Dell PowerConnect B-FCXs Configuration Manual Download Page 1304 | Manualshive

Page: 1304 / 1494

background image

1262

PowerConnect B-Series FCX Configuration Guide

53-1002266-01

Using multi-device port authentication and 802.1X security on the same port

34

!

interface ethernet 2

dot1x port-control auto

dual-mode

If User 1 is successfully authenticated before User 2, the PVID for port e2 would be changed from
the default VLAN to VLAN 3.

Had User 2 been the first to be successfully authenticated, the PVID would be changed to 20, and
User 1 would not be able to gain access to the network. If there were only one device connected to
the port that was sending untagged traffic, and 802.1X authentication failed for that device, it
would be placed in the restricted VLAN 1023, and would be able to gain access to the network.

Using multi-device port authentication and 802.1X
security on the same port

You can configure the Dell PowerConnect device to use multi-device port authentication and
802.1X security on the same port:

•

The multi-device port authentication feature allows you to configure a Dell PowerConnect
device to forward or block traffic from a MAC address based on information received from a
RADIUS server. Incoming traffic originating from a given MAC address is switched or forwarded
by the device only if the source MAC address is successfully authenticated by a RADIUS server.
The MAC address itself is used as the username and password for RADIUS authentication. A
connecting user does not need to provide a specific username and password to gain access to
the network.

•

The IEEE 802.1X standard is a means for authenticating devices attached to LAN ports. Using
802.1X port security, you can configure a Dell PowerConnect device to grant access to a port
based on information supplied by a client to an authentication server.

When both of these features are enabled on the same port, multi-device port authentication is
performed prior to 802.1X authentication. If multi-device port authentication is successful, 802.1X
authentication may be performed, based on the configuration of a vendor-specific attribute (VSA) in
the profile for the MAC address on the RADIUS server.

For more information, including configuration examples, see

“Using multi-device port

authentication and 802.1X security on the same port”

on page 1276.

«
...
1302
1303
1304
1305
1306
...
»

Summary of Contents for PowerConnect B-FCXs

Page 1: ...53 1002266 01 18 March 2011 PowerConnect B Series FCX Configuration Guide ...

Page 2: ...onnect are trademarks of Dell Inc Microsoft Windows and Windows Server are either trademarks or registered trademarks of Microsoft Corporation in the United States and or other countries Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products Dell Inc disclaims any proprietary interest in trademarks and trade name...

Page 3: ...lications Using the management port 1 How the management port works 1 CLI Commands for use with the management port 2 Logging on through the CLI 3 On line help 4 Command completion 4 Scroll control 4 Line editing commands 5 Using stack unit slot number and port number with CLI commands 5 CLI nomenclature on Stackable devices 6 Searching and filtering output from CLI commands 6 Using special charac...

Page 4: ... a port 38 Configuring flow control 38 Configuring symmetric flow control on PowerConnect B Series FCX devices 40 Configuring PHY FIFO Rx and Tx depth 44 Configuring the IPG on PowerConnect Stackable devices 44 Enabling and disabling support for 100BaseTX 45 Enabling and disabling support for 100BaseFX 45 Changing the Gbps fiber negotiation mode 46 Modifying port priority QoS 47 Dynamic configurat...

Page 5: ...figuration files 74 Scheduling a system reload 74 Reloading at a specific time 74 Reloading after a specific amount of time 75 Displaying the amount of time remaining before a scheduled reload 75 Canceling a scheduled reload 75 Diagnostic error codes and remedies for TFTP transfers 75 Testing network connectivity 76 Pinging an IPv4 address 76 Tracing an IPv4 route 78 Chapter 4 Software based Licen...

Page 6: ... IronStack 109 Configuring PowerConnect B Series FCX stacking ports 109 Configuring a default stacking port to function as a data port 115 Verifying an IronStack configuration 116 Managing your IronStack 118 Logging in through the CLI 118 Logging in through Brocade Network Advisor 118 Logging in through the console port 118 IronStack management MAC address 120 Removing MAC address entries 122 CLI ...

Page 7: ...ole in hitless stacking 168 Support during stack formation stack merge and stack split 169 Hitless stacking default behavior 173 Hitless stacking failover 175 Hitless stacking switchover 176 Displaying information about hitless stacking 183 Syslog messages for hitless stacking failover and switchover183 Displaying hitless stacking diagnostic information 184 Chapter 6 Monitoring Hardware Components...

Page 8: ...Enabling or disabling the Spanning Tree Protocol STP 209 Changing STP bridge and port parameters 210 STP protection enhancement 212 Displaying STP information 214 Configuring STP related features 223 Fast port span 223 Fast Uplink Span 225 802 1W Rapid Spanning Tree RSTP 227 802 1W Draft 3 265 Single Spanning Tree SSTP 269 STP per VLAN group 271 PVST PVST compatibility 275 Overview of PVST and PVS...

Page 9: ...learning rate control 307 Changing the MAC age time and disabling MAC address learning307 Disabling the automatic learning of MAC addresses 308 Displaying the MAC address table 308 Configuring static MAC entries 308 Multi port static MAC address 309 Configuring VLAN based static MAC entries 310 Clearing MAC address entries 310 Flow based MAC address learning 311 Feature overview 311 The benefits o...

Page 10: ...ee ports 334 Configuration considerations 334 Configuring a topology group 335 Displaying topology group information 336 Metro Ring Protocol MRP 337 Configuration notes 339 MRP rings without shared interfaces MRP Phase 1 339 MRP rings with shared interfaces MRP Phase 2 340 Ring initialization 341 How ring breaks are detected and healed 346 Master VLANs and customer VLANs 348 Configuring MRP 349 Us...

Page 11: ...ps and Dynamic Link Aggregation Trunk group overview 393 Trunk group connectivity to a server 394 Trunk group rules 395 Trunk group configuration examples 396 Support for flexible trunk group membership 398 Trunk group load sharing 398 Configuring a trunk group 400 CLI syntax for configuring consecutive ports in a trunk group400 CLI syntax for configuring non consecutive ports in a trunk group401 ...

Page 12: ...link LACP 425 Configuration notes 425 CLI syntax 425 Chapter 13 Configuring Virtual LANs VLANs VLAN overview 427 Types of VLANs 427 Default VLAN 433 802 1Q tagging 434 Spanning Tree Protocol STP 437 Virtual routing interfaces 437 VLAN and virtual routing interface groups 439 Dynamic static and excluded port membership 439 Super aggregated VLANs 441 Trunk group ports and VLAN membership 441 Summary...

Page 13: ...et address on multiple port based VLANs 469 Configuring VLAN groups and virtual routing interface groups 472 Configuring a VLAN group 472 Configuring a virtual routing interface group 474 Displaying the VLAN group and virtual routing interface group information 475 Allocating memory for more VLANs or virtual routing interfaces 476 Configuring super aggregated VLANs 477 Configuration notes 480 Conf...

Page 14: ...508 Configuration notes 508 Configuring GVRP 510 Changing the GVRP base VLAN ID 510 Increasing the maximum configurable value of the Leaveall timer 510 Enabling GVRP 511 Disabling VLAN advertising 511 Disabling VLAN learning 512 Changing the GVRP timers 512 Converting a VLAN created by GVRP into a statically configured VLAN514 Displaying GVRP information 514 Displaying GVRP configuration informati...

Page 15: ...laying detailed MAC VLAN data 539 Displaying MAC VLAN information for a specific interface 541 Displaying MAC addresses in a MAC based VLAN 542 Displaying MAC based VLAN logging 543 Clearing MAC VLAN information 543 Sample application 543 Chapter 16 Configuring Rule Based IP Access Control Lists ACLs ACL overview 548 Types of IP ACLs 548 ACL IDs and entries 548 Numbered and named ACLs 549 Default ...

Page 16: ...VLAN members on a port Layer 2 devices only 574 Applying an IPv4 ACL to a subset of ports on a virtual interface Layer 3 devices only 575 Using ACLs to filter ARP packets 576 Configuration considerations 576 Configuring ACLs for ARP filtering 576 Displaying ACL filters for ARP 577 Clearing the filter count 578 Filtering on IP precedence and ToS values 578 TCP flags edge port security 578 QoS optio...

Page 17: ... QoS 599 Configuring the QoS mappings 600 Default DSCP to internal forwarding priority mappings 600 Changing the DSCP to internal forwarding priority mappings 601 Changing the VLAN priority 802 1p to hardware forwarding queue mappings 602 8 to 4 queue mapping 602 Scheduling 603 QoS queuing methods 603 Selecting the QoS queuing method 605 Configuring the QoS queues 605 Viewing QoS settings 608 View...

Page 18: ...nto RIP 627 Enabling redistribution 628 Enabling learning of default routes 629 Changing the route loop prevention method 629 Other layer 3 protocols 629 Enabling or disabling routing protocols 629 Enabling or disabling layer 2 switching 630 Configuration Notes and Feature Limitations 630 Command syntax 630 Chapter 20 Configuring Port Mirroring and Monitoring Overview 633 Configuring port mirrorin...

Page 19: ...ration notes 651 Configuring queriers and non queriers 652 VLAN specific configuration 653 Using IGMPv2 with IGMPv3 653 PIM SM traffic snooping overview 653 Application example 653 Configuring IGMP snooping 655 Displaying IGMP snooping information 663 Displaying querier information 668 Clear IGMP snooping commands 671 Chapter 23 Enabling the Foundry Discovery Protocol FDP and Reading Cisco Discove...

Page 20: ... Enabling SNMP notifications and syslog messages for LLDP MED topology changes 708 Changing the fast start repeat count 708 Defining a location id 709 Defining an LLDP MED network policy 715 LLDP MED attributes advertised by the Dell PowerConnect device717 Displaying LLDP statistics and configuration settings 718 LLDP configuration summary 719 LLDP statistics 719 LLDP neighbors 721 LLDP neighbors ...

Page 21: ...lect multicast groups 767 CLI command syntax 768 Viewing disabled multicast addresses 768 Displaying the multicast configuration for another multicast router 769 IGMP V3 770 Default IGMP version 771 Compatibility with IGMP V1 and V2 771 Globally enabling the IGMP version 771 Enabling the IGMP version per interface setting 771 Enabling the IGMP version on a physical port within a virtual routing in...

Page 22: ...803 Configuring packet parameters 806 Changing the router ID 809 Configuring ARP parameters 810 Configuring forwarding parameters 815 Disabling ICMP messages 817 Disabling ICMP Redirect Messages 819 Configuring static routes 819 Configuring a default network route 828 Configuring IP load sharing 829 Configuring IRDP 832 Configuring RARP 834 Configuring UDP broadcast and IP helper parameters 836 Co...

Page 23: ... time before stopping traffic when receiving a leave message 896 Modifying the multicast cache mcache aging time 896 Disabling error and warning messages 896 Configuring the MLD mode for a VLAN 896 Disabling MLD snooping for the VLAN 897 Configuring the MLD version for the VLAN 897 Configuring the MLD version for individual ports 897 Configuring static groups to the entire VLAN or to individual po...

Page 24: ...on a VRRP or VRRPE backup interface 916 Configuring RIP route filters 916 Displaying RIP filters 917 Displaying CPU utilization statistics 918 Chapter 29 Configuring OSPF Version 2 IPv4 Overview of OSPF 922 OSPF point to point links 923 Designated routers in multi access networks 924 Designated router election in multi access networks 924 OSPF RFC 1583 and 2178 compliance 925 Reduction of equivale...

Page 25: ...the IP route table 950 Modifying the default metric for redistribution 953 Enabling route redistribution 953 Disabling or re enabling load sharing 955 Configuring external route summarization 956 Configuring default route origination 957 Modifying SPF timers 958 Modifying the redistribution metric type 959 Modifying the administrative distance 959 Configuring OSPF group Link State Advertisement LS...

Page 26: ... Displaying OSPF ABR and ASBR information 977 Displaying OSPF trap status 978 Displaying OSPF graceful restart information 978 Chapter 30 Configuring BGP4 IPv4 Overview of BGP4 982 Relationship between the BGP4 route table and the IP route table 982 How BGP4 selects a path for a route 983 BGP4 message types 985 BGP4 graceful restart 987 Basic configuration and activation for BGP4 987 Note regardin...

Page 27: ...ways compare Multi Exit Discriminators MEDs 1016 Treating missing MEDs as the worst MEDs 1017 Configuring route reflection parameters 1017 Configuration notes 1021 Aggregating routes advertised to BGP4 neighbors 1024 Configuring BGP4 graceful restart 1025 Configuring BGP4 graceful restart 1025 Configuring timers for BGP4 graceful restart optional 1025 BGP null0 routing 1026 Configuration steps 102...

Page 28: ...tion 1078 Displaying summary route information 1079 Displaying the BGP4 route table 1080 Displaying BGP4 route attribute entries 1086 Displaying the routes BGP4 has placed in the IP route table 1087 Displaying route flap dampening statistics 1088 Displaying the active route map configuration 1089 Displaying BGP4 graceful restart neighbor information 1090 Updating route information and resetting a ...

Page 29: ...ss methods 1135 Restricting remote access to management functions 1137 Using ACLs to restrict remote access 1138 Defining the console idle time 1140 Restricting remote access to the device to specific IP addresses 1141 Restricting access to the device based on IP or MAC address 1142 Defining the Telnet idle time 1143 Changing the login timeout period for Telnet sessions 1143 Specifying the maximum...

Page 30: ...hentication method lists for TACACS TACACS 1173 Configuring TACACS authorization 1175 Configuring TACACS accounting 1178 Configuring an interface as the source for all TACACS TACACS packets 1179 Displaying TACACS TACACS statistics and configuration information 1180 Configuring RADIUS security 1181 RADIUS authentication authorization and accounting 1181 RADIUS configuration considerations 1184 RADI...

Page 31: ...ng the SSH port number 1211 Setting the SSH login timeout value 1211 Designating an interface as the source for all SSH packets 1211 Configuring the maximum idle time for SSH sessions 1211 Filtering SSH access using ACLs 1212 Terminating an active SSH connection 1212 Displaying SSH connection information 1212 Using Secure copy with SSH2 1213 Enabling and disabling SCP 1213 Configuration notes 1214...

Page 32: ...er 1242 Initializing 802 1X on a port 1242 Allowing access to multiple hosts 1242 Defining MAC address filters for EAP frames 1245 Configuring VLAN access for non EAP capable clients 1245 Configuring 802 1X accounting 1246 802 1X Accounting attributes for RADIUS 1246 Enabling 802 1X accounting 1247 Displaying 802 1X information 1247 Displaying 802 1X configuration information 1247 Displaying 802 1...

Page 33: ...s 1268 Displaying port security information 1268 Displaying port security settings 1269 Displaying the secure MAC addresses 1269 Displaying port security statistics 1270 Displaying restricted MAC addresses on a port 1271 Chapter 36 Configuring Multi Device Port Authentication How multi device port authentication works 1274 RADIUS authentication 1274 Authentication failure actions 1274 Supported RA...

Page 34: ...i device port authentication information 1291 Displaying authenticated MAC address information 1292 Displaying multi device port authentication configuration information 1292 Displaying multi device port authentication information for a specific MAC address or port 1293 Displaying the authenticated MAC addresses 1294 Displaying the non authenticated MAC addresses 1294 Displaying multi device port ...

Page 35: ...ct address 1325 Deleting a web authentication VLAN 1326 Web authentication pages 1326 Displaying web authentication information 1333 Displaying the web authentication configuration 1333 Displaying a list of authenticated hosts 1335 Displaying a list of hosts attempting to authenticate 1336 Displaying a list of blocked hosts 1336 Displaying a list of local user databases 1337 Displaying a list of u...

Page 36: ... 1362 Defining static IP source bindings 1362 Enabling IP source guard per port per VLAN 1363 Enabling IP source guard on a VE 1363 Displaying learned IP addresses 1363 Chapter 40 Securing SNMP Access SNMP overview 1365 Establishing SNMP community strings 1366 Encryption of SNMP community strings 1366 Adding an SNMP community string 1366 Displaying the SNMP community strings 1368 Using the user ba...

Page 37: ...g server 1388 Specifying an additional Syslog server 1388 Disabling logging of a message level 1388 Changing the number of entries the local buffer can hold 1389 Changing the log facility 1389 Displaying Interface names in Syslog messages 1390 Displaying TCP or UDP port numbers in Syslog messages 1390 Retaining Syslog messages after a soft reboot 1391 Clearing the Syslog messages from the local bu...

Page 38: ...onsiderations 1429 Configuring and enabling sFlow 1430 Configuring sFlow version 5 features 1436 Displaying sFlow information 1439 Configuring a utilization list for an uplink port 1442 Command syntax 1443 Displaying utilization percentages for an uplink 1443 Appendix B Software Specifications IEEE compliance 1445 RFC support 1445 Internet drafts 1452 ...

Page 39: ...signed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing If you are using a Layer 3 Switch you should be familiar with the following protocols if applicable to your network IP RIP OSPF BGP ISIS IGMP PIM DVMRP and VRRP TABLE 1 PowerConnect family of switches This name Refers to these devices PowerConnect Stackable Devices NOTE The PowerConnect Stackable...

Page 40: ...ncreasing severity of potential hazards bold text Identifies command names Identifies the names of user manipulated GUI elements Identifies keywords Identifies text to enter at the GUI or CLI italic text Provides emphasis Identifies variables Identifies document titles code text Identifies CLI output TABLE 2 Command syntax conventions Convention Description bold face font Commands and keywords ita...

Page 41: ...may contain references to the trademarks of the following corporations These trademarks are the properties of their respective companies and corporations Related publications The following Dell documents supplement the information in this guide PowerConnect B FCX Switch Hardware Installation Guide PowerConnect B MLXe MIB Reference PowerConnect B Series FCX Web Management Interface User Guide NOTE ...

Page 42: ...telephone based support and service options Availability varies by country and product and some services may not be available in your area To contact Dell for sales technical support or customer service issues 1 Visit http support dell com 2 Click your country or region at the bottom of the page For a full listing of countries and regions click All 3 In the Support menu click All Support Choose th...

Page 43: ...e module For example on a 48 port PowerConnect B Series FCX standalone device the base MAC address is 0000 1234 2200 The management port MAC address for this device would be 0000 1234 2200 plus 0x30 or 0000 1234 2230 The 0x30 in this case equals the 48 ports on the base module How the management port works The following rules apply to management ports Only packets that are specifically addressed t...

Page 44: ... be different CLI Commands for use with the management port The following CLI commands can be used with a management port To display the current configuration use the show running config interface management command Syntax show running config interface management num PowerConnect config if mgmt ip addr 10 44 9 64 24 PowerConnect config show running config interface management 1 interface managemen...

Page 45: ... InPkts 39939 OutPackets 22 InBroadcastPkts 4355 OutbroadcastPkts 0 InMultiastPkts 35214 OutMulticastPkts 6 InUnicastPkts 370 OutUnicastPkts 16 InBadPkts 0 InFragments 0 InDiscards 0 OutErrors 0 CRC 0 Collisions 0 InErrors 0 LateCollisions 0 InGiantPkts 0 InShortPkts 0 InJabber 0 InFlowCtrlPkts 0 OutFlowCtrlPkts 0 InBitsPerSec 83728 OutBitsPerSec 24 InPktsPerSec 130 OutPktsPerSec 0 InUtilization 0...

Page 46: ... Securing Access to Management Functions On line help To display a list of available commands or command options enter or press Tab If you have not entered part of a command at the command prompt all the commands supported at the current CLI level are listed If you enter part of a command then enter or press Tab the CLI lists the options you can enter at this point in the command string If you ent...

Page 47: ...uts display port numbers The port numbers are entered and displayed in one of the following formats port number only TABLE 4 CLI line editing commands Ctrl Key combination Description Ctrl A Moves to the first character on the command line Ctrl B Moves the cursor back one character Ctrl C Escapes and terminates command prompts and ongoing tasks such as lengthy displays and displays a fresh command...

Page 48: ...complex regular expressions to filter the output Searching and filtering output from Show commands You can filter output from show commands to display lines containing a specified string lines that do not contain a specified string or output starting with a line containing a specified string The search string is a regular expression consisting of a single character or string of characters You can ...

Page 49: ... and filtering output at the More prompt The More prompt displays when output extends beyond a single page From this prompt you can press the Space bar to display the next page the Return or Enter key to display the next line or Ctrl C or Q to cancel the display In addition you can search and filter output from this prompt At the More prompt you can press the forward slash key and then enter a sea...

Page 50: ...s You use a regular expression to specify a single character or multiple characters as a search string In addition you can include special characters that influence the way the software matches the output against the search string These special characters are listed in the following table More next page Space next line Return key quit Control c telnet The results of the search are displayed search...

Page 51: ...e a question mark the question mark is inserted into the command line allowing you to use it as part of a regular expression A caret when not used within brackets matches on the beginning of an input string For example the following regular expression matches output that begins with deg deg A dollar sign matches on the end of an input string For example the following regular expression matches out...

Page 52: ...levels of the CLI executes the show ip route command To create an alias called wrsbc for the CLI command copy running config tftp 10 10 10 10 test cfg enter the following command PowerConnect config alias wrsbc copy running config tftp 10 10 10 10 test cfg To remove the wrsbc alias from the configuration enter one of the following commands PowerConnect config no alias wrsbc or PowerConnect config ...

Page 53: ...se the write memory command Logging on through the Web Management Interface To use the Web Management Interface open a Web browser and enter the IP address of the management port on the Dell PowerConnect device in the Location or Address field The Web browser contacts the Dell PowerConnect device and displays a Login panel such as the one shown below FIGURE 1 Web Management Interface login panel N...

Page 54: ...ng You must add one using the CLI As an alternative to using the SNMP community strings to log in you can configure the Dell PowerConnect device to secure Web management access using local user accounts or Access Control Lists ACLs Navigating the Web Management Interface When you log into a device the System configuration panel is displayed This panel allows you to enable or disable major system f...

Page 55: ...NOTE If you are using Internet Explorer 6 0 to view the Web Management Interface make sure the version you are running includes the latest service packs Otherwise the navigation tree the left most pane in Figure 3 will not display properly For information on how to load the latest service packs refer to the on line help provided with your Web browser The left pane of the Web Management Interface w...

Page 56: ... start the Web Management Interface or if you are currently running the Web Management Interface the changes will take place when you click the Refresh button on your browser Using the Web Management Interface 1 Click on the plus sign next to Configure in the tree view to expand the list of configuration options 2 Click on the plus sign next to System in the tree view to expand the list of system ...

Page 57: ...ot include an option to display the tree view 6 When you have finished click the Apply button on the panel then click the Refresh button on your browser to activate the changes 7 To save the configuration click the plus sign next to the Command folder then click the Save to Flash link NOTE The only changes that become permanent are the settings to the Menu Type and the Front Panel Frame Any other ...

Page 58: ...es FCX Configuration Guide 53 1002266 01 Logging on through Brocade Network Advisor 1 Logging on through Brocade Network Advisor Refer to the Brocade Network Advisor manual for information about using Brocade Network Advisor ...

Page 59: ...ling an outbound Telnet session Yes System time using a Simple Network Time Protocol SNTP server or local system counter Yes System clock Yes Packet based broadcast multicast and unknown unicast limits Yes CLI banners Yes Local MAC address for Layer 2 management traffic Yes Basic Port Parameters Port name Yes 10 100 1000 port speed Yes Auto negotiation Yes Auto negotiation maximum port speed adver...

Page 60: ...information about the Syslog buffer and messages refer to Chapter 41 Using Syslog The procedures in this section describe how to configure the basic system parameters listed in Table 6 Entering system administration information You can configure a system name contact and location for a Dell PowerConnect device and save the information locally in the configuration file for future reference This inf...

Page 61: ...erver NOTE To add and modify get read only and set read write community strings refer to Chapter 32 Securing Access to Management Functions Specifying an SNMP trap receiver You can specify a trap receiver to ensure that all SNMP traps sent by the Dell PowerConnect device go to the same SNMP trap receiver or set of receivers typically one or more host devices on the network When you specify the hos...

Page 62: ...ypted string To add a trap receiver and configure the software to encrypt display of the community string in the CLI and Web Management Interface enter commands such as the following PowerConnect config snmp server host 2 2 2 2 0 PowerConnect 12 PowerConnect config write memory The port value parameter allows you to specify which UDP port will be used by the trap receiver This parameter allows you...

Page 63: ...seconds and can be from 1 600 ten minutes The default is 60 seconds Disabling SNMP traps Dell PowerConnect devices come with SNMP trap generation enabled by default for all traps You can selectively disable one or more of the following traps NOTE By default all SNMP traps are enabled at system startup Layer 2 traps The following traps are generated on devices running Layer 2 software SNMP authenti...

Page 64: ...essing this level is enable The feature is enabled by default Examples of Syslog messages for CLI access When a user whose access is authenticated by a local user account a RADIUS server or a TACACS TACACS server logs into or out of the CLI User EXEC or Privileged EXEC mode the software generates a Syslog message and trap containing the following information The time stamp The user name Whether th...

Page 65: ...session If you want to cancel a Telnet session from the console to a remote Telnet server for example if the connection is frozen you can terminate the Telnet session by doing the following 1 At the console press Ctrl Ctrl Shift 6 2 Press the X key to terminate the Telnet session Pressing Ctrl twice in a row causes a single Ctrl character to be sent to the Telnet server After you press Ctrl pressi...

Page 66: ...rConnect device to poll for clock updates from a SNTP server every 15 minutes enter the following PowerConnect config sntp poll interval 900 Syntax no sntp poll interval 1 65535 To display information about SNTP associations enter the following command Syntax show sntp associations The following table describes the information displayed by the show sntp associations command To display information ...

Page 67: ...e system time and date to 10 15 05 on October 15 2003 enter the following command PowerConnect clock set 10 15 05 10 15 2003 Syntax no clock set hh mm ss mm dd yy mm dd yyyy TABLE 8 Output from the show sntp status command This field Indicates unsynchronized System is not synchronized to an NTP peer synchronized System is synchronized to an NTP peer stratum NTP stratum level of this system referen...

Page 68: ...gmt 10 Syntax clock timezone gmt us time zone You can enter one of the following values for time zone US time zones us alaska aleutian arizona central east indiana eastern hawaii michigan mountain pacific samoa GMT time zones gmt gmt 0 00 to gmt 12 00 in increments of 1 and gmt 0 00 to gmt 12 00 in decrements of 1 are supported New start and end dates for US daylight saving time NOTE This feature ...

Page 69: ...at are flooded on the VLAN to other devices Configuration notes and feature limitationss PowerConnect B Series FCX devices To enable unknown unicast limiting or multicast limiting enable it after enabling broadcast limiting Unknown unicast limiting and multicast limiting use the limit defined in broadcast limiting You cannot set a separate limit for unknown unicast limiting and multicast limiting ...

Page 70: ... run interface command to display the broadcast multicast and unknown unicast limits configured on the device show rate limit unknown unicast show rate limit broadcast Use the show run interface command to view the broadcast multicast and unknown unicast limit configured on each port Example Syntax show run interface Use the show rate limit unknown unicast command to display the unknown unicast li...

Page 71: ...lished PowerConnect config banner motd Press Return Enter TEXT message End with the character Welcome to PowerConnect A delimiting character is established on the first line of the banner motd command You begin and end the message with this delimiting character The delimiting character can be any character except double quotation mark and cannot appear in the banner text In this example the delimi...

Page 72: ...ve to press Enter after the MOTD banner is displayed For example if the MOTD Authorized Access Only is configured by default the following messages are displayed when a user tries to access the Dell PowerConnect device from a Telnet session Authorized Access Only Username The user can then login to the device However if the requirement to press the Enter key is enabled the following messages are d...

Page 73: ... up to 4000 characters which can consist of multiple lines Syntax no banner exec_mode delimiting character To remove the banner enter the no banner exec_mode command Displaying a console message when an incoming Telnet session is detected You can configure the Dell PowerConnect device to display a message on the Console when a user establishes a Telnet session This message indicates where the user...

Page 74: ...C address without the local bit setting Example PowerConnect config use local management mac PowerConnect config write memory PowerConnect config end PowerConnect reload Syntax no use local management mac NOTE You must save the configuration and reload the software to place the change into effect NOTE This feature is only available for the switch code It is not available for router code Configurin...

Page 75: ...8 on a PowerConnect from the default of 10 100 1000 auto sense to 100 Mbps operating in full duplex mode PowerConnect config interface ethernet 8 PowerConnect config if e1000 8 speed duplex 100 full Syntax speed duplex value where value can be one of the following 10 full 10 Mbps full duplex 10 half 10 Mbps half duplex 100 full 100 Mbps full duplex 100 half 100 Mbps half duplex 1000 full master 1 ...

Page 76: ... speed down shift and maximum port speed advertisement features operate dynamically at the physical link layer independent of logical trunk group configurations Although Dell recommends that you use the same cable types and auto negotiation configuration on all members of a trunk group you could utilize the auto negotiation features conducive to your cabling environment For example in certain circ...

Page 77: ...ethernet 0 1 1 to 0 1 10 ethernet 0 1 15 to 0 1 20 To configure down shift on ports 5 to 13 and 17 to 19 on a compact switch enter the following PowerConnect config link config gig copper autoneg control down shift ethernet 5 to 13 ethernet 17 to 19 Syntax no link config gig copper autoneg control down shift 100m auto 10m auto ethernet port list The port list is the list of ports to which the comm...

Page 78: ...100m ethernet port ethernet port Specify the port variable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum You can list all of the ports individually use the keyword to to specify ranges of ports or a combination of both You can enable maximum port speed advertisement on one or two ports at a time To disable maximum port speed advertisement after it...

Page 79: ...tiation Thus these commands work whether auto negotiation is turned ON or OFF Do not use the mdi mdix commands on ports that are manually configured with a speed and duplex of 100 full In this case make sure the other port remote end of the connection is also configured to 100 full and a cross over cable is used if the connected device is another switch hub or router or a straight through cable if...

Page 80: ...device that is oversubscribed is receiving more traffic than it can handle sends an 802 3x PAUSE frame to its link partner to temporarily reduce the amount of data the link partner is transmitting Without flow control buffers would overflow packets would be dropped and data retransmission would be required All PowerConnect devices support asymmetric flow control meaning they can receive PAUSE fram...

Page 81: ...on is OFF or if the port speed was configured manually then flow control is not negotiated with or advertised to the peer For details about auto negotiation refer to Modifying port speed and duplex mode on page 33 To disable the advertisement of flow control capability on a port enter the following commands PowerConnect config interface ethernet 0 1 21 PowerConnect config if e1000 0 1 21 no flow c...

Page 82: ...zation 0 packets input 0 bytes 0 no buffer Received 0 broadcasts 0 multicasts 0 unicasts 0 input errors 0 CRC 0 frame 0 ignored 0 runts 0 giants 5 packets output 320 bytes 0 underruns Transmitted 0 broadcasts 5 multicasts 0 unicasts 0 output errors 0 collisions The line highlighted in bold will resemble one of the following depending on the configuration If flow control negotiation is enabled and ...

Page 83: ...G ports Also the default XOFF and XON thresholds are different for jumbo mode versus non jumbo mode The defaults are shown in Table 9 If necessary you can change the total buffer limits and the XON and XOFF default thresholds Refer to Changing the total buffer limits on page 43 and Changing the XON and XOFF thresholds on page 42 respectively Configuration notes and feature limitations for symmetri...

Page 84: ...ric flow control is enabled To enable symmetric flow control globally on all full duplex data ports of a standalone unit enter the following command PowerConnect config symmetric flow control enable To enable symmetric flow control globally on all full duplex data ports of a particular unit in an IronStack enter a command such as the following PowerConnect config symmetric flow control enable unit...

Page 85: ... total buffer limit for all 10G ports enter a command such as the following PowerConnect config symmetric flow control set 2 buffers 128 Total buffers modified 1G 320 10G 128 Syntax symmetric flow control set 1 2 buffers value symmetric flow control set 1 buffers value sets the total buffer limits for 1G ports The default value is 272 You can specify a number from 64 320 symmetric flow control set...

Page 86: ... MIF config mode NOTE Higher settings give better tolerance for clock differences with the partner phy but may marginally increase latency as well Configuring the IPG on PowerConnect Stackable devices On PowerConnect B Series FCX devices you can configure an IPG for each port An IPG is a configurable time delay between successive data packets You can configure an IPG with a range from 48 120 bit t...

Page 87: ...P MTU 10222 bytes 300 second input rate 0 bits sec 0 packets sec 0 00 utilization 300 second output rate 248 bits sec 0 packets sec 0 00 utilization 0 packets input 0 bytes 0 no buffer Received 0 broadcasts 0 multicasts 0 unicasts 0 input errors 0 CRC 0 frame 0 ignored 0 runts 0 giants 80 packets output 5120 bytes 0 underruns Transmitted 0 broadcasts 80 multicasts 0 unicasts 0 output errors 0 coll...

Page 88: ...port on a fiber port enter the no form of the command Note that you must disable 100BaseFX support before inserting a different type of module In the same port Otherwise the device will not recognize traffic traversing the port Changing the Gbps fiber negotiation mode The globally configured Gbps negotiation mode is the default mode for all Gbps fiber ports You can override the globally configured...

Page 89: ...rtise information about itself such as device ID port ID and platform When the Dell PowerConnect device receives the VoIP phone query it sends the voice VLAN ID in a reply packet back to the VoIP phone The VoIP phone then configures itself within the voice VLAN As long as the port to which the VoIP phone is connected has a voice VLAN ID the phone will configure itself into that voice VLAN If you c...

Page 90: ...oice VLAN configuration for a port specify the port number with the show voice vlan command The following example shows the command output results The following example shows the message that appears when the port does not have a configured voice VLAN To view the voice VLAN for all ports use the show voice vlan command The following example shows the command output results Syntax show voice vlan e...

Page 91: ...ethernet 2 1 PowerConnect config if e10000 2 1 link error disable 10 3 10 Syntax no link error disable toggle threshold sampling time in sec wait time in sec The toggle threshold is the number of times a port link state goes from up to down and down to up before the wait period is activated Enter a value from 1 50 The sampling time in sec is the amount of time during which the specified toggle thr...

Page 92: ...will go from up to down and down to up before the wait period is activated Sampling Time The number of seconds during which the specified toggle threshold can occur before the wait period is activated Shutoff Time The number of seconds the port will remain disabled down before it becomes enabled A zero 0 indicates that the port will stay down until an administrative override occurs PowerConnect sh...

Page 93: ...ollowing Syslog message is displayed 0d00h02m41s I ERR_DISABLE Interface ethernet 16 err disable recovery timeout State The port state can be one of the following Idle The link is normal and no link state toggles have been detected or sampled Down The port is disabled because the number of sampled errors exceeded the configured threshold Err The port sampled one or more errors Counter If the port ...

Page 94: ... re enables the port To set your device to automatically re enable Err Disabled ports refer to Configuring the device to automatically re enable ports on page 53 Configuration notes Loopback detection packets are sent and received on both tagged and untagged ports Therefore this feature cannot be used to detect a loop across separate devices The following information applies to Loose Mode loop det...

Page 95: ...e no form of the command to disable loop detection Configuring a global loop detection interval The loop detection interval specifies how often a test packet is sent on a port When loop detection is enabled the loop detection time unit is 0 1 second with a default of 10 one second The range is from 1 one tenth of a second to 100 10 seconds You can use the show loop detection status command to view...

Page 96: ... wait 120 seconds 2 minutes before re enabling the ports To revert back to the default recovery time interval of 300 seconds 5 minutes enter one of the following commands PowerConnect config errdisable recovery interval 300 OR PowerConnect config no errdisable recovery interval 120 Syntax no errdisable recovery interval seconds where seconds is a number from 10 to 65535 Clearing loop detection To ...

Page 97: ...ommand shows the hardware and software resources being used by the loop detection feature Vlans configured loop detection use 1 HW MAC Vlans not configured but use HW MAC 1 10 alloc in use avail get fail limit get mem size init configuration pool 16 6 10 0 3712 6 15 16 linklist pool 16 10 6 0 3712 10 16 16 Displaying loop detection resource information Use the show loop detection resource command ...

Page 98: ...due to loop detection This message also appears on the console loop detect port vlan into errdisable state The Errdisable function logs a message whenever it re enables a port get mem The number of get memory requests size The size init The number of requests initiated TABLE 11 Field definitions for the show loop detection resource command Continued This field Describes ...

Page 99: ...u can use the secondary flash to store redundant images for additional booting reliability or to preserve one software image while testing another one Only one flash device is active at a time By default the primary image will become active upon reload TABLE 12 Supported operations administration and maintenance features Feature PowerConnect B Series FCX Flash and boot code verification Yes Flash ...

Page 100: ...running on the device To determine the flash image version running on a device enter the show version command at any level of the CLI Some examples are shown below Compact devices To determine the flash image version running on a Compact device enter the show version command at any level of the CLI The following shows an example output PowerConnect show version SW Version 7 2 00aT53 Copyright c 20...

Page 101: ...ge 59 The Compressed Pri Code size line lists the flash code version installed in the primary flash area The Compressed Sec Code size line lists the flash code version installed in the secondary flash area The Boot Monitor Image size line lists the boot code version installed in flash memory The device does not have separate primary and secondary flash areas for the boot image The flash memory mod...

Page 102: ...werConnect Done Size 2044830 SHA1 49d12d26552072337f7f5fcaef4cf4b742a9f525 To generate a CRC32 hash value for the secondary image enter the following command PowerConnect verify crc32 secondary PowerConnect Done Size 2044830 CRC32 b31fcbc0 To verify the hash value of a secondary image with a known value enter the following commands PowerConnect verify md5 secondary 01c410d6d153189a4a5d36c955653861...

Page 103: ...st of files stored in flash memory do one of the following For PowerConnect B Series FCX devices enter the show dir command at any level of the CLI or enter the dir command at the boot monitor mode The following shows an example command output Syntax show dir To display the contents of a flash configuration file enter a command such as the following from the User EXEC or Privileged EXEC mode of th...

Page 104: ...0aT7f1 stack unit 1 module 1 FCX 24 port management module module 2 FCX cx4 2 port 16g module module 3 FCX xfp 2 port 16g module priority 80 stack port 1 2 1 1 2 2 stack unit 2 module 1 FCX 48 port management module module 2 FCX cx4 2 port 16g module module 3 FCX xfp 2 port 16g module stack port 2 2 1 2 2 2 stack enable vlan 1 name DEFAULT VLAN by port no spanning tree metro rings 1 metro ring 1 m...

Page 105: ...ll PowerConnect device by default the Dell PowerConnect device rejects the request Changing the block size for TFTP file transfers When you use TFTP to copy a file to or from a Dell PowerConnect device the device transfers the data in blocks of 8192 bytes by default You can change the block size to one of the following if needed 4096 2048 1024 512 256 128 64 32 16 To change the block size for TFTP...

Page 106: ...ation notes If you are booting the device from a TFTP server through a fiber connection use the following command boot system tftp ip address filename fiber port In an IronStack the boot system tftp ip address filename command will cause the system to boot the active unit with the image specified in the command The rest of the units in the stack will boot with the primary or secondary image depend...

Page 107: ...and at any CLI prompt Running configuration file This file contains the configuration active in the system RAM but not yet saved to flash These changes could represent a short term requirement or general configuration change To display this file enter the show running config or write terminal command at any CLI prompt Each device can have one startup configuration file and one running configuratio...

Page 108: ... Syntax no logging enable config changed Copying a configuration file to or from a TFTP server To copy the startup config or running config file to or from a TFTP server use one of the following methods NOTE For details about the copy and ncopy commands used with IPv6 refer to Using the IPv6 copy command on page 69and Using the IPv6 ncopy command on page 71 NOTE You can name the configuration file...

Page 109: ...oftware cannot implement the changes to the secondary port Preparing the configuration file A configuration file that you create must follow the same syntax rules as the startup config file the device creates The configuration file is a script containing CLI configuration commands The CLI reacts to each command entered from the file in the same way the CLI reacts to the command if you enter it For...

Page 110: ...tains these commands interface ethernet 2 no spanning tree The CLI responds like this PowerConnect config interface ethernet 2 Error cannot configure secondary ports of a trunk PowerConnect config no spanning tree PowerConnect config If the file contains commands that must be entered in a specific order the commands must appear in the file in the required order For example if you want to use the f...

Page 111: ... and the startup config file If you use TFTP to load additional information into a device running config or startup config file it is possible to exceed the maximum allowable size If this occurs you will not be able to save the configuration changes The maximum size for the running config and the startup config file is 64K each To determine the size of a running config or startup config file copy ...

Page 112: ... want to copy to the IPv6 TFTP server The primary keyword specifies the primary boot image while the secondary keyword specifies the secondary boot image Copying a file from the running or startup configuration For example to copy the running configuration to an IPv6 TFTP server enter a command such as the following PowerConnect copy running config tftp 2001 7382 e0ff 7837 3 newrun cfg This comman...

Page 113: ...flash memory Copying a file to the running or startup configuration For example to copy a configuration file from an IPv6 TFTP server to the running or startup configuration enter a command such as the following PowerConnect copy tftp running config 2001 7382 e0ff 7837 3 newrun cfg overwrite This command copies the newrun cfg file from the IPv6 TFTP server and overwrites the running configuration ...

Page 114: ...n hexadecimal using 16 bit values between colons as documented in RFC 2373 The source file name parameter specifies the name of the file you want to copy from flash memory Copying the running or startup configuration to an IPv6 TFTP server For example to copy a device running or startup configuration to an IPv6 TFTP server enter a command such as the following PowerConnect ncopy running config tft...

Page 115: ... from an IPv6 TFTP server For example to upload a running or startup configuration from an IPv6 TFTP server to a device enter a command such as the following PowerConnect ncopy tftp 2001 7382 e0ff 7837 3 newrun cfg running config This command uploads a file named newrun cfg from a TFTP server with the IPv6 address of 2001 7382 e0ff 7837 3 to the device Syntax ncopy tftp ipv6 address source file na...

Page 116: ... stored in secondary flash of the system erase startup config erases the configuration stored in the startup configuration file however the running configuration remains intact until system reboot Scheduling a system reload In addition to reloading the system manually you can configure the Dell PowerConnect device to reload itself at a specific time or after a specific amount of time has passed NO...

Page 117: ...cheduled reload To cancel a scheduled system reload using the CLI enter the following command at the global CONFIG level of the CLI PowerConnect reload cancel Diagnostic error codes and remedies for TFTP transfers If an error occurs with a TFTP transfer to or from a Layer 2 Switch or Layer 3 switch one of the following error codes displays on the console Error code Message Explanation and action 1...

Page 118: ...tch you can use the host name only if you have already enabled the Domain Name Server DNS resolver feature on the device from which you are sending the ping Refer to Configuring IP on page 783 The required parameter is the IP address or host name of the device 7 TFTP busy only one TFTP session can be active Another TFTP transfer is active on another CLI session or Web management session or Brocade...

Page 119: ...default the device does not verify the data The data 1 4 byte hex parameter lets you specify a specific data pattern for the payload instead of the default data pattern abcd in the packet data payload The pattern repeats itself throughout the ICMP message payload portion of the packet NOTE For numeric parameter values the CLI does not check that the value you enter is within the allowed range Inst...

Page 120: ... given TTL In addition if there are multiple equal cost routes to the destination the Dell PowerConnect device displays up to three responses by default PowerConnect traceroute 192 33 4 7 Syntax traceroute host ip addr maxttl value minttl value numeric timeout value source ip ip addr Possible and default values are as follows minttl minimum TTL hops value Possible values are 1 255 Default value is...

Page 121: ...e Dell PowerConnect device The LID is used in conjunction with a transaction key to generate and download a software license from the Brocade software portal The software license is tied to the LID of the Dell PowerConnect device for which the license was ordered and generated Licensed feature Any hardware or software feature or set of features that require a valid software license in order to ope...

Page 122: ...dered separately not pre installed an entitlement certificate along with a transaction key are issued to the customer by Dell as proof of purchase The transaction key and LID of the Dell PowerConnect device are used to generate a license key from the Brocade software licensing portal The license key is contained within a license file which is downloaded to the customer s PC where the file can then...

Page 123: ... Series FCX devices The following licensing rules apply to PowerConnect B Series FCX devices Each stack unit in an PowerConnect B Series FCX IronStack must have a separate software license for the same licensed feature For example if there are eight units in an IronStack eight separate licenses must be purchased to run BGP in the stack Any unit in a stack that does not have a license to run BGP wi...

Page 124: ...es unit 4 has an inferior license and will not be allowed to join the stack Likewise if unit 4 has a license to run BGP whereas the Active controller does not unit 4 has a superior license and will be allowed to join the stack but will not be elected as the Standby Controller For hitless stacking limitations with software based licensing refer to Configuration notes and feature limitations on page...

Page 125: ...nt certificate with electronic key Keep it in a safe place in case it is needed for technical support or product replacement RMAs 3 Log in to the brocade software portal at http swportal brocade com and complete the software license request If you do not have a login ID and password request access by following the instructions on the screen TABLE 17 Configuration tasks for software licensing Confi...

Page 126: ...84 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Configuration tasks 4 Figure 5 shows the Software Portal Login window FIGURE 5 Brocade Software Portal Login window ...

Page 127: ...gure 6 shows the License Management Welcome window that appears after logging in to the software portal From this window mouse over the License Management banner then IP Ethernet then click on License Generation with Transaction key FIGURE 6 License Management Welcome window License Query ...

Page 128: ...t box shown in Figure 7 For a description of the field move the mouse pointer over the text box An asterisk next to a field indicates that the information is required You can generate more than one license at a time For each license request enter the Unit Information Unit ID and transaction key then click on the Add button When you have finished entering the required information read the End User ...

Page 129: ... generated license file The license file will also be automatically e mailed to the specified Customer e mail ID If the license request failed the Status field will indicate the reason it failed and the action to be taken FIGURE 8 IP Ethernet License Generation Results window 4 Download the license file to your PC by either clicking on the hyperlink or saving it from the e mail attachment 5 Upload...

Page 130: ...lowing on the SCP enabled client c scp c license license101 terry 10 1 1 1 license Syntax scp license_file_on_host user IP_address license Verifying the license file installation Use the show license command to verify that the license is installed on the device Details about this command are in the section Viewing the license database on page 92 Deleting a license A license will remain in the lice...

Page 131: ... status of the license for example whether or not the license was generated the report will include the following Information Hardware part number serial number and description Software part number serial number and description Date the license was installed Transaction key LID Feature name Product line To access the License Query option select it from the License Management Welcome window shown i...

Page 132: ...nsferring a license A license can be transferred between Dell PowerConnect devices if the following conditions are true The device is under an active support contract and The license is being transferred between two like models e g from a 24 port model to another 24 port model or from a 48 port model to another 48 port model Contact your Dell representative for more information Syslog messages and...

Page 133: ...cense FCX ADV LIC SW installed Warning License Package package_name with LID LID_number expires in number days The trial license is about to expire This message will begin to display 3 days before the expiration date and every 2 hours on the last day that the license will expire Notification License Package package_name with LID LID_number has expired The trial license has expired TABLE 18 Syslog ...

Page 134: ...zed by the system Invalid The LID does not match the serial number of the device for which the license was purchased Active The license is valid and in effect on the device Not used The license is not in effect on the device Expired For trial licenses only this indicates that the trial license has expired License Type Indicates whether the license is normal permanent or trial temporary License Per...

Page 135: ...OUTER_SOFT_PACKAGE Yes PowerConnect show version Copyright c 1996 2010 Brocade Communications Systems Inc UNIT 1 compiled on Mar 30 2010 at 18 39 20 labeled as FCXR07000b1 5245400 bytes from Secondary FCXR07000b1 bin SW Version 07 0 00b1T7f3 Boot Monitor Image size 369286 Version 07 0 01T7f5 grz07001 HW Stackable FCX624SF UNIT 1 SL 1 FCX 24GS 24 port Management Module Serial PR320400289 license FC...

Page 136: ...94 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Viewing information about software licenses 4 ...

Page 137: ...ht units per stack Flexible stacking ports Linear and ring stack topology support Secure setup utility to make stack setup easy and secure TABLE 21 Supported Ironstack features Feature PowerConnect B Series FCX1 1 All PowerConnect B Series FCX models can be ordered from the factory as ADV models ADV models include support for Layer 3 BGP PowerConnect B Series FCX E and PowerConnect B Series FCX I ...

Page 138: ...The unit that will take over as Active Controller after the next reload if its priority has been changed to the highest priority When a priority for a stack unit is changed to be higher than the existing Active Controller the takeover does not happen immediately to prevent disruptions in the stack operation Standby Controller The stack member with the highest priority after the Active Controller T...

Page 139: ... is in a non functioning state Because of this state traffic from the non stack ports will not be forwarded into the stack they will be dropped or discarded This may be caused by an image or configuration mismatch Sequential Connection Stack unit IDs beginning with the Active Controller are sequential For example 1 3 4 6 7 is sequential if Active Controller is 1 1 7 6 4 3 are non sequential in a l...

Page 140: ...rmation about PowerConnect B Series FCX stack topologies see PowerConnect B Series FCX stack topologies on page 98 PowerConnect B Series FCX stack topologies A IronStack can contain all one model or any combination of the PowerConnect B Series FCX models You can mix 24 port and 48 port FCX devices in a single stack to a maximum of eight units per stack The procedure for cabling a stack of PowerCon...

Page 141: ... topology stack using SFP module ports 1 3 5 7 9 11 13 15 17 19 21 23 2 4 6 8 10 12 14 16 18 20 22 24 Reset 1 PS 2 Diag Console Mgmt 25 27 29 31 33 35 37 39 41 43 45 47 26 28 30 32 34 36 38 40 42 44 46 48 1 3 5 7 9 11 13 15 17 19 21 23 2 4 6 8 10 12 14 16 18 20 22 24 Reset 1 PS 2 Diag Console Mgmt 1 3 5 7 9 11 13 15 17 19 21 23 2 4 6 8 10 12 14 16 18 20 22 24 Reset 1 PS 2 Diag Console Mgmt ...

Page 142: ...e three ways to build an IronStack 1 3 5 7 9 11 13 15 17 19 21 23 2 4 6 8 10 12 14 16 18 20 22 24 Reset 1 PS 2 Diag Console Mgmt 25 27 29 31 33 35 37 39 41 43 45 47 26 28 30 32 34 36 38 40 42 44 46 48 1 3 5 7 9 11 13 15 17 19 21 23 2 4 6 8 10 12 14 16 18 20 22 24 Reset 1 PS 2 Diag Console Mgmt 1 3 5 7 9 11 13 15 17 19 21 23 2 4 6 8 10 12 14 16 18 20 22 24 Reset 1 PS 2 Diag Console Mgmt 1 3 5 7 9 1...

Page 143: ...pology using the manual configuration process on page 108 Configuration notes Before you configure your IronStack consider the following guidelines Consider the number of units and the mix of units your stack will contain and how the stacking ports on the units will be connected For more information about PowerConnect B Series FCX devices refer to the PowerConnect B FCX Switch Hardware Installatio...

Page 144: ... a priority of 128 by default if no other units in the stack have a priority higher than 128 If another unit in the stack has a priority of 128 or higher secure setup will give the Active Controller a priority equal to the highest priority unit in the stack which is by default the Standby Controller When the Active Controller and the Standby Controller have identical priorities during a reset the ...

Page 145: ... Hop s Type Mac Address 1 FCX624 0012 f239 2d40 2 FCX624 0012 f2d5 2100 Available DOWNSTREAM units Hop s Type Mac Address 1 FCX624 0012 f2d5 2100 2 FCX624 0012 f239 2d40 Do you accept the topology RING y n y If you accept the topology you will see output similar to the following Selected Topology Active Id Type Mac Address 1 FCX648 00e0 52ab cd00 Selected UPSTREAM units Hop s Id Type Mac Address 1...

Page 146: ...word before you can add the unit If you do not know the password take one of the following actions Discontinue secure setup by entering C Obtain the device password from the administrator Continue secure setup for your stack The password protected device and all devices connected behind it will not be included in the setup process In the following example the second unit is password protected so y...

Page 147: ...ommand initiates configuration synchronization which copies the configuration file of the Active Controller to the rest of the stack units NOTE The secure setup process may modify your configuration with information about new units stacking ports etc For this reason it is very important to save this information by issuing the write memory command If you do not do this you may lose your configurati...

Page 148: ...le PowerConnect config unit 2 stack unit 3 PowerConnect config unit 3 module 1 FCX 24 port management module PowerConnect config unit 3 module 2 FCX xfp 1 port 16g module PowerConnect config unit 3 module 3 FCX xfp 1 port 16g module NOTE Each stack unit must have a unique ID number 5 Assign a priority to the Active Controller using the priority command as shown PowerConnect config stack unit 1 Pow...

Page 149: ...nt 1 S FCX624 active 00e0 5200 0100 255 local Ready 2 S FCX624 standby 0012 f2eb afc0 240 remote Ready 3 S FCX624 member 001b ed5d a1c0 0 remote Ready active standby 2 1 1 3 1 2 1 2 3 1 2 2 3 2 1 Current stack management MAC is 00e0 5200 0100 PowerConnect NOTE For field descriptions for the show stack command refer to Displaying stack information on page 135 Configuration notes for scenario 2 Cons...

Page 150: ...onfig unit 1 priority 255 PowerConnect config unit 1 stack enable Enable stacking This unit actively participates in stacking PowerConnect config unit 1 write memory Write startup config done PowerConnect config unit 1 Flash Memory Write 8192 bytes per dot Flash to Flash Done PowerConnect config unit 1 end Unit 2 PowerConnect config t PowerConnectconfig stack enable Enable stacking This unit activ...

Page 151: ...ng ports on page 109 An PowerConnect B Series FCX clean unit may contain a default port configuration but it is still considered a clean unit To preserve this state do not do a write memory on the unit before you build the stack An PowerConnect B Series FCX device with the default port configuration is still considered a clean unit To ensure that the device remains a clean unit do not do a write m...

Page 152: ... of the link must be configured for 16 Gbps PowerConnect config if e10000 cx4 1 2 1 speed duplex 10g full PowerConnect config if e10000 cx4 1 2 1 end PowerConnect show int br in Up 1 1 4 Up Forward Full 1G None No 1 0 001b f288 0003 1 2 1 Up Forward Full 10G None No 1 0 001b f288 0019 1 3 1 Up Forward Full 10G None No N A 0 001b f288 001b 3 3 1 Up Forward Full 10G None No N A 0 0024 3814 9df3 mgmt...

Page 153: ...288 0019 bia 001b f288 0019 Interface type is 16Gig CX4 Configured speed 16Gbit actual 16Gbit configured duplex fdx actual fdx Member of L2 VLAN ID 1 port is untagged port state is FORWARDING BPDU guard is Disabled ROOT protect is Disabled Link Error Dampening is Disabled STP configured to ON priority is level0 mac learning is enabled Flow Control is enabled mirror disabled monitor disabled Not me...

Page 154: ...nce you have configured default port on all units you can then use any of the three stack construction methods to build a stack The Active Controller then learns the port configuration for each unit NOTE You cannot change the setting for a default port if the port is in use Changing default stacking port configurations For PowerConnect B Series FCX E and PowerConnect B Series FCX I devices ports 1...

Page 155: ... stack port stack unit slotnum portnum TABLE 22 Slot and port designations for PowerConnect stackable devices Device Slot 1 Slot 2 Slot 3 Slot 4 PowerConnect B Series FCX624S 24 10 100 1000 ports on front panel Two 16 Gbps ports on rear panel Two 10 Gbps ports on front panel N A PowerConnect B Series FCX648S 48 10 100 1000 ports on front panel Two 16 Gbps ports on rear panel Two 10 Gbps ports on f...

Page 156: ... setup PowerConnect Discovering the stack topology Available UPSTREAM units Hop s Id Type Mac Address 1 new FCX648 0012 f2d6 0511 2 new FCX624 0200 9999 0000 Enter the number of the desired UPSTREAM units 0 2 0 2 Selected Topology Active Id Type Mac Address 1 FCX624 001b f2e5 0100 Selected UPSTREAM units Hop s Id Type Mac Address 1 2 FCX648 0012 f2d6 0511 2 3 FCX624 0200 9999 0000 Do you accept th...

Page 157: ...one PowerConnect show stack alone standalone D dynamic config S static config ID Type Role Mac Address Pri State Comment 1 S FCX624 active 001b f2e5 0100 128 local Ready 2 S FCX648 standby 0012 f2d6 0511 0 remote Ready 3 S FCX624 member 0200 9999 0000 0 remote Ready standby active 3 3 1 3 1 2 2 1 2 1 1 Current stack management MAC is 001b f2e5 0100 PowerConnect Configuring a default stacking port ...

Page 158: ...he same FCX stack PowerConnect show version Copyright c 1996 2009 Brocade Communications Systems Inc UNIT 8 compiled on Jun 17 2009 at 06 23 29 labeled as FCX06000a359 3578117 bytes from Primary FCX06000a359 bin SW Version 7 2 0a UNIT 2 compiled on Jun 17 2009 at 06 23 29 labeled as FCX06000a359 3578117 bytes from Primary FCX06000a359 bin SW Version 7 2 0a UNIT 3 compiled on Jun 17 2009 at 06 23 2...

Page 159: ...TION NOTE For field descriptions for the show running config command refer to Displaying running configuration information on page 143 NOTE For field descriptions for the show stack and show stack detail commands refer to Displaying stack information on page 135 The output from the show stack command contains a visual diagram of the stack The dashed line between ports 1 2 1 and 3 2 1 indicates tha...

Page 160: ...ply to the specified stack member Configuration information resides in the Active Controller Configuration Mode This is where you make configuration changes to the unit To save changes across reloads you need to save them to the Active Controller startup config file The configuration mode contains sub levels for individual ports for VLANs for routing protocols and other configuration areas NOTE By...

Page 161: ...terminating the session are not available NOTE Error messages that are generated during a reload of the Active Controller will not appear on rconsole connections from the stack units to the Active Controller To see these error messages you must connect a console cable to the Active Controller itself To establish an rconsole session enter the rconsole command as shown PowerConnect rconsole 1 Syntax...

Page 162: ...Stack MAC address on page 120 In an IronStack the management MAC address is generated by the software and is always the MAC address of the first port of the Active Controller This ensures that the management MAC address remains consistent across stack reboots and helps prevent frequent topology changes as a result of protocol enable disable and configuration changes When you are configuring Layer ...

Page 163: ...mat Enter the no form of this command to return the MAC address to that of the Active Controller Output for this command resembles the following PowerConnect config stack mac 0000 0000 0011 PowerConnect config show running config Current configuration ver 7 2 00a 100T7e1 stack 1 module 1 FCX 48 port management module module 2 FCX cx4 2 port 16g module priority 80 stack 2 module 1 FCX 24 port manag...

Page 164: ...C address from all VLANs Specify the MAC address in the following format HHHH HHHH HHHH Use the ethernet port parameter to remove all MAC addresses for a specified Ethernet port Specify the port variable in the format stack unit slotnum portnum Use the vlan number parameter to remove all MAC addresses for a specified VLAN IronStack unit identification Stack units are identified by numbers 1 though...

Page 165: ...dby Controllers have the same priority If there are more than two units in a stack and the Active Controller leaves and comes back it cannot win back the Active role because the new Active Controller has more members than the old Active Controller which has no members If there are only two units in a stack the old Active Controller may win back the Active role if it has a lower unit ID In this cas...

Page 166: ...sful stack build on page 152 cx4 10g Changing PowerConnect B Series FCX S and CX4 ports from 16 Gbps to 10 Gbps on page 110 kill console Configuring TACACS TACACS for devices in a Dell IronStack on page 1165 priority Changing the priority of a stack unit on page 123 rconsole Logging in through the console port on page 118 reload stack unit Reloading a stack unit on page 126 show chassis Displaying...

Page 167: ...e stack disable command The stack disable command prevents a unit from sending or listening for any stacking probe messages In this mode the unit cannot be forced to join a stack PowerConnect config stack disable Syntax no stack disable To remove this restriction enter the no stack disable command show statistics stack port Displaying stacking port statistics on page 146 show interfaces stack port...

Page 168: ...copy images to a stack member from the Active Controller primary and secondary flash respectively For unit num enter a value from 1 through 8 For FCXS devices the unit range is from 1 through 10 Reloading a stack unit To reload a stack unit enter the following command PowerConnect reload Syntax reload after at cancel unit id unit list after schedule reloading after certain time period at schedule ...

Page 169: ...ootup id 1 PowerConnect show stack alone standalone D dynamic config S static config ID Type Role Mac Address Pri State Comment 1 S FCX624 active 0012 f239 2d40 128 local Ready 2 S FCX624 standby 0012 f2d5 2100 0 remote Ready Managing IronStack partitioning When a unit in an IronStack with a linear topology fails the IronStack divides partitions into two or more separate stacks that all have the s...

Page 170: ... lose their configuration and are reset If the IDs of the losing stack units conflict with the IDs of the winning units they may change and the IDs will no longer be sequential You can use secure setup to renumber the members in the newly merged stack The following examples show how stack merging works If a stack partitions into multiple stacks because of a connection failure and you fix the conne...

Page 171: ...able Persistent MAC Address enter the following command PowerConnect config stack persistent mac timer 120 Syntax no stack persistent mac timer number The number variable is the number of minutes during which the IronStack will retain the original MAC Address if the Active Controller fails or is removed for service The valid value range is from 5 6000 minutes If you enter a 0 it means keep this ad...

Page 172: ...that returns stack units to their pre stacking state When a stack unit is unconfigured its stacking flash is removed and its startup config txt flash file is recovered These actions apply to all units to which this command is applied regardless of the role of the unit in the stack When the stack unconfigure command is applied to the Active Controller it removes stack enable from the run time confi...

Page 173: ...tive 0012 f2eb a900 128 local Ready 2 S FCX648 member 0000 0000 0000 0 reserved 3 S FCX624 standby 00e0 5201 0100 0 remote Ready When the stack unconfigure 2 command is issued stack unit 2 recovers the startup config txt from the startup config old configuration file that was saved when this unit downloaded its configuration from the Active Controller As the output shows stack member 2 has been re...

Page 174: ...nits The following example shows output from this command for a stack with eight units PowerConnect show memory Stack unit 1 Total DRAM 268435456 bytes Dynamic memory 238026752 bytes total 182820476 bytes free 23 used Stack unit 2 Total DRAM 268435456 bytes Dynamic memory 238026752 bytes total 172751776 bytes free 27 used Stack unit 3 Total DRAM 268435456 bytes Dynamic memory 238026752 bytes total...

Page 175: ...s Current temperature 33 0 deg C Warning level 85 0 deg C Shutdown level 90 0 deg C Intake Side Temperature Readings Current temperature 31 0 deg C Boot Prom MAC 0012 f2e4 6e00 Management MAC 0012 f2e4 6e00 The stack unit 2 chassis info Power supply 1 NA AC Regular present status ok Power supply 2 not present Fan 1 ok Fan 2 ok Exhaust Side Temperature Readings Current temperature 32 5 deg C Warnin...

Page 176: ... 001b ed5e ac31 S5 M1 FCX 24G 24 port Management Module OK 24 001b ed5d a180 S5 M2 FCX 1XG 1 port 16G Module 1 XFP OK 1 001b ed5d a198 S5 M3 FCX 1XG 1 port 16G Module 1 XFP OK 1 001b ed5d a199 S5 M4 FCX 1XG 1 port 16G Module 1 XFP OK 1 001b ed5d a19a S6 M1 FCX 24G 24 port Management Module OK 24 00e0 5200 3000 S6 M2 FCX 1XGC 1 port 16G Module 1 CX4 OK 1 00e0 5200 3018 S6 M3 FCX 1XGC 1 port 16G Mod...

Page 177: ...nformation You can display information about any and all of the members in an IronStack by entering show commands from the Active Controller console port If you enter show commands from a unit that is not the Active Controller the information may not be displayed correctly TABLE 27 Field definitions for the show module command This field Describes Module Identifies the module by stack unit ID modu...

Page 178: ...0 424f 4243 0 remote Ready member after reload PowerConnect show stack 3 ID Type Role Mac Address Prio State Comment 3 S FCX624 member 00f0 424f 4243 0 remote Ready If you add detail to the show stack command output resembles the following PowerConnect config show stack detail ID Type Role Mac Address Prio State Comment 1 S FCX624 member 00e0 5201 4000 0 remote Ready 2 S FCX624 member 00e0 5205 00...

Page 179: ...onfiguration for this unit is static has been saved with a write memory command D dynamic configuration The configuration for this unit is dynamic and may be overwritten by a new stack unit To change to a static configuration enter the write memory command ID The stack identification number for this unit Type The model of this unit Role The role of this unit within the stack MAC address The MAC ad...

Page 180: ...ived 467 Atomic batches sent 0 Atomic batches received 0 Pkts sent 1242 Pkts received 1094 Msg bytes sent 68013 Msg bytes received 16812 Pkt bytes sent 291680 Pkt bytes received 31808 Flushes requested 108 Suspends 0 Resumes 0 Packets sent with data DAT ACKs and window updates WND Other 1 ACK 467 WND 6 ACK WND 0 DAT 768 DAT ACK 0 DAT WND 0 DAT ACK WND 0 Data retransmits done 160 Zero window probes...

Page 181: ...lushes requested 0 Suspends 0 Resumes 0 Packets sent with data DAT ACKs and window updates WND Other 1 ACK 0 WND 0 ACK WND 0 DAT 254 DAT ACK 0 DAT WND 0 DAT ACK WND 0 Data retransmits done 20 Zero window probes sent 0 Dup ACK pkts rcvd 7 Pkts rcvd w dup data 0 Pkts rcvd w data past window 0 Session statistics unit 2 channel 5 Session state established last established 31 minutes 5 seconds ago Conn...

Page 182: ...ed 0 Pkt bytes sent 12 Pkt bytes received 84 Flushes requested 0 Suspends 0 Resumes 0 Packets sent with data DAT ACKs and window updates WND Other 1 ACK 0 WND 0 ACK WND 0 DAT 0 DAT ACK 0 DAT WND 0 DAT ACK WND 0 Data retransmits done 0 Zero window probes sent 0 Dup ACK pkts rcvd 7 Pkts rcvd w dup data 0 Pkts rcvd w data past window 0 Session statistics unit 3 channel 3 Session state established las...

Page 183: ...es 19 seconds ago Connections established 1 Remote resets 0 Reset packets sent 0 Connection statistics for current connection if established Msgs sent 971 Msgs received 506 Atomic batches sent 0 Atomic batches received 0 Pkts sent 1205 Pkts received 1088 Msg bytes sent 44281 Msg bytes received 19308 Pkt bytes sent 238004 Pkt bytes received 34652 Flushes requested 59 Suspends 0 Resumes 0 Packets se...

Page 184: ...cvd 4 Pkts rcvd w dup data 0 Pkts rcvd w data past window 0 Session statistics unit 3 channel 6 Session state established last established 32 minutes 17 seconds ago Connections established 1 Remote resets 0 Reset packets sent 0 Connection statistics for current connection if established Msgs sent 2 Msgs received 2 Atomic batches sent 0 Atomic batches received 0 Pkts sent 8 Pkts received 13 Msg byt...

Page 185: ...dule stack unit 3 module 1 FCX 48 port management module module 2 FCX xfp 1 port 16g module module 3 FCX cx4 1 port 16g module stack unit 4 module 1 FCX 48 port management module module 2 FCX cx4 1 port 16g module TABLE 32 Field descriptions for the show stack neighbors command This field Indicates ID The stack identification number for this unit Stack port1 Identifies the neighbor stack unit for ...

Page 186: ...1 module 1 FCX 24 port management module module 2 FCX cx4 2 port 16g module module 3 FCX xfp 1 port 16g module stack port 1 3 1 Displaying software version information The show version command shows the software version that the stack is running Note that the last line of this output shows the bootup ID and role for this unit Output resembles the following PowerConnect config show version SW Versi...

Page 187: ...anagement Module Serial AN07510269 P ASIC 0 type D804 rev 01 P ASIC 1 type D804 rev 01 STACKID 3 SL 2 FCX 1XGC 1 port 16G Module 1 CX4 STACKID 3 SL 3 FCX 1XG 1 port 16G Module 1 XFP 400 MHz Power PC processor 8248 version 130 2014 66 MHz bus 512 KB boot flash memory 30720 KB code flash memory 128 MB DRAM Monitor Option is on The system uptime is 18 minutes 4 seconds STACKID 1 system uptime 18 minu...

Page 188: ...mand This field Indicates Port The stack identification number for this unit Link Identifies the configuration for modules on this unit State Indicates that a priority has been assigned to this stack unit Dupl Indicates whether the port is configured as half or full duplex Speed Indicates the port speed Trunk Indicates whether the port is part of a trunk Tag Indicates whether the port is tagged or...

Page 189: ...ter the module configuration of the new unit into the Active Controller configuration 2 Connect the new unit to the stack using the 10Gbps stacking ports The sequence in which you connect the unit must match that of the Active Controller configuration The Active Controller automatically resets the unit 3 Once the new unit boots and joins the stack do a write memory on the Active Controller You sho...

Page 190: ...nit Refer to Unconfiguring an IronStack on page 130 When a unit is removed from a stack the Active Controller deletes this unit configuration if it is dynamically learned Refer to IronStack terminology on page 96 for definitions of static and dynamic configurations Replacing an IronStack unit Replacing with a clean unit If the stack unit ID numbering is sequential you can easily swap a failed unit...

Page 191: ... 30 seconds and then assumes the role of Active Controller A single Active Controller device functions as a standalone unit even it is still stacking enabled You do not have to issue a stack unconfigure me command for an Active Controller Renumbering stack units You can use secure setup to renumber stack units in a previously constructed stack In the following example three units make up a stack y...

Page 192: ...the units will reset and assume the new IDs If you swap IDs for two units that are not identical The Active Controller removes the configurations and resets both units When both units boot with new IDs the Active Controller learns their module types and creates new unit configurations for both However all interface configuration information related to units 2 and 3 is gone When you renumber identi...

Page 193: ... devices if an engine ID is not manually created or a stack MAC address is not specified and saved the stack will lose its engine ID if the Active Controller fails and the Standby Controller takes over because the Standby Controller creates a new engine ID at bootup To prevent this from happening you will need to either create a new engine ID or create a new stack MAC address to ensure that the en...

Page 194: ...nk State Dupl Speed Trunk Tag P MAC Name 1 2 1 Up Forward Full 10G None No 1 0012 f2eb a902 1 2 2 Up Forward Full 10G None No 1 0012 f2eb a904 3 Confirm that all of the devices are running the same software image 4 Use the show log command to display any IPC version mismatch messages These messages appear in one minute when receiving mismatched probe packets and then once every 10 minutes 5 Type s...

Page 195: ...artup config old files which are preserved for recovery purposes refer to Unconfiguring an IronStack on page 130 for more information If you do not need these files you can delete them using the flash delete command Enter the show dir command to see all flash files 8 Check to be sure you do not have any stacking to non stacking connections If you see the following message Warning Proc packet in 2m...

Page 196: ...ontroller Stack Unit 2 00c0 1020 0100 image mismatch Configuration mismatch The module configuration for a stack unit does not match the reserved configuration on the Active Controller Stack Unit 2 00e0 1020 0100 config mismatch Memory allocation mismatch The Active Controller does not have enough memory to accommodate the stack unit Stack Malloc failure for unit 2 00e0 1020 0100 These mismatches ...

Page 197: ...put stack unit 2 to non operational reason image mismatch The show stack command displays output similar to the following PowerConnect show stack alone standalone D dynamic config S static config ID Type Role Mac Address Pri State Comment 1 S FCX624 active 0012 f2eb a900 128 local Ready 2 S FCX648 standby 00f0 424f 4243 0 remote NON OP image mismatch 3 S FCX624 member 00e0 5201 0100 0 remote Ready...

Page 198: ...roller does not have enough memory to run a stack unit This failure may occur if you configure large numbers for example 4 K of VLANs or STP instances for example 255 in the router image This message means that the Active Controller is low on memory after allocating these resources and does not have enough remaining memory to control a stack member You can correct this by reducing the number of VL...

Page 199: ...nfiguration from the Standby Controller or from other stack members Follow the steps given below to recover from an image mismatch 1 Use the copy flash flash command to replace a mis matched image with the correct image Refer to Copying the flash image to a stack unit from the Active Controller on page 126 2 Reset the unit After the reset the unit will contain the new image and the mis match condi...

Page 200: ... exceed the maximum of 8 Make sure that the replacement unit is a clean unit does not contain a startup config txt file Make sure that the replacement unit running configuration does not contain stack enable Make sure the replacement unit running configuration does not contain stack disable Make sure that the configurations of the stack ports on the Active Controller match the physical connections...

Page 201: ...ult in a different winner based on the priority in the unsaved configuration The new winner assumes its role after the next reboot If you change the stacking port configuration and do not save your changes you may encounter connectivity errors To recover from a configuration error run Secure Startup to define the correct stacking port NOTE You should always do a write memory after making stacking ...

Page 202: ... Active Controller may reset the rest of the stack members if necessary However if the Active Controller itself must be reset because of a role or ID change you must issue the reset command If the Active Controller fails the Standby Controller waits 30 seconds and then takes over as Active Controller resetting itself and all other stack members If the old Active Controller becomes operational it m...

Page 203: ...owest boot stack ID The unit that has the lowest boot stack ID 1 8 1 is the lowest MAC address The member with the lowest MAC address Active Controller and Standby Controller resets If the Active Controller is reset or removed from the stack the entire stack reloads and Active Controller and Standby Controller elections are initiated If the unit functioning as the previous Active Controller is no ...

Page 204: ...rd traffic seamlessly as if no failure or topology change has occurred In software releases that do not support hitless stacking events such as these could cause most of the units in a stack to reset resulting in an impact to data traffic The following hitless stacking features are supported Hitless stacking switchover A manually controlled CLI driven or automatic switchover of the Active and Stan...

Page 205: ...comes back up it reboots If it has fewer number of members than the Active Controller it loses the election regardless of its priority If it has a higher priority it becomes the Standby Controller after the reboot and is synchronized with the Active Controller Next a switchover occurs and it becomes the new Active Controller Supported protocols and services Table 37 lists the services and protocol...

Page 206: ...es operational new switched flows are learned and forwarded accordingly The Layer 2 control protocol states are not interrupted during the switchover process Layer 3 IPv4 routed traffic unicast BGP4 IPv4 unicast forwarding OSPF v2 OSPF v2 with ECMP Static routes VRRP VRRP E Layer 3 routed traffic for supported protocols is not impacted during a hitless stacking event All existing Layer 3 IPv4 mult...

Page 207: ...lies to ports with 802 1X only or multi device port authentication only For MAC port security secure MACs are synchronized between the Active and Standby Controllers so they are hitless However denied MACs are lost during a switchover or failover but may be relearned if traffic is present Configured ACLs will operate in a hitless manner meaning the system will continue to permit and deny traffic d...

Page 208: ...r will be placed in a non operational state The Standby Controller cannot have a superior license compared to the Active Controller For example if unit 2 has a license to run BGP whereas the Active Controller does not unit 2 has a superior license and will be allowed to join the stack but will not be elected as the Standby Controller If software based licensing is installed on the Active Controlle...

Page 209: ...pting data traffic After baseline synchronization any new events that occur on the Active Controller will be dynamically synchronized on the Standby Controller Examples of such events include CLI HTTP SNMP configurations CPU receive packets Link events Interrupts Layer 2 and Layer 3 forwarding table updates Dynamic user authentication updates such as 802 1X or multi device port authentication Dyna...

Page 210: ...t configuration transmission was lost After a failover the new Active Controller old standby programs all other units in hardware based on its runtime configuration Standby Controller election Candidates for Standby Controller must meet the following criteria The unit is operational and the image and module configuration match that of the Active Controller The runtime configuration matches that of...

Page 211: ...ndby Controller is reloaded As illustrated below the show stack command output will indicate whether there is a runtime configuration mismatch Support during stack formation stack merge and stack split This section illustrates hitless stacking support during stack formation stack merge and stack split PowerConnect sh stack alone standalone D dynamic config S static config ID Type Role Mac Address ...

Page 212: ...llowed No traffic loss is expected Switchover Failover The boot up Standby waits for 40 seconds then reboots all units including itself Not allowed Switchover Failover All units including Standby are rebooted Not allowed Switchover Failover Member 2 and 3 become orphans Not allowed Switchover Failover The stack is fully operational and ready for rapid failover and switchover After the stack boots ...

Page 213: ...pri 50 Member 3 pri 0 Member 4 pri 0 Active 1 pri 100 Standby 2 pri 50 Member 3 pri 0 Member 4 pri 0 Active 2 pri 50 Standby 3 pri 10 Member 4 pri 0 Member 5 pri 0 Active 1 pri 100 Active 1 pri 100 Standby 2 pri 20 Member 3 pri 10 Member 4 pri 0 1 Stack 1 Stack 2 Stack 1 Stack 1 MAC A Stack 2 MAC B Stack 2 1 When hitless failover is enabled the stack with more units will win Stack 2 will reload an...

Page 214: ...ort in a stack split 1 1 The stack splits into one operational stack and two orphan units 1 The stack splits into two operational stacks Active 1 pri 30 Standby 2 pri 20 Member 3 pri 10 Member 4 pri 0 Active 1 pri 30 Member 2 pri 10 Standby 3 pri 20 Member 4 pri 0 Active 1 pri 30 Standby 2 pri 10 Active 3 pri 20 Standby 2 pri 0 Active 1 pri 30 Standby 2 pri 20 Member 3 pri 10 Member 4 pri 0 stack ...

Page 215: ...er is allowed If a priority change occurred while hitless stacking was disabled and the configured priority value requires a switchover the system will start a 60 second timer before performing a switchover After the switchover the highest priority standby will become the Active Controller If there is no Active Controller after a reload the bootup standby will assume the active role in approximate...

Page 216: ...The Comment column displays the role that will take effect after a reload or when hitless stacking is enabled PowerConnect show stack alone standalone D dynamic config S static config ID Type Role Mac Address Pri State Comment 2 S FCX648S member 0000 0000 0000 0 reserve 3 S FCX624 member 0024 3876 2640 0 remote Ready 5 S FCX624 standby 00e0 5200 0400 100 remote Ready 8 S FCX648 active 0024 3877 79...

Page 217: ...scription this feature s impact to major system functions refer to Table 37 on page 164 For an example of hitless failover operation refer to Hitless stacking failover example on page 176 For feature limitations and configuration notes refer to Configuration notes and feature limitations on page 165 Enabling hitless failover To enable hitless failover enter the following command at the Global CONF...

Page 218: ...the CLI command priority depending on the configured priority value By default hitless switchover is not allowed The default behavior is described in Hitless stacking default behavior on page 173 Hitless switchover can be used by a system administrator for example to perform maintenance on a controller that has been functioning as the Active Controller For a description of the events that occur du...

Page 219: ...stacking is enabled The stack has a Standby Controller The Standby Controller has learned the protocols The Standby Controller has the same priority as the Active Controller More than 120 seconds have passed since the previous switchover or failover You can use the show stack command to view whether or not these properties are in effect For more information see Displaying information about hitless...

Page 220: ...Figure 19 illustrates a hitless stacking switchover triggered by the stack switch over command FIGURE 19 Manual switchover 1 1 Standby 1 Active 2 Member 3 Active 1 Standby 2 Member 3 No waiting period The Active and Standby priorities must match or the command is rejected The Active and Standby controllers switch roles immediately no waiting period No traffic loss is expected Device stack manual s...

Page 221: ...ority 200 reloads because it loses the election After the reload It joins the stack as a member The Active controller assigns Unit 1 priority 200 as the Standby controller Stages 1 and 2 are complete A switchover occurs Unit 1 becomes the Active controller 30 sec 70 sec Active controller comes back in a stack with user assigned priorities Active 1 pri 200 Standby 2 pri 100 Member 3 pri 0 Member 4 ...

Page 222: ...0 assigned to Unit 2 Standby The priority change triggers re election of the Active controller The Standby controller is re assigned and a switchover occurs Stages 1 and 2 are bypassed Standby 1 pri 100 Active 2 pri 200 Member 3 pri 0 Member 4 pri 0 Active 1 pri 100 Standby 2 pri 200 Member 3 pri 0 Member 4 pri 0 Active 1 pri 100 Standby 2 pri 200 Member 3 pri 0 Member 4 pri 0 Active 1 pri 100 Sta...

Page 223: ...Unit 3 A switchover occurs Stages 1 and 2 are complete The Standby controller is re assigned The priority change triggers re election of the Active controller 1 FCX stack formation Device stack priority change Scenario 2 Active 1 pri 100 Standby 2 pri 0 Member 3 pri 0 Member 4 pri 0 Active 1 pri 100 Standby 2 pri 0 Member 3 pri 200 Member 4 pri 0 Active 1 pri 100 Standby 2 pri 0 Member 3 pri 200 M...

Page 224: ...atch Switchover Failover Standby 1 becomes the Active controller without a reload Not allowed because priorities do not match Switchover Failover Standby 3 becomes the Active controller without a reload Priority 150 assigned to Unit 3 Member 3 Priority 200 assigned to Unit 4 Member 4 1 Active 1 pri 100 Standby 2 pri 0 Member 3 pri 0 Member 4 pri 0 1 Active 1 pri 100 Standby 2 pri 0 Member 3 pri 15...

Page 225: ...vents Switchover Failover Standby Controller assignment Table 38 lists the supported Syslog messages TABLE 38 Syslog messages Message level Message Explanation Informational Stack Stack unit unit_number has been assigned as STANDBY unit of the stack system Indicates that the unit has been assigned as the Standby Controller Informational Stack Stack is operational due to SWITCH OVER Indicates that ...

Page 226: ... Stack unit 5 Fan speed changed automatically to 2 0d00h05m00s I System Interface ethernet mgmt1 state down 0d00h05m00s I Security Telnet server enabled by from session PowerConnect show log Syslog logging enabled 0 messages dropped 0 flushes 0 overruns Buffer logging level ACDMEINW 12 messages logged level code A alert C critical D debugging M emergency E error I informational N notification W wa...

Page 227: ...g sending trunk mapping start running config sync sync_cdb send cdb sess 0 pBuf 2132f068 sync_cdb send cdb sess 0 pBuf 2132f57c stk_sync_cdb finished cdb sync PowerConnect debug stacking sync_rel_msg 8 Hitless sync TRUNK INFO size 1282 Trunk ID 10 1 based Hw Trunk ID 1 g_sw_sys trunk_config trunk_entry 9 number_of_ports 2 creator 0 g_sw_sys trunk_config trunk_entry 9 MEMBER PORTS port_list 0 009 p...

Page 228: ...186 PowerConnect B Series FCX Configuration Guide 53 1002266 01 PowerConnect B Series FCX hitless stacking 5 ...

Page 229: ...PowerConnect B Series FCX Configuration Guide 187 53 1002266 01 PowerConnect B Series FCX hitless stacking 5 ...

Page 230: ...188 PowerConnect B Series FCX Configuration Guide 53 1002266 01 PowerConnect B Series FCX hitless stacking 5 ...

Page 231: ... not supported on fiber ports The port to which the cable is connected must be enabled when you issue the command to diagnose the cable If the port is disabled the command is rejected If the port is operating at 100 Mbps half duplex the TDR test on one pair will fail If the remote pair is set to forced 100 Mbps any change in MDI MDIX may cause the device to interpret the Multilevel Threshold 3 MLT...

Page 232: ... 50M Pair A Terminated Pair C 50M Pair D Terminated Pair D 50M Pair C Terminated In the above output Local pair indicates the assignment of wire pairs from left to right where Pair A is the left most pair Table 40 shows the Local pair mapping to the T568A pin pair and color assignment from the TIA EIA 568 B standard Figure 24 illustrates the T568A pin pair assignment FIGURE 24 T568A pin pair assig...

Page 233: ...te link name Pair status The status of the link This field displays one of the following Terminated The link is up Shorted A short is detected in the cable Open An opening is detected in the cable ImpedMis The impedance is mismatched Failed The TDR test failed TABLE 42 Supported fiber optic transceivers Label Manufacturing part number Type Dell part number Supports Digital Optical Monitoring E1MG ...

Page 234: ...and PowerConnect config optical monitor To enable optical monitoring on a specific port use the following command PowerConnect config interface ethernet 1 1 PowerConnect config if e10000 1 1 optical monitor To enable optical monitoring on a range of ports use the following command PowerConnect config interface ethernet 1 1 to 1 2 PowerConnect config mif e10000 1 1 1 2 optical monitor Syntax no opt...

Page 235: ...ut the media devices installed per device per slot and per port The results displayed from these commands provide the Type Vendor Part number Version and Serial number of the SFP or XFP optical device installed in the port 1G M C indicates 1b Gbps copper media If no SFP or XFP device is installed in a port the Type field will display EMPTY Use the show media command to obtain information about the...

Page 236: ...Type 100M M FX LR SFP Vendor Brocade Communications Inc Version A Part FTLF1323P1BTL FD Serial UD3085J Port 1 10 Type EMPTY Port 1 11 Type 100M M FX SR SFP Vendor Brocade Communications Inc Version A Part FTLF1217P2BTL F1 Serial UCQ003J Port 1 12 Type EMPTY Port 1 13 Type 100M M FX IR SFP Vendor Brocade Communications Inc Version A Part FTLF1323P1BTR F1 Serial PCA2XC5 Use the show media ethernet c...

Page 237: ...tus values TABLE 43 Output from the show optic command This field Displays Port The Dell port number Temperature The operating temperature in degrees Celsius of the optical transceiver The alarm status as described in Table 44 Tx Power The transmit power signal in decibels dB of the measured power referenced to one milliwatt mW The alarm status as described in Table 44 Rx Power The receive power s...

Page 238: ...red Syslog messages The system generates Syslog messages for optical transceivers in the following circumstances The temperature supply voltage TX Bias TX power or TX power value goes above or below the high or low warning or alarm threshold set by the manufacturer The optical transceiver does not support digital optical monitoring The optical transceiver is not qualified and therefore not support...

Page 239: ...d in Table 45 are documented in other chapters of this guide IPv6 copy Using the IPv6 copy command on page 69 IPv6 ncopy Using the IPv6 ncopy command on page 71 RADIUS RADIUS over IPv6 on page 1191 TFTP Loading and saving configuration files with IPv6 on page 69 TABLE 45 Supported IPv6 management features Feature PowerConnect B Series FCX Link Local IPv6 address Yes IPv6 copy1 Yes IPv6 ncopy1 Yes ...

Page 240: ...dressing IPv4 is limited because of the 32 bit addressing format which cannot satisfy potential increases in the number of users geographical needs and emerging applications To address this limitation IPv6 introduces a new 128 bit addressing format An IPv6 address is composed of 8 fields of 16 bit hexadecimal values separated by colons Figure 25 shows the IPv6 address format FIGURE 25 IPv6 address...

Page 241: ...at the Global CONFIG level of the CLI PowerConnect config no ipv6 enable Syntax no ipv6 enable To re enable IPv6 after it has been disabled enter the ipv6 enable command IPv6 management features This section describes the CLI management commands that are available to Dell PowerConnect devices that support IPv6 IPv6 management ACLs When you enter the ipv6 access list command the Dell PowerConnect d...

Page 242: ... or https ipv6 address in the browser address field NOTE You must enclose the IPv6 address with square brackets in order for the Web browser to work Restricting web access You can restrict Web management access to include only management functions on a Dell PowerConnect device that is acting as an IPv6 host or restrict access so that the PowerConnect host can be reached by a specified IPv6 device ...

Page 243: ... udp port num optional parameter specifies the UDP application port used for the Syslog facility Name to IPv6 address resolution using IPv6 DNS server The Domain Name Server DNS resolver feature lets you use a host name to perform Telnet ping and traceroute commands You can also define a DNS domain on a Dell PowerConnect device and thereby recognize all hosts within that domain After you define a ...

Page 244: ...e enter the following command PowerConnect ping ipv6 2001 3424 847f a385 34dd 45 Syntax ping ipv6 ipv6 address outgoing interface port ve number source ipv6 address count number timeout milliseconds ttl number size bytes quiet numeric no fragment verify data 1 to 4 byte hex brief The ipv6 address parameter specifies the address of the router You must specify this address in hexadecimal using 16 bi...

Page 245: ...d range Instead if you do exceed the range for a numeric value the software rounds the value to the nearest valid value The brief keyword causes ping test characters to be displayed The following ping test characters are supported Indicates that a reply was received Indicates that the network server timed out while waiting for a reply U Indicates that a destination unreachable error PDU was receiv...

Page 246: ...lnet sessions are supported on the router at one time Write access through Telnet is limited to one session and only one outgoing Telnet session is supported on the router at one time To see the number of open Telnet sessions at any time enter the show telnet command Example To establish a Telnet connection to a remote host with the IPv6 address of 3001 2837 3de2 c37 6 enter the following command ...

Page 247: ...werConnect device displays up to three responses For example to trace the path from the Dell PowerConnect device to a host with an IPv6 address of 3301 23dd 349e a384 34 enter the following command PowerConnect traceroute ipv6 3301 23dd 349e a384 34 Syntax traceroute ipv6 ipv6 address The ipv6 address parameter specifies the address of a host You must specify this address in hexadecimal using 16 b...

Page 248: ...206 PowerConnect B Series FCX Configuration Guide 53 1002266 01 IPv6 management commands 7 ...

Page 249: ...or disable STP on a global basis for the entire device a port based VLAN basis for the individual Layer 2 broadcast domain or an individual port basis Configuration procedures are provided for the standard STP bridge and port parameters as well as Dell features listed in Table 52 TABLE 46 Supported STP features Feature PowerConnect B Series FCX 802 1s Multiple Spanning Tree Yes 802 1W Rapid Spanni...

Page 250: ...ridge parameters affect the entire spanning tree If you are using MSTP the parameters affect the VLAN If you are using SSTP the parameters affect all VLANs that are members of the single spanning tree TABLE 47 Default STP states Device type Default STP type Default STP state Default STP state of new VLANs1 1 When you create a port based VLAN the new VLAN STP state is the same as the default STP st...

Page 251: ...al port Affects only the individual port However if you change the STP state of the primary port in a trunk group the change affects all ports in the trunk group Hello Time The interval of time between each configuration BPDU sent by the root bridge 2 seconds Possible values 1 10 seconds Priority A parameter used to identify the root bridge in a spanning tree instance of STP The bridge with the lo...

Page 252: ...tree This command enables a separate spanning tree in each VLAN including the default VLAN Syntax no spanning tree Enabling or disabling STP in a port based VLAN Use the following procedure to disable or enable STP on a device on which you have configured a port based VLAN Changing the STP state in a VLAN affects only that VLAN To enable STP for all ports in a port based VLAN enter commands such a...

Page 253: ...an 1 spanning tree priority 0 Syntax no spanning tree forward delay value hello time value maximum age value priority value The forward delay value parameter specifies the forward delay and can be a value from 4 30 seconds The default is 15 seconds NOTE You can configure a Dell PowerConnect device for faster convergence including a shorter forward delay using Fast Span or Fast Uplink Span Refer to...

Page 254: ...lease and the configuration contains a value from 0 7 for a port STP priority the software changes the priority to the default when you save the configuration while running the new release The disable enable parameter disables or re enables STP on the port The STP state change affects only this VLAN The port STP state in other VLANs is not changed STP protection enhancement STP protection provides...

Page 255: ...ice that have STP Protection enabled enter the following command at the Global CONFIG level of the CLI PowerConnect config clear stp protect statistics To clear the BPDU drop counter for a specific port that has STP Protection enabled enter the following command at the Global CONFIG level of the CLI PowerConnect clear stp protect statistics e 2 Syntax clear stp protect statistics ethernet port eth...

Page 256: ...ng formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum Displaying STP information You can display the following STP information All the global and interface STP settings CPU utilization statistics Detailed STP information for each interface STP state information for a port based VLAN STP state information for an individual interface PowerConnect show stp protect e 3 STP...

Page 257: ... you have port based VLANs 1 10 and 2024 then the command output has three STP entries To display information for VLANs 10 and 2024 only enter show span 1 The detail parameter and its additional optional parameters display detailed information for individual ports Refer to Displaying detailed STP information for each interface on page 219 The show span command shows the following information Power...

Page 258: ...arameters on page 211 Max age sec The number of seconds this device or VLAN waits for a configuration BPDU from the root bridge before deciding the root has become unavailable and performing a reconvergence Hello sec The interval between each configuration BPDU sent by the root bridge Hold sec The minimum number of seconds that must elapse between transmissions of consecutive Configuration BPDUs o...

Page 259: ... No user frames are transmitted or received during this state LEARNING The port has passed through the LISTENING state and will change to the FORWARDING state depending on the results of STP reconvergence The port does not transmit or receive user frames during this state However the device can learn the MAC addresses of frames that the port receives during this state and make corresponding entrie...

Page 260: ...he command lists the usage statistics for the previous one second one minute five minute and fifteen minute intervals Displaying the STP state of a port based VLAN When you display information for a port based VLAN that information includes the STP state of the VLAN To display information for a port based VLAN enter a command such as the following at any level of the CLI The STP state is shown in ...

Page 261: ...tput of the show span CLI command PowerConnect show vlans Total PORT VLAN entries 2 Maximum PORT VLAN entries 16 legend S Slot PORT VLAN 1 Name DEFAULT VLAN Priority level0 Spanning tree On Untagged Ports S3 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Untagged Ports S3 17 18 19 20 21 22 23 24 Untagged Ports S4 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Untagged Ports S4 18 19 20 21 22 23 24 Tagged Ports N...

Page 262: ... information for the VLAN even if it is a member VLAN To list all the member VLANs within a VLAN group enter the show vlan group group id command The show span detail command shows the following information TABLE 51 CLI display of detailed STP information for ports This field Displays Active Spanning Tree protocol The VLAN that contains the listed ports and the active Spanning Tree protocol The ST...

Page 263: ...G state depending on the results of STP reconvergence The port does not transmit or receive user frames during this state However the device can learn the MAC addresses of frames that the port receives during this state and make corresponding entries in the MAC table NOTE If the state is DISABLED no further STP information is displayed for the port Port Path cost The STP path cost for the port Por...

Page 264: ...tnum You also can display the STP states of all ports by entering a command such as the following which uses the brief parameter PowerConnect show span detail vlan 1 ethernet 7 1 Port 7 1 is FORWARDING Port Path cost 19 Priority 128 Root 0x800000e052a9bb00 Designated Bridge 0x800000e052a9bb00 Interface 7 Path cost 0 Active Timers None BPDUs Sent 29 Received 0 PowerConnect show interface ethernet 3...

Page 265: ...present the potential to cause Layer 2 forwarding loops Because the end stations cannot cause forwarding loops they can safely go through the STP state changes blocking to listening to learning to forwarding more quickly than is allowed by the standard STP convergence time Fast Port Span performs the convergence on these ports in four seconds two seconds for listening and two seconds for learning ...

Page 266: ...ther networking devices the device automatically uses the normal STP settings If a port matches any of the following criteria the port is ineligible for Fast Port Span and uses normal STP instead The port is 802 1Q tagged The port is a member of a trunk group The port has learned more than one active MAC address An STP Configuration BPDU has been received on the port thus indicating the presence o...

Page 267: ...Span on all eligible ports To make sure Fast Port Span remains enabled on the ports following a system reset save the configuration changes to the startup config file after you re enable Fast Port Span Otherwise when the system resets those ports will again be excluded from Fast Port Span Fast Uplink Span The Fast Port Span feature described in the previous section enhances STP performance for end...

Page 268: ...d by 30 seconds The delay allows the remote port to transition to forwarding mode using the standard STP rules After 30 seconds the blocked active uplink port begins forwarding in four seconds and the redundant port is blocked NOTE Use caution when changing the spanning tree priority If the switch becomes the root bridge Fast Uplink Span will be disabled automatically Fast Uplink Span Rules for Tr...

Page 269: ...so all the ports you identify as Fast Uplink Span ports are members of the same group To remove a Fast Uplink Span group or to remove individual ports from a group use no in front of the appropriate fast uplink span command For example to remove ports 4 3 and 4 4 from the Fast Uplink Span group configured above enter the following commands PowerConnect config no fast uplink span ethernet 4 3 to 4 ...

Page 270: ...e referred to as non root bridges Unique roles are assigned to ports on the root and non root bridges Role assignments are based on the following information contained in the Rapid Spanning Tree Bridge Packet Data Unit RST BPDU Root bridge ID Path cost value Transmitting bridge ID Designated port ID The 802 1W algorithm uses this information to determine if the RST BPDU received by a port is super...

Page 271: ...kup port while the other port becomes the Designated port If a non root bridge already has a Root port then the port that receives an RST BPDU that is superior to those it can transmit becomes the Alternate port If the RST BPDU that a port receives is inferior to the RST BPDUs it transmits then the port becomes a Designated port If the port is down or if 802 1W is disabled on the port that port is...

Page 272: ...ts to the Designated port on the root bridge therefore it assumes the Root port role The root path cost of the RST BPDUs received on Port4 Switch 3 is inferior to the RST BPDUs transmitted by the port therefore Port4 Switch 3 becomes the Designated port Similarly Switch 3 has a bridge priority value inferior to Switch 2 Port3 on Switch 3 connects to Port 3 on Switch 2 This port will be given the A...

Page 273: ...igured Edge port 802 1W automatically makes the port as a non edge port This is extremely important to ensure a loop free Layer 2 operation since a non edge port is part of the active RSTP topology The 802 1W protocol can auto detect an Edge port and a non edge port An administrator can also configure a port to be an Edge port using the CLI It is recommended that Edge ports are configured explicit...

Page 274: ...he device can learn the MAC addresses of frames that the port receives during this state and make corresponding entries in the MAC table Disabled The port is not participating in 802 1W This can occur when the port is disconnected or 802 1W is administratively disabled on the port A port on a non root bridge with the role of Root port is always in a forwarding state If another port on that bridge ...

Page 275: ...ng state machines Port Information This state machine keeps track of spanning tree information currently used by the port It records the origin of the information and ages out any information that was derived from an incoming BPDU Port Role Transition This state machine keeps track of the current port role and transitions the port to the appropriate role when required It moves the Root port and th...

Page 276: ...carding states Alternate ports are quickly placed into discarding states A port operating in 802 1W mode may enter a learning state to allow MAC entries to be added to the filtering database however this state is transient and lasts only a few milliseconds if the port is operating in 802 1W mode and if the port meets the conditions for rapid transition Handshake mechanisms To rapidly transition a ...

Page 277: ... port is elected it sets a sync signal on all the ports on the bridge The signal tells the ports to synchronize their roles and states Figure 30 Ports that are non edge ports with a role of Designated port change into a discarding state These ports have to negotiate with their peer ports to establish their new roles and states Switch 100 Root Bridge Switch 200 Switch 300 Switch 400 Port2 Designate...

Page 278: ...nal Immediately Alternate ports and Backup ports are synced The Root port monitors the synced signals from all the bridge ports Once all bridge ports asserts a synced signal the Root port asserts its own synced signal Figure 31 BigIron Switch 100 Root Bridge Port1 Designated port Port1 Root port Sync Switch 200 Switch 300 Switch 400 Port2 Sync Discarding Port3 Sync Discarding Port2 Port3 Indicates...

Page 279: ...aining an agreed flag to its peer Designated port and moves into the forwarding state When the peer Designated port receives the RST BPDU it rapidly transitions into a forwarding state BigIron Switch 100 Root Bridge Switch 200 Switch 300 Switch 400 Port1 Designated port Port1 Root port Synced Port2 Port3 Indicates a signal Port2 Synced Discarding Port3 Synced Discarding ...

Page 280: ...h 300 asserts a proposed signal Ports in Switch 300 then set sync signals on the ports to synchronize and negotiate their roles and states Then the ports assert a synced signal and when the Root port in Switch 300 asserts its synced signal it sends an RST BPDU to Switch 200 with an agreed flag This handshake is repeated between Switch 200 and Switch 400 until all Designated and Root ports are in f...

Page 281: ... uses the Proposing Proposed Sync and Reroot Sync and Rerooted Rerooted and Synced Agreed handshake Proposing and Proposed The Designated port on the new root bridge Port4 Switch 60 sends an RST BPDU that contains a proposing signal to Port4 Switch 200 to inform the port that it is ready to put itself in a forwarding state Figure 34 802 1W algorithm determines that the RST BPDU that Port4 Switch 2...

Page 282: ...nd they are to renegotiate their new roles and states The other ports on the bridge assert their sync and reroot signals Information about the old Root port is discarded from all ports Designated ports change into discarding states Figure 35 Switch 100 Port2 Designated port Switch 60 Port1 Port2 Root port Handshake Completed Port4 Designated port Proposing Proposing Port1 Root port Forwarding RST ...

Page 283: ...their sync signals as they continue in their discarding states They also continue to negotiate their roles and states with their peer ports Figure 36 BigIron Switch 100 Port2 Root port Port2 Designated port Port1 Switch 60 Port4 Designated port Proposing Proposing Port1 Root port Sync Reroot Forwarding Port4 Root port Sync Reroot Discarding Port3 Sync Reroot Discarding Port2 Sync Reroot Discarding...

Page 284: ...PDU to Port4 Switch 60 that contains an agreed flag Figure 36 The Root port also moves into a forwarding state BigIron Switch 100 Port2 Designated port Switch 60 Port4 Designated port Port2 Root port Port1 Port1 Designated port Sync Rerooted Discarding Port4 Root port Sync Rerooted Discarding Port3 Sync Rerooted Discarding Port2 Sync Rerooted Discarding Switch 200 Proposing Port2 Port3 Switch 300 ...

Page 285: ...e Designated port on Switch 60 goes into a forwarding state once it receives the RST BPDU with the agreed flag BigIron Switch 100 Port2 Designated port Switch 60 Port4 Designated port Forwarding Port 2 Root port Port1 Proposing Port1 Rerooted Synced Discarding Port4 Root port Rerooted Synced Forwarding Port3 Rerooted Synced Discarding Port2 Rerooted Synced Discarding Port2 Port3 Switch 300 Indicat...

Page 286: ...e remaining bridges Switch 300 and Switch 400 may have to go through the reroot handshake if a new Root port needs to be assigned Convergence in a simple topology The examples in this section illustrate how 802 1W convergence occurs in a simple Layer 2 topology at start up NOTE The remaining examples assume that the appropriate handshake mechanisms occur as port roles and states change Convergence...

Page 287: ...with a role of Designated port receives the RST BPDU and finds that it is superior to what it can transmit therefore Port3 Switch 3 assumes a new port role that of a Root port Port3 Switch 3 transmits an RST BPDU with an agreed flag back to Switch 2 and immediately goes into a forwarding state Port3 Switch 2 receives the RST BPDU from Port3 Switch 3 and immediately goes into a forwarding state Now...

Page 288: ... sends an RST BPDU with an agreed flag to Port4 Switch 1 Both ports go into forwarding states Port2 Switch 2 receives an RST BPDU The 802 1W algorithm determines that these RST BPDUs that are superior to any that any port on Switch 2 can transmit therefore Port2 Switch 2 assumes the role of a Root port The new Root port then signals all ports on the bridge to start synchronization Since none of th...

Page 289: ...up port role while Port3 is given the Designated port role Port3 Switch 1 does not go directly into a forwarding state It waits until the forward delay time expires twice on that port before it can proceed to the forwarding state Once convergence is achieved the active Layer 2 forwarding path converges as shown in Figure 41 FIGURE 41 Active Layer 2 path Convergence after a link failure What happen...

Page 290: ...ng with the new role information However the root bridge ID transmitted in the RST BPDU is still Switch 1 When Port3 Switch 2 receives the RST BPDU 802 1W algorithm determines that it is superior to the RST BPDU that it can transmit therefore Port3 Switch 2 receives a new role that of a Root port Port3 Switch 2 then sends an RST BPDU with an agreed flag to Port3 Switch 3 Port3 Switch 2 goes into a...

Page 291: ...h 2 also sends an RST BPDU with an agreed flag to Port2 Switch 1 and then places itself into a forwarding state When Port2 Switch 1 receives the RST BPDU with an agreed flag sent by Port2 Switch 2 it puts that port into a forwarding state The topology is now fully converged When Port3 Switch 3 receives the RST BPDU that Port3 Switch 2 sent 802 1W algorithm determines that these RST BPDUs are super...

Page 292: ...Root port 802 1W algorithm selects Port7 as the Designated port while Port8 becomes the Backup port Port3 Switch 5 sends an RST BPDU to Port3 Switch 6 with a proposal flag When Port3 Switch 5 receives the RST BPDU handshake mechanisms select Port3 as the Root port of Switch 6 All other ports are given a Designated port role with discarding states Port3 Switch 6 then sends an RST BPDU with an agree...

Page 293: ...ort retains its Designated port role and goes into forwarding state only after the forward delay timer expires twice on that port while it is still in a Designated role Port3 Switch 2 sends an RST BPDU to Port3 Switch 3 that contains a proposal flag Port3 Switch 3 becomes the Root port while all other ports on Switch 3 are given Designated port roles and go into discarding states Port3 Switch 3 se...

Page 294: ...cknowledge the topology change once they receive the RST BPDU and send the TCN to other bridges until all the bridges are informed of the topology change For example Port3 Switch 2 in Figure 45 fails Port4 Switch 3 becomes the new Root port Port4 Switch 3 sends an RST BPDU with a TCN to Port4 Switch 4 To propagate the topology change Port4 Switch 4 then starts a TCN timer on itself on the bridge R...

Page 295: ...h 2 sends the TCN to Port2 Switch 5 Port4 Switch 2 sends the TCN to Port4 Switch 6 Port2 Switch 2 sends the TCN to Port2 Switch 1 Bridge priority 1000 Bridge priority 200 Bridge priority 60 Bridge priority 900 Bridge priority 400 Bridge priority 300 Port2 Port2 Port2 Port2 Port3 Port3 Port3 Port3 Port3 Port3 Port4 Port4 Port4 Port4 Port5 Port 5 Port5 Port7 Port8 Indicates the active Layer 2 path I...

Page 296: ...e TCN to Switch 3 and Switch 4 to complete the TCN propagation Figure 47 Bridge priority 1000 Bridge priority 200 Bridge priority 60 Bridge priority 900 Bridge priority 400 Bridge priority 300 Port3 Port3 Port3 Port3 Port3 Port3 Port4 Port4 Port4 Port4 Port2 Port2 Port2 Port2 Port5 Port5 Port5 Indicates the active Layer 2 path Indicates direction of TCN Port 7 Port8 Switch 1 Switch 3 Switch 4 Swit...

Page 297: ...U automatically configures itself to behave like a legacy port It sends and receives legacy BPDUs only The entire bridge is configured to operate in an 802 1D mode when an administrator sets the bridge parameter to zero at the CLI forcing all ports on the bridge to send legacy BPDUs only Once a port operates in the 802 1D mode 802 1D convergence times are used and rapid convergence is not realized...

Page 298: ...y the administrator needs to configure the bridge path cost appropriately Path costs for either 802 1W bridges or 802 1D bridges need to be changed in most cases path costs for 802 1W bridges need to be changed Configuring 802 1W parameters on a Dell PowerConnect device The remaining 802 1W sections explain how to configure the 802 1W protocol in a Dell PowerConnect device NOTE With RSTP running e...

Page 299: ...f t vlan 120 tag e 1 to e 2 spanning tree 802 1w spanning tree 802 1w priority 1001 end To avoid this issue 802 1W commands settings that are pasted into the configuration should be in the following order 1 Ports that are not yet connected 2 802 1W RSTP settings 3 Ports that are already up Example conf t vlan 120 untag e 3 spanning tree 802 1w spanning tree 802 1w priority 1001 tag e 1 to 2 end In...

Page 300: ... config vlan 20 PowerConnect config vlan 20 spanning tree 802 1w priority 0 To make this change in the default VLAN enter the following commands PowerConnect config vlan 1 PowerConnect config vlan 1 spanning tree 802 1w priority 0 Syntax spanning tree 802 1w forward delay value hello time value max age time force version value priority value The forward delay value parameter specifies how long a p...

Page 301: ... in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum The path cost value parameter specifies the cost of the port path to the root bridge 802 1W prefers the path with the lowest cost You can specify a value from 1 20 000 000 Table 52 shows the recommended path cost values from the IEEE standards The priority value parameter specifies the preference that...

Page 302: ...ng command Syntax show 802 1w vlan vlan id The vlan vlan id parameter displays 802 1W information for the specified port based VLAN The show 802 1w command shows the information listed in Table 53 TABLE 53 CLI display of 802 1W summary This field Displays VLAN ID The port based VLAN that owns the STP instance VLAN 1 is the default VLAN If you have not configured port based VLANs on this device all...

Page 303: ...long with the hello and message age parameters to compute the effective age of an RST BPDU The message age parameter is generated by the Designated port and transmitted in the RST BPDU RST BPDUs transmitted by a Designated port of the root bridge contains a message value of zero Effective age is the amount of time the Root port Alternate port or Backup port retains the information it received from...

Page 304: ... a point to point link This is the default Edge port Indicates if the port is configured as an operational Edge port T The port is configured as an Edge port F The port is not configured as an Edge port This is the default Role The current role of the port Root Designated Alternate Backup Disabled Refer to Bridges and bridge port roles on page 228 for definitions of the roles State The port curren...

Page 305: ...rent role of the port Root Designated Alternate Backup Disabled Refer to Bridges and bridge port roles on page 228for definitions of the roles PowerConnect show 802 1w detail VLAN 1 MULTIPLE SPANNING TREE MSTP IEEE 802 1W ACTIVE BridgeId 800000e080541700 forceVersion 2 txHoldCount 3 Port 1 Role ROOT State FORWARDING PathCost 200000 Priority 128 AdminOperEdge F AdminPt2PtMac F DesignatedPriority Ro...

Page 306: ... for this bridge Bridge Shows the ID of the Designated bridge that is associated with this port ActiveTimers Shows what timers are currently active on this port and the number of seconds they have before they expire rrWhile Recent root timer A non zero value means that the port has recently been a Root port rcvdInfoWhile Received information timer Shows the time remaining before the information he...

Page 307: ...ast two paths to the root bridge Switch 1 in this example One of the paths is through the root port The other path is a backup and is through the alternate port While the root port is in the forwarding state the alternate port is in the blocking state Machine States The current states of the various state machines on the port PIM State of the Port Information state machine PRT State of the Port Ro...

Page 308: ...fails over to the alternate port as shown in Figure 50 Switch 1 Switch 2 Switch 4 Switch 3 Root Bridge Bridge priority 2 Bridge priority 4 Root port 2 2 Alternate 2 3 2 4 Bridge priority 8 Root port 4 4 Alternate 4 3 Bridge priority 6 Root port 3 3 Alternate 3 4 Port1 2 FWD Port1 4 FWD Port1 3 FWD Port3 3 FWD Port3 4 BLK Port4 4 FWD Port4 3 BLK Port2 3 FWD Port2 4 FWD Port2 2 FWD The arrow shows t...

Page 309: ...s long as the root port is in the forwarding state but moves immediately to the active state if the root port becomes unavailable Thus using 802 1W Draft 3 Switch 3 immediately fails over to port 3 4 without the delays caused by the listening and learning states 802 1W Draft 3 selects the port with the next best cost to the root bridge For example on Switch 3 port 3 3 has the best cost to the root...

Page 310: ...anning tree traffic reconvergence occurs in the time it takes for the bridge to detect the link changes plus the STP maximum age set on the bridge If standard STP reconvergence occurs instead traffic reconvergence takes two times the forward delay plus the maximum age NOTE 802 1W Draft 3 does not apply when a failed root port comes back up When this happens standard STP is used Configuration consi...

Page 311: ...the rstp parameter After you enable STP enter the spanning tree rstp command to enable 802 1W Draft 3 To disable 802 1W Draft 3 enter the following command PowerConnect config vlan 10 no spanning tree rstp Enabling 802 1W Draft 3 when single STP is enabled To enable 802 1W Draft 3 on a device that is running single STP enter the following command at the global CONFIG level of the CLI PowerConnect ...

Page 312: ...rt based VLANs you have configured Other broadcast traffic is still contained within the individual port based VLANs Therefore you can use SSTP while still using your existing VLAN configurations without changing your network In addition SSTP does not affect 802 1Q tagging Tagged and untagged ports alike can be members of the single spanning tree domain NOTE When SSTP is enabled the BPDUs on tagge...

Page 313: ...n for the device Per VLAN Spanning Tree PVST compatibility configuration Refer to PVST PVST compatibility on page 275 Specify the port variable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum The num parameter displays only the entries after the number you specify For example on a device with three port based VLANs if you enter 1 then information fo...

Page 314: ... a member VLAN and the member s master VLAN For example ports 1 1 1 4 are in member VLAN 3 and also in master VLAN 2 since master VLAN 2 contains member VLAN 3 STP load balancing Notice that the STP groups each have different STP priorities In configurations that use the STP groups on multiple devices you can use the STP priorities to load balance the STP traffic By setting the STP priorities for ...

Page 315: ...er vlan 2 PowerConnect config stp group 1 member vlan 3 to 4 PowerConnect config stp group 1 exit PowerConnect config stp group 2 PowerConnect config stp group 2 master vlan 12 PowerConnect config stp group 2 member vlan 13 to 14 Syntax no stp group num This command changes the CLI to the STP group configuration level The following commands are valid at this level The num parameter specifies the S...

Page 316: ...vices block or forward VLAN 1 traffic based on STP convergence All the ports on the root bridge for VLAN 2 forward VLAN 2 traffic and so on All the portss are tagged The ports must be tagged so that they can be in both a member VLAN and the member s master VLAN For example port 1 1 and ports 5 1 5 2 and 5 3 are in member VLAN 2 and master VLAN 1 since master VLAN a contains member VLAN 2 Here are ...

Page 317: ...up 2 vlan 202 to 400 PowerConnect config vlan group 2 tag ethernet 1 2 ethernet 5 1 to 5 3 PowerConnect config vlan group 2 vlan group 3 vlan 402 to 600 PowerConnect config vlan group 2 tag ethernet 1 3 ethernet 5 1 to 5 3 PowerConnect config vlan group 19 vlan group 20 vlan 3082 to 4000 PowerConnect config vlan group 20 tag ethernet 1 20 ethernet 5 1 to 5 3 PowerConnect config vlan group 20 exit ...

Page 318: ... port that was originally interoperating with PVST to revert to MSTP when connected to a Dell PowerConnect device Overview of PVST and PVST Per VLAN Spanning Tree PVST is a Cisco proprietary protocol that allows a Cisco device to have multiple spanning trees The Cisco device can interoperate with spanning trees on other PVST devices but cannot interoperate with IEEE 802 1Q devices An IEEE 802 1Q d...

Page 319: ...able to send and receive untagged frames for VLAN 1 and tagged frames for the other VLANs and interoperate with other vendor devices using VLAN 1 If you want to use tagged frames on VLAN 1 you can change the default VLAN ID to an ID other than 1 You also can specify the VLAN on which you want the port to send and receive untagged frames the Port Native VLAN The Port Native VLAN ID does not need to...

Page 320: ... support on a port enter commands such as the following PowerConnect config interface ethernet 1 1 PowerConnect config if 1 1 pvst mode Syntax no pvst mode NOTE If you disable PVST support the software still automatically enables PVST support if the port receives a BPDU with PVST format NOTE If 802 1W and pvst mode either by auto detection or by explicit configuration are enabled on a tagged VLAN ...

Page 321: ...VLAN 1 for untagged BPDU To implement this configuration enter the following commands TABLE 55 CLI display of PVST information This field Displays Port The Dell PowerConnect port number NOTE The command lists information only for the ports on which PVST support is enabled Method The method by which PVST support was enabled on the port The method can be one of the following Set by configuration You...

Page 322: ...Native VLAN also is 1 The dual mode feature supports untagged frames on the default VLAN only Thus port 1 1 can send and receive untagged BPDUs for VLAN 1 and can send and receive tagged BPDUs for the other VLANs Port 1 1 will process BPDUs as follows Process IEEE 802 1Q BPDUs for VLAN 1 Process tagged PVST BPDUs for VLANs 2 3 and 4 Drop untagged PVST BPDUs for VLAN 1 Untagged port using VLAN 2 as...

Page 323: ... config default vlan id 1000 PowerConnect config vlan 1 PowerConnect config vlan 1 tagged ethernet 1 1 to 1 2 PowerConnect config vlan 1 exit PowerConnect config interface ethernet 1 1 PowerConnect config if 1 1 pvst mode PowerConnect config if 1 1 exit PowerConnect config interface ethernet 1 2 PowerConnect config if 1 2 pvst mode PowerConnect config if 1 2 exit In the configuration above all PVS...

Page 324: ...y change In this case you can enable the STP BPDU guard feature on the Dell PowerConnect port to which the end station is connected STP BPDU guard shuts down the port and puts it into an errdisable state This disables the connected device s ability to initiate or participate in an STP topology A log message is then generated for a BPDU guard violation and a CLI message is displayed to warn the net...

Page 325: ...it Displaying the BPDU guard status To display the BPDU guard state enter the show running configuration or the show stp bpdu guard command For PowerConnect B Series FCXdevices enter the following commands PowerConnect show stp bpdu guard BPDU Guard Enabled on Ports Stk0 S1 2 3 4 5 9 10 11 12 13 14 15 16 Ports Stk0 S1 17 18 19 20 21 22 23 24 Syntax show stp bpdu guard Example configurations Exampl...

Page 326: ...an 1 RSTP Received BPDU on BPDU guard enabled Port 23 vlan 1 errdisable Port 23 Root guard The standard STP 802 1D RSTP 802 1W or 802 1S does not provide any way for a network administrator to securely enforce the topology of a switched layer 2 network The forwarding topology of a switched network is calculated based on the root bridge position along with other parameters This means any switch can...

Page 327: ...display the STP root guard state enter the show running configuration or the show spanning tree root protect command PowerConnect show spanning tree root protect Root Protection Enabled on Port 1 Syntax show spanning tree root protect Displaying the root guard by VLAN You can display root guard information for all VLANs or for a specific VLAN For example to display root guard violation information...

Page 328: ... enter a command such as the following PowerConnect config errdisable recovery cause bpduguard To enable error disable recovery for any reason enter a command such as the following PowerConnect config errdisable recovery cause all Syntax errdisable recovery cause bpduguard l all The cause is the reason why the port is in the errdisable state Valid values are bpduguard and all Use the bpduguard par...

Page 329: ...zation 300 second output rate 0 bits sec 0 packets sec 0 00 utilization 145 packets input 23561 bytes 0 no buffer Received 124 broadcasts 21 multicasts 0 unicasts 1 input errors 0 CRC 0 frame 0 ignored 0 runts 0 giants 5067 packets output 330420 bytes 0 underruns Transmitted 90 broadcasts 4977 multicasts 0 unicasts 0 output errors 0 collisions Displaying the recovery state for all conditions Use t...

Page 330: ...P is RSTP which provides quick convergence Multiple spanning tree regions Using MSTP the entire network runs a common instance of RSTP Within that common instance one or more VLANs can be individually configured into distinct regions The entire network runs the common spanning tree instance CST and the regions run a local instance The local instance is known as Internal Spanning Tree IST The CST t...

Page 331: ... MST region and the CST that interconnects the MST regions and single spanning trees Multiple Spanning Tree Instance MSTI The MSTI is identified by an MST identifier MSTid value between 1 and 4094 MSTP Region These are clusters of bridges that run multiple instances of the MSTP protocol Multiple bridges detect that they are in the same region by exchanging their configuration instance to VLAN mapp...

Page 332: ...rdless of whether the VLAN is inside the MSTP scope or not All topology groups are deleted Any GVRP configuration is deleted Any VSRP configuration is deleted Single span if configured is deleted MRP running on a VLAN inside MSTP scope is deleted The CIST is created and all VLANS inside the MSTP scope are attached with the CIST Make sure that no physical layer 2 loops exist prior to switching from...

Page 333: ...ins the associated VLAN to MSTI mapping instead of deleting it from the configuration This way a VLAN can be pre mapped to an MSTI and MSTP reconvergence may not be necessary when a VLAN is added to or deleted from the configuration As long as the VLAN being created or deleted is pre mapped to an MSTI and the VLAN to MSTI mapping has not changed MSTP reconvergence will not occur NOTE MSTP reconver...

Page 334: ...nfiguration ver 7 2 00aT7f1 vlan 1 name DEFAULT VLAN by port no spanning tree vlan 10 by port tagged ethe 1 to 2 no spanning tree vlan 20 by port VLAN 20 configuration tagged ethe 1 to 2 no spanning tree mstp scope all mstp instance 0 vlan 1 mstp instance 1 vlan 20 mstp start some lines ommitted for brevity PowerConnect config vlan 20 no vlan 20 VLAN 20 deleted PowerConnect config vlan 20 show run...

Page 335: ...itch that is being configured for MSTP You must then create an MSTP Instance and assign an ID VLANs are then assigned to MSTP instances These instances must be configured on all switches that interoperate with the same VLAN assignments Port cost priority and global parameters can then be configured for individual ports and instances In addition operational edge ports and point to point links can b...

Page 336: ...t you are configuring on the switch It can be a number from 0 and 65535 The default revision number is 0 Configuring an MSTP instance An MSTP instance is configured with an MSTP ID for each region Each region can contain one or more VLANs The Dell implementation of MSTP allows you to assign VLANS or ranges of VLANs to an MSTP instance before or after they have been defined If pre defined a VLAN wi...

Page 337: ...e MSTP global parameters MSTP has many of the options available in RSTP as well as some unique options To configure MSTP Global parameters for all instances on a switch PowerConnect config mstp force version 0 forward delay 10 hello time 4 max age 12 max hops 9 Syntax no mstp force version mode number forward delay value hello time value max age value max hops value The force version parameter for...

Page 338: ...e port receives a BPDU later it is automatically reset to become an operational non edge port This feature is set globally to apply to all ports on a router where it is configured This feature is configured as shown in the following PowerConnect config mstp edge port auto detect Syntax no mstp edge port auto detect NOTE If this feature is enabled it takes the port about 3 seconds longer to come to...

Page 339: ...tion check ethernet port The port variable specifies the port or ports from which you want to transmit an MSTP BPDU Specify the port variable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum Activating MSTP on a switch MSTP scope must be enabled on the switch as described in Configuring MSTP mode and scope on page 290 before MSTP can be enabled To en...

Page 340: ...onfig vlan 21 by port PowerConnect config vlan 21 tagged ethernet 2 9 to 2 14 ethernet 2 16 PowerConnect config vlan 21 exit PowerConnect config vlan 22 by port PowerConnect config vlan 22 tagged ethernet 2 9 to 2 14 ethernet 2 16 PowerConnect config vlan 22 exit PowerConnect config vlan 23 by port PowerConnect config mstp scope all PowerConnect config mstp name HR PowerConnect config mstp revisio...

Page 341: ...min pt2pt mac ethernet 3 10 PowerConnect config mstp disable ethernet 3 7 ethernet 3 24 PowerConnect config mstp start PowerConnect config hostname CORE2 LAN 4 configuration PowerConnect config trunk ethernet 3 5 to 3 6 ethernet 3 1 to 3 2 PowerConnect config vlan 1 name DEFAULT VLAN by port PowerConnect config vlan 1 exit PowerConnect config vlan 20 by port PowerConnect config vlan 20 tagged ethe...

Page 342: ...ured on the root bridge Root FwdDly sec FwdDly interval configured on the root bridge Root Hop Cnt Current hop count from the root bridge Root Bridge Bridge identifier of the root bridge PowerConnect show mstp MSTP Instance 0 CIST VLANs 1 Bridge Bridge Bridge Bridge Bridge Root Root Root Root Identifier MaxAge Hello FwdDly Hop MaxAge Hello FwdDly Hop hex sec sec sec cnt sec sec sec cnt 8000000cdb8...

Page 343: ...ort Num The port number of the interface Pri The configured priority of the port The default is 128 PortPath Cost Configured or auto detected path cost for port P2P Mac Indicates if the port is configured with a point to point link T The port is configured in a point to point link F The port is not configured in a point to point link Edge Indicates if the port is configured as an operational edge ...

Page 344: ...ot Identifier Hop Bridge Cost Bridge Port Hop hex cnt hex hex cnt 8001000cdb80af01 20 8001000cdb80af01 0 8001000cdb80af01 Root 20 Port Pri PortPath Role State Designa Designated Num Cost ted cost bridge 3 1 128 2000 MASTER FORWARDING 0 8001000cdb80af01 PowerConnect show mstp 0 MSTP Instance 0 CIST VLANs 1 Bridge Bridge Bridge Bridge Bridge Root Root Root Root Identifier MaxAge Hello FwdDly Hop Max...

Page 345: ...T VLANs 4093 Bridge 800000b000c00000 Priority 32768 SysId 0 Mac 00b000c00000 FwdDelay 15 HelloTime 2 MaxHops 20 TxHoldCount 6 Port 6 54 Role DESIGNATED State FORWARDING PathCost 20000 Priority 128 OperEdge T OperPt2PtMac F Boundary T Designated Root 800000b000c00000 RegionalRoot 800000b000c00000 Bridge 800000b000c00000 ExtCost 0 IntCost 0 ActiveTimers helloWhen 1 MachineState PRX DISCARD PTX IDLE ...

Page 346: ...304 PowerConnect B Series FCX Configuration Guide 53 1002266 01 802 1s Multiple Spanning Tree Protocol 8 ...

Page 347: ...IG level of the CLI NOTES Before assigning or modifying any router parameters you must assign the IP subnet interface addresses for each port TABLE 57 Supported basic Layer 2 features Feature PowerConnect B Series FCX 16 000 MAC addresses per switch Yes 32 000 MAC addresses per switch Yes MAC learning rate control Yes Multi port static MAC address Yes Static MAC entries with option to set traffic ...

Page 348: ...g with ports 25 48 For PowerConnect B FCX648 devices with four 10 Gbps SFP ports 10 Gbps SFP ports 3 and 4 belong to port region 0 along with ports 1 24 10 Gbps SFP ports 1 and 2 ports belong to port region 1 along with ports 25 48 Enabling or disabling the Spanning Tree Protocol STP STP IEEE 802 1D bridge protocol is supported on all Dell PowerConnect devices STP detects and eliminates logical lo...

Page 349: ...iance of 200 or 100 Changing the MAC age time and disabling MAC address learning To change the MAC address age timer enter a command such as the following PowerConnect config mac age time 60 Syntax no mac age time secs secs specifies the number of seconds Possible values differ depending on the version of software running on your device as follows On PowerConnect B Series FCX devices learned MAC a...

Page 350: ...t port in all VLANs to which that port is a member For example if tagged port 3 1 is a member of VLAN 10 20 and 30 and you issue the mac learn disable command on port 3 1 port 3 1 will not learn MAC addresses even if it is a member of VLAN 10 20 and 30 Displaying the MAC address table To display the MAC table enter the following command In the output of the show mac address command the Type column...

Page 351: ...s As a result a switch must be able to learn the same MAC address on several ports Multi port static MAC allows you to statically configure a MAC address on multiple ports using a single command Configuration notes This feature is applicable for Layer 2 traffic This feature can be used to configure unicast as well as IPv4 and IPv6 multicast MAC addresses on one or more ports However when a multica...

Page 352: ...ommand is available at the configuration level for each port based VLAN Configuring VLAN based static MAC entries You can configure a VLAN to drop packets that have a particular source or destination MAC address You can configure a maximum of 2048 static MAC address drop entries on a Dell PowerConnect device Use the CLI command show running config to view the static MAC address drop entries curren...

Page 353: ...witch There are multiple packet processors one per port region in a compact switch and in each module in a chassis based switch With regular MAC address learning MAC addresses are global meaning the hardware MAC table is identical across all packet processors With the introduction of flow based MAC address learning when a new source MAC address is learned it is programmed only in the source packet...

Page 354: ...essor it is also aged out from all other packet processors on which the address is programmed In the above example when MAC address X is aged out from PP 1 it is also aged out from PP2 NOTE Even when flow based MAC address learning is enabled some MAC addresses including but not limited to control MACs static MACs multicast MACs and MAC addresses resolved through ARP will continue to be global MAC...

Page 355: ...C address learning To enable flow based MAC address learning enter the following command at the Global CONFIG level of the CLI PowerConnect config mac learning flow based This command enables flow based MAC address learning All dynamically learned MAC addresses are flushed from the hardware and software MAC tables and are subsequently learned using flow based MAC address learning Syntax no mac lea...

Page 356: ...dex the Index field displays NA not applicable Syntax show mac To display all of the packet processors that have a particular flow based MAC address use the show mac address vlan command PowerConnect show mac address vlan 1 0000 0000 0001 Total active entries from all ports 16 MAC Address Port Type Index 0000 0000 0001 1 1 Dynamic NA Present in following devices at hw index 0 8196 4 8196 In the ab...

Page 357: ...P Also if you are running an earlier release VLAN IDs 4091 and 4092 may be reserved for Dell internal use only If you want to use VLANs 4091 and 4092 as configurable VLANs you can assign them to different VLAN IDs For more information refer to Assigning different VLAN IDs to reserved VLANs 4091 and 4092 on page 445 NOTE The second command is optional and also creates the VLAN if the VLAN does not ...

Page 358: ...ystem resets Configuration notes and limitations MAC address filtering on PowerConnect devices is performed in hardware MAC address filtering on PowerConnect devices differ from other Dell PowerConnect devices in that you can only filter on source and destination MAC addresses Other Dell PowerConnect devices allow you to also filter on the encapsulation type and frame type MAC address filtering ap...

Page 359: ... zeros For example to match on the first two bytes of the address aabb ccdd eeff use the mask ffff 0000 0000 In this case the filter matches on all MAC addresses that contain aabb as the first two bytes The filter accepts any value for the remaining bytes of the MAC address If you specify any do not specify a mask In this case the filter matches on all MAC addresses The dest mac mask any parameter...

Page 360: ...nd an SNMP trap Messages for management packets permitted by MAC address filters are at the warning level of the Syslog When the first Syslog entry for a management packet permitted by a MAC address filter is generated the software starts a five minute timer After this the software sends Syslog messages every five minutes The messages list the number of management packets permitted by each MAC add...

Page 361: ...s feature on ports that have ACLs and MAC address filters defined Configuration syntax To configure MAC address filtering on an 802 1X enabled port enter commands such as the following PowerConnect config mac filter 1 permit 0050 04ab 9429 ffff ffff 0000 any PowerConnect config int e1 2 PowerConnect config if e1000 1 2 dot1x auth filter 1 3 to 5 10 The first line defines a MAC address filter that ...

Page 362: ...1x auth filter command When you add filters to or modify the dot1x auth filter the system clears all 802 1X sessions on the port Consequently all users that are logged in will need to be re authenticated The maximum number of filters that can be bound to a port is limited by the mac filter port default or configured value The filters must be applied as a group For example if you want to apply four...

Page 363: ...es for each table differ depending on the Dell PowerConnect device you are configuring To display the adjustable tables on your Dell PowerConnect device use the show default values command The following shows example outputs Configuration considerations Changing the table size for a parameter reconfigures the device memory Whenever you reconfigure the memory on a Dell PowerConnect device you must ...

Page 364: ...values sys log buffers 50 mac age time 300 sec telnet sessions 5 System Parameters Default Maximum Current igmp max group addr 4096 8192 1024 ip filter sys 2048 4096 4096 l3 vlan 32 1024 1024 mac 32768 32768 32768 vlan 64 4095 4095 spanning tree 32 255 255 mac filter port 32 256 256 mac filter sys 64 512 512 view 10 65535 65535 rmon entries 1024 32768 32768 mld max group addr 8192 32768 32768 igmp...

Page 365: ...al distance 200 System Parameters Default Maximum Current ip arp 6000 64000 6000 ip static arp 512 6000 512 multicast route 64 8192 64 dvmrp route 2048 32000 2048 dvmrp mcache 512 4096 512 pim mcache 1024 4096 1024 igmp max group addr 4096 8192 4096 ip cache 10000 32768 10000 ip filter port 1015 1015 1015 ip filter sys 2048 8192 2048 l3 vlan 32 1024 32 ip qos session 1024 16000 1024 mac 16384 3276...

Page 366: ...abled ospf dead 40 sec ospf hello 10 sec ospf retrans 5 sec ospf transit delay 1 sec when bgp enabled bgp local pref 100 bgp keep alive 60 sec bgp hold 180 sec bgp metric 10 bgp local as 1 bgp cluster id 0 bgp ext distance 20 bgp int distance 200 bgp local distance 200 System Parameters Default Maximum Current ip arp 4000 64000 64000 ip static arp 512 6000 6000 multicast route 64 8192 8192 pim mca...

Page 367: ...ip arp ARP entries ip cache IP forwarding cache entries ip filter port IP ACL entries per port ip filter sys IP ACL entries per system ip qos session Layer 4 session table entries ip route Learned IP routes ip static arp Static IP ARP entries ip static route Static IP routes ip subnet port IP subnets per port l3 vlan Layer 3 VLANs mac MAC entries mac filter port MAC address filter entries per port...

Page 368: ...o allocate additional egress buffering and descriptors to handle momentary bursty traffic periods especially when other priority queues may not be in use or may not be experiencing heavy levels of traffic This allows users to allocate and fine tune the depth of priority buffer queues for each packet processor The CLI commands for this feature are qd descriptor and qd buffer A descriptor points to ...

Page 369: ...lues for the 10 Gpbs ports the buffer values for the rear panel 10 Gbps 16 Gbps ports are also reset 1 Configure the allowable port descriptors by entering a command similar to the following PowerConnect qd descriptor 1 2 Syntax qd descriptor DeviceNum PortTypeVal NumDescriptors DeviceNum 1 x PortTypeVal 1 for 1Gbps 2 for 10Gbps NumDescriptors Number of descriptors to allocate minimum 1 maximum 40...

Page 370: ... processor number 6 Configuration Command Example The following commands allocate available buffers to be used by priority 0 queues in the four unit stack qd descriptor 0 1 4095 qd descriptor 1 1 4095 qd descriptor 2 1 4095 qd descriptor 4 1 4095 qd descriptor 5 1 4095 qd descriptor 6 1 4095 qd descriptor 0 2 4095 qd descriptor 1 2 4095 qd descriptor 2 2 4095 qd descriptor 4 2 4095 qd descriptor 5...

Page 371: ...s and 1000 downlink ports NOTE In previous versions users could manually configure buffers and descriptors using QD commands This feature cannot co exist with QD commands You may use one or the other but not both types at the same time Configuring buffer profiles To configure predefined buffers enter a command similar to the following PowerConnect buffer profile port region 0 voip downlink 100 upl...

Page 372: ...PowerConnect config if e1000 0 1 1 gig default auto gig Syntax gig default neg off auto gig For more information about the parameters supported with the gig default command see Changing the Gbps fiber negotiation mode on page 46 Link Fault Signaling LFS for 10G Link Fault Signaling LFS is a physical layer protocol that enables communication on a link between two 10 Gbps Ethernet devices When confi...

Page 373: ... maximum size of frames is called the Maximum Transmission Unit MTU When a network device receives a frame larger than its MTU the data is either fragmented or dropped Historically Ethernet has a maximum frame size of 1500 bytes so most devices use 1500 as their default MTU Jumbo frames are Ethernet frames with more than 1 500 bytes MTU Conventionally jumbo frames can carry up to 9 000 bytes MTU D...

Page 374: ...332 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Jumbo frame support 9 ...

Page 375: ... enabling you to use the same instance of a Layer 2 protocol for multiple VLANs For example if a Dell PowerConnect device is deployed in a Metro network and provides forwarding for two MRP rings that each contain 128 VLANs you can configure a topology group for each ring If a link failure in a ring causes a topology change the change is applied to all the VLANs in the ring topology group Without t...

Page 376: ... 1 1 in VLANs that are not members of the topology group Control ports and free ports A port that is in a topology group can be a control port or a free port Control port A control port is a port in the master VLAN and is therefore controlled by the Layer 2 protocol configured in the master VLAN The same port in all the member VLANs is controlled by the master VLAN Layer 2 protocol Each member VLA...

Page 377: ...up 2 and add the following Master VLAN 2 Member VLANs 2 3 and 4 Member VLAN group 2 Syntax no topology group group id The group id parameter specifies the topology group ID and can be from 1 256 Syntax no master vlan vlan id This command adds the master VLAN The VLAN must already be configured Make sure all the Layer 2 protocol settings in the VLAN are correct for your configuration before you add...

Page 378: ...S Displaying STP information To display STP information for a VLAN enter a command such as the following This example shows STP information for VLAN 4 The line shown in bold type indicates that the VLAN STP configuration is controlled by VLAN 2 This information indicates that VLAN 4 is a member of a topology group and VLAN 2 is the master VLAN in that topology group Displaying topology group infor...

Page 379: ...mple of an MRP metro ring TABLE 60 CLI display of topology group information This field Displays master vlan The master VLAN for the topology group The settings for STP MRP or VSRP on the control ports in the master VLAN apply to all control ports in the member VLANs within the topology group member vlan The member VLANs in the topology group Common control ports The master VLAN ports that are con...

Page 380: ...ame VLAN as the ring or in a separate VLAN One node is configured as the master node of the MRP ring One of the two interfaces on the master node is configured as the primary interface the other is the secondary interface The primary interface originates Ring Health Packets RHPs which are used to monitor the health of the ring An RHP is forwarded on the ring to the next interface until it reaches ...

Page 381: ...P Phase 1 MRP Phase 1 allows you to configure multiple MRP rings as shown in Figure 59 but the rings cannot share the same link For example you cannot configure ring 1 and ring 2 to each have interfaces 1 1 and 1 2 Also when you configure an MRP ring any node on the ring can be designated as the master node for the ring A master node can be the master node of more than one ring Refer to Figure 59 ...

Page 382: ...rface MRP Phase 2 On each node that will participate in the ring you specify the ring ID and the interfaces that will be used for ring traffic In a multiple ring configuration a ring ID determines its priority The lower the ring ID the higher priority of a ring A ring ID is also used to identify the interfaces that belong to a ring FIGURE 61 Interface IDs and types Example 1 Example 2 Ring 1 Ring ...

Page 383: ...s that do not belong to the ring with the highest priority become tunnel ports In Figure 61 nodes S1 and S2 have interfaces that belong to Rings 1 and 2 Those interfaces with a priority of 1 are regular ports The interfaces with a priority of 2 are the tunnel ports since they belong to Ring 2 which has a lower priority than Ring 1 Selection of master node Allowing MRP rings to share interfaces lim...

Page 384: ...dress for MRP The Master node generates RHPs and sends them on the ring The state of a ring port depends on the RHPs RHP processing in MRP Phase 1 A ring interface can have one of the following MRP states Preforwarding PF The interface can forward RHPS but cannot forward data All ring ports begin in this state when you enable MRP Customer A Customer A Customer A Customer A Switch B Switch A Switch...

Page 385: ... the Preforwarding state The primary interface on the Master node although it is in the Preforwarding state like the other ports immediately sends an RHP onto the ring The secondary port on the Master node listens for the RHP If the secondary port receives the RHP all links in the ring are up and the port changes its state to Blocking The primary port then sends another MRP with its forwarding bit...

Page 386: ...rmine the round trip time for RHPs in the ring Refer to Using MRP diagnostics on page 352 Customer A Customer A Customer A Customer A Switch B Switch A Switch C Switch D F F F F PF PF PF PF PF F F B Secondary port receives RHP 1 and changes to Blocking Primary port then sends RHP 2 with forwarding bit on Master Node Forwarding bit is on Each port changes from Preforwarding to Forwarding when it re...

Page 387: ...et priority is the same as the tunnel port priority the packet is forwarded up the link shared by Rings 1 and 2 When the RHP packet reaches the interface on node S2 shared by Rings 1 and 2 the packet is forwarded since its priority is less than the interface priority The packet continues to be forwarded to node S1 until it reaches the tunnel port on S1 That tunnel port determines that the RHP pack...

Page 388: ... ring ring break If a break in the ring occurs MRP heals the ring by changing the states of some of the ring interfaces Blocking interface The Blocking interface on the Master node has a dead timer If the dead time expires before the interface receives one of its ring RHPs the interface changes state to Preforwarding Once the secondary interface changes state to Preforwarding F F F Customer A Swit...

Page 389: ...rwarding state If the link between shared interfaces breaks Figure 66 the secondary interface on Ring 1 master node changes to a preforwarding state The RHP packet sent by port 3 1 on Ring 2 is forwarded through the interfaces on S4 then to S2 The packet is then forwarded through S2 to S3 but not from S2 to S1 since the link between the two nodes is not available When the packet reaches Ring 1 mas...

Page 390: ...ough the ring Since Customer A and Customer B are on different VLANs they will not receive each other traffic You can configure MRP separately on each customer VLAN However this is impractical if you have many customers To simplify configuration when you have a lot of customers and therefore a lot of VLANs you can use a topology group Customer A VLAN 30 Customer B VLAN 40 Customer A VLAN 30 Custom...

Page 391: ...To configure MRP perform the following tasks You need to perform the first task on only one of the nodes Perform the remaining tasks on all the nodes NOTE There are no new commands or parameters to configure MRP with shared interfaces MRP Phase 2 Disable one of the ring interfaces This prevents a Layer 2 loop from occurring while you are configuring the devices for MRP Add an MRP ring to a port ba...

Page 392: ...an 2 mrp 1 enable PowerConnect config vlan 2 mrp 1 metro ring 2 PowerConnect config vlan 2 mrp 2 name CustomerB PowerConnect config vlan 2 mrp 2 ring interface ethernet 1 1 ethernet 1 2 PowerConnect config vlan 2 mrp 2 enable Syntax no metro ring ring id The ring id parameter specifies the ring ID The ring id can be from 1 1023 ID 256 is reserved for VSRP OnPowerConnect B Series FCX devices enter ...

Page 393: ...ffic one ring while blocking traffic for another ring Syntax no enable The enable command enables the ring Changing the hello and preforwarding times You also can change the RHP hello time and preforwarding time To do so enter commands such as the following PowerConnect config vlan 2 mrp 1 hello time 200 PowerConnect config vlan 2 mrp 1 preforwarding time 400 These commands change the hello time t...

Page 394: ...s Syntax no diagnostics NOTE This command is valid only on the master node Displaying MRP diagnostics To display MRP diagnostics results enter the following command on the Master node Syntax show metro ring id diag This display shows the following information TABLE 61 CLI display of MRP ring diagnostic information This field Displays Ring id The ring ID Diag state The state of ring diagnostics RHP...

Page 395: ...ation on page 336 for more information Displaying ring information To display ring information enter the following command Syntax show metro ring id This display shows the following information Diag frame sent The number of diagnostic RHPs sent for the test Diag frame lost The number of diagnostic RHPs lost during the test TABLE 61 CLI display of MRP ring diagnostic information Continued This fiel...

Page 396: ...P within the Preforwarding time Prefwing time the port assumes that a topology change has occurred and changes to the Forwarding state The secondary port on the Master node changes to Blocking if it receives an RHP but changes to Forwarding if the port does not receive an RHP before the preforwarding time expires NOTE A member node Preforwarding interface also changes from Preforwarding to Forward...

Page 397: ...If a port is disabled its state is shown as disabled NOTE If an interface is a trunk group only the primary port of the group is listed Interface Type Shows if the interface is a regular port or a tunnel port RHPs sent The number of RHPs sent on the interface NOTE This field applies only to the master node On non master nodes this field contains 0 This is because the RHPs are forwarded in hardware...

Page 398: ...mands for configuring Switch A with two differences the nodes are not configured to be the ring master Omitting the master command is required for non master nodes PowerConnect config vlan 2 PowerConnect config vlan 2 tag ethernet 1 1 to 1 2 PowerConnect config vlan 2 metro ring 1 PowerConnect config vlan 2 mrp 1 name Metro A PowerConnect config vlan 2 mrp 1 ring interface ethernet 1 1 ethernet 1 ...

Page 399: ...onfig vlan 40 PowerConnect config vlan 40 tag ethernet 1 1 to 1 2 PowerConnect config vlan 40 tag ethernet 4 1 PowerConnect config vlan 40 exit PowerConnect config topology group 1 PowerConnect config topo group 1 master vlan 2 PowerConnect config topo group 1 member vlan 30 PowerConnect config topo group 1 member vlan 40 Virtual Switch Redundancy Protocol VSRP Virtual Switch Redundancy Protocol V...

Page 400: ... paths provided by the VSRP devices In this example three Dell PowerConnect devices use the redundant paths A Dell PowerConnect device that is not itself configured for VSRP but is connected to a Dell PowerConnect device that is configured for VSRP is VSRP aware In this example the three Dell PowerConnect devices connected to the VSRP devices are VSRP aware A Dell PowerConnect device that is VSRP ...

Page 401: ...ster Switches with management IP addresses are preferred over switches without management IP addresses If neither of the switches has a management IP address then the switch with the higher MAC address becomes the Master VSRP compares the MAC addresses of the ports configured for the VRID not the base MAC addresses of the switches Layer 3 Switches The Layer 3 Switch whose virtual routing interface...

Page 402: ...ID By default a device VSRP priority is the value configured on the device which is 100 by default However to ensure that a Backup with a high number of up ports for a given VRID is elected the device reduces the priority if a port in the VRID VLAN goes down For example if two Backups each have a configured priority of 100 and have three ports in VRID 1 in VLAN 10 each Backup begins with an equal ...

Page 403: ...rity bias Track ports Optionally you can configure track ports to be included during VSRP priority calculation In VSRP a track port is a port that is not a member of the VRID VLAN but whose state is nonetheless considered when the priority is calculated Typically a track port represents the exit side of traffic received on the VRID ports By default no track ports are configured X VSRP Backup VSRP ...

Page 404: ...rack port goes down resulting in a VSRP priority of 80 The new priority value is used when calculating the VSRP priority Figure 72 shows an example FIGURE 72 Track port priority In Figure 72 the track port is up SInce the port is up the track priority does not affect the VSRP priority calculation If the track port goes down the track priority does affect VSRP priority calculation as shown in Figur...

Page 405: ...failover has occurred to a new Master and moves the MAC addresses learned on the previous port to the new port The VRID records age out if unused This can occur if the VSRP aware device becomes disconnected from the Master The VSRP aware device will wait for a Hello message for the period of time equal to the following VRID Age Dead Interval Hold down Interval 3 x Hello Interval The values for the...

Page 406: ... use on a VSRP backup switch The authentication parameters that you define will not age out Define a list of ports that have authentic VSRP backup switch connections For ports included in the list the VSRP aware switch will process VSRP hello packets using the VSRP aware security configuration Conversely for ports not included in the list the VSRP aware switch will not use the VSRP aware security ...

Page 407: ...ing packets Not configured page 369 VRID parameters VSRP device type Whether the device is a VSRP Backup for the VRID All VSRP devices for a given VRID are Backups Not configured page 367 VSRP ports The ports in the VRID VLAN that you want to use as VRID interfaces You can selectively exclude individual ports from VSRP while allowing them to remain in the VLAN All ports in the VRID VLAN page 370 V...

Page 408: ...e interval can be from 60 3600 seconds You must enable the Backup to send the messages The messages are disabled by default on Backups The current Master sends Hello messages by default Disabled 60 seconds when enabled page 373 Hold down interval The amount of time a Backup that has sent a Hello packet announcing its intent to become Master waits before beginning to forward traffic for the VRID Th...

Page 409: ...owerConnect config vlan 200 vrid 1 backup PowerConnect config vlan 200 vrid 1 activate Syntax no vsrp vrid num The num parameter specifies the VRID and can be from 1 255 Syntax no backup priority value track priority value This command is required In VSRP all devices on which a VRID are configured are Backups The Master is then elected based on the VSRP priority of each device There is no owner de...

Page 410: ...lways enabled Changing the timer scale To achieve sub second failover times you can shorten the duration of all scale timers for VSRP VRRP and VRRP E by adjusting the timer scale The timer scale is a value used by the software to calculate the timers By default the scale value is 1 If you increase the timer scale each timer value is divided by the scale value Using the timer scale to adjust timer ...

Page 411: ...config if 1 6 ip vsrp auth type simple text auth ourpword This command configures the simple text password ourpword Syntax no ip vsrp auth type no auth simple text auth auth data The auth type no auth parameter indicates that the VRID and the interface it is configured on do not use authentication The auth type simple text auth auth data parameter indicates that the VRID and the interface it is co...

Page 412: ...cepting VSRP hello packets where string can be up to 8 characters port list port range specifies the range of ports to include in the configuration Removing a port from the VRID VLAN By default all the ports on which you configure a VRID are interfaces for the VRID You can remove a port from the VRID while allowing it to remain in the VLAN Removing a port is useful in the following cases There is ...

Page 413: ...ity The backup priority is used for election of the Master The VSRP Backup with the highest priority value for the VRID is elected as the Master for that VRID The default priority is 100 If two or more Backups are tied with the highest priority the Backup with the highest IP address becomes the Master for the VRID The track priority is used with the track port feature Refer to VSRP priority calcul...

Page 414: ...acket can traverse before being dropped A hop can be a Layer 3 Switch or a Layer 2 Switch You can specify from 1 255 The default TTL is 2 When a VSRP device Master or Backup sends a VSRP HEllo packet the device subtracts one from the TTL Thus if the TTL is 2 the device that originates the Hello packet sends it out with a TTL of 1 Each subsequent device that receives the packet also subtracts one f...

Page 415: ...econds NOTE If you change the timer scale the change affects the actual number of seconds Changing the backup hello state and interval By default Backups do not send Hello messages to advertise themselves to the Master You can enable these messages if desired and also change the message interval To enable a Backup to send Hello messages to the Master enter a command such as the following at the co...

Page 416: ...goes down the software reduces the VRID priority again by the amount of the tracked interface track priority The default track priority for all track ports is 1 You can change the default track priority or override the default for an individual track port To change the default track priority use the backup track priority command described below To override the default track priority for a specific...

Page 417: ...ip because the Backup with the higher priority was unavailable when ownership changed If you enable the non preempt mode thus disabling the preemption feature on all the Backups the Backup that becomes the Master following the disappearance of the Master continues to be the Master The new Master is not preempted To disable preemption on a Backup enter a command such as the following at the configu...

Page 418: ...fig vlan 10 vsrp aware vrid 11 tc vlan flush PowerConnect config vlan 10 show vsrp aware vlan 10 Aware Port Listing VLAN ID VRID Last Port Auth Type Mac Flush Age 10 11 N A no auth Configured Enabled 00 00 00 0 Displaying VSRP information You can display the following VSRP information Configuration information and current parameter values for a VRID or VLAN The interfaces on a VSRP aware device th...

Page 419: ...as been activated on the interface Advertise backup Whether the device is enabled to send VSRP Hello messages when it is a Backup This field can have one of the following values disabled The device does not send Hello messages when it is a Backup enabled The device does send Hello messages when it is a Backup Preempt mode Whether the device can be pre empted by a device with a higher VSRP priority...

Page 420: ... become the Master will wait before actually beginning to forward Layer 2 traffic for the VRID If the Backup receives a Hello message with a higher priority than its own before the hold down interval expires the Backup remains in the Backup state and does not become the new Master initial ttl The number of hops a Hello message can traverse after leaving the device before the Hello message is dropp...

Page 421: ...seconds enter the following command PowerConnect configure vlan 100 PowerConnect configure vlan 100 vsrp vrid 1 PowerConnect configure vlan 100 vrid 1 restart ports 5 Syntax no restart ports seconds This command shuts down all the ports that belong to the VLAN when a failover occurs All the ports will have the specified VRID To configure a single port on a VSRP configured device to shut down when ...

Page 422: ...RE 74 Two data paths from host on an MRP ring to a VSRP linked device If a VSRP failover from master to backup occurs VSRP needs to inform MRP of the topology change otherwise data from the host continues along the obsolete learned path and never reach the VSRP linked device as shown in Figure 75 PowerConnect show vsrp vrid 100 VLAN 100 auth type no authentication VRID 100 State Administrative sta...

Page 423: ...RP node then forwards the MRP PDU with the mac flush flag set to the next MRP node that is in forwarding state The process continues until the Master MRP node secondary blocking interface blocks the packet Once the MAC address entries have been flushed the MAC table can be rebuilt for the new path from the host to the VSRP linked device Figure 76 FIGURE 76 New path established There are no CLI com...

Page 424: ...382 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Virtual Switch Redundancy Protocol VSRP 10 ...

Page 425: ...onnect devices and brings the ports on both ends of the link down if the link goes down at any point between the two devices This feature is useful for links that are individual ports and for trunk links Figure 77 shows an example FIGURE 77 UDLD example TABLE 66 Supported UDLD and protected link group features Feature PowerConnect B Series FCX Uni directional Link Detection UDLD Link keepalive Yes...

Page 426: ...switch may reject the packet As a result UDLD may be limited only to Dell PowerConnect devices since UDLD may not function on third party switches To solve this issue you can configure ports to send out UDLD control packets that are tagged with a specific VLAN ID This feature also enables third party switches to receive the control packets that are tagged with the specified VLAN For tagged operati...

Page 427: ...e ethernet 1 18 vlan 22 This command enables UDLD on port 1 18 and allows UDLD control packet tagged with VLAN 22 to be received and sent on port 1 18 Syntax no link keepalive ethernet port vlan vlan ID Specify the port variable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum For the vlan ID variable enter the ID of the VLAN that the UDLD control pa...

Page 428: ...uration Displaying information for all ports To display UDLD information for all ports enter the following command Syntax show link keepalive TABLE 67 CLI display of UDLD information This field Displays Total link keepalive enabled ports The total number of ports on which UDLD is enabled Keepalive Retries The number of times a port will attempt the health check before concluding that the link is d...

Page 429: ... identifies this Dell PowerConnect device The ID can be used by Dell technical support for troubleshooting Remote System ID A unique value that identifies the Dell PowerConnect device at the remote end of the link Packets sent The number of UDLD health check packets sent on this port Packets received The number of UDLD health check packets received on this port Transitions The number of times the ...

Page 430: ...ffic If the active link goes down one of the standby links takes over During normal operation the active port in a protected link group is enabled and the standby ports are logically disabled If the active port fails the Dell PowerConnect device immediately enables one of the standby ports and switches traffic to the standby port The standby port becomes the new active port PowerConnect show inter...

Page 431: ...to improve the speed at which the device detects a failure in the link NOTE When UDLD and protected links are configured on a port and the link goes down protected links will not come up after UDLD becomes healthy again without first physically disabling then re enabling the link Configuration notes You can configure a maximum of 32 protected link groups There is no restriction on the number of po...

Page 432: ...e port the Dell PowerConnect device automatically assigns one as the first port in the protected link group to come up These commands configure port e1 as the active port and ports e2 e4 as standby ports If port 1 goes down the Dell PowerConnect device enables the first available standby port and switches the traffic to that port Since the above configuration consists of a statically configured ac...

Page 433: ...e Active Syntax show interface brief ethernet port Specify the port variable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum The show interface command also displays information about protected link groups TABLE 69 CLI display of protected link group information This field Displays Group ID The ID number of the protected link group Member Port s The...

Page 434: ...le switches stack unit slotnum portnum PowerConnect show int e 3 GigabitEthernet3 is up line protocol is up link keepalive is enabled Hardware is GigabitEthernet address is 0012 f2a8 7140 bia 0012 f2a8 7142 Configured speed auto actual 1Gbit configured duplex fdx actual fdx Configured mdi mode AUTO actual MDIX Member of 3 L2 VLANs port is tagged port state is protected link inactive BPDU guard is ...

Page 435: ...igured aggregate links containing multiple ports 802 3ad link aggregation is a protocol that dynamically creates and manages trunk groups NOTE You can use both types of trunking on the same device However you can use only one type of trunking for a given port For example you can configure port 1 1 as a member of a static trunk group or you can enable 802 3ad link aggregation on the port but you ca...

Page 436: ...connectivity to a server To support termination of a trunk group the server must have either multiple network interface cards NICs or either a dual or quad interface card installed The trunk server is designated as a server with multiple adapters or a single adapter with multiple ports that share the same MAC and IP address Figure 79 shows an example of a trunk group between a server and a Dell Po...

Page 437: ...groups or server trunk groups Trunking is supported on 10 GbE ports You cannot combine 1 Gbps and 10 Gbps ports in the same trunk group Port assignment on a module need not be consecutive The port range can contain gaps For example you can configure ports 1 3 and 4 excluding 2 Refer to Support for flexible trunk group membership on page 398 Although the PowerConnect devices have port ranges they d...

Page 438: ...s a reserved configuration on the Active Controller Any remaining ports of the static trunk in the IronStack continue to function When a new stack unit is added to an IronStack the new unit receives running configuration and trunk related information including a list of ports that are up and are members of a trunk from the Active Controller Before merging two IronStacks make sure that there are no...

Page 439: ... groups Figure 81 shows two IronStacks connected by multi slot trunk groups 424F 42XG Lnk Act Lnk Act 1 2 424C 424C 424C 424C 424F 424C 8X 12GM 4 Console Pwr Lnk Odd Even SYS EJECT DC OK ALM AC OK DC OK ALM AC OK SYS EJECT DC OK ALM AC OK SYS EJECT DC OK ALM AC OK SYS EJECT Odd Even Lnk Lnk POE 424C 424F Odd Even Odd Even Lnk Device ...

Page 440: ...erformed in the same way it is for IPv4 addresses that is trunk types whose traffic load is shared based on IPv4 address information can now use IPv6 addresses to make the load sharing decision Load sharing occurs as described in Table 72 1F 2F 3F 4F Console Lnk PS1 PS2 Pwr 25 26 Act Lnk Act 5 6 7 8 1 2 3 Stack 4 3 1 2 4 6 5 8 7 9 10 11 12 13 14 15 16 17 18 19 20 21 22 24 23 Odd Even Lnk Act 1F 2F...

Page 441: ...P addresses and protocol field not applicable for FastIron Stackable devices NOTE Table 72 do not include unknown unicast multicast and broadcast traffic Refer to Load sharing for unknown unicast multicast and broadcast traffic Table 72 describes how the FastIron Stackable devices load balance traffic Adding Layer 2 information to trunk hash output FastIron Stackable devices support the option to ...

Page 442: ...ation changes to the startup config file 4 Dynamically place the new trunk configuration into effect by entering the trunk deploy command at the global CONFIG level of the CLI 5 If the device at the other end of the trunk group is another Layer 2 Switch or Layer 3 Switch repeat Steps 2 4 for the other device 6 When the trunk groups on both devices are operational reconnect the cables to those port...

Page 443: ...mmand such as the following PowerConnect config trunk ethe 1 7 ethe 1 9 ethe 1 11 ethe 1 21 This creates a 4 port trunk group with the following members 1 7 1 9 1 11 1 21 To configure a 4 port trunk with non consecutive ports on a FastIron Stackable device enter a command similar to the following PowerConnect config trunk ethe 1 1 7 ethe 1 1 9 ethe 1 1 11 ethe 1 1 21 This creates a 4 port trunk gr...

Page 444: ...fect without a software reload Example 2 Configuring a trunk group that spans two Gbps Ethernet modules in a chassis device This section shows how to configure a trunk group that spans two modules in a Chassis device Multi slot trunk groups are supported on 1 GbE ports 10 GbE ports as well as on static and LACP trunk ports For multi slot trunk group rules refer to Table 74 on page 414 To configure...

Page 445: ... multi slot trunk group the corresponding trunk ports will remain up and running However when you re enable the module all of the trunk ports will go down then come back up In other words trunk ports are re deployed when a module is re enabled Example 4 Configuring a trunk group of 10 Gbps Ethernet ports You can configure 10 Gbps Ethernet ports together in a trunk group To configure a trunk group ...

Page 446: ... a trunk STK1 config trunk ethe 1 1 1 ethe 2 1 4 ethe 3 1 7 ethe 4 1 2 ethe 5 1 5 ethe 6 1 7 ethe 7 1 2 ethe 7 1 5 Trunk will be created in next trunk deploy STK1 config trunk deploy STK1 config show trunk Configured trunks Trunk ID 1 Hw Trunk ID 1 Ports_Configured 8 Primary Port Monitored Jointly Ports 1 1 1 2 1 4 3 1 7 4 1 2 5 1 5 6 1 7 7 1 2 7 1 5 Port Names none none none none none none none n...

Page 447: ...es the port name The name can be up to 49 characters long The portnum parameter is a valid port in the trunk group Specify the port variable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum Disabling or re enabling a trunk port This feature is supported on individual ports of a static trunk group You can disable or re enable individual ports in a tru...

Page 448: ...lowing formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum Syntax enable portname Disabling or re enabling a range or list of trunk ports To disable a range of ports in a trunk group enter commands such as the following PowerConnect config trunk ethernet 2 1 to 2 4 PowerConnect config trunk 2 1 2 4 config trunk ind PowerConnect config trunk 2 1 2 4 disable ethernet 2 3 ...

Page 449: ...e higher port number in the range Specifying the minimum number of ports in a static trunk group You can configure Dell PowerConnect devices to disable all of the ports in a trunk group when the number of active member ports drops below a specified threshold value For example if a trunk group has 4 ports and the threshold for the trunk group is 3 then the trunk group is disabled if the number of a...

Page 450: ...age 647 Enabling sFlow forwarding on a trunk port You can enable sFlow forwarding on individual ports of a static trunk group For configuration details refer to Enabling sFlow forwarding on individual trunk ports on page 1435 Setting the sFlow sampling rate on a trunk port You can configure an individual trunk port to use a different sampling rate than the global default sampling rate This feature...

Page 451: ...onal trunk groups Speed The speed set for the port The value can be one of the following None The link on the primary trunk port is down 10 The port speed is 10 Mbps 100 The port speed is 100 Mbps IG The port speed is 1000 Mbps Tag Indicates whether the ports have 802 1Q VLAN tagging The value can be Yes or No Priority Indicates the Quality of Service QoS priority of the ports The priority can be ...

Page 452: ...e trunk links Link aggregation support is disabled by default You can enable the feature on an individual port basis in active or passive mode Active mode When you enable a port for active link aggregation the Dell PowerConnect port can exchange standard LACP Protocol Data Unit LACPDU messages to negotiate trunk group configuration with the port on the other side of the link In addition the Dell P...

Page 453: ...werConnect config interface ethernet 1 1 1 to 1 1 4 PowerConnect config mif 1 1 1 1 1 4 link aggregate off PowerConnect config mif 1 1 1 1 1 4 link aggregate configure key 10000 PowerConnect config mif 1 1 1 1 1 4 link aggregate active PowerConnect config mif 1 1 1 1 1 4 interface ethernet 3 1 5 to 3 1 8 PowerConnect config mif 3 1 5 3 1 8 link aggregate off PowerConnect config mif 3 1 5 3 1 8 lin...

Page 454: ...ration rules for trunk links on Dell PowerConnect devices The Dell rules apply to a Dell PowerConnect device even if the device at the other end is from another vendor and uses different rules Refer to Trunk group rules on page 395 Configuration notes and limitations This section lists the configuration considerations and limitations for dynamic link aggregation Port1 1 Port1 2 Port1 3 Port1 4 Por...

Page 455: ...orts of the dynamic trunk in the IronStack continue to function Merging two IronStacks with a dynamic trunk configured between them results in self looped ports which are detected and corrected by the Spanning Tree Protocol STP LACP configuration on the winning Active Controller is not affected by the LACP configuration on the losing Active Controller is lost after the merge When an IronStack with...

Page 456: ...port range will be eligible for formation into an aggregate link based on port states Notice that the sets of ports that are eligible for the aggregate link must be valid static trunk configurations Enabling dynamic link aggregation By default link aggregation is disabled on all ports To enable link aggregation on a set of ports enter commands such as the following at the Interface configuration l...

Page 457: ... different physical capabilities will not be able to form a trunk Assigning a unique key PowerConnect config interface ethernet 1 1 PowerConnect config if e1000 1 1 link aggregate configure key 10000 PowerConnect config if e1000 1 1 link aggregate active PowerConnect config interface ethernet 1 2 PowerConnect config if e1000 1 2 link aggregate configure key 10000 PowerConnect config if e1000 1 2 l...

Page 458: ...ts Untagged to Tagged VLAN If the Dell PowerConnect device finds a port with matching port properties the port gets that port key If it does not find one the port gets a new key Untagged to Untagged VLAN The port gets a new key depending on whether it is in the default VLAN or not If there is a trunk group associated with the key it is not affected All other ports keep their existing key The new k...

Page 459: ...tware release The primary port in the port group becomes the default active port The primary port is the lowest numbered port in a valid trunk port group Timeout You can specify a timeout mode which determines how fast ports are removed from a trunk You can specify a short timeout mode Key Every port that is 802 3ad enabled has a key The key identifies the group of potential trunk ports to which t...

Page 460: ...ion However the link aggregation keys for the groups of ports on each module must match For example if you want to allow link aggregation to form an aggregate link containing ports 1 1 1 4 and 3 5 3 8 you must change the link aggregation key on one or both groups of ports so that the key is the same on all eight ports Figure 85 on page 419 shows an example All these ports have the same key but are...

Page 461: ...ged ports To display link aggregation information including the key for a specific port enter a command such as the following at any level of the CLI The command in this example shows the key and other link aggregation information for port 1 1 To display link aggregation information including the key for all ports on which link aggregation is enabled enter the following command at any level of the...

Page 462: ...1 4 interface ethernet 3 5 to 3 8 PowerConnect config mif 3 5 3 8 link aggregate configure key 10000 Configuring keys for ports with link aggregation enabled As shown in this command sequence to change the key on ports that already have link aggregation enabled you must first turn OFF link aggregation configure the new key then re enable link aggregation PowerConnect config interface ethernet 1 1 ...

Page 463: ... value from 10000 65535 Configuring port timeout You can control the time it takes to remove ports from a trunk with link aggregation enabled by configuring the link aggregated port with a short timeout mode Once a port is configured with a timeout mode it will remain in that timeout mode whether it is up or down or whether or not it is part of a trunk All ports in a trunk should have the same tim...

Page 464: ...ion Use the show link aggregate command to determine the operational status of ports associated with aggregate links To display the link aggregation information for a specific port enter a command such as the following at any level of the CLI The command in this example shows the link aggregation information for port 1 1 To display the link aggregation information for all ports on which link aggre...

Page 465: ...k group has already been formed and the port is therefore using a longer message timeout for the LACPDU messages exchanged with the remote port Typically these messages are used as confirmation of the health of the aggregate link S Short The port has just started the LACPDU message exchange process with the port at the other end of the link The S timeout value also can mean that the link aggregati...

Page 466: ...s not receive an LACPDU message from the port at the other end of the link before the message timer expires This field can have one of the following values Exp The link aggregation settings this port negotiated with the port at the other end of the link have expired The port is now using its default link aggregation settings No The link aggregation values that this port negotiated with the port at...

Page 467: ...l link detection Single link LACP is based on the 802 3ad LACP protocol but allows you to form an aggregated link with only one Ethernet port It is the preferred method for detecting unidirectional links across multi vendor devices instead of link keepalive UDLD since it is based on a standard rather than on a proprietary solution Configuration notes This feature is supported on 1 GbE and 10 GbE p...

Page 468: ...while singleton is configured on the port the following Syslog messages are generated Logical link on interface ethernet slot port is up Logical link on interface ethernet slot port is down PowerConnect show link agg System ID 00e0 5200 0118 Long timeout 120 default 120 Short timeout 3 default 3 Port Sys P Port P Key Act Tio Agg Syn Col Dis Def Exp Ope 2 1 1 1 1 Yes S Agg Syn No No Def Exp Ina 2 2...

Page 469: ...u can configure the following types of VLANs on PowerConnect devices Layer 2 port based VLAN a set of physical ports that share a common exclusive Layer 2 broadcast domain TABLE 76 Supported VLAN features Feature PowerConnect B Series FCX VLAN Support Yes 4096 maximum VLANs Yes 802 1Q with tagging Yes 802 1Q in Q tagging Yes 802 1Q in Q tag profiles Yes Dual mode VLANs Yes Port based VLANs Yes Upl...

Page 470: ... Layer 3 protocol VLAN ports If the packet cannot be forwarded based on either of the VLAN membership types listed above but the packet can be forwarded at Layer 2 the device forwards the packet on all the ports within the receiving port port based VLAN Protocol VLANs differ from IP subnet IPX network and AppleTalk VLANs in an important way Protocol VLANs accept any broadcast of the specified prot...

Page 471: ...than one port based VLAN unless the port is tagged 802 1Q tagging allows the port to add a four byte tag field which contains the VLAN ID to each packet sent on the port You also can configure port based VLANs that span multiple devices by tagging the ports within the VLAN The tag enables each device that receives the packet to determine the VLAN the packet belongs to 802 1Q tagging applies only t...

Page 472: ... VLAN Layer 3 protocol based VLANs are as follows AppleTalk The device sends AppleTalk broadcasts to all ports within the AppleTalk protocol VLAN IP The device sends IP broadcasts to all ports within the IP protocol VLAN IPv6 The device sends IPv6 broadcasts to all ports within the IPv6 protocol VLAN IPX The device sends IPX broadcasts to all ports within the IPX protocol VLAN DECnet The device se...

Page 473: ... 2 port based VLAN FIGURE 87 Layer 3 protocol VLANs within a Layer 2 port based VLAN DEFAULT VLAN VLAN ID 1 Layer 2 Port based VLAN User configured port based VLAN User configured protocol VLAN IP sub net VLAN IPX network VLAN or Apple Talk cable VLAN You can add Layer 3 protocol VLANs or IP sub net IPX network and AppleTalk cable VLANs to port based VLANs Layer 3 VLANs cannot span Layer 2 port ba...

Page 474: ...me as when you configure a physical interface for routing The logical interface allows the Layer 3 Switch to internally route traffic between the protocol based VLANs without using physical interfaces All the ports within a protocol based VLAN must be in the same port based VLAN The protocol based VLAN cannot have ports in multiple port based VLANs unless the ports in the port based VLAN to which ...

Page 475: ...N within the same port based VLAN This note also applies to IPX protocol VLANs and IPX network VLANs and to AppleTalk protocol VLANs and AppleTalk cable VLANs Default VLAN By default all the ports on a PowerConnect device are in a single port based VLAN This VLAN is called the DEFAULT VLAN and is VLAN number 1 PowerConnect devices do not contain any protocol VLANs or IP subnet IPX network or Apple...

Page 476: ...a user configured VLAN you can reassign the default VLAN to another valid VLAN ID Refer to Assigning a different VLAN ID to the default VLAN on page 444 802 1Q tagging 802 1Q tagging is an IEEE standard that allows a networking device to add information to a Layer 2 packet in order to identify the VLAN membership of the packet Dell PowerConnect devices tag a packet by adding a four byte tag to the...

Page 477: ...Dell PowerConnect devices Figure 90 shows an example of two devices that have the same Layer 2 port based VLANs configured across them Notice that only one of the VLANs requires tagging Untagged Packet Format 6 bytes Destination Address 6 bytes Source Address 2 bytes Type Field Up to 1500 bytes Data Field 4 bytes CRC Ethernet II IEEE 802 3 802 1q Tagged Packet Format 4 bytes 802 1q Tag Ethernet II...

Page 478: ...werConnect B Series FCX devices including those in an IronStack to use Q in Q and SAV by allowing the changing of a tag profile for ports In addition to the default tag type 0x8100 you can now configure one additional global tag profile with a number from 0xffff Tag profiles on a single port or a group of ports can be configured to point to the global tag profile For example applications and confi...

Page 479: ...a Layer 2 protocol Thus you cannot enable or disable STP for individual protocol VLANs or for IP subnet IPX network or AppleTalk cable VLANs The STP state of a port based VLAN containing these other types of VLANs determines the STP state for all the Layer 2 broadcasts within the port based VLAN This is true even though Layer 3 protocol broadcasts are sent on Layer 2 within the VLAN It is possible...

Page 480: ... configure the appropriate IP routing parameters on each of the virtual routing interfaces Figure 91 shows an example of Layer 3 protocol VLANs that use virtual routing interfaces for routing FIGURE 91 Use virtual routing interfaces for routing between Layer 3 protocol VLANs User configured port based VLAN User configured protocol VLAN IP sub net VLAN IPX network VLAN or AppleTalk cable VLAN VE vi...

Page 481: ...ive any traffic for the VLAN protocol within ten minutes the port is removed from the VLAN However the port remains a candidate for port membership Thus if the port receives traffic for the VLAN protocol the device adds the port back to the VLAN After the port is added back to the VLAN the port can remain an active member of the VLAN up to 20 minutes without receiving traffic for the VLAN protocol...

Page 482: ...didate ports become active again if they receive protocol traffic A active port C candidate port When you add ports dynamically all the ports are added when you add the VLAN A A A A A A A A Ports that time out remain candidates for membership in the VLAN and become active again if they receive traffic for the VLAN s protocol IP sub net IPX network or AppleTalk cable range When a candidate port rej...

Page 483: ...enable a host that has been silent for awhile to send and receive packets the dynamic ports that are currently members of the Layer 3 protocol VLAN leak Layer 3 broadcast packets to the ports that have aged out When a host connected to one of the aged out ports responds to a leaked broadcast the port is added to the protocol VLAN again To leak Layer 3 broadcast traffic an active port sends 1 8th o...

Page 484: ...iple unique overlapping Layer 3 protocol based VLANs without VLAN tagging A port can belong to multiple overlapping Layer 2 port based VLANs only if the port is a tagged port Packets sent out of a tagged port use an 802 1Q tagged frame When both port and protocol based VLANs are configured on a given device all protocol VLANs must be strictly contained within a port based VLAN A protocol VLAN cann...

Page 485: ...o you can create two separate backbones for the same protocol one bridged and one routed To bridge IP IPX or Appletalk at the same time these protocols are being routed you need to configure an IP protocol IP subnet IPX protocol IPX network or Appletalk protocol VLAN and not assign a virtual routing interface to the VLAN Packets for these protocols are bridged or switched at Layer 2 across ports o...

Page 486: ... backbone link as a separate tagged port based VLAN Routing will occur independently across the port based VLANs Because each port based VLAN STP domain is a single point to point backbone connection you are guaranteed to never have an STP loop STP will never block the virtual router interfaces within the tagged port based VLAN and you will have a fully routed backbone Dynamic port assignment Laye...

Page 487: ...o reserved vlan map vlan 4091 4092 new vlan vlan id For vlan id enter a valid VLAN ID that is not already in use For example if you have already defined VLAN 20 do not try to use 20 as the new VLAN ID Valid VLAN IDs are numbers from 1 4090 4093 and 4095 VLAN ID 4094 is reserved for use by the Single Spanning Tree feature Viewing reassigned VLAN IDs for reserved VLANs 4091 and 4092 To view the assi...

Page 488: ...a VLAN Modify a VLAN Change a VLAN priority Enable or disable STP on the VLAN Example 1 Figure 94 shows a simple port based VLAN configuration using a single Layer 2 Switch All ports within each VLAN are untagged One untagged port within each VLAN is used to connect the Layer 2 Switch to a Layer 3 Switch for Layer 3 connectivity between the two port based VLANs Re assign The VLAN ID to which the r...

Page 489: ...ckbone link connecting the three Layer 2 Switches is tagged One untagged port within each port based VLAN on device A connects each separate network wide Layer 2 broadcast domain to the router for Layer 3 forwarding between broadcast domains The STP priority is configured to force device A to be the root bridge for VLANs RED and BLUE The STP priority on device B is configured so that device B is t...

Page 490: ... spanning tree priority 500 PowerConnect A config vlan 4 vlan 5 name RED PowerConnect A config vlan 5 untagged ethernet 13 to 16 ethernet 20 PowerConnect A config vlan 5 tagged ethernet 25 to 26 PowerConnect A config vlan 5 spanning tree PowerConnect A config vlan 5 spanning tree priority 500 PowerConnect A config vlan 5 end PowerConnect A write memory IP Subnet1 IPX Net 1 Atalk 100 1 Zone A IP Su...

Page 491: ... PowerConnect B config vlan 5 end PowerConnect B write memory Configuring device C Enter the following commands to configure device C PowerConnect en PowerConnect configure terminal PowerConnect config hostname PowerConnect C PowerConnect C config vlan 2 name BROWN PowerConnect C config vlan 2 untagged ethernet 1 to 4 PowerConnect C config vlan 2 tagged ethernet 25 to 26 PowerConnect C config vlan...

Page 492: ... configuration to the system config file on flash memory PowerConnect A config PowerConnect A config end PowerConnect A write memory PowerConnect A 4 Repeat steps 1 3 on device B Syntax no vlan vlan id by port Removing a port from a VLAN Suppose you want to remove port 11 from VLAN 4 on device A shown in Figure 95 To do so use the following procedure 1 Access the global CONFIG level of the CLI on ...

Page 493: ...erating on the system STP is set on a system wide level at the global CONFIG level of the CLI 1 Access the global CONFIG level of the CLI on device A by entering the following commands PowerConnect A enable No password has been assigned yet PowerConnect A configure terminal PowerConnect A config 2 Access the level of the CLI for configuring port based VLAN 3 by entering the following command Power...

Page 494: ...ue has the highest priority and is the root Possible values 1 65 535 Default is 32 678 Port parameters applied to a specified port within a VLAN Path Cost a parameter used to assign a higher or lower path cost to a port Possible values 1 65535 Default is 1000 Port Speed for Half Duplex ports and is 1000 Port Speed 2 for Full Duplex ports Priority value determines when a port will be rerouted in re...

Page 495: ...mic PowerConnect config vlan ip subnet static ethernet 9 to 16 ethernet 25 3 To permanently assign ports 17 25 to IP subnet VLAN 1 1 3 0 enter the following commands PowerConnect config vlan 4 ip subnet 1 1 3 0 24 name Brown PowerConnect config vlan ip subnet no dynamic PowerConnect config vlan ip subnet static ethernet 17 to 25 4 To permanently assign ports 1 12 and port 25 to IPX network 1 VLAN ...

Page 496: ...s at each Layer 2 Switch location to be statically mapped to IP only No other protocols can enter the switches on this set of ports A second set of ports within STP domain VLAN 2 will be restricted to only IPX traffic The IP and IPX protocol VLANs will overlap on Port 1 of device A to support both protocols on the same router interface The IP subnets and IPX network that span the two protocol VLAN...

Page 497: ...idge for VLAN 2 PowerConnect A config vlan 2 spanning tree PowerConnect A config vlan 2 spanning tree priority 500 PowerConnect A config vlan 2 3 Create the IP and IPX protocol based VLANs and statically assign the ports within VLAN 2 that will be associated with each protocol based VLAN PowerConnect A config vlan 2 ip proto name Red PowerConnect A config vlan ip proto no dynamic PowerConnect A co...

Page 498: ... ipx network no dynamic PowerConnect A config vlan ipx network static e9 e13 to 16 e25 to 26 PowerConnect A config vlan ipx network exclude e10 to 12 PowerConnect A config vlan ipx network other proto name Block_other_proto PowerConnect A config vlan other proto no dynamic PowerConnect A config vlan other proto exclude e9 to 16 PowerConnect A config vlan other proto 7 Configure the last port based...

Page 499: ...ig host PowerConnect C PowerConnect C config vlan 2 name IP_IPX_Protocol PowerConnect C config vlan 2 untagged e1 to 8 PowerConnect C config vlan 2 tagged e25 to 26 PowerConnect C config vlan 2 spanning tree PowerConnect C config vlan 2 ip proto name Red PowerConnect C config vlan ip proto no dynamic PowerConnect C config vlan ip proto static e1 to 4 e25 to 26 PowerConnect C config vlan ip proto e...

Page 500: ...iod is reset for 20 minutes NOTE You can disable VLAN membership aging of dynamically added ports Refer to Disabling membership aging of dynamic VLAN ports on page 465 To configure an IPv6 VLAN enter commands such as the following PowerConnect config vlan 2 PowerConnect config vlan 2 untagged ethernet 1 1 to 1 8 PowerConnect config vlan 2 ipv6 proto name V6 PowerConnect config ipv6 subnet static e...

Page 501: ...t and IPX network that exists within VLAN 4 must remain a flat Layer 2 switched STP domain You enable routing for IP and IPX on a virtual routing interface only on device A This will provide the flat IP and IPX segment with connectivity to the rest of the network Within VLAN 4 IP and IPX will follow the STP topology All other IP subnets and IPX networks will be fully routed and have use of all pat...

Page 502: ...A config vlan 2 untagged ethernet 1 to 4 PowerConnect A config vlan 2 no spanning tree PowerConnect A config vlan 2 router interface ve1 PowerConnect A config vlan 2 other proto name block_other_protocols PowerConnect A config vlan other proto no dynamic PowerConnect A config vlan other proto exclude ethernet 1 to 4 Once you have defined the port based VLAN and created the virtual routing interfac...

Page 503: ... address 1 1 3 1 24 PowerConnect A config vif 5 ip ospf area 0 0 0 0 PowerConnect A config vif 5 ipx network 3 ethernet_802 3 PowerConnect A config vif 5 It is time to configure a separate port based VLAN for each of the routed backbone ports Ethernet 25 and 26 If you do not create a separate tagged port based VLAN for each point to point backbone link you need to include tagged interfaces for Eth...

Page 504: ...g vlan other proto no dynamic PowerConnect B config vlan other proto exclude ethernet 1 to 4 PowerConnect B config vlan other proto interface ve1 PowerConnect B config vif 1 ip addr 1 1 6 1 24 PowerConnect B config vif 1 ip ospf area 0 0 0 0 PowerConnect B config vif 1 vlan 8 name IPX_Network6 PowerConnect B config vlan 8 untagged ethernet 5 to 8 PowerConnect B config vlan 8 no span PowerConnect B...

Page 505: ... yet PowerConnect config t PowerConnect config hostname PowerConnect C PowerConnect C config router ospf PowerConnect C config ospf router area 0 0 0 0 normal PowerConnect C config ospf router router ipx PowerConnect C config ospf router vlan 2 name IP Subnet_1 1 9 0 24 PowerConnect C config vlan 2 untagged ethernet 1 to 4 PowerConnect C config vlan 2 no spanning tree PowerConnect C config vlan 2 ...

Page 506: ...ree PowerConnect C config vlan 7 router interface ve5 PowerConnect C config vlan 7 vlan 6 name Rtr_BB_to_Bldg 1 PowerConnect C config vlan 6 tagged ethernet 26 PowerConnect C config vlan 6 no spanning tree PowerConnect C config vlan 6 router interface ve6 PowerConnect C config vlan 6 interface ve5 PowerConnect C config vif 5 ip addr 1 1 8 2 24 PowerConnect C config vif 5 ip ospf area 0 0 0 0 Power...

Page 507: ...in and the aging out period is reset for 20 minutes Disabling membership aging of dynamic VLAN ports You can disable VLAN membership aging of ports that are dynamically assigned to protocol or subnet based VLANs This feature resolves the connectivity issue that may occur in certain configurations when protocol or subnet VLANs are configured with dynamic port membership NOTE This issue does not occ...

Page 508: ...g method To configure port based VLAN 10 then configure an IP protocol VLAN within the port based VLAN with dynamic ports enter the following commands such as the following PowerConnect config vlan 10 by port PowerConnect config vlan 10 untagged ethernet 1 1 to 1 6 added untagged port ethe 1 1 to 1 6 to port vlan 30 PowerConnect config vlan 10 ip proto name IP_Prot_VLAN PowerConnect config vlan 10...

Page 509: ...ntax ip subnet ip addr ip mask name string or Syntax ip subnet ip addr mask bits name string Syntax dynamic Configuring an IPX network VLAN with dynamic ports To configure port based VLAN 20 then configure an IPX network VLAN within the port based VLAN with dynamic ports enter commands such as the following PowerConnect config vlan 20 by port name IPX_VLAN PowerConnect config vlan 10 untagged ethe...

Page 510: ... attached to clients you can configure the two ports attached to the network as uplink ports In this configuration broadcast and unknown unicast traffic in the VLAN does not go to all ports The traffic goes only to the uplink ports The clients on the network do not receive broadcast and unknown unicast traffic from other ports including other clients Configuration considerations When this feature ...

Page 511: ...st be in a separate subnet The Dell PowerConnect device routes Layer 3 traffic between the subnets using the subnet addresses NOTE This feature applies only to Layer 3 Switches NOTE Before using the method described in this section refer to Configuring VLAN groups and virtual routing interface groups on page 472 You might be able to achieve the results you want using the methods in that section in...

Page 512: ...VRRP Virtual Router Redundancy Protocol The Dell PowerConnect device performs proxy Address Resolution Protocol ARP for hosts that want to send IP traffic to hosts in other VLANs that are sharing the same IP subnet address If the source and destination hosts are in the same VLAN the Dell PowerConnect device does not need to use ARP If a host attached to one VLAN sends an ARP message for the MAC ad...

Page 513: ... interface ve number The commands above configure port based VLAN 1 The VLAN has one untagged port 1 1 and a tagged port 1 8 In this example all three VLANs contain port 1 8 so the port must be tagged to allow the port to be in multiple VLANs You can configure VLANs to share a Layer 3 protocol interface regardless of tagging A combination of tagged and untagged ports is shown in this example to de...

Page 514: ...up config file on the device flash memory module Normally a startup config file with a large number of VLANs might not fit on the flash memory module By grouping the identically configured VLANs you can conserve space in the startup config file so that it fits on the flash memory module The virtual routing interface group feature is useful when you want to configure the same IP subnet address on a...

Page 515: ...ory for virtual routing interfaces before you configure the VLAN groups This is true regardless of whether you use the virtual routing interface groups The memory allocation is required because the VLAN groups and virtual routing interface groups have a one to one mapping Refer to Allocating memory for more VLANs or virtual routing interfaces on page 476 If a VLAN within the range you specify is a...

Page 516: ...e VLAN group by using the VLAN IDs of each of the VLANs as the corresponding virtual interface number Therefore if a VLAN group contains VLAN IDs greater than the maximum virtual interface number allowed the group router interface command will be rejected CLI syntax To configure a virtual routing interface group enter commands such as the following PowerConnect config vlan group 1 PowerConnect con...

Page 517: ...ed with group ve NOTE Dell PowerConnect devices do not support ACLs with group ve NOTE PowerConnect devices support group ve with OSPF and VRRP protocols only The syntax and usage for the ip address command is the same as when you use the command at the interface level to add an IP interface Displaying the VLAN group and virtual routing interface group information To verify configuration of VLAN g...

Page 518: ... Increasing the number of VLANs you can configure NOTE Although you can specify up to 4095 VLANs you can configure only 4094 VLANs VLAN ID 4094 is reserved for use by the Single Spanning Tree feature To increase the maximum number of VLANs you can configure enter commands such as the following at the global CONFIG level of the CLI PowerConnect config system max vlan 2048 PowerConnect config write ...

Page 519: ...s Transfer Mode ATM paths and channels A path contains multiple channels each of which is a dedicated circuit between two end points The two devices at the end points of the channel appear to each other to be directly attached The network that connects them is transparent to the two devices You can aggregate up to 4094 VLANs within another VLAN This provides a total VLAN capacity on one Dell Power...

Page 520: ...VLAN traffic through the core The core can consist of multiple devices that forward the aggregated VLAN traffic The edge device at the other end of the core separates the aggregated VLANs into the individual client VLANs before forwarding the traffic The edge devices forward the individual client traffic to the clients For the clients perspective the channel is a direct point to point link Figure ...

Page 521: ...channel Because each VLAN configured on the core devices is an aggregate of multiple client VLANs the aggregated VLANs greatly increase the number of clients a core device can accommodate This example shows a single link between the core devices However you can use a trunk group to add link level redundancy Client 1 Port1 1 VLAN 101 Client 3 Port1 3 VLAN 103 Client 5 Port1 5 VLAN 105 Client 1 192 ...

Page 522: ... Configure a VLAN tag type tag ID that is different than the tag type used on the edge devices If you use the default tag type 8100 on the edge devices set the tag type on the core devices to another value such as 9100 The tag type must be the same on all the core devices The edge devices also must have the same tag type but the type must be different from the tag type on the core devices NOTE You...

Page 523: ...the following commands PowerConnect config tag type 9100 PowerConnect config aggregated vlan PowerConnect config vlan 101 by port PowerConnect config vlan 101 tagged ethernet 4 1 PowerConnect config vlan 101 untagged ethernet 3 1 PowerConnect config vlan 101 exit PowerConnect config vlan 102 by port PowerConnect config vlan 102 tagged ethernet 4 1 PowerConnect config vlan 102 untagged ethernet 3 2...

Page 524: ...hernet 1 3 PowerConnectA config vlan 103 exit PowerConnectA config vlan 104 by port PowerConnectA config vlan 104 tagged ethernet 2 1 PowerConnectA config vlan 104 untagged ethernet 1 4 PowerConnectA config vlan 104 exit PowerConnectA config vlan 105 by port PowerConnectA config vlan 105 tagged ethernet 2 1 PowerConnectA config vlan 105 untagged ethernet 1 5 PowerConnectA config vlan 105 exit Powe...

Page 525: ...same as tag type configured on the other core device Device C In addition VLAN aggregation also must be enabled PowerConnectD config tag type 9100 PowerConnectD config aggregated vlan PowerConnectD config vlan 101 by port PowerConnectD config vlan 101 tagged ethernet 4 1 PowerConnectD config vlan 101 untagged ethernet 3 1 PowerConnectD config vlan 101 exit PowerConnectD config vlan 102 by port Pow...

Page 526: ...n 102 exit PowerConnectF config vlan 103 by port PowerConnectF config vlan 103 tagged ethernet 2 1 PowerConnectF config vlan 103 untagged ethernet 1 3 PowerConnectF config vlan 103 exit PowerConnectF config vlan 104 by port PowerConnectF config vlan 104 tagged ethernet 2 1 PowerConnectF config vlan 104 untagged ethernet 1 4 PowerConnectF config vlan 104 exit PowerConnectF config vlan 105 by port P...

Page 527: ...type the Dell PowerConnect device automatically applies the 802 1Q tag type to all ports within the same port region Likewise if you remove the 802 1Q tag type from a port the Dell PowerConnect device automatically removes the 802 1Q tag type from all ports within the same port region 802 1Q in Q tagging and VSRP are not supported together on the same device In addition to tag type PowerConnect B ...

Page 528: ... unit slotnum portnum The ethernet port to port parameter specifies the ports that will use the defined 802 1Q tag This parameter operates with the following rules If you specify a single port number the 802 1Q tag applies to all ports within the port region For example if you enter the command tag type 9100 ethernet 1 the Dell PowerConnect device automatically applies the 802 1Q tag to ports 1 12...

Page 529: ...AN 105 Ports 1 5 Untagged Ports 1 5 Untagged Device A Port6 Tagged Port6 Tagged Device B Port11 Untagged Port12 Untagged Port17 Tagged Port17 Tagged Port11 Untagged Port12 Untagged Port6 Tagged Port6 Tagged Device E Device F Ports 1 5 Untagged Ports 1 5 Untagged 192 168 1 129 24 Device C Device D Tag Type 8100 Tag Type 9100 on ports 11 and 12 9100 9100 9100 9100 8100 8100 Tag Type 9100 on ports 11...

Page 530: ... command you will see an error message telling you to remove the tag type before you add the tag profile For devices operating in an IronStack topology when a tag type for a port is changed the tag type for all of the ports on a stack unit also changes Because of this limitation SAV and Q in Q cannot be used at the same time on stacking devices CLI Syntax To add a global tag profile enter the foll...

Page 531: ...gistered multicast and unknown unicast packets from outside sources into the PVLAN By default in PowerConnect platforms other than the PowerConnect B Series FCX the device will not forward broadcast unregistered multicast and unknown unicast packets from outside sources into the PVLAN If needed you can override this behavior for broadcast packets unknown unicast packets or both Refer to Displaying...

Page 532: ...multicast traffic from the primary VLAN port is forwarded to all ports in isolated and community VLANs in both the switches Broadcast unknown unicast or unregistered multicast traffic from an isolated port in switch A is not forwarded to an isolated port in switch A It will not be forwarded to an isolated port in switch B across the PVLAN trunk port Broadcast unknown unicast or unregistered multic...

Page 533: ...e IGMP snooping configuration When protocol or subnet VLANs are enabled or if PVLAN mappings are enabled the Dell 3 4 2 1 VLAN 101 Isolated VLAN Ports VLAN 100 Promiscuous Ports VLAN 102 Community VLAN Ports 11 11 10 10 3 2 1 10 10 3 2 1 VLAN 101 Isolated VLAN Ports VLAN 102 Community VLAN Ports VLAN 101 Isolated VLAN Ports VLAN 102 Community VLAN Ports VLAN 101 Isolated VLAN Ports VLAN 102 Commun...

Page 534: ...mmands to create the VLAN and add ports Identify the PVLAN type isolated community or public For the primary VLAN map the other PVLANs to the ports in the primary VLAN A primary VLAN can have multiple ports All these ports are active but the ports that will be used depends on the PVLAN mappings Also secondary VLANs isolated and community VLANs can be mapped to multiple primary VLAN ports You can c...

Page 535: ...tnum portnum to stack unit slotnum portnum The untagged or tagged command adds the ports to the VLAN The pvlan type command specifies that this port based VLAN is a PVLAN Specify primary as the type The pvlan mapping command identifies the other PVLANs for which this VLAN is the primary The command also specifies the primary VLAN ports to which you are mapping the other secondary VLANs The mapping...

Page 536: ... ports of a community VLAN To configure a community PVLAN enter commands such as the following PowerConnect config vlan 901 PowerConnect config vlan 901 untagged ethernet 3 5 to 3 6 PowerConnect config vlan 901 pvlan type community These commands create port based VLAN 901 add ports 3 5 and 3 6 to the VLAN as untagged ports then specify that the VLAN is a community PVLAN Syntax untagged ethernet s...

Page 537: ...filters to control the traffic forwarded into and out of the PVLAN In addition if you are using a Layer 2 Switch you also can use ACLs NOTE PowerConnect B Series FCX devices do not support ACLs on interface groups Command syntax To configure the ports in the primary VLAN to forward broadcast or unknown unicast and multicast traffic received from sources outside the PVLAN enter the following comman...

Page 538: ...switch switch link ports To configure the PVLANs with tagged switch switch link ports as shown in Figure 107 on page 491 enter the following commands PowerConnect B Series FCX Switch 1 PowerConnect config vlan 101 by port PowerConnect config vlan 101 untagged ethernet 1 1 3 PowerConnect config vlan 101 pvlan type isolated PowerConnect config vlan 102 by port PowerConnect config vlan 102 untagged e...

Page 539: ...erConnect B Series FCX 4 PowerConnect config vlan 101 by port PowerConnect config vlan 101 untagged ethernet 1 1 3 PowerConnect config vlan 101 pvlan type isolated PowerConnect config vlan 102 by port PowerConnect config vlan 102 untagged ethernet 1 1 1 to 1 1 2 PowerConnect config vlan 102 pvlan type community PowerConnect config vlan 100 by port PowerConnect config vlan 100 tagged ethernet 1 1 1...

Page 540: ...ethernet 2 9 PowerConnect config vlan 20 interface ethernet 2 11 PowerConnect config if e1000 2 11 dual mode PowerConnect config if e1000 2 11 exit Syntax no dual mode You can configure a dual mode port to transmit traffic for a specified VLAN other than the DEFAULT VLAN as untagged while transmitting traffic for other VLANs as tagged Figure 109 illustrates this enhancement VLAN 20 Traffic Untagge...

Page 541: ... port 2 11 transmits only untagged traffic on VLAN 10 and only tagged traffic on VLAN 20 PowerConnect config vlan 10 by port PowerConnect config vlan 10 untagged ethernet 2 10 PowerConnect config vlan 10 tagged ethernet 2 11 PowerConnect config vlan 10 exit PowerConnect config vlan 20 by port PowerConnect config vlan 20 tagged ethernet 2 9 PowerConnect config vlan 20 tagged ethernet 2 11 PowerConn...

Page 542: ...lphanumeric order By default VLANs are displayed in alphanumeric order as shown in the following example PowerConnect show vlan Total PORT VLAN entries 3 Maximum PORT VLAN entries 16 legend S Slot PORT VLAN 1 Name DEFAULT VLAN Priority level0 Spanning tree Off Untagged Ports S1 1 2 3 4 5 6 7 8 Untagged Ports S2 1 2 3 4 5 6 7 8 12 13 14 15 16 17 18 19 Untagged Ports S2 20 21 22 23 24 Tagged Ports N...

Page 543: ...orts only in VLAN 3 and are not configured as dual mode ports PowerConnect show vlans Total PORT VLAN entries 2 Maximum PORT VLAN entries 8 legend S Slot PORT VLAN 1 Name DEFAULT VLAN Priority level0 Spanning tree Off Untagged Ports S2 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Untagged Ports S2 17 18 19 20 21 22 23 24 Untagged Ports S4 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Untagged Ports S4 17 18 19...

Page 544: ...he device The following shows example output Syntax show vlan brief Displaying VLAN information for specific ports Use one of the following methods to display VLAN information for specific ports To display VLAN information for all the VLANs of which port 7 1 is a member enter the following command PowerConnect show vlan 4 Total PORT VLAN entries 5 Maximum PORT VLAN entries 3210 PORT VLAN 4 Name No...

Page 545: ...bers The following shows an example output Syntax show interfaces ethernet slotnum portnum to slotnum portnum ethernet slotnum portnum The slotnum parameter is required on chassis devices Displaying port default VLAN IDs PVIDs The output of the show interfaces brief command lists the port default VLAN IDs PVIDs for each port PVIDs are displayed as follows PowerConnect show vlans ethernet 7 1 Total...

Page 546: ...d the command displays the default VLAN ID PowerConnect show interfaces brief Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name 1 Up Forward Full 1G None No 1 0 0012 f2a8 4700 a12345678901 2 Up Forward Full 1G None Yes 1 0 0012 f2a8 4701 3 Up Forward Full 1G None Yes NA 0 0012 f2a8 4702 4 Up Forward Full 1G None Yes NA 0 0012 f2a8 4703 5 Up Forward Full 1G None No 2 0 0012 f2a8 4704 6 Down No...

Page 547: ...ly configured VLANs and VLANs learned from other devices through GVRP GVRP enables a Dell PowerConnect device to dynamically create 802 1Q compliant VLANs on links with other devices that are running GVRP GVRP reduces the chances for errors in VLAN configuration by automatically providing VLAN ID consistency across the network You can use GVRP to propagate VLANs to other GVRP aware devices automat...

Page 548: ...e effects of GVRP in this network depend on which devices the feature is enabled on and whether both learning and advertising are enabled In this type of network a core device and edge devices you can have the following four combinations Dynamic core and fixed edge Dynamic core and dynamic edge Fixed core and dynamic edge Fixed core and fixed edge Dynamic core and fixed edge In this configuration ...

Page 549: ... device that is running GVRP GVRP can dynamically add other ports to the statically configured VLANs but cannot delete statically configured ports from the VLANs Dynamic core and dynamic edge GVRP is enabled on the core device and on the edge devices This type of configuration is useful if the devices in the edge clouds are running GVRP and advertise their VLANs to the edge devices The edge device...

Page 550: ... then reload the software However if you reload the software without first saving the configuration change the GVRP configuration is restored following a software reload The maximum number of VLANS supported on a device enabled for GVRP is the same as the maximum number on a device that is not enabled for GVRP To display the maximum number of VLANs allowed on your device enter the show default val...

Page 551: ...ce even if the device has statically configured VLANs GVRP does not remove any ports from the statically configured VLANs although GVRP can add ports to the VLANS GVRP advertises the statically configured VLANs Ports added by GVRP do not appear in the running config and will not appear in the startup config file when save the configuration You can manually add a port to make the port a permanent m...

Page 552: ...m 4093 to 1001 Syntax no gvrp base vlan id vlan id The vlan id parameter specifies the new VLAN ID You can specify a VLAN ID from 2 4092 or 4095 Increasing the maximum configurable value of the Leaveall timer By default the highest value you can specify for the Leaveall timer is 300000 ms You can increase the maximum configurable value of the Leaveall timer to 1000000 ms NOTE You must enter this c...

Page 553: ...ast port in the range For example ethernet 1 1 to 1 8 You can combine lists and ranges in the same command For example enable ethernet 1 1 to 1 8 ethernet 1 24 ethernet 6 24 ethernet 8 17 Disabling VLAN advertising To disable VLAN advertising on a port enabled for GVRP enter a command such as the following at the GVRP configuration level PowerConnect config gvrp block applicant ethernet 1 24 ether...

Page 554: ...imum number of milliseconds ms a device GVRP interfaces wait before sending VLAN advertisements on the interfaces The actual interval between Join messages is randomly calculated to a value between 0 and the maximum number of milliseconds specified for Join messages You can set the Join timer to a value from 200 one third the value of the Leave timer The default is 200 ms Leave The number of ms a ...

Page 555: ...imer command Refer to Increasing the maximum configurable value of the Leaveall timer on page 510 Timer configuration requirements All timer values must be in multiples of 100 ms The Leave timer must be 3 the Join timer The Leaveall timer must be 5 the Leave timer The GVRP timers must be set to the same values on all the devices that are exchanging information using GVRP Changing the Join Leave an...

Page 556: ...ly configured VLAN 22 Syntax no vlan vlan id Syntax no tagged ethernet port to port ethernet port Use the same commands to statically add ports that GVRP added to a VLAN NOTE You cannot add the VLAN ports as untagged ports NOTE After you convert the VLAN the VLAN name changes from GVRP_VLAN_ vlan id to STATIC_VLAN_ vlan id ethernet port specifies a port Specify the port variable in the following f...

Page 557: ...lowing GVRP is disabled on the system GVRP is enabled on the system GVRP BASE VLAN ID The ID of the base VLAN used by GVRP GVRP MAX Leaveall Timer The maximum number of ms to which you can set the Leaveall timer NOTE To change the maximum value refer to Increasing the maximum configurable value of the Leaveall timer on page 510 PowerConnect show gvrp GVRP is enabled on the system GVRP BASE VLAN ID...

Page 558: ...can be dropped for either of the following reasons GVRP packets are received on a port on which GVRP is not enabled NOTE If GVRP support is not globally enabled the device does not drop the GVRP packets but instead forwards them at Layer 2 GVRP packets are received with an invalid GARP Protocol ID The protocol ID must always be 0x0001 Number of VLANs in the GVRP Database The number of VLANs in the...

Page 559: ...n VLAN ID The VLAN ID Mode The type of VLAN which can be one of the following FIXED The port will always be a member of this VLAN and the VLAN will always be advertised on this port by GVRP A port becomes FIXED when you configure the port as a tagged member of a statically configured VLAN FORBIDDEN The VLAN is one of the special VLANs that is not advertised or learned by GVRP In the current releas...

Page 560: ... the maximum number of VLANs the device can have use the system max vlan num command Refer to Displaying and modifying system parameter default settings on page 321 VLAN ID The VLAN ID MODE The type of VLAN which can be one of the following STATIC The VLAN is statically configured and cannot be removed by GVRP This includes VLANs you have configured as well as the default VLAN 1 base GVRP VLAN 409...

Page 561: ... in Changing the GVRP timers on page 512 Legend The meanings of the letter codes used in other parts of the display Forbidden Members The ports that cannot become members of a VLAN advertised or leaned by GVRP Fixed Members The ports that are statically configured members of the VLAN GVRP cannot remove these ports Normal Dynamic Members The ports that were added by GVRP These ports also can be rem...

Page 562: ...smitted The number of Leaveall messages sent Join Empty Transmitted The number of Join Empty messages sent Join In Transmitted The number of Join In messages sent Leave Empty Transmitted The number of Leave Empty messages sent Leave In Transmitted The number of Leave In messages sent Empty Transmitted The number of Empty messages sent Invalid Messages Attributes Skipped The number of invalid messa...

Page 563: ...ge statistics only for the specified number of seconds If you do not use this parameter the command lists the usage statistics for the previous one second one minute five minute and fifteen minute intervals PowerConnect show process cpu Process Name 5Sec 1Min 5Min 15Min Runtime ms ARP 0 01 0 03 0 09 0 22 9 BGP 0 00 0 00 0 00 0 00 0 GVRP 0 00 0 03 0 04 0 07 4 ICMP 0 00 0 00 0 00 0 00 0 IP 0 00 0 00...

Page 564: ...irement You always can have statically configured VLANs on a device that is running GVRP PowerConnect debug gvrp packets GVRP Packets debugging is on GVRP 0x2095ced4 01 80 c2 00 00 21 00 e0 52 ab 87 40 00 3a 42 42 GVRP 0x2095cee4 03 00 01 01 02 00 04 05 00 02 04 05 00 07 04 05 GVRP 0x2095cef4 00 09 04 05 00 0b 04 02 03 e9 04 01 03 eb 04 01 GVRP 0x2095cf04 03 ec 04 01 03 ef 04 01 03 f1 04 01 05 dd ...

Page 565: ...vrp enable PowerConnect config gvrp enable ethernet 4 24 PowerConnect config gvrp block learning ethernet 4 24 These commands statically configure two port based VLANs enable GVRP on port 4 24 and block GVRP learning on the port The device will advertise the VLANs but will not learn VLANs from other devices Enter the following commands on edge device B PowerConnect enable PowerConnect configure te...

Page 566: ...re device PowerConnect enable PowerConnect configure terminal PowerConnect config vlan 20 PowerConnect config vlan 20 tag ethernet 1 24 PowerConnect config vlan 20 tag ethernet 6 24 PowerConnect config vlan 20 vlan 30 PowerConnect config vlan 30 tag ethernet 6 24 PowerConnect config vlan 30 tag ethernet 8 17 PowerConnect config vlan 30 vlan 40 PowerConnect config vlan 40 tag ethernet 1 5 PowerConn...

Page 567: ...dge device VLAN advertising is enabled but learning is disabled GVRP is not configured on the core device This configuration enables the devices in the edge clouds to learn the VLANs configured on the edge devices This configuration does not use any GVRP configuration on the core device The configuration on the edge device is the same as in Dynamic core and fixed edge on page 523 ...

Page 568: ...526 PowerConnect B Series FCX Configuration Guide 53 1002266 01 CLI examples 14 ...

Page 569: ...rce MAC address to VLAN mapping is successfully authenticated While multi device port authentication is in progress all traffic from the new MAC address will be blocked or dropped until the authentication succeeds Traffic is dropped if the authentication fails Static and dynamic hosts Static hosts are devices on the network that do not speak until spoken to Static hosts may not initiate a request ...

Page 570: ...rom a specific source MAC is dropped because authentication failed Incoming traffic from a specific source MAC is classified as untagged into a specific VLAN Incoming traffic from a specific source MAC is classified as untagged into a restricted VLAN Traffic classification is performed by programming incoming traffic and RADIUS returned attributes in the hardware Incoming traffic attributes includ...

Page 571: ...mit ports under the VLAN configuration In the RADIUS server configuration file a MAC address cannot be configured to associate with more than one VLAN This feature does not currently support dynamic assignment of a port to a VLAN Users must pre configure VLANs and port membership before enabling the feature Multi device port authentication filters will not work with MAC based VLANs on the same por...

Page 572: ...d 4000 ip address 10 44 3 3 255 255 255 0 ip default gateway 10 44 3 1 radius server host 10 44 3 111 radius server key 1 ndUno mac authentication enable mac authentication mac vlan dyn activation mac authentication max age 60 mac authentication hw deny age 30 mac authentication auth passwd format xxxx xxxx xxxx show table mac vlan Displays information about allowed and denied MAC addresses on por...

Page 573: ...t in any of the VLANs any MAC addresses learned on this port will be blocked in the reserved VLAN To prevent this you must create all of the VLANs and add all ports as mac vlan permit before enabling MAC based VLAN on any ports Disable any multi device port authentication on ports you will be using for MAC to VLAN mapping NOTE Do not configure MAC based VLAN on ports that are tagged to any VLAN Do...

Page 574: ...ric and Dell vendor specific attributes on the RADIUS server If the RADIUS authentication process is successful the RADIUS server sends an Access Accept message to the Dell PowerConnect device authenticating the device The Access Accept message includes Vendor Specific Attributes VSAs that specify additional information about the device Add Dell vendor specific attributes to your RADIUS server con...

Page 575: ...werConnect device is no longer receiving traffic from a MAC based VLAN MAC address the hardware aging period begins and lasts for a fixed length of time default or user configured TABLE 90 Dell vendor specific attributes for RADIUS Attribute name Attribute ID Data type Optional or mandatory Description Foundry MAC based VLAN QoS 8 decimal Optional The QoS attribute specifies the priority of the in...

Page 576: ...aging period To change the length of the software aging period for blocked MAC addresses enter a command such as the following PowerConnect config mac authentication max age 180 Syntax no mac authentication max age seconds You can specify from 1 65535 seconds The default is 120 seconds Disabling aging for MAC based VLAN sessions MAC addresses that have been authenticated or denied by a RADIUS serv...

Page 577: ...ased VLAN for a static host 1 Enable multi device port authentication globally using the following command PowerConnect config mac authentication enable 2 Add each port on which you want MAC based VLAN enabled as mac vlan permit for a specific VLAN PowerConnect config vlan 10 by port PowerConnect config vlan 10 mac vlan permit ethernet 0 1 1 to 0 1 6 added mac vlan permit ports ethe 0 1 1 to 0 1 6...

Page 578: ...t config if e1000 0 1 1 no mac auth mac vlan Configuring dynamic MAC based VLAN To globally enable MAC based VLAN globally for all MAC based VLAN ports enter the following commands PowerConnect config mac authentication enable PowerConnect config mac authentication mac vlan dyn activation To configure Dynamic MAC based VLAN to add a specific port to a specific VLAN enter commands similar to the fo...

Page 579: ...ess Enter the following command to display the MAC VLAN table information for a specific MAC address PowerConnect config show table mac vlan 0000 0010 1001 MAC Address Port Vlan Authenticated Time Age dot1x 0000 0010 1001 1 1 1 2 Yes 00d00h05m45s Ena Dis Syntax show table mac vlan mac address The following table describes the information in this output This field Displays Port The port number wher...

Page 580: ... a restricted VLAN Time The time at which the MAC address was authenticated If the clock is set on the Dell PowerConnect device then the actual date and time are displayed If the clock has not been set then the time is displayed relative to when the device was last restarted Age The age of the MAC address entry in the authenticated MAC address list Dot1x Indicates if 802 1X authentication is enabl...

Page 581: ...o display a detailed version of MAC VLAN information This field Displays MAC Address The denied MAC address for which the information is displayed Port The port where MAC based VLAN is enabled Vlan This field displays VLAN 4092 for blocked hosts or the restricted VLAN ID if it is configured on the port Authenticated No indicates that authentication has failed Inp indicates that authentication is i...

Page 582: ...ed mac 30 seconds MAC Filter applied No MAC Address RADIUS Authenticated Time Age CAM MAC Dot1x Type Pri Index Index 0000 0200 0012 0 0 0 0 No 00d00h00m00s S12 N A N A Dis Dyn 0 0000 0200 0017 0 0 0 0 No 00d00h00m00s S20 N A N A Dis Dyn 0 0000 0200 0018 0 0 0 0 No 00d00h00m00s S20 N A N A Dis Dyn 0 0000 0100 000a 10 44 3 111 Yes 00d19h38m30s Ena 000b 22d4 Dis Dyn 5 0000 0200 0019 0 0 0 0 No 00d00h...

Page 583: ...set for Foundry MAC based VLAN QoS attribute in the RADIUS configuration for dynamic hosts if configured If the Foundry MAC based VLAN QoS attribute is not configured the value will be zero For static hosts the user configured priority value for the MAC address is displayed PowerConnect show table mac vlan e 0 1 1 MAC Address Port Vlan Authenticated Time Age CAM MAC Dot1x Type Pri Index Index 0000...

Page 584: ...s displayed Type Dynamic MBV Indicates a dynamic host Static MBV indicates a static host Index The index of the entry in the hardware MAC table VLAN The VLAN to which these addresses are assigned PowerConnect show mac address Total active entries from all ports 1541 MAC Address Port Type Index VLAN 0000 2000 0001 0 1 32 Dynamic MBV 1048 1 0000 2000 0002 0 1 32 Dynamic MBV 1832 1 0000 2000 0003 0 1...

Page 585: ...d 0 messages dropped 0 flushes 15 overruns Buffer logging level ACDMEINW 50 messages logged level code A alert C critical D debugging M emergency E error Static Log Buffer 0d00h00m12s A System Power supply 1 is up Dynamic Log Buffer 50 lines 0d18h46m28s I running config was changed from console 0d02h12m25s A MAC Based Vlan Mapping failed for 0000 1111 0108 on port 0 2 1 Invalid User 0d02h08m52s A ...

Page 586: ... vlan permit ethe 0 1 1 to 0 1 2 no spanning tree vlan 2 by port untagged ethe 0 1 30 mac vlan permit ethe 0 1 1 to 0 1 2 no spanning tree vlan 666 name mac_restricted by port untagged ethe 0 1 20 mac vlan permit ethe 0 1 1 to 0 1 2 no spanning tree vlan 4000 name DEFAULT VLAN by port no spanning tree vlan 4004 by port mac vlan permit ethe 0 1 1 default vlan id 4000 ip address 10 44 3 8 255 255 25...

Page 587: ...mac vlan command returns the following results for all ports in this configuration The show table mac vlan e 0 1 1 command returns the following results for port 0 1 1 in this configuration PowerConnect show table mac vlan Port Vlan Accepted Rejected Attempted Static Static Max Macs Macs Macs Macs Conf Macs 0 1 1 N A 2 1 0 1 1 5 0 1 2 N A 0 0 0 0 0 5 PowerConnect show table mac vlan e 0 1 1 MAC Ad...

Page 588: ...546 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Sample application 15 ...

Page 589: ...nied packets Yes ACL logging with traffic rate limiting to prevent CPU overload Yes This feature is enabled by default on PowerConnect B Series FCX devices There is no CLI command to enable or disable it Strict control of ACL filtering of fragmented packets Yes ACL support for switched traffic in the router image Yes This feature is enabled by default on PowerConnect B Series FCX devices There is ...

Page 590: ...deny packets in the hardware without sending the packets to the CPU for processing Rule based ACLs are supported on the following interface types Gbps Ethernet ports 10 Gbps Ethernet ports Trunk groups Virtual routing interfaces Types of IP ACLs You can configure the following types of IP ACLs Standard Permits or denies packets based on source IP address Valid standard ACL IDs are 1 99 or a charac...

Page 591: ...commands for named ACLs Numbered ACL If you refer to the ACL by a numeric ID you can use 1 99 for a standard ACL or 100 199 for an extended ACL Named ACL If you refer to the ACL by a name you specify whether the ACL is a standard ACL or an extended ACL then specify the name You can configure up to 99 standard numbered IP ACLs and 100 extended numbered IP ACLs You also can configure up to 99 standa...

Page 592: ... handled the same way as non fragmented packets since the first fragment contains the Layer 4 source and destination application port numbers The device uses the Layer 4 CAM entry if one is programmed or applies the interface s ACL entries to the packet and permits or denies the packet according to the first matching ACL For other fragments of the same packet they are subject to a rule only if the...

Page 593: ...packet ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP Inspection DAI are enabled Also IP source guard and ACLs are supported together on the same port as long as both features are configured at the port level or per port per VLAN level Dell PowerConnect ports do not support IP source guard and ACLs on the same port if one is configured at the port level and the...

Page 594: ...ll hosts in the Class C subnet 209 157 22 x match the policy If you prefer to specify the wildcard mask value in CIDR format you can enter a forward slash after the IP address then enter the number of significant bits in the mask For example you can enter the CIDR equivalent of 209 157 22 26 0 0 0 255 as 209 157 22 26 24 The CLI automatically converts the CIDR number into the appropriate ACL mask ...

Page 595: ...ss list 1 permit any PowerConnect config int eth 1 1 PowerConnect config if 1 1 ip access group 1 in PowerConnect config write memory The commands in this example configure an ACL to deny packets from three source IP addresses from being received on port 1 1 The last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries Configuring standard named A...

Page 596: ...og The deny permit parameter indicates whether packets that match a policy in the access list are denied dropped or permitted forwarded The source ip parameter specifies the source IP address Alternatively you can specify the host name NOTE To specify the host name instead of the IP address the host name must be configured using the DNS resolver on the Dell PowerConnect device To configure the DNS...

Page 597: ... 0 0 0 0 is implied The any parameter configures the policy to match on all host addresses The log argument configures the device to generate Syslog entries and SNMP traps for packets that are denied by the access policy NOTE You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use To do so re enter the ACL or filter command and add the log ...

Page 598: ...IP address or host name Source TCP or UDP port if the IP protocol is TCP or UDP Destination TCP or UDP port if the IP protocol is TCP or UDP The IP protocol can be one of the following well known names or any IP protocol number from 0 255 Internet Control Message Protocol ICMP Internet Group Management Protocol IGMP Internet Gateway Routing Protocol IGRP Internet Protocol IP Open Shortest Path Fir...

Page 599: ...f 209 157 22 26 0 0 0 255 as 209 157 22 26 24 The CLI automatically converts the CIDR number into the appropriate ACL mask where zeros instead of ones are the significant bits and changes the non significant portion of the IP address into zeros For example if you specify 209 157 22 26 24 or 209 157 22 26 0 0 0 255 then save the changes to the startup config file the value appears as 209 157 22 0 2...

Page 600: ...TCP ports gt The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt lt The policy applies to TCP or UDP port numbers that are less than the port number or the numeric equivalent of the port name you enter after lt neq The policy applies to all TCP or UDP port numbers except the port number or port name you enter afte...

Page 601: ...precedence If you specify the option number instead of the name specify number 7 priority or 1 The ACL matches packets that have the priority precedence If you specify the option number instead of the name specify number 1 routine or 0 The ACL matches packets that have the routine precedence If you specify the option number instead of the name specify number 0 The tos name num parameter of the ip ...

Page 602: ...hapter Configuring Traffic Policies on page 759 Configuration examples for extended numbered ACLs To configure an extended access list that blocks all Telnet traffic received on port 1 1 from IP host 209 157 22 26 enter the following commands Here is another example of commands for configuring an extended ACL and applying it to an interface These examples show many of the syntax choices Notice tha...

Page 603: ...lowed The fourth entry denies UDP packets from any source to the 209 157 22 x network if the UDP port number from the source network is 5 or 6 and the destination UDP port is 7 or 8 The fifth entry permits all packets that are not explicitly denied by the other entries Without this entry the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL The following c...

Page 604: ...ames or any IP protocol number from 0 255 Internet Control Message Protocol ICMP Internet Group Management Protocol IGMP Internet Gateway Routing Protocol IGRP Internet Protocol IP Open Shortest Path First OSPF Transmission Control Protocol TCP User Datagram Protocol UDP For TCP and UDP you also can specify a comparison operator and port name or number For example you can configure a policy to blo...

Page 605: ...e ACL mask where zeros instead of ones are the significant bits and changes the non significant portion of the IP address into zeros For example if you specify 209 157 22 26 24 or 209 157 22 26 0 0 0 255 then save the changes to the startup config file the value appears as 209 157 22 0 24 if you have enabled display of subnet lengths or 209 157 22 0 0 0 0 255 in the startup config file If you enab...

Page 606: ...licy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt lt The policy applies to TCP or UDP port numbers that are less than the port number or the numeric equivalent of the port name you enter after lt neq The policy applies to all TCP or UDP port numbers except the port number or port name you enter after neq range The pol...

Page 607: ...recedence If you specify the option number instead of the name specify number 7 priority or 1 The ACL matches packets that have the priority precedence If you specify the option number instead of the name specify number 1 routine or 0 The ACL matches packets that have the routine precedence If you specify the option number instead of the name specify number 0 The tos name num parameter of the ip a...

Page 608: ...raffic policy option enables the device to rate limit inbound traffic and to count the packets and bytes per packet to which ACL permit or deny clauses are applied For configuration procedures and examples refer to the chapter Configuring Traffic Policies on page 759 Configuration example for extended named ACLs To configure an extended named ACL enter commands such as the following The options at...

Page 609: ... commands that display ACL information This section describes how to add delete and view ACL comments Adding a comment to an entry in a numbered ACL To add comments to entries in a numbered ACL enter commands such as the following You can add comments to entries in a numbered ACL using the syntax for named ACLs For example using the same example configuration above you could instead enter the foll...

Page 610: ...entry that is you cannot enter the ACL entry and the ACL comment with the same ip access list command Also in order for the remark to be displayed correctly in the output of show commands the comment must be entered immediately before the ACL entry it describes Note that an ACL comment is tied to the ACL entry immediately following the comment Therefore if the ACL entry is removed the ACL comment ...

Page 611: ...tatic ethe 1 PowerConnect config vlan ip subnet router interface ve 10 PowerConnect config vlan ip subnet ip subnet 10 15 1 0 255 255 255 0 PowerConnect config vlan ip subnet static ethe 1 PowerConnect config vlan ip subnet router interface ve 20 PowerConnect config vlan ip subnet logging console PowerConnect config vlan ip subnet exit PowerConnect config vlan 1 no vlan dynamic discovery Vlan dyna...

Page 612: ...entries After five minutes the software generates a single Syslog entry for each ACL entry that denied a packet The Syslog entry message indicates the number of packets denied by the ACL entry during the previous five minutes Note however that packet count may be inaccurate if the packet rate is high and exceeds the CPU processing rate If no ACL entries explicitly deny packets during an entire fiv...

Page 613: ...000 1 4 ACL logging PowerConnect config if e1000 1 4 ip access group 1 in The above commands create ACL entries that include the log option enable ACL logging on interface e 1 4 then bind the ACL to interface e 1 4 Statistics for packets that match the deny statements will be logged Syntax ACL logging The ACL logging command applies to IPv4 devices only For IPv6 devices use the logging enable comm...

Page 614: ... as non fragmented packets since the first fragment contains the Layer 4 source and destination application port numbers The device uses the Layer 4 CAM entry if one is programmed or applies the interface s ACL entries to the packet and permits or denies the packet according to the first matching ACL For other fragments of the same packet they are subject to a rule only if there is no Layer 4 info...

Page 615: ...s applied to a physical or virtual routing interface the Layer 3 device filters routed traffic only It does not filter traffic that is switched from one port to another within the same VLAN or virtual routing interface even if an ACL is applied to the interface You can enable the device to filter switched traffic within a VLAN or virtual routing interface When filtering is enabled the device uses ...

Page 616: ...s do not support a globally configured PBR policy together with per port per VLAN ACLs IPv4 ACLs that filter based on VLAN membership or VE port membership ACL per port per VLAN are supported together with IPv6 ACLs on the same device as long as they are not bound to the same port or virtual interface Applying an IPv4 ACL to specific VLAN members on a port Layer 2 devices only NOTE This section ap...

Page 617: ...nterface You also can specify a subset of ports within the VLAN containing a specified virtual interface when assigning an ACL to that virtual interface Use this feature when you do not want the IPv4 ACLs to apply to all the ports in the virtual interface VLAN or when you want to streamline IPv4 ACL performance for the VLAN To apply an ACL to a subset of ports within a virtual interface enter comm...

Page 618: ...P table from being overwritten by a hijacking host Using ACLs to filter ARP requests checks the source IP address in the received ARP packet Only packets with the permitted IP address will be allowed to be to be written in the ARP table others are dropped Configuration considerations This feature is available on devices running Layer 3 code This filtering occurs on the management processor The fea...

Page 619: ...g ve 2 ip use ACL on arp 103 specifies ACL 103 to be used as the filter Allow the ACL ID to be inherited from the IP ACLs that have been defined for the device In the example above the line PowerConnect config ve 4 ip use ACL on arp allows the ACL to be inherited from IP ACL 101 because of the ip follow relationship between virtual routing interface 2 and virtual routing interface 4 Virtual routin...

Page 620: ...ter commands such as the following The first entry in this IP ACL denies TCP traffic from the 209 157 21 x network to the 209 157 22 x network if the traffic has the IP ToS option normal equivalent to 0 The second entry denies all FTP traffic from the 209 157 21 x network to the 209 157 22 x network if the traffic has the IP ToS value 13 equivalent to max throughput min delay and min monetary cost...

Page 621: ... the outgoing packet with the value you specify internal priority marking and 802 1p priority marking Supported with the DSCP marking option these commands assign traffic that matches the ACL to a hardware forwarding queue internal priority marking and re mark the packets that match the ACL with the 802 1p priority 802 1p priority marking dscp matching Matches on the packet DSCP value This option ...

Page 622: ... Dell PowerConnect devices support a simple method for assigning an 802 1p priority value to packets without affecting the actual packet or the DSCP In early IronWare software releases users were required to provide DSCP marking and DSCP matching information in order to assign 802 1p priority values which required the deployment of a 64 line ACL to match all possible DSCP values Users were also re...

Page 623: ...h this 802 1p priority later at the outgoing 802 1Q interface The internal priority marking 0 7 parameter assigns traffic that matches the ACL to a specific hardware forwarding queue qosp0 qosp7 NOTE The internal priority marking parameter overrides port based priority settings In addition to changing the internal forwarding priority if the outgoing interface is an 802 1Q interface this parameter ...

Page 624: ... guide and mean the same thing Using ACLs to control multicast features You can use ACLs to control the following multicast features Limit the number of multicast groups that are covered by a static rendezvous point RP Control which multicast groups for which candidate RPs sends advertisement messages to bootstrap routers Identify which multicast group packets will be forwarded or blocked on an in...

Page 625: ... the ACL itself is the total of the CAM entries used by the ACL entries For flow based ACLs the Total flows and Flows fields list the number of Layer 4 session table flows in use for the ACL The Total packets and Packets fields apply only to flow based ACLs Troubleshooting ACLs Use the following methods to troubleshoot ACLs To display the number of Layer 4 CAM entries being used by each ACL enter ...

Page 626: ... a port if that port already has ACLs ACL based rate limiting DSCP based QoS MAC address filtering The number of route maps that you can define is limited by the available system memory which is determined by the system configuration and how much memory other features use When a route map is used in a PBR policy the PBR policy uses up to six instances of a route map up to five ACLs in a matching p...

Page 627: ...onfigure a route map that matches based on this ACL the software uses the route map to set route attributes for the traffic thus enforcing PBR NOTE Do not use an access group to apply the ACL to an interface Instead use a route map to apply the ACL globally or to individual interfaces for PBR as shown in the following sections Syntax no access list num deny permit source ip hostname wildcard or Sy...

Page 628: ...ig file If you enable the software to display IP subnet masks in CIDR format the mask is saved in the file in mask bits format To enable the software to display the CIDR masks enter the ip show subnet length command at the global CONFIG level of the CLI You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format NOTE I...

Page 629: ...re compared to the instances in ascending numerical order For example a route is compared to instance 1 then instance 2 and so on PBR uses up to six route map instances for comparison and ignores the rest Syntax no match ip address ACL num or name The ACL num parameter specifies a standard or extended ACL number or name Syntax no set ip next hop ip addr This command sets the next hop IP address fo...

Page 630: ...s 209 157 23 x 209 157 24 x and 209 157 25 x In this example route maps specify the next hop gateway for packets from each of these subnets Packets from 209 157 23 x are sent to 192 168 2 1 Packets from 209 157 24 x are sent to 192 168 2 2 Packets from 209 157 25 x are sent to 192 168 2 3 The following commands configure three standard ACLs Each ACL contains one of the ACLs listed above Make sure ...

Page 631: ... 168 2 3 PowerConnect config route map test route permit 52 PowerConnect config routemap test route match ip address 52 PowerConnect config routemap test route set ip next hop 192 168 2 3 PowerConnect config routemap test route exit The following command enables PBR by globally applying the test route route map to all interfaces PowerConnect config ip policy route map test route Alternatively you ...

Page 632: ... if e10000 3 11 ip address 192 168 1 204 32 PowerConnect config if e10000 3 11 ip policy route map file 13 Trunk formation When a trunk is formed the PBR policy on the primary port applies to all the secondary ports If a different PBR policy exists on a secondary port at the time of a trunk formation that policy is overridden by the PBR policy on the primary port If the primary port does not have ...

Page 633: ...ey enter the switch These priorities can be determined on the basis of information contained within the packet or assigned to the packet as it arrives at the switch Once a packet or traffic flow is classified it is mapped to a forwarding priority queue Packets on Dell PowerConnect devices are classified in up to eight traffic classes with values between 0 and 7 Packets with higher priority classif...

Page 634: ...it along to the next hop This is described in the ACL chapter in the section QoS options for IP ACLs on page 579 Given the variety of different criteria there are many possibilities for traffic classification within a stream of network traffic For this reason the priority of packets must be resolved based on which criteria takes precedence Precedence follows the scheme illustrated in Figure throug...

Page 635: ...apping between the internal priority and the forwarding queue cannot be changed Table 94 through Table 97 show the default QoS mappings that are used if the trust level for CoS or DSCP is enabled Packet received on ingress port Does the port have a default priority Use the default priority of 0 Trust the port s default priority Trust the DSCP CoS mapping or the DSCP marking Yes Does the MAC addres...

Page 636: ...alue 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 DSCP value 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Internal forwarding priority 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 Forwarding queue 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 TABLE 96 Default QoS mappings columns 32 to 47 DSCP value 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 802 1p CoS value 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 DSCP value 32 33 34 35 36 37 38 39 40 4...

Page 637: ...tack topology the priority of stacking specific control packets is elevated above that of data path packets preventing loss of control packets and timed retries that affect performance This prioritization also prevents stack topology changes that may occur if enough stack topology information packets are lost IronStack technology reserves one QoS profile to provide a higher priority for stack topo...

Page 638: ... When stacking is disabled on a device outgoing traffic is marked with 802 1p based on the internal hardware queue QoS queues Dell PowerConnect devices support the eight QoS queues qosp0 through qosp7 listed in Table 98 The queue names listed in Table 98 are the default names If desired you can rename the queues as shown in Renaming the queues on page 605 Packets are classified and assigned to spe...

Page 639: ...802 1 equivalent to one of eight QoS queues listed in Table 98 Assigning static MAC entries to priority queues By default all MAC entries are in the best effort queue When you configure a static MAC entry you can assign the entry to a higher QoS level To configure a static MAC entry and assign the entry to the premium queue enter commands such as the following PowerConnect config vlan 9 PowerConne...

Page 640: ... configured static MAC address with priority then static MAC priority will be used If the ingress port has a configured priority then port priority will be used Otherwise the configured or default port priority 0 will be used Note that the original 802 1p priority in the packet will be retained This feature does not re mark the 802 1p value Configuration notes and feature limitations This feature ...

Page 641: ...cribed in the Enterprise Configuration and Management Guide Dell IronWare releases also support marking of the DSCP value The software can read Layer 3 Quality of Service QoS information in an IP packet and select a forwarding queue for the packet based on the information The software interprets the value in the six most significant bits of the IP packet header 8 bit ToS field as a Diffserv Contro...

Page 642: ...re forwarding queue The mappings are globally configurable and apply to all interfaces Default DSCP to internal forwarding priority mappings The DSCP values are described in RFCs 2474 and 2475 Table 99 lists the default mappings of DSCP values to internal forwarding priority values Notice that DSCP values range from 0 through 63 whereas the internal forwarding priority values range from 0 through ...

Page 643: ...lue dscp value to priority The dscp value dscp value variable specifies the DSCP value ranges you are remapping You can specify up to eight DSCP values in the same command to map to the same forwarding priority For example PowerConnect config qos tos map dscp priority 1 2 3 4 5 6 7 8 to 6 The priority variable specifies the internal forwarding priority The first command in the example maps priorit...

Page 644: ...queue variable specifies the hardware forwarding queue to which you are reassigning the priority The default queue names are as follows qosp7 qosp6 qosp5 qosp4 qosp3 qosp2 qosp1 qosp0 8 to 4 queue mapping The default scheduling configuration for Weighted Round Robin WRR Hybrid WRR and Strict Priority SP and SP mode for 8 to 4 queues is described in Table 101 TABLE 101 Default configuration for 8 t...

Page 645: ...RR ensures that all queues are serviced during each cycle A WRR algorithm is used to rotate service among the eight queues on the PowerConnect devices The rotation is based on the weights you assign to each queue This method rotates service among the queues forwarding a specific number of packets in one queue before moving on to the next one NOTE In stacking mode the qosp7 queue is reserved as str...

Page 646: ...ct priority to delay sensitive traffic such as VoIP traffic and weighted round robin priority to other traffic types By default when you select the combined SP and WRR queueing method the Dell PowerConnect device assigns strict priority to traffic in qosp7 and qosp6 and weighted round robin priority to traffic in qosp0 through qosp5 Thus the Dell PowerConnect device schedules traffic in queue 7 an...

Page 647: ... of a port outbound bandwidth guaranteed to the queue Renaming the queues The default queue names are qosp7 qosp6 qosp5 qosp4 qosp3 qosp2 qosp1 and qosp0 You can change one or more of the names if desired To rename queue qosp3 to 92 octane enter the following command PowerConnect config qos name qosp3 92 octane Syntax qos name old name new name The old name variable specifies the name of the queue...

Page 648: ...enter commands such as the following Note that this example uses the default queue names Syntax no qos profile queue percentage queue percentage queue percentage queue percentage queue percentage queue percentage queue percentage queue percentage Each queue variable specifies the name of a queue You can specify the queues in any order on the command line but you must specify each queue TABLE 103 D...

Page 649: ...6 qosp2 16 qosp1 16 qosp0 16 Syntax no qos profile queue 7 sp queue 6 sp percentage queue 5 percentage queue 4 percentage queue 3 percentage queue 2 percentage queue 1 percentage queue 0 percentage Each queue x variable specifies the name of a queue You can specify the queues in any order on the command line but you must specify each queue Note that queue 7 supports strict priority only queue 6 su...

Page 650: ...riority Profile qosp7 Priority7 bandwidth requested 25 calculated 25 Profile qosp6 Priority6 bandwidth requested 15 calculated 15 Profile qosp5 Priority5 bandwidth requested 12 calculated 12 Profile qosp4 Priority4 bandwidth requested 12 calculated 12 Profile qosp3 Priority3 bandwidth requested 10 calculated 10 Profile qosp2 Priority2 bandwidth requested 10 calculated 10 Profile qosp1 Priority1 ba...

Page 651: ... information This field Displays DSCP to traffic class map d1 and d2 The DSCP to forwarding priority mappings that are currently in effect NOTE The example shows the default mappings If you change the mappings the command displays the changed mappings Traffic class to 802 1 priority map Traffic Class and 802 1p Priority The traffic class to 802 1p priority mappings that are currently in effect NOT...

Page 652: ...eues that are currently in effect for 8 to 4 queue QoS priority 7 is the highest priority and QoS 0 is the lowest priority PowerConnect show qos tos DSCP Traffic Class map DSCP d1d2 00 01 63 d2 0 1 2 3 4 5 6 7 8 9 d1 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 3 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 6 6 5 6 6 6 6 6 6 7 7 7 7 6 7 7 7 7 Traffic Class 802 1p Priority map use to ...

Page 653: ...g policy The maximum number of supported active TPDs is a system wide parameter and depends on the device you are configuring The total number of active TPDs cannot exceed the system maximum Refer to Maximum number of traffic policies supported on a device on page 612 When you apply a traffic policy to an interface you do so by adding a reference to the traffic policy in an ACL entry instead of ap...

Page 654: ...rate limiting the device re marks CoS parameters based on the DSCP value in the packet header and the determined conformance level of the rate limited traffic as shown in Table 107 When you define a TPD reference the TPD in an ACL entry and then apply the ACL to a VE in the Layer 3 router code the rate limit policy is accumulative for all of the ports in the port region If the VE or VLAN contains ...

Page 655: ...e 0 disables hardware resources for traffic policies and n is a number up to 50 The maximum number you can configure depends on the configuration and available memory on your device If the configuration you enter causes the device to exceed the available memory the device will reject the configuration and display a warning message on the console NOTE Dell does not recommend setting the system maxi...

Page 656: ...ts above the limit You can configure adaptive rate limiting to forward traffic modify the IP precedence of and forward traffic or drop traffic based on whether the traffic is within the limit or exceeds the limit Configuring ACL based fixed rate limiting Use the procedures in this section to configure ACL based fixed rate limiting Before configuring this feature see what to consider in Configurati...

Page 657: ...hat you cannot delete a traffic policy definition if it is currently in use on a port To delete a traffic policy first unbind the associated ACL The traffic policy TPD name parameter is the name of the traffic policy definition This value can be eight or fewer alphanumeric characters The rate limit fixed cir value parameter specifies that the traffic policy will enforce a strict bandwidth The cir ...

Page 658: ...e port receives additional bits during a given one second interval the port drops all packets on the port until the next one second interval starts Syntax no traffic policy TPD name rate limit adaptive cir cir value cbs cbs value pir pir value pbs pbs value exceed action action count Syntax access list num permit deny traffic policy TPD name Syntax no ip access group num in NOTE For brevity some p...

Page 659: ... to ACL statistics and rate limit counting on page 619 Inspecting the 802 1p bit in the ACL for adaptive rate limiting NOTE This feature is supported on PowerConnect B Series FCX devices only You can configure the Dell device to rate limit traffic for a specified 802 1p priority value To do so complete the following configuration steps 1 Create an adaptive rate limiting traffic policy Enter comman...

Page 660: ... all packets on the port until the next one second interval starts Syntax no traffic policy TPD name rate limit adaptive cir cir value cbs cbs value pir pir value pbs pbs value exceed action drop Permitting packets that exceed the limit This section shows some example configurations and provides the CLI syntax for configuring a port to permit packets that exceed the configured limit for rate limit...

Page 661: ... the procedures in this section to configure ACL statistics Before configuring ACL statistics see what to consider in Configuration notes and feature limitations on page 612 You also can enable ACL statistics when you create a traffic policy for rate limiting Refer to Enabling ACL statistics with rate limiting traffic policies on page 620 Complete the following steps to implement the ACL statistic...

Page 662: ... fixed 10000 exceed action drop count Syntax no traffic policy TPD name rate limit fixed cir value count Syntax no traffic policy TPD name rate limit fixed cir value exceed action action count To enable ACL counting while defining traffic policies for adaptive rate limiting enter commands such as the following at the global CONFIG level of the CLI PowerConnect config traffic policy TPDA4 rate limi...

Page 663: ...t accounting traffic policy CountOne PowerConnect config clear statistics traffic policy CountTwo Syntax clear access list accounting traffic policy TPD name TABLE 109 ACL and rate limit counting statistics This line Displays Traffic Policy The name of the traffic policy General Counters Port Region The port region to which the active traffic policy applies Byte Count The number of bytes that were...

Page 664: ...enabled this field shows the type of metering enabled on the port Fixed Rate Limiting Adaptive Rate Limiting cir The committed information rate in kbps for the adaptive rate limiting policy cbs The committed burst size in bytes per second for the adaptive rate imiting policy pir The peak information rate in kbps for the adaptive rate limiting policy pbs The peak burst size in bytes per second for ...

Page 665: ...tes Adding a static IP route To add a static IP route enter a command such as the following at the global CONFIG level of the CLI PowerConnect config ip route 209 157 2 0 255 255 255 0 192 168 2 1 This command adds a static IP route to the 209 157 2 x 24 subnet Syntax no ip route dest ip addr dest mask next hop ip addr metric tag num TABLE 111 Supported base Layer 3 features Feature PowerConnect B...

Page 666: ...revent a particular entry from aging out The software removes a dynamic entry from the ARP cache if the ARP aging interval expires before the entry is refreshed Static entries do not age out regardless of whether the Dell PowerConnect device receives an ARP request from the device that has the entry address The software places a static ARP entry into the ARP cache as soon as you create the entry T...

Page 667: ...nfiguration differences for IPv6 models versus IPv4 models The differences are as follows Number of IP next hops and IP route entries 6144 maximum and default value The system automatically calculates this value based on the maximum number of VLANs supported system wide Number of hardware logical interfaces physical port and VLAN pairs This value is the same as the maximum number of VLANs supporte...

Page 668: ...igmp group memb 140 sec igmp query 60 sec ospf dead 40 sec ospf hello 10 sec ospf retrans 5 sec ospf transit delay 1 sec System Parameters Default Maximum Current ip arp 4000 64000 4000 ip static arp 512 1024 512 some lines omitted for brevity hw ip next hop 2048 6144 2048 hw logical interface 4096 4096 4096 hw ip mcast mll 1024 4096 1024 PowerConnect show default value sys log buffers 50 mac age ...

Page 669: ...e port variable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum Enabling redistribution of IP static routes into RIP By default the software does not redistribute the IP static routes in the route table into RIP To configure redistribution perform the following tasks Configure redistribution filters optional You can configure filters to permit or de...

Page 670: ...m being redistributed the software does not redistribute that route even if a filter with a higher ID permits redistribution of the route The address ip addr ip mask parameters apply redistribution to the specified network and subnet address Use 0 to specify any For example 207 92 0 0 255 255 0 0 means any 207 92 x x subnet However to specify any subnet all subnets match the filter enter address 2...

Page 671: ...ertising it on the same interface as the one on which it learned the route This is the default NOTE These methods are in addition to RIP maximum valid route cost of 15 To enable split horizon enter commands such as the following PowerConnect config interface ethernet 0 1 1 PowerConnect config if e1000 1 no ip rip poison reverse Syntax no ip rip poison reverse Other layer 3 protocols For informatio...

Page 672: ... If you want to disable Layer 2 switching you can do so globally or on individual ports depending on the version of software your device is running NOTE Make sure you really want to disable all Layer 2 switching operations before you use this option Consult Dell for information Configuration Notes and Feature Limitations This feature is supported in the edge Layer 3 and full Layer software images ...

Page 673: ... go to the Interface configuration level for that interface then disable the feature The following commands show how to disable Layer 2 switching on port 2 PowerConnect config interface ethernet 2 PowerConnect config if e1000 2 route only Syntax route only To re enable Layer 2 switching enter the command with no as in the following example PowerConnect config if e1000 2 no route only ...

Page 674: ...632 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Enabling or disabling layer 2 switching 19 ...

Page 675: ...r issued from the first port is forwarded to the second port as well Attach a protocol analyzer on the mirror port to monitor each segment separately The analyzer captures and evaluates the data without affecting the client on the original port The mirror port may be a port on the same switch with an attached RMON probe a port on a different switch in the same hub or the switch processor Configuri...

Page 676: ...ort and the mirror port The same port can be monitored by one mirror port for ingress traffic and another mirror port for egress traffic The mirror port cannot be a trunk port The monitored port and its mirror port do not need to belong to the same port based VLAN If the mirror port is in a different VLAN from the monitored port the packets are tagged with the monitor port VLAN ID If the mirror po...

Page 677: ...command PowerConnect config interface ethernet 1 1 3 PowerConnect config if e1000 1 1 3 ip access group 101 PowerConnect config if e1000 1 1 3 acl mirror port ethernet 2 1 48 PowerConnect config if e1000 1 1 3 permit ip any any mirror PowerConnect config if e1000 1 1 3 ip access group 102 PowerConnect config if e1000 1 1 3 deny ip any any log Command syntax This section describes how to configure ...

Page 678: ...x no mirror port ethernet port input output Syntax no config trunk ind Syntax no monitor ethernet port both in out The port variable for mirror port ethernet specifies the port to which the monitored traffic will be copied The port variable for monitor ethernet specifies the port on which traffic will be monitored Specify the port variable in the following formats PowerConnect B Series FCX stackab...

Page 679: ...mber of monitored VLANs on an IronStack is 8 Example 1 Configuring mirroring for ports on different members in an IronStack In this example although 2 ports are configured as active ports only one active mirror port port 1 1 24 is allowed for the entire stack since the mirror ports and the monitored ports are on different stack members PowerConnect config mirror port ethernet 1 1 24 PowerConnect c...

Page 680: ... enter the show access list all command PowerConnect show access list all Extended IP access list 101 permit ip any any mirror The configuration process is now complete MAC address filter based mirroring This feature allows traffic entering an ingress port to be monitored from a mirror port connected to a data analyzer based on specific source and destination MAC addresses This feature supports mi...

Page 681: ... ffff ffff fff mirror In this example any flow matching the SA source address 0000 1111 2222 and the DA destination address 0000 2222 3333 will be mirrored Other flows will not be mirrored 3 Apply the MAC address filter to an interface Apply the MAC address filter to an interface using the mac filter group command as shown PowerConnect config interface ethernet 0 1 1 PowerConnect config if e10000 ...

Page 682: ...tus The show vlan command displays the VLAN mirroring status PowerConnect show vlans Total PORT VLAN entries 4 Maximum PORT VLAN entries 4060 Legend Stk Stack Unit S Slot PORT VLAN 1 Name DEFAULT VLAN Priority level0 Spanning tree On Untagged Ports Stk0 S1 3 4 5 6 7 8 9 10 11 12 13 14 Untagged Ports Stk0 S1 15 16 17 18 19 20 21 22 23 24 25 26 Untagged Ports Stk0 S1 27 28 29 30 31 32 33 34 35 36 37...

Page 683: ...the same scheduling and bandwidth management as the other ports in the system If the amount of traffic being sent to the mirror port exceeds the available bandwidth some of that traffic may be dropped All incoming traffic tagged and untagged in the VLAN is mirrored Mirroring is as is and is not affected by the configuration of the mirror port itself Incoming tagged traffic is sent out tagged and i...

Page 684: ...642 PowerConnect B Series FCX Configuration Guide 53 1002266 01 VLAN based mirroring 20 ...

Page 685: ...ion only Fixed rate limiting applies to all traffic on the rate limited port Fixed rate limiting is at line rate and occurs in hardware Refer to Rate limiting in hardware on page 644 When you specify the maximum number of bytes you specify it in bits per second bps The Fixed rate limiting policy applies to one second intervals and allows the port to receive the number of bytes you specify in the p...

Page 686: ...he port clears the counter and re enables traffic Figure 113 shows an example of how Fixed rate limiting works In this example a Fixed rate limiting policy is applied to a port to limit the inbound traffic to 500000 bits 62500 bytes a second During the first two one second intervals the port receives less than 500000 bits in each interval However the port receives more than 500000 bits during the ...

Page 687: ...rt until the next one second interval starts Syntax no rate limit input fixed average rate For PowerConnect devices the average rate parameter specifies the maximum number of bits per second bps the port can receive The minimum rate that can be configured is 64 000 bits per second Configuring an ACL based rate limiting policy IP ACL based rate limiting of inbound traffic provides the facility to l...

Page 688: ... rules apply when configuring outbound rate shapers Outbound rate shapers can be configured only on physical ports not on virtual or loopback ports For trunk ports the rate shaper must be configured on individual ports of a trunk using the config trunk ind command trunk configuration level you cannot configure a rate shaper for a trunk This feature is supported on PowerConnect B Series FCX devices...

Page 689: ...tax no rate limit output shaping value On PowerConnect B Series FCX devices you can specify a value up to the port line rate for value Configuring outbound rate shaping for a specific priority To configure the maximum rate at which outbound traffic is sent out on a port priority queue enter commands such as the following PowerConnect config interface e 1 2 PowerConnect config if e1000 2 rate limit...

Page 690: ...ariable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum Specify the value variable as follows On PowerConnect B Series FCX devices you can specify a value up to the port line rate Displaying rate shaping configurations To display the configured outbound rate shaper on a device enter the following command The display lists the ports on a device the c...

Page 691: ... is a destination address in the range of 224 0 0 0 to 239 255 255 255 Addresses of 224 0 0 X are reserved Because packets destined for these addresses may require VLAN flooding devices do not do snooping in the reserved range Data packets destined to addresses in reserved range are flooded to the entire VLAN by hardware and mirrored to the CPU Multicast data packets destined for the non reserved ...

Page 692: ... can also contain a BLOCK record which lists the current traffic sources from which the interface wants to stop receiving traffic IGMP protocols provide a method for clients and a device to exchange messages and let the device build a database indicating which port wants what traffic The protocols do not specify forwarding methods They require IGMP snooping or multicast protocols such as PIM or DV...

Page 693: ...ata packets in hardware A user can configure static router ports to force all multicast traffic to these specific ports The devices support fast leave for IGMPv2 Fast leave stops traffic immediately when the port receives a leave message The devices support tracking and fast leave for IGMPv3 tracking all IGMPv3 clients If the only client on a port leaves traffic is stopped immediately An IGMP devi...

Page 694: ...ip reports in order to receive data traffic If a client application does not send reports you must configure static groups to force traffic to client ports A static group can apply to only some ports or to the entire VLAN Configuring queriers and non queriers An IGMP snooping enabled device can be configured as a querier active or non querier passive An IGMP querier sends queries a non querier lis...

Page 695: ...rse routers connect through a snooping enabled device the device always forwards multicast traffic to these routers For example PIM sparse routers R1 R2 and R3 connect through a device Assume R2 needs traffic and R1 sends it to the device which forwards it to both R2 and R3 even though R3 does not need it A PIM snooping enabled device listens to join and prune messages exchanged by PIM sparse rout...

Page 696: ...device As a result the device does not see a join message on behalf of the client However since IP multicast traffic reduction also is enabled the device uses the IGMP group membership report from the client to select the port for forwarding traffic to group 239 255 162 69 receivers The IP multicast traffic reduction feature and the PIM SM traffic snooping feature together build a list of groups a...

Page 697: ...nooping Modifying the age interval on page 657 Modifying the query interval active IGMP snooping mode only on page 657 Configuring the global IGMP version on page 657 Configuring report control on page 657 rate limiting Modifying the wait time before stopping traffic when receiving a leave message on page 658 Modifying the multicast cache age time on page 658 Enabling or disabling error and warnin...

Page 698: ... disabled port from receiving multicast traffic However if static groups to the entire VLAN are defined the traffic from these groups is VLAN flooded including to disabled ports Traffic from disabled ports cannot be blocked in hardware and is switched in the same way as traffic from enabled ports This command has no effect on a VLAN that is not snooping enabled because all multicast traffic is VLA...

Page 699: ...h the same query interval To modify the query interval enter the following command PowerConnect config ip multicast query interval 120 Syntax no ip multicast query interval interval The interval parameter specifies the time between queries You can specify a value from 10 through 3600 seconds The default is 125 seconds Configuring the global IGMP version You can globally specify IGMPv2 or IGMPv3 fo...

Page 700: ... to age out when it does not receive traffic The traffic is hardware switched One minute before aging out an mcache the device mirrors a packet of this mcache to CPU to reset the age If no data traffic arrives within one minute this mcache is deleted A lower value quickly removes resources consumed by idle streams but it mirrors packets to CPU often A higher value is recommended only data streams ...

Page 701: ...nect config vlan 20 multicast active Syntax no multicast active passive Disabling IGMP snooping for the VLAN When IGMP snooping is enabled globally you can still disable it for a specific VLAN For example the following commands cause IGMP snooping to be disabled for VLAN 20 This setting overrides the global setting PowerConnect config vlan 20 PowerConnect config vlan 20 multicast disable multicast...

Page 702: ...orts If clients cannot send reports you can configure a static group which applies to the entire VLAN or only to specific ports The static group allows packets to be forwarded to the static group ports even though they have no client membership reports The static group to the entire VLAN is used in VLAN flooding which consumes less hardware resource than the static group to ports The static group ...

Page 703: ...ation is removed it is deleted from active group table immediately However leave messages are not sent to the querier and the querier must age the group out Proxy activity can be turned off The default is on To turn proxy activity off for VLAN 20 enter the following commands PowerConnect config vlan 20 PowerConnect config vlan 20 multicast proxy off Syntax no multicast proxy off Enabling IGMPv3 me...

Page 704: ...s have multiple clients When two devices connect together the querier must not be configured for fast leave v2 because the port might have multiple clients through the non querier The number of queries and the waiting period in seconds can be configured using the ip multicast leave wait time command The default is 2 seconds To configure fast leave for IGMPv2 enter the following commands PowerConne...

Page 705: ... fast leave features are enabled you can display the list of clients that belong to a particular group by entering the following command Field Description SW processed pkt The number of multicast packets processed by IGMP snooping up time The time since the IGMP snooping is enabled PowerConnect show ip multicast group p physical ST static QR querier EX exclude IN include Y yes N no VL70 3 groups 4...

Page 706: ...anges to INCLUDE mode if it does not receive an IS_EX or TO_EX message during a certain period of time The default is 140 seconds There is no life displayed in INCLUDE mode mode Indicates current mode of the interface INCLUDE or EXCLUDE If the interface is in INCLUDE mode it admits traffic only from the source list If an interface is in EXCLUDE mode it denies traffic from the source list and accep...

Page 707: ...creases this number slowly OIF The output interfaces If entire vlan is displayed this indicates that static groups apply to the entire VLAN age The mcache age The mcache will be reset to 0 if traffic continues to arrive otherwise the mcache will be aged out when it reaches the time defined by the ip multicast mcache age command uptime The up time of this mcache in minutes vidx Vidx specifies outpu...

Page 708: ...the system max multicast snoop mcache command get mem The number of memory allocation This number should continue to increase size The size of a unit in bytes init The initial allocated amount of memory More memory can be allocated if resources run out Available vidx The output interface OIF port mask used by mcache The entire device has a maximum of 4096 vidx Different mcaches with the same OIF s...

Page 709: ...ddresses were allowed on the interface BLK Number of times that sources were removed from an interface Pkt Err Number of packets having errors such as checksum Pimsm snooping hello join prune Number of PIM sparse hello join and prune packets Field Description version The IGMP version number query t How often a querier sends a general query on the interface group aging t The number of seconds membe...

Page 710: ...h the VLAN interface is active and no other querier is present with the lowest IP address PowerConnect show ip multicast vlan 10 Version 2 Intervals Query 125 Group Age 260 Max Resp 10 Other Qr 260 VL10 dft V2 vlan cfg active 0 grp 0 G cache no rtr port 1 1 16 has 0 groups This interface is Querier default V2 1 1 24 has 0 groups This interface is Querier default V2 2 1 16 has 0 groups This interfa...

Page 711: ... V2 2 1 24 has 0 groups This interface is non Querier passive default V2 3 1 1 has 0 groups This interface is non Querier passive default V2 3 1 4 has 0 groups This interface is non Querier passive default V2 Active interface with other querier present The following example shows the output in which the VLAN interface is active and another querier is present with the lowest IP address PowerConnect...

Page 712: ...terface is non Querier Querier is 8 8 8 8 Age is 0 Max response time is 100 default V2 Warning has V3 age 0 nbrs group 236 6 6 6 life 260 Passive interface with other querier present The following example shows the output in which the VLAN interface is passive and another querier is present with the lowest IP address PowerConnect show ip multicast vlan 10 Version 2 Intervals Query 125 Group Age 26...

Page 713: ...e 260 group 228 8 8 8 life 260 group 230 0 0 0 life 260 group 224 4 4 4 life 260 3 1 4 has 1 groups This interface is non Querier passive Querier is 8 8 8 8 Age is 0 Max response time is 100 default V2 Warning has V3 age 0 nbrs group 236 6 6 6 life 260 Clear IGMP snooping commands The clear IGMP snooping commands must be used only in troubleshooting conditions or to recover from errors Clear IGMP ...

Page 714: ...t vlan 10 mcache Syntax clear ip multicast vlan vlan id mcache The vlan id parameter specifies the specific VLAN in which to clear the mcache Clear traffic on a specific VLAN To clear the traffic counters on a specific VLAN enter the following command PowerConnect clear ip multicast vlan 10 traffic Syntax clear ip multicast vlan vlan id traffic The vlan id parameter specifies the specific VLAN in ...

Page 715: ...P sends FDP updates on Layer 2 to MAC address 01 E0 52 CC CC CC Other Dell PowerConnect devices listening on that address receive the updates and can display the information in the updates Dell PowerConnect devices can send and receive FDP updates on Ethernet interfaces FDP is disabled by default NOTE If FDP is not enabled on a Dell PowerConnect device that receives an FDP update or the device is ...

Page 716: ...nter the following command at the Global CONFIG level of the CLI PowerConnect config fdp advertise ipv4 To configure a Layer 3 switch to advertise the IPv6 address enter the following command at the Interface level of the CLI PowerConnect config if 2 1 fdp advertise ipv6 Syntax fdp advertise ipv4 ipv6 Changing the FDP update timer By default a Dell PowerConnect device enabled for FDP sends an FDP ...

Page 717: ...ummary list of all the Dell PowerConnect neighbors that have sent FDP updates to this Dell PowerConnect device enter the following command Syntax show fdp neighbor ethernet port detail The ethernet port parameter lists the information for updates received on the specified port The detail parameter lists detailed information for each device The show fdp neighbor command without optional parameters ...

Page 718: ...is device If the neighbor is a Layer 2 Switch this field lists the management IP address Platform The product platform of the neighbor Capabilities The role the neighbor is capable of playing in the network Interface The interface on which this device received an FDP or CDP update for the neighbor Port ID The interface through which the neighbor sent the update Holdtime The maximum number of secon...

Page 719: ...nd CDP statistics To display FDP and CDP packet statistics enter the following command Syntax show fdp traffic Clearing FDP and CDP information You can clear the following FDP and CDP information Information received in FDP and CDP updates FDP and CDP statistics PowerConnectA show fdp entry PowerConnect B Device ID PowerConnect B configured as default VLAN1 tag type8100 Entry address es Platform P...

Page 720: ...onnect devices forward these packets without examining their contents You can configure a Dell PowerConnect device to intercept and display the contents of CDP packets This feature is useful for learning device and interface information for Cisco devices in the network Dell PowerConnect devices support intercepting and interpreting CDP version 1 and version 2 packets NOTE The Dell PowerConnect dev...

Page 721: ...s enter the following command To display detailed information for the neighbors enter the following command To display information about a neighbor attached to a specific port enter a command such as the following PowerConnect show fdp neighbors Capability Codes R Router T Trans Bridge B Source Route Bridge S Switch H Host I IGMP r Repeater indicates a Cisco device Device ID Local Int Holdtm Capab...

Page 722: ...sion 12 0 5 T1 RELEASE SOFTWARE fc1 Copyright c 1986 1999 by cisco Systems Inc Compiled Thu 19 Aug 99 04 12 by cmong PowerConnect show fdp entry Device ID Router Entry address es IP address 207 95 6 143 Platform cisco RSP4 Capabilities Router Interface Eth 1 1 Port ID outgoing port FastEthernet5 0 0 Holdtime 124 seconds Version Cisco Internetwork Operating System Software IOS tm RSP Software RSP J...

Page 723: ...No memory 0 Invalid packet 0 Fragmented 0 Syntax show fdp traffic Clearing CDP information You can clear the following CDP information Cisco Neighbor information CDP statistics To clear the Cisco neighbor information enter the following command PowerConnect clear fdp table Syntax clear fdp table To clear CDP statistics enter the following command PowerConnect clear fdp counters Syntax clear fdp co...

Page 724: ...682 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Reading CDP packets 23 ...

Page 725: ... configure and manage connected Media Endpoint devices that need to send media streams across the network e g IP telephones and security cameras LLDP enables network discovery between Network Connectivity devices such as switches whereas LLDP MED enables network discovery at the edge of the network between Network Connectivity devices and media Endpoint devices such as IP phones TABLE 120 Supporte...

Page 726: ...acket that consists of a sequence of short variable length information elements known as TLVs LLDP pass through is not supported in conformance to IEEE standard MIB Management Information Base A virtual database that identifies each manageable object by its name syntax accessibility and status along with a text description and unique object identifier OID The database is accessible by a Network Ma...

Page 727: ...ory Data Supports optional system name system description system capabilities and management address System description can contain the device product name or model number version of hardware type and operating system Provides device capability such as switch router or WLAN access point Network troubleshooting Information generated by LLDP can be used to detect speed and duplex mismatches I m a PC...

Page 728: ...dges Figure 116 demonstrates LLDP MED connectivity FIGURE 116 LLDP MED connectivity Benefits of LLDP MED LLDP MED provides the following benefits Vendor independent management capabilities enabling different IP telephony systems to interoperate in one network LLDP MED Network Connectivity Devices e g L2 L3 switch bridge etc provide IEEE 802 network access to LLDP MED endpoints LLDP MED Generic End...

Page 729: ...Endpoint supports end user IP communication Capabilities include aspects related to end user devices as well as all of the capabilities defined for Class 1 and Class 2 Endpoints A Class 3 Endpoint can be an IP telephone softphone PC based phone or other communication device that directly supports the end user Discovery services defined in Class 3 include location identifier ECS E911 information an...

Page 730: ...in software TLVs that are not recognized but do not contain basic formatting errors are assumed to be valid and are assigned a temporary identification index and stored for future possible alter retrieval by network management All validated TLVs are stored in the neighbor database LLDP packets LLDP agents transmit information about a sending device port in packets called LLDP Data Units LLDPDUs Al...

Page 731: ...c Management TLVs Chassis ID mandatory Port ID mandatory Time to Live mandatory Port description System name System description System capabilities Management address End of LLDPDU Organizationally specific TLVs are optional in LLDP implementations and are defined and encoded by individual organizations or vendors These TLVs include support for but are not limited to the IEEE 802 1 and 802 3 stand...

Page 732: ...erConnect devices use chassis ID subtype 4 the base MAC address of the device Other third party devices may use a chassis ID subtype other than 4 The chassis ID will appear similar to the following on the remote device and in the CLI display output on the Dell PowerConnect device show lldp local info Chassis ID MAC address 0012 f233 e2c0 The chassis ID TLV is always the first TLV in the LLDPDU Por...

Page 733: ... TTL value will appear similar to the following on the remote device and in the CLI display output on the Dell PowerConnect device show lldp local info Time to live 40 seconds If the TTL field has a value other than zero the receiving LLDP agent is notified to completely replace all information associated with the LLDP agent port with the information in the received LLDPDU If the TTL field value i...

Page 734: ...cations Refer to Enabling SNMP notifications and syslog messages for LLDP MED topology changes on page 708 Configuring LLDP This section describes how to enable and configure LLDP Table 123 lists the LLDP global level tasks and the default behavior value for each task TLV Type 3 TLV Information String Length 2 Time to Live TTL 7 bits 9 bits 2 octets TABLE 123 LLDP global configuration tasks and de...

Page 735: ...nabling and disabling LLDP LLDP is enabled by default on individual ports However to run LLDP you must first enable it on a global basis on the entire device To enable LLDP globally enter the following command at the global CONFIG level of the CLI PowerConnect config lldp run Syntax no lldp run Enabling and disabling TLV advertisements When LLDP transmit is enabled by default the Dell PowerConnect...

Page 736: ...ou can configure a different operating mode for each port on the Dell PowerConnect device For example you could disable the receipt and transmission of LLDP packets on port e 2 1 configure port e 2 3 to only receive LLDP packets and configure port e 2 5 to only transmit LLDP packets The following sections show how to change the operating mode Enabling and disabling receive and transmit mode To dis...

Page 737: ...t to both transmit and receive LLDP packets NOTE LLDP MED is not enabled when you enable the receive only operating mode To enable LLDP MED you must configure the port to both receive and transmit LLDP packets Refer to Enabling and disabling receive and transmit mode on page 694 Syntax no lldp enable receive ports ethernet port list all Use the no form of the command to disable the receive only mo...

Page 738: ...e the keyword to to specify ranges of ports or a combination of both To apply the configuration to all ports on the device use the keyword all instead of listing the ports individually Specifying the maximum number of LLDP neighbors You can change the limit of the number of LLDP neighbors for which LLDP data will be retained per device as well as per port Per device You can change the maximum numb...

Page 739: ...yslog message within a five second period If desired you can change this interval Refer to Specifying the minimum time between SNMP traps and syslog messages on page 697 Syntax no lldp enable snmp notifications ports ethernet port list all For port list specify the ports in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum You can list all of the ports i...

Page 740: ...d causes the LLDP agent to wait a minimum of seven seconds after transmitting an LLDP frame and before sending another LLDP frame Syntax no lldp transmit delay seconds where seconds is a value between 1 and 8192 The default is two seconds Note that this value must not be greater than one quarter of the LLDP transmission interval CLI command lldp transmit interval Changing the interval between regu...

Page 741: ... LLDP agent to transmit LLDPDUs with TTL values that are excessively high This in turn can affect how long a receiving device will retain the information if it is not refreshed Changing the minimum time between port reinitializations The LLDP re initialization delay timer specifies the minimum number of seconds the device will wait from when LLDP is disabled on a port until it will honor a request...

Page 742: ...ice Management address advertising has two modes default or explicitly configured The default mode is used when no addresses are configured to be advertised for a given port If any addresses are configured to be advertised for a given port then only those addresses are advertised This applies across address types so for example if just one IPv4 address is explicitly configured to be advertised for...

Page 743: ...reach higher layer entities to assist discovery by network management In addition to management addresses the advertisement will include the system interface number associated with the management address For port list specify the port s in the format slotnum portnum where slotnum is required on chassis devices only You can list all of the ports individually use the keyword to specify a range of po...

Page 744: ...he available capabilities except that when using a router image base or full Layer 3 if the global route only feature is turned on the bridge capability will not be included since no bridging takes place By default the system capabilities are automatically advertised when LLDP is enabled on a global basis To disable this advertisement enter a command such as the following PowerConnect config no ll...

Page 745: ... keyword to to specify ranges of ports or a combination of both To apply the configuration to all ports on the device use the keyword all instead of listing the ports individually Note that using the keyword all may cause undesirable effects on some ports For example if you configure all ports to advertise their VLAN name and the configuration includes ports that are not members of any VLAN the sy...

Page 746: ...AN name VLAN 99 Voice VLAN 99 Syntax no lldp advertise vlan name vlan vlan ID ports ethernet port list all For vlan ID enter the VLAN ID to advertise For port list specify the ports in one of the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum You can list all of the ports individually use the keyword to to specify ranges of ports or a combination of both ...

Page 747: ...able of being aggregated Whether the link is currently aggregated The primary trunk port Dell PowerConnect devices advertise link aggregation information about standard link aggregation LACP as well as static trunk configuration By default link aggregation information is automatically advertised when LLDP is enabled on a global basis To disable this advertisement enter a command such as the follow...

Page 748: ...s stack unit slotnum portnum You can list all of the ports individually use the keyword to to specify ranges of ports or a combination of both To apply the configuration to all ports on the device use the keyword all instead of listing the ports individually Note that using the keyword all may cause undesirable effects on some ports For example if you configure all ports to advertise their VLAN na...

Page 749: ... any VLAN will not send VLAN name advertisements Configuring LLDP MED This section provides the details for configuring LLDP MED Table 124 lists the global and interface level tasks and the default behavior value for each task Enabling LLDP MED When LLDP is enabled globally LLDP MED is enabled if the LLDP MED capabilities TLV is also enabled By default the LLDP MED capabilities TLV is automaticall...

Page 750: ...port list all For port list specify the ports in one of the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum You can list all of the ports individually use the keyword to to specify ranges of ports or a combination of both To apply the configuration to all ports on the device use the keyword all instead of listing the ports individually Note that using the ...

Page 751: ...mine the physical location of a user in North America that has just dialed 911 For each port you can define one or more of the following location ID formats Geographic location coordinate based Civic address Emergency Call Services ECS Emergency Location Identification Number ELIN The above location ID formats are defined in the following sections Coordinate based location Coordinate based locatio...

Page 752: ...elow ground level could be represented by negative values resolution bits specifies the precision of the value given for altitude A smaller value increases the area within which the device is located For floors resolution enter the value 0 if the floor is unknown or 30 if a valid floor is being specified altitude meters number is the vertical elevation in number of meters as opposed to floors reso...

Page 753: ...e and the elements that describe the civic or postal address To configure a civic address based location for LLDP MED enter commands such as the following at the Global CONFIG level of the CLI PowerConnect config lldp med location id civic address refers to client country US elem 1 CA elem 3 Santa Clara elem 6 4980 Great America Pkwy elem 24 95054 elem 27 5 elem 28 551 elem 29 office elem 23 John ...

Page 754: ... address Civic Address CA type Description Acceptable values examples 0 Language The ISO 639 language code used for presenting the address information 1 National subdivisions state canton region province or prefecture Examples Canada Province Germany State Japan Metropolis Korea Province United States State 2 County parish gun JP or district IN Examples Canada County Germany County Japan City or r...

Page 755: ...g name that conveys additional information about the location Example west wing 23 Name residence and office occupant Identifies the person or organization associated with the address Example Textures Beauty Salon 24 Postal zip code The valid postal zip code for the address Example 95054 1234 25 Building structure The name of a single building if the street address includes more than one building ...

Page 756: ...eplaced with this value Example P O Box 1234 32 Additional code An additional country specific code that identifies the location For example for Japan this is the Japan Industry Standard JIS address code The JIS address code provides a unique address inside of Japan down to the level of indicating the floor of the building 128 Script The script from ISO 15924 14 used to present the address informa...

Page 757: ...location advertisement will appear similar to the following on the remote device and in the CLI display output on the Dell PowerConnect device show lldp local info Defining an LLDP MED network policy An LLDP MED network policy defines an Endpoint VLAN configuration VLAN type and VLAN ID and associated Layer 2 and Layer 3 priorities that apply to a specific set of applications on a port NOTE This f...

Page 758: ...k policy Application type can be one of the following guest voice Limited voice service for guest users and visitors with their own IP telephony handsets or similar devices that support interactive voice services guest voice signaling Limited voice service for use in network topologies that require a different policy for guest voice signaling than for guest voice media softphone voice Softphone vo...

Page 759: ... or a combination of both To apply the configuration to all ports on the device use the keyword all instead of listing the ports individually Note that using the keyword all may cause undesirable effects on some ports For example if you configure all ports to advertise their VLAN name and the configuration includes ports that are not members of any VLAN the system will warn of the misconfiguration...

Page 760: ... all ports on the device use the keyword all instead of listing the ports individually Note that using the keyword all may cause undesirable effects on some ports For example if you configure all ports to advertise their VLAN name and the configuration includes ports that are not members of any VLAN the system will warn of the misconfigurations on non member VLAN ports The configuration will be ap...

Page 761: ...tting an LLDP frame and before transmitting another LLDP frame LLDP SNMP notification interval The number of seconds between transmission of SNMP LLDP traps lldpRemTablesChange and SNMP LLDP MED traps lldpXMedTopologyChangeDetected LLDP reinitialize delay The minimum number of seconds the device will wait from when LLDP is disabled on a port until a request to re enable LLDP on that port will be h...

Page 762: ...entries age out naturally when a port cable or module is disconnected or when a port becomes disabled However if a disabled port is re enabled the system will delete the old LLDP entries Neighbor advertisements dropped The number of valid LLDP neighbors the device detected but could not add This can occur for example when a new neighbor is detected and the device is already supporting the maximum ...

Page 763: ...use the base MAC address of the device as the Chassis ID Port ID The identifier for the port Dell PowerConnect devices use the permanent MAC address associated with the port as the port ID Port Description The description for the port Dell PowerConnect devices use the ifDescr MIB object from MIB II as the port description System Name The administratively assigned name for the system Dell PowerConn...

Page 764: ...ress 10 43 39 151 Port ID MAC address 0800 0f18 cc03 Time to live 120 seconds Port description LAN port System name regDN 1015 MITEL 5235 DM System description regDN 1015 MITEL 5235 DM h w rev 2 ASIC rev 1 f w Boot 02 01 00 11 f w Main 02 01 00 11 System capabilities bridge telephone Enabled capabilities bridge telephone Management address IPv4 10 43 39 151 802 3 MAC PHY auto negotiation enabled A...

Page 765: ...hows an example report PowerConnect show lldp local info ports e 20 Local port 20 Chassis ID MAC address 0012 f233 e2c0 Port ID MAC address 0012 f233 e2d3 Time to live 40 seconds System name PowerConnect Port description GigabitEthernet20 System description Brocade Communications Inc IronWare V ersion 04 0 00b256T3e1 Compiled on Sep 04 2007 at 0 3 54 29 labeled as SXS04000b256 System capabilities ...

Page 766: ...CA Value 551 CA Type 29 CA Value office CA Type 23 CA Value John Doe MED Location ID Data Format ECS ELIN Value 1234567890 MED Extended Power via MDI Power Type PSE device Power Source Unknown Power Source Power Priority Low 3 Power Value 6 5 watts PSE equivalent 7005 mWatts Port VLAN ID 99 Management address IPv4 192 1 1 121 VLAN name VLAN 99 Voice VLAN 99 NOTE The contents of the show output wil...

Page 767: ... ports or a combination of both To apply the configuration to all ports on the device use the keyword all instead of listing the ports individually Clearing cached LLDP neighbor information The Dell PowerConnect device clears cached LLDP neighbor information after a port becomes disabled and the LLDP neighbor information ages out However if a port is disabled then re enabled before the neighbor in...

Page 768: ...726 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Clearing cached LLDP neighbor information 24 ...

Page 769: ... Switches Overview of IP multicasting Multicast protocols allow a group or channel to be accessed over different networks by multiple stations clients for the receipt and transmit of multicast data Distribution of stock quotes video transmissions such as news services and remote classrooms and video conferencing are all examples of applications that use multicast routing TABLE 126 Supported IP mul...

Page 770: ... 1112 as follows An IP host group address is mapped to an Ethernet multicast address by placing the low order 23 bits of the IP address into the low order 23 bits of the Ethernet multicast address 01 00 5E 00 00 00 hex Because there are 28 significant bits in an IP host group address more than one host group address may map to the same Ethernet multicast address NOTE Since there are 5 bits in the ...

Page 771: ... group are present on the router Intermediate nodes Routers that are in the path between source routers and leaf routers Leaf nodes Routers that do not have any downstream routers Multicast Tree A unique tree is built for each source group S G pair A multicast tree is comprised of a root node and one or more nodes that are leaf or intermediate nodes Changing global IP multicast parameters The foll...

Page 772: ...r IGMP memberships applies to the device not to individual interfaces You can have up to 8192 IGMP memberships on all the individual interfaces not up to 8192 IGMP memberships on each interface Increasing the number of IGMP memberships To increase the number of IGMP membership interfaces for PIM enter commands such as the following PowerConnect config system max pim max int group 4000 PowerConnect...

Page 773: ...m number of multicast cache entries for PIM Enter a number from 256 4096 The default is 1024 Changing IGMP V1 and V2 parameters IGMP allows routers to limit the multicast of IGMP packets to only those ports on the router that are identified as IP Multicast members This section applies to Dell PowerConnect devices that support IGMP versions 1 and 2 The router actively sends out host queries to iden...

Page 774: ... membership time 240 Syntax ip igmp group membership time num The num variable specifies the IGMP group membership time in number of seconds Enter a value from 20 through 7200 seconds The value you enter must be a little more than two times the query interval 2 query interval 10 The default value is 260 Modifying IGMP V1 and V2 maximum response time Maximum response time defines how long the Layer...

Page 775: ...p addr parameter specifies the group number The ethernet portnum parameter specifies the port number Use this parameter if the port is a member of a virtual routing interface and you are entering this command at the configuration level for the virtual routing interface Manually added groups are included in the group information displayed by the following commands show ip igmp group show ip pim gro...

Page 776: ... sends a prune message to the upstream router The router that discarded the packet also maintains the prune state for the source group S G pair The branch is then pruned removed from the multicast tree No further multicast packets for that specific S G pair will be received from that upstream router until the prune state expires You can configure the PIM Prune Timer the length of time that a prune...

Page 777: ... source to host group members 229 225 0 1 Group Member Group Member Video Conferencing Server 207 95 5 1 229 225 0 1 Source Group 229 225 0 1 Group Member Group Member Group Member Group Member Group Member Group Member 229 225 0 1 Leaf Node Leaf Node Leaf Node No Group Members Intermediate Node No Group Members R2 R1 R3 R4 R5 R6 ...

Page 778: ... the tree S4 and S6 once again receive multicast packets Prune and graft messages are continuously used to maintain the multicast delivery tree No configuration is required on your part PIM DM versions Dell PowerConnect devices support PIM DM V1 and V2 The default is V2 You can specify the version on an individual interface basis The primary difference between PIM DM V1 and V2 is the methods the p...

Page 779: ...e of PIM described in RFC 1075 Refer to Configuring PIM Sparse on page 744 for information about configuring PIM Sparse Enabling PIM on the router and an interface By default PIM is disabled To enable PIM perform the following Enable the feature globally Configure the IP interfaces that will use PIM Enable PIM locally on the ports that have the IP interfaces you configured for PIM Suppose you want...

Page 780: ...ess 207 95 5 1 24 PowerConnect config if e1000 3 ip pim Syntax no ip pim version 1 2 The version 1 2 parameter specifies the PIM DM version The default version is 2 If you have enabled PIM version 1 but need to enable version 2 instead enter either of the following commands at the configuration level for the interface PowerConnect config if 1 1 ip pim version 2 PowerConnect config if 1 1 no ip pim...

Page 781: ... message upstream and stores a prune state This prune state travels up the tree and installs a prune state A prune state is maintained until the prune timer expires or a graft message is received for the forwarding entry The default value is 180 seconds To set the PIM prune timer to 90 enter the following PowerConnect config router pim PowerConnect config pim router prune timer 90 Syntax prune tim...

Page 782: ...ed to send multicast packets The PIM inactivity timer defines how long a forwarding entry can remain unused before the router deletes it To apply a PIM inactivity timer of 90 seconds to all PIM interfaces enter the following PowerConnect config router pim PowerConnect config pim router inactivity timer 90 Syntax inactivity timer 10 3600 The default is 180 seconds Selection of shortest path back to...

Page 783: ...irst entry in the IP routing table If some PIM traffic paths were selected based on the highest IP RPF these paths are changed immediately to use the first RPF in the routing table Failover time in a multi path topology When a port in a multi path topology fails and the failed port is the input port of the downstream router a new path is re established within a few seconds depending on the routing...

Page 784: ...3 Switches This feature does not apply to DVMRP traffic Refer to Passive multicast route insertion on page 763 PIM Sparse Dell PowerConnect devices support Protocol Independent Multicast PIM Sparse version 2 PIM Sparse provides multicasting that is especially suitable for widely distributed multicast environments The Dell implementation is based on RFC 2362 In a PIM Sparse network a PIM Sparse rou...

Page 785: ... parameter is elected If the priorities result in a tie then the candidate BSR interface with the highest IP address is elected In the example in Figure 122 PIM Sparse switch B is the BSR Port 2 2 is configured as a candidate BSR RP The RP is the meeting point for PIM Sparse sources and receivers A PIM Sparse domain can have multiple RPs but each PIM Sparse multicast group address can have only on...

Page 786: ...test Path Tree SPT between a given source and receiver PIM Sparse switches can use the SPT as an alternative to using the RP for forwarding traffic from a source to a receiver By default Layer 3 Switches forward the first packet they receive from a given source to a given receiver using the RP path but forward subsequent packets from that source to that receiver through the SPT In Figure 122 Switc...

Page 787: ...ulticast routing when configuring PIM Sparse The command in this example enables IP multicast routing and enables the PIM Sparse mode of IP multicast routing The command does not configure the Layer 3 Switch as a candidate PIM Sparse Bootstrap Router BSR and candidate Rendezvous Point RP You can configure a Layer 3 Switch as a PIM Sparse switch without configuring the it as a candidate BSR and RP ...

Page 788: ...ne Layer 3 Switch as a candidate PIM Sparse Bootstrap router BSR and candidate PIM Sparse Rendezvous Point RP NOTE It is possible to configure the Layer 3 Switch as only a candidate BSR or RP but Dell recommends that you configure the same interface on the same Layer 3 Switch as both a BSR and an RP This section presents how to configure BSRs Refer to Configuring RPs on page 747 for instructions o...

Page 789: ...ayer 3 Switch as a candidate RP for all group numbers beginning with 224 As a result the Layer 3 Switch is a candidate RP for all valid PIM Sparse group numbers You can change this by adding or deleting specific address ranges The following example narrows the group number range for which the Layer 3 Switch is a candidate RP by explicitly adding a range PowerConnect config pim router rp candidate ...

Page 790: ...ure the router is on the backbone or is otherwise well connected to the rest of the network To specify the IP address of the RP enter commands such as the following PowerConnect config router pim PowerConnect config pim router rp address 207 95 7 1 Syntax no rp address ip addr The ip addr parameter specifies the IP address of the RP The command in the example above identifies the router interface ...

Page 791: ...u specify infinity the Layer 3 Switch sends packets using the RP indefinitely and does not switch over to the SPT If you enter a specific number of packets the Layer 3 Switch does not switch over to using the SPT until it has sent the number of packets you specify using the RP Changing the PIM join and prune message interval By default the Layer 3 Switch sends PIM Sparse Join Prune messages every ...

Page 792: ...ow ip pim sparse This example shows the PIM Sparse configuration information on PIM Sparse router A in Figure 122 This display shows the following information TABLE 127 Output of show ip pim sparse This field Displays Global PIM Sparse mode settings Hello interval How frequently the Layer 3 Switch sends PIM Sparse hello messages to its PIM Sparse neighbors This field show the number of seconds bet...

Page 793: ... multicast groups it is forwarding This field show the number of seconds between Join Prune messages The Layer 3 Switch sends Join Prune messages on behalf of multicast receivers who want to join or leave a PIM Sparse group When forwarding packets from PIM Sparse sources the Layer 3 Switch sends the packets only on the interfaces on which it has received join requests in Join Prune messages for th...

Page 794: ...how ip pim group This field Displays Total number of Groups Lists the total number of IP multicast groups the Layer 3 Switch is forwarding NOTE This list can include groups that are not PIM Sparse groups If interfaces on the Layer 3 Switch are configured for regular PIM dense mode or DVMRP these groups are listed too Index The index number of the table entry in the display Group The multicast grou...

Page 795: ... appear this Layer 3 Switch is not the BSR Hash mask length The number of significant bits in the IP multicast group comparison mask This mask determines the IP multicast group numbers for which the Layer 3 Switch can be a BSR The default is 32 bits which allows the Layer 3 Switch to be a BSR for any valid IP multicast group number NOTE This field appears only if this Layer 3 Switch is the BSR Nex...

Page 796: ...ies PowerConnect show ip pim resource alloc in use avail allo fail up limit get mem NBR list 64 0 64 0 512 0 timer 256 0 256 0 4096 0 pimsm J P elem 0 0 0 0 48960 0 pimsm group2rp 0 0 0 0 4096 0 pimsm L2 reg xmt 64 0 64 0 no limit 0 mcache 256 0 256 0 1024 0 mcache hash link 997 0 997 0 no limit 0 mcache 2nd hash 9 0 9 0 997 0 graft if no mcache 197 0 197 0 no limit 0 pim dvm global group 256 0 25...

Page 797: ...y RP to group mappings enter the following command at any CLI level PowerConnect show ip pim rp map Number of group to RP mappings 6 Group address RP address TABLE 131 Output of show ip pim rp candidate This field Displays Candidate RP advertisement in Indicates how many seconds will pass before the BSR sends its next RP message NOTE This field appears only if this Layer 3 Switch is a candidate RP...

Page 798: ...d Displays Group address Indicates the PIM Sparse multicast group address using the listed RP RP address Indicates the IP address of the Rendezvous Point RP for the listed PIM Sparse group TABLE 133 Output of show ip pim rp hash This field Displays RP Indicates the IP address of the Rendezvous Point RP for the specified PIM Sparse group Following the IP address is the port or virtual interface thr...

Page 799: ... the election process the candidate RP with the highest priority is elected as the RP age The age in seconds of this RP set NOTE If this Layer 3 Switch is not a BSR this field contains zero Only the BSR ages the RP set TABLE 135 Output of show ip pim nbr This field Displays Port The interface through which the Layer 3 Switch is connected to the neighbor Neighbor The IP interface of the PIM neighbo...

Page 800: ...the following command at any CLI level Syntax show ip pim flowcache This display shows the following information Age sec The number of seconds since the Layer 3 Switch received the last hello message from the neighbor UpTime sec The number of seconds the PIM neighbor has been up This timer starts when the Layer 3 Switch receives the first Hello messages from the neighbor TABLE 136 Output of show i...

Page 801: ... addr Indicates the RP for the group for this cache entry NOTE The RP address appears only if the RPT flag is set to 1 and the SPT flag is set to 0 see below forward port The port through which the Layer 3 Switch reaches the source Count The number of packets forwarded using this cache entry Sparse Mode Indicates whether the cache entry is for regular PIM dense mode or PIM Sparse This flag can hav...

Page 802: ...This field can have one of the following values 0 The timer is not running 1 The timer is running member ports Indicates the Layer 3 Switch physical ports to which the receivers for the source and group are attached The receivers can be directly attached or indirectly attached through other PIM Sparse routers virtual ports Indicates the virtual interfaces to which the receivers for the source and ...

Page 803: ...ved on the interface J P The number of Join Prune messages sent or received on the interface NOTE Unlike PIM dense PIM Sparse uses the same messages for Joins and Prunes Register The number of Register messages sent or received on the interface RegStop The number of Register Stop messages sent or received on the interface Assert The number of Assert messages sent or received on the interface Total...

Page 804: ... the designated router DR which can prevent all hosts on the LAN from joining multicast traffic outside the LAN The following guidelines apply to PIM Passive 1 This is a Layer 3 interface Ethernet Ve level feature 2 Since the loopback interfaces are never used to form PIM neighbors this feature is not supported on loopback interface 3 Both PIM SM and PIM DM modes support this feature 4 Applying th...

Page 805: ...being dropped in hardware If the HW flag is set to 0 HW 0 it indicates that the packets are being processed in software The following shows an example display output Configuring an IP tunnel IP tunnels are used to send traffic through routers that do not support IP multicasting IP Multicast datagrams are encapsulated within an IP packet and then sent to the remote address Routers that are not conf...

Page 806: ... or blocked on an interface Using ACLs to limit static RP groups You can limit the number of multicast groups covered by a static RP using standard ACLs In the ACL you specify the group to which the RP address applies The following examples set the RP address to be applied to multicast groups with some minor variations To configure an RP that covers multicast groups in 239 255 162 x enter commands...

Page 807: ...ned by a BSR if there is a conflict between the RP configured in this command and the information that is learned by the BSR In previous releases static RP configuration precedes the RP address learned from the PIM Bootstrap protocol With this enhancement an RP address learned dynamically from PIM Bootstrap protocol takes precedence over static RP configuration unless the override parameter is use...

Page 808: ...255 PowerConnect config router pim PowerConnect config pim router bsr candidate ethernet 1 1 32 100 PowerConnect config pim router rp candidate ethernet 1 1 group list 5 The example above shows a configuration for an Ethernet interface To configure ACLs that are applied to a virtual routing interface enter commands such as the following PowerConnect config interface ve 16 PowerConnect config vif 1...

Page 809: ...efault packets destined to these groups are processed by the CPU However when a large number of packets for these groups are received by the Dell PowerConnect device all at once CPU resources may be overloaded To alleviate the load on the CPU you could disable CPU processing of packets for these groups When applied this feature protects the CPU from traffic sent to IPV4 multicast addresses in the ...

Page 810: ...age 767 Viewing disabled multicast addresses To display disabled multicast addresses for all configured VLANs enter the command show disabled multicast to cpu The following shows an example display To display disabled multicast addresses for a particular VLAN include the VLAN ID with the show disabled multicast to cpu command The following shows an example display Syntax show disabled multicast to...

Page 811: ...ce in the display points to a router address this is the address of the next hop PIM router on that interface In this example PIM interface 207 95 8 1 on PIM router 207 95 8 1 is connected to PIM router 207 95 8 10 The connection can be a direct one or can take place through non PIM routers In this example the PIM routers are directly connected When the arrow following an interface address points ...

Page 812: ...rd If the interface changes its current state from IS_IN to IS_EX a TO_EX record is included in the membership report Likewise if an interface current state changes from IS_EX to IS_IN a TO_IN record appears in the membership report IGMP V2 Leave report is equivalent to a TO_IN empty record in IGMP V3 This record means that no traffic from this group will be received regardless of the source An IG...

Page 813: ...es The interface or router does not automatically downgrade the IGMP version running on them to avoid version deadlock If an interface continuously receives queries from routers that are running versions of IGMP that are different from what is on the interface the interface logs warning messages in the syslog every five minutes Reports sent by interfaces to routers that contain different versions ...

Page 814: ...s membership tracking and fast leave to clients In IGMP V2 only one client on an interface needs to respond to a router queries therefore some of the clients may be invisible to the router making it impossible for the router to track the membership of all clients in a group Also when a client leaves the group the router sends group specific queries to the interface to see if other clients on that ...

Page 815: ...terval period defines how often a router will query an interface for group membership To modify the default value for the IGMP query interval enter the following PowerConnect config ip igmp query interval 120 Syntax ip igmp query interval num The num variable specifies the IGMP query interval in number of seconds Enter a value from 10 through 3600 The default value is 125 Setting the group members...

Page 816: ...ot enabled and before the SPT switchover the multicast router creates one G entry for the entire multicast group which can have many sources If the SSM protocol is enabled one S G entry is created for every member of the multicast group even for members with non existent traffic For example if there are 1 000 members in the group 1 000 S G entries will be created Therefore enabling the SSM protoco...

Page 817: ... _src 1 239 0 0 1 e4 20 no yes include 19 Interface v110 3 groups group phy port static querier life mode _src 2 239 0 0 1 e4 5 no yes include 10 3 239 0 0 1 e4 6 no yes 100 exclude 13 4 224 1 10 1 e4 5 no yes include 1 PowerConnect show ip igmp group 239 0 0 1 detail Display group 239 0 0 1 in all interfaces Interface v18 1 groups group phy port static querier life mode _src 1 239 0 0 1 e4 20 no ...

Page 818: ...e source list If an interface is in Exclude mode it denies traffic from the source list and accepts the rest _src Identifies the source list that will be included or excluded on the interface If IGMP V2 group is in Exclude mode with a _src of 0 the group excludes traffic from 0 zero source list which means that all traffic sources are included Group If you requested a detailed report the following...

Page 819: ...h interface The ID of the interface The IGMP version that it is running default IGMP V2 or configured IGMP V3 The multicast protocol it is running DVMRP PIM DM PIM SM Address of the multicast group on the interface If the interface is a virtual routing interface the physical port to which that interface belongs the number of groups on that physical port whether or not the port is a querier or a no...

Page 820: ...ter sends unsolicited membership reports to that group Configuration notes When using IGMP Proxy you must do the following 1 Configure PIM on all multicast client ports to build the group membership table The group membership table will be reported by the proxy interface Refer to Globally enabling and disabling PIM on page 737 Also note the following limitations IGMP Proxy cannot be enabled on the...

Page 821: ... the show ip igmp traffic command to see traffic for IGMP Proxy Syntax show ip igmp traffic Refer to Displaying IGMP traffic status on page 777 to interpret the information in the output The fields in bold show information for IGMP Proxy IP multicast protocols and IGMP snooping on the same device The PowerConnect device supports global Layer 2 IP multicast traffic reduction IGMP snooping and Layer...

Page 822: ... It will not receive traffic from the second source connected to the Layer 3 interface Similarly if there is another IP interface with a Layer 3 client or PIM DVMRP neighbor that requests traffic for the same group it will only receive traffic from the second source and not the first Configuration example Figure 124 and Figure 125 show an example IGMP snooping and PIM forwarding configuration FIGU...

Page 823: ...an 10 interface ve 10 PowerConnect config vif 10 ip address 10 10 10 10 24 2 On the device enable PIM routing between VLAN VE 20 and Interface e 13 PowerConnect config vlan 20 by port PowerConnect config vlan 20 untagged e 21 to 24 Added untagged port s ethe 21 to 24 to port vlan 20 PowerConnect config vlan 20 router interface ve 20 PowerConnect config vlan 20 exit PowerConnect config router pim P...

Page 824: ...g if e1000 13 ip pim 3 Configure the neighboring device PowerConnect config ip route 20 20 20 0 255 255 255 0 30 30 30 10 PowerConnect config router pim PowerConnect config pim router exit PowerConnect config interface ethernet 3 PowerConnect config if e1000 3 ip address 30 30 30 20 24 PowerConnect config if e1000 3 ip pim PowerConnect config if e1000 3 interface ethernet 4 PowerConnect config if ...

Page 825: ...Based Flash image Auto update Yes DHCP assist Yes Equal Cost Multi Path ECMP load sharing Yes IP helper Yes Routes in hardware maximum PowerConnect B Series FCX Up to 16K routes Yes Routing for directly connected IP subnets Yes Virtual Interfaces Up to 512 virtual interfaces Yes Address Resolution Protocol ARP Yes Reverse Address Resolution Protocol RARP Yes IP follow Yes Proxy ARP Yes Local proxy...

Page 826: ...nformation in this chapter if you need to change some of the IP parameters from their default values or you want to view configuration information or statistics Overview Layer 2 Switches and Layer 3 Switches support Internet Protocol version 4 IPv4 and IPv6 IP support on Layer 2 Switches consists of basic services to support management access and access to a default gateway Full Layer 3 support NO...

Page 827: ... routing interfaces used by VLANs to route among one another Loopback interfaces Each IP address on a Layer 3 Switch must be in a different subnet You can have only one interface that is in a given subnet For example you can configure IP addresses 192 168 1 1 24 and 192 168 2 1 24 on the same Layer 3 Switch but you cannot configure 192 168 1 1 24 and 192 168 1 2 24 on the same Layer 3 Switch You c...

Page 828: ...packet to a queue on the outgoing ports listed in the session table The Layer 3 Switch selects the queue based on the Quality of Service QoS level associated with the session table entry 3 If the session table does not contain an entry that matches the packet source address and TCP or UDP port the Layer 3 Switch looks in the IP forwarding cache for an entry that matches the packet destination IP a...

Page 829: ...e The ARP cache contains entries that map IP addresses to MAC addresses Generally the entries are for devices that are directly attached to the Layer 3 Switch An exception is an ARP entry for an interface based static IP route that goes to a destination that is one or more router hops away For this type of entry the MAC address is either the destination device MAC address or the MAC address of the...

Page 830: ...rp parameter controls the static ARP table size IP route table The IP route table contains paths to IP destinations NOTE Layer 2 Switches do not have an IP route table A Layer 2 Switch sends all packets addressed to another subnet to the default gateway which you specify when you configure the basic IP information on the Layer 2 Switch The IP route table can receive the paths from the following so...

Page 831: ...forwarding cache for an entry to the packet destination If the cache contains an entry with the destination IP address the device uses the information in the entry to forward the packet out the ports listed in the entry The destination IP address is the address of the packet final destination The port numbers are the ports through which the destination can be reached If the cache does not contain ...

Page 832: ...rwarding for the following features Layer 4 Quality of Service QoS policies IP access policies To increase the size of the session table refer to the section Displaying and modifying system parameter default settings on page 321 The ip qos session parameter controls the size of the session table IP route exchange protocols Layer 3 Switches support the following IP route exchange protocols Routing ...

Page 833: ... VRRP You can use VRRPE only on Layer 3 Switches For configuration information refer to the Chapter 31 Configuring VRRP and VRRPE Access Control Lists and IP access policies Layer 3 Switches provide two mechanisms for filtering IP traffic Access Control Lists ACLs IP access policies Both methods allow you to filter packets based on Layer 3 and Layer 4 source and destination information ACLs also p...

Page 834: ...aken effect by displaying the running config To display the running config enter the show running config or write terminal command at any CLI prompt You cannot display the running config from the Web Management Interface To save a configuration change permanently so that the change remains in effect following a system reset or software reload save the change to the startup config file To save conf...

Page 835: ...gth an Ethernet packet can be without being fragmented 1500 bytes for Ethernet II encapsulation 1492 bytes for SNAP encapsulation page 807 Address Resolution Protocol ARP A standard IP mechanism that routers use to learn the Media Access Control MAC address of a device on the network The router sends the IP address of a device in the ARP request and receives the device MAC address in an ARP reply ...

Page 836: ... destination address All ones NOTE If you enable all zeroes directed broadcasts all ones directed broadcasts remain enabled page 817 Source routed packet forwarding A source routed packet contains a list of IP addresses through which the packet must pass to reach its destination Enabled page 816 Internet Control Message Protocol ICMP messages The Layer 3 Switch can send the following types of ICMP...

Page 837: ...eld in the IP header NOTE Load sharing is sometimes called Equal Cost Multi Path ECMP Enabled page 829 Maximum IP load sharing paths The maximum number of equal cost paths across which the Layer 3 Switch is allowed to distribute traffic Four page 832 Origination of default routes You can enable a router to originate default routes for the following route exchange protocols on an individual protoco...

Page 838: ...44 on page 793 Ten minutes page 812 Metric A numeric cost the router adds to RIP routes learned on the interface This parameter applies only to RIP routes 1 one page 910 Directed broadcast forwarding Locally overrides the global setting Refer to Table 144 on page 793 Disabled page 815 ICMP Router Discovery Protocol IRDP Locally overrides the global IRDP settings Refer to Table 144 on page 793 Disa...

Page 839: ...ervers attached to other subnets NOTE To completely enable a client UDP application request to find a server on another subnet you must configure an IP helper address consisting of the server IP address or the directed broadcast address for the subnet that contains the server See the next row The router helps forward broadcasts for the following UDP application protocols bootps dns netbios dgm net...

Page 840: ...ayer 2 Switch sends the IP address of a device in the ARP request and receives the device MAC address in an ARP reply Enabled NOTE You cannot disable ARP n a ARP age The amount of time the device keeps a MAC address learned through ARP in the device ARP cache The device resets the timer to zero each time the ARP entry is refreshed and removes the entry if the timer reaches the ARP age Ten minutes ...

Page 841: ...router interface that forwards the packet in the packet Gateway field You can specify up to 32 gateway lists A gateway list contains up to eight gateway IP addresses You activate DHCP assistance by associating a gateway list with a port When you configure multiple IP addresses in a gateway list the Layer 2 Switch inserts the addresses into the DHCP Discovery packets in a round robin fashion None c...

Page 842: ...gnificant bits ones By default the CLI displays network masks in classical IP address format example 255 255 255 0 You can change the display to prefix format Refer to Changing the network mask display to prefix format on page 869 Assigning an IP address to an Ethernet port To assign an IP address to port 1 1 enter the following commands PowerConnect config interface ethernet 1 1 PowerConnect conf...

Page 843: ...ap problems that can occur due to unstable links between a Layer 3 Switch and other devices You can configure up to eight loopback interfaces on a Chassis Layer 3 Switch You can configure up to four loopback interfaces on a Compact Layer 3 Switch You can add up to 24 IP addresses to each loopback interface NOTE If you configure the Layer 3 Switch to use a loopback interface to communicate with a B...

Page 844: ... 3 protocol based VLAN name IP Subnet_1 1 2 0 24 and add a range of untagged ports to the VLAN The router interface command creates virtual interface 1 as the routing interface for the VLAN Syntax router interface ve num The num variable specifies the virtual interface number You can enter a number from 1 through 4095 When configuring virtual routing interfaces on a device you can specify a number...

Page 845: ... For number enter the ID of the virtual routing interface Use the no form of the command to disable the configuration Virtual routing interface 2 and 3 do not have their own IP subnet address but are sharing the IP address of virtual routing interface 1 Deleting an IP address To delete an IP address enter a command such as the following PowerConnect config if e1000 1 no ip address 1 1 2 1 This com...

Page 846: ...ent back to the client with the host IP address If no match is found an unknown host message is returned Refer to Figure 127 FIGURE 127 DNS resolution with one domain name Defining a domain name To define a domain to resolve host names enter a command such as the following PowerConnect config ip dns domain name ds company com Syntax no ip dns domain name domain name Enter the domain name for domai...

Page 847: ... example enter the commands such as the following PowerConnect config ip dns domain list company com PowerConnect config ip dns domain list ds company com PowerConnect config ip dns domain list hw_company com PowerConnect config ip dns domain list qa_company com PowerConnect config The domain names are tried in the order you enter them Syntax no ip dns domain list domain name Using a DNS name to i...

Page 848: ...The Layer 3 Switch encapsulates IP packets into Layer 2 packets to send the IP packets on the network A Layer 2 packet is also called a MAC layer packet or an Ethernet frame The source address of a Layer 2 packet is the MAC address of the Layer 3 Switch interface sending the packet The destination address can be one of the following The MAC address of the IP packet destination In this case the des...

Page 849: ...cannot use this command to set Layer 2 maximum frame sizes per interface The global jumbo command causes all interfaces to accept Layer 2 frames When you increase the MTU size of a port the increase uses system resources Increase the MTU size only on the ports that need it For example if you have one port connected to a server that uses jumbo frames and two other ports connected to clients that ca...

Page 850: ...rnet II encapsulation 10 240 bytes The maximum for SNAP encapsulation NOTE If you set the MTU of a port to a value lower than the global MTU and from 576 through 1499 the port fragments the packets However if the port MTU is exactly 1500 and this is larger than the global MTU the port drops the packets NOTE You must save the configuration change and then reload the software to enable jumbo support...

Page 851: ...s This IP address is the router ID NOTE Routing Information Protocol RIP does not use the router ID NOTE If you change the router ID all current BGP4 sessions are cleared By default the router ID on a Layer 3 Switch is one of the following If the router has loopback interfaces the default router ID is the IP address configured on the lowest numbered loopback interface configured on the Layer 3 Swi...

Page 852: ...cache The Layer 3 Switch needs to know the MAC address that corresponds with the IP address of either the packet locally attached destination or the next hop router that leads to the destination For example to forward a packet whose destination is multiple router hops away the Layer 3 Switch must send the packet to the next hop router toward its destination or to a default route or default network...

Page 853: ...nds an ICMP Host Unreachable message to the source Rate limiting ARP packets You can limit the number of ARP packets the Dell PowerConnect device accepts during each second By default the software does not limit the number of ARP packets the device can receive Since the device sends ARP packets to the CPU for processing if a device in a busy network receives a high number of ARP packets in a short...

Page 854: ...he default is 10 If you specify 0 aging is disabled To override the globally configured IP ARP age on an individual interface enter a command such as the following at the interface configuration level PowerConnect config if e1000 1 1 ip arp age 30 Syntax no ip arp age num The num parameter specifies the number of minutes and can be from 0 through 240 The default is the globally configured value wh...

Page 855: ...oxy arp enable disable Enabling local proxy ARP Dell PowerConnect devices support Proxy Address Resolution Protocol Proxy ARP a feature that enables router ports to respond to ARP requests for subnets it can reach However router ports will not respond to ARP requests for IP addresses in the same subnet as the incoming ports unless Local Proxy ARP per IP interface is enabled Local Proxy ARP enables...

Page 856: ...play the ARP table refer to Displaying the ARP cache on page 874 To display the static ARP table refer to Displaying the static ARP table on page 876 To create a static ARP entry enter a command such as the following PowerConnect config arp 1 192 53 4 2 1245 7654 2348 ethernet 1 2 Syntax arp num ip addr mac addr ethernet port The num parameter specifies the entry number You can specify a number fr...

Page 857: ...nes based and zero based broadcasts All these parameters are global and thus affect all IP interfaces configured on the Layer 3 Switch To configure these parameters use the procedures in the following sections Changing the TTL threshold The TTL threshold prevents routing loops by specifying the maximum number of router hops an IP packet originated by the Layer 3 Switch can travel through Each devi...

Page 858: ...face ethernet 1 1 PowerConnect config if 1 1 ip directed broadcast Syntax no ip directed broadcast Disabling forwarding of IP source routed packets A source routed packet specifies the exact router path for the packet The packet specifies the path by listing the IP addresses of the router interfaces through which the packet must pass on its way to the destination The Layer 3 Switch supports both t...

Page 859: ...t portion as IP subnet broadcasts too Thus the Layer 3 Switch can be configured to support all ones only the default or all ones and all zeroes NOTE This feature applies only to IP subnet broadcasts not to local network broadcasts The local network broadcast address is still expected to be all ones To enable the Layer 3 Switch for zero based IP subnet broadcasts in addition to ones based IP subnet...

Page 860: ...network Port The destination host does not have the destination TCP or UDP port specified in the packet In this case the host sends the ICMP Port Unreachable message to the Dell PowerConnect device which in turn sends the message to the host that sent the packet Protocol The TCP or UDP protocol on the destination host is not running This message is different from the Port Unreachable message which...

Page 861: ...ering the following command PowerConnect config ip icmp unreachable host Disabling ICMP Redirect Messages You can disable or re enable ICMP redirect messages By default a Layer 3 Switch sends an ICMP redirect message to the source of a misdirected packet in addition to forwarding the packet to the appropriate router You can disable ICMP redirect messages on a global basis or on an individual port ...

Page 862: ...e metric for load sharing or with different metrics to provide a primary route and backup routes Interface based the static route consists of the destination network address and network mask and the Layer 3 Switch interface through which you want the Layer 3 Switch to send traffic for the route Typically this type of static route is for directly attached destination networks Null the static route ...

Page 863: ...ministrative distances the Layer 3 Switch uses the route with the lowest administrative distance by default but uses another route to the same destination if the first route becomes unavailable Refer to the following sections for examples and configuration information Configuring load balancing and redundancy using multiple static routes to the same destination on page 824 Configuring standard sta...

Page 864: ...tead of a next hop address enter a command such as the following PowerConnect config ip route 192 128 2 69 255 255 255 0 ethernet 4 1 The command in the previous example configures a static IP route for destination network 192 128 2 69 24 Since an Ethernet port is specified instead of a gateway IP address as the next hop the Layer 3 Switch always forwards traffic for the 192 128 2 69 24 network to...

Page 865: ...her ones so make sure you use a low value for your default route The default is 1 NOTE The Layer 3 Switch will replace the static route if the it receives a route with a lower administrative distance Refer to Changing administrative distances on page 1014 for a list of the default administrative distances for all types of routes NOTE You can also assign the default router as the destination by ent...

Page 866: ...tination for the following benefits IP load sharing If you configure more than one static route to the same destination and the routes have different next hop gateways but have the same metrics the Layer 3 Switch load balances among the routes using basic round robin For example if you configure two static routes with the same metrics but to different gateways the Layer 3 Switch alternates between...

Page 867: ...ring a static IP route on page 822 Configuring standard static IP routes and interface or null static routes to the same destination You can configure a null0 or interface based static route to a destination and also configure a normal static route to the same destination so long as the route metrics are different When the Layer 3 Switch has multiple routes to the same destination the Layer 3 Swit...

Page 868: ...f two static routes In this example a standard static route and an interface based static route are configured for destination network 192 168 6 0 24 The interface based static route has a lower metric than the standard static route As a result the Layer 3 Switch always prefers the interface based route when the route is available However if the interface based route becomes unavailable the Layer ...

Page 869: ...lable the software uses the null route For complete syntax information refer to Configuring a static IP route on page 822 To configure a standard static route and an interface based route to the same destination enter commands such as the following PowerConnect config ip route 192 168 6 0 24 ethernet 1 1 1 PowerConnect config ip route 192 168 6 0 24 192 168 8 11 24 3 The first command configured a...

Page 870: ...f a topology change occurs and as a result the default network route s next hop gateway changes the software can still use the default network route To configure a default network route use the following CLI method If you configure more than one default network route the Layer 3 Switch uses the following algorithm to select one of the routes 1 Use the route with the lowest administrative distance ...

Page 871: ...oute to a destination Thus when the software compares multiple equal cost paths the software is comparing paths that use different next hop routers with equal costs to the same destination In many contexts the terms route and path mean the same thing Most of the user documentation uses the term route throughout The term path is used in this section to refer to an individual next hop router to a de...

Page 872: ... this value is not configurable Static IP route 1 applies to all static routes including default routes and default network routes Exterior Border Gateway Protocol EBGP 20 OSPF 110 RIP 120 Interior Gateway Protocol IBGP 200 Local BGP 200 Unknown 255 the router will not use this route Lower administrative distances are preferred over higher distances For example if the router receives routes for th...

Page 873: ...BGP4 route table cannot contain equal cost paths to the destination Consequently the IP route table will not receive multiple equal cost paths from BGP4 Table 149 lists the default and configurable maximum numbers of paths for each IP route source that can provide equal cost paths to the IP route table The table also lists where to find configuration information for the route source load sharing p...

Page 874: ...paths the Layer 3 Switch supports to a value from 2 through 8 Table 150 shows the maximum number of paths supported per device For optimal results set the maximum number of paths to a value at least as high as the maximum number of equal cost paths your network typically contains For example if the Layer 3 Switch you are configuring for IP load sharing has six next hop routers set the maximum path...

Page 875: ... Maximum message interval and minimum message interval When IRDP is enabled the Layer 3 Switch sends the Router Advertisement messages every 450 600 seconds by default The time within this interval that the Layer 3 Switch selects is random for each message and is not affected by traffic loads or other network factors The random interval minimizes the probability that a host will receive Router Adv...

Page 876: ...t the router interface that sent the advertisement is no longer available The value must be greater than the value of the maxadvertinterval parameter and cannot be greater than 9000 The default is three times the value of the maxadvertinterval parameter The maxadvertinterval parameter specifies the maximum amount of time the Layer 3 Switch waits between sending Router Advertisements You can specif...

Page 877: ...n of configured host addresses RARP requires static configuration of the host IP addresses on the Layer 3 Switch The Layer 3 Switch replies directly to a host request by sending an IP address you have configured in the RARP table The Layer 3 Switch forwards BootP and DHCP requests to a third party BootP DHCP server that contains the IP addresses and other host configuration information Connection ...

Page 878: ...onse to the client RARP request Changing the maximum number of static RARP entries supported The number of RARP entries the Layer 3 Switch supports depends on how much memory the Layer 3 Switch has To determine how many RARP entries your Layer 3 Switch can have display the system default information using the procedure in the section Displaying and modifying system parameter default settings on pa...

Page 879: ...er 3 Switch to forward BootP DHCP requests refer to Configuring BootP DHCP relay parameters on page 839 You can enable forwarding for other applications by specifying the application port number You also can disable forwarding for an application NOTE If you disable forwarding for a UDP application forwarding of client requests received as broadcasts to helper addresses is disabled Disabling forwar...

Page 880: ...nter a command such as the following PowerConnect config no ip forward protocol udp snmp This command disables forwarding of SNMP requests to the helper addresses configured on Layer 3 Switch interfaces Configuring an IP helper address To forward a client broadcast request for a UDP application when the client and server are on different networks you must configure a helper address on the interfac...

Page 881: ...ers The following parameters control the Layer 3 Switch forwarding of BootP DHCP requests Helper address The BootP DHCP server IP address You must configure the helper address on the interface that receives the BootP DHCP requests from the client The Layer 3 Switch cannot forward a request to the server unless you configure a helper address for the server Gateway address The Layer 3 Switch places ...

Page 882: ...he address The BootP DHCP stamp address is an interface parameter Change the parameter on the interface that is connected to the BootP DHCP client To change the IP address used for stamping BootP DHCP requests received on interface 1 1 enter commands such as the following PowerConnect config interface ethernet 1 1 PowerConnect config if 1 1 ip bootp gateway 109 157 22 26 These commands change the ...

Page 883: ...des greater control of address distribution within a subnet This feature is crucial if the subnet has more devices than available IP address In contrast to BOOTP which has two types of messages that can be used for leased negotiation DHCP provides 7 types of messages Refer to Supported Options for DHCP Servers on page 859 DHCP allocates temporary or permanent network IP addresses to clients When a...

Page 884: ...address assignments for a large number of subscribers If DHCP option 82 is disabled a DHCP policy can only be applied per subnet rather than per physical port When DCHP option 82 is enabled a subscriber is identified by the physical port through which it connects to the network DHCP Server options A PowerConnect configured as a DHCP server can support up to 1000 DHCP clients offering them the foll...

Page 885: ...address available Check for requested address from host options parameters Requested IP Address Host options requested address Log error to system log Mark address as available to another host Mark address as no available and log config error in system log No Yes Match found Log warning to system log Check host decline address against address pool DHCP request DHCP inform DHCP decline DHCP release...

Page 886: ...werConnect config ip dhcp server pool cabo 3 Configure the DHCP Server address pool by entering commands similar to the following PowerConnect config dhcp cabo network 172 16 1 0 24 PowerConnect config dhcp cabo domain name dell com PowerConnect config dhcp cabo dns server 172 16 1 2 172 16 1 3 PowerConnect config dhcp cabo netbios name server 172 16 1 2 PowerConnect config dhcp cabo lease 0 0 5 4...

Page 887: ...se transfer option domain name Specifies the domain name for the DHCP clients option domain nameservers Specifies the Domain Name System DNS IP servers that are available to the DHCP clients option merit dump Specifies the path name of a file into which the client s core image should be placed in the event that the client crashes the DHCP application issues an exception in case of errors such as d...

Page 888: ...all lease entries Refer to Display active lease entries on page 851 show ip dhcp server address pool name Displays a specific address pool or all address pools Refer to Display address pool information on page 851 show ip dhcp server flash Displays the lease binding database that is stored in flash memory Refer to Display lease binding information in flash memory on page 852 show ip dhcp server su...

Page 889: ...nt port enter the following command at the global Config level of the CLI PowerConnect config no ip dhcp server mgmt Syntax no ip dhcp server mgmt To re enable DHCP Server on the management port after it has been disabled enter the following command PowerConnect config ip dhcp server mgmt Syntax ip dhcp server mgmt netbios name server address address2 address3 Specifies the IP address of a NetBIOS...

Page 890: ...y These commands create an address pool named monterey Syntax dhcp server pool name Configuration notes If the DHCP server address is part of a configured DHCP address pool you must exclude the DHCP server address from the network pool Refer to Specify addresses to exclude from the address pool on page 850 While in DHCP server pool configuration mode the system will place the DHCP server pool in p...

Page 891: ... the ip addresses of the default routers for a client Syntax dhcp default router address address address Specify DNS servers available to the client The dns server command specifies DNS servers that are available to DHCP clients PowerConnect config dhcp cabo dns server 102 2 1 143 101 2 2 142 Syntax dns server address address address Configure the domain name for the client The domain name command...

Page 892: ...os name server address address2 address3 Configure the subnet and mask of a DHCP address pool This network command configures the subnet network and mask of the DHCP address pool PowerConnect config dhcp cabo network 101 2 3 44 24 Syntax network subnet mask Configure a next bootstrap server The next bootstrap server command specifies the IP address of the next server the client should use for boot...

Page 893: ...nly The following table describes this output Display address pool information This show ip dhcp server address pool command displays information about a specific address pool or for all address pools PowerConnect show ip dhcp server address pools Output similar to the following is displayed as shown here Showing all address pool s Pool Name one Time elapsed since last save 0d 0h 6m 52s Total numb...

Page 894: ...92 168 1 2 001b ed5d a440 0d 0h 18m 59s Automatic 192 168 1 3 0012 f2e1 26c0 0d 0h 19m 8s Automatic Syntax show ip dhcp server flash The following table describes this output TABLE 155 CLI display of show ip dhcp server address pools command This field Displays Pool name The name of the address pool Time elapsed since last save The time that has elapsed since the last save Total number of active l...

Page 895: ...owing information is displayed DHCP Server Summary Total number of active leases 2 Total number of deployed address pools 1 Total number of undeployed address pools 0 Server uptime 0d 0h 8m 27s Syntax show ip dhcp server summary The following table describes this output TABLE 156 CLI display of show ip dhcp server flash command This field Displays IP address The IP address of the flash memory leas...

Page 896: ...display of show ip dhcp server summary command This field Displays Total number of active leases Indicates the number of leases that are currently active Total number of deployed address pools The number of address pools currently in use Total number of undeployed address pools The number of address pools being held in reserve Server uptime The amount of time that the server has been active TABLE ...

Page 897: ...ices this feature is available for the default VLAN only For Layer 2 devices this feature is available for default VLANs and management VLANs This feature is not supported on virtual interfaces VEs trunked ports or LACP ports Although the DHCP server may provide multiple addresses only one IP address is installed at a time This feature is not supported together with DHCP snooping PowerConnect conf...

Page 898: ... DHCP option 067 bootfile name will be used for configuration download if it does not have the extension bin If the DHCP option 067 bootfile name is not configured or does not have the extension bin then the auto update image will not occur How DHCP Client Based Auto Configuration and Flash image update works Auto Configuration and Auto update are enabled by default To disable this feature refer t...

Page 899: ...Other Possible Events Has IP address Yes No Yes No Yes No Yes Yes No Yes No No Yes No Yes No System boot feature enable start Static Static or dynamic address Dynamic Requests new IP address from DHCP server Server responds 4 tries DHCP Client process ends Static address is kept Asks server if address is valid in pool and not leased DHCP server responds 4 tries Is IP address valid Continue lease C...

Page 900: ...hen the client device reboots or when DHCP client has been disabled and then re enabled Once a lease is obtained from the server described in The IP address validation and lease negotiation step on page 857 the device compares the filename of the requested flash image with the image stored in flash In a stacking configuration the device compares the filename with the image stored in the Active con...

Page 901: ...g for filenames in the following order bootfile name provided by the DHCP server if configured hostnameMAC config cfg for example PowerConnect Switch001b ed5e 4d00 config cfg hostnameMAC cfg for example PowerConnect Switch001b ed5e 4d00 cfg PowerConnect switch router cfg applies to Layer 2 or base Layer 3 devices for example PowerConnect switch cfg FCX Layer 2 PowerConnect router cfg FCX Layer 3 I...

Page 902: ...llowing commands PowerConnect config if e1000 0 1 1 ip dhcp client enable PowerConnect config if e1000 0 1 1 no ip dhcp client enable Syntax no ip dhcp client enable Disabling or re enabling Auto Update Auto update is enabled by default To disable it use the following command PowerConnect config no ip dhcp client auto update enabled To re enable auto update after it has been disabled use the follo...

Page 903: ...d PowerConnect config show ip Switch IP address 10 44 16 116 Subnet mask 255 255 255 0 Default router address 10 44 16 1 TFTP server address 10 44 16 41 Configuration filename foundry cfg Image filename None PowerConnect config show ip address IP Address Type Lease Time Interface 10 44 16 116 Dynamic 174 0 1 1 PowerConnect config show ip address IP Address Type Lease Time Interface 10 44 3 233 Dyn...

Page 904: ...vice found no DHCP server s on 3 possible subnet 2d01h48m21s I DHCPC changing 0 1 3 protocol from stopped to running Configuring IP parameters Layer 2 Switches The following sections describe how to configure IP parameters on a Layer 2 Switch NOTE This section describes how to configure IP parameters for Layer 2 Switches For IP configuration information for Layer 3 Switches refer to Configuring IP...

Page 905: ...ormat on page 869 To assign an IP address to a Layer 2 Switch enter a command such as the following at the global CONFIG level PowerConnect config ip address 192 45 6 110 255 255 255 0 Syntax ip address ip addr ip mask or Syntax ip address ip addr mask bits You also can enter the IP address and mask in CIDR format as follows PowerConnect config ip address 192 45 6 1 24 To specify the Layer 2 Switc...

Page 906: ...nnect config ip dns server address 209 157 22 199 205 96 7 15 208 95 7 25 201 98 7 15 Syntax ip dns server address ip addr ip addr ip addr ip addr In this example the first IP address in the ip dns server address command becomes the primary gateway address and all others are secondary addresses Because IP address 201 98 7 15 is the last address listed it is also the last address consulted to resol...

Page 907: ...ket The default TTL is 64 You can change the TTL to a value from 1 through 255 To modify the TTL threshold to 25 enter the following commands PowerConnect config ip ttl 25 PowerConnect config exit Syntax ip ttl 1 255 Configuring DHCP Assist DHCP Assist allows a Layer 2 Switch to assist a router that is performing multi netting on its interfaces as part of its DHCP relay function DHCP Assist ensure...

Page 908: ... unable to determine the origin of each packet by subnet it assumes the lowest IP address or the primary address is the gateway for all ports on the Layer 2 Switch and stamps the request with that address When the DHCP request is received at the server it assigns all IP addresses within that range only With DHCP Assist enabled on a Layer 2 Switch correct assignments are made because the Layer 2 Sw...

Page 909: ...e corresponding IP subnet Figure 137 The IP address is then forwarded back to the workstation that originated the request NOTE When DHCP Assist is enabled on any port Layer 2 broadcast packets are forwarded by the CPU Unknown unicast and multicast packets are still forwarded in hardware although selective packets such as IGMP are sent to the CPU for analysis When DHCP Assist is not enabled Layer 2...

Page 910: ...re a gateway list when DHCP Assist is enabled on a Layer 2 Switch The gateway list contains a gateway address for each subnet that will be requesting addresses from a DHCP server The list allows the stamping process to occur Each gateway address defined on the Layer 2 Switch corresponds to an IP address of the router interface or other router involved Step 4 DHCP Server extracts the gateway addres...

Page 911: ...ing IP configuration information and statistics The following sections describe IP display options for Layer 3 Switches and Layer 2 Switches To display IP information on a Layer 3 Switch refer to Displaying IP information Layer 3 Switches on page 869 To display IP information on a Layer 2 Switch refer to Displaying IP information Layer 2 Switches on page 883 Changing the network mask display to pr...

Page 912: ...ormation This information is described in other parts of this guide RIP OSPF BGP4 DVMRP PIM VRRP or VRRPE Displaying global IP configuration information To display IP configuration information enter the following command at any CLI level Syntax show ip NOTE This command has additional options which are explained in other sections in this guide including the sections following this one This display...

Page 913: ... ID on page 809 enabled The IP related protocols that are enabled on the router disabled The IP related protocols that are disabled on the router Static routes Index The row number of this entry in the IP route table IP Address The IP address of the route destination Subnet Mask The network mask for the IP address Next Hop Router The IP address of the router interface to which the router sends pac...

Page 914: ... name For example TCP port 80 can be displayed as HTTP NOTE This field applies only if the IP protocol is TCP or UDP Operator The comparison operator for TCP or UDP port names or numbers NOTE This field applies only if the IP protocol is TCP or UDP TABLE 159 CLI display of global IP configuration information Layer 3 Switch Continued This field Displays PowerConnect show process cpu Process Name 5S...

Page 915: ...nformation To display IP interface information enter the following command at any CLI level Syntax show ip interface ethernet slotnum portnum loopback num ve num This display shows the following information TABLE 160 CLI display of interface IP configuration information This field Displays Interface The type and the slot and port number of the interface IP Address The IP address of the interface N...

Page 916: ...erface in the Method field is manual Status The link status of the interface If you have disabled the interface with the disable command the entry in the Status field will be administratively down Otherwise the entry in the Status field will be either up or down Protocol Whether the interface can provide two way communication If the IP address is configured and the link status of the interface is ...

Page 917: ...isplay shows the following information The number in the left column of the CLI display is the row number of the entry in the ARP cache This number is not related to the number you assign to static MAC entries in the static ARP table TABLE 161 CLI display of ARP cache This field Displays Total number of ARP Entries The number of entries in the ARP cache Maximum capacity The total number of ARP ent...

Page 918: ...entries for multiple MAC addresses Specify the MAC address mask as f s and 0 s where f s are significant bits The ip addr and ip mask parameters let you restrict the display to entries for a specific IP address and network mask Specify the IP address masks in standard decimal mask format for example 255 255 0 0 NOTE The ip mask parameter and mask parameter perform different operations The ip mask ...

Page 919: ...age 814 Index The number of this entry in the table You specify the entry number when you create the entry IP Address The IP address of the device MAC Address The MAC address of the device Port The port attached to the device the entry is for TABLE 163 CLI display of IP forwarding cache Layer 3 Switch This field Displays IP Address The IP address of the destination Next Hop The IP address of the n...

Page 920: ...try whose row number corresponds to the number you specify For example if you want to display the tenth row in the table enter 10 Type The type of host entry which can be one or more of the following D Dynamic P Permanent F Forward U Us C Complex Filter W Wait ARP I ICMP Deny K Drop R Fragment S Snap Encap Port The port through which this device reaches the destination For destinations that are lo...

Page 921: ...beginning with 209 159 The mask value and longer parameter specify the range of network addresses to be displayed In this example all routes within the range 209 159 0 0 209 159 255 255 are listed The summary option displays a summary of the information in the IP route table The following is an example of the output from this command PowerConnect show ip route direct Start index 1 B BGP D Connecte...

Page 922: ...le ECMP next hops If the ARP entry for the next hop ages out or is cleared then the next packet to be routed through the PowerConnect device whose destination matches that route can cause the asterisk to move to the next hop down the list of ECMP next hops for that route This means that if the next hop goes down the asterisk can move to another next hop with equal cost Port The port through which ...

Page 923: ...e PowerConnect show ip traffic IP Statistics 139 received 145 sent 0 forwarded 0 filtered 0 fragmented 0 reassembled 0 bad header 0 no route 0 unknown proto 0 no buffer 0 other errors ICMP Statistics Received 0 total 0 errors 0 unreachable 0 time exceed 0 parameter 0 source quench 0 redirect 0 echo 0 echo reply 0 timestamp 0 timestamp reply 0 addr mask 0 addr mask reply 0 irdp advertisement 0 irdp...

Page 924: ...me Exceeded messages sent or received by the device parameter The number of Parameter Problem messages sent or received by the device source quench The number of Source Quench messages sent or received by the device redirect The number of Redirect messages sent or received by the device echo The number of Echo messages sent or received by the device echo reply The number of Echo Reply messages sen...

Page 925: ...requests sent The number of requests this device has sent to another RIP router for all or part of its RIP routing table requests received The number of requests this device has received from another RIP router for all or part of this device RIP routing table responses sent The number of responses this device has sent to another RIP router request for all or part of this device RIP routing table r...

Page 926: ...nfigured on the Layer 2 Switch Specify this address for Telnet or Web management access Subnet mask The subnet mask for the management IP address Default router address The address of the default gateway if you specified one Most recent TFTP access TFTP server address The IP address of the most recently contacted TFTP server if the switch has contacted a TFTP server since the last time the softwar...

Page 927: ... VlanId The VLAN the port that learned the entry is in NOTE If the MAC address is all zeros this field shows a random VLAN ID since the Layer 2 Switch does not yet know which port the device for this entry is attached to PowerConnect show ip traffic IP Statistics 27 received 24 sent 0 fragmented 0 reassembled 0 bad header 0 no route 0 unknown proto 0 no buffer 0 other errors ICMP Statistics Receiv...

Page 928: ... ICMP Router Discovery Messages Statistics are organized into Sent and Received The field descriptions below apply to each total The total number of ICMP messages sent or received by the device errors This information is used by Dell customer support unreachable The number of Destination Unreachable messages sent or received by the device time exceed The number of Time Exceeded messages sent or re...

Page 929: ...by this device in response to connection requests TCP SYNs received from other devices failed attempts This information is used by Dell customer support active resets The number of TCP connections this device reset by sending a TCP RESET message to the device at the other end of the connection passive resets The number of TCP connections this device reset because the device at the other end of the...

Page 930: ...888 PowerConnect B Series FCX Configuration Guide 53 1002266 01 26 ...

Page 931: ...y require VLAN flooding these devices do not snoop in the FF0X 000X range where X is from 0 to F Data packets destined to these addresses are flooded to the entire VLAN by hardware and mirrored to CPU Multicast data packets destined to addresses outside the FF0X 000X range are snooped A client must send MLD reports in order to receive traffic If an application outside the FF0X 000X range requires ...

Page 932: ...es do not support PIM SM routing If a VLAN is not MLD Snooping enabled it floods IPv6 multicast data and control packets to the entire VLAN in hardware When snooping is enabled MLD packets are trapped to the CPU Data packets are mirrored to the CPU and VLAN flooded The CPU then installs hardware resources so subsequent data packets can be hardware switched to desired ports without going through th...

Page 933: ...isten for queries and forward them to the entire VLAN Every VLAN can be independently configured as a querier or a non querier A VLAN that has a connection to an IPv6 PIM enabled port on another router should be configured as a non querier When multiple snooping devices connect together and there is no connection to IPv6 PIM ports only one device should be configured as the querier If multiple dev...

Page 934: ... devices are configured as queriers after multiple devices exchange queries then all devices except the winner the device with the lowest address stop sending queries Although the system works when multiple devices are configured as queriers Dell recommends that only one device preferably the one with the traffic source is configured as the querier Because non queriers always forward multicast dat...

Page 935: ...g and disabling report control rate limiting Modifying the leave wait time Modifying the mcache age interval Disabling error and warning messages VLAN specific tasks Configuring the MLD mode for the VLAN active or passive Enabling or disabling MLD Snooping for the VLAN Configuring the MLD version for the VLAN Configuring the MLD version for individual ports Configuring static groups to the entire ...

Page 936: ...e for either active or passive default MLD mode If you specify an MLD mode for a VLAN the MLD mode overrides the global setting Active In active MLD mode the device actively sends out MLD queries to identify IPv6 multicast groups on the network and makes entries in the MLD table based on the group membership reports it receives from the network Passive In passive MLD mode the device forwards repor...

Page 937: ...nect config ipv6 mld snooping version 2 Syntax no ipv6 mld snooping version 1 2 You can also specify the MLD version for individual VLANs or individual ports within VLANs If no MLD version is specified for a VLAN then the globally configured MLD version is used If an MLD version is specified for individual ports in a VLAN those ports use that version instead of the version specified for the VLAN o...

Page 938: ...igure a higher value only when data streams are arriving consistently The range is 60 to 3600 seconds and the default is 60 seconds PowerConnect config ipv6 mld snooping mcache age 180 Syntax no ipv6 mld snooping mcache age num Disabling error and warning messages The device prints error or warning messages when it runs out of software resources or when it receives packets with the wrong checksum ...

Page 939: ...to use MLDv2 The other ports use the MLD version specified with the mld snooping version command or the globally configured MLD version PowerConnect config vlan 20 PowerConnect config vlan 20 mld snooping port version 2 ethe 0 2 1 ethe 0 1 4 to 0 1 6 Syntax no mld snooping port version 1 2 ethernet stack unit slot port ethernet stack unit slot port to ethernet stack unit slot port Configuring stat...

Page 940: ... the querier The querier should age the group out The proxy activity can be turned off the default is on For example PowerConnect config vlan 20 PowerConnect config vlan 20 mld snooping proxy off Syntax no mld snooping proxy off Enabling MLDv2 membership tracking and fast leave for the VLAN MLDv2 provides membership tracking and fast leave services to clients In MLDv1 only one client per interface...

Page 941: ...ct the querier device should not be configured for fast leave v1 because the port to the non querier device could have multiple clients The number of queries and the waiting period in seconds can be configured using the ipv6 mld snooping leave wait time command The default is 2 seconds To configure fast leave for MLDv1 use commands such as the following PowerConnect config vlan 20 PowerConnect con...

Page 942: ...oup is in EXCLUDE mode with a source of 0 The group excludes traffic from the 0 zero source list which actually means that all traffic sources are included To display detailed MLD group information enter the following command This field Displays SW processed pkt The number of IPv6 multicast packets processed by MLD snooping up time The time since the MLD snooping last occurred is enabled PowerConn...

Page 943: ...life The number of seconds the group can remain in EXCLUDE mode An EXCLUDE mode changes to INCLUDE if it does not receive an IS_EX or TO_EX message during a specified period of time The default is 140 seconds There is no life displayed in INCLUDE mode mode The current mode of the interface INCLUDE or EXCLUDE If the interface is in INCLUDE mode it admits traffic only from the source list If the int...

Page 944: ...the time defined by ipv6 mld snooping mcache age uptime The up time of this mcache in minutes vidx The vidx is shared among mcaches using the same output interfaces The vidx specifies the output port list which shows the index Valid range is from 4096 to 8191 ref cnt The number of mcaches using this vidx This field Displays alloc The allocated number of units in use The number of units which are c...

Page 945: ...cessary Available vidx The output interface OIF port mask used by mcache The entire device has a maximum of 4096 vidx Different mcaches with the same OIF share the same vidx If vidx is not available the stream cannot be hardware switched This field Displays Q Query Qry General Query QryV1 Number of general MLDv1 queries received or sent QryV2 Number of general MLDv2 snooping queries received or se...

Page 946: ...ere removed from an interface Pkt Err Number of packets having errors such as checksum errors This field Displays version The MLD version number query t How often a querier sends a general query on the interface group aging t Number of seconds membership groups can be members of this group before aging out rtr port The router ports which are the ports receiving queries The display router ports 0 1...

Page 947: ...che Syntax clear ipv6 mld snooping mcache Clear mcache on a specific VLAN To clear the mcache on a specific VLAN enter the following command PowerConnect clear ipv6 mld snooping vlan 10 mcache Syntax clear ipv6 mld snooping vlan vlan id mcache The vlan id parameter specifies the specific VLAN from which to clear the cache Clear Traffic on a specific VLAN To clear the traffic counters on a specific...

Page 948: ...906 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Configuring MLD snooping 27 ...

Page 949: ...ored in the Layer 3 Switch route table the Layer 3 Switch replaces the older route with the newer one The Layer 3 Switch then includes the new path in the updates it sends to other RIP routers including Layer 3 Switches RIP routers including the Layer 3 Switch also can modify a route cost generally by adding to it to bias the selection of a route for a given destination In this case the actual num...

Page 950: ...efer to Table 172 on page 909 Disabled page 910 Administrative distance The administrative distance is a numeric value assigned to each type of route on the router When the router is selecting from among multiple routes sometimes of different origins to the same destination the router compares the administrative distances of the routes and selects the route with the lowest administrative distance ...

Page 951: ...ersion 1 only Version 2 only Version 1 but also compatible with version 2 NOTE You also must enable RIP globally Disabled page 910 Metric A numeric cost the router adds to RIP routes learned on the interface This parameter applies only to RIP routes 1 one page 910 Learning default routes Locally overrides the global setting Refer to Table 171 on page 908 Disabled page 915 Loop prevention The metho...

Page 952: ... only v1 compatible v2 v2 only NOTE You must specify the RIP version Configuring metric parameters By default a Layer 3 Switch port increases the cost of a RIP route that is learned on the port by one You can configure individual ports to add more than one to a learned route cost In addition you can configure a RIP offset list to increase the metric for learned or advertised routes based on networ...

Page 953: ... based offset list takes precedence The interface based offset list metric is added to the route in this case You can configure up to 24 global RIP offset lists and up to 24 RIP offset lists on each interface To configure a global RIP offset list enter commands such as the following PowerConnect config access list 21 deny 160 1 0 0 0 0 255 255 PowerConnect config access list 21 permit any PowerCon...

Page 954: ...o set the metric based on these criteria Change the default redistribution metric optional The Layer 3 Switch assigns a RIP metric of 1 to each redistributed route by default You can change the default metric to a value up to 16 Enable redistribution NOTE Do not enable redistribution until you configure the other redistribution parameters Configuring redistribution filters RIP redistribution filte...

Page 955: ... The set metric value parameter sets the RIP metric value that will be applied to those routes imported into RIP The following command denies redistribution into RIP for all OSPF routes PowerConnect config rip router deny redistribute 3 ospf address 207 92 0 0 255 255 0 0 The following command denies redistribution for all OSPF routes that have a metric of 10 PowerConnect config rip router deny re...

Page 956: ...ure the following learning and advertising parameters Update interval The update interval specifies how often the Layer 3 Switch sends RIP route advertisements to its neighbors You can change the interval to a value from 1 through 1000 seconds The default is 30 seconds Learning and advertising of RIP default routes The Layer 3 Switch learns and advertises RIP default routes by default You can disa...

Page 957: ...nfigures the Layer 3 Switch so that the device does not learn any RIP routes from any RIP neighbors Syntax no neighbor filter num permit deny source ip address any The following commands configure the Layer 3 Switch to learn routes from all neighbors except 192 168 1 170 Once you define a RIP neighbor filter the default action changes from learning all routes from all neighbors to denying all rout...

Page 958: ...er Redundancy Protocol VRRP or VRRP Extended VRRPE Refer to Chapter 31 Configuring VRRP and VRRPE Normally a VRRP or VRRPE backup includes route information for the virtual IP address the backed up interface in RIP advertisements As a result other routers receive multiple paths for the backed up interface and might sometimes unsuccessfully use the path to the backup rather than the path to the mas...

Page 959: ...rface Once you define RIP route filters you must assign them to individual interfaces The filters do not take effect until you apply them to interfaces When you apply a RIP route filter you also specify whether the filter applies to learned routes or advertised routes Out filters apply to routes the Layer 3 Switch advertises to its neighbor on the interface In filters apply to routes the Layer 3 S...

Page 960: ...atch the address and network mask information are accepted If applied to an interface outbound filter group the filter allows the router to advertise the route on that interface If applied to an interface inbound filter group the filter allows the router to add the route to its IP route table Route IP Address The IP address of the route destination network or host Subnet Mask The network mask for ...

Page 961: ...the usage statistics only for the specified number of seconds If you do not use this parameter the command lists the usage statistics for the previous five second one minute five minute and fifteen minute intervals PowerConnect show process cpu Process Name 5Sec 1Min 5Min 15Min Runtime ms ARP 0 01 0 03 0 09 0 22 9 BGP 0 04 0 06 0 08 0 14 13 GVRP 0 00 0 00 0 00 0 00 0 ICMP 0 00 0 00 0 00 0 00 0 IP ...

Page 962: ...920 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Displaying CPU utilization statistics 28 ...

Page 963: ...F graceful restart Yes PowerConnect B Series FCX stack only Assigning OSPF V2 areas Yes Assigning interfaces to an area Yes Timer for OSPF authentication changes Yes Block flooding of outbound LSAs on spe cific interfaces Yes OSPF non broadcast interface Yes Virtual links Yes Changing the reference bandwidth for the cost on OSPF interfaces Yes Route redistribution filters Yes Prevent specific OSPF...

Page 964: ...etworks all of which share the same routing and administration characteristics An AS can be divided into multiple areas as shown in Figure 138 on page 923 Each area represents a collection of contiguous networks and hosts Areas limit the area to which link state advertisements are broadcast thereby limiting the amount of flooding that occurs within the network An area is represented in OSPF by eit...

Page 965: ... occurs when a relationship is formed between neighboring routers for the purpose of exchanging routing information Adjacent OSPF neighbor routers go beyond the simple Hello packet exchange they exchange database information In order to minimize the amount of information exchanged on a particular segment one of the first steps in creating adjacency is to assign a Designated Router DR and a Backup ...

Page 966: ... networks In a network that has multiple routers attached OSPF elects one router to serve as the designated router DR and another router on the segment to act as the backup designated router BDR This arrangement minimizes the amount of repetitive information that is forwarded on the network by forwarding all messages to the designated router and backup designated routers responsible for forwarding...

Page 967: ...lves as DRs then both priority and router ID are used to select the designated router and backup designated routers When only one router on the network claims the DR role despite neighboring routers with higher priorities or router IDs this router remains the DR This is also true for BDRs The DR and BDR election process is performed when one of the following events occurs An interface is in a wait...

Page 968: ...ination Dell PowerConnect devices optimize OSPF by eliminating duplicate AS External LSAs in this case The Layer 3 Switch with the lower router ID flushes the duplicate External LSAs from its database and thus does not flood the duplicate External LSAs into the OSPF AS AS External LSA reduction therefore reduces the size of the Layer 3 Switch link state database This enhancement implements the por...

Page 969: ...and C either route to Router F through Router D or through Router E is equally good OSPF eliminates the duplicate AS External LSAs When two or more Layer 3 Switches configured as ASBRs have equal cost routes to the same next hop router in an external routing domain the ASBR with the highest router ID floods the AS External LSAs for the external domain into the OSPF AS while the other ASBRs flush t...

Page 970: ...r equivalent to the route the other ASBR is advertising In this case the ASBRs each flood AS External LSAs Since the LSAs either no longer have the same cost or no longer have the same next hop router the LSAs are no longer equivalent and the LSA reduction feature no longer applies The ASBR with the higher router ID becomes unavailable or is reconfigured so that it is no longer an ASBR In this cas...

Page 971: ...s as the ID For the more specific network use the network broadcast address as the ID The broadcast address is the network address with all ones bits in the host portion of the address For example the broadcast address for network 10 0 0 0 255 255 0 0 is 10 0 255 255 If this comparison results in a change to the ID of an LSA that has already been generated the router generates a new LSA to replace...

Page 972: ...ng the existing routes to and through the router after a restart When the restarting router comes back up it continues to use its existing OSPF routes as if nothing happened In the background the router relearns its neighbors prior to the restart recalculates its OSPF routes and replaces existing routes with new routes as necessary Once the grace period has passed adjacent routers resume normal op...

Page 973: ...one of the defined areas on an OSPF router When a port is assigned to an area all corresponding subnets on that port are automatically included in the assignment OSPF parameters You can modify or set the following global and interface OSPF parameters Global parameters Modify OSPF standard compliance setting Assign an area Define an area range Define the area virtual link Set global default metric ...

Page 974: ...n you enable OSPF on the router the protocol is automatically activated To enable OSPF on the router enter the following CLI command PowerConnect config router ospf This command launches you into the OSPF router level where you can assign areas and modify OSPF global parameters Syntax router ospf Note regarding disabling OSPF If you disable OSPF the Layer 3 Switch removes all the configuration inf...

Page 975: ...uration and are likely to disable and re enable the protocol This way you do not have to save the configuration after disabling the protocol and you do not have to restore the configuration by copying the backup copy of the startup config file onto the flash memory To reset OSPF without deleting the OSPF configuration enter the following command at the Global CONFIG level or at the Router OSPF lev...

Page 976: ... advertisements LSAs sent into a stub area by configuring the Layer 3 Switch to stop sending summary LSAs type 3 LSAs into the area You can disable the summary LSAs when you are configuring the stub area or later after you have configured the area This feature disables origination of summary LSAs but the Layer 3 Switch still accepts summary LSAs from OSPF neighbors and floods them to other neighbo...

Page 977: ...eas into an NSSA but does translate and flood route information from the NSSA into other areas such as the backbone NSSAs are especially useful when you want to summarize Type 5 External LSAs external routes before forwarding them into an OSPF area The OSPF specification RFC 2328 prohibits summarization of Type 5 LSAs and requires OSPF to flood Type 5 LSAs throughout a routing domain When you conf...

Page 978: ...meter causes the Layer 3 Switch to inject the default route into the NSSA NOTE The Layer 3 Switch does not inject the default route into an NSSA by default NOTE You can assign one area on a router interface For example if the system or chassis module has 16 ports 16 areas are supported on the chassis or module To configure additional parameters for OSPF interfaces in the NSSA use the ip ospf area ...

Page 979: ...ompares the address with the significant bits in the mask All network addresses that match this comparison are summarized in a single route advertised by the router The ip mask parameter specifies the portions of the IP address that a route must contain to be summarized in the summary route In the example above all networks that begin with 193 45 are summarized into a single route Assigning interf...

Page 980: ...he default authentication value is none meaning no authentication is performed The simple password method of authentication requires you to configure an alphanumeric password on an interface The simple password setting takes effect immediately All OSPF packets transmitted on the interface contain this password Any OSPF packet received on the interface is checked for this password If the password i...

Page 981: ...lue can be from 0 through 255 The default is 1 If you set the priority to 0 the Layer 3 Switch does not participate in DR and BDR election Retransmit interval The time between retransmissions of link state advertisements LSAs to adjacent routers for this interface The value can be from 0 through 3600 seconds The default is 5 seconds Transit delay The time it takes to transmit Link State Update pac...

Page 982: ...ge interval After this the software uses the new authentication for sending packets Inbound OSPF packets The software accepts packets containing the new authentication and continues to accept packets containing the older authentication for two authentication change intervals After the second interval ends the software accepts packets only if they contain the new authentication key The default auth...

Page 983: ...ng PowerConnect config if 1 1 no ip ospf database filter all out Configuring an OSPF non broadcast interface Layer 3 switches support Non Broadcast Multi Access NBMA networks This feature enables you to configure an interface on a Dell PowerConnect device to send OSPF traffic to its neighbor as unicast packets rather than broadcast packets OSPF routers generally use broadcast packets to establish ...

Page 984: ...ey None MD5 Authentication Key None Key Id None Auth change wait time 300 In the Type field non broadcast indicates that this is a non broadcast interface When the interface type is non broadcast the Non broadcast neighbor config field displays the neighbors that are configured in the same subnet If no neighbors are configured in the same subnet a message such as the following is displayed Warning...

Page 985: ...igure 143 shows an OSPF area border router PowerConnect A that is cut off from the backbone area area 0 To provide backbone access to PowerConnect A you can add a virtual link between PowerConnect A and PowerConnect C using area 1 as a transit area To configure the virtual link you define the link on the router that is at each end of the link No configuration for the virtual link is required on th...

Page 986: ...eter descriptions You can modify the following virtual link interface parameters Authentication Key This parameter allows you to assign different authentication methods on a port by port basis OSPF supports three methods of authentication for each interface none simple password and MD5 Only one method of authentication can be active on an interface at a time The simple password method of authentic...

Page 987: ...Connect devices encrypt display of the password or authentication string Encryption is enabled by default The software also provides an optional parameter to disable encryption of a password or authentication string on an individual OSPF area or OSPF interface basis When encryption of the passwords or authentication strings is enabled they are encrypted in the CLI regardless of the access level yo...

Page 988: ... 1 1000 Mbps port cost 100 1000 0 10 which is rounded up to 1 155 Mbps port cost 100 155 0 65 which is rounded up to 1 622 Mbps port cost 100 622 0 16 which is rounded up to 1 2488 Mbps port cost 100 2488 0 04 which is rounded up to 1 For 10 Gbps OSPF interfaces in order to differentiate the costs between 100 Mbps 1000 Mbps and 10 000 Mbps interfaces you can set the auto cost reference bandwidth t...

Page 989: ...osts for higher speed interfaces remain the same Syntax no auto cost reference bandwidth num The num parameter specifies the reference bandwidth and can be a value from 1 through 4294967 The default is 100 For 10 Gbps OSPF interfaces in order to differentiate the costs between 100 Mbps 1000 Mbps and 10 000 Mbps interfaces set the auto cost reference bandwidth to 10000 whereby each slower link is g...

Page 990: ... permit redistribute commands for OSPF at the OSPF router level NOTE Do not enable redistribution until you have configured the redistribution filters If you enable redistribution before you configure the redistribution filters the filters will not take affect and all routes will be distributed FIGURE 144 Redistributing OSPF and static routes to RIP routes Example To configure the PowerConnect Lay...

Page 991: ... the example above is shown for clarity but is not required You also have the option of specifying import of just OSPF BGP4 or static routes as well as specifying that only routes for a specific network or with a specific cost metric be imported as shown in the following command syntax For example to enable redistribution of RIP and static IP routes into OSPF enter the following commands PowerConn...

Page 992: ...e clear ip route command at the Privileged EXEC level of the CLI The following sections show how to use the CLI to configure an OSPF distribution list Separate examples are provided for standard and extended ACLs NOTE The examples show named ACLs However you also can use a numbered ACL as input to the OSPF distribution list Using a standard ACL as input to the distribution list To use a standard A...

Page 993: ...s mean any value matches For example the source ip and wildcard values 4 0 0 0 0 255 255 255 mean that all 4 x x x networks match the ACL If you want the policy to match on all destination networks enter any any If you prefer to specify the wildcard mask value in Classless Interdomain Routing CIDR format you can enter a forward slash after the IP address then enter the number of significant bits i...

Page 994: ... zero Each part is a number ranging from 0 to 255 for example 0 0 0 255 Zeros in the mask mean the packet source address must match the source ip Ones mean any value matches For example the source ip and wildcard values 4 0 0 0 0 255 255 255 mean that all 4 x x x networks match the ACL If you want the policy to match on all network addresses enter any any If you prefer to specify the wildcard mask...

Page 995: ... overrides the default cost To assign a default metric of 4 to all routes imported into OSPF enter the following commands PowerConnect config router ospf PowerConnect config ospf router default metric 4 Syntax default metric value The value can be from 1 through 16 777 215 The default is 10 Enabling route redistribution To enable route redistribution use one of the following methods NOTE Do not en...

Page 996: ... connected rip static route map map name The bgp connected rip static parameter specifies the route source The route map map name parameter specifies the route map name The following match parameters are valid for OSPF redistribution match ip address next hop ACL num match metric num match tag tag value The following set parameters are valid for OSPF redistribution set ip next hop ip addr set metr...

Page 997: ... is redistributed Notice that the route metric is 5 before redistribution but is 8 after redistribution Disabling or re enabling load sharing Dell routers can load share among up to eight equal cost IP routes to a destination By default IP load sharing is enabled The default is 4 equal cost paths but you can specify from 2 to 6 paths The router software can use the route information it learns thro...

Page 998: ...ng to the configured address range Imported routes that have already been advertised and that fall within the range are flushed out of the AS and a single route corresponding to the range is advertised If a route that falls within a configured address range is imported by the Layer 3 Switch no action is taken if the Layer 3 Switch has already advertised the aggregate route otherwise the Layer 3 Sw...

Page 999: ...iguring default route origination When the Layer 3 Switch is an OSPF Autonomous System Boundary Router ASBR you can configure it to automatically generate a default external route into an OSPF routing domain This feature is called default route origination or default information origination By default Layer 3 Switches do not advertise the default route into the OSPF domain If you want the Layer 3 ...

Page 1000: ...eter advertises the default route regardless of whether the router has a default route This option is disabled by default The metric value parameter specifies a metric for the default route If this option is not used the default metric is used for the route The metric type type parameter specifies the external link type associated with the default route advertised into the OSPF routing domain The ...

Page 1001: ... config ospf router metric type type1 Syntax metric type type1 type2 Modifying the administrative distance Layer 3 Switches can learn about networks from various protocols including Border Gateway Protocol version 4 BGP4 RIP and OSPF Consequently the routes to a network may differ depending on the protocol from which the routes were learned The default administrative distance for OSPF routes is 11...

Page 1002: ...ult 110 enter a command such as the following PowerConnect config ospf router no distance external 100 Configuring OSPF group Link State Advertisement LSA pacing The Layer 3 Switch paces LSA refreshes by delaying the refreshes for a specified time interval instead of performing a refresh each time an individual LSA refresh timer expires The accumulated LSAs constitute a group which the Layer 3 Swi...

Page 1003: ...te change trap MIB object OspfIfstateChange virtual interface state change trap MIB object OspfVirtIfStateChange neighbor state change trap MIB object ospfNbrStateChange virtual neighbor state change trap MIB object ospfVirtNbrStateChange interface config error trap MIB object ospfIfConfigError virtual interface config error trap MIB object ospfVirtIfConfigError interface authentication failure tr...

Page 1004: ...t checksum option logs all OSPF packets that have checksum errors This option is enabled by default The bad_packet option logs all other bad OSPF packets This option is disabled by default The database option logs OSPF LSA related information This option is disabled by default The memory option logs abnormal OSPF memory usage This option is enabled by default The retransmit option logs OSPF retran...

Page 1005: ...etwork Configuration notes and limitations This feature is supported on Gbps Ethernet and 10 Gbps Ethernet interfaces This feature is supported on physical interfaces It is not supported on virtual interfaces Dell supports numbered point to point networks meaning the OSPF router must have an IP interface address which uniquely identifies the router over the network Dell does not support unnumbered...

Page 1006: ...le sets the maximum restart wait time advertised to neighbors Possible values are from 10 through 1800 seconds The default value is 120 seconds Disabling OSPF graceful restart helper mode By default a PowerConnect Layer 3 switch supports other restarting routers as a helper You can prevent your PowerConnect router from participating in OSPF graceful restart by using the following commands PowerCon...

Page 1007: ...ighbor and the OSPF routes exchanged with neighbor 10 10 10 1 in the OSPF link state database in the Dell PowerConnect device After this information is cleared the adjacency with the neighbor is re established and routes are exchanged again The neighbor router can be specified either by its IP address or its router ID To specify the neighbor router using its IP address use the ip ip addr parameter...

Page 1008: ...mported into the specified area Adjacencies with neighbors belonging to the area are re established and routes imported into the area are re learned Syntax clear ip ospf area area id The area id can be specified in decimal format or in IP address format Displaying OSPF information You can use CLI commands and Web management options to display the following OSPF information Trap area and interface ...

Page 1009: ...l Neighbor State Change Trap Enabled Interface Configuration Error Trap Enabled Virtual Interface Configuration Error Trap Enabled Interface Authentication Failure Trap Enabled Virtual Interface Authentication Failure Trap Enabled Interface Receive Bad Packet Trap Enabled Virtual Interface Receive Bad Packet Trap Enabled Interface Retransmit Packet Trap Enabled Virtual Interface Retransmit Packet ...

Page 1010: ... this example statistics are requested for the previous two seconds The closest sample available is actually for the previous 1 second plus 80 milliseconds Syntax show process cpu num PowerConnect show process cpu Process Name 5Sec 1Min 5Min 15Min Runtime ms ARP 0 01 0 03 0 09 0 22 9 BGP 0 04 0 06 0 08 0 14 13 GVRP 0 00 0 00 0 00 0 00 0 ICMP 0 00 0 00 0 00 0 00 0 IP 0 00 0 00 0 00 0 00 0 OSPF 0 03...

Page 1011: ...laying OSPF neighbor information To display OSPF neighbor information enter the following command at any CLI level To display detailed OSPF neighbor information enter the following command at any CLI level TABLE 175 CLI display of OSPF area information Field Definition Indx The row number of the entry in the router OSPF area table Area The area number Type The area type which can be one of the fol...

Page 1012: ...yer 3 Switch is connected to the neighbor The port on which an OSPF point to point link is configured Address The IP address of this Layer 3 Switch interface with the neighbor Pri The OSPF priority of the neighbor For multi access networks the priority is used during election of the Designated Router DR and Backup designated Router BDR For point to point links this field shows one of the following...

Page 1013: ...router is describing its entire link state database by sending Database Description packets to the neighbor Each Database Description packet has a DD sequence number and is explicitly acknowledged Only one Database Description packet can be outstanding at any time In this state Link State Request packets can also be sent asking for the neighbor s more recent advertisements All adjacencies in Excha...

Page 1014: ...oint to point link with an assigned subnet Cost The configured output cost for the interface Options OSPF Options Bit7 Bit0 unused 1 opaque 1 summary 1 dont_propagate 1 nssa 1 multicast 1 externals 1 tos 1 Type The area type which can be one of the following Broadcast 0x01 NBMA 0x02 Point to Point 0x03 Virtual Link 0x04 Point to Multipoint 0x05 PowerConnect show ip ospf interface 192 168 1 1 Ether...

Page 1015: ...ion Index The row number of the entry in the router OSPF route table Destination The IP address of the route s destination Mask The network mask for the route Path_Cost The cost of this route path A route can have multiple paths Each path represents a different exit port for the Layer 3 Switch Type2_Cost The type 2 cost of this path TABLE 177 Output of the show ip ospf interface command Continued ...

Page 1016: ...ed the route to this Layer 3 Switch Link State The link state from which the route was calculated Dest_Type The destination type which can be one of the following ABR Area Border Router ASBR Autonomous System Boundary Router Network the network State The route state which can be one of the following Changed Invalid Valid This information is used by Dell technical support Tag The external route tag...

Page 1017: ...he External LSAs for the specified OSPF router The sequence number num Hex parameter displays the External LSA entries for the specified hexadecimal LSA sequence number The status num option shows status information This display shows the following information TABLE 179 CLI display of OSPF external link state information Field Definition Area ID The OSPF area the router is in Aging The age of the ...

Page 1018: ...or the LSA source specified by IP addr The network option shows network information The nssa option shows network information The opaque area option shows information for opaque areas The router id ip addr parameter shows the External LSAs for the specified OSPF router The sequence number num Hex parameter displays the External LSA entries for the specified hexadecimal LSA sequence number The stat...

Page 1019: ...formation To display OSPF virtual link information enter the following command at any CLI level PowerConnect show ip ospf virtual link Syntax show ip ospf virtual link num The num parameter displays the table beginning at the specified entry number Displaying OSPF ABR and ASBR information To display OSPF ABR and ASBR information enter the following command at any CLI level PowerConnect show ip osp...

Page 1020: ...ping 1 timer 60 sec Syntax show ip ospf neighbor Use the following command to display Type 9 grace LSAs on a PowerConnect Layer 3 switch PowerConnect show ip ospf database grace link state Graceful Link States Area Interface Adv Rtr Age Seq Hex Prd Rsn Nbr Intf IP 0 eth 1 2 2 2 2 2 7 80000001 60 SW 6 1 1 2 Syntax show ip ospf database grace link state PowerConnect show ip ospf trap Interface State...

Page 1021: ...ber This number enables the PowerConnect and other OSPF routers to determine the most recent LSA for a given route Prd The grace period The number of seconds that the neighbor routers should continue to advertise the router as fully adjacent regardless of the state of database synchronization between the router and its neighbors Since this time period begins when the grace LSA LS age is equal to 0...

Page 1022: ...980 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Displaying OSPF information 29 ...

Page 1023: ...745 OSPF Interactions RFC 1997 BGP Communities Attributes RFC 2385 TCP MD5 Signature Option RFC 2439 Route Flap Dampening RFC 2796 Route Reflection RFC 2842 Capability Advertisement RFC 3065 BGP4 Confederations To display BGP4 configuration information and statistics refer to Displaying BGP4 information on page 1061 NOTE Your Layer 3 Switch management module must have 32 MB or higher to run BGP4 T...

Page 1024: ...ows a simple example of two BGP4 autonomous systems Each AS contains three BGP4 switches All of the BGP4 switches within an AS communicate using IBGP BGP4 switches communicate with other autonomous systems using EBGP Notice that each of the switches also is running an Interior Gateway Protocol IGP The switches in AS1 are running OSPF and the switches in AS2 are running RIP Layer 3 Switches can be ...

Page 1025: ... the route The route origin and next hop are examples of these additional path attributes NOTE The Layer 3 Switch re advertises a learned best BGP4 route to the Layer 3 Switch neighbors even when the software does not select that route for installation in the IP route table The best BGP4 route is the route that the software selects based on comparison of the BGP4 route path attributes After a Laye...

Page 1026: ... you can enable the Layer 3 Switch to always compare the MEDs regardless of the AS information in the paths To enable this comparison enter the always compare med command at the BGP4 configuration level of the CLI This option is disabled by default NOTE By default value 0 most favorable is used in MED comparison when the MED attribute is not present The default MED comparison results in the Layer ...

Page 1027: ...a BGP4 neighbor before assuming that the neighbor is dead BGP4 routers exchange UPDATE and KEEPALIVE messages to update route information and maintain communication If BGP4 neighbors are using different Hold Times the lowest Hold Time is used by the neighbors If the Hold Time expires the BGP4 router closes its TCP connection to the neighbor and clears any information it has learned from the neighb...

Page 1028: ...ions For example if a Layer 3 Switch configured to perform BGP4 routing has already sent the latest route information to its peers in UPDATE messages the router does not send more UPDATE messages Instead BGP4 routers send KEEPALIVE messages to maintain the BGP4 sessions KEEPALIVE messages are 19 bytes long and consist only of a message header they contain no routing data BGP4 routers send KEEPALIV...

Page 1029: ...starting device as stale but continue to use the routes for the length of time specified by the restart timer After the device is restarted it begins to receive routing updates from the peers When it receives the end of RIB marker that indicates it has received all of the BGP4 route updates it recomputes the new routes and replaces the stale routes in the route map with the newly computed routes I...

Page 1030: ...he BGP4 configuration you must reload the software to load the configuration from the startup config Moreover when you save the configuration to the startup config file after disabling the protocol all the configuration information for the disabled protocol is removed from the startup config file The CLI displays a warning message such as the following PowerConnect config bgp router no router bgp ...

Page 1031: ... boundary A B or C Optional Aggregate routes in the BGP4 route table into CIDR blocks Optional Configure the router as a BGP4 router reflector Optional Configure the Layer 3 Switch as a member of a BGP4 confederation Optional Change the default metric for routes that BGP4 redistributes into RIP or OSPF Optional Change the parameters for RIP OSPF or static routes redistributed into BGP4 Optional Ch...

Page 1032: ... the AS Path length Enable comparison of the router ID Enable next hop recursion Enable or disable auto summary Change the default metric Disable or re enable route reflection Configure confederation parameters Disable or re enable load sharing Change the maximum number of load sharing paths Change other load sharing parameters Define route flap dampening parameters Add change or negate redistribu...

Page 1033: ...er 3 Switch sends to and receives from the neighbors In some cases where most of the neighbors do not send or receive a full BGP route table about 80 000 routes the memory can support a larger number of BGP4 neighbors However if most of the BGP4 neighbors send or receive full BGP route tables the number of BGP neighbors the memory can support is less than in configurations where the neighbors send...

Page 1034: ...er The router ID cannot be an IP address in use by another device By default the router ID on a Layer 3 Switch is one of the following If the router has loopback interfaces the default router ID is the IP address configured on the lowest numbered loopback interface configured on the Layer 3 Switch For example if you configure loopback interfaces 1 2 and 3 as follows the default router ID is 9 9 9 ...

Page 1035: ...hbors in the same AS that are multiple hops away from the router When you configure a BGP4 neighbor on the router you can specify whether the router uses the loopback interface to communicate with the neighbor As long as a path exists between the router and its neighbor BGP4 information can be exchanged The BGP4 session is not associated with a specific link but instead is associated with the virt...

Page 1036: ... additional parameters as shown in the following syntax Syntax no neighbor ip addr peer group name advertisement interval num capability orf prefixlist send receive default originate route map map name description string distribute list in out num num ACL num in out ebgp multihop num filter list in out num num ACL num in out weight maximum prefix num threshold teardown next hop self nlri multicast...

Page 1037: ...the route map injects the default route conditionally based on the match conditions in the route map description string specifies a name for the neighbor You can enter an alphanumeric text string up to 80 characters long distribute list in out num num specifies a distribute list to be applied to updates to or from the specified neighbor The in out keyword specifies whether the list is applied on u...

Page 1038: ...maximum prefix num at which you want the software to generate a Syslog message You can specify a value from 1 one percent to 100 100 percent The default is 100 The teardown parameter tears down the neighbor session if the maximum prefix limit is exceeded The session remains shutdown until you clear the prefixes using the clear ip bgp neighbor all or clear ip bgp neighbor ip addr command or change ...

Page 1039: ...ibute in UPDATE messages the Layer 3 Switch sends to the neighbor This option is disabled by default route map in out map name specifies a route map the Layer 3 Switch will apply to updates sent to or received from the specified neighbor The in out keyword specifies whether the list is applied on updates received from the neighbor or sent to the neighbor NOTE The route map must already be configur...

Page 1040: ...ing by default The software also provides an optional parameter to disable encryption of the authentication string on an individual neighbor or peer group basis By default the MD5 authentication strings are displayed in encrypted format in the output of the following commands show running config or write terminal show configuration show ip bgp config When encryption of the authentication string is...

Page 1041: ...ing 0 Disables encryption for the authentication string you specify with the command The password or string is shown as clear text in the output of commands that display neighbor or peer group configuration information 1 Assumes that the authentication string you enter is the encrypted form and decrypts the value before using it NOTE If you want the software to assume that the value you enter is t...

Page 1042: ... perform the following tasks on a peer group basis Reset neighbor sessions Perform soft outbound resets the Layer 3 Switch updates outgoing route information to neighbors but does not entirely reset the sessions with those neighbors Clear BGP message statistics Clear error buffers Peer group parameters You can set all neighbor parameters in a peer group When you add a neighbor to the peer group th...

Page 1043: ...ust have the same values for the outbound parameters To change an outbound parameter to the same value for all neighbors within a peer group you can change the parameter on a peer group basis In this case you do not need to remove the neighbors and change the parameter individually for each neighbor If you add an outbound parameter to a peer group that parameter is automatically applied to all nei...

Page 1044: ... distribute list for outbound traffic The software applies these parameters to each neighbor you add to the peer group You can override the description parameter for individual neighbors If you set the description parameter for an individual neighbor the description overrides the description configured for the peer group However you cannot override the remote AS and distribute list parameters for ...

Page 1045: ...92 168 3 69 peer group PeerGroup1 The commands in this example add three neighbors to the peer group PeerGroup1 As members of the peer group the neighbors automatically receive the neighbor parameter values configured for the peer group You also can override the parameters except parameters that govern outbound traffic on an individual neighbor basis For neighbor parameters not specified for the p...

Page 1046: ... Syntax no neighbor ip addr shutdown The ip addr parameter specifies the IP address of the neighbor Optional configuration tasks The following sections describe how to perform optional BGP4 configuration tasks Changing the Keep Alive Time and Hold Time The Keep Alive Time specifies how frequently the router will send KEEPALIVE messages to its BGP4 neighbors The Hold Time specifies how long the rou...

Page 1047: ...way such messages are the only indication that the BGP4 protocol has concerning the alive state of the neighbors As a result if a neighbor dies the router will wait until the Hold Time expires before concluding that the neighbor is dead and closing its BGP4 session and TCP connection with the neighbor The router waits for the Hold Time to expire before ending the connection to a directly attached ...

Page 1048: ...ts a path for a route on page 983 for a description of the BGP4 algorithm When you enable IP load sharing the Layer 3 Switch can load balance BGP4 or OSPF routes across up to four equal paths by default You can change the number of IP load sharing paths to a value from 2 through 6 How load sharing works Load sharing is performed in round robin fashion and is based on the destination IP address onl...

Page 1049: ... PowerConnect config bgp router write memory Syntax no maximum paths num The num parameter specifies the maximum number of paths across which the Layer 3 Switch can balance traffic to a given BGP4 destination You can change the maximum number of paths to a value from 2 through 4 The default is 1 Customizing BGP4 load sharing By default when BGP4 load sharing is enabled both IBGP and EBGP paths are...

Page 1050: ...is a multicast neighbor or a unicast neighbor Optionally you also can specify unicast if you want the Layer 3 Switch to exchange unicast BGP4 routes as well as multicast routes with the neighbor The default is unicast only The route map map name parameter specifies the name of the route map you want to use to set or change BGP4 attributes for the network you are advertising The route map must alre...

Page 1051: ...on page 1042 Changing the default local preference When the router uses the BGP4 algorithm to select a route to send to the IP route table one of the parameters the algorithm uses is the local preference Local preference is an attribute that indicates a degree of preference for a route relative to other routes BGP4 neighbors can send the local preference value as an attribute of a route in an UPDA...

Page 1052: ... advertise a default BGP4 route using either of the following methods NOTE The Layer 3 Switch checks for the existence of an IGP route for 0 0 0 0 0 in the IP route table before creating a local BGP route for 0 0 0 0 0 To enable the router to originate and advertise a default BGP4 route enter the following command PowerConnect config bgp router default information originate Syntax no default infor...

Page 1053: ...estination To enable the Layer 3 Switch to find the IGP route to a BGP route next hop gateway enable recursive next hop lookups When you enable recursive next hop lookup if the first lookup for a BGP route results in an IBGP path originated within the same Autonomous System AS rather than an IGP path or static route path the Layer 3 Switch performs a lookup on the next hop gateway next hop IP addr...

Page 1054: ... the next hop gateways along the route until the Layer 3 Switch finds an IGP route to the BGP route destination Here is an example PowerConnect show ip bgp route Total number of BGP Routes 5 Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED Prefix Next Hop Metric LocPrf Weight Status 1 0 0 0 0 0 10 1 0 2 0 100 0 BI AS_PATH 65001...

Page 1055: ...EBGP D DAMPED H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED Prefix Next Hop Metric LocPrf Weight Status 1 0 0 0 0 0 10 1 0 2 0 100 0 BI AS_PATH 65001 4355 701 80 2 102 0 0 0 24 10 0 0 1 1 100 0 BI AS_PATH 65001 4355 1 3 104 0 0 0 24 10 1 0 2 0 100 0 BI AS_PATH 65001 4355 701 1 189 4 240 0 0 0 24 102 0 0 1 1 100 0 BI AS_PATH 65001 4355 3356 7170 1455 5 250 0 0 0 24 209 157 24 1 1 100 0 I AS_PAT...

Page 1056: ...e Layer 3 Switch neighbors even when the software does not also select that route for installation in the IP route table The best BGP4 routes is the BGP4 path that the software selects based on comparison of the paths BGP4 route parameters Refer to How BGP4 selects a path for a route on page 983 When selecting a route from among different sources BGP4 OSPF RIP static routes and so on the software ...

Page 1057: ... external distance internal distance local distance The external distance sets the EBGP distance and can be a value from 1 through 255 The internal distance sets the IBGP distance and can be a value from 1 through 255 The local distance sets the Local BGP distance and can be a value from 1 through 255 Requiring the first AS to be the neighbor AS By default the Dell PowerConnect device does not req...

Page 1058: ...on is enabled by default and cannot be disabled To enable router ID comparison enter the following command at the BGP configuration level of the CLI PowerConnect config bgp router compare routerid Syntax no compare routerid For more information refer to How BGP4 selects a path for a route on page 983 Configuring the Layer 3 Switch to always compare Multi Exit Discriminators MEDs A Multi Exit Discr...

Page 1059: ...tch favors a lower MED over a higher MED during MED comparison Since the Layer 3 Switch assigns the value 0 to a route path MED if the MED value is missing the default MED comparison results in the Layer 3 Switch favoring the route paths that are missing their MEDs To change this behavior so that the Layer 3 Switch favors a route that has a MED over a route that is missing its MED enter the follow...

Page 1060: ...efault but does not take effect unless you add route reflector clients to the router A route reflector client is an IGP router identified as a member of a cluster You identify a router as a route reflector client on the router that is the route reflector not on the client The client itself requires no additional configuration In fact the client does not know that it is a route reflector client The...

Page 1061: ... attribute when reflecting a route to an IBGP neighbor If a BGP4 switch receives an advertisement that contains its own router ID as the ORIGINATOR_ID the switch discards the advertisement and does not forward it CLUSTER_LIST A list of the route reflection clusters through which the advertisement has passed A cluster contains a route reflector and its clients When a route reflector reflects a rout...

Page 1062: ... cluster ID the route reflector discards the route and does not forward it Configuration procedures To configure a Layer 3 Switch to be a BGP4 route reflector use either of the following methods NOTE All configuration for route reflection takes place on the route reflectors not on the clients Enter the following commands to configure a Layer 3 Switch as route reflector 1 in Figure 147 on page 1019...

Page 1063: ...t becomes unmanageable in autonomous systems containing many BGP routers When you configure BGP routers into a confederation all the routers within a sub AS a subdivision of the AS use IBGP and must be fully meshed However routers use EBGP to communicate between different sub autonomous systems NOTE Another method for reducing the complexity of an IBGP mesh is to use route reflection However if yo...

Page 1064: ...nfederation 10 send traffic to switches in other autonomous systems the confederation ID is the same as the AS number for the switches in the confederation Thus switches in other autonomous systems see traffic from AS 10 and are unaware that the switches in AS 10 are subdivided into sub autonomous systems within a confederation Configuring a BGP confederation Perform the following configuration ta...

Page 1065: ...mber for the BGP switches within the sub AS You can specify a number from 1 through 65535 Dell recommends that you use a number within the range of well known private autonomous systems 64512 through 65535 Syntax confederation identifier num The num parameter with the confederation identifier command indicates the confederation number The confederation ID is the AS number by which BGP switches out...

Page 1066: ...re The auto summary feature does not summarize networks that use CIDR numbers instead of class A B or C numbers To aggregate routes for 209 157 22 0 209 157 23 0 and 209 157 24 0 enter the following command PowerConnect config bgp router aggregate address 209 157 0 0 255 255 0 0 Syntax aggregate address ip addr ip mask as set nlri multicast unicast multicast unicast summary only suppress map map n...

Page 1067: ... graceful restart neighbor information on page 1090 Configuring BGP4 graceful restart BGP4 graceful restart is enabled by default on a PowerConnect Layer 3 switch To disable it use the following commands PowerConnect config router bgp PowerConnect config bgp no graceful restart To re enable BGP4 graceful restart after it has been disabled enter the following commands PowerConnect config router bgp...

Page 1068: ...owerConnect config bgp graceful restart purge time 900 Syntax no graceful restart purge time seconds The seconds variable sets the maximum time before a restarting device cleans up stale routes Possible values are from 1 through 3600 seconds The default value is 600 seconds BGP null0 routing The null0 routes were previously treated as invalid routes for BGP next hop resolution BGP now uses the nul...

Page 1069: ...ble internal or external local preference 50 4 Complete the route map by setting origin to IGP 5 On S6 redistribute the static routes into BGP using route map route map name redistribute static route map block user 6 On S1 the router facing the internet configure a null0 route matching the next hop address in the route map ip route 199 199 1 1 32 null0 7 Repeat step 3 for all switches interfacing ...

Page 1070: ...ference 1000000 PowerConnect config routemap blockuser set origin igp PowerConnect config routemap blockuser exit S1 The following configuration defines the null0 route to the specific next hop address The next hop address 199 199 1 1 points to the null0 route PowerConnect config ip route 199 199 1 1 32 null0 PowerConnect config router bgp PowerConnect config bgp router local as 100 PowerConnect c...

Page 1071: ... S PowerConnect show ip route static Type Codes B BGP D Connected S Static R RIP O OSPF Cost Dist Metric Destination Gateway Port Cost Type 1 199 199 1 1 32 DIRECT drop 1 1 S PowerConnect show ip bgp route Total number of BGP Routes 126 Status A AGGREGATE B BEST b NOT INSTALLED BEST C CONFED_EBGP D DAMPED E EBGP H HISTORY I IBGP L LOCAL M MULTIPATH S SUPPRESSED s STALE Prefix Next Hop Metric LocPr...

Page 1072: ...outes to directly attached devices into BGP The ospf parameter indicates that you are redistributing OSPF routes into BGP4 NOTE Entering redistribute ospf simply redistributes internal OSPF routes If you want to redistribute external OSPF routes also you must use the redistribute ospf match external command Refer to Redistributing OSPF external routes on page 1031 The rip parameter indicates that ...

Page 1073: ...RIP route to the BGP4 route table NOTE The route map you specify must already be configured on the switch Refer to Defining route maps on page 1042 for information about defining route maps Redistributing RIP routes To configure BGP4 to redistribute RIP routes and add a metric of 10 to the redistributed routes enter the following command PowerConnect config bgp router redistribute rip metric 10 Sy...

Page 1074: ...mmand and the redistribute ospf match internal external1 external2 command the software uses only the route map for filtering Redistributing static routes To configure the Layer 3 Switch to redistribute static routes enter the following command PowerConnect config bgp router redistribute static Syntax redistribute static metric num route map map name The static parameter indicates that you are red...

Page 1075: ... bgp router bgp redistribute internal Syntax no bgp redistribute internal To disable redistribution of IBGP routes into RIP and OSPF enter the following command PowerConnect config bgp router no bgp redistribute internal Filtering This section describes the following Filtering specific IP addresses on page 1033 Filtering AS paths on page 1035 Filtering communities on page 1038 Defining IP prefix l...

Page 1076: ...o change the default action to permit configure the last filter as permit any any The ip addr parameter specifies the IP address If you want the filter to match on all addresses enter any The wildcard parameter specifies the portion of the IP address to match against The wildcard is in dotted decimal notation IP address format It is a four part value where each part is 8 bits one byte separated by...

Page 1077: ... not mix methods NOTE Once you define a filter or ACL the default action for updates that do not match a filter is deny To change the default action to permit configure the last filter or ACL as permit any any AS path filters or AS path ACLs can be referred to by a BGP neighbor s filter list number as well as by match statements in a route map Defining an AS path filter To define AS path filter 4 ...

Page 1078: ...ginning with the lowest sequence number The deny permit parameter specifies the action the software takes if a route AS path list matches a match statement in this ACL To configure the AS path match statements in a route map use the match as path command Refer to Matching based on AS path ACL on page 1045 The regular expression parameter specifies the AS path information you want to permit or deny...

Page 1079: ... regular expression matches on an AS path that contains the string 1111 followed by any value 1111 The plus sign matches on one or more sequences of a pattern For example the following regular expression matches on an AS path that contains a sequence of g s such as deg degg deggg and so on deg The question mark matches on zero occurrences or one occurrence of a pattern For example the following re...

Page 1080: ... community within that AS Using this convention communities 1 10 1 20 and 1 30 can be easily identified as member communities of AS 1 The Layer 3 Switch provides the following methods for filtering on community information Community filters Community list ACLs Square brackets enclose a range of single character patterns For example the following regular expression matches on an AS path that contai...

Page 1081: ... is referred to by a route map match statement the filter is applied in the order in which the filter is listed in the match statement The permit deny parameter indicates the action the router takes if the filter match is true If you specify permit the router permits the route into the BGP4 table if the filter match is true If you specify deny the router denies the route from entering the BGP4 tab...

Page 1082: ...rt regular expressions whereas an extended one does This is the only difference between standard and extended IP community lists The seq seq value parameter is optional and specifies the community list sequence number You can configure up to 199 entries in a community list If you do not specify a sequence number the software numbers them in increments of 5 beginning with number 5 The software inte...

Page 1083: ...lue description string deny permit network addr mask bits ge ge value le le value The name parameter specifies the prefix list name You use this name when applying the prefix list to a neighbor The description string parameter is a text string describing the prefix list The seq seq value parameter is optional and specifies the IP prefix list sequence number You can configure up to 100 prefix list ...

Page 1084: ...r with the distribute list Defining route maps A route map is a named set of match conditions and parameter settings that the router can use to modify route attributes and to control redistribution of the routes into other protocols A route map consists of a sequence of up to 50 instances If you think of a route map as a table an instance is a row in that table The router evaluates a route accordi...

Page 1085: ...h of the AS path Add a user defined tag to the route or add an automatically calculated tag to the route Set the community value Set the local preference Set the MED metric Set the IP address of the next hop router Set the origin to IGP or INCOMPLETE Set the weight For example when you configure parameters for redistributing routes into RIP one of the optional parameters is a route map If you spec...

Page 1086: ...s the other instances of the route map intact Specifying the match conditions Use the following command to define the match conditions for instance 1 of the route map GET_ONE This instance compares the route updates against BGP4 address filter 11 PowerConnect config routemap GET_ONE match address filters 11 Syntax match as path num address filters as path filters community filters num num communit...

Page 1087: ...of the route next hop to the specified IP address filters The filters must already be configured The nlri multicast unicast multicast unicast parameter specifies whether you want the route map to match on multicast routes unicast routes or both route types NOTE By default route maps apply to both unicast and multicast traffic The route type internal external type1 external type2 parameter applies ...

Page 1088: ...ifies an IP prefix list name To configure an IP prefix list refer to Defining IP prefix lists on page 1041 Matching based on next hop router To construct match statements for a route map that match based on the IP address of the next hop router use either of the following methods You can use the results of an IP ACL or an IP prefix list as the match condition To construct a route map that matches ...

Page 1089: ... that matches the community attributes field in BGP4 routes against the set of communities in the ACL A route matches the route map only if the route contains all the communities in the ACL and no other communities Syntax match community ACL exact match The ACL parameter specifies the name of a community list ACL You can specify up to five ACLs Separate the ACL names or IDs with spaces Here is ano...

Page 1090: ...amples refer to Configuring route flap dampening on page 1054 The default interface null0 parameter redirects the traffic to the specified interface You can send the traffic to the null0 interface which is the same as dropping the traffic You can specify more than one interface in which case the Layer 3 Switch uses the first available port If the first port is unavailable the Layer 3 Switch sends ...

Page 1091: ...ute in the IP route table instead of changing the value in the BGP route table Refer to Using a table map to set the rag value on page 1050 The weight num parameter sets the weight for the route You can specify a weight value from 0 through 4294967295 Setting a BP4 route MED to the same value as the IGP metric of the next hop route To set a route s MED to the same value as the IGP metric of the BG...

Page 1092: ...rs 12 99 and 12 86 The remaining commands configure a route map that matches on routes whose destination network is specified in ACL 1 and deletes communities 12 99 and 12 86 from those routes The route does not need to contain all the specified communities in order for them to be deleted For example if a route contains communities 12 86 33 44 and 66 77 community 12 86 is deleted Syntax set comm l...

Page 1093: ...or saves the resources it would otherwise use to generate the route updates and the Layer 3 Switch saves the resources it would use to filter out the routes When you enable cooperative filtering the Layer 3 Switch advertises this capability in its Open message to the neighbor when initiating the neighbor session The Open message also indicates whether the Layer 3 Switch is configured to send filte...

Page 1094: ...e send receive parameter specifies the support you are enabling send The Layer 3 Switch sends the IP prefix lists to the neighbor receive The Layer 3 Switch accepts filters from the neighbor If you do not specify the capability both capabilities are enabled The prefixlist parameter specifies the type of filter you want to send to the neighbor NOTE The current release supports cooperative filtering...

Page 1095: ...ntax show ip bgp neighbors ip addr To display the ORFs received from a neighbor enter a command such as the following Syntax show ip bgp neighbors ip addr received prefix filter PowerConnect show ip bgp neighbors 10 10 10 1 1 IP Address 10 10 10 1 AS 65200 IBGP RouterID 10 10 10 1 State ESTABLISHED Time 0h0m7s KeepAliveTime 60 HoldTime 180 RefreshCapability Received CooperativeFilteringCapability ...

Page 1096: ...default when a route has a penalty value greater than 2000 the Layer 3 Switch stops using the route Thus by default if a route goes down more than twice the Layer 3 Switch stops using the route You can set the suppression threshold to a value from 1 through 20000 The default is 2000 Half life Once a route has been assigned a penalty the penalty decreases exponentially and decreases by half after t...

Page 1097: ...es the route You can set the suppression threshold to a value from 1 through 20000 The default is 2000 two flaps The max suppress time parameter specifies the maximum number of minutes that a route can be suppressed regardless of how unstable it is You can set the maximum suppression time to a value from 1 through 20000 minutes The default is four times the half life setting Thus if you use the de...

Page 1098: ...ap that explicitly enables dampening Use a set statement within the route map to enable dampening When you associate this route map with a specific neighbor the route map enables dampening for all routes associated with the neighbor You also can use match statements within the route map to selectively perform dampening on some routes from the neighbor NOTE You still need to configure the first rou...

Page 1099: ...l required The second route map enables dampening for the neighbors to which the route map is applied However unless dampening is already enabled globally by the first route map the second route map has no effect The last two commands apply the route maps The dampening route map command applies the first route map which enables dampening globally The neighbor command applies the second route map t...

Page 1100: ...ssed route Syntax no neighbor ip addr peer group name unsuppress map map name The following command verifies that the route has been unsuppressed PowerConnect config bgp router aggregate address 209 1 0 0 255 255 0 0 summary only PowerConnect config bgp router show ip bgp route 209 1 0 0 16 longer Number of BGP Routes matching display condition 2 Status A AGGREGATE B BEST b NOT INSTALLED BEST C CO...

Page 1101: ... that have a longer prefix such as 209 157 22 are displayed The neighbor ip addr parameter displays route flap dampening statistics only for routes learned from the specified neighbor You also can display route flap statistics for routes learned from a neighbor by entering the following command show ip bgp neighbors ip addr flap statistics Table 183 shows the field definitions for the display outp...

Page 1102: ...on page 1059 Generating traps for BGP You can enable and disable SNMP traps for BGP BGP traps are enabled by default To enable BGP traps after they have been disabled enter the following command PowerConnect config snmp server enable traps bgp TABLE 183 Route flap dampening statistics Field Description Total number of flapping routes Total number of routes in the Layer 3 Switch BGP4 route table th...

Page 1103: ...4 information in the running config CPU utilization statistics Neighbor information Peer group information Information about the paths from which BGP4 selects routes Summary BGP4 route information The router BGP4 route table Route flap dampening statistics Active route maps the route map configuration information in the running config BGP4 graceful restart neighbor information Displaying summary B...

Page 1104: ...le To display the BGP4 route table refer to Displaying the BGP4 route table on page 1080 Number of Routes Advertising to All Neighbors The total of the RtSent and RtToSend columns for all neighbors Number of Attribute Entries Installed The number of BGP4 route attribute entries in the router route attributes table To display the route attribute table refer to Displaying BGP4 route attribute entrie...

Page 1105: ... the message is a NOTIFICATION the state changes to Idle ESTABLISHED BGP4 is ready to exchange UPDATE packets with the neighbor If there is more BGP data in the TCP receiver queue a plus sign is also displayed NOTE If you display information for the neighbor using the show ip bgp neighbors ip addr command the TCP receiver queue value will be greater than 0 Operational States Additional information...

Page 1106: ...w many routes were filtered out not placed in the BGP4 route table but retained in memory If soft reconfiguration is not enabled this field shows the number of BGP4 routes that have been filtered out Sent The number of BGP4 routes that the Layer 3 Switch has sent to the neighbor ToSend The number of routes the Layer 3 Switch has queued to send to this neighbor TABLE 184 BGP4 summary information Co...

Page 1107: ...age statistics only for the specified number of seconds If you do not use this parameter the command lists the usage statistics for the previous one second one minute five minute and fifteen minute intervals PowerConnect show process cpu Process Name 5Sec 1Min 5Min 15Min Runtime ms ARP 0 01 0 03 0 09 0 22 9 BGP 0 04 0 06 0 08 0 14 13 GVRP 0 00 0 00 0 00 0 00 0 ICMP 0 00 0 00 0 00 0 00 0 IP 0 00 0 ...

Page 1108: ... Table The number of routes received from the neighbor that are the best BGP4 routes to their destinations but were nonetheless not installed in the IP route table because the Layer 3 Switch received better routes from other sources such as OSPF RIP or static IP routes Unreachable Routes The number of routes received from the neighbor that are unreachable because the Layer 3 Switch does not have a...

Page 1109: ... cluster ID is not configured Routes Advertised The number of routes the Layer 3 Switch has advertised to this neighbor To be Sent The number of routes the Layer 3 Switch has queued to send to this neighbor To be Withdrawn The number of NLRIs for withdrawing routes the Layer 3 Switch has queued up to send to this neighbor in UPDATE messages NLRIs Sent in Update Message The number of NLRIs for new ...

Page 1110: ... bits ip addr net mask detail routes summary The ip addr option lets you narrow the scope of the command to a specific neighbor The advertised routes option displays only the routes that the Layer 3 Switch has advertised to the neighbor during the current BGP4 neighbor session PowerConnect show ip bgp neighbors 10 4 0 2 1 IP Address 10 4 0 2 AS 5 EBGP RouterID 100 0 0 1 Description neighbor 10 4 0...

Page 1111: ...table because the Layer 3 Switch received better routes from other sources such as OSPF RIP or static IP routes unreachable Displays the routes that are unreachable because the Layer 3 Switch does not have a valid RIP OSPF or static route to the next hop detail Displays detailed information for the specified routes You can refine your information request by also specifying one of the options above...

Page 1112: ...r and is now waiting for either a KEEPALIVE or NOTIFICATION message If the router receives a KEEPALIVE message from the neighbor the state changes to Established If the message is a NOTIFICATION the state changes to Idle ESTABLISHED BGP4 is ready to exchange UPDATE messages with the neighbor If there is more BGP data in the TCP receiver queue a plus sign is also displayed NOTE If you display infor...

Page 1113: ...red Filter list Lists the filter list parameters if configured Prefix list Lists the prefix list parameters if configured Route map Lists the route map parameters if configured Messages Sent The number of messages this router has sent to the neighbor The display shows statistics for the following message types Open Update KeepAlive Notification Refresh Req Messages Received The number of messages ...

Page 1114: ...Capability UPDATE Message Error Malformed Attribute List Unrecognized Well known Attribute Missing Well known Attribute Attribute Flags Error Attribute Length Error Invalid ORIGIN Attribute Invalid NEXT_HOP Attribute Optional Attribute Error Invalid Network Field Malformed AS_PATH Hold Timer Expired Finite State Machine Error Rcv Notification Last Connection Reset Reason cont Reasons specific to t...

Page 1115: ...ot Synchronized Bad Message Length Bad Message Type Unspecified Open Message Error Unsupported Version Bad Peer As Bad BGP Identifier Unsupported Optional Parameter Authentication Failure Unacceptable Hold Time Unspecified Update Message Error Malformed Attribute List Unrecognized Attribute Missing Attribute Attribute Flag Error Attribute Length Error Invalid Origin Attribute Invalid NextHop Attri...

Page 1116: ...ination request TIME WAIT Waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request CLOSED There is no connection state Byte Sent The number of bytes sent Byte Received The number of bytes received Local host The IP address of the Layer 3 Switch Local port The TCP port the Layer 3 Switch is using for the BGP4 TCP session with the ne...

Page 1117: ...neighbor use the following CLI methods Displaying summary route information To display summary route information enter a command such as the following at any level of the CLI Table 187 lists the field definitions for the command output RcvWnd The size of the receive window SendQue The number of sequence numbers in the send queue RcvQue The number of sequence numbers in the receive queue CngstWnd T...

Page 1118: ... RIP OSPF or static route to the next hop History Routes The number of routes that are down but are being retained for route flap dampening purposes NLRIs Received in Update Message The number of routes received in Network Layer Reachability NLRI format in UPDATE messages Withdraws The number of withdrawn routes the Layer 3 Switch has received Replacements The number of replacement routes the Laye...

Page 1119: ...thdraw Replacements The number of routes the Layer 3 Switch has sent to the neighbor to replace routes the neighbor already has Peer Out of Memory Count for Statistics for the times the Layer 3 Switch has run out of BGP4 memory for the neighbor during the current BGP4 session Receiving Update Messages The number of times UPDATE messages were discarded because there was no memory for attribute entr...

Page 1120: ...P4 route table enter a command such as the following at any level of the CLI PowerConnect show ip bgp neighbors 192 168 4 211 routes unreachable Syntax show ip bgp neighbors ip addr routes unreachable For information about the fields in this display refer to Table 189 on page 1083 The fields in this display also appear in the show ip bgp display Displaying the Adj RIB Out for a neighbor To display...

Page 1121: ...091 Routes originated by this router The number of routes in the BGP4 route table that this Layer 3 Switch originated Routes selected as BEST routes The number of routes in the BGP4 route table that this Layer 3 Switch has selected as the best routes to the destinations BEST routes not installed in IP forwarding table The number of BGP4 routes that are the best BGP4 routes to their destinations bu...

Page 1122: ... if you want to list entries beginning with table entry 100 specify 100 The age secs parameter displays only the routes that have been received or updated more recently than the number of seconds you specify The as path access list num parameter filters the display using the specified AS path ACL The best parameter displays the routes received from the neighbor that the Layer 3 Switch selected as ...

Page 1123: ...ived better routes from other sources such as OSPF RIP or static IP routes The prefix list string parameter filters the display using the specified IP prefix list The regular expression regular expression option filters the display based on a regular expression Refer to Using regular expressions on page 1036 The route map map name parameter filters the display using the specified route map The sof...

Page 1124: ... show ip bgp routes not installed best For information about the fields in this display refer to Table 189 on page 1083 The fields in this display also appear in the show ip bgp display NOTE To display the routes that the Layer 3 Switch has selected as the best routes and installed in the IP route table display the IP route table using the show ip route command Displaying BGP4 routes whose destina...

Page 1125: ... the network from the Layer 3 Switch Metric The value of the route MED attribute If the route does not have a metric this field is blank LocPrf The degree of preference for this route relative to other routes in the local AS When the BGP4 algorithm compares routes on the basis of local preferences the route with the higher local preference is chosen The preference can have a value from 0 through 4...

Page 1126: ...theless not installed in the IP route table because the Layer 3 Switch received better routes from other sources such as OSPF RIP or static IP routes C CONFED_EBGP The route was learned from a neighbor in the same confederation and AS but in a different sub AS within the confederation D DAMPED This route has been dampened by the route dampening feature and is currently unusable H HISTORY Route dam...

Page 1127: ...s route and the route has a history of flapping and is unreachable now I INTERNAL The route was learned through BGP4 L LOCAL The route originated on this Layer 3 Switch M MULTIPATH BGP4 load sharing is enabled and this route was selected as one of the best ones to the destination The best route among the multiple paths also is marked with B NOTE If the m is shown in lowercase the software was not ...

Page 1128: ...ances is a normal part of BGP4 and does not indicate an error Aggregation ID The router that originated this aggregator Aggregation AS The AS in which the network information was aggregated This value applies only to aggregated routes and is otherwise 0 Originator The originator of the route in a route reflector environment Cluster List The route reflector clusters through which this route has pas...

Page 1129: ...om an origin other than one of the above For example they may have been redistributed from OSPF or RIP When BGP4 compares multiple routes to a destination to select the best route IGP is preferred over EGP and both are preferred over INCOMPLETE Originator The originator of the route in a route reflector environment Cluster List The route reflector clusters through which this set of attributes has ...

Page 1130: ...show ip bgp neighbors ip addr flap statistics The filter list num parameter specifies one or more filters Only the routes that have been dampened and that match the specified filters are displayed Table 192 lists the field definitions for the command output PowerConnect show ip route Total number of IP routes 50834 B BGP D Directly Connected O OSPF R RIP S Static Network Address NetMask Gateway Po...

Page 1131: ...in the Layer 3 Switch BGP4 route table that have changed state and thus have been marked as flapping routes Status code Indicates the dampening status of the route which can be one of the following This is the best route among those in the BGP4 route table to the route destination d This route is currently dampened and thus unusable h The route has a history of flapping and is unreachable now The ...

Page 1132: ...ollowing methods Request the complete BGP4 route table from the neighbor or peer group You can use this method if the neighbor supports the refresh capability RFCs 2842 and 2858 Clear reset the session with the neighbor or peer group This is the only method you can use if the neighbor does not support the refresh capability Each of these methods is effective but can be disruptive to the network Th...

Page 1133: ...cies in the future To use soft reconfiguration Enable the feature Make the policy changes Apply the changes by requesting a soft reset of the inbound updates from the neighbor or group Use the following CLI methods to configure soft configuration apply policy changes and display information for the updates that are filtered out by the policies Enabling soft reconfiguration To configure a neighbor ...

Page 1134: ...addr as path access list num detail prefix list string The ip addr parameter specifies the IP address of the destination network The as path access list num parameter specifies an AS path ACL Only the routes permitted by the AS path ACL are displayed The detail parameter displays detailed information for the routes The example above shows summary information You can specify any of the other option...

Page 1135: ...of BGP4 routes Using the route refresh feature you do not need to reset the session with the neighbor The route refresh feature is based on the following specifications RFC 2842 This RFC specifies the Capability Advertisement which a BGP4 router uses to dynamically negotiate a capability with a neighbor RFC 2858 for Multi protocol Extension NOTE The Dell implementation of dynamic route refresh sup...

Page 1136: ...ter specifies all neighbors The soft outbound parameter updates all outbound routes by applying the new or changed filters but sends only the existing routes affected by the new or changed filters to the neighbor The soft in out parameter specifies whether you want to refresh the routes received from the neighbor or sent to the neighbor soft in does one of the following If you enabled soft reconfi...

Page 1137: ...ou must enter a clear ip bgp neighbor command regardless of whether the neighbor session is up or down You can enter the command without optional parameters or with the soft out or soft outbound option Either way you must specify a parameter for the neighbor ip addr as num peer group name or all Displaying dynamic refresh information You can use the show ip bgp neighbors command to display informa...

Page 1138: ...route maps you have configured to the list of routes If the filters or route maps result in changes to the list of routes the Layer 3 PowerConnect show ip bgp neighbors 10 4 0 2 1 IP Address 10 4 0 2 AS 5 EBGP RouterID 100 0 0 1 Description neighbor 10 4 0 2 State ESTABLISHED Time 0h1m0s KeepAliveTime 0 HoldTime 0 PeerGroup pg1 Mutihop EBGP yes ttl 1 RouteReflectorClient yes SendCommunity yes Next...

Page 1139: ...specifies all neighbors within the specified AS The all parameter specifies all neighbors To resend routes to a neighbor without closing the neighbor session enter a command such as the following PowerConnect clear ip bgp neighbor 10 0 0 1 soft out Clearing and resetting BGP4 routes in the IP route table To clear BGP4 routes from the IP route table and reset the routes enter a command such as the ...

Page 1140: ... addr The parameters are the same as those for the show ip bgp flap statistics command except the longer prefixes option is not supported Refer to Displaying route flap dampening statistics on page 1059 NOTE The clear ip bgp damping command not only clears statistics but also un suppresses the routes Refer to Displaying route flap dampening statistics on page 1059 Removing route flap dampening You...

Page 1141: ...errors all the bytes are changed to zeros The Last Connection Reset Reason field of the BGP neighbor table also is cleared If you clear the buffer containing the last NOTIFICATION message sent or received the buffer contains no data You can clear the buffers for all neighbors for an individual neighbor or for all the neighbors within a specific peer group To clear these buffers for neighbor 10 0 0...

Page 1142: ...1100 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Clearing diagnostic buffers 30 ...

Page 1143: ...r VRRP with another Layer 3 Switch or a third party router that is also configured for VRRP However you can use a Layer 3 Switch configured for VRRPE only with another Layer 3 Switch that also is configured for VRRPE For a summary of how these two router redundancy protocols differ refer to Comparison of VRRP and VRRPE on page 1109 Overview The following sections describe VRRP and VRRPE The protoc...

Page 1144: ...ingle point of failure for Host1 access to other networks If Switch 1 fails you could configure Host1 to use Switch 2 Configuring one host with a different default gateway might not require too much extra administration However consider a more realistic network with dozens or even hundreds of hosts per subnet reconfiguring the default gateways for all the hosts is impractical It is much simpler to...

Page 1145: ...u associate with the VRID For this reason the Master router is sometimes called the Owner Configure the VRID on the router that owns the default gateway interface The other router in the VRID does not own the IP address es associated with VRID but provides the backup path if the Master router becomes unavailable Virtual router MAC address Notice the MAC address associated with VRID1 The first five...

Page 1146: ...n the Backup router must have an IP address in the same subnet NOTE If you delete a real IP address used by a VRRP entry the VRRP entry also is deleted automatically NOTE When a Backup router takes over forwarding responsibilities from a failed Master router the Backup forwards traffic addressed to the VRID MAC address which the host believes is the MAC address of the router interface for its defa...

Page 1147: ... is acting as the Master This can occur if the new Backup has a higher priority than the Backup who is acting as Master You can disable this behavior if you want When you disable preemption a Backup router that has a higher priority than the router who is currently acting as Master does not preempt the new Master by initiating a new Master negotiation Refer to Backup preempt on page 1119 NOTE Rega...

Page 1148: ... path to the Master If you enable the Dell implementation of VRRP to suppress the VRRP Backup routers from advertising the backed up interface in RIP other routers learn only the path to the Master router for the backed up interface Authentication The Dell implementation of VRRP can use simple passwords to authenticate VRRP packets The VRRP authentication type is not a parameter specific to the VR...

Page 1149: ...multicast messages The Hello packets use the interface actual MAC address and IP address as the source addresses The destination MAC address is 01 00 5E 00 00 02 and the destination IP address is 224 0 0 2 the well known IP multicast address for all routers Both the source and destination UDP port number is 8888 VRRP messages are encapsulated in the data portion of the packet Track ports and track...

Page 1150: ...ed by 20 track priority 20 so that all traffic destined to the Internet is sent through Switch 2 instead Similarly Switch 2 is the master for VRID 2 backup priority 110 and Switch 1 is the backup for VRID 2 backup priority 100 Switch 1 and Switch 2 are both tracking the uplinks to the Internet If an uplink failure occurs on Switch 1 its backup priority is decremented by 20 track priority 20 so tha...

Page 1151: ...RIP advertisements Dell Layer 3 Switches configured for VRRP can interoperate with third party routers using VRRP VRRPE VRRPE is a Dell protocol that provides the benefits of VRRP without the limitations VRRPE is unlike VRRP in the following ways There is no Owner router You do not need to use an IP address configured on one of the Layer 3 Switches as the virtual router ID VRID which is the addres...

Page 1152: ...ABLE 194 VRRP and VRRPE parameters Parameter Description Default See page Protocol The Virtual Router Redundancy Protocol VRRP based on RFC 2338 or VRRP Extended the Dell enhanced implementation of VRRP Disabled NOTE Only one of the protocols can be enabled at a time page 1113 page 1113 VRRP or VRRPE router The Layer 3 Switch active participation as a VRRP or VRRPE router Enabling the protocol doe...

Page 1153: ...ress used by the VRID is configured Backup Routers that can provide routing services for the VRID but do not have a real IP address matching the VRID VRRP The Owner is always the router that has the real IP address used by the VRID All other routers for the VRID are Backups VRRPE All routers for the VRID are Backups page 1116 Backup priority A numeric value that determines a Backup preferability f...

Page 1154: ...k for a tracked interface goes down the VRRP or VRRPE priority of the VRID interface is changed causing the devices to renegotiate for Master None page 1105 page 1118 Track priority A VRRP or VRRPE priority value assigned to the tracked ports If a tracked port link goes down the VRID port VRRP or VRRPE priority changes VRRP The priority changes to the value of the tracked port priority VRRPE The V...

Page 1155: ...interfaces of all routers in a VRID must be in the same IP subnet The IP addresses associated with the VRID must already be configured on the router that will be the Owner router An IP address associated with the VRID must be on only one router The Hello interval must be set to the same value on both the Owner and Backups for the VRID The Dead interval must be set to the same value on both the Own...

Page 1156: ...ig data will be lost when writing to flash If you have disabled the protocol but have not yet saved the configuration to the startup config file and reloaded the software you can restore the configuration information by re entering the command to enable the protocol ex router vrrp If you have already saved the configuration to the startup config file and reloaded the software the information is go...

Page 1157: ...rd in packets sent on the interface If the interfaces use simple password authentication the VRID configured on the interfaces must use the same authentication type and the same password To configure the VRID interface on Router1 for simple password authentication using the password ourpword enter the following commands Configuring Router 1 Router1 config inter e 1 6 Router1 config if 1 6 ip vrrp ...

Page 1158: ... IP address or addresses on the interface on which you configure the VRID When you configure a Backup router the router interface on which you are configuring the VRID must have a real IP address that is in the same subnet as the address associated with the VRID by the Owner However the address cannot be the same To configure Router1 as a VRRP VRID Owner enter the following commands Router1 config...

Page 1159: ...her than the path to the Master You can prevent the Backups from advertising route information for the backed up interface by enabling suppression of the advertisements To suppress RIP advertisements for the backed up interface in Router2 enter the following commands Router2 config router rip Router2 config rip router use vrrp path Syntax use vrrp path The syntax is the same for VRRP and VRRPE Hel...

Page 1160: ...nd Hello messages to the Master enter commands such as the following PowerConnect config router vrrp PowerConnect config inter e 1 6 PowerConnect config if 1 6 ip vrrp vrid 1 PowerConnect config if 1 6 vrid 1 advertise backup Syntax no advertise backup When you enable a Backup to send Hello messages the Backup sends a Hello messages to the Master every 60 seconds by default You can change the inte...

Page 1161: ...th the owner or backup command Refer to Track port on page 1118 Syntax owner track priority value Syntax backup priority value track priority value The syntax is the same for VRRP and VRRPE Backup preempt By default a Backup that has a higher priority than another Backup that has become the Master can preempt the Master and take over the role of Master If you want to prevent this behavior disable ...

Page 1162: ...iguration are the values configured on the Backup or the values received from the Master To change the timer scale enter a command such as the following at the global CONFIG level of the CLI PowerConnect config scale timer 2 This command changes the scale to 2 All VSRP VRRP and VRRP E timer values will be divided by 2 Syntax no scale timer num The num parameter specifies the multiplier You can spe...

Page 1163: ...r always has priority 255 You can even use this feature to temporarily change the Owner priority to a value from 1 254 NOTE When you change a VRRP Owner priority the change takes effect only for the current power cycle The change is not saved to the startup config file when you save the configuration and is not retained across a reload or reboot Following a reload or reboot the VRRP Owner again ha...

Page 1164: ... Summary configuration and status information Detailed configuration and status information VRRP and VRRPE Statistics CPU utilization statistics Displaying summary information To display summary information for a Layer 3 Switch enter the following command at any level of the CLI The above example is for VRRP Here is an example for VRRPE Syntax show ip vrrp brief ethernet slotnum portnum ve num sta...

Page 1165: ...ch VRRP or VRRPE is configured If VRRP or VRRPE is configured on multiple interfaces information for each interface is listed separately VRID The VRID configured on this interface If multiple VRIDs are configured on the interface information for each VRID is listed in a separate row CurPri The current VRRP or VRRPE priority of this Layer 3 Switch for the VRID P Whether the backup preempt mode is e...

Page 1166: ...d 1 Interface ethernet 1 5 auth type no authentication VRID 1 state backup administrative status enabled mode non owner backup priority 100 current priority 100 hello interval 10000 msec dead interval 30000 msec current dead interval 10000 msec preempt mode true advertise backup enabled backup router 192 53 5 3 expires in 00 00 03 0 next hello sent in 00 00 02 0 track port 3 2 PowerConnect show ip...

Page 1167: ...ple interfaces information for each interface is listed separately auth type The authentication type enabled on the interface VRID parameters VRID The VRID configured on this interface If multiple VRIDs are configured on the interface information for each VRID is listed separately state This Layer 3 Switch VRRP or VRRPE state for the VRID The state can be one of the following initialize The VRID i...

Page 1168: ...nterval The current value of the dead interval This is the value in number of milliseconds actually in use by this interface for the VRID NOTE This field does not apply to VRRP Owners preempt mode Whether the backup preempt mode is enabled NOTE This field does not apply to VRRP Owners virtual ip address The virtual IP addresses that this VRID is backing up advertise backup The IP addresses of Back...

Page 1169: ...er by the time the interval expires either the IP address listed for the Master will change to the IP address of the new Master or this Layer 3 Switch itself will become the Master NOTE This field applies only when this Layer 3 Switch is a Backup track port The interfaces that the VRID interface is tracking If the link for a tracked interface goes down the VRRP or VRRPE priority of the VRID interf...

Page 1170: ...at the router receives for this VRID if the interface goes down hello interval How often the Master router sends Hello messages to the Backups dead interval The amount of time a Backup waits for a Hello message from the Master before determining that the Master is dead current dead interval The current Dead interval The software automatically adds one half second to the Dead interval value you ent...

Page 1171: ...p header error count The number of VRRP or VRRPE packets received by the interface that had a header error rxed vrrp auth error count The number of VRRP or VRRPE packets received by the interface that had an authentication error rxed vrrp auth passwd mismatch error count The number of VRRP or VRRPE packets received by the interface that had a password value that does not match the password used by...

Page 1172: ...cific number of seconds enter a command such as the following transitioned to master state count The number of times this Layer 3 Switch has changed from the backup state to the master state for the VRID transitioned to backup state count The number of times this Layer 3 Switch has changed from the master state to the backup state for the VRID TABLE 198 CLI display of VRRP or VRRPE statistics Cont...

Page 1173: ...he following sections contain the CLI commands for implementing the VRRP and VRRPE configurations shown in Figure 151 on page 1103 and Figure 152 on page 1108 VRRP example To implement the VRRP configuration shown in Figure 151 on page 1103 use the following method Configuring Router1 To configure VRRP Router1 enter the following commands NOTE When you configure the Master Owner the address you en...

Page 1174: ...P address that is in the same subnet as the address associated with the VRID by the Owner However the address cannot be the same The priority parameter establishes the router VRRP priority in relation to the other VRRP routers in this virtual router The track priority parameter specifies the new VRRP priority that the router receives for this VRID if the interface goes down Refer to Track ports an...

Page 1175: ...e following commands Router1 config router vrrp extended Router1 config interface ethernet 5 1 Router1 config if 5 1 ip address 192 53 5 3 24 Router1 config if 5 1 ip vrrp extended vrid 1 Router1 config if 5 1 vrid 1 backup priority 100 track priority 20 Router1 config if 5 1 vrid 1 track port ethernet 3 2 Router1 config if 5 1 vrid 1 ip address 192 53 5 254 Router1 config if 5 1 vrid 1 activate V...

Page 1176: ... track priority parameter specifies the new VRRPE priority that the router receives for this VRID if the interface goes down Refer to Track ports and track priority on page 1105 The activate command activates the VRID configuration on this interface The interface does not provide backup service for the virtual IP address until you activate the VRRPE configuration Alternatively you can use the enab...

Page 1177: ... login authentication Securing access methods The following table lists the management access methods available on a Dell PowerConnect device how they are secured by default and the ways in which they can be secured TABLE 199 Supported security access features Feature PowerConnect B Series FCX Authentication Authorization and Accounting AAA RADIUS TACACS TACACS Yes AAA support for console commands...

Page 1178: ...ecific IP addresses page 1141 Restrict Telnet access based on a client MAC address page 1142 Allow Telnet access only from specific MAC addresses page 1144 Define the Telnet idle time page 1143 Change the Telnet login timeout period page 1143 Specify the maximum number of login attempts for Telnet access page 1144 Disable Telnet access page 1148 Establish a password for Telnet access page 1149 Est...

Page 1179: ...CACS security page 1163 Configure RADIUS security page 1181 SNMP Brocade Network Advisor access SNMP read or read write community strings and the password to the Super User privilege level NOTE SNMPread or read write community strings are always required for SNMP access to the device Regulate SNMP access using ACLs page 1140 Allow SNMP access only from specific IP addresses page 1142 Disable SNMP ...

Page 1180: ...guration items accepts an ACL as a parameter The ACL contains entries that identify the IP addresses that can use the access method The following sections present examples of how to secure management access using ACLs Refer to Chapter 16 Configuring Rule Based IP Access Control Lists ACLs for more information on configuring ACLs Using an ACL to restrict Telnet access To configure an ACL that restr...

Page 1181: ...nd ssh access group 10 could have been used to apply the ACL configured in the example for Telnet access You can use the same ACL multiple times Using an ACL to restrict Web management access To configure an ACL that restricts Web management access to the device enter commands such as the following Syntax web access group num The num parameter specifies the number of a standard ACL and must be fro...

Page 1182: ... are validated first by their community strings and then by their bound ACLs Defining the console idle time By default a Dell PowerConnect device does not time out serial console sessions A serial session remains open indefinitely until you close it You can however define how many minutes a serial management session can remain idle before it is timed out NOTE You must enable AAA support for consol...

Page 1183: ...mmands for restricting remote access You can specify only one IP address with each command However you can enter each command ten times to specify up to ten IP addresses NOTE You cannot restrict remote management access using the Web Management Interface Restricting Telnet access to a specific IP address To allow Telnet access to the Dell PowerConnect device only to the host with IP address 209 15...

Page 1184: ...S based on the connecting client IP or MAC address Restricting Telnet connection You can restrict Telnet connection to a device based on the client IP address or MAC address To allow Telnet access to the Dell PowerConnect device only to the host with IP address 209 157 22 39 and MAC address 0007 e90f e9a0 enter the following command PowerConnect config telnet client 209 157 22 39 0007 e90f e9a0 Sy...

Page 1185: ...s to the Dell PowerConnect device to a host with any IP address and MAC address 0007 e90f 10ba PowerConnect config web client any 0007 e90f 10ba Syntax no web client any mac addr Defining the Telnet idle time You can define how many minutes a Telnet session can remain idle before it is timed out An idle Telnet session is a session that is still sending TCP ACKs in response to keepalive messages fr...

Page 1186: ... value from 1 10 The default is 2 minutes Restricting remote access to the device to specific VLAN IDs You can restrict management access to a Dell PowerConnect device to ports within a specific port based VLAN VLAN based access control applies to the following access methods Telnet access Web management access SNMP access TFTP access By default access is allowed for all the methods listed above o...

Page 1187: ...hin port based VLAN 40 Clients connected to ports that are not in VLAN 40 are denied access Syntax no snmp server enable vlan vlan id Restricting TFTP access to a specific VLAN To allow TFTP access only to clients in a specific VLAN enter a command such as the following PowerConnect config tftp client enable vlan 40 The command in this example configures the device to allow TFTP access only to cli...

Page 1188: ... 2 These commands configure port based VLAN 10 to consist of ports 1 1 1 4 and to be the designated management VLAN The last two commands configure default gateways for the VLAN Since the 10 10 10 1 gateway has a lower metric the software uses this gateway The other gateway remains in the configuration but is not used You can use the other one by changing the metrics so that the 20 20 20 1 gateway...

Page 1189: ...rameter specifies that web management is enabled for HTTPS access Web management through HTTPS To allow web management through HTTPS you must enable web management as shown in Web management through HTTP Additionally you must generate a crypto SSL certificate or import digital certificates issued by a third party Certificate Authority CA To generate a crypto SSL certificate use the following comma...

Page 1190: ...ect config no telnet server To re enable Telnet operation enter the following command PowerConnect config telnet server Syntax no telnet server Disabling Web management access If you want to prevent access to the device through the Web Management Interface you can disable the Web Management Interface NOTE As soon as you make this change the device stops responding to Web management sessions If you...

Page 1191: ...ble TFTP client access once it is disabled enter the following command PowerConnect config no tftp disable Syntax no tftp disable Setting passwords Passwords can be used to secure the following access methods Telnet access can be secured by setting a Telnet password Refer to Setting a Telnet password on page 1149 Access to the Privileged EXEC and CONFIG levels of the CLI can be secured by setting ...

Page 1192: ...write access to the system This is generally for system administrators and is the only management privilege level that allows you to configure passwords Port Configuration level Allows read and write access for specific ports but not for global system wide parameters Read Only level Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access You can assign a p...

Page 1193: ... to Recovering from a lost password on page 1152 Augmenting management privilege levels Each management privilege level provides access to specific areas of the CLI by default Super User level provides access to all commands and displays Port Configuration level gives access to The User EXEC and Privileged EXEC levels The port specific parts of the CONFIG level All interface configuration levels R...

Page 1194: ...vel ipv6 access list IPv6 access list configuration level rip router RIP router level for example PowerConnect config rip router ospf router OSPF router level for example PowerConnect config ospf router dvmrp router DVMRP router level for example PowerConnect config dvmrp router pim router PIM router level for example PowerConnect config pim router bgp router BGP4 router level for example PowerCon...

Page 1195: ...the configuration to the flash memory on the Dell PowerConnect device the password is also saved to flash as part of the configuration file By default the passwords are encrypted so that the passwords cannot be observed by another user who displays the configuration file Even if someone observes the file while it is being transmitted over TFTP the password is encrypted NOTE You cannot disable pass...

Page 1196: ...guration files that contain privilege level passwords Refer to Setting passwords for management privilege levels on page 1150 If you configure local user accounts you also need to configure an authentication method list for Telnet access Web management access and SNMP access Refer to Configuring authentication method lists on page 1198 For each local user account you specify a user name You also c...

Page 1197: ...haracters NOTE Password minimum and combination requirements are strictly enforced Use the enable strict password enforcement command to enable the password security feature PowerConnect config enable strict password enforcement Syntax no enable strict password enforcement This feature is disabled by default The following security upgrades apply to the enable strict password enforcement command Pa...

Page 1198: ...d enforcement is enabled enter a password which contains the required character combination Refer to Enabling enhanced user password combination requirements on page 1155 To enable password masking enter the following command PowerConnect config enable user password masking Syntax no enable user password masking Enabling user password aging For enhanced security password aging enforces quarterly u...

Page 1199: ...e a password that is stored the system will prompt the user to choose a different password To configure enhanced password history enter a command such as the following at the global CONFIG level of the CLI PowerConnect config enable user password history 15 Syntax no enable user password history 1 15 Enhanced login lockout The CLI provides up to three login attempts If a user fails to login after ...

Page 1200: ...ress the Enter key after the message of the day banner on page 30 Configuring a local user account You can create accounts for local users with or without passwords Accounts with passwords can have encrypted or unencrypted passwords You can assign privilege levels to local user accounts but on a new device you must create a local user account that has a Super User privilege before you can create a...

Page 1201: ...ssword nopassword password string You can enter up to 255 characters for user string The privilege privilege level parameter specifies the privilege level for the account You can specify one of the following 0 Super User level full read write access 4 Port Configuration level 5 Read Only level The default privilege level is 0 If you want to assign Super User level access to the account you can ent...

Page 1202: ...ge 5 password willy PowerConnect config service password encryption If password masking is enabled enter the commands this way PowerConnect config username wonka privilege 5 password Enter Password willy PowerConnect config service password encryption Syntax no service password encryption Create password option As an alternative to the commands above the create password option allows you to create...

Page 1203: ...1 Security Password has been changed for user tester from console session The message includes the name of the user whose password was changed and during which session type such as Console Telnet SSH Web SNMP or others the password was changed Configuring SSL security for the Web Management Interface The Dell PowerConnect device supports Secure Sockets Layer Transport Level Security SSL 3 0 TLS 1 ...

Page 1204: ...a command such as the following at the Global CONFIG level of the CLI PowerConnect config ip ssl cert key size 3000 Syntax ip ssl cert key size 512 4096 NOTE The SSL server certificate key size applies to digital certificates issued by Dell as well as imported certificates Support for SSL digital certificates larger than 2048 bytes Dell PowerConnect devices have the ability to store and retrieve S...

Page 1205: ... is the IP address of a TFTP server that contains the digital certificate or private key Generating an SSL certificate After you have imported the digital certificate it should automatically generate If the certificate does not automatically generate enter the following command to generate it PowerConnect config crypto ssl certificate generate Syntax no crypto ssl certificate generate If you did n...

Page 1206: ... future development features The protocol allows the Dell PowerConnect device to request very precise access control and allows the TACACS server to respond to each component of that request NOTE TACACS provides for authentication authorization and accounting but an implementation or configuration is not required to employ all three TACACS TACACS authentication authorization and accounting When yo...

Page 1207: ...l console port on stack units that are not the Active Controller unit logs out the console port on a specified unit Once AAA console is enabled you should log out any open console ports on your IronStack using the kill console command PowerConnecth config kill console all In case a user forgets to log out or a console is left unattended you can also configure the console timeout in minutes on all ...

Page 1208: ...nnections 1 closed 2 closed 3 closed 4 closed 5 closed stack9 TACACS authentication NOTE Also multiple challenges are supported for TACACS login authentication When TACACS authentication takes place the following events occur 1 A user attempts to gain access to the Dell PowerConnect device by doing one of the following Logging into the device using Telnet SSH or the Web Management Interface Enteri...

Page 1209: ...d Command authorization consults a TACACS server to get authorization for commands entered by the user When TACACS exec authorization takes place the following events occur 1 A user logs into the Dell PowerConnect device using Telnet SSH or the Web Management Interface 2 The user is authenticated 3 The Dell PowerConnect device consults the TACACS server to determine the privilege level of the user...

Page 1210: ...the TACACS accounting server 7 The TACACS accounting server acknowledges the Accounting Stop packet AAA operations for TACACS TACACS The following table lists the sequence of authentication authorization and accounting operations that take place when a user gains access to a Dell PowerConnect device that has TACACS TACACS security configured User action Applicable AAA operations User attempts to g...

Page 1211: ...e CLI through Telnet CLI Privileged EXEC and CONFIG levels For example you can select TACACS as the primary authentication method for Telnet CLI access but you cannot also select RADIUS authentication as a primary method for the same type of access However you can configure backup authentication methods for each access type User logs out of Telnet SSH session Command accounting TACACS aaa accounti...

Page 1212: ...thentication method lists for TACACS TACACS on page 1173 4 Optionally configure TACACS authorization Refer to Configuring TACACS authorization on page 1175 5 Optionally configure TACACS accounting Refer to Configuring TACACS accounting on page 1178 Enabling TACACS TACACS is disabled by default To configure TACACS TACACS authentication parameters you must enable TACACS by entering the following com...

Page 1213: ...s that specify TACACS TACACS as an authentication method Refer to Configuring authentication method lists for TACACS TACACS on page 1173 Otherwise when you exit from the CONFIG mode or from a Telnet session the system continues to believe it is TACACS TACACS enabled and you will not be able to access the system The auth port parameter specifies the UDP for TACACS or TCP for TACACS port number of t...

Page 1214: ...is parameter specifies how many seconds the Dell PowerConnect device waits for a response from a TACACS TACACS server before either retrying the authentication request or determining that the TACACS TACACS servers are unavailable and moving on to the next authentication method in the authentication method list The timeout can be from 1 15 seconds The default is 3 seconds Setting the TACACS key The...

Page 1215: ...you create authentication method lists specifically for these access methods specifying TACACS TACACS as the primary authentication method Within the authentication method list TACACS TACACS is specified as the primary authentication method and up to six backup authentication methods are specified as alternates If TACACS TACACS authentication fails due to an error the device tries the backup authe...

Page 1216: ... how to define authentication method lists for types of authentication other than TACACS TACACS refer to Configuring authentication method lists on page 1198 Entering privileged EXEC mode after a Telnet or SSH login By default a user enters User EXEC mode after a successful login through Telnet or SSH Optionally you can configure the device so that a user enters Privileged EXEC mode after a Telnet...

Page 1217: ... TACACS server If a user attempts to login through Telnet or SSH but none of the configured TACACS servers are available the following takes place If the next method in the authentication method list is enable the login prompt is skipped and the user is prompted for the Enable password that is the password configured with the enable super user password command If the next method in the authenticat...

Page 1218: ... PowerConnect device expects the TACACS server to send a response containing an A V Attribute Value pair that specifies the privilege level of the user When the Dell PowerConnect device receives the response it extracts an A V pair configured for the Exec service and uses it to determine the user privilege level To set a user privilege level you can configure the foundry privlvl A V pair for the E...

Page 1219: ...ext cat service exec foundry privlvl 4 privlvl 15 In this example the user would be granted a privilege level of 4 port config level The privlvl 15 A V pair is ignored by the Dell PowerConnect device If the TACACS server has no A V pair configured for the Exec service the default privilege level of 5 read only is used Configuring command authorization When TACACS command authorization is enabled t...

Page 1220: ...onsole commands AAA support for commands entered at the console includes the following Login prompt that uses AAA authentication using authentication method Lists Exec Authorization Exec Accounting Command authorization Command accounting System Accounting To enable AAA support for commands entered at the console enter the following command PowerConnect config enable aaa console Syntax no enable a...

Page 1221: ...tacacs none The privilege level parameter can be one of the following 0 Records commands available at the Super User level all commands 4 Records commands available at the Port Configuration level port config and read only commands 5 Records commands available at the Read Only level read only commands Configuring TACACS accounting for system events You can configure TACACS accounting to record whe...

Page 1222: ... server timeout command Tacacs dead time The setting configured with the tacacs server dead time command Tacacs Server For each TACACS TACACS server the IP address port and the following statistics are displayed opens Number of times the port was opened for communication with the server closes Number of times the port was closed normally timeouts Number of times port was closed due to a timeout er...

Page 1223: ...ted the Dell PowerConnect device consults a RADIUS server to verify user names and passwords You can optionally configure RADIUS authorization in which the Dell PowerConnect device consults a list of commands supplied by the RADIUS server to determine whether a user can execute a command he or she has entered as well as accounting which causes the Dell PowerConnect device to log information on a R...

Page 1224: ...l If you configure RADIUS authorization the user is allowed or denied usage of the commands in the list RADIUS authorization When RADIUS authorization takes place the following events occur 1 A user previously authenticated by a RADIUS server enters a command on the Dell PowerConnect device 2 The Dell PowerConnect device looks at its configuration to see if the command is at a privilege level that...

Page 1225: ...the Accounting Stop packet AAA operations for RADIUS The following table lists the sequence of authentication authorization and accounting operations that take place when a user gains access to a Dell PowerConnect device that has RADIUS security configured User action Applicable AAA operations User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI Enable authentication aa...

Page 1226: ...agement The device tries to use the servers in the order you add them to the device configuration If one RADIUS server times out does not respond the Dell PowerConnect device tries the next one in the list Servers are tried in the same sequence each time there is a request You can optionally configure a RADIUS server as a port server indicating that the server will be used only to authenticate use...

Page 1227: ...vice Refer to Identifying the RADIUS server to the Dell PowerConnect device on page 1188 3 Optionally specify different servers for individual AAA functions Refer to Specifying different servers for individual AAA functions on page 1188 4 Optionally configure the RADIUS server as a port only server Refer to Configuring a RADIUS server per port on page 1189 5 Optionally bind the RADIUS servers to p...

Page 1228: ...nly with read access foundry command string 2 string Specifies a list of CLI commands that are permitted or denied to the user when RADIUS authorization is configured The commands are delimited by semi colons You can specify an asterisk as a wildcard at the end of a command string For example the following command list specifies all show and debug ip commands as well as the write terminal command ...

Page 1229: ...ies if 802 1x lookup is enabled 0 Disabled 1 Enabled foundry MAC based VLAN QOS 8 integer Specifies the priority for MAC based VLAN QOS 0 qos_priority_0 1 qos_priority_1 2 qos_priority_2 3 qos_priority_3 4 qos_priority_4 5 qos_priority_5 6 qos_priority_6 7 qos_priority_7 foundry INM Role AOR List 9 string Specifies the list of Roles and Area of Responsibility AOR that are allowed for an IronView N...

Page 1230: ... server to handle a specific AAA task For example you can designate one RADIUS server to handle authorization and another RADIUS server to handle accounting You can specify individual servers for authentication and accounting but not for authorization You can set the RADIUS key for each server To specify different RADIUS servers for authentication authorization and accounting enter commands such a...

Page 1231: ...ect RADIUS servers 10 10 10 103 and 10 10 10 104 will be used only to authenticate users on ports to which the servers are mapped To map a RADIUS server to a port refer to Mapping a RADIUS server to individual ports on page 1190 RADIUS servers 10 10 10 105 and 10 10 10 106 will be used to authenticate users on ports to which no RADIUS servers are mapped For example port e 9 to which no RADIUS serv...

Page 1232: ...0 103 first since it is the first server mapped to the port If it fails it will go to 10 10 10 110 Syntax use radius server ip addr The host ip addr is an IPv4 address Setting RADIUS parameters You can set the following parameters in a RADIUS configuration RADIUS key This parameter specifies the value that the Dell PowerConnect device sends to the RADIUS server when trying to authenticate user acc...

Page 1233: ...mit enter a command such as the following PowerConnect config radius server retransmit 5 Syntax radius server retransmit number Setting the timeout parameter The timeout parameter specifies how many seconds the Dell PowerConnect device waits for a response from the RADIUS server before either retrying the authentication request or determining that the RADIUS server is unavailable and moving on to ...

Page 1234: ...uthentication is used instead To create an authentication method list that specifies RADIUS as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI PowerConnect config aaa authentication enable default radius local none The command above causes RADIUS to be the primary authentication method for securing access to Privileged EXEC level and CONF...

Page 1235: ...Dell PowerConnect device to prompt only for a password when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI PowerConnect config aaa authentication enable implicit user Syntax no aaa authentication enable implicit user TABLE 205 Authentication method values Method parameter Description line Authenticate using the password you configured for Telnet acces...

Page 1236: ...orization exec default radius command does not exist in the configuration then the value in the foundry privilege level attribute is ignored and the user is granted Super User access Also note that in order for the aaa authorization exec default radius command to work either the aaa authentication enable default radius command or the aaa authentication login privilege mode command must also exist ...

Page 1237: ...quent commands entered on the console This happens because RADIUS command authorization requires a list of allowable commands from the RADIUS server This list is obtained during RADIUS authentication For console sessions RADIUS authentication is performed only if you have configured Enable authentication and specified RADIUS as the authentication method for example with the aaa authentication enab...

Page 1238: ...ecords commands available at the Super User level all commands 4 Records commands available at the Port Configuration level port config and read only commands 5 Records commands available at the Read Only level read only commands Configuring RADIUS accounting for system events You can configure RADIUS accounting to record when system events occur on the Dell PowerConnect device System events inclu...

Page 1239: ...istics are displayed Auth PortRADIUS authentication port number default 1645 Acct PortRADIUS accounting port number default 1646 opens Number of times the port was opened for communication with the server closes Number of times the port was closed normally timeouts Number of times port was closed due to a timeout errors Number of times an error occurred while opening the port packets in Number of ...

Page 1240: ...ccess NOTE To authenticate Telnet access to the CLI you also must enable the authentication by entering the enable telnet authentication command at the global CONFIG level of the CLI You cannot enable Telnet authentication using the Web Management Interface NOTE You do not need an authentication method list to secure access based on ACLs or a list of IP addresses Refer to Using ACLs to restrict re...

Page 1241: ...gement Interface You first must configure a read write community string using the CLI Then you can log on using set as the user name and the read write community string you configure as the password Refer to Configuring TACACS TACACS security on page 1163 If you configure an authentication method list for Web management access and specify local as the primary authentication method users who attemp...

Page 1242: ...ence Guide If AAA is set up to check both the username and password the string contains the username followed by a space then the password If AAA is set up to authenticate with the current Enable or Line password the string contains the password only Note that the above configuration can be overridden by the command no snmp server pw check which disables password checking for SNMP SET requests Exa...

Page 1243: ...ill match the number of configured flags TABLE 207 Authentication method values Method parameter Description line Authenticate using the password you configured for Telnet access The Telnet password is configured using the enable telnet password command Refer to Setting a Telnet password on page 1149 enable Authenticate using the password you configured for the Super User privilege level This pass...

Page 1244: ...t etc to the matched traffic PowerConnect config ext nACL permit tcp any any match all urg ack syn rst tos normal This command configures the ACL to match incoming traffic with the flags urg ack and syn and also sets the tos bit to normal when the traffic exits the device NOTE TCP Flags combines the functionality of older features such as TCP Syn Attack and TCP Establish Avoid configuring these ol...

Page 1245: ...ghest version of SSH2 supported by both the Brocade device and the client is the version that is used for the session Once the SSH2 version is negotiated the encryption algorithm with the highest security ranking is selected to be used for the session Brocade devices also support Secure Copy SCP for securely transferring files between a Brocade device and SCP enabled remote hosts NOTE The SSH feat...

Page 1246: ...rver The SSH server allows secure remote access management functions on a Dell PowerConnect device SSH provides a function that is similar to Telnet but unlike Telnet SSH provides a secure encrypted connection Dell SSH2 support includes the following Key exchange methods are diffie hellman group1 sha1 The public key algorithm is ssh dss Encryption is provided with 3des cbc aes128 cbc aes192 cbc or...

Page 1247: ...ys are stored on the device Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH NOTE SSH2 supports and validates DSA keys only It does not support or validate SSH1 RSA keys PowerConnect show ip ssh Connection Version Encryption Username 1 SSH 2 3des cbc Raymond 2 SSH 2 3des cbc Ron 3 SSH 2 aes128 cbc David 4 SSH 2 aes192 cbc Fra...

Page 1248: ...erate Syntax crypto key generate Generating a host key pair When SSH is configured a public and private host DSA key pair is generated for the Dell PowerConnect device The SSH server on the Brocade device uses this host DSA key pair along with a dynamically generated server DSA key pair to negotiate a session key and encryption method with the client trying to connect to it The host DSA key pair i...

Page 1249: ...ell PowerConnect device from a UNIX system you may need to add the public key on the Dell PowerConnect device to a known hosts file for example HOME ssh known_hosts The following is an example of an entry in a known hosts file Configuring DSA challenge response authentication With DSA challenge response authentication a collection of clients public keys are stored on the Dell PowerConnect device C...

Page 1250: ...erConnect device and place all of these keys into one file This public key file is imported into the Dell PowerConnect device The following is an example of a public key file containing one public key You can import the authorized public keys into the active configuration by loading them from a file on a TFTP server If you import a public key file from a TFTP server the file is automatically loade...

Page 1251: ...g ip ssh key authentication no Syntax ip ssh key authentication yes no Setting optional parameters You can adjust the following SSH settings on the Dell PowerConnect device The number of SSH authentication retries The user authentication method the Dell PowerConnect device uses for SSH connections Whether the Dell PowerConnect device allows users to log in without supplying a password The port num...

Page 1252: ...ne of the stored public keys can gain access to the device using SSH With password authentication users are prompted for a password when they attempt to log into the device provided empty password logins are not allowed If there is no user account that matches the user name and password supplied by the user the user is not granted access You can deactivate one or both user authentication methods f...

Page 1253: ...the client If there is no response from the client after 120 seconds the SSH server disconnects You can change this timeout value to between 1 120 seconds For example to change the timeout value to 60 seconds enter the following command PowerConnect config ip ssh timeout 60 Syntax ip ssh timeout seconds Designating an interface as the source for all SSH packets You can designate a loopback interfa...

Page 1254: ... the active SSH connections enter the following command PowerConnect kill ssh 1 Syntax kill ssh connection id Displaying SSH connection information Up to five SSH connections can be active on the Dell PowerConnect device To display information about SSH connections enter the following command Syntax show ip ssh begin expression exclude expression include expression This display shows the following...

Page 1255: ... to or from an SCP enabled remote host Enabling and disabling SCP SCP is enabled by default and can be disabled To disable SCP enter the following command PowerConnect config ip ssh scp disable Syntax ip ssh scp disable enable NOTE If you disable SSH SCP is also disabled PowerConnect show who Console connections established monitor enabled in config mode 2 minutes 17 seconds in idle Telnet connect...

Page 1256: ... 50 and log in as user terry enter the following command on the SCP enabled client C scp c cfg brocade cfg terry 192 168 1 50 runConfig If password authentication is enabled for SSH the user is prompted for user terry password before the file transfer takes place Copying a file to the startup config To copy the configuration file to the startup configuration file enter the following command C scp ...

Page 1257: ...flash secondary FCXR07000 bin NOTE The Dell PowerConnect device supports only one SCP copy session at a time Copying a Software Image file from flash memory The scp command syntax differs on a PowerConnect B Series FCX device compared to all other PowerConnect devices Use the command syntax in the appropriate section below PowerConnect B Series FCX Devices To copy a software image file from the pr...

Page 1258: ...1216 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Using Secure copy with SSH2 33 ...

Page 1259: ...by an authentication server The user based authentication in 802 1X port security provides an alternative to granting network access based on a user IP address MAC address or subnetwork The 802 1X port security supports the following RFCs RFC 2284 PPP Extensible Authentication Protocol EAP RFC 2865 Remote Authentication Dial In User Service RADIUS RFC 2869 RADIUS Extensions TABLE 210 Supported 802...

Page 1260: ...ased on the Client s information the Authentication Server determines whether the Client can use services provided by the Authenticator The Authentication Server passes this information to the Authenticator which then provides services to the Client based on the authentication result Figure 153 illustrates these roles FIGURE 153 Authenticator client supplicant and authentication server in an 802 1...

Page 1261: ...ationship between the Authenticator PAE and the Supplicant PAE FIGURE 154 Authenticator PAE and supplicant PAE Authenticator PAE The Authenticator PAE communicates with the Supplicant PAE receiving identifying information from the Supplicant Acting as a RADIUS client the Authenticator PAE passes the Supplicant information to the Authentication Server which decides whether the Supplicant can gain a...

Page 1262: ...can flow through the port normally By default all controlled ports on the PowerConnect device are placed in the authorized state allowing all traffic When authentication is activated on an 802 1X enabled interface the interface controlled port is placed initially in the unauthorized state When a Client connected to the port is successfully authenticated the controlled port is then placed in the au...

Page 1263: ...ore information If a Client does not support 802 1X authentication cannot take place The PowerConnect device sends EAP Request Identity frames to the Client but the Client does not respond to them When a Client that supports 802 1X attempts to gain access through a non 802 1X enabled port it sends an EAP start frame to the PowerConnect device When the device does not respond the Client considers t...

Page 1264: ...henticate clients against an existing user database such as LDAP PEAP secures the transmission between the client and authentication server with a TLS encrypted tunnel PEAP also allows other EAP authentication protocols to be used It relies on the mature TLS keying method for its key creation and exchange PEAP is best suited for installations that require strong authentication without the use of m...

Page 1265: ... support the RADIUS User name type 1 attribute in the Access Accept message returned during 802 1X authentication This feature is useful when the client supplicant does not provide its user name in the EAP response identity frame and the username is key to providing useful information For example when the User name attribute is sent in the Access Accept message it is then available for display in ...

Page 1266: ...vice as in Figure 157 802 1X authentication is performed in the following way 1 One of the 802 1X enabled Clients attempts to log into a network in which a Dell PowerConnect device serves as an Authenticator 2 The Dell PowerConnect device creates an internal session called a dot1x mac session for the Client A dot1x mac session serves to associate a Client MAC address and username with its authenti...

Page 1267: ...ddresses he or she would need to be authenticated from each Client If a Client has been denied access to the network that is the Client dot1x mac session is set to access denied then you can cause the Client to be re authenticated by manually disconnecting the Client from the network or by using the clear dot1x mac session command Refer to Clearing a dot1x mac session for a MAC address on page 124...

Page 1268: ...rdware aging and software aging The hardware aging period for a denied Client s dot1x mac session is not fixed at 70 seconds The hardware aging period for a denied Client s dot1x mac session is equal to the length of time specified with the dot1x timeout quiet period command By default the hardware aging time is 60 seconds Once the hardware aging period ends the software aging period begins When t...

Page 1269: ... 1230 optional Dynamically applying IP ACLs and MAC address filters to 802 1X ports on page 1234 2 Configure the device role as the Authenticator Enabling 802 1X port security on page 1237 Initializing 802 1X on a port on page 1242 optional 3 Configure the device interaction with Clients Configuring periodic re authentication on page 1239 optional Re authenticating a port manually on page 1239 opt...

Page 1270: ...t port 1813 default key mirabeau dot1x Syntax radius server host ip addr ipv6 addr server name auth port num acct port num default key 0 1 string dot1x The host ip addr ipv6 addr server name parameter is either an IP address or an ASCII text string The dot1x parameter indicates that this RADIUS server supports the 802 1X standard A RADIUS server that supports the 802 1X standard can also be used t...

Page 1271: ...uthenticated A pass essentially bypasses the authentication process and permits user access to the network A fail bypasses the authentication process and blocks user access to the network unless restrict vlan is configured in which case the user is placed into a VLAN with restricted or limited access By default the Dell PowerConnect device will reset the authentication process and retry to authent...

Page 1272: ...AN with restricted or limited access enter commands such as the following PowerConnect config interface ethernet 3 1 PowerConnect config if e100 3 1 dot1x auth fail action restrict vlan 100 PowerConnect config if e100 3 1 dot1x auth timeout action failure Syntax no dot1x auth fail action restrict vlan vlan id Syntax no dot1x auth timeout action failure Configuring dynamic VLAN assignment for 802 1...

Page 1273: ...checks whether the string when converted to a number matches the ID of a VLAN configured on the device If it does then the client port is placed in the VLAN with that ID If the vlan name string does not match either the name or the ID of a VLAN configured on the device then the client will not become authorized The show interface command displays the VLAN to which an 802 1X enabled port has been d...

Page 1274: ...d marketing When a tagged packet is authenticated and a list of VLANs is specified on the RADIUS server for the MAC address then the packet tag must match one of the VLANs in the list in order for the Client to be successfully authenticated If authentication is successful then the port is added to all of the VLANs specified in the list Unlike with a RADIUS specified untagged VLAN if the dot1x mac ...

Page 1275: ...from the Client is forwarded normally If the RADIUS Access Accept message specifies the name or ID of a VLAN that does not exist on the Dell PowerConnect device then it is considered an authentication failure If the port is a tagged or dual mode port and the RADIUS Access Accept message specifies the name or ID of a valid VLAN on the Dell PowerConnect device then the port is placed in that VLAN If...

Page 1276: ...or MAC address filter is no longer applied to the port If an IP ACL or MAC address filter had been applied to the port prior to 802 1X authentication it is then re applied to the port The Dell PowerConnect device uses information in the Filter ID and Vendor Specific attributes as follows The Filter ID attribute can specify the number of an existing IP ACL or MAC address filter configured on the De...

Page 1277: ...t have the system resources available to dynamically apply a filter to a port then the port will not be authenticated NOTE If the Access Accept message contains values for both the Filter ID and Vendor Specific attributes then the value in the Vendor Specific attribute the per user filter takes precedence Also if authentication for a port fails because the Filter ID attribute referred to a non exi...

Page 1278: ...o a Dell IP ACL or MAC address filter The following table lists examples of values you can assign to the Filter ID attribute on the RADIUS server to refer to IP ACLs and MAC address filters configured on a Dell PowerConnect device Notes The name in the Filter ID attribute is case sensitive You can specify only numbered MAC address filters in the Filter ID attribute Named MAC address filters are no...

Page 1279: ...lters and MAC address filters are not supported on the same port at the same time The following table shows the syntax for configuring the Dell Vendor Specific attributes with ACL or MAC address filter statements The following table shows examples of IP ACLs and MAC address filters configured in the Dell Vendor Specific attribute on a RADIUS server These IP ACLs and MAC address filters follow the ...

Page 1280: ...e used on the interface An interface used with 802 1X port security has two virtual access points a controlled port and an uncontrolled port The controlled port can be either the authorized or unauthorized state In the authorized state it allows normal traffic to pass between the Client and the Authenticator In the unauthorized state no traffic is allowed to pass The uncontrolled port allows only ...

Page 1281: ...evice to periodically re authenticate Clients connected to 802 1X enabled interfaces When you enable periodic re authentication the device re authenticates Clients every 3 600 seconds by default You can optionally specify a different re authentication interval of between 1 4294967295 seconds To configure periodic re authentication using the default interval of 3 600 seconds enter the following com...

Page 1282: ...y default if the Dell PowerConnect device does not receive an EAP response identity frame from a Client the device waits 30 seconds then retransmits the EAP request identity frame Also by default the Dell PowerConnect device retransmits the EAP request identity frame a maximum of two times You can optionally configure the amount of time the device will wait before retransmitting an EAP request ide...

Page 1283: ...nd sends them to the Client By default when the Dell PowerConnect device relays an EAP Request frame from the RADIUS server to the Client it expects to receive a response from the Client within 30 seconds If the Client does not respond within the allotted time the device retransmits the EAP Request frame to the Client Also by default the Dell PowerConnect device retransmits the EAP request frame t...

Page 1284: ...ponse within 30 seconds the Dell PowerConnect device retransmits the message to the RADIUS server The time constraint for retransmission of messages to the Authentication Server can be between 0 4294967295 seconds For example to configure the device to retransmit a message if the Authentication Server does not respond within 45 seconds enter the following command PowerConnect config dot1x serverti...

Page 1285: ... dot1x auth fail action restricted vlan Syntax no auth fail action restricted vlan To specify the ID of the restricted VLAN as VLAN 300 enter the following command PowerConnect config dot1x auth fail vlanid 300 Syntax no auth fail vlanid vlan id Specifying the number of authentication attempts the device makes before dropping packets When the authentication failure action is to drop traffic from t...

Page 1286: ... the aging time for blocked clients When the Dell PowerConnect device is configured to drop traffic from non authenticated Clients traffic from the blocked Clients is dropped in hardware without being sent to the CPU A Layer 2 CAM entry is created that drops traffic from the blocked Client MAC address in hardware If no traffic is received from the blocked Client MAC address for a certain amount of...

Page 1287: ...face e 3 11 PowerConnect config if 3 1 mac filter group 1 Refer to Defining MAC address filters on page 1280 for more information Configuring VLAN access for non EAP capable clients You can configure the Dell PowerConnect device to grant guest or restricted VLAN access to clients that do not support Extensible EAP The restricted VLAN limits access to the network or applications instead of blocking...

Page 1288: ...t The device will retry authentication requests three times the default or the number of times configured on the device An Accounting Stop packet is sent to the RADIUS server when one of the following events occur The user logs off The port goes down The port is disabled The user fails to re authenticate after a RADIUS timeout The 802 1X port control auto configuration changes The MAC session clea...

Page 1289: ...ormation The 802 1X configuration on the device and on individual ports Statistics about the EAPOL frames passing through the device 802 1X enabled ports dynamically assigned to a VLAN User defined and dynamically applied MAC address filters and IP ACLs currently active on the device The 802 1X multiple host configuration Displaying 802 1X configuration information To display information about the...

Page 1290: ... an EAP response identity frame the amount of time the Dell PowerConnect device waits before retransmitting the EAP request identity frame to a Client default 30 seconds Refer to Setting the wait interval for EAP frame retransmissions on page 1240 for information on how to change this setting supp timeout When a Client does not respond to an EAP request frame the amount of time before the Dell Pow...

Page 1291: ...state machine This can be REQUEST RESPONSE SUCCESS FAIL TIMEOUT IDLE or INITIALIZE AdminControlledDirections Indicates whether an unauthorized controlled port exerts control over communication in both directions disabling both reception of incoming frames and transmission of outgoing frames or just in the incoming direction disabling only reception of incoming frames On Powerconnect devices this p...

Page 1292: ...isplays RX EAPOL Start The number of EAPOL Start frames received on the port RX EAPOL Logoff The number of EAPOL Logoff frames received on the port RX EAPOL Invalid The number of invalid EAPOL frames received on the port RX EAPOL Total The total number of EAPOL frames received on the port RX EAP Resp Id The number of EAP Response Identity frames received on the port RX EAP Resp other than Resp Id ...

Page 1293: ...ckable switches stack unit slotnum portnum Displaying dynamically assigned VLAN information The show interface command displays the VLAN to which an 802 1X enabled port has been dynamically assigned as well as the port from which it was moved that is the port default VLAN The following example of the show interface command indicates the port dynamically assigned VLAN Information about the dynamica...

Page 1294: ...er the write memory command the VLAN to which the port is currently assigned becomes the port default VLAN in the device configuration Displaying information about dynamically applied MAC address filters and IP ACLs You can display information about currently active user defined and dynamically applied MAC address filters and IP ACLs Displaying user defined MAC address filters and IP ACLs To displ...

Page 1295: ...werConnect B Series FCX stackable switches stack unit slotnum portnum To display the dynamically applied IP ACLs active on an interface enter a command such as the following Syntax show dot1x ip ACL all ethernet port PowerConnect show dot1x ip ACL Port 1 3 User defined IP ACLs Extended IP access list Port_1 3_E_IN permit udp any any Extended IP access list Port_1 3_E_OUT permit udp any any PowerCo...

Page 1296: ... on an interface enter a command such as the following Syntax show dot1x config ethernet port Specify the port variable in the following formats PowerConnect show dot1x PAE Capability Authenticator Only system auth control Enable re authentication Disable global filter strict security Enable quiet period 60 Seconds tx period 30 Seconds supptimeout 30 Seconds servertimeout 30 Seconds maxreq 2 re au...

Page 1297: ...ltiple host authentication This field Displays Authentication fail action The configured authentication failure action This can be Restricted VLAN or Block Traffic Authentication Failure VLAN If the authentication failure action is Restricted VLAN the ID of the VLAN to which unsuccessfully authenticated Client ports are assigned Mac Session Aging Whether aging for dot1x mac sessions has been enabl...

Page 1298: ...he Dell PowerConnect device force unauthorized The controlled port is placed unconditionally in the unauthorized state No authentication takes place for any connected 802 1X Clients auto The authentication status for each 802 1X Client depends on the authentication status returned from the RADIUS server filter strict security Whether strict security mode is enabled or disabled on the interface PVI...

Page 1299: ...s been successfully authenticated and traffic from the Client is being forwarded normally blocked Authentication failed for the Client and traffic from the Client is being dropped in hardware restricted Authentication failed for the Client but traffic from the Client is allowed in the restricted VLAN only init The Client is in is in the process of 802 1X authentication or has not started the authe...

Page 1300: ...Sample 802 1X configurations This section illustrates a sample point to point configuration and a sample hub configuration that use 802 1X port security TABLE 218 Output from the show dot1x mac session brief command This field Displays Port Information about the users connected to each port Number of users The number of users connected to the port Number of Authorized users The number of users con...

Page 1301: ...u dot1x PowerConnect config dot1x enable e 1 to 3 PowerConnect config dot1x re authentication PowerConnect config dot1x timeout re authperiod 2000 PowerConnect config dot1x timeout quiet period 30 PowerConnect config dot1x timeout tx period 60 PowerConnect config dot1x maxreq 6 PowerConnect config dot1x exit PowerConnect config interface e 1 PowerConnect config if e1000 1 dot1x port control auto P...

Page 1302: ... PowerConnect device in Figure 159 PowerConnect config aaa authentication dot1x default radius PowerConnect config radius server host 192 168 9 22 auth port 1812 acct port 1813 default key mirabeau dot1x PowerConnect config dot1x enable e 1 PowerConnect config dot1x re authentication PowerConnect config dot1x timeout re authperiod 2000 PowerConnect config dot1x timeout quiet period 30 PowerConnect...

Page 1303: ...ticated If User 1 is authenticated first then the PVID for port e2 is changed to VLAN 3 If User 2 is authenticated first then the PVID for port e2 is changed to VLAN 20 Since a PVID cannot be changed by RADIUS authentication after it has been dynamically assigned if User 2 is authenticated after the port PVID was changed to VLAN 3 then User 2 would not be able to gain access to the network If ther...

Page 1304: ...o forward or block traffic from a MAC address based on information received from a RADIUS server Incoming traffic originating from a given MAC address is switched or forwarded by the device only if the source MAC address is successfully authenticated by a RADIUS server The MAC address itself is used as the username and password for RADIUS authentication A connecting user does not need to provide a...

Page 1305: ...ecurity violation When a security violation occurs a Syslog entry and an SNMP trap are generated In addition the device takes one of two actions it either drops packets from the violating address and allows packets from the secure addresses or disables the port for a specified amount of time You specify which of these actions takes place The secure MAC addresses are not flushed when an interface i...

Page 1306: ...ximum number of MAC addresses any single interface can secure is 64 the maximum number of local resources available to the interface plus the number of global resources not allocated to other interfaces Configuration notes and feature limitations The following limitations apply to this feature MAC port security applies only to Ethernet interfaces MAC port security is not supported on static trunk ...

Page 1307: ... MAC address You can increase the number of MAC addresses that can be stored to a maximum of 64 plus the total number of global resources available For example to configure interface 7 11 to have a maximum of 10 secure MAC addresses enter the following commands PowerConnect config interface ethernet 7 11 PowerConnect config if e1000 7 11 port security PowerConnect config port security e1000 7 11 m...

Page 1308: ... the following PowerConnect config interface ethernet 7 11 PowerConnect config if e1000 7 11 port security PowerConnect config port security e1000 7 11 secure mac address 0050 DA18 747C 2 Syntax no secure mac address mac address vlan ID NOTE If MAC port security is enabled on a port and you change the VLAN membership of the port make sure that you also change the VLAN ID specified in the secure ma...

Page 1309: ...nnect config if e1000 7 11 port security PowerConnect config port security e1000 7 11 violation restrict Syntax violation restrict NOTE When the restrict option is used the maximum number of MAC addresses that can be restricted is 128 If the number of violating MAC addresses exceeds this number the port is shut down An SNMP trap and the following Syslog message are generated Port Security violatio...

Page 1310: ...resses To clear all restricted MAC addresses globally enter the following command PowerConnect clear port security restricted macs all To clear restricted MAC addresses on a specific port enter a command such as the following PowerConnect clear port security restricted macs ethernet 5 Syntax clear port security restricted macs all ethernet port Specify the port variable in the following formats Po...

Page 1311: ...t security mac command TABLE 220 Output from the show port security ethernet command This field Displays Port The slot and port number of the interface Security Whether the port security feature has been enabled on the interface Violation The action to be undertaken when a security violation occurs either shutdown or restrict Shutdown Time The number of seconds a port is shut down following a secu...

Page 1312: ...he secure MAC address Resource Whether the address was secured using a local or global resource Refer to Local and global resources on page 1264 for more information Age Left The number of minutes the MAC address will remain secure Shutdown Time Left Whether the interface has been shut down due to a security violation and the number of seconds before it is enabled again TABLE 222 Output from the s...

Page 1313: ...rnet port restricted macs Specify the port variable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum TABLE 223 Output from the show port security statistics module command This field Displays Total ports The number of ports on the module Total MAC address es The total number of secure MAC addresses on the module Total violations The number of securit...

Page 1314: ...1272 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Displaying port security information 35 ...

Page 1315: ...t device to forward or block traffic from a MAC address based on information received from a RADIUS server TABLE 224 Supported Multi device port authentication MDPA features Feature PowerConnect B Series FCX Multi Device Port Authentication Yes Support for Multi Device Port Authentication together with Dynamic VLAN assignment Yes Dynamic ACLs Yes 802 1X Yes Denial of Service DoS attack protection ...

Page 1316: ...3 seconds the RADIUS session times out and the device retries the request up to three times If no response is received the next RADIUS server is chosen and the request is sent for authentication The RADIUS server is configured with the usernames and passwords of authenticated users For multi device port authentication the username and password is the MAC address itself that is the device uses the ...

Page 1317: ... multi device port authentication feature supports dynamic VLAN assignment where a port can be placed in one or more VLANs based on the MAC address learned on that interface For details about this feature refer to Configuring the RADIUS server to support dynamic VLAN assignment on page 1282 Support for dynamic ACLs The multi device port authentication feature supports the assignment of a MAC addre...

Page 1318: ...d on a port a device connected to the port is authenticated as follows 1 Multi device port authentication is performed on the device to authenticate the device MAC address 2 If multi device port authentication is successful for the device then the device checks whether the RADIUS server included the Foundry 802_1x enable VSA described in Table 225 in the Access Accept message that authenticated th...

Page 1319: ...hentication and 802 1X authentication Configuration examples are shown in Examples of multi device port authentication and 802 1X authentication configuration on the same port on page 1302 TABLE 225 Dell vendor specific attributes for RADIUS Attribute name Attribute ID Data type Description Foundry 802_1x enable 6 integer Specifies whether 802 1X authentication is performed when multi device port ...

Page 1320: ...cked MAC addresses optional Enabling multi device port authentication To enable multi device port authentication you first enable the feature globally on the device On some Dell PowerConnect devices you can then enable the feature on individual interfaces Globally enabling multi device port authentication To globally enable multi device port authentication on the device enter the following command...

Page 1321: ...he authentication failure action When RADIUS authentication for a MAC address fails you can configure the device to perform one of two actions Drop traffic from the MAC address in hardware the default Move the port on which the traffic was received to a restricted VLAN To configure the device to move the port to a restricted VLAN when multi device port authentication fails enter commands such as t...

Page 1322: ... multi device port authentication You should use a MAC address filter when the RADIUS server itself is connected to an interface where multi device port authentication is enabled If a MAC address filter is not defined for the MAC address of the RADIUS server and applied on the interface the RADIUS authentication process would fail since the device would drop all packets from the RADIUS server itse...

Page 1323: ...nto the RADIUS specified VLAN You can optionally configure the device to leave the port in the restricted VLAN To do this enter the following command PowerConnect config if e1000 3 1 mac authentication no override restrict vlan When the above command is applied if the RADIUS specified VLAN configuration is tagged e g T 1024 and the VLAN is valid then the port is placed in the RADIUS specified VLAN...

Page 1324: ...tes refer to Dynamic multiple VLAN assignment for 802 1X ports on page 1231 Also refer to the example configuration of Multi device port authentication with dynamic VLAN assignment on page 1300 Specifying to which VLAN a port is moved after its RADIUS specified VLAN assignment expires When a port is dynamically assigned to a VLAN through the authentication of a MAC address and the MAC session for ...

Page 1325: ... dynamicvlan to config is not configured Saving dynamic VLAN assignments to the running config file By default dynamic VLAN assignments are not saved to the running config file of the Dell PowerConnect device However you can configure the device to do so by entering the following command PowerConnect config mac authentication save dynamicvlan to config When the above command is applied dynamic VLA...

Page 1326: ...enabled when all of the required conditions are met The following describes the conditions and feature limitations On Layer 3 router code dynamic IP ACLs are allowed on physical ports when ACL per port per vlan is enabled On Layer 3 router code dynamic IP ACLs are allowed on tagged and dual mode ports when ACL per port per vlan is enabled If ACL per port per vlan is not enabled dynamic IP ACLs are...

Page 1327: ...atures IP source guard Rate limiting Protection against ICMP or TCP Denial of Service DoS attacks Policy based routing 802 1X dynamic filter Configuring the RADIUS server to support dynamic IP ACLs When a port is authenticated using multi device port authentication an IP ACL filter that exists in the running config file on the Dell PowerConnect device can be dynamically applied to the port To do t...

Page 1328: ...ddress is authenticated The IP address is learned The MAC to IP mapping is checked against the Static ARP Inspection table or the DHCP Secure table The Source Guard ACL entry is not written to the running configuration file However you can view the configuration using the show auth mac addresses authorized mac ip addr Refer to Viewing the assigned ACL for ports on which source guard protection is ...

Page 1329: ...entries learned on a specified interface enter a command such as the following PowerConnect clear auth mac table e 3 1 Syntax clear auth mac table ethernet port Specify the port variable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum To clear the MAC session for an address learned on a specific interface enter commands such as the following PowerCo...

Page 1330: ...owing command PowerConnect config mac authentication disable aging Syntax mac authentication disable aging Enter the command at the global or interface configuration level The denied only parameter prevents denied sessions from being aged out but ages out permitted sessions The permitted only parameter prevents permitted authenticated and restricted sessions from being aged out and ages denied ses...

Page 1331: ...ress for a certain amount of time this Layer 2 CAM entry is aged out If traffic is subsequently received from the MAC address then an attempt can be made to authenticate the MAC address again Aging of the Layer 2 CAM entry for a blocked MAC address occurs in two phases known as hardware aging and software aging The hardware aging period is fixed at 70 seconds and is non configurable The software a...

Page 1332: ... use the no form of the command to reset the RADIUS timeout behavior to retry Deny User access to the network after a RADIUS timeout To set the RADIUS timeout behavior to bypass multi device port authentication and block user access to the network enter commands such as the following PowerConnect config interface ethernet 1 3 PowerConnect config if e100 1 3 mac authentication auth timeout action f...

Page 1333: ...device port authentication enter a command such as the following at the GLOBAL Config Level of the CLI PowerConnect config mac authentication password override Syntax no mac authentication password override password where password can have up to 32 alphanumeric characters but cannot include blank spaces Limiting the number of authenticated MAC addresses You cannot enable MAC port security on the s...

Page 1334: ...ut from the show auth mac address configuration command TABLE 226 Output from the show authenticated mac address command This field Displays Port The port number where the multi device port authentication feature is enabled Vlan The VLAN to which the port has been assigned Accepted MACs The number of MAC addresses that have been successfully authenticated Rejected MACs The number of MAC addresses ...

Page 1335: ...ts on which the multi device port authentication feature is enabled Port Information for each multi device port authentication enabled port Fail Action What happens to traffic from a MAC address for which RADIUS authentication has failed either block the traffic or assign the MAC address to a restricted VLAN Fail vlan The restricted VLAN to which non authenticated MAC addresses are assigned if the...

Page 1336: ...the index entry for the Layer 2 CAM entry created for this MAC address If the MAC address is not blocked either through successful authentication or through being placed in the restricted VLAN then N A is displayed If the hardware aging period has expired then ffff is displayed for the MAC address during the software aging period TABLE 228 Output from the show authenticated mac address address com...

Page 1337: ...an IP address the IP address is also displayed Port ID of the port on which the MAC address was learned VLAN VLAN of which the port is a member Authenticated Whether the MAC address has been authenticated by the RADIUS server Time The time the MAC address was authenticated If the clock is set on the Dell PowerConnect device then the actual date and time are displayed If the clock has not been set ...

Page 1338: ...ether a port can be dynamically assigned to a VLAN specified by a RADIUS server if the port had been previously placed in the restricted VLAN because a previous attempt at authenticating a MAC address on that port failed PowerConnect show auth mac addresses detailed ethernet 15 23 Port 15 23 Dynamic Vlan Assignment Enabled RADIUS failure action Block Traffic Failure restrict use dot1x No Override ...

Page 1339: ... sent to the RADIUS server and for which the RADIUS server has not yet sent an Access Accept message Authentication attempts The total number of authentication attempts made for MAC addresses on an interface including pending authentication attempts RADIUS timeouts The number of times the session between the Dell PowerConnect device and the RADIUS server timed out RADIUS timeout action Action to b...

Page 1340: ...ect To display the table of allowed authenticated mac addresses enter the show table allowed mac command as shown Syntax show table allowed mac Output from this command resembles the following MAC Address The MAC addresses learned on the port If the packet for which multi device port authentication was performed also contained an IP address then the IP address is displayed as well RADIUS Server Th...

Page 1341: ...enied mac MAC Address Port Vlan Authenticated Time Age dot1x 0000 0010 1021 2 1 48 4092 No 00d00h32m48s H8 Dis 0000 0010 1022 2 1 48 4092 No 00d00h32m48s H8 Dis PowerConnect To display MAC authentication for a specific port enter the show table ethernet stack unit slot port command as shown PowerConnect show table eth 2 1 48 MAC AddressPortVlanAuthenticatedTimeAgeCAMMACDot1xTypePriIndex Index 0000...

Page 1342: ...FAULT VLAN to VLAN 102 If authentication for the PC fails then the PC can be placed in a specified restricted VLAN or traffic from the PC can be blocked in hardware In this example if authentication for the PC fails the PC would be placed in VLAN 1023 the restricted VLAN If authentication for the IP phone is successful then port e1 is added to VLAN 3 If authentication for the IP phone fails then t...

Page 1343: ...vices If the PC is successfully authenticated dual mode port e1 PVID is changed from the VLAN 1 the DEFAULT VLAN to VLAN 102 If authentication for the PC fails then the PC can be placed in a specified restricted VLAN or traffic from the PC can be blocked in hardware In this example if authentication for the PC fails the PC would be placed in VLAN 1023 the restricted VLAN If authentication for the ...

Page 1344: ...tion n the same port In this configuration a PC and an IP phone are connected to port e 1 3 on a Dell PowerConnect device Port e 1 3 is configured as a dual mode port The profile for the PC MAC address on the RADIUS server specifies that the PC should be dynamically assigned to VLAN Login VLAN and the RADIUS profile for the IP phone specifies that it should be dynamically assigned to the VLAN name...

Page 1345: ...1X authentication is required for this MAC address The PVID of the port e 1 3 is temporarily changed to VLAN 1024 pending 802 1X authentication When User 1 attempts to connect to the network from the PC he is subject to 802 1X authentication If User 1 is successfully authenticated the Access Accept message from the RADIUS server specifies that the PVID for User 1 port be changed to the VLAN named ...

Page 1346: ... device to perform 802 1X authentication when a device fails multi device port authentication Figure 164 shows a configuration where multi device port authentication is performed for an IP phone and 802 1X authentication is performed for a user PC There is a profile on the RADIUS server for the IP phone MAC address but not for the PC MAC address FIGURE 164 802 1X Authentication is performed when a...

Page 1347: ...entication If User 1 is successfully authenticated the PVID for port e 1 4 is changed to the VLAN named User VLAN NOTE This example assumes that the IP phone initially transmits untagged packets for example CDP or DHCP packets which trigger the authentication process on the Dell PowerConnect device and client lookup on the RADIUS server If the phone sends only tagged packets and the port e 1 4 is ...

Page 1348: ...1306 PowerConnect B Series FCX Configuration Guide 53 1002266 01 Example configurations 36 ...

Page 1349: ...hod however it requires more support configuration maintenance and user intervention than multi device port authentication The Dell Web authentication method provides an ideal port based authentication alternative to multi device port authentication without the complexities and cost of 802 1x authentication Hosts gain access to the network by opening a Web browser and entering a valid URL address ...

Page 1350: ...red When the re authentication period ends the host is logged out A host can log out at any time by pressing the Logout button in the Web Authentication Success page NOTE The host can log out as long as the Logout window Success page is visible If the window is accidentally closed the host cannot log out unless the re authentication period ends or the host is manually cleared from the Web Authenti...

Page 1351: ...supports Web Authentication DHCP server if dynamic IP addressing is to be used Computer host with a web browser Your configuration may also require a RADIUS server with some Trusted Source such as LDAP or Active Directory NOTE The Web server RADIUS server and DHCP server can all be the same server FIGURE 165 Basic topology for web authentication Configuration tasks Follow the steps given below to ...

Page 1352: ...By default HTTPS is used To enable the non secure Web server on the PowerConnect switch enter the following command PowerConnect config web management HTTP PowerConnect config vlan 10 PowerConnect config vlan 10 webauth PowerConnect config vlan 10 webauth no secure login To enable the secure Web server on the PowerConnect switch enter the following command PowerConnect config web management HTTPS ...

Page 1353: ...bauth PowerConnect config config vlan 10 webauth enable The first command changes the CLI level to the VLAN configuration level The second command changes the configuration level to the Web Authentication VLAN level The last command enables Web Authentication In the example above VLAN 10 will require hosts to be authenticated using Web Authentication before they can forward traffic Syntax webauth ...

Page 1354: ... user database 1 Create the local user database 2 Add records to the local user database either by entering a series of CLI commands or by importing a list of user records from an ASCII text file on the TFTP server to the PowerConnect switch 3 Set the local user database authentication mode 4 If desired set the authentication method RADIUS local failover sequence 5 Assign a local user databse to a...

Page 1355: ...eleting All user records from a local user database To delete all user records from a local user database enter the following command PowerConnect config localuserdb userdb1 delete all Syntax delete all Creating a text file of user records If desired you can use the TFTP protocol to import a list of usernames and passwords from a text file on a TFTP server to the PowerConnect switch The text file ...

Page 1356: ...passwords unless the device is configured to use the local user database see the previous section To configure the PowerConnect switch to use a RADIUS server refer to Configuring RADIUS security on page 1181 You must also do the following 1 Configure the RADIUS server information on the PowerConnect switch Enter a command such as the following PowerConnect config radius server host 10 1 1 8 auth p...

Page 1357: ...nd setting the local user database authentication method to local you can configure a Web Authentication VLAN to use the database to authenticate users in a VLAN To do so enter a command such as the following PowerConnect config vlan 10 webauth auth mode username password local user database userdb1 These commands configure Web Authentication to use the usernames and passwords in the userdb1 datab...

Page 1358: ...ax auth mode passcode static passcode For passcode enter a number from 4 to 16 digits in length You can create up to four static passcodes each with a different length Static passcodes do not have to be the same length as passcodes that are automatically generated After creating static passcodes you can enable passcode authentication as described in the next section To view the passcodes configure...

Page 1359: ...generated in 40 minutes However if the passcode duration is changed from 100 to 75 minutes and the passcode was last generated 60 minutes prior a new passcode will be generated in 15 minutes Similarly if the passcode duration is changed from 100 to 50 minutes and the passcode was last generated 60 minutes prior the passcode will immediately expire and a new passcode will be generated The same prin...

Page 1360: ...ou can optionally configure a grace period for an expired passcode The grace period is the period of time that a passcode will remain valid even after a new passcode is generated For example if a five minute grace period is set and the passcode 1234 is refreshed to 5678 both passcodes will be valid for five minutes after which the 1234 passcode will expire and the 5678 passcode will remain in effe...

Page 1361: ...asscode log syslog Enter the following command to re enable SNMP trap messages for passcodes after they have been disabled PowerConnect config vlan 10 webauth auth mode passcode log snmp trap Syntax no auth mode passcode log syslog snmp trap Re sending the passcode log message If passcode logging is enabled you can enter a CLI command to retransmit the current passcode to a Syslog message or SNMP ...

Page 1362: ...ly authenticated even if automatic authentication is enabled To enable automatic authentication enter the following command PowerConnect config vlan 10 PowerConnect config vlan 10 webauth PowerConnect config vlan 10 webauth auth mode none Syntax no auth mode none If automatic authentication is enabled and a host address is not in the blocked MAC address list Web Authentication authenticates the ho...

Page 1363: ...mands configure ports 3 and 6 10 as trusted ports Syntax trust port ethernet port to port Specify the port variable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum Specifying hosts that are permanently authenticated Certain hosts such as DHCP server gateway printers may need to be permanently authenticated Typically these hosts are managed by the ne...

Page 1364: ...econds and 0 means the user is always authenticated and will never have to re authenticate except if an inactive period less than the re authentication period is configured on the Web Authentication VLAN If this is the case the user becomes de authenticated if there is no activity and the timer for the inactive period expires Defining the web authentication cycle You can set a limit as to how many...

Page 1365: ...entication attempts After users exceed the limit for Web Authentication attempts specify how many seconds users must wait before the next cycle of Web Authenticated begins Enter a command such as the following PowerConnect config vlan 10 webauth block duration 4 Syntax no block duration seconds Users cannot attempt Web Authentication during this time Enter 0 128000 seconds The default is 90 second...

Page 1366: ...osts to be forwarded explicitly to defined servers by defining DNS filters Any DNS query from an unauthenticated host to a server that is not defined in a DNS filter are dropped Only DNS queries from unauthenticated hosts are affected by DNS filters authenticated hosts are not If the DNS filters are not defined then any DNS queries can be made to any server You can have up to four DNS filters Crea...

Page 1367: ...n 23 webauth PowerConnect config vlan 23 webauth reauth time 303 PowerConnect config vlan 23 webauth authenticated mac age time 300 Syntax no authenticated mac age time seconds You can enter a value from 0 to the value entered for reauth time The default is 3600 Refer to Changing the MAC age time and disabling MAC address learning on page 307 for details on the mac age time command The default mac...

Page 1368: ... config vlan 10 PowerConnect config vlan 10 no webauth Syntax no webauth Web authentication pages There are several pages that can be displayed for Web Authentication When a user first enters a valid URL address on the Web browser the browser is redirected to the Web Authentication URL refer to Defining the web authorization redirect address on page 1325 If Automatic Authentication is enabled the ...

Page 1369: ...abled The user enters a user name and password which are then sent for authentication If passcode authentication is enabled the following Login page appears FIGURE 168 Example of a login page when automatic authentication is disabled and passcode Authentication is Enabled The user enters a passcode which is then sent for authentication If the Web Authentication fails the page to try again is displ...

Page 1370: ...ost limit page If the number of Web Authentication attempts by a user has been exceeded the Maximum Attempts Limit page is displayed Figure 171 The user is blocked from attempting any Web Authentication unless either the user MAC address is removed from the blocked list using the clear webauth block mac mac address command or when the block duration timer expires FIGURE 171 Example of a maximum at...

Page 1371: ... is not configured then the host remains logged in indefinitely NOTE If you accidentally close the Success page you will not be able to log out if a re authentication period is configured you will be logged out once the re authentication period ends The host can log out of the Web session by simply clicking the Logout button Once logged out the following window appears You can customize the top an...

Page 1372: ... what text has been configured for Web Authentication pages NOTE The banner image does not apply to the Web Authentication Maximum Attempts Limit page Figure 171 The text box and Login button apply to the Login page only Figure 173 shows the placement of these objects in the Login page PowerConnect show webauth vlan 25 webpage Web Page Customizations VLAN 25 Top Header Default Text h3 Welcome to B...

Page 1373: ...d no webpage custom text title Customizing the banner image Logo You can customize the logo that appears on all Web Authentication pages Figure 173 shows placement of the banner image in the Login page NOTE The banner image does not display in the Maximum Attempts Limit page Figure 171 To customize the banner image use the TFTP protocol to upload an image file from a TFTP server to the PowerConnec...

Page 1374: ... back to its default position left Customizing the header You can customize the header that appears on all Web Authentication pages Figure 173 shows placement of the header in the Login page To customize the header enter a command such as the following PowerConnect config vlan 10 webauth webpage custom text top Welcome to Network One Syntax no webpage custom text top text For text enter up to 255 ...

Page 1375: ...oter enter a command such as the following PowerConnect config vlan 10 webauth webpage custom text bottom Network One Copyright 2010 Syntax no webpage custom text bottom text For text enter up to 255 alphanumeric characters To reset the footer back to the default text enter the command no webpage custom text bottom The default text is This network is restricted to authorized users only Violators m...

Page 1376: ...le host max num The maximum number of users that can be authenticated at one time block duration How many seconds a user who failed Web Authentication must wait before attempting to be authenticated cycle time The number of seconds in one Web Authentication cycle port down authenticated mac cleanup Indicates if this option is enabled or disabled If enabled all authenticated users are de authentica...

Page 1377: ...onnect switch is used The actual text on the Web Authentication pages can be displayed using the show webauth vlan vlan id webpage command Refer to Displaying text for web authentication pages on page 1329 Host statistics The authentication status and the number of hosts in each state This field Displays VLAN Web Authentication The ID of the VLAN on which Web Authentication is enabled Web Authenti...

Page 1378: ...ddresses that are trying to be authenticated User Name The User Name associated with the MAC address of Failed Attempts Number of authentication attempts that have failed Cycle Time Remaining The remaining time the user has to be authenticated before the current authentication cycle expires Once it expires the user must enter a valid URL again to display the Web Authentication Welcome page PowerCo...

Page 1379: ...VLAN on which Web Authentication is enabled Web Block List MAC Address The MAC addresses that have been blocked from Web Authentication User Name The User Name associated with the MAC address Configuration Static Dynamic If the MAC address was dynamically or statically blocked The block mac command statically blocks MAC addresses Block Duration Remaining The remaining time the MAC address has befo...

Page 1380: ...ntax show local userdb db name Displaying passcodes If the passcode Web authentication mode is enabled you can use the following command to display current passcodes Syntax show webauth vlan vlan id passcode PowerConnect show webauth vlan 25 passcode Current Passcode 1389 This passcode is valid for 35089 seconds ...

Page 1381: ...GURE 174 How a Smurf attack floods a victim with ICMP replies The attacker sends an ICMP echo request packet to the broadcast address of an intermediary network The ICMP echo request packet contains the spoofed address of a victim network as its source When the ICMP echo request reaches the intermediary network it is converted to a Layer 2 broadcast and sent to the hosts on the intermediary networ...

Page 1382: ... is the victim of a Smurf attack You can set threshold values for ICMP packets that are targeted at the router itself or passing through an interface and drop them when the thresholds are exceeded For example to set threshold values for ICMP packets targeted at the router enter the following command in global CONFIG mode PowerConnect config ip icmp burst normal 5000 burst max 10000 lockup 300 To s...

Page 1383: ...packet the destination host keeps track of the as yet incomplete TCP connection in a connection queue When the ACK packet is received information about the connection is removed from the connection queue Usually there is not much time between the destination host sending a SYN ACK packet and the source host sending an ACK packet so the connection queue clears quickly In a TCP SYN attack an attacke...

Page 1384: ...000 seconds The number of incoming TCP SYN packets per second is measured and compared to the threshold values as follows If the number of TCP SYN packets exceeds the burst normal value the excess TCP SYN packets are dropped If the number of TCP SYN packets exceeds the burst max value all TCP SYN packets are dropped for the number of seconds specified by the lockup value When the lockup period exp...

Page 1385: ...ind TCP reset attack using the SYN bit a perpetrator attempts to guess the SYN bits to prematurely terminate an active TCP session To prevent a user from using the SYN bit to tear down a TCP connection in current software releases the SYN bit is subject to the following rules when receiving TCP segments If the SYN bit is set and the sequence number is outside the expected window the Dell PowerConn...

Page 1386: ...opped because burst thresholds were exceeded enter the following command PowerConnect clear statistics dos attack Syntax clear statistics dos attack PowerConnect show statistics dos attack Local Attack Statistics ICMP Drop Count ICMP Block Count SYN Drop Count SYN Block Count 0 0 0 0 Transit Attack Statistics Port ICMP Drop Count ICMP Block Count SYN Drop Count SYN Block Count 3 11 0 0 0 0 ...

Page 1387: ...e it creates an ARP request to resolve the mapping All computers on the subnet will receive and process the ARP requests and the host whose IP address matches the IP address in the request will send an ARP reply An ARP poisoning attack can target hosts switches and routers connected to the Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic in...

Page 1388: ...o MAC address bindings stored in a trusted binding database For the Brocade device the binding database is the ARP table which supports DAI DHCP snooping and IP Source Guard To inspect an ARP request packet DAI checks the source IP and source MAC address against the ARP table For an ARP reply packet DAI checks the source IP source MAC destination IP and destination MAC addresses DAI forwards the v...

Page 1389: ... Dell recommends that you do not enable DAI on a trunk port The maximum number of DHCP and static DAI entries depends on the maximum number of ARP table entries allowed on the device A Layer 2 switch can have up to 256 ARP entries and a Layer 3 switch can have up to 64 000 ARP entries In a Layer 3 switch you can use the system max ip arp command to change the maximum number of ARP entries for the ...

Page 1390: ...IP to MAC is received on a port Syntax no arp ip addr mac addr inspection The ip addr mac addr parameter specifies a device IP address and MAC address pairing Enabling DAI on a VLAN DAI is disabled by default To enable DAI on an existing VLAN enter the following command PowerConnect config ip arp inspection vlan 2 The command enables DAI on VLAN 2 ARP packets from untrusted ports in VLAN 2 will un...

Page 1391: ...vice to filter untrusted DHCP packets in a subnet DHCP snooping can ward off MiM attacks such as a malicious user posing as a DHCP server sending false DHCP server reply packets with the intention of misdirecting other users DHCP snooping can also stop unauthorized DHCP servers and prevent errors due to user mis configuration of DHCP servers Often DHCP snooping is used together with Dynamic ARP In...

Page 1392: ...rver reply packets on trusted ports the Dell PowerConnect device saves the client IP to MAC address binding information in the DHCP binding database This is how the DHCP snooping binding table is populated The information saved includes MAC address IP address lease time VLAN number and port number In the Brocade device the DHCP binding database is integrated with the enhanced ARP table which is us...

Page 1393: ...DHCP snooping is enabled Configuration notes and feature limitations The following limits and restrictions apply to DHCP snooping To run DHCP snooping you must first enable support for ACL filtering based on VLAN membership or VE port membership To do so enter the following commands at the Global CONFIG Level of the CLI PowerConnect config enable ACL per port per vlan PowerConnect config write mem...

Page 1394: ...setting for a port is untrusted To enable trust on a port connected to a DHCP server enter commands such as the following PowerConnect config interface ethernet 1 1 PowerConnect config if e10000 1 1 dhcp snooping trust Port 1 1 is connected to a DHCP server The commands change the CLI to the interface configuration level of port 1 1 and set the trust setting of port 1 1 to trusted Syntax no dhcp s...

Page 1395: ...ng info Displaying DHCP binding entry and status To display the DHCP binding entry and its current status use the show arp command Syntax show arp For field definitions refer to Table 161 on page 875 DHCP snooping configuration example The following example configures VLAN 2 and VLAN 20 and changes the CLI to the global configuration level to enable DHCP snooping on the two VLANs The commands are ...

Page 1396: ...ect config if e10000 1 2 dhcp snooping trust PowerConnect config if e10000 1 2 exit Hence DHCP server reply packets received on ports 1 1 and 1 2 are forwarded and client IP MAC binding information is collected The example also sets the DHCP server address for the local relay agent PowerConnect config interface ve 2 PowerConnect config vif 2 ip address 20 20 20 1 24 PowerConnect config vif 2 ip he...

Page 1397: ...nly when DHCP snooping is enabled for the client server ports Configuration notes DHCP snooping and DHCP option 82 are supported on a per VLAN basis DHCP option 82 follows the same configuration rules and limitations as for DHCP snooping For more information refer to Configuration notes and feature limitations on page 1351 DHCP Option 82 sub options The Dell implementation of DHCP Option 82 suppor...

Page 1398: ...mat FIGURE 180 General CID packet format Sub option 2 Remote ID The Remote ID RID identifies the remote host end of the circuit the relay agent Dell PowerConnect devices use the MAC address to identify itself as the relay agent Figure 181 illustrates the RID packet format FIGURE 181 RID packet format Sub option 6 subscriber id The Subscriber ID SID is a unique identification number that enables an...

Page 1399: ...By default when DHCP option 82 is enabled on a VLAN DHCP packets received on all member ports of the VLAN are subject to DHCP option 82 processing You can optionally disable and later re enable DHCP option 82 processing on one or more member ports of the VLAN To do so use the commands in this section To disable a particular port in a VLAN from adding relay agent information to DHCP packets enter c...

Page 1400: ...e default behavior Use the show ip dhcp relay information command to view the forwarding policy configured on the switch Refer to Viewing the circuit Id remote id and forwarding policy on page 1359 Enabling and disabling subscriber ID processing You can configure a unique subscriber ID SID per port Unlike the CID and RID sub options the SID sub option is not automatically enabled when DHCP option ...

Page 1401: ...uit ID format vlan mod port The default circuit ID format Remote ID The remote ID format This field displays mac which is the default remote ID format Policy How the Dell switch processes relay agent information it receives in DHCP messages drop drops the relay agent information keep keeps the relay agent information replace replaces the relay agent information with its own TABLE 235 Output for th...

Page 1402: ...IP address IP Source Guard then allows IP traffic Only the traffic with valid source IP addresses are permitted The system learns of a valid IP address from DHCP Snooping When it learns a valid IP address the system permits the learned source IP address PowerConnect show interfaces ethernet 3 GigabitEthernet3 is up line protocol is up Hardware is GigabitEthernet address is 00e0 5200 0002 bia 00e0 ...

Page 1403: ...ng as both features are configured at the port level or per port per VLAN level Dell PowerConnect devices do not support IP Source Guard and IPv4 ACLs on the same port if one is configured at the port level and the other is configured at the per port per VLAN level IP source guard and IPv6 ACLs are supported together on the same device as long as they are not configured on the same port or virtual...

Page 1404: ...fer to Defining static IP source bindings on page 1362 Source Guard Protection enables concurrent support with multi device port authentication For details Refer to Enabling source guard protection on page 1286 IP Source Guard is supported on a VE with or without an assigned IP address Enabling IP source guard on a port You can enable IP Source Guard on DHCP snooping untrusted ports Refer to DHCP ...

Page 1405: ...t config int e 23 PowerConnect config if e1000 23 per vlan vlan12 PowerConnect config if e1000 23 vlan 12 source guard enable The commands in this example configure port based VLAN 12 and add ports e 5 8 as untagged ports and ports e 23 24 as tagged ports to the VLAN The last two commands enable IP Source Guard on port e 23 a member of VLAN 12 Syntax no source guard enable Enabling IP source guard...

Page 1406: ...1364 PowerConnect B Series FCX Configuration Guide 53 1002266 01 IP source guard 39 ...

Page 1407: ...ctions introduced a few methods used to secure SNMP access They included the following Using ACLs to restrict SNMP access on page 1140 Restricting SNMP access to a specific IP address on page 1142 Restricting SNMP access to a specific VLAN on page 1145 Disabling SNMP access on page 1149 This chapter presents additional methods for securing SNMP access to Dell PowerConnect devices It contains the f...

Page 1408: ...gs as you need The number of strings you can configure depends on the memory on the device There is no practical limit The Web Management Interface supports only one read write session at a time When a read write session is open on the Web Management Interface subsequent sessions are read only even if the session login is set with a valid read write password NOTE If you delete the startup config f...

Page 1409: ...y string you enter is encrypted and decrypts the value before using it NOTE If you want the software to assume that the value you enter is the clear text form and to encrypt display of that form do not enter 0 or 1 Instead omit the encryption option and allow the software to use the default behavior NOTE If you specify encryption option 1 the software assumes that you are entering the encrypted fo...

Page 1410: ...ead ro view sysview 2 PowerConnect config snmp s community myread ro view sysview myACL The command in the first example indicates that ACL group 2 will filter incoming SNMP packets whereas the command in the second example uses the ACL group called myACL to filter incoming packets Refer to Using ACLs to restrict SNMP access on page 1140 for more information NOTE To make configuration changes incl...

Page 1411: ... v3 Configuration examples on page 1379 Configuring your NMS In order to use the SNMP version 3 features 1 Make sure that your Network Manager System NMS supports SNMP version 3 2 Configure your NMS agent with the necessary users 3 Configure the SNMP version 3 features in Dell PowerConnect devices Configuring SNMP version 3 on Dell PowerConnect devices Follow the steps given below to configure SNM...

Page 1412: ...ts of 11 octets entered as hexadecimal values There are two hexadecimal characters in each octet There should be an even number of hexadecimal characters in an engine ID The default engine ID has a maximum of 11 octets Octets 1 through 4 represent the agent s SNMP management private enterprise number as assigned by the Internet Assigned Numbers Authority IANA The most significant bit of Octet 1 is...

Page 1413: ...g write viewstring parameter is optional It indicates that users who belong to this group have either read or write access to the MIB The viewstring variable is the name of the view to which the SNMP group members have access If no view is specified then the group has no access to the MIB The value of viewstring is defined using the snmp server view command The SNMP agent comes with the all defaul...

Page 1414: ...the group will be used to filter packets The encrypted parameter means that the MD5 or SHA password will be a digest value MD5 has 16 octets in the digest SHA has 20 The digest string has to be entered as a hexadecimal string In this case the agent need not generate any explicit digest If the encrypted parameter is not used the user is expected to enter the authentication password string for MD5 o...

Page 1415: ...enter one of the following commands PowerConnect config snmp server view Maynes system included PowerConnect config snmp server view Maynes system 2 excluded PowerConnect config snmp server view Maynes 2 3 6 included PowerConnect config write mem NOTE The snmp server view command supports the MIB objects as defined in RFC 1445 Syntax no snmp server view name mib_tree included excluded The name par...

Page 1416: ... no snmp server group groupname v1 v2 v3 auth noauth priv access standard ACL id read viewstring write viewstring notify viewstring The group groupname parameter defines the name of the SNMP group to be created The v1 v2 or v3 parameter indicates which version of SNMP to use In most cases you will use v3 since groups are automatically created in SNMP versions 1 and 2 from community strings The aut...

Page 1417: ...nd the SMIv2 notification in SNMPv3 packet format configure v3 with auth or privacy parameters or both by specifying a security name The actual authorization and privacy values are obtained from the security name For SNMP version 2c enter v2 and the name of the community string This string is encrypted within the system For SNMP version 3 enter one of the following depending on the authorization r...

Page 1418: ...ion 3 Restricting SNMP Access to an IPv6 Node You can restrict SNMP access so that the Dell PowerConnect device including IronView Network Manager can only be accessed by the IPv6 host address that you specify To do so enter a command such as the following PowerConnect config snmp client ipv6 2001 efff 89 23 Syntax snmp client ipv6 ipv6 address The ipv6 address must be in hexadecimal format using ...

Page 1419: ...that the SNMP engine reinitialized itself with the same engine ID If the engineID is modified the boot count is reset to 0 The engine time represents the current time with the SNMP agent Displaying SNMP groups To display the definition of an SNMP group enter a command such as the following PowerConnect show snmp server Contact Location Community ro Traps Warm Cold start Enable Link up Enable Link ...

Page 1420: ...presents a list of varbinds supported by the SNMP agent Security level Authentication none If the security model shows v1 or v2 then security level is blank User names are not used to authenticate users community strings are used instead noauthNoPriv Displays if the security model shows v3 and user authentication is by user name only authNoPriv Displays if the security model shows v3 and user auth...

Page 1421: ...mp server group ops v3 priv read internet write system PowerConnect config snmp server group admin v3 priv read internet write internet PowerConnect config snmp server group restricted v3 priv read internet PowerConnect config snmp server user ops ops v3 encrypted auth md5 ab8e9cd6d46e7a270b8c9549d92a069 priv encrypted des 0e1b153303b6188089411447dbc32de PowerConnect config snmp server user admin ...

Page 1422: ...1380 PowerConnect B Series FCX Configuration Guide 53 1002266 01 SNMP v3 Configuration examples 40 ...

Page 1423: ...essages to provide information at the following severity levels Emergencies Alerts Critical TABLE 237 Supported Syslog features Feature PowerConnect B Series FCX Syslog messages Yes Real time display of Syslog messages Yes Real time display for Telnet or SSH sessions Yes Show log on all terminals Yes Time stamps Yes Multiple Syslog server logging up to 6 Syslog servers Yes Disabling logging of a m...

Page 1424: ...so provide Syslog running on NT Syslog uses UDP port 514 and each Syslog message thus is sent with destination port 514 Each Syslog message is one line with Syslog message format The message is embedded in the text portion of the Syslog format There are several subfields in the format Keywords are used to identify each subfield and commas are delimiters The subfield order is insensitive except tha...

Page 1425: ...a Telnet or SSH session Enabling real time display for a Telnet or SSH session To also enable the real time display for a Telnet or SSH session enter the following command from the Privileged EXEC level of the session telnet PowerConnect terminal monitor Syslog trace was turned ON Syntax terminal monitor Notice that the CLI displays a message to indicate the status change for the feature To disabl...

Page 1426: ...display of Syslog buffer configuration This field Displays Syslog logging The state enabled or disabled of the Syslog buffer messages dropped The number of Syslog messages dropped due to user configured filters By default the software logs messages for all Syslog levels You can disable individual Syslog levels in which case the software filters out messages at those levels Refer to Disabling loggi...

Page 1427: ...e failure of fan 1 with the newer message The software does not overwrite the message for fan 2 unless the software sends a newer message for fan 2 overruns The number of times the dynamic log buffer has filled up and been cleared to hold new entries For example if the buffer is set for 100 entries the 101st entry causes an overrun After that the 201st entry causes a second overrun level The messa...

Page 1428: ...format mm dd hh mm ss where mm abbreviation for the name of the month dd day hh hours mm minutes ss seconds For example Oct 15 17 38 03 means October 15 at 5 38 PM and 3 seconds If you have not set the time and date on the onboard system clock the time stamp shows the amount of time that has passed since the device was booted in the following format num d num h num m num s where num d day num h ho...

Page 1429: ... logged level code A alert C critical D debugging M emergency E error I informational N notification W warning Static Log Buffer Dec 15 19 04 14 A Fan 1 fan on right connector failed Dec 15 19 00 14 A Fan 2 fan on left connector failed Dynamic Log Buffer 50 entries Oct 15 17 38 03 warning list 101 denied tcp 209 157 22 191 0 Ethernet 18 0010 5a1f 77ed 198 99 4 69 http 1 event s Oct 15 07 03 30 war...

Page 1430: ... six Syslog servers PowerConnect config logging host 10 0 0 99 Syntax logging host ip addr server name Disabling logging of a message level To change the message level disable logging of specific message levels You must disable the message levels on an individual basis For example to disable logging of debugging and informational messages enter the following commands PowerConnect config no logging...

Page 1431: ...re placing the change into effect If you increase the size of the Syslog buffer the software will clear some of the older locally buffered Syslog messages Changing the log facility The Syslog daemon on the Syslog server uses a facility to determine where to log the messages from the Dell PowerConnect device The default facility for messages the Dell PowerConnect device sends to the Syslog server i...

Page 1432: ...r the Dynamic Log Buffer section The actual interface number is appended to the interface name For example if the interface name is lab and its port number is 2 you see lab2 displayed as in the example below PowerConnect show logging Syslog logging enabled 0 messages dropped 0 flushes 0 overruns Buffer logging level ACDMEINW 3 messages logged level code A alert C critical D debugging M emergency E...

Page 1433: ...om clearing the System log leave the number of entries allowed in the Syslog buffer unchanged This feature does not save Syslog messages after a hard reboot When the Dell PowerConnect device is power cycled the Syslog messages are cleared To configure the device to save the System log messages after a soft reboot enter the following command PowerConnect config logging persistence Syntax no logging...

Page 1434: ...rtnum No VLAN Info received from RADIUS server RADIUS authentication was successful for the specified mac address on the specified portnum however dynamic VLAN assignment was enabled for the port but the RADIUS Access Accept message did not include VLAN information This is treated as an authentication failure Alert MAC Authentication failed for mac address on portnum Port is already in another rad...

Page 1435: ...ot num encountered PCI config read error Bus PCI bus number Dev PCI device number Reg Offset PCI config register offset The module encountered a hardware configuration read error Alert System Module in slot slot num encountered PCI config write error Bus PCI bus number Dev PCI device number Reg Offset PCI config register offset The module encountered a hardware configuration write error Alert Syst...

Page 1436: ...em will be shut down in the amount of time indicated Alert Temperature degrees C degrees warning level warn degrees C degrees shutdown level shutdown degrees C degrees Indicates an over temperature condition on the active module The degrees value indicates the temperature of the module The warn degrees value is the warning threshold temperature configured for the module The shutdown degrees value ...

Page 1437: ...ort is down The specified ports were logically brought down while singleton was configured on the port Informational device name Logical link on interface ethernet slot port is up The specified ports were logically brought up while singleton was configured on the port Informational user name login to PRIVILEGED mode A user has logged into the Privileged EXEC mode of the CLI The user name is the us...

Page 1438: ... a VE virtual interface The RADIUS server returned an IP ACL or MAC address filter but the port is a member of a virtual interface VE Informational DOT1X port portnum mac mac address cannot remove inbound ACL An error occurred while removing the inbound ACL Informational DOT1X port portnum mac mac address Downloading a MAC filter but MAC filter have no effect on router port The RADIUS server retur...

Page 1439: ... an IP ACL or MAC address filter to the port Invalid information was received from the RADIUS server for example the Filter ID attribute did not refer to an existing IP ACL or MAC address filter Informational DOT1X Port portnum currently used vlan id changes to vlan id due to dot1x RADIUS vlan assignment A user has completed 802 1X authentication The profile received from the RADIUS server specifi...

Page 1440: ...ed deleted or applied this MAC address filter through the Web SNMP console SSH or Telnet session Informational MSTP BPDU guard interface ethernet port number detect Received BPDU putting into err disable state BPDU guard violation occurred in MSTP Informational OPTICAL MONITORING port port number is not capable The optical transceiver is qualified by Dell PowerConnect but the transceiver does not ...

Page 1441: ...uration through the Web SNMP console SSH or Telnet session Informational startup config was changed or startup config was changed by user name A configuration change was saved to the startup config file The user name is the user ID if they entered a user ID to log in Informational STP Root Guard Port port number VLAN vlan ID consistent Timeout Root guard unblocks a port Informational STP Root Guar...

Page 1442: ...ry with Mac Address mac address is added to ethe unit slot port to unit slot port on vlan id A MAC address is added to a range of interfaces which are members of the specified VLAN Informational System Static Mac entry with Mac Address mac address is added to portnumber unit slot port on VLAN vlan id A MAC address is added to an interface and the interface is a member of the specified VLAN Informa...

Page 1443: ...stem The specified unit has been deleted from the stacking system Informational Stack unit unitNumber has been elected as ACTIVE unit of the stack system The specified unit in a stack has been elected as the Master unit for the stacking system Informational Stack Stack unit unit has been added to the stack system The specified unit has been added to the stacking system Informational System Managem...

Page 1444: ...he root selection computation Notification ACL exceed max DMA L4 cam resource using flow based ACL instead The port does not have enough Layer 4 CAM entries for the ACL To correct this condition allocate more Layer 4 CAM entries To allocate more Layer 4 CAM entries enter the following command at the CLI configuration level for the interface ip access group max l4 cam num Notification ACL insuffici...

Page 1445: ...dication of Port portnum to other software applications The device has indicated that the specified port has been authenticated but the actual port may not be active Notification DOT1X Port port_id Mac mac_address user user_id RADIUS timeout for authentication The RADIUS session has timed out for this 802 1x port Notification ISIS L1 ADJACENCY DOWN system id on circuit circuit id The Layer 3 Switc...

Page 1446: ...burst packets stopping for num seconds Threshold parameters for local TCP traffic on the device have been configured and the maximum burst size for TCP packets has been exceeded The first num is the maximum burst size maximum number of packets allowed The second num is the number of seconds during which additional TCP packets will be blocked on the device NOTE This message can occur in response to...

Page 1447: ...ddr error type error type pkt type pkt type Indicates that an OSPF interface authentication failure has occurred The router id is the router ID of the Dell PowerConnect device The ip addr is the IP address of the interface on the Dell PowerConnect device The src ip addr is the IP address of the interface from which the Dell PowerConnect device received the authentication failure The error type can...

Page 1448: ...ch authentication failure network mask mismatch hello interval mismatch dead interval mismatch option mismatch unknown The packet type can be one of the following hello database description link state request link state update link state ack unknown Notification OSPF intf rcvd bad pkt rid router id intf addr ip addr pkt src addr src ip addr pkt type pkt type Indicates that an OSPF interface receiv...

Page 1449: ...id packet type Notification OSPF intf rcvd bad pkt Bad Packet type rid ip addr intf addr ip addr pkt size num checksum num pkt src addr ip addr pkt type type The device received an OSPF packet with an invalid type The parameters are the same as for the Bad Checksum message The pkt type type value is unknown indicating that the packet type is invalid Notification OSPF intf rcvd bad pkt Invalid pack...

Page 1450: ...the type of LSA The lsa id is the LSA ID The lsa router id is the LSA router ID Notification OSPF LSDB approaching overflow rid router id limit num The software is close to an LSDB condition The router id is the router ID of the Dell PowerConnect device The num is the number of LSAs Notification OSPF LSDB overflow rid router id limit num A Link State Database Overflow LSDB condition has occurred T...

Page 1451: ...ighbor The ospf state indicates the state to which the interface has changed and can be one of the following down attempt initializing 2 way exchange start exchange loading full unknown Notification OSPF originate LSA rid router id area area id LSA type lsa type LSA id lsa id LSA router id lsa router id An OSPF interface has originated an LSA The router id is the router ID of the Dell PowerConnect...

Page 1452: ...e on the Dell PowerConnect device The src ip addr is the IP address of the interface from which the Dell PowerConnect device received the authentication failure The error type can be one of the following bad version area mismatch unknown NBMA neighbor unknown virtual neighbor authentication type mismatch authentication failure network mask mismatch hello interval mismatch dead interval mismatch op...

Page 1453: ...e mismatch authentication failure network mask mismatch hello interval mismatch dead interval mismatch option mismatch unknown The packet type can be one of the following hello database description link state request link state update link state ack unknown Notification OSPF virtual intf rcvd bad pkt rid router id intf addr ip addr pkt src addr src ip addr pkt type pkt type Indicates that an OSPF ...

Page 1454: ...ello database description link state request link state update link state ack unknown The lsa type is the type of LSA The lsa id is the LSA ID The lsa router id is the LSA router ID Notification OSPF virtual intf state changed rid router id area area id nbr ip addr state ospf state Indicates that the state of an OSPF virtual routing interface has changed The router id is the router ID of the route...

Page 1455: ...face and the maximum burst size for ICMP packets on the interface has been exceeded The portnum is the port number The first num is the maximum burst size maximum number of packets allowed The second num is the number of seconds during which additional ICMP packets will be blocked on the interface NOTE This message can occur in response to an attempted Smurf attack Notification Transit TCP in inte...

Page 1456: ...licate IP address The portnum is the Dell PowerConnect port that received the packet with the duplicate IP address The address is the packet source IP address Warning IGMP MLD no hardware vidx broadcast to the entire vlan rated limited number IGMP or MLD snooping has run out of hardware application VLANs There are 4096 application VLANs per device Traffic streams for snooping entries without an ap...

Page 1457: ... a port on which you have configured a lock address filter received a packet that was dropped because the packet source MAC address did not match an address learned by the port before the lock took effect The e portnum is the port number The mac address is the MAC address that was denied by the address lock Assuming that you configured the port to learn only the addresses that have valid access to...

Page 1458: ...NTP server ip addr failed to respond Indicates that a Simple Network Time Protocol SNTP server did not respond to the device query for the current time The ip addr indicates the IP address of the SNTP server Warning rip filter list list num direction V1 V2 denied ip addr num packets Indicates that a RIP route filter denied dropped packets The list num is the ID of the filter list The direction ind...

Page 1459: ...witch or Layer 3 Switch For software specifics refer to Determining the software versions installed and running on a device on page 58 To view the software and hardware details for the system enter the show version command The following shows an example output TABLE 240 Supported network monitoring features Feature PowerConnect B Series FCX Egress queue counters Yes Remote monitoring RMON Yes Spec...

Page 1460: ...ion level PowerConnect show version Active Management CPU Slot 9 SW Version 04 3 00b17T3e3 Copyright c 1996 2008 Brocade Communications Inc Inc Compiled on Sep 25 2008 at 04 09 20 labeled as SXR04300b17 4031365 bytes from Secondary sxr04300b17 bin BootROM Version 04 0 00T3e5 FEv2 HW ANR Chassis SX 1600 PREM PROM TYPE SX FIL3U Serial TE35069141 SL 3 SX FI424C 24 port Gig Copper Serial CY13073008 P ...

Page 1461: ...g formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum Table 241 lists the statistics displayed in the output of the show statistics command TABLE 241 Port statistics This line Displays Port configuration Port The port number PowerConnect show statistics ethernet 1 3 Port Link State Dupl Speed Trunk Tag Priori MAC Name 1 3 Up Forward Half 100M None No level0 00e0 5200 01...

Page 1462: ... good multicast packets received OutMulticastPkts The total number of good multicast packets sent InUnicastPkts The total number of good unicast packets received OutUnicastPkts The total number of good unicast packets sent InBadPkts The total number of packets received for which one of the following is true The CRC was invalid The packet was oversized Jabbers The packets were longer than 1518 octe...

Page 1463: ...e data length was longer than the maximum allowable frame size No Rx Error was detected NOTE Packets are counted for this statistic regardless of whether the CRC is valid or invalid InShortPkts The total number of packets received for which all of the following was true The data length was less than 64 bytes No Rx Error was detected No Collision or Late Collision was detected NOTE Packets are coun...

Page 1464: ...tual 1Gbit configured duplex fdx actual fdx Configured mdi mode AUTO actual none Member of L2 VLAN ID 52 port is untagged port state is FORWARDING BPDU guard is Disabled ROOT protect is Disabled Link Error Dampening is Disabled STP configured to ON priority is level0 mac learning is enabled Flow Control is config enabled oper enabled negotiation disabled mirror disabled monitor disabled Not member...

Page 1465: ...imum number of entries allowed in the RMON control table You can specify the maximum number of entries allowed in the RMON control table including alarms history and events The maximum number of RMON entries supported is 32768 To set the maximum number of allowable entries to 3000 in the RMON history table enter commands such as the following PowerConnect config system max rmon entries 3000 PowerC...

Page 1466: ...e same port is 2 1 This command shows the following information TABLE 243 Export configuration and statistics This line Displays Octets The total number of octets of data received on the network This number includes octets in bad packets This number does not include framing bits but does include Frame Check Sequence FCS octets Drop events Indicates an overrun at the port The port logic could not r...

Page 1467: ...CS with a non integral number of octets Alignment Error NOTE This definition of jabber is different from the definition in IEEE 802 3 section 8 2 1 5 10BASE5 and section 10 3 1 4 10BASE2 These documents define jabber as the condition where any packet exceeds 20 ms The allowed range to detect jabber is between 20 ms and 150 ms This number does not include framing bits but does include FCS octets Co...

Page 1468: ...ter the show rmon history command Alarm RMON group 3 Alarm is designed to monitor configured thresholds for any SNMP integer time tick gauge or counter MIB object Using the CLI you can define what MIB objects are monitored the type of thresholds that are monitored falling rising or both the value of those thresholds and the sample type absolute or delta An alarm event is reported each time that a ...

Page 1469: ...scribed in RFC 3176 InMon Corporation s sFlow A Method for Monitoring Traffic in Switched and Routed Networks PowerConnect B Series FCX devices you can use QoS queue 1 for priority traffic even when sFlow is enabled on the port sFlow version 5 sFlow version 5 enhances and modifies the format of the data sent to the sFlow collector sFlow version 5 introduces several new sFlow features and also defi...

Page 1470: ...include the following extended router information IP address of the next hop router Outgoing VLAN ID Source IP address prefix length Destination IP address prefix length Note that in IPv6 devices the prefix lengths of the source and destination IP addresses are collected if BGP is configured and the route lookup is completed In IPv4 devices this information is collected only if BGP is configured o...

Page 1471: ...tors includes an agent_address field This field identifies the IP address of the device that sent the data On a Layer 2 Switch agent_address is the Layer 2 Switch management IP address You must configure the management IP address in order to export sFlow data from the device If the switch has both an IPv4 and IPv6 address the agent_address is the IPv4 address If the switch has an IPv6 address only...

Page 1472: ...te Port monitoring and sFlow PowerConnect B Series FCX devices support sFlow and port monitoring together on the same port Configuring and enabling sFlow NOTE The commands in this section apply to sFlow version 2 and sFlow version 5 CLI commands that are specific to sFlow version 5 are documented in Configuring sFlow version 5 features on page 1436 To configure sFlow perform the following tasks Op...

Page 1473: ...for sFlow data on UDP port 6343 Syntax no sflow destination ipv6 ip addr dest udp port The ip addr parameter specifies the IP address of the collector The dest udp port parameter specifies the UDP port on which the sFlow collector will be listening for exported sFlow data The default port number is 6343 If the IPv6 address you specify is a link local address on a Layer 3 switch you must also speci...

Page 1474: ...e sampled The sflow sample command at the global level or port level specifies N the denominator of the fraction Thus a higher number for the denominator means a lower sampling rate since fewer packets are sampled Likewise a lower number for the denominator means a higher sampling rate because more packets are sampled For example if you change the denominator from 512 to 128 the sampling rate incr...

Page 1475: ...out of every four samples taken by the hardware will be exported Whether a port s sampling rate is configured explicitly or whether it uses the global default setting has no effect on the calculations You do not need to perform any of these calculations to change a sampling rate For simplicity the syntax information in this section lists the valid sampling rates You can display the rates you enter...

Page 1476: ...will be taken The software rounds the value you enter up to the next odd power of 2 The actual sampling rate becomes one of the values listed in Changing the default sampling rate Changing the sampling rate for a trunk port You can configure an individual static trunk port to use a different sampling rate than the global default sampling rate This feature is also supported on LACP trunk ports This...

Page 1477: ...2 1X Port Security Command syntax This section shows how to enable sFlow forwarding Globally enabling sFlow forwarding To enable sFlow forwarding you must first enable it on a global basis then on individual interfaces or trunk ports or both To globally enable sFlow forwarding enter the following command PowerConnect config sflow enable You can now enable sFlow forwarding on individual ports as de...

Page 1478: ...g and enabling sFlow on page 1430 When sFlow version 5 is enabled on the device you can do the following Specify the sFlow version version 2 or version 5 Specify the sFlow agent IP address Specify the maximum flow sample size Export CPU and memory usage Information to the sFlow collector Specify the polling interval for exporting CPU and memory usage information to the sFlow collector Export CPU d...

Page 1479: ... default when sFlow is enabled globally on the Dell PowerConnect device the sFlow agent exports sFlow data in version 5 format You can change this setting so that the sFlow agent exports data in version 2 format You can switch between versions without rebooting the device or disabling sFlow NOTE When the sFlow version number is changed the system will reset sFlow counters and flow sample sequence ...

Page 1480: ...val from 5 seconds to 1 800 seconds 30 minutes The default polling interval for exporting CPU and memory usage information is 300 seconds 5 minutes Exporting CPU directed data management traffic to the sFlow collector You can select which and how often data destined to the CPU for example Telnet sessions is sent to the sFlow collector CLI commands allow you to do the following Enable the sFlow age...

Page 1481: ...mpling rate depends on the Dell PowerConnect device being configured Refer to Changing the sampling rate on page 1432 for the default sampling rate for each kind of Dell PowerConnect device Displaying sFlow information To display sFlow configuration information and statistics enter the following command at any level of the CLI ...

Page 1482: ...ate 512 actual rate 512 Port Sampling Rates Port 8 4 configured rate 512 actual rate 512 Subsampling factor 1 Port 8 1 configured rate 512 actual rate 512 Subsampling factor 1 Port 5 20 configured rate 3000 actual rate 8192 Subsampling factor 16 Port 5 19 configured rate 512 actual rate 512 Subsampling factor 1 Port 5 18 configured rate 512 actual rate 512 Subsampling factor 1 Port 5 17 configured...

Page 1483: ... maximum sFlow sample size The maximum size of a flow sample sent to the sFlow collector exporting cpu traffic Indicates whether or not the sFlow agent is configured to export data destined to the CPU e g Telnet sessions to the sFlow collector enabled disabled exporting cpu traffic sample rate The sampling rate for CPU directed data which is the average ratio of the number of incoming packets on a...

Page 1484: ...fic regularly passes between the downlink ports the information displayed by the utilization lists does not provide a clear depiction of traffic exchanged by the downlink ports and the uplink port Each uplink utilization list consists of the following Utilization list number 1 2 3 or 4 exporting system info polling interval Specifies the interval in seconds that sFlow data is sent to the sFlow col...

Page 1485: ... the uplink ports The downlink ethernet parameters and the port numbers you specify after the parameters indicate the downlink ports Specify the port variable in the following formats PowerConnect B Series FCX stackable switches stack unit slotnum portnum Displaying utilization percentages for an uplink After you configure an uplink utilization list you can display the list to observe the percenta...

Page 1486: ...e traffic with other ports in the system or when the downlink ports are configured together in a port based VLAN In the following example ports 1 2 and 1 3 are in the same port based VLAN PowerConnect show relative utilization 1 uplink ethe 1 30 sec total uplink packet count 3011 packet count ratio 1 2 100 1 3 100 Here is another example showing different data for the same link utilization list In...

Page 1487: ...frastructure Link Layer Discovery Protocol LLDP for Media Endpoint Devices Yes 802 1d Ethernet Bridging Yes 802 1D MAC Bridges Yes 802 1p Mapping to Priority Queue Yes 802 1p q VLAN Tagging Yes 802 1Q Generic VLAN Registration Protocol GVRP Yes 802 1s Multiple Spanning Tree Yes 802 1w Rapid Spanning Tree Yes 802 1X Port based Network Access Control Yes 802 3 10Base T Yes 802 3 MAU MIB RFC 2239 Yes...

Page 1488: ...rnet Address Resolution Protocol ARP Yes 854 855 and 857 Telnet Yes 894 IP over Ethernet frames Yes 903 Reverse ARP RARP Yes 906 Bootstrap loading using TFTP Yes 919 Broadcast Internet datagrams Yes 920 Domain requirements Yes 922 Broadcast Internet datagrams in the presence of subnets Yes 950 Internet standard subnetting procedure Yes 951 Bootstrap Protocol BootP Yes 1027 Proxy ARP Yes 1042 IP da...

Page 1489: ... Classless Inter Domain Routing CIDR an Address Assignment and Aggregation Strategy Yes 1541 Dynamic Host Configuration Protocol DHCP Yes 1542 BootP Extensions Yes 1573 SNMP MIB II Yes 1583 Open Shortest Path First OSPF Yes 1587 OSPF Not So Stubby Areas NSSAs Yes 1591 Domain Name System DNS Structure and Delegation Yes 1643 Ethernet Interface MIB Yes 1657 Definitions of Managed Objects for the Fou...

Page 1490: ...013 SNMPv2 Management Information Base for the User Datagram Protocol using SMIv2 Yes 2068 HTTP Yes 2096 IP Forwarding MIB Yes 2030 SNTP Yes 2131 BootP or DHCP Relay Yes 2138 Remote Authentication Dial In User Server RADIUS Yes 2139 RADIUS Accounting Yes 2154 OSPF with Digital Signatures Password MD 5 Yes 2178 Open Shortest Path First OSPF Yes 2205 Resource ReSerVation Protocol RSVP version 1 Func...

Page 1491: ...pplications Yes 2574 User based Security USM for version 3 of the Simple Network Management Protocol SNMPv3 Yes 2575 View based Access Control Model VACM for the Simple Network Management Protocol SNMP Yes 2576 Coexistence between Version 1 Version 2 and Version 3 of the Internet standard Network Management Framework Yes 2578 Structure of Management Information Version 2 SMIv2 Yes 2579 Textual Con...

Page 1492: ... Management Protocol SNMP V3 Yes 3413 Simple Network Management Protocol SNMP Applications Yes 3414 User based Security Model USM for version 3 of the Simple Network Management Protocol SNMP V3 Yes 3415 View based Access Control Model VACM for the Simple Network Management Protocol SNMP Yes 3416 Version 2 of the Protocol Operations for the SNMP Yes 3418 Management Information Base MIB for the Simp...

Page 1493: ... 07 No Embedded Web Management Yes HTTP and HTTPS Yes IGMP Proxy Yes IGMP Snooping versions 1 2 and 3 Yes Integrated standard based Command Line Interface CLI Yes IronView Network Manager web based network management application Yes MRP Yes PIM DM V1 Yes PIM SSM Yes Protection for Denial of Service attacks such as TCP SYN or Smurf Attacks Yes PVST PVST PVRST Yes RMON Windows NT Yes Secure Copy SCP...

Page 1494: ...port the following Internet drafts ietf idmr dvmrp version 3 05 obsoletes RFC 1075 draft ietf magma igmp proxy txt draft ietf pim dm 05 V1 draft ietf pim v2 dm 03 V2 draft katz yeung ospf traffic 03 txt TACACS Protocol version 1 78 Virtual Cable Tester Yes VRRPE VRRP Enhanced Yes TABLE 246 Dell PowerConnect RFC support Continued RFC number Protocol or Standard PowerConnect B Series FCX ...

Reviews:

No comments

Related manuals for PowerConnect B-FCXs

Brand: CALIENT Pages: 22

D DGS-3048 DGS-3048

Brand: D-Link Pages: 3

Brand: Delta Pages: 4

Brand: rako Pages: 4

Brand: DAITEM Pages: 37

Brand: RDL Pages: 4

Brand: IDEM SAFETY SWITCHES Pages: 2

Brand: SMART Pages: 46

Brand: Eaton Pages: 2

IPES-5208T-X Series

Brand: Lantech Pages: 39

Brand: CGS Instruments Pages: 39

CESRA PIR 10VDC

Brand: DANLERS Pages: 2

Luzense RADIM RF

Brand: Unilamp Pages: 2

MULTI-TASKER MT105-108

Brand: Altinex Pages: 12

PMV PM Ultraswitch

Brand: Flowserve Pages: 9

Brand: AVLink Pages: 72

Brand: Targus Pages: 2

Brand: foxunhd Pages: 9

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands