hit counter script
Dell PowerConnect M6220 Configuration Manual

Dell PowerConnect M6220 Configuration Manual

Configuration guide
Hide thumbs Also See for PowerConnect M6220:
Table of Contents

Advertisement

Dell™ PowerConnect™ M6220

Configuration Guide

Model M6220
w w w . d e l l . c o m | s u p p o r t . d e l l . c o m

Advertisement

Table of Contents
loading

Summary of Contents for Dell PowerConnect M6220

  • Page 1: Configuration Guide

    Dell™ PowerConnect™ M6220 Configuration Guide Model M6220 w w w . d e l l . c o m | s u p p o r t . d e l l . c o m...
  • Page 2 Trademarks used in this text: Dell, Dell OpenManage, the DELL logo, Inspiron, Dell Precision, Dimension, OptiPlex, PowerConnect, PowerApp, PowerVault, Axim, DellNet, and Latitude are trademarks of Dell Inc.; Microsoft, Windows, and Windows Vista are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Procomm Plus is a registered trademark of Symantec Corporation or its affiliates in the U.S.
  • Page 3: Table Of Contents

    Contents About this Document ......Organization ........Additional Documentation .
  • Page 4 Switching Configuration ......Virtual LANs ........VLAN Configuration Example .
  • Page 5 Overview ........CLI Examples ....... . Simple Switch Mode Supported CLI Commands .
  • Page 6 Authentication Server Filter Assignment ....Access Control Lists (ACLs) ......Overview .
  • Page 7 Multicast ........Overview ........IGMP Configuration .
  • Page 9: About This Document

    About this Document This configuration guide provides examples of how to use the Dell™PowerConnect™ 6200 Series switch in a typical network. It describes the advantages of specific functions the PowerConnect 6200 Series switch provides and includes information about configuring those functions using the command line interface (CLI).
  • Page 10 • from the command-line interface (CLI) for managing, monitoring, and configuring the switch. User’s Guide for your Dell PowerConnect switch describes the Web GUI. Many of the scenarios • described in this document can be fully configured using the Web interface. This guide also provides initial system setup and configuration instructions.
  • Page 11: System Configuration

    System Configuration This section provides configuration scenarios for the following features: • "Traceroute" on page 11 • "Configuration Scripting" on page 13 • "Outbound Telnet" on page 16 • "Simple Network Time Protocol (SNTP)" on page 17 • "Syslog" on page 19 •...
  • Page 12: Cli Example

    CLI Example The following shows an example of using the traceroute command to determine how many hops there are to the destination. The command output shows each IP address the packet passes through and how long it takes to get there. In this example, the packet takes 16 hops to reach its destination. console#traceroute ? ipv6 Use keyword 'ipv6' if entering IPv6 Address.
  • Page 13: Configuration Scripting

    Switch-traceroute> Timeout (default: 3 seconds): 5 Switch-traceroute> Source ip-address (default to select best interface address): Switch-traceroute> Type of service byte (default) : Tracing route over a maximum of 20 hops 10.27.64.141 0 ms 0 ms 0 ms Configuration Scripting Configuration scripting allows you to generate a text-formatted script file that shows the current system configuration.
  • Page 14 apply Applies configuration script to the switch. delete Deletes a configuration script file from the switch. list Lists all configuration script files present on the switch. show Displays the contents of configuration script. validate Validate the commands of configuration script. Example #2: Viewing and Deleting Existing Scripts console#script list Configuration Script Name...
  • Page 15 console#copy script abc.scr tftp://10.27.64.141/abc.scr Mode........... TFTP Set TFTP Server IP......10.27.64.141 TFTP Path......../ TFTP Filename........abc.scr Data Type........Config Script Source Filename........ abc.scr Management access will be blocked for the duration of the transfer Are you sure you want to start? (y/n) y 267 bytes transferred File transfer operation completed successfully.
  • Page 16: Outbound Telnet

    configure stack member 1 2 exit exit configure stack exit ip address dhcp username "admin" password 16d7a4fca7442dda3ad93c9a726597e4 level 15 encrypted exit Configuration script 'abc' validated. console#script apply abc.scr Are you sure you want to apply the configuration script? (y/n)y configure stack member 1 2 Switch 1 already exists!
  • Page 17: Cli Examples

    The following are examples of the commands used in the outbound telnet feature. Example #1: Connecting to Another System by Using Telnet console#telnet 192.168.77.151 Trying 192.168.77.151... console# User:admin Password: (Dell PC62XX Routing) >enable Password: console#show ip interface Management Interface: IP Address........10.27.65.89 Subnet Mask........255.255.254.0 Default Gateway........ 10.27.64.1 Burned In MAC Address......
  • Page 18 Example #1: Viewing SNTP Options (Dell PC62XX Routing)(Config) #sntp ? console(config)#sntp ? authenticate Require authentication for received Network Time Protocol (NTP) traffic from servers. authentication-key Define an authentication key for Simple Network Time Protocol (SNTP). broadcast Configure SNTP client broadcast parameters.
  • Page 19: Syslog

    Unicast servers: Server Polling --------- ----------- ----------- 192.168.10.25 Disabled Enabled console#show sntp status Unicast servers: Server Status Last response --------- ----------- -------------------------- 192.168.10.25 Unknown 00:00:00 Jan 1 1970 Syslog Overview Syslog: • Allows you to store system messages and/or errors. •...
  • Page 20: Cli Examples

    Figure 2-1. Log Files Key CLI Examples The following are examples of the commands used in the Syslog feature. Example #1: Viewing Logging Information console#show logging Logging is enabled Console Logging: level warning. Console Messages: 230 Dropped. Buffer Logging: level info. Buffer Messages: 230 Logged, 200 Max File Logging: level notActive.
  • Page 21: Port Description

    console(config)#logging 192.168.10.65 console(Config-logging)#? description Specify syslog server description. exit To exit from the mode. level Specify logging level. port Specify UDP port (default is 514). console(Config-logging)#level ? alert Immediate action needed critical Critical conditions debug Debugging messages emergency System is unusable error Error conditions info...
  • Page 22: Storm Control

    Storm Control A traffic storm is a condition that occurs when incoming packets flood the LAN, which creates performance degradation in the network. The Storm Control feature protects against this condition. The switch software provides broadcast, multicast, and unicast storm recovery for individual interfaces. Unicast Storm Control protects against traffic whose MAC addresses are not known by the system.
  • Page 23: Cable Test For Copper Ports

    console(config-if-1/g2)#storm-control broadcast level 7 Example #2: Set Multicast Storm Control for an Interface console(config-if-1/g2)#storm-control multicast level 8 Example #3: Set Unicast Storm Control for an Interface console(config-if-1/g2)#storm-control unicast level 5 Cable Test for Copper Ports The cable test feature enables you to determine the cable connection status on a selected port. The switch uses Time Domain Reflectometry (TDR) technology to determine the quality and characteristics of a copper cable attached to a port.
  • Page 24 1/g3 Test has not been performed 1/g4 Test has not been performed 1/g5 Test has not been performed --More-- or (q)uit NOTE: You can also run a cable test using the Web Interface. In the navigation tree, click System > Diagnostics. System Configuration...
  • Page 25: Switching Configuration

    Switching Configuration This section provides configuration scenarios for the following features: • "Virtual LANs" on page 25 • "IGMP Snooping" on page 30 • "IGMP Snooping Querier" on page 32 • "Link Aggregation/Port Channels" on page 33 • "Port Mirroring" on page 37 •...
  • Page 26: Vlan Configuration Example

    • The MAC-based VLAN feature let packets originating from end stations become part of a VLAN according to source MAC address. To configure the feature, you specify a source MAC address and a VLAN ID. The Private Edge VLAN feature lets you set protection between ports located on the switch. This means that a protected port cannot forward traffic to another protected port on the same switch.
  • Page 27 Example #1: Create Two VLANs Use the following commands to create two VLANs and to assign the VLAN IDs while leaving the names blank. console(config)#vlan database console(config-vlan)#vlan 2 console(config-vlan)#vlan 3 console(config-vlan)#exit Example #2: Assign Ports to VLAN2 This sequence shows how to assign ports to VLAN2, specify that frames will always be transmitted tagged from all member ports, and that untagged frames will be rejected on receipt.
  • Page 28: Web Interface

    Example #5: Assign IP Addresses to VLAN 2 In order for the VLAN to function as a routing interface, you must enable routing on the VLAN and on the switch. Routing is only permitted on VLAN interfaces. Routing on physical interfaces is not supported.
  • Page 29: Private Edge Vlans

    Example #1: Associate an IP Subnet with a VLAN This example shows how to configure the switch so that all hosts with IP addresses in the 192.168.25.0/24 network are members of VLAN 10. console#configure console(config)#vlan database console(config-vlan)#vlan association subnet 192.168.25.0 255.255.255.0 10 Example #2: Associate an IP Address with a VLAN This example shows how to configure the switch so a host with an IP addresses of 192.168.1.11 is a member of VLAN 10.
  • Page 30: Cli Example

    You can also configure groups of protected ports, but unprotected ports are independent and cannot be added to a group. Each group’s configuration consists of a name and a mask of ports. A port can belong to only one set of protected ports, but an unprotected port can be added to a group as a protected port. The group name is configurable by the network administrator.
  • Page 31: Cli Examples

    CLI Examples The following examples show commands to use with the IGMP Snooping feature. Example #1: Enable IGMP Snooping on the Switch NOTE: Before you enable IGMP Snooping on the switch, you must enable the filtering of multicast addresses with the bridge multicast filtering command.
  • Page 32: Igmp Snooping Querier

    IGMP Snooping Querier When PIM and IGMP are enabled in a network with IP multicast routing, the IP multicast router acts as the IGMP querier. However, if the IP-multicast traffic in a VLAN needs to be Layer 2 switched only, an IP-multicast router is not required.
  • Page 33: Link Aggregation/Port Channels

    Example #4: Enable IGMP Snooping Querier on a VLAN To configure IGMP Snooping Querier on a VLAN, enter VLAN Database mode. The first ip igmp snooping command in this example enables the IGMP snooping querier on VLAN 10. The second ip igmp snooping command specifies the IP address that the snooping querier switch should use as source address when generating periodic queries.
  • Page 34: Cli Example

    • Increased bandwidth: The aggregated physical links deliver higher bandwidth than each individual link. • Incremental increase in bandwidth: A physical upgrade could produce a 10-times increase in bandwidth; LAG produces a two- or five-times increase, useful if only a small increase is needed. Management functions treat a port-channel as if it were a single physical port.
  • Page 35 Server Subnet Port 1/g3 Port 1/0/3 Port 1/g2 LAG_1 LAG_10 Port 1/0/2 LAG_1 LAG_10 Layer 3 Switch Port 1/g9 Port 1/g8 Port 1/0/8 Port 1/0/9 LAG_2 LAG_2 LAG_20 LAG_20 Layer 2 Switch Subnet 2 Subnet 3 Figure 3-2. LAG/Port-channel Example Network Diagram Example 1: Create Names for Two Port-Channels: console#configure console(config)#interface port-channel 1...
  • Page 36: Web Interface Configuration: Lags/Port-Channels

    console(config-if-1/g2)#exit console(config)#interface ethernet 1/g3 console(config-if-1/g3)#channel-group 1 mode auto console(config-if-1/g3)#exit console(config)#interface ethernet 1/g8 console(config-if-1/g8)#channel-group 2 mode auto console(config-if-1/g8)#exit console(config)#interface ethernet 1/g9 console(config-if-1/g9)#channel-group 2 mode auto console(config-if-1/g9)#exit console(config)#exit Example 3: Show the Port Channels By default, the system enables link trap notification console#show interfaces port-channel Channel Ports...
  • Page 37: Port Mirroring

    Port Mirroring This section describes the Port Mirroring feature, which can serve as a diagnostic tool, debugging tool, or means of fending off attacks. Overview Port mirroring selects network traffic from specific ports for analysis by a network analyzer, while allowing the same traffic to be switched to its destination.
  • Page 38: Operation

    • Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted. • Enabled on a per port basis. • When locked, only packets with allowable MAC address will be forwarded. • Supports both dynamic and static. •...
  • Page 39: Link Layer Discovery Protocol

    between consecutive traps. <cr> Press enter to execute the command. console(config-if-1/g2)#port security Example #2: Show Port Security console#show ports security ? addresses Addresses. ethernet Ethernet port. port-channel Link Aggregation interface. <cr> Press enter to execute the command. Example #3: Show Port Security on an Interface console#show ports security ethernet 1/g2 Port Status...
  • Page 40 console(config)#lldp notification-interval 1000 console(config)#lldp timers ? hold The interval multiplier to set local LLDP data TTL. interval The interval in seconds to transmit local LLDP data. reinit The delay before re-initialization. <cr> Press enter to execute the command. console(config)#lldp timers hold 8 reinit 5 console(config)#exit Example #2: Set Interface LLDP Parameters The following commands configure the Ethernet interface 1/g10 to transmit and receive LLDP...
  • Page 41: Denial Of Service Attack Protection

    Protects against the exploitation of a number of vulnerabilities which would make the host or network unstable • Compliant with Nessus. Dell tested the switch software with Nessus version 2.0.10. Nessus is a widely- used vulnerability assessment tool. • PowerConnect 6200 Series software provides a number of features that help a network administrator protect networks against DoS attacks.
  • Page 42: Cli Examples

    Table 3-1 describes the dos-control keywords. Table 3-1. DoS Control Keyword Meaning firstfrag Enabling First Fragment DoS prevention causes the switch to drop packets that have a TCP header smaller then the configured Min TCP Hdr Size. icmp ICMP DoS prevention causes the switch to drop ICMP packets that have a type set to ECHO_REQ (ping) and a size greater than the configured ICMP Pkt Size.
  • Page 43: Dhcp Filtering

    DHCP Filtering This section describes the Dynamic Host Configuration Protocol (DHCP) Filtering feature. Overview DHCP filtering provides security by filtering untrusted DHCP messages. An untrusted message is a message that is received from outside the network or firewall, and that can cause traffic attacks within network.
  • Page 44: Port Aggregator

    The Port Aggregator feature is only available when the switch is operating in Simple mode, which is disabled by default. From the Dell CLI Setup Wizard, you can select the operational mode as "Simple mode" or "Normal mode". In addition, users with privilege level 15 can change the mode via the CLI/Web/SNMP user interfaces.
  • Page 45: Overview

    A Trap identified by "operationalModeChangeTrap" is issued when the SNMP user changes the operational mode. If the new mode is selected from the Dell Setup wizard, or if a mode selected from the CLI/Web/SNMP user interfaces, the mode is effective only after the next reload.
  • Page 46 Server Blade 1 Switch Blade Aggregator Group Server Blade16 HiGig ports Internal Port xg1 to xg4 Connections Figure 3-3. Default Aggregator Groups on Standalone Switch (Blade) The default Port Aggregator Group mapping is shown in Table 3-2. Switching Configuration...
  • Page 47 Table 3-2. Default Port Aggregator Group Mapping Aggregator Member Internal Ports Member Uplink (External) Ports Group Group 1 1/g1,1/g2,1/g3,1/g4, 1/g5, 1/g6, 1/g7, 1/g8, 1/g17, 1/g18, 1/g19, 1/g20 1/g9, 1/g10, 1/g11, 1/g12, 1/g13, 1/g14, 1/g15, 1/g16 Group 2 2/g1,2/g2,2/g3,2/g4, 2/g5, 2/g6, 2/g7, 2/g8, 2/g17, 2/g18, 2/g19, 2/g20 2/g9, 2/g10, 2/g11, 2/g12, 2/g13, 2/g14, 2/g15, 2/g16...
  • Page 48 The switch will boot up in this mode unless you select a different mode from the setup wizard. • If the new mode is selected from the Dell Setup wizard, or if the mode is selected from the CLI/Web/SNMP user interfaces, the mode is effective only after the next reload. •...
  • Page 49: Cli Examples

    • Default VLAN tagged traffic should be switched and egress as untagged. • Tagged traffic that belongs to a user-created VLAN gets switched in that VLAN and egresses as tagged. NOTE: The reserved VLAN ID assigned to a group is also referred to as a default VLAN. •...
  • Page 50 Example #2: Enter Port Aggregator Mode Use the port-aggregator group <GroupId> command to enter the Port Aggregator mode to configure GroupId aggregator group attributes. is the Port Aggregator group identifier. (Range: 1-8 or 1-72) On a standalone switch, it is up to 8. On a stack, it is 1 to (6 x<number of units in stack). For a stack of 12 units it is 1-72.
  • Page 51 Example #7: Configure Group Full/Half Duplex Operation of All Member Ports Use the duplex command in port aggregator configuration mode to configure the full/half duplex operation of all member ports in the aggregator group. The example command below configures all member ports to full duplex operation.
  • Page 52 uplink ports should be active; otherwise, all the internal ports in the Group will be brought down. By default, the minimum active uplinks for a Group is 1, which means at least one uplink port should be active for the Aggregator Group to be active. console(config)#port-aggregator group 2 console(config-aggregator-2)#minimum active uplinks 2 console(config-aggregator-2)#...
  • Page 53 ----- ---------------- ------ ------------- Static Required Static Required 1000 Static Required 1001 Static Required Example #14: Show Group Configuration Summary Use the show port-aggregator group summary [< GroupId >] command to show the parameters <Group Id> configured on the aggregator group. is an optional parameter in the command and, if not specified, the command shows all the configured parameters for all the Groups.
  • Page 54: Simple Switch Mode Supported Cli Commands

    console#show port-aggregator port summary 2 Group Member Ports Active Configured Current Member Ports LACP Mode LACP Mode ----- ------------ ------------ ---------- --------- 1/g2,1/g6,1/g10 1/g2,1/g6,1/g10 static auto 1/g14,1/g18 1/g14,1/g18 console#show port-aggregator port summary Member Ports Active Configured Current Member Ports LACP Mode LACP Mode ----- ---------------------- ---------- --------- ---------...
  • Page 55 enable password ip http authentication ip https authentication login authentication password (Line Configuration) password (User EXEC) show authentication methods show user accounts show users login history username • Configuration and Image File Commands: boot system clear config copy delete backup-config delete backup-image delete startup-config filedescr...
  • Page 56 history history size line show line speed • Password Management Commands: passwords aging passwords history passwords lockout passwords min-length show passwords configuration • Port Channel Commands: show interfaces port-channel show statistics port-channel • Radius commands: auth-port deadtime priority radius-server deadtime radius-server host radius-server key radius-server retransmit...
  • Page 57 snmp-server enable traps snmp-server engineID local snmp-server group snmp-server host snmp-server location snmp-server trap authentication • SSH commands: crypto key generate dsa crypto key generate rsa crypto key pubkey-chain ssh ip ssh port ip ssh pubkey-auth ip ssh server key-string show crypto key mypubkey show crypto key pubkey-chain ssh show ip ssh...
  • Page 58 • Tacacs commands: port priority show tacacs tacacs-server host tacacs-server key tacacs-server timeout timeout • Web Server Commands: common-name country crypto certificate generate crypto certificate import crypto certificate request duration ip http port ip http server ip https certificate ip https port ip https server key-generate location...
  • Page 59 show dot1x show dot1x statistics show dot1x users • Dot1x Advanced Features: dot1x guest-vlan <vlan-id> dot1x unauth-vlan <vlan-id> dot1x max-users show dot1x clients Switching Configuration...
  • Page 60 Switching Configuration...
  • Page 61: Routing Configuration

    Routing Configuration This section describes configuration scenarios and instructions for the following routing features: • "VLAN Routing" on page 61 • "Virtual Router Redundancy Protocol" on page 64 • "Proxy Address Resolution Protocol (ARP)" on page 66 • "OSPF" on page 67 •...
  • Page 62 Layer 3 Switch Physical Port 1/g3 Physical Port 1/g2 Physical Port 1/0/2 Physical Port 1/0/3 VLAN 10: 192.150.4.1 VLAN 10: 192.150.3.1 VLAN Router Port 3/1 VLAN Router Port 3/2 192.150.3.1 192.150.4.1 Physical Physical Port 1/g1 Port 1/0/1 Layer 2 Switch Layer 2 Switch VLAN 10 VLAN 20...
  • Page 63: Using The Web Interface To Configure Vlan Routing

    console(config-if-1/g2)#switchport mode general console(config-if-1/g2)#switchport general allowed vlan add 10 console(config-if-1/g2)#switchport general pvid 10 console(config-if-1/g2)#exit console#configure console(config)#interface ethernet 1/g3 console(config-if-1/g3)#switchport mode general console(config-if-1/g3)#switchport general allowed vlan add 20 console(config-if-1/g3)#switchport general pvid 20 console(config-if-1/g3)#exit Example 3: Set Up VLAN Routing for the VLANs and Assign an IP Address The following code sequence shows how to enable routing for the VLANs and how to configure the IP addresses and subnet masks for the virtual router ports.: console#configure...
  • Page 64: Virtual Router Redundancy Protocol

    Virtual Router Redundancy Protocol When an end station is statically configured with the address of the router that will handle its routed traffic, a single point of failure is introduced into the network. If the router goes down, the end station is unable to communicate.
  • Page 65 Figure 4-2. VRRP Example Network Configuration Example 1: Configuring VRRP on the Switch as a Master Router Enable routing for the switch. IP forwarding is then enabled by default. console#config console(config)#ip routing Configure the IP addresses and subnet masks for the VLAN routing interfaces that will participate in the protocol, for example: console(config)#interface vlan 50 console(config-if-vlan50)#routing...
  • Page 66: Using The Web Interface To Configure Vrrp

    Specify the IP address that the virtual router function will recognize. console(config-if-vlan60)#ip vrrp 20 ip 192.150.2.1 Set the priority for the port. The default priority is 100. console(config-if-vlan60)#ip vrrp 20 priority 254 Enable VRRP on the port. console(config-if-vlan60)#ip vrrp 20 mode console(config-if-vlan60)#exit Using the Web Interface to Configure VRRP Use the following screens to perform the same configuration using the Graphical User Interface:...
  • Page 67: Ospf

    Example #2 Viewing the Interface Information console#show ip interface vlan 50 Primary IP Address......192.150.2.1/255.255.255.0 Routing Mode........Enable Administrative Mode......Enable Forward Net Directed Broadcasts....Disable Proxy ARP........Enable Local Proxy ARP........ Disable Active State........Inactive Link Speed Data Rate......10 Half MAC Address........
  • Page 68 n.n.n.n Areas are identified by a numeric ID in IP address format (note, however, that these are not used as actual IP addresses). For simplicity, the area can be configured and referred to in normal integer notation; however, the software converts these to dot notation by using the right-most octet up to 255 and proceeding to the next left octet for higher values (i.e., Area 20 is identified as 0.0.0.20 and Area 256 Area 0 OSPF backbone...
  • Page 69: Cli Examples

    2 Inter-area (the source and destination are not in the same area, i.e., the route crosses the OSPF backbone) 3 External Type 1 4 External Type 2 External routes are those imported into OSPF from other routing protocol or processes. OSPF computes the path cost differently for external type 1 and external type 2 routes.
  • Page 70 IPv4 (OSPFv2) IPv6 (OSPFv3) console#config console#config ip routing ipv6 unicast-routing exit exit Enable routing and assign IP for ports 1/g2, 1/g3, and 1/g4. config config interface vlan 70 interface vlan 70 routing routing ip address 192.150.2.2 255.255.255.0 ipv6 enable exit exit interface vlan 80 interface vlan 80...
  • Page 71 IPv4 (OSPFv2) IPv6 (OSPFv3) config config interface vlan 70 interface vlan 70 ip ospf area 0.0.0.0 ipv6 ospf ip ospf priority 128 ipv6 ospf areaid 0.0.0.0 ip ospf cost 32 ipv6 ospf priority 128 ipv6 ospf cost 32 exit exit interface vlan 80 ip ospf area 0.0.0.2 interface vlan 80...
  • Page 72: Interface Vlan

    AS-1 AS-2 Area 0 (0.0.0.0) - backbone Area 1 (0.0.0.1) - Stub 10.3.100.3/24 10.2.3.3/24 Router A - backbone IR (5.3.0.0) ASBR (5.1.0.0) 3000:3:100::/64 3000:2:3::/64 (3.3.3.3) VLAN 12 VLAN 6 Router B - ABR (5.5.5.5) VLAN 10 VLAN 5 10.2.3.2 10.1.2.2/24 3000:2:3::/64 3000:1:2::/64 eui64 10.2.4.2...
  • Page 73 ipv6 address 3000:3:100::/64 eui64 ip ospf area 0.0.0.0 ipv6 ospf exit • Define an OSPF router: ipv6 router ospf router-id 3.3.3.3 exit router ospf router-id 3.3.3.3 exit exit Configure Router B: Router B is a ABR that connects Area 0 to Areas 1 and 2. •...
  • Page 74 • For IPv4: Define an OSPF router. Define Area 1 as a stub. Enable OSPF for IPv4 on interfaces 10, 5, and 17 by globally defining the range of IP addresses associated with each interface, and then associating those ranges with Areas 1, 0, and 17, respectively. Then, configure a metric cost to associate with static routes when they are redistributed via OSPF: router ospf router-id 2.2.2.2...
  • Page 75: Ipv6 Router Ospf

    Area 2 (0.0.0.2) IR (5.3.0.0) 10.1.101.1 Area 0 (0.0.0.0) - backbone VLAN 11 3000:1:101::/64 VLAN 10 Router C - ABR (5.5.5.5) VLAN 5 10.1.2.1/24 10.2.3.3/24 Router A - backbone 3000:1:2::/64 VLAN 7 3000:2:3::/64 (3.3.3.3) 10.1.2.2/24 3000:1:2::/64 eui64 Router B - ABR (4.4.4.4) 10.2.3.2 3000:2:3::/64 Virtual Link...
  • Page 76 Configure Router B: Router B is a ABR that directly connects Area 0 to Area 1. In addition to the configuration steps described in the previous example, we define a virtual link that traverses Area 1 to Router C (5.5.5.5). (console)#configure ipv6 unicast-routing ip routing...
  • Page 77: Routing Information Protocol

    interface vlan 11 routing ip address 10.1.101.1 255.255.255.0 ipv6 address 3000:1:101::/64 eui64 ipv6 ospf ipv6 ospf areaid 2 exit ipv6 router ospf router-id 5.5.5.5 area 0.0.0.1 virtual-link 4.4.4.4 exit router ospf router-id 5.5.5.5 area 0.0.0.1 virtual-link 4.4.4.4 network 10.1.2.0 0.0.0.255 area 0.0.0.1 network 10.1.101.0 0.0.0.255 area 0.0.0.2 exit exit...
  • Page 78: Cli Examples

    • To prevent any RIP packets from being received • To prevent any RIP packets from being transmitted CLI Examples The configuration commands used in the following example enable RIP on ports vlan 2 and vlan 3 as shown in the network illustrated in Figure 4-6. Subnet 3 VLAN 3 Port 1/0/3...
  • Page 79: Using The Web Interface To Configure Rip

    interface vlan 3 routing ip address 192.130.3.1 255.255.255.0 exit exit Example #3. Enable RIP for the Switch The next sequence enables RIP for the switch. The route preference defaults to 15. console#config router rip enable exit exit Example #4. Enable RIP for the VLAN Routing Interfaces This command sequence enables RIP for ports vlan 2 and vlan 3.
  • Page 80: Route Preferences

    Route Preferences You can use route preference assignment to control how the router chooses which routes to use when alternatives exist. This section describes three uses of route preference assignment: • "Assigning Administrative Preferences to Routing Protocols" on page 80 •...
  • Page 81: Using Equal Cost Multipath

    Example 2: Assigning Administrative Preferences to Static Routes By default, static routes are assigned a preference value of 1. The following command changes this default: console#Config ip route distance 20 exit When you configure a static route, you can assign a preference value to it. The preference overrides the setting inherited as the default value for static routes.
  • Page 82 Link A Next hop 1 Network D Next hop 2 Link B Router A Router B Figure 4-7. Forwarding Without ECMP With ECMP, Router A can forward traffic to some destinations in Network D via Link A and traffic to other destinations in Network D via Link B, thereby taking advantage of the bandwidth of both links.
  • Page 83: Loopback Interfaces

    An ECMP route contains only next hops whose paths to the destination are of equal cost. Referring to Figure 4-8, if OSPF were configured on all links, but Router A's interface to the 10.1.1.x network had an OSPF link cost of 5 and its interface to the 10.1.2.x network had an OSPF link cost of 10, then OSPF would use only 10.1.1.2 as the next hop to 20.0.0.0/8.
  • Page 84 console(config-if-loopback0)#exit console(config)#exit You can view the interface configuration from the Privileged Exec mode: console#show ip interface loopback 0 Primary IP Address......192.168.1.2/255.255.255.255 Routing Mode........Enable Administrative Mode......Enable Forward Net Directed Broadcasts....Disable Proxy ARP........Enable Local Proxy ARP........ Disable Active State........
  • Page 85: Device Security

    Device Security This section describes configuration scenarios for the following features: • "802.1x Network Access Control" on page 85 • "802.1X Authentication and VLANs" on page 88 • "Authentication Server Filter Assignment" on page 90 • "Access Control Lists (ACLs)" on page 90 •...
  • Page 86: 802.1X Network Access Control Examples

    determines the authorization state of the port. Depending on the outcome of the authentication process, the authenticator PAE then controls the authorized/unauthorized state of the controlled Port. Authentication can be handled locally or via an external authentication server. Two are: Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS+).
  • Page 87 Global values --------------- Timeout : 3 Retransmit : 3 Deadtime : 0 Source-ip : 0.0.0.0 console(config)#aaa authentication login radiusList radius console(config)#aaa authentication dot1x default radius console(config)#dot1x system-auth-control console(config)#interface ethernet 1/g1 console(config-if-1/g1)#dot1x port-control force-authorized console(config-if-1/g1)#exit Example #2: MAC-Based Authentication Mode Beginning in release 2.1, the PowerConnect 6200 Series switches support MAC-based 801.X authentication.
  • Page 88: 802.1X Authentication And Vlans

    Maximum Requests....... 2 Max Users........3 Supplicant Timeout......30 Server Timeout (secs)......30 Logical Supplicant AuthPAE Backend VLAN Username Filter Port MAC-Address State State ------- -------------- -------- -------- ----- -------- ------ 0000.0000.0000 Initialize Idle 802.1X Authentication and VLANs The PowerConnect 6200 Series switches allow a port to be placed into a particular VLAN based on the result of type of 802.1X authentication a client uses when it accesses the switch.
  • Page 89: Guest Vlan

    VLANID is 12-bits and has a value between 1 and 4093. Guest VLAN The Guest VLAN feature allows a switch to provide a distinguished service to unauthenticated users. This feature provides a mechanism to allow visitors and contractors to have network access to reach external network with no ability to browse information on the internal LAN.
  • Page 90: Authentication Server Filter Assignment

    Define the VLAN before configuring an interface to use it as the guest VLAN. console#configure console(config)#interface ethernet 1/g20 console(config-if-1/g20)#dot1x guest-vlan 100 console(config-if-1/g20)# <CTRL+Z> console#show dot1x advanced ethernet 1/g20 Port Guest VLAN --------- --------- 1/g20 Authentication Server Filter Assignment The PowerConnect 6200 Series switches allow the external 802.1X Authenticator or RADIUS server to assign DiffServ policies to users that authenticate to the switch.
  • Page 91: Overview

    Overview Access Control Lists (ACLs) are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources. ACLs can also provide traffic flow control, restrict contents of routing updates, and decide which types of traffic are forwarded or blocked.
  • Page 92: Mac Acls

    Furthermore, hardware counters that become available after an ACL is applied are not retroactively assigned to rules that were unable to be logged (the ACL must be un-applied then re-applied). Rules that are unable to be logged are still active in the ACL for purposes of permitting or denying a matching packet.
  • Page 93: Ip Acls

    L2 ACLs can apply to one or more interfaces. Multiple access lists can be applied to a single interface; sequence number determines the order of execution. You can assign packets to queues using the assign queue option. IP ACLs IP ACLs classify for Layers 3 and 4. Each ACL is a set of up to ten rules applied to inbound traffic.
  • Page 94 Layer 3 Switch Port 1/0/2 ACL 179 UDP or TCP packet to UDP or TCP packet to 192.168.88.3 rejected: 192.168.77.3 accepted: Dest. IP not in range Dest. IP in range Layer 2 Switch 192.168.77.1 192.168.77.4 192.168.77.9 192.168.77.2 Figure 5-2. IP ACL Example Network Diagram Example #1: Create an ACL and Define an ACL Rule This command creates an ACL named list1 and configures a rule for the ACL.
  • Page 95: Mac Acl Cli Examples

    Example #3: Apply the Rule to Outbound (Egress) Traffic on Port 1/g2 Only traffic matching the criteria will be accepted. console(config)#interface ethernet 1/g2 console(config-if-1/g2)#ip access-group list1 out console(config-if-1/g2)#exit MAC ACL CLI Examples The following are examples of the commands used for the MAC ACLs feature. Example #4: Set up a MAC Access List console#config console(config)#mac access-list extended mac1...
  • Page 96 mplsmcast, mplsucast, netbios, novell, pppoe, rarp). console(config-mac-access-list)#deny any 00:11:22:33:44:55 00:00:00:00:FF:FF log assign-queue Configure the Queue Id assignment attribute. mirror Configure the packet mirroring attribute. redirect Configure the packet redirection attribute. <cr> Press enter to execute the command. console(config-mac-access-list)#deny any 00:11:22:33:44:55 00:00:00:00:FF:FF log Example #6 Configure MAC Access Group console(config)#interface ethernet 1/g5 console(config-if-1/g5)#mac access-group mac1 ?
  • Page 97: Radius

    console(config-mac-access-list)#permit any any ? assign-queue Configure the Queue Id assignment attribute. Configure a match condition based on a COS value. Configure logging for this access list rule. mirror Configure the packet mirroring attribute. redirect Configure the packet redirection attribute. vlan Configure a match condition based on a VLAN ID.
  • Page 98: Radius Configuration Examples

    For authenticating users prior to access, the RADIUS standard has become the protocol of choice by administrators of large accessible networks. To accomplish the authentication in a secure manner, the RADIUS client and RADIUS server must both be configured with the same shared password or “secret”. This “secret”...
  • Page 99 Figure 5-3. RADIUS Servers in a Network When a user attempts to log in, the switch prompts for a username and password. The switch then attempts to communicate with the primary RADIUS server at 10.10.10.10. Upon successful connection with the server, the login credentials are exchanged over an encrypted channel. The server grants or denies access, which the switch honors, and either allows or does not allow the user to access the switch.
  • Page 100: Tacacs

    Example #2: Set the NAS-IP Address for the RADIUS Server The NAS-IP address attribute identifies the IP Address of the network authentication server (NAS) that is requesting authentication of the user. The address should be unique to the NAS within the scope of the RADIUS server.
  • Page 101 Figure 5-4. PowerConnect 6200 Series Switch with TACACS+ When a user attempts to log into the switch, the NAS or switch prompts for a username and password. The switch attempts to communicate with the highest priority configured TACACS+ server at 10.10.10.10.
  • Page 102 Device Security...
  • Page 103: Ipv6

    IPv6 This section includes the following subsections: • "Overview" on page 103 • "Interface Configuration" on page 103 • "DHCPv6" on page 106 Overview There are many conceptual similarities between IPv4 and IPv6 network operation. Addresses still have a network prefix portion (subnet) and a device interface specific portion (host). While the length of the network portion is still variable, most users have standardized on using a network prefix length of 64 bits.
  • Page 104: Cli Example

    While optional in IPv4, router advertisement is mandatory in IPv6. Router advertisements specify the network prefix(es) on a link which can be used by receiving hosts, in conjunction with an EUI64 identifier, to auto configure a host’s address. Routers have their network prefixes configured and may use EUI64 or manually configured interface IDs.
  • Page 105 router-id 1.1.1.1 exit interface vlan 15 routing ip address 20.20.20.1 255.255.255.0 ip ospf area 0.0.0.0 exit interface vlan 2 routing ipv6 enable ipv6 address 2020:1::1/64 ipv6 ospf ipv6 ospf network point-to-point exit interface tunnel 0 ipv6 address 2001::1/64 tunnel mode ipv6ip tunnel source 20.20.20.1 tunnel destination 10.10.10.1 ipv6 ospf...
  • Page 106: Dhcpv6

    ip ospf area 0.0.0.0 exit interface vlan 2 routing ipv6 enable ipv6 address 2020:2::2/64 ipv6 ospf ipv6 ospf network point-to-point exit interface tunnel 0 ipv6 address 2001::2/64 tunnel mode ipv6ip tunnel source 10.10.10.1 tunnel destination 20.20.20.1 ipv6 ospf ipv6 ospf network point-to-point exit interface loopback 0 ip address 2.2.2.2 255.255.255.0...
  • Page 107: Cli Examples

    RFC 3315 also describes DHCPv6 Relay Agent interactions, which are very much like DHCPv4 Relay Agents. Additionally, there is a DHCPv6 Relay Agent Option Internet draft [9], which employs very similar capabilities as those described by DHCPv4 Relay Agent Option in RFC 2132. With the larger address space inherent to IPv6, addresses within a network can be allocated more effectively in a hierarchical fashion.
  • Page 108 2001::1 exit exit Per-interface DHCPv6 configuration: console#config interface vlan 15 ipv6 dhcp server testpool preference 10 exit exit IPv6...
  • Page 109: Quality Of Service

    Quality of Service This section includes the following subsections: • "Class of Service Queuing" on page 109 • "Differentiated Services" on page 113 Class of Service Queuing The Class of Service (CoS) feature lets you give preferential treatment to certain types of traffic over others.
  • Page 110: Egress Port Configuration-Traffic Shaping

    CoS Mapping Table for Trusted Ports Mapping is from the designated field values on trusted ports’ incoming packets to a traffic class priority (actually a CoS traffic queue). The trusted port field-to-traffic class configuration entries form the Mapping Table the switch uses to direct ingress packets from trusted ports to egress queues. Egress Port Configuration—Traffic Shaping For unit/slot/port interfaces, you can specify the shaping rate for the port, which is an upper limit of the transmission bandwidth used, specified as a percentage of the maximum link speed.
  • Page 111 Ingress Port 1/g10 packet A Port 1/0/10 UserPri=3 mode='trust dot1p' 802.1p->COS Q Map packet B UserPri=7 packet C (untagged) packet D UserPri=6 port default priority->traffic class Egress Forward via Port 1/0/8 switch fabric to Port 1/g8 egress Port 1/0/8 strict weighted 20% weighted 10% weighted 5%...
  • Page 112 Port 1/g10 Port 1/g8 Port 1/0/8 Port 1/0/10 Server Figure 7-2. CoS Configuration Example System Diagram You will configure the ingress interface uniquely for all cos-queue and VLAN parameters. console#config interface ethernet 1/g10 classofservice trust dot1p classofservice dot1p-mapping 6 3 vlan priority 2 exit interface ethernet 1/g8...
  • Page 113: Differentiated Services

    exit exit Differentiated Services Differentiated Services (DiffServ) is one technique for implementing Quality of Service (QoS) policies. Using DiffServ in your network allows you to directly configure the relevant parameters on the switches and routers rather than using a resource reservation protocol.This section explains how to configure the switch to identify which traffic class a packet belongs to, and how it should be handled to provide the desired quality of service.
  • Page 114: Cli Example

    – Policing packets by dropping or re-marking those that exceed the class’s assigned data rate – Counting the traffic within the class • Service – Assigns a policy to an interface for inbound traffic. CLI Example This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company.
  • Page 115 Create a DiffServ class of type “all” for each of the departments, and name them. Define the match criteria—Source IP address—for the new classes. class-map match-all finance_dept match srcip 172.16.10.0 255.255.255.0 exit class-map match-all marketing_dept match srcip 172.16.20.0 255.255.255.0 exit class-map match-all test_dept match srcip 172.16.30.0 255.255.255.0 exit...
  • Page 116: Diffserv For Voip Configuration Example

    interface ethernet 1/g4 service-policy in internet_access exit Set the CoS queue configuration for the (presumed) egress interface 1/g5 such that each of queues 1, 2, 3 and 4 get a minimum guaranteed bandwidth of 25%. All queues for this interface use weighted round robin scheduling by default.
  • Page 117 1 2 3 4 5 6 7 8 9 Port 1/g2 Port 1/0/2 Layer 3 Switch operating as Router 1 Port 1/g3 Port 1/0/3 Internet Layer 3 Switch operating as Router 2 Quality of Service...
  • Page 118 Figure 7-4. DiffServ VoIP Example Network Diagram Example #2: Configuring DiffServ VoIP Support Enter Global Config mode. Set queue 5 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch. console#config cos-queue strict 5 diffserv...
  • Page 119: Multicast

    Multicast Overview IP Multicasting enables a network host (or multiple hosts) to send an IP datagram to multiple destinations simultaneously. The initiating host sends each multicast datagram only once to a destination multicast group address, and multicast routers forward the datagram only to hosts who are members of the multicast group.
  • Page 120: Cli Example

    CLI Examples The CLI component of the Dell switch allows the end users to configure the network device and to view device settings and statistics using a serial interface or telnet session.
  • Page 121 Example #1: Configuring IGMP Proxy on the Router This command enables the IGMP Proxy on the router. To enable IGMP Proxy on the router no multicast routing protocol should be enabled and also multicast forwarding must be enabled on the router. Use these commands from the Interface mode: console#configure ip routing...
  • Page 122: Dvmrp

    DVMRP The Distance Vector Multicast Routing Protocol (DVMRP) is one of several multicast routing protocols you can configure on the switch (PIM-SM and PIM-DM are the others). Note that only one multicast routing protocol (MRP) can be operational on a router at any time. DVMRP is an interior gateway protocol;...
  • Page 123: Pim

    routing ip address 1.1.1.1 255.255.255.0 ip dvmrp ip igmp ip ospf area 0 exit exit Protocol Independent Multicast (PIM) is a standard multicast routing protocol that provides scalable inter-domain multicast routing across the Internet, independent of the mechanisms provided by any particular unicast routing protocol.
  • Page 124: Pim-Dm

    console#configure router ospf router-id 3.3.1.1 exit ip routing ip multicast ip igmp ip pimsm [NOTE: This router should be an RP.] ip pimsm rp-address 1.1.1.1 224.0.0.0 240.0.0.0 interface vlan 15 routing ip address 3.3.3.1 255.255.255.0 ip pimsm ip igmp ip ospf area 0 exit interface vlan 30 routing...
  • Page 125 • Densely distributed receivers • A ratio of few senders-to-many receivers (due to frequent flooding) • High volume of multicast traffic • Constant stream of traffic Example: PIM-DM The following example configures PIM-DM for IPv4 on a router. First, configure an OSPF router and globally enable IP routing, multicast, IGMP , and PIM-DM.

Table of Contents