Dell PowerConnect 8024 User Configuration Manual


Dell PowerConnect 8024, 8024F, 8132, 8132F, 8164, and 8164F Switch User's Configuration Guide
Regulatory Models: PC8024, PC8024F, PC8132, PC8132F, PC8164, PC8164F


Summary of Contents for Dell PowerConnect 8024

  • Page 1 Dell PowerConnect 8024, 8024F, 8132, 8132F, 8164, and 8164F Switch User’s Configuration Guide Regulatory Models: PC8024, PC8024F, PC8132, PC8132F, PC8164, PC8164F...
  • Page 2: Notes And Cautions

    Other trademarks and trade names may be used in this publication to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
  • Page 3: Table Of Contents

    Contents: Introduction; About This Document; Audience
  • Page 4 Single IP Management; Automatic Firmware Update for New Stack Members; Master Failover with Transparent Transition
  • Page 5 Jumbo Frames Support; Auto-MDI/MDIX Support; VLAN-Aware MAC-based Switching; Back Pressure Support
  • Page 6 Multiple Spanning Tree; Bridge Protocol Data Unit (BPDU) Guard; BPDU Filtering; Link Aggregation Features
  • Page 7 Front Panel; PowerConnect 8024 Front Panel
  • Page 8 Using Dell OpenManage Switch Administrator; About Dell OpenManage Switch Administrator; Starting the Application
  • Page 9 Understanding Command Modes; Entering CLI Commands; Using the Question Mark to Get Help
  • Page 10 Dynamic Host Name Mapping; Configuring Basic Network Information (CLI); Enabling the DHCP Client on the OOB Port; Enabling the DHCP Client on the Default VLAN
  • Page 11 Default Stacking Values; Managing and Monitoring the Stack (Web); Unit Configuration; Stack Summary
  • Page 12 Authentication; Authorization; Exec Authorization Capabilities
  • Page 13 Using TACACS+ Servers to Control Management Access; Which TACACS+ Attributes Does the Switch Support?
  • Page 14 RAM Log; Log File; Remote Log Server
  • Page 15 CLI Banner; SDM Template Preference; Clock
  • Page 16 Default SNMP Values; Configuring SNMP (Web); SNMP Global Parameters
  • Page 17 What Factors Should Be Considered When Managing Files? How Is the Running Configuration Saved? Managing Images and Files (Web)
  • Page 18 What Is the DHCP Auto Configuration Process? Monitoring and Completing the DHCP Auto Configuration Process; What Are the Dependencies for DHCP Auto Configuration?
  • Page 19 GVRP Statistics; EAP Statistics; Utilization Summary
  • Page 20 How Does iSCSI Optimization Interact With Dell EqualLogic Arrays? What Occurs When iSCSI Optimization Is Enabled or Disabled?
  • Page 21 Default Captive Portal Behavior and Settings; Configuring the Captive Portal (Web); Captive Portal Global Configuration; Captive Portal Configuration
  • Page 22 Default Port Values; Configuring Port Characteristics (Web); Port Configuration; Link Dependency Configuration
  • Page 23 Port Security (Port-MAC Locking); Default 802.1X Values; Configuring Port Security (CLI); Denial of Service
  • Page 24 ACL Configuration Examples; Configuring an IP ACL; Configuring a MAC ACL
  • Page 25 VLAN Configuration Examples; Configuring VLANs Using Dell OpenManage Administrator
  • Page 26 Rapid Spanning Tree; MSTP Settings; MSTP Interface Settings
  • Page 27 LLDP-MED Interface Configuration; LLDP-MED Local Device Information; LLDP-MED Remote Device Information; Configuring ISDP and LLDP (CLI); Configuring Global ISDP Settings
  • Page 28 Configuring Port-Based Traffic Control (CLI); Configuring Flow Control and Storm Control; Configuring Protected Ports; Configuring LLPF; Port-Based Traffic Control Configuration Example
  • Page 29 Bridge Multicast Forwarding; MRouter Status; General IGMP Snooping; Global Querier Configuration
  • Page 30 27 Snooping and Inspecting Traffic; Traffic Snooping and Inspection Overview; What Is DHCP Snooping? How Is the DHCP Snooping Bindings Database Populated?
  • Page 31 Configuring IP Source Guard; Configuring Dynamic ARP Inspection; Traffic Snooping and Inspection Configuration Examples; Configuring DHCP Snooping
  • Page 32 29 Configuring Data Center Bridging Features; Data Center Bridging Technology Overview; Default DCB Values
  • Page 33 30 Managing the MAC Address Table; MAC Address Table Overview; How Is the Address Table Populated? What Information Is in the MAC Address Table?
  • Page 34 Loopbacks Summary; Configuring Routing Interfaces (CLI); Configuring VLAN Routing Interfaces (IPv4); Configuring Loopback Interfaces
  • Page 35 33 Configuring IP Routing; IP Routing Overview; Default IP Routing Values
  • Page 36 What Is L2 DHCP Relay? What Is the IP Helper Feature? Default L2/L3 Relay Values; Configuring L2 and L3 Relay Features (Web)
  • Page 37 Default OSPF Values; Configuring OSPF Features (Web); OSPF Configuration
  • Page 38 Configuring OSPF Interface Settings; Configuring Stub Areas and NSSAs; Configuring Virtual Links; Configuring OSPF Area Range Settings
  • Page 39 Default RIP Values (p. 1021); Configuring RIP Features (Web) (p. 1022); RIP Configuration (p. 1022)
  • Page 40 Configuring VRRP Features (CLI) (p. 1048); Configuring VRRP Settings (p. 1048); VRRP Configuration Example (p. 1050); VRRP with Load Sharing (p. 1050)
  • Page 41 IPv6 Static Reject and Discard Routes (p. 1080); 39 Configuring DHCPv6 Server and Relay Settings (p. 1083); DHCPv6 Overview (p. 1083)
  • Page 42 Configuring the DHCPv6 Server for Prefix Delegation (p. 1100); Configuring an Interface as a DHCPv6 Relay Agent (p. 1101); 40 Configuring Differentiated Services (p. 1103); DiffServ Overview...
  • Page 43 DiffServ for VoIP (p. 1130); 41 Configuring Class-of-Service (p. 1133); CoS Overview (p. 1133); What Are Trusted and Untrusted Port Modes? (p. 1134)...
  • Page 44 CoS Configuration Example (p. 1147); 42 Configuring Auto VoIP (p. 1151); Auto VoIP Overview (p. 1151)
  • Page 45 Default L3 Multicast Values (p. 1167); Configuring General IPv4 Multicast Features (Web) (p. 1169); Multicast Global Configuration (p. 1169)
  • Page 46 MLD Proxy Configuration Summary (p. 1193); MLD Proxy Interface Membership Information (p. 1194); Detailed MLD Proxy Interface Membership Information (p. 1195)
  • Page 47 Configuring and Viewing PIM-DM for IPv6 Multicast Routing (p. 1224); Configuring and Viewing PIM-SM for IPv4 Multicast Routing (p. 1225); Configuring and Viewing PIM-SM for IPv6 Multicast Routing (p. 1227)...
  • Page 49: Introduction

    Introduction The Dell PowerConnect 8024, 8024F, 8132, 8132F, 8164, and 8164F switches are stackable Layer 2 and Layer 3 switches that extend the Dell PowerConnect LAN switching product range. NOTE: Throughout this document, the PowerConnect 8024 and 8024F switches are referred to as the PowerConnect 8000-series switches, and the PowerConnect 8132, 8132F, 8164, 8164F switches are referred to as the PowerConnect 8100-series switches.
  • Page 50: Audience

    Audience This guide is for network administrators in charge of managing one or more PowerConnect 8024, 8024F, 8132, 8132F, 8164, and 8164F switches. To obtain the greatest benefit from this guide, you should have a basic understanding of Ethernet networks and local area network (LAN) concepts.
  • Page 51: Additional Documentation

    Additional Documentation The following documents for the PowerConnect 8024, 8024F, 8132, 8132F, 8164, and 8164F switches are available at support.dell.com/manuals: • Getting Started Guide—provides information about the switch models in the series, including front and back panel features. It also describes the installation and initial configuration procedures.
  • Page 53: Switch Features

    Switch Features This section describes the switch user-configurable software features. NOTE: Before proceeding, read the release notes for this product. The release notes are part of the firmware download. The topics covered in this section include: • System Management Features • Link Aggregation Features •...
  • Page 54: System Management Features

    Multiple Management Options You can use any of the following methods to manage the switch: • Use a web browser to access the Dell OpenManage Switch Administrator interface. The switch contains an embedded Web server that serves HTML pages. •...
  • Page 55: Integrated Dhcp Server

    Integrated DHCP Server PowerConnect 8000-series and 8100-series switches include an integrated DHCP server that can deliver host-specific configuration information to hosts on the network. The switch DHCP server allows you to configure IP address pools (scopes), and when a host’s DHCP client requests an address, the switch DHCP server automatically assigns the host an address from the pool.
  • Page 56: File Management

    File Management You can upload and download files such as configuration files and system images by using HTTP (web only), TFTP, Secure FTP (SFTP), or Secure Copy (SCP). Configuration file uploads from the switch to a server are a good way to back up the switch configuration.
  • Page 57: Sflow

    sFlow sFlow is the standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources. The PowerConnect 8000-series and 8100-series switches support sFlow version 5. For information about configuring and managing sFlow settings, see "Monitoring Switch Traffic"...
  • Page 58: Stacking Features

    Stacking Features For information about creating and maintaining a stack of switches, see "Managing a Switch Stack" on page 141. High Port Count You can stack PowerConnect 8000-series and 8100-series switches up to six switches high, supporting up to 132 front-panel ports when two ports on each unit are configured as stacking ports.
  • Page 59: Master Failover With Transparent Transition

    Master Failover with Transparent Transition The stacking feature supports a standby or backup unit that assumes the stack master role if the stack master fails. As soon as a stack master failure is detected, the standby unit initializes the control plane and enables all other stack units with the current configuration.
  • Page 60: Password-Protected Management Access

    Password-Protected Management Access Access to the Web, CLI, and SNMP management interfaces is password protected, and there are no default users on the system. For information about configuring local user accounts, see "Configuring Authentication, Authorization, and Accounting" on page 177. Strong Password Enforcement The Strong Password feature enforces a baseline password strength for all locally administered users.
  • Page 61: Ssh/Ssl

    SSH/SSL The switch supports Secure Shell (SSH) for secure, remote connections to the CLI and Secure Sockets Layer (SSL) to increase security when accessing the web-based management interface. For information about configuring SSH and SSL settings, see "Configuring Authentication, Authorization, and Accounting" on page 177. Inbound Telnet Control You can configure the switch to prevent new Telnet sessions from being established with the switch.
  • Page 62: Captive Portal

    • Dynamic ARP Inspection: By default, if Dynamic ARP Inspection packets are received on a port at a rate that exceeds 15 pps for 1 second, the port will be diagnostically disabled. The threshold is configurable up to 300 pps and the burst is configurable up to 15s long using the ip arp inspection limit command.
  • Page 63: Dot1X Monitor Mode

    Dot1x Monitor Mode Monitor mode can be enabled in conjunction with Dot1x authentication to allow network access even when the user fails to authenticate. The switch logs the results of the authentication process for diagnostic purposes. The main purpose of this mode is to help troubleshoot the configuration of a Dot1x authentication on the switch without affecting the network access to the users of the switch.
  • Page 64: Time-Based Acls

    Time-Based ACLs With the Time-based ACL feature, you can define when an ACL is in effect and the amount of time it is in effect. For information about configuring time-based ACLs, see "Configuring Access Control Lists" on page 501. IP Source Guard (IPSG) IP source guard (IPSG) is a security feature that filters IP packets based on the source ID.
  • Page 65: Protected Ports (Private Vlan Edge)

    Cell Buffer Pool (CBP) memory. AFS, which is also known as cut-through mode, is configurable through the command-line interface. For information about how to configure the AFS feature, see the CLI Reference Guide available at support.dell.com/manuals.
  • Page 66: Jumbo Frames Support

    Jumbo Frames Support Jumbo frames enable transporting data in fewer frames to ensure less overhead, lower processing time, and fewer interrupts. For information about configuring the port MTU, see "Configuring Port Characteristics" on page 439. Auto-MDI/MDIX Support Your switch supports auto-detection between crossed and straight-through cables.
  • Page 67: Auto Negotiation

    Auto Negotiation Auto negotiation allows the switch to advertise modes of operation. The auto negotiation function provides the means to exchange information between two switches that share a point-to-point link segment, and to automatically configure both switches to take maximum advantage of their transmission capabilities.
  • Page 68: Static And Dynamic Mac Address Tables

    Static and Dynamic MAC Address Tables You can add static entries to the switch’s MAC address table and configure the aging time for entries in the dynamic MAC address table. You can also search for entries in the dynamic table based on several different criteria. For information about viewing and managing the MAC address table, see "Managing the MAC Address Table"...
  • Page 69: Data Center Bridging Exchange (DCBx) Protocol

    For information about configuring the PFC feature, see "Configuring Data Center Bridging Features" on page 799. Data Center Bridging Exchange (DCBx) Protocol The Data Center Bridging Exchange Protocol (DCBx) is used by DCB devices to exchange configuration information with directly connected peers. The protocol is also used to detect misconfiguration of the peer DCB devices and, optionally, for configuration of peer DCB devices.
  • Page 70: Cisco Protocol Filtering

    Cisco Protocol Filtering The Cisco Protocol Filtering feature (also known as Link Local Protocol Filtering) filters Cisco protocols that should not normally be relayed by a bridge. The group addresses of these Cisco protocols do not fall within the IEEE defined range of the 802.1D MAC Bridge Filtered MAC Group Addresses (01-80-C2-00-00-00 to 01-80-C2-00-00-0F).
  • Page 71: Ip Subnet-Based Vlan

    IP Subnet-based VLAN This feature allows incoming untagged packets to be assigned to a VLAN and traffic class based on the source IP address of the packet. MAC-based VLAN This feature allows incoming untagged packets to be assigned to a VLAN and traffic class based on the source MAC address of the packet.
  • Page 72: Guest Vlan

    Guest VLAN The Guest VLAN feature allows a switch to provide a distinguished service to unauthenticated users. This feature provides a mechanism to allow visitors and contractors to have network access to reach external network with no ability to browse information on the internal LAN. For information about configuring the Guest VLAN see "Configuring Port and System Security"...
  • Page 73: Spanning Tree Protocol Features

    Spanning Tree Protocol Features For information about configuring Spanning Tree Protocol features, see "Configuring the Spanning Tree Protocol" on page 605. Spanning Tree Protocol (STP) Spanning Tree Protocol (IEEE 802.1D) is a standard requirement of Layer 2 switches that allows bridges to automatically prevent and resolve L2 forwarding loops.
  • Page 74: Bridge Protocol Data Unit (Bpdu) Guard

    Bridge Protocol Data Unit (BPDU) Guard Spanning Tree BPDU Guard is used to disable the port in case a new device tries to enter the already existing topology of STP. Thus devices, which were originally not a part of STP, are not allowed to influence the STP topology. BPDU Filtering When spanning tree is disabled on a port, the BPDU Filtering feature allows BPDU packets received on that port to be dropped.
  • Page 75 achievable between a given pair of systems. LACP automatically determines, configures, binds, and monitors the binding of ports to aggregators within the system.
  • Page 76: Routing Features

    Routing Features Address Resolution Protocol (ARP) Table Management You can create static ARP entries and manage many settings for the dynamic ARP table, such as age time for entries, retries, and cache size. For information about managing the ARP table, see "Configuring IP Routing" on page 883.
  • Page 77: Bootp/Dhcp Relay Agent

    BOOTP/DHCP Relay Agent The switch BootP/DHCP Relay Agent feature relays BootP and DHCP messages between DHCP clients and DHCP servers that are located in different IP subnets. For information about configuring the BootP/DHCP Relay agent, see "Configuring L2 and L3 Relay Features" on page 907. IP Helper and UDP Relay The IP Helper and UDP Relay features provide the ability to relay various protocols to servers on a different subnet.
  • Page 78: Virtual Router Redundancy Protocol (Vrrp)

    Virtual Router Redundancy Protocol (VRRP) VRRP provides hosts with redundant routers in the network topology without any need for the hosts to reconfigure or know that there are multiple routers. If the primary (master) router fails, a secondary router assumes control and continues to use the virtual router IP (VRIP) address.
  • Page 79: Ipv6 Routes

    IPv6 Routes Because IPv4 and IPv6 can coexist on a network, the router on such a network needs to forward both traffic types. Given this coexistence, each switch maintains a separate routing table for IPv6 routes. The switch can forward IPv4 and IPv6 traffic over the same set of interfaces.
  • Page 80: Quality Of Service (Qos) Features

    Quality of Service (QoS) Features NOTE: Some features that can affect QoS, such as ACLs and Voice VLAN, are described in other sections within this chapter. Differentiated Services (DiffServ) The QoS Differentiated Services (DiffServ) feature allows traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.
  • Page 81: Internet Small Computer System Interface (Iscsi) Optimization

    Internet Small Computer System Interface (iSCSI) Optimization The iSCSI Optimization feature helps network administrators track iSCSI traffic between iSCSI initiator and target systems. This is accomplished by monitoring, or snooping traffic to detect packets used by iSCSI stations in establishing iSCSI sessions and connections. Data from these exchanges may optionally be used to create classification rules to assign the traffic between the stations to a configured traffic class.
  • Page 82: Igmp Snooping Querier

    IGMP Snooping Querier When Protocol Independent Multicast (PIM) and IGMP are enabled in a network with IP multicast routing, the IP multicast router acts as the IGMP querier. However, if it is desirable to keep the multicast network Layer 2 switched only, the IGMP Snooping Querier can perform the query functions of a Layer 3 multicast router.
  • Page 83: Layer 3 Multicast Features

    Layer 3 Multicast Features For information about configuring L3 multicast features, see "Managing IPv4 and IPv6 Multicast" on page 1157. Distance Vector Multicast Routing Protocol Distance Vector Multicast Routing Protocol (DVMRP) exchanges probe packets with all DVMRP-enabled routers, establishing two way neighboring relationships and building a neighbor table.
  • Page 84: Protocol Independent Multicast-Sparse Mode

    Protocol Independent Multicast—Sparse Mode Protocol Independent Multicast-Sparse Mode (PIM-SM) is used to efficiently route multicast traffic to multicast groups that may span wide area networks, and where bandwidth is a constraint. PIM-SM uses shared trees by default and implements source-based trees for efficiency. This data threshold rate is used to toggle between trees.
  • Page 85: Hardware Overview

    The following sections describe the ports on the front panel of each switch. PowerConnect 8024 Front Panel The PowerConnect 8024 front panel provides 24 100M/1G/10GBase-T ports, four of which are combined with SFP/SFP+ ports. Figure 3-1. PowerConnect 8024 Front Panel...
  • Page 86: Powerconnect 8024F Front Panel

    • RJ-45 ports support full-duplex mode 100/1000/10000 Mbps. • PowerConnect 8024 switches can be stacked using the 10G SFP+ fiber ports. The 10G ports default to Ethernet mode and must be configured to be used as stacking ports. PowerConnect 8024F Front Panel The PowerConnect 8024F front panel provides 24 SFP/SFP+ ports, four of which are combined with 100M/1G/10GBase-T ports.
  • Page 87: Powerconnect 8132 Front Panel

    PowerConnect 8132 Front Panel The PowerConnect 8132 front panel provides the following ports: • 24 x 10GbE copper ports • A USB port. See "USB Port (Power Connect 8100-series switches only)" on page 92. • A module bay that supports the following modules: –...
  • Page 88: Powerconnect 8164 Front Panel

    – 4 x SFP+ module – 4 x 10GBaseT module. See "Hot-Pluggable Interface Modules" on page 90 for details about these modules. Figure 3-4. PowerConnect 8132F Front Panel 10GbE Fiber Ports Module bay USB port PowerConnect 8132F switches can be stacked with other PowerConnect 81xx switches using 10G or 40G SFP+ or QSFP modules in the module bay.
  • Page 89: Powerconnect 8164F Front Panel

    Figure 3-5. PowerConnect 8164 Front Panel Fixed QSFP USB port Module bay 10GbE Copper Ports PowerConnect 8164 switches can be stacked with other PowerConnect 81xx switches using the 10G or 40G SFP+ or QSFP modules in the module bay or fixed QSFP ports.
  • Page 90: Hot-Pluggable Interface Modules

    PC8100-10GBT - 4 x 10GBase-T ports module - defaults to 4x10G mode • Blank module - defaults to 10G mode NOTE: The PowerConnect 8024 and 8024F switches do not support hot-swappable plug-in modules. A reboot is necessary when a hot-pluggable module is replaced with a module of different type.
  • Page 91 If a no slot command is not issued prior to inserting a module, a message such as the following will appear: Card Mismatch: Unit:1 Slot:1 Inserted-Card: Dell 2 Port QSFP Expansion Card Config-Card: Dell 4 Port 10GBase-T Expansion Card The following sections provide details on each module.
  • Page 92: Usb Port (Power Connect 8100-Series Switches Only)

    USB Port (Power Connect 8100-series switches only) The Type-A, female USB port supports a USB 2.0-compliant flash memory drive. The PowerConnect switch can read or write to a flash drive formatted as FAT-32. You can use a USB flash drive to copy switch configuration files and images between the USB flash drive and the switch.
  • Page 93: Console Port

    The following image shows the back panel of the PowerConnect 8000-series and 8100-series switches. Figure 3-7. PowerConnect 8000-series and 8100-series Rear Panel RJ-45 serial console port AC power OOB Ethernet port Fans (3) AC power Console Port The console port is for management through a serial interface. This port provides a direct connection to the switch and allows you to access the CLI from a console terminal connected to the port through the provided serial cable (RJ-45 to female DB-9 connectors).
  • Page 94: Ventilation System

    Ventilation System The PowerConnect 8000-series and 8100-series switches have three removable FANs (see "PowerConnect 8000-series and 8100-series Rear Panel" on page 93), four Thermal sensors, and a FAN Speed Controller which can be used to control FAN speeds. You can verify operation by observing the LEDs.
  • Page 95: Led Definitions

    LED Definitions This section describes the LEDs on the front and back panels of the switch. Port LEDs Each port on the PowerConnect 8000-series and 8100-series switches includes two LEDs. One LED is on the left side of the port, and the second LED is on the right side of the port.
  • Page 96: System Leds

    System LEDs The system LEDs, located on the back panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-2 shows the System LED definitions for the 8000-series switches. Table 3-2. System LED Definitions—PowerConnect 8000-Series Switches Color Definition DIAG Flashing Green A diagnostics test is in progress.
  • Page 97: Switch Addresses

    Table 3-3. System LED Definitions—PowerConnect 8100-Series Switches Color Definition System Blinking blue The switch is booting Solid red A critical system error has occurred. Blinking red A noncritical system error occurred (fan or power supply failure). Temp The switch is operating at normal temperature. Solid amber The thermal sensor’s system temperature threshold of 75°C has been exceeded.
  • Page 98 Shown below are three commands that display the MAC addresses used by the switch:

    console#show system
    System Description: Dell Ethernet Switch
    System Up Time: 0 days, 00h:05m:11s
    System Contact:
    System Name:
    System Location:
    Burned In MAC Address: 001E.C9F0.004D
    System Object ID: 1.3.6.1.4.1.674.10895.3042...
  • Page 99

    console#show ip interface out-of-band
    IP Address........10.27.21.29
    Subnet Mask........255.255.252.0
    Default Gateway........ 10.27.20.1
    Configured IPv4 Protocol....... DHCP
    Burned In MAC Address......001E.C9F0.004E

    console#show ip interface vlan 1
    Routing Interface Status....... Down
    Primary IP Address......1.1.1.2/255.255.255.0
    Method......... Manual
    Routing Mode........Enable
    Administrative Mode......
  • Page 101: Using Dell Openmanage Switch

    Dell OpenManage Switch Administrator is a web-based tool to help you manage and monitor PowerConnect 8000-series and 8100-series switches. Table 4-1 lists the web browsers that are compatible with Dell OpenManage Switch Administrator. The browsers have been tested on a PC running the Microsoft Windows operating system.
  • Page 102: Starting The Application

    Starting the Application To access the Dell OpenManage Switch Administrator and log on to the switch: 1 Open a web browser. 2 Enter the IP address of the switch in the address bar and press <Enter>. For information about assigning an IP address to a switch, see "Setting the IP Address and Other Basic Network Information"...
  • Page 103: Understanding The Interface

    4 Click Submit. 5 The Dell OpenManage Switch Administrator home page displays. The home page is the Device Information page, which contains a graphical representation of the front panel of the switch. For more information about the home page, see "Device Information" on page 208.
  • Page 104 Save, Print, Refresh, Help Configuration and Status Options Command Button Using the Switch Administrator Buttons and Links Table 4-2 describes the buttons and links available from the Dell OpenManage Switch Administrator interface. Table 4-2. Button and Link Descriptions Button or Link Description...
  • Page 105: Defining Fields

    Defining Fields User-defined fields can contain 1–159 characters, unless otherwise noted on the Dell OpenManage Switch Administrator web page. All characters may be used except for the following: • • •...
  • Page 106: Understanding The Device View

    Home page, which is the page that displays after a successful login. The graphic provides information about switch ports and system health. Figure 4-3. PowerConnect 8024 Device View Using the Device View Port Features The switching-port coloring indicates if a port is currently active. Green indicates that the port has a link, red indicates that an error has occurred on the port, and blue indicates that the link is down.
  • Page 107: Using The Command-Line Interface

    For more information about creating a serial connection, see the Getting Started Guide available at support.dell.com/manuals. 1 Connect the DB-9 connector of the supplied serial cable to a management station, and connect the RJ-45 connector to the switch console port.
  • Page 108: Telnet Connection

    2 Start the terminal emulator, such as Microsoft HyperTerminal, and select the appropriate serial port (for example, COM 1) to connect to the console. 3 Configure the management station serial port with the following settings: • Data rate — 9600 baud. •...
  • Page 109: Understanding Command Modes

    Understanding Command Modes The CLI groups commands into modes according to the command function. Each of the command modes supports specific software commands. The commands in one mode are not available until you switch to that particular mode, with the exception of the User EXEC mode commands. You can execute the User EXEC mode commands in the Privileged EXEC mode.
  • Page 110 Table 5-1. Command Mode Overview (columns: Command Mode, Access Method, Command Prompt, Exit or Access Previous Mode)

    User EXEC. Access method: The user is automatically in User EXEC mode unless the user is defined as a privileged user. Command prompt: console> Exit or access previous mode: logout
    Privileged EXEC. Access method: From User EXEC mode,... Command prompt: console# Exit or access previous mode: Use the exit...
  • Page 111: Entering Cli Commands

    Entering CLI Commands The switch CLI uses several techniques to help you enter commands. Using the Question Mark to Get Help Enter a question mark (?) at the command prompt to display the commands available in the current mode. console(config-vlan)#? exit To exit from the mode.
  • Page 112: Using Command Completion

    You can also enter a question mark (?) after typing one or more characters of a word to list the available commands or parameters that begin with the letters, as shown in the following example: console#show po? policy-map port ports Using Command Completion The CLI can complete partially entered commands when you press the <Tab>...
  • Page 113: Understanding Error Messages

    Understanding Error Messages If you enter a command and the system is unable to execute it, an error message appears. Table 5-2 describes the most common CLI error messages. Table 5-2. CLI Error Messages (Message Text: Description) % Invalid input: Indicates that you entered an incorrect or unavailable command.
  • Page 114 Table 5-3. History Buffer Navigation (Keyword: Source or Destination) Up-arrow key, <Ctrl>+<P>: Recalls commands in the history buffer, beginning with the most recent command. Repeats the key sequence to recall successively older commands. Down-arrow key: Returns to more recent commands in the history buffer after recalling commands with the up-arrow key.
  • Page 115: Default Settings

    Default Settings This section describes the default settings for many of the software features on the PowerConnect 8000-series and 8100-series switches. Table 6-1. Default Settings (Feature: Default)

    IP address: None
    Subnet mask: None
    Default gateway: None
    DHCP client: Enabled on out-of-band (OOB) interface.
    VLAN 1 Members: All switch ports
    SDM template...
  • Page 116 Table 6-1. Default Settings (Continued) (Feature: Default)

    SNMP Traps: Enabled
    Auto Configuration: Enabled
    Auto Save: Disabled
    Stacking: Enabled
    Nonstop Forwarding on the Stack: Enabled
    sFlow: Enabled
    ISDP: Enabled (Versions 1 and 2)
    RMON: Enabled
    TACACS+: Not configured
    RADIUS: Not configured
    SSH/SSL: Disabled
    Telnet...
  • Page 117 Table 6-1. Default Settings (Continued) Feature Default Broadcast Storm Control Disabled Port Mirroring Disabled LLDP Enabled LLDP-MED Disabled MAC Table Address Aging 300 seconds (Dynamic Addresses) Cisco Protocol Filtering (LLPF) No protocols are blocked DHCP Layer 2 Relay Disabled Default VLAN ID Default VLAN Name Default GVRP...
  • Page 118 Table 6-1. Default Settings (Continued) Feature Default IP Helper and UDP Relay Enabled Enabled VRRP Disabled Tunnel and Loopback Interfaces None IPv6 Routing Disabled DHCPv6 Disabled OSPFv3 Enabled DiffServ Enabled Auto VoIP Disabled Auto VoIP Traffic Class Disabled; no classifications configured. DCBx version Auto detect FIP snooping...
  • Page 119: Setting The Ip Address And Other

    Setting the IP Address and Other Basic Network Information This chapter describes how to configure basic network information for the switch, such as the IP address, subnet mask, and default gateway. The topics in this chapter include: • IP Address and Network Information Overview •...
  • Page 120: Why Is Basic Network Information Needed

    IP addresses. Default Domain Name Identifies your network, such as dell.com. If you enter a hostname and do not include the domain name information, the default domain name is automatically appended to the hostname.
  • Page 121: How Is Basic Network Information Configured

    You must use a console-port connection to perform the initial switch configuration. When you boot the switch for the first time and the configuration file is empty, the Dell Easy Setup Wizard starts. The Dell Easy Setup Wizard is a CLI-based tool to help you perform the initial switch configuration.
  • Page 122 Dell recommends that you use the OOB port for remote management. The following list highlights some advantages of using OOB management instead of in-band management: •...
  • Page 123: Default Network Information

    notification, the switch will reduce the MSS. However, many firewalls block ICMP Destination Unreachable messages, which causes the destination to request the packet again until the connection times out. In order to resolve this issue, you can reduce the MSS setting to a more appropriate value on the local host or alternatively, you can set the MTU on the PowerConnect management port to a smaller value.
  • Page 124: Configuring Basic Network Information (Web)

    Configuring Basic Network Information (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring basic network information on the PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. Out-of-Band Interface Use the Out of Band Interface page to assign the Out of Band Interface IP address and subnet mask or to enable/disable the DHCP client for address...
  • Page 125: Ip Interface Configuration (Default Vlan Ip Address)

    IP Interface Configuration (Default VLAN IP Address) Use the IP Interface Configuration page to assign the Default VLAN IP address and Subnet Mask, the Default Gateway IP address, and to assign the boot protocol. To display the IP Interface Configuration page, click Routing → IP → IP Interface Configuration in the navigation panel.
  • Page 126: Route Entry Configuration (Switch Default Gateway)

    4 If you select Manual for the configuration method, specify the IP Address and Subnet Mask in the appropriate fields. 5 Click Apply. NOTE: You do not need to configure any additional fields on the page. For information about VLAN routing interfaces, see "Configuring Routing Interfaces" on page 843.
  • Page 127 Configuring a Default Gateway for the Switch: To configure the switch default gateway: 1 Open the Route Entry Configuration page. 2 From the Route Type field, select Default. Figure 7-4. Default Route Configuration (Default VLAN) 3 In the Next Hop IP Address field, enter the IP address of the default gateway.
  • Page 128: Domain Name Server

    Domain Name Server Use the Domain Name Server page to configure the IP address of the DNS server. The switch uses the DNS server to translate hostnames into IP addresses. To display the Domain Name Server page, click System → IP Addressing → Domain Name Server in the navigation panel.
  • Page 129: Default Domain Name

    Default Domain Name Use the Default Domain Name page to configure the domain name the switch adds to a local (unqualified) hostname. To display the Default Domain Name page, click System → IP Addressing → Default Domain Name in the navigation panel. Figure 7-7.
  • Page 130: Host Name Mapping

    Host Name Mapping Use the Host Name Mapping page to assign an IP address to a static host name. The Host Name Mapping page provides one IP address per host. To display the Host Name Mapping page, click System → IP Addressing → Host Name Mapping.
  • Page 131: Dynamic Host Name Mapping

    The switch learns hosts dynamically by using the configured DNS server to resolve a hostname. For example, if you ping www.dell.com from the CLI, the switch uses the DNS server to look up the IP address of dell.com and adds the entry to the Dynamic Host Name Mapping table.
  • Page 132: Configuring Basic Network Information (Cli)

    This section provides information about the commands you use to configure basic network information on the PowerConnect 8000-series and 8100-series switches. For more information about these commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Enabling the DHCP Client on the OOB Port Beginning in Privileged EXEC mode, use the following commands to enable the DHCP client on the OOB port.
  • Page 133: Managing Dhcp Leases

    Managing DHCP Leases Beginning in Privileged EXEC mode, use the following commands to manage and troubleshoot DHCP leases on the switch. Command Purpose release dhcp interface: Force the DHCPv4 client to release a leased address on the specified interface. renew dhcp interface: Force the DHCP client to immediately renew an IPv4 address lease.
  • Page 134: Configuring Static Network Information On The Oob Port

    Configuring Static Network Information on the OOB Port Beginning in Privileged EXEC mode, use the following commands to configure a static IP address, subnet mask, and default gateway on the OOB port. Command Purpose configure Enter Global Configuration mode. interface out-of-band Enter Interface Configuration mode for the OOB port.
  • Page 135: Configuring And Viewing Additional Network Information

    Configuring and Viewing Additional Network Information Beginning in Privileged EXEC mode, use the following commands to configure a DNS server, the default domain name, and a static host name-to-address entry. Use the show commands to verify configured information and to view dynamic host name mappings.
  • Page 136: Basic Network Information Configuration Example

    Basic Network Information Configuration Example In this example, an administrator at a Dell office in California decides not to use the Dell Easy Setup Wizard to perform the initial switch configuration. The administrator configures a PowerConnect 8000-series or 8100-series switch to obtain its information from a DHCP server on the network and creates the administrative user with read/write access.
  • Page 137 Default Gateway....10.27.22.1 Protocol Current....DHCP Burned In MAC Address.... 001E.C9AA.AA08 5 View additional network information. console#show hosts Host name: Default domain: sunny.dell.com dell.com Name/address lookup is enabled Name servers (Preference order): 10.27.138.20, 10.27.138.21 Configured host name-to-address mapping: Host Addresses...
  • Page 139: Managing Qsfp Ports

    Managing QSFP Ports QSFP ports can operate in 1 x 40G mode or in 4 x 10G mode. Appropriate cables must be used that match the selected mode. When changing from one mode to another, a switch reboot is required. The QSFP ports also support stacking over the interfaces in either 1 x 40G or 4 x 10G mode.
  • Page 140 To change a 4 x 10G port to 1 x 40G mode, enter the following commands on the 40-gigabit interface: console(config)#interface Fo2/1/1 console(config-if-Fo2/1/1)#hardware profile portmode 1x40g This command will not take effect until the switch is rebooted. console(config-if-Fo1/1/2)#do reload Are you sure you want to reload the stack? (y/n) Attempting to change the port mode on the tengigabit interface will give the error “An invalid interface has been used for this function.”...
  • Page 141: Managing A Switch Stack

    Up to six PowerConnect 8024/8024F units can be stacked together using the 10G SFP+ fiber ports only. In other words, the copper 10 GbaseT ports on the PC8024/PC8024F units cannot be used for stacking. When a combo port is configured in stacking mode, the corresponding copper port is disabled.
  • Page 142: Creating A Powerconnect 8000/8100 Series Stack

    In a stack of three or more switches, Dell strongly recommends connecting the stack in a ring topology so that each switch is connected to two other switches.
  • Page 143 Create a stack by connecting adjacent units using the 10G ports (SFP+ ports only on the PC80xx series). It is recommended that stacking link bandwidth be at least 10 times the bandwidth of the front panel port, that is, a 10G switch (PC8100) should have 100G of stacking bandwidth to each adjacent stack member.
  • Page 144: How Is The Stack Master Selected

    Figure 9-1. Connecting a Stack of PowerConnect 8024/8024F Switches SFP+ Ports Configured as Stack Ports How is the Stack Master Selected? A stack master is elected or re-elected based on the following considerations, in order: 1 The switch is currently the stack master.
  • Page 145: Adding A Switch To The Stack

    • If the stack master function is unassigned and there is another stack master in the system then the switch changes its configured stack master value to disabled. • If the stack master function is enabled or unassigned and there is no other stack master in the system, then the switch becomes stack master.
  • Page 146: Removing A Switch From The Stack

    After the stack cables on the new member are connected to the stack, you can connect the power. Do not connect a new member to the stack after it is powered up. Also, do not connect two functional, powered-up stacks together. Hot insertion of units into the stack is not supported.
  • Page 147: How Is The Firmware Updated On The Stack

    How is the Firmware Updated on the Stack? When you add a new switch to a stack, the Stack Firmware Synchronization feature automatically synchronizes the firmware version with the version running on the stack master per the configuration on the master switch. The synchronization operation may result in either upgrade or downgrade of firmware on the mismatched stack member.
  • Page 148 Application software on the stack master acts as the control plane. The management plane is application software running on the stack master that provides interfaces allowing a network administrator to configure the device. The Nonstop Forwarding (NSF) feature allows the forwarding plane of stack units to continue to forward packets while the control and management planes restart as a result of a power failure, hardware failure, or software fault on the stack master.
  • Page 149 Checkpointing Switch applications (features) that build up a list of data such as neighbors or clients can significantly improve their restart behavior by remembering this data across a warm restart. This data can either be stored persistently, as DHCP server and DHCP snooping store their bindings database, or the stack master can checkpoint this data directly to the standby unit.
  • Page 150: Switch Stack Mac Addressing And Stack Design Considerations

    Table 9-1. Applications that Checkpoint Data Application Checkpointed Data IGMP/MLD Snooping Multicast groups, list of router ports, last query data for each VLAN IPv6 NDP Neighbor cache entries iSCSI Connections LLDP List of interfaces with MED devices attached OSPFv2 Neighbors and designated routers OSPFv3 Neighbors and designated routers Route Table Manager...
  • Page 151: Nsf Network Design Considerations

    If you move the stack master to a different place in the network, make sure you power down the whole stack before you redeploy the stack master so that the stack members do not continue to use the MAC address of the redeployed switch.
  • Page 152: Default Stacking Values

    Default Stacking Values Stacking is always enabled. By default, the 10G SFP+ ports are in Ethernet mode and must be configured to be used as stacking ports. Ports that are configured in stacking mode show as “detached” in the output of the show interfaces status command.
  • Page 153: Managing And Monitoring The Stack (Web)

    Managing and Monitoring the Stack (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring stacking on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. NOTE: The changes you make to the Stacking configuration pages take effect only after the device is reset.
  • Page 154 Changing the ID or Switch Type for a Stack Member To change the switch ID or type: 1 Open the Unit Configuration page. 2 Click Add to display the Add Unit page. Figure 9-3. Add Remote Log Server Settings 3 Specify the switch ID, and select the model number of the switch. 4 Click Apply.
  • Page 155: Stack Summary

    Stack Summary Use the Stack Summary page to view a summary of switches participating in the stack. To display the Stack Summary page, click System → Stack Management → Stack Summary in the navigation panel. Figure 9-4. Stack Summary
  • Page 156: Stack Firmware Synchronization

    Stack Firmware Synchronization Use the Stack Firmware Synchronization page to control whether the firmware image on a new stack member can be automatically upgraded or downgraded to match the firmware image of the stack master. To display the Stack Firmware Synchronization page, click System → Stack Management →...
  • Page 157: Supported Switches

    Supported Switches Use the Supported Switches page to view information regarding each type of supported switch for stacking, and information regarding the supported switches. To display the Supported Switches page, click System → Stack Management → Supported Switches in the navigation panel. Figure 9-6.
  • Page 158: Stack Port Summary

    Stack Port Summary Use the Stack Port Summary page to configure the stack-port mode and to view information about the stackable ports. This screen displays the unit, the stackable interface, the configured mode of the interface, the running mode as well as the link status and link speed of the stackable port. NOTE: By default the ports are configured to operate as Ethernet ports.
  • Page 159: Stack Port Counters

    Stack Port Counters Use the Stack Port Counters page to view the transmitted and received statistics, including data rate and error rate. To display the Stack Port Counters page, click System → Stack Management → Stack Point Counters in the navigation panel. Figure 9-8.
  • Page 160: Nsf Summary

    NSF Summary Use the NSF Summary page to change the administrative status of the NSF feature and to view NSF information. NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over stack master responsibility.
  • Page 161: Checkpoint Statistics

    Checkpoint Statistics Use the Checkpoint Statistics page to view information about checkpoint messages generated by the stack master. To display the Checkpoint Statistics page, click System → Stack Management → Checkpoint Statistics in the navigation panel. Figure 9-10. Checkpoint Statistics
  • Page 162: Managing The Stack (Cli)

    For more information about these commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring Stack Member, Stack Port, and NSF Settings Beginning in Privileged EXEC mode, use the following commands to configure stacking and NSF settings.
  • Page 163 Command Purpose member unit SID: Add a switch to the stack and specify the model of the new stack member. • unit - The switch unit ID • SID - The index into the database of the supported switch types, indicating the type of the switch being preconfigured.
  • Page 164: Viewing And Clearing Stacking And Nsf Information

    Viewing and Clearing Stacking and NSF Information Beginning in Privileged EXEC mode, use the following commands to view stacking information and to clear NSF statistics. Command Purpose show switch [stack-member-number]: View information about all stack members or the specified member.
  • Page 165 • NSF and the Storage Access Network • NSF and Routed Access
  • Page 166: Basic Failover

    Basic Failover In this example, the stack has four members that are connected through a daisy-chain, as Figure 9-11 shows. Figure 9-11. Basic Stack Failover When all four units are up and running, the show switch CLI command gives the following output: console#show switch Management Standby...
  • Page 167 At this point, if Unit 2 is powered off or rebooted due to an unexpected failure, show switch gives the following output: console#show switch When the failed unit resumes normal operation, the previous configuration that exists for that unit is reapplied by the stack master. To permanently remove the unit from the stack, enter into Stack Config Mode and use the member command, as the following example shows.
  • Page 168: Preconfiguring A Stack Member

    SID of the unit to be added. The example in this section demonstrates pre-configuring a PowerConnect 8024F switch on a stand-alone PowerConnect 8024 switch. To configure the switch: 1 View the list of SIDs to determine which SID identifies the switch to preconfigure.
  • Page 169 3 Confirm the stack configuration. Some of the fields have been omitted from the following output due to space limitations. console#show switch SW Management Standby Preconfig Plugged-in Switch Code Status Status Model ID Model ID Status Version --- --------- ------- -------- --------- ---------- -------- Mgmt Sw PC8024...
  • Page 170: Nsf In The Data Center

    NSF in the Data Center Figure 9-12 illustrates a data center scenario, where the stack of two PowerConnect switches acts as an access switch. The access switch is connected to two aggregation switches, AS1 and AS2. The stack has a link from two different units to each aggregation switch, with each pair of links grouped together in a LAG.
  • Page 171: Nsf And Voip

    NSF and VoIP Figure 9-13 shows how NSF maintains existing voice calls during a stack master failure. Assume the top unit is the stack master. When the stack master fails, the call from phone A is immediately disconnected. The call from phone B continues.
  • Page 172: Nsf And Dhcp Snooping

    NSF and DHCP Snooping Figure 9-14 illustrates an L2 access switch running DHCP snooping. DHCP snooping only accepts DHCP server messages on ports configured as trusted ports. DHCP snooping listens to DHCP messages to build a bindings database that lists the IP address the DHCP server has assigned to each host. IP Source Guard (IPSG) uses the bindings database to filter data traffic in hardware based on source IP address and source MAC address.
  • Page 173: Nsf And The Storage Access Network

    If a host is in the middle of an exchange with the DHCP server when the failover occurs, the exchange is interrupted while the control plane restarts. When DHCP snooping is enabled, the hardware traps all DHCP packets to the CPU. The control plane drops these packets during the restart. The DHCP client and server retransmit their DHCP messages until the control plane has resumed operation and messages get through.
  • Page 174 Figure 9-15. NSF and a Storage Area Network Disc Array (iSCSI Targets) Servers (iSCSI Initiators) 10.1.1.2 10.1.1.3 10.1.1.1 10.1.1.10 10.1.1.11 When the stack master fails, session A drops. The initiator at 10.1.1.10 detects a link down on its primary NIC and attempts to reestablish the session on its backup NIC to a different IP address on the disk array.
  • Page 175: Nsf And Routed Access

    NSF and Routed Access Figure 9-16 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers.
  • Page 176 JOIN messages upstream. The control plane updates the driver with checkpointed unicast routes. The forwarding plane reconciles L3 hardware tables. The OSPF graceful restart finishes, and the control plane deletes any stale unicast routes not relearned at this point. The forwarding plane reconciles L3 multicast hardware tables.
  • Page 177: Configuring Authentication

    Configuring Authentication, Authorization, and Accounting This chapter describes how to control access to the switch management interface using authentication and authorization. It also describes how to record this access using accounting. Together the three services are referred to by the acronym AAA. The topics covered in this chapter include: •...
  • Page 178: Methods

    Each service is configured using method lists. The method lists define how each service is to be performed by specifying the methods available to perform a service. The first method in a list is tried first. If the first method returns an error, the next method in the list is tried.
  • Page 179: Access Lines

    • The ias method is a special method that is only used for 802.1X. It uses a local database (separate from the local users) that acts like an 802.1X authentication server. This method never returns an error. It will always pass or deny a user.
  • Page 180: Authorization

    • Login—Login authentication grants access to the switch if the user credentials are validated. Access is granted only at privilege level one. • Enable—Enable authentication grants access to a higher privilege level if the user credentials are validated for the higher privilege level. When RADIUS is used for enable authentication, the username for this request is always $enab15$.
  • Page 181: Exec Authorization Capabilities

    • Network: Network authorization enables a RADIUS server to assign a particular 802.1X supplicant to a VLAN. For more information about 802.1X, see "Configuring Port and System Security" on page 457. Table 10-3 shows the valid methods for each type of authorization: Table 10-3.
  • Page 182: Accounting

    profiles have an implicit “deny all” rule, such that any command that does not match any rule in the profile is considered to have been denied by that profile. A user can be assigned to more than one profile. If there are conflicting rules in profiles, the “permit”...
  • Page 183: Authentication Examples

    Table 10-4. Accounting Methods Method Commands Dot1x Exec radius tacacs Authentication Examples It is important to understand that during authentication, all that happens is that the user is validated. If any attributes are returned from the server, they are not processed during authentication. In the examples below, it is assumed that the default configuration of authorization—that is, no authorization—is used.
  • Page 184: Tacacs+ Authentication Example

    • The username guest password password command creates a user with the name “guest” and password “password”. A simple password can be configured here, since strength-checking has not yet been enabled. • The passwords strength minimum numeric-characters 2 command sets the minimum number of numeric characters required when password strength checking is enabled.
  • Page 185 aaa authentication enable “tacp” tacacs-server host 1.2.3.4 key “secret” exit line telnet login authentication tacplus enable authentication tacp exit The following describes each line in the above configuration: • The aaa authentication login “tacplus” tacacs command creates a login authentication list called “tacplus” that contains the method tacacs.
  • Page 186: Radius Authentication Example

    RADIUS Authentication Example Use the following configuration to require RADIUS authentication to login over a telnet connection: aaa authentication login “rad” radius aaa authentication enable “raden” radius radius-server host 1.2.3.4 key “secret” exit line telnet login authentication rad enable authentication raden exit The following describes each line in the above configuration: •...
  • Page 187: Authorization Examples

    Authorization Examples Authorization allows the administrator to control which services a user is allowed to access. Some of the things that can be controlled with authorization include the user's initial privilege level and which commands the user is allowed to execute. When authorization fails, the user is denied access to the switch, even though the user has passed authentication.
  • Page 188: Tacacs+ Authorization Example-Administrative Profiles

    • The aaa authorization exec “tacex” tacacs command creates an exec authorization method list called tacex which contains the method tacacs. • The authorization exec tacex command assigns the tacex exec authorization method list to be used for users accessing the switch via telnet.
  • Page 189: Tacacs+ Authorization Example-Custom Administrative Profile

    TACACS+ Authorization Example—Custom Administrative Profile This example creates a custom profile that allows the user to control user access to the switch by configuring an administrative profile that only allows access to AAA related commands. Use the following commands to create the administrative profile: admin-profile aaa rule 99 permit command “^show aaa .*”...
  • Page 190: Tacacs+ Authorization Example-Per-Command Authorization

    string at the beginning of a line, the period (.) matches any single character, and the asterisk (*) repeats the previous match zero or more times. • To assign this profile to a user, configure the TACACS+ server so that it sends the following “roles”...
  • Page 191: Radius Authorization Example-Direct Login To Privileged Exec Mode

    profiles and per-command authorization are configured for a user, any command must be permitted by both the administrative profiles and by per- command authorization. RADIUS Authorization Example—Direct Login to Privileged EXEC Mode Apply the following configuration to use RADIUS for authorization, such that a user can enter privileged exec mode directly: aaa authorization exec “rad”...
  • Page 192: Using Radius Servers To Control Management Access

    The RADIUS server should be configured such that it will send the Cisco AV Pair attribute with the “roles” value. For example: shell:roles=router-admin The above example attribute gives the user access to the commands permitted by the router-admin profile. Using RADIUS Servers to Control Management Access The RADIUS client on the switch supports multiple RADIUS servers.
  • Page 193 “secret”. This “secret” is used to generate one-way encrypted authenticators that are present in all RADIUS packets. The “secret” is never transmitted over the network. RADIUS conforms to a secure communications client/server model using UDP as a transport protocol. It is extremely flexible, supporting a variety of methods to authenticate and statistically track users.
  • Page 194: Which Radius Attributes Does The Switch Support

    If you use a RADIUS server to authenticate users, you must configure user attributes in the user database on the RADIUS server. The user attributes include the user name, password, and privilege level. NOTE: To set the privilege level, it is recommended to use the Service-Type attribute instead of the Cisco AV pair priv-lvl attribute.
  • Page 195 Table 10-5. Supported RADIUS Attributes (Continued) Type RADIUS Attribute Name 802.1X User Manager Captive Portal CALLING-STATION-ID NAS-IDENTIFIER ACCT-STATUS-TYPE Set by RADIUS client for Accounting ACCT-INPUT-OCTETS ACCT-OUTPUT-OCTETS ACCT-SESSION-ID Set by RADIUS client for Accounting ACCT-SESSION-TIME ACCT-TERMINATECAUSE Yes ACCT- INPUTGIGAWORDS ACCT- OUTPUTGIGAWORDS NAS-PORT-TYPE TUNNEL-TYPE TUNNEL-MEDIUM-TYPE Yes...
  • Page 196: How Are Radius Attributes Processed On The Switch

    How Are RADIUS Attributes Processed on the Switch? The following attributes are processed in the RADIUS Access-Accept message received from a RADIUS server: • NAS-PORT—ifIndex of the port to be authenticated. • REPLY-MESSAGE—Trigger to respond to the Access-Accept message with an EAP notification. •...
  • Page 197: Using Tacacs+ Servers To Control Management Access

    Using TACACS+ Servers to Control Management Access TACACS+ (Terminal Access Controller Access Control System) provides access control for networked devices via one or more centralized servers. TACACS+ simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to encrypt all messages.
  • Page 198: Which Tacacs+ Attributes Does The Switch Support

    You can configure each server host with a specific connection type, port, timeout, and shared key, or you can use global configuration for the key and timeout. The TACACS+ server can do the authentication itself, or redirect the request to another back-end device. All sensitive information is encrypted and the shared secret is never passed over the network;...
  • Page 199: Default Configurations

    Default Configurations Method Lists The method lists shown in Table 10-7 are defined by default. They cannot be deleted, but they can be modified. Using the “no” command on these lists will return them to their default configuration. Table 10-7. Default Method Lists AAA Service (type) List Name List Methods...
  • Page 200: Access Lines (Non-Aaa)

    Table 10-8. Default AAA Methods (Continued) AAA Service (type) Console Telnet Accounting (exec) none none none Accounting none none none (commands) Access Lines (Non-AAA) Table 10-9 shows the default configuration of the access lines that do not use method lists. Table 10-9.
  • Page 201 Table 10-10. Default Administrative Profiles (Continued) Name Description CP-admin Allows access to the Captive Portal feature. network-operator Allows access to all User EXEC mode commands and show commands.
  • Page 203: Monitoring And Logging System

    Monitoring and Logging System Information This chapter provides information about the features you use to monitor the switch, including logging, cable tests, and email alerting. The topics covered in this chapter include: • System Monitoring Overview • Default Log Settings •...
  • Page 204: Why Is System Information Needed

    Why Is System Information Needed? The information the switch provides can help you troubleshoot issues that might be affecting system performance. The cable diagnostics tests help you troubleshoot problems with the physical connections to the switch. Auditing access to the switch and the activities an administrator performed while managing the switch can help provide security and accountability.
  • Page 205: What Are The Severity Levels

    What Are the Severity Levels? For each local or remote log file, you can specify the severity of the messages to log. Each severity level is identified by a name and a number. Table 11-1 provides information about the severity levels. Table 11-1.
  • Page 206: What Is The Log Message Format

    The first part of the log message up to the first left bracket is fixed by the Syslog standard (RFC 3164). The second part up to the two percent signs is standardized for all Dell PowerConnect logs. The variable text of the log message follows. The log message is limited to 96 bytes.
  • Page 207: What Factors Should Be Considered When Configuring Logging

    Message — Contains the text of the log message. What Factors Should Be Considered When Configuring Logging? Dell recommends that network administrators deploy a syslog server in their network and configure all switches to log messages to the syslog server.
  • Page 208: Monitoring System Information And Configuring Logging (Web)

    Device Information The Device Information page displays after you successfully log on to the switch by using the Dell OpenManage Switch Administrator. This page is a virtual representation of the switch front panel. Use the Device Information page to view information about the port status or system status. Click on a port to access the Port Configuration page for the selected port.
  • Page 209: System Health

    System Health Use the Health page to view status information about the switch power and ventilation sources. To display the Health page, click System → General → Health in the navigation panel. Figure 11-2. Health Monitoring and Logging System Information...
  • Page 210: System Resources

    System Resources Use the System Resources page to view information about memory usage and task utilization. To display the System Resources page, click System → General → System Resources in the navigation panel. Figure 11-3. System Resources Monitoring and Logging System Information...
  • Page 211: Integrated Cable Test For Copper Cables

    Integrated Cable Test for Copper Cables Use the Integrated Cable Test for Copper Cables page to perform tests on copper cables. Cable testing provides information about where errors occurred in the cable, the last time a cable test was performed, and the type of cable error which occurred.
  • Page 212: Optical Transceiver Diagnostics

    To view a summary of all integrated cable tests performed, click the Show All link. Figure 11-5. Integrated Cable Test Summary Optical Transceiver Diagnostics Use the Optical Transceiver Diagnostics page to perform tests on Fiber Optic cables. To display the Optical Transceiver Diagnostics page, click System → Diagnostics →...
  • Page 213 Figure 11-6. Optical Transceiver Diagnostics To view a summary of all optical transceiver diagnostics tests performed, click the Show All link. Figure 11-7. Optical Transceiver Diagnostics Summary Monitoring and Logging System Information...
  • Page 214: Log Global Settings

    Log Global Settings Use the Global Settings page to enable logging globally and to enable other types of logging. You can also specify the severity of messages that are logged to the console, RAM log, and flash-based log file. The Severity table lists log messages from the highest severity (Emergency) to the lowest (Debug).
  • Page 215: Ram Log

    RAM Log Use the RAM Log page to view information about specific RAM (cache) log entries, including the time the log was entered, the log severity, and a description of the log. To display the RAM Log, click System → Logs → RAM Log in the navigation panel.
  • Page 216: Log File

    Log File The Log File contains information about specific log entries, including the time the log was entered, the log severity, and a description of the log. To display the Log File, click System → Logs → Log File in the navigation panel.
  • Page 217 Figure 11-11. Remote Log Server Adding a New Remote Log Server To add a log server: 1 Open the Remote Log Server page. 2 Click Add to display the Add Remote Log Server page. 3 Specify the IP address or hostname of the remote server. 4 Define the UDP Port and Description fields.
  • Page 218 Figure 11-12. Add Remote Log Server 5 Select the severity of the messages to send to the remote server. NOTE: When you select a severity level, all higher severity levels are automatically selected. 6 Click Apply. Click the Show All link to view or remove remote log servers configured on the system.
  • Page 219: Email Alert Global Configuration

    Figure 11-13. Show All Log Servers Email Alert Global Configuration Use the Email Alert Global Configuration page to enable the email alerting feature and configure global settings so that system log messages can be sent from the switch to one or more email accounts. To display the Email Alert Global Configuration page, click System →...
  • Page 220: Email Alert Mail Server Configuration

    Email Alert Mail Server Configuration Use the Email Alert Mail Server Configuration page to configure information about the mail server the switch uses for sending email alert messages. To display the Email Alert Mail Server Configuration page, click System → Email Alerts →...
  • Page 221 Figure 11-16. Add Mail Server 4 Click Apply. 5 If desired, click Configuration to return to the Email Alert Mail Server Configuration page to specify port and security settings for the mail server. Click the Show All link to view or remove mail servers configured on the switch.
  • Page 222: Email Alert Subject Configuration

    Email Alert Subject Configuration Use the Email Alert Subject Configuration page to configure the subject line for email alerts that are sent by the switch. You can customize the subject for the message severity and entry status. To display the Email Alert Subject Configuration page, click System → Email Alerts →...
  • Page 223: Email Alert To Address Configuration

    Email Alert To Address Configuration Use the Email Alert To Address Configuration page to specify where the email alerts are sent. You can configure multiple recipients and associate different message severity levels with different recipient addresses. To display the Email Alert To Address Configuration page, click System → Email Alerts →...
  • Page 224: Email Alert Statistics

    Figure 11-21. View Email Alert To Address Configuration Email Alert Statistics Use the Email Alert Statistics page to view the number of emails that were successfully and unsuccessfully sent, and when emails were sent. To display the Email Alert Statistics page, click System → Email Alerts → Email Alert Statistics in the navigation panel.
  • Page 225: Monitoring System Information And Configuring Logging (Cli)

    This section provides information about the commands you use to configure information you use to monitor the PowerConnect 8000-series and 8100-series switches. For more information about these commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Viewing System Information Beginning in Privileged EXEC mode, use the following commands to view system health and resource information.
  • Page 226: Configuring Local Logging

    Command: test copper-port tdr interface
    Purpose: Perform the Time Domain Reflectometry (TDR) test to diagnose the quality and characteristics of a copper cable attached to the specified port. CAUTION: Issuing the test copper-port tdr command will bring the interface down. The interface is specified in unit/slot/port format.
  • Page 227 Command: logging {buffered|console|file} severity
    Purpose: Enable logging to the specified file. Optionally, you can define a logging discriminator to help filter log messages and set the severity of the messages to log. • buffered — Enables logging to the RAM file (cache). If the switch resets, the buffered logs are cleared....
  • Page 228: Configuring Remote Logging

    Configuring Remote Logging Beginning in Privileged EXEC mode, use the following commands to define a remote server to which the switch sends log messages. Command Purpose configure Enter Global Configuration mode. ip-address logging { Define a remote log server and enter the configuration hostname mode for the specified log server.
  • Page 229: Configuring Mail Server Settings

    Configuring Mail Server Settings Beginning in Privileged EXEC mode, use the following commands to configure information about the mail server (SMTP host) on the network that will initially receive the email alerts from the switch and relay them to the correct recipient. Command Purpose configure...
  • Page 230: Configuring Email Alerts For Log Messages

    Configuring Email Alerts for Log Messages Beginning in Privileged EXEC mode, use the following commands to configure email alerts so that log messages are sent to the specified address.
    Command: configure
    Purpose: Enter Global Configuration mode.
    Command: logging email [severity]
    Purpose: Enable email alerting and determine which non-critical log severity messages should be emailed....
  • Page 231 Command: logging email test message-type {urgent | non-urgent | both} body message-body
    Purpose: Send a test email to the configured recipient to verify that the feature is properly configured.
    Command: CTRL + Z
    Purpose: Exit to Privileged EXEC mode.
    Command: show logging email
    Purpose: View the configured settings for email alerts.
  • Page 232: Logging Configuration Examples

    Logging Configuration Examples This section contains the following examples: • Configuring Local and Remote Logging • Configuring Email Alerting Configuring Local and Remote Logging This example shows how to enable switch auditing and CLI command logging. Log messages with a severity level of Notification (level 5) and above are sent to the RAM (buffered) log.
  • Page 233: Configuring Email Alerting

    4 Verify the remote log server configuration. console#show syslog-servers IP Address/Hostname Port Severity Description ------------------------- ------ -------------- ---------- 192.168.2.10 debugging Syslog Server 5 Verify the local logging configuration and view the log messages stored in the buffer (RAM log). console#show logging Logging is enabled Console Logging: level debugging.
  • Page 234 Emergency messages (severity level 0) will be sent immediately as individual emails, and messages with a severity of alert, critical, and error (levels 1-3) will be sent in a single email every 120 minutes. Warning, notice, info, and debug messages are not sent in an email. The email the administrator will see in the inbox has a format similar to the following: Figure 11-23....
  • Page 235: Verify The Configuration

    5 Specify the address where email alerts should be sent.
    console(config)#logging email message-type both to-addr administrator@dell.com
    6 Specify the text that will appear in the email alert Subject line.
    console(config)#logging email message-type urgent subject "LOG MESSAGES - EMERGENCY"...
  • Page 236 Email Alert To Address Table: For Msg Type......1 Address1......administrator@dell.com For Msg Type......2 Address1......administrator@dell.com Email Alert Subject Table For Msg Type 1, subject is....LOG MESSAGES - EMERGENCY For Msg Type 2, subject is....LOG MESSAGE Monitoring and Logging System Information...
  • Page 237: Managing General System Settings

    Managing General System Settings This chapter describes how to set system information, such as the hostname, and time settings, and how to select the Switch Database Management (SDM) template to use on the switch. The topics covered in this chapter include: •...
  • Page 238: Why Does System Information Need To Be Configured

    The switch can obtain the time from a Simple Network Time Protocol (SNTP) server, or you can set the time manually. Table 12-2 describes the settings that help the switch keep track of time. Table 12-2. Time Settings Feature Description SNTP Controls whether the switch obtains its system time from an SNTP server and whether communication...
  • Page 239: What Are Sdm Templates

    What Are SDM Templates? An SDM template is a description of the maximum resources a switch or router can use for various features. Different SDM templates allow different combinations of scaling factors, enabling different allocations of resources depending on how the device is used. In other words, SDM templates enable you to reallocate system resources to support a different mix of features based on your network requirements.
  • Page 240: Why Is The System Time Needed

    Why is the System Time Needed? The switch uses the system clock to provide time stamps on log messages. Additionally, some show commands include the time in the command output. For example, the show users login-history command includes a Login Time field.
  • Page 241: Configuring General System Settings (Web)

    Configuring General System Settings (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring general system settings on the PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. System Information Use the System Information page to configure the system name, contact name, location, and asset tag.
  • Page 242 Initiating a Telnet Session from the Web Interface NOTE: The Telnet client feature does not work with Microsoft Windows Internet Explorer 7 and later versions. Initiating this feature from any browser running on a Linux operating system is not supported. To launch a Telnet session: 1 From the System →...
  • Page 243 Figure 12-3. Select Telnet Client The selected Telnet client launches and connects to the switch CLI. Figure 12-4. Telnet Session Managing General System Settings...
  • Page 244: Cli Banner

    CLI Banner Use the CLI Banner page to configure a message for the switch to display when a user connects to the switch by using the CLI. You can configure different banners for various CLI modes and access methods. To display the CLI Banner page, click System → General → CLI Banner in the navigation panel.
  • Page 245: Sdm Template Preference

    SDM Template Preference Use the SDM Template Preference page to view information about template resource settings and to select the template that the switch uses. If you select a new SDM template for the switch to use, you must reboot the switch before the template is applied.
  • Page 246: Clock

    Clock If you do not obtain the system time from an SNTP server, you can manually set the date and time on the switch on the Clock page. The Clock page also displays information about the time settings configured on the switch. To display the Clock page, click System →...
  • Page 247: Sntp Global Settings

    SNTP Global Settings Use the SNTP Global Settings page to enable or disable the SNTP client, configure whether and how often the client sends SNTP requests, and determine whether the switch can receive SNTP broadcasts. To display the SNTP Global Settings page, click System → Time Synchronization →...
  • Page 248: Sntp Authentication

    SNTP Authentication Use the SNTP Authentication page to enable or disable SNTP authentication, to modify the authentication key for a selected encryption key ID, to designate the selected authentication key as a trusted key, and to remove the selected encryption key ID. NOTE: The SNTP server must be configured with the same authentication information to allow time synchronization to take place between the two devices.
  • Page 249 The Add Authentication Key page displays: Figure 12-10. Add Authentication Key 3 Enter a numerical encryption key ID and an authentication key in the appropriate fields. 4 If the key is to be used to authenticate a unicast SNTP server, select the Trusted Key check box.
  • Page 250: Sntp Server

    Figure 12-11. Authentication Key Table SNTP Server Use the SNTP Server page to view and modify information about SNTP servers, and to add new SNTP servers that the switch can use for time synchronization. The switch can accept time information from both IPv4 and IPv6 SNTP servers.
  • Page 251 Figure 12-12. SNTP Servers Defining a New SNTP Server To add an SNTP server: 1 Open the SNTP Servers page. 2 Click Add. The Add SNTP Server page displays. Managing General System Settings...
  • Page 252 Figure 12-13. Add SNTP Server 3 In the SNTP Server field, enter the IP address or host name for the new SNTP server. 4 Specify whether the information entered in the SNTP Server field is an IPv4 address, IPv6 address, or a hostname (DNS). 5 If you require authentication between the SNTP client on the switch and the SNTP server, select the Encryption Key ID check box, and then select the key ID to use.
  • Page 253 To view all configured SNTP servers, click the Show All link. The SNTP Server Table displays. You can also use the SNTP Server Table page to remove or edit existing SNTP servers. Figure 12-14. SNTP Servers Table Managing General System Settings...
  • Page 254: Summer Time Configuration

    Summer Time Configuration Use the Summer Time Configuration page to configure summer time (daylight saving time) settings. To display the Summer Time Configuration page, click System → Time Synchronization → Summer Time Configuration in the navigation panel. Figure 12-15. Summer Time Configuration NOTE: The fields on the Summer Time Configuration page change when you select or clear the Recurring check box.
  • Page 255: Time Zone Configuration

    Time Zone Configuration Use the Time Zone Configuration page to configure time zone information, including the amount of time the local time is offset from UTC and the acronym that represents the local time zone. To display the Time Zone Configuration page, click System → Time Synchronization →...
  • Page 256: Slot Summary

    Slot Summary Use the Slot Summary page to view information about the expansion slot status. To display the Slot Summary page, click Switching → Slots → Summary in the navigation panel. Figure 12-17. Slot Summary Managing General System Settings...
  • Page 257: Supported Cards

    Supported Cards Use the Supported Cards page to view information about the supported plug-in modules for the switch. To display the Supported Cards page, click Switching → Slots → Supported Cards in the navigation panel. Figure 12-18. Supported Cards Managing General System Settings...
  • Page 258: Configuring System Settings (Cli)

    This section provides information about the commands you use to configure system information and time settings on the PowerConnect 8000-series and 8100-series switches. For more information about these commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring System Information Beginning in Privileged EXEC mode, use the following commands to configure system information.
  • Page 259: Configuring The Banner

    Configuring the Banner Beginning in Privileged EXEC mode, use the following commands to configure the MOTD, login, or User EXEC banner. The switch supports the following banner messages: • MOTD—Displays when a user connects to the switch. • Login—Displays after the MOTD banner and before the login prompt. •...
  • Page 260: Managing The Sdm Template

    Managing the SDM Template Beginning in Privileged EXEC mode, use the following commands to set the SDM template preference and to view information about the available SDM templates. Command Purpose configure Enter Global Configuration mode. sdm prefer {dual-ipv4- Select the SDM template to apply to the switch after the and-ipv6 default| ipv4- next boot.
  • Page 261 Command: sntp trusted-key key_id
    Purpose: Specify the authentication key the SNTP server must include in SNTP packets that it sends to the switch. The key_id number must be an encryption key ID defined in the previous step.
    Command: sntp authenticate
    Purpose: Require authentication for communication with the SNTP server....
  • Page 262: Setting The System Time And Date Manually

    Setting the System Time and Date Manually Beginning in Privileged EXEC mode, use the following commands to configure the time and date, time zone, and summer time settings. Command Purpose mm/dd/yyyy clock set { Configure the time and date. You can enter the time first hh:mm:ss and then the date, or the date and then the time.
  • Page 263: Viewing Slot Information

    Command Purpose clock summer-time Use this command if the summer time does not start and date month date { end every year according to a recurring pattern. You can month date year enter the month and then the date, or the date and then the hh:mm date month month.
  • Page 264: General System Settings Configuration Examples

    General System Settings Configuration Examples This section contains the following examples: • Configuring System and Banner Information • Configuring SNTP • Configuring the Time Manually Configuring System and Banner Information In this example, an administrator configures the following system information: •...
  • Page 265 4 View system information to verify the configuration. PC8024#show system System Description: Dell Ethernet Switch System Up Time: 0 days, 19h:36m:36s System Contact: Jane Doe System Name: PC8024 System Location: RTP100 Burned In MAC Address: 001E.C9AA.AA07 System Object ID: 1.3.6.1.4.1.674.10895.3035...
  • Page 266 Power Supplies: Unit Description Status Average Current Since Power Power Date/Time (Watts) (Watts) ---- ---------- -------- ---------- -------- ------------ System 97.8 Main Failure Secondary 97.6 97.8 01/10/2031 15:59:05 5 View additional information about the system. PC8024#show system id Service Tag: 0000000 Chassis Service Tag: Serial Number: TW282987BK0002 Asset Tag: 111222...
  • Page 267: Configuring Sntp

    Configuring SNTP The commands in this example configure the switch to poll an SNTP server to synchronize the time. Additionally, the SNTP sessions between the client and server must be authenticated. To configure the switch: 1 Configure the authentication information. The SNTP server must be configured with the same authentication key and ID.
  • Page 268 4 View the SNTP status on the switch. console#show sntp status Client Mode: Unicast Last Update Time: MAR 01 09:12:43 2010 Unicast servers: Server Status Last response --------------- ------------ --------------------- 192.168.10.30 Other 09:12:43 Mar 1 2011 Managing General System Settings...
  • Page 269: Configuring The Time Manually

    Configuring the Time Manually The commands in this example manually set the system time and date. The time zone is set to Eastern Standard Time (EST), which has an offset of -5 hours. Summer time is enabled and uses the preconfigured United States settings.
  • Page 271: Configuring Snmp

    Configuring SNMP The topics covered in this chapter include: • SNMP Overview • Default SNMP Values • Configuring SNMP (Web) • Configuring SNMP (CLI) • SNMP Configuration Examples SNMP Overview Simple Network Management Protocol (SNMP) provides a method for managing network devices. The PowerConnect 8000-series and 8100-series switches support SNMP version 1, SNMP version 2, and SNMP version 3.
  • Page 272: What Are Snmp Traps

    The SNMP agent maintains a list of variables that are used to manage the switch. The variables are defined in the MIB. The MIB presents the variables controlled by the agent. The SNMP agent defines the MIB specification format, as well as the format used to access the information over the network. Access rights to the SNMP agent are controlled by access strings.
  • Page 273: Why Is Snmp Needed

    Why Is SNMP Needed? Some network administrators prefer to use SNMP as the switch management interface. Settings that you view and configure by using the web-based Dell OpenManage Switch Administrator and the CLI are also available by using SNMP.
  • Page 274 Table 13-1. SNMP Defaults Parameter Default Value OSPF traps Disabled Table 13-2 describes the two views that are defined by default. Table 13-2. SNMP Default Views View Name OID Subtree View Type Default Included snmpVacmMIB Excluded usmUser Excluded snmpCommunityTable Excluded DefaultSuper Included By default, three groups are defined.
  • Page 275: Configuring Snmp (Web)

    Configuring SNMP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the SNMP agent on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. NOTE: For some features, the control to enable or disable traps is available from a configuration page for that feature and not from the Trap Manager pages that...
  • Page 276: Snmp View Settings

    SNMP View Settings Use the SNMP View Settings page to create views that define which features of the device are accessible and which are blocked. You can create a view that includes or excludes OIDs corresponding to interfaces. To display the View Settings page, click System → SNMP → View Settings in the navigation panel.
  • Page 277 Figure 13-3. Add View 3 Specify a name for the view and a valid SNMP OID string. 4 Select the view type. 5 Click Apply. The SNMP view is added, and the device is updated. Click Show All to view information about configured SNMP Views. Configuring SNMP...
  • Page 278: Access Control Group

    Access Control Group Use the Access Control Group page to view information for creating SNMP groups, and to assign SNMP access privileges. Groups allow network managers to assign access rights to specific device features or feature aspects. To display the Access Control Group page, click System → SNMP → Access Control in the navigation panel.
  • Page 279 Figure 13-5. Add Access Control Group 3 Specify a name for the group. 4 Select a security model and level. 5 Define the context prefix and the operation. 6 Click Apply to update the switch. Click Show All to view information about existing access control configurations.
  • Page 280: Snmpv3 User Security Model (Usm)

    SNMPv3 User Security Model (USM) Use the User Security Model page to assign system users to SNMP groups and to define the user authentication method. NOTE: You can also use the Local User Database page under Management Security to configure SNMPv3 settings for users. For more information, see "Configuring Authentication, Authorization, and Accounting"...
  • Page 281 Figure 13-7. Add Local Users 3 Define the relevant fields. 4 Click Apply to update the switch. Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users. Adding Remote SNMPv3 Users to a USM To add remote users: 1 Open the SNMPv3 User Security Model page.
  • Page 282 Figure 13-8. Add Remote Users 3 Define the relevant fields. 4 Click Apply to update the switch. Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users. Configuring SNMP...
  • Page 283: Communities

    Communities Access rights for SNMPv1 and SNMPv2 are managed by defining communities on the Communities page. When the community names are changed, access rights are also changed. SNMP Communities are defined only for SNMP v1 and SNMP v2. To display the Communities page, click System → SNMP → Communities in the navigation panel.
  • Page 284 Figure 13-10. Add SNMPv1,2 Community 3 Specify the IP address of an SNMP management station and the community string to act as a password that will authenticate the management station to the SNMP agent on the switch. 4 Select the access mode. 5 Click Apply to update the switch.
  • Page 285: Notification Filter

    Notification Filter Use the Notification Filter page to set filtering traps based on OIDs. Each OID is linked to a device feature or a feature aspect. The Notification Filter page also allows you to filter notifications. To display the Notification Filter page, click System → SNMP → Notification Filters in the navigation panel.
  • Page 286: Notification Recipients

    Figure 13-12. Add Notification Filter 3 Specify the name of the filter and the OID for the filter. 4 Choose whether to send (include) traps or informs to the trap recipient or prevent the switch from sending (exclude) the traps or informs. 5 Click Apply to update the switch.
  • Page 287 Figure 13-13. SNMP Notification Recipient Adding a Notification Recipient To add a recipient: 1 Open the Notification Recipient page. 2 Click Add. The Add Recipient page displays: Configuring SNMP...
  • Page 288 Figure 13-14. Add Notification Recipient 3 Specify the IP address or hostname of the host to receive notifications. 4 Select whether to send traps or informs to the specified recipient. 5 Define the relevant fields for the SNMP version you use. 6 Configure information about the port on the recipient.
  • Page 289: Trap Flags

    Trap Flags The Trap Flags page is used to specify which traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
  • Page 290: Ospfv2 Trap Flags

    OSPFv2 Trap Flags The OSPFv2 Trap Flags page is used to specify which OSPFv2 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
  • Page 291: Ospfv3 Trap Flags

    OSPFv3 Trap Flags The OSPFv3 Trap Flags page is used to specify which OSPFv3 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
  • Page 292: Trap Log

    Trap Log The Trap Log page is used to view entries that have been written to the trap log. To access the Trap Log page, click Statistics/RMON → Trap Manager → Trap Log in the navigation panel. Figure 13-18. Trap Logs Click Clear to delete all entries from the trap log.
  • Page 293: Configuring Snmp (Cli)

    If the SNMPv3 engine ID is deleted, or if the configuration file is erased, then SNMPv3 cannot be used. Since the EngineID should be unique within an administrative domain, Dell recommends that you use the default keyword to configure the Engine ID.
  • Page 294: Configuring Snmp Views, Groups, And Users

    Configuring SNMP Views, Groups, and Users Beginning in Privileged EXEC mode, use the following commands to define SNMP views, SNMP groups, and local and remote SNMPv3 users. Command Purpose configure Enter Global Configuration mode view- snmp-server view Configure the SNMP view. When you configure groups, name oid-tree {included users, and communities, you can specify a view to associate...
  • Page 295 Command Purpose snmp-server group Specify the identity string of the receiver and set the groupname {v1 | v2 | v3 receiver timeout value. {noauth | auth | priv} groupname • — Specifies the name of the group. (Range: view-name [notify 1-30 characters.) view-name [context...
  • Page 296 Command Purpose snmp-server user Configure a new SNMPv3 user. username groupname username • — Specifies the name of the user on the host engineid-string [remote that connects to the agent. (Range: 1-30 characters.) password [{auth-md5 groupname • — Specifies the name of the group to which password auth-sha the user belongs.
  • Page 297: Configuring Communities

    Command: show snmp group group_name
    Purpose: View SNMP group configuration information.
    Command: show snmp user user_name
    Purpose: View SNMP user configuration information.
    Configuring Communities Beginning in Privileged EXEC mode, use the following commands to configure access rights for SNMPv1 and SNMPv2.
    Command: configure
    Purpose: Enter Global Configuration mode...
  • Page 298 Command Purpose snmp-server community- Map the internal security name for SNMP v1 and SNMP community string group v2 security models to the group name. group-name [ipaddress community-string — • Community string that acts like a ip-address password and permits access to the SNMP protocol (Range: 1-20 characters) group-name —...
  • Page 299: Configuring Snmp Notifications (Traps And Informs)

    Configuring SNMP Notifications (Traps and Informs) Beginning in Privileged EXEC mode, use the following commands to allow the switch to send SNMP traps and to configure which traps are sent. Command Purpose configure Enter Global Configuration mode snmp-server enable traps Specify the traps to enable.
  • Page 300 Command Purpose host- snmp-server host For SNMPv1 and SNMPv2, configure the system to receive addr [informs [timeout SNMP traps or informs. seconds retries ] [retries host-addr • — Specifies the IP address of the host (targeted | traps version {1 | 2}]] recipient) or the name of the host.
  • Page 301 Command Purpose snmp-server v3-host { For SNMPv3, configure the system to receive SNMP traps address hostname or informs. username {traps | ip-address • — Specifies the IP address of the host informs} [noauth | auth (targeted recipient). | priv] [timeout hostname •...
  • Page 302: Snmp Configuration Examples

    SNMP Configuration Examples This section contains the following examples: • Configuring SNMPv1 and SNMPv2 • Configuring SNMPv3 Configuring SNMPv1 and SNMPv2 This example shows how to complete a basic SNMPv1/v2 configuration. The commands enable read-only access from any host to all objects on the switch using the community string public, and enable read-write access from any...
  • Page 303: Configuring Snmpv3

    Community-String Group Name IP Address ----------------- -------------- ------------ private DefaultWrite public DefaultRead Traps are enabled. Authentication trap is enabled. Version 1,2 notifications Target Addr. Type Community Version UDP Filter Retries Port Name ------------ ---- --------- ---- ----- ----- ------- 192.168.3.65 Trap public Version 3 notifications Target Addr.
  • Page 304 3 Create the user admin, assign the user to the group, and specify the authentication credentials. console(config)#snmp-server user admin group_snmpv3 auth-md5 secretkey 4 Specify the IP address of the host where traps are to be sent. Packet authentication using MD5-SHA is enabled for the traps. console(config)#snmp-server v3-host 192.168.3.35 admin traps auth console(config)#exit...
  • Page 305 console#show snmp views Name OID Tree Type ------------------ ------------------------ ------------ Default Included Default snmpVacmMIB Excluded Default usmUser Excluded Default snmpCommunityTable Excluded view_snmpv3 internet Included DefaultSuper Included console#show snmp group Name Context Model Security Read Views Notify Prefix Level Write ------------ -------- ------ -------- -------- ------ ------- DefaultRead ""...
  • Page 306 Configuring SNMP...
  • Page 307: Managing Images And Files

    Managing Images and Files This chapter describes how to upload, download, and copy files, such as firmware images and configuration files, on the switch. The topics covered in this chapter include: • Image and File Management Overview • Managing Images and Files (Web) •...
  • Page 308 Table 14-1. Files to Manage File Action Description image Download Firmware for the switch. The switch can Upload maintain two images: the active image and Copy the backup image. startup-config Download Contains the software configuration that Upload loads during the boot process. Copy running-config Download...
  • Page 309: Why Is File Management Needed

    Table 14-1. Files to Manage File Action Description SSL certificate files Download Contains information to encrypt, authenticate, and validate HTTPS sessions. The switch supports the following files for SSL: • SSL Trusted Root Certificate File (PEM Encoded) • SSL Server Certificate File (PEM Encoded) •...
  • Page 310 changes that take place after the boot process completes are written to the running-config file. The backup-config file does not exist until you explicitly create one by copying an existing configuration file to the backup-config file or downloading a backup-config file to the switch. You can also create configuration scripts, which are text files that contain CLI commands.
  • Page 311: What Methods Are Supported For File Management

    What Methods Are Supported for File Management? You can use any of the following protocols to download files from a remote system to the switch or to upload files from the switch to a remote system: • TFTP • SFTP •...
  • Page 312 the switch through the console port to access the boot menu. The image files may contain firmware for the PHY processors on the switch. The PHY firmware may be updated to the firmware version supported by the switch firmware during the boot process or, in the case of switches that support the hot swap of cards, when the card is inserted into the switch.
  • Page 313: How Is The Running Configuration Saved

    line, and all input following this character to the end of the line is ignored. Any line in the file that begins with the “!” character is recognized as a comment line and ignored by the parser. The following example shows annotations within a file (commands are bold): ! Script file for displaying management access show telnet !Displays the information about remote connections...
  • Page 314: Managing Images And Files (Web)

    Managing Images and Files (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. File System Use the File System page to view a list of the files on the device and to modify the image file descriptions.
  • Page 315: Active Images

    Active Images Use the Active Images page to set the firmware image to use when the switch boots. If you change the boot image, it does not become the active image until you reset the switch. NOTE: On the 8000-series switches, the images are named image1 and image2. On the 8100-series switches, the images are named active and backup...
  • Page 316: Usb Flash Drive

    USB Flash Drive Use the USB Flash Drive page (on PowerConnect 8100-series switches) to view information about a USB flash drive connected to the USB port on the front panel of the switch. The page also displays information about the files stored on the USB flash drive.
  • Page 317: File Download

    File Download Use the File Download page to download image (binary) files, SSH and SSL certificates, IAS User files, and configuration (ASCII) files from a remote server to the switch. To display the File Download page, click System → File Management → File Download in the navigation panel.
  • Page 318 If you select a transfer mode that requires authentication, additional fields appear in the Download section. If you select HTTP as the download method, some of the fields are hidden. NOTE: If you are using HTTPS to manage the switch, the download method will be HTTPS.
  • Page 319: File Upload

    File Upload Use the File Upload to Server page to upload configuration (ASCII), image (binary), IAS user, operational log, and startup log files from the switch to a remote server. To display the File Upload to Server page, click System → File Management → File Upload in the navigation panel.
  • Page 320 NOTE: If you are using HTTPS to manage the switch, the download method will be HTTPS. 4 To upload by using HTTP, click Apply. A dialog box opens to allow you to open or save the file. Figure 14-7. File Upload 5 To upload by using any method other than HTTP, enter the IP address of the server and specify a name for the file.
  • Page 321: Copy Files

    Copy Files Use the Copy Files page to: • Copy the active firmware image to the switch. • Copy the running, startup, or backup configuration file to the startup or backup configuration file. • Restore the running configuration to the factory default settings. To display the Copy Files page, click System →...
  • Page 322: Managing Images And Files (Cli)

    PowerConnect 8000-series and 8100-series switches. For more information about these commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. It also describes the commands that control the Auto Configuration feature. NOTE: Upload, download, and copy functions use the copy command. The basic...
  • Page 323: Managing Files In Internal Flash

    Managing Files in Internal Flash Beginning in Privileged EXEC mode, use the following commands to copy, rename, delete and list the files in the internal flash. Command Purpose List the files in the flash file system. current_name rename Rename a file in flash. new_name filename delete...
  • Page 324: Managing Files On A Usb Flash Device (Powerconnect 8100-Series Switches Only)

    Managing Files on a USB Flash Device (PowerConnect 8100-series switches only) Beginning in Privileged EXEC mode, use the following commands to manage files that are on a USB device that is plugged into the USB flash port on the front panel of the switch. Command Purpose show usb device...
  • Page 325: Managing Configuration Scripts (Sftp)

    Managing Configuration Scripts (SFTP) Beginning in Privileged EXEC mode, use the following commands to download a configuration script from a remote system to the switch, validate the script, and activate it. NOTE: The startup-config and backup-config files are essentially configuration scripts and can be validated and applied by using the commands in this section.
  • Page 326: File And Image Management Configuration Examples

    File and Image Management Configuration Examples This section contains the following examples: • Upgrading the Firmware • Managing Configuration Scripts Upgrading the Firmware This example shows how to download a firmware image to the switch and activate it. The TFTP server in this example is PumpKIN, an open source TFTP server running on a Windows system.
  • Page 327 Figure 14-9. Image Path 3 View information about the current image. console#show bootvar Image Descriptions image1 : image2 : Images currently available on Flash ------- ------------ ------------ --------------- -------------- unit image1 image2 current-active next-active ------- ------------ ------------ --------------- -------------- 2.23.11.17 image1 image1 4 Download the image to the switch.
  • Page 328 Management access will be blocked for the duration of the transfer Are you sure you want to start? (y/n)y 5 Activate the new image (image2) so that it becomes the active image after the switch resets. console#boot system image2 Activating image image2.. 6 View information about the current image.
  • Page 329: Managing Configuration Scripts

    Managing Configuration Scripts This example shows how to create a configuration script that adds three hostname-to-IP address mappings to the host table. To configure the switch: 1 Open a text editor on an administrative computer and type the commands as if you were entering them by using the CLI. Figure 14-10.
  • Page 330 Management access will be blocked for the duration of the transfer 4 After you confirm the download information and the script successfully downloads, it is automatically validated for correct syntax. Are you sure you want to start? (y/n) y 135 bytes transferred Validating configuration script...
  • Page 331: Managing Files By Using The Usb Flash Drive (Powerconnect 8100-Series Switches Only)

    6 Verify that the script was successfully applied. console#show hosts Host name: test Name/address lookup is enabled Name servers (Preference order): 192.168.3.20 Configured host name-to-address mapping: Host Addresses ------------------------ ------------------------ labpc1 192.168.3.56 labpc2 192.168.3.58 labpc3 192.168.3.59 Managing Files by Using the USB Flash Drive (PowerConnect 8100-series switches only) In this example, the administrator copies the backup image to a USB flash drive before overwriting the backup image on the switch with a new image.
  • Page 332 3 Copy the running-config to the USB flash drive. console#copy running-config usb://rc_backup.scr Mode......unknown Data Type......Config Script Source Filename....temp-config.scr Management access will be blocked for the duration of the transfer Are you sure you want to start? (y/n) y 4 Download the new image from the USB flash drive to the switch.
  • Page 333: Automatically Updating The Image

    Automatically Updating the Image and Configuration The topics covered in this chapter include: • Auto Configuration Overview • What Are the Dependencies for DHCP Auto Configuration? • Default Auto Configuration Values • Managing Auto Configuration (Web) • Managing Auto Configuration (CLI) •...
  • Page 334: What Is Usb Auto Configuration

    no USB storage device is present, or no configuration or image files are present on the USB storage device, the switch uses the DHCP Auto Install process. NOTE: Neither USB Configuration nor Auto Install is invoked if a valid configuration file is on the switch.
  • Page 335: What Is The Dhcp Auto Configuration Process

    multiple *.stk files are present, the switch uses the image with the highest (most recent) version. Finally, if no *.setup, *.text, or *.stk files are found, the switch proceeds to the DHCP Auto Configuration process. What Is the DHCP Auto Configuration Process? The switch can use a DHCP server to obtain configuration information from a TFTP server.
  • Page 336 Option 125 and specify the Dell Enterprise Number, 674. Within the Dell section of option 125, sub option 5 must specify the path and name of a file on the TFTP server. This file is not the image file itself, but rather a text file that contains the path and name of the image file.
  • Page 337 If the DHCP server does not specify a configuration file or download of the configuration file fails, the Auto Configuration process attempts to download a configuration file with the name dell-net.cfg. The switch unicasts or broadcasts TFTP requests for a network configuration file in the same manner as it attempts to download a host-specific configuration file.
  • Page 338 Final File Sought Sought Host-specific config file, ending in a bootfile.cfg *.cfg file extension Default network config file dell-net.cfg Host-specific config file, associated hostname.cfg with hostname. Default config file host.cfg Table 15-2 displays the determining factors for issuing unicast or broadcast TFTP requests.
  • Page 339: Monitoring And Completing The Dhcp Auto Configuration Process

    Monitoring and Completing the DHCP Auto Configuration Process When the switch boots and triggers an Auto Configuration, a message displays on the console screen to indicate that the process is starting. After the process completes, the Auto Configuration process writes a log message. When Auto Configuration has successfully completed, you can execute a show running-config command to validate the contents of the configuration.
  • Page 340: What Are The Dependencies For Dhcp Auto Configuration

    What Are the Dependencies for DHCP Auto Configuration? The Auto Configuration process from TFTP servers depends upon the following network services: • A DHCP server must be configured on the network with appropriate services. • An image file and a text file containing the image file name for the switch must be available from a TFTP server if DHCP image download is desired.
  • Page 341: Default Auto Configuration Values

    Default Auto Configuration Values Table 15-3 describes the Auto Configuration defaults. Table 15-3. Auto Configuration Defaults Feature Default Description Auto Install Mode Enabled When the switch boots and no saved configuration is found, the Auto Configuration automatically begins. Retry Count When the DHCP or BootP server returns information about the TFTP server and bootfile, the switch makes three unicast TFTP requests for the specified bootfile.
  • Page 342: Managing Auto Configuration (Web)

    Managing Auto Configuration (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. Auto-Install Configuration Use the Auto-Install Configuration page to allow the switch to obtain network information (such as the IP address and subnet mask) and...
  • Page 343: Managing Auto Configuration (Cli)

    Managing Auto Configuration (CLI) This section provides information about the commands you use to manage the Auto-Install Configuration feature on the switch. For more information about these commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Managing Auto Configuration Beginning in Privileged EXEC mode, use the following commands to...
  • Page 344: Auto Configuration Example

    Auto Configuration Example A network administrator is deploying three PowerConnect switches and wants to quickly and automatically install the latest image and a common configuration file that configures basic settings such as VLAN creation and membership, RADIUS server settings, and 802.1X information. The configuration file also contains the command boot host autosave so that the downloaded configuration is automatically saved to the startup config.
  • Page 345 5 Connect a port (OOB port for out-of-band management or any switch port for in-band management) on each switch to the network. 6 Boot the switches.
  • Page 346 Auto Image and Configuration Update...
  • Page 347: Monitoring Switch Traffic

    Monitoring Switch Traffic This chapter describes sFlow features, Remote Monitoring (RMON), and Port Mirroring features. The topics covered in this chapter include: • Traffic Monitoring Overview • Default Traffic Monitoring Values • Monitoring Switch Traffic (Web) • Monitoring Switch Traffic (CLI) •...
  • Page 348 traffic statistics from monitored devices. sFlow datagrams forward sampled traffic statistics to the sFlow Collector for analysis. You can specify up to eight different sFlow receivers to which the switch sends sFlow datagrams. Figure 16-1. sFlow Architecture (figure labels: sFlow Receiver; PowerConnect Switches (sFlow Agents); sFlow Datagrams) The advantages of using sFlow are:...
  • Page 349 sFlow Sampling The sFlow Agent in the PowerConnect software uses two forms of sampling: • Statistical packet-based sampling of switched or routed Packet Flows • Time-based sampling of counters Packet Flow Sampling and Counter Sampling are performed by sFlow Instances associated with individual Data Sources within an sFlow Agent. Both types of samples are combined in sFlow datagrams.
  • Page 350: What Is Rmon

    Counter Sampling The primary objective of Counter Sampling is to efficiently, periodically export counters associated with Data Sources. A maximum Sampling Interval is assigned to each sFlow instance associated with a Data Source. Counter Sampling is accomplished as follows: • sFlow Agents keep a list of counter sources being sampled.
  • Page 351: What Is Port Mirroring

    The RMON agent in the switch supports the following groups: • Group 1—Statistics. Contains cumulative traffic and error statistics. • Group 2—History. Generates reports from periodic traffic sampling that are useful for analyzing trends. • Group 3—Alarm. Enables the definition and setting of thresholds for various counters.
  • Page 352: Why Is Traffic Monitoring Needed

    The packet that is copied to the destination port is in the same format as the original packet on the wire. This means that if the mirror is copying a received packet, the copied packet is VLAN tagged or untagged as it was received on the source port.
  • Page 353: Monitoring Switch Traffic (Web)

    Monitoring Switch Traffic (Web) This section provides information about the OpenManage Switch Administrator pages to use to monitor network traffic on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. sFlow Agent Summary Use the sFlow Agent Summary page to view information about sFlow MIB and the sFlow Agent IP address.
  • Page 354: Sflow Receiver Configuration

    sFlow Receiver Configuration Use the sFlow Receiver Configuration page to configure settings for the sFlow receiver to which the switch sends sFlow datagrams. You can configure up to eight sFlow receivers that will receive datagrams. To display the Receiver Configuration page, click System → sFlow → Receiver Configuration in the navigation panel.
  • Page 355: Sflow Sampler Configuration

    sFlow Sampler Configuration Use the sFlow Sampler Configuration page to configure the sFlow sampling settings for switch ports. To display the Sampler Configuration page, click System → sFlow → Sampler Configuration in the navigation panel. Figure 16-4. sFlow Sampler Configuration Click Show All to view information about configured sampler data sources.
  • Page 356: Sflow Poll Configuration

    sFlow Poll Configuration Use the sFlow Poll Configuration page to configure how often a port should collect counter samples. To display the Sampler Configuration page, click System → sFlow → Sampler Configuration in the navigation panel. Figure 16-5. sFlow Poll Configuration Click Show All to view information about the ports configured to collect counter samples.
  • Page 357: Interface Statistics

    Interface Statistics Use the Interface Statistics page to display statistics for both received and transmitted packets. The fields for both received and transmitted packets are identical. To display the page, click Statistics/RMON → Table Views → Interface Statistics in the navigation panel. Figure 16-6.
  • Page 358: Etherlike Statistics

    Etherlike Statistics Use the Etherlike Statistics page to display interface statistics. To display the page, click Statistics/RMON → Table Views → Etherlike Statistics in the navigation panel. Figure 16-7. Etherlike Statistics
  • Page 359: Gvrp Statistics

    GVRP Statistics Use the GVRP Statistics page to display switch statistics for GVRP. To display the page, click Statistics/RMON → Table Views → GVRP Statistics in the navigation panel. Figure 16-8. GVRP Statistics
  • Page 360: Eap Statistics

    EAP Statistics Use the EAP Statistics page to display information about EAP packets received on a specific port. For more information about EAP, see "Configuring Port and System Security" on page 457. To display the EAP Statistics page, click Statistics/RMON → Table Views → EAP Statistics in the navigation panel. Figure 16-9.
  • Page 361: Utilization Summary

    Utilization Summary Use the Utilization Summary page to display interface utilization statistics. To display the page, click Statistics/RMON → Table Views → Utilization Summary in the navigation panel. Figure 16-10. Utilization Summary
  • Page 362: Counter Summary

    Counter Summary Use the Counter Summary page to display interface utilization statistics in numeric sums as opposed to percentages. To display the page, click Statistics/RMON → Table Views → Counter Summary in the navigation panel. Figure 16-11. Counter Summary
  • Page 363: Switchport Statistics

    Switchport Statistics Use the Switchport Statistics page to display statistical summary information about switch traffic, address tables, and VLANs. To display the page, click Statistics/RMON → Table Views → Switchport Statistics in the navigation panel. Figure 16-12. Switchport Statistics
  • Page 364: Rmon Statistics

    RMON Statistics Use the RMON Statistics page to display details about switch use such as packet processing statistics and errors that have occurred on the switch. To display the page, click Statistics/RMON → RMON → Statistics in the navigation panel. Figure 16-13.
  • Page 365: Rmon History Control Statistics

    RMON History Control Statistics Use the RMON History Control page to maintain a history of statistics on each port. For each interface (either a physical port or a port-channel), you can define how many buckets exist, and the time interval between each bucket snapshot.
  • Page 366 Figure 16-15. Add History Entry 3 Select the port or LAG on which you want to maintain a history of statistics. 4 Specify an owner, the number of historical buckets to keep, and the sampling interval. 5 Click Apply to add the entry to the RMON History Control Table. To view configured history entries, click the Show All tab.
  • Page 367: Rmon History Table

    RMON History Table Use the RMON History Table page to display interface-specific statistical network samplings. Each table entry represents all counter values compiled during a single sample. To display the RMON History Table page, click Statistics/RMON → RMON → History Table in the navigation panel. Figure 16-16.
  • Page 368: Rmon Event Control

    RMON Event Control Use the RMON Events Control page to define RMON events. Events are used by RMON alarms to force some action when a threshold is crossed for a particular RMON counter. The event information can be stored in a log and/or sent as a trap to a trap receiver.
  • Page 369 Figure 16-18. Add an Event Entry 3 If the event sends an SNMP trap, specify the SNMP community to receive the trap. 4 Optionally, provide a description of the event and the name of the event owner. 5 Select an event type. 6 Click Apply.
  • Page 370: Rmon Event Log

    RMON Event Log Use the RMON Event Log page to display a list of RMON events. To display the page, click Statistics/RMON → RMON → Events Log in the navigation panel. Figure 16-19. RMON Event Log
  • Page 371: Rmon Alarms

    RMON Alarms Use the RMON Alarms page to set network alarms. Alarms occur when certain thresholds are crossed for the configured RMON counters. The alarm triggers an event to occur. The events can be configured as part of the RMON Events group.
  • Page 372 Adding an Alarm Table Entry To add an alarm: 1. Open the RMON Alarms page. 2. Click Add. The Add an Alarm Entry page displays. Figure 16-21. Add an Alarm Entry 3. Complete the fields on this page as needed. Use the help menu to learn more information about the data required for each field.
  • Page 373: Port Statistics

    Port Statistics Use the Port Statistics page to chart port-related statistics on a graph. To display the page, click Statistics/RMON → Charts → Port Statistics in the navigation panel. Figure 16-22. Ports Statistics To chart port statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.
  • Page 374: Lag Statistics

    LAG Statistics Use the LAG Statistics page to chart LAG-related statistics on a graph. To display the page, click Statistics/RMON → Charts → LAG Statistics in the navigation panel. Figure 16-23. LAG Statistics To chart LAG statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.
  • Page 375: Port Mirroring

    Port Mirroring Use the Port Mirroring page to create a mirroring session in which all traffic that is sent or received (or both) on one or more source ports is mirrored to a destination port. To display the Port Mirroring page, click Switching → Ports → Traffic Mirroring →...
  • Page 376 Figure 16-25. Add Source Port 5 Click Apply. 6 Repeat the previous steps to add additional source ports. 7 Click Port Mirroring to return to the Port Mirroring page. 8 Enable the administrative mode and specify the destination port.
  • Page 377 Figure 16-26. Configure Additional Port Mirroring Settings 9 Click Apply.
  • Page 378: Monitoring Switch Traffic (Cli)

    This section provides information about the commands you use to manage traffic monitoring features on the switch and to view information about switch traffic. For more information about these commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring sFlow...
  • Page 379 Command Purpose rcvr-index sflow polling Enable a new sFlow poller instance on an interface range. if_type if_number poll- rcvr-index • — The sFlow Receiver associated with the interval poller (Range: 1–8). if_type if_number • — The list of interfaces to poll. The interface type can be Tengigabitethernet (te), for example te1/0/3-5 enables polling on ports 3, 4, and 5.
  • Page 380: Configuring Rmon

    Command Purpose show sflow agent View information about the switch sFlow agent. index show sflow View information about a configured sFlow receivers. destination index show sflow polling View information about the configured sFlow poller instances for the specified receiver. index show sflow View information about the configured sFlow sampler sampling...
  • Page 381 Command Purpose number rmon alarm Add an alarm entry variable interval number • — The alarm index. (Range: 1–65535) {absolute |delta} rising- variable • — A fully qualified SNMP object identifier that value event- threshold resolves to a particular instance of an MIB object. number ] rising- value...
  • Page 382: Viewing Statistics

    Command Purpose rmon collection history Enable an RMON MIB history statistics group on the index [owner interface. ownername ] [buckets NOTE: You must configure RMON alarms and events before bucket-number RMON collection history is able to display. seconds [interval index •...
  • Page 383: Configuring Port Mirroring

    Configuring Port Mirroring Use the following commands in Privileged EXEC mode to configure a port mirroring session. Command Purpose configure Enter Global Configuration mode monitor session Configure a source (monitored) port or CPU interface for session_number source a monitor session. interface {cpu | session_number •...
  • Page 384: Traffic Monitoring Configuration Examples

    Traffic Monitoring Configuration Examples This section contains the following examples: • Configuring sFlow • Configuring RMON Configuring sFlow This example shows how to configure the switch so that ports 10-15 and port 23 send sFlow datagrams to an sFlow receiver at the IP address 192.168.20.34. The receiver owner is receiver1, and the timeout is 100000 seconds.
  • Page 385 Address Type...... 1 Port......6343 Datagram Version....5 Maximum Datagram Size..... 1400 console#show sflow 1 polling Poller Receiver Poller Data Source Index Interval ----------- ------- ------- te1/0/10 te1/0/11 te1/0/12 te1/0/13 te1/0/14 te1/0/15 te1/0/23 console#show sflow 1 sampling Sampler Receiver Packet Max Header Data Source Index...
  • Page 386: Configuring Rmon

    Configuring RMON This example generates a trap and creates a log entry when the number of inbound packets that are undeliverable due to errors increases by 20 or more. First, an RMON event is created. Then, the alarm is created. The event (event 1) generates a trap and creates a log entry.
  • Page 387: Configuring Iscsi Optimization

    Configuring iSCSI Optimization This chapter describes how to configure Internet Small Computer System Interface (iSCSI) optimization, which enables special quality of service (QoS) treatment for iSCSI traffic. The topics covered in this chapter include: • iSCSI Optimization Overview • Default iSCSI Optimization Values •...
  • Page 388: What Does Iscsi Optimization Do

    What Does iSCSI Optimization Do? In networks containing iSCSI initiators and targets, iSCSI Optimization helps to monitor iSCSI sessions or give iSCSI traffic preferential QoS treatment. Dynamically-generated classifier rules are used to direct the iSCSI data traffic to queues that can be given the desired preference characteristics over other data traveling through the switch.
  • Page 389: How Does Iscsi Optimization Use Acls

    Class of Service → Mapping Table Configuration page to configure the relevant Class of Service parameters for the queue in order to complete the setting. You can configure whether iSCSI frames are remarked to contain the configured VLAN priority tag or IP DSCP when forwarded through the switch.
  • Page 390: How Does Iscsi Optimization Interact With Dell Equallogic Arrays

    For more information about LLDP, see "Discovering Network Devices" on page 637. When the switch detects a Dell EqualLogic array, the following actions occur: • An MTU of 9216 is enabled on all ports and port-channels, if it is not already enabled.
  • Page 391: How Does Iscsi Optimization Interact With Dcbx

    How Does iSCSI Optimization Interact with Dell Compellent Arrays? Dell PowerConnect switches support a macro that may be used to configure a port connected to a Dell Compellent storage array. The name of the macro is profile-compellent-nas. The macro takes a single argument: the interface identifier to which the Dell Compellent array is connected.
  • Page 392: Default Iscsi Optimization Values

    Default iSCSI Optimization Values Table 17-1 shows the default values for the iSCSI optimization feature. Table 17-1. iSCSI Optimization Defaults Parameter Default Value iSCSI Optimization Global Status Enabled iSCSI CoS mode Disabled Classification iSCSI packets are classified by VLAN instead of by DSCP values. VLAN Priority tag iSCSI flows are assigned by default the highest 802.1p VLAN priority tag mapped...
  • Page 393: Configuring Iscsi Optimization (Web)

    Configuring iSCSI Optimization (Web) This section provides information about the OpenManage Switch Administrator pages to use to configure the iSCSI features on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. iSCSI Global Configuration Use the Global Configuration page to allow the switch to snoop for iSCSI sessions/connections and to configure QoS treatment for packets where the...
  • Page 394: Iscsi Targets Table

    iSCSI Targets Table Use the Targets Table page to view and configure iSCSI targets on the switch. To access the Targets Table page, click System → iSCSI → Targets in the navigation panel. Figure 17-2. iSCSI Targets Table To add an iSCSI Target, click Add at the top of the page and configure the relevant information about the iSCSI target.
  • Page 395: Iscsi Sessions Table

    iSCSI Sessions Table Use the Sessions Table page to view summary information about the iSCSI sessions that the switch has discovered. An iSCSI session occurs when an iSCSI initiator and iSCSI target communicate over one or more TCP connections. The maximum number of iSCSI sessions is 192. To access the Sessions Table page, click System →...
  • Page 396: Iscsi Sessions Detailed

    iSCSI Sessions Detailed Use the Sessions Detailed page to view detailed information about an iSCSI session that the switch has discovered. To access the Sessions Detailed page, click System → iSCSI → Sessions Detailed in the navigation panel. Figure 17-5. iSCSI Sessions Detail
  • Page 397: Configuring Iscsi Optimization (Cli)

    Configuring iSCSI Optimization (CLI) This section provides information about the commands you use to configure iSCSI settings on the switch. For more information about the commands, see PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Command Purpose configure Enter Global Configuration mode.
  • Page 398 Command Purpose iscsi cos {enable | disable | Set the quality of service profile that will be applied to dscp | dscp [remark] iSCSI flows. • enable—Enables application of preferential QoS treatment to iSCSI frames • disable—Disables application of preferential QoS treatment to iSCSI frames.
  • Page 399: Iscsi Optimization Configuration Examples

    iSCSI Optimization Configuration Examples iSCSI optimization is enabled by default with the appropriate settings to operate properly in almost all configurations. However, if you find it necessary to alter those settings, the following procedure illustrates the configuration steps required. Configuring iSCSI Optimization Between Servers and a Disk Array Figure 17-6 illustrates a PowerConnect 8000-series and 8100-series switch connecting two servers (iSCSI initiators) to a disk array (iSCSI targets).
  • Page 400 The following commands show how to configure the iSCSI example depicted in Figure 17-6. 1 Enable iSCSI optimization on the switch if it has been previously disabled (iSCSI optimization is enabled by default). console#config console(config)#iscsi enable 2 Configure the switch to associate the DSCP priority 45 (and the queue that is mapped to it) with detected iSCSI session traffic.
  • Page 401: Configuring A Captive Portal

    Configuring a Captive Portal This chapter describes how to configure the Captive Portal feature. The topics covered in this chapter include: • Captive Portal Overview • Default Captive Portal Behavior and Settings • Configuring the Captive Portal (Web) • Configuring a Captive Portal (CLI) •...
  • Page 402: Is The Captive Portal Feature Dependent On Any Other Feature

    Figure 18-1. Connecting to the Captive Portal (figure labels: Switch with Captive Portal; RADIUS Server (Optional); Captive Portal User (Host); Default Captive Portal Welcome Screen, displayed in the Captive Portal user's browser). The Captive Portal feature blocks hosts connected to the switch from accessing the network until user verification has been established.
  • Page 403: What Factors Should Be Considered When Designing And Configuring A Captive Portal

    You can configure the switch to send SNMP trap messages to any enabled SNMP Trap Receivers for several Captive Portal events, such as when a Captive Portal user has an authentication failure or when a Captive Portal user successfully connects to the network. If you enable the traps, the switch also writes a message to the trap log when the event occurs.
  • Page 404: How Does Captive Portal Work

    Figure 18-2. Customized Captive Portal Welcome Screen How Does Captive Portal Work? When a port is enabled for Captive Portal, all traffic coming onto the port from unverified clients is dropped except for ARP, DHCP, DNS and NETBIOS packets.
  • Page 405: What Captive Portal Pages Can Be Customized

    What Captive Portal Pages Can Be Customized? You can customize the following three Captive Portal pages: • Authentication Page —This page displays when a client attempts to connect to the network. You can customize the images, text, and colors that display on this page. •...
  • Page 406: Default Captive Portal Behavior And Settings

    Default Captive Portal Behavior and Settings Captive Portal is disabled by default. If you enable Captive Portal, no interfaces are associated with the default Captive Portal. After you associate an interface with the Captive Portal and globally enable the Captive Portal feature, a user who connects to the switch through that interface is presented with the Captive Portal Welcome screen shown in Figure 18-3.
  • Page 407 Table 18-1. Default Captive Portal Values Feature Value Authentication Timeout 300 seconds Configured Captive Portals Captive Portal Name Default Protocol Mode HTTP Verification Mode Guest URL Redirect Mode User Group 1-Default Session Timeout 86400 seconds Local Users None configured Interface associations None Interface status Not blocked...
  • Page 408: Configuring The Captive Portal (Web)

    Configuring the Captive Portal (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Captive Portal settings on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. Captive Portal Global Configuration Use the Captive Portal Global Configuration page to control the administrative state of the Captive Portal feature and configure global...
  • Page 409: Captive Portal Configuration

    Captive Portal Configuration Use the Captive Portal Configuration page to view summary information about captive portals on the system, add a captive portal, and configure existing captive portals. The switch supports 10 Captive Portal configurations. Captive Portal configuration 1 is created by default and cannot be deleted. Each captive portal configuration can have unique guest or group access modes and a customized acceptance use policy that displays when the client connects.
  • Page 410 From the Captive Portal Configuration page, click Add to create a new Captive Portal instance. Figure 18-6. Add Captive Portal Configuration From the Captive Portal Configuration page, click Summary to view summary information about the Captive Portal instances configured on the switch.
  • Page 411 2 Click Download Image to download one or more custom images to the switch. You can use a downloaded custom image for the branding logo (default: Dell logo) on the Authentication Page and Logout Success page, the account image (default: blue banner with keys) on the Authentication Page, and the background image (default: blank) on the Logout Success Page.
  • Page 412 4 Browse to the directory where the image to be downloaded is located and select the image. 5 Click Apply to download the selected file to the switch. 6 To customize the Authentication Page, which is the page that a user sees upon attempting to connect to the network, click the Authentication Page link.
  • Page 413 7 Select the branding image to use and customize other page components such as the font for all text the page displays, the page title, and the acceptance use policy. 8 Click Apply to save the settings to the running configuration or click Preview to view what the user will see.
  • Page 414: Local User

    Figure 18-11. Captive Portal Logout Success Page 13 Customize the look and feel of the Logout Page, such as the background image and successful logout message. 14 Click Apply to save the settings to the running configuration or click Preview to view what the user will see. To return to the default views, click Clear.
  • Page 415 Figure 18-12 shows the Local User page after a user has been added. If no users have been added to the switch, many of the fields do not display on the screen. NOTE: Multiple user groups can be selected by holding the CTRL key down while clicking the desired groups.
  • Page 416 Figure 18-13. Add Local User From the Local User page, click Show All to view summary information about the local users configured in the local database. Figure 18-14. Captive Portal Local User Summary To delete a configured user from the database, select the Remove check box associated with the user and click Apply.
  • Page 417 Optional 0 session timeout is (seconds) reached (seconds). If the attribute is 0 or not present then use the value configured for the captive portal. Dell-Captive- 6231, A comma- String Optional None. The Portal-Groups delimited list of default group names that...
  • Page 418: User Group

    User Group You can assign Local Users to User Groups that you create. If the Verification Mode is Local or RADIUS, you assign a User Group to a Captive Portal Configuration. All users who belong to the group are permitted to access the network through this portal.
  • Page 419 From the User Group page, click Add to configure a new user group. Figure 18-16. Add User Group From the User Group page, click Show All to view summary information about the user groups configured on the switch. Figure 18-17. Captive Portal User Group Summary To delete a configured group, select the Remove check box associated with the group and click Apply.
  • Page 420: Interface Association

    Interface Association From the Interface Association page, you can associate a configured captive portal with specific interfaces. The captive portal feature only runs on the interfaces that you specify. A captive portal can have multiple interfaces associated with it, but an interface can be associated to only one Captive Portal at a time.
  • Page 421: Captive Portal Global Status

    Captive Portal Global Status The Captive Portal Global Status page contains a variety of information about the Captive Portal feature. From the Captive Portal Global Status page, you can access information about the Captive Portal activity and interfaces. To display the Global Status page, click System → Captive Portal → Status → Global Status.
  • Page 422: Captive Portal Activation And Activity Status

    Captive Portal Activation and Activity Status The Captive Portal Activation and Activity Status page provides information about each Captive Portal configured on the switch. The Captive Portal Activation and Activity Status page has a drop-down menu that contains all captive portals configured on the switch. When you select a captive portal, the activation and activity status for that portal displays.
  • Page 423: Interface Activation Status

    Interface Activation Status The Interface Activation Status page shows information for every interface assigned to a captive portal instance. To display the Interface Activation Status page, click System → Captive Portal → Interface Status → Interface Activation Status. Figure 18-21. Interface Activation Status
  • Page 424: Interface Capability Status

    Interface Capability Status The Interface Capability Status page contains information about interfaces that can have CPs associated with them. The page also contains status information for various capabilities. Specifically, this page indicates what services are provided through the Captive Portal to clients connected on this interface.
  • Page 425: Client Summary

    Client Summary Use the Client Summary page to view summary information about all authenticated clients that are connected through the captive portal. From this page, you can manually force the captive portal to disconnect one or more authenticated clients. The list of clients is sorted by client MAC address.
  • Page 426: Client Detail

    Client Detail The Client Detail page shows detailed information about each client connected to the network through a captive portal. To display the Client Detail page, click System → Captive Portal → Client Connection Status → Client Detail. Figure 18-24. Client Detail
  • Page 427: Captive Portal Interface Client Status

    Captive Portal Interface Client Status Use the Interface Client Status page to view clients that are authenticated to a specific interface. To display the Interface Client Status page, click System → Captive Portal → Client Connection Status → Interface Client Status. Figure 18-25.
  • Page 428: Captive Portal Client Status

    Captive Portal Client Status Use the Client Status page to view clients that are authenticated to a specific Captive Portal configuration. To display the Client Status page, click System → Captive Portal → Client Connection Status → Client Status. Figure 18-26. Captive Portal - Client Status
  • Page 429: Configuring A Captive Portal (Cli)

    Configuring a Captive Portal (CLI) This section provides information about the commands you use to create and configure Captive Portal settings. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring Global Captive Portal Settings Beginning in Privileged EXEC mode, use the following commands to configure global Captive Portal settings.
  • Page 430: Creating And Configuring A Captive Portal

    Command Purpose CTRL + Z Exit to Privileged EXEC mode. show captive-portal View the Captive Portal administrative and operational [status] status. Use the status keyword to view additional global Captive Portal information and summary information about all configured Captive Portal instances. Creating and Configuring a Captive Portal Beginning in Privileged EXEC mode, use the following commands to create a Captive Portal instance and configure its settings.
  • Page 431 Command Purpose user-logout (Optional) Enable user logout mode to allow an authenticated client to deauthenticate from the network. If this option is clear or the user does not specifically request logout, the client connection status remains authenticated until the CP deauthenticates the user, for example by reaching the idle timeout or session timeout values.
  • Page 432 Command Purpose block (Optional) Block all traffic for a Captive Portal configuration. If the Captive Portal is blocked, users cannot gain access to the network through the Captive Portal. Use this function to temporarily protect the network during unexpected events, such as denial of service attacks.
  • Page 433: Configuring Captive Portal Groups And Users

    Configuring Captive Portal Groups and Users Beginning in Privileged EXEC mode, use the following commands to create a Captive Portal group. You can use the default group, or you can create a new group. Command Purpose configure Enter global configuration mode. captive-portal Enter Captive Portal mode.
  • Page 434: Managing Captive Portal Clients

    Command Purpose group-id user group (Optional) Move all of the users in a group to a different new-group-id moveusers group. This command removes the users from the group group-id specified by group-id • — Group ID (Range: 1–10). new-group-id • —...
  • Page 435: Captive Portal Configuration Example

    Captive Portal Configuration Example The manager of a resort and conference center needs to provide wired Internet access to each guest room at the resort and in each conference room. Due to legal reasons, visitors and guests must agree to the resort’s acceptable use policy to gain network access.
  • Page 436: Configuration Overview

    7. Customize the authentication, logout, and logout success web pages that a Captive Portal user will see. Dell recommends that you use Dell OpenManage Administrator to customize the Captive Portal authentication, logout, and logout success pages. A Preview button is available to allow you to see the pages that a Captive Portal user will see.
  • Page 437: Detailed Configuration Procedures

    Detailed Configuration Procedures Use the following steps to perform the Captive Portal configuration: 1. Configure the RADIUS server information on the switch. In this example, the RADIUS server IP address is 192.168.2.188, and the RADIUS server name is luxury-radius. console#configure console(config)#radius-server host 192.168.12.182 console(Config-auth-radius)#name luxury-radius console(Config-auth-radius)#exit...
  • Page 438 1 group 2 Continue entering username and password combinations to populate the local database. 8. Add the User-Name, User-Password, Session-Timeout, and Dell-Captive- Portal-Groups attributes for each employee to the database on the RADIUS server. 9. Globally enable the Captive Portal.
  • Page 439: Configuring Port Characteristics

    Configuring Port Characteristics This chapter describes how to configure physical switch port characteristics, including settings such as administrative status and maximum frame size. This chapter also describes the link dependency feature. The topics covered in this chapter include: • Port Overview •...
  • Page 440: What Is Link Dependency

    Table 19-1. Port Characteristics (Continued) Feature Description Speed Specifies the transmission rate for frames. Duplex mode Specifies whether the interface supports transmission between the switch and the connected client in one direction at a time (half) or both directions simultaneously (both). Maximum frame size Indicates the maximum frame size that can be handled by the port.
  • Page 441 Link Action The link action specifies the action that the group members will take when the dependent port is down. The group members can transition to the same state as the dependent port, or they can transition to the opposite state. In other words, if the link action is down and the dependent port goes down, the member ports will go down as well.
  • Page 442: What Interface Types Are Supported

    What Interface Types are Supported? The physical ports on the switch include the out-of-band (OOB) interface and 10-Gigabit Ethernet switch ports. The OOB interface supports a limited set of features and is for switch management only. The Ethernet switch ports support many logical features that are often supported by logical interfaces.
  • Page 443 • Port number—The number assigned to the port. For front-panel ports the port number is written above or below each port. Odd-numbered ports are on the top row, and even-numbered ports are on the bottom row. The port numbers increase from left to right. For example, to enter Interface Configuration mode for 10-Gigabit Ethernet port 10, use the following command: console(config)#interface tengigabitEthernet 1/0/10...
  • Page 444: Default Port Values

    Default Port Values Table 19-2 lists the default values for the port characteristics that this chapter describes. Table 19-2. Default Port Values Feature Description Administrative status All ports are enabled Description None defined Auto negotiation Enabled Speed Auto negotiate Duplex mode Auto negotiate Flow control Enabled...
  • Page 445: Configuring Port Characteristics (Web)

    Configuring Port Characteristics (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring port characteristics on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. Port Configuration Use the Port Configuration page to define port parameters.
  • Page 446 Configuring Multiple Ports To configure port settings on multiple ports: 1 Open the Port Configuration page. 2 Click Show All to display the Port Configuration Table page. 3 In the Ports list, select the check box in the Edit column for the port to configure.
  • Page 447 In the following example, Ports 3, 4, and 5 will be updated with the settings that are applied to Port 1. Figure 19-3. Copy Port Settings 8 Click Apply.
  • Page 448: Link Dependency Configuration

    Link Dependency Configuration Use the Link Dependency Configuration page to create link dependency groups. You can create a maximum of 16 dependency groups. The page displays the groups whether they have been configured or not. To display the Link Dependency Configuration page, click Switching → Link Dependency →...
  • Page 449 5 To add a port to the Ports Depended On column, click the port in the Available Ports column, and then click the > button to the right of the Available Ports column. In the following example, Group 1 is configured so that Port 3 is dependent on Port 4.
  • Page 450: Link Dependency Summary

    Link Dependency Summary Use the Link Dependency Summary page to view all link dependencies on the system and to access the Link Dependency Configuration page. You can create a maximum of 16 dependency groups. The page displays the groups whether they have been configured or not. To display the Link Dependency Summary page, click Switching →...
  • Page 451: Configuring Port Characteristics (Cli)

    Configuring Port Characteristics (CLI) This section provides information about the commands you use to configure port characteristics. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring Port Settings Beginning in Privileged EXEC mode, use the following commands to configure various port settings.
  • Page 452: Configuring Link Dependencies

    Command Purpose duplex {half | full | auto} Configure the full/half duplex operation of a given Ethernet interface, or enable duplex auto negotiation. Fiber ports must always be configured full-duplex. Auto negotiation is never used on fiber ports. size Enable jumbo frames on an interface by adjusting the maximum size of a packet.
  • Page 453 Command Purpose interface depends-on Specify the port(s) upon which the member ports are interface dependent. For information about the variable, see the previous command description. action {down|up} Specifies the action the member ports take when the dependent link goes down. •...
  • Page 454: Port Configuration Examples

    Port Configuration Examples This section contains the following examples: • Configuring Port Settings • Configuring a Link Dependency Groups Configuring Port Settings The commands in this example specify the speed and duplex mode for port 1 (tengigabitethernet 1/0/1) and change the MTU size for ports 10, 11, 12, 20, and 25.
  • Page 455: Configuring A Link Dependency Groups

    Configuring a Link Dependency Groups The commands in this example create two link dependency groups. Group 1 has port 3 as a member port that is dependent on port 4. The group uses the default link action, which is down. This means that if port 4 goes down, port 3 goes down.
  • Page 457: Configuring Port And System

    Configuring Port and System Security This chapter describes how to configure port-based security features, which control access to the network through the switch ports, and the denial of service (DoS) feature. Port-based security includes IEEE 802.1X authentication and port MAC locking.
  • Page 458: Ieee 802.1X

    IEEE 802.1X What is IEEE 802.1X? The IEEE 802.1X standard provides a means of preventing unauthorized access by supplicants (clients) to the services the switch offers, such as access to the LAN. The 802.1X network has three components: • Supplicant — The client connected to the authenticated port that requests access to the network.
  • Page 459: What Are The 802.1X Port States

    As shown in Figure 20-1, a PowerConnect 8000-series and 8100-series switch is the authenticator and requires the supplicant (a PC) that is attached to an 802.1X-controlled port to be authenticated by an authentication server (a RADIUS server). The result of the authentication process determines whether the supplicant is authorized to access services on that controlled port.
  • Page 460: What Is Mac-Based 802.1X Authentication

    What is MAC-Based 802.1X Authentication? MAC-based authentication allows multiple supplicants connected to the same port to each authenticate individually. For example, a 5-port hub might be connected to a single port on the switch. Each host connected to the hub must authenticate separately in order to gain access to the network.
  • Page 461: What Is The Role Of 802.1X In Vlan Assignment

    NOTE: MAB initiates only after the dot1x guest VLAN period times out. If the client responds to any of the EAPOL identity requests, MAB does not initiate for that client. What is the Role of 802.1X in VLAN Assignment? PowerConnect 8000-series and 8100-series switches allow a port to be placed into a particular VLAN based on the result of the authentication or type of 802.1X authentication a client uses when it accesses the switch.
  • Page 462 The VLAN attributes defined in RFC3580 are as follows: • Tunnel-Type=VLAN (13) • Tunnel-Medium-Type=802 • Tunnel-Private-Group-ID=VLANID VLANID is 12 bits and has a value between 1 and 4093. Dynamic VLAN Creation If RADIUS-assigned VLANs are enabled through the Authorization Network RADIUS configuration option, the RADIUS server is expected to include the VLAN ID in the 802.1X tunnel attributes of its response message to the switch.
  • Page 463: What Is Monitor Mode

    Client devices that are 802.1X-supplicant-enabled authenticate with the switch when they are plugged into the 802.1X-enabled switch port. The switch verifies the credentials of the client by communicating with an authentication server. If the credentials are verified, the authentication server informs the switch to unblock the switch port and allows the client...
  • Page 464 Table 20-1. IEEE 802.1X Monitor Mode Behavior (Continued) Case Sub-case Regular Dot1x Dot1x Monitor Mode Invalid VLAN Port State: Deny Port State: Permit Assignment VLAN: Default PVID of the port Invalid Filter-id Port State: Deny Port State: Permit VLAN: Default PVID of the port Bad RADIUS packet Port State: Deny Port State: Permit...
  • Page 465: How Does The Authentication Server Assign Diffserv Filters

    Table 20-1. IEEE 802.1X Monitor Mode Behavior (Continued) Case Sub-case Regular Dot1x Dot1x Monitor Mode Supplicant Port State: Deny Port State: Deny Timeout Port/Client Delete Guest Port State: Deny Port State: Permit Authenticated VLANID through VLAN: Default PVID on Guest VLAN Dot1Q of the port How Does the Authentication Server Assign DiffServ Filters?
  • Page 466: Default 802.1X Values

    Default 802.1X Values Table 20-2 lists the default values for the 802.1X features. Table 20-2. Default Port-Based Security Values Feature Description Global 802.1X status Disabled 802.1X authentication method none Per-port 802.1X status Disabled Port state automode Periodic reauthentication Disabled Seconds between reauthentication 3600 attempts Authentication server timeout...
  • Page 467: Configuring Ieee 802.1X (Web)

    Configuring IEEE 802.1X (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IEEE 802.1X features and Port Security on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page.
  • Page 468 Figure 20-2. Dot1x Authentication Configuring 802.1X Settings on Multiple Ports To configure 802.1X authentication on multiple ports: 1 Open the Dot1x Authentication page. 2 Click Show All to display the Dot1x Authentication Table page. 3 In the Ports list, select the check box in the Edit column for the port to configure.
  • Page 469 4 Select the desired settings to change for all ports that are selected for editing. Figure 20-3. Configure Dot1x Settings 5 Click Apply. Re-Authenticating One Port To reauthenticate a port: 1 Open the Dot1x Authentication page. 2 Click Show All. The Dot1x Authentication Table displays.
  • Page 470 5 To re-authenticate immediately, check Reauthenticate Now for all ports to be re-authenticated. 6 Click Apply. The authentication process is restarted on the specified ports (either immediately or periodically). Changing Administrative Port Control To change the administrative port control: 1 Open the Dot1x Authentication page. 2 Click Show All.
  • Page 471 Figure 20-4. Network Security Authenticated Users Port Access Control Configuration Use the Port Access Control Configuration page to globally enable or disable RADIUS-assigned VLANs and to enable Monitor Mode to help troubleshoot 802.1X configuration issues. NOTE: The VLAN Assignment Mode field is the same as the Admin Mode field on the System →...
  • Page 472 Figure 20-5. Port Access Control Configuration Port Access Control History Log Summary Use the Port Access Control History Log Summary page to view log messages about 802.1X client authentication attempts. The information on this page can help you troubleshoot 802.1X configuration issues. To display the Port Access Control History Log Summary page, click Port Access Control Configuration page, click Switching →...
  • Page 473 Figure 20-6. Port Access Control History Log Summary Internal Authentication Server Users Configuration Use the Internal Authentication Server Users Configuration page to add users to the local IAS database and to view the database entries. To display the Internal Authentication Server Users Configuration page, click System →...
  • Page 474 Figure 20-7. Internal Authentication Server Users Configuration NOTE: If no users exist in the IAS database, the IAS Users Configuration Page does not display the fields shown in the image. Adding Users to the IAS Database To add IAS users: 1 Open the Internal Authentication Server Users Configuration page.
  • Page 475 Figure 20-8. Adding an IAS User 4 Click Apply. To view the Internal Authentication Server Users Table page, click Show All. Removing an IAS User To delete an IAS user: 1 Open the Internal Authentication Server Users Configuration page. 2 From the User menu, select the user to remove. 3 Select the Remove check box.
  • Page 476: Configuring Ieee 802.1X (Cli)

    802.1X and Port Security settings. For additional information about the commands in this section, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring Basic 802.1X Authentication Settings Beginning in Privileged EXEC mode, use the following commands to enable and configure 802.1X authentication on the switch.
  • Page 477 Command Purpose dot1x port-control Specify the 802.1X mode for the port. {force-authorized | NOTE: For standard 802.1X implementations in which one force-unauthorized | client is connected to one port, use the dot1x port-control auto | mac-based} auto command to enable 802.1X authentication on the port. •...
  • Page 478 NOTE: To enable 802.1X Monitor Mode to help troubleshoot authentication issues, use the dot1x system-auth-control monitor command in Global Configuration mode. To view 802.1X authentication events and information, use the show dot1x interface authentication-history {< > | all} [failed-auth-only] [detail] command in Privileged EXEC mode.
  • Page 479 Command Purpose dot1x timeout supp- Set the time that the switch waits for a response before seconds timeout retransmitting an Extensible Authentication Protocol (EAP)-request frame to the client. count dot1x max-req Set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP)-request frame (assuming that no response is received) to the client before restarting the authentication process.
  • Page 480 Command Purpose dot1x dynamic-vlan If the RADIUS assigned VLAN does not exist on the enable switch, allow the switch to dynamically create the assigned VLAN. interface interface Enter interface configuration mode for the specified interface interface. The variable includes the interface type and number, for example tengigabitethernet 1/0/3.
  • Page 481: Configuring Internal Authentication Server Users

    Configuring Internal Authentication Server Users Beginning in Privileged EXEC mode, use the following commands to add users to the IAS database and to use the database for 802.1X authentication. Command: configure. Purpose: Enter Global Configuration mode. Command: aaa ias-user username user. Purpose: Add a user to the IAS user database. This command also changes the mode to the AAA User Config mode.
  • Page 482 The switch uses the Authentication Server with an IP address of 10.10.10.10 to authenticate clients. Port 7 is connected to a printer in the unsecured area. The printer is an 802.1X unaware client, so Port 7 is configured to use MAC-based authentication with MAB.
  • Page 483 Figure 20-10. 802.1X Example [Diagram labels: Physically Unsecured Devices; Physically Secured Devices; Clients (Ports 1 and 3); Authentication Server (RADIUS); PowerConnect Switch; Clients (Port 8); LAN Uplink (Port 24); Printer (Port 7); Server (Port 9)] The following example shows how to configure the example shown in Figure 20-10.
  • Page 484 console(config-if)#dot1x port-control force-authorized console(config-if)#exit 4 Configure Port 7 to require MAC-based authentication with MAB. console(config)#interface te1/0/7 console(config-if-Te1/0/7)#dot1x port-control mac-based console(config-if-Te1/0/7)#dot1x mac-auth-bypass 5 Set the port to an 802.1Q VLAN. The port must be in general mode in order to enable MAC-based 802.1X authentication. console(config-if-Te1/0/7)#switchport mode general console(config-if-Te1/0/7)#exit 6 Enable MAC-based authentication on port 8 and limit the number of...
  • Page 485 Filter Id........VLAN Assigned........1 (Default) Interface........Te1/0/3 User Name........dflint Supp MAC Address....... 0004.5A55.EFAD Session Time........826 Filter Id........VLAN Assigned........1 (Default) Interface........Te1/0/7 User Name........0006.6B33.06BA Supp MAC Address....... 0006.6B33.06BA Session Time........826 Filter Id........VLAN Assigned........1 (Default) 9 View a summary of the port status.
  • Page 486 10 View 802.1X information about Port 8. console#show dot1x interface te1/0/8 Administrative Mode....Enabled Dynamic VLAN Creation Mode..Enabled Monitor Mode...... Disabled Port Admin Oper Reauth Reauth Mode Mode Control Period ------- ---------------- ------------ -------- ---------- Te1/0/8 mac-based Authorized FALSE 3600 Quiet Period........
  • Page 487 NOTE: Dynamic VLAN creation applies only to authorized ports. The VLANs for unauthorized and guest users must be configured on the switch and cannot be dynamically created based on RADIUS-based VLAN assignment. The commands in this example show how to configure the switch to control VLAN assignment for the example network.
  • Page 488 To configure the switch: 1 Create the VLANs and configure the VLAN names. console(config)#vlan 100 console(config-vlan100)#name Authorized console(config-vlan100)#exit console(config)#vlan 200 console(config-vlan200)#name Unauthorized console(config-vlan200)#exit console(config)#vlan 300 console(config-vlan300)#name Guest console(config-vlan300)#exit 2 Configure information about the external RADIUS server the switch uses to authenticate clients. The RADIUS server IP address is 10.10.10.10, and the shared secret is qwerty123.
  • Page 489 8 Enable periodic reauthentication of the client on the ports and set the number of seconds to wait between reauthentication attempts to 300 seconds. Reauthentication is enabled to increase security. If the client information is removed from the RADIUS server after it has been authenticated, the client will be denied access when it attempts to reauthenticate.
  • Page 490 Allowing Dynamic VLAN Creation of RADIUS-Assigned VLANs The network in this example uses a RADIUS server to provide VLAN assignments to hosts that connect to the switch. In this example, the VLANs are not configured on the switch. Instead, the switch is configured to allow the dynamic creation of VLANs when a RADIUS-assigned VLAN does not already exist on the switch.
  • Page 491 5 Allow the switch to dynamically create VLANs when a RADIUS-assigned VLAN does not exist on the switch. console(config)#dot1x dynamic-vlan enable 6 Enter interface configuration mode for the downlink ports. console(config)#interface range te1/0/1-23 7 Set the downlink ports to the access mode because each downlink port connects to a single host that belongs to a single VLAN.
  • Page 492 • The RADIUS or 802.1X server must specify the policy to assign. For example, if the DiffServ policy to assign is named internet_access, include the following attribute in the RADIUS or 802.1X server configuration: Filter-id = “internet_access” • The DiffServ policy specified in the attribute must already be configured on the switch, and the policy names must be identical.
  • Page 493 To configure the switch: 1 Configure the DiffServ traffic class that matches SSH traffic. console#configure console(config)#class-map match-all cl-ssh console(config-classmap)#match srcl4port 22 console(config-classmap)#exit 2 Configure the DiffServ traffic class that matches HTTP traffic. console(config)#class-map match-all cl-http console(config-classmap)#match srcl4port 80 console(config-classmap)#exit 3 Configure the DiffServ policy.
  • Page 494 console(config)#aaa authentication dot1x default radius 8 Enter Interface Configuration mode for ports 1–23 and enable MAC-based authentication. console(config)#interface range te1/0/1-23 console(config-if)#dot1x port-control mac-based 9 Set the ports to an 802.1Q VLAN. The ports must be in general mode in order to enable MAC-based 802.1X authentication.
  • Page 495: Port Security (Port-Mac Locking)

    Port Security (Port-MAC Locking) The Port Security feature allows you to limit the number of source MAC addresses that can be learned on a port. If a port reaches the configured limit, any other addresses beyond that limit are not learned and the frames are discarded.
  • Page 496 Configuring Port Security Configuration (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IEEE 802.1X features and Port Security on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page.
  • Page 497 3 In the Ports list, select the check box in the Edit column for the port to configure. 4 Select the desired settings for all ports that are selected for editing. Figure 20-12. Configure Port Security Settings 5 Click Apply.
  • Page 498: Configuring Port Security (Cli)

    Configuring Port Security (CLI) Beginning in Privileged EXEC mode, use the following commands to enable port security on an interface to limit the number of source MAC addresses that can be learned. Command Purpose configure Enter Global Configuration mode. interface interface Enter interface configuration mode for the specified interface...
  • Page 499: Denial Of Service

    Denial of Service Denial of Service (DoS) refers to the exploitation of a variety of vulnerabilities which would interrupt the service of a host or make a network unstable. Use the Denial of Service page to configure settings to help prevent DoS attacks.
  • Page 501: Configuring Access Control Lists

    Configuring Access Control Lists This chapter describes how to configure Access Control Lists (ACLs), including IPv4, IPv6, and MAC ACLs. This chapter also describes how to configure time ranges that can be applied to any of the ACL types. The topics covered in this chapter include: •...
  • Page 502: What Are Mac Acls

    Depending on whether an ingress or egress ACL is applied to a port, when the traffic enters (ingress) or leaves (egress) a port, the ACL compares the criteria configured in its rules, in order, to the fields in a packet or frame to check for matching conditions.
  • Page 503: What Are Ip Acls

    What Are IP ACLs? IP ACLs classify for Layers 3 and 4 on IPv4 or IPv6 traffic. Each ACL is a set of up to ten rules applied to inbound traffic. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following fields within a packet: •...
  • Page 504: What Is Acl Logging

    Using ACLs to mirror traffic is considered to be flow-based mirroring since the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated on another interface. What Is ACL Logging ACL Logging provides a means for counting the number of “hits”...
  • Page 505: What Are The Acl Limitations

    A named time range can contain up to 10 configured time ranges. Only one absolute time range can be configured per time range. During the ACL configuration, you can associate a configured time range with the ACL to provide additional control over permitting or denying a user access to network resources.
  • Page 506: How Are Acls Configured

    NOTE: The actual number of ACLs and rules supported depends on the resources consumed by other processes and configured features running on the switch. How Are ACLs Configured? To configure ACLs, follow these steps: 1 Create a MAC ACL by specifying a name. 2 Create an IP ACL by specifying a number.
  • Page 507 Table 21-1. Common EtherType Numbers (Continued). EtherType: Protocol. 0x86DD: Internet Protocol version 6 (IPv6); 0x8808: MAC Control; 0x8809: Slow Protocols (IEEE 802.3); 0x8870: Jumbo frames; 0x888E: EAP over LAN (EAPOL – 802.1x); 0x88CC: Link Layer Discovery Protocol; 0x8906: Fibre Channel over Ethernet; 0x8914: FCoE Initialization Protocol; 0x9100...
  • Page 508: Configuring Acls (Web)

    Configuring ACLs (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring ACLs on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. IP ACL Configuration Use the IP ACL Configuration page to add or remove IP-based ACLs.
  • Page 509 Figure 21-2. Add IP ACL 4 Click Apply. Removing IPv4 ACLs To delete an IPv4 ACL: 1 From the IP ACL Name menu on the IP ACL Configuration page, select the ACL to remove. 2 Select the Remove checkbox. 3 Click Apply. Viewing IPv4 ACLs To view configured ACLs, click Show All from the IP ACL Configuration page.
  • Page 510: Ip Acl Rule Configuration

    Figure 21-3. View IPv4 ACLs IP ACL Rule Configuration Use the IP ACL Rule Configuration page to define rules for IP-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. Additionally, you can specify to assign traffic to a particular queue, filter on some traffic, change VLAN tag, shut down a port, and/or redirect the traffic to a particular port.
  • Page 511 Figure 21-4. IP ACL - Rule Configuration Removing an IP ACL Rule To delete an IP ACL rule: 1 From the Rule ID menu, select the ID of the rule to delete. 2 Select the Remove option near the bottom of the page. 3 Click Apply to remove the selected rule.
  • Page 512: Mac Acl Configuration

    MAC ACL Configuration Use the MAC ACL Configuration page to define a MAC-based ACL. To display the MAC ACL Configuration page, click Switching → Network Security → Access Control Lists → MAC Access Control Lists → Configuration in the navigation panel. Figure 21-5.
  • Page 513 Figure 21-6. Add MAC ACL 4 Click Apply. Renaming or Removing MAC ACLs To rename or delete a MAC ACL: 1 From the MAC ACL Name menu on the MAC ACL Configuration page, select the ACL to rename or remove. 2 To rename the ACL, select the Rename checkbox and enter a new name in the associated field.
  • Page 514: Mac Acl Rule Configuration

    MAC ACL Rule Configuration Use the MAC ACL Rule Configuration page to define rules for MAC-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. A default deny all rule is the last rule of every list. To display the MAC ACL Rule Configuration page, click Switching →...
  • Page 515: Ipv6 Acl Configuration

    IPv6 ACL Configuration Use the IPv6 ACL Configuration page to add or remove IP-based ACLs. To display the IP ACL Configuration page, click Switching → Network Security → Access Control Lists → IPv6 Access Control Lists → IPv6 ACL Configuration in the navigation panel.
  • Page 516: Ipv6 Acl Rule Configuration

    Figure 21-9. Add IPv6 ACL 4 Click Apply. Removing IPv6 ACLs To delete an IPv6 ACL: 1 From the IPv6 ACL Name menu on the IPv6 ACL Configuration page, select the ACL to remove. 2 Select the Remove checkbox. 3 Click Apply. Viewing IPv6 ACLs To view configured ACLs, click Show All from the IPv6 ACL Configuration page.
  • Page 517 To display the IPv6 ACL Rule Configuration page, click Switching → Network Security → Access Control Lists → IPv6 Access Control Lists → Rule Configuration in the navigation menu. Figure 21-10. IPv6 ACL - Rule Configuration Removing an IPv6 ACL Rule To delete an IPv6 ACL rule: 1 From the Rule ID menu, select the ID of the rule to delete.
  • Page 518: Acl Binding Configuration

    ACL Binding Configuration When an ACL is bound to an interface, all the rules that have been defined are applied to the selected interface. Use the ACL Binding Configuration page to assign ACL lists to ACL Priorities and Interfaces. From the web interface, you can configure the ACL rule in the ingress or egress direction so that the ACLs implement security rules for packets entering or exiting the port.
  • Page 519: Time Range Entry Configuration

    Time Range Entry Configuration Use the Time Range Entry Configuration page to define time ranges to associate with ACL rules. To display the Time Range Entry Configuration page, click System → Time Synchronization → Time Range Configuration in the navigation panel. The following image shows the page after at least one time range has been added.
  • Page 520 Figure 21-13. Add a Time Range 3 Click Apply. 4 Click Configuration to return to the Time Range Entry Configuration page. 5 In the Time Range Name field, select the name of the time range to configure. 6 Specify an ID for the time range. You can configure up to 10 different time range entries to include in the named range.
  • Page 521: Configuring Acls (Cli)

    Configuring ACLs (CLI) This section provides information about the commands you use to create and configure ACLs. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring an IPv4 ACL Beginning in Privileged EXEC mode, use the following commands to create an IPv4 ACL, configure rules for the ACL, and bind the ACL to an interface.
  • Page 522 Command Purpose (continued) • portvalue — The source layer 4 port match condition for the ACL rule is specified by the port value parameter (Range: 0–65535). • portkey — Or you can specify the portkey, which can be one of the following keywords: domain, echo, ftp, ftpdata, http, smtp, snmp, telnet, tftp, and www.
  • Page 523: Configuring A Mac Acl

    Command: CTRL + Z. Purpose: Exit to Privileged EXEC mode. Command: show ip access-lists name. Purpose: Display all IPv4 access lists and all of the rules that are defined for the IPv4 ACL. Use the optional name parameter to identify a specific IPv4 ACL to display. Configuring a MAC ACL Beginning in Privileged EXEC mode, use the following commands to create a MAC ACL, configure rules for the ACL, and bind the ACL to an interface.
  • Page 524 Command Purpose (Continued) • vlan eq — VLAN number. (Range 0-4095) • cos — Class of service. (Range 0-7) • log — Specifies that this rule is to be logged. • time-range-name — Specifies the named time range to associate with the ACL rule. •...
  • Page 525: Configuring An Ipv6 Acl

    Command: show mac access-lists name. Purpose: Display all MAC access lists and all of the rules that are defined for the MAC ACL. Use the optional name parameter to identify a specific MAC ACL to display. Configuring an IPv6 ACL Beginning in Privileged EXEC mode, use the following commands to create an IPv6 ACL, configure rules for the ACL, and bind the ACL to an interface.
  • Page 526 Command Purpose (Continued) • destination ipv6 prefix — IPv6 prefix in IPv6 global address format. • flow label value — The value to match in the Flow Label field of the IPv6 header (Range 0–1048575). • dscp dscp — Specifies the TOS for an IPv6 ACL rule depending on a match of DSCP values using the parameter dscp.
  • Page 527: Configuring A Time Range

    Command: CTRL + Z. Purpose: Exit to Privileged EXEC mode. Command: show ipv6 access-lists name. Purpose: Display all IPv6 access lists and all of the rules that are defined for the IPv6 ACL. Use the optional name parameter to identify a specific IPv6 ACL to display. Configuring a Time Range Beginning in Privileged EXEC mode, use the following commands to create a time range and configure time-based entries for the time range.
  • Page 528 Command: periodic {days-of-the-week time} to {[days-of-the-week] time}. Purpose: Configure a recurring time entry for the named time range. • days-of-the-week —The first occurrence indicates the starting day(s) the ACL goes into effect. The second occurrence is the ending day(s) when the ACL rule is no longer in effect...
  • Page 529: Acl Configuration Examples

    ACL Configuration Examples This section contains the following examples: • Configuring an IP ACL • Configuring a MAC ACL • Configuring a Time-Based ACL • Configuring a Management Access List Configuring an IP ACL The commands in this example set up an IP ACL that permits hosts in the 192.168.77.0/24 subnet to send TCP and UDP traffic only to the host with an IP address of 192.168.77.50.
  • Page 530 Figure 21-14. IP ACL Example Network Diagram [Diagram labels: PowerConnect Switch (Layer 3), Port Te 1/0/2; Layer 2 Switch; UDP or TCP packet to 192.168.88.50 rejected: Dest. IP not in range; UDP or TCP packet to 192.168.77.50 permitted: Dest. IP in range; hosts 192.168.77.1, 192.168.77.2, 192.168.77.3...]
  • Page 531: Configuring A Mac Acl

    3 Apply the rule to inbound (ingress) traffic on 10-Gigabit Ethernet Port 2. Only traffic matching the criteria will be accepted on this port. console(config)#interface te1/0/2 console(config-if-Te1/0/2)#ip access-group list1 console(config-if-Te1/0/2)#exit Configuring a MAC ACL The following example creates a MAC ACL named mac1 that denies all IPX traffic on all ports.
  • Page 532 mac1 ch1-12, Inbound Te1/0/1- Te1/0/24 console#show mac access-lists mac1 MAC ACL Name: mac1 Inbound Interface(s): ch1-12,Te1/0/1-Te1/0/24 Rule Number: 1 Action........deny Ethertype........ ipx Rule Number: 2 Action........permit Match All....... TRUE
  • Page 533: Configuring A Time-Based Acl

    Configuring a Time-Based ACL The following example configures an ACL that denies HTTP traffic from 8:00 pm to 12:00 pm and 1:00 pm to 6:00 pm on weekdays and from 8:30 am to 12:30 pm on weekends. The ACL affects all hosts connected to ports that are members of VLAN 100.
  • Page 534: Configuring A Management Access List

    7 Verify the configuration. console#show ip access-lists web-limit IP ACL Name: web-limit Inbound VLAN(s): Rule Number: 1 Action......deny Match All......FALSE Protocol......6(tcp) Source IP Address....any Destination IP Address.... any Destination L4 Port Keyword..80(www/http)ip Time Range Name....work-hours Rule Status.......
  • Page 535 Command: management access-list name. Purpose: Define an access list for management, and enter the access-list for configuration. Command: permit ip-source address mask [mask prefix-length interface-... Purpose: Allow access to the management interface from hosts that meet the specified IP address value and other optional criteria.
  • Page 536 Management Access List Example The commands in this example create a management ACL that permits access to the switch through the in-band switch ports on VLAN 1 and on port 9 from hosts with an IP address in the 10.27.65.0 subnet. Attempts to access the management interfaces from any other hosts and on any other interfaces are denied.
  • Page 537 console#show management access-class Management access-class is enabled, using access list mgmt_ACL.
  • Page 539: Configuring Vlans

    Configuring VLANs This chapter describes how to configure VLANs, including port-based VLANs, protocol-based VLANs, double-tagged VLANs, subnet-based VLANs, and Voice VLANs. The topics covered in this chapter include: • VLAN Overview • Default VLAN Behavior • Configuring VLANs (Web) • Configuring VLANs (CLI) •...
  • Page 540 priority over other traffic, such as data. Administrators also use VLANs to protect network resources. Traffic sent by authenticated clients might be assigned to one VLAN, while traffic sent from unauthenticated clients might be assigned to a different VLAN that allows limited network access. When one host in a VLAN sends a broadcast, the switch forwards traffic only to other members of that VLAN.
  • Page 541 Figure 22-1. Simple VLAN Topology [Diagram labels: Router; Switch; Engineering VLAN 100; Tech Pubs VLAN 200; Payroll VLAN 300] In this example, each port is manually configured so that the end station attached to the port is a member of the VLAN configured for the port. The VLAN membership for this network is port-based or static.
  • Page 542: Switchport Modes

    Table 22-1 provides an overview of the types of VLANs you can use to logically divide the network. Table 22-1. VLAN Assignment (columns: VLAN Assignment, Description). Port-based (Static): This is the most common way to assign hosts to VLANs. The port where the traffic enters the switch determines the VLAN membership.
  • Page 543: Vlan Tagging

    VLAN membership rules that apply to a port are based on the switchport mode configured for the port. Table 22-2 shows the behavior of the three switchport modes. Table 22-2. Switchport Mode Behavior (columns: Mode, VLAN Membership, Frames Accepted, Frames Sent, Ingress Filtering). Access...
  • Page 544: Gvrp

    Access ports can receive untagged traffic and traffic tagged with the access port PVID. GVRP The GARP VLAN Registration Protocol (GVRP) helps to dynamically manage VLAN memberships on trunk ports. When GARP is enabled, switches can dynamically register (and de-register) VLAN membership information with other switches attached to the same segment.
  • Page 545: Voice Vlan

    misconfiguration while exiting the metro core. For example, if the edge device on the other side of the metro core is not stripping the second tag, the packet would never be classified as an 802.1Q tag, so the packet would be dropped rather than forwarded in the incorrect VLAN.
  • Page 546 The Voice VLAN feature can be enabled on a per-port basis. This feature supports a configurable voice VLAN DSCP value. This value is later retrieved by LLDP when the LLDPDU is transmitted, if LLDP has been enabled on the port and the required TLV is configured for the port. Identifying Voice Traffic Some VoIP phones contain full support for IEEE 802.1X.
  • Page 547: Private Vlans

    • When a VLAN is associated with the Voice VLAN port, then the VLAN ID information is passed onto the VoIP phone using either the LLDP-MED or the CDP mechanism, depending on how the phone is identified: if it is identified via CDP, then the VLAN assignment is via CDP and if it is identified via LLDP-MED, then the VLAN assignment is via LLDP-MED.
  • Page 548 The following types of VLANs can be configured in a private VLAN: • Primary VLAN—Forwards the traffic from the promiscuous ports to isolated ports, community ports and other promiscuous ports in the same private VLAN. Only one primary VLAN can be configured per private VLAN.
  • Page 549 associated with a primary VLAN. So, the advantage of the private VLANs feature is that it reduces the number of consumed VLANs, improves IP addressing space utilization, and helps to avoid layer 3 routing. Figure 22-3 shows an example Private VLAN scenario, in which five hosts (H-A through H-E) are connected to a stack of switches (SW1, SW2).
  • Page 550 Isolated Ports An endpoint connected to an isolated port is allowed to communicate with endpoints connected to promiscuous ports only. Endpoints connected to adjacent isolated ports cannot communicate with each other. Community Ports An endpoint connected to a community port is allowed to communicate with the endpoints within a community and can also communicate with any configured promiscuous port.
  • Page 551 Table 22-3. Forwarding Rules for Traffic in Primary VLAN From promiscuous community 1 community 2 isolated stack (trunk) promiscuous allow allow allow allow allow community 1 community 2 isolated stack (trunk) allow allow allow allow allow Table 22-4. Forwarding Rules for Traffic in Community 1 VLAN From promiscuous community 1...
  • Page 552 Limitations and Recommendations • Only a single isolated VLAN can be associated with a primary VLAN. Multiple community VLANs can be associated with a primary VLAN. • Trunk and general modes are not supported on private VLAN ports. • Do not configure access ports using the VLANs participating in any of the private VLANs.
  • Page 553: Additional Vlan Features

    • It is recommended that the private VLAN IDs be removed from the trunk ports connected to devices that do not participate in the private VLAN traffic. Private VLAN Configuration Example See "Configuring a Private VLAN" on page 602. Additional VLAN Features The PowerConnect 8000-series and 8100-series switches also support the following VLANs and VLAN-related features: •...
  • Page 554: Default Vlan Behavior

    Default VLAN Behavior One VLAN exists on the PowerConnect 8000-series and 8100-series switches by default. The VLAN ID is 1, and all ports are included in the VLAN as access ports, which are untagged. This means when a device connects to any port on the switch, the port forwards the packets without inserting a VLAN tag.
  • Page 555 Table 22-7 shows the default values or maximum values for VLAN features. Table 22-7. Additional VLAN Default and Maximum Values (columns: Feature, Value). Default VLAN: VLAN 1. VLAN Name: No VLAN name is configured except for VLAN 1, whose name “default” cannot be changed. VLAN Range: 2–4093. Switchport mode...
  • Page 556: Configuring Vlans (Web)

    Configuring VLANs (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLANs on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. VLAN Membership Use the VLAN Membership page to create VLANs and define VLAN groups stored in the VLAN membership table.
  • Page 557 Table 22-8. VLAN Port Membership Definitions Port Control Definition Blank Blank: the interface is not a VLAN member. Packets in this VLAN are not forwarded on this interface. To perform additional port configuration, such as making the port a trunk port, use the Port Settings page.
  • Page 558 3 Specify a VLAN ID and a VLAN name. Figure 22-5. Add VLAN 4 Click Apply. Configuring Ports as VLAN Members To add member ports to a VLAN: 1 Open the VLAN Membership page. 2 From the Show VLAN menu, select the VLAN to which you want to assign ports.
  • Page 559 Figure 22-6. Add Ports to VLAN 4 Click Apply. 5 Verify that the ports have been added to the VLAN.
  • Page 560 In Figure 22-7, the presence of the letter U in the Current row indicates that the port is an untagged member of the VLAN. Figure 22-7. Add Ports to VLAN
  • Page 561: Vlan Port Settings

    VLAN Port Settings Use the VLAN Port Settings page to add ports to an existing VLAN and to configure settings for the port. If you select Trunk or Access as the Port VLAN Mode, some of the fields are not configurable because of the requirements for that mode.
  • Page 562: Vlan Lag Settings

    Figure 22-9. VLAN Settings for All Ports VLAN LAG Settings Use the VLAN LAG Settings page to map a LAG to a VLAN and to configure specific VLAN settings for the LAG. To display the LAG Settings page, click Switching → VLAN → LAG Settings in the navigation panel.
  • Page 563 Figure 22-10. VLAN LAG Settings From the LAG Settings page, click Show All to see the current VLAN settings for all LAGs. You can change the settings for one or more LAGs by clicking the Edit option for a port and selecting or entering new values. Figure 22-11.
  • Page 564: Bind Mac To Vlan

    Bind MAC to VLAN Use the Bind MAC to VLAN page to map a MAC address to a VLAN. After the source MAC address and the VLAN ID are specified, the MAC to VLAN configurations are shared across all ports of the switch. The MAC to VLAN table supports up to 128 entries.
  • Page 565: Bind Ip Subnet To Vlan

    Figure 22-13. MAC-VLAN Bind Table Bind IP Subnet to VLAN Use the Bind IP Subnet to VLAN page to assign an IP Subnet to a VLAN. The IP Subnet to VLAN configurations are shared across all ports of the switch. There can be up to 64 entries configured in this table. To display the Bind IP Subnet to VLAN page, click Switching →...
  • Page 566 Figure 22-14. Bind IP Subnet to VLAN From the Bind IP Subnet to VLAN page, click Show All to see the IP subnets that are mapped to VLANs. From this page, you can change the settings for one or more entries or remove an entry. Figure 22-15.
  • Page 567: Gvrp Parameters

    GVRP Parameters Use the GVRP Parameters page to enable GVRP globally and configure the port settings. To display the GVRP Parameters page, click Switching → VLAN → GVRP Parameters in the navigation panel. Figure 22-16. GVRP Parameters From the GVRP Parameters page, click Show All to see the GVRP configuration for all ports.
  • Page 568 Figure 22-17. GVRP Port Parameters Table
  • Page 569: Protocol Group

    Protocol Group Use the Protocol Group page to configure which EtherTypes go to which VLANs, and then enable certain ports to use these settings. Protocol-based VLANs are most often used in situations where network segments contain hosts running multiple protocols. To display the Protocol Group page, click Switching →...
  • Page 570: Adding A Protocol Group

    Adding a Protocol Group To add a protocol group: 1 Open the Protocol Group page. 2 Click Add to display the Add Protocol Group page. 3 Create a name for the group and associate a VLAN with the group. Figure 22-19. Add Protocol Group 4 Click Apply.
  • Page 571 Figure 22-20. Configure Protocol Group 8 Click Apply. 9 Click Show All to see the protocol-based VLANs and their members. Figure 22-21. Protocol Group Table
  • Page 572: Double Vlan Global Configuration

    Double VLAN Global Configuration Use the Double VLAN Global Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Global Configuration page, click Switching → VLAN → Double VLAN → Global Configuration in the navigation panel. Figure 22-22.
  • Page 573: Double Vlan Interface Configuration

    Double VLAN Interface Configuration Use the Double VLAN Interface Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Interface Configuration page, click Switching → VLAN → Double VLAN → Interface Configuration in the navigation panel. Figure 22-23.
  • Page 574 Figure 22-24. Double VLAN Port Parameter Table
  • Page 575: Voice Vlan

    Voice VLAN Use the Voice VLAN Configuration page to configure and view voice VLAN settings that apply to the entire system and to specific interfaces. To display the page, click Switching → VLAN → Voice VLAN → Configuration in the navigation panel. Figure 22-25.
  • Page 576: Configuring Vlans (Cli)

    Configuring VLANs (CLI) This section provides information about the commands you use to create and configure VLANs. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Creating a VLAN Beginning in Privileged EXEC mode, use the following commands to configure a VLAN and associate a name with the VLAN.
  • Page 577: Configuring A Port In Access Mode

    Configuring a Port in Access Mode Beginning in Privileged EXEC mode, use the following commands to configure an untagged layer 2 VLAN interface and assign the interface to a VLAN. When a port is in access mode, it can only be a member of one untagged VLAN.
  • Page 578: Configuring A Port In General Mode

    Configuring a Port in General Mode Beginning in Privileged EXEC mode, use the following commands to configure an interface with full 802.1q support and configure the VLAN membership information for the interface. Command Purpose configure Enter global configuration mode. interface interface Enter interface configuration mode for the specified interface...
  • Page 579: Configuring A Port In Trunk Mode

    Command: switchport general acceptable-frame-type tagged-only
    Purpose: (Optional) Specifies that the port will only accept tagged frames. Untagged frames are dropped at ingress.
    Command: switchport general ingress-filtering disable
    Purpose: (Optional) Turn off ingress filtering so that all received tagged frames are forwarded whether or not the port is a member of the VLAN in the tag.
  • Page 580
    Command: switchport trunk {allowed vlan vlan-list | native vlan vlan-id}
    Purpose: Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode.
    • allowed vlan-list — Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode.
  • Page 581: Configuring Vlan Settings For A Lag

    Configuring VLAN Settings for a LAG The VLAN mode and membership settings you configure for a port are also valid for a LAG (port channel). Beginning in Privileged EXEC mode, use the following commands to configure the VLAN mode for a LAG. Once you specify the switchport mode settings for a LAG, you can configure other VLAN membership settings that are valid for the switchport mode.
  • Page 582: Configuring Double Vlan Tagging

    Configuring Double VLAN Tagging Beginning in Privileged EXEC mode, use the following commands to configure an interface to send and accept frames with double VLAN tagging. Command Purpose configure Enter global configuration mode. interface interface Enter interface configuration mode for the specified interface interface.
  • Page 583: Configuring Mac-Based Vlans

    Configuring MAC-Based VLANs Beginning in Privileged EXEC mode, use the following commands to associate a MAC address with a configured VLAN. The VLAN does not need to be configured on the system to associate a MAC address with it. You can create up to 256 VLAN to MAC address associations.
  • Page 584: Configuring Ip-Based Vlans

    Configuring IP-Based VLANs Beginning in Privileged EXEC mode, use the following commands to associate an IP subnet with a configured VLAN. The VLAN does not need to be configured on the system to associate an IP subnet with it. You can create up to 256 VLAN to MAC address associations.
  • Page 585 Command Purpose configure Enter global configuration mode. vlan protocol group Create a new protocol group. name exit Exit to Privileged EXEC mode. show port protocol all Obtain the group ID for the newly configured group. configure Enter global configuration mode. vlan protocol group add Add any EtherType protocol to the protocol-based VLAN groupid...
  • Page 586: Configuring Gvrp

    Command: protocol group groupid vlanid
    Purpose: Attach a VLAN ID to the protocol-based group identified by groupid. A group may only be associated with one VLAN at a time. However, the VLAN association can be changed.
    • groupid — The protocol-based VLAN group ID, which is automatically generated when you create a protocol-based VLAN group with the vlan protocol group command.
  • Page 587
    Command: switchport forbidden vlan {add vlan-list | remove vlan-list}
    Purpose: (Optional) Forbids adding the specified VLANs to a port. To revert to allowing the addition of specific VLANs to the port, use the remove parameter of this command.
    vlan-list — List of valid VLAN IDs to add to the forbidden list.
  • Page 588: Configuring Voice Vlans

    Configuring Voice VLANs Beginning in Privileged EXEC mode, use the following commands to enable the Voice VLAN feature on the switch and on an interface. Command Purpose configure Enter global configuration mode. voice vlan Enable the voice vlan capability on the switch. interface interface Enter interface configuration mode for the specified...
  • Page 589: Vlan Configuration Examples

    VLAN Configuration Examples This section contains the following examples: • Configuring VLANs Using Dell OpenManage Administrator • Configuring VLANs Using the CLI • Configuring a Voice VLAN NOTE: For an example that shows how to use a RADIUS server to provide VLAN information, see "Controlling Authentication-Based VLAN Assignment"...
  • Page 590 Figure 22-26 shows the network topology for this example. As the figure shows, there are two switches, two file servers, and many hosts. One switch has an uplink port that connects it to a layer 3 device and the rest of the corporate network.
  • Page 591 Table 22-10 shows the port assignments on the switches. Table 22-10. Switch Port Connections Port/LAG Function Switch 1 Connects to Switch 2 2–15 Host ports for Payroll 16–20 Host ports for Marketing LAG1 (ports 21–24) Connects to Payroll server Switch 2 Connects to Switch 1 2–10 Host ports for Marketing...
  • Page 592: Configuring Vlans Using Dell Openmanage Administrator

    Configuring VLANs Using Dell OpenManage Administrator This example shows how to perform the configuration by using the web- based interface. Configure the VLANs and Ports on Switch 1 Use the following steps to configure the VLANs and ports on Switch 1. None of the hosts that connect to Switch 1 use the Engineering VLAN (VLAN 100), so it is not necessary to create it on that switch.
  • Page 593 Figure 22-28. VLAN Membership - VLAN 200 3 Click Apply. 4 Assign ports 2–15 and LAG1 to the Payroll VLAN. From the Switching → VLAN → VLAN Membership page, select 400-Payroll from the Show VLAN field. In the Static row, click the space for ports 2–15 and LAG 1 so the U (untagged) displays for each port, and then click Apply.
  • Page 594 Configure the following settings: • Port VLAN Mode — General • PVID — 400 • Frame Type — AdmitAll Click Apply. Figure 22-29. LAG Settings 6 Configure port 1 as a trunk port. From the Switching → VLAN → Port Settings page, make sure port Te1/0/1 is selected.
  • Page 595 Figure 22-30. Trunk Port Configuration 7 From the Switching → VLAN → VLAN Membership page, verify that port 1 is marked as a tagged member (T) for each VLAN. Figure 22-31 shows VLAN 200, in which port 1 is a tagged member, and ports 16–20 are untagged members.
  • Page 596: Configure The Vlans And Ports On Switch 2

    Figure 22-32. Trunk Port Configuration Repeat steps b–d to add additional MAC address-to-VLAN information for the Sales department. 9 To save the configuration so that it persists across a system reset, use the following steps: Go to the System → File Management → Copy Files page. Select Copy Configuration and ensure that Running Config is the source and Startup Config is the destination.
  • Page 597: Configuring Vlans Using The Cli

    2. Configure LAG 1 as a general port so that it can be a member of multiple VLANs. From the Switching → VLAN → LAG Settings page, make sure Po1 is selected. From the Port VLAN Mode field, select General. Click Apply.
  • Page 598
    console(config-vlan300)#name Sales
    console(config-vlan300)#exit
    console(config)#vlan 400
    console(config-vlan400)#name Payroll
    console(config-vlan400)#exit
    2. Assign ports 16–20 to the Marketing VLAN.
    console(config)#interface range tengigabitEthernet 1/0/16-20
    console(config-if)#switchport mode access
    console(config-if)#switchport access vlan 200
    console(config-if)#exit
    3. Assign ports 2–15 to the Payroll VLAN
    console(config)#interface range tengigabitEthernet 1/0/2-15
    console(config-if)#switchport mode access
    console(config-if)#switchport access vlan 400
    console(config-if)#exit
    ...
  • Page 599 6. Configure the MAC-based VLAN information. The following commands show how to associate a system with a MAC address of 00:1C:23:55:E9:8B with VLAN 300. Repeat the vlan association mac command to associate additional MAC addresses with VLAN 300.
    console(config)#vlan database
    console(config-vlan)#vlan association mac 00:1C:23:55:E9:8B 300
    console(config-vlan)#exit
    ...
  • Page 600 Protected:Disabled Port Te1/0/1 is member in: VLAN Name Egress rule Type ---- ----------------- ----------- -------- Marketing Tagged Static Sales Tagged Static Payroll Tagged Static Configure the VLANs and Ports on Switch 2 Use the following steps to configure the VLANs and ports on Switch 2. Many of the procedures in this section are the same as procedures used to configure Switch 1.
  • Page 601: Configuring A Voice Vlan

    Configuring a Voice VLAN The commands in this example create a VLAN for voice traffic with a VLAN ID of 25. Port 10 is set to an 802.1Q VLAN. In this example, there are multiple devices connected to port 10, so the port must be in general mode in order to enable MAC-based 802.1X authentication.
  • Page 602 5 Enable the voice VLAN feature on the interface
    console(config-if-Te1/0/10)#voice vlan 25
    6 Disable authentication for the voice VLAN on the port. This step is required only if the voice phone does not support port-based authentication.
    console(config-if-Te1/0/10)#voice vlan auth disable
    7 Exit to Privileged Exec mode....
  • Page 603
    switch(config-vlan-103)# exit
    2 Associate the community and isolated VLANs with the primary VLAN.
    switch(config)# vlan 100
    switch(config-vlan-100)# private-vlan association 101-102
    switch(config-vlan-100)# exit
    This completes the configuration of the private VLAN. The only remaining step is to assign the ports to the private VLAN.
    3 Assign the router connected port to the primary VLAN:
    console(config)#interface te1/1/1
    console(config-if-Te1/1/1)#switchport mode private-vlan
    ...
  • Page 604 ---- ----------------------- primary community isolated isolated console#show vlan private-vlan Primary VLAN Secondary VLAN Community ------------ -------------- ------------------- console(config)#show vlan VLAN Name Ports Type ----- ----------- ------------- ------------- default Po1-128, Default Te1/1/1, Gi1/0/1-10, Gi1/0/13-24 VLAN0100 Te1/1/1, Static Gi1/0/11-12 VLAN0101 Gi1/0/11 Static VLAN0102 Gi1/0/12 Static...
  • Page 605: Configuring The Spanning Tree

    Configuring the Spanning Tree Protocol This chapter describes how to configure the Spanning Tree Protocol (STP) settings on the switch. The topics covered in this chapter include: • STP Overview • Default STP Values • Configuring Spanning Tree (Web) • Configuring Spanning Tree (CLI) •...
  • Page 606: How Does Stp Work

    recognize full-duplex connectivity and ports which are connected to end stations, resulting in rapid transitioning of the port to the Forwarding state and the suppression of Topology Change Notifications. MSTP is compatible with both RSTP and STP. It behaves appropriately to STP and RSTP bridges.
  • Page 607: How Does Mstp Operate In The Network

    How Does MSTP Operate in the Network? In the following diagram of a small 802.1d bridged network, STP is necessary to create an environment with full connectivity and without loops. Figure 23-1. Small Bridged Network Switch A Port 1 Port 2 VLAN 10 VLAN 20 Port 1...
  • Page 608 Figure 23-2 shows the logical single STP network topology. Figure 23-2. Single STP Topology Switch A Port 1 Port 2 VLAN 10 VLAN 20 Port 1 Port 1 Switch B Switch C VLAN 10 VLAN 20 VLAN 20 For VLAN 10 this single STP topology is fine and presents no limitations or inefficiencies.
  • Page 609 The logical representation of the MSTP environment for these three switches is shown in Figure 23-3. Figure 23-3. Logical MSTP Environment MSTI 1 Regional Root & CIST Regional Root Switch A MSTI 1 Port 1 Port 2 VLAN 10 Port 1 Port 1 Switch B Switch C...
  • Page 610 In order for MSTP to correctly establish the different MSTIs as above, some additional changes are required. For example, the configuration would have to be the same on each and every bridge. That means that Switch B would have to add VLAN 10 to its list of supported VLANs (shown in Figure 23-3 with a *).
  • Page 611: Mstp With Multiple Forwarding Paths

    MSTP with Multiple Forwarding Paths Consider the physical topology shown in Figure 23-4. It might be assumed that MSTI 2 and MSTI 3 would follow the most direct path for VLANs 20 and 30. However, using the default path costs, this is not the case. MSTI operates without considering the VLAN membership of the ports.
  • Page 612: What Are The Optional Stp Features

    What are the Optional STP Features? The PowerConnect 8000-series and 8100-series switches support the following optional STP features: • BPDU flooding • PortFast • BPDU filtering • Root guard • Loop guard • BPDU protection BPDU Flooding The BPDU flooding feature determines the behavior of the switch when it receives a BPDU on a port that is disabled for spanning tree.
  • Page 613 Root Guard Enabling root guard on a port ensures that the port does not become a root port or a blocked port. When a switch is elected as the root bridge, all ports are designated ports unless two or more ports of the root bridge are connected together.
  • Page 614 BPDU Protection When the switch is used as an access layer device, most ports function as edge ports that connect to a device such as a desktop computer or file server. The port has a single, direct connection and is configured as an edge port to implement the fast transition to a forwarding state.
  • Page 615: Default Stp Values

    Default STP Values Spanning tree is globally enabled on the switch and on all ports and LAGs. Table 23-1 summarizes the default values for STP. Table 23-1. STP Defaults Parameter Default Value Enable state Enabled (globally and on all ports) Spanning-tree mode RSTP (Classic STP and MSTP are disabled) Switch priority...
  • Page 616: Configuring Spanning Tree (Web)

    Configuring Spanning Tree (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring STP settings on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. STP Global Settings The STP Global Settings page contains fields for enabling STP on the switch.
  • Page 617 Figure 23-5. Spanning Tree Global Settings
  • Page 618: Stp Port Settings

    STP Port Settings Use the STP Port Settings page to assign STP properties to individual ports. To display the STP Port Settings page, click Switching → Spanning Tree → STP Port Settings in the navigation panel. Figure 23-6. STP Port Settings
  • Page 619 Configuring STP Settings for Multiple Ports To configure STP settings for multiple ports: 1 Open the STP Port Settings page. 2 Click Show All to display the STP Port Table. Figure 23-7. Configure STP Port Settings 3 For each port to configure, select the check box in the Edit column in the row associated with the port.
  • Page 620: Stp Lag Settings

    STP LAG Settings Use the STP LAG Settings page to assign STP aggregating ports parameters. To display the STP LAG Settings page, click Switching → Spanning Tree → STP LAG Settings in the navigation panel. Figure 23-8. STP LAG Settings Configuring STP Settings for Multiple LAGs To configure STP settings on multiple LAGS: 1 Open the STP LAG Settings page.
  • Page 621: Rapid Spanning Tree

    Figure 23-9. Configure STP LAG Settings 3 For each LAG to configure, select the check box in the Edit column in the row associated with the LAG. 4 Select the desired settings. 5 Click Apply. Rapid Spanning Tree Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies that allow a faster convergence of the spanning tree without creating forwarding loops.
  • Page 622 Figure 23-10. Rapid Spanning Tree To view RSTP Settings for all interfaces, click the Show All link. The Rapid Spanning Tree Table displays.
  • Page 623 Figure 23-11. RSTP LAG Settings
  • Page 624: Mstp Settings

    MSTP Settings The Multiple Spanning Tree Protocol (MSTP) supports multiple instances of Spanning Tree to efficiently channel VLAN traffic over different interfaces. MSTP is compatible with both RSTP and STP; a MSTP bridge can be configured to behave entirely as a RSTP bridge or a STP bridge. To display the MSTP Settings page, click Switching →...
  • Page 625 Viewing and Modifying the Instance ID for Multiple VLANs To configure MSTP settings for multiple VLANS: 1 Open the MSTP Settings page. 2 Click Show All to display the MSTP Settings Table. Figure 23-13. Configure MSTP Settings 3 For each Instance ID to modify, select the check box in the Edit column in the row associated with the VLAN.
  • Page 626: Mstp Interface Settings

    MSTP Interface Settings Use the MSTP Interface Settings page to assign MSTP settings to specific interfaces. To display the MSTP Interface Settings page, click Switching → Spanning Tree → MSTP Interface Settings in the navigation panel. Figure 23-14. MSTP Interface Settings Configuring MSTP Settings for Multiple Interfaces To configure MSTP settings for multiple interfaces: 1 Open the MSTP Interface Settings page.
  • Page 627 Figure 23-15. Configure MSTP Interface Settings 3 For each interface to configure, select the check box in the Edit column in the row associated with the interface. 4 Update the desired settings. 5 Click Apply.
  • Page 628: Configuring Spanning Tree (Cli)

    Configuring Spanning Tree (CLI) This section provides information about the commands you use to configure STP settings on the switch. For more information about the commands, see PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring Global STP Bridge Settings Beginning in Privileged EXEC mode, use the following commands to configure the global STP settings for the switch, such as the priority and timers.
  • Page 629: Configuring Optional Stp Features

    Command Purpose show spanning-tree View information about spanning tree and the spanning [detail] [active | tree configuration on the switch. blockedports] Configuring Optional STP Features Beginning in Privileged EXEC mode, use the following commands to configure the optional STP features on the switch or on specific interfaces. Command Purpose configure...
  • Page 630: Configuring Stp Interface Settings

    Command Purpose spanning-tree tcnguard Prevent the port from propagating topology change notifications. CTRL + Z Exit to Privileged EXEC mode. show spanning-tree View various spanning tree settings and parameters for the summary switch. Configuring STP Interface Settings Beginning in Privileged EXEC mode, use the following commands to configure the STP settings for a specific interface.
  • Page 631: Configuring Mstp Switch Settings

    Configuring MSTP Switch Settings Beginning in Privileged EXEC mode, use the following commands to configure MSTP settings for the switch. Command Purpose configure Enter global configuration mode. spanning-tree mst Enable configuring an MST region by entering the configuration multiple spanning-tree (MST) mode. string name Define the MST configuration name...
  • Page 632: Configuring Mstp Interface Settings

    Configuring MSTP Interface Settings Beginning in Privileged EXEC mode, use the following commands to configure MSTP settings for the switch. Command Purpose configure Enter global configuration mode. interface interface Enter interface configuration mode for the specified interface. interface variable includes the interface type and number, for example tengigabitethernet 1/0/3 or port-channel 4.
  • Page 633: Stp Configuration Examples

    STP Configuration Examples This section contains the following examples: • Configuring STP • Configuring MSTP Configuring STP This example shows a LAN with four switches. On each switch, ports 1, 2, and 3 connect to other switches, and ports 4–20 connect to hosts (in Figure 23-16, each PC represents 17 host systems).
  • Page 634 Of the four switches in Figure 23-16, the administrator decides that Switch A is the most centrally located in the network and is the least likely to be moved or redeployed. For these reasons, the administrator selects it as the root bridge for the spanning tree.
  • Page 635: Configuring Mstp

    Configuring MSTP This example shows how to configure IEEE 802.1s Multiple Spanning Tree (MST) protocol on the switches shown in Figure 23-17. Figure 23-17. MSTP Configuration Example Switch A Port 1 Port 2 VLAN 10 VLAN 20 Port 1 Port 1 Switch B Switch C Port 2...
  • Page 636 5 Change the region name so that all the bridges that want to be part of the same region can form the region.
    console(config-mst)#name dell
    console(config-mst)#exit
    6 (Switch A only) Configure Switch A to be the root bridge of the spanning tree (CIST Regional Root) by configuring a higher root bridge priority....
  • Page 637: Discovering Network Devices

    Discovering Network Devices This chapter describes the Industry Standard Discovery Protocol (ISDP) feature and the Link Layer Discovery Protocol (LLDP) feature, including LLDP for Media Endpoint Devices (LLDP-MED). The topics covered in this chapter include: • Device Discovery Overview • Default ISDP and LLDP Values •...
  • Page 638: What Is Lldp-Med

    LLDP is a one-way protocol; there are no request/response sequences. Information is advertised by stations implementing the transmit function, and is received and processed by stations implementing the receive function. The transmit and receive functions can be enabled/disabled separately on each switch port.
  • Page 639: Default Isdp And Lldp Values

    Default ISDP and LLDP Values ISDP and LLDP are globally enabled on the switch and enabled on all ports by default. By default, the switch transmits and receives LLDP information on all ports. LLDP-MED is disabled on all ports. Table 24-1 summarizes the default values for ISDP. Table 24-1.
  • Page 640 Table 24-3 summarizes the default values for LLDP-MED. Table 24-3. LLDP-MED Defaults Parameter Default Value LLDP-MED Mode Disabled on all ports Config Notification Mode Disabled on all ports Transmit TLVs MED Capabilities Network Policy
  • Page 641: Configuring Isdp And Lldp (Web)

    Configuring ISDP and LLDP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring ISDP and LLDP/LLDP-MED on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. ISDP Global Configuration From the ISDP Global Configuration page, you can configure the ISDP settings for the switch, such as the administrative mode.
  • Page 642: Isdp Cache Table

    ISDP Cache Table From the ISDP Cache Table page, you can view information about other devices the switch has discovered through the ISDP. To access the ISDP Cache Table page, click System → ISDP → Cache Table in the navigation panel. Figure 24-2.
  • Page 643: Isdp Interface Configuration

    ISDP Interface Configuration From the ISDP Interface Configuration page, you can configure the ISDP settings for each interface. If ISDP is enabled on an interface, it must also be enabled globally in order for the interface to transmit ISDP packets. If the ISDP mode on the ISDP Global Configuration page is disabled, the interface will not transmit ISDP packets, regardless of the mode configured on the interface.
  • Page 644 To view the ISDP mode for multiple interfaces, click Show All. Figure 24-4. ISDP Interface Summary
  • Page 645: Isdp Statistics

    ISDP Statistics From the ISDP Statistics page, you can view information about the ISDP packets sent and received by the switch. To access the ISDP Statistics page, click System → ISDP → Statistics in the navigation panel. Figure 24-5. ISDP Statistics
  • Page 646: Lldp Configuration

    LLDP Configuration Use the LLDP Configuration page to specify LLDP parameters. Parameters that affect the entire system as well as those for a specific interface can be specified here. To display the LLDP Configuration page, click Switching → LLDP → Configuration in the navigation panel.
  • Page 647 To view the LLDP Interface Settings Table, click Show All. From the LLDP Interface Settings Table page, you can view and edit information about the LLDP settings for multiple interfaces. Figure 24-7. LLDP Interface Settings Table
  • Page 648: Lldp Statistics

    LLDP Statistics Use the LLDP Statistics page to view LLDP-related statistics. To display the LLDP Statistics page, click Switching → LLDP → Statistics in the navigation panel. Figure 24-8. LLDP Statistics
  • Page 649: Lldp Connections

    LLDP Connections Use the LLDP Connections page to view the list of ports with LLDP enabled. Basic connection details are displayed. To display the LLDP Connections page, click Switching → LLDP → Connections in the navigation panel. Figure 24-9. LLDP Connections
  • Page 650 To view additional information about a device connected to a port that has been discovered through LLDP, click the port number in the Local Interface table (it is a hyperlink), or click Details and select the port with the connected device. Figure 24-10.
  • Page 651: Lldp-Med Global Configuration

    LLDP-MED Global Configuration Use the LLDP-MED Global Configuration page to change or view the LLDP-MED parameters that affect the entire system. To display the LLDP-MED Global Configuration page, click Switching→ LLDP → LLDP-MED → Global Configuration in the navigation panel. Figure 24-11.
  • Page 652: Lldp-Med Interface Configuration

    LLDP-MED Interface Configuration Use the LLDP-MED Interface Configuration page to specify LLDP-MED parameters that affect a specific interface. To display the LLDP-MED Interface Configuration page, click Switching → LLDP → LLDP-MED → Interface Configuration in the navigation panel. Figure 24-12. LLDP-MED Interface Configuration
  • Page 653 To view the LLDP-MED Interface Summary table, click Show All. Figure 24-13. LLDP-MED Interface Summary
  • Page 654: Lldp-Med Local Device Information

    LLDP-MED Local Device Information Use the LLDP-MED Local Device Information page to view the advertised LLDP local data for each port. To display the LLDP-MED Local Device Information page, click Switching→ LLDP→ LLDP-MED→ Local Device Information in the navigation panel. Figure 24-14.
  • Page 655: Lldp-Med Remote Device Information

    LLDP-MED Remote Device Information Use the LLDP-MED Remote Device Information page to view the LLDP data advertised by remote devices. To display the LLDP-MED Remote Device Information page, click Switching → LLDP → LLDP-MED → Remote Device Information in the navigation panel. Figure 24-15.
  • Page 656: Configuring Isdp And Lldp (Cli)

    For more information about these commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring Global ISDP Settings Beginning in Privileged EXEC mode, use the following commands to configure ISDP settings that affect the entire switch.
  • Page 657: Enabling Isdp On A Port

    Enabling ISDP on a Port Beginning in Privileged EXEC mode, use the following commands to enable ISDP on a port. Command Purpose configure Enter Global Configuration mode. interface interface Enter interface configuration mode for the specified interface. isdp enable Administratively enable ISDP on the switch. exit Exit to Global Config mode.
  • Page 658: Configuring Global Lldp Settings

    Configuring Global LLDP Settings Beginning in Privileged EXEC mode, use the following commands to configure LLDP settings that affect the entire switch. Command Purpose configure Enter Global Configuration mode. lldp notification- Specify how often, in seconds, the switch should send interval interval remote data change notifications.
  • Page 659: Viewing And Clearing Lldp Information

    Command Purpose lldp notification Enable remote data change notifications on the interface. lldp transmit-tlv [sys- Specify which optional type-length-value settings (TLVs) desc][sys-name][sys- in the 802.1AB basic management set will be transmitted cap][port-desc] in the LLDP PDUs. • sys-name — Transmits the system name TLV •...
  • Page 660: Configuring Lldp-Med Settings

    Configuring LLDP-MED Settings Beginning in Privileged EXEC mode, use the following commands to configure LLDP-MED settings that affect the entire switch. Command Purpose configure Enter Global Configuration mode. lldp med Specifies the number of LLDP PDUs that will be faststartrepeatcount transmitted when the protocol is enabled.
  • Page 661: Viewing Lldp-Med Information

    Viewing LLDP-MED Information Beginning in Privileged EXEC mode, use the following commands to view information about the LLDP-MED Protocol Data Units (PDUs) that are sent and have been received. Command Purpose show lldp med local- View LLDP information advertised by the specified port. interface device detail show lldp remote-device...
  • Page 662: Configuring Lldp

    4 Exit to Privileged EXEC mode and view the LLDP settings for the switch and for interface 1/0/3. console(config-if-Te1/0/3)# <CTRL + Z> console#show isdp Timer........45 Hold Time........60 Version 2 Advertisements....Enabled Neighbors table time since last change...00 days 00:00:00 Device ID........none Device ID format capability..
  • Page 663 3 Enable port 1/0/3 to transmit management address information in the LLDP PDUs and to send topology change notifications if a device is added or removed from the port.
    console(config-if-Te1/0/3)#lldp transmit-mgmt
    console(config-if-Te1/0/3)#lldp notification
    4 Specify the TLV information to be included in the LLDP PDUs transmitted from port 1/0/3....
  • Page 664
    Chassis ID Subtype: MAC Address
    Chassis ID: 00:1E:C9:AA:AA:07
    Port ID Subtype: Interface Name
    Port ID: te 1/0/3
    System Name: console
    System Description: PowerConnect 8024 3.16.22.30, VxWorks 6.5
    Port Description: Test Lab Port
    System Capabilities Supported: bridge, router
    System Capabilities Enabled: bridge
    ...
  • Page 665: Configuring Port-Based Traffic

    Configuring Port-Based Traffic Control This chapter describes how to configure features that provide traffic control through filtering the type of traffic or limiting the speed or amount of traffic on a per-port basis. The features this section describes include flow control, storm control, protected ports, and Link Local Protocol Filtering (LLPF), which is also known as Cisco Protocol Filtering.
  • Page 666: What Is Flow Control

    For information about Priority Flow Control (PFC), which provides a way to distinguish which traffic on a physical link is paused when congestion occurs based on the priority of the traffic, see "Configuring Data Center Bridging Features" on page 799.
    What is Flow Control?
    IEEE 802.3 Annex 31B flow control allows nodes that transmit at slower speeds to communicate with higher speed switches by requesting that the...
  • Page 667: What Are Protected Ports

    configured limit is 10%, this is converted to ~25000 PPS, and this PPS limit is set in the hardware. You get the approximate desired output when 512-byte packets are used.
    What are Protected Ports?
    The switch supports up to three separate groups of protected ports. Traffic can flow between protected ports belonging to different groups, but not within the same group.
  • Page 668: Default Port-Based Traffic Control Values

    Access Control Lists (ACLs) and LLPF can exist on the same interface. However, the ACL rules override the LLPF rules when there is a conflict. Similarly, DiffServ and LLPF can both be enabled on an interface, but DiffServ rules override LLPF rules when there is a conflict. If Industry Standard Discovery Protocol (ISDP) is enabled on an interface, and the LLPF feature on an interface is enabled and configured to drop ISDP PDUs, the ISDP configuration overrides the LLPF configuration, and the...
  • Page 669: Configuring Port-Based Traffic Control (Web)

    Configuring Port-Based Traffic Control (Web) This section provides information about the OpenManage Switch Administrator pages to use to control port-based traffic on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. Flow Control (Global Port Parameters) Use the Global Parameters page for ports to enable or disable flow control support on the switch.
  • Page 670: Storm Control

    Storm Control Use the Storm Control page to enable and configure the storm control feature. To display the Storm Control interface, click Switching → Ports → Storm Control in the navigation menu. Figure 25-2. Storm Control Configuring Storm Control Settings on Multiple Ports To configure storm control on multiple ports: 1 Open the Storm Control page.
  • Page 671 Figure 25-3. Storm Control 5 Click Apply.
  • Page 672: Protected Port Configuration

    Protected Port Configuration Use the Protected Port Configuration page to prevent ports in the same protected ports group from being able to see each other’s traffic. To display the Protected Port Configuration page, click Switching → Ports → Protected Port Configuration in the navigation menu. Figure 25-4.
  • Page 673 Figure 25-5. Add Protected Ports Group 5 Click Apply. 6 Click Protected Port Configuration to return to the main page. 7 Select the port to add to the group. 8 Select the protected port group ID. Figure 25-6. Add Protected Ports 9 Click Apply.
  • Page 674: Llpf Configuration

    Figure 25-7. View Protected Port Information 11 To remove a port from a protected port group, select the Remove check box associated with the port and click Apply. LLPF Configuration Use the LLPF Interface Configuration page to filter out various proprietary protocol data units (PDUs) and/or ISDP if problems occur with these protocols running on standards-based switches.
  • Page 675 Figure 25-8. LLPF Interface Configuration To view the protocol types that have been blocked for an interface, click Show All. Figure 25-9. LLPF Filtering Summary
  • Page 676: Configuring Port-Based Traffic Control (Cli)

    Configuring Port-Based Traffic Control (CLI) This section provides information about the commands you use to configure port-based traffic control settings. For more information about the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI commands, see the Reference Guide at support.dell.com/manuals. Configuring Flow Control and Storm Control Beginning in Privileged EXEC mode, use the following commands to configure the flow control and storm control features.
  • Page 677: Configuring Protected Ports

    Command: Purpose
    CTRL + Z: Exit to Privileged EXEC mode.
    show interfaces detail interface: Display detailed information about the specified interface, including the flow control status.
    show storm-control: View whether 802.3x flow control is enabled on the switch.
    show storm-control [interface | all]: View storm control settings for all interfaces or the...
  • Page 678: Configuring Llpf

    Configuring LLPF
    Beginning in Privileged EXEC mode, use the following commands to configure LLPF settings.
    Command: Purpose
    configure: Enter global configuration mode.
    interface interface: Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10,...
  • Page 679: Port-Based Traffic Control Configuration Example

    Port-Based Traffic Control Configuration Example The commands in this example configure storm control, LLPF, and protected port settings for various interfaces on the switch. The storm control configuration in this example sets thresholds on the switch so that if broadcast traffic occupies more than 10% of the bandwidth on any physical port, the interface blocks the broadcast traffic until the measured amount of this traffic drops below the threshold.
  • Page 680 5 Verify the configuration. console#show storm-control te1/0/1 Bcast Bcast Mcast Mcast Ucast Ucast Intf Mode Level Mode Level Mode Level ------ ------- ------- ------- ------- ------- ------- Te1/0/1 Enable Enable Disable console#show service-acl interface te1/0/1 Protocol Mode --------------- ---------- Disabled Enabled Disabled UDLD...
  • Page 681: Configuring L2 Multicast Features

    Configuring L2 Multicast Features This chapter describes the layer 2 multicast features on the PowerConnect 8000-series and 8100-series switches. The features this chapter describes include bridge multicast filtering, Internet Group Management Protocol (IGMP) snooping, Multicast Listener Discovery (MLD) snooping, and Multicast VLAN Registration (MVR).
  • Page 682: L2 Multicast Forwarding Modes

    When a packet enters the switch, the destination MAC address is combined with the VLAN ID, and a search is performed in the Layer 2 MFDB. If no match is found, then the packet is either flooded to all ports in the VLAN or discarded, depending on the switch configuration.
  • Page 683: What Is Igmp Snooping

    particularly when the packet is intended for only a small number of nodes. Packets will be flooded into network segments where no node has any interest in receiving the packet. What Is IGMP Snooping? IGMP Snooping is a layer 2 feature that allows the switch to dynamically add or remove ports from IP multicast groups by listening to IGMP join and leave requests.
  • Page 684: What Is Multicast Vlan Registration

    snooping, IPv6 multicast data is selectively forwarded to a list of ports that want to receive the data instead of being flooded to all ports in a VLAN. This list is constructed by snooping IPv6 multicast control packets. MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes wishing to receive IPv6 multicast packets) on its directly-attached links and to discover which multicast packets are of interest to neighboring nodes.
  • Page 685: When Are L3 Multicast Features Required

    There are two configured learning modes of the MVR operation: dynamic and compatible. • In the dynamic mode, MVR learns existing multicast groups by parsing the IGMP queries from the router on source ports and forwarding the IGMP joins from the hosts to the router. •...
  • Page 686: What Are Garp And Gmrp

    What Are GARP and GMRP? Generic Attribute Registration Protocol (GARP) is a general-purpose protocol that registers any network connectivity or membership-style information. GARP defines a set of switches interested in a given network attribute, such as VLAN ID or multicast address. PowerConnect 8000-series and 8100-series switches can use GARP functionality for two applications: •...
  • Page 687: Snooping Switch Restrictions

    Snooping Switch Restrictions
    Partial IGMPv3 and MLDv2 Support
    The IGMPv3 and MLDv2 protocols allow multicast listeners to specify the list of hosts from which they want to receive the traffic. However, the PowerConnect snooping switch does not track this information. IGMPv3/MLDv2 Report messages that have the group record type CHANGE_TO_INCLUDE_MODE with a null source list are treated as Leave messages.
  • Page 688: Current Mld Snooping Functional Limitations

    stream even when a Report message is successfully forwarded up to the querier. This problem is seen when multicast data forwarding behavior on snooping switches is configured to forward registered multicast groups and drop unregistered multicast groups. To overcome this problem, the administrator should configure static multicast forwarding entries on intermediate snooping switches to forward the multicast stream to the multicast querier.
  • Page 689: Default L2 Multicast Values

    Default L2 Multicast Values
    All L2 multicast features are disabled by default. Details about the L2 multicast are in Table 26-1.
    Table 26-1. L2 Multicast Defaults
    Parameter: Default Value
    Bridge Multicast Filtering: Disabled
    IGMP Snooping mode: Disabled
    MLD Snooping mode: Disabled
    Bridge multicast group: None configured...
  • Page 690 Table 26-1. L2 Multicast Defaults (Continued)
    Parameter: Default Value
    GARP Leave Timer: 60 centiseconds
    GARP Leave All Timer: 1000 centiseconds
    GARP Join Timer: 20 centiseconds
    GMRP: Disabled globally and per-interface
  • Page 691: Configuring L2 Multicast Features (Web)

    Configuring L2 Multicast Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 multicast features on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. Multicast Global Parameters Use the Multicast Global Parameters page to enable or disable bridge multicast filtering, IGMP Snooping, or MLD Snooping on the switch.
  • Page 692: Bridge Multicast Group

    Bridge Multicast Group Use the Bridge Multicast Group page to create new multicast service groups or to modify ports and LAGs assigned to existing multicast service groups. Attached interfaces display in the Port and LAG tables and reflect the manner in which each is joined to the Multicast group.
  • Page 693 • LAGs — Displays and assigns multicast group membership to LAGs. To assign membership, click in Static for a specific LAG. Each click toggles between S, F, and blank. See Table 26-2 for definitions. Table 26-2 contains definitions for port/LAG IGMP management settings. Table 26-2.
  • Page 694 Figure 26-3. Add Bridge Multicast Group 2 Select the ID of the VLAN to add to the multicast group or to modify membership for an existing group. 3 For a new group, specify the multicast group IP or MAC address associated with the selected VLAN.
  • Page 695: Bridge Multicast Forwarding

    Removing a Bridge Multicast Group To delete a bridge multicast group: 1 Open the Bridge Multicast Group page. 2 Select the VLAN ID associated with the bridge multicast group to be removed from the drop-down menu. The Bridge Multicast Address and the assigned ports/LAGs display. 3 Check the Remove check box.
  • Page 696: Mrouter Status

    MRouter Status Use the MRouter Status page to display the status of dynamically learned multicast router interfaces. To access this page, click Switching → Multicast Support → MRouter Status in the navigation panel. Figure 26-5. MRouter Status
  • Page 697: General Igmp Snooping

    General IGMP Snooping Use the General IGMP snooping page to configure IGMP snooping settings on specific ports and LAGs. To display the General IGMP snooping page, click Switching → Multicast Support → IGMP Snooping → General in the navigation menu. Figure 26-6.
  • Page 698 Figure 26-7. Edit IGMP Snooping Settings 3 Edit the IGMP Snooping fields as needed. 4 Click Apply. The IGMP Snooping settings are modified, and the device is updated. Copying IGMP Snooping Settings to Multiple Ports, LAGs, or VLANs To copy IGMP snooping settings: 1 From the General IGMP snooping page, click Show All.
  • Page 699 4 Select the Copy To checkbox for the Unit/Ports, LAGs, or VLANs that these parameters will be copied to. In Figure 26-8, the settings for port 3 will be copied to ports 4 and 5 and LAGs 1 and 2. Figure 26-8.
  • Page 700: Global Querier Configuration

    Global Querier Configuration Use the Global Querier Configuration page to configure IGMP snooping querier settings, such as the IP address to use as the source in periodic IGMP queries when no source address has been configured on the VLAN. To display the Global Querier Configuration page, click Switching → Multicast Support →...
  • Page 701: Vlan Querier

    VLAN Querier Use the VLAN Querier page to specify the IGMP Snooping Querier settings for individual VLANs. To display the VLAN Querier page, click Switching → Multicast Support → IGMP Snooping → VLAN Querier in the navigation menu. Figure 26-10. VLAN Querier Adding a New VLAN and Configuring its VLAN Querier Settings To configure a VLAN querier: 1 From the VLAN Querier page, click Add.
  • Page 702 Figure 26-11. Add VLAN Querier 2 Enter the VLAN ID and, if desired, an optional VLAN name. 3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu. 4 Specify the VLAN querier settings. 5 Click Apply.
  • Page 703 To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch, click Show All. Figure 26-12. Add VLAN Querier
  • Page 704: Vlan Querier Status

    VLAN Querier Status Use the VLAN Querier Status page to view the IGMP Snooping Querier settings for individual VLANs. To display the VLAN Querier Status page, click Switching → Multicast Support → IGMP Snooping → VLAN Querier Status in the navigation menu. Figure 26-13.
  • Page 705: Mfdb Igmp Snooping Table

    MFDB IGMP Snooping Table Use the MFDB IGMP Snooping Table page to view the multicast forwarding database (MFDB) IGMP Snooping Table and Forbidden Ports settings for individual VLANs. To display the MFDB IGMP Snooping Table page, click Switching → Multicast Support → IGMP Snooping → MFDB IGMP Snooping Table in the navigation menu.
  • Page 706: Mld Snooping General

    MLD Snooping General Use the MLD Snooping General page to add MLD members. To access this page, click Switching → Multicast Support → MLD Snooping → General in the navigation panel. Figure 26-15. MLD Snooping General Modifying MLD Snooping Settings for Multiple Ports, LAGs, or VLANs To configure MLD snooping: 1 From the General MLD snooping page, click Show All.
  • Page 707 Figure 26-16. MLD Snooping Table 2 Select the Edit checkbox for each Port, LAG, or VLAN to modify. 3 Edit the MLD Snooping fields as needed. 4 Click Apply. The MLD Snooping settings are modified, and the device is updated.
  • Page 708: Mld Snooping Global Querier Configuration

    Copying MLD Snooping Settings to Multiple Ports, LAGs, or VLANs To copy MLD snooping settings: 1 From the General MLD snooping page, click Show All. The MLD Snooping Table displays. 2 Select the Copy Parameters From checkbox. 3 Select a Unit/Port, LAG, or VLAN to use as the source of the desired parameters.
  • Page 709: Mld Snooping Vlan Querier

    Figure 26-17. MLD Snooping Global Querier Configuration MLD Snooping VLAN Querier Use the MLD Snooping VLAN Querier page to specify the MLD Snooping Querier settings for individual VLANs. To display the MLD Snooping VLAN Querier page, click Switching → Multicast Support → MLD Snooping → VLAN Querier in the navigation menu.
  • Page 710 Figure 26-18. MLD Snooping VLAN Querier Adding a New VLAN and Configuring its MLD Snooping VLAN Querier Settings To configure an MLD snooping VLAN querier: 1 From the VLAN Querier page, click Add. The page refreshes, and the Add VLAN page displays. Figure 26-19.
  • Page 711 3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu. 4 Specify the VLAN querier settings. 5 Click Apply. The VLAN Querier settings are modified, and the device is updated. To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch, click Show All.
  • Page 712: Mld Snooping Vlan Querier Status

    MLD Snooping VLAN Querier Status Use the VLAN Querier Status page to view the MLD Snooping Querier settings for individual VLANs. To display the VLAN Querier Status page, click Switching → Multicast Support → MLD Snooping → VLAN Querier Status in the navigation menu. Figure 26-21.
  • Page 713: Mfdb Mld Snooping Table

    MFDB MLD Snooping Table Use the MFDB MLD Snooping Table page to view the MFDB MLD Snooping Table settings for individual VLANs. To display the MFDB MLD Snooping Table page, click Switching → Multicast Support → MLD Snooping → MFDB MLD Snooping Table in the navigation menu.
  • Page 714: Mvr Global Configuration

    MVR Global Configuration Use the MVR Global Configuration page to enable the MVR feature and configure global parameters. To display the MVR Global Configuration page, click Switching → MVR Configuration → Global Configuration in the navigation panel. Figure 26-23. MVR Global Configuration
  • Page 715: Mvr Members

    MVR Members Use the MVR Members page to view and configure MVR group members. To display the MVR Members page, click Switching → MVR Configuration → MVR Members in the navigation panel. Figure 26-24. MVR Members Adding an MVR Membership Group To add an MVR membership group: 1 From the MVR Membership page, click Add.
  • Page 716: Mvr Interface Configuration

    2 Specify the MVR group IP multicast address. 3 Click Apply. MVR Interface Configuration Use the MVR Interface Configuration page to enable MVR on a port, configure its MVR settings, and add the port to an MVR group. To display the MVR Interface Configuration page, click Switching →...
  • Page 717 To view a summary of the MVR interface configuration, click Show All. Figure 26-27. MVR Interface Summary Adding an Interface to an MVR Group To add an interface to an MVR group: 1 From the MVR Interface page, click Add. Figure 26-28.
  • Page 718 Removing an Interface from an MVR Group To remove an interface from an MVR group: 1 From the MVR Interface page, click Remove. Figure 26-29. MVR - Remove from Group 2 Select the interface to remove from an MVR group. 3 Specify the IP multicast address of the MVR group.
  • Page 719: Mvr Statistics

    MVR Statistics Use the MVR Statistics page to view MVR statistics on the switch. To display the MVR Statistics page, click Switching → MVR Configuration → MVR Statistics in the navigation panel. Figure 26-30. MVR Statistics
  • Page 720: Garp Timers

    GARP Timers The Timers page contains fields for setting the GARP timers used by GVRP and GMRP on the switch. To display the Timers page, click Switching → GARP → Timers in the navigation panel. Figure 26-31. GARP Timers Configuring GARP Timer Settings for Multiple Ports To configure GARP timers on multiple ports: 1 Open the Timers page.
  • Page 721 Figure 26-32. Configure STP Port Settings 3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port. 4 Specify the desired timer values. 5 Click Apply.
  • Page 722: Gmrp Parameters

    Copying GARP Timer Settings From One Port to Others To copy GARP timer settings: 1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs. 2 In the Ports or LAGs list, select the check box(es) in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field.
  • Page 723 2 Click Show All to display the GMRP Port Configuration Table. Figure 26-34. GMRP Port Configuration Table 3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port. 4 Specify the desired timer values.
  • Page 724: Mfdb Gmrp Table

    Copying Settings From One Port or LAG to Others To copy GMRP settings: 1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs. 2 In the Ports or LAGs list, select the check box(es) in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field.
  • Page 725: Configuring L2 Multicast Features (Cli)

    Configuring L2 Multicast Features (CLI) This section provides information about the commands you use to configure L2 multicast settings on the switch. For more information about the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI commands, see the Reference Guide at support.dell.com/manuals. Configuring Bridge Multicasting Beginning in Privileged EXEC mode, use the following commands to configure MAC address table features.
  • Page 726 Command Purpose mac address-table Forbid adding a specific Multicast address to specific ports. multicast forbidden mac-multicast-address • — MAC multicast address in the vlan-id address vlan format xxxx.xxxx.xxxx. mac-multicast-address ip- multicast-address • — IP multicast address. ip-multicast-address {add | remove} •...
  • Page 727: Configuring Igmp Snooping

    Configuring IGMP Snooping
    Beginning in Privileged EXEC mode, use the following commands to configure IGMP snooping settings on the switch, ports, and LAGs.
    Command: Purpose
    configure: Enter global configuration mode.
    ip igmp snooping: Globally enable IGMP snooping on the switch. (IGMP snooping is disabled by default.)
    interface interface...
  • Page 728: Configuring Igmp Snooping On Vlans

    Command Purpose ip igmp snooping Specify the multicast router time-out value for an time- mrouter-time-out interface. This command sets the number of seconds to wait to age out an automatically-learned multicast router port. CTRL + Z Exit to Privileged EXEC mode. show ip igmp snooping View IGMP snooping settings configured on the switch.
  • Page 729: Configuring Igmp Snooping Querier

    Command: Purpose
    ip igmp snooping mcrtexpiretime vlan-id seconds: Specify the multicast router time-out value to associate with a VLAN. This command sets the number of seconds to wait to age out an automatically-learned multicast router port.
    CTRL + Z: Exit to Privileged EXEC mode.
  • Page 730: Configuring Mld Snooping

    Command Purpose ip igmp snooping querier Allow the IGMP snooping querier to participate in the vlan- election participate querier election process when it discovers the presence of another querier in the VLAN. When this mode is enabled, if the snooping querier finds that the other querier source address is more than the snooping querier address, it stops sending periodic queries.
  • Page 731: Configuring Mld Snooping On Vlans

    Command: Purpose
    ipv6 mld snooping maxresponse seconds: Specify the leave time-out value for an interface. If an MLD report for a multicast group is not received within the number of seconds specified by the leave-time-out period after an MLD leave was received from a specific interface, the current interface is deleted from the member list of that multicast group.
  • Page 732: Configuring Mld Snooping Querier

    Command: Purpose
    ipv6 mld snooping maxresponse vlan-id seconds: Specify the leave time-out value for the VLAN. If an MLD report for a multicast group is not received within the number of seconds configured with this command after an MLD leave was received from a specific interface, the current VLAN is deleted from the member list of that multicast group.
  • Page 733: Configuring Mvr

    Command: Purpose
    ipv6 mld snooping querier election participate vlan-id: Allow the MLD snooping querier to participate in the querier election process when it discovers the presence of another querier in the VLAN. When this mode is enabled, if the snooping querier finds that the other querier source address is more than the snooping querier address, it stops sending periodic queries.
  • Page 734 Command: Purpose
    mvr mode {compatible | dynamic}: Specify the MVR mode of operation.
    mvr group mcast-address groups: Add an MVR membership group.
    • mcast-address —The group IP multicast address
    • group —Specifies the number of contiguous groups
    interface interface: Enter interface configuration mode for the specified port. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
  • Page 735: Configuring Garp Timers And Gmrp

    Configuring GARP Timers and GMRP
    Beginning in Privileged EXEC mode, use the following commands to configure the GARP timers and to control the administrative mode GMRP on the switch and per-interface.
    Command: Purpose
    configure: Enter global configuration mode.
    garp timer {join | leave | leaveall} timer_value: Adjust the GARP application join, leave, and leaveall...
  • Page 736: Case Study On A Real-World Network Topology

    Case Study on a Real-World Network Topology
    Multicast Snooping Case Study
    Figure 26-36 shows the topology that the scenarios in this case study use.
    Figure 26-36. Case Study Topology
  • Page 737 • Router-attached ports: D3 – 1/0/20, D2 – PortChannel1, D1 – 1/0/15 Snooping Within a Subnet In the example network topology, the multicast source and listeners are in the same subnet VLAN 20 – 192.168.20.70/24. D1 and D3 are configured to drop unregistered multicast traffic.
  • Page 738 4 Client D will not receive the multicast stream from Server B because it is dropped at D1, where 239.20.30.42 is not a registered group. 5 The administrator creates a static multicast forwarding entry VLAN 20, 239.20.30.42 – 1/0/15 on D1. 6 Client G will not receive the Server B multicast stream because it did not request it, and the static multicast forwarding entry does not have D1 –...
  • Page 739 Multicast Source directly connected to Multicast Router, and Listener connected to a different routing VLAN via intermediate snooping switches: Server A → Client F. Clients A, D and F are in the same subnet VLAN20 - 192.168.20.70/24. Server A is in a different subnet VLAN10 – 192.168.10.70/24. 1 Client F sends a report for 239.20.30.40.
  • Page 740 4 The administrator creates a static multicast forwarding entry on D1 VLAN 20, 239.20.30.42 – 1/0/15 and on D3 VLAN 20, 239.20.30.42 – 1/0/20. 5 The multicast stream from Server B reaches D4 via trunk links because it is a statically registered group on D1 and D3. 6 An IP multicast routing entry is created on D4 VLAN 20 –...
  • Page 741 11 Client E receives multicast data from Server B. 12 Clients B and C do not receive Server B data because no report messages were sent requesting Server B traffic.
  • Page 743: Snooping And Inspecting Traffic

    Snooping and Inspecting Traffic This chapter describes Dynamic Host Configuration Protocol (DHCP) Snooping, IP Source Guard (IPSG), and Dynamic ARP Inspection (DAI), which are layer 2 security features that examine traffic to help prevent accidental and malicious attacks on the switch or network. The topics covered in this chapter include: •...
  • Page 744: What Is Dhcp Snooping

    What Is DHCP Snooping? Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to accomplish the following tasks: • Filter harmful DHCP messages • Build a bindings database with entries that consist of the following information: •...
  • Page 745: How Is The Dhcp Snooping Bindings Database Populated

    How Is the DHCP Snooping Bindings Database Populated? The DHCP snooping application uses DHCP messages to build and maintain the bindings database. DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to a port (the port where the DHCP client message was received). Tentative bindings are completed when DHCP snooping learns the client’s IP address from a DHCP ACK message on a trusted port.
  • Page 746 DHCP Snooping and VLANs DHCP snooping forwards valid DHCP client messages received on non- routing VLANs. The message is forwarded on all trusted interfaces in the VLAN. DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules and updates the bindings database.
  • Page 747: What Is Ip Source Guard

    What Is IP Source Guard? IPSG is a security feature that filters IP packets based on source ID. This feature helps protect the network from attacks that use IP address spoofing to compromise or overwhelm the network. The source ID may be either the source IP address or a {source IP address, source MAC address} pair.
  • Page 748: What Is Dynamic Arp Inspection

    What is Dynamic ARP Inspection? Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious attacker sends ARP requests or responses mapping another station’s IP address to its own MAC address.
  • Page 749: Why Is Traffic Snooping And Inspection Necessary

    Why Is Traffic Snooping and Inspection Necessary? DHCP Snooping, IPSG, and DAI are security features that can help protect the switch and the network against various types of accidental or malicious attacks. It might be a good idea to enable these features on ports that provide network access to hosts that are in physically unsecured locations or if network users connect nonstandard hosts to the network.
  • Page 750 Table 27-1. Traffic Snooping Defaults (Continued)
    Parameter: Default Value
    Static IPSG bindings: None configured
    DAI validate source MAC: Disabled
    DAI validate destination MAC: Disabled
    DAI validate IP: Disabled
    DAI trust state: Disabled (untrusted)
    DAI Rate limit: 15 packets per second
    DAI Burst interval: 1 second
    DAI mode...
  • Page 751: Configuring Traffic Snooping And Inspection (Web)

    Configuring Traffic Snooping and Inspection (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DHCP snooping, IPSG, and DAI features on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page.
  • Page 752: Dhcp Snooping Interface Configuration

    DHCP Snooping Interface Configuration Use the DHCP Snooping Interface Configuration page to configure the DHCP Snooping settings on individual ports and LAGs. To access the DHCP Snooping Interface Configuration page, click Switching → DHCP Snooping → Interface Configuration in the navigation panel.
  • Page 753 To view a summary of the DHCP snooping configuration for all interfaces, click Show All. Figure 27-4. DHCP Snooping Interface Configuration Summary Snooping and Inspecting Traffic...
  • Page 754: Dhcp Snooping Vlan Configuration

    DHCP Snooping VLAN Configuration Use the DHCP Snooping VLAN Configuration page to control the DHCP snooping mode on each VLAN. To access the DHCP Snooping VLAN Configuration page, click Switching → DHCP Snooping → VLAN Configuration in the navigation panel. Figure 27-5.
  • Page 755 To view a summary of the DHCP snooping status for all VLANs, click Show All. Figure 27-6. DHCP Snooping VLAN Configuration Summary...
  • Page 756: Dhcp Snooping Persistent Configuration

    DHCP Snooping Persistent Configuration Use the DHCP Snooping Persistent Configuration page to configure the persistent location of the DHCP snooping database. The bindings database can be stored locally on the switch or on a remote system somewhere else in the network. The switch must be able to reach the IP address of the remote system to send bindings to a remote database.
  • Page 757: Dhcp Snooping Static Bindings Configuration

    DHCP Snooping Static Bindings Configuration Use the DHCP Snooping Static Bindings Configuration page to add static DHCP bindings to the binding database. To access the DHCP Snooping Static Bindings Configuration page, click Switching → DHCP Snooping → Static Bindings Configuration in the navigation panel.
  • Page 758 To view a summary of the DHCP snooping status for all VLANs, click Show All. Figure 27-9. DHCP Snooping Static Bindings Summary To remove a static binding, select the Remove checkbox associated with the binding and click Apply...
  • Page 759: Dhcp Snooping Dynamic Bindings Summary

    DHCP Snooping Dynamic Bindings Summary The DHCP Snooping Dynamic Bindings Summary lists all the DHCP snooping dynamic binding entries learned on the switch ports. To access the DHCP Snooping Dynamic Bindings Summary page, click Switching → DHCP Snooping → Dynamic Bindings Summary in the navigation panel.
  • Page 760: Dhcp Snooping Statistics

    DHCP Snooping Statistics The DHCP Snooping Statistics page displays DHCP snooping interface statistics. To access the DHCP Snooping Statistics page, click Switching → DHCP Snooping → Statistics in the navigation panel. Figure 27-11. DHCP Snooping Statistics...
  • Page 761: Ipsg Interface Configuration

    IPSG Interface Configuration Use the IPSG Interface Configuration page to configure IPSG on an interface. To access the IPSG Interface Configuration page, click Switching → IP Source Guard → IPSG Interface Configuration in the navigation panel. Figure 27-12. IPSG Interface Configuration...
  • Page 762: Ipsg Binding Configuration

    IPSG Binding Configuration The IPSG Binding Configuration page displays DHCP snooping interface statistics. To access the IPSG Binding Configuration page, click Switching → IP Source Guard → IPSG Binding Configuration in the navigation panel. Figure 27-13. IPSG Binding Configuration...
  • Page 763: Ipsg Binding Summary

    IPSG Binding Summary The IPSG Binding Summary page displays the IPSG Static binding list and IPSG dynamic binding list (the static bindings configured in Binding configuration page). To access the IPSG Binding Summary page, click Switching → IP Source Guard → IPSG Binding Summary in the navigation panel. Figure 27-14.
  • Page 764: Dai Global Configuration

    DAI Global Configuration Use the DAI Configuration page to configure global DAI settings. To display the DAI Configuration page, click Switching → Dynamic ARP Inspection → Global Configuration in the navigation panel. Figure 27-15. Dynamic ARP Inspection Global Configuration...
  • Page 765: Dai Interface Configuration

    DAI Interface Configuration Use the DAI Interface Configuration page to select the DAI Interface for which information is to be displayed or configured. To display the DAI Interface Configuration page, click Switching → Dynamic ARP Inspection → Interface Configuration in the navigation panel. Figure 27-16.
  • Page 766 Figure 27-17. DAI Interface Configuration Summary...
  • Page 767: Dai Vlan Configuration

    DAI VLAN Configuration Use the DAI VLAN Configuration page to select the VLANs for which information is to be displayed or configured. To display the DAI VLAN Configuration page, click Switching → Dynamic ARP Inspection → VLAN Configuration in the navigation panel. Figure 27-18.
  • Page 768: Dai Acl Configuration

    Figure 27-19. Dynamic ARP Inspection VLAN Configuration Summary DAI ACL Configuration Use the DAI ACL Configuration page to add or remove ARP ACLs. To display the DAI ACL Configuration page, click Switching → Dynamic ARP Inspection → ACL Configuration in the navigation panel. Figure 27-20.
  • Page 769: Dai Acl Rule Configuration

    To view a summary of the ARP ACLs that have been created, click Show All. Figure 27-21. Dynamic ARP Inspection ACL Summary To remove an ARP ACL, select the Remove checkbox associated with the ACL and click Apply. DAI ACL Rule Configuration Use the DAI ARP ACL Rule Configuration page to add or remove DAI ARP ACL Rules.
  • Page 770 Figure 27-22. Dynamic ARP Inspection Rule Configuration To view a summary of the ARP ACL rules that have been created, click Show All. Figure 27-23. Dynamic ARP Inspection ACL Rule Summary To remove an ARP ACL rule, select the Remove checkbox associated with the rule and click Apply.
  • Page 771: Dai Statistics

    DAI Statistics Use the DAI Statistics page to display the statistics per VLAN. To display the DAI Statistics page, click Switching → Dynamic ARP Inspection → Statistics in the navigation panel. Figure 27-24. Dynamic ARP Inspection Statistics...
  • Page 772: Configuring Traffic Snooping And Inspection (Cli)

    DHCP snooping, IPSG, and DAI settings on the switch. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring DHCP Snooping Beginning in Privileged EXEC mode, use the following commands to configure and view DHCP snooping settings.
  • Page 773 Command Purpose ip dhcp snooping limit Configure the maximum rate of DHCP messages allowed rate {none | rate [burst on the switch at any given time. seconds interval rate • —The maximum number of packets per second allowed (Range: 0–300 pps). seconds •...
  • Page 774: Configuring Ip Source Guard

    Configuring IP Source Guard Beginning in Privileged EXEC mode, use the following commands to configure IPSG settings on the switch.
    Command: Purpose
    configure: Enter global configuration mode.
    interface interface: Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
  • Page 775: Configuring Dynamic Arp Inspection

    Configuring Dynamic ARP Inspection Beginning in Privileged EXEC mode, use the following commands to configure DAI settings on the switch.
    Command: Purpose
    configure: Enter global configuration mode.
    ip arp inspection vlan vlan-range [logging]: Enable Dynamic ARP Inspection on a single VLAN or a range of VLANs.
  • Page 776
    Command: Purpose
    ip arp inspection filter acl-name vlan vlan-range [static]: Configure the ARP ACL to be used for a single VLAN or a range of VLANs to filter invalid ARP packets. Use the static keyword to indicate that packets that do not match a permit statement are dropped without consulting the DHCP snooping bindings.
  • Page 777: Traffic Snooping And Inspection Configuration Examples

    Traffic Snooping and Inspection Configuration Examples This section contains the following examples: • Configuring DHCP Snooping • Configuring IPSG Configuring DHCP Snooping In this example, DHCP snooping is enabled on VLAN 100. Ports 1-20 connect end users to the network and are members of VLAN 100. These ports are configured to limit the maximum number of DHCP packets with a rate limit of 100 packets per second.
  • Page 778 To configure the switch:
    1 Enable DHCP snooping on VLAN 100.
      console#config
      console(config)#ip dhcp snooping vlan 100
    2 Configure LAG 1, which includes ports 21-24, as a trusted port. All other interfaces are untrusted by default.
      console(config)#interface port-channel 1
      console(config-if-Po1)#ip dhcp snooping trust
      console(config-if-Po1)#exit
    3 Enter interface configuration mode for all untrusted interfaces (ports 1-20) and limit the number of DHCP packets that an interface can receive...
  • Page 779: Configuring Ipsg

    Configuring IPSG This example builds on the previous example and uses the same topology shown in Figure 27-25. In this configuration example, IP source guard is enabled on ports 1-20. DHCP snooping must also be enabled on these ports. Additionally, because the ports use IP source guard with source IP and MAC address filtering, port security must be enabled on the ports as well.
  • Page 780 Snooping and Inspecting Traffic...
  • Page 781: Configuring Link Aggregation

    Configuring Link Aggregation This chapter describes how to create and configure link aggregation groups (LAGs), which are also known as port channels. The topics covered in this chapter include: • Link Aggregation Overview • Default Link Aggregation Values • Configuring Link Aggregation (Web) •...
  • Page 782: Why Are Link Aggregation Groups Necessary

    Figure 28-1 shows an example of a switch in the wiring closet connected to a switch in the data center by a LAG that consists of four physical 10 Gbps links. The LAG provides full-duplex bandwidth of 40 Gbps between the two switches.
  • Page 783: What Is Lag Hashing

    This provides a more resilient LAG. Best practices suggest using dynamic link aggregation instead of static link aggregation. When a port is added to a LAG as a static member, it neither transmits nor receives LACP PDUs. What is LAG Hashing? PowerConnect 8000-series and 8100-series switches support configuration of hashing algorithms for each LAG interface.
  • Page 784: How Do Lags Interact With Other Features

    How Do LAGs Interact with Other Features? From a system perspective, a LAG is treated just as a physical port, with the same configuration parameters for administrative enable/disable, spanning tree port priority, and path cost as for any other physical port. VLAN When members are added to a LAG, they are removed from all existing VLAN membership.
  • Page 785: Lag Configuration Guidelines

    LAG Configuration Guidelines Ports to be aggregated must be configured so that they are compatible with the link aggregation feature and with the partner switch to which they connect. Ports to be added to a LAG must meet the following requirements: •...
  • Page 786: Configuring Link Aggregation (Web)

    Configuring Link Aggregation (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring LAGs on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. LAG Configuration Use the LAG Configuration page to set the name and administrative status (up/down) of a LAG.
  • Page 787 To view or edit settings for multiple LAGs, click Show All. Configuring Link Aggregation...
  • Page 788: Lacp Parameters

    LACP Parameters Dynamic link aggregation is initiated and maintained by the periodic exchanges of LACP PDUs. Use the LACP Parameters page to configure LACP LAGs. To display the LACP Parameters page, click Switching → Link Aggregation → LACP Parameters in the navigation panel. Figure 28-3.
  • Page 789 Figure 28-4. LACP Parameters Table 3 Select the Edit check box associated with each port to configure. 4 Specify the LACP port priority and LACP timeout for each port. 5 Click Apply...
  • Page 790: Lag Membership

    LAG Membership Your switch supports 48 LAGs per system, and eight ports per LAG. Use the LAG Membership page to assign ports to static and dynamic LAGs. To display the LAG Membership page, click Switching → Link Aggregation → LAG Membership in the navigation panel. Figure 28-5.
  • Page 791: Lag Hash Configuration

    Adding a LAG Port to a Dynamic LAG by Using LACP To add a dynamic LAG member: 1 Open the LAG Membership page. 2 Click in the LACP row to toggle the desired LAG port to L. NOTE: The port must be assigned to a LAG before it can be aggregated to an LACP.
  • Page 792: Lag Hash Summary

    LAG Hash Summary The LAG Hash Summary page lists the channels on the system and their assigned hash algorithm type. To display the LAG Hash Summary page, click Switching → Link Aggregation → LAG Hash Summary in the navigation panel. Figure 28-7.
  • Page 793: Configuring Link Aggregation (Cli)

    Configuring Link Aggregation (CLI) This section provides information about the commands you use to configure link aggregation settings on the switch. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring LAG Characteristics Beginning in Privileged EXEC mode, use the following commands to configure a few of the available LAG characteristics.
  • Page 794: Configuring Link Aggregation Groups

    Configuring Link Aggregation Groups Beginning in Privileged EXEC mode, use the following commands to add ports as LAG members and to configure the LAG hashing mode.
    Command: Purpose
    configure: Enter global configuration mode.
    interface interface: Enter interface configuration mode for the specified port. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
  • Page 795
    Command: Purpose
    hashing-mode mode: Set the hashing algorithm on the LAG. The mode value is a number from 1 to 7. The numbers correspond to the following algorithms:
    • 1 — Source MAC, VLAN, EtherType, source module, and port ID
    • 2 — Destination MAC, VLAN, EtherType, source module, and port ID
    •...
  • Page 796: Configuring Lacp Parameters

    Configuring LACP Parameters Beginning in Privileged EXEC mode, use the following commands to configure system and per-port LACP parameters.
    Command: Purpose
    configure: Enter global configuration mode.
    lacp system-priority value: Set the Link Aggregation Control Protocol priority for the switch. The priority value range is 1–65535.
    interface port-channel: Enter interface configuration mode for the specified LAG.
  • Page 797: Link Aggregation Configuration Examples

    Link Aggregation Configuration Examples This section contains the following examples: • Configuring Dynamic LAGs • Configuring Static LAGs NOTE: The examples in this section show the configuration of only one switch. Because LAGs involve physical links between two switches, the LAG settings and member ports must be configured on both switches.
  • Page 798: Configuring Static Lags

    Configuring Static LAGs The commands in this example show how to configure a static LAG on a switch. The LAG number is 2, and the member ports are 10, 11, 14, and 17. To configure the switch: 1 Enter interface configuration mode for the ports that are to be configured as LAG members.
  • Page 799: Configuring Data Center Bridging

    • Enhanced Transmission Selection (ETS) Data Center Bridging Technology Overview The PowerConnect 8024/8024F switches support Data Center Bridging (DCB) features to increase the reliability of Ethernet-based networks in the data center. The PC81xx switches support PFC, ETS, and DCBX capability exchange, with the ability to autoconfigure from a peer switch.
  • Page 800: Default Dcb Values

    Table 29-1. Data Center Features (Continued) Feature Description DCBx Allows DCB devices to exchange configuration information, using type-length-value (TLV) information elements over LLDP, with directly connected peers. FIP Snooping Inspects and monitors FIP frames and applies policies based upon the L2 header information in those frames Supports the ETS configuration and Application Priority TLVs, which are accepted from auto-upstream devices and propagated to auto-downstream devices.
  • Page 801: Priority Flow Control

    Priority Flow Control Ordinarily, when flow control is enabled on a physical link, it applies to all traffic on the link. When congestion occurs, the hardware sends pause frames that temporarily suspend traffic flow to help prevent buffer overflow and dropped frames.
  • Page 802: Configuring Pfc Using The Web Interface

    Operator configuration of PFC is used only when the port is configured in a manual role. When interoperating with other equipment in a manual role, the peer equipment must be configured with identical PFC priorities and VLAN assignments. Interfaces not enabled for PFC ignore received PFC frames.
  • Page 803 Figure 29-1. PFC Configuration PFC Statistics Page Use the PFC Statistics page to view the PFC statistics for interfaces on the switch. To display the PFC Statistics page, click Switching → PFC → PFC Statistics in the navigation menu. Configuring Data Center Bridging Features...
  • Page 804: Configuring Pfc Using The Cli

    Figure 29-2. PFC Statistics Configuring PFC Using the CLI Beginning in Privileged EXEC mode, use the following commands to configure PFC. NOTE: If DCBx is enabled and the switch is set to autoconfigure from a DCBX peer, configuring PFC is not necessary because the DCBx protocol automatically configures the PFC parameters.
  • Page 805
    Command: Purpose
    interface interface: Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
  • Page 806: Pfc Configuration Example

    PFC Configuration Example The network in this example handles both data and voice traffic. Because the voice traffic is time sensitive, it requires a higher priority than standard data traffic. The voice traffic uses VLAN 100 and has an 802.1p priority of 5, which is mapped to hardware queue 4.
  • Page 807: Dcb Capability Exchange

    DCB Capability Exchange The Data Center Bridging Exchange Protocol (DCBx) is used by DCB devices to exchange configuration information with directly connected peers. DCBx uses type-length-value (TLV) information elements over LLDP to exchange information, so LLDP must be enabled on the port to enable the information exchange.
  • Page 808: Interoperability With Ieee Dcbx

    Interoperability with IEEE DCBx To be interoperable with legacy industry implementations of the DCBx protocol, the PowerConnect 8024/8024F switches use a hybrid model to support both the IEEE version of DCBx (IEEE 802.1Qaz) and legacy DCBx versions. The PowerConnect 8024/8024F switch automatically detects whether a peer is operating with either of the two CEE DCBx versions or the IEEE standard DCBx version (the default mode).
  • Page 809 explicitly by the operator. These ports advertise their configuration to their peer if DCBx is enabled on that port. Incompatible peer configurations are logged and counted with an error counter. The default operating mode for each port is manual. A port that is set to manual mode sets the willing bit for DCBx client TLVs to false.
  • Page 810: Configuration Source Port Selection Process

    the willing parameter is disabled on auto-downstream. By default, auto-downstream ports have the recommendation TLV parameter enabled. Auto-downstream ports that receive internally propagated information ignore their local configuration and utilize the internally propagated information. Auto-downstream ports propagate PFC, ETS, and application priority information received from the configuration source.
  • Page 811: Disabling Dcbx

    • The switch is capable of supporting the received configuration values, either directly or by translating the values into an equivalent configuration. Whether or not the peer configuration is compatible with the configured values is NOT considered. The newly elected configuration source propagates DCBx client information to the other ports and is internally marked as being the port over which configuration has been received.
  • Page 812: Configuring Dcbx

    These commands eliminate only the DCBX TLVs from use by LLDP. They do not otherwise affect any manually configured DCBX capabilities or the normal operation of LLDP. Configuring DCBx You can use the CLI to configure DCBx. Beginning in Privileged EXEC mode, use the following commands to configure DCBx.
  • Page 813
    Command: Purpose
    lldp tlv-select dcbxp [pfc | application-priority]: Override the global configuration for the LLDP DCBx TLVs on this interface. Entering the command with no parameters enables transmission of all TLVs.
    • pfc—Transmit the PFC configuration TLV.
    • application-priority—Transmit the application priority TLV.
  • Page 814: Fip Snooping

    Fibre Channel forwarder (FCF) facing port (that receives traffic from FCFs targeted to the ENodes). NOTE: The PowerConnect 8024/8024F FIP Snooping Bridge feature supports the configuration of the perimeter port role and FCF-facing port roles and is intended for use only at the edge of the switched network.
  • Page 815: Enabling And Disabling Fip Snooping

    FCF facing interface. Dell recommends that FCF-facing ports be placed into auto-upstream mode in order to receive DCBx information and propagate it to the Converged Network Adaptors (CNAs) on the downstream ports. Interfaces enabled for PFC should be configured in trunk or general mode and must be PFC operationally enabled before FCoE traffic can pass over the port.
  • Page 816 NOTE: FIP snooping will not allow FIP or FCoE frames to be forwarded over a port until the port is operationally enabled for PFC. VLAN tagging must be enabled on the interface in order to carry the dot1p values through the network. This section describes the FIP snooping commands only.
  • Page 817: Fip Snooping Configuration Example

    Command: Purpose
    show fip-snooping fcf fcf-mac: Display information about the interfaces connected to Fibre Channel forwarder (FCF). Use the optional fcf-mac parameter to display additional information about the session with the specified FCF device.
    show fip-snooping Display information about the interfaces connected to enode-mac enode-mac enode [...
  • Page 818 [Figure labels: Internet, FCF Switch, PowerConnect Switch, FC SAN, Workgroup Cluster, FCF Switch, FC SAN]
    To configure FIP snooping:
    1 Enter global configuration mode and enable FIP snooping on the switch.
      console#configure
      console(config)#feature fip-snooping
    2 Create VLAN 100. This command also enters the VLAN configuration mode for VLAN 100.
  • Page 819: Enhanced Transmission Selection

    5 Exit interface configuration mode for the range of interfaces.
    6 Enter interface configuration mode for the CNA-facing ports and configure the DCBx port role as auto-downstream. This step automatically enables PFC on the ports.
      console(config)#interface te1/0/1-3,te2/0/1-3
      console(config-if)#lldp dcbx port-role auto-down
      console(config-if)#exit
    7 Enter Interface Configuration mode for the ports connected to an FCF on both switches in the stack to configure the DCBx port role as auto-...
  • Page 820: Ets Operation

    strict priority and Weighted Deficit Round Robin (WDRR) scheduling with up to two lossless traffic classes. WDRR schedules traffic based on average bandwidth consumed vs. frame counts. ETS Operation The normal (default) operation of PowerConnect switches, when uncongested, is that packets are scheduled for output in the order in which they are received, that is, using FIFO scheduling.
  • Page 821 At the first level of egress scheduling, each of the configured attributes of a CoS queue, namely scheduler algorithm, min-bandwidth and drop mechanism, are honored, and the packet is either dropped or forwarded to next level. Only frames selected by the first level scheduler are forwarded to the second level.
  • Page 822 (or the queues are empty), TCGs that have not met their maximum bandwidth limit are scheduled. Once the limits for a TCG are satisfied (maximum bandwidth, no frames available for transmission, etc.), the scheduler moves to the next TCG. If no minimum or maximum bandwidth limits are configured, TCGs are serviced by the second-level scheduler using the configured TCG weights to define the relative bandwidth allocation among the TCGs.
  • Page 823: Commands

    Commands This section provides information about the commands you use to configure and monitor ETS. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals.
    Command: Purpose
    classofservice traffic-class-group: Maps the internal Traffic Class to an internal Traffic Class Group (TCG).
  • Page 824: Ets Configuration Example

    ETS Configuration Example This example configures four classes of traffic:
    Best effort traffic: CoS Queue 0 for untagged and VLAN-tagged frames with VPTs 0, 1, and 2
    Lossless FCoE/iSCSI traffic: CoS Queues 1 & 2 for VLAN tagged frames with VPTs 3 &...
  • Page 825
    console(config-if-Te1/0/2)#classofservice dot1p-mapping 0 0
    console(config-if-Te1/0/2)#classofservice dot1p-mapping 1 0
    console(config-if-Te1/0/2)#classofservice dot1p-mapping 2 0
    console(config-if-Te1/0/2)#classofservice dot1p-mapping 3 1
    console(config-if-Te1/0/2)#classofservice dot1p-mapping 4 2
    console(config-if-Te1/0/2)#classofservice dot1p-mapping 5 3
    console(config-if-Te1/0/2)#classofservice dot1p-mapping 6 3
    console(config-if-Te1/0/2)#classofservice dot1p-mapping 7 3
    To show dot1p priority for an interface, use the following command:
    console#show classofservice dot1p-mapping tengigabitethernet 1/0/1
    User Priority Traffic Class...
  • Page 826
    console(config-if-Te1/0/1)#cos-queue min-bandwidth 20 35 35 10 0 0 0
    4. Configure the Scheduler Mode for the CoS Queues
    This step enables strict priority scheduling on one or more CoS queues (traffic classes). Strict priority scheduling ensures that packets assigned to a higher CoS queue number are serviced before packets assigned to lower CoS queue numbers.
  • Page 827 The mapping may be configured on a single interface, a range of interfaces, or all the interfaces. It is required that TCGs always be assigned in order from 0 to 2. It is further recommended that the operator always utilize consecutive TCGs starting with TCG 0;...
  • Page 828 In the example below, TCG0 and TCG1 are allocated 30% and 70% of the bandwidth remaining after servicing TCG2 (strict priority) traffic. TCG2 traffic is handled with strict priority but can only consume up to 100% minus the sum of the minimum bandwidths of TCG0 and TCG1 (60%).
    console(config-if-Te1/0/1)#traffic-class-group weight 30 70 0
    7.
  • Page 829 9. Set the Scheduler Modes for the TCGs This step enables strict priority scheduling on TCGs. Strict priority scheduling on multiple TCGs prioritizes traffic from the highest numbered TCG for transmission first. Strict priority scheduling on a single TCG selects that TCG for transmission before the WDRR TCGs.
  • Page 830: Ets Theory Of Operation

    ETS Theory of Operation First Level of Scheduling To understand the first level of scheduling, consider Table 29-1. Assume that we have eight ingress ports, each one receiving line rate traffic with one dot1p priority each. The table shows the mapping of dot1p priorities to the cos-queues, the min-bandwidth settings, and scheduler modes.
  • Page 831 Second Level of Scheduling To consolidate different traffic classes within different traffic types in a typical DCB environment, ETS provides an operational model for prioritization and bandwidth allocation for traffic. Figure 29-3 illustrates a typical example that consolidates three traffic types on a single 10GE link. For consolidation to be effective all traffic types must be serviced according to their requirements.
  • Page 832 At time t2, a burst of LAN traffic is incoming at the rate of 4 Gbps; this burst is allowed to borrow the unused 0.5 Gbps bandwidth from the SAN TCG and is transmitted, since the offered load of SAN is only 3 Gbps. At time t3, when the offered load of IPC falls to 2 Gbps and the bursty LAN traffic is at 6 Gbps, the available bandwidth for SAN and LAN is 4 Gbps each according to the TCG weights, which are set as 50% each.
  • Page 833 Traffic is passed across stacking links using WDRR for all CoS queues. This will affect the observed behavior of ETS on egress ports scheduling traffic from over-subscribed stacking links. The three supported traffic class groups support an industry standard configuration such that one traffic class group offers lossless service (PFC enabled using WRED);...
  • Page 834
    console(config-if-Te1/0/1)#classofservice traffic-class-group 2 2
    console(config-if-Te1/0/1)#traffic-class-group weight 30 70 0
    console(config-if-Te1/0/1)#traffic-class-group strict 2
    PC81xx Operation When DCBx is enabled on manually configured ports, it is not necessary for the ETS parameters to match, regardless of the version of DCBX negotiated or configured. Configuration mismatches are logged. In auto configuration mode, ETS parameters from the configuration source are checked (Max TCs 3 and bandwidth equal to 100%) and if the system is capable of performing the configuration, it is accepted and propagated as...
  • Page 835 TCG. PC8024 Operation with DCBx PowerConnect 8024 and 8024F switches can act as a proxy for ETS information via the auto configuration mechanism. ETS information received from the configuration source is transmitted via DCBX to the other auto configuration peers.
  • Page 836 Configuring Data Center Bridging Features...
  • Page 837: Managing The Mac Address Table

    Managing the MAC Address Table This chapter describes the L2 MAC address table the switch uses to forward data between ports. The topics covered in this chapter include: • MAC Address Table Overview • Default MAC Address Table Values • Managing the MAC Address Table (Web) •...
  • Page 838: What Information Is In The Mac Address Table

    What Information Is in the MAC Address Table? Each entry in the address table, whether it is static or dynamic, includes the MAC address, the VLAN ID associated with the MAC address, and the interface on which the address was learned or configured. Each port can maintain multiple MAC addresses, and a MAC address can be associated with multiple VLANs.
  • Page 839: Managing The Mac Address Table (Web)

    Managing the MAC Address Table (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage the MAC address table on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page.
  • Page 840 Figure 30-2. Adding Static MAC Address 3 Select the interface to associate with the static address. 4 Specify the MAC address and an associated VLAN ID. 5 Click Apply. The new static address is added to the Static MAC Address Table, and the device is updated.
  • Page 841: Dynamic Address Table

    Dynamic Address Table The Dynamic Address Table page contains fields for querying information in the dynamic address table, including the interface type, MAC addresses, VLAN, and table sorting key. Packets forwarded to an address stored in the address table are forwarded directly to those ports. The Dynamic Address Table also contains information about the aging time before a dynamic MAC address is removed from the table.
  • Page 842: Managing The Mac Address Table (Cli)

    Managing the MAC Address Table (CLI) This section provides information about the commands you use to manage the MAC address table on the switch. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals.
  • Page 843: Configuring Routing Interfaces

    Configuring Routing Interfaces This chapter describes the routing (layer 3) interfaces the PowerConnect 8000-series and 8100-series switches support, which includes VLAN routing interfaces, loopback interfaces, and tunnel interfaces. The topics covered in this chapter are: • Routing Interface Overview • Default Routing Interface Values •...
  • Page 844: What Are Loopback Interfaces

    between VLANs while still containing broadcast traffic within VLAN boundaries. The configuration of VLAN routing interfaces makes inter-VLAN routing possible. For each VLAN routing interface you can assign a static IP address, or you can allow a network DHCP server to assign a dynamic IP address. When a port is enabled for bridging (L2 switching) rather than routing, which is the default, all normal bridge processing is performed for an inbound packet, which is then associated with a VLAN.
  • Page 845: What Are Tunnel Interfaces

    services such as Telnet and SSH. In this way, the IP address on a loopback behaves identically to any of the local addresses of the VLAN routing interfaces in terms of the processing of incoming packets. What Are Tunnel Interfaces? Tunnels are a mechanism for transporting a packet across a network so that it can be evaluated at a remote location or tunnel endpoint...
  • Page 846: Why Are Routing Interfaces Needed

    Why Are Routing Interfaces Needed? The routing interfaces this chapter describes have very different applications and uses, as this section describes. If you use the switch as a layer 2 device that handles switching only, routing interface configuration is not required. When the switch is used as a layer 2 device, it typically connects to an external layer 3 device that handles the routing functions.
  • Page 847 Loopback Interfaces When packets are sent to the loopback IP address, the network should be able to deliver the packets as long as any physical interface on the switch is up. There are many cases where you need to send traffic to a switch, such as in switch management.
  • Page 848: Default Routing Interface Values

    Default Routing Interface Values By default, no routing interfaces are configured. When you create a VLAN, no IP address is configured, and DHCP is disabled. After you configure an IP address on a VLAN or loopback interface, routing is automatically enabled on the VLAN interface, and the interface has the default configuration shown in Table 31-1.
  • Page 849: Configuring Routing Interfaces (Web)

    Configuring Routing Interfaces (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLAN routing interfaces, loopback interfaces, and tunnels on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page.
  • Page 850: Dhcp Lease Parameters

    DHCP Lease Parameters Use the DHCP Lease Parameters page to view information about the network information automatically assigned to an interface by the DHCP server. To display the page, click Routing → IP → DHCP Lease Parameters in the navigation panel. Figure 31-3.
  • Page 851: Tunnel Configuration

    Figure 31-4. VLAN Routing Summary Tunnel Configuration Use the Tunnels Configuration page to create, configure, or delete a tunnel. To display the page, click Routing → Tunnels → Configuration in the navigation panel. Figure 31-5. Tunnel Configuration Configuring Routing Interfaces...
  • Page 852: Tunnels Summary

    Tunnels Summary Use the Tunnels Summary page to display a summary of configured tunnels. To display the page, click Routing → Tunnels → Summary in the navigation panel. Figure 31-6. Tunnels Summary Configuring Routing Interfaces...
  • Page 853: Loopbacks Configuration

    Loopbacks Configuration Use the Loopbacks Configuration page to create, configure, or remove loopback interfaces. You can also set up or delete a secondary address for a loopback. To display the page, click Routing → Loopbacks → Loopbacks Configuration in the navigation panel. Figure 31-7.
  • Page 854: Loopbacks Summary

    Loopbacks Summary Use the Loopbacks Summary page to display a summary of configured loopback interfaces on the switch. To display the page, click Routing → Loopbacks → Loopbacks Summary in the navigation panel. Figure 31-8. Loopbacks Summary Configuring Routing Interfaces...
  • Page 855: Configuring Routing Interfaces (Cli)

    VLAN routing interfaces, loopbacks, and tunnels on the switch. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring VLAN Routing Interfaces (IPv4) Beginning in Privileged EXEC mode, use the following commands to configure a VLAN as a routing interface and set the IP configuration parameters.
  • Page 856 Command Purpose ip local-proxy-arp Enable local proxy ARP on the interface to allow the switch to respond to ARP requests for hosts on the same subnet as the ARP source. ip mtu size Set the IP Maximum Transmission Unit (MTU) on a routing interface.
  • Page 857: Configuring Loopback Interfaces

    Configuring Loopback Interfaces Beginning in Privileged EXEC mode, use the following commands to configure a loopback interface. Command Purpose configure Enter Global Configuration mode. interface loopback loopback-id Create the loopback interface and enter Interface Configuration mode for the specified loopback interface.
  • Page 858: Configuring Tunnels

    Configuring Tunnels Beginning in Privileged EXEC mode, use the following commands to configure a loopback interface. NOTE: For information about configuring the IPv6 interface characteristics for a tunnel, see "Configuring IPv6 Routing" on page 1059. Command Purpose configure Enter Global Configuration mode. interface tunnel tunnel-id Create the tunnel interface and enter Interface...
  • Page 859: Configuring Dhcp Server Settings

    Configuring DHCP Server Settings This chapter describes how to configure the switch to dynamically assign network information to hosts by using the Dynamic Host Configuration Protocol (DHCP). The topics covered in this chapter include: • DHCP Overview • Default DHCP Server Values •...
  • Page 860: What Are Dhcp Options

    Figure 32-1. Message Exchange Between DHCP Client and Server: DHCPDISCOVER (broadcast), DHCPOFFER (unicast), DHCPREQUEST (broadcast), DHCPACK (unicast), exchanged between the DHCP Client and the DHCP Server (PowerConnect Switch). The DHCP server maintains one or more sets of IP addresses and other configuration information available, by request, to DHCP clients.
  • Page 861: What Additional Dhcp Features Does The Switch Support

    What Additional DHCP Features Does the Switch Support? The switch software includes a DHCP client that can request network information from a DHCP server on the network during the initial system configuration process. For information about enabling the DHCP client, see "Setting the IP Address and Other Basic Network Information"...
  • Page 862: Configuring The Dhcp Server (Web)

    Configuring the DHCP Server (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the DHCP server on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. DHCP Server Network Properties Use the Network Properties page to define global DHCP server settings and to configure addresses that are not included in any address pools.
  • Page 863 Adding Excluded Addresses To exclude an address: 1 Open the Network Properties page. 2 Click Add Excluded Addresses to display the Add Excluded Addresses page. 3 In the From field, enter the first IP address to exclude from any configured address pool.
  • Page 864: Address Pool

    Deleting Excluded Addresses To remove an excluded address: 1 Open the Network Properties page. 2 Click Delete Excluded Addresses to display the Delete Excluded Addresses page. 3 Select the check box next to the address or address range to delete. Figure 32-4.
  • Page 865 Figure 32-5. Address Pool Adding a Network Pool To create and configure a network pool: 1 Open the Address Pool page. 2 Click Add Network Pool to display the Add Network Pool page. 3 Assign a name to the pool and complete the desired fields. In Figure 32-6, the network pool name is Engineering, and the address pool contains all IP addresses in the 192.168.5.0 subnet, which means a client that receives an address from the DHCP server might lease an...
  • Page 866 Figure 32-6. Add Network Pool The Engineering pool also configures clients to use 192.168.5.1 as the default gateway IP address and 192.168.1.5 and 192.168.2.5 as the primary and secondary DNS servers. NOTE: The IP address 192.168.5.1 should be added to the global list of excluded addresses so that it is not leased to a client.
  • Page 867 In Figure 32-7, the Static pool name is Lab, and the name of the client in the pool is LabHost1. The client’s MAC address is mapped to the IP address 192.168.11.54, the default gateway is 192.168.11.1, and the DNS servers the client will use have IP addresses of 192.168.5.100 and 192.168.2.5.
  • Page 868: Address Pool Options

    Address Pool Options Use the Address Pool Options page to view manually configured options. You can define options when you create an address pool, or you can add options to an existing address pool. To display the Address Pool Options page, click Routing → IP → DHCP Server →...
  • Page 869 Figure 32-9. Add DHCP Option 5 Click Apply. 6 To verify that the option has been added to the address pool, open the Address Pool Options page. Configuring DHCP Server Settings...
  • Page 870: Dhcp Bindings

    Figure 32-10. View Address Pool Options DHCP Bindings Use the DHCP Bindings page to view information about the clients that have leased IP addresses from the DHCP server. To display the DHCP Bindings page, click Routing → IP → DHCP Server → DHCP Bindings in the navigation panel.
  • Page 871: Dhcp Server Reset Configuration

    DHCP Server Reset Configuration Use the Reset Configuration page to clear the client bindings for one or more clients. You can also reset bindings for clients that have leased an IP address that is already in use on the network. To display the Reset Configuration page, click Routing →...
  • Page 872: Dhcp Server Conflicts Information

    DHCP Server Conflicts Information Use the Conflicts Information page to view information about clients that have leased an IP address that is already in use on the network. To display the Conflicts Information page, click Routing → IP → DHCP Server →...
  • Page 873: Dhcp Server Statistics

    DHCP Server Statistics Use the Server Statistics page to view general DHCP server statistics, messages received from DHCP clients, and messages sent to DHCP clients. To display the Server Statistics page, click Routing → IP → DHCP Server → Server Statistics in the navigation panel. Figure 32-14.
  • Page 874: Configuring The Dhcp Server (Cli)

    Configuring the DHCP Server (CLI) This section provides information about the commands you use to configure and monitor the DHCP server and address pools. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring Global DHCP Server Settings Beginning in Privileged EXEC mode, use the following commands to configure settings for the DHCP server.
  • Page 875: Configuring A Dynamic Address Pool

    Configuring a Dynamic Address Pool Beginning in Privileged EXEC mode, use the following commands to create an address pool with network information that is dynamically assigned to hosts with DHCP clients that request the information. Command Purpose configure Enter Global Configuration mode. ip dhcp pool name Create a DHCP address pool and enter DHCP pool...
  • Page 876: Configuring A Static Address Pool

    Configuring a Static Address Pool Beginning in Privileged EXEC mode, use the following commands to create a static address pool and specify the network information for the pool. The network information configured in the static address pool is assigned only to the host with the hardware address or client identifier that matches the information configured in the static pool.
  • Page 877: Monitoring Dhcp Server Information

    Command Purpose default-router address1 address2..address8 Specify the list of default gateway IP addresses to be assigned to the DHCP client. dns-server address1 address2..address8 Specify the list of DNS server IP addresses to be assigned to the DHCP client. domain-name domain Specify the domain name for a DHCP client.
  • Page 878: Dhcp Server Configuration Examples

    4 Specify the primary and secondary DNS servers the hosts will use.
    console(config-dhcp-pool)#dns-server 192.168.5.10
    console(config-dhcp-pool)#dns-server 192.168.5.11
    5 Specify the domain name to be assigned to clients that lease an address from this pool.
    console(config-dhcp-pool)#domain-name engineering.dell.com
    console(config-dhcp-pool)#exit
  • Page 879 9 View information about all configured address pools.
    console#show ip dhcp pool configuration all
    Pool: Engineering
    Pool Type......Network
    Network......192.168.5.0 255.255.255.0
    Lease Time......1 days 0 hrs 0 mins
    DNS Servers......192.168.5.11
    Default Routers....192.168.5.1
    Domain Name......engineering.dell.com
  • Page 880: Configuring A Static Address Pool

    192.168.5.101
    6 Specify the domain name to be assigned to clients that lease an address from this pool.
    console(config-dhcp-pool)#domain-name executive.dell.com
    7 Specify the option that configures the SMTP server IP address to the host.
    console(config-dhcp-pool)#option 69 ip 192.168.1.33
    console(config-dhcp-pool)#exit...
  • Page 881
    Pool: Tyler PC
    Pool Type......Static
    Client Name......TylerPC
    Hardware Address....00:1c:23:55:e9:f3
    Hardware Address Type....ethernet
    Host......192.168.2.10 255.255.255.0
    Lease Time......1 days 0 hrs 0 mins
    DNS Servers....... 192.168.2.101
    Default Routers....192.168.2.1
    Domain Name....... executive.dell.com
    Option......69 ip 192.168.1.33
  • Page 882 Configuring DHCP Server Settings...
  • Page 883: Configuring Ip Routing

    Configuring IP Routing This chapter describes how to configure routing on the switch, including global routing settings, Address Resolution Protocol (ARP), router discovery, and static routes. The topics covered in this chapter include: • IP Routing Overview • Default IP Routing Values •...
  • Page 884 Table 33-1. IP Routing Features (Continued) Feature Description ICMP Router Discovery Hosts can use IRDP to identify operational routers Protocol (IRDP) on the subnet. Routers periodically advertise their IP addresses. Hosts listen for these advertisements and discover the IP addresses of neighboring routers.
  • Page 885: Default Ip Routing Values

    Default IP Routing Values Table 33-2 shows the default values for the IP routing features this chapter describes. Table 33-2. IP Routing Defaults Parameter Default Value Default Time to Live Routing Mode Disabled globally and on each interface ICMP Echo Replies Enabled ICMP Redirects Enabled...
  • Page 886 Table 33-2. IP Routing Defaults (Continued) Parameter Default Value Route Preference Values Preference values are as follows: • Local—0 • Static—1 • OSPF Intra—110 • OSPF Inter—110 • OSPF External—110 • RIP—120 Configuring IP Routing...
  • Page 887: Configuring Ip Routing Features (Web)

    Configuring IP Routing Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring IPv4 routing features on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. IP Configuration Use the Configuration page to configure routing parameters for the switch as opposed to an interface.
  • Page 888: Ip Statistics

    IP Statistics The IP statistics reported on the Statistics page are as specified in RFC 1213. To display the page, click Routing → IP → Statistics in the navigation panel. Figure 33-2. IP Statistics Configuring IP Routing...
  • Page 889: Arp Create

    ARP Create Use the Create page to add a static ARP entry to the Address Resolution Protocol table. To display the page, click Routing → ARP → Create in the navigation panel. Figure 33-3. ARP Create Configuring IP Routing...
  • Page 890: Arp Table Configuration

    ARP Table Configuration Use the Table Configuration page to change the configuration parameters for the Address Resolution Protocol Table. You can also use this screen to display the contents of the table. To display the page, click Routing → ARP → Table Configuration in the navigation panel.
  • Page 891: Router Discovery Configuration

    Router Discovery Configuration Use the Configuration page to enter or change router discovery parameters. To display the page, click Routing → Router Discovery → Configuration in the navigation panel. Figure 33-5. Router Discovery Configuration Configuring IP Routing...
  • Page 892: Router Discovery Status

    Router Discovery Status Use the Status page to display router discovery data for each interface. To display the page, click Routing → Router Discovery → Status in the navigation panel. Figure 33-6. Router Discovery Status Configuring IP Routing...
  • Page 893: Route Table

    Route Table Use the Route Table page to display the contents of the routing table. To display the page, click Routing → Router → Route Table in the navigation panel. Figure 33-7. Route Table Configuring IP Routing...
  • Page 894: Best Routes Table

    Best Routes Table Use the Best Routes Table page to display the best routes from the routing table. To display the page, click Routing → Router → Best Routes Table in the navigation panel. Figure 33-8. Best Routes Table Configuring IP Routing...
  • Page 895: Route Entry Configuration

    Route Entry Configuration Use the Route Entry Configuration page to add new and configure router routes. To display the page, click Routing → Router → Route Entry Configuration in the navigation panel. Figure 33-9. Route Entry Configuration Adding a Route and Configuring Route Preference To configure routing table entries: 1 Open the Route Entry Configuration page.
  • Page 896 Figure 33-10. Router Route Entry and Preference Configuration 3 Next to Route Type, use the drop-down box to add a Default, Static, or Static Reject route. The fields to configure are different for each route type. • Default — Enter the default gateway address in the Next Hop IP...
  • Page 897: Configured Routes

    Configured Routes Use the Configured Routes page to display the routes that have been manually configured. NOTE: For a static reject route, the next hop interface value is Null0. Packets to the network address specified in static reject routes are intentionally dropped. To display the page, click Routing →...
  • Page 898: Route Preferences Configuration

    Route Preferences Configuration Use the Route Preferences Configuration page to configure the default preference for each protocol (for example 60 for static routes). These values are arbitrary values that range from 1 to 255, and are independent of route metrics. Most routing protocols use a route metric to determine the shortest path known to the protocol, independent of any other protocol.
  • Page 899: Configuring Ip Routing Features (Cli)

    Configuring IP Routing Features (CLI) This section provides information about the commands you use to configure IPv4 routing on the switch. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring Global IP Routing Settings Beginning in Privileged EXEC mode, use the following commands to configure various global IP routing settings for the switch.
  • Page 900: Adding Static Arp Entries And Configuring Arp Table Settings

    Adding Static ARP Entries and Configuring ARP Table Settings Beginning in Privileged EXEC mode, use the following commands to configure static ARP entries in the ARP cache and to specify the settings for the ARP cache. Command Purpose configure Enter global configuration mode. ip-address hardware- Create a static ARP entry in the ARP table.
  • Page 901: Configuring Router Discovery (Irdp)

    Configuring Router Discovery (IRDP) Beginning in Privileged EXEC mode, use the following commands to configure IRDP settings. Command Purpose configure Enter global configuration mode. interface interface Enter interface configuration mode for the specified VLAN routing interface. The interface variable includes the interface type (vlan) and number, for example vlan 100.
  • Page 902: Configuring Route Table Entries And Route Preferences

    Configuring Route Table Entries and Route Preferences Beginning in Privileged EXEC mode, use the following commands to configure IRDP settings. Command Purpose configure Enter global configuration mode. ip route default nextHopRtr preference Configure the default route. • nextHopRtr — IP address of the next hop router. • preference...
  • Page 903 Command Purpose ip-address show ip route [ View the routing table. mask prefix-length ip-address • — Specifies the network for which the route [longer-prefixes] | is to be displayed and displays the best matching best- protocol route for the address. mask •...
  • Page 904: Ip Routing Configuration Example

    IP Routing Configuration Example In this example, the PowerConnect switches are L3 switches with VLAN routing interfaces. VLAN routing is configured on PowerConnect Switch A and PowerConnect Switch B. This allows the host in VLAN 10 to communicate with the server in VLAN 30. A static route to the VLAN 30 subnet is configured on Switch A.
  • Page 905: Configuring Powerconnect Switch A

    Configuring PowerConnect Switch A To configure Switch A:
    1 Enable routing on the switch.
    console#configure
    console(config)#ip routing
    2 Assign an IP address to VLAN 10. This command also enables IP routing on the VLAN.
    console(config)#interface vlan 10
    console(config-if-vlan10)#ip address 192.168.10.10 255.255.255.0
    console(config-if-vlan10)#exit
    3 Assign an IP address to VLAN 20.
  • Page 906: Configuring Powerconnect Switch B

    Configuring PowerConnect Switch B To configure Switch B:
    1 Enable routing on the switch.
    console#configure
    console(config)#ip routing
    2 Assign an IP address to VLAN 20. This command also enables IP routing on the VLAN.
    console#configure
    console(config)#interface vlan 20
    console(config-if-vlan20)#ip address 192.168.20.25 255.255.255.0
    console(config-if-vlan20)#exit
    3 Assign an IP address to VLAN 30.
  • Page 907: Configuring L2 And L3 Relay

    Configuring L2 and L3 Relay Features This chapter describes how to configure the L2 DHCP Relay, L3 DHCP Relay, and IP Helper features on PowerConnect 8000-series and 8100-series switches. The topics covered in this chapter include: • L2 and L3 Relay Overview •...
  • Page 908: What Is L2 Dhcp Relay

    The PowerConnect DHCP Relay Agent enables DHCP clients and servers to exchange DHCP messages across different subnets. The relay agent receives the requests from the clients, and checks the valid hops and giaddr fields in the DHCP request. If the number of hops is greater than the configured number, the agent discards the packet.
  • Page 909: What Is The Ip Helper Feature

    Enabling L2 Relay on VLANs You can enable L2 DHCP relay on a particular VLAN. The VLAN is identified by a service VLAN ID (S-VID), which a service provider uses to identify a customer’s traffic while traversing the provider network to multiple remote sites.
  • Page 910 Table 34-1. Default Ports - UDP Port Numbers Implied By Wildcard Protocol UDP Port Number IEN-116 Name Service NetBIOS Name Server NetBIOS Datagram Server TACACS Server Time Service DHCP Trivial File Transfer Protocol The system limits the number of relay entries to four times the maximum number of routing interfaces (512 relay entries).
  • Page 911 configuration for the destination UDP port. If so, the relay agent unicasts the packet to the configured server IP addresses. Otherwise the packet is not relayed. NOTE: If the packet matches a discard relay entry on the ingress interface, the packet is not forwarded, regardless of the global configuration.
  • Page 912 Table 34-2 shows the most common protocols and their UDP port numbers and names that are relayed. Table 34-2. UDP Port Allocations UDP Port Number Acronym Application Echo Echo SysStat Active User NetStat NetStat Quote Quote of the day CHARGEN Character Generator FTP-data FTP Data...
  • Page 913: Default L2/L3 Relay Values

    Default L2/L3 Relay Values By default L2 DHCP relay is disabled. L3 relay (UDP) is enabled, but no UDP destination ports or server addresses are defined on the switch or on any interfaces. Table 34-3. L2/L3 Relay Defaults Parameter Default Value L2 DHCP Relay Admin Mode Disabled globally and on all interfaces and...
  • Page 914: Configuring L2 And L3 Relay Features (Web)

    Configuring L2 and L3 Relay Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 and L3 relay features on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page.
  • Page 915: Dhcp Relay Interface Configuration

    DHCP Relay Interface Configuration Use this page to enable L2 DHCP relay on individual ports. NOTE: L2 DHCP relay must also be enabled globally on the switch. To access this page, click Switching → DHCP Relay → Interface Configuration in the navigation panel. Figure 34-2.
  • Page 916 Figure 34-3. DHCP Relay Interface Summary Configuring L2 and L3 Relay Features...
  • Page 917: Dhcp Relay Interface Statistics

    DHCP Relay Interface Statistics Use this page to display statistics on DHCP Relay requests received on a selected port. To access this page, click Switching → DHCP Relay → Interface Statistics in the navigation panel. Figure 34-4. DHCP Relay Interface Statistics Configuring L2 and L3 Relay Features...
  • Page 918: Dhcp Relay Vlan Configuration

    DHCP Relay VLAN Configuration Use this page to enable and configure DHCP Relay on specific VLANs. To access this page, click Switching → DHCP Relay → VLAN Configuration in the navigation panel. Figure 34-5. DHCP Relay VLAN Configuration To view a summary of the L2 DHCP relay configuration on all VLANs, click Show All.
  • Page 919: Dhcp Relay Agent Configuration

    DHCP Relay Agent Configuration Use the Configuration page to configure and display a DHCP relay agent. To display the page, click Routing → DHCP Relay Agent → Configuration in the navigation panel. Figure 34-7. DHCP Relay Agent Configuration Configuring L2 and L3 Relay Features...
  • Page 920: Ip Helper Global Configuration

    IP Helper Global Configuration Use the Global Configuration page to add, show, or delete UDP Relay and Helper IP configuration. To display the page, click Routing → IP Helper → Global Configuration in the navigation panel. Figure 34-8. IP Helper Global Configuration Adding an IP Helper Entry To configure an IP helper entry: 1.
  • Page 921 Figure 34-9. Add Helper IP Address 3. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure for the relay entry for the default set of protocols. NOTE: If the DefaultSet option is specified, the device by default forwards UDP Broadcast packets for the following services: IEN-116 Name Service (port 42), DNS (port 53), NetBIOS Name Server (port 137), NetBIOS Datagram...
  • Page 922: Ip Helper Interface Configuration

    IP Helper Interface Configuration Use the Interface Configuration page to add, show, or delete UDP Relay and Helper IP configuration for a specific interface. To display the page, click Routing → IP Helper → Interface Configuration in the navigation panel. Figure 34-10.
  • Page 923 Figure 34-11. Add Helper IP Address 3. Select the interface to use for the relay. 4. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure for the relay entry for the default set of protocols.
  • Page 924: Ip Helper Statistics

    IP Helper Statistics Use the Statistics page to view UDP Relay Statistics for the switch. To display the page, click Routing → IP Helper → Statistics in the navigation panel. Figure 34-12. IP Helper Statistics Configuring L2 and L3 Relay Features...
  • Page 925: Configuring L2 And L3 Relay Features (Cli)

    Configuring L2 and L3 Relay Features (CLI) This section provides information about the commands you use to configure L2 and L3 relay features on the switch. For more information about the commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals.
  • Page 926 Command Purpose dhcp l2relay remote-id remoteId vlan vlan-range Enable setting the DHCP Option 82 Remote ID for a VLAN. When enabled, the supplied string is used for the Remote ID in DHCP Option 82. The remoteId variable is a string to be used as the remote ID in the Option 82 (Range: 1 - 128 characters).
  • Page 927: Configuring L3 Relay (Ip Helper) Settings

    Configuring L3 Relay (IP Helper) Settings Beginning in Privileged EXEC mode, use the following commands to configure switch and interface L3 DHCP relay and IP helper settings. Command Purpose configure Enter global configuration mode. ip helper enable Use this command to enable the IP helper feature. It is enabled by default.
  • Page 928 Command Purpose ip helper-address {server-address | discard} [dest-udp-port | dhcp | domain | isakmp | mobile-ip | nameserver | netbios-... Configure the relay of certain UDP broadcast packets received on the VLAN routing interface(s). This command takes precedence over an ip helper-address command given in global configuration mode. Specify the one of the protocols defined in the command...
  • Page 929: Relay Agent Configuration Example

    Relay Agent Configuration Example The example in this section shows how to configure the L3 relay agent (IP helper) to relay and discard various protocols. Figure 34-13. L3 Relay Network Diagram (labels: DHCP Server 192.168.40.22; DNS Server 192.168.40.43; DHCP Server 192.168.40.35; SNMP Server 192.168.23.1; VLAN 30...)
  • Page 930 2 Relay DNS packets received on VLAN 10 to 192.168.40.43
    console(config-if-vlan10)#ip helper-address 192.168.40.43 domain
    console(config-if-vlan10)#exit
    3 Relay SNMP traps (port 162) received on VLAN 20 to 192.168.23.1
    console(config)#interface vlan 20
    console(config-if-vlan20)#ip helper-address 192.168.23.1 162
    4 The clients on VLAN 20 have statically-configured network information, so the switch is configured to drop DHCP packets received on VLAN 20
    console(config-if-vlan20)#ip helper-address discard dhcp...
  • Page 931: Configuring Ospf And Ospfv3

    Configuring OSPF and OSPFv3 This chapter describes how to configure Open Shortest Path First (OSPF) and OSPFv3. OSPF is a dynamic routing protocol for IPv4 networks, and OSPFv3 is used to route traffic in IPv6 networks. The protocols are configured separately within the software, but their functionality is largely similar for IPv4 and IPv6 networks.
  • Page 932: Ospf Overview

    OSPF Overview OSPF is an Interior Gateway Protocol (IGP) that performs dynamic routing within a network. PowerConnect 8000-series and 8100-series switches support two dynamic routing protocols: OSPF and Routing Information Protocol (RIP). Unlike RIP, OSPF is a link-state protocol. Larger networks typically use the OSPF protocol instead of RIP.
  • Page 933: What Are Ospf Routers And Lsas

    What Are OSPF Routers and LSAs? When a PowerConnect switch is configured to use OSPF for dynamic routing, it is considered to be an OSPF router. OSPF routers keep track of the state of the various links they send data to. Routers exchange OSPF link state advertisements (LSAs) with other routers.
  • Page 934: Ospf Feature Details

    OSPF Feature Details This section provides details on the following OSPF features: • Max Metric • Static Area Range Cost • LSA Pacing Max Metric RFC 3137 introduced stub router behavior to OSPFv2. As a stub, a router can inform other routers that it is not available to forward data packets.
  • Page 935 mode. OSPF does not begin in stub router mode when OSPF is globally enabled. If the operator wants to avoid routing transients when he enables or configures OSPF, he can manually set OSPF in stub router mode. If OSPF is in startup stub router mode and encounters a resource limitation that would normally cause OSPF to become a stub router, OSPF cancels the timer to exit startup stub router and remains in stub router mode until the network administrator takes action.
  • Page 936: Static Area Range Cost

    Static Area Range Cost This feature allows a network operator to configure a fixed OSPF cost that is always advertised when an area range is active. This feature applies to both OSPFv2 and OSPFv3. An OSPF domain can be divided into areas to limit the processing required on each router.
  • Page 937: Lsa Pacing

    LSA Pacing OSPF refreshes each self-originated LSA every 30 minutes. Because a router tends to originate many LSAs at the same time, either at startup or when adjacencies are formed or when routes are first learned, LSA refreshes tend to be grouped.
  • Page 938: Flood Blocking

    Flood Blocking OSPF is a link state routing protocol. Routers describe their local environment in Link State Advertisements (LSAs), which are distributed throughout an area or OSPF domain. Through this process, each router learns enough information to compute a set of routes consistent with the routes computed by all other routers.
  • Page 939 Flood blocking cannot be enabled on virtual interfaces. While the feature could be allowed on virtual interfaces, it is less likely to be used on a virtual interface, since virtual interfaces are created specifically to allow flooding between two backbone routers. So the option of flood blocking on virtual interfaces is not supported.
  • Page 940: Default Ospf Values

    Default OSPF Values OSPF is globally enabled by default. To make it operational on the router, you must configure a router ID and enable OSPF on at least one interface. Table 35-1 shows the global default values for OSPF and OSPFv3. Table 35-1.
  • Page 941 Table 35-2 shows the per-interface default values for OSPF and OSPFv3. Table 35-2. OSPF Per-Interface Defaults
    Parameter: Default Value
    Admin Mode: Disabled
    Advertise Secondaries: Enabled (OSPFv2 only)
    Router Priority:
    Retransmit Interval: 5 seconds
    Hello Interval: 10 seconds
    Dead Interval: 40 seconds
    LSA Ack Interval: 1 second
    Interface Delay Interval...
  • Page 942: Configuring Ospf Features (Web)

    Configuring OSPF Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPF features on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. OSPF Configuration Use the Configuration page to enable OSPF on a router and to configure the related OSPF settings.
  • Page 943 Figure 35-1. OSPF Configuration Configuring OSPF and OSPFv3...
  • Page 944: Ospf Area Configuration

    OSPF Area Configuration The Area Configuration page lets you create a Stub area configuration and NSSA once you’ve enabled OSPF on an interface through Routing → OSPF → Interface Configuration. At least one router must have OSPF enabled for this web page to display. To display the page, click Routing →...
  • Page 945 Configuring an OSPF Stub Area To configure the area as an OSPF stub area, click Create Stub Area. The page refreshes and displays additional fields that are specific to the stub area. Figure 35-3. OSPF Stub Area Configuration Use the Delete Stub Area button to remove the stub area.
  • Page 946 Configuring an OSPF Not-So-Stubby Area To configure the area as an OSPF not-so-stubby area (NSSA), click NSSA Create. The page refreshes and displays additional fields that are specific to the NSSA. Figure 35-4. OSPF NSSA Configuration Use the NSSA Delete button to remove the NSSA area.
  • Page 947: Ospf Stub Area Summary

    OSPF Stub Area Summary The Stub Area Summary page displays OSPF stub area detail. To display the page, click Routing → OSPF → Stub Area Summary in the navigation panel. Figure 35-5. OSPF Stub Area Summary
  • Page 948: Ospf Area Range Configuration

    OSPF Area Range Configuration Use the Area Range Configuration page to configure and display an area range for a specified NSSA. To display the page, click Routing → OSPF → Area Range Configuration in the navigation panel. Figure 35-6. OSPF Area Range Configuration
  • Page 949: Ospf Interface Statistics

    OSPF Interface Statistics Use the Interface Statistics page to display statistics for the selected interface. The information is displayed only if OSPF is enabled. To display the page, click Routing → OSPF → Interface Statistics in the navigation panel. Figure 35-7. OSPF Interface Statistics
  • Page 950: Ospf Interface Configuration

    OSPF Interface Configuration Use the Interface Configuration page to configure an OSPF interface. To display the page, click Routing → OSPF → Interface Configuration in the navigation panel. Figure 35-8. OSPF Interface Configuration
  • Page 951: Ospf Neighbor Table

    OSPF Neighbor Table Use the Neighbor Table page to display the OSPF neighbor table list. When a particular neighbor ID is specified, detailed information about a neighbor is given. The information below is only displayed if OSPF is enabled. To display the page, click Routing → OSPF → Neighbor Table in the navigation panel.
  • Page 952: Ospf Neighbor Configuration

    OSPF Neighbor Configuration Use the Neighbor Configuration page to display the OSPF neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about a neighbor is given. The information below is only displayed if OSPF is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor.
  • Page 953: Ospf Link State Database

    OSPF Link State Database Use the Link State Database page to display OSPF link state, external LSDB table, and AS opaque LSDB table information. To display the page, click Routing → OSPF → Link State Database in the navigation panel. Figure 35-11.
  • Page 954 Figure 35-12. OSPF Virtual Link Creation After you create a virtual link, additional fields display, as Figure 35-13 shows. Figure 35-13. OSPF Virtual Link Configuration
  • Page 955: Ospf Virtual Link Summary

    OSPF Virtual Link Summary Use the Virtual Link Summary page to display all of the configured virtual links. To display the page, click Routing → OSPF → Virtual Link Summary in the navigation panel. Figure 35-14. OSPF Virtual Link Summary
  • Page 956: Ospf Route Redistribution Configuration

    OSPF Route Redistribution Configuration Use the Route Redistribution Configuration page to configure redistribution in OSPF for routes learned through various protocols. You can choose to redistribute routes learned from all available protocols or from selected ones. To display the page, click Routing → OSPF → Route Redistribution Configuration in the navigation panel.
  • Page 957: Ospf Route Redistribution Summary

    OSPF Route Redistribution Summary Use the Route Redistribution Summary page to display OSPF Route Redistribution configurations. To display the page, click Routing → OSPF → Route Redistribution Summary in the navigation panel. Figure 35-16. OSPF Route Redistribution Summary
  • Page 958: Nsf Ospf Configuration

    NSF OSPF Configuration Use the NSF OSPF Configuration page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPF feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?"...
  • Page 959: Configuring Ospfv3 Features (Web)

    Configuring OSPFv3 Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPFv3 features on PowerConnect 8000-series and 8100-series switches. For details about the fields on a page, click at the top of the page. OSPFv3 Configuration Use the Configuration page to activate and configure OSPFv3 for a switch.
  • Page 960: Ospfv3 Area Configuration

    OSPFv3 Area Configuration Use the Area Configuration page to create and configure an OSPFv3 area. To display the page, click IPv6 → OSPFv3 → Area Configuration in the navigation panel. Figure 35-19. OSPFv3 Area Configuration
  • Page 961 Configuring an OSPFv3 Stub Area To configure the area as an OSPFv3 stub area, click Create Stub Area. The page refreshes and displays additional fields that are specific to the stub area. Figure 35-20. OSPFv3 Stub Area Configuration Use the Delete Stub Area button to remove the stub area.
  • Page 962 Configuring an OSPFv3 Not-So-Stubby Area To configure the area as an OSPFv3 not-so-stubby area (NSSA), click Create NSSA. The page refreshes and displays additional fields that are specific to the NSSA. Figure 35-21. OSPFv3 NSSA Configuration Use the Delete NSSA button to remove the NSSA area.
  • Page 963: Ospfv3 Stub Area Summary

    OSPFv3 Stub Area Summary Use the Stub Area Summary page to display OSPFv3 stub area detail. To display the page, click IPv6 → OSPFv3 → Stub Area Summary in the navigation panel. Figure 35-22. OSPFv3 Stub Area Summary
  • Page 964: Ospfv3 Area Range Configuration

    OSPFv3 Area Range Configuration Use the Area Range Configuration page to configure OSPFv3 area ranges. To display the page, click IPv6 → OSPFv3 → Area Range Configuration in the navigation panel. Figure 35-23. OSPFv3 Area Range Configuration
  • Page 965: Ospfv3 Interface Configuration

    OSPFv3 Interface Configuration Use the Interface Configuration page to create and configure OSPFv3 interfaces. This page has been updated to include the Passive Mode field. To display the page, click IPv6 → OSPFv3 → Interface Configuration in the navigation panel. Figure 35-24.
  • Page 966: Ospfv3 Interface Statistics

    OSPFv3 Interface Statistics Use the Interface Statistics page to display OSPFv3 interface statistics. Information is only displayed if OSPF is enabled. Several fields have been added to this page. To display the page, click IPv6 → OSPFv3 → Interface Statistics in the navigation panel.
  • Page 967: Ospfv3 Neighbors

    OSPFv3 Neighbors Use the Neighbors page to display the OSPF neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about that neighbor is given. Neighbor information only displays if OSPF is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor.
  • Page 968: Ospfv3 Neighbor Table

    OSPFv3 Neighbor Table Use the Neighbor Table page to display the OSPF neighbor table list. When a particular neighbor ID is specified, detailed information about a neighbor is given. The neighbor table is only displayed if OSPF is enabled. To display the page, click IPv6 → OSPFv3 → Neighbor Table in the navigation panel.
  • Page 969: Ospfv3 Link State Database

    OSPFv3 Link State Database Use the Link State Database page to display the link state and external LSA databases. The OSPFv3 Link State Database page has been updated to display external LSDB table information in addition to OSPFv3 link state information.
  • Page 970: Ospfv3 Virtual Link Configuration

    OSPFv3 Virtual Link Configuration Use the Virtual Link Configuration page to define a new or configure an existing virtual link. To display this page, a valid OSPFv3 area must be defined through the OSPFv3 Area Configuration page. To display the page, click IPv6 → OSPFv3 → Virtual Link Configuration in the navigation panel.
  • Page 971 After you create a virtual link, additional fields display, as Figure 35-30 shows. Figure 35-30. OSPFv3 Virtual Link Configuration
  • Page 972: Ospfv3 Virtual Link Summary

    OSPFv3 Virtual Link Summary Use the Virtual Link Summary page to display virtual link data by Area ID and Neighbor Router ID. To display the page, click IPv6 → OSPFv3 → Virtual Link Summary in the navigation panel. Figure 35-31. OSPFv3 Virtual Link Summary
  • Page 973: Ospfv3 Route Redistribution Configuration

    OSPFv3 Route Redistribution Configuration Use the Route Redistribution Configuration page to configure route redistribution. To display the page, click IPv6 → OSPFv3 → Route Redistribution Configuration in the navigation panel. Figure 35-32. OSPFv3 Route Redistribution Configuration
  • Page 974: Ospfv3 Route Redistribution Summary

    OSPFv3 Route Redistribution Summary Use the Route Redistribution Summary page to display route redistribution settings by source. To display the page, click IPv6 → OSPFv3 → Route Redistribution Summary in the navigation panel. Figure 35-33. OSPFv3 Route Redistribution Summary
  • Page 975: Nsf Ospfv3 Configuration

    NSF OSPFv3 Configuration Use the NSF OSPFv3 Configuration page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPFv3 feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?"...
  • Page 976: Configuring Ospf Features (Cli)

    This section provides information about the commands you use to configure and view OSPF settings on the switch. This section does not describe all available show commands. For more information about all available OSPF commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals.
  • Page 977
    Command: default-information originate [always] [metric metric-value] [metric-type type-value]
    Purpose: Control the advertisement of default routes. • always — Normally, OSPF originates a default route only if a default route is redistributed into OSPF (and default-information originate is configured). When the always option is configured, OSPF originates a default route, even if no default route is redistributed.
  • Page 978
    Command: passive-interface default
    Purpose: Configure OSPF interfaces as passive by default. This command overrides any interface-level passive mode settings. OSPF does not form adjacencies on passive interfaces but does advertise attached networks as stub networks.
    Command: timers spf delay-time hold-time
    Purpose: Specify the SPF delay and hold time. • delay-time...
  • Page 979: Configuring Ospf Interface Settings

    Configuring OSPF Interface Settings Beginning in Privileged EXEC mode, use the following commands to configure per-interface OSPF settings.
    Command: configure
    Purpose: Enter global configuration mode.
    Command: interface vlan vlan-id
    Purpose: Enter Interface Configuration mode for the specified VLAN.
    Command: ip ospf area area-id [secondaries none]
    Purpose: Enables OSPFv2 on the interface and sets the area ID of an interface...
  • Page 980
    Command: ip ospf dead-interval seconds
    Purpose: Set the OSPF dead interval for the interface. The seconds variable indicates the number of seconds a router waits to see a neighbor router's Hello packets before declaring that the router is down (Range: 1–65535). This parameter must be the same for all routers attached to a network...
  • Page 981: Configuring Stub Areas And Nssas

    Command: exit
    Purpose: Exit to Global Configuration Mode
    Command: router ospf
    Purpose: Enter OSPF configuration mode.
    Command: passive-interface vlan vlan-id
    Purpose: Make an interface passive to prevent OSPF from forming an adjacency on an interface. OSPF advertises networks attached to passive interfaces as stub networks.
    Command: network ip-address...
    Purpose: Enable OSPFv2 on interfaces whose primary IP address...
  • Page 982
    Command: area area-id default-cost integer
    Purpose: Configure the metric value (default cost) for the type 3 summary LSA sent into the stub area. (Range: 1–16777215)
    Command: area area-id nssa
    Purpose: Create an NSSA for the specified area ID.
    Command: area area-id nssa no-summary
    Purpose: Configure the NSSA so that summary LSAs are not advertised into the NSSA...
  • Page 983: Configuring Virtual Links

    Configuring Virtual Links Beginning in Privileged EXEC mode, use the following commands to configure OSPF Virtual Links. Command Purpose configure Enter global configuration mode. router ospf Enter OSPF configuration mode. area-id area virtual-link Create the OSPF virtual interface for the specified area- neighbor-id neighbor-id id and neighbor router.
  • Page 984
    Command: area area-id virtual-link neighbor-id hello-interval seconds
    Purpose: Set the OSPF hello interval for the virtual link. The seconds variable indicates the number of seconds to wait before sending Hello packets from the virtual interface. (Range: 1–65535).
    Command: area area-id virtual-link neighbor-id dead-interval seconds
    Purpose: Set the OSPF dead interval for the virtual link...
  • Page 985: Configuring Ospf Area Range Settings

    Configuring OSPF Area Range Settings Beginning in Privileged EXEC mode, use the following commands to configure an OSPF area range.
    Command: configure
    Purpose: Enter global configuration mode.
    Command: router ospf
    Purpose: Enter OSPF configuration mode.
    Command: area area-id range ip-address mask
    Purpose: Configure a summary prefix for routes learned in a given area. • area-id...
  • Page 986
    Command: distribute-list accesslistname out {rip | static | connected}
    Purpose: Specify the access list to filter routes received from the source protocol. The ACL must already exist on the switch. For information about the commands you use to configure ACLs, see "Configuring ACLs (CLI)" on page 521...
  • Page 987: Configuring Ospfv3 Features (Cli)

    OSPFv3 settings on the switch. For more information about the commands and about additional show commands, see the PowerConnect 8024/8024F/8132/8132F/8164/8164F CLI Reference Guide at support.dell.com/manuals. Configuring Global OSPFv3 Settings Beginning in Privileged EXEC mode, use the following commands to configure various global OSPFv3 settings for the switch.
  • Page 988
    Command: distance ospf {external | inter-area | intra-area} distance
    Purpose: Set the preference values of OSPFv3 route types in the router. The range for the distance variable is 1–255. Lower route preference values are preferred when determining the best route...
  • Page 989: Configuring Ospfv3 Interface Settings

    Configuring OSPFv3 Interface Settings Beginning in Privileged EXEC mode, use the following commands to configure per-interface OSPFv3 settings.
    Command: configure
    Purpose: Enter global configuration mode.
    Command: interface vlan vlan-id
    Purpose: Enter Interface Configuration mode for the specified VLAN.
    Command: ipv6 ospf areaid area-id
    Purpose: Enables OSPFv3 on the interface and sets the area ID of an interface...
  • Page 990
    Command: ipv6 ospf dead-interval seconds
    Purpose: Set the OSPFv3 dead interval for the interface. The seconds variable indicates the number of seconds a router waits to see a neighbor router's Hello packets before declaring that the router is down (Range: 1–65535). This parameter must be the same for all routers attached to a network...
  • Page 991: Configuring Stub Areas And Nssas

    Command: show ipv6 ospf interface interface-type interface-number
    Purpose: View summary information for all OSPFv3 interfaces configured on the switch or for the specified routing interface.
    Command: show ipv6 ospf interface stats interface-type interface-number
    Purpose: View per-interface OSPFv3 statistics.
    Configuring Stub Areas and NSSAs Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 stub areas and NSSAs.
  • Page 992
    Command: area area-id nssa [no-redistribution] [default-information-originate [metric metric-value] [metric-type metric-type-...
    Purpose: Create and configure an NSSA for the specified area ID. • metric-value —Specifies the metric of the default route advertised to the NSSA. (Range: 1–16777214) • metric-type-value —The metric type can be one of the following:...
  • Page 993: Configuring Virtual Links

    Configuring Virtual Links Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 Virtual Links. Command Purpose configure Enter global configuration mode. ipv6 router ospf Enter OSPFv3 configuration mode. area-id area virtual-link Create the OSPFv3 virtual interface for the specified neighbor-id area-id neighbor-id...
  • Page 994: Configuring An Ospfv3 Area Range

    Configuring an OSPFv3 Area Range Beginning in Privileged EXEC mode, use the following commands to configure an OSPFv3 area range.
    Command: configure
    Purpose: Enter global configuration mode.
    Command: ipv6 router ospf
    Purpose: Enter OSPFv3 configuration mode.
    Command: area area-id range ipv6-prefix/prefix-length
    Purpose: Configure a summary prefix for routes learned in a given area...
  • Page 995: Configuring Ospfv3 Route Redistribution Settings

    Configuring OSPFv3 Route Redistribution Settings Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 route redistribution settings.
    Command: configure
    Purpose: Enter global configuration mode.
    Command: ipv6 router ospf
    Purpose: Enter OSPFv3 configuration mode.
    Command: redistribute {static | connected} [metric...
    Purpose: Configure OSPFv3 to allow redistribution of routes from the specified source protocol/routers...
  • Page 996: Ospf Configuration Examples

    OSPF Configuration Examples This section contains the following examples: • Configuring an OSPF Border Router and Setting Interface Costs • Configuring Stub and NSSA Areas for OSPF and OSPFv3 • Configuring a Virtual Link for OSPF and OSPFv3 Configuring an OSPF Border Router and Setting Interface Costs This example shows how to configure the PowerConnect switch as an OSPF border router.
  • Page 997 To Configure Border Router A:
    1 Enable routing on the switch.
    console#configure
    console(config)#ip routing
    2 Create VLANs 70, 80, and 90.
    console(config)#vlan 70,80,90
    3 Assign IP addresses for VLANs 70, 80 and 90.
    console(config)#interface vlan 70
    console(config-if-vlan70)#ip address 192.150.2.2 255.255.255.0
    console(config-if-vlan70)#exit
    console(config)#interface vlan 80
    console(config-if-vlan80)#ip address 192.150.3.1...
  • Page 998
    5 Configure the OSPF area ID, priority, and cost for each interface.
    NOTE: OSPF is globally enabled by default. To make it operational on the router, you configure OSPF for particular interfaces and identify which area the interface is associated with.
    console(config)#interface vlan 70
    console(config-if-vlan70)#ip ospf area 0.0.0.0
    console(config-if-vlan70)#ip ospf priority 128...
  • Page 999: Configuring Stub And Nssa Areas For Ospf And Ospfv3

    Configuring Stub and NSSA Areas for OSPF and OSPFv3 In this example, Area 0 connects directly to two other areas: Area 1 is defined as a stub area and Area 2 is defined as an NSSA area. NOTE: OSPFv2 and OSPFv3 can operate concurrently on a network and on the same interfaces (although they do not interact).
  • Page 1000 Switch A is a backbone router. It links to an ASBR (not defined here) that routes traffic outside the AS. To configure Switch A:
    1 Globally enable IPv6 and IPv4 routing:
    console#configure
    console(config)#ipv6 unicast-routing
    console(config)#ip routing
    2 Create VLANs 6 and 12.
    console(config)#vlan 6,12
    3 Configure IP and IPv6 addresses on VLAN routing interface 6.
