manualshive.com logo in svg

Dell PowerConnect 8024, User Configuration Manual

Share
Download
Dell PowerConnect 8024 User Configuration Manual Download Page 518

518

Configuring Access Control Lists

How Are ACLs Configured?

To configure ACLs, follow these steps:

1

Create a MAC ACL by specifying a name.

2

Create an IP ACL by specifying a number.

3

Add new rules to the ACL.

4

Configure the match criteria for the rules.

5

Apply the ACL to one or more interfaces.

Preventing False ACL Matches

Be sure to specify ACL access-list, permit, and deny rule criteria as fully as 

possible to avoid false matches. This is especially important in networks with 

protocols such as FCoE that have newly-introduced EtherType values. For 

example, rules that specify a TCP or UDP port value should also specify the 

TCP or UDP protocol and the IPv4 or IPv6 EtherType. Rules that specify an 

IP protocol should also specify the EtherType value for the frame. 
In general, any rule that specifies matching on an upper-layer protocol field 

should also include matching constraints for each of the lower-layer protocols. 

For example, a rule to match packets directed to the well-known UDP port 

number 22 (SSH) should also include matching constraints on the IP 

protocol field (protocol=0x11 or UDP) and the EtherType field (EtherType=

0x0800 or IPv4). Figure 21-1 lists commonly-used EtherTypes numbers:

NOTE: 

The actual number of ACLs and rules supported depends on the 

resources consumed by other processes and configured features running on the 

switch.

Table 21-1. Common EtherType Numbers

EtherType

Protocol

0x0800

Internet Protocol version 4 (IPv4)

0x0806

Address Resolution Protocol (ARP)

0x0842

Wake-on LAN Packet

0x8035

Reverse Address Resolution Protocol (RARP)

0x8100

VLAN tagged frame (IEEE 802.1Q)

Summary of Contents for PowerConnect 8024

Page 1: ...Dell PowerConnect 8024 8024F 8132 8132F 8164 and 8164F Switch User s Configuration Guide Regulatory Models PC8024 PC8024F PC8132 PC8132F PC8164 PC8164F ...

Page 2: ...rConnect and OpenManage are trademarks of Dell Inc Microsoft Windows Windows Server MS DOS and Windows Vista are either trademarks or registered trademarks of Microsoft Corporation in the United States and or other countries sFlow is a registered trademark of InMon Corporation Cisco is a registered trademark of Cisco Systems Mozilla and Firefox are registered trademarks of the Mozilla Foundation O...

Page 3: ...m Time Management 54 Log Messages 55 Integrated DHCP Server 56 Management of Basic Network Information 56 IPv6 Management Features 56 Dual Software Images 56 File Management 57 Switch Database Management Templates 57 Automatic Installation of Firmware and Configuration 57 sFlow 58 SNMP Alarms and Trap Logs 58 CDP Interoperability through ISDP 58 Remote Monitoring RMON 58 Stacking Features 59 High ...

Page 4: ...Enforcement 61 TACACS Client 61 RADIUS Support 61 SSH SSL 62 Inbound Telnet Control 62 Denial of Service 62 Port Protection 62 Captive Portal 63 Dot1x Authentication IEEE 802 1X 63 MAC Based 802 1X Authentication 63 Dot1x Monitor Mode 64 MAC Based Port Security 64 Access Control Lists ACL 64 Time Based ACLs 65 IP Source Guard IPSG 65 DHCP Snooping 65 Dynamic ARP Inspection 65 Protected Ports Priva...

Page 5: ...PFC 69 Data Center Bridging Exchange DBCx Protocol 70 Enhanced Transmission Selection 70 Fibre Channel over Ethernet FCoE Initialization Protocol Snooping 70 Cisco Protocol Filtering 71 DHCP Layer 2 Relay 71 Virtual Local Area Network Supported Features 71 VLAN Support 71 Port Based VLANs 71 IP Subnet based VLAN 72 MAC based VLAN 72 IEEE 802 1v Protocol Based VLANs 72 GARP and GVRP Support 72 Voic...

Page 6: ...en Shortest Path First OSPF 77 BOOTP DHCP Relay Agent 78 IP Helper and UDP Relay 78 Routing Information Protocol 78 Router Discovery 78 Routing Table 78 Virtual Router Redundancy Protocol VRRP 79 Tunnel and Loopback Interfaces 79 IPv6 Routing Features 79 IPv6 Configuration 79 IPv6 Routes 80 OSPFv3 80 DHCPv6 80 Quality of Service QoS Features 81 Differentiated Services DiffServ 81 Class Of Service ...

Page 7: ...Multicast Sparse Mode 85 Protocol Independent Multicast Source Specific Multicast 85 Protocol Independent Multicast IPv6 Support 85 MLD MLDv2 RFC2710 RFC3810 85 3 Hardware Overview 87 PowerConnect 8000 series and 8100 series Front Panel 87 PowerConnect 8024 Front Panel 87 PowerConnect 8024F Front Panel 88 PowerConnect 8132 Front Panel 89 PowerConnect 8132F Front Panel 89 PowerConnect 8164 Front Pa...

Page 8: ...gement Port LEDs 99 System LEDs 99 Switch Addresses 100 4 Using Dell OpenManage Switch Administrator 103 About Dell OpenManage Switch Administrator 103 Starting the Application 104 Understanding the Interface 105 Defining Fields 107 Understanding the Device View 108 Using the Device View Port Features 108 5 Using the Command Line Interface 109 Accessing the Switch Through the CLI 109 Console Conne...

Page 9: ...twork Information 121 IP Address and Network Information Overview 121 What Is the Basic Network Information 121 Why Is Basic Network Information Needed 122 How Is Basic Network Information Configured 123 What Is Out of Band Management and In Band Management 123 Default Network Information 125 Configuring Basic Network Information Web 126 Out of Band Interface 126 IP Interface Configuration Default...

Page 10: ...dditional Network Information 137 Basic Network Information Configuration Example 138 8 Managing QSFP Ports 141 9 Managing a Switch Stack 143 Stacking Overview 143 Creating a PowerConnect 8000 8100 Series Stack 145 How is the Stack Master Selected 146 Adding a Switch to the Stack 148 Removing a Switch from the Stack 148 How is the Firmware Updated on the Stack 149 What is Stacking Standby 149 What...

Page 11: ...tatistics 163 Managing the Stack CLI 164 Configuring Stack Member Stack Port and NSF Settings 164 Viewing and Clearing Stacking and NSF Information 166 Stacking and NSF Usage Scenarios 166 Basic Failover 167 Preconfiguring a Stack Member 169 NSF in the Data Center 171 NSF and VoIP 172 NSF and DHCP Snooping 173 NSF and the Storage Access Network 174 NSF and Routed Access 176 10 Configuring Authenti...

Page 12: ...e Direct Login to Privileged EXEC Mode 189 TACACS Authorization Example Administrative Profiles 190 TACACS Authorization Example Custom Administrative Profile 191 TACACS Authorization Example Per command Authorization 192 RADIUS Authorization Example Direct Login to Privileged EXEC Mode 193 RADIUS Authorization Example Administrative Profiles 193 Using RADIUS Servers to Control Management Access 1...

Page 13: ...nformation Is Monitored 205 Why Is System Information Needed 206 Where Are Log Messages Sent 206 What Are the Severity Levels 207 What Are the System Startup and Operation Logs 207 What Is the Log Message Format 208 What Factors Should Be Considered When Configuring Logging 209 Default Log Settings 209 Monitoring System Information and Configuring Logging Web 210 Device Information 210 System Heal...

Page 14: ...27 Configuring Local Logging 228 Configuring Remote Logging 230 Configuring Mail Server Settings 231 Configuring Email Alerts for Log Messages 232 Logging Configuration Examples 234 Configuring Local and Remote Logging 234 Configuring Email Alerting 235 12 Managing General System Settings 239 System Settings Overview 239 Why Does System Information Need to Be Configured 240 What Are SDM Templates ...

Page 15: ...ing System Information 260 Configuring the Banner 261 Managing the SDM Template 262 Configuring SNTP Authentication and an SNTP Server 262 Setting the System Time and Date Manually 264 Viewing Slot Information 265 General System Settings Configuration Examples 266 Configuring System and Banner Information 266 Configuring SNTP 269 Configuring the Time Manually 271 13 Configuring SNMP 273 SNMP Overv...

Page 16: ...p Flags 293 Trap Log 294 Configuring SNMP CLI 295 Configuring the SNMPv3 Engine ID 295 Configuring SNMP Views Groups and Users 296 Configuring Communities 299 Configuring SNMP Notifications Traps and Informs 301 SNMP Configuration Examples 304 Configuring SNMPv1 and SNMPv2 304 Configuring SNMPv3 305 14 Managing Images and Files 309 Image and File Management Overview 309 What Files Can Be Managed 3...

Page 17: ...Internal Flash 326 Managing Files on a USB Flash Device PowerConnect 8100 series switches only 327 Uploading a Configuration File SCP 327 Managing Configuration Scripts SFTP 328 File and Image Management Configuration Examples 329 Upgrading the Firmware 329 Managing Configuration Scripts 332 Managing Files by Using the USB Flash Drive PowerConnect 8100 series switches only 334 15 Automatically Upd...

Page 18: ...iguration Web 350 Auto Install Configuration 350 Managing Auto Configuration CLI 351 Managing Auto Configuration 351 Auto Configuration Example 352 Enabling DHCP Auto Configuration and Auto Image Download 352 16 Monitoring Switch Traffic 355 Traffic Monitoring Overview 355 What is sFlow Technology 355 What is RMON 358 What is Port Mirroring 359 Why is Traffic Monitoring Needed 360 Default Traffic ...

Page 19: ...vent Control 376 RMON Event Log 378 RMON Alarms 379 Port Statistics 381 LAG Statistics 382 Port Mirroring 383 Monitoring Switch Traffic CLI 386 Configuring sFlow 386 Configuring RMON 388 Viewing Statistics 390 Configuring Port Mirroring 391 Traffic Monitoring Configuration Examples 392 Configuring sFlow 392 Configuring RMON 394 17 Configuring iSCSI Optimization 395 iSCSI Optimization Overview 395 ...

Page 20: ...ell Compellent Arrays 400 iSCSI CoS and Priority Flow Control Enhanced Transmission Selection Interactions 401 Default iSCSI Optimization Values 402 Configuring iSCSI Optimization Web 403 iSCSI Global Configuration 403 iSCSI Targets Table 404 iSCSI Sessions Table 405 iSCSI Sessions Detailed 406 Configuring iSCSI Optimization CLI 407 iSCSI Optimization Configuration Examples 409 Configuring iSCSI O...

Page 21: ...ation 432 Captive Portal Global Status 433 Captive Portal Activation and Activity Status 434 Interface Activation Status 435 Interface Capability Status 436 Client Summary 437 Client Detail 438 Captive Portal Interface Client Status 439 Captive Portal Client Status 440 Configuring Captive Portal CLI 441 Configuring Global Captive Portal Settings 441 Creating and Configuring a Captive Portal 442 Co...

Page 22: ...ion 457 Link Dependency Configuration 460 Link Dependency Summary 462 Configuring Port Characteristics CLI 463 Configuring Port Settings 463 Configuring Link Dependencies 464 Port Configuration Examples 466 Configuring Port Settings 466 Configuring a Link Dependency Groups 467 20 Configuring Port and System Security 469 IEEE 802 1X 470 What is IEEE 802 1X 470 What are the 802 1X Port States 471 Wh...

Page 23: ...X Values 507 Configuring Port Security CLI 510 Denial of Service 511 21 Configuring Access Control Lists 513 ACL Overview 513 What Are MAC ACLs 514 What Are IP ACLs 515 What Is the ACL Redirect Function 515 What Is the ACL Mirror Function 515 What Is ACL Logging 516 What Are Time Based ACLs 516 What Are the ACL Limitations 517 How Are ACLs Configured 518 Preventing False ACL Matches 518 Configurin...

Page 24: ...s 541 Configuring an IP ACL 541 Configuring a MAC ACL 543 Configuring a Time Based ACL 545 Configuring a Management Access List 546 22 Configuring VLANs 551 VLAN Overview 551 Switchport Modes 554 VLAN Tagging 555 GVRP 556 Double VLAN Tagging 556 Voice VLAN 557 Private VLANs 560 Additional VLAN Features 565 Default VLAN Behavior 566 Configuring VLANs Web 568 VLAN Membership 568 VLAN Port Settings 5...

Page 25: ...593 Configuring Double VLAN Tagging 595 Configuring MAC Based VLANs 596 Configuring IP Based VLANs 597 Configuring a Protocol Based VLAN 597 Configuring GVRP 599 Configuring Voice VLANs 601 VLAN Configuration Examples 602 Configuring VLANs Using Dell OpenManage Administrator 605 Configure the VLANs and Ports on Switch 2 609 Configuring VLANs Using the CLI 610 Configuring a Voice VLAN 614 23 Config...

Page 26: ...ings 640 Configuring Spanning Tree CLI 642 Configuring Global STP Bridge Settings 642 Configuring Optional STP Features 643 Configuring STP Interface Settings 644 Configuring MSTP Switch Settings 645 Configuring MSTP Interface Settings 646 STP Configuration Examples 647 Configuring STP 647 Configuring MSTP 649 24 Discovering Network Devices 651 Device Discovery Overview 651 What Is ISDP 651 What i...

Page 27: ...Device Information 669 Configuring ISDP and LLDP CLI 670 Configuring Global ISDP Settings 670 Enabling ISDP on a Port 671 Viewing and Clearing ISDP Information 671 Configuring Global LLDP Settings 672 Configuring Port based LLDP Settings 672 Viewing and Clearing LLDP Information 673 Configuring LLDP MED Settings 674 Viewing LLDP MED Information 675 Device Discovery Configuration Examples 675 Confi...

Page 28: ...ontrol 690 Configuring Protected Ports 691 Configuring LLPF 692 Port Based Traffic Control Configuration Example 693 26 Configuring L2 Multicast Features 695 L2 Multicast Overview 695 What Are the Multicast Bridging Features 695 What Is L2 Multicast Traffic 696 What Is IGMP Snooping 697 What Is MLD Snooping 699 What Is Multicast VLAN Registration 700 When Are L3 Multicast Features Required 701 Wha...

Page 29: ... Status 719 MFDB IGMP Snooping Table 720 MLD Snooping General 721 MLD Snooping Global Querier Configuration 723 MLD Snooping VLAN Querier 724 MLD Snooping VLAN Querier Status 727 MFDB MLD Snooping Table 728 MVR Global Configuration 729 MVR Members 730 MVR Interface Configuration 731 MVR Statistics 734 GARP Timers 735 GMRP Parameters 737 MFDB GMRP Table 739 Configuring L2 Multicast Features CLI 740...

Page 30: ...ion Necessary 759 Default Traffic Snooping and Inspection Values 759 Configuring Traffic Snooping and Inspection Web 761 DHCP Snooping Configuration 761 DHCP Snooping Interface Configuration 762 DHCP Snooping VLAN Configuration 764 DHCP Snooping Persistent Configuration 766 DHCP Snooping Static Bindings Configuration 767 DHCP Snooping Dynamic Bindings Summary 769 DHCP Snooping Statistics 770 IPSG ...

Page 31: ...ation 791 Link Aggregation Overview 791 Why Are Link Aggregation Groups Necessary 792 What Is the Difference Between Static and Dynamic Link Aggregation 792 What is LAG Hashing 793 How Do LAGs Interact with Other Features 794 LAG Configuration Guidelines 795 Default Link Aggregation Values 795 Configuring Link Aggregation Web 796 LAG Configuration 796 LACP Parameters 798 LAG Membership 800 LAG Has...

Page 32: ...ng PFC Using the Web Interface 812 Configuring PFC Using the CLI 814 PFC Configuration Example 816 DCB Capability Exchange 818 Interoperability with IEEE DCBx 819 DCBx and Port Roles 819 Configuration Source Port Selection Process 821 Disabling DCBX 823 Configuring DCBx 823 FIP Snooping 826 Enabling and Disabling FIP Snooping 826 Configuring the FC Map Value 827 Configuring Ports for FIP Snooping ...

Page 33: ...Table Values 850 Managing the MAC Address Table Web 851 Static Address Table 851 Dynamic Address Table 853 Managing the MAC Address Table CLI 854 Managing the MAC Address Table 854 31 Configuring Routing Interfaces 855 Routing Interface Overview 855 What Are VLAN Routing Interfaces 855 What Are Loopback Interfaces 856 What Are Tunnel Interfaces 857 Why Are Routing Interfaces Needed 858 Default Rou...

Page 34: ...ork 871 What are DHCP Options 872 What Additional DHCP Features Does the Switch Support 873 Default DHCP Server Values 873 Configuring the DHCP Server Web 874 DHCP Server Network Properties 874 Address Pool 876 Address Pool Options 880 DHCP Bindings 882 DHCP Server Reset Configuration 883 DHCP Server Conflicts Information 884 DHCP Server Statistics 885 Configuring the DHCP Server CLI 886 Configuri...

Page 35: ...r Discovery Configuration 903 Router Discovery Status 904 Route Table 905 Best Routes Table 906 Route Entry Configuration 907 Configured Routes 909 Route Preferences Configuration 910 Configuring IP Routing Features CLI 911 Configuring Global IP Routing Settings 911 Adding Static ARP Entries and Configuring ARP Table Settings 912 Configuring Router Discovery IRDP 913 Configuring Route Table Entrie...

Page 36: ...atistics 929 DHCP Relay VLAN Configuration 930 DHCP Relay Agent Configuration 931 IP Helper Global Configuration 932 IP Helper Interface Configuration 934 IP Helper Statistics 936 Configuring L2 and L3 Relay Features CLI 937 Configuring L2 DHCP Relay 937 Configuring L3 Relay IP Helper Settings 939 Relay Agent Configuration Example 941 35 Configuring OSPF and OSPFv3 943 OSPF Overview 944 What Are O...

Page 37: ...figuration 964 OSPF Link State Database 965 OSPF Virtual Link Configuration 965 OSPF Virtual Link Summary 967 OSPF Route Redistribution Configuration 968 OSPF Route Redistribution Summary 969 NSF OSPF Configuration 970 Configuring OSPFv3 Features Web 971 OSPFv3 Configuration 971 OSPFv3 Area Configuration 972 OSPFv3 Stub Area Summary 975 OSPFv3 Area Range Configuration 976 OSPFv3 Interface Configur...

Page 38: ...nfiguring Global OSPFv3 Settings 999 Configuring OSPFv3 Interface Settings 1001 Configuring Stub Areas and NSSAs 1003 Configuring Virtual Links 1005 Configuring an OSPFv3 Area Range 1006 Configuring OSPFv3 Route Redistribution Settings 1007 OSPF Configuration Examples 1008 Configuring an OSPF Border Router and Setting Interface Costs 1008 Configuring Stub and NSSA Areas for OSPF and OSPFv3 1011 Co...

Page 39: ...ummary 1036 RIP Route Redistribution Configuration 1037 RIP Route Redistribution Summary 1038 Configuring RIP Features CLI 1039 Configuring Global RIP Settings 1039 Configuring RIP Interface Settings 1040 Configuring Route Redistribution Settings 1041 RIP Configuration Example 1043 37 Configuring VRRP 1045 VRRP Overview 1045 How Does VRRP Work 1045 What Is the VRRP Router Priority 1046 What Is VRR...

Page 40: ...xample 1060 VRRP with Load Sharing 1060 VRRP with Route and Interface Tracking 1064 38 Configuring IPv6 Routing 1069 IPv6 Routing Overview 1069 How Does IPv6 Compare with IPv4 1070 How Are IPv6 Interfaces Configured 1070 Default IPv6 Routing Values 1071 Configuring IPv6 Routing Features Web 1073 Global Configuration 1073 Interface Configuration 1074 Interface Summary 1075 IPv6 Statistics 1076 IPv6...

Page 41: ... 1094 What Is a Stateless Server 1094 What Is the DHCPv6 Relay Agent Information Option 1094 What Is a Prefix Delegation 1094 Default DHCPv6 Server and Relay Values 1095 Configuring the DHCPv6 Server and Relay Web 1096 DHCPv6 Global Configuration 1096 DHCPv6 Pool Configuration 1097 Prefix Delegation Configuration 1099 DHCPv6 Pool Summary 1100 DHCPv6 Interface Configuration 1101 DHCPv6 Server Bindi...

Page 42: ...rentiated Services 1113 DiffServ Overview 1113 How Does DiffServ Functionality Vary Based on the Role of the Switch 1114 What Are the Elements of DiffServ Configuration 1114 Default DiffServ Values 1115 Configuring DiffServ Web 1116 DiffServ Configuration 1116 Class Configuration 1117 Class Criteria 1118 Policy Configuration 1120 Policy Class Definition 1122 Service Configuration 1125 Service Deta...

Page 43: ...3 What Are Trusted and Untrusted Port Modes 1144 How Is Traffic Shaping Used on Egress Traffic 1144 How Are Traffic Queues Defined 1145 Which Queue Management Methods Are Supported 1145 CoS Queue Usage 1146 Default CoS Values 1146 Configuring CoS Web 1147 Mapping Table Configuration 1147 Interface Configuration 1150 Interface Queue Configuration 1151 Interface Queue Drop Precedence Configuration 1...

Page 44: ...lobal Configuration 1163 Auto VoIP Interface Configuration 1163 Configuring Auto VoIP CLI 1166 43 Managing IPv4 and IPv6 Multicast 1167 L3 Multicast Overview 1167 What Is IP Multicast Traffic 1168 What Multicast Protocols Does the Switch Support 1169 What Are the Multicast Protocol Roles 1169 When Is L3 Multicast Required on the Switch 1170 What Is the Multicast Routing Table 1170 What Is IGMP 117...

Page 45: ...P and IGMP Proxy Web 1195 IGMP Global Configuration 1195 IGMP Interface Configuration 1196 IGMP Interface Summary 1197 IGMP Cache Information 1198 IGMP Interface Source List Information 1199 IGMP Proxy Interface Configuration 1200 IGMP Proxy Configuration Summary 1201 IGMP Proxy Interface Membership Info 1202 Detailed IGMP Proxy Interface Membership Information 1203 Configuring MLD and MLD Proxy W...

Page 46: ...nfiguration 1224 BSR Candidate Summary 1225 Configuring DVMRP Web 1226 DVMRP Global Configuration 1226 DVMRP Interface Configuration 1227 DVMRP Configuration Summary 1228 DVMRP Next Hop Summary 1229 DVMRP Prune Summary 1231 DVMRP Route Summary 1232 Configuring L3 Multicast Features CLI 1233 Configuring and Viewing IPv4 Multicast Information 1233 Configuring and Viewing IPv6 Multicast Route Informa...

Page 47: ...1244 Configuring and Viewing PIM SM for IPv6 Multicast Routing 1246 Configuring and Viewing DVMRP Information 1250 L3 Multicast Configuration Examples 1251 Configuring Multicast VLAN Routing With IGMP and PIM SM 1251 Configuring DVMRP 1255 A Feature Limitations and Platform Constants 1257 44 System Process Definitions 1267 Index 1275 ...

Page 48: ...48 Contents ...

Page 49: ...switch has 24 or 48 ports of 10 Gb Ethernet in 10GBase T or SFP with redundant power supplies to provide high performance and high availability PowerConnect 8000 8100 series switches can be stacked with other PowerConnect switches of the same model number using the 10G SFP or QSFP fiber ports About This Document This guide describes how to configure monitor and maintain a Dell PowerConnect 8000 se...

Page 50: ...names field names menu options button names and CLI commands and keywords courier font Command line text CLI output and file names In a command line square brackets indicate an optional entry In a command line inclusive brackets indicate a selection of compulsory parameters separated by the character One option must be selected For example spanning tree mode stp rstp mstp means that for the spanni...

Page 51: ...des information about the switch models in the series including front and back panel features It also describes the installation and initial configuration procedures CLI Reference Guide provides information about the command line interface CLI commands used to configure and manage the switch The document provides in depth CLI descriptions syntax default values and usage guidelines ...

Page 52: ...52 Introduction ...

Page 53: ...se notes for this product The release notes are part of the firmware download System Management Features Stacking Features Security Features Switching Features Virtual Local Area Network Supported Features Spanning Tree Protocol Features Link Aggregation Features Routing Features IPv6 Routing Features Quality of Service QoS Features Layer 2 Multicast Features Layer 3 Multicast Features ...

Page 54: ...ia an admin mode control or when the required hardware is present or both For example a port can be preconfigured with both trunk and access mode information The trunk mode information is applied only when the port is placed into trunk mode and the access mode information is only applied when the port is placed into access mode Likewise OSPF routing can be configured in the switch without being en...

Page 55: ...emote log server You can also configure the switch to send log messages to a configured SMTP server This allows you to receive the log message in an e mail account of your choice Switch auditing messages CLI command logging Web logging and SNMP logging can be enabled or disabled For information about configuring system logging see Monitoring and Logging System Information on page 205 ...

Page 56: ... information Other configurable network information includes a Domain Name Server DNS hostname to IP address mapping and a default domain name If the switch detects an IP address conflict on the management interface it generates a trap and sends a log message For information about configuring basic network information see Setting the IP Address and Other Basic Network Information on page 121 IPv6 ...

Page 57: ...able you to reallocate system resources to support a different mix of features based on your network requirements PowerConnect 8000 8100 series switches support the following three templates Dual IPv4 and IPv6 default IPv4 Routing IPv4 Data Center For information about setting the SDM template see Managing General System Settings on page 239 Automatic Installation of Firmware and Configuration The...

Page 58: ... see Configuring SNMP on page 273 CDP Interoperability through ISDP Industry Standard Discovery Protocol ISDP allows the PowerConnect switch to interoperate with Cisco devices running the Cisco Discovery Protocol CDP ISDP is a proprietary Layer 2 network protocol which inter operates with Cisco network equipment and is used to share information between neighboring devices routers bridges access se...

Page 59: ... are running the same firmware version Single IP Management When multiple switches are connected together through the stack ports they operate as a single unit with a larger port count The stack operates and is managed as a single entity One switch acts as the master and the entire stack is managed through the management interface Web CLI or SNMP of the stack master Automatic Firmware Update for N...

Page 60: ...r When you add a unit the Stack Firmware Synchronization feature automatically synchronizes the firmware version with the version running on the stack master The synchronization operation may result in either an upgrade or a downgrade of firmware on the mismatched stack member In addition the running config on the member is updated to match the master switch The startup config on the standby and m...

Page 61: ...rall risk of a security breach For information about configuring password settings see Configuring Authentication Authorization and Accounting on page 179 TACACS Client The switch has a TACACS client TACACS provides centralized security for validation of users accessing the switch TACACS provides a centralized user management system while still retaining consistency with RADIUS and other authentic...

Page 62: ...he switch supports configurable Denial of Service DoS attack protection for eight different types of attacks For information about configuring DoS settings see Configuring Port and System Security on page 469 Port Protection A port may be put into the disabled state for any of the following reasons BPDU Storm Protection By default if Spanning Tree Protocol STP bridge protocol data units BPDUs are ...

Page 63: ...t configuring the Captive Portal features see Configuring Captive Portal on page 413 Dot1x Authentication IEEE 802 1X Dot1x authentication enables the authentication of system users through a local internal server or an external server Only authenticated and approved system users can transmit and receive data Supplicants are authenticated using the Extensible Authentication Protocol EAP PEAP EAP T...

Page 64: ...at port When a frame is seen on a locked port and the frame source MAC address is not tied to that port the protection mechanism is invoked For information about configuring MAC based port security see Configuring Port and System Security on page 469 Access Control Lists ACL Access Control Lists ACLs ensure that only authorized users have access to specific resources while blocking off any unwarra...

Page 65: ...database of MAC address IP address VLAN ID port tuples that are specified as authorized DHCP snooping can be enabled globally and on specific VLANs Ports within the VLAN can be configured to be trusted or untrusted DHCP servers must be reached through trusted ports For information about configuring DHCP Snooping see Snooping and Inspecting Traffic on page 753 Dynamic ARP Inspection Dynamic ARP Ins...

Page 66: ...ffer overflows For information about configuring flow control see Configuring Port Based Traffic Control on page 679 Head of Line Blocking Prevention Head of Line HOL blocking prevention prevents traffic delays and frame loss caused by traffic competing for the same egress port resources HOL blocking queues packets and the packets at the head of the queue are forwarded before packets at the end of...

Page 67: ... Interface with Crossover MDIX VLAN Aware MAC based Switching Packets arriving from an unknown source address are sent to the CPU and added to the Hardware Table Future packets addressed to or from this address are more efficiently forwarded Back Pressure Support On half duplex links a receiver may prevent buffer overflows by jamming the link so that it is unavailable for additional traffic On ful...

Page 68: ...the relevant virtual local area network VLAN The flooding occupies bandwidth and loads all nodes connected on all ports Storm control limits the amount of broadcast unknown unicast and multicast frames accepted and forwarded by the switch For information about configuring Broadcast Storm Control settings see Configuring Port Based Traffic Control on page 679 Port Mirroring Port mirroring monitors ...

Page 69: ... Media Endpoint Devices The Link Layer Discovery Protocol for Media Endpoint Devices LLDP MED provides an extension to the LLDP standard for network configuration and policy device location Power over Ethernet management and inventory management For information about configuring LLDP MED settings see Discovering Network Devices on page 651 Priority based Flow Control PFC The Priority based Flow Co...

Page 70: ...nhanced Transmission Selection ETS allows the switch to allocate bandwidth to traffic classes and share unused bandwidth with lower priority traffic classes while coexisting with strict priority traffic classes ETS is supported on the PowerConnect 8100 series switches and can be configured manually or automatically using the auto configuration feature For more information about ETS see Enhanced Tr...

Page 71: ...DHCP Relay settings see Configuring L2 and L3 Relay Features on page 919 Virtual Local Area Network Supported Features For information about configuring VLAN features see Configuring VLANs on page 551 VLAN Support VLANs are collections of switching ports that comprise a single broadcast domain Packets are classified as belonging to a VLAN based on either the VLAN tag or a combination of the ingres...

Page 72: ...s the configuration of Generic Attribute Registration Protocol GARP timers GARP VLAN Registration Protocol GVRP relies on the services provided by GARP to provide IEEE 802 1Q compliant VLAN pruning and dynamic VLAN creation on 802 1Q trunk ports When GVRP is enabled the switch registers and propagates VLAN membership on all ports that are part of the active spanning tree protocol topology For info...

Page 73: ... no ability to browse information on the internal LAN For information about configuring the Guest VLAN see Configuring Port and System Security on page 469 Double VLANs The Double VLAN feature IEEE 802 1QinQ allows the use of a second tag on network traffic The additional tag helps differentiate between customers in the Metropolitan Area Networks MAN while preserving individual customer s VLAN ide...

Page 74: ...panning Tree Protocol RSTP detects and uses network topologies to enable faster spanning tree convergence after a topology change without creating forwarding loops The port settings supported by STP are also supported by RSTP Multiple Spanning Tree Multiple Spanning Tree MSTP operation maps VLANs to spanning tree instances Packets assigned to various VLANs are transmitted along different paths wit...

Page 75: ...les fault tolerance protection from physical link disruption higher bandwidth connections and improved bandwidth granularity Per IEEE 802 1AX only links with the same operational characteristics such as speed and duplex setting may be aggregated PowerConnect switches aggregate links only if they have the same operational speed and duplex setting as opposed to the configured speed and duplex settin...

Page 76: ...76 Switch Features achievable between a given pair of systems LACP automatically determines configures binds and monitors the binding of ports to aggregators within the system ...

Page 77: ...ces on page 855 IP Configuration The switch IP configuration settings to allow you to configure network information for VLAN routing interfaces such as IP address and subnet mask MTU size and ICMP redirects Global IP configuration settings for the switch allow you to enable or disable the generation of several types of ICMP messages and enable or disable the routing mode For information about mana...

Page 78: ... RIP like OSPF is an IGP used within an autonomous Internet system RIP is an IGP that is designed to work with moderate size networks For information about configuring RIP see Configuring RIP on page 1031 Router Discovery For each interface you can configure the Router Discovery Protocol RDP to transmit router advertisements These advertisements inform hosts on the local network about the presence...

Page 79: ...and management of tunnel and loopback interfaces Tunnel interfaces facilitate the transition of IPv4 networks to IPv6 networks A loopback interface is always expected to be up so you can configure a stable IP address that other network devices use to contact or identify the switch For information about configuring tunnel and loopback interfaces see Configuring Routing Interfaces on page 855 IPv6 R...

Page 80: ...ol for IPv6 networking OSPFv3 is a new routing component based on the OSPF version 2 component In dual stack IPv6 you can configure and use both OSPF and OSPFv3 components For information about configuring OSPFv3 see Configuring OSPF and OSPFv3 on page 943 DHCPv6 DHCPv6 incorporates the notion of the stateless server where DHCPv6 is not used for IP address assignment to a client rather it only pro...

Page 81: ...ing This provides the desired QoS behavior for different types of network traffic when the complexities of DiffServ are not required CoS queue characteristics such as minimum guaranteed bandwidth and transmission rate shaping are configurable at the queue or port level For information about configuring CoS see Configuring Class of Service on page 1143 Auto Voice over IP VoIP This feature provides ...

Page 82: ...onfiguring L2 Multicast Features on page 695 MAC Multicast Support Multicast service is a limited broadcast service that allows one to many and many to many connections In Layer 2 multicast services a single frame addressed to a specific multicast address is received and copies of the frame to be transmitted on each relevant port are created IGMP Snooping Internet Group Management Protocol IGMP Sn...

Page 83: ...ted with IP multicast address In IPv6 MLD snooping performs a similar function With MLD snooping IPv6 multicast data is selectively forwarded to a list of ports intended to receive the data instead of being flooded to all of the ports in a VLAN This list is constructed by snooping IPv6 multicast control packets Multicast VLAN Registration The Multicast VLAN Registration MVR protocol like IGMP Snoo...

Page 84: ...neighboring multicast routers PowerConnect 8000 8100 series switches perform the multicast router part of the IGMP protocol which means it collects the membership information needed by the active multicast router IGMP Proxy The IGMP Proxy feature allows the switch to act as a proxy for hosts by sending IGMP host messages on behalf of the hosts that the switch discovered through standard IGMP route...

Page 85: ...ns such as audio or video broadcasts PIM SSM does not use shared trees Protocol Independent Multicast IPv6 Support PIM DM and PIM SM support IPv6 routes MLD MLDv2 RFC2710 RFC3810 MLD is used by IPv6 systems listeners and routers to report their IP multicast addresses memberships to any neighboring multicast routers The implementation of MLD v2 is backward compatible with MLD v1 MLD protocol enable...

Page 86: ...86 Switch Features ...

Page 87: ...ries Back Panel LED Definitions Switch Addresses PowerConnect 8000 series and 8100 series Front Panel The following sections describe the ports on the front panel of each switch PowerConnect 8024 Front Panel The PowerConnect 8024 front panel provides 24 100M 1G 10GBase T ports four of which are combined with SFP SFP ports Figure 3 1 PowerConnect 8024 Front Panel Combo Ports 100M 1G 10GBase T Auto ...

Page 88: ...M 1G 10GBase T ports Figure 3 2 PowerConnect 8024F Front Panel The switch automatically detects crossed and straight through cables on RJ 45 ports SFP ports support both SX and LX modules RJ 45 ports support full duplex mode 100 1000 10000 Mbps PowerConnect 8024F switches can be stacked with other PowerConnect 8024F switches using the 10G SFP fiber ports NOTE A combo port may have both the RJ 45 a...

Page 89: ...able Interface Modules on page 92 for more information Figure 3 3 PowerConnect 8132 Front Panel PowerConnect 8132 switches can be stacked with other PowerConnect 81xx switches using 10G or 40G SFP or QSFP modules in the module bay PowerConnect 8132F Front Panel The PowerConnect 8132F front panel provides the following ports 24 x 10GbE fiber ports A USB port See USB Port Power Connect 8100 series s...

Page 90: ...PowerConnect 8164 Front Panel The PowerConnect 8164 front panel provides the following ports 48 x 10GbE copper ports A USB port See USB Port Power Connect 8100 series switches only on page 94 Two fixed QSFP ports each supporting 4 x 10G or 1 x 40G connections One module bay that supports the following modules 2 x 40 Gig QSFP each QSFP may be configured as 4 x 10 Gig ports 4 x SFP module 4 x 10GBas...

Page 91: ...ront panel provides the following ports 48 x 10GbE fiber ports A USB port See USB Port Power Connect 8100 series switches only on page 94 Two fixed QSFP ports each supporting 4 x 10G or 1 x 40G connections One module bay that supports the following modules 2 x 40 Gig QSFP each QSFP may be configured as 4 x 10 Gig ports 4 x SFP module 4 x 10GBaseT module See Hot Pluggable Interface Modules on page ...

Page 92: ...Blank module defaults to 10G mode A reboot is necessary when a hot pluggable module is replaced with a module of different type Specifically changing from a 40G module to a 10G module or from a 10G module to a 40G module requires a reboot Plug in modules with any port configured as a stacking port are not hot swappable Remove the stack port configuration from a slot before plugging in a module You...

Page 93: ...ansceivers Front panel port status LEDs The QSFP interfaces can be used for stacking Stacking is supported at distances of up to 100M Quad Port SFP Uplink Module The PC8100 SFP module features four SFP ports each providing the following features SFP SR LR and LRM optical interfaces SFP copper twinax interface Front panel port status LEDs The SFP connections can be used for stacking Stacking is sup...

Page 94: ...drive and the switch You can also use the USB flash drive to move and copy configuration files and images from one switch to other switches in the network The USB port does not support any other type of USB device Port and System LEDs The front panel contains light emitting diodes LEDs to indicate port status For information about the status that the LEDs indicate see LED Definitions on page 97 Po...

Page 95: ...e 3 7 PowerConnect PC8000 Series Back Panel The following image show the back panel of the PowerConnect 8100 series switches Figure 3 8 PowerConnect PC8100 Series Back Panel AC power AC power OOB Ethernet port RJ 45 serial console port Fans 3 AC power AC power OOB Ethernet port RJ 45 serial console port Fans ...

Page 96: ...nt Traffic on this port is segregated from operational network traffic on the switch ports and cannot be switched or routed to the operational network Power Supplies Each PowerConnect 8000 series and 8100 series switch has two power supplies for redundant or loadsharing operation Each power supply can support 300W Ventilation System The PC8000 series switches have three removable FANs and the 8100...

Page 97: ...ase T Port LEDs Each 100 1000 10000Base T port has two LEDs Figure 3 9 illustrates the 100 1000 10000Base T port LEDs Figure 3 9 100 1000 10000Base T Port LEDs Table 3 1 shows the 100 1000 10000Base T port LED definitions Table 3 1 100 1000 10000Base T Port Definitions LED Color Definition Link LED Off There is no link Solid green The port is operating at 10 Gbps Solid amber The port is operating ...

Page 98: ...ely transmitting receiving Table 3 3 10GBase T Module LED Definitions LED Color Definition Link LED Off There is no link Solid green The port is operating at 10 Gbps Solid amber The port is operating at 100 1000 Mbps Activity LED Off There is no current transmit receive activity Blinking green The port is actively transmitting receiving Table 3 4 QSFP Module LED Definitions LED Color Definition Li...

Page 99: ...perating at 10 100 Mbps Activity LED Off There is no current transmit receive activity Blinking green The port is actively transmitting receiving Table 3 6 System LED Definitions PowerConnect 8000 Series Switches LED Color Definition Diag Flashing Green A diagnostics test is in progress Green The diagnostics test was successfully completed Red The diagnostics test failed Power Green Power Supply i...

Page 100: ...ly failure Temp Off The switch is operating at normal temperature Solid amber The thermal sensor s system temperature threshold of 75 C has been exceeded Diag Off The switch is operating normally Blinking green A diagnostic test is running Fan Solid green The fan is powered and is operating at the expected RPM Solid red A fan failure has occurred Stack Solid blue The switch is in stacking master m...

Page 101: ...del ID PCT8132 Machine Type PowerConnect 8132 Temperature Sensors Unit Description Temperature Status Celsius 1 MAC 32 Good 1 CPU 31 Good 1 PHY left side 26 Good 1 PHY right side 29 Good Fans Unit Description Status 1 Fan 1 OK 1 Fan 2 OK 1 Fan 3 OK 1 Fan 4 OK 1 Fan 5 OK 1 Fan 6 No Power Power Supplies Unit Description Status Average Current Since Power Power Date Time Watts Watts 1 System OK 42 0 ...

Page 102: ...sole show ip interface vlan 1 Routing Interface Status Down Primary IP Address 1 1 1 2 255 255 255 0 Method Manual Routing Mode Enable Administrative Mode Enable Forward Net Directed Broadcasts Disable Proxy ARP Enable Local Proxy ARP Disable Active State Inactive MAC Address 001E C9F0 0050 Encapsulation Type Ethernet IP MTU 1500 Bandwidth 10000 kbps Destination Unreachables Enabled ICMP Redirects...

Page 103: ... OpenManage Switch Administrator Dell OpenManage Switch Administrator is a web based tool to help you manage and monitor a PowerConnect 8000 8100 series switch Table 4 1 lists the web browsers that are compatible with Dell OpenManage Switch Administrator The browsers have been tested on a PC running the Microsoft Windows operating system Table 4 1 Compatible Browsers Browser Version Internet Explo...

Page 104: ...work Information on page 121 3 When the Login window displays enter a user name and password Passwords are both case sensitive and alpha numeric Figure 4 1 Login Screen NOTE The switch is not configured with a default user name or password You must connect to the CLI by using the console port to configure the initial user name and password For information about connecting to the console see Consol...

Page 105: ... on the left side of the page the navigation pane provides an expandable view of features and their components Configuration and status options The main panel contains the fields you use to configure and monitor the switch Page tabs Some pages contain tabs that allow you to access additional pages related to the feature Command buttons Command buttons are located at the bottom of the page Use the ...

Page 106: ...l com About Contains the version and build number and Dell copyright information Log Out Logs out of the application and returns to the login screen Save Saves the running configuration to the startup configuration When you click Apply changes are saved to the running configuration When the system boots it loads the startup configuration Any changes to the running configuration that were not saved...

Page 107: ...ring and managing the switch The online help pages are context sensitive For example if the IP Addressing page is open the help topic for that page displays if you click Help Apply Updates the running configuration on the switch with the changes Configuration changes take effect immediately Clear Resets statistic counters and log files to the default configuration Query Queries tables Left arrow a...

Page 108: ...cessful login The graphic provides information about switch ports and system health Figure 4 3 PowerConnect 8024 Device View Using the Device View Port Features The switching port coloring indicates if a port is currently active Green indicates that the port has a link red indicates that an error has occurred on the port and blue indicates that the link is down Each port image is a hyperlink to th...

Page 109: ... IP address and the management station you use to access the device must be able to ping the switch IP address For information about assigning an IP address to a switch see Setting the IP Address and Other Basic Network Information on page 121 Console Connection Use the following procedures to connect to the CLI by connecting to the console port For more information about creating a serial connect...

Page 110: ...3 The switch supports up to four simultaneous Telnet sessions All CLI commands can be used over a Telnet session To connect to the switch using Telnet the switch must have an IP address and the switch and management station must have network connectivity You can use any Telnet client on the management station to connect to the switch You can also initiate a Telnet session from the OpenManage Switc...

Page 111: ...s changing terminal settings on a temporary basis performing basic tests and listing system information Privileged EXEC Commands in this mode permit you to view all switch settings and to enter the global configuration mode Global Configuration Commands in this mode manage the device configuration on a global level and apply to system features rather than to a specific protocol or interface Interf...

Page 112: ...er the enable command console Use the exit command or press Ctrl Z to return to User EXEC mode Global Configuration From Privileged EXEC mode use the configure command console config Use the exit command or press Ctrl Z to return to Privileged EXEC mode Interface Configuration From Global Configuration mode use the interface command and specify the interface type and ID console config if To exit t...

Page 113: ...with particular Group Ids vlan Create a new VLAN or delete an existing VLAN Enter a question mark after each word you enter to display available command keywords or parameters console config vlan database Type vlan database to enter VLAN mode protocol Configure Protocol Based VLAN parameters If the help output shows a parameter in angle brackets you must replace the parameter with a value console ...

Page 114: ...dentify a single matching command continue entering characters until the switch can uniquely identify the command Use the question mark to display the available commands matching the characters already entered Entering Abbreviated Commands To execute a command you need to enter enough characters so that the switch can uniquely identify a command For example to enter Global Configuration mode from ...

Page 115: ...istory buffer By default the history buffer is enabled and stores the last 10 commands entered These commands can be recalled reviewed modified and reissued This buffer is not preserved after switch resets Table 5 2 CLI Error Messages Message Text Description Invalid input detected at marker Indicates that you entered an incorrect or unavailable command The carat shows where the invalid text is de...

Page 116: ...lls commands in the history buffer beginning with the most recent command Repeats the key sequence to recall successively older commands Down arrow key Ctrl N Returns to more recent commands in the history buffer after recalling commands with the up arrow key Repeating the key sequence recalls more recent commands in succession ...

Page 117: ...OOB interface VLAN 1 Members All switch ports SDM template Dual IPv4 and IPv6 routing Users None Minimum password length 8 characters IPv6 management mode Enabled SNTP client Disabled Global logging Enabled Switch auditing Disabled CLI command logging Disabled Web logging Disabled SNMP logging Disabled Console logging Enabled Severity level debug and above RAM logging Enabled Severity level debug ...

Page 118: ...tal Disabled Dot1x Authentication IEEE 802 1X Disabled MAC Based Port Security All ports are unlocked Access Control Lists ACL None configured IP Source Guard IPSG Disabled DHCP Snooping Disabled Dynamic ARP Inspection Disabled Protected Ports Private VLAN Edge None Flow Control Support IEEE 802 3x Enabled Head of Line Blocking Prevention Disabled Maximum Frame Size 1500 bytes Auto MDI MDIX Suppor...

Page 119: ...eave 60 centiseconds Leave All 1000 centiseconds Join 20 centiseconds Voice VLAN Disabled Guest VLAN Disabled RADIUS assigned VLANs Disabled Double VLANs Disabled Spanning Tree Protocol STP Enabled STP Operation Mode IEEE 802 1w Rapid Spanning Tree Optional STP Features Disabled STP Bridge Priority 32768 Multiple Spanning Tree Disabled Link Aggregation No LAGs configured LACP System Priority 1 Rou...

Page 120: ...oIP Disabled Auto VoIP Traffic Class 6 PFC Disabled no classifications configured DCBx version Auto detect FIP snooping Disabled globally and on all VLANs iSCSI Enabled Bridge Multicast Filtering Enabled MLD Snooping Enabled IGMP Snooping Enabled IGMP Snooping Querier Disabled GMRP Disabled IPv4 Multicast Disabled IPv6 Multicast Disabled Table 6 1 Default Settings Continued Feature Default ...

Page 121: ... and Network Information Overview What Is the Basic Network Information The basic network information includes settings that define the PowerConnect 8000 8100 series switch in relation to the network Table 7 1 provides an overview of the settings this chapter describes Table 7 1 Basic Network Information Feature Description IP Address On an IPv4 network the a 32 bit number that uniquely identifies...

Page 122: ...fy and locate other devices on the network and on the Internet For example to upgrade the switch software by using a TFTP Default Gateway Typically a router interface that is directly connected to the switch and is in the same subnet The switch sends IP packets to the default gateway when it does not recognize the destination IP address in a packet DHCP Client Requests network information from a D...

Page 123: ...prompt you for the initial configuration information you can enable the DHCP client on the switch to obtain network information from a DHCP server on your network or you can statically assign the network information After you configure the switch with an IP address and create a user account you can continue to use the console connection to configure basic network information or you can log on to t...

Page 124: ... If the production network is experiencing problems you can still access the switch management interface and troubleshoot issues Because the OOB port is intended to be physically isolated from the production network configuration options are limited to just those protocols needed to manage the switch Limiting the configuration options makes it difficult to accidentally cut off management access to...

Page 125: ...il the connection times out In order to resolve this issue you can reduce the MSS setting to a more appropriate value on the local host or alternatively you can set the MTU on the PowerConnect management port to a smaller value Default Network Information By default no network information is configured The DHCP client is enabled on the OOB interface by default DNS is enabled but no DNS servers are...

Page 126: ...o assign the Out of Band Interface IP address and subnet mask or to enable disable the DHCP client for address information assignment DHCP is enabled by default on the OOB interface To display the Out of Band Interface page click System IP Addressing Out of Band Interface in the navigation panel Figure 7 1 Out of Band Interface To enable the DHCP client and allow a DHCP server on your network to a...

Page 127: ...onfiguration page click Routing IP IP Interface Configuration in the navigation panel Figure 7 2 IP Interface Configuration Default VLAN Assigning Network Information to the Default VLAN To assign an IP Address and subnet mask to the default VLAN 1 From the Interface menu select VLAN 1 2 From the Routing Mode field select Enable 3 From the IP Address Configuration Method field specify whether to a...

Page 128: ...ion page to configure the default gateway for the switch The Default VLAN uses the switch default gateway as its default gateway To display the Route Entry Configuration page click Routing Router Route Entry Configuration in the navigation panel Figure 7 3 Route Configuration Default VLAN NOTE You do not need to configure any additional fields on the page For information about VLAN routing interfa...

Page 129: ...eway 1 Open the Route Entry Configuration page 2 From the Route Type field select Default Figure 7 4 Default Route Configuration Default VLAN 3 In the Next Hop IP Address field enter the IP address of the default gateway 4 Click Apply For more information about configuring routes see Configuring IP Routing on page 895 ...

Page 130: ...itch uses the DNS server to translate hostnames into IP addresses To display the Domain Name Server page click System IP Addressing Domain Name Server in the navigation panel Figure 7 5 DNS Server To configure DNS server information click the Add link and enter the IP address of the DNS server in the available field Figure 7 6 Add DNS Server ...

Page 131: ...ame Use the Default Domain Name page to configure the domain name the switch adds to a local unqualified hostname To display the Default Domain Name page click System IP Addressing Default Domain Name in the navigation panel Figure 7 7 Default Domain Name ...

Page 132: ...per host To display the Host Name Mapping page click System IP Addressing Host Name Mapping Figure 7 8 Host Name Mapping To map a host name to an IP address click the Add link type the name of the host and its IP address in the appropriate fields and then click Apply Figure 7 9 Add Static Host Name Mapping Use the Show All link to view all configured host name to IP address mappings ...

Page 133: ...using the configured DNS server to resolve a hostname For example if you ping www dell com from the CLI the switch uses the DNS server to lookup the IP address of dell com and adds the entry to the Dynamic Host Name Mapping table To display the Dynamic Host Name Mapping page click System IP Addressing Dynamic Host Name Mapping in the navigation panel Figure 7 10 View Dynamic Host Name Mapping ...

Page 134: ...lient on the Default VLAN Beginning in Privileged EXEC mode use the following commands to enable the DHCP client on the default VLAN which is VLAN 1 Command Purpose configure Enter Global Configuration mode interface out of band Enter Interface Configuration mode for the OOB port ip address dhcp Enable the DHCP client CTRL Z Exit to Privileged EXEC mode show ip interface out of band Display networ...

Page 135: ... immediately renew an IPv4 address lease show dhcp lease interface interface Display IPv4 addresses leased from a DHCP server show ipv6 dhcp interface interface Display information about the IPv6 DHCP information for all interfaces or for the specified interface debug dhcp packet Display debug information about DHCPv4 client activities and to trace DHCPv4 packets to and from the local DHCPv4 clien...

Page 136: ...ask gateway_ip Configure a static IP address and subnet mask Optionally you can also configure a default gateway CTRL Z Exit to Privileged EXEC mode show ip interface out of band Verify the network information for the OOB port Command Purpose configure Enter Global Configuration mode interface vlan 1 Enter Interface Configuration mode for VLAN 1 ip address ip_address subnet_mask Enter the IP addre...

Page 137: ... up to six DNS servers The first server you configure is the primary DNS server ip domain name name Define a default domain name to complete unqualified host names ip host name ip_address Use to configure static host name to address mapping in the host cache ip address conflict detect run Trigger the switch to run active address conflict detection by sending gratuitous ARP packets for IPv4 address...

Page 138: ...aps the administrative laptop host name to its IP address The administrator uses the OOB port to manage the switch To configure the switch 1 Connect the OOB port to the management network DHCP is enabled by on the switch OOB interface by default If the DHCP client on the switch has been disabled use the following commands to enable the DHCP client on the OOB port console configure console config i...

Page 139: ...ation console show hosts Host name Default domain sunny dell com dell com Name address lookup is enabled Name servers Preference order 10 27 138 20 10 27 138 21 Configured host name to address mapping Host Addresses admin laptop 10 27 65 103 cache TTL Hours Host Total Elapsed Type Addresses No hostname is mapped to an IP address 6 Verify that the static hostname is correctly mapped console ping ad...

Page 140: ...140 Setting Basic Network Information ...

Page 141: ... interfaces for plug in modules do not show in the show interfaces status command The default setting for a 40 gigabit Ethernet interface is nonstacking 40 gigabit Ethernet 1 x 40G The commands to change 1 x 40G and 4 x 10G modes are always entered on the 40 gigabit interfaces The commands to change the Ethernet stack mode are entered on the appropriate interface tengigabitethernet or fortygigabit...

Page 142: ... Fo2 1 1 console config if Fo2 1 1 hardware profile portmode 1x40g This command will not take effect until the switch is rebooted console config if Fo1 1 2 do reload Are you sure you want to reload the stack y n Attempting to change the port mode on the tengigabit interface will give the error An invalid interface has been used for this function ...

Page 143: ...orts on the PC8024 PC8024F units cannot be used for stacking When a combo port is configured in stacking mode the corresponding copper port is disabled The 10G SFP ports default to Ethernet mode so the ports must be reconfigured as stacking ports Also up to six PowerConnect 8132 8132F 8164 8164F switches can be stacked using any port as long as the link bandwidth for parallel stacking links is the...

Page 144: ...rface on member units does not allow access to the CLI A second switch is designated as the standby unit which becomes the master if the stack master is unavailable You can manually configure which unit is selected as the standby or the system can select the standby automatically When units are in a stack the following activities occur All units are checked for software version consistency The swi...

Page 145: ... PC8000 series switches PC8100 series switches can only be stacked with other PC8100 series switches Create a stack by connecting adjacent units using the 10G ports SFP ports only on the PC80xx series It is recommended that stacking link bandwidth be at least 10 times the bandwidth of the front panel port that is a 10G switch PC8100 should have 100G of stacking bandwidth to each adjacent stack mem...

Page 146: ...width is achieved 3 Repeat this process until all of the devices are connected 4 To complete the ring topology for the stack connect one ore more stacking ports on the last switch to the remaining stacking port s on the first switch Add additional cables of the same speed in parallel to achieve the desired stacking bandwidth Figure 9 1 Connecting a Stack of PowerConnect 8024 8024F Switches How is ...

Page 147: ...comes stack master If the stack master function is disabled the unit remains a non stack master If the entire stack is powered OFF and ON again the unit that was the stack master before the reboot will remain the stack master after the stack resumes operation You can manually set the unit number for the switch To avoid unit number conflicts one of the following scenarios takes place when you add a...

Page 148: ...w switch is added to a stack of switches that are powered and running and already have an elected stack master the newly added switch becomes a stack member rather than the stack master In this situation the firmware of the new unit may be overwritten based on the configuration of the stack master The running configuration of the newly added unit is overwritten with the stack master configuration ...

Page 149: ...use of the failed unit If you remove a unit and plan to renumber the stack issue a no member unit command in Stack Configuration mode to delete the removed switch from the configured stack member information How is the Firmware Updated on the Stack When you add a new switch to a stack the Stack Firmware Synchronization feature automatically synchronizes the firmware version with the version runnin...

Page 150: ...ing plane should forward packets deciding which data packets are allowed to be forwarded and where they should go Application software on the stack master acts as the control plane The management plane is application software running on the stack master that provides interfaces allowing a network administrator to configure the device The Nonstop Forwarding NSF feature allows the forwarding plane o...

Page 151: ...on data and other important information to the backup unit Although the handoff is controlled and causes minimal network disruption some application state is lost such as pending timers and other pending internal events Checkpointing Switch applications features that build up a list of data such as neighbors or clients can significantly improve their restart behavior by remembering this data acros...

Page 152: ...henticated clients DHCP server Address bindings persistent DHCP snooping DHCP bindings database DOT1Q Internal VLAN assignments DOT1S Spanning tree port roles port states root bridge etc DOT1X Authenticated clients DOT3ad Port states IGMP MLD Snooping Multicast groups list of router ports last query data for each VLAN IPv6 NDP Neighbor cache entries iSCSI Connections LLDP List of interfaces with M...

Page 153: ...n the network make sure you power down the whole stack before you redeploy the stack master so that the stack members do not continue to use the MAC address of the redeployed switch NSF Network Design Considerations You can design your network to take maximum advantage of NSF For example by distributing a LAG s member ports across multiple units the stack can quickly switch traffic from a port on ...

Page 154: ...cause you configure the stack as a single unit and do not need to configure individual switches Default Stacking Values Stacking is always enabled By default the 10G SFP ports are in Ethernet mode and must be configured to be used as stacking ports Ports that are configured in stacking mode show as detached in the output of the show interfaces status command Configuring an Ethernet port as a stack...

Page 155: ...details about the fields on a page click at the top of the page Unit Configuration Use the Unit Configuration page to change the unit number and unit type Management Member or Standby To display the Unit Configuration page click System Stack Management Unit Configuration in the navigation panel Figure 9 2 Stack Unit Configuration NOTE The changes you make to the Stacking configuration pages take e...

Page 156: ... Type for a Stack Member To change the switch ID or type 1 Open the Unit Configuration page 2 Click Add to display the Add Unit page Figure 9 3 Add Remote Log Server Settings 3 Specify the switch ID and select the model number of the switch 4 Click Apply ...

Page 157: ...57 Stack Summary Use the Stack Summary page to view a summary of switches participating in the stack To display the Stack Summary page click System Stack Management Stack Summary in the navigation panel Figure 9 4 Stack Summary ...

Page 158: ...hether the firmware image on a new stack member can be automatically upgraded or downgraded to match the firmware image of the stack master To display the Stack Firmware Synchronization page click System Stack Management Stack Firmware Synchronization in the navigation panel Figure 9 5 Stack Firmware Synchronization ...

Page 159: ...hes page to view information regarding each type of supported switch for stacking and information regarding the supported switches To display the Supported Switches page click System Stack Management Supported Switches in the navigation panel Figure 9 6 Supported Switches ...

Page 160: ...ured mode of the interface the running mode as well as the link status and link speed of the stackable port To display the Stack Port Summary page click System Stack Management Stack Port Summary in the navigation panel Figure 9 7 Stack Port Summary NOTE By default the ports are configured to operate as Ethernet ports To configure a port as a stack port you must change the Configured Stack Mode se...

Page 161: ...d statistics including data rate and error rate To display the Stack Port Counters page click System Stack Management Stack Point Counters in the navigation panel Figure 9 8 Stack Port Counters Stack Port Diagnostics The Stack Port Diagnostics page is intended for Field Application Engineers FAEs and developers only ...

Page 162: ...failover to the standby unit click Initiate Failover The failover results in a warm restart of the stack master Initiating a failover reloads the stack master triggering the backup unit to take over NOTE The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over stack master responsibility To configure NSF on a stack that u...

Page 163: ...he Checkpoint Statistics page to view information about checkpoint messages generated by the stack master To display the Checkpoint Statistics page click System Stack Management Checkpoint Statistics in the navigation panel Figure 9 10 Checkpoint Statistics ...

Page 164: ...king and NSF settings Command Purpose configure Enter Global Configuration mode switch current_ID renumber new_ID Change the switch ID number The valid range is 1 10 NOTE Changing the ID number causes all switches in the stack to be reset to perform stack master renumbering The running configuration is cleared when the units reset stack Enter Global Stack Configuration mode initiate failover Move ...

Page 165: ...he mode of the port to either Ethernet or stacking nsf Enable nonstop forwarding on the stack exit Exit to Global Config mode boot auto copy sw Enable the Stack Firmware Synchronization feature boot auto copy sw allow downgrade Allow the firmware version on the newly added stack member to be downgraded if the firmware version on manager is older exit Exit to Privileged EXEC mode show auto copy sw ...

Page 166: ...F and DHCP Snooping Command Purpose show switch stack member number View information about all stack members or the specified member show switch stack standby View the ID of the switch that will assume the role of the stack master if it goes down show switch stack port View information about the stacking ports show switch stack port counters View the statistics about the data the stacking ports ha...

Page 167: ...e 9 11 Basic Stack Failover When all four units are up and running the show switch CLI command gives the following output console show switch SW Management Status Standby Status Preconfig Model ID Plugged in Model ID Switch Status Code Version 1 Stack Member PC8024 PC8024 OK 9 19 0 2 2 Stack Member PC8024 PC8024 OK 9 19 0 2 3 Mgmt Switch PC8024 PC8024 OK 9 19 0 2 4 Stack Member PC8024F PC8024F OK ...

Page 168: ...s console configure console config stack console config stack no member 2 console config stack exit console config exit console show switch SW Management Status Standby Status Preconfig Model ID Plugged in Model ID Switch Status Code Version 1 Stack Member PC8024 PC8024 OK 9 19 0 2 2 Unassigned PC8024 Not Present 0 0 0 0 3 Mgmt Switch PC8024 PC8024 OK 9 19 0 2 4 Stack Member PC8024F PC8024F OK 9 1...

Page 169: ...uring a PowerConnect 8024F switch on a stand alone PowerConnect 8024 switch To configure the switch 1 View the list of SIDs to determine which SID identifies the switch to preconfigure console show supported switchtype 2 Preconfigure the 8024F switch SID 2 as member number 2 in the stack console configure console config stack console config stack member 2 2 console config stack exit console config...

Page 170: ...e fields have been omitted from the following output due to space limitations console show switch SW Management Status Standby Status Preconfig Model ID Plugged in Model ID Switch Status Code Version 1 Mgmt Sw PC8024 PC8024 OK M 10 2 2 Unassigned PC8024F Not Present 0 0 0 0 ...

Page 171: ... same VLAN Spanning tree is enabled on the VLAN Assume spanning tree selects AS1 as the root bridge Assume the LAG to AS1 is the root port on the stack and the LAG to AS2 is discarding Unit 1 is the stack master If unit 1 fails the stack removes the Unit 1 link to AS1 from its LAG The stack forwards outgoing packets through the Unit 2 link to AS1 during the failover During the failover the stack c...

Page 172: ...ng the remaining LAG member If phone B has learned VLAN or priority parameters through LLDP MED it continues to use those parameters The stack resumes sending LLDPDUs with MED TLVs once the control plane restarts Phone B may miss an LLDPDU from the stack but should not miss enough PDUs to revert its VLAN or priority assuming the administrator has not reduced the LLDPDU interval or hold count If ph...

Page 173: ...ce IP address and source MAC address Dynamic ARP Inspection DAI uses the bindings database to verify that ARP messages contain a valid sender IP address and sender MAC address DHCP snooping checkpoints its bindings database Figure 9 14 NSF and DHCP Snooping If the stack master fails all hosts connected to that unit lose network access until that unit reboots The hardware on surviving units continu...

Page 174: ...ccess switch the hardware traps ARP packets to the CPU on untrusted ports During a restart the control plane drops ARP packets Thus new traffic sessions may be briefly delayed until after the control plane restarts If IPSG is enabled and a DHCP binding is not checkpointed to the backup unit before the failover that host will not be able to send data packets until it renews its IP address lease wit...

Page 175: ...n on its backup NIC to a different IP address on the disk array The hardware forwards the packets to establish this new session but assuming the session is established before the control plane is restarted on the backup unit the new session receives no priority treatment in the hardware Session B remains established and fully functional throughout the restart and continues to receive priority trea...

Page 176: ...e LSAs to inform its OSPF neighbors the aggregation routers that it is going through a graceful restart The grace LSAs reach the neighbors before they drop their adjacencies with the access router PIM starts sending hello messages to its neighbors on the aggregation routers using a new generation ID to prompt the neighbors to quickly resend multicast routing information PIM neighbors recognize the...

Page 177: ...hes and the control plane deletes any stale unicast routes not relearned at this point The forwarding plane reconciles L3 multicast hardware tables Throughout the process the hosts continue to receive their multicast streams possibly with a short interruption as the top aggregation router learns that one of its LAG members is down The hosts see no more than a 50 ms interruption in unicast connecti...

Page 178: ...178 Managing a Switch Stack ...

Page 179: ...A Overview Authentication Authorization Accounting Authentication Examples Authorization Examples Using RADIUS Servers to Control Management Access Using TACACS Servers to Control Management Access Default Configurations AAA Overview AAA is a framework for configuring management security in a consistent way Three services make up AAA Authentication Validates the user identity Authentication takes ...

Page 180: ...r is not AAA gives the user flexibility in configuration by allowing different method lists to be assigned to different access lines In this way it is possible to configure different security requirements for the serial console than for telnet for example Methods A method performs the configured service Not every method is available for every service Some methods require a username and password an...

Page 181: ... the RADIUS and TACACS protocols respectively These methods can return an error if the switch is unable to contact the server Access Lines There are five access lines console telnet SSH HTTP and HTTPS HTTP and HTTPS are not configured using AAA method lists Instead the authentication list for HTTP and HTTPS is configured directly authorization and accounting are not supported The default method li...

Page 182: ... Configuring Port and System Security on page 469 Table 10 2 shows the valid methods for each type of authentication Authorization Authorization is used to determine which services the user is allowed to access For example the authorization process may assign a user s privilege level which determines the set of commands the user can execute There are three kinds of authorization commands exec and ...

Page 183: ...iles The Administrative Profiles feature allows the network administrator to define a list of rules that control the CLI commands available to a user These rules are collected in a profile The rules in a profile can define the set of commands or a command mode to which a user is permitted or denied access Within a profile rule numbers determine the order in which the rules are applied When a user ...

Page 184: ...ion or if exec authorization assigns a privilege level the user is permitted access to all commands This is also true if none of the administrative profiles provided are configured on the switch If some but not all of the profiles provided in the authentication are configured on the switch then the user is assigned the profiles that exist and a message is logged that indicates which profiles could...

Page 185: ...login loc local line telnet login authentication loc exit username guest password password passwords strength minimum numeric characters 2 passwords strength minimum character classes 4 passwords strength check username admin password paSS1 word2 privilege 15 passwords lock out 3 The following describes each line of this code The aaa authentication login loc local command creates a login authentic...

Page 186: ...sword paSS1 word2 privilege 15 command creates a user with the name admin and password paSS1 word2 This user is enabled for privilege level 15 Note that because password strength checking was enabled the password was required to have at least two numeric characters one uppercase character one lowercase character and one special character The passwords lock out 3 command locks out a local user afte...

Page 187: ...2 3 4 command is the first step in defining a TACACS server at IP address 1 2 3 4 The result of this command is to place the user in tacacs server mode to allow further configuration of the server The key secret command defines the shared secret This must be the same as the shared secret defined on the TACACS server The line telnet command enters the configuration mode for the telnet line The logi...

Page 188: ... an enable authentication list called raden that contains the method radius If this method fails then the user will fail to execute the enable command The radius server host 1 2 3 4 command is the first step in defining a RADIUS server at IP address 1 2 3 4 The result of this command is to place the user in radius server mode to allow further configuration of the server The key secret command defi...

Page 189: ...uch that a user can enter privileged EXEC mode directly aaa authorization exec locex local line telnet authorization exec locex exit With the users that were previously configured the guest user will still log into user EXEC mode since the guest user only has privilege level 1 the default The admin user will be able to login directly to privileged EXEC mode since his privilege level was configured...

Page 190: ...privilege level 15 so assigning a user a lower privilege level will be of no value A privilege level greater than 15 is invalid and treated as if privilege level zero had been supplied The shell service must be enabled on the TACACS server If this service is not enabled authorization will fail and the user will be denied access to the switch TACACS Authorization Example Administrative Profiles The...

Page 191: ... command accounting rule 89 permit command configure rule 88 permit command password rule 87 permit command username rule 86 permit command show user rule 85 permit command radius server rule 84 permit command tacacs server rule 83 permit mode radius auth config rule 82 permit mode radius acct config rule 81 permit mode tacacs config exit The following describes each line in the above configuratio...

Page 192: ...time the user enters a command a request is sent to the TACACS server to ask if the user is permitted to execute that command Exec authorization does not need to be configured to use per command authorization Apply the following configuration to use TACACS to authorize commands aaa authorization commands taccmd tacacs line telnet authorization commands taccmd exit The following describes each line...

Page 193: ...in the above configuration The aaa authorization exec rad radius command creates an exec authorization method list called rad that contains the method radius The authorization exec rad command assigns the rad exec authorization method list to be used for users accessing the switch via telnet Notes If the privilege level is zero that is blocked then authorization will fail and the user will be deni...

Page 194: ...kup servers are contacted How Does RADIUS Control Management Access Many networks use a RADIUS server to maintain a centralized user database that contains per user authentication information RADIUS servers provide a centralized authentication method for Telnet Access Web Access Console to Switch Access Access Control Port 802 1X Like TACACS RADIUS access control utilizes a database of user inform...

Page 195: ...d prompts the user for a name and password The switch encrypts the supplied information and a RADIUS client transports the request to a pre configured RADIUS server Figure 10 1 RADIUS Topology The server can authenticate the user itself or make use of a back end device to ascertain authenticity In either case a response may or may not be forthcoming to the client If the server accepts the user it ...

Page 196: ...butes on the RADIUS server s when utilizing the switch RADIUS service NOTE To set the privilege level it is recommended to use the Service Type attribute instead of the Cisco AV pair priv lvl attribute Table 10 5 Supported RADIUS Attributes Type RADIUS Attribute Name 802 1X User Manager Captive Portal 1 USER NAME Yes Yes No 2 USER PASSWORD Yes Yes No 4 NAS IP ADDRESS Yes No No 5 NAS PORT Yes Yes N...

Page 197: ...lient for Accounting Yes No 46 ACCT SESSION TIME Yes Yes No 49 ACCT TERMINATECAUSE Yes No No 52 ACCT INPUTGIGAWORDS Yes No No 53 ACCT OUTPUTGIGAWORDS Yes No No 61 NAS PORT TYPE Yes No No 64 TUNNEL TYPE Yes No No 65 TUNNEL MEDIUM TYPE Yes No No 79 EAP MESSAGE Yes No No 80 MESSAGEAUTHENTICAT OR Set by RADIUS client for Accounting Yes No 81 TUNNEL PRIVATEGROUP ID Yes No No Table 10 5 Supported RADIUS...

Page 198: ...ERMINATION ACTION Indication as to the action taken when the service is completed EAP MESSAGE Contains an EAP message to be sent to the user This is typically used for MAB clients VENDOR SPECIFIC The following Cisco AV Pairs are supported shell priv lvl shell roles FILTER ID Name of the filter list for this user TUNNEL TYPE Used to indicate that a VLAN is to be assigned to the user when set to tun...

Page 199: ...nd a user attempts to access the user interface on the switch the switch prompts for the user login credentials and requests services from the TACACS client The client then uses the configured list of servers for authentication and provides results back to the switch Figure 10 2 shows an example of access management using TACACS Figure 10 2 Basic TACACS Topology You can configure the TACACS server...

Page 200: ...a Which TACACS Attributes Does the Switch Support Table 10 6 lists the TACACS attributes that the switch supports and indicates whether the authorization or accounting service supports sending or receiving the attribute The authentication service does not use attributes You can configure these attributes on the TACACS server s when utilizing the switch TACACS service Table 10 6 Supported TACACS At...

Page 201: ...ntication login defaultList none Authentication login networkList local Authentication enable enableList enable none Authentication enable enableNetList enable Authorization exec dfltExecAuthList none Authorization commands dfltCmdAuthList none Accounting exec dfltExecList tacacs start stop Accounting commands dfltCmdList tacacs stop only Table 10 8 Default AAA Methods AAA Service type Console Tel...

Page 202: ...ccess Line Authentication Authorization HTTP local n a HTTPS local n a 802 1X none none Table 10 10 Default Administrative Profiles Name Description network admin Allows access to all commands network security Allows access to network security features such as 802 1X Voice VLAN Dynamic ARP Inspection and IP Source Guard router admin Allows access to Layer 3 features such as IPv4 Routing IPv6 Routi...

Page 203: ...orization and Accounting 203 CP admin Allows access to the Captive Portal feature network operator Allows access to all User EXEC mode commands and show commands Table 10 10 Default Administrative Profiles Continued Name Description ...

Page 204: ...204 Configuring Authentication Authorization and Accounting ...

Page 205: ...s Monitored The CLI and web based interfaces provide information about physical aspects of the switch such as system health and cable diagnostics as well as information about system events such as management login history The switch also reports system resource usage The system logging utility can monitor a variety of events including the following System events System state changes and errors tha...

Page 206: ...M log or buffered log When the RAM log file reaches the configured maximum size the oldest message is deleted from the RAM when a new message is added If the system restarts all messages are cleared In addition to the RAM log you can specify that log files are sent to the following sources Console If you are connected to the switch CLI through the console port messages display to the screen as the...

Page 207: ...s the first 32 messages received after system reboot The log file stops when it is full The second log type is the system operation log The system operation log stores the last 1000 messages received during system operation The oldest messages are overwritten when the file is full A message is only logged in one file On system startup if the Log file is enabled the startup log stores messages up t...

Page 208: ...irst part of the log message up to the first left bracket is fixed by the Syslog standard RFC 3164 The second part up to the two percent signs is standardized for all Dell PowerConnect logs The variable text of the log message follows The log message is limited to 96 bytes Each log message uses the following format PRI This consists of the facility code see RFC 3164 multiplied by 8 and added to th...

Page 209: ...ng on the switch Default Log Settings System logging is enabled and messages are sent to the console severity level warning and above and RAM log severity level informational and above Switch auditing CLI command logging Web logging and SNMP logging are disabled By default no messages are sent to the log file that is stored in flash and no remote log servers are defined Email alerting is disabled ...

Page 210: ...mation The Device Information page displays after you successfully log on to the switch by using the Dell OpenManage Switch Administrator This page is a virtual representation of the switch front panel Use the Device Information page to view information about the port status or system status Click on a port to access the Port Configuration page for the selected port To display the Device Informati...

Page 211: ...stem Information 211 System Health Use the Health page to view status information about the switch power and ventilation sources To display the Health page click System General Health in the navigation panel Figure 11 2 Health ...

Page 212: ...mation System Resources Use the System Resources page to view information about memory usage and task utilization To display the System Resources page click System General System Resources in the navigation panel Figure 11 3 System Resources ...

Page 213: ...ime Domain Reflectometry TDR technology to test the quality and characteristics of a copper cable attached to a port Cables up to 120 meters long can be tested Cables are tested when the ports are in the down state with the exception of the Approximated Cable Length test SFP SFP and QSFP cables with passive copper assemblies are not capable of performing TDR tests To display the Integrated Cable T...

Page 214: ... Cable Test Summary Optical Transceiver Diagnostics Use the Optical Transceiver Diagnostics page to perform tests on Fiber Optic cables To display the Optical Transceiver Diagnostics page click System Diagnostics Optical Transceiver Diagnostics in the navigation panel NOTE Optical transceiver diagnostics can be performed only when the link is present ...

Page 215: ...ging System Information 215 Figure 11 6 Optical Transceiver Diagnostics To view a summary of all optical transceiver diagnostics tests performed click the Show All link Figure 11 7 Optical Transceiver Diagnostics Summary ...

Page 216: ...nd flash based log file The Severity table lists log messages from the highest severity Emergency to the lowest Debug When you select a severity level all higher levels are automatically selected To prevent log messages from being sent to the console RAM log or flash log file clear all check boxes in the Severity column To display the Global Settings page click System Logs Global Settings in the n...

Page 217: ... the RAM Log page to view information about specific RAM cache log entries including the time the log was entered the log severity and a description of the log To display the RAM Log click System Logs RAM Log in the navigation panel Figure 11 9 RAM Log Table ...

Page 218: ... description of the log To display the Log File click System Logs Log File in the navigation panel Figure 11 10 Log File Remote Log Server Use the Remote Log Server page to view and configure the available log servers to define new log servers and to set the severity of the log events sent to the server To display the Remote Log Server page click System Logs Remote Log Server ...

Page 219: ... Remote Log Server Adding a New Remote Log Server To add a log server 1 Open the Remote Log Server page 2 Click Add to display the Add Remote Log Server page 3 Specify the IP address or hostname of the remote server 4 Define the UDP Port and Description fields ...

Page 220: ... Log Server 5 Select the severity of the messages to send to the remote server 6 Click Apply Click the Show All link to view or remove remote log servers configured on the system NOTE When you select a severity level all higher severity levels are automatically selected ...

Page 221: ...ration page to enable the email alerting feature and configure global settings so that system log messages can be sent to from the switch to one or more email accounts To display the Email Alert Global Configuration page click System Email Alerts Email Alert Global Configuration in the navigation panel Figure 11 14 Email Alert Global Configuration ...

Page 222: ...ail alert messages To display the Email Alert Mail Server Configuration page click System Email Alerts Email Alert Mail Server Configuration in the navigation panel Figure 11 15 Email Alert Mail Server Configuration Adding a Mail Server To add a mail server 1 Open the Email Alert Mail Server Configuration page 2 Click Add to display the Email Alert Mail Server Add page 3 Specify the hostname of th...

Page 223: ... Click Apply 5 If desired click Configuration to return to the Email Alert Mail Server Configuration page to specify port and security settings for the mail server Click the Show All link to view or remove mail servers configured on the switch Figure 11 17 Show All Mali Servers ...

Page 224: ... sent by the switch You can customize the subject for the message severity and entry status To display the Email Alert Subject Configuration page click System Email Alerts Email Alert Subject Configuration in the navigation panel Figure 11 18 Email Alert Subject Configuration To view all configured email alert subjects click the Show All link Figure 11 19 View Email Alert Subjects ...

Page 225: ...sent You can configure multiple recipients and associate different message severity levels with different recipient addresses To display the Email Alert To Address Configuration page click System Email Alerts Email Alert To Address Configuration in the navigation panel Figure 11 20 Email Alert To Address Configuration To view configured recipients click the Show All link ...

Page 226: ... Alert Statistics Use the Email Alert Statistics page to view the number of emails that were successfully and unsuccessfully sent and when emails were sent To display the Email Alert Statistics page click System Email Alerts Email Alert Statistics in the navigation panel Figure 11 22 Email Alert Statistics ...

Page 227: ...commands to view system health and resource information Running Cable Diagnostics Beginning in Privileged EXEC mode use the following commands to run the cable diagnostic tests Command Purpose show system Display various system information show system power Displays the power supply status show system temperature Displays the system temperature and fan status show memory cpu Displays the total and...

Page 228: ... tdr command will bring the interface down The interface is specified in unit slot port format show copper ports tdr interface Display the diagnostic information collected by the test copper port tdr command for all copper interfaces or a specific interface show fiber ports optical transceiver interface Display the optical transceiver diagnostics for all fiber ports Include the interface option to...

Page 229: ...isc name Optional Include a message discriminator to help filter log messages The disc name can contain up to eight alphanumeric characters Spaces are not permitted severity Optional Enter the number or name of the desired severity level For information about severity levels see Table 11 1 logging facility facility type Set the facility for logging messages Permitted facility type values are local...

Page 230: ...n mode for the specified log server description description Describe the log server Use up to 64 characters If the description includes spaces surround it with quotation marks level severity Specify the severity level of the logs that should be sent to the remote log server For information about severity levels see Table 11 1 port udp port Specify the UDP port to use for sending log messages The r...

Page 231: ...nfiguration mode for the mail server security tlsvl none Optional Specify the security protocol to use with the mail server port 25 465 Configure the TCP port to use for SMTP which can be 25 SMTP or 465 SMTP over SSL username username If the SMTP server requires authentication specify the username to use for the switch The same username and password settings must be configured on the SMTP host pas...

Page 232: ...For information about severity levels see Table 11 1 Log messages below the specified level are not emailed logging email urgent severity none Determine which log messages are critical and should be sent in a single email as soon as they are generated severity Optional Enter the number or name of the severity level for critical messages For information about severity levels see Table 11 1 logging ...

Page 233: ...recipient to verify that the feature is properly configured CTRL Z Exit to Privileged EXEC mode show logging email config View the configured settings for email alerts show logging email statistics View information about the number of emails sent and the time they were sent clear logging email statistics Clear the email alerting statistics Command Purpose ...

Page 234: ...n the console and sent to a remote syslog server To configure the switch 1 Enable switch auditing and CLI command logging console configure console config logging audit console config logging cli command 2 Specify where the logs are sent locally and what severity level of message is to be logged You can specify the severity as the level number as shown in the first two commands or as the keyword s...

Page 235: ...ges 973 Dropped CLI Command Logging enabled Switch Auditing enabled Web Session Logging disabled SNMP Set Command Logging disabled Syslog server 192 168 2 10 logging debug Messages 0 dropped 412 Messages dropped due to lack of resources Buffer Log 186 FEB 02 05 53 03 0 0 0 0 1 UNKN 1073741088 bootos c 232 1 Event 0xaaaaaaaa 189 FEB 02 05 53 03 0 0 0 0 1 UNKN 1073741088 bootos c 248 2 Starting code...

Page 236: ...milar to the following Figure 11 23 Email Alert Message Format For emergency level messages the subject is LOG MESSAGE EMERGENCY For messages with a severity level of alert critical and error the subject is LOG MESSAGE To configure the switch 1 Specify the mail server to use for sending messages console configure console config mail server ip address 192 168 2 34 2 Configure the username and passw...

Page 237: ...t that will appear in the email alert Subject line console config logging email message type urgent subject LOG MESSAGES EMERGENCY console config logging email message type non urgent subject LOG MESSAGES 7 Verify the configuration console show mail server all config Mail Servers Configuration No of mail servers configured 1 Email Alert Mail Server Address 192 168 2 34 Email Alert Mail Server Port...

Page 238: ...ation Email Alert To Address Table For Msg Type 1 Address1 administrator dell com For Msg Type 2 Address1 administrator dell com Email Alert Subject Table For Msg Type 1 subject is LOG MESSAGES EMERGENCY For Msg Type 2 subject is LOG MESSAGE ...

Page 239: ...e 12 1 This information helps identify the switch Table 12 1 System Information Feature Description System Name The switch name host name If you change the system name the CLI prompt changes from console to the system name System contact Identifies the person to contact for information regarding the switch System location Identifies the physical location of the switch Asset tag Uniquely identifies...

Page 240: ...n about the switch status For example if multiple users connect to the switch the message of the day MOTD banner might alert everyone who connects to the switch about a scheduled switch image upgrade Table 12 2 Time Settings Feature Description SNTP Controls whether the switch obtains its system time from an SNTP server and whether communication with the SNTP server requires authentication and enc...

Page 241: ...mplate and the per template maximum value of the parameter SDM Template Configuration Guidelines When you configure the switch to use an SDM template that is not currently in use you must reload the switch for the configuration to take effect If the IPv4 Routing or IPv4 Data Center template is currently in use and you attempt to configure IPv6 routing features without first selecting the Dual IPv4...

Page 242: ...e switch is a Stratum 4 device You can configure the switch to request the time from an SNTP server on the network or you can allow the switch to receive SNTP broadcasts Requesting the time from a unicast SNTP server is more secure Use this method if you know the IP address of the SNTP server on your network If you allow the switch to receive SNTP broadcasts any clock synchronization information i...

Page 243: ...t 8000 8100 series switch For details about the fields on a page click at the top of the page System Information Use the System Information page to configure the system name contact name location and asset tag To display the System Information page click System General System Information in the navigation panel Figure 12 1 System Information NOTE From the System Information page you can also initi...

Page 244: ...neral System Information page click the Telnet link 2 Click the Telnet button Figure 12 2 Telnet 3 Select the Telnet client and click OK NOTE The Telnet client feature does not work with Microsoft Windows Internet Explorer 7 and later versions Initiating this feature from any browser running on a Linux operating system is not supported ...

Page 245: ...Managing General System Settings 245 Figure 12 3 Select Telnet Client The selected Telnet client launches and connects to the switch CLI Figure 12 4 Telnet Session ...

Page 246: ...igure a message for the switch to display when a user connects to the switch by using the CLI You can configure different banners for various CLI modes and access methods To display the CLI Banner page click System General CLI Banner in the navigation panel Figure 12 5 CLI Banner ...

Page 247: ...ate resource settings and to select the template that the switch uses If you select a new SDM template for the switch to use you must reboot the switch before the template is applied To display the SDM Template Preference page click System General SDM Template Preference in the navigation panel Figure 12 6 SDM Template Preference ...

Page 248: ...the Clock page The Clock page also displays information about the time settings configured on the switch To display the Clock page click System Time Synchronization Clock in the navigation panel Figure 12 7 Clock NOTE The system time cannot be set manually if the SNTP client is enabled Use the SNTP Global Settings page to enable or disable the SNTP client ...

Page 249: ...or disable the SNTP client configure whether and how often the client sends SNTP requests and determine whether the switch can receive SNTP broadcasts To display the SNTP Global Settings page click System Time Synchronization SNTP Global Settings in the navigation panel Figure 12 8 SNTP Global Settings ...

Page 250: ... to remove the selected encryption key ID Click System Time Synchronization SNTP Authentication in the navigation panel to display the SNTP Authentication page Figure 12 9 SNTP Authentication Adding an SNTP Authentication Key To configure SNTP authentication 1 Open the SNTP Authentication page 2 Click the Add link NOTE The SNTP server must be configured with the same authentication information to ...

Page 251: ... be used to authenticate a unicast SNTP server select the Trusted Key check box If the check box is clear the key is untrusted and cannot be used for authentication 5 Click Apply The SNTP authentication key is added and the device is updated To view all configured authentication keys click the Show All link The Authentication Key Table displays You can also use the Authentication Key Table to remo...

Page 252: ...TP servers and to add new SNTP servers that the switch can use for time synchronization The switch can accept time information from both IPv4 and IPv6 SNTP servers To display the SNTP Server page click System Time Synchronization SNTP Server in the navigation panel If no servers have been configured the fields in the following image are not displayed ...

Page 253: ...Managing General System Settings 253 Figure 12 12 SNTP Servers Defining a New SNTP Server To add an SNTP server 1 Open the SNTP Servers page 2 Click Add The Add SNTP Server page displays ...

Page 254: ...address IPv6 address or a hostname DNS 5 If you require authentication between the SNTP client on the switch and the SNTP server select the Encryption Key ID check box and then select the key ID to use To define a new encryption key see Adding an SNTP Authentication Key on page 250 NOTE The SNTP server must be configured with the same authentication information to allow time synchronization to tak...

Page 255: ...em Settings 255 To view all configured SNTP servers click the Show All link The SNTP Server Table displays You can also use the SNTP Server Table page to remove or edit existing SNTP servers Figure 12 14 SNTP Servers Table ...

Page 256: ...page click System Time Synchronization Summer Time Configuration in the navigation panel Figure 12 15 Summer Time Configuration To use the preconfigured summer time settings for the United States or European Union select the Recurring check box and specify USA or EU from the Location menu NOTE The fields on the Summer Time Configuration page change when you select or clear the Recurring check box ...

Page 257: ...igure time zone information including the amount time the local time is offset from UTC and the acronym that represents the local time zone To display the Time Zone Configuration page click System Time Synchronization Time Zone Configuration in the navigation panel Figure 12 16 Time Zone Configuration ...

Page 258: ...l System Settings Slot Summary Use the Slot Summary page to view information about the expansion slot status To display the Slot Summary page click Switching Slots Summary in the navigation panel Figure 12 17 Slot Summary ...

Page 259: ...pported Cards Use the Supported Cards page to view information about the supported plug in modules for the switch To display the Supported Cards page click Switching Slots Supported Cards in the navigation panel Figure 12 18 Supported Cards ...

Page 260: ...EC mode use the following commands to configure system information Command Purpose configure Enter Global Configuration mode hostname name Configure the system name The CLI prompt changes to the host name after you execute the command snmp server contact name Configure the name of the switch administrator If the name contains a space use quotation marks around the name snmp server location locatio...

Page 261: ...sage that displays when you connect to the switch motd and login or enter User EXEC mode exec Use quotation marks around a message if it includes spaces line telnet ssh console Enter the terminal line configuration mode for Telnet SSH or the console motd banner Specify that the configured MOTD banner displays To prevent the banner from displaying enter no motd banner exec banner Specify that the c...

Page 262: ... with the same authentication information to allow time synchronization to take place between the two devices Command Purpose configure Enter Global Configuration mode sdm prefer dual ipv4 and ipv6 default ipv4 routing data center default Select the SDM template to apply to the switch after the next boot CTRL Z Exit to Privileged EXEC mode show sdm prefer template View information about the SDM te...

Page 263: ... determines which server the switch polls first The priority is 1 8 where 1 is the highest priority If you do not specify a priority the servers are polled in the order that they are entered key_id Optional Enter an authentication key to use The key must be previously defined by the sntp authentication key command sntp unicast broadcast client enable This command enables the SNTP client and allows...

Page 264: ... 13 minutes offset Minutes difference from UTC Range 0 59 acronym The acronym for the time zone Range Up to four characters clock summer time recurring usa eu week day month hh mm week day month hh mm offset offset zone acronym Use this command if the summer time starts and ends every year based on a set pattern For switches located in the United States or European Union use the usa or eu keywords...

Page 265: ...ange 1 31 month Month Range The first three letters by name hh mm Time in 24 hour format in hours and minutes Range hh 0 23 mm 0 59 offset Number of minutes to add during the summertime Range 1 1440 acronym The acronym for the time zone to be displayed when summertime is in effect Range Up to four characters CTRL Z Exit to Privileged EXEC mode show clock detail View information about the time Incl...

Page 266: ... other switch administrators of the connected topology To configure the switch 1 Configure the hosts name console configure console config hostname PC8024 2 Configure the contact location and asset tag Notice that the prompt changed to the host name PC8024 config snmp server contact Jane Doe PC8024 config snmp server location RTP100 PC8024 config asset tag 006429 3 Configure the message that displ...

Page 267: ...001E C9AA AA07 System Object ID 1 3 6 1 4 1 674 10895 3035 System Model ID PC8024 Machine Type PowerConnect PC8024 Temperature Sensors Temperature Sensors Unit Description Temperature Status Celsius 1 CPU 33 Good 1 MAC 39 Good 1 Left PHY 32 Good 1 Right PHY 33 Good Fans Unit Description Status 1 Fan 1 OK 1 Fan 2 OK 1 Fan 3 OK ...

Page 268: ...e 1 Secondary OK 97 6 97 8 01 10 2031 15 59 05 5 View additional information about the system PC8024 show system id Service Tag 0000000 Chassis Service Tag Serial Number TW282987BK0002 Asset Tag 111222 Unit Service tag Chassis Serv tag Serial number Asset tag 1 0000000 TW282987BK0002 111222 6 Initiate a new Telnet session to verify the MOTD Figure 12 19 Verify MOTD ...

Page 269: ...3456465 md5 sntpkey console config sntp trusted key 23456465 console config sntp authenticate 2 Specify the IP address of the SNTP server to poll and include the authentication key This command automatically enables polling and sets the priority to 1 console config sntp server 192 168 10 30 key 23456465 console config sntp unicast client enable 3 Verify the configuration console show sntp configur...

Page 270: ...l System Settings 4 View the SNTP status on the switch console show sntp status Client Mode Unicast Last Update Time MAR 01 09 12 43 2010 Unicast servers Server Status Last response 192 168 10 30 Other 09 12 43 Mar 1 2011 ...

Page 271: ...ure console config clock timezone 5 zone EST 2 Configure the summer time daylight saving time to use the preconfigured settings for the United States console config clock summer time recurring us 3 Set the local time and date console config clock set 16 13 06 03 01 2010 4 Verify the time settings console show clock detail 00 27 19 EST UTC 5 00 Feb 3 2039 No time source Time zone Acronym is EST Off...

Page 272: ...272 Managing General System Settings ...

Page 273: ...ent of a device through communication between an SNMP manager and an SNMP agent on the remote device The SNMP manager is typically part of a Network Management System NMS that runs on an administrative host The switch software includes Management Information Base MIB objects that the SNMP agent queries and modifies The switch uses standard public MIBs and private MIBs A MIB acts as a structured ro...

Page 274: ...hentication Timeliness Protects against message delay or message redundancy The SNMP agent compares incoming message to the message time information Key Management Defines key generation key updates and key use Authentication or Privacy Keys are modified in the SNMPv3 User Security Model USM What Are SNMP Traps SNMP is frequently used to monitor systems for fault conditions such as temperature vio...

Page 275: ... software to manage or monitor other devices on your network it might not be necessary to configure SNMP on the switch Default SNMP Values By default SNMPv2 is automatically enabled on the device SNMPv1 and SNMPv3 are disabled To enable SNMPv3 you must define a local engine ID for the device The local engineID is by default set to the switch MAC address This local engineID must be defined so that ...

Page 276: ...bled Table 13 2 SNMP Default Views View Name OID Subtree View Type Default iso Included snmpVacmMIB Excluded usmUser Excluded snmpCommunityTable Excluded DefaultSuper iso Included Table 13 3 SNMP Default Groups Group Name Security Level Read Write Notify DefaultRead No Auth No Priv Default Default DefaultWrite No Auth No Priv Default Default Default DefaultSuper No Auth No Priv DefaultSuper Defaul...

Page 277: ...age click at the top of the page SNMP Global Parameters Use the Global Parameters page to enable SNMP and Authentication notifications To display the Global Parameters page click System SNMP Global Parameters in the navigation panel Figure 13 1 SNMP Global Parameters NOTE For some features the control to enable or disable traps is available from a configuration page for that feature and not from t...

Page 278: ...ccessible and which are blocked You can create a view that includes or excludes OIDs corresponding to interfaces To display the View Settings page click System SNMP View Settings in the navigation panel Figure 13 2 SNMP View Settings Adding an SNMP View To add a view 1 Open the View Settings page 2 Click Add The Add View page displays ...

Page 279: ...gure 13 3 Add View 3 Specify a name for the view and a valid SNMP OID string 4 Select the view type 5 Click Apply The SNMP view is added and the device is updated Click Show All to view information about configured SNMP Views ...

Page 280: ... network managers to assign access rights to specific device features or features aspects To display the Access Control Group page click System SNMP Access Control in the navigation panel Figure 13 4 SNMP Access Control Group Adding an SNMP Group To add a group 1 Open the Access Control Configuration page 2 Click Add The Add an Access Control Configuration page displays ...

Page 281: ...s Control Group 3 Specify a name for the group 4 Select a security model and level 5 Define the context prefix and the operation 6 Click Apply to update the switch Click Show All to view information about existing access control configurations ...

Page 282: ...Security Model in the navigation panel Figure 13 6 SNMPv3 User Security Model Adding Local SNMPv3 Users to a USM To add local users 1 Open the User Security Model page 2 Click Add Local User The Add Local User page displays NOTE You can also use the Local User Database page under Management Security to configure SNMPv3 settings for users For more information see Configuring Authentication Authoriz...

Page 283: ... update the switch Click Show All to view the User Security Model Table which contains information about configured Local and Remote Users Adding Remote SNMPv3 Users to a USM To add remote users 1 Open the SNMPv3 User Security Model page 2 Click Add Remote User The Add Remote User page displays ...

Page 284: ...SNMP Figure 13 8 Add Remote Users 3 Define the relevant fields 4 Click Apply to update the switch Click Show All to view the User Security Model Table which contains information about configured Local and Remote Users ...

Page 285: ...ames are changed access rights are also changed SNMP Communities are defined only for SNMP v1 and SNMP v2 To display the Communities page click System SNMP Communities in the navigation panel Figure 13 9 SNMP Communities Adding SNMP Communities To add a community 1 Open the Communities page 2 Click Add The Add SNMPv1 2 Community page displays ...

Page 286: ...f an SNMP management station and the community string to act as a password that will authenticate the management station to the SNMP agent on the switch 4 Select the access mode 5 Click Apply to update the switch Click Show All to view the communities that have already been configured ...

Page 287: ...or a feature aspect The Notification Filter page also allows you to filter notifications To display the Notification Filter page click System SNMP Notification Filters in the navigation panel Figure 13 11 SNMP Notification Filter Adding a Notification Filter To add a filter 1 Open the Notification Filter page 2 Click Add The Add Filter page displays ...

Page 288: ...n about the filters that have already been configured Notification Recipients Use the Notification Recipients page to view information for defining filters that determine whether traps are sent to specific users and the trap type sent SNMP notification filters provide the following services Identifying Management Trap Targets Trap Filtering Selecting Trap Generation Parameters Providing Access Con...

Page 289: ...Configuring SNMP 289 Figure 13 13 SNMP Notification Recipient Adding a Notification Recipient To add a recipient 1 Open the Notification Recipient page 2 Click Add The Add Recipient page displays ...

Page 290: ... notifications 4 Select whether to send traps or informs to the specified recipient 5 Define the relevant fields for the SNMP version you use 6 Configure information about the port on the recipient 7 Click Apply to update the switch Click Show All to view information about the recipients that have already been configured ...

Page 291: ...disable When the condition identified by an active trap is encountered by the switch a trap message is sent to any enabled SNMP Trap Receivers and a message is written to the trap log To access the Trap Flags page click Statistics RMON Trap Manager Trap Flags in the navigation panel Figure 13 15 Trap Flags ...

Page 292: ...disable When the condition identified by an active trap is encountered by the switch a trap message is sent to any enabled SNMP Trap Receivers and a message is written to the trap log To access the OSPFv2 Trap Flags page click Statistics RMON Trap Manager OSPFv2 Trap Flags in the navigation panel Figure 13 16 OSPFv2 Trap Flags ...

Page 293: ...disable When the condition identified by an active trap is encountered by the switch a trap message is sent to any enabled SNMP Trap Receivers and a message is written to the trap log To access the OSPFv3 Trap Flags page click Statistics RMON Trap Manager OSPFv3 Trap Flags in the navigation panel Figure 13 17 OSPFv3 Trap Flags ...

Page 294: ...og page is used to view entries that have been written to the trap log To access the Trap Log page click Statistics RMON Trap Manager Trap Log in the navigation panel Figure 13 18 Trap Logs Click Clear to delete all entries from the trap log ...

Page 295: ... on the command line is converted to an MD5 or SHA security digest This digest is based on both the password and the local engine ID The command line password is then destroyed as required by RFC 2274 Because of this deletion if the local value of engineID changes the security digests of SNMPv3 users will be invalid and the users will have to be reconfigured Beginning in Privileged EXEC mode use t...

Page 296: ...nd communities you can specify a view to associate with the group user or community view name Specifies the name of the view Range 1 30 characters oid tree Specifies the object identifier of the ASN 1 subtree to be included or excluded from the view To identify the subtree specify a text string consisting of numbers such as 1 3 6 2 4 or a word such as system Replace a single subidentifier with the...

Page 297: ...MP Version 2 security model v3 Indicates the SNMP Version 3 security model noauth Indicates no authentication of a packet Applicable only to the SNMP Version 3 security model auth Indicates authentication of a packet without encrypting it Applicable only to the SNMP Version 3 security model priv Indicates authentication of a packet with encryption Applicable only to the SNMP Version 3 security mod...

Page 298: ...to informs Range 5 32 characters auth md5 The HMAC MD5 96 authentication level auth sha The HMAC SHA 96 authentication level password A password Range 1 to 32 characters auth md5 key The HMAC MD5 96 authentication level Enter a pregenerated MD5 key auth sha key The HMAC SHA 96 authentication level Enter a pregenerated SHA key md5 key Character string length 32 hex characters sha key Character stri...

Page 299: ...me ipaddress ip_address Configure the community string and specify access criteria for the community community string Acts as a password and is used to authenticate the SNMP management station to the switch The string must also be defined on the NMS in order for the NMS to access the SNMP agent on the switch Range 1 20 characters ro Indicates read only access rw Indicates read write access view na...

Page 300: ...Community string that acts like a password and permits access to the SNMP protocol Range 1 20 characters group name Name of a previously defined group The group defines the objects available to the community Range 1 30 characters ip address Management station IP address Default is all IP addresses exit Exit to Privileged EXEC mode show snmp View SNMP settings and verify the configuration Command P...

Page 301: ...the CLI command help or see the CLI Command Reference snmp server filter filter name oid tree included excluded Configure a filter for SNMP traps and informs based on OIDs Each OID is linked to a device feature or a feature aspect filter name Specifies the label for the filter record that is being updated or created The name is used to reference the record Range 1 30 characters oid tree Specifies ...

Page 302: ...re resending informs The default is 15 seconds Range 1 300 characters retries Maximum number of times to resend an inform request The default is 3 attempts traps Indicates that SNMP traps are sent to this host version 1 Indicates that SNMPv1 traps will be used version 2 Indicates that SNMPv2 traps will be used community string Specifies a password like community string sent with the notification o...

Page 303: ...t without authentication auth Specifies authentication of a packet without encrypting it priv Specifies authentication and encryption of a packet seconds Number of seconds to wait for an acknowledgment before resending informs This is not allowed for hosts configured to send traps The default is 15 seconds Range 1 300 seconds retries Maximum number of times to resend an inform request This is not ...

Page 304: ... features that produce traps The traps are sent to the host with an IP address of 192 168 3 65 using the community string public To configure the switch 1 Configure the public community string console configure console config snmp server community public ro 2 Configure the private community string console config snmp server community private rw 3 Enable all traps and specify the IP address of the ...

Page 305: ...supplying the appropriate authentication credentials secretkey To configure the switch 1 Configure the view view_snmpv3 and specify the objects to include console configure console config snmp server view view_snmpv3 internet included 2 Create the group group_snmpv3 and allow read write access to the view configured in the previous step console config snmp server group group_snmpv3 v3 auth read vi...

Page 306: ...itch The output includes the SNMPv1 2 configuration in the previous example console show snmp Community String Community Access View Name IP Address private Read Write Default All public Read Only Default All Traps are enabled Authentication trap is enabled Version 1 2 notifications Version 3 notifications System Contact System Location Community String Group Name IP Address private DefaultWrite A...

Page 307: ... Read Views Write Notify DefaultRead V1 NoAuth NoPriv Default Default DefaultRead V2 NoAuth NoPriv Default Default DefaultSuper V1 NoAuth NoPriv DefaultSu per Default Super Default Super DefaultSuper V2 NoAuth NoPriv DefaultSu per Default Super Default Super DefaultWrite V1 NoAuth NoPriv Default Default Default DefaultWrite V2 NoAuth NoPriv Default Default Default group_snmpv3 V3 Auth NoPriv view_...

Page 308: ...308 Configuring SNMP ...

Page 309: ...files on the flash file system Table 14 1 describes the files that you can manage The table also lists the type of action you can take on the file which is one or more of the following Download the file to the switch from a remote system or USB flash drive on the PowerConnect 8100 series devices Upload the file from the switch to a remote system or USB flash drive on the PowerConnect 8100 series d...

Page 310: ... Upload Copy An additional configuration file that serves as a backup Configuration script Download Upload Text file with CLI commands When you activate a script on the switch the commands are executed and added to the running config Log files Upload Provides various information about events that occur on the switch For more information see Monitoring and Logging System Information SSH key files D...

Page 311: ...ation The switch can maintain three separate configuration files startup config running config and backup config The switch loads the startup config file when the switch boots Any configuration SSL certificate files Download Contains information to encrypt authenticate and validate HTTPS sessions The switch supports the following files for SSL SSL Trusted Root Certificate File PEM Encoded SSL Serv...

Page 312: ...n file from the switch to a remote server for the following reasons To create a backup copy To use the configuration file on another switch To manually edit the file You might download a configuration file from a remote server to the switch for the following reasons To restore a previous configuration To load the configuration copied from another switch To load the same configuration file on multi...

Page 313: ...ommand from the CLI to verify that a route exists between the switch and the remote system If you are downloading a file from the remote system to the switch be sure to provide the correct path to the file and the correct file name Managing Images When you download a new image to the switch it overwrites the backup image if it exists To use the new image you must activate it and reload the switch ...

Page 314: ...n scripting keep the following considerations and rules in mind The application of scripts is partial if the script fails For example if the script executes four of ten commands and the script fails the script stops at four and the final six commands are not executed Scripts cannot be modified or deleted while being applied Validation of scripts checks for syntax errors only It does not validate t...

Page 315: ...ation while the switch is operating are written to the running config These changes are not automatically written to the startup config When you reload the switch the startup config file is loaded If you reload the switch or if the switch resets unexpectedly any settings in the running config that were not explicitly saved to the startup config are lost You must save the running config to the star...

Page 316: ...es and files on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page File System Use the File System page to view a list of the files on the device and to modify the image file descriptions To display the File System page click System File Management File System in the navigation panel Figure 14 1 File System ...

Page 317: ... boot image it does not become the active image until you reset the switch To display the Active Images page click System File Management Active Images in the navigation panel Figure 14 2 Active Images NOTE On the PC8000 series switches the images are named image1 and image2 On the PC8100 series switches the images are named active and backup ...

Page 318: ...ed to the USB port on the front panel of the switch The page also displays information about the files stored on the USB flash drive To safely remove the USB flash drive from the USB port click Unmount USB before removing the drive To display the USB Flash Drive page click System File Management USB Flash Drive in the navigation panel Figure 14 3 USB Flash Drive ...

Page 319: ...configuration ASCII files from a remote server to the switch To display the File Download page click System File Management File Download in the navigation panel Figure 14 4 File Download Downloading Files To download a file to the switch 1 Open the File Download page 2 Select the type of file to download to the switch 3 Select the transfer mode ...

Page 320: ... of the server that contains the file to download the name of the file and the path on the server where it is located For SFTP and SCP provide the user name and password 6 Click Apply to begin the download Figure 14 5 File Download in Progress 7 The file is downloaded to the switch NOTE If you are using HTTPS to manage the switch the download method will be HTTPS NOTE After you start a file downlo...

Page 321: ...click System File Management File Upload in the navigation panel Figure 14 6 File Upload Uploading Files To upload a file from the switch to a remote system 1 Open the File Upload page 2 Select the type of file to download to the remote server 3 Select the transfer mode If you select a transfer mode that requires authentication additional fields appear in the Upload section If you select HTTP as t...

Page 322: ...for the file For SFTP and SCP provide the user name and password 6 Click Apply to begin the upload 7 The file is uploaded to the specified location on the remote server NOTE If you are using HTTPS to manage the switch the download method will be HTTPS NOTE For some file uploads and methods the page refreshes and a transfer status field appears to indicate the number of bytes transferred The web in...

Page 323: ...ge to the switch Copy the running startup or backup configuration file to the startup or backup configuration file Restore the running configuration to the factory default settings To display the Copy Files page click System File Management Copy Files in the navigation panel Figure 14 8 Copy Files ...

Page 324: ...ws how to use TFTP to download the image NOTE Upload download and copy functions use the copy command The basic syntax for the command is copy source destination This section shows several different ways to use the copy command Command Purpose copy tftp ip address hostname path file name image Use TFTP to download the firmware image at the specified source to the non active image If the image file...

Page 325: ... image after the switch resets Images on the PC8132 PC8164 are named active and backup For 8100 series switches use the following command boot system active backup reload Reboot the switch to make the new image the active image You are prompted to verify that you want to continue Command Purpose ...

Page 326: ...emove the specified file erase startup config backup image backup config Erase the startup configuration the backup configuration or the backup image copy startup config backup config Save the startup configuration to the backup configuration file copy running config startup config Copy the current configuration to the startup configuration This saves the current configuration to NVRAM show startu...

Page 327: ...evice Display USB flash device details dir usb Display USB device contents and memory statistics copy usb filename backup config image running config script filename startup config filename Copy the specified file from the USB flash device to the specified file in internal flash unmount usb Make the USB flash device inactive Command Purpose copy file scp user ip address hostname path file name Add...

Page 328: ...script dest name Downloads the specified script from the remote server to the switch Password entry After you enter the copy command the CLI prompts you for the password associated with the username script validate script name Checks the specified script for syntax errors The script is automatically validated when you download it to the switch You can validate again with this command script list V...

Page 329: ...s to prepare the download and then download and upgrade the switch image 1 Check the connectivity between the switch and the TFTP server console ping 10 27 65 103 Pinging 10 27 65 103 with 0 bytes of data Reply From 10 27 65 103 icmp_seq 0 time 10 msec Reply From 10 27 65 103 icmp_seq 1 time 10 msec Reply From 10 27 65 103 icmp_seq 2 time 10 msec Reply From 10 27 65 103 icmp_seq 3 time 10 msec 10 ...

Page 330: ...mand you must verify that you want to start the download Use either the active or backup keyword to have the image to replace the specified image type which takes effect only after a reboot In the following example the active image is replaced console copy tftp 10 27 65 103 images dell_0308 stk active Mode TFTP Set TFTP Server IP 10 27 65 103 TFTP Path images TFTP Filename dell_0308 stk unit image...

Page 331: ...e Activating image active 6 View information about the current image console show bootvar Image Descriptions image1 image2 Images currently available on Flash 7 Copy the running configuration to the startup configuration to save the current configuration to NVRAM console copy running config startup config This operation may take a few minutes Management interfaces will not be available during this...

Page 332: ...ss mappings to the host table To configure the switch 1 Open a text editor on an administrative computer and type the commands as if you were entering them by using the CLI Figure 14 10 Create Config Script 2 Save the file with an scr extension and copy it to the appropriate directory on your TFTP server 3 Download the file from the TFTP server to the switch console copy tftp 10 27 65 103 labhost ...

Page 333: ...y validated for correct syntax Are you sure you want to start y n y 135 bytes transferred Validating configuration script configure exit configure ip host labpc1 192 168 3 56 ip host labpc2 192 168 3 58 ip host labpc3 192 168 3 59 Configuration script validated File transfer operation completed successfully 5 Run the script to execute the commands console script apply labhost scr Are you sure you ...

Page 334: ... drive before overwriting the backup image on the switch with a new image The administrator also makes a backup copy of the running config by uploading it to a USB flash drive After the backups are performed the administrator downloads a new image from the USB flash drive to the switch to prepare for the upgrade This example assumes the new image is named new_img stk and has already been copied fr...

Page 335: ...ked for the duration of the transfer Are you sure you want to start y n y 4 Download the new image from the USB flash drive to the switch The image overwrites the image that is not currently active console copy usb new_image stk image Mode unknown Data Type Code Management access will be blocked for the duration of the transfer Are you sure you want to start y n y 5 To activate the new image after...

Page 336: ...336 Managing Images and Files ...

Page 337: ...nd installation process when the switch or stack master is initialized and no configuration file startup config is found or when the switch boots and loads a saved configuration that has Auto Configuration enabled Auto Configuration is enabled by default Allow downgrade is also enabled by default The Auto Configuration feature includes two components USB Auto Configuration DHCP Auto Install If no ...

Page 338: ...0 for further information Refer to the example below for an explanation of the file format 2 Copy the file onto a USB device 3 Insert the USB device into the front panel USB port on the PowerConnect switch When the Auto Configuration process starts and a factory default or empty configuration file is present on the switch the feature automatically searches a plugged in USB device for information W...

Page 339: ... and a stk image file If multiple text files exist the switch uses the powerconnect text file If multiple stk files are present the switch uses the image with the highest most recent version Finally if no setup text or stk files are found the switch proceeds to the DHCP Auto Configuration process ...

Page 340: ...be handed out without regard to the specific switch identified by the MAC address A switch will mark a line as invalid if it is read and failed to properly parse if for example it contains an invalid configuration a duplicate IP address or an image file name that is not available If the setup file contains IP addresses but no file names the management IP address will be assigned and then the featu...

Page 341: ...the switch The configuration file specified in the setup file should exist on the USB device For information about the format and contents of the text file see Editing and Downloading Configuration Files Image File If the Auto Configuration process includes a switch image upgrade the name of the image file should be included in the setup file The specified image file should exist on the USB device...

Page 342: ...Then if the process is restarted the MAC address IP address combinations will be ensured for any switch that has previously attempted upgrade and all other switch upgrades can take place as if for the first time What Is the DHCP Auto Configuration Process If the USB Auto Configuration fails or is not used the switch can use a DHCP server to obtain configuration information from a TFTP server DHCP ...

Page 343: ...The following information is also processed and may be returned by a BOOTP or DHCP server Name of configuration file the file field in the DHCP header or option 67 to be downloaded from the TFTP server Identification of the TFTP server providing the file The TFTP server can be identified by name or by IP address as follows hostname DHCP option 66 or the sname field in the DHCP header IP address DH...

Page 344: ...a file on the TFTP server This file is not the image file itself but rather a text file that contains the path and name of the image file Upon receipt of option 125 the switch downloads the text file from the TFTP server reads the name of the image file and downloads the image file from the TFTP server After the switch successfully downloads and installs the new image it automatically reboots The ...

Page 345: ...configuration file The default network configuration file consists of a set of IP address to hostname mappings using the command ip host hostname address The switch finds its own IP address as learned from the DHCP server in the configuration file and extracts its hostname from the matching command If the default network configuration file does not contain the switch s IP address the switch attemp...

Page 346: ...nfig file No 3 hostname cfg Host specific config file associated with hostname Yes 4 host cfg Default config file Yes Table 15 2 TFTP Request Types TFTP Server Address Available Host specific Switch Config Filename Available TFTP Request Method Yes Yes Issue a unicast request for the host specific router config file to the TFTP server Yes No Issue a unicast request for a default network or router ...

Page 347: ...ion Process You can terminate the Auto Configuration process at any time before the image or configuration file is downloaded This is useful when the switch is disconnected from the network Termination of the Auto Configuration process ends further periodic requests for a host specific file The Auto Configuration process automatically starts after a reboot if the configuration file is not found on...

Page 348: ...red A configuration file either from bootfile or option 67 option for the switch must be available from a TFTP server The switch must be connected to the network and have a Layer 3 interface that is in an UP state A DNS server must contain an IP address to hostname mapping for the TFTP server if the DHCP server response identifies the TFTP server by name A DNS server must contain an IP address to ...

Page 349: ...bout the TFTP server and bootfile the switch makes three unicast TFTP requests for the specified bootfile If the unicast attempts fail or if a TFTP server address was not provided the switch makes three broadcast requests to any available TFTP server for the specified bootfile AutoSave Disabled If the switch is successfully auto configured the running configuration is not saved to the startup conf...

Page 350: ...e click at the top of the page Auto Install Configuration Use the Auto Install Configuration page to allow the switch to obtain network information such as the IP address and subnet mask and automatically download a host specific or network configuration file during the boot process if no startup config file is found To display the Auto Configuration page click System General Auto Install Configur...

Page 351: ...d in the startup config file Command Purpose configure Enter Global Configuration mode boot autoinstall start Enable the Auto Configuration feature on the switch boot host dhcp Enable Auto Configuration for the next reboot cycle The command does not change the current behavior of Auto Configuration but it does save the command to NVRAM boot host autosave Allow the switch to automatically save the ...

Page 352: ...to the switch This example describes the procedures to complete the configuration To use DHCP auto configuration 1 Create a default config file for the switches named host cfg For information about creating configuration files see Managing Images and Files 2 Upload the host cfg file to the TFTP server 3 Upload the image file to the TFTP server 4 Configure an address pool on the DHCP server that co...

Page 353: ...Auto Image and Configuration Update 353 5 Connect a port OOB port for out of band management or any switch port for in band management on each switch to the network 6 Boot the switches ...

Page 354: ...354 Auto Image and Configuration Update ...

Page 355: ...through sFlow and Remote Network Monitoring RMON agents What is sFlow Technology sFlow is an industry standard technology for monitoring high speed switched and routed networks PowerConnect 8000 8100 series switch software has a built in sFlow agent that can monitor network traffic on each port and generate sFlow data to an sFlow receiver also known as a collector sFlow helps to provide visibility...

Page 356: ...Minimal memory CPU is required Samples are not aggregated into a flow table on the switch they are forwarded immediately over the network to the sFlow receiver The sFlow system is tolerant to packet loss in the network because statistical modeling means the loss is equivalent to a slight change in the sampling rate sFlow receiver can receive data from multiple switches providing a real time synchr...

Page 357: ...lts in the generation of Counter Records sFlow Agents collect Counter Records and Packet Flow Records and send them as sFlow datagrams to sFlow Collectors Packet Flow Sampling Packet Flow Sampling carried out by each sFlow instance ensures that any packet observed at a Data Source has an equal chance of being sampled irrespective of the Packet Flow s to which it belongs Packet Flow Sampling is acc...

Page 358: ... is RMON Like sFlow RMON is a technology that enables the collection and analysis of a variety of data about network traffic PowerConnect 8000 8100 series switch software includes an RMON probe also known as an RMON agent that collect information and analyze packets The data that is collected is defined in the RMON MIB RFC 2819 RMON is defined in an Internet Engineering Task Force IETF specificati...

Page 359: ...sends and receives The Port Mirroring feature creates a copy of the traffic that the source port handles and sends it to a destination port The source port is the port that is being monitored The destination port is monitoring the source port The destination port is where you would connect a network protocol analyzer to learn more about the traffic that is handled by the source port A port monitor...

Page 360: ...ovide information about network performance and utilization This information can be useful in network planning and resource allocation Information about traffic flows can also help troubleshoot problems in the network Default Traffic Monitoring Values The sFlow agent is enabled by default but sampling and polling are disabled on all ports Additionally no sFlow receivers collectors are configured T...

Page 361: ...work traffic on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page sFlow Agent Summary Use the sFlow Agent Summary page to view information about sFlow MIB and the sFlow Agent IP address To display the Agent Summary page click System sFlow Agent Summary in the navigation panel Figure 16 2 sFlow Agent Summary ...

Page 362: ...ceiver to which the switch sends sFlow datagrams You can configure up to eight sFlow receivers that will receive datagrams To display the Receiver Configuration page click System sFlow Receiver Configuration in the navigation panel Figure 16 3 sFlow Receiver Configuration Click Show All to view information about configured sFlow receivers ...

Page 363: ...ration page to configure the sFlow sampling settings for switch ports To display the Sampler Configuration page click System sFlow Sampler Configuration in the navigation panel Figure 16 4 sFlow Sampler Configuration Click Show All to view information about configured sampler data sources ...

Page 364: ... to configure how often a port should collect counter samples To display the Sampler Configuration page click System sFlow Sampler Configuration in the navigation panel Figure 16 5 sFlow Poll Configuration Click Show All to view information about the ports configured to collect counter samples ...

Page 365: ...istics page to display statistics for both received and transmitted packets The fields for both received and transmitted packets are identical To display the page click Statistics RMON Table Views Interface Statistics in the navigation panel Figure 16 6 Interface Statistics ...

Page 366: ...raffic Etherlike Statistics Use the Etherlike Statistics page to display interface statistics To display the page click Statistics RMON Table Views Etherlike Statistics in the navigation panel Figure 16 7 Etherlike Statistics ...

Page 367: ...h Traffic 367 GVRP Statistics Use the GVRP Statistics page to display switch statistics for GVRP To display the page click Statistics RMON Table Views GVRP Statistics in the navigation panel Figure 16 8 GVRP Statistics ...

Page 368: ...play information about EAP packets received on a specific port For more information about EAP see Configuring Port and System Security on page 469 To display the EAP Statistics page click Statistics RMON Table Views EAP Statistics in the navigation panel Figure 16 9 EAP Statistics ...

Page 369: ...9 Utilization Summary Use the Utilization Summary page to display interface utilization statistics To display the page click Statistics RMON Table Views Utilization Summary in the navigation panel Figure 16 10 Utilization Summary ...

Page 370: ...mary Use the Counter Summary page to display interface utilization statistics in numeric sums as opposed to percentages To display the page click Statistics RMON Table Views Counter Summary in the navigation panel Figure 16 11 Counter Summary ...

Page 371: ...e the Switchport Statistics page to display statistical summary information about switch traffic address tables and VLANs To display the page click Statistics RMON Table Views Switchport Statistics in the navigation panel Figure 16 12 Switchport Statistics ...

Page 372: ...the RMON Statistics page to display details about switch use such as packet processing statistics and errors that have occurred on the switch To display the page click Statistics RMON RMON Statistics in the navigation panel Figure 16 13 RMON Statistics ...

Page 373: ... physical port or a port channel you can define how many buckets exist and the time interval between each bucket snapshot To display the page click Statistics RMON RMON History Control in the navigation panel Figure 16 14 RMON History Control Adding a History Control Entry To add an entry 1 Open the RMON History Control page 2 Click Add The Add History Entry page displays ...

Page 374: ...ory of statistics 4 Specify an owner the number of historical buckets to keep and the sampling interval 5 Click Apply to add the entry to the RMON History Control Table To view configured history entries click the Show All tab The RMON History Control Table displays From this page you can remove configured history entries ...

Page 375: ...age to display interface specific statistical network samplings Each table entry represents all counter values compiled during a single sample To display the RMON History Table page click Statistics RMON RMON History Table in the navigation panel Figure 16 16 RMON History Table ...

Page 376: ...hold is crossed for a particular RMON counter The event information can be stored in a log and or sent as a trap to a trap receiver To display the page click Statistics RMON RMON Event Control in the navigation panel Figure 16 17 RMON Event Control Adding an RMON Event To add an event 1 Open the RMON Event Control page 2 Click Add The Add an Event Entry page displays ...

Page 377: ...ick Apply The event is added to the RMON Event Table and the device is updated Viewing Modifying or Removing an RMON Event To manage an event 1 Open the RMON Event Control page 2 Click Show All to display the Event Control Table page 3 To edit an entry a Select the Edit check box in for the event entry to change b Modify the fields on the page as needed 4 To remove an entry select the Remove check...

Page 378: ...itoring Switch Traffic RMON Event Log Use the RMON Event Log page to display a list of RMON events To display the page click Statistics RMON RMON Events Log in the navigation panel Figure 16 19 RMON Event Log ...

Page 379: ...esholds are crossed for the configured RMON counters The alarm triggers an event to occur The events can be configured as part of the RMON Events group For more information about events see RMON Event Log on page 378 To display the page click Statistics RMON RMON Alarms in the navigation panel Figure 16 20 RMON Alarms ...

Page 380: ...Figure 16 21 Add an Alarm Entry 3 Complete the fields on this page as needed Use the help menu to learn more information about the data required for each field 4 Click Apply The RMON alarm is added and the device is updated To view configured alarm entries click the Show All tab The Alarms Table displays From this page you can remove configured alarms ...

Page 381: ... to chart port related statistics on a graph To display the page click Statistics RMON Charts Port Statistics in the navigation panel Figure 16 22 Ports Statistics To chart port statistics select the type of statistics to chart and if desired the refresh rate then click Draw ...

Page 382: ...ge to chart LAG related statistics on a graph To display the page click Statistics RMON Charts LAG Statistics in the navigation panel Figure 16 23 LAG Statistics To chart LAG statistics select the type of statistics to chart and if desired the refresh rate then click Draw ...

Page 383: ...s is mirrored to a destination port To display the Port Mirroring page click Switching Ports Traffic Mirroring Port Mirroring in the navigation panel Figure 16 24 Port Mirroring Configuring a Port Mirror Session To configure port mirroring 1 Open the Port Mirroring page 2 Click Add The Add Source Port page displays 3 Select the port to be mirrored 4 Select the traffic to be mirrored ...

Page 384: ...c Figure 16 25 Add Source Port 5 Click Apply 6 Repeat the previous steps to add additional source ports 7 Click Port Mirroring to return to the Port Mirroring page 8 Enable the administrative mode and specify the destination port ...

Page 385: ...Monitoring Switch Traffic 385 Figure 16 26 Configure Additional Port Mirroring Settings 9 Click Apply ...

Page 386: ...on ip address port Configure the address of the sFlow receiver and optionally the destination UDP port for sFlow datagrams rcvr_index The index of this sFlow receiver Range 1 8 ip address The sFlow receiver IP address port The destination Layer 4 UDP port for sFlow datagrams Range 1 65535 sflow rcvr_index destination owner owner_string timeout timeout Specify the identity string of the receiver an...

Page 387: ... Tengigabitethernet te for example te1 0 3 5 enables polling on ports 3 4 and 5 sampling rate The statistical sampling rate for packet sampling from this source A sampling rate of 1 counts all packets A value of n means that out of n incoming packets 1 packet will be sampled Range 1024 65536 size The maximum number of bytes that should be copied from the sampler packet Range 20 256 bytes interface...

Page 388: ... show sflow index sampling View information about the configured sFlow sampler instances for the specified receiver Command Purpose configure Enter Global Configuration mode rmon event number log trap community description string owner string Configure an RMON event number The event index Range 1 65535 log Specify that an entry is made in the log table for each event trap community If the event is...

Page 389: ... is used when a rising or falling threshold is crossed Range 1 65535 delta The sampling method for the selected variable and calculating the value to be compared against the thresholds If the method is delta the selected variable value at the last sample is subtracted from the current value and the difference compared with the thresholds absolute The sampling method for the selected variable and c...

Page 390: ...ckets specified for the RMON collection history group of statistics If unspecified defaults to 50 Range 1 65535 seconds The number of seconds in each polling cycle If unspecified defaults to 1800 Range 1 3600 CTRL Z Exit to Privileged EXEC mode show rmon alarms collection history events history log statistics View information collected by the RMON probe Command Purpose show interfaces counters if_...

Page 391: ...or ingress rx or egress tx traffic If you not specify both ingress and egress traffic is monitored monitor session session_number destination interface interface Configure a destination probe port for a monitor session session_number The monitoring session ID which is always 1 interface The Ethernet interface to which the monitored source traffic is copied monitor session session_number mode Enabl...

Page 392: ...wner string is configured To configure the switch 1 Configure information about the sFlow receiver console configure console config sflow 1 destination 192 168 30 34 console config sflow 1 destination owner receiver1 timeout 100000 2 Configure the polling and sampling information for tengigabit Ethernet ports 10 20 console config sflow 1 polling te1 0 10 15 60 console config sflow 1 sampling te1 0...

Page 393: ...ource Index Interval te1 0 10 1 60 te1 0 11 1 60 te1 0 12 1 60 te1 0 13 1 60 te1 0 14 1 60 te1 0 15 1 60 te1 0 23 1 60 console show sflow 1 sampling Sampler Receiver Packet Max Header Data Source Index Sampling Rate Size te1 0 10 1 8192 128 te1 0 11 1 8192 128 te1 0 12 1 8192 128 te1 0 13 1 8192 128 te1 0 14 1 8192 128 te1 0 15 1 8192 128 te1 0 23 1 8192 128 ...

Page 394: ...compare the MIB counter to the configured rising and falling thresholds If the rise is equal to or greater than 20 event 1 goes into effect To configure the switch 1 Create the event The trap is sent to the private SNMP community console configure console config rmon event 1 description emergency event log trap private 2 Create the alarm console config rmon alarm 1 1 3 6 1 2 1 2 2 1 14 1 30 delta ...

Page 395: ...ion Configuration Examples iSCSI Optimization Overview iSCSI optimization provides a means of monitoring iSCSI sessions and iSCSI traffic on the switch This is accomplished by monitoring or snooping traffic to detect packets used by iSCSI stations to establish iSCSI sessions and connections Data from these exchanges may optionally be used to create classification rules to assign traffic between th...

Page 396: ... sessions generally use well known TCP ports 3260 or 860 to contact targets When iSCSI optimization is enabled by default the switch identifies IP packets to or from these ports as iSCSI session traffic In addition the switch separately tracks connections associated with a login session ISID dynamically allocated source destination TCP port numbers You can configure the switch to monitor traffic f...

Page 397: ...switch iSCSI connections are aged out using the session aging timer If the connection has no detected data packets during the timeout period the connection is deleted from the switch internal session table When all connections associated with a session age out or disconnect the session is deleted You can configure whether the iSCSI optimization feature uses the VLAN priority or IP DSCP mapping to ...

Page 398: ...Does the Switch Track in iSCSI Traffic Flows Packets are examined to find the following data which is used in tracking the session and creating the classifier entries that enable QoS treatment Initiator s IP Address Target s IP Address ISID Initiator defined session identifier Initiator s IQN iSCSI Qualified Name Target s IQN Initiator s TCP Port Target s TCP Port If no iSCSI traffic is detected f...

Page 399: ... by LLDP It is advisable to enable spanning tree portfast and disable unicast storm control on ports connected to the initiators as well If the iSCSI CoS policy feature is enabled on the switch and an EQL array is detected the switch applies additional iSCSI CoS policies to the EQL inter array traffic on TCP ports 9876 and 25555 If the iSCSI CoS policy is disabled and EQL arrays are present the ad...

Page 400: ... Priority priority configured for iSCSI PFC by the iscsi cos vpt command default priority is 4 The existing application priority entries being transmitted if any will not be disturbed How Does iSCSI Optimization Interact with Dell Compellent Arrays Dell PowerConnect switches support a macro that may be used to configure a port connected to a Dell Compellent storage array The name of the macro is p...

Page 401: ...sification via the iSCSI command set provides no benefit The only case for enabling iSCSI CoS prioritization is when using PC81xx series switches to originate iSCSI configuration information via DCBX In this case enabling iSCSI CoS classification configures the PC81xx switch to generate the iSCSI TLV via DCBX in support of configuring directly connected storage and initiator devices Since EQL iSCS...

Page 402: ...are classified by VLAN instead of by DSCP values VLAN Priority tag iSCSI flows are assigned by default the highest 802 1p VLAN priority tag mapped to the highest queue not used for the voice VLAN DSCP When DSCP is selected as the classification iSCSI flows are assigned by default the highest DSCP tag mapped to the highest queue not used for the voice VLAN Remark Not enabled iSCSI Session Aging Tim...

Page 403: ...tch For details about the fields on a page click at the top of the page iSCSI Global Configuration Use the Global Configuration page to allow the switch to snoop for iSCSI sessions connections and to configure QoS treatment for packets where the iSCSI protocol is detected To access the iSCSI Global Configuration page click System iSCSI Global Configuration in the navigation panel Figure 17 1 iSCSI...

Page 404: ...figure iSCSI targets on the switch To access the Targets Table page click System iSCSI Targets in the navigation panel Figure 17 2 iSCSI Targets Table To add an iSCSI Target click Add at the top of the page and configure the relevant information about the iSCSI target Figure 17 3 Add iSCSI Targets ...

Page 405: ...an iSCSI initiator and iSCSI target communicate over one or more TCP connections The maximum number of iSCSI sessions is 192 Redundant MPIO paths may not be accounted for in the iSCSI sessions table if a separate iSCSI login is not issued during establishment of the session To access the Sessions Table page click System iSCSI Sessions Table in the navigation panel Figure 17 4 iSCSI Sessions Table ...

Page 406: ...tailed Use the Sessions Detailed page to view detailed information about an iSCSI sessions that the switch has discovered To access the Sessions Detailed page click System iSCSI Sessions Detailed in the navigation panel Figure 17 5 iSCSI Sessions Detail ...

Page 407: ...rt and optionally address and name tcp port n TCP port number or list of TCP port numbers on which the iSCSI target listens to requests Up to 16 TCP ports can be defined in the system in one command or by using multiple commands ip address IP address of the iSCSI target When the no form of this command is used and the tcp port to be deleted is one bound to a specific IP address the address field m...

Page 408: ...cp The VLAN Priority Tag or DSCP value to assign received iSCSI session packets remark Mark the iSCSI frames with the configured DSCP value when egressing the switch iscsi aging time time Optionally set aging time range 1 43 200 seconds for iSCSI connections When all connections associated with a session are aged out the session is deleted exit Exit to Privilege Exec mode show iscsi Display iSCSI ...

Page 409: ... illustrates the configuration steps required Configuring iSCSI Optimization Between Servers and a Disk Array Figure 17 6 illustrates a PowerConnect 8000 series or 8100 series switch connecting two servers iSCSI initiators to a disk array iSCSI targets An iSCSI application running on the switch has installed priority filters to ensure that iSCSI traffic that is part of these two sessions receives ...

Page 410: ...e config console config macro global apply profile compellent nas interface_name te1 0 21 console config macro global apply profile compellent nas interface_name te1 0 22 console config macro global apply profile compellent nas interface_name te1 0 23 To configure a PC81xx switch in a lossless DCBX environment where another switch connected to storage arrays supplies the DCBX configuration perform...

Page 411: ... the port channel to be in trunk mode console config interface po1 console config if switchport mode trunk console config if exit To configure a PC81xx switch in a lossless DCBX environment where the switch is directly connected to storage arrays and the CNAs no other switch is present perform the following steps starting from a default configuration 1 Enter global configuration mode and configure...

Page 412: ...width equally between the lossless and lossy traffic classes console config if classofservice traffic class group 0 0 console config if classofservice traffic class group 1 0 console config if classofservice traffic class group 2 0 console config if classofservice traffic class group 3 0 console config if classofservice traffic class group 4 1 console config if classofservice weight 50 50 0 10 Exi...

Page 413: ...h room so that guests can connect to the Internet during their stay The hotel might charge for Internet use or the hotel might allow guests to connect only after they indicate that they have read and agree to the acceptable use policy What Does Captive Portal Do The Captive Portal feature allows you to require a user to enter login information on a custom Web page before gaining access to the netw...

Page 414: ...n a RADIUS server Is the Captive Portal Feature Dependent on Any Other Feature If you require RADIUS authentication you must configure the RADIUS server information on the switch see Using RADIUS Servers to Control Management Access on page 194 You must also configure the RADIUS attributes for Captive Portal users on the RADIUS server For information about the RADIUS attributes to configure see Ta...

Page 415: ...rd and another that only requires the username For each Captive Portal you can customize the welcome screen including the colors and logo If you require authentication consider the number of users that must exist in the user database The local user database supports up to 128 users If you need to support more than 128 authenticated users you must use a remote RADIUS server for authentication You c...

Page 416: ...If an unverified client opens a web browser and tries to connect to the network the Captive Portal redirects all the HTTP HTTPS traffic from the unverified clients to the authenticating server on the switch A Captive Portal web page is sent back to the unverified client If the verification mode for the Captive Portal associated with the port is Guest the client can be verified without providing au...

Page 417: ...gh the captive portal to explicitly deauthenticate from the network When User Logout Mode is disabled or the user does not specifically request logout the connection status will remain authenticated until the Captive Portal deauthenticates the user based on the configured session timeout value In order for the user logout feature to function properly the client browser must have JavaScript enabled...

Page 418: ...e in the Username field selects the Acceptance Use Policy check box and clicks Connect to gain network access By default the user does not need to be defined in a database or enter a password to access the network because the default verification mode is Guest Note that duplicate Username entries can exist in this mode because the client IP and MAC addresses are obtained for identification Table 1...

Page 419: ...ocal Users None configured Interface associations None Interface status Not blocked If the Captive Portal is blocked users cannot gain access to the network through the Captive Portal Use this function to temporarily protect the network during unexpected events such as denial of service attacks Supported Captive Portal users 1024 Supported local users 128 Supported Captive Portals 10 Table 18 1 De...

Page 420: ...tails about the fields on a page click at the top of the page Captive Portal Global Configuration Use the Captive Portal Global Configuration page to control the administrative state of the Captive Portal feature and configure global settings that affect all captive portals configured on the switch To display the Captive Portal Global Configuration page click System Captive Portal Global Configura...

Page 421: ...rtals The switch supports 10 Captive Portal configurations Captive Portal configuration 1 is created by default and cannot be deleted Each captive portal configuration can have unique guest or group access modes and a customized acceptance use policy that displays when the client connects To display the Captive Portal Configuration page click System Captive Portal Configuration Figure 18 5 Captive...

Page 422: ... click Add to create a new Captive Portal instance Figure 18 6 Add Captive Portal Configuration From the Captive Portal Configuration page click Summary to view summary information about the Captive Portal instances configured on the switch Figure 18 7 Captive Portal Summary ...

Page 423: ...nks to the Captive Portal customization appear 2 Click Download Image to download one or more custom images to the switch You can use a downloaded custom image for the branding logo default Dell logo on the Authentication Page and Logout Success page the account image default blue banner with keys on the Authentication Page and the background image default blank on the Logout Success Page Figure 1...

Page 424: ...d is located and select the image 5 Click Apply to download the selected file to the switch 6 To customize the Authentication Page which is the page that a user sees upon attempting to connect to the network click the Authentication Page link Figure 18 9 Captive Portal Authentication Page ...

Page 425: ...tal Logout Page 10 Customize the look and feel of the Logout Page such as the page title and logout instructions 11 Click Apply to save the settings to the running configuration or click Preview to view what the user will see To return to the default views click Clear 12 Click the Logout Success Page link to configure the page that contains the logout window A user is required to logout only if th...

Page 426: ...password that must first be validated against a local database or RADIUS server Authorized users can gain network access once the switch confirms the user s credentials By default each Captive Portal instance contains the default group The default group can be renamed or a different group can be created and assigned to each Captive Portal instance A Captive Portal instance can be associated to one...

Page 427: ...o users have been added to the switch many of the fields do not display on the screen Figure 18 12 Local User Configuration From the Local User page click Add to add a new user to the local database NOTE Multiple user groups can be selected by holding the CTRL key down while clicking the desired groups ...

Page 428: ...al User page click Show All to view summary information about the local users configured in the local database Figure 18 14 Captive Portal Local User Summary To delete a configured user from the database select the Remove check box associated with the user and click Apply ...

Page 429: ...e column and are comma delimited vendor ID attribute ID Table 18 2 Captive Portal User RADIUS Attributes Attribute Number Description Range Usage Default User Name 1 User name to be authorized 1 32 characters Required None User Password 2 User password 8 64 characters Required None Session Timeout 27 Logout once session timeout is reached seconds If the attribute is 0 or not present then use the v...

Page 430: ...or RADIUS you assign a User Group to a Captive Portal Configuration All users who belong to the group are permitted to access the network through this portal The User Group list is the same for all Captive Portal configurations on the switch To display the User Group page click System Captive Portal User Group Figure 18 15 User Group ...

Page 431: ...roup Figure 18 16 Add User Group From the User Group page click Show All to view summary information about the user groups configured on the switch Figure 18 17 Captive Portal User Group Summary To delete a configured group select the Remove check box associated with the group and click Apply ...

Page 432: ...rtal can have multiple interfaces associated with it but an interface can be associated to only one Captive Portal at a time To display the Interface Association page click System Captive Portal Interface Association Figure 18 18 Captive Portal Interface Association NOTE When you associate an interface with a Captive Portal the interface is disabled in the Interface List Each interface can be asso...

Page 433: ...ins a variety of information about the Captive Portal feature From the Captive Portal Global Status page you can access information about the Captive Portal activity and interfaces To display the Global Status page click System Captive Portal Status Global Status Figure 18 19 Captive Portal Global Status ...

Page 434: ... you select a captive portal the activation and activity status for that portal displays To display the Activation and Activity Status page click System Captive Portal Status Activation and Activity Status Figure 18 20 Captive Portal Activation and Activity Status NOTE Use the Block and Unblock buttons to control the blocked status If the Captive Portal is blocked users cannot gain access to the n...

Page 435: ...erface Activation Status page shows information for every interface assigned to a captive portal instance To display the Interface Activation Status page click System Captive Portal Interface Status Interface Activation Status Figure 18 21 Interface Activation Status ...

Page 436: ... status information for various capabilities Specifically this page indicates what services are provided through the Captive Portal to clients connected on this interface The list of services is determined by the interface capabilities To display the Interface Capability Status page click System Captive Portal Interface Status Interface Capability Status Figure 18 22 Interface Capability Status ...

Page 437: ...to disconnect one or more authenticated clients The list of clients is sorted by client MAC address To display the Client Summary page click System Captive Portal Client Connection Status Client Summary Figure 18 23 Client Summary To force the captive portal to disconnect an authenticated client select the Remove check box next to the client MAC address and click Apply To disconnect all clients fr...

Page 438: ... The Client Detail page shows detailed information about each client connected to the network through a captive portal To display the Client Detail page click System Captive Portal Client Connection Status Client Detail Figure 18 24 Client Detail ...

Page 439: ...Status Use the Interface Client Status page to view clients that are authenticated to a specific interface To display the Interface Client Status page click System Captive Portal Client Connection Status Interface Client Status Figure 18 25 Interface Client Status ...

Page 440: ...atus Use the Client Status page to view clients that are authenticated to a specific Captive Portal configuration To display the Client Status page click System Captive Portal Client Connection Status Client Status Figure 18 26 Captive Portal Client Status ...

Page 441: ...to monitor Use this command on networks that use an HTTP proxy server port num The port number to monitor Range 1 65535 excluding ports 80 443 and the configured switch management port https port port num Optional Configure an additional HTTPS port for Captive Portal to monitor Use this command on networks that use an HTTPS proxy server port num The port number to monitor Range 1 65535 excluding p...

Page 442: ...ptive Portal configuration identified by CP ID 1 is the default CP configuration name string Add a name to the Captive Portal instance string CP configuration name Range 1 32 characters protocol http https Specify whether to use HTTP or HTTPs during the Captive Portal user verification process verification guest local radius Specify how to process user credentials the user enters on the verificati...

Page 443: ...ication through the Captive Portal url The URL for redirection Range 1 512 characters group group number For Local and RADIUS verification Configure the group number associated with this Captive Portal configuration By default only the default group exists To assign a different user group to the Captive Portal instance you must first configure the group group number The number of the group to asso...

Page 444: ...nce cp id The Captive Portal instance Range 1 10 status View additional information about the Captive Portal instance interface View information about the interface s associated with the specified Captive Portal show captive portal interface configuration cp id status View information about the interfaces associated with the specified Captive Portal instance cp id The Captive Portal instance Range...

Page 445: ...up name Range 1 32 characters user user id name name Create a new user for the local user authentication database user id User ID Range 1 128 name user name Range 1 32 characters user user id password password Configure the password for the specified user user id User ID Range 1 128 password User password Range 8 64 characters user user id group group id Associate a group with a Captive Portal use...

Page 446: ...d User ID Range 1 128 clear captive portal users Optional Delete all captive portal user entries from the local database Command Purpose show captive portal configuration cp id client status Display information about the clients authenticated to all Captive Portal configurations or a to specific configuration cp id The Captive Portal instance Range 1 10 show captive portal interface interface clie...

Page 447: ...cides to configure the three Captive Portals Table 18 3 describes Table 18 3 Captive Portal Instances Captive Portal Name Description Guest Free Internet access is provided in each guest room but guests must enter a name and agree to the acceptable use policy before they can gain access The manager wants guests to be redirected to the resort s home web page upon successful verification No logout i...

Page 448: ...he images you download must be accessible from the switch either on the system you use to manage the switch or on a server that is on the same network as the switch 7 Customize the authentication logout and logout success web pages that a Captive Portal user will see Dell recommends that you use Use Dell OpenManage Administrator to customize the Captive Portal authentication logout and logout succ...

Page 449: ...roup 2 name Conference console config CP user group 3 name Employee console config CP exit 3 Configure the Guest Captive Portal console config captive portal console config CP configuration 2 console config CP 2 name Guest console config CP 2 redirect console config CP 2 redirect url http www luxuryresorturl com console config CP 2 interface te1 0 1 console config CP 2 interface te1 0 2 console co...

Page 450: ...sers to the local database console config CP user 1 name EaglesNest1 console config CP user 1 password Enter password 8 to 64 characters Re enter password console config CP user 1 group 2 Continue entering username and password combinations to populate the local database 8 Add the User Name User Password Session Timeout and Dell Captive Portal Groups attributes for each employee to the database on...

Page 451: ... Cables physically connect ports on devices such as PCs or servers to ports on the switch to provide access to the network The type of physical ports available on your PowerConnect 8000 8100 series switch depends on the model What Physical Port Characteristics Can Be Configured Table 19 1 provides a summary of the physical characteristics that can be configured on the switch ports Table 19 1 Port ...

Page 452: ... rate for frames Duplex mode Specifies whether the interface supports transmission between the switch and the connected client in one direction at a time half or both directions simultaneously both Maximum frame size Indicates the maximum frame size that can be handled by the port Flow control This is a global setting that affects all ports For more information about this feature see Configuring P...

Page 453: ... and alleviates the need to implement STP to handle the fail over Link Dependency Scenarios The Link Dependency feature supports the scenarios in the following list Port dependent on port If a port loses the link the switch brings up down the link on another port Port dependent on LAG If all ports in a channel group lose the link the switch brings up down the link on another port LAG dependent on ...

Page 454: ...ng Interfaces on page 855 What is Interface Configuration Mode When you use the CLI to configure physical or logical characteristics for an interface you must enter Interface Configuration Mode for that interface To enter the mode type the keyword interface followed by the interface type and additional information to identify the interface such as the interface number To enter Interface Configurat...

Page 455: ...pply the same configuration to ports 1 10 on a standalone switch use the following command console config interface range tengigabitEthernet 1 0 1 10 To enter Interface Configuration mode for ports 3 4 5 12 and 14 on a standalone switch use the following command console config interface range tengigabitEthernet 1 0 3 5 1 0 12 1 0 14 NOTE When you enter Interface Configuration mode the command prom...

Page 456: ...racteristics that this chapter describes Table 19 2 Default Port Values Feature Description Administrative status All ports are enabled Description None defined Auto negotiation Enabled Speed Auto negotiate Duplex mode Auto negotiate Flow control Enabled Maximum frame size 1518 Link Dependency None configured ...

Page 457: ...iguring and monitoring port characteristics on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page Port Configuration Use the Port Configuration page to define port parameters To display the Port Configuration page click Switching Ports Port Configuration in the navigation panel Figure 19 1 Port Configuration ...

Page 458: ...Ports list select the check box in the Edit column for the port to configure 4 Select the desired settings 5 Click Apply Figure 19 2 Configure Port Settings 6 Select the Copy Parameters From check box and select the port with the settings to apply to other ports 7 In the Ports list select the check box es in the Copy To column that will have the same settings as the port selected in the Copy Param...

Page 459: ...Configuring Port Characteristics 459 In the following example Ports 3 4 and 5 will be updated with the settings that are applied to Port 1 Figure 19 3 Copy Port Settings 8 Click Apply ...

Page 460: ...n page click Switching Link Dependency Configuration in the navigation panel Figure 19 4 Link Dependency Configuration Creating a Link Dependency Group To create link dependencies 1 Open the Link Dependency Configuration page 2 In the Group ID field select the ID of the group to configure 3 Specify the link action 4 To add a port to the Member Ports column click the port in the Available Ports col...

Page 461: ...ble Ports column and then click the button to the right of the Available Ports column In the following example Group 1 is configured so that Port 3 is dependent on Port 4 Figure 19 5 Link Dependency Group Configuration 6 Click Apply The Link Dependency settings for the group are modified and the device is updated ...

Page 462: ...lays the groups whether they have been configured or not To display the Link Dependency Summary page click Switching Link Dependency Link Dependency Summary in the navigation panel Figure 19 6 Link Dependency Summary To configure a group click the Modify link associated with the ID of the group to configure Clicking the Modify link takes you to the Link Dependency Configuration page The Group ID i...

Page 463: ...mple tengigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range tengigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 description string Add a description to the port The text string can be from1 64 characters shutdown Administratively disable the interface speed 10 100 1000 10000 auto 100 1000 10000 Configure the s...

Page 464: ...iew a summary of the configuration for all ports show interfaces advertise View a summary of the speeds that are advertised on each port show interfaces description View configured descriptions for all ports show interfaces detail interface View detailed information about the specified port Command Purpose configure Enter Global Configuration mode link dependency group group_id Enter the link depe...

Page 465: ... the member ports take when the dependent link goes down down When the dependent link is down the group members are down the members are up otherwise up When the dependent link goes down the group members are brought up the members are down otherwise CTRL Z Exit to Privileged EXEC mode show link dependency group group_id View link dependency settings for all groups or for the specified group along...

Page 466: ... speed and duplex settings for the port console config if Te1 0 1 speed 100 console config if Te1 0 1 duplex full console config if Te1 0 1 exit 3 Enter Interface Configuration mode for ports 10 11 12 20 and 24 console config interface range tengigabitEthernet 1 0 10 12 1 0 20 1 0 24 4 Enable jumbo frame support on the interfaces console config if mtu 9216 console config if CTRL Z 5 View summary i...

Page 467: ...h 1 Enter the configuration mode for Group 1 console configure console config link dependency group 1 2 Configure the member and dependency information for the group console config linkDep group 1 add tengigabitethernet 1 0 3 console config linkDep group 1 depends on tengigabitethernet 1 0 4 console config linkDep group 1 exit 3 Enter the configuration mode for Group 2 console config link dependen...

Page 468: ...468 Configuring Port Characteristics ...

Page 469: ...ss is permitted only to authorized devices clients Port MAC locking is used to enable security on a per port basis When a port is locked only packets with allowable source MAC addresses can be forwarded All other packets are discarded Port MAC locking allows a configurable limit to the number of source MAC addresses that can be learned on a port The topics covered in this chapter include IEEE 802 ...

Page 470: ...ent connected to the authenticated port that requests access to the network Authenticator The network device that prevents network access prior to authentication Authentication Server The network server such as a RADIUS server that performs the authentication on behalf of the authenticator and indicates whether the user is authorized to access system services Figure 20 1 shows the 802 1X network c...

Page 471: ...e 194 What are the 802 1X Port States The 802 1X port state determines whether to allow or prevent network traffic on the port A port can configured to be in one of the following 802 1X control modes Auto default MAC based Force authorized Force unauthorized These modes control the behavior of the port The port state is either Authorized or Unauthorized If the port is in the authorized state the p...

Page 472: ...wable MAC address and corresponding access rights of the client must be pre populated in the authentication server When a port configured for MAB receives traffic from an unauthenticated client the switch Authenticator Sends a EAP Request packet to the unauthenticated client Waits a pre determined period of time for a response Retries resends the EAP Request packet up to three times Considers the ...

Page 473: ...on whether the host authenticates fails the authentication or is a guest The RADIUS server informs the switch of the selected VLAN as part of the authentication Authenticated and Unauthenticated VLANs Hosts that authenticate normally use a VLAN that includes access to network resources Hosts that fail the authentication might be denied access to the network or placed on a quarantine VLAN with limi...

Page 474: ...nauthenticated users This feature provides a mechanism to allow users access to hosts on the guest VLAN For example a company might provide a guest VLAN to visitors and contractors to permit network access that allows visitors to connect to external network resources such as the Internet with no ability to browse information on the internal LAN In port based 802 1X mode when a client that does not...

Page 475: ...t can be enabled in conjunction with 802 1X authentication Monitor mode provides a way for network administrators to identify possible issues with the 802 1X configuration on the switch without affecting the network access to the users of the switch It allows network access even in case where there is a failure to authenticate but logs the results of the authentication process for diagnostic purpo...

Page 476: ...N Unauth RADIUS Timeout Default behavior Port State Deny Port State Permit VLAN Default PVID of the port Unauth VLAN enabled Port State Deny Port State Permit VLAN Unauth EAPOL Timeout Default behavior Port State Deny Port State Permit 3 EAPOL Timeout Guest VLAN timer expiry or MAB timer expiry Guest VLAN enabled Port State Permit VLAN Guest Port State Permit VLAN Guest MAB Success Case Port State...

Page 477: ...ion Server The Internal Authentication Server IAS is a dedicated database for localized authentication of users for network access through 802 1X In this database the switch maintains a list of username and password combinations to use for 802 1X authentication You can manually create entries in the database or you can upload the IAS information to the switch If the authentication method for 802 1...

Page 478: ...Seconds between reauthentication attempts 3600 Authentication server timeout 30 seconds Resending EAP identity Request 30 seconds Quiet period 60 seconds Supplicant timeout 30 seconds Max EAP request 2 times Maximum number of supplicants per port for MAC based authentication mode 16 Guest VLAN Disabled Unauthenticated VLAN Disabled Dynamic VLAN creation Disabled RADIUS assigned VLANs Disabled IAS ...

Page 479: ...ecurity on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page Dot1x Authentication Use the Dot1x Authentication page to configure the 802 1X administrative mode on the switch and to configure general 802 1X parameters for a port To display the Dot1x Authentication page click Switching Network Security Dot1x Authentication Authentication in th...

Page 480: ...guring 802 1X Settings on Multiple Ports To configure 802 1X authentication on multiple ports 1 Open the Dot1x Authentication page 2 Click Show All to display the Dot1x Authentication Table page 3 In the Ports list select the check box in the Edit column for the port to configure ...

Page 481: ... select the Unit Port to re authenticate 4 Check Reauthenticate Now 5 Click Apply The authentication process is restarted on the specified port Re Authenticating Multiple Ports in the Dot1x Authentication Table To reauthenticate multiple ports 1 Open the Dot1x Authentication page 2 Click Show All The Dot1x Authentication Table displays 3 Check Edit to select the Units Ports to re authenticate 4 To...

Page 482: ... Scroll to the right side of the table and select the Edit check box for each port to configure Change Admin Port Control to Authorized Unauthorized or Automode as needed for chosen ports Only MAC Based and Automode actually use 802 1X to authenticate Authorized and Unauthorized are manual overrides 4 Click Apply Admin Port Control is updated for the specified ports and the device is updated Authe...

Page 483: ...assigned VLANs and to enable Monitor Mode to help troubleshoot 802 1X configuration issues To display the Port Access Control Configuration page click Switching Network Security Dot1x Authentication Monitor Mode Port Access Control Configuration in the navigation panel NOTE The VLAN Assignment Mode field is the same as the Admin Mode field on the System Management Security Authorization Network RA...

Page 484: ...o view log messages about 802 1X client authentication attempts The information on this page can help you troubleshoot 802 1X configuration issues To display the Port Access Control History Log Summary page click Port Access Control Configuration page click Switching Network Security Dot1x Authentication Monitor Mode Port Access Control History Log Summary in the navigation panel ...

Page 485: ...s Configuration Use the Internal Authentication Server Users Configuration page to add users to the local IAS database and to view the database entries To display the Internal Authentication Server Users Configuration page click System Management Security Internal Authentication Server Users Configuration in the navigation panel ...

Page 486: ...To add IAS users 1 Open the Internal Authentication Server Users Configuration page 2 Click Add to display the Internal Authentication Server Users Add page 3 Specify a username and password in the appropriate fields NOTE If no users exist in the IAS database the IAS Users Configuration Page does not display the fields shown in the image ...

Page 487: ...thentication Server Users Table page click Show All Removing an IAS User To delete an IAS user 1 Open the Internal Authentication Server Users Configuration page 2 From the User menu select the user to remove select the user to remove 3 Select the Remove check box Figure 20 9 Removing an IAS User 4 Click Apply ...

Page 488: ...ter Global Configuration mode aaa accounting dot1x default Sets 802 1X accounting to the default operational mode aaa authentication dot1x default method1 Specify the authentication method to use to authenticate 802 1X clients that connect to the switch method1 The method keyword can be radius none or ias dot1x system auth control Globally enable 802 1X authentication on the switch interface inter...

Page 489: ...on of the client force unauthorized Denies all access through this interface by forcing the port to transition to the unauthorized state ignoring all attempts by the client to authenticate The switch cannot provide authentication services to the client through the interface mac based Enables 802 1X authentication on the interface and allows multiple hosts to authenticate on a single port The hosts...

Page 490: ... specified interface The interface variable includes the interface type and number for example tengigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range tengigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 dot1x reauthentication Enable periodic re authentication of the client dot1x timeout re authperiod seconds Se...

Page 491: ...s supported on the port when MAC based 802 1X authentication is enabled on the port CTRL Z Exit to Privileged EXEC mode dot1x re authenticate interface Manually initiate the re authentication of all 802 1X enabled ports or on the specified 802 1X enabled port The interface variable includes the interface type and number dot1x initialize interface Start the initialization sequence on all ports or o...

Page 492: ... for example interface range tengigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 dot1x guest vlan vlan id Specify the guest VLAN dot1x unauth vlan vlan id Specify the unauthenticated VLAN The VLAN must already have been created CTRL Z Exit to Privileged EXEC mode show dot1x advanced interface View the current 802 1X configuration NOTE When dynamically creating VLANs the uplink port ...

Page 493: ... to access the network through the switch ports The administrator must configure the following settings on systems other than the switch before configuring the switch 1 Add the users to the client database on the Authentication Server such as a RADIUS server with Cisco Secure Access Control Server ACS software 2 Configure the settings on the client such a PC running Microsoft Windows to require 80...

Page 494: ...ication which allows multiple hosts to authenticate on a single port The hosts are distinguished by their MAC addresses and hosts authenticate separately with the RADIUS server Port 9 is connected to a server in a part of the network that has secure physical access i e the doors to the wiring closet and data center are locked so this port is set to the Authorized state meaning that the device conn...

Page 495: ...er key secret console config exit 2 Enable 802 1X port based access control on the switch console config dot1x system auth control 3 Configure ports 9 and 24 to be in the Authorized state which allows the devices to connect to these ports to access the switch services without authentication console config interface range te1 0 9 te1 0 24 Authentication Server RADIUS LAN PowerConnect Switch Server ...

Page 496: ...onsole config if Te1 0 8 dot1x port control mac based console config if Te1 0 8 dot1x max users 2 7 Set Port 8 to switchport mode general The port must be in general mode in order to enable MAC based 802 1X authentication console config if Te1 0 8 switchport mode general console config if Te1 0 8 exit console config exit 8 View the client connection status When the clients on Ports 1 3 and 7 suppl...

Page 497: ...w a summary of the port status console show dot1x Administrative Mode Enabled Port Admin Oper Reauth Reauth Mode Mode Control Period Te1 0 1 auto Authorized FALSE 3600 Te1 0 2 auto N A FALSE 3600 Te1 0 3 auto Authorized FALSE 3600 Te1 0 4 auto N A FALSE 3600 Te1 0 5 auto N A FALSE 3600 Te1 0 6 auto N A FALSE 3600 Te1 0 7 mac based Authorized FALSE 3600 Te1 0 8 mac based N A FALSE 3600 Te1 0 9 forc...

Page 498: ...ing Authentication Based VLAN Assignment The network in this example uses three VLANs to control access to network resources When a client connects to the network it is assigned to a particular VLAN based on one of the following events It attempts to contact the 802 1X server and is authenticated It attempts to contact the 802 1X server and fails to authenticate It does not attempt to contact the ...

Page 499: ... the downlink or access ports ports connected to one or more hosts Ports 1 23 are downstream ports Port 24 is an uplink port An external RADIUS server handles the VLAN assignment NOTE Dynamic VLAN creation applies only to authorized ports The VLANs for unauthorized and guest users must be configured on the switch and cannot be dynamically created based on RADIUS based VLAN assignment NOTE The conf...

Page 500: ...onsole config radius server key qwerty123 console config radius server host 10 10 10 10 console Config auth radius exit 3 Enable 802 1X on the switch console config dot1x system auth control 4 Create a default authentication login list and use the RADIUS server for port based authentication for connected clients console config aaa authentication dot1x default radius 5 Allow the switch to accept VL...

Page 501: ...00 10 Set the guest VLAN on the ports to VLAN 300 This command automatically enables the Guest VLAN Mode on the downlink ports Any client that connects to the port and does not attempt to authenticate is placed on the guest VLAN console config if dot1x guest vlan 300 console config if exit 11 Enter Interface Configuration mode for port 24 the uplink trunk port console config interface te1 0 24 12 ...

Page 502: ... be forwarded on the trunk port even if the RADIUS server assigns a connected host to a VLAN in this range and the switch dynamically creates the VLAN To configure the switch 1 Configure information about the external RADIUS server the switch uses to authenticate clients The RADIUS server IP address is 10 10 10 10 and the shared secret is qwerty123 console config radius server key qwerty123 consol...

Page 503: ...tication exchange required This port does not connect to any end users so there is no need for 802 1X based authentication console config if Te1 0 24 dot1x port control force authorized 10 Set the uplink port to trunk mode so that it accepts tagged traffic and transmits it to the connected device another switch or router console config if Te1 0 24 switchport mode trunk 11 Forbid the trunk from for...

Page 504: ...erv service policy command to apply the filter to an interface if you configure the RADIUS server or 802 1X authenticator to assign the DiffServ filter In the following example Company XYZ uses IEEE 802 1X to authenticate all users Contractors and temporary employees at Company XYZ are not permitted to have access to SSH ports and data rates for Web traffic is limited When a contractor is authenti...

Page 505: ...onsole config policy classmap exit console config policy map class cl http console config policy classmap police simple 1000000 64 conform action transmit violate action drop console config policy classmap exit console config policy map exit 4 Enable DiffServ on the switch console config diffserv 5 Configure information about the external RADIUS server the switch uses to authenticate clients The R...

Page 506: ...ports 1 23 and enable MAC based authentication console config interface range te1 0 1 23 console config if dot1x port control mac based 9 Set the ports to an 802 1Q VLAN The ports must be in general mode in order to enable MAC based 802 1X authentication console config if switchport mode general console config if exit console config exit ...

Page 507: ...allowed to forward frames into the network When link goes down on a port all of the dynamically locked addresses are cleared from the source MAC address table the feature maintains When the link is restored that port can once again learn addresses up to the specified limit The port can learn MAC addresses dynamically and you can manually specify a list of static MAC addresses for a port Default 80...

Page 508: ...rity page click Switching Network Security Port Security in the navigation panel Figure 20 11 Network Security Port Security Configuring Port Security Settings on Multiple Ports To configure port security on multiple ports 1 Open the Port Security page 2 Click Show All to display the Port Security Table page 3 In the Ports list select the check box in the Edit column for the port to configure 4 Se...

Page 509: ...Configuring Port and System Security 509 Figure 20 12 Configure Port Security Settings 5 Click Apply ...

Page 510: ...8 9 10 11 and 12 port security discard trap seconds Enable port security on the port This prevents the switch from learning new addresses on this port after the maximum number of addresses has been learned discard Discards frames with unlearned source addresses This is the default if no option is indicated trap seconds Sends SNMP traps and defines the minimal amount of time in seconds between two ...

Page 511: ...ies which would interrupt the service of a host or make a network unstable Use the Denial of Service page to configure settings to help prevent DoS attacks DoS protection is disabled by default To display the Denial of Service page click System Management Security Denial of Service in the navigation panel Figure 20 13 Denial of Service ...

Page 512: ...512 Configuring Port and System Security ...

Page 513: ...Ls can also provide traffic flow control restrict contents of routing updates and decide which types of traffic are forwarded or blocked ACLs can reside in a firewall router a router connecting two internal networks or a Layer 3 switch such as a PowerConnect 8000 8100 series switch You can also create an ACL that limits access to the management interfaces based on the connection method for example...

Page 514: ... Layers 3 and 4 PowerConnect 8000 8100 series switches support both IPv4 and IPv6 ACLs What Are MAC ACLs MAC ACLs are Layer 2 ACLs You can configure the rules to inspect the following fields of a packet Source MAC address Source MAC mask Destination MAC address Destination MAC mask VLAN ID Class of Service CoS 802 1p EtherType L2 ACLs can apply to one or more interfaces Multiple access lists can b...

Page 515: ...unction The redirect function allows traffic that matches a permit rule to be redirected to a specific physical port or LAG instead of processed on the original port The redirect function and mirror function are mutually exclusive In other words you cannot configure a given ACL rule with mirror and redirect attributes What Is the ACL Mirror Function ACL mirroring provides the ability to mirror tra...

Page 516: ...hin an ACL for a predefined time interval by specifying a time range on a per rule basis within an ACL so that the time restrictions are imposed on the ACL rule With a time based ACL you can define when and for how long an individual rule of an ACL is in effect To apply a time to an ACL first you define a specific time interval and then apply it to an individual ACL rule so that it is operational ...

Page 517: ... rules with 1023 ingress and 511 egress IPv4 rules or 509 ingress and 253 egress IPv6 rules You can configure mirror or redirect attributes for a given ACL rule but not both The PowerConnect 8000 8100 series switches support a limited number of counter resources so it may not be possible to log every ACL rule You can define an ACL with any number of logging rules but the number of rules that are a...

Page 518: ...y an IP protocol should also specify the EtherType value for the frame In general any rule that specifies matching on an upper layer protocol field should also include matching constraints for each of the lower layer protocols For example a rule to match packets directed to the well known UDP port number 22 SSH should also include matching constraints on the IP protocol field protocol 0x11 or UDP ...

Page 519: ...870 Jumbo frames 0x888E EAP over LAN EAPOL 802 1x 0x88CC Link Layer Discovery Protocol 0x8906 Fibre Channel over Ethernet 0x8914 FCoE Initialization Protocol 0x9100 Q in Q Table 21 2 Common IP Protocol Numbers IP Protocol Number Protocol 0x00 IPv6 Hop by hop option 0x01 ICMP 0x02 IGMP 0x06 TCP 0x08 EGP 0x09 IGP 0x11 UDP Table 21 1 Common EtherType Numbers Continued EtherType Protocol ...

Page 520: ...a page click at the top of the page IP ACL Configuration Use the IP ACL Configuration page to add or remove IP based ACLs To display the IP ACL Configuration page click Switching Network Security Access Control Lists IP Access Control Lists Configuration in the navigation panel Figure 21 1 IP ACL Configuration Adding an IPv4 ACL To add an IPv4 ACL 1 Open the IP ACL Configuration page 2 Click Add t...

Page 521: ... Apply Removing IPv4 ACLs To delete an IPv4 ACL 1 From the IP ACL Name menu on the IP ACL Configuration page select the ACL to remove 2 Select the Remove checkbox 3 Click Apply Viewing IPv4 ACLs To view configured ACLs click Show All from the IP ACL Configuration page ...

Page 522: ...n traffic to a particular queue filter on some traffic change VLAN tag shut down a port and or redirect the traffic to a particular port To display the IP ACL Rule Configuration page click Switching Network Security Access Control Lists IP Access Control Lists Rule Configuration in the navigation panel NOTE There is an implicit deny all rule at the end of an ACL list This means that if an ACL is a...

Page 523: ...gure 21 4 IP ACL Rule Configuration Removing an IP ACL Rule To delete an IP ACL rule 1 From the Rule ID menu select the ID of the rule to delete 2 Select the Remove option near the bottom of the page 3 Click Apply to remove the selected rule ...

Page 524: ...isplay the MAC ACL Configuration page click Switching Network Security Access Control Lists MAC Access Control Lists Configuration in the navigation panel Figure 21 5 MAC ACL Configuration Adding a MAC ACL To add a MAC ACL 1 Open the MAC ACL Configuration page 2 Click Add to display the Add MAC ACL page 3 Specify an ACL name ...

Page 525: ...rom the MAC ACL Name menu on the MAC ACL Configuration page select the ACL to rename or remove 2 To rename the ACL select the Rename checkbox and enter a new name in the associated field 3 To remove the ACL select the Remove checkbox 4 Click Apply Viewing MAC ACLs To view configured ACLs click Show All from the MAC ACL Configuration page ...

Page 526: ...A default deny all rule is the last rule of every list To display the MAC ACL Rule Configuration page click Switching Network Security Access Control Lists MAC Access Control Lists Rule Configuration in the navigation panel Figure 21 7 MAC ACL Rule Configuration Removing a MAC ACL Rule To delete a MAC ACL rule 1 From the Rule ID menu select the ID of the rule to delete 2 Select the Remove option n...

Page 527: ...y the IP ACL Configuration page click Switching Network Security Access Control Lists IPv6 Access Control Lists IPv6 ACL Configuration in the navigation panel Figure 21 8 IPv6 ACL Configuration Adding an IPv6 ACL To add an IPv6 ACL 1 Open the IPv6 ACL Configuration page 2 Click Add to display the Add IPv6 ACL page 3 Specify an ACL name ...

Page 528: ...on page to define rules for IPv6 based ACLs The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded Additionally you can specify to assign traffic to a particular queue filter on some traffic change VLAN tag shut down a port and or redirect the traffic to a particular port By default no specific value is in effect for any of t...

Page 529: ...trol Lists IPv6 Access Control Lists Rule Configuration in the navigation menu Figure 21 10 IPv6 ACL Rule Configuration Removing an IPv6 ACL Rule To delete an IPv6 ACL rule 1 From the Rule ID menu select the ID of the rule to delete 2 Select the Remove option near the bottom of the page 3 Click Apply to remove the selected rule ...

Page 530: ... and Interfaces From the web interface you can configure the ACL rule in the ingress or egress direction so that the ACLs implement security rules for packets entering or exiting the port You can apply ACLs to any physical including 10 Gb interface LAG or routing port To display the ACL Binding Configuration page click Switching Network Security Access Control Lists Binding Configuration in the na...

Page 531: ...zation Time Range Configuration in the navigation panel The following image shows the page after at least one time range has been added Otherwise the page indicates that no time ranges are configured and the time range configuration fields are not displayed Figure 21 12 Time Range Configuration Adding a Time Range To configure a time range 1 From the Time Range Entry Configuration page click Add 2...

Page 532: ...e field select the name of the time range to configure 6 Specify an ID for the time range You can configure up to 10 different time range entries to include in the named range However only one absolute time entry is allowed per time range 7 Configure the values for the time range entry 8 Click Apply 9 To add additional entries to the named time range repeat step 5 through step 8 ...

Page 533: ...nd Purpose configure Enter global configuration mode access list name deny permit every icmp igmp ip tcp udp number srcip srcmask any eq portkey portvalue dstip dstmask any eq portkey portvalue precedence precedence tos tos tosmask dscp dscp log time range time range name assign queue queue id redirect interface mirror interface Create a named ACL if it does not already exist and create a rule for...

Page 534: ...e traffic matching this rule to be forwarded to the specified interface interface interface Optional Enter interface configuration mode for the specified interface The interface variable includes the interface type and number for example tengigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range tengigabitethernet 1 0 8 12 confi...

Page 535: ...ask any dstmac dstmacmask any bpdu ethertypekey 0x0600 0xFFFF vlan eq 0 4095 cos 0 7 secondary vlan eq 0 4095 secondary cos 0 7 log time range time range name assign queue queue id mirror redirect interface Specify the rules match conditions for the MAC access list srcmac Valid source MAC address in format xxxx xxxx xxxx srcmacmask Valid MAC address bitmask for the source MAC address in format xxx...

Page 536: ...terface Optional Enter interface configuration mode for the specified interface The interface variable includes the interface type and number for example tengigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range tengigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 mac access group name direction seqnum Bind the sp...

Page 537: ...y portvalue any destination ipv6 prefix prefix length eq portkey portvalue flow label value dscp dscp log time range time range name assign queue queue id mirror redirect interface Specify the match conditions for the IPv6 access list deny permit Specifies whether the IP ACL rule permits or denies an action every Allows all protocols number Standard protocol number or protocol keywords icmp igmp i...

Page 538: ...ching this rule to be forwarded to the specified interface interface interface Optional Enter interface configuration mode for the specified interface The interface variable includes the interface type and number for example tengigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range tengigabitethernet 1 0 8 12 configures interfa...

Page 539: ...ure Enter global configuration mode time range name Create a named time range and enter the Time Range Configuration mode for the range absolute start time date end time date Configure a nonrecurring time entry for the named time range start time date Time and date the ACL rule starts going into effect The time is expressed in a 24 hour clock in the form of hours minutes For example 8 00 is 8 00 a...

Page 540: ...ay or combinations of days Monday Tuesday Wednesday Thursday Friday Saturday Sunday Other possible values are daily Monday through Sunday weekdays Monday through Friday weekend Saturday and Sunday time Time the ACL rule starts going into effect first occurrence or ends second occurrence The time is expressed in a 24 hour clock in the form of hours minutes CTRL Z Exit to Privileged EXEC mode show t...

Page 541: ...iguring a MAC ACL Configuring a Time Based ACL Configuring a Management Access List Configuring an IP ACL The commands in this example set up an IP ACL that permits hosts in the 192 168 77 0 24 subnet to send TCP and UDP traffic only to the host with an IP address of 192 168 77 50 The ACL is applied to port 2 on the PowerConnect switch ...

Page 542: ... 168 77 50 console config console config access list list1 permit tcp 192 168 77 0 0 0 0 255 192 168 77 50 0 0 0 0 2 Define the rule to set similar conditions for UDP traffic as for TCP traffic console config access list list1 permit udp 192 168 77 0 0 0 0 255 192 168 77 3 0 0 0 255 console config exit 192 168 77 1 192 168 77 2 192 168 77 3 192 168 77 4 Layer 2 Switch PowerConnect Switch Layer 3 P...

Page 543: ...MAC Access List named mac1 console config console config mac access list extended mac1 2 Configure a rule to deny all IPX traffic regardless of the source or destination MAC address console config mac access list deny any any ipx 3 Configure a rule to permit all other types of traffic regardless of the source or destination MAC address console config mac access list permit any any console config m...

Page 544: ...rol Lists console show mac access lists mac1 MAC ACL Name mac1 Inbound Interface s ch1 12 Te1 0 1 Te1 0 24 Rule Number 1 Action deny Ethertype ipx Rule Number 2 Action permit Match All TRUE mac1 2 ch1 12 Te1 0 1 Te1 0 24 Inbound ...

Page 545: ...through Friday console config time range periodic weekdays 8 00 to 12 00 3 Configure an entry for the time range that applies to the afternoon shift Monday through Friday console config time range periodic weekdays 13 00 to 18 00 4 Configure an entry for the time range that applies to Saturday and Sunday console config time range periodic weekend 8 30 to 12 30 console config time range exit 5 Crea...

Page 546: ...more in band ports LAGs or VLANs to limit management access by method for example Telnet or HTTP and or source IP address NOTE Management ACLs cannot be applied to the OOB port Management Access List Commands Beginning in Privileged EXEC mode use the following commands to create a management access list There is an implicit deny all rule at the end of every management ACL This means that any host ...

Page 547: ...a forward slash Range 0 32 service service Indicates service type Can be one of the following telnet ssh http https tftp snmp sntp or any priority priority value Priority for the rule Range 1 64 permit interface type interface number service service priority priority value Permit access to the management interface from the specified port VLAN or LAG and meet the other optional criteria permit serv...

Page 548: ... 65 0 network on VLAN 1 and assign a priority of 1 to the rule console config macl permit ip source 10 27 65 0 mask 255 255 255 0 vlan 1 priority 1 3 Create a rule that allows access from hosts in the 10 27 65 0 network on connected to port 9 and assign a priority of 2 to the rule console config macl permit ip source 10 27 65 0 mask 255 255 255 0 Te1 0 9 priority 2 console config macl exit 4 Activ...

Page 549: ...Configuring Access Control Lists 549 console show management access class Management access class is enabled using access list mgmt_ACL ...

Page 550: ...550 Configuring Access Control Lists ...

Page 551: ... domains can result in network congestion and end users might complain that the network is slow In addition to latency large broadcast domains are a greater security risk since all hosts receive all broadcasts Virtual Local Area Networks VLANs allow you to divide a broadcast domain into smaller logical networks Like a bridge a VLAN switch forwards traffic based on the Layer 2 header which is fast ...

Page 552: ...gurable VLAN ID range of 2 4093 A VLAN with VLAN ID 1 is configured on the switch by default VLAN 1 is named default which cannot be changed However you can associate names with any other VLANs that you create In a tagged frame the VLAN is identified by the VLAN ID in the tag In an untagged frame the VLAN identifier is the Port VLAN ID PVID specified for the port that received the frame For inform...

Page 553: ...onfigured for the port The VLAN membership for this network is port based or static PowerConnect 8000 8100 series switches also support VLAN assignment based on any of the following criteria MAC address of the end station IP subnet of the end station Protocol of the packet transmitted by the end station Payroll VLAN 300 Engineering VLAN 100 Tech Pubs VLAN 200 Router Switch ...

Page 554: ...tagged packets received on a trunk port are forwarded on the native VLAN Packets received on another interface belonging to the native VLAN are transmitted untagged on a trunk port Table 22 1 VLAN Assignment VLAN Assignment Description Port based Static This is the most common way to assign hosts to VLANs The port where the traffic enters the switch determines the VLAN membership IP Subnet Hosts a...

Page 555: ...is required when a VLAN spans multiple switches which is why trunk ports transmit and receive only tagged frames Tagging may be required when a single port supports multiple devices that are members of different VLANs For example a single port might be connected to an IP phone a PC and a printer the PC and printer are connected via ports on the IP phone IP phones are typically configured to use a ...

Page 556: ...ches attached to the same segment Information about the active VLANs is propagated across all networking switches in the bridged LAN that support GVRP You can configure ports to forbid dynamic VLAN assignment through GVRP The operation of GVRP relies upon the services provided by the Generic Attribute Registration Protocol GARP GVRP can create up to 1024 VLANs For information about GARP timers see...

Page 557: ...ules to each When the configurable EtherType is assigned to something different than the 802 1Q 0x8100 EtherType it allows the traffic to have added security from misconfiguration while exiting the metro core For example if the edge device on the other side of the metro core is not stripping the second tag the packet would never be classified as a 802 1Q tag so the packet would be dropped rather t...

Page 558: ...uses 802 1X port based authentication these phones authenticate and receive their VLAN information from LLDP MED However if a VoIP phone has limited support for 802 1X authentication it might try to authenticate and fail A phone with no 802 1X support would not attempt to authenticate at all Instead of placing these phones on an unauthenticated or guest VLAN the switch can automatically direct the...

Page 559: ...segregated in order to provide better service to the voice traffic When a dot1p priority is associated with the Voice VLAN port instead of a VLAN ID then the priority information is passed onto the VoIP phone using the LLDP MED or CDP mechanism By this method the voice data coming from the VoIP phone is tagged with VLAN 0 and with the exchanged priority thus regular data arriving on the switch is ...

Page 560: ...AN It forwards traffic between ports which belong to the same community and to the promiscuous ports There can be multiple community VLANs per private VLAN A port may be designated as one of the following types in a private VLAN Promiscuous port A port associated with a primary VLAN that is able to communicate with all interfaces in the private VLAN including other promiscuous ports community port...

Page 561: ...hare the common address space of a single subnet which is associated with a primary VLAN So the advantage of the private VLANs feature is that it reduces the number of consumed VLANs improves IP addressing space utilization and helps to avoid layer 3 routing Figure 22 3 shows an example Private VLAN scenario in which five hosts H A through H E are connected to a stack of switches SW1 SW2 The switc...

Page 562: ...scuous port The endpoints that belong to one community cannot communicate with endpoints that belong to a different community or with endpoints connected to isolated ports Private VLAN Operation in the Switch Stack and Inter switch Environment The Private VLAN feature is supported in a stacked switch environment The stack links are transparent to the configured VLANs thus there is no need for spec...

Page 563: ...n the same secondary VLAN A promiscuous port broadcasts traffic to other promiscuous ports isolated ports and community ports Table 22 3 Forwarding Rules for Traffic in Primary VLAN Table 22 4 Forwarding Rules for Traffic in Community 1 VLAN To From promiscuous community 1 community 2 isolated stack trunk promiscuous allow allow allow allow allow community 1 N A N A N A N A N A community 2 N A N A...

Page 564: ...face must physically exist in the switch Secondary community and isolated VLANS are associated to the same multiple spanning tree instance as the primary VLAN GVRP MVRP cannot be enabled after the private VLAN is configured The administrator will need to disable both before configuring the private VLAN DHCP snooping can be configured on the primary VLAN If it is enabled for a secondary VLAN the co...

Page 565: ...routing on secondary VLANs as the access to them is restricted However primary VLANs can be enabled for routing It is recommended that the private VLAN IDs be removed from the trunk ports connected to devices that do not participate in the private VLAN traffic Private VLAN Configuration Example See Configuring a Private VLAN on page 615 Additional VLAN Features The PowerConnect 8000 8100 series sw...

Page 566: ...omain and receive all broadcast and multicast traffic received on any port When you create a new VLAN all trunk ports are members of the VLAN by default The configurable VLAN range is 2 4093 VLANs 4094 and 4095 are reserved Ports in trunk and access mode have the default behavior shown in Table 22 2 and cannot be configured with different tagging or ingress filtering values When you add a VLAN to ...

Page 567: ...cess Double VLAN tagging Disabled If double VLAN tagging is enabled the default EtherType value is 802 1Q Maximum number of configurable MAC to VLAN bindings 128 Maximum number of configurable IP Subnet to VLAN bindings 64 GVRP Disabled If GVRP is enabled the default port parameters are GVRP State Disabled Dynamic VLAN Creation Disabled GVRP Registration Disabled Number of dynamic VLANs that can b...

Page 568: ...mically through GVRP or when the Static row is changed and Apply is clicked There are two tables on the page Ports Displays and assigns VLAN membership to ports To assign membership click in Static for a specific port Each click toggles between U T and blank See Table 22 8 for definitions LAGs Displays and assigns VLAN membership to LAGs To assign membership click in Static for a specific LAG Each...

Page 569: ...ettings page Figure 22 4 VLAN Membership Adding a VLAN To create a VLAN 1 Open the VLAN Membership page 2 Click Add to display the Add VLAN page Blank Blank the interface is not a VLAN member Packets in this VLAN are not forwarded on this interface Table 22 8 VLAN Port Membership Definitions Port Control Definition ...

Page 570: ...ers To add member ports to a VLAN 1 Open the VLAN Membership page 2 From the Show VLAN menu select the VLAN to which you want to assign ports 3 In the Static row of the VLAN Membership table click the blank field to assign the port as an untagged member Figure 22 6 shows 10 Gigabit Ethernet ports 5 8 being added to VLAN 300 ...

Page 571: ...Configuring VLANs 571 Figure 22 6 Add Ports to VLAN 4 Click Apply 5 Verify that the ports have been added to the VLAN ...

Page 572: ...572 Configuring VLANs In Figure 22 7 the presence of the letter U in the Current row indicates that the port is an untagged member of the VLAN Figure 22 7 Add Ports to VLAN ...

Page 573: ... in the navigation panel Figure 22 8 VLAN Port Settings From the Port Settings page click Show All to see the current VLAN settings for all ports You can change the settings for one or more ports by clicking the Edit option for a port and selecting or entering new values NOTE You can add ports to a VLAN through the table on the VLAN Membership page or through the PVID field on the Port Settings pa...

Page 574: ...N Settings for All Ports VLAN LAG Settings Use the VLAN LAG Settings page to map a LAG to a VLAN and to configure specific VLAN settings for the LAG To display the LAG Settings page click Switching VLAN LAG Settings in the navigation panel ...

Page 575: ...ttings From the LAG Settings page click Show All to see the current VLAN settings for all LAGs You can change the settings for one or more LAGs by clicking the Edit option for a port and selecting or entering new values Figure 22 11 VLAN LAG Table ...

Page 576: ...hared across all ports of the switch The MAC to VLAN table supports up to 128 entries To display the Bind MAC to VLAN page click Switching VLAN Bind MAC to VLAN in the navigation panel Figure 22 12 Bind MAC to VLAN From the Bind MAC to VLAN page click Show All to see the MAC addresses that are mapped to VLANs From this page you can change the settings for one or more entries or remove an entry ...

Page 577: ...ubnet to VLAN page to assign an IP Subnet to a VLAN The IP Subnet to VLAN configurations are shared across all ports of the switch There can be up to 64 entries configured in this table To display the Bind IP Subnet to VLAN page click Switching VLAN Bind IP Subnet to VLAN in the navigation panel ...

Page 578: ...d IP Subnet to VLAN From the Bind IP Subnet to VLAN page click Show All to see the IP subnets that are mapped to VLANs From this page you can change the settings for one or more entries or remove an entry Figure 22 15 Subnet VLAN Bind Table ...

Page 579: ...LAN GVRP Parameters in the navigation panel Figure 22 16 GVRP Parameters From the GVRP Parameters page click Show All to see the GVRP configuration for all ports From this page you can change the settings for one or more entries NOTE Per port and per LAG GVRP Statistics are available from the Statistics RMON page For more information see Monitoring Switch Traffic on page 355 ...

Page 580: ...580 Configuring VLANs Figure 22 17 GVRP Port Parameters Table ...

Page 581: ...hich VLANs and then enable certain ports to use these settings Protocol based VLANs are most often used in situations where network segments contain hosts running multiple protocols To display the Protocol Group page click Switching VLAN Protocol Group in the navigation panel Figure 22 18 Protocol Group ...

Page 582: ...pply 5 Click Protocol Group to return to the main Protocol Group page 6 From the Group ID field select the group to configure 7 In the Protocol Settings table select the protocol and interfaces to associate with the protocol based VLAN In Figure 22 20 the Protocol Group 1 named IPX is associated with the IPX protocol and ports 14 16 Ports 20 22 are selected in Available Ports list After clicking t...

Page 583: ...Configuring VLANs 583 Figure 22 20 Configure Protocol Group 8 Click Apply 9 Click Show All to see the protocol based VLANs and their members Figure 22 21 Protocol Group Table ...

Page 584: ...ration page to specify the value of the EtherType field in the first EtherType tag pair of the double tagged frame To display the Double VLAN Global Configuration page click Switching VLAN Double VLAN Global Configuration in the navigation panel Figure 22 22 Double VLAN Global Configuration ...

Page 585: ... EtherType tag pair of the double tagged frame To display the Double VLAN Interface Configuration page click Switching VLAN Double VLAN Interface Configuration in the navigation panel Figure 22 23 Double VLAN Interface Configuration To view a summary of the double VLAN configuration for all interfaces and to edit settings for one or more interfaces click Show All ...

Page 586: ...586 Configuring VLANs Figure 22 24 Double VLAN Port Parameter Table ...

Page 587: ...lay the page click Switching VLAN Voice VLAN Configuration in the navigation panel Figure 22 25 Voice VLAN Configuration NOTE IEEE 802 1X must be enabled on the switch before you disable voice VLAN authentication Voice VLAN authentication can be disabled in order to allow VoIP phones that do not support authentication to send and receive unauthenticated traffic on the Voice VLAN ...

Page 588: ...only be a member of one untagged VLAN When you configure the interface as a VLAN member the Command Purpose configure Enter global configuration mode vlan vlan id vlan range Create a new VLAN or a range of VLANs and enter the interface configuration mode for the specified VLAN or VLAN range vlan id A valid VLAN IDs Range 2 4093 vlan range A list of valid VLAN IDs to be added List separate non cons...

Page 589: ...rface configuration mode for the specified interface The interface variable includes the interface type and number for example tengigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range tengigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 switchport mode access Configure the interface as an untagged layer 2 VLAN in...

Page 590: ...t when in trunking mode Separate non consecutive VLAN IDs with a comma and no spaces Use a hyphen to designate a range of IDs The vlan list format is all add remove except vlan atom vlan atom where all Specifies all VLANs from 1 to 4093 This keyword is not allowed on commands that do not permit all VLANs in the list to be set at the same time add Adds the list of VLANs to the allowed set remove Re...

Page 591: ...ng VLANs 591 show interfaces switchport interface Display information about the VLAN settings configured for the specified interface The interface variable includes the interface type and number Command Purpose ...

Page 592: ...rface range tengigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 switchport mode general Configure the interface as a tagged and an untagged layer 2 VLAN interface switchport general allowed vlan add remove vlan list tagged untagged Configure the VLAN membership for the port You can also use this command to change the egress tagging for packets without changing the VLAN assignment ad...

Page 593: ...e tagged only Optional Specifies that the port will only accept tagged frames Untagged frames are dropped at ingress switchport general ingress filtering disable Optional Turn off ingress filtering so that all received tagged frames are forwarded whether or not the port is a member of the VLAN in the tag CTRL Z Exit to Privileged EXEC mode show interfaces switchport interface Display information a...

Page 594: ...594 Configuring VLANs CTRL Z Exit to Privileged EXEC mode show interfaces switchport port channel channel id Display information about the VLAN settings configured for the specified LAG Command Purpose ...

Page 595: ... and 12 mode dvlan tunnel Enable Double VLAN Tunneling on the specified interface exit Exit to global configuration mode dvlan tunnel ethertype 802 1Q vman custom 0 65535 primary tpid Configure the EtherType to use for interfaces with double VLAN tunneling enabled 802 1Q Configures the EtherType as 0x8100 vman Configures the EtherType as 0x88A8 custom Custom configures the EtherType for the DVLAN ...

Page 596: ...lobal configuration mode vlan database Enter VLAN database mode vlan association mac mac address vlan id Associate a MAC address with a VLAN mac address MAC address to associate Range Any MAC address in the format xxxx xxxx xxxx or xx xx xx xx xx xx vlanid VLAN to associate with subnet Range 1 4093 CTRL Z Exit to Privileged EXEC mode show vlan association mac mac address Display the VLAN associate...

Page 597: ...ation can be associated with one group only If adding an interface to a group causes any conflicts with protocols currently associated with the group adding the interface s to the group fails and no interfaces are added to the group Ensure that the referenced VLAN is created prior to the creation of the protocol based group except when GVRP is expected to create the VLAN Command Purpose configure ...

Page 598: ...ith the group this command fails and the protocol is not added to the group groupid The protocol based VLAN group ID protocol The protocol you want to add The ethertype can be any valid number in the range 0x0600 0xffff protocol vlan group all groupid Optional Add all physical interfaces to the protocol based group identified by groupid You can add individual interfaces to the protocol based group...

Page 599: ... name of a protocol group use the show port protocol all command vlanid A valid VLAN ID CTRL Z Exit to Privileged EXEC mode show port protocol all groupid Display the Protocol Based VLAN information for either the entire system or for the indicated group Command Purpose configure Enter global configuration mode gvrp enable Enable GVRP on the switch interface interface Enter interface configuration...

Page 600: ...o spaces Use a hyphen to designate a range of IDs gvrp registration forbid Optional Deregister all VLANs on a port and prevent any dynamic registration on the port gvrp vlan creation forbid Optional Disable dynamic VLAN creation exit Exit to global configuration mode vlan database Enter VLAN database mode vlan makestatic vlan id Optional Change a dynamically created VLAN one that is created by GVR...

Page 601: ...1p priority none untagged data priority trust untrust auth enable disable dscp value Enable the voice vlan capability on the interface vlanid The voice VLAN ID priority The Dot1p priority for the voice VLAN on the port trust Trust the dot1p priority or DSCP values contained in packets arriving on the voice vlan port untrust Do not trust the dot1p priority or DSCP values contained in packets arrivi...

Page 602: ...n of RADIUS Assigned VLANs on page 502 Table 22 9 Example VLANs VLAN ID VLAN Name VLAN Type Purpose 100 Engineering Port based All employees in the Engineering department use this VLAN Confining this department s traffic to a single VLAN helps reduce the amount of traffic in the broadcast domain which increases bandwidth 200 Marketing Port based All employees in the Marketing department use this V...

Page 603: ...tiple ports and hosts The Payroll and File servers are connected to the switches through a LAG Some of the Marketing hosts connect to Switch 1 and some connect to Switch 2 The Engineering and Marketing departments share the same file server Because security is a concern for the Payroll VLAN the ports and LAG that are members of this VLAN will accept and transmit only traffic tagged with VLAN 400 T...

Page 604: ... LAG Function Switch 1 1 Connects to Switch 2 2 15 Host ports for Payroll 16 20 Host ports for Marketing LAG1 ports 21 24 Connects to Payroll server Switch 2 1 Connects to Switch 1 2 10 Host ports for Marketing 11 30 Host ports for Engineering LAG1 ports 35 39 Connects to file server LAG2 ports 40 44 Uplink to router ...

Page 605: ...s and ports on Switch 1 None of the hosts that connect to Switch 1 use the Engineering VLAN VLAN 100 so it is not necessary to create it on that switch To configure Switch 1 1 Create the Marketing Sales and Payroll VLANs a From the Switching VLAN VLAN Membership page click Add b In the VLAN ID field enter 200 c In the VLAN Name field enter Marketing d Click Apply Figure 22 27 Add VLANs e Repeat st...

Page 606: ...k the space for ports 16 20 so the U untagged displays for each port Figure 22 28 VLAN Membership VLAN 200 3 Click Apply 4 Assign ports 2 15 and LAG1 to the Payroll VLAN a From the Switching VLAN VLAN Membership page select 400 Payroll from the Show VLAN field b In the Static row click the space for ports 2 15 and LAG 1 so the U untagged displays for each port and then click Apply ...

Page 607: ...h PVID 400 a From the Switching VLAN LAG Settings page make sure Po1 is selected b Configure the following settings Port VLAN Mode General PVID 400 Frame Type AdmitAll c Click Apply Figure 22 29 LAG Settings 6 Configure port 1 as a trunk port a From the Switching VLAN Port Settings page make sure port Te1 0 1 is selected b From the Port VLAN Mode field select Trunk c Click Apply ...

Page 608: ... 31 shows VLAN 200 in which port 1 is a tagged member and ports 16 20 are untagged members Figure 22 31 Trunk Port Configuration 8 Configure the MAC based VLAN information a Go to the Switching VLAN Bind MAC to VLAN page b In the MAC Address field enter a valid MAC address for example 00 1C 23 55 E9 8B c In the Bind to VLAN field enter 300 which is the Sales VLAN ID d Click Apply ...

Page 609: ...and Ports on Switch 2 Use the following steps to configure the VLANs and ports on Switch 2 Many of the procedures in this section are the same as procedures used to configure Switch 1 For more information about specific procedures see the details and figures in the previous section To configure Switch 2 1 Create the Engineering Marketing Sales and Payroll VLANs Although the Payroll hosts do not co...

Page 610: ... Configure the MAC based VLAN information 10 If desired copy the running configuration to the startup configuration Configuring VLANs Using the CLI This example shows how to perform the same configuration by using CLI commands Configure the VLANs and Ports on Switch 1 Use the following steps to configure the VLANs and ports on Switch 1 None of the hosts that connect to Switch 1 use the Engineering...

Page 611: ...ess console config if switchport access vlan 400 console config if exit 4 Assign LAG1 to the Payroll VLAN and specify that frames will always be transmitted tagged with a VLAN ID of 400 By default all VLANs are members of a trunk port console config interface port channel 1 console config if Po1 switchport mode trunk console config if Po1 switchport trunk native vlan 400 console config if Po1 exit...

Page 612: ...so that it persists across a system reset use the following command console copy running config startup config 8 View the VLAN settings console show vlan 9 View the VLAN membership information for a port console show interfaces switchport te1 0 1 Port Te1 0 1 VLAN Membership mode Trunk Mode Operating parameters PVID 1 Ingress Filtering Enabled Acceptable Frame Type VLAN Only Default Priority 0 GVR...

Page 613: ...connect to this switch traffic from the Payroll department must use Switch 2 to reach the rest of the network and Internet through the uplink port For that reason Switch 2 must be aware of VLAN 400 so that traffic is not rejected by the trunk port 2 Configure ports 2 10 as access ports and add VLAN 200 to the ports 3 Configure ports 11 30 as access ports and add VLAN 100 to the ports 4 Configure L...

Page 614: ...tem Security on page 469 To configure the switch 1 Create the voice VLAN console configure console config vlan 25 console config vlan25 exit 2 Enable the Voice VLAN feature on the switch console config voice vlan 3 Configure port 10 to be in general mode console config interface te1 0 10 console config if Te1 0 10 switchport mode general 4 Enable port based 802 1X authentication on the port This s...

Page 615: ... VLAN Authentication Disabled Configuring a Private VLAN 1 Configure the VLANs and their roles This example configures VLAN 100 as the primary VLAN secondary VLAN 101 as the community VLAN and secondary VLANs 102 and 103 as the isolated VLANs switch configure switch config vlan 100 switch config vlan 100 private vlan primary switch config vlan 100 exit switch config vlan 101 switch config vlan 101...

Page 616: ...n 100 101 console config if Gi1 0 11 interface gi1 0 12 console config if Gi1 0 12 switchport mode private vlan host console config if Gi1 0 12 switchport private vlan host association 100 101 5 Assign the isolated VLAN ports console config interface gi1 0 10 console config if Gi1 0 10 switchport mode private vlan host console config if Gi1 0 10 switchport private vlan host association 100 102 con...

Page 617: ...ate vlan Primary VLAN Secondary VLAN Community 100 102 101 console config show vlan VLAN Name Ports Type 1 default Po1 128 Default Te1 1 1 Gi1 0 1 10 Gi1 0 13 24 100 VLAN0100 Te1 1 1 Static Gi1 0 11 12 101 VLAN0101 Gi1 0 11 Static 102 VLAN0102 Gi1 0 12 Static ...

Page 618: ...618 Configuring VLANs ...

Page 619: ...ide a single path between end stations on a network PowerConnect 8000 8100 series switches support Classic STP Multiple STP and Rapid STP What Are Classic STP Multiple STP and Rapid STP Classic STP provides a single path between end stations avoiding and eliminating loops Multiple Spanning Tree Protocol MSTP supports multiple instances of Spanning Tree to efficiently channel VLAN traffic over diff...

Page 620: ...ier of the bridge and its configurable priority number When two switches have an equal bridge ID value the switch with the lowest MAC address is the root bridge After the root bridge is elected each switch finds the lowest cost path to the root bridge The port that connects the switch to the lowest cost path is the root port on the switch The switches in the spanning tree also determine which port...

Page 621: ...e 23 1 Small Bridged Network Assume that Switch A is elected to be the Root Bridge and Port 1 on Switch B and Switch C are calculated to be the root ports for those bridges Port 2 on Switch B and Switch C would be placed into the Blocking state This creates a loop free topology End stations in VLAN 10 can talk to other devices in VLAN 10 and end stations in VLAN 20 have a single path to communicat...

Page 622: ... Port 2 on Switch B and Switch C could be used these inefficiencies could be eliminated MSTP does just that by allowing the configuration of MSTIs based upon a VLAN or groups of VLANs In this simple case VLAN 10 could be associated with Multiple Spanning Tree Instance MSTI 1 with an active topology similar to Figure 23 2 and VLAN 20 could be associated with MSTI 2 where Port 1 on both Switch A and...

Page 623: ...Configuring the Spanning Tree Protocol 623 The logical representation of the MSTP environment for these three switches is shown in Figure 23 3 Figure 23 3 Logical MSTP Environment ...

Page 624: ...alternate paths through each Region Above Switch A is elected as both the MSTI 1 Regional Root and the CIST Regional Root Bridge and after adjusting the Bridge Priority on Switch C in MSTI 2 it would be elected as the MSTI 2 Regional Root To further illustrate the full connectivity in an MSTP active topology the following rules apply 1 Each Bridge or LAN is in only one Region 2 Every frame is asso...

Page 625: ...thout considering the VLAN membership of the ports This results in unexpected behavior if the active topology of an MSTI depends on a port that is not a member of the VLAN assigned to the MSTI and the port is selected as root port In this configuration port TE 1 0 11 is selected as the root port and ports TE1 0 12 and TE1 0 13 are blocked To resolve the issue set the port path cost of the directly...

Page 626: ...t are connected to end devices such as a desktop computer printer or file server to transition to the forwarding state without going through the listening and learning states BPDU Filtering Ports that have the PortFast feature enabled continue to transmit BPDUs The BPDU filtering feature prevents PortFast enabled ports from sending BPDUs If BPDU filtering is configured globally on the switch the f...

Page 627: ...ding loops induced by BPDU packet loss The reasons for failing to receive packets are numerous including heavy traffic software problems incorrect configuration and unidirectional link failure When a non designated port no longer receives BPDUs the spanning tree algorithm considers that this link is loop free and begins transitioning the link from blocking to forwarding Once in forwarding state th...

Page 628: ...on to a forwarding state When the port receives a BPDU packet the system sets it to non edge port and recalculates the spanning tree which causes network topology flapping In normal cases these ports do not receive any BPDU packets However someone may forge BPDU to maliciously attack the switch and cause network flapping BPDU protection can be enabled in RSTP to prevent such attacks When BPDU prot...

Page 629: ...ate Enabled globally and on all ports Spanning tree mode RSTP Classic STP and MSTP are disabled Switch priority 32768 BPDU flooding Disabled PortFast mode Disabled PortFast BPDU filter Disabled Loop guard Disabled BPDU protection Disabled Spanning tree port priority 128 Maximum aging time 20 seconds Forward delay time 15 seconds Maximum hops 20 Spanning tree transmit hold count 6 MSTP region name ...

Page 630: ...or configuring and monitoring STP settings on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page STP Global Settings The STP Global Settings page contains fields for enabling STP on the switch To display the STP Global Settings page click Switching Spanning Tree Global Settings in the navigation panel ...

Page 631: ...Configuring the Spanning Tree Protocol 631 Figure 23 5 Spanning Tree Global Settings ...

Page 632: ...tocol STP Port Settings Use the STP Port Settings page to assign STP properties to individual ports To display the STP Port Settings page click Switching Spanning Tree STP Port Settings in the navigation panel Figure 23 6 STP Port Settings ...

Page 633: ...STP settings for multiple ports 1 Open the STP Port Settings page 2 Click Show All to display the STP Port Table Figure 23 7 Configure STP Port Settings 3 For each port to configure select the check box in the Edit column in the row associated with the port 4 Select the desired settings 5 Click Apply ...

Page 634: ...ports parameters To display the STP LAG Settings page click Switching Spanning Tree STP LAG Settings in the navigation panel Figure 23 8 STP LAG Settings Configuring STP Settings for Multiple LAGs To configure STP settings on multiple LAGS 1 Open the STP LAG Settings page 2 Click Show All to display the STP LAG Table ...

Page 635: ...w associated with the LAG 4 Select the desired settings 5 Click Apply Rapid Spanning Tree Rapid Spanning Tree Protocol RSTP detects and uses network topologies that allow a faster convergence of the spanning tree without creating forwarding loops To display the Rapid Spanning Tree page click Switching Spanning Tree Rapid Spanning Tree in the navigation panel ...

Page 636: ...636 Configuring the Spanning Tree Protocol Figure 23 10 Rapid Spanning Tree To view RSTP Settings for all interfaces click the Show All link The Rapid Spanning Tree Table displays ...

Page 637: ...Configuring the Spanning Tree Protocol 637 Figure 23 11 RSTP LAG Settings ...

Page 638: ...Spanning Tree to efficiently channel VLAN traffic over different interfaces MSTP is compatible with both RSTP and STP a MSTP bridge can be configured to behave entirely as a RSTP bridge or a STP bridge To display the MSTP Settings page click Switching Spanning Tree MSTP Settings in the navigation panel Figure 23 12 MSTP Settings ...

Page 639: ...tings for multiple VLANS 1 Open the MSTP Settings page 2 Click Show All to display the MSTP Settings Table Figure 23 13 Configure MSTP Settings 3 For each Instance ID to modify select the check box in the Edit column in the row associated with the VLAN 4 Update the Instance ID settings for the selected VLANs 5 Click Apply ...

Page 640: ...To display the MSTP Interface Settings page click Switching Spanning Tree MSTP Interface Settings in the navigation panel Figure 23 14 MSTP Interface Settings Configuring MSTP Settings for Multiple Interfaces To configure MSTP settings for multiple interfaces 1 Open the MSTP Interface Settings page 2 Click Show All to display the MSTP Interface Table ...

Page 641: ...g Tree Protocol 641 Figure 23 15 Configure MSTP Interface Settings 3 For each interface to configure select the check box in the Edit column in the row associated with the interface 4 Update the desired settings 5 Click Apply ...

Page 642: ...ree priority priority Specify the priority of the bridge Range 0 61440 The switch with the lowest priority value is elected as the root switch spanning tree max age seconds Specify the switch maximum age time which indicates the amount of time in seconds a bridge waits before implementing a topological change Valid values are from 6 to 40 seconds spanning tree forward time seconds Specify the swit...

Page 643: ...d in PortFast mode from sending BPDUs spanning tree loopguard default Enable loop guard on all ports spanning tree bpdu protection Enable BPDU protection on the switch interface interface Enter interface configuration mode for the specified interface The interface variable includes the interface type and number for example tengigabitethernet 1 0 3 or port channel 4 You can also specify a range of ...

Page 644: ...erfaces with the interface range command for example interface range tengigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 The range keyword is also valid for LAGs port channels spanning tree disable Disable spanning tree on the port spanning tree port priority priority Specify the priority of the port Range 0 240 The priority value is used to determine which ports are put in the forw...

Page 645: ...added to the existing MST instance To specify a range of VLANs use a hyphen To specify a series of VLANs use a comma Range 1 4093 exit Return to global configuration mode spanning tree mst instance id priority priority Set the switch priority for the specified spanning tree instance instance id ID of the spanning tree instance Range 1 4094 priority Sets the switch priority for the specified spanni...

Page 646: ...e common spanning tree Range 0 200000000 spanning tree mst instance id cost cost Configure the path cost for MST calculations If a loop occurs the spanning tree considers path cost when selecting an interface to put in the forwarding state instance ID ID of the spanning tree instance Range 1 4094 cost The port path cost Range 0 200 000 000 spanning tree mst instance id port priority priority Speci...

Page 647: ...he following examples Configuring STP Configuring MSTP Configuring STP This example shows a LAN with four switches On each switch ports 1 2 and 3 connect to other switches and ports 4 20 connect to hosts in Figure 23 16 each PC represents 17 host systems Figure 23 16 STP Example Network Diagram ...

Page 648: ...apability to prevent network loops For all other STP settings the administrator uses the default STP values To configure the switch 1 Connect to Switch A and configure the priority to be higher a lower value than the other switches which use the default value of 32768 console config console config spanning tree priority 8192 2 Configure ports 4 20 to be in Port Fast mode console config interface r...

Page 649: ...re the MST region name and revision level are the same for all switches in the region To configure the switches 1 Create VLAN 10 Switch A and Switch B and VLAN 20 all switches console configure console config vlan 10 20 console config vlan10 20 exit console config vlan exit NOTE Even Switch B does not have any ports that are members of VLAN 10 this VLAN must be created to allow the formation of MS...

Page 650: ...figure Switch A to be the root bridge of the spanning tree CIST Regional Root by configuring a higher root bridge priority console config spanning tree priority 8192 7 Switch A only Make Switch A the Regional Root for MSTI 1 by configuring a higher priority for MST ID 10 console config spanning tree mst 10 priority 12288 8 Switch A only Change the priority of MST ID 20 to ensure Switch C is the Re...

Page 651: ...tch to broadcast information about itself and to learn information about neighboring devices What Is ISDP The Industry Standard Discovery Protocol ISDP is a proprietary Layer 2 network protocol that inter operates with Cisco devices running the Cisco Discovery Protocol CDP ISDP is used to share information between neighboring devices The switch software participates in the CDP protocol and is able...

Page 652: ...matically translate into configuration An external application may query the MED MIB and take management actions in configuring functionality Why are Device Discovery Protocols Needed The device discovery protocols are used primarily in conjunction with network management tools to provide information about network topology and configuration and to help troubleshoot problems that occur on the netwo...

Page 653: ...ameter Default Value ISDP Mode Enabled globally and on all ports ISDPv2 Mode Enabled globally and on all ports Message Interval 30 seconds Hold Time Interval 180 seconds Device ID none Device ID Format Capability Serial Number Host Name Device ID Format Serial Number Table 24 2 LLDP Defaults Parameter Default Value Transmit Mode Enabled on all ports Receive Mode Enabled on all ports Transmit Inter...

Page 654: ...able 24 3 summarizes the default values for LLDP MED Table 24 3 LLDP MED Defaults Parameter Default Value LLDP MED Mode Disabled on all ports Config Notification Mode Disabled on all ports Transmit TVLs MED Capabilities Network Policy ...

Page 655: ... a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page ISDP Global Configuration From the ISDP Global Configuration page you can configure the ISDP settings for the switch such as the administrative mode To access the ISDP Global Configuration page click System ISDP Global Configuration in the navigation panel Figure 24 1 ISDP Global Configurati...

Page 656: ... Table From the ISDP Cache Table page you can view information about other devices the switch has discovered through the ISDP To access the ISDP Cache Table page click System ISDP Cache Table in the navigation panel Figure 24 2 ISDP Cache Table ...

Page 657: ...must also be enabled globally in order for the interface to transmit ISDP packets If the ISDP mode on the ISDP Global Configuration page is disabled the interface will not transmit ISDP packets regardless of the mode configured on the interface To access the ISDP Interface Configuration page click System ISDP Interface Configuration in the navigation panel Figure 24 3 ISDP Interface Configuration ...

Page 658: ...658 Discovering Network Devices To view view the ISDP mode for multiple interfaces click Show All Figure 24 4 ISDP Interface Summary ...

Page 659: ... Statistics From the ISDP Statistics page you can view information about the ISDP packets sent and received by the switch To access the ISDP Statistics page click System ISDP Statistics in the navigation panel Figure 24 5 ISDP Statistics ...

Page 660: ...ration page to specify LLDP parameters Parameters that affect the entire system as well as those for a specific interface can be specified here To display the LLDP Configuration page click Switching LLDP Configuration in the navigation panel Figure 24 6 LLDP Configuration ...

Page 661: ... 661 To view the LLDP Interface Settings Table click Show All From the LLDP Interface Settings Table page you can view and edit information about the LLDP settings for multiple interfaces Figure 24 7 LLDP Interface Settings Table ...

Page 662: ...ng Network Devices LLDP Statistics Use the LLDP Statistics page to view LLPD related statistics To display the LLDP Statistics page click Switching LLDP Statistics in the navigation panel Figure 24 8 LLDP Statistics ...

Page 663: ...ections Use the LLDP Connections page to view the list of ports with LLDP enabled Basic connection details are displayed To display the LLDP Connections page click Switching LLDP Connections in the navigation panel Figure 24 9 LLDP Connections ...

Page 664: ...information about a device connected to a port that has been discovered through LLDP click the port number in the Local Interface table it is a hyperlink or click Details and select the port with the connected device Figure 24 10 LLDP Connection Detail ...

Page 665: ...LDP MED Global Configuration page to change or view the LLDP MED parameters that affect the entire system To display the LLDP MED Global Configuration page click Switching LLDP LLDP MED Global Configuration in the navigation panel Figure 24 11 LLDP MED Global Configuration ...

Page 666: ...DP MED Interface Configuration page to specify LLDP MED parameters that affect a specific interface To display the LLDP MED Interface Configuration page click Switching LLDP LLDP MED Interface Configuration in the navigation panel Figure 24 12 LLDP MED Interface Configuration ...

Page 667: ...Discovering Network Devices 667 To view the LLDP MED Interface Summary table click Show All Figure 24 13 LLDP MED Interface Summary ...

Page 668: ...e LLDP MED Local Device Information page to view the advertised LLDP local data for each port To display the LLDP MED Local Device Information page click Switching LLDP LLDP MED Local Device Information in the navigation panel Figure 24 14 LLDP MED Local Device Information ...

Page 669: ... MED Remote Device Information page to view the advertised LLDP data advertised by remote devices To display the LLDP MED Remote Device Information page click Switching LLDP LLDP MED Remote Device Information in the navigation panel Figure 24 15 LLDP MED Remote Device Information ...

Page 670: ...d EXEC mode use the following commands to configure ISDP settings that affect the entire switch Command Purpose configure Enter Global Configuration mode isdp enable Administratively enable ISDP on the switch isdp advertise v2 Allow the switch to send ISDPv2 packets isdp holdtime time Specify the number of seconds the device that receives ISDP packets from the switch should store information sent ...

Page 671: ...er interface configuration mode for the specified interface isdp enable Administratively enable ISDP on the switch exit Exit to Global Config mode exit Exit to Privileged Exec mode show isdp interface all View the ISDP mode on all interfaces Command Purpose show isdp entry all deviceid View information about all entries or a specific entry in the ISDP table show isdp neighbors View the neighboring...

Page 672: ...rts enabled for LLDP transmit interval The interval in seconds at which to transmit local data LLDP PDUs Range 5 32768 seconds hold value Multiplier on the transmit interval used to set the TTL in local data LLDP PDUs Range 2 10 reinit delay The delay in seconds before re initialization Range 1 10 seconds exit Exit to Privileged EXEC mode show lldp View global LLDP settings Command Purpose configu...

Page 673: ...e system capabilities TLV port desc Transmits the port description TLV exit Exit to Global Config mode exit Exit to Privileged EXEC mode show lldp interface all View LLDP settings for all interfaces Command Purpose show lldp local device all interface detail interface View LLDP information advertised by all ports or the specified port Include the keyword detail to see additional information show l...

Page 674: ...rface interface Enter interface configuration mode for the specified Ethernet interface lldp med Enable LLDP MED on the interface lldp med confignotification Allow the port to send topology change notifications lldp med transmit tlv capabilities network policy location inventory Specify which optional TLVs in the LLDP MED set are transmitted in the LLDP PDUs exit Exit to Global Config mode exit Ex...

Page 675: ...ds that a remote device should keep the ISDP information sent by the switch before discarding it console configure console config isdp holdtime 60 2 Specify how often in seconds the ISDP enabled ports should transmit information console config isdp timer 45 3 Enable ISDP on interface 1 0 3 console config interface tengigabitEthernet1 0 3 console config if Te1 0 3 isdp enable Command Purpose show l...

Page 676: ...terface te1 0 3 Interface Mode Te1 0 3 Enabled Configuring LLDP This example shows how to configure LLDP settings for the switch and to allow 10 Gigabit Ethernet port 1 0 3 to transmit all LLDP information available To configure the switch 1 Configure the transmission interval hold multiplier and reinitialization delay for LLDP PDUs sent from the switch console configure console config lldp timers...

Page 677: ...t description to be transmitted in LLDP PDUs console config if Te1 0 3 description Test Lab Port 6 Exit to Privileged EXEC mode console config if Te1 0 3 CTRL Z 7 View global LLDP settings on the switch console show lldp LLDP Global Configuration Transmit Interval 60 seconds Transmit Hold Multiplier 5 Reinit Delay 3 seconds Notification Interval 5 seconds 8 View summary information about the LLDP ...

Page 678: ...etail Interface Te1 0 3 Chassis ID Subtype MAC Address Chassis ID 00 1E C9 AA AA 07 Port ID Subtype Interface Name Port ID te 1 0 3 System Name console System Description PowerConnect 8024 3 16 22 30 VxWorks 6 5 Port Description Test Lab Port System Capabilities Supported bridge router System Capabilities Enabled bridge Management Address Type IPv4 Address 192 168 2 1 ...

Page 679: ...Configuring Port Based Traffic Control Web Configuring Port Based Traffic Control CLI Port Based Traffic Control Configuration Example Port Based Traffic Control Overview Table 25 1 provides a summary of the features this chapter describes Table 25 1 Port Based Traffic Control Features Feature Description Flow control Allows traffic transmission between a switch port and another Ethernet device to...

Page 680: ...he result of an excessive number of broadcast multicast or unknown unicast messages simultaneously transmitted across a network by a single port Forwarded message responses can overload network resources and cause network congestion The storm control feature allows the switch to measure the incoming broadcast multicast and or unknown unicast packet rate per port and discard packets when the rate e...

Page 681: ... is possible between two protected ports What is Link Local Protocol Filtering The Link Local Protocol Filtering LLPF feature can help troubleshoot network problems that occur when a network includes proprietary protocols running on standards based switches LLPF allows a PowerConnect 8000 8100 series switch to filter out various Cisco proprietary protocol data units PDUs and or ISDP if problems oc...

Page 682: ...y Protocol ISDP is enabled on an interface and the LLPF feature on an interface is enabled and configured to drop ISDP PDUs the ISDP configuration overrides the LLPF configuration and the ISDP PDUs are allowed on the interface Default Port Based Traffic Control Values Table 25 2 lists the default values for the port based traffic control features that this chapter describes Table 25 2 Default Port...

Page 683: ...based traffic on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page Flow Control Global Port Parameters Use the Global Parameters page for ports to enable or disable flow control support on the switch To display the Global Parameters page click Switching Ports Global Parameters in the navigation menu Figure 25 1 Global Port Parameters ...

Page 684: ...g Ports Storm Control in the navigation menu Figure 25 2 Storm Control Configuring Storm Control Settings on Multiple Ports To configure storm control on multiple ports 1 Open the Storm Control page 2 Click Show All to display the Storm Control Settings Table 3 In the Ports list select the check box in the Edit column for the port to configure 4 Select the desired storm control settings ...

Page 685: ...Configuring Port Based Traffic Control 685 Figure 25 3 Storm Control 5 Click Apply ...

Page 686: ...o see each other s traffic To display the Protected Port Configuration page click Switching Ports Protected Port Configuration in the navigation menu Figure 25 4 Protected Port Configuration Configuring Protected Ports To configure protected ports 1 Open the Protected Ports page 2 Click Add to display the Add Protected Group page 3 Select a group 0 2 4 Specify a name for the group ...

Page 687: ... Group 5 Click Apply 6 Click Protected Port Configuration to return to the main page 7 Select the port to add to the group 8 Select the protected port group ID Figure 25 6 Add Protected Ports 9 Click Apply 10 To view protected port group membership information click Show All ...

Page 688: ...rt and click Apply LLPF Configuration Use the LLPF Interface Configuration page to filter out various proprietary protocol data units PDUs and or ISDP if problems occur with these protocols running on standards based switches To display the LLPF Interface Configuration page click Switching Network Security Proprietary Protocol Filtering LLPF Interface Configuration the navigation menu ...

Page 689: ...Configuring Port Based Traffic Control 689 Figure 25 8 LLPF Interface Configuration To view the protocol types that have been blocked for an interface click Show All Figure 25 9 LLPF Filtering Summary ...

Page 690: ...ernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range tengigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 storm control broadcast level rate Enable broadcast storm recovery mode on the interface and optionally set the threshold rate threshold as percentage of port speed The percentage is converted to a PacketsPerSecond va...

Page 691: ...r all interfaces or the specified interface Command Purpose configure Enter global configuration mode switchport protected groupid name name Specify a name for one of the three protected port groups groupid Identifies which group the port is to be protected in Range 0 2 name Name of the group Range 0 32 characters interface interface Enter interface configuration mode for the specified interface T...

Page 692: ...tethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range tengigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 service acl input blockcdp blockvtp blockdtp blockudld blockpagp blocksstp blockall Use the appropriate keyword or combination of keywords to block any or all of the following PDUs on the interface VTP DTP UDLD PA...

Page 693: ...d to ports 3 4 and 9 from being able to communicate with each other To configure the switch 1 Configure storm control for broadcast traffic on all physical interfaces console config interface range te1 0 1 24 console config if storm control broadcast level 10 2 Configure LLPF to block PAgP and VTP PDUs on all physical interfaces console config if service acl blockpagp blockvtp console config if ex...

Page 694: ...st Ucast Intf Mode Level Mode Level Mode Level Te1 0 1 Enable 10 Enable 5 Disable 5 console show service acl interface te1 0 1 Protocol Mode CDP Disabled VTP Enabled DTP Disabled UDLD Disabled PAGP Enabled SSTP Disabled ALL Disabled console show switchport protected 0 Name clients Member Ports Te1 0 1 Te1 0 2 Te1 0 3 Te1 0 4 Te1 0 9 ...

Page 695: ...t traffic is traffic from one source that has multiple destinations The L2 multicast features on the switch help control network flooding of Ethernet multicast and IP multicast traffic by keeping track of multicast group membership It is essential that a multicast router be connected to a PowerConnect layer 2 multicast switch for IGMP MLD snooping to operate properly The presence of a multicast ro...

Page 696: ...eports sent to the multicast routers This causes multicast data traffic to be forwarded to any hosts joining the multicast group What Is L2 Multicast Traffic L3 IP multicast traffic is traffic that is destined to a host group Host groups are identified by class D IPv4 addresses which range from 224 0 1 0 to 239 255 255 255 or by FF0x or FF3x IPv6 addresses In contrast to L3 multicast traffic L2 mu...

Page 697: ...responding 01 00 5e 00 00 xx MAC address When a multicast router is discovered its interface is added to the interface distribution list for all multicast groups in the VLAN If a switch is connected to a multicast source and no client the switch filters the traffic from that group to all interfaces in the VLAN If the switch sees an IGMP join from a host in the same VLAN then it forwards the traffi...

Page 698: ...IGMP Snooping Querier When PIM and IGMP are enabled in a network with IP multicast routing the IP multicast router acts as the IGMP querier However if the IP multicast traffic in a VLAN needs to be Layer 2 switched only an IP multicast router is not required The IGMP snooping querier can perform the role of generating IGMP queries that would normally be performed by the multicast router When IGMP ...

Page 699: ... by snooping IPv6 multicast control packets MLD snooping floods multicast data packets until a multicast router port has been identified MLD snooping forwards unregistered multicast data packets to IPv6 multicast routers MLD snooping discovers multicast routers by listening for MLD queries and populates the MFDB MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast...

Page 700: ...are two types of MVR ports source and receiver Source port is the port where multicast traffic is flowing to It has to be the member of so called multicast VLAN Receiver port is the port where listening host is connected to the switch It can be the member of any VLAN except multicast VLAN There are two configured learning modes of the MVR operation dynamic and compatible In the dynamic mode MVR le...

Page 701: ...s and IGMP snooping prevents the multicast router from flooding incoming multicast packets on the ingress VLAN For information about configuring a PowerConnect 8000 8100 series switch as a multicast router that also performs IGMP snooping see Configuring Multicast VLAN Routing With IGMP and PIM SM on page 1251 NOTE If a multicast source is connected to a VLAN on which both L3 multicast and IGMP sn...

Page 702: ...rotocol GVRP to help dynamically manage VLAN memberships on trunk ports GARP Multicast Registration Protocol GMRP to help control the flooding of multicast traffic by keeping track of group membership information GVRP and GMRP use the same set of GARP Timers to specify the amount of time to wait before transmitting various GARP messages GMRP is similar to IGMP snooping in its purpose but IGMP snoo...

Page 703: ... 3 map to 01 00 5E 03 03 03 As a result if a host requests 225 1 1 1 then it might receive multicast traffic of group 226 1 1 1 as well IGMP MLD Snooping in a Multicast Router IGMP MLD snooping is a Layer 2 feature and is achieved by using the L2 multicast forwarding table If a multicast source is connected to a VLAN on which both L3 multicast and IGMP MLD snooping are enabled the multicast source...

Page 704: ...C group addresses on a port in a VLAN it is necessary to configure all ports in the VLAN over which it is desired that the group traffic flow both host and router on all switches IGMP snooping does not dynamically add ports to a VLAN for a multicast group when a static entry is configured for that group in the VLAN This restriction applies to both multicast router connected ports and host connecte...

Page 705: ...t router timeout 300 seconds IGMP MLD snooping leave timeout 10 seconds IGMP snooping querier Disabled IGMP version v2 MLD version v1 IGMP MLD snooping querier query interval 60 seconds IGMP MLD snooping querier expiry interval 60 seconds IGMP MLD snooping VLAN querier Disabled VLAN querier election participate mode Disabled Snooping Querier VLAN Address 0 0 0 0 MVR running Disabled MVR multicast ...

Page 706: ...706 Configuring L2 Multicast Features GMRP Disabled globally and per interface Table 26 1 L2 Multicast Defaults Continued Parameter Default Value ...

Page 707: ...al Parameters page to enable or disable bridge multicast filtering IGMP snooping or MLD snooping on the switch To display the Multicast Global Parameters page click Switching Multicast Support Global Parameters in the navigation menu Figure 26 1 Multicast Global Parameters NOTE It is strongly recommended that users enable IGMP snooping if MLD snooping is enabled and vice versa This is because both...

Page 708: ...ure 26 2 Bridge Multicast Group Understanding the Port and LAG Member Tables The Bridge Multicast Group tables display which Ports and LAGs are members of the multicast group and whether they re static S dynamic D or forbidden F The tables have two rows Static and Current Only the Static row is accessible from this page The Current row is updated when the Static row is changed and Apply is clicked...

Page 709: ...icast Group page click Add The Add Bridge Multicast Group page displays Table 26 2 Port LAG IGMP Management Settings Port Control Definition D Dynamic Indicates that the port LAG was dynamically joined to the Multicast group displays in the Current row S Static Attaches the port to the Multicast group as a static member in the Static row Displays in the Current row once Apply is clicked F Forbidde...

Page 710: ...group IP or MAC address associated with the selected VLAN 4 In the Bridge Multicast Group tables assign a setting by clicking in the Static row for a specific port LAG Each click toggles between S F and blank not a member 5 Click Apply The bridge multicast address is assigned to the multicast group ports LAGs are assigned to the group with the Current rows being updated with the Static settings an...

Page 711: ...e drop down menu The Bridge Multicast Address and the assigned ports LAGs display 3 Check the Remove check box 4 Click Apply The selected bridge multicast group is removed and the device is updated MRouter Status Use the MRouter Status page to display the status of dynamically learned multicast router interfaces To access this page click Switching Multicast Support MRouter Status in the navigation...

Page 712: ... Switching Multicast Support IGMP Snooping General in the navigation menu Figure 26 5 General IGMP Snooping Modifying IGMP Snooping Settings for Multiple Ports LAGs or VLANs To modify the IGMP snooping settings 1 From the General IGMP snooping page click Show All The IGMP Snooping Table displays 2 Select the Edit checkbox for each Port LAG or VLAN to modify In Figure 26 6 ports 2 and 3 are to be m...

Page 713: ...ts LAGs or VLANs To copy IGMP snooping settings 1 From the General IGMP snooping page click Show All The IGMP Snooping Table displays 2 Select the Copy Parameters From checkbox 3 Select a Unit Port LAG or VLAN to use as the source of the desired parameters 4 Select the Copy To checkbox for the Unit Ports LAGs or VLANs that these parameters will be copied to In Figure 26 7 the settings for port 3 w...

Page 714: ...714 Configuring L2 Multicast Features Figure 26 7 Copy IGMP Snooping Settings 5 Click Apply The IGMP snooping settings are modified and the device is updated ...

Page 715: ...ing querier settings such as the IP address to use as the source in periodic IGMP queries when no source address has been configured on the VLAN To display the Global Querier Configuration page click Switching Multicast Support IGMP Snooping Global Querier Configuration in the navigation menu Figure 26 8 Global Querier Configuration ...

Page 716: ...ividual VLANs To display the VLAN Querier page click Switching Multicast Support IGMP Snooping VLAN Querier in the navigation menu Figure 26 9 VLAN Querier Adding a New VLAN and Configuring its VLAN Querier Settings To configure a VLAN querier 1 From the VLAN Querier page click Add The page refreshes and the Add VLAN page displays ...

Page 717: ... Querier 2 Enter the VLAN ID and if desired an optional VLAN name 3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu 4 Specify the VLAN querier settings 5 Click Apply The VLAN Querier settings are modified and the device is updated ...

Page 718: ...718 Configuring L2 Multicast Features To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch click Show All Figure 26 11 Add VLAN Querier ...

Page 719: ... VLAN Querier Status page to view the IGMP snooping querier settings for individual VLANs To display the VLAN Querier Status page click Switching Multicast Support IGMP Snooping VLAN Querier Status in the navigation menu Figure 26 12 IGMP Snooping VLAN Querier Status ...

Page 720: ...age to view the multicast forwarding database MFDB IGMP Snooping Table and Forbidden Ports settings for individual VLANs To display the MFDB IGMP Snooping Table page click Switching Multicast Support IGMP Snooping MFDB IGMP Snooping Table in the navigation menu Figure 26 13 MFDB IGMP Snooping Table ...

Page 721: ...dd MLD members To access this page click Switching Multicast Support MLD Snooping General in the navigation panel Figure 26 14 MLD Snooping General Modifying MLD Snooping Settings for VLANs To configure MLD snooping 1 From the General MLD snooping page click Show All The MLD Snooping Table displays ...

Page 722: ...Multicast Features Figure 26 15 MLD Snooping Table 2 Select the Edit checkbox for each VLAN to modify 3 Edit the MLD snooping fields as needed 4 Click Apply The MLD snooping settings are modified and the device is updated ...

Page 723: ...sired parameters 4 Select the Copy To checkbox for the VLANs that these parameters will be copied to 5 Click Apply The MLD snooping settings are modified and the device is updated MLD Snooping Global Querier Configuration Use the MLD Snooping Global Querier Configuration page to configure the parameters for the MLD snooping querier To display the Global Querier Configuration page click Switching M...

Page 724: ...ier Configuration MLD Snooping VLAN Querier Use the MLD Snooping VLAN Querier page to specify the MLD snooping querier settings for individual VLANs To display the MLD Snooping VLAN Querier page click Switching Multicast Support MLD Snooping VLAN Querier in the navigation menu ...

Page 725: ... VLAN and Configuring its MLD Snooping VLAN Querier Settings To configure an MLD snooping VLAN querier 1 From the VLAN Querier page click Add The page refreshes and the Add VLAN page displays Figure 26 18 Add MLD Snooping VLAN Querier 2 Enter the VLAN ID and if desired an optional VLAN name ...

Page 726: ... the new VLAN from the VLAN ID menu 4 Specify the VLAN querier settings 5 Click Apply The VLAN Querier settings are modified and the device is updated To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch click Show All Figure 26 19 Add VLAN Querier ...

Page 727: ... Use the VLAN Querier Status page to view the MLD snooping querier settings for individual VLANs To display the VLAN Querier Status page click Switching Multicast Support MLD Snooping VLAN Querier Status in the navigation menu Figure 26 20 MLD Snooping VLAN Querier Status ...

Page 728: ... MFDB MLD Snooping Table page to view the MFDB MLD snooping table settings for individual VLANs To display the MFDB MLD Snooping Table page click Switching Multicast Support MLD Snooping MFDB MLD Snooping Table in the navigation menu Figure 26 21 MFDB MLD Snooping Table ...

Page 729: ...ion Use the MVR Global Configuration page to enable the MVR feature and configure global parameters To display the MVR Global Configuration page click Switching MVR Configuration Global Configuration in the navigation panel Figure 26 22 MVR Global Configuration ...

Page 730: ...roup members To display the MVR Members page click Switching MVR Configuration MVR Members in the navigation panel Figure 26 23 MVR Members Adding an MVR Membership Group To add an MVR membership group 1 From the MVR Membership page click Add The MVR Add Group page displays Figure 26 24 MVR Member Group ...

Page 731: ...Configuration Use the MVR Interface Configuration page to enable MVR on a port configure its MVR settings and add the port to an MVR group To display the MVR Interface Configuration page click Switching MVR Configuration MVR Interface Configuration in the navigation panel Figure 26 25 MVR Interface Configuration ...

Page 732: ...ick Show All Figure 26 26 MVR Interface Summary Adding an Interface to an MVR Group To add an interface to an MVR group 1 From the MVR Interface page click Add Figure 26 27 MVR Add to Group 2 Select the interface to add to the MVR group 3 Specify the MVR group IP multicast address 4 Click Apply ...

Page 733: ...ace from an MVR Group To remove an interface from an MVR group 1 From the MVR Interface page click Remove Figure 26 28 MVR Remove from Group 2 Select the interface to remove from an MVR group 3 Specify the IP multicast address of the MVR group 4 Click Apply ...

Page 734: ...st Features MVR Statistics Use the MVR Statistics page to view MVR statistics on the switch To display the MVR Statistics page click Switching MVR Configuration MVR Statistics in the navigation panel Figure 26 29 MVR Statistics ...

Page 735: ...rs used by GVRP and GMRP on the switch To display the Timers page click Switching GARP Timers in the navigation panel Figure 26 30 GARP Timers Configuring GARP Timer Settings for Multiple Ports To configure GARP timers on multiple ports 1 Open the Timers page 2 Click Show All to display the GARP Timers Table ...

Page 736: ...Multicast Features Figure 26 31 Configure STP Port Settings 3 For each port or LAG to configure select the check box in the Edit column in the row associated with the port 4 Specify the desired timer values 5 Click Apply ...

Page 737: ...e Copy To column that will have the same settings as the port selected in the Copy Parameters From field 3 Click Apply to copy the settings GMRP Parameters Use the GMRP Parameters page to configure the administrative mode of GMRP on the switch and on each port or LAG To display the GMRP Parameters page click Switching GARP GMRP Parameters in the navigation panel Figure 26 32 GMRP Parameters Config...

Page 738: ...All to display the GMRP Port Configuration Table Figure 26 33 GMRP Port Configuration Table 3 For each port or LAG to configure select the check box in the Edit column in the row associated with the port 4 Specify the desired timer values 5 Click Apply ...

Page 739: ...r LAGs list select the check box es in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field 3 Click Apply to copy the settings MFDB GMRP Table Use the MFDB GMRP Table page to view all of the entries in the Multicast Forwarding Database that were created for the GMRP To display the MFDB GMRP Table page click Switching GARP MFDB GMRP Table in the...

Page 740: ...ess table static mac multicast address vlan vlan id interface interface id Register a MAC layer Multicast address in the bridge table mac multicast address MAC multicast address in the format xxxx xxxx xxxx or xx xx xx xx xx xx interface id A physical interface or port channel mac address table multicast forbidden address vlan vlan id mac multicast address ip multicast address add remove interface...

Page 741: ...P report for a multicast group is not received in the number of seconds specified by the seconds value this port is deleted from the VLAN member list of that multicast group This command also enables IGMP snooping on the VLAN ip igmp snooping vlan vlan id last member query interval seconds Specify the leave time out value for the VLAN If an IGMP report for a multicast group is not received within ...

Page 742: ...ping querier on the switch or on the VLAN specified with the vlan id parameter Use the optional ip address parameter to specify the IP address that the snooping querier switch should use as the source address when generating periodic queries ip igmp snooping querier query interval interval count Set the IGMP snooping querier query interval time which is the amount of time in seconds that the switc...

Page 743: ... to Privileged EXEC mode show ip igmp snooping querier detail vlan vlan id View IGMP snooping querier settings configured on the switch on all VLANs or on the specified VLAN Command Purpose configure Enter global configuration mode ipv6 mld snooping vlan vlan id Enable MLD snooping on the specified VLAN ipv6 mld snooping vlan vlan id groupmembership interval seconds Specify the host time out value...

Page 744: ...ping vlan vlan id mcrtexpiretime seconds Specify the multicast router time out value for to associate with a VLAN This command sets the number of seconds to wait to age out an automatically learned multicast router port CTRL Z Exit to Privileged EXEC mode show ipv6 mld snooping vlan vlan id View the MLD snooping settings on the VLAN Command Purpose configure Enter global configuration mode ipv6 ml...

Page 745: ...pv6 address Specify the IP address that the snooping querier switch should use as the source address when generating periodic queries ipv6 mld snooping querier query interval interval count Set the MLD snooping querier query interval time which is the amount of time in seconds that the switch waits before sending another periodic query The range is 1 1800 seconds ipv6 mld snooping querier timer ex...

Page 746: ...faces 8 9 10 11 and 12 mvr Enable MVR on the port mvr immediate Enable MVR immediate leave mode on the port mvr type source receiver Specify the MVR port type mvr vlan vlan id group mcast address Allow the port to participate in the specified MVR group The vlan id parameter is the ID of the MVR multicast VLAN CTRL Z Exit to Privileged EXEC mode show ip dhcp snooping interfaces View the DHCP snoopi...

Page 747: ...ve and 200 6000 for leaveall gmrp enable Enable GMRP globally on the switch interface interface Enter interface configuration mode for the specified port or LAG The interface variable includes the interface type and number for example tengigabitethernet 1 0 3 For a LAG the interface type is port channel You can also specify a range of ports with the interface range command for example interface ra...

Page 748: ... the topology that the scenarios in this case study use Figure 26 35 Case Study Topology The topology in Figure 26 35 includes the following elements Snooping Switches D1 D2 D3 with IGMP snooping enabled on VLANs 10 20 Multicast Router D4 with PIM SM enabled and IGMP snooping disabled on VLANs 10 20 Multicast Listeners Client A G ...

Page 749: ...a report for 239 20 30 42 2 The report is forwarded to multicast router D4 via D1 1 0 15 and D3 1 0 20 3 A forwarding entry is created by D1 for VLAN 20 239 20 30 42 1 0 8 1 0 15 4 Client G receives the multicast stream from Server B 5 D3 receives the multicast stream and it is forwarded to D4 because D4 is a multicast router 6 Client D sends a report for 239 20 30 42 7 The report is forwarded to ...

Page 750: ... 20 to reach their respective attached clients PIM SM is enabled and IGMP snooping is disabled on router D4 and IGMP snooping is enabled on D1 D2 and D3 Multicast Source and Listener directly connected to Multicast Router on the same routing VLAN Server A Client B 1 Because multicast routing is enabled on D4 VLAN 10 an IP multicast table entry is created to include D4 1 0 15 D4 1 0 20 as part of t...

Page 751: ...urce connected to Multicast Router via intermediate snooping switches and Listener directly connected to multicast router in a different routing interface Server B Client B Server A and Clients B C and E are on the same subnet VLAN10 192 168 10 70 24 Server B is in a different subnet VLAN20 192 168 20 70 24 1 Client B sends a report for 239 20 30 42 2 Multicast Router D4 learns group 239 20 30 42 ...

Page 752: ...el 1 3 The report from Client E is forwarded to D3 via D2 PortChannel 1 4 A multicast forwarding entry is created on D3 VLAN10 239 20 30 42 PortChannel 1 1 0 20 5 The report from Client E is forwarded to D4 via D3 1 0 20 6 Multicast Router D4 learns group 239 20 30 42 7 The multicast stream from Server B reaches D4 via trunk links because it is a multicast router 8 An IP multicast routing entry is...

Page 753: ...eb Configuring Traffic Snooping and Inspection CLI Traffic Snooping and Inspection Configuration Examples Traffic Snooping and Inspection Overview DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to filter harmful DHCP messages and to build a bindings database The IPSG and DAI features use the DHCP Snooping bindings database to help enforce swit...

Page 754: ... specified on individual physical ports or LAGS that are members of a VLAN When a port or LAG is configured as untrusted it could potentially be used to launch a network attack DHCP servers must be reached through trusted ports DHCP snooping enforces the following security rules DHCP packets from a DHCP server DHCPOFFER DHCPACK DHCPNAK DHCPRELEASEQUERY are dropped if they are received on an untrus...

Page 755: ...tatic bindings into the binding database When a switch learns of new bindings or loses bindings the switch immediately updates the entries in the database The switch also updates the entries in the binding file The frequency at which the file is updated is based on a configurable delay and the updates are batched If the absolute lease time of the snooping database entry expires that entry is remov...

Page 756: ... and VLAN with the client interface and VLAN in the bindings database If the interfaces do not match the application logs the event and drops the message For valid client messages DHCP snooping compares the source MAC address to the DHCP client hardware address When there is a mismatch DHCP snooping drops the packet and generates a log message if logging of invalid packets is enabled If DHCP relay...

Page 757: ...ty controls source MAC address learning in the layer 2 forwarding database MAC address table When a frame is received with a previously unlearned source MAC address port security queries the IPSG feature to determine whether the MAC address belongs to a valid binding If IPSG is disabled on the ingress port IPSG replies that the MAC is valid If IPSG is enabled on the ingress port IPSG checks the bi...

Page 758: ...on the interfaces physical ports or LAGs that are members of that VLAN Individual interfaces are configured as trusted or untrusted The trust configuration for DAI is independent of the trust configuration for DHCP snooping Optional DAI Features If the network administrator has configured the option DAI verifies that the sender MAC address equals the source MAC address in the Ethernet header There...

Page 759: ...tion from the rogue DHCP server However if the workstation with the rogue DHCP server is connected to a port that is configured as untrusted and is a member of a DHCP Snooping enabled VLAN the port discards the DHCP server messages Default Traffic Snooping and Inspection Values DHCP snooping is disabled globally and on all VLANs by default Ports are untrusted by default Table 27 1 Traffic Snooping...

Page 760: ...P Disabled DAI trust state Disabled untrusted DAI Rate limit 15 packets per second DAI Burst interval 1 second DAI mode Disabled on all VLANs DAI logging invalid packets Disabled DAI ARP ACL None configured DAI Static flag Disabled validation by ARP ACL and DHCP snooping binding database Table 27 1 Traffic Snooping Defaults Continued Parameter Default Value ...

Page 761: ...8000 8100 series switch For details about the fields on a page click at the top of the page DHCP Snooping Configuration Use the DHCP Snooping Configuration page to control the DHCP Snooping mode on the switch and to specify whether the sender MAC Address for DHCP Snooping must be validated To access the DHCP Snooping Configuration page click Switching DHCP Snooping Global Configuration in the navi...

Page 762: ...nooping Interface Configuration page to configure the DHCP Snooping settings on individual ports and LAGs To access the DHCP Snooping Interface Configuration page click Switching DHCP Snooping Interface Configuration in the navigation panel Figure 27 3 DHCP Snooping Interface Configuration ...

Page 763: ...Snooping and Inspecting Traffic 763 To view a summary of the DHCP snooping configuration for all interfaces click Show All Figure 27 4 DHCP Snooping Interface Configuration Summary ...

Page 764: ...ion Use the DHCP Snooping VLAN Configuration page to control the DHCP snooping mode on each VLAN To access the DHCP Snooping VLAN Configuration page click Switching DHCP Snooping VLAN Configuration in the navigation panel Figure 27 5 DHCP Snooping VLAN Configuration ...

Page 765: ...Snooping and Inspecting Traffic 765 To view a summary of the DHCP snooping status for all VLANs click Show All Figure 27 6 DHCP Snooping VLAN Configuration Summary ...

Page 766: ...bindings database can be stored locally on the switch or on a remote system somewhere else in the network The switch must be able to reach the IP address of the remote system to send bindings to a remote database To access the DHCP Snooping Persistent Configuration page click Switching DHCP Snooping Persistent Configuration in the navigation panel Figure 27 7 DHCP Snooping Persistent Configuration...

Page 767: ...ooping Static Bindings Configuration page to add static DHCP bindings to the binding database To access the DHCP Snooping Static Bindings Configuration page click Switching DHCP Snooping Static Bindings Configuration in the navigation panel Figure 27 8 DHCP Snooping Static Bindings Configuration ...

Page 768: ...Traffic To view a summary of the DHCP snooping status for all VLANs click Show All Figure 27 9 DHCP Snooping Static Bindings Summary To remove a static binding select the Remove checkbox associated with the binding and click Apply ...

Page 769: ... Dynamic Bindings Summary lists all the DHCP snooping dynamic binding entries learned on the switch ports To access the DHCP Snooping Dynamic Bindings Summary page click Switching DHCP Snooping Dynamic Bindings Summary in the navigation panel Figure 27 10 DHCP Snooping Dynamic Bindings Summary ...

Page 770: ...nooping Statistics The DHCP Snooping Statistics page displays DHCP snooping interface statistics To access the DHCP Snooping Statistics page click Switching DHCP Snooping Statistics in the navigation panel Figure 27 11 DHCP Snooping Statistics ...

Page 771: ...uration Use the IPSG Interface Configuration page to configure IPSG on an interface To access the IPSG Interface Configuration page click Switching IP Source Guard IPSG Interface Configuration in the navigation panel Figure 27 12 IPSG Interface Configuration ...

Page 772: ...ation Use the IPSG Binding Configuration page displays DHCP snooping interface statistics To access the IPSG Binding Configuration page click Switching IP Source Guard IPSG Binding Configuration in the navigation panel Figure 27 13 IPSG Binding Configuration ...

Page 773: ...page displays the IPSG Static binding list and IPSG dynamic binding list the static bindings configured in Binding configuration page To access the IPSG Binding Summary page click Switching IP Source Guard IPSG Binding Summary in the navigation panel Figure 27 14 IPSG Binding Summary ...

Page 774: ...iguration Use the DAI Configuration page to configure global DAI settings To display the DAI Configuration page click Switching Dynamic ARP Inspection Global Configuration in the navigation panel Figure 27 15 Dynamic ARP Inspection Global Configuration ...

Page 775: ...terface for which information is to be displayed or configured To display the DAI Interface Configuration page click Switching Dynamic ARP Inspection Interface Configuration in the navigation panel Figure 27 16 Dynamic ARP Inspection Interface Configuration To view a summary of the DAI status for all interfaces click Show All ...

Page 776: ...776 Snooping and Inspecting Traffic Figure 27 17 DAI Interface Configuration Summary ...

Page 777: ...he VLANs for which information is to be displayed or configured To display the DAI VLAN Configuration page click Switching Dynamic ARP Inspection VLAN Configuration in the navigation panel Figure 27 18 Dynamic ARP Inspection VLAN Configuration To view a summary of the DAI status for all VLANs click Show All ...

Page 778: ...onfiguration Summary DAI ACL Configuration Use the DAI ACL Configuration page to add or remove ARP ACLs To display the DAI ACL Configuration page click Switching Dynamic ARP Inspection ACL Configuration in the navigation panel Figure 27 20 Dynamic ARP Inspection ACL Configuration ...

Page 779: ...n ACL Summary To remove an ARP ACL select the Remove checkbox associated with the ACL and click Apply DAI ACL Rule Configuration Use the DAI ARP ACL Rule Configuration page to add or remove DAI ARP ACL Rules To display the DAI ARP ACL Rule Configuration page click Switching Dynamic ARP Inspection ACL Rule Configuration in the navigation panel ...

Page 780: ... ARP Inspection Rule Configuration To view a summary of the ARP ACL rules that have been created click Show All Figure 27 23 Dynamic ARP Inspection ACL Rule Summary To remove an ARP ACL rule select the Remove checkbox associated with the rule and click Apply ...

Page 781: ...1 DAI Statistics Use the DAI Statistics page to display the statistics per VLAN To display the DAI Statistics page click Switching Dynamic ARP Inspection Statistics in the navigation panel Figure 27 24 Dynamic ARP Inspection Statistics ...

Page 782: ...DHCP message ip dhcp snooping log invalid Enable the logging of DHCP messages filtered by the DHCP Snooping application ip dhcp snooping binding mac address vlan vlan id ip address interface interface Configure a static binding in the DHCP snooping static bindings database mac address The client s MAC address vlan id The number of the VLAN the client is authorized to use ip address The IP address ...

Page 783: ...hernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 ip dhcp snooping trust Configure the interface or range of interfaces as a trusted port DHCP server messages are not filtered on trusted ports exit Exit to Global Configuration mode interface range vlan vlan id Enter interface configuration mode for the specified VLAN or range of VLANs CTRL Z Exit to Privileged EXEC mode show ip dhcp snooping ...

Page 784: ... IP address in the packet is not in the DHCP snooping binding database Use the option port security keyword to also prevent packet forwarding if the sender MAC address is not in forwarding database table or the DHCP snooping binding database NOTE To enforce filtering based on the source MAC address port security must also be enabled on the interface by using the port security command in Interface ...

Page 785: ...d For example if a command enables source MAC address and destination validations and a second command enables IP address validation only the source MAC address and destination MAC address validations are disabled as a result of the second command src mac For validating the source MAC address of an ARP packet dst mac For validating the destination MAC address of an ARP packet ip For validating the...

Page 786: ...erface Use the keyword none to specify that the interface is not rate limited for Dynamic ARP Inspection none To set no rate limit pps Packets per second Range 0 300 seconds The number of seconds Range 1 15 ip arp inspection trust Specify that the interface as trusted for Dynamic ARP Inspection CTRL Z Exit to Privileged EXEC mode show ip arp inspection interfaces interface View the Dynamic ARP Ins...

Page 787: ...aximum number of DHCP packets with a rate limit of 100 packets per second LAG 1 which is also a member of VLAN 100 and contains ports 21 24 is the trunk port that connects the switch to the data center so it is configured as a trusted port Figure 27 25 DHCP Snooping Configuration Topology The commands in this example also enforce rate limiting and remote storage of the bindings database The switch...

Page 788: ... per second LAG 1 is a trusted port and keeps the default value for rate limiting unlimited console config interface range te1 0 1 20 console config if ip dhcp snooping limit rate 100 console config if exit 4 Specify that the DHCP snooping database is to be stored remotely in a file called dsDb txt on a TFTP server with and IP address of 10 131 11 1 console config ip dhcp snooping database tftp 10...

Page 789: ...configure the switch 1 Enter interface configuration mode for the host ports and enable IPSG console config interface range te1 0 1 20 console config if ip verify source port security 2 Enable port security on the ports console config if port security 3 View IPSG information console show ip verify source More or q uit Interface Filter IP Address MAC Address Vlan Te1 0 1 ip mac 192 168 3 45 00 1C 2...

Page 790: ...790 Snooping and Inspecting Traffic ...

Page 791: ...EEE 802 3ad specification The maximum number of LAGs that may be configured is limited to the maximum number of ports possible in the switch stack or stand alone switch divided by two This allows for a flexible configuration of LAGs where LAGs may have up to eight ports or as few as two ports You can configure LAGs until all ports in the system are assigned to a LAG Assignment of interfaces to dyn...

Page 792: ...ion Link aggregation can be configured as either dynamic or static Dynamic configuration is supported using the IEEE 802 3ad standard which is known as Link Aggregation Control Protocol LACP Static configuration is used when connecting a PowerConnect 8000 8100 series switch to an external Gigabit Ethernet switch that does not support LACP One advantage of LACP is that the protocol enables the swit...

Page 793: ...he following set of packet attributes to be used for hash computation Source MAC VLAN EtherType and incoming port Destination MAC VLAN EtherType and incoming port Source IP and Source TCP UDP port numbers Destination IP and Destination TCP UDP port numbers Source Destination MAC VLAN EtherType and incoming port Source Destination IP and Source Destination TCP UDP port numbers Enhanced hashing mode...

Page 794: ... be configured when it s a member of a LAG However this configuration is only actually applied when the port leaves the LAG The LAG interface can be a member of a VLAN complying with IEEE 802 1Q STP Spanning tree does not maintain state for members of a LAG but the Spanning Tree does maintain state for the LAG interface As far as STP is concerned members of a LAG do not exist Internally the STP st...

Page 795: ...me speed and must be in full duplex mode The port cannot be a mirrored port The following are the interface restrictions The configured speed of a LAG member cannot be changed An interface can be a member of only one LAG Default Link Aggregation Values The LAGs on the switch are created by default but no ports are members Table 28 1 summarizes the default values for the MAC address table Table 28 ...

Page 796: ...d monitoring LAGs on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page LAG Configuration Use the LAG Configuration page to set the name and administrative status up down of a LAG To display the LAG Configuration page click Switching Ports LAG Configuration in the navigation panel Figure 28 2 LAG Configuration ...

Page 797: ...Configuring Link Aggregation 797 To view or edit settings for multiple LAGs click Show All ...

Page 798: ...the LACP Parameters page to configure LACP LAGs To display the LACP Parameters page click Switching Link Aggregation LACP Parameters in the navigation panel Figure 28 3 LACP Parameters Configuring LACP Parameters for Multiple Ports To configure LACP settings 1 Open the LACP Parameters page 2 Click Show All The LACP Parameters Table page displays ...

Page 799: ...guring Link Aggregation 799 Figure 28 4 LACP Parameters Table 3 Select the Edit check box associated with each port to configure 4 Specify the LACP port priority and LACP timeout for each port 5 Click Apply ...

Page 800: ...ership in the navigation panel Figure 28 5 LAG Membership Adding a Port to a Static LAG To add a static LAG member 1 Open the LAG Membership page 2 Click in the LAG row to toggle the port to the desired LAG The LAG number displays for that port The LAG number increases each time you click until the number reaches the maximum LAG number and then returns to blank no LAG assigned 3 Click Apply The po...

Page 801: ...t is added as a dynamic LAG member to the selected LAG LAG Hash Configuration Use the LAG hash algorithm to set the traffic distribution mode on the LAG You can set the hash type for each LAG To display the LAG Hash Configuration page click Switching Link Aggregation LAG Hash Configuration in the navigation panel Figure 28 6 LAG Hash Configuration NOTE The port must be assigned to a LAG before it ...

Page 802: ...ummary The LAG Hash Summary page lists the channels on the system and their assigned hash algorithm type To display the LAG Hash Summary page click Switching Link Aggregation LAG Hash Summary in the navigation panel Figure 28 7 LAG Hash Summary ...

Page 803: ...ce interface Enter interface configuration mode for the specified LAG The interface variable includes the interface type which is port channel and the LAG number for example port channel 3 You can also specify a range of LAGs with the interface range port channel command for example interface range port channel 3 6 configures LAGs 3 4 5 and 6 description description Configure a description for the...

Page 804: ...figures interfaces 8 9 10 11 and 12 channel group port channel number mode on auto Add the port s to the LAG specified with the port channel number value Use the auto keyword to add the port s as dynamic members or use on to specify that the LAG membership is static port channel number Number of a valid port channel for the current port to join on Forces the port to join a channel without LACP sta...

Page 805: ... ID 3 Source IP and source TCP UDP port 4 Destination IP and destination TCP UDP port 5 Source destination MAC VLAN EtherType and source MODID port 6 Source destination IP and source destination TCP UDP port 7 Enhanced hashing mode CTRL Z Exit to Privileged EXEC mode show interfaces port channel port channel number View LAG information for the specified LAG or for all LAGs show statistics port cha...

Page 806: ...ecified LAG You can also specify a range of LAGs to configure with the interface range port channel command for example interface range port channel 1 3 10 configures LAGs 1 2 3 and 10 lacp port priority value Set the Link Aggregation Control Protocol priority for the port or range of ports The priority value range is 1 65535 lacp timeout long short Specify whether to wait a long or short time bet...

Page 807: ...ion mode for the ports that are to be configured as LAG members console config interface range te1 0 1 3 te1 0 6 7 2 Add the ports to LAG 2 with LACP console config if channel group 1 mode active 3 View information about LAG 1 console show interfaces port channel 1 NOTE The examples in this section show the configuration of only one switch Because LAGs involve physical links between two switches t...

Page 808: ... 1 Enter interface configuration mode for the ports that are to be configured as LAG members console config interface range te1 0 10 12 te1 0 14 te1 0 17 2 Add the ports to LAG 2 without LACP console config if channel group 2 mode on 3 View information about LAG 2 console show interfaces port channel 2 Channel Ports Hash Algorithm Ch Type min links Po2 Inactive Te1 0 10 Te1 0 11 Te1 0 12 Te1 0 14 ...

Page 809: ...thernet based networks in the data center The PC81xx switches support PFC ETS and DCBX capability exchange with the ability to autoconfigure from a peer switch The PC80xx switches support FIP Snooping DCBX capability exchanges and ETS proxy and the ability to autoconfigure from a peer switch The PC80xx also can be manually configured to support bandwidth sharing among traffic classes The Ethernet ...

Page 810: ... Priority TLVs which are accepted from auto upstream devices and propagated to auto downstream devices In support of FIP snooping the 8024 switch only transports the ETS TLVs and does not configure itself with received ETS information The PC8132 PC8164 switches support the automatic configuration of the switch with received ETS parameters Table 29 2 Default Port Based Traffic Control Values Featur...

Page 811: ...1p priority value These priority values must be mapped to internal class of service CoS values The PFC feature allows you to specify the CoS values that should be paused due to greater loss sensitivity instead of dropped when congestion occurs on a link Unless configured as no drop all CoS priorities are considered non pausable drop when priority based flow control is enabled until no drop is spec...

Page 812: ...enabled on the interface so that the 802 1p priority values are carried through the network see VLAN Tagging on page 555 Additionally make sure that 802 1p priority values are mapped to CoS values see Configuring Class of Service on page 1143 If DCBX is enabled the manually configured PFC parameters no drop priorities must match the peers PFC parameters If they do not match PFC will not be operati...

Page 813: ...riorities are subject to being paused to prevent data loss To display the PFC Configuration page click Switching PFC PFC Configuration in the navigation menu Figure 29 1 PFC Configuration PFC Statistics Page Use the PFC Statistics page to view the PFC statistics for interfaces on the switch To display the PFC Statistics page click Switching PFC PFC Statistics in the navigation menu ...

Page 814: ...ng in Privileged EXEC mode use the following commands to configure PFC NOTE If DCBx is enabled and the switch is set to autoconfigure from a DCBX peer configuring PFC is not necessary because the DCBx protocol automatically configures the PFC parameters Command Purpose configure Enter global configuration mode ...

Page 815: ...rity flow control to enable if the lldp dcbx port role auto down or lldp dcbx port role auto up command has already been applied priority flow control priority priority id drop no drop Use the no drop option to enable the priority group for lossless behavior To enable lossy behavior use the drop form of the command priority id Specify the IEEE 802 1p priority value range 0 7 NOTE Only two queues c...

Page 816: ...s the priority to traffic class mapping to be one to one based upon the default switch settings For lossless service a priority must be mapped one to one to a traffic class For more information about traffic classes see Configuring Class of Service on page 1143 For a complete example of manually configuring a PC81xx switch for iSCSI with PFC refer to iSCSI Optimization Configuration Examples on pa...

Page 817: ...ridging Features 817 console config dcb exit 4 Enable VLAN tagging on the ports so the 802 1p priority is identified Trunk mode can also be enabled on port channels console config if switchport mode trunk console config if exit ...

Page 818: ...because some features may allow asymmetric configuration Peer configuration of DCB features DCBx can be used by a device to perform configuration of DCB features in its peer device if the peer device is willing to accept configuration DCBx is expected to be deployed in Fibre Channel over Ethernet FCoE topologies in support of lossless operation for FCoE traffic In these scenarios all network eleme...

Page 819: ... a legacy DCBx device based on the OUI of the organization TLV then the switch changes its DCBx mode on that port to support the version detected There is no timeout mechanism to move back to IEEE mode If the DCBx peer times out multiple peers are detected the link is reset link down up or if commanded by the operator DCBx resets its operational mode to IEEE The interaction between the DCBx compon...

Page 820: ...lso willing to accept a configuration from the link partner and propagate it internally to the auto downstream ports as well as receive configuration propagated internally by other auto upstream ports Specifically the willing parameter is enabled on the port and the recommendation TLV is sent to the peer and processed if received locally The first auto upstream port to successfully accept a compat...

Page 821: ... by the operator set the port to the manual role Since it is not possible to configure the port role for a port channel it is recommended that the individual links have an identical port role configured on all links in the port channel auto up or auto down Since only one port in the system can be configured as the configuration source configuring interfaces as auto up is a preferable alternative t...

Page 822: ...over the configuration source port are propagated to the other auto configuration ports Ports receiving auto configuration information from the configuration source ignore their current settings and utilize the configuration source information When a configuration source is selected all auto upstream ports other than the configuration source are marked as willing disabled To reduce flapping of con...

Page 823: ... use by LLDP They do not otherwise affect any manually configured DCBX capabilities or the normal operation of LLDP Configuring DCBx You can use the CLI to configure DCBx Beginning in Privileged EXEC mode use the following commands to configure DCBx NOTE This feature is available on the PC8024 and PC81xx switches Command Purpose configure Enter global configuration mode lldp dcbx version auto cin ...

Page 824: ...ode for the specified interface The interface variable includes the interface type and number for example tengigabitethernet 1 0 3 You can also specify a range of interfaces with the interface range command for example interface range tengigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 lldp tlv select dcbxp pfc application priority Override the global configuration for the LLDP DCBx...

Page 825: ...uld be connected to a trusted FCF manual Ports operating in the Manual role do not have their configuration affected by peer devices or by internal propagation of configuration These ports will advertise their configuration to their peer if DCBx is enabled on that port The willing bit is set to disabled on manual role ports configuration source In this role the port has been manually selected to b...

Page 826: ...oE security robustness by preventing FCoE MAC spoofing The role of FIP snooping enabled ports on the switch falls under one of the following types Perimeter or Edge port connected directly to a Fibre Channel end node or ENode Fibre Channel forwarder FCF facing port that receives traffic from FCFs targeted to the ENodes The default port role in an FCoE enabled VLAN is as a perimeter port FCF facing...

Page 827: ...e hosts toward the Fibre Channel forwarders FCFs such as an FC router that has a direct FC link into storage the switch needs to know the interfaces the FCFs are on By default an interface is configured to be a host facing interface not an FCF facing interface Dell recommends that FCF facing ports be placed into auto upstream mode in order to receive DCBx information and propagate it to the Conver...

Page 828: ...de feature fip snooping Globally enable FIP snooping on the switch vlan vlan_id Enter VLAN configuration mode for a VLAN or range of VLANs fip snooping enable Enable the snooping of FIP packets on the specified VLAN or VLAN range FIP snooping must be enabled on both the native VLAN on trunk ports and all VLANs configured to carry FCoE traffic fip snooping fc map fc_map_value Optionally configure t...

Page 829: ...EC mode show fip snooping sessions Display information about the active FIP snooping sessions show fip snooping fcf fcf mac Display information about the interfaces connected to Fibre Channel forwarder FCF Use the optional fcf mac parameter to display additional information about the session with the specified FCF device show fip snooping enode enode mac Display information about the interfaces co...

Page 830: ...nfig feature fip snooping 2 Create VLAN 100 This command also enters the VLAN configuration mode for VLAN 100 console config vlan 100 console config vlan100 fip snooping enable console config vlan100 exit 3 Enter Interface Configuration mode for ports 1 2 3 16 and 17 on both switches in the stack console config interface range te1 0 1 3 te1 0 16 17 te2 0 1 3 te2 0 16 17 4 Enable VLAN tagging to al...

Page 831: ...mands to verify the configuration view FIP snooping sessions and view information about the ports that are connected to end nodes or FCFs Enhanced Transmission Selection Networks classify and prioritize traffic to provide different service characteristics to end user traffic flows Administrators may wish to guarantee or limit bandwidth for certain traffic ensure lossless behavior for other traffic...

Page 832: ...es ETS provides a second level of scheduling for packets selected for transmission by the CoS scheduler ETS operates at the traffic class group TCG level and supports sharing of bandwidth across TCGs bandwidth assignment for each TCG and queue discipline drop behavior for each TCG PC81xx switches support three TCGs internally up to two of which may be configured as lossless When a packet arrives o...

Page 833: ...e minimum bandwidth setting can be used to override the strict priority and weighted settings The highest numbered strict priority queue will receive no more bandwidth than 100 percent minus the sum of the minimum bandwidth percentages assigned to the other queues If used it is recommended that minimum bandwidth percentages only be set high enough to ensure a minimum level of service for any queue...

Page 834: ...re serviced by the second level scheduler using the configured TCG weights to define the relative bandwidth allocation among the TCGs When an egress port is congested packets are selected for discard using the configured tail drop or WRED discipline Minimum TCG bandwidth maximum TCG bandwidth and TCG weights are metered to within approximately 3 of the link bandwidth In the case that all TCGs are ...

Page 835: ...l Traffic Class to an internal Traffic Class Group TCG The Traffic Class can range from 0 6 although the actual number of available traffic classes depends on the platform traffic class group max bandwidth Specifies the maximum transmission bandwidth limit for each TCG as a percentage of the interface rate Also known as rate shaping this has the effect of smoothing temporary traffic bursts over ti...

Page 836: ...836 Configuring Data Center Bridging Features show interfaces traffic class group Displays the Traffic Class to Traffic Class Group mapping Command Purpose ...

Page 837: ...nterfaces or all interfaces To ensure lossless behavior the dot1p priority must be mapped one to one to a CoS queue for the lossless priorities Up to two lossless priorities may be configured on PC81xx switches CoS queue 7 is reserved by the system and is not assignable It is generally recommended that the administrator utilize CoS queues 0 3 as CoS queues 4 6 may be utilized by the system for oth...

Page 838: ...tting has no effect The min bandwidth setting guarantees that any particular CoS queue is serviced often enough to ensure that the offered load can achieve the minimum transfer rate The bandwidth is measured internally as bytes transferred per second The minimum bandwidth setting is enforced on the egress queue it does not rate limit incoming frames The minimum bandwidth setting is configured as a...

Page 839: ...scheduling be assigned to a single strict priority enabled TCG other than TCG0 The following example sets CoS queue traffic class number 3 to be serviced with strict priority console config if Te1 0 1 cos queue strict 3 To show the minimum bandwidth and scheduler modes for CoS queues use the following command console show interfaces cos queue tengigabitethernet 1 0 1 Interface Te1 0 1 Interface Sh...

Page 840: ...p 0 0 console config if Te1 0 1 classofservice traffic class group 1 1 console config if Te1 0 1 classofservice traffic class group 2 1 console config if Te1 0 1 classofservice traffic class group 3 2 To show the CoS queue to TCG mapping use the following command console show classofservice traffic class group tengigabitethernet 1 0 1 Traffic Class Traffic Class Group 0 0 1 1 2 1 3 2 4 0 5 0 6 0 6...

Page 841: ...ress TCG regardless of the scheduling mode and does not directly affect incoming traffic The minimum bandwidth for a TCG is configured as a percentage of the total bandwidth and the configured minimum bandwidths may sum to less than 100 The sum may not exceed 100 Minimum bandwidth may be configured on a single interface a range of interfaces or all interfaces It is recommended that the minimum ban...

Page 842: ... selects that TCG for transmission before the WDRR TCGs Use the no command to disable strict priority scheduling It is recommended that all CoS queues enabled for strict priority scheduling be assigned to a single TCG other than TCG0 This scheme allows a larger number of priorities to be configured as strict priorities console config if Te1 0 1 traffic class group strict 2 To show the weight minim...

Page 843: ...ame TCG The minimum bandwidth setting on the CoS queue does not have any effect TCG1 would receive 10 each of pri1 and pri3 and 80 of pri2 Even though strict mode is enabled for pri2 the minimum bandwidth of pri1 and pri3 is first honored before applying strict mode on pri2 TCG2 receives 25 each of pri4 and pri5 traffic and the other 50 can be of pri6 or pri7 This is based on the minimum bandwidth...

Page 844: ...d be guaranteed a sufficiently high priority to meet the requirement of low latency Figure 29 3 Converged Link on the DCB Environment In this example to ensure that the server cluster traffic has low latency it may be assigned to a TCG say TCG0 and a strict mode of scheduling is enabled on this group weight set to 0 SAN traffic can be assigned to TCG1 and LAN to TCG2 The TCG1 and TCG2 can be set t...

Page 845: ...egress interfaces It is recommended that either a CoS queue level min bandwidth setting be utilized to ensure a minimum amount of bandwidth is processed on the non strict priority queues if there is a possibility that the strict priority traffic is not limited in bandwidth by some other means It is recommended that the sum of the minimum bandwidth percentages allocated to the group of CoS queues m...

Page 846: ...ironment the following minimum steps must be performed 1 Configure the CoS queue to Traffic Class Group mapping for the egress ports 2 Enable the appropriate scheduling algorithm for each TCG 3 Configure the weight percentage for each TCG Variation on the Example Configuration This example configures three classes of traffic and utilizes the secondary ETS scheduler only Best effort traffic CoS Que...

Page 847: ...odified and applied to the system via the DCBX Mapping function as follows references are to the 802 1Qaz parameters Like traffic classes are combined up to the limits of the system e g no more than 2 lossless CoS queues may be configured The Priority Assignment Table user priority to CoS queue mapping is utilized by the system to map user priorities to the traffic classes CoS queues The TSA Assig...

Page 848: ... and 8024F switches can act as a proxy for ETS information via the auto configuration mechanism ETS information received from the configuration source is transmitted via DCBX to the other auto configuration peers While 8024 and 8024F switches are not equipped with a hierarchical scheduler they do support the following ETS capabilities Both lossy and lossless service using PFC may be configured via...

Page 849: ...ss Table Populated The MAC address table can contain two types of addresses Static The address has been manually configured and does not age out Dynamic The address has been automatically learned by the switch and can age out when it is not in use Static addresses are configured by the administrator and added to the table Dynamic addresses are learned by examining information in the Ethernet frame...

Page 850: ...ress can be associated with multiple VLANs How Is the MAC Address Table Maintained Across a Stack The MAC address table is synchronized across all stack members When a member joins the stack its previous MAC address table is overwritten by the table maintained by the stack Default MAC Address Table Values Table 30 1 summarizes the default values for the MAC address table Table 30 1 MAC Address Tab...

Page 851: ... the top of the page Static Address Table Use the Static Address Table page to view MAC addresses that have been manually added to the MAC address table and to configure static MAC addresses To display the Static Address Table page click Switching Address Tables Static Address Table in the navigation panel Figure 30 1 Static MAC Address Adding a Static MAC Address To add a static MAC address 1 Ope...

Page 852: ...0 2 Adding Static MAC Address 3 Select the interface to associate with the static address 4 Specify the MAC address and an associated VLAN ID 5 Click Apply The new static address is added to the Static MAC Address Table and the device is updated ...

Page 853: ... VLAN and table sorting key Packets forwarded to an address stored in the address table are forwarded directly to those ports The Dynamic Address Table also contains information about the aging time before a dynamic MAC address is removed from the table To display the Dynamic Address Table click Switching Address Tables Dynamic Address Table in the navigation panel Figure 30 3 Dynamic Address Tabl...

Page 854: ...LAG including the interface type and number mac address table aging time 0 10 1000000 Specify the number of seconds that must pass before an unused dynamically learned MAC address is removed from the MAC address table A value of 0 disables the aging time for the MAC address table exit Exit to Privileged EXEC mode show mac address table static dynamic View information about the entries in the MAC a...

Page 855: ...ter For a configuration example that includes tunnel and loopback interface creation see Interconnecting an IPv4 Backbone and Local IPv6 Network on page 1017 Routing Interface Overview Routing interfaces are logical interfaces that can be configured with an IP address Routing interfaces provide a means of transmitting IP packets between subnets on the network What Are VLAN Routing Interfaces VLANs...

Page 856: ...ysical networks or when additional segmentation or security is required What Are Loopback Interfaces A loopback interface is a logical interface that is always up and because it cannot go down allows the switch to have a stable IP address that other network devices and protocols can use to reach the switch The loopback can provide the source address for sent packets The loopback interface does not...

Page 857: ... IPv4 tunnels to provide functionality to facilitate the transition of IPv4 networks to IPv6 networks The switch supports two types of tunnels configured 6 in 4 and automatic 6 to 4 Configured tunnels have an explicit configured endpoint and are considered to be point to point interfaces Automatic tunnels determine the endpoint of the tunnel from the destination address of packets routed into the ...

Page 858: ...equired when the switch is used as a layer 3 device VLAN routing must be configured to allow the switch to forward IP traffic between subnets and allow hosts in different networks to communicate In Figure 31 1 the PowerConnect switch is configured as an L3 device and performs the routing functions for hosts connected to the L2 switches For Host A to communicate with Host B no routing is necessary ...

Page 859: ...ere you need to send traffic to a switch such as in switch management The loopback interface IP address is a good choice for communicating with the switch in these cases because the loopback interface cannot go down when the switch is powered on and operational Tunnel Interface Tunnels can be used in networks that support both IPv6 and IPv4 The tunnel allows non contiguous IPv6 networks to be conn...

Page 860: ... values However when you create a loopback interface the default values are similar to those of VLAN routing interfaces as Table 31 1 shows When you create a tunnel it has the default values shown in Table 31 2 Table 31 1 VLAN Routing Interface and Loopback Interface Defaults Parameter Default Value Forward Net Directed Broadcasts Disabled Encapsulation Type Ethernet N A for loopbacks Proxy Arp En...

Page 861: ...8100 series switch For details about the fields on a page click at the top of the page IP Interface Configuration Use the IP Interface Configuration page to update IP interface data for this switch The IP interface configuration includes the ability to configure the bandwidth Destination Unreachable messages and ICMP Redirect messages To display the page click Routing IP IP Interface Configuration...

Page 862: ...o an interface by the DHCP server To display the page click Routing IP DHCP Lease Parameters in the navigation panel Figure 31 3 DHCP Lease Parameters VLAN Routing Summary Use the VLAN Routing Summary page to view summary information about VLAN routing interfaces configured on the switch To display the page click Routing VLAN Routing Summary in the navigation panel ...

Page 863: ...gure 31 4 VLAN Routing Summary Tunnel Configuration Use the Tunnels Configuration page to create configure or delete a tunnel To display the page click Routing Tunnels Configuration in the navigation panel Figure 31 5 Tunnel Configuration ...

Page 864: ...ring Routing Interfaces Tunnels Summary Use the Tunnels Summary page to display a summary of configured tunnels To display the page click Routing Tunnels Summary in the navigation panel Figure 31 6 Tunnels Summary ...

Page 865: ...oopbacks Configuration page to create configure or remove loopback interfaces You can also set up or delete a secondary address for a loopback To display the page click Routing Loopbacks Loopbacks Configuration in the navigation panel Figure 31 7 Loopback Configuration ...

Page 866: ...s Loopbacks Summary Use the Loopbacks Summary page to display a summary of configured loopback interfaces on the switch To display the page click Routing Loopbacks Loopbacks Summary in the navigation panel Figure 31 8 Loopbacks Summary ...

Page 867: ...p_address subnet_mask secondary Configure the IP address Use the dhcp keyword to enable the DHCP client and obtain an IP address from a network DHCP server Use none to release the address obtained from the DHCP server Use ip_address and subnet_mask to assign a static IP address If you configure a static address you can use the secondary keyword to specify that the address is a secondary IP address...

Page 868: ...is 1 10000000 ip unreachables Allow the switch to send ICMP Destination Unreachable messages in response to packets received on the interface ip redirects Allow the switch to send ICMP Redirect messages in response to packets received on the interface exit Exit to Global Config mode ip default gateway ip_address Configure the default gateway All switch interfaces use the same default gateway exit ...

Page 869: ...loopback id Create the loopback interface and enter Interface Configuration mode for the specified loopback interface ip address ip_address subnet_mask secondary Configure a static IP address and subnet mask Use the secondary keyword to specify that the address is a secondary IP address CTRL Z Exit to Privileged EXEC mode show ip interface loopback loopback id View interface configuration informat...

Page 870: ...tunnel tunnel mode ipv6ip 6to4 Specify the mode of the tunnel If you use the 6to4 keyword the tunnel is an automatic tunnel If you omit the keyword the tunnel is a point to point configured tunnel ipv6 enable Enable IPv6 on this interface using the Link Local address tunnel source ipv4addr vlan vlan id Specify the source transport address of the tunnel either which can be an IPv4 address or a VLAN...

Page 871: ...P is generally used between clients and servers for the purpose of assigning IP addresses gateways and other network settings such as DNS and SNTP server information How Does DHCP Work When a host connects to the network the host s DHCP client broadcasts a message requesting information from any DHCP server that receives the broadcast One or more DHCP servers respond to the request The response in...

Page 872: ...vers and so on When a client broadcasts a request for information the request includes the option codes that correspond to the information the client wants the DHCP server to supply The Web pages and CLI commands to configure DHCP server settings include many predefined options for the information that is most commonly requested by DHCP clients For example DHCP client discover requests typically i...

Page 873: ...guration on individual ports link aggregation groups LAGs and VLANs For information about Layer 2 and Layer 3 DHCP Relay see Configuring L2 and L3 Relay Features on page 919 DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server It filters harmful DHCP messages and builds a bindings database of MAC address IP address VLAN ID port tuples that are speci...

Page 874: ... 8000 8100 series switch For details about the fields on a page click at the top of the page DHCP Server Network Properties Use the Network Properties page to define global DHCP server settings and to configure addresses that are not included in any address pools To display the Network Properties page click Routing IP DHCP Server Network Properties in the navigation panel Figure 32 2 DHCP Server N...

Page 875: ...ld is the only address to exclude or if the excluded addresses are non contiguous leave the To field as the default value of 0 0 0 0 Otherwise enter the last IP address to excluded from a contiguous range of IP addresses In Figure 32 3 the From field contains the IP address 192 168 2 1 and the To field contains the IP address 192 168 2 5 This means that the following IP addresses are not available...

Page 876: ...e Excluded Addresses page 3 Select the check box next to the address or address range to delete Figure 32 4 Delete Excluded Addresses 4 Click Apply Address Pool Use the Address Pool page to create the pools of IP addresses and other network information that can be assigned by the server To display the Address Pool page click Routing IP DHCP Server Address Pool in the navigation panel ...

Page 877: ...twork Pool to display the Add Network Pool page 3 Assign a name to the pool and complete the desired fields In Figure 32 6 the network pool name is Engineering and the address pool contains all IP addresses in the 192 168 5 0 subnet which means a client that receives an address from the DHCP server might lease an address in the range of 192 168 5 1 to 192 168 5 254 ...

Page 878: ...the primary and secondary DNS servers 4 Click Apply Adding a Static Pool To create and configure a static pool of IP addresses 1 Open the Address Pool page 2 Click Add Static Pool to display the Add Static Pool page 3 Assign a name to the pool and complete the desired fields NOTE The IP address 192 168 5 1 should be added to the global list of excluded addresses so that it is not leased to a clien...

Page 879: ...d the name of the client in the pool is LabHost1 The client s MAC address is mapped to the IP address 192 168 11 54 the default gateway is 192 168 11 1 and the DNS servers the client will use have IP addresses of 192 168 5 100 and 192 168 2 5 Figure 32 7 Add Static Pool 4 Click Apply ...

Page 880: ...Server Address Pool Options in the navigation panel Figure 32 8 Address Pool Options Defining DHCP Options To configure DHCP options 1 Open the Address Pool page 2 Select the Add Options check box 3 Select the check box that corresponds to the value type ASCII Hexadecimal or IP address 4 Specify the value s in the corresponding field Figure 32 9 shows an example of adding the SMTP server IP addres...

Page 881: ...Configuring DHCP Server Settings 881 Figure 32 9 Add DHCP Option 5 Click Apply 6 To verify that the option has been added to the address pool open the Address Pool Options page ...

Page 882: ...l Options DHCP Bindings Use the DHCP Bindings page to view information about the clients that have leased IP addresses from the DHCP server To display the DHCP Bindings page click Routing IP DHCP Server DHCP Bindings in the navigation panel Figure 32 11 DHCP Bindings ...

Page 883: ... clear the client bindings for one or more clients You can also reset bindings for clients that have leased an IP address that is already in use on the network To display the Reset Configuration page click Routing IP DHCP Server Reset Configuration in the navigation panel Figure 32 12 Reset DHCP Bindings ...

Page 884: ...cts Information page to view information about clients that have leased an IP address that is already in use on the network To display the Conflicts Information page click Routing IP DHCP Server Conflicts Information in the navigation panel Figure 32 13 DHCP Server Conflicts Information ...

Page 885: ...ver Statistics page to view general DHCP server statistics messages received from DHCP clients and messages sent to DHCP clients To display the Server Statistics page click Routing IP DHCP Server Server Statistics in the navigation panel Figure 32 14 DHCP Server Statistics ...

Page 886: ...al Configuration mode service dhcp Enable the DHCP server ip dhcp ping packets Specify the number in a range from 2 10 of packets a DHCP server sends to a pool address as part of a ping operation ip dhcp conflict logging Enable conflict logging on DHCP server ip dhcp bootp automatic Enable the allocation of the addresses to the BootP client ip dhcp excluded address lowaddress highaddress Specify t...

Page 887: ... infinite Specify the duration of the lease for an IP address that is assigned from a DHCP server to a DHCP client duration Days the lease is valid You can optionally specify the hours and minutes after specifying the days infinite 60 day lease default router address1 address2 address8 Specify the list of default gateway IP addresses to be assigned to the DHCP client dns server address1 address2 a...

Page 888: ... hexadecimal format type Indicates the protocol of the hardware platform It is 1 for Ethernet and 6 for IEEE 802 client identifier uniqueidentifier Specify the unique identifier for a DHCP client The unique identifier is a valid notation in hexadecimal format In some systems such as Microsoft DHCP clients the client identifier is required instead of hardware addresses The unique identifier is a co...

Page 889: ...o Privileged EXEC mode show ip dhcp pool configuration name all View the settings for the specified address pool or for all configured address pools Command Purpose show ip dhcp binding address View the current binding information in the DHCP server database Specify the IP address to view a specific binding clear ip dhcp binding address Delete an automatic address binding from the DHCP server data...

Page 890: ...nfigure the switch 1 Create an address pool named Engineering and enter into DHCP pool configuration mode for the pool console configure console config ip dhcp pool Engineering 2 Specify the IP addresses that are available in the pool console config dhcp pool network 192 168 5 0 255 255 255 0 3 Specify the IP address to use as the default gateway console config dhcp pool default router 192 168 5 1...

Page 891: ... View DHCP server settings console show ip dhcp global configuration Service DHCP Enable Number of Ping Packets 2 Excluded Address 192 168 2 1 to 192 168 2 20 1 2 2 2 to 1 5 5 5 192 168 5 1 to 192 168 5 20 192 168 5 100 to 192 168 5 100 Conflict Logging Enable Bootp Automatic Disable 9 View information about all configured address pools console show ip dhcp pool configuration all Pool Engineering ...

Page 892: ... the IP addresses that are available in the pool console config dhcp pool hardware address 00 1C 23 55 E9 F3 3 Specify the IP address and subnet mask to assign to the client console config dhcp pool host 192 168 2 10 255 255 255 0 4 Specify the IP address to use as the default gateway console config dhcp pool default router 192 168 2 1 5 Specify the primary and secondary DNS servers the hosts will...

Page 893: ...configuration Tyler PC Pool Tyler PC Pool Type Static Client Name TylerPC Hardware Address 00 1c 23 55 e9 f3 Hardware Address Type ethernet Host 192 168 2 10 255 255 255 0 Lease Time 1 days 0 hrs 0 mins DNS Servers 192 168 2 101 Default Routers 192 168 2 1 Domain Name executive dell com Option 69 ip 192 168 1 33 ...

Page 894: ...894 Configuring DHCP Server Settings ...

Page 895: ...upport static and dynamic routing Table 33 1 describes some of the general routing features that you can configure on the switch Table 33 1 IP Routing Features Feature Description ICMP message control You can configure the type of ICMP messages that the switch responds to as well as the rate limit and burst size Default gateway The switch supports a single default gateway A manually configured def...

Page 896: ...d a packet if the routing table does not contain a longer matching prefix for the packet s destination Static A static route is a route that you manually add to the routing table Static Reject Packets that match a reject route are discarded instead of forwarded The router may send an ICMP Destination Unreachable message Route preferences The common routing table collects static local and dynamic r...

Page 897: ...ects Enabled ICMP Rate Limit Interval 1000 milliseconds ICMP Rate Limit Burst Size 100 Maximum Next Hops 4 Global Default Gateway None Dynamic ARP Entry Age Time 1200 seconds Automatic Renewal of Dynamic ARP Entries Disabled ARP Response Timeout 1 second ARP Retries 4 Maximum Static ARP Entries 128 IRDP Advertise Mode Disabled IRDP Advertise Address 224 0 0 1 IRDP Maximum Advertise Interval 600 se...

Page 898: ...uring IP Routing Route Preference Values Preference values are as follows Local 0 Static 1 OSPF Intra 110 OSPF Inter 110 OSPF External 110 RIP 120 Table 33 2 IP Routing Defaults Continued Parameter Default Value ...

Page 899: ...0 8100 series switch For details about the fields on a page click at the top of the page IP Configuration Use the Configuration page to configure routing parameters for the switch as opposed to an interface The IP configuration settings allow you to enable or disable the generation of various types of ICMP messages To display the page click Routing IP Configuration in the navigation panel Figure 3...

Page 900: ...iguring IP Routing IP Statistics The IP statistics reported on the Statistics page are as specified in RFC 1213 To display the page click Routing IP Statistics in the navigation panel Figure 33 2 IP Statistics ...

Page 901: ...ring IP Routing 901 ARP Create Use the Create page to add a static ARP entry to the Address Resolution Protocol table To display the page click Routing ARP Create in the navigation panel Figure 33 3 ARP Create ...

Page 902: ...ation page to change the configuration parameters for the Address Resolution Protocol Table You can also use this screen to display the contents of the table To display the page click Routing ARP Table Configuration in the navigation panel Figure 33 4 ARP Table Configuration ...

Page 903: ...er Discovery Configuration Use the Configuration page to enter or change router discovery parameters To display the page click Routing Router Discovery Configuration in the navigation panel Figure 33 5 Router Discovery Configuration ...

Page 904: ...Routing Router Discovery Status Use the Status page to display router discovery data for each interface To display the page click Routing Router Discovery Status in the navigation panel Figure 33 6 Router Discovery Status ...

Page 905: ...iguring IP Routing 905 Route Table Use the Route Table page to display the contents of the routing table To display the page click Routing Router Route Table in the navigation panel Figure 33 7 Route Table ...

Page 906: ... Routing Best Routes Table Use the Best Routes Table page to display the best routes from the routing table To display the page click Routing Router Best Routes Table in the navigation panel Figure 33 8 Best Routes Table ...

Page 907: ... click Routing Router Route Entry Configuration in the navigation panel Figure 33 9 Route Entry Configuration Adding a Route and Configuring Route Preference To configure routing table entries 1 Open the Route Entry Configuration page 2 Click Router Route Entry Configuration The screen refreshes and the Router Route Entry Configuration page displays ...

Page 908: ... Reject route The fields to configure are different for each route type Default Enter the default gateway address in the Next Hop IP Address field Static Enter values for Network Address Subnet Mask Next Hop IP Address and Preference Static Reject Enter values for Network Address Subnet Mask and Preference 4 Click Apply The new route is added to the routing table ...

Page 909: ...k Routing Router Configured Routes in the navigation panel Figure 33 11 Configured Routes To remove a configured route select the check box in the Remove column of the route to delete and click Apply NOTE For a static reject route the next hop interface value is Null0 Packets to the network address specified in static reject routes are intentionally dropped ...

Page 910: ...ic routes These values are arbitrary values that range from 1 to 255 and are independent of route metrics Most routing protocols use a route metric to determine the shortest path known to the protocol independent of any other protocol To display the page click Routing Router Route Preferences Configuration in the navigation panel Figure 33 12 Router Route Preferences Configuration ...

Page 911: ...bally enable IPv4 routing on the switch ip icmp echo reply Allow the switch to generate ICMP Echo Reply messages ip icmp error interval burst interval burst size Limit the rate at which IPv4 ICMP error messages are sent burst interval How often the token bucket is initialized Range 0 2147483647 milliseconds burst size The maximum number of messages that can be sent during a burst interval Range 1 ...

Page 912: ... the ARP count of maximum requests for retries The range is 1 10 arp cachesize integer Configure the maximum number of entries in the ARP cache arp dynamicrenew Allow the ARP component to automatically renew dynamic ARP entries when they age out exit Exit to Privileged EXEC mode show arp brief View the user configured static ARP entries The static entries display regardless of whether they are rea...

Page 913: ...0 1 all hosts IP multicast address or 255 255 255 255 limited broadcast address ip irdp holdtime seconds Configure the value of the holdtime field of the router advertisement sent from this interface ip irdp maxadvertinterval seconds Configure the maximum time allowed between sending router advertisements from the interface ip irdp minadvertinterval seconds Configure the minimum time allowed betwe...

Page 914: ...ference Configure a static route Use the keyword null instead of the next hop router IP address to configure a static reject route ip address IP address of destination interface subnet mask Subnet mask of destination interface prefix length Length of prefix Must be preceded with a forward slash Range 0 32 bits nextHopRtr IP address of the next hop router null Specifies that the route is a static r...

Page 915: ...prefixes Indicates that the ip address and subnet mask pair becomes the prefix and the command displays the routes to the addresses that match that prefix protocol Specifies the protocol that installed the routes Range connected ospf rip static show ip route configured View the configured routes whether they are reachable or not show ip route summary View summary information about the routing tabl...

Page 916: ... is configured on Switch A Additionally a default route is configured on Switch A so that all traffic with an unknown destination is sent to the backbone router through port 24 which is a member of VLAN 50 A default route is configured on PowerConnect Switch B to use Switch A as the default gateway The hosts use the IP address of the VLAN routing interface as their default gateway This example ass...

Page 917: ...onsole config interface vlan 20 console config if vlan20 ip address 192 168 20 20 255 255 255 0 console config if vlan20 exit 4 Assign an IP address to VLAN 50 console configure console config interface vlan 50 console config if vlan50 ip address 192 168 50 50 255 255 255 0 console config if vlan50 exit 5 Configure a static route to the network that VLAN 30 is in using the IP address of the VLAN 2...

Page 918: ... vlan20 ip address 192 168 20 25 255 255 255 0 console config if vlan20 exit 3 Assign an IP address to VLAN 30 This command also enables IP routing on the VLAN console configure console config interface vlan 30 console config if vlan30 ip address 192 168 30 30 255 255 255 0 console config if vlan30 exit 4 Configure the VLAN 20 routing interface on Switch A as the default gateway so that any traffi...

Page 919: ...n impractical The relay features on the PowerConnect 8000 8100 series switches can help enable communication between DHCP clients and DHCP servers that reside in different subnets Configuring L3 DHCP relay also enables the bootstrap protocol BOOTP relay What Is L3 DHCP Relay Network infrastructure devices can be used to relay packets between a DHCP client and server on different subnets Such a dev...

Page 920: ...has more than one IP address the relay agent uses the primary IP address configured as its relay agent IP address What Is L2 DHCP Relay In Layer 2 switched networks there may be one or more infrastructure devices for example a switch between the client and the L3 Relay agent DHCP server In this instance some of the client device information required by the L3 Relay agent may not be visible to it I...

Page 921: ... on routing interfaces Each relay entry maps an ingress interface and destination UDP port number to a single IPv4 address the helper address Multiple relay entries may be configured for the same interface and UDP port in which case the relay agent relays matching packets to each server address Interface configuration takes priority over global configuration If the destination UDP port for a packe...

Page 922: ...P server unicasts back to the relay agent For other protocols the relay agent only relays broadcast packets from the client to the server Packets from the server back to the client are assumed to be unicast directly to the client Because there is no relay in the return direction for protocols other than DHCP the relay agent retains the source IP address from the original client packet The relay ag...

Page 923: ...ss must be the all ones broadcast address FF FF FF FF FF FF The destination IP address must be the limited broadcast address 255 255 255 255 or a directed broadcast address for the receive interface The IP time to live TTL must be greater than 1 The protocol field in the IP header must be UDP 17 The destination UDP port must match a configured relay entry NOTE If the packet matches a discard relay...

Page 924: ... data FTP Data 21 FTP FTP 37 Time Time 42 NAMESERVER Host Name Server 43 NICNAME Who is 53 DOMAIN Domain Name Server 69 TFTP Trivial File Transfer 111 SUNRPC Sun Microsystems Rpc 123 NTP Network Time 137 NetBiosNameService NT Server to Station Connections 138 NetBiosDatagramService NT Server to Station Connections 139 NetBios SessionServiceNT Server to Station Connections 161 SNMP Simple Network M...

Page 925: ... Parameter Default Value L2 DHCP Relay Admin Mode Disabled globally and on all interfaces and VLANs Trust Mode Disabled on all interfaces Circuit ID Disabled on all VLANs Remote ID None configured L3 DHCP Relay UDP Relay Mode IP Helper Enabled Hop Count 4 Minimum Wait Time 0 seconds Circuit ID Option Mode Disabled Circuit ID Check Mode Enabled Information Option Insert Disabled on all VLAN interfa...

Page 926: ... enable or disable the switch to act as a DHCP Relay agent This functionality must also be enabled on each port you want this service to operate on see DHCP Relay Interface Configuration on page 927 The switch can also be configured to relay requests only when the VLAN of the requesting client corresponds to a service provider s VLAN ID that has been enabled with the L2 DHCP relay functionality se...

Page 927: ... on individual ports To access this page click Switching DHCP Relay Interface Configuration in the navigation panel Figure 34 2 DHCP Relay Interface Configuration To view a summary of the L2 DHCP relay configuration on all ports and LAGS click Show All NOTE L2 DHCP relay must also be enabled globally on the switch ...

Page 928: ...928 Configuring L2 and L3 Relay Features Figure 34 3 DHCP Relay Interface Summary ...

Page 929: ...elay Interface Statistics Use this page to display statistics on DHCP Relay requests received on a selected port To access this page click Switching DHCP Relay Interface Statistics in the navigation panel Figure 34 4 DHCP Relay Interface Statistics ...

Page 930: ...le and configure DHCP Relay on specific VLANs To access this page click Switching DHCP Relay VLAN Configuration in the navigation panel Figure 34 5 DHCP Relay VLAN Configuration To view a summary of the L2 DHCP relay configuration on all VLANs click Show All Figure 34 6 DHCP Relay VLAN Summary ...

Page 931: ... 931 DHCP Relay Agent Configuration Use the Configuration page to configure and display a DHCP relay agent To display the page click Routing DHCP Relay Agent Configuration in the navigation panel Figure 34 7 DHCP Relay Agent Configuration ...

Page 932: ... UDP Relay and Helper IP configuration To display the page click Routing IP Helper Global Configuration in the navigation panel Figure 34 8 IP Helper Global Configuration Adding an IP Helper Entry To configure an IP helper entry 1 Open the IP Helper Global Configuration page 2 Click Add to display the Add Helper IP Address page ...

Page 933: ... 4 Enter the IP address of the server to which the packets with the given UDP Destination Port will be relayed 5 Click Apply The UDP Helper Relay is added and the device is updated NOTE If the DefaultSet option is specified the device by default forwards UDP Broadcast packets for the following services IEN 116 Name Service port 42 DNS port 53 NetBIOS Name Server port 137 NetBIOS Datagram Server po...

Page 934: ...figuration for a specific interface To display the page click Routing IP Helper Interface Configuration in the navigation panel Figure 34 10 IP Helper Interface Configuration Adding an IP Helper Entry to an Interface To add an IP helper entry to an interface 1 Open the IP Helper Interface Configuration page 2 Click Add to display the Add IP Helper Address page ...

Page 935: ...packets arriving on the given interface with the given destination UDP port 6 Enter the IP address of the server to which the packets with the given UDP Destination Port will be relayed 7 Click Apply The UDP Helper Relay is added to the interface and the device is updated NOTE If the DefaultSet option is specified the device by default forwards UDP Broadcast packets for the following services IEN ...

Page 936: ...nd L3 Relay Features IP Helper Statistics Use the Statistics page to view UDP Relay Statistics for the switch To display the page click Routing IP Helper Statistics in the navigation panel Figure 34 12 IP Helper Statistics ...

Page 937: ...ed port or LAG The interface variable includes the interface type and number for example tengigabitethernet 1 0 3 For a LAG the interface type is port channel You can also specify a range of ports with the interface range command for example interface range tengigabitethernet 1 0 8 12 configures interfaces 8 9 10 11 and 12 dhcp l2relay Enable L2 DHCP relay on the port s or LAG s dhcp l2relay trust...

Page 938: ...nterfaces or for the specified interface show dhcp l2relay vlan vlan range View L2 DHCP relay settings for the specified VLAN show dhcp l2relay stats interface all interface View the number of DHCP packets processed and relayed by the L2 relay agent To reset the statistics to 0 use the clear dhcp l2relay statistics interface all interface command show dhcp l2relay agent option vlan vlan id View th...

Page 939: ... certain UDP broadcast packets received on any interface Specify the one of the protocols defined in the command or the UDP port number server address The IPv4 unicast or directed broadcast address to which relayed UDP broadcast packets are sent The server address cannot be an IP address configured on any interface of the local router dest udp port A destination UDP port number from 0 to 65535 int...

Page 940: ...er server address The IPv4 unicast or directed broadcast address to which relayed UDP broadcast packets are sent The server address cannot be an IP address configured on any interface of the local router dest udp port A destination UDP port number from 0 to 65535 exit Exit to Global Config mode exit Exit to Privileged EXEC mode show ip helper address vlan vlan id View IP helper L3 relay settings f...

Page 941: ... assumes that multiple VLAN routing interfaces have been created and configured with IP addresses To configure the switch 1 Relay DHCP packets received on VLAN 10 to 192 168 40 35 console config console config interface vlan 10 console config if vlan10 ip helper address 192 168 40 35 dhcp VLAN 30 DHCP Server 192 168 40 35 DHCP Clients VLAN 10 L3 Switch VLAN 20 No DHCP DHCP Server 192 168 40 22 SNM...

Page 942: ...p helper address discard dhcp console config if vlan20 exit 5 DHCP packets received from clients in any VLAN other than VLAN 10 and VLAN 20 are relayed to 192 168 40 22 console config ip helper address 192 168 40 22 dhcp 6 Verify the configuration console show ip helper address IP helper is enabled NOTE The following command is issued in Global Configuration mode so it applies to all interfaces ex...

Page 943: ...cols are configured separately within the software but their functionality is largely similar for IPv4 and IPv6 networks The topics covered in this chapter include OSPF Overview OSPF Feature Details Default OSPF Values Configuring OSPF Features Web Configuring OSPFv3 Features Web Configuring OSPF Features CLI Configuring OSPFv3 Features CLI OSPF Configuration Examples NOTE In this chapter referenc...

Page 944: ...se are not used as actual IP addresses For simplicity the area can be configured and referred to in normal integer notation For example Area 20 is identified as 0 0 0 20 and Area 256 as 0 0 1 0 The area identified as 0 0 0 0 is referred to as Area 0 and is considered the OSPF backbone All other OSPF areas in the network must connect to Area 0 directly or through a virtual link The backbone area is...

Page 945: ...m other protocols and originate external LSAs How Are Routes Selected OSPF determines the best route using the route metric and the type of the OSPF route The following order is used for choosing a route if more than one type of route exists 1 Intra area the destination prefix is in the same area as the router computing the route 2 Inter area the destination is not in the same area as the router c...

Page 946: ...rics in this way Stub router mode is global and applies to router LSAs for all areas Other routers prefer alternate paths that avoid the stub router however if no alternate path is available another router may compute a transit route through a stub router Because the stub router does not adjust the metric for stub links in its router LSA routes to destinations on these networks are unaffected Thus...

Page 947: ...nderlying path has cost greater than hexadecimal 0xffff the maximum size of an interface cost in a router LSA should be considered non operational To configure a router for stub router mode use the max metric router lsa command in Global Router Configuration mode The following example sets the router to start in stub router mode on a restart and remain in stub router mode for 5 minutes ABR R0 conf...

Page 948: ...son it is common to give the network administrator the option of configuring the cost for an area range When a static cost is configured the cost advertised in the type 3 LSA does not depend on the cost of the component networks Thus topology changes within an area do not propagate outside the area resulting in greater stability within the OSPF domain PowerConnect switches also use area ranges to ...

Page 949: ...r eliminate the packet drops caused by bursts in OSPF control packets The changes are as follows Introduce LSA transmit pacing limiting the rate of LS Update packets that OSPF can send Introduce LSA refresh groups so that OSPF efficiently bundles LSAs into LS Update packets when periodically refreshing self originated LSAs To configure LSA transmit pacing use the timers pacing flood command in rou...

Page 950: ...r and link failures This feature enables a network administrator to disable LSA flooding on an interface Flood blocking only affects flooding of LSAs with area or AS i e domain wide scope Such LSAs are expected to be flooded to neighbors on other unblocked interfaces and eventually reach neighbors on blocked interfaces An LSA with interface flooding scope cannot be blocked there is no other way fo...

Page 951: ...owed on virtual interfaces it is less likely to be used on a virtual interface since virtual interfaces are created specifically to allow flooding between two backbone routers So the option of flood blocking on virtual interfaces is not supported See Configuring Flood Blocking on page 1025 for a configuration example ...

Page 952: ... 35 1 OSPF OSPFv3 Global Defaults Parameter Default Value Router ID None Admin Mode Enabled RFC 1583 Compatibility Enabled OSPFv2 only ABR Status Enabled Opaque LSA Status Enabled OSPFv2 only Exit Overflow Interval Not configured SPF Delay Time 5 OSPFv2 only SPF Hold Time 10 OSPFv2 only External LSDB Limit None Default Metric Not configured Maximum Paths 4 AutoCost Reference Bandwidth 100 Mbps Def...

Page 953: ...lt Value Admin Mode Disabled Advertise Secondaries Enabled OSPFv2 only Router Priority 1 Retransmit Interval 5 seconds Hello Interval 10 seconds Dead Interval 40 seconds LSA Ack Interval 1 second Interface Delay Interval 1 second MTU Ignore Disabled Passive Mode Disabled Network Type Broadcast Authentication Type None OSPFv2 only Metric Cost Not configured ...

Page 954: ...or configuring and monitoring OSPF features on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page OSPF Configuration Use the Configuration page to enable OSPF on a router and to configure the related OSPF settings To display the page click Routing OSPF Configuration in the navigation panel ...

Page 955: ...Configuring OSPF and OSPFv3 955 Figure 35 1 OSPF Configuration ...

Page 956: ...ing OSPF Interface Configuration At least one router must have OSPF enabled for this web page to display To display the page click Routing OSPF Area Configuration in the navigation panel If a Stub Area has been created the fields in the Stub Area Information are available If a NSSA has been created the fields in the NSSA Area Information are available Figure 35 2 OSPF Area Configuration ...

Page 957: ...ub Area To configure the area as an OSPF stub area click Create Stub Area The pages refreshes and displays additional fields that are specific to the stub area Figure 35 3 OSPF Stub Area Configuration Use the Delete Stub Area button to remove the stub area ...

Page 958: ...So Stubby Area To configure the area as an OSPF not so stubby area NSSA click NSSA Create The pages refreshes and displays additional fields that are specific to the NSSA Figure 35 4 OSPF NSSA Configuration Use the NSSA Delete button to remove the NSSA area ...

Page 959: ...SPF and OSPFv3 959 OSPF Stub Area Summary The Stub Area Summary page displays OSPF stub area detail To display the page click Routing OSPF Stub Area Summary in the navigation panel Figure 35 5 OSPF Stub Area Summary ...

Page 960: ...nge Configuration Use the Area Range Configuration page to configure and display an area range for a specified NSSA To display the page click Routing OSPF Area Range Configuration in the navigation panel Figure 35 6 OSPF Area Range Configuration ...

Page 961: ... Use the Interface Statistics page to display statistics for the selected interface The information is displayed only if OSPF is enabled To display the page click Routing OSPF Interface Statistics in the navigation panel Figure 35 7 OSPF Interface Statistics ...

Page 962: ...PFv3 OSPF Interface Configuration Use the Interface Configuration page to configure an OSPF interface To display the page click Routing OSPF Interface Configuration in the navigation panel Figure 35 8 OSPF Interface Configuration ...

Page 963: ...ay the OSPF neighbor table list When a particular neighbor ID is specified detailed information about a neighbor is given The information below is only displayed if OSPF is enabled To display the page click Routing OSPF Neighbor Table in the navigation panel Figure 35 9 OSPF Neighbor Table ...

Page 964: ...r ID When a particular neighbor ID is specified detailed information about a neighbor is given The information below is only displayed if OSPF is enabled and the interface has a neighbor The IP address is the IP address of the neighbor To display the page click Routing OSPF Neighbor Configuration in the navigation panel Figure 35 10 OSPF Neighbor Configuration ...

Page 965: ...g OSPF Link State Database in the navigation panel Figure 35 11 OSPF Link State Database OSPF Virtual Link Configuration Use the Virtual Link Configuration page to create or configure virtual interface information for a specific area and neighbor A valid OSPF area must be configured before this page can be displayed To display the page click Routing OSPF Virtual Link Configuration in the navigatio...

Page 966: ...966 Configuring OSPF and OSPFv3 Figure 35 12 OSPF Virtual Link Creation After you create a virtual link additional fields display as the Figure 35 13 shows Figure 35 13 OSPF Virtual Link Configuration ...

Page 967: ...7 OSPF Virtual Link Summary Use the Virtual Link Summary page to display all of the configured virtual links To display the page click Routing OSPF Virtual Link Summary in the navigation panel Figure 35 14 OSPF Virtual Link Summary ...

Page 968: ...configure redistribution in OSPF for routes learned through various protocols You can choose to redistribute routes learned from all available protocols or from selected ones To display the page click Routing OSPF Route Redistribution Configuration in the navigation panel Figure 35 15 OSPF Route Redistribution Configuration ...

Page 969: ...tribution Summary Use the Route Redistribution Summary page to display OSPF Route Redistribution configurations To display the page click Routing OSPF Route Redistribution Summary in the navigation panel Figure 35 16 OSPF Route Redistribution Summary ...

Page 970: ...ation for the OSPF feature NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure For information about NSF see What is Nonstop Forwarding on page 150 in the Managing a Switch Stack chapter To display the page click Routing OSPF NSF OSPF Configuration in the navigation panel Figure 35 17 NSF OSPF Configuration ...

Page 971: ...nfiguring and monitoring OSPFv3 features on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page OSPFv3 Configuration Use the Configuration page to activate and configure OSPFv3 for a switch To display the page click IPv6 OSPFv3 Configuration in the navigation panel Figure 35 18 OSPFv3 Configuration ...

Page 972: ...d OSPFv3 OSPFv3 Area Configuration Use the Area Configuration page to create and configure an OSPFv3 area To display the page click IPv6 OSPFv3 Area Configuration in the navigation panel Figure 35 19 OSPFv3 Area Configuration ...

Page 973: ... Area To configure the area as an OSPFv3 stub area click Create Stub Area The pages refreshes and displays additional fields that are specific to the stub area Figure 35 20 OSPFv3 Stub Area Configuration Use the Delete Stub Area button to remove the stub area ...

Page 974: ...o Stubby Area To configure the area as an OSPFv3 not so stubby area NSSA click Create NSSA The pages refreshes and displays additional fields that are specific to the NSSA Figure 35 21 OSPFv3 NSSA Configuration Use the Delete NSSA button to remove the NSSA area ...

Page 975: ...d OSPFv3 975 OSPFv3 Stub Area Summary Use the Stub Area Summary page to display OSPFv3 stub area detail To display the page click IPv6 OSPFv3 Stub Area Summary in the navigation panel Figure 35 22 OSPFv3 Stub Area Summary ...

Page 976: ...OSPFv3 Area Range Configuration Use the Area Range Configuration page to configure OSPFv3 area ranges To display the page click IPv6 OSPFv3 Area Range Configuration in the navigation panel Figure 35 23 OSPFv3 Area Range Configuration ...

Page 977: ...e the Interface Configuration page to create and configure OSPFv3 interfaces This page has been updated to include the Passive Mode field To display the page click IPv6 OSPFv3 Interface Configuration in the navigation panel Figure 35 24 OSPFv3 Interface Configuration ...

Page 978: ...ace Statistics page to display OSPFv3 interface statistics Information is only displayed if OSPF is enabled Several fields have been added to this page To display the page click IPv6 OSPFv3 Interface Statistics in the navigation panel Figure 35 25 OSPFv3 Interface Statistics ...

Page 979: ...bor ID When a particular neighbor ID is specified detailed information about that neighbor is given Neighbor information only displays if OSPF is enabled and the interface has a neighbor The IP address is the IP address of the neighbor To display the page click IPv6 OSPFv3 Neighbors in the navigation panel Figure 35 26 OSPFv3 Neighbors ...

Page 980: ...lay the OSPF neighbor table list When a particular neighbor ID is specified detailed information about a neighbor is given The neighbor table is only displayed if OSPF is enabled To display the page click IPv6 OSPFv3 Neighbor Table in the navigation panel Figure 35 27 OSPFv3 Neighbor Table ...

Page 981: ...the link state and external LSA databases The OSPFv3 Link State Database page has been updated to display external LSDB table information in addition to OSPFv3 link state information To display the page click IPv6 OSPFv3 Link State Database in the navigation panel Figure 35 28 OSPFv3 Link State Database ...

Page 982: ...ion page to define a new or configure an existing virtual link To display this page a valid OSPFv3 area must be defined through the OSPFv3 Area Configuration page To display the page click IPv6 OSPFv3 Virtual Link Configuration in the navigation panel Figure 35 29 OSPFv3 Virtual Link Configuration ...

Page 983: ...Configuring OSPF and OSPFv3 983 After you create a virtual link additional fields display as the Figure 35 30 shows Figure 35 30 OSPFv3 Virtual Link Configuration ...

Page 984: ...Virtual Link Summary Use the Virtual Link Summary page to display virtual link data by Area ID and Neighbor Router ID To display the page click IPv6 OSPFv3 Virtual Link Summary in the navigation panel Figure 35 31 OSPFv3 Virtual Link Summary ...

Page 985: ...bution Configuration Use the Route Redistribution Configuration page to configure route redistribution To display the page click IPv6 OSPFv3 Route Redistribution Configuration in the navigation panel Figure 35 32 OSPFv3 Route Redistribution Configuration ...

Page 986: ...stribution Summary Use the Route Redistribution Summary page to display route redistribution settings by source To display the page click IPv6 OSPFv3 Route Redistribution Summary in the navigation panel Figure 35 33 OSPFv3 Route Redistribution Summary ...

Page 987: ...ion for the OSPFv3 feature NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure For information about NSF see What is Nonstop Forwarding on page 150 in the Managing a Switch Stack chapter To display the page click Routing OSPFv3 NSF OSPFv3 Configuration in the navigation panel Figure 35 34 NSF OSPFv3 Configuration ...

Page 988: ...configure Enter global configuration mode router ospf Enter OSPF configuration mode router id ip address Set the 4 digit dotted decimal number that uniquely identifies the router auto cost reference bandwidth ref_bw Set the reference bandwidth used in the formula to compute link cost for an interface link cost ref_bw interface bandwidth The ref_bw variable is the reference bandwidth in Mbps Range ...

Page 989: ...ospf external inter area intra area distance Set the preference values of OSPF route types in the router The range for the distance variable is 1 255 Lower route preference values are preferred when determining the best route enable Enable OSPF exit overflow interval seconds Specify the exit overflow interval for OSPF as defined in RFC 1765 The interval is the number of seconds after entering over...

Page 990: ...SPF delay and hold time delay time SPF delay time Range 0 65535 seconds hold time SPF hold time Range 0 65535 seconds exit Exit to Global Configuration mode exit Exit to Privileged EXEC mode show ip ospf View OSPF global configuration and status show ip ospf statistics View OSPF routing table calculation statistics clear ip ospf configuration redistribution counters neighbor interface vlan vlan id...

Page 991: ...Set the OSPF priority for the interface The number value variable specifies the priority of an interface Range 0 to 255 The default priority is 1 which is the highest router priority A value of 0 indicates that the router is not eligible to become the designated router on this network ip ospf retransmit interval seconds Set the OSPF retransmit interval for the interface The seconds variable is the...

Page 992: ...interface to broadcast or point to point OSPF selects a designated router and originates network LSAs only for broadcast networks No more than two OSPF routers may be present on a point to point link ip ospf authentication none simple key encrypt key key id Set the OSPF Authentication Type and Key for the specified interface encrypt MD5 encrypted authentication key key Authentication key for the s...

Page 993: ...rface a member of the specified area ip address Base IPv4 address of the network area wildcard mask The network mask indicating the subnet area id The ID of the area Range IP address or decimal from 0 4294967295 exit Exit to Global Config mode exit Exit to Privileged EXEC mode show ip ospf interface vlan vlan id View summary information for all OSPF interfaces configured on the switch or for the s...

Page 994: ...ea area id nssa translator stab intv integer Configure the translator stability interval of the NSSA The integer variable is the period of time that an elected translator continues to perform its duties after it determines that its translator status has been deposed by another router Range 0 3600 area area id nssa default information originate metric metric value metric type metric type value Conf...

Page 995: ...nk If the area has not been previously created it is created by this command If the area already exists the virtual link information is added or modified authentication Specifies authentication type message digest Specifies that message digest authentication is used null No authentication is used Overrides password or message digest authentication if configured for the area md5 Use MD5 Encryption ...

Page 996: ...econds variable indicates the number of seconds to wait before the virtual interface is assumed to be dead Range 1 65535 area area id virtual link neighbor id transmit delay seconds Set the OSPF Transit Delay for the interface The seconds variable is the number of seconds to increment the age of the LSA before sending based on the estimated time it takes to transmit from the interface Range 0 3600...

Page 997: ...dvertise Configure a summary prefix for routes learned in a given area area id Identifies the OSPF NSSA to configure Range IP address or decimal from 0 4294967295 ip address IP address subnet mask Subnet mask associated with IP address summarylink Specifies a summary link LSDB type nssaexternallink Specifies an NSSA external link LSDB type advertise Advertisement of the area range not advertise Su...

Page 998: ...p static connected metric integer metric type 1 2 tag integer subnets Configure OSPF to allow redistribution of routes from the specified source protocol routers rip Specifies RIP as the source protocol static Specifies that the source is a static route connected Specifies that the source is a directly connected route metric Specifies the metric to use when redistributing the route Range 0 1677721...

Page 999: ...the router auto cost reference bandwidth ref_bw Set the reference bandwidth used in the formula to compute link cost for an interface link cost ref_bw interface bandwidth The ref_bw variable is the reference bandwidth in Mbps Range 1 4294967 default information originate always metric metric value metric type type value Control the advertisement of default routes always Normally OSPFv3 originates ...

Page 1000: ... then there is no limit The limit variable is the maximum number of non default AS external LSAs allowed in the router s link state database Range 1 to 2147483647 maximum paths maxpaths Set the number of paths that OSPFv3 can report for a given destination Range 1 4 passive interface default Configure OSPFv3 interfaces as passive by default This command overrides any interface level passive mode s...

Page 1001: ...pecifies the priority of an interface Range 0 to 255 The default priority is 1 which is the highest router priority A value of 0 indicates that the router is not eligible to become the designated router on this network ipv6 ospf retransmit interval seconds Set the OSPFv3 retransmit interval for the interface The seconds variable is the number of seconds between link state advertisements for adjace...

Page 1002: ...OSPFv3 network type on the interface to broadcast or point to point OSPFv3 selects a designated router and originates network LSAs only for broadcast networks No more than two OSPFv3 routers may be present on a point to point link ipv6 ospf cost interface cost Set the metric cost of the interface The interface cost variable specifies the cost link state metric of the OSPFv3 interface Range 1 65535...

Page 1003: ...ng interface show ipv6 ospf interface stats interface type interface number View per interface OSPFv3 statistics Command Purpose configure Enter global configuration mode ipv6 router ospf Enter OSPFv3 configuration mode area area id stub Create a stub area for the specified area ID area area id stub no summary Prevent Summary LSAs from being advertised into the stub area area area id default cost ...

Page 1004: ... LSAs are not advertised into the NSSA role The translator role where role is one of the following always The router assumes the role of the translator when it becomes a border router candidate The router to participate in the translator election process when it attains border router status interval The period of time that an elected translator continues to perform its duties after it determines t...

Page 1005: ...d virtual link neighbor id hello interval seconds Set the OSPFv3 hello interval for the virtual link The seconds variable indicates the number of seconds to wait before sending Hello packets from the virtual interface Range 1 65535 area area id virtual link neighbor id dead interval seconds Set the OSPFv3 dead interval for the virtual link The seconds variable indicates the number of seconds to wa...

Page 1006: ...gure a summary prefix for routes learned in a given area area id Identifies the OSPFv3 NSSA to configure Range IP address or decimal from 0 4294967295 ipv6 prefix prefix length IPv6 address and prefix length summarylink Specifies a summary link LSDB type nssaexternallink Specifies an NSSA external link LSDB type advertise Advertisement of the area range not advertise Suppresses advertisement of th...

Page 1007: ...es from the specified source protocol routers static Specifies that the source is a static route connected Specifies that the source is a directly connected route metric Specifies the metric to use when redistributing the route Range 0 16777214 metric type 1 Type 1 external route metric type 2 Type 2 external route tag Value attached to each external route which might be used to communicate inform...

Page 1008: ...d OSPFv3 Configuring an OSPF Border Router and Setting Interface Costs This example shows how to configure the PowerConnect switch as an OSPF border router The commands in this example configure the areas and interfaces on Border Router A shown in Figure 35 35 Figure 35 35 OSPF Area Border Router Area 2 Area 3 Area 0 Backbone Area Internal Router Border Router A Border Router B VLAN 70 192 150 2 2...

Page 1009: ...onfig if vlan70 ip address 192 150 2 2 255 255 255 0 console config if vlan70 exit console config interface vlan 80 console config if vlan80 ip address 192 150 3 1 255 255 255 0 console config if vlan80 exit console config interface vlan 90 console config if vlan90 ip address 192 150 4 1 255 255 255 0 console config if vlan90 exit 4 Enable OSPF on the switch and specify a router ID console config ...

Page 1010: ...ole config if vlan80 ip ospf area 0 0 0 2 console config if vlan80 ip ospf priority 255 console config if vlan80 ip ospf cost 64 console config if vlan80 exit console config interface vlan 90 console config if vlan90 ip ospf area 0 0 0 2 console config if vlan90 ip ospf priority 255 console config if vlan90 ip ospf cost 64 console config if vlan90 exit NOTE OSPF is globally enabled by default To m...

Page 1011: ... 1 is defined as a stub area and Area 2 is defined as an NSSA area Figure 35 36 illustrates this example OSPF configuration Figure 35 36 OSPF Configuration Stub Area and NSSA Area NOTE OSPFv2 and OSPFv3 can operate concurrently on a network and on the same interfaces although they do not interact This example configures both protocols simultaneously ...

Page 1012: ...00 2 3 64 eui64 4 Associate the interface with area 0 0 0 0 and enable OSPFv3 console config if vlan6 ip ospf area 0 0 0 0 console config if vlan6 ipv6 ospf console config if vlan6 exit 5 Configure IP and IPv6 addresses on VLAN routing interface 12 console config interface vlan 12 console config if vlan12 ip address 10 3 100 3 255 255 255 0 console config if vlan12 ipv6 address 3000 3 100 64 eui64...

Page 1013: ...te 10 23 67 0 255 255 255 0 10 2 3 3 2 Create VLANs 5 10 and 17 console config vlan 5 10 17 3 On VLANs 5 10 and 17 configure IPv4 and IPv6 addresses and enable OSPFv3 For IPv6 associate VLAN 5 with Area 0 VLAN 10 with Area 1 and VLAN 17 with Area 2 console config interface vlan 5 console config if vlan5 ip address 10 2 3 2 255 255 255 0 console config if vlan5 ipv6 address 3000 2 3 64 eui64 consol...

Page 1014: ... range of IP addresses associated with each interface and then associating those ranges with Areas 1 0 and 2 respectively console config router network 10 1 2 0 0 0 0 255 area 0 0 0 1 console config router network 10 2 3 0 0 0 0 255 area 0 0 0 0 console config router network 10 2 4 0 0 0 0 255 area 0 0 0 2 6 For IPv4 Configure a metric cost to associate with static routes when they are redistribut...

Page 1015: ...a 1 and connects to Area 2 This example assumes other OSPF settings such as area and interface configuration have already been configured Figure 35 37 illustrates the relevant components in this example OSPF configuration Figure 35 37 OSPF Configuration Virtual Link Switch B is an ABR that directly connects Area 0 to Area 1 Note that in the previous example Switch B connected to a stub area and an...

Page 1016: ...link 5 5 5 5 console config rtr exit Switch C is a ABR that enables a virtual link from the remote Area 2 in the AS to Area 0 The following commands define a virtual link that traverses Area 1 to Switch B 2 2 2 2 To configure Switch C 1 For IPv4 assign the router ID create the virtual link to Switch B and associate the VLAN routing interfaces with the appropriate areas console config router ospf c...

Page 1017: ...uting interface on both devices connects to the local IPv6 network OSPFv3 is used to exchange IPv6 routes between the two devices The tunnel interface allows data to be transported between the two remote IPv6 networks over the IPv4 network Figure 35 38 IPv4 and IPv6 Interconnection Example To configure Switch A 1 Create the VLANs console config vlan 2 15 2 Enable IPv4 and IPv6 routing on the switc...

Page 1018: ... network point to point console config if vlan2 exit 7 Configure the tunnel console config interface tunnel 0 console config if tunnel0 ipv6 address 2001 1 64 console config if tunnel0 tunnel mode ipv6ip console config if tunnel0 tunnel source 20 20 20 1 console config if tunnel0 tunnel destination 10 10 10 1 console config if tunnel0 ipv6 ospf console config if tunnel0 ipv6 ospf network point to ...

Page 1019: ...an15 exit 6 Configure the IPv6 address and OSPFv3 information for VLAN 2 console config interface vlan 2 console config if vlan2 ipv6 address 2020 2 2 64 console config if vlan2 ipv6 ospf console config if vlan2 ipv6 ospf network point to point console config if vlan2 exit 7 Configure the tunnel console config interface tunnel 0 console config if tunnel0 ipv6 address 2001 2 64 console config if tu...

Page 1020: ...9 Static Area Range Cost Example Topology 1 Configure R0 terminal length 0 config hostname ABR R0 line console exec timeout 0 exit vlan 101 103 exit ip routing router ospf router id 10 10 10 10 network 172 20 0 0 0 0 255 255 area 0 network 172 21 0 0 0 0 255 255 area 1 area 1 range 172 21 0 0 255 255 0 0 summarylink timers spf 3 5 exit R3 ABR R0 VLAN 103 Area 0 R1 R2 Area 1 VLAN 104 VLAN 101 VLAN ...

Page 1021: ...ospf dead interval 4 ip ospf network point to point exit interface te1 0 22 description R2 switchport mode trunk exit interface vlan 103 ip address 172 20 1 10 255 255 255 0 ip ospf hello interval 1 ip ospf dead interval 4 ip ospf network point to point exit interface te1 0 23 switchport mode trunk description R3 exit exit 2 Configure R1 terminal length 0 config hostname R1 line console exec timeo...

Page 1022: ...al 1 ip ospf dead interval 4 ip ospf network point to point exit interface te1 0 22 switchport mode trunk exit interface loopback 0 ip address 172 21 254 1 255 255 255 255 exit exit 3 Configure R2 terminal length 0 config line console serial timeout 0 exit ip routing router ospf router id 2 2 2 2 network 172 21 0 0 0 0 255 255 area 1 timers spf 3 5 exit vlan 102 104 exit interface vlan 102 ip addr...

Page 1023: ... 0 ip address 172 21 254 2 255 255 255 255 exit exit 4 R3 config terminal length 0 config line console serial timeout 0 exit ip routing router ospf router id 3 3 3 3 network 172 21 0 0 0 0 255 255 area 0 timers spf 3 5 exit vlan 103 exit interface vlan 103 ip address 172 21 1 1 255 255 255 0 routing ip ospf hello interval 1 ip ospf dead interval 4 ip ospf network point to point exit interface te1 ...

Page 1024: ...ee1 Length 28 Network Mask 255 255 0 0 Metric 2 Min The cost can be set to 0 the minimum value OSPF re advertises the summary LSA with a metric of 0 ABR R0 config router area 1 range 172 21 0 0 255 255 0 0 summarylink advertise cost 0 16777215 Set area range cost ABR R0 config router area 1 range 172 21 0 0 255 255 0 0 summarylink advertise cost 0 ABR R0 show ip ospf range 1 Prefix Subnet Mask Typ...

Page 1025: ...ary LSA with this metric according to RFC 2328 the summary LSA is flushed The individual routes are not re advertised Configuring Flood Blocking Figure 35 40 shows an example topology for flood blocking The configuration follows Figure 35 40 Flood Blocking Topology 1 Configure R0 terminal length 0 config hostname R0 line console exec timeout 0 exit vlan 101 103 exit ip routing R3 R0 VLAN 103 R1 R2...

Page 1026: ...hport mode trunk description R1 exit interface vlan 102 ip address 172 21 2 10 255 255 255 0 ip ospf hello interval 1 ip ospf dead interval 4 ip ospf network point to point exit interface te1 0 22 description R2 switchport mode trunk exit interface vlan 103 ip address 172 20 1 10 255 255 255 0 ip ospf hello interval 1 ip ospf dead interval 4 ip ospf network point to point exit interface te1 0 23 s...

Page 1027: ...nt exit interface te1 0 21 switchport mode trunk exit interface vlan 104 ip address 172 21 3 1 255 255 255 0 routing ip ospf hello interval 1 ip ospf dead interval 4 ip ospf network point to point exit interface te1 0 22 switchport mode trunk exit interface loopback 0 ip address 172 21 254 1 255 255 255 255 exit exit 3 Configure R2 terminal length 0 config line console serial timeout 0 exit ip rou...

Page 1028: ...5 255 0 routing ip ospf hello interval 1 ip ospf dead interval 4 ip ospf network point to point exit interface te1 0 22 switchport mode trunk exit interface loopback 0 ip address 172 21 254 2 255 255 255 255 exit exit 4 Configure R3 terminal length 0 config line console serial timeout 0 exit ip routing router ospf router id 3 3 3 3 network 172 21 0 0 0 0 255 255 area 0 timers spf 3 5 exit vlan 103...

Page 1029: ...s not receive this LSA directly from R0 it still correctly computes the route through the R0 R1 show ip route Route Codes R RIP Derived O OSPF Derived C Connected S Static B BGP Derived IA OSPF Inter Area E1 OSPF External Type 1 E2 OSPF External Type 2 N1 OSPF NSSA External Type 1 N2 OSPF NSSA External Type 2 O IA 100 0 0 0 24 110 2 via 172 21 1 10 00h 01m 35s 0 25 OSPF also blocks external LSAs o...

Page 1030: ...1030 Configuring OSPF and OSPFv3 ...

Page 1031: ...ermine the best route to transmit IP traffic RIP is best suited for small homogenous networks How Does RIP Determine Route Information The routing information is propagated in RIP update packets that are sent out both periodically and in the event of a network topology change On receipt of a RIP update depending on whether the specified route exists or does not exist in the route table the router ...

Page 1032: ...RIP 1 defined in RFC 1058 Routes are specified by IP destination network and hop count The routing table is broadcast to all stations on the attached network RIP 2 defined in RFC 1723 Route specification is extended to include subnet mask and gateway The routing table is sent to a multicast address reducing network traffic An authentication method is used for security The PowerConnect 8000 8100 se...

Page 1033: ...r interface default values for RIP Table 36 1 RIP Global Defaults Parameter Default Value Admin Mode Enabled Split Horizon Mode Simple Auto Summary Mode Disabled Host Routes Accept Mode Enabled Default Information Originate Disabled Default Metric None configured Route Redistribution Disabled for all sources Table 36 2 RIP Per Interface Defaults Parameter Default Value Admin Mode Disabled Send Ver...

Page 1034: ...ing and monitoring RIP features on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page RIP Configuration Use the Configuration page to enable and configure or disable RIP in Global mode To display the page click Routing RIP Configuration in the navigation panel Figure 36 1 RIP Configuration ...

Page 1035: ...figuration Use the Interface Configuration page to enable and configure or to disable RIP on a specific interface To display the page click Routing RIP Interface Configuration in the navigation panel Figure 36 2 RIP Interface Configuration ...

Page 1036: ...P RIP Interface Summary Use the Interface Summary page to display RIP configuration status on an interface To display the page click Routing RIP Interface Summary in the navigation panel Figure 36 3 RIP Interface Summary ...

Page 1037: ... values are entered an alert message is displayed with the list of all the valid values To display the page click Routing RIP Route Redistribution Configuration in the navigation panel Figure 36 4 RIP Route Redistribution Configuration NOTE Static reject routes are not redistributed by RIP For a static reject route the next hop interface value is Null0 Packets to the network address specified in s...

Page 1038: ...ibution Summary Use the Route Redistribution Summary page to display Route Redistribution configurations To display the page click Routing RIP Route Redistribution Summary in the navigation panel Figure 36 5 RIP Route Redistribution Summary ...

Page 1039: ...ration mode split horizon none simple poison Set the RIP split horizon mode none RIP does not use split horizon to avoid routing loops simple RIP uses split horizon to avoid routing loops poison RIP uses split horizon with poison reverse increases routing packet update size auto summary Enable the RIP auto summarization mode no hostroutesaccept Prevent the switch from accepting host routes default...

Page 1040: ...he interface to allow RIP control packets of the specified version s to be received ip rip authentication none simple key encrypt key key id set the RIP Version 2 Authentication Type and Key for the interface key Authentication key for the specified interface Range 16 bytes or less encrypt Specifies the Ethernet unit port of the interface to view information key id Authentication key identifier fo...

Page 1041: ...commands you use to configure ACLs see Configuring ACLs CLI on page 533 accesslistname The name used to identify an existing ACL ospf Apply the specified access list when OSPF is the source protocol static Apply the specified access list when packets come through the static route connected Apply the specified access list when packets come from a directly connected route redistribute static connect...

Page 1042: ...stributed external 2 Adds routes imported into OSPF as Type 2 external routes into any match types presently being redistributed nssa external 1 Adds routes imported into OSPF as NSSA Type 1 external routes into any match types presently being redistributed nssa external 2 Adds routes imported into OSPF as NSSA Type 2 external routes into any match types presently being redistributed distance rip ...

Page 1043: ...g console config ip routing 2 Create VLANs 10 20 and 30 console config vlan 10 20 30 3 Assign an IP address and enable RIP on each interface Additionally the commands specify that each interface can receive both RIP 1 and RIP 2 frames but send only RIP 2 formatted frames console config interface vlan 10 console config if vlan10 ip address 192 168 10 1 255 255 255 0 console config if vlan10 ip rip ...

Page 1044: ... config if vlan30 exit 4 Enable auto summarization of subprefixes when crossing classful boundaries console config router rip console config router auto summary console config router exit console config exit 5 Verify the configuration console show ip rip RIP Admin Mode Enable Split Horizon Mode Simple Auto Summary Mode Enable Host Routes Accept Mode Enable Global route changes 0 Global queries 0 D...

Page 1045: ... periods due to the failure of the default gateway router during which all traffic directed towards it is lost until the failure is detected How Does VRRP Work VRRP eliminates the single point of failure associated with static default routes by enabling a backup router to take over from a master router without affecting the end stations using the route The end stations will use a virtual IP addres...

Page 1046: ...ter If the VRRP master fails other members of the VRRP group will elect a master based on the configured router priority values For example router A is the interface owner and master and it has a priority of 255 Router B is configured with a priority of 200 and Router C is configured with a priority of 190 If Router A fails Router B assumes the role of VRRP master because it has a higher priority ...

Page 1047: ...RP master responds to both fragmented and un fragmented ICMP Echo Request packets The VRRP master responds to Echo Requests sent to the virtual router s primary address or any of its secondary addresses Members of the virtual router who are in backup state discard ping packets destined to VRRP addresses just as they discard any Ethernet frame sent to a VRRP MAC address When the VRRP master respond...

Page 1048: ...s up the value of the priority decrement is added to the current router priority If the resulting priority is more than the backup router priority the original VRRP master resumes control VRRP route tracking monitors the reachability of an IP route A tracked route is considered up when a routing table entry exists for the route and the route is accessible When the tracked route is removed from the...

Page 1049: ...rameter Default Value Admin Mode Disabled Virtual Router ID VRID None Range 1 255 Preempt Mode Enabled Preempt Delay 0 Seconds Learn Advertisement Timer Interval Enabled Accept Mode Disabled Priority 100 Advertisement Interval 1 Authentication None Route Tracking No routes tracked Interface Tracking No interfaces tracked ...

Page 1050: ...monitoring VRRP features on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page VRRP Configuration Use the Configuration page to enable or disable the administrative status of a virtual router To display the page click Routing VRRP Configuration in the navigation panel Figure 37 1 VRRP Configuration ...

Page 1051: ...ng VRRP 1051 VRRP Virtual Router Status Use the Router Status page to display virtual router status To display the page click Routing VRRP Router Status in the navigation panel Figure 37 2 Virtual Router Status ...

Page 1052: ...Virtual Router Statistics Use the Router Statistics page to display statistics for a specified virtual router To display the page click Routing VRRP Router Statistics in the navigation panel Figure 37 3 Virtual Router Statistics ...

Page 1053: ...53 VRRP Router Configuration Use the Configuration page to configure a virtual router To display the page click Routing VRRP Router Configuration Configuration in the navigation panel Figure 37 4 VRRP Router Configuration ...

Page 1054: ... to add new tracked routes To display the page click Routing VRRP Router Configuration Route Tracking Configuration in the navigation panel Figure 37 5 VRRP Route Tracking Configuration Configuring VRRP Route Tracking To configure VRRP route tracking 1 From the Route Tracking Configuration page click Add The Add Route Tracking page displays ...

Page 1055: ...estination network address track route prefix for the route to track Use dotted decimal format for example 192 168 10 0 4 Specify the prefix length for the tracked route 5 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked route becomes unreachable 6 Click Apply to update the switch ...

Page 1056: ...new tracked interfaces To display the page click Routing VRRP Router Configuration Interface Tracking Configuration in the navigation panel Figure 37 7 VRRP Interface Tracking Configuration Configuring VRRP Interface Tracking To configure VRRP interface tracking 1 From the Interface Tracking Configuration page click Add The Add Interface Tracking page displays ...

Page 1057: ...virtual router ID and VLAN routing interface that will track the interface 3 Specify the interface to track 4 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked interface goes down 5 Click Apply to update the switch ...

Page 1058: ...nter Interface Configuration mode for the specified VLAN vrrp vr id Allow the interface to create in the VRRP group specified by the vr id parameter which is a number from 1 255 vrrp vr id description Optional Create a text description that identifies the VRRP group vrrp vr id preempt delay seconds Enable the preemption mode value for the virtual router configured on a specified interface You can ...

Page 1059: ...rement priority Specify an interface the virtual router vr id on the interface will track If the interface goes down the virtual router priority is decreased by the amount specified by the priority value vrrp vr id track ip route ip address prefix length decrement priority Specify a route that the virtual router vr id on the interface will track If the route to the destination network specified by...

Page 1060: ... Sharing VRRP with Route and Interface Tracking VRRP with Load Sharing In Figure 37 9 two L3 PowerConnect switches are performing the routing for network clients Router A is the default gateway for some clients and Router B is the default gateway for other clients Figure 37 9 VRRP with Load Sharing Network Diagram ...

Page 1061: ...onsole config interface vlan 10 console config if vlan10 ip address 192 168 10 1 255 255 255 0 console config if vlan10 exit 3 Enable VRRP for the switch console config ip vrrp 4 Assign a virtual router ID to the VLAN routing interface for the first VRRP group console config interface vlan 10 console config if vlan10 vrrp 10 5 Specify the IP address that the virtual router function will use The ro...

Page 1062: ...Create and configure the VLAN routing interface to use as the default gateway for network clients This example assumes all other routing interfaces such as the interface to the external network have been configured console config interface vlan 10 console config if vlan10 ip address 192 168 10 2 255 255 255 0 console config if vlan10 exit 3 Enable VRRP for the switch console config ip vrrp 4 Assig...

Page 1063: ...alue is 255 by default console config if vlan10 vrrp 20 ip 192 168 10 2 9 Configure an optional description to help identify the VRRP group console config if vlan10 vrrp 20 description backup 10 Enable the VRRP groups on the interface console config if vlan10 ip vrrp 10 mode console config if vlan10 ip vrrp 20 mode console config if vlan10 exit console config exit ...

Page 1064: ... IP address 192 168 10 15 as the default gateway Figure 37 10 VRRP with Tracking Network Diagram Without VRRP interface or route tracking if something happened to VLAN 25 or the route to the external network as long as Router A remains up it will continue to be the VRRP master even though traffic from the clients does not have a path to the external network However if the interface and or route tr...

Page 1065: ...ess that the virtual router function will use console config if vlan10 vrrp 10 ip 192 168 10 15 6 Configure the router priority console config if vlan10 vrrp 10 priority 200 7 Enable preempt mode so that the router can regain its position as VRRP master if its priority is greater than the priority of the backup router console config if vlan10 vrrp 10 preempt 8 Enable the VRRP groups on the interfa...

Page 1066: ...p routing 2 Create and configure the VLAN routing interface to use as the default gateway for network clients This example assumes all other routing interfaces such as the interface to the external network have been configured console config interface vlan 10 console config if vlan10 ip address 192 168 10 2 255 255 255 0 console config if vlan10 exit 3 Enable VRRP for the switch console config ip ...

Page 1067: ...Configuring VRRP 1067 8 Enable the VRRP groups on the interface console config if vlan10 ip vrrp 10 mode console config if vlan10 exit console config exit ...

Page 1068: ...1068 Configuring VRRP ...

Page 1069: ... on page 1093 For information about IPv6 multicast see Managing IPv4 and IPv6 Multicast on page 1167 For configuration examples that include IPv6 interface configuration see OSPF Configuration Examples on page 1008 IPv6 Routing Overview IPv6 is the next generation of the Internet Protocol With 128 bit addresses versus 32 bit addresses for IPv4 IPv6 solves the address depletion issues seen with IPv...

Page 1070: ...and multicast Unicast addresses allow direct one to one communication between two hosts whereas multicast addresses allow one to many communication Multicast addresses are used as destinations only Unicast addresses will have 00 through fe in the most significant octets and multicast addresses will have ff in the most significant octets How Are IPv6 Interfaces Configured In PowerConnect 8000 8100 ...

Page 1071: ...may not be available One transition mechanism is to tunnel IPv6 packets inside IPv4 to reach remote IPv6 islands When a packet is sent over such a link it is encapsulated in IPv4 in order to traverse an IPv4 network and has the IPv4 headers removed at the other end of the tunnel Default IPv6 Routing Values IPv6 is disabled by default on the switch and on all interfaces Table 38 1 shows the default...

Page 1072: ...e Disabled Routing Mode Enabled Interface Maximum Transmit Unit 1500 Router Duplicate Address Detection Transmits 1 Router Advertisement NS Interval Not configured Router Lifetime Interval 1800 seconds Router Advertisement Reachable Time 0 seconds Router Advertisement Interval 600 seconds Router Advertisement Managed Config Flag Disabled Router Advertisement Other Config Flag Disabled Router Adver...

Page 1073: ...s on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page Global Configuration Use the Global Configuration page to enable IPv6 forwarding on the router enable the forwarding of IPv6 unicast datagrams and configure global IPv6 settings To display the page click Routing IPv6 Global Configuration in the navigation panel Figure 38 1 IPv6 Global Co...

Page 1074: ...face Configuration page to configure IPv6 interface parameters This page has been updated to include the IPv6 Destination Unreachables field To display the page click Routing IPv6 Interface Configuration in the navigation panel Figure 38 2 IPv6 Interface Configuration ...

Page 1075: ...outing 1075 Interface Summary Use the Interface Summary page to display settings for all IPv6 interfaces To display the page click Routing IPv6 Interface Summary in the navigation panel Figure 38 3 IPv6 Interface Summary ...

Page 1076: ...6 Routing IPv6 Statistics Use the IPv6 Statistics page to display IPv6 traffic statistics for one or all interfaces To display the page click Routing IPv6 IPv6 Statistics in the navigation panel Figure 38 4 IPv6 Statistics ...

Page 1077: ...g 1077 IPv6 Neighbor Table Use the IPv6 Neighbor Table page to display IPv6 neighbor details for a specified interface To display the page click IPv6 IPv6 Neighbor Table in the navigation panel Figure 38 5 IPv6 Neighbor Table ...

Page 1078: ...bout the network information automatically assigned to an interface by the DHCPv6 server This page displays information only if the DHCPv6 client has been enabled on an IPv6 routing interface To display the page click Routing IPv6 DHCPv6 Client Parameters in the navigation panel Figure 38 6 DHCPv6 Client Parameters ...

Page 1079: ... Configuration Use the IPv6 Route Entry Configuration page to configure information for IPv6 routes To display the page click Routing IPv6 IPv6 Routes IPv6 Route Entry Configuration in the navigation panel Figure 38 7 IPv6 Route Entry Configuration ...

Page 1080: ...uting IPv6 Route Table Use the IPv6 Route Table page to display all active IPv6 routes and their settings To display the page click Routing IPv6 IPv6 Routes IPv6 Route Table in the navigation panel Figure 38 8 IPv6 Route Table ...

Page 1081: ...f any other protocol The best route to a destination is chosen by selecting the route with the lowest preference value When there are multiple routes to a destination the preference values are used to determine the preferred route If there is still a tie the route with the best route metric is chosen To avoid problems with mismatched metrics you must configure different preference values for each ...

Page 1082: ...Pv6 Routes Configured IPv6 Routes in the navigation panel Figure 38 10 Configured IPv6 Routes To remove a configured route select the check box in the Delete column of the route to remove and click Apply NOTE For a static reject route the next hop interface value is Null0 Packets to the network address specified in static reject routes are intentionally dropped ...

Page 1083: ...onfigure Enter global configuration mode sdm prefer dual ipv4 and ipv6 default Select a Switch Database Management SDM template to enable support for both IPv4 and IPv6 Changing the SDM template requires a system reload ipv6 unicast routing Globally enable IPv6 routing on the switch ipv6 hop limit limit Set the TTL value for the router The valid range is 0 to 255 ipv6 icmp error interval burst int...

Page 1084: ...setting an address Link local multicast IPv4 compatible and IPv4 mapped addresses are not allowed to be configured Include the EUI 64 keyword to have the system add the 64 bit interface ID to the address You must use a network prefix length of 64 in this case For VLAN interfaces use the dhcp keyword to enable the DHCPv6 client and obtain an IP address form a network DHCPv6 server ipv6 mtu size VLA...

Page 1085: ...onfiguration off link Do not use the prefix for onlink determination ipv6 nd ra interval maximum minimum Set the transmission interval between router Neighbor Discovery advertisements maximum The maximum interval duration Range 4 1800 seconds minimum The minimum interval duration Range 3 0 75 maximum seconds ipv6 nd ra lifetime seconds Set the value that is placed in the Router Lifetime field of t...

Page 1086: ...teful configuration flag in router advertisements sent from the interface ipv6 nd managed config flag Set the managed address configuration flag in router advertisements When the value is true end nodes use DHCPv6 When the value is false end nodes automatically configure addresses ipv6 nd reachable time milliseconds Set the router advertisement time to consider a neighbor reachable after neighbor ...

Page 1087: ...next hop address The IPv6 address of the next hop that can be used to reach the specified network A link local next hop address must have a prefix length of 128 The next hop address cannot be an unspecified address all zeros a multicast address or a loopback address If a link local next hop address is specified the interface VLAN or tunnel must also be specified preference Also known as Administra...

Page 1088: ...ce integer Set the default distance preference for static IPv6 routes Lower route preference values are preferred when determining the best route The default distance preference for static routes is 1 exit Exit to Global Config mode Command Purpose ...

Page 1089: ...ength protocol interface type interface number best View the routing table ipv6 address Specifies an IPv6 address for which the best matching route would be displayed protocol Specifies the protocol that installed the routes Is one of the following keywords connected ospf static ipv6 prefix prefix length Specifies an IPv6 network for which the matching route would be displayed interface type inter...

Page 1090: ... route 0 null 254 Use this in all routers except the ones with direct Internet connectivity Routers with direct Internet connectivity should advertise a default route The effect of this route is that when a router does not have connectivity to the Internet the router will quickly discard packets that it cannot deliver If the router learns a default route from another router the learned route will ...

Page 1091: ...cific route will have precedence Another use for the Reject route is to prevent internal hosts from communication with specific addresses or ranges of addresses The effect is the same as an outgoing access list with a deny statement A route is generally more efficient than an access list that performs the same function If you need more fine grained filtering such as protocols or port numbers use t...

Page 1092: ...1092 Configuring IPv6 Routing ...

Page 1093: ...ients and servers for the purpose of assigning IP addresses gateways and other networking definitions such as Domain Name System DNS and Network Time Protocol NTP parameters However IPv6 natively provides IP address auto configuration through IPv6 Neighbor Discovery Protocol NDP and through the use of Router Advertisement messages Thus the role of DHCPv6 within the network is different than that o...

Page 1094: ... response A DHCPv6 server then responds by providing only networking definitions such as DNS domain name and server definitions NTP server definitions or SIP definitions What Is the DHCPv6 Relay Agent Information Option The DHCPv6 Relay Agent Information Option allows for various sub options to be attached to messages that are being relayed by the local router to a DHCPv6 server The DHCPv6 server ...

Page 1095: ...ients may request multiple IPv6 prefixes Also DHCPv6 clients may request specific IPv6 prefixes If the configured DHCPv6 pool contains the specific prefix that a DHCPv6 client requests then that prefix will be delegated to the client Otherwise the first available IPv6 prefix within the configured pool will be delegated to the client Default DHCPv6 Server and Relay Values By default the DHCPv6 serv...

Page 1096: ...nfiguring and monitoring the DHCPv6 server on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page DHCPv6 Global Configuration Use the Global Configuration page to configure DHCPv6 global parameters To display the page click Routing IPv6 DHCPv6 Global Configuration in the navigation panel Figure 39 2 DHCPv6 Global Configuration ...

Page 1097: ...omain names of DNS servers To display the page click Routing IPv6 DHCPv6 Pool Configuration in the navigation panel Figure 39 3 shows the page when no pools have been created After a pool has been created additional fields display Figure 39 3 Pool Configuration Configuring a DHCPv6 Pool To configure the pool 1 Open the Pool Configuration page 2 Select Create from the Pool Name menu and type a name...

Page 1098: ...om the DNS Server Address menu select an existing DNS Server Address to associate with this pool or select Add and specify a new server to add 5 From the Domain Name menu select an existing domain name to associate with this pool or select Add and specify a new domain name 6 Click Apply ...

Page 1099: ...iguration page to configure a delegated prefix for a pool At least one pool must be created using DHCPv6 Pool Configuration before a delegated prefix can be configured To display the page click Routing IPv6 DHCPv6 Prefix Delegation Configuration in the navigation panel Figure 39 5 Prefix Delegation Configuration ...

Page 1100: ...se the Pool Summary page to display settings for all DHCPv6 Pools At least one pool must be created using DHCPv6 Pool Configuration before the Pool Summary displays To display the page click Routing IPv6 DHCPv6 Pool Summary in the navigation panel Figure 39 6 Pool Summary ...

Page 1101: ...e the DHCPv6 Interface Configuration page to configure a DHCPv6 interface To display the page click Routing IPv6 DHCPv6 Interface Configuration in the navigation panel The fields that display on the page depend on the selected interface mode Figure 39 7 DHCPv6 Interface Configuration ...

Page 1102: ...Figure 39 8 shows the screen when the selected interface mode is Server Figure 39 8 DHCPv6 Interface Configuration Server Mode Figure 39 9 shows the screen when the selected interface mode is Relay Figure 39 9 DHCPv6 Interface Configuration Relay Mode ...

Page 1103: ...tings 1103 DHCPv6 Server Bindings Summary Use the Server Bindings Summary page to display all DHCPv6 server bindings To display the page click Routing IPv6 DHCPv6 Bindings Summary in the navigation panel Figure 39 10 Server Bindings Summary ...

Page 1104: ...nd Relay Settings DHCPv6 Statistics Use the DHCPv6 Statistics page to display DHCPv6 statistics for one or all interfaces To display the page click Routing IPv6 DHCPv6 Statistics in the navigation panel Figure 39 11 DHCPv6 Statistics ...

Page 1105: ...re pool parameters for DHCPv6 clients that obtain IPv6 network information dynamically Command Purpose configure Enter Global Configuration mode service dhcpv6 Enable the DHCPv6 server ipv6 dhcp relay agent info opt option Configure a number to represent the DHCPv6 Relay Agent Information Option The option parameter is an integer from 54 65535 ipv6 dhcp relay agent info remote id subopt suboption ...

Page 1106: ...fix length client DUID name hostname valid lifetime valid lifetime infinite preferred lifetime preferred lifetime infinite Define an IPv6 prefixes within a pool for distributing to specific DHCPv6 Prefix delegation clients prefix prefix length Delegated IPv6 prefix client DUID DHCP Unique Identifier for the client e g 00 01 00 09 f8 79 4e 00 04 76 73 43 76 hostname Client hostname used for logging...

Page 1107: ...interface vlan vlan id interface vlan vlan id remote id duid ifid user defined string Configure the interface for DHCPv6 relay functionality destination Keyword that sets the relay server IPv6 address relay address An IPv6 address of a DHCPv6 relay server interface Sets the relay server interface vlan id A valid VLAN ID remote id duid ifid user defined string The Relay Agent Information Option rem...

Page 1108: ...viated exchange between the client and server pref value Preference value used by clients to determine preference between multiple DHCPv6 servers Range 0 4294967295 CTRL Z Exit to Privileged Exec Mode show ipv6 dhcp interface tunnel tunnel id vlan vlan id View DHCPv6 information for all interfaces or for the specified interface Command Purpose show ipv6 dhcp binding address View the current bindin...

Page 1109: ...l VLAN routing interface 100 is configured as a DHCPv6 server Setting NDP on the interface to send the other config flag option allows the interface to prompt DHCPv6 clients to request only stateless server information To configure the switch 1 Enable the DHCPv6 feature console configure console config service dhcpv6 2 Create the DHCPv6 pool and configure stateless information console config ipv6 ...

Page 1110: ...nts The prefix to DUID mapping is defined within the DHCPv6 pool To configure the switch 1 Create the DHCPv6 pool and specify the domain name and DNS server information console config ipv6 dhcp pool my pool2 console config dhcp6s pool domain name dell com console config dhcp6s pool dns server 2001 DB8 A328 22C 1 2 Specify the prefix delegations for specific clients The first two commands provide m...

Page 1111: ... the destination address of the relay server and the interface used for reachability to the relay server To configure the switch 1 Create VLAN 300 and define its IPv6 address console config interface vlan 300 console config if vlan300 ipv6 address 2001 DB8 03a 64 2 Configure the interface as a DHCPv6 relay agent and specify the IPv6 address of the relay server The command also specifies that the r...

Page 1112: ...1112 Configuring DHCPv6 Server and Relay Settings Relay Interface Number Vl100 Relay Remote ID Option Flags ...

Page 1113: ...v CLI DiffServ Configuration Examples DiffServ Overview Standard IP based networks are designed to provide best effort data delivery service Best effort service implies that the network delivers the data in a timely fashion although there is no guarantee that it will During times of congestion packets may be delayed sent sporadically or dropped For typical Internet applications such as email and f...

Page 1114: ...riate queue management algorithms Before configuring DiffServ on PowerConnect 8000 8100 series switches you must determine the QoS requirements for the network as a whole The requirements are expressed in terms of rules which are used to classify inbound or outbound traffic on a particular interface What Are the Elements of DiffServ Configuration During configuration you define DiffServ rules in t...

Page 1115: ...dropping or re marking those that exceed the class s assigned data rate Counting the traffic within the class Service Assigns a policy to an interface for inbound traffic Default DiffServ Values Table 40 1 shows the global default values for DiffServ NOTE You can use an 802 1X authenticator or RADIUS server to dynamically assign DiffServ filters to ports when a host connects to a port and authenti...

Page 1116: ...switch For details about the fields on a page click at the top of the page DiffServ Configuration Use the DiffServ Configuration page to display the DiffServ administrative mode setting as well as the current and maximum number of rows in each of the main DiffServ private MIB tables To display the page click Quality of Service Differentiated Services DiffServ Configuration in the navigation panel ...

Page 1117: ...he page click Quality of Service Differentiated Services Class Configuration in the navigation panel Figure 40 2 DiffServ Class Configuration Adding a DiffServ Class To add a DiffServ class 1 From the DiffServ Class Configuration page click Add to display the Add Class page Figure 40 3 Add DiffServ Class 2 Enter a name for the class and select the protocol to use for class match criteria ...

Page 1118: ... Show All Figure 40 4 View DiffServ Class Summary Class Criteria Use the DiffServ Class Criteria page to define the criteria to associate with a DiffServ class As packets are received these DiffServ classes are used to identify packets To display the page click Quality of Service Differentiated Services Class Criteria in the navigation panel ...

Page 1119: ...Configuring Differentiated Services 1119 Figure 40 5 DiffServ Class Criteria ...

Page 1120: ...n of classes with one or more policy statements To display the page click Quality of Service Differentiated Services Policy Configuration in the navigation panel Figure 40 6 DiffServ Policy Configuration Adding a New Policy Name To add a policy 1 From the DiffServ Policy Configuration page click Add to display the Add Policy page ...

Page 1121: ...ted Services 1121 Figure 40 7 Add DiffServ Policy 2 Enter the new Policy Name 3 Click Apply to save the new policy 4 To view a summary of the policies configured on the switch click Show All Figure 40 8 View DiffServ Policies ...

Page 1122: ...e to associate a class to a policy and to define attributes for that policy class instance To display the page click Quality of Service Differentiated Services Policy Class Definition in the navigation panel Figure 40 9 DiffServ Policy Class Definition To view a summary of the policy attributes click Show All ...

Page 1123: ...arked with either an IP DSCP IP precedence or CoS value 1 Select Marking from the Traffic Conditioning drop down menu on the DiffServ Policy Class Definition page The Packet Marking page displays Figure 40 11 Policy Class Definition Packet Marking 2 Select IP DSCP IP Precedence or Class of Service to mark for this policy class 3 Select or enter a value for this field 4 Click Apply to define the po...

Page 1124: ...icing page displays the Policy Name Class Name and Policing Style Select a value for the following fields Color Mode The type of color policing used Color Blind or Color Aware Conform Action Selector The action taken on packets that are considered conforming below the police rate Options are Send Drop Mark CoS Mark IP DSCP Mark IP Precedence Violate Action The action taken on packets that are cons...

Page 1125: ...ice Configuration page to activate a policy on a port To display the page click Quality of Service Differentiated Services Service Configuration in the navigation panel Figure 40 13 DiffServ Service Configuration To view a summary of the services configured on the switch click Show All ...

Page 1126: ...1126 Configuring Differentiated Services Figure 40 14 DiffServ Service Summary ...

Page 1127: ...the DiffServ Service Detailed Statistics page to display packet details for a particular port and class To display the page click Quality of Service Differentiated Services Service Detailed Statistics in the navigation panel Figure 40 15 DiffServ Service Detailed Statistics ...

Page 1128: ... to create a mirroring session in which the traffic that matches the specified policy and member class is mirrored to a destination port To display the Flow Based Mirroring page click Switching Ports Traffic Mirroring Flow Based Mirroring in the navigation panel Figure 40 16 Flow Based Mirroring ...

Page 1129: ...ed information CLI Command Description configure Enter global configuration mode diffserv Set the DiffServ operational mode to active exit Exit to Privileged EXEC mode show diffserv Display the DiffServ general information which includes the current administrative mode setting as well as the current and maximum number of DiffServ components CLI Command Description configure Enter global configurat...

Page 1130: ... match ip dscp Add to the specified class definition a match condition based on the value of the IP DiffServ Code Point DSCP field in a packet match ip precedence Add to the specified class definition a match condition based on the value of the IP match ip tos Add to the specified class definition a match condition based on the value of the IP TOS field in a packet match protocol Add to the specif...

Page 1131: ...iption configure Enter global configuration mode class map match all class map name ipv6 Define a new DiffServ class match any Configure a match condition for all the packets match class map Add to the specified class definition the set of match conditions defined for another class match dstip6 Add to the specified class definition a match condition based on the destination IPv6 address of a packe...

Page 1132: ...o the specified class definition a match condition based on the source IPv6 address of a packet match srcl4port Add to the specified class definition a match condition based on the source layer 4 port of a packet using a single keyword a numeric notation or a numeric range notation CLI Command Description configure Enter global configuration mode policy map policy name in Create a new DiffServ pol...

Page 1133: ...m action drop set cos transmit cos set prectransmit cos set dscp transmit dscpval transmit violateaction drop set cos transmit cos set prec transmit cos set dscp transmit dscpval transmit Establish the traffic policing style for the specified class The simple form of the police command uses a single data rate and burst size resulting in two outcomes conform and nonconform datarate Data rate in kil...

Page 1134: ...ue Mark all packets for the associated traffic stream with the specified IP DSCP value mark ip precedence value Mark all packets for the associated traffic stream with the specified IP precedence value range 0 7 mirror interface redirect interface Use mirror to mirror all packets for the associated traffic stream that matches the defined class to the specified destination port or LAG Use redirect ...

Page 1135: ...used in either Global Configuration mode for all system interfaces or Interface Configuration mode for a specific interface exit Exit to Privilege Exec mode show diffserv service brief in out Display all interfaces in the system to which a DiffServ policy has been attached show diffserv service interface interface in out Display policy service information for the specified interface where interfac...

Page 1136: ...nternet or other external network to different departments within a company Each of four departments has its own Class B subnet that is allocated 25 of the available bandwidth on the port accessing the Internet Figure 40 17 DiffServ Internet Access Example Network Diagram Finance Marketing Test Development Internet Layer 3 Switch Port 1 0 5 Outbound 1 0 1 1 0 2 1 0 3 1 0 4 Source IP 172 16 10 0 25...

Page 1137: ...5 0 console config classmap exit console config class map match all development_dept console config classmap match srcip 172 16 40 0 255 255 255 0 console config classmap exit 3 Create a DiffServ policy for inbound traffic named internet_access adding the previously created department classes as instances within this policy This policy uses the assign queue attribute to put each department s traff...

Page 1138: ..._access console config if Te1 0 3 exit console config interface tengigabitethernet 1 0 4 console config if Te1 0 4 service policy in internet_access console config if Te1 0 4 exit 5 Set the CoS queue configuration for the presumed egress 10 Gigabit Ethernet interface 1 0 1 such that each of queues 1 2 3 and 4 get a minimum guaranteed bandwidth of 25 All queues for this interface use weighted round...

Page 1139: ...ample shows one way to provide the necessary quality of service how to set up a class for UDP traffic have that traffic marked on the inbound side and then expedite the traffic on the outbound side The configuration script is for Router 1 in the accompanying diagram a similar script should be applied to Router 2 Figure 40 18 DiffServ VoIP Example Network Diagram Internet Layer 3 Switch Operating a...

Page 1140: ... DiffServ code point DSCP of EF expedited forwarding This handles incoming traffic that was previously marked as expedited elsewhere in the network console config class map match all class_ef console config classmap match ip dscp ef console config classmap exit 4 Create a DiffServ policy for inbound traffic named pol_voip then add the previously created classes class_ef and class_voip as instances...

Page 1141: ...cy classmap exit console config policy map exit 5 Attach the defined policy to an inbound service interface console config interface tengigabitethernet 1 0 1 console config if Te1 0 1 service policy in pol_voip console config if Te1 0 1 exit console config exit ...

Page 1142: ...1142 Configuring Differentiated Services ...

Page 1143: ...s chapter include CoS Overview Default CoS Values Configuring CoS Web Configuring CoS CLI CoS Configuration Example CoS Overview The CoS feature lets you give preferential treatment to certain types of traffic over others To set up this preferential treatment you can configure the ingress ports the egress ports and individual queues on the egress ports to provide customization that suits your envi...

Page 1144: ... priority designations based on one of the following fields in the packet header 802 1 Priority values 0 7 IP DSCP values 0 63 A mapping table associates the designated field values in the incoming packet headers with a traffic class priority actually a CoS traffic queue Ports in Untrusted Mode If you configure an ingress port in untrusted mode the system ignores any priority designations encoded ...

Page 1145: ... have an equal offered load toward a congested output port CoS queue 2 will receive 3 6 of the bandwidth CoS queue 1 will receive 2 6 of the bandwidth and CoS queue 0 will receive 1 6 of the bandwidth The minimum bandwidth setting can be used to override the strict priority and weighted settings The highest numbered strict priority queue will receive no more bandwidth than 100 percent minus the su...

Page 1146: ...is value provides a scaling factor for increasing the number of packets of the selected drop precedence level that are dropped as the queue depth increases The drop probability supports configuration in the range of 0 to 10 and the discrete values 25 50 and 75 Values not listed are truncated to the next lower value in hardware CoS Queue Usage CoS queue 7 is reserved by the system and is not assign...

Page 1147: ...lay the page click Quality of Service Class of Service Mapping Table Configuration in the navigation panel CoS 802 1P is the default mode so this is the page that displays when Mapping Table Configuration is selected from the Class of Service menu page IP DSCP value to queue mapping IP DSCP Queue 0 7 24 31 1 8 23 0 32 47 2 48 63 3 Interface Shaping Rate 0 Kbps Minimum Bandwidth 0 Scheduler Type We...

Page 1148: ...1148 Configuring Class of Service Figure 41 1 Mapping Table Configuration CoS 802 1P ...

Page 1149: ...Configuring Class of Service 1149 To access the DSCP Queue Mapping Table click the DSCP Queue Mapping Table link at the top of the page Figure 41 2 DSCP Queue Mapping Table ...

Page 1150: ... the decay exponent for WRED queues defined on the interface Each interface CoS parameter can be configured globally or per port A global configuration change is applied to all interfaces in the system To display the Interface Configuration page click Quality of Service Class of Service Interface Configuration in the navigation panel Figure 41 3 Interface Configuration ...

Page 1151: ...ing method and the queue management method The configuration process is simplified by allowing each CoS queue parameter to be configured globally or per port A global configuration change is applied to the same queue ID on all ports in the system To display the Interface Queue Configuration page click Quality of Service Class of Service Interface Queue Configuration in the navigation panel Figure ...

Page 1152: ...led interface queue The settings you configure control the minimum and maximum thresholds and a drop probability scaling factor for the selected drop precedence level These parameters can be applied to each drop precedence level on a per interface queue basis or can be set globally for the same drop precedence level and queue ID on all interfaces To display the Interface Queue Drop Precedence Conf...

Page 1153: ...Configuring Class of Service 1153 Figure 41 5 Interface Queue Drop Precedence Configuration To access the Interface Queue Drop Precedence Status page click the Show All link at the top of the page ...

Page 1154: ...itethernet unit slot port or port channel port channel number classofservice dotlp mapping priority Map an 802 1p priority to an internal traffic class for a switch You can also use this command in Global Configuration mode to configure the same mappings on all interfaces classofservice trust dot1p ip dscp untrusted Set the class of service trust mode of an interface exit Exit to Global Config mod...

Page 1155: ...om detect exponential weighting constant exponent Configure the WRED decay exponent range 0 15 for the interface The weighting constant exponent determines how much of the previous average queue length sample is added to the current average queue length A value of 0 indicates that no weight is given to the previous sample and only the instantaneous rate is used A value of 1 indicates that 1 2 of t...

Page 1156: ...xit to Privilege Exec mode show interfaces cos queue Display the class of service queue configuration for a specified interface or all interfaces CLI Command Description configure Enter Global Configuration mode interface interface Enter Interface Configuration mode where interface is replaced by tengigabitethernet unit slot port or port channel port channel number random detect queue parms queue ...

Page 1157: ...hich serves to direct packets A B and D to their respective queues on the egress port These three packets utilize the 802 1p to CoS Mapping Table for port te1 0 10 In this example the 802 1p user priority 3 is configured to send the packet to queue 5 instead of the default queue 3 Since packet C does not contain a VLAN tag the 802 1p user priority does not exist so port te1 0 10 relies on its defa...

Page 1158: ...port 10 console config console config interface tengigabitethernet 1 0 10 console config if Te1 0 10 classofservice trust dot1p 2 For port 10 configure the 802 1p user priority 3 to send the packet to queue 5 instead of the default queue queue 3 console config if Te1 0 10 classofservice dot1p mapping 3 5 3 For port 10 specify that untagged VLAN packets should have a default priority of 2 console c...

Page 1159: ...dth guarantee Lossless traffic classes generally use the default WRR scheduling mode as opposed to strict priority to avoid starving other traffic For example the following commands assign user priority 4 to CoS queue 4 and reserve 50 of the scheduler bandwidth to CoS queue 4 classofservice dot1p mapping 4 4 cos queue min bandwidth 0 0 0 0 50 0 0 ...

Page 1160: ...1160 Configuring Class of Service ...

Page 1161: ...limited to 16 sessions Voice VLAN is the preferred solution for enterprises wishing to deploy a large scale voice service The topics covered in this chapter include Auto VoIP Overview Default Auto VoIP Values Configuring Auto VoIP Web Configuring Auto VoIP CLI Auto VoIP Overview The Auto VoIP feature explicitly matches VoIP streams in Ethernet switches and provides them with a better class of serv...

Page 1162: ...ists from the global system pool ACL lists allocated by Auto VoIP reduce the total number of ACLs available for use by the network operator Enabling Auto VoIP uses one ACL list to monitor for VoIP sessions Each monitored VoIP session utilizes two rules from an additional ACL list This means that the maximum number of ACL lists allocated by Auto VoIP is two Default Auto VoIP Values Table 42 1 shows...

Page 1163: ...guration Use the Global Configuration page to enable or disable Auto VoIP on all interfaces To display the Auto VoIP Global Configuration page click Quality of Service Auto VoIP Global Configuration in the navigation menu Figure 42 1 Auto VoIP Global Configuration Auto VoIP Interface Configuration Use the Interface Configuration page to enable or disable Auto VoIP on a particular interface To disp...

Page 1164: ...1164 Configuring Auto VoIP Figure 42 2 Auto VoIP Interface Configuration ...

Page 1165: ...Configuring Auto VoIP 1165 To display summary Auto VoIP configuration information for all interfaces click the Show All link at the top of the page Figure 42 3 Auto VoIP ...

Page 1166: ...rivileged Exec mode use the following commands in to enable Auto VoIP and view its configuration CLI Command Description configure Enter Global Configuration mode switchport voice detect auto Enable the VoIP Profile on all the interfaces of the switch You can also enter Interface Configuration mode and use the same command to enable it on a specific interface exit Exit to Global Configuration Exec...

Page 1167: ...only to hosts who are members of the multicast group Multicast enables efficient use of network bandwidth because each multicast datagram needs to be transmitted only once on each network link regardless of the number of destination hosts Multicasting contrasts with IP unicasting which sends a separate datagram to each recipient host The IP routing protocols can route multicast traffic but the IP ...

Page 1168: ...s connected to the network This approach works well for broadcast packets that are intended to be seen or processed by all connected nodes In the case of multicast packets however this approach could lead to less efficient use of network bandwidth particularly when the packet is intended for only a small number of nodes Packets will be flooded into network segments where no node has any interest i...

Page 1169: ...cast distribution tree that enables forwarding multicast datagrams only on the links that are required to reach a destination group member Protocols such as DVMRP and PIM handle this function IGMP and MLD are multicast group discovery protocols that are used between the clients and the local multicast router PIM SM PIM DM and DVMRP are multicast routing protocols that are used across different sub...

Page 1170: ...cols to Enable IGMP is required on any multicast router that serves IPv4 hosts IGMP is not required on inter router links MLD is required on any router that serves IPv6 hosts MLD is not required on inter router links PIM DM PIM SM and DVMRP are multicast routing protocols that help determine the best route for IP PIM and DVMRP and IPv6 PIM multicast traffic For more information about when to use P...

Page 1171: ... router to learn multicast group membership information and forward multicast packets based upon the group membership information The IGMP Proxy is capable of functioning only in certain topologies that do not require Multicast Routing Protocols i e DVMRP PIM DM and PIM SM and have a tree like topology as there is no support for features like reverse path forwarding RPF to correct packet route loo...

Page 1172: ...lticast address listeners information from systems on an attached network These queries are used to build and refresh the multicast address listener state on attached networks Multicast listeners respond to these queries by reporting their multicast addresses listener state and their desired set of sources with Current State Multicast address Records in the MLD2 Membership Reports The Multicast ro...

Page 1173: ...want the multicast traffic unless they specifically ask for it It initially creates a shared distribution tree centered on a defined rendezvous point RP through which source traffic is relayed to the ultimate receiver Multicast traffic sources first send the multicast data to the RP which in turn sends the data down the shared tree to the receivers Shared trees centered on an RP do not necessarily...

Page 1174: ...applications and help ensure that the multicast traffic is recovered quickly in such scenarios PIM SM Protocol Operation This section describes the workings of PIM SM protocol per RFC 4601 The protocol operates essentially in three phases as explained in the following sections Phase 1 RP Tree Figure 43 1 PIM SM Shared Tree Join In this example an active receiver attached to leaf router at the bott...

Page 1175: ... an active source for group G sends a packet the designated router DR that is attached to this source is responsible for Registering this source with the RP and requesting the RP to build a tree back to that router To do this the source router encapsulates the multicast data from the source in a special PIM SM message called the Register message and unicasts that data to the RP When the RP receive...

Page 1176: ...ted in the entire router path along the SPT including the RP Figure 43 3 PIM SM Sender Registration Part 2 As soon as the SPT is built from the Source router to the RP multicast traffic begins to flow unencapsulated from source S to the RP Once this is complete the RP Router will send a Register Stop message to the first hop router to tell it to stop sending the encapsulated data to the RP ...

Page 1177: ...fic function called SwitchToSptDesired S G in the standard and generally takes a number of seconds to switch to the SPT In the above example the last hop router at the bottom of the drawing sends an S G Join message toward the source to join the SPT and bypass the RP This S G Join messages travels hop by hop to the first hop router i e the router connected directly to the source thereby creating a...

Page 1178: ...art 2 Finally special S G RP bit Prune messages are sent up the Shared Tree to prune off this S G traffic from the Shared Tree If this were not done S G traffic would continue flowing down the Shared Tree resulting in duplicate S G packets arriving at the receiver ...

Page 1179: ... and IPv6 Multicast 1179 Figure 43 6 PIM SM SPT Part 3 At this point S G traffic is now flowing directly from the first hop router to the last hop router and from there to the receiver Figure 43 7 PIM SM SPT Part 4 ...

Page 1180: ... and from there to the receiver Notice that traffic is no longer flowing to the RP The PIM standard requires support for multi hop RP in that a router running PIM can act as an RP even if it is multiple router hops away from the multicast source This requires that the first hop router perform encapsulation of the multicast data and forward it as unicast toward the RP In practice this encapsulation...

Page 1181: ...p router subsequently receives the PIM Join from the RP the block is replaced with a regular multicast forwarding entry so that subsequent data packets are forwarded in the hardware If the initial Register message s does not reach the RP or the PIM Join sent in response does not reach the first hop router then the data stream would never get forwarded To solve this the negative entry is timed out ...

Page 1182: ...ing data all downstream routers and hosts want to receive a multicast datagram PIM DM initially floods multicast traffic throughout the network Routers that do not have any downstream neighbors prune back the unwanted traffic In addition to PRUNE messages PIM DM makes use of graft and assert messages Graft messages are used whenever a new host wants to join the group Assert messages are used to sh...

Page 1183: ... avoided Understanding DVMRP Multicast Packet Routing DVMRP is based on RIP it forwards multicast datagrams to other routers in the AS and constructs a forwarding table based on information it learns in response More specifically it uses this sequence A new multicast packet is forwarded to the entire multicast network with respect to the time to live TTL of the packet The TTL restricts the area to...

Page 1184: ...en multicast traffic stream DVMRP is similar to PIM DM in that it floods multicast packets throughout the network and prunes branches where the multicast traffic is not desired DVMRP was developed before PIM DM and it has several limitations that do not exist with PIM DM You might use DVMRP as the multicast routing protocol if it has already been widely deployed within the network Microsoft Networ...

Page 1185: ...es are as follows PC8024 512 IPv4 256 IPv6 PC81xx 512 IPv4 256 IPv6 Static Multicast Routes None configured Interface TTL Threshold 1 IGMP Defaults IGMP Admin Mode Disabled globally and on all interfaces IGMP Version v3 IGMP Robustness 2 IGMP Query Interval 125 seconds IGMP Query Max Response Time 100 seconds IGMP Startup Query Interval 31 seconds IGMP Startup Query Count 2 IGMP Last Member Query ...

Page 1186: ...Join Prune Interval 60 seconds when enabled on an interface PIM SM BSR Border Disabled PIM SM DR Priority 1 when enabled on an interface PIM Candidate Rendezvous Points RPs None configured PIM Static RP None configured PIM Source Specific Multicast SSM Range None configured Default SSM group address is 232 0 0 0 8 for IPv4 multicast and ff3x 32 for IPv6 multicast PIM BSR Candidate Hash Mask Length...

Page 1187: ...ol specific on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page Multicast Global Configuration Use the Global Configuration page to configure the administrative status of Multicast Forwarding in the router and to display global multicast parameters To display the page click IPv4 Multicast Multicast Global Configuration in the navigation pan...

Page 1188: ...ge to configure the TTL threshold of a multicast interface At least one VLAN routing interface must be configured on the switch before fields display on this page To display the page click IPv4 Multicast Multicast Interface Configuration in the navigation panel Figure 43 10 Multicast Interface Configuration ...

Page 1189: ...Route Table Use the Route Table page to view information about the multicast routes in the IPv4 multicast routing table To display the page click IPv4 Multicast Multicast Multicast Route Table Multicast Route Table Figure 43 11 Multicast Route Table ...

Page 1190: ...n range of multicast addresses on a given routing interface Use the Admin Boundary Configuration page to configure a new or existing administratively scoped boundary To see this page you must have configured a valid routing interface and multicast To display the page click IPv4 Multicast Multicast Admin Boundary Configuration in the navigation panel Figure 43 12 Multicast Admin Boundary Configurat...

Page 1191: ...n Boundary Summary Use the Admin Boundary Summary page to display existing administratively scoped boundaries To display the page click IPv4 Multicast Multicast Admin Boundary Summary in the navigation panel Figure 43 13 Multicast Admin Boundary Summary ...

Page 1192: ...Use the Static MRoute Configuration page to configure a new static entry in the Mroute table or to modify an existing entry To display the page click IPv4 Multicast Multicast Static MRoute Configuration in the navigation panel Figure 43 14 Multicast Static MRoute Configuration ...

Page 1193: ... Static MRoute Summary Use the Static MRoute Summary page to display static routes and their configurations To display the page click IPv4 Multicast Multicast Static MRoute Summary in the navigation panel Figure 43 15 Multicast Static MRoute Summary ...

Page 1194: ...t features that are not protocol specific on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page IPv6 Multicast Route Table Use the Multicast Route Table page to view information about the multicast routes in the IPv6 multicast routing table To display the page click IPv6 Multicast Multicast Multicast Route Table Figure 43 16 IPv6 Multicast Ro...

Page 1195: ...ing the IGMP and IGMP proxy features on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page IGMP Global Configuration Use the Global Configuration page to set IGMP on the system to active or inactive To display the page click IPv4 Multicast IGMP Global Configuration in the navigation panel Figure 43 17 IGMP Global Configuration ...

Page 1196: ... and or display router interface parameters You must configure at least one valid routing interface before you can access this page and configure IP Multicast IGMP To display the page click IPv4 Multicast IGMP Routing Interface Interface Configuration in the navigation panel Figure 43 18 IGMP Interface Configuration ...

Page 1197: ...ace Summary page to display IGMP routing parameters and data You must configure at least one IGMP router interface to access this page To display the page click IPv4 Multicast IGMP Routing Interface Interface Summary in the navigation panel Figure 43 19 IGMP Interface Summary ...

Page 1198: ...che parameters and data for an IP multicast group address Group membership reports must have been received on the selected interface for data to display on the page To display the page click IPv4 Multicast IGMP Routing Interface Cache Information in the navigation panel Figure 43 20 IGMP Cache Information ...

Page 1199: ...lay detailed membership information for an interface Group membership reports must have been received on the selected interface for data to display information To display the page click IPv4 Multicast IGMP Routing Interface Source List Information in the navigation panel Figure 43 21 IGMP Interface Source List Information ...

Page 1200: ...e acts as proxy to all hosts residing on its router interfaces Use the Interface Configuration page to configure IGMP proxy for a VLAN interface You must have configured at least one VLAN routing interface before configuring or displaying data for an IGMP proxy interface and it should not be an IGMP routing interface To display the page click IPv4 Multicast IGMP Proxy Interface Interface Configura...

Page 1201: ...display proxy interface configurations by interface You must have configured at least one VLAN routing interface configured before data displays on this page To display the page click IPv4 Multicast IGMP Proxy Interface Configuration Summary in the navigation panel Figure 43 23 IGMP Proxy Configuration Summary ...

Page 1202: ...red at least one VLAN routing interface before you can display interface membership information and it should not be an IGMP routing interface Also if no group membership reports have been received on the selected interface no data displays on this page To display the page click IPv4 Multicast IGMP Proxy Interface Interface Membership Info in the navigation panel Figure 43 24 IGMP Proxy Interface ...

Page 1203: ...ne VLAN routing interface before you can display detailed interface membership information and it should not be an IGMP routing interface Also if no group membership reports have been received on the selected interface you cannot display data To display the page click IPv4 Multicast IGMP Proxy Interface Interface Membership Info Detailed in the navigation panel Figure 43 25 IGMP Proxy Interface Me...

Page 1204: ...g the MLD and MLD proxy features on a PowerConnect 8000 8100 series switch For details about the fields on a page click at the top of the page MLD Global Configuration Use the Global Configuration page to administratively enable and disable the MLD service To display the page click IPv6 Multicast MLD Global Configuration in the navigation panel Figure 43 26 MLD Global Configuration ...

Page 1205: ...ted IPv6 router interfaces to discover the presence of multicast listeners the nodes who wish to receive the multicast data packets on its directly attached interfaces To access this page click IPv6 Multicast MLD Routing Interface Interface Configuration in the navigation panel Figure 43 27 MLD Routing Interface Configuration ...

Page 1206: ...to display information and statistics on a selected MLD enabled interface You must configure at least one IGMP VLAN routing interface to access this page To access this page click IPv6 Multicast MLD Routing Interface Interface Summary in the navigation panel Figure 43 28 MLD Routing Interface Summary ...

Page 1207: ...eported to operational MLD routing interfaces You must configure at least one MLD VLAN routing interface to access this page Also group membership reports must have been received on the selected interface in order for data to be displayed here To access this page click IPv6 Multicast MLD Routing Interface Cache Information in the navigation panel Figure 43 29 MLD Routing Interface Cache Informatio...

Page 1208: ...interface You must configure at least one MLD VLAN routing interface to access this page Also group membership reports must have been received on the selected interface in order for data to be displayed here To access this page click IPv6 Multicast MLD Routing Interface Source List Information in the navigation panel Figure 43 30 MLD Routing Interface Source List Information ...

Page 1209: ...209 MLD Traffic The MLD Traffic page displays summary statistics on the MLD messages sent to and from the router To access this page click IPv6 Multicast MLD Routing Interface MLD Traffic in the navigation panel Figure 43 31 MLD Traffic ...

Page 1210: ...ership reports on one VLAN interface for MLD Membership reports received on all other MLD enabled VLAN routing interfaces Use the Interface Configuration page to enable and disable ports as MLD proxy interfaces To display this page click IPv6 Multicast MLD Proxy Interface Interface Configuration in the navigation panel Figure 43 32 MLD Proxy Interface Configuration ...

Page 1211: ...Summary Use the Configuration Summary page to view configuration and statistics on MLD proxy enabled interfaces To display this page click IPv6 Multicast MLD Proxy Interface Configuration Summary in the navigation panel Figure 43 33 MLD Proxy Configuration Summary ...

Page 1212: ...terface Membership Information page lists each IP multicast group for which the MLD proxy interface has received membership reports To display this page click IPv6 Multicast MLD Proxy interface Interface Membership Info in the navigation panel Figure 43 34 Interface Membership Information ...

Page 1213: ...ation Detailed page provides additional information about the IP multicast groups for which the MLD proxy interface has received membership reports To display this page click IPv6 Multicast MLD Proxy Interface Interface Membership Info Detailed in the navigation panel Figure 43 35 Interface Membership Information Detailed ...

Page 1214: ...tch It is strongly recommended that IGMP be enabled on any switch on which IPv4 PIM is enabled and MLD be enabled on any switch for which IPv6 PIM is enabled This ensures that the multicast router behaves as expected To display the page click IPv4 Multicast PIM Global Configuration or IPv6 Multicast PIM Global Configuration in the navigation panel Figure 43 36 PIM DM Global Configuration NOTE The ...

Page 1215: ...Status Use the Global Status page to view the administrative status of PIM DM or PIM SM on the switch To display the page click IPv4 Multicast PIM Global Status or IPv6 Multicast PIM Global Status in the navigation panel Figure 43 37 PIM Global Status ...

Page 1216: ...e the Interface Configuration page to configure specific VLAN routing interfaces with PIM To display the page click IPv4 Multicast PIM Interface Configuration or IPv6 Multicast PIM Interface Configuration in the navigation panel Figure 43 38 PIM Interface Configuration ...

Page 1217: ... the Interface Summary page to display a PIM enabled VLAN routing interface interface and its settings To display the page click IPv4 Multicast PIM Interface Summary or IPv6 Multicast PIM Interface Summary in the navigation panel Figure 43 39 PIM Interface Summary ...

Page 1218: ...figured rendezvous points RPs for each port using PIM To access the page click IPv4 Multicast PIM Candidate RP Configuration or IPv6 Multicast PIM Candidate RP Configuration Figure 43 40 Candidate RP Configuration Adding a Candidate RP To add PIM Candidate rendezvous points RPs for each IP multicast group 1 Open the Candidate RP Configuration page 2 Click Add The Add Candidate RP page displays ...

Page 1219: ... be configured 4 Enter the group address transmitted in Candidate RP Advertisements 5 Enter the prefix length transmitted in Candidate RP Advertisements to fully identify the scope of the group which the router supports if elected as a Rendezvous Point 6 Click Apply Changes The new Candidate RP is added and the device is updated ...

Page 1220: ...e PIM domain uses the BSR to dynamically learn the RP configuring a static RP is not required However you can configure the static RP to override any dynamically learned RP from the BSR To access the page click IPv4 Multicast PIM Static RP Configuration or IPv6 Multicast PIM Static RP Configuration Figure 43 42 Static RP Configuration Adding a Static RP To add a static RP for the PIM router 1 Open...

Page 1221: ... of the RP for the group range 4 Enter the group address of the RP 5 Enter the group mask of the RP 6 Check the Override option to configure the static RP to override the dynamic candidate RPs learned for same group ranges 7 Click Apply The new Static RP is added and the device is updated ...

Page 1222: ...uter To display the page click IPv4 Multicast PIM SSM Range Configuration or IPv6 Multicast PIM SSM Range Configuration Figure 43 44 SSM Range Configuration Adding an SSM Range To add the Source Specific Multicast SSM Group IP Address and Group Mask IPv4 or Prefix Length IPv6 for the PIM router 1 Open the SSM Range Configuration page 2 Click Add The Add SSM Range page displays ...

Page 1223: ...SM Range check box to add the default SSM Range The default SSM Range is 232 0 0 0 8 for IPv4 multicast and ff3x 32 for IPv6 multicast 4 Enter the SSM Group IP Address 5 Enter the SSM Group Mask IPv4 or SSM Prefix Length IPv6 6 Click Apply The new SSM Range is added and the device is updated ...

Page 1224: ...n Use this page to configure information to be used if the interface is selected as a bootstrap router To display the page click IPv4 Multicast PIM BSR Candidate Configuration or IPv6 Multicast PIM BSR Candidate Configuration Figure 43 46 BSR Candidate Configuration ...

Page 1225: ...SR Candidate Summary Use this page to display information about the configured BSR candidates To display this page click IPv4 Multicast PIM BSR Candidate Summary or IPv6 Multicast PIM BSR Candidate Summary Figure 43 47 BSR Candidate Summary ...

Page 1226: ...k at the top of the page DVMRP Global Configuration Use the Global Configuration page to configure global DVMRP settings It is strongly recommended that IGMP be enabled on any switch on which DVMRP is enabled The use cases for enabling DVMRP without IGMP are few and enabling IGMP ensures that the multicast router behaves as expected To display the page click IPv4 Multicast DVMRP Global Configurati...

Page 1227: ...RP interface Otherwise you see a message telling you that no router interfaces are available and the configuration screen is not displayed It is strongly recommended that IGMP be enabled on any interface on which DVMRP is enabled This ensures that the multicast router behaves as expected To display the page click IPv4 Multicast DVMRP Interface Configuration in the navigation panel Figure 43 49 DVM...

Page 1228: ...elected interface You must configure at least one VLAN routing interface before you can display data for a DVMRP interface Otherwise you see a message telling you that no VLAN router interfaces are available and the configuration summary screen is not displayed To display the page click IPv4 Multicast DVMRP Configuration Summary in the navigation panel ...

Page 1229: ...t 1229 Figure 43 50 DVMRP Configuration Summary DVMRP Next Hop Summary Use the Next Hop Summary page to display the next hop summary by Source IP To display the page click IPv4 Multicast DVMRP Next Hop Summary in the navigation panel ...

Page 1230: ...1230 Managing IPv4 and IPv6 Multicast Figure 43 51 DVMRP Next Hop Summary ...

Page 1231: ...6 Multicast 1231 DVMRP Prune Summary Use the Prune Summary page to display the prune summary by Group IP To display the page click IPv4 Multicast DVMRP Prune Summary in the navigation panel Figure 43 52 DVMRP Prune Summary ...

Page 1232: ... and IPv6 Multicast DVMRP Route Summary Use the Route Summary page to display the DVMRP route summary To display the page click IPv4 Multicast DVMRP Route Summary in the navigation panel Figure 43 53 DVMRP Route Summary ...

Page 1233: ...address mask rpf address preference Create a static multicast route for a source range source address The IP address of the multicast data source mask The IP subnet mask of the multicast data source rpf address The IP address of the next hop towards the source preference The cost of the route Range 1 255 interface vlan vlan id Enter Interface Configuration mode for the specified VLAN ip mcast boun...

Page 1234: ...guration settings such as flags timer settings incoming and outgoing interfaces RPF neighboring routers and expiration times of all the entries in the multicast mroute table containing the groupipaddr value show ip mcast mroute source sourceipaddr summary groupipaddr View the multicast configuration settings such as flags timer settings incoming and outgoing interfaces RPF neighboring routers and ...

Page 1235: ...e VLAN interface is not required preference The cost of the route Range 1 255 exit Exit to Privileged EXEC mode show ipv6 mroute detail summary View a summary or all the details of the multicast table show ipv6 mroute group groupipaddr detail summary View the multicast configuration settings such as flags timer settings incoming and outgoing interfaces RPF neighboring routers and expiration times ...

Page 1236: ...allows tuning of the interface that is tuning for the expected packet loss on a subnet If a subnet is expected to have significant loss the robustness variable may be increased for the interface The range for robustness is 1 255 ip igmp query interval seconds Configure the query interval for the specified interface The query interval determines how fast IGMP Host Query packets are transmitted on t...

Page 1237: ... Set the number of Group Specific Queries sent before the router assumes that there are no local members on the interface The range for count is 1 20 CTRL Z Exit to Privileged EXEC mode show ip igmp View system wide IGMP information show ip igmp interface vlan vlan id View IGMP information for all interfaces or for the specified interface show ip igmp interface stats vlan vlan id View IGMP statist...

Page 1238: ...bal configuration mode interface vlan vlan id Enter Interface Configuration mode for the specified VLAN ip igmp proxy Configure the interface as an IGMP proxy interface ip igmp proxy reset status Optional Reset the host interface status parameters of the IGMP Proxy ip igmp proxy unsolicit rprt interval seconds Configure the unsolicited report interval for the IGMP proxy interface The range for sec...

Page 1239: ...ed interface The query interval determines how fast MLD Host Query packets are transmitted on this interface The range for seconds is 0 3600 seconds ipv6 mld query max response time seconds Configure the maximum response time interval for the specified interface It is the maximum query response time advertised in MLD queries on this interface The range for seconds is 0 25 seconds ipv6 mld last mem...

Page 1240: ...nterface vlan vlan id View the registered multicast groups on the interface show ipv6 mld membership View the list of interfaces that have registered in any multicast group NOTE Configure only the upstream interface as the MLD proxy MLD should be enabled on all downstream interfaces IPv6 routing must be enabled on the switch for the MLD proxy feature to operate Command Purpose configure Enter glob...

Page 1241: ... This command displays information only when MLD Proxy is operational Command Purpose configure Enter global configuration mode ip routing Enable ip routing Routing is required for PIM to calculate where to prune the multicast trees ip pim dense Enable PIM DM on the switch ip igmp Enable IGMP IGMP is required for PIM to operate properly ip multicast Enable IPv4 IPv6 multicast routing interface vla...

Page 1242: ...ble IP routing Routing is required for PIM operation ipv6 unicast routing Enable IPv6 routing IPv6 routing is required for the operation of PIM ipv6 pim dense Enable PIM DM on the switch ip multicast Enable IPv6 IPv6 multicast routing ip igmp Enable IGMP IGMP is required for PIM to operate properly interface vlan vlan id Enter Interface Configuration mode for the specified VLAN ipv6 pim Enable PIM...

Page 1243: ...ulticast 1243 show ipv6 pim interface vlan vlan id View the PIM information for the specified interface show ipv6 pim neighbor interface vlan vlan id all View a summary or all the details of the multicast table Command Purpose ...

Page 1244: ... mask length priority interval interval Configure the switch to announce its candidacy as a bootstrap router BSR vlan id A valid VLAN ID hash mask length The length of a mask that is to be ANDed with the group address before the hash function is called All groups with the same seed hash correspond to the same RP For example if this value is 24 only the first 24 bits of the group addresses matter T...

Page 1245: ...hat if there is a conflict the RP configured with this command prevails over the RP learned by BSR ip pim ssm default group address group mask Define the Source Specific Multicast SSM range of IP multicast addresses default Defines the SSM range access list to 232 0 0 0 8 group address group mask defines the SSM range interface vlan vlan id Enter Interface Configuration mode for the specified VLAN...

Page 1246: ... groupaddr View the RP router being selected for the specified multicast group address from the set of active RP routers The RP router for the group is selected by using a hash algorithm show ip pim bsr router candidate elected View the bootstrap router BSR information show ip pim rp mapping View group to RP mappings of which the router is aware either configured or learned from the BSR Command Pu...

Page 1247: ...onal Indicates the BSR candidate advertisement interval The range is from 1 to 16383 seconds The default value is 60 seconds ipv6 pim rp candidate vlan vlan id group address prefix length interval interval Configure the router to advertise itself to the BSR router as a PIM candidate Rendezvous Point RP for a specific multicast group range vlan id A valid VLAN ID group address prefix length Group I...

Page 1248: ... sending PIM hello messages on the interface ipv6 pim bsr border Prevent bootstrap router BSR messages from being sent or received through the interface ipv6 pim dr priority priority Set the priority value for which a router is elected as the designated router DR The election priority range is 0 2147483647 ipv6 pim join prune interval interval Configure the interface join prune interval for the PI...

Page 1249: ...lticast group address from the set of active RP routers The RP router for the group is selected by using a hash algorithm show ipv6 pim bsr router View the bootstrap router BSR information show ipv6 pim rp mapping View group to RP mappings of which the router is aware either configured or learned from the BSR Command Purpose ...

Page 1250: ...ng interface ip dvmrp Enable DVMRP on the interface ip dvmrp metric metric Configure the metric range 1 31 for an interface This value is used in the DVMRP messages as the cost to reach this network exit Exit to Privileged EXEC mode show ip dvmrp interface vlan vlan id View the multicast information for the specified interface show ip dvmrp neighbor View neighbor information for DVMRP show ip dvmr...

Page 1251: ...enabled on the switch and interfaces to manage the multicast routing VLAN 10 is statically configured as the RP for the multicast group The configuration in this example takes place on L3 switch A shown in Figure 43 54 The red arrows indicate the path that multicast traffic takes L3 Switch A is configured as the RP for the PIM domain so it is in charge of sending the multicast stream to L3 Switch ...

Page 1252: ...r switches OSPF is configured to route unicast traffic between the VLANs and PIM is enabled to rout multicast traffic between the two VLANs Since IGMP snooping is enabled by default on all VLANs no commands to enable it appear in the example below To configure Switch A 1 Create the two VLANs IGMP MLD Snooping is disabled globally Port 23 Port 24 L3 Switch A PIM RP Video Server VLAN 10 Members VLAN...

Page 1253: ... config router router id 3 3 1 1 console config router exit 4 Configure VLAN 10 as a VLAN routing interface and specify the OSPF area When you assign an IP address to the VLAN routing is automatically enabled console config interface vlan 10 console config if vlan10 ip address 192 168 10 4 255 255 255 0 console config if vlan10 ip ospf area 0 5 Enable IGMPv2 and PIM SM on the VLAN routing interfac...

Page 1254: ...nsole config ip igmp console config ip pim sparse 9 Configure VLAN 10 as the RP and specify the range of multicast groups for PIM SM to control The 239 9 x x address is chosen as it is a locally administered address that maps to MAC addresses that do not conflict with control plane protocols console config ip pim rp address 192 168 10 4 239 9 0 0 255 255 0 0 ...

Page 1255: ...r it is recommended that it be enabled to ensure correct operation of multicast routing Disable IGMP MLD snooping console config ip igmp console config no ip igmp snooping console config no ipv6 mld snooping 3 Globally enable DVMRP console config ip dvmrp 4 Enable DVMRP and IGMP on VLAN routing interfaces 10 and 20 console config interface vlan 10 console config if vlan10 ip address 192 168 10 1 2...

Page 1256: ...1256 Managing IPv4 and IPv6 Multicast ...

Page 1257: ... Dependency Max Groups 16 72 Switching features RMON 1 2 3 9 Max History entries Max buckets per History entry Max Alarm entries Max Event entries Max Log entries per Event entry 270 50 32 32 100 270 50 32 32 100 Management ACL MACAL Max Rules 64 64 Routing features IP Helper Max entries 512 512 User management features User ID configuration Max number of configured users Max user name length Max ...

Page 1258: ...ion HTTP lists Max Count Max methods per list Max name length Y 1 6 15 Y 1 6 15 Authentication Dot1x lists Max Count Max methods per list Max name length Y 1 6 15 Y 1 6 15 Accounting Exec lists Max Count Max methods per list Max name length Y 5 2 15 Y 5 2 15 Accounting Commands lists Max Count Max methods per list Max name length Y 5 1 15 Y 5 1 15 Login History 50 50 Table A 1 Feature Limitations ...

Page 1259: ...Addresses Max Sessions Max Connections Y N Y 16 192 192 Y N Y 16 192 192 Stacking features Max physical units per stack 6 6 Max physical slots per unit 1 1 Max physical ports per slot 24 56 Max physical ports per stack 144 408 Nonstop forwarding Y Y Table A 1 Feature Limitations Continued Feature PC8000 series PC8100 series ...

Page 1260: ... stacking nonstacking 32768 131072 Number of VLANs 1024 1024 Maximum VLAN IDs 4093 4093 Number of 802 1p traffic classes 7 7 Number of IEEE 802 1x clients per port 16 16 Number of LAGs max lags ports max dynamic LAG ports per system 128 8 144 128 8 144 Maximum multiple spanning tree instances 15 15 Number of MAC based VLANs supported 256 256 Number of records in log 400 400 Number of subnet based ...

Page 1261: ...04 Port MAC locking Dynamic addresses per port 600 600 Static addresses per port 100 100 sFlow Number of samplers Number of pollers Number of receivers 32 416 8 52 416 8 RADIUS Max Authentication servers Max Accounting servers 32 32 32 32 Number of routes IPv4 IPv6 IPv4 IPv6 build IPv4 routes 32 due to prefix len sharing IPv6 routes 6112 3072 8160 4096 Number of static routes IPv4 IPv6 64 64 64 64...

Page 1262: ... hops 8 1 16 8 1 16 DHCP server Max number of pools Total max leases 16 256 16 256 DNS client Concurrent requests Name server entries Search list entries Static host entries Cache entries Domain search list entries 16 8 6 64 128 32 16 8 6 64 128 32 DHCPv6 Max number of pools DNS domain names within a pool DNS server addresses within a pool Delegated prefix definitions within a pool 16 5 8 10 16 5 ...

Page 1263: ... Number of IPv4 IPv6 Multicast Forwarding Entries Hardware limit IGMP Group Memberships per system DVMRP Neighbors PIM DM Neighbors PIM SM Neighbors PIM SM Static RP entries PIM SM Candidate RP Group Range entries PIM SM SSM range entries IGMP Sources processed per group per message 1024 512 IPv4 and 256 IPv6 2048 1024 256 256 256 5 20 5 73 1024 512 IPv4 and 256 IPv6 1024 2048 256 256 256 5 20 5 7...

Page 1264: ... and Direction IPv4 L2 Maximum ACL Rules per Interface and Direction IPv6 Maximum ACL Rules system wide Maximum ACL Logging Rules system wide 100 127 127 125 4096 128 100 1023 1023 1023 16384 128 CoS Device Characteristics Configurable Queues per port Configurable Drop Precedence levels 7 3 7 3 Table A 2 Platform Constants Continued Feature PC8000 series PC8100 series ...

Page 1265: ...nstance Max Service Interfaces nonstacking stacking Max table entries Class Table Class Rule Table Policy Table Policy Instance Table Policy Attribute Table Max Nested Class Reference Chain Rule Count 7 8 Y 13 12 3 58 624 32 416 64 768 2304 26 8 Y 13 28 3 116 32 416 64 1792 5376 26 AutoVoIP number of voice calls 16 16 Voice VLAN number of devices 144 408 Table A 2 Platform Constants Continued Feat...

Page 1266: ...1266 Feature Limitations and Platform Constants ...

Page 1267: ...ask USB etc bcmATP RX bcmATP TX BCM system task Acknowledged Transport Protocol bcmCNTR 0 BCM system task SDK Statistics collection bcmDISC BCM system task SDK Discovery task bcmDPC BCM system task SDK DPC task bcmL2X 0 BCM system task SDK L2 SOC shadow table maintenance bcmLINK 0 BCM system task SDK Physical link status monitor bcmNHOP BCM system task SDK transport Next Hop task bcmRLINK BCM syst...

Page 1268: ...tor Update task cliWebIORedirectTask CLI Web IO Redirection Task cmgrInsertTask Card Manager Insertion Handler cmgrTask Card Manager Status built in and plug in card configuration processing Cnfgr_Thread Configurator startup manager CP Wired If Captive Portal cpuUtilMonitorTask CPU Utilities monitor DapiDebugTask Device API debug processing DHCP Server Processing Task DHCP snoop dhcpsPingTask DHCP...

Page 1269: ...tlAddrTask dtlTask Device Transform Layer Silicon Integration Layer dvmrpMapTask DVMRP Mapping Layer Dynamic ARP Inspection Dynamic ARP Inspection task EDB Entity MIB Processing task EDB Trap Entity MIB Trap task emWeb UI processing task envMonTask Environment Monitor fans power supplies temperature fdbTask Forwarding Data Base Manager fftpTask FTP processing gccp_t GARP Central Control Point task...

Page 1270: ...k ip6MapLocalDataTask ip6MapNbrDiscTask ip6MapProcessingTask ip6MapRadvdTask ipcom_sysl IpHelperTask ipMapForwardingTask ipMapProcessingTask ipnetd IP Stack iscsiTask ISCSI task isdpTask ISDP task lldpTask LLDP task LOG System LOG processing LOGC System LOG processing MAC Age Task MAC address table aging MAC Send Task MAC address table learning macalTask Management ACL packet processing Table B 1 ...

Page 1271: ...sk pimsmMapTask PIMSM task pingAsync Ping response processing pktRcvrTask Multicast control plane packet receiver dispatch pmlTask Port MAC Locking management task portAggTask Port Aggregator task radius_rx_task radius_task RADIUS server tasks ripMapProcessingTask RIP Mapping layer RLIM cnfgr task VRRP configuration RLIM task VRRP message processing RMONTask RMON Statistics Collection serialInput ...

Page 1272: ...acket processing sshdEvTask SSH task ssltTask SSL task Stk Mgr Task Stack Manager Task tacacs_rx_task tacacs_task TACACS tasks tArpCallback tArpReissue ARP tasks tArpTimerExp ARP Timer Expiry tCpktSvc NSF Processing tCptvPrtl Captive portal control plane processing tDhcp6sTask tDhcpsTask DHCP Tasks tEmWeb Web page server tErfTask VxWorks Task tExcTask VxWorks Executive TimeRange Processing Task AC...

Page 1273: ...cessing tTffsPTask VxWorks True Flash File System driver tXbdService VxWorks flash file system load leveler usbFlashDriveTask USB Flash driver processing umCfgUpdateTask umWorkerTask unitMgrTask Stack Management Unit Manager tasks USL Worker Task USL Message processing primarily MAC address table CLI commands UtilTask Mgmt UI login logout processing voipTask Voice Over IP VRRPdaemon VRRP task Tabl...

Page 1274: ...1274 System Process Definitions ...

Page 1275: ...g false matches 518 supported types 64 time based 545 web based configuration 520 ACLs See also IP ACL IPv6 ACL and MAC ACL active images 317 address table See MAC address table administrative profiles 183 defaults 202 RADIUS authorization 193 TACACS authorization 190 alternate store and forward 66 Amber 97 99 ARP 77 dynamic ARP inspection 65 ARP inspection see DAI ARP table configuring CLI 912 co...

Page 1276: ...ion auto negotiation 68 auto save feature 347 auto VoIP CLI configuration 1166 defaults 1162 understanding 1161 web based configuration 1163 auto provisioning iSCSI 399 Auto VoIP and ACLs 1162 B back panel features 94 back pressure 67 banner CLI 266 baud rate 96 BOOTP DHCP relay agent 78 BPDU filtering 75 626 flooding 626 guard 75 protection 628 bridge multicast address groups configuring 709 brid...

Page 1277: ...g 266 clock system 248 command modes CLI 111 commands abbreviated 114 entering 113 history buffer 115 Compellent storage arrays 400 configuration file defined 311 DHCP auto configuration 345 downloading 314 editing 314 SNMP 315 USB auto configuration 341 USB device 334 configuration scripts 314 332 configuration saving the 315 Configuring 871 console port connecting to 109 description 96 copy file...

Page 1278: ...covery protocols 652 device view 108 DHCP understanding 871 DHCP auto configuration dependencies 348 enabling 352 monitoring 347 process 342 DHCP client 873 default VLAN 134 OOB port 134 DHCP relay 71 873 CLI configuration 937 defaults 925 example 941 layer 2 920 layer 3 919 understanding 919 VLAN 921 web based configuration 926 DHCP server 56 address pool configuration 890 CLI configuration 886 d...

Page 1279: ... 802 1X 477 and RADIUS 477 and switch role 1114 CLI configuration 1129 defaults 1115 elements 1114 example 1136 understanding 1113 VoIP 1139 web based configuration 1116 diffServ 81 discovery device 651 document conventions 50 domain name server 130 domain name default 131 Dot1x 63 dot1x authentication 182 double VLAN tagging 556 downloading files 319 DSCP value and iSCSI 397 dual images 56 dual I...

Page 1280: ...ile management CLI 324 considerations 313 copying 323 purpose 311 supported protocols 313 web based 316 file system 316 files downloading to the switch 313 types 309 uploading from the switch 313 filter assignments authentication server 503 filter DiffServ 477 FIP snooping 826 enabling and disabling 826 firmware managing 313 updating the stack 149 upgrade example 329 firmware synchronization stack...

Page 1281: ... 74 IEEE 802 1Q 72 IEEE 802 1Qaz 819 IEEE 802 1X 63 and DiffServ 477 authentication 63 configuring 493 defined 470 monitor mode 64 475 490 port authentication 488 port states 471 RADIUS assigned VLANs 491 reauthenticating ports 481 VLAN assignment 473 IEEE 802 1x authentication 182 IEEE 802 3x See flow control IGMP 84 defaults 1185 understanding 1171 web based configuration 1195 IGMP proxy 84 1171...

Page 1282: ...traffic layer 2 696 layer 3 1168 IP protocol numbers common 519 IP routing CLI configuration 911 defaults 897 example 916 understanding 895 web based configuration 899 IP source guard 65 IPSG and port security 757 example 789 purpose 759 understanding 757 IPv4 and IPv6 networks interconnecting 1017 IPv4 multicast web based configuration 1187 IPv4 routing template 241 IPv6 compared to IPv4 1070 DHC...

Page 1283: ...uring 671 enabling 671 example 675 understanding 651 web based configuration 655 J jumbo frames 67 L LACP 75 adding a LAG port 801 CLI configuration 806 web based configuration 798 LAG and STP 794 CLI configuration 803 defaults 795 examples 807 guidelines configuration 795 interaction with other features 794 LACP 75 purpose 792 static and dynamic 792 statistics 382 threshold minimum links 803 unde...

Page 1284: ...nsiderations 209 defaults 209 destination for log messages 206 example 234 file 218 log message format 208 operation logs 207 severity levels 207 system startup logs 207 trap log 294 web based configuration 210 loopback 79 loopback interface configuring 869 purpose 859 understanding 856 LSA OSPF 945 M M6348 and stacking 146 MAC ACL example 543 understanding 514 MAC address table and port security ...

Page 1285: ...MLD snooping 83 defaults 705 759 understanding 699 VLAN configuration 743 mode interface configuration 454 monitor mode IEEE 802 1X 475 monitoring system information 205 MSTP example 649 operation in the network 621 support 74 understanding 619 MTU configuring 464 MTU management interface 124 Multicast VLAN registration 83 multicast DVMRP 84 IGMP 84 IGMP proxy 84 IGMP snooping 82 IPv4 1187 layer 2...

Page 1286: ...uted access 176 and the storage access network 174 and VoIP 172 in the data center 171 network design considerations 153 understanding 150 O OOB port 94 96 126 DHCP client 134 OpenManage Switch Administrator about 103 optical transceiver diagnostics 214 OSPF 77 areas 944 border router 1008 CLI configuration 988 defaults 952 difference from OSPFv3 945 examples 1008 flood blocking 950 1025 LSA pacin...

Page 1287: ...ing multiple 458 defaults 456 defined 451 device view features 108 example 466 LEDs 94 locking 508 OOB 94 96 protected 66 686 691 statistics 381 traffic control 679 809 USB 94 port channel See LAG port characteristics CLI configuration 463 web based configuration 457 port control 482 port fast STP 626 Port LEDs 97 port mirroring configuring 383 mode enabling 360 understanding 359 port security con...

Page 1288: ...erstanding 194 RAM log 217 real time clock 240 Red 99 redirect ACL 515 relay agent DHCPv6 1094 relay DHCP 919 remote logging 230 RIP 78 CLI configuration 1039 defaults 1033 determining route information 1031 example 1043 supported versions 1032 understanding 1031 web based configuration 1034 RMON 58 CLI management 386 defaults 360 example 394 understanding 358 web based configuration 361 router di...

Page 1289: ...delines 241 managing 262 understanding 241 SDM templates 57 security port defined 507 port based CLI configuration 488 defaults 478 507 examples 493 web based configuration 479 setup file format auto configuration 341 sFlow 58 CLI management 386 defaults 360 example 392 understanding 355 web based management 361 SFP port LEDs 97 SFP module 93 SFTP managing files 328 SNMP CLI configuration 295 defa...

Page 1290: ...s 153 NSF usage scenario 166 preconfiguration 169 purpose 154 removing a switch 148 standby 149 switch compatibility 146 web based configuration 155 static reject route 896 statistics IPv6 1076 statistics Etherlike 366 storage arrays and iSCSI 399 storage arrays Compellent 400 storm control configuring 690 default 682 810 example 693 understanding 680 STP and LAGs 794 classic 619 CLI configuration...

Page 1291: ...2 connecting to the switch 110 TFTP image download 324 Thermal LEDs 99 time domain reflectometry 213 time management 54 time range 539 time zone 257 time setting the system 271 time based ACLs 516 545 traffic class queue 396 traffic control port based 679 809 traffic inspection 753 traffic monitoring 355 traffic snooping 753 traps OSPF 292 trunk port and 802 1X authentication 501 503 trunking 589 ...

Page 1292: ...itchport modes 554 trunk port 589 understanding 551 voice 72 559 voice traffic 558 voice example 614 voice understanding 557 web based configuration 568 VLAN membership defining 568 VLAN priority tag and iSCSI 397 VLAN routing 855 858 VLAN tagging 555 VLANs dynamically created 502 RADIUS assigned 502 voice traffic identifying 558 voice VLAN 559 and LLDP MED 559 example 614 understanding 557 VoIP 8...

Page 1293: ...Index 1293 understanding 1045 web based configuration 1050 W web based configuration 104 web based interface understanding 105 writing to memory 315 ...

Page 1294: ...Index 1294 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands