch is up There are many cases where you need to send traffic to a switch such as in switch management The loopback interface IP address is a good choice for communicating with the switch i...

Page 847: ...arameters are not applicable to loopback interfaces so you cannot change the default values However when you create a loopback interface the default values are similar to those of VLAN routing interfaces as Table 30 1 shows Is this true the show interface loopback command lists all these features and values but it looks like there is no way to configure them When you create a tunnel it has the def...

Page 848: ...48 Configuring Routing Interfaces Table 30 2 Tunnel Interface Defaults Parameter Default Value Tunnel mode 6 in 4 configured Link Local Only Mode Disabled Source address None Destination address 0 0 0 0 ...

Page 849: ...00 Series switch For details about the fields on a page click at the top of the page IP Interface Configuration Use the IP Interface Configuration page to update IP interface data for this switch The IP interface configuration includes the ability to configure the bandwidth Destination Unreachable messages and ICMP Redirect messages To display the page click Routing IP IP Interface Configuration i...

Page 850: ...o an interface by the DHCP server To display the page click Routing IP DHCP Lease Parameters in the navigation panel Figure 30 3 DHCP Lease Parameters VLAN Routing Summary Use the VLAN Routing Summary page to view summary information about VLAN routing interfaces configured on the switch To display the page click Routing VLAN Routing Summary in the navigation panel ...

Page 851: ...gure 30 4 VLAN Routing Summary Tunnel Configuration Use the Tunnels Configuration page to create configure or delete a tunnel To display the page click Routing Tunnels Configuration in the navigation panel Figure 30 5 Tunnel Configuration ...

Page 852: ...ring Routing Interfaces Tunnels Summary Use the Tunnels Summary page to display a summary of configured tunnels To display the page click Routing Tunnels Summary in the navigation panel Figure 30 6 Tunnels Summary ...

Page 853: ...oopbacks Configuration page to create configure or remove loopback interfaces You can also set up or delete a secondary address for a loopback To display the page click Routing Loopbacks Loopbacks Configuration in the navigation panel Figure 30 7 Loopback Configuration ...

Page 854: ...s Loopbacks Summary Use the Loopbacks Summary page to display a summary of configured loopback interfaces on the switch To display the page click Routing Loopbacks Loopbacks Summary in the navigation panel Figure 30 8 Loopbacks Summary ...

Page 855: ...ord to enable the DHCP client and obtain an IP address from a network DHCP server Use none to release the address obtained from the DHCP server Use ip_address and subnet_mask to assign a static IP address If you configure a static address you can use the secondary keyword to specify that the address is a secondary IP address ip netdirbcast Enable the forwarding of network directed broadcasts encap...

Page 856: ...chable messages in response to packets received on the interface ip redirects Allow the switch to send ICMP Redirect messages in response to packets received on the interface exit Exit to Global Config mode ip default gateway ip_address Configure the default gateway All switch interfaces use the same default gateway exit Exit to Privileged EXEC mode show dhcp lease interface interface View informa...

Page 857: ...loopback id Create the loopback interface and enter Interface Configuration mode for the specified loopback interface ip address ip_address subnet_mask secondary Configure a static IP address and subnet mask Use the secondary keyword to specify that the address is a secondary IP address CTRL Z Exit to Privileged EXEC mode show ip interface loopback loopback id View interface configuration informat...

Page 858: ...tunnel tunnel mode ipv6ip 6to4 Specify the mode of the tunnel If you use the 6to4 keyword the tunnel is an automatic tunnel If you omit the keyword the tunnel is a point to point configured tunnel ipv6 enable Enable IPv6 on this interface using the Link Local address tunnel source ipv4addr vlan vlan id Specify the source transport address of the tunnel either which can be an IPv4 address or a VLAN...

Page 859: ...P is generally used between clients and servers for the purpose of assigning IP addresses gateways and other network settings such as DNS and SNTP server information How Does DHCP Work When a host connects to the network the host s DHCP client broadcasts a message requesting information from any DHCP server that receives the broadcast One or more DHCP servers respond to the request The response in...

Page 860: ...vers and so on When a client broadcasts a request for information the request includes the option codes that correspond to the information the client wants the DHCP server to supply The Web pages and CLI commands to configure DHCP server settings include many predefined options for the information that is most commonly requested by DHCP clients For example DHCP client discover requests typically i...

Page 861: ...guration on individual ports link aggregation groups LAGs and VLANs For information about Layer 2 and Layer 3 DHCP Relay see Configuring L2 and L3 Relay Features on page 907 DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server It filters harmful DHCP messages and builds a bindings database of MAC address IP address VLAN ID port tuples that are speci...

Page 862: ...ct 7000 Series switch For details about the fields on a page click at the top of the page DHCP Server Network Properties Use the Network Properties page to define global DHCP server settings and to configure addresses that are not included in any address pools To display the Network Properties page click Routing IP DHCP Server Network Properties in the navigation panel Figure 31 2 DHCP Server Netw...

Page 863: ...ld is the only address to exclude or if the excluded addresses are non contiguous leave the To field as the default value of 0 0 0 0 Otherwise enter the last IP address to excluded from a contiguous range of IP addresses In Figure 31 3 the From field contains the IP address 192 168 2 1 and the To field contains the IP address 192 168 2 5 This means that the following IP addresses are not available...

Page 864: ...e Excluded Addresses page 3 Select the check box next to the address or address range to delete Figure 31 4 Delete Excluded Addresses 4 Click Apply Address Pool Use the Address Pool page to create the pools of IP addresses and other network information that can be assigned by the server To display the Address Pool page click Routing IP DHCP Server Address Pool in the navigation panel ...

Page 865: ...twork Pool to display the Add Network Pool page 3 Assign a name to the pool and complete the desired fields In Figure 31 6 the network pool name is Engineering and the address pool contains all IP addresses in the 192 168 5 0 subnet which means a client that receives an address from the DHCP server might lease an address in the range of 192 168 5 1 to 192 168 5 254 ...

Page 866: ...the primary and secondary DNS servers 4 Click Apply Adding a Static Pool To create and configure a static pool of IP addresses 1 Open the Address Pool page 2 Click Add Static Pool to display the Add Static Pool page 3 Assign a name to the pool and complete the desired fields NOTE The IP address 192 168 5 1 should be added to the global list of excluded addresses so that it is not leased to a clien...

Page 867: ...d the name of the client in the pool is LabHost1 The client s MAC address is mapped to the IP address 192 168 11 54 the default gateway is 192 168 11 1 and the DNS servers the client will use have IP addresses of 192 168 5 100 and 192 168 2 5 Figure 31 7 Add Static Pool 4 Click Apply ...

Page 868: ...Server Address Pool Options in the navigation panel Figure 31 8 Address Pool Options Defining DHCP Options To configure DHCP options 1 Open the Address Pool page 2 Select the Add Options check box 3 Select the check box that corresponds to the value type ASCII Hexadecimal or IP address 4 Specify the value s in the corresponding field Figure 31 9 shows an example of adding the SMTP server IP addres...

Page 869: ...Configuring DHCP Server Settings 869 Figure 31 9 Add DHCP Option 5 Click Apply 6 To verify that the option has been added to the address pool open the Address Pool Options page ...

Page 870: ...l Options DHCP Bindings Use the DHCP Bindings page to view information about the clients that have leased IP addresses from the DHCP server To display the DHCP Bindings page click Routing IP DHCP Server DHCP Bindings in the navigation panel Figure 31 11 DHCP Bindings ...

Page 871: ... clear the client bindings for one or more clients You can also reset bindings for clients that have leased an IP address that is already in use on the network To display the Reset Configuration page click Routing IP DHCP Server Reset Configuration in the navigation panel Figure 31 12 Reset DHCP Bindings ...

Page 872: ...cts Information page to view information about clients that have leased an IP address that is already in use on the network To display the Conflicts Information page click Routing IP DHCP Server Conflicts Information in the navigation panel Figure 31 13 DHCP Server Conflicts Information ...

Page 873: ...ver Statistics page to view general DHCP server statistics messages received from DHCP clients and messages sent to DHCP clients To display the Server Statistics page click Routing IP DHCP Server Server Statistics in the navigation panel Figure 31 14 DHCP Server Statistics ...

Page 874: ...rvice dhcp Enable the DHCP server ip dhcp ping packets Specify the number in a range from 2 10 of packets a DHCP server sends to a pool address as part of a ping operation ip dhcp conflict logging Enable conflict logging on DHCP server ip dhcp bootp automatic Enable the allocation of the addresses to the BootP client ip dhcp excluded address lowaddress highaddress Specify the IP addresses that a D...

Page 875: ... infinite Specify the duration of the lease for an IP address that is assigned from a DHCP server to a DHCP client duration Days the lease is valid You can optionally specify the hours and minutes after specifying the days infinite 60 day lease default router address1 address2 address8 Specify the list of default gateway IP addresses to be assigned to the DHCP client dns server address1 address2 a...

Page 876: ... hexadecimal format type Indicates the protocol of the hardware platform It is 1 for Ethernet and 6 for IEEE 802 client identifier uniqueidentifier Specify the unique identifier for a DHCP client The unique identifier is a valid notation in hexadecimal format In some systems such as Microsoft DHCP clients the client identifier is required instead of hardware addresses The unique identifier is a co...

Page 877: ...o Privileged EXEC mode show ip dhcp pool configuration name all View the settings for the specified address pool or for all configured address pools Command Purpose show ip dhcp binding address View the current binding information in the DHCP server database Specify the IP address to view a specific binding clear ip dhcp binding address Delete an automatic address binding from the DHCP server data...

Page 878: ... and enter into DHCP pool configuration mode for the pool console configure console config ip dhcp pool Engineering 2 Specify the IP addresses that are available in the pool console config dhcp pool network 192 168 5 0 255 255 255 0 3 Specify the IP address to use as the default gateway console config dhcp pool default router 192 168 5 1 4 Specify the primary and secondary DNS servers the hosts wi...

Page 879: ...uration Service DHCP Enable Number of Ping Packets 2 Excluded Address 192 168 2 1 to 192 168 2 20 1 2 2 2 to 1 5 5 5 192 168 5 1 to 192 168 5 20 192 168 5 100 to 192 168 5 100 Conflict Logging Enable Bootp Automatic Disable 9 View information about all configured address pools console show ip dhcp pool configuration all Pool Engineering Pool Type Network Network 192 168 5 0 255 255 255 0 Lease Tim...

Page 880: ... the IP addresses that are available in the pool console config dhcp pool hardware address 00 1C 23 55 E9 F3 3 Specify the IP address and subnet mask to assign to the client console config dhcp pool host 192 168 2 10 255 255 255 0 4 Specify the IP address to use as the default gateway console config dhcp pool default router 192 168 2 1 5 Specify the primary and secondary DNS servers the hosts will...

Page 881: ...configuration Tyler PC Pool Tyler PC Pool Type Static Client Name TylerPC Hardware Address 00 1c 23 55 e9 f3 Hardware Address Type ethernet Host 192 168 2 10 255 255 255 0 Lease Time 1 days 0 hrs 0 mins DNS Servers 192 168 2 101 Default Routers 192 168 2 1 Domain Name executive dell com Option 69 ip 192 168 1 33 ...

Page 882: ...882 Configuring DHCP Server Settings ...

Page 883: ...ort static and dynamic routing Table 32 1 describes some of the general routing features that you can configure on the switch Table 32 1 IP Routing Features Feature Description ICMP message control You can configure the type of ICMP messages that the switch responds to as well as the rate limit and burst size Default gateway The switch supports a single default gateway A manually configured defaul...

Page 884: ...d a packet if the routing table does not contain a longer matching prefix for the packet s destination Static A static route is a route that you manually add to the routing table Static Reject Packets that match a reject route are discarded instead of forwarded The router may send an ICMP Destination Unreachable message Route preferences The common routing table collects static local and dynamic r...

Page 885: ...ects Enabled ICMP Rate Limit Interval 1000 milliseconds ICMP Rate Limit Burst Size 100 Maximum Next Hops 4 Global Default Gateway None Dynamic ARP Entry Age Time 1200 seconds Automatic Renewal of Dynamic ARP Entries Disabled ARP Response Timeout 1 second ARP Retries 4 Maximum Static ARP Entries 128 IRDP Advertise Mode Disabled IRDP Advertise Address 224 0 0 1 IRDP Maximum Advertise Interval 600 se...

Page 886: ...uring IP Routing Route Preference Values Preference values are as follows Local 0 Static 1 OSPF Intra 110 OSPF Inter 110 OSPF External 110 RIP 120 Table 32 2 IP Routing Defaults Continued Parameter Default Value ...

Page 887: ...7000 Series switch For details about the fields on a page click at the top of the page IP Configuration Use the Configuration page to configure routing parameters for the switch as opposed to an interface The IP configuration settings allow you to enable or disable the generation of various types of ICMP messages To display the page click Routing IP Configuration in the navigation panel Figure 32 ...

Page 888: ...iguring IP Routing IP Statistics The IP statistics reported on the Statistics page are as specified in RFC 1213 To display the page click Routing IP Statistics in the navigation panel Figure 32 2 IP Statistics ...

Page 889: ...ring IP Routing 889 ARP Create Use the Create page to add a static ARP entry to the Address Resolution Protocol table To display the page click Routing ARP Create in the navigation panel Figure 32 3 ARP Create ...

Page 890: ...ation page to change the configuration parameters for the Address Resolution Protocol Table You can also use this screen to display the contents of the table To display the page click Routing ARP Table Configuration in the navigation panel Figure 32 4 ARP Table Configuration ...

Page 891: ...er Discovery Configuration Use the Configuration page to enter or change router discovery parameters To display the page click Routing Router Discovery Configuration in the navigation panel Figure 32 5 Router Discovery Configuration ...

Page 892: ...Routing Router Discovery Status Use the Status page to display router discovery data for each interface To display the page click Routing Router Discovery Status in the navigation panel Figure 32 6 Router Discovery Status ...

Page 893: ...iguring IP Routing 893 Route Table Use the Route Table page to display the contents of the routing table To display the page click Routing Router Route Table in the navigation panel Figure 32 7 Route Table ...

Page 894: ... Routing Best Routes Table Use the Best Routes Table page to display the best routes from the routing table To display the page click Routing Router Best Routes Table in the navigation panel Figure 32 8 Best Routes Table ...

Page 895: ... click Routing Router Route Entry Configuration in the navigation panel Figure 32 9 Route Entry Configuration Adding a Route and Configuring Route Preference To configure routing table entries 1 Open the Route Entry Configuration page 2 Click Router Route Entry Configuration The screen refreshes and the Router Route Entry Configuration page displays ...

Page 896: ... Reject route The fields to configure are different for each route type Default Enter the default gateway address in the Next Hop IP Address field Static Enter values for Network Address Subnet Mask Next Hop IP Address and Preference Static Reject Enter values for Network Address Subnet Mask and Preference 4 Click Apply The new route is added to the routing table ...

Page 897: ...k Routing Router Configured Routes in the navigation panel Figure 32 11 Configured Routes To remove a configured route select the check box in the Remove column of the route to delete and click Apply NOTE For a static reject route the next hop interface value is Null0 Packets to the network address specified in static reject routes are intentionally dropped ...

Page 898: ...ic routes These values are arbitrary values that range from 1 to 255 and are independent of route metrics Most routing protocols use a route metric to determine the shortest path known to the protocol independent of any other protocol To display the page click Routing Router Route Preferences Configuration in the navigation panel Figure 32 12 Router Route Preferences Configuration ...

Page 899: ... on the switch ip icmp echo reply Allow the switch to generate ICMP Echo Reply messages ip icmp error interval burst interval burst size Limit the rate at which IPv4 ICMP error messages are sent burst interval How often the token bucket is initialized Range 0 2147483647 milliseconds burst size The maximum number of messages that can be sent during a burst interval Range 1 200 ip redirects Allow th...

Page 900: ...eout arp retries integer Configure the ARP count of maximum requests for retries The range is 1 10 arp cachesize integer Configure the maximum number of entries in the ARP cache arp dynamicrenew Allow the ARP component to automatically renew dynamic ARP entries when they age out exit Exit to Privileged EXEC mode show arp brief View the entries in the ARP cache and the ARP table settings Use the br...

Page 901: ...0 1 all hosts IP multicast address or 255 255 255 255 limited broadcast address ip irdp holdtime seconds Configure the value of the holdtime field of the router advertisement sent from this interface ip irdp maxadvertinterval seconds Configure the maximum time allowed between sending router advertisements from the interface ip irdp minadvertinterval seconds Configure the minimum time allowed betwe...

Page 902: ...ference Configure a static route Use the keyword null instead of the next hop router IP address to configure a static reject route ip address IP address of destination interface subnet mask Subnet mask of destination interface prefix length Length of prefix Must be preceded with a forward slash Range 0 32 bits nextHopRtr IP address of the next hop router null Specifies that the route is a static r...

Page 903: ...ith a forward slash Range 0 32 bits longer prefixes Indicates that the ip address and subnet mask pair becomes the prefix and the command displays the routes to the addresses that match that prefix protocol Specifies the protocol that installed the routes Range connected ospf rip static show ip route summary View summary information about the routing table show ip protocols View the parameters and...

Page 904: ... is configured on Switch A Additionally a default route is configured on Switch A so that all traffic with an unknown destination is sent to the backbone router through port 24 which is a member of VLAN 50 A default route is configured on PowerConnect Switch B to use Switch A as the default gateway The hosts use the IP address of the VLAN routing interface as their default gateway This example ass...

Page 905: ...onsole config interface vlan 20 console config if vlan20 ip address 192 168 20 20 255 255 255 0 console config if vlan20 exit 4 Assign an IP address to VLAN 50 console configure console config interface vlan 50 console config if vlan50 ip address 192 168 50 50 255 255 255 0 console config if vlan50 exit 5 Configure a static route to the network that VLAN 30 is in using the IP address of the VLAN 2...

Page 906: ... vlan20 ip address 192 168 20 25 255 255 255 0 console config if vlan20 exit 3 Assign an IP address to VLAN 30 This command also enables IP routing on the VLAN console configure console config interface vlan 30 console config if vlan30 ip address 192 168 30 30 255 255 255 0 console config if vlan30 exit 4 Configure the VLAN 20 routing interface on Switch A as the default gateway so that any traffi...

Page 907: ...n impractical The relay features on the PowerConnect 7000 Series switches can help enable communication between DHCP clients and DHCP servers that reside in different subnets Configuring L3 DHCP relay also enables the bootstrap protocol BOOTP relay What Is L3 DHCP Relay Network infrastructure devices can be used to relay packets between a DHCP client and server on different subnets Such a device a...

Page 908: ... more than one IP address the relay agent uses the primary IP address configured as its relay agent IP address What Is L2 DHCP Relay In Layer 2 switched networks there may be one or more infrastructure devices for example a switch between the client and the L3 Relay agent DHCP server In this instance some of the client device information required by the L3 Relay agent may not be visible to it In t...

Page 909: ... on routing interfaces Each relay entry maps an ingress interface and destination UDP port number to a single IPv4 address the helper address Multiple relay entries may be configured for the same interface and UDP port in which case the relay agent relays matching packets to each server address Interface configuration takes priority over global configuration If the destination UDP port for a packe...

Page 910: ...P server unicasts back to the relay agent For other protocols the relay agent only relays broadcast packets from the client to the server Packets from the server back to the client are assumed to be unicast directly to the client Because there is no relay in the return direction for protocols other than DHCP the relay agent retains the source IP address from the original client packet The relay ag...

Page 911: ...ss must be the all ones broadcast address FF FF FF FF FF FF The destination IP address must be the limited broadcast address 255 255 255 255 or a directed broadcast address for the receive interface The IP time to live TTL must be greater than 1 The protocol field in the IP header must be UDP 17 The destination UDP port must match a configured relay entry NOTE If the packet matches a discard relay...

Page 912: ... data FTP Data 21 FTP FTP 37 Time Time 42 NAMESERVER Host Name Server 43 NICNAME Who is 53 DOMAIN Domain Name Server 69 TFTP Trivial File Transfer 111 SUNRPC Sun Microsystems Rpc 123 NTP Network Time 137 NetBiosNameService NT Server to Station Connections 138 NetBiosDatagramService NT Server to Station Connections 139 NetBios SessionServiceNT Server to Station Connections 161 SNMP Simple Network M...

Page 913: ... Parameter Default Value L2 DHCP Relay Admin Mode Disabled globally and on all interfaces and VLANs Trust Mode Disabled on all interfaces Circuit ID Disabled on all VLANs Remote ID None configured L3 DHCP Relay UDP Relay Mode IP Helper Enabled Hop Count 4 Minimum Wait Time 0 seconds Circuit ID Option Mode Disabled Circuit ID Check Mode Enabled Information Option Insert Disabled on all VLAN interfa...

Page 914: ...nable or disable the switch to act as a DHCP Relay agent This functionality must also be enabled on each port you want this service to operate on see DHCP Relay Interface Configuration on page 915 The switch can also be configured to relay requests only when the VLAN of the requesting client corresponds to a service provider s VLAN ID that has been enabled with the L2 DHCP relay functionality see ...

Page 915: ... on individual ports To access this page click Switching DHCP Relay Interface Configuration in the navigation panel Figure 33 2 DHCP Relay Interface Configuration To view a summary of the L2 DHCP relay configuration on all ports and LAGS click Show All NOTE L2 DHCP relay must also be enabled globally on the switch ...

Page 916: ...916 Configuring L2 and L3 Relay Features Figure 33 3 DHCP Relay Interface Summary ...

Page 917: ...elay Interface Statistics Use this page to display statistics on DHCP Relay requests received on a selected port To access this page click Switching DHCP Relay Interface Statistics in the navigation panel Figure 33 4 DHCP Relay Interface Statistics ...

Page 918: ...le and configure DHCP Relay on specific VLANs To access this page click Switching DHCP Relay VLAN Configuration in the navigation panel Figure 33 5 DHCP Relay VLAN Configuration To view a summary of the L2 DHCP relay configuration on all VLANs click Show All Figure 33 6 DHCP Relay VLAN Summary ...

Page 919: ... 919 DHCP Relay Agent Configuration Use the Configuration page to configure and display a DHCP relay agent To display the page click Routing DHCP Relay Agent Configuration in the navigation panel Figure 33 7 DHCP Relay Agent Configuration ...

Page 920: ... UDP Relay and Helper IP configuration To display the page click Routing IP Helper Global Configuration in the navigation panel Figure 33 8 IP Helper Global Configuration Adding an IP Helper Entry To configure an IP helper entry 1 Open the IP Helper Global Configuration page 2 Click Add to display the Add Helper IP Address page ...

Page 921: ... 4 Enter the IP address of the server to which the packets with the given UDP Destination Port will be relayed 5 Click Apply The UDP Helper Relay is added and the device is updated NOTE If the DefaultSet option is specified the device by default forwards UDP Broadcast packets for the following services IEN 116 Name Service port 42 DNS port 53 NetBIOS Name Server port 137 NetBIOS Datagram Server po...

Page 922: ...figuration for a specific interface To display the page click Routing IP Helper Interface Configuration in the navigation panel Figure 33 10 IP Helper Interface Configuration Adding an IP Helper Entry to an Interface To add an IP helper entry to an interface 1 Open the IP Helper Interface Configuration page 2 Click Add to display the Add IP Helper Address page ...

Page 923: ...the IP address of the server to which the packets with the given UDP Destination Port will be relayed 7 Click Apply The UDP Helper Relay is added to the interface and the device is updated IP Helper Statistics Use the Statistics page to view UDP Relay Statistics for the switch To display the page click Routing IP Helper Statistics in the navigation panel NOTE If the DefaultSet option is specified ...

Page 924: ...924 Configuring L2 and L3 Relay Features Figure 33 12 IP Helper Statistics ...

Page 925: ... also specify a range of ports with the interface range command for example interface range gigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 dhcp l2relay Enable L2 DHCP relay on the port s or LAG s dhcp l2relay trust Configure the interface s to mandate Option 82 on receiving DHCP packets exit Exit to Global Configuration mode dhcp l2relay vlan vlan range Enable the L2 DHCP Relay ag...

Page 926: ...ure It is enabled by default ip helper address server address dest udp port dhcp domain isakmp mobile ip nameserver netbios dgm netbios ns ntp pim auto rp rip tacacs tftp time Configure the relay of certain UDP broadcast packets received on any interface Specify the one of the protocols defined in the command or the UDP port number server address The IPv4 unicast or directed broadcast address to w...

Page 927: ...er server address The IPv4 unicast or directed broadcast address to which relayed UDP broadcast packets are sent The server address cannot be an IP address configured on any interface of the local router dest udp port A destination UDP port number from 0 to 65535 exit Exit to Global Config mode exit Exit to Privileged EXEC mode show ip helper address vlan vlan id View IP helper L3 relay settings f...

Page 928: ... assumes that multiple VLAN routing interfaces have been created and configured with IP addresses To configure the switch 1 Relay DHCP packets received on VLAN 10 to 192 168 40 35 console config console config interface vlan 10 console config if vlan10 ip helper address 192 168 40 35 dhcp VLAN 30 DHCP Server 192 168 40 35 DHCP Clients VLAN 10 L3 Switch VLAN 20 No DHCP DHCP Server 192 168 40 22 SNM...

Page 929: ...p helper address discard dhcp console config if vlan20 exit 5 DHCP packets received from clients in any VLAN other than VLAN 10 and VLAN 20 are relayed to 192 168 40 22 console config ip helper address 192 168 40 22 dhcp 6 Verify the configuration console show ip helper address IP helper is enabled NOTE The following command is issued in Global Configuration mode so it applies to all interfaces ex...

Page 930: ...930 Configuring L2 and L3 Relay Features ...

Page 931: ...s The protocols are configured separately within the software but their functionality is largely similar for IPv4 and IPv6 networks The topics covered in this chapter include OSPF Overview Default OSPF Values Configuring OSPF Features Web Configuring OSPFv3 Features Web Configuring OSPF Features CLI Configuring OSPFv3 Features CLI OSPF Configuration Examples NOTE In this chapter references to OSPF...

Page 932: ...are not used as actual IP addresses For simplicity the area can be configured and referred to in normal integer notation For example Area 20 is identified as 0 0 0 20 and Area 256 as 0 0 1 0 The area identified as 0 0 0 0 is referred to as Area 0 and is considered the OSPF backbone All other OSPF areas in the network must connect to Area 0 directly or through a virtual link The backbone area is re...

Page 933: ...m other protocols and originate external LSAs How Are Routes Selected OSPF determines the best route using the route metric and the type of the OSPF route The following order is used for choosing a route if more than one type of route exists 1 Intra area the destination prefix is in the same area as the router computing the route 2 Inter area the destination is not in the same area as the router c...

Page 934: ... Router ID None Admin Mode Enabled RFC 1583 Compatibility Enabled OSPFv2 only ABR Status Enabled Opaque LSA Status Enabled OSPFv2 only Exit Overflow Interval Not configured SPF Delay Time 5 OSPFv2 only SPF Hold Time 10 OSPFv2 only External LSDB Limit None Default Metric Not configured Maximum Paths 4 AutoCost Reference Bandwidth 100 Mbps Default Passive Setting Disabled Default Information Origina...

Page 935: ...econds Dead Interval 40 seconds LSA Ack Interval 1 second Interface Delay Interval 1 second MTU Ignore Disabled Passive Mode Disabled Network Type Broadcast Authentication Type None OSPFv2 only Metric Cost Not configured Table 34 2 OSPF Per Interface Defaults Parameter Default Value ...

Page 936: ...g and monitoring OSPF features on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page OSPF Configuration Use the Configuration page to enable OSPF on a router and to configure the related OSPF settings To display the page click Routing OSPF Configuration in the navigation panel Figure 34 1 OSPF Configuration ...

Page 937: ...ing OSPF Interface Configuration At least one router must have OSPF enabled for this web page to display To display the page click Routing OSPF Area Configuration in the navigation panel If a Stub Area has been created the fields in the Stub Area Information are available If a NSSA has been created the fields in the NSSA Area Information are available Figure 34 2 OSPF Area Configuration ...

Page 938: ...ub Area To configure the area as an OSPF stub area click Create Stub Area The pages refreshes and displays additional fields that are specific to the stub area Figure 34 3 OSPF Stub Area Configuration Use the Delete Stub Area button to remove the stub area ...

Page 939: ...So Stubby Area To configure the area as an OSPF not so stubby area NSSA click NSSA Create The pages refreshes and displays additional fields that are specific to the NSSA Figure 34 4 OSPF NSSA Configuration Use the NSSA Delete button to remove the NSSA area ...

Page 940: ...ng OSPF and OSPFv3 OSPF Stub Area Summary The Stub Area Summary page displays OSPF stub area detail To display the page click Routing OSPF Stub Area Summary in the navigation panel Figure 34 5 OSPF Stub Area Summary ...

Page 941: ...nge Configuration Use the Area Range Configuration page to configure and display an area range for a specified NSSA To display the page click Routing OSPF Area Range Configuration in the navigation panel Figure 34 6 OSPF Area Range Configuration ...

Page 942: ... Use the Interface Statistics page to display statistics for the selected interface The information is displayed only if OSPF is enabled To display the page click Routing OSPF Interface Statistics in the navigation panel Figure 34 7 OSPF Interface Statistics ...

Page 943: ... 943 OSPF Interface Configuration Use the Interface Configuration page to configure an OSPF interface To display the page click Routing OSPF Interface Configuration in the navigation panel Figure 34 8 OSPF Interface Configuration ...

Page 944: ...ay the OSPF neighbor table list When a particular neighbor ID is specified detailed information about a neighbor is given The information below is only displayed if OSPF is enabled To display the page click Routing OSPF Neighbor Table in the navigation panel Figure 34 9 OSPF Neighbor Table ...

Page 945: ...r ID When a particular neighbor ID is specified detailed information about a neighbor is given The information below is only displayed if OSPF is enabled and the interface has a neighbor The IP address is the IP address of the neighbor To display the page click Routing OSPF Neighbor Configuration in the navigation panel Figure 34 10 OSPF Neighbor Configuration ...

Page 946: ...g OSPF Link State Database in the navigation panel Figure 34 11 OSPF Link State Database OSPF Virtual Link Configuration Use the Virtual Link Configuration page to create or configure virtual interface information for a specific area and neighbor A valid OSPF area must be configured before this page can be displayed To display the page click Routing OSPF Virtual Link Configuration in the navigatio...

Page 947: ...Configuring OSPF and OSPFv3 947 Figure 34 12 OSPF Virtual Link Creation After you create a virtual link additional fields display as the Figure 34 13 shows Figure 34 13 OSPF Virtual Link Configuration ...

Page 948: ...3 OSPF Virtual Link Summary Use the Virtual Link Summary page to display all of the configured virtual links To display the page click Routing OSPF Virtual Link Summary in the navigation panel Figure 34 14 OSPF Virtual Link Summary ...

Page 949: ...configure redistribution in OSPF for routes learned through various protocols You can choose to redistribute routes learned from all available protocols or from selected ones To display the page click Routing OSPF Route Redistribution Configuration in the navigation panel Figure 34 15 OSPF Route Redistribution Configuration ...

Page 950: ...tribution Summary Use the Route Redistribution Summary page to display OSPF Route Redistribution configurations To display the page click Routing OSPF Route Redistribution Summary in the navigation panel Figure 34 16 OSPF Route Redistribution Summary ...

Page 951: ...ation for the OSPF feature NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure For information about NSF see What is Nonstop Forwarding on page 140 in the Managing a Switch Stack chapter To display the page click Routing OSPF NSF OSPF Summary in the navigation panel Figure 34 17 NSF OSPF Summary ...

Page 952: ...configuring and monitoring OSPFv3 features on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page OSPFv3 Configuration Use the Configuration page to activate and configure OSPFv3 for a switch To display the page click IPv6 OSPFv3 Configuration in the navigation panel Figure 34 18 OSPFv3 Configuration ...

Page 953: ...PFv3 953 OSPFv3 Area Configuration Use the Area Configuration page to create and configure an OSPFv3 area To display the page click IPv6 OSPFv3 Area Configuration in the navigation panel Figure 34 19 OSPFv3 Area Configuration ...

Page 954: ... Area To configure the area as an OSPFv3 stub area click Create Stub Area The pages refreshes and displays additional fields that are specific to the stub area Figure 34 20 OSPFv3 Stub Area Configuration Use the Delete Stub Area button to remove the stub area ...

Page 955: ...o Stubby Area To configure the area as an OSPFv3 not so stubby area NSSA click Create NSSA The pages refreshes and displays additional fields that are specific to the NSSA Figure 34 21 OSPFv3 NSSA Configuration Use the Delete NSSA button to remove the NSSA area ...

Page 956: ...F and OSPFv3 OSPFv3 Stub Area Summary Use the Stub Area Summary page to display OSPFv3 stub area detail To display the page click IPv6 OSPFv3 Stub Area Summary in the navigation panel Figure 34 22 OSPFv3 Stub Area Summary ...

Page 957: ...OSPFv3 Area Range Configuration Use the Area Range Configuration page to configure OSPFv3 area ranges To display the page click IPv6 OSPFv3 Area Range Configuration in the navigation panel Figure 34 23 OSPFv3 Area Range Configuration ...

Page 958: ...e the Interface Configuration page to create and configure OSPFv3 interfaces This page has been updated to include the Passive Mode field To display the page click IPv6 OSPFv3 Interface Configuration in the navigation panel Figure 34 24 OSPFv3 Interface Configuration ...

Page 959: ...ace Statistics page to display OSPFv3 interface statistics Information is only displayed if OSPF is enabled Several fields have been added to this page To display the page click IPv6 OSPFv3 Interface Statistics in the navigation panel Figure 34 25 OSPFv3 Interface Statistics ...

Page 960: ...bor ID When a particular neighbor ID is specified detailed information about that neighbor is given Neighbor information only displays if OSPF is enabled and the interface has a neighbor The IP address is the IP address of the neighbor To display the page click IPv6 OSPFv3 Neighbors in the navigation panel Figure 34 26 OSPFv3 Neighbors ...

Page 961: ...lay the OSPF neighbor table list When a particular neighbor ID is specified detailed information about a neighbor is given The neighbor table is only displayed if OSPF is enabled To display the page click IPv6 OSPFv3 Neighbor Table in the navigation panel Figure 34 27 OSPFv3 Neighbor Table ...

Page 962: ...the link state and external LSA databases The OSPFv3 Link State Database page has been updated to display external LSDB table information in addition to OSPFv3 link state information To display the page click IPv6 OSPFv3 Link State Database in the navigation panel Figure 34 28 OSPFv3 Link State Database ...

Page 963: ...ion page to define a new or configure an existing virtual link To display this page a valid OSPFv3 area must be defined through the OSPFv3 Area Configuration page To display the page click IPv6 OSPFv3 Virtual Link Configuration in the navigation panel Figure 34 29 OSPFv3 Virtual Link Configuration ...

Page 964: ...964 Configuring OSPF and OSPFv3 After you create a virtual link additional fields display as the Figure 34 30 shows Figure 34 30 OSPFv3 Virtual Link Configuration ...

Page 965: ...Virtual Link Summary Use the Virtual Link Summary page to display virtual link data by Area ID and Neighbor Router ID To display the page click IPv6 OSPFv3 Virtual Link Summary in the navigation panel Figure 34 31 OSPFv3 Virtual Link Summary ...

Page 966: ...bution Configuration Use the Route Redistribution Configuration page to configure route redistribution To display the page click IPv6 OSPFv3 Route Redistribution Configuration in the navigation panel Figure 34 32 OSPFv3 Route Redistribution Configuration ...

Page 967: ...stribution Summary Use the Route Redistribution Summary page to display route redistribution settings by source To display the page click IPv6 OSPFv3 Route Redistribution Summary in the navigation panel Figure 34 33 OSPFv3 Route Redistribution Summary ...

Page 968: ...ion for the OSPFv3 feature NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure For information about NSF see What is Nonstop Forwarding on page 140 in the Managing a Switch Stack chapter To display the page click Routing OSPFv3 NSF OSPFv3 Configuration in the navigation panel Figure 34 34 NSF OSPFv3 Configuration ...

Page 969: ...nfiguration mode router ospf Enter OSPF configuration mode router id ip address Set the 4 digit dotted decimal number that uniquely identifies the router auto cost reference bandwidth ref_bw Set the reference bandwidth used in the formula to compute link cost for an interface link cost ref_bw interface bandwidth The ref_bw variable is the reference bandwidth in Mbps Range 1 4294967 capability opaq...

Page 970: ...ospf external inter area intra area distance Set the preference values of OSPF route types in the router The range for the distance variable is 1 255 Lower route preference values are preferred when determining the best route enable Enable OSPF exit overflow interval seconds Specify the exit overflow interval for OSPF as defined in RFC 1765 The interval is the number of seconds after entering over...

Page 971: ...SPF delay and hold time delay time SPF delay time Range 0 65535 seconds hold time SPF hold time Range 0 65535 seconds exit Exit to Global Configuration mode exit Exit to Privileged EXEC mode show ip ospf View OSPF global configuration and status show ip ospf statistics View OSPF routing table calculation statistics clear ip ospf configuration redistribution counters neighbor interface vlan vlan id...

Page 972: ...OSPF retransmit interval for the interface The seconds variable is the number of seconds between link state advertisements for adjacencies belonging to this router interface This value is also used when retransmitting database descriptions and link state request packets Valid values range from 0 to 3600 seconds 1 hour ip ospf hello interval seconds Set the OSPF hello interval for the interface Thi...

Page 973: ...interface encrypt MD5 encrypted authentication key key Authentication key for the specified interface Range 8 bytes or less if the authentication type is simple and 16 bytes or less if the type is encrypt key id Authentication key identifier for the authentication type encrypt Range 0 25 ip ospf cost interface cost Set the metric cost of the interface The interface cost variable specifies the cost...

Page 974: ...ospf interface vlan vlan id View summary information for all OSPF interfaces configured on the switch or for the specified routing interface show ip ospf interface stats vlan vlan id View per interface OSPF statistics Command Purpose configure Enter global configuration mode router ospf Enter OSPF configuration mode area area id stub Create a stub area for the specified area ID area area id stub n...

Page 975: ...nslator status has been deposed by another router Range 0 3600 area area id nssa default information originate metric metric value metric type metric type value Configure the metric value and type for the default route advertised into the NSSA The metric type can be comparable nssa external 1 or non comparable nssa external 2 area area id nssa no redistribution Prevent learned external routes from...

Page 976: ...or the specified interface Range 8 bytes or less if the authentication type is simple and 16 bytes or less if the type is encrypt key id Authentication key identifier for the authentication type encrypt Range 0 255 area area id virtual link neighbor id retransmit interval seconds Set the OSPF retransmit interval for the virtual link interface The seconds variable is the number of seconds to wait b...

Page 977: ...the switch Command Purpose configure Enter global configuration mode router ospf Enter OSPF configuration mode area area id range ip address mask summarylink nssaexternallink advertise not advertise Configure a summary prefix for routes learned in a given area area id Identifies the OSPF NSSA to configure Range IP address or decimal from 0 4294967295 ip address IP address subnet mask Subnet mask a...

Page 978: ...en RIP is the source protocol static Apply the specified access list when packets come through the static route connected Apply the specified access list when packets come from a directly connected route redistribute rip static connected metric integer metric type 1 2 tag integer subnets Configure OSPF to allow redistribution of routes from the specified source protocol routers rip Specifies RIP a...

Page 979: ...eighbor exit helper mode whenever a topology change occurs Use the ietf keyword to distinguish the IETF standard implementation of graceful restart from other implementations nsf ietf restart interval seconds Configure the length of the grace period on the restarting router The seconds keyword is the number of seconds that the restarting router asks its neighbors to wait before exiting helper mode...

Page 980: ...ndard implementation of graceful restart from other implementations Since the IETF implementation is the only one supported this keyword is optional planned only This keyword indicates that OSPF should only perform a graceful restart when the restart is planned i e when the restart is a result of the initiate failover command Command Purpose ...

Page 981: ...erence bandwidth ref_bw Set the reference bandwidth used in the formula to compute link cost for an interface link cost ref_bw interface bandwidth The ref_bw variable is the reference bandwidth in Mbps Range 1 4294967 default information originate always metric metric value metric type type value Control the advertisement of default routes always Normally OSPFv3 originates a default route only if ...

Page 982: ...then there is no limit The limit variable is the maximum number of non default AS external LSAs allowed in the router s link state database Range 1 to 2147483647 maximum paths maxpaths Set the number of paths that OSPFv3 can report for a given destination Range 1 4 passive interface default Configure OSPFv3 interfaces as passive by default This command overrides any interface level passive mode se...

Page 983: ...ecifies the priority of an interface Range 0 to 255 The default priority is 1 which is the highest router priority A value of 0 indicates that the router is not eligible to become the designated router on this network ipv6 ospf retransmit interval seconds Set the OSPFv3 retransmit interval for the interface The seconds variable is the number of seconds between link state advertisements for adjacen...

Page 984: ...OSPFv3 network type on the interface to broadcast or point to point OSPFv3 selects a designated router and originates network LSAs only for broadcast networks No more than two OSPFv3 routers may be present on a point to point link ipv6 ospf cost interface cost Set the metric cost of the interface The interface cost variable specifies the cost link state metric of the OSPFv3 interface Range 1 65535...

Page 985: ...ng interface show ipv6 ospf interface stats interface type interface number View per interface OSPFv3 statistics Command Purpose configure Enter global configuration mode ipv6 router ospf Enter OSPFv3 configuration mode area area id stub Create a stub area for the specified area ID area area id stub no summary Prevent Summary LSAs from being advertised into the stub area area area id default cost ...

Page 986: ... LSAs are not advertised into the NSSA role The translator role where role is one of the following always The router assumes the role of the translator when it becomes a border router candidate The router to participate in the translator election process when it attains border router status interval The period of time that an elected translator continues to perform its duties after it determines t...

Page 987: ...d virtual link neighbor id hello interval seconds Set the OSPFv3 hello interval for the virtual link The seconds variable indicates the number of seconds to wait before sending Hello packets from the virtual interface Range 1 65535 area area id virtual link neighbor id dead interval seconds Set the OSPFv3 dead interval for the virtual link The seconds variable indicates the number of seconds to wa...

Page 988: ...gure a summary prefix for routes learned in a given area area id Identifies the OSPFv3 NSSA to configure Range IP address or decimal from 0 4294967295 ipv6 prefix prefix length IPv6 address and prefix length summarylink Specifies a summary link LSDB type nssaexternallink Specifies an NSSA external link LSDB type advertise Advertisement of the area range not advertise Suppresses advertisement of th...

Page 989: ...es from the specified source protocol routers static Specifies that the source is a static route connected Specifies that the source is a directly connected route metric Specifies the metric to use when redistributing the route Range 0 16777214 metric type 1 Type 1 external route metric type 2 Type 2 external route tag Value attached to each external route which might be used to communicate inform...

Page 990: ...word is the number of seconds that the restarting router asks its neighbors to wait before exiting helper mode The restarting router includes the restart interval in its grace LSAs range 1 1800 seconds nsf helper planned only Allow OSPFv3 to act as a helpful neighbor for a restarting router Include the planned only keyword to indicate that OSPFv3 should only help a restarting router performing a p...

Page 991: ... OSPFv3 Configuring an OSPF Border Router and Setting Interface Costs This example shows how to configure the PowerConnect switch as an OSPF border router The commands in this example configure the areas and interfaces on Border Router A shown in Figure 34 35 Figure 34 35 OSPF Area Border Router Area 2 Area 3 Area 0 Backbone Area Internal Router Border Router A Border Router B VLAN 70 192 150 2 2 ...

Page 992: ...t console config interface vlan 90 console config if vlan90 ip address 192 150 4 1 255 255 255 0 console config if vlan90 exit 4 Enable OSPF on the switch and specify a router ID console config router ospf console config router router id 192 150 9 9 console config router exit 5 Configure the OSPF area ID priority and cost for each interface console config interface vlan 70 console config if vlan70...

Page 993: ... 0 2 console config if vlan90 ip ospf priority 255 console config if vlan90 ip ospf cost 64 console config if vlan90 exit Configuring Stub and NSSA Areas for OSPF and OSPFv3 In this example Area 0 connects directly to two other areas Area 1 is defined as a stub area and Area 2 is defined as an NSSA area Figure 34 36 illustrates this example OSPF configuration NOTE OSPFv2 and OSPFv3 can operate con...

Page 994: ...le config ipv6 unicast routing console config ip routing 2 Create VLANs 6 and 12 console config vlan 6 12 3 Configure IP and IPv6 addresses on VLAN routing interface 6 Area 1 Stub 0 0 0 1 Area 2 NSSA 0 0 0 2 Area 0 0 0 0 0 Internal Router Internal Router Area Border Router Backbone Router AS Boundary Router VLAN 6 10 2 3 3 3000 2 3 VLAN 12 10 3 100 3 3000 3 100 VLAN 5 10 2 3 2 3000 2 3 VLAN 17 10 ...

Page 995: ...eui64 6 Associate the interface with area 0 0 0 0 and enable OSPFv3 console config if vlan12 ip ospf area 0 0 0 0 console config if vlan12 ipv6 ospf console config if vlan12 exit 7 Define the OSPF and OSPFv3 router IDs for the switch console config ipv6 router ospf console config rtr router id 3 3 3 3 console config rtr exit console config router ospf console config router router id 3 3 3 3 consol...

Page 996: ...config if vlan5 ipv6 ospf areaid 0 console config if vlan5 exit console config interface vlan 10 console config if vlan10 ip address 10 1 2 2 255 255 255 0 console config if vlan10 ipv6 address 3000 1 2 64 eui64 console config if vlan10 ipv6 ospf console config if vlan10 ipv6 ospf areaid 1 console config if vlan10 exit console config interface vlan 17 console config if vlan17 ip address 10 2 4 2 2...

Page 997: ... static metric 1 subnets console config router exit 7 For IPv6 Define an OSPF router Define Area 1 as a stub and area 2 as a Not So Stubby Area NSSA Configure a metric cost to associate with static routes when they are redistributed via OSPF console config ipv6 router ospf console config rtr router id 2 2 2 2 console config rtr area 0 0 0 1 stub console config rtr area 0 0 0 2 nssa console config ...

Page 998: ... C 5 5 5 5 To configure Switch B 1 Configure the virtual link to Switch C for IPv4 console configure console config router ospf console config router area 0 0 0 1 virtual link 5 5 5 5 console config router exit 2 Configure the virtual link to Switch C for IPv6 console configure console config ipv6 router ospf Area 2 0 0 0 2 Area 1 0 0 0 1 Area 0 0 0 0 0 Area Border Router Internal Router Area Bord...

Page 999: ...o Switch B 2 2 2 2 To configure Switch C 1 For IPv4 assign the router ID create the virtual link to Switch B and associate the VLAN routing interfaces with the appropriate areas console config router ospf console config router area 0 0 0 1 virtual link 2 2 2 2 console config router exit 2 For IPv6 assign the router ID and create the virtual link to Switch B console config ipv6 router ospf console ...

Page 1000: ...ocal IPv6 network OSPFv3 is used to exchange IPv6 routes between the two devices The tunnel interface allows data to be transported between the two remote IPv6 networks over the IPv4 network Figure 34 38 IPv4 and IPv6 Interconnection Example To configure Switch A 1 Create the VLANs console config vlan 2 15 2 Enable IPv4 and IPv6 routing on the switch console config ip routing console config ipv6 u...

Page 1001: ... if vlan2 ipv6 ospf network point to point console config if vlan2 exit 7 Configure the tunnel console config interface tunnel 0 console config if tunnel0 ipv6 address 2001 1 64 console config if tunnel0 tunnel mode ipv6ip console config if tunnel0 tunnel source 20 20 20 1 console config if tunnel0 tunnel destination 10 10 10 1 console config if tunnel0 ipv6 ospf console config if tunnel0 ipv6 osp...

Page 1002: ...ddress and OSPF area for VLAN 15 console config interface vlan 15 console config if vlan15 ip address 10 10 10 1 255 255 255 0 console config if vlan15 ip ospf area 0 0 0 0 console config if vlan15 exit 6 Configure the IPv6 address and OSPFv3 information for VLAN 2 console config interface vlan 2 console config if vlan2 ipv6 address 2020 2 2 64 console config if vlan2 ipv6 ospf console config if v...

Page 1003: ...nfig if tunnel0 ipv6 ospf network point to point console config if tunnel0 exit 8 Configure the loopback interface The switch uses the loopback IP address as the OSPF and OSPFv3 router ID console config interface loopback 0 console config if loopback0 ip address 2 2 2 2 255 255 255 0 console config if loopback0 exit console config exit ...

Page 1004: ...1004 Configuring OSPF and OSPFv3 ...

Page 1005: ...onfiguring RIP Features CLI RIP Configuration Example RIP Overview RIP is an Interior Gateway Protocol IGP that performs dynamic routing within a network PowerConnect 7000 Series switches support two dynamic routing protocols OSPF and Routing Information Protocol RIP Unlike OSPF RIP is a distance vector protocol and uses UDP broadcasts to maintain topology information and hop counts to determine t...

Page 1006: ... hop count is preferred over a route with a higher hop count A directly connected route has a hop count of 0 With RIP the maximum number of hops from source to destination is 15 Packets with a hop count greater than 15 are dropped because the destination network is considered unreachable What Is Split Horizon RIP uses a technique called split horizon to avoid problems caused by including routes in...

Page 1007: ... to include subnet mask and gateway The routing table is sent to a multicast address reducing network traffic An authentication method is used for security The PowerConnect 7000 Series switches support both versions of RIP You may configure a given port To receive packets in either or both formats To transmit packets formatted for RIP 1 or RIP 2 or to send RIP 2 packets to the RIP 1 broadcast addr...

Page 1008: ...r interface default values for RIP Table 35 1 RIP Global Defaults Parameter Default Value Admin Mode Enabled Split Horizon Mode Simple Auto Summary Mode Disabled Host Routes Accept Mode Enabled Default Information Originate Disabled Default Metric None configured Route Redistribution Disabled for all sources Table 35 2 RIP Per Interface Defaults Parameter Default Value Admin Mode Disabled Send Ver...

Page 1009: ...uring and monitoring RIP features on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page RIP Configuration Use the Configuration page to enable and configure or disable RIP in Global mode To display the page click Routing RIP Configuration in the navigation panel Figure 35 1 RIP Configuration ...

Page 1010: ...figuration Use the Interface Configuration page to enable and configure or to disable RIP on a specific interface To display the page click Routing RIP Interface Configuration in the navigation panel Figure 35 2 RIP Interface Configuration ...

Page 1011: ...1 RIP Interface Summary Use the Interface Summary page to display RIP configuration status on an interface To display the page click Routing RIP Interface Summary in the navigation panel Figure 35 3 RIP Interface Summary ...

Page 1012: ... values are entered an alert message is displayed with the list of all the valid values To display the page click Routing RIP Route Redistribution Configuration in the navigation panel Figure 35 4 RIP Route Redistribution Configuration NOTE Static reject routes are not redistributed by RIP For a static reject route the next hop interface value is Null0 Packets to the network address specified in s...

Page 1013: ...ibution Summary Use the Route Redistribution Summary page to display Route Redistribution configurations To display the page click Routing RIP Route Redistribution Summary in the navigation panel Figure 35 5 RIP Route Redistribution Summary ...

Page 1014: ... none simple poison Set the RIP split horizon mode none RIP does not use split horizon to avoid routing loops simple RIP uses split horizon to avoid routing loops poison RIP uses split horizon with poison reverse increases routing packet update size auto summary Enable the RIP auto summarization mode no hostroutesaccept Prevent the switch from accepting host routes default information originate Co...

Page 1015: ...he interface to allow RIP control packets of the specified version s to be received ip rip authentication none simple key encrypt key key id set the RIP Version 2 Authentication Type and Key for the interface key Authentication key for the specified interface Range 16 bytes or less encrypt Specifies the Ethernet unit port of the interface to view information key id Authentication key identifier fo...

Page 1016: ...commands you use to configure ACLs see Configuring ACLs CLI on page 558 accesslistname The name used to identify an existing ACL ospf Apply the specified access list when OSPF is the source protocol static Apply the specified access list when packets come through the static route connected Apply the specified access list when packets come from a directly connected route redistribute static connect...

Page 1017: ...stributed external 2 Adds routes imported into OSPF as Type 2 external routes into any match types presently being redistributed nssa external 1 Adds routes imported into OSPF as NSSA Type 1 external routes into any match types presently being redistributed nssa external 2 Adds routes imported into OSPF as NSSA Type 2 external routes into any match types presently being redistributed distance rip ...

Page 1018: ...witch console config console config ip routing 2 Create VLANs 10 20 and 30 console config vlan 10 20 30 3 Assign an IP address and enable RIP on each interface Additionally the commands specify that each interface can receive both RIP 1 and RIP 2 frames but send only RIP 2 formatted frames console config interface vlan 10 console config if vlan10 ip address 192 168 10 1 255 255 255 0 console confi...

Page 1019: ...nfig interface vlan 30 console config if vlan30 ip address 192 168 30 1 255 255 255 0 console config if vlan30 ip rip console config if vlan30 ip rip receive version both console config if vlan30 ip rip send version rip2 console config if vlan30 exit 4 Enable auto summarization of subprefixes when crossing classful boundaries console config router rip console config router auto summary console con...

Page 1020: ...ise 0 console show ip rip interface brief Interface IP Address Send Version Receive Version RIP Mode Link State Vl1 0 0 0 0 RIP 2 RIP 2 Disable Down Vl10 192 168 10 1 RIP 2 Both Enable Down Vl20 192 168 10 1 RIP 2 Both Enable Down Vl30 192 168 10 1 RIP 2 Both Disable Down ...

Page 1021: ... help minimize black hole periods due to the failure of the default gateway router during which all traffic directed towards it is lost until the failure is detected How Does VRRP Work VRRP eliminates the single point of failure associated with static default routes by enabling a backup router to take over from a master router without affecting the end stations using the route The end stations wil...

Page 1022: ...ave the same priority the router with the highest IP address becomes the VRRP master If the VRRP master fails other members of the VRRP group will elect a master based on the configured router priority values For example router A is the interface owner and master and it has a priority of 255 Router B is configured with a priority of 200 and Router C is configured with a priority of 190 If Router A...

Page 1023: ...RP Master responds to both fragmented and un fragmented ICMP Echo Request packets The VRRP Master responds to Echo Requests sent to the virtual router s primary address or any of its secondary addresses Members of the virtual router who are in backup state discard ping packets destined to VRRP addresses just as they discard any Ethernet frame sent to a VRRP MAC address When the VRRP master respond...

Page 1024: ...s up the value of the priority decrement is added to the current router priority If the resulting priority is more than the backup router priority the original VRRP master resumes control VRRP route tracking monitors the reachability of an IP route A tracked route is considered up when a routing table entry exists for the route and the route is accessible When the tracked route is removed from the...

Page 1025: ...arameter Default Value Admin Mode Disabled Virtual Router ID VRID None Preempt Mode Enabled Preempt Delay 0 Seconds Learn Advertisement Timer Interval Enabled Accept Mode Disabled Configured Priority 100 Advertisement Interval 1 Authentication None Route Tracking No routes tracked Interface Tracking No interfaces tracked ...

Page 1026: ...nd monitoring VRRP features on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page VRRP Configuration Use the Configuration page to enable or disable the administrative status of a virtual router To display the page click Routing VRRP Configuration in the navigation panel Figure 36 1 VRRP Configuration ...

Page 1027: ...ng VRRP 1027 VRRP Virtual Router Status Use the Router Status page to display virtual router status To display the page click Routing VRRP Router Status in the navigation panel Figure 36 2 Virtual Router Status ...

Page 1028: ...Virtual Router Statistics Use the Router Statistics page to display statistics for a specified virtual router To display the page click Routing VRRP Router Statistics in the navigation panel Figure 36 3 Virtual Router Statistics ...

Page 1029: ...29 VRRP Router Configuration Use the Configuration page to configure a virtual router To display the page click Routing VRRP Router Configuration Configuration in the navigation panel Figure 36 4 VRRP Router Configuration ...

Page 1030: ... to add new tracked routes To display the page click Routing VRRP Router Configuration Route Tracking Configuration in the navigation panel Figure 36 5 VRRP Route Tracking Configuration Configuring VRRP Route Tracking To configure VRRP route tracking 1 From the Route Tracking Configuration page click Add The Add Route Tracking page displays ...

Page 1031: ...estination network address track route prefix for the route to track Use dotted decimal format for example 192 168 10 0 4 Specify the prefix length for the tracked route 5 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked route becomes unreachable 6 Click Apply to update the switch ...

Page 1032: ...new tracked interfaces To display the page click Routing VRRP Router Configuration Interface Tracking Configuration in the navigation panel Figure 36 7 VRRP Interface Tracking Configuration Configuring VRRP Interface Tracking To configure VRRP interface tracking 1 From the Interface Tracking Configuration page click Add The Add Interface Tracking page displays ...

Page 1033: ...virtual router ID and VLAN routing interface that will track the interface 3 Specify the interface to track 4 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked interface goes down 5 Click Apply to update the switch ...

Page 1034: ...tion mode for the specified VLAN vrrp vr id Allow the interface to create in the VRRP group specified by the vr id parameter which is a number from 1 255 vrrp vr id description Optional Create a text description that identifies the VRRP group vrrp vr id preempt delay seconds Enable the preemption mode value for the virtual router configured on a specified interface You can optionally configure a p...

Page 1035: ...rement priority Specify an interface the virtual router vr id on the interface will track If the interface goes down the virtual router priority is decreased by the amount specified by the priority value vrrp vr id track ip route ip address prefix length decrement priority Specify a route that the virtual router vr id on the interface will track If the route to the destination network specified by...

Page 1036: ...orming the routing for network clients Router A is the default gateway for some clients and Router B is the default gateway for other clients Figure 36 9 VRRP with Load Sharing Network Diagram Router A Router B L2 Switch External Network VLAN 10 192 168 10 1 VLAN 10 192 168 10 2 Default Gateway 192 168 10 1 Default Gateway 192 168 10 1 Default Gateway 192 168 10 2 Default Gateway 192 168 10 2 VRID...

Page 1037: ...faces such as the interface to the external network have been configured console config interface vlan 10 console config if vlan10 ip address 192 168 10 1 255 255 255 0 console config if vlan10 exit 3 Enable VRRP for the switch console config ip vrrp 4 Assign a virtual router ID to the VLAN routing interface for the first VRRP group console config interface vlan 10 console config if vlan10 vrrp 10...

Page 1038: ...address of VLAN 10 is 192 168 10 2 Because this is also the virtual IP address of VRID 20 Router B is the interface owner and VRRP master of VRRP group 20 To configure Router B 1 Enable routing for the switch console config console config ip routing 2 Create and configure the VLAN routing interface to use as the default gateway for network clients This example assumes all other routing interfaces ...

Page 1039: ... console config if vlan10 vrrp 20 8 Specify the IP address that the virtual router function will use The router is the virtual IP address owner of this address so the priority value is 255 by default console config if vlan10 vrrp 20 ip 192 168 10 2 9 Configure an optional description to help identify the VRRP group console config if vlan10 vrrp 20 description backup 10 Enable the VRRP groups on th...

Page 1040: ...if something happened to VLAN 25 or the route to the external network as long as Router A remains up it will continue to be the VRRP master even though traffic from the clients does not have a path to the external network However if the interface and or route tracking features are configured Router A can decrease its priority value when the problems occur so that Router B becomes the master Router...

Page 1041: ...console config interface vlan 10 console config if vlan10 vrrp 10 5 Specify the IP address that the virtual router function will use console config if vlan10 vrrp 10 ip 192 168 10 15 6 Configure the router priority console config if vlan10 vrrp 10 priority 200 7 Enable preempt mode so that the router can regain its position as VRRP master if its priority is greater than the priority of the backup ...

Page 1042: ...AN 25 and the route to the external network are back up the priority of Router A returns to 200 and it resumes its role as VRRP master To configure Router B 1 Enable routing for the switch console config console config ip routing 2 Create and configure the VLAN routing interface to use as the default gateway for network clients This example assumes all other routing interfaces such as the interfac...

Page 1043: ...preempt mode so that the router can regain its position as VRRP master if its priority is greater than the priority of the backup router console config if vlan10 vrrp 10 preempt 8 Enable the VRRP groups on the interface console config if vlan10 ip vrrp 10 mode console config if vlan10 exit console config exit ...

Page 1044: ...1044 Configuring VRRP ...

Page 1045: ...s on page 1065 For information about IPv6 multicast see Managing IPv4 and IPv6 Multicast on page 1137 For configuration examples that include IPv6 interface configuration see OSPF Configuration Examples on page 991 IPv6 Routing Overview IPv6 is the next generation of the Internet Protocol With 128 bit addresses versus 32 bit addresses for IPv4 IPv6 solves the address depletion issues seen with IPv...

Page 1046: ...for IPv4 How Are IPv6 Interfaces Configured In PowerConnect 7000 Series switch software IPv6 coexists with IPv4 As with IPv4 IPv6 routing can be enabled on VLAN interfaces Each L3 routing interface can be used for IPv4 IPv6 or both Neighbor discovery is the IPv6 replacement for Address Resolution Protocol ARP Router advertisement is part of the neighbor discovery process and is required for IPv6 A...

Page 1047: ...ove SDM template info to one of the chapters in the System section like the Managing System Information and System Time chapter Other ideas Default IPv6 Routing Values IPv6 is disabled by default on the switch and on all interfaces Table 37 1 shows the default values for the IP routing features this chapter describes Table 37 1 IPv6 Routing Defaults Parameter Default Value IPv6 Unicast Routing Mod...

Page 1048: ...e Disabled Routing Mode Enabled Interface Maximum Transmit Unit 1500 Router Duplicate Address Detection Transmits 1 Router Advertisement NS Interval Not configured Router Lifetime Interval 1800 seconds Router Advertisement Reachable Time 0 seconds Router Advertisement Interval 600 seconds Router Advertisement Managed Config Flag Disabled Router Advertisement Other Config Flag Disabled Router Adver...

Page 1049: ...res on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page Global Configuration Use the Global Configuration page to enable IPv6 forwarding on the router enable the forwarding of IPv6 unicast datagrams and configure global IPv6 settings To display the page click Routing IPv6 Global Configuration in the navigation panel Figure 37 1 IPv6 Global Confi...

Page 1050: ...face Configuration page to configure IPv6 interface parameters This page has been updated to include the IPv6 Destination Unreachables field To display the page click Routing IPv6 Interface Configuration in the navigation panel Figure 37 2 IPv6 Interface Configuration ...

Page 1051: ...outing 1051 Interface Summary Use the Interface Summary page to display settings for all IPv6 interfaces To display the page click Routing IPv6 Interface Summary in the navigation panel Figure 37 3 IPv6 Interface Summary ...

Page 1052: ...6 Routing IPv6 Statistics Use the IPv6 Statistics page to display IPv6 traffic statistics for one or all interfaces To display the page click Routing IPv6 IPv6 Statistics in the navigation panel Figure 37 4 IPv6 Statistics ...

Page 1053: ...ation panel Figure 37 5 IPv6 Neighbor Table DHCPv6 Client Parameters Use the DHCPv6 Client Parameters page to view information about the network information automatically assigned to an interface by the DHCPv6 server This page displays information only if the DHCPv6 client has been enabled on an IPv6 routing interface To display the page click Routing IPv6 DHCPv6 Client Parameters in the navigatio...

Page 1054: ...HCPv6 Client Parameters IPv6 Route Entry Configuration Use the IPv6 Route Entry Configuration page to configure information for IPv6 routes To display the page click Routing IPv6 IPv6 Routes IPv6 Route Entry Configuration in the navigation panel ...

Page 1055: ...igure 37 7 IPv6 Route Entry Configuration IPv6 Route Table Use the IPv6 Route Table page to display all active IPv6 routes and their settings To display the page click Routing IPv6 IPv6 Routes IPv6 Route Table in the navigation panel ...

Page 1056: ...wn to the protocol independent of any other protocol The best route to a destination is chosen by selecting the route with the lowest preference value When there are multiple routes to a destination the preference values are used to determine the preferred route If there is still a tie the route with the best route metric is chosen To avoid problems with mismatched metrics you must configure diffe...

Page 1057: ...Configuring IPv6 Routing 1057 Figure 37 9 IPv6 Route Preferences ...

Page 1058: ...Pv6 Routes Configured IPv6 Routes in the navigation panel Figure 37 10 Configured IPv6 Routes To remove a configured route select the check box in the Delete column of the route to remove and click Apply NOTE For a static reject route the next hop interface value is Null0 Packets to the network address specified in static reject routes are intentionally dropped ...

Page 1059: ...gs for the switch Command Purpose configure Enter global configuration mode ipv6 unicast routing Globally enable IPv6 routing on the switch ipv6 hop limit limit Set the TTL value for the router The valid range is 0 to 255 ipv6 icmp error interval burst interval burst size Limit the rate at which IPv4 ICMP error messages are sent burst interval How often the token bucket is initialized Range 0 2147...

Page 1060: ...owed to be configured Include the eui64 keyword to have the system add the 64 bit interface ID to the address You must use a prefix length of 64 in this case For VLAN interfaces use the dhcp keyword to enable the DHCPv6 client and obtain an IP address form a network DHCPv6 server or assign a static IP address ipv6 nd prefix prefix prefix length valid lifetime infinite preferred lifetime infinite n...

Page 1061: ... is 0 600 ipv6 nd ns interval milliseconds Set the interval between router advertisements for advertised neighbor solicitations The range is 1000 to 4294967295 milliseconds ipv6 nd other config flag Set the other stateful configuration flag in router advertisements sent from the interface ipv6 nd managed config flag Set the managed address configuration flag in router advertisements When the value...

Page 1062: ...and prefix length that is the destination of the static route Use the 0 form unspecified address and zero length prefix to specify a default route interface type interface number Must be specified when using a link local address as the next hop The interface type can be vlan or tunnel next hop address The IPv6 address of the next hop that can be used to reach the specified network A link local nex...

Page 1063: ...isplayed protocol Specifies the protocol that installed the routes Is one of the following keywords connected ospf static ipv6 prefix prefix length Specifies an IPv6 network for which the matching route would be displayed interface type interface number Valid IPv6 interface Specifies that the routes with next hops on the selected interface be displayed best Specifies that only the best routes are ...

Page 1064: ...1064 Configuring IPv6 Routing ...

Page 1065: ...ients and servers for the purpose of assigning IP addresses gateways and other networking definitions such as Domain Name System DNS and Network Time Protocol NTP parameters However IPv6 natively provides IP address autoconfiguration through IPv6 Neighbor Discovery Protocol NDP and through the use of Router Advertisement messages Thus the role of DHCPv6 within the network is different than that of...

Page 1066: ... response A DHCPv6 server then responds by providing only networking definitions such as DNS domain name and server definitions NTP server definitions or SIP definitions What Is the DHCPv6 Relay Agent Information Option The DHCPv6 Relay Agent Information Option allows for various sub options to be attached to messages that are being relayed by the local router to a DHCPv6 server The DHCPv6 server ...

Page 1067: ...lients may request specific IPv6 prefixes If the configured DHCPv6 pool contains the specific prefix that a DHCPv6 client requests then that prefix will be delegated to the client Otherwise the first available IPv6 prefix within the configured pool will be delegated to the client Default DHCPv6 Server and Relay Values By default the DHCPv6 server is disabled and no address pools are configured VLA...

Page 1068: ... configuring and monitoring the DHCPv6 server on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page DHCPv6 Global Configuration Use the Global Configuration page to configure DHCPv6 global parameters To display the page click Routing IPv6 DHCPv6 Global Configuration in the navigation panel Figure 38 2 DHCPv6 Global Configuration ...

Page 1069: ...omain names of DNS servers To display the page click Routing IPv6 DHCPv6 Pool Configuration in the navigation panel Figure 38 3 shows the page when no pools have been created After a pool has been created additional fields display Figure 38 3 Pool Configuration Configuring a DHCPv6 Pool To configure the pool 1 Open the Pool Configuration page 2 Select Create from the Pool Name menu and type a name...

Page 1070: ...om the DNS Server Address menu select an existing DNS Server Address to associate with this pool or select Add and specify a new server to add 5 From the Domain Name menu select an existing domain name to associate with this pool or select Add and specify a new domain name 6 Click Apply ...

Page 1071: ...iguration page to configure a delegated prefix for a pool At least one pool must be created using DHCPv6 Pool Configuration before a delegated prefix can be configured To display the page click Routing IPv6 DHCPv6 Prefix Delegation Configuration in the navigation panel Figure 38 5 Prefix Delegation Configuration ...

Page 1072: ...se the Pool Summary page to display settings for all DHCPv6 Pools At least one pool must be created using DHCPv6 Pool Configuration before the Pool Summary displays To display the page click Routing IPv6 DHCPv6 Pool Summary in the navigation panel Figure 38 6 Pool Summary ...

Page 1073: ...e the DHCPv6 Interface Configuration page to configure a DHCPv6 interface To display the page click Routing IPv6 DHCPv6 Interface Configuration in the navigation panel The fields that display on the page depend on the selected interface mode Figure 38 7 DHCPv6 Interface Configuration ...

Page 1074: ...Figure 38 8 shows the screen when the selected interface mode is Server Figure 38 8 DHCPv6 Interface Configuration Server Mode Figure 38 9 shows the screen when the selected interface mode is Relay Figure 38 9 DHCPv6 Interface Configuration Relay Mode ...

Page 1075: ...tings 1075 DHCPv6 Server Bindings Summary Use the Server Bindings Summary page to display all DHCPv6 server bindings To display the page click Routing IPv6 DHCPv6 Bindings Summary in the navigation panel Figure 38 10 Server Bindings Summary ...

Page 1076: ...nd Relay Settings DHCPv6 Statistics Use the DHCPv6 Statistics page to display DHCPv6 statistics for one or all interfaces To display the page click Routing IPv6 DHCPv6 Statistics in the navigation panel Figure 38 11 DHCPv6 Statistics ...

Page 1077: ...HCPv6 clients that obtain IPv6 network information dynamically Command Purpose configure Enter Global Configuration mode service dhcpv6 Enable the DHCPv6 server ipv6 dhcp relay agent info opt option Configure a number to represent the DHCPv6 Relay Agent Information Option The option parameter is an integer from 54 65535 ipv6 dhcp relay agent info remote id subopt suboption Configure a number to re...

Page 1078: ...fix length client DUID name hostname valid lifetime valid lifetime infinite preferred lifetime preferred lifetime infinite Define an IPv6 prefixes within a pool for distributing to specific DHCPv6 Prefix delegation clients prefix prefix length Delegated IPv6 prefix client DUID DHCP Unique Identifier for the client e g 00 01 00 09 f8 79 4e 00 04 76 73 43 76 hostname Client hostname used for logging...

Page 1079: ...interface vlan vlan id interface vlan vlan id remote id duid ifid user defined string Configure the interface for DHCPv6 relay functionality destination Keyword that sets the relay server IPv6 address relay address An IPv6 address of a DHCPv6 relay server interface Sets the relay server interface vlan id A valid VLAN ID remote id duid ifid user defined string The Relay Agent Information Option rem...

Page 1080: ...viated exchange between the client and server pref value Preference value used by clients to determine preference between multiple DHCPv6 servers Range 0 4294967295 CTRL Z Exit to Privileged Exec Mode show ipv6 dhcp interface tunnel tunnel id vlan vlan id View DHCPv6 information for all interfaces or for the specified interface Command Purpose show ipv6 dhcp binding address View the current bindin...

Page 1081: ...l VLAN routing interface 100 is configured as a DHCPv6 server Setting NDP on the interface to send the other config flag option allows the interface to prompt DHCPv6 clients to request only stateless server information To configure the switch 1 Enable the DHCPv6 feature console configure console config service dhcpv6 2 Create the DHCPv6 pool and configure stateless information console config ipv6 ...

Page 1082: ...figure the switch 1 Create the DHCPv6 pool and specify the domain name and DNS server information console config ipv6 dhcp pool my pool2 console config dhcp6s pool domain name dell com console config dhcp6s pool dns server 2001 DB8 A328 22C 1 2 Specify the prefix delegations for specific clients The first two commands provide multiple prefixes to the same client console config dhcp6s pool prefix d...

Page 1083: ...ver To configure the switch 1 Create VLAN 300 and define its IPv6 address console config interface vlan 300 console config if vlan300 ipv6 address 2001 DB8 03a 64 2 Configure the interface as a DHCPv6 relay agent and specify the IPv6 address of the relay server The command also specifies that the route to the server is through the VLAN 100 routing interface console config if vlan300 ipv6 dhcp rela...

Page 1084: ...1084 Configuring DHCPv6 Server and Relay Settings ...

Page 1085: ...v CLI DiffServ Configuration Examples DiffServ Overview Standard IP based networks are designed to provide best effort data delivery service Best effort service implies that the network delivers the data in a timely fashion although there is no guarantee that it will During times of congestion packets may be delayed sent sporadically or dropped For typical Internet applications such as email and f...

Page 1086: ...rConnect 7000 Series switches you must determine the QoS requirements for the network as a whole The requirements are expressed in terms of rules which are used to classify inbound or outbound traffic on a particular interface What Are the Elements of DiffServ Configuration During configuration you define DiffServ rules in terms of classes policies and services Class A class consists of a set of r...

Page 1087: ...tem uses IP Precedence or IP DSCP marking Policing packets by dropping or re marking those that exceed the class s assigned data rate Counting the traffic within the class Service Assigns a policy to an interface for inbound traffic Default DiffServ Values Table 39 1 shows the global default values for DiffServ Table 39 1 DiffServ Global Defaults Parameter Default Value DiffServ Enabled Classes No...

Page 1088: ...tch For details about the fields on a page click at the top of the page DiffServ Configuration Use the DiffServ Configuration page to display the DiffServ administrative mode setting as well as the current and maximum number of rows in each of the main DiffServ private MIB tables To display the page click Quality of Service Differentiated Services DiffServ Configuration in the navigation panel Fig...

Page 1089: ...he page click Quality of Service Differentiated Services Class Configuration in the navigation panel Figure 39 2 DiffServ Class Configuration Adding a DiffServ Class To add a DiffServ class 1 From the DiffServ Class Configuration page click Add to display the Add Class page Figure 39 3 Add DiffServ Class 2 Enter a name for the class and select the protocol to use for class match criteria ...

Page 1090: ... Show All Figure 39 4 View DiffServ Class Summary Class Criteria Use the DiffServ Class Criteria page to define the criteria to associate with a DiffServ class As packets are received these DiffServ classes are used to identify packets To display the page click Quality of Service Differentiated Services Class Criteria in the navigation panel ...

Page 1091: ...Configuring Differentiated Services 1091 Figure 39 5 DiffServ Class Criteria ...

Page 1092: ...n of classes with one or more policy statements To display the page click Quality of Service Differentiated Services Policy Configuration in the navigation panel Figure 39 6 DiffServ Policy Configuration Adding a New Policy Name To add a policy 1 From the DiffServ Policy Configuration page click Add to display the Add Policy page ...

Page 1093: ...ted Services 1093 Figure 39 7 Add DiffServ Policy 2 Enter the new Policy Name 3 Click Apply to save the new policy 4 To view a summary of the policies configured on the switch click Show All Figure 39 8 View DiffServ Policies ...

Page 1094: ...e to associate a class to a policy and to define attributes for that policy class instance To display the page click Quality of Service Differentiated Services Policy Class Definition in the navigation panel Figure 39 9 DiffServ Policy Class Definition To view a summary of the policy attributes click Show All ...

Page 1095: ...arked with either an IP DSCP IP precedence or CoS value 1 Select Marking from the Traffic Conditioning drop down menu on the DiffServ Policy Class Definition page The Packet Marking page displays Figure 39 11 Policy Class Definition Packet Marking 2 Select IP DSCP IP Precedence or Class of Service to mark for this policy class 3 Select or enter a value for this field 4 Click Apply to define the po...

Page 1096: ...icing page displays the Policy Name Class Name and Policing Style Select a value for the following fields Color Mode The type of color policing used Color Blind or Color Aware Conform Action Selector The action taken on packets that are considered conforming below the police rate Options are Send Drop Mark CoS Mark IP DSCP Mark IP Precedence Violate Action The action taken on packets that are cons...

Page 1097: ...age to activate a policy on a port To display the page click Quality of Service Differentiated Services Service Configuration in the navigation panel Figure 39 13 DiffServ Service Configuration To view a summary of the services configured on the switch click Show All Figure 39 14 DiffServ Service Summary ...

Page 1098: ...the DiffServ Service Detailed Statistics page to display packet details for a particular port and class To display the page click Quality of Service Differentiated Services Service Detailed Statistics in the navigation panel Figure 39 15 DiffServ Service Detailed Statistics ...

Page 1099: ... to create a mirroring session in which the traffic that matches the specified policy and member class is mirrored to a destination port To display the Flow Based Mirroring page click Switching Ports Traffic Mirroring Flow Based Mirroring in the navigation panel Figure 39 16 Flow Based Mirroring ...

Page 1100: ...on mode diffserv Set the DiffServ operational mode to active exit Exit to Privileged EXEC mode show diffserv Display the DiffServ general information which includes the current administrative mode setting as well as the current and maximum number of DiffServ components CLI Command Description configure Enter global configuration mode class map match all class map name Define a new DiffServ class a...

Page 1101: ...Serv Code Point DSCP field in a packet match ip precedence Add to the specified class definition a match condition based on the value of the IP match ip tos Add to the specified class definition a match condition based on the value of the IP TOS field in a packet match protocol Add to the specified class definition a match condition based on the value of the IP Protocol field in a packet using a s...

Page 1102: ...ap match all class map name ipv6 Define a new DiffServ class match any Configure a match condition for all the packets match class map Add to the specified class definition the set of match conditions defined for another class match dstip6 Add to the specified class definition a match condition based on the destination IPv6 address of a packet match dstl4port Add to the specified class definition ...

Page 1103: ...o the specified class definition a match condition based on the source IPv6 address of a packet match srcl4port Add to the specified class definition a match condition based on the source layer 4 port of a packet using a single keyword a numeric notation or a numeric range notation CLI Command Description configure Enter global configuration mode policy map policy name in Create a new DiffServ pol...

Page 1104: ...m action drop set cos transmit cos set prectransmit cos set dscp transmit dscpval transmit violateaction drop set cos transmit cos set prec transmit cos set dscp transmit dscpval transmit Establish the traffic policing style for the specified class The simple form of the police command uses a single data rate and burst size resulting in two outcomes conform and nonconform datarate Data rate in kil...

Page 1105: ...ue Mark all packets for the associated traffic stream with the specified IP DSCP value mark ip precedence value Mark all packets for the associated traffic stream with the specified IP precedence value range 0 7 mirror interface redirect interface Use mirror to mirror all packets for the associated traffic stream that matches the defined class to the specified destination port or LAG Use redirect ...

Page 1106: ...Global Configuration mode for all system interfaces or Interface Configuration mode for a specific interface exit Exit to Privilege Exec mode show diffserv service brief in out Display all interfaces in the system to which a DiffServ policy has been attached show diffserv service interface interface in out Display policy service information for the specified interface where interface is replaced b...

Page 1107: ...nternet or other external network to different departments within a company Each of four departments has its own Class B subnet that is allocated 25 of the available bandwidth on the port accessing the Internet Figure 39 17 DiffServ Internet Access Example Network Diagram Finance Marketing Test Development Internet Layer 3 Switch Port 1 0 5 Outbound 1 0 1 1 0 2 1 0 3 1 0 4 Source IP 172 16 10 0 25...

Page 1108: ...5 255 255 0 console config classmap exit console config class map match all test_dept console config classmap match srcip 172 16 30 0 255 255 255 0 console config classmap exit console config class map match all development_dept console config classmap match srcip 172 16 40 0 255 255 255 0 console config classmap exit 3 Create a DiffServ policy for inbound traffic named internet_access adding the ...

Page 1109: ...ig policy map exit 4 Attach the defined policy to Gigabit Ethernet interfaces 1 0 1 through 1 0 4 in the inbound direction console config interface gigabitethernet 1 0 1 console config if Gi1 0 1 service policy in internet_access console config if Gi1 0 1 exit console config interface gigabitethernet 1 0 2 console config if Gi1 0 2 service policy in internet_access console config if Gi1 0 2 exit c...

Page 1110: ...ng by default The DiffServ inbound policy designates that these queues are to be used for the departmental traffic through the assign queue attribute It is presumed that the switch will forward this traffic to Gigabit Ethernet interface 1 0 1 based on a normal destination address lookup for internet traffic console config interface gigabitethernet 1 0 5 console config if Gi1 0 5 cos queue min band...

Page 1111: ...ample shows one way to provide the necessary quality of service how to set up a class for UDP traffic have that traffic marked on the inbound side and then expedite the traffic on the outbound side The configuration script is for Router 1 in the accompanying diagram a similar script should be applied to Router 2 Figure 39 18 DiffServ VoIP Example Network Diagram Internet Layer 3 Switch Operating a...

Page 1112: ... DiffServ code point DSCP of EF expedited forwarding This handles incoming traffic that was previously marked as expedited elsewhere in the network console config class map match all class_ef console config classmap match ip dscp ef console config classmap exit 4 Create a DiffServ policy for inbound traffic named pol_voip then add the previously created classes class_ef and class_voip as instances...

Page 1113: ...licy classmap exit console config policy map exit 5 Attach the defined policy to an inbound service interface console config interface gigabitethernet 1 0 1 console config if Gi1 0 1 service policy in pol_voip console config if Gi1 0 1 exit console config exit ...

Page 1114: ...1114 Configuring Differentiated Services ...

Page 1115: ...s chapter include CoS Overview Default CoS Values Configuring CoS Web Configuring CoS CLI CoS Configuration Example CoS Overview The CoS feature lets you give preferential treatment to certain types of traffic over others To set up this preferential treatment you can configure the ingress ports the egress ports and individual queues on the egress ports to provide customization that suits your envi...

Page 1116: ...ed within packets arriving on the port You can configure ports to trust priority designations based on one of the following fields in the packet header 802 1 Priority values 0 7 IP DSCP values 0 63 A mapping table associates the designated field values in the incoming packet headers with a traffic class priority actually a CoS traffic queue Ports in Untrusted Mode If you configure an ingress port ...

Page 1117: ...ue for determining which packets are dropped when the queue is full Taildrop Any packet forwarded to a full queue is dropped regardless of its importance Weighted Random Early Detection WRED drops packets selectively based their drop precedence level For each of four drop precedence levels on each WRED enabled interface queue you can configure the following parameters Minimum Threshold A percentag...

Page 1118: ...p CoS value to queue mapping 802 1p CoS Queue 0 3 1 1 2 0 4 5 2 6 7 3 IP DSCP value to queue mapping IP DSCP Queue 0 7 24 31 1 8 23 0 32 47 2 48 63 3 Interface Shaping Rate 0 Kbps Minimum Bandwidth 0 Scheduler Type Weighted Queue Management Type Taildrop Drop Precedence Level 1 WRED Decay Exponent 9 WRED Minimum Threshold 40 WRED Maximum Threshold 100 WRED Drop Probability Scale 10 ...

Page 1119: ...ck at the top of the page Mapping Table Configuration Use the Mapping Table Configuration page to define how class of service is assigned to a packet To display the page click Quality of Service Class of Service Mapping Table Configuration in the navigation panel CoS 802 1P is the default mode so this is the page that displays when Mapping Table Configuration is selected from the Class of Service ...

Page 1120: ...1120 Configuring Class of Service To access the DSCP Queue Mapping Table click the DSCP Queue Mapping Table link at the top of the page Figure 40 2 DSCP Queue Mapping Table ...

Page 1121: ... the decay exponent for WRED queues defined on the interface Each interface CoS parameter can be configured globally or per port A global configuration change is applied to all interfaces in the system To display the Interface Configuration page click Quality of Service Class of Service Interface Configuration in the navigation panel Figure 40 3 Interface Configuration ...

Page 1122: ...ing method and the queue management method The configuration process is simplified by allowing each CoS queue parameter to be configured globally or per port A global configuration change is applied to the same queue ID on all ports in the system To display the Interface Queue Configuration page click Quality of Service Class of Service Interface Queue Configuration in the navigation panel Figure ...

Page 1123: ...led interface queue The settings you configure control the minimum and maximum thresholds and a drop probability scaling factor for the selected drop precedence level These parameters can be applied to each drop precedence level on a per interface queue basis or can be set globally for the same drop precedence level and queue ID on all interfaces To display the Interface Queue Drop Precedence Conf...

Page 1124: ...1124 Configuring Class of Service Figure 40 5 Interface Queue Drop Precedence Configuration To access the Interface Queue Drop Precedence Status page click the Show All link at the top of the page ...

Page 1125: ...t unit slot port or port channel port channel number classofservice dotlp mapping priority Map an 802 1p priority to an internal traffic class for a switch You can also use this command in Global Configuration mode to configure the same mappings on all interfaces classofservice trust dot1p ip dscp untrusted Set the class of service trust mode of an interface exit Exit to Global Config mode exit Ex...

Page 1126: ...e bw variable represents the shaping bandwidth value from 64 to 4294967295 kbps random detect exponential weighting constant exponent Configure the WRED decay exponent range 0 15 for the interface CLI Command Description configure Enter Global Configuration mode interface interface Enter Interface Configuration mode where interface is replaced by gigabitethernet unit slot port tengigabitethernet u...

Page 1127: ...n mode where interface is replaced by gigabitethernet unit slot port tengigabitethernet unit slot port or port channel port channel number random detect queue parms queue id queue id min thresh min1 min2 min3 min4 max thresh max1 max2 max3 max4 drop prob prob1 prob2 prob3 prob4 Configure the maximum and minimum thresholds for one or more queue IDs on a WRED enabled interface queue You can also use...

Page 1128: ...hich serves to direct packets A B and D to their respective queues on the egress port These three packets utilize the 802 1p to CoS Mapping Table for port 1 0 10 In this example the 802 1p user priority 3 is configured to send the packet to queue 5 instead of the default queue 3 Since packet C does not contain a VLAN tag the 802 1p user priority does not exist so Port 1 0 10 relies on its default ...

Page 1129: ...r packets at the egress port The following commands configure Port 10 ingress interface and Port 8 egress interface 1 Configure the Trust mode for Port 10 console config console config interface gigabitethernet 1 0 10 console config if Gi1 0 10 classofservice trust dot1p 2 For Port 10 configure the 802 1p user priority 3 to send the packet to queue 5 instead of the default queue queue 3 console co...

Page 1130: ...1130 Configuring Class of Service ...

Page 1131: ... above data packets in order to provide better QoS The topics covered in this chapter include Auto VoIP Overview Default Auto VoIP Values Configuring Auto VoIP Web Configuring Auto VoIP CLI Auto VoIP Overview The Auto VoIP feature explicitly matches VoIP streams in Ethernet switches and provides them with a better class of service than ordinary traffic If you enable the Auto VoIP feature on an int...

Page 1132: ... a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page Auto VoIP Global Configuration Use the Global Configuration page to enable or disable Auto VoIP on all interfaces To display the Auto VoIP Global Configuration page click Quality of Service Auto VoIP Global Configuration in the navigation menu Figure 41 1 Auto VoIP Global Configuration Table 41 1...

Page 1133: ...se the Interface Configuration page to enable or disable Auto VoIP on a particular interface To display the Interface Configuration page click Quality of Service Auto VoIP Interface Configuration in the navigation menu Figure 41 2 Auto VoIP Interface Configuration ...

Page 1134: ...1134 Configuring Auto VoIP To display summary Auto VoIP configuration information for all interfaces click the Show All link at the top of the page Figure 41 3 Auto VoIP ...

Page 1135: ...he following commands in to enable Auto VoIP and view its configuration CLI Command Description configure Enter Global Configuration mode switchport voice detect auto Enable the VoIP Profile on all the interfaces of the switch You can also enter Interface Configuration mode and use the same command to enable it on a specific interface exit Exit to Global Configuration Exec mode exit Exit to Privil...

Page 1136: ...1136 Configuring Auto VoIP ...

Page 1137: ... to hosts who are members of the multicast group Multicast enables efficient use of network bandwidth because each multicast datagram needs to be transmitted only once on each network link regardless of the number of destination hosts Multicasting contrasts with IP unicasting which sends a separate datagram to each recipient host The IP routing protocols can route multicast traffic but the IP mult...

Page 1138: ...s connected to the network This approach works well for broadcast packets that are intended to be seen or processed by all connected nodes In the case of multicast packets however this approach could lead to less efficient use of network bandwidth particularly when the packet is intended for only a small number of nodes Packets will be flooded into network segments where no node has any interest i...

Page 1139: ...ers must also be able to construct a multicast distribution tree that enables forwarding multicast datagrams only on the links that are required to reach a destination group member Protocols such as DVMRP and PIM handle this function IGMP and MLD are multicast group discovery protocols that are used between the clients and the local multicast router PIM SM PIM DM and DVMRP are multicast routing pr...

Page 1140: ...ast routing on the switch is recommended Determining Which Multicast Protocols to Enable IGMP is recommended on any switch that participates in IPv4 multicasting MLD is recommended on any switch that participates in IPv6 multicasting PIM DM PIM SM and DVMRP are multicast routing protocols that help determine the best route for IP PIM and DVMRP and IPv6 PIM multicast traffic For more information ab...

Page 1141: ...protocol The PowerConnect 7000 Series switch supports IGMP Version 3 Version 3 adds support for source filtering which is the ability for a system to report interest in receiving packets only from specific source addresses as required to support Source Specific Multicast SSM or from all but specific source addresses sent to a particular multicast address Version 3 is designed to be interoperable w...

Page 1142: ...nterest to its neighboring nodes and provides this information to the active multicast routing protocol that makes decisions on the flow of multicast data packets The Multicast router sends General Queries periodically to request multicast address listeners information from systems on an attached network These queries are used to build and refresh the multicast address listener state on attached n...

Page 1143: ...th is a constraint PIM SM uses shared trees by default and implements source based trees for efficiency it assumes that no hosts want the multicast traffic unless they specifically ask for it It creates a shared distribution tree centered on a defined rendezvous point RP from which source traffic is relayed to the receivers Senders first send the multicast data to the RP which in turn sends the da...

Page 1144: ...creates source based shortest path distribution trees that make use of reverse path forwarding RPF PIM DM assumes that when a sender starts sending data all downstream routers and hosts want to receive a multicast datagram PIM DM initially floods multicast traffic throughout the network Routers that do not have any downstream neighbors prune back the unwanted traffic In addition to PRUNE messages ...

Page 1145: ... DVMRP exchanges report packets and creates a unicast topology table with which it builds the multicast routing table This table is used to route the multicast packets Since every DVMRP router uses the same unicast routing protocol routing loops are avoided Understanding DVMRP Multicast Packet Routing DVMRP is based on RIP it forwards multicast datagrams to other routers in the AS and constructs a...

Page 1146: ...Series switch handles inter VLAN routing for IP traffic including IP multicast traffic multicast routing might be required on the switch DVRMP is best suited for small networks where the majority of hosts request a given multicast traffic stream DVMRP is similar to PIM DM in that it floods multicast packets throughout the network and prunes branches where the multicast traffic is not desired DVMRP...

Page 1147: ...red Interface TTL Threshold 1 IGMP Defaults IGMP Admin Mode Disabled globally and on all interfaces IGMP Version v3 IGMP Robustness 2 IGMP Query Interval 125 seconds IGMP Query Max Response Time 100 seconds IGMP Startup Query Interval 31 seconds IGMP Startup Query Count 2 IGMP Last Member Query Interval 1 second IGMP Last Member Query Count 2 IGMP Proxy Interface Mode Disabled IGMP Proxy Unsolicit...

Page 1148: ...rune Interval 60 seconds when enabled on an interface PIM SM BSR Border Disabled PIM SM DR Priority 1 when enabled on an interface PIM Candidate Rendezvous Points RPs None configured PIM Static RP None configured PIM Source Specific Multicast SSM Range None configured Default SSM group address is 232 0 0 0 8 for IPv4 multicast and ff3x 32 for IPv6 multicast PIM BSR Candidate Hash Mask Length 30 IP...

Page 1149: ...tocol specific on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page Multicast Global Configuration Use the Global Configuration page to configure the administrative status of Multicast Forwarding in the router and to display global multicast parameters To display the page click IPv4 Multicast Multicast Global Configuration in the navigation panel...

Page 1150: ...ge to configure the TTL threshold of a multicast interface At least one VLAN routing interface must be configured on the switch before fields display on this page To display the page click IPv4 Multicast Multicast Interface Configuration in the navigation panel Figure 42 2 Multicast Interface Configuration ...

Page 1151: ... Route Table Use the Route Table page to view information about the multicast routes in the IPv4 multicast routing table To display the page click IPv4 Multicast Multicast Multicast Route Table Multicast Route Table Figure 42 3 Multicast Route Table ...

Page 1152: ...en range of multicast addresses on a given routing interface Use the Admin Boundary Configuration page to configure a new or existing administratively scoped boundary To see this page you must have configured a valid routing interface and multicast To display the page click IPv4 Multicast Multicast Admin Boundary Configuration in the navigation panel Figure 42 4 Multicast Admin Boundary Configurat...

Page 1153: ...in Boundary Summary Use the Admin Boundary Summary page to display existing administratively scoped boundaries To display the page click IPv4 Multicast Multicast Admin Boundary Summary in the navigation panel Figure 42 5 Multicast Admin Boundary Summary ...

Page 1154: ... Use the Static MRoute Configuration page to configure a new static entry in the Mroute table or to modify an existing entry To display the page click IPv4 Multicast Multicast Static MRoute Configuration in the navigation panel Figure 42 6 Multicast Static MRoute Configuration ...

Page 1155: ... Static MRoute Summary Use the Static MRoute Summary page to display static routes and their configurations To display the page click IPv4 Multicast Multicast Static MRoute Summary in the navigation panel Figure 42 7 Multicast Static MRoute Summary ...

Page 1156: ...cast features that are not protocol specific on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page IPv6 Multicast Route Table Use the Multicast Route Table page to view information about the multicast routes in the IPv6 multicast routing table To display the page click IPv6 Multicast Multicast Multicast Route Table Figure 42 8 IPv6 Multicast Route...

Page 1157: ...toring the IGMP and IGMP proxy features on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page IGMP Global Configuration Use the Global Configuration page to set IGMP on the system to active or inactive To display the page click IPv4 Multicast IGMP Global Configuration in the navigation panel Figure 42 9 IGMP Global Configuration ...

Page 1158: ... and or display router interface parameters You must configure at least one valid routing interface before you can access this page and configure IP Multicast IGMP To display the page click IPv4 Multicast IGMP Routing Interface Interface Configuration in the navigation panel Figure 42 10 IGMP Interface Configuration ...

Page 1159: ...ace Summary page to display IGMP routing parameters and data You must configure at least one IGMP router interface to access this page To display the page click IPv4 Multicast IGMP Routing Interface Interface Summary in the navigation panel Figure 42 11 IGMP Interface Summary ...

Page 1160: ...che parameters and data for an IP multicast group address Group membership reports must have been received on the selected interface for data to display on the page To display the page click IPv4 Multicast IGMP Routing Interface Cache Information in the navigation panel Figure 42 12 IGMP Cache Information ...

Page 1161: ...lay detailed membership information for an interface Group membership reports must have been received on the selected interface for data to display information To display the page click IPv4 Multicast IGMP Routing Interface Source List Information in the navigation panel Figure 42 13 IGMP Interface Source List Information ...

Page 1162: ...eature acts as proxy to all hosts residing on its router interfaces Use the Interface Configuration page to configure IGMP proxy for an interface You must have configured at least one router interface before configuring or displaying data for an IGMP proxy interface and it should not be an IGMP routing interface To display the page click IPv4 Multicast IGMP Proxy Interface Interface Configuration ...

Page 1163: ...to display proxy interface configurations by interface You must have configured at least one router interface configured before data displays on this page To display the page click IPv4 Multicast IGMP Proxy Interface Configuration Summary in the navigation panel Figure 42 15 IGMP Proxy Configuration Summary ...

Page 1164: ...igured at least one router interface before you can display interface membership information and it should not be an IGMP routing interface Also if no group membership reports have been received on the selected interface no data displays on this page To display the page click IPv4 Multicast IGMP Proxy Interface Interface Membership Info in the navigation panel Figure 42 16 IGMP Proxy Interface Mem...

Page 1165: ...t one router interface before you can display detailed interface membership information and it should not be an IGMP routing interface Also if no group membership reports have been received on the selected interface you cannot display data To display the page click IPv4 Multicast IGMP Proxy Interface Interface Membership Info Detailed in the navigation panel Figure 42 17 IGMP Proxy Interface Membe...

Page 1166: ...ring the MLD and MLD proxy features on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page MLD Global Configuration Use the Global Configuration page to administratively enable and disable the MLD service To display the page click IPv6 Multicast MLD Global Configuration in the navigation panel Figure 42 18 MLD Global Configuration ...

Page 1167: ...ted IPv6 router interfaces to discover the presence of multicast listeners the nodes who wish to receive the multicast data packets on its directly attached interfaces To access this page click IPv6 Multicast MLD Routing Interface Interface Configuration in the navigation panel Figure 42 19 MLD Routing Interface Configuration ...

Page 1168: ...ge to display information and statistics on a selected MLD enabled interface You must configure at least one IGMP router interface to access this page To access this page click IPv6 Multicast MLD Routing Interface Interface Summary in the navigation panel Figure 42 20 MLD Routing Interface Summary ...

Page 1169: ...n reported to operational MLD routing interfaces You must configure at least one MLD router interface to access this page Also group membership reports must have been received on the selected interface in order for data to be displayed here To access this page click IPv6 Multicast MLD Routing Interface Cache Information in the navigation panel Figure 42 21 MLD Routing Interface Cache Information ...

Page 1170: ...an interface You must configure at least one MLD router interface to access this page Also group membership reports must have been received on the selected interface in order for data to be displayed here To access this page click IPv6 Multicast MLD Routing Interface Source List Information in the navigation panel Figure 42 22 MLD Routing Interface Source List Information ...

Page 1171: ...171 MLD Traffic The MLD Traffic page displays summary statistics on the MLD messages sent to and from the router To access this page click IPv6 Multicast MLD Routing Interface MLD Traffic in the navigation panel Figure 42 23 MLD Traffic ...

Page 1172: ... membership reports on one interface for MLD Membership reports received on all other MLD enabled router interfaces Use the Interface Configuration page to enable and disable ports as MLD proxy interfaces To display this page click IPv6 Multicast MLD Proxy Interface Interface Configuration in the navigation panel Figure 42 24 MLD Proxy Interface Configuration ...

Page 1173: ...Summary Use the Configuration Summary page to view configuration and statistics on MLD proxy enabled interfaces To display this page click IPv6 Multicast MLD Proxy Interface Configuration Summary in the navigation panel Figure 42 25 MLD Proxy Configuration Summary ...

Page 1174: ...terface Membership Information page lists each IP multicast group for which the MLD proxy interface has received membership reports To display this page click IPv6 Multicast MLD Proxy interface Interface Membership Info in the navigation panel Figure 42 26 Interface Membership Information ...

Page 1175: ...ation Detailed page provides additional information about the IP multicast groups for which the MLD proxy interface has received membership reports To display this page click IPv6 Multicast MLD Proxy Interface Interface Membership Info Detailed in the navigation panel Figure 42 27 Interface Membership Information Detailed ...

Page 1176: ... Use the Global Configuration page to configure the administrative status of PIM DM or PIM SM on the switch To display the page click IPv4 Multicast PIM Global Configuration or IPv6 Multicast PIM Global Configuration in the navigation panel Figure 42 28 PIM DM Global Configuration NOTE The OpenManage Switch Administrator pages to configure IPv4 multicast routing and IPv6 multicast routing is very ...

Page 1177: ...Managing IPv4 and IPv6 Multicast 1177 If you select PIM SM as the PIM protocol additional fields appear as Figure 42 29 shows Figure 42 29 PIM SM Global Configuration ...

Page 1178: ...Status Use the Global Status page to view the administrative status of PIM DM or PIM SM on the switch To display the page click IPv4 Multicast PIM Global Status or IPv6 Multicast PIM Global Status in the navigation panel Figure 42 30 PIM Global Status ...

Page 1179: ...tion Use the Interface Configuration page to configure specific interfaces with PIM To display the page click IPv4 Multicast PIM Interface Configuration or IPv6 Multicast PIM Interface Configuration in the navigation panel Figure 42 31 PIM Interface Configuration ...

Page 1180: ...face Summary Use the Interface Summary page to display a PIM interface and its settings To display the page click IPv4 Multicast PIM Interface Summary or IPv6 Multicast PIM Interface Summary in the navigation panel Figure 42 32 PIM Interface Summary ...

Page 1181: ...figured rendezvous points RPs for each port using PIM To access the page click IPv4 Multicast PIM Candidate RP Configuration or IPv6 Multicast PIM Candidate RP Configuration Figure 42 33 Candidate RP Configuration Adding a Candidate RP To add PIM Candidate rendezvous points RPs for each IP multicast group 1 Open the Candidate RP Configuration page 2 Click Add The Add Candidate RP page displays ...

Page 1182: ... configured 4 Enter the group address transmitted in Candidate RP Advertisements 5 Enter the prefix length transmitted in Candidate RP Advertisements to fully identify the scope of the group which the router supports if elected as a Rendezvous Point 6 Click Apply Changes The new Candidate RP is added and the device is updated ...

Page 1183: ...e PIM domain uses the BSR to dynamically learn the RP configuring a static RP is not required However you can configure the static RP to override any dynamically learned RP from the BSR To access the page click IPv4 Multicast PIM Static RP Configuration or IPv6 Multicast PIM Static RP Configuration Figure 42 35 Static RP Configuration Adding a Static RP To add a static RP for the PIM router 1 Open...

Page 1184: ... of the RP for the group range 4 Enter the group address of the RP 5 Enter the group mask of the RP 6 Check the Override option to configure the static RP to override the dynamic candidate RPs learned for same group ranges 7 Click Apply The new Static RP is added and the device is updated ...

Page 1185: ...uter To display the page click IPv4 Multicast PIM SSM Range Configuration or IPv6 Multicast PIM SSM Range Configuration Figure 42 37 SSM Range Configuration Adding an SSM Range To add the Source Specific Multicast SSM Group IP Address and Group Mask IPv4 or Prefix Length IPv6 for the PIM router 1 Open the SSM Range Configuration page 2 Click Add The Add SSM Range page displays ...

Page 1186: ...SM Range check box to add the default SSM Range The default SSM Range is 232 0 0 0 8 for IPv4 multicast and ff3x 32 for IPv6 multicast 4 Enter the SSM Group IP Address 5 Enter the SSM Group Mask IPv4 or SSM Prefix Length IPv6 6 Click Apply The new SSM Range is added and the device is updated ...

Page 1187: ...n Use this page to configure information to be used if the interface is selected as a bootstrap router To display the page click IPv4 Multicast PIM BSR Candidate Configuration or IPv6 Multicast PIM BSR Candidate Configuration Figure 42 39 BSR Candidate Configuration ...

Page 1188: ...SR Candidate Summary Use this page to display information about the configured BSR candidates To display this page click IPv4 Multicast PIM BSR Candidate Summary or IPv6 Multicast PIM BSR Candidate Summary Figure 42 40 BSR Candidate Summary ...

Page 1189: ...ng and monitoring DVRMP on a PowerConnect 7000 Series switch For details about the fields on a page click at the top of the page DVMRP Global Configuration Use the Global Configuration page to configure global DVMRP settings To display the page click IPv4 Multicast DVMRP Global Configuration in the navigation panel Figure 42 41 DVMRP Global Configuration ...

Page 1190: ...t configure at least one router interface before you configure a DVMRP interface Otherwise you see a message telling you that no router interfaces are available and the configuration screen is not displayed To display the page click IPv4 Multicast DVMRP Interface Configuration in the navigation panel Figure 42 42 DVMRP Interface Configuration ...

Page 1191: ...ce You must configure at least one router interface before you can display data for a DVMRP interface Otherwise you see a message telling you that no router interfaces are available and the configuration summary screen is not displayed To display the page click IPv4 Multicast DVMRP Configuration Summary in the navigation panel Figure 42 43 DVMRP Configuration Summary ...

Page 1192: ...ulticast DVMRP Next Hop Summary Use the Next Hop Summary page to display the next hop summary by Source IP To display the page click IPv4 Multicast DVMRP Next Hop Summary in the navigation panel Figure 42 44 DVMRP Next Hop Summary ...

Page 1193: ...6 Multicast 1193 DVMRP Prune Summary Use the Prune Summary page to display the prune summary by Group IP To display the page click IPv4 Multicast DVMRP Prune Summary in the navigation panel Figure 42 45 DVMRP Prune Summary ...

Page 1194: ... and IPv6 Multicast DVMRP Route Summary Use the Route Summary page to display the DVMRP route summary To display the page click IPv4 Multicast DVMRP Route Summary in the navigation panel Figure 42 46 DVMRP Route Summary ...

Page 1195: ...a static multicast route for a source range source address The IP address of the multicast data source mask The IP subnet mask of the multicast data source rpf address The IP address of the next hop towards the source preference The cost of the route Range 1 255 interface vlan vlan id Enter Interface Configuration mode for the specified VLAN ip mcast boundary groupipaddr mask Add an administrative...

Page 1196: ...roupipaddr detail summary View the multicast configuration settings such as flags timer settings incoming and outgoing interfaces RPF neighboring routers and expiration times of all the entries in the multicast mroute table containing the groupipaddr value show ip mcast mroute source sourceipaddr summary groupipaddr View the multicast configuration settings such as flags timer settings incoming an...

Page 1197: ...nterfaces or for the specified interface show ipv6 mroute detail summary View a summary or all the details of the multicast table show ipv6 mroute group groupipaddr detail summary View the multicast configuration settings such as flags timer settings incoming and outgoing interfaces RPF neighboring routers and expiration times of all the entries in the multicast mroute table containing the groupip...

Page 1198: ...to have significant loss the robustness variable may be increased for the interface The range for robustness is 1 255 ip igmp query interval seconds Configure the query interval for the specified interface The query interval determines how fast IGMP Host Query packets are transmitted on this interface The range for seconds is 0 3600 seconds ip igmp query max response time seconds Configure the max...

Page 1199: ... no local members on the interface The range for count is 1 20 CTRL Z Exit to Privileged EXEC mode show ip igmp View system wide IGMP information show ip igmp interface vlan vlan id View IGMP information for all interfaces or for the specified interface show ip igmp interface stats vlan vlan id View IGMP statistics for all interfaces or for the specified interface show ip igmp groups interface vla...

Page 1200: ...bal configuration mode interface vlan vlan id Enter Interface Configuration mode for the specified VLAN ip igmp proxy Configure the interface as an IGMP proxy interface ip igmp proxy reset status Optional Reset the host interface status parameters of the IGMP Proxy ip igmp proxy unsolicit rprt interval seconds Configure the unsolicited report interval for the IGMP proxy interface The range for sec...

Page 1201: ...nterval determines how fast MLD Host Query packets are transmitted on this interface The range for seconds is 0 3600 seconds ipv6 mld query max response time seconds Configure the maximum response time interval for the specified interface It is the maximum query response time advertised in MLD queries on this interface The range for seconds is 0 25 seconds ipv6 mld last member query interval tenth...

Page 1202: ...nterface vlan vlan id View the registered multicast groups on the interface show ip igmp membership View the list of interfaces that have registered in any multicast group NOTE Configure only the upstream interface as the MLD proxy MLD should be enabled on all downstream interfaces IPv6 routing must be enabled on the switch for the MLD proxy feature to operate Command Purpose configure Enter globa...

Page 1203: ...mation about multicast groups that MLD Proxy reported This command displays information only when MLD Proxy is operational Command Purpose configure Enter global configuration mode ip pim dense Enable PIM DM on the switch interface vlan vlan id Enter Interface Configuration mode for the specified VLAN ip pim Enable PIM DM on the interface ip pim hello interval seconds Specify the number of seconds...

Page 1204: ...DM on the switch interface vlan vlan id Enter Interface Configuration mode for the specified VLAN ipv6 pimdm Enable PIM DM on the interface ipv6 pimdm hello interval seconds Specify the number of seconds range 0 65535 to wait between sending PIM hello messages on the interface exit Exit to Privileged EXEC mode show ipv6 pim View system wide PIM DM information show ipv6 pimdm interface vlan vlan id...

Page 1205: ...ate vlan vlan id hash mask length priority Configure the switch to announce its candidacy as a bootstrap router BSR vlan id A valid VLAN ID hash mask length The length of a mask that is to be ANDed with the group address before the hash function is called All groups with the same seed hash correspond to the same RP For example if this value is 24 only the first 24 bits of the group addresses matte...

Page 1206: ...ecified VLAN ip pim hello interval seconds Specify the number of seconds range 0 65535 to wait between sending PIM hello messages on the interface ip pim bsr border Prevent bootstrap router BSR messages from being sent or received through the interface ip pim dr priority priority Set the priority value for which a router is elected as the designated router DR The election priority range is 0 21474...

Page 1207: ... by using a hash algorithm show ip pim bsr View the bootstrap router BSR information show ip pim rp mapping View group to RP mappings of which the router is aware either configured or learned from the BSR Command Purpose configure Enter global configuration mode ipv6 pimsm Enable PIM SM as the multicast routing protocol on the switch ipv6 pim spt threshold threshold Set the Data Threshold rate in ...

Page 1208: ...didate vlan vlan id group address prefix length Configure the router to advertise itself as a PIM candidate rendezvous point RP to the bootstrap router BSR vlan id A valid VLAN ID group address prefix length Group IPv6 address and prefix length supported by RP ipv6 pim rp address rp address group address prefix length override Optional Statically configure the RP address for one or more multicast ...

Page 1209: ...al range is 0 18000 seconds exit Exit to Global Config mode exit Exit to Privileged EXEC mode show ipv6 pimsm View system wide PIM DM information show ipv6 pimsm interface vlan vlan id View the PIM SM information for the specified interface show ipv6 pimsm neighbor interface vlan vlan id all View a summary or all the details of the multicast table show ipv6 pimsm rphash groupaddr View the RP route...

Page 1210: ...dvmrp Enable DVMRP on the interface ip dvmrp metric metric Configure the metric range 1 31 for an interface This value is used in the DVMRP messages as the cost to reach this network exit Exit to Privileged EXEC mode show ip dvmrp interface vlan vlan id View the multicast information for the specified interface show ip dvmrp neighbor View neighbor information for DVMRP show ip dvmrp nexthop View t...

Page 1211: ...ulticast routing IGMP snooping is enabled on the VLAN interfaces to control the multicast subscriptions within each VLAN VLAN 10 is statically configured as the RP for the multicast group The configuration in this example takes place on L3 switch A shown in Figure 42 47 The red arrows indicate the path that multicast traffic takes L3 Switch A is configured as the RP for the PIM domain so it is in ...

Page 1212: ...SPF on L3 Switch A STP is configured on the ports that connects the switch to other switches OSPF is configured to route unicast traffic between the VLANs To configure the switch 1 Create the two VLANs console configure console config vlan database Port 23 Port 24 L3 Switch A PIM RP Video Server VLAN 10 Members VLAN 20 Members IGMP Join L3 Switch B L3 Switch C IGMP Join ...

Page 1213: ...config if Gi1 0 24 switchport trunk allowed vlan add 10 console config if Gi1 0 24 exit 4 Enable routing on the switch and configure the OSPF router ID console config ip routing console config router ospf console config router router id 3 3 1 1 console config router exit 5 Configure VLAN 10 as a VLAN routing interface and specify the OSPF area When you assign an IP address to the VLAN routing is a...

Page 1214: ... interface console config if vlan20 ip igmp console config if vlan10 ip igmp version 2 console config if vlan20 ip pim console config if vlan20 exit 9 Globally enable IGMP snooping IP multicast IGMP and PIM SM on the switch console config ip igmp snooping console config ip multicast console config ip igmp console config ip pim sparse 10 Configure VLAN 10 as the RP and specify the range of multicas...

Page 1215: ...ly connected hosts Enabling IGMP is not required if there are no directly connected hosts console config ip igmp 3 Globally enable DVMRP console config ip dvmrp 4 Enable DVMRP and IGMP on VLAN routing interfaces 10 and 20 console config interface vlan 10 console config if vlan10 ip address 192 168 10 1 255 255 255 0 console config if vlan10 ip dvmrp console config if vlan10 ip igmp console config ...

Page 1216: ...1216 Managing IPv4 and IPv6 Multicast ...

Page 1217: ... configuring CLI 900 configuring web 890 authentication key SNTP 285 authentication profile configuring CLI 216 configuring web 184 example 230 understanding 171 authentication purposes 178 authentication server filter assignments 537 authorization network RADIUS 204 auto configuration auto save 383 CLI configuration 387 defaults 385 defined 375 DHCP 390 configuration file 381 image 380 IP address...

Page 1218: ...ridge multicast forwarding 714 bridge multicast group table 711 bridge table 837 broadcast storm control See storm control BSR 1143 C cable test 235 245 and green mode 245 488 candidate BSR 1144 captive portal CLI configuration 473 client management 478 configuring 480 customizing pages 449 defaults 450 defined 445 dependencies 446 design considerations 447 example 479 localization 449 understandi...

Page 1219: ...pts 354 371 configuration saving the 355 Configuring 859 connectivity fault management See IEEE 802 1ag console port connecting to 103 description 85 LED 94 Controlling 169 copy files 363 CoS and iSCSI 432 CLI configuration 1125 configuration example 1128 defaults 1118 defined 1115 queue management methods 1117 traffic queues 1117 traffic shaping 1116 trusted mode ports 1116 untrusted mode ports 1...

Page 1220: ...iguration 874 defaults 861 examples 878 leases 129 options 860 web based configuration 862 DHCP snooping 861 bindings database 783 defaults 787 example 815 logging 784 purpose 787 understanding 782 VLANs 784 DHCPv6 client 1053 defined 75 examples 1081 pool 1066 prefix delegation 1066 relay agent configuring 1083 relay agent understanding 1066 stateless server configuring 1081 stateless server unde...

Page 1221: ... 85 DVMRP defaults 1147 example 1215 understanding 1145 web based configuration 1189 when to use 1146 dynamic LAGs 834 E EAP statistics 404 email alert statistics 258 email alerting 268 log messages 264 energy detect mode 484 energy savings port 484 EqualLogic and iSCSI 433 error messages CLI 109 expansion slots 88 275 F failover stacking 141 file management CLI 364 considerations 353 copying 363 ...

Page 1222: ...ocking prevention 64 health system 242 help accessing web based 107 host name 271 host name mapping 116 HTTP access 223 HTTPS access 223 I IAS database 522 understanding 513 users 530 icons web based interface 100 identification asset tag 271 system contact 271 system location 271 system name 271 IDSP defaults 661 IEEE 802 1ag administrator 765 carrier network 762 configuration CLI 775 configurati...

Page 1223: ...all 378 considerations 353 defined 349 downloading 364 management CLI 364 management web based 356 purpose 351 in band management 117 interface 843 configuration mode 486 loopback 844 OOB 120 routing 843 CLI configuration 855 web configuration 849 routing defaults 847 supported types 486 tunnel 845 internal authentication server see IAS IP ACL configuration 545 defined 541 example 566 IP address c...

Page 1224: ...assigning flows 432 CLI configuration 440 defaults 435 examples 442 flow detection 432 information tracking 433 servers and a disk array 442 understanding 431 using 432 web based configuration 436 ISDP and CDP 55 CLI configuration 678 configuring 679 enabling 679 example 683 understanding 659 web based configuration 663 J jumbo frames 64 L LACP adding a LAG port 828 CLI configuration 833 web based...

Page 1225: ...659 web based configuration 663 LLDP MED and voice VLANs 579 configuring 682 understanding 660 viewing information 683 LLPF defaults 690 example 701 understanding 689 local user database 170 192 215 localization captive portal 449 locating the switch 102 locator LED 90 enabling 102 259 lockout password 231 log server remote 251 logging ACL 542 CLI configuration 259 considerations 239 defaults 239 ...

Page 1226: ...le 227 management access web based configuration 180 management security defaults 178 recommendations 171 management unit stacking 137 management in band and out of band 117 MD5 274 MDI MDIX auto 64 MEP configuring 776 MIB SNMP 313 mirror ACL 541 mirroring flow based 1099 MLD defaults 1147 understanding 1142 web based configuration 1166 MLD snooping configuring 748 defaults 708 787 understanding 7...

Page 1227: ...multicast routing table 1140 multicast tunneling 1141 multicast VLAN registration 706 MVR adding an interface 735 example 757 N netinfo 115 network information CLI configuration 128 default 119 defined 115 example 132 purpose 116 web based configuration 120 network pool DHCP 865 nonstop forwarding see NSF NSF and DHCP snooping 164 and routed access 167 and the storage access network 165 and VoIP 1...

Page 1228: ...d keywords 189 line 194 lockout 231 managing 188 217 protecting management access 58 strong 58 PIM defaults 1147 IPv4 web based configuration 1176 IPv6 web based configuration 1176 PIM DM using 1144 PIM SM using 1143 SSM range 1185 understanding 1143 plug in modules 88 configuring 275 PoE 275 305 port access control 518 characteristics 483 configuration examples 503 configuring multiple 491 defaul...

Page 1229: ...N 574 Q queues CoS 1117 R RADIUS configuring 219 contact order 176 defaults 178 DiffServ filters 512 primary and secondary servers 228 server configuration 198 server groups 176 understanding 174 RAM log 249 real time clock 272 redirect ACL 541 relay agent DHCPv6 1066 relay DHCP 907 remote logging 262 rendezvous point PIM 1143 reset button 86 RIP CLI configuration 1014 defaults 1008 determining ro...

Page 1230: ... configuring 902 IPv6 1062 RSA keys 211 RSTP understanding 629 running config saving 355 S save system settings 355 SDM template configuration guidelines 274 managing 301 understanding 273 security management 213 configuration examples 227 defaults 178 recommendations 171 understanding 169 port defined 513 port based CLI configuration 524 defaults 514 examples 531 web based configuration 515 setup...

Page 1231: ... LED 86 stacking adding a switch 138 and NSF 57 CLI configuration 155 defaults 145 defined 135 design consideration 143 failover example 158 failover initiating 141 file management 355 firmware synchronization 140 firmware update 140 MAC address table 838 MAC addresses 143 management unit 137 NSF usage scenario 157 preconfiguration 160 purpose 144 removing a switch 139 standby 140 switch compatibi...

Page 1232: ...ose 272 web based configuration 278 system LEDs 86 system time 274 T TACACS defaults 178 host information 196 server configuring 221 understanding 172 tagging VLAN 575 telnet configuration options 59 connecting to the switch 104 TFTP image download 364 time domain reflectometry 245 time range 564 time zone 292 time setting the system 312 time based ACLs 542 569 traffic class queue 432 traffic cont...

Page 1233: ... 574 RADIUS assigned 204 536 routing interfaces 843 855 static 574 switchport modes 574 trunk port 605 understanding 571 voice 578 voice traffic 578 voice example 627 voice understanding 577 web based configuration 582 VLAN membership defining 582 VLAN priority tag and iSCSI 432 VLAN routing 843 845 VLAN tagging 575 voice traffic identifying 578 voice VLAN 578 and LLDP MED 579 example 627 understa...

Page 1234: ...1234 Index understanding 1021 web based configuration 1026 W web based configuration 98 web based interface understanding 99 writing to memory 355 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands